Al Viro [Sat, 25 Sep 2010 20:07:14 +0000 (21:07 +0100)]
alpha: fix hae_cache race in RESTORE_ALL
We want interrupts disabled on all paths leading to RESTORE_ALL;
otherwise, we are risking an IRQ coming between the updates of
alpha_mv->hae_cache and *alpha_mv->hae_register and set_hae()
within the IRQ getting badly confused.
RESTORE_ALL used to play with disabling IRQ itself, but that got
removed back in 2002, without making sure we had them disabled
on all paths. It's cheaper to make sure we have them disabled than
to revert to original variant...
Remove the detritus left from that commit back in 2002; we used to
need a reload of $0 and $1 since swpipl would change those, but
doing that had become pointless when we stopped doing swpipl in
there...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Larry Woodman [Fri, 24 Sep 2010 16:04:48 +0000 (12:04 -0400)]
Avoid pgoff overflow in remap_file_pages
Thomas Pollet noticed that the remap_file_pages() system call in
fremap.c has a potential overflow in the first part of the if statement
below, which could cause it to process bogus input parameters.
Specifically the pgoff + size parameters could be wrap thereby
preventing the system call from failing when it should.
Reported-by: Thomas Pollet <thomas.pollet@gmail.com> Signed-off-by: Larry Woodman <lwoodman@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and
SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow
unprivileged users to read uninitialized kernel stack memory, because
several fields of the hdsp{m}_config_info structs declared on the stack
are not altered or zeroed before being copied back to the user. This
patch takes care of it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> Cc: <stable@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Adrian Hunter [Sat, 25 Sep 2010 10:42:55 +0000 (12:42 +0200)]
block: prevent merges of discard and write requests
Add logic to prevent two I/O requests being merged if
only one of them is a discard. Ditto secure discard.
Without this fix, it is possible for write requests
to transform into discard requests. For example:
Submit bio 1 to discard 8 sectors from sector n
Submit bio 2 to write 8 sectors from sector n + 16
Submit bio 3 to write 8 sectors from sector n + 8
Bio 1 becomes request 1. Bio 2 becomes request 2.
Bio 3 is merged with request 2, and then subsequently
request 2 is merged with request 1 resulting in just
one I/O request which discards all 24 sectors.
Signed-off-by: Adrian Hunter <adrian.hunter@nokia.com>
(Moved the checks above the position checks /Jens)
Merge branch 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging
* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging:
x86/hwmon: pkgtemp has no dependency on PCI
MAINTAINERS: Update hwmon entry
x86/hwmon: register alternate sibling upon CPU removal
x86/hwmon: fix initialization of pkgtemp
x86/hwmon: fix initialization of coretemp
x86/hwmon: don't leak device attribute file from pkgtemp_probe() and pkgtemp_remove()
x86/hwmon: avoid deadlock on CPU removal in pkgtemp
x86/hwmon: fix module init for hotplug-but-no-device-found case
hwmon: (lis3) Fix Oops with NULL platform data
Chris Metcalf [Fri, 24 Sep 2010 21:19:20 +0000 (17:19 -0400)]
arch/tile: remove dead code from intvec_32.S
This "bpt_code" instruction was killed off in our development line a while
ago (the actual definition of bpt_code that is used is in kernel/traps.c)
but I didn't push it for 2.6.36 because it seemed harmless and I didn't
want to try to push more than absolutely necessary.
However, we recently fixed a bug in our gcc that had been causing
"-gdwarf2" not to be passed to the assembler, and passing this flag causes
an erroneous assembler failure in the presence of code in a data section,
sometimes. While we'd like to track down the bug in the assembler,
we'd also like to make sure 2.6.36 builds with the current toolchain,
so I'm removing this dead code as well.
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
Thomas Pollet points out that the 'end' variable is broken. It was
computed based on start/size before they were page-aligned, and as such
doesn't actually match any of the other actions we take. The overflow
test on end was also redundant, since we had already tested it with the
properly aligned version.
So just get rid of it entirely. The one remaining use for that broken
variable can just use 'start+size' like all the other cases already did.
Reported-by: Thomas Pollet <thomas.pollet@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Merge branch 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jlbec/ocfs2
* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jlbec/ocfs2:
o2dlm: force free mles during dlm exit
ocfs2: Sync inode flags with ext2.
ocfs2: Move 'wanted' into parens of ocfs2_resmap_resv_bits.
ocfs2: Use cpu_to_le16 for e_leaf_clusters in ocfs2_bg_discontig_add_extent.
ocfs2: update ctime when changing the file's permission by setfacl
ocfs2/net: fix uninitialized ret in o2net_send_message_vec()
Ocfs2: Handle empty list in lockres_seq_start() for dlmdebug.c
Ocfs2: Re-access the journal after ocfs2_insert_extent() in dxdir codes.
ocfs2: Fix lockdep warning in reflink.
ocfs2/lockdep: Move ip_xattr_sem out of ocfs2_xattr_get_nolock.
* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6:
USB: update Kconfig help text for CONFIG_USB_SUSPEND
usb: musb: gadget: restart request on clearing endpoint halt
usb: musb: host: Issue a memory barrier before starting DMA
usb: musb: gadget: fix dma length in txstate
usb: musb: gadget: complete request only if data is transfered over
usb: musb: gadget: fix DMA length for OUT transfer
usb: musb: gadget: enable autoclear for OUT transfer in both DMA 0 and DMA 1
usb: musb: gadget: fix bulk IN infinit hangs in double buffer case
usb: musb: gadget: fix kernel panic if using out ep with FIFO_TXRX style
USB: fix bug in initialization of interface minor numbers
Merge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6
* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
vgaarb: trivial fix
drm: radeon cleanup fixes...
drm: fix trivial coding errors
drm: ttm sparse fixes.
drm/nouveau: fix panels using straps-based mode detection
drm/ttm: Clear the ghost cpu_writers flag on ttm_buffer_object_transfer.
drm/radeon: don't allow device to be opened if powered down
Jan Beulich [Mon, 13 Sep 2010 10:23:05 +0000 (10:23 +0000)]
x86/hwmon: register alternate sibling upon CPU removal
Just like pkgtemp registers another core of the same package when one
gets removed, coretemp should register another hyperthread (if
available) in that situation.
As pointed out in the patch fixing the respective code in pkgtemp, the
list protectng mutex must be dropped before calling
coretemp_device_add(), and due to the restructured loop (including an
explicit return) the "safe" variant of the list iterator isn't needed
anymore.
Signed-off-by: Jan Beulich <jbeulich@novell.com> Cc: Rudolf Marek <r.marek@assembler.cz> Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Jan Beulich [Fri, 24 Sep 2010 05:21:34 +0000 (22:21 -0700)]
x86/hwmon: fix initialization of coretemp
Using cpuid_eax() to determine feature availability on other than
the current CPU is invalid. And feature availability should also be
checked in the hotplug code path.
Signed-off-by: Jan Beulich <jbeulich@novell.com> Cc: Rudolf Marek <r.marek@assembler.cz> Cc: Fenghua Yu <fenghua.yu@intel.com> Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Jan Beulich [Mon, 13 Sep 2010 10:14:43 +0000 (10:14 +0000)]
x86/hwmon: don't leak device attribute file from pkgtemp_probe() and pkgtemp_remove()
While apparently inherited from coretemp source, this particular error handling
cleanup and exit path wasn't copied properly (or perhaps got discarded
intermediately and not re-added properly later).
Signed-off-by: Jan Beulich <jbeulich@novell.com> Cc: Fenghua Yu <fenghua.yu@intel.com> Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
(added device file removal in pkgtemp_remove)
Jan Beulich [Mon, 13 Sep 2010 10:11:05 +0000 (10:11 +0000)]
x86/hwmon: avoid deadlock on CPU removal in pkgtemp
pkgtemp_device_remove(), holding the list protecting mutex, calls
pkgtemp_device_add(), which itself wants to acquire the same mutex.
Holding the mutex over the entire loop body in pkgtemp_device_remove()
isn't really necessary, as long as the loop gets exited after
processing the matched CPU.
Once exiting the loop after removing an eventual match, there's no
need for using the "safe" list iterator anymore.
Jan Beulich [Mon, 13 Sep 2010 10:05:51 +0000 (10:05 +0000)]
x86/hwmon: fix module init for hotplug-but-no-device-found case
In commit 0dca94baeab4a1a514841b0a4c8e3a51dfb4d5ae the call to
platform_driver_unregister() was made conditional upon !HOTPLUG_CPU,
but the return value from coretemp_init() was left to indicate an
error. This isn't correct, as the negative return value indicates to
the module loader that initialization failed, which isn't intended
here and results in dangling pointers.
Signed-off-by: Jan Beulich <jbeulich@novell.com> Cc: Chen Gong <gong.chen@linux.intel.com> Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Alan Stern [Fri, 24 Sep 2010 15:41:46 +0000 (11:41 -0400)]
USB: update Kconfig help text for CONFIG_USB_SUSPEND
This patch (as1429) updates the Kconfig help text for
CONFIG_USB_SUSPEND. The power/level file is now deprecated; we should
tell people to use power/control instead.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Sergei Shtylyov [Sat, 11 Sep 2010 18:23:12 +0000 (13:23 -0500)]
usb: musb: gadget: restart request on clearing endpoint halt
Commit 46034dca515bc4ddca0399ae58106d1f5f0d809f (USB: musb_gadget_ep0: stop
abusing musb_gadget_set_halt()) forgot to restart a queued request after
clearing the endpoint halt feature. This results in a couple of USB resets
while enumerating the file-backed storage gadget due to CSW packet not being
sent for the MODE SENSE(10) command.
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Cc: stable@kernel.org Signed-off-by: Felipe Balbi <balbi@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
usb: musb: host: Issue a memory barrier before starting DMA
This patch fixes the issue which was observed while transfering
a large file ( > 20MB) over USB (OMAP MUSB controller acts as USB host)
to an attached USB thumb drive.
It was found that CDB field of CBW packet was set to 0x0. This was
due to missing a barrier before DMA engine starts transfer.
This buffer is allocated using dma_alloc_coherent which gives
non-cacheble but bufferable memory and hence needed a write
memory barrier to flush the write buffer.
More info on this thread is here:
http://www.spinics.net/lists/linux-omap/msg33987.html
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@ti.com> Signed-off-by: Maulik Mankad <x0082077@ti.com> Cc: Russell King <rmk+kernel@arm.linux.org.uk> Signed-off-by: Felipe Balbi <balbi@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ming Lei [Mon, 20 Sep 2010 07:32:06 +0000 (10:32 +0300)]
usb: musb: gadget: fix dma length in txstate
DMA length should not go beyond the availabe space
of request buffer, so fix it.
Also set max_len of cppi dma channel as max size of
int type, so make musb dma handling happier.
Signed-off-by: Ming Lei <tom.leiming@gmail.com> Cc: David Brownell <dbrownell@users.sourceforge.net> Cc: Anand Gadiyar <gadiyar@ti.com> Cc: Mike Frysinger <vapier@gentoo.org> Cc: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Felipe Balbi <balbi@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ming Lei [Mon, 20 Sep 2010 07:32:05 +0000 (10:32 +0300)]
usb: musb: gadget: complete request only if data is transfered over
Complete the current request only if the data transfer is over.
Signed-off-by: Ming Lei <tom.leiming@gmail.com> Cc: David Brownell <dbrownell@users.sourceforge.net> Cc: Anand Gadiyar <gadiyar@ti.com> Cc: Mike Frysinger <vapier@gentoo.org> Cc: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Felipe Balbi <balbi@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ming Lei [Mon, 20 Sep 2010 07:32:03 +0000 (10:32 +0300)]
usb: musb: gadget: enable autoclear for OUT transfer in both DMA 0 and DMA 1
This patch fixes one bugs of OUT transfer in double buffer case:
-the current code only enable autoclear for dma mode 1, and not
for dma mode 0
Without this patch, test #5 of usbtest can't be passed if we
configure musb as g_zero and use fifo mode 3 to enable double
buffer mode.
With this patch and the following patch(fix dma length),
on my beagle B5, test#5(queued bulk out) may go beyond
18Mbyte/s(seems dma mode 0 is quicker in double buffer case)
if musb is configured as g_zero and fifo mode 3 is taken, follows
the test command:
Also I have tested this patch can't make g_ether broken.
[1],source of testusb : tools/usb/testusb.c under linux kernel;
Signed-off-by: Ming Lei <tom.leiming@gmail.com> Cc: David Brownell <dbrownell@users.sourceforge.net> Cc: Anand Gadiyar <gadiyar@ti.com> Cc: Mike Frysinger <vapier@gentoo.org> Cc: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Felipe Balbi <balbi@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ming Lei [Mon, 20 Sep 2010 07:32:02 +0000 (10:32 +0300)]
usb: musb: gadget: fix bulk IN infinit hangs in double buffer case
This patch fixes one infinite hang of bulk IN transfer in double buffer
case, the hang can be observed easily by test #6 of usbtest if musb is
configured as g_zero and fifo mode 3 is taken to enable double fifo.
In fact, the patch only removes the check for non-empty fifo before
loading data from new request into fifo since the check is not correct:
-in double buffer case, fifo may accommodate more than one packet,
even though it has contained one packet already and is non-empty
-since last DMA is completed before calling musb_g_tx, it is sure
that fifo may accommodate at least one packet
Without applying the patch, new requst enqueued from .complte may not
have a chance to be loaded into fifo, then will never be completed and
cause infinite hangs.
With the patch, on my beagle B5, test#6(queued bulk in) can be passed and
test result may go beyond 33Mbyte/s if musb is configured as g_zero and
fifo mode 3 is taken, follows the test command:
Ming Lei [Mon, 20 Sep 2010 07:32:01 +0000 (10:32 +0300)]
usb: musb: gadget: fix kernel panic if using out ep with FIFO_TXRX style
For shared fifo hw endpoint(with FIFO_TXRX style), only ep_in
field of musb_hw_ep is intialized in musb_g_init_endpoints, and
ep_out is not initialized, but musb_g_rx and rxstate may access
ep_out field of musb_hw_ep by the method below:
musb_ep = &musb->endpoints[epnum].ep_out
which can cause the kernel panic[1] below, this patch fixes the issue
by getting 'musb_ep' from '&musb->endpoints[epnum].ep_in' for shared fifo
endpoint.
Signed-off-by: Ming Lei <tom.leiming@gmail.com> Reviewed-by: Sergei Shtylyov <sshtylyov@mvista.com> Cc: David Brownell <dbrownell@users.sourceforge.net> Cc: Anand Gadiyar <gadiyar@ti.com> Cc: Mike Frysinger <vapier@gentoo.org> Cc: Sergei Shtylyov <sshtylyov@ru.mvista.com> Cc: stable <stable@kernel.org> Signed-off-by: Felipe Balbi <balbi@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alan Stern [Tue, 21 Sep 2010 19:01:53 +0000 (15:01 -0400)]
USB: fix bug in initialization of interface minor numbers
Recent changes in the usbhid layer exposed a bug in usbcore. If
CONFIG_USB_DYNAMIC_MINORS is enabled then an interface may be assigned
a minor number of 0. However interfaces that aren't registered as USB
class devices also have their minor number set to 0, during
initialization. As a result usb_find_interface() may return the
wrong interface, leading to a crash.
This patch (as1418) fixes the problem by initializing every
interface's minor number to -1. It also cleans up the
usb_register_dev() function, which besides being somewhat awkwardly
written, does not unwind completely on all its error paths.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Tested-by: Philip J. Turmel <philip@turmel.org> Tested-by: Gabriel Craciunescu <nix.or.die@googlemail.com> Tested-by: Alex Riesen <raa.lkml@gmail.com> Tested-by: Matthias Bayer <jackdachef@gmail.com> CC: Jiri Kosina <jkosina@suse.cz> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Pavan Savoy [Thu, 19 Aug 2010 18:08:51 +0000 (14:08 -0400)]
Staging: ti-st: remove st_get_plat_device
In order to support multiple ST platform devices, a new symbol
'st_get_plat_device' earlier needed to be exported by the arch/XX/brd-XX.c
file which intends to add the ST platform device.
On removing this dependency, now inside ST driver maintain the array of
ST platform devices that would be registered.
As of now let id=0, as and when we end up having such platforms
where mutliple ST devices can exist, id would come from
protocol drivers (BT, FM and GPS) as to on which platform device
they want to register to.
Signed-off-by: Pavan Savoy <pavan_savoy@ti.com> Acked-by: Randy Dunlap <randy.dunlap@oracle.com> Cc: Anca Emanuel <anca.emanuel@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
ALSA: hda - Fix auto-parse of SPDIF input of Realtek codecs
The SPDIF in audio widget must be searched through the list as the widget
that contains the given pin as the connection source. The current code
was implemented in a reverse way.
hugetlb, rmap: fix confusing page locking in hugetlb_cow()
The "if (!trylock_page)" block in the avoidcopy path of hugetlb_cow()
looks confusing and is buggy. Originally this trylock_page() was
intended to make sure that old_page is locked even when old_page !=
pagecache_page, because then only pagecache_page is locked.
This patch fixes it by moving page locking into hugetlb_fault().
Correct function being needlessly visible outside compilation unit
when the only users are internal.
Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com> Reviewed-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com> Reviewed-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
Correct function storage class, and correct assignment type.
Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com> Reviewed-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
Correct allocation flags type and function prototype for ANSI C compliance.
[airlied: whitespace fixed]
Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com> Reviewed-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
Ben Skeggs [Thu, 23 Sep 2010 06:44:01 +0000 (16:44 +1000)]
drm/nouveau: fix panels using straps-based mode detection
nouveau_bios_fp_mode() zeroes the mode struct before filling in relevant
entries. This nukes the mode id initialised by drm_mode_create(), and
causes warnings from idr when we try to remove the mode.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
While umounting, a block mle doesn't get freed if dlm is shutdown after
master request is received but before assert master. This results in unclean
shutdown of dlm domain.
This patch frees all mles that lie around after other nodes were notified about
exiting the dlm and marking dlm state as leaving. Only block mles are expected
to be around, so we log ERROR for other mles but still free them.
Signed-off-by: Srinivas Eeda <srinivas.eeda@oracle.com> Signed-off-by: Joel Becker <joel.becker@oracle.com>
Tao Ma [Sun, 19 Sep 2010 05:42:29 +0000 (13:42 +0800)]
ocfs2: Sync inode flags with ext2.
We sync our inode flags with ext2 and define them by hex
values. But actually in commit 3669567(4 years ago), all
these values are moved to include/linux/fs.h. So we'd
better also use them as what ext2 did. So sync our inode
flags with ext2 by using FS_*.
Signed-off-by: Tao Ma <tao.ma@oracle.com> Signed-off-by: Joel Becker <joel.becker@oracle.com>
Tao Ma [Sun, 19 Sep 2010 05:42:28 +0000 (13:42 +0800)]
ocfs2: Move 'wanted' into parens of ocfs2_resmap_resv_bits.
The first time I read the function ocfs2_resmap_resv_bits, I consider
about what 'wanted' will be used and consider about the comments.
Then I find it is only used if the reservation is empty. ;)
So we'd better move it to the parens so that it make the code more
readable, what's more, ocfs2_resmap_resv_bits is used so frequently
and we should save some cpus.
Acked-by: Mark Fasheh <mfasheh@suse.com> Signed-off-by: Tao Ma <tao.ma@oracle.com> Signed-off-by: Joel Becker <joel.becker@oracle.com>
Change the code so that it will use the correct size for keymap entries.
Do it in a way that makes it harder to screw it up in the future.
Reported-by: Jaime Velasco Juan <jsagarribay@gmail.com> Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br> Signed-off-by: Matthew Garrett <mjg@redhat.com>
Change MSI LAPTOP driver maintainer to Lee, Chun-Yi
Change MSI LAPTOP driver maintainer from Lennart Poettering to Lee, Chun-Yi.
MSI is a Taiwan OEM company, Lee, Chun-Yi can more easy to contact with MSI
and maintain msi-laptop driver.
Thank's for Lennart Poettering's contribute, Lee, Chun-Yi will base on his
article to continue maintain the msi-laptop driver.
Signed-off-by: Lee, Chun-Yi <jlee@novell.com> Signed-off-by: Matthew Garrett <mjg@redhat.com>
Avi Kivity [Tue, 21 Sep 2010 17:59:43 +0000 (19:59 +0200)]
KVM: Fix reboot on Intel hosts
When we reboot, we disable vmx extensions or otherwise INIT gets blocked.
If a task on another cpu hits a vmx instruction, it will fault if vmx is
disabled. We trap that to avoid a nasty oops and spin until the reboot
completes.
Problem is, we sleep with interrupts disabled. This blocks smp_send_stop()
from running, and the reboot process halts.
Fix by enabling interrupts before spinning.
KVM-Stable-Tag. Signed-off-by: Avi Kivity <avi@redhat.com> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
During irqfd assign, we drop irqfds lock before we
schedule inject work. Therefore, deassign running
on another CPU could cause shutdown and flush to run
before inject, causing user after free in inject.
A simple fix it to schedule inject under the lock.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Gregory Haskins <ghaskins@novell.com> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Andrea Arcangeli [Wed, 22 Sep 2010 20:05:12 +0000 (13:05 -0700)]
mmap: call unlink_anon_vmas() in __split_vma() in case of error
If __split_vma fails because of an out of memory condition the
anon_vma_chain isn't teardown and freed potentially leading to rmap walks
accessing freed vma information plus there's a memleak.
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com> Acked-by: Johannes Weiner <jweiner@redhat.com> Acked-by: Rik van Riel <riel@redhat.com> Acked-by: Hugh Dickins <hughd@google.com> Cc: Marcelo Tosatti <mtosatti@redhat.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Andrea Arcangeli [Wed, 22 Sep 2010 20:05:12 +0000 (13:05 -0700)]
rmap: fix walk during fork
The below bug in fork led to the rmap walk finding the parent huge-pmd
twice instead of just once, because the anon_vma_chain objects of the
child vma still point to the vma->vm_mm of the parent.
The patch fixes it by making the rmap walk accurate during fork. It's not
a big deal normally but it worth being accurate considering the cost is
the same.
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com> Acked-by: Johannes Weiner <jweiner@redhat.com> Acked-by: Rik van Riel <riel@redhat.com> Acked-by: Hugh Dickins <hughd@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Andrew Morton [Wed, 22 Sep 2010 20:05:11 +0000 (13:05 -0700)]
drivers/pci/intel-iommu.c: fix build with older gcc's
drivers/pci/intel-iommu.c: In function `__iommu_calculate_agaw':
drivers/pci/intel-iommu.c:437: sorry, unimplemented: inlining failed in call to 'width_to_agaw': function body not available
drivers/pci/intel-iommu.c:445: sorry, unimplemented: called from here
Move the offending function (and its siblings) to top-of-file, remove the
forward declaration.
David Rientjes [Wed, 22 Sep 2010 20:05:10 +0000 (13:05 -0700)]
oom: filter unkillable tasks from tasklist dump
/proc/sys/vm/oom_dump_tasks is enabled by default, so it's necessary to
limit as much information as possible that it should emit.
The tasklist dump should be filtered to only those tasks that are eligible
for oom kill. This is already done for memcg ooms, but this patch extends
it to both cpuset and mempolicy ooms as well as init.
In addition to suppressing irrelevant information, this also reduces
confusion since users currently don't know which tasks in the tasklist
aren't eligible for kill (such as those attached to cpusets or bound to
mempolicies with a disjoint set of mems or nodes, respectively) since that
information is not shown.
Signed-off-by: David Rientjes <rientjes@google.com> Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16 bytes
of uninitialized stack memory, because the "reserved" member of the
fb_vblank struct declared on the stack is not altered or zeroed before
being copied back to the user. This patch takes care of it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> Cc: Thomas Winischhofer <thomas@winischhofer.net> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This fixes:
incompatible pointer type: => 89
arch/um/kernel/exec.c: warning: passing argument 2 of 'execve1' from
incompatible pointer type: => 69, 85
arch/um/kernel/exec.c: warning: passing argument 3 of 'execve1' from
incompatible pointer type: => 69, 85
which was introduced by d7627467b7a8d ("Make do_execve() take a const
filename pointer")
Signed-off-by: Richard Weinberger <richard@nod.at> Cc: David Howells <dhowells@redhat.com> Cc: Jeff Dike <jdike@addtoit.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Currently, /proc/<pid>/smaps has wrong dirty pages accounting.
Shared_Dirty and Private_Dirty output only pte dirty pages and ignore
PG_dirty page flag. It is difference against documentation, but also
inconsistent against Referenced field. (Referenced checks both pte and
page flags)
The warning is caused by trying to cancel an uninitialized work from
fbcon_exit(). Fix it by adding a check for queue.func, similarly to other
places in this code.
Luke Macken [Wed, 22 Sep 2010 20:05:04 +0000 (13:05 -0700)]
efifb: support the EFI framebuffer on more Apple hardware
Enable the EFI framebuffer on 14 more Macs, including the iMac11,1
iMac10,1 iMac8,1 Macmini3,1 Macmini4,1 MacBook5,1 MacBook6,1 MacBook7,1
MacBookPro2,2 MacBookPro5,2 MacBookPro5,3 MacBookPro6,1 MacBookPro6,2 and
MacBookPro7,1
Information gathered from various user submissions.
[akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Luke Macken <lmacken@redhat.com> Signed-off-by: Peter Jones <pjones@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Peter Jones [Wed, 22 Sep 2010 20:05:04 +0000 (13:05 -0700)]
efifb: check that the base address is plausible on pci systems
Some Apple machines have identical DMI data but different memory
configurations for the video. Given that, check that the address in our
table is actually within the range of a PCI BAR on a VGA device in the
machine.
This also fixes up the return value from set_system(), which has always
been wrong, but never resulted in bad behavior since there's only ever
been one matching entry in the dmi table.
The patch
1) stops people's machines from crashing when we get their display wrong,
which seems to be unfortunately inevitable,
2) allows us to support identical dmi data with differing video memory
configurations
This also adds me as the efifb maintainer, since I've effectively been
acting as such for quite some time.
Signed-off-by: Peter Jones <pjones@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Kara [Wed, 22 Sep 2010 20:05:03 +0000 (13:05 -0700)]
aio: do not return ERESTARTSYS as a result of AIO
OCFS2 can return ERESTARTSYS from its write function when the process is
signalled while waiting for a cluster lock (and the filesystem is mounted
with intr mount option). Generally, it seems reasonable to allow
filesystems to return this error code from its IO functions. As we must
not leak ERESTARTSYS (and similar error codes) to userspace as a result of
an AIO operation, we have to properly convert it to EINTR inside AIO code
(restarting the syscall isn't really an option because other AIO could
have been already submitted by the same io_submit syscall).
Signed-off-by: Jan Kara <jack@suse.cz> Reviewed-by: Jeff Moyer <jmoyer@redhat.com> Cc: Christoph Hellwig <hch@infradead.org> Cc: Zach Brown <zach.brown@oracle.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Minchan Kim [Wed, 22 Sep 2010 20:05:01 +0000 (13:05 -0700)]
vmscan: check all_unreclaimable in direct reclaim path
M. Vefa Bicakci reported 2.6.35 kernel hang up when hibernation on his
32bit 3GB mem machine.
(https://bugzilla.kernel.org/show_bug.cgi?id=16771). Also he bisected
the regression to
vmscan: fix do_try_to_free_pages() return value when priority==0 reclaim failure
At first impression, this seemed very strange because the above commit
only chenged function return value and hibernate_preallocate_memory()
ignore return value of shrink_all_memory(). But it's related.
Now, page allocation from hibernation code may enter infinite loop if the
system has highmem. The reasons are that vmscan don't care enough OOM
case when oom_killer_disabled.
If kswapd is not freozen, it would set zone->all_unreclaimable to 1 and
then shrink_zones maybe return true(ie, all_unreclaimable is true). So at
last, alloc_pages could go to _nopage_. If it is, it should have no
problem.
This patch adds all_unreclaimable check to protect in direct reclaim path,
too. It can care of hibernation OOM case and help bailout
all_unreclaimable case slightly.
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Signed-off-by: Minchan Kim <minchan.kim@gmail.com> Reported-by: M. Vefa Bicakci <bicave@superonline.com> Reported-by: <caiqian@redhat.com> Reviewed-by: Johannes Weiner <hannes@cmpxchg.org> Tested-by: <caiqian@redhat.com> Acked-by: Rafael J. Wysocki <rjw@sisk.pl> Acked-by: Rik van Riel <riel@redhat.com> Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: Balbir Singh <balbir@in.ibm.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Alter the maintainer of the AVR32 architecture and the AVR32/AT32AP
machine support to me. Haavard is moving on to new challenges, and we've
found it better to transfer the maintainer part to me. I will have good
contact with Haavard anyway.
In an effort to minimize customer confusion we want to unify naming
convention for VMware-provided kernel modules. This change renames the
balloon driver from vmware_ballon to vmw_balloon.
We expect to follow this naming convention (vmw_<module_name>) for all
modules that are part of mainline kernel and/or being distributed by
VMware, with the sole exception of vmxnet3 driver (since the name of
mainline driver happens to match with the name used in VMware Tools).
arm: fix "arm: fix pci_set_consistent_dma_mask for dmabounce devices"
This fixes the regression caused by the commit 6fee48cd330c68
("dma-mapping: arm: use generic pci_set_dma_mask and
pci_set_consistent_dma_mask").
ARM needs to clip the dma coherent mask for dmabounce devices. This
restores the old trick.
Note that strictly speaking, the DMA API doesn't allow architectures to do
such but I'm not sure it's worth adding the new API to set the dma mask
that allows architectures to clip it.
Reported-by: Krzysztof Halasa <khc@pm.waw.pl> Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Acked-by: Russell King <rmk+kernel@arm.linux.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Commit 73296bc611 ("procfs: Use generic_file_llseek in /proc/vmcore")
broke seeking on /proc/vmcore. This changes it back to use default_llseek
in order to restore the original behaviour.
The problem with generic_file_llseek is that it only allows seeks up to
inode->i_sb->s_maxbytes, which is zero on procfs and some other virtual
file systems. We should merge generic_file_llseek and default_llseek some
day and clean this up in a proper way, but for 2.6.35/36, reverting vmcore
is the safer solution.
Signed-off-by: Arnd Bergmann <arnd@arndb.de> Cc: Frederic Weisbecker <fweisbec@gmail.com> Reported-by: CAI Qian <caiqian@redhat.com> Tested-by: CAI Qian <caiqian@redhat.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
David Rientjes [Wed, 22 Sep 2010 20:04:52 +0000 (13:04 -0700)]
oom: always return a badness score of non-zero for eligible tasks
A task's badness score is roughly a proportion of its rss and swap
compared to the system's capacity. The scale ranges from 0 to 1000 with
the highest score chosen for kill. Thus, this scale operates on a
resolution of 0.1% of RAM + swap. Admin tasks are also given a 3% bonus,
so the badness score of an admin task using 3% of memory, for example,
would still be 0.
It's possible that an exceptionally large number of tasks will combine to
exhaust all resources but never have a single task that uses more than
0.1% of RAM and swap (or 3.0% for admin tasks).
This patch ensures that the badness score of any eligible task is never 0
so the machine doesn't unnecessarily panic because it cannot find a task
to kill.
Signed-off-by: David Rientjes <rientjes@google.com> Cc: Dave Hansen <dave@linux.vnet.ibm.com> Cc: Nitin Gupta <ngupta@vflare.org> Cc: Pekka Enberg <penberg@cs.helsinki.fi> Cc: Minchan Kim <minchan.kim@gmail.com> Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Dan Rosenberg [Wed, 22 Sep 2010 18:32:56 +0000 (14:32 -0400)]
Prevent freeing uninitialized pointer in compat_do_readv_writev
In 32-bit compatibility mode, the error handling for
compat_do_readv_writev() may free an uninitialized pointer, potentially
leading to all sorts of ugly memory corruption. This is reliably
triggerable by unprivileged users by invoking the readv()/writev()
syscalls with an invalid iovec pointer. The below patch fixes this to
emulate the non-compat version.
Introduced by commit b83733639a49 ("compat: factor out
compat_rw_copy_check_uvector from compat_do_readv_writev")
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> Cc: stable@kernel.org (2.6.35) Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6:
sparc: Prevent no-handler signal syscall restart recursion.
sparc: Don't mask signal when we can't setup signal frame.
sparc64: Fix race in signal instruction flushing.
sparc64: Support RAW perf events.
Al Viro [Mon, 20 Sep 2010 20:48:57 +0000 (21:48 +0100)]
powerpc: fix double syscall restarts
Make sigreturn zero regs->trap, make do_signal() do the same on all
paths. As it is, signal interrupting e.g. read() from fd 512 (==
ERESTARTSYS) with another signal getting unblocked when the first
handler finishes will lead to restart one insn earlier than it ought
to. Same for multiple signals with in-kernel handlers interrupting
that sucker at the same time. Same for multiple signals of any kind
interrupting that sucker on 64bit...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Acked-by: Paul Mackerras <paulus@samba.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block
* 'for-linus' of git://git.kernel.dk/linux-2.6-block:
bdi: Fix warnings in __mark_inode_dirty for /dev/zero and friends
char: Mark /dev/zero and /dev/kmem as not capable of writeback
bdi: Initialize noop_backing_dev_info properly
cfq-iosched: fix a kernel OOPs when usb key is inserted
block: fix blk_rq_map_kern bio direction flag
cciss: freeing uninitialized data on error path
Erik J. Staab [Wed, 22 Sep 2010 09:07:41 +0000 (11:07 +0200)]
ALSA: oxygen: fix analog capture on Claro halo cards
On the HT-Omega Claro halo card, the ADC data must be captured from the
second I2S input. Using the default first input, which isn't connected
to anything, would result in silence.
Signed-off-by: Erik J. Staab <ejs@insightbb.com> Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Cc: <stable@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Jan Kara [Tue, 21 Sep 2010 09:51:01 +0000 (11:51 +0200)]
bdi: Fix warnings in __mark_inode_dirty for /dev/zero and friends
Inodes of devices such as /dev/zero can get dirty for example via
utime(2) syscall or due to atime update. Backing device of such inodes
(zero_bdi, etc.) is however unable to handle dirty inodes and thus
__mark_inode_dirty complains. In fact, inode should be rather dirtied
against backing device of the filesystem holding it. This is generally a
good rule except for filesystems such as 'bdev' or 'mtd_inodefs'. Inodes
in these pseudofilesystems are referenced from ordinary filesystem
inodes and carry mapping with real data of the device. Thus for these
inodes we have to use inode->i_mapping->backing_dev_info as we did so
far. We distinguish these filesystems by checking whether sb->s_bdi
points to a non-trivial backing device or not.
Example: Assume we have an ext3 filesystem on /dev/sda1 mounted on /.
There's a device inode A described by a path "/dev/sdb" on this
filesystem. This inode will be dirtied against backing device "8:0"
after this patch. bdev filesystem contains block device inode B coupled
with our inode A. When someone modifies a page of /dev/sdb, it's B that
gets dirtied and the dirtying happens against the backing device "8:16".
Thus both inodes get filed to a correct bdi list.
Cc: stable@kernel.org Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Jan Kara [Tue, 21 Sep 2010 09:49:01 +0000 (11:49 +0200)]
char: Mark /dev/zero and /dev/kmem as not capable of writeback
These devices don't do any writeback but their device inodes still can get
dirty so mark bdi appropriately so that bdi code does the right thing and files
inodes to lists of bdi carrying the device inodes.
Cc: stable@kernel.org Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Francisco Jerez [Tue, 21 Sep 2010 00:15:15 +0000 (02:15 +0200)]
drm/ttm: Clear the ghost cpu_writers flag on ttm_buffer_object_transfer.
It makes sense for a BO to move after a process has requested
exclusive RW access on it (e.g. because the BO used to be located in
unmappable VRAM and we intercepted the CPU access from the fault
handler).
If we let the ghost object inherit cpu_writers from the original
object, ttm_bo_release_list() will raise a kernel BUG when the ghost
object is destroyed. This can be reproduced with the nouveau driver on
nv5x.
Reported-by: Marcin Slusarz <marcin.slusarz@gmail.com> Reviewed-by: Jerome Glisse <jglisse@redhat.com> Tested-by: Marcin Slusarz <marcin.slusarz@gmail.com> Signed-off-by: Francisco Jerez <currojerez@riseup.net> Signed-off-by: Dave Airlie <airlied@redhat.com>