From 7b363e440021a1cf9ed76944b2685f48dacefb3e Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Tue, 9 Dec 2008 23:22:26 -0800 Subject: netpoll: fix race on poll_list resulting in garbage entry A few months back a race was discused between the netpoll napi service path, and the fast path through net_rx_action: http://kerneltrap.org/mailarchive/linux-netdev/2007/10/16/345470 A patch was submitted for that bug, but I think we missed a case. Consider the following scenario: INITIAL STATE CPU0 has one napi_struct A on its poll_list CPU1 is calling netpoll_send_skb and needs to call poll_napi on the same napi_struct A that CPU0 has on its list CPU0 CPU1 net_rx_action poll_napi !list_empty (returns true) locks poll_lock for A poll_one_napi napi->poll netif_rx_complete __napi_complete (removes A from poll_list) list_entry(list->next) In the above scenario, net_rx_action assumes that the per-cpu poll_list is exclusive to that cpu. netpoll of course violates that, and because the netpoll path can dequeue from the poll list, its possible for CPU0 to detect a non-empty list at the top of the while loop in net_rx_action, but have it become empty by the time it calls list_entry. Since the poll_list isn't surrounded by any other structure, the returned data from that list_entry call in this situation is garbage, and any number of crashes can result based on what exactly that garbage is. Given that its not fasible for performance reasons to place exclusive locks arround each cpus poll list to provide that mutal exclusion, I think the best solution is modify the netpoll path in such a way that we continue to guarantee that the poll_list for a cpu is in fact exclusive to that cpu. To do this I've implemented the patch below. It adds an additional bit to the state field in the napi_struct. When executing napi->poll from the netpoll_path, this bit will be set. When a driver calls netif_rx_complete, if that bit is set, it will not remove the napi_struct from the poll_list. That work will be saved for the next iteration of net_rx_action. I've tested this and it seems to work well. About the biggest drawback I can see to it is the fact that it might result in an extra loop through net_rx_action in the event that the device is actually contended for (i.e. the netpoll path actually preforms all the needed work no the device, and the call to net_rx_action winds up doing nothing, except removing the napi_struct from the poll_list. However I think this is probably a small price to pay, given that the alternative is a crash. Signed-off-by: Neil Horman Signed-off-by: David S. Miller --- include/linux/netdevice.h | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'include') diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 9d77b1d7dca8..e26f54952892 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -319,6 +319,7 @@ enum { NAPI_STATE_SCHED, /* Poll is scheduled */ NAPI_STATE_DISABLE, /* Disable pending */ + NAPI_STATE_NPSVC, /* Netpoll - don't dequeue from poll_list */ }; extern void __napi_schedule(struct napi_struct *n); @@ -1497,6 +1498,12 @@ static inline void netif_rx_complete(struct net_device *dev, { unsigned long flags; + /* + * don't let napi dequeue from the cpu poll list + * just in case its running on a different cpu + */ + if (unlikely(test_bit(NAPI_STATE_NPSVC, &napi->state))) + return; local_irq_save(flags); __netif_rx_complete(dev, napi); local_irq_restore(flags); -- cgit v1.2.3 From 6c34bc2976b30dc8b56392c020e25bae1f363cab Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Wed, 10 Dec 2008 09:26:17 -0800 Subject: Revert "radeonfb: accelerate imageblit and other improvements" This reverts commit b1ee26bab14886350ba12a5c10cbc0696ac679bf, along with the "fixes" for it that all just caused problems: - c4c6fa9891f3d1bcaae4f39fb751d5302965b566 "radeonfb: fix problem with color expansion & alignment" - f3179748a157c21d44d929fd3779421ebfbeaa93 "radeonfb: Disable new color expand acceleration unless explicitely enabled" because even when disabled, it breaks for people. See http://bugzilla.kernel.org/show_bug.cgi?id=12191 for the latest example. Acked-by: Benjamin Herrenschmidt Acked-by: David S. Miller Cc: Krzysztof Halasa Cc: James Cloos Cc: "Rafael J. Wysocki" Cc: Krzysztof Helt Cc: Jean-Luc Coulon Cc: Andrew Morton Signed-off-by: Linus Torvalds --- include/video/radeon.h | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) (limited to 'include') diff --git a/include/video/radeon.h b/include/video/radeon.h index d5dcaf154ba4..1cd09cc5b169 100644 --- a/include/video/radeon.h +++ b/include/video/radeon.h @@ -525,9 +525,6 @@ #define CRTC_DISPLAY_DIS (1 << 10) #define CRTC_CRT_ON (1 << 15) -/* DSTCACHE_MODE bits constants */ -#define RB2D_DC_AUTOFLUSH_ENABLE (1 << 8) -#define RB2D_DC_DC_DISABLE_IGNORE_PE (1 << 17) /* DSTCACHE_CTLSTAT bit constants */ #define RB2D_DC_FLUSH_2D (1 << 0) @@ -869,10 +866,15 @@ #define GMC_DST_16BPP_YVYU422 0x00000c00 #define GMC_DST_32BPP_AYUV444 0x00000e00 #define GMC_DST_16BPP_ARGB4444 0x00000f00 +#define GMC_SRC_MONO 0x00000000 +#define GMC_SRC_MONO_LBKGD 0x00001000 +#define GMC_SRC_DSTCOLOR 0x00003000 #define GMC_BYTE_ORDER_MSB_TO_LSB 0x00000000 #define GMC_BYTE_ORDER_LSB_TO_MSB 0x00004000 #define GMC_DP_CONVERSION_TEMP_9300 0x00008000 #define GMC_DP_CONVERSION_TEMP_6500 0x00000000 +#define GMC_DP_SRC_RECT 0x02000000 +#define GMC_DP_SRC_HOST 0x03000000 #define GMC_DP_SRC_HOST_BYTEALIGN 0x04000000 #define GMC_3D_FCN_EN_CLR 0x00000000 #define GMC_3D_FCN_EN_SET 0x08000000 @@ -883,9 +885,6 @@ #define GMC_WRITE_MASK_LEAVE 0x00000000 #define GMC_WRITE_MASK_SET 0x40000000 #define GMC_CLR_CMP_CNTL_DIS (1 << 28) -#define GMC_SRC_DATATYPE_MASK (3 << 12) -#define GMC_SRC_DATATYPE_MONO_FG_BG (0 << 12) -#define GMC_SRC_DATATYPE_MONO_FG_LA (1 << 12) #define GMC_SRC_DATATYPE_COLOR (3 << 12) #define ROP3_S 0x00cc0000 #define ROP3_SRCCOPY 0x00cc0000 @@ -894,7 +893,6 @@ #define DP_SRC_SOURCE_MASK (7 << 24) #define GMC_BRUSH_NONE (15 << 4) #define DP_SRC_SOURCE_MEMORY (2 << 24) -#define DP_SRC_SOURCE_HOST_DATA (3 << 24) #define GMC_BRUSH_SOLIDCOLOR 0x000000d0 /* DP_MIX bit constants */ @@ -980,12 +978,6 @@ #define DISP_PWR_MAN_TV_ENABLE_RST (1 << 25) #define DISP_PWR_MAN_AUTO_PWRUP_EN (1 << 26) -/* RBBM_GUICNTL constants */ -#define RBBM_GUICNTL_HOST_DATA_SWAP_NONE (0 << 0) -#define RBBM_GUICNTL_HOST_DATA_SWAP_16BIT (1 << 0) -#define RBBM_GUICNTL_HOST_DATA_SWAP_32BIT (2 << 0) -#define RBBM_GUICNTL_HOST_DATA_SWAP_HDW (3 << 0) - /* masks */ #define CONFIG_MEMSIZE_MASK 0x1f000000 -- cgit v1.2.3 From d2ff911882b6bc693d86ca9566daac70aacbb2b3 Mon Sep 17 00:00:00 2001 From: Rusty Russell Date: Mon, 15 Dec 2008 19:04:35 +1030 Subject: Define smp_call_function_many for UP Otherwise those using it in transition patches (eg. kvm) can't compile with CONFIG_SMP=n: arch/x86/kvm/../../../virt/kvm/kvm_main.c: In function 'make_all_cpus_request': arch/x86/kvm/../../../virt/kvm/kvm_main.c:380: error: implicit declaration of function 'smp_call_function_many' Signed-off-by: Rusty Russell Signed-off-by: Linus Torvalds --- include/linux/smp.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'include') diff --git a/include/linux/smp.h b/include/linux/smp.h index 3f9a60043a97..6e7ba16ff454 100644 --- a/include/linux/smp.h +++ b/include/linux/smp.h @@ -146,6 +146,8 @@ static inline void smp_send_reschedule(int cpu) { } }) #define smp_call_function_mask(mask, func, info, wait) \ (up_smp_call_function(func, info)) +#define smp_call_function_many(mask, func, info, wait) \ + (up_smp_call_function(func, info)) static inline void init_call_single_data(void) { } -- cgit v1.2.3 From 092cab7e2cd868cb0b30209a0337689c3ffd6133 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 16 Dec 2008 01:19:41 -0800 Subject: netfilter: ctnetlink: fix missing CTA_NAT_SEQ_UNSPEC This patch fixes an inconsistency in nfnetlink_conntrack.h that I introduced myself. The problem is that CTA_NAT_SEQ_UNSPEC is missing from enum ctattr_natseq. This inconsistency may lead to problems in the message parsing in userspace (if the message contains the CTA_NAT_SEQ_* attributes, of course). This patch breaks backward compatibility, however, the only known client of this code is libnetfilter_conntrack which indeed crashes because it assumes the existence of CTA_NAT_SEQ_UNSPEC to do the parsing. The CTA_NAT_SEQ_* attributes were introduced in 2.6.25. Signed-off-by: Pablo Neira Ayuso Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter/nfnetlink_conntrack.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h index c19595c89304..29fe9ea1d346 100644 --- a/include/linux/netfilter/nfnetlink_conntrack.h +++ b/include/linux/netfilter/nfnetlink_conntrack.h @@ -141,6 +141,7 @@ enum ctattr_protonat { #define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1) enum ctattr_natseq { + CTA_NAT_SEQ_UNSPEC, CTA_NAT_SEQ_CORRECTION_POS, CTA_NAT_SEQ_OFFSET_BEFORE, CTA_NAT_SEQ_OFFSET_AFTER, -- cgit v1.2.3 From 9a9fafb89433c5fd1331bac0c84c4b321e358b42 Mon Sep 17 00:00:00 2001 From: Phil Endecott Date: Mon, 1 Dec 2008 10:22:33 -0500 Subject: USB: fix comment about endianness of descriptors This patch fixes a comment and clarifies the documentation about the endianness of descriptors. The current policy is that descriptors will be little-endian at the API even on big-endian systems; however the /proc/bus/usb API predates this policy and presents descriptors with some multibyte fields byte-swapped. Signed-off-by: Phil Endecott Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman --- include/linux/usb/ch9.h | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'include') diff --git a/include/linux/usb/ch9.h b/include/linux/usb/ch9.h index 73a2f4eb1f7a..9b42baed3900 100644 --- a/include/linux/usb/ch9.h +++ b/include/linux/usb/ch9.h @@ -158,8 +158,12 @@ struct usb_ctrlrequest { * (rarely) accepted by SET_DESCRIPTOR. * * Note that all multi-byte values here are encoded in little endian - * byte order "on the wire". But when exposed through Linux-USB APIs, - * they've been converted to cpu byte order. + * byte order "on the wire". Within the kernel and when exposed + * through the Linux-USB APIs, they are not converted to cpu byte + * order; it is the responsibility of the client code to do this. + * The single exception is when device and configuration descriptors (but + * not other descriptors) are read from usbfs (i.e. /proc/bus/usb/BBB/DDD); + * in this case the fields are converted to host endianness by the kernel. */ /* -- cgit v1.2.3 From 69c30e1e7492192f882a3fc11888b320fde5206a Mon Sep 17 00:00:00 2001 From: Samuel Ortiz Date: Wed, 17 Dec 2008 15:44:58 -0800 Subject: irda: Add irda_skb_cb qdisc related padding We need to pad irda_skb_cb in order to keep it safe accross dev_queue_xmit() calls. This is some ugly and temporary hack triggered by recent qisc code changes. Even though it fixes bugzilla.kernel.org bug #11795, it will be replaced by a proper fix before 2.6.29 is released. Signed-off-by: Samuel Ortiz Signed-off-by: David S. Miller --- include/net/irda/irda_device.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/net/irda/irda_device.h b/include/net/irda/irda_device.h index 3025ae17ddbe..94c852d47d0f 100644 --- a/include/net/irda/irda_device.h +++ b/include/net/irda/irda_device.h @@ -135,9 +135,11 @@ struct dongle_reg { /* * Per-packet information we need to hide inside sk_buff - * (must not exceed 48 bytes, check with struct sk_buff) + * (must not exceed 48 bytes, check with struct sk_buff) + * The default_qdisc_pad field is a temporary hack. */ struct irda_skb_cb { + unsigned int default_qdisc_pad; magic_t magic; /* Be sure that we can trust the information */ __u32 next_speed; /* The Speed to be set *after* this frame */ __u16 mtt; /* Minimum turn around time */ -- cgit v1.2.3