1. 02 Mar, 2013 1 commit
  2. 01 Mar, 2013 4 commits
  3. 28 Feb, 2013 1 commit
    • Jeff Layton's avatar
      nfs: don't allow nfs_find_actor to match inodes of the wrong type · f6488c9b
      Jeff Layton authored
      Benny Halevy reported the following oops when testing RHEL6:
      <7>nfs_update_inode: inode 892950 mode changed, 0040755 to 0100644
      <1>BUG: unable to handle kernel NULL pointer dereference at (null)
      <1>IP: [<ffffffffa02a52c5>] nfs_closedir+0x15/0x30 [nfs]
      <4>PGD 81448a067 PUD 831632067 PMD 0
      <4>Oops: 0000 [#1] SMP
      <4>last sysfs file: /sys/kernel/mm/redhat_transparent_hugepage/enabled
      <4>CPU 6
      <4>Modules linked in: fuse bonding 8021q garp ebtable_nat ebtables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi cxgb3 mdio ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi softdog bridge stp llc xt_physdev ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 xt_multiport iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 dm_round_robin dm_multipath objlayoutdriver2(U) nfs(U) lockd fscache auth_rpcgss nfs_acl sunrpc vhost_net macvtap macvlan tun kvm_intel kvm be2net igb dca ptp pps_core microcode serio_raw sg iTCO_wdt iTCO_vendor_support i7core_edac edac_core shpchp ext4 mbcache jbd2 sd_mod crc_t10dif ahci dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan]
      <4>Pid: 6332, comm: dd Not tainted 2.6.32-358.el6.x86_64 #1 HP ProLiant DL170e G6  /ProLiant DL170e G6
      <4>RIP: 0010:[<ffffffffa02a52c5>]  [<ffffffffa02a52c5>] nfs_closedir+0x15/0x30 [nfs]
      <4>RSP: 0018:ffff88081458bb98  EFLAGS: 00010292
      <4>RAX: ffffffffa02a52b0 RBX: 0000000000000000 RCX: 0000000000000003
      <4>RDX: ffffffffa02e45a0 RSI: ffff88081440b300 RDI: ffff88082d5f5760
      <4>RBP: ffff88081458bba8 R08: 0000000000000000 R09: 0000000000000000
      <4>R10: 0000000000000772 R11: 0000000000400004 R12: 0000000040000008
      <4>R13: ffff88082d5f5760 R14: ffff88082d6e8800 R15: ffff88082f12d780
      <4>FS:  00007f728f37e700(0000) GS:ffff8800456c0000(0000) knlGS:0000000000000000
      <4>CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      <4>CR2: 0000000000000000 CR3: 0000000831279000 CR4: 00000000000007e0
      <4>DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      <4>DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      <4>Process dd (pid: 6332, threadinfo ffff88081458a000, task ffff88082fa0e040)
      <4> 0000000040000008 ffff88081440b300 ffff88081458bbf8 ffffffff81182745
      <4><d> ffff88082d5f5760 ffff88082d6e8800 ffff88081458bbf8 ffffffffffffffea
      <4><d> ffff88082f12d780 ffff88082d6e8800 ffffffffa02a50a0 ffff88082d5f5760
      <4>Call Trace:
      <4> [<ffffffff81182745>] __fput+0xf5/0x210
      <4> [<ffffffffa02a50a0>] ? do_open+0x0/0x20 [nfs]
      <4> [<ffffffff81182885>] fput+0x25/0x30
      <4> [<ffffffff8117e23e>] __dentry_open+0x27e/0x360
      <4> [<ffffffff811c397a>] ? inotify_d_instantiate+0x2a/0x60
      <4> [<ffffffff8117e4b9>] lookup_instantiate_filp+0x69/0x90
      <4> [<ffffffffa02a6679>] nfs_intent_set_file+0x59/0x90 [nfs]
      <4> [<ffffffffa02a686b>] nfs_atomic_lookup+0x1bb/0x310 [nfs]
      <4> [<ffffffff8118e0c2>] __lookup_hash+0x102/0x160
      <4> [<ffffffff81225052>] ? selinux_inode_permission+0x72/0xb0
      <4> [<ffffffff8118e76a>] lookup_hash+0x3a/0x50
      <4> [<ffffffff81192a4b>] do_filp_open+0x2eb/0xdd0
      <4> [<ffffffff8104757c>] ? __do_page_fault+0x1ec/0x480
      <4> [<ffffffff8119f562>] ? alloc_fd+0x92/0x160
      <4> [<ffffffff8117de79>] do_sys_open+0x69/0x140
      <4> [<ffffffff811811f6>] ? sys_lseek+0x66/0x80
      <4> [<ffffffff8117df90>] sys_open+0x20/0x30
      <4> [<ffffffff8100b072>] system_call_fastpath+0x16/0x1b
      <4>Code: 65 48 8b 04 25 c8 cb 00 00 83 a8 44 e0 ff ff 01 5b 41 5c c9 c3 90 55 48 89 e5 53 48 83 ec 08 0f 1f 44 00 00 48 8b 9e a0 00 00 00 <48> 8b 3b e8 13 0c f7 ff 48 89 df e8 ab 3d ec e0 48 83 c4 08 31
      <1>RIP  [<ffffffffa02a52c5>] nfs_closedir+0x15/0x30 [nfs]
      <4> RSP <ffff88081458bb98>
      <4>CR2: 0000000000000000
      I think this is ultimately due to a bug on the server. The client had
      previously found a directory dentry. It then later tried to do an atomic
      open on a new (regular file) dentry. The attributes it got back had the
      same filehandle as the previously found directory inode. It then tried
      to put the filp because it failed the aops tests for O_DIRECT opens, and
      oopsed here because the ctx was still NULL.
      Obviously the root cause here is a server issue, but we can take steps
      to mitigate this on the client. When nfs_fhget is called, we always know
      what type of inode it is. In the event that there's a broken or
      malicious server on the other end of the wire, the client can end up
      crashing because the wrong ops are set on it.
      Have nfs_find_actor check that the inode type is correct after checking
      the fileid. The fileid check should rarely ever match, so it should only
      rarely ever get to this check. In the case where we have a broken
      server, we may see two different inodes with the same i_ino, but the
      client should be able to cope with them without crashing.
      This should fix the oops reported here:
      Reported-by: default avatarBenny Halevy <bhalevy@tonian.com>
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
  4. 26 Feb, 2013 1 commit
    • Weston Andros Adamson's avatar
      NFSv4.1: Hold reference to layout hdr in layoutget · a47970ff
      Weston Andros Adamson authored
      This fixes an oops where a LAYOUTGET is in still in the rpciod queue,
      but the requesting processes has been killed.  Without this, killing
      the process does the final pnfs_put_layout_hdr() and sets NFS_I(inode)->layout
      to NULL while the LAYOUTGET rpc task still references it.
      Example oops:
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
      IP: [<ffffffffa01bd586>] pnfs_choose_layoutget_stateid+0x37/0xef [nfsv4]
      PGD 7365b067 PUD 7365d067 PMD 0
      Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
      Modules linked in: nfs_layout_nfsv41_files nfsv4 auth_rpcgss nfs lockd sunrpc ipt_MASQUERADE ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat nf_nat_ipv4 nf_nat iptable_mangle ip6table_filter ip6_tables ppdev e1000 i2c_piix4 i2c_core shpchp parport_pc parport crc32c_intel aesni_intel xts aes_x86_64 lrw gf128mul ablk_helper cryptd mptspi scsi_transport_spi mptscsih mptbase floppy autofs4
      CPU 0
      Pid: 27, comm: kworker/0:1 Not tainted 3.8.0-dros_cthon2013+ #4 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
      RIP: 0010:[<ffffffffa01bd586>]  [<ffffffffa01bd586>] pnfs_choose_layoutget_stateid+0x37/0xef [nfsv4]
      RSP: 0018:ffff88007b0c1c88  EFLAGS: 00010246
      RAX: ffff88006ed36678 RBX: 0000000000000000 RCX: 0000000ea877e3bc
      RDX: ffff88007a729da8 RSI: 0000000000000000 RDI: ffff88007a72b958
      RBP: ffff88007b0c1ca8 R08: 0000000000000002 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff88007a72b958
      R13: ffff88007a729da8 R14: 0000000000000000 R15: ffffffffa011077e
      FS:  0000000000000000(0000) GS:ffff88007f600000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000080 CR3: 00000000735f8000 CR4: 00000000001407f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process kworker/0:1 (pid: 27, threadinfo ffff88007b0c0000, task ffff88007c2fa0c0)
       ffff88006fc05388 ffff88007a72b908 ffff88007b240900 ffff88006fc05388
       ffff88007b0c1cd8 ffffffffa01a2170 ffff88007b240900 ffff88007b240900
       ffff88007b240970 ffffffffa011077e ffff88007b0c1ce8 ffffffffa0110791
      Call Trace:
       [<ffffffffa01a2170>] nfs4_layoutget_prepare+0x7b/0x92 [nfsv4]
       [<ffffffffa011077e>] ? __rpc_atrun+0x15/0x15 [sunrpc]
       [<ffffffffa0110791>] rpc_prepare_task+0x13/0x15 [sunrpc]
      Reported-by: default avatarTigran Mkrtchyan <tigran.mkrtchyan@desy.de>
      Signed-off-by: default avatarWeston Andros Adamson <dros@netapp.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
  5. 24 Feb, 2013 1 commit
    • Benny Halevy's avatar
      pnfs: fix resend_to_mds for directio · 78f33277
      Benny Halevy authored
      Pass the directio request on pageio_init to clean up the API.
      Percolate pg_dreq from original nfs_pageio_descriptor to the
      pnfs_{read,write}_done_resend_to_mds and use it on respective
      call to nfs_pageio_init_{read,write} on the newly created
      Reproduced by command:
       mount -o vers=4.1 server:/ /mnt
       dd bs=128k count=8 if=/dev/zero of=/mnt/dd.out oflag=direct
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
      IP: [<ffffffffa021a3a8>] atomic_inc+0x4/0x9 [nfs]
      PGD 34786067 PUD 34794067 PMD 0
      Oops: 0002 [#1] SMP
      Modules linked in: nfs_layout_nfsv41_files nfsv4 nfs nfsd lockd nfs_acl auth_rpcgss exportfs sunrpc btrfs zlib_deflate libcrc32c ipv6 autofs4
      CPU 1
      Pid: 259, comm: kworker/1:2 Not tainted 3.8.0-rc6 #2 Bochs Bochs
      RIP: 0010:[<ffffffffa021a3a8>]  [<ffffffffa021a3a8>] atomic_inc+0x4/0x9 [nfs]
      RSP: 0018:ffff880038f8fa68  EFLAGS: 00010206
      RAX: ffffffffa021a6a9 RBX: ffff880038f8fb48 RCX: 00000000000a0000
      RDX: ffffffffa021e616 RSI: ffff8800385e9a40 RDI: 0000000000000028
      RBP: ffff880038f8fa68 R08: ffffffff81ad6720 R09: ffff8800385e9510
      R10: ffffffffa0228450 R11: ffff880038e87418 R12: ffff8800385e9a40
      R13: ffff8800385e9a70 R14: ffff880038f8fb38 R15: ffffffffa0148878
      FS:  0000000000000000(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 0000000000000028 CR3: 0000000034789000 CR4: 00000000000006e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process kworker/1:2 (pid: 259, threadinfo ffff880038f8e000, task ffff880038302480)
       ffff880038f8fa78 ffffffffa021a6bf ffff880038f8fa88 ffffffffa021bb82
       ffff880038f8fae8 ffffffffa021f454 ffff880038f8fae8 ffffffff8109689d
       ffff880038f8fab8 ffffffff00000006 0000000000000000 ffff880038f8fb48
      Call Trace:
       [<ffffffffa021a6bf>] nfs_direct_pgio_init+0x16/0x18 [nfs]
       [<ffffffffa021bb82>] nfs_pgheader_init+0x6a/0x6c [nfs]
       [<ffffffffa021f454>] nfs_generic_pg_writepages+0x51/0xf8 [nfs]
       [<ffffffff8109689d>] ? mark_held_locks+0x71/0x99
       [<ffffffffa0148878>] ? rpc_release_resources_task+0x37/0x37 [sunrpc]
       [<ffffffffa021bc25>] nfs_pageio_doio+0x1a/0x43 [nfs]
       [<ffffffffa021be7c>] nfs_pageio_complete+0x16/0x2c [nfs]
       [<ffffffffa02608be>] pnfs_write_done_resend_to_mds+0x95/0xc5 [nfsv4]
       [<ffffffffa0148878>] ? rpc_release_resources_task+0x37/0x37 [sunrpc]
       [<ffffffffa028e27f>] filelayout_reset_write+0x8c/0x99 [nfs_layout_nfsv41_files]
       [<ffffffffa028e5f9>] filelayout_write_done_cb+0x4d/0xc1 [nfs_layout_nfsv41_files]
       [<ffffffffa024587a>] nfs4_write_done+0x36/0x49 [nfsv4]
       [<ffffffffa021f996>] nfs_writeback_done+0x53/0x1cc [nfs]
       [<ffffffffa021fb1d>] nfs_writeback_done_common+0xe/0x10 [nfs]
       [<ffffffffa028e03d>] filelayout_write_call_done+0x28/0x2a [nfs_layout_nfsv41_files]
       [<ffffffffa01488a1>] rpc_exit_task+0x29/0x87 [sunrpc]
       [<ffffffffa014a0c9>] __rpc_execute+0x11d/0x3cc [sunrpc]
       [<ffffffff810969dc>] ? trace_hardirqs_on_caller+0x117/0x173
       [<ffffffffa014a39f>] rpc_async_schedule+0x27/0x32 [sunrpc]
       [<ffffffffa014a378>] ? __rpc_execute+0x3cc/0x3cc [sunrpc]
       [<ffffffff8105f8c1>] process_one_work+0x226/0x422
       [<ffffffff8105f7f4>] ? process_one_work+0x159/0x422
       [<ffffffff81094757>] ? lock_acquired+0x210/0x249
       [<ffffffffa014a378>] ? __rpc_execute+0x3cc/0x3cc [sunrpc]
       [<ffffffff810600d8>] worker_thread+0x126/0x1c4
       [<ffffffff8105ffb2>] ? manage_workers+0x240/0x240
       [<ffffffff81064ef8>] kthread+0xb1/0xb9
       [<ffffffff81064e47>] ? __kthread_parkme+0x65/0x65
       [<ffffffff815206ec>] ret_from_fork+0x7c/0xb0
       [<ffffffff81064e47>] ? __kthread_parkme+0x65/0x65
      Code: 00 83 38 02 74 12 48 81 4b 50 00 00 01 00 c7 83 60 07 00 00 01 00 00 00 48 89 df e8 55 fe ff ff 5b 41 5c 5d c3 66 90 55 48 89 e5 <f0> ff 07 5d c3 55 48 89 e5 f0 ff 0f 0f 94 c0 84 c0 0f 95 c0 0f
      RIP  [<ffffffffa021a3a8>] atomic_inc+0x4/0x9 [nfs]
       RSP <ffff880038f8fa68>
      CR2: 0000000000000028
      Signed-off-by: default avatarBenny Halevy <bhalevy@tonian.com>
      Cc: stable@kernel.org [>= 3.6]
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
  6. 22 Feb, 2013 2 commits
    • Trond Myklebust's avatar
      SUNRPC: Don't start the retransmission timer when out of socket space · a9a6b52e
      Trond Myklebust authored
      If the socket is full, we're better off just waiting until it empties,
      or until the connection is broken. The reason why we generally don't
      want to time out is that the call to xprt->ops->release_xprt() will
      trigger a connection reset, which isn't helpful...
      Let's make an exception for soft RPC calls, since they have to provide
      timeout guarantees.
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Cc: stable@vger.kernel.org
    • Trond Myklebust's avatar
      NFS: Don't allow NFS silly-renamed files to be deleted, no signal · 5a7a613a
      Trond Myklebust authored
      Commit 73ca1001
       broke the code that prevents the client from deleting
      a silly renamed dentry.  This affected "delete on last close"
      semantics as after that commit, nothing prevented removal of
      silly-renamed files.  As a result, a process holding a file open
      could easily get an ESTALE on the file in a directory where some
      other process issued 'rm -rf some_dir_containing_the_file' twice.
      Before the commit, any attempt at unlinking silly renamed files would
      fail inside may_delete() with -EBUSY because of the
      DCACHE_NFSFS_RENAMED flag.  The following testcase demonstrates
      the problem:
        tail -f /nfsmnt/dir/file &
        rm -rf /nfsmnt/dir
        rm -rf /nfsmnt/dir
        # second removal does not fail, 'tail' process receives ESTALE
      The problem with the above commit is that it unhashes the old and
      new dentries from the lookup path, even in the normal case when
      a signal is not encountered and it would have been safe to call
      d_move.  Unfortunately the old dentry has the special
      DCACHE_NFSFS_RENAMED flag set on it.  Unhashing has the
      side-effect that future lookups call d_alloc(), allocating a new
      dentry without the special flag for any silly-renamed files.  As a
      result, subsequent calls to unlink silly renamed files do not fail
      but allow the removal to go through.  This will result in ESTALE
      errors for any other process doing operations on the file.
      To fix this, go back to using d_move on success.
      For the signal case, it's unclear what we may safely do beyond d_drop.
      Reported-by: default avatarDave Wysochanski <dwysocha@redhat.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Acked-by: default avatarJeff Layton <jlayton@redhat.com>
      Cc: stable@vger.kernel.org
  7. 19 Feb, 2013 1 commit
  8. 17 Feb, 2013 4 commits
    • fanchaoting's avatar
      umount oops when remove blocklayoutdriver first · 5a12cca6
      fanchaoting authored
      now pnfs client uses block layout, maybe we can remove
      blocklayoutdriver first. if we umount later,
      it can cause oops in unset_pnfs_layoutdriver.
      because nfss->pnfs_curr_ld->clear_layoutdriver is invalid.
      reproduce it:
       modprobe  blocklayoutdriver
       mount -t nfs4 -o minorversion=1 pnfsip:/ /mnt/
       rmmod blocklayoutdriver
       umount /mnt
      then you can see following
      CPU 0
      Pid: 17023, comm: umount.nfs4 Tainted: GF          O 3.7.0-rc6-pnfs #1 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
      RIP: 0010:[<ffffffffa04cfe6d>]  [<ffffffffa04cfe6d>] unset_pnfs_layoutdriver+0x1d/0x70 [nfsv4]
      RSP: 0018:ffff8800022d9e48  EFLAGS: 00010286
      RAX: ffffffffa04a1b00 RBX: ffff88000b013800 RCX: 0000000000000001
      RDX: ffffffff81ae8ee0 RSI: ffff880001ee94b8 RDI: ffff88000b013800
      RBP: ffff8800022d9e58 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff880001ee9400
      R13: ffff8800105978c0 R14: 00007fff25846c08 R15: 0000000001bba550
      FS:  00007f45ae7f0700(0000) GS:ffff880012c00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: ffffffffa04a1b38 CR3: 0000000002c0c000 CR4: 00000000000006f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process umount.nfs4 (pid: 17023, threadinfo ffff8800022d8000, task ffff880006e48aa0)
      ffff8800105978c0 ffff88000b013800 ffff8800022d9e78 ffffffffa04cd0ce
      ffff8800022d9e78 ffff88000b013800 ffff8800022d9ea8 ffffffffa04755a7
      ffff8800022d9ea8 ffff880002f96400 ffff88000b013800 ffff880002f96400
      Call Trace:
      [<ffffffffa04cd0ce>] nfs4_destroy_server+0x1e/0x30 [nfsv4]
      [<ffffffffa04755a7>] nfs_free_server+0xb7/0x150 [nfs]
      [<ffffffffa047d4d5>] nfs_kill_super+0x35/0x40 [nfs]
      [<ffffffff81178d35>] deactivate_locked_super+0x45/0x70
      [<ffffffff8117986a>] deactivate_super+0x4a/0x70
      [<ffffffff81193ee2>] mntput_no_expire+0xd2/0x130
      [<ffffffff81194d62>] sys_umount+0x72/0xe0
      [<ffffffff8154af59>] system_call_fastpath+0x16/0x1b
      Code: 06 e1 b8 ea ff ff ff eb 9e 0f 1f 44 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 48 8b 87 80 03 00 00 48 89 fb 48 85 c0 74 29 <48> 8b 40 38 48 85 c0 74 02 ff d0 48 8b 03 3e ff 48 04 0f 94 c2
      RIP  [<ffffffffa04cfe6d>] unset_pnfs_layoutdriver+0x1d/0x70 [nfsv4]
      RSP <ffff8800022d9e48>
      CR2: ffffffffa04a1b38
      ---[ end trace 29f75aaedda058bf ]---
      Signed-off-by: default avatar <fanchaoting&lt;fanchaoting@cn.fujitsu.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Cc: stable@vger.kernel.org
    • Jeff Layton's avatar
      sunrpc: silence build warning in gss_fill_context · 173db309
      Jeff Layton authored
      Since commit 620038f6
      , gcc is throwing the following warning:
        CC [M]  net/sunrpc/auth_gss/auth_gss.o
      In file included from include/linux/sunrpc/types.h:14:0,
                       from include/linux/sunrpc/sched.h:14,
                       from include/linux/sunrpc/clnt.h:18,
                       from net/sunrpc/auth_gss/auth_gss.c:45:
      net/sunrpc/auth_gss/auth_gss.c: In function ‘gss_pipe_downcall’:
      include/linux/sunrpc/debug.h:45:10: warning: ‘timeout’ may be used
      uninitialized in this function [-Wmaybe-uninitialized]
          printk(KERN_DEFAULT args); \
      net/sunrpc/auth_gss/auth_gss.c:194:15: note: ‘timeout’ was declared here
        unsigned int timeout;
      If simple_get_bytes returns an error, then we'll end up calling printk
      with an uninitialized timeout value. Reasonably harmless, but fairly
      simple to fix by removing the printout of the uninitialised parameters.
      Cc: Andy Adamson <andros@netapp.com>
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      [Trond: just remove the parameters rather than initialising timeout]
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
    • Tim Gardner's avatar
      nfs: remove kfree() redundant null checks · 96aa1549
      Tim Gardner authored
      smatch analysis:
      fs/nfs/getroot.c:130 nfs_get_root() info: redundant null
       check on name calling kfree()
      fs/nfs/unlink.c:272 nfs_async_unlink() info: redundant null
       check on devname_garbage calling kfree()
      Cc: Trond Myklebust <Trond.Myklebust@netapp.com>
      Cc: linux-nfs@vger.kernel.org
      Signed-off-by: default avatarTim Gardner <tim.gardner@canonical.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
    • Weston Andros Adamson's avatar
      NFSv4.1: Don't decode skipped layoutgets · 085b7a45
      Weston Andros Adamson authored
      layoutget's prepare hook can call rpc_exit with status = NFS4_OK (0).
      Because of this, nfs4_proc_layoutget can't depend on a 0 status to mean
      that the RPC was successfully sent, received and parsed.
      To fix this, use the result's len member to see if parsing took place.
      This fixes the following OOPS -- calling xdr_init_decode() with a buffer length
      0 doesn't set the stream's 'p' member and ends up using uninitialized memory
      in filelayout_decode_layout.
      BUG: unable to handle kernel paging request at 0000000000008050
      IP: [<ffffffff81282e78>] memcpy+0x18/0x120
      PGD 0
      Oops: 0000 [#1] SMP
      last sysfs file: /sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/irq
      CPU 1
      Modules linked in: nfs_layout_nfsv41_files nfs lockd fscache auth_rpcgss nfs_acl autofs4 sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 dm_mirror dm_region_hash dm_log dm_mod ppdev parport_pc parport snd_ens1371 snd_rawmidi snd_ac97_codec ac97_bus snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc e1000 microcode vmware_balloon i2c_piix4 i2c_core sg shpchp ext4 mbcache jbd2 sr_mod cdrom sd_mod crc_t10dif pata_acpi ata_generic ata_piix mptspi mptscsih mptbase scsi_transport_spi [last unloaded: speedstep_lib]
      Pid: 1665, comm: flush-0:22 Not tainted 2.6.32-356-test-2 #2 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
      RIP: 0010:[<ffffffff81282e78>]  [<ffffffff81282e78>] memcpy+0x18/0x120
      RSP: 0018:ffff88003dfab588  EFLAGS: 00010206
      RAX: ffff88003dc42000 RBX: ffff88003dfab610 RCX: 0000000000000009
      RDX: 000000003f807ff0 RSI: 0000000000008050 RDI: ffff88003dc42000
      RBP: ffff88003dfab5b0 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000080 R12: 0000000000000024
      R13: ffff88003dc42000 R14: ffff88003f808030 R15: ffff88003dfab6a0
      FS:  0000000000000000(0000) GS:ffff880003420000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
      CR2: 0000000000008050 CR3: 000000003bc92000 CR4: 00000000001407e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process flush-0:22 (pid: 1665, threadinfo ffff88003dfaa000, task ffff880037f77540)
      ffffffffa0398ac1 ffff8800397c5940 ffff88003dfab610 ffff88003dfab6a0
      <d> ffff88003dfab5d0 ffff88003dfab680 ffffffffa01c150b ffffea0000d82e70
      <d> 000000508116713b 0000000000000000 0000000000000000 0000000000000000
      Call Trace:
      [<ffffffffa0398ac1>] ? xdr_inline_decode+0xb1/0x120 [sunrpc]
      [<ffffffffa01c150b>] filelayout_decode_layout+0xeb/0x350 [nfs_layout_nfsv41_files]
      [<ffffffffa01c17fc>] filelayout_alloc_lseg+0x8c/0x3c0 [nfs_layout_nfsv41_files]
      [<ffffffff8150e6ce>] ? __wait_on_bit+0x7e/0x90
      Signed-off-by: default avatarWeston Andros Adamson <dros@netapp.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Cc: stable@vger.kernel.org
  9. 14 Feb, 2013 1 commit
    • Trond Myklebust's avatar
      NFSv4.1: Fix bulk recall and destroy of layouts · fd9a8d71
      Trond Myklebust authored
      The current code in pnfs_destroy_all_layouts() assumes that removing
      the layout from the server->layouts list is sufficient to make it
      invisible to other processes. This ignores the fact that most
      users access the layout through the nfs_inode->layout...
      There is further breakage due to lack of reference counting of the
      layouts, meaning that the whole thing Oopses at the drop of a hat.
      The code in initiate_bulk_draining() is almost correct, and can be
      used as a model for pnfs_destroy_all_layouts(), so move that
      code to pnfs.c, and refactor the code to allow us to choose between
      a single filesystem bulk recall, and a recall of all layouts.
      Also note that initiate_bulk_draining() currently calls iput() while
      holding locks. Fix that too.
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Cc: stable@vger.kernel.org
  10. 12 Feb, 2013 1 commit
  11. 11 Feb, 2013 6 commits
  12. 01 Feb, 2013 11 commits
  13. 31 Jan, 2013 6 commits
    • Linus Torvalds's avatar
      Merge branch 'for-3.8/upstream-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid · cf5425bf
      Linus Torvalds authored
      PullHID fixes from Jiri Kosina:
       - fix i2c-hid and hidraw interaction, by Benjamin Tissoires
       - a quirk to make a particular device (Formosa IR receiver) work
         properly, by Nicholas Santos
      * 'for-3.8/upstream-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        HID: i2c-hid: fix i2c_hid_output_raw_report
        HID: usbhid: quirk for Formosa IR receiver
        HID: remove x bit from sensor doc
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-3.8-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · bf6c8a81
      Linus Torvalds authored
      Pull NFS client bugfixes from Trond Myklebust:
       - Error reporting in nfs_xdev_mount incorrectly maps all errors to
       - Fix an NFSv4 refcounting issue
       - Fix a mount failure when the server reboots during NFSv4 trunking
       - NFSv4.1 mounts may need to run the lease recovery thread.
       - Don't silently fail setattr() requests on mountpoints
       - Fix a SUNRPC socket/transport livelock and priority queue issue
       - We must handle NFS4ERR_DELAY when resetting the NFSv4.1 session.
      * tag 'nfs-for-3.8-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        NFSv4.1: Handle NFS4ERR_DELAY when resetting the NFSv4.1 session
        SUNRPC: When changing the queue priority, ensure that we change the owner
        NFS: Don't silently fail setattr() requests on mountpoints
        NFSv4.1: Ensure that nfs41_walk_client_list() does start lease recovery
        NFSv4: Fix NFSv4 trunking discovery
        NFSv4: Fix NFSv4 reference counting for trunked sessions
        NFS: Fix error reporting in nfs_xdev_mount
    • Linus Torvalds's avatar
      Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus · aeb8eede
      Linus Torvalds authored
      Pull MIPS updates from Ralf Baechle:
       "A number of fixes all across the MIPS tree.  No area is particularly
        standing out and things have cooled down quite nicely for a release."
      * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
        MIPS: Function tracer: Fix broken function tracing
        mips: Move __virt_addr_valid() to a place for MIPS 64
        MIPS: Netlogic: Fix UP compilation on XLR
        MIPS: AR71xx: Fix AR71XX_PCI_MEM_SIZE
        MIPS: AR724x: Fix AR724X_PCI_MEM_SIZE
        MIPS: Lantiq: Fix cp0_perfcount_irq mapping
        MIPS: DSP: Fix DSP mask for registers.
        MIPS: Fix build failure by adding definition of pfn_pmd().
        MIPS: Octeon: Fix warning.
        MIPS: delay.c: Check BITS_PER_LONG instead of __SIZEOF_LONG__
        MIPS: PNX833x: Fix comment.
        MIPS: Add struct p_format to union mips_instruction.
        MIPS: Export <asm/break.h>.
        MIPS: BCM47xx: Enable SSB prerequisite SSB_DRIVER_PCICORE.
        MIPS: BCM47xx: Select GPIOLIB for BCMA on bcm47xx platform
        MIPS: vpe.c: Fix null pointer dereference in print arguments.
    • Benjamin Tissoires's avatar
      HID: i2c-hid: fix i2c_hid_output_raw_report · c284979a
      Benjamin Tissoires authored
      i2c_hid_output_raw_report is used by hidraw to forward set_report requests.
      The current implementation of i2c_hid_set_report needs to take the
      report_id as an argument. The report_id is stored in the first byte
      of the buffer in argument of i2c_hid_output_raw_report.
      Not removing the report_id from the given buffer adds this byte 2 times
      in the command, leading to a non working command.
      Reported-by: default avatarAndrew Duggan <aduggan@synaptics.com>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
    • Al Cooper's avatar
      MIPS: Function tracer: Fix broken function tracing · 58b69401
      Al Cooper authored
      Function tracing is currently broken for all 32 bit MIPS platforms.
      When tracing is enabled, the kernel immediately hangs on boot.
      This is a result of commit b732d439
      that changes the kernel/trace/Kconfig file so that is no longer
      forces FRAME_POINTER when FUNCTION_TRACING is enabled.
      MIPS frame pointers are generally considered to be useless because
      they cannot be used to unwind the stack. Unfortunately the MIPS
      function tracing code has bugs that are masked by the use of frame
      pointers. This commit fixes the bugs so that MIPS frame pointers
      don't need to be enabled.
      The bugs are a result of the odd calling sequence used to call the trace
      routine. This calling sequence is inserted into every traceable function
      when the tracing CONFIG option is enabled. This sequence is generated
      for 32bit MIPS platforms by the compiler via the "-pg" flag.
      Part of the sequence is "addiu sp,sp,-8" in the delay slot after every
      call to the trace routine "_mcount" (some legacy thing where 2 arguments
      used to be pushed on the stack). The _mcount routine is expected to
      adjust the sp by +8 before returning.  So when not disabled, the original
      jalr and addiu will be there, so _mcount has to adjust sp.
      The problem is that when tracing is disabled for a function, the
      "jalr _mcount" instruction is replaced with a nop, but the
      "addiu sp,sp,-8" is still executed and the stack pointer is left
      trashed. When frame pointers are enabled the problem is masked
      because any access to the stack is done through the frame
      pointer and the stack pointer is restored from the frame pointer when
      the function returns.
      This patch writes two nops starting at the address of the "jalr _mcount"
      instruction whenever tracing is disabled. This means that the
      "addiu sp,sp.-8" will be converted to a nop along with the "jalr".  When
      disabled, there will be two nops.
      This is SMP safe because the first time this happens is during
      ftrace_init() which is before any other processor has been started.
      Subsequent calls to enable/disable tracing when other CPUs ARE running
      will still be safe because the enable will only change the first nop
      to a "jalr" and the disable, while writing 2 nops, will only be changing
      the "jalr". This patch also stops using stop_machine() to call the
      tracer enable/disable routines and calls them directly because the
      routines are SMP safe.
      When the kernel first boots we have to be able to handle the gcc
      generated jalr, addui sequence until ftrace_init gets a chance to run
      and change the sequence. At this point mcount just adjusts the stack
      and returns. When ftrace_init runs, we convert the jalr/addui to nops.
      Then whenever tracing is enabled we convert the first nop to a "jalr
      mcount+8". The mcount+8 entry point skips the stack adjust.
      [ralf@linux-mips.org: Folded in  Steven Rostedt's build fix.]
      Signed-off-by: default avatarAl Cooper <alcooperx@gmail.com>
      Cc: rostedt@goodmis.org
      Cc: ddaney.cavm@gmail.com
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/4806/
      Patchwork: https://patchwork.linux-mips.org/patch/4841/
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
    • Alasdair G Kergon's avatar
      dm: fix write same requests counting · fe7af2d3
      Alasdair G Kergon authored
      When processing write same requests, fix dm to send the configured
      number of WRITE SAME requests to the target rather than the number of
      discards, which is not always the same.
      Device-mapper WRITE SAME support was introduced by commit
       ("dm: add WRITE SAME support").
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Acked-by: default avatarMike Snitzer <snitzer@redhat.com>