Merge branch 'stable/for-linus-fixes-3.2' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen

* 'stable/for-linus-fixes-3.2' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
  Revert "xen/pv-on-hvm kexec: add xs_reset_watches to shutdown watches from old kernel"

* 'sh-fixes-for-linus' of git://github.com/pmundt/linux-sh:
  sh: fix build warning in board-sh7757lcr

* 'rmobile-fixes-for-linus' of git://github.com/pmundt/linux-sh:
  ARM: mach-shmobile: SH73A0 external Ethernet fix
  ARM: mach-shmobile: AG5EVM GIC Sparse IRQ fix
  ARM: mach-shmobile: Kota2 TPU LED platform data
  ARM: mach-shmobile: Kota2 GIC Sparse IRQ fix
  ARM: mach-shmobile: Kota2 PINT fix

* 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
  NFS: Fix a regression in nfs_file_llseek()
  NFSv4: Do not accept delegated opens when a delegation recall is in effect
  NFSv4: Ensure correct locking when accessing the 'lock_states' list
  NFSv4.1: Ensure that we handle _all_ SEQUENCE status bits.
  NFSv4: Don't error if we handled it in nfs4_recovery_handle_error
  SUNRPC: Ensure we always bump the backlog queue in xprt_free_slot
  SUNRPC: Fix the execution time statistics in the face of RPC restarts

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  vmwgfx: Clip cliprects against screen boundaries in present and dirty
  vmwgfx: Resend the cursor after legacy modeset
  vmwgfx: Do better culling of presents
  vmwgfx: Refactor kms code to use vmw_user_lookup_handle helper
  vmwgfx: Add helper function to get surface or dmabuf
  vmwgfx: Refactor cursor update
  vmwgfx: Remove dmabuf check in present ioctl
  vmwgfx: Use the revised fifo hw version register when present

* 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (31 commits)
  Revert "[media] af9015: limit I2C access to keep FW happy"
  [media] s5p-fimc: Fix camera input configuration in subdev operations
  [media] m5mols: Fix logic in sanity check
  [media] ati_remote: switch to single-byte scancodes
  [media] V4L: mt9m111: fix uninitialised mutex
  [media] V4L: omap1_camera: fix missing <linux/module.h> include
  [media] V4L: mt9t112: use after free in mt9t112_probe()
  [media] V4L: soc-camera: fix compiler warnings on 64-bit platforms
  [media] s5p_mfc_enc: fix s/H264/H263/ typo
  [media] omap_vout: Fix compile error in 3.1
  [media] au0828: add missing models 72101, 72201 & 72261 to the model matrix
  [media] au0828: add missing USB ID 2040:7213
  [media] au0828: add missing USB ID 2040:7260
  [media] [trivial] omap24xxcam-dma: Fix logical test
  [media] omap_vout: fix crash if no driver for a display
  [media] media: video: s5p-tv: fix build break
  [media] omap3isp: fix compilation of ispvideo.c
  [media] m5mols: Fix set_fmt to return proper pixel format code
  [media] s5p-fimc: Use correct fourcc for RGB565 colour format
  [media] s5p-fimc: Fail driver probing when sensor configuration is wrong
  ...

binary_sysctl() calls sysctl_getname() which allocates from names_cache
slab usin __getname()

The matching function to free the name is __putname(), and not putname()
which should be used only to match getname() allocations.

This is because when auditing is enabled, putname() calls audit_putname
*instead* (not in addition) to __putname().  Then, if a syscall is in
progress, audit_putname does not release the name - instead, it expects
the name to get released when the syscall completes, but that will happen
only if audit_getname() was called previously, i.e.  if the name was
allocated with getname() rather than the naked __getname().  So,
__getname() followed by putname() ends up leaking memory.
Signed-off-by: NMichel Lespinasse <walken@google.com>
Acked-by: NAl Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Eric Paris <eparis@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Static storage is not required for the struct vmap_area in
__get_vm_area_node.

Removing "static" to store this variable on the stack instead.
Signed-off-by: NKautuk Consul <consul.kautuk@gmail.com>
Acked-by: NDavid Rientjes <rientjes@google.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

If the BMC gets reset, it will return 0x80 response errors.

In less than a week
# grep "Error 80 on cmd 22" /var/log/kernel |wc -l
378681

In this case, it is probably a good idea to restore the IPMI settings.
Signed-off-by: NCorey Minyard <cminyard@mvista.com>
Tested-by: NArkadiusz Miśkiewicz <a.miskiewicz@gmail.com>
Reported-by: NArkadiusz Miśkiewicz <a.miskiewicz@gmail.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

An integer overflow will happen on 64bit archs if task's sum of rss,
swapents and nr_ptes exceeds (2^31)/1000 value.  This was introduced by
commit

f755a042 oom: use pte pages in OOM score

where the oom score computation was divided into several steps and it's no
longer computed as one expression in unsigned long(rss, swapents, nr_pte
are unsigned long), where the result value assigned to points(int) is in
range(1..1000).  So there could be an int overflow while computing

176          points *= 1000;

and points may have negative value. Meaning the oom score for a mem hog task
will be one.

196          if (points <= 0)
197                  return 1;

For example:
[ 3366]     0  3366 35390480 24303939   5       0             0 oom01
Out of memory: Kill process 3366 (oom01) score 1 or sacrifice child

Here the oom1 process consumes more than 24303939(rss)*4096~=92GB physical
memory, but it's oom score is one.

In this situation the mem hog task is skipped and oom killer kills another and
most probably innocent task with oom score greater than one.

The points variable should be of type long instead of int to prevent the
int overflow.
Signed-off-by: NFrantisek Hrbata <fhrbata@redhat.com>
Acked-by: NKOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Acked-by: NOleg Nesterov <oleg@redhat.com>
Acked-by: NDavid Rientjes <rientjes@google.com>
Cc: <stable@vger.kernel.org>		[2.6.36+]
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

If the request is to create non-root group and we fail to meet it, we
should leave the root unchanged.
Signed-off-by: NHillf Danton <dhillf@gmail.com>
Acked-by: NHugh Dickins <hughd@google.com>
Acked-by: NKAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: NMichal Hocko <mhocko@suse.cz>
Cc: Balbir Singh <bsingharora@gmail.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

There is a potential integer overflow in nilfs_ioctl_clean_segments().
When a large argv[n].v_nmembs is passed from the userspace, the subsequent
call to vmalloc() will allocate a buffer smaller than expected, which
leads to out-of-bound access in nilfs_ioctl_move_blocks() and
lfs_clean_segments().

The following check does not prevent the overflow because nsegs is also
controlled by the userspace and could be very large.

		if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
			goto out_free;

This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
returns -EINVAL when overflow.
Signed-off-by: NHaogang Chen <haogangchen@gmail.com>
Signed-off-by: NRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

commit 828b1c50 ("nilfs2: add compat ioctl") incidentally broke all
other NILFS compat ioctls.  Make them work again.
Signed-off-by: NThomas Meyer <thomas@m3y3r.de>
Signed-off-by: NRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Tested-by: NRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Cc: <stable@vger.kernel.org> [3.0+]
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Kernels where MAX_NUMNODES > BITS_PER_LONG may temporarily see an empty
nodemask in a tsk's mempolicy if its previous nodemask is remapped onto a
new set of allowed cpuset nodes where the two nodemasks, as a result of
the remap, are now disjoint.

c0ff7453 ("cpuset,mm: fix no node to alloc memory when changing
cpuset's mems") adds get_mems_allowed() to prevent the set of allowed
nodes from changing for a thread.  This causes any update to a set of
allowed nodes to stall until put_mems_allowed() is called.

This stall is unncessary, however, if at least one node remains unchanged
in the update to the set of allowed nodes.  This was addressed by
89e8a244 ("cpusets: avoid looping when storing to mems_allowed if one
node remains set"), but it's still possible that an empty nodemask may be
read from a mempolicy because the old nodemask may be remapped to the new
nodemask during rebind.  To prevent this, only avoid the stall if there is
no mempolicy for the thread being changed.

This is a temporary solution until all reads from mempolicy nodemasks can
be guaranteed to not be empty without the get_mems_allowed()
synchronization.

Also moves the check for nodemask intersection inside task_lock() so that
tsk->mems_allowed cannot change.  This ensures that nothing can set this
tsk's mems_allowed out from under us and also protects tsk->mempolicy.
Reported-by: NMiao Xie <miaox@cn.fujitsu.com>
Signed-off-by: NDavid Rientjes <rientjes@google.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Paul Menage <paul@paulmenage.org>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
  IB/qib: Correct sense on freectxts increment and decrement
  RDMA/cma: Verify private data length
  IB/mlx4: Fix shutdown crash accessing a non-existent bitmap

* 'for-3.2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu:
  percpu: fix per_cpu_ptr_to_phys() handling of non-page-aligned addresses

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: synaptics - fix touchpad not working after S2R on Vostro V13
  Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
  Input: wacom - add product id used by Samsung Slate 7

Commit 53ab1c64 ("IB/qib: Correct nfreectxts for multiple HCAs")
reversed the increments and decrements of dd->nfreectxts.  Fix it.
Reviewed-by: NRam Vepa <ram.vepa@qlogic.com>
Signed-off-by: NMike Marciniszyn <mike.marciniszyn@qlogic.com>
Signed-off-by: NRoland Dreier <roland@purestorage.com>

private_data_len is defined as a u8.  If the user specifies a large
private_data size (> 220 bytes), we will calculate a total length that
exceeds 255, resulting in private_data_len wrapping back to 0.  This
can lead to overwriting random kernel memory.  Avoid this by verifying
that the resulting size fits into a u8.
Reported-by: NB. Thery <benjamin.thery@bull.net>
Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
Signed-off-by: NSean Hefty <sean.hefty@intel.com>
Signed-off-by: NRoland Dreier <roland@purestorage.com>

This reverts commit ddacf5ef.
As when booting the kernel under Amazon EC2 as an HVM guest it ends up
hanging during startup. Reverting this we loose the fix for kexec
booting to the crash kernels.

Fixes Canonical BZ #901305 (http://bugs.launchpad.net/bugs/901305)
Tested-by: NAlessandro Salvatori <sandr8@gmail.com>
Reported-by: NStefan Bader <stefan.bader@canonical.com>
Acked-by: NIan Campbell <Ian.Campbell@citrix.com>
Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>

Signed-off-by: NJakob Bornecrantz <jakob@vmware.com>
Reviewed-by: NThomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: NDave Airlie <airlied@redhat.com>

Signed-off-by: NJakob Bornecrantz <jakob@vmware.com>
Reviewed-by: NThomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: NDave Airlie <airlied@redhat.com>

Signed-off-by: NJakob Bornecrantz <jakob@vmware.com>
Reviewed-by: NThomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: NDave Airlie <airlied@redhat.com>

Signed-off-by: NJakob Bornecrantz <jakob@vmware.com>
Signed-off-by: NThomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: NDave Airlie <airlied@redhat.com>

Signed-off-by: NJakob Bornecrantz <jakob@vmware.com>
Reviewed-by: NThomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: NDave Airlie <airlied@redhat.com>

Signed-off-by: NJakob Bornecrantz <jakob@vmware.com>
Reviewed-by: NThomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: NDave Airlie <airlied@redhat.com>

Doesn't protect any error code and only gets in the way of debugging.
Signed-off-by: NJakob Bornecrantz <jakob@vmware.com>
Reviewed-by: NThomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: NDave Airlie <airlied@redhat.com>

The driver implements the needed resource management required
to use that register.
Signed-off-by: NThomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: NJakob Bornecrantz <jakob@vmware.com>
Signed-off-by: NDave Airlie <airlied@redhat.com>

* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6: (22 commits)
  [SCSI] fcoe: fix fcoe in a DCB environment by adding DCB notifiers to set skb priority
  [SCSI] bnx2i: Fixed kernel panic caused by unprotected task->sc->request deref
  [SCSI] qla4xxx: check for failed conn setup
  [SCSI] qla4xxx: a small loop fix
  [SCSI] qla4xxx: fix flash/ddb support
  [SCSI] zfcp: return early from slave_destroy if slave_alloc returned early
  [SCSI] fcoe: Fix preempt count leak in fcoe_filter_frames()
  [SCSI] qla2xxx: Update version number to 8.03.07.12-k.
  [SCSI] qla2xxx: Submit all chained IOCBs for passthrough commands on request queue 0.
  [SCSI] qla2xxx: Correct fc_host port_state display.
  [SCSI] qla2xxx: Disable generating pause frames when firmware hang detected for ISP82xx.
  [SCSI] qla2xxx: Clear mailbox busy flag during premature mailbox completion for ISP82xx.
  [SCSI] qla2xxx: Encapsulate prematurely completing mailbox commands during ISP82xx firmware hang.
  [SCSI] qla2xxx: Display IPE error message for ISP82xx.
  [SCSI] qla2xxx: Return the correct value for a mailbox command if 82xx is in reset recovery.
  [SCSI] qla2xxx: Enable Minidump by default with default capture mask 0x1f.
  [SCSI] qla2xxx: Stop unconditional completion of mailbox commands issued in interrupt mode during firmware hang.
  [SCSI] qla2xxx: Revert back the request queue mapping to request queue 0.
  [SCSI] qla2xxx: Don't call alloc_fw_dump for ISP82XX.
  [SCSI] qla2xxx: Check for SCSI status on underruns.
  ...

* 'for-linus/i2c-32-rc6' of git://git.fluff.org/bjdooks/linux:
  i2c-eg20t: correct the driver init order of pch_i2c_probe()
  I2C: OMAP: fix FIFO usage for OMAP4
  i2c-s3c2410: Fix return code of s3c24xx_i2c_parse_dt_gpio
  i2c: i2c-s3c2410: Add a cpu_relax() to busy wait for bus idle

I noticed that hotplug of one setup does not work with recent change in
pci tree.

After checking the bridge conf setup, I noticed that the bridges get
assigned but do not get enabled.

The reason is the following commit, while simply ignores bridge
resources when enabling a pci device:

| commit bbef98ab
| Author: Ram Pai <linuxram@us.ibm.com>
| Date:   Sun Nov 6 10:33:10 2011 +0800
|
|    PCI: defer enablement of SRIOV BARS
|...
|    NOTE: Note, there is subtle change in the pci_enable_device() API.  Any
|    driver that depends on SRIOV BARS to be enabled in pci_enable_device()
|    can fail.

Put back bridge resource and ROM resource checking to fix the problem.

That should fix regression like BIOS does not assign correct resource to
bridge.

Discussion can be found at:
	http://www.spinics.net/lists/linux-pci/msg12874.htmlSigned-off-by: NYinghai Lu <yinghai@kernel.org>
Acked-by: NJesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Before registering an adapter to i2c subsystem, we need make sure
driver is ready for incoming i2c xfer, becasue the i2c_add_adapter()
may trigger a i2c device driver's proble function which may start
some real i2c xfer. I met this issue when integrating a TSC2007 i2c
touch screen device with the i2c-eg20t driver.

This patch will call request_irq() and hw init before calling
i2c_add_adapter().
Signed-off-by: NFeng Tang <feng.tang@intel.com>
Signed-off-by: NBen Dooks <ben-linux@fluff.org>

Currently the fifo depth is set to zero for OMAP4 which disables
the FIFO usage. This patch enables the FIFO usage for I2C transactions
on OMAP4 also.

Tested on omap4430 and 3430.
Tested-and-Reported-by: NNishanth Menon <nm@ti.com>
Signed-off-by: NShubhrajyoti D <shubhrajyoti@ti.com>
Signed-off-by: NKevin Hilman <khilman@ti.com>
Signed-off-by: NBen Dooks <ben-linux@fluff.org>

s3c24xx_i2c_parse_dt_gpio is called when cfg_gpio is not defined
in the platform data of the i2c device. When DT is not enabled,
the above function always returns -EINVAL. Since there can be
some i2c devices which don't need to configure any gpio lines,
the probe of such devices would fail here. Changing the default
return value to success would fix this issue.
Signed-off-by: NTushar Behera <tushar.behera@linaro.org>
Signed-off-by: NBen Dooks <ben-linux@fluff.org>

Be a bit more friendly.
Signed-off-by: NMark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: NBen Dooks <ben-linux@fluff.org>

Merge branches 'perf-urgent-for-linus' and 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf events: Fix ring_buffer_wakeup() brown paperbag bug

* 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  sched: Fix select_idle_sibling() regression in selecting an idle SMT sibling
  MAINTAINERS: Update tip.git related git trees

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci:
  PCI: Set device power state to PCI_D0 for device without native PM support
  PCI hotplug: Always allow acpiphp to handle non-PCIe bridges
  PCI: fix ats compile failure
  PCI: defer enablement of SRIOV BARS

This reverts commit eb1711bb.

It blows up the i915 seqno tracking, resulting in the

	BUG_ON(seqno == 0);

in i915_wait_request() triggering, which will cause lock-ups.

See for example
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/903010
  https://lkml.org/lkml/2011/12/14/395Reported-requested-and-tested-by: NDirk Hohndel <dirk@hohndel.org>
Reported-by: NRichard Eames <Richard.Eames@flinders.edu.au>
Reported-by: NRocko Requin <rockorequin@hotmail.com>
Acked-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Keith Packard <keithp@keithp.com>
Cc: Eric Anholt <eric@anholt.net>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>