Kacper Kornet [Fri, 28 Jan 2011 23:21:04 +0000 (00:21 +0100)]
Fix prlimit64 for suid/sgid processes
Since check_prlimit_permission always fails in the case of SUID/GUID
processes, such processes are not able to read or set their own limits.
This commit changes this by assuming that process can always read/change
its own limits.
NTFS: Fix invalid pointer dereference in ntfs_mft_record_alloc().
In ntfs_mft_record_alloc() when mapping the new extent mft record with
map_extent_mft_record() we overwrite @m with the return value and on
error, we then try to use the old @m but that is no longer there as @m
now contains an error code instead so we crash when dereferencing the
error code as if it were a pointer.
The simple fix is to use a temporary variable to store the return value
thus preserving the original @m for later use. This is a backport from
the commercial Tuxera-NTFS driver and is well tested...
Thanks go to Julia Lawall for pointing this out (whilst I had fixed it
in the commercial driver I had failed to fix it in the Linux kernel).
Signed-off-by: Anton Altaparmakov <anton@tuxera.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Mon, 31 Jan 2011 02:55:38 +0000 (12:55 +1000)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-2.6-cm
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-2.6-cm:
kmemleak: Allow kmemleak metadata allocations to fail
kmemleak: remove memset by using kzalloc
Linus Torvalds [Mon, 31 Jan 2011 02:53:12 +0000 (12:53 +1000)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
ALSA: HDA: Fix automute on Thinkpad L412/L512
ALSA: HDA: Fix dmesg output of HDMI supported bits
ALSA: fix invalid hardware.h include in ac97c for AVR32 architecture
ASoC: correct link specifications for corgi, poodle and spitz
ASoC: Samsung: Fix outdated cpu_dai_name for s3c24xx i2s
ASoC: Fix codec device id format used by some dai_links
ALSA: azt3328 - fix broken AZF_FMT_XLATE macro
ALSA: Xonar, CS43xx: Don't overrun static array
ASoC: Handle low measured DC offsets for wm_hubs devices
ASoC: da8xx/omap-l1xx: match codec_name with i2c ids
ASoC: WM8994: fix wrong value in tristate function
ASoC: WM8995: Fix incorrect use of snd_soc_update_bits()
Linus Torvalds [Mon, 31 Jan 2011 02:51:28 +0000 (12:51 +1000)]
Merge branch 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev
* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev:
libata: set queue DMA alignment to sector size for ATAPI too
libata: DVR-212D can't do SETXFER DVD-RW DVR-212D
ahci: add HFLAG_YES_FBS and apply it to 88SE9128
pata_hpt37x: inherit prereset() method for HPT374
ahci: AHCI mode SATA patch for Intel DH89xxCC DeviceIDs
pata_hpt37x: fold 'if' statement into 'switch'
pata_hpt{37x|3x2n}: use pr_*(DRV_NAME ...) instead of printk(KERN_* ...)
pata_hpt{366|37x}: use pr_warning(...) instead of printk(KERN_WARNING ...)
pata_mpc52xx: inherit from ata_bmdma_port_ops
Tejun Heo [Thu, 20 Jan 2011 12:59:06 +0000 (13:59 +0100)]
libata: set queue DMA alignment to sector size for ATAPI too
ata_pio_sectors() expects buffer for each sector to be contained in a
single page; otherwise, it ends up overrunning the first page. This
is achieved by setting queue DMA alignment. If sector_size is smaller
than PAGE_SIZE and all buffers are sector_size aligned, buffer for
each sector is always contained in a single page.
This wasn't applied to ATAPI devices but IDENTIFY_PACKET is executed
as ATA_PROT_PIO and thus uses ata_pio_sectors(). Newer versions of
udev issue IDENTIFY_PACKET with unaligned buffer triggering the
problem and causing oops.
This patch fixes the problem by setting sdev->sector_size to
ATA_SECT_SIZE on ATATPI devices and always setting DMA alignment to
sector_size. While at it, add a warning for the unlikely but still
possible scenario where sector_size is larger than PAGE_SIZE, in which
case the alignment wouldn't be enough.
Signed-off-by: Tejun Heo <tj@kernel.org> Reported-by: John Stanley <jpsinthemix@verizon.net> Tested-by: John Stanley <jpsinthemix@verizon.net> Cc: stable@kernel.org Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Anssi Hannula [Wed, 19 Jan 2011 01:03:26 +0000 (20:03 -0500)]
ahci: add HFLAG_YES_FBS and apply it to 88SE9128
Commit 5f173107ecad83a50 added HFLAG_YES_FBS workaround for 88SE9128
(1b4b:9123).
However, that change inadvertently caused the legacy IDE interface of
the controller (with the same pci id) to become associated with the AHCI
driver as well, causing the driver to try to bring the interface up in
vain.
Fix that by matching against class as well.
Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Sergei Shtylyov [Tue, 11 Jan 2011 18:01:23 +0000 (21:01 +0300)]
pata_hpt37x: inherit prereset() method for HPT374
Commit ab81a505ae6be069be5b67acd7e1bab3cfb53968 (pata_hpt37x: unify ->pre_reset
methods) neglected to remove the initializer for the prereset() method from
'hpt374_fn1_port_ops' (it's inherited from 'hpt372_port_ops' anyway), as well
as to update the comment in hpt37x_init_one()...
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Sergei Shtylyov [Mon, 10 Jan 2011 19:31:13 +0000 (22:31 +0300)]
pata_hpt37x: fold 'if' statement into 'switch'
hpt37x_init_one() has a large *if* statement which should really be folded into
the *switch* statement that currently constitutes its *else* branch, reducing
one level of indentation...
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Linus Torvalds [Fri, 28 Jan 2011 02:24:34 +0000 (12:24 +1000)]
Merge branch 'stable/bug-fixes-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen
* 'stable/bug-fixes-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
xen/setup: Route halt operations to safe_halt pvop.
xen/e820: Guard against E820_RAM not having page-aligned size or start.
xen/p2m: Mark INVALID_P2M_ENTRY the mfn_list past max_pfn.
Linus Torvalds [Fri, 28 Jan 2011 02:12:58 +0000 (12:12 +1000)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
ceph: avoid picking MDS that is not active
ceph: avoid immediate cap check after import
ceph: fix flushing of caps vs cap import
ceph: fix erroneous cap flush to non-auth mds
ceph: fix cap_wanted_delay_{min,max} mount option initialization
ceph: fix xattr rbtree search
ceph: fix getattr on directory when using norbytes
Linus Torvalds [Fri, 28 Jan 2011 02:10:13 +0000 (12:10 +1000)]
Merge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6
* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
drm/nv50: fix regression on IGPs
drm/radeon/kms: re-emit full context state for evergreen blits
drm/radeon/kms: release CMASK access in preclose_kms
drm/radeon/kms: fix r6xx+ scanout on BE systems
drm/radeon/kms: clean up some magic numbers
drm/radeon/kms: only enable HDMI mode if radeon audio is enabled
radeon/kms: fix dp displayport mode validation
drm/nvc0/grctx: correct an off-by-one
drm/nv50: Fix race with PFIFO during PGRAPH context destruction.
drm/nouveau: Workaround incorrect DCB entry on a GeForce3 Ti 200.
drm/nvc0: implement irq handler for whatever's at 0x14xxxx
drm/nvc0: fix incorrect TPC register setup
drm/nouveau: probe for adt7473 before f75375
drm/nouveau: remove dead function definition
Linus Torvalds [Thu, 27 Jan 2011 20:43:41 +0000 (06:43 +1000)]
Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
percpu, x86: Fix percpu_xchg_op()
x86: Remove left over system_64.h
x86-64: Don't use pointer to out-of-scope variable in dump_trace()
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (43 commits)
bnx2: Eliminate AER error messages on systems not supporting it
cnic: Fix big endian bug
xfrm6: Don't forget to propagate peer into ipsec route.
tg3: Use new VLAN code
bonding: update documentation - alternate configuration.
TCP: fix a bug that triggers large number of TCP RST by mistake
MAINTAINERS: remove Reinette Chatre as iwlwifi maintainer
rt2x00: add device id for windy31 usb device
mac80211: fix a crash in ieee80211_beacon_get_tim on change_interface
ipv6: Revert 'administrative down' address handling changes.
textsearch: doc - fix spelling in lib/textsearch.c.
USB NET KL5KUSB101: Fix mem leak in error path of kaweth_download_firmware()
pch_gbe: don't use flush_scheduled_work()
bnx2: Always set ETH_FLAG_TXVLAN
net: clear heap allocation for ethtool_get_regs()
ipv6: Always clone offlink routes.
dcbnl: make get_app handling symmetric for IEEE and CEE DCBx
tcp: fix bug in listening_get_next()
inetpeer: Use correct AVL tree base pointer in inet_getpeer().
GRO: fix merging a paged skb after non-paged skbs
...
Replaced md4 hashing function local to cifs module with kernel crypto APIs.
As a result, md4 hashing function and its supporting functions in
file md4.c are not needed anymore.
Cleaned up function declarations, removed forward function declarations,
and removed a header file that is being deleted from being included.
Verified that sec=ntlm/i, sec=ntlmv2/i, and sec=ntlmssp/i work correctly.
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Catalin Marinas [Thu, 27 Jan 2011 10:30:26 +0000 (10:30 +0000)]
kmemleak: Allow kmemleak metadata allocations to fail
This patch adds __GFP_NORETRY and __GFP_NOMEMALLOC flags to the kmemleak
metadata allocations so that it has a smaller effect on the users of the
kernel slab allocator. Since kmemleak allocations can now fail more
often, this patch also reduces the verbosity by passing __GFP_NOWARN and
not dumping the stack trace when a kmemleak allocation fails.
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Reported-by: Toralf Förster <toralf.foerster@gmx.de> Acked-by: Pekka Enberg <penberg@cs.helsinki.fi> Acked-by: David Rientjes <rientjes@google.com> Cc: Ted Ts'o <tytso@mit.edu>
xen/setup: Route halt operations to safe_halt pvop.
With this patch, the cpuidle driver does not load and
does not issue the mwait operations. Instead the hypervisor
is doing them (b/c we call the safe_halt pvops call).
This fixes quite a lot of bootup issues wherein the user had
to force interrupts for the continuation of the bootup.
Reported-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Tested-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
We were not handling that and ended up setting up a pagetable
that included up to df66e000 with the disastrous effect that when
memset(NODE_DATA(nodeid), 0, sizeof(pg_data_t));
tried to clear the page it would crash at the 2K mark.
Initially reported by Michael Young @
http://lists.xensource.com/archives/html/xen-devel/2011-01/msg00108.html
The fix is to page-align the size and also take into consideration
the start of the E820 (in case that is not page-aligned either). This
fixes the bootup failure on those affected machines.
This patch is a rework of the Micheal A Young initial patch and
considers the case if the start is not page-aligned.
Reported-by: Michael A Young <m.a.young@durham.ac.uk> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Michael A Young <m.a.young@durham.ac.uk>
Stefan Bader [Thu, 27 Jan 2011 15:03:14 +0000 (10:03 -0500)]
xen/p2m: Mark INVALID_P2M_ENTRY the mfn_list past max_pfn.
In case the mfn_list does not have enough entries to fill
a p2m page we do not want the entries from max_pfn up to
the boundary to be filled with unknown values. Hence
set them to INVALID_P2M_ENTRY.
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Grant Likely [Sun, 16 Jan 2011 05:41:27 +0000 (22:41 -0700)]
arm/tegra: Fix tegra irq_data conversion
Commit 37337a8d5e68d6e19075dbdb3acf4f1011dae972, "ARM: tegra: irq_data
conversion." missed changing one reference to 'irq' in the function
tegra_gpio_irq_set_type(). This patch fixes the build error.
Signed-off-by: Grant Likely <grant.likely@secretlab.ca> Acked-by: Lennert Buytenhek <buytenh@secretlab.ca> Acked-by: Olof Johansson <olof@lixom.net> Signed-off-by: Colin Cross <ccross@android.com>
Alex Deucher [Tue, 25 Jan 2011 16:55:50 +0000 (11:55 -0500)]
drm/radeon/kms: fix r6xx+ scanout on BE systems
R6xx+ have per-block swappers. BE content in the
framebuffer will now be swapped properly during scanout.
Untested, however, the same code is reported working in
the UMS ddx.
Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@gmail.com>
Reported-by: Breno Leitao <leitao@linux.vnet.ibm.com> Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Michael Chan [Tue, 25 Jan 2011 22:14:50 +0000 (22:14 +0000)]
cnic: Fix big endian bug
The chip's page tables did not set up properly on big endian machines,
causing EEH errors on PPC machines.
Reported-by: Breno Leitao <leitao@linux.vnet.ibm.com> Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Matt Carlson [Wed, 26 Jan 2011 21:13:10 +0000 (13:13 -0800)]
tg3: Use new VLAN code
This patch pivots the tg3 driver to the new VLAN infrastructure.
All references to vlgrp have been removed. The driver still attempts to
disable VLAN tag stripping if CONFIG_VLAN_8021Q or
CONFIG_VLAN_8021Q_MODULE is not defined.
Signed-off-by: Matt Carlson <mcarlson@broadcom.com> Reviewed-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
BugLink: http://bugs.launchpad.net/bugs/707902
More Thinkpad machines with invalid SKU found, that disables
automute between speakers and headphones on these machines.
Signed-off-by: David Henningsson <david.henningsson@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
avr32: add missing include causing undefined pgtable_page_* references
This patch adds the linux/mm.h header file to the AVR32 arch pgalloc.c
implementation to fix the undefined reference to pgtable_page_ctor() and
pgtable_page_dtor().
Paul Turner [Sat, 22 Jan 2011 04:45:02 +0000 (20:45 -0800)]
sched: Use rq->clock_task instead of rq->clock for correctly maintaining load averages
The delta in clock_task is a more fair attribution of how much time a tg has
been contributing load to the current cpu.
While not really important it also means we're more in sync (by magnitude)
with respect to periodic updates (since __update_curr deltas are clock_task
based).
Signed-off-by: Paul Turner <pjt@google.com> Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
LKML-Reference: <20110122044852.007092349@google.com> Signed-off-by: Ingo Molnar <mingo@elte.hu>
Paul Turner [Sat, 22 Jan 2011 04:45:00 +0000 (20:45 -0800)]
sched: Fix/remove redundant cfs_rq checks
Since updates are against an entity's queuing cfs_rq it's not possible to
enter update_cfs_{shares,load} with a NULL cfs_rq. (Indeed, update_cfs_load
would crash prior to the check if we did anyway since we load is examined
during the initializers).
Also, in the update_cfs_load case there's no point
in maintaining averages for rq->cfs_rq since we don't perform shares
distribution at that level -- NULL check is replaced accordingly.
Thanks to Dan Carpenter for pointing out the deference before NULL check.
Signed-off-by: Paul Turner <pjt@google.com> Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
LKML-Reference: <20110122044851.825284940@google.com> Signed-off-by: Ingo Molnar <mingo@elte.hu>
Paul Turner [Sat, 22 Jan 2011 04:44:59 +0000 (20:44 -0800)]
sched: Fix sign under-flows in wake_affine
While care is taken around the zero-point in effective_load to not exceed
the instantaneous rq->weight, it's still possible (e.g. using wake_idx != 0)
for (load + effective_load) to underflow.
In this case the comparing the unsigned values can result in incorrect balanced
decisions.
Signed-off-by: Paul Turner <pjt@google.com> Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
LKML-Reference: <20110122044851.734245014@google.com> Signed-off-by: Ingo Molnar <mingo@elte.hu>
Dave Airlie [Wed, 26 Jan 2011 07:12:42 +0000 (17:12 +1000)]
Merge branch 'drm-nouveau-next' of git://git.freedesktop.org/git/nouveau/linux-2.6 into drm-fixes
* 'drm-nouveau-next' of git://git.freedesktop.org/git/nouveau/linux-2.6:
drm/nvc0/grctx: correct an off-by-one
drm/nv50: Fix race with PFIFO during PGRAPH context destruction.
drm/nouveau: Workaround incorrect DCB entry on a GeForce3 Ti 200.
drm/nvc0: implement irq handler for whatever's at 0x14xxxx
drm/nvc0: fix incorrect TPC register setup
drm/nouveau: probe for adt7473 before f75375
drm/nouveau: remove dead function definition
Sonic Zhang [Wed, 12 Jan 2011 03:39:35 +0000 (22:39 -0500)]
mmc: bfin_sdh: fix alloc size for private data
The bfin_sdh driver allocates the wrong size for the private data
in the mmc_host. The first parameter of mmc_alloc_host should be
the size of the local driver struct rather than the common mmc_host.
Signed-off-by: Sonic Zhang <sonic.zhang@analog.com> Signed-off-by: Mike Frysinger <vapier@gentoo.org> Cc: <stable@kernel.org> Signed-off-by: Chris Ball <cjb@laptop.org>
Jaehoon Chung [Wed, 12 Jan 2011 02:59:12 +0000 (11:59 +0900)]
mmc: sdhci-s3c: add platform_8bit_width() hook
We have 8-bit width support but is not a v3 controller.
So we need platform_8bit_width() to support 8-bit buswidth.
Also we need MMC_CAP_8_BIT_DATA, so we add it in platdata.
This gets 8-bit support working again on s3c, after we previously
disabled 8-bit by default on non-v3 controllers.
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> Signed-off-by: Chris Ball <cjb@laptop.org>
Jamie Iles [Tue, 11 Jan 2011 12:43:50 +0000 (12:43 +0000)]
mmc: jz4740: don't treat NULL clk as an error
clk_get() returns a struct clk cookie to the driver and some platforms
may return NULL if they only support a single clock. clk_get() has only
failed if it returns a ERR_PTR() encoded pointer.
Signed-off-by: Jamie Iles <jamie@jamieiles.com> Signed-off-by: Chris Ball <cjb@laptop.org>
mmc: mmci: don't read command response when invalid
Don't read the command response from the registers when either the
command timed out (because there was no response from the card) or
the checksum on the response was invalid.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> Signed-off-by: Chris Ball <cjb@laptop.org>
Torben Hohn [Tue, 25 Jan 2011 23:07:35 +0000 (15:07 -0800)]
console: rename acquire/release_console_sem() to console_lock/unlock()
The -rt patches change the console_semaphore to console_mutex. As a
result, a quite large chunk of the patches changes all
acquire/release_console_sem() to acquire/release_console_mutex()
This commit makes things use more neutral function names which dont make
implications about the underlying lock.
The only real change is the return value of console_trylock which is
inverted from try_acquire_console_sem()
This patch also paves the way to switching console_sem from a semaphore to
a mutex.
[akpm@linux-foundation.org: coding-style fixes]
[akpm@linux-foundation.org: make console_trylock return 1 on success, per Geert] Signed-off-by: Torben Hohn <torbenh@gmx.de> Cc: Thomas Gleixner <tglx@tglx.de> Cc: Greg KH <gregkh@suse.de> Cc: Ingo Molnar <mingo@elte.hu> Cc: Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Phillip Lougher [Tue, 25 Jan 2011 23:07:34 +0000 (15:07 -0800)]
squashfs: fix use of uninitialised variable in zlib & xz decompressors
Fix potential use of uninitialised variable caused by recent
decompressor code optimisations.
In zlib_uncompress (zlib_wrapper.c) we have
int zlib_err, zlib_init = 0;
...
do {
...
if (avail == 0) {
offset = 0;
put_bh(bh[k++]);
continue;
}
...
zlib_err = zlib_inflate(stream, Z_SYNC_FLUSH);
...
} while (zlib_err == Z_OK);
If continue is executed (avail == 0) then the while condition will be
evaluated testing zlib_err, which is uninitialised first time around the
loop.
Fix this by getting rid of the 'if (avail == 0)' condition test, this
edge condition should not be being handled in the decompressor code, and
instead handle it generically in the caller code.
Similarly for xz_wrapper.c.
Incidentally, on most architectures (bar Mips and Parisc), no
uninitialised variable warning is generated by gcc, this is because the
while condition test on continue is optimised out and not performed
(when executing continue zlib_err has not been changed since entering
the loop, and logically if the while condition was true previously, then
it's still true).
radix_tree_range_tag_if_tagged() always tags the root tag with settag
if the root tag is set with iftag even if there are no iftag tags
in the specified range (Of course, there are some iftag tags
outside the specified range).
__lookup_tag():
- Return with 0.
- Return with the index which is not bigger than the old one as the
input parameter.
Therefore the following "while" repeats forever because the above
conditions cause "ret" not to be updated and the cur_index cannot be
changed into the bigger one.
radix_tree_gang_lookup_tag_slot():
1178 while (ret < max_items) {
1179 unsigned int slots_found;
1180 unsigned long next_index; /* Index of next search */
1181
1182 if (cur_index > max_index)
1183 break;
1184 slots_found = __lookup_tag(node, results + ret,
1185 cur_index, max_items - ret, &next_index,
tag);
1186 ret += slots_found;
// cannot update ret because slots_found == 0.
// so, this while loops forever.
1187 if (next_index == 0)
1188 break;
1189 cur_index = next_index;
1190 }
(2) Why does __lookup_tag() return with 0 and doesn't update the index?
Assuming the following:
- the one of the slot in radix_tree_node is NULL.
- the one of the tag which corresponds to the slot sets with
PAGECACHE_TAG_TOWRITE or other.
- In a certain height(!=0), the corresponding index is 0.
a) __lookup_tag() notices that the tag is set.
1005 static unsigned int
1006 __lookup_tag(struct radix_tree_node *slot, void ***results, unsigned long index,
1007 unsigned int max_items, unsigned long *next_index, unsigned int tag)
1008 {
1009 unsigned int nr_found = 0;
1010 unsigned int shift, height;
1011
1012 height = slot->height;
1013 if (height == 0)
1014 goto out;
1015 shift = (height-1) * RADIX_TREE_MAP_SHIFT;
1016
1017 while (height > 0) {
1018 unsigned long i = (index >> shift) & RADIX_TREE_MAP_MASK ;
1019
1020 for (;;) {
1021 if (tag_get(slot, tag, i))
1022 break;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* the index is not updated yet.
b) __lookup_tag() notices that the slot is NULL.
1023 index &= ~((1UL << shift) - 1);
1024 index += 1UL << shift;
1025 if (index == 0)
1026 goto out; /* 32-bit wraparound */
1027 i++;
1028 if (i == RADIX_TREE_MAP_SIZE)
1029 goto out;
1030 }
1031 height--;
1032 if (height == 0) { /* Bottom level: grab some items */
...
1055 }
1056 shift -= RADIX_TREE_MAP_SHIFT;
1057 slot = rcu_dereference_raw(slot->slots[i]);
1058 if (slot == NULL)
1059 break;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
c) __lookup_tag() doesn't update the index and return with 0.
Because radix_tree_range_tag_if_tagged() always sets the root tag with
PAGECACHE_TAG_TOWRITE if the root tag is set with PAGECACHE_TAG_DIRTY,
even if there is no tag which can be set with PAGECACHE_TAG_TOWRITE
in the specified range (from *first_indexp to last_index). Of course,
some PAGECACHE_TAG_DIRTY nodes must exist outside the specified range.
(radix_tree_range_tag_if_tagged() is called only from tag_pages_for_writeback())
640 unsigned long radix_tree_range_tag_if_tagged(struct radix_tree_root
*root,
641 unsigned long *first_indexp, unsigned long last_index,
642 unsigned long nr_to_tag,
643 unsigned int iftag, unsigned int settag)
644 {
645 unsigned int height = root->height;
646 struct radix_tree_path path[height];
647 struct radix_tree_path *pathp = path;
648 struct radix_tree_node *slot;
649 unsigned int shift;
650 unsigned long tagged = 0;
651 unsigned long index = *first_indexp;
652
653 last_index = min(last_index, radix_tree_maxindex(height));
654 if (index > last_index)
655 return 0;
656 if (!nr_to_tag)
657 return 0;
658 if (!root_tag_get(root, iftag)) {
659 *first_indexp = last_index + 1;
660 return 0;
661 }
662 if (height == 0) {
663 *first_indexp = last_index + 1;
664 root_tag_set(root, settag);
665 return 1;
666 }
...
733 root_tag_set(root, settag);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
734 *first_indexp = index;
735
736 return tagged;
737 }
As the result, there is no radix_tree_node which is set with
PAGECACHE_TAG_TOWRITE but the root tag(radix_tree_root) is set with
PAGECACHE_TAG_TOWRITE.
[figure: inside radix_tree]
(Please see the figure with typewriter font)
===========================================
[roottag = DIRTY]
| tag=0:NOTHING
tag[0 0 0 1] 1:DIRTY
[x x x +] 2:WRITEBACK
| 3:DIRTY,WRITEBACK
p 4:TOWRITE
<---> 5:DIRTY,TOWRITE ...
specified range (index: 0 to 2)
* There is no DIRTY tag within the specified range.
(But there is a DIRTY tag outside that range.)
| | | | | | | | |
after calling tag_pages_for_writeback()
| | | | | | | | |
v v v v v v v v v
[roottag = DIRTY,TOWRITE]
| p is "page".
tag[0 0 0 1] x is NULL.
[x x x +] +- is a pointer to "page".
|
p
* But TOWRITE tag is set on the root tag.
============================================
After that, radix_tree_extend() via radix_tree_insert() is called
when the page is added.
This function sets the new radix_tree_node with PAGECACHE_TAG_TOWRITE
to succeed the status of the root tag.
246 static int radix_tree_extend(struct radix_tree_root *root, unsigned long
index)
247 {
248 struct radix_tree_node *node;
249 unsigned int height;
250 int tag;
251
252 /* Figure out what the height should be. */
253 height = root->height + 1;
254 while (index > radix_tree_maxindex(height))
255 height++;
256
257 if (root->rnode == NULL) {
258 root->height = height;
259 goto out;
260 }
261
262 do {
263 unsigned int newheight;
264 if (!(node = radix_tree_node_alloc(root)))
265 return -ENOMEM;
266
267 /* Increase the height. */
268 node->slots[0] = radix_tree_indirect_to_ptr(root->rnode);
269
270 /* Propagate the aggregated tag info into the new root */
271 for (tag = 0; tag < RADIX_TREE_MAX_TAGS; tag++) {
272 if (root_tag_get(root, tag))
273 tag_set(node, tag, 0);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
274 }
===========================================
[roottag = DIRTY,TOWRITE]
| :
tag[0 0 0 1] [0 0 0 0]
[x x x +] [+ x x x]
| |
p p (new page)
| | | | | | | | |
after calling radix_tree_insert
| | | | | | | | |
v v v v v v v v v
[roottag = DIRTY,TOWRITE]
|
tag [5 0 0 0] * DIRTY and TOWRITE tags are
[+ + x x] succeeded to the new node.
| |
tag [0 0 0 1] [0 0 0 0]
[x x x +] [+ x x x]
| |
p p
============================================
After that, the index 3 page is released by remove_from_page_cache().
Then we can make the situation that the tag is set with PAGECACHE_TAG_TOWRITE
and that the slot which corresponds to the tag is NULL.
===========================================
[roottag = DIRTY,TOWRITE]
|
tag [5 0 0 0]
[+ + x x]
| |
tag [0 0 0 1] [0 0 0 0]
[x x x +] [+ x x x]
| |
p p
(remove)
| | | | | | | | |
after calling remove_page_cache
| | | | | | | | |
v v v v v v v v v
[roottag = DIRTY,TOWRITE]
|
tag [4 0 0 0] * Only DIRTY tag is cleared
[x + x x] because no TOWRITE tag is existed
| in the bottom node.
[0 0 0 0]
[+ x x x]
|
p
============================================
To solve this problem
Change to that radix_tree_tag_if_tagged() doesn't tag the root tag
if it doesn't set any tags within the specified range.
Like this.
============================================
640 unsigned long radix_tree_range_tag_if_tagged(struct radix_tree_root
*root,
641 unsigned long *first_indexp, unsigned long last_index,
642 unsigned long nr_to_tag,
643 unsigned int iftag, unsigned int settag)
644 {
650 unsigned long tagged = 0;
...
733 if (tagged)
^^^^^^^^^^^^^^^^^^^^^^^^
734 root_tag_set(root, settag);
735 *first_indexp = index;
736
737 return tagged;
738 }
============================================
Signed-off-by: Toshiyuki Okajima <toshi.okajima@jp.fujitsu.com> Acked-by: Jan Kara <jack@suse.cz> Cc: Dave Chinner <david@fromorbit.com> Cc: Nick Piggin <nickpiggin@yahoo.com.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
setup_irq() was called before clockevents_register_device() which is
needed by the irq handler. Bug was reproducible by restarting the
kernel using kexec (reliable crash).
Signed-off-by: Nikolaus Voss <n.voss@weinmann.de> Cc: David Brownell <dbrownell@users.sourceforge.net> Cc: Haavard Skinnemoen <hskinnemoen@atmel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
memcg: fix race at move_parent around compound_order()
A fix up mem_cgroup_move_parent() which use compound_order() in
asynchronous manner. This compound_order() may return unknown value
because we don't take lock. Use PageTransHuge() and HPAGE_SIZE instead
of it.
Also clean up for mem_cgroup_move_parent().
- remove unnecessary initialization of local variable.
- rename charge_size -> page_size
- remove unnecessary (wrong) comment.
- added a comment about THP.
Note:
Current design take compound_page_lock() in caller of move_account().
This should be revisited when we implement direct move_task of hugepage
without splitting.
Minchan Kim [Tue, 25 Jan 2011 23:07:26 +0000 (15:07 -0800)]
mm: migration: clarify migrate_pages() comment
Callers of migrate_pages should putback_lru_pages to return pages
isolated to LRU or free list. Now comment is rather confusing. It says
caller always have to call it.
It is more clear to point out that the caller has to call it if
migrate_pages's return value isn't zero.
Signed-off-by: Minchan Kim <minchan.kim@gmail.com> Cc: Christoph Lameter <cl@linux.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Andrea Arcangeli [Tue, 25 Jan 2011 23:07:25 +0000 (15:07 -0800)]
mm: compaction: don't depend on HUGETLB_PAGE
Commit 5d6892407 ("thp: select CONFIG_COMPACTION if TRANSPARENT_HUGEPAGE
enabled") causes this warning during the configuration process:
warning: (TRANSPARENT_HUGEPAGE) selects COMPACTION which has unmet
direct dependencies (EXPERIMENTAL && HUGETLB_PAGE && MMU)
COMPACTION doesn't depend on HUGETLB_PAGE, it doesn't depend on THP
either, it is also useful for regular alloc_pages(order > 0) including
the very kernel stack during fork (THREAD_ORDER = 1). It's always
better to enable COMPACTION.
The warning should be an error because we would end up with MIGRATION
not selected, and COMPACTION wouldn't work without migration (despite it
seems to build with an inline migrate_pages returning -ENOSYS).
I'd also like to remove EXPERIMENTAL: compaction has been in the kernel
for some releases (for full safety the default remains disabled which I
think is enough).
Jesper Juhl [Tue, 25 Jan 2011 23:07:24 +0000 (15:07 -0800)]
mm/memcontrol.c: fix uninitialized variable use in mem_cgroup_move_parent()
In mm/memcontrol.c::mem_cgroup_move_parent() there's a path that jumps
to the 'put_back' label
ret = __mem_cgroup_try_charge(NULL, gfp_mask, &parent, false, charge);
if (ret || !parent)
goto put_back;
where we'll
if (charge > PAGE_SIZE)
compound_unlock_irqrestore(page, flags);
but, we have not assigned anything to 'flags' at this point, nor have we
called 'compound_lock_irqsave()' (which is what sets 'flags'). The
'put_back' label should be moved below the call to
compound_unlock_irqrestore() as per this patch.
David Rientjes [Tue, 25 Jan 2011 23:07:23 +0000 (15:07 -0800)]
mm: clear pages_scanned only if draining a pcp adds pages to the buddy allocator
Commit 0e093d99763e ("writeback: do not sleep on the congestion queue if
there are no congested BDIs or if significant congestion is not being
encountered in the current zone") uncovered a livelock in the page
allocator that resulted in tasks infinitely looping trying to find
memory and kswapd running at 100% cpu.
The issue occurs because drain_all_pages() is called immediately
following direct reclaim when no memory is freed and try_to_free_pages()
returns non-zero because all zones in the zonelist do not have their
all_unreclaimable flag set.
When draining the per-cpu pagesets back to the buddy allocator for each
zone, the zone->pages_scanned counter is cleared to avoid erroneously
setting zone->all_unreclaimable later. The problem is that no pages may
actually be drained and, thus, the unreclaimable logic never fails
direct reclaim so the oom killer may be invoked.
This apparently only manifested after wait_iff_congested() was
introduced and the zone was full of anonymous memory that would not
congest the backing store. The page allocator would infinitely loop if
there were no other tasks waiting to be scheduled and clear
zone->pages_scanned because of drain_all_pages() as the result of this
change before kswapd could scan enough pages to trigger the reclaim
logic. Additionally, with every loop of the page allocator and in the
reclaim path, kswapd would be kicked and would end up running at 100%
cpu. In this scenario, current and kswapd are all running continuously
with kswapd incrementing zone->pages_scanned and current clearing it.
The problem is even more pronounced when current swaps some of its
memory to swap cache and the reclaimable logic then considers all active
anonymous memory in the all_unreclaimable logic, which requires a much
higher zone->pages_scanned value for try_to_free_pages() to return zero
that is never attainable in this scenario.
Before wait_iff_congested(), the page allocator would incur an
unconditional timeout and allow kswapd to elevate zone->pages_scanned to
a level that the oom killer would be called the next time it loops.
The fix is to only attempt to drain pcp pages if there is actually a
quantity to be drained. The unconditional clearing of
zone->pages_scanned in free_pcppages_bulk() need not be changed since
other callers already ensure that draining will occur. This patch
ensures that free_pcppages_bulk() will actually free memory before
calling into it from drain_all_pages() so zone->pages_scanned is only
cleared if appropriate.
Signed-off-by: David Rientjes <rientjes@google.com> Cc: Mel Gorman <mel@csn.ul.ie> Reviewed-by: Johannes Weiner <hannes@cmpxchg.org> Cc: Minchan Kim <minchan.kim@gmail.com> Cc: Wu Fengguang <fengguang.wu@intel.com> Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Reviewed-by: Rik van Riel <riel@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
David Rientjes [Tue, 25 Jan 2011 23:07:20 +0000 (15:07 -0800)]
mm: fix deferred congestion timeout if preferred zone is not allowed
Before 0e093d99763e ("writeback: do not sleep on the congestion queue if
there are no congested BDIs or if significant congestion is not being
encountered in the current zone"), preferred_zone was only used for NUMA
statistics, to determine the zoneidx from which to allocate from given
the type requested, and whether to utilize memory compaction.
wait_iff_congested(), though, uses preferred_zone to determine if the
congestion wait should be deferred because its dirty pages are backed by
a congested bdi. This incorrectly defers the timeout and busy loops in
the page allocator with various cond_resched() calls if preferred_zone
is not allowed in the current context, usually consuming 100% of a cpu.
This patch ensures preferred_zone is an allowed zone in the fastpath
depending on whether current is constrained by its cpuset or nodes in
its mempolicy (when the nodemask passed is non-NULL). This is correct
since the fastpath allocation always passes ALLOC_CPUSET when trying to
allocate memory. In the slowpath, this patch resets preferred_zone to
the first zone of the allowed type when the allocation is not
constrained by current's cpuset, i.e. it does not pass ALLOC_CPUSET.
This patch also ensures preferred_zone is from the set of allowed nodes
when called from within direct reclaim since allocations are always
constrained by cpusets in this context (it is blockable).
Both of these uses of cpuset_current_mems_allowed are protected by
get_mems_allowed().
Signed-off-by: David Rientjes <rientjes@google.com> Cc: Mel Gorman <mel@csn.ul.ie> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: Minchan Kim <minchan.kim@gmail.com> Cc: Wu Fengguang <fengguang.wu@intel.com> Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Acked-by: Rik van Riel <riel@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Both pps_parport and pps_gen_parport are written in a way that they
can't share a port with any other driver. This can result in locking up
the process that loads modules or even the whole kernel if the modules
are compiled in. Use PARPORT_FLAG_EXCL to indicate this.
Signed-off-by: Alexander Gordeev <lasaine@lvk.cs.msu.su> Cc: Alexander Gordeev <lasaine@lvk.cs.msu.su> Cc: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parport_unregister_device() should never be used when interrupts are
enabled in hardware and irq handler is registered so there is no need to
disable interrupts when using waitlist_lock. But there is no way to
explain this subtle semantics to lockdep analyzer.
So disable interrupts here too to simplify things. The price is
negligible.
Signed-off-by: Alexander Gordeev <lasaine@lvk.cs.msu.su> Cc: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Feng Tang [Tue, 25 Jan 2011 23:07:15 +0000 (15:07 -0800)]
langwell_gpio: modify EOI handling following change of kernel irq subsystem
Latest kernel has many changes in IRQ subsystem and its interfaces, like
adding "irq_eoi" for struct irq_chip, this patch is a follow up change
for that.
Also remove the unnecessary cast for a "void *".
Signed-off-by: Feng Tang <feng.tang@intel.com> Cc: Alek Du <alek.du@intel.com> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Axel Lin [Tue, 25 Jan 2011 23:07:14 +0000 (15:07 -0800)]
leds: leds-pwm: return proper error if pwm_request failed
Return PTR_ERR(led_dat->pwm) instead of 0 if pwm_request failed
Signed-off-by: Axel Lin <axel.lin@gmail.com> Cc: Richard Purdie <rpurdie@rpsys.net> Cc: Luotao Fu <l.fu@pengutronix.de> Cc: Reviewed-by: Dmitry Torokhov <dtor@mail.ru> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Andrew Morton [Tue, 25 Jan 2011 23:07:11 +0000 (15:07 -0800)]
mm/pgtable-generic.c: fix CONFIG_SWAP=n build
mips (and sparc32):
In file included from arch/mips/include/asm/tlb.h:21,
from mm/pgtable-generic.c:9:
include/asm-generic/tlb.h: In function `tlb_flush_mmu':
include/asm-generic/tlb.h:76: error: implicit declaration of function `release_pages'
include/asm-generic/tlb.h: In function `tlb_remove_page':
include/asm-generic/tlb.h:105: error: implicit declaration of function `page_cache_release'
free_pages_and_swap_cache() and free_page_and_swap_cache() are macros
which call release_pages() and page_cache_release(). The obvious fix is
to include pagemap.h in swap.h, where those macros are defined. But that
breaks sparc for weird reasons.
So fix it within mm/pgtable-generic.c instead.
Reported-by: Yoichi Yuasa <yuasa@linux-mips.org> Cc: Geert Uytterhoeven <geert@linux-m68k.org> Acked-by: Sam Ravnborg <sam@ravnborg.org> Cc: Sergei Shtylyov <sshtylyov@mvista.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Andrea Arcangeli [Tue, 25 Jan 2011 23:07:09 +0000 (15:07 -0800)]
thp: fix PARAVIRT x86 32bit noPAE
This fixes TRANSPARENT_HUGEPAGE=y with PARAVIRT=y and HIGHMEM64=n.
The #ifdef that this patch removes was erratically introduced to fix a
build error for noPAE (where pmd.pmd doesn't exist). So then the kernel
built but it failed at runtime because set_pmd_at was a noop. This will
correct it by enabling set_pmd_at for noPAE mode too.
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com> Reported-by: werner <w.landgraf@ru.ru> Reported-by: Minchan Kim <minchan.kim@gmail.com> Tested-by: Minchan Kim <minchan.kim@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Tue, 25 Jan 2011 23:04:18 +0000 (09:04 +1000)]
Merge branch 'fixes' of master.kernel.org:/home/rmk/linux-2.6-arm
* 'fixes' of master.kernel.org:/home/rmk/linux-2.6-arm:
ALSA: AACI: fix timeout duration
ALSA: AACI: fix timeout condition checking
ARM: 6636/1: ep93xx: default multiplexed gpio ports to gpio mode
ARM: 6637/1: Make the argument to virt_to_phys() "const volatile"
ARM: twd: ensure timer reload is reprogrammed on entry to periodic mode
ARM: 6635/2: Configure reference clock for Versatile Express timers
ARM: versatile: name configuration options after actual board names
ARM: realview: name configuration options after actual board names
ARM: realview,vexpress: fix section mismatch warning for pen_release
ARM: 6632/3: mmci: stop using the blockend interrupts
Linus Torvalds [Tue, 25 Jan 2011 23:00:17 +0000 (09:00 +1000)]
Merge branch 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6
* 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
sh: Fix build of sh7750 base boards
sh: update INTC to clear IRQ sense valid flag
sh: Fix sh build failure when CONFIG_SFC=m
sh: fix MSIOF0 SPI on ecovec: it conflicts with VOU
sh: support XZ-compressed kernel.
sh: Fix up breakage from asm-generic/pgtable.h changes.
David Howells [Tue, 25 Jan 2011 16:34:28 +0000 (16:34 +0000)]
KEYS: Fix __key_link_end() quota fixup on error
Fix __key_link_end()'s attempt to fix up the quota if an error occurs.
There are two erroneous cases: Firstly, we always decrease the quota if
the preallocated replacement keyring needs cleaning up, irrespective of
whether or not we should (we may have replaced a pointer rather than
adding another pointer).
Secondly, we never clean up the quota if we added a pointer without the
keyring storage being extended (we allocate multiple pointers at a time,
even if we're not going to use them all immediately).
We handle this by setting the bottom bit of the preallocation pointer in
__key_link_begin() to indicate that the quota needs fixing up, which is
then passed to __key_link() (which clears the whole thing) and
__key_link_end().
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Axel Lin [Tue, 25 Jan 2011 14:12:12 +0000 (14:12 +0000)]
intel_scu_ipc: fix signedness bug
busy_loop() returns negative error code, thus change err variable
from u32 to int to properly propagate correct error code.
Also remove unneeded initialization for err and i variables.
Signed-off-by: Axel Lin <axel.lin@gmail.com> Signed-off-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jerry Chu [Tue, 25 Jan 2011 21:46:30 +0000 (13:46 -0800)]
TCP: fix a bug that triggers large number of TCP RST by mistake
This patch fixes a bug that causes TCP RST packets to be generated
on otherwise correctly behaved applications, e.g., no unread data
on close,..., etc. To trigger the bug, at least two conditions must
be met:
1. The FIN flag is set on the last data packet, i.e., it's not on a
separate, FIN only packet.
2. The size of the last data chunk on the receive side matches
exactly with the size of buffer posted by the receiver, and the
receiver closes the socket without any further read attempt.
This bug was first noticed on our netperf based testbed for our IW10
proposal to IETF where a large number of RST packets were observed.
netperf's read side code meets the condition 2 above 100%.
Before the fix, tcp_data_queue() will queue the last skb that meets
condition 1 to sk_receive_queue even though it has fully copied out
(skb_copy_datagram_iovec()) the data. Then if condition 2 is also met,
tcp_recvmsg() often returns all the copied out data successfully
without actually consuming the skb, due to a check
"if ((chunk = len - tp->ucopy.len) != 0) {"
and
"len -= chunk;"
after tcp_prequeue_process() that causes "len" to become 0 and an
early exit from the big while loop.
I don't see any reason not to free the skb whose data have been fully
consumed in tcp_data_queue(), regardless of the FIN flag. We won't
get there if MSG_PEEK is on. Am I missing some arcane cases related
to urgent data?
Signed-off-by: H.K. Jerry Chu <hkchu@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Reinette Chatre [Tue, 25 Jan 2011 16:38:06 +0000 (08:38 -0800)]
MAINTAINERS: remove Reinette Chatre as iwlwifi maintainer
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>