Skip to content
Snippets Groups Projects
  1. Jan 23, 2013
  2. Jan 21, 2013
    • Jerry Snitselaar's avatar
      security/device_cgroup: lock assert fails in dev_exception_clean() · 103a197c
      Jerry Snitselaar authored
      
      devcgroup_css_free() calls dev_exception_clean() without the devcgroup_mutex being locked.
      
      Shutting down a kvm virt was giving me the following trace:
      
      [36280.732764] ------------[ cut here ]------------
      [36280.732778] WARNING: at /home/snits/dev/linux/security/device_cgroup.c:172 dev_exception_clean+0xa9/0xc0()
      [36280.732782] Hardware name: Studio XPS 8100
      [36280.732785] Modules linked in: xt_REDIRECT fuse ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat xt_CHECKSUM iptable_mangle bridge stp llc nf_conntrack_ipv4 ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 nf_defrag_ipv4 ip6table_filter it87 hwmon_vid xt_state nf_conntrack ip6_tables snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_seq coretemp snd_seq_device crc32c_intel snd_pcm snd_page_alloc snd_timer snd broadcom tg3 serio_raw i7core_edac edac_core ptp pps_core lpc_ich pcspkr mfd_core soundcore microcode i2c_i801 nfsd auth_rpcgss nfs_acl lockd vhost_net sunrpc tun macvtap macvlan kvm_intel kvm uinput binfmt_misc autofs4 usb_storage firewire_ohci firewire_core crc_itu_t radeon drm_kms_helper ttm
      [36280.732921] Pid: 933, comm: libvirtd Tainted: G        W    3.8.0-rc3-00307-g4c217de #1
      [36280.732922] Call Trace:
      [36280.732927]  [<ffffffff81044303>] warn_slowpath_common+0x93/0xc0
      [36280.732930]  [<ffffffff8104434a>] warn_slowpath_null+0x1a/0x20
      [36280.732932]  [<ffffffff812deaf9>] dev_exception_clean+0xa9/0xc0
      [36280.732934]  [<ffffffff812deb2a>] devcgroup_css_free+0x1a/0x30
      [36280.732938]  [<ffffffff810ccd76>] cgroup_diput+0x76/0x210
      [36280.732941]  [<ffffffff8119eac0>] d_delete+0x120/0x180
      [36280.732943]  [<ffffffff81195cff>] vfs_rmdir+0xef/0x130
      [36280.732945]  [<ffffffff81195e47>] do_rmdir+0x107/0x1c0
      [36280.732949]  [<ffffffff8132d17e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
      [36280.732951]  [<ffffffff81198646>] sys_rmdir+0x16/0x20
      [36280.732954]  [<ffffffff8173bd82>] system_call_fastpath+0x16/0x1b
      [36280.732956] ---[ end trace ca39dced899a7d9f ]---
      
      Signed-off-by: default avatarJerry Snitselaar <jerry.snitselaar@oracle.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      103a197c
    • Dmitry Kasatkin's avatar
      evm: checking if removexattr is not a NULL · a67adb99
      Dmitry Kasatkin authored
      
      The following lines of code produce a kernel oops.
      
      fd = socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
      fchmod(fd, 0666);
      
      [  139.922364] BUG: unable to handle kernel NULL pointer dereference at   (null)
      [  139.924982] IP: [<  (null)>]   (null)
      [  139.924982] *pde = 00000000
      [  139.924982] Oops: 0000 [#5] SMP
      [  139.924982] Modules linked in: fuse dm_crypt dm_mod i2c_piix4 serio_raw evdev binfmt_misc button
      [  139.924982] Pid: 3070, comm: acpid Tainted: G      D      3.8.0-rc2-kds+ #465 Bochs Bochs
      [  139.924982] EIP: 0060:[<00000000>] EFLAGS: 00010246 CPU: 0
      [  139.924982] EIP is at 0x0
      [  139.924982] EAX: cf5ef000 EBX: cf5ef000 ECX: c143d600 EDX: c15225f2
      [  139.924982] ESI: cf4d2a1c EDI: cf4d2a1c EBP: cc02df10 ESP: cc02dee4
      [  139.924982]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
      [  139.924982] CR0: 80050033 CR2: 00000000 CR3: 0c059000 CR4: 000006d0
      [  139.924982] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      [  139.924982] DR6: ffff0ff0 DR7: 00000400
      [  139.924982] Process acpid (pid: 3070, ti=cc02c000 task=d7705340 task.ti=cc02c000)
      [  139.924982] Stack:
      [  139.924982]  c1203c88 00000000 cc02def4 cf4d2a1c ae21eefa 471b60d5 1083c1ba c26a5940
      [  139.924982]  e891fb5e 00000041 00000004 cc02df1c c1203964 00000000 cc02df4c c10e20c3
      [  139.924982]  00000002 00000000 00000000 22222222 c1ff2222 cf5ef000 00000000 d76efb08
      [  139.924982] Call Trace:
      [  139.924982]  [<c1203c88>] ? evm_update_evmxattr+0x5b/0x62
      [  139.924982]  [<c1203964>] evm_inode_post_setattr+0x22/0x26
      [  139.924982]  [<c10e20c3>] notify_change+0x25f/0x281
      [  139.924982]  [<c10cbf56>] chmod_common+0x59/0x76
      [  139.924982]  [<c10e27a1>] ? put_unused_fd+0x33/0x33
      [  139.924982]  [<c10cca09>] sys_fchmod+0x39/0x5c
      [  139.924982]  [<c13f4f30>] syscall_call+0x7/0xb
      [  139.924982] Code:  Bad EIP value.
      
      This happens because sockets do not define the removexattr operation.
      Before removing the xattr, verify the removexattr function pointer is
      not NULL.
      
      Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@intel.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      a67adb99
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 9a928415
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "A bunch of intel and radeon fixes, along with two fixes to TTM code.
      
        The correct fix for the Intel ironlake failure is in this, and should
        make things more stable, along with some misc radeon fixes."
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        ttm: on move memory failure don't leave a node dangling
        ttm: don't destroy old mm_node on memcpy failure
        Revert "drm/radeon: do not move bo to different placement at each cs"
        drm/i915: fix FORCEWAKE posting reads
        drm/i915: Invalidate the relocation presumed_offsets along the slow path
        drm/i915/eDP: do not write power sequence registers for ghost eDP
        drm/radeon: improve semaphore debugging on lockup
        drm/radeon: allow FP16 color clear registers on r500
        drm/radeon: clear reset flags if engines are idle
        drm/i915: Record DERRMR, FORCEWAKE and RING_CTL in error-state
      9a928415
    • Linus Torvalds's avatar
      module: fix missing module_mutex unlock · ee61abb3
      Linus Torvalds authored
      
      Commit 1fb9341a ("module: put modules in list much earlier") moved
      some of the module initialization code around, and in the process
      changed the exit paths too.  But for the duplicate export symbol error
      case the change made the ddebug_cleanup path jump to after the module
      mutex unlock, even though it happens with the mutex held.
      
      Rusty has some patches to split this function up into some helper
      functions, hopefully the mess of complex goto targets will go away
      eventually.
      
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ee61abb3
    • Dave Airlie's avatar
      ttm: on move memory failure don't leave a node dangling · 014b3440
      Dave Airlie authored
      
      if we have a move notify callback, when moving fails, we call move notify
      the opposite way around, however this ends up with *mem containing the mm_node
      from the bo, which means we double free it. This is a follow on to the previous
      fix.
      
      Reviewed-by: default avatarJerome Glisse <jglisse@redhat.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      014b3440
    • Dave Airlie's avatar
      ttm: don't destroy old mm_node on memcpy failure · 63054186
      Dave Airlie authored
      
      When we are using memcpy to move objects around, and we fail to memcpy
      due to lack of memory to populate or failure to finish the copy, we don't
      want to destroy the mm_node that has been copied into old_copy.
      
      While working on a new kms driver that uses memcpy, if I overallocated bo's
      up to the memory limits, and eviction failed, then machine would oops soon
      after due to having an active bo with an already freed drm_mm embedded in it,
      freeing it a second time didn't end well.
      
      Reviewed-by: default avatarJerome Glisse <jglisse@redhat.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      63054186
    • Dave Airlie's avatar
      Merge branch 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel into drm-next · ffb5fd53
      Dave Airlie authored
      More important fixes for 3.9:
      - error_state improvements to help debug the new scanline wait code added
        for gen6+ - bug reports started popping up :( patch from Chris Wilson.
      - fix a panel power sequence confusion between the eDP and lvds detection
        code resulting in black screens - regression introduce in 3.8 (Jani
        Nikula)
      - Chris fixed the root-cause of the ilk relocation vs. evict bug.
      - Another piece of cargo-culted rc6 lore from Jani, fixes up a regression
        where a system refused to go into rc6 after suspend sometimes.
      
      * 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel:
        drm/i915: fix FORCEWAKE posting reads
        drm/i915: Invalidate the relocation presumed_offsets along the slow path
        drm/i915/eDP: do not write power sequence registers for ghost eDP
        drm/i915: Record DERRMR, FORCEWAKE and RING_CTL in error-state
      ffb5fd53
    • Dave Airlie's avatar
      Merge branch 'drm-fixes-3.8' of git://people.freedesktop.org/~agd5f/linux into drm-next · a3f5aed4
      Dave Airlie authored
      A number of fixes, and one revert for a patch having some wierd side effects.
      
      * 'drm-fixes-3.8' of git://people.freedesktop.org/~agd5f/linux:
        Revert "drm/radeon: do not move bo to different placement at each cs"
        drm/radeon: improve semaphore debugging on lockup
        drm/radeon: allow FP16 color clear registers on r500
        drm/radeon: clear reset flags if engines are idle
      a3f5aed4
    • Linus Torvalds's avatar
      Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux · 22636476
      Linus Torvalds authored
      Pull module fixes and a virtio block fix from Rusty Russell:
       "Various minor fixes, but a slightly more complex one to fix the
        per-cpu overload problem introduced recently by kvm id changes."
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux:
        module: put modules in list much earlier.
        module: add new state MODULE_STATE_UNFORMED.
        module: prevent warning when finit_module a 0 sized file
        virtio-blk: Don't free ida when disk is in use
      22636476
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/signal · 3a142ed9
      Linus Torvalds authored
      Pull misc syscall fixes from Al Viro:
      
       - compat syscall fixes (discussed back in December)
      
       - a couple of "make life easier for sigaltstack stuff by reducing
         inter-tree dependencies"
      
       - fix up compiler/asmlinkage calling convention disagreement of
         sys_clone()
      
       - misc
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/signal:
        sys_clone() needs asmlinkage_protect
        make sure that /linuxrc has std{in,out,err}
        x32: fix sigtimedwait
        x32: fix waitid()
        switch compat_sys_wait4() and compat_sys_waitid() to COMPAT_SYSCALL_DEFINE
        switch compat_sys_sigaltstack() to COMPAT_SYSCALL_DEFINE
        CONFIG_GENERIC_SIGALTSTACK build breakage with asm-generic/syscalls.h
        Ensure that kernel_init_freeable() is not inlined into non __init code
      3a142ed9
    • Oleg Nesterov's avatar
      ia64: kill thread_matches(), unexport ptrace_check_attach() · edea0d03
      Oleg Nesterov authored
      
      The ia64 function "thread_matches()" has no users since commit
      e868a55c ("[IA64] remove find_thread_for_addr()").  Remove it.
      
      This allows us to make ptrace_check_attach() static to kernel/ptrace.c,
      which is good since we'll need to change the semantics of it and fix up
      all the callers.
      
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      edea0d03
  3. Jan 20, 2013
  4. Jan 19, 2013
  5. Jan 18, 2013
  6. Jan 17, 2013
    • Jani Nikula's avatar
      drm/i915: fix FORCEWAKE posting reads · b5144075
      Jani Nikula authored
      We stopped reading FORCEWAKE for posting reads in
      
      commit 8dee3eea
      Author: Ben Widawsky <ben@bwidawsk.net>
      Date:   Sat Sep 1 22:59:50 2012 -0700
      
          drm/i915: Never read FORCEWAKE
      
      and started using something from the same cacheline instead. On the
      bug reporter's machine this broke entering rc6 states after a
      suspend/resume cycle. It turns out reading ECOBUS as posting read
      worked fine, while GTFIFODBG did not, preventing RC6 states after
      suspend/resume per the bug report referenced below. It's not entirely
      clear why, but clearly GTFIFODBG was nowhere near the same cacheline
      or address range as FORCEWAKE.
      
      Trying out various registers for posting reads showed that all tested
      registers for which NEEDS_FORCE_WAKE() (in i915_drv.c) returns true
      work. Conversely, most (but not quite all) registers for which
      NEEDS_FORCE_WAKE() returns false do not work. Details in the referenced
      bug.
      
      Based on the above, add posting reads on ECOBUS where GTFIFODBG was
      previously relied on.
      
      In true cargo cult spirit, add posting reads for FORCEWAKE_VLV writes as
      well, but instead of ECOBUS, use FORCEWAKE_ACK_VLV which is in the same
      address range as FORCEWAKE_VLV.
      
      v2: Add more details to the commit message. No functional changes.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=52411
      
      
      Reported-and-tested-by: default avatarAlexander Bersenev <bay@hackerdom.ru>
      CC: Ben Widawsky <ben@bwidawsk.net>
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: stable@vger.kernel.org
      [danvet: add cc: stable and make the commit message a bit clearer that
      this is a regression fix and what exactly broke.]
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      b5144075