/* * Regression2 * Description: * Toshiyuki Okajima describes the following radix-tree bug: * * In the following case, we can get a hangup on * radix_radix_tree_gang_lookup_tag_slot. * * 0. The radix tree contains RADIX_TREE_MAP_SIZE items. And the tag of * a certain item has PAGECACHE_TAG_DIRTY. * 1. radix_tree_range_tag_if_tagged(, start, end, , PAGECACHE_TAG_DIRTY, * PAGECACHE_TAG_TOWRITE) is called to add PAGECACHE_TAG_TOWRITE tag * for the tag which has PAGECACHE_TAG_DIRTY. However, there is no tag with * PAGECACHE_TAG_DIRTY within the range from start to end. As the result, * There is no tag with PAGECACHE_TAG_TOWRITE but the root tag has * PAGECACHE_TAG_TOWRITE. * 2. An item is added into the radix tree and then the level of it is * extended into 2 from 1. At that time, the new radix tree node succeeds * the tag status of the root tag. Therefore the tag of the new radix tree * node has PAGECACHE_TAG_TOWRITE but there is not slot with * PAGECACHE_TAG_TOWRITE tag in the child node of the new radix tree node. * 3. The tag of a certain item is cleared with PAGECACHE_TAG_DIRTY. * 4. All items within the index range from 0 to RADIX_TREE_MAP_SIZE - 1 are * released. (Only the item which index is RADIX_TREE_MAP_SIZE exist in the * radix tree.) As the result, the slot of the radix tree node is NULL but * the tag which corresponds to the slot has PAGECACHE_TAG_TOWRITE. * 5. radix_tree_gang_lookup_tag_slot(PAGECACHE_TAG_TOWRITE) calls * __lookup_tag. __lookup_tag returns with 0. And __lookup_tag doesn't * change the index that is the input and output parameter. Because the 1st * slot of the radix tree node is NULL, but the tag which corresponds to * the slot has PAGECACHE_TAG_TOWRITE. * Therefore radix_tree_gang_lookup_tag_slot tries to get some items by * calling __lookup_tag, but it cannot get any items forever. * * The fix is to change that radix_tree_tag_if_tagged doesn't tag the root tag * if it doesn't set any tags within the specified range. * * Running: * This test should run to completion immediately. The above bug would cause it * to hang indefinitely. * * Upstream commit: * Not yet */ #include #include #include #include #include #include #include "regression.h" #include "test.h" #define PAGECACHE_TAG_DIRTY 0 #define PAGECACHE_TAG_WRITEBACK 1 #define PAGECACHE_TAG_TOWRITE 2 static RADIX_TREE(mt_tree, GFP_KERNEL); unsigned long page_count = 0; struct page { unsigned long index; }; static struct page *page_alloc(void) { struct page *p; p = malloc(sizeof(struct page)); p->index = page_count++; return p; } void regression2_test(void) { int i; struct page *p; int max_slots = RADIX_TREE_MAP_SIZE; unsigned long int start, end; struct page *pages[1]; printf("running regression test 2 (should take milliseconds)\n"); /* 0. */ for (i = 0; i <= max_slots - 1; i++) { p = page_alloc(); radix_tree_insert(&mt_tree, i, p); } radix_tree_tag_set(&mt_tree, max_slots - 1, PAGECACHE_TAG_DIRTY); /* 1. */ start = 0; end = max_slots - 2; tag_tagged_items(&mt_tree, NULL, start, end, 1, PAGECACHE_TAG_DIRTY, PAGECACHE_TAG_TOWRITE); /* 2. */ p = page_alloc(); radix_tree_insert(&mt_tree, max_slots, p); /* 3. */ radix_tree_tag_clear(&mt_tree, max_slots - 1, PAGECACHE_TAG_DIRTY); /* 4. */ for (i = max_slots - 1; i >= 0; i--) radix_tree_delete(&mt_tree, i); /* 5. */ // NOTE: start should not be 0 because radix_tree_gang_lookup_tag_slot // can return. start = 1; end = max_slots - 2; radix_tree_gang_lookup_tag_slot(&mt_tree, (void ***)pages, start, end, PAGECACHE_TAG_TOWRITE); /* We remove all the remained nodes */ radix_tree_delete(&mt_tree, max_slots); printf("regression test 2, done\n"); } >mode:
authorDavid S. Miller <davem@davemloft.net>2017-01-30 14:28:22 -0800
committerDavid S. Miller <davem@davemloft.net>2017-01-30 14:28:22 -0800
commit54791b276b4000b307339f269d3bf7db877d536f (patch)
tree1c2616bd373ce5ea28aac2a53e32f5b5834901ce /sound/soc/blackfin
parent5d0e7705774dd412a465896d08d59a81a345c1e4 (diff)
parent047487241ff59374fded8c477f21453681f5995c (diff)
Merge branch 'sparc64-non-resumable-user-error-recovery'
Liam R. Howlett says: ==================== sparc64: Recover from userspace non-resumable PIO & MEM errors A non-resumable error from userspace is able to cause a kernel panic or trap loop due to the setup and handling of the queued traps once in the kernel. This patch series addresses both of these issues. The queues are fixed by simply zeroing the memory before use. PIO errors from userspace will result in a SIGBUS being sent to the user process. The MEM errors form userspace will result in a SIGKILL and also cause the offending pages to be claimed so they are no longer used in future tasks. SIGKILL is used to ensure that the process does not try to coredump and result in an attempt to read the memory again from within kernel space. Although there is a HV call to scrub the memory (mem_scrub), there is no easy way to guarantee that the real memory address(es) are not used by other tasks. Clearing the error with mem_scrub would zero the memory and cause the other processes to proceed with bad data. The handling of other non-resumable errors remain unchanged and will cause a panic. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'sound/soc/blackfin')