Thomas Gleixner [Sat, 5 Mar 2011 01:36:23 +0000 (17:36 -0800)]
pps: make pps_gen_parport depend on BROKEN
This driver causes hard lockups, when the active clock soure is jiffies.
The reason is that it loops with interrupts disabled waiting for a
timestamp to be reached by polling getnstimeofday(). Though with a
jiffies clocksource, when that code runs on the same CPU which is
responsible for updating jiffies, then we loop in circles for ever
simply because the timer interrupt cannot update jiffies. So both UP
and SMP can be affected.
There is no easy fix for that problem so make it depend on BROKEN for
now.
Linus Torvalds [Sat, 5 Mar 2011 01:31:43 +0000 (17:31 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/vapier/blackfin
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/vapier/blackfin:
Blackfin: iflush: update anomaly 05000491 workaround
Blackfin: outs[lwb]: make sure count is greater than 0
Linus Torvalds [Sat, 5 Mar 2011 01:31:01 +0000 (17:31 -0800)]
Merge branch 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6
* 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
sh: Change __nosave_XXX symbols to long
sh: Flush executable pages in copy_user_highpage
sh: Ensure ST40-300 BogoMIPS value is consistent
sh: sh7750: Fix incompatible pointer type
sh: sh7750: move machtypes.h to include/generated
It occurs because an skb with a fraglist was freed from the tcp
retransmit queue when it was acked, but a page on that fraglist had
PG_Slab set (indicating it was allocated from the Slab allocator (which
means the free path above can't safely free it via put_page.
We tracked this back to an nfsv4 setacl operation, in which the nfs code
attempted to fill convert the passed in buffer to an array of pages in
__nfs4_proc_set_acl, which gets used by the skb->frags list in
xs_sendpages. __nfs4_proc_set_acl just converts each page in the buffer
to a page struct via virt_to_page, but the vfs allocates the buffer via
kmalloc, meaning the PG_slab bit is set. We can't create a buffer with
kmalloc and free it later in the tcp ack path with put_page, so we need
to either:
1) ensure that when we create the list of pages, no page struct has
PG_Slab set
or
2) not use a page list to send this data
Given that these buffers can be multiple pages and arbitrarily sized, I
think (1) is the right way to go. I've written the below patch to
allocate a page from the buddy allocator directly and copy the data over
to it. This ensures that we have a put_page free-able page for every
entry that winds up on an skb frag list, so it can be safely freed when
the frame is acked. We do a put page on each entry after the
rpc_call_sync call so as to drop our own reference count to the page,
leaving only the ref count taken by tcp_sendpages. This way the data
will be properly freed when the ack comes in
Successfully tested by myself to solve the above oops.
Note, as this is the result of a setacl operation that exceeded a page
of data, I think this amounts to a local DOS triggerable by an
uprivlidged user, so I'm CCing security on this as well.
Sage Weil [Fri, 4 Mar 2011 20:25:05 +0000 (12:25 -0800)]
libceph: fix msgr standby handling
The standby logic used to be pretty dependent on the work requeueing
behavior that changed when we switched to WQ_NON_REENTRANT. It was also
very fragile.
Restructure things so that:
- We clear WRITE_PENDING when we set STANDBY. This ensures we will
requeue work when we wake up later.
- con_work backs off if STANDBY is set. There is nothing to do if we are
in standby.
- clear_standby() helper is called by both con_send() and con_keepalive(),
the two actions that can wake us up again. Move the connect_seq++
logic here.
Sage Weil [Fri, 4 Mar 2011 20:24:28 +0000 (12:24 -0800)]
libceph: fix msgr backoff
With commit f363e45f we replaced a bunch of hacky workqueue mutual
exclusion logic with the WQ_NON_REENTRANT flag. One pieces of fallout is
that the exponential backoff breaks in certain cases:
* con_work attempts to connect.
* we get an immediate failure, and the socket state change handler queues
immediate work.
* con_work calls con_fault, we decide to back off, but can't queue delayed
work.
In this case, we add a BACKOFF bit to make con_work reschedule delayed work
next time it runs (which should be immediately).
Al Viro [Fri, 4 Mar 2011 18:14:21 +0000 (13:14 -0500)]
minimal fix for do_filp_open() race
failure exits on the no-O_CREAT side of do_filp_open() merge with
those of O_CREAT one; unfortunately, if do_path_lookup() returns
-ESTALE, we'll get out_filp:, notice that we are about to return
-ESTALE without having trying to create the sucker with LOOKUP_REVAL
and jump right into the O_CREAT side of code. And proceed to try
and create a file. Usually that'll fail with -ESTALE again, but
we can race and get that attempt of pathname resolution to succeed.
open() without O_CREAT really shouldn't end up creating files, races
or not. The real fix is to rearchitect the whole do_filp_open(),
but for now splitting the failure exits will do.
Linus Torvalds [Fri, 4 Mar 2011 17:23:30 +0000 (09:23 -0800)]
Mark ptrace_{traceme,attach,detach} static
They are only used inside kernel/ptrace.c, and have been for a long
time. We don't want to go back to the bad-old-days when architectures
did things on their own, so make them static and private.
Balbir Singh [Thu, 3 Mar 2011 11:34:35 +0000 (17:04 +0530)]
sched: Fix sched rt group scheduling when hierachy is enabled
The current sched rt code is broken when it comes to hierarchical
scheduling, this patch fixes two problems
1. It adds redundant enqueuing (harmless) when it finds a queue
has tasks enqueued, but it has no run time and it is not
throttled.
2. The most important change is in sched_rt_rq_enqueue/dequeue.
The code just picks the rt_rq belonging to the current cpu
on which the period timer runs, the patch fixes it, so that
the correct rt_se is enqueued/dequeued.
Tested with a simple hierarchy
/c/d, c and d assigned similar runtimes of 50,000 and a while
1 loop runs within "d". Both c and d get throttled, without
the patch, the task just stops running and never runs (depends
on where the sched_rt b/w timer runs). With the patch, the
task is throttled and runs as expected.
[ bharata, suggestions on how to pick the rt_se belong to the
rt_rq and correct cpu ]
Mark Brown [Thu, 3 Mar 2011 23:24:15 +0000 (08:24 +0900)]
ARM: S3C64XX: Update regulator names for debugfs compatiblity on SMDK6410
The debugfs support added to the regulator API (which has been merged
in during this merge window) creates directories for regulators named
after the display names for the regulators so replace / as a separator
for multiple supplies with + in the SMDK6410 machine.
Ben Dooks [Thu, 3 Mar 2011 22:55:44 +0000 (07:55 +0900)]
ARM: S3C64XX: Reduce output of s3c64xx_dma_init1()
Reduce the logging output of s3c64xx_dma_init1() as it is not useful
for normal bootup (and we get an overall indication of the registration
of the PL180 DMA block).
Mark Brown [Thu, 3 Mar 2011 22:55:44 +0000 (07:55 +0900)]
ARM: S3C64XX: Tone down SDHCI debugging
The MMC core calls s3c6400_setup_sdhcp_cfg_card() very frequently, causing
the log message in there at KERN_INFO to be displayed a lot which is slow
and overly chatty. Convert the message into a pr_debug() to tone this down.
Ben Dooks [Wed, 2 Mar 2011 06:19:15 +0000 (15:19 +0900)]
ARM: S3C64XX: Fix keypad setup to configure correct number of rows
The call to s3c_gpio_cfgrange_nopull() takes a size and base
but this looks like it is trying to do base and end. This means
it is configuring too many GPIOs and on the case of the Cragganmore
means we're seeing an overflow of the ROW pins causing problems
with the keyboard driver.
ARM: S3C2440: Fix usage gpio bank j pin definitions on GTA02
The gta02 header file still uses the old S3C2410_GPJx defines instead of the
S3C2410_GPJ(x) macro. Since the S3C2410_GPJx defines have already been removed
this causes the following build failure:
sound/soc/samsung/neo1973_wm8753.c: In function 'lm4853_set_spk':
sound/soc/samsung/neo1973_wm8753.c:259: error: 'S3C2440_GPJ2' undeclared (first use in this function)
sound/soc/samsung/neo1973_wm8753.c:259: error: (Each undeclared identifier is reported only once
sound/soc/samsung/neo1973_wm8753.c:259: error: for each function it appears in.)
sound/soc/samsung/neo1973_wm8753.c: In function 'lm4853_get_spk':
sound/soc/samsung/neo1973_wm8753.c:267: error: 'S3C2440_GPJ2' undeclared (first use in this function)
sound/soc/samsung/neo1973_wm8753.c: In function 'lm4853_event':
sound/soc/samsung/neo1973_wm8753.c:276: error: 'S3C2440_GPJ1' undeclared (first use in this function)
sound/soc/samsung/neo1973_wm8753.c: At top level:
sound/soc/samsung/neo1973_wm8753.c:439: error: 'S3C2440_GPJ2' undeclared here (not in a function)
sound/soc/samsung/neo1973_wm8753.c:440: error: 'S3C2440_GPJ1' undeclared here (not in a function)
This patches fixes the issue by doing a s,S3C2410_GPJ([\d]+),S3C2410_GPJ(\1),g
on the file.
Banajit Goswami [Mon, 28 Feb 2011 07:53:36 +0000 (16:53 +0900)]
ARM: S5P64X0: Fix number of GPIO lines in Bank F
This patch modifies the number of total GPIO lines for Bank F
for Samsung S5P6440 and S5P6450 SoCs from 2 to 16.
This is necessary as the GPIO lines from 0 to 13 are reserved
and only lines 14 and 15 are used. As during initialization,
the line number starts at 0, putting 2 does not solve the
intended purpose.
ARM: S3C2440: Select missing S3C_DEV_USB_HOST on GTA02
The gta02 mach file references the ohci device.
So we need to select S3C_DEV_USB_HOST to have the device available.
This fixes the following linker errors:
arch/arm/mach-s3c2440/built-in.o: In function 'gta02_machine_init':
mach-gta02.c:(.init.text+0x370): undefined reference to 's3c_ohci_set_platdata'
arch/arm/mach-s3c2440/built-in.o:(.init.data+0xac): undefined reference to 's3c_device_ohci'
Ben Skeggs [Thu, 3 Mar 2011 23:58:36 +0000 (09:58 +1000)]
drm/nouveau: allocate kernel's notifier object at end of block
The nv30/nv40 3d driver is about to start using DMA_FENCE from the 3D
object which, it turns out, doesn't like its DMA object to not be
aligned to a 4KiB boundary.
Linus Torvalds [Thu, 3 Mar 2011 23:48:01 +0000 (15:48 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (42 commits)
MAINTAINERS: Add Andy Gospodarek as co-maintainer.
r8169: disable ASPM
RxRPC: Fix v1 keys
AF_RXRPC: Handle receiving ACKALL packets
cnic: Fix lost interrupt on bnx2x
cnic: Prevent status block race conditions with hardware
net: dcbnl: check correct ops in dcbnl_ieee_set()
e1000e: disable broken PHY wakeup for ICH10 LOMs, use MAC wakeup instead
igb: fix sparse warning
e1000: fix sparse warning
netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values
dccp: fix oops on Reset after close
ipvs: fix dst_lock locking on dest update
davinci_emac: Add Carrier Link OK check in Davinci RX Handler
bnx2x: update driver version to 1.62.00-6
bnx2x: properly calculate lro_mss
bnx2x: perform statistics "action" before state transition.
bnx2x: properly configure coefficients for MinBW algorithm (NPAR mode).
bnx2x: Fix ethtool -t link test for MF (non-pmf) devices.
bnx2x: Fix nvram test for single port devices.
...
Linus Torvalds [Thu, 3 Mar 2011 23:42:35 +0000 (15:42 -0800)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block
* 'for-linus' of git://git.kernel.dk/linux-2.6-block:
block: kill loop_mutex
blktrace: Remove blk_fill_rwbs_rq.
block: blk-flush shouldn't call directly into q->request_fn() __blk_run_queue()
block: add @force_kblockd to __blk_run_queue()
block: fix kernel-doc format for blkdev_issue_zeroout
blk-throttle: Do not use kblockd workqueue for throtl work
David Howells [Thu, 3 Mar 2011 11:28:58 +0000 (11:28 +0000)]
DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
When a DNS resolver key is instantiated with an error indication, attempts to
read that key will result in an oops because user_read() is expecting there to
be a payload - and there isn't one [CVE-2011-1076].
Give the DNS resolver key its own read handler that returns the error cached in
key->type_data.x[0] as an error rather than crashing.
Also make the kenter() at the beginning of dns_resolver_instantiate() limit the
amount of data it prints, since the data is not necessarily NUL-terminated.
What should happen is that keyctl_read() reports error 6 (ENXIO) to the user:
dns-break: read_key: No such device or address
but instead the kernel oopses.
This cannot be reproduced with the 'keyutils add' or 'keyutils padd' commands
as both of those cut the data down below the NUL termination that must be
included in the data. Without this dns_resolver_instantiate() will return
-EINVAL and the key will not be instantiated such that it can be read.
The oops looks like:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff811b99f7>] user_read+0x4f/0x8f
PGD 3bdf8067 PUD 385b9067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq
CPU 0
Modules linked in:
Sage Weil [Thu, 3 Mar 2011 20:14:53 +0000 (12:14 -0800)]
libceph: retry after authorization failure
If we mark the connection CLOSED we will give up trying to reconnect to
this server instance. That is appropriate for things like a protocol
version mismatch that won't change until the server is restarted, at which
point we'll get a new addr and reconnect. An authorization failure like
this is probably due to the server not properly rotating it's secret keys,
however, and should be treated as transient so that the normal backoff and
retry behavior kicks in.
Sage Weil [Thu, 3 Mar 2011 00:55:21 +0000 (16:55 -0800)]
libceph: fix handling of short returns from get_user_pages
get_user_pages() can return fewer pages than we ask for. We were returning
a bogus pointer/error code in that case. Instead, loop until we get all
the pages we want or get an error we can return to the caller.
For some time is known that ASPM is causing troubles on r8169, i.e. make
device randomly stop working without any errors in dmesg.
Currently Tomi Leppikangas reports that system with r8169 device hangs
with MCE errors when ASPM is enabled:
https://bugzilla.redhat.com/show_bug.cgi?id=642861#c4
Lets disable ASPM for r8169 devices at all, to avoid problems with
r8169 PCIe devices at least for some users.
Hari Kanigeri [Wed, 2 Mar 2011 22:14:18 +0000 (22:14 +0000)]
omap: mailbox: resolve hang issue
omap4 interrupt disable bits is different. On rx kfifo full, the mbox rx
interrupts wasn't getting disabled, and this is causing the rcm stress tests
to hang.
Sage Weil [Mon, 28 Feb 2011 20:49:15 +0000 (12:49 -0800)]
ceph: do not clear I_COMPLETE from d_release
First, this was racy anyway: d_release isn't called until well after the
dentry is unhashed. Second, this runs afoul of the recent dcache change
that clears d_parent prior to calling d_release (949854d0), causing a NULL
pointer dereference.
The 34xx and 3590 tape driver uses the system work queue to defer work
from the interrupt function to process context, e.g. a medium sense
after an unsolicited interrupt. The tape commands started by the work
handler need to be asynchronous, otherwise a deadlock on the system
work queue can occur.
[S390] xpram: remove __initdata attribute from module parameters
The module parameter 'devs' and 'sizes' are marked as __initdata. The
memory for the parameters are freed after module_init completed. This
can lead to kernel crashes in param_free_charp. Remove the __initdata
attribute to fix the problem.
Tao Ma [Thu, 3 Mar 2011 15:53:20 +0000 (10:53 -0500)]
blktrace: Remove blk_fill_rwbs_rq.
If we enable trace events to trace block actions, We use
blk_fill_rwbs_rq to analyze the corresponding actions
in request's cmd_flags, but we only choose the minor 2 bits
from it, so most of other flags(e.g, REQ_SYNC) are missing.
For example, with a sync write we get:
write_test-2409 [001] 160.013869: block_rq_insert: 3,64 W 0 () 258135 + =
8 [write_test]
Since now we have integrated the flags of both bio and request,
it is safe to pass rq->cmd_flags directly to blk_fill_rwbs and
blk_fill_rwbs_rq isn't needed any more.
With this patch, after a sync write we get:
write_test-2417 [000] 226.603878: block_rq_insert: 3,64 WS 0 () 258135 +=
8 [write_test]
Takashi Iwai [Thu, 3 Mar 2011 13:54:19 +0000 (14:54 +0100)]
ALSA: hda - Don't set to D3 in Cirrus errata init verbs
The errata init verbs for CS42xx codecs contain the verbs to set
the power-state of SPDIF nodes to D3, which seem to break the SPDIF
output on some MacBooks. Since this is executed during the power-up
initialization, we shouldn't turn them down there.
Al Viro [Wed, 2 Mar 2011 14:35:13 +0000 (09:35 -0500)]
fix reiserfs mkdir() breakage
if directory has so many subdirectories that its link count is set
to 1 (i.e. "can't tell accurately") and reiserfs_new_inode() fails,
we shouldn't decrement the parent's link count in cleanup path;
that's what DEC_DIR_INODE_NLINK() is for. As it is, we end up
with parent suddenly getting zero i_nlink, with very unpleasant
effects.
Linus Torvalds [Thu, 3 Mar 2011 04:01:57 +0000 (20:01 -0800)]
Merge branch 'devicetree/merge' of git://git.secretlab.ca/git/linux-2.6
* 'devicetree/merge' of git://git.secretlab.ca/git/linux-2.6:
of/promtree: allow DT device matching by fixing 'name' brokenness (v5)
x86: OLPC: have prom_early_alloc BUG rather than return NULL
of/flattree: Drop an uninteresting message to pr_debug level
of: Add missing of_address.h to xilinx ehci driver
Linus Torvalds [Thu, 3 Mar 2011 04:01:07 +0000 (20:01 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6:
mfd: Avoid tps6586x burst writes
mfd: Don't suspend WM8994 if the CODEC is not suspended
mfd: Fix DaVinci voice codec device name
mfd: Fix NULL pointer due to non-initialized ucb1x00-ts absinfo
mfd: Fix ASIC3 build with GENERIC_HARDIRQS_NO_DEPRECATED
Linus Torvalds [Thu, 3 Mar 2011 03:58:31 +0000 (19:58 -0800)]
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/davej/cpufreq
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/davej/cpufreq:
[CPUFREQ] p4-clockmod: print EST-capable warning message only once
[CPUFREQ] fix BUG on cpufreq policy init failure
[CPUFREQ] Fix another notifier leak in powernow-k8.
[CPUFREQ] Missing "unregister_cpu_notifier" in powernow-k8.c
Linus Torvalds [Thu, 3 Mar 2011 03:58:14 +0000 (19:58 -0800)]
Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc
* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
powerpc: Fix call to flush_ptrace_hw_breakpoint()
powerpc/kexec: Restore ppc_md.machine_kexec
powerpc/mm: Make hpte_need_flush() safe for preemption
Michael Chan [Wed, 2 Mar 2011 13:00:50 +0000 (13:00 +0000)]
cnic: Fix lost interrupt on bnx2x
We service 2 queues (kcq1 and kcq2) in cnic_service_bnx2x_bh(). If
the status block index has changed when servicing the kcq2, we must
go back and check kcq1. The latest status block index will be used
to acknowledge the interrupt, and without looping back to check kcq1,
we may miss events on kcq1.
Michael Chan [Wed, 2 Mar 2011 13:00:49 +0000 (13:00 +0000)]
cnic: Prevent status block race conditions with hardware
The status block index is used to acknowledge interrupt events and must
be read before checking for the interrupt events, so we need to add rmb()
to guarantee that.
Andres Salomon [Thu, 24 Feb 2011 06:38:22 +0000 (22:38 -0800)]
of/promtree: allow DT device matching by fixing 'name' brokenness (v5)
Commit e2f2a93b, "of/promtree: add package-to-path support to pdt"
changed dp->name from using the 'name' property to using
package-to-path. This fixed /proc/device-tree creation by eliminating
conflicts between names (the 'name' property provides names like
'battery', whereas package-to-path provides names like
'/foo/bar/battery@0', which we stripped to 'battery@0'). However, it
also breaks of_device_id table matching.
The fix that we _really_ wanted was to keep dp->name based upon
the name property ('battery'), but based dp->full_name upon
package-to-path ('battery@0'). This patch does just that.
This changes all users (except SPARC) of promtree to use the full
result from package-to-path for full_name, rather than stripping the
directory out. In practice, the strings end up being exactly the
same; this change saves time, code, and memory.
SPARC continues to use the existing build_path_component() code.
v2: combine two patches and revert of_pdt_node_name to original version
v3: use dp->phandle instead of passing around node
v4: warn/bail out for non-sparc archs if pkg2path is not set
v5: split of_pdt_build_full_name into sparc & non-sparc versions
v6: Pass NULL to pkg2path before buf gets assigned.
Drop check for pkg2path hook on each and every node.
v7: Don't BUG() when unable to get the full_path; create a
known-unique name instead.
Michal Simek [Mon, 14 Feb 2011 10:40:09 +0000 (11:40 +0100)]
of: Add missing of_address.h to xilinx ehci driver
Build log:
In file included from drivers/usb/host/ehci-hcd.c:1208:
drivers/usb/host/ehci-xilinx-of.c: In function 'ehci_hcd_xilinx_of_probe':
drivers/usb/host/ehci-xilinx-of.c:168: error: implicit declaration of function 'of_address_to_resource'
projects / linux.git / log