GitHub/MotorolaMobilityLLC/kernel-slsi.git
14 years agoMerge branch 'for-2.6.37/drivers' into for-linus
Jens Axboe [Wed, 10 Nov 2010 13:51:27 +0000 (14:51 +0100)]
Merge branch 'for-2.6.37/drivers' into for-linus

Conflicts:
drivers/block/cciss.c

Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
14 years agoioprio: rcu_read_lock/unlock protect find_task_by_vpid call (V2)
Sergey Senozhatsky [Tue, 9 Nov 2010 20:26:56 +0000 (21:26 +0100)]
ioprio: rcu_read_lock/unlock protect find_task_by_vpid call (V2)

Commit 4221a9918e38b7494cee341dda7b7b4bb8c04bde "Add RCU check for
find_task_by_vpid()" introduced rcu_lockdep_assert to find_task_by_pid_ns=

Assertion failed in sys_ioprio_get. The patch is fixing assertion
failure in ioprio_set as well.

 kernel/pid.c:419 invoked rcu_dereference_check() without protection!

 stack backtrace:
 Pid: 4254, comm: iotop Not tainted
 Call Trace:
 [<ffffffff810656f2>] lockdep_rcu_dereference+0xaa/0xb2
 [<ffffffff81053c67>] find_task_by_pid_ns+0x4f/0x68
 [<ffffffff81053c9d>] find_task_by_vpid+0x1d/0x1f
 [<ffffffff811104e2>] sys_ioprio_get+0x50/0x2da
 [<ffffffff81002182>] system_call_fastpath+0x16/0x1b

V2: rcu critical section expanded according to comment by Paul E. McKenney

Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
14 years agoioprio: fix RCU locking around task dereference
Daniel J Blueman [Tue, 9 Nov 2010 20:33:02 +0000 (21:33 +0100)]
ioprio: fix RCU locking around task dereference

With 2.6.37-rc1, I observe sys_ioprio_set not taking the RCU lock [1]
across access to the task credentials.

Inspecting the code in fs/ioprio.c, the tasklist_lock is held for read
across the __task_cred call, which is presumably sufficient to prevent
the task credentials becoming stale.

===================================================

[ INFO: suspicious rcu_dereference_check() usage. ]

---------------------------------------------------

kernel/pid.c:419 invoked rcu_dereference_check() without protection!

other info that might help us debug this:

rcu_scheduler_active = 1, debug_locks = 1

1 lock held by start-stop-daem/2246:

 #0:  (tasklist_lock){.?.?..}, at: [<ffffffff811a2dfa>]
sys_ioprio_set+0x8a/0x400

stack backtrace:

Pid: 2246, comm: start-stop-daem Not tainted 2.6.37-rc1-330cd+ #2

Call Trace:

 [<ffffffff8109f5f4>] lockdep_rcu_dereference+0xa4/0xc0

 [<ffffffff81085651>] find_task_by_pid_ns+0x81/0x90

 [<ffffffff8108567d>] find_task_by_vpid+0x1d/0x20

 [<ffffffff811a3160>] sys_ioprio_set+0x3f0/0x400

 [<ffffffff816efa79>] ? trace_hardirqs_on_thunk+0x3a/0x3f

 [<ffffffff81003482>] system_call_fastpath+0x16/0x1b

Take the RCU lock for read across acquiring the pointer to the task
credentials and dereferencing it.

Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com>
Fixed up by Jens to fix missing rcu_read_unlock() on mismatches.

Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
14 years agoblock: ioctl: fix information leak to userland
Vasiliy Kulikov [Mon, 8 Nov 2010 13:42:40 +0000 (14:42 +0100)]
block: ioctl: fix information leak to userland

Structure hd_geometry is copied to userland with 4 padding bytes
between cylinders and start fields uninitialized on 64-bit platforms.
It leads to leaking of contents of kernel stack memory.

Currently there is no memset() in real implementations of getgeo()
in drivers/block/, so it makes sense to have memset() in blkdev_ioctl().

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
14 years agoblock: read i_size with i_size_read()
Mike Snitzer [Mon, 8 Nov 2010 13:39:12 +0000 (14:39 +0100)]
block: read i_size with i_size_read()

Convert direct reads of an inode's i_size to using i_size_read().

i_size_{read,write} use a seqcount to protect reads from accessing
incomple writes.  Concurrent i_size_write()s require mutual exclussion
to protect the seqcount that is used by i_size_{read,write}.  But
i_size_read() callers do not need to use additional locking.

Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Acked-by: NeilBrown <neilb@suse.de>
Acked-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
14 years agocciss: fix proc warning on attempt to remove non-existant directory
Jens Axboe [Mon, 8 Nov 2010 13:29:13 +0000 (14:29 +0100)]
cciss: fix proc warning on attempt to remove non-existant directory

Randy reports that he gets the following stack trace when
removing the cciss module:

[  109.164277] Pid: 3463, comm: rmmod Not tainted 2.6.37-rc1 #7
[  109.164280] Call Trace:
[  109.164292]  [<ffffffff8107eb8d>] warn_slowpath_common+0xc6/0xf3
[  109.164299]  [<ffffffff8107ecaa>] warn_slowpath_fmt+0x5b/0x6b
[  109.164307]  [<ffffffff8155175b>] ? _raw_spin_unlock+0x40/0x4b
[  109.164313]  [<ffffffff8123dd1e>] remove_proc_entry+0x156/0x35e
[  109.164320]  [<ffffffff812cd91b>] ? do_raw_spin_unlock+0xff/0x10f
[  109.164327]  [<ffffffff8113823d>] ? trace_hardirqs_on+0x10/0x4a
[  109.164333]  [<ffffffff8155162d>] ? _raw_spin_unlock_irq+0x4c/0x7b
[  109.164339]  [<ffffffff8154d4d1>] ? wait_for_common+0x145/0x15e
[  109.164345]  [<ffffffff81075337>] ? default_wake_function+0x0/0x22
[  109.164357]  [<ffffffffa0615a8f>] cciss_cleanup+0xa9/0xc7 [cciss]
[  109.164365]  [<ffffffff810d3cb0>] sys_delete_module+0x2d6/0x368
[  109.164371]  [<ffffffff8155036b>] ? lockdep_sys_exit_thunk+0x35/0x67
[  109.164377]  [<ffffffff810fdfaf>] ? audit_syscall_entry+0x172/0x1a5
[  109.164383]  [<ffffffff815502f5>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[  109.164389]  [<ffffffff8100ea72>] system_call_fastpath+0x16/0x1b
[  109.164394] ---[ end trace 88e8568246ed0b1d ]---

which will happen if you don't actually have an HP CISS adapter,
since it'll do an uncondional removal of a proc directory it
never attempted to create in that case.

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
14 years agobio: take care not overflow page count when mapping/copying user data
Jens Axboe [Wed, 10 Nov 2010 13:36:25 +0000 (14:36 +0100)]
bio: take care not overflow page count when mapping/copying user data

If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
to overflow, we could end up attempting to map a huge number of
pages. Check for this invalid input type.

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
14 years agoblock: limit vec count in bio_kmalloc() and bio_alloc_map_data()
Jens Axboe [Fri, 29 Oct 2010 17:46:56 +0000 (11:46 -0600)]
block: limit vec count in bio_kmalloc() and bio_alloc_map_data()

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
14 years agoblock: take care not to overflow when calculating total iov length
Jens Axboe [Fri, 29 Oct 2010 17:31:42 +0000 (11:31 -0600)]
block: take care not to overflow when calculating total iov length

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
14 years agoblock: check for proper length of iov entries in blk_rq_map_user_iov()
Jens Axboe [Fri, 29 Oct 2010 14:10:18 +0000 (08:10 -0600)]
block: check for proper length of iov entries in blk_rq_map_user_iov()

Ensure that we pass down properly validated iov segments before
calling into the mapping or copy functions.

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
14 years agoipw2x00: remove the right /proc/net entry
Linus Torvalds [Sat, 6 Nov 2010 01:57:04 +0000 (18:57 -0700)]
ipw2x00: remove the right /proc/net entry

Commit 27ae60f8f7aa ("ipw2x00: replace "ieee80211" with "libipw" where
appropriate") changed DRV_NAME to be "libipw", but didn't properly fix
up the places where it was used to specify the name for the /proc/net/
directory.

For backwards compatibility reasons, that directory name remained
"ieee80211", but due to the DRV_NAME change, the error case printouts
and the cleanup functions now used "libipw" instead.  Which made it all
fail badly.

For example, on module unload as reported by Randy:

  WARNING: at fs/proc/generic.c:816 remove_proc_entry+0x156/0x35e()
  name 'libipw'

because it's trying to unregister a /proc directory that obviously
doesn't even exist.

Clean it all up to use DRV_PROCNAME for the actual /proc directory name.

Reported-and-tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Cc: Pavel Roskin <proski@gnu.org>
Cc: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoMerge branch 'kvm-updates/2.6.37' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Linus Torvalds [Sat, 6 Nov 2010 00:49:22 +0000 (17:49 -0700)]
Merge branch 'kvm-updates/2.6.37' of git://git./virt/kvm/kvm

* 'kvm-updates/2.6.37' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: PPC: BookE: Load the lower half of MSR
  KVM: PPC: BookE: fix sleep with interrupts disabled
  KVM: PPC: e500: Call kvm_vcpu_uninit() before kvmppc_e500_tlb_uninit().
  PPC: KVM: Book E doesn't have __end_interrupts.
  KVM: x86: Issue smp_call_function_many with preemption disabled
  KVM: x86: fix information leak to userland
  KVM: PPC: fix information leak to userland
  KVM: MMU: fix rmap_remove on non present sptes
  KVM: Write protect memory after slot swap

14 years agofloppy: fix use-after-free in module load failure path
Linus Torvalds [Sat, 6 Nov 2010 00:45:59 +0000 (17:45 -0700)]
floppy: fix use-after-free in module load failure path

Commit 488211844e0c ("floppy: switch to one queue per drive instead of
sharing a queue") introduced a use-after-free.  We do "put_disk()" on
the disk device _before_ we then clean up the queue associated with that
disk.

Move the put_disk() down to avoid dereferencing a free'd data structure.

Cc: Jens Axboe <jaxboe@fusionio.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Reported-and-tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agowatchdog: Fix section mismatch and potential undefined behavior.
David Daney [Fri, 5 Nov 2010 23:17:39 +0000 (16:17 -0700)]
watchdog: Fix section mismatch and potential undefined behavior.

Commit d9ca07a05ce1 ("watchdog: Avoid kernel crash when disabling
watchdog") introduces a section mismatch.

Now that we reference no_watchdog from non-__init code it can no longer
be __initdata.

Signed-off-by: David Daney <ddaney@caviumnetworks.com>
Cc: Stephane Eranian <eranian@google.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
Linus Torvalds [Fri, 5 Nov 2010 22:25:48 +0000 (15:25 -0700)]
Merge git://git./linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (41 commits)
  inet_diag: Make sure we actually run the same bytecode we audited.
  netlink: Make nlmsg_find_attr take a const nlmsghdr*.
  fib: fib_result_assign() should not change fib refcounts
  netfilter: ip6_tables: fix information leak to userspace
  cls_cgroup: Fix crash on module unload
  memory corruption in X.25 facilities parsing
  net dst: fix percpu_counter list corruption and poison overwritten
  rds: Remove kfreed tcp conn from list
  rds: Lost locking in loop connection freeing
  de2104x: fix panic on load
  atl1 : fix panic on load
  netxen: remove unused firmware exports
  caif: Remove noisy printout when disconnecting caif socket
  caif: SPI-driver bugfix - incorrect padding.
  caif: Bugfix for socket priority, bindtodev and dbg channel.
  smsc911x: Set Ethernet EEPROM size to supported device's size
  ipv4: netfilter: ip_tables: fix information leak to userland
  ipv4: netfilter: arp_tables: fix information leak to userland
  cxgb4vf: remove call to stop TX queues at load time.
  cxgb4: remove call to stop TX queues at load time.
  ...

14 years agoMerge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1...
Linus Torvalds [Fri, 5 Nov 2010 21:17:22 +0000 (14:17 -0700)]
Merge branch 'fixes' of git://git./linux/kernel/git/ieee1394/linux1394-2.6

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
  firewire: ohci: fix race when reading count in AR descriptor
  firewire: ohci: avoid reallocation of AR buffers
  firewire: ohci: fix race in AR split packet handling
  firewire: ohci: fix buffer overflow in AR split packet handling

14 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6
Linus Torvalds [Fri, 5 Nov 2010 21:17:01 +0000 (14:17 -0700)]
Merge git://git./linux/kernel/git/sfrench/cifs-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
  cifs: make cifs_set_oplock_level() take a cifsInodeInfo pointer
  cifs: dereferencing first then checking
  cifs: trivial comment fix: tlink_tree is now a rbtree
  [CIFS] Cleanup unused variable build warning
  cifs: convert tlink_tree to a rbtree
  cifs: store pointer to master tlink in superblock (try #2)
  cifs: trivial doc fix: note setlease implemented
  CIFS: Add cifs_set_oplock_level
  FS: cifs, remove unneeded NULL tests

14 years agoposix-cpu-timers: workaround to suppress the problems with mt exec
Oleg Nesterov [Fri, 5 Nov 2010 15:53:42 +0000 (16:53 +0100)]
posix-cpu-timers: workaround to suppress the problems with mt exec

posix-cpu-timers.c correctly assumes that the dying process does
posix_cpu_timers_exit_group() and removes all !CPUCLOCK_PERTHREAD
timers from signal->cpu_timers list.

But, it also assumes that timer->it.cpu.task is always the group
leader, and thus the dead ->task means the dead thread group.

This is obviously not true after de_thread() changes the leader.
After that almost every posix_cpu_timer_ method has problems.

It is not simple to fix this bug correctly. First of all, I think
that timer->it.cpu should use struct pid instead of task_struct.
Also, the locking should be reworked completely. In particular,
tasklist_lock should not be used at all. This all needs a lot of
nontrivial and hard-to-test changes.

Change __exit_signal() to do posix_cpu_timers_exit_group() when
the old leader dies during exec. This is not the fix, just the
temporary hack to hide the problem for 2.6.37 and stable. IOW,
this is obviously wrong but this is what we currently have anyway:
cpu timers do not work after mt exec.

In theory this change adds another race. The exiting leader can
detach the timers which were attached to the new leader. However,
the window between de_thread() and release_task() is small, we
can pretend that sys_timer_create() was called before de_thread().

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoMerge branch 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groec...
Linus Torvalds [Fri, 5 Nov 2010 21:15:17 +0000 (14:15 -0700)]
Merge branch 'hwmon-for-linus' of git://git./linux/kernel/git/groeck/staging

* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging:
  hwmon: (ltc4261) Fix error message format
  hwmon: (ltc4261) Add missing newline in debug message

14 years agocifs: make cifs_set_oplock_level() take a cifsInodeInfo pointer
Pavel Shilovsky [Wed, 3 Nov 2010 07:58:57 +0000 (10:58 +0300)]
cifs: make cifs_set_oplock_level() take a cifsInodeInfo pointer

All the callers already have a pointer to struct cifsInodeInfo. Use it.

Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de>
Signed-off-by: Pavel Shilovsky <piastryyy@gmail.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
14 years agohwmon: (ltc4261) Fix error message format
Jean Delvare [Fri, 5 Nov 2010 14:59:29 +0000 (10:59 -0400)]
hwmon: (ltc4261) Fix error message format

adapter->id is deprecated and not set by any adapter driver, so this
was certainly not what the author wanted to use. adapter->nr maybe,
but as dev_err() already includes this value, as well as the client's
address, there's no point repeating them. Better print a simple error
message in plain English words.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Guenter Roeck <guenter.roeck@ericsson.com>
Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
14 years agohwmon: (ltc4261) Add missing newline in debug message
Guenter Roeck [Tue, 26 Oct 2010 22:59:21 +0000 (15:59 -0700)]
hwmon: (ltc4261) Add missing newline in debug message

Reported-by: Joe Perches <joe@perches.com>
Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Acked-by: Jean Delvare <khali@linux-fr.org>
14 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile
Linus Torvalds [Fri, 5 Nov 2010 16:52:25 +0000 (09:52 -0700)]
Merge git://git./linux/kernel/git/cmetcalf/linux-tile

* git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile:
  arch/tile: mark "hardwall" device as non-seekable
  asm-generic/stat.h: support 64-bit file time_t for stat()
  arch/tile: don't allow user code to set the PL via ptrace or signal return
  arch/tile: correct double syscall restart for nested signals
  arch/tile: avoid __must_check warning on one strict_strtol check
  arch/tile: bomb raw_local_irq_ to arch_local_irq_
  arch/tile: complete migration to new kmap_atomic scheme

14 years agoleds-net5501: taints kernel, add license
Randy Dunlap [Thu, 4 Nov 2010 17:28:00 +0000 (10:28 -0700)]
leds-net5501: taints kernel, add license

Add MODULE_LICENSE() that matches file comments so that kernel
is not tainted.

leds_net5501: module license 'unspecified' taints kernel.

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoKVM: PPC: BookE: Load the lower half of MSR
Scott Wood [Thu, 30 Sep 2010 19:31:27 +0000 (14:31 -0500)]
KVM: PPC: BookE: Load the lower half of MSR

This was preventing the guest from setting any bits in the
hardware MSR which aren't forced on, such as MSR[SPE].

Signed-off-by: Scott Wood <scottwood@freescale.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
14 years agoKVM: PPC: BookE: fix sleep with interrupts disabled
Scott Wood [Thu, 30 Sep 2010 19:28:50 +0000 (14:28 -0500)]
KVM: PPC: BookE: fix sleep with interrupts disabled

It is not legal to call mutex_lock() with interrupts disabled.
This will assert with debug checks enabled.

If there's a real need to disable interrupts here, it could be done
after the mutex is acquired -- but I don't see why it's needed at all.

Signed-off-by: Scott Wood <scottwood@freescale.com>
Reviewed-by: Christian Ehrhardt <ehrhardt@linux.vnet.ibm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
14 years agoKVM: PPC: e500: Call kvm_vcpu_uninit() before kvmppc_e500_tlb_uninit().
Scott Wood [Tue, 5 Oct 2010 19:22:41 +0000 (14:22 -0500)]
KVM: PPC: e500: Call kvm_vcpu_uninit() before kvmppc_e500_tlb_uninit().

The VCPU uninit calls some TLB functions, and the TLB uninit function
frees the memory used by them.

Signed-off-by: Scott Wood <scottwood@freescale.com>
Acked-by: Liu Yu <yu.liu@freescale.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
14 years agoPPC: KVM: Book E doesn't have __end_interrupts.
Scott Wood [Mon, 18 Oct 2010 22:35:48 +0000 (17:35 -0500)]
PPC: KVM: Book E doesn't have __end_interrupts.

Fix an unresolved symbol with CONFIG_KVM_GUEST plus CONFIG_RELOCATABLE on
Book E.

Signed-off-by: Scott Wood <scottwood@freescale.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
14 years agoKVM: x86: Issue smp_call_function_many with preemption disabled
Jan Kiszka [Mon, 1 Nov 2010 13:01:13 +0000 (14:01 +0100)]
KVM: x86: Issue smp_call_function_many with preemption disabled

smp_call_function_many is specified to be called only with preemption
disabled. Fulfill this requirement.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
14 years agoKVM: x86: fix information leak to userland
Vasiliy Kulikov [Sat, 30 Oct 2010 18:54:47 +0000 (22:54 +0400)]
KVM: x86: fix information leak to userland

Structures kvm_vcpu_events, kvm_debugregs, kvm_pit_state2 and
kvm_clock_data are copied to userland with some padding and reserved
fields unitialized.  It leads to leaking of contents of kernel stack
memory.  We have to initialize them to zero.

In patch v1 Jan Kiszka suggested to fill reserved fields with zeros
instead of memset'ting the whole struct.  It makes sense as these
fields are explicitly marked as padding.  No more fields need zeroing.

KVM-Stable-Tag.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
14 years agoKVM: PPC: fix information leak to userland
Vasiliy Kulikov [Sat, 30 Oct 2010 09:04:24 +0000 (13:04 +0400)]
KVM: PPC: fix information leak to userland

Structure kvm_ppc_pvinfo is copied to userland with flags and
pad fields unitialized.  It leads to leaking of contents of
kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
14 years agoKVM: MMU: fix rmap_remove on non present sptes
Marcelo Tosatti [Mon, 25 Oct 2010 13:58:22 +0000 (11:58 -0200)]
KVM: MMU: fix rmap_remove on non present sptes

drop_spte should not attempt to rmap_remove a non present shadow pte.

This fixes a BUG_ON seen on kvm-autotest.

Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Reported-by: Lucas Meneghel Rodrigues <lmr@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
14 years agoKVM: Write protect memory after slot swap
Michael S. Tsirkin [Mon, 25 Oct 2010 01:21:24 +0000 (03:21 +0200)]
KVM: Write protect memory after slot swap

I have observed the following bug trigger:

1. userspace calls GET_DIRTY_LOG
2. kvm_mmu_slot_remove_write_access is called and makes a page ro
3. page fault happens and makes the page writeable
   fault is logged in the bitmap appropriately
4. kvm_vm_ioctl_get_dirty_log swaps slot pointers

a lot of time passes

5. guest writes into the page
6. userspace calls GET_DIRTY_LOG

At point (5), bitmap is clean and page is writeable,
thus, guest modification of memory is not logged
and GET_DIRTY_LOG returns an empty bitmap.

The rule is that all pages are either dirty in the current bitmap,
or write-protected, which is violated here.

It seems that just moving kvm_mmu_slot_remove_write_access down
to after the slot pointer swap should fix this bug.

KVM-Stable-Tag.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
14 years agoClean up relay_alloc_page_array() slightly by using vzalloc rather than vmalloc and...
Jesper Juhl [Thu, 4 Nov 2010 20:44:41 +0000 (21:44 +0100)]
Clean up relay_alloc_page_array() slightly by using vzalloc rather than vmalloc and memset

We can optimize kernel/relay.c::relay_alloc_page_array() slightly by
using vzalloc.  The patch makes these changes:

 - use vzalloc instead of vmalloc+memset.
 - remove redundant local variable 'array'.
 - declare local 'pa_size' as const.

Cuts down nicely on both source and object-code size.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Acked-by: Pekka Enberg <penberg@kernel.org>
Acked-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoMerge branch 'for-linus-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg...
Linus Torvalds [Fri, 5 Nov 2010 14:54:40 +0000 (07:54 -0700)]
Merge branch 'for-linus-fixes' of git://git./linux/kernel/git/gerg/m68knommu

* 'for-linus-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
  m68k, m68knommu: Do not include linux/hardirq.h in asm/irqflags.h
  m68knommu: add back in declaration of do_IRQ

14 years agocifs: dereferencing first then checking
Jeff Layton [Tue, 2 Nov 2010 20:22:50 +0000 (16:22 -0400)]
cifs: dereferencing first then checking

This patch is based on Dan's original patch. His original description is
below:

Smatch complained about a couple checking for NULL after dereferencing
bugs.  I'm not super familiar with the code so I did the conservative
thing and move the dereferences after the checks.

The dereferences in cifs_lock() and cifs_fsync() were added in
ba00ba64cf0 "cifs: make various routines use the cifsFileInfo->tcon
pointer".  The dereference in find_writable_file() was added in
6508d904e6f "cifs: have find_readable/writable_file filter by fsuid".
The comments there say it's possible to trigger the NULL dereference
under stress.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
14 years agocifs: trivial comment fix: tlink_tree is now a rbtree
Suresh Jayaraman [Wed, 3 Nov 2010 05:23:49 +0000 (10:53 +0530)]
cifs: trivial comment fix: tlink_tree is now a rbtree

Noticed while reviewing (late) the rbtree conversion patchset (which has been merged
already).

Cc: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de>
Signed-off-by: Steve French <sfrench@us.ibm.com>
14 years agoinet_diag: Make sure we actually run the same bytecode we audited.
Nelson Elhage [Wed, 3 Nov 2010 16:35:41 +0000 (16:35 +0000)]
inet_diag: Make sure we actually run the same bytecode we audited.

We were using nlmsg_find_attr() to look up the bytecode by attribute when
auditing, but then just using the first attribute when actually running
bytecode. So, if we received a message with two attribute elements, where only
the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
bytecode strings.

Fix this by consistently using nlmsg_find_attr everywhere.

Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: Thomas Graf <tgraf@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonetlink: Make nlmsg_find_attr take a const nlmsghdr*.
Nelson Elhage [Wed, 3 Nov 2010 16:35:40 +0000 (16:35 +0000)]
netlink: Make nlmsg_find_attr take a const nlmsghdr*.

This will let us use it on a nlmsghdr stored inside a netlink_callback.

Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agofib: fib_result_assign() should not change fib refcounts
Eric Dumazet [Thu, 4 Nov 2010 01:21:39 +0000 (01:21 +0000)]
fib: fib_result_assign() should not change fib refcounts

After commit ebc0ffae5 (RCU conversion of fib_lookup()),
fib_result_assign()  should not change fib refcounts anymore.

Thanks to Michael who did the bisection and bug report.

Reported-by: Michael Ellerman <michael@ellerman.id.au>
Tested-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonetfilter: ip6_tables: fix information leak to userspace
Jan Engelhardt [Thu, 4 Nov 2010 01:55:39 +0000 (18:55 -0700)]
netfilter: ip6_tables: fix information leak to userspace

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
David S. Miller [Thu, 4 Nov 2010 01:52:32 +0000 (18:52 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/kaber/nf-2.6

14 years agocls_cgroup: Fix crash on module unload
Herbert Xu [Wed, 3 Nov 2010 13:31:05 +0000 (13:31 +0000)]
cls_cgroup: Fix crash on module unload

Somewhere along the lines net_cls_subsys_id became a macro when
cls_cgroup is built as a module.  Not only did it make cls_cgroup
completely useless, it also causes it to crash on module unload.

This patch fixes this by removing that macro.

Thanks to Eric Dumazet for diagnosing this problem.

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Li Zefan <lizf@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agomemory corruption in X.25 facilities parsing
andrew hendry [Wed, 3 Nov 2010 12:54:53 +0000 (12:54 +0000)]
memory corruption in X.25 facilities parsing

Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet dst: fix percpu_counter list corruption and poison overwritten
Xiaotian Feng [Tue, 2 Nov 2010 16:11:05 +0000 (16:11 +0000)]
net dst: fix percpu_counter list corruption and poison overwritten

There're some percpu_counter list corruption and poison overwritten warnings
in recent kernel, which is resulted by fc66f95c.

commit fc66f95c switches to use percpu_counter, in ip6_route_net_init, kernel
init the percpu_counter for dst entries, but, the percpu_counter is never destroyed
in ip6_route_net_exit. So if the related data is freed by kernel, the freed percpu_counter
is still on the list, then if we insert/remove other percpu_counter, list corruption
resulted. Also, if the insert/remove option modifies the ->prev,->next pointer of
the freed value, the poison overwritten is resulted then.

With the following patch, the percpu_counter list corruption and poison overwritten
warnings disappeared.

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi>
Cc: James Morris <jmorris@namei.org>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: Patrick McHardy <kaber@trash.net>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agords: Remove kfreed tcp conn from list
Pavel Emelyanov [Tue, 2 Nov 2010 01:54:01 +0000 (01:54 +0000)]
rds: Remove kfreed tcp conn from list

All the rds_tcp_connection objects are stored list, but when
being freed it should be removed from there.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agords: Lost locking in loop connection freeing
Pavel Emelyanov [Tue, 2 Nov 2010 01:52:05 +0000 (01:52 +0000)]
rds: Lost locking in loop connection freeing

The conn is removed from list in there and this requires
proper lock protection.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agode2104x: fix panic on load
Eric Dumazet [Wed, 3 Nov 2010 12:25:32 +0000 (12:25 +0000)]
de2104x: fix panic on load

Its now illegal to call netif_stop_queue() before register_netdev()

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoatl1 : fix panic on load
Eric Dumazet [Wed, 3 Nov 2010 12:11:21 +0000 (12:11 +0000)]
atl1 : fix panic on load

Its now illegal to call netif_stop_queue() before register_netdev()

Reported-by: Tom Gundersen <teg@jklm.no>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonetxen: remove unused firmware exports
Amerigo Wang [Tue, 2 Nov 2010 18:25:31 +0000 (18:25 +0000)]
netxen: remove unused firmware exports

Quote from Amit Salecha:

"Actually I was not updated, NX_UNIFIED_ROMIMAGE_NAME (phanfw.bin) is already
submitted and its present in linux-firmware.git.

I will get back to you on NX_P2_MN_ROMIMAGE_NAME, NX_P3_CT_ROMIMAGE_NAME and
NX_P3_MN_ROMIMAGE_NAME. Whether this will be submitted ?"

We have to remove these, otherwise we will get wrong info from modinfo.

Signed-off-by: WANG Cong <amwang@redhat.com>
Cc: Amit Kumar Salecha <amit.salecha@qlogic.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Dhananjay Phadke <dhananjay.phadke@qlogic.com>
Cc: Narender Kumar <narender.kumar@qlogic.com>
Acked-by: Amit Kumar Salecha <amit.salecha@qlogic.com>--
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocaif: Remove noisy printout when disconnecting caif socket
sjur.brandeland@stericsson.com [Wed, 3 Nov 2010 10:19:25 +0000 (10:19 +0000)]
caif: Remove noisy printout when disconnecting caif socket

Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocaif: SPI-driver bugfix - incorrect padding.
Sjur Brændeland [Mon, 1 Nov 2010 11:52:48 +0000 (11:52 +0000)]
caif: SPI-driver bugfix - incorrect padding.

Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocaif: Bugfix for socket priority, bindtodev and dbg channel.
André Carvalho de Matos [Mon, 1 Nov 2010 11:52:47 +0000 (11:52 +0000)]
caif: Bugfix for socket priority, bindtodev and dbg channel.

Changes:
o Bugfix: SO_PRIORITY for SOL_SOCKET could not be handled
  in caif's setsockopt,  using the struct sock attribute priority instead.

o Bugfix: SO_BINDTODEVICE for SOL_SOCKET could not be handled
  in caif's setsockopt,  using the struct sock attribute ifindex instead.

o Wrong assert statement for RFM layer segmentation.

o CAIF Debug channels was not working over SPI, caif_payload_info
  containing padding info must be initialized.

o Check on pointer before dereferencing when unregister dev in caif_dev.c

Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agosmsc911x: Set Ethernet EEPROM size to supported device's size
John Faith [Mon, 1 Nov 2010 11:30:08 +0000 (11:30 +0000)]
smsc911x: Set Ethernet EEPROM size to supported device's size

The SMSC911x supports 128 x 8-bit EEPROMs.  Increase the EEPROM size
so more than just the MAC address can be stored.

Signed-off-by: John Faith <jfaith7@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agovmstat: fix offset calculation on void*
Wu Fengguang [Wed, 3 Nov 2010 17:56:49 +0000 (01:56 +0800)]
vmstat: fix offset calculation on void*

Fix regression introduced by commit 79da826aee6 ("writeback: report
dirty thresholds in /proc/vmstat").

The incorrect pointer arithmetic can result in problems like this:

  BUG: unable to handle kernel paging request at 07c06d16
  IP: [<c050c336>] strnlen+0x6/0x20
  Call Trace:
   [<c050a249>] ? string+0x39/0xe0
   [<c042be6b>] ? __wake_up_common+0x4b/0x80
   [<c050afcc>] ? vsnprintf+0x1ec/0x380
   [<c04b380e>] ? seq_printf+0x2e/0x60
   [<c04829a6>] ? vmstat_show+0x26/0x30
   [<c04b3bb6>] ? seq_read+0xa6/0x380
   [<c04b3b10>] ? seq_read+0x0/0x380
   [<c04d5d2f>] ? proc_reg_read+0x5f/0x90
   [<c049c4a1>] ? vfs_read+0xa1/0x140
   [<c04d5cd0>] ? proc_reg_read+0x0/0x90
   [<c049c981>] ? sys_read+0x41/0x70
   [<c0402bd0>] ? sysenter_do_call+0x12/0x26

Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Michael Rubin <mrubin@google.com>
Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6
Linus Torvalds [Wed, 3 Nov 2010 17:44:55 +0000 (13:44 -0400)]
Merge branch 'for-linus' of git://git./linux/kernel/git/tiwai/sound-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
  ASoC: tpa6130a2: Get rid of compile warning from tpa6130a2_power
  ALSA: hda - MacBookAir3,1(3,2) alsa support
  ASoC: fix the building issue of missing codec field in 'struct snd_soc_card'
  ALSA: usb-audio - Support for Power/Status LED on Creative USB X-Fi S51
  ALSA: asihpi - Unsafe memory management when allocating control cache
  ASoC: Update WARN uses in wm_hubs
  ASoC: Include cx20442 to SND_SOC_ALL_CODECS
  ASoC: Fix SND_SOC_ALL_CODECS typo for jz4740
  ASoC: Remove volatility from WM8900 POWER1 register
  ALSA: lx6464es - make 1 bit signed bitfield unsigned
  ALSA: cs46xx memory management fixes for cs46xx_dsp_spos_create()
  ALSA: usb - driver neglects kmalloc return value check and may deref NULL
  ASoC: tpa6130a2: Fix unbalanced regulator disables
  ASoC: tlv320dac33: Mode1 FIFO auto configuration fix
  ASoC: tlv320dac33: Limit the US_TO_SAMPLES macro
  ASoC: tlv320dac33: Error handling for broken chip
  ASoC: Check return value of struct_strtoul() in pmdown_time_set()

14 years agoMerge branch 'fix/asoc' into for-linus
Takashi Iwai [Wed, 3 Nov 2010 14:51:26 +0000 (15:51 +0100)]
Merge branch 'fix/asoc' into for-linus

14 years agoASoC: tpa6130a2: Get rid of compile warning from tpa6130a2_power
Jarkko Nikula [Wed, 3 Nov 2010 14:39:00 +0000 (16:39 +0200)]
ASoC: tpa6130a2: Get rid of compile warning from tpa6130a2_power

Patch "ASoC: tpa6130a2: Fix unbalanced regulator disables" introduced a
compiler warning "‘ret’ may be used uninitialized in this function".
Initialize ret to zero to get rid of it and making sure that the function
does not return any random error code when the code is falling through.

Signed-off-by: Jarkko Nikula <jhnikula@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
14 years agoMerge branch 'for-2.6.37' of git://git.kernel.org/pub/scm/linux/kernel/git/lrg/asoc...
Takashi Iwai [Wed, 3 Nov 2010 12:56:08 +0000 (13:56 +0100)]
Merge branch 'for-2.6.37' of git://git./linux/kernel/git/lrg/asoc-2.6 into fix/asoc

14 years agoipv4: netfilter: ip_tables: fix information leak to userland
Vasiliy Kulikov [Wed, 3 Nov 2010 07:45:06 +0000 (08:45 +0100)]
ipv4: netfilter: ip_tables: fix information leak to userland

Structure ipt_getinfo is copied to userland with the field "name"
that has the last elements unitialized.  It leads to leaking of
contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
14 years agoipv4: netfilter: arp_tables: fix information leak to userland
Vasiliy Kulikov [Wed, 3 Nov 2010 07:44:12 +0000 (08:44 +0100)]
ipv4: netfilter: arp_tables: fix information leak to userland

Structure arpt_getinfo is copied to userland with the field "name"
that has the last elements unitialized.  It leads to leaking of
contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
14 years agoALSA: hda - MacBookAir3,1(3,2) alsa support
Edgar (gimli) Hucek [Wed, 3 Nov 2010 07:14:10 +0000 (08:14 +0100)]
ALSA: hda - MacBookAir3,1(3,2) alsa support

This patch add support for the MacBookAir3,1 and MacBookAir3,2 to the alsa
sound system.

Signed-off-by: Edgar (gimli) Hucek <gimli@dark-green.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
14 years agom68k, m68knommu: Do not include linux/hardirq.h in asm/irqflags.h
Philippe De Muyter [Thu, 28 Oct 2010 12:42:58 +0000 (14:42 +0200)]
m68k, m68knommu: Do not include linux/hardirq.h in asm/irqflags.h

Recent changes to header files made kernel compilation for m68k/m68knommu
fail with :
  CC      arch/m68knommu/kernel/asm-offsets.s
In file included from /archives/linux/git/arch/m68k/include/asm/system.h:2,
                 from include/linux/wait.h:25,
                 from include/linux/mmzone.h:9,
                 from include/linux/gfp.h:4,
                 from include/linux/irq.h:20,
                 from include/asm-generic/hardirq.h:12,
                 from /archives/linux/git/arch/m68k/include/asm/hardirq_no.h:17,
                 from /archives/linux/git/arch/m68k/include/asm/hardirq.h:2,
                 from include/linux/hardirq.h:10,
                 from /archives/linux/git/arch/m68k/include/asm/irqflags.h:5,
                 from include/linux/irqflags.h:15,
                 from include/linux/spinlock.h:53,
                 from include/linux/seqlock.h:29,
                 from include/linux/time.h:8,
                 from include/linux/timex.h:56,
                 from include/linux/sched.h:56,
                 from arch/m68knommu/kernel/asm-offsets.c:12:
/archives/linux/git/arch/m68k/include/asm/system_no.h: In function ‘__xchg’:
/archives/linux/git/arch/m68k/include/asm/system_no.h:79: error: implicit
+declaration of function ‘local_irq_save’
/archives/linux/git/arch/m68k/include/asm/system_no.h:101: error: implicit
+declaration of function ‘local_irq_restore’

Fix that

Signed-off-by: Philippe De Muyter <phdm@macqel.be>
Signed-off-by: Greg Ungerer <gerg@uclinux.org>
14 years agom68knommu: add back in declaration of do_IRQ
Greg Ungerer [Tue, 2 Nov 2010 07:44:22 +0000 (17:44 +1000)]
m68knommu: add back in declaration of do_IRQ

The cleanup and merge of machdep should not have removed the do_IRQ
declaration. It is needed by the 68328 based targets.

Signed-off-by: Greg Ungerer <gerg@uclinux.org>
14 years agoRelease page reference during page fault retry
Michel Lespinasse [Tue, 2 Nov 2010 20:05:18 +0000 (13:05 -0700)]
Release page reference during page fault retry

This slipped by when unifying the filemap and swap versions of
lock_page_or_retry()...

Signed-off-by: Michel Lespinasse <walken@google.com>
Acked-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years ago[CIFS] Cleanup unused variable build warning
Steve French [Tue, 2 Nov 2010 19:22:45 +0000 (19:22 +0000)]
[CIFS] Cleanup unused variable build warning

Signed-off-by: Steve French <sfrench@us.ibm.com>
14 years agocifs: convert tlink_tree to a rbtree
Jeff Layton [Thu, 28 Oct 2010 15:16:44 +0000 (11:16 -0400)]
cifs: convert tlink_tree to a rbtree

Radix trees are ideal when you want to track a bunch of pointers and
can't embed a tracking structure within the target of those pointers.
The tradeoff is an increase in memory, particularly if the tree is
sparse.

In CIFS, we use the tlink_tree to track tcon_link structs. A tcon_link
can never be in more than one tlink_tree, so there's no impediment to
using a rb_tree here instead of a radix tree.

Convert the new multiuser mount code to use a rb_tree instead. This
should reduce the memory required to manage the tlink_tree.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
14 years agocifs: store pointer to master tlink in superblock (try #2)
Jeff Layton [Thu, 28 Oct 2010 17:33:38 +0000 (13:33 -0400)]
cifs: store pointer to master tlink in superblock (try #2)

This is the second version of this patch, the only difference between
it and the first one is that this explicitly makes cifs_sb_master_tlink
a static inline.

Instead of keeping a tag on the master tlink in the tree, just keep a
pointer to the master in the superblock. That eliminates the need for
using the radix tree to look up a tagged entry.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
14 years agocifs: trivial doc fix: note setlease implemented
J. Bruce Fields [Sat, 30 Oct 2010 21:06:21 +0000 (17:06 -0400)]
cifs: trivial doc fix: note setlease implemented

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
14 years agoCIFS: Add cifs_set_oplock_level
Pavel Shilovsky [Tue, 2 Nov 2010 09:00:42 +0000 (12:00 +0300)]
CIFS: Add cifs_set_oplock_level

Simplify many places when we need to set oplock level on an inode.

Signed-off-by: Pavel Shilovsky <piastryyy@gmail.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
14 years agoext4: Remove useless spinlock in ext4_getattr()
Theodore Ts'o [Tue, 2 Nov 2010 13:34:50 +0000 (09:34 -0400)]
ext4: Remove useless spinlock in ext4_getattr()

Linus noted, and complained to me, that doing while lots of "git diff"'s
of kernel sources, these spinlocks were responsible for 27% of the
spinlock cost on his two-processor system as reported by perf.

Git was doing lots of parallel stats, and this was putting a lot of
pressure on ext4_getattr().  A spinlock to protect a single
memory-to-memory copy is pointless, so remove it.

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoMerge commit 'v2.6.37-rc1' into for-2.6.37
Mark Brown [Tue, 2 Nov 2010 13:41:56 +0000 (09:41 -0400)]
Merge commit 'v2.6.37-rc1' into for-2.6.37

14 years agoASoC: fix the building issue of missing codec field in 'struct snd_soc_card'
Eric Miao [Mon, 1 Nov 2010 21:10:07 +0000 (05:10 +0800)]
ASoC: fix the building issue of missing codec field in 'struct snd_soc_card'

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
14 years agopreempt: fix kernel build with !CONFIG_BKL
Arnd Bergmann [Thu, 28 Oct 2010 14:12:33 +0000 (16:12 +0200)]
preempt: fix kernel build with !CONFIG_BKL

The preempt count logic tries to take the BKL into account, which breaks
when CONFIG_BKL is not set.

Use the same preempt_count offset that we use without CONFIG_PREEMPT
when CONFIG_BKL is disabled.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reported-and-tested-by: Kirill A. Shutemov <kirill@shutemov.name>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoALSA: usb-audio - Support for Power/Status LED on Creative USB X-Fi S51
Mandar Joshi [Tue, 2 Nov 2010 14:43:19 +0000 (14:43 +0000)]
ALSA: usb-audio - Support for Power/Status LED on Creative USB X-Fi S51

This patch adds support for Power/Status LED on Creative USB X-Fi S51.
There is just one LED on the device. The LED can either be On or it
can be set to Blink. There doesn't seem to be a way to switch it off.
The control message to change LED status is similar to that of
audigy2nx except that the index is to be set to 0 and value is 1 for
Blink and 0 for On.

The 'Power LED' control in alsamixer when muted will cause the LED to
Blink continuously. When unmuted  the LED will stay On. The Creative
driver under Windows sets the LED to blink whenever audio is muted.
This LED can be treated as the CMSS LED but I figured since there is
just one LED, it should be treated as the Power LED. Is that alright?

I've also changed the comment "Usb X-Fi" to "Usb X-Fi S51" as there
are other external X-Fi devices from Creative like Usb X-Fi Go and
Xmod. The volume knob and LED support patch doesn't apply to them.

Signed-off-by: Mandar Joshi <emailmandar@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
14 years agoALSA: asihpi - Unsafe memory management when allocating control cache
Jesper Juhl [Fri, 29 Oct 2010 19:35:25 +0000 (21:35 +0200)]
ALSA: asihpi - Unsafe memory management when allocating control cache

I noticed that sound/pci/asihpi/hpicmn.c::hpi_alloc_control_cache() does
not check the return value from kmalloc(), which may fail.
If kmalloc() fails we'll dereference a null pointer and things will go bad
fast.
There are two memory allocations in that function and there's also the
problem that the first may succeed and the second may fail and nothing is
done about that either which will also go wrong down the line.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Acked-by: Eliot Blennerhassett <linux@audioscience.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
14 years agoMerge branch 'master' of /pub/scm/linux/kernel/git/torvalds/linux-2.6
Steve French [Tue, 2 Nov 2010 03:48:02 +0000 (03:48 +0000)]
Merge branch 'master' of /linux/kernel/git/torvalds/linux-2.6

14 years agoFS: cifs, remove unneeded NULL tests
Jiri Slaby [Mon, 1 Nov 2010 15:08:55 +0000 (16:08 +0100)]
FS: cifs, remove unneeded NULL tests

Stanse found that pSMBFile in cifs_ioctl and file->f_path.dentry in
cifs_user_write are dereferenced prior their test to NULL.

The alternative is not to dereference them before the tests. The patch is
to point out the problem, you have to decide.

While at it we cache the inode in cifs_user_write to a local variable
and use all over the function.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Steve French <sfrench@samba.org>
Cc: linux-cifs@vger.kernel.org
Cc: Jeff Layton <jlayton@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Steve French <sfrench@us.ibm.com>
14 years agocxgb4vf: remove call to stop TX queues at load time.
Divy Le Ray [Mon, 1 Nov 2010 10:59:51 +0000 (10:59 +0000)]
cxgb4vf: remove call to stop TX queues at load time.

Stopping TX queues at driver load time is not necessary.

Signed-off-by: Casey Leedom <leedom@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocxgb4: remove call to stop TX queues at load time.
Divy Le Ray [Mon, 1 Nov 2010 10:59:46 +0000 (10:59 +0000)]
cxgb4: remove call to stop TX queues at load time.

Remove racy queue stopping after device registration.

Signed-off-by: Dimitris Michailidis <dm@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocxgb3: remove call to stop TX queues at load time.
Divy Le Ray [Mon, 1 Nov 2010 10:59:41 +0000 (10:59 +0000)]
cxgb3: remove call to stop TX queues at load time.

Remove racy queue stopping after device registration.

Signed-off-by: Divy Le Ray <divy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agokconfig: sym_expand_string_value: allow for string termination when reallocing
Andy Whitcroft [Mon, 1 Nov 2010 21:01:44 +0000 (21:01 +0000)]
kconfig: sym_expand_string_value: allow for string termination when reallocing

When expanding a parameterised string we may run out of space, this
triggers a realloc.  When computing the new allocation size we do not
allow for the terminating '\0'.  Allow for this when calculating the new
length.

Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agofs: logfs: Fix up MTD=y build.
Paul Mundt [Mon, 1 Nov 2010 20:29:21 +0000 (05:29 +0900)]
fs: logfs: Fix up MTD=y build.

Commit 7d945a3aa760 ("logfs get_sb, part 3") broke the logfs build when
CONFIG_MTD is set due to a mangled logfs_get_sb_mtd() definition.

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agonet: check queue_index from sock is valid for device
Tom Herbert [Mon, 1 Nov 2010 19:55:52 +0000 (12:55 -0700)]
net: check queue_index from sock is valid for device

In dev_pick_tx recompute the queue index if the value stored in the
socket is greater than or equal to the number of real queues for the
device.  The saved index in the sock structure is not guaranteed to
be appropriate for the egress device (this could happen on a route
change or in presence of tunnelling).  The result of the queue index
being bad would be to return a bogus queue (crash could prersumably
follow).

Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoASoC: Update WARN uses in wm_hubs
Joe Perches [Sat, 30 Oct 2010 21:08:56 +0000 (14:08 -0700)]
ASoC: Update WARN uses in wm_hubs

Add missing newlines.

Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: Liam Girdwood <lrg@slimlogic.co.uk>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
14 years agoarch/tile: mark "hardwall" device as non-seekable
Chris Metcalf [Mon, 1 Nov 2010 16:46:10 +0000 (12:46 -0400)]
arch/tile: mark "hardwall" device as non-seekable

Arnd's recent patch series tagged this device with noop_llseek,
conservatively.  In fact, it should be no_llseek, which we arrange
for by opening the device with nonseekable_open().

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
14 years agoasm-generic/stat.h: support 64-bit file time_t for stat()
Chris Metcalf [Thu, 28 Oct 2010 20:07:07 +0000 (16:07 -0400)]
asm-generic/stat.h: support 64-bit file time_t for stat()

The existing asm-generic/stat.h specifies st_mtime, etc., as a 32-value,
and works well for 32-bit architectures (currently microblaze, score,
and 32-bit tile).  However, for 64-bit architectures it isn't sufficient
to return 32 bits of time_t; this isn't good insurance against the 2037
rollover.  (It also makes glibc support less convenient, since we can't
use glibc's handy STAT_IS_KERNEL_STAT mode.)

This change extends the two "timespec" fields for each of the three atime,
mtime, and ctime fields from "int" to "long".  As a result, on 32-bit
platforms nothing changes, and 64-bit platforms will now work as expected.

The only wrinkle is 32-bit userspace under 64-bit kernels taking advantage
of COMPAT mode.  For these, we leave the "struct stat64" definitions with
the "int" versions of the time_t and nsec fields, so that architectures
can implement compat_sys_stat64() and friends with sys_stat64(), etc.,
and get the expected 32-bit structure layout.  This requires a
field-by-field copy in the kernel, implemented by the code guarded
under __ARCH_WANT_STAT64.

This does mean that the shape of the "struct stat" and "struct stat64"
structures is different on a 64-bit kernel, but only one of the two
structures should ever be used by any given process: "struct stat"
is meant for 64-bit userspace only, and "struct stat64" for 32-bit
userspace only.  (On a 32-bit kernel the two structures continue to have
the same shape, since "long" is 32 bits.)

The alternative is keeping the two structures the same shape on 64-bit
kernels, which means a 64-bit time_t in "struct stat64" for 32-bit
processes.  This is a little unnatural since 32-bit userspace can't
do anything with 64 bits of time_t information, since time_t is just
"long", not "int64_t"; and in any case 32-bit userspace might expect
to be running under a 32-bit kernel, which can't provide the high 32
bits anyway.  In the case of a 32-bit kernel we'd then be extending the
kernel's 32-bit time_t to 64 bits, then truncating it back to 32 bits
again in userspace, for no particular reason.  And, as mentioned above,
if we have 64-bit time_t for 32-bit processes we can't easily use glibc's
STAT_IS_KERNEL_STAT, since glibc's stat structure requires an embedded
"struct timespec", which is a pair of "long" (32-bit) values in a 32-bit
userspace.  "Inventive" solutions are possible, but are pretty hacky.

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
14 years agoarch/tile: don't allow user code to set the PL via ptrace or signal return
Chris Metcalf [Thu, 28 Oct 2010 19:47:06 +0000 (15:47 -0400)]
arch/tile: don't allow user code to set the PL via ptrace or signal return

The kernel was allowing any component of the pt_regs to be updated either
by signal handlers writing to the stack, or by processes writing via
PTRACE_POKEUSR or PTRACE_SETREGS, which meant they could set their PL
up from 0 to 1 and get access to kernel code and data (or, in practice,
cause a kernel panic).  We now always reset the ex1 field, allowing the
user to set their ICS bit only.

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
14 years agoarch/tile: correct double syscall restart for nested signals
Chris Metcalf [Thu, 28 Oct 2010 19:03:30 +0000 (15:03 -0400)]
arch/tile: correct double syscall restart for nested signals

This change is modelled on similar fixes for other architectures.
The pt_regs "faultnum" member is set to the trap (fault) number that
caused us to enter the kernel, and is INT_SWINT_1 for the syscall software
interrupt.  We already supported a pseudo value, INT_SWINT_1_SIGRETURN,
that we used for the rt_sigreturn syscall; it avoided the case where
one signal was handled, then we "tail-called" to another handler.

This change avoids the similar case where we start to call one handler,
then are preempted into another handler when we start trying to run
the first handler.  We clear ->faultnum after calling handle_signal(),
and to be paranoid also in the case where there was no signal to deliver.

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
14 years agoarch/tile: avoid __must_check warning on one strict_strtol check
Chris Metcalf [Mon, 1 Nov 2010 19:25:16 +0000 (15:25 -0400)]
arch/tile: avoid __must_check warning on one strict_strtol check

For the "initfree" boot argument it's not that big a deal, but
to avoid warnings in the code, we check for a valid value before
allowing the specified argument to override the kernel default.

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
14 years agoarch/tile: bomb raw_local_irq_ to arch_local_irq_
Chris Metcalf [Mon, 1 Nov 2010 19:24:29 +0000 (15:24 -0400)]
arch/tile: bomb raw_local_irq_ to arch_local_irq_

This completes the tile migration to the new naming scheme for
the architecture-specific irq management code.

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
14 years agoarch/tile: complete migration to new kmap_atomic scheme
Chris Metcalf [Mon, 1 Nov 2010 19:21:35 +0000 (15:21 -0400)]
arch/tile: complete migration to new kmap_atomic scheme

This change makes KM_TYPE_NR independent of the actual deprecated
list of km_type values, which are no longer used in tile code anywhere.
For now we leave it set to 8, allowing that many nested mappings,
and thus reserving 32MB of address space.

A few remaining places using KM_* values were cleaned up as well.

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
14 years agoUSB: gadget: fix ethernet gadget crash in gether_setup
Dmitry Artamonow [Mon, 1 Nov 2010 16:33:53 +0000 (09:33 -0700)]
USB: gadget: fix ethernet gadget crash in gether_setup

Crash is triggered by commit e6484930d7 ("net: allocate tx queues in
register_netdevice"), which moved tx netqueue creation into register_netdev.
So now calling netif_stop_queue() before register_netdev causes an oops.
Move netif_stop_queue() after net device registration to fix crash.

Signed-off-by: Dmitry Artamonow <mad_soft@inbox.ru>
Signed-off-by: Denis Kirjanov <dkirjanov@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoibm_newemac: Remove netif_stop_queue() in emac_probe().
David S. Miller [Mon, 1 Nov 2010 15:49:51 +0000 (08:49 -0700)]
ibm_newemac: Remove netif_stop_queue() in emac_probe().

Touching the queue state before register_netdev is not
allowed, and besides the queue state before ->open()
is "don't care"

Reported-by: Josh Boyer <jwboyer@gmail.com>
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agousbnet: fix usb_autopm_get_interface failure(v1)
Ming Lei [Mon, 1 Nov 2010 14:11:54 +0000 (07:11 -0700)]
usbnet: fix usb_autopm_get_interface failure(v1)

Since usbnet already took usb runtime pm, we have to
enable runtime pm for usb interface of usbnet, otherwise
usb_autopm_get_interface may return failure and cause
'ifconfig usb0 up' failed if USB_SUSPEND(RUNTIME_PM) is
enabled.

Cc: David Brownell <dbrownell@users.sourceforge.net>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: Joe Perches <joe@perches.com>
Cc: Oliver Neukum <oliver@neukum.org>
Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agol2tp: kzalloc with swapped params in l2tp_dfs_seq_open
Dr. David Alan Gilbert [Sun, 31 Oct 2010 07:26:03 +0000 (07:26 +0000)]
l2tp: kzalloc with swapped params in l2tp_dfs_seq_open

  'sparse' spotted that the parameters to kzalloc in l2tp_dfs_seq_open
were swapped.

Tested on current git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git
at 1792f17b7210280a3d7ff29da9614ba779cfcedb  build, boots and I can see that directory,
but there again I could see /sys/kernel/debug/l2tp with it swapped; I don't have
any l2tp in use.

Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotrivial: fix typos concerning "function"
Uwe Kleine-König [Tue, 26 Oct 2010 09:57:07 +0000 (09:57 +0000)]
trivial: fix typos concerning "function"

I'm a bit unsure about this patch.  I'm unable to parse both statements.

Cc: netdev@vger.kernel.org
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoASoC: Include cx20442 to SND_SOC_ALL_CODECS
Jarkko Nikula [Fri, 29 Oct 2010 13:47:45 +0000 (16:47 +0300)]
ASoC: Include cx20442 to SND_SOC_ALL_CODECS

Signed-off-by: Jarkko Nikula <jhnikula@gmail.com>
Acked-by: Liam Girdwood <lrg@slimlogic.co.uk>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
14 years agobnx2x: Update version number
Yaniv Rosner [Mon, 1 Nov 2010 05:32:43 +0000 (05:32 +0000)]
bnx2x: Update version number

Update bnx2x version number.

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobnx2x: Reset 8073 phy during common init
Yaniv Rosner [Mon, 1 Nov 2010 05:32:41 +0000 (05:32 +0000)]
bnx2x: Reset 8073 phy during common init

Resetting 8073 during common init is required on boards in which the
8073 reset pin is not asserted by default.

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>