13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Sat, 4 Oct 2008 01:22:36 +0000 (18:22 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://
  selinux: Fix an uninitialized variable BUG/panic in selinux_secattr_to_sid()

13 years agoACPI: Make /proc/acpi/wakeup interface handle PCI devices (again)
Rafael J. Wysocki [Fri, 3 Oct 2008 22:23:49 +0000 (15:23 -0700)]
ACPI: Make /proc/acpi/wakeup interface handle PCI devices (again)

Make the ACPI /proc/acpi/wakeup interface set the appropriate wake-up bits
of physical devices corresponding to the ACPI devices and make those bits
be set initially for devices that are enabled to wake up by default.  This
is needed to restore the 2.6.26 and earlier behavior for the PCI devices
that were previously handled correctly with the help of the
/proc/acpi/wakeup interface.

Signed-off-by: Rafael J. Wysocki <>
Cc: Len Brown <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoleds-pca955x: add proper error handling and fix bogus memory handling
Sven Wegener [Fri, 3 Oct 2008 22:23:48 +0000 (15:23 -0700)]
leds-pca955x: add proper error handling and fix bogus memory handling

Check the return value of led_classdev_register and unregister all
registered devices, if registering one device fails.  Also the dynamic
memory handling is totally bogus.  You can't allocate multiple chunks via
kzalloc() and expect them to be in order later.  I wonder how this ever

Signed-off-by: Sven Wegener <>
Acked-by: Nate Case <>
Tested-by: Nate Case <>
Acked-by: Richard Purdie <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoleds-fsg: change order of initialization and deinitialization
Sven Wegener [Fri, 3 Oct 2008 22:23:47 +0000 (15:23 -0700)]
leds-fsg: change order of initialization and deinitialization

On initialization, we first do the ioremap and then register the led devices.
On deinitialization, we do it in reverse order. This prevents someone calling
into the brightness_set functions with an invalid latch_address.

Signed-off-by: Sven Wegener <>
Acked-by: Rod Whitby <>
Acked-by: Richard Purdie <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agodw_dmac: fix copy/paste bug in tasklet
Haavard Skinnemoen [Fri, 3 Oct 2008 22:23:46 +0000 (15:23 -0700)]
dw_dmac: fix copy/paste bug in tasklet

The tasklet checks RAW.BLOCK twice, and does not check RAW.XFER. This is
obviously wrong, and could theoretically cause the driver to hang.

Reported-by: Nicolas Ferre <>
Signed-off-by: Haavard Skinnemoen <>
Acked-by: Dan Williams <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoDocumentation/HOWTO: info about interface changes should CC linux-api@vger
Michael Kerrisk [Fri, 3 Oct 2008 22:23:45 +0000 (15:23 -0700)]
Documentation/HOWTO: info about interface changes should CC linux-api@vger

The "Documentation" section of this file mentions that when an interface
change is made, I should be CCed with info about the change (so that
man-pages can document it).  Additionally request that this info be CCed
to the new list.

Signed-off-by: Michael Kerrisk <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoSubmitChecklist: interfaces changes should CC linux-api@
Michael Kerrisk [Fri, 3 Oct 2008 22:23:44 +0000 (15:23 -0700)]
SubmitChecklist: interfaces changes should CC linux-api@

Mention that patches that change the kernel-userland interface should
be CCed to the new list

Signed-off-by: Michael Kerrisk <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoMAINTAINERS: add mailing list for man-pages
Michael Kerrisk [Fri, 3 Oct 2008 22:23:44 +0000 (15:23 -0700)]
MAINTAINERS: add mailing list for man-pages

Nowadays, man-pages has an associated mailing list.  Mention that list

Signed-off-by: Michael Kerrisk <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agocpusets: remove pj from cpuset maintainers
Paul Jackson [Fri, 3 Oct 2008 22:23:42 +0000 (15:23 -0700)]
cpusets: remove pj from cpuset maintainers

Remove myself from the kernel MAINTAINERS file for cpusets.  I am leaving
SGI and probably will not be active in Linux kernel work.  I can be
reached at <>.  Contact Derek Fults <> for future
SGI+cpuset related issues.  I'm off to the next chapter of this good life.

Signed-off-by: Paul Jackson <>
Cc: Paul Menage <>
Cc: Derek Fults <>
Cc: John Hesterberg <>
Cc: Paul Jackson <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoinclude/linux/stacktrace.h: declare struct task_struct
Andrew Morton [Fri, 3 Oct 2008 22:23:41 +0000 (15:23 -0700)]
include/linux/stacktrace.h: declare struct task_struct

include/linux/stacktrace.h:13: warning:
 'struct task_struct' declared inside parameter list

(This might be a hard error on sparc64, which uses this header and has

Reported-by: "Randy.Dunlap" <>
Acked-by: Ingo Molnar <>
Cc: Peter Zijlstra <>
Cc: Arjan van de Ven <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoorion_spi: fix handling of default transfer speed
Lennert Buytenhek [Fri, 3 Oct 2008 22:23:39 +0000 (15:23 -0700)]
orion_spi: fix handling of default transfer speed

Accept zero (the default!) as a per-transfer clock speed override.

Signed-off-by: Lennert Buytenhek <>
Signed-off-by: David Brownell <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agofbdev: fix recursive notifier and locking when fbdev console is blanked
Krzysztof Helt [Fri, 3 Oct 2008 22:23:38 +0000 (15:23 -0700)]
fbdev: fix recursive notifier and locking when fbdev console is blanked

Fix infinite recursive notifier in the fbdev layer.  This causes recursive
locking.  Dmitry Baryshkov found the problem and confirmed that the patch
fixes the bug.

After doing
# echo 1 > /sys/class/graphics/fb0/blank
I got the following in my kernel log:

[ INFO: possible recursive locking detected ]
2.6.27-rc6-00086-gda63874-dirty #97
echo/1564 is trying to acquire lock:
 ((fb_notifier_list).rwsem){..--}, at: [<c005a384>] __blocking_notifier_call_chain+0x38/0x6c

but task is already holding lock:
 ((fb_notifier_list).rwsem){..--}, at: [<c005a384>] __blocking_notifier_call_chain+0x38/0x6c

other info that might help us debug this:
2 locks held by echo/1564:
 #0:  (&buffer->mutex){--..}, at: [<c00ddde0>] sysfs_write_file+0x30/0x80
 #1:  ((fb_notifier_list).rwsem){..--}, at: [<c005a384>] __blocking_notifier_call_chain+0x38/0x6c

stack backtrace:
[<c0029fe4>] (dump_stack+0x0/0x14) from [<c0060ce0>] (print_deadlock_bug+0xa4/0xd0)
[<c0060c3c>] (print_deadlock_bug+0x0/0xd0) from [<c0060e54>] (check_deadlock+0x148/0x17c)
 r6:c397a1e0 r5:c397a530 r4:c04fcf98
[<c0060d0c>] (check_deadlock+0x0/0x17c) from [<c00637e8>] (validate_chain+0x3c4/0x4f0)
[<c0063424>] (validate_chain+0x0/0x4f0) from [<c0063efc>] (__lock_acquire+0x5e8/0x6b4)
[<c0063914>] (__lock_acquire+0x0/0x6b4) from [<c006402c>] (lock_acquire+0x64/0x78)
[<c0063fc8>] (lock_acquire+0x0/0x78) from [<c0316ca8>] (down_read+0x4c/0x60)
 r7:00000009 r6:ffffffff r5:c0427a40 r4:c005a384
[<c0316c5c>] (down_read+0x0/0x60) from [<c005a384>] (__blocking_notifier_call_chain+0x38/0x6c)
 r5:c0427a40 r4:c0427a74
[<c005a34c>] (__blocking_notifier_call_chain+0x0/0x6c) from [<c005a3d8>] (blocking_notifier_call_chain+0x20/0x28)
 r8:00000009 r7:c086d640 r6:c3967940 r5:00000000 r4:c38984b8
[<c005a3b8>] (blocking_notifier_call_chain+0x0/0x28) from [<c014baa0>] (fb_notifier_call_chain+0x1c/0x24)
[<c014ba84>] (fb_notifier_call_chain+0x0/0x24) from [<c014c18c>] (fb_blank+0x64/0x70)
[<c014c128>] (fb_blank+0x0/0x70) from [<c0155978>] (fbcon_blank+0x114/0x1bc)
 r5:00000001 r4:c38984b8
[<c0155864>] (fbcon_blank+0x0/0x1bc) from [<c0170ea8>] (do_blank_screen+0x1e0/0x2a0)
[<c0170cc8>] (do_blank_screen+0x0/0x2a0) from [<c0154024>] (fbcon_fb_blanked+0x74/0x94)
 r5:c3967940 r4:00000001
[<c0153fb0>] (fbcon_fb_blanked+0x0/0x94) from [<c0154228>] (fbcon_event_notify+0x100/0x12c)
 r5:fffffffe r4:c39bc194
[<c0154128>] (fbcon_event_notify+0x0/0x12c) from [<c005a0d4>] (notifier_call_chain+0x38/0x7c)
[<c005a09c>] (notifier_call_chain+0x0/0x7c) from [<c005a3a0>] (__blocking_notifier_call_chain+0x54/0x6c)
 r8:c3b51ea0 r7:00000009 r6:ffffffff r5:c0427a40 r4:c0427a74
[<c005a34c>] (__blocking_notifier_call_chain+0x0/0x6c) from [<c005a3d8>] (blocking_notifier_call_chain+0x20/0x28)
 r8:00000001 r7:c3a7e000 r6:00000000 r5:00000000 r4:c38984b8
[<c005a3b8>] (blocking_notifier_call_chain+0x0/0x28) from [<c014baa0>] (fb_notifier_call_chain+0x1c/0x24)
[<c014ba84>] (fb_notifier_call_chain+0x0/0x24) from [<c014c18c>] (fb_blank+0x64/0x70)
[<c014c128>] (fb_blank+0x0/0x70) from [<c014e450>] (store_blank+0x54/0x7c)
 r5:c38984b8 r4:c3b51ec4
[<c014e3fc>] (store_blank+0x0/0x7c) from [<c017981c>] (dev_attr_store+0x28/0x2c)
 r8:00000001 r7:c042bf80 r6:c39eba10 r5:c3967c30 r4:c38e0140
[<c01797f4>] (dev_attr_store+0x0/0x2c) from [<c00ddaac>] (flush_write_buffer+0x54/0x68)
[<c00dda58>] (flush_write_buffer+0x0/0x68) from [<c00dde08>] (sysfs_write_file+0x58/0x80)
 r8:c3b51f78 r7:c3bcb070 r6:c39eba10 r5:00000001 r4:00000001
[<c00dddb0>] (sysfs_write_file+0x0/0x80) from [<c009de04>] (vfs_write+0xb8/0x148)
[<c009dd4c>] (vfs_write+0x0/0x148) from [<c009e384>] (sys_write+0x44/0x70)
 r7:00000004 r6:c3bcb070 r5:00000000 r4:00000000
[<c009e340>] (sys_write+0x0/0x70) from [<c0025d00>] (ret_fast_syscall+0x0/0x2c)
 r6:4001b000 r5:00000001 r4:401dc658

Signed-off-by: Krzysztof Helt <>
Reported-by: Dmitry Baryshkov <>
Testted-by: Dmitry Baryshkov <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agortc: fix kernel panic on second use of SIGIO nofitication
Marcin Slusarz [Fri, 3 Oct 2008 22:23:36 +0000 (15:23 -0700)]
rtc: fix kernel panic on second use of SIGIO nofitication

When userspace uses SIGIO notification and forgets to disable it before
closing file descriptor, rtc->async_queue contains stale pointer to struct
file.  When user space enables again SIGIO notification in different
process, kernel dereferences this (poisoned) pointer and crashes.

So disable SIGIO notification on close.

Kernel panic:
(second run of qemu (requires echo 1024 > /sys/class/rtc/rtc0/max_user_freq))

general protection fault: 0000 [1] PREEMPT
Modules linked in: af_packet snd_pcm_oss snd_mixer_oss snd_seq_oss snd_seq_midi_event snd_seq usbhid tuner tea5767 tda8290 tuner_xc2028 xc5000 tda9887 tuner_simple tuner_types mt20xx tea5761 tda9875 uhci_hcd ehci_hcd usbcore bttv snd_via82xx snd_ac97_codec ac97_bus snd_pcm snd_timer ir_common compat_ioctl32 snd_page_alloc videodev v4l1_compat snd_mpu401_uart snd_rawmidi v4l2_common videobuf_dma_sg videobuf_core snd_seq_device snd btcx_risc soundcore tveeprom i2c_viapro
Pid: 5781, comm: qemu-system-x86 Not tainted 2.6.27-rc6 #363
RIP: 0010:[<ffffffff8024f891>]  [<ffffffff8024f891>] __lock_acquire+0x3db/0x73f
RSP: 0000:ffffffff80674cb8  EFLAGS: 00010002
RAX: ffff8800224c62f0 RBX: 0000000000000046 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800224c62f0
RBP: ffffffff80674d08 R08: 0000000000000002 R09: 0000000000000001
R10: ffffffff80238941 R11: 0000000000000001 R12: 0000000000000000
R13: 6b6b6b6b6b6b6b6b R14: ffff88003a450080 R15: 0000000000000000
FS:  00007f98b69516f0(0000) GS:ffffffff80623200(0000) knlGS:00000000f7cc86d0
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000a87000 CR3: 0000000022598000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process qemu-system-x86 (pid: 5781, threadinfo ffff880028812000, task ffff88003a450080)
Stack:  ffffffff80674cf8 0000000180238440 0000000200000002 0000000000000000
 ffff8800224c62f0 0000000000000046 0000000000000000 0000000000000002
 0000000000000002 0000000000000000 ffffffff80674d68 ffffffff8024fc7a
Call Trace:
 <IRQ>  [<ffffffff8024fc7a>] lock_acquire+0x85/0xa9
 [<ffffffff8029cb62>] ? send_sigio+0x2a/0x184
 [<ffffffff80491d1f>] _read_lock+0x3e/0x4a
 [<ffffffff8029cb62>] ? send_sigio+0x2a/0x184
 [<ffffffff8029cb62>] send_sigio+0x2a/0x184
 [<ffffffff8024fb97>] ? __lock_acquire+0x6e1/0x73f
 [<ffffffff8029cd4d>] ? kill_fasync+0x2c/0x4e
 [<ffffffff8029cd10>] __kill_fasync+0x54/0x65
 [<ffffffff8029cd5b>] kill_fasync+0x3a/0x4e
 [<ffffffff80402896>] rtc_update_irq+0x9c/0xa5
 [<ffffffff80404640>] cmos_interrupt+0xae/0xc0
 [<ffffffff8025d1c1>] handle_IRQ_event+0x25/0x5a
 [<ffffffff8025e5e4>] handle_edge_irq+0xdd/0x123
 [<ffffffff8020da34>] do_IRQ+0xe4/0x144
 [<ffffffff8020bad6>] ret_from_intr+0x0/0xf
 <EOI>  [<ffffffff8026fdc2>] ? __alloc_pages_internal+0xe7/0x3ad
 [<ffffffff8033fe67>] ? clear_page_c+0x7/0x10
 [<ffffffff8026fc10>] ? get_page_from_freelist+0x385/0x450
 [<ffffffff8026fdc2>] ? __alloc_pages_internal+0xe7/0x3ad
 [<ffffffff80280aac>] ? anon_vma_prepare+0x2e/0xf6
 [<ffffffff80279400>] ? handle_mm_fault+0x227/0x6a5
 [<ffffffff80494716>] ? do_page_fault+0x494/0x83f
 [<ffffffff8049251d>] ? error_exit+0x0/0xa9

Code: cc 41 39 45 28 74 24 e8 5e 1d 0f 00 85 c0 0f 84 6a 03 00 00 83 3d 8f a9 aa 00 00 be 47 03 00 00 0f 84 6a 02 00 00 e9 53 03 00 00 <41> ff 85 38 01 00 00 45 8b be 90 06 00 00 41 83 ff 2f 76 24 e8
RIP  [<ffffffff8024f891>] __lock_acquire+0x3db/0x73f
 RSP <ffffffff80674cb8>
---[ end trace 431877d860448760 ]---
Kernel panic - not syncing: Aiee, killing interrupt handler!

Signed-off-by: Marcin Slusarz <>
Acked-by: Alessandro Zummo <>
Acked-by: David Brownell <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoselinux: Fix an uninitialized variable BUG/panic in selinux_secattr_to_sid()
Paul Moore [Fri, 3 Oct 2008 14:51:15 +0000 (10:51 -0400)]
selinux: Fix an uninitialized variable BUG/panic in selinux_secattr_to_sid()

At some point during the 2.6.27 development cycle two new fields were added
to the SELinux context structure, a string pointer and a length field.  The
code in selinux_secattr_to_sid() was not modified and as a result these two
fields were left uninitialized which could result in erratic behavior,
including kernel panics, when NetLabel is used.  This patch fixes the
problem by fully initializing the context in selinux_secattr_to_sid() before
use and reducing the level of direct context manipulation done to help
prevent future problems.

Please apply this to the 2.6.27-rcX release stream.

Signed-off-by: Paul Moore <>
Signed-off-by: James Morris <>
13 years agoMerge branch 'upstream' of git://
Linus Torvalds [Fri, 3 Oct 2008 21:11:43 +0000 (14:11 -0700)]
Merge branch 'upstream' of git://

* 'upstream' of git://
  [MIPS] SMTC: Fix SMTC dyntick support.
  [MIPS] SMTC: Close tiny holes in the SMTC IPI replay system.
  [MIPS] SMTC: Fix holes in SMTC and FPU affinity support.
  [MIPS] SMTC: Build fix: Fix filename in Makefile
  [MIPS] Build fix: Fix irq flags type

13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Fri, 3 Oct 2008 20:43:05 +0000 (13:43 -0700)]
Merge branch 'for-linus' of git://

* 'for-linus' of git://
  [S390] qdio: prevent stack clobber
  [S390] nohz: Fix __udelay.

13 years agoFix init/main.c to use regular printk with '%pF' for initcall fn
Linus Torvalds [Fri, 3 Oct 2008 20:38:07 +0000 (13:38 -0700)]
Fix init/main.c to use regular printk with '%pF' for initcall fn

.. small detail, but the silly e1000e initcall warning debugging caused
me to look at this code.  Rather than gouge my eyes out with a spoon, I
just fixed it.

Signed-off-by: Linus Torvalds <>
13 years ago[S390] qdio: prevent stack clobber
Jan Glauber [Fri, 3 Oct 2008 19:55:00 +0000 (21:55 +0200)]
[S390] qdio: prevent stack clobber

Don't print more information than fits into the string on the
stack. Combine the informational output of qdio to fit into
one line.

Signed-off-by: Jan Glauber <>
Signed-off-by: Martin Schwidefsky <>
13 years ago[S390] nohz: Fix __udelay.
Heiko Carstens [Fri, 3 Oct 2008 19:54:59 +0000 (21:54 +0200)]
[S390] nohz: Fix __udelay.

This fixes a regression that came with 934b2857cc576ae53c92a66e63fce7ddcfa74691
("[S390] nohz/sclp: disable timer on synchronous waits.").
If udelay() gets called from a disabled context it sets the clock comparator
to a value where it expects the next interrupt. When the interrupt happens
the clock comparator gets not reset and therefore the interrupt condition
doesn't get cleared. The result is an endless timer interrupt loop.

In addition this patch fixes also the following:

rcutorture reveals that our __udelay implementation is still buggy,
since it might schedule tasklets, but prevents their execution:

NOHZ: local_softirq_pending 42
NOHZ: local_softirq_pending 02
NOHZ: local_softirq_pending 142
NOHZ: local_softirq_pending 02

To fix this we make sure that only the clock comparator interrupt
is enabled when the enabled wait psw is loaded.
Also no code gets called anymore which might schedule tasklets.

Signed-off-by: Heiko Carstens <>
Signed-off-by: Martin Schwidefsky <>
13 years ago[MIPS] SMTC: Fix SMTC dyntick support.
Kevin D. Kissell [Tue, 9 Sep 2008 19:48:52 +0000 (21:48 +0200)]
[MIPS] SMTC: Fix SMTC dyntick support.

Rework of SMTC support to make it work with the new clock event system,
allowing "tickless" operation, and to make it compatible with the use of
the "wait_irqoff" idle loop.  The new clocking scheme means that the
previously optional IPI instant replay mechanism is now required, and has
been made more robust.

Signed-off-by: Kevin D. Kissell <>
Signed-off-by: Ralf Baechle <>
13 years ago[MIPS] SMTC: Close tiny holes in the SMTC IPI replay system.
Kevin D. Kissell [Tue, 9 Sep 2008 19:35:01 +0000 (21:35 +0200)]
[MIPS] SMTC: Close tiny holes in the SMTC IPI replay system.

Signed-off-by: Kevin D. Kissell <>
Signed-off-by: Ralf Baechle <>
13 years ago[MIPS] SMTC: Fix holes in SMTC and FPU affinity support.
Kevin D. Kissell [Tue, 9 Sep 2008 19:33:36 +0000 (21:33 +0200)]
[MIPS] SMTC: Fix holes in SMTC and FPU affinity support.

Signed-off-by: Kevin D. Kissell <>
Signed-off-by: Ralf Baechle <>
13 years ago[MIPS] SMTC: Build fix: Fix filename in Makefile
Ralf Baechle [Wed, 1 Oct 2008 21:23:52 +0000 (22:23 +0100)]
[MIPS] SMTC: Build fix: Fix filename in Makefile

Signed-off-by: Ralf Baechle <>
13 years ago[MIPS] Build fix: Fix irq flags type
Ralf Baechle [Wed, 1 Oct 2008 20:52:41 +0000 (21:52 +0100)]
[MIPS] Build fix: Fix irq flags type

Though from a hardware perspective it would be sensible to use only a
32-bit unsigned int type Linux defines interrupt flags to be stored in
an unsigned long and nothing else.

Signed-off-by: Ralf Baechle <>
13 years agoe1000e: Fix incorrect debug warning
Linus Torvalds [Fri, 3 Oct 2008 16:18:17 +0000 (09:18 -0700)]
e1000e: Fix incorrect debug warning

Doing 'WARN_ON(preempt_count())' was horribly horribly wrong, and would
cause tons of warnings at bootup if PREEMPT was enabled because the
initcalls currently run with the kernel lock, which increments the
preempt count.

At the same time, the warning was also insufficient, since it didn't
check that interrupts were enabled.

The proper debug function to use for something that can sleep and wants
a warning if it's called in the wrong context is 'might_sleep()'.

Reported-by: Christian Borntraeger <>
Signed-off-by: Linus Torvalds <>
13 years agoCheck mapped ranges on sysfs resource files
Linus Torvalds [Fri, 3 Oct 2008 01:52:51 +0000 (18:52 -0700)]
Check mapped ranges on sysfs resource files

This is loosely based on a patch by Jesse Barnes to check the user-space
PCI mappings though the sysfs interfaces.  Quoting Jesse's original

  It's fairly common for applications to map PCI resources through sysfs.
  However, with the current implementation, it's possible for an application
  to map far more than the range corresponding to the resourceN file it
  opened.  This patch plugs that hole by checking the range at mmap time,
  similar to what is done on platforms like sparc64 in their lower level
  PCI remapping routines.

  It was initially put together to help debug the e1000e NVRAM corruption
  problem, since we initially thought an X driver might be walking past the
  end of one of its mappings and clobbering the NVRAM.  It now looks like
  that's not the case, but doing the check is still important for obvious

and this version of the patch differs in that it uses a helper function
to clarify the code, and does all the checks in pages (instead of bytes)
in order to avoid overflows when doing "<< PAGE_SHIFT" etc.

Acked-by: Jesse Barnes <>
Signed-off-by: Linus Torvalds <>
13 years agoe1000e: update version from k4 to k6
Jesse Brandeburg [Thu, 2 Oct 2008 23:33:45 +0000 (16:33 -0700)]
e1000e: update version from k4 to k6

Signed-off-by: Jesse Brandeburg <>
Signed-off-by: Linus Torvalds <>
13 years agoe1000e: debug contention on NVM SWFLAG
Thomas Gleixner [Thu, 2 Oct 2008 23:33:40 +0000 (16:33 -0700)]
e1000e: debug contention on NVM SWFLAG

This patch adds a mutex to the e1000e driver that would help
catch any collisions of two e1000e threads accessing hardware
at the same time.

description and patch updated by Jesse

Signed-off-by: Thomas Gleixner <>
Signed-off-by: Jesse Brandeburg <>
Signed-off-by: Linus Torvalds <>
13 years agoe1000e: drop stats lock
Jesse Brandeburg [Thu, 2 Oct 2008 23:33:35 +0000 (16:33 -0700)]
e1000e: drop stats lock

the stats lock is left over from e1000, e1000e no longer
has the adjust tbi stats function that required the addition
of the stats lock to begin with.

adding a mutex to acquire_swflag helped catch this one too.

Signed-off-by: Jesse Brandeburg <>
Acked-by: Thomas Gleixner <>
Signed-off-by: Linus Torvalds <>
13 years agoe1000e: remove phy read from inside spinlock
Jesse Brandeburg [Thu, 2 Oct 2008 23:33:30 +0000 (16:33 -0700)]
e1000e: remove phy read from inside spinlock

thanks to tglx, we're finding some interesting reentrancy issues.
this patch removes the phy read from inside a spinlock, paving
the way for removing the spinlock completely.  The phy read was
only feeding a statistic that wasn't used.

Signed-off-by: Jesse Brandeburg <>
Acked-by: Thomas Gleixner <>
Signed-off-by: Linus Torvalds <>
13 years agoe1000e: do not ever sleep in interrupt context
Jesse Brandeburg [Thu, 2 Oct 2008 23:33:25 +0000 (16:33 -0700)]
e1000e: do not ever sleep in interrupt context

e1000e was apparently calling two functions that attempted to reserve
the SWFLAG bit for exclusive (to hardware and firmware) access to
the PHY and NVM (aka eeprom).  These accesses could possibly call
msleep to wait for the resource which is not allowed from interrupt

Signed-off-by: Jesse Brandeburg <>
Acked-by: Thomas Gleixner <>
Tested-by: Thomas Gleixner <>
Signed-off-by: Linus Torvalds <>
13 years agoe1000e: reset swflag after resetting hardware
Jesse Brandeburg [Thu, 2 Oct 2008 23:33:20 +0000 (16:33 -0700)]
e1000e: reset swflag after resetting hardware

in the process of debugging things, noticed that the swflag is not reset
by the driver after reset, and the swflag is probably not reset unless
management firmware clears it after 100ms.

Signed-off-by: Jesse Brandeburg <>
Signed-off-by: Linus Torvalds <>
13 years agomm: handle initialising compound pages at orders greater than MAX_ORDER
Andy Whitcroft [Thu, 2 Oct 2008 21:50:18 +0000 (14:50 -0700)]
mm: handle initialising compound pages at orders greater than MAX_ORDER

When we initialise a compound page we initialise the page flags and head
page pointer for all base pages spanned by that page.  When we initialise
a gigantic page (a page of order greater than or equal to MAX_ORDER) we
have to initialise more than MAX_ORDER_NR_PAGES pages.  Currently we
assume that all elements of the mem_map in this page are contigious in
memory.  However this is only guarenteed out to MAX_ORDER_NR_PAGES pages,
and with SPARSEMEM enabled they will not be contigious.  This leads us to
walk off the end of the first section and scribble on everything which
follows, BAD.

When we reach a MAX_ORDER_NR_PAGES boundary we much locate the next
section of the mem_map.  As gigantic pages can only be maximally aligned
we know this will occur at exact multiple of MAX_ORDER_NR_PAGES pages from
the start of the page.

This is a bug fix for the gigantic page support in hugetlbfs.

Credit to Mel Gorman for spotting the issue.

Signed-off-by: Andy Whitcroft <>
Cc: Mel Gorman <>
Cc: Jon Tollefson <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agomm: tiny-shmem nommu fix
Nick Piggin [Thu, 2 Oct 2008 21:50:16 +0000 (14:50 -0700)]
mm: tiny-shmem nommu fix

The previous patch db203d53d474aa068984e409d807628f5841da1b ("mm:
tiny-shmem fix lock ordering: mmap_sem vs i_mutex") to fix the lock
ordering in tiny-shmem breaks shared anonymous and IPC memory on NOMMU
architectures because it was using the expanding truncate to signal ramfs
to allocate a physically contiguous RAM backing the inode (otherwise it is
unusable for "memory mapping" it to userspace).

However do_truncate is what caused the lock ordering error, due to it
taking i_mutex.  In this case, we can actually just call ramfs directly to
allocate memory for the mapping, rather than go via truncate.

Acked-by: David Howells <>
Acked-by: Hugh Dickins <>
Signed-off-by: Nick Piggin <>
Cc: Matt Mackall <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agomemory hotplug: missing zone->lock in test_pages_isolated()
Gerald Schaefer [Thu, 2 Oct 2008 21:50:16 +0000 (14:50 -0700)]
memory hotplug: missing zone->lock in test_pages_isolated()

__test_page_isolated_in_pageblock() in mm/page_isolation.c has a comment
saying that the caller must hold zone->lock. But the only caller of that
function, test_pages_isolated(), does not hold zone->lock and the lock is
also not acquired anywhere before. This patch adds the missing zone->lock
to test_pages_isolated().

We reproducibly run into BUG_ON(!PageBuddy(page)) in __offline_isolated_pages()
during memory hotplug stress test, see trace below. This patch fixes that
problem, it would be good if we could have it in 2.6.27.

kernel BUG at /home/autobuild/BUILD/linux-2.6.26-20080909/mm/page_alloc.c:4561!
illegal operation: 0001 [#1] PREEMPT SMP
Modules linked in: dm_multipath sunrpc bonding qeth_l3 dm_mod qeth ccwgroup vmur
CPU: 1 Not tainted 2.6.26-29.x.20080909-s390default #1
Process memory_loop_all (pid: 10025, task: 2f444028, ksp: 2b10dd28)
Krnl PSW : 040c0000 801727ea (__offline_isolated_pages+0x18e/0x1c4)
 R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:0 CC:0 PM:0
Krnl GPRS: 00000000 7e27fc00 00000000 7e27fc00
 00000000 00000400 00014000 7e27fc01
 00606f00 7e27fc00 00013fe0 2b10dd28
 00000005 80172662 801727b2 2b10dd28
Krnl Code: 801727de5810900c l %r1,12(%r9)
 801727e2a7f4ffb3 brc 15,80172748
 801727e6a7f40001 brc 15,801727e8
 >801727eaa7f4ffbc brc 15,80172762
 801727eea7f40001 brc 15,801727f0
 801727f2a7f4ffaf brc 15,80172750
 801727f6: 0707 bcr 0,%r7
 801727f8: 0017 unknown
Call Trace:
([<0000000000172772>] __offline_isolated_pages+0x116/0x1c4)
 [<00000000001953a2>] offline_isolated_pages_cb+0x22/0x34
 [<000000000013164c>] walk_memory_resource+0xcc/0x11c
 [<000000000019520e>] offline_pages+0x36a/0x498
 [<00000000001004d6>] remove_memory+0x36/0x44
 [<000000000028fb06>] memory_block_change_state+0x112/0x150
 [<000000000028ffb8>] store_mem_state+0x90/0xe4
 [<0000000000289c00>] sysdev_store+0x34/0x40
 [<00000000001ee048>] sysfs_write_file+0xd0/0x178
 [<000000000019b1a8>] vfs_write+0x74/0x118
 [<000000000019b9ae>] sys_write+0x46/0x7c
 [<000000000011160e>] sysc_do_restart+0x12/0x16
 [<0000000077f3e8ca>] 0x77f3e8ca

Signed-off-by: Gerald Schaefer <>
Acked-by: KAMEZAWA Hiroyuki <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agofix error-path NULL deref in alloc_posix_timer()
Dan Carpenter [Thu, 2 Oct 2008 21:50:14 +0000 (14:50 -0700)]
fix error-path NULL deref in alloc_posix_timer()

Found by static checker (

Signed-off-by: Dan Carpenter <>
Acked-by: Thomas Gleixner <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agobraille_console: only register notifiers when the braille console is used
Pascal Terjan [Thu, 2 Oct 2008 21:50:13 +0000 (14:50 -0700)]
braille_console: only register notifiers when the braille console is used

Only register the braille driver VT and keyboard notifiers when the
braille console is used.  Avoids eating insert or backspace keys.


Signed-off-by: Pascal Terjan <>
Signed-off-by: Samuel Thibault <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoinotify: fix lock ordering wrt do_page_fault's mmap_sem
Nick Piggin [Thu, 2 Oct 2008 21:50:12 +0000 (14:50 -0700)]
inotify: fix lock ordering wrt do_page_fault's mmap_sem

Fix inotify lock order reversal with mmap_sem due to holding locks over

Signed-off-by: Nick Piggin <>
Reported-by: "Daniel J Blueman" <>
Tested-by: "Daniel J Blueman" <>
Cc: Ingo Molnar <>
Cc: Peter Zijlstra <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agofbcon: fix monochrome color value calculation
David Winn [Thu, 2 Oct 2008 21:50:11 +0000 (14:50 -0700)]
fbcon: fix monochrome color value calculation

Commit 22af89aa0c0b4012a7431114a340efd3665a7617 ("fbcon: replace mono_col
macro with static inline") changed the order of operations for computing
monochrome color values.  This generates 0xffff000f instead of 0x0000000f
for a 4 bit monochrome color, leading to image corruption if it is passed
to cfb_imageblit or other similar functions.  Fix it up.

Cc: Harvey Harrison <>
Cc: "Antonino A. Daplas" <>
Cc: Krzysztof Helt <>
Cc: <> [2.6.26.x]
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Thu, 2 Oct 2008 14:54:32 +0000 (07:54 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/tiwai/sound-2.6

* 'for-linus' of git://
  ALSA: snd-powermac: HP detection for 1st iMac G3 SL
  ALSA: snd-powermac: mixers for PowerMac G4 AGP
  ASoC: Set correct name for WM8753 rec mixer output

13 years agoMerge branch 'asoc-fixes' into for-linus
Takashi Iwai [Thu, 2 Oct 2008 10:50:50 +0000 (12:50 +0200)]
Merge branch 'asoc-fixes' into for-linus

13 years agoALSA: snd-powermac: HP detection for 1st iMac G3 SL
Risto Suominen [Mon, 25 Aug 2008 06:04:23 +0000 (08:04 +0200)]
ALSA: snd-powermac: HP detection for 1st iMac G3 SL

Correct headphone detection for 1st generation iMac G3 Slot-loading (Screamer).

This patch fixes the regression in the recent snd-powermac which
doesn't support some G3/G4 PowerMacs:

Signed-off-by: Risto Suominen <>
Tested-by: Mariusz Kozlowski <>
Signed-off-by: Takashi Iwai <>
13 years agoALSA: snd-powermac: mixers for PowerMac G4 AGP
Risto Suominen [Mon, 25 Aug 2008 06:02:12 +0000 (08:02 +0200)]
ALSA: snd-powermac: mixers for PowerMac G4 AGP

Add mixer controls for PowerMac G4 AGP (Screamer).

This patch fixes the regression in the recent snd-powermac which
doesn't support some G3/G4 PowerMacs:

Signed-off-by: Risto Suominen <>
Tested-by: Mariusz Kozlowski <>
Signed-off-by: Takashi Iwai <>
13 years agoASoC: Set correct name for WM8753 rec mixer output
Rob Sims [Wed, 1 Oct 2008 19:47:31 +0000 (21:47 +0200)]
ASoC: Set correct name for WM8753 rec mixer output

Rob Sims wrote:

"I can't seem to turn on register 0x17, bit 3 in the sound chip, except
by codec_reg_write; the mixer lacks direct or indirect control.  It
seems there are two names for the output of the rec mixer:
Capture ST Mixer
Playback Mixer

Would the following do the trick?"

I confirm that this solves the audio problems I was having.

Signed-off-by: Jonas Bonn <>
Signed-off-by: Mark Brown <>
Signed-off-by: Takashi Iwai <>
13 years agopowerpc: Fix boot hang regression on MPC8544DS
Kumar Gala [Thu, 2 Oct 2008 05:58:49 +0000 (00:58 -0500)]
powerpc: Fix boot hang regression on MPC8544DS

Commit 00c5372d37a78990c1530184a9c792ee60a30067 caused the MPC8544DS
board to hang at boot.  The MPC8544DS is unique in that it doesn't use
the PCI slots on the ULI (unlike the MPC8572DS or MPC8610HPCD).  So
the dummy read at the end of the address space causes us to hang.

We can detect the situation by comparing the bridge's BARs versus
the root complex.

Signed-off-by: Kumar Gala <>
13 years agoe1000e: write protect ICHx NVM to prevent malicious write/erase
Bruce Allan [Thu, 2 Oct 2008 00:18:35 +0000 (17:18 -0700)]
e1000e: write protect ICHx NVM to prevent malicious write/erase

Set the hardware to ignore all write/erase cycles to the GbE region in
the ICHx NVM.  This feature can be disabled by the WriteProtectNVM module
parameter (enabled by default) only after a hardware reset, but
the machine must be power cycled before trying to enable writes.

Signed-off-by: Bruce Allan <>
Signed-off-by: Jesse Brandeburg <>
Signed-off-by: Linus Torvalds <>
13 years agopxa2xx_spi: fix build breakage
Mike Rapoport [Wed, 1 Oct 2008 17:39:24 +0000 (10:39 -0700)]
pxa2xx_spi: fix build breakage

This patch fixes a build error in the pxa2xx-spi driver,
introduced by commit 7e96445533ac3f4f7964646a202ff3620602fab4
("pxa2xx_spi: dma bugfixes")

  CC      drivers/spi/pxa2xx_spi.o
drivers/spi/pxa2xx_spi.c: In function 'map_dma_buffers':
drivers/spi/pxa2xx_spi.c:331: error: invalid operands to binary &
drivers/spi/pxa2xx_spi.c:331: error: invalid operands to binary &
drivers/spi/pxa2xx_spi.c: In function 'pump_transfers':
drivers/spi/pxa2xx_spi.c:897: warning: format '%lu' expects type 'long unsigned int', but argument 4 has type 'unsigned int'

[ fix warning too ]

Signed-off-by: Mike Rapoport <>
Acked-by: Eric Miao <>
Signed-off-by: Andrew Morton <>
Signed-off-by: David Brownell <>
Signed-off-by: Linus Torvalds <>
13 years agoMerge branch 'x86-fixes-for-linus' of git://
Linus Torvalds [Wed, 1 Oct 2008 19:26:49 +0000 (12:26 -0700)]
Merge branch 'x86-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'x86-fixes-for-linus' of git://
  x86, vmi: fix broken LDT access
  x86: fix typo in enable_mtrr_cleanup early parameter

13 years agoMN10300: Fix IRQ handling
David Howells [Wed, 1 Oct 2008 12:47:06 +0000 (13:47 +0100)]
MN10300: Fix IRQ handling

Fix the IRQ handling on the MN10300 arch.

This patch makes a number of significant changes:

 (1) It separates the irq_chip definition for edge-triggered interrupts from
     the one for level-triggered interrupts.

     This is necessary because the MN10300 PIC latches the IRQ channel's
     interrupt request bit (GxICR_REQUEST), even after the device has ceased to
     assert its interrupt line and the interrupt channel has been disabled in
     the PIC.  So for level-triggered interrupts we need to clear this bit when
     we re-enable - which is achieved by setting GxICR_DETECT but not
     GxICR_REQUEST when writing to the register.

     Not doing this results in spurious interrupts occurring because calling
     mask_ack() at the start of handle_level_irq() is insufficient - it fails
     to clear the REQUEST latch because the device that caused the interrupt is
     still asserting its interrupt line at this point.

 (2) IRQ disablement [irq_chip::disable_irq()] shouldn't clear the interrupt
     request flag for edge-triggered interrupts lest it lose an interrupt.

 (3) IRQ unmasking [irq_chip::unmask_irq()] also shouldn't clear the interrupt
     request flag for edge-triggered interrupts lest it lose an interrupt.

 (4) The end() operation is now left to the default (no-operation) as
     __do_IRQ() is compiled out.  This may affect misrouted_irq(), but
     according to Thomas Gleixner it's the correct thing to do.

 (5) handle_level_irq() is used for edge-triggered interrupts rather than
     handle_edge_irq() as the MN10300 PIC latches interrupt events even on
     masked IRQ channels, thus rendering IRQ_PENDING unnecessary.  It is
     sufficient to call mask_ack() at the start and unmask() at the end.

 (6) For level-triggered interrupts, ack() is now NULL as it's not used, and
     there is no effective ACK function on the PIC.  mask_ack() is now the
     same as mask() as the latch continues to latch, even when the channel is

Further, the patch discards the disable() op implementation as its now the same
as the mask() op implementation, which is used instead.

It also discards the enable() op implementations as they're now the same as
the unmask() op implementations, which are used instead.

Signed-off-by: David Howells <>
Signed-off-by: Linus Torvalds <>
13 years agoMerge git://
Linus Torvalds [Wed, 1 Oct 2008 16:37:23 +0000 (09:37 -0700)]
Merge git://git./linux/kernel/git/agk/linux-2.6-dm

* git://
  dm mpath: add missing path switching locking
  dm: cope with access beyond end of device in dm_merge_bvec
  dm: always allow one page in dm_merge_bvec

13 years agoMerge git://
Linus Torvalds [Wed, 1 Oct 2008 16:37:04 +0000 (09:37 -0700)]
Merge git://git./linux/kernel/git/davem/net-2.6

* git://
  af_key: Free dumping state on socket close
  XFRM,IPv6: initialize ip6_dst_blackhole_ops.kmem_cachep
  ipv6: NULL pointer dereferrence in tcp_v6_send_ack
  tcp: Fix NULL dereference in tcp_4_send_ack()
  sctp: Fix kernel panic while process protocol violation parameter
  iucv: Fix mismerge again.
  ipsec: Fix pskb_expand_head corruption in xfrm_state_check_space

13 years agodm mpath: add missing path switching locking
Chandra Seetharaman [Wed, 1 Oct 2008 13:39:27 +0000 (14:39 +0100)]
dm mpath: add missing path switching locking

Moving the path activation to workqueue along with scsi_dh patches introduced
a race. It is due to the fact that the current_pgpath (in the multipath data
structure) can be modified if changes happen in any of the paths leading to
the lun. If the changes lead to current_pgpath being set to NULL, then it
leads to the invalid access which results in the panic below.

This patch fixes that by storing the pgpath to activate in the multipath data
structure and properly protecting it.

Note that if activate_path is called twice in succession with different pgpath,
with the second one being called before the first one is done, then activate
path will be called twice for the second pgpath, which is fine.

Unable to handle kernel paging request for data at address 0x00000020
Faulting instruction address: 0xd000000000aa1844
cpu 0x1: Vector: 300 (Data Access) at [c00000006b987a80]
    pc: d000000000aa1844: .activate_path+0x30/0x218 [dm_multipath]
    lr: c000000000087a2c: .run_workqueue+0x114/0x204
    sp: c00000006b987d00
   msr: 8000000000009032
   dar: 20
 dsisr: 40000000
  current = 0xc0000000676bb3f0
  paca    = 0xc0000000006f3680
    pid   = 2528, comm = kmpath_handlerd
enter ? for help
[c00000006b987da0c000000000087a2c .run_workqueue+0x114/0x204
[c00000006b987e40c000000000088b58 .worker_thread+0x120/0x144
[c00000006b987f00c00000000008ca70 .kthread+0x78/0xc4
[c00000006b987f90c000000000027cc8 .kernel_thread+0x4c/0x68

Signed-off-by: Chandra Seetharaman <>
Signed-off-by: Alasdair G Kergon <>
13 years agodm: cope with access beyond end of device in dm_merge_bvec
Mikulas Patocka [Wed, 1 Oct 2008 13:39:24 +0000 (14:39 +0100)]
dm: cope with access beyond end of device in dm_merge_bvec

If for any reason dm_merge_bvec() is given an offset beyond the end of the
device, avoid an oops and always allow one page to be added to an empty bio.
We'll reject the I/O later after the bio is submitted.

Signed-off-by: Mikulas Patocka <>
Signed-off-by: Alasdair G Kergon <>
13 years agodm: always allow one page in dm_merge_bvec
Mikulas Patocka [Wed, 1 Oct 2008 13:39:17 +0000 (14:39 +0100)]
dm: always allow one page in dm_merge_bvec

Some callers assume they can always add at least one page to an empty bio,
so dm_merge_bvec should not return 0 in this case: we'll reject the I/O
later after the bio is submitted.

Signed-off-by: Mikulas Patocka <>
Signed-off-by: Alasdair G Kergon <>
13 years agoaf_key: Free dumping state on socket close
Timo Teras [Wed, 1 Oct 2008 12:17:54 +0000 (05:17 -0700)]
af_key: Free dumping state on socket close

Fix a xfrm_{state,policy}_walk leak if pfkey socket is closed while
dumping is on-going.

Signed-off-by: Timo Teras <>
Signed-off-by: David S. Miller <>
13 years agoXFRM,IPv6: initialize ip6_dst_blackhole_ops.kmem_cachep
Arnaud Ebalard [Wed, 1 Oct 2008 09:37:56 +0000 (02:37 -0700)]
XFRM,IPv6: initialize ip6_dst_blackhole_ops.kmem_cachep

ip6_dst_blackhole_ops.kmem_cachep is not expected to be NULL (i.e. to
be initialized) when dst_alloc() is called from ip6_dst_blackhole().
Otherwise, it results in the following (xfrm_larval_drop is now set to
1 by default):

[   78.697642] Unable to handle kernel paging request for data at address 0x0000004c
[   78.703449] Faulting instruction address: 0xc0097f54
[   78.786896] Oops: Kernel access of bad area, sig: 11 [#1]
[   78.792791] PowerMac
[   78.798383] Modules linked in: btusb usbhid bluetooth b43 mac80211 cfg80211 ehci_hcd ohci_hcd sungem sungem_phy usbcore ssb
[   78.804263] NIP: c0097f54 LR: c0334a28 CTR: c002d430
[   78.809997] REGS: eef19ad0 TRAP: 0300   Not tainted  (2.6.27-rc5)
[   78.815743] MSR: 00001032 <ME,IR,DR>  CR: 22242482  XER: 20000000
[   78.821550] DAR: 0000004c, DSISR: 40000000
[   78.827278] TASK = eef0df40[3035] 'mip6d' THREAD: eef18000
[   78.827408] GPR00: 00001032 eef19b80 eef0df40 00000000 00008020 eef19c30 00000001 00000000
[   78.833249] GPR08: eee5101c c05a5c10 ef9ad500 00000000 24242422 1005787c 00000000 1004f960
[   78.839151] GPR16: 00000000 10024e90 10050040 48030018 0fe44150 00000000 00000000 eef19c30
[   78.845046] GPR24: eef19e44 00000000 eef19bf8 efb37c14 eef19bf8 00008020 00009032 c0596064
[   78.856671] NIP [c0097f54] kmem_cache_alloc+0x20/0x94
[   78.862581] LR [c0334a28] dst_alloc+0x40/0xc4
[   78.868451] Call Trace:
[   78.874252] [eef19b80] [c03c1810] ip6_dst_lookup_tail+0x1c8/0x1dc (unreliable)
[   78.880222] [eef19ba0] [c0334a28] dst_alloc+0x40/0xc4
[   78.886164] [eef19bb0] [c03cd698] ip6_dst_blackhole+0x28/0x1cc
[   78.892090] [eef19be0] [c03d9be8] rawv6_sendmsg+0x75c/0xc88
[   78.897999] [eef19cb0] [c038bca4] inet_sendmsg+0x4c/0x78
[   78.903907] [eef19cd0] [c03207c8] sock_sendmsg+0xac/0xe4
[   78.909734] [eef19db0] [c03209e4] sys_sendmsg+0x1e4/0x2a0
[   78.915540] [eef19f00] [c03220a8] sys_socketcall+0xfc/0x210
[   78.921406] [eef19f40] [c0014b3c] ret_from_syscall+0x0/0x38
[   78.927295] --- Exception: c01 at 0xfe2d730
[   78.927297]     LR = 0xfe2d71c
[   78.939019] Instruction dump:
[   78.944835] 91640018 9144001c 900a0000 4bffff44 9421ffe0 7c0802a6 bf810010 7c9d2378
[   78.950694] 90010024 7fc000a6 57c0045e 7c000124 <83e3004c8383005c 2f9f0000 419e0050
[   78.956464] ---[ end trace 05fa1ed7972487a1 ]---

As commented by Benjamin Thery, the bug was introduced by
f2fc6a54585a1be6669613a31fbaba2ecbadcd36, while adding network
namespaces support to ipv6 routes.

Signed-off-by: Arnaud Ebalard <>
Acked-by: Benjamin Thery <>
Signed-off-by: David S. Miller <>
13 years agoipv6: NULL pointer dereferrence in tcp_v6_send_ack
Denis V. Lunev [Wed, 1 Oct 2008 09:13:16 +0000 (02:13 -0700)]
ipv6: NULL pointer dereferrence in tcp_v6_send_ack

The following actions are possible:
  skb->dev = NULL;
        req->rsk_ops->send_ack == tcp_v6_send_ack

So, skb->dev can be NULL in tcp_v6_send_ack. We must obtain namespace
from dst entry.

Thanks to Vitaliy Gusev <> for initial problem finding
in IPv4 code.

Signed-off-by: Denis V. Lunev <>
Signed-off-by: David S. Miller <>
13 years agotcp: Fix NULL dereference in tcp_4_send_ack()
Vitaliy Gusev [Wed, 1 Oct 2008 08:51:39 +0000 (01:51 -0700)]
tcp: Fix NULL dereference in tcp_4_send_ack()

Fix NULL dereference in tcp_4_send_ack().

As skb->dev is reset to NULL in tcp_v4_rcv() thus OOPS occurs:

BUG: unable to handle kernel NULL pointer dereference at 00000000000004d0
IP: [<ffffffff80498503>] tcp_v4_send_ack+0x203/0x250

Stack:  ffff810005dbb000 ffff810015c8acc0 e77b2c6e5f861600 a01610802e90cb6d
 0a08010100000000 88afffff88afffff 0000000080762be8 0000000115c872e8
 0004122000000000 0000000000000001 ffffffff80762b88 0000000000000020
Call Trace:
 <IRQ>  [<ffffffff80499c33>] tcp_v4_reqsk_send_ack+0x20/0x22
 [<ffffffff8049bce5>] tcp_check_req+0x108/0x14c
 [<ffffffff8047aaf7>] ? rt_intern_hash+0x322/0x33c
 [<ffffffff80499846>] tcp_v4_do_rcv+0x399/0x4ec
 [<ffffffff8045ce4b>] ? skb_checksum+0x4f/0x272
 [<ffffffff80485b74>] ? __inet_lookup_listener+0x14a/0x15c
 [<ffffffff8049babc>] tcp_v4_rcv+0x6a1/0x701
 [<ffffffff8047e739>] ip_local_deliver_finish+0x157/0x24a
 [<ffffffff8047ec9a>] ip_local_deliver+0x72/0x7c
 [<ffffffff8047e5bd>] ip_rcv_finish+0x38d/0x3b2
 [<ffffffff803d3548>] ? scsi_io_completion+0x19d/0x39e
 [<ffffffff8047ebe5>] ip_rcv+0x2a2/0x2e5
 [<ffffffff80462faa>] netif_receive_skb+0x293/0x303
 [<ffffffff80465a9b>] process_backlog+0x80/0xd0
 [<ffffffff802630b4>] ? __rcu_process_callbacks+0x125/0x1b4
 [<ffffffff8046560e>] net_rx_action+0xb9/0x17f
 [<ffffffff80234cc5>] __do_softirq+0xa3/0x164
 [<ffffffff8020c52c>] call_softirq+0x1c/0x28
 <EOI>  [<ffffffff8020de1c>] do_softirq+0x34/0x72
 [<ffffffff80234b8e>] local_bh_enable_ip+0x3f/0x50
 [<ffffffff804d43ca>] _spin_unlock_bh+0x12/0x14
 [<ffffffff804599cd>] release_sock+0xb8/0xc1
 [<ffffffff804a6f9a>] inet_stream_connect+0x146/0x25c
 [<ffffffff80243078>] ? autoremove_wake_function+0x0/0x38
 [<ffffffff8045751f>] sys_connect+0x68/0x8e
 [<ffffffff80291818>] ? fd_install+0x5f/0x68
 [<ffffffff80457784>] ? sock_map_fd+0x55/0x62
 [<ffffffff8020b39b>] system_call_after_swapgs+0x7b/0x80

Code: 41 10 11 d0 83 d0 00 4d 85 ed 89 45 c0 c7 45 c4 08 00 00 00 74 07 41 8b 45 04 89 45 c8 48 8b 43 20 8b 4d b8 48 8d 55 b0 48 89 de <48> 8b 80 d0 04 00 00 48 8b b8 60 01 00 00 e8 20 ae fe ff 65 48
RIP  [<ffffffff80498503>] tcp_v4_send_ack+0x203/0x250
 RSP <ffffffff80762b78>
CR2: 00000000000004d0

Signed-off-by: Vitaliy Gusev <>
Signed-off-by: David S. Miller <>
13 years agox86, vmi: fix broken LDT access
Zachary Amsden [Tue, 30 Sep 2008 18:02:12 +0000 (11:02 -0700)]
x86, vmi: fix broken LDT access

This one took a long time to rear up because LDT usage is not very
common, but the bug is quite serious.  It got introduced along with
another bug, already fixed, by 75b8bb3e56ca09a467fbbe5229bc68627f7445be

After investigating a JRE failure, I found this bug was introduced a long time
ago, and had already managed to survive another bugfix which occurred on the
same line.  The result is a total failure of the JRE due to LDT selectors not
working properly.

Signed-off-by: Zachary Amsden <>
Cc: Glauber de Oliveira Costa <>
Signed-off-by: Ingo Molnar <>
13 years agox86: Fix broken LDT access in VMI
Zachary Amsden [Tue, 30 Sep 2008 18:02:12 +0000 (11:02 -0700)]
x86: Fix broken LDT access in VMI

After investigating a JRE failure, I found this bug was introduced a
long time ago, and had already managed to survive another bugfix which
occurred on the same line.  The result is a total failure of the JRE due
to LDT selectors not working properly.

This one took a long time to rear up because LDT usage is not very
common, but the bug is quite serious.  It got introduced along with
another bug, already fixed, by 75b8bb3e56ca09a467fbbe5229bc68627f7445be

Signed-off-by: Zachary Amsden <>
Cc: Ingo Molnar <>
Cc: Glauber de Oliveira Costa <>
Cc: <>
Signed-off-by: Linus Torvalds <>
13 years agoMerge branch 'release' of git://
Linus Torvalds [Tue, 30 Sep 2008 16:47:16 +0000 (09:47 -0700)]
Merge branch 'release' of git://git./linux/kernel/git/aegl/linux-2.6

* 'release' of git://
  [IA64] Put the space for cpu0 per-cpu area into .data section

13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Tue, 30 Sep 2008 16:38:42 +0000 (09:38 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/tiwai/sound-2.6

* 'for-linus' of git://
  ALSA: hda - Fix model for Dell Inspiron 1525
  ALSA: ASoC: Fix cs4270 error path

13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Tue, 30 Sep 2008 15:42:21 +0000 (08:42 -0700)]
Merge branch 'for-linus' of git://

* 'for-linus' of git://
  mfd: Fix asic3 compilation
  mfd: Fix Kconfig accroding to the new gpiolib symbols

13 years agoMerge branch 'merge' of git://
Linus Torvalds [Tue, 30 Sep 2008 15:40:46 +0000 (08:40 -0700)]
Merge branch 'merge' of git://git./linux/kernel/git/benh/powerpc

* 'merge' of git://
  powerpc: Fix failure to shutdown with CPU hotplug
  powerpc: Fix PCI in Holly device tree

13 years agoMerge branch 'timers-fixes-for-linus' of git://
Linus Torvalds [Tue, 30 Sep 2008 15:39:18 +0000 (08:39 -0700)]
Merge branch 'timers-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'timers-fixes-for-linus' of git://
  hrtimer: prevent migration of per CPU hrtimers
  hrtimer: mark migration state
  hrtimer: fix migration of CB_IRQSAFE_NO_SOFTIRQ hrtimers
  hrtimer: migrate pending list on cpu offline

Acked-by: Paul E. McKenney <>
Acked-by: Benjamin Herrenschmidt <>
Tested-by: Paul E. McKenney <>
13 years agosctp: Fix kernel panic while process protocol violation parameter
Wei Yongjun [Tue, 30 Sep 2008 12:32:24 +0000 (05:32 -0700)]
sctp: Fix kernel panic while process protocol violation parameter

Since call to function sctp_sf_abort_violation() need paramter 'arg' with
'struct sctp_chunk' type, it will read the chunk type and chunk length from
the chunk_hdr member of chunk. But call to sctp_sf_violation_paramlen()
always with 'struct sctp_paramhdr' type's parameter, it will be passed to
sctp_sf_abort_violation(). This may cause kernel panic.

     |-- sctp_sf_abort_violation()
        |-- sctp_make_abort_violation()

This patch fixed this problem. This patch also fix two place which called
sctp_sf_violation_paramlen() with wrong paramter type.

Signed-off-by: Wei Yongjun <>
Signed-off-by: Vlad Yasevich <>
Signed-off-by: David S. Miller <>
13 years agoALSA: hda - Fix model for Dell Inspiron 1525
Takashi Iwai [Tue, 30 Sep 2008 10:58:54 +0000 (12:58 +0200)]
ALSA: hda - Fix model for Dell Inspiron 1525

Dell Inspiron 1525 seems to have a buggy BIOS setup and screws up
the recent codec parser, as reported by Oleksandr Natalenko:

This patch adds the working model, dell-3stack, statically.

Signed-off-by: Takashi Iwai <>
Cc: <>
13 years agoALSA: ASoC: Fix cs4270 error path
Jean Delvare [Tue, 30 Sep 2008 09:40:37 +0000 (11:40 +0200)]
ALSA: ASoC: Fix cs4270 error path

The error path in cs4270_probe/cs4270_remove is pretty broken:
* If cs4270_probe fails, codec is leaked.
* If snd_soc_register_card fails, cs4270_i2c_driver stays registered.
* If I2C support is enabled but no I2C device is found, i2c_del_driver
  is never called (neither in cs4270_probe nor in cs4270_remove.

Fix all 3 problems by implementing a clean error path in cs4270_probe
and jumping to its labels as needed.

Signed-off-by: Jean Delvare <>
Acked-by: Timur Tabi <>
Signed-off-by: Takashi Iwai <>
13 years agoiucv: Fix mismerge again.
Heiko Carstens [Tue, 30 Sep 2008 10:03:35 +0000 (03:03 -0700)]
iucv: Fix mismerge again.

fb65a7c091529bfffb1262515252c0d0f6241c5c ("iucv: Fix bad merging.") fixed
a merge error, but in a wrong way. We now end up with the bug below.
This patch corrects the mismerge like it was intended.

BUG: scheduling while atomic: swapper/1/0x00000000
Modules linked in:
CPU: 1 Not tainted 2.6.27-rc7-00094-gc0f4d6d #9
Process swapper (pid: 1, task: 000000003fe7d988, ksp: 000000003fe838c0)
0000000000000000 000000003fe839b8 0000000000000002 0000000000000000
       000000003fe83a58 000000003fe839d0 000000003fe839d0 0000000000390de6
       000000000058acd8 00000000000000d0 000000003fe7dcd8 0000000000000000
       000000000000000c 000000000000000d 0000000000000000 000000003fe83a28
       000000000039c5b8 0000000000015e5e 000000003fe839b8 000000003fe83a00
Call Trace:
([<0000000000015d6a>] show_trace+0xe6/0x134)
 [<0000000000039656>] __schedule_bug+0xa2/0xa8
 [<0000000000391744>] schedule+0x49c/0x910
 [<0000000000391f64>] schedule_timeout+0xc4/0x114
 [<00000000003910d4>] wait_for_common+0xe8/0x1b4
 [<00000000000549ae>] call_usermodehelper_exec+0xa6/0xec
 [<00000000001af7b8>] kobject_uevent_env+0x418/0x438
 [<00000000001d08fc>] bus_add_driver+0x1e4/0x298
 [<00000000001d1ee4>] driver_register+0x90/0x18c
 [<0000000000566848>] netiucv_init+0x168/0x2c8
 [<00000000000120be>] do_one_initcall+0x3e/0x17c
 [<000000000054a31a>] kernel_init+0x1ce/0x248
 [<000000000001a97a>] kernel_thread_starter+0x6/0xc
 [<000000000001a974>] kernel_thread_starter+0x0/0xc
 iucv: NETIUCV driver initialized
initcall netiucv_init+0x0/0x2c8 returned with preemption imbalance

Signed-off-by: Heiko Carstens <>
Signed-off-by: David S. Miller <>
13 years agoipsec: Fix pskb_expand_head corruption in xfrm_state_check_space
Herbert Xu [Tue, 30 Sep 2008 09:03:19 +0000 (02:03 -0700)]
ipsec: Fix pskb_expand_head corruption in xfrm_state_check_space

We're never supposed to shrink the headroom or tailroom.  In fact,
shrinking the headroom is a fatal action.

Signed-off-by: Herbert Xu <>
Signed-off-by: David S. Miller <>
13 years agox86: fix typo in enable_mtrr_cleanup early parameter
J.A. Magallón [Tue, 30 Sep 2008 08:02:52 +0000 (10:02 +0200)]
x86: fix typo in enable_mtrr_cleanup early parameter

Correct typo for 'enable_mtrr_cleanup' early boot param name.

Signed-off-by: J.A. Magallon <>
Signed-off-by: Ingo Molnar <>
13 years agomfd: Fix asic3 compilation
Samuel Ortiz [Wed, 24 Sep 2008 22:43:59 +0000 (00:43 +0200)]
mfd: Fix asic3 compilation

map_size was declared from the wrong place.

Signed-off-by: Samuel Ortiz <>
13 years agomfd: Fix Kconfig accroding to the new gpiolib symbols
Samuel Ortiz [Wed, 24 Sep 2008 22:39:05 +0000 (00:39 +0200)]
mfd: Fix Kconfig accroding to the new gpiolib symbols

HAVE_GPIO_LIB has basically been replaced by GPIOLIB

Signed-off-by: Samuel Ortiz <>
13 years agopowerpc: Fix failure to shutdown with CPU hotplug
Johannes Berg [Wed, 24 Sep 2008 22:56:25 +0000 (22:56 +0000)]
powerpc: Fix failure to shutdown with CPU hotplug

I tracked down the shutdown regression to CPUs not dying
when being shut down during power-off. This turns out to
be due to the system_state being SYSTEM_POWER_OFF, which
this code doesn't take as a valid state for shutting off
CPUs in.

This has never made sense to me, but when I added hotplug
code to implement hibernate I only "made it work" and did
not question the need to check the system_state. Thomas
Gleixner helped me dig, but the only thing we found is
that it was added with the original commit that added CPU
hotplug support.

Signed-off-by: Johannes Berg <>
Acked-by: Joel Schopp <>
Signed-off-by: Benjamin Herrenschmidt <>
13 years agopowerpc: Fix PCI in Holly device tree
David Gibson [Wed, 24 Sep 2008 16:39:04 +0000 (16:39 +0000)]
powerpc: Fix PCI in Holly device tree

The PCI bridge on the Holly board is incorrectly represented in the
device tree.  The current device tree node for the PCI bridge sits
under the tsi-bridge node.  That's not obviously wrong, but the PCI
bridge translates some PCI spaces into CPU address ranges which were
not translated by the "ranges" property in tsi-bridge node.

We used to get away with this problem because the PCI bridge discovery
code was also buggy, assuming incorrectly that PCI host bridge nodes
were always directly under the root bus and treating the translated
addresses as raw CPU addresses, rather than parent bus addresses.
This has since been fixed, thus breaking Holly.

This could be fixed by adding extra translations to the tsi-bridge
node, but this patch instead moves the Holly PCI bridge out of the
tsi-bridge node to the root bus.  This makes the tsi-bridge node
represent only the built-in IO devices in the bridge, with a
more-or-less contiguous address range.  This is the same convention
used on Freescale SoC chips, where the "soc" node represents only the
IMMR region, and the PCI and other bus bridges are separate nodes
under the root bus.

Signed-off-by: David Gibson <>
Acked-by: Josh Boyer <>
Signed-off-by: Benjamin Herrenschmidt <>
13 years ago[IA64] Put the space for cpu0 per-cpu area into .data section
Tony Luck [Mon, 29 Sep 2008 23:39:19 +0000 (16:39 -0700)]
[IA64] Put the space for cpu0 per-cpu area into .data section

Initial fix for making sure that we can access percpu variables
in all C code (commit: 10617bbe84628eb18ab5f723d3ba35005adde143)
inadvertantly allocated the memory in the "percpu" section of
the vmlinux ELF executable.  This confused kexec/dump.

Signed-off-by: Tony Luck <>
13 years agoLinux 2.6.27-rc8 v2.6.27-rc8
Linus Torvalds [Mon, 29 Sep 2008 22:24:02 +0000 (15:24 -0700)]
Linux 2.6.27-rc8

13 years agomm owner: fix race between swapoff and exit
Balbir Singh [Sun, 28 Sep 2008 22:09:31 +0000 (23:09 +0100)]
mm owner: fix race between swapoff and exit

There's a race between mm->owner assignment and swapoff, more easily
seen when task slab poisoning is turned on.  The condition occurs when
try_to_unuse() runs in parallel with an exiting task.  A similar race
can occur with callers of get_task_mm(), such as /proc/<pid>/<mmstats>
or ptrace or page migration.

CPU0                                    CPU1
                                        looks at mm = task0->mm
                                        increments mm->mm_users
task 0 exits
mm->owner needs to be updated, but no
new owner is found (mm_users > 1, but
no other task has task->mm = task0->mm)
mm_update_next_owner() leaves
                                        mmput(mm) decrements mm->mm_users
task0 freed
                                        dereferencing mm->owner fails

The fix is to notify the subsystem via mm_owner_changed callback(),
if no new owner is found, by specifying the new task as NULL.

Jiri Slaby:
mm->owner was set to NULL prior to calling cgroup_mm_owner_callbacks(), but
must be set after that, so as not to pass NULL as old owner causing oops.

Daisuke Nishimura:
mm_update_next_owner() may set mm->owner to NULL, but mem_cgroup_from_task()
and its callers need to take account of this situation to avoid oops.

Hugh Dickins:
Lockdep warning and hang below exec_mmap() when testing these patches.
exit_mm() up_reads mmap_sem before calling mm_update_next_owner(),
so exec_mmap() now needs to do the same.  And with that repositioning,
there's now no point in mm_need_new_owner() allowing for NULL mm.

Reported-by: Hugh Dickins <>
Signed-off-by: Balbir Singh <>
Signed-off-by: Jiri Slaby <>
Signed-off-by: Daisuke Nishimura <>
Signed-off-by: Hugh Dickins <>
Cc: KAMEZAWA Hiroyuki <>
Cc: Paul Menage <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoMerge branch 'x86-fixes-for-linus' of git://
Linus Torvalds [Mon, 29 Sep 2008 15:39:59 +0000 (08:39 -0700)]
Merge branch 'x86-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'x86-fixes-for-linus' of git://
  x86: disable apm on the olpc

13 years agoMerge git://
Linus Torvalds [Mon, 29 Sep 2008 15:37:29 +0000 (08:37 -0700)]
Merge git://git./linux/kernel/git/bart/ide-2.6

* git://
  cdrom: update ioctl documentation
  ide: note that IDE generic may prevent other drivers from attaching
  ide-tape: fix vendor strings
  Swarm: Fix crash due to missing initialization

13 years agoMerge branch 'upstream' of git://
Linus Torvalds [Mon, 29 Sep 2008 15:31:52 +0000 (08:31 -0700)]
Merge branch 'upstream' of git://

* 'upstream' of git://
  [SSB] Initialise dma_mask for SSB_BUSTYPE_SSB devices
  [MIPS] BCM47xx: Fix build error due to missing PCI functions
  [MIPS] IP27: Switch to dynamic interrupt routing avoding panic on error.
  [MIPS] au1000: Make sure GPIO value is zero or one

13 years agoMerge branch 'linux-m32r' of git://
Linus Torvalds [Mon, 29 Sep 2008 15:30:47 +0000 (08:30 -0700)]
Merge branch 'linux-m32r' of git://

* 'linux-m32r' of git://
  m32r/kernel/: cleanups
  m32r: export __ndelay
  m32r: export empty_zero_page
  m32r: don't offer CONFIG_ISA
  m32r: remove the unused NOHIGHMEM option

13 years agoMerge branch 'for_linus' of git://
Linus Torvalds [Mon, 29 Sep 2008 15:30:11 +0000 (08:30 -0700)]
Merge branch 'for_linus' of git://git./linux/kernel/git/jwessel/linux-2.6-kgdb

* 'for_linus' of git://
  kgdboc,tty: Fix tty polling search to use name correctly
  kgdb, x86_64: fix PS CS SS registers in gdb serial
  kgdb, x86_64: gdb serial has BX and DX reversed
  kgdb, x86, arm, mips, powerpc: ignore user space single stepping
  kgdb: could not write to the last of valid memory with kgdb

13 years agohrtimer: prevent migration of per CPU hrtimers
Thomas Gleixner [Mon, 29 Sep 2008 13:47:42 +0000 (15:47 +0200)]
hrtimer: prevent migration of per CPU hrtimers

Impact: per CPU hrtimers can be migrated from a dead CPU

The hrtimer code has no knowledge about per CPU timers, but we need to
prevent the migration of such timers and warn when such a timer is
active at migration time.

Explicitely mark the timers as per CPU and use a more understandable
mode descriptor for the interrupts safe unlocked callback mode, which
is used by hrtimer_sleeper and the scheduler code.

Signed-off-by: Thomas Gleixner <>
13 years agohrtimer: mark migration state
Thomas Gleixner [Mon, 29 Sep 2008 13:44:46 +0000 (15:44 +0200)]
hrtimer: mark migration state

Impact: during migration active hrtimers can be seen as inactive

The migration code removes the hrtimers from the queues of the dead
CPU and sets the state temporary to INACTIVE. The enqueue code sets it

Prevent that the wrong state can be seen by using a separate migration
state bit.

Signed-off-by: Thomas Gleixner <>
13 years agohrtimer: fix migration of CB_IRQSAFE_NO_SOFTIRQ hrtimers
Thomas Gleixner [Mon, 29 Sep 2008 12:09:39 +0000 (14:09 +0200)]
hrtimer: fix migration of CB_IRQSAFE_NO_SOFTIRQ hrtimers

Impact: Stale timers after a CPU went offline.

commit 37bb6cb4097e29ffee970065b74499cbf10603a3
       hrtimer: unlock hrtimer_wakeup

changed the hrtimer sleeper callback mode to CB_IRQSAFE_NO_SOFTIRQ due
to locking problems. A result of this change is that when enqueue is
called for an already expired hrtimer the callback function is not
longer called directly from the enqueue code. The normal callers have
been fixed in the code, but the migration code which moves hrtimers
from a dead CPU to a live CPU was not made aware of this.

This can be fixed by checking the timer state after the call to
enqueue in the migration code.

Signed-off-by: Thomas Gleixner <>
13 years agohrtimer: migrate pending list on cpu offline
Thomas Gleixner [Mon, 29 Sep 2008 12:06:45 +0000 (14:06 +0200)]
hrtimer: migrate pending list on cpu offline

Impact: hrtimers which are on the pending list are not migrated at cpu
offline and can be stale forever

Add the pending list migration when CONFIG_HIGH_RES_TIMERS is enabled

Signed-off-by: Thomas Gleixner <>
13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Mon, 29 Sep 2008 15:08:16 +0000 (08:08 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/tiwai/sound-2.6

* 'for-linus' of git://
  ALSA: ASoC: Fix another cs4270 error path
  ALSA: make the CS4270 driver a new-style I2C driver

13 years agoMerge git://
Linus Torvalds [Mon, 29 Sep 2008 15:07:46 +0000 (08:07 -0700)]
Merge git://git./linux/kernel/git/jejb/scsi-rc-fixes-2.6

* git://
  [SCSI] qlogicpti: fix sg list traversal error in continuation entries
  [SCSI] Fix hang with split requests
  [SCSI] qla2xxx: Defer enablement of RISC interrupts until ISP initialization completes.

13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Mon, 29 Sep 2008 15:07:04 +0000 (08:07 -0700)]
Merge branch 'for-linus' of git://

* 'for-linus' of git://
  scsi: fix fall out of sg-chaining patch in qlogicpti

13 years agoMerge branch 'upstream-linus' of git://
Linus Torvalds [Mon, 29 Sep 2008 15:05:55 +0000 (08:05 -0700)]
Merge branch 'upstream-linus' of git://git./linux/kernel/git/jgarzik/libata-dev

* 'upstream-linus' of git://
  sata_nv: reinstate nv_hardreset() for non generic controllers

13 years agokconfig: readd lost change count [Mon, 29 Sep 2008 03:27:11 +0000 (05:27 +0200)]
kconfig: readd lost change count

Commit f072181e6403b0fe2e2aa800a005497b748fd284 ("kconfig: drop the
""trying to assign nonexistent symbol" warning") simply dropped the
warnings, but it does a little more than that, it also marks the current
.config as needed saving, so add this back.

Signed-off-by: Roman Zippel <>
Signed-off-by: Linus Torvalds <>
13 years agokconfig: fix silentoldconfig [Mon, 29 Sep 2008 03:27:10 +0000 (05:27 +0200)]
kconfig: fix silentoldconfig

Recent changes to oldconfig have mixed up the silentoldconfig handling,
so this fixes that by clearly separating that special mode, e.g.
KCONFIG_NOSILENTUPDATE is only relevant here, the .config is written as

This will also properly close Bug 11230.

Signed-off-by: Roman Zippel <>
Signed-off-by: Linus Torvalds <>
13 years agoFix NULL pointer dereference in proc_sys_compare
Linus Torvalds [Mon, 29 Sep 2008 14:42:57 +0000 (07:42 -0700)]
Fix NULL pointer dereference in proc_sys_compare

The VFS interface for the 'd_compare()' is a bit special (read: 'odd'),
because it really just essentially replaces a memcmp().  The filesystem
is supposed to just compare the two names with whatever case-independent
or other function.

And when I say 'is supposed to', I obviously mean that 'procfs does odd
things, and actually looks at the dentry that we don't even pass down,
rather than just the name'.  Which results in problems, because we
actually call d_compare before we have even verified that the dentry is
still hashed at all.

And that causes a problm since the inode that procfs looks at may have
been free'd and the d_inode pointer is NULL.  procfs just assumes that
all dentries are positive, since procfs itself never generates a
negative one.  But memory pressure will still result in the dentry
getting torn down, and as it is removed by RCU, it still remains visible
on some lists - and to d_compare.

If the filesystem just did a name comparison, we wouldn't care.  And we
could just fix procfs to know about negative dentries too.  But rather
than have the low-level filesystems know about internal VFS details,
just move the check for a unhashed dentry up a bit, so that we will only
call d_compare on dentries that are still active.

The actual oops this caused didn't look like a NULL pointer dereference
because procfs did a 'container_of(inode, struct proc_inode, vfs_inode)'
to get at its internal proc_inode information from the inode pointer,
and accessed a field below the inode. So the oops would look something

BUG: unable to handle kernel paging request at fffffffffffffff0
IP: [<ffffffff802bc6c6>] proc_sys_compare+0x36/0x50

and was seen on both x86-64 (Alexey Dobriyan and Hugh Dickins) and
ppc64 (Hugh Dickins).

Reported-by: Alexey Dobriyan <>
Acked-by: Hugh Dickins <>
Cc: Al Viro <>
Reviewed-by: "Eric W. Biederman" <>
Signed-of-by: Linus Torvalds <>
13 years agoALSA: ASoC: Fix another cs4270 error path
Jean Delvare [Sat, 27 Sep 2008 18:30:52 +0000 (20:30 +0200)]
ALSA: ASoC: Fix another cs4270 error path

Conversion to new-style i2c driver missed the error path of the
probe function. Fix it.

Signed-off-by: Jean Delvare <>
Cc: Timur Tabi <>
Signed-off-by: Takashi Iwai <>
13 years agoALSA: make the CS4270 driver a new-style I2C driver
Timur Tabi [Tue, 29 Jul 2008 21:35:52 +0000 (16:35 -0500)]
ALSA: make the CS4270 driver a new-style I2C driver

Update the CS4270 ALSA device driver to use the new-style I2C interface.
Starting with the 2.6.27 PowerPC kernel, I2C devices that have entries in the
device trees can no longer be probed by old-style I2C drivers.  The device
tree for Freescale MPC8610 HPCD has included an entry for the CS4270 since
2.6.25, but that entry was previously ignored by the PowerPC I2C subsystem.
Since that's no longer the case, the best solution is to update the CS4270
driver to a new-style interface, rather than try to revert the behavior of
new PowerPC I2C subsystem.

Signed-off-by: Timur Tabi <>
Signed-off-by: Takashi Iwai <>
13 years agoscsi: fix fall out of sg-chaining patch in qlogicpti
Boaz Harrosh [Mon, 29 Sep 2008 07:38:55 +0000 (09:38 +0200)]
scsi: fix fall out of sg-chaining patch in qlogicpti

Boaz writes:

"I've reviewed all patches since Matthew's, and I find one small

In the load_cmd() there is a compound loop where the first 4 sg's are
set then the rest are set into a memory structure in group of 7 sg's.

Well the second 7-group and on is a bug because sg pointer does not advance.
This is a fall out from Jens's patch."

The reporter, Meelis Roos <>, verified that this patch
does indeed fix his problem with qlogicpti.

Signed-off-by: Jens Axboe <>
13 years agosata_nv: reinstate nv_hardreset() for non generic controllers
Tejun Heo [Sat, 27 Sep 2008 22:39:01 +0000 (07:39 +0900)]
sata_nv: reinstate nv_hardreset() for non generic controllers

Commit 2fd673ecf0378ddeeeb87b3605e50212e0c0ddc6 which tried to remove
hardreset for generic accidentally removed it for all flavors as all
others were inheriting from nv_generic_ops.  This patch reinstates
nv_hardreset() and puts it into nv_common_ops which all flavors
inherit from.  nv_generic_ops now inherits from nv_common_ops and
overrides .hardreset to ATA_OP_NULL.

While at it, explain why nv_hardreset and ATA_OP_NULL override are

Signed-off-by: Tejun Heo <>
Signed-off-by: Jeff Garzik <>
13 years ago[SCSI] qlogicpti: fix sg list traversal error in continuation entries
Boaz Harrosh [Wed, 24 Sep 2008 09:00:22 +0000 (12:00 +0300)]
[SCSI] qlogicpti: fix sg list traversal error in continuation entries

The current sg list traversal logic for the continuation entries
doesn't advance the list pointer once all seven slots are used, so the
next continuation entry (if there is one) wrongly begins again at the
start of the sg list.

Fix by advancing the sg pointer after the for_each_sg().

Reported-by: Meelis Roos <>
Cc: David Miller <>
Signed-off-by: James Bottomley <>
13 years agocdrom: update ioctl documentation
Márton Németh [Sat, 27 Sep 2008 17:32:17 +0000 (19:32 +0200)]
cdrom: update ioctl documentation

Correct copy-paste problem: CDROMCLOSETRAY is about closing the tray,
not opening it.

Signed-off-by: Márton Németh <>
Signed-off-by: Andrew Morton <>
Cc: Jens Axboe <>
Signed-off-by: Bartlomiej Zolnierkiewicz <>