commit cdf71a10c7b6432d9b48e292cca2c62a0b9fa6cf Author: Thomas Gleixner Date: Tue Jan 8 19:47:38 2008 +0100 futex: Prevent stale futex owner when interrupted/timeout Roland Westrelin did a great analysis of a long standing thinko in the return path of futex_lock_pi. While we fixed the lock steal case long ago, which was easy to trigger, we never had a test case which exposed this problem and stupidly never thought about the reverse lock stealing scenario and the return to user space with a stale state. When a blocked tasks returns from rt_mutex_timed_locked without holding the rt_mutex (due to a signal or timeout) and at the same time the task holding the futex is releasing the futex and assigning the ownership of the futex to the returning task, then it might happen that a third task acquires the rt_mutex before the final rt_mutex_trylock() of the returning task happens under the futex hash bucket lock. The returning task returns to user space with ETIMEOUT or EINTR, but the user space futex value is assigned to this task. The task which acquired the rt_mutex fixes the user space futex value right after the hash bucket lock has been released by the returning task, but for a short period of time the user space value is wrong. Detailed description is available at: https://bugzilla.redhat.com/show_bug.cgi?id=400541 The fix for this is the same as we do when the rt_mutex was acquired by a higher priority task via lock stealing from the designated new owner. In that case we already fix the user space value and the internal pi_state up before we return. This mechanism can be used to fixup the above corner case as well. When the returning task, which failed to acquire the rt_mutex, notices that it is the designated owner of the futex, then it fixes up the stale user space value and the pi_state, before returning to user space. This happens with the futex hash bucket lock held, so the task which acquired the rt_mutex is guaranteed to be blocked on the hash bucket lock. We can access the rt_mutex owner, which gives us the pid of the new owner, safely here as the owner is not able to modify (release) it while waiting on the hash bucket lock. Rename the "curr" argument of fixup_pi_state_owner() to "newowner" to avoid confusion with current and add the check for the stale state into the failure path of rt_mutex_trylock() in the return path of unlock_futex_pi(). If the situation is detected use fixup_pi_state_owner() to assign everything to the owner of the rt_mutex. Pointed-out-and-tested-by: Roland Westrelin Signed-off-by: Ingo Molnar Signed-off-by: Thomas Gleixner Signed-off-by: Linus Torvalds commit bf5e5834bffc62b50cd4a201804506eb11ef1af8 Author: Alan Cox Date: Tue Jan 8 14:55:51 2008 +0000 pl2303: Fix mode switching regression Cleaning out all the incorrect 'no change made' checks for termios settings showed up a problem with the PL2303. The hardware here seems to lose sync and bits if you tell it to make no changes. This shows up with a real world application. To fix this the driver check for meaningful hardware changes is restored but doing the tests correctly and as a tty layer function so it doesn't get duplicated wrongly everywhere if other drivers turn out to need it. Signed-off-by: Alan Cox Tested-by: Mirko Parthey Signed-off-by: Linus Torvalds commit cf0594625083111ae522496dc1c256f7476939c2 Author: Eric Sandeen Date: Tue Jan 8 15:33:20 2008 -0800 hfs: handle more on-disk corruptions without oopsing hfs seems prone to bad things when it encounters on disk corruption. Many values are read from disk, and used as lengths to memcpy, as an example. This patch fixes up several of these problematic cases. o sanity check the on-disk maximum key lengths on mount (these are set to a defined value at mkfs time and shouldn't differ) o check on-disk node keylens against the maximum key length for each tree o fix hfs_btree_open so that going out via free_tree: doesn't wind up in hfs_releasepage, which wants to follow the very pointer we were trying to set up: HFS_SB(sb)->cat_tree = hfs_btree_open() ... failure gets to hfs_releasepage and tries to follow HFS_SB(sb)->cat_tree Tested with the fsfuzzer; it survives more than it used to. Signed-off-by: Eric Sandeen Cc: Roman Zippel Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 467bc461d2845f6a04b124bca1ae6ecc554e1ee5 Author: Thomas Bogendoerfer Date: Tue Jan 8 15:33:11 2008 -0800 Fix crash with FLAT_MEMORY and ARCH_PFN_OFFSET != 0 When using FLAT_MEMORY and ARCH_PFN_OFFSET is not 0, the kernel crashes in memmap_init_zone(). This bug got introduced by commit c713216deebd95d2b0ab38fef8bb2361c0180c2d Signed-off-by: Thomas Bogendoerfer Acked-by: Mel Gorman Cc: Bob Picco Cc: Dave Hansen Cc: Andy Whitcroft Cc: Andi Kleen Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: "Keith Mannthey" Cc: "Luck, Tony" Cc: KAMEZAWA Hiroyuki Cc: Yasunori Goto Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22a860a9e22fa077300e1e72170afb82bf695617 Author: Jean Delvare Date: Tue Jan 8 15:33:10 2008 -0800 snd_mixer_oss_build_input(): fix for __you_cannot_kmalloc_that_much failure with gcc-3.2 Rework this functions so that gcc-3.2 can successfully perform constant-folding. Signed-off-by: Jean Delvare Cc: Jaroslav Kysela Cc: Takashi Iwai Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit ce8c628abadaf16a44953301c68b9f54cf6898cc Author: Jean Delvare Date: Tue Jan 8 15:33:08 2008 -0800 dmi-id: fix for __you_cannot_kmalloc_that_much failure gcc 3.2 has a hard time coping with the code in dmi_id_init(): drivers/built-in.o(.init.text+0x789e): In function `dmi_id_init': : undefined reference to `__you_cannot_kmalloc_that_much' make: *** [.tmp_vmlinux1] Error 1 Moving half of the code to a separate function seems to help. This is a no-op for gcc 4.1 which will successfully inline the code anyway. Signed-off-by: Jean Delvare Cc: Dave Airlie Tested-by: Kamalesh Babulal Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 83a08e7c6ed533a47631794e7f618a98094b4129 Author: Ken'ichi Ohmichi Date: Tue Jan 8 15:33:05 2008 -0800 vmcoreinfo: add the array length of "free_list" for filtering free pages This patch adds the array length of "free_area.free_list" to the vmcoreinfo data so that makedumpfile (dump filtering command) can exclude all free pages in linux-2.6.24. makedumpfile creates a small dumpfile by excluding unnecessary pages for the analysis. To distinguish unnecessary pages, makedumpfile gets the vmcoreinfo data which has the minimum debugging information only for dump filtering. In 2.6.24-rc1 or later, the free_area.free_list is an array which has one list for each migrate types instead of a single list. makedumpfile needs the array length of "free_area.free_list" and the vmcoreinfo data should contain it. Signed-off-by: Huang Ying Tested-by: Ken'ichi Ohmichi Acked-by: Simon Horman Cc: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit caeeeecfdaeada2998eb3c29c3ebd59afb79ef06 Author: Michael Halcrow Date: Tue Jan 8 15:33:02 2008 -0800 eCryptfs: fix dentry handling on create error, unlink, and inode destroy This patch corrects some erroneous dentry handling in eCryptfs. If there is a problem creating the lower file, then there is nothing that the persistent lower file can do to really help us. This patch makes a vfs_create() failure in the lower filesystem always lead to an unconditional do_create failure in eCryptfs. Under certain sequences of operations, the eCryptfs dentry can remain in the dcache after an unlink. This patch calls d_drop() on the eCryptfs dentry to correct this. eCryptfs has no business calling d_delete() directly on a lower filesystem's dentry. This patch removes the call to d_delete() on the lower persistent file's dentry in ecryptfs_destroy_inode(). (Thanks to David Kleikamp, Eric Sandeen, and Jeff Moyer for helping identify and resolve this issue) Signed-off-by: Michael Halcrow Cc: Dave Kleikamp Cc: Eric Sandeen Cc: Jeff Moyer Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit c51b1a160b63304720d49479986915e4c475a2cf Author: Akinobu Mita Date: Tue Jan 8 15:32:57 2008 -0800 xip: fix get_zeroed_page with __GFP_HIGHMEM The use of get_zeroed_page() with __GFP_HIGHMEM is invalid. Use alloc_page() with __GFP_ZERO instead of invalid get_zeroed_page(). (This patch is only compile tested) Cc: Carsten Otte Signed-off-by: Akinobu Mita Acked-by: Hugh Dickins Acked-by: Carsten Otte Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0f94e87cdeaaac9f0f9a28a5dd2a5070b87cd3e8 Author: Dan Williams Date: Tue Jan 8 15:32:53 2008 -0800 md: fix data corruption when a degraded raid5 array is reshaped We currently do not wait for the block from the missing device to be computed from parity before copying data to the new stripe layout. The change in the raid6 code is not techincally needed as we don't delay data block recovery in the same way for raid6 yet. But making the change now is safer long-term. This bug exists in 2.6.23 and 2.6.24-rc Cc: Signed-off-by: Dan Williams Acked-by: Neil Brown Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 5b7741b3325d0d94c88b2ad46657a536890aaa2f Author: Sebastian Siewior Date: Tue Jan 8 15:32:47 2008 -0800 KEYS: fix macro Commit 664cceb0093b755739e56572b836a99104ee8a75 changed the parameters of the function make_key_ref(). The macros that are used in case CONFIG_KEY is not defined did not change. Cc: David Howells Signed-off-by: Sebastian Siewior Acked-by: David Howells Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 9f966be8996f2829406324c68e4c67c2d64d864b Author: OGAWA Hirofumi Date: Tue Jan 8 15:32:41 2008 -0800 fat: optimize fat_count_free_clusters() On large partition, scanning the free clusters is very slow if users doesn't use "usefree" option. For optimizing it, this patch uses sb_breadahead() to read of FAT sectors. On some user's 15GB partition, this patch improved it very much (1min => 600ms). The following is the result of 2GB partition on my machine. without patch: root@devron (/)# time df -h > /dev/null real 0m1.202s user 0m0.000s sys 0m0.440s with patch: root@devron (/)# time df -h > /dev/null real 0m0.378s user 0m0.012s sys 0m0.168s Signed-off-by: OGAWA Hirofumi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit d52df2e2ea2d881b1439bbdec7f67c27e0f47941 Author: David Brownell Date: Tue Jan 8 15:32:40 2008 -0800 spi_bitbang: always grab lock with irqs blocked Fix a glitch reported by lockdep in the spi_bitbang code: it needs to consistently block IRQs when holding that spinlock. Signed-off-by: David Brownell Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit a2b484a29cc9f565b013c0e7f1e0cc22dec12456 Author: Thomas Gleixner Date: Wed Jan 9 00:18:28 2008 +0100 x86: fix do_fork_idle section mismatch With CPU_HOTPLUG=n: WARNING: vmlinux.o(.text+0x104f8): Section mismatch: reference to .init.text:fork_idle (between 'do_fork_idle' and 'lapic_timer_broadcast') do_fork_idle() needs to be __cpuinit. It can be static as well. Signed-off-by: Thomas Gleixner Signed-off-by: Ingo Molnar Signed-off-by: Linus Torvalds commit 165e4694dade7224f23785f9c3a89f3e9c3a9c14 Merge: d238998... ad69698... Author: Linus Torvalds Date: Tue Jan 8 12:29:52 2008 -0800 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband: IB/srp: Release transport before removing host IB/mlx4: Fix value of pkey_index in QP1 completions MAINTAINERS: Update Sean Hefty's email address commit ad696989b4a2fce8494964814376aef41da3ff55 Author: Dave Dillow Date: Thu Jan 3 22:35:41 2008 -0500 IB/srp: Release transport before removing host The documented call sequence for removing a host is to call the transport xxx_remove_host() prior to scsi_remove_host(). The SRP transport used to crash when that order was followed, but as it is now fixed, use the documented order. Signed-off-by: David Dillow Acked-by: FUJITA Tomonori Signed-off-by: Roland Dreier commit e1bb7843e4c25e6e331890a2ca512581e844bbaa Author: Dotan Barak Date: Mon Jan 7 09:01:25 2008 +0200 IB/mlx4: Fix value of pkey_index in QP1 completions Fix the value of pkey_index in completions to get a valid value for GSI QPs. Without this fix, incoming GSI packets on port 2 get an invalid P_Key index in the completion, which prevents the MAD layer from sending back a response, which can make the second port of ConnectX HCAs completely useless. Signed-off-by: Dotan Barak Signed-off-by: Roland Dreier commit d238998fbfa49f30b02f0a5de5294ca53c58348c Author: Linus Torvalds Date: Tue Jan 8 11:46:37 2008 -0800 Revert "hda_intel suspend latency: shorten codec read" This reverts commit 57a04513cb35086d54bcb2cb92e6627fc8fa0fae. Harald Dunkel reports that it broke sound for him: "Alsa stopped working for me. I still can access /dev/dsp, change the volume and so on, but the speakers are quiet." Reverting it fixed things for him. Reported-and-tested-by: Harald Dunkel Acked-by: Takashi Iwai Acked-by: Ingo Molnar Signed-off-by: Linus Torvalds commit ed96f2470bf5d315770dc199f0250c1b8d3c2f3c Author: Sean Hefty Date: Wed Jan 2 12:00:24 2008 -0800 MAINTAINERS: Update Sean Hefty's email address My Unix email account is being discontinued at end of Q1 '08. Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit b59f8197c5ddd0d5d74b663650be5449dacd34aa Author: Roland McGrath Date: Mon Jan 7 14:23:34 2008 -0800 acct: real_parent ppid The ac_ppid field reported in process accounting records should match what getppid() would have returned to that process, regardless of whether a debugger is attached. Signed-off-by: Roland McGrath Signed-off-by: Linus Torvalds commit 45626bb26a6ecd163e5eeddd14a6137052ec4495 Author: Roland McGrath Date: Mon Jan 7 14:22:44 2008 -0800 core dump: real_parent ppid The pr_ppid field reported in core dumps should match what getppid() would have returned to that process, regardless of whether a debugger is attached. Signed-off-by: Roland McGrath Signed-off-by: Linus Torvalds commit e4c6d3c6b14bd20fb8087acd51b29ee54a66ef77 Merge: 89a30a8... ba820c5... Author: Linus Torvalds Date: Mon Jan 7 13:31:03 2008 -0800 Merge branch 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus * 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus: [MIPS] Fix CONFIG_BOOT_RAW. [MIPS] Assume R4000/R4400 newer than 3.0 don't have the mfc0 count bug [MIPS] Fix IP32 breakage [MIPS] Alchemy: Fix use of __init code bug exposed by modpost warning [MIPS] Move inclusing of kernel/time/Kconfig menu to appropriate place commit 89a30a8388c9592579f237bc06988808f2c454d4 Merge: 2b300d2... 89dab35... Author: Linus Torvalds Date: Mon Jan 7 13:29:39 2008 -0800 Merge git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/v4l-dvb * git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/v4l-dvb: V4L/DVB (6916): ivtv: udelay has to be changed *after* the eeprom was read, not before V4L/DVB (6944a): Fix Regression VIDIOCGMBUF ioctl hangs on bttv driver commit ba820c5c51296343be202c9afb072b7b943099cb Author: Ralf Baechle Date: Mon Jan 7 15:09:50 2008 +0000 [MIPS] Fix CONFIG_BOOT_RAW. This was broken by 017e3a492683b32d17dcd1b13b279745cc656073 (lmo) / 396a2ae08e5080b140330645743ab2567f6bc426 (kernel.org). Signed-off-by: Ralf Baechle commit ce202cbb9e0b623671e8ecb3d53afdd42b8e458f Author: Thomas Bogendoerfer Date: Fri Jan 4 23:38:31 2008 +0100 [MIPS] Assume R4000/R4400 newer than 3.0 don't have the mfc0 count bug This seems as reasonable assumption and gets some SNI machines to work which currently must rely on the cp0 counter as clocksource. Signed-off-by: Thomas Bogendoerfer Signed-off-by: Ralf Baechle commit c990081bf87bf5afcd6d39d8bfce9c6d60b1f2eb Author: Thomas Bogendoerfer Date: Sat Jan 5 12:13:11 2008 +0100 [MIPS] Fix IP32 breakage - suppress master aborts during config read - set io_map_base - only fixup end of iomem resource to avoid failing request_resource in serial driver - killed useless setting of crime_int bit, which caused wrong interrupts - use physcial address for serial port platform device and let 8250 driver do the ioremap Signed-off-by: Thomas Bogendoerfer Signed-off-by: Ralf Baechle commit 9cfacb790f581000a7ec8455785d131aca923ded Author: Sergei Shtylyov Date: Tue Dec 25 21:00:45 2007 +0300 [MIPS] Alchemy: Fix use of __init code bug exposed by modpost warning WARNING: vmlinux.o(.text+0x1ca608): Section mismatch: reference to .init.text: add_wired_entry (between 'config_access' and 'config_read') by refactoring the code calling add_wired_entry() from config_access() to a separate function which is called from aau1x_pci_setup(). While at it: - make some unnecassarily global variables 'static'; - fix the letter case, whitespace, etc. in the comments... Signed-off-by: Sergei Shtylyov Signed-off-by: Ralf Baechle commit c4eee283e004751143fb81dbf4f8cfe7b8dcc970 Author: Atsushi Nemoto Date: Mon Nov 12 01:05:16 2007 +0900 [MIPS] Move inclusing of kernel/time/Kconfig menu to appropriate place CONFIG_NO_HZ, CONFIG_HIGH_RES_TIMERS should be selected in "Kernel type" menu, not in "CPU selection" menu. Signed-off-by: Atsushi Nemoto Signed-off-by: Ralf Baechle commit 89dab3573aa1d95fd222ee4551f964bfa4c16823 Author: Hans Verkuil Date: Mon Jan 7 06:46:26 2008 -0200 V4L/DVB (6916): ivtv: udelay has to be changed *after* the eeprom was read, not before The eeprom decides which Hauppauge model it is, so the decision whether to use an udelay of 5 or 10 needs to be taken after reading the eeprom, not before. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab commit d9030f573031244dcffee026cc5e7e2f96f972ce Author: Gregor Jasny Date: Sun Jan 6 11:15:54 2008 -0300 V4L/DVB (6944a): Fix Regression VIDIOCGMBUF ioctl hangs on bttv driver Fix bttv VIDIOCGMBUF locking like done in commit 820eacd84cff23b76693f4be1e28feb672f4488f. Signed-off-by: Gregor Jasny Signed-off-by: Mauro Carvalho Chehab commit 2b300d204738a70fa62c38583905a6989b3cedcd Merge: 3ce5445... 430cb43... Author: Linus Torvalds Date: Sun Jan 6 14:35:19 2008 -0800 Merge master.kernel.org:/home/rmk/linux-2.6-arm * master.kernel.org:/home/rmk/linux-2.6-arm: [ARM] 4691/1: add missing i2c_board_info struct for at91rm9200 [ARM] 4735/1: Unbreak pxa25x suspend/resume commit 430cb436103ce1b58cb80e7c3d44f4d4a8110caa Author: Jan Altenberg Date: Mon Dec 10 10:06:40 2007 +0100 [ARM] 4691/1: add missing i2c_board_info struct for at91rm9200 - Add missing i2c_board_info struct for at91rm9200 Signed-off-by: Jan Altenberg Acked-by: Andrew Victor Signed-off-by: Russell King commit 56b11288cb92104d3589930efdc7d0f50b8f4328 Author: Richard Purdie Date: Wed Jan 2 00:54:49 2008 +0100 [ARM] 4735/1: Unbreak pxa25x suspend/resume Suspend/resume on the pxa25x was fairly obviously broken in revision 711be5ccfe9a02ba560aa918a008c31ea4760163. This patch fixes the damage by adding back the missing code. Signed-off-by: Richard Purdie Acked-by: Eric Miao Signed-off-by: Russell King