commit a9a5c1f8a527bd150ce044b8c9acce1c97c557a4 Author: Greg Kroah-Hartman Date: Wed May 26 14:27:20 2010 -0700 Linux 2.6.27.47 commit c0ac27236d86f07e1b24126bd7ee0eeb9008eaaf Author: Junjiro R. Okajima Date: Tue Dec 2 10:31:46 2008 -0800 nfsd: fix vm overcommit crash fix #2 commit 1b79cd04fab80be61dcd2732e2423aafde9a4c1c upstream. The previous patch from Alan Cox ("nfsd: fix vm overcommit crash", commit 731572d39fcd3498702eda4600db4c43d51e0b26) fixed the problem where knfsd crashes on exported shmemfs objects and strict overcommit is set. But the patch forgot supporting the case when CONFIG_SECURITY is disabled. This patch copies a part of his fix which is mainly for detecting a bug earlier. Acked-by: James Morris Signed-off-by: Alan Cox Signed-off-by: Junjiro R. Okajima Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3f955fe683ffdda7fd68e0b61779001cb9b50011 Author: Alan Cox Date: Wed Oct 29 14:01:20 2008 -0700 nfsd: fix vm overcommit crash commit 731572d39fcd3498702eda4600db4c43d51e0b26 upstream. Junjiro R. Okajima reported a problem where knfsd crashes if you are using it to export shmemfs objects and run strict overcommit. In this situation the current->mm based modifier to the overcommit goes through a NULL pointer. We could simply check for NULL and skip the modifier but we've caught other real bugs in the past from mm being NULL here - cases where we did need a valid mm set up (eg the exec bug about a year ago). To preserve the checks and get the logic we want shuffle the checking around and add a new helper to the vm_ security wrappers Also fix a current->mm reference in nommu that should use the passed mm [akpm@linux-foundation.org: coding-style fixes] [akpm@linux-foundation.org: fix build] Reported-by: Junjiro R. Okajima Acked-by: James Morris Signed-off-by: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0ce0dd4ec9890eefb7b656c74bc5256c60626a85 Author: Jean Delvare Date: Fri Feb 5 17:48:13 2010 +0100 i2c-tiny-usb: Fix on big-endian systems commit 1c010ff8912cbc08d80e865aab9c32b6b00c527d upstream. The functionality bit vector is always returned as a little-endian 32-bit number by the device, so it must be byte-swapped to the host endianness. On the other hand, the delay value is handled by the USB stack, so no byte swapping is needed on our side. This fixes bug #15105: http://bugzilla.kernel.org/show_bug.cgi?id=15105 Reported-by: Jens Richter Signed-off-by: Jean Delvare Tested-by: Jens Richter Cc: Till Harbaum Signed-off-by: Greg Kroah-Hartman commit ae3936ed1af0224a2d38d6b6b1ee62fb8f4c3a5c Author: Jean Delvare Date: Sat Mar 13 20:56:53 2010 +0100 i2c-i801: Don't use the block buffer for I2C block writes commit c074c39d62306efa5ba7c69c1a1531bc7333d252 upstream. Experience has shown that the block buffer can only be used for SMBus (not I2C) block transactions, even though the datasheet doesn't mention this limitation. Reported-by: Felix Rubinstein Signed-off-by: Jean Delvare Cc: Oleg Ryjkov Signed-off-by: Greg Kroah-Hartman commit 6dfbed036e8116f31015d33377cba2c156889dd2 Author: Jean Delvare Date: Fri Feb 5 19:58:36 2010 +0100 hwmon: (w83781d) Request I/O ports individually for probing commit b0bcdd3cd0adb85a7686b396ba50493871b1135c upstream. Different motherboards have different PNP declarations for W83781D/W83782D chips. Some declare the whole range of I/O ports (8 ports), some declare only the useful ports (2 ports at offset 5) and some declare fancy ranges, for example 4 ports at offset 4. To properly handle all cases, request all ports individually for probing. After we have determined that we really have a W83781D or W83782D chip, the useful port range will be requested again, as a single block. I did not see a board which needs this yet, but I know of one for lm78 driver and I'd like to keep the logic of these two drivers in sync. Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 60f30297ff9403dec857f23292bc82ecdc5b4a57 Author: Tom Tucker Date: Mon Jan 5 15:21:19 2009 -0600 svc: Clean up deferred requests on transport destruction commit 22945e4a1c7454c97f5d8aee1ef526c83fef3223 upstream. A race between svc_revisit and svc_delete_xprt can result in deferred requests holding references on a transport that can never be recovered because dead transports are not enqueued for subsequent processing. Check for XPT_DEAD in revisit to clean up completing deferrals on a dead transport and sweep a transport's deferred queue to do the same for queued but unprocessed deferrals. Signed-off-by: Tom Tucker Signed-off-by: J. Bruce Fields Cc: roma1390 Signed-off-by: Greg Kroah-Hartman commit ce58c0ab4bcf38482dfc095af0c4ed55a5a88698 Author: Tejun Heo Date: Thu Jan 14 16:18:09 2010 +0900 libata: retry FS IOs even if it has failed with AC_ERR_INVALID commit 534ead709235b967b659947c55d9130873a432c4 upstream. libata currently doesn't retry if a command fails with AC_ERR_INVALID assuming that retrying won't get it any further even if retried. However, a failure may be classified as invalid through hardware glitch (incorrect reading of the error register or firmware bug) and there isn't whole lot to gain by not retrying as actually invalid commands will be failed immediately. Also, commands serving FS IOs are extremely unlikely to be invalid. Retry FS IOs even if it's marked invalid. Transient and incorrect invalid failure was seen while debugging firmware related issue on Samsung n130 on bko#14314. http://bugzilla.kernel.org/show_bug.cgi?id=14314 Signed-off-by: Tejun Heo Reported-by: Johannes Stezenbach Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit bf3d0e3c484815ea68c671a4da71fd2e01cc1ac6 Author: Jeff Garzik Date: Thu Apr 22 21:59:13 2010 -0400 libata: ensure NCQ error result taskfile is fully initialized before returning it via qc->result_tf. commit a09bf4cd53b8ab000197ef81f15d50f29ecf973c upstream. Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit ba1531fcc11249827750298495c27e34f869b629 Author: Jean Delvare Date: Tue May 4 11:09:28 2010 +0200 i2c: Fix probing of FSC hardware monitoring chips commit b1d4b390ea4bb480e65974ce522a04022608a8df upstream. Some FSC hardware monitoring chips (Syleus at least) doesn't like quick writes we typically use to probe for I2C chips. Use a regular byte read instead for the address they live at (0x73). These are the only known chips living at this address on PC systems. For clarity, this fix should not be needed for kernels 2.6.30 and later, as we started instantiating the hwmon devices explicitly based on DMI data. Still, this fix is valuable in the following two cases: * Support for recent FSC chips on older kernels. The DMI-based device instantiation is more difficult to backport than the device support itself. * Case where the DMI-based device instantiation fails, whatever the reason. We fall back to probing in that case, so it should work. This fixes kernel bug #15634: https://bugzilla.kernel.org/show_bug.cgi?id=15634 Signed-off-by: Jean Delvare Acked-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman commit e3f8d35996e73d5192c33ce5e6f11b4770a7062d Author: Chuck Lever Date: Thu Apr 22 15:35:56 2010 -0400 NFS: rsize and wsize settings ignored on v4 mounts commit 356e76b855bdbfd8d1c5e75bcf0c6bf0dfe83496 upstream. NFSv4 mounts ignore the rsize and wsize mount options, and always use the default transfer size for both. This seems to be because all NFSv4 mounts are now cloned, and the cloning logic doesn't copy the rsize and wsize settings from the parent nfs_server. I tested Fedora's 2.6.32.11-99 and it seems to have this problem as well, so I'm guessing that .33, .32, and perhaps older kernels have this issue as well. Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 5ea176dcda8200cce3ca9e208fba5ab49ebb786d Author: Al Viro Date: Thu Apr 29 03:10:43 2010 +0100 nfs d_revalidate() is too trigger-happy with d_drop() commit d9e80b7de91db05c1c4d2e5ebbfd70b3b3ba0e0f upstream. If dentry found stale happens to be a root of disconnected tree, we can't d_drop() it; its d_hash is actually part of s_anon and d_drop() would simply hide it from shrink_dcache_for_umount(), leading to all sorts of fun, including busy inodes on umount and oopsen after that. Bug had been there since at least 2006 (commit c636eb already has it), so it's definitely -stable fodder. Signed-off-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d130b918879aa06a82cfac3bec5ec88e79a05f30 Author: Dan Carpenter Date: Thu Apr 22 12:00:52 2010 +0200 USB: fix testing the wrong variable in fs_create_by_name() commit fa7fe7af146a7b613e36a311eefbbfb5555325d1 upstream. There is a typo here. We should be testing "*dentry" which was just assigned instead of "dentry". This could result in dereferencing an ERR_PTR inside either usbfs_mkdir() or usbfs_create(). Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman commit dc116e1abdbfe4afc934e62c42f1963806469e6b Author: Neil Brown Date: Tue Apr 20 12:16:52 2010 +1000 nfsd4: bug in read_buf commit 2bc3c1179c781b359d4f2f3439cb3df72afc17fc upstream. When read_buf is called to move over to the next page in the pagelist of an NFSv4 request, it sets argp->end to essentially a random number, certainly not an address within the page which argp->p now points to. So subsequent calls to READ_BUF will think there is much more than a page of spare space (the cast to u32 ensures an unsigned comparison) so we can expect to fall off the end of the second page. We never encountered thsi in testing because typically the only operations which use more than two pages are write-like operations, which have their own decoding logic. Something like a getattr after a write may cross a page boundary, but it would be very unusual for it to cross another boundary after that. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 843447c62b771a9ad12f0e7f4a791804b4cc99f5 Author: Suresh Siddha Date: Thu Apr 22 11:47:51 2010 +0200 clockevent: Prevent dead lock on clockevents_lock This is a merge of two mainline commits, intended for stable@kernel.org submission for 2.6.27 kernel. commit f833bab87fca5c3ce13778421b1365845843b976 and commit 918aae42aa9b611a3663b16ae849fdedc67c2292 Changelog of both: Currently clockevents_notify() is called with interrupts enabled at some places and interrupts disabled at some other places. This results in a deadlock in this scenario. cpu A holds clockevents_lock in clockevents_notify() with irqs enabled cpu B waits for clockevents_lock in clockevents_notify() with irqs disabled cpu C doing set_mtrr() which will try to rendezvous of all the cpus. This will result in C and A come to the rendezvous point and waiting for B. B is stuck forever waiting for the spinlock and thus not reaching the rendezvous point. Fix the clockevents code so that clockevents_lock is taken with interrupts disabled and thus avoid the above deadlock. Also call lapic_timer_propagate_broadcast() on the destination cpu so that we avoid calling smp_call_function() in the clockevents notifier chain. This issue left us wondering if we need to change the MTRR rendezvous logic to use stop machine logic (instead of smp_call_function) or add a check in spinlock debug code to see if there are other spinlocks which gets taken under both interrupts enabled/disabled conditions. Signed-off-by: Suresh Siddha Cc: "Brown Len" Cc: stable@kernel.org LKML-Reference: <1250544899.2709.210.camel@sbs-t61.sc.intel.com> Signed-off-by: Thomas Gleixner I got following warning on ia64 box: In function 'acpi_processor_power_verify': 642: warning: passing argument 2 of 'smp_call_function_single' from incompatible pointer type This smp_call_function_single() was introduced by a commit f833bab87fca5c3ce13778421b1365845843b976: The problem is that the lapic_timer_propagate_broadcast() has 2 versions: One is real code that modified in the above commit, and the other is NOP code that used when !ARCH_APICTIMER_STOPS_ON_C3: static void lapic_timer_propagate_broadcast(struct acpi_processor *pr) { } So I got warning because of !ARCH_APICTIMER_STOPS_ON_C3. We really want to do nothing here on !ARCH_APICTIMER_STOPS_ON_C3, so modify lapic_timer_propagate_broadcast() of real version to use smp_call_function_single() in it. Signed-off-by: Hidetoshi Seto Acked-by: Suresh Siddha Signed-off-by: Len Brown Signed-off-by: Thomas Renninger Signed-off-by: Greg Kroah-Hartman commit 0851f4563b9e0770d4b3c071e605cb5e150c6ed3 Author: Wang Sheng-Hui Date: Tue Apr 13 21:04:10 2010 +0800 trace: Fix inappropriate substraction on tracing_pages_allocated in trace_free_page() [No matching upstream git commit id as it was fixed differently due to a rewrite of the tracing code there.] For normal case, the code in trace_free_page() do once more substraction on tracing_pages_allocated, but for CONFIG_TRACER_MAX_TRACE  it doesn't take the freed page into account. That's not consistent with trace_alloc_page(). Well, for there are no message related with this, so we cannot observe its incorrect state when the kernel doesn't define "CONFIG_TRACER_MAX_TRACE". If you add some pr_info() as trace_alloc_page(), you may notice it. Cc: Steven Rostedt Cc: Frederic Weisbecker Cc: Ingo Molnar Cc: Li Zefan Signed-off-by: Wang Sheng-Hui Signed-off-by: Greg Kroah-Hartman commit 4531e534fec25888d8645ef9b2ecf6146e96c2a7 Author: Tomas Henzl Date: Thu Feb 11 18:01:50 2010 +0100 megaraid_sas: fix for 32bit apps commit b3dc1a212e5167984616445990c76056034f8eeb upstream. It looks like this patch - commit 7b2519afa1abd1b9f63aa1e90879307842422dae Author: Yang, Bo Date: Tue Oct 6 14:52:20 2009 -0600 [SCSI] megaraid_sas: fix 64 bit sense pointer truncation has caused a problem for 32bit programs with 64bit os - http://bugzilla.kernel.org/show_bug.cgi?id=15001 fix by converting the user space 32bit pointer to a 64 bit one when needed. [jejb: fix up some 64 bit warnings] Signed-off-by: Tomas Henzl Cc: Bo Yang Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 1ae9213b109c56470b79df5af1e36e780916eb57 Author: Oleg Nesterov Date: Fri Apr 2 18:05:12 2010 +0200 tty: release_one_tty() forgets to put pids commit 6da8d866d0d39e9509ff826660f6a86a6757c966 upstream. release_one_tty(tty) can be called when tty still has a reference to pgrp/session. In this case we leak the pid. Signed-off-by: Oleg Nesterov Reported-by: Catalin Marinas Reported-and-tested-by: Tetsuo Handa Acked-by: Linus Torvalds Acked-by: Eric W. Biederman Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c18cb57f81d42eb408fa7f0fb15b9f4f3f9998fb Author: Aneesh Kumar K.V Date: Mon Mar 15 20:26:02 2010 -0400 vfs: Remove the range_cont writeback mode. commit 74baaaaec8b4f22e1ae279f5ecca4ff705b28912 upstream. Ext4 was the only user of range_cont writeback mode and ext4 switched to a different method. So remove the range_cont mode which is not used in the kernel. Signed-off-by: Aneesh Kumar K.V Signed-off-by: "Theodore Ts'o" CC: linux-fsdevel@vger.kernel.org Signed-off-by: Jayson R. King Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit c5b9b87a471f1226978d2dcca15e5fd72ac07af5 Author: Aneesh Kumar K.V Date: Mon Mar 15 20:26:01 2010 -0400 ext4: Use tag dirty lookup during mpage_da_submit_io commit af6f029d3836eb7264cd3fbb13a6baf0e5fdb5ea upstream. This enables us to drop the range_cont writeback mode use from ext4_da_writepages. Signed-off-by: Aneesh Kumar K.V Signed-off-by: Jayson R. King Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit df104d2bff4a2d6cf32c29aa599c79d8009fe1a7 Author: Aneesh Kumar K.V Date: Mon Mar 15 20:26:00 2010 -0400 ext4: Retry block allocation if we have free blocks left commit df22291ff0fde0d350cf15dac3e5cc33ac528875 upstream. When we truncate files, the meta-data blocks released are not reused untill we commit the truncate transaction. That means delayed get_block request will return ENOSPC even if we have free blocks left. Force a journal commit and retry block allocation if we get ENOSPC with free blocks left. Signed-off-by: Aneesh Kumar K.V Signed-off-by: Mingming Cao Signed-off-by: "Theodore Ts'o" Signed-off-by: Jayson R. King Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit 8afab7e6fc2a9cedba2d0d3663046c140ef6d60b Author: Aneesh Kumar K.V Date: Mon Mar 15 20:25:59 2010 -0400 ext4: Retry block reservation commit 030ba6bc67b4f2bc5cd174f57785a1745c929abe upstream. During block reservation if we don't have enough blocks left, retry block reservation with smaller block counts. This makes sure we try fallocate and DIO with smaller request size and don't fail early. The delayed allocation reservation cannot try with smaller block count. So retry block reservation to handle temporary disk full conditions. Also print free blocks details if we fail block allocation during writepages. Signed-off-by: Aneesh Kumar K.V Signed-off-by: Mingming Cao Signed-off-by: "Theodore Ts'o" Signed-off-by: Jayson R. King Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit afb4e5de9ec8ca49e2f4a043117b39dbb94d6227 Author: Aneesh Kumar K.V Date: Mon Mar 15 20:25:58 2010 -0400 ext4: Add percpu dirty block accounting. commit 6bc6e63fcd7dac9e633ea29f1fddd9580ab28f3f upstream. This patch adds dirty block accounting using percpu_counters. Delayed allocation block reservation is now done by updating dirty block counter. In a later patch we switch to non delalloc mode if the filesystem free blocks is greater than 150% of total filesystem dirty blocks Signed-off-by: Aneesh Kumar K.V Signed-off-by: Mingming Cao Signed-off-by: "Theodore Ts'o" Signed-off-by: Jayson R. King Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit 05b6ea26438ab615144075c14a484d0d7940934f Author: Aneesh Kumar K.V Date: Mon Mar 15 20:25:57 2010 -0400 ext4: Make sure all the block allocation paths reserve blocks commit a30d542a0035b886ffaafd0057ced0a2b28c3a4f upstream. With delayed allocation we need to make sure block are reserved before we attempt to allocate them. Otherwise we get block allocation failure (ENOSPC) during writepages which cannot be handled. This would mean silent data loss (We do a printk stating data will be lost). This patch updates the DIO and fallocate code path to do block reservation before block allocation. This is needed to make sure parallel DIO and fallocate request doesn't take block out of delayed reserve space. When free blocks count go below a threshold we switch to a slow patch which looks at other CPU's accumulated percpu counter values. Signed-off-by: Aneesh Kumar K.V Signed-off-by: "Theodore Ts'o" Signed-off-by: Jayson R. King Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit ac6016e3a8c7967cf8e3fe9102a9b87d7092b4bf Author: Mingming Cao Date: Mon Mar 15 20:25:56 2010 -0400 percpu counter: clean up percpu_counter_sum_and_set() commit 1f7c14c62ce63805f9574664a6c6de3633d4a354 upstream. percpu_counter_sum_and_set() and percpu_counter_sum() is the same except the former updates the global counter after accounting. Since we are taking the fbc->lock to calculate the precise value of the counter in percpu_counter_sum() anyway, it should simply set fbc->count too, as the percpu_counter_sum_and_set() does. This patch merges these two interfaces into one. Signed-off-by: Mingming Cao Acked-by: Peter Zijlstra Cc: Signed-off-by: Andrew Morton Signed-off-by: "Theodore Ts'o" Signed-off-by: Jayson R. King Signed-off-by: Theodore Ts'o commit ee39e52e834ebfd523980bd518943ae4ca340868 Author: Aneesh Kumar K.V Date: Mon Mar 15 20:25:55 2010 -0400 ext4: invalidate pages if delalloc block allocation fails. commit c4a0c46ec92c194c873232b88debce4e1a448483 upstream. We are a bit agressive in invalidating all the pages. But it is ok because we really don't know why the block allocation failed and it is better to come of the writeback path so that user can look for more info. Signed-off-by: Aneesh Kumar K.V Signed-off-by: Jayson R. King Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit 8a63de3a1462918dcba19f19ba0304284654a193 Author: Dan Carpenter Date: Tue Apr 6 19:31:26 2010 +0300 ALSA: mixart: range checking proc file commit b0cc58a25d04160d39a80e436847eaa2fbc5aa09 upstream. The original code doesn't take into consideration that the value of MIXART_BA0_SIZE - pos can be less than zero which would lead to a large unsigned value for "count". Also I moved the check that read size is a multiple of 4 bytes below the code that adjusts "count". Signed-off-by: Dan Carpenter Acked-by: Linus Torvalds Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman