GitHub/mt8127/android_kernel_alcatel_ttab.git
14 years agolockup_detector: Remove nmi_watchdog.c file
Don Zickus [Fri, 7 May 2010 21:11:47 +0000 (17:11 -0400)]
lockup_detector: Remove nmi_watchdog.c file

This file migrated to kernel/watchdog.c and then combined with
kernel/softlockup.c.  As a result kernel/nmi_watchdog.c is no longer
needed.  Just remove it.

Signed-off-by: Don Zickus <dzickus@redhat.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: Randy Dunlap <randy.dunlap@oracle.com>
LKML-Reference: <1273266711-18706-5-git-send-email-dzickus@redhat.com>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
14 years agolockup_detector: Remove old softlockup code
Don Zickus [Fri, 7 May 2010 21:11:46 +0000 (17:11 -0400)]
lockup_detector: Remove old softlockup code

Now that is no longer compiled or used, just remove it.

Also move some of the code wrapped with DETECT_SOFTLOCKUP to the
LOCKUP_DETECTOR wrappers because that is the code that uses it now.

Signed-off-by: Don Zickus <dzickus@redhat.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: Randy Dunlap <randy.dunlap@oracle.com>
LKML-Reference: <1273266711-18706-4-git-send-email-dzickus@redhat.com>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
14 years agolockup_detector: Touch_softlockup cleanups and softlockup_tick removal
Don Zickus [Fri, 7 May 2010 21:11:45 +0000 (17:11 -0400)]
lockup_detector: Touch_softlockup cleanups and softlockup_tick removal

Just some code cleanup to make touch_softlockup clearer and remove the
softlockup_tick function as it is no longer needed.

Also remove the /proc softlockup_thres call as it has been changed to
watchdog_thres.

Signed-off-by: Don Zickus <dzickus@redhat.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: Randy Dunlap <randy.dunlap@oracle.com>
LKML-Reference: <1273266711-18706-3-git-send-email-dzickus@redhat.com>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
14 years agolockup_detector: Combine nmi_watchdog and softlockup detector
Don Zickus [Fri, 7 May 2010 21:11:44 +0000 (17:11 -0400)]
lockup_detector: Combine nmi_watchdog and softlockup detector

The new nmi_watchdog (which uses the perf event subsystem) is very
similar in structure to the softlockup detector.  Using Ingo's
suggestion, I combined the two functionalities into one file:
kernel/watchdog.c.

Now both the nmi_watchdog (or hardlockup detector) and softlockup
detector sit on top of the perf event subsystem, which is run every
60 seconds or so to see if there are any lockups.

To detect hardlockups, cpus not responding to interrupts, I
implemented an hrtimer that runs 5 times for every perf event
overflow event.  If that stops counting on a cpu, then the cpu is
most likely in trouble.

To detect softlockups, tasks not yielding to the scheduler, I used the
previous kthread idea that now gets kicked every time the hrtimer fires.
If the kthread isn't being scheduled neither is anyone else and the
warning is printed to the console.

I tested this on x86_64 and both the softlockup and hardlockup paths
work.

V2:
- cleaned up the Kconfig and softlockup combination
- surrounded hardlockup cases with #ifdef CONFIG_PERF_EVENTS_NMI
- seperated out the softlockup case from perf event subsystem
- re-arranged the enabling/disabling nmi watchdog from proc space
- added cpumasks for hardlockup failure cases
- removed fallback to soft events if no PMU exists for hard events

V3:
- comment cleanups
- drop support for older softlockup code
- per_cpu cleanups
- completely remove software clock base hardlockup detector
- use per_cpu masking on hard/soft lockup detection
- #ifdef cleanups
- rename config option NMI_WATCHDOG to LOCKUP_DETECTOR
- documentation additions

V4:
- documentation fixes
- convert per_cpu to __get_cpu_var
- powerpc compile fixes

V5:
- split apart warn flags for hard and soft lockups

TODO:
- figure out how to make an arch-agnostic clock2cycles call
  (if possible) to feed into perf events as a sample period

[fweisbec: merged conflict patch]

Signed-off-by: Don Zickus <dzickus@redhat.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: Randy Dunlap <randy.dunlap@oracle.com>
LKML-Reference: <1273266711-18706-2-git-send-email-dzickus@redhat.com>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
14 years agoMerge commit 'v2.6.34-rc7' into perf/nmi
Frederic Weisbecker [Wed, 12 May 2010 21:19:01 +0000 (23:19 +0200)]
Merge commit 'v2.6.34-rc7' into perf/nmi

Merge reason: catch up with latest softlockup detector changes.

14 years agoLinux 2.6.34-rc7
Linus Torvalds [Mon, 10 May 2010 01:36:28 +0000 (18:36 -0700)]
Linux 2.6.34-rc7

14 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6
Linus Torvalds [Mon, 10 May 2010 01:35:53 +0000 (18:35 -0700)]
Merge git://git./linux/kernel/git/jejb/scsi-rc-fixes-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6:
  [SCSI] Retry commands with UNIT_ATTENTION sense codes to fix ext3/ext4 I/O error
  [SCSI] Enable retries for SYNCRONIZE_CACHE commands to fix I/O error
  [SCSI] scsi_debug: virtual_gb ignores sector_size
  [SCSI] libiscsi: regression: fix header digest errors
  [SCSI] fix locking around blk_abort_request()
  [SCSI] advansys: fix narrow board error path

14 years agocpuidle: Fix incorrect optimization
Arjan van de Ven [Sat, 8 May 2010 22:47:37 +0000 (15:47 -0700)]
cpuidle: Fix incorrect optimization

commit 672917dcc78 ("cpuidle: menu governor: reduce latency on exit")
added an optimization, where the analysis on the past idle period moved
from the end of idle, to the beginning of the new idle.

Unfortunately, this optimization had a bug where it zeroed one key
variable for new use, that is needed for the analysis.  The fix is
simple, zero the variable after doing the work from the previous idle.

During the audit of the code that found this issue, another issue was
also found; the ->measured_us data structure member is never set, a
local variable is always used instead.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Corrado Zoccolo <czoccolo@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoMerge branch 'for-linus' of git://neil.brown.name/md
Linus Torvalds [Fri, 7 May 2010 21:11:40 +0000 (14:11 -0700)]
Merge branch 'for-linus' of git://neil.brown.name/md

* 'for-linus' of git://neil.brown.name/md:
  md: restore ability of spare drives to spin down.
  md/raid6: Fix raid-6 read-error correction in degraded state

14 years agoMerge branch 'urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/pcmcia-2.6
Linus Torvalds [Fri, 7 May 2010 21:11:09 +0000 (14:11 -0700)]
Merge branch 'urgent' of git://git./linux/kernel/git/brodo/pcmcia-2.6

* 'urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/pcmcia-2.6:
  pcmcia: fix compilation after 16bit state locking changes
  pcmcia: order userspace suspend and resume requests
  pcmcia: avoid pccard_validate_cis failure in resume callpath

14 years agoMerge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block
Linus Torvalds [Fri, 7 May 2010 21:07:20 +0000 (14:07 -0700)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block

* 'for-linus' of git://git.kernel.dk/linux-2.6-block:
  blk-cgroup: Fix an RCU warning in blkiocg_create()
  blk-cgroup: Fix RCU correctness warning in cfq_init_queue()
  drbd: don't expose failed local READ to upper layers

14 years agoMerge branch 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied...
Linus Torvalds [Fri, 7 May 2010 21:02:01 +0000 (14:02 -0700)]
Merge branch 'drm-linus' of git://git./linux/kernel/git/airlied/drm-2.6

* 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/ttm: Remove the ttm_bo_block_reservation() function.
  drm/ttm: Remove some leftover debug messages.
  drm/radeon: async event synchronization for drmWaitVblank

14 years agovirtio: initialize earlier
Stijn Tintel [Fri, 7 May 2010 04:58:34 +0000 (14:28 +0930)]
virtio: initialize earlier

Move initialization of the virtio framework before the initialization of
mtd, so that block2mtd can be used on virtio-based block devices.

Addresses https://bugzilla.kernel.org/show_bug.cgi?id=15644

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoMerge branch 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6
Linus Torvalds [Fri, 7 May 2010 20:59:48 +0000 (13:59 -0700)]
Merge branch 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6

* 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6:
  NFS: Fix RCU issues in the NFSv4 delegation code
  NFSv4: Fix the locking in nfs_inode_reclaim_delegation()

14 years agoMerge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux...
Linus Torvalds [Fri, 7 May 2010 20:59:22 +0000 (13:59 -0700)]
Merge branch 'release' of git://git./linux/kernel/git/lenb/linux-acpi-2.6

* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6:
  ACPI: sleep: init_set_sci_en_on_resume for Dell Studio 155x
  ACPI: fix acpi_hest_firmware_first_pci() caused oops
  sbshc: acpi_device_class "smbus_host_controller" too long
  power_meter: acpi_device_class "power_meter_resource" too long
  acpi_pad: "processor_aggregator" name too long
  PNP: don't check for conflicts with bridge windows
  ACPI: DMI init_set_sci_en_on_resume for multiple Lenovo ThinkPads
  PNPACPI: compute Address Space length rather than using _LEN
  ACPI: silence kmemcheck false positive

14 years agoMerge branch 'v4l_for_2.6.34' of git://git.kernel.org/pub/scm/linux/kernel/git/mcheha...
Linus Torvalds [Fri, 7 May 2010 20:58:56 +0000 (13:58 -0700)]
Merge branch 'v4l_for_2.6.34' of git://git./linux/kernel/git/mchehab/linux-2.6

* 'v4l_for_2.6.34' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6:
  V4L/DVB: pxa_camera: move fifo reset direct before dma start
  V4L/DVB: video: testing unsigned for less than 0
  V4L/DVB: mx1-camera: compile fix
  V4L/DVB: budget: Oops: "BUG: unable to handle kernel NULL pointer  dereference"
  V4L/DVB: ngene: Workaround for stuck DiSEqC pin
  V4L/DVB: saa7146: fix regression of the av7110/budget-av driver
  V4L/DVB: v4l: fix config dependencies: mxb and saa7191 are V4L2 drivers, not V4L1
  V4L/DVB: feature-removal: announce videotext.h removal
  V4L/DVB: V4L - vpfe capture - fix for kernel crash
  V4L/DVB: gspca: make usb id 0461:0815 get handled by the right driver
  V4L/DVB: gspca - stv06xx: Remove the 046d:08da from the stv06xx driver
  V4L/DVB: gspca - sn9c20x: Correct onstack wait_queue_head declaration
  V4L/DVB: saa7146: fix up bytesperline if it is an impossible value
  V4L/DVB: V4L: vpfe_capture - free ccdc_lock when memory allocation fails
  V4L/DVB: V4L - Makfile:Removed duplicate entry of davinci
  V4L/DVB: omap24xxcam: potential buffer overflow

14 years agoMerge branch 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Fri, 7 May 2010 20:58:21 +0000 (13:58 -0700)]
Merge branch 'core-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  rcu: create rcu_my_thread_group_empty() wrapper
  memcg: css_id() must be called under rcu_read_lock()
  cgroup: Check task_lock in task_subsys_state()
  sched: Fix an RCU warning in print_task()
  cgroup: Fix an RCU warning in alloc_css_id()
  cgroup: Fix an RCU warning in cgroup_path()
  KEYS: Fix an RCU warning in the reading of user keys
  KEYS: Fix an RCU warning

14 years agomd: restore ability of spare drives to spin down.
NeilBrown [Fri, 7 May 2010 09:44:26 +0000 (19:44 +1000)]
md: restore ability of spare drives to spin down.

Some time ago we stopped the clean/active metadata updates
from being written to a 'spare' device in most cases so that
it could spin down and say spun down.  Device failure/removal
etc are still recorded on spares.

However commit 51d5668cb2e3fd1827a55 broke this 50% of the time,
depending on whether the event count is even or odd.
The change log entry said:

   This means that the alignment between 'odd/even' and
    'clean/dirty' might take a little longer to attain,

how ever the code makes no attempt to create that alignment, so it
could take arbitrarily long.

So when we find that clean/dirty is not aligned with odd/even,
force a second metadata-update immediately.  There are already cases
where a second metadata-update is needed immediately (e.g. when a
device fails during the metadata update).  We just piggy-back on that.

Reported-by: Joe Bryant <tenminjoe@yahoo.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Cc: stable@kernel.org
14 years agomd/raid6: Fix raid-6 read-error correction in degraded state
Gabriele A. Trombetti [Wed, 28 Apr 2010 01:51:17 +0000 (11:51 +1000)]
md/raid6: Fix raid-6 read-error correction in degraded state

Fix: Raid-6 was not trying to correct a read-error when in
singly-degraded state and was instead dropping one more device, going to
doubly-degraded state. This patch fixes this behaviour.

Tested-by: Janos Haar <janos.haar@netcenter.hu>
Signed-off-by: Gabriele A. Trombetti <g.trombetti.lkrnl1213@logicschema.com>
Reported-by: Janos Haar <janos.haar@netcenter.hu>
Signed-off-by: NeilBrown <neilb@suse.de>
Cc: stable@kernel.org
14 years agoblk-cgroup: Fix an RCU warning in blkiocg_create()
Li Zefan [Fri, 7 May 2010 06:57:00 +0000 (08:57 +0200)]
blk-cgroup: Fix an RCU warning in blkiocg_create()

with CONFIG_PROVE_RCU=y, a warning can be triggered:

  # mount -t cgroup -o blkio xxx /mnt
  # mkdir /mnt/subgroup

...
kernel/cgroup.c:4442 invoked rcu_dereference_check() without protection!
...

To fix this, we avoid caling css_depth() here, which is a bit simpler
than the original code.

Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
14 years agoMerge branches 'bugzilla-14337', 'bugzilla-14998', 'bugzilla-15407', 'bugzilla-15903...
Len Brown [Fri, 7 May 2010 02:04:31 +0000 (22:04 -0400)]
Merge branches 'bugzilla-14337', 'bugzilla-14998', 'bugzilla-15407', 'bugzilla-15903' and 'misc-2.6.34' into release

14 years agodrm/ttm: Remove the ttm_bo_block_reservation() function.
Thomas Hellstrom [Wed, 28 Apr 2010 09:33:25 +0000 (11:33 +0200)]
drm/ttm: Remove the ttm_bo_block_reservation() function.

It's unused and buggy in its current form, since it can place a bo
in the reserved state without removing it from lru lists.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
14 years agodrm/ttm: Remove some leftover debug messages.
Thomas Hellstrom [Wed, 28 Apr 2010 09:33:24 +0000 (11:33 +0200)]
drm/ttm: Remove some leftover debug messages.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
14 years agodrm/radeon: async event synchronization for drmWaitVblank
Jerome Glisse [Thu, 6 May 2010 16:52:14 +0000 (18:52 +0200)]
drm/radeon: async event synchronization for drmWaitVblank

Bring radeon up to speed with the async event synchronization for
drmWaitVblank. See c9a9c5e02aedc1a2815877b0268f886d2640b771 for
more information. Without this patch event never get delivered
to userspace client.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
14 years agoV4L/DVB: pxa_camera: move fifo reset direct before dma start
Stefan Herbrechtsmeier [Tue, 20 Apr 2010 06:51:29 +0000 (03:51 -0300)]
V4L/DVB: pxa_camera: move fifo reset direct before dma start

Move the fifo reset from pxa_camera_start_capture to pxa_camera_irq direct
before the dma start after an end of frame interrupt to prevent images from
shifting because of old data at the begin of the frame.

Signed-off-by: Stefan Herbrechtsmeier <hbmeier@hni.uni-paderborn.de>
Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
Tested-by: Antonio Ospite <ospite@studenti.unina.it>
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoV4L/DVB: video: testing unsigned for less than 0
Dan Carpenter [Wed, 7 Apr 2010 09:41:14 +0000 (06:41 -0300)]
V4L/DVB: video: testing unsigned for less than 0

soc_mbus_bytes_per_line() returns -EINVAL on error but we store it in an
unsigned int so the test for less than zero doesn't work.  I think it
always returns "small" positive values so we can just cast it to int
here.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoV4L/DVB: mx1-camera: compile fix
Uwe Kleine-König [Sat, 27 Mar 2010 21:42:13 +0000 (18:42 -0300)]
V4L/DVB: mx1-camera: compile fix

This fixes a regression of

7d58289 (mx1: prefix SOC specific defines with MX1_ and deprecate old names)

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoV4L/DVB: budget: Oops: "BUG: unable to handle kernel NULL pointer dereference"
Bjørn Mork [Wed, 24 Mar 2010 10:57:57 +0000 (07:57 -0300)]
V4L/DVB: budget: Oops: "BUG: unable to handle kernel NULL pointer  dereference"

Never call dvb_frontend_detach if we failed to attach a frontend. This fixes
the following oops, which will be triggered by a missing stv090x module:

[    8.172997] DVB: registering new adapter (TT-Budget S2-1600 PCI)
[    8.209018] adapter has MAC addr = 00:d0:5c:cc:a7:29
[    8.328665] Intel ICH 0000:00:1f.5: PCI INT B -> GSI 17 (level, low) -> IRQ 17
[    8.328753] Intel ICH 0000:00:1f.5: setting latency timer to 64
[    8.562047] DVB: Unable to find symbol stv090x_attach()
[    8.562117] BUG: unable to handle kernel NULL pointer dereference at 000000ac
[    8.562239] IP: [<e08b04a3>] dvb_frontend_detach+0x4/0x67 [dvb_core]

Ref http://bugs.debian.org/575207

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Cc: stable@kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoV4L/DVB: ngene: Workaround for stuck DiSEqC pin
Oliver Endriss [Sun, 21 Mar 2010 14:48:47 +0000 (11:48 -0300)]
V4L/DVB: ngene: Workaround for stuck DiSEqC pin

Send one DiSEqC byte to make sure that the pin is set to low level.

Signed-off-by: Oliver Endriss <o.endriss@gmx.de>
Reviewed-by: Manu Abraham <abraham.manu@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoV4L/DVB: saa7146: fix regression of the av7110/budget-av driver
Hans Verkuil [Wed, 24 Mar 2010 22:09:55 +0000 (19:09 -0300)]
V4L/DVB: saa7146: fix regression of the av7110/budget-av driver

An earlier regression fix for the mxb driver (V4L/DVB: saa7146_vv: fix
regression where v4l2_device was registered too late) caused a new
regression in the av7110 driver.

Reverted the old fix and fixed the problem in the mxb driver instead.
Tested on mxb and budget-av cards.

The real problem is that the saa7146 framework has separate probe()
and attach() driver callbacks which should be rolled into one. This
is now done for the mxb driver, but others should do the same. Lack
of hardware makes this hard to do, though. I hope to get hold of some
hexium cards and then I can try to improve the framework to prevent
this from happening again.

Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoV4L/DVB: v4l: fix config dependencies: mxb and saa7191 are V4L2 drivers, not V4L1
Hans Verkuil [Mon, 22 Mar 2010 06:14:22 +0000 (03:14 -0300)]
V4L/DVB: v4l: fix config dependencies: mxb and saa7191 are V4L2 drivers, not V4L1

v4l: fix config dependencies: mxb and saa7191 are V4L2 drivers, not V4L1

Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoV4L/DVB: feature-removal: announce videotext.h removal
Hans Verkuil [Mon, 22 Mar 2010 08:43:08 +0000 (05:43 -0300)]
V4L/DVB: feature-removal: announce videotext.h removal

Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoV4L/DVB: V4L - vpfe capture - fix for kernel crash
Muralidharan Karicheri [Thu, 18 Mar 2010 14:44:12 +0000 (11:44 -0300)]
V4L/DVB: V4L - vpfe capture - fix for kernel crash

As part of upstream merge, set_params() function was removed from isif.c.
This requires removal of BUG_ON() and check for set_params ptr in
vpfe_capture.c. Without this kernel crash dump is seen while bootup on DM365

Also made following changes:-

 1) converted error messages to debug messages since it is not right to flood
    the console with error messages for user mistakes.
 2) returns -EINVAL if ioctl is not supported

Signed-off-by: Muralidharan Karicheri <m-karicheri2@ti.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoV4L/DVB: gspca: make usb id 0461:0815 get handled by the right driver
John Ellson [Wed, 17 Mar 2010 13:22:58 +0000 (10:22 -0300)]
V4L/DVB: gspca: make usb id 0461:0815 get handled by the right driver

The 0461:0815 camera is spca561 based not spca508

Signed-off-by: John Ellson <john.ellson@comcast.net>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoV4L/DVB: gspca - stv06xx: Remove the 046d:08da from the stv06xx driver
Erik Andrén [Mon, 8 Mar 2010 20:16:00 +0000 (17:16 -0300)]
V4L/DVB: gspca - stv06xx: Remove the 046d:08da from the stv06xx driver

The 046d:08da usb id shouldn't be associated with the stv06xx driver as they're
not compatible with each other.
This fixes a bug where Quickcam Messenger cams fail to use its proper driver
(gspca-zc3xx), rendering the camera inoperable.

Signed-off-by: Erik Andrén <erik.andren@gmail.com>
Tested-by: Gabriel Craciunescu <nix.or.die@googlemail.com>
Signed-off-by: Jean-François Moine <moinejf@free.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoV4L/DVB: gspca - sn9c20x: Correct onstack wait_queue_head declaration
Yong Zhang [Fri, 5 Feb 2010 13:52:39 +0000 (10:52 -0300)]
V4L/DVB: gspca - sn9c20x: Correct onstack wait_queue_head declaration

Use DECLARE_WAIT_QUEUE_HEAD_ONSTACK to make lockdep happy

Signed-off-by: Yong Zhang <yong.zhang0@gmail.com>
Signed-off-by: Jean-François Moine <moinejf@free.fr>
CC: Brian Johnson <brijohn@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoV4L/DVB: saa7146: fix up bytesperline if it is an impossible value
Michael Hunold [Sat, 13 Mar 2010 14:45:46 +0000 (11:45 -0300)]
V4L/DVB: saa7146: fix up bytesperline if it is an impossible value

xawtv using DGA on a Radeon graphics card provides bogus
values to S_FBUF, which will then screw up overlay video:

https://bugs.launchpad.net/ubuntu/+source/xawtv/+bug/499734

This fixes the bytesperline value if it is off completely.

Signed-off-by: Michael Hunold <michael@mihu.de>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoV4L/DVB: V4L: vpfe_capture - free ccdc_lock when memory allocation fails
Murali Karicheri [Mon, 1 Mar 2010 22:54:02 +0000 (19:54 -0300)]
V4L/DVB: V4L: vpfe_capture - free ccdc_lock when memory allocation fails

This patch fixes a bug in vpfe_probe() that doesn't call mutex_unlock() if memory
allocation for ccdc_cfg fails. See also the smatch warning report from Dan
Carpenter that shows this as an issue.

Signed-off-by: Murali Karicheri <m-karicheri2@ti.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoV4L/DVB: V4L - Makfile:Removed duplicate entry of davinci
Vaibhav Hiremath [Sat, 13 Mar 2010 13:58:39 +0000 (10:58 -0300)]
V4L/DVB: V4L - Makfile:Removed duplicate entry of davinci

Signed-off-by: Vaibhav Hiremath <hvaibhav@ti.com>
Signed-off-by: Muralidharan Karicheri <mkaricheri@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoV4L/DVB: omap24xxcam: potential buffer overflow
Dan Carpenter [Wed, 10 Mar 2010 10:57:03 +0000 (07:57 -0300)]
V4L/DVB: omap24xxcam: potential buffer overflow

The previous loop goes until last == VIDEO_MAX_FRAME, so this could
potentially go one past the end of the loop.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Sakari Ailus <sakari.ailus@maxwell.research.nokia.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
14 years agoACPI: sleep: init_set_sci_en_on_resume for Dell Studio 155x
Kamal Mostafa [Tue, 27 Apr 2010 21:02:40 +0000 (14:02 -0700)]
ACPI: sleep: init_set_sci_en_on_resume for Dell Studio 155x

Add Dell Studio models (1558, 1557, 1555) to the 'set_sci_en_on_resume'
list to fix hang on resume.

BugLink: http://bugs.launchpad.net/bugs/553498
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Acked-by: Alex Chiang <achiang@canonical.com>
Cc: stable@kernel.org
Signed-off-by: Len Brown <len.brown@intel.com>
14 years agorcu: create rcu_my_thread_group_empty() wrapper
Paul E. McKenney [Thu, 6 May 2010 16:28:41 +0000 (09:28 -0700)]
rcu: create rcu_my_thread_group_empty() wrapper

Some RCU-lockdep splat repairs need to know whether they are running
in a single-threaded process.  Unfortunately, the thread_group_empty()
primitive is defined in sched.h, and can induce #include hell.  This
commit therefore introduces a rcu_my_thread_group_empty() wrapper that
is defined in rcupdate.c, thus avoiding the need to include sched.h
everywhere.

Signed-off-by: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
14 years agoMerge branch 'for-linus' of git://git.monstr.eu/linux-2.6-microblaze
Linus Torvalds [Thu, 6 May 2010 15:38:20 +0000 (08:38 -0700)]
Merge branch 'for-linus' of git://git.monstr.eu/linux-2.6-microblaze

* 'for-linus' of git://git.monstr.eu/linux-2.6-microblaze:
  microblaze: Defconfig update
  microblaze: Optimize CACHE_LOOP_LIMITS and CACHE_RANGE_LOOP macros
  microblaze: Fix consistent-sync code
  microblaze: Define correct L1_CACHE_SHIFT value
  microblaze: cpuinfo shows cache line length
  microblaze: Fix kmalloc alignment on non-coherent DMA platforms
  microblaze: Fix typo fault in cache code
  microblaze: Fix consistent code
  microblaze: pci-dma: use include/linux/dma-mapping.h
  microblaze: page.h: Remove get_user_page and free_user_page
  microblaze: Remove "cache" optimized copy_page function
  microblaze: invoke oom-killer from page fault
  microblaze: fix divide by zero exception message
  microblaze: Add isa_dma_bridge_buggy to dma.h
  microblaze: Remove ancient code
  microblaze: Quiet section mismatch warnings for MMU version
  microblaze: Quiet section mismatch warnings
  microblaze: Fix IRQ entry/exit ftracing
  microblaze: resource/PCI: align functions now return start of resource
  microblaze: PCI: add pci_bus_for_each_resource(), remove direct bus->resource[] refs

14 years agoMerge master.kernel.org:/home/rmk/linux-2.6-arm
Linus Torvalds [Thu, 6 May 2010 15:38:03 +0000 (08:38 -0700)]
Merge master.kernel.org:/home/rmk/linux-2.6-arm

* master.kernel.org:/home/rmk/linux-2.6-arm:
  [ARM] pxa/colibri: fix missing #include <mach/mfp.h> in colibri.h
  [ARM] pxa/spitz: fix On/off key name to fix warning during boot
  [ARM] pxa: fix the incorrect cpu_is_pxa950()
  [ARM] pxa: update cpuid pattern for pxa9xx in head.S
  [ARM] pxa/viper: fix timeout usage for I2C
  [ARM] pxa/raumfeld: fix button name
  [ARM] pxa/imote2: Fix iMote2 defconfig
  [ARM] pxa: add missing new line to regs-u2d.h
  ARM: 6093/1: Fix kernel memory printing for sparsemem
  arch/arm/include/asm/elf.h: forward-declare the task-struct
  arch/arm/plat-pxa/dma.c: correct NULL test
  ARM: 6076/1: SA1100: add processor check to sa1110-cpufreq driver
  ARM: 6075/1: SA1100: fix wrong CPU type for h3100 and h3600
  ARM: Update mach-types
  ARM: 6066/1: Fix "BUG: scheduling while atomic: swapper/0/0x00000002
  ARM: 6068/1: Fix build break with KPROBES enabled
  mx5: Fix build error for mx51_defconfig

14 years agoMerge branch 'sh/for-2.6.34' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal...
Linus Torvalds [Thu, 6 May 2010 15:37:39 +0000 (08:37 -0700)]
Merge branch 'sh/for-2.6.34' of git://git./linux/kernel/git/lethal/sh-2.6

* 'sh/for-2.6.34' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  sh: fix a number of Oopses and leaks in SH framebuffer driver
  SH: fix error paths in DMA driver
  sh: sh7751 pci controller io port fix
  sh: Fix maximum number of SCIF ports in R2D defconfigs
  SH: fix TS field shift calculation for DMA drivers

14 years agomicroblaze: Defconfig update
Michal Simek [Thu, 6 May 2010 09:37:42 +0000 (11:37 +0200)]
microblaze: Defconfig update

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: Optimize CACHE_LOOP_LIMITS and CACHE_RANGE_LOOP macros
Michal Simek [Mon, 26 Apr 2010 06:54:13 +0000 (08:54 +0200)]
microblaze: Optimize CACHE_LOOP_LIMITS and CACHE_RANGE_LOOP macros

1. Remove CACHE_ALL_LOOP2 macro because it is identical to CACHE_ALL_LOOP
2. Change BUG_ON to WARN_ON
3. Remove end aligned from CACHE_LOOP_LIMITS.
C implementation do not need aligned end address and ASM code do aligned
in their macros
4. ASM optimized  CACHE_RANGE_LOOP_1/2 macros needs to get aligned end address.
Because end address is compound from start + size, end address is the first address
which is exclude.

Here is the corresponding code which describe it.
+       int align = ~(line_length - 1);
+       end = ((end & align) == end) ? end - line_length : end & align;

a) end is aligned:
it is necessary to subtruct line length because we don't want to work with
next cacheline
b) end address is not aligned:
Just align it to be ready for ASM code.

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: Fix consistent-sync code
Michal Simek [Thu, 29 Apr 2010 11:02:17 +0000 (13:02 +0200)]
microblaze: Fix consistent-sync code

PCI_DMA_FROMDEVICE should call invalidation not flushing.

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: Define correct L1_CACHE_SHIFT value
Michal Simek [Mon, 26 Apr 2010 11:43:23 +0000 (13:43 +0200)]
microblaze: Define correct L1_CACHE_SHIFT value

Microblaze cacheline length is configurable and current cpu
uses two cacheline length 4 and 8.

We are taking conservative maximum value to be sure that cacheline
alignment is satisfied for all cases.

Here is the calculation for cacheline lenght 8  32bit=4Byte values
which is corresponding with SHIFT 5.

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: cpuinfo shows cache line length
Michal Simek [Mon, 26 Apr 2010 11:53:04 +0000 (13:53 +0200)]
microblaze: cpuinfo shows cache line length

Show cache line length in /proc/cpuinfo.

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: Fix kmalloc alignment on non-coherent DMA platforms
Michal Simek [Mon, 26 Apr 2010 11:49:01 +0000 (13:49 +0200)]
microblaze: Fix kmalloc alignment on non-coherent DMA platforms

Based on PowerPC patche 52142e756e9bf6485d3d53596e8aff2e816a7253

PowerPC description:
On platforms doing non-coherent DMA (4xx, 8xx, ...), it's important
that the kmalloc minimum alignment is set to the cache line size, to
avoid sharing cache lines between different objects, so that DMA to
one of the objects doesn't corrupt the other.

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: Fix typo fault in cache code
Michal Simek [Fri, 23 Apr 2010 09:38:43 +0000 (11:38 +0200)]
microblaze: Fix typo fault in cache code

Copy & paste error.

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: Fix consistent code
Michal Simek [Sat, 10 Apr 2010 15:34:06 +0000 (17:34 +0200)]
microblaze: Fix consistent code

This patch fix consistent code which had problems with consistent_free
function.
I am not sure if we need to call flush_tlb_all after it but it keeps
tlbs synced.
I added noMMU and MMU version together.

Uncached shadow feature is not tested.

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: pci-dma: use include/linux/dma-mapping.h
Michal Simek [Fri, 16 Apr 2010 07:13:27 +0000 (09:13 +0200)]
microblaze: pci-dma: use include/linux/dma-mapping.h

Based on af407c6db16aa9ca63559076dbe620220a822580
and f41b177157718abe9a93868bb76e47d4a6f3681d

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: page.h: Remove get_user_page and free_user_page
Michal Simek [Thu, 22 Apr 2010 06:07:46 +0000 (08:07 +0200)]
microblaze: page.h: Remove get_user_page and free_user_page

Remove ancient macros which are here from Linux-2.4

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: Remove "cache" optimized copy_page function
Michal Simek [Thu, 22 Apr 2010 05:28:48 +0000 (07:28 +0200)]
microblaze: Remove "cache" optimized copy_page function

Current implementation doesn't handle dcache_line_length
correctly that's why is better to use generic memcpy.

Cache optimized function could be good way howto improve
performance but must be based on benchmarking not blind
function like this.

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: invoke oom-killer from page fault
Nick Piggin [Thu, 22 Apr 2010 16:06:21 +0000 (02:06 +1000)]
microblaze: invoke oom-killer from page fault

As explained in commit 1c0fe6e3bd, we want to call the architecture independent
oom killer when getting an unexplained OOM from handle_mm_fault, rather than
simply killing current.

Cc: microblaze-uclinux@itee.uq.edu.au
Cc: Michal Simek <monstr@monstr.eu>
Cc: linux-arch@vger.kernel.org
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: David Rientjes <rientjes@google.com>
Acked-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: fix divide by zero exception message
Randy Dunlap [Wed, 21 Apr 2010 21:11:34 +0000 (14:11 -0700)]
microblaze: fix divide by zero exception message

Fix divide exception message to say "divide by zero".

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Cc: Michal Simek <monstr@monstr.eu>
Cc: microblaze-uclinux@itee.uq.edu.au
Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: Add isa_dma_bridge_buggy to dma.h
Michal Simek [Tue, 20 Apr 2010 17:02:13 +0000 (19:02 +0200)]
microblaze: Add isa_dma_bridge_buggy to dma.h

It is necessary for several drivers.

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: Remove ancient code
Michal Simek [Fri, 16 Apr 2010 07:41:07 +0000 (09:41 +0200)]
microblaze: Remove ancient code

I found several function which we don't use that's why I am removing them.

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: Quiet section mismatch warnings for MMU version
Michal Simek [Tue, 13 Apr 2010 06:59:37 +0000 (08:59 +0200)]
microblaze: Quiet section mismatch warnings for MMU version

Remove section mismatch - based on ppc aproach.

WARNING: vmlinux.o(.text+0x64834): Section mismatch in reference
from the function __pte_alloc_kernel() to the function .init.text:early_get_page()
The function __pte_alloc_kernel() references
the function __init early_get_page().
This is often because __pte_alloc_kernel lacks a __init
annotation or the annotation of early_get_page is wrong.

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: Quiet section mismatch warnings
Steven J. Magnani [Sat, 10 Apr 2010 03:03:37 +0000 (22:03 -0500)]
microblaze: Quiet section mismatch warnings

_start is located in .text, which causes mismatch warnings with
machine_early_init() and start_kernel() in .init.text.

Signed-off-by: Steven J. Magnani <steve@digidescorp.com>
Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: Fix IRQ entry/exit ftracing
Steven J. Magnani [Mon, 12 Apr 2010 21:01:36 +0000 (16:01 -0500)]
microblaze: Fix IRQ entry/exit ftracing

Function traces on Microblaze don't include IRQ entry and exit arrows,
i.e.

 0)               |                            memcpy_toiovec() {
 0)   ==========> |
 0)               |                              do_IRQ() {
 ...
 0)   <========== |
 0) ! 5414.000 us |                            }

...because do_IRQ() doesn't have the proper attributes.

Signed-off-by: Steven J. Magnani <steve@digidescorp.com>
Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: resource/PCI: align functions now return start of resource
Michal Simek [Fri, 16 Apr 2010 07:04:51 +0000 (09:04 +0200)]
microblaze: resource/PCI: align functions now return start of resource

This change should be part of b26b2d494b659f988b4d75eb394dfa0ddac415c9

Origin description:

resource/PCI: align functions now return start of resource

As suggested by Linus, align functions should return the start
of a resource, not void. An update of "res->start" is no longer
necessary.

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agomicroblaze: PCI: add pci_bus_for_each_resource(), remove direct bus->resource[] refs
Michal Simek [Fri, 16 Apr 2010 07:03:00 +0000 (09:03 +0200)]
microblaze: PCI: add pci_bus_for_each_resource(), remove direct bus->resource[] refs

This change should be part of 89a74ecccd1f78e51faf6287e5c0e93a92ac096e

Origin description:

PCI: add pci_bus_for_each_resource(), remove direct bus->resource[] refs

No functional change; this converts loops that iterate from 0 to
PCI_BUS_NUM_RESOURCES through pci_bus resource[] table to use the
pci_bus_for_each_resource() iterator instead.

This doesn't change the way resources are stored; it merely removes
dependencies on the fact that they're in a table.

Signed-off-by: Michal Simek <monstr@monstr.eu>
14 years agoMerge branch 'fix' of git://git.kernel.org/pub/scm/linux/kernel/git/ycmiao/pxa-linux-2.6
Russell King [Thu, 6 May 2010 07:16:34 +0000 (08:16 +0100)]
Merge branch 'fix' of git://git./linux/kernel/git/ycmiao/pxa-linux-2.6

14 years agoblk-cgroup: Fix RCU correctness warning in cfq_init_queue()
Vivek Goyal [Thu, 22 Apr 2010 15:54:52 +0000 (11:54 -0400)]
blk-cgroup: Fix RCU correctness warning in cfq_init_queue()

It is necessary to be in an RCU read-side critical section when invoking
css_id(), so this patch adds one to blkiocg_add_blkio_group().  This is
actually a false positive, because this is called at initialization time
and hence always refers to the root cgroup, which cannot go away.

[  103.790505] ===================================================
[  103.790509] [ INFO: suspicious rcu_dereference_check() usage. ]
[  103.790511] ---------------------------------------------------
[  103.790514] kernel/cgroup.c:4432 invoked rcu_dereference_check() without protection!
[  103.790517]
[  103.790517] other info that might help us debug this:
[  103.790519]
[  103.790521]
[  103.790521] rcu_scheduler_active = 1, debug_locks = 1
[  103.790524] 4 locks held by bash/4422:
[  103.790526]  #0:  (&buffer->mutex){+.+.+.}, at: [<ffffffff8114befa>] sysfs_write_file+0x3c/0x144
[  103.790537]  #1:  (s_active#102){.+.+.+}, at: [<ffffffff8114bfa5>] sysfs_write_file+0xe7/0x144
[  103.790544]  #2:  (&q->sysfs_lock){+.+.+.}, at: [<ffffffff812263b1>] queue_attr_store+0x49/0x8f
[  103.790552]  #3:  (&(&blkcg->lock)->rlock){......}, at: [<ffffffff8122e4db>] blkiocg_add_blkio_group+0x2b/0xad
[  103.790560]
[  103.790561] stack backtrace:
[  103.790564] Pid: 4422, comm: bash Not tainted 2.6.34-rc4-blkio-second-crash #81
[  103.790567] Call Trace:
[  103.790572]  [<ffffffff81068f57>] lockdep_rcu_dereference+0x9d/0xa5
[  103.790577]  [<ffffffff8107fac1>] css_id+0x44/0x57
[  103.790581]  [<ffffffff8122e503>] blkiocg_add_blkio_group+0x53/0xad
[  103.790586]  [<ffffffff81231936>] cfq_init_queue+0x139/0x32c
[  103.790591]  [<ffffffff8121f2d0>] elv_iosched_store+0xbf/0x1bf
[  103.790595]  [<ffffffff812263d8>] queue_attr_store+0x70/0x8f
[  103.790599]  [<ffffffff8114bfa5>] ? sysfs_write_file+0xe7/0x144
[  103.790603]  [<ffffffff8114bfc6>] sysfs_write_file+0x108/0x144
[  103.790609]  [<ffffffff810f527f>] vfs_write+0xae/0x10b
[  103.790612]  [<ffffffff81069863>] ? trace_hardirqs_on_caller+0x10c/0x130
[  103.790616]  [<ffffffff810f539c>] sys_write+0x4a/0x6e
[  103.790622]  [<ffffffff81002b5b>] system_call_fastpath+0x16/0x1b
[  103.790625]

Located-by: Miles Lane <miles.lane@gmail.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
14 years agoACPI: fix acpi_hest_firmware_first_pci() caused oops
Shaohua Li [Thu, 8 Apr 2010 03:16:15 +0000 (11:16 +0800)]
ACPI: fix acpi_hest_firmware_first_pci() caused oops

acpi_hest_firmware_first_pci() could be called when acpi is disabled
and cause system oops.

Signed-off-by: Shaohua Li <shaohua.li@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
14 years agosbshc: acpi_device_class "smbus_host_controller" too long
Dan Carpenter [Tue, 27 Apr 2010 21:06:05 +0000 (14:06 -0700)]
sbshc: acpi_device_class "smbus_host_controller" too long

acpi_device_class can only be 19 characters and a NULL terminator.

With the current name we get a buffer overflow in acpi_smbus_hc_add()
when we do:
strcpy(acpi_device_class(device), ACPI_SMB_HC_CLASS);

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Alexey Starikovskiy <astarikovskiy@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Len Brown <len.brown@intel.com>
14 years agopower_meter: acpi_device_class "power_meter_resource" too long
Dan Carpenter [Tue, 27 Apr 2010 21:01:07 +0000 (14:01 -0700)]
power_meter: acpi_device_class "power_meter_resource" too long

acpi_device_class can only be 19 characters and a NULL terminator.

The current code has a buffer overflow in acpi_power_meter_add():
       strcpy(acpi_device_class(device), ACPI_POWER_METER_CLASS);

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Len Brown <lenb@kernel.org>
Cc: "Darrick J. Wong" <djwong@us.ibm.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Len Brown <len.brown@intel.com>
14 years agoacpi_pad: "processor_aggregator" name too long
Dan Carpenter [Tue, 27 Apr 2010 21:06:05 +0000 (14:06 -0700)]
acpi_pad: "processor_aggregator" name too long

cpi_device_class can only be 19 characters and a NULL terminator.

With the current name we get a buffer overflow in acpi_pad_add()
strcpy(acpi_device_class(device), ACPI_PROCESSOR_AGGREGATOR_CLASS);

[akpm@linux-foundation.org: call it acpi_pad, per Shaohua Li]
Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: walter harms <wharms@bfs.de>
Acked-by: Shaohua Li <shaohua.li@intel.com>
Cc: Len Brown <lenb@kernel.org>
Acked-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Len Brown <len.brown@intel.com>
14 years agoPNP: don't check for conflicts with bridge windows
Bjorn Helgaas [Mon, 3 May 2010 16:47:21 +0000 (10:47 -0600)]
PNP: don't check for conflicts with bridge windows

With fa35b4926, I broke a lot of PNP resource assignment.  That commit made
PNPACPI include bridge windows as PNP resources, and PNP resource assignment
treats any enabled overlapping PNP resources as conflicts.  Since PCI host
bridge windows typically include most of the I/O port space, this makes PNP
port assigments fail.

The PCI host bridge driver will eventually use those PNP window resources,
so we should make PNP ignore them when checking for conflicts.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=15903

Reported-and-tested-by: Pavel Kysilka <goldenfish@linuxsoft.cz>
Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
Signed-off-by: Len Brown <len.brown@intel.com>
14 years agosh: fix a number of Oopses and leaks in SH framebuffer driver
Guennadi Liakhovetski [Fri, 30 Apr 2010 16:07:00 +0000 (16:07 +0000)]
sh: fix a number of Oopses and leaks in SH framebuffer driver

Fix a number of Oopses, memory leaks and unbalanced calls on error paths in
sh_mobile_lcdcfb.c.

Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
14 years ago[ARM] pxa/colibri: fix missing #include <mach/mfp.h> in colibri.h
Jakob Viketoft [Wed, 5 May 2010 10:25:27 +0000 (18:25 +0800)]
[ARM] pxa/colibri: fix missing #include <mach/mfp.h> in colibri.h

The use of mfp_cfg_t causes build errors without including <mach/mfp.h>.

CC: stable@kernel.org
CC: Daniel Mack <daniel@caiaq.de>
Signed-off-by: Jakob Viketoft <jakob.viketoft@bitsim.com>
Signed-off-by: Eric Miao <eric.y.miao@gmail.com>
14 years ago[ARM] pxa/spitz: fix On/off key name to fix warning during boot
Pavel Machek [Wed, 5 May 2010 07:03:12 +0000 (15:03 +0800)]
[ARM] pxa/spitz: fix On/off key name to fix warning during boot

On/Off contains slash in the name, which causes warning during boot.

Signed-off-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Eric Miao <eric.y.miao@gmail.com>
14 years ago[ARM] pxa: fix the incorrect cpu_is_pxa950()
Haojian Zhuang [Fri, 12 Mar 2010 13:51:54 +0000 (08:51 -0500)]
[ARM] pxa: fix the incorrect cpu_is_pxa950()

Fix the wrong variable used in cpu_is_pxa950().

Signed-off-by: Haojian Zhuang <haojian.zhuang@marvell.com>
Signed-off-by: Eric Miao <eric.y.miao@gmail.com>
14 years ago[ARM] pxa: update cpuid pattern for pxa9xx in head.S
Haojian Zhuang [Fri, 12 Mar 2010 10:47:55 +0000 (05:47 -0500)]
[ARM] pxa: update cpuid pattern for pxa9xx in head.S

Update CPUID pattern of PXA9xx in head.S and fix the duplicate
entries for pxa935.

Signed-off-by: Haojian Zhuang <haojian.zhuang@marvell.com>
Signed-off-by: Eric Miao <eric.y.miao@gmail.com>
14 years ago[ARM] pxa/viper: fix timeout usage for I2C
Wolfram Sang [Sun, 18 Apr 2010 11:48:29 +0000 (13:48 +0200)]
[ARM] pxa/viper: fix timeout usage for I2C

The timeout value is in jiffies, so it should be using HZ, not a plain
number. Assume with HZ=100 '100' means 1s here and adapt accordingly.

Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
Acked-by: Marc Zyngier <maz@misterjones.org>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Paul Shen <paul.shen@marvell.com>
Cc: Mike Rapoport <mike@compulab.co.il>
Cc: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Eric Miao <eric.y.miao@gmail.com>
14 years ago[ARM] pxa/raumfeld: fix button name
Daniel Mack [Sun, 18 Apr 2010 07:35:29 +0000 (09:35 +0200)]
[ARM] pxa/raumfeld: fix button name

"on/off button" was recently renamed to remove the slash character.
Follow that change in the pin polarity detection as well.

While at it, fix another cosmetic coding style flaw as well.

Signed-off-by: Daniel Mack <daniel@caiaq.de>
Signed-off-by: Eric Miao <eric.y.miao@gmail.com>
14 years ago[ARM] pxa/imote2: Fix iMote2 defconfig
Stefan Schmidt [Thu, 8 Apr 2010 14:03:25 +0000 (16:03 +0200)]
[ARM] pxa/imote2: Fix iMote2 defconfig

- Bring in a CMDLINE that actually works and prints to the right tty
- Compile-in JFFS2 to boot into rootfs
- Remove unneeded options for Bluetooth and radio
- Disable CPU_FREQ as it makes the flash driver fail

Thanks Jonathan for spotting what I messed up.

Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Acked-by: Jonathan Cameron <jic23@cam.ac.uk>
Signed-off-by: Eric Miao <eric.y.miao@gmail.com>
14 years ago[ARM] pxa: add missing new line to regs-u2d.h
Igor Grinberg [Wed, 7 Apr 2010 08:40:37 +0000 (11:40 +0300)]
[ARM] pxa: add missing new line to regs-u2d.h

Signed-off-by: Igor Grinberg <grinberg@compulab.co.il>
Signed-off-by: Eric Miao <eric.y.miao@gmail.com>
14 years agoMerge branch 'zerolen' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/misc-2.6
Linus Torvalds [Wed, 5 May 2010 22:48:13 +0000 (15:48 -0700)]
Merge branch 'zerolen' of git://git./linux/kernel/git/jgarzik/misc-2.6

* 'zerolen' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/misc-2.6:
  [MTD] Remove zero-length files mtdbdi.c and internal.ho

14 years agoMerge branch 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzi...
Linus Torvalds [Wed, 5 May 2010 22:47:57 +0000 (15:47 -0700)]
Merge branch 'upstream-linus' of git://git./linux/kernel/git/jgarzik/libata-dev

* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev:
  pata_pcmcia / ide-cs: Fix bad hashes for Transcend and kingston IDs
  libata: Fix several inaccuracies in developer's guide

14 years ago[MTD] Remove zero-length files mtdbdi.c and internal.ho
Jeff Garzik [Wed, 5 May 2010 19:25:12 +0000 (15:25 -0400)]
[MTD] Remove zero-length files mtdbdi.c and internal.ho

Both were "removed" in commit a33eb6b91034c95b9b08576f68be170f995b2c7d.

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
14 years agopata_pcmcia / ide-cs: Fix bad hashes for Transcend and kingston IDs
Kristoffer Ericson [Sun, 2 May 2010 19:48:24 +0000 (21:48 +0200)]
pata_pcmcia / ide-cs: Fix bad hashes for Transcend and kingston IDs

This patch fixes the bad hashes for one Kingston and one Transcend card.
Thanks to komuro for pointing this out.

Signed-off-by: Kristoffer Ericson <kristoffer.ericson@gmail.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
14 years agolibata: Fix several inaccuracies in developer's guide
Sergei Shtylyov [Wed, 5 May 2010 13:27:10 +0000 (17:27 +0400)]
libata: Fix several inaccuracies in developer's guide

Commit 6bfff31e77cfa1b13490337e5a4dbaa3407e83ac (libata: kill probe_ent
and related helpers) killed ata_device_add() but didn't remove references
to it from the libata developer's guide.

Commits 9363c3825ea9ad76561eb48a395349dd29211ed6 (libata: rename SFF
functions) and 5682ed33aae05d10a25c95633ef9d9c062825888 (libata: rename
SFF port ops) renamed the taskfile access methods but didn't update the
developer's guide.  Commit c9f75b04ed5ed65a058d18a8a8dda50632a96de8
(libata: kill ata_noop_dev_select()) didn't update the developer's
guide as well.

The guide also refers to the long gone ata_pio_data_xfer_noirq(),
ata_pio_data_xfer(), and ata_mmio_data_xfer() -- replace those by
the modern ata_sff_data_xfer_noirq(), ata_sff_data_xfer(), and
ata_sff_data_xfer32().

Also, remove the reference to non-existant ata_port_stop()...

Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
14 years agoMerge branch 'slab-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/penber...
Linus Torvalds [Wed, 5 May 2010 18:18:16 +0000 (11:18 -0700)]
Merge branch 'slab-for-linus' of git://git./linux/kernel/git/penberg/slab-2.6

* 'slab-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/penberg/slab-2.6:
  slub: Fix bad boundary check in init_kmem_cache_nodes()

14 years agoslub: Fix bad boundary check in init_kmem_cache_nodes()
Zhang, Yanmin [Thu, 1 Apr 2010 09:32:30 +0000 (17:32 +0800)]
slub: Fix bad boundary check in init_kmem_cache_nodes()

Function init_kmem_cache_nodes is incorrect when checking upper limitation of
kmalloc_caches. The breakage was introduced by commit
91efd773c74bb26b5409c85ad755d536448e229c ("dma kmalloc handling fixes").

Acked-by: Christoph Lameter <cl@linux-foundation.org>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
14 years agoACPI: DMI init_set_sci_en_on_resume for multiple Lenovo ThinkPads
Alex Chiang [Tue, 20 Apr 2010 14:03:14 +0000 (08:03 -0600)]
ACPI: DMI init_set_sci_en_on_resume for multiple Lenovo ThinkPads

Multiple Lenovo ThinkPad models with Intel Core i5/i7 CPUs can
successfully suspend/resume once, and then hang on the second s/r
cycle.

We got confirmation that this was due to a BIOS defect. The BIOS
did not properly set SCI_EN coming out of S3. The BIOS guys
hinted that The Other Leading OS ignores the fact that hardware
owns the bit and sets it manually.

In any case, an existing DMI table exists for machines where this
defect is a known problem. Lenovo promise to fix their BIOS, but
for folks who either won't or can't upgrade their BIOS, allow
Linux to workaround the issue.

https://bugzilla.kernel.org/show_bug.cgi?id=15407
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/532374

Confirmed by numerous testers in the launchpad bug that using
acpi_sleep=sci_force_enable fixes the issue. We add the machines
to acpisleep_dmi_table[] to automatically enable this workaround.

Cc: stable@kernel.org
Cc: Colin King <colin.king@canonical.com>
Signed-off-by: Alex Chiang <achiang@canonical.com>
Signed-off-by: Len Brown <len.brown@intel.com>
14 years ago[SCSI] Retry commands with UNIT_ATTENTION sense codes to fix ext3/ext4 I/O error
James Bottomley [Tue, 4 May 2010 20:51:40 +0000 (16:51 -0400)]
[SCSI] Retry commands with UNIT_ATTENTION sense codes to fix ext3/ext4 I/O error

There's nastyness in the way we currently handle barriers (and
discards): They're effectively filesystem commands, but they get
processed as BLOCK_PC commands.  Unfortunately BLOCK_PC commands are
taken by SCSI to be SG_IO commands and the issuer expects to see and
handle any returned errors, however trivial.  This leads to a huge
problem, because the block layer doesn't expect this to happen and any
trivially retryable error on a barrier causes an immediate I/O error
to the filesystem.

The only real way to hack around this is to take the usual class of
offending errors (unit attentions) and make them all retryable in the
case of a REQ_HARDBARRIER.  A correct fix would involve a rework of
the entire block and SCSI submit system, and so is out of scope for a
quick fix.

Cc: Hannes Reinecke <hare@suse.de>
Cc: Stable Tree <stable@kernel.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
14 years ago[SCSI] Enable retries for SYNCRONIZE_CACHE commands to fix I/O error
Hannes Reinecke [Tue, 4 May 2010 14:49:21 +0000 (16:49 +0200)]
[SCSI] Enable retries for SYNCRONIZE_CACHE commands to fix I/O error

Some arrays are giving I/O errors with ext3 filesystems when
SYNCHRONIZE_CACHE gets a UNIT_ATTENTION.  What is happening is that
these commands have no retries, so the UNIT_ATTENTION causes the
barrier to fail.  We should be enable retries here to clear any
transient error and allow the barrier to succeed.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Cc: Stable Tree <stable@kernel.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
14 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris...
Linus Torvalds [Wed, 5 May 2010 16:06:24 +0000 (09:06 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
  KEYS: call_sbin_request_key() must write lock keyrings before modifying them
  KEYS: Use RCU dereference wrappers in keyring key type code
  KEYS: find_keyring_by_name() can gain access to a freed keyring

14 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq
Linus Torvalds [Wed, 5 May 2010 14:56:36 +0000 (07:56 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/tj/wq

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
  workqueue: flush_delayed_work: keep the original workqueue for re-queueing

14 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
Linus Torvalds [Wed, 5 May 2010 14:55:07 +0000 (07:55 -0700)]
Merge git://git./linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
  FEC: Fix kernel panic in fec_set_mac_address.
  ipv6: Fix default multicast hops setting.
  net: ep93xx_eth stops receiving packets
  drivers/net/phy: micrel phy driver
  dm9601: fix phy/eeprom write routine
  ppp_generic: handle non-linear skbs when passing them to pppd
  ppp_generic: pull 2 bytes so that PPP_PROTO(skb) is valid
  net: fix compile error due to double return type in SOCK_DEBUG
  net/usb: initiate sync sequence in sierra_net.c driver
  net/usb: remove default in Kconfig for sierra_net driver
  r8169: Fix rtl8169_rx_interrupt()
  e1000e: Fix oops caused by ASPM patch.
  net/sb1250: register mdio bus in probe
  sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)
  p54pci: fix bugs in p54p_check_tx_ring

14 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6
Linus Torvalds [Wed, 5 May 2010 14:54:22 +0000 (07:54 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/tiwai/sound-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
  ALSA: hda: Fix 0 dB for Packard Bell models using Conexant CX20549 (Venice)
  ALSA: hda - Add quirk for Dell Inspiron 19T using a Conexant CX20582
  ALSA: take tu->qlock with irqs disabled
  ALSA: hda: Use olpc-xo-1_5 quirk for Toshiba Satellite P500-PSPGSC-01800T
  ALSA: hda: Use olpc-xo-1_5 quirk for Toshiba Satellite Pro T130-15F
  ALSA: hda - fix array indexing while creating inputs for Cirrus codecs
  ALSA: es968: fix wrong PnP dma index

14 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Linus Torvalds [Wed, 5 May 2010 14:53:18 +0000 (07:53 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/dtor/input

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: joydev - allow binding to button-only devices
  Input: elantech - ignore high bits in the position coordinates
  Input: elantech - allow forcing Elantech protocol
  Input: elantech - fix firmware version check
  Input: ati_remote - add some missing devices from lirc_atiusb
  Input: eeti_ts - cancel pending work when going to suspend
  Input: Add support of Synaptics Clickpad device
  Revert "Input: ALPS - add signature for HP Pavilion dm3 laptops"
  Input: psmouse - ignore parity error for basic protocols

14 years agoraid6: fix recovery performance regression
Dan Williams [Wed, 5 May 2010 03:41:56 +0000 (20:41 -0700)]
raid6: fix recovery performance regression

The raid6 recovery code should immediately drop back to the optimized
synchronous path when a p+q dma resource is not available.  Otherwise we
run the non-optimized/multi-pass async code in sync mode.

Verified with raid6test (NDISKS=255)

Applies to kernels >= 2.6.32.

Cc: <stable@kernel.org>
Acked-by: NeilBrown <neilb@suse.de>
Reported-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years agoKEYS: call_sbin_request_key() must write lock keyrings before modifying them
David Howells [Fri, 30 Apr 2010 13:32:23 +0000 (14:32 +0100)]
KEYS: call_sbin_request_key() must write lock keyrings before modifying them

call_sbin_request_key() creates a keyring and then attempts to insert a link to
the authorisation key into that keyring, but does so without holding a write
lock on the keyring semaphore.

It will normally get away with this because it hasn't told anyone that the
keyring exists yet.  The new keyring, however, has had its serial number
published, which means it can be accessed directly by that handle.

This was found by a previous patch that adds RCU lockdep checks to the code
that reads the keyring payload pointer, which includes a check that the keyring
semaphore is actually locked.

Without this patch, the following command:

keyctl request2 user b a @s

will provoke the following lockdep warning is displayed in dmesg:

===================================================
[ INFO: suspicious rcu_dereference_check() usage. ]
---------------------------------------------------
security/keys/keyring.c:727 invoked rcu_dereference_check() without protection!

other info that might help us debug this:

rcu_scheduler_active = 1, debug_locks = 0
2 locks held by keyctl/2076:
 #0:  (key_types_sem){.+.+.+}, at: [<ffffffff811a5b29>] key_type_lookup+0x1c/0x71
 #1:  (keyring_serialise_link_sem){+.+.+.}, at: [<ffffffff811a6d1e>] __key_link+0x4d/0x3c5

stack backtrace:
Pid: 2076, comm: keyctl Not tainted 2.6.34-rc6-cachefs #54
Call Trace:
 [<ffffffff81051fdc>] lockdep_rcu_dereference+0xaa/0xb2
 [<ffffffff811a6d1e>] ? __key_link+0x4d/0x3c5
 [<ffffffff811a6e6f>] __key_link+0x19e/0x3c5
 [<ffffffff811a5952>] ? __key_instantiate_and_link+0xb1/0xdc
 [<ffffffff811a59bf>] ? key_instantiate_and_link+0x42/0x5f
 [<ffffffff811aa0dc>] call_sbin_request_key+0xe7/0x33b
 [<ffffffff8139376a>] ? mutex_unlock+0x9/0xb
 [<ffffffff811a5952>] ? __key_instantiate_and_link+0xb1/0xdc
 [<ffffffff811a59bf>] ? key_instantiate_and_link+0x42/0x5f
 [<ffffffff811aa6fa>] ? request_key_auth_new+0x1c2/0x23c
 [<ffffffff810aaf15>] ? cache_alloc_debugcheck_after+0x108/0x173
 [<ffffffff811a9d00>] ? request_key_and_link+0x146/0x300
 [<ffffffff810ac568>] ? kmem_cache_alloc+0xe1/0x118
 [<ffffffff811a9e45>] request_key_and_link+0x28b/0x300
 [<ffffffff811a89ac>] sys_request_key+0xf7/0x14a
 [<ffffffff81052c0b>] ? trace_hardirqs_on_caller+0x10c/0x130
 [<ffffffff81394fb9>] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [<ffffffff81001eeb>] system_call_fastpath+0x16/0x1b

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
14 years agoKEYS: Use RCU dereference wrappers in keyring key type code
David Howells [Fri, 30 Apr 2010 13:32:18 +0000 (14:32 +0100)]
KEYS: Use RCU dereference wrappers in keyring key type code

The keyring key type code should use RCU dereference wrappers, even when it
holds the keyring's key semaphore.

Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
14 years agoKEYS: find_keyring_by_name() can gain access to a freed keyring
Toshiyuki Okajima [Fri, 30 Apr 2010 13:32:13 +0000 (14:32 +0100)]
KEYS: find_keyring_by_name() can gain access to a freed keyring

find_keyring_by_name() can gain access to a keyring that has had its reference
count reduced to zero, and is thus ready to be freed.  This then allows the
dead keyring to be brought back into use whilst it is being destroyed.

The following timeline illustrates the process:

|(cleaner)                           (user)
|
| free_user(user)                    sys_keyctl()
|  |                                  |
|  key_put(user->session_keyring)     keyctl_get_keyring_ID()
|  || //=> keyring->usage = 0        |
|  |schedule_work(&key_cleanup_task)   lookup_user_key()
|  ||                                   |
|  kmem_cache_free(,user)               |
|  .                                    |[KEY_SPEC_USER_KEYRING]
|  .                                    install_user_keyrings()
|  .                                    ||
| key_cleanup() [<= worker_thread()]    ||
|  |                                    ||
|  [spin_lock(&key_serial_lock)]        |[mutex_lock(&key_user_keyr..mutex)]
|  |                                    ||
|  atomic_read() == 0                   ||
|  |{ rb_ease(&key->serial_node,) }     ||
|  |                                    ||
|  [spin_unlock(&key_serial_lock)]      |find_keyring_by_name()
|  |                                    |||
|  keyring_destroy(keyring)             ||[read_lock(&keyring_name_lock)]
|  ||                                   |||
|  |[write_lock(&keyring_name_lock)]    ||atomic_inc(&keyring->usage)
|  |.                                   ||| *** GET freeing keyring ***
|  |.                                   ||[read_unlock(&keyring_name_lock)]
|  ||                                   ||
|  |list_del()                          |[mutex_unlock(&key_user_k..mutex)]
|  ||                                   |
|  |[write_unlock(&keyring_name_lock)]  ** INVALID keyring is returned **
|  |                                    .
|  kmem_cache_free(,keyring)            .
|                                       .
|                                       atomic_dec(&keyring->usage)
v                                         *** DESTROYED ***
TIME

If CONFIG_SLUB_DEBUG=y then we may see the following message generated:

=============================================================================
BUG key_jar: Poison overwritten
-----------------------------------------------------------------------------

INFO: 0xffff880197a7e200-0xffff880197a7e200. First byte 0x6a instead of 0x6b
INFO: Allocated in key_alloc+0x10b/0x35f age=25 cpu=1 pid=5086
INFO: Freed in key_cleanup+0xd0/0xd5 age=12 cpu=1 pid=10
INFO: Slab 0xffffea000592cb90 objects=16 used=2 fp=0xffff880197a7e200 flags=0x200000000000c3
INFO: Object 0xffff880197a7e200 @offset=512 fp=0xffff880197a7e300

Bytes b4 0xffff880197a7e1f0:  5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
  Object 0xffff880197a7e200:  6a 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b jkkkkkkkkkkkkkkk

Alternatively, we may see a system panic happen, such as:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
IP: [<ffffffff810e61a3>] kmem_cache_alloc+0x5b/0xe9
PGD 6b2b4067 PUD 6a80d067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/kernel/kexec_crash_loaded
CPU 1
...
Pid: 31245, comm: su Not tainted 2.6.34-rc5-nofixed-nodebug #2 D2089/PRIMERGY
RIP: 0010:[<ffffffff810e61a3>]  [<ffffffff810e61a3>] kmem_cache_alloc+0x5b/0xe9
RSP: 0018:ffff88006af3bd98  EFLAGS: 00010002
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88007d19900b
RDX: 0000000100000000 RSI: 00000000000080d0 RDI: ffffffff81828430
RBP: ffffffff81828430 R08: ffff88000a293750 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000100000 R12: 00000000000080d0
R13: 00000000000080d0 R14: 0000000000000296 R15: ffffffff810f20ce
FS:  00007f97116bc700(0000) GS:ffff88000a280000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000001 CR3: 000000006a91c000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process su (pid: 31245, threadinfo ffff88006af3a000, task ffff8800374414c0)
Stack:
 0000000512e0958e 0000000000008000 ffff880037f8d180 0000000000000001
 0000000000000000 0000000000008001 ffff88007d199000 ffffffff810f20ce
 0000000000008000 ffff88006af3be48 0000000000000024 ffffffff810face3
Call Trace:
 [<ffffffff810f20ce>] ? get_empty_filp+0x70/0x12f
 [<ffffffff810face3>] ? do_filp_open+0x145/0x590
 [<ffffffff810ce208>] ? tlb_finish_mmu+0x2a/0x33
 [<ffffffff810ce43c>] ? unmap_region+0xd3/0xe2
 [<ffffffff810e4393>] ? virt_to_head_page+0x9/0x2d
 [<ffffffff81103916>] ? alloc_fd+0x69/0x10e
 [<ffffffff810ef4ed>] ? do_sys_open+0x56/0xfc
 [<ffffffff81008a02>] ? system_call_fastpath+0x16/0x1b
Code: 0f 1f 44 00 00 49 89 c6 fa 66 0f 1f 44 00 00 65 4c 8b 04 25 60 e8 00 00 48 8b 45 00 49 01 c0 49 8b 18 48 85 db 74 0d 48 63 45 18 <48> 8b 04 03 49 89 00 eb 14 4c 89 f9 83 ca ff 44 89 e6 48 89 ef
RIP  [<ffffffff810e61a3>] kmem_cache_alloc+0x5b/0xe9

This problem is that find_keyring_by_name does not confirm that the keyring is
valid before accepting it.

Skipping keyrings that have been reduced to a zero count seems the way to go.
To this end, use atomic_inc_not_zero() to increment the usage count and skip
the candidate keyring if that returns false.

The following script _may_ cause the bug to happen, but there's no guarantee
as the window of opportunity is small:

#!/bin/sh
LOOP=100000
USER=dummy_user
/bin/su -c "exit;" $USER || { /usr/sbin/adduser -m $USER; add=1; }
for ((i=0; i<LOOP; i++))
do
/bin/su -c "echo '$i' > /dev/null" $USER
done
(( add == 1 )) && /usr/sbin/userdel -r $USER
exit

Note that the nominated user must not be in use.

An alternative way of testing this may be:

for ((i=0; i<100000; i++))
do
keyctl session foo /bin/true || break
done >&/dev/null

as that uses a keyring named "foo" rather than relying on the user and
user-session named keyrings.

Reported-by: Toshiyuki Okajima <toshi.okajima@jp.fujitsu.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Toshiyuki Okajima <toshi.okajima@jp.fujitsu.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>