Hiroshi DOYU [Mon, 15 Feb 2010 18:03:32 +0000 (10:03 -0800)]
omap: iommu: fix incorrect address for supersection 1st entry
There was a potential risk that the following "memset" could override
its range if a given address was not the 1st entry of a
supersection. This is not the case for "iovmm".
Signed-off-by: Hiroshi DOYU <Hiroshi.DOYU@nokia.com> Signed-off-by: Hari Nagalla <hnagalla@ti.com> Signed-off-by: Tony Lindgren <tony@atomide.com>
Tony Lindgren [Fri, 12 Feb 2010 20:26:49 +0000 (12:26 -0800)]
omap2/3: Update omap3_defconfig to build in all the 2420 based boards
Note that booting 2420 depends on another patch posted earlier to not
select CONFIG_CPU_32v6K if CONFIG_ARCH_OMAP2 is selected.
Also note that we cannot add omap2430 in yet because of the different
clock addresses compared to 2420. Also note that we cannot have
CONFIG_CPU_32v6K=y in order to boot on 24xx.
Tony Lindgren [Mon, 15 Feb 2010 17:26:51 +0000 (09:26 -0800)]
omap2/3: Make get_irqnr_and_base common for mach-omap2 multiboot
Make get_irqnr_and_base common for mach-omap2 multiboot
Thanks to a tip from Russell King <rmk+kernel@arm.linux.org.uk>,
this also optimizes the code for non-multiboot configurations by
using get_irqnr_preamble.
Note that this will only work currently for 24xx and 34xx.
Support for 44xx can be added later on for basic multiboot,
and similar patch should be done for mach-omap1/entry-macro.S.
Tony Lindgren [Mon, 15 Feb 2010 16:49:01 +0000 (08:49 -0800)]
omap: Make uncompress code and DEBUG_LL code generic
Define arch_decomp_setup() the same way as some other
architectures do. Use arch_id to configure the debug uart
based on the machine_is by storing it into the uart
scratchpad register for DEBUG_LL code to use.
Tony Lindgren [Mon, 15 Feb 2010 16:48:53 +0000 (08:48 -0800)]
omap: Clean the serial port defines
This way we don't have conflicts with the defines
with compiling in multiple omaps. Set the addresses
for uarts in struct omap_globals for the early serial
init code.
Aaro Koskinen [Thu, 4 Feb 2010 11:06:59 +0000 (13:06 +0200)]
OMAP: hsmmc: fix memory leak
The platform data allocated with kmalloc() will become unreachable once
the init is complete, so it should be freed. The problem was discovered
by kmemleak.
Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com> Acked-by: Adrian Hunter <adrian.hunter@nokia.com> Signed-off-by: Tony Lindgren <tony@atomide.com>
Linus Torvalds [Sun, 7 Feb 2010 18:11:23 +0000 (10:11 -0800)]
Fix race in tty_fasync() properly
This reverts commit 703625118069 ("tty: fix race in tty_fasync") and
commit b04da8bfdfbb ("fnctl: f_modown should call write_lock_irqsave/
restore") that tried to fix up some of the fallout but was incomplete.
It turns out that we really cannot hold 'tty->ctrl_lock' over calling
__f_setown, because not only did that cause problems with interrupt
disables (which the second commit fixed), it also causes a potential
ABBA deadlock due to lock ordering.
Thanks to Tetsuo Handa for following up on the issue, and running
lockdep to show the problem. It goes roughly like this:
- f_getown gets filp->f_owner.lock for reading without interrupts
disabled, so an interrupt that happens while that lock is held can
cause a lockdep chain from f_owner.lock -> sighand->siglock.
- at the same time, the tty->ctrl_lock -> f_owner.lock chain that
commit 703625118069 introduced, together with the pre-existing
sighand->siglock -> tty->ctrl_lock chain means that we have a lock
dependency the other way too.
So instead of extending tty->ctrl_lock over the whole __f_setown() call,
we now just take a reference to the 'pid' structure while holding the
lock, and then release it after having done the __f_setown. That still
guarantees that 'struct pid' won't go away from under us, which is all
we really ever needed.
Linus Torvalds [Sat, 6 Feb 2010 21:01:39 +0000 (13:01 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/anholt/drm-intel
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/anholt/drm-intel:
drm/i915: Fix leak of relocs along do_execbuffer error path
drm/i915: slow acpi_lid_open() causes flickering - V2
drm/i915: Disable SR when more than one pipe is enabled
drm/i915: page flip support for Ironlake
drm/i915: Fix the incorrect DMI string for Samsung SX20S laptop
drm/i915: Add support for SDVO composite TV
drm/i915: don't trigger ironlake vblank interrupt at irq install
drm/i915: handle non-flip pending case when unpinning the scanout buffer
drm/i915: Fix the device info of Pineview
drm/i915: enable vblank interrupt on ironlake
drm/i915: Prevent use of uninitialized pointers along error path.
drm/i915: disable hotplug detect before Ironlake CRT detect
Linus Torvalds [Sat, 6 Feb 2010 00:16:50 +0000 (16:16 -0800)]
Fix potential crash with sys_move_pages
We incorrectly depended on the 'node_state/node_isset()' functions
testing the node range, rather than checking it explicitly. That's not
reliable, even if it might often happen to work. So do the proper
explicit test.
Jean Delvare [Fri, 5 Feb 2010 18:58:36 +0000 (19:58 +0100)]
hwmon: (w83781d) Request I/O ports individually for probing
Different motherboards have different PNP declarations for
W83781D/W83782D chips. Some declare the whole range of I/O ports (8
ports), some declare only the useful ports (2 ports at offset 5) and
some declare fancy ranges, for example 4 ports at offset 4. To
properly handle all cases, request all ports individually for probing.
After we have determined that we really have a W83781D or W83782D
chip, the useful port range will be requested again, as a single
block.
I did not see a board which needs this yet, but I know of one for lm78
driver and I'd like to keep the logic of these two drivers in sync.
Signed-off-by: Jean Delvare <khali@linux-fr.org> Cc: stable@kernel.org
Jean Delvare [Fri, 5 Feb 2010 18:58:36 +0000 (19:58 +0100)]
hwmon: (lm78) Request I/O ports individually for probing
Different motherboards have different PNP declarations for LM78/LM79
chips. Some declare the whole range of I/O ports (8 ports), some
declare only the useful ports (2 ports at offset 5) and some declare
fancy ranges, for example 4 ports at offset 4. To properly handle all
cases, request all ports individually for probing. After we have
determined that we really have an LM78 or LM79 chip, the useful port
range will be requested again, as a single block.
This fixes the driver on the Olivetti M3000 DT 540, at least.
Signed-off-by: Jean Delvare <khali@linux-fr.org> Cc: stable@kernel.org
Ray Copeland [Fri, 5 Feb 2010 18:58:35 +0000 (19:58 +0100)]
hwmon: (adt7462) Wrong ADT7462_VOLT_COUNT
The #define ADT7462_VOLT_COUNT is wrong, it should be 13 not 12. All the
for loops that use this as a limit count are of the typical form, "for
(n = 0; n < ADT7462_VOLT_COUNT; n++)", so to loop through all voltages
w/o missing the last one it is necessary for the count to be one greater
than it is. (Specifically, you will miss the +1.5V 3GPIO input with count
= 12 vs. 13.)
Signed-off-by: Ray Copeland <ray.copeland@aprius.com> Acked-by: "Darrick J. Wong" <djwong@us.ibm.com> Signed-off-by: Jean Delvare <khali@linux-fr.org> Cc: stable@kernel.org
Linus Torvalds [Fri, 5 Feb 2010 15:58:21 +0000 (07:58 -0800)]
Merge branch 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev
* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev:
[libata] Call flush_dcache_page after PIO data transfers in libata-sff.c
ahci: add Acer G725 to broken suspend list
libata: fix ata_id_logical_per_physical_sectors
libata-scsi passthru: fix bug which truncated LBA48 return values
Andres Salomon [Fri, 5 Feb 2010 06:42:43 +0000 (01:42 -0500)]
CS5536: apply pci quirk for BIOS SMBUS bug
The new cs5535-* drivers use PCI header config info rather than MSRs to
determine the memory region to use for things like GPIOs and MFGPTs. As
anticipated, we've run into a buggy BIOS:
This is a Soekris board, and its BIOS sets the size of the PCI ISA bridge
device's BAR0 to 8k. In reality, it should be 8 bytes (BAR0 is used for
SMBus stuff). This quirk checks for an incorrect size, and resets it
accordingly.
Linus Torvalds [Fri, 5 Feb 2010 15:24:01 +0000 (07:24 -0800)]
Merge branch 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6
* 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
drm/radeon/kms: fix r300 vram width calculations
drm/radeon/kms: rs400/480 MC setup is different than r300.
drm/radeon/kms: make initial state of load detect property correct.
drm/radeon/kms: disable HDMI audio for now on rv710/rv730
drm/radeon/kms: don't call suspend path before cleaning up GPU
drivers/gpu/drm/radeon/radeon_combios.c: fix warning
ati_pcigart: fix printk format warning
drm/r100/kms: Emit cache flush to the end of command buffer. (v2)
drm/radeon/kms: fix regression rendering issue on R6XX/R7XX
drm/radeon/kms: move blit initialization after we disabled VGA
* git://git.kernel.org/pub/scm/linux/kernel/git/mason/btrfs-unstable:
Btrfs: apply updated fallocate i_size fix
Btrfs: do not try and lookup the file extent when finishing ordered io
Btrfs: Fix oopsen when dropping empty tree.
Btrfs: remove BUG_ON() due to mounting bad filesystem
Btrfs: make error return negative in btrfs_sync_file()
Btrfs: fix race between allocate and release extent buffer.
Jaroslav Kysela [Fri, 5 Feb 2010 09:19:41 +0000 (10:19 +0100)]
ALSA: ice1724 - aureon - fix wm8770 volume offset
The volume register is from 0..0x7f and 0..0x1a range is mute.
Also, fix mute combining in wm_vol_put(). The wrong behaviour was
noticed by Peter Christensen.
Maxim Levitsky [Thu, 4 Feb 2010 20:21:47 +0000 (22:21 +0200)]
ALSA: hda - Delay switching to polling mode if an interrupt was missing
My sound codec seems sometimes (very rarely) to omit interrupts (ALC268)
However, interrupt mode still works.
Thus if we get timeout, poll the codec once.
If we get 3 such polls in a row, then switch to polling mode.
This patch is maybe an bandaid, but this might be a workaround for hardware bug.
Dave Airlie [Fri, 5 Feb 2010 03:41:54 +0000 (13:41 +1000)]
drm/radeon/kms: rs400/480 MC setup is different than r300.
Boot testing on my rs480 laptop found the MC idle never happened
on startup, a quick check with AMD found the idle bit is in a different
place on the rs4xx than r300.
Implement a new rs400 mc idle function to fix this.
Jerome Glisse [Tue, 2 Feb 2010 10:51:45 +0000 (11:51 +0100)]
drm/radeon/kms: don't call suspend path before cleaning up GPU
In suspend path we unmap the GART table while in cleaning up
path we will unbind buffer and thus try to write to unmapped
GART leading to oops. In order to avoid this we don't call the
suspend path in cleanup path. Cleanup path is clever enough
to desactive GPU like the suspend path is doing, thus this was
redondant.
Tested on: RV370, R420, RV515, RV570, RV610, RV770 (all PCIE)
Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
drivers/gpu/drm/radeon/radeon_combios.c: In function 'radeon_combios_get_lvds_info':
drivers/gpu/drm/radeon/radeon_combios.c:893: warning: comparison is always false due to limited range of data type
Cc: Dave Airlie <airlied@linux.ie> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
Randy Dunlap [Tue, 2 Feb 2010 22:40:33 +0000 (14:40 -0800)]
ati_pcigart: fix printk format warning
Fix ati_pcigart printk format warning:
drivers/gpu/drm/ati_pcigart.c:115: warning: format '%Lx' expects type 'long long unsigned int', but argument 3 has type 'dma_addr_t'
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Cc: Zhenyu Wang <zhenyuw@linux.intel.com> Cc: Dave Airlie <airlied@linux.ie> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
Jerome Glisse [Thu, 4 Feb 2010 19:36:39 +0000 (20:36 +0100)]
drm/radeon/kms: fix regression rendering issue on R6XX/R7XX
It seems that some R6XX/R7XX silently ignore HDP flush when
programmed through ring, this patch addback an ioctl callback
to allow R6XX/R7XX hw to perform such flush through MMIO in
order to fix a regression. For more details see:
http://bugzilla.kernel.org/show_bug.cgi?id=15186
Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
Jerome Glisse [Thu, 4 Feb 2010 16:27:27 +0000 (17:27 +0100)]
drm/radeon/kms: move blit initialization after we disabled VGA
VGA might be overwritting VRAM and corrupt our blit shader leading
to corruption, it likely won't happen if you load fbcon right after
radeon. Thanks to Shawn Starr and Andre Maasikas for tracking down
this issue.
Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
Linus Torvalds [Fri, 5 Feb 2010 00:09:01 +0000 (16:09 -0800)]
Merge master.kernel.org:/home/rmk/linux-2.6-arm
* master.kernel.org:/home/rmk/linux-2.6-arm:
ARM: Fix wrong register in proc-arm6_7.S data abort handler
ARM: 5909/1: ARM: Correct the FPSCR bits setting when raising exceptions
ARM: 5904/1: ARM: Always generate the IT instruction when compiling for Thumb-2
ARM: 5907/1: ARM: Fix the reset on the RealView PBX Development board
mx35: add a missing comma in a pad definition
mx25: make the FEC AHB clk secondary of the IPG
mx25: fix time accounting
mx25: properly initialize clocks
mx25: remove unused mx25_clocks_init() argument
i.MX25: implement secondary clocks for uarts and fec
i.MX25: Allow secondary clocks in DEFINE_CLOCK
ARM: MX3: Fixed typo in declared enum type name.
MXC: Add AUDMUXv2 register decode to debugfs
mx31ads: Provide an IRQ range to the WM835x on the 1133-EV1 module
mx31ads: Provide a name for EXPIO interrupt chip
mx31ads: Allow enable/disable of switchable supplies
Linus Torvalds [Fri, 5 Feb 2010 00:08:42 +0000 (16:08 -0800)]
Merge branch 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6
* 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6:
omap: Disable serial port autoidle by default
omap: Fix access to already released memory in clk_debugfs_register_one()
omap: Fix arch/arm/mach-omap2/mux.c: Off by one error
omap: Fix 3630 mux errors
OMAP2/3: GPMC: ensure valid clock pointer
OMAP2/3: IRQ: ensure valid base address
ARCH OMAP : enable ARCH_HAS_HOLES_MEMORYMODEL for OMAP
omap: Remove old unused defines for OMAP_32KSYNCT_BASE
omap: define _toggle_gpio_edge_triggering only for OMAP1
Linus Torvalds [Fri, 5 Feb 2010 00:08:15 +0000 (16:08 -0800)]
Merge branch 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6
* 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6:
NFS: Don't clobber the attribute type in nfs_update_inode()
NFS: Fix a umount race
NFS: Fix an Oops when truncating a file
NFS: Ensure that we handle NFS4ERR_STALE_STATEID correctly
NFSv4.1: Don't call nfs4_schedule_state_recovery() unnecessarily
NFSv4: Don't allow posix locking against servers that don't support it
NFSv4: Ensure that the NFSv4 locking can recover from stateid errors
NFS: Avoid warnings when CONFIG_NFS_V4=n
NFS: Make nfs_commitdata_release static
NFS: Try to commit unstable writes in nfs_release_page()
NFS: Fix a reference leak in nfs_wb_cancel_page()
Linus Torvalds [Fri, 5 Feb 2010 00:07:41 +0000 (16:07 -0800)]
Merge branch 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
* 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
futex: Handle futex value corruption gracefully
futex: Handle user space corruption gracefully
futex_lock_pi() key refcnt fix
softlockup: Add sched_clock_tick() to avoid kernel warning on kgdb resume
* git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-2.6-fixes:
GFS2: Extend umount wait coverage to full glock lifetime
GFS2: Wait for unlock completion on umount
Tejun Heo [Thu, 4 Feb 2010 08:57:37 +0000 (17:57 +0900)]
idr: revert misallocation bug fix
Commit 859ddf09743a8cc680af33f7259ccd0fd36bfe9d tried to fix
misallocation bug but broke full bit marking by not clearing
pa[idp->layers] and also is causing X failures due to lookup failure
in drm code. The cause of the latter hasn't been found yet. Revert
the fix for now.
Jaroslav Kysela [Tue, 2 Feb 2010 18:58:25 +0000 (19:58 +0100)]
ALSA: ctxfi - fix PTP address initialization
After hours of debugging, I finally found the reason why some source
and runtime combination does not work. The PTP (page table pages)
address must be aligned. I am not sure how much, but alignment to
PAGE_SIZE is sufficient. Also, use ALSA's page allocation routines
to ensure proper virtual -> physical address translation.
Cc: <stable@kernel.org> Signed-off-by: Jaroslav Kysela <perex@perex.cz>
acpi_lid_open() could take up to 10ms on my computer. Some component is
calling the drm GETCONNECTOR ioctl many times in a row. This results in
flickering (for example, when starting a video). Fix it by assuming an
always connected lid status.
Signed-off-by: Thomas Meyer <thomas@m3y3r.de> Signed-off-by: Eric Anholt <eric@anholt.net>
David John [Wed, 27 Jan 2010 09:49:08 +0000 (15:19 +0530)]
drm/i915: Disable SR when more than one pipe is enabled
Self Refresh should be disabled on dual plane configs. Otherwise, as
the SR watermark is not calculated for such configs, switching to non
VGA mode causes FIFO underrun and display flicker.
This fixes Korg Bug #14897.
Signed-off-by: David John <davidjon@xenontk.org> Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org> Cc: stable@kernel.org Signed-off-by: Eric Anholt <eric@anholt.net>
you would see long stalls where no work was being done. That is because we were
doing all this extra work to read in the file extent outside of the transaction,
however in the random io case this ends up hurting us because the file extents
are not there to begin with. So axe this logic, since we end up reading in the
file extent when we go to update it anyway. This took the fio job from 11 mb/s
with several ~10 second stalls to 24 mb/s to a couple of 1-2 second stalls.
Signed-off-by: Josef Bacik <josef@redhat.com> Signed-off-by: Chris Mason <chris.mason@oracle.com>
Miao Xie [Tue, 2 Feb 2010 08:46:44 +0000 (08:46 +0000)]
Btrfs: remove BUG_ON() due to mounting bad filesystem
Mounting a bad filesystem caused a BUG_ON(). The following is steps to
reproduce it.
# mkfs.btrfs /dev/sda2
# mount /dev/sda2 /mnt
# mkfs.btrfs /dev/sda1 /dev/sda2
(the program says that /dev/sda2 was mounted, and then exits. )
# umount /mnt
# mount /dev/sda1 /mnt
At the third step, mkfs.btrfs exited in the way of make filesystem. So the
initialization of the filesystem didn't finish. So the filesystem was bad, and
it caused BUG_ON() when mounting it. But BUG_ON() should be called by the wrong
code, not user's operation, so I think it is a bug of btrfs.
This patch fixes it.
Signed-off-by: Miao Xie <miaox@cn.fujitsu.com> Signed-off-by: Chris Mason <chris.mason@oracle.com>
Catalin Marinas [Thu, 4 Feb 2010 06:04:50 +0000 (01:04 -0500)]
[libata] Call flush_dcache_page after PIO data transfers in libata-sff.c
flush_dcache_page() must be called after (!ATA_TFLAG_WRITE) the
data copying to avoid D-cache aliasing with user space or I-D cache
coherency issues (when reading data from an ATA device using PIO,
the kernel dirties the D-cache but there is no flush_dcache_page()
required on Harvard architectures).
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Tejun Heo [Thu, 28 Jan 2010 07:04:15 +0000 (16:04 +0900)]
ahci: add Acer G725 to broken suspend list
Acer G725 shares the same suspend problem with the HP laptops which
lose ATA devices on resume. New firmware which fixes the problem is
already available. Add G725 with old firmwares to the broken suspend
list.
The value we get from the low byte of the ATA_ID_SECTOR_SIZE word is not not
a plain multiple, but the log of it, so fix the helper to give the correct
answer. Without this we'll get an incorrect minimal I/O size in the block
limits VPD page for 4k sector drives.
Also change the return value of ata_id_logical_per_physical_sectors to u16
for the unlikely case of very large logical sectors.
Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Tony Lindgren [Mon, 1 Feb 2010 20:34:31 +0000 (12:34 -0800)]
omap: Disable serial port autoidle by default
Currently the omap serial clocks are autoidled after 5 seconds.
However, this causes lost characters on the serial ports. As this
is considered non-standard behaviour for Linux, disable the timeout.
Note that this will also cause blocking of any deeper omap sleep
states.
To enable the autoidling of the serial ports, do something like
this for each serial port:
Tony Lindgren [Mon, 1 Feb 2010 19:22:54 +0000 (11:22 -0800)]
omap: Fix 3630 mux errors
3630 has more mux signals than 34xx. The additional pins
exist in omap36xx_cbp_subset, but are not initialized
as the superset is missing these offsets. This causes
the following errors during the boot:
Sriram [Fri, 29 Jan 2010 22:20:05 +0000 (14:20 -0800)]
ARCH OMAP : enable ARCH_HAS_HOLES_MEMORYMODEL for OMAP
OMAP platforms(like OMAP3530) include DSP or other co-processors
for media acceleration. when carving out memory for the
accelerators we can end up creating a hole in the memory map
of sort:
<kernel memory><hole(memory for accelerator)><kernel memory>
To handle such a memory configuration ARCH_HAS_HOLES_MEMORYMODEL
has to be enabled. For further information refer discussion at:
http://www.mail-archive.com/linux-omap@vger.kernel.org/msg15262.html.
Signed-off-by: Sriramakrishnan <srk@ti.com> Signed-off-by: Tony Lindgren <tony@atomide.com>
Thomas Gleixner [Wed, 3 Feb 2010 08:33:05 +0000 (09:33 +0100)]
futex: Handle futex value corruption gracefully
The WARN_ON in lookup_pi_state which complains about a mismatch
between pi_state->owner->pid and the pid which we retrieved from the
user space futex is completely bogus.
The code just emits the warning and then continues despite the fact
that it detected an inconsistent state of the futex. A conveniant way
for user space to spam the syslog.
Replace the WARN_ON by a consistency check. If the values do not match
return -EINVAL and let user space deal with the mess it created.
This also fixes the missing task_pid_vnr() when we compare the
pi_state->owner pid with the futex value.
Reported-by: Jermome Marchand <jmarchan@redhat.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Darren Hart <dvhltc@us.ibm.com> Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: <stable@kernel.org>
Thomas Gleixner [Tue, 2 Feb 2010 10:40:27 +0000 (11:40 +0100)]
futex: Handle user space corruption gracefully
If the owner of a PI futex dies we fix up the pi_state and set
pi_state->owner to NULL. When a malicious or just sloppy programmed
user space application sets the futex value to 0 e.g. by calling
pthread_mutex_init(), then the futex can be acquired again. A new
waiter manages to enqueue itself on the pi_state w/o damage, but on
unlock the kernel dereferences pi_state->owner and oopses.
Prevent this by checking pi_state->owner in the unlock path. If
pi_state->owner is not current we know that user space manipulated the
futex value. Ignore the mess and return -EINVAL.
This catches the above case and also the case where a task hijacks the
futex by setting the tid value and then tries to unlock it.
Reported-by: Jermome Marchand <jmarchan@redhat.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Darren Hart <dvhltc@us.ibm.com> Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: <stable@kernel.org>
This fixes a futex key reference count bug in futex_lock_pi(),
where a key's reference count is incremented twice but decremented
only once, causing the backing object to not be released.
If the futex is created in a temporary file in an ext3 file system,
this bug causes the file's inode to become an "undead" orphan,
which causes an oops from a BUG_ON() in ext3_put_super() when the
file system is unmounted. glibc's test suite is known to trigger this,
see <http://bugzilla.kernel.org/show_bug.cgi?id=14256>.
The bug is a regression from 2.6.28-git3, namely Peter Zijlstra's 38d47c1b7075bd7ec3881141bb3629da58f88dab "[PATCH] futex: rely on
get_user_pages() for shared futexes". That commit made get_futex_key()
also increment the reference count of the futex key, and updated its
callers to decrement the key's reference count before returning.
Unfortunately the normal exit path in futex_lock_pi() wasn't corrected:
the reference count is incremented by get_futex_key() and queue_lock(),
but the normal exit path only decrements once, via unqueue_me_pi().
The fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31
this is easily done by 'goto out_put_key' rather than 'goto out'.
Signed-off-by: Mikael Pettersson <mikpe@it.uu.se> Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl> Acked-by: Darren Hart <dvhltc@us.ibm.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: <stable@kernel.org>