13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Sat, 15 May 2010 16:03:15 +0000 (09:03 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/viro/vfs-2.6

* 'for-linus' of git://
  JFS: Free sbi memory in error path
  fs/sysv: dereferencing ERR_PTR()
  Fix double-free in logfs
  Fix the regression created by "set S_DEAD on unlink()..." commit

13 years agoMerge branch 'perf-fixes-for-linus' of git://
Linus Torvalds [Sat, 15 May 2010 16:03:02 +0000 (09:03 -0700)]
Merge branch 'perf-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'perf-fixes-for-linus' of git://
  perf record: Add a fallback to the reference relocation symbol

13 years agoJFS: Free sbi memory in error path
Jan Blunck [Mon, 12 Apr 2010 23:44:08 +0000 (16:44 -0700)]
JFS: Free sbi memory in error path

I spotted the missing kfree() while removing the BKL.

[ avoid multiple returns so it doesn't happen again]
Signed-off-by: Jan Blunck <>
Cc: Dave Kleikamp <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Al Viro <>
13 years agofs/sysv: dereferencing ERR_PTR()
Dan Carpenter [Wed, 21 Apr 2010 10:30:32 +0000 (12:30 +0200)]
fs/sysv: dereferencing ERR_PTR()

I moved the dir_put_page() inside the if condition so we don't dereference
"page", if it's an ERR_PTR().

Signed-off-by: Dan Carpenter <>
Signed-off-by: Al Viro <>
13 years agoFix double-free in logfs
Al Viro [Thu, 29 Apr 2010 00:57:02 +0000 (20:57 -0400)]
Fix double-free in logfs

iput() is needed *until* we'd done successful d_alloc_root()

Signed-off-by: Al Viro <>
13 years agoFix the regression created by "set S_DEAD on unlink()..." commit
Al Viro [Fri, 30 Apr 2010 21:17:09 +0000 (17:17 -0400)]
Fix the regression created by "set S_DEAD on unlink()..." commit

1) i_flags simply doesn't work for mount/unlink race prevention;
we may have many links to file and rm on one of those obviously
shouldn't prevent bind on top of another later on.  To fix it
right way we need to mark _dentry_ as unsuitable for mounting
upon; new flag (DCACHE_CANT_MOUNT) is protected by d_flags and
i_mutex on the inode in question.  Set it (with dont_mount(dentry))
in unlink/rmdir/etc., check (with cant_mount(dentry)) in places
in namespace.c that used to check for S_DEAD.  Setting S_DEAD
is still needed in places where we used to set it (for directories
getting killed), since we rely on it for readdir/rmdir race

2) rename()/mount() protection has another bogosity - we unhash
the target before we'd checked that it's not a mountpoint.  Fixed.

3) ancient bogosity in pivot_root() - we locked i_mutex on the
right directory, but checked S_DEAD on the different (and wrong)
one.  Noticed and fixed.

Signed-off-by: Al Viro <>
13 years agoMerge
Linus Torvalds [Sat, 15 May 2010 04:28:42 +0000 (21:28 -0700)]

  ARM: 6126/1: ARM mpcore_wdt: fix build failure and other fixes
  ARM: 6125/1: ARM TWD: move TWD registers to common header
  ARM: 6110/1: Fix Thumb-2 kernel builds when UACCESS_WITH_MEMCPY is enabled
  ARM: 6112/1: Use the Inner Shareable I-cache and BTB ops on ARMv7 SMP
  ARM: 6111/1: Implement read/write for ownership in the ARMv6 DMA cache ops
  ARM: 6106/1: Implement copy_to_user_page() for noMMU
  ARM: 6105/1: Fix the __arm_ioremap_caller() definition in nommu.c

13 years agoMerge branch 'x86-fixes-for-linus' of git://
Linus Torvalds [Sat, 15 May 2010 04:28:23 +0000 (21:28 -0700)]
Merge branch 'x86-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'x86-fixes-for-linus' of git://
  x86, mrst: Don't blindly access extended config space

13 years agoprofile: fix stats and data leakage
Hugh Dickins [Sat, 15 May 2010 02:44:10 +0000 (19:44 -0700)]
profile: fix stats and data leakage

If the kernel is large or the profiling step small, /proc/profile
leaks data and readprofile shows silly stats, until readprofile -r
has reset the buffer: clear the prof_buffer when it is vmalloc()ed.

Signed-off-by: Hugh Dickins <>
Signed-off-by: Linus Torvalds <>
13 years agohughd: update email address
Hugh Dickins [Sat, 15 May 2010 02:40:35 +0000 (19:40 -0700)]
hughd: update email address

My old address will shut down in a couple of weeks: update the tree.

Signed-off-by: Hugh Dickins <>
Signed-off-by: Hugh Dickins <>
Signed-off-by: Linus Torvalds <>
13 years agox86, mrst: Don't blindly access extended config space
H. Peter Anvin [Fri, 14 May 2010 20:55:57 +0000 (13:55 -0700)]
x86, mrst: Don't blindly access extended config space

Do not blindly access extended configuration space unless we actively
know we're on a Moorestown platform.  The fixed-size BAR capability
lives in the extended configuration space, and thus is not applicable
if the configuration space isn't appropriately sized.

This fixes booting certain VMware configurations with CONFIG_MRST=y.

Moorestown will add a fake PCI-X 266 capability to advertise the
presence of extended configuration space.

Reported-and-tested-by: Petr Vandrovec <>
Signed-off-by: H. Peter Anvin <>
Acked-by: Jacob Pan <>
Acked-by: Jesse Barnes <>
LKML-Reference: <>

13 years agoMerge branch 'x86-fixes-for-linus' of git://
Linus Torvalds [Fri, 14 May 2010 19:20:09 +0000 (12:20 -0700)]
Merge branch 'x86-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'x86-fixes-for-linus' of git://
  x86, cacheinfo: Turn off L3 cache index disable feature in virtualized environments
  x86, k8: Fix build error when K8_NB is disabled
  x86, amd: Check X86_FEATURE_OSVW bit before accessing OSVW MSRs
  x86: Fix fake apicid to node mapping for numa emulation

13 years agox86, cacheinfo: Turn off L3 cache index disable feature in virtualized environments
Frank Arnold [Thu, 22 Apr 2010 14:06:59 +0000 (16:06 +0200)]
x86, cacheinfo: Turn off L3 cache index disable feature in virtualized environments

When running a quest kernel on xen we get:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
IP: [<ffffffff8142f2fb>] cpuid4_cache_lookup_regs+0x2ca/0x3df
Oops: 0000 [#1] SMP
last sysfs file:
Modules linked in:

Pid: 0, comm: swapper Tainted: G        W  2.6.34-rc3 #1 /HVM domU
RIP: 0010:[<ffffffff8142f2fb>]  [<ffffffff8142f2fb>] cpuid4_cache_lookup_regs+0x
RSP: 0018:ffff880002203e08  EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000060
RDX: 0000000000000000 RSI: 0000000000000040 RDI: 0000000000000000
RBP: ffff880002203ed8 R08: 00000000000017c0 R09: ffff880002203e38
R10: ffff8800023d5d40 R11: ffffffff81a01e28 R12: ffff880187e6f5c0
R13: ffff880002203e34 R14: ffff880002203e58 R15: ffff880002203e68
FS:  0000000000000000(0000) GS:ffff880002200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000038 CR3: 0000000001a3c000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process swapper (pid: 0, threadinfo ffffffff81a00000, task ffffffff81a44020)
 ffffffff810d7ecb ffff880002203e20 ffffffff81059140 ffff880002203e30
<0> ffffffff810d7ec9 0000000002203e40 000000000050d140 ffff880002203e70
<0> 0000000002008140 0000000000000086 ffff880040020140 ffffffff81068b8b
Call Trace:
 [<ffffffff810d7ecb>] ? sync_supers_timer_fn+0x0/0x1c
 [<ffffffff81059140>] ? mod_timer+0x23/0x25
 [<ffffffff810d7ec9>] ? arm_supers_timer+0x34/0x36
 [<ffffffff81068b8b>] ? hrtimer_get_next_event+0xa7/0xc3
 [<ffffffff81058e85>] ? get_next_timer_interrupt+0x19a/0x20d
 [<ffffffff8142fa23>] get_cpu_leaves+0x5c/0x232
 [<ffffffff8106a7b1>] ? sched_clock_local+0x1c/0x82
 [<ffffffff8106a9a0>] ? sched_clock_tick+0x75/0x7a
 [<ffffffff8107748c>] generic_smp_call_function_single_interrupt+0xae/0xd0
 [<ffffffff8101f6ef>] smp_call_function_single_interrupt+0x18/0x27
 [<ffffffff8100a773>] call_function_single_interrupt+0x13/0x20
 [<ffffffff8143c468>] ? notifier_call_chain+0x14/0x63
 [<ffffffff810295c6>] ? native_safe_halt+0xc/0xd
 [<ffffffff810114eb>] ? default_idle+0x36/0x53
 [<ffffffff81008c22>] cpu_idle+0xaa/0xe4
 [<ffffffff81423a9a>] rest_init+0x7e/0x80
 [<ffffffff81b10dd2>] start_kernel+0x40e/0x419
 [<ffffffff81b102c8>] x86_64_start_reservations+0xb3/0xb7
 [<ffffffff81b103c4>] x86_64_start_kernel+0xf8/0x107
Code: 14 d5 40 ff ae 81 8b 14 02 31 c0 3b 15 47 1c 8b 00 7d 0e 48 8b 05 36 1c 8b
 00 48 63 d2 48 8b 04 d0 c7 85 5c ff ff ff 00 00 00 00 <8b> 70 38 48 8d 8d 5c ff
 ff ff 48 8b 78 10 ba c4 01 00 00 e8 eb
RIP  [<ffffffff8142f2fb>] cpuid4_cache_lookup_regs+0x2ca/0x3df
 RSP <ffff880002203e08>
CR2: 0000000000000038
---[ end trace a7919e7f17c0a726 ]---

The L3 cache index disable feature of AMD CPUs has to be disabled if the
kernel is running as guest on top of a hypervisor because northbridge
devices are not available to the guest. Currently, this fixes a boot
crash on top of Xen. In the future this will become an issue on KVM as

Check if northbridge devices are present and do not enable the feature
if there are none.

[ hpa: backported to 2.6.34 ]

Signed-off-by: Frank Arnold <>
LKML-Reference: <>
Acked-by: Borislav Petkov <>
Signed-off-by: H. Peter Anvin <>
Cc: <>
13 years agox86, k8: Fix build error when K8_NB is disabled
Borislav Petkov [Sat, 24 Apr 2010 07:56:53 +0000 (09:56 +0200)]
x86, k8: Fix build error when K8_NB is disabled

K8_NB depends on PCI and when the last is disabled (allnoconfig) we fail
at the final linking stage due to missing exported num_k8_northbridges.
Add a header stub for that.

Signed-off-by: Borislav Petkov <>
LKML-Reference: <20100503183036.GJ26107@aftab>
Signed-off-by: H. Peter Anvin <>
Cc: <>
13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Fri, 14 May 2010 18:49:42 +0000 (11:49 -0700)]
Merge branch 'for-linus' of git://

* 'for-linus' of git://
  inotify: don't leak user struct on inotify release
  inotify: race use after free/double free in inotify inode marks
  inotify: clean up the inotify_add_watch out path
  Inotify: undefined reference to `anon_inode_getfd'

Manual merge to remove duplicate "select ANON_INODES" from Kconfig file

13 years agoMerge branch 'davinci-fixes-for-linus-2' of git://
Linus Torvalds [Fri, 14 May 2010 18:43:52 +0000 (11:43 -0700)]
Merge branch 'davinci-fixes-for-linus-2' of git://git./linux/kernel/git/khilman/linux-davinci

* 'davinci-fixes-for-linus-2' of git://
  DA830: fix USB 2.0 clock entry

13 years agoDA830: fix USB 2.0 clock entry
Sergei Shtylyov [Thu, 13 May 2010 18:51:51 +0000 (22:51 +0400)]
DA830: fix USB 2.0 clock entry

DA8xx OHCI driver fails to load due to failing clk_get() call for the USB 2.0
clock. Arrange matching USB 2.0 clock by the clock name instead of the device.
(Adding another CLK() entry for "ohci.0" device won't do -- in the future I'll
also have to enable USB 2.0 clock to configure CPPI 4.1 module, in which case
I won't have any device at all.)

Signed-off-by: Sergei Shtylyov <>
Signed-off-by: Kevin Hilman <>
13 years agoinotify: don't leak user struct on inotify release
Pavel Emelyanov [Wed, 12 May 2010 22:34:07 +0000 (15:34 -0700)]
inotify: don't leak user struct on inotify release

inotify_new_group() receives a get_uid-ed user_struct and saves the
reference on group->inotify_data.user.  The problem is that free_uid() is
never called on it.

Issue seem to be introduced by 63c882a0 (inotify: reimplement inotify
using fsnotify) after 2.6.30.

Signed-off-by: Pavel Emelyanov <>
Eric Paris <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Eric Paris <>
13 years agoinotify: race use after free/double free in inotify inode marks
Eric Paris [Tue, 11 May 2010 21:17:40 +0000 (17:17 -0400)]
inotify: race use after free/double free in inotify inode marks

There is a race in the inotify add/rm watch code.  A task can find and
remove a mark which doesn't have all of it's references.  This can
result in a use after free/double free situation.

Task A Task B
------------ -----------
 allocate a mark (refcnt == 1)
 add it to the idr
      refcnt hits 0, free
 take reference because we are on idr
 [at this point it is a use after free]
 [time goes on]
 refcnt may hit 0 again, double free

The fix is to take the reference BEFORE the object can be found in the

Signed-off-by: Eric Paris <>
Cc: <>
13 years agoinotify: clean up the inotify_add_watch out path
Eric Paris [Tue, 11 May 2010 21:16:23 +0000 (17:16 -0400)]
inotify: clean up the inotify_add_watch out path

inotify_add_watch explictly frees the unused inode mark, but it can just
use the generic code.  Just do that.

Signed-off-by: Eric Paris <>
13 years agoMerge git://
Linus Torvalds [Fri, 14 May 2010 14:56:45 +0000 (07:56 -0700)]
Merge git://git./linux/kernel/git/davem/net-2.6

* git://
  vhost: fix barrier pairing

13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Fri, 14 May 2010 14:55:42 +0000 (07:55 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://
  mmap_min_addr check CAP_SYS_RAWIO only for write

13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Fri, 14 May 2010 14:29:29 +0000 (07:29 -0700)]
Merge branch 'for-linus' of git://

* 'for-linus' of git://
  microblaze: Fix module loading on system with WB cache
  microblaze: export assembly functions used by modules
  microblaze: Remove powerpc code from Microblaze port
  microblaze: Remove compilation warnings in cache macro
  microblaze: export assembly functions used by modules
  microblaze: fix get_user/put_user side-effects
  microblaze: re-enable interrupts before calling schedule

13 years agoMerge branch 'net-2.6' of git://
David S. Miller [Fri, 14 May 2010 10:42:49 +0000 (03:42 -0700)]
Merge branch 'net-2.6' of git://git./linux/kernel/git/mst/vhost

13 years agommap_min_addr check CAP_SYS_RAWIO only for write
Kees Cook [Thu, 22 Apr 2010 19:19:17 +0000 (12:19 -0700)]
mmap_min_addr check CAP_SYS_RAWIO only for write

Redirecting directly to lsm, here's the patch discussed on lkml:

The mmap_min_addr value is useful information for an admin to see without
being root ("is my system vulnerable to kernel NULL pointer attacks?") and
its setting is trivially easy for an attacker to determine by calling
mmap() in PAGE_SIZE increments starting at 0, so trying to keep it private
has no value.

Only require CAP_SYS_RAWIO if changing the value, not reading it.

Comment from Serge :

  Me, I like to write my passwords with light blue pen on dark blue
  paper, pasted on my window - if you're going to get my password, you're
  gonna get a headache.

Signed-off-by: Kees Cook <>
Acked-by: Serge Hallyn <>
Signed-off-by: James Morris <>
(cherry picked from commit 822cceec7248013821d655545ea45d1c6a9d15b3)

13 years agomicroblaze: Fix module loading on system with WB cache
Michal Simek [Fri, 14 May 2010 05:40:46 +0000 (07:40 +0200)]
microblaze: Fix module loading on system with WB cache

There is necessary to flush whole dcache. Icache work should be
done in kernel/module.c.

Signed-off-by: Michal Simek <>
13 years agox86, amd: Check X86_FEATURE_OSVW bit before accessing OSVW MSRs
Andreas Herrmann [Tue, 27 Apr 2010 10:13:48 +0000 (12:13 +0200)]
x86, amd: Check X86_FEATURE_OSVW bit before accessing OSVW MSRs

If host CPU is exposed to a guest the OSVW MSRs are not guaranteed
to be present and a GP fault occurs. Thus checking the feature flag is

Cc: <> # .32.x .33.x
Signed-off-by: Andreas Herrmann <>
LKML-Reference: <>
Signed-off-by: H. Peter Anvin <>
13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Thu, 13 May 2010 21:48:10 +0000 (14:48 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/sameo/mfd-2.6

* 'for-linus' of git://
  mfd: Clean up after WM83xx AUXADC interrupt if it arrives late

13 years agoMerge branch 'kvm-updates/2.6.34' of git://
Linus Torvalds [Thu, 13 May 2010 21:36:19 +0000 (14:36 -0700)]
Merge branch 'kvm-updates/2.6.34' of git://git./virt/kvm/kvm

* 'kvm-updates/2.6.34' of git://
  KVM: PPC: Keep index within boundaries in kvmppc_44x_emul_tlbwe()
  KVM: VMX: blocked-by-sti must not defer NMI injections
  KVM: x86: Call vcpu_load and vcpu_put in cpuid_update
  KVM: SVM: Fix wrong intercept masks on 32 bit
  KVM: convert ioapic lock to spinlock

13 years agoMerge git://
Linus Torvalds [Thu, 13 May 2010 19:21:44 +0000 (12:21 -0700)]
Merge git://git./linux/kernel/git/gregkh/tty-2.6

* git://
  serial: imx.c: fix CTS trigger level lower to avoid lost chars
  tty: Fix unbalanced BKL handling in error path
  serial: mpc52xx_uart: fix null pointer dereference

13 years agoserial: imx.c: fix CTS trigger level lower to avoid lost chars
Valentin Longchamp [Wed, 5 May 2010 09:47:07 +0000 (11:47 +0200)]
serial: imx.c: fix CTS trigger level lower to avoid lost chars

The imx CTS trigger level is left at its reset value that is 32
chars. Since the RX FIFO has 32 entries, when CTS is raised, the
FIFO already is full. However, some serial port devices first empty
their TX FIFO before stopping when CTS is raised, resulting in lost

This patch sets the trigger level lower so that other chars arrive
after CTS is raised, there is still room for 16 of them.

Signed-off-by: Valentin Longchamp<>
Tested-by: Philippe Rétornaz<>
Acked-by: Wolfram Sang<>
Cc: stable <>
Signed-off-by: Greg Kroah-Hartman <>
13 years agotty: Fix unbalanced BKL handling in error path
Alan Cox [Tue, 4 May 2010 19:42:36 +0000 (20:42 +0100)]
tty: Fix unbalanced BKL handling in error path

Arnd noted:

After the "retry_open:" label, we first get the tty_mutex
and then the BKL. However a the end of tty_open, we jump
back to retry_open with the BKL still held. If we run into
this case, the tty_open function will be left with the BKL
still held.

Signed-off-by: Alan Cox <>
Acked-by: Arnd Bergmann <>
Cc: stable <>
Signed-off-by: Greg Kroah-Hartman <>
13 years agoserial: mpc52xx_uart: fix null pointer dereference
Anatolij Gustschin [Tue, 4 May 2010 22:18:59 +0000 (00:18 +0200)]
serial: mpc52xx_uart: fix null pointer dereference

Commit 6acc6833510db8f72b5ef343296d97480555fda9
introduced NULL pointer dereference and kernel crash
on ppc32 machines while booting. Fix this bug now.

Reported-by: Leonardo Chiquitto <>
Tested-by: Leonardo Chiquitto <>
Signed-off-by: Anatolij Gustschin <>
Acked-by: Grant Likely <>
Signed-off-by: Greg Kroah-Hartman <>
13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Thu, 13 May 2010 17:36:16 +0000 (10:36 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/sfrench/cifs-2.6

* 'for-linus' of git://
  cifs: guard against hardlinking directories

13 years agovfs: Fix O_NOFOLLOW behavior for paths with trailing slashes
Jan Kara [Thu, 13 May 2010 10:52:57 +0000 (12:52 +0200)]
vfs: Fix O_NOFOLLOW behavior for paths with trailing slashes

According to specification

mkdir d; ln -s d a; open("a/", O_NOFOLLOW | O_RDONLY)

should return success but currently it returns ELOOP.  This is a
regression caused by path lookup cleanup patch series.

Fix the code to ignore O_NOFOLLOW in case the provided path has trailing

Cc: Andrew Morton <>
Cc: Al Viro <>
Reported-by: Marius Tolzmann <>
Acked-by: Miklos Szeredi <>
Signed-off-by: Jan Kara <>
Signed-off-by: Linus Torvalds <>
13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Thu, 13 May 2010 14:35:26 +0000 (07:35 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/tiwai/sound-2.6

* 'for-linus' of git://
  ALSA: ice1724 - Fix ESI Maya44 capture source control
  ALSA: pcm - Use pgprot_noncached() for MIPS non-coherent archs
  ALSA: virtuoso: fix Xonar D1/DX front panel microphone
  ALSA: hda - Add hp-dv4 model for IDT 92HD71bx
  ALSA: hda - Fix mute-LED GPIO pin for HP dv series
  ALSA: hda: Fix 0 dB for Lenovo models using Conexant CX20549 (Venice)

13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Thu, 13 May 2010 14:28:43 +0000 (07:28 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/dtor/input

* 'for-linus' of git://
  Input: ad7877 - keep dma rx buffers in seperate cache lines
  Input: psmouse - reset all types of mice before reconnecting
  Input: elantech - use all 3 bytes when checking version
  Input: iforce - fix Guillemot Jet Leader 3D entry
  Input: iforce - add Guillemot Jet Leader Force Feedback

13 years agomfd: Clean up after WM83xx AUXADC interrupt if it arrives late
Mark Brown [Fri, 2 Apr 2010 12:08:39 +0000 (13:08 +0100)]
mfd: Clean up after WM83xx AUXADC interrupt if it arrives late

In certain circumstances, especially under heavy load, the AUXADC
completion interrupt may be detected after we've timed out waiting for
it.  That conversion would still succeed but the next conversion will
see the completion that was signalled by the interrupt for the previous
conversion and therefore not wait for the AUXADC conversion to run,
causing it to report failure.

Provide a simple, non-invasive cleanup by using try_wait_for_completion()
to ensure that the completion is not signalled before we wait.  Since
the AUXADC is run within a mutex we know there can only have been at
most one AUXADC interrupt outstanding.  A more involved change should
follow for the next merge window.

Signed-off-by: Mark Brown <>
Signed-off-by: Samuel Ortiz <>
13 years agomicroblaze: export assembly functions used by modules
Michal Simek [Thu, 13 May 2010 10:11:42 +0000 (12:11 +0200)]
microblaze: export assembly functions used by modules

Export __strncpy_user, memory_size, ioremap_bot for modules.

Signed-off-by: Michal Simek <>
13 years agomicroblaze: Remove powerpc code from Microblaze port
Michal Simek [Thu, 13 May 2010 10:09:54 +0000 (12:09 +0200)]
microblaze: Remove powerpc code from Microblaze port

Remove eeh_add_device_tree_late which is powerpc specific code.

Signed-off-by: Michal Simek <>
13 years agomicroblaze: Remove compilation warnings in cache macro
Michal Simek [Thu, 13 May 2010 08:55:47 +0000 (10:55 +0200)]
microblaze: Remove compilation warnings in cache macro

CC      arch/microblaze/kernel/cpu/cache.o
arch/microblaze/kernel/cpu/cache.c: In function '__invalidate_dcache_range_wb':
arch/microblaze/kernel/cpu/cache.c:398: warning: ISO C90 forbids mixed declarations and code
arch/microblaze/kernel/cpu/cache.c: In function '__flush_dcache_range_wb':
arch/microblaze/kernel/cpu/cache.c:509: warning: ISO C90 forbids mixed declara

Signed-off-by: Michal Simek <>
13 years agomicroblaze: export assembly functions used by modules
Steven J. Magnani [Tue, 27 Apr 2010 18:00:35 +0000 (13:00 -0500)]
microblaze: export assembly functions used by modules

Modules that use copy_{to,from}_user(), memcpy(), and memset() fail to build
in certain circumstances.

Signed-off-by: Steven J. Magnani <>
Signed-off-by: Michal Simek <>
13 years agoMerge branch 'fix/hda' into for-linus
Takashi Iwai [Thu, 13 May 2010 08:07:15 +0000 (10:07 +0200)]
Merge branch 'fix/hda' into for-linus

13 years agoInput: ad7877 - keep dma rx buffers in seperate cache lines
Oskar Schirmer [Thu, 13 May 2010 07:42:23 +0000 (00:42 -0700)]
Input: ad7877 - keep dma rx buffers in seperate cache lines

With dma based spi transmission, data corruption is observed
occasionally. With dma buffers located right next to msg and
xfer fields, cache lines correctly flushed in preparation for
dma usage may be polluted again when writing to fields in the
same cache line.

Make sure cache fields used with dma do not share cache lines
with fields changed during dma handling. As both fields are part
of a struct that is allocated via kzalloc, thus cache aligned,
moving the fields to the 1st position and insert padding for
alignment does the job.

Signed-off-by: Oskar Schirmer <>
Signed-off-by: Daniel Glöckner <>
Signed-off-by: Oliver Schneidewind <>
Signed-off-by: Johannes Weiner <>
Acked-by: Mike Frysinger <>
[ - changed to use ___cacheline_aligned as suggested
 by akpm]
Signed-off-by: Dmitry Torokhov <>
13 years agoInput: psmouse - reset all types of mice before reconnecting
Dmitry Torokhov [Thu, 13 May 2010 07:42:23 +0000 (00:42 -0700)]
Input: psmouse - reset all types of mice before reconnecting

Synaptics hardware requires resetting device after suspend to ram
in order for the device to be operational. The reset lives in
synaptics-specific reconnect handler, but it is not being invoked
if synaptics support is disabled and the device is handled as a
standard PS/2 device (bare or IntelliMouse protocol).

Let's add reset into generic reconnect handler as well.

Signed-off-by: Dmitry Torokhov <>
13 years agoInput: elantech - use all 3 bytes when checking version
Dmitry Torokhov [Thu, 13 May 2010 07:41:15 +0000 (00:41 -0700)]
Input: elantech - use all 3 bytes when checking version

Apparently all 3 bytes returned by ETP_FW_VERSION_QUERY are significant
and should be taken into account when matching hardware version/features.

Tested-by: Eric Piel <>
Signed-off-by: Dmitry Torokhov <>
13 years agomicroblaze: fix get_user/put_user side-effects
Steven J. Magnani [Thu, 6 May 2010 21:38:33 +0000 (16:38 -0500)]
microblaze: fix get_user/put_user side-effects

The Microblaze implementations of get_user() and (MMU) put_user() evaluate
the address argument more than once. This causes unexpected side-effects for
invocations that include increment operators, i.e. get_user(foo, bar++).

This patch also removes the distinction between MMU and noMMU put_user().

Without the patch:
  $ echo 1234567890 > /proc/sys/kernel/core_pattern
  $ cat /proc/sys/kernel/core_pattern

Signed-off-by: Steven J. Magnani <>
13 years agomicroblaze: re-enable interrupts before calling schedule
Steven J. Magnani [Tue, 27 Apr 2010 18:00:23 +0000 (13:00 -0500)]
microblaze: re-enable interrupts before calling schedule

schedule() should not be called with interrupts disabled.

Signed-off-by: Steven J. Magnani <>
Signed-off-by: Michal Simek <>
13 years agoperf record: Add a fallback to the reference relocation symbol
Arnaldo Carvalho de Melo [Tue, 30 Mar 2010 21:27:39 +0000 (18:27 -0300)]
perf record: Add a fallback to the reference relocation symbol

Usually "_text" is enough, but I received reports that its not always
available, so fallback to "_stext" for the symbol we use to check if we
need to apply any relocation to all the symbols in the kernel symtab,
for when, for instance, kexec is being used.

Reported-by: Darren Hart <>
Reported-by: Steven Rostedt <>
Cc: Frédéric Weisbecker <>
Cc: Mike Galbraith <>
Cc: Peter Zijlstra <>
Cc: Paul Mackerras <>
Signed-off-by: Arnaldo Carvalho de Melo <>
Signed-off-by: Ingo Molnar <>
13 years agoKVM: PPC: Keep index within boundaries in kvmppc_44x_emul_tlbwe()
Roel Kluin [Sun, 9 May 2010 15:26:47 +0000 (17:26 +0200)]
KVM: PPC: Keep index within boundaries in kvmppc_44x_emul_tlbwe()

An index of KVM44x_GUEST_TLB_SIZE is already one too large.

Signed-off-by: Roel Kluin <>
Acked-by: Hollis Blanchard <>
Acked-by: Alexander Graf <>
Signed-off-by: Marcelo Tosatti <>
13 years agoKVM: VMX: blocked-by-sti must not defer NMI injections
Jan Kiszka [Tue, 11 May 2010 13:16:46 +0000 (15:16 +0200)]
KVM: VMX: blocked-by-sti must not defer NMI injections

As the processor may not consider GUEST_INTR_STATE_STI as a reason for
blocking NMI, it could return immediately with EXIT_REASON_NMI_WINDOW
when we asked for it. But as we consider this state as NMI-blocking, we
can run into an endless loop.

Resolve this by allowing NMI injection if just GUEST_INTR_STATE_STI is
active (originally suggested by Gleb). Intel confirmed that this is
safe, the processor will never complain about NMI injection in this

Signed-off-by: Jan Kiszka <>
Acked-by: Gleb Natapov <>
Signed-off-by: Marcelo Tosatti <>
13 years agoKVM: x86: Call vcpu_load and vcpu_put in cpuid_update
Dongxiao Xu [Tue, 11 May 2010 10:21:33 +0000 (18:21 +0800)]
KVM: x86: Call vcpu_load and vcpu_put in cpuid_update

cpuid_update may operate VMCS, so vcpu_load() and vcpu_put()
should be called to ensure correctness.

Signed-off-by: Dongxiao Xu <>
Signed-off-by: Marcelo Tosatti <>
13 years agoKVM: SVM: Fix wrong intercept masks on 32 bit
Joerg Roedel [Wed, 5 May 2010 14:04:43 +0000 (16:04 +0200)]
KVM: SVM: Fix wrong intercept masks on 32 bit

This patch makes KVM on 32 bit SVM working again by
correcting the masks used for iret interception. With the
wrong masks the upper 32 bits of the intercepts are masked
out which leaves vmrun unintercepted. This is not legal on
svm and the vmrun fails.
Bug was introduced by commits 95ba827313 and 3cfc3092.

Cc: Jan Kiszka <>
Cc: Gleb Natapov <>
Signed-off-by: Joerg Roedel <>
Signed-off-by: Avi Kivity <>
13 years agoKVM: convert ioapic lock to spinlock
Marcelo Tosatti [Fri, 23 Apr 2010 17:03:38 +0000 (14:03 -0300)]
KVM: convert ioapic lock to spinlock

kvm_set_irq is used from non sleepable contexes, so convert ioapic from
mutex to spinlock.

Tested-by: Ralf Bonenkamp <>
Signed-off-by: Marcelo Tosatti <>
13 years agoMerge branch 'merge' of git://
Linus Torvalds [Thu, 13 May 2010 01:48:26 +0000 (18:48 -0700)]
Merge branch 'merge' of git://git./linux/kernel/git/benh/powerpc

* 'merge' of git://
  powerpc/perf_event: Fix oops due to perf_event_do_pending call
  powerpc/swiotlb: Fix off by one in determining boundary of which ops to use

13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Thu, 13 May 2010 01:47:55 +0000 (18:47 -0700)]
Merge branch 'for-linus' of git://

* 'for-linus' of git://
  [S390] correct address of _stext with CONFIG_SHARED_KERNEL=y
  [S390] ptrace: fix return value of do_syscall_trace_enter()
  [S390] dasd: fix race between tasklet and dasd_sleep_on

13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Thu, 13 May 2010 01:47:29 +0000 (18:47 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/sage/ceph-client

* 'for-linus' of git://
  ceph: preserve seq # on requeued messages after transient transport errors
  ceph: fix cap removal races
  ceph: zero unused message header, footer fields
  ceph: fix locking for waking session requests after reconnect
  ceph: resubmit requests on pg mapping change (not just primary change)
  ceph: fix open file counting on snapped inodes when mds returns no caps
  ceph: unregister osd request on failure
  ceph: don't use writeback_control in writepages completion
  ceph: unregister bdi before kill_anon_super releases device name

13 years agoMerge commit 'kumar/merge' into merge
Benjamin Herrenschmidt [Thu, 13 May 2010 01:42:40 +0000 (11:42 +1000)]
Merge commit 'kumar/merge' into merge

13 years agoRevert "PCI: update bridge resources to get more big ranges in PCI assign unssigned"
Linus Torvalds [Thu, 13 May 2010 01:39:45 +0000 (18:39 -0700)]
Revert "PCI: update bridge resources to get more big ranges in PCI assign unssigned"

This reverts commit 977d17bb1749517b353874ccdc9b85abc7a58c2a, because it
can cause problems with some devices not getting any resources at all
when the resource tree is re-allocated.

For an example of this, see
(lkml thread:

where Peter Henriksson reported his Xonar DX sound card gone, because
the IO port region was no longer allocated.

Reported-bisected-and-tested-by: Peter Henriksson <>
Requested-by: Andrew Morton <>
Requested-by: Clemens Ladisch <>
Acked-by: Jesse Barnes <>
Cc: Yinghai Lu <>
Signed-off-by: Linus Torvalds <>
13 years agoCacheFiles: Fix error handling in cachefiles_determine_cache_security()
David Howells [Wed, 12 May 2010 14:34:03 +0000 (15:34 +0100)]
CacheFiles: Fix error handling in cachefiles_determine_cache_security()

cachefiles_determine_cache_security() is expected to return with a
security override in place.  However, if set_create_files_as() fails, we
fail to do this.  In this case, we should just reinstate the security
override that was set by the caller.

Furthermore, if set_create_files_as() fails, we should dispose of the
new credentials we were in the process of creating.

Signed-off-by: David Howells <>
Signed-off-by: Linus Torvalds <>
13 years agorwsem: Test for no active locks in __rwsem_do_wake undo code
Michel Lespinasse [Wed, 12 May 2010 10:38:45 +0000 (11:38 +0100)]
rwsem: Test for no active locks in __rwsem_do_wake undo code

If there are no active threasd using a semaphore, it is always correct
to unqueue blocked threads.  This seems to be what was intended in the
undo code.

What was done instead, was to look for a sem count of zero - this is an
impossible situation, given that at least one thread is known to be
queued on the semaphore.  The code might be correct as written, but it's
hard to reason about and it's not what was intended (otherwise the goto
out would have been unconditional).

Go for checking the active count - the alternative is not worth the

Signed-off-by: Michel Lespinasse <>
Signed-off-by: David Howells <>
Signed-off-by: Linus Torvalds <>
13 years agovhost: fix barrier pairing
Michael S. Tsirkin [Tue, 11 May 2010 16:44:17 +0000 (19:44 +0300)]
vhost: fix barrier pairing

According to memory-barriers.txt, an smp memory barrier in guest
should always be paired with an smp memory barrier in host,
and I quote "a lack of appropriate pairing is almost certainly an
error". In case of vhost, failure to flush out used index
update before looking at the interrupt disable flag
could result in missed interrupts, resulting in
networking hang under stress.

This might happen when flags read bypasses used index write.
So we see interrupts disabled and do not interrupt, at the
same time guest writes flags value to enable interrupt,
reads an old used index value, thinks that
used ring is empty and waits for interrupt.

Note: the barrier we pair with here is in
drivers/virtio/virtio_ring.c, function

Signed-off-by: Michael S. Tsirkin <>
Acked-by: Juan Quintela <>
13 years agoInotify: undefined reference to `anon_inode_getfd'
Russell King [Sun, 18 Apr 2010 20:25:11 +0000 (21:25 +0100)]
Inotify: undefined reference to `anon_inode_getfd'


fs/built-in.o: In function `sys_inotify_init1':
summary.c:(.text+0x347a4): undefined reference to `anon_inode_getfd'

found by kautobuild with arms bcmring_defconfig, which ends up with
INOTIFY_USER enabled (through the 'default y') but leaves ANON_INODES
unset.  However, inotify_user.c uses anon_inode_getfd().

Signed-off-by: Russell King <>
Signed-off-by: Eric Paris <>
13 years agoALSA: ice1724 - Fix ESI Maya44 capture source control
Takashi Iwai [Wed, 12 May 2010 14:43:32 +0000 (16:43 +0200)]
ALSA: ice1724 - Fix ESI Maya44 capture source control

The capture source control of maya44 was wrongly coded with the bit
shift instead of the bit mask.  Also, the slot for line-in was
wrongly assigned (slot 5 instead of 4).

Reported-by: Alex Chernyshoff <>
Cc: <>
Signed-off-by: Takashi Iwai <>
13 years agoARM: 6126/1: ARM mpcore_wdt: fix build failure and other fixes
Srinidhi Kasagar [Wed, 12 May 2010 04:53:26 +0000 (05:53 +0100)]
ARM: 6126/1: ARM mpcore_wdt: fix build failure and other fixes

This fixes the build failures seen when building mpcore_wdt and it
also removes the nonexistent ARM_MPCORE_PLATFORM dependency, instead
make it dependent on HAVE_ARM_TWD.

Also this fixes spinlock usage appropriately.

Signed-off-by: srinidhi kasagar <>
Acked-by: Linus Walleij <>
Signed-off-by: Russell King <>
13 years agoARM: 6125/1: ARM TWD: move TWD registers to common header
Srinidhi Kasagar [Wed, 12 May 2010 04:52:18 +0000 (05:52 +0100)]
ARM: 6125/1: ARM TWD: move TWD registers to common header

This moves the TWD register set of MPcore to a common
existing file so that watchdog driver can access it

Signed-off-by: srinidhi kasagar <>
Acked-by: Linus Walleij <>
Signed-off-by: Russell King <>
13 years agoALSA: pcm - Use pgprot_noncached() for MIPS non-coherent archs
Takashi Iwai [Wed, 12 May 2010 08:32:42 +0000 (10:32 +0200)]
ALSA: pcm - Use pgprot_noncached() for MIPS non-coherent archs

MIPS non-coherent archs need the noncached pgprot in mmap of PCM buffers.
But, since the coherency needs to be checked dynamically via
plat_device_is_coherent(), we need an ugly check dependent on MIPS
in ALSA core code.

This should be cleaned up in MIPS arch side (e.g. creating
dma_mmap_coherent()) in near future.

Tested-by: Wu Zhangjin <>
Signed-off-by: Takashi Iwai <>
13 years agoALSA: virtuoso: fix Xonar D1/DX front panel microphone
Clemens Ladisch [Tue, 11 May 2010 14:34:39 +0000 (16:34 +0200)]
ALSA: virtuoso: fix Xonar D1/DX front panel microphone

Commit 65c3ac885ce9852852b895a4a62212f62cb5f2e9 in 2.6.33 accidentally
left out the initialization of the AC97 codec FMIC2MIC bit, which broke
recording from the front panel microphone.

Signed-off-by: Clemens Ladisch <>
Cc: <>
Signed-off-by: Jaroslav Kysela <>
Signed-off-by: Takashi Iwai <>
13 years agoALSA: hda - Add hp-dv4 model for IDT 92HD71bx
Takashi Iwai [Wed, 12 May 2010 08:16:20 +0000 (10:16 +0200)]
ALSA: hda - Add hp-dv4 model for IDT 92HD71bx

It turned out that HP dv series have inconsistent the mute-LED GPIO
mapping among various models.  dv4/7 seem to use GPIO 0 while dv 5/6
seem to use GPIO 3.  The previous commit
  ALSA: hda - Fix mute-LED GPIO pin for HP dv series
breaks dv5/6.

This patch adds the new quirk model, hp-dv4, to handle HP dv4/7
separately from HP dv5/6.

Tested-by: Kunal Gangakhedkar <> (for dv6-1110ax)
Acked-by: Kunal Gangakhedkar <>
Signed-off-by: Takashi Iwai <>
13 years ago[S390] correct address of _stext with CONFIG_SHARED_KERNEL=y
Martin Schwidefsky [Wed, 12 May 2010 07:32:13 +0000 (09:32 +0200)]
[S390] correct address of _stext with CONFIG_SHARED_KERNEL=y

As of git commit 1844c9bc0b2fed3023551c1affe033ab38e90b9a head64.S/head31.S
are not included in head.S anymore but build as an extra object. This breaks
shared kernel support because the .org statement in head64.S/head31.S for
CONFIG_SHARED_KERNEL=y will have a different effect. The end address of the
head.text section in head.o will be added to the .org value, to compensate
for this subtract 0x11000 to get the required value of 0x100000 again.

Signed-off-by: Martin Schwidefsky <>
13 years ago[S390] ptrace: fix return value of do_syscall_trace_enter()
Gerald Schaefer [Wed, 12 May 2010 07:32:12 +0000 (09:32 +0200)]
[S390] ptrace: fix return value of do_syscall_trace_enter()

strace may change the system call number, so regs->gprs[2] must not
be read before tracehook_report_syscall_entry(). This fixes a bug
where "strace -f" will hang after a vfork().

Cc: <>
Signed-off-by: Gerald Schaefer <>
Signed-off-by: Martin Schwidefsky <>
13 years ago[S390] dasd: fix race between tasklet and dasd_sleep_on
Stefan Weinhuber [Wed, 12 May 2010 07:32:11 +0000 (09:32 +0200)]
[S390] dasd: fix race between tasklet and dasd_sleep_on

The various dasd_sleep_on functions use a global wait queue when
waiting for a cqr. The wait condition checks the status and devlist
fields of the cqr to determine if it is safe to continue. This
evaluation may return true, although the tasklet has not finished
processing of the cqr and the callback function has not been called
yet. When the callback is finally called, the data in the cqr may
already be invalid. The sleep_on wait condition needs a safe way to
determine if the tasklet has finished processing. Use the
callback_data field of the cqr to store a token, which is set by
the callback function itself.

Cc: <>
Signed-off-by: Stefan Weinhuber <>
Signed-off-by: Heiko Carstens <>
Signed-off-by: Martin Schwidefsky <>
13 years agopowerpc/perf_event: Fix oops due to perf_event_do_pending call
Paul Mackerras [Tue, 13 Apr 2010 20:46:04 +0000 (20:46 +0000)]
powerpc/perf_event: Fix oops due to perf_event_do_pending call

Anton Blanchard found that large POWER systems would occasionally
crash in the exception exit path when profiling with perf_events.
The symptom was that an interrupt would occur late in the exit path
when the MSR[RI] (recoverable interrupt) bit was clear.  Interrupts
should be hard-disabled at this point but they were enabled.  Because
the interrupt was not recoverable the system panicked.

The reason is that the exception exit path was calling
perf_event_do_pending after hard-disabling interrupts, and
perf_event_do_pending will re-enable interrupts.

The simplest and cleanest fix for this is to use the same mechanism
that 32-bit powerpc does, namely to cause a self-IPI by setting the
decrementer to 1.  This means we can remove the tests in the exception
exit path and raw_local_irq_restore.

This also makes sure that the call to perf_event_do_pending from
timer_interrupt() happens within irq_enter/irq_exit.  (Note that
calling perf_event_do_pending from timer_interrupt does not mean that
there is a possible 1/HZ latency; setting the decrementer to 1 ensures
that the timer interrupt will happen immediately, i.e. within one
timebase tick, which is a few nanoseconds or 10s of nanoseconds.)

Signed-off-by: Paul Mackerras <>
Signed-off-by: Benjamin Herrenschmidt <>
13 years agoceph: preserve seq # on requeued messages after transient transport errors
Sage Weil [Wed, 12 May 2010 04:20:38 +0000 (21:20 -0700)]
ceph: preserve seq # on requeued messages after transient transport errors

If the tcp connection drops and we reconnect to reestablish a stateful
session (with the mds), we need to resend previously sent (and possibly
received) messages with the _same_ seq # so that they can be dropped on
the other end if needed.  Only assign a new seq once after the message is

Signed-off-by: Sage Weil <>
13 years agoceph: fix cap removal races
Sage Weil [Wed, 12 May 2010 03:56:31 +0000 (20:56 -0700)]
ceph: fix cap removal races

The iterate_session_caps helper traverses the session caps list and tries
to grab an inode reference.  However, the __ceph_remove_cap was clearing
the inode backpointer _before_ removing itself from the session list,
causing a null pointer dereference.

Clear cap->ci under protection of s_cap_lock to avoid the race, and to
tightly couple the list and backpointer state.  Use a local flag to
indicate whether we are releasing the cap, as cap->session may be modified
by a racing thread in iterate_session_caps.

Signed-off-by: Sage Weil <>
13 years agoMerge branch 'hwmon-for-linus' of git://
Linus Torvalds [Wed, 12 May 2010 00:38:04 +0000 (17:38 -0700)]
Merge branch 'hwmon-for-linus' of git://git./linux/kernel/git/jdelvare/staging

* 'hwmon-for-linus' of git://
  hwmon: (applesmc) Correct sysfs fan error handling
  hwmon: (asc7621) Bug fixes

13 years agoMerge branch 'perf-fixes-for-linus' of git://
Linus Torvalds [Wed, 12 May 2010 00:37:24 +0000 (17:37 -0700)]
Merge branch 'perf-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'perf-fixes-for-linus' of git://
  kprobes/x86: Fix removed int3 checking order
  perf: Fix static strings treated like dynamic ones

13 years agodrivers/gpu/drm/i915/i915_irq.c:i915_error_object_create(): use correct kmap-atomic...
Andrew Morton [Tue, 11 May 2010 21:07:05 +0000 (14:07 -0700)]
drivers/gpu/drm/i915/i915_irq.c:i915_error_object_create(): use correct kmap-atomic slot

i915_error_object_create() is called from the timer interrupt and hence
can corrupt the KM_USER0 slot.  Use KM_IRQ0 instead.

Reported-by: Jaswinder Singh Rajput <>
Tested-by: Jaswinder Singh Rajput <>
Acked-by: Chris Wilson <>
Cc: Dave Airlie <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agohp_accel: fix race in device removal
Oliver Neukum [Tue, 11 May 2010 21:07:03 +0000 (14:07 -0700)]
hp_accel: fix race in device removal

The work queue has to be flushed after the device has been made
inaccessible.  The patch closes a window during which a work queue might
remain active after the device is removed and would then lead to ACPI
calls with undefined behavior.

Signed-off-by: Oliver Neukum <>
Acked-by: Eric Piel <>
Acked-by: Pavel Machek <>
Cc: Pavel Herrmann <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agomqueue: fix kernel BUG caused by double free() on mq_open()
André Goddard Rosa [Tue, 11 May 2010 21:07:03 +0000 (14:07 -0700)]
mqueue: fix kernel BUG caused by double free() on mq_open()

In case of aborting because we reach the maximum amount of memory which
can be allocated to message queues per user (RLIMIT_MSGQUEUE), we would
try to free the message area twice when bailing out: first by the error
handling code itself, and then later when cleaning up the inode through

Signed-off-by: André Goddard Rosa <>
Cc: Alexey Dobriyan <>
Cc: Al Viro <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agofbdev: bfin-t350mcqb-fb: fix fbmem allocation with blanking lines
Michael Hennerich [Tue, 11 May 2010 21:07:00 +0000 (14:07 -0700)]
fbdev: bfin-t350mcqb-fb: fix fbmem allocation with blanking lines

The current allocation does not include the memory required for blanking
lines.  So avoid memory corruption when multiple devices are using the DMA
memory near each other.

Signed-off-by: Michael Hennerich <>
Signed-off-by: Mike Frysinger <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agomemcg: fix css_is_ancestor() RCU locking
KAMEZAWA Hiroyuki [Tue, 11 May 2010 21:06:59 +0000 (14:06 -0700)]
memcg: fix css_is_ancestor() RCU locking

Some callers (in memcontrol.c) calls css_is_ancestor() without
rcu_read_lock.  Because css_is_ancestor() has to access RCU protected
data, it should be under rcu_read_lock().

This makes css_is_ancestor() itself does safe access to RCU protected
area.  (At least, "root" can have refcnt==0 if it's not an ancestor of
"child".  So, we need rcu_read_lock().)

Signed-off-by: KAMEZAWA Hiroyuki <>
Cc: "Paul E. McKenney" <>
Cc: Daisuke Nishimura <>
Cc: Balbir Singh <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agomemcg: fix css_id() RCU locking for real
KAMEZAWA Hiroyuki [Tue, 11 May 2010 21:06:58 +0000 (14:06 -0700)]
memcg: fix css_id() RCU locking for real

Commit ad4ba375373937817404fd92239ef4cadbded23b ("memcg: css_id() must be
called under rcu_read_lock()") modifies memcontol.c for fixing RCU check
message.  But Andrew Morton pointed out that the fix doesn't seems sane
and it was just for hidining lockdep messages.

This is a patch for do proper things.  Checking again, all places,
accessing without rcu_read_lock, that commit fixies was intentional....
all callers of css_id() has reference count on it.  So, it's not necessary
to be under rcu_read_lock().

Considering again, we can use rcu_dereference_check for css_id().  We know
css->id is valid if css->refcnt > 0.  (css->id never changes and freed
after css->refcnt going to be 0.)

This patch makes use of rcu_dereference_check() in css_id/depth and remove
unnecessary rcu-read-lock added by the commit.

Signed-off-by: KAMEZAWA Hiroyuki <>
Cc: "Paul E. McKenney" <>
Cc: Daisuke Nishimura <>
Cc: Balbir Singh <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agobsdacct: use del_timer_sync() in acct_exit_ns()
Vitaliy Gusev [Tue, 11 May 2010 21:06:56 +0000 (14:06 -0700)]
bsdacct: use del_timer_sync() in acct_exit_ns()

acct_exit_ns --> acct_file_reopen deletes timer without check timer
execution on other CPUs.  So acct_timeout() can change an unmapped memory.

Signed-off-by: Vitaliy Gusev <>
Cc: Pavel Emelyanov <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agormap: remove anon_vma check in page_address_in_vma()
Naoya Horiguchi [Tue, 11 May 2010 21:06:55 +0000 (14:06 -0700)]
rmap: remove anon_vma check in page_address_in_vma()

Currently page_address_in_vma() compares vma->anon_vma and
page_anon_vma(page) for parameter check, but in 2.6.34 a vma can have
multiple anon_vmas with anon_vma_chain, so current check does not work.
(For anonymous page shared by multiple processes, some verified (page,vma)
pairs return -EFAULT wrongly.)

We can go to checking all anon_vmas in the "same_vma" chain, but it needs
to meet lock requirement.  Instead, we can remove anon_vma check safely
because page_address_in_vma() assumes that page and vma are already
checked to belong to the identical process.

Signed-off-by: Naoya Horiguchi <>
Reviewed-by: Rik van Riel <>
Cc: Andi Kleen <>
Cc: Andrea Arcangeli <>
Cc: Mel Gorman <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agohugetlbfs: kill applications that use MAP_NORESERVE with SIGBUS instead of OOM-killer
Mel Gorman [Tue, 11 May 2010 21:06:53 +0000 (14:06 -0700)]
hugetlbfs: kill applications that use MAP_NORESERVE with SIGBUS instead of OOM-killer

Ordinarily, application using hugetlbfs will create mappings with
reserves.  For shared mappings, these pages are reserved before mmap()
returns success and for private mappings, the caller process is guaranteed
and a child process that cannot get the pages gets killed with sigbus.

An application that uses MAP_NORESERVE gets no reservations and mmap()
will always succeed at the risk the page will not be available at fault
time.  This might be used for example on very large sparse mappings where
the developer is confident the necessary huge pages exist to satisfy all
faults even though the whole mapping cannot be backed by huge pages.
Unfortunately, if an allocation does fail, VM_FAULT_OOM is returned to the
fault handler which proceeds to trigger the OOM-killer.  This is

Even without hugetlbfs mounted, a user using mmap() can trivially trigger
the OOM-killer because VM_FAULT_OOM is returned (will provide example
program if desired - it's a whopping 24 lines long).  It could be
considered a DOS available to an unprivileged user.

This patch alters hugetlbfs to kill a process that uses MAP_NORESERVE
where huge pages were not available with SIGBUS instead of triggering the
OOM killer.

This change affects hugetlb_cow() as well.  I feel there is a failure case
in there, but I didn't create one.  It would need a fairly specific target
in terms of the faulting application and the hugepage pool size.  The
hugetlb_no_page() path is much easier to hit but both might as well be

Signed-off-by: Mel Gorman <>
Cc: Lee Schermerhorn <>
Cc: David Rientjes <>
Cc: Andi Kleen <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agokexec: fix OOPS in crash_kernel_shrink
Vitaly Mayatskikh [Tue, 11 May 2010 21:06:51 +0000 (14:06 -0700)]
kexec: fix OOPS in crash_kernel_shrink

Two "echo 0 > /sys/kernel/kexec_crash_size" OOPSes kernel.  Also content
of this file is invalid after first shrink to zero: it shows 1 instead of

This scenario is unlikely to happen often (root privs, valid crashkernel=
in cmdline, dump-capture kernel not loaded), I hit it only by chance.

This patch fixes it.

Signed-off-by: Vitaly Mayatskikh <>
Cc: Cong Wang <>
Cc: Neil Horman <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agommc: atmel-mci: fix in debugfs: response value printing
Nicolas Ferre [Tue, 11 May 2010 21:06:50 +0000 (14:06 -0700)]
mmc: atmel-mci: fix in debugfs: response value printing

In debugfs, printing of command response reports resp[2] twice: fix it to

Signed-off-by: Nicolas Ferre <>
Haavard Skinnemoen <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agommc: atmel-mci: remove data error interrupt after xfer
Nicolas Ferre [Tue, 11 May 2010 21:06:50 +0000 (14:06 -0700)]
mmc: atmel-mci: remove data error interrupt after xfer

Disable data error interrupts while we are actually recording that there
is not such errors.  This will prevent, in some cases, the warning message
printed at new request queuing (in atmci_start_request()).

Signed-off-by: Nicolas Ferre <>
Cc: Haavard Skinnemoen <>
Cc: <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agommc: atmel-mci: prevent kernel oops while removing card
Nicolas Ferre [Tue, 11 May 2010 21:06:49 +0000 (14:06 -0700)]
mmc: atmel-mci: prevent kernel oops while removing card

The removing of an SD card in certain circumstances can lead to a kernel
oops if we do not make sure that the "data" field of the host structure is
valid.  This patch adds a test in atmci_dma_cleanup() function and also
calls atmci_stop_dma() before throwing away the reference to data.

Signed-off-by: Nicolas Ferre <>
Cc: Haavard Skinnemoen <>
Cc: <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agommc: atmel-mci: fix two parameters swapped
Nicolas Ferre [Tue, 11 May 2010 21:06:48 +0000 (14:06 -0700)]
mmc: atmel-mci: fix two parameters swapped

Two parameters were swapped in the calls to atmci_init_slot().

Signed-off-by: Nicolas Ferre <>
Reported-by: Anders Grahn <>
Cc: Haavard Skinnemoen <>
Cc: <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agorevert "procfs: provide stack information for threads" and its fixup commits
Robin Holt [Tue, 11 May 2010 21:06:46 +0000 (14:06 -0700)]
revert "procfs: provide stack information for threads" and its fixup commits

Originally, commit d899bf7b ("procfs: provide stack information for
threads") attempted to introduce a new feature for showing where the
threadstack was located and how many pages are being utilized by the

Commit c44972f1 ("procfs: disable per-task stack usage on NOMMU") was
applied to fix the NO_MMU case.

Commit 89240ba0 ("x86, fs: Fix x86 procfs stack information for threads on
64-bit") was applied to fix a bug in ia32 executables being loaded.

Commit 9ebd4eba7 ("procfs: fix /proc/<pid>/stat stack pointer for kernel
threads") was applied to fix a bug which had kernel threads printing a
userland stack address.

Commit 1306d603f ('proc: partially revert "procfs: provide stack
information for threads"') was then applied to revert the stack pages
being used to solve a significant performance regression.

This patch nearly undoes the effect of all these patches.

The reason for reverting these is it provides an unusable value in
field 28.  For x86_64, a fork will result in the task->stack_start
value being updated to the current user top of stack and not the stack
start address.  This unpredictability of the stack_start value makes
it worthless.  That includes the intended use of showing how much stack
space a thread has.

Other architectures will get different values.  As an example, ia64
gets 0.  The do_fork() and copy_process() functions appear to treat the
stack_start and stack_size parameters as architecture specific.

I only partially reverted c44972f1 ("procfs: disable per-task stack usage
on NOMMU") .  If I had completely reverted it, I would have had to change
mm/Makefile only build pagewalk.o when CONFIG_PROC_PAGE_MONITOR is
configured.  Since I could not test the builds without significant effort,
I decided to not change mm/Makefile.

I only partially reverted 89240ba0 ("x86, fs: Fix x86 procfs stack
information for threads on 64-bit") .  I left the KSTK_ESP() change in
place as that seemed worthwhile.

Signed-off-by: Robin Holt <>
Cc: Stefani Seibold <>
Cc: KOSAKI Motohiro <>
Cc: Michal Simek <>
Cc: Ingo Molnar <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoit8761e_gpio: fix bug in gpio numbering
Denis Turischev [Tue, 11 May 2010 21:06:44 +0000 (14:06 -0700)]
it8761e_gpio: fix bug in gpio numbering

The SIO chip contains 16 possible gpio lines, not 14.  The schematic was
not read carefully.

Signed-off-by: Denis Turischev <>
Cc: David Brownell <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agodma-mapping: fix dma_sync_single_range_*
FUJITA Tomonori [Tue, 11 May 2010 21:06:43 +0000 (14:06 -0700)]
dma-mapping: fix dma_sync_single_range_*

dma_sync_single_range_for_cpu() and dma_sync_single_range_for_device() use
a wrong address with a partial synchronization.

Signed-off-by: FUJITA Tomonori <>
Reviewed-by: Konrad Rzeszutek Wilk <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoceph: zero unused message header, footer fields
Sage Weil [Tue, 11 May 2010 22:01:51 +0000 (15:01 -0700)]
ceph: zero unused message header, footer fields

We shouldn't leak any prior memory contents to other parties.  And random
data, particularly in the 'version' field, can cause problems down the

Signed-off-by: Sage Weil <>
13 years agocifs: guard against hardlinking directories
Jeff Layton [Tue, 11 May 2010 18:59:55 +0000 (14:59 -0400)]
cifs: guard against hardlinking directories

When we made serverino the default, we trusted that the field sent by the
server in the "uniqueid" field was actually unique. It turns out that it
isn't reliably so.

Samba, in particular, will just put the st_ino in the uniqueid field when
unix extensions are enabled. When a share spans multiple filesystems, it's
quite possible that there will be collisions. This is a server bug, but
when the inodes in question are a directory (as is often the case) and
there is a collision with the root inode of the mount, the result is a
kernel panic on umount.

Fix this by checking explicitly for directory inodes with the same
uniqueid. If that is the case, then we can assume that using server inode
numbers will be a problem and that they should be disabled.

Fixes Samba bugzilla 7407

Signed-off-by: Jeff Layton <>
CC: Stable <>
Reviewed-and-Tested-by: Suresh Jayaraman <>
Signed-off-by: Steve French <>
13 years agoMerge branch 'drm-linus' of git://
Linus Torvalds [Tue, 11 May 2010 17:12:18 +0000 (10:12 -0700)]
Merge branch 'drm-linus' of git://git./linux/kernel/git/airlied/drm-2.6

* 'drm-linus' of git://
  drm/radeon: Fix 3 regressions - since buffer rework

13 years agoMerge git://
Linus Torvalds [Tue, 11 May 2010 17:11:40 +0000 (10:11 -0700)]
Merge git://git./linux/kernel/git/davem/net-2.6

* git://
  net: Fix FDDI and TR config checks in ipv4 arp and LLC.
  IPv4: unresolved multicast route cleanup
  mac80211: remove association work when processing deauth request
  ar9170: wait for asynchronous firmware loading
  ipv4: udp: fix short packet and bad checksum logging
  phy: Fix initialization in micrel driver.
  sctp: Fix a race between ICMP protocol unreachable and connect()
  veth: Dont kfree_skb() after dev_forward_skb()
  IPv6: fix IPV6_RECVERR handling of locally-generated errors
  net/gianfar: drop recycled skbs on MTU change
  iwlwifi: work around passive scan issue

13 years agoCacheFiles: Fix occasional EIO on call to vfs_unlink()
David Howells [Tue, 11 May 2010 15:51:39 +0000 (16:51 +0100)]
CacheFiles: Fix occasional EIO on call to vfs_unlink()

Fix an occasional EIO returned by a call to vfs_unlink():

[ 4868.465413] CacheFiles: I/O Error: Unlink failed
[ 4868.465444] FS-Cache: Cache cachefiles stopped due to I/O error
[ 4947.320011] CacheFiles: File cache on md3 unregistering
[ 4947.320041] FS-Cache: Withdrawing cache "mycache"
[ 5127.348683] FS-Cache: Cache "mycache" added (type cachefiles)
[ 5127.348716] CacheFiles: File cache on md3 registered
[ 7076.871081] CacheFiles: I/O Error: Unlink failed
[ 7076.871130] FS-Cache: Cache cachefiles stopped due to I/O error
[ 7116.780891] CacheFiles: File cache on md3 unregistering
[ 7116.780937] FS-Cache: Withdrawing cache "mycache"
[ 7296.813394] FS-Cache: Cache "mycache" added (type cachefiles)
[ 7296.813432] CacheFiles: File cache on md3 registered

What happens is this:

 (1) A cached NFS file is seen to have become out of date, so NFS retires the
     object and immediately acquires a new object with the same key.

 (2) Retirement of the old object is done asynchronously - so the lookup/create
     to generate the new object may be done first.

     This can be a problem as the old object and the new object must exist at
     the same point in the backing filesystem (i.e. they must have the same

 (3) The lookup for the new object sees that a backing file already exists,
     checks to see whether it is valid and sees that it isn't.  It then deletes
     that file and creates a new one on disk.

 (4) The retirement phase for the old file is then performed.  It tries to
     delete the dentry it has, but ext4_unlink() returns -EIO because the inode
     attached to that dentry no longer matches the inode number associated with
     the filename in the parent directory.

The trace below shows this quite well.

[md5sum] ==> __fscache_relinquish_cookie(ffff88002d12fb58{NFS.fh,ffff88002ce62100},1)
[md5sum] ==> __fscache_acquire_cookie({NFS.server},{NFS.fh},ffff88002ce62100)

NFS has retired the old cookie and asked for a new one.

[kslowd] ==> fscache_object_state_machine({OBJ52,OBJECT_ACTIVE,24})
[kslowd] <== fscache_object_state_machine() [->OBJECT_DYING]
[kslowd] ==> fscache_object_state_machine({OBJ53,OBJECT_INIT,0})
[kslowd] <== fscache_object_state_machine() [->OBJECT_LOOKING_UP]
[kslowd] ==> fscache_object_state_machine({OBJ52,OBJECT_DYING,24})
[kslowd] <== fscache_object_state_machine() [->OBJECT_RECYCLING]

The old object (OBJ52) is going through the terminal states to get rid of it,
whilst the new object - (OBJ53) - is coming into being.

[kslowd] ==> fscache_object_state_machine({OBJ53,OBJECT_LOOKING_UP,0})
[kslowd] ==> cachefiles_walk_to_object({ffff88003029d8b8},OBJ53,@68,)
[kslowd] lookup '@68'
[kslowd] next -> ffff88002ce41bd0 positive
[kslowd] advance
[kslowd] lookup 'Es0g00og0_Nd_XCYe3BOzvXrsBLMlN6aw16M1htaA'
[kslowd] next -> ffff8800369faac8 positive

The new object has looked up the subdir in which the file would be in (getting
dentry ffff88002ce41bd0) and then looked up the file itself (getting dentry

[kslowd] validate 'Es0g00og0_Nd_XCYe3BOzvXrsBLMlN6aw16M1htaA'
[kslowd] ==> cachefiles_bury_object(,'@68','Es0g00og0_Nd_XCYe3BOzvXrsBLMlN6aw16M1htaA')
[kslowd] remove ffff8800369faac8 from ffff88002ce41bd0
[kslowd] unlink stale object
[kslowd] <== cachefiles_bury_object() = 0

It then checks the file's xattrs to see if it's valid.  NFS says that the
auxiliary data indicate the file is out of date (obvious to us - that's why NFS
ditched the old version and got a new one).  CacheFiles then deletes the old
file (dentry ffff8800369faac8).

[kslowd] redo lookup
[kslowd] lookup 'Es0g00og0_Nd_XCYe3BOzvXrsBLMlN6aw16M1htaA'
[kslowd] next -> ffff88002cd94288 negative
[kslowd] create -> ffff88002cd94288{ffff88002cdaf238{ino=148247}}

CacheFiles then redoes the lookup and gets a negative result in a new dentry
(ffff88002cd94288) which it then creates a file for.

[kslowd] ==> cachefiles_mark_object_active(,OBJ53)
[kslowd] <== cachefiles_mark_object_active() = 0
[kslowd] === OBTAINED_OBJECT ===
[kslowd] <== cachefiles_walk_to_object() = 0 [148247]
[kslowd] <== fscache_object_state_machine() [->OBJECT_AVAILABLE]

The new object is then marked active and the state machine moves to the
available state - at which point NFS can start filling the object.

[kslowd] ==> fscache_object_state_machine({OBJ52,OBJECT_RECYCLING,20})
[kslowd] ==> fscache_release_object()
[kslowd] ==> cachefiles_drop_object({OBJ52,2})
[kslowd] ==> cachefiles_delete_object(,OBJ52{ffff8800369faac8})

The old object, meanwhile, goes on with being retired.  If allocation occurs
first, cachefiles_delete_object() has to wait for dir->d_inode->i_mutex to
become available before it can continue.

[kslowd] ==> cachefiles_bury_object(,'@68','Es0g00og0_Nd_XCYe3BOzvXrsBLMlN6aw16M1htaA')
[kslowd] remove ffff8800369faac8 from ffff88002ce41bd0
[kslowd] unlink stale object
EXT4-fs warning (device sda6): ext4_unlink: Inode number mismatch in unlink (148247!=148193)
CacheFiles: I/O Error: Unlink failed
FS-Cache: Cache cachefiles stopped due to I/O error

CacheFiles then tries to delete the file for the old object, but the dentry it
has (ffff8800369faac8) no longer points to a valid inode for that directory
entry, and so ext4_unlink() returns -EIO when de->inode does not match i_ino.

[kslowd] <== cachefiles_bury_object() = -5
[kslowd] <== cachefiles_delete_object() = -5
[kslowd] <== fscache_object_state_machine() [->OBJECT_DEAD]
[kslowd] ==> fscache_object_state_machine({OBJ53,OBJECT_AVAILABLE,0})
[kslowd] <== fscache_object_state_machine() [->OBJECT_ACTIVE]

(Note that the above trace includes extra information beyond that produced by
the upstream code).

The fix is to note when an object that is being retired has had its object
deleted preemptively by a replacement object that is being created, and to
skip the second removal attempt in such a case.

Reported-by: Greg M <>
Reported-by: Mark Moseley <>
Reported-by: Romain DEGEZ <>
Signed-off-by: David Howells <>
Signed-off-by: Linus Torvalds <>
13 years agoACPI: sleep: eliminate duplicate entries in acpisleep_dmi_table[]
Alex Chiang [Tue, 11 May 2010 16:21:38 +0000 (10:21 -0600)]
ACPI: sleep: eliminate duplicate entries in acpisleep_dmi_table[]

Duplicate entries ended up acpisleep_dmi_table[] by accident.
They don't hurt functionality, but they are ugly, so let's get
rid of them.

Signed-off-by: Alex Chiang <>
Signed-off-by: Linus Torvalds <>