13 years agoMerge commit 'v2.6.28-rc8' into x86/doc
Ingo Molnar [Tue, 16 Dec 2008 21:04:48 +0000 (22:04 +0100)]
Merge commit 'v2.6.28-rc8' into x86/doc

13 years agoLinux 2.6.28-rc8 v2.6.28-rc8
Linus Torvalds [Wed, 10 Dec 2008 23:11:51 +0000 (15:11 -0800)]
Linux 2.6.28-rc8

13 years agoMerge branch 'sched-fixes-for-linus' of git://
Linus Torvalds [Wed, 10 Dec 2008 22:41:06 +0000 (14:41 -0800)]
Merge branch 'sched-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'sched-fixes-for-linus' of git://
  sched: CPU remove deadlock fix

13 years agofix mapping_writably_mapped()
Hugh Dickins [Wed, 10 Dec 2008 20:48:52 +0000 (20:48 +0000)]
fix mapping_writably_mapped()

Lee Schermerhorn noticed yesterday that I broke the mapping_writably_mapped
test in 2.6.7!  Bad bad bug, good good find.

The i_mmap_writable count must be incremented for VM_SHARED (just as
i_writecount is for VM_DENYWRITE, but while holding the i_mmap_lock)
when dup_mmap() copies the vma for fork: it has its own more optimal
version of __vma_link_file(), and I missed this out.  So the count
was later going down to 0 (dangerous) when one end unmapped, then
wrapping negative (inefficient) when the other end unmapped.

The only impact on x86 would have been that setting a mandatory lock on
a file which has at some time been opened O_RDWR and mapped MAP_SHARED
(but not necessarily PROT_WRITE) across a fork, might fail with -EAGAIN
when it should succeed, or succeed when it should fail.

But those architectures which rely on flush_dcache_page() to flush
userspace modifications back into the page before the kernel reads it,
may in some cases have skipped the flush after such a fork - though any
repetitive test will soon wrap the count negative, in which case it will
flush_dcache_page() unnecessarily.

Fix would be a two-liner, but mapping variable added, and comment moved.

Reported-by: Lee Schermerhorn <>
Signed-off-by: Hugh Dickins <>
Signed-off-by: Linus Torvalds <>
13 years agoMerge branch 'to-linus' of git://
Linus Torvalds [Wed, 10 Dec 2008 22:40:21 +0000 (14:40 -0800)]
Merge branch 'to-linus' of git://git./linux/kernel/git/frob/linux-2.6-roland

* 'to-linus' of git://
  tracehook: exec double-reporting fix

13 years agolib/idr.c: Fix bug introduced by RCU fix
Manfred Spraul [Wed, 10 Dec 2008 17:17:06 +0000 (18:17 +0100)]
lib/idr.c: Fix bug introduced by RCU fix

The last patch to lib/idr.c caused a bug if idr_get_new_above() was
called on an empty idr.

Usually, nodes stay on the same layer.  New layers are added to the top
of the tree.

The exception is idr_get_new_above() on an empty tree: In this case, the
new root node is first added on layer 0, then moved upwards.  p->layer
was not updated.

As usual: You shall never rely on the source code comments, they will
only mislead you.

Signed-off-by: Manfred Spraul <>
Signed-off-by: Linus Torvalds <>
13 years agoMN10300: Give correct size when reserving interrupt vector table
Akira Takeuchi [Wed, 10 Dec 2008 12:43:39 +0000 (12:43 +0000)]
MN10300: Give correct size when reserving interrupt vector table

Give the correct size when reserving the interrupt vector table.  It should be
a page not a single byte.

Signed-off-by: Akira Takeuchi <>
Signed-off-by: David Howells <>
Signed-off-by: Linus Torvalds <>
13 years agoMN10300: Fix __put_user_asm8()
Akira Takeuchi [Wed, 10 Dec 2008 12:43:34 +0000 (12:43 +0000)]
MN10300: Fix __put_user_asm8()

Fix __put_user_asm8() by jumping to the end label (3:) from the exception
handler, rather than jumping back to retry the second store instruction (label

Signed-off-by: Akira Takeuchi <>
Signed-off-by: David Howells <>
Signed-off-by: Linus Torvalds <>
13 years agoMN10300: Fix the preemption resume_kernel() routine
Akira Takeuchi [Wed, 10 Dec 2008 12:43:29 +0000 (12:43 +0000)]
MN10300: Fix the preemption resume_kernel() routine

Fix the preemption resume_kernel() routine by inverting the test to see
whether interrupts are off (IM7 is all enabled, not all disabled).

Furthermore, interrupts should be disabled on entry to resume_kernel() so that
they're correctly set for jumping to restore_all() and doing the need
reschedule test.

Signed-off-by: Akira Takeuchi <>
Signed-off-by: David Howells <>
Signed-off-by: Linus Torvalds <>
13 years agoMN10300: Discard low-priority Tx interrupts when closing an on-chip serial port
Akira Takeuchi [Wed, 10 Dec 2008 12:43:24 +0000 (12:43 +0000)]
MN10300: Discard low-priority Tx interrupts when closing an on-chip serial port

Discard low-prioriy Tx interrupts when closing an MN10300 on-chip serial port.

The MN10300 on-chip serial port uses three interrupts to manage its serial

 (1) A very high priority interrupt that drives virtual DMA for Rx.

 (2) A very high priority interrupt that drives virtual DMA for Tx.

 (3) A normal priority virtual interrupt that does the normal UART interrupt
     stuff and is shared between Rx and Tx.

mn10300_serial_stop_tx() only disables the high priority Tx interrupt.  It
doesn't also disable the normal priority one because it is shared with Rx.

However, the high priority interrupt may interrupt local_irq_disabled()
sections, and so may have queued up a low priority virtual interrupt whilst the
UART driver is asking for the Tx interrupt to be disabled.

The result of this can be an oops when we try to process the interrupt in
mn10300_serial_transmit_interrupt() as port-> and port->>tty
may have gone away.

To deal with this, if either of those pointers is NULL, we make sure the
high-priority Tx interrupt is disabled and discard the interrupt.  The low
priority interrupt is disabled by the mn10300_serial_pic irq_chip table.

Signed-off-by: Akira Takeuchi <>
Signed-off-by: David Howells <>
Signed-off-by: Linus Torvalds <>
13 years agoMN10300: cleanup - use PAGE_SIZE, PERCPU macros
Cyrill Gorcunov [Wed, 10 Dec 2008 12:43:19 +0000 (12:43 +0000)]
MN10300: cleanup - use PAGE_SIZE, PERCPU macros

Include the linux/page.h header into the MN10300 kernel linker script thus
allowing us to use PAGE_SIZE macro instead of a numeric constant.

Also use the PERCPU macro instead of an explicit section definition.

Signed-off-by: Cyrill Gorcunov <>
Signed-off-by: David Howells <>
Signed-off-by: Linus Torvalds <>
13 years agoMerge git://
Linus Torvalds [Wed, 10 Dec 2008 18:13:57 +0000 (10:13 -0800)]
Merge git://git./linux/kernel/git/herbert/crypto-2.6

* git://
  crypto: api - Disallow cryptomgr as a module if algorithms are built-in

13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Wed, 10 Dec 2008 18:04:50 +0000 (10:04 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jbarnes/pci-2.6

* 'for-linus' of git://
  PCIe: ASPM: Break out of endless loop waiting for PCI config bits to switch
  PCI: stop leaking 'slot_name' in pci_create_slot

13 years agoMerge branch 'release' of git://
Linus Torvalds [Wed, 10 Dec 2008 18:04:25 +0000 (10:04 -0800)]
Merge branch 'release' of git://git./linux/kernel/git/aegl/linux-2.6

* 'release' of git://
  [IA64] SN: prevent IRQ retargetting in request_irq()
  [IA64] Fix section mismatch ioc3uart_init()/ioc3uart_submodule
  [IA64] Clear up section mismatch for ioc4_ide_attach_one.
  [IA64] Clear up section mismatch with arch_unregister_cpu()
  [IA64] Clear up section mismatch for sn_check_wars.
  [IA64] Updated the generic_defconfig to work with the 2.6.28-rc7 kernel.
  [IA64] Fix GRU compile error w/o CONFIG_HUGETLB_PAGE
  [IA64] eliminate NULL test and memset after alloc_bootmem
  [IA64] remove BUILD_BUG_ON from paravirt_getreg()

13 years agoMerge branch 'upstream' of git://
Linus Torvalds [Wed, 10 Dec 2008 18:03:55 +0000 (10:03 -0800)]
Merge branch 'upstream' of git://

* 'upstream' of git://
  MIPS: Better than nothing implementation of PCI mmap to fix X.

13 years agopktcdvd: remove broken dev_t export of class devices
Kay Sievers [Sat, 6 Dec 2008 03:38:11 +0000 (04:38 +0100)]
pktcdvd: remove broken dev_t export of class devices

The pktcdvd created class devices only export some sysfs files,
but have no char dev_t registered in the driver.

At class device creation time they copy the dev_t value of the
block device to the char device, wich will register a new char
device in the driver core and userspace, with a conflicting dev_t

In many cases the class devices dev_t just points to a random
USB device. This fixes the sysfs "duplicate entry" errors.

Signed-off-by: Kay Sievers <>
Acked-by: Peter Osterlund <>
Cc: Al Viro <>
Signed-off-by: Linus Torvalds <>
13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Wed, 10 Dec 2008 18:02:17 +0000 (10:02 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/ieee1394/linux1394-2.6

* 'for-linus' of git://
  firewire: fw-ohci: fix IOMMU resource exhaustion
  ieee1394: node manager causes up to ~3.25s delay in freezing tasks

13 years agodrivers/video/mb862xx/mb862xxfb.c: fix printk
Andrew Morton [Tue, 9 Dec 2008 21:14:31 +0000 (13:14 -0800)]
drivers/video/mb862xx/mb862xxfb.c: fix printk


drivers/video/mb862xx/mb862xxfb.c:929: warning: long long unsigned int format, resource_size_t arg (arg 4)
drivers/video/mb862xx/mb862xxfb.c:931: warning: long long unsigned int format, resource_size_t arg (arg 4)

We don't know what type the architecture uses to implement u64, hence they
cannot be printed.

Cc: Anatolij Gustschin <>
Cc: Dmitry Baryshkov <>
Cc: Anton Vorontsov <>
Cc: Matteo Fortini <>
Cc: Krzysztof Helt <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoKSYM_SYMBOL_LEN fixes
Hugh Dickins [Tue, 9 Dec 2008 21:14:27 +0000 (13:14 -0800)]

Miles Lane tailing /sys files hit a BUG which Pekka Enberg has tracked
to my 966c8c12dc9e77f931e2281ba25d2f0244b06949 sprint_symbol(): use
less stack exposing a bug in slub's list_locations() -
kallsyms_lookup() writes a 0 to namebuf[KSYM_NAME_LEN-1], but that was
beyond the end of page provided.

The 100 slop which list_locations() allows at end of page looks roughly
enough for all the other stuff it might print after the symbol before
it checks again: break out KSYM_SYMBOL_LEN earlier than before.

Latencytop and ftrace and are using KSYM_NAME_LEN buffers where they
need KSYM_SYMBOL_LEN buffers, and vmallocinfo a 2*KSYM_NAME_LEN buffer
where it wants a KSYM_SYMBOL_LEN buffer: fix those before anyone copies

[ ftrace.h needs module.h]
Signed-off-by: Hugh Dickins <>
Cc: Christoph Lameter <>
Cc Miles Lane <>
Acked-by: Pekka Enberg <>
Acked-by: Steven Rostedt <>
Acked-by: Frederic Weisbecker <>
Cc: Rusty Russell <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoinotify: fix IN_ONESHOT unmount event watcher
Dmitri Monakhov [Tue, 9 Dec 2008 21:14:26 +0000 (13:14 -0800)]
inotify: fix IN_ONESHOT unmount event watcher

On umount two event will be dispatched to watcher:

1: inotify_dev_queue_event(.., IN_UNMOUNT,..)
2: remove_watch(watch, dev)
    ->inotify_dev_queue_event(.., IN_IGNORED, ..)

But if watcher has IN_ONESHOT bit set then the watcher will be released
inside first event.  Which result in accessing invalid object later.  IMHO
it is not pure regression.  This bug wasn't triggered while initial
inotify interface testing phase because of another bug in IN_ONESHOT
handling logic :)

  commit ac74c00e499ed276a965e5b5600667d5dc04a84a
  Author: Ulisses Furquim <>
  Date:   Fri Feb 8 04:18:16 2008 -0800
    inotify: fix check for one-shot watches before destroying them
    As the IN_ONESHOT bit is never set when an event is sent we must check it
    in the watch's mask and not in the event's mask.

mkdir mnt
mount -ttmpfs none mnt
mkdir mnt/d
./inotify mnt/d&
umount mnt ## << lockup or crash here

/* gcc -oinotify inotify.c */
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>

int main(int argc, char **argv)
        char buf[1024];
        struct inotify_event *ie;
        char *p;
        int i;
        ssize_t l;

        p = argv[1];
        i = inotify_init();
        inotify_add_watch(i, p, ~0);

        l = read(i, buf, sizeof(buf));
        printf("read %d bytes\n", l);
        ie = (struct inotify_event *) buf;
        printf("event mask: %d\n", ie->mask);
return 0;

Signed-off-by: Dmitri Monakhov <>
Cc: John McCutchan <>
Cc: Al Viro <>
Cc: Robert Love <>
Cc: Ulisses Furquim <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoatomic: fix a typo in atomic_long_xchg()
Eric Dumazet [Tue, 9 Dec 2008 21:14:25 +0000 (13:14 -0800)]
atomic: fix a typo in atomic_long_xchg()

atomic_long_xchg() is not correctly defined for 32bit arches.

Signed-off-by: Eric Dumazet <>
Cc: Mathieu Desnoyers <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agomm: no get_user/put_user while holding mmap_sem in do_pages_stat?
Brice Goglin [Tue, 9 Dec 2008 21:14:23 +0000 (13:14 -0800)]
mm: no get_user/put_user while holding mmap_sem in do_pages_stat?

Since commit 2f007e74bb85b9fc4eab28524052161703300f1a, do_pages_stat()
gets the page address from user-space and puts the corresponding status
back while holding the mmap_sem for read.  There is no need to hold
mmap_sem there while some page-faults may occur.

This patch adds a temporary address and status buffer so as to only
hold mmap_sem while working on these kernel buffers.  This is
implemented by extracting do_pages_stat_array() out of do_pages_stat().

Signed-off-by: Brice Goglin <>
Cc: Christoph Lameter <>
Cc: KAMEZAWA Hiroyuki <>
Cc: Nick Piggin <>
Cc: Hugh Dickins <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agodrivers/serial/s3c2440.c: fix typo in MODULE_LICENSE
Balaji Rao [Tue, 9 Dec 2008 21:14:22 +0000 (13:14 -0800)]
drivers/serial/s3c2440.c: fix typo in MODULE_LICENSE

Signed-off-by: Balaji Rao <>
Acked-by: Ben Dooks <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agopagemap: fix 32-bit pagemap regression
Matt Mackall [Tue, 9 Dec 2008 21:14:21 +0000 (13:14 -0800)]
pagemap: fix 32-bit pagemap regression

The large pages fix from bcf8039ed45 broke 32-bit pagemap by pulling the
pagemap entry code out into a function with the wrong return type.
Pagemap entries are 64 bits on all systems and unsigned long is only 32
bits on 32-bit systems.

Signed-off-by: Matt Mackall <>
Reported-by: Doug Graham <>
Cc: Alexey Dobriyan <>
Cc: Dave Hansen <>
Cc: <> [2.6.26.x, 2.6.27.x]
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agopage_cgroup should ignore empty nodes
KAMEZAWA Hiroyuki [Tue, 9 Dec 2008 21:14:20 +0000 (13:14 -0800)]
page_cgroup should ignore empty nodes

Fix a total bootup freeze on ia64.

Signed-off-by: KAMEZAWA Hiroyuki <>
Tested-by: Li Zefan <>
Reported-by: Li Zefan <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agortc twl4030: rename ioctl function when RTC_INTF_DEV=n
Randy Dunlap [Tue, 9 Dec 2008 21:14:18 +0000 (13:14 -0800)]
rtc twl4030: rename ioctl function when RTC_INTF_DEV=n

Fix build error when RTC_INTF_DEV=n:

drivers/rtc/rtc-twl4030.c:402: error: 'twl4030_rtc_ioctl' undeclared here (not in a function)
make[3]: *** [drivers/rtc/rtc-twl4030.o] Error 1

Signed-off-by: Randy Dunlap <>
Cc: David Brownell <>
Cc: Tony Lindgren <>
Cc: Samuel Ortiz <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agofbcon: fix workqueue shutdown
Geoff Levand [Tue, 9 Dec 2008 21:14:17 +0000 (13:14 -0800)]
fbcon: fix workqueue shutdown

Add a call to cancel_work_sync() in fbcon_exit() to cancel any pending
work in the fbcon workqueue.

The current implementation of fbcon_exit() sets the fbcon workqueue
function info->queue.func to NULL, but does not assure that there is no
work pending when it does so.  On occasion, depending on system timing,
there will still be pending work in the queue when fbcon_exit() is
called.  This results in a null pointer deference when run_workqueue()
tries to call the queue's work function.

Fixes errors on shutdown similar to these:

  Console: switching to colour dummy device 80x25
  Unable to handle kernel paging request for data at address 0x00000000

Signed-off-by: Geoff Levand <>
Cc: Krzysztof Helt <>
Cc: Geert Uytterhoeven <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agomm: remove UP version of lru_add_drain_all()
KOSAKI Motohiro [Tue, 9 Dec 2008 21:14:16 +0000 (13:14 -0800)]
mm: remove UP version of lru_add_drain_all()

Currently, lru_add_drain_all() has two version.
  (1) use schedule_on_each_cpu()
  (2) don't use schedule_on_each_cpu()

Gerald Schaefer reported it doesn't work well on SMP (not NUMA) S390

  offline_pages() calls lru_add_drain_all() followed by drain_all_pages().
  While drain_all_pages() works on each cpu, lru_add_drain_all() only runs
  on the current cpu for architectures w/o CONFIG_NUMA. This let us run
  into the BUG_ON(!PageBuddy(page)) in __offline_isolated_pages() during
  memory hotplug stress test on s390. The page in question was still on the
  pcp list, because of a race with lru_add_drain_all() and drain_all_pages()
  on different cpus.

Actually, Almost machine has CONFIG_UNEVICTABLE_LRU=y. Then almost machine use
(1) version lru_add_drain_all although the machine is UP.

Then this ifdef is not valueable.
simple removing is better.

Signed-off-by: KOSAKI Motohiro <>
Cc: Christoph Lameter <>
Cc: Lee Schermerhorn <>
Acked-by: Gerald Schaefer <>
Cc: Dave Hansen <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agorevert "percpu_counter: new function percpu_counter_sum_and_set"
Andrew Morton [Tue, 9 Dec 2008 21:14:14 +0000 (13:14 -0800)]
revert "percpu_counter: new function percpu_counter_sum_and_set"


    commit e8ced39d5e8911c662d4d69a342b9d053eaaac4e
    Author: Mingming Cao <>
    Date:   Fri Jul 11 19:27:31 2008 -0400

        percpu_counter: new function percpu_counter_sum_and_set

As described in

revert "percpu counter: clean up percpu_counter_sum_and_set()"

the new percpu_counter_sum_and_set() is racy against updates to the
cpu-local accumulators on other CPUs.  Revert that change.

This means that ext4 will be slow again.  But correct.

Reported-by: Eric Dumazet <>
Cc: "David S. Miller" <>
Cc: Peter Zijlstra <>
Cc: Mingming Cao <>
Cc: <>
Cc: <> [2.6.27.x]
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agorevert "percpu counter: clean up percpu_counter_sum_and_set()"
Andrew Morton [Tue, 9 Dec 2008 21:14:13 +0000 (13:14 -0800)]
revert "percpu counter: clean up percpu_counter_sum_and_set()"


    commit 1f7c14c62ce63805f9574664a6c6de3633d4a354
    Author: Mingming Cao <>
    Date:   Thu Oct 9 12:50:59 2008 -0400

        percpu counter: clean up percpu_counter_sum_and_set()

Before this patch we had the following:

percpu_counter_sum(): return the percpu_counter's value

percpu_counter_sum_and_set(): return the percpu_counter's value, copying
that value into the central value and zeroing the per-cpu counters before

After this patch, percpu_counter_sum_and_set() has gone, and
percpu_counter_sum() gets the old percpu_counter_sum_and_set()

Problem is, as Eric points out, the old percpu_counter_sum_and_set()
functionality was racy and wrong.  It zeroes out counters on "other" cpus,
without holding any locks which will prevent races agaist updates from
those other CPUS.

This patch reverts 1f7c14c62ce63805f9574664a6c6de3633d4a354.  This means
that percpu_counter_sum_and_set() still has the race, but
percpu_counter_sum() does not.

Note that this is not a simple revert - ext4 has since started using
percpu_counter_sum() for its dirty_blocks counter as well.

Note that this revert patch changes percpu_counter_sum() semantics.

Before the patch, a call to percpu_counter_sum() will bring the counter's
central counter mostly up-to-date, so a following percpu_counter_read()
will return a close value.

After this patch, a call to percpu_counter_sum() will leave the counter's
central accumulator unaltered, so a subsequent call to
percpu_counter_read() can now return a significantly inaccurate result.

If there is any code in the tree which was introduced after
e8ced39d5e8911c662d4d69a342b9d053eaaac4e was merged, and which depends
upon the new percpu_counter_sum() semantics, that code will break.

Reported-by: Eric Dumazet <>
Cc: "David S. Miller" <>
Cc: Peter Zijlstra <>
Cc: Mingming Cao <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agopercpu_counter: fix CPU unplug race in percpu_counter_destroy()
Eric Dumazet [Tue, 9 Dec 2008 21:14:11 +0000 (13:14 -0800)]
percpu_counter: fix CPU unplug race in percpu_counter_destroy()

We should first delete the counter from percpu_counters list
before freeing memory, or a percpu_counter_hotcpu_callback()
could dereference a NULL pointer.

Signed-off-by: Eric Dumazet <>
Acked-by: David S. Miller <>
Cc: Peter Zijlstra <>
Cc: Mingming Cao <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agortc: fix missing id_table in rtc-ds1672 and rtc-max6900 drivers
Alessandro Zummo [Tue, 9 Dec 2008 21:14:11 +0000 (13:14 -0800)]
rtc: fix missing id_table in rtc-ds1672 and rtc-max6900 drivers

Add missing id_table to the drivers in subject.  Patch is against the
latest git.  It should go in with 2.6.28 if possible, the drivers won't
work without the id_table bits.

Signed-off-by: Alessandro Zummo <>
Reported-by: Imre Kaloz <>
Tested-by: Imre Kaloz <>
Cc: David Brownell <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agorelayfs: fix infinite loop with splice()
Tom Zanussi [Tue, 9 Dec 2008 21:14:10 +0000 (13:14 -0800)]
relayfs: fix infinite loop with splice()

Running kmemtraced, which uses splice() on relayfs, causes a hard lock on
x86-64 SMP.  As described by Tom Zanussi:

  It looks like you hit the same problem as described here:

  commit 8191ecd1d14c6914c660dfa007154860a7908857

      splice: fix infinite loop in generic_file_splice_read()

  relay uses the same loop but it never got noticed or fixed.

Cc: Mathieu Desnoyers <>
Tested-by: Pekka Enberg <>
Signed-off-by: Tom Zanussi <>
Signed-off-by: Pekka Enberg <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agouml: boot broken due to buffer overrun
Balbir Singh [Tue, 9 Dec 2008 21:14:07 +0000 (13:14 -0800)]
uml: boot broken due to buffer overrun

mconsole_init() passed 256 bytes as length in os_create_unix_socket, while
the sizeof UNIX_PATH_MAX is 108. This patch fixes that problem and avoids
a big overrun bug reported on UML bootup.

sockaddr_un.sun_path is UNIX_PATH_MAX long which causes the problem.
Reported-by: Vikas K Managutte <>
Reported-by: Sarvesh Kumar Lal Das <>
Signed-off-by: Balbir Singh <>
Reviewed-by: Pekka Enberg <>
Reviewed-by: WANG Cong <>
Cc: Jeff Dike <>
Cc: <> [please check with Jeff]
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agomm/backing-dev.c: remove recently-added WARN_ON()
Andrew Morton [Tue, 9 Dec 2008 21:14:06 +0000 (13:14 -0800)]
mm/backing-dev.c: remove recently-added WARN_ON()

On second thoughts, this is just going to disturb people while telling us
things which we already knew.

Cc: Peter Korsgaard <>
Cc: Peter Zijlstra <>
Cc: Kay Sievers <>
Cc: David Woodhouse <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agocrypto: api - Disallow cryptomgr as a module if algorithms are built-in
Herbert Xu [Wed, 10 Dec 2008 12:29:44 +0000 (23:29 +1100)]
crypto: api - Disallow cryptomgr as a module if algorithms are built-in

If we have at least one algorithm built-in then it no longer makes
sense to have the testing framework, and hence cryptomgr to be a
module.  It should be either on or off, i.e., built-in or disabled.

This just happens to stop a potential runaway modprobe loop that
seems to trigger on at least one distro.

With fixes from Evgeniy Polyakov.

Signed-off-by: Herbert Xu <>
13 years agofirewire: fw-ohci: fix IOMMU resource exhaustion
Stefan Richter [Tue, 9 Dec 2008 23:20:38 +0000 (00:20 +0100)]
firewire: fw-ohci: fix IOMMU resource exhaustion

There is a DMA map/ unmap imbalance whenever a block write request
packet is sent and then dequeued with ohci_cancel_packet.  The latter
may happen frequently if the AR resp tasklet is executed before the AT
req tasklet for the same transaction.

Add the missing dma_unmap_single.  This fixes

Reported-by: Emmanuel Kowalski
Tested-by: Emmanuel Kowalski
Signed-off-by: Stefan Richter <>
13 years agotracehook: exec double-reporting fix
Roland McGrath [Wed, 10 Dec 2008 03:36:38 +0000 (19:36 -0800)]
tracehook: exec double-reporting fix

The patch 6341c39 "tracehook: exec" introduced a small regression in
2.6.27 regarding binfmt_misc exec event reporting.  Since the reporting
is now done in the common search_binary_handler() function, an exec
of a misc binary will result in two (or possibly multiple) exec events
being reported, instead of just a single one, because the misc handler
contains a recursive call to search_binary_handler.

To add to the confusion, if PTRACE_O_TRACEEXEC is not active, the multiple
SIGTRAP signals will in fact cause only a single ptrace intercept, as the
signals are not queued.  However, if PTRACE_O_TRACEEXEC is on, the debugger
will actually see multiple ptrace intercepts (PTRACE_EVENT_EXEC).

The test program included below demonstrates the problem.

This change fixes the bug by calling tracehook_report_exec() only in the
outermost search_binary_handler() call (bprm->recursion_depth == 0).

The additional change to restore bprm->recursion_depth after each binfmt
load_binary call is actually superfluous for this bug, since we test the
value saved on entry to search_binary_handler().  But it keeps the use of
of the depth count to its most obvious expected meaning.  Depending on what
binfmt handlers do in certain cases, there could have been false-positive
tests for recursion limits before this change.

    /* Test program using PTRACE_O_TRACEEXEC.
       This forks and exec's the first argument with the rest of the arguments,
       while ptrace'ing.  It expects to see one PTRACE_EVENT_EXEC stop and
       then a successful exit, with no other signals or events in between.

       Test for kernel doing two PTRACE_EVENT_EXEC stops for a binfmt_misc exec:

       $ gcc -g traceexec.c -o traceexec
       $ sudo sh -c 'echo :test:M::foobar::/bin/cat: > /proc/sys/fs/binfmt_misc/register'
       $ echo 'foobar test' > ./foobar
       $ chmod +x ./foobar
       $ ./traceexec ./foobar; echo $?
       ==> good <==
       foobar test
       ==> bad <==
       foobar test
       unexpected status 0x4057f != 0


    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/wait.h>
    #include <sys/ptrace.h>
    #include <unistd.h>
    #include <signal.h>
    #include <stdlib.h>

    static void
    wait_for (pid_t child, int expect)
      int status;
      pid_t p = wait (&status);
      if (p != child)
  perror ("wait");
  exit (2);
      if (status != expect)
  fprintf (stderr, "unexpected status %#x != %#x\n", status, expect);
  exit (3);

    main (int argc, char **argv)
      pid_t child = fork ();

      if (child < 0)
  perror ("fork");
  return 127;
      else if (child == 0)
  ptrace (PTRACE_TRACEME);
  raise (SIGUSR1);
  execv (argv[1], &argv[1]);
  perror ("execve");
  _exit (127);

      wait_for (child, W_STOPCODE (SIGUSR1));

      if (ptrace (PTRACE_SETOPTIONS, child,
  0L, (void *) (long) PTRACE_O_TRACEEXEC) != 0)
  return 4;

      if (ptrace (PTRACE_CONT, child, 0L, 0L) != 0)
  perror ("PTRACE_CONT");
  return 5;

      wait_for (child, W_STOPCODE (SIGTRAP | (PTRACE_EVENT_EXEC << 8)));

      if (ptrace (PTRACE_CONT, child, 0L, 0L) != 0)
  perror ("PTRACE_CONT");
  return 6;

      wait_for (child, W_EXITCODE (0, 0));

      return 0;

Reported-by: Arnd Bergmann <>
CC: Ulrich Weigand <>
Signed-off-by: Roland McGrath <>
13 years agoPCIe: ASPM: Break out of endless loop waiting for PCI config bits to switch
Thomas Renninger [Tue, 9 Dec 2008 12:05:09 +0000 (13:05 +0100)]
PCIe: ASPM: Break out of endless loop waiting for PCI config bits to switch

Makes a Compaq 6735s boot reliably again.  It used to hang in the loop
on some boots.  Give the link one second to train, otherwise break out
of the loop and reset the previously set clock bits.

Signed-off-by: Thomas Renninger <>
Signed-off-by: Shaohua Li <>
Signed-off-by: Matthew Garrett <>
Signed-off-by: Jesse Barnes <>
13 years agoPCI: stop leaking 'slot_name' in pci_create_slot
Alex Chiang [Tue, 2 Dec 2008 01:17:21 +0000 (18:17 -0700)]
PCI: stop leaking 'slot_name' in pci_create_slot

In pci_create_slot(), the local variable 'slot_name' is allocated by
make_slot_name(), but never freed. We never use it after passing it to
the kobject core, so we should free it upon function exit.

Signed-off-by: Alex Chiang <>
Signed-off-by: Jesse Barnes <>
13 years agoMIPS: Better than nothing implementation of PCI mmap to fix X.
Ralf Baechle [Tue, 9 Dec 2008 17:58:46 +0000 (17:58 +0000)]
MIPS: Better than nothing implementation of PCI mmap to fix X.

Certain X11 servers such as the SIS server will only work if PCI mmap is
implemented.  This patch implements PCI mmap but to be on the same side
so close to a release it only supports uncached mappings so performance
will not be optimal for some uses such as framebuffers.

Thanks to Zhang Le <> for the original report and

Signed-off-by: Ralf Baechle <>
13 years ago[IA64] SN: prevent IRQ retargetting in request_irq()
John Keller [Mon, 8 Dec 2008 17:44:11 +0000 (11:44 -0600)]
[IA64] SN: prevent IRQ retargetting in request_irq()

With the introduction of the generic affinity autoselector,
irq_select_affinity(), IRQs are now being retargetted,
using a default mask, via the request_irq() path.
This results in all IRQs targetted at CPU 0.

SN Altix assigns affinity in the SN PROM, and does not
expect that to be changed as part of request_irq().

Set the IRQ_AFFINITY_SET flag to prevent
request_irq() from resetting affinity.

Signed-off-by: John Keller <>
Signed-off-by: Tony Luck <>
13 years agoieee1394: node manager causes up to ~3.25s delay in freezing tasks
Nigel Cunningham [Tue, 9 Dec 2008 11:40:20 +0000 (22:40 +1100)]
ieee1394: node manager causes up to ~3.25s delay in freezing tasks

The firewire nodemanager function "nodemgr_host_thread" contains a loop
that calls try_to_freeze near the top of the loop, but then delays for
up to 3.25 seconds (plus time to do work) before getting back to the top
of the loop. When starting a cycle post-boot, this doesn't seem to bite,
but it is causing a noticeable delay at boot time, when freezing
processes prior to starting to read the image.

The following patch adds invocation of try_to_freeze to the subloops
that are used in the body of this function. With these additions, the
time to freeze when starting to resume at boot time is virtually zero.
I'm no expert on firewire, and so don't know that we shouldn't check
the return value and jump back to the top of the loop or such like after
being frozen, but I submit it for your consideration.

Signed-off-by: Nigel Cunningham <>
The delay until nodemgr freezes was up to 0.25s (plus time for node
probes) in Linux 2.6.27 and older and up to 3.25s (plus ~) since Linux
2.6.28-rc1, hence much more noticeable.

try_to_freeze() without any jump is correct.  The surrounding code in
the respective loops will catch whether another bus reset happens during
the freeze and handle it.

Signed-off-by: Stefan Richter <>
13 years agosched: CPU remove deadlock fix
Brian King [Tue, 9 Dec 2008 14:47:00 +0000 (08:47 -0600)]
sched: CPU remove deadlock fix

Impact: fix possible deadlock in CPU hot-remove path

This patch fixes a possible deadlock scenario in the CPU remove path.
migration_call grabs rq->lock, then wakes up everything on rq->migration_queue
with the lock held. Then one of the tasks on the migration queue ends up
calling tg_shares_up which then also tries to acquire the same rq->lock.

[c000000058eab2e0c000000000502078 ._spin_lock_irqsave+0x98/0xf0
[c000000058eab370c00000000008011c .tg_shares_up+0x10c/0x20c
[c000000058eab430c00000000007867c .walk_tg_tree+0xc4/0xfc
[c000000058eab4d0c0000000000840c8 .try_to_wake_up+0xb0/0x3c4
[c000000058eab590c0000000000799a0 .__wake_up_common+0x6c/0xe0
[c000000058eab640c00000000007ada4 .complete+0x54/0x80
[c000000058eab6e0c000000000509fa8 .migration_call+0x5fc/0x6f8
[c000000058eab7c0c000000000504074 .notifier_call_chain+0x68/0xe0
[c000000058eab860c000000000506568 ._cpu_down+0x2b0/0x3f4
[c000000058eaba60c000000000506750 .cpu_down+0xa4/0x108
[c000000058eabb10c000000000507e54 .store_online+0x44/0xa8
[c000000058eabba0c000000000396260 .sysdev_store+0x3c/0x50
[c000000058eabc10c0000000001a39b8 .sysfs_write_file+0x124/0x18c
[c000000058eabcd0c00000000013061c .vfs_write+0xd0/0x1bc
[c000000058eabd70c0000000001308a4 .sys_write+0x68/0x114
[c000000058eabe30c0000000000086b4 syscall_exit+0x0/0x40

Signed-off-by: Brian King <>
Acked-by: Peter Zijlstra <>
Signed-off-by: Ingo Molnar <>
13 years ago[IA64] Fix section mismatch ioc3uart_init()/ioc3uart_submodule
Tony Luck [Tue, 9 Dec 2008 00:16:21 +0000 (16:16 -0800)]
[IA64] Fix section mismatch ioc3uart_init()/ioc3uart_submodule

s/ioc3uart_submodule/ioc3uart_ops/ makes the section mismatch
check happy.

Signed-off-by: Tony Luck <>
13 years ago[IA64] Clear up section mismatch for ioc4_ide_attach_one.
Robin Holt [Mon, 8 Dec 2008 23:47:20 +0000 (15:47 -0800)]
[IA64] Clear up section mismatch for ioc4_ide_attach_one.

The generic_defconfig has three section mismatches.  This clears up

Signed-off-by: Robin Holt <>
Signed-off-by: Mike Reid <>
Signed-off-by: Tony Luck <>
13 years ago[IA64] Clear up section mismatch with arch_unregister_cpu()
Robin Holt [Mon, 8 Dec 2008 14:43:46 +0000 (08:43 -0600)]
[IA64] Clear up section mismatch with arch_unregister_cpu()

The generic_defconfig has three section mismatches.  This clears

Signed-off-by: Robin Holt <>
Signed-off-by: Jack Steiner <>
Signed-off-by: Tony Luck <>
13 years ago[IA64] Clear up section mismatch for sn_check_wars.
Robin Holt [Mon, 8 Dec 2008 14:43:46 +0000 (08:43 -0600)]
[IA64] Clear up section mismatch for sn_check_wars.

The generic_defconfig has three section mismatches.  This clears up

Signed-off-by: Robin Holt <>
Signed-off-by: Jack Steiner <>
Signed-off-by: Tony Luck <>
13 years ago[IA64] Updated the generic_defconfig to work with the 2.6.28-rc7 kernel.
Robin Holt [Mon, 8 Dec 2008 14:43:46 +0000 (08:43 -0600)]
[IA64] Updated the generic_defconfig to work with the 2.6.28-rc7 kernel.

The AUTOFS=y and AUTOFS4=y causes problems with some distros versions of
automount.  I turned both of those to =m and then followed the default
prompts for everything else.  I did notice that CONFIG_PNP_DEBUG got
changed to CONFIG_PNP_DEBUG_MESSAGES and the default was a =y so I turned
that back to a =n.

Signed-off-by: Robin Holt <>
Signed-off-by: Tony Luck <>
13 years ago[IA64] Fix GRU compile error w/o CONFIG_HUGETLB_PAGE
Jack Steiner [Tue, 9 Dec 2008 16:51:32 +0000 (10:51 -0600)]
[IA64] Fix GRU compile error w/o CONFIG_HUGETLB_PAGE

Eliminate compile error when compiling without CONFIG_HUGETLB_PAGE.

Signed-off-by: Jack Steiner <>
Signed-off-by: Tony Luck <>
13 years ago[IA64] eliminate NULL test and memset after alloc_bootmem
Julia Lawall [Mon, 1 Dec 2008 22:18:37 +0000 (14:18 -0800)]
[IA64] eliminate NULL test and memset after alloc_bootmem

As noted by Akinobu Mita in patch b1fceac2b9e04d278316b2faddf276015fc06e3b,
alloc_bootmem and related functions never return NULL and always return a
zeroed region of memory.  Thus a NULL test or memset after calls to these
functions is unnecessary.

Signed-off-by: Julia Lawall <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Tony Luck <>
13 years ago[IA64] remove BUILD_BUG_ON from paravirt_getreg()
Alexey Dobriyan [Tue, 9 Dec 2008 18:01:26 +0000 (10:01 -0800)]
[IA64] remove BUILD_BUG_ON from paravirt_getreg()

CC      arch/ia64/kernel/asm-offsets.s
In file included from include/linux/bitops.h:17,
                 from include/linux/kernel.h:15,
                 from include/linux/sched.h:52,
                 from arch/ia64/kernel/asm-offsets.c:9:
arch/ia64/include/asm/bitops.h: In function 'set_bit':
arch/ia64/include/asm/bitops.h:47: error: implicit declaration of function 'BUILD_BUG_ON'

Obvious inclusion of kernel.h doesn't fix it, because of circular dependencies
involving fls.h and log2(). Fixing the latter requires some serious header surgery,
it seems, so just remove BUILD_BUG_ON for now.

Signed-off-by: Alexey Dobriyan <>
Signed-off-by: Tony Luck <>
13 years agoMerge
Linus Torvalds [Tue, 9 Dec 2008 16:29:31 +0000 (08:29 -0800)]

  [ARM] Fix alignment fault handling for ARMv6 and later CPUs
  [ARM] 5340/1: fix stack placement after noexecstack changes
  [ARM] 5339/1: fix __fls() on ARM
  [ARM] Orion: fix bug in pcie configuration cycle function field mask
  [ARM] omap: fix a pile of issues

13 years agoMerge git://
Linus Torvalds [Tue, 9 Dec 2008 16:28:36 +0000 (08:28 -0800)]
Merge git://

* git://
  [MTD] [NAND] fix OOPS accessing flash operations over STM flash on PXA
  [MTD] [NAND] drivers/mtd/nand/pasemi_nand.c: Add missing pci_dev_put
  [MTD] [NAND] fsl_upm: fix build problem with 2.6.28-rc2
  [MTD] physmap: fix memory leak on physmap_flash_remove by using devres
  [MTD] m25p80: chip erase != block erase != sector erase
  [MTD] m25p80: fix detection of m25p16 flashes
  [MTD] m25p80: fix detection of SPI parts
  [MTD] [NAND] OMAP: OneNAND: header file relocation (part 2)
  [MTD] [NAND] OMAP: OneNAND: header file relocation

13 years agoMerge branch 'audit.b59' of git://
Linus Torvalds [Tue, 9 Dec 2008 16:28:13 +0000 (08:28 -0800)]
Merge branch 'audit.b59' of git://git./linux/kernel/git/viro/audit-current

* 'audit.b59' of git://
  [PATCH] fix broken timestamps in AVC generated by kernel threads
  [patch 1/1] audit: remove excess kernel-doc
  [PATCH] asm/generic: fix bug - kernel fails to build when enable some common audit code on Blackfin
  [PATCH] return records for fork() both to child and parent
  [PATCH] Audit: make audit=0 actually turn off audit

13 years agoMerge branch 'upstream-linus' of git://
Linus Torvalds [Tue, 9 Dec 2008 16:27:57 +0000 (08:27 -0800)]
Merge branch 'upstream-linus' of git://git./linux/kernel/git/jgarzik/libata-dev

* 'upstream-linus' of git://
  ata: Fix experimental tags
  pata_ninja32: update ID table
  pata_sis: Remove bogus cable match
  ATA: piix, fix pointer deref on suspend
  pata_hpt366: fix clock detection

13 years agoMerge branch 'drm-fixes' of git://
Linus Torvalds [Tue, 9 Dec 2008 16:27:39 +0000 (08:27 -0800)]
Merge branch 'drm-fixes' of git://git./linux/kernel/git/airlied/drm-2.6

* 'drm-fixes' of git://
  drm/i915: Disable the GM965 MSI errata workaround.
  drm/i915: Don't return error in evict_everything when we get to the end.
  drm/radeon: don't actually enable the IRQ regs until irq is enabled

13 years agoMerge branch 'merge' of git://
Linus Torvalds [Tue, 9 Dec 2008 16:26:43 +0000 (08:26 -0800)]
Merge branch 'merge' of git://git./linux/kernel/git/paulus/powerpc

* 'merge' of git://
  powerpc/virtex5: Fix Virtex5 machine check handling

13 years agoradeonfb: Disable new color expand acceleration unless explicitely enabled
Benjamin Herrenschmidt [Tue, 9 Dec 2008 04:54:18 +0000 (15:54 +1100)]
radeonfb: Disable new color expand acceleration unless explicitely enabled

This new color expansion acceleration for radeonfb appears to trigger
problems with X on VT switch and suspend/resume on some machines. It
might be a problem in the VT layer or in X, but I haven't quite found
it yet, so in the meantime, this disables the acceleration by default,
reverting to 2.6.27 state. It can be enabled using the "accel_cexp"
module parameter or fbdev argument.

Signed-off-by: Benjamin Herrenschmidt <>
Acked-by: David S. Miller <>
Signed-off-by: Linus Torvalds <>
13 years ago[PATCH] fix broken timestamps in AVC generated by kernel threads
Al Viro [Sat, 6 Dec 2008 06:05:50 +0000 (01:05 -0500)]
[PATCH] fix broken timestamps in AVC generated by kernel threads

Timestamp in audit_context is valid only if ->in_syscall is set.

Signed-off-by: Al Viro <>
13 years ago[patch 1/1] audit: remove excess kernel-doc
Randy Dunlap [Mon, 1 Dec 2008 22:16:06 +0000 (14:16 -0800)]
[patch 1/1] audit: remove excess kernel-doc

Delete excess kernel-doc notation in kernel/auditsc.c:

Warning(linux-2.6.27-git10//kernel/auditsc.c:1481): Excess function parameter or struct member 'tsk' description in 'audit_syscall_entry'
Warning(linux-2.6.27-git10//kernel/auditsc.c:1564): Excess function parameter or struct member 'tsk' description in 'audit_syscall_exit'

Signed-off-by: Randy Dunlap <>
Cc: Al Viro <>
Cc: Eric Paris <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Al Viro <>
13 years ago[PATCH] asm/generic: fix bug - kernel fails to build when enable some common audit...
Mike Frysinger [Tue, 18 Nov 2008 07:03:49 +0000 (15:03 +0800)]
[PATCH] asm/generic: fix bug - kernel fails to build when enable some common audit code on Blackfin

If you enable some common audit code, the kernel fails to build.

In file included from lib/audit.c:17:
include/asm-generic/audit_write.h:3: error: '__NR_swapon' undeclared here (not in a function)
make[1]: *** [lib/audit.o] Error 1
make: *** [lib] Error 2

So do not use __NR_swapon if it isnt defined for a port.

Signed-off-by: Mike Frysinger <>
Signed-off-by: Bryan Wu <>
Signed-off-by: Al Viro <>
13 years ago[PATCH] return records for fork() both to child and parent
Al Viro [Wed, 12 Nov 2008 23:37:41 +0000 (18:37 -0500)]
[PATCH] return records for fork() both to child and parent

Signed-off-by: Al Viro <>
13 years ago[PATCH] Audit: make audit=0 actually turn off audit
Eric Paris [Wed, 5 Nov 2008 17:47:09 +0000 (12:47 -0500)]
[PATCH] Audit: make audit=0 actually turn off audit

Currently audit=0 on the kernel command line does absolutely nothing.
Audit always loads and always uses its resources such as creating the
kernel netlink socket.  This patch causes audit=0 to actually disable
audit.  Audit will use no resources and starting the userspace auditd
daemon will not cause the kernel audit system to activate.

Signed-off-by: Eric Paris <>
Signed-off-by: Al Viro <>
13 years agoata: Fix experimental tags
Alan Cox [Fri, 5 Dec 2008 19:43:03 +0000 (19:43 +0000)]
ata: Fix experimental tags

Various tags are now way out of date

Signed-off-by: Jeff Garzik <>
13 years agopata_ninja32: update ID table
Alan Cox [Fri, 5 Dec 2008 19:42:38 +0000 (19:42 +0000)]
pata_ninja32: update ID table

Signed-off-by: Alan Cox <>
Signed-off-by: Jeff Garzik <>
13 years agopata_sis: Remove bogus cable match
Alan Cox [Fri, 5 Dec 2008 19:41:52 +0000 (19:41 +0000)]
pata_sis: Remove bogus cable match

Some systems report SIS 5513 as both vendor/id and subvendor/id
string. In that case we can't distinguish the system by the id
svid/sdid and in fact the entry here breaks some boxes. At some
point we need to find another way to detect the Targa Visionary 1000,
until then this trades a hang for some users with lower performance
for others.

Closes: #12092

Signed-off-by: Alan Cox <>
Signed-off-by: Jeff Garzik <>
13 years agoATA: piix, fix pointer deref on suspend
Jiri Slaby [Wed, 3 Dec 2008 08:13:46 +0000 (09:13 +0100)]
ATA: piix, fix pointer deref on suspend


I've found this issue in the mmotm 2008-12-02-17-08.


ata_piix: add borked Tecra M4 to broken suspend list
introduced DMI variables checking, but they can be null, so that
we possibly dereference null.

Check if they are null and avoid checks in that case.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
IP: [<ffffffff8043da97>] piix_pci_device_suspend+0x117/0x230

Signed-off-by: Jiri Slaby <>
Cc: Jeff Garzik <>
Cc: Alexandru Romanescu <>
Cc: Tejun Heo <>
Signed-off-by: Jeff Garzik <>
13 years agopata_hpt366: fix clock detection
Tejun Heo [Mon, 8 Dec 2008 09:48:42 +0000 (18:48 +0900)]
pata_hpt366: fix clock detection

pata_hpt366 had its clock detection wrong and detected 25Mhz as 40Mhz
and vice-versa.  Fix it.

Signed-off-by: Tejun Heo <>
Signed-off-by: Jeff Garzik <>
13 years agodrm/i915: Disable the GM965 MSI errata workaround.
Keith Packard [Mon, 8 Dec 2008 19:12:28 +0000 (11:12 -0800)]
drm/i915: Disable the GM965 MSI errata workaround.

Since applying the fix suggested by the errata (disabling MSI), we've had
issues with interrupts being stuck on despite IIR being 0 on GM965 hardware.
Most reporters of the issue have confirmed that turning MSI back on fixes
things, and given the difficulties experienced in getting reliable MSI working
on Linux, it's believable that the errata was about software issues and not
actual hardware issues.

Signed-off-by: Dave Airlie <>
13 years agodrm/i915: Don't return error in evict_everything when we get to the end.
Owain Ainsworth [Sun, 7 Dec 2008 04:42:20 +0000 (20:42 -0800)]
drm/i915: Don't return error in evict_everything when we get to the end.

Returning -ENOMEM errored all the way out of execbuf, so the rendering never

Signed-off-by: Dave Airlie <>
13 years agodrm/radeon: don't actually enable the IRQ regs until irq is enabled
Dave Airlie [Tue, 9 Dec 2008 05:30:50 +0000 (15:30 +1000)]
drm/radeon: don't actually enable the IRQ regs until irq is enabled

vblank can try and enable the IRQ registers before we've set the interrupt
handler up.

Signed-off-by: Dave Airlie <>
13 years agoMerge branch 'merge' of
Paul Mackerras [Tue, 9 Dec 2008 03:58:37 +0000 (14:58 +1100)]
Merge branch 'merge' of /linux/kernel/git/galak/powerpc into merge

13 years agoMerge git://
Linus Torvalds [Tue, 9 Dec 2008 03:52:43 +0000 (19:52 -0800)]
Merge git://git./linux/kernel/git/davem/net-2.6

* git://
  tproxy: fixe a possible read from an invalid location in the socket match
  zd1211rw: use unaligned safe memcmp() in-place of compare_ether_addr()
  mac80211: use unaligned safe memcmp() in-place of compare_ether_addr()
  ipw2200: fix netif_*_queue() removal regression
  iwlwifi: clean key table in iwl_clear_stations_table function
  tcp: tcp_vegas ssthresh bug fix
  can: omit received RTR frames for single ID filter lists
  ATM: CVE-2008-5079: duplicate listen() on socket corrupts the vcc table
  netx-eth: initialize per device spinlock
  tcp: make urg+gso work for real this time
  enc28j60: Fix sporadic packet loss (corrected again)
  hysdn: fix writing outside the field on 64 bits
  b1isa: fix b1isa_exit() to really remove registered capi controllers
  can: Fix CAN_(EFF|RTR)_FLAG handling in can_filter
  Phonet: do not dump addresses from other namespaces
  netlabel: Fix a potential NULL pointer dereference
  bnx2: Add workaround to handle missed MSI.
  xfrm: Fix kernel panic when flush and dump SPD entries

13 years agoMerge branch 'x86-fixes-for-linus' of git://
Linus Torvalds [Tue, 9 Dec 2008 03:50:26 +0000 (19:50 -0800)]
Merge branch 'x86-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'x86-fixes-for-linus' of git://
  x86: fix default_spin_lock_flags() prototype
  AMD IOMMU: __unmap_single: check for bad_dma_address instead of 0
  AMD IOMMU: fix WARN_ON in dma_ops unmap path
  AMD IOMMU: fix typo in comment
  AMD IOMMU: fix loop counter in free_pagetable function
  AMD IOMMU: fix iommu_map_page function

13 years agoMerge git://
Linus Torvalds [Tue, 9 Dec 2008 03:50:09 +0000 (19:50 -0800)]
Merge git://git./linux/kernel/git/bart/ide-2.6

* git://
  ide: build-fix for CONFIG_BLK_DEV_IDEDMA_PMAC=n
  Revert "ide: respect current DMA setting during resume"

13 years agoEXPORTFS: handle NULL returns from fh_to_dentry()/fh_to_parent()
J. Bruce Fields [Mon, 8 Dec 2008 23:24:18 +0000 (18:24 -0500)]
EXPORTFS: handle NULL returns from fh_to_dentry()/fh_to_parent()

While 440037287c5 "[PATCH] switch all filesystems over to
d_obtain_alias" removed some cases where fh_to_dentry() and
fh_to_parent() could return NULL, there are still a few NULL returns
left in individual filesystems.  Thus it was a mistake for that commit
to remove the handling of NULL returns in the callers.

Revert those parts of 440037287c5 which removed the NULL handling.

(We could, alternatively, modify all implementations to return -ESTALE
instead of NULL, but that proves to require fixing a number of
filesystems, and in some cases it's arguably more natural to return

Thanks to David for original patch and Linus, Christoph, and Hugh for

Signed-off-by: J. Bruce Fields <>
Cc: David Howells <>
Cc: Christoph Hellwig <>
Cc: Hugh Dickins <>
Signed-off-by: Linus Torvalds <>
13 years agoide: build-fix for CONFIG_BLK_DEV_IDEDMA_PMAC=n
Bartlomiej Zolnierkiewicz [Mon, 8 Dec 2008 16:52:05 +0000 (17:52 +0100)]
ide: build-fix for CONFIG_BLK_DEV_IDEDMA_PMAC=n

IDE pmac host driver build fails with CONFIG_BLK_DEV_IDEDMA_PMAC=n
as reported by Kamalesh:

> drivers/ide/pmac.c: In function 'pmac_ide_set_pio_mode':
> drivers/ide/pmac.c:527: error: implicit declaration of function 'kauai_lookup_timing'
> drivers/ide/pmac.c:527: error: 'shasta_pio_timings' undeclared (first use in this function)
> drivers/ide/pmac.c:527: error: (Each undeclared identifier is reported only once
> drivers/ide/pmac.c:527: error: for each function it appears in.)
> drivers/ide/pmac.c:534: error: 'kauai_pio_timings' undeclared (first use in this function)
> drivers/ide/pmac.c: In function 'pmac_ide_do_resume':
> drivers/ide/pmac.c:914: error: 'IDE_WAKEUP_DELAY' undeclared (first use in this function)
> drivers/ide/pmac.c: At top level:
> drivers/ide/pmac.c:1007: error: 'pmac_ide_init_dma' undeclared here (not in a function)
> drivers/ide/pmac.c: In function 'pmac_ide_setup_device':
> drivers/ide/pmac.c:1107: error: 'IDE_WAKEUP_DELAY' undeclared (first use in this function)
> drivers/ide/pmac.c: In function 'pmac_ide_macio_attach':
> drivers/ide/pmac.c:1209: error: 'pmac_ide_hwif_t' has no member named 'dma_regs'
> drivers/ide/pmac.c:1210: error: 'pmac_ide_hwif_t' has no member named 'dma_regs'
> make[2]: *** [drivers/ide/pmac.o] Error 1

Fix it by removing the superfluous config option.

Reported-and-tested-by: Kamalesh Babulal <>
Cc: Benjamin Herrenschmidt <>
Cc: Sergei Shtylyov <>
Cc: Stephen Rothwell <>
Signed-off-by: Bartlomiej Zolnierkiewicz <>
13 years agoRevert "ide: respect current DMA setting during resume"
Bartlomiej Zolnierkiewicz [Mon, 8 Dec 2008 16:42:35 +0000 (17:42 +0100)]
Revert "ide: respect current DMA setting during resume"

This reverts commit e9eb8388306364295308132265c00bea685f409f since
it could break resume (thanks to Paul Collins for the report).

I'll look into sorting this out properly for 2.6.29
but for 2.6.28 it is the best to just revert my patch.

Reported-by: Paul Collins <>
Signed-off-by: Bartlomiej Zolnierkiewicz <>
13 years agox86: fix default_spin_lock_flags() prototype
Ingo Molnar [Fri, 17 Oct 2008 14:09:57 +0000 (16:09 +0200)]
x86: fix default_spin_lock_flags() prototype

these warnings:

  arch/x86/kernel/paravirt-spinlocks.c: In function ‘default_spin_lock_flags’:
  arch/x86/kernel/paravirt-spinlocks.c:12: warning: passing argument 1 of ‘__raw_spin_lock’ from incompatible pointer type
  arch/x86/kernel/paravirt-spinlocks.c: At top level:
  arch/x86/kernel/paravirt-spinlocks.c:11: warning: ‘default_spin_lock_flags’ defined but not used

showed that the prototype of default_spin_lock_flags() was confused about
what type spinlocks have.

the proper type on UP is raw_spinlock_t.

Signed-off-by: Ingo Molnar <>
13 years agoAMD IOMMU: __unmap_single: check for bad_dma_address instead of 0
Joerg Roedel [Mon, 8 Dec 2008 13:40:26 +0000 (14:40 +0100)]
AMD IOMMU: __unmap_single: check for bad_dma_address instead of 0

Impact: minor fix

Signed-off-by: Joerg Roedel <>
13 years agoAMD IOMMU: fix WARN_ON in dma_ops unmap path
Joerg Roedel [Mon, 8 Dec 2008 13:37:20 +0000 (14:37 +0100)]
AMD IOMMU: fix WARN_ON in dma_ops unmap path

Impact: minor fix

Signed-off-by: Joerg Roedel <>
13 years agoAMD IOMMU: fix typo in comment
Joerg Roedel [Mon, 8 Dec 2008 13:25:39 +0000 (14:25 +0100)]
AMD IOMMU: fix typo in comment

Impact: cleanup

Signed-off-by: Joerg Roedel <>
13 years agoAMD IOMMU: fix loop counter in free_pagetable function
Joerg Roedel [Thu, 4 Dec 2008 15:44:31 +0000 (16:44 +0100)]
AMD IOMMU: fix loop counter in free_pagetable function

Impact: bugfix

Signed-off-by: Joerg Roedel <>
13 years agoAMD IOMMU: fix iommu_map_page function
Joerg Roedel [Thu, 4 Dec 2008 14:59:48 +0000 (15:59 +0100)]
AMD IOMMU: fix iommu_map_page function

Impact: bugfix in iommu_map_page function

Signed-off-by: Joerg Roedel <>
13 years agotproxy: fixe a possible read from an invalid location in the socket match
Balazs Scheidler [Mon, 8 Dec 2008 07:53:46 +0000 (23:53 -0800)]
tproxy: fixe a possible read from an invalid location in the socket match

TIME_WAIT sockets need to be handled specially, and the socket match
casted inet_timewait_sock instances to inet_sock, which are not

Handle this special case by checking sk->sk_state.

Signed-off-by: Balazs Scheidler <>
Signed-off-by: David S. Miller <>
13 years ago[ARM] Fix alignment fault handling for ARMv6 and later CPUs
Russell King [Sun, 7 Dec 2008 09:44:55 +0000 (09:44 +0000)]
[ARM] Fix alignment fault handling for ARMv6 and later CPUs

On ARMv6 and later CPUs, it is possible for userspace processes to
get stuck on a misaligned load or store due to the "ignore fault"
setting; unlike previous CPUs, retrying the instruction without
the 'A' bit set does not always cause the load to succeed.

We have no real option but to default to fixing up alignment faults
on these CPUs, and having the CPU fix up those misaligned accesses
which it can.

Reported-by: Wolfgang Grandegger <>
Signed-off-by: Russell King <>
13 years ago[ARM] 5340/1: fix stack placement after noexecstack changes
Lennert Buytenhek [Fri, 5 Dec 2008 02:25:47 +0000 (03:25 +0100)]
[ARM] 5340/1: fix stack placement after noexecstack changes

Commit 8ec53663d2698076468b3e1edc4e1b418bd54de3 ("[ARM] Improve
non-executable support") added support for detecting non-executable
stack binaries.  One of the things it does is to make READ_IMPLIES_EXEC
be set in ->personality if we are running on a CPU that doesn't support
the XN ("Execute Never") page table bit or if we are running a binary
that needs an executable stack.

This exposed a latent bug in ARM's asm/processor.h due to which we'll
end up placing the stack at a very low address, where it will bump into
the heap on any application that uses significant amount of stack or
heap or both, causing many interesting crashes.

Fix this by testing the ADDR_LIMIT_32BIT bit in ->personality instead
of testing for equality against PER_LINUX_32BIT.

Reviewed-by: Nicolas Pitre <>
Signed-off-by: Lennert Buytenhek <>
Signed-off-by: Russell King <>
13 years agoMerge branch 'master' of git://
David S. Miller [Sat, 6 Dec 2008 06:09:56 +0000 (22:09 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

13 years agoFix a race condition in FASYNC handling
Jonathan Corbet [Fri, 5 Dec 2008 23:12:48 +0000 (16:12 -0700)]
Fix a race condition in FASYNC handling

Changeset a238b790d5f99c7832f9b73ac8847025815b85f7 (Call fasync()
functions without the BKL) introduced a race which could leave
file->f_flags in a state inconsistent with what the underlying
driver/filesystem believes.  Revert that change, and also fix the same
races in ioctl_fioasync() and ioctl_fionbio().

This is a minimal, short-term fix; the real fix will not involve the

Reported-by: Oleg Nesterov <>
Cc: Andi Kleen <>
Cc: Al Viro <>
Signed-off-by: Jonathan Corbet <>
Signed-off-by: Linus Torvalds <>
13 years agoEnforce a minimum SG_IO timeout
Linus Torvalds [Fri, 5 Dec 2008 22:49:18 +0000 (14:49 -0800)]
Enforce a minimum SG_IO timeout

There's no point in having too short SG_IO timeouts, since if the
command does end up timing out, we'll end up through the reset sequence
that is several seconds long in order to abort the command that timed

As a result, shorter timeouts than a few seconds simply do not make
sense, as the recovery would be longer than the timeout itself.

Add a BLK_MIN_SG_TIMEOUT to match the existign BLK_DEFAULT_SG_TIMEOUT.

Suggested-by: Alan Cox <>
Acked-by: Tejun Heo <>
Acked-by: Jens Axboe <>
Cc: Jeff Garzik <>
Signed-off-by: Linus Torvalds <>
13 years agoMerge branch 'upstream' of git://
Linus Torvalds [Fri, 5 Dec 2008 21:42:08 +0000 (13:42 -0800)]
Merge branch 'upstream' of git://

* 'upstream' of git://
  MIPS: Fix incorrect use of loose in vpe.c

13 years agodrivers/message/i2o/iop.c: cleanup kerneldoc
Qinghuang Feng [Fri, 5 Dec 2008 16:35:07 +0000 (16:35 +0000)]
drivers/message/i2o/iop.c: cleanup kerneldoc

no argument named @msg in i2o_msg_get_wait(), remove it.

Signed-off-by: Qinghuang Feng <>
Signed-off-by: Alan Cox <>
Signed-off-by: Linus Torvalds <>
13 years agoFix incorrect use of loose in i2o_block.c
Nick Andrew [Fri, 5 Dec 2008 16:34:56 +0000 (16:34 +0000)]
Fix incorrect use of loose in i2o_block.c

Fix incorrect use of loose in i2o_block.c

It should be 'lose', not 'loose'.

Signed-off-by: Nick Andrew <>
Signed-off-by: Alan Cox <>
Signed-off-by: Linus Torvalds <>
13 years agoFix incorrect use of loose in tty/serial drivers
Nick Andrew [Fri, 5 Dec 2008 16:34:46 +0000 (16:34 +0000)]
Fix incorrect use of loose in tty/serial drivers

[Folded together as one diff from 3]

It should be 'lose', not 'loose'.

Signed-off-by: Nick Andrew <>
Signed-off-by: Alan Cox <>
Signed-off-by: Linus Torvalds <>
13 years agoRevert "ACPI: battery: Convert discharge energy rate to current properly"
Linus Torvalds [Fri, 5 Dec 2008 21:30:03 +0000 (13:30 -0800)]
Revert "ACPI: battery: Convert discharge energy rate to current properly"

This reverts commit 558073dd56707864f09d563b64e7c37c021e89d2, along with
the failed try to fix the regression it caused ("ACPI: Fix ACPI battery
regression introduced by commit 558073"), which just made things worse.

Commit aaad077638be1a25871bcae5e43952d6b63abfca (that failed "Fix ACPI
battery regression") got the voltage conversion confused, and fixed the
problem with Rafael's battery monitor apparently just by mistake.

So revert them both, getting us back to the 2.6.27 state in this, and
let's revisit it when people understand what's going on.

Noted-by: Paul Martin <>
Requested-by: Rafael J. Wysocki <>
Cc: Len Brown <>
Cc: Alexey Starikovskiy <>
Signed-off-by: Linus Torvalds <>
13 years agopowerpc/virtex5: Fix Virtex5 machine check handling
Grant Likely [Thu, 4 Dec 2008 05:39:55 +0000 (05:39 +0000)]
powerpc/virtex5: Fix Virtex5 machine check handling

The 440x5 core in the Virtex5 uses the 440A type machine check
(ie, they have MCSRR0/MCSRR1). They thus need to call the
appropriate fixup function to hook the right variant of the

Without this, all machine checks become fatal due to loss
of context when entering the exception handler.

Signed-off-by: Grant Likely <>
Signed-off-by: Josh Boyer <>
13 years agoMIPS: Fix incorrect use of loose in vpe.c
Nick Andrew [Fri, 5 Dec 2008 00:36:54 +0000 (11:36 +1100)]
MIPS: Fix incorrect use of loose in vpe.c

It should be 'lose', not 'loose'.

Signed-off-by: Nick Andrew <>
Signed-off-by: Ralf Baechle <>
13 years agozd1211rw: use unaligned safe memcmp() in-place of compare_ether_addr()
Shaddy Baddah [Fri, 28 Nov 2008 06:10:45 +0000 (17:10 +1100)]
zd1211rw: use unaligned safe memcmp() in-place of compare_ether_addr()

Under my 2.6.28-rc6 sparc64, when associating to an AP through my
zd1211rw device, I was seeing kernel log messages like (not exact output):

  Kernel unaligned access at TPC[10129b68] zd_mac_rx+0x144/0x32c [zd1211rw]

For the zd1211rw module, on RX, the 80211 packet will be located after
the PLCP header in the skb data buffer. The PLCP header being 5 bytes
long, the 80211 header will start unaligned from an aligned skb

As per Documentation/unaligned-memory-access.txt, we must replace the
not unaligned() safe compare_ether_addr() with memcmp() to protect
architectures that require alignment.

Signed-off-by: Shaddy Baddah <>
Signed-off-by: John W. Linville <>
13 years agomac80211: use unaligned safe memcmp() in-place of compare_ether_addr()
Shaddy Baddah [Fri, 28 Nov 2008 06:08:10 +0000 (17:08 +1100)]
mac80211: use unaligned safe memcmp() in-place of compare_ether_addr()

After fixing zd1211rw: use unaligned safe memcmp() in-place of
compare_ether_addr(), I started to see kernel log messages detailing
unaligned access:

  Kernel unaligned access at TPC[100f7f44] sta_info_get+0x24/0x68 [mac80211]

As with the aforementioned patch, the unaligned access was eminating
from a compare_ether_addr() call. Concerned that whilst it was safe to
assume that unalignment was the norm for the zd1211rw, and take
preventative measures, it may not be the case or acceptable to use the
easy fix of changing the call to memcmp().

My research however indicated that it was OK to do this, as there are
a few instances where memcmp() is the preferred mechanism for doing
mac address comparisons throughout the module.

Signed-off-by: Shaddy Baddah <>
Signed-off-by: John W. Linville <>