Conditional mntput() moved into __do_follow_link(). There it collapses with
unconditional mntget() on the same sucker, closing another too-early-mntput()
race.
Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Getting rid of sloppy logics:
a) in do_follow_link() we have the wrong vfsmount dropped if our symlink
had been mounted on something. Currently it worls only because we never
get such situation (modulo filesystem playing dirty tricks on us). And
it obfuscates already convoluted logics...
b) same goes for open_namei().
c) in __link_path_walk() we have another "it should never happen" sloppiness -
out_dput: there does double-free on underlying vfsmount and leaks the covering
one if we hit it just after crossing a mountpoint. Again, wrong vfsmount
getting dropped.
d) another too-early-mntput() race - in do_follow_mount() we need to postpone
conditional mntput(path->mnt) until after dput(path->dentry). Again, this one
happens only in it-currently-never-happens-unless-some-fs-plays-dirty
scenario...
Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
shifted conditional mntput() into do_follow_link() - all callers were doing
the same thing.
Obviously equivalent transformation.
Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
In open_namei() exit_dput: we have mntput() done in the wrong order -
if nd->mnt != path.mnt we end up doing
mntput(nd->mnt);
nd->mnt = path.mnt;
dput(nd->dentry);
mntput(nd->mnt);
which drops nd->dentry too late. Fixed by having path.mnt go first.
That allows to switch O_NOFOLLOW under if (__follow_mount(...)) back
to exit_dput, while we are at it.
Fix for early-mntput() race + equivalent transformation.
Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
In open_namei() we take mntput(nd->mnt);nd->mnt=path.mnt; out of the if
(__follow_mount(...)), making it conditional on nd->mnt != path.mnt instead.
Then we shift the result downstream.
Equivalent transformations.
Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
In open_namei(), __follow_down() loop turned into __follow_mount().
Instead of
if we are on a mountpoint dentry
if O_NOFOLLOW checks fail
drop path.dentry
drop nd
return
do equivalent of follow_mount(&path.mnt, &path.dentry)
nd->mnt = path.mnt
we do
if __follow_mount(path) had, indeed, traversed mountpoint
/* now both nd->mnt and path.mnt are pinned down */
if O_NOFOLLOW checks fail
drop path.dentry
drop path.mnt
drop nd
return
mntput(nd->mnt)
nd->mnt = path.mnt
Now __follow_down() can be folded into follow_down() - no other callers left.
We need to reorder dput()/mntput() there - same problem as in follow_mount().
Equivalent transformation + fix for a bug in O_NOFOLLOW handling - we used to
get -ELOOP if we had the same fs mounted on /foo and /bar, had something bound
on /bar/baz and tried to open /foo/baz with O_NOFOLLOW. And fix of
too-early-mntput() race in follow_down()
Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
New helper: __follow_mount(struct path *path). Same as follow_mount(), except
that we do *not* do mntput() after the first lookup_mnt().
IOW, original path->mnt stays pinned down. We also take care to do dput()
before mntput() in the loop body (follow_mount() also needs that reordering,
but that will be done later in the series).
The following are equivalent, assuming that path.mnt == x:
(1)
follow_mount(&path.mnt, &path.dentry)
(2)
__follow_mount(&path);
if (path->mnt != x)
mntput(x);
(3)
if (__follow_mount(&path))
mntput(x);
Callers of follow_mount() in __link_path_walk() converted to (2).
Equivalent transformation + fix for too-late-mntput() race in __follow_mount()
loop.
Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
In open_namei() we never use path.mnt or path.dentry after exit: or ok:.
Assignment of path.dentry in case of LAST_BIND is dead code and only
obfuscates already convoluted function; assignment of path.mnt after
__do_follow_link() can be moved down to the place where we set path.dentry.
Obviously equivalent transformations, just to clean the air a bit in that
region.
Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
The first argument of __do_follow_link() switched to struct path *
(__do_follow_link(path->dentry, ...) -> __do_follow_link(path, ...)).
All callers have the same calls of mntget() right before and dput()/mntput()
right after __do_follow_link(); these calls have been moved inside.
Obviously equivalent transformations.
Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
mntget(path->mnt) in do_follow_link() moved down to right before the
__do_follow_link() call and rigth after loop: resp.
dput()+mntput() on non-ELOOP branch moved up to right after __do_follow_link()
call.
resulting
loop:
mntget(path->mnt);
path_release(nd);
dput(path->mnt);
mntput(path->mnt);
replaced with equivalent
dput(path->mnt);
path_release(nd);
Equivalent transformations - the reason why we have that mntget() is that
__do_follow_link() can drop a reference to nd->mnt and that's what holds
path->mnt. So that call can happen at any point prior to __do_follow_link()
touching nd->mnt. The rest is obvious.
NOTE: current tree relies on symlinks *never* being mounted on anything. It's
not hard to get rid of that assumption (actually, that will come for free
later in the series). For now we are just not making the situation worse than
it is.
Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
fix for too early mntput() in open_namei() - we pin path.mnt down for the
duration of __do_follow_link(). Otherwise we could get the fs where our
symlink lived unmounted while we were in __do_follow_link(). That would end
up with dentry of symlink staying pinned down through the fs shutdown.
Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
path.mnt in open_namei() set to mirror nd->mnt.
nd->mnt is set in 3 places in that function - path_lookup() in the beginning,
__follow_down() loop after do_last: and __do_follow_link() call after
do_link:.
We set path.mnt to nd->mnt after path_lookup() and __do_follow_link(). In
__follow_down() loop we use &path.mnt instead of &nd->mnt and set nd->mnt to
path.mnt immediately after that loop.
Obviously equivalent transformation.
Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Replaced struct dentry *dentry in namei with struct path path. All uses of
dentry replaced with path.dentry there.
Obviously equivalent transformation.
Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
All callers of do_follow_link() do mntget() right before it and
dput()+mntput() right after. These calls are moved inside do_follow_link()
now.
Obviously equivalent transformation.
Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
OK, here comes a patch series that hopefully should close all
too-early-mntput() races in fs/namei.c. Entire area is convoluted as hell, so
I'm splitting that series into _very_ small chunks.
Patches alread in the tree close only (very wide) races in following symlinks
(see "busy inodes after umount" thread some time ago). Unfortunately, quite a
few narrower races of the same nature were not closed. Hopefully this should
take care of all of them.
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Runtime feature support for unified caches was testing a userland feature
flag (PPC_FEATURE_UNIFIED_CACHE) instead of a cpu feature flag
(CPU_FTR_SPLIT_ID_CACHE). Luckily the current defined bit mask for cpu
features and userland features do not overlap so this only causes an issue
on machines with a unified cache, which is extremely rare on PPC today.
Signed-off-by: Kumar Gala <kumar.gala@freescale.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
h8300 was missing a few definitions.
Signed-off-by: Yoshinori Sato <ysato@users.sourceforge.jp>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Stop using tty internal structure in mxser_receive_chars(), use
tty_insert_flip_char(tty, ch flag); instead.
Without this change driver ignores any rx'ed chars.
Run tested.
Cc: Alan Cox <alan@redhat.com>
Cc: Russell King <rmk@arm.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
fault_in_pages_readable() is being passed an incorrect `end' address, which
can result in writes accidentally faulting in pages which will not be affected
by the write() call.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
- Changed the return value of unknown type to NULL.
- Deleted the NULL check of dev_id in siu_interrupt().
- Deleted the NULL check of port->membase in siu_shutdown().
- Added the NULL check of port->membase to siu_startup().
- Removed early_uart_ops. Now using vr41xx_siu standerd one.
- Changed KSEG1ADDR() in siu_console_setup() to ioremap().
- When uart_add_one_port() failed, changed to set NULL to port->dev.
Signed-off-by: Yoichi Yuasa <yuasa@hh.iij4u.or.jp>
Cc: Russell King <rmk@arm.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
The system might hang when using appldata_mem with high I/O traffic and a
large number of devices. The spinlocks bdev_lock and swaplock are acquired
via calls to si_meminfo() and si_swapinfo() from a tasklet, i.e. interrupt
context, which can lead to a deadlock. Replace tasklet with work queue.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
The condition for no context in do_exception checks for hard and soft
interrupts by using in_interrupt() but not for preemption. This is bad for
the users of __copy_from/to_user_inatomic because the fault handler might call
schedule although the preemption count is != 0. Use in_atomic() instead
in_interrupt().
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
To make UML build and run on s390, I needed to do these two little
changes:
1) UML includes some of the subarch's (s390) headers. I had to
change one of them with the following one-liner, to make this
compile. AFAICS, this change doesn't break compilation of s390
itself.
2) UML needs to intercept syscalls via ptrace to invalidate the syscall,
read syscall's parameters and write the result with the result of
UML's syscall processing. Also, UML needs to make sure, that the host
does no syscall restart processing. On i386 for example, this can be
done by writing -1 to orig_eax on the 2nd syscall interception
(orig_eax is the syscall number, which after the interception is used
as a "interrupt was a syscall" flag only.
Unfortunately, s390 holds syscall number and syscall result in gpr2 and
its "interrupt was a syscall" flag (trap) is unreachable via ptrace.
So I changed the host to set trap to -1, if the syscall number is changed
to an invalid value on the first syscall interception.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
The special cases of peek and poke on acrs[15] and the fpc register are not
handled correctly. A poke on acrs[15] will clobber the 4 bytes after the
access registers in the thread_info structure. That happens to be the kernel
stack pointer. A poke on the fpc with an invalid value is not caught by the
validity check. On the next context switch the broken fpc value will cause a
program check in the kernel. Improving the checks in peek and poke fixes
this.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
When fsync() runs wait_on_page_writeback_range() it only inspects pages which
are actually under I/O (PAGECACHE_TAG_WRITEBACK). If a page completed I/O
prior to wait_on_page_writeback_range() looking at it, it is supposed to have
recorded its I/O error state in the address_space.
But mpage_mpage_end_io_write() forgot to set the address_space error flag in
this case.
Signed-off-by: Qu Fuping <fs@ercist.iscas.ac.cn>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Patch from Deepak Saxena
The IXDP2800 bootloader does not disable IRQs before jumping into
the kernel and this is causing the Grand Unified KGDB to crash
the system when we do an early call to trap_init() and irq handlers
have not yet been registered. This patch disables IRQs before we
jump into the kernel.
Signed-off-by: Deepak Saxena
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
A typo in prom_find_machine_type from Ben's recent patch "ppc64: Fix
result code handling in prom_init" prevents pSeries LPAR systems from
booting.
Tested on a pSeries 570 and OpenPower 720 (both Power5 LPAR).
Signed-off-by: Nathan Lynch <ntl@pobox.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Patch from Todd Poynor
PXA27x sleep fixes:
* set additional sleep/wakeup registers for Mainstone boards.
* move CKEN=0 to pxa25x-specific code; that value is harmful on pxa27x.
* save/restore additional registers, including some found necessary for
C5 processors and/or newer blob versions.
* enable future support of additional sleep modes for PXA27x (eg,
standby, deep sleep).
* split off cpu-specific sleep processing between pxa27x and pxa25x into
separate files (partly in preparation for additional sleep modes).
Includes fixes from David Burrage.
Signed-off-by: Todd Poynor
Signed-off-by: Nicolas Pitre
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Patch from Mike Frysinger
the ELF_DATA define in both arm asm subdirs of linux/include/ contain a
semicolon at the end. this of course will cause any code that tries to use
ELF_DATA in assignment or comparison to fail. no other arch has a semicolon
in their ELF_DATA defines.
Signed-off-by: Mike Frysinger
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Patch from Albrecht Dreß
Problem:
When a module requests a DMA channel via the function s3c2410_dma_request(), this function requests the appropriate irq under the name of the client module. When the client module is unloaded, it calls s3c2410_dma_free() which does not free the irq. Consequently, when e.g. running "cat /proc/interrupts", the irq owner points to freed memory, leading to a kernel oops.
File:
linux/arch/arm/mach-s3c2410/dma.c
Fix:
trivial, below
Signed-off-by: Albrecht Dreß
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Patch from Deepak Saxena
This patch fixes the following warnings:
include/asm/arch/io.h: In function `insw':
include/asm/arch/io.h:78: warning: comparison of distinct pointer types
lacks acast
include/asm/arch/io.h:79: warning: comparison of distinct pointer types
lacks acast
include/asm/arch/io.h: In function `outsw':
include/asm/arch/io.h:103: warning: comparison of distinct pointer types
lacks a cast
include/asm/arch/io.h:104: warning: comparison of distinct pointer types
lacks a cast
include/asm/arch/io.h: In function `inw':
include/asm/arch/io.h:127: warning: comparison of distinct pointer types
lacks a cast
Signed-off-by: Deepak Saxena
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Fix a bug in which shub_1_1_found is not being properly initialized or set,
resulting in the improper setting of sn_hub_info->shub_1_1_found.
Signed-off-by: Dean Nelson <dcn@sgi.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Re-work the m68knommu specific idle code according to suggestions
from Nick Piggin <nickpiggin@yahoo.com.au>.
A couple of rules that we need to follow:
1. Preempt should now disabled over idle routines. Should only be enabled
to call schedule() then disabled again.
3. When cpu_idle finds (need_resched() == 'true'), it should call schedule().
It should not call schedule() otherwise.
Also fix interrupt locking around the need_resched() and cpu stop state
so that there is no race condition.
Signed-off-by: Greg Ungerer <gerg@snapgear.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This "obvious" one-liner is needed to recognize Zaurus SL 6000;
it just checks two GUIDs not just one.
OSDL bugids #4512 and #4545 seem to be duplicates of this report.
From: Gerald Skerbitz <gsker@tcfreenet.org>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>