Pull networking changes from David Miller:
 "The most important bit here is the TCP syncookies issue, which seems
  to have been busted for some time.  That fix has been verified in
  production by the reporter.

  1) Persistent TUN devices erroneously hold on to the network namespace
     in such a way that it cannot be shutdown.  Fix from Stanislav
     Kinsbursky with help from Eric Dumazet.

  2) TCP SYN cookies have been broken for a while due to how the route
     lookup flow key is managed, connections can be delayed by as much
     as 20 seconds due to this bug.  Fix from Eric Dumazet.

  3) Missing jiffies.h include in lib/dynamic_queue_limits.c can break
     the build, from Tom Herbert.

  4) Add USB device ID for Sitecom LN-031, from Joerg Neikes.

  5) Fix OOPS in delayed workqueue in iwlegacy, from Stanislaw Gruszka.

  6) rt2x00 TX queue can be disabled forever due to races, fix by
     synchronizing pause/unpause with a lock.  Also from Stanislaw
     Gruszka.

  7) Statistics and endian fix in bnx2x driver from Yuval Mintz, Eilon
     Greenstein, and Ariel Elior."

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
  tun: don't hold network namespace by tun sockets
  bnx2x: FCoE statistics id fixed
  bnx2x: dcb bit indices flags used as bits
  bnx2x: added cpu_to_le16 when preparing ramrod's data
  bnx2x: pfc statistics counts pfc events twice
  rt2x00: fix random stalls
  iwl3945: fix possible il->txq NULL pointer dereference in delayed works
  dql: Fix undefined jiffies
  tcp: fix syncookie regression
  usb: asix: Patch for Sitecom LN-031

Pull arch/tile update from Chris Metcalf
 "These include a couple of queued-up minor bug fixes from the
  community, a fix to unbreak the sysfs hooks in tile, and syncing up
  the defconfigs."

Ugh.  defconfigs updates without "make minconfig".  Tons of ugly
pointless lines there, I suspect.

* 'stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile:
  tile: Use set_current_blocked() and block_sigmask()
  arch/tile: misplaced parens near likely
  arch/tile: sync up the defconfig files to the tip
  arch/tile: Fix up from commit 8a25a2fd

Pull perf fixes from Ingo Molnar.

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf record: Fix buffer overrun bug in tracepoint_id_to_path()
  perf/x86: Fix local vs remote memory events for NHM/WSM

Pull CIFS fixes from Steve French.

* git://git.samba.org/sfrench/cifs-2.6:
  CIFS: Do not kmalloc under the flocks spinlock
  cifs: possible memory leak in xattr.

Pull vfs fixes from Al Viro:
 "A bunch of assorted fixes; Jan's freezing stuff still _not_ in there
  and neither is mm fun ;-/"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  restore smp_mb() in unlock_new_inode()
  vfs: fix return value from do_last()
  vfs: fix double put after complete_walk()
  udf: Fix deadlock in udf_release_file()
  vfs: Correctly set the dir i_mutex lockdep class

As described in e6fa16ab ("signal: sigprocmask() should do
retarget_shared_pending()") the modification of current->blocked is
incorrect as we need to check whether the signal we're about to block
is pending in the shared queue.

Also, use the new helper function introduced in commit 5e6292c0
("signal: add block_sigmask() for adding sigmask to current->blocked")
which centralises the code for updating current->blocked after
successfully delivering a signal and reduces the amount of duplicate
code across architectures. In the past some architectures got this
code wrong, so using this helper function should stop that from
happening again.

Cc: Arnd Bergmann <arnd@arndb.de>
Acked-by: NOleg Nesterov <oleg@redhat.com>
Signed-off-by: NMatt Fleming <matt.fleming@intel.com>
Signed-off-by: NChris Metcalf <cmetcalf@tilera.com>

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem

This patch fixes a buffer overrun bug in
tracepoint_id_to_path(). The bug manisfested itself as a memory
error reported by perf record. I ran into it with perf sched:

 $ perf sched rec noploop 2 noploop for 2 seconds
 [ perf record: Woken up 14 times to write data ]
 [ perf record: Captured and wrote 42.701 MB perf.data (~1865622 samples) ]
 Fatal: No memory to alloc tracepoints list

It turned out that tracepoint_id_to_path() was reading the
tracepoint id using read() but the buffer was not large enough
to include the \n terminator for id with 4 digits or more.

The patch fixes the problem by extending the buffer to a more
reasonable size covering all possible id length include \n
terminator. Note that atoll() stops at the first non digit
character, thus it is not necessary to clear the buffer between
each read.
Signed-off-by: NStephane Eranian <eranian@google.com>
Acked-by: NArnaldo Carvalho de Melo <acme@redhat.com>
Acked-by: NPeter Zijlstra <a.p.zijlstra@chello.nl>
Cc: fweisbec@gmail.com
Cc: dsahern@gmail.com
Link: http://lkml.kernel.org/r/20120313155102.GA6465@quadSigned-off-by: NIngo Molnar <mingo@elte.hu>

Pull x86 platfrm driver fixes from Matthew Garrett:
 "Some trivial patches that fix wifi on some Lenovos and avoid a
  potential memory corruption issue on some Panasonics, plus two
  straightforward new drivers that touch no existing code."

* 'for_linus' of git://cavan.codon.org.uk/platform-drivers-x86:
  panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()
  acer-wmi: No wifi rfkill on Lenovo machines
  Fujitsu tablet extras driver
  x86: Add amilo-rfkill driver for some Fujitsu-Siemens Amilo laptops

Pull PCI changes from Jesse Barnes:
 "A single fix for a regression that affects some people who try to
  disable ASPM for whatever reason."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci:
  PCI: ignore pre-1.1 ASPM quirking when ASPM is disabled

Pull SuperH fixes from Paul Mundt.

* tag 'sh-for-linus' of git://github.com/pmundt/linux-sh:
  sh-sci / PM: Avoid deadlocking runtime PM
  sh: fix up the ubc clock definition for sh7785.
  sh: add parameter for RSPI in clock-sh7757
  sh: Fix sh2a vbr table for more than 255 irqs

Pull SH/R-Mobile fixes from Paul Mundt.

* tag 'rmobile-for-linus' of git://github.com/pmundt/linux-sh:
  ARM: mach-shmobile: ap4evb: fixup fsi2_ak4643_info typo
  ARM: mach-shmobile: mackerel: Reserve DMA memory for the frame buffer
  ARM: mach-shmobile: Fix ag5evm compilation by including linux/videodev2.h
  ARM: mach-shmobile: Fix bonito compile breakage

v3: added previously removed sock_put() to the tun_release() callback, because
sk_release_kernel() doesn't drop the socket reference.

v2: sk_release_kernel() used for socket release. Dummy tun_release() is
required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
call.

TUN was designed to destroy it's socket on network namesapce shutdown. But this
will never happen for persistent device, because it's socket holds network
namespace.
This patch removes of holding network namespace by TUN socket and replaces it
by creating socket in init_net and then changing it's net it to desired one. On
shutdown socket is moved back to init_net prior to final put.
Signed-off-by: NStanislav Kinsbursky <skinsbursky@parallels.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

FCoE statistics ids were distinguished from the L2's statistics ids.
However, not all of the change was committed. This causes a possible
collision of indices when FCoE is present.

This patch fixes the issue.
Signed-off-by: NYuval Mintz <yuvalmin@broadcom.com>
Signed-off-by: NEilon Greenstein <eilong@broadcom.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

DCB flags were updated using the flags' bit offsets instead of
the actual bits. This is now fixed.
Signed-off-by: NYuval Mintz <yuvalmin@broadcom.com>
Signed-off-by: NEilon Greenstein <eilong@broadcom.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Fixed endianess issue when passing arguments to FW.
Signed-off-by: NAriel Elior <ariele@broadcom.com>
Signed-off-by: NYuval Mintz <yuvalmin@broadcom.com>
Signed-off-by: NEilon Greenstein <eilong@broadcom.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

When pfc statistics were counted, the delta change from last count
was summed twice. This fixes the issue.
Signed-off-by: NYuval Mintz <yuvalmin@broadcom.com>
Signed-off-by: NEilon Greenstein <eilong@broadcom.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Verified using the below proglet.. before:

[root@westmere ~]# perf stat -e node-stores -e node-store-misses ./numa 0
remote write

 Performance counter stats for './numa 0':

         2,101,554 node-stores
         2,096,931 node-store-misses

       5.021546079 seconds time elapsed

[root@westmere ~]# perf stat -e node-stores -e node-store-misses ./numa 1
local write

 Performance counter stats for './numa 1':

           501,137 node-stores
               199 node-store-misses

       5.124451068 seconds time elapsed

After:

[root@westmere ~]# perf stat -e node-stores -e node-store-misses ./numa 0
remote write

 Performance counter stats for './numa 0':

         2,107,516 node-stores
         2,097,187 node-store-misses

       5.012755149 seconds time elapsed

[root@westmere ~]# perf stat -e node-stores -e node-store-misses ./numa 1
local write

 Performance counter stats for './numa 1':

         2,063,355 node-stores
               165 node-store-misses

       5.082091494 seconds time elapsed

#define _GNU_SOURCE

#include <sched.h>
#include <stdio.h>
#include <errno.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <dirent.h>
#include <signal.h>
#include <unistd.h>
#include <numaif.h>
#include <stdlib.h>

#define SIZE (32*1024*1024)

volatile int done;

void sig_done(int sig)
{
	done = 1;
}

int main(int argc, char **argv)
{
	cpu_set_t *mask, *mask2;
	size_t size;
	int i, err, t;
	int nrcpus = 1024;
	char *mem;
	unsigned long nodemask = 0x01; /* node 0 */
	DIR *node;
	struct dirent *de;
	int read = 0;
	int local = 0;

	if (argc < 2) {
		printf("usage: %s [0-3]\n", argv[0]);
		printf("  bit0 - local/remote\n");
		printf("  bit1 - read/write\n");
		exit(0);
	}

	switch (atoi(argv[1])) {
	case 0:
		printf("remote write\n");
		break;
	case 1:
		printf("local write\n");
		local = 1;
		break;
	case 2:
		printf("remote read\n");
		read = 1;
		break;
	case 3:
		printf("local read\n");
		local = 1;
		read = 1;
		break;
	}

	mask = CPU_ALLOC(nrcpus);
	size = CPU_ALLOC_SIZE(nrcpus);
	CPU_ZERO_S(size, mask);

	node = opendir("/sys/devices/system/node/node0/");
	if (!node)
		perror("opendir");
	while ((de = readdir(node))) {
		int cpu;

		if (sscanf(de->d_name, "cpu%d", &cpu) == 1)
			CPU_SET_S(cpu, size, mask);
	}
	closedir(node);

	mask2 = CPU_ALLOC(nrcpus);
	CPU_ZERO_S(size, mask2);
	for (i = 0; i < size; i++)
		CPU_SET_S(i, size, mask2);
	CPU_XOR_S(size, mask2, mask2, mask); // invert

	if (!local)
		mask = mask2;

	err = sched_setaffinity(0, size, mask);
	if (err)
		perror("sched_setaffinity");

	mem = mmap(0, SIZE, PROT_READ|PROT_WRITE,
			MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
	err = mbind(mem, SIZE, MPOL_BIND, &nodemask, 8*sizeof(nodemask), MPOL_MF_MOVE);
	if (err)
		perror("mbind");

	signal(SIGALRM, sig_done);
	alarm(5);

	if (!read) {
		while (!done) {
			for (i = 0; i < SIZE; i++)
				mem[i] = 0x01;
		}
	} else {
		while (!done) {
			for (i = 0; i < SIZE; i++)
				t += *(volatile char *)(mem + i);
		}
	}

	return 0;
}
Signed-off-by: NPeter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Stephane Eranian <eranian@google.com>
Cc: <stable@kernel.org>
Link: http://lkml.kernel.org/n/tip-tq73sxus35xmqpojf7ootxgs@git.kernel.orgSigned-off-by: NIngo Molnar <mingo@elte.hu>

Parentheses were missing.
Signed-off-by: NRoel Kluin <roel.kluin@gmail.com>
Signed-off-by: NChris Metcalf <cmetcalf@tilera.com>

This was inspired by mchehab@redhat.com's observation that we
didn't have EDAC configured on by default in both files.  In addition,
we were setting INITRAMFS_SOURCE to a non-empty string, which isn't
a very common default and required editing to do test builds.
Signed-off-by: NChris Metcalf <cmetcalf@tilera.com>

This was Kay Siever's bombing to convert 'cpu' to a regular subsystem.
The change left a bogus second argument to sysfs_create_file().
Signed-off-by: NChris Metcalf <cmetcalf@tilera.com>

Is possible that we stop queue and then do not wake up it again,
especially when packets are transmitted fast. That can be easily
reproduced with modified tx queue entry_num to some small value e.g. 16.

If mac80211 already hold local->queue_stop_reason_lock, then we can wait
on that lock in both rt2x00queue_pause_queue() and
rt2x00queue_unpause_queue(). After drooping ->queue_stop_reason_lock
is possible that __ieee80211_wake_queue() will be performed before
__ieee80211_stop_queue(), hence we stop queue and newer wake up it
again.

Another race condition is possible when between rt2x00queue_threshold()
check and rt2x00queue_pause_queue() we will process all pending tx
buffers on different cpu. This might happen if for example interrupt
will be triggered on cpu performing rt2x00mac_tx().

To prevent race conditions serialize pause/unpause by queue->tx_lock.

Cc: stable@vger.kernel.org
Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com>
Acked-by: NGertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

On il3945_down procedure we free tx queue data and nullify il->txq
pointer. After that we drop mutex and then cancel delayed works. There
is possibility, that after drooping mutex and before the cancel, some
delayed work will start and crash while trying to send commands to
the device. For example, here is reported crash in
il3945_bg_reg_txpower_periodic():
https://bugzilla.kernel.org/show_bug.cgi?id=42766#c10

Patch fix problem by adding il->txq check on works that send commands,
hence utilize tx queue.
Reported-by: NClemens Eisserer <linuxhippy@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

num_sifr could go negative since acpi_pcc_get_sqty() returns -EINVAL
on error.  Then it could bypass the sanity check (num_sifr > 255).
The subsequent call to kzalloc() would allocate a small buffer, leading
to a memory corruption.
Signed-off-by: NXi Wang <xi.wang@gmail.com>
Signed-off-by: NMatthew Garrett <mjg@redhat.com>

We have several reports which says acer-wmi is loaded on ideapads
and register rfkill for wifi which can not be unblocked.

Since ideapad-laptop also register rfkill for wifi and it works
reliably, it will be fine acer-wmi is not going to register rfkill
for wifi once VPC2004 is found.

Also put IBM0068/LEN0068 in the list. Though thinkpad_acpi has no
wifi rfkill capability, there are reports which says acer-wmi also
block wireless on Thinkpad E520/E420.
Signed-off-by: NIke Panhc <ike.pan@canonical.com>
Signed-off-by: NMatthew Garrett <mjg@redhat.com>

This patch adds support for some of the devices within a wide variety
of Fujitsu Tablet Computers, both convertibles and slates. Primarily
it allows for the automatic detection of the tablet/notebook mode for
convertible tablet pc's, and orientation for docked slates. It also
adds support for the application panel buttons usually found next to
the tablet screen, and docking station detection for slates.
Signed-off-by: NRobert Gerlach <khnz@gmx.de>
Signed-off-by: NMatthew Garrett <mjg@redhat.com>

An rfkill driver based on the fsaa1655g and fsam7440 drivers for
Fujitsu-Siemens Amilo A1655 and M7440 models found at:

http://sourceforge.net/projects/fsaa1655g/
http://sourceforge.net/projects/fsam7440/

This adds DMI matching, replaces the procfs files with rfkill devices,
and uses the proper functions to write to the i8042 safely.
Signed-off-by: NBen Hutchings <ben@decadent.org.uk>
Signed-off-by: NMatthew Garrett <mjg@redhat.com>

In some configurations, jiffies may be undefined in
lib/dynamic_queue_limits.c.  Adding include of jiffies.h to avoid
this.
Signed-off-by: NTom Herbert <therbert@google.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

commit ea4fc0d6 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
added a serious regression on synflood handling.

Simon Kirby discovered a successful connection was delayed by 20 seconds
before being responsive.

In my tests, I discovered that xmit frames were lost, and needed ~4
retransmits and a socket dst rebuild before being really sent.

In case of syncookie initiated connection, we use a different path to
initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.

As ip_queue_xmit() now depends on inet flow being setup, fix this by
copying the temp flowi4 we use in cookie_v4_check().
Reported-by: NSimon Kirby <sim@netnation.com>
Bisected-by: NSimon Kirby <sim@netnation.com>
Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
Tested-by: NEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This patch adds support for the Sitecom LN-031 USB adapter with a AX88178 chip.

Added USB id to find correct driver for AX88178 1000 Ethernet adapter.
Signed-off-by: NJoerg Neikes <j.neikes@midlandgate.de>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

wait_on_inode() doesn't have ->i_lock
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

complete_walk() returns either ECHILD or ESTALE.  do_last() turns this into
ECHILD unconditionally.  If not in RCU mode, this error will reach userspace
which is complete nonsense.
Signed-off-by: NMiklos Szeredi <mszeredi@suse.cz>
CC: stable@vger.kernel.org
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

complete_walk() already puts nd->path, no need to do it again at cleanup time.

This would result in Oopses if triggered, apparently the codepath is not too
well exercised.
Signed-off-by: NMiklos Szeredi <mszeredi@suse.cz>
CC: stable@vger.kernel.org
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

udf_release_file() can be called from munmap() path with mmap_sem held.  Thus
we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
i_mutex is not needed in udf_release_file() anymore since protection by
i_data_sem is enough to protect from races with write and truncate.
Reported-by: NAl Viro <viro@ZenIV.linux.org.uk>
Reviewed-by: NNamjae Jeon <linkinjeon@gmail.com>
Signed-off-by: NJan Kara <jack@suse.cz>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

9a7aa12f introduced additional logic around setting the i_mutex
lockdep class for directory inodes. The idea was that some filesystems
may want their own special lockdep class for different directory
inodes and calling unlock_new_inode() should not clobber one of
those special classes.

I believe that the added conditional, around the *negated* return value
of lockdep_match_class(), caused directory inodes to be placed in the
wrong lockdep class.

inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
all inodes. If the filesystem did not change the class during inode
initialization, then the conditional mentioned above was false and the
directory inode was incorrectly left in the non-directory lockdep class.
If the filesystem did set a special lockdep class, then the conditional
mentioned above was true and that class was clobbered with
i_mutex_dir_key.

This patch removes the negation from the conditional so that the i_mutex
lockdep class is properly set for directory inodes. Special classes are
preserved and directory inodes with unmodified classes are set with
i_mutex_dir_key.
Signed-off-by: NTyler Hicks <tyhicks@canonical.com>
Reviewed-by: NJan Kara <jack@suse.cz>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Current code has put_ioctx() called asynchronously from aio_fput_routine();
that's done *after* we have killed the request that used to pin ioctx,
so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
from progressing.  As the result, we can end up with async call of
put_ioctx() being the last one and possibly happening during exit_mmap()
or elf_core_dump(), neither of which expects stray munmap() being done
to them...

We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
with that, but that's all we care about - neither io_destroy() nor
exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
does really_put_req(), so the ioctx teardown won't be done until then
and we don't care about the contents of ioctx past that point.

Since actual freeing of these suckers is RCU-delayed, we don't need to
bump ioctx refcount when request goes into list for async removal.
All we need is rcu_read_lock held just over the ->ctx_lock-protected
area in aio_fput_routine().
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Reviewed-by: NJeff Moyer <jmoyer@redhat.com>
Acked-by: NBenjamin LaHaise <bcrl@kvack.org>
Cc: stable@vger.kernel.org
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Have ioctx_alloc() return an extra reference, so that caller would drop it
on success and not bother with re-grabbing it on failure exit.  The current
code is obviously broken - io_destroy() from another thread that managed
to guess the address io_setup() would've returned would free ioctx right
under us; gets especially interesting if aio_context_t * we pass to
io_setup() points to PROT_READ mapping, so put_user() fails and we end
up doing io_destroy() on kioctx another thread has just got freed...
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Acked-by: NBenjamin LaHaise <bcrl@kvack.org>
Reviewed-by: NJeff Moyer <jmoyer@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Pull btrfs updates from Chris Mason:
 "I have two additional and btrfs fixes in my for-linus branch.  One is
  a casting error that leads to memory corruption on i386 during scrub,
  and the other fixes a corner case in the backref walking code (also
  triggered by scrub)."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
  Btrfs: fix casting error in scrub reada code
  btrfs: fix locking issues in find_parent_nodes()

Respectfully revert commit e6ca7b89 "memcg: fix mapcount check
in move charge code for anonymous page" for the 3.3 release, so that
it behaves exactly like releases 2.6.35 through 3.2 in this respect.

Horiguchi-san's commit is correct in itself, 1 makes much more sense
than 2 in that check; but it does not go far enough - swapcount
should be considered too - if we really want such a check at all.

We appear to have reached agreement now, and expect that 3.4 will
remove the mapcount check, but had better not make 3.3 different.
Signed-off-by: NHugh Dickins <hughd@google.com>
Reviewed-by: NNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>