13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Sat, 5 Sep 2009 20:41:29 +0000 (13:41 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/dtor/input

* 'for-linus' of git://
  Input: atkbd - add Compaq Presario R4000-series repeat quirk
  Input: i8042 - add Acer Aspire 5536 to the nomux list

13 years agoext2: fix unbalanced kmap()/kunmap()
Nicolas Pitre [Sat, 5 Sep 2009 04:25:37 +0000 (00:25 -0400)]
ext2: fix unbalanced kmap()/kunmap()

In ext2_rename(), dir_page is acquired through ext2_dotdot().  It is
then released through ext2_set_link() but only if old_dir != new_dir.
Failing that, the pkmap reference count is never decremented and the
page remains pinned forever.  Repeat that a couple times with highmem
pages and all pkmap slots get exhausted, and every further kmap() calls
end up stalling on the pkmap_map_wait queue at which point the whole
system comes to a halt.

Signed-off-by: Nicolas Pitre <>
Acked-by: Theodore Ts'o <>
Signed-off-by: Linus Torvalds <>
13 years agoMerge branch 'upstream-linus' of git://
Linus Torvalds [Sat, 5 Sep 2009 20:38:37 +0000 (13:38 -0700)]
Merge branch 'upstream-linus' of git://git./linux/kernel/git/jlbec/ocfs2

* 'upstream-linus' of git://
  ocfs2: ocfs2_write_begin_nolock() should handle len=0
  ocfs2: invalidate dentry if its dentry_lock isn't initialized.

13 years agopty: don't limit the writes to 'pty_space()' inside 'pty_write()'
Linus Torvalds [Sat, 5 Sep 2009 20:27:10 +0000 (13:27 -0700)]
pty: don't limit the writes to 'pty_space()' inside 'pty_write()'

The whole write-room thing is something that is up to the _caller_ to
worry about, not the pty layer itself.  The total buffer space will
still be limited by the buffering routines themselves, so there is no
advantage or need in having pty_write() artificially limit the size

And what happened was that the caller (the n_tty line discipline, in
this case) may have verified that there is room for 2 bytes to be
written (for NL -> CRNL expansion), and it used to then do those writes
as two single-byte writes.  And if the first byte written (CR) then
caused a new tty buffer to be allocated, pty_space() may have returned
zero when trying to write the second byte (LF), and then incorrectly
failed the write - leading to a lost newline character.

This should finally fix

Reported-by: Mikael Pettersson <>
Acked-by: Alan Cox <>
Signed-off-by: Linus Torvalds <>
13 years agon_tty: do O_ONLCR translation as a single write
Linus Torvalds [Sat, 5 Sep 2009 19:46:07 +0000 (12:46 -0700)]
n_tty: do O_ONLCR translation as a single write

When translating CR to CRNL in the n_tty line discipline, we did it as
two tty_put_char() calls.  Which works, but is stupid, and has caused
problems before too with bad interactions with the write_room() logic.
The generic USB serial driver had that problem, for example.

Now the pty layer had similar issues after being moved to the generic
tty buffering code (in commit d945cb9cce20ac7143c2de8d88b187f62db99bdc:
"pty: Rework the pty layer to use the normal buffering logic").

So stop doing the silly separate two writes, and do it as a single write
instead.  That's what the n_tty layer already does for the space
expansion of tabs (XTABS), and it means that we'll now always have just
a single write for the CRNL to match the single 'tty_write_room()' test,
which hopefully means that the next time somebody screws up buffering,
it won't cause weeks of debugging.

Signed-off-by: Linus Torvalds <>
13 years agoexec: do not sleep in TASK_TRACED under ->cred_guard_mutex
Oleg Nesterov [Sat, 5 Sep 2009 18:17:13 +0000 (11:17 -0700)]
exec: do not sleep in TASK_TRACED under ->cred_guard_mutex

Tom Horsley reports that his debugger hangs when it tries to read
/proc/pid_of_tracee/maps, this happens since

"mm_for_maps: take ->cred_guard_mutex to fix the race with exec"

commit in 2.6.31.

But the root of the problem lies in the fact that do_execve() path calls
tracehook_report_exec() which can stop if the tracer sets PT_TRACE_EXEC.

The tracee must not sleep in TASK_TRACED holding this mutex.  Even if we
remove ->cred_guard_mutex from mm_for_maps() and proc_pid_attr_write(),
another task doing PTRACE_ATTACH should not hang until it is killed or the
tracee resumes.

With this patch do_execve() does not use ->cred_guard_mutex directly and
we do not hold it throughout, instead:

- introduce prepare_bprm_creds() helper, it locks the mutex
  and calls prepare_exec_creds() to initialize bprm->cred.

- install_exec_creds() drops the mutex after commit_creds(),
  and thus before tracehook_report_exec()->ptrace_stop().

  or, if exec fails,

  free_bprm() drops this mutex when bprm->cred != NULL which
  indicates install_exec_creds() was not called.

Reported-by: Tom Horsley <>
Signed-off-by: Oleg Nesterov <>
Acked-by: David Howells <>
Cc: Roland McGrath <>
Cc: James Morris <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agopage-allocator: always change pageblock ownership when anti-fragmentation is disabled
Mel Gorman [Sat, 5 Sep 2009 18:17:11 +0000 (11:17 -0700)]
page-allocator: always change pageblock ownership when anti-fragmentation is disabled

On low-memory systems, anti-fragmentation gets disabled as fragmentation
cannot be avoided on a sufficiently large boundary to be worthwhile.  Once
disabled, there is a period of time when all the pageblocks are marked
MOVABLE and the expectation is that they get marked UNMOVABLE at each call
to __rmqueue_fallback().

However, when MAX_ORDER is large the pageblocks do not change ownership
because the normal criteria are not met.  This has the effect of
prematurely breaking up too many large contiguous blocks.  This is most
serious on NOMMU systems which depend on high-order allocations to boot.
This patch causes pageblocks to change ownership on every fallback when
anti-fragmentation is disabled.  This prevents the large blocks being
prematurely broken up.

This is a fix to commit 49255c619fbd482d704289b5eb2795f8e3b7ff2e [page
allocator: move check for disabled anti-fragmentation out of fastpath] and
the problem affects 2.6.31-rc8.

Signed-off-by: Mel Gorman <>
Tested-by: Paul Mundt <>
Cc: David Howells <>
Cc: Pekka Enberg <>
Acked-by: Greg Ungerer <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agonommu: fix error handling in do_mmap_pgoff()
David Howells [Sat, 5 Sep 2009 18:17:07 +0000 (11:17 -0700)]
nommu: fix error handling in do_mmap_pgoff()

Fix the error handling in do_mmap_pgoff().  If do_mmap_shared_file() or
do_mmap_private() fail, we jump to the error_put_region label at which
point we cann __put_nommu_region() on the region - but we haven't yet
added the region to the tree, and so __put_nommu_region() may BUG
because the region tree is empty or it may corrupt the region tree.

To get around this, we can afford to add the region to the region tree
before calling do_mmap_shared_file() or do_mmap_private() as we keep
nommu_region_sem write-locked, so no-one can race with us by seeing a
transient region.

Signed-off-by: David Howells <>
Acked-by: Pekka Enberg <>
Acked-by: Paul Mundt <>
Cc: Mel Gorman <>
Acked-by: Greg Ungerer <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoworkqueues: introduce __cancel_delayed_work()
Oleg Nesterov [Sat, 5 Sep 2009 18:17:06 +0000 (11:17 -0700)]
workqueues: introduce __cancel_delayed_work()

cancel_delayed_work() has to use del_timer_sync() to guarantee the timer
function is not running after return.  But most users doesn't actually
need this, and del_timer_sync() has problems: it is not useable from
interrupt, and it depends on every lock which could be taken from irq.

Introduce __cancel_delayed_work() which calls del_timer() instead.

The immediate reason for this patch is
but hopefully this helper makes sense anyway.

As for 13757 bug, actually we need requeue_delayed_work(), but its
semantics are not yet clear.

Merge this patch early to resolves cross-tree interdependencies between
input and infiniband.

Signed-off-by: Oleg Nesterov <>
Cc: Dmitry Torokhov <>
Cc: Roland Dreier <>
Cc: Stefan Richter <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoocfs2: ocfs2_write_begin_nolock() should handle len=0
Sunil Mushran [Fri, 4 Sep 2009 18:12:01 +0000 (11:12 -0700)]
ocfs2: ocfs2_write_begin_nolock() should handle len=0

Bug introduced by mainline commit e7432675f8ca868a4af365759a8d4c3779a3d922
The bug causes ocfs2_write_begin_nolock() to oops when len=0.

Signed-off-by: Sunil Mushran <>
Signed-off-by: Joel Becker <>
13 years agoInput: atkbd - add Compaq Presario R4000-series repeat quirk
Dave Andrews [Fri, 4 Sep 2009 00:21:27 +0000 (17:21 -0700)]
Input: atkbd - add Compaq Presario R4000-series repeat quirk

Compaq Presario R4000-series laptops are not sending a "volume up button
release" and "volume down button release" signal in the PS/2 protocol for
atkbd. The URL below has some of confirmed reports:

Signed-off-by: Dave Andrews <>
Signed-off-by: Dmitry Torokhov <>
13 years agoautofs4 - fix missed case when changing to use struct path
Ian Kent [Tue, 1 Sep 2009 03:26:22 +0000 (11:26 +0800)]
autofs4 - fix missed case when changing to use struct path

In the recent change by Al Viro that changes verious subsystems
to use "struct path" one case was missed in the autofs4 module
which causes mounts to no longer expire.

Signed-off-by: Ian Kent <>
Signed-off-by: Linus Torvalds <>
13 years agoMerge branch 'fix/hda' of git://
Linus Torvalds [Tue, 1 Sep 2009 03:36:10 +0000 (17:36 -1000)]
Merge branch 'fix/hda' of git://git./linux/kernel/git/tiwai/sound-2.6

* 'fix/hda' of git://
  ALSA: hda - Fix MacBookPro 3,1/4,1 quirk with ALC889A
  ALSA: hda - Add missing mux check for VT1708

13 years agoMerge branch 'for_linus' of git://
Linus Torvalds [Tue, 1 Sep 2009 03:31:02 +0000 (17:31 -1000)]
Merge branch 'for_linus' of git://git./linux/kernel/git/mchehab/linux-2.6

* 'for_linus' of git://
  V4L/DVB (12564a): MAINTAINERS: Update gspca sn9c20x name style
  V4L/DVB (12502): gspca - sn9c20x: Fix gscpa sn9c20x build errors.
  V4L/DVB (12495): em28xx: Don't call em28xx_ir_init when disable_ir is true
  V4L/DVB (12457): zr364: wrong indexes
  V4L/DVB (12451): Update KConfig File to enable SDIO and USB interfaces
  V4L/DVB (12450): Siano: Fixed SDIO compilation bugs
  V4L/DVB (12449): adds webcam for Micron device MT9M111 0x143A to em28xx
  V4L/DVB (12446): sms1xxx: restore GPIO functionality for all Hauppauge devices

13 years agolmb: Also remove __init from lmb_end_of_RAM() declaration in lmb.h
Benjamin Herrenschmidt [Mon, 31 Aug 2009 03:48:16 +0000 (13:48 +1000)]
lmb: Also remove __init from lmb_end_of_RAM() declaration in lmb.h

My previous patch (commit 4f8ee2c9cc: "lmb: Remove __init from
lmb_end_of_DRAM()") removed __init in lmb.c but missed the fact that it
was also marked as such in the .h

Signed-off-by: Benjamin Herrenschmidt <>
Signed-off-by: Linus Torvalds <>
13 years agoata_piix: parallel scanning on PATA needs an extra locking
Bartlomiej Zolnierkiewicz [Sun, 30 Aug 2009 12:56:30 +0000 (14:56 +0200)]
ata_piix: parallel scanning on PATA needs an extra locking

Commit log for commit 517d3cc15b36392e518abab6bacbb72089658313
("[libata] ata_piix: Enable parallel scan") says:

    This patch turns on parallel scanning for the ata_piix driver.
    This driver is used on most netbooks (no AHCI for cheap storage it seems).
    The scan is the dominating time factor in the kernel boot for these
    devices; with this flag it gets cut in half for the device I used
    for testing (eeepc).
    Alan took a look at the driver source and concluded that it ought to be safe
    to do for this driver.  Alan has also checked with the hardware team.

and it is all true but once we put all things together additional
constraints for PATA controllers show up (some hardware registers
have per-host not per-port atomicity) and we risk misprogramming
the controller.

I used the following test to check whether the issue is real:

  @@ -736,8 +736,20 @@ static void piix_set_piomode(struct ata_
    (timings[pio][1] << 8);
    pci_write_config_word(dev, master_port, master_data);
  - if (is_slave)
  + if (is_slave) {
  + if (ap->port_no == 0) {
  + u8 tmp = slave_data;
  + while (slave_data == tmp) {
  + pci_read_config_byte(dev, slave_port, &tmp);
  + msleep(50);
  + }
  + dev_printk(KERN_ERR, &dev->dev, "PATA parallel scan "
  +    "race detected\n");
  + }
    pci_write_config_byte(dev, slave_port, slave_data);
  + }

    /* Ensure the UDMA bit is off - it will be turned back on if
       UDMA is selected */

and it indeed triggered the error message.

Lets fix all such races by adding an extra locking to ->set_piomode
and ->set_dmamode methods for PATA controllers.

[ Alan: would be better to take the host lock in libata-core for these
  cases so that we fix all the adapters in one swoop.  "Looks fine as a
  temproary quickfix tho" ]

Cc: Arjan van de Ven <>
Acked-by: Alan Cox <>
Cc: Jeff Garzik <>
Signed-off-by: Bartlomiej Zolnierkiewicz <>
Signed-off-by: Linus Torvalds <>
13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Tue, 1 Sep 2009 03:22:10 +0000 (17:22 -1000)]
Merge branch 'for-linus' of git://git./linux/kernel/git/anholt/drm-intel

* 'for-linus' of git://
  drm/i915: Improve CRTDDC mapping by using VBT info
  drm/i915: Fix CPU-spinning hangs related to fence usage by using an LRU.
  drm/i915: Set crtc/clone mask in different output devices
  drm/i915: Always use SDVO_B detect bit for SDVO output detection.
  drm/i915: Fix typo that broke SVID1 in intel_sdvo_multifunc_encoder()
  drm/i915: Check if BIOS enabled dual-channel LVDS on 8xx, not only on 9xx
  drm/i915: Set the multiplier for SDVO on G33 platform

13 years agoALSA: hda - Fix MacBookPro 3,1/4,1 quirk with ALC889A
Takashi Iwai [Mon, 31 Aug 2009 06:15:26 +0000 (08:15 +0200)]
ALSA: hda - Fix MacBookPro 3,1/4,1 quirk with ALC889A

This patch fixes the wrong headphone output routing for MacBookPro 3,1/4,1
quirk with ALC889A codec, which caused the silent headphone output.
Also, this gives the individual Headphone and Speaker volume controls.

Reference: kernel bug#14078

Signed-off-by: Takashi Iwai <>
Cc: <>
13 years agoALSA: hda - Add missing mux check for VT1708
Takashi Iwai [Mon, 31 Aug 2009 06:12:29 +0000 (08:12 +0200)]
ALSA: hda - Add missing mux check for VT1708

In patch_vt1708(), the check of MUX nids is missing and this results in
the -EINVAL error in accessing Input Source mixer element.  Simpliy
adding the call of get_mux_nids() fixes the problem.

Reference: Novell bnc#534904

Signed-off-by: Takashi Iwai <>
13 years agoV4L/DVB (12564a): MAINTAINERS: Update gspca sn9c20x name style
Joe Perches [Sun, 16 Aug 2009 23:03:51 +0000 (20:03 -0300)]
V4L/DVB (12564a): MAINTAINERS: Update gspca sn9c20x name style

To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to
More majordomo info at

Signed-off-by: Joe Perches <>
Signed-off-by: Mauro Carvalho Chehab <>
13 years agoV4L/DVB (12502): gspca - sn9c20x: Fix gscpa sn9c20x build errors.
Randy Dunlap [Wed, 26 Aug 2009 06:34:16 +0000 (03:34 -0300)]
V4L/DVB (12502): gspca - sn9c20x: Fix gscpa sn9c20x build errors.

Reported-by: Toralf Forster <>
Signed-off-by: Randy Dunlap <>
Signed-off-by: Jean-Francois Moine <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Mauro Carvalho Chehab <>
13 years agoV4L/DVB (12495): em28xx: Don't call em28xx_ir_init when disable_ir is true
Shine Liu [Fri, 21 Aug 2009 02:49:26 +0000 (23:49 -0300)]
V4L/DVB (12495): em28xx: Don't call em28xx_ir_init when disable_ir is true

We should call em28xx_ir_init(dev) only when disable_ir is true.

Signed-off-by: Shine Liu <>
Reviewed-by: Devin Heitmueller <>
Signed-off-by: Mauro Carvalho Chehab <>
13 years agoV4L/DVB (12457): zr364: wrong indexes
Roel Kluin [Tue, 11 Aug 2009 11:10:25 +0000 (08:10 -0300)]
V4L/DVB (12457): zr364: wrong indexes

The order of indexes is reversed

Signed-off-by: Roel Kluin <>
Signed-off-by: Antoine Jacquet <>
Signed-off-by: Mauro Carvalho Chehab <>
13 years agoV4L/DVB (12451): Update KConfig File to enable SDIO and USB interfaces
Udi Atar [Thu, 13 Aug 2009 19:30:25 +0000 (16:30 -0300)]
V4L/DVB (12451): Update KConfig File to enable SDIO and USB interfaces

Update KConfig file to enbale selection of SDIO and USB
interfaces, and add dependancy on relevant modules.

[ fix merge conflicts, remove default: m, add missing endmenu]

Signed-off-by: Udi Atar <>
Signed-off-by: Mauro Carvalho Chehab <>
13 years agoV4L/DVB (12450): Siano: Fixed SDIO compilation bugs
Udi Atar [Sun, 28 Jun 2009 07:22:55 +0000 (04:22 -0300)]
V4L/DVB (12450): Siano: Fixed SDIO compilation bugs

Fixed SDIO compilation bugs
Also fixed a memory overrun issue in buffer management.

Signed-off-by: Udi Atar <>
Signed-off-by: Mauro Carvalho Chehab <>
13 years agoV4L/DVB (12449): adds webcam for Micron device MT9M111 0x143A to em28xx
Mauro Carvalho Chehab [Wed, 12 Aug 2009 23:21:44 +0000 (20:21 -0300)]
V4L/DVB (12449): adds webcam for Micron device MT9M111 0x143A to em28xx

[ fix merge conflict and a few CodingStyle issues]
Signed-off-by: Steve Gotthardt <>
Signed-off-by: Mauro Carvalho Chehab <>
13 years agoV4L/DVB (12446): sms1xxx: restore GPIO functionality for all Hauppauge devices
Michael Krufky [Mon, 13 Jul 2009 02:30:14 +0000 (23:30 -0300)]
V4L/DVB (12446): sms1xxx: restore GPIO functionality for all Hauppauge devices

Previous changesets broke Hauppauge devices and their GPIO configurations.

This changeset restores the LED & LNA functionality.

Signed-off-by: Michael Krufky <>
Signed-off-by: Mauro Carvalho Chehab <>
13 years agodrm/i915: Improve CRTDDC mapping by using VBT info
David Müller (ELSOFT AG) [Sat, 29 Aug 2009 06:54:45 +0000 (08:54 +0200)]
drm/i915: Improve CRTDDC mapping by using VBT info

Use VBT information to determine which DDC bus to use for CRTDCC.
Fall back to GPIOA if VBT info is not available.

Signed-off-by: David Müller <>
Reviewed-by: Jesse Barnes <>
Signed-off-by: Eric Anholt <>
Tested on: 855 (David), and 945GM, 965GM, GM45, and G45 (anholt)

13 years agodrm/i915: Fix CPU-spinning hangs related to fence usage by using an LRU.
Eric Anholt [Sat, 29 Aug 2009 19:49:51 +0000 (12:49 -0700)]
drm/i915: Fix CPU-spinning hangs related to fence usage by using an LRU.

The lack of a proper LRU was partially worked around by taking the fence
from the object containing the oldest seqno.  But if there are multiple
objects inactive, then they don't have seqnos and the first fence reg
among them would be chosen.  If you were trying to copy data between two
mappings, this could result in each page fault stealing the fence from
the other argument, and your application hanging.

Cc: Stable Team <>
Signed-off-by: Eric Anholt <>
Reviewed-by: Jesse Barnes <>
Reviewed-by: Chris Wilson <>
13 years agoMerge branch 'release' of git://
Linus Torvalds [Sat, 29 Aug 2009 05:41:05 +0000 (19:41 -1000)]
Merge branch 'release' of git://git./linux/kernel/git/lenb/linux-acpi-2.6

* 'release' of git://
  ACPI: don't free non-existent backlight in acpi video module
  toshiba_acpi: return on a fail path
  ACPICA: Windows compatibility fix: same buffer/string store

13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Sat, 29 Aug 2009 05:39:44 +0000 (19:39 -1000)]
Merge branch 'for-linus' of git://

* 'for-linus' of git://
  inotify: update the group mask on mark addition
  inotify: fix length reporting and size checking
  inotify: do not send a block of zeros when no pathname is available

13 years agoparisc: fix warning in traps.c
Grant Grundler [Fri, 28 Aug 2009 19:00:36 +0000 (15:00 -0400)]
parisc: fix warning in traps.c

On Tue, Aug 18, 2009 at 01:45:17PM -0400, John David Anglin wrote:
>  CC      arch/parisc/kernel/traps.o
> arch/parisc/kernel/traps.c: In function 'handle_interruption':
> arch/parisc/kernel/traps.c:535:18: warning: operation on 'regs->iasq[0]'
> may be undefined

Yes - Line 535 should use both [0] and [1].

Reported-by: John David Anglin <>
Signed-off-by: Grant Grundler <>
Signed-off-by: Kyle McMartin <>
Signed-off-by: Linus Torvalds <>
13 years agoSUNRPC: Fix rpc_task_force_reencode
Trond Myklebust [Fri, 28 Aug 2009 15:12:12 +0000 (11:12 -0400)]
SUNRPC: Fix rpc_task_force_reencode

This patch fixes the bug that was reported in

If we're in the case where we need to force a reencode and then resend of
the RPC request, due to xprt_transmit failing with a networking error, then
we _must_ retransmit the entire request.

Signed-off-by: Trond Myklebust <>
Signed-off-by: Linus Torvalds <>
13 years agomodules: Fix build error in the !CONFIG_KALLSYMS case
Ingo Molnar [Fri, 28 Aug 2009 08:44:56 +0000 (10:44 +0200)]
modules: Fix build error in the !CONFIG_KALLSYMS case

> James Bottomley (1):
>       module: workaround duplicate section names

-tip testing found that this patch breaks the build on x86 if
CONFIG_KALLSYMS is disabled:

 kernel/module.c: In function ‘load_module’:
 kernel/module.c:2367: error: ‘struct module’ has no member named ‘sect_attrs’
 distcc[8269] ERROR: compile kernel/module.c on ph/32 failed
 make[1]: *** [kernel/module.o] Error 1
 make: *** [kernel] Error 2
 make: *** Waiting for unfinished jobs....

Commit 1b364bf misses the fact that section attributes are only
built and dealt with if kallsyms is enabled. The patch below fixes

( note, technically speaking this should depend on CONFIG_SYSFS as
  well but this patch is correct too and keeps the #ifdef less
  intrusive - in the KALLSYMS && !SYSFS case the code is a NOP. )

Signed-off-by: Ingo Molnar <>
[ Replaced patch with a slightly cleaner variation by James Bottomley ]
Signed-off-by: Linus Torvalds <>
13 years agoMerge branch 'x86-fixes-for-linus' of git://
Linus Torvalds [Sat, 29 Aug 2009 05:32:32 +0000 (19:32 -1000)]
Merge branch 'x86-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'x86-fixes-for-linus' of git://
  x86: Fix vSMP boot crash
  x86, xen: Initialize cx to suppress warning
  x86, xen: Suppress WP test on Xen

13 years agoACPI: don't free non-existent backlight in acpi video module
Keith Packard [Thu, 6 Aug 2009 22:57:54 +0000 (15:57 -0700)]
ACPI: don't free non-existent backlight in acpi video module

acpi_video_put_one_device was attempting to remove sysfs entries and
unregister a backlight device without first checking that said backlight
device structure had been created.

Signed-off-by: Keith Packard <>
Acked-by: Zhang Rui <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Len Brown <>
13 years agotoshiba_acpi: return on a fail path
Jiri Slaby [Thu, 6 Aug 2009 22:57:51 +0000 (15:57 -0700)]
toshiba_acpi: return on a fail path

Return from bt_rfkill_poll() when hci_get_radio_state() fails.

value is invalid in that case and should not be assigned to the rfkill

This also fixes a double unlock bug.

Signed-off-by: Jiri Slaby <>
Cc: John W. Linville <>
Cc: Johannes Berg <>
Cc: Henrique de Moraes Holschuh <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Len Brown <>
13 years agoACPICA: Windows compatibility fix: same buffer/string store
Lin Ming [Wed, 26 Aug 2009 01:01:34 +0000 (09:01 +0800)]
ACPICA: Windows compatibility fix: same buffer/string store

Fix a compatibility issue when the same buffer or string is
stored to itself. This has been seen in the field. Previously,
ACPICA would zero out the buffer/string. Now, the operation is
treated as a NOP.

Reported-by: Rezwanul Kabir <>
Signed-off-by: Lin Ming <>
Signed-off-by: Bob Moore <>
Signed-off-by: Len Brown <>
13 years agoinotify: update the group mask on mark addition
Eric Paris [Fri, 28 Aug 2009 16:50:47 +0000 (12:50 -0400)]
inotify: update the group mask on mark addition

Seperating the addition and update of marks in inotify resulted in a
regression in that inotify never gets events.  The inotify group mask is
always 0.  This mask should be updated any time a new mark is added.

Signed-off-by: Eric Paris <>
13 years agoinotify: fix length reporting and size checking
Eric Paris [Fri, 28 Aug 2009 15:57:55 +0000 (11:57 -0400)]
inotify: fix length reporting and size checking

0db501bd0610ee0c0 introduced a regresion in that it now sends a nul
terminator but the length accounting when checking for space or
reporting to userspace did not take this into account.  This corrects
all of the rounding logic.

Signed-off-by: Eric Paris <>
13 years agoinotify: do not send a block of zeros when no pathname is available
Brian Rogers [Fri, 28 Aug 2009 14:00:05 +0000 (10:00 -0400)]
inotify: do not send a block of zeros when no pathname is available

When an event has no pathname, there's no need to pad it with a null byte and
therefore generate an inotify_event sized block of zeros. This fixes a
regression introduced by commit 0db501bd0610ee0c0aca84d927f90bcccd09e2bd where
my system wouldn't finish booting because some process was being confused by

Signed-off-by: Brian Rogers <>
Signed-off-by: Eric Paris <>
13 years agoocfs2: invalidate dentry if its dentry_lock isn't initialized.
Tao Ma [Thu, 27 Aug 2009 06:46:56 +0000 (14:46 +0800)]
ocfs2: invalidate dentry if its dentry_lock isn't initialized.

In commit a5a0a630922a2f6a774b6dac19f70cb5abd86bb0, when
ocfs2_attch_dentry_lock fails, we call an extra iput and reset
dentry->d_fsdata to NULL. This resolve a bug, but it isn't
completed and the dentry is still there. When we want to use
it again, ocfs2_dentry_revalidate doesn't catch it and return
true. That make future ocfs2_dentry_lock panic out.
One bug is

The resolution is to add a check for dentry->d_fsdata in
revalidate process and return false if dentry->d_fsdata is NULL,
so that a new ocfs2_lookup will be called again.

Signed-off-by: Tao Ma <>
Signed-off-by: Joel Becker <>
13 years agoLinux 2.6.31-rc8 v2.6.31-rc8
Linus Torvalds [Fri, 28 Aug 2009 00:59:04 +0000 (17:59 -0700)]
Linux 2.6.31-rc8

13 years agomodule: workaround duplicate section names
James Bottomley [Wed, 26 Aug 2009 12:34:12 +0000 (22:04 +0930)]
module: workaround duplicate section names

The root cause is a duplicate section name (.text); is this legal?
[ Amerigo Wang: "AFAIK, yes." ]

However, there's a problem with commit
6d76013381ed28979cd122eb4b249a88b5e384fa in that if you fail to allocate
a mod->sect_attrs (in this case it's null because of the duplication),
it still gets used without checking in add_notes_attrs()

This should fix it

[ This patch leaves other problems, particularly the sections directory,
  but recent parisc toolchains seem to produce these modules and this
  prevents a crash and is a minimal change -- RR ]

Signed-off-by: James Bottomley <>
Signed-off-by: Rusty Russell <>
Tested-by: Helge Deller <>
Signed-off-by: Linus Torvalds <>
13 years agomodule: fix BUG_ON() for powerpc (and other function descriptor archs)
Rusty Russell [Wed, 26 Aug 2009 12:32:54 +0000 (22:02 +0930)]
module: fix BUG_ON() for powerpc (and other function descriptor archs)

The rarely-used symbol_put_addr() needs to use dereference_function_descriptor
on powerpc.

Reported-by: Paul Mackerras <>
Signed-off-by: Rusty Russell <
Signed-off-by: Linus Torvalds <>
13 years agoxenfb: connect to backend before registering fb
Jeremy Fitzhardinge [Thu, 27 Aug 2009 19:22:43 +0000 (12:22 -0700)]
xenfb: connect to backend before registering fb

As soon as the framebuffer is registered, our methods may be called by the
kernel. This leads to a crash as xenfb_refresh() gets called before we have
the irq.

Connect to the backend before registering our framebuffer with the kernel.

[ Fixes bug ]

Signed-off-by: Michal Schmidt <>
Signed-off-by: Jeremy Fitzhardinge <>
Signed-off-by: Linus Torvalds <>
13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Thu, 27 Aug 2009 19:26:02 +0000 (12:26 -0700)]
Merge branch 'for-linus' of git://

* 'for-linus' of git://
  inotify: Ensure we alwasy write the terminating NULL.
  inotify: fix locking around inotify watching in the idr
  inotify: do not BUG on idr entries at inotify destruction
  inotify: seperate new watch creation updating existing watches

13 years agolmb: Remove __init from lmb_end_of_DRAM()
Benjamin Herrenschmidt [Thu, 27 Aug 2009 07:20:30 +0000 (17:20 +1000)]
lmb: Remove __init from lmb_end_of_DRAM()

We call lmb_end_of_DRAM() to test whether a DMA mask is ok on a machine
without IOMMU, but this function is marked as __init.

I don't think there's a clean way to get the top of RAM max_pfn doesn't
appear to include highmem or I missed (or we have a bug :-) so for now,
let's just avoid having a broken 2.6.31 by making this function
non-__init and we can revisit later.

Signed-off-by: Benjamin Herrenschmidt <>
Signed-off-by: Linus Torvalds <>
13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Thu, 27 Aug 2009 19:24:08 +0000 (12:24 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/ericvh/v9fs

* 'for-linus' of git://
  9p: update documentation pointers
  9p: remove unnecessary v9fses->options which duplicates the mount string
  net/9p: insulate the client against an invalid error code sent by a 9p server
  9p: Add missing cast for the error return value in v9fs_get_inode
  9p: Remove redundant inode uid/gid assignment
  9p: Fix possible regressions when ->get_sb fails.
  9p: Fix v9fs show_options
  9p: Fix possible memleak in v9fs_inode_from fid.
  9p: minor comment fixes
  9p: Fix possible inode leak in v9fs_get_inode.
  9p: Check for error in return value of v9fs_fid_add

13 years agoipv4: make ip_append_data() handle NULL routing table
Julien TINNES [Thu, 27 Aug 2009 13:26:58 +0000 (15:26 +0200)]
ipv4: make ip_append_data() handle NULL routing table

Add a check in ip_append_data() for NULL *rtp to prevent future bugs in
callers from being exploitable.

Signed-off-by: Julien Tinnes <>
Signed-off-by: Tavis Ormandy <>
Acked-by: David S. Miller <>
Signed-off-by: Linus Torvalds <>
13 years agoAFS: Stop readlink() on AFS crashing due to NULL 'file' ptr
David Howells [Thu, 27 Aug 2009 12:09:06 +0000 (13:09 +0100)]
AFS: Stop readlink() on AFS crashing due to NULL 'file' ptr

kAFS crashes when asked to read a symbolic link because page_getlink()
passes a NULL file pointer to read_mapping_page(), but afs_readpage()
expects a file pointer from which to extract a key.

Modify afs_readpage() to request the appropriate key from the calling
process's keyrings if a file struct is not supplied with one attached.

Signed-off-by: David Howells <>
Acked-by: Anton Blanchard <>
Signed-off-by: Linus Torvalds <>
13 years agoinotify: Ensure we alwasy write the terminating NULL.
Eric W. Biederman [Thu, 27 Aug 2009 10:20:04 +0000 (03:20 -0700)]
inotify: Ensure we alwasy write the terminating NULL.

Before the rewrite copy_event_to_user always wrote a terqminating '\0'
byte to user space after the filename.  Since the rewrite that
terminating byte was skipped if your filename is exactly a multiple of
event_size.  Ouch!

So add one byte to name_size before we round up and use clear_user to
set userspace to zero like /dev/zero does instead of copying the
strange nul_inotify_event.  I can't quite convince myself len_to_zero
will never exceed 16 and even if it doesn't clear_user should be more
efficient and a more accurate reflection of what the code is trying to

Signed-off-by: Eric W. Biederman <>
Signed-off-by: Eric Paris <>
13 years agoinotify: fix locking around inotify watching in the idr
Eric Paris [Mon, 24 Aug 2009 20:03:35 +0000 (16:03 -0400)]
inotify: fix locking around inotify watching in the idr

The are races around the idr storage of inotify watches.  It's possible
that a watch could be found from sys_inotify_rm_watch() in the idr, but it
could be removed from the idr before that code does it's removal.  Move the
locking and the refcnt'ing so that these have to happen atomically.

Signed-off-by: Eric Paris <>
13 years agoinotify: do not BUG on idr entries at inotify destruction
Eric Paris [Mon, 24 Aug 2009 20:03:35 +0000 (16:03 -0400)]
inotify: do not BUG on idr entries at inotify destruction

If an inotify watch is left in the idr when an fsnotify group is destroyed
this will lead to a BUG.  This is not a dangerous situation and really
indicates a programming bug and leak of memory.  This patch changes it to
use a WARN and a printk rather than killing people's boxes.

Signed-off-by: Eric Paris <>
13 years agoinotify: seperate new watch creation updating existing watches
Eric Paris [Mon, 24 Aug 2009 20:03:35 +0000 (16:03 -0400)]
inotify: seperate new watch creation updating existing watches

There is nothing known wrong with the inotify watch addition/modification
but this patch seperates the two code paths to make them each easy to
verify as correct.

Signed-off-by: Eric Paris <>
13 years agoMerge git://
Linus Torvalds [Thu, 27 Aug 2009 03:54:48 +0000 (20:54 -0700)]
Merge git://git./linux/kernel/git/davem/net-2.6

* git://
  virtio: net refill on out-of-memory
  smc91x: fix compilation on SMP

13 years agoMerge branch 'merge' of git://
Linus Torvalds [Thu, 27 Aug 2009 03:39:31 +0000 (20:39 -0700)]
Merge branch 'merge' of git://git./linux/kernel/git/benh/powerpc

* 'merge' of git://
  powerpc/ps3: Update ps3_defconfig
  powerpc/ps3: Add missing check for PS3 to rtc-ps3 platform device registration

13 years agopowerpc/ps3: Update ps3_defconfig
Geoff Levand [Tue, 25 Aug 2009 07:53:35 +0000 (07:53 +0000)]
powerpc/ps3: Update ps3_defconfig

Update ps3_defconfig.

 o Refresh for 2.6.31.
 o Remove MTD support.
 o Add more HID drivers.

Signed-off-by: Geoff Levand <>
Signed-off-by: Benjamin Herrenschmidt <>
13 years agopowerpc/ps3: Add missing check for PS3 to rtc-ps3 platform device registration
Geert Uytterhoeven [Sun, 23 Aug 2009 22:54:32 +0000 (22:54 +0000)]
powerpc/ps3: Add missing check for PS3 to rtc-ps3 platform device registration

On non-PS3, we get:

| kernel BUG at drivers/rtc/rtc-ps3.c:36!

because the rtc-ps3 platform device is registered unconditionally in a kernel
with builtin support for PS3.

Reported-by: Sachin Sant <>
Signed-off-by: Geert Uytterhoeven <>
Acked-by: Geoff Levand <>
Signed-off-by: Benjamin Herrenschmidt <>
13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Thu, 27 Aug 2009 03:17:07 +0000 (20:17 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://
  IMA: iint put in ima_counts_get and put

13 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Thu, 27 Aug 2009 03:16:38 +0000 (20:16 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/geert/linux-m68k

* 'for-linus' of git://
  m68k,m68knommu: Wire up rt_tgsigqueueinfo and perf_counter_open
  m68k: Fix redefinition of pgprot_noncached
  arch/m68k/include/asm/motorola_pgalloc.h: fix kunmap arg
  m68k: cnt reaches -1, not 0
  m68k: count can reach 51, not 50

13 years agoleds: after setting inverted attribute, we must update the LED
Thadeu Lima de Souza Cascardo [Wed, 26 Aug 2009 21:29:32 +0000 (14:29 -0700)]
leds: after setting inverted attribute, we must update the LED

If we change the inverted attribute to another value, the LED will not be
inverted until we change the GPIO state.

Signed-off-by: Thadeu Lima de Souza Cascardo <>
Cc: Samuel R. C. Vale <>
Cc: Richard Purdie <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoleds: fix multiple requests and releases of IRQ for GPIO LED Trigger
Thadeu Lima de Souza Cascardo [Wed, 26 Aug 2009 21:29:31 +0000 (14:29 -0700)]
leds: fix multiple requests and releases of IRQ for GPIO LED Trigger

When setting the same GPIO number, multiple IRQ shared requests will be
done without freing the previous request.  It will also try to free a
failed request or an already freed IRQ if 0 was written to the gpio file.

All these oops and leaks were fixed with the following solution: keep the
previous allocated GPIO (if any) still allocated in case the new request
fails.  The alternative solution would desallocate the previous allocated
GPIO and set gpio as 0.

Signed-off-by: Thadeu Lima de Souza Cascardo <>
Signed-off-by: Samuel R. C. Vale <>
Cc: Richard Purdie <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoacpi processor: remove superfluous warning message
Frans Pop [Wed, 26 Aug 2009 21:29:30 +0000 (14:29 -0700)]
acpi processor: remove superfluous warning message

This failure is very common on many platforms.  Handling it in the ACPI
processor driver is enough, and we don't need a warning message unless

Based on a patch from Zhang Rui.


Signed-off-by: Frans Pop <>
Acked-by: Zhang Rui <>
Cc: Len Brown <>
Cc: "Rafael J. Wysocki" <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoACPI processor: force throttling state when BIOS returns incorrect value
Frans Pop [Wed, 26 Aug 2009 21:29:29 +0000 (14:29 -0700)]
ACPI processor: force throttling state when BIOS returns incorrect value

If the BIOS reports an invalid throttling state (which seems to be
fairly common after system boot), a reset is done to state T0.
Because of a check in acpi_processor_get_throttling_ptc(), the reset
never actually gets executed, which results in the error reoccurring
on every access of for example /proc/acpi/processor/CPU0/throttling.

Add a 'force' option to acpi_processor_set_throttling() to ensure
the reset really takes effect.


This patch, together with the next one, fixes a regression introduced in
2.6.30, listed on the regression list. They have been available for 2.5
months now in bugzilla, but have not been picked up, despite various
reminders and without any reason given.

Google shows that numerous people are hitting this issue. The issue is in
itself relatively minor, but the bug in the code is clear.

The patches have been in all my kernels and today testing has shown that
throttling works correctly with the patches applied when the system
overheats (

Signed-off-by: Frans Pop <>
Acked-by: Zhang Rui <>
Cc: Len Brown <>
Cc: "Rafael J. Wysocki" <>
Cc: Rusty Russell <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agowmi: fix kernel panic when stack protection enabled.
Costantino Leandro [Wed, 26 Aug 2009 21:29:28 +0000 (14:29 -0700)]
wmi: fix kernel panic when stack protection enabled.

Kernel panic arise when stack protection is enabled, since strncat will
add a null terminating byte '\0'; So in functions
like this one (wmi_query_block):
        char wc[4]="WC";
strncat(method, block->object_id, 2);
the length of wc should be n+1 (wc[5]) or stack protection
fault will arise. This is not noticeable when stack protection is
disabled,but , isn't good either.

Panic Trace
       .... stack-protector: kernel stack corrupted in : fa7b182c
           [<c04a6c40>] ? panic+0x45/0xd9
   [<c012925d>] ? __stack_chk_fail+0x1c/0x40
   [<fa7b182c>] ? wmi_query_block+0x15a/0x162 [wmi]
   [<fa7b182c>] ? wmi_query_block+0x15a/0x162 [wmi]
   [<fa7e7000>] ? acer_wmi_init+0x00/0x61a [acer_wmi]
   [<fa7e7135>] ? acer_wmi_init+0x135/0x61a [acer_wmi]
   [<c0101159>] ? do_one_initcall+0x50+0x126


Signed-off-by: Costantino Leandro <>
Signed-off-by: Carlos Corbacho <>
Cc: Len Brown <>
Cc: Bjorn Helgaas <>
Cc: "Rafael J. Wysocki" <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoacpi: don't call acpi_processor_init if acpi is disabled
Yinghai Lu [Wed, 26 Aug 2009 21:29:26 +0000 (14:29 -0700)]
acpi: don't call acpi_processor_init if acpi is disabled

Jens reported early_ioremap messages with old ASUS board...

> [    1.507461] pci 0000:00:09.0: Firmware left e100 interrupts enabled; disabling
> [    1.532778] early_ioremap(3fffd0800000005c) [0] => Pid: 1, comm: swapper Not tainted 2.6.31-rc4 #36
> [    1.561007] Call Trace:
> [    1.568638]  [<c136e48b>] ? printk+0x18/0x1d
> [    1.581734]  [<c15513ff>] __early_ioremap+0x74/0x1e9
> [    1.596898]  [<c15515aa>] early_ioremap+0x1a/0x1c
> [    1.611270]  [<c154a187>] __acpi_map_table+0x18/0x1a
> [    1.626451]  [<c135a7f8>] acpi_os_map_memory+0x1d/0x25
> [    1.642129]  [<c119459c>] acpi_tb_verify_table+0x20/0x49
> [    1.658321]  [<c1193e50>] acpi_get_table_with_size+0x53/0xa1
> [    1.675553]  [<c1193eae>] acpi_get_table+0x10/0x15
> [    1.690192]  [<c155cc19>] acpi_processor_init+0x23/0xab
> [    1.706126]  [<c1001043>] do_one_initcall+0x33/0x180
> [    1.721279]  [<c155cbf6>] ? acpi_processor_init+0x0/0xab
> [    1.737479]  [<c106893a>] ? register_irq_proc+0xaa/0xc0
> [    1.753411]  [<c10689b7>] ? init_irq_proc+0x67/0x80
> [    1.768316]  [<c15405e7>] kernel_init+0x120/0x176
> [    1.782678]  [<c15404c7>] ? kernel_init+0x0/0x176
> [    1.797062]  [<c10038b7>] kernel_thread_helper+0x7/0x10
> [    1.812984] 00000080 + ffe00000

that is rather later.
acpi_gbl_permanent_mmap should be set in acpi_early_init()
if acpi is not disabled

and we have
> [    0.000000] ASUS P2B-DS detected: force use of acpi=ht

just don't load acpi_processor_init...

Reported-and-tested-by: Jens Rosenboom <>
Signed-off-by: Yinghai Lu <>
Acked-by: Ingo Molnar <>
Cc: Len Brown <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agothermal_sys: check get_temp return value
Michael Brunner [Wed, 26 Aug 2009 21:29:25 +0000 (14:29 -0700)]
thermal_sys: check get_temp return value

The return value of the get_temp function is not checked when doing a
thermal zone update.  This may lead to a critical shutdown if get_temp
fails and the content of the temp variable is incorrectly set higher than
the critical trip point.

This has been observed on a system with incorrect ACPI implementation
where the corresponding methods were not serialized and therefore
sometimes triggered ACPI errors (AE_ALREADY_EXISTS).  The following
critical shutdowns indicated a temperature of 2097 C, which was obviously

The patch adds a return value check that jumps over all trip point
evaluations printing a warning if get_temp fails.  The trip points are
evaluated again on the next polling interval with successful get_temp

Signed-off-by: Michael Brunner <>
Acked-by: Zhang Rui <>
Cc: Len Brown <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoclone(): fix race between copy_process() and de_thread()
Oleg Nesterov [Wed, 26 Aug 2009 21:29:24 +0000 (14:29 -0700)]
clone(): fix race between copy_process() and de_thread()

Spotted by Hiroshi Shimamoto who also provided the test-case below.

copy_process() uses signal->count as a reference counter, but it is not.
This test case

#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <pthread.h>

void *null_thread(void *p)
for (;;)

return NULL;

void *exec_thread(void *p)
execl("/bin/true", "/bin/true", NULL);

return null_thread(p);

int main(int argc, char **argv)
for (;;) {
pid_t pid;
int ret, status;

pid = fork();
if (pid < 0)

if (!pid) {
pthread_t tid;

pthread_create(&tid, NULL, exec_thread, NULL);
for (;;)
pthread_create(&tid, NULL, null_thread, NULL);

do {
ret = waitpid(pid, &status, 0);
} while (ret == -1 && errno == EINTR);

return 0;

quickly creates an unkillable task.

If copy_process(CLONE_THREAD) races with de_thread()
copy_signal()->atomic(signal->count) breaks the signal->notify_count
logic, and the execing thread can hang forever in kernel space.

Change copy_process() to increment count/live only when we know for sure
we can't fail.  In this case the forked thread will take care of its
reference to signal correctly.

If copy_process() fails, check CLONE_THREAD flag.  If it it set - do
nothing, the counters were not changed and current belongs to the same
thread group.  If it is not set, ->signal must be released in any case
(and ->count must be == 1), the forked child is the only thread in the
thread group.

We need more cleanups here, in particular signal->count should not be used
by de_thread/__exit_signal at all.  This patch only fixes the bug.

Reported-by: Hiroshi Shimamoto <>
Tested-by: Hiroshi Shimamoto <>
Signed-off-by: Oleg Nesterov <>
Acked-by: Roland McGrath <>
Cc: KAMEZAWA Hiroyuki <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agomm: fix for infinite churning of mlocked pages
Minchan Kim [Wed, 26 Aug 2009 21:29:23 +0000 (14:29 -0700)]
mm: fix for infinite churning of mlocked pages

An mlocked page might lose the isolatation race.  This causes the page to
clear PG_mlocked while it remains in a VM_LOCKED vma.  This means it can
be put onto the [in]active list.  We can rescue it by using try_to_unmap()
in shrink_page_list().

But now, As Wu Fengguang pointed out, vmscan has a bug.  If the page has
PG_referenced, it can't reach try_to_unmap() in shrink_page_list() but is
put into the active list.  If the page is referenced repeatedly, it can
remain on the [in]active list without being moving to the unevictable

This patch fixes it.

Reported-by: Wu Fengguang <>
Signed-off-by: Minchan Kim <>
Reviewed-by: KOSAKI Motohiro <<>
Cc: Lee Schermerhorn <>
Acked-by: Rik van Riel <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoflex_array: convert element_nr formals to unsigned
David Rientjes [Wed, 26 Aug 2009 21:29:22 +0000 (14:29 -0700)]
flex_array: convert element_nr formals to unsigned

It's problematic to allow signed element_nr's or total's to be passed as
part of the flex array API.

flex_array_alloc() allows total_nr_elements to be set to a negative
quantity, which is obviously erroneous.

flex_array_get() and flex_array_put() allows negative array indices in
dereferencing an array part, which could address memory mapped before
struct flex_array.

The fix is to convert all existing element_nr formals to be qualified as
unsigned.  Existing checks to compare it to total_nr_elements or the max
array size based on element_size need not be changed.

Signed-off-by: David Rientjes <>
Cc: Dave Hansen <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoflex_array: declare parts member to have incomplete type
David Rientjes [Wed, 26 Aug 2009 21:29:21 +0000 (14:29 -0700)]
flex_array: declare parts member to have incomplete type

The `parts' member of struct flex_array should evaluate to an incomplete
type so that sizeof() cannot be used and C99 does not require the
zero-length specification.

Signed-off-by: David Rientjes <>
Acked-by: Dave Hansen <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoflex_array: fix flex_array_free_parts comment
David Rientjes [Wed, 26 Aug 2009 21:29:20 +0000 (14:29 -0700)]
flex_array: fix flex_array_free_parts comment

flex_array_free_parts() does not take `src' or `element_nr' formals, so
remove their respective comments.

Signed-off-by: David Rientjes <>
Acked-by: Dave Hansen <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoflex_array: fix get function for elements in base starting at non-zero
David Rientjes [Wed, 26 Aug 2009 21:29:20 +0000 (14:29 -0700)]
flex_array: fix get function for elements in base starting at non-zero

If all array elements fit into the base structure and data is copied using
flex_array_put() starting at a non-zero index, flex_array_get() will fail
to return the data.

This fixes the bug by only checking for NULL parts when all elements do
not fit in the base structure when flex_array_get() is used.  Otherwise,
fa_element_to_part_nr() will always be 0 since there are no parts
structures needed and such element may never have been put.  Thus, it will
remain NULL due to the kzalloc() of the base.

Additionally, flex_array_put() now only checks for a NULL part when all
elements do not fit in the base structure.  This is otherwise unnecessary
since the base structure is guaranteed to exist (or we would have already
hit a NULL pointer).

Signed-off-by: David Rientjes <>
Acked-by: Dave Hansen <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agopps: fix incorrect verdict check
Joonwoo Park [Wed, 26 Aug 2009 21:29:18 +0000 (14:29 -0700)]
pps: fix incorrect verdict check

Fix incorrect verdict check and returns error if device_create failed,
otherwise driver triggers kernel oops.

Signed-off-by: Joonwoo Park<>
Cc: Rodolfo Giometti <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
13 years agoIMA: iint put in ima_counts_get and put
Eric Paris [Wed, 26 Aug 2009 18:56:48 +0000 (14:56 -0400)]
IMA: iint put in ima_counts_get and put

ima_counts_get() calls ima_iint_find_insert_get() which takes a reference
to the iint in question, but does not put that reference at the end of the
function.  This can lead to a nasty memory leak.  Easy enough to reproduce:

#include <sys/mman.h>
#include <stdio.h>

int main (void)
int i;
void *ptr;

for (i=0; i < 100000; i++) {
ptr = mmap(NULL, 4096, PROT_READ|PROT_WRITE,
if (ptr == MAP_FAILED)
return 2;
munmap(ptr, 4096);

return 0;

Signed-off-by: Eric Paris <>
Signed-off-by: James Morris <>
13 years agom68k,m68knommu: Wire up rt_tgsigqueueinfo and perf_counter_open
Geert Uytterhoeven [Fri, 21 Aug 2009 20:03:54 +0000 (22:03 +0200)]
m68k,m68knommu: Wire up rt_tgsigqueueinfo and perf_counter_open

Signed-off-by: Geert Uytterhoeven <>
Acked-by: Greg Ungerer <>
13 years agom68k: Fix redefinition of pgprot_noncached
Alexey Dobriyan [Thu, 9 Jul 2009 13:08:38 +0000 (17:08 +0400)]
m68k: Fix redefinition of pgprot_noncached

arch/m68k/include/asm/pgtable_mm.h:148:1: warning: "pgprot_noncached" redefined
In file included from arch/m68k/include/asm/pgtable_mm.h:138,
                 from arch/m68k/include/asm/pgtable.h:4,
                 from include/linux/mm.h:40,
                 from include/linux/pagemap.h:7,
                 from include/linux/blkdev.h:12,
                 from arch/m68k/emu/nfblock.c:17:
include/asm-generic/pgtable.h:133:1: warning: this is the location of the previous definition

pgprot_noncached() should be defined _before_ including asm-generic/pgtable.h

Signed-off-by: Alexey Dobriyan <>
Signed-off-by: Geert Uytterhoeven <>
13 years agoarch/m68k/include/asm/motorola_pgalloc.h: fix kunmap arg
Andrew Morton [Wed, 17 Jun 2009 20:13:58 +0000 (13:13 -0700)]
arch/m68k/include/asm/motorola_pgalloc.h: fix kunmap arg

arch/m68k/include/asm/motorola_pgalloc.h: In function 'pte_alloc_one':
arch/m68k/include/asm/motorola_pgalloc.h:44: warning: passing argument 1 of 'kunmap' from incompatible pointer type

Also, remove unneeded test for kmap() failure.

Signed-off-by: Andrew Morton <>
Signed-off-by: Geert Uytterhoeven <>
13 years agom68k: cnt reaches -1, not 0
Roel Kluin [Wed, 17 Jun 2009 20:13:57 +0000 (13:13 -0700)]
m68k: cnt reaches -1, not 0

With the postfix decrement cnt reaches -1 rather than 0.

Signed-off-by: Roel Kluin <>
Cc: Geert Uytterhoeven <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Geert Uytterhoeven <>
13 years agom68k: count can reach 51, not 50
Roel Kluin [Wed, 17 Jun 2009 20:13:56 +0000 (13:13 -0700)]
m68k: count can reach 51, not 50

With while (count++ < 50) { ...  } count can reach 51, not 50, so we
shouldn't give an error message on a count of 50.

[ coding-style fixes]
Signed-off-by: Roel Kluin <>
Cc: Geert Uytterhoeven <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Geert Uytterhoeven <>
13 years agovirtio: net refill on out-of-memory
Rusty Russell [Wed, 26 Aug 2009 19:22:32 +0000 (12:22 -0700)]
virtio: net refill on out-of-memory

If we run out of memory, use keventd to fill the buffer.  There's a
report of this happening: "Page allocation failures in guest",
Message-ID: <>

Signed-off-by: Rusty Russell <>
Signed-off-by: David S. Miller <>
13 years agosmc91x: fix compilation on SMP
Alexey Dobriyan [Wed, 26 Aug 2009 19:03:35 +0000 (12:03 -0700)]
smc91x: fix compilation on SMP

Signed-off-by: Alexey Dobriyan <>
Signed-off-by: David S. Miller <>
13 years agoInput: i8042 - add Acer Aspire 5536 to the nomux list
Dmitry Torokhov [Wed, 26 Aug 2009 02:24:10 +0000 (19:24 -0700)]
Input: i8042 - add Acer Aspire 5536 to the nomux list

When KBC is in active multiplexing mode, disabling and re-enabling the
touchpad with the special key leaves the touchpad dead. Since the laptop
does not have any external PS/2 ports disabling MUX mode should be safe.

Reported-by: Eugeniy Meshcheryakov <>
Signed-off-by: Dmitry Torokhov <>
13 years agox86: Fix vSMP boot crash
Yinghai Lu [Tue, 25 Aug 2009 20:44:44 +0000 (13:44 -0700)]
x86: Fix vSMP boot crash

2.6.31-rc7 does not boot on vSMP systems:

[    8.501108] CPU31: Thermal monitoring enabled (TM1)
[    8.501127] CPU 31 MCA banks SHD:2 SHD:3 SHD:5 SHD:6 SHD:8
[    8.650254] CPU31: Intel(R) Xeon(R) CPU           E5540  @ 2.53GHz stepping 04
[    8.710324] Brought up 32 CPUs
[    8.713916] Total of 32 processors activated (162314.96 BogoMIPS).
[    8.721489] ERROR: parent span is not a superset of domain->span
[    8.727686] ERROR: domain->groups does not contain CPU0
[    8.733091] ERROR: groups don't span domain->span
[    8.737975] ERROR: domain->cpu_power not set
[    8.742416]

Ravikiran Thirumalai bisected it to:

| commit 2759c3287de27266e06f1f4e82cbd2d65f6a044c
| x86: don't call read_apic_id if !cpu_has_apic

The problem is that on vSMP systems the CPUID derived
initial-APICIDs are overlapping - so we need to fall
back on hard_smp_processor_id() which reads the local

Both come from the hardware (influenced by firmware
though) so it's a tough call which one to trust.

Doing the quirk expresses the vSMP property properly
and also does not affect other systems, so we go for
this solution instead of a revert.

Reported-and-Tested-by: Ravikiran Thirumalai <>
Signed-off-by: Yinghai Lu <>
Cc: Linus Torvalds <>
Cc: Cyrill Gorcunov <>
Cc: Shai Fultheim <>
Cc: Suresh Siddha <>
LKML-Reference: <>
Signed-off-by: Ingo Molnar <>
13 years agoMerge git://
Linus Torvalds [Wed, 26 Aug 2009 04:24:49 +0000 (21:24 -0700)]
Merge git://git./linux/kernel/git/davem/net-2.6

* git://
  irda/sa1100_ir: fix broken netdev_ops conversion
  irda/au1k_ir: fix broken netdev_ops conversion
  pkt_sched: Fix bogon in tasklet_hrtimer changes.

13 years agoMerge git://
Linus Torvalds [Wed, 26 Aug 2009 04:24:26 +0000 (21:24 -0700)]
Merge git://git./linux/kernel/git/davem/sparc-2.6

* git://
  sparc64: Validate linear D-TLB misses.
  sparc64: Update defconfig.
  sparc32: Update defconfig.
  sparc32: Kill trap table freeing code.
  sparc: sys32.S incorrect compat-layer splice() system call
  sparc: Use page_fault_out_of_memory() for VM_FAULT_OOM.
  sparc64: Sign extend length arg to truncate syscalls when compat.
  sparc: Fix cleanup crash in bbc_envctrl_cleanup()

13 years agox86, xen: Initialize cx to suppress warning
H. Peter Anvin [Wed, 26 Aug 2009 04:06:03 +0000 (21:06 -0700)]
x86, xen: Initialize cx to suppress warning

Initialize cx before calling xen_cpuid(), in order to suppress the
"may be used uninitialized in this function" warning.

Signed-off-by: H. Peter Anvin <>
Cc: Jeremy Fitzhardinge <>
13 years agox86, xen: Suppress WP test on Xen
Jeremy Fitzhardinge [Tue, 25 Aug 2009 19:53:02 +0000 (12:53 -0700)]
x86, xen: Suppress WP test on Xen

Xen always runs on CPUs which properly support WP enforcement in
privileged mode, so there's no need to test for it.

This also works around a crash reported by Arnd Hannemann, though I
think its just a band-aid for that case.

Reported-by: Arnd Hannemann <>
Signed-off-by: Jeremy Fitzhardinge <>
Acked-by: Pekka Enberg <>
Signed-off-by: H. Peter Anvin <>
13 years agoirda/sa1100_ir: fix broken netdev_ops conversion
Alexander Beregalov [Wed, 26 Aug 2009 03:39:37 +0000 (20:39 -0700)]
irda/sa1100_ir: fix broken netdev_ops conversion

This patch is based on commit d2f3ad4 (pxaficp-ir: remove incorrect
net_device_ops). Do the same for sa1100_ir.

Signed-off-by: Alexander Beregalov <>
Signed-off-by: David S. Miller <>
13 years agoirda/au1k_ir: fix broken netdev_ops conversion
Alexander Beregalov [Wed, 26 Aug 2009 03:39:18 +0000 (20:39 -0700)]
irda/au1k_ir: fix broken netdev_ops conversion

This patch is based on commit d2f3ad4 (pxaficp-ir: remove incorrect
net_device_ops). Do the same for au1k_ir.

Signed-off-by: Alexander Beregalov <>
Signed-off-by: David S. Miller <>
13 years agosparc64: Validate linear D-TLB misses.
David S. Miller [Tue, 25 Aug 2009 23:47:46 +0000 (16:47 -0700)]
sparc64: Validate linear D-TLB misses.

When page alloc debugging is not enabled, we essentially accept any
virtual address for linear kernel TLB misses.  But with kgdb, kernel
address probing, and other facilities we can try to access arbitrary

So, make sure the address we miss on will translate to physical memory
that actually exists.

In order to make this work we have to embed the valid address bitmap
into the kernel image.  And in order to make that less expensive we
make an adjustment, in that the max physical memory address is
decreased to "1 << 41", even on the chips that support a 42-bit
physical address space.  We can do this because bit 41 indicates
"I/O space" and thus covers non-memory ranges.

The result of this is that:

1) kpte_linear_bitmap shrinks from 2K to 1K in size

2) we need 64K more for the valid address bitmap

We can't let the valid address bitmap be dynamically allocated
once we start using it to validate TLB misses, otherwise we have
crazy issues to deal with wrt. recursive TLB misses and such.

If we're in a TLB miss it could be the deepest trap level that's legal
inside of the cpu.  So if we TLB miss referencing the bitmap, the cpu
will be out of trap levels and enter RED state.

To guard against out-of-range accesses to the bitmap, we have to check
to make sure no bits in the physical address above bit 40 are set.  We
could export and use last_valid_pfn for this check, but that's just an
unnecessary extra memory reference.

On the plus side of all this, since we load all of these translations
into the special 4MB mapping TSB, and we check the TSB first for TLB
misses, there should be absolutely no real cost for these new checks
in the TLB miss path.

Signed-off-by: David S. Miller <>
13 years agoMerge branch 'perfcounters-fixes-for-linus' of git://
Linus Torvalds [Tue, 25 Aug 2009 18:24:37 +0000 (11:24 -0700)]
Merge branch 'perfcounters-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'perfcounters-fixes-for-linus' of git://
  perf_counter: Fix typo in read() output generation
  perf tools: Check owner

13 years agoMerge branch 'core-fixes-for-linus' of git://
Linus Torvalds [Tue, 25 Aug 2009 18:24:24 +0000 (11:24 -0700)]
Merge branch 'core-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'core-fixes-for-linus' of git://
  dma-debug: Fix check_unmap null pointer dereference

13 years agoMerge branch 'timers-fixes-for-linus' of git://
Linus Torvalds [Tue, 25 Aug 2009 18:24:04 +0000 (11:24 -0700)]
Merge branch 'timers-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'timers-fixes-for-linus' of git://
  clockevent: Prevent dead lock on clockevents_lock
  timers: Drop write permission on /proc/timer_list

13 years agoMerge branch 'tracing-fixes-for-linus' of git://
Linus Torvalds [Tue, 25 Aug 2009 18:23:43 +0000 (11:23 -0700)]
Merge branch 'tracing-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'tracing-fixes-for-linus' of git://
  tracing: Fix too large stack usage in do_one_initcall()
  tracing: handle broken names in ftrace filter
  ftrace: Unify effect of writing to trace_options and option/*

13 years agoMerge branch 'x86-fixes-for-linus' of git://
Linus Torvalds [Tue, 25 Aug 2009 18:23:25 +0000 (11:23 -0700)]
Merge branch 'x86-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'x86-fixes-for-linus' of git://
  x86: Fix build with older binutils and consolidate linker script
  x86: Fix an incorrect argument of reserve_bootmem()
  x86: add to targets in arch/x86/boot/compressed/Makefile
  xen: rearrange things to fix stackprotector
  x86: make sure load_percpu_segment has no stackprotector
  i386: Fix section mismatches for init code with !HOTPLUG_CPU
  x86, pat: Allow ISA memory range uncacheable mapping requests

13 years agoMerge branch 'for_linus' of git://
Linus Torvalds [Tue, 25 Aug 2009 16:47:36 +0000 (09:47 -0700)]
Merge branch 'for_linus' of git://git./linux/kernel/git/jack/linux-fs-2.6

* 'for_linus' of git://
  ext3: Improve error message that changing journaling mode on remount is not possible
  ext3: Update Kconfig description of EXT3_DEFAULTS_TO_ORDERED

13 years agoMerge branch 'fix/misc' of git://
Linus Torvalds [Tue, 25 Aug 2009 16:47:06 +0000 (09:47 -0700)]
Merge branch 'fix/misc' of git://git./linux/kernel/git/tiwai/sound-2.6

* 'fix/misc' of git://
  sound: pcm_lib: fix unsorted list constraint handling
  sound: vx222: fix input level control range check
  ALSA: ali5451: fix timeout handling in snd_ali_{codecs,timer}_ready()

13 years agoMerge git://
Linus Torvalds [Tue, 25 Aug 2009 16:30:58 +0000 (09:30 -0700)]
Merge git://git./linux/kernel/git/wim/linux-2.6-watchdog

* git://
  [WATCHDOG] ar7_wdt: fix path to ar7-specific headers