Russell King [Thu, 22 Sep 2011 09:32:25 +0000 (10:32 +0100)]
ARM: dma-mapping: free allocated page if unable to map
If the attempt to map a page for DMA fails (eg, because we're out of
mapping space) then we must not hold on to the page we allocated for
DMA - doing so will result in a memory leak.
Cc: <stable@kernel.org> Reported-by: Bryan Phillippe <bp@darkforest.org> Tested-by: Bryan Phillippe <bp@darkforest.org> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Russell King [Tue, 20 Sep 2011 22:35:15 +0000 (23:35 +0100)]
ARM: fix vmlinux.lds.S discarding sections
We are seeing linker errors caused by sections being discarded, despite
the linker script trying to keep them. The result is (eg):
`.exit.text' referenced in section `.alt.smp.init' of drivers/built-in.o: defined in discarded section `.exit.text' of drivers/built-in.o
`.exit.text' referenced in section `.alt.smp.init' of net/built-in.o: defined in discarded section `.exit.text' of net/built-in.o
This is the relevent part of the linker script (reformatted to make it
clearer):
| SECTIONS
| {
| /*
| * unwind exit sections must be discarded before the rest of the
| * unwind sections get included.
| */
| /DISCARD/ : {
| *(.ARM.exidx.exit.text)
| *(.ARM.extab.exit.text)
| }
| ...
| .exit.text : {
| *(.exit.text)
| *(.memexit.text)
| }
| ...
| /DISCARD/ : {
| *(.exit.text)
| *(.memexit.text)
| *(.exit.data)
| *(.memexit.data)
| *(.memexit.rodata)
| *(.exitcall.exit)
| *(.discard)
| *(.discard.*)
| }
| }
Now, this is what the linker manual says about discarded output sections:
| The special output section name `/DISCARD/' may be used to discard
| input sections. Any input sections which are assigned to an output
| section named `/DISCARD/' are not included in the output file.
No questions, no exceptions. It doesn't say "unless they are listed
before the /DISCARD/ section." Now, this is what asn-generic/vmlinux.lds.S
says:
| /*
| * Default discarded sections.
| *
| * Some archs want to discard exit text/data at runtime rather than
| * link time due to cross-section references such as alt instructions,
| * bug table, eh_frame, etc. DISCARDS must be the last of output
| * section definitions so that such archs put those in earlier section
| * definitions.
| */
And guess what - the list _always_ includes .exit.text etc.
Now, what's actually happening is that the linker is reading the script,
and it finds the first /DISCARD/ output section at the beginning of the
script. It continues reading the script, and finds the 'DISCARD' macro
at the end, which having been postprocessed results in another
/DISCARD/ output section. As the linker already contains the earlier
/DISCARD/ output section, it adds it to that existing section, so it
effectively is placed at the start. This can be seen by using the -M
option to ld:
As you can see, all the discarded sections are grouped together - and
as a result of it being the first output section, they all appear before
any other section.
The result is that not only is the unwind information discarded (as
intended), but also the .exit.text, despite us wanting to have the
.exit.text preserved.
We can't move the unwind information elsewhere, because it'll then be
included even when we do actually discard the .exit.text (and similar)
sections.
So, work around this by avoiding the generic DISCARDS macro, and instead
conditionalize the sections to be discarded ourselves. This avoids the
ambiguity in how the linker assigns input sections to output sections,
making our script less dependent on undocumented linker behaviour.
Reported-by: Rob Herring <robherring2@gmail.com> Tested-by: Mark Brown <broonie@opensource.wolfsonmicro.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Russell King [Sat, 17 Sep 2011 11:50:27 +0000 (12:50 +0100)]
ARM: nommu: fix warning with checksyscalls.sh
CALL scripts/checksyscalls.sh
<stdin>:46:1: warning: "__IGNORE_migrate_pages" redefined
In file included from <stdin>:2:
arch/arm/include/asm/unistd.h:482:1: warning: this is the location of the previous definition
This is caused because we define __IGNORE_migrate_pages to be 1, but
in the case of nommu, it's defined to be empty. Fix this by just
defining the __IGNORE_ symbols to be empty.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Will Deacon [Thu, 15 Sep 2011 10:45:15 +0000 (11:45 +0100)]
ARM: 7091/1: errata: D-cache line maintenance operation by MVA may not succeed
This patch implements a workaround for erratum 764369 affecting
Cortex-A9 MPCore with two or more processors (all current revisions).
Under certain timing circumstances, a data cache line maintenance
operation by MVA targeting an Inner Shareable memory region may fail to
proceed up to either the Point of Coherency or to the Point of
Unification of the system. This workaround adds a DSB instruction before
the relevant cache maintenance functions and sets a specific bit in the
diagnostic control register of the SCU.
Cc: <stable@kernel.org> Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Tested-by: Mark Rutland <mark.rutland@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Merge branch 'stable/bug.fixes' of git://oss.oracle.com/git/kwilk/xen
* 'stable/bug.fixes' of git://oss.oracle.com/git/kwilk/xen:
xen/i386: follow-up to "replace order-based range checking of M2P table by linear one"
xen/irq: Alter the locking to use a mutex instead of a spinlock.
xen/e820: if there is no dom0_mem=, don't tweak extra_pages.
xen: disable PV spinlocks on HVM
On x86-64, they were just wasteful: with the explicitly added (now
unnecessary) padding, the size of the alternatives structure was 16
bytes, and an alignment of 8 bytes didn't hurt much.
However, it was still silly, since the natural size and alignment for
the structure is actually just 12 bytes, 4-byte aligned since commit 59e97e4d6fbc ("x86: Make alternative instruction pointers relative").
So removing the padding, and removing the extra alignment is just a good
idea.
On x86-32, the alignment of 4 bytes was correct, but was incorrectly
hardcoded as 8 bytes in <asm/alternative-asm.h>. That header file had
used to be an x86-64 only header file, but various unification efforts
have made it be used for x86-32 too (ie the unification of rwlock and
rwsem).
That in turn caused x86-32 boot failures, because the extra alignment
would result in random zero-filled words in the altinstructions section,
causing oopses early at boot when doing alternative instruction
replacement.
So just remove all the alignment noise entirely. It's wrong, and it's
unnecessary. The section itself is already properly aligned by the
linker scripts, and all additions to the section had better be of the
proper 12-byte format, keeping it aligned. So if the align directive
were to ever make a difference, that would be an indication of a serious
bug to begin with.
Reported-by: Werner Landgraf <w.landgraf@ru.r> Acked-by: Andrew Lutomirski <luto@mit.edu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Merge branch 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/linux-nfs
* 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
nfs: Do not allow multiple mounts on same mountpoint when using -o noac
NFS: Fix a typo in nfs_flush_multi
NFSv4: renewd needs to be able to handle the NFS4ERR_CB_PATH_DOWN error
NFSv4: The NFSv4.0 client must send RENEW calls if it holds a delegation
NFSv4: nfs4_proc_renew should be declared static
NFSv4: nfs4_proc_async_renew should use a GFP_NOFS allocation
generic_check_addressable can't deal with hfsplus's larger than page
size allocation blocks, so simply opencode the checks that we actually
need in hfsplus_fill_super.
Signed-off-by: Christoph Hellwig <hch@tuxera.com> Reported-by: Pavel Ivanov <paivanof@gmail.com> Tested-by: Pavel Ivanov <paivanof@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
hfsplus: Fix kfree of wrong pointers in hfsplus_fill_super() error path
Commit 6596528e391a ("hfsplus: ensure bio requests are not smaller than
the hardware sectors") changed the pointers used for volume header
allocations but failed to free the correct pointers in the error path
path of hfsplus_fill_super() and hfsplus_read_wrapper.
The second hunk came from a separate patch by Pavel Ivanov.
Reported-by: Pavel Ivanov <paivanof@gmail.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Christoph Hellwig <hch@tuxera.com> Cc: <stable@kernel.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Beulich [Thu, 15 Sep 2011 07:52:40 +0000 (08:52 +0100)]
xen/i386: follow-up to "replace order-based range checking of M2P table by linear one"
The numbers obtained from the hypervisor really can't ever lead to an
overflow here, only the original calculation going through the order
of the range could have. This avoids the (as Jeremy points outs)
somewhat ugly NULL-based calculation here.
Signed-off-by: Jan Beulich <jbeulich@novell.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
xen/irq: Alter the locking to use a mutex instead of a spinlock.
When we allocate/change the IRQ informations, we do not
need to use spinlocks. We can use a mutex (which is
what the generic IRQ code does for allocations/changes).
Fixes a slew of:
Reported-by: Jim Burns <jim_burn@bellsouth.net> Acked-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Arjan van de Ven [Thu, 15 Sep 2011 06:49:25 +0000 (08:49 +0200)]
ALSA: pcm - fix race condition in wait_for_avail()
wait_for_avail() in pcm_lib.c has a race in it (observed in practice by an
Intel validation group).
The function is supposed to return once space in the buffer has become
available, or if some timeout happens. The entity that creates space (irq
handler of sound driver and some such) will do a wake up on a waitqueue
that this function registers for.
However there are two races in the existing code
1) If space became available between the caller noticing there was no
space and this function actually sleeping, the wakeup is missed and the
timeout condition will happen instead
2) If a wakeup happened but not sufficient space became available, the
code will loop again and wait for more space. However, if the second
wake comes in prior to hitting the schedule_timeout_interruptible(), it
will be missed, and potentially you'll wait out until the timeout
happens.
The fix consists of using more careful setting of the current state (so
that if a wakeup happens in the main loop window, the schedule_timeout()
falls through) and by checking for available space prior to going into the
schedule_timeout() loop, but after being on the waitqueue and having the
state set to interruptible.
[tiwai: the following changes have been added to Arjan's original patch:
- merged akpm's fix for waitqueue adding order into a single patch
- reduction of duplicated code of avail check
]
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Cc: <stable@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Shaohua Li [Thu, 15 Sep 2011 00:45:19 +0000 (08:45 +0800)]
mm: account skipped entries to avoid looping in find_get_pages
The found entries by find_get_pages() could be all swap entries. In
this case we skip the entries, but make sure the skipped entries are
accounted, so we don't keep looping.
Using nr_found > nr_skip to simplify code as suggested by Eric.
Reported-and-tested-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Shaohua Li <shaohua.li@intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Russell King [Wed, 14 Sep 2011 23:22:29 +0000 (16:22 -0700)]
drivers/gpio/gpio-generic.c: fix build errors
Building a kernel with hotplug disabled results in a link failure:
`bgpio_remove' referenced in section `___ksymtab_gpl+bgpio_remove' of drivers/built-in.o: defined in discarded section `.devexit.text' of drivers/built-in.o
This is because of bgpio_remove() is exported. It is illegal to export
symbols which are discarded either at link time or as part of an
init/exit section.
Fix this by dropping the __devexit attributation from bgpio_remove().
Also drop the __devinit attributation from bgpio_init().
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> Cc: Grant Likely <grant.likely@secretlab.ca> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Thomas Tuttle [Wed, 14 Sep 2011 23:22:28 +0000 (16:22 -0700)]
workqueue: lock cwq access in drain_workqueue
Take cwq->gcwq->lock to avoid racing between drain_workqueue checking to
make sure the workqueues are empty and cwq_dec_nr_in_flight decrementing
and then incrementing nr_active when it activates a delayed work.
We discovered this when a corner case in one of our drivers resulted in
us trying to destroy a workqueue in which the remaining work would
always requeue itself again in the same workqueue. We would hit this
race condition and trip the BUG_ON on workqueue.c:3080.
Signed-off-by: Thomas Tuttle <ttuttle@chromium.org> Acked-by: Tejun Heo <tj@kernel.org> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Loading CPUFreq modules[ 437.661360] BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffffa0434314>] pcc_cpufreq_cpu_init+0x74/0x220 [pcc_cpufreq]
It's better to avoid the oops by failing the driver, and allowing the
system to boot.
Signed-off-by: Naga Chumbalkar <nagananda.chumbalkar@hp.com> Cc: Dave Jones <davej@codemonkey.org.uk> Cc: Len Brown <lenb@kernel.org> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Donggeun Kim [Wed, 14 Sep 2011 23:22:19 +0000 (16:22 -0700)]
drivers/rtc/rtc-s3c.c: fix no occurrence of alarm interrupt
The driver does not generate an alarm interrupt even though a time for
an alarm is set.
This results from disabling rtc_clk after setting the alarm time.
To generate an alarm interrupt the driver should maintain its enabled
state for rtc_clk the until alarm interrupt occurs. This patch permits
generation of an alarm interrupt.
[akpm@linux-foundation.org: make s3c_rtc_alarm_clk_lock local to s3c_rtc_alarm_clk_enable()] Signed-off-by: Donggeun Kim <dg77.kim@samsung.com> Signed-off-by: MyungJoo Ham <myungjoo.ham@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Fix regression introduced by commit 5ada28bf7675 ("led-class: always
implement blinking") which broke sysfs delay handling by not storing the
updated value. Consequently it was only possible to set one of the delays
through the sysfs interface as the other delay was automatically restored
to it's default value. Reading the parameters always gave the defaults.
Signed-off-by: Johan Hovold <jhovold@gmail.com> Acked-by: Florian Fainelli <florian@openwrt.org> Acked-by: Richard Purdie <richard.purdie@linuxfoundation.org> Cc: <stable@kernel.org> [2.6.37+] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/misc/pti.c: give 'comm' function scope in pti_control_frame_built_and_sent()
In drivers/misc/pti.c::pti_control_frame_built_and_sent() we assign 'comm'
to 'thread_name_p' if (!thread_name). The problem is that 'comm' then
goes out of scope and later we use 'thread_name_p' which now refers to an
out-of-scope variable. To fix that, simply move 'comm' up to have
function scope.
Signed-off-by: Jesper Juhl <jj@chaosbits.net> Cc: Greg Kroah-Hartman <gregkh@suse.de> Cc: J Freyensee <james_p_freyensee@linux.intel.com> Cc: Jeremy Rocher <rocher.jeremy@gmail.com> Cc: Sergei Trofimovich <slyfox@gentoo.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
WANG Cong [Wed, 14 Sep 2011 23:22:06 +0000 (16:22 -0700)]
cris: fix a build error in drivers/tty/serial/crisv10.c
Fix these errors:
drivers/tty/serial/crisv10.c:4453: error: 'if_ser0' undeclared (first use in this function): 2 errors in 2 logs
drivers/tty/serial/crisv10.c:4453: error: (Each undeclared identifier is reported only once: 2 errors in 2 logs
drivers/tty/serial/crisv10.c:4453: error: for each function it appears in.): 2 errors in 2 logs
"if_ser0" is a typo, it should be "if_serial_0".
Signed-off-by: WANG Cong <xiyou.wangcong@gmail.com> Cc: Mikael Starvik <starvik@axis.com> Cc: Jesper Nilsson <jesper.nilsson@axis.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
David Vrabel [Wed, 14 Sep 2011 23:22:02 +0000 (16:22 -0700)]
mm: sync vmalloc address space page tables in alloc_vm_area()
Xen backend drivers (e.g., blkback and netback) would sometimes fail to
map grant pages into the vmalloc address space allocated with
alloc_vm_area(). The GNTTABOP_map_grant_ref would fail because Xen could
not find the page (in the L2 table) containing the PTEs it needed to
update.
(XEN) mm.c:3846:d0 Could not find L1 PTE for address fbb42000
netback and blkback were making the hypercall from a kernel thread where
task->active_mm != &init_mm and alloc_vm_area() was only updating the page
tables for init_mm. The usual method of deferring the update to the page
tables of other processes (i.e., after taking a fault) doesn't work as a
fault cannot occur during the hypercall.
This would work on some systems depending on what else was using vmalloc.
Fix this by reverting ef691947d8a3 ("vmalloc: remove vmalloc_sync_all()
from alloc_vm_area()") and add a comment to explain why it's needed.
Signed-off-by: David Vrabel <david.vrabel@citrix.com> Cc: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: Ian Campbell <Ian.Campbell@citrix.com> Cc: Keir Fraser <keir.xen@gmail.com> Cc: <stable@kernel.org> [3.0.x] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Johannes Weiner [Wed, 14 Sep 2011 23:21:58 +0000 (16:21 -0700)]
memcg: Revert "memcg: add memory.vmscan_stat"
Revert the post-3.0 commit 82f9d486e59f5 ("memcg: add
memory.vmscan_stat").
The implementation of per-memcg reclaim statistics violates how memcg
hierarchies usually behave: hierarchically.
The reclaim statistics are accounted to child memcgs and the parent
hitting the limit, but not to hierarchy levels in between. Usually,
hierarchical statistics are perfectly recursive, with each level
representing the sum of itself and all its children.
Since this exports statistics to userspace, this may lead to confusion
and problems with changing things after the release, so revert it now,
we can try again later.
Signed-off-by: Johannes Weiner <jweiner@redhat.com> Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp> Cc: Michal Hocko <mhocko@suse.cz> Cc: Ying Han <yinghan@google.com> Cc: Balbir Singh <bsingharora@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Axel Lin [Wed, 14 Sep 2011 23:21:47 +0000 (16:21 -0700)]
drivers/rtc/rtc-imxdi.c needs linux/sched.h
Include linux/sched.h to fix below build error.
CC drivers/rtc/rtc-imxdi.o
drivers/rtc/rtc-imxdi.c: In function 'di_write_wait':
drivers/rtc/rtc-imxdi.c:168: error: 'TASK_INTERRUPTIBLE' undeclared (first use in this function)
drivers/rtc/rtc-imxdi.c:168: error: (Each undeclared identifier is reported only once
drivers/rtc/rtc-imxdi.c:168: error: for each function it appears in.)
drivers/rtc/rtc-imxdi.c:168: error: implicit declaration of function 'signal_pending'
drivers/rtc/rtc-imxdi.c:168: error: implicit declaration of function 'schedule_timeout'
drivers/rtc/rtc-imxdi.c: In function 'dryice_norm_irq':
drivers/rtc/rtc-imxdi.c:329: error: 'TASK_INTERRUPTIBLE' undeclared (first use in this function)
Signed-off-by: Axel Lin <axel.lin@gmail.com> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Wan ZongShun <mcuos.com@gmail.com> Cc: Alessandro Zummo <a.zummo@towertech.it> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Ben Hutchings [Wed, 14 Sep 2011 23:21:42 +0000 (16:21 -0700)]
alpha, gpio: GENERIC_GPIO default must be n
Since GPIOLIB is optional on alpha, GENERIC_GPIO must not be selected by
default. If GPIOLIB is enabled, it will select GENERIC_GPIO.
See <http://bugs.debian.org/638696> for an example of what 'def_bool y'
breaks.
Reported-by: Michael Cree <mcree@orcon.net.nz> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Cc: Richard Henderson <rth@twiddle.net> Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru> Cc: Matt Turner <mattst88@gmail.com> Cc: Michael Cree <mcree@orcon.net.nz> Cc: Mark Brown <broonie@opensource.wolfsonmicro.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Al Viro [Wed, 14 Sep 2011 23:21:38 +0000 (16:21 -0700)]
um: fix strrchr() problems
richard@nod.at:
Fixes:
/usr/lib/gcc/x86_64-linux-gnu/4.4.5/../../../../lib/libc.a(strrchr.o): In function `rindex':
(.text+0x0): multiple definition of `strrchr'
If both STATIC_LINK and UML_NET_VDE are set to "y" libc's strrchr may
clash with the kernel implementation.
This workaround comes originally from Jeff Dike:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494995#35
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Richard Weinberger <richard@nod.at> Cc: Jeff Dike <jdike@addtoit.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Al Viro [Wed, 14 Sep 2011 23:21:31 +0000 (16:21 -0700)]
um: fix free_winch() mess
while not doing free_irq() from irq handler is commendable, kfree() on the
data passed to said handler before free_irq() is Not Good(tm). Freeing
the stack it's being run on is also not nice... Solution: delay actually
freeing stuff.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Al Viro [Wed, 14 Sep 2011 23:21:28 +0000 (16:21 -0700)]
um: winch_interrupt() can happen inside of free_winch()
... so set winch->fd to -1 before doing free_irq(), to avoid having
winch_interrupt() come from/during the latter and attempt to do
reactivate_fd() on something that's already gone.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Al Viro [Wed, 14 Sep 2011 23:21:25 +0000 (16:21 -0700)]
um: fix oopsable race in line_close()
tty->count is decremented only after ->close() had been called and
several tasks can hit it in parallel. As the result, using tty->count
to check if you are the last one is broken. We end up leaving line->tty
not reset to NULL and the next IRQ on that sucker will blow up trying to
dereference pointers from kfree'd struct tty.
Fix is obvious: we need to use a counter of our own.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Ingo van Lil [Wed, 14 Sep 2011 23:21:23 +0000 (16:21 -0700)]
um: Save FPU registers between task switches
Some time ago Jeff prepared 42daba316557 ("uml: stop saving process FP
state") for UML to stop saving the process FP state between task
switches. The assumption was that since with SKAS0 every guest process
runs inside a host process context the host OS will take care of keeping
the proper FP state.
Unfortunately this is not true for multi-threaded applications, where
all guest threads share a single host process context yet all may use
the FPU on their own. Although I haven't verified it I suspect things
to be even worse in SKAS3 mode where all guest processes run inside a
single host process.
The patch reintroduces the saving and restoring of the FP context
between task switches.
[richard@nod.at: Ingo posted this patch in 2009, sadly it was never applied
and got lost. Now in 2011 the problem was reported by Gunnar.]
Signed-off-by: Ingo van Lil <inguin@gmx.de> Signed-off-by: Richard Weinberger <richard@nod.at> Reported-by: <gunnarlindroth@hotmail.com> Tested-by: <gunnarlindroth@hotmail.com> Cc: Stanislav Meduna <stano@meduna.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
I could use out_close1, but that seems to be the code path to close the fd
returned by os_create_unix_socket, and using it to close the fd returned
by mkstemp might lead to some confusion, so I don't do it.
Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net> Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Commit b789ef518b2 ("slub: Add cmpxchg_double_slab()") tests for
cmpxchg_double support in the SLUB code and it breaks UML builds with
SLUB. Since UML does not support checking for CPU features, disable
CMPXCHG_DOUBLE just like CMPXCHG_LOCAL is disabled for UML.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@holoscopio.com> Reviewed-by: Christoph Lameter <cl@linux.com> Cc: Jeff Dike <jdike@addtoit.com> Cc: Richard Weinberger <richard@nod.at> Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/mempolicy.c: make copy_from_user() provably correct
When compiling mm/mempolicy.c with struct user copy checks the following
warning is shown:
In file included from arch/x86/include/asm/uaccess.h:572,
from include/linux/uaccess.h:5,
from include/linux/highmem.h:7,
from include/linux/pagemap.h:10,
from include/linux/mempolicy.h:70,
from mm/mempolicy.c:68:
In function `copy_from_user',
inlined from `compat_sys_get_mempolicy' at mm/mempolicy.c:1415:
arch/x86/include/asm/uaccess_64.h:64: warning: call to `copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct
LD mm/built-in.o
commit 9d8cebd4bcd7 ("mm: fix mbind vma merge problem") didn't really
fix the mbind vma merge problem due to wrong pgoff value passing to
vma_merge(), which made vma_merge() always return NULL.
Before the patch applied, we are getting a result like:
* git://bedivere.hansenpartnership.com/git/scsi-rc-fixes-2.6: (25 commits)
[SCSI] bnx2i: Fixed the endian on TTT for NOP out transmission
[SCSI] libfc: fix referencing to fc_fcp_pkt from the frame pointer via fr_fsp()
[SCSI] libfc: block SCSI eh thread for blocked rports
[SCSI] libfc: fix fc_eh_host_reset
[SCSI] fcoe: Fix deadlock between fip's recv_work and rtnl
[SCSI] qla2xxx: Update version number to 8.03.07.07-k.
[SCSI] qla2xxx: Set the task attributes after memsetting fcp cmnd.
[SCSI] qla2xxx: Correct inadvertent loop state transitions during port-update handling.
[SCSI] qla2xxx: Save and restore irq in the response queue interrupt handler.
[SCSI] qla2xxx: Double check for command completion if abort mailbox command fails.
[SCSI] qla2xxx: Acquire hardware lock while manipulating dsd list.
[SCSI] qla2xxx: Fix qla24xx revision check while enabling interrupts.
[SCSI] qla2xxx: T10 DIF - Fix incorrect error reporting.
[SCSI] qla2xxx: T10 DIF - Handle uninitalized sectors.
[SCSI] hpsa: fix physical device lun and target numbering problem
[SCSI] hpsa: fix problem that OBDR devices are not detected
[SCSI] isci: add version number
[SCSI] isci: fix event-get pointer increment
[SCSI] isci: dynamic interrupt coalescing
[SCSI] isci: Leave requests alone if already terminating.
...
Al Viro [Wed, 14 Sep 2011 17:55:41 +0000 (18:55 +0100)]
restore pinning the victim dentry in vfs_rmdir()/vfs_rename_dir()
We used to get the victim pinned by dentry_unhash() prior to commit 64252c75a219 ("vfs: remove dget() from dentry_unhash()") and ->rmdir()
and ->rename() instances relied on that; most of them don't care, but
ones that used d_delete() themselves do. As the result, we are getting
rmdir() oopses on NFS now.
Just grab the reference before locking the victim and drop it explicitly
after unlocking, same as vfs_rename_other() does.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Tested-by: Simon Kirby <sim@hostway.ca> Cc: stable@kernel.org (3.0.x) Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
xfs: fix a use after free in xfs_end_io_direct_write
There is a window in which the ioend that we call inode_dio_wake on
in xfs_end_io_direct_write is already free. Fix this by storing
the inode pointer in a local variable.
This is a fix for the regression introduced in 3.1-rc by
"fs: move inode_dio_done to the end_io handler".
Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Alex Elder <aelder@sgi.com>
ALSA: HDA: Cirrus - fix "Surround Speaker" volume control name
This patch fixes "Surround Speaker Playback Volume" being cut off.
(Commit b4dabfc452a10 was probably meant to fix this, but it fixed
only the "Switch" name, not the "Volume" name.)
Signed-off-by: David Henningsson <david.henningsson@canonical.com> Cc: <stable@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
pci: Don't crash when reading mpss from root complex
In pcie_find_smpss(), we have the following statement:
if (dev->is_hotplug_bridge && (!list_is_singular(&dev->bus->devices) ||
dev->bus->self->pcie_type != PCI_EXP_TYPE_ROOT_PORT))
The problem is that at least on my machine, this gets called for the
root complex (virtual P2P bridge), and dev->bus->self is NULL since
the parent bus for this is not itself anchor to a PCI device.
This adds the necessary NULL check.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Acked-by: Jon Mason <mason@myri.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Sachin Prabhu [Mon, 1 Aug 2011 11:10:12 +0000 (12:10 +0100)]
nfs: Do not allow multiple mounts on same mountpoint when using -o noac
Do not allow multiple mounts on same mountpoint when using -o noac
When you normally attempt to mount a share twice on the same mountpoint,
a check in do_add_mount causes it to return an error
# mount localhost:/nfsv3 /mnt
# mount localhost:/nfsv3 /mnt
mount.nfs: /mnt is already mounted or busy
However when using the option 'noac', the user is able to mount the same
share on the same mountpoint multiple times. This happens because a
share mounted with the noac option is automatically assigned the 'sync'
flag MS_SYNCHRONOUS in nfs_initialise_sb(). This flag is set after the
check for already existing superblocks is done in sget(). The check for
the mount flags in nfs_compare_mount_options() does not take into
account the 'sync' flag applied later on in the code path. This means
that when using 'noac', a new superblock structure is assigned for every
new mount of the same share and multiple shares on the same mountpoint
are allowed.
ie.
# mount -onoac localhost:/nfsv3 /mnt
can be run multiple times.
The patch checks for noac and assigns the sync flag before sget() is
called to obtain an already existing superblock structure.
David Vrabel [Tue, 13 Sep 2011 14:17:32 +0000 (10:17 -0400)]
xen/e820: if there is no dom0_mem=, don't tweak extra_pages.
The patch "xen: use maximum reservation to limit amount of usable RAM"
(d312ae878b6aed3912e1acaaf5d0b2a9d08a4f11) breaks machines that
do not use 'dom0_mem=' argument with:
reserve RAM buffer: 000000133f2e2000 - 000000133fffffff
(XEN) mm.c:4976:d0 Global bit is set to kernel page fffff8117e
(XEN) domain_crash_sync called from entry.S
(XEN) Domain 0 (vcpu#0) crashed on cpu#0:
...
The reason being that the last E820 entry is created using the
'extra_pages' (which is based on how many pages have been freed).
The mentioned git commit sets the initial value of 'extra_pages'
using a hypercall which returns the number of pages (if dom0_mem
has been used) or -1 otherwise. If the later we return with
MAX_DOMAIN_PAGES as basis for calculation:
which means we end up with extra_pages = 128GB in PFNs (33554432)
- 8GB in PFNs (2097152, on this specific box, can be larger or smaller),
and then we add that value to the E820 making it:
Temperature alarms are detected by checking the alarm bit and comparing
temperature limits against the current temperature. For low limits, this
comparison needs to be reversed (temp < limit instead of temp > limit).
This was not taken into account, resulting in wrong alarms if a temperature
fell below a low limit.
Fix by adding a low limit flag in the limit data structure. When creating the
sensor entry, the order of registers to compare is now reversed for low limits.
ALSA: hda - Terminate the recursive connection search properly
The recursive search of widget connections in snd_hda_get_conn_index()
must be terminated at the pin and the audio-out widgets. Otherwise
you'll get "too deep connection" warnings unnecessarily.
Reported-by: Francis Moreau <francis.moro@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Chris Bagwell [Fri, 9 Sep 2011 20:38:10 +0000 (13:38 -0700)]
Input: wacom - fix touch parsing on newer Bamboos
Bamboos with Product ID's > 0xD4 return values unrelated to pressure
in touch 1 pressure field. They also report 2nd touch X/Y values
shifted down 1 byte (where pressure was). This results in jumpy
1 finger touch and totally invalid 2nd finger data.
For touch detection, switch to a Touch Present single bit that
all versions of Bamboo support.
For touch 2 offset, calculate offset based on a bit that is set
different between the two packet layouts.
Since touch pressure reports were removed from driver, there was
no need to be reading pressure any more.
Merge branch 'acpi' of git://github.com/lenb/linux
* 'acpi' of git://github.com/lenb/linux:
acpica: ACPI_MAX_SLEEP should be 2 sec, not 20
ACPI APEI: Add Kconfig option IRQ_WORK for GHES
PNP: update pnp.debug usage (needs value on command line)
APEI: Fix WHEA _OSC call
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
drm: Remove duplicate "return" statement
drm/nv04/crtc: Bail out if FB is not bound to crtc
drm/nouveau: fix nv04_sgdma_bind on non-"4kB pages" archs
drm/nouveau: properly handle allocation failure in nouveau_sgdma_populate
drm/nouveau: fix oops on pre-semaphore hardware
drm/nv50/crtc: Bail out if FB is not bound to crtc
drm/radeon/kms: fix DP detect and EDID fetch for DP bridges
Merge branch 'fixes' of git://git.linaro.org/people/arnd/arm-soc
* 'fixes' of git://git.linaro.org/people/arnd/arm-soc:
ARM: CSR: add missing sentinels to of_device_id tables
ARM: cns3xxx: Fix newly introduced warnings in the PCIe code
ARM: cns3xxx: Fix compile error caused by hardware.h removed
ARM: davinci: fix cache flush build error
ARM: davinci: correct MDSTAT_STATE_MASK
ARM: davinci: da850 EVM: read mac address from SPI flash
OMAP: omap_device: fix !CONFIG_SUSPEND case in _noirq handlers
OMAP2430: hwmod: musb: add missing terminator to omap2430_usbhsotg_addrs[]
OMAP3: clock: indicate that gpt12_fck and wdt1_fck are in the WKUP clockdomain
OMAP4: clock: fix compile warning
OMAP4: clock: re-enable previous clockdomain enable/disable sequence
OMAP: clockdomain: Wait for powerdomain to be ON when using clockdomain force wakeup
OMAP: powerdomains: Make all powerdomain target states as ON at init
The LTTng 2.0 kernel tracer (stand-alone module package, available at
http://lttng.org) uses the 0xF6 ioctl range for tracer control and
transport operations.
Merge branch 'for-linus' of git://github.com/chrismason/linux
* 'for-linus' of git://github.com/chrismason/linux:
Btrfs: add dummy extent if dst offset excceeds file end in
Btrfs: calc file extent num_bytes correctly in file clone
btrfs: xattr: fix attribute removal
Btrfs: fix wrong nbytes information of the inode
Btrfs: fix the file extent gap when doing direct IO
Btrfs: fix unclosed transaction handle in btrfs_cont_expand
Btrfs: fix misuse of trans block rsv
Btrfs: reset to appropriate block rsv after orphan operations
Btrfs: skip locking if searching the commit root in csum lookup
btrfs: fix warning in iput for bad-inode
Btrfs: fix an oops when deleting snapshots
If we write some data into the data hole of the file(no preallocation for this
hole), Btrfs will allocate some disk space, and update nbytes of the inode, but
the other element--disk_i_size needn't be updated. At this condition, we must
update inode metadata though disk_i_size is not changed(btrfs_ordered_update_i_size()
return 1).
Btrfs: fix the file extent gap when doing direct IO
When we write some data to the place that is beyond the end of the file
in direct I/O mode, a data hole will be created. And Btrfs should insert
a file extent item that point to this hole into the fs tree. But unfortunately
Btrfs forgets doing it.
The following is a simple way to reproduce it:
# mkfs.btrfs /dev/sdc2
# mount /dev/sdc2 /test4
# touch /test4/a
# dd if=/dev/zero of=/test4/a seek=8 count=1 bs=4K oflag=direct conv=nocreat,notrunc
# umount /test4
# btrfsck /dev/sdc2
root 5 inode 257 errors 100
Liu Bo [Sun, 11 Sep 2011 14:52:24 +0000 (10:52 -0400)]
Btrfs: fix misuse of trans block rsv
At the beginning of create_pending_snapshot, trans->block_rsv is set
to pending->block_rsv and is used for snapshot things, however, when
it is done, we do not recover it as will.
Signed-off-by: Liu Bo <liubo2009@cn.fujitsu.com> Signed-off-by: Chris Mason <chris.mason@oracle.com>
Liu Bo [Sun, 11 Sep 2011 14:52:24 +0000 (10:52 -0400)]
Btrfs: reset to appropriate block rsv after orphan operations
While truncating free space cache, we forget to change trans->block_rsv
back to the original one, but leave it with the orphan_block_rsv, and
then with option inode_cache enable, it leads to countless warnings of
btrfs_alloc_free_block and btrfs_orphan_commit_root:
WARNING: at fs/btrfs/extent-tree.c:5711 btrfs_alloc_free_block+0x180/0x350 [btrfs]()
...
WARNING: at fs/btrfs/inode.c:2193 btrfs_orphan_commit_root+0xb0/0xc0 [btrfs]()
Signed-off-by: Liu Bo <liubo2009@cn.fujitsu.com> Signed-off-by: Chris Mason <chris.mason@oracle.com>
Josef Bacik [Sun, 11 Sep 2011 14:52:24 +0000 (10:52 -0400)]
Btrfs: skip locking if searching the commit root in csum lookup
It's not enough to just search the commit root, since we could be cow'ing the
very block we need to search through, which would mean that its locked and we'll
still deadlock. So use path->skip_locking as well. Thanks,
Signed-off-by: Josef Bacik <josef@redhat.com> Signed-off-by: Chris Mason <chris.mason@oracle.com>
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> CC: Konstantin Khlebnikov <khlebnikov@openvz.org> Tested-by: David Sterba <dsterba@suse.cz> CC: Josef Bacik <josef@redhat.com> CC: Chris Mason <chris.mason@oracle.com> Signed-off-by: Chris Mason <chris.mason@oracle.com>
When it comes to btrfs_lookup_dentry, we may set a snapshot's inode->i_ino
to BTRFS_EMPTY_SUBVOL_DIR_OBJECTID instead of BTRFS_FIRST_FREE_OBJECTID,
while the snapshot's location.objectid remains unchanged.
However, btrfs_ino() does not take this into account, and returns a wrong ino,
and causes the oops.
Signed-off-by: Liu Bo <liubo2009@cn.fujitsu.com> Signed-off-by: Chris Mason <chris.mason@oracle.com>
Florian Mickler [Wed, 10 Aug 2011 10:05:20 +0000 (07:05 -0300)]
[media] vp7045: fix buffer setup
dvb_usb_device_init calls the frontend_attach method of this driver which
uses vp7045_usb_ob. In order to have a buffer ready in vp7045_usb_op, it has to
be allocated before that happens.
Luckily we can use the whole private data as the buffer as it gets separately
allocated on the heap via kzalloc in dvb_usb_device_init and is thus apt for
use via usb_control_msg.
This fixes a
BUG: unable to handle kernel paging request at 0000000000001e78
reported by Tino Keitel and diagnosed by Dan Carpenter.
Cc: stable@kernel.org # For v3.0 and upper Tested-by: Tino Keitel <tino.keitel@tikei.de> Signed-off-by: Florian Mickler <florian@mickler.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Jarod Wilson [Mon, 8 Aug 2011 20:20:40 +0000 (17:20 -0300)]
[media] nuvoton-cir: simplify raw IR sample handling
The nuvoton-cir driver was storing up consecutive pulse-pulse and
space-space samples internally, for no good reason, since
ir_raw_event_store_with_filter() already merges back to back like
samples types for us. This should also fix a regression introduced late
in 3.0 that related to a timeout change, which actually becomes correct
when coupled with this change. Tested with RC6 and RC5 on my own
nuvoton-cir hardware atop vanilla 3.0.0, after verifying quirky
behavior in 3.0 due to the timeout change.
Reported-by: Stephan Raue <sraue@openelec.tv> CC: Stephan Raue <sraue@openelec.tv> CC: stable@vger.kernel.org Signed-off-by: Jarod Wilson <jarod@redhat.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Jesper Juhl [Mon, 1 Aug 2011 21:39:17 +0000 (18:39 -0300)]
[media] [Resend] viacam: Don't explode if pci_find_bus() returns NULL
In the unlikely case that pci_find_bus() should return NULL
viacam_serial_is_enabled() is going to dereference a NULL pointer and
blow up. Better safe than sorry, so be defensive and check the
pointer.
Dan Carpenter [Sat, 23 Jul 2011 18:53:03 +0000 (15:53 -0300)]
[media] pwc: precedence bug in pwc_init_controls()
'!' has higher precedence than '&' so we need parenthesis here.
Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Jonas Bonn [Mon, 5 Sep 2011 11:47:10 +0000 (13:47 +0200)]
Add missing DMA ops
For the initial architecture submission, not all of the DMA ops were
implemented. This patch adds the *map_page and *map_sg variants of the
DMA mapping ops.
This patch is currently of interest mainly to some drivers that haven't
been submitted upstream yet.
Merge branch 'fixes' of http://ftp.arm.linux.org.uk/pub/linux/arm/kernel/git-cur/linux-2.6-arm
* 'fixes' of http://ftp.arm.linux.org.uk/pub/linux/arm/kernel/git-cur/linux-2.6-arm:
ARM: 7088/1: entry: fix wrong parameter name used in do_thumb_abort
ARM: 7080/1: l2x0: make sure I&D are not locked down on init
ARM: 7081/1: mach-integrator: fix the clocksource
NET: am79c961: fix race in link status code
ARM: 7067/1: mm: keep significant bits in pfn_valid
ARM: 7088/1: entry: fix wrong parameter name used in do_thumb_abort
Commit be020f8618ca, "ARM: entry: abort-macro: specify registers to be
used for macros", while replacing register numbers with macro parameter
names, mismatched the name used for r1. For me, this resulted in user
space built for EABI with -march=armv4t -mtune=arm920t -mthumb-interwork
-mthumb broken on my OMAP1510 based Amstrad Delta (old ABI and no thumb
still worked for me though).
Fix this by using correct parameter name fsr instead of mismatched psr,
used by callers for another purpose.
Signed-off-by: Janusz Krzysztofik <jkrzyszt@tis.icnet.pl> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Since backlight_types[] isn't modified, let's declare it const. That
was probably the intention of the author of commit bb7ca747f8d6
("backlight: add backlight type"), via which the "const char const *"
construct was introduced. The duplicate const was detected by sparse.
Signed-off-by: Bart Van Assche <bvanassche@acm.org> Cc: Matthew Garrett <mjg@redhat.com> Cc: Richard Purdie <rpurdie@rpsys.net> Cc: Florian Tobias Schandinat <FlorianSchandinat@gmx.de> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Merge branch 'for-linus' of git://neil.brown.name/md
* 'for-linus' of git://neil.brown.name/md:
md: Fix handling for devices from 2TB to 4TB in 0.90 metadata.
md/raid1,10: Remove use-after-free bug in make_request.
md/raid10: unify handling of write completion.
Avoid dereferencing a 'request_queue' after last close.
md: Fix handling for devices from 2TB to 4TB in 0.90 metadata.
0.90 metadata uses an unsigned 32bit number to count the number of
kilobytes used from each device.
This should allow up to 4TB per device.
However we multiply this by 2 (to get sectors) before casting to a
larger type, so sizes above 2TB get truncated.
Also we allow rdev->sectors to be larger than 4TB, so it is possible
for the array to be resized larger than the metadata can handle.
So make sure rdev->sectors never exceeds 4TB when 0.90 metadata is in
used.
Also the sanity check at the end of super_90_load should include level
1 as it used ->size too. (RAID0 and Linear don't use ->size at all).