When read_buf is called to move over to the next page in the pagelist
of an NFSv4 request, it sets argp->end to essentially a random
number, certainly not an address within the page which argp->p now
points to.  So subsequent calls to READ_BUF will think there is much
more than a page of spare space (the cast to u32 ensures an unsigned
comparison) so we can expect to fall off the end of the second
page.

We never encountered thsi in testing because typically the only
operations which use more than two pages are write-like operations,
which have their own decoding logic.  Something like a getattr after a
write may cross a page boundary, but it would be very unusual for it to
cross another boundary after that.

Cc: stable@kernel.org
Signed-off-by: NJ. Bruce Fields <bfields@citi.umich.edu>

* anonvma:
  anonvma: when setting up page->mapping, we need to pick the _oldest_ anonvma
  anon_vma: clone the anon_vma chain in the right order
  vma_adjust: fix the copying of anon_vma chains
  Simplify and comment on anon_vma re-use for anon_vma_prepare()

* master.kernel.org:/home/rmk/linux-2.6-arm: (21 commits)
  ARM: Fix ioremap_cached()/ioremap_wc() for SMP platforms
  ARM: 6043/1: AT91 slow-clock resume: Don't wait for a disabled PLL to lock
  ARM: 6031/1: fix Thumb-2 decompressor
  ARM: 6029/1: ep93xx: gpio.c: local functions should be static
  ARM: 6028/1: ARM: add MAINTAINERS for U300
  ARM: 6024/1: bcmring: fix missing down on semaphore in dma.c
  MXC: mach_armadillo5x0: Add USB Host support.
  ARM mach-mx3: duplicated include
  ARM mach-mx3: duplicated include
  imx31: add watchdog device on litekit board.
  imx3: Add watchdog platform device support
  MXC: mach-mx31_3ds: add support for freescale mc13783 power management device.
  MXC: mach-mx31_3ds: Add SPI1 device support.
  MXC: mach-mx31_3ds: Add support for on board NAND Flash.
  MXC: mach-mx31_3ds: Update variable names over recent mach name modification.
  imx31: fix parent clock for rtc
  i.MX51: remove NFC AXI static mapping
  i.MX51: determine silicon revision dynamically
  i.MX51: map TZIC dynamically
  i.MX51: Use correct clock for gpt
  ...

* 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/btrfs-unstable:
  Btrfs: make sure the chunk allocator doesn't create zero length chunks
  Btrfs: fix data enospc check overflow

* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6:
  quota: Fix possible dq_flags corruption
  quota: Hide warnings about writes to the filesystem before quota was turned on
  ext3: symlink must be handled via filesystem specific operation
  ext2: symlink must be handled via filesystem specific operation

* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-udf-2.6:
  udf: add speciffic ->setattr callback
  udf: potential integer overflow

* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus: (36 commits)
  MIPS: Calculate proper ebase value for 64-bit kernels
  MIPS: Alchemy: DB1200: Remove custom wait implementation
  MIPS: Big Sur: Make defconfig more useful.
  MIPS: Fix __vmalloc() etc. on MIPS for non-GPL modules
  MIPS: Sibyte: Fix M3 TLB exception handler workaround.
  MIPS: BCM63xx: Fix build failure in board_bcm963xx.c
  MIPS: uasm: Add OR instruction.
  MIPS: Sibyte: Apply M3 workaround only on affected chip types and versions.
  MIPS: BCM63xx: Initialize gpio_out_low & out_high to current value at boot.
  MIPS: BCM63xx: Register SSB SPROM fallback in board's first stage callback
  MIPS: BCM63xx: Fix typo in cpu-feature-overrides file.
  MIPS: BCM63xx: Add support for second uart.
  MIPS: BCM63xx: Fix double gpio registration.
  MIPS: BCM63xx: Add DWVS0 board
  MIPS: BCM63xx: Add the RTA1025W-16 BCM6348-based board to suppported boards.
  MIPS: BCM63xx: Fix BCM6338 and BCM6345 gpio count
  MIPS: libgcc.h: Checkpatch cleanup
  MIPS: Loongson-2F: Flush the branch target history in BTB and RAS
  MIPS: Move signal trampolines off of the stack.
  MIPS: Preliminary VDSO
  ...

* 'for-2.6.34' of git://linux-nfs.org/~bfields/linux:
  svcrdma: RDMA support not yet compatible with RPC6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ryusuke/nilfs2:
  nilfs2: fix typo "numer" -> "number" in alloc.c
  nilfs2: Remove an uninitialization warning in nilfs_btree_propagate_v()
  nilfs2: fix a wrong type conversion in nilfs_ioctl()

Otherwise we might be mapping in a page in a new mapping, but that page
(through the swapcache) would later be mapped into an old mapping too.
The page->mapping must be the case that works for everybody, not just
the mapping that happened to page it in first.

Here's the scenario:

 - page gets allocated/mapped by process A. Let's call the anon_vma we
   associate the page with 'A' to keep it easy to track.

 - Process A forks, creating process B. The anon_vma in B is 'B', and has
   a chain that looks like 'B' -> 'A'. Everything is fine.

 - Swapping happens. The page (with mapping pointing to 'A') gets swapped
   out (perhaps not to disk - it's enough to assume that it's just not
   mapped any more, and lives entirely in the swap-cache)

 - Process B pages it in, which goes like this:

        do_swap_page ->
          page = lookup_swap_cache(entry);
         ...
          set_pte_at(mm, address, page_table, pte);
          page_add_anon_rmap(page, vma, address);

   And think about what happens here!

   In particular, what happens is that this will now be the "first"
   mapping of that page, so page_add_anon_rmap() used to do

        if (first)
                __page_set_anon_rmap(page, vma, address);

   and notice what anon_vma it will use? It will use the anon_vma for
   process B!

   What happens then? Trivial: process 'A' also pages it in (nothing
   happens, it's not the first mapping), and then process 'B' execve's
   or exits or unmaps, making anon_vma B go away.

   End result: process A has a page that points to anon_vma B, but
   anon_vma B does not exist any more.  This can go on forever.  Forget
   about RCU grace periods, forget about locking, forget anything like
   that.  The bug is simply that page->mapping points to an anon_vma
   that was correct at one point, but was _not_ the one that was shared
   by all users of that possible mapping.

Changing it to always use the deepest anon_vma in the anonvma chain gets
us to the safest model.

This can be improved in certain cases: if we know the page is private to
just this particular mapping (for example, it's a new page, or it is the
only swapcache entry), we could pick the top (most specific) anon_vma.

But that's a future optimization. Make it _work_ reliably first.
Reviewed-by: NRik van Riel <riel@redhat.com>
Acked-by: NJohannes Weiner <hannes@cmpxchg.org>
Tested-by: Borislav Petkov <bp@alien8.de> [ "What do you know, I think you fixed it!" ]
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

We want to walk the chain in reverse order when cloning it, so that the
order of the result chain will be the same as the order in the source
chain.  When we add entries to the chain, they go at the head of the
chain, so we want to add the source head last.
Reviewed-by: NRik van Riel <riel@redhat.com>
Acked-by: NJohannes Weiner <hannes@cmpxchg.org>
Tested-by: Borislav Petkov <bp@alien8.de> [ "No, it still oopses" ]
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

When we move the boundaries between two vma's due to things like
mprotect, we need to make sure that the anon_vma of the pages that got
moved from one vma to another gets properly copied around.  And that was
not always the case, in this rather hard-to-follow code sequence.

Clarify the code, and fix it so that it copies the anon_vma from the
right source.
Reviewed-by: NRik van Riel <riel@redhat.com>
Acked-by: NJohannes Weiner <hannes@cmpxchg.org>
Tested-by: Borislav Petkov <bp@alien8.de> [ "Yeah, not so much this one either" ]
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

This changes the anon_vma reuse case to require that we only reuse
simple anon_vma's - ie the case when the vma only has a single anon_vma
associated with it.

This means that a reuse of an anon_vma from an adjacent vma will always
guarantee that both vma's are associated not only with the same
anon_vma, they will also have the same anon_vma chain (of just a single
entry in this case).

And since anon_vma re-use was the only case where the same anon_vma
might be associated with different chains of anon_vma's, we now have the
case that every vma that shares the same anon_vma will always also have
the same chain.  That makes it much easier to think about merging vma's
that share the same anon_vma's: you can always just drop the other
anon_vma chain in anon_vma_merge() since you know that they are always
identical.

This also splits up the function to validate the anon_vma re-use, and
adds a lot of commentary about the possible races.
Reviewed-by: NRik van Riel <riel@redhat.com>
Acked-by: NJohannes Weiner <hannes@cmpxchg.org>
Tested-by: Borislav Petkov <bp@alien8.de> [ "That didn't fix it" ]
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

dq_flags are modified non-atomically in do_set_dqblk via __set_bit calls and
atomically for example in mark_dquot_dirty or clear_dquot_dirty.  Hence a
change done by an atomic operation can be overwritten by a change done by a
non-atomic one. Fix the problem by using atomic bitops even in do_set_dqblk.
Signed-off-by: NAndrew Perepechko <andrew.perepechko@sun.com>
Signed-off-by: NJan Kara <jack@suse.cz>

For a root filesystem write to the filesystem before quota is turned on happens
regularly and there's no way around it because of writes to syslog, /etc/mtab,
and similar. So the warning is rather pointless for ordinary users. It's
still useful during development so we just hide the warning behind
__DQUOT_PARANOIA config option.
Signed-off-by: NJan Kara <jack@suse.cz>

generic setattr implementation is no longer responsible for
quota transfer so synlinks must be handled via ext3_setattr.
Signed-off-by: NDmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: NJan Kara <jack@suse.cz>

generic setattr implementation is no longer responsible for
quota transfer so synlinks must be handled via ext2_setattr.
Signed-off-by: NDmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: NJan Kara <jack@suse.cz>

The ebase is relative to CKSEG0 not CAC_BASE.  On a 32-bit kernel they
are the same thing, for a 64-bit kernel they are not.

It happens to kind of work on a 64-bit kernel as they both reference
the same physical memory.  However since the CPU uses the CKSEG0 base,
determining if a J instruction will reach always gives the wrong result
unless we use the same number the CPU uses.
Signed-off-by: NDavid Daney <ddaney@caviumnetworks.com>
To: linux-mips@linux-mips.org
Patchwork: http://patchwork.linux-mips.org/patch/1093/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

While playing with the out-of-tree MAE driver module, the system would
panic after a while in the db1200 custom wait code after wakeup due to
a clobbered k0 register being used as target address of a store op.

Remove the custom wait implementation and revert back to the Alchemy-
recommended implementation already set as default.
Signed-off-by: NManuel Lauss <manuel.lauss@gmail.com>
To: Linux-MIPS <linux-mips@linux-mips.org>
Patchwork: http://patchwork.linux-mips.org/patch/1092/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

Commit b3594a089f1c17ff919f8f78505c3f20e1f6f8ce (lmo) rsp.
35133692 (kernel.org) break non-GPL modules
that use __vmalloc() or any of the vmap(), vm_map_ram(), etc functions on
MIPS.

All those functions are EXPORT_SYMBOL() so are meant to be allowed to be
used by non-GPL kernel modules.  These calls all take page protection as
an argument which is normally a constant like PAGE_KERNEL.

This commit causes all protection constants like PAGE_KERNEL to not be
constants and instead to contain the GPL-only symbol _page_cachable_default.

This means that all calls to __vmalloc(), vmap(), etc, cause non-GPL
modules to fail to link with the complaint that they are trying to use the
GPL-only symbol _page_cachable_default...

Change EXPORT_SYMBOL_GPL(_page_cachable_default) to EXPORT_SYMBOL() for
non-GPL modules that call __vmalloc(), vmap(), vm_map_ram() etc.
Signed-off-by: NAnton Altaparmakov <aia21@cantab.net>
Cc: Chris Dearman <chris@mips.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: http://patchwork.linux-mips.org/patch/1084/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

The M3 workaround needs to cmpare the region and VPN2 fields only.
Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

Since 2083e8327aeeaf818b0e4522a9d2539835c60423, the SPROM is now registered
in the board_prom_init callback, but it references variables and functions
which are declared below.  Move the variables and functions above
board_prom_init.
Signed-off-by: NFlorian Fainelli <ffainelli@freebox.fr>
To: linux-mips@linux-mips.org
Patchwork: http://patchwork.linux-mips.org/patch/1077/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

This is needed for the fix of the M3 workaround.
Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

Previously it was unconditionally used on all Sibyte family SOCs.  The
M3 bug has to be handled in the TLB exception handler which is extremly
performance sensitive, so this modification is expected to deliver around
2-3% performance improvment.  This is important as required changes to the
M3 workaround will make it more costly.
Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

To avoid a glitch during GPIO initialisation read GPIO output register
values left by the firmware.
Signed-off-by: NMaxime Bizon <mbizon@freebox.fr>
To: linux-mips@linux-mips.org
Patchwork: http://patchwork.linux-mips.org/patch/903/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

Signed-off-by: NFlorian Fainelli <ffainelli@freebox.fr>
To: Maxime Bizon <mbizon@freebox.fr>
Cc: linux-mips@linux-mips.org
Patchwork: http://patchwork.linux-mips.org/patch/1017/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

Fix typo: CONFIG_BCMCPU_IS_63xx does not exist;
CONFIG_BCM63XX_CPU_63xx is the valid config option.
Signed-off-by: NMaxime Bizon <mbizon@freebox.fr>
To: linux-mips@linux-mips.org
Cc: Maxime Bizon <mbizon@freebox.fr>
Patchwork: http://patchwork.linux-mips.org/patch/901/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

The BCm63xx SOC has two uarts.  Some boards use the second one for
bluetooth.  This patch changes platform device registration code to
handle this.  Changes to the UART driver were already merged in
6a2c7eab.
Signed-off-by: NMaxime Bizon <mbizon@freebox.fr>
To: linux-mips@linux-mips.org
Cc: Maxime Bizon <mbizon@freebox.fr>
Patchwork: http://patchwork.linux-mips.org/patch/900/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

bcm63xx_gpio_init is already called from prom_init to allow board to use
them early, so we can remove the unneeded arch_initcall.
Signed-off-by: NMaxime Bizon <mbizon@freebox.fr>
To: linux-mips@linux-mips.org
Cc: Maxime Bizon <mbizon@freebox.fr>
Patchwork: http://patchwork.linux-mips.org/patch/899/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

The DWVS0 board is a BCM6358-based board with an on-board OHCI controler.
Signed-off-by: NFlorian Fainelli <florian@openwrt.org>
To: linux-mips@linux-mips.org
Patchwork: http://patchwork.linux-mips.org/patch/1015/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

Signed-off-by: NFlorian Fainelli <florian@openwrt.org>
To: linux-mips@linux-mips.org
Patchwork: http://patchwork.linux-mips.org/patch/1014/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

The number of GPIOs on BCM6338 is 8, while BCM6345 has only 16 GPIOs
available.
Signed-off-by: NFlorian Fainelli <florian@openwrt.org>
To: linux-mips@linux-mips.org
Patchwork: http://patchwork.linux-mips.org/patch/1016/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

arch/mips/lib/libgcc.h:21: ERROR: open brace '{' following union go on the same line
Signed-off-by: NAndrea Gelmini <andrea.gelmini@gelma.net>
To: linux-kernel@vger.kernel.org
Cc: Paul Mundt <lethal@linux-sh.org>
Cc: linux-mips@linux-mips.org
Cc: linux-sh@vger.kernel.org
Patchwork: http://patchwork.linux-mips.org/patch/1007/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

As per chapter 15 "Errata: Issue of Out-of-order in loongson"[1] to work
around the Loongson 2F erratum we need to do:

"When switching from user mode to kernel mode, you should flush the
branch target history such as BTB and RAS."

[1] Chinese version: http://www.loongson.cn/uploadfile/file/200808211
[2] English version of chapter 15:
    http://groups.google.com.hk/group/loongson-dev/msg/e0d2e220958f10a6?dmode=sourceSigned-off-by: NWu Zhangjin <wuzhangjin@gmail.com>
Cc: linux-mips@linux-mips.org
Cc: Shinya Kuribayashi <shinya.kuribayashi@necel.com>
Patchwork: http://patchwork.linux-mips.org/patch/1066/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

This is a follow on to the vdso patch.

Since all processes now have signal trampolines permanently mapped, we
can use those instead of putting the trampoline on the stack and
invalidating the corresponding icache across all CPUs.  We also get rid
of a bunch of ICACHE_REFILLS_WORKAROUND_WAR code.

[Ralf: GDB 7.1 which has the necessary modifications to allow backtracing
over signal frames will supposedly be released tomorrow.  The old signal
frame format obsoleted by this patch exists in two variations, for sane
processors and for those requiring ICACHE_REFILLS_WORKAROUND_WAR.  So
there was never a GDB which did support backtracing over signal frames
on all MIPS systems.  This convinved me this series should be applied and
pushed upstream as soon as possible.]
Signed-off-by: NDavid Daney <ddaney@caviumnetworks.com>
To: linux-mips@linux-mips.org
Patchwork: http://patchwork.linux-mips.org/patch/974/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

This is a preliminary patch to add a vdso to all user processes.  Still
missing are ELF headers and .eh_frame information.  But it is enough to
allow us to move signal trampolines off of the stack.  Note that emulation
of branch delay slots in the FPU emulator still requires the stack.

We allocate a single page (the vdso) and write all possible signal
trampolines into it.  The stack is moved down by one page and the vdso is
mapped into this space.
Signed-off-by: NDavid Daney <ddaney@caviumnetworks.com>
To: linux-mips@linux-mips.org
Patchwork: http://patchwork.linux-mips.org/patch/975/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

Signed-off-by: NDavid Daney <ddaney@caviumnetworks.com>
To: linux-mips@linux-mips.org
Patchwork: http://patchwork.linux-mips.org/patch/976/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

The SSB PCIcore code reused the IO resource fixup code from the original
2.4.x Broadcom patch for BCM47xx based devices, which was a quick hack
for doing PCI IO resource configuration back then (the boot loader
doesn't configure PCI devices on this platform).

However, this code is no longer necessary since the kernel now can do
PCI resource management fine all by itself, so remove the old code.

When removing the code, it becomes obvious that the mem_offset setting
in the PCIcore driver was wrong, however this was masked by the fixup
code before, except in a few cases involving yenta_socket. For BCM47xx,
the correct offset is 0, and since this is the only device using PCIcore
in host mode, the offset can simply be removed unconditionally.
Signed-off-by: NAndreas Ferber <af@chaos-agency.de>
Signed-off-by: NMichael Buesch <mb@bu3sch.de>
Cc: Markus Wigge <markus@cultcom.de>
Cc: linux-mips@linux-mips.org
Patchwork: http://patchwork.linux-mips.org/patch/1070/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>