Oleg noticed that the call of task_pid_nr_ns() in proc_pid_readdir
is racy with respect to tasks exiting.

After a bit of examination it also appears that the call itself
is completely unnecessary.

So to fix the problem this patch modifies next_tgid() to return
both a tgid and the task struct in question.

A structure is introduced to return these values because it is
slightly cleaner and easier to optimize, and the resulting code
is a little shorter.
Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

wait_task_stopped(WNOWAIT) does task_pid_nr_ns() without tasklist/rcu lock,
we can read an already freed memory.  Use the cached pid_t value.
Signed-off-by: NOleg Nesterov <oleg@tv-sign.ru>
Looks-good-to: Roland McGrath <roland@redhat.com>
Acked-by: NPavel Emelyanov <xemul@openvz.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

proc_kill_inodes() can clear ->i_fop in the middle of vfs_readdir resulting in
NULL dereference during "file->f_op->readdir(file, buf, filler)".

The solution is to remove proc_kill_inodes() completely:

a) we don't have tricky modules implementing their tricky readdir hooks which
   could keeping this revoke from hell.

b) In a situation when module is gone but PDE still alive, standard
   readdir will return only "." and "..", because pde->next was cleared by
   remove_proc_entry().

c) the race proc_kill_inode() destined to prevent is not completely
   fixed, just race window made smaller, because vfs_readdir() is run
   without sb_lock held and without file_list_lock held.  Effectively,
   ->i_fop is cleared at random moment, which can't fix properly anything.

BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018
printing eip: c1061205 *pdpt = 0000000005b22001 *pde = 0000000000000000
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: foo af_packet ipv6 cpufreq_ondemand loop serio_raw sr_mod k8temp cdrom hwmon amd_rng
Pid: 2033, comm: find Not tainted (2.6.24-rc1-b1d08ac0 #2)
EIP: 0060:[<c1061205>] EFLAGS: 00010246 CPU: 0
EIP is at vfs_readdir+0x47/0x74
EAX: c6b6a780 EBX: 00000000 ECX: c1061040 EDX: c5decf94
ESI: c6b6a780 EDI: fffffffe EBP: c9797c54 ESP: c5decf78
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process find (pid: 2033, ti=c5dec000 task=c64bba90 task.ti=c5dec000)
Stack: c5decf94 c1061040 fffffff7 0805ffbc 00000000 c6b6a780 c1061295 0805ffbc
       00000000 00000400 00000000 00000004 0805ffbc 4588eff4 c5dec000 c10026ba
       00000004 0805ffbc 00000400 0805ffbc 4588eff4 bfdc6c70 000000dc 0000007b
Call Trace:
 [<c1061040>] filldir64+0x0/0xc5
 [<c1061295>] sys_getdents64+0x63/0xa5
 [<c10026ba>] sysenter_past_esp+0x5f/0x85
 =======================
Code: 49 83 78 18 00 74 43 8d 6b 74 bf fe ff ff ff 89 e8 e8 b8 c0 12 00 f6 83 2c 01 00 00 10 75 22 8b 5e 10 8b 4c 24 04 89 f0 8b 14 24 <ff> 53 18 f6 46 1a 04 89 c7 75 0b 8b 56 0c 8b 46 08 e8 c8 66 00
EIP: [<c1061205>] vfs_readdir+0x47/0x74 SS:ESP 0068:c5decf78

hch: "Nice, getting rid of this is a very good step formwards.
      Unfortunately we have another copy of this junk in
      security/selinux/selinuxfs.c:sel_remove_entries() which would need the
      same treatment."
Signed-off-by: NAlexey Dobriyan <adobriyan@sw.ru>
Acked-by: NChristoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

On some systems the number of resources(IO,MEM) returnedy by PNP device is
greater than the PNP constant, for example motherboard devices.  It brings
that some resources can't be reserved and resource confilicts.  This will
cause PCI resources are assigned wrongly in some systems, and cause hang.
This is a regression since we deleted ACPI motherboard driver and use PNP
system driver.

[akpm@linux-foundation.org: fix text and coding-style a bit]
Signed-off-by: NLi Shaohua <shaohua.li@intel.com>
Signed-off-by: NZhao Yakui <yakui.zhao@intel.com>
Cc: Bjorn Helgaas <bjorn.helgaas@hp.com>
Cc: Thomas Renninger <trenn@suse.de>
Cc: <stable@kernel.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

_PAGE_PCD maps a page with caching disabled, which is typically used for
mapping harware registers.  Xen never allows it to be set on a mapping, and
unprivileged guests never need it since they can't see the real underlying
hardware.  However, some uncached mappings are made early when probing the
(non-existent) APIC, and its OK to mask off the PCD flag in these cases.

This became necessary because Xen started checking for this bit, rather
than silently masking it off.
Signed-off-by: NJeremy Fitzhardinge <jeremy@xensource.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

include/asm-um/arch points to the non-existed include/asm-i386 directory.
Signed-off-by: NWANG Cong <xiyou.wangcong@gmail.com>
Cc: Jeff Dike <jdike@karaya.com>
Cc: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Ordinarily the size of a pageblock is determined at compile-time based on the
hugepage size. On PPC64, the hugepage size is determined at runtime based on
what is supported by the machine. With legacy machines such as iSeries that
do not support hugepages, HPAGE_SHIFT is 0. This results in pageblock_order
being set to -PAGE_SHIFT and a crash results shortly afterwards.

This patch adds a function to select a sensible value for pageblock order by
default when HUGETLB_PAGE_SIZE_VARIABLE is set. It checks that HPAGE_SHIFT
is a sensible value before using the hugepage size; if it is not MAX_ORDER-1
is used.

This is a fix for 2.6.24.

Credit goes to Stephen Rothwell for identifying the bug and testing candidate
patches.  Additional credit goes to Andy Whitcroft for spotting a problem
with respects to IA-64 before releasing. Additional credit to David Gibson
for testing with the libhugetlbfs test suite.
Signed-off-by: NMel Gorman <mel@csn.ul.ie>
Tested-by: NStephen Rothwell <sfr@canb.auug.org.au>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Acked-by: NPaul Mackerras <paulus@samba.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

- Limit video memory size to avoid crossing a 256 MiB boundary in IOIF space.
- Pass the actual amount of video memory used to lv1_gpu_memory_allocate().
Signed-off-by: NGeert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

- vuart.ko -> ps3-vuart.ko
- sys-manager.ko -> ps3-sys-manager.ko
Signed-off-by: NGeert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Make the atmel_spi driver label GPIOs according to the device for which
they're acting as a chipselect.  This way the debugfs dump of gpio state is
more informative.
Signed-off-by: NDavid Brownell <dbrownell@users.sourceforge.net>
Cc: Haavard Skinnemoen <hskinnemoen@atmel.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

This version brings a new terse output mode as well as many improvements to
the unary detection and bare type regcognition.  It also brings the usual
updates for false positives, though these seem to be slowing markedly
now that the unary detector is no longer just putting its finger in the
air and guessing.  Of note:

  - new --terse mode producing a single line per report
  - loosening of the block brace checks
  - new checks for enum/union/struch brace placements
  - hugely expanded "bare type" detection
  - checks for inline usage
  - better handling of already open comment blocks
  - handle patches which introduce or remove lines without newlines

Andy Whitcroft (19):
      Version: 0.12
      style fixes as spotted by checkpatch
      add a --terse options of a single line of output per report
      block brace checks should only apply for single line blocks
      all new bare type detector
      check spacing for open braces with enum, union and struct
      check for LINUX_VERSION_CODE
      macros definition bracketing checks need to ignore -ve context
      clean up the mail-back mode, -q et al
      expand possible type matching to declarations
      allow const and sparse annotations on possible types
      handle possible types as regular types everywhere
      prefer plain inline over __inline__ and __inline
      all new open comment detection
      fix up conditional extraction for if assignment checks
      add const to the possible type matcher
      unary checks: a for loop is a conditional too
      possible types: detect function pointer definitions
      handle missind newlines at end of file, report addition
Signed-off-by: NAndy Whitcroft <apw@shadowen.org>
Acked-by: NIngo Molnar <mingo@elte.hu>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6: (25 commits)
  USB: s3c2410 gadget: ensure vbus pin in input mode during read
  USB: s3c2410 gadget: allow sharing of vbus irq
  USB: s3c2410 gadget: Header move fixups
  USB: usb-storage: unusual_devs entry for JetFlash TS1GJF2A
  USB: fix up EHCI startup synchronization
  USB: make the microtek driver and HAL cooperate
  USB: uevent environment key fix
  USB: keep track of whether interface sysfs files exist
  USB: sierra: new product id
  USB HCD: avoid duplicate local_irq_disable()
  USB: mailing lists have changed
  USB: remove USB HUB entry from MAINTAINERS
  USB: fix directory references in usb/README
  USB: add support for an older firmware revision for the Nikon D200
  USB: FIx locks and urb->status in adutux (updated)
  USB: power-management documenation update
  USB: Fix signr comment in usbdevice_fs.h
  usbserial: fix inconsistent lock state
  USB: fix usbled disconnect read race #2
  USB: free memory when writing fails in usb/serial/mos7840.c
  ...

* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/pci-2.6:
  pci hotplug: kernel-doc fixes
  pci-aer: fix kernel-doc mistakes
  PCI: drivers/pci/pci-sysfs.c: Add missing pci_dev_put
  PCI: pcie portdriver: initialize returned value

* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-2.6:
  sysfs: fix off-by-one error in fill_read_buffer()
  kobject: two typo fixes
  UIO: add UIO documentation target to DocBook Makefile
  UIO: fix up the UIO documentation
  create /sys/.../power when CONFIG_PM is set
  allow LEGACY_PTYS to be set to 0

acpiphp.h: not using kernel-doc, so change /** to /*
acpiphp_core.c: lots of kernel-doc cleanups
acpiphp_glue.c: lots of kernel-doc cleanups
acpiphp_ibm.c: lots of kernel-doc cleanups
cpqphp_core.c: lots of kernel-doc cleanups
cpqphp_ctrl.c: lots of kernel-doc cleanups
fakephp.c:  correct kernel-doc notation
pciehp_ctrl.c: correct kernel-doc notation
rpadlpar_core.c: correct function names & kernel-doc notation
rpaphp_core.c: correct kernel-doc notation
shpchp_ctrl.c: correct kernel-doc notation
Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com>
Cc: Kristen Accardi <kristen.c.accardi@intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Fix kernel-doc parameter names and ending block comments (change **/
to */).
Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com>
Acked-by: NLinas Vepstas <linas@linas.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

There should be a pci_dev_put when breaking out of a loop that iterates
over calls to pci_get_device and similar functions.

This was fixed using the following semantic patch.

// <smpl>
@@
identifier d;
type T;
expression e;
iterator for_each_pci_dev;
@@

T *d;
...
for_each_pci_dev(d)
  {... when != pci_dev_put(d)
       when != e = d
(
   return d;
|
+  pci_dev_put(d);
?  return ...;
)
...}
// </smpl>
Signed-off-by: NJulia Lawall <julia@diku.dk>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

The pcie protdrv status can be returned uninitialized,
if there are no children under a device. This leads to
bad responses downstream. Fix this.
Signed-off-by: NLinas Vepstas <linas@austin.ibm.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Some CPUs in the S3C24XX series do not support readback of the
value of a pin when the pin has been configured to an IRQ.
Signed-off-by: NBen Dooks <ben-linux@fluff.org>
Acked-by: NDavid Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

If another driver wants to claim the vbus pin, say
to notify the user of an connect/disconnect then allow
the IRQ to be shared by specifiying IRQ_SHARED in the
flags.
Signed-off-by: NBen Dooks <ben-linux@fluff.org>
Acked-by: NDavid Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Fixup the fallout from the arch moves earlier in the kernel
series.
Signed-off-by: NBen Dooks <ben-linux@fluff.org>
Acked-by: NDavid Brownell <dbrownell@users.sourceforge.net>

This patch (as1018) adds an unusual_devs entry for the JetFlash
TS1GJF2A.  This device doesn't like read requests for more than 188
sectors.  Setting max_sectors down to 64 is overkill, but at least
it will work without errors.

For the torturous debugging history, see this thread:

	http://marc.info/?t=118745764700005&r=1&w=2Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

A recent patch added software synchronization during EHCI startup,
so ports aren't switched away from the companion controllers after
resets have started.  This patch adds a short delay letting hardware
finish that port switching before any new resets begin ... so both
ends of that hardware race window are closed.
Signed-off-by: NDavid Brownell <dbrownell@users.sourceforge.net>
Cc: Dave Miller <davem@davemloft.net>
Cc: Dely Sy <dely.l.sy@intel.com>
Cc: stable <stable@kernel.org>
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

to make HAL like the microtek driver's devices the parent must be
correctly set.
Signed-off-by: NOliver Neukum <oneukum@suse.de>
Cc: stable <stable@kernel.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

This patch (as1010) was written by both Kay Sievers and me.  It solves
the problem of duplicated keys in USB uevent structures by refactoring
the uevent subroutines, taking advantage of the way the hotplug core
calls uevent handlers for the device's bus and for the device's type.
Keys needed for both USB-device and USB-interface events are added in
usb_uevent(), which is the bus handler.  Keys appropriate only for
USB-device or USB-interface events are added in usb_dev_uevent() or
usb_if_uevent() respectively, the type handlers.

In addition, unnecessary tests for NULL pointers are removed as are
duplicated debugging log statements.
Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
Cc: Kay Sievers <kay.sievers@vrfy.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

This patch (as1009) solves the problem of multiple registrations for
USB sysfs files in a more satisfying way than the existing code.  It
simply adds a flag to keep track of whether or not the files have been
created; that way the files can be created or removed as needed.
Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>

Per the maintainer of the usbserial/sierra.c driver, the patch below adds
a new id to the list of supported cards for the sierra driver. Tested and
working for me on Fedora 8, kernel 2.6.23 and on the more recent sierra.c
available in
http://www.sierrawireless.com/resources/support/Software/Linux/v.1.2.6b(kernel2.6.21).zip

Hardware is a MiniPCI card in a Lenovo T61p.
Signed-off-by: NAndrew Gilmore <agilmore@wirelessbeehive.com>
Cc: Kevin Lloyd <linux@sierrawireless.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Arnd Bergmann wrote:

usb_hcd_flush_endpoint() has a retry loop that starts with a spin_lock_irq(),
but only gives up the spinlock, not the irq_disable before jumping to the
rescan label.

Alan Stern:

I agree with your sentiment, but it would be better to solve this
problem without using local_irq_disable().
Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

The linux-usb-devel and linux-usb-users are now hosted in the same list
at vger.kernel.org
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Digging through old mail, I found a note about needing to remove the
separate entry for the USB HUB driver.  It's not been separable from
usbcore (host side!) since quite early in the 2.4 kernel series.
And Johanness certainly isn't involved with it any more.
Signed-off-by: NDavid Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Another one in the "ok, this is trivial to fix" list... :-)

[PATCH] fix directory references in usb/README
Signed-off-by: NDirk Hohndel <hohndel@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

This is a resubmission of the patch to upgrade the unusual_devs.h file to
support an older firmware revision of the Nikon D200. This patch includes the
requested /proc/bus/usb/devices information.

T:  Bus=01 Lev=01 Prnt=01 Port=09 Cnt=02 Dev#=  6 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=04b0 ProdID=040f Rev= 1.00
S:  Manufacturer=NIKON
S:  Product=NIKON DSC D200
S:  SerialNumber=0000000
C:* #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr=  2mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Signed-off-by: NMike Pagano <mpagano@gentoo.org>
Signed-off-by: NPhil Dibowitz <phil@ipom.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Two main issues fixed here are:
 - An improper use of in-struct lock to protect an open count
 - Use of urb status for -EINPROGRESS

Also, along the way:
 - Change usb_unlink_urb to usb_kill_urb. Apparently there's no need
   to use usb_unlink_urb whatsoever in this driver, and the old use of
   usb_kill_urb was outright racy (it unlinked and immediately freed).
 - Fix indentation in adu_write. Looks like it was damaged by a script.
 - Vitaly wants -EBUSY on multiply opens.
 - bInterval was taken from a wrong endpoint.
Signed-off-by: NPete Zaitcev <zaitcev@redhat.com>
Signed-off-by: NVitaliy Ivanov <vitalivanov@gmail.com>
Tested-by: NVitaliy Ivanov <vitalivanov@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

This patch (as1014) was partly written by Tilman Schmidt.  It
clarifies the USB power-management documentation by explaining that
when a disconnect occurs, a suspend method call might not be followed
by either a resume or a reset_resume call.
Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
Signed-off-by: NTilman Schmidt <tilman@imap.cc>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

This trivial documentation patch corrects a comment in usbdevice_fs.h; it
previously suggested that the signal would only be sent on error, but I am
told that it is sent on both successful and unsuccessful completion, and
that zero indicates that no signal should be sent.
Signed-off-by: NPhil Endecott <spam_from_usb_devel@chezphil.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

In commit acd2a847 usb_serial_generic_write()
disables interrupts when taking &port->lock which is also taken in
usb_serial_generic_read_bulk_callback() resulting in an inconsistent lock state
due to the latter not disabling interrupts on the local cpu. Fix that by
disabling interrupts in the latter call site also.
Signed-off-by: NBorislav Petkov <bbpetkov@yahoo.de>
Acked-by: NJiri Kosina <jkosina@suse.cz>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

usbled has a race where show methods for attributes in sysfs can
follow a NULL pointer during disconnect. The correct ordering fixes
it.
Signed-off-by: NOliver Neukum <oneukum@suse.de>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Free buffer when writing ZLP_REG5 failed
Signed-off-by: NRoel Kluin <12o3l@tiscali.nl>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Fixes priority mistakes similar to '!x & y'
Signed-off-by: NRoel Kluin <12o3l@tiscali.nl>
Acked-by: NAlan Stern <stern@rowland.harvard.edu>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

This patch (as1000) sets the SCSI allow_restart flag for USB disk
devices.  In theory this should never hurt, and there definitely are
devices out there (such as the Seagate 250-GB external drive) which
need the flag to be set.
Signed-off-by: NMauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>