commit 08c4f1b096cc2468908ea58a77d2ef92ef765c52 Merge: 2b1f5c3 691c9ae Author: Linus Torvalds Date: Mon Feb 8 11:07:10 2010 -0800 Merge branch 'v4l_for_linus' of git://linuxtv.org/fixes * 'v4l_for_linus' of git://linuxtv.org/fixes: V4L/DVB: dvb-core: fix initialization of feeds list in demux filter V4L/DVB: dvb_demux: Don't use vmalloc at dvb_dmx_swfilter_packet V4L/DVB: Fix the risk of an oops at dvb_dmx_release commit 2b1f5c3ac3ebcf9d1cb3f87b4fd929201324e2bb Merge: 9d2bc1a a601341 Author: Linus Torvalds Date: Mon Feb 8 10:10:36 2010 -0800 Merge branch 'for-linus' of git://git.monstr.eu/linux-2.6-microblaze * 'for-linus' of git://git.monstr.eu/linux-2.6-microblaze: microblaze: Invalidate dcache before enabling it commit 9d2bc1a4ccc0da617bab6bba3278705e894365ca Merge: 8bd7380 36350e0 Author: Linus Torvalds Date: Mon Feb 8 10:10:18 2010 -0800 Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc * 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc: powerpc/pseries: Fix kexec regression caused by CPPR tracking commit 8bd73803e18354add19b050d05770b646ecbffd0 Merge: 6339204 1af0b2f Author: Linus Torvalds Date: Mon Feb 8 10:09:55 2010 -0800 Merge branch 'sh/for-2.6.33' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6 * 'sh/for-2.6.33' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6: sh: Remove superfluous setup_frame_reg call sh: Don't continue unwinding across interrupts sh: Setup frame pointer in handle_exception path sh: Correct the offset of the return address in ret_from_exception usb: r8a66597-hcd: Fix up spinlock recursion in root hub polling. usb: r8a66597-hcd: Flush the D-cache for the pipe-in transfer buffers. commit 691c9ae099b9bcb5c27125af00a4a90120977458 Author: Francesco Lavra Date: Sun Feb 7 09:49:58 2010 -0300 V4L/DVB: dvb-core: fix initialization of feeds list in demux filter A DVB demultiplexer device can be used to set up either a PES filter or a section filter. In the former case, the ts field of the feed union of struct dmxdev_filter is used, in the latter case the sec field of the same union is used. The ts field is a struct list_head, and is currently initialized in the open() method of the demux device. When for a given demuxer a section filter is set up, the sec field is played with, thus if a PES filter needs to be set up after that the ts field will be corrupted, causing a kernel oops. This fix moves the list head initialization to dvb_dmxdev_pes_filter_set(), so that the ts field is properly initialized every time a PES filter is set up. Signed-off-by: Francesco Lavra Cc: stable Reviewed-by: Andy Walls Tested-by: hermann pitton Signed-off-by: Mauro Carvalho Chehab commit bc081cc8693800ebb118cc2cc6a859dd0b45921b Author: Mauro Carvalho Chehab Date: Mon Feb 1 11:50:42 2010 -0300 V4L/DVB: dvb_demux: Don't use vmalloc at dvb_dmx_swfilter_packet As dvb_dmx_swfilter_packet() is protected by a spinlock, it shouldn't sleep. However, vmalloc() may call sleep. So, move the initialization of dvb_demux::cnt_storage field to a better place. Reviewed-by: Andy Walls Signed-off-by: Mauro Carvalho Chehab commit adefdceef4c1cefee2678724cd57824c8ca80091 Author: Mauro Carvalho Chehab Date: Mon Feb 1 10:35:22 2010 -0300 V4L/DVB: Fix the risk of an oops at dvb_dmx_release dvb_dmx_init tries to allocate virtual memory for 2 pointers: filter and feed. If the second vmalloc fails, filter is freed, but the pointer keeps pointing to the old place. Later, when dvb_dmx_release() is called, it will try to free an already freed memory, causing an OOPS. Reviewed-by: Andy Walls Signed-off-by: Mauro Carvalho Chehab commit a6013411118a6c8c34f1bd8b047b36fdf9711590 Author: Michal Simek Date: Mon Feb 1 12:15:58 2010 +0100 microblaze: Invalidate dcache before enabling it We found that on write-trough kernel is necessary to do that invalidation. One WB is possible to use invalidation too. Signed-off-by: Michal Simek commit 36350e00696df148507246c817cf6f86329479fd Author: Mark Nelson Date: Sun Feb 7 16:45:12 2010 +0000 powerpc/pseries: Fix kexec regression caused by CPPR tracking The code to track the CPPR values added by commit 49bd3647134ea47420067aea8d1401e722bf2aac ("powerpc/pseries: Track previous CPPR values to correctly EOI interrupts") broke kexec on pseries because the kexec code in xics.c calls xics_set_cpu_priority() before the IPI has been EOI'ed. This wasn't a problem previously but it now triggers a BUG_ON in xics_set_cpu_priority() because os_cppr->index isn't 0. Fix this problem by setting the index on the CPPR stack to 0 before calling xics_set_cpu_priority() in xics_teardown_cpu(). Also make it clear that we only want to set the priority when there's just one CPPR value in the stack, and enforce it by updating the value of os_cppr->stack[0] rather than os_cppr->stack[os_cppr->index]. While we're at it change the BUG_ON to a WARN_ON. Reported-by: Anton Blanchard Signed-off-by: Mark Nelson Signed-off-by: Benjamin Herrenschmidt commit 1af0b2fc676009d9b5b71a82ea6a3c2b20b7ea56 Author: Matt Fleming Date: Sat Jan 30 17:37:25 2010 +0000 sh: Remove superfluous setup_frame_reg call There's no need to setup the frame pointer again in call_handle_tlbmiss. The frame pointer will already have been setup in handle_interrupt. Signed-off-by: Matt Fleming Signed-off-by: Paul Mundt commit 944a3438615da65f11e2559840404a2cac5f65ea Author: Matt Fleming Date: Sat Jan 30 17:36:20 2010 +0000 sh: Don't continue unwinding across interrupts Unfortunately, due to poor DWARF info in current toolchains, unwinding through interrutps cannot be done reliably. The problem is that the DWARF info for function epilogues is wrong. Take this standard epilogue sequence, 80003cc4: e3 6f mov r14,r15 80003cc6: 26 4f lds.l @r15+,pr 80003cc8: f6 6e mov.l @r15+,r14 <---- interrupt here 80003cca: f6 6b mov.l @r15+,r11 80003ccc: f6 6a mov.l @r15+,r10 80003cce: f6 69 mov.l @r15+,r9 80003cd0: 0b 00 rts If we take an interrupt at the highlighted point, the DWARF info will bogusly claim that the return address can be found at some offset from the frame pointer, even though the frame pointer was just restored. The worst part is if the unwinder finds a text address at the bogus stack address - unwinding will continue, for a bit, until it finally comes across an unexpected address on the stack and blows up. The only solution is to stop unwinding once we've calculated the function that was executing when the interrupt occurred. This PC can be easily calculated from pt_regs->pc. Signed-off-by: Matt Fleming Signed-off-by: Paul Mundt commit 1dca56f13899b9e256f56198026019835aaf9a3a Author: Matt Fleming Date: Wed Jan 27 20:44:59 2010 +0000 sh: Setup frame pointer in handle_exception path In order to allow the DWARF unwinder to unwind through exceptions we need to setup the frame pointer register (r14). Signed-off-by: Matt Fleming Signed-off-by: Paul Mundt commit 142698282ceb6811ad3482c218b7292037cb67ff Author: Matt Fleming Date: Wed Jan 27 20:05:20 2010 +0000 sh: Correct the offset of the return address in ret_from_exception The address that ret_from_exception and ret_from_irq will return to is found in the stack slot for SPC, not PR. This error was causing the DWARF unwinder to pick up the wrong return address on the stack and then unwind using the unwind tables for the wrong function. While I'm here I might as well add CFI annotations for the other registers since they could be useful when unwinding. Signed-off-by: Matt Fleming Signed-off-by: Paul Mundt commit 6339204ecc2aa2067a99595522de0403f0854bb8 Merge: 80e1e82 89068c5 Author: Linus Torvalds Date: Sun Feb 7 11:18:28 2010 -0800 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6: Take ima_file_free() to proper place. ima: rename PATH_CHECK to FILE_CHECK ima: rename ima_path_check to ima_file_check ima: initialize ima before inodes can be allocated fix ima breakage Take ima_path_check() in nfsd past dentry_open() in nfsd_open() freeze_bdev: don't deactivate successfully frozen MS_RDONLY sb befs: fix leak commit 80e1e823989ec44d8e35bdfddadbddcffec90424 Author: Linus Torvalds Date: Sun Feb 7 10:11:23 2010 -0800 Fix race in tty_fasync() properly This reverts commit 703625118069 ("tty: fix race in tty_fasync") and commit b04da8bfdfbb ("fnctl: f_modown should call write_lock_irqsave/ restore") that tried to fix up some of the fallout but was incomplete. It turns out that we really cannot hold 'tty->ctrl_lock' over calling __f_setown, because not only did that cause problems with interrupt disables (which the second commit fixed), it also causes a potential ABBA deadlock due to lock ordering. Thanks to Tetsuo Handa for following up on the issue, and running lockdep to show the problem. It goes roughly like this: - f_getown gets filp->f_owner.lock for reading without interrupts disabled, so an interrupt that happens while that lock is held can cause a lockdep chain from f_owner.lock -> sighand->siglock. - at the same time, the tty->ctrl_lock -> f_owner.lock chain that commit 703625118069 introduced, together with the pre-existing sighand->siglock -> tty->ctrl_lock chain means that we have a lock dependency the other way too. So instead of extending tty->ctrl_lock over the whole __f_setown() call, we now just take a reference to the 'pid' structure while holding the lock, and then release it after having done the __f_setown. That still guarantees that 'struct pid' won't go away from under us, which is all we really ever needed. Reported-and-tested-by: Tetsuo Handa Acked-by: Greg Kroah-Hartman Acked-by: Américo Wang Cc: stable@kernel.org Signed-off-by: Linus Torvalds commit 89068c576bf324ef6fbd50dfc745148f7def202c Author: Al Viro Date: Sun Feb 7 03:07:29 2010 -0500 Take ima_file_free() to proper place. Hooks: Just Say No. Signed-off-by: Al Viro commit 1e93d0052d9a6b3d0b382eedceb18b519d603baf Author: Mimi Zohar Date: Tue Jan 26 17:02:41 2010 -0500 ima: rename PATH_CHECK to FILE_CHECK With the movement of the ima hooks functions were renamed from *path* to *file* since they always deal with struct file. This patch renames some of the ima internal flags to make them consistent with the rest of the code. Signed-off-by: Mimi Zohar Signed-off-by: Eric Paris Signed-off-by: Al Viro commit 9bbb6cad0173e6220f3ac609e26beb48dab3b7cd Author: Mimi Zohar Date: Tue Jan 26 17:02:40 2010 -0500 ima: rename ima_path_check to ima_file_check ima_path_check actually deals with files! call it ima_file_check instead. Signed-off-by: Eric Paris Acked-by: Mimi Zohar Signed-off-by: Al Viro commit 54bb6552bd9405dc7685653157a4ec260c77a71c Author: Eric Paris Date: Wed Dec 9 15:29:01 2009 -0500 ima: initialize ima before inodes can be allocated ima wants to create an inode information struct (iint) when inodes are allocated. This means that at least the part of ima which does this allocation (the allocation is filled with information later) should before any inodes are created. To accomplish this we split the ima initialization routine placing the kmem cache allocator inside a security_initcall() function. Since this makes use of radix trees we also need to make sure that is initialized before security_initcall(). Signed-off-by: Eric Paris Acked-by: Mimi Zohar Signed-off-by: Al Viro commit 8eb988c70e7709b7bd1a69f0ec53d19ac20dea84 Author: Mimi Zohar Date: Wed Jan 20 15:35:41 2010 -0500 fix ima breakage The "Untangling ima mess, part 2 with counters" patch messed up the counters. Based on conversations with Al Viro, this patch streamlines ima_path_check() by removing the counter maintaince. The counters are now updated independently, from measuring the file, in __dentry_open() and alloc_file() by calling ima_counts_get(). ima_path_check() is called from nfsd and do_filp_open(). It also did not measure all files that should have been measured. Reason: ima_path_check() got bogus value passed as mask. [AV: mea culpa] [AV: add missing nfsd bits] Signed-off-by: Mimi Zohar Signed-off-by: Al Viro commit 1e41568d7378d1ba8c64ba137b9ddd00b59f893a Author: Al Viro Date: Tue Jan 26 05:43:08 2010 -0500 Take ima_path_check() in nfsd past dentry_open() in nfsd_open() Signed-off-by: Al Viro commit 4b06e5b9ad8abb20105b2b25e42c509ebe9b2d76 Author: Jun'ichi Nomura Date: Fri Jan 29 09:56:22 2010 +0900 freeze_bdev: don't deactivate successfully frozen MS_RDONLY sb Thanks Thomas and Christoph for testing and review. I removed 'smp_wmb()' before up_write from the previous patch, since up_write() should have necessary ordering constraints. (I.e. the change of s_frozen is visible to others after up_write) I'm quite sure the change is harmless but if you are uncomfortable with Tested-by/Reviewed-by on the modified patch, please remove them. If MS_RDONLY, freeze_bdev should just up_write(s_umount) instead of deactivate_locked_super(). Also, keep sb->s_frozen consistent so that remount can check the frozen state. Otherwise a crash reported here can happen: http://lkml.org/lkml/2010/1/16/37 http://lkml.org/lkml/2010/1/28/53 This patch should be applied for 2.6.32 stable series, too. Reviewed-by: Christoph Hellwig Tested-by: Thomas Backlund Signed-off-by: Jun'ichi Nomura Cc: stable@kernel.org Signed-off-by: Al Viro commit 8dd5ca532c2d2c2b85f16bc038ebfff05b8853e1 Author: Al Viro Date: Thu Jan 28 22:11:38 2010 -0500 befs: fix leak Signed-off-by: Al Viro commit 2c940db250c1610d95ea5331dc819b8bd4db96ae Author: Paul Mundt Date: Thu Feb 4 06:58:28 2010 +0000 usb: r8a66597-hcd: Fix up spinlock recursion in root hub polling. The current root hub polling code exhibits a spinlock recursion on the private controller lock. r8a66597_root_hub_control() is called from r8a66597_timer() which grabs the lock and disables IRQs. The following chain emerges: r8a66597_timer() <-- lock taken r8a66597_root_hub_control() r8a66597_check_syssts() usb_hcd_poll_rh_status() <-- acquires the same lock /* insert death here */ The entire chain requires IRQs to be disabled, so we just unlock and relock around the call to usb_hcd_poll_rh_status() while leaving the IRQ state unchanged. Signed-off-by: Paul Mundt Acked-by: Yoshihiro Shimoda commit 2717568e7c44fe7dc3f4f52ea823811cfeede2b5 Author: Paul Mundt Date: Thu Feb 4 06:57:58 2010 +0000 usb: r8a66597-hcd: Flush the D-cache for the pipe-in transfer buffers. This implements the same D-cache flushing logic for r8a66597-hcd as Catalin's isp1760 (http://patchwork.kernel.org/patch/76391/) change, with the same note applying here as well: When the HDC driver writes the data to the transfer buffers it pollutes the D-cache (unlike DMA drivers where the device writes the data). If the corresponding pages get mapped into user space, there are no additional cache flushing operations performed and this causes random user space faults on architectures with separate I and D caches (Harvard) or those with aliasing D-cache. This fixes up crashes during USB boot on SH7724 and others: http://marc.info/?l=linux-sh&m=126439837308912&w=2 Reported-by: Goda Yusuke Tested-by: Goda Yusuke Cc: stable@kernel.org Signed-off-by: Paul Mundt Acked-by: Yoshihiro Shimoda