summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* [MTD] [NAND] fsl_elbc_nand: fix OOB workability for large page NAND chipsAnton Vorontsov2008-07-111-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | For large page chips, nand_bbt is looking into OOB area, and checking for "0xff 0xff" pattern at OOB offset 0. That is, two bytes should be reserved for bbt means. But ELBC driver is specifying ecclayout so that oobfree area starts at offset 1, so only one byte left for the bbt purposes. This causes problems with any OOB users, namely JFFS2: after first mount JFFS2 will fill all OOBs with "erased marker", so OOBs will contain: OOB Data: ff 19 85 20 03 00 ff ff ff 00 00 08 ff ff ff ff OOB Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff OOB Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff OOB Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff And on the next boot, NAND core will rescan for bad blocks, then will see "0xff 0x19" pattern, and will mark all blocks as bad ones. To fix the issue we should implement our own bad block pattern: just one byte at OOB start. Though, this will work only for x8 chips. For x16 chips two bytes must be checked. Since ELBC driver does not support x16 NANDs (yet), we're safe for now. Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com> Acked-by: Scott Wood <scottwood@freescale.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
* [MTD] [NAND] atmel_nand can be modularDavid Brownell2008-07-111-1/+1
| | | | | | | | | | | There's no reason to prevent the Atmel NAND driver from building as a module. Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Håvard Skinnemoen <haavard.skinnemoen@atmel.com> Acked-by: Andrew Victor <linux@maxim.org.za> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
* [MTD] [NAND] atmel_nand: Work around AT32AP7000 ECC erratumHaavard Skinnemoen2008-07-111-2/+23
| | | | | | | | | | | | | The ALE signal isn't correctly wired up to the ECC controller on the AP7000, so it starts calculating ECC during the address cycles. Work around this by resetting the ECC controller between the address and data cycles. Signed-off-by: Håvard Skinnemoen <haavard.skinnemoen@atmel.com> Acked-by: Andrew Victor <linux@maxim.org.za> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
* [MTD] [NAND] atmel_nand speedup via {read,write}s{b,w}()David Brownell2008-07-111-5/+41
| | | | | | | | | | | | | | | | | | | | | | | | | | | This uses __raw_{read,write}s{b,w}() primitives to access data on NAND chips for more efficient I/O. On an arm926 with memory clocked at 100 MHz, this reduced the elapsed time for a 64 MiB read by 16%. ("dd" /dev/mtd0 to /dev/null, with an 8-bit NAND using hardware ECC and 128KiB blocksize.) Also some minor section tweaks: - Use platform_driver_probe() so no pointer to probe() lingers after that code has been removed at run-time. - Use __exit and __exit_p so the remove() code will normally be removed by the linker. Since these buffer read/write calls are new, this increases the runtime code footprint (by 88 bytes on my build, after the section tweaks). [haavard.skinnemoen@atmel.com: rebase onto atmel_nand rename] Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Håvard Skinnemoen <haavard.skinnemoen@atmel.com> Acked-by: Andrew Victor <linux@maxim.org.za> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
* [MTD] mtdchar.c remove shadowed variable warningsHarvey Harrison2008-07-111-9/+9
| | | | | | | | | | | | | | | | Use einfo, oinfo for the inner erase_info and otp_info structs used in individual case statements. drivers/mtd/mtdchar.c:582:26: warning: symbol 'info' shadows an earlier one drivers/mtd/mtdchar.c:380:23: originally declared here drivers/mtd/mtdchar.c:596:26: warning: symbol 'info' shadows an earlier one drivers/mtd/mtdchar.c:380:23: originally declared here drivers/mtd/mtdchar.c:704:19: warning: symbol 'info' shadows an earlier one drivers/mtd/mtdchar.c:380:23: originally declared here Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
* [MTD] mtdchar.c silence sparse warningHarvey Harrison2008-07-111-2/+2
| | | | | | | | | | | | | | | The copy_to_user was casting away the address space to get the offset of the length member. Use offsetof() instead and add it to the void __user *argp. drivers/mtd/mtdchar.c:527:23: warning: cast removes address space of expression drivers/mtd/mtdchar.c:527:23: warning: incorrect type in argument 1 (different address spaces) drivers/mtd/mtdchar.c:527:23: expected void [noderef] <asn:1>*to drivers/mtd/mtdchar.c:527:23: got unsigned int *<noident> Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
* [MTD] m25p80: fix bug - ATmel spi flash fails to be copied toMichael Hennerich2008-07-111-0/+22
| | | | | | | | | | | Atmel serial flash tends to power up with the protection status bits set. http://blackfin.uclinux.org/gf/project/uclinux-dist/tracker/?action=TrackerItemEdit&tracker_item_id=4089 [michael.hennerich@analog.com: remove duplicate code] Signed-off-by: Michael Hennerich <michael.hennerich@analog.com> Signed-off-by: Bryan Wu <cooloney@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
* Merge branch 'master' of ↵David Woodhouse2008-07-112978-38183/+84088
|\ | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6
| * Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds2008-07-1033-128/+351
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (27 commits) tun: Persistent devices can get stuck in xoff state xfrm: Add a XFRM_STATE_AF_UNSPEC flag to xfrm_usersa_info ipv6: missed namespace context in ipv6_rthdr_rcv netlabel: netlink_unicast calls kfree_skb on error path by itself ipv4: fib_trie: Fix lookup error return tcp: correct kcalloc usage ip: sysctl documentation cleanup Documentation: clarify tcp_{r,w}mem sysctl docs netfilter: nf_nat_snmp_basic: fix a range check in NAT for SNMP netfilter: nf_conntrack_tcp: fix endless loop libertas: fix memory alignment problems on the blackfin zd1211rw: stop beacons on remove_interface rt2x00: Disable synchronization during initialization rc80211_pid: Fix fast_start parameter handling sctp: Add documentation for sctp sysctl variable ipv6: fix race between ipv6_del_addr and DAD timer irda: Fix netlink error path return value irda: New device ID for nsc-ircc irda: via-ircc proper dma freeing sctp: Mark the tsn as received after all allocations finish ...
| | * tun: Persistent devices can get stuck in xoff stateMax Krasnyansky2008-07-101-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The scenario goes like this. App stops reading from tun/tap. TX queue gets full and driver does netif_stop_queue(). App closes fd and TX queue gets flushed as part of the cleanup. Next time the app opens tun/tap and starts reading from it but the xoff state is not cleared. We're stuck. Normally xoff state is cleared when netdev is brought up. But in the case of persistent devices this happens only during initial setup. The fix is trivial. If device is already up when an app opens it we clear xoff state and that gets things moving again. Signed-off-by: Max Krasnyansky <maxk@qualcomm.com> Tested-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * xfrm: Add a XFRM_STATE_AF_UNSPEC flag to xfrm_usersa_infoSteffen Klassert2008-07-102-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a XFRM_STATE_AF_UNSPEC flag to handle the AF_UNSPEC behavior for the selector family. Userspace applications can set this flag to leave the selector family of the xfrm_state unspecified. This can be used to to handle inter family tunnels if the selector is not set from userspace. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * ipv6: missed namespace context in ipv6_rthdr_rcvDenis V. Lunev2008-07-101-1/+1
| | | | | | | | | | | | | | | Signed-off-by: Denis V. Lunev <den@parallels.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * netlabel: netlink_unicast calls kfree_skb on error path by itselfDenis V. Lunev2008-07-103-21/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | So, no need to kfree_skb here on the error path. In this case we can simply return. Signed-off-by: Denis V. Lunev <den@openvz.org> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * ipv4: fib_trie: Fix lookup error returnBen Hutchings2008-07-101-11/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In commit a07f5f508a4d9728c8e57d7f66294bf5b254ff7f "[IPV4] fib_trie: style cleanup", the changes to check_leaf() and fn_trie_lookup() were wrong - where fn_trie_lookup() would previously return a negative error value from check_leaf(), it now returns 0. Now fn_trie_lookup() doesn't appear to care about plen, so we can revert check_leaf() to returning the error value. Signed-off-by: Ben Hutchings <bhutchings@solarflare.com> Tested-by: William Boughton <bill@boughton.de> Acked-by: Stephen Heminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * tcp: correct kcalloc usageMilton Miller2008-07-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | kcalloc is supposed to be called with the count as its first argument and the element size as the second. Signed-off-by: Milton Miller <miltonm@bga.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * ip: sysctl documentation cleanupStephen Hemminger2008-07-101-31/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Reduced version of the spelling cleanup patch. Take out the confusing language in tcp_frto, and organize the undocumented values. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Acked-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * Documentation: clarify tcp_{r,w}mem sysctl docsJ. Bruce Fields2008-07-101-11/+15
| | | | | | | | | | | | | | | | | | | | | Fix some of the defaults and attempt to clarify some language. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * Merge branch 'master' of ↵David S. Miller2008-07-099-25/+63
| | |\ | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
| | | * libertas: fix memory alignment problems on the blackfinIhar Hrachyshka2008-07-091-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixing unaligned memory access on the blackfin architecture. Signed-off-by: Ihar Hrachyshka <ihar.hrachyshka@promwad.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | | * zd1211rw: stop beacons on remove_interfaceLuis Carlos Cobo2008-07-091-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If a mesh or ad-hoc interface is brought up and later it is replaced by managed interface, the managed interface will keep transmitting the beacons that were configured for the former interface. This patch fixes that behaviour. Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | | * rt2x00: Disable synchronization during initializationIvo van Doorn2008-07-095-0/+47
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As soon as init_registers() was called, the rt2400/rt2500 would start raising beacondone interrupts. Since this is highly premature since no beacons were provided yet, we should initialize the synchronization register to 0. This will make all drivers initialize it to 0 regardless if they are raising beacondone interrupts or not, since it only makes sense to have it completely disabled. Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | | * rc80211_pid: Fix fast_start parameter handlingMattias Nissler2008-07-092-23/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This removes the fast_start parameter from the rc_pid parameters information and instead uses the parameter macro when initializing the rc_pid state. Since the parameter is only used on initialization, there is no point of making exporting it via debugfs. This also fixes uninitialized memory references to the fast_start and norm_offset parameters detected by the kmemcheck utility. Thanks to Vegard Nossum for reporting the bug. Signed-off-by: Mattias Nissler <mattias.nissler@gmx.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | netfilter: nf_nat_snmp_basic: fix a range check in NAT for SNMPDavid Howells2008-07-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix a range check in netfilter IP NAT for SNMP to always use a big enough size variable that the compiler won't moan about comparing it to ULONG_MAX/8 on a 64-bit platform. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * | netfilter: nf_conntrack_tcp: fix endless loopPatrick McHardy2008-07-091-2/+8
| | |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a conntrack entry is destroyed in process context and destruction is interrupted by packet processing and the packet is an attempt to reopen a closed connection, TCP conntrack tries to kill the old entry itself and returns NF_REPEAT to pass the packet through the hook again. This may lead to an endless loop: TCP conntrack repeatedly finds the old entry, but can not kill it itself since destruction is already in progress, but destruction in process context can not complete since TCP conntrack is keeping the CPU busy. Drop the packet in TCP conntrack if we can't kill the connection ourselves to avoid this. Reported by: hemao77@gmail.com [ Kernel bugzilla #11058 ] Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * sctp: Add documentation for sctp sysctl variableVlad Yasevich2008-07-081-0/+170
| | | | | | | | | | | | | | | | | | Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Acked-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * ipv6: fix race between ipv6_del_addr and DAD timerAndrey Vagin2008-07-081-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Consider the following scenario: ipv6_del_addr(ifp) ipv6_ifa_notify(RTM_DELADDR, ifp) ip6_del_rt(ifp->rt) after returning from the ipv6_ifa_notify and enabling BH-s back, but *before* calling the addrconf_del_timer the ifp->timer fires and: addrconf_dad_timer(ifp) addrconf_dad_completed(ifp) ipv6_ifa_notify(RTM_NEWADDR, ifp) ip6_ins_rt(ifp->rt) then return back to the ipv6_del_addr and: in6_ifa_put(ifp) inet6_ifa_finish_destroy(ifp) dst_release(&ifp->rt->u.dst) After this we have an ifp->rt inserted into fib6 lists, but queued for gc, which in turn can result in oopses in the fib6_run_gc. Maybe some other nasty things, but we caught only the oops in gc so far. The solution is to disarm the ifp->timer before flushing the rt from it. Signed-off-by: Andrey Vagin <avagin@parallels.com> Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * irda: Fix netlink error path return valueJulius Volz2008-07-081-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix an incorrect return value check of genlmsg_put() in irda_nl_get_mode(). genlmsg_put() does not use ERR_PTR() to encode return values, it just returns NULL on error. Signed-off-by: Julius Volz <juliusv@google.com> Signed-off-by: Samuel Ortiz <samuel@sortiz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * irda: New device ID for nsc-irccVille Syrjala2008-07-081-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | HP OmniBook 500's DSDT code changes the HID of the FIR device from NSC6001 to HWPC224 when run under an "NT" operating system. Add the new ID to the pnp device id table. Signed-off-by: Ville Syrjala <syrjala@sci.fi> Signed-off-by: Samuel Ortiz <samuel@sortiz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * irda: via-ircc proper dma freeingWang Chen2008-07-081-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | 1. dma should be freed when dma2 request fail. 2. dma2 should be freed too when device close. Signed-off-by: Wang Chen <wangchen@cn.fujitsu.com> Signed-off-by: Samuel Ortiz <samuel@sortiz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * sctp: Mark the tsn as received after all allocations finishVlad Yasevich2008-07-082-6/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If we don't have the buffer space or memory allocations fail, the data chunk is dropped, but TSN is still reported as received. This introduced a data loss that can't be recovered. We should only mark TSNs are received after memory allocations finish. The one exception is the invalid stream identifier, but that's due to user error and is reported back to the user. This was noticed by Michael Tuexen. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * mac80211: don't report selected IBSS when not foundVladimir Koutny2008-07-071-2/+4
| | | | | | | | | | | | | | | | | | | | | Don't report a 'selected' IBSS in sta_find_ibss when none was found. Signed-off-by: Vladimir Koutny <vlado@ksp.sk> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * ssb-pcicore: Fix IRQ-vector init on embedded devicesMichael Buesch2008-07-071-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | On embedded devices we must not route the interrupts through the PCI core, if our host-bus is not PCI. Reported-by: Steve Brown <sbrown@cortland.com> Signed-off-by: Michael Buesch <mb@bu3sch.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * zd1211rw: add ID for AirTies WUS-201Firat Birlik2008-07-071-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | I would like to inform you of our zd1211 based usb wifi adapter (AirTies WUS-201), which works with the zd1211rw driver with the following device id definition. Signed-off-by: Daniel Drake <dsd@gentoo.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * mac80211: Only flush workqueue when last interface was removedIvo van Doorn2008-07-071-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently the ieee80211_hw->workqueue is flushed each time an interface is being removed. However most scheduled work is not interface specific but device specific, for example things like periodic work for link tuners. This patch will move the flush_workqueue() call to directly behind the call to ops->stop() to make sure the workqueue is only flushed when all interfaces are gone and there really shouldn't be any scheduled work in the drivers left. Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * mac80211: move netif_carrier_on to after ieee80211_bss_info_change_notifyGuy Cohen2008-07-071-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Putting netif_carrier_on before configuring the driver/device with the new association state may cause a race (tx frames may be sent before configuration is done) Signed-off-by: Guy Cohen <guy.cohen@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * drivers/net/wireless/iwlwifi/iwl-3945.c Fix type issue on 64bitDarren Jenkins2008-07-071-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Coverity CID: 2265 NEGATIVE_RETURNS "rate" is of an unsigned type, and the code requires a signed type. The following patch makes it so. Signed-off-by: Darren Jenkins <darrenrjenkins@gmailcom> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * hostap_cs: correct poor NULL checks in suspend/resume routinesJohn W. Linville2008-07-071-4/+8
| | | | | | | | | | | | | | | | | | | | | | | | This corrects this kernel.org bug: http://bugzilla.kernel.org/show_bug.cgi?id=9701 Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | slub: Fix use-after-preempt of per-CPU data structureDmitry Adamushko2008-07-101-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Vegard Nossum reported a crash in kmem_cache_alloc(): BUG: unable to handle kernel paging request at da87d000 IP: [<c01991c7>] kmem_cache_alloc+0xc7/0xe0 *pde = 28180163 *pte = 1a87d160 Oops: 0002 [#1] PREEMPT SMP DEBUG_PAGEALLOC Pid: 3850, comm: grep Not tainted (2.6.26-rc9-00059-gb190333 #5) EIP: 0060:[<c01991c7>] EFLAGS: 00210203 CPU: 0 EIP is at kmem_cache_alloc+0xc7/0xe0 EAX: 00000000 EBX: da87c100 ECX: 1adad71a EDX: 6b6b6b6b ESI: 00200282 EDI: da87d000 EBP: f60bfe74 ESP: f60bfe54 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 and analyzed it: "The register %ecx looks innocent but is very important here. The disassembly: mov %edx,%ecx shr $0x2,%ecx rep stos %eax,%es:(%edi) <-- the fault So %ecx has been loaded from %edx... which is 0x6b6b6b6b/POISON_FREE. (0x6b6b6b6b >> 2 == 0x1adadada.) %ecx is the counter for the memset, from here: memset(object, 0, c->objsize); i.e. %ecx was loaded from c->objsize, so "c" must have been freed. Where did "c" come from? Uh-oh... c = get_cpu_slab(s, smp_processor_id()); This looks like it has very much to do with CPU hotplug/unplug. Is there a race between SLUB/hotplug since the CPU slab is used after it has been freed?" Good analysis. Yeah, it's possible that a caller of kmem_cache_alloc() -> slab_alloc() can be migrated on another CPU right after local_irq_restore() and before memset(). The inital cpu can become offline in the mean time (or a migration is a consequence of the CPU going offline) so its 'kmem_cache_cpu' structure gets freed ( slab_cpuup_callback). At some point of time the caller continues on another CPU having an obsolete pointer... Signed-off-by: Dmitry Adamushko <dmitry.adamushko@gmail.com> Reported-by: Vegard Nossum <vegard.nossum@gmail.com> Acked-by: Ingo Molnar <mingo@elte.hu> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| * | exec: fix stack excutability without PT_GNU_STACKHugh Dickins2008-07-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Kernel Bugzilla #11063 points out that on some architectures (e.g. x86_32) exec'ing an ELF without a PT_GNU_STACK program header should default to an executable stack; but this got broken by the unlimited argv feature because stack vma is now created before the right personality has been established: so breaking old binaries using nested function trampolines. Therefore re-evaluate VM_STACK_FLAGS in setup_arg_pages, where stack vm_flags used to be set, before the mprotect_fixup. Checking through our existing VM_flags, none would have changed since insert_vm_struct: so this seems safer than finding a way through the personality labyrinth. Reported-by: pageexec@freemail.hu Signed-off-by: Hugh Dickins <hugh@veritas.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| * | Merge branch 'upstream-linus' of ↵Linus Torvalds2008-07-101-7/+7
| |\ \ | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/mfasheh/ocfs2 * 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mfasheh/ocfs2: ocfs2: Fix flags in ocfs2_file_lock
| | * | ocfs2: Fix flags in ocfs2_file_lockMark Fasheh2008-07-101-7/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The stack-glue merge changed the way we use flags in dlmglue in that we now use the fs/dlm equivalents. Unfortunately, a merge error left the new flock code only partially updated. This took a while to show up though, because the lock level constants are actually identical between o2dlm and fs/dlm. The *_CONVERT and *_NOQUEUE flags have different values though, which is eventually causing a crash in flags_to_o2dlm(). Signed-off-by: Mark Fasheh <mfasheh@suse.com>
| * | | Merge branch 'sched-fixes-for-linus' of ↵Linus Torvalds2008-07-101-3/+4
| |\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: sched: fix cpu hotplug, cleanup sched: fix cpu hotplug
| | * | | sched: fix cpu hotplug, cleanupLinus Torvalds2008-07-101-6/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Clean up __migrate_task(): to just have separate "done" and "fail" cases, instead of that "out" case with random error behavior. Signed-off-by: Ingo Molnar <mingo@elte.hu>
| | * | | sched: fix cpu hotplugDmitry Adamushko2008-07-101-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I think we may have a race between try_to_wake_up() and migrate_live_tasks() -> move_task_off_dead_cpu() when the later one may end up looping endlessly. Interrupts are enabled on other CPUs when migration_call(CPU_DEAD, ...) is called so we may get a race between try_to_wake_up() and migrate_live_tasks() -> move_task_off_dead_cpu(). The former one may push a task out of a dead CPU causing the later one to loop endlessly. Heiko Carstens observed: | That's exactly what explains a dump I got yesterday. Thanks for fixing! :) Signed-off-by: Dmitry Adamushko <dmitry.adamushko@gmail.com> Cc: miaox@cn.fujitsu.com Cc: Lai Jiangshan <laijs@cn.fujitsu.com> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Avi Kivity <avi@qumranet.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Ingo Molnar <mingo@elte.hu>
| * | | | Merge branch 'x86-fixes-for-linus' of ↵Linus Torvalds2008-07-101-1/+24
| |\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: x86: fix /dev/mem compatibility under PAT
| | * | | | x86: fix /dev/mem compatibility under PATVenkatesh Pallipadi2008-07-101-1/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add ioremap_default(), which gives a sane mapping without worrying about type conflicts. Use it in /dev/mem read in place of ioremap(), as with ioremap(), any mapping of the region (other than UC_MINUS) will cause a conflict and failure of /dev/mem read. Should address the vbetest failure reported at: http://bugzilla.kernel.org/show_bug.cgi?id=11057 Signed-off-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com> Signed-off-by: Ingo Molnar <mingo@elte.hu>
| * | | | | Fix PREEMPT_RCU without HOTPLUG_CPUNick Piggin2008-07-101-12/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | PREEMPT_RCU without HOTPLUG_CPU is broken. The rcu_online_cpu is called to initially populate rcu_cpu_online_map with all online CPUs when the hotplug event handler is installed, and also to populate the map with CPUs as they come online. The former case is meant to happen with and without HOTPLUG_CPU, but without HOTPLUG_CPU, the rcu_offline_cpu function is no-oped -- while it still gets called, it does not set the rcu CPU map. With a blank RCU CPU map, grace periods get to tick by completely oblivious to active RCU read side critical sections. This results in free-before-grace bugs. Fix is obvious once the problem is known. (Also, change __devinit to __cpuinit so the function gets thrown away on !HOTPLUG_CPU kernels). Signed-off-by: Nick Piggin <npiggin@suse.de> Reported-and-tested-by: Alexey Dobriyan <adobriyan@gmail.com> Acked-by: Ingo Molnar <mingo@elte.hu> Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com> [ Nick is my personal hero of the day - Linus ] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| * | | | | ftrace: DocumentationSteven Rostedt2008-07-101-0/+1353
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is the long awaited ftrace.txt. It explains in quite detail how to use ftrace and the various tracers. Signed-off-by: Steven Rostedt <srostedt@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| * | | | | arch/x86/kernel/.gitignore: Added vmlinux.lds to .gitignore file because it ↵Daniel Guilak2008-07-101-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | shouldn't be tracked. Signed-off-by: Daniel Guilak <daniel@danielguilak.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| * | | | | kernel/kprobes.c: Made kprobe_blacklist static.Daniel Guilak2008-07-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Daniel Guilak <daniel@danielguilak.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
OpenPOWER on IntegriCloud