commit 62786b9e81a2dbe9c073a2ade52d33a2627d6d85 Merge: 27f4837... 03fa9e8... Author: Linus Torvalds Date: Mon Jun 23 16:25:11 2008 -0700 Merge branch 'hotfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6 * 'hotfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6: NFS: nfs_updatepage(): don't mark page as dirty if an error occurred NFS: Fix filehandle size comparisons in the mount code NFS: Reduce the NFS mount code stack usage. commit 03fa9e84e5dc10aeacb0e4eb2f708cd9fc36a5b8 Author: Trond Myklebust Date: Thu Jun 5 16:02:35 2008 -0400 NFS: nfs_updatepage(): don't mark page as dirty if an error occurred Signed-off-by: Trond Myklebust commit b7e2445737ff69cef892b6fd9cd71cae2c9e9515 Author: Trond Myklebust Date: Thu Jun 19 15:21:11 2008 -0400 NFS: Fix filehandle size comparisons in the mount code Fix a sign issue in xdr_decode_fhstatus3() Fix incorrect comparison in nfs_validate_mount_data() Signed-off-by: Trond Myklebust commit 33852a1f2bb014e4047a844556c0d76a2f790c37 Author: Trond Myklebust Date: Thu Jun 19 14:20:11 2008 -0400 NFS: Reduce the NFS mount code stack usage. This appears to fix the Oops reported in http://bugzilla.kernel.org/show_bug.cgi?id=10826 Signed-off-by: Trond Myklebust commit 27f4837cbfd87126e733d098824544b6841a4eb8 Merge: 0e05373... 1b7558e... Author: Linus Torvalds Date: Mon Jun 23 12:49:22 2008 -0700 Merge branch 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: futexes: fix fault handling in futex_lock_pi commit 0e053738b50836e9d1e94b2295ef2942eb471078 Merge: ee5c2ab... 198bb97... Author: Linus Torvalds Date: Mon Jun 23 12:48:50 2008 -0700 Merge branch 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: sched: refactor wait_for_completion_timeout() sched: fix wait_for_completion_timeout() spurious failure under heavy load sched: rt: dont stop the period timer when there are tasks wanting to run commit ee5c2ab09b79d3aba3515a3eae7c5cf1e2cbc569 Merge: f6837bf... ebb9cfe... Author: Linus Torvalds Date: Mon Jun 23 12:48:17 2008 -0700 Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: xen: don't drop NX bit xen: mask unwanted pte bits in __supported_pte_mask xen: Use wmb instead of rmb in xen_evtchn_do_upcall(). x86: fix NULL pointer deref in __switch_to commit f6837bfa6506892e889ec79d8ab29931b4468826 Merge: 8dca7ff... 87afd44... Author: Linus Torvalds Date: Mon Jun 23 12:45:49 2008 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband: IB/mthca: Clear ICM pages before handing to FW commit 8dca7ffe2cdbcf8a2f188c8230044c3225b70418 Merge: 945754a... 3e14b50... Author: Linus Torvalds Date: Mon Jun 23 12:18:06 2008 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6: ALSA: sb - Fix wrong assertions ALSA: aw2 - Fix Oops at initialization commit 945754a1754f9d4c2974a8241ad4f92fad7f3a6a Author: Nick Piggin Date: Mon Jun 23 14:30:30 2008 +0200 mm: fix race in COW logic There is a race in the COW logic. It contains a shortcut to avoid the COW and reuse the page if we have the sole reference on the page, however it is possible to have two racing do_wp_page()ers with one causing the other to mistakenly believe it is safe to take the shortcut when it is not. This could lead to data corruption. Process 1 and process2 each have a wp pte of the same anon page (ie. one forked the other). The page's mapcount is 2. Then they both attempt to write to it around the same time... proc1 proc2 thr1 proc2 thr2 CPU0 CPU1 CPU3 do_wp_page() do_wp_page() trylock_page() can_share_swap_page() load page mapcount (==2) reuse = 0 pte unlock copy page to new_page pte lock page_remove_rmap(page); trylock_page() can_share_swap_page() load page mapcount (==1) reuse = 1 ptep_set_access_flags (allow W) write private key into page read from page ptep_clear_flush() set_pte_at(pte of new_page) Fix this by moving the page_remove_rmap of the old page after the pte clear and flush. Potentially the entire branch could be moved down here, but in order to stay consistent, I won't (should probably move all the *_mm_counter stuff with one patch). Signed-off-by: Nick Piggin Acked-by: Hugh Dickins Cc: Andrew Morton Signed-off-by: Linus Torvalds commit 672ca28e300c17bf8d792a2a7a8631193e580c74 Author: Linus Torvalds Date: Mon Jun 23 11:21:37 2008 -0700 Fix ZERO_PAGE breakage with vmware Commit 89f5b7da2a6bad2e84670422ab8192382a5aeb9f ("Reinstate ZERO_PAGE optimization in 'get_user_pages()' and fix XIP") broke vmware, as reported by Jeff Chua: "This broke vmware 6.0.4. Jun 22 14:53:03.845: vmx| NOT_IMPLEMENTED /build/mts/release/bora-93057/bora/vmx/main/vmmonPosix.c:774" and the reason seems to be that there's an old bug in how we handle do FOLL_ANON on VM_SHARED areas in get_user_pages(), but since it only triggered if the whole page table was missing, nobody had apparently hit it before. The recent changes to 'follow_page()' made the FOLL_ANON logic trigger not just for whole missing page tables, but for individual pages as well, and exposed this problem. This fixes it by making the test for when FOLL_ANON is used more careful, and also makes the code easier to read and understand by moving the logic to a separate inline function. Reported-and-tested-by: Jeff Chua Signed-off-by: Linus Torvalds commit 96a331b1d6426726c37242ddbe939ee14b255790 Author: Gustavo Fernando Padovan Date: Mon Jun 23 12:07:06 2008 +0100 removed unused var real_tty on n_tty_ioctl() I noted that the 'struct tty_struct *real_tty' is not used in this function, so I removed the code about 'real_tty'. Signed-off-by: Gustavo Fernando Padovan Acked-by: Alan Cox Signed-off-by: Linus Torvalds commit 36c7343b4ecac2432430f5393314f1bdc2c219a5 Author: Alan Cox Date: Mon Jun 23 12:06:52 2008 +0100 tty_driver: Update required method documentation Some of the requirement rules are now more relaxed. Also correct a contradiction in the previous update Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds commit 87afd448b186c885d67a08b7417cd46253b6a9d6 Author: Eli Cohen Date: Mon Jun 23 09:29:58 2008 -0700 IB/mthca: Clear ICM pages before handing to FW Current memfree FW has a bug which in some cases, assumes that ICM pages passed to it are cleared. This patch uses __GFP_ZERO to allocate all ICM pages passed to the FW. Once firmware with a fix is released, we can make the workaround conditional on firmware version. This fixes the bug reported by Arthur Kepner here: http://lists.openfabrics.org/pipermail/general/2008-May/050026.html Cc: Signed-off-by: Eli Cohen [ Rewritten to be a one-liner using __GFP_ZERO instead of vmap()ing ICM memory and memset()ing it to 0. - Roland ] Signed-off-by: Roland Dreier commit 1b7558e457ed0de61023cfc913d2c342c7c3d9f2 Author: Thomas Gleixner Date: Mon Jun 23 11:21:58 2008 +0200 futexes: fix fault handling in futex_lock_pi This patch addresses a very sporadic pi-futex related failure in highly threaded java apps on large SMP systems. David Holmes reported that the pi_state consistency check in lookup_pi_state triggered with his test application. This means that the kernel internal pi_state and the user space futex variable are out of sync. First we assumed that this is a user space data corruption, but deeper investigation revieled that the problem happend because the pi-futex code is not handling a fault in the futex_lock_pi path when the user space variable needs to be fixed up. The fault happens when a fork mapped the anon memory which contains the futex readonly for COW or the page got swapped out exactly between the unlock of the futex and the return of either the new futex owner or the task which was the expected owner but failed to acquire the kernel internal rtmutex. The current futex_lock_pi() code drops out with an inconsistent in case it faults and returns -EFAULT to user space. User space has no way to fixup that state. When we wrote this code we thought that we could not drop the hash bucket lock at this point to handle the fault. After analysing the code again it turned out to be wrong because there are only two tasks involved which might modify the pi_state and the user space variable: - the task which acquired the rtmutex - the pending owner of the pi_state which did not get the rtmutex Both tasks drop into the fixup_pi_state() function before returning to user space. The first task which acquired the hash bucket lock faults in the fixup of the user space variable, drops the spinlock and calls futex_handle_fault() to fault in the page. Now the second task could acquire the hash bucket lock and tries to fixup the user space variable as well. It either faults as well or it succeeds because the first task already faulted the page in. One caveat is to avoid a double fixup. After returning from the fault handling we reacquire the hash bucket lock and check whether the pi_state owner has been modified already. Reported-by: David Holmes Signed-off-by: Thomas Gleixner Cc: Andrew Morton Cc: David Holmes Cc: Peter Zijlstra Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Signed-off-by: Ingo Molnar kernel/futex.c | 93 ++++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 73 insertions(+), 20 deletions(-) commit 3e14b50dd4a3178f4f635267a2706b5d4f8c61ee Author: Takashi Iwai Date: Mon Jun 23 11:58:06 2008 +0200 ALSA: sb - Fix wrong assertions snd_assert() in save_mixer() and restore_mixer() in sb_mixer.c is just wrong. The debug code wasn't tested at all, obviously... Signed-off-by: Takashi Iwai commit 44e051773da465f8c92127914bc784770e0e2a28 Author: Takashi Iwai Date: Mon Jun 23 11:54:05 2008 +0200 ALSA: aw2 - Fix Oops at initialization The irq handler may be called before the proper initialization of hardware. Call snd_aw2_saa7146_setup() before the irq handler registration. Signed-off-by: Takashi Iwai commit 198bb971e256e4167e45e7df643c13ea66f67e3a Merge: ea71a54... 481c534... Author: Ingo Molnar Date: Mon Jun 23 11:00:26 2008 +0200 Merge branch 'linus' into sched/urgent commit 55d8538498f62ec72b5ba67aa386c7726f630475 Author: Linus Torvalds Date: Sun Jun 22 12:23:15 2008 -0700 Fix performance regression on lmbench select benchmark Christian Borntraeger reported that reinstating cond_resched() with CONFIG_PREEMPT caused a performance regression on lmbench: For example select file 500: 23 microseconds 32 microseconds and that's really because we totally unnecessarily do the cond_resched() in the innermost loop of select(), which is just silly. This moves it out from the innermost loop (which only ever loops ove the bits in a single "unsigned long" anyway), which makes the performance regression go away. Reported-and-tested-by: Christian Borntraeger Signed-off-by: Linus Torvalds commit 481c5346d0981940ee63037eb53e4e37b0735c10 Author: Christoph Lameter Date: Sat Jun 21 16:46:35 2008 -0700 Slab: Fix memory leak in fallback_alloc() The zonelist patches caused the loop that checks for available objects in permitted zones to not terminate immediately. One object per zone per allocation may be allocated and then abandoned. Break the loop when we have successfully allocated one object. Signed-off-by: Christoph Lameter Signed-off-by: Linus Torvalds commit 62a8efe632be1815b544845db643f1fcd9afcfb0 Merge: bec95aa... 2856922... Author: Linus Torvalds Date: Sat Jun 21 16:43:56 2008 -0700 Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 * 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: Ext4: Fix online resize block group descriptor corruption commit bec95aab8c056ab490fe7fa54da822938562443d Merge: 71c2742... bcccc3a... Author: Linus Torvalds Date: Sat Jun 21 12:31:02 2008 -0700 Merge branch 'release' of git://lm-sensors.org/kernel/mhoffman/hwmon-2.6 * 'release' of git://lm-sensors.org/kernel/mhoffman/hwmon-2.6: hwmon: (lm75) sensor reading bugfix hwmon: (abituguru3) update driver detection hwmon: (w83791d) new maintainer hwmon: (abituguru3) Identify Abit AW8D board as such hwmon: Update the sysfs interface documentation hwmon: (adt7473) Initialize max_duty_at_overheat before use hwmon: (lm85) Fix function RANGE_TO_REG() commit 71c2742f5e6348d76ee62085cf0a13e5eff0f00e Author: Bernhard Walle Date: Sat Jun 21 19:01:02 2008 +0200 Add return value to reserve_bootmem_node() This patch changes the function reserve_bootmem_node() from void to int, returning -ENOMEM if the allocation fails. This fixes a build problem on x86 with CONFIG_KEXEC=y and CONFIG_NEED_MULTIPLE_NODES=y Signed-off-by: Bernhard Walle Reported-by: Adrian Bunk Signed-off-by: Linus Torvalds commit a19214430d27a3af6f1672ec26f3c893ef899ede Merge: b732d96... b9f75f4... Author: Linus Torvalds Date: Sat Jun 21 08:44:08 2008 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: netns: Don't receive new packets in a dead network namespace. sctp: Make sure N * sizeof(union sctp_addr) does not overflow. pppoe: warning fix ipv6: Drop packets for loopback address from outside of the box. ipv6: Remove options header when setsockopt's optlen is 0 mac80211: detect driver tx bugs commit b9f75f45a6b46a0ab4eb0857d437a0845871f314 Author: Eric W. Biederman Date: Fri Jun 20 22:16:51 2008 -0700 netns: Don't receive new packets in a dead network namespace. Alexey Dobriyan writes: > Subject: ICMP sockets destruction vs ICMP packets oops > After icmp_sk_exit() nuked ICMP sockets, we get an interrupt. > icmp_reply() wants ICMP socket. > > Steps to reproduce: > > launch shell in new netns > move real NIC to netns > setup routing > ping -i 0 > exit from shell > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 > IP: [] icmp_sk+0x17/0x30 > PGD 17f3cd067 PUD 17f3ce067 PMD 0 > Oops: 0000 [1] PREEMPT SMP DEBUG_PAGEALLOC > CPU 0 > Modules linked in: usblp usbcore > Pid: 0, comm: swapper Not tainted 2.6.26-rc6-netns-ct #4 > RIP: 0010:[] [] icmp_sk+0x17/0x30 > RSP: 0018:ffffffff8057fc30 EFLAGS: 00010286 > RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff81017c7db900 > RDX: 0000000000000034 RSI: ffff81017c7db900 RDI: ffff81017dc41800 > RBP: ffffffff8057fc40 R08: 0000000000000001 R09: 000000000000a815 > R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff8057fd28 > R13: ffffffff8057fd00 R14: ffff81017c7db938 R15: ffff81017dc41800 > FS: 0000000000000000(0000) GS:ffffffff80525000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b > CR2: 0000000000000000 CR3: 000000017fcda000 CR4: 00000000000006e0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 > Process swapper (pid: 0, threadinfo ffffffff8053a000, task ffffffff804fa4a0) > Stack: 0000000000000000 ffff81017c7db900 ffffffff8057fcf0 ffffffff803fcfe4 > ffffffff804faa38 0000000000000246 0000000000005a40 0000000000000246 > 000000000001ffff ffff81017dd68dc0 0000000000005a40 0000000055342436 > Call Trace: > [] icmp_reply+0x44/0x1e0 > [] ? ip_route_input+0x23a/0x1360 > [] icmp_echo+0x65/0x70 > [] icmp_rcv+0x180/0x1b0 > [] ip_local_deliver+0xf4/0x1f0 > [] ip_rcv+0x33b/0x650 > [] netif_receive_skb+0x27a/0x340 > [] process_backlog+0x9d/0x100 > [] net_rx_action+0x18d/0x250 > [] __do_softirq+0x75/0x100 > [] call_softirq+0x1c/0x30 > [] do_softirq+0x65/0xa0 > [] irq_exit+0x97/0xa0 > [] do_IRQ+0xa8/0x130 > [] ? mwait_idle+0x0/0x60 > [] ret_from_intr+0x0/0xf > [] ? mwait_idle+0x4c/0x60 > [] ? mwait_idle+0x43/0x60 > [] ? cpu_idle+0x57/0xa0 > [] ? rest_init+0x70/0x80 > Code: 10 5b 41 5c 41 5d 41 5e c9 c3 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 53 > 48 83 ec 08 48 8b 9f 78 01 00 00 e8 2b c7 f1 ff 89 c0 <48> 8b 04 c3 48 83 c4 08 > 5b c9 c3 66 66 66 66 66 2e 0f 1f 84 00 > RIP [] icmp_sk+0x17/0x30 > RSP > CR2: 0000000000000000 > ---[ end trace ea161157b76b33e8 ]--- > Kernel panic - not syncing: Aiee, killing interrupt handler! Receiving packets while we are cleaning up a network namespace is a racy proposition. It is possible when the packet arrives that we have removed some but not all of the state we need to fully process it. We have the choice of either playing wack-a-mole with the cleanup routines or simply dropping packets when we don't have a network namespace to handle them. Since the check looks inexpensive in netif_receive_skb let's just drop the incoming packets. Signed-off-by: Eric W. Biederman Signed-off-by: David S. Miller commit 735ce972fbc8a65fb17788debd7bbe7b4383cc62 Author: David S. Miller Date: Fri Jun 20 22:04:34 2008 -0700 sctp: Make sure N * sizeof(union sctp_addr) does not overflow. As noticed by Gabriel Campana, the kmalloc() length arg passed in by sctp_getsockopt_local_addrs_old() can overflow if ->addr_num is large enough. Therefore, enforce an appropriate limit. Signed-off-by: David S. Miller commit 2645a3c3761ac25498db2e627271016c849c68e1 Author: Stephen Hemminger Date: Fri Jun 20 21:58:02 2008 -0700 pppoe: warning fix Fix warning: drivers/net/pppoe.c: In function 'pppoe_recvmsg': drivers/net/pppoe.c:945: warning: comparison of distinct pointer types lacks a cast because skb->len is unsigned int and total_len is size_t Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller commit b732d9680b7a2968823851f1163507ad9c45c8cb Merge: a744e01... e0c6d97... Author: Linus Torvalds Date: Fri Jun 20 17:10:04 2008 -0700 Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6 * 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6: [IA64] SN2: security hole in sn2_ptc_proc_write commit a744e0160ac5804b763449aa34d3991dc21af0be Author: Ivan Kokshaysky Date: Sat Jun 21 03:28:54 2008 +0400 alpha: resurrect Cypress IDE quirk Which was removed in the hope that generic legacy IDE quirk in drivers/pci/probe.c is sufficient for Cypress IDE. It isn't, as this controller has non-standard BAR layout: secondary channel registers are in the BAR0-1 of the second PCI function - not in the BAR2-3 of the same function, as the generic quirk routine assumes. Signed-off-by: Ivan Kokshaysky Signed-off-by: Linus Torvalds commit d559d4a24a3fed75bd890abcc1f95cd8d8dad6e1 Author: Ivan Kokshaysky Date: Sat Jun 21 03:28:31 2008 +0400 alpha: fix compile failures with gcc-4.3 (bug #10438) Vast majority of these build failures are gcc-4.3 warnings about static functions and objects being referenced from non-static (read: "extern inline") functions, in conjunction with our -Werror. We cannot just convert "extern inline" to "static inline", as people keep suggesting all the time, because "extern inline" logic is crucial for generic kernel build. So - just make sure that all callees of critical "extern inline" functions are also "extern inline"; - use "static inline", wherever it's possible. traps.c: work around gcc-4.3 being too smart about array bounds-checking. TODO: add "gnu_inline" attribute to all our "extern inline" functions to ensure desired behaviour with future compilers. Signed-off-by: Ivan Kokshaysky Signed-off-by: Linus Torvalds commit ede426923b25414f5ec9c00fefe6727d9721dd13 Author: Ivan Kokshaysky Date: Sat Jun 21 03:26:21 2008 +0400 alpha: link failure fix With built-in scsi disk driver, the final link fails with a following error: `.exit.text' referenced in section `.rodata' of drivers/built-in.o: defined in discarded section `.exit.text' of drivers/built-in.o This happens with -Os (CONFIG_CC_OPTIMIZE_FOR_SIZE=y) with all gcc-4 versions, and also with -O2 and gcc-4.3. The problem is in sd.c:sd_major() being inlined into __exit function exit_sd(), and the compiler generating a jump table in .rodata section for the 'switch' statement in sd_major(). So we have references to discarded section. Fixed with a big hammer in the form of -fno-jump-tables. Note that jump tables vs. discarded sections is a generic problem, other architectures are just lucky not to suffer from it. But with a slightly more complex switch/case statement it can be reproduced on x86 as well. So maybe at some point we should consider -fno-jump-tables as a generic compile option... Signed-off-by: Ivan Kokshaysky Signed-off-by: Linus Torvalds commit 9267b4b3880d00dc2dab90f1d817c856939114f7 Author: Ivan Kokshaysky Date: Sat Jun 21 03:25:39 2008 +0400 alpha: fix module load failures on smp (bug #10926) To calculate addresses of locally defined variables, GCC uses 32-bit displacement from the GP. Which doesn't work for per cpu variables in modules, as an offset to the kernel per cpu area is way above 4G. The workaround is to force allocation of a GOT entry for per cpu variable using ldq instruction with a 'literal' relocation. I had to use custom asm/percpu.h, as a required argument magic doesn't work with asm-generic/percpu.h macros. Signed-off-by: Ivan Kokshaysky Signed-off-by: Linus Torvalds commit e0c6d97c65e0784aade7e97b9411f245a6c543e7 Author: Cliff Wickman Date: Fri Jun 20 12:02:00 2008 -0700 [IA64] SN2: security hole in sn2_ptc_proc_write Security hole in sn2_ptc_proc_write It is possible to overrun a buffer with a write to this /proc file. Signed-off-by: Cliff Wickman Signed-off-by: Tony Luck commit 2856922c158605514ec5974a03097eaec91f4c0d Author: Frederic Bohe Date: Fri Jun 20 11:48:48 2008 -0400 Ext4: Fix online resize block group descriptor corruption This is the patch for the group descriptor table corruption during online resize pointed out by Theodore Tso. The problem was caused by the fact that the ext4 group descriptor can be either 32 or 64 bytes long. Only the 64 bytes structure was taken into account. Signed-off-by: Frederic Bohe Signed-off-by: Mingming Cao Signed-off-by: "Theodore Ts'o" commit ea71a546706dfdad72462624394e1e472c6bf34f Author: Oleg Nesterov Date: Fri Jun 20 18:32:20 2008 +0400 sched: refactor wait_for_completion_timeout() Simplify the code and fix the boundary condition of wait_for_completion_timeout(,0). We can kill the first __remove_wait_queue() as well. Signed-off-by: Ingo Molnar Acked-by: Peter Zijlstra commit ebb9cfe20fe167f29960a5e913193a684fac50bf Author: Jeremy Fitzhardinge Date: Mon Jun 16 15:01:56 2008 -0700 xen: don't drop NX bit Because NX is now enforced properly, we must put the hypercall page into the .text segment so that it is executable. Signed-off-by: Jeremy Fitzhardinge Cc: Stable Kernel Cc: the arch/x86 maintainers Signed-off-by: Ingo Molnar commit 05345b0f006ac226d0d25d48fcb2d792ac44a071 Author: Jeremy Fitzhardinge Date: Mon Jun 16 15:01:53 2008 -0700 xen: mask unwanted pte bits in __supported_pte_mask [ Stable: this isn't a bugfix in itself, but it's a pre-requiste for "xen: don't drop NX bit" ] Signed-off-by: Jeremy Fitzhardinge Cc: Stable Kernel Cc: the arch/x86 maintainers Signed-off-by: Ingo Molnar commit 46539383791a0e59a4af7412056dfbfc5240af0a Author: Isaku Yamahata Date: Mon Jun 16 14:58:13 2008 -0700 xen: Use wmb instead of rmb in xen_evtchn_do_upcall(). This patch is ported one from 534:77db69c38249 of linux-2.6.18-xen.hg. Use wmb instead of rmb to enforce ordering between evtchn_upcall_pending and evtchn_pending_sel stores in xen_evtchn_do_upcall(). Cc: Samuel Thibault Signed-off-by: Isaku Yamahata Cc: Nick Piggin Cc: the arch/x86 maintainers Signed-off-by: Ingo Molnar commit 54481cf88bc59923ea30f2ca345a73c60155e901 Author: Suresh Siddha Date: Thu Jun 19 09:41:22 2008 -0700 x86: fix NULL pointer deref in __switch_to I am able to reproduce the oops reported by Simon in __switch_to() with lguest. My debug showed that there is at least one lguest specific issue (which should be present in 2.6.25 and before aswell) and it got exposed with a kernel oops with the recent fpu dynamic allocation patches. In addition to the previous possible scenario (with fpu_counter), in the presence of lguest, it is possible that the cpu's TS bit it still set and the lguest launcher task's thread_info has TS_USEDFPU still set. This is because of the way the lguest launcher handling the guest's TS bit. (look at lguest_set_ts() in lguest_arch_run_guest()). This can result in a DNA fault while doing unlazy_fpu() in __switch_to(). This will end up causing a DNA fault in the context of new process thats getting context switched in (as opossed to handling DNA fault in the context of lguest launcher/helper process). This is wrong in both pre and post 2.6.25 kernels. In the recent 2.6.26-rc series, this is showing up as NULL pointer dereferences or sleeping function called from atomic context(__switch_to()), as we free and dynamically allocate the FPU context for the newly created threads. Older kernels might show some FPU corruption for processes running inside of lguest. With the appended patch, my test system is running for more than 50 mins now. So atleast some of your oops (hopefully all!) should get fixed. Please give it a try. I will spend more time with this fix tomorrow. Reported-by: Simon Holm Thøgersen Reported-by: Patrick McHardy Signed-off-by: Suresh Siddha Signed-off-by: Ingo Molnar commit bb10ed0994927d433f6dbdf274fdb26cfcf516b7 Author: Roland Dreier Date: Thu Jun 19 15:04:07 2008 -0700 sched: fix wait_for_completion_timeout() spurious failure under heavy load It seems that the current implementaton of wait_for_completion_timeout() has a small problem under very high load for the common pattern: if (!wait_for_completion_timeout(&done, timeout)) /* handle failure */ because the implementation very roughly does (lots of code deleted to show the basic flow): static inline long __sched do_wait_for_common(struct completion *x, long timeout, int state) { if (x->done) return timeout; do { timeout = schedule_timeout(timeout); if (!timeout) return timeout; } while (!x->done); return timeout; } so if the system is very busy and x->done is not set when do_wait_for_common() is entered, it is possible that the first call to schedule_timeout() returns 0 because the task doing wait_for_completion doesn't get rescheduled for a long time, even if it is woken up early enough. In this case, wait_for_completion_timeout() returns 0 without even checking x->done again, and the code above falls into its failure case purely for scheduler reasons, even if the hardware event or whatever was being waited for happened early enough. It would make sense to add an extra test to do_wait_for() in the timeout case and return 1 if x->done is actually set. A quick audit (not exhaustive) of wait_for_completion_timeout() callers seems to indicate that no one actually cares about the return value in the success case -- they just test for 0 (timed out) versus non-zero (wait succeeded). Signed-off-by: Ingo Molnar commit 8a8cde163ea724baf74e7752a31a69d3121a240e Author: Peter Zijlstra Date: Thu Jun 19 14:22:28 2008 +0200 sched: rt: dont stop the period timer when there are tasks wanting to run So if the group ever gets throttled, it will never wake up again. Reported-by: "Daniel K." Signed-off-by: Peter Zijlstra Tested-by: Daniel K. Signed-off-by: Ingo Molnar commit f630e43a215a3129d0c1173cae0bce6ea4855cf7 Author: YOSHIFUJI Hideaki Date: Thu Jun 19 16:33:57 2008 -0700 ipv6: Drop packets for loopback address from outside of the box. [ Based upon original report and patch by Karsten Keil. Karsten has verified that this fixes the TAHI test case "ICMPv6 test v6LC.5.1.2 Part F". -DaveM ] Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller commit aea7427f70cce5fa8f99ce447b213e9e3b49f24c Author: Shan Wei Date: Thu Jun 19 16:29:39 2008 -0700 ipv6: Remove options header when setsockopt's optlen is 0 Remove the sticky Hop-by-Hop options header by calling setsockopt() for IPV6_HOPOPTS with a zero option length, per RFC3542. Routing header and Destination options header does the same as Hop-by-Hop options header. Signed-off-by: Shan Wei Acked-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller commit bcccc3a28e9cbb44549cde326852c26203a53a56 Author: David Brownell Date: Sat May 3 19:19:16 2008 -0700 hwmon: (lm75) sensor reading bugfix LM75 sensor reading bugfix: never save error status as valid sensor output. This could be improved, but at least this prevents certain rude failure modes. Signed-off-by: David Brownell Acked-by: Jean Delvare Signed-off-by: Mark M. Hoffman commit b3aeab0cdbd0fe5339a3a5918b59eebf148cbcd1 Author: Hans de Goede Date: Fri May 23 16:10:41 2008 +0200 hwmon: (abituguru3) update driver detection It has been reported that the abituguru3 driver fails to load after a BIOS update. This patch fixes this by loosening the detection routine so that it will work after the BIOS update too. To compensate for the now very loose detection an additional check is added on the DMI Base Board vendor string to make sure we only load on Abit motherboards, this is the same as the check in the abituguru (1 / 2) driver. Signed-of-by: Hans de Goede Signed-off-by: Alistair John Strachan Signed-off-by: Mark M. Hoffman commit 25845c22647fad2a0852cf6bf277d84e8a7a6b4a Author: Marc Hulsman Date: Sun Jun 8 10:59:41 2008 -0400 hwmon: (w83791d) new maintainer Signed-off-by: Charles Spirakis Acked-by: Jean Delvare Signed-off-by: Mark M. Hoffman commit 1604e78b7d6e6087ae9bde6e7a6b41cda80d6557 Author: Hans de Goede Date: Tue Feb 26 19:34:48 2008 +0100 hwmon: (abituguru3) Identify Abit AW8D board as such This patch identifies the Abit AW8D board as such, and adds support for its aux5 fan connector Signed-off-by: Hans de Goede Acked-by: Jean Delvare Signed-off-by: Mark M. Hoffman commit 125ff8087fca28e922e7ad6e082efcf04fe2f0f4 Author: Jean Delvare Date: Sat Feb 23 10:57:53 2008 +0100 hwmon: Update the sysfs interface documentation * Document the characteristics of libsensors 3.0.0 and 3.0.1. * The sysfs interface is no longer subject to changes. Signed-off-by: Jean Delvare Acked-by: Juerg Haefliger Signed-off-by: Mark M. Hoffman commit ed4ec814e45ae8b1596aea0a29b92f6c3614acaa Author: Jean Delvare Date: Sat Apr 26 16:34:26 2008 +0200 hwmon: (adt7473) Initialize max_duty_at_overheat before use data->max_duty_at_overheat is not updated in adt7473_update_device, so it might be used before it is initialized (if the user reads from sysfs file max_duty_at_crit before writing to it.) Signed-off-by: Jean Delvare Acked-by: Darrick J. Wong Signed-off-by: Mark M. Hoffman commit d38b149794e7444a55e741446717147e7f0467f8 Author: Jean Delvare Date: Thu Apr 3 10:40:39 2008 +0200 hwmon: (lm85) Fix function RANGE_TO_REG() Function RANGE_TO_REG() is broken. For a requested range of 2000 (2 degrees C), it will return an index value of 15, i.e. 80.0 degrees C, instead of the expected index value of 0. All other values are handled properly, just 2000 isn't. The bug was introduced back in November 2004 by this patch: http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commit;h=1c28d80f1992240373099d863e4996cdd5d646d0 While this can be fixed easily with the current code, I'd rather rewrite the whole function in a way which is more obviously correct. Signed-off-by: Jean Delvare Cc: Justin Thiessen Signed-off-by: Mark M. Hoffman commit ef3a62d272f033989e83eb1f26505f93f93e3e69 Author: Johannes Berg Date: Wed Jun 18 15:39:48 2008 -0700 mac80211: detect driver tx bugs When a driver rejects a frame in it's ->tx() callback, it must also stop queues, otherwise mac80211 can go into a loop here. Detect this situation and abort the loop after five retries, warning about the driver bug. Signed-off-by: Johannes Berg Signed-off-by: David S. Miller