GitHub/LineageOS/android_kernel_samsung_universal7580.git
13 years agosecurity: select correct default LSM_MMAP_MIN_ADDR on ARM.
Paul Gortmaker [Mon, 14 Mar 2011 23:32:21 +0000 (19:32 -0400)]
security: select correct default LSM_MMAP_MIN_ADDR on ARM.

The default for this is universally set to 64k, but the help says:

   For most ia64, ppc64 and x86 users with lots of address space
   a value of 65536 is reasonable and should cause no problems.
   On arm and other archs it should not be higher than 32768.

The text is right, in that we are seeing selinux-enabled ARM targets
that fail to launch /sbin/init because selinux blocks a memory map.
So select the right value if we know we are building ARM.

Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoKEYS: Make request_key() and co. return an error for a negative key
David Howells [Fri, 11 Mar 2011 17:57:33 +0000 (17:57 +0000)]
KEYS: Make request_key() and co. return an error for a negative key

Make request_key() and co. return an error for a negative or rejected key.  If
the key was simply negated, then return ENOKEY, otherwise return the error
with which it was rejected.

Without this patch, the following command returns a key number (with the latest
keyutils):

[root@andromeda ~]# keyctl request2 user debug:foo rejected @s
586569904

Trying to print the key merely gets you a permission denied error:

[root@andromeda ~]# keyctl print 586569904
keyctl_read_alloc: Permission denied

Doing another request_key() call does get you the error, as long as it hasn't
expired yet:

[root@andromeda ~]# keyctl request user debug:foo
request_key: Key was rejected by service

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoKEYS: Improve /proc/keys
David Howells [Fri, 11 Mar 2011 17:57:23 +0000 (17:57 +0000)]
KEYS: Improve /proc/keys

Improve /proc/keys by:

 (1) Don't attempt to summarise the payload of a negated key.  It won't have
     one.  To this end, a helper function - key_is_instantiated() has been
     added that allows the caller to find out whether the key is positively
     instantiated (as opposed to being uninstantiated or negatively
     instantiated).

 (2) Do show keys that are negative, expired or revoked rather than hiding
     them.  This requires an override flag (no_state_check) to be passed to
     search_my_process_keyrings() and keyring_search_aux() to suppress this
     check.

     Without this, keys that are possessed by the caller, but only grant
     permissions to the caller if possessed are skipped as the possession check
     fails.

     Keys that are visible due to user, group or other checks are visible with
     or without this patch.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoMerge branch 'security-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jj...
James Morris [Wed, 9 Mar 2011 03:12:07 +0000 (14:12 +1100)]
Merge branch 'security-next' of git://git./linux/kernel/git/jj/apparmor-dev into next

13 years agoAppArmor: kill unused macros in lsm.c
Shan Wei [Fri, 21 Jan 2011 02:13:13 +0000 (10:13 +0800)]
AppArmor: kill unused macros in lsm.c

Remove unused macros.

Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
13 years agoAppArmor: cleanup generated files correctly
Michal Hocko [Fri, 7 Jan 2011 14:03:02 +0000 (15:03 +0100)]
AppArmor: cleanup generated files correctly

clean-files should be defined as a variable not a target.

Signed-off-by: Michal Hocko <mhocko@suse.cz>
Signed-off-by: John Johansen <john.johansen@canonical.com>
13 years agoMerge branch 'master' of git://git.infradead.org/users/eparis/selinux into next
James Morris [Tue, 8 Mar 2011 00:38:10 +0000 (11:38 +1100)]
Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into next

13 years agoKEYS: Add an iovec version of KEYCTL_INSTANTIATE
David Howells [Mon, 7 Mar 2011 15:06:20 +0000 (15:06 +0000)]
KEYS: Add an iovec version of KEYCTL_INSTANTIATE

Add a keyctl op (KEYCTL_INSTANTIATE_IOV) that is like KEYCTL_INSTANTIATE, but
takes an iovec array and concatenates the data in-kernel into one buffer.
Since the KEYCTL_INSTANTIATE copies the data anyway, this isn't too much of a
problem.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoKEYS: Add a new keyctl op to reject a key with a specified error code
David Howells [Mon, 7 Mar 2011 15:06:09 +0000 (15:06 +0000)]
KEYS: Add a new keyctl op to reject a key with a specified error code

Add a new keyctl op to reject a key with a specified error code.  This works
much the same as negating a key, and so keyctl_negate_key() is made a special
case of keyctl_reject_key().  The difference is that keyctl_negate_key()
selects ENOKEY as the error to be reported.

Typically the key would be rejected with EKEYEXPIRED, EKEYREVOKED or
EKEYREJECTED, but this is not mandatory.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoKEYS: Add a key type op to permit the key description to be vetted
David Howells [Mon, 7 Mar 2011 15:05:59 +0000 (15:05 +0000)]
KEYS: Add a key type op to permit the key description to be vetted

Add a key type operation to permit the key type to vet the description of a new
key that key_alloc() is about to allocate.  The operation may reject the
description if it wishes with an error of its choosing.  If it does this, the
key will not be allocated.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoKEYS: Add an RCU payload dereference macro
David Howells [Mon, 7 Mar 2011 15:05:51 +0000 (15:05 +0000)]
KEYS: Add an RCU payload dereference macro

Add an RCU payload dereference macro as this seems to be a common piece of code
amongst key types that use RCU referenced payloads.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoMerge branch 'master'; commit 'v2.6.38-rc7' into next
James Morris [Mon, 7 Mar 2011 23:55:06 +0000 (10:55 +1100)]
Merge branch 'master'; commit 'v2.6.38-rc7' into next

13 years agoMerge branch 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Mon, 7 Mar 2011 21:15:02 +0000 (13:15 -0800)]
Merge branch 'omap-fixes-for-linus' of git://git./linux/kernel/git/tmlind/linux-omap-2.6

* 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6:
  omap: mailbox: resolve hang issue
  OMAP2+: PM: SmartReflex: fix memory leaks in Smartreflex driver
  arm: mach-omap2: smartreflex: fix another memory leak

13 years agoMerge branch 'for-linus' of git://git390.marist.edu/pub/scm/linux-2.6
Linus Torvalds [Mon, 7 Mar 2011 21:14:19 +0000 (13:14 -0800)]
Merge branch 'for-linus' of git://git390.marist.edu/linux-2.6

* 'for-linus' of git://git390.marist.edu/pub/scm/linux-2.6:
  [S390] tape: deadlock on system work queue
  [S390] keyboard: integer underflow bug
  [S390] xpram: remove __initdata attribute from module parameters

13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6
Linus Torvalds [Sun, 6 Mar 2011 18:44:49 +0000 (10:44 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/tiwai/sound-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
  ALSA: hda - Don't set to D3 in Cirrus errata init verbs
  ALSA: hda - add new Fermi 5xx codec IDs to snd-hda
  ASoC: WM8994: Ensure late enable events are processed for the ADCs
  ASoC: WM8994: Don't disable the AIF[1|2]CLK_ENA unconditionaly
  ASoC: Fix WM9081 platform data initialisation
  ALSA: hda - Fix unable to record issue on ASUS N82JV
  ALSA: HDA: Realtek: Fixup jack detection to input subsystem

13 years agovirtio: console: Don't access vqs if device was unplugged
Amit Shah [Fri, 4 Mar 2011 03:34:33 +0000 (14:04 +1030)]
virtio: console: Don't access vqs if device was unplugged

If a virtio-console device gets unplugged while a port is open, a
subsequent close() call on the port accesses vqs to free up buffers.
This can lead to a crash.

The buffers are already freed up as a result of the call to
unplug_ports() from virtcons_remove().  The fix is to simply not access
vq information if port->portdev is NULL.

Reported-by: juzhang <juzhang@redhat.com>
CC: stable@kernel.org
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoMerge branch 'fix/asoc' into for-linus
Takashi Iwai [Sun, 6 Mar 2011 11:37:42 +0000 (12:37 +0100)]
Merge branch 'fix/asoc' into for-linus

13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph...
Linus Torvalds [Sat, 5 Mar 2011 18:43:22 +0000 (10:43 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/sage/ceph-client

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
  ceph: no .snap inside of snapped namespace
  libceph: fix msgr standby handling
  libceph: fix msgr keepalive flag
  libceph: fix msgr backoff
  libceph: retry after authorization failure
  libceph: fix handling of short returns from get_user_pages
  ceph: do not clear I_COMPLETE from d_release
  ceph: do not set I_COMPLETE
  Revert "ceph: keep reference to parent inode on ceph_dentry"

13 years agoAppArmor: Cleanup make file to remove cruft and make it easier to read
John Johansen [Sat, 5 Mar 2011 10:18:02 +0000 (02:18 -0800)]
AppArmor: Cleanup make file to remove cruft and make it easier to read

Cleanups based on comments from Sam Ravnborg,

* remove references to the currently unused af_names.h
* add rlim_names.h to clean-files:
* rework cmd_make-XXX to make them more readable by adding comments,
  reworking the expressions to put logical components on individual lines,
  and keep lines < 80 characters.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
13 years agomm: use correct numa policy node for transparent hugepages
Andi Kleen [Sat, 5 Mar 2011 01:36:32 +0000 (17:36 -0800)]
mm: use correct numa policy node for transparent hugepages

Pass down the correct node for a transparent hugepage allocation.  Most
callers continue to use the current node, however the hugepaged daemon
now uses the previous node of the first to be collapsed page instead.
This ensures that khugepaged does not mess up local memory for an
existing process which uses local policy.

The choice of node is somewhat primitive currently: it just uses the
node of the first page in the pmd range.  An alternative would be to
look at multiple pages and use the most popular node.  I used the
simplest variant for now which should work well enough for the case of
all pages being on the same node.

[akpm@linux-foundation.org: coding-style fixes]
Acked-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agomm: preserve original node for transparent huge page copies
Andi Kleen [Sat, 5 Mar 2011 01:36:31 +0000 (17:36 -0800)]
mm: preserve original node for transparent huge page copies

This makes a difference for LOCAL policy, where the node cannot be
determined from the policy itself, but has to be gotten from the original
page.

Acked-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agomm: add alloc_page_vma_node()
Andi Kleen [Sat, 5 Mar 2011 01:36:30 +0000 (17:36 -0800)]
mm: add alloc_page_vma_node()

Add a alloc_page_vma_node that allows passing the "local" node in.  Used
in a followon patch.

Acked-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agomm: change alloc_pages_vma to pass down the policy node for local policy
Andi Kleen [Sat, 5 Mar 2011 01:36:29 +0000 (17:36 -0800)]
mm: change alloc_pages_vma to pass down the policy node for local policy

Currently alloc_pages_vma() always uses the local node as policy node for
the LOCAL policy.  Pass this node down as an argument instead.

No behaviour change from this patch, but will be needed for followons.

Acked-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoRapidIO: Update MAINTAINERS
Alexandre Bounine [Sat, 5 Mar 2011 01:36:28 +0000 (17:36 -0800)]
RapidIO: Update MAINTAINERS

Signed-off-by: Alexandre Bounine <alexandre.bounine@idt.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agodrivers/video/backlight/ltv350qv.c: fix a memory leak
Axel Lin [Sat, 5 Mar 2011 01:36:27 +0000 (17:36 -0800)]
drivers/video/backlight/ltv350qv.c: fix a memory leak

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Cc: Haavard Skinnemoen <hskinnemoen@atmel.com>
Cc: Richard Purdie <rpurdie@rpsys.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoMAINTAINERS: add maintainer of Samsung Mobile Machine support
Kyungmin Park [Sat, 5 Mar 2011 01:36:26 +0000 (17:36 -0800)]
MAINTAINERS: add maintainer of Samsung Mobile Machine support

Add maintainer of Samsung Mobile machine support.  Currently, Aquila,
Goni, Universal (C210), and Nuri board are supported.

Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Joe Perches <joe@perches.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Russell King <rmk@arm.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agopps: make pps_gen_parport depend on BROKEN
Thomas Gleixner [Sat, 5 Mar 2011 01:36:23 +0000 (17:36 -0800)]
pps: make pps_gen_parport depend on BROKEN

This driver causes hard lockups, when the active clock soure is jiffies.

The reason is that it loops with interrupts disabled waiting for a
timestamp to be reached by polling getnstimeofday().  Though with a
jiffies clocksource, when that code runs on the same CPU which is
responsible for updating jiffies, then we loop in circles for ever
simply because the timer interrupt cannot update jiffies.  So both UP
and SMP can be affected.

There is no easy fix for that problem so make it depend on BROKEN for
now.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Alexander Gordeev <lasaine@lvk.cs.msu.su>
Cc: Rodolfo Giometti <giometti@linux.it>
Cc: john stultz <johnstul@us.ibm.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agodrivers/misc/bmp085.c: add MODULE_DEVICE_TABLE
Axel Lin [Sat, 5 Mar 2011 01:36:22 +0000 (17:36 -0800)]
drivers/misc/bmp085.c: add MODULE_DEVICE_TABLE

The device table is required to load modules based on modaliases.

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Cc: Shubhrajyoti D <shubhrajyoti@ti.com>
Cc: Christoph Mair <christoph.mair@gmail.com>
Cc: Jonathan Cameron <jic23@cam.ac.uk>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agocpuset: add a missing unlock in cpuset_write_resmask()
Li Zefan [Sat, 5 Mar 2011 01:36:21 +0000 (17:36 -0800)]
cpuset: add a missing unlock in cpuset_write_resmask()

Don't forget to release cgroup_mutex if alloc_trial_cpuset() fails.

[akpm@linux-foundation.org: avoid multiple return points]
Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Acked-by: David Rientjes <rientjes@google.com>
Cc: Miao Xie <miaox@cn.fujitsu.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agodrivers/rtc/rtc-s3c.c: fix prototype for s3c_rtc_setaie()
Axel Lin [Sat, 5 Mar 2011 01:36:19 +0000 (17:36 -0800)]
drivers/rtc/rtc-s3c.c: fix prototype for s3c_rtc_setaie()

Fix s3c_rtc_setaie() prototype to eliminate the following compile
warning:

  drivers/rtc/rtc-s3c.c:383: warning: initialization from incompatible pointer type

(akpm: the rtc_class_ops.alarm_irq_enable() handler is being passed two
arguments where it expects just one, presumably with undesired effects)

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: Ben Dooks <ben-linux@fluff.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/vapier...
Linus Torvalds [Sat, 5 Mar 2011 01:31:43 +0000 (17:31 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/vapier/blackfin

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/vapier/blackfin:
  Blackfin: iflush: update anomaly 05000491 workaround
  Blackfin: outs[lwb]: make sure count is greater than 0

13 years agoMerge branch 'rmobile-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sat, 5 Mar 2011 01:31:19 +0000 (17:31 -0800)]
Merge branch 'rmobile-fixes-for-linus' of git://git./linux/kernel/git/lethal/sh-2.6

* 'rmobile-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  ARM: mach-shmobile: mackerel: modify LCDC clock divider value
  ARM: mach-shmobile: ap4evb: modify LCDC clock divider value
  ARM: mach-shmobile: mackerel: fixup memory initialize for zboot
  ARM: mach-shmobile: ap4evb: fixup memory initialize for zboot
  ARM: mach-shmobile: Add sh73a0 MIPI-CSI and CEU clocks
  ARM: mach-shmobile: AG5EVM MIPI-DSI LCD reset delay fix

13 years agoMerge branch 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Sat, 5 Mar 2011 01:31:01 +0000 (17:31 -0800)]
Merge branch 'sh-fixes-for-linus' of git://git./linux/kernel/git/lethal/sh-2.6

* 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  sh: Change __nosave_XXX symbols to long
  sh: Flush executable pages in copy_user_highpage
  sh: Ensure ST40-300 BogoMIPS value is consistent
  sh: sh7750: Fix incompatible pointer type
  sh: sh7750: move machtypes.h to include/generated

13 years agoMerge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied...
Linus Torvalds [Sat, 5 Mar 2011 01:30:32 +0000 (17:30 -0800)]
Merge branch 'drm-fixes' of git://git./linux/kernel/git/airlied/drm-2.6

* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/nouveau: allocate kernel's notifier object at end of block

13 years agonfs4: Ensure that ACL pages sent over NFS were not allocated from the slab (v3)
Neil Horman [Sat, 5 Mar 2011 00:26:03 +0000 (19:26 -0500)]
nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab (v3)

The "bad_page()" page allocator sanity check was reported recently (call
chain as follows):

  bad_page+0x69/0x91
  free_hot_cold_page+0x81/0x144
  skb_release_data+0x5f/0x98
  __kfree_skb+0x11/0x1a
  tcp_ack+0x6a3/0x1868
  tcp_rcv_established+0x7a6/0x8b9
  tcp_v4_do_rcv+0x2a/0x2fa
  tcp_v4_rcv+0x9a2/0x9f6
  do_timer+0x2df/0x52c
  ip_local_deliver+0x19d/0x263
  ip_rcv+0x539/0x57c
  netif_receive_skb+0x470/0x49f
  :virtio_net:virtnet_poll+0x46b/0x5c5
  net_rx_action+0xac/0x1b3
  __do_softirq+0x89/0x133
  call_softirq+0x1c/0x28
  do_softirq+0x2c/0x7d
  do_IRQ+0xec/0xf5
  default_idle+0x0/0x50
  ret_from_intr+0x0/0xa
  default_idle+0x29/0x50
  cpu_idle+0x95/0xb8
  start_kernel+0x220/0x225
  _sinittext+0x22f/0x236

It occurs because an skb with a fraglist was freed from the tcp
retransmit queue when it was acked, but a page on that fraglist had
PG_Slab set (indicating it was allocated from the Slab allocator (which
means the free path above can't safely free it via put_page.

We tracked this back to an nfsv4 setacl operation, in which the nfs code
attempted to fill convert the passed in buffer to an array of pages in
__nfs4_proc_set_acl, which gets used by the skb->frags list in
xs_sendpages.  __nfs4_proc_set_acl just converts each page in the buffer
to a page struct via virt_to_page, but the vfs allocates the buffer via
kmalloc, meaning the PG_slab bit is set.  We can't create a buffer with
kmalloc and free it later in the tcp ack path with put_page, so we need
to either:

1) ensure that when we create the list of pages, no page struct has
   PG_Slab set

 or

2) not use a page list to send this data

Given that these buffers can be multiple pages and arbitrarily sized, I
think (1) is the right way to go.  I've written the below patch to
allocate a page from the buddy allocator directly and copy the data over
to it.  This ensures that we have a put_page free-able page for every
entry that winds up on an skb frag list, so it can be safely freed when
the frame is acked.  We do a put page on each entry after the
rpc_call_sync call so as to drop our own reference count to the page,
leaving only the ref count taken by tcp_sendpages.  This way the data
will be properly freed when the ack comes in

Successfully tested by myself to solve the above oops.

Note, as this is the result of a setacl operation that exceeded a page
of data, I think this amounts to a local DOS triggerable by an
uprivlidged user, so I'm CCing security on this as well.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Trond Myklebust <Trond.Myklebust@netapp.com>
CC: security@kernel.org
CC: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoceph: no .snap inside of snapped namespace
Sage Weil [Thu, 3 Mar 2011 21:44:35 +0000 (13:44 -0800)]
ceph: no .snap inside of snapped namespace

Otherwise you can do things like

# mkdir .snap/foo
# cd .snap/foo/.snap
# ls
<badness>

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agolibceph: fix msgr standby handling
Sage Weil [Fri, 4 Mar 2011 20:25:05 +0000 (12:25 -0800)]
libceph: fix msgr standby handling

The standby logic used to be pretty dependent on the work requeueing
behavior that changed when we switched to WQ_NON_REENTRANT.  It was also
very fragile.

Restructure things so that:
 - We clear WRITE_PENDING when we set STANDBY.  This ensures we will
   requeue work when we wake up later.
 - con_work backs off if STANDBY is set.  There is nothing to do if we are
   in standby.
 - clear_standby() helper is called by both con_send() and con_keepalive(),
   the two actions that can wake us up again.  Move the connect_seq++
   logic here.

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agolibceph: fix msgr keepalive flag
Sage Weil [Thu, 3 Mar 2011 18:10:15 +0000 (10:10 -0800)]
libceph: fix msgr keepalive flag

There was some broken keepalive code using a dead variable.  Shift to using
the proper bit flag.

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agolibceph: fix msgr backoff
Sage Weil [Fri, 4 Mar 2011 20:24:28 +0000 (12:24 -0800)]
libceph: fix msgr backoff

With commit f363e45f we replaced a bunch of hacky workqueue mutual
exclusion logic with the WQ_NON_REENTRANT flag.  One pieces of fallout is
that the exponential backoff breaks in certain cases:

 * con_work attempts to connect.
 * we get an immediate failure, and the socket state change handler queues
   immediate work.
 * con_work calls con_fault, we decide to back off, but can't queue delayed
   work.

In this case, we add a BACKOFF bit to make con_work reschedule delayed work
next time it runs (which should be immediately).

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agoMAINTAINERS: Update shaggy's email address
Dave Kleikamp [Fri, 4 Mar 2011 16:13:47 +0000 (10:13 -0600)]
MAINTAINERS: Update shaggy's email address

Signed-off-by: Dave Kleikamp <shaggy@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoMark ptrace_{traceme,attach,detach} static
Linus Torvalds [Fri, 4 Mar 2011 17:23:30 +0000 (09:23 -0800)]
Mark ptrace_{traceme,attach,detach} static

They are only used inside kernel/ptrace.c, and have been for a long
time.  We don't want to go back to the bad-old-days when architectures
did things on their own, so make them static and private.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoBlackfin: iflush: update anomaly 05000491 workaround
Mike Frysinger [Wed, 2 Feb 2011 01:55:22 +0000 (01:55 +0000)]
Blackfin: iflush: update anomaly 05000491 workaround

Recent feedback from design says we need three NOPs in the hardware loop.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
13 years agoBlackfin: outs[lwb]: make sure count is greater than 0
Mike Frysinger [Wed, 26 Jan 2011 18:10:44 +0000 (18:10 +0000)]
Blackfin: outs[lwb]: make sure count is greater than 0

Some devices will use the outs* funcs with a length of zero, so make sure
we do not write any data in that case.

Reported-by: Gilbert Inho <gneny@edevice.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
13 years agoARM: mach-shmobile: mackerel: modify LCDC clock divider value
Kuninori Morimoto [Wed, 2 Mar 2011 09:05:21 +0000 (09:05 +0000)]
ARM: mach-shmobile: mackerel: modify LCDC clock divider value

mackerel WVGA LCDC panel expect 33.3MHz for dot-clock,
but current dot-clock was 50.0MHz.
This patch modify clock divider value.

Signed-off-by: Makoto Ueda <makoto.ueda.ub@renesas.com>
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
13 years agoARM: mach-shmobile: ap4evb: modify LCDC clock divider value
Kuninori Morimoto [Wed, 2 Mar 2011 09:05:44 +0000 (09:05 +0000)]
ARM: mach-shmobile: ap4evb: modify LCDC clock divider value

ap4evb WVGA LCDC panel expect 33.3MHz for dot-clock,
but current dot-clock was 50.0MHz.
This patch modify clock divider value.

Signed-off-by: Makoto Ueda <makoto.ueda.ub@renesas.com>
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
13 years agodrm/nouveau: allocate kernel's notifier object at end of block
Ben Skeggs [Thu, 3 Mar 2011 23:58:36 +0000 (09:58 +1000)]
drm/nouveau: allocate kernel's notifier object at end of block

The nv30/nv40 3d driver is about to start using DMA_FENCE from the 3D
object which, it turns out, doesn't like its DMA object to not be
aligned to a 4KiB boundary.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris...
Linus Torvalds [Thu, 3 Mar 2011 23:48:01 +0000 (15:48 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
  DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]

13 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
Linus Torvalds [Thu, 3 Mar 2011 23:43:15 +0000 (15:43 -0800)]
Merge git://git./linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (42 commits)
  MAINTAINERS: Add Andy Gospodarek as co-maintainer.
  r8169: disable ASPM
  RxRPC: Fix v1 keys
  AF_RXRPC: Handle receiving ACKALL packets
  cnic: Fix lost interrupt on bnx2x
  cnic: Prevent status block race conditions with hardware
  net: dcbnl: check correct ops in dcbnl_ieee_set()
  e1000e: disable broken PHY wakeup for ICH10 LOMs, use MAC wakeup instead
  igb: fix sparse warning
  e1000: fix sparse warning
  netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values
  dccp: fix oops on Reset after close
  ipvs: fix dst_lock locking on dest update
  davinci_emac: Add Carrier Link OK check in Davinci RX Handler
  bnx2x: update driver version to 1.62.00-6
  bnx2x: properly calculate lro_mss
  bnx2x: perform statistics "action" before state transition.
  bnx2x: properly configure coefficients for MinBW algorithm (NPAR mode).
  bnx2x: Fix ethtool -t link test for MF (non-pmf) devices.
  bnx2x: Fix nvram test for single port devices.
  ...

13 years agoMerge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block
Linus Torvalds [Thu, 3 Mar 2011 23:42:35 +0000 (15:42 -0800)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block

* 'for-linus' of git://git.kernel.dk/linux-2.6-block:
  block: kill loop_mutex
  blktrace: Remove blk_fill_rwbs_rq.
  block: blk-flush shouldn't call directly into q->request_fn() __blk_run_queue()
  block: add @force_kblockd to __blk_run_queue()
  block: fix kernel-doc format for blkdev_issue_zeroout
  blk-throttle: Do not use kblockd workqueue for throtl work

13 years agoMerge branch 'i_nlink' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6
Linus Torvalds [Thu, 3 Mar 2011 23:37:59 +0000 (15:37 -0800)]
Merge branch 'i_nlink' of git://git./linux/kernel/git/viro/vfs-2.6

* 'i_nlink' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
  hfs: fix rename() over non-empty directory
  udf: fix i_nlink limit
  fix reiserfs mkdir() breakage
  exofs: i_nlink races in rename()
  nilfs2: i_nlink races in rename()
  minix: i_nlink races in rename()
  ufs: i_nlink races in rename()
  sysv: i_nlink races in rename()

13 years agoDNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
David Howells [Thu, 3 Mar 2011 11:28:58 +0000 (11:28 +0000)]
DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]

When a DNS resolver key is instantiated with an error indication, attempts to
read that key will result in an oops because user_read() is expecting there to
be a payload - and there isn't one [CVE-2011-1076].

Give the DNS resolver key its own read handler that returns the error cached in
key->type_data.x[0] as an error rather than crashing.

Also make the kenter() at the beginning of dns_resolver_instantiate() limit the
amount of data it prints, since the data is not necessarily NUL-terminated.

The buggy code was added in:

commit 4a2d789267e00b5a1175ecd2ddefcc78b83fbf09
Author: Wang Lei <wang840925@gmail.com>
Date:   Wed Aug 11 09:37:58 2010 +0100
Subject: DNS: If the DNS server returns an error, allow that to be cached [ver #2]

This can trivially be reproduced by any user with the following program
compiled with -lkeyutils:

#include <stdlib.h>
#include <keyutils.h>
#include <err.h>
static char payload[] = "#dnserror=6";
int main()
{
key_serial_t key;
key = add_key("dns_resolver", "a", payload, sizeof(payload),
      KEY_SPEC_SESSION_KEYRING);
if (key == -1)
err(1, "add_key");
if (keyctl_read(key, NULL, 0) == -1)
err(1, "read_key");
return 0;
}

What should happen is that keyctl_read() reports error 6 (ENXIO) to the user:

dns-break: read_key: No such device or address

but instead the kernel oopses.

This cannot be reproduced with the 'keyutils add' or 'keyutils padd' commands
as both of those cut the data down below the NUL termination that must be
included in the data.  Without this dns_resolver_instantiate() will return
-EINVAL and the key will not be instantiated such that it can be read.

The oops looks like:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff811b99f7>] user_read+0x4f/0x8f
PGD 3bdf8067 PUD 385b9067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq
CPU 0
Modules linked in:

Pid: 2150, comm: dns-break Not tainted 2.6.38-rc7-cachefs+ #468                  /DG965RY
RIP: 0010:[<ffffffff811b99f7>]  [<ffffffff811b99f7>] user_read+0x4f/0x8f
RSP: 0018:ffff88003bf47f08  EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff88003b5ea378 RCX: ffffffff81972368
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003b5ea378
RBP: ffff88003bf47f28 R08: ffff88003be56620 R09: 0000000000000000
R10: 0000000000000395 R11: 0000000000000002 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffffffffa1
FS:  00007feab5751700(0000) GS:ffff88003e000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 000000003de40000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process dns-break (pid: 2150, threadinfo ffff88003bf46000, task ffff88003be56090)
Stack:
 ffff88003b5ea378 ffff88003b5ea3a0 0000000000000000 0000000000000000
 ffff88003bf47f68 ffffffff811b708e ffff88003c442bc8 0000000000000000
 00000000004005a0 00007fffba368060 0000000000000000 0000000000000000
Call Trace:
 [<ffffffff811b708e>] keyctl_read_key+0xac/0xcf
 [<ffffffff811b7c07>] sys_keyctl+0x75/0xb6
 [<ffffffff81001f7b>] system_call_fastpath+0x16/0x1b
Code: 75 1f 48 83 7b 28 00 75 18 c6 05 58 2b fb 00 01 be bb 00 00 00 48 c7 c7 76 1c 75 81 e8 13 c2 e9 ff 4c 8b b3 e0 00 00 00 4d 85 ed <41> 0f b7 5e 10 74 2d 4d 85 e4 74 28 e8 98 79 ee ff 49 39 dd 48
RIP  [<ffffffff811b99f7>] user_read+0x4f/0x8f
 RSP <ffff88003bf47f08>
CR2: 0000000000000010

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
cc: Wang Lei <wang840925@gmail.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agolibceph: retry after authorization failure
Sage Weil [Thu, 3 Mar 2011 20:14:53 +0000 (12:14 -0800)]
libceph: retry after authorization failure

If we mark the connection CLOSED we will give up trying to reconnect to
this server instance.  That is appropriate for things like a protocol
version mismatch that won't change until the server is restarted, at which
point we'll get a new addr and reconnect.  An authorization failure like
this is probably due to the server not properly rotating it's secret keys,
however, and should be treated as transient so that the normal backoff and
retry behavior kicks in.

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agolibceph: fix handling of short returns from get_user_pages
Sage Weil [Thu, 3 Mar 2011 00:55:21 +0000 (16:55 -0800)]
libceph: fix handling of short returns from get_user_pages

get_user_pages() can return fewer pages than we ask for.  We were returning
a bogus pointer/error code in that case.  Instead, loop until we get all
the pages we want or get an error we can return to the caller.

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agoMAINTAINERS: Add Andy Gospodarek as co-maintainer.
Jay Vosburgh [Thu, 3 Mar 2011 10:43:10 +0000 (10:43 +0000)]
MAINTAINERS: Add Andy Gospodarek as co-maintainer.

Acked-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoSELinux: implement the new sb_remount LSM hook
Eric Paris [Thu, 3 Mar 2011 21:09:14 +0000 (16:09 -0500)]
SELinux: implement the new sb_remount LSM hook

For SELinux we do not allow security information to change during a remount
operation.  Thus this hook simply strips the security module options from
the data and verifies that those are the same options as exist on the
current superblock.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
13 years agoLSM: Pass -o remount options to the LSM
Eric Paris [Thu, 3 Mar 2011 21:09:14 +0000 (16:09 -0500)]
LSM: Pass -o remount options to the LSM

The VFS mount code passes the mount options to the LSM.  The LSM will remove
options it understands from the data and the VFS will then pass the remaining
options onto the underlying filesystem.  This is how options like the
SELinux context= work.  The problem comes in that -o remount never calls
into LSM code.  So if you include an LSM specific option it will get passed
to the filesystem and will cause the remount to fail.  An example of where
this is a problem is the 'seclabel' option.  The SELinux LSM hook will
print this word in /proc/mounts if the filesystem is being labeled using
xattrs.  If you pass this word on mount it will be silently stripped and
ignored.  But if you pass this word on remount the LSM never gets called
and it will be passed to the FS.  The FS doesn't know what seclabel means
and thus should fail the mount.  For example an ext3 fs mounted over loop

# mount -o loop /tmp/fs /mnt/tmp
# cat /proc/mounts | grep /mnt/tmp
/dev/loop0 /mnt/tmp ext3 rw,seclabel,relatime,errors=continue,barrier=0,data=ordered 0 0
# mount -o remount /mnt/tmp
mount: /mnt/tmp not mounted already, or bad option
# dmesg
EXT3-fs (loop0): error: unrecognized mount option "seclabel" or missing value

This patch passes the remount mount options to an new LSM hook.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
13 years agoMerge branch 'for-linus' of git://oss.sgi.com/xfs/xfs
Linus Torvalds [Thu, 3 Mar 2011 20:44:22 +0000 (12:44 -0800)]
Merge branch 'for-linus' of git://oss.sgi.com/xfs/xfs

* 'for-linus' of git://oss.sgi.com/xfs/xfs:
  xfs: zero proper structure size for geometry calls

13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ryusuke...
Linus Torvalds [Thu, 3 Mar 2011 20:42:48 +0000 (12:42 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/ryusuke/nilfs2

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ryusuke/nilfs2:
  nilfs2: fix regression that i-flag is not set on changeless checkpoints

13 years agoSELinux: Compute SID for the newly created socket
Harry Ciao [Wed, 2 Mar 2011 05:32:34 +0000 (13:32 +0800)]
SELinux: Compute SID for the newly created socket

The security context for the newly created socket shares the same
user, role and MLS attribute as its creator but may have a different
type, which could be specified by a type_transition rule in the relevant
policy package.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
[fix call to security_transition_sid to include qstr, Eric Paris]
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
13 years agoSELinux: Socket retains creator role and MLS attribute
Harry Ciao [Wed, 2 Mar 2011 05:32:33 +0000 (13:32 +0800)]
SELinux: Socket retains creator role and MLS attribute

The socket SID would be computed on creation and no longer inherit
its creator's SID by default. Socket may have a different type but
needs to retain the creator's role and MLS attribute in order not
to break labeled networking and network access control.

The kernel value for a class would be used to determine if the class
if one of socket classes. If security_compute_sid is called from
userspace the policy value for a class would be mapped to the relevant
kernel value first.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
13 years agoSELinux: Auto-generate security_is_socket_class
Harry Ciao [Wed, 2 Mar 2011 05:46:08 +0000 (13:46 +0800)]
SELinux: Auto-generate security_is_socket_class

The security_is_socket_class() is auto-generated by genheaders based
on classmap.h to reduce maintenance effort when a new class is defined
in SELinux kernel. The name for any socket class should be suffixed by
"socket" and doesn't contain more than one substr of "socket".

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
13 years agor8169: disable ASPM
Stanislaw Gruszka [Tue, 22 Feb 2011 02:00:11 +0000 (02:00 +0000)]
r8169: disable ASPM

For some time is known that ASPM is causing troubles on r8169, i.e. make
device randomly stop working without any errors in dmesg.

Currently Tomi Leppikangas reports that system with r8169 device hangs
with MCE errors when ASPM is enabled:
https://bugzilla.redhat.com/show_bug.cgi?id=642861#c4

Lets disable ASPM for r8169 devices at all, to avoid problems with
r8169 PCIe devices at least for some users.

Reported-by: Tomi Leppikangas <tomi.leppikangas@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoMerge branch 'for_2.6.38/pm-fixes' of ssh://master.kernel.org/pub/scm/linux/kernel...
Tony Lindgren [Thu, 3 Mar 2011 18:25:18 +0000 (10:25 -0800)]
Merge branch 'for_2.6.38/pm-fixes' of ssh:///linux/kernel/git/khilman/linux-omap-pm into devel-fixes

13 years agoomap: mailbox: resolve hang issue
Hari Kanigeri [Wed, 2 Mar 2011 22:14:18 +0000 (22:14 +0000)]
omap: mailbox: resolve hang issue

omap4 interrupt disable bits is different. On rx kfifo full, the mbox rx
interrupts wasn't getting disabled, and this is causing the rcm stress tests
to hang.

Signed-off-by: Hari Kanigeri <h-kanigeri2@ti.com>
Signed-off-by: Armando Uribe <x0095078@ti.com>
Signed-off-by: Fernando Guzman Lugo <fernando.lugo@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
13 years agoceph: do not clear I_COMPLETE from d_release
Sage Weil [Mon, 28 Feb 2011 20:49:15 +0000 (12:49 -0800)]
ceph: do not clear I_COMPLETE from d_release

First, this was racy anyway: d_release isn't called until well after the
dentry is unhashed.  Second, this runs afoul of the recent dcache change
that clears d_parent prior to calling d_release (949854d0), causing a NULL
pointer dereference.

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agoceph: do not set I_COMPLETE
Sage Weil [Mon, 28 Feb 2011 20:46:46 +0000 (12:46 -0800)]
ceph: do not set I_COMPLETE

Do not set the I_COMPLETE flag on directories until we resolve races with
dcache pruning.

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agoRevert "ceph: keep reference to parent inode on ceph_dentry"
Sage Weil [Mon, 28 Feb 2011 17:47:37 +0000 (09:47 -0800)]
Revert "ceph: keep reference to parent inode on ceph_dentry"

This reverts commit 97d79b403ef03f729883246208ef5d8a2ebc4d68.

This fails to account for d_parent changes due to rename or disconnected
dentries due to submounts or NFS reexports.

Signed-off-by: Sage Weil <sage@newdream.net>
13 years ago[S390] tape: deadlock on system work queue
Martin Schwidefsky [Thu, 3 Mar 2011 16:56:07 +0000 (17:56 +0100)]
[S390] tape: deadlock on system work queue

The 34xx and 3590 tape driver uses the system work queue to defer work
from the interrupt function to process context, e.g. a medium sense
after an unsolicited interrupt. The tape commands started by the work
handler need to be asynchronous, otherwise a deadlock on the system
work queue can occur.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
13 years ago[S390] keyboard: integer underflow bug
Dan Carpenter [Thu, 3 Mar 2011 16:56:06 +0000 (17:56 +0100)]
[S390] keyboard: integer underflow bug

The "ct" variable should be an unsigned int.  Both struct kbdiacrs
->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints.

Making it signed causes a problem in KBDIACRUC because the user could
set the signed bit and cause a buffer overflow.

Cc: <stable@kernel.org>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
13 years ago[S390] xpram: remove __initdata attribute from module parameters
Martin Schwidefsky [Thu, 3 Mar 2011 16:56:05 +0000 (17:56 +0100)]
[S390] xpram: remove __initdata attribute from module parameters

The module parameter 'devs' and 'sizes' are marked as __initdata. The
memory for the parameters are freed after module_init completed. This
can lead to kernel crashes in param_free_charp. Remove the __initdata
attribute to fix the problem.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
13 years agoblock: kill loop_mutex
Petr Uzel [Thu, 3 Mar 2011 16:48:50 +0000 (11:48 -0500)]
block: kill loop_mutex

Following steps lead to deadlock in kernel:

dd if=/dev/zero of=img bs=512 count=1000
losetup -f img
mkfs.ext2 /dev/loop0
mount -t ext2 -o loop /dev/loop0 mnt
umount mnt/

Stacktrace:
[<c102ec04>] irq_exit+0x36/0x59
[<c101502c>] smp_apic_timer_interrupt+0x6b/0x75
[<c127f639>] apic_timer_interrupt+0x31/0x38
[<c101df88>] mutex_spin_on_owner+0x54/0x5b
[<fe2250e9>] lo_release+0x12/0x67 [loop]
[<c10c4eae>] __blkdev_put+0x7c/0x10c
[<c10a4da5>] fput+0xd5/0x1aa
[<fe2250cf>] loop_clr_fd+0x1a9/0x1b1 [loop]
[<fe225110>] lo_release+0x39/0x67 [loop]
[<c10c4eae>] __blkdev_put+0x7c/0x10c
[<c10a59d9>] deactivate_locked_super+0x17/0x36
[<c10b6f37>] sys_umount+0x27e/0x2a5
[<c10b6f69>] sys_oldumount+0xb/0xe
[<c1002897>] sysenter_do_call+0x12/0x26
[<ffffffff>] 0xffffffff

Regression since 2a48fc0ab24241755dc9, which introduced the private
loop_mutex as part of the BKL removal process.

As per [1], the mutex can be safely removed.

[1] http://www.gossamer-threads.com/lists/linux/kernel/1341930

Addresses: https://bugzilla.novell.com/show_bug.cgi?id=669394
Addresses: https://bugzilla.kernel.org/show_bug.cgi?id=29172

Signed-off-by: Petr Uzel <petr.uzel@suse.cz>
Cc: stable@kernel.org
Reviewed-by: Nikanth Karthikesan <knikanth@suse.de>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
13 years agoblktrace: Remove blk_fill_rwbs_rq.
Tao Ma [Thu, 3 Mar 2011 15:53:20 +0000 (10:53 -0500)]
blktrace: Remove blk_fill_rwbs_rq.

If we enable trace events to trace block actions, We use
blk_fill_rwbs_rq to analyze the corresponding actions
in request's cmd_flags, but we only choose the minor 2 bits
from it, so most of other flags(e.g, REQ_SYNC) are missing.
For example, with a sync write we get:
write_test-2409  [001]   160.013869: block_rq_insert: 3,64 W 0 () 258135 + =
8 [write_test]

Since now we have integrated the flags of both bio and request,
it is safe to pass rq->cmd_flags directly to blk_fill_rwbs and
blk_fill_rwbs_rq isn't needed any more.

With this patch, after a sync write we get:
write_test-2417  [000]   226.603878: block_rq_insert: 3,64 WS 0 () 258135 +=
 8 [write_test]

Signed-off-by: Tao Ma <boyu.mt@taobao.com>
Acked-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
13 years agoALSA: hda - Don't set to D3 in Cirrus errata init verbs
Takashi Iwai [Thu, 3 Mar 2011 13:54:19 +0000 (14:54 +0100)]
ALSA: hda - Don't set to D3 in Cirrus errata init verbs

The errata init verbs for CS42xx codecs contain the verbs to set
the power-state of SPDIF nodes to D3, which seem to break the SPDIF
output on some MacBooks.  Since this is executed during the power-up
initialization, we shouldn't turn them down there.

Reported-by: Arun Raghavan <arun.raghavan@collabora.co.uk>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
13 years agoALSA: hda - add new Fermi 5xx codec IDs to snd-hda
Richard Samson [Thu, 3 Mar 2011 11:46:13 +0000 (12:46 +0100)]
ALSA: hda - add new Fermi 5xx codec IDs to snd-hda

Added the missing HDMI codec IDs for new Nvidia stuff.
Note that ID 0x17 isn't assigned to anything so far, as suggested by
Stephen.

[Modified to get rid of 0x17 by tiwai]

Signed-off-by: Richard Samson <samson.richard@gmail.com>
Acked-by: Acked-By: Stephen Warren <swarren@nvidia.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
13 years agohfs: fix rename() over non-empty directory
Al Viro [Thu, 3 Mar 2011 04:46:51 +0000 (23:46 -0500)]
hfs: fix rename() over non-empty directory

merge hfs_unlink() and hfs_rmdir(), while we are at it.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agoudf: fix i_nlink limit
Al Viro [Wed, 2 Mar 2011 15:15:26 +0000 (10:15 -0500)]
udf: fix i_nlink limit

(256 << sizeof(x)) - 1 is not the maximal possible value of x...
In reality, the maximal allowed value for UDF FileLinkCount is
65535.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agofix reiserfs mkdir() breakage
Al Viro [Wed, 2 Mar 2011 14:35:13 +0000 (09:35 -0500)]
fix reiserfs mkdir() breakage

if directory has so many subdirectories that its link count is set
to 1 (i.e. "can't tell accurately") and reiserfs_new_inode() fails,
we shouldn't decrement the parent's link count in cleanup path;
that's what DEC_DIR_INODE_NLINK() is for.  As it is, we end up
with parent suddenly getting zero i_nlink, with very unpleasant
effects.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agoexofs: i_nlink races in rename()
Al Viro [Wed, 2 Mar 2011 21:42:38 +0000 (16:42 -0500)]
exofs: i_nlink races in rename()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agonilfs2: i_nlink races in rename()
Al Viro [Wed, 2 Mar 2011 17:01:13 +0000 (12:01 -0500)]
nilfs2: i_nlink races in rename()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agominix: i_nlink races in rename()
Al Viro [Wed, 2 Mar 2011 14:41:38 +0000 (09:41 -0500)]
minix: i_nlink races in rename()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agoufs: i_nlink races in rename()
Al Viro [Wed, 2 Mar 2011 14:40:21 +0000 (09:40 -0500)]
ufs: i_nlink races in rename()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agosysv: i_nlink races in rename()
Al Viro [Wed, 2 Mar 2011 14:38:45 +0000 (09:38 -0500)]
sysv: i_nlink races in rename()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agoRxRPC: Fix v1 keys
Anton Blanchard [Mon, 28 Feb 2011 03:27:53 +0000 (03:27 +0000)]
RxRPC: Fix v1 keys

commit 339412841d7 (RxRPC: Allow key payloads to be passed in XDR form)
broke klog for me. I notice the v1 key struct had a kif_version field
added:

-struct rxkad_key {
-       u16     security_index;         /* RxRPC header security index */
-       u16     ticket_len;             /* length of ticket[] */
-       u32     expiry;                 /* time at which expires */
-       u32     kvno;                   /* key version number */
-       u8      session_key[8];         /* DES session key */
-       u8      ticket[0];              /* the encrypted ticket */
-};

+struct rxrpc_key_data_v1 {
+       u32             kif_version;            /* 1 */
+       u16             security_index;
+       u16             ticket_length;
+       u32             expiry;                 /* time_t */
+       u32             kvno;
+       u8              session_key[8];
+       u8              ticket[0];
+};

However the code in rxrpc_instantiate strips it away:

data += sizeof(kver);
datalen -= sizeof(kver);

Removing kif_version fixes my problem.

Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoAF_RXRPC: Handle receiving ACKALL packets
David Howells [Mon, 28 Feb 2011 03:27:43 +0000 (03:27 +0000)]
AF_RXRPC: Handle receiving ACKALL packets

The OpenAFS server is now sending ACKALL packets, so we need to handle them.
Otherwise we report a protocol error and abort.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoMerge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied...
Linus Torvalds [Thu, 3 Mar 2011 04:02:32 +0000 (20:02 -0800)]
Merge branch 'drm-fixes' of git://git./linux/kernel/git/airlied/drm-2.6

* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/i915: fix memory corruption with GM965 and >4GB RAM

13 years agoMerge branch 'devicetree/merge' of git://git.secretlab.ca/git/linux-2.6
Linus Torvalds [Thu, 3 Mar 2011 04:01:57 +0000 (20:01 -0800)]
Merge branch 'devicetree/merge' of git://git.secretlab.ca/git/linux-2.6

* 'devicetree/merge' of git://git.secretlab.ca/git/linux-2.6:
  of/promtree: allow DT device matching by fixing 'name' brokenness (v5)
  x86: OLPC: have prom_early_alloc BUG rather than return NULL
  of/flattree: Drop an uninteresting message to pr_debug level
  of: Add missing of_address.h to xilinx ehci driver

13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mattst88...
Linus Torvalds [Thu, 3 Mar 2011 04:01:31 +0000 (20:01 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/mattst88/alpha-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mattst88/alpha-2.6:
  alpha: Enable GENERIC_HARDIRQS_NO_DEPRECATED
  alpha: irq: Convert affinity to use irq_data
  alpha: irq: Remove pointless irq status manipulation
  alpha: titan: Convert irq_chip functions
  alpha: takara: Convert irq_chip functions
  alpha: sable: Convert irq_chip functions
  alpha: rx164: Convert irq_chip functions
  alpha: noritake: Convert irq_chip functions
  alpha: rawhide: Convert irq_chip functions
  alpha: mikasa: Convert irq_chip functions
  alpha: marvel: Convert irq_chip functions
  alpha: eiger: Convert irq_chip functions
  alpha: eb64p: Convert irq_chip functions
  alpha: dp264: Convert irq_chip functions
  alpha: cabriolet: Convert irq_chip functions
  alpha: i8259, alcor, jensen wildfire: Convert irq_chip
  alpha: srm: Convert irq_chip functions
  alpha: Pyxis convert irq_chip functions
  Fix typo in call to irq_to_desc()

13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6
Linus Torvalds [Thu, 3 Mar 2011 04:01:07 +0000 (20:01 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/sameo/mfd-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6:
  mfd: Avoid tps6586x burst writes
  mfd: Don't suspend WM8994 if the CODEC is not suspended
  mfd: Fix DaVinci voice codec device name
  mfd: Fix NULL pointer due to non-initialized ucb1x00-ts absinfo
  mfd: Fix ASIC3 build with GENERIC_HARDIRQS_NO_DEPRECATED

13 years agoMerge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux...
Linus Torvalds [Thu, 3 Mar 2011 04:00:47 +0000 (20:00 -0800)]
Merge branch 'for_linus' of git://git./linux/kernel/git/jack/linux-fs-2.6

* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6:
  ext2: Fix link count corruption under heavy link+rename load

13 years agoMerge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/davej/cpufreq
Linus Torvalds [Thu, 3 Mar 2011 03:58:31 +0000 (19:58 -0800)]
Merge branch 'fixes' of git://git./linux/kernel/git/davej/cpufreq

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/davej/cpufreq:
  [CPUFREQ] p4-clockmod: print EST-capable warning message only once
  [CPUFREQ] fix BUG on cpufreq policy init failure
  [CPUFREQ] Fix another notifier leak in powernow-k8.
  [CPUFREQ] Missing "unregister_cpu_notifier" in powernow-k8.c

13 years agoMerge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc
Linus Torvalds [Thu, 3 Mar 2011 03:58:14 +0000 (19:58 -0800)]
Merge branch 'merge' of git://git./linux/kernel/git/benh/powerpc

* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
  powerpc: Fix call to flush_ptrace_hw_breakpoint()
  powerpc/kexec: Restore ppc_md.machine_kexec
  powerpc/mm: Make hpte_need_flush() safe for preemption

13 years agoMerge branch 'idle-release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb...
Linus Torvalds [Thu, 3 Mar 2011 02:08:03 +0000 (18:08 -0800)]
Merge branch 'idle-release' of git://git./linux/kernel/git/lenb/linux-idle-2.6

* 'idle-release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-idle-2.6:
  intel_idle: disable Atom/Lincroft HW C-state auto-demotion
  intel_idle: disable NHM/WSM HW C-state auto-demotion

13 years agocnic: Fix lost interrupt on bnx2x
Michael Chan [Wed, 2 Mar 2011 13:00:50 +0000 (13:00 +0000)]
cnic: Fix lost interrupt on bnx2x

We service 2 queues (kcq1 and kcq2) in cnic_service_bnx2x_bh().  If
the status block index has changed when servicing the kcq2, we must
go back and check kcq1.  The latest status block index will be used
to acknowledge the interrupt, and without looping back to check kcq1,
we may miss events on kcq1.

Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agocnic: Prevent status block race conditions with hardware
Michael Chan [Wed, 2 Mar 2011 13:00:49 +0000 (13:00 +0000)]
cnic: Prevent status block race conditions with hardware

The status block index is used to acknowledge interrupt events and must
be read before checking for the interrupt events, so we need to add rmb()
to guarantee that.

Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoMerge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux...
Linus Torvalds [Wed, 2 Mar 2011 23:26:57 +0000 (15:26 -0800)]
Merge branch 'release' of git://git./linux/kernel/git/lenb/linux-acpi-2.6

* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6:
  ACPI / ACPICA: Implicit notify for multiple devices
  ACPI / debugfs: Fix buffer overflows, double free

13 years agoTOMOYO: Fix memory leak upon file open.
Tetsuo Handa [Wed, 2 Mar 2011 07:54:24 +0000 (16:54 +0900)]
TOMOYO: Fix memory leak upon file open.

In tomoyo_check_open_permission() since 2.6.36, TOMOYO was by error
recalculating already calculated pathname when checking allow_rewrite
permission. As a result, memory will leak whenever a file is opened for writing
without O_APPEND flag. Also, performance will degrade because TOMOYO is
calculating pathname regardless of profile configuration.
This patch fixes the leak and performance degrade.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoMerge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/jkirsher/net-2.6
David S. Miller [Wed, 2 Mar 2011 23:06:01 +0000 (15:06 -0800)]
Merge branch 'master' of /linux/kernel/git/jkirsher/net-2.6

13 years agonet: dcbnl: check correct ops in dcbnl_ieee_set()
John Fastabend [Wed, 2 Mar 2011 10:35:33 +0000 (10:35 +0000)]
net: dcbnl: check correct ops in dcbnl_ieee_set()

The incorrect ops routine was being tested for in
DCB_ATTR_IEEE_PFC attributes. This patch corrects
it.

Currently, every driver implementing ieee_setets also
implements ieee_setpfc so this bug is not actualized
yet.

Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoof/promtree: allow DT device matching by fixing 'name' brokenness (v5)
Andres Salomon [Thu, 24 Feb 2011 06:38:22 +0000 (22:38 -0800)]
of/promtree: allow DT device matching by fixing 'name' brokenness (v5)

Commit e2f2a93b, "of/promtree: add package-to-path support to pdt"
changed dp->name from using the 'name' property to using
package-to-path.  This fixed /proc/device-tree creation by eliminating
conflicts between names (the 'name' property provides names like
'battery', whereas package-to-path provides names like
'/foo/bar/battery@0', which we stripped to 'battery@0').  However, it
also breaks of_device_id table matching.

The fix that we _really_ wanted was to keep dp->name based upon
the name property ('battery'), but based dp->full_name upon
package-to-path ('battery@0').  This patch does just that.

This changes all users (except SPARC) of promtree to use the full
result from package-to-path for full_name, rather than stripping the
directory out.  In practice, the strings end up being exactly the
same; this change saves time, code, and memory.

SPARC continues to use the existing build_path_component() code.

v2: combine two patches and revert of_pdt_node_name to original version
v3: use dp->phandle instead of passing around node
v4: warn/bail out for non-sparc archs if pkg2path is not set
v5: split of_pdt_build_full_name into sparc & non-sparc versions
v6: Pass NULL to pkg2path before buf gets assigned.
    Drop check for pkg2path hook on each and every node.
v7: Don't BUG() when unable to get the full_path; create a
    known-unique name instead.

Signed-off-by: Andres Salomon <dilinger@queued.net>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
13 years agox86: OLPC: have prom_early_alloc BUG rather than return NULL
Andres Salomon [Fri, 25 Feb 2011 04:06:31 +0000 (20:06 -0800)]
x86: OLPC: have prom_early_alloc BUG rather than return NULL

..similar to what sparc's prom_early_alloc does.

Signed-off-by: Andres Salomon <dilinger@queued.net>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>