commit 95b866d5afcafee00fc9ad70665e48c86d8c4e0f Author: Linus Torvalds Date: Fri Oct 3 09:18:17 2008 -0700 e1000e: Fix incorrect debug warning Doing 'WARN_ON(preempt_count())' was horribly horribly wrong, and would cause tons of warnings at bootup if PREEMPT was enabled because the initcalls currently run with the kernel lock, which increments the preempt count. At the same time, the warning was also insufficient, since it didn't check that interrupts were enabled. The proper debug function to use for something that can sleep and wants a warning if it's called in the wrong context is 'might_sleep()'. Reported-by: Christian Borntraeger Signed-off-by: Linus Torvalds commit b5ff7df3df9efab511244d5a299fce706c71af48 Author: Linus Torvalds Date: Thu Oct 2 18:52:51 2008 -0700 Check mapped ranges on sysfs resource files This is loosely based on a patch by Jesse Barnes to check the user-space PCI mappings though the sysfs interfaces. Quoting Jesse's original explanation: It's fairly common for applications to map PCI resources through sysfs. However, with the current implementation, it's possible for an application to map far more than the range corresponding to the resourceN file it opened. This patch plugs that hole by checking the range at mmap time, similar to what is done on platforms like sparc64 in their lower level PCI remapping routines. It was initially put together to help debug the e1000e NVRAM corruption problem, since we initially thought an X driver might be walking past the end of one of its mappings and clobbering the NVRAM. It now looks like that's not the case, but doing the check is still important for obvious reasons. and this version of the patch differs in that it uses a helper function to clarify the code, and does all the checks in pages (instead of bytes) in order to avoid overflows when doing "<< PAGE_SHIFT" etc. Acked-by: Jesse Barnes Signed-off-by: Linus Torvalds commit 6f92a6a7ddba5ae7ca0f0255d46410465dcf2ba6 Author: Jesse Brandeburg Date: Thu Oct 2 16:33:45 2008 -0700 e1000e: update version from k4 to k6 Signed-off-by: Jesse Brandeburg Signed-off-by: Linus Torvalds commit 717d438d1fde94decef874b9808379d1f4523453 Author: Thomas Gleixner Date: Thu Oct 2 16:33:40 2008 -0700 e1000e: debug contention on NVM SWFLAG This patch adds a mutex to the e1000e driver that would help catch any collisions of two e1000e threads accessing hardware at the same time. description and patch updated by Jesse Signed-off-by: Thomas Gleixner Signed-off-by: Jesse Brandeburg Signed-off-by: Linus Torvalds commit 4fa7553a075918e1e02a6039f9e826c8872b7049 Author: Jesse Brandeburg Date: Thu Oct 2 16:33:35 2008 -0700 e1000e: drop stats lock the stats lock is left over from e1000, e1000e no longer has the adjust tbi stats function that required the addition of the stats lock to begin with. adding a mutex to acquire_swflag helped catch this one too. Signed-off-by: Jesse Brandeburg Acked-by: Thomas Gleixner Signed-off-by: Linus Torvalds commit 23033fad5be0a2c7838cb9e1579919b64af713f6 Author: Jesse Brandeburg Date: Thu Oct 2 16:33:30 2008 -0700 e1000e: remove phy read from inside spinlock thanks to tglx, we're finding some interesting reentrancy issues. this patch removes the phy read from inside a spinlock, paving the way for removing the spinlock completely. The phy read was only feeding a statistic that wasn't used. Signed-off-by: Jesse Brandeburg Acked-by: Thomas Gleixner Signed-off-by: Linus Torvalds commit a8f88ff5a5abc2ce9f7d7d2694178b2c617d713a Author: Jesse Brandeburg Date: Thu Oct 2 16:33:25 2008 -0700 e1000e: do not ever sleep in interrupt context e1000e was apparently calling two functions that attempted to reserve the SWFLAG bit for exclusive (to hardware and firmware) access to the PHY and NVM (aka eeprom). These accesses could possibly call msleep to wait for the resource which is not allowed from interrupt context. Signed-off-by: Jesse Brandeburg Acked-by: Thomas Gleixner Tested-by: Thomas Gleixner Signed-off-by: Linus Torvalds commit 37f40239f49fbc0b489d0327a700fee5b3898ac2 Author: Jesse Brandeburg Date: Thu Oct 2 16:33:20 2008 -0700 e1000e: reset swflag after resetting hardware in the process of debugging things, noticed that the swflag is not reset by the driver after reset, and the swflag is probably not reset unless management firmware clears it after 100ms. Signed-off-by: Jesse Brandeburg Signed-off-by: Linus Torvalds commit 6babc32c41e3642d875372cb6afbd9ade7a9f311 Author: Andy Whitcroft Date: Thu Oct 2 14:50:18 2008 -0700 mm: handle initialising compound pages at orders greater than MAX_ORDER When we initialise a compound page we initialise the page flags and head page pointer for all base pages spanned by that page. When we initialise a gigantic page (a page of order greater than or equal to MAX_ORDER) we have to initialise more than MAX_ORDER_NR_PAGES pages. Currently we assume that all elements of the mem_map in this page are contigious in memory. However this is only guarenteed out to MAX_ORDER_NR_PAGES pages, and with SPARSEMEM enabled they will not be contigious. This leads us to walk off the end of the first section and scribble on everything which follows, BAD. When we reach a MAX_ORDER_NR_PAGES boundary we much locate the next section of the mem_map. As gigantic pages can only be maximally aligned we know this will occur at exact multiple of MAX_ORDER_NR_PAGES pages from the start of the page. This is a bug fix for the gigantic page support in hugetlbfs. Credit to Mel Gorman for spotting the issue. Signed-off-by: Andy Whitcroft Cc: Mel Gorman Cc: Jon Tollefson Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 4b19de6d1cb07c8bcb6778e771f9cfd5bcfdfd3e Author: Nick Piggin Date: Thu Oct 2 14:50:16 2008 -0700 mm: tiny-shmem nommu fix The previous patch db203d53d474aa068984e409d807628f5841da1b ("mm: tiny-shmem fix lock ordering: mmap_sem vs i_mutex") to fix the lock ordering in tiny-shmem breaks shared anonymous and IPC memory on NOMMU architectures because it was using the expanding truncate to signal ramfs to allocate a physically contiguous RAM backing the inode (otherwise it is unusable for "memory mapping" it to userspace). However do_truncate is what caused the lock ordering error, due to it taking i_mutex. In this case, we can actually just call ramfs directly to allocate memory for the mapping, rather than go via truncate. Acked-by: David Howells Acked-by: Hugh Dickins Signed-off-by: Nick Piggin Cc: Matt Mackall Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 6c1b7f680dd4f550fa6f91f148cc6fa2c4bd0737 Author: Gerald Schaefer Date: Thu Oct 2 14:50:16 2008 -0700 memory hotplug: missing zone->lock in test_pages_isolated() __test_page_isolated_in_pageblock() in mm/page_isolation.c has a comment saying that the caller must hold zone->lock. But the only caller of that function, test_pages_isolated(), does not hold zone->lock and the lock is also not acquired anywhere before. This patch adds the missing zone->lock to test_pages_isolated(). We reproducibly run into BUG_ON(!PageBuddy(page)) in __offline_isolated_pages() during memory hotplug stress test, see trace below. This patch fixes that problem, it would be good if we could have it in 2.6.27. kernel BUG at /home/autobuild/BUILD/linux-2.6.26-20080909/mm/page_alloc.c:4561! illegal operation: 0001 [#1] PREEMPT SMP Modules linked in: dm_multipath sunrpc bonding qeth_l3 dm_mod qeth ccwgroup vmur CPU: 1 Not tainted 2.6.26-29.x.20080909-s390default #1 Process memory_loop_all (pid: 10025, task: 2f444028, ksp: 2b10dd28) Krnl PSW : 040c0000 801727ea (__offline_isolated_pages+0x18e/0x1c4) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:0 CC:0 PM:0 Krnl GPRS: 00000000 7e27fc00 00000000 7e27fc00 00000000 00000400 00014000 7e27fc01 00606f00 7e27fc00 00013fe0 2b10dd28 00000005 80172662 801727b2 2b10dd28 Krnl Code: 801727de: 5810900c l %r1,12(%r9) 801727e2: a7f4ffb3 brc 15,80172748 801727e6: a7f40001 brc 15,801727e8 >801727ea: a7f4ffbc brc 15,80172762 801727ee: a7f40001 brc 15,801727f0 801727f2: a7f4ffaf brc 15,80172750 801727f6: 0707 bcr 0,%r7 801727f8: 0017 unknown Call Trace: ([<0000000000172772>] __offline_isolated_pages+0x116/0x1c4) [<00000000001953a2>] offline_isolated_pages_cb+0x22/0x34 [<000000000013164c>] walk_memory_resource+0xcc/0x11c [<000000000019520e>] offline_pages+0x36a/0x498 [<00000000001004d6>] remove_memory+0x36/0x44 [<000000000028fb06>] memory_block_change_state+0x112/0x150 [<000000000028ffb8>] store_mem_state+0x90/0xe4 [<0000000000289c00>] sysdev_store+0x34/0x40 [<00000000001ee048>] sysfs_write_file+0xd0/0x178 [<000000000019b1a8>] vfs_write+0x74/0x118 [<000000000019b9ae>] sys_write+0x46/0x7c [<000000000011160e>] sysc_do_restart+0x12/0x16 [<0000000077f3e8ca>] 0x77f3e8ca Signed-off-by: Gerald Schaefer Acked-by: KAMEZAWA Hiroyuki Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit aa94fbd5ccd840c8ab26d02439ec799b03a72547 Author: Dan Carpenter Date: Thu Oct 2 14:50:14 2008 -0700 fix error-path NULL deref in alloc_posix_timer() Found by static checker (http://repo.or.cz/w/smatch.git). Signed-off-by: Dan Carpenter Acked-by: Thomas Gleixner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit c0c9209ddd96bc4f1d70a8b9958710671e076080 Author: Pascal Terjan Date: Thu Oct 2 14:50:13 2008 -0700 braille_console: only register notifiers when the braille console is used Only register the braille driver VT and keyboard notifiers when the braille console is used. Avoids eating insert or backspace keys. Addresses http://bugzilla.kernel.org/show_bug.cgi?id=11242 Signed-off-by: Pascal Terjan Signed-off-by: Samuel Thibault Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 16dbc6c9616363fe53811abcbd935336dc0a0f01 Author: Nick Piggin Date: Thu Oct 2 14:50:12 2008 -0700 inotify: fix lock ordering wrt do_page_fault's mmap_sem Fix inotify lock order reversal with mmap_sem due to holding locks over copy_to_user. Signed-off-by: Nick Piggin Reported-by: "Daniel J Blueman" Tested-by: "Daniel J Blueman" Cc: Ingo Molnar Cc: Peter Zijlstra Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 08650869e0ec581f8d88cfdb563d37f5383abfe2 Author: David Winn Date: Thu Oct 2 14:50:11 2008 -0700 fbcon: fix monochrome color value calculation Commit 22af89aa0c0b4012a7431114a340efd3665a7617 ("fbcon: replace mono_col macro with static inline") changed the order of operations for computing monochrome color values. This generates 0xffff000f instead of 0x0000000f for a 4 bit monochrome color, leading to image corruption if it is passed to cfb_imageblit or other similar functions. Fix it up. Cc: Harvey Harrison Cc: "Antonino A. Daplas" Cc: Krzysztof Helt Cc: [2.6.26.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 550ac958791399266c20e15e8048cd12bfce08ae Merge: 1fce2d0... 591d8a2... Author: Linus Torvalds Date: Thu Oct 2 07:54:32 2008 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6: ALSA: snd-powermac: HP detection for 1st iMac G3 SL ALSA: snd-powermac: mixers for PowerMac G4 AGP ASoC: Set correct name for WM8753 rec mixer output commit 591d8a25c7c242f6b00be120ed378e585a5afb47 Merge: 030b655... 4037314... Author: Takashi Iwai Date: Thu Oct 2 12:50:50 2008 +0200 Merge branch 'asoc-fixes' into for-linus commit 030b655b062fe5190fc490e0091ea50307d7a86f Author: Risto Suominen Date: Mon Aug 25 08:04:23 2008 +0200 ALSA: snd-powermac: HP detection for 1st iMac G3 SL Correct headphone detection for 1st generation iMac G3 Slot-loading (Screamer). This patch fixes the regression in the recent snd-powermac which doesn't support some G3/G4 PowerMacs: http://lkml.org/lkml/2008/10/1/220 Signed-off-by: Risto Suominen Tested-by: Mariusz Kozlowski Cc: stable@kernel.org Signed-off-by: Takashi Iwai commit 4dbf95ba6c344186ec6d38ff514dc675da464bec Author: Risto Suominen Date: Mon Aug 25 08:02:12 2008 +0200 ALSA: snd-powermac: mixers for PowerMac G4 AGP Add mixer controls for PowerMac G4 AGP (Screamer). This patch fixes the regression in the recent snd-powermac which doesn't support some G3/G4 PowerMacs: http://lkml.org/lkml/2008/10/1/220 Signed-off-by: Risto Suominen Tested-by: Mariusz Kozlowski Cc: stable@kernel.org Signed-off-by: Takashi Iwai commit 4037314afc6eea3eab7e0447884c12b57a081f63 Author: Rob Sims Date: Wed Oct 1 21:47:31 2008 +0200 ASoC: Set correct name for WM8753 rec mixer output Rob Sims wrote: "I can't seem to turn on register 0x17, bit 3 in the sound chip, except by codec_reg_write; the mixer lacks direct or indirect control. It seems there are two names for the output of the rec mixer: Capture ST Mixer Playback Mixer Would the following do the trick?" I confirm that this solves the audio problems I was having. Signed-off-by: Jonas Bonn Signed-off-by: Mark Brown Signed-off-by: Takashi Iwai commit 1fce2d01dff65a76cd08c1b145acd9d3c20021d2 Author: Kumar Gala Date: Thu Oct 2 00:58:49 2008 -0500 powerpc: Fix boot hang regression on MPC8544DS Commit 00c5372d37a78990c1530184a9c792ee60a30067 caused the MPC8544DS board to hang at boot. The MPC8544DS is unique in that it doesn't use the PCI slots on the ULI (unlike the MPC8572DS or MPC8610HPCD). So the dummy read at the end of the address space causes us to hang. We can detect the situation by comparing the bridge's BARs versus the root complex. Signed-off-by: Kumar Gala commit 4a7703582836f55a1cbad0e2c1c6ebbee3f9b3a7 Author: Bruce Allan Date: Wed Oct 1 17:18:35 2008 -0700 e1000e: write protect ICHx NVM to prevent malicious write/erase Set the hardware to ignore all write/erase cycles to the GbE region in the ICHx NVM. This feature can be disabled by the WriteProtectNVM module parameter (enabled by default) only after a hardware reset, but the machine must be power cycled before trying to enable writes. Signed-off-by: Bruce Allan Signed-off-by: Jesse Brandeburg CC: arjan@linux.intel.com Signed-off-by: Linus Torvalds commit 20b918dc77b383e9779dafceee3f2198a6f7b0e5 Author: Mike Rapoport Date: Wed Oct 1 10:39:24 2008 -0700 pxa2xx_spi: fix build breakage This patch fixes a build error in the pxa2xx-spi driver, introduced by commit 7e96445533ac3f4f7964646a202ff3620602fab4 ("pxa2xx_spi: dma bugfixes") CC drivers/spi/pxa2xx_spi.o drivers/spi/pxa2xx_spi.c: In function 'map_dma_buffers': drivers/spi/pxa2xx_spi.c:331: error: invalid operands to binary & drivers/spi/pxa2xx_spi.c:331: error: invalid operands to binary & drivers/spi/pxa2xx_spi.c: In function 'pump_transfers': drivers/spi/pxa2xx_spi.c:897: warning: format '%lu' expects type 'long unsigned int', but argument 4 has type 'unsigned int' [dbrownell@users.sourceforge.net: fix warning too ] Signed-off-by: Mike Rapoport Acked-by: Eric Miao Signed-off-by: Andrew Morton Signed-off-by: David Brownell Signed-off-by: Linus Torvalds commit edfd222fc54664b789cec01e78d442ce9461e79b Merge: d6478fa... dc63b52... Author: Linus Torvalds Date: Wed Oct 1 12:26:49 2008 -0700 Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: x86, vmi: fix broken LDT access x86: fix typo in enable_mtrr_cleanup early parameter commit d6478fad430e37148b56f642c87301ba72476675 Author: David Howells Date: Wed Oct 1 13:47:06 2008 +0100 MN10300: Fix IRQ handling Fix the IRQ handling on the MN10300 arch. This patch makes a number of significant changes: (1) It separates the irq_chip definition for edge-triggered interrupts from the one for level-triggered interrupts. This is necessary because the MN10300 PIC latches the IRQ channel's interrupt request bit (GxICR_REQUEST), even after the device has ceased to assert its interrupt line and the interrupt channel has been disabled in the PIC. So for level-triggered interrupts we need to clear this bit when we re-enable - which is achieved by setting GxICR_DETECT but not GxICR_REQUEST when writing to the register. Not doing this results in spurious interrupts occurring because calling mask_ack() at the start of handle_level_irq() is insufficient - it fails to clear the REQUEST latch because the device that caused the interrupt is still asserting its interrupt line at this point. (2) IRQ disablement [irq_chip::disable_irq()] shouldn't clear the interrupt request flag for edge-triggered interrupts lest it lose an interrupt. (3) IRQ unmasking [irq_chip::unmask_irq()] also shouldn't clear the interrupt request flag for edge-triggered interrupts lest it lose an interrupt. (4) The end() operation is now left to the default (no-operation) as __do_IRQ() is compiled out. This may affect misrouted_irq(), but according to Thomas Gleixner it's the correct thing to do. (5) handle_level_irq() is used for edge-triggered interrupts rather than handle_edge_irq() as the MN10300 PIC latches interrupt events even on masked IRQ channels, thus rendering IRQ_PENDING unnecessary. It is sufficient to call mask_ack() at the start and unmask() at the end. (6) For level-triggered interrupts, ack() is now NULL as it's not used, and there is no effective ACK function on the PIC. mask_ack() is now the same as mask() as the latch continues to latch, even when the channel is masked. Further, the patch discards the disable() op implementation as its now the same as the mask() op implementation, which is used instead. It also discards the enable() op implementations as they're now the same as the unmask() op implementations, which are used instead. Signed-off-by: David Howells Signed-off-by: Linus Torvalds commit 7ac9c1c24c0e68bdb89524e8c99e13fffcb2fcfb Merge: ae1cfb1... 7253a33... Author: Linus Torvalds Date: Wed Oct 1 09:37:23 2008 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-2.6-dm * git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-2.6-dm: dm mpath: add missing path switching locking dm: cope with access beyond end of device in dm_merge_bvec dm: always allow one page in dm_merge_bvec commit ae1cfb1174c87b43b0639e35e782b7b2c95fb4ff Merge: de59985... 0523820... Author: Linus Torvalds Date: Wed Oct 1 09:37:04 2008 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: af_key: Free dumping state on socket close XFRM,IPv6: initialize ip6_dst_blackhole_ops.kmem_cachep ipv6: NULL pointer dereferrence in tcp_v6_send_ack tcp: Fix NULL dereference in tcp_4_send_ack() sctp: Fix kernel panic while process protocol violation parameter iucv: Fix mismerge again. ipsec: Fix pskb_expand_head corruption in xfrm_state_check_space commit 7253a33434245ee8243897559188186df65f3611 Author: Chandra Seetharaman Date: Wed Oct 1 14:39:27 2008 +0100 dm mpath: add missing path switching locking Moving the path activation to workqueue along with scsi_dh patches introduced a race. It is due to the fact that the current_pgpath (in the multipath data structure) can be modified if changes happen in any of the paths leading to the lun. If the changes lead to current_pgpath being set to NULL, then it leads to the invalid access which results in the panic below. This patch fixes that by storing the pgpath to activate in the multipath data structure and properly protecting it. Note that if activate_path is called twice in succession with different pgpath, with the second one being called before the first one is done, then activate path will be called twice for the second pgpath, which is fine. Unable to handle kernel paging request for data at address 0x00000020 Faulting instruction address: 0xd000000000aa1844 cpu 0x1: Vector: 300 (Data Access) at [c00000006b987a80] pc: d000000000aa1844: .activate_path+0x30/0x218 [dm_multipath] lr: c000000000087a2c: .run_workqueue+0x114/0x204 sp: c00000006b987d00 msr: 8000000000009032 dar: 20 dsisr: 40000000 current = 0xc0000000676bb3f0 paca = 0xc0000000006f3680 pid = 2528, comm = kmpath_handlerd enter ? for help [c00000006b987da0] c000000000087a2c .run_workqueue+0x114/0x204 [c00000006b987e40] c000000000088b58 .worker_thread+0x120/0x144 [c00000006b987f00] c00000000008ca70 .kthread+0x78/0xc4 [c00000006b987f90] c000000000027cc8 .kernel_thread+0x4c/0x68 Signed-off-by: Chandra Seetharaman Signed-off-by: Alasdair G Kergon commit b01cd5ac43b00c49759c126c21e7d22c7e80b245 Author: Mikulas Patocka Date: Wed Oct 1 14:39:24 2008 +0100 dm: cope with access beyond end of device in dm_merge_bvec If for any reason dm_merge_bvec() is given an offset beyond the end of the device, avoid an oops and always allow one page to be added to an empty bio. We'll reject the I/O later after the bio is submitted. Signed-off-by: Mikulas Patocka Signed-off-by: Alasdair G Kergon commit 5037108acd4dc40c210321cc83b0bf8352eda95a Author: Mikulas Patocka Date: Wed Oct 1 14:39:17 2008 +0100 dm: always allow one page in dm_merge_bvec Some callers assume they can always add at least one page to an empty bio, so dm_merge_bvec should not return 0 in this case: we'll reject the I/O later after the bio is submitted. Signed-off-by: Mikulas Patocka Signed-off-by: Alasdair G Kergon commit 0523820482dcb42784572ffd2296c2f08c275a2b Author: Timo Teras Date: Wed Oct 1 05:17:54 2008 -0700 af_key: Free dumping state on socket close Fix a xfrm_{state,policy}_walk leak if pfkey socket is closed while dumping is on-going. Signed-off-by: Timo Teras Signed-off-by: David S. Miller commit 5dc121e9a7a8a3721cefeb07f3559f50fbedc67e Author: Arnaud Ebalard Date: Wed Oct 1 02:37:56 2008 -0700 XFRM,IPv6: initialize ip6_dst_blackhole_ops.kmem_cachep ip6_dst_blackhole_ops.kmem_cachep is not expected to be NULL (i.e. to be initialized) when dst_alloc() is called from ip6_dst_blackhole(). Otherwise, it results in the following (xfrm_larval_drop is now set to 1 by default): [ 78.697642] Unable to handle kernel paging request for data at address 0x0000004c [ 78.703449] Faulting instruction address: 0xc0097f54 [ 78.786896] Oops: Kernel access of bad area, sig: 11 [#1] [ 78.792791] PowerMac [ 78.798383] Modules linked in: btusb usbhid bluetooth b43 mac80211 cfg80211 ehci_hcd ohci_hcd sungem sungem_phy usbcore ssb [ 78.804263] NIP: c0097f54 LR: c0334a28 CTR: c002d430 [ 78.809997] REGS: eef19ad0 TRAP: 0300 Not tainted (2.6.27-rc5) [ 78.815743] MSR: 00001032 CR: 22242482 XER: 20000000 [ 78.821550] DAR: 0000004c, DSISR: 40000000 [ 78.827278] TASK = eef0df40[3035] 'mip6d' THREAD: eef18000 [ 78.827408] GPR00: 00001032 eef19b80 eef0df40 00000000 00008020 eef19c30 00000001 00000000 [ 78.833249] GPR08: eee5101c c05a5c10 ef9ad500 00000000 24242422 1005787c 00000000 1004f960 [ 78.839151] GPR16: 00000000 10024e90 10050040 48030018 0fe44150 00000000 00000000 eef19c30 [ 78.845046] GPR24: eef19e44 00000000 eef19bf8 efb37c14 eef19bf8 00008020 00009032 c0596064 [ 78.856671] NIP [c0097f54] kmem_cache_alloc+0x20/0x94 [ 78.862581] LR [c0334a28] dst_alloc+0x40/0xc4 [ 78.868451] Call Trace: [ 78.874252] [eef19b80] [c03c1810] ip6_dst_lookup_tail+0x1c8/0x1dc (unreliable) [ 78.880222] [eef19ba0] [c0334a28] dst_alloc+0x40/0xc4 [ 78.886164] [eef19bb0] [c03cd698] ip6_dst_blackhole+0x28/0x1cc [ 78.892090] [eef19be0] [c03d9be8] rawv6_sendmsg+0x75c/0xc88 [ 78.897999] [eef19cb0] [c038bca4] inet_sendmsg+0x4c/0x78 [ 78.903907] [eef19cd0] [c03207c8] sock_sendmsg+0xac/0xe4 [ 78.909734] [eef19db0] [c03209e4] sys_sendmsg+0x1e4/0x2a0 [ 78.915540] [eef19f00] [c03220a8] sys_socketcall+0xfc/0x210 [ 78.921406] [eef19f40] [c0014b3c] ret_from_syscall+0x0/0x38 [ 78.927295] --- Exception: c01 at 0xfe2d730 [ 78.927297] LR = 0xfe2d71c [ 78.939019] Instruction dump: [ 78.944835] 91640018 9144001c 900a0000 4bffff44 9421ffe0 7c0802a6 bf810010 7c9d2378 [ 78.950694] 90010024 7fc000a6 57c0045e 7c000124 <83e3004c> 8383005c 2f9f0000 419e0050 [ 78.956464] ---[ end trace 05fa1ed7972487a1 ]--- As commented by Benjamin Thery, the bug was introduced by f2fc6a54585a1be6669613a31fbaba2ecbadcd36, while adding network namespaces support to ipv6 routes. Signed-off-by: Arnaud Ebalard Acked-by: Benjamin Thery Signed-off-by: David S. Miller commit 2a5b82751f73a0bf6f604ce56d34adba6da1b246 Author: Denis V. Lunev Date: Wed Oct 1 02:13:16 2008 -0700 ipv6: NULL pointer dereferrence in tcp_v6_send_ack The following actions are possible: tcp_v6_rcv skb->dev = NULL; tcp_v6_do_rcv tcp_v6_hnd_req tcp_check_req req->rsk_ops->send_ack == tcp_v6_send_ack So, skb->dev can be NULL in tcp_v6_send_ack. We must obtain namespace from dst entry. Thanks to Vitaliy Gusev for initial problem finding in IPv4 code. Signed-off-by: Denis V. Lunev Signed-off-by: David S. Miller commit 4dd7972d1204c3851a4092cecd2207e05eb29b09 Author: Vitaliy Gusev Date: Wed Oct 1 01:51:39 2008 -0700 tcp: Fix NULL dereference in tcp_4_send_ack() Fix NULL dereference in tcp_4_send_ack(). As skb->dev is reset to NULL in tcp_v4_rcv() thus OOPS occurs: BUG: unable to handle kernel NULL pointer dereference at 00000000000004d0 IP: [] tcp_v4_send_ack+0x203/0x250 Stack: ffff810005dbb000 ffff810015c8acc0 e77b2c6e5f861600 a01610802e90cb6d 0a08010100000000 88afffff88afffff 0000000080762be8 0000000115c872e8 0004122000000000 0000000000000001 ffffffff80762b88 0000000000000020 Call Trace: [] tcp_v4_reqsk_send_ack+0x20/0x22 [] tcp_check_req+0x108/0x14c [] ? rt_intern_hash+0x322/0x33c [] tcp_v4_do_rcv+0x399/0x4ec [] ? skb_checksum+0x4f/0x272 [] ? __inet_lookup_listener+0x14a/0x15c [] tcp_v4_rcv+0x6a1/0x701 [] ip_local_deliver_finish+0x157/0x24a [] ip_local_deliver+0x72/0x7c [] ip_rcv_finish+0x38d/0x3b2 [] ? scsi_io_completion+0x19d/0x39e [] ip_rcv+0x2a2/0x2e5 [] netif_receive_skb+0x293/0x303 [] process_backlog+0x80/0xd0 [] ? __rcu_process_callbacks+0x125/0x1b4 [] net_rx_action+0xb9/0x17f [] __do_softirq+0xa3/0x164 [] call_softirq+0x1c/0x28 [] do_softirq+0x34/0x72 [] local_bh_enable_ip+0x3f/0x50 [] _spin_unlock_bh+0x12/0x14 [] release_sock+0xb8/0xc1 [] inet_stream_connect+0x146/0x25c [] ? autoremove_wake_function+0x0/0x38 [] sys_connect+0x68/0x8e [] ? fd_install+0x5f/0x68 [] ? sock_map_fd+0x55/0x62 [] system_call_after_swapgs+0x7b/0x80 Code: 41 10 11 d0 83 d0 00 4d 85 ed 89 45 c0 c7 45 c4 08 00 00 00 74 07 41 8b 45 04 89 45 c8 48 8b 43 20 8b 4d b8 48 8d 55 b0 48 89 de <48> 8b 80 d0 04 00 00 48 8b b8 60 01 00 00 e8 20 ae fe ff 65 48 RIP [] tcp_v4_send_ack+0x203/0x250 RSP CR2: 00000000000004d0 Signed-off-by: Vitaliy Gusev Signed-off-by: David S. Miller commit dc63b52673d71f9d49b9d72d263a9f32df18c3ee Author: Zachary Amsden Date: Tue Sep 30 11:02:12 2008 -0700 x86, vmi: fix broken LDT access This one took a long time to rear up because LDT usage is not very common, but the bug is quite serious. It got introduced along with another bug, already fixed, by 75b8bb3e56ca09a467fbbe5229bc68627f7445be After investigating a JRE failure, I found this bug was introduced a long time ago, and had already managed to survive another bugfix which occurred on the same line. The result is a total failure of the JRE due to LDT selectors not working properly. Signed-off-by: Zachary Amsden Cc: Glauber de Oliveira Costa Cc: stable@kernel.org Signed-off-by: Ingo Molnar commit de59985e3a623d4d5d6207f1777398ca0606ab1c Author: Zachary Amsden Date: Tue Sep 30 11:02:12 2008 -0700 x86: Fix broken LDT access in VMI After investigating a JRE failure, I found this bug was introduced a long time ago, and had already managed to survive another bugfix which occurred on the same line. The result is a total failure of the JRE due to LDT selectors not working properly. This one took a long time to rear up because LDT usage is not very common, but the bug is quite serious. It got introduced along with another bug, already fixed, by 75b8bb3e56ca09a467fbbe5229bc68627f7445be Signed-off-by: Zachary Amsden Cc: Ingo Molnar Cc: Glauber de Oliveira Costa Cc: Signed-off-by: Linus Torvalds commit d3a47e82b6bc3724dd60f3ee4e84fe4479104382 Merge: 99c3563... c459ce8... Author: Linus Torvalds Date: Tue Sep 30 09:47:16 2008 -0700 Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6 * 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6: [IA64] Put the space for cpu0 per-cpu area into .data section commit 99c3563e64cf887cca0b181149c0f85c39569276 Merge: 022d5bc... 24918b6... Author: Linus Torvalds Date: Tue Sep 30 09:38:42 2008 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6: ALSA: hda - Fix model for Dell Inspiron 1525 ALSA: ASoC: Fix cs4270 error path commit 022d5bcd49e0b3c3a3fde60491837414f96cc20e Merge: 95237b8... 6cac6e8... Author: Linus Torvalds Date: Tue Sep 30 08:42:21 2008 -0700 Merge branch 'for-linus' of git://git.o-hand.com/linux-mfd * 'for-linus' of git://git.o-hand.com/linux-mfd: mfd: Fix asic3 compilation mfd: Fix Kconfig accroding to the new gpiolib symbols commit 95237b80a3021ce5abb4d9ad330355549026f9c3 Merge: cf4b0b2... 61e9916... Author: Linus Torvalds Date: Tue Sep 30 08:40:46 2008 -0700 Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc * 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc: powerpc: Fix failure to shutdown with CPU hotplug powerpc: Fix PCI in Holly device tree commit cf4b0b2c9520728e170f7a3061e24dbae0b56ed4 Merge: 94aca1d... ccc7dad... Author: Linus Torvalds Date: Tue Sep 30 08:39:18 2008 -0700 Merge branch 'timers-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'timers-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: hrtimer: prevent migration of per CPU hrtimers hrtimer: mark migration state hrtimer: fix migration of CB_IRQSAFE_NO_SOFTIRQ hrtimers hrtimer: migrate pending list on cpu offline Acked-by: Paul E. McKenney Acked-by: Benjamin Herrenschmidt Tested-by: Paul E. McKenney commit ba0166708ef4da7eeb61dd92bbba4d5a749d6561 Author: Wei Yongjun Date: Tue Sep 30 05:32:24 2008 -0700 sctp: Fix kernel panic while process protocol violation parameter Since call to function sctp_sf_abort_violation() need paramter 'arg' with 'struct sctp_chunk' type, it will read the chunk type and chunk length from the chunk_hdr member of chunk. But call to sctp_sf_violation_paramlen() always with 'struct sctp_paramhdr' type's parameter, it will be passed to sctp_sf_abort_violation(). This may cause kernel panic. sctp_sf_violation_paramlen() |-- sctp_sf_abort_violation() |-- sctp_make_abort_violation() This patch fixed this problem. This patch also fix two place which called sctp_sf_violation_paramlen() with wrong paramter type. Signed-off-by: Wei Yongjun Signed-off-by: Vlad Yasevich Signed-off-by: David S. Miller commit 24918b61b55c21e09a3e07cd82e1b3a8154782dc Author: Takashi Iwai Date: Tue Sep 30 12:58:54 2008 +0200 ALSA: hda - Fix model for Dell Inspiron 1525 Dell Inspiron 1525 seems to have a buggy BIOS setup and screws up the recent codec parser, as reported by Oleksandr Natalenko: http://lkml.org/lkml/2008/9/12/203 This patch adds the working model, dell-3stack, statically. Signed-off-by: Takashi Iwai Cc: commit e3145dfb7b4262fa55907006b75da799de8c1be3 Author: Jean Delvare Date: Tue Sep 30 11:40:37 2008 +0200 ALSA: ASoC: Fix cs4270 error path The error path in cs4270_probe/cs4270_remove is pretty broken: * If cs4270_probe fails, codec is leaked. * If snd_soc_register_card fails, cs4270_i2c_driver stays registered. * If I2C support is enabled but no I2C device is found, i2c_del_driver is never called (neither in cs4270_probe nor in cs4270_remove. Fix all 3 problems by implementing a clean error path in cs4270_probe and jumping to its labels as needed. Signed-off-by: Jean Delvare Acked-by: Timur Tabi Signed-off-by: Takashi Iwai commit 8b122efd13a227d35d5ca242561770db1b5e3658 Author: Heiko Carstens Date: Tue Sep 30 03:03:35 2008 -0700 iucv: Fix mismerge again. fb65a7c091529bfffb1262515252c0d0f6241c5c ("iucv: Fix bad merging.") fixed a merge error, but in a wrong way. We now end up with the bug below. This patch corrects the mismerge like it was intended. BUG: scheduling while atomic: swapper/1/0x00000000 Modules linked in: CPU: 1 Not tainted 2.6.27-rc7-00094-gc0f4d6d #9 Process swapper (pid: 1, task: 000000003fe7d988, ksp: 000000003fe838c0) 0000000000000000 000000003fe839b8 0000000000000002 0000000000000000 000000003fe83a58 000000003fe839d0 000000003fe839d0 0000000000390de6 000000000058acd8 00000000000000d0 000000003fe7dcd8 0000000000000000 000000000000000c 000000000000000d 0000000000000000 000000003fe83a28 000000000039c5b8 0000000000015e5e 000000003fe839b8 000000003fe83a00 Call Trace: ([<0000000000015d6a>] show_trace+0xe6/0x134) [<0000000000039656>] __schedule_bug+0xa2/0xa8 [<0000000000391744>] schedule+0x49c/0x910 [<0000000000391f64>] schedule_timeout+0xc4/0x114 [<00000000003910d4>] wait_for_common+0xe8/0x1b4 [<00000000000549ae>] call_usermodehelper_exec+0xa6/0xec [<00000000001af7b8>] kobject_uevent_env+0x418/0x438 [<00000000001d08fc>] bus_add_driver+0x1e4/0x298 [<00000000001d1ee4>] driver_register+0x90/0x18c [<0000000000566848>] netiucv_init+0x168/0x2c8 [<00000000000120be>] do_one_initcall+0x3e/0x17c [<000000000054a31a>] kernel_init+0x1ce/0x248 [<000000000001a97a>] kernel_thread_starter+0x6/0xc [<000000000001a974>] kernel_thread_starter+0x0/0xc iucv: NETIUCV driver initialized initcall netiucv_init+0x0/0x2c8 returned with preemption imbalance Signed-off-by: Heiko Carstens Signed-off-by: David S. Miller commit d01dbeb6af7a0848063033f73c3d146fec7451f3 Author: Herbert Xu Date: Tue Sep 30 02:03:19 2008 -0700 ipsec: Fix pskb_expand_head corruption in xfrm_state_check_space We're never supposed to shrink the headroom or tailroom. In fact, shrinking the headroom is a fatal action. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller commit 3dcd7e269d2223126f6ee9bc893f5a6166e1770d Author: J.A. Magallón Date: Tue Sep 30 10:02:52 2008 +0200 x86: fix typo in enable_mtrr_cleanup early parameter Correct typo for 'enable_mtrr_cleanup' early boot param name. Signed-off-by: J.A. Magallon Signed-off-by: Ingo Molnar commit 6cac6e8489af6c419cb6af6911535a280e6b6c2e Author: Samuel Ortiz Date: Thu Sep 25 00:43:59 2008 +0200 mfd: Fix asic3 compilation map_size was declared from the wrong place. Signed-off-by: Samuel Ortiz commit 2eedd6047b050f82f4e596a50704686ec989c1c8 Author: Samuel Ortiz Date: Thu Sep 25 00:39:05 2008 +0200 mfd: Fix Kconfig accroding to the new gpiolib symbols HAVE_GPIO_LIB has basically been replaced by GPIOLIB Signed-off-by: Samuel Ortiz commit 61e9916eba35dfb76d38013a5aae9a59cc50877a Author: Johannes Berg Date: Wed Sep 24 22:56:25 2008 +0000 powerpc: Fix failure to shutdown with CPU hotplug I tracked down the shutdown regression to CPUs not dying when being shut down during power-off. This turns out to be due to the system_state being SYSTEM_POWER_OFF, which this code doesn't take as a valid state for shutting off CPUs in. This has never made sense to me, but when I added hotplug code to implement hibernate I only "made it work" and did not question the need to check the system_state. Thomas Gleixner helped me dig, but the only thing we found is that it was added with the original commit that added CPU hotplug support. Signed-off-by: Johannes Berg Acked-by: Joel Schopp Signed-off-by: Benjamin Herrenschmidt commit ad611045ce5d059af84a9855b22ca3f7a99d47be Author: David Gibson Date: Wed Sep 24 16:39:04 2008 +0000 powerpc: Fix PCI in Holly device tree The PCI bridge on the Holly board is incorrectly represented in the device tree. The current device tree node for the PCI bridge sits under the tsi-bridge node. That's not obviously wrong, but the PCI bridge translates some PCI spaces into CPU address ranges which were not translated by the "ranges" property in tsi-bridge node. We used to get away with this problem because the PCI bridge discovery code was also buggy, assuming incorrectly that PCI host bridge nodes were always directly under the root bus and treating the translated addresses as raw CPU addresses, rather than parent bus addresses. This has since been fixed, thus breaking Holly. This could be fixed by adding extra translations to the tsi-bridge node, but this patch instead moves the Holly PCI bridge out of the tsi-bridge node to the root bus. This makes the tsi-bridge node represent only the built-in IO devices in the bridge, with a more-or-less contiguous address range. This is the same convention used on Freescale SoC chips, where the "soc" node represents only the IMMR region, and the PCI and other bus bridges are separate nodes under the root bus. Signed-off-by: David Gibson Acked-by: Josh Boyer Signed-off-by: Benjamin Herrenschmidt commit c459ce8b5a7d933a3bcf6915ab17ac1e036e2ac4 Author: Tony Luck Date: Mon Sep 29 16:39:19 2008 -0700 [IA64] Put the space for cpu0 per-cpu area into .data section Initial fix for making sure that we can access percpu variables in all C code (commit: 10617bbe84628eb18ab5f723d3ba35005adde143) inadvertantly allocated the memory in the "percpu" section of the vmlinux ELF executable. This confused kexec/dump. Signed-off-by: Tony Luck commit ccc7dadf736639da86f3e0c86832c11a66fc8221 Author: Thomas Gleixner Date: Mon Sep 29 15:47:42 2008 +0200 hrtimer: prevent migration of per CPU hrtimers Impact: per CPU hrtimers can be migrated from a dead CPU The hrtimer code has no knowledge about per CPU timers, but we need to prevent the migration of such timers and warn when such a timer is active at migration time. Explicitely mark the timers as per CPU and use a more understandable mode descriptor for the interrupts safe unlocked callback mode, which is used by hrtimer_sleeper and the scheduler code. Signed-off-by: Thomas Gleixner commit b00c1a99e7758f794923c61e5cd55268d61c9469 Author: Thomas Gleixner Date: Mon Sep 29 15:44:46 2008 +0200 hrtimer: mark migration state Impact: during migration active hrtimers can be seen as inactive The migration code removes the hrtimers from the queues of the dead CPU and sets the state temporary to INACTIVE. The enqueue code sets it to ACTIVE/PENDING again. Prevent that the wrong state can be seen by using a separate migration state bit. Signed-off-by: Thomas Gleixner commit 41e1022eae71707f1ce6801a746f70b1e57b7567 Author: Thomas Gleixner Date: Mon Sep 29 14:09:39 2008 +0200 hrtimer: fix migration of CB_IRQSAFE_NO_SOFTIRQ hrtimers Impact: Stale timers after a CPU went offline. commit 37bb6cb4097e29ffee970065b74499cbf10603a3 hrtimer: unlock hrtimer_wakeup changed the hrtimer sleeper callback mode to CB_IRQSAFE_NO_SOFTIRQ due to locking problems. A result of this change is that when enqueue is called for an already expired hrtimer the callback function is not longer called directly from the enqueue code. The normal callers have been fixed in the code, but the migration code which moves hrtimers from a dead CPU to a live CPU was not made aware of this. This can be fixed by checking the timer state after the call to enqueue in the migration code. Signed-off-by: Thomas Gleixner commit 7659e349672bb0d378ef8d7d62bae4c53d2bdd18 Author: Thomas Gleixner Date: Mon Sep 29 14:06:45 2008 +0200 hrtimer: migrate pending list on cpu offline Impact: hrtimers which are on the pending list are not migrated at cpu offline and can be stale forever Add the pending list migration when CONFIG_HIGH_RES_TIMERS is enabled Signed-off-by: Thomas Gleixner