summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* ARM: omap: fix section mismatch warning for omap_secondary_startup()Russell King2012-02-131-0/+1
| | | | | | | | | | | | | | | | | | | | | | | WARNING: vmlinux.o(.text+0x1c664): Section mismatch in reference from the function omap_secondary_startup() to the function .cpuinit.text:secondary_startup() The function omap_secondary_startup() references the function __cpuinit secondary_startup(). This is often because omap_secondary_startup lacks a __cpuinit annotation or the annotation of secondary_startup is wrong. Unfortunately, fixing this causes a new warning which is harder to solve: WARNING: arch/arm/mach-omap2/built-in.o(.text+0x5328): Section mismatch in reference from the function omap4_hotplug_cpu() to the function .cpuinit.text:omap_secondary_startup() The function omap4_hotplug_cpu() references the function __cpuinit omap_secondary_startup(). This is often because omap4_hotplug_cpu lacks a __cpuinit annotation or the annotation of omap_secondary_startup is wrong. because omap4_hotplug_cpu() is used by power management code as well, which may not end up using omap_secondary_startup(). Acked-by: Tony Lindgren <tony@atomide.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
* ARM: omap: preemptively fix section mismatch in omap4_sdp4430_wifi_mux_init()Russell King2012-02-131-1/+1
| | | | | | | | | | | | | | | | | Found by review. omap4_sdp4430_wifi_mux_init() is called by an __init marked function, and only calls omap_mux_init_gpio() and omap_mux_init_signal() which are both also an __init marked functions. The only reason this doesn't issue a warning is because the compiler inlines omap4_sdp4430_wifi_mux_init() into omap4_sdp4430_wifi_init(). So, lets add the __init annotation to ensure this remains safe should the compiler choose not to inline. Acked-by: Tony Lindgren <tony@atomide.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
* ARM: omap: fix section mismatch warning in mux.cRussell King2012-02-131-4/+4
| | | | | | | | | | | WARNING: arch/arm/mach-omap2/built-in.o(.text+0x15a4): Section mismatch in reference from the function omap_mux_init_signals() to the function .init.text:omap_mux_init_signal() The function omap_mux_init_signals() references the function __init omap_mux_init_signal(). This is often because omap_mux_init_signals lacks a __init annotation or the annotation of omap_mux_init_signal is wrong. Acked-by: Tony Lindgren <tony@atomide.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
* ARM: omap: fix section mismatch errors in TWL PMIC driverRussell King2012-02-131-10/+10
| | | | | | | | | | | | | | WARNING: drivers/mfd/built-in.o(.devinit.text+0x258): Section mismatch in reference from the function twl_probe() to the function .init.text:twl4030_power_init() The function __devinit twl_probe() references a function __init twl4030_power_init(). If twl4030_power_init is only used by twl_probe then annotate twl4030_power_init with a matching annotation. twl4030_power_init() references other __init marked functions, so these too must become __devinit. Acked-by: Tony Lindgren <tony@atomide.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
* ARM: omap: fix uninformative vc/i2c configuration error messageRussell King2012-02-131-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | On my OMAP4 platform, I'm getting this error message repeated several times at boot: omap_vc_i2c_init: I2C config for all channels must match. omap_vc_i2c_init: I2C config for all channels must match. This doesn't help identify what the problem is. Fix this message to be more informative: omap_vc_i2c_init: I2C config for vdd_iva does not match other channels (0). omap_vc_i2c_init: I2C config for vdd_mpu does not match other channels (0). This allows us to identify which voltage domains have a problem, and what the I2C configuration state (a boolean, i2c_high_speed) setting being used actually is. From this we find that omap4_core_pmic has i2c_high_speed false, but omap4_iva_pmic and omap4_mpu_pmic both have it set true. Acked-by: Tony Lindgren <tony@atomide.com> Acked-by: Kevin Hilman <khilman@ti.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
* ARM: omap: fix vc.c PMIC error messageRussell King2012-02-131-4/+2
| | | | | | | | | | | | | | | | While testing on my OMAP3430 platform, this error message was emitted: omap_vc_init_channel: PMIC info requried to configure vc forvdd_core not populated.Hence cannot initialize vc Trying to find this message was difficult because it was wrapped across several lines. It also mis-spells "required", doesn't read very well, and has spaces lacking. Let's replace it with a more concise: omap_vc_init_channel: No PMIC info for vdd_core While we're here, fix a simple spelling error in a comment. Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
* ARM: omap: fix prm44xx.c OMAP44XX_IRQ_PRCM build errorRussell King2012-02-131-0/+1
| | | | | | | | | When CONFIG_OF is disabled, the compile fails with: arch/arm/mach-omap2/prm44xx.c:41: error: 'OMAP44XX_IRQ_PRCM' undeclared here (not in a function) Acked-by: Tony Lindgren <tony@atomide.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
* Linux 3.3-rc3v3.3-rc3Linus Torvalds2012-02-081-1/+1
|
* Merge branch 'iommu/fixes' of ↵Linus Torvalds2012-02-082-6/+4
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu One patch fixes an bug in the ARM/MSM IOMMU code which returned sucess in the unmap function even when an error occured and the other patch adds a workaround into the AMD IOMMU driver to better handle broken IVRS ACPI tables (this patch fixes the case when a device is not listed in the table but actually translated by the iommu). * 'iommu/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: iommu/msm: Fix error handling in msm_iommu_unmap() iommu/amd: Work around broken IVRS tables
| * iommu/msm: Fix error handling in msm_iommu_unmap()Joerg Roedel2012-01-301-6/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Error handling in msm_iommu_unmap() is broken. On some error conditions retval is set to a non-zero value which causes the function to return 'len' at the end. This hides the error from the user. Zero should be returned in those error cases. Cc: David Brown <davidb@codeaurora.org> Cc: Stepan Moskovchenko <stepanm@codeaurora.org> Cc: stable@vger.kernel.org # >= 3.1 Signed-off-by: Joerg Roedel <joerg.roedel@amd.com> Acked-by: David Brown <davidb@codeaurora.org>
| * iommu/amd: Work around broken IVRS tablesJoerg Roedel2012-01-231-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | On some systems the IVRS table does not contain all PCI devices present in the system. In case a device not present in the IVRS table is translated by the IOMMU no DMA is possible from that device by default. This patch fixes this by removing the DTE entry for every PCI device present in the system and not covered by IVRS. Cc: stable@vger.kernel.org # >= 3.0 Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
* | Merge branch '3.3-rc-fixes' of ↵Linus Torvalds2012-02-0821-140/+266
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending This series contains pending target bug-fixes and cleanups for v3.3-rc3 that have been addressed the past weeks in lio-core.git. Some of the highlights include: - Fix handling for control CDBs with data greater than PAGE_SIZE (andy) - Use IP_FREEBIND for iscsi-target to address network portal creation issues with systemd (dax) - Allow PERSISTENT RESERVE IN for non-reservation holder (marco) - Fix iblock se_dev_attrib.unmap_granularity (marco) - Fix unsupported WRITE_SAME sense payload handling (martin) - Add workaround for zero-length control CDB handling (nab) - Fix discovery with INADDR_ANY and IN6ADDR_ANY_INIT (nab) - Fix target_submit_cmd() exception handling (nab) - Return correct ASC for unimplemented VPD pages (roland) - Don't zero pages used for data buffers (roland) - Fix return code of core_tpg_.*_lun (sebastian) * '3.3-rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (26 commits) target: Fix unsupported WRITE_SAME sense payload iscsi: use IP_FREEBIND socket option iblock: fix handling of large requests target: handle empty string writes in sysfs iscsi_target: in_aton needs linux/inet.h target: Fix iblock se_dev_attrib.unmap_granularity target: Fix target_submit_cmd() exception handling target: Change target_submit_cmd() to return void target: accept REQUEST_SENSE with 18bytes target: Fail INQUIRY commands with EVPD==0 but PAGE CODE!=0 target: Return correct ASC for unimplemented VPD pages iscsi-target: Fix discovery with INADDR_ANY and IN6ADDR_ANY_INIT target: Allow control CDBs with data > 1 page iscsi-target: Fix up a few assignments iscsi-target: make one-bit bitfields unsigned iscsi-target: Fix double list_add with iscsit_alloc_buffs reject iscsi-target: Fix reject release handling in iscsit_free_cmd() target: fix return code of core_tpg_.*_lun target: use save/restore lock primitive in core_dec_lacl_count() target: avoid multiple outputs in scsi_dump_inquiry() ...
| * | target: Fix unsupported WRITE_SAME sense payloadMartin Svec2012-02-071-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a bug in target-core where unsupported WRITE_SAME ops from a target_check_write_same_discard() failure was incorrectly returning CHECK_CONDITION w/ TCM_INVALID_CDB_FIELD sense data. This was causing some clients to not properly fall back, so go ahead and use the correct TCM_UNSUPPORTED_SCSI_OPCODE sense for this case. Reported-by: Martin Svec <martin.svec@zoner.cz> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | iscsi: use IP_FREEBIND socket optionDax Kelson2012-02-071-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use IP_FREEBIND socket option so that iscsi portal configuration with explicit IP addresses can happen during boot, before network interfaces have been assigned IPs. This is especially important on systemd based Linux boxes where system boot happens asynchronously and non-trivial configuration must be done to get targetcli.service to start synchronously after the network is configured. Reference: http://lists.fedoraproject.org/pipermail/devel/2011-October/158025.html Signed-off-by: Dax Kelson <dkelson@gurulabs.com> Cc: "Nicholas A. Bellinger" <nab@linux-iscsi.org> Cc: "Andy Grover" <agrover@redhat.com> Cc: "Lennart Poettering" <lennart@poettering.net> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | iblock: fix handling of large requestsChristoph Hellwig2012-02-071-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | Requesting to many bvecs upsets bio_alloc_bioset, so limit the number we ask for to the amount it can handle. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: handle empty string writes in sysfsDan Carpenter2012-02-071-4/+8
| | | | | | | | | | | | | | | | | | | | | | | | These are root only and we're not likely to hit the problem in practise, but it makes the static checkers happy. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | iscsi_target: in_aton needs linux/inet.hStephen Rothwell2012-02-071-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes this error after a recent nfs cleanup: drivers/target/iscsi/iscsi_target_configfs.c: In function 'lio_target_call_addnptotpg': drivers/target/iscsi/iscsi_target_configfs.c:214:3: error: implicit declaration of function 'in6_pton' [-Werror=implicit-function-declaration] drivers/target/iscsi/iscsi_target_configfs.c:239:3: error: implicit declaration of function 'in_aton' [-Werror=implicit-function-declaration] Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: Fix iblock se_dev_attrib.unmap_granularityMarco Sanvido2012-02-071-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The block layer keeps q->limits.discard_granularity in bytes, but iblock (and the SCSI Block Limits VPD page) keep unmap_granularity in blocks. Report the correct value when exporting block devices by dividing to convert bytes to blocks. Signed-off-by: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: Fix target_submit_cmd() exception handlingNicholas Bellinger2012-02-071-8/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a bug in target_submit_cmd() where the failure path for transport_generic_allocate_tasks() made a direct call to transport_send_check_condition_and_sense() and not calling the final target_put_sess_cmd() release callback. For transport_generic_allocate_tasks() failures, use the proper call to transport_generic_request_failure() to handle kref_put() along with potential internal queue full response processing. It also makes transport_lookup_cmd_lun() failures in target_submit_cmd() use transport_send_check_condition_and_sense() and target_put_sess_cmd() directly to avoid se_cmd->se_dev reference in transport_generic_request_failure() handling. Finally it drops the out_check_cond: label and use direct reference for allocate task failures, and per-se_device queue_full handling is currently not supported for transport_lookup_cmd_lun() failure descriptors due to se_device dependency. Reported-by: Roland Dreier <roland@purestorage.com> Cc: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: Change target_submit_cmd() to return voidAndy Grover2012-02-073-11/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Retval not very useful, and may even be harmful. Once submitted, fabrics should expect a sense error if anything goes wrong. All fabrics checking of this retval are useless or broken: fc checks it just to emit more debug output. ib_srpt trickles retval up, then it is ignored. qla2xxx trickles it up, which then causes a bug because the abort goto in qla_target.c thinks cmd hasn't been sent to target. Just returning nothing is best. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: accept REQUEST_SENSE with 18bytesSebastian Andrzej Siewior2012-02-071-10/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | WindowsXP+BOT issues a MODE_SENSE request with page 0x1c which is not suppoerted by target. Target rejects that command with TCM_INVALID_CDB_FIELD, so far so good. On BOT I can't send the SENSE response back, instead I can only reply that an error occured. The next thing happens is a REQUEST_SENSE request with 18 bytes length. Since the check here is more than 18 bytes I have to NACK that request as well. This is not really required: We check for some additional room, but we never use it. The additional length is set to 0xa so the total length is 0xa + 8 = 18 which is fine with my 18 bytes. Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: Fail INQUIRY commands with EVPD==0 but PAGE CODE!=0Roland Dreier2012-01-181-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | My draft of SPC-4 says: If the PAGE CODE field is not set to zero when the EVPD bit is set to zero, the command shall be terminated with CHECK CONDITION status, with the sense key set to ILLEGAL REQUEST, and the additional sense code set to INVALID FIELD IN CDB. Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: <stable@vger.kernel.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: Return correct ASC for unimplemented VPD pagesRoland Dreier2012-01-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | My draft of SPC-4 says: If the device server does not implement the requested vital product data page, then the command shall be terminated with CHECK CONDITION status, with the sense key set to ILLEGAL REQUEST, and the additional sense code set to INVALID FIELD IN CDB. Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: <stable@vger.kernel.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | iscsi-target: Fix discovery with INADDR_ANY and IN6ADDR_ANY_INITNicholas Bellinger2012-01-183-8/+62
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch addresses a bug with sendtargets discovery where INADDR_ANY (0.0.0.0) + IN6ADDR_ANY_INIT ([0:0:0:0:0:0:0:0]) network portals where incorrectly being reported back to initiators instead of the address of the connecting interface. To address this, save local socket ->getname() output during iscsi login setup, and makes iscsit_build_sendtargets_response() return these TargetAddress keys when INADDR_ANY or IN6ADDR_ANY_INIT portals are in use. Reported-by: Dax Kelson <dkelson@gurulabs.com> Reported-by: Andy Grover <agrover@redhat.com> Cc: David S. Miller <davem@davemloft.net> Cc: <stable@vger.kernel.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: Allow control CDBs with data > 1 pageAndy Grover2012-01-188-54/+78
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We need to handle >1 page control cdbs, so extend the code to do a vmap if bigger than 1 page. It seems like kmap() is still preferable if just a page, fewer TLB shootdowns(?), so keep using that when possible. Rename function pair for their new scope. Signed-off-by: Andy Grover <agrover@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | iscsi-target: Fix up a few assignmentsJesper Juhl2012-01-181-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A statement such as struct iscsi_node_attrib *na = na = iscsit_tpg_get_node_attrib(sess); has undefined behaviour since there are two assignments to 'na', strictly speaking (the order in which side-effects from the assignments take place is undefined since there's no intervening sequence point), and it looks unintentional in any case. Signed-off-by: Jesper Juhl <jj@chaosbits.net> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | iscsi-target: make one-bit bitfields unsignedDan Carpenter2012-01-181-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed bitfields are a problem because instead of being 1 or 0 like you'd expect they are 0 and -1. It doesn't cause a problem in this case but sparse complains: drivers/target/iscsi/iscsi_target_core.h:564:56: error: dubious one-bit signed bitfield Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | iscsi-target: Fix double list_add with iscsit_alloc_buffs rejectNicholas Bellinger2012-01-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a bug where the iscsit_add_reject_from_cmd() call from a failure to iscsit_alloc_buffs() was incorrectly passing add_to_conn=1 and causing a double list_add after iscsi_cmd->i_list had already been added in iscsit_handle_scsi_cmd(). Cc: <stable@vger.kernel.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | iscsi-target: Fix reject release handling in iscsit_free_cmd()Nicholas Bellinger2012-01-181-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch addresses a bug where iscsit_free_cmd() was incorrectly calling iscsit_release_cmd() for ISCSI_OP_REJECT because iscsi_add_reject*() will overwrite the original iscsi_cmd->iscsi_opcode assignment. This bug was introduced with the following commit: commit 0be67f2ed8f577d2c72d917928394c5885fa9134 Author: Nicholas Bellinger <nab@linux-iscsi.org> Date: Sun Oct 9 01:48:14 2011 -0700 iscsi-target: Remove SCF_SE_LUN_CMD flag abuses and was manifesting itself as list corruption with the following: [ 131.191092] ------------[ cut here ]------------ [ 131.191092] WARNING: at lib/list_debug.c:53 __list_del_entry+0x8d/0x98() [ 131.191092] Hardware name: VMware Virtual Platform [ 131.191092] list_del corruption. prev->next should be ffff880022d3c100, but was 6b6b6b6b6b6b6b6b [ 131.191092] Modules linked in: tcm_vhost ib_srpt ib_cm ib_sa ib_mad ib_core tcm_qla2xxx qla2xxx tcm_loop tcm_fc libfc scsi_transport_fc crc32c iscsi_target_mod target_core_stgt scsi_tgt target_core_pscsi target_core_file target_core_iblock target_core_mod configfs ipv6 iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi sr_mod cdrom sd_mod e1000 ata_piix libata mptspi mptscsih mptbase [last unloaded: scsi_wait_scan] [ 131.191092] Pid: 2250, comm: iscsi_ttx Tainted: G W 3.2.0-rc4+ #42 [ 131.191092] Call Trace: [ 131.191092] [<ffffffff8103b553>] warn_slowpath_common+0x80/0x98 [ 131.191092] [<ffffffff8103b5ff>] warn_slowpath_fmt+0x41/0x43 [ 131.191092] [<ffffffff811d0279>] __list_del_entry+0x8d/0x98 [ 131.191092] [<ffffffffa01395c9>] transport_lun_remove_cmd+0x9b/0xb7 [target_core_mod] [ 131.191092] [<ffffffffa013a55c>] transport_generic_free_cmd+0x5d/0x71 [target_core_mod] [ 131.191092] [<ffffffffa01a012b>] iscsit_free_cmd+0x1e/0x27 [iscsi_target_mod] [ 131.191092] [<ffffffffa01a13be>] iscsit_close_connection+0x14d/0x5b2 [iscsi_target_mod] [ 131.191092] [<ffffffffa0196a0c>] iscsit_take_action_for_connection_exit+0xdb/0xe0 [iscsi_target_mod] [ 131.191092] [<ffffffffa01a55d4>] iscsi_target_tx_thread+0x15cb/0x1608 [iscsi_target_mod] [ 131.191092] [<ffffffff8103609a>] ? check_preempt_wakeup+0x121/0x185 [ 131.191092] [<ffffffff81030801>] ? __dequeue_entity+0x2e/0x33 [ 131.191092] [<ffffffffa01a4009>] ? iscsit_send_text_rsp+0x25f/0x25f [iscsi_target_mod] [ 131.191092] [<ffffffffa01a4009>] ? iscsit_send_text_rsp+0x25f/0x25f [iscsi_target_mod] [ 131.191092] [<ffffffff8138f706>] ? schedule+0x55/0x57 [ 131.191092] [<ffffffff81056c7d>] kthread+0x7d/0x85 [ 131.191092] [<ffffffff81399534>] kernel_thread_helper+0x4/0x10 [ 131.191092] [<ffffffff81056c00>] ? kthread_worker_fn+0x16d/0x16d [ 131.191092] [<ffffffff81399530>] ? gs_change+0x13/0x13 Reported-by: <jrepac@yahoo.com> Cc: <stable@vger.kernel.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: fix return code of core_tpg_.*_lunSebastian Andrzej Siewior2012-01-184-14/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - core_tpg_pre_addlun() returns always ERR_PTR() or the pointer, never NULL. The additional check for NULL in core_dev_add_lun() is not required. - core_tpg_pre_dellun() returns always ERR_PTR() or the pointer, never NULL. The check for NULL in core_dev_del_lun() is wrong. The third argument (int *) is never used, remove it. - core_dev_add_lun() returns always NULL or the pointer, never ERR_PTR. The check for IS_ERR() is not required. (nab: Convert core_dev_add_lun() use err.h macros for failure handling to be consistent with the rest of target_core_fabric_configfs.c callers) Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Cc: <stable@vger.kernel.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: use save/restore lock primitive in core_dec_lacl_count()Sebastian Andrzej Siewior2012-01-181-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It may happen that uasp will free the request in irq conntext, the callchain: uasp_cmd_release() -> transport_generic_free_cmd() -> core_dec_lacl_count() where the last function enables the IRQ. Those irqs are re-disabled later (due to the spin.*irq_restore) but in between we could get hurt. Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: avoid multiple outputs in scsi_dump_inquiry()Sebastian Andrzej Siewior2012-01-181-11/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | The multiple calls to pr_debug() each with one letter results in a new line. This patch merges the multiple requests into one call per line so we don't have the multiple line cuts. Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: Add workaround for zero-length control CDB handlingNicholas Bellinger2012-01-181-0/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a work-around for handling zero allocation length control CDBs (type SCF_SCSI_CONTROL_SG_IO_CDB) that was causing an OOPs with the following raw calls: # sg_raw -v /dev/sdd 3 0 0 0 0 0 # sg_raw -v /dev/sdd 0x1a 0 1 0 0 0 This patch will follow existing zero-length handling for data I/O and silently return with GOOD status. This addresses the zero length issue, but the proper long-term resolution for handling arbitary allocation lengths will be to refactor out data-phase handling in individual CDB emulation logic within target_core_cdb.c Reported-by: Roland Dreier <roland@purestorage.com> Cc: <stable@vger.kernel.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: Correct sense key for INVALID FIELD IN {PARAMETER LIST,CDB}Roland Dreier2012-01-181-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | According to SPC-4, the sense key for commands that are failed with INVALID FIELD IN PARAMETER LIST and INVALID FIELD IN CDB should be ILLEGAL REQUEST (5h) rather than ABORTED COMMAND (Bh). Without this patch, a tcm_loop LUN incorrectly gives: # sg_raw -r 1 -v /dev/sda 3 1 0 0 ff 0 Sense Information: Fixed format, current; Sense key: Aborted Command Additional sense: Invalid field in cdb Raw sense data (in hex): 70 00 0b 00 00 00 00 0a 00 00 00 00 24 00 00 00 00 00 While a real SCSI disk gives: Sense Information: Fixed format, current; Sense key: Illegal Request Additional sense: Invalid field in cdb Raw sense data (in hex): 70 00 05 00 00 00 00 18 00 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 with the main point being that the real disk gives a sense key of ILLEGAL REQUEST (5h). Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: <stable@vger.kernel.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: Don't zero pages used for data buffersroland@purestorage.com2012-01-181-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Doing alloc_page(GFP_KERNEL | __GFP_ZERO) to get pages used for data buffers wastes a lot of CPU clearing pages that will be quickly be overwritten by the actual data. However, for emulated control commands such as INQUIRY and so on, the code does assume that the buffer is zeroed. To avoid this CPU overhead, skip the __GFP_ZERO for commands that are actually moving data, ie cmds that have SCF_SCSI_DATA_SG_IO_CDB set. Signed-off-by: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: Allow PERSISTENT RESERVE IN for non-reservation holderMarco Sanvido2012-01-181-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Initiators that aren't the active reservation holder should be able to do a PERSISTENT RESERVE IN command in all cases, so add it to the list of allowed CDBs in core_scsi3_pr_seq_non_holder(). Signed-off-by: Marco Sanvido <marco@purestorage.com> Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: <stable@vger.kernel.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: Use correct preempted registration sense codeMarco Sanvido2012-01-181-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The comments quote the right parts of the spec: * d) Establish a unit attention condition for the * initiator port associated with every I_T nexus * that lost its registration other than the I_T * nexus on which the PERSISTENT RESERVE OUT command * was received, with the additional sense code set * to REGISTRATIONS PREEMPTED. and * e) Establish a unit attention condition for the initiator * port associated with every I_T nexus that lost its * persistent reservation and/or registration, with the * additional sense code set to REGISTRATIONS PREEMPTED; but the actual code accidentally uses ASCQ_2AH_RESERVATIONS_PREEMPTED instead of ASCQ_2AH_REGISTRATIONS_PREEMPTED. Fix this. Signed-off-by: Marco Sanvido <marco@purestorage.com> Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: <stable@vger.kernel.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| * | target: don't allocate bio headroom in iblockChristoph Hellwig2012-01-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | We never embedd the bio into a structure, so there is no need to allocate 64 bytes of headroom per bio. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
* | | Merge tag 'md-3.3-fixes' of git://neil.brown.name/mdLinus Torvalds2012-02-082-5/+12
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some simple md-related fixes. 1/ two small fixes to ensure we handle an interrupted resync properly. 2/ avoid loading the bitmap multiple times in dm-raid * tag 'md-3.3-fixes' of git://neil.brown.name/md: md: two small fixes to handling interrupt resync. Prevent DM RAID from loading bitmap twice.
| * | | md: two small fixes to handling interrupt resync.NeilBrown2012-02-071-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1/ If a resync is aborted we should record how far we got (recovery_cp) the last request that we know has completed (->curr_resync_completed) rather than the last request that was submitted (->curr_resync). 2/ When a resync aborts we still want to update the metadata with any changes, so set MD_CHANGE_DEVS even if we 'skip'. Signed-off-by: NeilBrown <neilb@suse.de>
| * | | Prevent DM RAID from loading bitmap twice.Jonathan Brassow2012-01-311-3/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The life cycle of a device-mapper target is: 1) create 2) resume 3) suspend *) possibly repeat from 2 4) destroy The dm-raid target is unconditionally calling MD's bitmap_load function upon every resume. If steps 2 & 3 above are repeated, bitmap_load is called multiple times. It is only written to be called once; otherwise, it allocates new memory for the bitmap (without freeing the old) and incrementing the number of pages it thinks it has without zeroing first. This ultimately leads to access beyond allocated memory and lost memory. Simply avoiding the bitmap_load call upon resume is not sufficient. If the target was suspended while the initial recovery was only partially complete, it needs to be restarted when the target is resumed. This is why 'md_wakeup_thread' is called before issuing the 'mddev_resume'. Signed-off-by: Jonathan Brassow <jbrassow@redhat.com> Signed-off-by: NeilBrown <neilb@suse.de>
* | | | Merge tag 'spi-for-linus' of git://git.secretlab.ca/git/linux-2.6Linus Torvalds2012-02-082-4/+4
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | SPI bug fixes for v3.3-rc2 Minor SPI device driver changes. A rename of the pch_spi_pcidev symbol that merely eliminates a modpost warning, and a Kconfig change to allow the Samsung spi driver to build on EXYNOS. * tag 'spi-for-linus' of git://git.secretlab.ca/git/linux-2.6: spi-topcliff-pch: rename pch_spi_pcidev to pch_spi_pcidev_driver spi: Add spi-s3c64xx driver dependency on ARCH_EXYNOS4
| * | | | spi-topcliff-pch: rename pch_spi_pcidev to pch_spi_pcidev_driverDanny Kukawka2012-02-051-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rename static struct pci_driver pch_spi_pcidev to pch_spi_pcidev_driver to get rid of warnings from modpost checks. Signed-off-by: Danny Kukawka <danny.kukawka@bisect.de> Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
| * | | | spi: Add spi-s3c64xx driver dependency on ARCH_EXYNOS4Sylwester Nawrocki2012-02-051-1/+1
| | |_|/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The spi-s3c64xx driver is also used on Exynos4 so update the dependency to enable build on those platforms. Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> [grant.likely: relax depends to ARCH_EXYNOS instead of ARCH_EXYNOS4] Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
* | | | Merge branch 'akpm' (Andrew's tree)Linus Torvalds2012-02-086-9/+18
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Five fixes * branch 'akpm': pcmcia: fix socket refcount decrementing on each resume mm: fix UP THP spin_is_locked BUGs drivers/leds/leds-lm3530.c: fix setting pltfm->als_vmax mm: compaction: check for overlapping nodes during isolation for migration nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
| * | | | pcmcia: fix socket refcount decrementing on each resumeRussell King2012-02-081-3/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes a memory-corrupting bug: not only does it cause the warning, but as a result of dropping the refcount to zero, it causes the pcmcia_socket0 device structure to be freed while it still has references, causing slab caches corruption. A fatal oops quickly follows this warning - often even just a 'dmesg' following the warning causes the kernel to oops. While testing suspend/resume on an ARM device with PCMCIA support, and a CF card inserted, I found that after five suspend and resumes, the kernel would complain, and shortly die after with slab corruption. WARNING: at include/linux/kref.h:41 kobject_get+0x28/0x50() As the message doesn't give a clue about which kobject, and the built-in debugging in drivers/base/power/main.c happens too late, this was added right before each get_device(): printk("%s: %p [%s] %u\n", __func__, dev, kobject_name(&dev->kobj), atomic_read(&dev->kobj.kref.refcount)); and on the 3rd s2ram cycle, the following behaviour observed: On the 3rd suspend/resume cycle: dpm_prepare: c1a0d998 [pcmcia_socket0] 3 dpm_suspend: c1a0d998 [pcmcia_socket0] 3 dpm_suspend_noirq: c1a0d998 [pcmcia_socket0] 3 dpm_resume_noirq: c1a0d998 [pcmcia_socket0] 3 dpm_resume: c1a0d998 [pcmcia_socket0] 3 dpm_complete: c1a0d998 [pcmcia_socket0] 2 4th: dpm_prepare: c1a0d998 [pcmcia_socket0] 2 dpm_suspend: c1a0d998 [pcmcia_socket0] 2 dpm_suspend_noirq: c1a0d998 [pcmcia_socket0] 2 dpm_resume_noirq: c1a0d998 [pcmcia_socket0] 2 dpm_resume: c1a0d998 [pcmcia_socket0] 2 dpm_complete: c1a0d998 [pcmcia_socket0] 1 5th: dpm_prepare: c1a0d998 [pcmcia_socket0] 1 dpm_suspend: c1a0d998 [pcmcia_socket0] 1 dpm_suspend_noirq: c1a0d998 [pcmcia_socket0] 1 dpm_resume_noirq: c1a0d998 [pcmcia_socket0] 1 dpm_resume: c1a0d998 [pcmcia_socket0] 1 dpm_complete: c1a0d998 [pcmcia_socket0] 0 ------------[ cut here ]------------ WARNING: at include/linux/kref.h:41 kobject_get+0x28/0x50() Modules linked in: ucb1x00_core Backtrace: [<c0212090>] (dump_backtrace+0x0/0x110) from [<c04799dc>] (dump_stack+0x18/0x1c) [<c04799c4>] (dump_stack+0x0/0x1c) from [<c021cba0>] (warn_slowpath_common+0x50/0x68) [<c021cb50>] (warn_slowpath_common+0x0/0x68) from [<c021cbdc>] (warn_slowpath_null+0x24/0x28) [<c021cbb8>] (warn_slowpath_null+0x0/0x28) from [<c0335374>] (kobject_get+0x28/0x50) [<c033534c>] (kobject_get+0x0/0x50) from [<c03804f4>] (get_device+0x1c/0x24) [<c0388c90>] (dpm_complete+0x0/0x1a0) from [<c0389cc0>] (dpm_resume_end+0x1c/0x20) ... Looking at commit 7b24e7988263 ("pcmcia: split up central event handler"), the following change was made to cs.c: return 0; } #endif - - send_event(skt, CS_EVENT_PM_RESUME, CS_EVENT_PRI_LOW); + if (!(skt->state & SOCKET_CARDBUS) && (skt->callback)) + skt->callback->early_resume(skt); return 0; } And the corresponding change in ds.c is from: -static int ds_event(struct pcmcia_socket *skt, event_t event, int priority) -{ - struct pcmcia_socket *s = pcmcia_get_socket(skt); ... - switch (event) { ... - case CS_EVENT_PM_RESUME: - if (verify_cis_cache(skt) != 0) { - dev_dbg(&skt->dev, "cis mismatch - different card\n"); - /* first, remove the card */ - ds_event(skt, CS_EVENT_CARD_REMOVAL, CS_EVENT_PRI_HIGH); - mutex_lock(&s->ops_mutex); - destroy_cis_cache(skt); - kfree(skt->fake_cis); - skt->fake_cis = NULL; - s->functions = 0; - mutex_unlock(&s->ops_mutex); - /* now, add the new card */ - ds_event(skt, CS_EVENT_CARD_INSERTION, - CS_EVENT_PRI_LOW); - } - break; ... - } - pcmcia_put_socket(s); - return 0; -} /* ds_event */ to: +static int pcmcia_bus_early_resume(struct pcmcia_socket *skt) +{ + if (!verify_cis_cache(skt)) { + pcmcia_put_socket(skt); + return 0; + } + dev_dbg(&skt->dev, "cis mismatch - different card\n"); + /* first, remove the card */ + pcmcia_bus_remove(skt); + mutex_lock(&skt->ops_mutex); + destroy_cis_cache(skt); + kfree(skt->fake_cis); + skt->fake_cis = NULL; + skt->functions = 0; + mutex_unlock(&skt->ops_mutex); + /* now, add the new card */ + pcmcia_bus_add(skt); + return 0; +} As can be seen, the original function called pcmcia_get_socket() and pcmcia_put_socket() around the guts, whereas the replacement code calls pcmcia_put_socket() only in one path. This creates an imbalance in the refcounting. Testing with pcmcia_put_socket() put removed shows that the bug is gone: dpm_suspend: c1a10998 [pcmcia_socket0] 5 dpm_suspend_noirq: c1a10998 [pcmcia_socket0] 5 dpm_resume_noirq: c1a10998 [pcmcia_socket0] 5 dpm_resume: c1a10998 [pcmcia_socket0] 5 dpm_complete: c1a10998 [pcmcia_socket0] 5 Tested-by: Russell King <rmk+kernel@arm.linux.org.uk> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> Cc: Dominik Brodowski <linux@dominikbrodowski.net> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| * | | | mm: fix UP THP spin_is_locked BUGsHugh Dickins2012-02-082-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix CONFIG_TRANSPARENT_HUGEPAGE=y CONFIG_SMP=n CONFIG_DEBUG_VM=y CONFIG_DEBUG_SPINLOCK=n kernel: spin_is_locked() is then always false, and so triggers some BUGs in Transparent HugePage codepaths. asm-generic/bug.h mentions this problem, and provides a WARN_ON_SMP(x); but being too lazy to add VM_BUG_ON_SMP, BUG_ON_SMP, WARN_ON_SMP_ONCE, VM_WARN_ON_SMP_ONCE, just test NR_CPUS != 1 in the existing VM_BUG_ONs. Signed-off-by: Hugh Dickins <hughd@google.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| * | | | drivers/leds/leds-lm3530.c: fix setting pltfm->als_vmaxAxel Lin2012-02-081-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In current code, pltfm->als_vmin is set to LM3530_ALS_WINDOW_mV and pltfm->als_vmax is 0. This does not make sense. I think what we want here is setting pltfm->als_vmax to LM3530_ALS_WINDOW_mV. Both als_vmin and als_vmax local variables will be set to pltfm->als_vmin and pltfm->als_vmax by a few lines latter. Thus also remove a redundant assignment for als_vmin and als_vmax in this patch. Signed-off-by: Axel Lin <axel.lin@gmail.com> Cc: Shreshtha Kumar Sahu <shreshthakumar.sahu@stericsson.com> Acked-by: Milo(Woogyom) Kim <milo.kim@ti.com> Tested-by: Milo(Woogyom) Kim <milo.kim@ti.com> Cc: Richard Purdie <rpurdie@rpsys.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| * | | | mm: compaction: check for overlapping nodes during isolation for migrationMel Gorman2012-02-081-1/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When isolating pages for migration, migration starts at the start of a zone while the free scanner starts at the end of the zone. Migration avoids entering a new zone by never going beyond the free scanned. Unfortunately, in very rare cases nodes can overlap. When this happens, migration isolates pages without the LRU lock held, corrupting lists which will trigger errors in reclaim or during page free such as in the following oops BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: [<ffffffff810f795c>] free_pcppages_bulk+0xcc/0x450 PGD 1dda554067 PUD 1e1cb58067 PMD 0 Oops: 0000 [#1] SMP CPU 37 Pid: 17088, comm: memcg_process_s Tainted: G X RIP: free_pcppages_bulk+0xcc/0x450 Process memcg_process_s (pid: 17088, threadinfo ffff881c2926e000, task ffff881c2926c0c0) Call Trace: free_hot_cold_page+0x17e/0x1f0 __pagevec_free+0x90/0xb0 release_pages+0x22a/0x260 pagevec_lru_move_fn+0xf3/0x110 putback_lru_page+0x66/0xe0 unmap_and_move+0x156/0x180 migrate_pages+0x9e/0x1b0 compact_zone+0x1f3/0x2f0 compact_zone_order+0xa2/0xe0 try_to_compact_pages+0xdf/0x110 __alloc_pages_direct_compact+0xee/0x1c0 __alloc_pages_slowpath+0x370/0x830 __alloc_pages_nodemask+0x1b1/0x1c0 alloc_pages_vma+0x9b/0x160 do_huge_pmd_anonymous_page+0x160/0x270 do_page_fault+0x207/0x4c0 page_fault+0x25/0x30 The "X" in the taint flag means that external modules were loaded but but is unrelated to the bug triggering. The real problem was because the PFN layout looks like this Zone PFN ranges: DMA 0x00000010 -> 0x00001000 DMA32 0x00001000 -> 0x00100000 Normal 0x00100000 -> 0x01e80000 Movable zone start PFN for each node early_node_map[14] active PFN ranges 0: 0x00000010 -> 0x0000009b 0: 0x00000100 -> 0x0007a1ec 0: 0x0007a354 -> 0x0007a379 0: 0x0007f7ff -> 0x0007f800 0: 0x00100000 -> 0x00680000 1: 0x00680000 -> 0x00e80000 0: 0x00e80000 -> 0x01080000 1: 0x01080000 -> 0x01280000 0: 0x01280000 -> 0x01480000 1: 0x01480000 -> 0x01680000 0: 0x01680000 -> 0x01880000 1: 0x01880000 -> 0x01a80000 0: 0x01a80000 -> 0x01c80000 1: 0x01c80000 -> 0x01e80000 The fix is straight-forward. isolate_migratepages() has to make a similar check to isolate_freepage to ensure that it never isolates pages from a zone it does not hold the LRU lock for. This was discovered in a 3.0-based kernel but it affects 3.1.x, 3.2.x and current mainline. Signed-off-by: Mel Gorman <mgorman@suse.de> Acked-by: Michal Nazarewicz <mina86@mina86.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| * | | | nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()Xi Wang2012-02-081-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | nsegs is read from userspace. Limit its value and avoid overflowing nsegs * sizeof(__u64) in the subsequent call to memdup_user(). This patch complements 481fe17e973fb9 ("nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()"). Signed-off-by: Xi Wang <xi.wang@gmail.com> Cc: Haogang Chen <haogangchen@gmail.com> Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
OpenPOWER on IntegriCloud