Pull ARM fixes from Russell King:
 "The usual collection of random fixes.  Also some further fixes to the
  last set of security fixes, and some more from Will (which you may
  already have in a slightly different form)"

* 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
  ARM: 7807/1: kexec: validate CPU hotplug support
  ARM: 7812/1: rwlocks: retry trylock operation if strex fails on free lock
  ARM: 7811/1: locks: use early clobber in arch_spin_trylock
  ARM: 7810/1: perf: Fix array out of bounds access in armpmu_map_hw_event()
  ARM: 7809/1: perf: fix event validation for software group leaders
  ARM: Fix FIQ code on VIVT CPUs
  ARM: Fix !kuser helpers case
  ARM: Fix the world famous typo with is_gate_vma()

Pull m68k fixes from Geert Uytterhoeven:
 "These are two critical fixes, needed by distro kernels, and thus also
  destined for stable:

   - The do_div() commit fixes a crash in mounting btrfs volumes, which
     was a regression from 3.2,

   - The ARAnyM fix allows to have NatFeat drivers as loadable modules,
     which is needed for initrds"

* 'for-3.11' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k:
  m68k: Truncate base in do_div()
  m68k/atari: ARAnyM - Fix NatFeat module support

Pull clock controller fixes from Michael Turquette:
 "Two small fixes for the Zynq clock controller introduced in 3.11-rc1
  and another Exynos clock patch which fixes a regression that prevents
  the video pipeline from functioning on that platform"

* tag 'clk-fixes-for-linus' of git://git.linaro.org/people/mturquette/linux:
  clk: exynos4: Add CLK_GET_RATE_NOCACHE flag for the Exynos4x12 ISP clocks
  clk/zynq/clkc: Add CLK_SET_RATE_PARENT flag to ethernet muxes
  clk/zynq/clkc: Add dedicated spinlock for the SWDT

Pull power management fix from Rafael Wysocki:
 "The removal of delayed_work_pending() checks from kernel/power/qos.c
  done in 3.9 introduced a deadlock in pm_qos_work_fn().

  Fix from Stephen Boyd"

* tag 'pm-3.11-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  PM / QoS: Fix workqueue deadlock when using pm_qos_update_request_timeout()

Pull sound fixes from Takashi Iwai:
 "This batch contains a few USB audio fixes, a couple of HD-audio
  quirks, various small ASoC driver fixes in addition to an ASoC core
  fix that may lead to memory corruption.

  Unfortunately slightly more volume than the previous pull request, but
  all are reasonable regression fixes"

* tag 'sound-3.11' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda - Add a fixup for Gateway LT27
  ASoC: tegra: fix Tegra30 I2S capture parameter setup
  ALSA: usb-audio: Fix invalid volume resolution for Logitech HD Webcam C525
  ALSA: hda - Fix missing mute controls for CX5051
  ALSA: usb-audio: fix automatic Roland/Yamaha MIDI detection
  ALSA: 6fire: make buffers DMA-able (midi)
  ALSA: 6fire: make buffers DMA-able (pcm)
  ALSA: hda - Add pinfix for LG LW25 laptop
  ASoC: cs42l52: Add new TLV for Beep Volume
  ASoC: cs42l52: Reorder Min/Max and update to SX_TLV for Beep Volume
  ASoC: dapm: Fix empty list check in dapm_new_mux()
  ASoC: sgtl5000: fix buggy 'Capture Attenuate Switch' control
  ASoC: sgtl5000: prevent playback to be muted when terminating concurrent capture

Pull USB fixes from Greg KH:
 "Here are some small USB fixes for 3.11-rc6 that have accumulated.

  Nothing huge, a EHCI fix that solves a much-reported audio USB
  problem, some usb-serial driver endian fixes and other minor fixes, a
  wireless USB oops fix, and two new quirks"

* tag 'usb-3.11-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  USB: keyspan: fix null-deref at disconnect and release
  USB: mos7720: fix broken control requests
  usb: add two quirky touchscreen
  USB: ti_usb_3410_5052: fix big-endian firmware handling
  USB: adutux: fix big-endian device-type reporting
  USB: usbtmc: fix big-endian probe of Rigol devices
  USB: mos7840: fix big-endian probe
  USB-Serial: Fix error handling of usb_wwan
  wusbcore: fix kernel panic when disconnecting a wireless USB->serial device
  USB: EHCI: accept very late isochronous URBs

Pull networking fixes from David Miller:

 1) Fix SKB leak in 8139cp, from Dave Jones.

 2) Fix use of *_PAGES interfaces with mlx5 firmware, from Moshe Lazar.

 3) RCU conversion of macvtap introduced two races, fixes by Eric
    Dumazet

 4) Synchronize statistic flows in bnx2x driver to prevent corruption,
    from Dmitry Kravkov

 5) Undo optimization in IP tunneling, we were using the inner IP header
    in some cases to inherit the IP ID, but that isn't correct in some
    circumstances.  From Pravin B Shelar

 6) Use correct struct size when parsing netlink attributes in
    rtnl_bridge_getlink().  From Asbjoern Sloth Toennesen

 7) Length verifications in tun_get_user() are bogus, from Weiping Pan
    and Dan Carpenter

 8) Fix bad merge resolution during 3.11 networking development in
    openvswitch, albeit a harmless one which added some unreachable
    code.  From Jesse Gross

 9) Wrong size used in flexible array allocation in openvswitch, from
    Pravin B Shelar

10) Clear out firmware capability flags the be2net driver isn't ready to
    handle yet, from Sarveshwar Bandi

11) Revert DMA mapping error checking addition to cxgb3 driver, it's
    buggy.  From Alexey Kardashevskiy

12) Fix regression in packet scheduler rate limiting when working with a
    link layer of ATM.  From Jesper Dangaard Brouer

13) Fix several errors in TCP Cubic congestion control, in particular
    overflow errors in timestamp calculations.  From Eric Dumazet and
    Van Jacobson

14) In ipv6 routing lookups, we need to backtrack if subtree traversal
    don't result in a match.  From Hannes Frederic Sowa

15) ipgre_header() returns incorrect packet offset.  Fix from Timo Teräs

16) Get "low latency" out of the new MIB counter names.  From Eliezer
    Tamir

17) State check in ndo_dflt_fdb_del() is inverted, from Sridhar
    Samudrala

18) Handle TCP Fast Open properly in netfilter conntrack, from Yuchung
    Cheng

19) Wrong memcpy length in pcan_usb driver, from Stephane Grosjean

20) Fix dealock in TIPC, from Wang Weidong and Ding Tianhong

21) call_rcu() call to destroy SCTP transport is done too early and
    might result in an oops.  From Daniel Borkmann

22) Fix races in genetlink family dumps, from Johannes Berg

23) Flags passed into macvlan by the user need to be validated properly,
    from Michael S Tsirkin

24) Fix skge build on 32-bit, from Stephen Hemminger

25) Handle malformed TCP headers properly in xt_TCPMSS, from Pablo Neira
    Ayuso

26) Fix handling of stacked vlans in vlan_dev_real_dev(), from Nikolay
    Aleksandrov

27) Eliminate MTU calculation overflows in esp{4,6}, from Daniel
    Borkmann

28) neigh_parms need to be setup before calling the ->ndo_neigh_setup()
    method.  From Veaceslav Falico

29) Kill out-of-bounds prefetch in fib_trie, from Eric Dumazet

30) Don't dereference MLD query message if the length isn't value in the
    bridge multicast code, from Linus Lüssing

31) Fix VXLAN IGMP join regression due to an inverted check, from Cong
    Wang

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (70 commits)
  net/mlx5_core: Support MANAGE_PAGES and QUERY_PAGES firmware command changes
  tun: signedness bug in tun_get_user()
  qlcnic: Fix diagnostic interrupt test for 83xx adapters
  qlcnic: Fix beacon state return status handling
  qlcnic: Fix set driver version command
  net: tg3: fix NULL pointer dereference in tg3_io_error_detected and tg3_io_slot_reset
  net_sched: restore "linklayer atm" handling
  drivers/net/ethernet/via/via-velocity.c: update napi implementation
  Revert "cxgb3: Check and handle the dma mapping errors"
  be2net: Clear any capability flags that driver is not interested in.
  openvswitch: Reset tunnel key between input and output.
  openvswitch: Use correct type while allocating flex array.
  openvswitch: Fix bad merge resolution.
  tun: compare with 0 instead of total_len
  rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header
  ethernet/arc/arc_emac - fix NAPI "work > weight" warning
  ip_tunnel: Do not use inner ip-header-id for tunnel ip-header-id.
  bnx2x: prevent crash in shutdown flow with CNIC
  bnx2x: fix PTE write access error
  bnx2x: fix memory leak in VF
  ...

Ben Tebulin reported:

 "Since v3.7.2 on two independent machines a very specific Git
  repository fails in 9/10 cases on git-fsck due to an SHA1/memory
  failures.  This only occurs on a very specific repository and can be
  reproduced stably on two independent laptops.  Git mailing list ran
  out of ideas and for me this looks like some very exotic kernel issue"

and bisected the failure to the backport of commit 53a59fc6 ("mm:
limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT").

That commit itself is not actually buggy, but what it does is to make it
much more likely to hit the partial TLB invalidation case, since it
introduces a new case in tlb_next_batch() that previously only ever
happened when running out of memory.

The real bug is that the TLB gather virtual memory range setup is subtly
buggered.  It was introduced in commit 597e1c35 ("mm/mmu_gather:
enable tlb flush range in generic mmu_gather"), and the range handling
was already fixed at least once in commit e6c495a9 ("mm: fix the TLB
range flushed when __tlb_remove_page() runs out of slots"), but that fix
was not complete.

The problem with the TLB gather virtual address range is that it isn't
set up by the initial tlb_gather_mmu() initialization (which didn't get
the TLB range information), but it is set up ad-hoc later by the
functions that actually flush the TLB.  And so any such case that forgot
to update the TLB range entries would potentially miss TLB invalidates.

Rather than try to figure out exactly which particular ad-hoc range
setup was missing (I personally suspect it's the hugetlb case in
zap_huge_pmd(), which didn't have the same logic as zap_pte_range()
did), this patch just gets rid of the problem at the source: make the
TLB range information available to tlb_gather_mmu(), and initialize it
when initializing all the other tlb gather fields.

This makes the patch larger, but conceptually much simpler.  And the end
result is much more understandable; even if you want to play games with
partial ranges when invalidating the TLB contents in chunks, now the
range information is always there, and anybody who doesn't want to
bother with it won't introduce subtle bugs.

Ben verified that this fixes his problem.
Reported-bisected-and-tested-by: NBen Tebulin <tebulin@googlemail.com>
Build-testing-by: NStephen Rothwell <sfr@canb.auug.org.au>
Build-testing-by: NRichard Weinberger <richard.weinberger@gmail.com>
Reviewed-by: NMichal Hocko <mhocko@suse.cz>
Acked-by: NPeter Zijlstra <peterz@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Gateway LT27 needs a fixup for the inverted digital mic.
Reported-by: N"Nathanael D. Noblet" <nathanael@gnat.ca>
Cc: <stable@vger.kernel.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

In the previous QUERY_PAGES command version we used one command to get the
required amount of boot, init and post init pages.  The new version uses the
op_mod field to specify whether the query is for the required amount of boot,
init or post init pages. In addition the output field size for the required
amount of pages increased from 16 to 32 bits.

In MANAGE_PAGES command the input_num_entries and output_num_entries fields
sizes changed from 16 to 32 bits and the PAS tables offset changed to 0x10.

In the pages request event the num_pages field also changed to 32 bits.

In the HCA-capabilities-layout the size and location of max_qp_mcg field has
been changed to support 24 bits.

This patch isn't compatible with firmware versions < 5; however, it  turns out that the
first GA firmware we will publish will not support previous versions so this should be OK.
Signed-off-by: NMoshe Lazer <moshel@mellanox.com>
Signed-off-by: NEli Cohen <eli@mellanox.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The recent fix d9bf5f13 "tun: compare with 0 instead of total_len" is
not totally correct.  Because "len" and "sizeof()" are size_t type, that
means they are never less than zero.
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Acked-by: NMichael S. Tsirkin <mst@redhat.com>
Acked-by: NNeil Horman <nhorman@tuxdriver.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

o Do not allow interrupt test when adapter is resetting.
Signed-off-by: NManish Chopra <manish.chopra@qlogic.com>
Signed-off-by: NSucheta Chakraborty <sucheta.chakraborty@qlogic.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

o Driver was misinterpreting the return status for beacon
  state query leading to incorrect interpretation of beacon
  state and logging an error message for successful status.
  Fixed the driver to properly interpret the return status.
Signed-off-by: NSucheta Chakraborty <sucheta.chakraborty@qlogic.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Driver was issuing set driver version command through all
functions in the adapter. Fix the driver to issue set driver
version once per adapter, through function 0.
Signed-off-by: NHimanshu Madhani <himanshu.madhani@qlogic.com>
Signed-off-by: NSucheta Chakraborty <sucheta.chakraborty@qlogic.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Commit d8af4dfd ("net/tg3: Fix kernel crash") introduced a possible
NULL pointer dereference in tg3 driver when !netdev || !netif_running(netdev)
condition is met and netdev is NULL. Then, the jump to the 'done' label
calls dev_close() with a netdevice that is NULL. Therefore, only call
dev_close() when we have a netdevice, but one that is not running.

[ Add the same checks in tg3_io_slot_reset() per Gavin Shan - by Nithin
Nayak Sujir ]
Reported-by: NDave Jones <davej@redhat.com>
Signed-off-by: NDaniel Borkmann <dborkman@redhat.com>
Cc: Gavin Shan <shangw@linux.vnet.ibm.com>
Cc: Michael Chan <mchan@broadcom.com>
Signed-off-by: NNithin Nayak Sujir <nsujir@broadcom.com>
Signed-off-by: NNithin Nayak Sujir <nsujir@broadcom.com>
Signed-off-by: NMichael Chan <mchan@broadcom.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Merge tag 'asoc-v3.11-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v3.11

A few driver specific fixes here plus one core fix for a memory
corruption issue in DAPM initialisation which could lead to crashes.

The Tegra30 I2S driver was writing the AHUB interface parameters to the
playback path register rather than the capture path register. This
caused the capture parameters not to be configured at all, so if
capturing using non-HW-default parameters (e.g. 16-bit stereo rather
than 8-bit mono) the audio would be corrupted.

With this fixed, audio capture from an analog microphone works correctly
on the Cardhu board.

Cc: stable@vger.kernel.org
Signed-off-by: NStephen Warren <swarren@nvidia.com>
Signed-off-by: NMark Brown <broonie@linaro.org>

commit 56b765b7 ("htb: improved accuracy at high rates")
broke the "linklayer atm" handling.

 tc class add ... htb rate X ceil Y linklayer atm

The linklayer setting is implemented by modifying the rate table
which is send to the kernel.  No direct parameter were
transferred to the kernel indicating the linklayer setting.

The commit 56b765b7 ("htb: improved accuracy at high rates")
removed the use of the rate table system.

To keep compatible with older iproute2 utils, this patch detects
the linklayer by parsing the rate table.  It also supports future
versions of iproute2 to send this linklayer parameter to the
kernel directly. This is done by using the __reserved field in
struct tc_ratespec, to convey the choosen linklayer option, but
only using the lower 4 bits of this field.

Linklayer detection is limited to speeds below 100Mbit/s, because
at high rates the rtab is gets too inaccurate, so bad that
several fields contain the same values, this resembling the ATM
detect.  Fields even start to contain "0" time to send, e.g. at
1000Mbit/s sending a 96 bytes packet cost "0", thus the rtab have
been more broken than we first realized.
Signed-off-by: NJesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Jesse Gross says:

====================
Three bug fixes that are fairly small either way but resolve obviously
incorrect code. For net/3.11.
====================
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Drivers supporting NAPI should use a NAPI-specific function for receiving
packets.  Hence netif_rx is changed to netif_receive_skb.

Furthermore netif_napi_del should be used in the probe and remove function
to clean up the NAPI resource information.

Thanks to Francois Romieu, David Shwatrz and Rami Rosen for their help on
this patch.
Signed-off-by: NJulia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This reverts commit f83331ba.

As the tests PPC64 (powernv platform) show, IOMMU pages are leaking
when transferring big amount of small packets (<=64 bytes),
"ping -f" and waiting for 15 seconds is the simplest way to confirm the bug.

Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Santosh Rastapur <santosh@chelsio.com>
Cc: Jay Fenlason <fenlason@redhat.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Divy Le ray <divy@chelsio.com>
Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Acked-by: NDivy Le Ray <divy@chelsio.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

It is possible for some versions of firmware to advertise capabilities that driver
is not ready to handle. This may lead to controller stall. Since the driver is
interested only in subset of flags, clearing the rest.
Signed-off-by: NSarveshwar Bandi <sarveshwar.bandi@emulex.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

It doesn't make sense to output a tunnel packet using the same
parameters that it was received with since that will generally
just result in the packet going back to us. As a result, userspace
assumes that the tunnel key is cleared when transitioning through
the switch. In the majority of cases this doesn't matter since a
packet is either going to a tunnel port (in which the key is
overwritten with new values) or to a non-tunnel port (in which
case the key is ignored). However, it's theoreticaly possible that
userspace could rely on the documented behavior, so this corrects
it.
Signed-off-by: NJesse Gross <jesse@nicira.com>

Flex array is used to allocate hash buckets which is type struct
hlist_head, but we use `struct hlist_head *` to calculate
array size.  Since hlist_head is of size pointer it works fine.

Following patch use correct type.
Signed-off-by: NPravin B Shelar <pshelar@nicira.com>
Signed-off-by: NJesse Gross <jesse@nicira.com>

git silently included an extra hunk in vport_cmd_set() during
automatic merging. This code is unreachable so it does not actually
introduce a problem but it is clearly incorrect.
Signed-off-by: NJesse Gross <jesse@nicira.com>

Make sure to fail properly if the device is not accepted during attach
in order to avoid null-pointer derefs (of missing interface private
data) at disconnect or release.

Cc: stable@vger.kernel.org
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

The parallel-port code of the drivers used a stack allocated
control-request buffer for asynchronous (and possibly deferred) control
requests. This not only violates the no-DMA-from-stack requirement but
could also lead to corrupt control requests being submitted.

Cc: stable@vger.kernel.org
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

These devices tend to become unresponsive after S3
Signed-off-by: NOliver Neukum <oneukum@suse.de>
CC: stable@vger.kernel.org
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Merge a bunch of fixes from Andrew Morton.

* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
  fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
  arch: *: Kconfig: add "kernel/Kconfig.freezer" to "arch/*/Kconfig"
  ocfs2: fix null pointer dereference in ocfs2_dir_foreach_blk_id()
  x86 get_unmapped_area(): use proper mmap base for bottom-up direction
  ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page
  ocfs2: Revert 40bd62eb to avoid regression in extended allocation
  drivers/rtc/rtc-stmp3xxx.c: provide timeout for potentially endless loop polling a HW bit
  hugetlb: fix lockdep splat caused by pmd sharing
  aoe: adjust ref of head for compound page tails
  microblaze: fix clone syscall
  mm: save soft-dirty bits on file pages
  mm: save soft-dirty bits on swapped pages
  memcg: don't initialize kmem-cache destroying work for root caches

Explicitly truncate the second operand of do_div() to 32 bits to guard
against bogus code calling it with a 64-bit divisor.

[Thorsten]

After upgrading from 3.2 to 3.10, mounting a btrfs volume fails with:

btrfs: setting nodatacow, compression disabled
btrfs: enabling auto recovery
btrfs: disk space caching is enabled
*** ZERO DIVIDE ***   FORMAT=2
Current process id is 722
BAD KERNEL TRAP: 00000000
Modules linked in: evdev mac_hid ext4 crc16 jbd2 mbcache btrfs xor lzo_compress zlib_deflate raid6_pq crc32c libcrc32c
PC: [<319535b2>] __btrfs_map_block+0x11c/0x119a [btrfs]
SR: 2000  SP: 30c1fab4  a2: 30f0faf0
d0: 00000000    d1: 00001000    d2: 00000000    d3: 00000000
d4: 00010000    d5: 00000000    a0: 3085c72c    a1: 3085c72c
Process mount (pid: 722, task=30f0faf0)
Frame format=2 instr addr=319535ae
Stack from 30c1faec:
        00000000 00000020 00000000 00001000 00000000 01401000 30253928 300ffc00
        00a843ac 3026f640 00000000 00010000 0009e250 00d106c0 00011220 00000000
        00001000 301c6830 0009e32a 000000ff 00000009 3085c72c 00000000 00000000
        30c1fd14 00000000 00000020 00000000 30c1fd14 0009e26c 00000020 00000003
        00000000 0009dd8a 300b0b6c 30253928 00a843ac 00001000 00000000 00000000
        0000a008 3194e76a 30253928 00a843ac 00001000 00000000 00000000 00000002
Call Trace: [<00001000>] kernel_pg_dir+0x0/0x1000

    [...]

Code: 222e ff74 2a2e ff5c 2c2e ff60 4c45 1402 <2d40> ff64 2d41 ff68 2205 4c2e 1800 ff68 4c04 0800 2041 d1c0 2206 4c2e 1400 ff68

[Geert]

As diagnosed by Andreas, fs/btrfs/volumes.c:__btrfs_map_block()
calls

    do_div(stripe_nr, stripe_len);

with stripe_len u64, while do_div() assumes the divisor is a 32-bit number.

Due to the lack of truncation in the m68k-specific implementation of
do_div(), the division is performed using the upper 32-bit word of
stripe_len, which is zero.

This was introduced by commit 53b381b3
("Btrfs: RAID5 and RAID6"), which changed the divisor from
map->stripe_len (struct map_lookup.stripe_len is int) to a 64-bit temporary.
Reported-by: NThorsten Glaser <tg@debian.org>
Signed-off-by: NAndreas Schwab <schwab@linux-m68k.org>
Tested-by: NThorsten Glaser <tg@debian.org>
Signed-off-by: NGeert Uytterhoeven <geert@linux-m68k.org>
Cc: stable@vger.kernel.org

As pointed out by Andreas Schwab, pointers passed to ARAnyM NatFeat calls
should be physical addresses, not virtual addresses.

Fortunately on Atari, physical and virtual kernel addresses are the same,
as long as normal kernel memory is concerned, so this usually worked fine
without conversion.

But for modules, pointers to literal strings are located in vmalloc()ed
memory. Depending on the version of ARAnyM, this causes the nf_get_id()
call to just fail, or worse, crash ARAnyM itself with e.g.

    Gotcha! Illegal memory access. Atari PC = $968c

This is a big issue for distro kernels, who want to have all drivers as
loadable modules in an initrd.

Add a wrapper for nf_get_id() that copies the literal to the stack to
work around this issue.
Reported-by: NThorsten Glaser <tg@debian.org>
Signed-off-by: NGeert Uytterhoeven <geert@linux-m68k.org>
Cc: stable@vger.kernel.org

Since we set "len = total_len" in the beginning of tun_get_user(),
so we should compare the new len with 0, instead of total_len,
or the if statement always returns false.
Signed-off-by: NWeiping Pan <wpan@redhat.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Fix the iproute2 command `bridge vlan show`, after switching from
rtgenmsg to ifinfomsg.

Let's start with a little history:

Feb 20:   Vlad Yasevich got his VLAN-aware bridge patchset included in
          the 3.9 merge window.
          In the kernel commit 6cbdceeb, he added attribute support to
          bridge GETLINK requests sent with rtgenmsg.

Mar 6th:  Vlad got this iproute2 reference implementation of the bridge
          vlan netlink interface accepted (iproute2 9eff0e5c)

Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca)
          http://patchwork.ozlabs.org/patch/239602/
          http://marc.info/?t=136680900700007

Apr 28th: Linus released 3.9

Apr 30th: Stephen released iproute2 3.9.0

The `bridge vlan show` command haven't been working since the switch to
ifinfomsg, or in a released version of iproute2. Since the kernel side
only supports rtgenmsg, which iproute2 switched away from just prior to
the iproute2 3.9.0 release.

I haven't been able to find any documentation, about neither rtgenmsg
nor ifinfomsg, and in which situation to use which, but kernel commit
88c5b5ce seams to suggest that ifinfomsg should be used.

Fixing this in kernel will break compatibility, but I doubt that anybody
have been using it due to this bug in the user space reference
implementation, at least not without noticing this bug. That said the
functionality is still fully functional in 3.9, when reversing iproute2
commit 63338dca.

This could also be fixed in iproute2, but thats an ugly patch that would
reintroduce rtgenmsg in iproute2, and from searching in netdev it seams
like rtgenmsg usage is discouraged. I'm assuming that the only reason
that Vlad implemented the kernel side to use rtgenmsg, was because
iproute2 was using it at the time.
Signed-off-by: NAsbjoern Sloth Toennesen <ast@fiberby.net>
Reviewed-by: NVlad Yasevich <vyasevich@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Recently we met quite a lot of random kernel panic issues after enabling
CONFIG_PROC_PAGE_MONITOR.  After debuggind we found this has something
to do with following bug in pagemap:

In struct pagemapread:

  struct pagemapread {
      int pos, len;
      pagemap_entry_t *buffer;
      bool v2;
  };

pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
buffer, it is a mistake to compare pos and len in add_page_map() for
checking buffer is full or not, and this can lead to buffer overflow and
random kernel panic issue.

Correct len to be total number of PM_ENTRY_BYTES in buffer.

[akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
Signed-off-by: NYonghua Zheng <younghua.zheng@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

All architectures include "kernel/Kconfig.freezer" except three left, so
let them include it too, or 'allmodconfig' will report error.

The related errors: (with allmodconfig for openrisc):

    CC      kernel/cgroup_freezer.o
  kernel/cgroup_freezer.c: In function 'freezer_css_online':
  kernel/cgroup_freezer.c:133:15: error: 'system_freezing_cnt' undeclared (first use in this function)
  kernel/cgroup_freezer.c:133:15: note: each undeclared identifier is reported only once for each function it appears in
  kernel/cgroup_freezer.c: In function 'freezer_css_offline':
  kernel/cgroup_freezer.c:157:15: error: 'system_freezing_cnt' undeclared (first use in this function)
  kernel/cgroup_freezer.c: In function 'freezer_attach':
  kernel/cgroup_freezer.c:200:4: error: implicit declaration of function 'freeze_task'
  kernel/cgroup_freezer.c: In function 'freezer_apply_state':
  kernel/cgroup_freezer.c:371:16: error: 'system_freezing_cnt' undeclared (first use in this function)
Signed-off-by: NChen Gang <gang.chen@asianux.com>
Cc: Richard Kuo <rkuo@codeaurora.org>
Cc: Jonas Bonn <jonas@southpole.se>
Cc: Chen Liqin <liqin.chen@sunplusct.com>
Cc: Lennox Wu <lennox.wu@gmail.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Fix a NULL pointer deference while removing an empty directory, which
was introduced by commit 3704412b ("[readdir] convert ocfs2").

  BUG: unable to handle kernel NULL pointer dereference at (null)
  IP: [<(null)>]           (null)
  PGD 6da85067 PUD 6da89067 PMD 0
  Oops: 0010 [#1] SMP
  CPU: 0 PID: 6564 Comm: rmdir Tainted: G           O 3.11.0-rc1 #4
  RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
  Call Trace:
    ocfs2_dir_foreach+0x49/0x50 [ocfs2]
    ocfs2_empty_dir+0x12c/0x3e0 [ocfs2]
    ocfs2_unlink+0x56e/0xc10 [ocfs2]
    vfs_rmdir+0xd5/0x140
    do_rmdir+0x1cb/0x1e0
    SyS_rmdir+0x16/0x20
    system_call_fastpath+0x16/0x1b
  Code:  Bad RIP value.
  RIP  [<          (null)>]           (null)
  RSP <ffff88006daddc10>
  CR2: 0000000000000000

[dan.carpenter@oracle.com: fix pointer math]
Signed-off-by: NJie Liu <jeff.liu@oracle.com>
Reported-by: NDavid Weber <wb@munzinger.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Mark Fasheh <mfasheh@suse.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>