firefly-linux-kernel-4.4.55.git
12 years agoAppArmor: Fix underflow in xindex calculation
John Johansen [Wed, 22 Feb 2012 08:32:30 +0000 (00:32 -0800)]
AppArmor: Fix underflow in xindex calculation

If the xindex value stored in the accept tables is 0, the extraction of
that value will result in an underflow (0 - 4).

In properly compiled policy this should not happen for file rules but
it may be possible for other rule types in the future.

To exploit this underflow a user would have to be able to load a corrupt
policy, which requires CAP_MAC_ADMIN, overwrite system policy in kernel
memory or know of a compiler error resulting in the flaw being present
for loaded policy (no such flaw is known at this time).

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
12 years agoAppArmor: Fix dropping of allowed operations that are force audited
John Johansen [Wed, 22 Feb 2012 08:20:26 +0000 (00:20 -0800)]
AppArmor: Fix dropping of allowed operations that are force audited

The audit permission flag, that specifies an audit message should be
provided when an operation is allowed, was being ignored in some cases.

This is because the auto audit mode (which determines the audit mode from
system flags) was incorrectly assigned the same value as audit mode. The
shared value would result in messages that should be audited going through
a second evaluation as to whether they should be audited based on the
auto audit, resulting in some messages being dropped.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
12 years agoAppArmor: Add mising end of structure test to caps unpacking
John Johansen [Thu, 16 Feb 2012 15:06:41 +0000 (07:06 -0800)]
AppArmor: Add mising end of structure test to caps unpacking

The unpacking of struct capsx is missing a check for the end of the
caps structure.  This can lead to unpack failures depending on what else
is packed into the policy file being unpacked.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
12 years agoAppArmor: export known rlimit names/value mappings in securityfs
Kees Cook [Fri, 27 Jan 2012 00:29:23 +0000 (16:29 -0800)]
AppArmor: export known rlimit names/value mappings in securityfs

Since the parser needs to know which rlimits are known to the kernel,
export the list via a mask file in the "rlimit" subdirectory in the
securityfs "features" directory.

Signed-off-by: Kees Cook <kees@ubuntu.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
12 years agoAppArmor: add "file" details to securityfs
Kees Cook [Fri, 27 Jan 2012 00:29:22 +0000 (16:29 -0800)]
AppArmor: add "file" details to securityfs

Create the "file" directory in the securityfs for tracking features
related to files.

Signed-off-by: Kees Cook <kees@ubuntu.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
12 years agoAppArmor: add initial "features" directory to securityfs
Kees Cook [Fri, 27 Jan 2012 00:29:21 +0000 (16:29 -0800)]
AppArmor: add initial "features" directory to securityfs

This adds the "features" subdirectory to the AppArmor securityfs
to display boolean features flags and the known capability mask.

Signed-off-by: Kees Cook <kees@ubuntu.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
12 years agoAppArmor: refactor securityfs to use structures
Kees Cook [Fri, 27 Jan 2012 00:29:20 +0000 (16:29 -0800)]
AppArmor: refactor securityfs to use structures

Use a file tree structure to represent the AppArmor securityfs.

Signed-off-by: Kees Cook <kees@ubuntu.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
12 years agoIMA: fix audit res field to indicate 1 for success and 0 for failure
Eric Paris [Tue, 14 Feb 2012 22:11:07 +0000 (17:11 -0500)]
IMA: fix audit res field to indicate 1 for success and 0 for failure

The audit res field ususally indicates success with a 1 and 0 for a
failure.  So make IMA do it the same way.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
12 years agoYama: add PR_SET_PTRACER_ANY
Kees Cook [Wed, 15 Feb 2012 00:48:09 +0000 (16:48 -0800)]
Yama: add PR_SET_PTRACER_ANY

For a process to entirely disable Yama ptrace restrictions, it can use
the special PR_SET_PTRACER_ANY pid to indicate that any otherwise allowed
process may ptrace it. This is stronger than calling PR_SET_PTRACER with
pid "1" because it includes processes in external pid namespaces. This is
currently needed by the Chrome renderer, since its crash handler (Breakpad)
runs external to the renderer's pid namespace.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <jmorris@namei.org>
12 years agoTPM: Zero buffer whole after copying to userspace
Tim Gardner [Tue, 6 Dec 2011 18:29:20 +0000 (11:29 -0700)]
TPM: Zero buffer whole after copying to userspace

Commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 correctly clears the TPM
buffer if the user specified read length is >= the TPM buffer length. However,
if the user specified read length is < the TPM buffer length, then part of the
TPM buffer is left uncleared.

Reported-by: Seth Forshee <seth.forshee@canonical.com>
Cc: Debora Velarde <debora@linux.vnet.ibm.com>
Cc: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Cc: Marcel Selhorst <m.selhorst@sirrix.com>
Cc: tpmdd-devel@lists.sourceforge.net
Cc: stable@vger.kernel.org
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
12 years agotpm_tis: Clean up after module_param cleanup
Stefan Berger [Fri, 20 Jan 2012 17:58:50 +0000 (12:58 -0500)]
tpm_tis: Clean up after module_param cleanup

Commit 90ab5ee94171b3e28de6bb42ee30b527014e0be7 changed the
itpm module parameter from int to bool. Some other changes
need to be done to clean up after this change.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: Mauro Carvalho Chehab <mchehab@redhat.com>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
12 years agotpm_tis: Only probe iTPMs
Stefan Berger [Fri, 20 Jan 2012 17:58:49 +0000 (12:58 -0500)]
tpm_tis: Only probe iTPMs

Detect iTPMs through the vendor ID on the hardware interface and only
probe the device if the manufacturer is found to be Intel. This
obsoletes a previously added delay necessary for some TPMs but not iTPMs.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
12 years agosecurity: trim security.h
Al Viro [Mon, 13 Feb 2012 03:58:52 +0000 (03:58 +0000)]
security: trim security.h

Trim security.h

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Morris <jmorris@namei.org>
12 years agomm: collapse security_vm_enough_memory() variants into a single function
Al Viro [Mon, 13 Feb 2012 03:58:52 +0000 (03:58 +0000)]
mm: collapse security_vm_enough_memory() variants into a single function

Collapse security_vm_enough_memory() variants into a single function.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Morris <jmorris@namei.org>
12 years agodigsig: changed type of the timestamp
Dmitry Kasatkin [Thu, 2 Feb 2012 08:46:49 +0000 (10:46 +0200)]
digsig: changed type of the timestamp

time_t was used in the signature and key packet headers,
which is typedef of long and is different on 32 and 64 bit architectures.
Signature and key format should be independent of architecture.
Similar to GPG, I have changed the type to uint32_t.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: James Morris <jmorris@namei.org>
12 years agosecurity: Yama LSM
Kees Cook [Wed, 21 Dec 2011 20:17:04 +0000 (12:17 -0800)]
security: Yama LSM

This adds the Yama Linux Security Module to collect DAC security
improvements (specifically just ptrace restrictions for now) that have
existed in various forms over the years and have been carried outside the
mainline kernel by other Linux distributions like Openwall and grsecurity.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
12 years agosecurity: create task_free security callback
Kees Cook [Wed, 21 Dec 2011 20:17:03 +0000 (12:17 -0800)]
security: create task_free security callback

The current LSM interface to cred_free is not sufficient for allowing
an LSM to track the life and death of a task. This patch adds the
task_free hook so that an LSM can clean up resources on task death.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <jmorris@namei.org>
12 years agoMerge branch 'next-queue' into next
James Morris [Thu, 9 Feb 2012 06:02:34 +0000 (17:02 +1100)]
Merge branch 'next-queue' into next

12 years agoMerge branch 'linus-master'; commit 'v3.3-rc3' into next
James Morris [Thu, 9 Feb 2012 05:40:31 +0000 (16:40 +1100)]
Merge branch 'linus-master'; commit 'v3.3-rc3' into next

12 years agoLinux 3.3-rc3
Linus Torvalds [Thu, 9 Feb 2012 03:21:53 +0000 (19:21 -0800)]
Linux 3.3-rc3

12 years agoMerge branch 'iommu/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/joro...
Linus Torvalds [Thu, 9 Feb 2012 03:11:00 +0000 (19:11 -0800)]
Merge branch 'iommu/fixes' of git://git./linux/kernel/git/joro/iommu

One patch fixes an bug in the ARM/MSM IOMMU code which returned sucess
in the unmap function even when an error occured and the other patch
adds a workaround into the AMD IOMMU driver to better handle broken IVRS
ACPI tables (this patch fixes the case when a device is not listed in
the table but actually translated by the iommu).

* 'iommu/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
  iommu/msm: Fix error handling in msm_iommu_unmap()
  iommu/amd: Work around broken IVRS tables

12 years agoMerge branch '3.3-rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nab...
Linus Torvalds [Thu, 9 Feb 2012 03:09:25 +0000 (19:09 -0800)]
Merge branch '3.3-rc-fixes' of git://git./linux/kernel/git/nab/target-pending

This series contains pending target bug-fixes and cleanups for v3.3-rc3
that have been addressed the past weeks in lio-core.git.

Some of the highlights include:

 - Fix handling for control CDBs with data greater than PAGE_SIZE (andy)
 - Use IP_FREEBIND for iscsi-target to address network portal creation
   issues with systemd (dax)
 - Allow PERSISTENT RESERVE IN for non-reservation holder (marco)
 - Fix iblock se_dev_attrib.unmap_granularity (marco)
 - Fix unsupported WRITE_SAME sense payload handling (martin)
 - Add workaround for zero-length control CDB handling (nab)
 - Fix discovery with INADDR_ANY and IN6ADDR_ANY_INIT (nab)
 - Fix target_submit_cmd() exception handling (nab)
 - Return correct ASC for unimplemented VPD pages (roland)
 - Don't zero pages used for data buffers (roland)
 - Fix return code of core_tpg_.*_lun (sebastian)

* '3.3-rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (26 commits)
  target: Fix unsupported WRITE_SAME sense payload
  iscsi: use IP_FREEBIND socket option
  iblock: fix handling of large requests
  target: handle empty string writes in sysfs
  iscsi_target: in_aton needs linux/inet.h
  target: Fix iblock se_dev_attrib.unmap_granularity
  target: Fix target_submit_cmd() exception handling
  target: Change target_submit_cmd() to return void
  target: accept REQUEST_SENSE with 18bytes
  target: Fail INQUIRY commands with EVPD==0 but PAGE CODE!=0
  target: Return correct ASC for unimplemented VPD pages
  iscsi-target: Fix discovery with INADDR_ANY and IN6ADDR_ANY_INIT
  target: Allow control CDBs with data > 1 page
  iscsi-target: Fix up a few assignments
  iscsi-target: make one-bit bitfields unsigned
  iscsi-target: Fix double list_add with iscsit_alloc_buffs reject
  iscsi-target: Fix reject release handling in iscsit_free_cmd()
  target: fix return code of core_tpg_.*_lun
  target: use save/restore lock primitive in core_dec_lacl_count()
  target: avoid multiple outputs in scsi_dump_inquiry()
  ...

12 years agoMerge tag 'md-3.3-fixes' of git://neil.brown.name/md
Linus Torvalds [Thu, 9 Feb 2012 03:06:30 +0000 (19:06 -0800)]
Merge tag 'md-3.3-fixes' of git://neil.brown.name/md

Some simple md-related fixes.

1/ two small fixes to ensure we handle an interrupted resync properly.
2/ avoid loading the bitmap multiple times in dm-raid

* tag 'md-3.3-fixes' of git://neil.brown.name/md:
  md: two small fixes to handling interrupt resync.
  Prevent DM RAID from loading bitmap twice.

12 years agoMerge tag 'spi-for-linus' of git://git.secretlab.ca/git/linux-2.6
Linus Torvalds [Thu, 9 Feb 2012 03:05:47 +0000 (19:05 -0800)]
Merge tag 'spi-for-linus' of git://git.secretlab.ca/git/linux-2.6

SPI bug fixes for v3.3-rc2

Minor SPI device driver changes.  A rename of the pch_spi_pcidev symbol
that merely eliminates a modpost warning, and a Kconfig change to allow
the Samsung spi driver to build on EXYNOS.

* tag 'spi-for-linus' of git://git.secretlab.ca/git/linux-2.6:
  spi-topcliff-pch: rename pch_spi_pcidev to pch_spi_pcidev_driver
  spi: Add spi-s3c64xx driver dependency on ARCH_EXYNOS4

12 years agoMerge branch 'akpm' (Andrew's tree)
Linus Torvalds [Thu, 9 Feb 2012 03:04:47 +0000 (19:04 -0800)]
Merge branch 'akpm' (Andrew's tree)

Five fixes

* branch 'akpm':
  pcmcia: fix socket refcount decrementing on each resume
  mm: fix UP THP spin_is_locked BUGs
  drivers/leds/leds-lm3530.c: fix setting pltfm->als_vmax
  mm: compaction: check for overlapping nodes during isolation for migration
  nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()

12 years agopcmcia: fix socket refcount decrementing on each resume
Russell King [Thu, 9 Feb 2012 01:13:41 +0000 (17:13 -0800)]
pcmcia: fix socket refcount decrementing on each resume

This fixes a memory-corrupting bug: not only does it cause the warning,
but as a result of dropping the refcount to zero, it causes the
pcmcia_socket0 device structure to be freed while it still has
references, causing slab caches corruption.  A fatal oops quickly
follows this warning - often even just a 'dmesg' following the warning
causes the kernel to oops.

While testing suspend/resume on an ARM device with PCMCIA support, and a
CF card inserted, I found that after five suspend and resumes, the
kernel would complain, and shortly die after with slab corruption.

  WARNING: at include/linux/kref.h:41 kobject_get+0x28/0x50()

As the message doesn't give a clue about which kobject, and the built-in
debugging in drivers/base/power/main.c happens too late, this was added
right before each get_device():

  printk("%s: %p [%s] %u\n", __func__, dev, kobject_name(&dev->kobj), atomic_read(&dev->kobj.kref.refcount));

and on the 3rd s2ram cycle, the following behaviour observed:

On the 3rd suspend/resume cycle:

  dpm_prepare: c1a0d998 [pcmcia_socket0] 3
  dpm_suspend: c1a0d998 [pcmcia_socket0] 3
  dpm_suspend_noirq: c1a0d998 [pcmcia_socket0] 3
  dpm_resume_noirq: c1a0d998 [pcmcia_socket0] 3
  dpm_resume: c1a0d998 [pcmcia_socket0] 3
  dpm_complete: c1a0d998 [pcmcia_socket0] 2

4th:

  dpm_prepare: c1a0d998 [pcmcia_socket0] 2
  dpm_suspend: c1a0d998 [pcmcia_socket0] 2
  dpm_suspend_noirq: c1a0d998 [pcmcia_socket0] 2
  dpm_resume_noirq: c1a0d998 [pcmcia_socket0] 2
  dpm_resume: c1a0d998 [pcmcia_socket0] 2
  dpm_complete: c1a0d998 [pcmcia_socket0] 1

5th:

  dpm_prepare: c1a0d998 [pcmcia_socket0] 1
  dpm_suspend: c1a0d998 [pcmcia_socket0] 1
  dpm_suspend_noirq: c1a0d998 [pcmcia_socket0] 1
  dpm_resume_noirq: c1a0d998 [pcmcia_socket0] 1
  dpm_resume: c1a0d998 [pcmcia_socket0] 1
  dpm_complete: c1a0d998 [pcmcia_socket0] 0
  ------------[ cut here ]------------
  WARNING: at include/linux/kref.h:41 kobject_get+0x28/0x50()
  Modules linked in: ucb1x00_core
  Backtrace:
  [<c0212090>] (dump_backtrace+0x0/0x110) from [<c04799dc>] (dump_stack+0x18/0x1c)
  [<c04799c4>] (dump_stack+0x0/0x1c) from [<c021cba0>] (warn_slowpath_common+0x50/0x68)
  [<c021cb50>] (warn_slowpath_common+0x0/0x68) from [<c021cbdc>] (warn_slowpath_null+0x24/0x28)
  [<c021cbb8>] (warn_slowpath_null+0x0/0x28) from [<c0335374>] (kobject_get+0x28/0x50)
  [<c033534c>] (kobject_get+0x0/0x50) from [<c03804f4>] (get_device+0x1c/0x24)
  [<c0388c90>] (dpm_complete+0x0/0x1a0) from [<c0389cc0>] (dpm_resume_end+0x1c/0x20)
  ...

Looking at commit 7b24e7988263 ("pcmcia: split up central event handler"),
the following change was made to cs.c:

                return 0;
        }
 #endif
-
-       send_event(skt, CS_EVENT_PM_RESUME, CS_EVENT_PRI_LOW);
+       if (!(skt->state & SOCKET_CARDBUS) && (skt->callback))
+               skt->callback->early_resume(skt);
        return 0;
 }

And the corresponding change in ds.c is from:

-static int ds_event(struct pcmcia_socket *skt, event_t event, int priority)
-{
-       struct pcmcia_socket *s = pcmcia_get_socket(skt);
...
-       switch (event) {
...
-       case CS_EVENT_PM_RESUME:
-               if (verify_cis_cache(skt) != 0) {
-                       dev_dbg(&skt->dev, "cis mismatch - different card\n");
-                       /* first, remove the card */
-                       ds_event(skt, CS_EVENT_CARD_REMOVAL, CS_EVENT_PRI_HIGH);
-                       mutex_lock(&s->ops_mutex);
-                       destroy_cis_cache(skt);
-                       kfree(skt->fake_cis);
-                       skt->fake_cis = NULL;
-                       s->functions = 0;
-                       mutex_unlock(&s->ops_mutex);
-                       /* now, add the new card */
-                       ds_event(skt, CS_EVENT_CARD_INSERTION,
-                                CS_EVENT_PRI_LOW);
-               }
-               break;
...
-    }

-    pcmcia_put_socket(s);

-    return 0;
-} /* ds_event */

to:

+static int pcmcia_bus_early_resume(struct pcmcia_socket *skt)
+{
+       if (!verify_cis_cache(skt)) {
+               pcmcia_put_socket(skt);
+               return 0;
+       }

+       dev_dbg(&skt->dev, "cis mismatch - different card\n");

+       /* first, remove the card */
+       pcmcia_bus_remove(skt);
+       mutex_lock(&skt->ops_mutex);
+       destroy_cis_cache(skt);
+       kfree(skt->fake_cis);
+       skt->fake_cis = NULL;
+       skt->functions = 0;
+       mutex_unlock(&skt->ops_mutex);

+       /* now, add the new card */
+       pcmcia_bus_add(skt);
+       return 0;
+}

As can be seen, the original function called pcmcia_get_socket() and
pcmcia_put_socket() around the guts, whereas the replacement code
calls pcmcia_put_socket() only in one path.  This creates an imbalance
in the refcounting.

Testing with pcmcia_put_socket() put removed shows that the bug is gone:

  dpm_suspend: c1a10998 [pcmcia_socket0] 5
  dpm_suspend_noirq: c1a10998 [pcmcia_socket0] 5
  dpm_resume_noirq: c1a10998 [pcmcia_socket0] 5
  dpm_resume: c1a10998 [pcmcia_socket0] 5
  dpm_complete: c1a10998 [pcmcia_socket0] 5

Tested-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agomm: fix UP THP spin_is_locked BUGs
Hugh Dickins [Thu, 9 Feb 2012 01:13:40 +0000 (17:13 -0800)]
mm: fix UP THP spin_is_locked BUGs

Fix CONFIG_TRANSPARENT_HUGEPAGE=y CONFIG_SMP=n CONFIG_DEBUG_VM=y
CONFIG_DEBUG_SPINLOCK=n kernel: spin_is_locked() is then always false,
and so triggers some BUGs in Transparent HugePage codepaths.

asm-generic/bug.h mentions this problem, and provides a WARN_ON_SMP(x);
but being too lazy to add VM_BUG_ON_SMP, BUG_ON_SMP, WARN_ON_SMP_ONCE,
VM_WARN_ON_SMP_ONCE, just test NR_CPUS != 1 in the existing VM_BUG_ONs.

Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agodrivers/leds/leds-lm3530.c: fix setting pltfm->als_vmax
Axel Lin [Thu, 9 Feb 2012 01:13:39 +0000 (17:13 -0800)]
drivers/leds/leds-lm3530.c: fix setting pltfm->als_vmax

In current code, pltfm->als_vmin is set to LM3530_ALS_WINDOW_mV and
pltfm->als_vmax is 0.  This does not make sense.  I think what we want
here is setting pltfm->als_vmax to LM3530_ALS_WINDOW_mV.

Both als_vmin and als_vmax local variables will be set to
pltfm->als_vmin and pltfm->als_vmax by a few lines latter.  Thus also
remove a redundant assignment for als_vmin and als_vmax in this patch.

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Cc: Shreshtha Kumar Sahu <shreshthakumar.sahu@stericsson.com>
Acked-by: Milo(Woogyom) Kim <milo.kim@ti.com>
Tested-by: Milo(Woogyom) Kim <milo.kim@ti.com>
Cc: Richard Purdie <rpurdie@rpsys.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agomm: compaction: check for overlapping nodes during isolation for migration
Mel Gorman [Thu, 9 Feb 2012 01:13:38 +0000 (17:13 -0800)]
mm: compaction: check for overlapping nodes during isolation for migration

When isolating pages for migration, migration starts at the start of a
zone while the free scanner starts at the end of the zone.  Migration
avoids entering a new zone by never going beyond the free scanned.

Unfortunately, in very rare cases nodes can overlap.  When this happens,
migration isolates pages without the LRU lock held, corrupting lists
which will trigger errors in reclaim or during page free such as in the
following oops

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
  IP: [<ffffffff810f795c>] free_pcppages_bulk+0xcc/0x450
  PGD 1dda554067 PUD 1e1cb58067 PMD 0
  Oops: 0000 [#1] SMP
  CPU 37
  Pid: 17088, comm: memcg_process_s Tainted: G            X
  RIP: free_pcppages_bulk+0xcc/0x450
  Process memcg_process_s (pid: 17088, threadinfo ffff881c2926e000, task ffff881c2926c0c0)
  Call Trace:
    free_hot_cold_page+0x17e/0x1f0
    __pagevec_free+0x90/0xb0
    release_pages+0x22a/0x260
    pagevec_lru_move_fn+0xf3/0x110
    putback_lru_page+0x66/0xe0
    unmap_and_move+0x156/0x180
    migrate_pages+0x9e/0x1b0
    compact_zone+0x1f3/0x2f0
    compact_zone_order+0xa2/0xe0
    try_to_compact_pages+0xdf/0x110
    __alloc_pages_direct_compact+0xee/0x1c0
    __alloc_pages_slowpath+0x370/0x830
    __alloc_pages_nodemask+0x1b1/0x1c0
    alloc_pages_vma+0x9b/0x160
    do_huge_pmd_anonymous_page+0x160/0x270
    do_page_fault+0x207/0x4c0
    page_fault+0x25/0x30

The "X" in the taint flag means that external modules were loaded but but
is unrelated to the bug triggering.  The real problem was because the PFN
layout looks like this

  Zone PFN ranges:
    DMA      0x00000010 -> 0x00001000
    DMA32    0x00001000 -> 0x00100000
    Normal   0x00100000 -> 0x01e80000
  Movable zone start PFN for each node
  early_node_map[14] active PFN ranges
      0: 0x00000010 -> 0x0000009b
      0: 0x00000100 -> 0x0007a1ec
      0: 0x0007a354 -> 0x0007a379
      0: 0x0007f7ff -> 0x0007f800
      0: 0x00100000 -> 0x00680000
      1: 0x00680000 -> 0x00e80000
      0: 0x00e80000 -> 0x01080000
      1: 0x01080000 -> 0x01280000
      0: 0x01280000 -> 0x01480000
      1: 0x01480000 -> 0x01680000
      0: 0x01680000 -> 0x01880000
      1: 0x01880000 -> 0x01a80000
      0: 0x01a80000 -> 0x01c80000
      1: 0x01c80000 -> 0x01e80000

The fix is straight-forward.  isolate_migratepages() has to make a
similar check to isolate_freepage to ensure that it never isolates pages
from a zone it does not hold the LRU lock for.

This was discovered in a 3.0-based kernel but it affects 3.1.x, 3.2.x
and current mainline.

Signed-off-by: Mel Gorman <mgorman@suse.de>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agonilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
Xi Wang [Thu, 9 Feb 2012 01:13:37 +0000 (17:13 -0800)]
nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()

nsegs is read from userspace.  Limit its value and avoid overflowing nsegs
* sizeof(__u64) in the subsequent call to memdup_user().

This patch complements 481fe17e973fb9 ("nilfs2: potential integer overflow
in nilfs_ioctl_clean_segments()").

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: Haogang Chen <haogangchen@gmail.com>
Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agoMerge tag 'sound-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Linus Torvalds [Wed, 8 Feb 2012 22:56:39 +0000 (14:56 -0800)]
Merge tag 'sound-fixes' of git://git./linux/kernel/git/tiwai/sound

sound fixes #2 for 3.3-rc3

A collection of small fixes, mostly for regressions.
In addition, a few ASoC wm8994 updates are included, too.

* tag 'sound-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ASoC: wm8994: Disable line output discharge prior to ramping VMID
  ASoC: wm8994: Fix typo in VMID ramp setting
  ALSA: oxygen, virtuoso: fix exchanged L/R volumes of aux and CD inputs
  ALSA: usb-audio: add Edirol UM-3G support
  ALSA: hda - add support for Uniwill ECS M31EI notebook
  ALSA: hda - Fix error handling in patch_ca0132.c
  ASoC: wm8994: Enabling VMID should take a runtime PM reference
  ALSA: hda/realtek - Fix a wrong condition
  ALSA: emu8000: Remove duplicate linux/moduleparam.h include from emu8000_patch.c
  ALSA: hda/realtek - Add missing Bass and CLFE as vmaster slaves
  ASoC: wm_hubs: Correct line input to line output 2 paths
  ASoC: cs42l73: Fix Output [X|A|V]SP_SCLK Sourcing Mode setting for master mode
  ASoC: wm8962: Fix word length configuration
  ASoC: core: Better support for idle_bias_off suspend ignores
  ASoC: wm8994: Remove ASoC level register cache sync
  ASoC: wm_hubs: Fix routing of input PGAs to line output mixer

12 years agoMerge tag 'asoc-3.3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound...
Takashi Iwai [Wed, 8 Feb 2012 20:29:38 +0000 (21:29 +0100)]
Merge tag 'asoc-3.3' of git://git./linux/kernel/git/broonie/sound into for-linus

A few small WM8994 updates to go on top of the previous lot of things
that were sent.  They collide with some -next work so I'd really like to
get them into 3.3-rc3 if possible to merge back up into the -next code.
All driver specific and unexciting in the grand scheme of things.

12 years agoASoC: wm8994: Disable line output discharge prior to ramping VMID
Mark Brown [Tue, 7 Feb 2012 14:18:29 +0000 (14:18 +0000)]
ASoC: wm8994: Disable line output discharge prior to ramping VMID

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
12 years agoASoC: wm8994: Fix typo in VMID ramp setting
Mark Brown [Tue, 7 Feb 2012 17:24:19 +0000 (17:24 +0000)]
ASoC: wm8994: Fix typo in VMID ramp setting

The VMID ramp rate is supposed to be 0x3, not 11b. Fix that.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Cc: stable@vger.kernel.org
12 years agoALSA: oxygen, virtuoso: fix exchanged L/R volumes of aux and CD inputs
Clemens Ladisch [Sat, 4 Feb 2012 19:56:47 +0000 (20:56 +0100)]
ALSA: oxygen, virtuoso: fix exchanged L/R volumes of aux and CD inputs

The driver accidentally exchanged the left/right fields for stereo AC'97
mixer registers.  This affected only the aux and CD inputs because the
line input bypasses the AC'97 codec and the mic input is mono; cards
without AC'97 (Xonar DS/DG/HDAV Slim, HG2PCI, HiFier) were not affected.

Reported-and-tested-by: Abby Cedar <abbycedar@yahoo.com.au>
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Cc: 2.6.31+ <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
12 years agoALSA: usb-audio: add Edirol UM-3G support
Clemens Ladisch [Sat, 4 Feb 2012 19:51:43 +0000 (20:51 +0100)]
ALSA: usb-audio: add Edirol UM-3G support

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
12 years agoMerge tag 'fbdev-fixes-for-3.3-1' of git://github.com/schandinat/linux-2.6
Linus Torvalds [Tue, 7 Feb 2012 23:54:02 +0000 (15:54 -0800)]
Merge tag 'fbdev-fixes-for-3.3-1' of git://github.com/schandinat/linux-2.6

fbdev fixes for 3.3

It includes:
 - compile fix for fsl-diu-fb
 - fix for a suspend/resume issue in atmel_lcdfb
 - fix for a suspend/resume issue in OMAP
 - workaround for a hardware bug to avoid physical damage in OMAP
 - really trivial dead code removal in intelfb

* tag 'fbdev-fixes-for-3.3-1' of git://github.com/schandinat/linux-2.6:
  atmel_lcdfb: fix usage of CONTRAST_CTR in suspend/resume
  intelfb: remove some dead code
  drivers/video: compile fixes for fsl-diu-fb.c
  OMAPDSS: HDMI: PHY burnout fix
  OMAP: 4430SDP/Panda: add HDMI HPD gpio
  OMAP: 4430SDP/Panda: setup HDMI GPIO muxes
  OMAPDSS: remove wrong HDMI HPD muxing
  OMAP: 4430SDP/Panda: rename HPD GPIO to CT_CP_HPD
  OMAP: 4430SDP/Panda: use gpio_free_array to free HDMI gpios
  OMAPDSS: use sync versions of pm_runtime_put

12 years agocheckpatch: Warn on code with 6+ tab indentation
Joe Perches [Fri, 3 Feb 2012 23:20:39 +0000 (15:20 -0800)]
checkpatch: Warn on code with 6+ tab indentation

Overly indented code should be refactored.

Suggest refactoring excessive indentation of of
if/else/for/do/while/switch statements.

For example:

$ cat t.c
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{

if (1)
if (2)
if (3)
if (4)
if (5)
if (6)
if (7)
if (8)
;
return 0;
}

$ ./scripts/checkpatch.pl -f t.c
WARNING: Too many leading tabs - consider code refactoring
#12: FILE: t.c:12:
+ if (6)

WARNING: Too many leading tabs - consider code refactoring
#13: FILE: t.c:13:
+ if (7)

WARNING: Too many leading tabs - consider code refactoring
#14: FILE: t.c:14:
+ if (8)

total: 0 errors, 3 warnings, 17 lines checked

t.c has style problems, please review.

If any of these errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agoMerge tag 'ib-srpt-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/roland...
Linus Torvalds [Tue, 7 Feb 2012 22:35:19 +0000 (14:35 -0800)]
Merge tag 'ib-srpt-fixes' of git://git./linux/kernel/git/roland/infiniband

Cleanups and error path fixes for the new SRP (SCSI RDMA protocol) target.

* tag 'ib-srpt-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
  IB/srpt: Don't return freed pointer from srpt_alloc_ioctx_ring()
  IB/srpt: Fix ERR_PTR() vs. NULL checking confusion
  IB/srpt: Remove unneeded <linux/version.h> include
  IB/srpt: Use ARRAY_SIZE() instead of open-coding
  IB/srpt: Use DEFINE_SPINLOCK()/LIST_HEAD()

12 years agoMerge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
Linus Torvalds [Tue, 7 Feb 2012 22:32:24 +0000 (14:32 -0800)]
Merge tag 'for-linus' of git://git./linux/kernel/git/mst/vhost

arch: fix ioport mapping on mips,sh

Kevin Cernekee reported that recent cleanup that replaced pci_iomap with
a generic function failed to take into account the differences in io
port handling on mips and sh architectures.

Rather than revert the changes reintroducing the code duplication, this
patchset fixes this by adding ability for architectures to override
ioport mapping for pci devices.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
  sh: use the the PCI channels's io_map_base
  mips: use the the PCI controller's io_map_base
  lib: add NO_GENERIC_PCI_IOPORT_MAP

12 years agoACPI: remove duplicated lines of merging problems with acpi_processor_add
Yinghai Lu [Tue, 7 Feb 2012 16:20:37 +0000 (08:20 -0800)]
ACPI: remove duplicated lines of merging problems with acpi_processor_add

Those lines have two copies.

Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Cc: Thomas Renninger <trenn@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agoMerge git://git.samba.org/sfrench/cifs-2.6
Linus Torvalds [Tue, 7 Feb 2012 22:07:20 +0000 (14:07 -0800)]
Merge git://git.samba.org/sfrench/cifs-2.6

* git://git.samba.org/sfrench/cifs-2.6:
  cifs: Fix oops in session setup code for null user mounts
  [CIFS] Update cifs Kconfig title to match removal of experimental dependency
  cifs: fix printk format warnings
  cifs: check offset in decode_ntlmssp_challenge()
  cifs: NULL dereference on allocation failure

12 years agoMerge branch 'upstream-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
Linus Torvalds [Tue, 7 Feb 2012 22:06:11 +0000 (14:06 -0800)]
Merge branch 'upstream-fixes' of git://git./linux/kernel/git/jikos/hid

* 'upstream-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: wiimote: fix invalid power_supply_powers call
  HID: wacom: Fix invalid power_supply_powers calls
  HID: hyperv: Properly disconnect the input device
  HID: usbhid: fix dead lock between open and disconect

12 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6
Linus Torvalds [Tue, 7 Feb 2012 22:05:49 +0000 (14:05 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/sameo/mfd-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6:
  mfd: Avoid twl6040-codec PLL reconfiguration when not needed
  mfd: Store twl6040-codec mclk configuration

12 years agoALSA: hda - add support for Uniwill ECS M31EI notebook
Jaroslav Kysela [Tue, 7 Feb 2012 13:18:14 +0000 (14:18 +0100)]
ALSA: hda - add support for Uniwill ECS M31EI notebook

This hardware requires same fixup for the node 0x0f like Asus A6Rp.
More information: https://bugzilla.redhat.com/show_bug.cgi?id=785417

Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
12 years agoHID: wiimote: fix invalid power_supply_powers call
Jiri Kosina [Tue, 7 Feb 2012 12:40:56 +0000 (13:40 +0100)]
HID: wiimote: fix invalid power_supply_powers call

Analogically to d7cb3dbd1 ("HID: wacom: Fix invalid power_supply_powers
calls"), fix also the same occurence in wiimote driver.

Reported-by: przemo@firszt.eu
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
12 years agoALSA: hda - Fix error handling in patch_ca0132.c
Takashi Iwai [Tue, 7 Feb 2012 10:00:53 +0000 (11:00 +0100)]
ALSA: hda - Fix error handling in patch_ca0132.c

In patch_ca0132.c, the error returned from chipio_write() isn't checked
always.  Also, the power-up/down sequence isn't tracked properly in some
error paths.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
12 years agoMerge tag 'asoc-3.3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound...
Takashi Iwai [Tue, 7 Feb 2012 10:04:48 +0000 (11:04 +0100)]
Merge tag 'asoc-3.3' of git://git./linux/kernel/git/broonie/sound into for-linus

The only particularly remarkable change here is the one for handling of
the Android suspend ignore code for idle_bias_off CODECs.  That one is
actually a regression fix as some of the new power savings that have
been introduced confused the suspend ignore code, making devices that
are active for non-audio reasons look like they are idle causing them to
be suspended instead of being kept active.

12 years agotarget: Fix unsupported WRITE_SAME sense payload
Martin Svec [Tue, 7 Feb 2012 06:13:25 +0000 (22:13 -0800)]
target: Fix unsupported WRITE_SAME sense payload

This patch fixes a bug in target-core where unsupported WRITE_SAME ops
from a target_check_write_same_discard() failure was incorrectly
returning CHECK_CONDITION w/ TCM_INVALID_CDB_FIELD sense data.
This was causing some clients to not properly fall back, so go ahead
and use the correct TCM_UNSUPPORTED_SCSI_OPCODE sense for this case.

Reported-by: Martin Svec <martin.svec@zoner.cz>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
12 years agoiscsi: use IP_FREEBIND socket option
Dax Kelson [Sat, 4 Feb 2012 06:40:25 +0000 (23:40 -0700)]
iscsi: use IP_FREEBIND socket option

Use IP_FREEBIND socket option so that iscsi portal configuration with
explicit IP addresses can happen during boot, before network interfaces
have been assigned IPs.

This is especially important on systemd based Linux boxes where system
boot happens asynchronously and non-trivial configuration must be done
to get targetcli.service to start synchronously after the network is
configured.

Reference:
http://lists.fedoraproject.org/pipermail/devel/2011-October/158025.html

Signed-off-by: Dax Kelson <dkelson@gurulabs.com>
Cc: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
Cc: "Andy Grover" <agrover@redhat.com>
Cc: "Lennart Poettering" <lennart@poettering.net>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
12 years agoiblock: fix handling of large requests
Christoph Hellwig [Thu, 2 Feb 2012 21:51:24 +0000 (16:51 -0500)]
iblock: fix handling of large requests

Requesting to many bvecs upsets bio_alloc_bioset, so limit the number we ask
for to the amount it can handle.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
12 years agotarget: handle empty string writes in sysfs
Dan Carpenter [Fri, 27 Jan 2012 12:50:55 +0000 (15:50 +0300)]
target: handle empty string writes in sysfs

These are root only and we're not likely to hit the problem in practise,
but it makes the static checkers happy.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
12 years agoiscsi_target: in_aton needs linux/inet.h
Stephen Rothwell [Mon, 23 Jan 2012 00:39:49 +0000 (11:39 +1100)]
iscsi_target: in_aton needs linux/inet.h

Fixes this error after a recent nfs cleanup:

drivers/target/iscsi/iscsi_target_configfs.c: In function 'lio_target_call_addnptotpg':
drivers/target/iscsi/iscsi_target_configfs.c:214:3: error: implicit declaration of function 'in6_pton' [-Werror=implicit-function-declaration]
drivers/target/iscsi/iscsi_target_configfs.c:239:3: error: implicit declaration of function 'in_aton' [-Werror=implicit-function-declaration]

Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
12 years agotarget: Fix iblock se_dev_attrib.unmap_granularity
Marco Sanvido [Fri, 20 Jan 2012 23:49:27 +0000 (15:49 -0800)]
target: Fix iblock se_dev_attrib.unmap_granularity

The block layer keeps q->limits.discard_granularity in bytes, but iblock
(and the SCSI Block Limits VPD page) keep unmap_granularity in blocks.
Report the correct value when exporting block devices by dividing to
convert bytes to blocks.

Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
12 years agotarget: Fix target_submit_cmd() exception handling
Nicholas Bellinger [Sat, 21 Jan 2012 03:02:56 +0000 (19:02 -0800)]
target: Fix target_submit_cmd() exception handling

This patch fixes a bug in target_submit_cmd() where the failure path
for transport_generic_allocate_tasks() made a direct call to
transport_send_check_condition_and_sense() and not calling the
final target_put_sess_cmd() release callback.

For transport_generic_allocate_tasks() failures, use the proper call to
transport_generic_request_failure() to handle kref_put() along
with potential internal queue full response processing.

It also makes transport_lookup_cmd_lun() failures in
target_submit_cmd() use transport_send_check_condition_and_sense() and
target_put_sess_cmd() directly to avoid se_cmd->se_dev reference in
transport_generic_request_failure() handling.

Finally it drops the out_check_cond: label and use direct reference for
allocate task failures, and per-se_device queue_full handling is
currently not supported for transport_lookup_cmd_lun() failure
descriptors due to se_device dependency.

Reported-by: Roland Dreier <roland@purestorage.com>
Cc: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
12 years agotarget: Change target_submit_cmd() to return void
Andy Grover [Thu, 19 Jan 2012 21:39:23 +0000 (13:39 -0800)]
target: Change target_submit_cmd() to return void

Retval not very useful, and may even be harmful. Once submitted, fabrics
should expect a sense error if anything goes wrong. All fabrics checking
of this retval are useless or broken:

fc checks it just to emit more debug output.
ib_srpt trickles retval up, then it is ignored.
qla2xxx trickles it up, which then causes a bug because the abort goto
in qla_target.c thinks cmd hasn't been sent to target.

Just returning nothing is best.

Signed-off-by: Andy Grover <agrover@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
12 years agotarget: accept REQUEST_SENSE with 18bytes
Sebastian Andrzej Siewior [Wed, 18 Jan 2012 13:04:29 +0000 (14:04 +0100)]
target: accept REQUEST_SENSE with 18bytes

WindowsXP+BOT issues a MODE_SENSE request with page 0x1c which is not
suppoerted by target. Target rejects that command with
TCM_INVALID_CDB_FIELD, so far so good. On BOT I can't send the SENSE
response back, instead I can only reply that an error occured. The next
thing happens is a REQUEST_SENSE request with 18 bytes length. Since the
check here is more than 18 bytes I have to NACK that request as well.
This is not really required: We check for some additional room, but we
never use it. The additional length is set to 0xa so the total length is
0xa + 8 = 18 which is fine with my 18 bytes.

Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
12 years agomd: two small fixes to handling interrupt resync.
NeilBrown [Tue, 7 Feb 2012 01:01:51 +0000 (12:01 +1100)]
md: two small fixes to handling interrupt resync.

1/ If a resync is aborted we should record how far we got
 (recovery_cp) the last request that we know has completed
 (->curr_resync_completed) rather than the last request that was
 submitted (->curr_resync).

2/ When a resync aborts we still want to update the metadata with
 any changes, so set MD_CHANGE_DEVS even if we 'skip'.

Signed-off-by: NeilBrown <neilb@suse.de>
12 years agoDocumentation: update quilt tree location for Documentation patches
Randy Dunlap [Mon, 6 Feb 2012 17:50:00 +0000 (09:50 -0800)]
Documentation: update quilt tree location for Documentation patches

Update quilt tree location for Documentation/ patches.

Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agoDocumentation: add missing tainted bits to Documentation/sysctl/kernel.txt
Larry Finger [Mon, 6 Feb 2012 17:49:50 +0000 (09:49 -0800)]
Documentation: add missing tainted bits to Documentation/sysctl/kernel.txt

Two of the bits in the tainted flag are not documented.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agoMerge branch 'kvm-updates/3.3' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Linus Torvalds [Tue, 7 Feb 2012 00:26:58 +0000 (16:26 -0800)]
Merge branch 'kvm-updates/3.3' of git://git./virt/kvm/kvm

Fixing a regression with the PMU MSRs when PMU virtualization is
disabled, a guest-internal DoS with the SYSCALL instruction, and a dirty
memory logging race that may cause live migration to fail.

* 'kvm-updates/3.3' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: do not #GP on perf MSR writes when vPMU is disabled
  KVM: x86: fix missing checks in syscall emulation
  KVM: x86: extend "struct x86_emulate_ops" with "get_cpuid"
  KVM: Fix __set_bit() race in mark_page_dirty() during dirty logging

12 years agoMerge tag 'gpio-for-linus' of git://git.secretlab.ca/git/linux-2.6
Linus Torvalds [Mon, 6 Feb 2012 23:29:56 +0000 (15:29 -0800)]
Merge tag 'gpio-for-linus' of git://git.secretlab.ca/git/linux-2.6

GPIO fixes for v3.3-rc2

Straight forward bug fixes in this branch.  A couple of x86 gpio drivers
missing spinlock initialization, an API change fixup for the samsung driver
and a name typo fix.

* tag 'gpio-for-linus' of git://git.secretlab.ca/git/linux-2.6:
  gpio: Add missing spin_lock_init in gpio-ml-ioh driver
  gpio: Add missing spin_lock_init in gpio-pch driver
  gpio: samsung: adapt to changes in gpio specifier translator function declaration
  Correct bad gpio naming

12 years agoMerge tag 'hwmon-fixes-for-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Mon, 6 Feb 2012 23:25:48 +0000 (15:25 -0800)]
Merge tag 'hwmon-fixes-for-3.3-rc3' of git://git./linux/kernel/git/groeck/linux-staging

One patch to fix fan detection on NCT6776F.

* tag 'hwmon-fixes-for-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (w83627ehf) Fix number of fans for NCT6776F

12 years agoexec: fix use-after-free bug in setup_new_exec()
Heiko Carstens [Sat, 4 Feb 2012 09:47:10 +0000 (10:47 +0100)]
exec: fix use-after-free bug in setup_new_exec()

Setting the task name is done within setup_new_exec() by accessing
bprm->filename. However this happens after flush_old_exec().
This may result in a use after free bug, flush_old_exec() may
"complete" vfork_done, which will wake up the parent which in turn
may free the passed in filename.
To fix this add a new tcomm field in struct linux_binprm which
contains the now early generated task name until it is used.

Fixes this bug on s390:

  Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
  Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
  Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
  Call Trace:
  ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
   [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
   [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
   [<0000000000282b6c>] do_execve_common+0x410/0x514
   [<0000000000282cb6>] do_execve+0x46/0x58
   [<00000000005bce58>] kernel_execve+0x28/0x70
   [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
   [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
   [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
  Last Breaking-Event-Address:
   [<00000000002830f0>] setup_new_exec+0x2fc/0x374

  Kernel panic - not syncing: Fatal exception: panic_on_oops

Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agoIB/srpt: Don't return freed pointer from srpt_alloc_ioctx_ring()
Jesper Juhl [Sat, 4 Feb 2012 22:49:40 +0000 (23:49 +0100)]
IB/srpt: Don't return freed pointer from srpt_alloc_ioctx_ring()

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Roland Dreier <roland@purestorage.com>
12 years agoHID: wacom: Fix invalid power_supply_powers calls
Przemo Firszt [Sun, 5 Feb 2012 22:35:24 +0000 (22:35 +0000)]
HID: wacom: Fix invalid power_supply_powers calls

power_supply_powers calls added in 35b4c01e2 ("power_supply: add "powers" links
to self-powered HID devices") have to be called after power device is created.
This patch also fixes the second call - it has to be "ac" instead of "battery"

Signed-off-by: Przemo Firszt <przemo@firszt.eu>
Signed-off-by: Chris Bagwell <chris@cnpbagwell.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
12 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux...
Jiri Kosina [Mon, 6 Feb 2012 15:11:09 +0000 (16:11 +0100)]
Merge branch 'master' of git://git./linux/kernel/git/torvalds/linux into upstream-fixes

Sync with Linus' tree. This is necessary to have a base for
patch that fixes commit 35b4c01e29b ("power_supply: add "powers"
links to self-powered HID devices") which went in through Anton's
tree.

12 years agoASoC: wm8994: Enabling VMID should take a runtime PM reference
Mark Brown [Mon, 6 Feb 2012 12:07:08 +0000 (12:07 +0000)]
ASoC: wm8994: Enabling VMID should take a runtime PM reference

We can enable VMID independently of the bias in some use cases so we need
to ensure that the core device is powered up.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Cc: stable@vger.kernel.org
12 years agoALSA: hda/realtek - Fix a wrong condition
Takashi Iwai [Mon, 6 Feb 2012 09:24:04 +0000 (10:24 +0100)]
ALSA: hda/realtek - Fix a wrong condition

sparse complains that "spec->multiout.dac_nids" is a pointer.

sound/pci/hda/patch_realtek.c:2321:37: error: incompatible types for operation (>)
sound/pci/hda/patch_realtek.c:2321:37:    left side has type unsigned short const [usertype] *dac_nids
sound/pci/hda/patch_realtek.c:2321:37:    right side has type int

It was meant to be num_dacs instead of dac_nids.
Although the current code still works as expected (when num_dacs is zero,
dac_nids should be NULL, too), better to fix now, of course.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
12 years agoALSA: emu8000: Remove duplicate linux/moduleparam.h include from emu8000_patch.c
Jesper Juhl [Sun, 5 Feb 2012 00:27:44 +0000 (01:27 +0100)]
ALSA: emu8000: Remove duplicate linux/moduleparam.h include from emu8000_patch.c

The header 'linux/moduleparam.h' is included twice in
'sound/isa/sb/emu8000_patch.c'. Once is enough.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
12 years agospi-topcliff-pch: rename pch_spi_pcidev to pch_spi_pcidev_driver
Danny Kukawka [Thu, 2 Feb 2012 13:20:30 +0000 (14:20 +0100)]
spi-topcliff-pch: rename pch_spi_pcidev to pch_spi_pcidev_driver

Rename static struct pci_driver pch_spi_pcidev to
pch_spi_pcidev_driver to get rid of warnings from modpost checks.

Signed-off-by: Danny Kukawka <danny.kukawka@bisect.de>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
12 years agospi: Add spi-s3c64xx driver dependency on ARCH_EXYNOS4
Sylwester Nawrocki [Wed, 25 Jan 2012 16:20:59 +0000 (17:20 +0100)]
spi: Add spi-s3c64xx driver dependency on ARCH_EXYNOS4

The spi-s3c64xx driver is also used on Exynos4 so update the dependency
to enable build on those platforms.

Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
[grant.likely: relax depends to ARCH_EXYNOS instead of ARCH_EXYNOS4]
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
12 years agohwmon: (w83627ehf) Fix number of fans for NCT6776F
Guenter Roeck [Fri, 27 Jan 2012 13:43:59 +0000 (05:43 -0800)]
hwmon: (w83627ehf) Fix number of fans for NCT6776F

NCT6776F can select fan input pins for fans 3 to 5 with a secondary set of
chip register bits. Check that second set of bits in addition to the first set
to detect if fans 3..5 are monitored.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Cc: stable@vger.kernel.org # 3.0+
Acked-by: Jean Delvare <khali@linux-fr.org>
12 years agoMerge tag 'pm-fixes-for-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Sat, 4 Feb 2012 23:21:39 +0000 (15:21 -0800)]
Merge tag 'pm-fixes-for-3.3-rc3' of git://git./linux/kernel/git/rafael/linux-pm

Power management fixes for 3.3-rc3

Three power management regression fixes, one for a recent regression introcuded
by the freezer changes during the 3.3 merge window and two for regressions
in cpuidle (resulting from PM QoS changes) and in the hibernate user space
interface, both introduced during the 3.2 development cycle.

They include:

* Two hibernate (s2disk) regression fixes from Srivatsa S. Bhat (for
 regressions introduced during the 3.3 merge window and during the 3.2
 development cycle).

* A cpuidle fix from Venki Pallipadi for a regression resulting from PM QoS
 changes during the 3.2 development cycle causing cpuidle to work incorrectly
 for CONFIG_PM unset.

* tag 'pm-fixes-for-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  PM / QoS: CPU C-state breakage with PM Qos change
  PM / Freezer: Thaw only kernel threads if freezing of kernel threads fails
  PM / Hibernate: Thaw kernel threads in SNAPSHOT_CREATE_IMAGE ioctl path

12 years agoPM / QoS: CPU C-state breakage with PM Qos change
Venkatesh Pallipadi [Fri, 3 Feb 2012 21:22:25 +0000 (22:22 +0100)]
PM / QoS: CPU C-state breakage with PM Qos change

Looks like change "PM QoS: Move and rename the implementation files"
merged during the 3.2 development cycle made PM QoS depend on
CONFIG_PM which depends on (PM_SLEEP || PM_RUNTIME).

That breaks CPU C-states with kernels not having these CONFIGs, causing CPUs
to spend time in Polling loop idle instead of going into deep C-states,
consuming way way more power. This is with either acpi idle or intel idle
enabled.

Either CONFIG_PM should be enabled with any pm_qos users or
the !CONFIG_PM pm_qos_request() should return sane defaults not to break
the existing users. Here's is the patch for the latter option.

[rjw: Modified the changelog slightly.]

Signed-off-by: Venkatesh Pallipadi <venki@google.com>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Cc: stable@vger.kernel.org
12 years agoPM / Freezer: Thaw only kernel threads if freezing of kernel threads fails
Srivatsa S. Bhat [Fri, 3 Feb 2012 21:22:41 +0000 (22:22 +0100)]
PM / Freezer: Thaw only kernel threads if freezing of kernel threads fails

If freezing of kernel threads fails, we are expected to automatically
thaw tasks in the error recovery path. However, at times, we encounter
situations in which we would like the automatic error recovery path
to thaw only the kernel threads, because we want to be able to do
some more cleanup before we thaw userspace. Something like:

error = freeze_kernel_threads();
if (error) {
/* Do some cleanup */

/* Only then thaw userspace tasks*/
thaw_processes();
}

An example of such a situation is where we freeze/thaw filesystems
during suspend/hibernation. There, if freezing of kernel threads
fails, we would like to thaw the frozen filesystems before thawing
the userspace tasks.

So, modify freeze_kernel_threads() to thaw only kernel threads in
case of freezing failure. And change suspend_freeze_processes()
accordingly. (At the same time, let us also get rid of the rather
cryptic usage of the conditional operator (:?) in that function.)

[rjw: In fact, this patch fixes a regression introduced during the
 3.3 merge window, because without it thaw_processes() may be called
 before swsusp_free() in some situations and that may lead to massive
 memory allocation failures.]

Signed-off-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Acked-by: Tejun Heo <tj@kernel.org>
Acked-by: Nigel Cunningham <nigel@tuxonice.net>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
12 years agoMerge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm...
Linus Torvalds [Sat, 4 Feb 2012 20:11:40 +0000 (12:11 -0800)]
Merge tag 'fixes-for-linus' of git://git./linux/kernel/git/arm/arm-soc

arm-soc fixes for 3.3-rc

* A series of OMAP regression fixes for merge window fallout
* Two patches for Davinci, one removes some misdefined clocks, the other
  is a regression fix for merge window fallout
* Two patches that makes Broadcom bcmring build again (and removes a
  bunch of unused code in the process)

* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  ARM: bcmring: fix build failure in mach-bcmring/arch.c
  ARM: bcmring: remove unused DMA map code
  ARM: davinci: update mdio bus name
  ARM: OMAP2+: arch/arm/mach-omap2/smartreflex.c: add missing iounmap
  ARM: OMAP2+: arch/arm/mach-omap2/devices.c: introduce missing kfree
  ARM: OMAP: fix MMC2 loopback clock handling
  ARM: OMAP: fix erroneous mmc2 clock change on mmc3 setup
  ARM: OMAP2+: GPMC: fix device size setup
  ARM: OMAP2+: timer: Fix crash due to wrong arg to __omap_dm_timer_read_counter
  ARM: OMAP3: hwmod data: register dss hwmods after dss_core
  ARM: OMAP2/3: PRM: fix missing plat/irqs.h build breakage
  ARM: OMAP2+: io: fix compilation breakage on 2420-only configs
  ARM: OMAP4: hwmod data: Add names for DMIC memory address space
  ARM: OMAP3: hwmod data: add SYSC_HAS_ENAWAKEUP for dispc
  ARM: OMAP2+: hwmod data: split omap2/3 dispc hwmod class
  ARM: davinci: DA850: remove non-existing pll1_sysclk4-7 clocks
  ARM: OMAP2: fix regulator warnings
  ARM: OMAP2: fix omap3 touchbook kconfig warning
  i2c: OMAP: Fix OMAP1 build error

12 years agoARM: bcmring: fix build failure in mach-bcmring/arch.c
Paul Gortmaker [Sat, 4 Feb 2012 19:29:02 +0000 (11:29 -0800)]
ARM: bcmring: fix build failure in mach-bcmring/arch.c

Upstream commit d1fce9c115eeb93e01c01732dfe9a86cf76009cf

   "ARM: restart: bcmring: use new restart hook"

breaks building of this platform, since what used to be the
last field of the MACHINE_START/END block didn't have a
trailing comma.  Once another field was added below, we get:

arch/arm/mach-bcmring/arch.c:198: error: request for member 'restart' in something not a structure or union

Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Acked-by: Jiandong Zheng <jdzheng@broadcom.com>
Signed-off-by: Olof Johansson <olof@lixom.net>
12 years agoARM: bcmring: remove unused DMA map code
JD Zheng [Mon, 30 Jan 2012 18:59:01 +0000 (10:59 -0800)]
ARM: bcmring: remove unused DMA map code

Remove BCMRING DMA map code which is no longer used.

This also fixes a build error with dma.c introduced by
bfcd2ea6a40b33270564d706396f1b514a988d3c.

Signed-off-by: Jiandong Zheng <jdzheng@broadcom.com>
Signed-off-by: Olof Johansson <olof@lixom.net>
12 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Linus Torvalds [Sat, 4 Feb 2012 18:57:42 +0000 (10:57 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/dtor/input

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: i8042 - add Lenovo Ideapad U455 to 'reset' blacklist
  Input: serio_raw - return proper result when serio_raw_read fails
  Input: document device properties
  Input: twl4030_keypad - fix comment (trivial)
  Input: gpio_keys - fix struct device declared inside parameter list
  Input: evdev - fix variable initialisation

12 years agoMerge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma
Linus Torvalds [Sat, 4 Feb 2012 18:54:26 +0000 (10:54 -0800)]
Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma

* 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
  i.MX SDMA: Fix burstsize settings
  ARM: mach-shmobile: both USB DMAC instances on sh7372 are slave-only
  dma: sh_dma: not all SH DMAC implementations support MEMCPY
  at_hdmac: bugfix for enabling channel irq
  dmaengine: fix missing 'cnt' in ?: in dmatest

12 years agoMerge branch 'akpm'
Linus Torvalds [Sat, 4 Feb 2012 18:51:54 +0000 (10:51 -0800)]
Merge branch 'akpm'

* akpm:
  mm: compaction: check pfn_valid when entering a new MAX_ORDER_NR_PAGES block during isolation for migration
  readahead: fix pipeline break caused by block plug
  kprobes: fix a memory leak in function pre_handler_kretprobe()
  drivers/tty/vt/vt_ioctl.c: fix KDFONTOP 32bit compatibility layer
  lkdtm: avoid calling lkdtm_do_action() with spinlock held
  mm/filemap_xip.c: fix race condition in xip_file_fault()
  mm/memcontrol.c: fix warning with CONFIG_NUMA=n
  avr32: select generic atomic64_t support
  mm: postpone migrated page mapping reset
  xtensa: fix memscan()
  MAINTAINERS: update lguest F: patterns
  MAINTAINERS: remove staging sections
  MAINTAINERS: remove iMX5 section
  MAINTAINERS: update partitions block F: patterns

12 years agoMerge tag 'for-linus-3.3' of git://git.infradead.org/~dwmw2/mtd-3.3
Linus Torvalds [Sat, 4 Feb 2012 15:17:47 +0000 (07:17 -0800)]
Merge tag 'for-linus-3.3' of git://git.infradead.org/~dwmw2/mtd-3.3

 - Fix a regression in 16-bit Atmel NAND flash which was introduced in 3.1
 - Fix breakage with MTD suspend caused by the API rework
 - Fix a problem with resetting the MX28 BCH module
 - A couple of other trivial fixes

* tag 'for-linus-3.3-20120204' of git://git.infradead.org/~dwmw2/mtd-3.3:
  Revert "mtd: atmel_nand: optimize read/write buffer functions"
  mtd: fix MTD suspend
  jffs2: do not initialize variable unnecessarily
  mtd: gpmi-nand bugfix: reset the BCH module when it is not MX23
  mtd: nand: fix typo in comment

12 years agoRevert "mtd: atmel_nand: optimize read/write buffer functions"
Artem Bityutskiy [Thu, 2 Feb 2012 11:54:25 +0000 (13:54 +0200)]
Revert "mtd: atmel_nand: optimize read/write buffer functions"

This reverts commit fb5427508abbd635e877fabdf55795488119c2d6.

The reason is that it breaks 16 bits NAND flash as it was reported by
Nikolaus Voss and confirmed by Eric BĂ©nard.

Nicolas Ferre <nicolas.ferre@atmel.com> alco confirmed:
"After double checking with designers, I must admit that I misunderstood
the way of optimizing accesses to SMC. 16 bit nand is not so common
those days..."

Reported-by: Nikolaus Voss <n.voss@weinmann.de>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Cc: stable@kernel.org [3.1+]
12 years agoMerge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm
Linus Torvalds [Sat, 4 Feb 2012 00:57:40 +0000 (16:57 -0800)]
Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm

* 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
  ARM: 7314/1: kuser: consistently use usr_ret for returning from helpers
  ARM: 7302/1: Add TLB flushing for both entries in a PMD
  ARM: 7303/1: perf: add empty NODE event definitions for Cortex-A5 and Cortex-A15
  ARM: 7308/1: vfp: flush thread hwstate before copying ptrace registers
  ARM: 7307/1: vfp: fix ptrace regset modification race
  ARM: 7306/1: vfp: flush thread hwstate before restoring context from sigframe
  Revert "ARM: 7304/1: ioremap: fix boundary check when reusing static mapping"

12 years agomm: compaction: check pfn_valid when entering a new MAX_ORDER_NR_PAGES block during...
Mel Gorman [Fri, 3 Feb 2012 23:37:18 +0000 (15:37 -0800)]
mm: compaction: check pfn_valid when entering a new MAX_ORDER_NR_PAGES block during isolation for migration

When isolating for migration, migration starts at the start of a zone
which is not necessarily pageblock aligned.  Further, it stops isolating
when COMPACT_CLUSTER_MAX pages are isolated so migrate_pfn is generally
not aligned.  This allows isolate_migratepages() to call pfn_to_page() on
an invalid PFN which can result in a crash.  This was originally reported
against a 3.0-based kernel with the following trace in a crash dump.

PID: 9902   TASK: d47aecd0  CPU: 0   COMMAND: "memcg_process_s"
 #0 [d72d3ad0] crash_kexec at c028cfdb
 #1 [d72d3b24] oops_end at c05c5322
 #2 [d72d3b38] __bad_area_nosemaphore at c0227e60
 #3 [d72d3bec] bad_area at c0227fb6
 #4 [d72d3c00] do_page_fault at c05c72ec
 #5 [d72d3c80] error_code (via page_fault) at c05c47a4
    EAX: 00000000  EBX: 000c0000  ECX: 00000001  EDX: 00000807  EBP: 000c0000
    DS:  007b      ESI: 00000001  ES:  007b      EDI: f3000a80  GS:  6f50
    CS:  0060      EIP: c030b15a  ERR: ffffffff  EFLAGS: 00010002
 #6 [d72d3cb4] isolate_migratepages at c030b15a
 #7 [d72d3d14] zone_watermark_ok at c02d26cb
 #8 [d72d3d2c] compact_zone at c030b8de
 #9 [d72d3d68] compact_zone_order at c030bba1
#10 [d72d3db4] try_to_compact_pages at c030bc84
#11 [d72d3ddc] __alloc_pages_direct_compact at c02d61e7
#12 [d72d3e08] __alloc_pages_slowpath at c02d66c7
#13 [d72d3e78] __alloc_pages_nodemask at c02d6a97
#14 [d72d3eb8] alloc_pages_vma at c030a845
#15 [d72d3ed4] do_huge_pmd_anonymous_page at c03178eb
#16 [d72d3f00] handle_mm_fault at c02f36c6
#17 [d72d3f30] do_page_fault at c05c70ed
#18 [d72d3fb0] error_code (via page_fault) at c05c47a4
    EAX: b71ff000  EBX: 00000001  ECX: 00001600  EDX: 00000431
    DS:  007b      ESI: 08048950  ES:  007b      EDI: bfaa3788
    SS:  007b      ESP: bfaa36e0  EBP: bfaa3828  GS:  6f50
    CS:  0073      EIP: 080487c8  ERR: ffffffff  EFLAGS: 00010202

It was also reported by Herbert van den Bergh against 3.1-based kernel
with the following snippet from the console log.

BUG: unable to handle kernel paging request at 01c00008
IP: [<c0522399>] isolate_migratepages+0x119/0x390
*pdpt = 000000002f7ce001 *pde = 0000000000000000

It is expected that it also affects 3.2.x and current mainline.

The problem is that pfn_valid is only called on the first PFN being
checked and that PFN is not necessarily aligned.  Lets say we have a case
like this

H = MAX_ORDER_NR_PAGES boundary
| = pageblock boundary
m = cc->migrate_pfn
f = cc->free_pfn
o = memory hole

H------|------H------|----m-Hoooooo|ooooooH-f----|------H

The migrate_pfn is just below a memory hole and the free scanner is beyond
the hole.  When isolate_migratepages started, it scans from migrate_pfn to
migrate_pfn+pageblock_nr_pages which is now in a memory hole.  It checks
pfn_valid() on the first PFN but then scans into the hole where there are
not necessarily valid struct pages.

This patch ensures that isolate_migratepages calls pfn_valid when
necessary.

Reported-by: Herbert van den Bergh <herbert.van.den.bergh@oracle.com>
Tested-by: Herbert van den Bergh <herbert.van.den.bergh@oracle.com>
Signed-off-by: Mel Gorman <mgorman@suse.de>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agoreadahead: fix pipeline break caused by block plug
Shaohua Li [Fri, 3 Feb 2012 23:37:17 +0000 (15:37 -0800)]
readahead: fix pipeline break caused by block plug

Herbert Poetzl reported a performance regression since 2.6.39.  The test
is a simple dd read, but with big block size.  The reason is:

T1: ra (A, A+128k), (A+128k, A+256k)
T2: lock_page for page A, submit the 256k
T3: hit page A+128K, ra (A+256k, A+384). the range isn't submitted
because of plug and there isn't any lock_page till we hit page A+256k
because all pages from A to A+256k is in memory
T4: hit page A+256k, ra (A+384, A+ 512). Because of plug, the range isn't
submitted again.
T5: lock_page A+256k, so (A+256k, A+512k) will be submitted. The task is
waitting for (A+256k, A+512k) finish.

There is no request to disk in T3 and T4, so readahead pipeline breaks.

We really don't need block plug for generic_file_aio_read() for buffered
I/O.  The readahead already has plug and has fine grained control when I/O
should be submitted.  Deleting plug for buffered I/O fixes the regression.

One side effect is plug makes the request size 256k, the size is 128k
without it.  This is because default ra size is 128k and not a reason we
need plug here.

Vivek said:

: We submit some readahead IO to device request queue but because of nested
: plug, queue never gets unplugged.  When read logic reaches a page which is
: not in page cache, it waits for page to be read from the disk
: (lock_page_killable()) and that time we flush the plug list.
:
: So effectively read ahead logic is kind of broken in parts because of
: nested plugging.  Removing top level plug (generic_file_aio_read()) for
: buffered reads, will allow unplugging queue earlier for readahead.

Signed-off-by: Shaohua Li <shaohua.li@intel.com>
Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
Reported-by: Herbert Poetzl <herbert@13thfloor.at>
Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agokprobes: fix a memory leak in function pre_handler_kretprobe()
Jiang Liu [Fri, 3 Feb 2012 23:37:16 +0000 (15:37 -0800)]
kprobes: fix a memory leak in function pre_handler_kretprobe()

In function pre_handler_kretprobe(), the allocated kretprobe_instance
object will get leaked if the entry_handler callback returns non-zero.
This may cause all the preallocated kretprobe_instance objects exhausted.

This issue can be reproduced by changing
samples/kprobes/kretprobe_example.c to probe "mutex_unlock".  And the fix
is straightforward: just put the allocated kretprobe_instance object back
onto the free_instances list.

[akpm@linux-foundation.org: use raw_spin_lock/unlock]
Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
Acked-by: Jim Keniston <jkenisto@us.ibm.com>
Acked-by: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agodrivers/tty/vt/vt_ioctl.c: fix KDFONTOP 32bit compatibility layer
Samuel Thibault [Fri, 3 Feb 2012 23:37:15 +0000 (15:37 -0800)]
drivers/tty/vt/vt_ioctl.c: fix KDFONTOP 32bit compatibility layer

KDFONTOP(GET) currently fails with EIO when being run in a 32bit userland
with a 64bit kernel if the font width is not 8.

This is because of the setting of the KD_FONT_FLAG_OLD flag, which makes
con_font_get return EIO in such case.

This flag should *not* be set for KDFONTOP, since it's actually the whole
point of this flag (see comment in con_font_set for instance).

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Cc: Arthur Taylor <art@ified.ca>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agolkdtm: avoid calling lkdtm_do_action() with spinlock held
Cong Wang [Fri, 3 Feb 2012 23:37:15 +0000 (15:37 -0800)]
lkdtm: avoid calling lkdtm_do_action() with spinlock held

lkdtm_do_action() may call sleeping functions like kmalloc(), so do not
call it with spin lock held.

Signed-off-by: WANG Cong <xiyou.wangcong@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <greg@kroah.com>
Reviewed-by: Dave Young <dyoung@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agomm/filemap_xip.c: fix race condition in xip_file_fault()
Carsten Otte [Fri, 3 Feb 2012 23:37:14 +0000 (15:37 -0800)]
mm/filemap_xip.c: fix race condition in xip_file_fault()

Fix a race condition that shows in conjunction with xip_file_fault() when
two threads of the same user process fault on the same memory page.

In this case, the race winner will install the page table entry and the
unlucky loser will cause an oops: xip_file_fault calls vm_insert_pfn (via
vm_insert_mixed) which drops out at this check:

retval = -EBUSY;
if (!pte_none(*pte))
goto out_unlock;

The resulting -EBUSY return value will trigger a BUG_ON() in
xip_file_fault.

This fix simply considers the fault as fixed in this case, because the
race winner has successfully installed the pte.

[akpm@linux-foundation.org: use conventional (and consistent) comment layout]
Reported-by: David Sadler <dsadler@us.ibm.com>
Signed-off-by: Carsten Otte <cotte@de.ibm.com>
Reported-by: Louis Alex Eisner <leisner@cs.ucsd.edu>
Cc: Hugh Dickins <hughd@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agomm/memcontrol.c: fix warning with CONFIG_NUMA=n
Andrew Morton [Fri, 3 Feb 2012 23:37:14 +0000 (15:37 -0800)]
mm/memcontrol.c: fix warning with CONFIG_NUMA=n

mm/memcontrol.c: In function 'memcg_check_events':
mm/memcontrol.c:779: warning: unused variable 'do_numainfo'

Acked-by: Michal Hocko <mhocko@suse.cz>
Cc: Li Zefan <lizf@cn.fujitsu.com>
Cc: Hiroyuki KAMEZAWA <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: "Kirill A. Shutemov" <kirill@shutemov.name>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agoavr32: select generic atomic64_t support
Fabio Baltieri [Fri, 3 Feb 2012 23:37:14 +0000 (15:37 -0800)]
avr32: select generic atomic64_t support

Enable use of the generic atomic64 implementation on AVR32 platforms.
Without this the kernel fails to build as the architecture does not
provide its version.

Signed-off-by: Fabio Baltieri <fabio.baltieri@gmail.com>
Acked-by: Hans-Christian Egtvedt <egtvedt@samfundet.no>
Cc: Haavard Skinnemoen <hskinnemoen@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agomm: postpone migrated page mapping reset
Konstantin Khlebnikov [Fri, 3 Feb 2012 23:37:13 +0000 (15:37 -0800)]
mm: postpone migrated page mapping reset

Postpone resetting page->mapping until the final remove_migration_ptes().
Otherwise the expression PageAnon(migration_entry_to_page(entry)) does not
work.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agoxtensa: fix memscan()
Akinobu Mita [Fri, 3 Feb 2012 23:37:13 +0000 (15:37 -0800)]
xtensa: fix memscan()

Defining memscan() as memchr() is wrong, because the return values of
memscan() and memchr() are different when the character is not found.  So
use the generic memscan() implementation to fix this.

Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Cc: Chris Zankel <chris@zankel.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agoMAINTAINERS: update lguest F: patterns
Joe Perches [Fri, 3 Feb 2012 23:37:13 +0000 (15:37 -0800)]
MAINTAINERS: update lguest F: patterns

commit 07fe9977b623 ("lguest: move the lguest tool to the tools
directory") moved the files, update the patterns.  Sort F: patterns
alphabetically too.

Signed-off-by: Joe Perches <joe@perches.com>
Cc: Davidlohr Bueso <dave@gnu.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agoMAINTAINERS: remove staging sections
Joe Perches [Fri, 3 Feb 2012 23:37:12 +0000 (15:37 -0800)]
MAINTAINERS: remove staging sections

Two commits moved files from staging to drivers/media/

commit d6ce55de3abcc ("[media] move cx25821 out of staging")
commit be30497085080 ("[media] move tm6000 to drivers/media/video")

Remove the sections.

Signed-off-by: Joe Perches <joe@perches.com>
Cc: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agoMAINTAINERS: remove iMX5 section
Joe Perches [Fri, 3 Feb 2012 23:37:12 +0000 (15:37 -0800)]
MAINTAINERS: remove iMX5 section

commit 784a90c0a7d8f5 ("ARM i.MX: Merge i.MX5 support into mach-imx")
merged the files, remove the iMX5 section.

Signed-off-by: Joe Perches <joe@perches.com>
Cc: Amit Kucheria <amit.kucheria@canonical.com>
Cc: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agoMAINTAINERS: update partitions block F: patterns
Joe Perches [Fri, 3 Feb 2012 23:37:11 +0000 (15:37 -0800)]
MAINTAINERS: update partitions block F: patterns

Commit 9be96f3fd101 ("move fs/partitions to block/") moved the files,
update the patterns.

Signed-off-by: Joe Perches <joe@perches.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 years agoMerge tag 'kmemleak-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas...
Linus Torvalds [Fri, 3 Feb 2012 20:41:31 +0000 (12:41 -0800)]
Merge tag 'kmemleak-fixes' of git://git./linux/kernel/git/cmarinas/linux

Trivial kmemleak bug-fixes:

 - Early logging doesn't stop when kmemleak is off by default.
 - Zero-size scanning areas should be ignored (currently it prints a
   warning).

* tag 'kmemleak-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux:
  kmemleak: Disable early logging when kmemleak is off by default
  kmemleak: Only scan non-zero-size areas