The mm-of-the-moment snapshot 2010-01-13-12-17 has been uploaded to
http://userweb.kernel.org/~akpm/mmotm/
and will soon be available at
git://zen-kernel.org/kernel/mmotm.git
It contains the following patches against 2.6.33-rc4:
kfifo-fix-kfifo_out_locked-race-bug.patch
viafb-fix-lcd-hardware-cursor-regression.patch
viafb-do-modesetting-after-updating-variables.patch
viafb-fix-acceleration-for-some-chips.patch
markup_oopspl-fix-error-with-x86.patch
serial-8250_pnp-add-a-new-fujitsu-wacom-tablet-pc-device.patch
kfifo-use-void-pointers-for-user-buffers.patch
kfifo-sanitize-_user-error-handling.patch
kfifo-add-kfifo_out_peek.patch
kfifo-add-kfifo_initialized.patch
kfifo-document-everywhere-that-size-has-to-be-power-of-two.patch
linux-next.patch
next-remove-localversion.patch
i-need-old-gcc.patch
lzo-fix-up-add-support-for-lzo-compressed-kernels-patch.patch
hardware-latency-detector-remove-default-m.patch
revert-input-wistron_btns-switch-to-using-sparse-keymap-library.patch
drivers-media-video-cx23885-needs-kfifo-conversion.patch
page-allocator-fix-update-nr_free_pages-only-as-necessary.patch
mm-page_alloc-fix-the-range-check-for-backward-merging.patch
kernelh-add-build_bug_on_not_power_of_2.patch
smp_call_function_any-pass-the-node-value-to-cpumask_of_node.patch
mmc-remove-const-from-tmio-mmc-platform-data-v2.patch
mmc-balance-tmio-mmc-cell-enable-disable-calls.patch
vmscan-kswapd-dont-retry-balance_pgdat-if-all-zones-are-unreclaimable.patch
drivers-gpu-vga-vgaarbc-fix-userspace-pointer-dereference.patch
mtd-nand-fix-build-failure-caused-by-typo.patch
m68knommu-fix-invalid-flags-on-coldfire-pit-clocksource.patch
ibmphp-read-the-length-of-ebda-and-map-entire-ebda-region.patch
ibmphp-read-the-length-of-ebda-and-map-entire-ebda-region-fix.patch
sched-f83f9ac-causes-tasks-running-at-max_prio.patch
hpsa-fix-scsi-status-reporting-yet-again.patch
drivers-scsi-sesc-eliminate-double-free.patch
kernel-credc-use-kmem_cache_free.patch
revert-clockevents-prevent-clockevent_devices-list-corruption-on-cpu-hotplug.patch
tpm_infineon-fix-suspend-resume-handler-for-pnp_driver.patch
usb-serial-fix-memory-leak-in-generic-driver.patch
dell_laptop-when-the-hardware-switch-is-disabled-dont-actually-allow-changing-the-softblock-status.patch
acpi-fix-confusion-in-acpi_evaluate_string-in-comment.patch
acpi-fix-unused-variable-warning-in-sbsc.patch
acpi-remove-superfluous-null-pointer-check-from-acpi_processor_get_throttling_info.patch
acpica-fix-acpi_ex_release_mutex-comment.patch
arm-convert-proc-cpu-aligment-to-seq_file.patch
arch-arm-plat-pxa-dmac-correct-null-test.patch
revert-cpufreq-fix-race-in-cpufreq_update_policy.patch
powerpc-sky-cpu-redundant-or-incorrect-tests-on-unsigned.patch
kbuild-move-fno-dwarf2-cfi-asm-to-powerpc-only.patch
drivers-gpu-drm-radeon-radeon_combiosc-fix-warning.patch
drivers-gpu-drm-nouveau-nouveau_grctxc-correct-null-test.patch
drivers-media-video-move-dereference-after-null-test.patch
proc_fops-convert-av7110.patch
drivers-media-video-pmsc-needs-versionh.patch
v4l-dvb-wrong-variable-tested.patch
timer-stats-fix-del_timer_sync-and-try_to_del_timer_sync.patch
posix-cpu-timers-reset-expire-cache-when-no-timer-is-running.patch
hrtimer-correct-a-few-numbers-in-comments.patch
clockevents-ensure-taht-min_delta_ns-is-increased-in-error-path.patch
clocksource-add-argument-to-resume-callback.patch
clocksource-start-cmt-at-clocksource-resume.patch
clocksource-add-suspend-callback.patch
infiniband-use-rlimit-helpers.patch
input-bcm5974-retract-efi-broken-suspend_resume.patch
usbtouchscreen-convert-from-usb_device-to-usb_interface.patch
usbtouchscreen-find-input-endpoint-automatically.patch
usbtouchscreen-add-nexio-or-inexio-support.patch
usbtouchscreen-fix-nexio-ack-and-usb-disconnect.patch
usbtouchscreen-dont-send-interrupt-urbs-to-bulk-endpoints.patch
usbtouchscreen-fix-leaks-and-check-return-value-of-usb_submit_urb.patch
mtd-nand-davinci-correct-4-bit-error-correction.patch
jffs2-fix-memory-corruption-in-jffs2_read_inode_range.patch
jffs2-avoid-using-c-keyword-new-in-userspace-visible-header.patch
ntfs-use-bitmap_weight.patch
hisax-timeout-off-by-one-in-waitrecmsg.patch
proc_fops-convert-drivers-isdn-to-seq_file.patch
3x59x-fix-pci-resource-management.patch
net-ipv4-correct-the-size-argument-to-kzalloc.patch
da9030_battery-fix-spelling-in-comment.patch
sunrpc-use-formatting-of-module-name-in-sunrpc.patch
kernel-irq-procc-expose-the-irq_desc-node-in-proc-irq.patch
scsi-add-__init-__exit-macros-to-ibmvstgtc.patch
drivers-scsi-fnic-fnic_scsic-clean-up.patch
ibmmca-buffer-overflow.patch
scsi-eata-fix-buffer-overflow.patch
drivers-scsi-gdthc-fix-buffer-overflow.patch
drivers-scsi-u14-34fc-fix-uffer-overflow.patch
drivers-scsi-lpfc-lpfc_vportc-fix-read-buffer-overflow.patch
osst-fix-read-buffer-overflow.patch
gdth-unmap-ccb_phys-when-scsi_add_host-fails-in-gdth_eisa_probe_one.patch
zfcp-test-kmalloc-failure-in-scsi_get_vpd_page.patch
drivers-scsi-libsas-use-sam_good.patch
ncr5380-bit-mr_dma_mode-set-twice-in-ncr5380_transfer_dma.patch
drivers-scsi-remove-unnecessary-null-test.patch
drivers-message-move-dereference-after-null-test.patch
scsi-pmcraid-redundant-check-in-pmcraid_check_ioctl_buffer.patch
mpt-fusion-convert-to-seq_file.patch
scsi-remove-unnecessary-null-test.patch
g_ncr5380-remove-misleading-pnp-error-message.patch
g_ncr5380-fix-broken-mmio-compilation.patch
g_ncr5380-fix-missing-pnp_device_detach-and-scsi_unregister-on-rmmod.patch
dc395x-decrease-iteration-for-tag_number-of-max_command-in-start_scsi.patch
drivers-scsi-correct-the-size-argument-to-kmalloc.patch
scsi-remove-superfluous-null-pointer-check-from-scsi_kill_request.patch
mpt2sas-fix-confusion-in-_scsih_sas_device_status_change_event.patch
paride-fix-off-by-one-test.patch
convert-sparc-to-arch_gettimeoffset.patch
drivers-staging-tm6000-tm6000-videoc-correct-null-test.patch
80211core-fix-confusion.patch
drivers-usb-correct-the-size-argument-to-kzalloc.patch
musb-test-always-evaluates-to-false.patch
drivers-usb-core-sysfsc-set_reset_quirk-remove-unused-local.patch
vfs-fix-vfs_rename_dir-for-fs_rename_does_d_move-filesystems.patch
vfs-improve-comment-describing-fget_light.patch
ecryptfs-another-lockdep-issue.patch
fs-improve-remountro-vs-buffercache-coherency.patch
xtensa-convert-to-asm-generic-hardirqh.patch
xtensa-includecheck-fix-vectorss.patch
mm.patch
mm-clean-up-mm_counter.patch
mm-avoid-false-sharing-of-mm_counter.patch
mm-avoid-false-sharing-of-mm_counter-checkpatch-fixes.patch
mm-count-swap-usage.patch
mm-count-swap-usage-checkpatch-fixes.patch
mm-add-lowmem-detection-logic.patch
mm-add-lowmem-detection-logic-fix.patch
mm-count-lowmem-rss.patch
mm-count-lowmem-rss-checkpatch-fixes.patch
mm-introduce-dump_page-and-print-symbolic-flag-names.patch
page-allocator-reduce-fragmentation-in-buddy-allocator-by-adding-buddies-that-are-merging-to-the-tail-of-the-free-lists.patch
mm-add-swap-slot-free-callback-to-block_device_operations.patch
ramzswap-use-slot-free-callback-to-eliminate-stale-data.patch
mlock_vma_pages_range-never-return-negative-value.patch
mlock_vma_pages_range-only-return-success-or-failure.patch
mm-use-rlimit-helpers.patch
vmscan-check-high-watermark-after-shrink-zone.patch
vmscan-check-high-watermark-after-shrink-zone-fix.patch
frv-duplicate-output_buffer-of-e03.patch
frv-duplicate-output_buffer-of-e03-checkpatch-fixes.patch
cris-convert-to-use-arch_gettimeoffset.patch
cryptocop-fix-assertion-in-create_output_descriptors.patch
mfgpt-move-clocksource-menu.patch
prctl-add-pr_set_proctitle_area-option-for-prctl.patch
kernel-cpuc-delete-deprecated-definition-in-cpu_up.patch
init-mainc-improve-usability-in-case-of-init-binary-failure.patch
init-initramfsc-fix-symbol-shadows-an-earlier-one-noise.patch
cpumask-let-num__cpus-function-always-return-unsigned-values.patch
fs-use-rlimit-helpers.patch
nodemaskh-remove-macro-any_online_node.patch
scripts-get_maintainerpl-add-file-emails-find-embedded-email-addresses.patch
ricoh_mmc-port-from-driver-to-pci-quirk.patch
davinci-mmc-add-support-for-8bit-mmc-cards.patch
davinci-mmc-add-a-function-to-control-reset-state-of-the-controller.patch
davinci-mmc-updates-to-suspend-resume-implementation.patch
mmc-atmel-host-kconfig-cleanup-for-everyone-else.patch
sdio-recognize-io-card-without-powercycle.patch
scripts-checkpatchpl-add-warn-on-sizeof.patch
checkpatch-trivial-fix-for-trailing-statements-check.patch
checkpatchpl-allow-80-char-lines-for-logging-functions-not-just-printk.patch
checkpatch-fix-false-positive-on-__initconst.patch
checkpatchpl-add-union-and-struct-to-the-exceptions-list.patch
coredump-unify-dump_seek-implementations-for-each-binfmt_c.patch
coredump-move-dump_write-and-dump_seek-into-a-header-file.patch
elf-coredump-replace-elf_core_extra_-macros-by-functions.patch
elf-coredump-make-offset-calculation-process-and-writing-process-explicit.patch
elf-coredump-add-extended-numbering-support.patch
mm-pass-mm-flags-as-a-coredump-parameter-for-consistency.patch
mm-pass-mm-flags-as-a-coredump-parameter-for-consistency-fix.patch
spi-mpc8xxx-dont-check-platform_get_irqs-return-value-against-zero.patch
console-limit-the-range-of-vgacon_soft_scrollback_size.patch
xen-add-kconfig-menu.patch
rtc-mxc-fix-memory-leak.patch
gpio-add-driver-for-max7300-i2c-gpio-extender.patch
pca953x-minor-include-cleanup.patch
gpio-introduce-gpio_request_one-and-friends.patch
asiliantfb-fix-test-of-unsigned-in-asiliant_calc_dclk2.patch
fbdev-bf54x-lq043fb-bfin-t350mcqb-fb-drop-custom-mmap-handler.patch
broadsheetfb-add-multiple-panel-type-support.patch
viafb-deprecate-private-ioctls.patch
viafb-remove-dead-code.patch
viafb-split-global-index-up.patch
viafb-remove-the-remaining-via_res_-uses.patch
viafb-some-dvi-cleanup.patch
viafb-yet-another-dead-code-removal.patch
hfsplus-identify-journal-info-block-in-volume-header.patch
hfsplus-fix-journal-detection.patch
cgroup-introduce-cancel_attach.patch
cgroup-introduce-coalesce-css_get-and-css_put.patch
cgroups-revamp-subsys-array.patch
cgroups-subsystem-module-loading-interface.patch
cgroups-subsystem-module-unloading.patch
cgroups-net_cls-as-module.patch
cgroups-fix-contents-in-cgroups-documentation.patch
memcg-add-interface-to-move-charge-at-task-migration.patch
memcg-move-charges-of-anonymous-page.patch
memcg-move-charges-of-anonymous-page-cleanup.patch
memcg-improve-performance-in-moving-charge.patch
memcg-avoid-oom-during-moving-charge.patch
memcg-move-charges-of-anonymous-swap.patch
memcg-move-charges-of-anonymous-swap-fix.patch
memcg-improve-performance-in-moving-swap-charge.patch
memcg-improve-performance-in-moving-swap-charge-fix.patch
cgroup-implement-eventfd-based-generic-api-for-notifications.patch
cgroup-implement-eventfd-based-generic-api-for-notifications-kconfig-fix.patch
memcg-extract-mem_group_usage-from-mem_cgroup_read.patch
memcg-rework-usage-of-stats-by-soft-limit.patch
memcg-implement-memory-thresholds.patch
memcg-implement-memory-thresholds-checkpatch-fixes.patch
memcg-implement-memory-thresholds-checkpatch-fixes-fix.patch
memcg-typo-in-comment-to-mem_cgroup_print_oom_info.patch
tracehooks-kill-some-pt_ptraced-checks.patch
tracehooks-check-pt_ptraced-before-reporting-the-single-step.patch
ptrace_signal-check-pt_ptraced-before-reporting-a-signal.patch
export-__ptrace_detach-and-do_notify_parent_cldstop.patch
reorder-the-code-in-kernel-ptracec.patch
implement-utrace-ptrace.patch
utrace-core.patch
copy_signal-cleanup-use-zalloc-and-remove-initializations.patch
copy_signal-cleanup-kill-taskstats_tgid_init-and-acct_init_pacct.patch
copy_signal-cleanup-clean-thread_group_cputime_init.patch
copy_signal-cleanup-clean-tty_audit_fork.patch
ipc-use-rlimit-helpers.patch
ipmi-add-parameter-to-limit-cpu-usage-in-kipmid.patch
rcu-add-rcustring-adt-for-rcu-protected-strings.patch
add-a-kernel_address-that-works-for-data-too.patch
sysctl-add-proc_rcu_string-to-manage-sysctls-using-rcu-strings.patch
sysctl-use-rcu-strings-for-core_pattern-sysctl.patch
sysctl-add-call_usermodehelper_cleanup.patch
sysctl-convert-modprobe_path-to-proc_rcu_string.patch
sysctl-convert-poweroff_command-to-proc_rcu_string.patch
sysctl-convert-hotplug-helper-string-to-proc_rcu_string.patch
sysctl-use-rcu-protected-sysctl-for-ocfs-group-add-helper.patch
drivers-edac-introduce-missing-kfree.patch
w1-fix-test-in-ds2482_wait_1wire_idle.patch
vfs-take-2add-set_page_dirty_notag.patch
reiser4-vfs-add-super_operationssync_inodes-2.patch
reiser4-export-remove_from_page_cache.patch
reiser4-export-remove_from_page_cache-fix.patch
reiser4-export-find_get_pages.patch
reiser4.patch
reiser4-adjust-to-the-new-aops.patch
reiser4-adjust-to-the-new-aops-fixup.patch
reiser4-remove-simple_prepare_write-usage.patch
reiser4-remove-simple_prepare_write-usage-checkpatch-fixes.patch
fs-symlink-write_begin-allocation-context-fix-reiser4-fix.patch
reiser4-handling-error-returned-by-d_obtain_alias-fixup.patch
reiser4-update-names-of-quota-methods.patch
reiser4-use-set_page_dirty_notag.patch
fs-reiser4-add-parenths-around-x-y.patch
fs-reiser4-contextc-current_is_pdflush-got-removed.patch
reiser4-fix.patch
reiser4-rename-psched-to-dispatch.patch
reiser4-drop-journal-info.patch
reiser4-fix-compile-warnings.patch
reiser4-reduce-frame-size-of-reiser4_init_super_data.patch
reiser4-reduce-frame-size-of-reiser4_init_super_data-fixup.patch
reiser4-some-changes-from-reiser4-2631-patch.patch
reiser4-some-comments-were-still-mentioning-pdflush.patch
reiser4-generic_sync_sb_inodes-doesnt-exist-anymore.patch
reiser4-fixed-null-pointer-dereference.patch
make-sure-nobodys-leaking-resources.patch
journal_add_journal_head-debug.patch
releasing-resources-with-children.patch
make-frame_pointer-default=y.patch
mutex-subsystem-synchro-test-module.patch
mutex-subsystem-synchro-test-module-add-missing-header-file.patch
slab-leaks3-default-y.patch
put_bh-debug.patch
add-debugging-aid-for-memory-initialisation-problems.patch
workaround-for-a-pci-restoring-bug.patch
prio_tree-debugging-patch.patch
single_open-seq_release-leak-diagnostics.patch
add-a-refcount-check-in-dput.patch
getblk-handle-2tb-devices.patch
getblk-handle-2tb-devices-fix.patch
undeprecate-pci_find_device.patch
notify_change-callers-must-hold-i_mutex.patch
On Wed, 13 Jan 2010 12:17:36 PST, [email protected] said:
> The mm-of-the-moment snapshot 2010-01-13-12-17 has been uploaded to
>
> http://userweb.kernel.org/~akpm/mmotm/
Yow.
% make oldconfig
HOSTCC scripts/basic/fixdep
HOSTCC scripts/basic/docproc
In file included from scripts/basic/docproc.c:44:
/usr/include/sys/wait.h:67: error: conflicting types for '__WAIT_STATUS'
/usr/include/stdlib.h:72: note: previous declaration of '__WAIT_STATUS' was here
In file included from /usr/include/sys/wait.h:80,
from scripts/basic/docproc.c:44:
/usr/include/bits/waitstatus.h:68: error: redefinition of 'union wait'
make[1]: *** [scripts/basic/docproc] Error 1
make: *** [scripts_basic] Error 2
Looks to be busticated Fedora header files though. Heads up to anybody else
foolish enough to build -mm kernels under Fedora Rawhide. ;)
https://bugzilla.redhat.com/show_bug.cgi?id=554643
On Wed, 13 Jan 2010 12:17:36 -0800 [email protected] wrote:
> The mm-of-the-moment snapshot 2010-01-13-12-17 has been uploaded to
>
> http://userweb.kernel.org/~akpm/mmotm/
>
> and will soon be available at
>
> git://zen-kernel.org/kernel/mmotm.git
patch: cgroups-subsystem-module-unloading.patch
When CONFIG_MODULE_UNLOAD is not enabled:
kernel/cgroup.c:1013: error: implicit declaration of function 'module_refcount'
---
~Randy
From: Randy Dunlap <[email protected]>
I get a few dozen of these warnings when using
gcc (GCC) 4.4.1 20090725 (Red Hat 4.4.1-2):
In file included from mmotm-2010-0113-1217/init/do_mounts.c:5:
mmotm-2010-0113-1217/include/linux/tty.h: In function 'tty_port_get':
mmotm-2010-0113-1217/include/linux/tty.h:469: warning: '______f' is static but declared in inline function 'tty_port_get' which is not static
so make the function static inline.
(may be needed in mainline also; or a gcc problem?)
Signed-off-by: Randy Dunlap <[email protected]>
---
include/linux/tty.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- mmotm-2010-0113-1217.orig/include/linux/tty.h
+++ mmotm-2010-0113-1217/include/linux/tty.h
@@ -464,7 +464,7 @@ extern int tty_port_alloc_xmit_buf(struc
extern void tty_port_free_xmit_buf(struct tty_port *port);
extern void tty_port_put(struct tty_port *port);
-extern inline struct tty_port *tty_port_get(struct tty_port *port)
+static inline struct tty_port *tty_port_get(struct tty_port *port)
{
if (port)
kref_get(&port->kref);
---
~Randy
On Thu, Jan 14, 2010 at 08:07:48AM -0800, Randy Dunlap wrote:
> On Wed, 13 Jan 2010 12:17:36 -0800 [email protected] wrote:
>
> > The mm-of-the-moment snapshot 2010-01-13-12-17 has been uploaded to
> >
> > http://userweb.kernel.org/~akpm/mmotm/
> >
> > and will soon be available at
> >
> > git://zen-kernel.org/kernel/mmotm.git
>
>
> patch: cgroups-subsystem-module-unloading.patch
>
> When CONFIG_MODULE_UNLOAD is not enabled:
>
> kernel/cgroup.c:1013: error: implicit declaration of function 'module_refcount'
>
>
>
> ---
> ~Randy
>
Argh, my fault. try_module_get and module_put tricked me by not
depending on that config option while module_refcount did. Fix here:
From: Ben Blum <[email protected]>
Signed-off-by: Ben Blum <[email protected]>
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 391ff41..32e001e 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -964,7 +964,9 @@ static int rebind_subsystems(struct cgroupfs_root *root,
* drop the extra reference.
*/
module_put(ss->module);
+#ifdef CONFIG_MODULE_UNLOAD
BUG_ON(ss->module && !module_refcount(ss->module));
+#endif
} else {
/* Subsystem state shouldn't exist */
BUG_ON(cgrp->subsys[i]);
On Thu, 14 Jan 2010 12:20:06 -0500 Ben Blum wrote:
> On Thu, Jan 14, 2010 at 08:07:48AM -0800, Randy Dunlap wrote:
> > On Wed, 13 Jan 2010 12:17:36 -0800 [email protected] wrote:
> >
> > > The mm-of-the-moment snapshot 2010-01-13-12-17 has been uploaded to
> > >
> > > http://userweb.kernel.org/~akpm/mmotm/
> > >
> > > and will soon be available at
> > >
> > > git://zen-kernel.org/kernel/mmotm.git
> >
> >
> > patch: cgroups-subsystem-module-unloading.patch
> >
> > When CONFIG_MODULE_UNLOAD is not enabled:
> >
> > kernel/cgroup.c:1013: error: implicit declaration of function 'module_refcount'
> >
> >
> >
> > ---
> > ~Randy
> >
>
> Argh, my fault. try_module_get and module_put tricked me by not
> depending on that config option while module_refcount did. Fix here:
>
> From: Ben Blum <[email protected]>
> Signed-off-by: Ben Blum <[email protected]>
>
> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
> index 391ff41..32e001e 100644
> --- a/kernel/cgroup.c
> +++ b/kernel/cgroup.c
> @@ -964,7 +964,9 @@ static int rebind_subsystems(struct cgroupfs_root *root,
> * drop the extra reference.
> */
> module_put(ss->module);
> +#ifdef CONFIG_MODULE_UNLOAD
> BUG_ON(ss->module && !module_refcount(ss->module));
> +#endif
> } else {
> /* Subsystem state shouldn't exist */
> BUG_ON(cgrp->subsys[i]);
Thanks.
Acked-by: Randy Dunlap <[email protected]>
---
~Randy
On Sat, 16 Jan 2010 00:38:32 +0100
Jiri Slaby <[email protected]> wrote:
> (fixed subject)
>
> On 01/15/2010 08:33 PM, Jiri Slaby wrote:
> > On 01/13/2010 09:17 PM, [email protected] wrote:
> >> The mm-of-the-moment snapshot 2010-01-13-12-17 has been uploaded to
> >
> > Hi, it crashes on my machine while booting up. It is a regression
> > against 2010-01-06-14-34. Doesn't it ring a bell by a chance?
>
> Well, memcpying to something like this:
> char *uevent_helper = CONFIG_UEVENT_HELPER_PATH;
> doesn't sound like a good idea :).
>
> And it's racy with sysctl path anyway.
>
> Looks like added by:
> sysctl-convert-hotplug-helper-string-to-proc_rcu_string.patch
>
> Andi, did you forget to change uevent_helper_store?
Jiri did you forget to Cc Andi? ;)
> > BUG: unable to handle kernel paging request at ffffffff816efe8e
> > IP: [<ffffffff811acf60>] memcpy_c+0x10/0x20
> > PGD 1807067 PUD 180b063 PMD 80000000016001e1
> > Oops: 0003 [#1] SMP
> > last sysfs file: /sys/kernel/uevent_helper
> > CPU 0
> > Pid: 957, comm: boot.udev Not tainted 2.6.33-rc4-mm1_64 #928 To be
> > filled by O.E.M./To Be Filled By O.E.M.
> > RIP: 0010:[<ffffffff811acf60>] [<ffffffff811acf60>] memcpy_c+0x10/0x20
> > RSP: 0018:ffff8801c3127e80 EFLAGS: 00010202
> > RAX: ffffffff816efe8e RBX: 0000000000000001 RCX: 0000000000000001
> > RDX: 0000000000000001 RSI: ffff8801c30b9000 RDI: ffffffff816efe8e
> > RBP: ffff8801c3127e98 R08: ffffffff81058620 R09: 00000000000c2c7e
> > R10: 0000000000000001 R11: 0000000000000246 R12: ffff8801c3127f48
> > R13: ffff8801cbc26688 R14: ffffffff81829d10 R15: ffff8801cbc903b8
> > FS: 00007fe572b106f0(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: ffffffff816efe8e CR3: 00000001c30f2000 CR4: 00000000000006f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> > Process boot.udev (pid: 957, threadinfo ffff8801c3126000, task
> > ffff8801cbcdbf90)
> > Stack:
> > ffffffff8105865f ffff8801c3127ea8 ffff8801c4a3faa0 ffff8801c3127ea8
> > <0> ffffffff811a51b7 ffff8801c3127ef8 ffffffff811224ec 0000000000000001
> > <0> ffff8801c4a3fa80 ffff8801c3127ee8 0000000000000001 00007fe572b4c000
> > Call Trace:
> > [<ffffffff8105865f>] ? uevent_helper_store+0x3f/0x80
> > [<ffffffff811a51b7>] kobj_attr_store+0x17/0x20
> > [<ffffffff811224ec>] sysfs_write_file+0x9c/0xf0
> > [<ffffffff810c9ba8>] vfs_write+0xc8/0x190
> > [<ffffffff810ca4ec>] sys_write+0x4c/0x80
> > [<ffffffff81002e6b>] system_call_fastpath+0x16/0x1b
> > Code: 00 48 3b 42 20 73 07 48 8b 50 f9 31 c0 c3 31 d2 48 c7 c0 f2 ff ff
> > ff c3 90 90 90 48 89 f8 89 d1 c1 e9 03 83 e2 07 f3 48 a5 89 d1 <f3> a4
> > c3 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 eb de f8 89 d1
> > RIP [<ffffffff811acf60>] memcpy_c+0x10/0x20
> > RSP <ffff8801c3127e80>
> > CR2: ffffffff816efe8e
> > ---[ end trace 309d1f0b04265911 ]---
>
On 01/13/2010 09:17 PM, [email protected] wrote:
> The mm-of-the-moment snapshot 2010-01-13-12-17 has been uploaded to
Hi, it crashes on my machine while booting up. It is a regression
against 2010-01-06-14-34. Doesn't it ring a bell by a chance?
BUG: unable to handle kernel paging request at ffffffff816efe8e
IP: [<ffffffff811acf60>] memcpy_c+0x10/0x20
PGD 1807067 PUD 180b063 PMD 80000000016001e1
Oops: 0003 [#1] SMP
last sysfs file: /sys/kernel/uevent_helper
CPU 0
Pid: 957, comm: boot.udev Not tainted 2.6.33-rc4-mm1_64 #928 To be
filled by O.E.M./To Be Filled By O.E.M.
RIP: 0010:[<ffffffff811acf60>] [<ffffffff811acf60>] memcpy_c+0x10/0x20
RSP: 0018:ffff8801c3127e80 EFLAGS: 00010202
RAX: ffffffff816efe8e RBX: 0000000000000001 RCX: 0000000000000001
RDX: 0000000000000001 RSI: ffff8801c30b9000 RDI: ffffffff816efe8e
RBP: ffff8801c3127e98 R08: ffffffff81058620 R09: 00000000000c2c7e
R10: 0000000000000001 R11: 0000000000000246 R12: ffff8801c3127f48
R13: ffff8801cbc26688 R14: ffffffff81829d10 R15: ffff8801cbc903b8
FS: 00007fe572b106f0(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff816efe8e CR3: 00000001c30f2000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process boot.udev (pid: 957, threadinfo ffff8801c3126000, task
ffff8801cbcdbf90)
Stack:
ffffffff8105865f ffff8801c3127ea8 ffff8801c4a3faa0 ffff8801c3127ea8
<0> ffffffff811a51b7 ffff8801c3127ef8 ffffffff811224ec 0000000000000001
<0> ffff8801c4a3fa80 ffff8801c3127ee8 0000000000000001 00007fe572b4c000
Call Trace:
[<ffffffff8105865f>] ? uevent_helper_store+0x3f/0x80
[<ffffffff811a51b7>] kobj_attr_store+0x17/0x20
[<ffffffff811224ec>] sysfs_write_file+0x9c/0xf0
[<ffffffff810c9ba8>] vfs_write+0xc8/0x190
[<ffffffff810ca4ec>] sys_write+0x4c/0x80
[<ffffffff81002e6b>] system_call_fastpath+0x16/0x1b
Code: 00 48 3b 42 20 73 07 48 8b 50 f9 31 c0 c3 31 d2 48 c7 c0 f2 ff ff
ff c3 90 90 90 48 89 f8 89 d1 c1 e9 03 83 e2 07 f3 48 a5 89 d1 <f3> a4
c3 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 eb de f8 89 d1
RIP [<ffffffff811acf60>] memcpy_c+0x10/0x20
RSP <ffff8801c3127e80>
CR2: ffffffff816efe8e
---[ end trace 309d1f0b04265911 ]---
thanks,
--
js
(fixed subject)
On 01/15/2010 08:33 PM, Jiri Slaby wrote:
> On 01/13/2010 09:17 PM, [email protected] wrote:
>> The mm-of-the-moment snapshot 2010-01-13-12-17 has been uploaded to
>
> Hi, it crashes on my machine while booting up. It is a regression
> against 2010-01-06-14-34. Doesn't it ring a bell by a chance?
Well, memcpying to something like this:
char *uevent_helper = CONFIG_UEVENT_HELPER_PATH;
doesn't sound like a good idea :).
And it's racy with sysctl path anyway.
Looks like added by:
sysctl-convert-hotplug-helper-string-to-proc_rcu_string.patch
Andi, did you forget to change uevent_helper_store?
> BUG: unable to handle kernel paging request at ffffffff816efe8e
> IP: [<ffffffff811acf60>] memcpy_c+0x10/0x20
> PGD 1807067 PUD 180b063 PMD 80000000016001e1
> Oops: 0003 [#1] SMP
> last sysfs file: /sys/kernel/uevent_helper
> CPU 0
> Pid: 957, comm: boot.udev Not tainted 2.6.33-rc4-mm1_64 #928 To be
> filled by O.E.M./To Be Filled By O.E.M.
> RIP: 0010:[<ffffffff811acf60>] [<ffffffff811acf60>] memcpy_c+0x10/0x20
> RSP: 0018:ffff8801c3127e80 EFLAGS: 00010202
> RAX: ffffffff816efe8e RBX: 0000000000000001 RCX: 0000000000000001
> RDX: 0000000000000001 RSI: ffff8801c30b9000 RDI: ffffffff816efe8e
> RBP: ffff8801c3127e98 R08: ffffffff81058620 R09: 00000000000c2c7e
> R10: 0000000000000001 R11: 0000000000000246 R12: ffff8801c3127f48
> R13: ffff8801cbc26688 R14: ffffffff81829d10 R15: ffff8801cbc903b8
> FS: 00007fe572b106f0(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffffff816efe8e CR3: 00000001c30f2000 CR4: 00000000000006f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Process boot.udev (pid: 957, threadinfo ffff8801c3126000, task
> ffff8801cbcdbf90)
> Stack:
> ffffffff8105865f ffff8801c3127ea8 ffff8801c4a3faa0 ffff8801c3127ea8
> <0> ffffffff811a51b7 ffff8801c3127ef8 ffffffff811224ec 0000000000000001
> <0> ffff8801c4a3fa80 ffff8801c3127ee8 0000000000000001 00007fe572b4c000
> Call Trace:
> [<ffffffff8105865f>] ? uevent_helper_store+0x3f/0x80
> [<ffffffff811a51b7>] kobj_attr_store+0x17/0x20
> [<ffffffff811224ec>] sysfs_write_file+0x9c/0xf0
> [<ffffffff810c9ba8>] vfs_write+0xc8/0x190
> [<ffffffff810ca4ec>] sys_write+0x4c/0x80
> [<ffffffff81002e6b>] system_call_fastpath+0x16/0x1b
> Code: 00 48 3b 42 20 73 07 48 8b 50 f9 31 c0 c3 31 d2 48 c7 c0 f2 ff ff
> ff c3 90 90 90 48 89 f8 89 d1 c1 e9 03 83 e2 07 f3 48 a5 89 d1 <f3> a4
> c3 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 eb de f8 89 d1
> RIP [<ffffffff811acf60>] memcpy_c+0x10/0x20
> RSP <ffff8801c3127e80>
> CR2: ffffffff816efe8e
> ---[ end trace 309d1f0b04265911 ]---
--
js
On 01/23/2010 12:52 AM, Andrew Morton wrote:
> On Sat, 16 Jan 2010 00:38:32 +0100
> Jiri Slaby <[email protected]> wrote:
>
>> (fixed subject)
>>
>> On 01/15/2010 08:33 PM, Jiri Slaby wrote:
>>> On 01/13/2010 09:17 PM, [email protected] wrote:
>>>> The mm-of-the-moment snapshot 2010-01-13-12-17 has been uploaded to
>>>
>>> Hi, it crashes on my machine while booting up. It is a regression
>>> against 2010-01-06-14-34. Doesn't it ring a bell by a chance?
>>
>> Well, memcpying to something like this:
>> char *uevent_helper = CONFIG_UEVENT_HELPER_PATH;
>> doesn't sound like a good idea :).
>>
>> And it's racy with sysctl path anyway.
>>
>> Looks like added by:
>> sysctl-convert-hotplug-helper-string-to-proc_rcu_string.patch
Ping Andi.
--
js
On Wed, Feb 10, 2010 at 08:54:11PM +0100, Jiri Slaby wrote:
> On 01/23/2010 12:52 AM, Andrew Morton wrote:
> > On Sat, 16 Jan 2010 00:38:32 +0100
> > Jiri Slaby <[email protected]> wrote:
> >
> >> (fixed subject)
> >>
> >> On 01/15/2010 08:33 PM, Jiri Slaby wrote:
> >>> On 01/13/2010 09:17 PM, [email protected] wrote:
> >>>> The mm-of-the-moment snapshot 2010-01-13-12-17 has been uploaded to
> >>>
> >>> Hi, it crashes on my machine while booting up. It is a regression
> >>> against 2010-01-06-14-34. Doesn't it ring a bell by a chance?
> >>
> >> Well, memcpying to something like this:
> >> char *uevent_helper = CONFIG_UEVENT_HELPER_PATH;
> >> doesn't sound like a good idea :).
> >>
> >> And it's racy with sysctl path anyway.
> >>
> >> Looks like added by:
> >> sysctl-convert-hotplug-helper-string-to-proc_rcu_string.patch
>
> Ping Andi.
Sorry, busy with other stuff right now. There was at least one
other unsolved problem in this patch series. I'll try to look
at it on the weekend.
Andrew, it's ok for me if you just drop the series for now;
I'll resubmit.
-Andi
--
[email protected] -- Speaking for myself only.
On Thu, 11 Feb 2010 21:57:45 +0100
Andi Kleen <[email protected]> wrote:
> On Wed, Feb 10, 2010 at 08:54:11PM +0100, Jiri Slaby wrote:
> > On 01/23/2010 12:52 AM, Andrew Morton wrote:
> > > On Sat, 16 Jan 2010 00:38:32 +0100
> > > Jiri Slaby <[email protected]> wrote:
> > >
> > >> (fixed subject)
> > >>
> > >> On 01/15/2010 08:33 PM, Jiri Slaby wrote:
> > >>> On 01/13/2010 09:17 PM, [email protected] wrote:
> > >>>> The mm-of-the-moment snapshot 2010-01-13-12-17 has been uploaded to
> > >>>
> > >>> Hi, it crashes on my machine while booting up. It is a regression
> > >>> against 2010-01-06-14-34. Doesn't it ring a bell by a chance?
> > >>
> > >> Well, memcpying to something like this:
> > >> char *uevent_helper = CONFIG_UEVENT_HELPER_PATH;
> > >> doesn't sound like a good idea :).
> > >>
> > >> And it's racy with sysctl path anyway.
> > >>
> > >> Looks like added by:
> > >> sysctl-convert-hotplug-helper-string-to-proc_rcu_string.patch
> >
> > Ping Andi.
>
> Sorry, busy with other stuff right now. There was at least one
> other unsolved problem in this patch series. I'll try to look
> at it on the weekend.
>
> Andrew, it's ok for me if you just drop the series for now;
> I'll resubmit.
urgh, must I? That trashes Neil's
kmod-add-init-function-to-usermodehelper.patch and
kmod-replace-call_usermodehelper_pipe-with-use-of-umh-init-function-and-resolve-limit.patch
and probably requires repairing other stuff and sets the testing status
back to "square one".
If you have patches queued, please make the time to support them!
On Thu, Feb 11, 2010 at 02:25:13PM -0800, Andrew Morton wrote:
> On Thu, 11 Feb 2010 21:57:45 +0100
> Andi Kleen <[email protected]> wrote:
>
> > On Wed, Feb 10, 2010 at 08:54:11PM +0100, Jiri Slaby wrote:
> > > On 01/23/2010 12:52 AM, Andrew Morton wrote:
> > > > On Sat, 16 Jan 2010 00:38:32 +0100
> > > > Jiri Slaby <[email protected]> wrote:
> > > >
> > > >> (fixed subject)
> > > >>
> > > >> On 01/15/2010 08:33 PM, Jiri Slaby wrote:
> > > >>> On 01/13/2010 09:17 PM, [email protected] wrote:
> > > >>>> The mm-of-the-moment snapshot 2010-01-13-12-17 has been uploaded to
> > > >>>
> > > >>> Hi, it crashes on my machine while booting up. It is a regression
> > > >>> against 2010-01-06-14-34. Doesn't it ring a bell by a chance?
> > > >>
> > > >> Well, memcpying to something like this:
> > > >> char *uevent_helper = CONFIG_UEVENT_HELPER_PATH;
> > > >> doesn't sound like a good idea :).
> > > >>
> > > >> And it's racy with sysctl path anyway.
> > > >>
> > > >> Looks like added by:
> > > >> sysctl-convert-hotplug-helper-string-to-proc_rcu_string.patch
> > >
> > > Ping Andi.
> >
> > Sorry, busy with other stuff right now. There was at least one
> > other unsolved problem in this patch series. I'll try to look
> > at it on the weekend.
> >
> > Andrew, it's ok for me if you just drop the series for now;
> > I'll resubmit.
>
> urgh, must I? That trashes Neil's
> kmod-add-init-function-to-usermodehelper.patch and
> kmod-replace-call_usermodehelper_pipe-with-use-of-umh-init-function-and-resolve-limit.patch
> and probably requires repairing other stuff and sets the testing status
> back to "square one".
>
> If you have patches queued, please make the time to support them!
>
>
>
Andrew, I'll take a closer look at it first thing in the morning. If we can at
all help it, I'd really like to avoid dropping the whole series. I'll let you
know just as soon as I have something.
Neil
On Thu, 11 Feb 2010 21:39:34 -0500 Neil Horman <[email protected]> wrote:
> Andrew, I'll take a closer look at it first thing in the morning. If we can at
> all help it, I'd really like to avoid dropping the whole series. I'll let you
> know just as soon as I have something.
Thanks.
If it isn't obvious then I suggest you give up - we're at -rc7 and it's
getting pretty late for these patches. We'll soon need to shelve them
and respin yours against mainline.
> urgh, must I? That trashes Neil's
> kmod-add-init-function-to-usermodehelper.patch and
> kmod-replace-call_usermodehelper_pipe-with-use-of-umh-init-function-and-resolve-limit.patch
> and probably requires repairing other stuff and sets the testing status
> back to "square one".
>
> If you have patches queued, please make the time to support them!
Ok, understood. I'll try to look into it today. You want incrementals?
-Andi
--
[email protected] -- Speaking for myself only.
On Fri, 12 Feb 2010 06:21:26 +0100 Andi Kleen <[email protected]> wrote:
> > urgh, must I? That trashes Neil's
> > kmod-add-init-function-to-usermodehelper.patch and
> > kmod-replace-call_usermodehelper_pipe-with-use-of-umh-init-function-and-resolve-limit.patch
> > and probably requires repairing other stuff and sets the testing status
> > back to "square one".
> >
> > If you have patches queued, please make the time to support them!
>
> Ok, understood. I'll try to look into it today.
Ta. As I mentioned to Neil, if it looks serious then let's shelve it
all and revisit for 2.6.35.
> You want incrementals?
If convenient, please. Otherwise we can drop--and-remerge.
On Thu, Feb 11, 2010 at 09:27:08PM -0800, Andrew Morton wrote:
> On Fri, 12 Feb 2010 06:21:26 +0100 Andi Kleen <[email protected]> wrote:
>
> > > urgh, must I? That trashes Neil's
> > > kmod-add-init-function-to-usermodehelper.patch and
> > > kmod-replace-call_usermodehelper_pipe-with-use-of-umh-init-function-and-resolve-limit.patch
> > > and probably requires repairing other stuff and sets the testing status
> > > back to "square one".
> > >
> > > If you have patches queued, please make the time to support them!
> >
> > Ok, understood. I'll try to look into it today.
>
> Ta. As I mentioned to Neil, if it looks serious then let's shelve it
> all and revisit for 2.6.35.
>
> > You want incrementals?
>
> If convenient, please. Otherwise we can drop--and-remerge.
>
>
Ok, this fixes the oops Jiri reported for me. Its been tested by me, but only
minimally, and my rcu-foo is not the greatest, so through reviews appreciated.
The patch is incremental against the latest mmotm as of this AM.
Thanks!
Neil
Fix up remaining references to uevent_helper to play nice with Andi's
uevent_helper/rcu changes.
Some changes were made recently which modified uevent_helper to be an rcu
protected pointer, rather than a static char array. This has led to a few
missed points in which the sysfs path still assumed that:
1) the uevent_helper symbol could still be accessed safely without
rcu_dereference
2) that the sysfs path could copy data to that pointer safely.
I've fixed this by chaging the sysfs path so that it duplicates the string on
uevent_helper_store, and freeing it (only if it doesn't point to the
CONFIG_DEFAULT_UEVENT_HELPER string), in a call_rcu post-quiescent point. I've
also fixed up the remaining references to the uevent_helper pointers to use
rcu_dereference.
Signed-off-by: Neil Horman <[email protected]>
kernel/ksysfs.c | 38 ++++++++++++++++++++++++++++++++++++--
lib/kobject_uevent.c | 4 +++-
2 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/kernel/ksysfs.c b/kernel/ksysfs.c
index 21fe3c4..66d1e5b 100644
--- a/kernel/ksysfs.c
+++ b/kernel/ksysfs.c
@@ -37,19 +37,53 @@ KERNEL_ATTR_RO(uevent_seqnum);
static ssize_t uevent_helper_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
- return sprintf(buf, "%s\n", uevent_helper);
+ return sprintf(buf, "%s\n", rcu_dereference(uevent_helper));
}
+
+struct uevent_helper_rcu {
+ char *oldptr;
+ struct rcu_head rcu;
+};
+
+static void free_old_uevent_ptr(struct rcu_head *list)
+{
+ struct uevent_helper_rcu *ptr;
+ char *dfl = CONFIG_UEVENT_HELPER_PATH;
+ ptr = container_of(list, struct uevent_helper_rcu, rcu);
+ if (ptr->oldptr && (ptr->oldptr != dfl))
+ kfree(ptr->oldptr);
+
+ kfree(ptr);
+}
+
static ssize_t uevent_helper_store(struct kobject *kobj,
struct kobj_attribute *attr,
const char *buf, size_t count)
{
+ char *kbuf;
+ struct uevent_helper_rcu *old;
+
if (count+1 > UEVENT_HELPER_PATH_LEN)
return -ENOENT;
- memcpy(uevent_helper, buf, count);
+ kbuf = kstrndup(buf, UEVENT_HELPER_PATH_LEN, GFP_KERNEL);
+ if (!kbuf)
+ return -ENOMEM;
uevent_helper[count] = '\0';
if (count && uevent_helper[count-1] == '\n')
uevent_helper[count-1] = '\0';
+ old = kmalloc(sizeof(struct uevent_helper_rcu), GFP_KERNEL);
+ if (!old)
+ goto out_free;
+
+ old->oldptr = rcu_dereference(uevent_helper);
+ rcu_assign_pointer(uevent_helper, kbuf);
+ call_rcu(&old->rcu, free_old_uevent_ptr);
+
return count;
+
+out_free:
+ kfree(kbuf);
+ return -ENOMEM;
}
KERNEL_ATTR_RW(uevent_helper);
#endif
diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c
index c2383f3..211f846 100644
--- a/lib/kobject_uevent.c
+++ b/lib/kobject_uevent.c
@@ -126,6 +126,7 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
struct kset *kset;
const struct kset_uevent_ops *uevent_ops;
u64 seq;
+ const char *helper;
int i = 0;
int retval = 0;
@@ -272,7 +273,8 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
#endif
/* call uevent_helper, usually only enabled during early boot */
- if (uevent_helper[0])
+ helper = rcu_dereference(uevent_helper);
+ if (helper[0])
retval = uevent_call_helper(subsystem, env);
exit:
On 02/12/2010 06:06 PM, Neil Horman wrote:
> Fix up remaining references to uevent_helper to play nice with Andi's
> uevent_helper/rcu changes.
>
> Some changes were made recently which modified uevent_helper to be an rcu
> protected pointer, rather than a static char array. This has led to a few
> missed points in which the sysfs path still assumed that:
> 1) the uevent_helper symbol could still be accessed safely without
> rcu_dereference
> 2) that the sysfs path could copy data to that pointer safely.
>
> I've fixed this by chaging the sysfs path so that it duplicates the string on
> uevent_helper_store, and freeing it (only if it doesn't point to the
> CONFIG_DEFAULT_UEVENT_HELPER string), in a call_rcu post-quiescent point. I've
> also fixed up the remaining references to the uevent_helper pointers to use
> rcu_dereference.
>
> Signed-off-by: Neil Horman <[email protected]>
Tested-by: Jiri Slaby <[email protected]>
--
js
On Sun, Feb 14, 2010 at 06:32:20PM +0100, Jiri Slaby wrote:
> On 02/12/2010 06:06 PM, Neil Horman wrote:
> > Fix up remaining references to uevent_helper to play nice with Andi's
> > uevent_helper/rcu changes.
> >
> > Some changes were made recently which modified uevent_helper to be an rcu
> > protected pointer, rather than a static char array. This has led to a few
> > missed points in which the sysfs path still assumed that:
> > 1) the uevent_helper symbol could still be accessed safely without
> > rcu_dereference
> > 2) that the sysfs path could copy data to that pointer safely.
> >
> > I've fixed this by chaging the sysfs path so that it duplicates the string on
> > uevent_helper_store, and freeing it (only if it doesn't point to the
> > CONFIG_DEFAULT_UEVENT_HELPER string), in a call_rcu post-quiescent point. I've
> > also fixed up the remaining references to the uevent_helper pointers to use
> > rcu_dereference.
> >
> > Signed-off-by: Neil Horman <[email protected]>
>
> Tested-by: Jiri Slaby <[email protected]>
>
Thanks Jiri!
Neil
> --
> js
>
On Fri, Feb 12, 2010 at 12:06:24PM -0500, Neil Horman wrote:
> On Thu, Feb 11, 2010 at 09:27:08PM -0800, Andrew Morton wrote:
> > On Fri, 12 Feb 2010 06:21:26 +0100 Andi Kleen <[email protected]> wrote:
> >
> > > > urgh, must I? That trashes Neil's
> > > > kmod-add-init-function-to-usermodehelper.patch and
> > > > kmod-replace-call_usermodehelper_pipe-with-use-of-umh-init-function-and-resolve-limit.patch
> > > > and probably requires repairing other stuff and sets the testing status
> > > > back to "square one".
> > > >
> > > > If you have patches queued, please make the time to support them!
> > >
> > > Ok, understood. I'll try to look into it today.
> >
> > Ta. As I mentioned to Neil, if it looks serious then let's shelve it
> > all and revisit for 2.6.35.
> >
> > > You want incrementals?
> >
> > If convenient, please. Otherwise we can drop--and-remerge.
> >
> >
>
>
> Ok, this fixes the oops Jiri reported for me. Its been tested by me, but only
> minimally, and my rcu-foo is not the greatest, so through reviews appreciated.
> The patch is incremental against the latest mmotm as of this AM.
A few questions interspersed below...
Thanx, Paul
> Thanks!
> Neil
>
>
> Fix up remaining references to uevent_helper to play nice with Andi's
> uevent_helper/rcu changes.
>
> Some changes were made recently which modified uevent_helper to be an rcu
> protected pointer, rather than a static char array. This has led to a few
> missed points in which the sysfs path still assumed that:
> 1) the uevent_helper symbol could still be accessed safely without
> rcu_dereference
> 2) that the sysfs path could copy data to that pointer safely.
>
> I've fixed this by chaging the sysfs path so that it duplicates the string on
> uevent_helper_store, and freeing it (only if it doesn't point to the
> CONFIG_DEFAULT_UEVENT_HELPER string), in a call_rcu post-quiescent point. I've
> also fixed up the remaining references to the uevent_helper pointers to use
> rcu_dereference.
>
> Signed-off-by: Neil Horman <[email protected]>
>
>
> kernel/ksysfs.c | 38 ++++++++++++++++++++++++++++++++++++--
> lib/kobject_uevent.c | 4 +++-
> 2 files changed, 39 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/ksysfs.c b/kernel/ksysfs.c
> index 21fe3c4..66d1e5b 100644
> --- a/kernel/ksysfs.c
> +++ b/kernel/ksysfs.c
> @@ -37,19 +37,53 @@ KERNEL_ATTR_RO(uevent_seqnum);
> static ssize_t uevent_helper_show(struct kobject *kobj,
> struct kobj_attribute *attr, char *buf)
> {
> - return sprintf(buf, "%s\n", uevent_helper);
> + return sprintf(buf, "%s\n", rcu_dereference(uevent_helper));
> }
> +
> +struct uevent_helper_rcu {
> + char *oldptr;
> + struct rcu_head rcu;
> +};
> +
> +static void free_old_uevent_ptr(struct rcu_head *list)
> +{
> + struct uevent_helper_rcu *ptr;
> + char *dfl = CONFIG_UEVENT_HELPER_PATH;
Given that you kfree() something that might be equal to dfl, I am
hoping that the CONFIG_UEVENT_HELPER_PATH macro expands to something
that kfree() can do something with...
Or did you mean to put a "return;" in the then-clause of the "if"
statement below?
> + ptr = container_of(list, struct uevent_helper_rcu, rcu);
> + if (ptr->oldptr && (ptr->oldptr != dfl))
> + kfree(ptr->oldptr);
> +
> + kfree(ptr);
> +}
> +
> static ssize_t uevent_helper_store(struct kobject *kobj,
> struct kobj_attribute *attr,
> const char *buf, size_t count)
> {
> + char *kbuf;
> + struct uevent_helper_rcu *old;
> +
> if (count+1 > UEVENT_HELPER_PATH_LEN)
> return -ENOENT;
> - memcpy(uevent_helper, buf, count);
> + kbuf = kstrndup(buf, UEVENT_HELPER_PATH_LEN, GFP_KERNEL);
> + if (!kbuf)
> + return -ENOMEM;
> uevent_helper[count] = '\0';
> if (count && uevent_helper[count-1] == '\n')
> uevent_helper[count-1] = '\0';
> + old = kmalloc(sizeof(struct uevent_helper_rcu), GFP_KERNEL);
> + if (!old)
> + goto out_free;
> +
> + old->oldptr = rcu_dereference(uevent_helper);
> + rcu_assign_pointer(uevent_helper, kbuf);
Some lock protects this? Or does something else prevent multiple
instances of uevent_helper_store() from executing concurrently?
> + call_rcu(&old->rcu, free_old_uevent_ptr);
> +
> return count;
> +
> +out_free:
> + kfree(kbuf);
> + return -ENOMEM;
> }
> KERNEL_ATTR_RW(uevent_helper);
> #endif
> diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c
> index c2383f3..211f846 100644
> --- a/lib/kobject_uevent.c
> +++ b/lib/kobject_uevent.c
> @@ -126,6 +126,7 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
> struct kset *kset;
> const struct kset_uevent_ops *uevent_ops;
> u64 seq;
> + const char *helper;
> int i = 0;
> int retval = 0;
>
> @@ -272,7 +273,8 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
> #endif
>
> /* call uevent_helper, usually only enabled during early boot */
> - if (uevent_helper[0])
> + helper = rcu_dereference(uevent_helper);
This is protected by a pre-existing rcu_read_lock() somewhere?
If not, an rcu_read_lock() / rcu_read_unlock() pair is needed that
covers both the rcu_dereference() and any subsequent dereferences of the
pointer returned by rcu_dereference().
> + if (helper[0])
> retval = uevent_call_helper(subsystem, env);
>
> exit:
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
On Mon, Feb 15, 2010 at 12:12:33PM -0800, Paul E. McKenney wrote:
> On Fri, Feb 12, 2010 at 12:06:24PM -0500, Neil Horman wrote:
> > On Thu, Feb 11, 2010 at 09:27:08PM -0800, Andrew Morton wrote:
> > > On Fri, 12 Feb 2010 06:21:26 +0100 Andi Kleen <[email protected]> wrote:
> > >
> > > > > urgh, must I? That trashes Neil's
> > > > > kmod-add-init-function-to-usermodehelper.patch and
> > > > > kmod-replace-call_usermodehelper_pipe-with-use-of-umh-init-function-and-resolve-limit.patch
> > > > > and probably requires repairing other stuff and sets the testing status
> > > > > back to "square one".
> > > > >
> > > > > If you have patches queued, please make the time to support them!
> > > >
> > > > Ok, understood. I'll try to look into it today.
> > >
> > > Ta. As I mentioned to Neil, if it looks serious then let's shelve it
> > > all and revisit for 2.6.35.
> > >
> > > > You want incrementals?
> > >
> > > If convenient, please. Otherwise we can drop--and-remerge.
> > >
> > >
> >
> >
> > Ok, this fixes the oops Jiri reported for me. Its been tested by me, but only
> > minimally, and my rcu-foo is not the greatest, so through reviews appreciated.
> > The patch is incremental against the latest mmotm as of this AM.
>
> A few questions interspersed below...
>
> Thanx, Paul
>
> > Thanks!
> > Neil
> >
> >
> > Fix up remaining references to uevent_helper to play nice with Andi's
> > uevent_helper/rcu changes.
> >
> > Some changes were made recently which modified uevent_helper to be an rcu
> > protected pointer, rather than a static char array. This has led to a few
> > missed points in which the sysfs path still assumed that:
> > 1) the uevent_helper symbol could still be accessed safely without
> > rcu_dereference
> > 2) that the sysfs path could copy data to that pointer safely.
> >
> > I've fixed this by chaging the sysfs path so that it duplicates the string on
> > uevent_helper_store, and freeing it (only if it doesn't point to the
> > CONFIG_DEFAULT_UEVENT_HELPER string), in a call_rcu post-quiescent point. I've
> > also fixed up the remaining references to the uevent_helper pointers to use
> > rcu_dereference.
> >
> > Signed-off-by: Neil Horman <[email protected]>
> >
> >
> > kernel/ksysfs.c | 38 ++++++++++++++++++++++++++++++++++++--
> > lib/kobject_uevent.c | 4 +++-
> > 2 files changed, 39 insertions(+), 3 deletions(-)
> >
> > diff --git a/kernel/ksysfs.c b/kernel/ksysfs.c
> > index 21fe3c4..66d1e5b 100644
> > --- a/kernel/ksysfs.c
> > +++ b/kernel/ksysfs.c
> > @@ -37,19 +37,53 @@ KERNEL_ATTR_RO(uevent_seqnum);
> > static ssize_t uevent_helper_show(struct kobject *kobj,
> > struct kobj_attribute *attr, char *buf)
> > {
> > - return sprintf(buf, "%s\n", uevent_helper);
> > + return sprintf(buf, "%s\n", rcu_dereference(uevent_helper));
> > }
> > +
> > +struct uevent_helper_rcu {
> > + char *oldptr;
> > + struct rcu_head rcu;
> > +};
> > +
> > +static void free_old_uevent_ptr(struct rcu_head *list)
> > +{
> > + struct uevent_helper_rcu *ptr;
> > + char *dfl = CONFIG_UEVENT_HELPER_PATH;
>
> Given that you kfree() something that might be equal to dfl, I am
> hoping that the CONFIG_UEVENT_HELPER_PATH macro expands to something
> that kfree() can do something with...
>
> Or did you mean to put a "return;" in the then-clause of the "if"
> statement below?
>
No, I meant what I have. CONFIG_UEVENT_HELPER_PATH expands to a string. if the
old pointer is not NULL, and doesn't point to the default string (we don't want
to free something in the string table), then we kfree it, since it must have
been allocated in uevent_helper_store
> > + ptr = container_of(list, struct uevent_helper_rcu, rcu);
> > + if (ptr->oldptr && (ptr->oldptr != dfl))
> > + kfree(ptr->oldptr);
> > +
> > + kfree(ptr);
> > +}
> > +
> > static ssize_t uevent_helper_store(struct kobject *kobj,
> > struct kobj_attribute *attr,
> > const char *buf, size_t count)
> > {
> > + char *kbuf;
> > + struct uevent_helper_rcu *old;
> > +
> > if (count+1 > UEVENT_HELPER_PATH_LEN)
> > return -ENOENT;
> > - memcpy(uevent_helper, buf, count);
> > + kbuf = kstrndup(buf, UEVENT_HELPER_PATH_LEN, GFP_KERNEL);
> > + if (!kbuf)
> > + return -ENOMEM;
> > uevent_helper[count] = '\0';
> > if (count && uevent_helper[count-1] == '\n')
> > uevent_helper[count-1] = '\0';
> > + old = kmalloc(sizeof(struct uevent_helper_rcu), GFP_KERNEL);
> > + if (!old)
> > + goto out_free;
> > +
> > + old->oldptr = rcu_dereference(uevent_helper);
> > + rcu_assign_pointer(uevent_helper, kbuf);
>
> Some lock protects this? Or does something else prevent multiple
> instances of uevent_helper_store() from executing concurrently?
>
I had thought that there was a per-file sysfs lock that protected this, but I
wasn't sure. Regardless, I would have thought this was safe, since
rcu_assign_pointer was serialized by rcu quiescence. Am I mistaken?
> > + call_rcu(&old->rcu, free_old_uevent_ptr);
> > +
> > return count;
> > +
> > +out_free:
> > + kfree(kbuf);
> > + return -ENOMEM;
> > }
> > KERNEL_ATTR_RW(uevent_helper);
> > #endif
> > diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c
> > index c2383f3..211f846 100644
> > --- a/lib/kobject_uevent.c
> > +++ b/lib/kobject_uevent.c
> > @@ -126,6 +126,7 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
> > struct kset *kset;
> > const struct kset_uevent_ops *uevent_ops;
> > u64 seq;
> > + const char *helper;
> > int i = 0;
> > int retval = 0;
> >
> > @@ -272,7 +273,8 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
> > #endif
> >
> > /* call uevent_helper, usually only enabled during early boot */
> > - if (uevent_helper[0])
> > + helper = rcu_dereference(uevent_helper);
>
> This is protected by a pre-existing rcu_read_lock() somewhere?
>
Does rcu_dereference not start a quiescence point the same way rcu_read_lock
does? AS I said, rcu isn't my strong suit :)
Neil
> If not, an rcu_read_lock() / rcu_read_unlock() pair is needed that
> covers both the rcu_dereference() and any subsequent dereferences of the
> pointer returned by rcu_dereference().
>
> > + if (helper[0])
> > retval = uevent_call_helper(subsystem, env);
> >
> > exit:
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > the body of a message to [email protected]
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at http://www.tux.org/lkml/
>
On Mon, Feb 15, 2010 at 04:42:52PM -0500, Neil Horman wrote:
> On Mon, Feb 15, 2010 at 12:12:33PM -0800, Paul E. McKenney wrote:
> > On Fri, Feb 12, 2010 at 12:06:24PM -0500, Neil Horman wrote:
> > > On Thu, Feb 11, 2010 at 09:27:08PM -0800, Andrew Morton wrote:
> > > > On Fri, 12 Feb 2010 06:21:26 +0100 Andi Kleen <[email protected]> wrote:
> > > >
> > > > > > urgh, must I? That trashes Neil's
> > > > > > kmod-add-init-function-to-usermodehelper.patch and
> > > > > > kmod-replace-call_usermodehelper_pipe-with-use-of-umh-init-function-and-resolve-limit.patch
> > > > > > and probably requires repairing other stuff and sets the testing status
> > > > > > back to "square one".
> > > > > >
> > > > > > If you have patches queued, please make the time to support them!
> > > > >
> > > > > Ok, understood. I'll try to look into it today.
> > > >
> > > > Ta. As I mentioned to Neil, if it looks serious then let's shelve it
> > > > all and revisit for 2.6.35.
> > > >
> > > > > You want incrementals?
> > > >
> > > > If convenient, please. Otherwise we can drop--and-remerge.
> > > >
> > > >
> > >
> > >
> > > Ok, this fixes the oops Jiri reported for me. Its been tested by me, but only
> > > minimally, and my rcu-foo is not the greatest, so through reviews appreciated.
> > > The patch is incremental against the latest mmotm as of this AM.
> >
> > A few questions interspersed below...
> >
> > Thanx, Paul
> >
> > > Thanks!
> > > Neil
> > >
> > >
> > > Fix up remaining references to uevent_helper to play nice with Andi's
> > > uevent_helper/rcu changes.
> > >
> > > Some changes were made recently which modified uevent_helper to be an rcu
> > > protected pointer, rather than a static char array. This has led to a few
> > > missed points in which the sysfs path still assumed that:
> > > 1) the uevent_helper symbol could still be accessed safely without
> > > rcu_dereference
> > > 2) that the sysfs path could copy data to that pointer safely.
> > >
> > > I've fixed this by chaging the sysfs path so that it duplicates the string on
> > > uevent_helper_store, and freeing it (only if it doesn't point to the
> > > CONFIG_DEFAULT_UEVENT_HELPER string), in a call_rcu post-quiescent point. I've
> > > also fixed up the remaining references to the uevent_helper pointers to use
> > > rcu_dereference.
> > >
> > > Signed-off-by: Neil Horman <[email protected]>
> > >
> > >
> > > kernel/ksysfs.c | 38 ++++++++++++++++++++++++++++++++++++--
> > > lib/kobject_uevent.c | 4 +++-
> > > 2 files changed, 39 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/kernel/ksysfs.c b/kernel/ksysfs.c
> > > index 21fe3c4..66d1e5b 100644
> > > --- a/kernel/ksysfs.c
> > > +++ b/kernel/ksysfs.c
> > > @@ -37,19 +37,53 @@ KERNEL_ATTR_RO(uevent_seqnum);
> > > static ssize_t uevent_helper_show(struct kobject *kobj,
> > > struct kobj_attribute *attr, char *buf)
> > > {
> > > - return sprintf(buf, "%s\n", uevent_helper);
> > > + return sprintf(buf, "%s\n", rcu_dereference(uevent_helper));
> > > }
> > > +
> > > +struct uevent_helper_rcu {
> > > + char *oldptr;
> > > + struct rcu_head rcu;
> > > +};
> > > +
> > > +static void free_old_uevent_ptr(struct rcu_head *list)
> > > +{
> > > + struct uevent_helper_rcu *ptr;
> > > + char *dfl = CONFIG_UEVENT_HELPER_PATH;
> >
> > Given that you kfree() something that might be equal to dfl, I am
> > hoping that the CONFIG_UEVENT_HELPER_PATH macro expands to something
> > that kfree() can do something with...
> >
> > Or did you mean to put a "return;" in the then-clause of the "if"
> > statement below?
> >
> No, I meant what I have. CONFIG_UEVENT_HELPER_PATH expands to a string. if the
> old pointer is not NULL, and doesn't point to the default string (we don't want
> to free something in the string table), then we kfree it, since it must have
> been allocated in uevent_helper_store
Got it, thank you! I confused ptr->oldptr with ptr. :-(
> > > + ptr = container_of(list, struct uevent_helper_rcu, rcu);
> > > + if (ptr->oldptr && (ptr->oldptr != dfl))
> > > + kfree(ptr->oldptr);
> > > +
> > > + kfree(ptr);
> > > +}
> > > +
> > > static ssize_t uevent_helper_store(struct kobject *kobj,
> > > struct kobj_attribute *attr,
> > > const char *buf, size_t count)
> > > {
> > > + char *kbuf;
> > > + struct uevent_helper_rcu *old;
> > > +
> > > if (count+1 > UEVENT_HELPER_PATH_LEN)
> > > return -ENOENT;
> > > - memcpy(uevent_helper, buf, count);
> > > + kbuf = kstrndup(buf, UEVENT_HELPER_PATH_LEN, GFP_KERNEL);
> > > + if (!kbuf)
> > > + return -ENOMEM;
> > > uevent_helper[count] = '\0';
> > > if (count && uevent_helper[count-1] == '\n')
> > > uevent_helper[count-1] = '\0';
> > > + old = kmalloc(sizeof(struct uevent_helper_rcu), GFP_KERNEL);
> > > + if (!old)
> > > + goto out_free;
> > > +
> > > + old->oldptr = rcu_dereference(uevent_helper);
> > > + rcu_assign_pointer(uevent_helper, kbuf);
> >
> > Some lock protects this? Or does something else prevent multiple
> > instances of uevent_helper_store() from executing concurrently?
> >
> I had thought that there was a per-file sysfs lock that protected this, but I
> wasn't sure. Regardless, I would have thought this was safe, since
> rcu_assign_pointer was serialized by rcu quiescence. Am I mistaken?
Indeed you are -- rcu_assign_pointer() coordinates with any concurrent
rcu_dereference() invocations, but does nothing to protect against other
concurrent rcu_assign_pointer() invocations. So you should have something
coordinating the update, be it a lock or whatever.
> > > + call_rcu(&old->rcu, free_old_uevent_ptr);
> > > +
> > > return count;
> > > +
> > > +out_free:
> > > + kfree(kbuf);
> > > + return -ENOMEM;
> > > }
> > > KERNEL_ATTR_RW(uevent_helper);
> > > #endif
> > > diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c
> > > index c2383f3..211f846 100644
> > > --- a/lib/kobject_uevent.c
> > > +++ b/lib/kobject_uevent.c
> > > @@ -126,6 +126,7 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
> > > struct kset *kset;
> > > const struct kset_uevent_ops *uevent_ops;
> > > u64 seq;
> > > + const char *helper;
> > > int i = 0;
> > > int retval = 0;
> > >
> > > @@ -272,7 +273,8 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
> > > #endif
> > >
> > > /* call uevent_helper, usually only enabled during early boot */
> > > - if (uevent_helper[0])
> > > + helper = rcu_dereference(uevent_helper);
> >
> > This is protected by a pre-existing rcu_read_lock() somewhere?
> >
> Does rcu_dereference not start a quiescence point the same way rcu_read_lock
> does? AS I said, rcu isn't my strong suit :)
What rcu_dereference() does is coordinate with any concurrent
rcu_assign_pointer() calls to the same pointer. If you (incorrectly)
replace the rcu_dereference() and rcu_assign_pointer() calls with
simple assignments, then the helper[0] below might see the garbage
values that were in place before the initialization that preceded the
rcu_assign_pointer().
The rcu_read_lock() and rcu_read_unlock() prevent an RCU grace period both
starting and ending during the enclosed RCU read-side critical section.
A pre-existing RCU grace period might end during this critical section,
or a new RCU grace period might start during this critical section, but
any RCU grace period that starts during a given RCU read-side critical
section is not permitted to end until after that RCU read-side critical
section ends.
So the interaction between rcu_read_lock()/rcu_read_unlock on the one
hand and synchronize_rcu() and call_rcu() on the other hand is what
guarantees that any RCU-protect data structure referenced within an
RCU read-side critical section will remain in existence throughout the
remainder of that RCU read-side critical section.
This arrangement might seem a bit strange at first, but it is what
gives RCU its read-side performance, scalability, and deadlock immunity.
For more detail, please take a look at:
http://lwn.net/Articles/262464/ (What is RCU, Fundamentally?)
http://lwn.net/Articles/263130/ (What is RCU's Usage?)
http://lwn.net/Articles/264090/ (What is RCU's API?)
Thanx, Paul
> Neil
>
> > If not, an rcu_read_lock() / rcu_read_unlock() pair is needed that
> > covers both the rcu_dereference() and any subsequent dereferences of the
> > pointer returned by rcu_dereference().
> >
> > > + if (helper[0])
> > > retval = uevent_call_helper(subsystem, env);
> > >
> > > exit:
> > > --
> > > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > > the body of a message to [email protected]
> > > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > > Please read the FAQ at http://www.tux.org/lkml/
> >
On Mon, Feb 15, 2010 at 02:16:07PM -0800, Paul E. McKenney wrote:
> On Mon, Feb 15, 2010 at 04:42:52PM -0500, Neil Horman wrote:
> > On Mon, Feb 15, 2010 at 12:12:33PM -0800, Paul E. McKenney wrote:
> > > On Fri, Feb 12, 2010 at 12:06:24PM -0500, Neil Horman wrote:
> > > > On Thu, Feb 11, 2010 at 09:27:08PM -0800, Andrew Morton wrote:
> > > > > On Fri, 12 Feb 2010 06:21:26 +0100 Andi Kleen <[email protected]> wrote:
> > > > >
> > > > > > > urgh, must I? That trashes Neil's
> > > > > > > kmod-add-init-function-to-usermodehelper.patch and
> > > > > > > kmod-replace-call_usermodehelper_pipe-with-use-of-umh-init-function-and-resolve-limit.patch
> > > > > > > and probably requires repairing other stuff and sets the testing status
> > > > > > > back to "square one".
> > > > > > >
> > > > > > > If you have patches queued, please make the time to support them!
> > > > > >
> > > > > > Ok, understood. I'll try to look into it today.
> > > > >
> > > > > Ta. As I mentioned to Neil, if it looks serious then let's shelve it
> > > > > all and revisit for 2.6.35.
> > > > >
> > > > > > You want incrementals?
> > > > >
> > > > > If convenient, please. Otherwise we can drop--and-remerge.
> > > > >
> > > > >
> > > >
> > > >
> > > > Ok, this fixes the oops Jiri reported for me. Its been tested by me, but only
> > > > minimally, and my rcu-foo is not the greatest, so through reviews appreciated.
> > > > The patch is incremental against the latest mmotm as of this AM.
> > >
> > > A few questions interspersed below...
> > >
> > > Thanx, Paul
> > >
> > > > Thanks!
> > > > Neil
> > > >
> > > >
> > > > Fix up remaining references to uevent_helper to play nice with Andi's
> > > > uevent_helper/rcu changes.
> > > >
> > > > Some changes were made recently which modified uevent_helper to be an rcu
> > > > protected pointer, rather than a static char array. This has led to a few
> > > > missed points in which the sysfs path still assumed that:
> > > > 1) the uevent_helper symbol could still be accessed safely without
> > > > rcu_dereference
> > > > 2) that the sysfs path could copy data to that pointer safely.
> > > >
> > > > I've fixed this by chaging the sysfs path so that it duplicates the string on
> > > > uevent_helper_store, and freeing it (only if it doesn't point to the
> > > > CONFIG_DEFAULT_UEVENT_HELPER string), in a call_rcu post-quiescent point. I've
> > > > also fixed up the remaining references to the uevent_helper pointers to use
> > > > rcu_dereference.
> > > >
> > > > Signed-off-by: Neil Horman <[email protected]>
> > > >
> > > >
> > > > kernel/ksysfs.c | 38 ++++++++++++++++++++++++++++++++++++--
> > > > lib/kobject_uevent.c | 4 +++-
> > > > 2 files changed, 39 insertions(+), 3 deletions(-)
> > > >
> > > > diff --git a/kernel/ksysfs.c b/kernel/ksysfs.c
> > > > index 21fe3c4..66d1e5b 100644
> > > > --- a/kernel/ksysfs.c
> > > > +++ b/kernel/ksysfs.c
> > > > @@ -37,19 +37,53 @@ KERNEL_ATTR_RO(uevent_seqnum);
> > > > static ssize_t uevent_helper_show(struct kobject *kobj,
> > > > struct kobj_attribute *attr, char *buf)
> > > > {
> > > > - return sprintf(buf, "%s\n", uevent_helper);
> > > > + return sprintf(buf, "%s\n", rcu_dereference(uevent_helper));
> > > > }
> > > > +
> > > > +struct uevent_helper_rcu {
> > > > + char *oldptr;
> > > > + struct rcu_head rcu;
> > > > +};
> > > > +
> > > > +static void free_old_uevent_ptr(struct rcu_head *list)
> > > > +{
> > > > + struct uevent_helper_rcu *ptr;
> > > > + char *dfl = CONFIG_UEVENT_HELPER_PATH;
> > >
> > > Given that you kfree() something that might be equal to dfl, I am
> > > hoping that the CONFIG_UEVENT_HELPER_PATH macro expands to something
> > > that kfree() can do something with...
> > >
> > > Or did you mean to put a "return;" in the then-clause of the "if"
> > > statement below?
> > >
> > No, I meant what I have. CONFIG_UEVENT_HELPER_PATH expands to a string. if the
> > old pointer is not NULL, and doesn't point to the default string (we don't want
> > to free something in the string table), then we kfree it, since it must have
> > been allocated in uevent_helper_store
>
> Got it, thank you! I confused ptr->oldptr with ptr. :-(
>
> > > > + ptr = container_of(list, struct uevent_helper_rcu, rcu);
> > > > + if (ptr->oldptr && (ptr->oldptr != dfl))
> > > > + kfree(ptr->oldptr);
> > > > +
> > > > + kfree(ptr);
> > > > +}
> > > > +
> > > > static ssize_t uevent_helper_store(struct kobject *kobj,
> > > > struct kobj_attribute *attr,
> > > > const char *buf, size_t count)
> > > > {
> > > > + char *kbuf;
> > > > + struct uevent_helper_rcu *old;
> > > > +
> > > > if (count+1 > UEVENT_HELPER_PATH_LEN)
> > > > return -ENOENT;
> > > > - memcpy(uevent_helper, buf, count);
> > > > + kbuf = kstrndup(buf, UEVENT_HELPER_PATH_LEN, GFP_KERNEL);
> > > > + if (!kbuf)
> > > > + return -ENOMEM;
> > > > uevent_helper[count] = '\0';
> > > > if (count && uevent_helper[count-1] == '\n')
> > > > uevent_helper[count-1] = '\0';
> > > > + old = kmalloc(sizeof(struct uevent_helper_rcu), GFP_KERNEL);
> > > > + if (!old)
> > > > + goto out_free;
> > > > +
> > > > + old->oldptr = rcu_dereference(uevent_helper);
> > > > + rcu_assign_pointer(uevent_helper, kbuf);
> > >
> > > Some lock protects this? Or does something else prevent multiple
> > > instances of uevent_helper_store() from executing concurrently?
> > >
> > I had thought that there was a per-file sysfs lock that protected this, but I
> > wasn't sure. Regardless, I would have thought this was safe, since
> > rcu_assign_pointer was serialized by rcu quiescence. Am I mistaken?
>
> Indeed you are -- rcu_assign_pointer() coordinates with any concurrent
> rcu_dereference() invocations, but does nothing to protect against other
> concurrent rcu_assign_pointer() invocations. So you should have something
> coordinating the update, be it a lock or whatever.
>
> > > > + call_rcu(&old->rcu, free_old_uevent_ptr);
> > > > +
> > > > return count;
> > > > +
> > > > +out_free:
> > > > + kfree(kbuf);
> > > > + return -ENOMEM;
> > > > }
> > > > KERNEL_ATTR_RW(uevent_helper);
> > > > #endif
> > > > diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c
> > > > index c2383f3..211f846 100644
> > > > --- a/lib/kobject_uevent.c
> > > > +++ b/lib/kobject_uevent.c
> > > > @@ -126,6 +126,7 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
> > > > struct kset *kset;
> > > > const struct kset_uevent_ops *uevent_ops;
> > > > u64 seq;
> > > > + const char *helper;
> > > > int i = 0;
> > > > int retval = 0;
> > > >
> > > > @@ -272,7 +273,8 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
> > > > #endif
> > > >
> > > > /* call uevent_helper, usually only enabled during early boot */
> > > > - if (uevent_helper[0])
> > > > + helper = rcu_dereference(uevent_helper);
> > >
> > > This is protected by a pre-existing rcu_read_lock() somewhere?
> > >
> > Does rcu_dereference not start a quiescence point the same way rcu_read_lock
> > does? AS I said, rcu isn't my strong suit :)
>
> What rcu_dereference() does is coordinate with any concurrent
> rcu_assign_pointer() calls to the same pointer. If you (incorrectly)
> replace the rcu_dereference() and rcu_assign_pointer() calls with
> simple assignments, then the helper[0] below might see the garbage
> values that were in place before the initialization that preceded the
> rcu_assign_pointer().
>
> The rcu_read_lock() and rcu_read_unlock() prevent an RCU grace period both
> starting and ending during the enclosed RCU read-side critical section.
> A pre-existing RCU grace period might end during this critical section,
> or a new RCU grace period might start during this critical section, but
> any RCU grace period that starts during a given RCU read-side critical
> section is not permitted to end until after that RCU read-side critical
> section ends.
>
> So the interaction between rcu_read_lock()/rcu_read_unlock on the one
> hand and synchronize_rcu() and call_rcu() on the other hand is what
> guarantees that any RCU-protect data structure referenced within an
> RCU read-side critical section will remain in existence throughout the
> remainder of that RCU read-side critical section.
>
> This arrangement might seem a bit strange at first, but it is what
> gives RCU its read-side performance, scalability, and deadlock immunity.
>
> For more detail, please take a look at:
>
> http://lwn.net/Articles/262464/ (What is RCU, Fundamentally?)
> http://lwn.net/Articles/263130/ (What is RCU's Usage?)
> http://lwn.net/Articles/264090/ (What is RCU's API?)
>
> Thanx, Paul
>
Ah, thank you for that Paul. So there is still some work to do here. On the
positive side, this isn't technically a regression, since the previous
implementation didn't provide any concurrency exclusion either (the use of a
static array prevented odd pointer corruption, but multiple uevent_helper reads
and writes can lead to all sorts of odd/erroneous behavior.
Fortunately, this can be fixed with an incremental addtion. Andrew, I'll do my
best by I don't know if it will be in time for -33, but I think thats ok, since
to trip over this you'd really have to be trying, and you'd have to be root to
do it. Let me know if you think this is critical and I'll try prioritize it/get
it done asap.
Neil
> > Neil
> >
> > > If not, an rcu_read_lock() / rcu_read_unlock() pair is needed that
> > > covers both the rcu_dereference() and any subsequent dereferences of the
> > > pointer returned by rcu_dereference().
> > >
> > > > + if (helper[0])
> > > > retval = uevent_call_helper(subsystem, env);
> > > >
> > > > exit:
> > > > --
> > > > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > > > the body of a message to [email protected]
> > > > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > > > Please read the FAQ at http://www.tux.org/lkml/
> > >
>