- 01 Oct, 2008 2 commits
-
-
Committed by Denis V. Lunev
The following actions are possible:
tcp_v6_rcv
  skb->dev = NULL;
  tcp_v6_do_rcv
    tcp_v6_hnd_req
      tcp_check_req
        req->rsk_ops->send_ack == tcp_v6_send_ack

So, skb->dev can be NULL in tcp_v6_send_ack. We must obtain namespace from dst entry.

Thanks to Vitaliy Gusev <vgusev@openvz.org> for initial problem finding in IPv4 code.

Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Committed by Vitaliy Gusev
Fix NULL dereference in tcp_4_send_ack().

As skb->dev is reset to NULL in tcp_v4_rcv(), an OOPS occurs:

    BUG: unable to handle kernel NULL pointer dereference at 00000000000004d0
    IP: [<ffffffff80498503>] tcp_v4_send_ack+0x203/0x250
    Stack: ffff810005dbb000 ffff810015c8acc0 e77b2c6e5f861600 a01610802e90cb6d
     0a08010100000000 88afffff88afffff 0000000080762be8 0000000115c872e8
     0004122000000000 0000000000000001 ffffffff80762b88 0000000000000020
    Call Trace:
     <IRQ> [<ffffffff80499c33>] tcp_v4_reqsk_send_ack+0x20/0x22
     [<ffffffff8049bce5>] tcp_check_req+0x108/0x14c
     [<ffffffff8047aaf7>] ? rt_intern_hash+0x322/0x33c
     [<ffffffff80499846>] tcp_v4_do_rcv+0x399/0x4ec
     [<ffffffff8045ce4b>] ? skb_checksum+0x4f/0x272
     [<ffffffff80485b74>] ? __inet_lookup_listener+0x14a/0x15c
     [<ffffffff8049babc>] tcp_v4_rcv+0x6a1/0x701
     [<ffffffff8047e739>] ip_local_deliver_finish+0x157/0x24a
     [<ffffffff8047ec9a>] ip_local_deliver+0x72/0x7c
     [<ffffffff8047e5bd>] ip_rcv_finish+0x38d/0x3b2
     [<ffffffff803d3548>] ? scsi_io_completion+0x19d/0x39e
     [<ffffffff8047ebe5>] ip_rcv+0x2a2/0x2e5
     [<ffffffff80462faa>] netif_receive_skb+0x293/0x303
     [<ffffffff80465a9b>] process_backlog+0x80/0xd0
     [<ffffffff802630b4>] ? __rcu_process_callbacks+0x125/0x1b4
     [<ffffffff8046560e>] net_rx_action+0xb9/0x17f
     [<ffffffff80234cc5>] __do_softirq+0xa3/0x164
     [<ffffffff8020c52c>] call_softirq+0x1c/0x28
     <EOI> [<ffffffff8020de1c>] do_softirq+0x34/0x72
     [<ffffffff80234b8e>] local_bh_enable_ip+0x3f/0x50
     [<ffffffff804d43ca>] _spin_unlock_bh+0x12/0x14
     [<ffffffff804599cd>] release_sock+0xb8/0xc1
     [<ffffffff804a6f9a>] inet_stream_connect+0x146/0x25c
     [<ffffffff80243078>] ? autoremove_wake_function+0x0/0x38
     [<ffffffff8045751f>] sys_connect+0x68/0x8e
     [<ffffffff80291818>] ? fd_install+0x5f/0x68
     [<ffffffff80457784>] ? sock_map_fd+0x55/0x62
     [<ffffffff8020b39b>] system_call_after_swapgs+0x7b/0x80
    Code: 41 10 11 d0 83 d0 00 4d 85 ed 89 45 c0 c7 45 c4 08 00 00 00 74 07 41 8b 45 04 89 45 c8 48 8b 43 20 8b 4d b8 48 8d 55 b0 48 89 de <48> 8b 80 d0 04 00 00 48 8b b8 60 01 00 00 e8 20 ae fe ff 65 48
    RIP [<ffffffff80498503>] tcp_v4_send_ack+0x203/0x250
     RSP <ffffffff80762b78>
    CR2: 00000000000004d0

Signed-off-by: Vitaliy Gusev <vgusev@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 30 Sep, 2008 4 commits
-
-
Committed by Wei Yongjun
Since the call to function sctp_sf_abort_violation() needs parameter 'arg' with 'struct sctp_chunk' type, it will read the chunk type and chunk length from the chunk_hdr member of chunk. But the call to sctp_sf_violation_paramlen() is always made with a 'struct sctp_paramhdr' type parameter, which will be passed to sctp_sf_abort_violation(). This may cause a kernel panic.

    sctp_sf_violation_paramlen()
      |-- sctp_sf_abort_violation()
            |-- sctp_make_abort_violation()

This patch fixes this problem. This patch also fixes two places which called sctp_sf_violation_paramlen() with the wrong parameter type.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Committed by Heiko Carstens
fb65a7c0 ("iucv: Fix bad merging.") fixed a merge error, but in a wrong way. We now end up with the bug below. This patch corrects the mismerge like it was intended.

    BUG: scheduling while atomic: swapper/1/0x00000000
    Modules linked in:
    CPU: 1 Not tainted 2.6.27-rc7-00094-gc0f4d6d4 #9
    Process swapper (pid: 1, task: 000000003fe7d988, ksp: 000000003fe838c0)
    0000000000000000 000000003fe839b8 0000000000000002 0000000000000000
    000000003fe83a58 000000003fe839d0 000000003fe839d0 0000000000390de6
    000000000058acd8 00000000000000d0 000000003fe7dcd8 0000000000000000
    000000000000000c 000000000000000d 0000000000000000 000000003fe83a28
    000000000039c5b8 0000000000015e5e 000000003fe839b8 000000003fe83a00
    Call Trace:
    ([<0000000000015d6a>] show_trace+0xe6/0x134)
     [<0000000000039656>] __schedule_bug+0xa2/0xa8
     [<0000000000391744>] schedule+0x49c/0x910
     [<0000000000391f64>] schedule_timeout+0xc4/0x114
     [<00000000003910d4>] wait_for_common+0xe8/0x1b4
     [<00000000000549ae>] call_usermodehelper_exec+0xa6/0xec
     [<00000000001af7b8>] kobject_uevent_env+0x418/0x438
     [<00000000001d08fc>] bus_add_driver+0x1e4/0x298
     [<00000000001d1ee4>] driver_register+0x90/0x18c
     [<0000000000566848>] netiucv_init+0x168/0x2c8
     [<00000000000120be>] do_one_initcall+0x3e/0x17c
     [<000000000054a31a>] kernel_init+0x1ce/0x248
     [<000000000001a97a>] kernel_thread_starter+0x6/0xc
     [<000000000001a974>] kernel_thread_starter+0x0/0xc
    iucv: NETIUCV driver initialized
    initcall netiucv_init+0x0/0x2c8 returned with preemption imbalance

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Committed by Herbert Xu
We're never supposed to shrink the headroom or tailroom. In fact, shrinking the headroom is a fatal action.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Committed by Linus Torvalds
-
- 29 Sep, 2008 18 commits
-
-
Committed by Balbir Singh
There's a race between mm->owner assignment and swapoff, more easily seen when task slab poisoning is turned on. The condition occurs when try_to_unuse() runs in parallel with an exiting task. A similar race can occur with callers of get_task_mm(), such as /proc/<pid>/<mmstats> or ptrace or page migration.

    CPU0                                    CPU1
                                            try_to_unuse
                                            looks at mm = task0->mm
                                            increments mm->mm_users
    task 0 exits
    mm->owner needs to be updated, but no
    new owner is found (mm_users > 1, but
    no other task has task->mm = task0->mm)
    mm_update_next_owner() leaves
                                            mmput(mm) decrements mm->mm_users
    task0 freed
                                            dereferencing mm->owner fails

The fix is to notify the subsystem via mm_owner_changed callback(), if no new owner is found, by specifying the new task as NULL.

Jiri Slaby: mm->owner was set to NULL prior to calling cgroup_mm_owner_callbacks(), but must be set after that, so as not to pass NULL as old owner causing oops.

Daisuke Nishimura: mm_update_next_owner() may set mm->owner to NULL, but mem_cgroup_from_task() and its callers need to take account of this situation to avoid oops.

Hugh Dickins: Lockdep warning and hang below exec_mmap() when testing these patches. exit_mm() up_reads mmap_sem before calling mm_update_next_owner(), so exec_mmap() now needs to do the same. And with that repositioning, there's now no point in mm_need_new_owner() allowing for NULL mm.

Reported-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Committed by Linus Torvalds
Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  x86: disable apm on the olpc
-
git://git.kernel.org/pub/scm/linux/kernel/git/bart/ide-2.6
Committed by Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/bart/ide-2.6:
  cdrom: update ioctl documentation
  ide: note that IDE generic may prevent other drivers from attaching
  ide-tape: fix vendor strings
  Swarm: Fix crash due to missing initialization
-
git://ftp.linux-mips.org/pub/scm/upstream-linus
Committed by Linus Torvalds
* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus:
  [SSB] Initialise dma_mask for SSB_BUSTYPE_SSB devices
  [MIPS] BCM47xx: Fix build error due to missing PCI functions
  [MIPS] IP27: Switch to dynamic interrupt routing avoiding panic on error.
  [MIPS] au1000: Make sure GPIO value is zero or one
-
git://www.linux-m32r.org/git/takata/linux-2.6_dev
Committed by Linus Torvalds
* 'linux-m32r' of git://www.linux-m32r.org/git/takata/linux-2.6_dev:
  m32r/kernel/: cleanups
  m32r: export __ndelay
  m32r: export empty_zero_page
  m32r: don't offer CONFIG_ISA
  m32r: remove the unused NOHIGHMEM option
-
git://git.kernel.org/pub/scm/linux/kernel/git/jwessel/linux-2.6-kgdb
Committed by Linus Torvalds
* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jwessel/linux-2.6-kgdb:
  kgdboc,tty: Fix tty polling search to use name correctly
  kgdb, x86_64: fix PS CS SS registers in gdb serial
  kgdb, x86_64: gdb serial has BX and DX reversed
  kgdb, x86, arm, mips, powerpc: ignore user space single stepping
  kgdb: could not write to the last of valid memory with kgdb
-
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6
Committed by Linus Torvalds
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
  ALSA: ASoC: Fix another cs4270 error path
  ALSA: make the CS4270 driver a new-style I2C driver
-
git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6
Committed by Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6:
  [SCSI] qlogicpti: fix sg list traversal error in continuation entries
  [SCSI] Fix hang with split requests
  [SCSI] qla2xxx: Defer enablement of RISC interrupts until ISP initialization completes.
-
git://git.kernel.dk/linux-2.6-block
Committed by Linus Torvalds
* 'for-linus' of git://git.kernel.dk/linux-2.6-block:
  scsi: fix fall out of sg-chaining patch in qlogicpti
-
git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev
Committed by Linus Torvalds
* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev:
  sata_nv: reinstate nv_hardreset() for non generic controllers
-
Committed by zippel@linux-m68k.org
Commit f072181e ("kconfig: drop the ""trying to assign nonexistent symbol" warning") simply dropped the warnings, but it does a little more than that, it also marks the current .config as needing saving, so add this back.

Signed-off-by: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Committed by zippel@linux-m68k.org
Recent changes to oldconfig have mixed up the silentoldconfig handling, so this fixes that by clearly separating that special mode, e.g. KCONFIG_NOSILENTUPDATE is only relevant here, the .config is written as needed. This will also properly close Bug 11230.

Signed-off-by: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Committed by Linus Torvalds
The VFS interface for the 'd_compare()' is a bit special (read: 'odd'), because it really just essentially replaces a memcmp(). The filesystem is supposed to just compare the two names with whatever case-independent or other function.

And when I say 'is supposed to', I obviously mean that 'procfs does odd things, and actually looks at the dentry that we don't even pass down, rather than just the name'. Which results in problems, because we actually call d_compare before we have even verified that the dentry is still hashed at all.

And that causes a problem since the inode that procfs looks at may have been free'd and the d_inode pointer is NULL. procfs just assumes that all dentries are positive, since procfs itself never generates a negative one. But memory pressure will still result in the dentry getting torn down, and as it is removed by RCU, it still remains visible on some lists - and to d_compare.

If the filesystem just did a name comparison, we wouldn't care. And we could just fix procfs to know about negative dentries too. But rather than have the low-level filesystems know about internal VFS details, just move the check for an unhashed dentry up a bit, so that we will only call d_compare on dentries that are still active.

The actual oops this caused didn't look like a NULL pointer dereference because procfs did a 'container_of(inode, struct proc_inode, vfs_inode)' to get at its internal proc_inode information from the inode pointer, and accessed a field below the inode. So the oops would look something like

    BUG: unable to handle kernel paging request at fffffffffffffff0
    IP: [<ffffffff802bc6c6>] proc_sys_compare+0x36/0x50

and was seen on both x86-64 (Alexey Dobriyan and Hugh Dickins) and ppc64 (Hugh Dickins).

Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
Acked-by: Hugh Dickins <hugh@veritas.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Committed by Jean Delvare
Conversion to new-style i2c driver missed the error path of the probe function. Fix it.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Timur Tabi <timur@freescale.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Committed by Timur Tabi
Update the CS4270 ALSA device driver to use the new-style I2C interface. Starting with the 2.6.27 PowerPC kernel, I2C devices that have entries in the device trees can no longer be probed by old-style I2C drivers. The device tree for Freescale MPC8610 HPCD has included an entry for the CS4270 since 2.6.25, but that entry was previously ignored by the PowerPC I2C subsystem. Since that's no longer the case, the best solution is to update the CS4270 driver to a new-style interface, rather than try to revert the behavior of new PowerPC I2C subsystem.

Signed-off-by: Timur Tabi <timur@freescale.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Committed by Boaz Harrosh
Boaz writes: "I've reviewed all patches since Matthew's, and I find one small problem. In the load_cmd() there is a compound loop where the first 4 sg's are set then the rest are set into a memory structure in group of 7 sg's. Well the second 7-group and on is a bug because sg pointer does not advance. This is a fall out from Jens's patch."

The reporter, Meelis Roos <mroos@ut.ee>, verified that this patch does indeed fix his problem with qlogicpti.

Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
-
Committed by Tejun Heo
Commit 2fd673ec which tried to remove hardreset for generic accidentally removed it for all flavors as all others were inheriting from nv_generic_ops. This patch reinstates nv_hardreset() and puts it into nv_common_ops which all flavors inherit from. nv_generic_ops now inherits from nv_common_ops and overrides .hardreset to ATA_OP_NULL.

While at it, explain why nv_hardreset and ATA_OP_NULL override are necessary.

Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Committed by Boaz Harrosh
The current sg list traversal logic for the continuation entries doesn't advance the list pointer once all seven slots are used, so the next continuation entry (if there is one) wrongly begins again at the start of the sg list. Fix by advancing the sg pointer after the for_each_sg().

Reported-by: Meelis Roos <mroos@ut.ee>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-
- 28 Sep, 2008 4 commits
-
-
Committed by Márton Németh
Correct copy-paste problem: CDROMCLOSETRAY is about closing the tray, not opening it.

Signed-off-by: Márton Németh <nm127@freemail.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
-
Committed by Tejun Heo
Enabling IDE generic may prevent ATA controllers located on legacy ports from being attached to more proper driver or can prevent other controllers which share the IRQ from working. Note it in the help message.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: xerces8 <xerces8@butn.net>
Cc: Jeff Garzik <jgarzik@pobox.com>
Cc: stein@hermes.si
[bart: s/will grab/may grab/ since Borislav has fixed PCI-case for .28]
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
-
Committed by Borislav Petkov
Remove superfluous two bytes from each string buffer and add proper length format specifiers.

Signed-off-by: Borislav Petkov <petkovbb@gmail.com>
Tested-by: Mark de Wever <koraq@xs4all.nl>
Acked-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
-
Committed by Ralf Baechle
If things are just right this will result in the hws[0]->parent being passed to ide_host_add() being non-zero and an oops a little later.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
-
- 27 Sep, 2008 10 commits
-
-
Committed by Aurelien Jarno
For SSB_BUSTYPE_SSB type devices, we need to initialize dma_mask using coherent_dma_mask so that calls to dma_set_mask() succeed. It fixes the regression on the b44 driver introduced by commit f225763a

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
-
Committed by Aurelien Jarno
This patch defines pcibios_map_irq() and pcibios_plat_dev_init() for the BCM47xx platform. It fixes the regression introduced by commit aab547ce.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
-
Committed by Ralf Baechle
pcibios_map_irq has no way of returning an error but on IP27 an interrupt is possibly not routable when running out of resources. So do the interrupt routing at pcibios_enable_device time.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
-
Committed by Bruno Randolf
David Brownell <david-b@pacbell.net> wrote:
> The problem is that "value" is zero-or-nonzero.
> This code wrongly assumes it's zero-or-one.
> Possible fix: "((!!value) << gpio)".

Signed-off-by: Bruno Randolf <br1@einfach.org>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
-
Committed by Adrian Bunk
This patch contains the following cleanups:
  - make the following needlessly global code static:
    - entry.S: resume_userspace
    - process.c: pm_idle
    - process.c: default_idle()
    - smp.c: send_IPI_allbutself()
    - time.c: timer_interrupt()
    - time.c: struct irq0
    - traps.c: set_eit_vector_entries()
    - traps.c: kstack_depth_to_print
    - traps.c: show_trace()
    - traps.c: die_lock
  - remove the following unused code:
    - head.S: startup_32
    - process.c: hlt_counter
    - process.c: disable_hlt()
    - process.c: enable_hlt()
    - process.c: dump_task_regs()
  - remove the following variables and their usages since they were always 0:
    - irq.c: irq_err_count
    - irq.c: irq_mis_count

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>
-
Committed by Adrian Bunk
ERROR: "__ndelay" [drivers/spi/spi_bitbang.ko] undefined!

Reported-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>
-
Committed by Adrian Bunk
ERROR: "empty_zero_page" [fs/ext4/ext4dev.ko] undefined!

Reported-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>
-
Committed by Adrian Bunk
As far as I know no M32R hardware actually has ISA slots. And ISA drivers don't compile on M32R.

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>
-
Committed by Adrian Bunk
Remove the unused NOHIGHMEM option.

Reviewed-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6
Committed by Linus Torvalds
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
  ALSA: remove unneeded power_mutex lock in snd_pcm_drop
  ALSA: fix locking in snd_pcm_open*() and snd_rawmidi_open*()
-
- 26 Sep, 2008 2 commits
-
-
git://oss.sgi.com:8090/xfs/linux-2.6
Committed by Linus Torvalds
* git://oss.sgi.com:8090/xfs/linux-2.6:
  [XFS] Remove xfs_iext_irec_compact_full()
  [XFS] Fix extent list corruption in xfs_iext_irec_compact_full().
-
Committed by David Howells
Delete ARM's own cnt32_to_63.h as the copy in include/linux/ should now be used instead.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-