GitHub/moto-9609/android_kernel_motorola_exynos9610.git
14 years agocrypto: pcrypt - Fix use after free on padata_free
Steffen Klassert [Wed, 10 Nov 2010 11:21:43 +0000 (12:21 +0100)]
crypto: pcrypt - Fix use after free on padata_free

kobject_put is called from padata_free for the padata kobject.
The kobject's release function frees the padata instance,
so don't call kobject_put for the padata kobject from pcrypt.

Reported-and-tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agobacklight: MacBookAir3,1(3,2) mbp-nvidia-bl support
Edgar (gimli) Hucek [Thu, 11 Nov 2010 22:05:30 +0000 (14:05 -0800)]
backlight: MacBookAir3,1(3,2) mbp-nvidia-bl support

Add support for the MacBookAir3,1 and MacBookAir3,2 to the mbp-nvidia-bl
driver.

Signed-off-by: Edgar (gimli) Hucek <gimli@dark-green.com>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agodrivers/video/backlight/adp8860_bl.c: check strict_strtoul() return value
Michael Hennerich [Thu, 11 Nov 2010 22:05:29 +0000 (14:05 -0800)]
drivers/video/backlight/adp8860_bl.c: check strict_strtoul() return value

Handle return value, strict_strtoul is declared with attribute
warn_unused_result.

Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Cc: Mike Frysinger <vapier@gentoo.org>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agodrivers/video/backlight/adp8860_bl.c: fix ambient light zone overwrite handling
Michael Hennerich [Thu, 11 Nov 2010 22:05:29 +0000 (14:05 -0800)]
drivers/video/backlight/adp8860_bl.c: fix ambient light zone overwrite handling

This affects the get/set of the current Ambient Light Zone.  Reading
should return an integer between 1..3 (1 = Daylight, 2 = office, 3 =
dark).  Writing a value between 1..3 forces the backlight controller to
enter the corresponding Ambient Light Zone.  Writing 0 returns to normal
operation.

Fix valid range checking so we don't write invalid values to the
controller, and make sure we subtract 1, since this is what the register
definition (CFGR:BLV) requires.  Otherwise the values written don't work
correctly.

Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agobacklight: add low threshold to pwm backlight
Arun Murthy [Thu, 11 Nov 2010 22:05:28 +0000 (14:05 -0800)]
backlight: add low threshold to pwm backlight

The intensity of the backlight can be varied from a range of
max_brightness to zero.  Though most, if not all the pwm based backlight
devices start flickering at lower brightness value.  And also for each
device there exists a brightness value below which the backlight appears
to be turned off though the value is not equal to zero.

If the range of brightness for a device is from zero to max_brightness.  A
graph is plotted for brightness Vs intensity for the pwm based backlight
device has to be a linear graph.

intensity
  |   /
  |  /
  | /
  |/
  ---------
 0 max_brightness

But pratically on measuring the above we note that the intensity of
backlight goes to zero(OFF) when the value in not zero almost nearing to
zero(some x%).  so the graph looks like

intensity
  |    /
  |   /
  |  /
  |  |
  ------------
 0   x  max_brightness

In order to overcome this drawback knowing this x% i.e nothing but the low
threshold beyond which the backlight is off and will have no effect, the
brightness value is being offset by the low threshold value(retaining the
linearity of the graph).  Now the graph becomes

intensity
  |     /
  |    /
  |   /
  |  /
  -------------
   0   max_brightness

With this for each and every digit increment in the brightness from zero
there is a change in the intensity of backlight.  Devices having this
behaviour can set the low threshold brightness(lth_brightness) and pass
the same as platform data else can have it as zero.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Arun Murthy <arun.murthy@stericsson.com>
Acked-by: Linus Walleij <linus.walleij@stericsson.com>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agodrivers/video/backlight/s6e63m0.c: fix section mismatch
Axel Lin [Thu, 11 Nov 2010 22:05:27 +0000 (14:05 -0800)]
drivers/video/backlight/s6e63m0.c: fix section mismatch

Eliminate section mismatch warning by marking s6e63m0_probe() as __devinit.

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Cc: InKi Dae <inki.dae@samsung.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agodrivers/video/backlight/s6e63m0.c: unregister backlight device and remove sysfs attri...
Axel Lin [Thu, 11 Nov 2010 22:05:26 +0000 (14:05 -0800)]
drivers/video/backlight/s6e63m0.c: unregister backlight device and remove sysfs attribute file in s6e63m0_remove

s6e63m0_probe() registered backlight device and create sysfs attribute
files, thus s6e63m0_remove() should unregister backlight device and remove
sysfs attribute files.

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Cc: InKi Dae <inki.dae@samsung.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agobacklight: fix blanking for L4F00242T03 LCD
Marek Vasut [Thu, 11 Nov 2010 22:05:26 +0000 (14:05 -0800)]
backlight: fix blanking for L4F00242T03 LCD

The LCD was turned on if the variable power was > 0, but that was
incorrect.  The LCD has to be turned on in NORMAL and UNBLANK case.

Signed-off-by: Marek Vasut <marek.vasut@gmail.com>
Acked-by: Richard Purdie <rpurdie@rpsys.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agobacklight: fix blanking for LMS283GF05 LCD
Marek Vasut [Thu, 11 Nov 2010 22:05:25 +0000 (14:05 -0800)]
backlight: fix blanking for LMS283GF05 LCD

The LCD was turned on if the variable power was > 0, but that was
incorrect.  The LCD has to be turned on in NORMAL and UNBLANK case.

Signed-off-by: Marek Vasut <marek.vasut@gmail.com>
Acked-by: Richard Purdie <rpurdie@rpsys.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agodrivers/video/backlight/s6e63m0.c: set permissions on gamma_table file to 0444
Axel Lin [Thu, 11 Nov 2010 22:05:25 +0000 (14:05 -0800)]
drivers/video/backlight/s6e63m0.c: set permissions on gamma_table file to 0444

gamma_table is not writable, so set permissions to 0444.

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agodrivers/leds/leds-gpio.c: properly initialize return value
Davidlohr Bueso [Thu, 11 Nov 2010 22:05:24 +0000 (14:05 -0800)]
drivers/leds/leds-gpio.c: properly initialize return value

In the event that none of the configs are set (CONFIG_LEDS_GPIO_PLATFORM,
CONFIG_LEDS_GPIO_OF, CONFIG_LEDS_GPIO_PLATFORM), we will return a bogus
value when initializing the module.

Signed-off-by: Davidlohr Bueso <dave@gnu.org>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoDocumentation: led drivers lp5521 and lp5523
Samu Onkalo [Thu, 11 Nov 2010 22:05:23 +0000 (14:05 -0800)]
Documentation: led drivers lp5521 and lp5523

Create sub directory Documentation/leds and add short documentation for
LP5521 and LP5523 drivers.

Signed-off-by: Samu Onkalo <samu.p.onkalo@nokia.com>
Cc: Richard Purdie <rpurdie@rpsys.net>
Cc: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoleds: update LP552x support Kconfig and Makefile
Samu Onkalo [Thu, 11 Nov 2010 22:05:23 +0000 (14:05 -0800)]
leds: update LP552x support Kconfig and Makefile

Provide configuration and compilation support for LP5521 and LP5523

Signed-off-by: Samu Onkalo <samu.p.onkalo@nokia.com>
Cc: Richard Purdie <rpurdie@rpsys.net>
Cc: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoleds: driver for National Semiconductors LP5523 chip
Samu Onkalo [Thu, 11 Nov 2010 22:05:22 +0000 (14:05 -0800)]
leds: driver for National Semiconductors LP5523 chip

LP5523 chip is nine channel led driver with programmable engines.  Driver
provides support for that chip for direct access via led class or via
programmable engines.

Signed-off-by: Samu Onkalo <samu.p.onkalo@nokia.com>
Cc: Richard Purdie <rpurdie@rpsys.net>
Cc: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoleds: driver for National Semiconductor LP5521 chip
Samu Onkalo [Thu, 11 Nov 2010 22:05:22 +0000 (14:05 -0800)]
leds: driver for National Semiconductor LP5521 chip

This patchset provides support for LP5521 and LP5523 LED driver chips from
National Semicondutor.  Both drivers supports programmable engines and
naturally LED class features.

Documentation is provided as a part of the patchset.  I created "leds"
subdirectory under Documentation.  Perhaps the rest of the leds*
documentation should be moved there.

Datasheets are freely available at National Semiconductor www pages.

This patch:

LP5521 chip is three channel led driver with programmable engines.  Driver
provides support for that chip for direct access via led class or via
programmable engines.

Signed-off-by: Samu Onkalo <samu.p.onkalo@nokia.com>
Cc: Richard Purdie <rpurdie@rpsys.net>
Cc: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoled-class: always implement blinking
Johannes Berg [Thu, 11 Nov 2010 22:05:21 +0000 (14:05 -0800)]
led-class: always implement blinking

Currently, blinking LEDs can be awkward because it is not guaranteed that
all LEDs implement blinking.  The trigger that wants it to blink then
needs to implement its own timer solution.

Rather than require that, add led_blink_set() API that triggers can use.
This function will attempt to use hw blinking, but if that fails
implements a timer for it.  To stop blinking again, brightness_set() also
needs to be wrapped into API that will stop the software blink.

As a result of this, the timer trigger becomes a very trivial one, and
hopefully we can finally see triggers using blinking as well because it's
always easy to use.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agohugetlbfs: lessen the impact of a deprecation warning
Dave Jones [Thu, 11 Nov 2010 22:05:20 +0000 (14:05 -0800)]
hugetlbfs: lessen the impact of a deprecation warning

WARN_ONCE is a bit strong for a deprecation warning, given that it spews a
huge backtrace.

Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoradix-tree: fix RCU bug
Nick Piggin [Thu, 11 Nov 2010 22:05:19 +0000 (14:05 -0800)]
radix-tree: fix RCU bug

Salman Qazi describes the following radix-tree bug:

In the following case, we get can get a deadlock:

0.  The radix tree contains two items, one has the index 0.
1.  The reader (in this case find_get_pages) takes the rcu_read_lock.
2.  The reader acquires slot(s) for item(s) including the index 0 item.
3.  The non-zero index item is deleted, and as a consequence the other item is
    moved to the root of the tree. The place where it used to be is queued for
    deletion after the readers finish.
3b. The zero item is deleted, removing it from the direct slot, it remains in
    the rcu-delayed indirect node.
4.  The reader looks at the index 0 slot, and finds that the page has 0 ref
    count
5.  The reader looks at it again, hoping that the item will either be freed or
    the ref count will increase. This never happens, as the slot it is looking
    at will never be updated. Also, this slot can never be reclaimed because
    the reader is holding rcu_read_lock and is in an infinite loop.

The fix is to re-use the same "indirect" pointer case that requires a slot
lookup retry into a general "retry the lookup" bit.

Signed-off-by: Nick Piggin <npiggin@kernel.dk>
Reported-by: Salman Qazi <sqazi@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoRestrict unprivileged access to kernel syslog
Dan Rosenberg [Thu, 11 Nov 2010 22:05:18 +0000 (14:05 -0800)]
Restrict unprivileged access to kernel syslog

The kernel syslog contains debugging information that is often useful
during exploitation of other vulnerabilities, such as kernel heap
addresses.  Rather than futilely attempt to sanitize hundreds (or
thousands) of printk statements and simultaneously cripple useful
debugging functionality, it is far simpler to create an option that
prevents unprivileged users from reading the syslog.

This patch, loosely based on grsecurity's GRKERNSEC_DMESG, creates the
dmesg_restrict sysctl.  When set to "0", the default, no restrictions are
enforced.  When set to "1", only users with CAP_SYS_ADMIN can read the
kernel syslog via dmesg(8) or other mechanisms.

[akpm@linux-foundation.org: explain the config option in kernel.txt]
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Acked-by: Ingo Molnar <mingo@elte.hu>
Acked-by: Eugene Teo <eugeneteo@kernel.org>
Acked-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agooom: document obsolete oom_adj tunable
David Rientjes [Thu, 11 Nov 2010 22:05:18 +0000 (14:05 -0800)]
oom: document obsolete oom_adj tunable

/proc/pid/oom_adj was deprecated in August 2010 with the introduction of
the new oom killer heuristic.

This patch copies the Documentation/feature-removal-schedule.txt entry for
this tunable to the Documentation/ABI/obsolete directory so nobody misses
it.

Signed-off-by: David Rientjes <rientjes@google.com>
Reported-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agovmscan: avoid setting zone congested if no page dirty
Shaohua Li [Thu, 11 Nov 2010 22:05:17 +0000 (14:05 -0800)]
vmscan: avoid setting zone congested if no page dirty

nr_dirty and nr_congested are increased only when the page is dirty.  So
if all pages are clean, both them will be zero.  In this case, we should
not mark the zone congested.

Signed-off-by: Shaohua Li <shaohua.li@intel.com>
Reviewed-by: Johannes Weiner <hannes@cmpxchg.org>
Reviewed-by: Minchan Kim <minchan.kim@gmail.com>
Acked-by: Mel Gorman <mel@csn.ul.ie>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agolatencytop: fix per task accumulator
Ken Chen [Thu, 11 Nov 2010 22:05:16 +0000 (14:05 -0800)]
latencytop: fix per task accumulator

Per task latencytop accumulator prematurely terminates due to erroneous
placement of latency_record_count.  It should be incremented whenever a
new record is allocated instead of increment on every latencytop event.

Also fix search iterator to only search known record events instead of
blindly searching all pre-allocated space.

Signed-off-by: Ken Chen <kenchen@google.com>
Reviewed-by: Arjan van de Ven <arjan@infradead.org>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agomm/vfs: revalidate page->mapping in do_generic_file_read()
Dave Hansen [Thu, 11 Nov 2010 22:05:15 +0000 (14:05 -0800)]
mm/vfs: revalidate page->mapping in do_generic_file_read()

70 hours into some stress tests of a 2.6.32-based enterprise kernel, we
ran into a NULL dereference in here:

int block_is_partially_uptodate(struct page *page, read_descriptor_t *desc,
                                        unsigned long from)
{
----> struct inode *inode = page->mapping->host;

It looks like page->mapping was the culprit.  (xmon trace is below).
After closer examination, I realized that do_generic_file_read() does a
find_get_page(), and eventually locks the page before calling
block_is_partially_uptodate().  However, it doesn't revalidate the
page->mapping after the page is locked.  So, there's a small window
between the find_get_page() and ->is_partially_uptodate() where the page
could get truncated and page->mapping cleared.

We _have_ a reference, so it can't get reclaimed, but it certainly
can be truncated.

I think the correct thing is to check page->mapping after the
trylock_page(), and jump out if it got truncated.  This patch has been
running in the test environment for a month or so now, and we have not
seen this bug pop up again.

xmon info:

  1f:mon> e
  cpu 0x1f: Vector: 300 (Data Access) at [c0000002ae36f770]
      pc: c0000000001e7a6c: .block_is_partially_uptodate+0xc/0x100
      lr: c000000000142944: .generic_file_aio_read+0x1e4/0x770
      sp: c0000002ae36f9f0
     msr: 8000000000009032
     dar: 0
   dsisr: 40000000
    current = 0xc000000378f99e30
    paca    = 0xc000000000f66300
      pid   = 21946, comm = bash
  1f:mon> r
  R00 = 0025c0500000006d   R16 = 0000000000000000
  R01 = c0000002ae36f9f0   R17 = c000000362cd3af0
  R02 = c000000000e8cd80   R18 = ffffffffffffffff
  R03 = c0000000031d0f88   R19 = 0000000000000001
  R04 = c0000002ae36fa68   R20 = c0000003bb97b8a0
  R05 = 0000000000000000   R21 = c0000002ae36fa68
  R06 = 0000000000000000   R22 = 0000000000000000
  R07 = 0000000000000001   R23 = c0000002ae36fbb0
  R08 = 0000000000000002   R24 = 0000000000000000
  R09 = 0000000000000000   R25 = c000000362cd3a80
  R10 = 0000000000000000   R26 = 0000000000000002
  R11 = c0000000001e7b60   R27 = 0000000000000000
  R12 = 0000000042000484   R28 = 0000000000000001
  R13 = c000000000f66300   R29 = c0000003bb97b9b8
  R14 = 0000000000000001   R30 = c000000000e28a08
  R15 = 000000000000ffff   R31 = c0000000031d0f88
  pc  = c0000000001e7a6c .block_is_partially_uptodate+0xc/0x100
  lr  = c000000000142944 .generic_file_aio_read+0x1e4/0x770
  msr = 8000000000009032   cr  = 22000488
  ctr = c0000000001e7a60   xer = 0000000020000000   trap =  300
  dar = 0000000000000000   dsisr = 40000000
  1f:mon> t
  [link register   ] c000000000142944 .generic_file_aio_read+0x1e4/0x770
  [c0000002ae36f9f0c000000000142a14 .generic_file_aio_read+0x2b4/0x770 (unreliable)
  [c0000002ae36fb40c0000000001b03e4 .do_sync_read+0xd4/0x160
  [c0000002ae36fce0c0000000001b153c .vfs_read+0xec/0x1f0
  [c0000002ae36fd80c0000000001b1768 .SyS_read+0x58/0xb0
  [c0000002ae36fe30c00000000000852c syscall_exit+0x0/0x40
  --- Exception: c00 (System Call) at 00000080a840bc54
  SP (fffca15df30) is in userspace
  1f:mon> di c0000000001e7a6c
  c0000000001e7a6c  e9290000      ld      r9,0(r9)
  c0000000001e7a70  418200c0      beq     c0000000001e7b30        # .block_is_partially_uptodate+0xd0/0x100
  c0000000001e7a74  e9440008      ld      r10,8(r4)
  c0000000001e7a78  78a80020      clrldi  r8,r5,32
  c0000000001e7a7c  3c000001      lis     r0,1
  c0000000001e7a80  812900a8      lwz     r9,168(r9)
  c0000000001e7a84  39600001      li      r11,1
  c0000000001e7a88  7c080050      subf    r0,r8,r0
  c0000000001e7a8c  7f805040      cmplw   cr7,r0,r10
  c0000000001e7a90  7d6b4830      slw     r11,r11,r9
  c0000000001e7a94  796b0020      clrldi  r11,r11,32
  c0000000001e7a98  419d00a8      bgt     cr7,c0000000001e7b40    # .block_is_partially_uptodate+0xe0/0x100
  c0000000001e7a9c  7fa55840      cmpld   cr7,r5,r11
  c0000000001e7aa0  7d004214      add     r8,r0,r8
  c0000000001e7aa4  79080020      clrldi  r8,r8,32
  c0000000001e7aa8  419c0078      blt     cr7,c0000000001e7b20    # .block_is_partially_uptodate+0xc0/0x100

Signed-off-by: Dave Hansen <dave@linux.vnet.ibm.com>
Reviewed-by: Minchan Kim <minchan.kim@gmail.com>
Reviewed-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: <arunabal@in.ibm.com>
Cc: <sbest@us.ibm.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Minchan Kim <minchan.kim@gmail.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agokernel/range.c: fix clean_sort_range() for the case of full array
Alexey Khoroshilov [Thu, 11 Nov 2010 22:05:14 +0000 (14:05 -0800)]
kernel/range.c: fix clean_sort_range() for the case of full array

clean_sort_range() should return a number of nonempty elements of range
array, but if the array is full clean_sort_range() returns 0.

The problem is that the number of nonempty elements is evaluated by
finding the first empty element of the array.  If there is no such element
it returns an initial value of local variable nr_range that is zero.

The fix is trivial: it changes initial value of nr_range to size of the
array.

The bug can lead to loss of information regarding all ranges, since
typically returned value of clean_sort_range() is considered as an actual
number of ranges in the array after a series of add/subtract operations.

Found by Analytical Verification project of Linux Verification Center
(linuxtesting.org), thanks to Alexander Kolosov.

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agodrivers/misc/bh1770glc.c: error handling in bh1770_power_state_store()
Dan Carpenter [Thu, 11 Nov 2010 22:05:13 +0000 (14:05 -0800)]
drivers/misc/bh1770glc.c: error handling in bh1770_power_state_store()

There was a signedness bug so "ret" was never less than zero and that
breaks the error handling.  Also in the original code it would overwrite
ret and the result is still negative but it's bogus number instead of the
correct error code.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Samu Onkalo <samu.p.onkalo@nokia.com>
Cc: Jonathan Cameron <jic23@cam.ac.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agomemcg: null dereference on allocation failure
Dan Carpenter [Thu, 11 Nov 2010 22:05:12 +0000 (14:05 -0800)]
memcg: null dereference on allocation failure

The original code had a null dereference if alloc_percpu() failed.  This
was introduced in commit 711d3d2c9bc3 ("memcg: cpu hotplug aware percpu
count updates")

Signed-off-by: Dan Carpenter <error27@gmail.com>
Reviewed-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agodrivers/misc/apds9802als.c: fix signedness bug
Vasiliy Kulikov [Thu, 11 Nov 2010 22:05:11 +0000 (14:05 -0800)]
drivers/misc/apds9802als.c: fix signedness bug

i2c_smbus_read_byte_data() may return negative error code.  This is not
seen to als_sensing_range_store() as the result is stored in unsigned int.

Made it signed.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Cc: Hong Liu <hong.liu@intel.com>
Cc: Alan Cox <alan@linux.intel.com>
Cc: Anantha Narayanan <anantha.narayanan@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agomisc/isl29020: signedness bug in als_sensing_range_store()
Dan Carpenter [Thu, 11 Nov 2010 22:05:11 +0000 (14:05 -0800)]
misc/isl29020: signedness bug in als_sensing_range_store()

"ret_val" is supposed to be signed here or the error handling breaks.
Also we should check the return value from i2c_smbus_read_byte_data().

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoinclude/linux/highmem.h needs hardirq.h
Catalin Marinas [Thu, 11 Nov 2010 22:05:10 +0000 (14:05 -0800)]
include/linux/highmem.h needs hardirq.h

Commit 3e4d3af501cc ("mm: stack based kmap_atomic()") introduced the
kmap_atomic_idx_push() function which warns on in_irq() with
CONFIG_DEBUG_HIGHMEM enabled.  This patch includes linux/hardirq.h for
the in_irq definition.

Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoatomic: add atomic_inc_not_zero_hint()
Eric Dumazet [Thu, 11 Nov 2010 22:05:08 +0000 (14:05 -0800)]
atomic: add atomic_inc_not_zero_hint()

Followup of perf tools session in Netfilter WorkShop 2010

In the network stack we make high usage of atomic_inc_not_zero() in
contexts we know the probable value of atomic before increment (2 for udp
sockets for example)

Using a special version of atomic_inc_not_zero() giving this hint can help
processor to use less bus transactions.

On x86 (MESI protocol) for example, this avoids entering Shared state,
because "lock cmpxchg" issues an RFO (Read For Ownership)

akpm: Adds a new include/linux/atomic.h.  This means that new code should
henceforth include linux/atomic.h and not asm/atomic.h.  The presence of
include/linux/atomic.h will in fact cause checkpatch.pl to warn about use
of asm/atomic.h.  The new include/linux/atomic.h becomes the place where
arch-neutral atomic_t code should be placed.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
Cc: David Miller <davem@davemloft.net>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Cc: Nick Piggin <npiggin@kernel.dk>
Reviewed-by: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoinclude/linux/resource.h needs types.h
Jean Delvare [Thu, 11 Nov 2010 22:05:07 +0000 (14:05 -0800)]
include/linux/resource.h needs types.h

Fix the following warning:
usr/include/linux/resource.h:49: found __[us]{8,16,32,64} type without #include <linux/types.h>

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agorapidio: use resource_size()
Dan Carpenter [Thu, 11 Nov 2010 22:05:07 +0000 (14:05 -0800)]
rapidio: use resource_size()

The size calculation is done incorrectly here because it should include
both the start and end (end - start + 1).  It's easiest to just use
resource_size() which does the right thing.

I was worried there was something non-standard going on because the
printk() subtracts "end - 1", but the rest of the file uses the normal
resource size calculations.  This function is only called from
fsl_rio_setup() in arch/powerpc/sysdev/fsl_rio.c and the calculation
there is also:

port->iores.start = law_start;
port->iores.end = law_start + law_size - 1;

So I think this is the correct fix.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Alexandre Bounine <alexandre.bounine@idt.com>
Acked-by: Li Yang <leoli@freescale.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agodrivers/macintosh/adb-iop.c: flags should be unsigned long
Geert Uytterhoeven [Thu, 11 Nov 2010 22:05:06 +0000 (14:05 -0800)]
drivers/macintosh/adb-iop.c: flags should be unsigned long

Fix these warnings:

  drivers/macintosh/adb-iop.c: In function `adb_iop_complete':
  drivers/macintosh/adb-iop.c:85: warning: comparison of distinct pointer types lacks a cast
  drivers/macintosh/adb-iop.c:92: warning: comparison of distinct pointer types lacks a cast
  drivers/macintosh/adb-iop.c: In function Â¡adb_iop_listen¢:
  drivers/macintosh/adb-iop.c:111: warning: comparison of distinct pointer types lacks a cast
  drivers/macintosh/adb-iop.c:151: warning: comparison of distinct pointer types lacks a cast

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoum: fix ptrace build error
Richard Weinberger [Thu, 11 Nov 2010 22:05:04 +0000 (14:05 -0800)]
um: fix ptrace build error

Both commits 0a3d763f1a68 ("ptrace: cleanup arch_ptrace() on um") and
9b05a69e0534 ("ptrace: change signature of arch_ptrace()") broke the um
build.  This patch fixes the issues.

0a3d763f1a68 introduced the undeclared variable "datavp".  The patch seems
completely untested.  :-(

9b05a69e0534 changed arch_ptrace()'s signature but did not update
um/include/asm/ptrace-generic.h.

Signed-off-by: Richard Weinberger <richard@nod.at>
Cc: Namhyung Kim <namhyung@gmail.com>
Cc: Jeff Dike <jdike@addtoit.com>
Tested-by: Will Newton <will.newton@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6
Linus Torvalds [Tue, 9 Nov 2010 18:34:48 +0000 (10:34 -0800)]
Merge git://git./linux/kernel/git/sfrench/cifs-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
  cifs: fix a memleak in cifs_setattr_nounix()
  cifs: make cifs_ioctl handle NULL filp->private_data correctly

14 years agoperf_events: Fix perf_counter_mmap() hook in mprotect()
Pekka Enberg [Mon, 8 Nov 2010 19:29:07 +0000 (21:29 +0200)]
perf_events: Fix perf_counter_mmap() hook in mprotect()

As pointed out by Linus, commit dab5855 ("perf_counter: Add mmap event hooks to
mprotect()") is fundamentally wrong as mprotect_fixup() can free 'vma' due to
merging. Fix the problem by moving perf_event_mmap() hook to
mprotect_fixup().

Note: there's another successful return path from mprotect_fixup() if old
flags equal to new flags. We don't, however, need to call
perf_event_mmap() there because 'perf' already knows the VMA is
executable.

Reported-by: Dave Jones <davej@redhat.com>
Analyzed-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ingo Molnar <mingo@elte.hu>
Reviewed-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Pekka Enberg <penberg@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agocifs: fix a memleak in cifs_setattr_nounix()
Suresh Jayaraman [Tue, 9 Nov 2010 06:57:41 +0000 (12:27 +0530)]
cifs: fix a memleak in cifs_setattr_nounix()

Andrew Hendry reported a kmemleak warning in 2.6.37-rc1 while editing a
text file with gedit over cifs.

unreferenced object 0xffff88022ee08b40 (size 32):
  comm "gedit", pid 2524, jiffies 4300160388 (age 2633.655s)
  hex dump (first 32 bytes):
    5c 2e 67 6f 75 74 70 75 74 73 74 72 65 61 6d 2d  \.goutputstream-
    35 42 41 53 4c 56 00 de 09 00 00 00 2c 26 78 ee  5BASLV......,&x.
  backtrace:
    [<ffffffff81504a4d>] kmemleak_alloc+0x2d/0x60
    [<ffffffff81136e13>] __kmalloc+0xe3/0x1d0
    [<ffffffffa0313db0>] build_path_from_dentry+0xf0/0x230 [cifs]
    [<ffffffffa031ae1e>] cifs_setattr+0x9e/0x770 [cifs]
    [<ffffffff8115fe90>] notify_change+0x170/0x2e0
    [<ffffffff81145ceb>] sys_fchmod+0x10b/0x140
    [<ffffffff8100c172>] system_call_fastpath+0x16/0x1b
    [<ffffffffffffffff>] 0xffffffffffffffff

The commit 1025774c that removed inode_setattr() seems to have introduced this
memleak by returning early without freeing 'full_path'.

Reported-by: Andrew Hendry <andrew.hendry@gmail.com>
Cc: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de>
Signed-off-by: Steve French <sfrench@us.ibm.com>
14 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris...
Linus Torvalds [Tue, 9 Nov 2010 02:30:11 +0000 (18:30 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
  kernel: Constify temporary variable in roundup()

14 years agokernel: Constify temporary variable in roundup()
Tetsuo Handa [Mon, 8 Nov 2010 02:20:49 +0000 (11:20 +0900)]
kernel: Constify temporary variable in roundup()

Fix build error with GCC 3.x caused by commit b28efd54
"kernel: roundup should only reference arguments once" by constifying
temporary variable used in that macro.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Suggested-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
14 years agosparc: fix openpromfs compile
Meelis Roos [Mon, 8 Nov 2010 21:38:14 +0000 (13:38 -0800)]
sparc: fix openpromfs compile

Fix openpromfs compilation by adding a missing semicolon in
fs/openpromfs/inode.c openprom_mount().

Signed-off-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoMerge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
Linus Torvalds [Mon, 8 Nov 2010 19:54:53 +0000 (11:54 -0800)]
Merge branch 'for_linus' of git://git./linux/kernel/git/tytso/ext4

* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
  ext4: Add new ext4 inode tracepoints
  ext4: Don't call sb_issue_discard() in ext4_free_blocks()
  ext4: do not try to grab the s_umount semaphore in ext4_quota_off
  ext4: fix potential race when freeing ext4_io_page structures
  ext4: handle writeback of inodes which are being freed
  ext4: initialize the percpu counters before replaying the journal
  ext4: "ret" may be used uninitialized in ext4_lazyinit_thread()
  ext4: fix lazyinit hang after removing request

14 years agocifs: make cifs_ioctl handle NULL filp->private_data correctly
Jeff Layton [Mon, 8 Nov 2010 12:28:32 +0000 (07:28 -0500)]
cifs: make cifs_ioctl handle NULL filp->private_data correctly

Commit 13cfb7334e made cifs_ioctl use the tlink attached to the
cifsFileInfo for a filp. This ignores the case of an open directory
however, which in CIFS can have a NULL private_data until a readdir
is done on it.

This patch re-adds the NULL pointer checks that were removed in commit
50ae28f01 and moves the setting of tcon and "caps" variables lower.

Long term, a better fix would be to establish a f_op->open routine for
directories that populates that field at open time, but that requires
some other changes to how readdir calls are handled.

Reported-by: Kjell Rune Skaaraas <kjella79@yahoo.no>
Reviewed-and-Tested-by: Suresh Jayaraman <sjayaraman@suse.de>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
14 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty-2.6
Linus Torvalds [Mon, 8 Nov 2010 18:55:29 +0000 (10:55 -0800)]
Merge git://git./linux/kernel/git/gregkh/tty-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty-2.6:
  TTY: move .gitignore from drivers/char/ to drivers/tty/vt/
  TTY: create drivers/tty/vt and move the vt code there
  TTY: create drivers/tty and move the tty core files there

14 years agoMerge branch 'staging-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh...
Linus Torvalds [Mon, 8 Nov 2010 18:54:49 +0000 (10:54 -0800)]
Merge branch 'staging-linus' of git://git./linux/kernel/git/gregkh/staging-next-2.6

* 'staging-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging-next-2.6:
  Staging: ath6kl: remove empty files that mess with 'distclean'
  staging: ath6kl: Fixing the driver to use modified mmc_host structure
  Staging: solo6x10: fix build problem

14 years agoMerge branch 'rmobile-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Mon, 8 Nov 2010 18:54:23 +0000 (10:54 -0800)]
Merge branch 'rmobile-fixes-for-linus' of git://git./linux/kernel/git/lethal/sh-2.6

* 'rmobile-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  mmc: sh_mmcif: Convert extern inline to static inline.
  ARM: mach-shmobile: Allow GPIO chips to register IRQ mappings.
  ARM: mach-shmobile: fix sh7372 after a recent clock framework rework
  ARM: mach-shmobile: include drivers/sh/Kconfig
  ARM: mach-shmobile: ap4evb: Add HDMI sound support
  ARM: mach-shmobile: clock-sh7372: Add FSIDIV clock support
  ARM: shmobile: remove sh_timer_config clk member

14 years agoMerge branch 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Mon, 8 Nov 2010 18:53:21 +0000 (10:53 -0800)]
Merge branch 'sh-fixes-for-linus' of git://git./linux/kernel/git/lethal/sh-2.6

* 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  sh: clkfwk: Fix up checkpatch warnings.
  sh: make some needlessly global sh7724 clocks static
  sh: add clk_round_parent() to optimize parent clock rate
  sh: Simplify phys_addr_mask()/PTE_PHYS_MASK for 29/32-bit.
  sh: nommu: Support building without an uncached mapping.
  sh: nommu: use 32-bit phys mode.
  sh: mach-se: Fix up SE7206 no ioport build.
  sh: intc: Update for single IRQ reservation helper.
  sh: clkfwk: Fix up rate rounding error handling.
  sh: mach-se: Rip out superfluous 7751 PIO routines.
  sh: mach-se: Rip out superfluous 770x PIO routines.
  sh: mach-edosk7705: Kill off machtype, consolidate board def.
  sh: mach-edosk7705: update for this century, kill off PIO trapping.
  sh: mach-se: Rip out superfluous 7206 PIO routines.
  sh: mach-systemh: Kill off dead board.
  sh: mach-snapgear: Kill off machtype, consolidate board def.
  sh: mach-snapgear: Rip out superfluous PIO routines.
  sh: mach-microdev: SuperIO-relative ioport mapping.

14 years agoext4: Add new ext4 inode tracepoints
Theodore Ts'o [Mon, 8 Nov 2010 18:51:33 +0000 (13:51 -0500)]
ext4: Add new ext4 inode tracepoints

Add ext4_evict_inode, ext4_drop_inode, ext4_mark_inode_dirty, and
ext4_begin_ordered_truncate()

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
14 years agoext4: Don't call sb_issue_discard() in ext4_free_blocks()
Theodore Ts'o [Mon, 8 Nov 2010 18:49:33 +0000 (13:49 -0500)]
ext4: Don't call sb_issue_discard() in ext4_free_blocks()

Commit 5c521830cf (ext4: Support discard requests when running in
no-journal mode) attempts to add sb_issue_discard() for data blocks
(in data=writeback mode) and in no-journal mode.  Unfortunately, this
no longer works, because in commit dd3932eddf (block: remove
BLKDEV_IFL_WAIT), sb_issue_discard() only presents a synchronous
interface, and there are times when we call ext4_free_blocks() when we
are are holding a spinlock, or are otherwise in an atomic context.

For now, I've removed the call to sb_issue_discard() to prevent a
deadlock or (if spinlock debugging is enabled) failures like this:

BUG: scheduling while atomic: rc.sysinit/1376/0x00000002
Pid: 1376, comm: rc.sysinit Not tainted 2.6.36-ARCH #1
Call Trace:
[<ffffffff810397ce>] __schedule_bug+0x5e/0x70
[<ffffffff81403110>] schedule+0x950/0xa70
[<ffffffff81060bad>] ? insert_work+0x7d/0x90
[<ffffffff81060fbd>] ? queue_work_on+0x1d/0x30
[<ffffffff81061127>] ? queue_work+0x37/0x60
[<ffffffff8140377d>] schedule_timeout+0x21d/0x360
[<ffffffff812031c3>] ? generic_make_request+0x2c3/0x540
[<ffffffff81402680>] wait_for_common+0xc0/0x150
[<ffffffff81041490>] ? default_wake_function+0x0/0x10
[<ffffffff812034bc>] ? submit_bio+0x7c/0x100
[<ffffffff810680a0>] ? wake_bit_function+0x0/0x40
[<ffffffff814027b8>] wait_for_completion+0x18/0x20
[<ffffffff8120a969>] blkdev_issue_discard+0x1b9/0x210
[<ffffffff811ba03e>] ext4_free_blocks+0x68e/0xb60
[<ffffffff811b1650>] ? __ext4_handle_dirty_metadata+0x110/0x120
[<ffffffff811b098c>] ext4_ext_truncate+0x8cc/0xa70
[<ffffffff810d713e>] ? pagevec_lookup+0x1e/0x30
[<ffffffff81191618>] ext4_truncate+0x178/0x5d0
[<ffffffff810eacbb>] ? unmap_mapping_range+0xab/0x280
[<ffffffff810d8976>] vmtruncate+0x56/0x70
[<ffffffff811925cb>] ext4_setattr+0x14b/0x460
[<ffffffff811319e4>] notify_change+0x194/0x380
[<ffffffff81117f80>] do_truncate+0x60/0x90
[<ffffffff811e08fa>] ? security_inode_permission+0x1a/0x20
[<ffffffff811eaec1>] ? tomoyo_path_truncate+0x11/0x20
[<ffffffff81127539>] do_last+0x5d9/0x770
[<ffffffff811278bd>] do_filp_open+0x1ed/0x680
[<ffffffff8140644f>] ? page_fault+0x1f/0x30
[<ffffffff81132bfc>] ? alloc_fd+0xec/0x140
[<ffffffff81118db1>] do_sys_open+0x61/0x120
[<ffffffff81118e8b>] sys_open+0x1b/0x20
[<ffffffff81002e6b>] system_call_fastpath+0x16/0x1b

https://bugzilla.kernel.org/show_bug.cgi?id=22302

Reported-by: Mathias Burén <mathias.buren@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: jiayingz@google.com
14 years agoext4: do not try to grab the s_umount semaphore in ext4_quota_off
Dmitry Monakhov [Mon, 8 Nov 2010 18:47:33 +0000 (13:47 -0500)]
ext4: do not try to grab the s_umount semaphore in ext4_quota_off

It's not needed to sync the filesystem, and it fixes a lock_dep complaint.

Signed-off-by: Dmitry Monakhov <dmonakhov@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
14 years agoext4: fix potential race when freeing ext4_io_page structures
Theodore Ts'o [Mon, 8 Nov 2010 18:45:33 +0000 (13:45 -0500)]
ext4: fix potential race when freeing ext4_io_page structures

Use an atomic_t and make sure we don't free the structure while we
might still be submitting I/O for that page.

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
14 years agoext4: handle writeback of inodes which are being freed
Theodore Ts'o [Mon, 8 Nov 2010 18:43:33 +0000 (13:43 -0500)]
ext4: handle writeback of inodes which are being freed

The following BUG can occur when an inode which is getting freed when
it still has dirty pages outstanding, and it gets deleted (in this
because it was the target of a rename).  In ordered mode, we need to
make sure the data pages are written just in case we crash before the
rename (or unlink) is committed.  If the inode is being freed then
when we try to igrab the inode, we end up tripping the BUG_ON at
fs/ext4/page-io.c:146.

To solve this problem, we need to keep track of the number of io
callbacks which are pending, and avoid destroying the inode until they
have all been completed.  That way we don't have to bump the inode
count to keep the inode from being destroyed; an approach which
doesn't work because the count could have already been dropped down to
zero before the inode writeback has started (at which point we're not
allowed to bump the count back up to 1, since it's already started
getting freed).

Thanks to Dave Chinner for suggesting this approach, which is also
used by XFS.

  kernel BUG at /scratch_space/linux-2.6/fs/ext4/page-io.c:146!
  Call Trace:
   [<ffffffff811075b1>] ext4_bio_write_page+0x172/0x307
   [<ffffffff811033a7>] mpage_da_submit_io+0x2f9/0x37b
   [<ffffffff811068d7>] mpage_da_map_and_submit+0x2cc/0x2e2
   [<ffffffff811069b3>] mpage_add_bh_to_extent+0xc6/0xd5
   [<ffffffff81106c66>] write_cache_pages_da+0x2a4/0x3ac
   [<ffffffff81107044>] ext4_da_writepages+0x2d6/0x44d
   [<ffffffff81087910>] do_writepages+0x1c/0x25
   [<ffffffff810810a4>] __filemap_fdatawrite_range+0x4b/0x4d
   [<ffffffff810815f5>] filemap_fdatawrite_range+0xe/0x10
   [<ffffffff81122a2e>] jbd2_journal_begin_ordered_truncate+0x7b/0xa2
   [<ffffffff8110615d>] ext4_evict_inode+0x57/0x24c
   [<ffffffff810c14a3>] evict+0x22/0x92
   [<ffffffff810c1a3d>] iput+0x212/0x249
   [<ffffffff810bdf16>] dentry_iput+0xa1/0xb9
   [<ffffffff810bdf6b>] d_kill+0x3d/0x5d
   [<ffffffff810be613>] dput+0x13a/0x147
   [<ffffffff810b990d>] sys_renameat+0x1b5/0x258
   [<ffffffff81145f71>] ? _atomic_dec_and_lock+0x2d/0x4c
   [<ffffffff810b2950>] ? cp_new_stat+0xde/0xea
   [<ffffffff810b29c1>] ? sys_newlstat+0x2d/0x38
   [<ffffffff810b99c6>] sys_rename+0x16/0x18
   [<ffffffff81002a2b>] system_call_fastpath+0x16/0x1b

Reported-by: Nick Bowler <nbowler@elliptictech.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Tested-by: Nick Bowler <nbowler@elliptictech.com>
14 years agoMerge branch 'rmobile/core' into rmobile-fixes-for-linus
Paul Mundt [Mon, 8 Nov 2010 00:51:41 +0000 (09:51 +0900)]
Merge branch 'rmobile/core' into rmobile-fixes-for-linus

14 years agoMerge branches 'sh/pio-death', 'sh/nommu', 'sh/clkfwk', 'sh/core' and 'sh/intc-extens...
Paul Mundt [Mon, 8 Nov 2010 00:42:43 +0000 (09:42 +0900)]
Merge branches 'sh/pio-death', 'sh/nommu', 'sh/clkfwk', 'sh/core' and 'sh/intc-extension' into sh-fixes-for-linus

14 years agosh: clkfwk: Fix up checkpatch warnings.
Paul Mundt [Mon, 8 Nov 2010 00:40:23 +0000 (09:40 +0900)]
sh: clkfwk: Fix up checkpatch warnings.

The clk_round_parent() change introduced various checkpatch warnings,
tidy them up.

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
14 years agosh: make some needlessly global sh7724 clocks static
Guennadi Liakhovetski [Thu, 4 Nov 2010 14:14:29 +0000 (14:14 +0000)]
sh: make some needlessly global sh7724 clocks static

These clocks are currently only used inside one .c file and are not
declared in any headers, therefore having them global is useless.

Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
14 years agosh: add clk_round_parent() to optimize parent clock rate
Guennadi Liakhovetski [Tue, 2 Nov 2010 11:27:24 +0000 (11:27 +0000)]
sh: add clk_round_parent() to optimize parent clock rate

Sometimes it is possible and reasonable to adjust the parent clock rate to
improve precision of the child clock, e.g., if the child clock has no siblings.
clk_round_parent() is a new addition to the SH clock-framework API, that
implements such an optimization for child clocks with divisors, taking all
integer values in a range.

Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
14 years agoStaging: ath6kl: remove empty files that mess with 'distclean'
Greg Kroah-Hartman [Sat, 6 Nov 2010 18:27:04 +0000 (11:27 -0700)]
Staging: ath6kl: remove empty files that mess with 'distclean'

These two .h files would get removed from the tree when doing
make distclean

It turns out they are not needed at all, so just delete them which fixes
people's git trees when doing development.

Reported-by: Andi Kleen <andi@firstfloor.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agofloppy: fix another use-after-free
Vivek Goyal [Sat, 6 Nov 2010 12:16:05 +0000 (08:16 -0400)]
floppy: fix another use-after-free

While scanning the floopy code due to c093ee4f07f4 ("floppy: fix
use-after-free in module load failure path"), I found one more instance
of trying to access disk->queue pointer after doing put_disk() on
gendisk.  For some reason , floppy moule still loads/unloads fine.  The
object is probably still around with right pointer values.

 o There seems to be one more instance of trying to cleanup the request
   queue after we have called put_disk() on associated gendisk.

 o This fix is more out of code inspection.  Even without this fix for
   some reason I am able to load/unload floppy module without any
   issues.

 o Floppy module loads/unloads fine after the fix.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoTTY: move .gitignore from drivers/char/ to drivers/tty/vt/
Greg Kroah-Hartman [Sat, 6 Nov 2010 05:18:23 +0000 (22:18 -0700)]
TTY: move .gitignore from drivers/char/ to drivers/tty/vt/

The autogenerated files (consolemap_deftbl.c and defkeymap.c) need to
be ignored by git, so move the .gitignore file that was doing it to the
properly location now that the files have moved as well.

Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoipw2x00: remove the right /proc/net entry
Linus Torvalds [Sat, 6 Nov 2010 01:57:04 +0000 (18:57 -0700)]
ipw2x00: remove the right /proc/net entry

Commit 27ae60f8f7aa ("ipw2x00: replace "ieee80211" with "libipw" where
appropriate") changed DRV_NAME to be "libipw", but didn't properly fix
up the places where it was used to specify the name for the /proc/net/
directory.

For backwards compatibility reasons, that directory name remained
"ieee80211", but due to the DRV_NAME change, the error case printouts
and the cleanup functions now used "libipw" instead.  Which made it all
fail badly.

For example, on module unload as reported by Randy:

  WARNING: at fs/proc/generic.c:816 remove_proc_entry+0x156/0x35e()
  name 'libipw'

because it's trying to unregister a /proc directory that obviously
doesn't even exist.

Clean it all up to use DRV_PROCNAME for the actual /proc directory name.

Reported-and-tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Cc: Pavel Roskin <proski@gnu.org>
Cc: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoMerge branch 'kvm-updates/2.6.37' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Linus Torvalds [Sat, 6 Nov 2010 00:49:22 +0000 (17:49 -0700)]
Merge branch 'kvm-updates/2.6.37' of git://git./virt/kvm/kvm

* 'kvm-updates/2.6.37' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: PPC: BookE: Load the lower half of MSR
  KVM: PPC: BookE: fix sleep with interrupts disabled
  KVM: PPC: e500: Call kvm_vcpu_uninit() before kvmppc_e500_tlb_uninit().
  PPC: KVM: Book E doesn't have __end_interrupts.
  KVM: x86: Issue smp_call_function_many with preemption disabled
  KVM: x86: fix information leak to userland
  KVM: PPC: fix information leak to userland
  KVM: MMU: fix rmap_remove on non present sptes
  KVM: Write protect memory after slot swap

14 years agofloppy: fix use-after-free in module load failure path
Linus Torvalds [Sat, 6 Nov 2010 00:45:59 +0000 (17:45 -0700)]
floppy: fix use-after-free in module load failure path

Commit 488211844e0c ("floppy: switch to one queue per drive instead of
sharing a queue") introduced a use-after-free.  We do "put_disk()" on
the disk device _before_ we then clean up the queue associated with that
disk.

Move the put_disk() down to avoid dereferencing a free'd data structure.

Cc: Jens Axboe <jaxboe@fusionio.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Reported-and-tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agowatchdog: Fix section mismatch and potential undefined behavior.
David Daney [Fri, 5 Nov 2010 23:17:39 +0000 (16:17 -0700)]
watchdog: Fix section mismatch and potential undefined behavior.

Commit d9ca07a05ce1 ("watchdog: Avoid kernel crash when disabling
watchdog") introduces a section mismatch.

Now that we reference no_watchdog from non-__init code it can no longer
be __initdata.

Signed-off-by: David Daney <ddaney@caviumnetworks.com>
Cc: Stephane Eranian <eranian@google.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
Linus Torvalds [Fri, 5 Nov 2010 22:25:48 +0000 (15:25 -0700)]
Merge git://git./linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (41 commits)
  inet_diag: Make sure we actually run the same bytecode we audited.
  netlink: Make nlmsg_find_attr take a const nlmsghdr*.
  fib: fib_result_assign() should not change fib refcounts
  netfilter: ip6_tables: fix information leak to userspace
  cls_cgroup: Fix crash on module unload
  memory corruption in X.25 facilities parsing
  net dst: fix percpu_counter list corruption and poison overwritten
  rds: Remove kfreed tcp conn from list
  rds: Lost locking in loop connection freeing
  de2104x: fix panic on load
  atl1 : fix panic on load
  netxen: remove unused firmware exports
  caif: Remove noisy printout when disconnecting caif socket
  caif: SPI-driver bugfix - incorrect padding.
  caif: Bugfix for socket priority, bindtodev and dbg channel.
  smsc911x: Set Ethernet EEPROM size to supported device's size
  ipv4: netfilter: ip_tables: fix information leak to userland
  ipv4: netfilter: arp_tables: fix information leak to userland
  cxgb4vf: remove call to stop TX queues at load time.
  cxgb4: remove call to stop TX queues at load time.
  ...

14 years agoMerge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1...
Linus Torvalds [Fri, 5 Nov 2010 21:17:22 +0000 (14:17 -0700)]
Merge branch 'fixes' of git://git./linux/kernel/git/ieee1394/linux1394-2.6

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
  firewire: ohci: fix race when reading count in AR descriptor
  firewire: ohci: avoid reallocation of AR buffers
  firewire: ohci: fix race in AR split packet handling
  firewire: ohci: fix buffer overflow in AR split packet handling

14 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6
Linus Torvalds [Fri, 5 Nov 2010 21:17:01 +0000 (14:17 -0700)]
Merge git://git./linux/kernel/git/sfrench/cifs-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
  cifs: make cifs_set_oplock_level() take a cifsInodeInfo pointer
  cifs: dereferencing first then checking
  cifs: trivial comment fix: tlink_tree is now a rbtree
  [CIFS] Cleanup unused variable build warning
  cifs: convert tlink_tree to a rbtree
  cifs: store pointer to master tlink in superblock (try #2)
  cifs: trivial doc fix: note setlease implemented
  CIFS: Add cifs_set_oplock_level
  FS: cifs, remove unneeded NULL tests

14 years agoposix-cpu-timers: workaround to suppress the problems with mt exec
Oleg Nesterov [Fri, 5 Nov 2010 15:53:42 +0000 (16:53 +0100)]
posix-cpu-timers: workaround to suppress the problems with mt exec

posix-cpu-timers.c correctly assumes that the dying process does
posix_cpu_timers_exit_group() and removes all !CPUCLOCK_PERTHREAD
timers from signal->cpu_timers list.

But, it also assumes that timer->it.cpu.task is always the group
leader, and thus the dead ->task means the dead thread group.

This is obviously not true after de_thread() changes the leader.
After that almost every posix_cpu_timer_ method has problems.

It is not simple to fix this bug correctly. First of all, I think
that timer->it.cpu should use struct pid instead of task_struct.
Also, the locking should be reworked completely. In particular,
tasklist_lock should not be used at all. This all needs a lot of
nontrivial and hard-to-test changes.

Change __exit_signal() to do posix_cpu_timers_exit_group() when
the old leader dies during exec. This is not the fix, just the
temporary hack to hide the problem for 2.6.37 and stable. IOW,
this is obviously wrong but this is what we currently have anyway:
cpu timers do not work after mt exec.

In theory this change adds another race. The exiting leader can
detach the timers which were attached to the new leader. However,
the window between de_thread() and release_task() is small, we
can pretend that sys_timer_create() was called before de_thread().

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoMerge branch 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groec...
Linus Torvalds [Fri, 5 Nov 2010 21:15:17 +0000 (14:15 -0700)]
Merge branch 'hwmon-for-linus' of git://git./linux/kernel/git/groeck/staging

* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging:
  hwmon: (ltc4261) Fix error message format
  hwmon: (ltc4261) Add missing newline in debug message

14 years agocifs: make cifs_set_oplock_level() take a cifsInodeInfo pointer
Pavel Shilovsky [Wed, 3 Nov 2010 07:58:57 +0000 (10:58 +0300)]
cifs: make cifs_set_oplock_level() take a cifsInodeInfo pointer

All the callers already have a pointer to struct cifsInodeInfo. Use it.

Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de>
Signed-off-by: Pavel Shilovsky <piastryyy@gmail.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
14 years agohwmon: (ltc4261) Fix error message format
Jean Delvare [Fri, 5 Nov 2010 14:59:29 +0000 (10:59 -0400)]
hwmon: (ltc4261) Fix error message format

adapter->id is deprecated and not set by any adapter driver, so this
was certainly not what the author wanted to use. adapter->nr maybe,
but as dev_err() already includes this value, as well as the client's
address, there's no point repeating them. Better print a simple error
message in plain English words.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Guenter Roeck <guenter.roeck@ericsson.com>
Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
14 years agohwmon: (ltc4261) Add missing newline in debug message
Guenter Roeck [Tue, 26 Oct 2010 22:59:21 +0000 (15:59 -0700)]
hwmon: (ltc4261) Add missing newline in debug message

Reported-by: Joe Perches <joe@perches.com>
Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Acked-by: Jean Delvare <khali@linux-fr.org>
14 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile
Linus Torvalds [Fri, 5 Nov 2010 16:52:25 +0000 (09:52 -0700)]
Merge git://git./linux/kernel/git/cmetcalf/linux-tile

* git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile:
  arch/tile: mark "hardwall" device as non-seekable
  asm-generic/stat.h: support 64-bit file time_t for stat()
  arch/tile: don't allow user code to set the PL via ptrace or signal return
  arch/tile: correct double syscall restart for nested signals
  arch/tile: avoid __must_check warning on one strict_strtol check
  arch/tile: bomb raw_local_irq_ to arch_local_irq_
  arch/tile: complete migration to new kmap_atomic scheme

14 years agoleds-net5501: taints kernel, add license
Randy Dunlap [Thu, 4 Nov 2010 17:28:00 +0000 (10:28 -0700)]
leds-net5501: taints kernel, add license

Add MODULE_LICENSE() that matches file comments so that kernel
is not tainted.

leds_net5501: module license 'unspecified' taints kernel.

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoKVM: PPC: BookE: Load the lower half of MSR
Scott Wood [Thu, 30 Sep 2010 19:31:27 +0000 (14:31 -0500)]
KVM: PPC: BookE: Load the lower half of MSR

This was preventing the guest from setting any bits in the
hardware MSR which aren't forced on, such as MSR[SPE].

Signed-off-by: Scott Wood <scottwood@freescale.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
14 years agoKVM: PPC: BookE: fix sleep with interrupts disabled
Scott Wood [Thu, 30 Sep 2010 19:28:50 +0000 (14:28 -0500)]
KVM: PPC: BookE: fix sleep with interrupts disabled

It is not legal to call mutex_lock() with interrupts disabled.
This will assert with debug checks enabled.

If there's a real need to disable interrupts here, it could be done
after the mutex is acquired -- but I don't see why it's needed at all.

Signed-off-by: Scott Wood <scottwood@freescale.com>
Reviewed-by: Christian Ehrhardt <ehrhardt@linux.vnet.ibm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
14 years agoKVM: PPC: e500: Call kvm_vcpu_uninit() before kvmppc_e500_tlb_uninit().
Scott Wood [Tue, 5 Oct 2010 19:22:41 +0000 (14:22 -0500)]
KVM: PPC: e500: Call kvm_vcpu_uninit() before kvmppc_e500_tlb_uninit().

The VCPU uninit calls some TLB functions, and the TLB uninit function
frees the memory used by them.

Signed-off-by: Scott Wood <scottwood@freescale.com>
Acked-by: Liu Yu <yu.liu@freescale.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
14 years agoPPC: KVM: Book E doesn't have __end_interrupts.
Scott Wood [Mon, 18 Oct 2010 22:35:48 +0000 (17:35 -0500)]
PPC: KVM: Book E doesn't have __end_interrupts.

Fix an unresolved symbol with CONFIG_KVM_GUEST plus CONFIG_RELOCATABLE on
Book E.

Signed-off-by: Scott Wood <scottwood@freescale.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
14 years agoKVM: x86: Issue smp_call_function_many with preemption disabled
Jan Kiszka [Mon, 1 Nov 2010 13:01:13 +0000 (14:01 +0100)]
KVM: x86: Issue smp_call_function_many with preemption disabled

smp_call_function_many is specified to be called only with preemption
disabled. Fulfill this requirement.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
14 years agoKVM: x86: fix information leak to userland
Vasiliy Kulikov [Sat, 30 Oct 2010 18:54:47 +0000 (22:54 +0400)]
KVM: x86: fix information leak to userland

Structures kvm_vcpu_events, kvm_debugregs, kvm_pit_state2 and
kvm_clock_data are copied to userland with some padding and reserved
fields unitialized.  It leads to leaking of contents of kernel stack
memory.  We have to initialize them to zero.

In patch v1 Jan Kiszka suggested to fill reserved fields with zeros
instead of memset'ting the whole struct.  It makes sense as these
fields are explicitly marked as padding.  No more fields need zeroing.

KVM-Stable-Tag.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
14 years agoKVM: PPC: fix information leak to userland
Vasiliy Kulikov [Sat, 30 Oct 2010 09:04:24 +0000 (13:04 +0400)]
KVM: PPC: fix information leak to userland

Structure kvm_ppc_pvinfo is copied to userland with flags and
pad fields unitialized.  It leads to leaking of contents of
kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
14 years agoKVM: MMU: fix rmap_remove on non present sptes
Marcelo Tosatti [Mon, 25 Oct 2010 13:58:22 +0000 (11:58 -0200)]
KVM: MMU: fix rmap_remove on non present sptes

drop_spte should not attempt to rmap_remove a non present shadow pte.

This fixes a BUG_ON seen on kvm-autotest.

Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Reported-by: Lucas Meneghel Rodrigues <lmr@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
14 years agoKVM: Write protect memory after slot swap
Michael S. Tsirkin [Mon, 25 Oct 2010 01:21:24 +0000 (03:21 +0200)]
KVM: Write protect memory after slot swap

I have observed the following bug trigger:

1. userspace calls GET_DIRTY_LOG
2. kvm_mmu_slot_remove_write_access is called and makes a page ro
3. page fault happens and makes the page writeable
   fault is logged in the bitmap appropriately
4. kvm_vm_ioctl_get_dirty_log swaps slot pointers

a lot of time passes

5. guest writes into the page
6. userspace calls GET_DIRTY_LOG

At point (5), bitmap is clean and page is writeable,
thus, guest modification of memory is not logged
and GET_DIRTY_LOG returns an empty bitmap.

The rule is that all pages are either dirty in the current bitmap,
or write-protected, which is violated here.

It seems that just moving kvm_mmu_slot_remove_write_access down
to after the slot pointer swap should fix this bug.

KVM-Stable-Tag.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
14 years agoClean up relay_alloc_page_array() slightly by using vzalloc rather than vmalloc and...
Jesper Juhl [Thu, 4 Nov 2010 20:44:41 +0000 (21:44 +0100)]
Clean up relay_alloc_page_array() slightly by using vzalloc rather than vmalloc and memset

We can optimize kernel/relay.c::relay_alloc_page_array() slightly by
using vzalloc.  The patch makes these changes:

 - use vzalloc instead of vmalloc+memset.
 - remove redundant local variable 'array'.
 - declare local 'pa_size' as const.

Cuts down nicely on both source and object-code size.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Acked-by: Pekka Enberg <penberg@kernel.org>
Acked-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoTTY: create drivers/tty/vt and move the vt code there
Greg Kroah-Hartman [Thu, 4 Nov 2010 19:50:47 +0000 (12:50 -0700)]
TTY: create drivers/tty/vt and move the vt code there

The vt and other related code is moved into the drivers/tty/vt directory.

Acked-by: Arnd Bergmann <arnd@arndb.de>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoTTY: create drivers/tty and move the tty core files there
Greg Kroah-Hartman [Thu, 4 Nov 2010 18:10:29 +0000 (11:10 -0700)]
TTY: create drivers/tty and move the tty core files there

The tty code should be in its own subdirectory and not in the char
driver with all of the cruft that is currently there.

Based on work done by Arnd Bergmann <arnd@arndb.de>

Acked-by: Arnd Bergmann <arnd@arndb.de>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoMerge branch 'for-linus-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg...
Linus Torvalds [Fri, 5 Nov 2010 14:54:40 +0000 (07:54 -0700)]
Merge branch 'for-linus-fixes' of git://git./linux/kernel/git/gerg/m68knommu

* 'for-linus-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
  m68k, m68knommu: Do not include linux/hardirq.h in asm/irqflags.h
  m68knommu: add back in declaration of do_IRQ

14 years agocifs: dereferencing first then checking
Jeff Layton [Tue, 2 Nov 2010 20:22:50 +0000 (16:22 -0400)]
cifs: dereferencing first then checking

This patch is based on Dan's original patch. His original description is
below:

Smatch complained about a couple checking for NULL after dereferencing
bugs.  I'm not super familiar with the code so I did the conservative
thing and move the dereferences after the checks.

The dereferences in cifs_lock() and cifs_fsync() were added in
ba00ba64cf0 "cifs: make various routines use the cifsFileInfo->tcon
pointer".  The dereference in find_writable_file() was added in
6508d904e6f "cifs: have find_readable/writable_file filter by fsuid".
The comments there say it's possible to trigger the NULL dereference
under stress.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
14 years agocifs: trivial comment fix: tlink_tree is now a rbtree
Suresh Jayaraman [Wed, 3 Nov 2010 05:23:49 +0000 (10:53 +0530)]
cifs: trivial comment fix: tlink_tree is now a rbtree

Noticed while reviewing (late) the rbtree conversion patchset (which has been merged
already).

Cc: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de>
Signed-off-by: Steve French <sfrench@us.ibm.com>
14 years agoinet_diag: Make sure we actually run the same bytecode we audited.
Nelson Elhage [Wed, 3 Nov 2010 16:35:41 +0000 (16:35 +0000)]
inet_diag: Make sure we actually run the same bytecode we audited.

We were using nlmsg_find_attr() to look up the bytecode by attribute when
auditing, but then just using the first attribute when actually running
bytecode. So, if we received a message with two attribute elements, where only
the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
bytecode strings.

Fix this by consistently using nlmsg_find_attr everywhere.

Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: Thomas Graf <tgraf@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonetlink: Make nlmsg_find_attr take a const nlmsghdr*.
Nelson Elhage [Wed, 3 Nov 2010 16:35:40 +0000 (16:35 +0000)]
netlink: Make nlmsg_find_attr take a const nlmsghdr*.

This will let us use it on a nlmsghdr stored inside a netlink_callback.

Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agofib: fib_result_assign() should not change fib refcounts
Eric Dumazet [Thu, 4 Nov 2010 01:21:39 +0000 (01:21 +0000)]
fib: fib_result_assign() should not change fib refcounts

After commit ebc0ffae5 (RCU conversion of fib_lookup()),
fib_result_assign()  should not change fib refcounts anymore.

Thanks to Michael who did the bisection and bug report.

Reported-by: Michael Ellerman <michael@ellerman.id.au>
Tested-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agosh: Simplify phys_addr_mask()/PTE_PHYS_MASK for 29/32-bit.
Paul Mundt [Thu, 4 Nov 2010 03:51:08 +0000 (12:51 +0900)]
sh: Simplify phys_addr_mask()/PTE_PHYS_MASK for 29/32-bit.

Given that __in_29bit_mode() is a constant for the non-PMB case, we can
simply use the PMB-facing version of phys_addr_mask() and drop the other
variants.

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
14 years agosh: nommu: Support building without an uncached mapping.
Paul Mundt [Thu, 4 Nov 2010 03:46:19 +0000 (12:46 +0900)]
sh: nommu: Support building without an uncached mapping.

Now that nommu selects 32BIT we run in to the situation where SH-2A
supports an uncached identity mapping by way of the BSC, while the SH-2
does not. This provides stubs for the PC manglers and tidies up some of
the system*.h mess in the process.

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
14 years agosh: nommu: use 32-bit phys mode.
Paul Mundt [Thu, 4 Nov 2010 03:32:24 +0000 (12:32 +0900)]
sh: nommu: use 32-bit phys mode.

The nommu code has regressed somewhat in that 29BIT gets set for the
SH-2/2A configs regardless of the fact that they are really 32BIT sans
MMU or PMB. This does a bit of tidying to get nommu properly selecting
32BIT as it was before.

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
14 years agosh: mach-se: Fix up SE7206 no ioport build.
Paul Mundt [Thu, 4 Nov 2010 03:29:00 +0000 (12:29 +0900)]
sh: mach-se: Fix up SE7206 no ioport build.

There was a leftover inw() used here that really just wants to be a
__raw_readw() instead. Convert it over.

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
14 years agommc: sh_mmcif: Convert extern inline to static inline.
Paul Mundt [Thu, 4 Nov 2010 03:21:25 +0000 (12:21 +0900)]
mmc: sh_mmcif: Convert extern inline to static inline.

Presently the extern inline case results in a compiler warning on ARM due
to the memory barrier definition used in the I/O routines. These
ultimately all want to be static inline anyways, so just convert them all
in place.

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
14 years agoARM: mach-shmobile: Allow GPIO chips to register IRQ mappings.
Paul Mundt [Thu, 4 Nov 2010 03:19:11 +0000 (12:19 +0900)]
ARM: mach-shmobile: Allow GPIO chips to register IRQ mappings.

As non-PFC chips are added that may support IRQs, pass through to the
generic helper. This follows the the SH change.

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
14 years agonetfilter: ip6_tables: fix information leak to userspace
Jan Engelhardt [Thu, 4 Nov 2010 01:55:39 +0000 (18:55 -0700)]
netfilter: ip6_tables: fix information leak to userspace

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
David S. Miller [Thu, 4 Nov 2010 01:52:32 +0000 (18:52 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/kaber/nf-2.6

14 years agocls_cgroup: Fix crash on module unload
Herbert Xu [Wed, 3 Nov 2010 13:31:05 +0000 (13:31 +0000)]
cls_cgroup: Fix crash on module unload

Somewhere along the lines net_cls_subsys_id became a macro when
cls_cgroup is built as a module.  Not only did it make cls_cgroup
completely useless, it also causes it to crash on module unload.

This patch fixes this by removing that macro.

Thanks to Eric Dumazet for diagnosing this problem.

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Li Zefan <lizf@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>