OSDN Git Service
Chih-Wei Huang [Thu, 13 Jan 2011 09:45:11 +0000 (17:45 +0800)]
eeepc-wmi: add extra keymaps for EP121
Chih-Wei Huang [Sat, 1 Jan 2011 16:36:51 +0000 (00:36 +0800)]
android-x86_defconfig: set CONFIG_SQUASHFS_XATTRS=y
Funky Android Ltd [Wed, 17 Nov 2010 06:59:16 +0000 (06:59 +0000)]
Add updated driver from Stephane Lajeunesse
Funky Android Ltd [Mon, 8 Nov 2010 16:43:59 +0000 (16:43 +0000)]
Added support for hanvon touchscreen as supplied by Stephane Lajeunesse
Chih-Wei Huang [Mon, 8 Nov 2010 07:06:41 +0000 (15:06 +0800)]
android-x86: more generic and more drivers
Chia-I Wu [Wed, 27 Oct 2010 06:39:14 +0000 (14:39 +0800)]
drm/i915: Fix current fb blocking for page flip.
Block execbuffer for the fb to be flipped away, not the one that is to
be flipped in.
Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
Chih-Wei Huang [Mon, 25 Oct 2010 10:18:00 +0000 (18:18 +0800)]
android-x86: add android-x86_defconfig
Chih-Wei Huang [Mon, 5 Jul 2010 17:01:44 +0000 (01:01 +0800)]
fix x86 compiling errors
Chih-Wei Huang [Mon, 5 Jul 2010 17:01:06 +0000 (01:01 +0800)]
kconfig: add nonint_oldconfig target from Fedora kernel
This patch adds a "make nonint_oldconfig" which is non-interactive and
also gives a list of missing options at the end. Useful for automated
builds (as used in the buildsystem).
Yi Sun [Tue, 5 Jan 2010 22:30:37 +0000 (14:30 -0800)]
atkbd: fix keyevents on resuming
Change keyboard driver to push up all the keyevents even the ones before
resume so that Android PM can work correctly. This is a Android-x86 only
change and should not be in the upstream.
Yi Sun [Tue, 17 Nov 2009 22:58:24 +0000 (14:58 -0800)]
cgroup: fix typo
Yi Sun [Tue, 17 Nov 2009 21:16:53 +0000 (13:16 -0800)]
rtc: add save_time_delta on i386
Yi Sun [Tue, 21 Jul 2009 05:00:47 +0000 (22:00 -0700)]
Input: disable synaptic touchpad by default
It simulates a tochscreen and we can not support it. Disable
it will trigger the system to use generic touchpad driver.
Chih-Wei Huang [Thu, 16 Jul 2009 06:43:09 +0000 (14:43 +0800)]
ALSA: add audio support for Eee PC 1004
Chih-Wei Huang [Thu, 16 Jul 2009 02:05:22 +0000 (10:05 +0800)]
ALSA: add audio support for Eee PC 900
Yi Sun [Thu, 2 Jul 2009 08:59:56 +0000 (16:59 +0800)]
fix S3 suspend and resume
Dmitry Shmidt [Thu, 4 Nov 2010 17:38:08 +0000 (10:38 -0700)]
net: wireless: bcm4329: Add check for out of bounds scan buffer
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Dmitry Shmidt [Wed, 3 Nov 2010 23:08:25 +0000 (16:08 -0700)]
net: wireless: bcm4329: Check for out of bounds in scan results parsing
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Theodore Ts'o [Thu, 28 Oct 2010 01:30:13 +0000 (21:30 -0400)]
ext4: fix kernel oops if the journal superblock has a non-zero j_errno
Commit
84061e0 fixed an accounting bug only to introduce the
possibility of a kernel OOPS if the journal has a non-zero j_errno
field indicating that the file system had detected a fs inconsistency.
After the journal replay, if the journal superblock indicates that the
file system has an error, this indication is transfered to the file
system and then ext4_commit_super() is called to write this to the
disk.
But since the percpu counters are now initialized after the journal
replay, the call to ext4_commit_super() will cause a kernel oops since
it needs to use the percpu counters the ext4 superblock structure.
The fix is to skip setting the ext4 free block and free inode fields
if the percpu counter has not been set.
Thanks to Ken Sumrall for reporting and analyzing the root causes of
this bug.
Addresses-Google-Bug: #
3054080
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Brian Swetland [Thu, 21 Oct 2010 21:19:31 +0000 (14:19 -0700)]
staging: remove Greg's TODO, now obsolete.
Signed-off-by: Brian Swetland <swetland@google.com>
Dima Zavin [Thu, 14 Oct 2010 22:59:27 +0000 (15:59 -0700)]
yaffs: Import yaffs from Thu Oct 7 10:05:05 2010 +1300
commit
b07263adb5c642fcb911125a77b9e7f4bb8af64c
Author: Timothy Manning <tfhmanning@gmail.com>
Date: Thu Oct 7 10:05:05 2010 +1300
yaffs Further mods to python browser.
Fixed the Makefile by adding an extra symlink.
Gave the python browser the ablity to create files and folders.
Signed-off-by: Timothy Manning <tfhmanning@gmail.com>
Change-Id: Icc9caf07c88569f551f41dcbb2f9e61ff09c0593
Signed-off-by: Dima Zavin <dima@android.com>
Dima Zavin [Thu, 14 Oct 2010 19:57:15 +0000 (12:57 -0700)]
pmem: remove the extra up_write on data sem in a rare path
Change-Id: Ifd0311044a0d3ff87381b8b33db93619fe350bee
Signed-off-by: Dima Zavin <dima@android.com>
Dmitry Shmidt [Thu, 14 Oct 2010 21:37:27 +0000 (14:37 -0700)]
mmc: Fix pm_notifier obeying deferred resume (part 2)
Skip mmc_detect_change() in PM_POST_SUSPEND if Manual resume is used
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Dmitry Shmidt [Wed, 13 Oct 2010 22:30:28 +0000 (15:30 -0700)]
mmc: Fix pm_notifier obeying deferred resume
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Dima Zavin [Mon, 11 Oct 2010 22:07:23 +0000 (15:07 -0700)]
mmc: make pm_notifier obey deferred resume
Change-Id: I5e004c1a367f2a50507a97b14c82bb7d0cd1a1dd
Signed-off-by: Dima Zavin <dima@android.com>
Dmitry Shmidt [Thu, 7 Oct 2010 21:39:16 +0000 (14:39 -0700)]
mmc: Add "ignore mmc pm notify" functionality
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Dima Zavin [Fri, 8 Oct 2010 21:37:48 +0000 (14:37 -0700)]
Merge remote branch 'stable/linux-2.6.35.y' into android-2.6.35
Conflicts:
drivers/mmc/core/core.c
Change-Id: If12b25725eccb07b385f5898be75d052ff75a3f2
Dima Zavin [Fri, 8 Oct 2010 21:34:15 +0000 (14:34 -0700)]
Revert "net: Fix CONFIG_RPS option to be turned off"
This reverts commit
bc344f6ba89d5a60334105702f829bc3464d41ef.
Colin Cross [Wed, 6 Oct 2010 05:08:01 +0000 (22:08 -0700)]
[ARM] fiq glue: Align fiq stacks
Change-Id: Ia117c12e9c26de61c4acbb3efeb4fed2bed0d873
Signed-off-by: Colin Cross <ccross@android.com>
Colin Cross [Sat, 2 Oct 2010 06:41:38 +0000 (23:41 -0700)]
[ARM] fiq debugger: Allow selection of target cpu
Change-Id: I606452828d260cb533a11d558d53581d6152964a
Signed-off-by: Colin Cross <ccross@android.com>
Shawn Bohrer [Tue, 28 Sep 2010 23:12:05 +0000 (01:12 +0200)]
epoll: make epoll_wait use the hrtimer range feature
This make epoll use hrtimers for the timeout value which prevents
epoll_wait() from timing out up to a millisecond early.
This mirrors the behavior of select() and poll().
Change-Id: Ibcd2dc9ce5b4fae4aa97934835ef5906af73d116
Signed-off-by: Shawn Bohrer <shawn.bohrer@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Davide Libenzi <davidel@xmailserver.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Andrew Morton [Tue, 28 Sep 2010 23:12:04 +0000 (01:12 +0200)]
select: rename estimate_accuracy to select_estimate_accuracy
Make it a subsystem-specific identifier because we wish to amke it
non-static in the next patch ("epoll: make epoll_wait() use the hrtimer
range feature").
Change-Id: I2b1654d51699b4c0753673228cec7e90485c9806
Cc: Shawn Bohrer <shawn.bohrer@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Davide Libenzi <davidel@xmailserver.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Colin Cross [Mon, 16 Aug 2010 21:51:51 +0000 (14:51 -0700)]
ARM: fiq debugger: Add tty to fiq debugger
Change-Id: I80347cdb70cda104b96562c63f972c1f217e3822
Signed-off-by: Colin Cross <ccross@google.com>
Iliyan Malchev [Sun, 6 Jun 2010 00:36:24 +0000 (17:36 -0700)]
ARM: Add generic fiq serial debugger
Change-Id: Ibb536c88f0dbaf4766d0599296907e35e42cbfd6
Signed-off-by: Iliyan Malchev <malchev@google.com>
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Arve Hjønnevåg [Tue, 28 Sep 2010 00:50:00 +0000 (17:50 -0700)]
ARM: Add fiq_glue
Change-Id: I27d2554e07d9de204e0a06696d38db51608d9f6b
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Colin Cross <ccross@android.com>
Dima Zavin [Wed, 29 Sep 2010 00:35:31 +0000 (17:35 -0700)]
sched: use the old min_vruntime when normalizing on dequeue
After pulling the thread off the run-queue during a cgroup change,
the cfs_rq.min_vruntime gets recalculated. The dequeued thread's vruntime
then gets normalized to this new value. This can then lead to the thread
getting an unfair boost in the new group if the vruntime of the next
task in the old run-queue was way further ahead.
Cc: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Dima Zavin <dima@android.com>
Dima Zavin [Wed, 29 Sep 2010 00:24:51 +0000 (17:24 -0700)]
sched: normalize sleeper's vruntime during group change
If you switch the cgroup of a sleeping thread, its vruntime does
not get adjusted correctly for the difference between the
min_vruntime values of the two groups.
This patch adds a new callback, prep_move_task, to struct sched_class
to give sched_fair the opportunity to adjust the task's vruntime
just before setting its new group. This allows us to properly normalize
a sleeping task's vruntime when moving it between different cgroups.
More details about the problem:
http://lkml.org/lkml/2010/9/28/24
Cc: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Dima Zavin <dima@android.com>
Dmitry Shmidt [Thu, 30 Sep 2010 21:44:14 +0000 (14:44 -0700)]
net: wireless: bcm4329: Fix setting HT clock race conditions in driver start
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Arve Hjønnevåg [Thu, 3 Jun 2010 23:33:07 +0000 (16:33 -0700)]
Allow CONFIG_STACKTRACE to be enabled by itself.
This allows us to get a kernel stacktrace for a thread though /proc.
Also enable it by default.
Change-Id: If8c21cd02feaf9863f4841ace524fa30c7328d49
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Dmitry Shmidt [Wed, 29 Sep 2010 17:22:59 +0000 (10:22 -0700)]
net: wireless: bcm4329: Fix setting HT clock race conditions
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Greg Kroah-Hartman [Wed, 29 Sep 2010 01:09:08 +0000 (18:09 -0700)]
Linux 2.6.35.7
Done at LinuxCon Tokyo 2010
James Dingwall [Mon, 27 Sep 2010 08:37:17 +0000 (09:37 +0100)]
Xen: fix typo in previous patch
Correctly name the irq_chip structure to fix an immediate failure when booting
as a xen pv_ops guest with a NULL pointer exception. The missing 'x' was
introduced in commit [
fb412a178502dc498430723b082a932f797e4763] applied to
2.6.3[25]-stable trees. The commit to mainline was
[
aaca49642b92c8a57d3ca5029a5a94019c7af69f] which did not have the problem.
Signed-off-by: James Dingwall <james@dingwall.me.uk>
Reported-by: Pawel Zuzelski <pawelz@pld-linux.org>
Tested-by: Pawel Zuzelski <pawelz@pld-linux.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Mon, 27 Sep 2010 00:19:16 +0000 (17:19 -0700)]
Linux 2.6.35.6
Michael Cree [Wed, 1 Sep 2010 15:25:17 +0000 (11:25 -0400)]
alpha: Fix printk format errors
commit
3e073367a57d41e506f20aebb98e308387ce3090 upstream.
When compiling alpha generic build get errors such as:
arch/alpha/kernel/err_marvel.c: In function ‘marvel_print_err_cyc’:
arch/alpha/kernel/err_marvel.c:119: error: format ‘%ld’ expects type ‘long int’, but argument 6 has type ‘u64’
Replaced a number of %ld format specifiers with %lld since u64
is unsigned long long.
Signed-off-by: Michael Cree <mcree@orcon.net.nz>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Chris Wilson [Sun, 12 Sep 2010 17:25:19 +0000 (18:25 +0100)]
drm/i915: Ensure that the crtcinfo is populated during mode_fixup()
commit
897493504addc5609f04a2c4f73c37ab972c29b2 upstream.
This should fix the mysterious mode setting failures reported during
boot up and after resume, generally for i8xx class machines.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=16478
Reported-and-tested-by: Xavier Chantry <chantry.xavier@gmail.com>
Buzilla: https://bugs.freedesktop.org/show_bug.cgi?id=29413
Tested-by: Daniel Vetter <daniel@ffwll.ch>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Vlad Yasevich [Wed, 15 Sep 2010 14:00:26 +0000 (10:00 -0400)]
sctp: Do not reset the packet during sctp_packet_config().
commit
4bdab43323b459900578b200a4b8cf9713ac8fab upstream.
sctp_packet_config() is called when getting the packet ready
for appending of chunks. The function should not touch the
current state, since it's possible to ping-pong between two
transports when sending, and that can result packet corruption
followed by skb overlfow crash.
Reported-by: Thomas Dreibholz <dreibh@iem.uni-due.de>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Daniel J Blueman [Tue, 17 Aug 2010 22:56:55 +0000 (23:56 +0100)]
Fix unprotected access to task credentials in waitid()
commit
f362b73244fb16ea4ae127ced1467dd8adaa7733 upstream.
Using a program like the following:
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
int main() {
id_t id;
siginfo_t infop;
pid_t res;
id = fork();
if (id == 0) { sleep(1); exit(0); }
kill(id, SIGSTOP);
alarm(1);
waitid(P_PID, id, &infop, WCONTINUED);
return 0;
}
to call waitid() on a stopped process results in access to the child task's
credentials without the RCU read lock being held - which may be replaced in the
meantime - eliciting the following warning:
===================================================
[ INFO: suspicious rcu_dereference_check() usage. ]
---------------------------------------------------
kernel/exit.c:1460 invoked rcu_dereference_check() without protection!
other info that might help us debug this:
rcu_scheduler_active = 1, debug_locks = 1
2 locks held by waitid02/22252:
#0: (tasklist_lock){.?.?..}, at: [<
ffffffff81061ce5>] do_wait+0xc5/0x310
#1: (&(&sighand->siglock)->rlock){-.-...}, at: [<
ffffffff810611da>]
wait_consider_task+0x19a/0xbe0
stack backtrace:
Pid: 22252, comm: waitid02 Not tainted 2.6.35-323cd+ #3
Call Trace:
[<
ffffffff81095da4>] lockdep_rcu_dereference+0xa4/0xc0
[<
ffffffff81061b31>] wait_consider_task+0xaf1/0xbe0
[<
ffffffff81061d15>] do_wait+0xf5/0x310
[<
ffffffff810620b6>] sys_waitid+0x86/0x1f0
[<
ffffffff8105fce0>] ? child_wait_callback+0x0/0x70
[<
ffffffff81003282>] system_call_fastpath+0x16/0x1b
This is fixed by holding the RCU read lock in wait_task_continued() to ensure
that the task's current credentials aren't destroyed between us reading the
cred pointer and us reading the UID from those credentials.
Furthermore, protect wait_task_stopped() in the same way.
We don't need to keep holding the RCU read lock once we've read the UID from
the credentials as holding the RCU read lock doesn't stop the target task from
changing its creds under us - so the credentials may be outdated immediately
after we've read the pointer, lock or no lock.
Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Luck, Tony [Tue, 24 Aug 2010 18:44:18 +0000 (11:44 -0700)]
guard page for stacks that grow upwards
commit
8ca3eb08097f6839b2206e2242db4179aee3cfb3 upstream.
pa-risc and ia64 have stacks that grow upwards. Check that
they do not run into other mappings. By making VM_GROWSUP
0x0 on architectures that do not ever use it, we can avoid
some unpleasant #ifdefs in check_stack_guard_page().
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: dann frazier <dannf@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Mel Gorman [Thu, 9 Sep 2010 23:38:16 +0000 (16:38 -0700)]
mm: page allocator: update free page counters after pages are placed on the free list
commit
72853e2991a2702ae93aaf889ac7db743a415dd3 upstream.
When allocating a page, the system uses NR_FREE_PAGES counters to
determine if watermarks would remain intact after the allocation was made.
This check is made without interrupts disabled or the zone lock held and
so is race-prone by nature. Unfortunately, when pages are being freed in
batch, the counters are updated before the pages are added on the list.
During this window, the counters are misleading as the pages do not exist
yet. When under significant pressure on systems with large numbers of
CPUs, it's possible for processes to make progress even though they should
have been stalled. This is particularly problematic if a number of the
processes are using GFP_ATOMIC as the min watermark can be accidentally
breached and in extreme cases, the system can livelock.
This patch updates the counters after the pages have been added to the
list. This makes the allocator more cautious with respect to preserving
the watermarks and mitigates livelock possibilities.
[akpm@linux-foundation.org: avoid modifying incoming args]
Signed-off-by: Mel Gorman <mel@csn.ul.ie>
Reviewed-by: Rik van Riel <riel@redhat.com>
Reviewed-by: Minchan Kim <minchan.kim@gmail.com>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Reviewed-by: Christoph Lameter <cl@linux.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Christoph Lameter [Thu, 9 Sep 2010 23:38:17 +0000 (16:38 -0700)]
mm: page allocator: calculate a better estimate of NR_FREE_PAGES when memory is low and kswapd is awake
commit
aa45484031ddee09b06350ab8528bfe5b2c76d1c upstream.
Ordinarily watermark checks are based on the vmstat NR_FREE_PAGES as it is
cheaper than scanning a number of lists. To avoid synchronization
overhead, counter deltas are maintained on a per-cpu basis and drained
both periodically and when the delta is above a threshold. On large CPU
systems, the difference between the estimated and real value of
NR_FREE_PAGES can be very high. If NR_FREE_PAGES is much higher than
number of real free page in buddy, the VM can allocate pages below min
watermark, at worst reducing the real number of pages to zero. Even if
the OOM killer kills some victim for freeing memory, it may not free
memory if the exit path requires a new page resulting in livelock.
This patch introduces a zone_page_state_snapshot() function (courtesy of
Christoph) that takes a slightly more accurate view of an arbitrary vmstat
counter. It is used to read NR_FREE_PAGES while kswapd is awake to avoid
the watermark being accidentally broken. The estimate is not perfect and
may result in cache line bounces but is expected to be lighter than the
IPI calls necessary to continually drain the per-cpu counters while kswapd
is awake.
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Mel Gorman <mel@csn.ul.ie>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Mel Gorman [Thu, 9 Sep 2010 23:38:18 +0000 (16:38 -0700)]
mm: page allocator: drain per-cpu lists after direct reclaim allocation fails
commit
9ee493ce0a60bf42c0f8fd0b0fe91df5704a1cbf upstream.
When under significant memory pressure, a process enters direct reclaim
and immediately afterwards tries to allocate a page. If it fails and no
further progress is made, it's possible the system will go OOM. However,
on systems with large amounts of memory, it's possible that a significant
number of pages are on per-cpu lists and inaccessible to the calling
process. This leads to a process entering direct reclaim more often than
it should increasing the pressure on the system and compounding the
problem.
This patch notes that if direct reclaim is making progress but allocations
are still failing that the system is already under heavy pressure. In
this case, it drains the per-cpu lists and tries the allocation a second
time before continuing.
Signed-off-by: Mel Gorman <mel@csn.ul.ie>
Reviewed-by: Minchan Kim <minchan.kim@gmail.com>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Reviewed-by: Christoph Lameter <cl@linux.com>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Islam Amer [Thu, 24 Jun 2010 17:39:47 +0000 (13:39 -0400)]
dell-wmi: Add support for eject key on Dell Studio 1555
commit
d5164dbf1f651d1e955b158fb70a9c844cc91cd1 upstream.
Fixes pressing the eject key on Dell Studio 1555 does not work and produces
message :
dell-wmi: Unknown key 0 pressed
Signed-off-by: Islam Amer <pharon@gmail.com>
Cc: Kyle McMartin <kyle@mcmartin.ca>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Morten H. Larsen [Wed, 1 Sep 2010 02:29:13 +0000 (22:29 -0400)]
Fix call to replaced SuperIO functions
commit
59b25ed91400ace98d6cf0d59b1cb6928ad5cd37 upstream.
This patch fixes the failure to compile Alpha Generic because of
previously overlooked calls to ns87312_enable_ide(). The function has
been replaced by newer SuperIO code.
Tested-by: Michael Cree <mcree@orcon.net.nz>
Signed-off-by: Morten H. Larsen <m-larsen@post6.tele.dk>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Daniel J Blueman [Tue, 3 Aug 2010 10:09:13 +0000 (11:09 +0100)]
ALSA: hda - Fix beep frequency on IDT 92HD73xx and 92HD71Bxx codecs
commit
1b0e372d7b52c9fc96348779015a6db7df7f286e upstream.
Fix HDA beep frequency on IDT 92HD73xx and 92HD71Bxx codecs.
These codecs use the standard beep frequency calculation although the
datasheet says it's linear frequency.
Other IDT/STAC codecs might have the same problem. They should be
fixed individually later.
Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: أحمد المحمودي <aelmahmoudy@sabily.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Luca Barbieri [Thu, 12 Aug 2010 14:00:35 +0000 (07:00 -0700)]
x86, asm: Use a lower case name for the end macro in atomic64_386_32.S
commit
417484d47e115774745ef025bce712a102b6f86f upstream.
Use a lowercase name for the end macro, which somehow fixes a binutils 2.16
problem.
Signed-off-by: Luca Barbieri <luca@luca-barbieri.com>
LKML-Reference: <tip-
30246557a06bb20618bed906a06d1e1e0faa8bb4@git.kernel.org>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Rafael J. Wysocki [Sat, 11 Sep 2010 18:58:27 +0000 (20:58 +0200)]
PM / Hibernate: Avoid hitting OOM during preallocation of memory
commit
6715045ddc7472a22be5e49d4047d2d89b391f45 upstream.
There is a problem in hibernate_preallocate_memory() that it calls
preallocate_image_memory() with an argument that may be greater than
the total number of available non-highmem memory pages. If that's
the case, the OOM condition is guaranteed to trigger, which in turn
can cause significant slowdown to occur during hibernation.
To avoid that, make preallocate_image_memory() adjust its argument
before calling preallocate_image_pages(), so that the total number of
saveable non-highem pages left is not less than the minimum size of
a hibernation image. Change hibernate_preallocate_memory() to try to
allocate from highmem if the number of pages allocated by
preallocate_image_memory() is too low.
Modify free_unnecessary_pages() to take all possible memory
allocation patterns into account.
Reported-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Tested-by: M. Vefa Bicakci <bicave@superonline.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Colin Cross [Thu, 2 Sep 2010 23:24:07 +0000 (01:24 +0200)]
PM: Prevent waiting forever on asynchronous resume after failing suspend
commit
152e1d592071c8b312bb898bc1118b64e4aea535 upstream.
During suspend, the power.completion is expected to be set when a
device has not yet started suspending. Set it on init to fix a
corner case where a device is resumed when its parent has never
suspended.
Consider three drivers, A, B, and C. The parent of A is C, and C
has async_suspend set. On boot, C->power.completion is initialized
to 0.
During the first suspend:
suspend_devices_and_enter(...)
dpm_resume(...)
device_suspend(A)
device_suspend(B) returns error, aborts suspend
dpm_resume_end(...)
dpm_resume(...)
device_resume(A)
dpm_wait(A->parent == C)
wait_for_completion(C->power.completion)
The wait_for_completion will never complete, because
complete_all(C->power.completion) will only be called from
device_suspend(C) or device_resume(C), neither of which is called
if suspend is aborted before C.
After a successful suspend->resume cycle, where B doesn't abort
suspend, C->power.completion is left in the completed state by the
call to device_resume(C), and the same call path will work if B
aborts suspend.
Signed-off-by: Colin Cross <ccross@android.com>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Nicolas Ferre [Fri, 20 Aug 2010 14:44:33 +0000 (16:44 +0200)]
AT91: change dma resource index
commit
8d2602e0778299e2d6084f03086b716d6e7a1e1e upstream.
Reported-by: Dan Liang <dan.liang@atmel.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Rosenberg [Wed, 15 Sep 2010 23:08:24 +0000 (19:08 -0400)]
drivers/video/via/ioctl.c: prevent reading uninitialized stack memory
commit
b4aaa78f4c2f9cde2f335b14f4ca30b01f9651ca upstream.
The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
bytes of uninitialized stack memory, because the "reserved" member of
the viafb_ioctl_info struct declared on the stack is not altered or
zeroed before being copied back to the user. This patch takes care of
it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Rosenberg [Mon, 6 Sep 2010 22:24:57 +0000 (18:24 -0400)]
xfs: prevent reading uninitialized stack memory
commit
a122eb2fdfd78b58c6dd992d6f4b1aaef667eef9 upstream.
The XFS_IOC_FSGETXATTR ioctl allows unprivileged users to read 12
bytes of uninitialized stack memory, because the fsxattr struct
declared on the stack in xfs_ioc_fsgetxattr() does not alter (or zero)
the 12-byte fsx_pad member before copying it back to the user. This
patch takes care of it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Alex Elder <aelder@sgi.com>
Cc: dann frazier <dannf@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
David Howells [Fri, 10 Sep 2010 08:59:51 +0000 (09:59 +0100)]
KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
commit
3d96406c7da1ed5811ea52a3b0905f4f0e295376 upstream.
Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
of the parent process's session keyring whether or not the parent has a session
keyring [CVE-2010-2960].
This results in the following oops:
BUG: unable to handle kernel NULL pointer dereference at
00000000000000a0
IP: [<
ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
...
Call Trace:
[<
ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
[<
ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
[<
ffffffff811af98c>] sys_keyctl+0xb4/0xb8
[<
ffffffff81001eab>] system_call_fastpath+0x16/0x1b
if the parent process has no session keyring.
If the system is using pam_keyinit then it mostly protected against this as all
processes derived from a login will have inherited the session keyring created
by pam_keyinit during the log in procedure.
To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Cc: dann frazier <dannf@debian.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
David Howells [Fri, 10 Sep 2010 08:59:46 +0000 (09:59 +0100)]
KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
commit
9d1ac65a9698513d00e5608d93fca0c53f536c14 upstream.
There's an protected access to the parent process's credentials in the middle
of keyctl_session_to_parent(). This results in the following RCU warning:
===================================================
[ INFO: suspicious rcu_dereference_check() usage. ]
---------------------------------------------------
security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
other info that might help us debug this:
rcu_scheduler_active = 1, debug_locks = 0
1 lock held by keyctl-session-/2137:
#0: (tasklist_lock){.+.+..}, at: [<
ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
stack backtrace:
Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
Call Trace:
[<
ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
[<
ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
[<
ffffffff811af77e>] sys_keyctl+0xb4/0xb6
[<
ffffffff81001eab>] system_call_fastpath+0x16/0x1b
The code should take the RCU read lock to make sure the parents credentials
don't go away, even though it's holding a spinlock and has IRQ disabled.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: dann frazier <dannf@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Petr Tesarik [Wed, 15 Sep 2010 22:35:48 +0000 (15:35 -0700)]
IA64: Optimize ticket spinlocks in fsys_rt_sigprocmask
commit
2d2b6901649a62977452be85df53eda2412def24 upstream.
Tony's fix (
f574c843191728d9407b766a027f779dcd27b272) has a small bug,
it incorrectly uses "r3" as a scratch register in the first of the two
unlock paths ... it is also inefficient. Optimize the fast path again.
Signed-off-by: Petr Tesarik <ptesarik@suse.cz>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Tony Luck [Thu, 9 Sep 2010 22:16:56 +0000 (15:16 -0700)]
IA64: fix siglock
commit
f574c843191728d9407b766a027f779dcd27b272 upstream.
When ia64 converted to using ticket locks, an inline implementation
of trylock/unlock in fsys.S was missed. This was not noticed because
in most circumstances it simply resulted in using the slow path because
the siglock was apparently not available (under old spinlock rules).
Problems occur when the ticket spinlock has value 0x0 (when first
initialised, or when it wraps around). At this point the fsys.S
code acquires the lock (changing the 0x0 to 0x1. If another process
attempts to get the lock at this point, it will change the value from
0x1 to 0x2 (using new ticket lock rules). Then the fsys.S code will
free the lock using old spinlock rules by writing 0x0 to it. From
here a variety of bad things can happen.
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Avi Kivity [Fri, 17 Sep 2010 16:13:18 +0000 (13:13 -0300)]
KVM: VMX: Fix host GDT.LIMIT corruption
commit
3444d7da1839b851eefedd372978d8a982316c36 upstream.
vmx does not restore GDT.LIMIT to the host value, instead it sets it to 64KB.
This means host userspace can learn a few bits of host memory.
Fix by reloading GDTR when we load other host state.
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Andrea Arcangeli [Fri, 17 Sep 2010 16:13:17 +0000 (13:13 -0300)]
KVM: MMU: fix mmu notifier invalidate handler for huge spte
commit
6e3e243c3b6e0bbd18c6ce0fbc12bc3fe2d77b34 upstream.
The index wasn't calculated correctly (off by one) for huge spte so KVM guest
was unstable with transparent hugepages.
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Reviewed-by: Reviewed-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Gleb Natapov [Fri, 17 Sep 2010 16:13:16 +0000 (13:13 -0300)]
KVM: x86: emulator: inc/dec can have lock prefix
commit
c0e0608cb902af1a1fd8d413ec0a07ee1e62c652 upstream.
Mark inc (0xfe/0 0xff/0) and dec (0xfe/1 0xff/1) as lock prefix capable.
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Xiao Guangrong [Fri, 17 Sep 2010 16:13:15 +0000 (13:13 -0300)]
KVM: MMU: fix direct sp's access corrupted
commit
9e7b0e7fba45ca3c6357aeb7091ebc281f1de365 upstream.
If the mapping is writable but the dirty flag is not set, we will find
the read-only direct sp and setup the mapping, then if the write #PF
occur, we will mark this mapping writable in the read-only direct sp,
now, other real read-only mapping will happily write it without #PF.
It may hurt guest's COW
Fixed by re-install the mapping when write #PF occur.
Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Avi Kivity [Fri, 17 Sep 2010 16:13:14 +0000 (13:13 -0300)]
KVM: Prevent internal slots from being COWed
commit
7ac77099ce88a0c31b75acd0ec5ef3da4415a6d8 upstream.
If a process with a memory slot is COWed, the page will change its address
(despite having an elevated reference count). This breaks internal memory
slots which have their physical addresses loaded into vmcs registers (see
the APIC access memory slot).
Signed-off-by: Avi Kivity <avi@redhat.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Avi Kivity [Fri, 17 Sep 2010 16:13:13 +0000 (13:13 -0300)]
KVM: Keep slot ID in memory slot structure
commit
e36d96f7cfaa71870c407131eb4fbd38ea285c01 upstream.
May be used for distinguishing between internal and user slots, or for sorting
slots in size order.
Signed-off-by: Avi Kivity <avi@redhat.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ryan Kuester [Mon, 26 Apr 2010 23:11:54 +0000 (18:11 -0500)]
SCSI: mptsas: fix hangs caused by ATA pass-through
commit
2a1b7e575b80ceb19ea50bfa86ce0053ea57181d upstream.
I may have an explanation for the LSI 1068 HBA hangs provoked by ATA
pass-through commands, in particular by smartctl.
First, my version of the symptoms. On an LSI SAS1068E B3 HBA running
01.29.00.00 firmware, with SATA disks, and with smartd running, I'm seeing
occasional task, bus, and host resets, some of which lead to hard faults of
the HBA requiring a reboot. Abusively looping the smartctl command,
# while true; do smartctl -a /dev/sdb > /dev/null; done
dramatically increases the frequency of these failures to nearly one per
minute. A high IO load through the HBA while looping smartctl seems to
improve the chance of a full scsi host reset or a non-recoverable hang.
I reduced what smartctl was doing down to a simple test case which
causes the hang with a single IO when pointed at the sd interface. See
the code at the bottom of this e-mail. It uses an SG_IO ioctl to issue
a single pass-through ATA identify device command. If the buffer
userspace gives for the read data has certain alignments, the task is
issued to the HBA but the HBA fails to respond. If run against the sg
interface, neither the test code nor smartctl causes a hang.
sd and sg handle the SG_IO ioctl slightly differently. Unless you
specifically set a flag to do direct IO, sg passes a buffer of its own,
which is page-aligned, to the block layer and later copies the result
into the userspace buffer regardless of its alignment. sd, on the other
hand, always does direct IO unless the userspace buffer fails an
alignment test at block/blk-map.c line 57, in which case a page-aligned
buffer is created and used for the transfer.
The alignment test currently checks for word-alignment, the default
setup by scsi_lib.c; therefore, userspace buffers of almost any
alignment are given directly to the HBA as DMA targets. The LSI 1068
hardware doesn't seem to like at least a couple of the alignments which
cross a page boundary (see the test code below). Curiously, many
page-boundary-crossing alignments do work just fine.
So, either the hardware has an bug handling certain alignments or the
hardware has a stricter alignment requirement than the driver is
advertising. If stricter alignment is required, then in no case should
misaligned buffers from userspace be allowed through without being
bounced or at least causing an error to be returned.
It seems the mptsas driver could use blk_queue_dma_alignment() to advertise
a stricter alignment requirement. If it does, sd does the right thing and
bounces misaligned buffers (see block/blk-map.c line 57). The following
patch to 2.6.34-rc5 makes my symptoms go away. I'm sure this is the wrong
place for this code, but it gets my idea across.
Acked-by: Kashyap Desai <Kashyap.Desai@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Eric Paris [Wed, 28 Jul 2010 14:18:37 +0000 (10:18 -0400)]
inotify: send IN_UNMOUNT events
commit
611da04f7a31b2208e838be55a42c7a1310ae321 upstream.
Since the .31 or so notify rewrite inotify has not sent events about
inodes which are unmounted. This patch restores those events.
Signed-off-by: Eric Paris <eparis@redhat.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Marcin Slusarz [Sun, 22 Aug 2010 18:54:08 +0000 (20:54 +0200)]
drm/nv50: initialize ramht_refs list for faked 0 channel
commit
615661f3948a066fd22a36fe8ea0c528b75ee373 upstream.
We need it for PFIFO_INTR_CACHE_ERROR interrupt handling,
because nouveau_fifo_swmthd looks for matching gpuobj in
ramht_refs list.
It fixes kernel panic in nouveau_gpuobj_ref_find.
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Steven Whitehouse [Thu, 9 Sep 2010 13:45:00 +0000 (14:45 +0100)]
GFS2: gfs2_logd should be using interruptible waits
commit
5f4874903df3562b9d5649fc1cf7b8c6bb238e42 upstream.
Looks like this crept in, in a recent update.
Reported-by: Krzysztof Urbaniak <urban@bash.org.pl>
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Thomas Renninger [Fri, 21 May 2010 14:18:09 +0000 (16:18 +0200)]
x86 platform drivers: hp-wmi Reorder event id processing
commit
751ae808f6b29803228609f51aa1ae057f5c576e upstream.
Event id 0x4 defines the hotkey event.
No need (or even wrong) to query HPWMI_HOTKEY_QUERY if event id is != 0x4.
Reorder the eventcode conditionals and use switch case instead of if/else.
Use an enum for the event ids cases.
Signed-off-by: Thomas Renninger <trenn@suse.de>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
CC: linux-acpi@vger.kernel.org
CC: platform-driver-x86@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jeff Moyer [Fri, 10 Sep 2010 21:16:00 +0000 (14:16 -0700)]
aio: check for multiplication overflow in do_io_submit
commit
75e1c70fc31490ef8a373ea2a4bea2524099b478 upstream.
Tavis Ormandy pointed out that do_io_submit does not do proper bounds
checking on the passed-in iocb array:
if (unlikely(nr < 0))
return -EINVAL;
if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
return -EFAULT; ^^^^^^^^^^^^^^^^^^
The attached patch checks for overflow, and if it is detected, the
number of iocbs submitted is scaled down to a number that will fit in
the long. This is an ok thing to do, as sys_io_submit is documented as
returning the number of iocbs submitted, so callers should handle a
return value of less than the 'nr' argument passed in.
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jan Kara [Wed, 22 Sep 2010 20:05:03 +0000 (13:05 -0700)]
aio: do not return ERESTARTSYS as a result of AIO
commit
a0c42bac79731276c9b2f28d54f9e658fcf843a2 upstream.
OCFS2 can return ERESTARTSYS from its write function when the process is
signalled while waiting for a cluster lock (and the filesystem is mounted
with intr mount option). Generally, it seems reasonable to allow
filesystems to return this error code from its IO functions. As we must
not leak ERESTARTSYS (and similar error codes) to userspace as a result of
an AIO operation, we have to properly convert it to EINTR inside AIO code
(restarting the syscall isn't really an option because other AIO could
have been already submitted by the same io_submit syscall).
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Zach Brown <zach.brown@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Tejun Heo [Tue, 21 Sep 2010 05:57:19 +0000 (07:57 +0200)]
percpu: fix pcpu_last_unit_cpu
commit
46b30ea9bc3698bc1d1e6fd726c9601d46fa0a91 upstream.
pcpu_first/last_unit_cpu are used to track which cpu has the first and
last units assigned. This in turn is used to determine the span of a
chunk for man/unmap cache flushes and whether an address belongs to
the first chunk or not in per_cpu_ptr_to_phys().
When the number of possible CPUs isn't power of two, a chunk may
contain unassigned units towards the end of a chunk. The logic to
determine pcpu_last_unit_cpu was incorrect when there was an unused
unit at the end of a chunk. It failed to ignore the unused unit and
assigned the unused marker NR_CPUS to pcpu_last_unit_cpu.
This was discovered through kdump failure which was caused by
malfunctioning per_cpu_ptr_to_phys() on a kvm setup with 50 possible
CPUs by CAI Qian.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: CAI Qian <caiqian@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Minchan Kim [Wed, 22 Sep 2010 20:05:01 +0000 (13:05 -0700)]
vmscan: check all_unreclaimable in direct reclaim path
commit
d1908362ae0b97374eb8328fbb471576332f9fb1 upstream.
M. Vefa Bicakci reported 2.6.35 kernel hang up when hibernation on his
32bit 3GB mem machine.
(https://bugzilla.kernel.org/show_bug.cgi?id=16771). Also he bisected
the regression to
commit
bb21c7ce18eff8e6e7877ca1d06c6db719376e3c
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date: Fri Jun 4 14:15:05 2010 -0700
vmscan: fix do_try_to_free_pages() return value when priority==0 reclaim failure
At first impression, this seemed very strange because the above commit
only chenged function return value and hibernate_preallocate_memory()
ignore return value of shrink_all_memory(). But it's related.
Now, page allocation from hibernation code may enter infinite loop if the
system has highmem. The reasons are that vmscan don't care enough OOM
case when oom_killer_disabled.
The problem sequence is following as.
1. hibernation
2. oom_disable
3. alloc_pages
4. do_try_to_free_pages
if (scanning_global_lru(sc) && !all_unreclaimable)
return 1;
If kswapd is not freozen, it would set zone->all_unreclaimable to 1 and
then shrink_zones maybe return true(ie, all_unreclaimable is true). So at
last, alloc_pages could go to _nopage_. If it is, it should have no
problem.
This patch adds all_unreclaimable check to protect in direct reclaim path,
too. It can care of hibernation OOM case and help bailout
all_unreclaimable case slightly.
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Minchan Kim <minchan.kim@gmail.com>
Reported-by: M. Vefa Bicakci <bicave@superonline.com>
Reported-by: <caiqian@redhat.com>
Reviewed-by: Johannes Weiner <hannes@cmpxchg.org>
Tested-by: <caiqian@redhat.com>
Acked-by: Rafael J. Wysocki <rjw@sisk.pl>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Arnd Bergmann [Wed, 22 Sep 2010 20:04:54 +0000 (13:04 -0700)]
/proc/vmcore: fix seeking
commit
c227e69028473c7c7994a9b0a2cc0034f3f7e0fe upstream.
Commit
73296bc611 ("procfs: Use generic_file_llseek in /proc/vmcore")
broke seeking on /proc/vmcore. This changes it back to use default_llseek
in order to restore the original behaviour.
The problem with generic_file_llseek is that it only allows seeks up to
inode->i_sb->s_maxbytes, which is zero on procfs and some other virtual
file systems. We should merge generic_file_llseek and default_llseek some
day and clean this up in a proper way, but for 2.6.35/36, reverting vmcore
is the safer solution.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Reported-by: CAI Qian <caiqian@redhat.com>
Tested-by: CAI Qian <caiqian@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Rosenberg [Wed, 22 Sep 2010 18:32:56 +0000 (14:32 -0400)]
Prevent freeing uninitialized pointer in compat_do_readv_writev
commit
767b68e96993e29e3480d7ecdd9c4b84667c5762 upstream.
In 32-bit compatibility mode, the error handling for
compat_do_readv_writev() may free an uninitialized pointer, potentially
leading to all sorts of ugly memory corruption. This is reliably
triggerable by unprivileged users by invoking the readv()/writev()
syscalls with an invalid iovec pointer. The below patch fixes this to
emulate the non-compat version.
Introduced by commit
b83733639a49 ("compat: factor out
compat_rw_copy_check_uvector from compat_do_readv_writev")
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Vladimir Zapolskiy [Wed, 22 Sep 2010 20:05:13 +0000 (13:05 -0700)]
rtc: s3c: balance state changes of wakeup flag
commit
f501ed524b26ba1b739b7f7feb0a0e1496878769 upstream.
This change resolves a problem about unbalanced calls of
enable_irq_wakeup() and disable_irq_wakeup() for alarm interrupt.
Bug reproduction:
root@eb600:~# echo 0 > /sys/class/rtc/rtc0/wakealarm
WARNING: at kernel/irq/manage.c:361 set_irq_wake+0x7c/0xe4()
Unbalanced IRQ 46 wake disable
Modules linked in:
[<
c0025708>] (unwind_backtrace+0x0/0xd8) from [<
c003358c>] (warn_slowpath_common+0x44/0x5c)
[<
c003358c>] (warn_slowpath_common+0x44/0x5c) from [<
c00335dc>] (warn_slowpath_fmt+0x24/0x30)
[<
c00335dc>] (warn_slowpath_fmt+0x24/0x30) from [<
c0058c20>] (set_irq_wake+0x7c/0xe4)
[<
c0058c20>] (set_irq_wake+0x7c/0xe4) from [<
c01b5e80>] (s3c_rtc_setalarm+0xa8/0xb8)
[<
c01b5e80>] (s3c_rtc_setalarm+0xa8/0xb8) from [<
c01b47a0>] (rtc_set_alarm+0x60/0x74)
[<
c01b47a0>] (rtc_set_alarm+0x60/0x74) from [<
c01b5a98>] (rtc_sysfs_set_wakealarm+0xc8/0xd8)
[<
c01b5a98>] (rtc_sysfs_set_wakealarm+0xc8/0xd8) from [<
c01891ec>] (dev_attr_store+0x20/0x24)
[<
c01891ec>] (dev_attr_store+0x20/0x24) from [<
c00be934>] (sysfs_write_file+0x104/0x13c)
[<
c00be934>] (sysfs_write_file+0x104/0x13c) from [<
c0080e7c>] (vfs_write+0xb0/0x158)
[<
c0080e7c>] (vfs_write+0xb0/0x158) from [<
c0080fcc>] (sys_write+0x3c/0x68)
[<
c0080fcc>] (sys_write+0x3c/0x68) from [<
c0020ec0>] (ret_fast_syscall+0x0/0x28)
Signed-off-by: Vladimir Zapolskiy <vzapolskiy@gmail.com>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: Ben Dooks <ben@fluff.org.uk>
Cc: Atul Dahiya <atul.dahiya@samsung.com>
Cc: Taekgyun Ko <taeggyun.ko@samsung.com>
Cc: Kukjin Kim <kgene.kim@samsung.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Rosenberg [Wed, 22 Sep 2010 20:05:09 +0000 (13:05 -0700)]
drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory
commit
fd02db9de73faebc51240619c7c7f99bee9f65c7 upstream.
The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16 bytes
of uninitialized stack memory, because the "reserved" member of the
fb_vblank struct declared on the stack is not altered or zeroed before
being copied back to the user. This patch takes care of it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: Thomas Winischhofer <thomas@winischhofer.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Andrea Arcangeli [Wed, 22 Sep 2010 20:05:12 +0000 (13:05 -0700)]
mmap: call unlink_anon_vmas() in __split_vma() in case of error
commit
2aeadc30de45a72648f271603203ab392b80f607 upstream.
If __split_vma fails because of an out of memory condition the
anon_vma_chain isn't teardown and freed potentially leading to rmap walks
accessing freed vma information plus there's a memleak.
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Acked-by: Johannes Weiner <jweiner@redhat.com>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Andrew Morton [Wed, 22 Sep 2010 20:05:11 +0000 (13:05 -0700)]
drivers/pci/intel-iommu.c: fix build with older gcc's
commit
df08cdc7ef606509debe7677c439be0ca48790e4 upstream.
drivers/pci/intel-iommu.c: In function `__iommu_calculate_agaw':
drivers/pci/intel-iommu.c:437: sorry, unimplemented: inlining failed in call to 'width_to_agaw': function body not available
drivers/pci/intel-iommu.c:445: sorry, unimplemented: called from here
Move the offending function (and its siblings) to top-of-file, remove the
forward declaration.
Addresses https://bugzilla.kernel.org/show_bug.cgi?id=17441
Reported-by: Martin Mokrejs <mmokrejs@ribosome.natur.cuni.cz>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jan Kara [Tue, 21 Sep 2010 09:49:01 +0000 (11:49 +0200)]
char: Mark /dev/zero and /dev/kmem as not capable of writeback
commit
371d217ee1ff8b418b8f73fb2a34990f951ec2d4 upstream.
These devices don't do any writeback but their device inodes still can get
dirty so mark bdi appropriately so that bdi code does the right thing and files
inodes to lists of bdi carrying the device inodes.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jan Kara [Tue, 21 Sep 2010 09:48:55 +0000 (11:48 +0200)]
bdi: Initialize noop_backing_dev_info properly
commit
976e48f8a5b02fc33f3e5cad87fb3fcea041a49c upstream.
Properly initialize this backing dev info so that writeback code does not
barf when getting to it e.g. via sb->s_bdi.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Chris Wilson [Fri, 17 Sep 2010 07:22:30 +0000 (08:22 +0100)]
drm/i915,agp/intel: Add second set of PCI-IDs for B43
commit
41a51428916ab04587bacee2dda61c4a0c4fc02f upstream.
There is a second revision of B43 (a desktop gen4 part) floating around,
functionally equivalent to the original B43, so simply add the new
PCI-IDs.
Bugzilla: https://bugs.freedesktop.org/show_bugs.cgi?id=30221
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Patrick Simmons [Wed, 8 Sep 2010 14:34:28 +0000 (10:34 -0400)]
oprofile: Add Support for Intel CPU Family 6 / Model 22 (Intel Celeron 540)
commit
c33f543d320843e1732534c3931da4bbd18e6c14 upstream.
This patch adds CPU type detection for the Intel Celeron 540, which is
part of the Core 2 family according to Wikipedia; the family and ID pair
is absent from the Volume 3B table referenced in the source code
comments. I have tested this patch on an Intel Celeron 540 machine
reporting itself as Family 6 Model 22, and OProfile runs on the machine
without issue.
Spec:
http://download.intel.com/design/mobile/SPECUPDT/317667.pdf
Signed-off-by: Patrick Simmons <linuxrocks123@netscape.net>
Acked-by: Andi Kleen <ak@linux.intel.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Robert Richter <robert.richter@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stanislaw Gruszka [Tue, 14 Sep 2010 14:35:14 +0000 (16:35 +0200)]
sched: Fix user time incorrectly accounted as system time on 32-bit
commit
e75e863dd5c7d96b91ebbd241da5328fc38a78cc upstream.
We have 32-bit variable overflow possibility when multiply in
task_times() and thread_group_times() functions. When the
overflow happens then the scaled utime value becomes erroneously
small and the scaled stime becomes i erroneously big.
Reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=633037
https://bugzilla.kernel.org/show_bug.cgi?id=16559
Reported-by: Michael Chapman <redhat-bugzilla@very.puzzling.org>
Reported-by: Ciriaco Garcia de Celis <sysman@etherpilot.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
LKML-Reference: <
20100914143513.GB8415@redhat.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Paul E. McKenney [Wed, 1 Sep 2010 00:00:18 +0000 (17:00 -0700)]
pid: make setpgid() system call use RCU read-side critical section
commit
950eaaca681c44aab87a46225c9e44f902c080aa upstream.
[ 23.584719]
[ 23.584720] ===================================================
[ 23.585059] [ INFO: suspicious rcu_dereference_check() usage. ]
[ 23.585176] ---------------------------------------------------
[ 23.585176] kernel/pid.c:419 invoked rcu_dereference_check() without protection!
[ 23.585176]
[ 23.585176] other info that might help us debug this:
[ 23.585176]
[ 23.585176]
[ 23.585176] rcu_scheduler_active = 1, debug_locks = 1
[ 23.585176] 1 lock held by rc.sysinit/728:
[ 23.585176] #0: (tasklist_lock){.+.+..}, at: [<
ffffffff8104771f>] sys_setpgid+0x5f/0x193
[ 23.585176]
[ 23.585176] stack backtrace:
[ 23.585176] Pid: 728, comm: rc.sysinit Not tainted 2.6.36-rc2 #2
[ 23.585176] Call Trace:
[ 23.585176] [<
ffffffff8105b436>] lockdep_rcu_dereference+0x99/0xa2
[ 23.585176] [<
ffffffff8104c324>] find_task_by_pid_ns+0x50/0x6a
[ 23.585176] [<
ffffffff8104c35b>] find_task_by_vpid+0x1d/0x1f
[ 23.585176] [<
ffffffff81047727>] sys_setpgid+0x67/0x193
[ 23.585176] [<
ffffffff810029eb>] system_call_fastpath+0x16/0x1b
[ 24.959669] type=1400 audit(
1282938522.956:4): avc: denied { module_request } for pid=766 comm="hwclock" kmod="char-major-10-135" scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclas
It turns out that the setpgid() system call fails to enter an RCU
read-side critical section before doing a PID-to-task_struct translation.
This commit therefore does rcu_read_lock() before the translation, and
also does rcu_read_unlock() after the last use of the returned pointer.
Reported-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: David Howells <dhowells@redhat.com>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Matt Helsley [Mon, 13 Sep 2010 20:01:18 +0000 (13:01 -0700)]
hw breakpoints: Fix pid namespace bug
commit
068e35eee9ef98eb4cab55181977e24995d273be upstream.
Hardware breakpoints can't be registered within pid namespaces
because tsk->pid is passed rather than the pid in the current
namespace.
(See https://bugzilla.kernel.org/show_bug.cgi?id=17281 )
This is a quick fix demonstrating the problem but is not the
best method of solving the problem since passing pids internally
is not the best way to avoid pid namespace bugs. Subsequent patches
will show a better solution.
Much thanks to Frederic Weisbecker <fweisbec@gmail.com> for doing
the bulk of the work finding this bug.
Reported-by: Robin Green <greenrd@greenrd.org>
Signed-off-by: Matt Helsley <matthltc@us.ibm.com>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Prasad <prasad@linux.vnet.ibm.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
LKML-Reference: <
f63454af09fb1915717251570423eb9ddd338340.
1284407762.git.matthltc@us.ibm.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Zhenyu Wang [Sun, 19 Sep 2010 02:28:54 +0000 (10:28 +0800)]
agp/intel: fix dma mask bits on sandybridge
[This is backport patch from upstream
877fdacf.]
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Zhenyu Wang [Sun, 19 Sep 2010 02:28:53 +0000 (10:28 +0800)]
agp/intel: fix physical address mask bits for sandybridge
[This is backport patch from upstream
8dfc2b14.]
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Zhenyu Wang [Sun, 19 Sep 2010 02:28:52 +0000 (10:28 +0800)]
intel_agp, drm/i915: Add all sandybridge graphics devices support
New pci ids for all sandybridge graphics versions on desktop/mobile/server.
[This is backport patch from upstream commit
4fefe435 and
85540480.]
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Hans de Goede [Thu, 16 Sep 2010 09:13:08 +0000 (14:43 +0530)]
virtio: console: Fix poll blocking even though there is data to read
commit
6df7aadcd9290807c464675098b5dd2dc9da5075 upstream.
I found this while working on a Linux agent for spice, the symptom I was
seeing was select blocking on the spice vdagent virtio serial port even
though there were messages queued up there.
virtio_console's port_fops_poll checks port->inbuf != NULL to determine
if read won't block. However if an application reads enough bytes from
inbuf through port_fops_read, to empty the current port->inbuf,
port->inbuf will be NULL even though there may be buffers left in the
virtqueue.
This causes poll() to block even though there is data to be read,
this patch fixes this by using will_read_block(port) instead of the
port->inbuf != NULL check.
Signed-off-By: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Amit Shah [Tue, 14 Sep 2010 07:56:16 +0000 (13:26 +0530)]
virtio: console: Prevent userspace from submitting NULL buffers
commit
65745422a898741ee0e7068ef06624ab06e8aefa upstream.
A userspace could submit a buffer with 0 length to be written to the
host. Prevent such a situation.
This was not needed previously, but recent changes in the way write()
works exposed this condition to trigger a virtqueue event to the host,
causing a NULL buffer to be sent across.
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Hugh Dickins [Mon, 20 Sep 2010 02:40:22 +0000 (19:40 -0700)]
mm: further fix swapin race condition
commit
31c4a3d3a0f84a5847665f8aa0552d188389f791 upstream.
Commit
4969c1192d15 ("mm: fix swapin race condition") is now agreed to
be incomplete. There's a race, not very much less likely than the
original race envisaged, in which it is further necessary to check that
the swapcache page's swap has not changed.
Here's the reasoning: cast in terms of reuse_swap_page(), but probably
could be reformulated to rely on try_to_free_swap() instead, or on
swapoff+swapon.
A, faults into do_swap_page(): does page1 = lookup_swap_cache(swap1) and
comes through the lock_page(page1).
B, a racing thread of the same process, faults on the same address: does
page1 = lookup_swap_cache(swap1) and now waits in lock_page(page1), but
for whatever reason is unlucky not to get the lock any time soon.
A carries on through do_swap_page(), a write fault, but cannot reuse the
swap page1 (another reference to swap1). Unlocks the page1 (but B
doesn't get it yet), does COW in do_wp_page(), page2 now in that pte.
C, perhaps the parent of A+B, comes in and write faults the same swap
page1 into its mm, reuse_swap_page() succeeds this time, swap1 is freed.
kswapd comes in after some time (B still unlucky) and swaps out some
pages from A+B and C: it allocates the original swap1 to page2 in A+B,
and some other swap2 to the original page1 now in C. But does not
immediately free page1 (actually it couldn't: B holds a reference),
leaving it in swap cache for now.
B at last gets the lock on page1, hooray! Is PageSwapCache(page1)? Yes.
Is pte_same(*page_table, orig_pte)? Yes, because page2 has now been
given the swap1 which page1 used to have. So B proceeds to insert page1
into A+B's page_table, though its content now belongs to C, quite
different from what A wrote there.
B ought to have checked that page1's swap was still swap1.
Signed-off-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Andrea Arcangeli [Thu, 9 Sep 2010 23:37:52 +0000 (16:37 -0700)]
mm: fix swapin race condition
commit
4969c1192d15afa3389e7ae3302096ff684ba655 upstream.
The pte_same check is reliable only if the swap entry remains pinned (by
the page lock on swapcache). We've also to ensure the swapcache isn't
removed before we take the lock as try_to_free_swap won't care about the
page pin.
One of the possible impacts of this patch is that a KSM-shared page can
point to the anon_vma of another process, which could exit before the page
is freed.
This can leave a page with a pointer to a recycled anon_vma object, or
worse, a pointer to something that is no longer an anon_vma.
[Backport to 2.6.35.5 (anon_vma instead of anon_vma->root in ksm.h) by Hugh]
[riel@redhat.com: changelog help]
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Rik van Riel <riel@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Carpenter [Fri, 10 Sep 2010 01:56:16 +0000 (01:56 +0000)]
net/llc: make opt unsigned in llc_ui_setsockopt()
commit
339db11b219f36cf7da61b390992d95bb6b7ba2e upstream.
The members of struct llc_sock are unsigned so if we pass a negative
value for "opt" it can cause a sign bug. Also it can cause an integer
overflow when we multiply "opt * HZ".
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>