Evgeny Kuznetsov [Tue, 5 Oct 2010 08:47:57 +0000 (12:47 +0400)]
wait: using uninitialized member of wait queue
The "flags" member of "struct wait_queue_t" is used in several places in
the kernel code without beeing initialized by init_wait(). "flags" is
used in bitwise operations.
If "flags" not initialized then unexpected behaviour may take place.
Incorrect flags might used later in code.
Added initialization of "wait_queue_t.flags" with zero value into
"init_wait".
Signed-off-by: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com>
[ The bit we care about does end up being initialized by both
prepare_to_wait() and add_to_wait_queue(), so this doesn't seem to
cause actual bugs, but is definitely the right thing to do -Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Tue, 5 Oct 2010 18:29:27 +0000 (11:29 -0700)]
modules: Fix module_bug_list list corruption race
With all the recent module loading cleanups, we've minimized the code
that sits under module_mutex, fixing various deadlocks and making it
possible to do most of the module loading in parallel.
However, that whole conversion totally missed the rather obscure code
that adds a new module to the list for BUG() handling. That code was
doubly obscure because (a) the code itself lives in lib/bugs.c (for
dubious reasons) and (b) it gets called from the architecture-specific
"module_finalize()" rather than from generic code.
Calling it from arch-specific code makes no sense what-so-ever to begin
with, and is now actively wrong since that code isn't protected by the
module loading lock any more.
So this commit moves the "module_bug_{finalize,cleanup}()" calls away
from the arch-specific code, and into the generic code - and in the
process protects it with the module_mutex so that the list operations
are now safe.
Future fixups:
- move the module list handling code into kernel/module.c where it
belongs.
- get rid of 'module_bug_list' and just use the regular list of modules
(called 'modules' - imagine that) that we already create and maintain
for other reasons.
Reported-and-tested-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Adrian Bunk <bunk@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Mon, 4 Oct 2010 20:35:48 +0000 (13:35 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/lrg/voltage-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lrg/voltage-2.6:
regulator: max8649 - fix setting extclk_freq
regulator: fix typo in current units
regulator: fix device_register() error handling
Linus Torvalds [Mon, 4 Oct 2010 18:45:35 +0000 (11:45 -0700)]
Merge branch 'merge-powerpc' of git://git.secretlab.ca/git/linux-2.6
* 'merge-powerpc' of git://git.secretlab.ca/git/linux-2.6:
powerpc/5200: tighten up ac97 reset timing
powerpc/5200: efika.c: Add of_node_put to avoid memory leak
powerpc/512x: fix clk_get() return value
Linus Torvalds [Mon, 4 Oct 2010 18:15:59 +0000 (11:15 -0700)]
Merge branch 'fix/misc' of git://git./linux/kernel/git/tiwai/sound-2.6
* 'fix/misc' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
ALSA: i2c/other/ak4xx-adda: Fix a compile warning with CONFIG_PROCFS=n
ALSA: prevent heap corruption in snd_ctl_new()
Linus Torvalds [Mon, 4 Oct 2010 18:15:06 +0000 (11:15 -0700)]
Merge branch 'hwmon-for-linus' of git://git./linux/kernel/git/groeck/staging
* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging:
hwmon: f71882fg: use a muxed resource lock for the Super I/O port
Linus Torvalds [Mon, 4 Oct 2010 18:14:21 +0000 (11:14 -0700)]
Merge branch 'fixes' of git://git./linux/kernel/git/davej/cpufreq
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/davej/cpufreq:
[CPUFREQ] Fix memory leaks in pcc_cpufreq_do_osc
[CPUFREQ] acpi-cpufreq: add missing __percpu markup
Linus Torvalds [Mon, 4 Oct 2010 18:13:22 +0000 (11:13 -0700)]
Merge branch 'merge-spi' of git://git.secretlab.ca/git/linux-2.6
* 'merge-spi' of git://git.secretlab.ca/git/linux-2.6:
of/spi: Fix OF-style driver binding of spi devices
spi: spi-gpio.c tests SPI_MASTER_NO_RX bit twice, but not SPI_MASTER_NO_TX
spi/mpc8xxx: fix buffer overrun on large transfers
Linus Torvalds [Mon, 4 Oct 2010 18:11:01 +0000 (11:11 -0700)]
Merge git://git./linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
vlan: dont drop packets from unknown vlans in promiscuous mode
Phonet: Correct header retrieval after pskb_may_pull
um: Proper Fix for
f25c80a4: remove duplicate structure field initialization
ip_gre: Fix dependencies wrt. ipv6.
net-2.6: SYN retransmits: Add new parameter to retransmits_timed_out()
iwl3945: queue the right work if the scan needs to be aborted
mac80211: fix use-after-free
Linus Torvalds [Mon, 4 Oct 2010 18:10:26 +0000 (11:10 -0700)]
Merge branch 'drm-intel-fixes' of git://git./linux/kernel/git/ickle/drm-intel
* 'drm-intel-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ickle/drm-intel:
drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
drm/i915: Sanity check pread/pwrite
drm/i915: Use pipe state to tell when pipe is off
drm/i915: vblank status not valid while training display port
drivers/gpu/drm/i915/i915_gem.c: Add missing error handling code
drm/i915: Fix refleak during eviction.
drm/i915: fix GMCH power reporting
Hugh Dickins [Sun, 3 Oct 2010 00:49:08 +0000 (17:49 -0700)]
ksm: fix bad user data when swapping
Building under memory pressure, with KSM on 2.6.36-rc5, collapsed with
an internal compiler error: typically indicating an error in swapping.
Perhaps there's a timing issue which makes it now more likely, perhaps
it's just a long time since I tried for so long: this bug goes back to
KSM swapping in 2.6.33.
Notice how reuse_swap_page() allows an exclusive page to be reused, but
only does SetPageDirty if it can delete it from swap cache right then -
if it's currently under Writeback, it has to be left in cache and we
don't SetPageDirty, but the page can be reused. Fine, the dirty bit
will get set in the pte; but notice how zap_pte_range() does not bother
to transfer pte_dirty to page_dirty when unmapping a PageAnon.
If KSM chooses to share such a page, it will look like a clean copy of
swapcache, and not be written out to swap when its memory is needed;
then stale data read back from swap when it's needed again.
We could fix this in reuse_swap_page() (or even refuse to reuse a
page under writeback), but it's more honest to fix my oversight in
KSM's write_protect_page(). Several days of testing on three machines
confirms that this fixes the issue they showed.
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Hugh Dickins [Sun, 3 Oct 2010 00:46:06 +0000 (17:46 -0700)]
ksm: fix page_address_in_vma anon_vma oops
2.6.36-rc1 commit
21d0d443cdc1658a8c1484fdcece4803f0f96d0e "rmap:
resurrect page_address_in_vma anon_vma check" was right to resurrect
that check; but now that it's comparing anon_vma->roots instead of
just anon_vmas, there's a danger of oopsing on a NULL anon_vma.
In most cases no NULL anon_vma ever gets here; but it turns out that
occasionally KSM, when enabled on a forked or forking process, will
itself call page_address_in_vma() on a "half-KSM" page left over from
an earlier failed attempt to merge - whose page_anon_vma() is NULL.
It's my bug that those should be getting here at all: I thought they
were already dealt with, this oops proves me wrong, I'll fix it in
the next release - such pages are effectively pinned until their
process exits, since rmap cannot find their ptes (though swapoff can).
For now just work around it by making page_address_in_vma() safe (and
add a comment on why that check is wanted anyway). A similar check
in __page_check_anon_rmap() is safe because do_page_add_anon_rmap()
already excluded KSM pages.
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Rik van Riel <riel@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Chris Wilson [Sun, 26 Sep 2010 19:21:44 +0000 (20:21 +0100)]
drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
... and do the same for pread.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@kernel.org
Chris Wilson [Sun, 26 Sep 2010 19:50:05 +0000 (20:50 +0100)]
drm/i915: Sanity check pread/pwrite
Move the access control up from the fast paths, which are no longer
universally taken first, up into the caller. This then duplicates some
sanity checking along the slow paths, but is much simpler.
Tracked as CVE-2010-2962.
Reported-by: Kees Cook <kees@ubuntu.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@kernel.org
Giel van Schijndel [Sun, 3 Oct 2010 12:09:49 +0000 (08:09 -0400)]
hwmon: f71882fg: use a muxed resource lock for the Super I/O port
Sleep while acquiring a resource lock on the Super I/O port. This should
prevent collisions from causing the hardware probe to fail with -EBUSY.
Signed-off-by: Giel van Schijndel <me@mortis.eu>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Keith Packard [Sun, 3 Oct 2010 07:33:06 +0000 (00:33 -0700)]
drm/i915: Use pipe state to tell when pipe is off
Instead of waiting for the display line value to settle, we can simply
wait for the pipe configuration register 'state' bit to turn off.
Contrarywise, disabling the plane will not cause the display line
value to stop changing, so instead we wait for the vblank interrupt
bit to get set. And, we only do this when we're not about to wait for
the pipe to turn off.
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Keith Packard [Sun, 3 Oct 2010 07:33:05 +0000 (00:33 -0700)]
drm/i915: vblank status not valid while training display port
While the display port is in training mode, vblank interrupts don't
occur. Because we have to wait for the display port output to turn on
before starting the training sequence, enable the output in 'normal'
mode so that we can tell when a vblank has occurred, then start the
training sequence.
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Sinan Akman [Sun, 3 Oct 2010 03:28:29 +0000 (21:28 -0600)]
of/spi: Fix OF-style driver binding of spi devices
This patch adds the OF hook to the spi core so that devices
can automatically be registered based on device tree data. This fixes
a problem with spi devices not binding to drivers after the cleanup of
the spi & i2c binding code.
Signed-off-by: Sinan Akman <sinan@writeme.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Roel Kluin [Sat, 2 Oct 2010 12:03:32 +0000 (14:03 +0200)]
spi: spi-gpio.c tests SPI_MASTER_NO_RX bit twice, but not SPI_MASTER_NO_TX
The SPI_MASTER_NO_TX bit (can't do buffer write) wasn't tested. This
code was introduced in commit
3c8e1a84 (spi/spi-gpio: add support for
controllers without MISO or MOSI pin). This patch fixes a bug in
choosing which transfer ops to use.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Julia Lawall [Sat, 2 Oct 2010 13:59:17 +0000 (15:59 +0200)]
drivers/gpu/drm/i915/i915_gem.c: Add missing error handling code
Extend the error handling code with operations found in other nearby error
handling code
A simplified version of the sematic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@r exists@
@r@
statement S1,S2,S3;
constant C1,C2,C3;
@@
*if (...)
{... S1 return -C1;}
...
*if (...)
{... when != S1
return -C2;}
...
*if (...)
{... S1 return -C3;}
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@kernel.org
Axel Lin [Fri, 1 Oct 2010 05:56:27 +0000 (13:56 +0800)]
regulator: max8649 - fix setting extclk_freq
The SYNC bits are BIT6 and BIT7 of MAX8649_SYNC register.
pdata->extclk_freq could be [0|1|2].
(MAX8649_EXTCLK_26MHZ|MAX8649_EXTCLK_13MHZ|MAX8649_EXTCLK_19MHZ)
It requires to left shift 6 bits to properly set extclk_freq.
Signed-off-by: Axel Lin <axel.lin@gmail.com>
Acked-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Liam Girdwood <lrg@slimlogic.co.uk>
Cyril Chemparathy [Wed, 22 Sep 2010 16:30:15 +0000 (12:30 -0400)]
regulator: fix typo in current units
This patch fixes a typo that incorrectly reports mA numbers as uA.
Signed-off-by: Cyril Chemparathy <cyril@ti.com>
Acked-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Liam Girdwood <lrg@slimlogic.co.uk>
Vasiliy Kulikov [Sun, 19 Sep 2010 12:55:01 +0000 (16:55 +0400)]
regulator: fix device_register() error handling
If device_register() fails then call put_device().
See comment to device_register.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Acked-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Liam Girdwood <lrg@slimlogic.co.uk>
Linus Torvalds [Fri, 1 Oct 2010 22:03:37 +0000 (15:03 -0700)]
Merge git://git./linux/kernel/git/sfrench/cifs-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
cifs: prevent infinite recursion in cifs_reconnect_tcon
cifs: set backing_dev_info on new S_ISREG inodes
Linus Torvalds [Fri, 1 Oct 2010 22:02:41 +0000 (15:02 -0700)]
Merge branch 'x86-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip
* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
x86, hpet: Fix bogus error check in hpet_assign_irq()
x86, irq: Plug memory leak in sparse irq
x86, cpu: After uncapping CPUID, re-run CPU feature detection
David Howells [Fri, 1 Oct 2010 09:31:03 +0000 (10:31 +0100)]
MN10300: Fix flush_icache_range()
flush_icache_range() is given virtual addresses to describe the region. It
deals with these by attempting to translate them through the current set of
page tables.
This is fine for userspace memory and vmalloc()'d areas as they are governed by
page tables. However, since the regions above 0x80000000 aren't translated
through the page tables by the MMU, the kernel doesn't bother to set up page
tables for them (see paging_init()).
This means flush_icache_range() as it stands cannot be used to flush regions of
the VM area between 0x80000000 and 0x9fffffff where the kernel resides if the
data cache is operating in WriteBack mode.
To fix this, make flush_icache_range() first check for addresses in the upper
half of VM space and deal with them appropriately, before dealing with any
range in the page table mapped area.
Ordinarily, this is not a problem, but it has the capacity to make kprobes and
kgdb malfunction. It should not affect gdbstub, signal frame setup or module
loading as gdb has its own flush functions, and the others take place in the
page table mapped area only.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Akira Takeuchi <takeuchi.akr@jp.panasonic.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Fri, 1 Oct 2010 17:58:31 +0000 (10:58 -0700)]
Merge branch 'drm-fixes' of git://git./linux/kernel/git/airlied/drm-2.6
* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
vmwgfx: Fix fb VRAM pinning failure due to fragmentation
vmwgfx: Remove initialisation of dev::devname
vmwgfx: Enable use of the vblank system
vmwgfx: vt-switch (master drop) fixes
drm/vmwgfx: Fix breakage introduced by commit "drm: block userspace under allocating buffer and having drivers overwrite it (v2)"
drm: Hold the mutex when dropping the last GEM reference (v2)
drm/gem: handlecount isn't really a kref so don't make it one.
drm: i810/i830: fix locked ioctl variant
drm/radeon/kms: add quirk for MSI K9A2GM motherboard
drm/radeon/kms: fix potential segfault in r600_ioctl_wait_idle
drm: Prune GEM vma entries
drm/radeon/kms: fix up encoder info messages for DFP6
drm/radeon: fix PCI ID 5657 to be an RV410
Linus Torvalds [Fri, 1 Oct 2010 17:55:54 +0000 (10:55 -0700)]
Merge branch 'for-linus/i2c/2636-rc5' of git://git.fluff.org/bjdooks/linux
* 'for-linus/i2c/2636-rc5' of git://git.fluff.org/bjdooks/linux:
i2c-s3c2410: fix calculation of SDA line delay
i2c-davinci: Fix race when setting up for TX
i2c-octeon: Return -ETIMEDOUT in octeon_i2c_wait() on timeout
Linus Torvalds [Fri, 1 Oct 2010 17:54:58 +0000 (10:54 -0700)]
Merge branch 'release' of git://git./linux/kernel/git/lenb/linux-acpi-2.6
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6:
ACPI: invoke DSDT corruption workaround on all Toshiba Satellite
ACPI, APEI, Fix ERST MOVE_DATA instruction implementation
ACPI: fan: Fix more unbalanced code block
ACPI: acpi_pad: simplify code to avoid false gcc build warning
ACPI, APEI, Fix error path for memory allocation
ACPI, APEI, HEST Fix the unsuitable usage of platform_data
ACPI, APEI, Fix acpi_pre_map() return value
ACPI, APEI, Fix APEI related table size checking
ACPI: Disable Windows Vista compatibility for Toshiba P305D
ACPI: Kconfig: fix typo.
ACPI: add missing __percpu markup in arch/x86/kernel/acpi/cstate.c
ACPI: Fix typos
ACPI video: fix a poor warning message
ACPI: fix build warnings resulting from merge window conflict
ACPI: EC: add Vista incompatibility DMI entry for Toshiba Satellite L355
ACPI: expand Vista blacklist to include SP1 and SP2
ACPI: delete ZEPTO idle=nomwait DMI quirk
ACPI: enable repeated PCIEXP wakeup by clearing PCIEXP_WAKE_STS on resume
PM / ACPI: Blacklist systems known to require acpi_sleep=nonvs
ACPI: Don't report current_now if battery reports in mWh
Linus Torvalds [Fri, 1 Oct 2010 17:53:45 +0000 (10:53 -0700)]
Merge branch 'idle-release' of git://git./linux/kernel/git/lenb/linux-idle-2.6
* 'idle-release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-idle-2.6:
intel_idle: Voluntary leave_mm before entering deeper
acpi_idle: add missing \n to printk
intel_idle: add missing __percpu markup
intel_idle: Change mode 755 => 644
cpuidle: Fix typos
intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot hang
Linus Torvalds [Fri, 1 Oct 2010 17:53:06 +0000 (10:53 -0700)]
Merge branch 'omap-fixes-for-linus' of git://git./linux/kernel/git/tmlind/linux-omap-2.6
* 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6:
omap: McBSP: tx_irq_completion used in rx_irq_handler
omap: Fix compile dependency to LEDS_CLASS
Frederic Weisbecker [Thu, 30 Sep 2010 22:15:38 +0000 (15:15 -0700)]
reiserfs: fix unwanted reiserfs lock recursion
Prevent from recursively locking the reiserfs lock in reiserfs_unpack()
because we may call journal_begin() that requires the lock to be taken
only once, otherwise it won't be able to release the lock while taking
other mutexes, ending up in inverted dependencies between the journal
mutex and the reiserfs lock for example.
This fixes:
=======================================================
[ INFO: possible circular locking dependency detected ]
2.6.35.4.4a #3
-------------------------------------------------------
lilo/1620 is trying to acquire lock:
(&journal->j_mutex){+.+...}, at: [<
d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
but task is already holding lock:
(&REISERFS_SB(s)->lock){+.+.+.}, at: [<
d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&REISERFS_SB(s)->lock){+.+.+.}:
[<
c10562b7>] lock_acquire+0x67/0x80
[<
c12facad>] __mutex_lock_common+0x4d/0x410
[<
c12fb0c8>] mutex_lock_nested+0x18/0x20
[<
d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
[<
d0325c06>] do_journal_begin_r+0x86/0x340 [reiserfs]
[<
d0325f77>] journal_begin+0x77/0x140 [reiserfs]
[<
d0315be4>] reiserfs_remount+0x224/0x530 [reiserfs]
[<
c10b6a20>] do_remount_sb+0x60/0x110
[<
c10cee25>] do_mount+0x625/0x790
[<
c10cf014>] sys_mount+0x84/0xb0
[<
c12fca3d>] syscall_call+0x7/0xb
-> #0 (&journal->j_mutex){+.+...}:
[<
c10560f6>] __lock_acquire+0x1026/0x1180
[<
c10562b7>] lock_acquire+0x67/0x80
[<
c12facad>] __mutex_lock_common+0x4d/0x410
[<
c12fb0c8>] mutex_lock_nested+0x18/0x20
[<
d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
[<
d0325f77>] journal_begin+0x77/0x140 [reiserfs]
[<
d0326271>] reiserfs_persistent_transaction+0x41/0x90 [reiserfs]
[<
d030d06c>] reiserfs_get_block+0x22c/0x1530 [reiserfs]
[<
c10db9db>] __block_prepare_write+0x1bb/0x3a0
[<
c10dbbe6>] block_prepare_write+0x26/0x40
[<
d030b738>] reiserfs_prepare_write+0x88/0x170 [reiserfs]
[<
d03294d6>] reiserfs_unpack+0xe6/0x120 [reiserfs]
[<
d0329782>] reiserfs_ioctl+0x272/0x320 [reiserfs]
[<
c10c3188>] vfs_ioctl+0x28/0xa0
[<
c10c3bbd>] do_vfs_ioctl+0x32d/0x5c0
[<
c10c3eb3>] sys_ioctl+0x63/0x70
[<
c12fca3d>] syscall_call+0x7/0xb
other info that might help us debug this:
2 locks held by lilo/1620:
#0: (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [<
d032945a>] reiserfs_unpack+0x6a/0x120 [reiserfs]
#1: (&REISERFS_SB(s)->lock){+.+.+.}, at: [<
d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
stack backtrace:
Pid: 1620, comm: lilo Not tainted 2.6.35.4.4a #3
Call Trace:
[<
c10560f6>] __lock_acquire+0x1026/0x1180
[<
c10562b7>] lock_acquire+0x67/0x80
[<
c12facad>] __mutex_lock_common+0x4d/0x410
[<
c12fb0c8>] mutex_lock_nested+0x18/0x20
[<
d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
[<
d0325f77>] journal_begin+0x77/0x140 [reiserfs]
[<
d0326271>] reiserfs_persistent_transaction+0x41/0x90 [reiserfs]
[<
d030d06c>] reiserfs_get_block+0x22c/0x1530 [reiserfs]
[<
c10db9db>] __block_prepare_write+0x1bb/0x3a0
[<
c10dbbe6>] block_prepare_write+0x26/0x40
[<
d030b738>] reiserfs_prepare_write+0x88/0x170 [reiserfs]
[<
d03294d6>] reiserfs_unpack+0xe6/0x120 [reiserfs]
[<
d0329782>] reiserfs_ioctl+0x272/0x320 [reiserfs]
[<
c10c3188>] vfs_ioctl+0x28/0xa0
[<
c10c3bbd>] do_vfs_ioctl+0x32d/0x5c0
[<
c10c3eb3>] sys_ioctl+0x63/0x70
[<
c12fca3d>] syscall_call+0x7/0xb
Reported-by: Jarek Poplawski <jarkao2@gmail.com>
Tested-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jeff Mahoney <jeffm@suse.com>
Cc: All since 2.6.32 <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Frederic Weisbecker [Thu, 30 Sep 2010 22:15:37 +0000 (15:15 -0700)]
reiserfs: fix dependency inversion between inode and reiserfs mutexes
The reiserfs mutex already depends on the inode mutex, so we can't lock
the inode mutex in reiserfs_unpack() without using the safe locking API,
because reiserfs_unpack() is always called with the reiserfs mutex locked.
This fixes:
=======================================================
[ INFO: possible circular locking dependency detected ]
2.6.35c #13
-------------------------------------------------------
lilo/1606 is trying to acquire lock:
(&sb->s_type->i_mutex_key#8){+.+.+.}, at: [<
d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
but task is already holding lock:
(&REISERFS_SB(s)->lock){+.+.+.}, at: [<
d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&REISERFS_SB(s)->lock){+.+.+.}:
[<
c1056347>] lock_acquire+0x67/0x80
[<
c12f083d>] __mutex_lock_common+0x4d/0x410
[<
c12f0c58>] mutex_lock_nested+0x18/0x20
[<
d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
[<
d0329e9a>] reiserfs_lookup_privroot+0x2a/0x90 [reiserfs]
[<
d0316b81>] reiserfs_fill_super+0x941/0xe60 [reiserfs]
[<
c10b7d17>] get_sb_bdev+0x117/0x170
[<
d0313e21>] get_super_block+0x21/0x30 [reiserfs]
[<
c10b74ba>] vfs_kern_mount+0x6a/0x1b0
[<
c10b7659>] do_kern_mount+0x39/0xe0
[<
c10cebe0>] do_mount+0x340/0x790
[<
c10cf0b4>] sys_mount+0x84/0xb0
[<
c12f25cd>] syscall_call+0x7/0xb
-> #0 (&sb->s_type->i_mutex_key#8){+.+.+.}:
[<
c1056186>] __lock_acquire+0x1026/0x1180
[<
c1056347>] lock_acquire+0x67/0x80
[<
c12f083d>] __mutex_lock_common+0x4d/0x410
[<
c12f0c58>] mutex_lock_nested+0x18/0x20
[<
d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
[<
d0329772>] reiserfs_ioctl+0x272/0x320 [reiserfs]
[<
c10c3228>] vfs_ioctl+0x28/0xa0
[<
c10c3c5d>] do_vfs_ioctl+0x32d/0x5c0
[<
c10c3f53>] sys_ioctl+0x63/0x70
[<
c12f25cd>] syscall_call+0x7/0xb
other info that might help us debug this:
1 lock held by lilo/1606:
#0: (&REISERFS_SB(s)->lock){+.+.+.}, at: [<
d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
stack backtrace:
Pid: 1606, comm: lilo Not tainted 2.6.35c #13
Call Trace:
[<
c1056186>] __lock_acquire+0x1026/0x1180
[<
c1056347>] lock_acquire+0x67/0x80
[<
c12f083d>] __mutex_lock_common+0x4d/0x410
[<
c12f0c58>] mutex_lock_nested+0x18/0x20
[<
d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
[<
d0329772>] reiserfs_ioctl+0x272/0x320 [reiserfs]
[<
c10c3228>] vfs_ioctl+0x28/0xa0
[<
c10c3c5d>] do_vfs_ioctl+0x32d/0x5c0
[<
c10c3f53>] sys_ioctl+0x63/0x70
[<
c12f25cd>] syscall_call+0x7/0xb
Reported-by: Jarek Poplawski <jarkao2@gmail.com>
Tested-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jeff Mahoney <jeffm@suse.com>
Cc: <stable@kernel.org> [2.6.32 and later]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Kukjin Kim [Thu, 30 Sep 2010 22:15:35 +0000 (15:15 -0700)]
MAINTAINERS: update maintainer for S5P ARM ARCHITECTURES
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
Acked-by: Ben Dooks <ben-linux@fluff.org>
Acked-by: Russell King <rmk@arm.linux.org.uk>
Cc: Kyungmin Park <kmpark@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Petr Vandrovec [Thu, 30 Sep 2010 22:15:34 +0000 (15:15 -0700)]
MAINTAINERS: update matroxfb & ncpfs status
I moved couple years ago, so let's update my email and snail mail.
And I do not have any access to Matrox hardware anymore, and I'm quite
unresponsive to matroxfb bug reports (sorry Alan), so saying that I'm
maintainer is a bit far fetched.
For ncpfs I do not use ncpfs in my daily life either, but at least I can
test that one, so I can stay listed here for odd fixes.
Signed-off-by: Petr Vandrovec <petr@vandrovec.name>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jiri Olsa [Thu, 30 Sep 2010 22:15:33 +0000 (15:15 -0700)]
proc: make /proc/pid/limits world readable
Having the limits file world readable will ease the task of system
management on systems where root privileges might be restricted.
Having admin restricted with root priviledges, he/she could not check
other users process' limits.
Also it'd align with most of the /proc stat files.
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Cc: Eugene Teo <eugene@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Don Mullis [Thu, 30 Sep 2010 22:15:32 +0000 (15:15 -0700)]
lib/list_sort: do not pass bad pointers to cmp callback
If the original list is a POT in length, the first callback from line 73
will pass a==b both pointing to the original list_head. This is dangerous
because the 'list_sort()' user can use 'container_of()' and accesses the
"containing" object, which does not necessary exist for the list head. So
the user can access RAM which does not belong to him. If this is a write
access, we can end up with memory corruption.
Signed-off-by: Don Mullis <don.mullis@gmail.com>
Tested-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Dan Rosenberg [Thu, 30 Sep 2010 22:15:31 +0000 (15:15 -0700)]
sys_semctl: fix kernel stack leakage
The semctl syscall has several code paths that lead to the leakage of
uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
version of the semid_ds struct.
The copy_semid_to_user() function declares a semid_ds struct on the stack
and copies it back to the user without initializing or zeroing the
"sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
allowing the leakage of 16 bytes of kernel stack memory.
The code is still reachable on 32-bit systems - when calling semctl()
newer glibc's automatically OR the IPC command with the IPC_64 flag, but
invoking the syscall directly allows users to use the older versions of
the struct.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Marcin Slusarz [Thu, 30 Sep 2010 22:15:30 +0000 (15:15 -0700)]
i7core_edac: fix panic in udimm sysfs attributes registration
Array of udimm sysfs attributes was not ended with NULL marker, leading to
dereference of random memory.
EDAC DEBUG: edac_create_mci_instance_attributes: edac_create_mci_instance_attributes() file udimm0
EDAC DEBUG: edac_create_mci_instance_attributes: edac_create_mci_instance_attributes() file udimm1
EDAC DEBUG: edac_create_mci_instance_attributes: edac_create_mci_instance_attributes() file udimm2
BUG: unable to handle kernel NULL pointer dereference at
00000000000001a4
IP: [<
ffffffff81330b36>] edac_create_mci_instance_attributes+0x148/0x1f1
Pid: 1, comm: swapper Not tainted 2.6.36-rc3-nv+ #483 P6T SE/System Product Name
RIP: 0010:[<
ffffffff81330b36>] [<
ffffffff81330b36>] edac_create_mci_instance_attributes+0x148/0x1f1
(...)
Call Trace:
[<
ffffffff81330b86>] edac_create_mci_instance_attributes+0x198/0x1f1
[<
ffffffff81330c9a>] edac_create_sysfs_mci_device+0xbb/0x2b2
[<
ffffffff8132f533>] edac_mc_add_mc+0x46b/0x557
[<
ffffffff81428901>] i7core_probe+0xccf/0xec0
RIP [<
ffffffff81330b36>] edac_create_mci_instance_attributes+0x148/0x1f1
---[ end trace
20de320855b81d78 ]---
Kernel panic - not syncing: Attempted to kill init!
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Cc: Mauro Carvalho Chehab <mchehab@redhat.com>
Acked-by: Doug Thompson <dougthompson@xmission.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Andrew Morton [Thu, 30 Sep 2010 22:15:29 +0000 (15:15 -0700)]
drivers/serial/mrst_max3110.c needs linux/irq.h
sparc64 allmodconfig:
drivers/serial/mrst_max3110.c: In function `serial_m3110_startup':
drivers/serial/mrst_max3110.c:470: error: `IRQ_TYPE_EDGE_FALLING' undeclared (first use in this function)
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Andrew Morton [Thu, 30 Sep 2010 22:15:29 +0000 (15:15 -0700)]
arch/m68k/mac/macboing.c: use unsigned long for irqflags
Fix the warnings
arch/m68k/mac/macboing.c: In function 'mac_mksound':
arch/m68k/mac/macboing.c:189: warning: comparison of distinct pointer types lacks a cast
arch/m68k/mac/macboing.c:211: warning: comparison of distinct pointer types lacks a cast
arch/m68k/mac/macboing.c: In function 'mac_quadra_start_bell':
arch/m68k/mac/macboing.c:241: warning: comparison of distinct pointer types lacks a cast
arch/m68k/mac/macboing.c:263: warning: comparison of distinct pointer types lacks a cast
arch/m68k/mac/macboing.c: In function 'mac_quadra_ring_bell':
arch/m68k/mac/macboing.c:283: warning: comparison of distinct pointer types lacks a cast
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Andrew Morton [Thu, 30 Sep 2010 22:15:28 +0000 (15:15 -0700)]
drivers/serial/mfd.c needs slab.h
alpha allmodconfig:
drivers/serial/mfd.c:144: error: implicit declaration of function 'kzalloc'
drivers/serial/mfd.c:144: warning: assignment makes pointer from integer without a cast
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Ira W. Snyder [Thu, 30 Sep 2010 22:15:27 +0000 (15:15 -0700)]
kfifo: fix scatterlist usage
The kfifo_dma family of functions use sg_mark_end() on the last element in
their scatterlist. This forces use of a fresh scatterlist for each DMA
operation, which makes recycling a single scatterlist impossible.
Change the behavior of the kfifo_dma functions to match the usage of the
dma_map_sg function. This means that users must respect the returned
nents value. The sample code is updated to reflect the change.
This bug is trivial to cause: call kfifo_dma_in_prepare() such that it
prepares a scatterlist with a single entry comprising the whole fifo.
This is the case when you map the entirety of a newly created empty fifo.
This causes the setup_sgl() function to mark the first scatterlist entry
as the end of the chain, no matter what comes after it.
Afterwards, add and remove some data from the fifo such that another call
to kfifo_dma_in_prepare() will create two scatterlist entries. It returns
nents=2. However, due to the previous sg_mark_end() call, sg_is_last()
will now return true for the first scatterlist element. This causes the
sample code to print a single scatterlist element when it should print
two.
By removing the call to sg_mark_end(), we make the API as similar as
possible to the DMA mapping API. All users are required to respect the
returned nents.
Signed-off-by: Ira W. Snyder <iws@ovro.caltech.edu>
Cc: Stefani Seibold <stefani@seibold.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jeff Layton [Wed, 29 Sep 2010 19:27:08 +0000 (15:27 -0400)]
cifs: prevent infinite recursion in cifs_reconnect_tcon
cifs_reconnect_tcon is called from smb_init. After a successful
reconnect, cifs_reconnect_tcon will call reset_cifs_unix_caps. That
function will, in turn call CIFSSMBQFSUnixInfo and CIFSSMBSetFSUnixInfo.
Those functions also call smb_init.
It's possible for the session and tcon reconnect to succeed, and then
for another cifs_reconnect to occur before CIFSSMBQFSUnixInfo or
CIFSSMBSetFSUnixInfo to be called. That'll cause those functions to call
smb_init and cifs_reconnect_tcon again, ad infinitum...
Break the infinite recursion by having those functions use a new
smb_init variant that doesn't attempt to perform a reconnect.
Reported-and-Tested-by: Michal Suchanek <hramrach@centrum.cz>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Thomas Hellstrom [Fri, 1 Oct 2010 08:21:51 +0000 (10:21 +0200)]
vmwgfx: Fix fb VRAM pinning failure due to fragmentation
If the soon-to-be scanout buffer is partly covering the intended
VRAM region, move and pin will fail. In that case, just move it out
to system before attempting to move it in again.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Thomas Hellstrom [Fri, 1 Oct 2010 08:21:50 +0000 (10:21 +0200)]
vmwgfx: Remove initialisation of dev::devname
The removed code causes oopses with newer drms on master drop.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Thomas Hellstrom [Fri, 1 Oct 2010 08:21:49 +0000 (10:21 +0200)]
vmwgfx: Enable use of the vblank system
This is to avoid accessing uninitialized data during
drm_irq_uninstall and vblank ioctls. At the same time, enable error check from
drm_kms_init which previously appeared to ignore all errors.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Thomas Hellstrom [Fri, 1 Oct 2010 08:21:48 +0000 (10:21 +0200)]
vmwgfx: vt-switch (master drop) fixes
We add an option not to enable fbdev, this option is off (0) by default.
Not enabling fbdev at load time makes it possible to co-operate with
vga16fb and vga text mode when VT switching.
However, if 3D resources are active when VT switching, we're currently
not able to switch over to vga, due to device limitations.
This fixes a bug where we previously lost 3D state during VT switch.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Thomas Hellstrom [Thu, 30 Sep 2010 10:18:33 +0000 (12:18 +0200)]
drm/vmwgfx: Fix breakage introduced by commit "drm: block userspace under allocating buffer and having drivers overwrite it (v2)"
The mentioned commit breaks the vmwgfx ioctl argument sanity check.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Chris Wilson [Thu, 30 Sep 2010 08:10:26 +0000 (09:10 +0100)]
drm: Hold the mutex when dropping the last GEM reference (v2)
In order to be fully threadsafe we need to check that the drm_gem_object
refcount is still 0 after acquiring the mutex in order to call the free
function. Otherwise, we may encounter scenarios like:
Thread A: Thread B:
drm_gem_close
unreference_unlocked
kref_put mutex_lock
... i915_gem_evict
... kref_get -> BUG
... i915_gem_unbind
... kref_put
... i915_gem_object_free
... mutex_unlock
mutex_lock
i915_gem_object_free -> BUG
i915_gem_object_unbind
kfree
mutex_unlock
Note that no driver is currently using the free_unlocked vfunc and it is
scheduled for removal, hasten that process.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=30454
Reported-and-Tested-by: Magnus Kessler <Magnus.Kessler@gmx.net>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Chris Wilson [Wed, 29 Sep 2010 21:23:05 +0000 (22:23 +0100)]
drm/i915: Fix refleak during eviction.
Now that we hold onto a reference whilst evicting objects, we need to
be sure that we drop all the references taken -- even on the error
paths.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Suresh Siddha [Fri, 1 Oct 2010 01:19:07 +0000 (21:19 -0400)]
intel_idle: Voluntary leave_mm before entering deeper
Avoid TLB flush IPIs for the cores in deeper c-states by voluntary leave_mm()
before entering into that state. CPUs tend to flush TLB in those c-states
anyways.
acpi_idle does this with C3-type states, but it was not caried over
when intel_idle was introduced. intel_idle can apply it
to C-states in addition to those that ACPI might export as C3...
Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Eric Dumazet [Thu, 30 Sep 2010 02:16:44 +0000 (02:16 +0000)]
vlan: dont drop packets from unknown vlans in promiscuous mode
Roger Luethi noticed packets for unknown VLANs getting silently dropped
even in promiscuous mode.
Check for promiscuous mode in __vlan_hwaccel_rx() and vlan_gro_common()
before drops.
As suggested by Patrick, mark such packets to have skb->pkt_type set to
PACKET_OTHERHOST to make sure they are dropped by IP stack.
Reported-by: Roger Luethi <rl@hellgate.ch>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dave Airlie [Mon, 27 Sep 2010 06:17:17 +0000 (16:17 +1000)]
drm/gem: handlecount isn't really a kref so don't make it one.
There were lots of places being inconsistent since handle count
looked like a kref but it really wasn't.
Fix this my just making handle count an atomic on the object,
and have it increase the normal object kref.
Now i915/radeon/nouveau drivers can drop the normal reference on
userspace object creation, and have the handle hold it.
This patch fixes a memory leak or corruption on unload, because
the driver had no way of knowing if a handle had been actually
added for this object, and the fbcon object needed to know this
to clean itself up properly.
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
MyungJoo Ham [Thu, 30 Sep 2010 13:54:46 +0000 (15:54 +0200)]
i2c-s3c2410: fix calculation of SDA line delay
S3C2440 style I2C controller uses PCLK to calculate the SDA line delay.
The driver wrongly assumed that this delay is calculated from the
frequency that the controller is operating on. This patch fixes this
issue.
Signed-off-by: MyungJoo Ham <myungjoo.ham@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Ben Dooks <ben-linux@fluff.org>
Thomas Gleixner [Tue, 28 Sep 2010 21:20:23 +0000 (23:20 +0200)]
x86, hpet: Fix bogus error check in hpet_assign_irq()
create_irq() returns -1 if the interrupt allocation failed, but the
code checks for irq == 0.
Use create_irq_nr() instead.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Venkatesh Pallipadi <venki@google.com>
LKML-Reference: <alpine.LFD.2.00.
1009282310360.2416@localhost6.localdomain6>
Cc: stable@kernel.org
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Thomas Gleixner [Tue, 28 Sep 2010 18:57:19 +0000 (20:57 +0200)]
x86, irq: Plug memory leak in sparse irq
free_irq_cfg() is not freeing the cpumask_vars in irq_cfg. Fixing this
triggers a use after free caused by the fact that copying struct
irq_cfg is done with memcpy, which copies the pointer not the cpumask.
Fix both places.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Yinghai Lu <yhlu.kernel@gmail.com>
LKML-Reference: <alpine.LFD.2.00.
1009282052570.2416@localhost6.localdomain6>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@kernel.org
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Takashi Iwai [Thu, 30 Sep 2010 20:59:12 +0000 (22:59 +0200)]
ALSA: i2c/other/ak4xx-adda: Fix a compile warning with CONFIG_PROCFS=n
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Pekka Enberg [Thu, 30 Sep 2010 19:57:33 +0000 (22:57 +0300)]
[CPUFREQ] Fix memory leaks in pcc_cpufreq_do_osc
If acpi_evaluate_object() function call doesn't fail, we must kfree()
output.buffer before returning from pcc_cpufreq_do_osc().
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Dave Jones <davej@redhat.com>
Namhyung Kim [Fri, 13 Aug 2010 14:00:11 +0000 (23:00 +0900)]
[CPUFREQ] acpi-cpufreq: add missing __percpu markup
acpi_perf_data is a percpu pointer but was missing __percpu markup.
Add it.
Signed-off-by: Namhyung Kim <namhyung@gmail.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Dave Jones <davej@redhat.com>
David S. Miller [Thu, 30 Sep 2010 19:02:22 +0000 (12:02 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6
Linus Torvalds [Thu, 30 Sep 2010 15:37:38 +0000 (08:37 -0700)]
Fix up more fallout form alpha signal cleanups
Commit
c52c2ddc1dfa ("alpha: switch osf_sigprocmask() to use of
sigprocmask()") had several problems. The more obvious compile issues
got fixed in commit
0f44fbd297e1 ("alpha: fix compile problem in
arch/alpha/kernel/signal.c"), but it also caused a regression.
Since _BLOCKABLE is already the set of signals that can be blocked, the
code should do "newmask & _BLOCKABLE" rather than inverting _BLOCKABLE
before masking.
Reported-by: Michael Cree <mcree@orcon.net.nz>
Patch-by: Al Viro <viro@zeniv.linux.org.uk>
Patch-by: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Thu, 30 Sep 2010 03:38:07 +0000 (20:38 -0700)]
Merge branch 'fixes' of git://git./linux/kernel/git/jlbec/ocfs2
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jlbec/ocfs2:
ocfs2: Don't walk off the end of fast symlinks.
Arnd Bergmann [Wed, 29 Sep 2010 15:47:58 +0000 (17:47 +0200)]
drm: i810/i830: fix locked ioctl variant
The i810 and i830 device drivers may replace their file operations
on an open file descriptor. My previous patch to move the BKL
out of the common DRM code into these drivers only caught the
default file operations, not the ones that actually end up being
used.
Found while trying to come up with a way to kill the BKL for
good in these drivers.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Kumar Sanghvi [Mon, 27 Sep 2010 23:10:42 +0000 (23:10 +0000)]
Phonet: Correct header retrieval after pskb_may_pull
Retrieve the header after doing pskb_may_pull since, pskb_may_pull
could change the buffer structure.
This is based on the comment given by Eric Dumazet on Phonet
Pipe controller patch for a similar problem.
Signed-off-by: Kumar Sanghvi <kumar.sanghvi@stericsson.com>
Acked-by: Linus Walleij <linus.walleij@stericsson.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Boaz Harrosh [Wed, 29 Sep 2010 08:34:27 +0000 (08:34 +0000)]
um: Proper Fix for
f25c80a4: remove duplicate structure field initialization
uml_net_set_mac() was broken and luckily it was never used, before.
What it was trying to do is spin_lock before memcopy the mac address.
Linus attempted to fix it in assumption that someone decided the
lock was needed. But since it was never ever used at all, and was
just dead code, I think we can assume that it is not needed, after
all.
On the other hand patch [
f25c80a4] was trying to use eth_mac_addr()
in eth_configure(), *which was the real fallout*. Because of state
checks done inside eth_mac_addr() the address was never set. I have
not reintroduced the memcpy wrapper, but I've put a comment for future
cats.
The code now is back to exactly as it was before [
f25c80a4]. With
the cleanup applied. If the spin_lock is indeed needed then a contender
should supply a test case that fails, then fix it with the proper
locking, as a separate unrelated patch.
CC: Julia Lawall <julia@diku.dk>
CC: David S. Miller <davem@davemloft.net>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Boaz Harrosh <bharrosh@panasas.com>
Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Thu, 30 Sep 2010 01:41:19 +0000 (18:41 -0700)]
Merge branch 'fixes' of git://git./linux/kernel/git/djbw/async_tx
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_tx:
dmaengine: fix interrupt clearing for mv_xor
missing inline keyword for static function in linux/dmaengine.h
dma/shdma: move dereference below the NULL check
Joel Becker [Thu, 30 Sep 2010 00:33:05 +0000 (17:33 -0700)]
ocfs2: Don't walk off the end of fast symlinks.
ocfs2 fast symlinks are NUL terminated strings stored inline in the
inode data area. However, disk corruption or a local attacker could, in
theory, remove that NUL. Because we're using strlen() (my fault,
introduced in a731d1 when removing vfs_follow_link()), we could walk off
the end of that string.
Signed-off-by: Joel Becker <joel.becker@oracle.com>
Cc: stable@kernel.org
Linus Torvalds [Wed, 29 Sep 2010 21:58:11 +0000 (14:58 -0700)]
Merge branch 'for-linus' of git://oss.sgi.com/xfs/xfs
* 'for-linus' of git://oss.sgi.com/xfs/xfs:
xfs: force background CIL push under sustained load
Linus Torvalds [Wed, 29 Sep 2010 21:57:53 +0000 (14:57 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/sameo/mfd-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6:
mfd: Fix max8925 irq control bit incorrect setting
mfd: Ignore non-GPIO IRQs when setting wm831x IRQ types
Daniel J Blueman [Wed, 29 Sep 2010 20:01:55 +0000 (21:01 +0100)]
fix OMAP2 MTD build failure
Fix build failure from recent interface change and merge.
Tested on OMAP3430.
Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jeff Layton [Wed, 29 Sep 2010 13:49:54 +0000 (09:49 -0400)]
cifs: set backing_dev_info on new S_ISREG inodes
Testing on very recent kernel (2.6.36-rc6) made this warning pop:
WARNING: at fs/fs-writeback.c:87 inode_to_bdi+0x65/0x70()
Hardware name:
Dirtiable inode bdi default != sb bdi cifs
...the following patch fixes it and seems to be the obviously correct
thing to do for cifs.
Cc: stable@kernel.org
Acked-by: Dave Kleikamp <shaggy@linux.vnet.ibm.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Len Brown [Wed, 29 Sep 2010 19:18:28 +0000 (15:18 -0400)]
Merge branches 'apei', 'battery-mwh-fix', 'bugzilla-10807', 'bugzilla-14736', 'bugzilla-14679', 'bugzilla-16396', 'launchpad-613381' and 'misc' into release
Len Brown [Wed, 29 Sep 2010 02:57:02 +0000 (22:57 -0400)]
ACPI: invoke DSDT corruption workaround on all Toshiba Satellite
Our list of Toshiba Satellite models that require this workaround
is growing -- so invoke the workaround for the entire product line.
https://bugzilla.kernel.org/show_bug.cgi?id=14679
Signed-off-by: Len Brown <len.brown@intel.com>
Huang Ying [Wed, 29 Sep 2010 11:53:55 +0000 (19:53 +0800)]
ACPI, APEI, Fix ERST MOVE_DATA instruction implementation
The src_base and dst_base fields in apei_exec_context are physical
address, so they should be ioremaped before being used in ERST
MOVE_DATA instruction.
Reported-by: Javier Martinez Canillas <martinez.javier@gmail.com>
Reported-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Luis Henriques [Wed, 7 Jul 2010 18:30:15 +0000 (19:30 +0100)]
ACPI: fan: Fix more unbalanced code block
commit
934231de706d2579fae14f5857fcd8de991009ff fixes an unbalanced
CONFIG_ACPI_PROCFS code block during module initialisation. This
patch fixes similar issue but for the module exit.
Signed-off-by: Luis Henriques <luis.henrix@gmail.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Len Brown [Tue, 28 Sep 2010 20:50:50 +0000 (16:50 -0400)]
ACPI: acpi_pad: simplify code to avoid false gcc build warning
acpi_pad.c:432: warning: ‘num_cpus’ may be used uninitialized in this function
gcc 4.4.4 was unable to notice that num_cpus is always set.
Re-arrange the code to un-confuse gcc, and also make
it easier for humans to read....
Signed-off-by: Len Brown <len.browns@intel.com>
Huang Ying [Wed, 29 Sep 2010 11:53:54 +0000 (19:53 +0800)]
ACPI, APEI, Fix error path for memory allocation
In ERST debug/test support patch, a dynamic allocated buffer is
used. The may-failed memory allocation should be tried firstly before
free the previous buffer.
APEI resource management memory allocation related error path is fixed
too.
v2:
- Fix error messages for APEI resources management
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Jin Dongming [Wed, 29 Sep 2010 11:53:53 +0000 (19:53 +0800)]
ACPI, APEI, HEST Fix the unsuitable usage of platform_data
platform_data in hest_parse_ghes() is used for saving the address of entry
information of erst_tab. When the device is failed to be added, platform_data
will be freed by platform_device_put(). But the value saved in platform_data
should not be freed here. If it is done, it will make system panic.
So I think platform_data should save the address of allocated memory
which saves entry information of erst_tab.
This patch fixed it and I confirmed it on x86_64 next-tree.
v2:
Transport the pointer of hest_hdr to platform_data using
platform_device_add_data()
Signed-off-by: Jin Dongming <jin.dongming@np.css.fujitsu.com>
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Jin Dongming [Wed, 29 Sep 2010 11:53:52 +0000 (19:53 +0800)]
ACPI, APEI, Fix acpi_pre_map() return value
After we ioremap() a new region, we call __acpi_try_ioremap() to
see whether another thread has already mapped the same region.
This check clobbers "vaddr", so compute the return value of
acpi_pre_map() using the ioremap() result "map->vaddr" instead.
v2:
Modified the unsuitable description of patch.
v3:
Removed unlikely() check and made description simpler.
Signed-off-by: Jin Dongming <jin.dongming@np.css.fujitsu.com>
Reviewed-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Huang Ying [Wed, 29 Sep 2010 11:53:51 +0000 (19:53 +0800)]
ACPI, APEI, Fix APEI related table size checking
On Huang Ying's machine:
erst_tab->header_length == sizeof(struct acpi_table_einj)
but Yinghai reported that on his machine,
erst_tab->header_length == sizeof(struct acpi_table_einj) -
sizeof(struct acpi_table_header)
To make erst table size checking code works on all systems, both
testing are treated as PASS.
Same situation applies to einj_tab->header_length, so corresponding
table size checking is changed in similar way too.
v2:
- Treat both table size as valid
Originally-by: Yinghai Lu <yinghai@kernel.org>
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Dave Chinner [Fri, 24 Sep 2010 08:13:44 +0000 (18:13 +1000)]
xfs: force background CIL push under sustained load
I have been seeing occasional pauses in transaction throughput up to
30s long under heavy parallel workloads. The only notable thing was
that the xfsaild was trying to be active during the pauses, but
making no progress. It was running exactly 20 times a second (on the
50ms no-progress backoff), and the number of pushbuf events was
constant across this time as well. IOWs, the xfsaild appeared to be
stuck on buffers that it could not push out.
Further investigation indicated that it was trying to push out inode
buffers that were pinned and/or locked. The xfsbufd was also getting
woken at the same frequency (by the xfsaild, no doubt) to push out
delayed write buffers. The xfsbufd was not making any progress
because all the buffers in the delwri queue were pinned. This scan-
and-make-no-progress dance went one in the trace for some seconds,
before the xfssyncd came along an issued a log force, and then
things started going again.
However, I noticed something strange about the log force - there
were way too many IO's issued. 516 log buffers were written, to be
exact. That added up to 129MB of log IO, which got me very
interested because it's almost exactly 25% of the size of the log.
He delayed logging code is suppose to aggregate the minimum of 25%
of the log or 8MB worth of changes before flushing. That's what
really puzzled me - why did a log force write 129MB instead of only
8MB?
Essentially what has happened is that no CIL pushes had occurred
since the previous tail push which cleared out 25% of the log space.
That caused all the new transactions to block because there wasn't
log space for them, but they kick the xfsaild to push the tail.
However, the xfsaild was not making progress because there were
buffers it could not lock and flush, and the xfsbufd could not flush
them because they were pinned. As a result, both the xfsaild and the
xfsbufd could not move the tail of the log forward without the CIL
first committing.
The cause of the problem was that the background CIL push, which
should happen when 8MB of aggregated changes have been committed, is
being held off by the concurrent transaction commit load. The
background push does a down_write_trylock() which will fail if there
is a concurrent transaction commit holding the push lock in read
mode. With 8 CPUs all doing transactions as fast as they can, there
was enough concurrent transaction commits to hold off the background
push until tail-pushing could no longer free log space, and the halt
would occur.
It should be noted that there is no reason why it would halt at 25%
of log space used by a single CIL checkpoint. This bug could
definitely violate the "no transaction should be larger than half
the log" requirement and hence result in corruption if the system
crashed under heavy load. This sort of bug is exactly the reason why
delayed logging was tagged as experimental....
The fix is to start blocking background pushes once the threshold
has been exceeded. Rework the threshold calculations to keep the
amount of log space a CIL checkpoint can use to below that of the
AIL push threshold to avoid the problem completely.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Alex Elder <aelder@sgi.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Kevin Liu [Wed, 8 Sep 2010 13:44:36 +0000 (09:44 -0400)]
mfd: Fix max8925 irq control bit incorrect setting
In max8925_irq_sync_unlock(), irq control bit is set at the same time.
Zero means enabling irq, and one means disabling irq.
The original code is:
irq_chg[0] &= irq_data->enable;
It should be changed to:
irq_chg[0] &= ~irq_data->enable;
Otherwise, irq control bit is mess.
Signed-off-by: Kevin Liu <kliu5@marvell.com>
Signed-off-by: Haojian Zhuang <haojian.zhuang@marvell.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Mark Brown [Mon, 16 Aug 2010 19:26:51 +0000 (20:26 +0100)]
mfd: Ignore non-GPIO IRQs when setting wm831x IRQ types
The driver was originally tested with an additional patch which
made this unneeded but that patch had issuges and got lost on the
way to mainline, causing problems when the errors are reported.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Cc: stable@kernel.org
David S. Miller [Wed, 29 Sep 2010 05:37:56 +0000 (22:37 -0700)]
ip_gre: Fix dependencies wrt. ipv6.
The GRE tunnel driver needs to invoke icmpv6 helpers in the
ipv6 stack when ipv6 support is enabled.
Therefore if IPV6 is enabled, we have to enforce that GRE's
enabling (modular or static) matches that of ipv6.
Reported-by: Patrick McHardy <kaber@trash.net>
Reported-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Len Brown [Wed, 29 Sep 2010 03:30:58 +0000 (23:30 -0400)]
Merge branch 'meego-7093' into idle-release
Len Brown [Sat, 25 Sep 2010 00:50:02 +0000 (20:50 -0400)]
acpi_idle: add missing \n to printk
otherwise, these two lines print as one:
ACPI: acpi_idle yielding to intel_idle
ACPI: SSDT
3f5d8741 00203 (v02 PmRef Cpu0Ist
00003000 INTL
20050624)
Signed-off-by: Len Brown <len.brown@intel.com>
Namhyung Kim [Sat, 7 Aug 2010 18:10:03 +0000 (03:10 +0900)]
intel_idle: add missing __percpu markup
intel_idle_cpuidle_devices is a percpu pointer
but was missing __percpu markup.
Signed-off-by: Namhyung Kim <namhyung@gmail.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Len Brown <len.brown@intel.com>
Thomas Weber [Mon, 12 Jul 2010 06:56:43 +0000 (08:56 +0200)]
intel_idle: Change mode 755 => 644
Remove execution permission from source file.
Signed-off-by: Thomas Weber <weber@corscience.de>
Signed-off-by: Len Brown <len.brown@intel.com>
Lucas De Marchi [Tue, 7 Sep 2010 16:53:49 +0000 (12:53 -0400)]
cpuidle: Fix typos
Signed-off-by: Len Brown <len.brown@intel.com>
Zhang Rui [Wed, 29 Sep 2010 02:48:55 +0000 (22:48 -0400)]
ACPI: Disable Windows Vista compatibility for Toshiba P305D
Disable the Windows Vista (SP1) compatibility for Toshiba P305D.
http://bugzilla.kernel.org/show_bug.cgi?id=14736
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Andrea Gelmini [Wed, 18 Aug 2010 13:22:10 +0000 (15:22 +0200)]
ACPI: Kconfig: fix typo.
"power of" -> "power off"
Signed-off-by: Len Brown <len.brown@intel.com>
Namhyung Kim [Sat, 7 Aug 2010 17:17:29 +0000 (02:17 +0900)]
ACPI: add missing __percpu markup in arch/x86/kernel/acpi/cstate.c
cpu_cstate_entry is a percpu pointer
but was missing __percpu markup.
Signed-off-by: Namhyung Kim <namhyung@gmail.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Len Brown <len.brown@intel.com>
Lucas De Marchi [Tue, 7 Sep 2010 16:49:45 +0000 (12:49 -0400)]
ACPI: Fix typos
Signed-off-by: Len Brown <len.brown@intel.com>
Zhang Rui [Fri, 3 Sep 2010 02:08:50 +0000 (10:08 +0800)]
ACPI video: fix a poor warning message
Fix a vague warning message.
https://bugzilla.kernel.org/show_bug.cgi?id=16599
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Zhang Rui [Mon, 30 Aug 2010 06:08:02 +0000 (14:08 +0800)]
ACPI: fix build warnings resulting from merge window conflict
drivers/acpi/sysfs.c:154: warning: passing argument 1 of '__check_old_set_param' from incompatible pointer type
include/linux/moduleparam.h:165: note: expected 'int (*)(const char *, struct kernel_param *)' but argument is of type 'int (*)(const char *, const struct kernel_param *)'
Introduced by commit
1c8fce27e275fd7c6b75bc6455745f02d3903ee6 ("ACPI:
introduce drivers/acpi/sysfs.c") interacting with commit
9bbb9e5a33109b2832e2e63dcc7a132924ab374b ("param: use ops in struct
kernel_param, rather than get and set fns directly").
Use module_param_cb instead of the obsoleted module_param_call to fix a build warning.
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Linus Torvalds [Wed, 29 Sep 2010 01:01:22 +0000 (18:01 -0700)]
Linux 2.6.36-rc6
David Howells [Wed, 29 Sep 2010 00:57:02 +0000 (01:57 +0100)]
MN10300: Handle missing sys_cacheflush() when caching disabled
When caching is disabled on the MN10300 arch, the sys_cacheflush()
function is removed by conditional stuff in the makefiles, but is still
referred to by the syscall table.
Provide a null version that just returns 0 when caching is disabled (or
-EINVAL if the arguments are silly).
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
H. Peter Anvin [Tue, 28 Sep 2010 22:35:01 +0000 (15:35 -0700)]
x86, cpu: After uncapping CPUID, re-run CPU feature detection
After uncapping the CPUID level, we need to also re-run the CPU
feature detection code.
This resolves kernel bugzilla 16322.
Reported-by: boris64 <bugzilla.kernel.org@boris64.net>
Cc: <stable@kernel.org> v2.6.29..2.6.35
LKML-Reference: <tip-@git.kernel.org>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Len Brown [Tue, 28 Sep 2010 21:51:51 +0000 (17:51 -0400)]
ACPI: EC: add Vista incompatibility DMI entry for Toshiba Satellite L355
https://bugzilla.kernel.org/show_bug.cgi?id=12641
Signed-off-by: Len Brown <len.brown@intel.com>