The RDMACTXT_F_LAST_CTXT bit was getting set incorrectly
when the last chunk in the read-list spanned multiple pages. This
resulted in a kernel panic when the wrong context was used to
build the RPC iovec page list.

RDMA_READ is used to fetch RPC data from the client for
NFS_WRITE requests. A scatter-gather is used to map the
advertised client side buffer to the server-side iovec and
associated page list.

WR contexts are used to convey which scatter-gather entries are
handled by each WR. When the write data is large, a single RPC may
require multiple RDMA_READ requests so the contexts for a single RPC
are chained together in a linked list. The last context in this list
is marked with a bit RDMACTXT_F_LAST_CTXT so that when this WR completes,
the CQ handler code can enqueue the RPC for processing.

The code in rdma_read_xdr was setting this bit on the last two
contexts on this list when the last read-list chunk spanned multiple
pages. This caused the svc_rdma_recvfrom logic to incorrectly build
the RPC and caused the kernel to crash because the second-to-last
context doesn't contain the iovec page list.

Modified the condition that sets this bit so that it correctly detects
the last context for the RPC.
Signed-off-by: NTom Tucker <tom@opengridcomputing.com>
Tested-by: NRoland Dreier <rolandd@cisco.com>
Signed-off-by: NJ. Bruce Fields <bfields@citi.umich.edu>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

This reverts commit 8fa5913d, which
caused various interesting problems for people, including wrong resource
allocations.  See for example bugzilla entry "2.6.25-rc2: ohci1394
problem (MMIO broken)" at

	http://bugzilla.kernel.org/show_bug.cgi?id=10080

And Gary Hade says:

 "The same change had also exposed an issue reported by Paul Martin that
  has been causing an Oops while hotplugging ThinkPads to a ThinkPad
  Dock II.  See

	http://lkml.org/lkml/2008/2/19/405
	http://bugzilla.kernel.org/show_bug.cgi?id=9961

  I have a fix for the ThinkPad docking Oops but if the issue being
  discussed here is caused by the transparent bridge sizing removal
  change I totally agree that it should be reverted."

  The transparent bridge sizing removal change was motivated by
  insufficient PCI memory resource for a transparent bridge window that
  was being created as a result of expansion ROM(s) being included in
  the transparent bridge sizing calculations.

  A later "PCI: Remove default PCI expansion ROM memory allocation"
  change ( re: http://lkml.org/lkml/2007/12/11/361 ) removes the
  expansion ROM(s) from the transparent bridge sizing calculations which
  actually resolves the original issue in a different manner.  So, even
  if the "PCI: remove transparent bridge sizing" is not problematic it
  is no longer needed anyway."
Identified-by: NIvan Kokshaysky <ink@jurassic.park.msu.ru>
Tested-by: NThomas Meyer <thomas@m3y3r.de>
Acked-by: NGary Hade <garyhade@us.ibm.com>
Acked-by: NIngo Molnar <mingo@elte.hu>
Cc: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

This fixes the builtin RTL8139 NIC on the Medion MD9580-F laptop.  The
BIOS reports the interrupt routing incorrectly.  I recently added a
quirk to work around this, and this patch fixes a typo in the quirk.

We pad every ACPI pathname component to four characters, so ".ISA." will
never match anything.  We need ".ISA_." instead.

Thank you Johann-Nikolaus Andreae <johann-nikolaus.andreae@nacs.de>
for patiently testing this patch.

See http://bugzilla.kernel.org/show_bug.cgi?id=4773Signed-off-by: NBjorn Helgaas <bjorn.helgaas@hp.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

* 'i2c-for-linus' of git://jdelvare.pck.nerim.net/jdelvare-2.6:
  i2c: Fix docbook problem
  ASoC/TLV320AIC3X: Stop I2C driver ID abuse
  i2c-omap: Fix unhandled fault
  i2c-bfin-twi: Disable BF54x support for now

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/avi/kvm:
  KVM: MMU: Fix memory leak on guest demand faults
  KVM: VMX: convert init_rmode_tss() to slots_lock
  KVM: MMU: handle page removal with shadow mapping
  KVM: MMU: Fix is_rmap_pte() with io ptes
  KVM: VMX: Restore tss even on x86_64

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
  [PATCH] get stack footprint of pathname resolution back to relative sanity
  [PATCH] double iput() on failure exit in hugetlb
  [PATCH] double dput() on failure exit in tiny-shmem
  [PATCH] fix up new filp allocators
  [PATCH] check for null vfsmount in dentry_open()
  [PATCH] reiserfs: eliminate private use of struct file in xattr
  [PATCH] sanitize hppfs
  hppfs pass vfsmount to dentry_open()
  [PATCH] restore export of do_kern_mount()

While backporting 72dc67a6, a gfn_to_page()
call was duplicated instead of moved (due to an unrelated patch not being
present in mainline).  This caused a page reference leak, resulting in a
fairly massive memory leak.

Fix by removing the extraneous gfn_to_page() call.
Signed-off-by: NAvi Kivity <avi@qumranet.com>

init_rmode_tss was forgotten during the conversion from mmap_sem to
slots_lock.

INFO: task qemu-system-x86:3748 blocked for more than 120 seconds.
Call Trace:
 [<ffffffff8053d100>] __down_read+0x86/0x9e
 [<ffffffff8053fb43>] do_page_fault+0x346/0x78e
 [<ffffffff8053d235>] trace_hardirqs_on_thunk+0x35/0x3a
 [<ffffffff8053dcad>] error_exit+0x0/0xa9
 [<ffffffff8035a7a7>] copy_user_generic_string+0x17/0x40
 [<ffffffff88099a8a>] :kvm:kvm_write_guest_page+0x3e/0x5f
 [<ffffffff880b661a>] :kvm_intel:init_rmode_tss+0xa7/0xf9
 [<ffffffff880b7d7e>] :kvm_intel:vmx_vcpu_reset+0x10/0x38a
 [<ffffffff8809b9a5>] :kvm:kvm_arch_vcpu_setup+0x20/0x53
 [<ffffffff8809a1e4>] :kvm:kvm_vm_ioctl+0xad/0x1cf
 [<ffffffff80249dea>] __lock_acquire+0x4f7/0xc28
 [<ffffffff8028fad9>] vfs_ioctl+0x21/0x6b
 [<ffffffff8028fd75>] do_vfs_ioctl+0x252/0x26b
 [<ffffffff8028fdca>] sys_ioctl+0x3c/0x5e
 [<ffffffff8020b01b>] system_call_after_swapgs+0x7b/0x80
Signed-off-by: NMarcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: NAvi Kivity <avi@qumranet.com>

Do not assume that a shadow mapping will always point to the same host
frame number.  Fixes crash with madvise(MADV_DONTNEED).

[avi: move after first printk(), add another printk()]
Signed-off-by: NMarcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: NAvi Kivity <avi@qumranet.com>

is_rmap_pte() doesn't take into account io ptes, which have the avail bit set.
Signed-off-by: NAvi Kivity <avi@qumranet.com>

The vmx hardware state restore restores the tss selector and base address, but
not its length.  Usually, this does not matter since most of the tss contents
is within the default length of 0x67.  However, if a process is using ioperm()
to grant itself I/O port permissions, an additional bitmap within the tss,
but outside the default length is consulted.  The effect is that the process
will receive a SIGSEGV instead of transparently accessing the port.

Fix by restoring the tss length.  Note that i386 had this working already.

Closes bugzilla 10246.
Signed-off-by: NAvi Kivity <avi@qumranet.com>

* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6:
  USB: Fix cut-and-paste error in rtl8150.c
  USB: ehci: stop vt6212 bus hogging
  USB: sierra: add another device id
  USB: sierra: dma fixes
  USB: add support for Motorola ROKR Z6 cellphone in mass storage mode
  USB: isd200: fix memory leak in isd200_get_inquiry_data
  USB: pl2303: another product ID
  USB: new quirk flag to avoid Set-Interface
  USB: fix gadgetfs class request delegation

* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-2.6:
  driver core: debug for bad dev_attr_show() return value.
  UIO: add pgprot_noncached() to UIO mmap code

Revert as it is reported to cause problems for people.

commit 4348a2dc
Author: Shaohua Li <shaohua.li@intel.com>
Date:   Wed Oct 24 10:45:08 2007 +0800

    pcie: utilize pcie transaction pending bit

    PCIE has a mechanism to wait for Non-Posted request to complete. I think
    pci_disable_device is a good place to do this.
Signed-off-by: NShaohua Li <shaohua.li@intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Due to the regression reported at
http://bugzilla.kernel.org/show_bug.cgi?id=10065

Cc: Shaohua Li <shaohua.li@intel.com>
Cc: Soeren Sonnenburg <kernel@nn7.de>
Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

lockdep goes off on the iova copy_reserved_iova() because it and a function
it calls grabs locks in the from, and the to of the copy operation.

The function grab locks of the same lock classes triggering the warning.  The
first lock grabbed is for the constant reserved areas that is never accessed
after early boot.  Technically you could do without grabbing the locks for the
"from" structure its copying reserved areas from.

But dropping the from locks to me looks wrong, even though it would be ok.

The affected code only runs in early boot as its setting up the DMAR
engines.

This patch gives the reserved_ioval_list locks special lockdep classes.
Signed-off-by: NMark Gross <mgross@linux.intel.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Try to find the culprit who caused
http://bugzilla.kernel.org/show_bug.cgi?id=10150

Cc: <balajirrao@gmail.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Mapping of physical memory in UIO needs pgprot_noncached() to ensure
that IO memory is not cached. Without pgprot_noncached(), it (accidentally)
works on x86 and arm, but fails on PPC.
Signed-off-by: NJean-Samuel Chenard <jsamch@gmail.com>
Signed-off-by: NHans J Koch <hjk@linutronix.de>
Cc: stable <stable@kernel.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Signed-off-by: NRobert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

The VIA VT6212 defaults to only waiting 1us between passes over EHCI's
async ring, which hammers PCI badly ... and by preventing other devices
from accessing the bus, causes problems like drops in IDE throughput,
a problem that's been bugging users of those chips for several years.

A (partial) datasheet for this chip eventually turned up, letting us
see how to make it use a VIA-specific register to switch over to the
the normal 10us value instead, as suggested by the EHCI specification
Solution noted by Lev A. Melnikovsky.

It's not clear whether this register exists on other VIA chips; we
know that it's ineffective on the vt8235.  So this patch only applies
to chips that seem to be incarnations of the (discrete) vt6212.
Signed-off-by: NRene Herman <rene.herman@gmail.com>
Tested-by: NLev A. Melnikovsky <melnikovsky@mail.ru>
Tested-by: NAlessandro Suardi <alessandro.suardi@gmail.com>
Signed-off-by: NDavid Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Add support for the MC8775 device to the sierra driver.
Signed-off-by: NKevin Lloyd <klloyd@sierrawireless.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

while I was adding autosuspend to that driver I noticed a few issues.
You were having DMAed buffers as a part of a structure.
This will fail on platforms that are not DMA-coherent (arm, sparc, ppc, ...)
Please test this patch to fix it.
Signed-off-by: NKevin Lloyd <klloyd@sierrawireless.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Motorola ROKR Z6 cellphone has bugs in its USB, so it is impossible to use
it as mass storage. Patch describes new "unusual" USB device for it with
FIX_INQUIRY and FIX_CAPACITY flags and new BULK_IGNORE_TAG flag.
Last flag relaxes check for equality of bcs->Tag and us->tag in
usb_stor_Bulk_transport routine.
Signed-off-by: NConstantin Baranov <const@tltsu.ru>
Signed-off-by: NMatthew Dharm <mdharm-usb@one-eyed-alien.net>
Signed-off-by: NDaniel Drake <dsd@gentoo.org>
Cc: stable <stable@kernel.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

If the inquiry fails then the info structure on us->extra was not freed.
Signed-off-by: NBoaz Harrosh <bharrosh@panasas.com>
Acked-by: NAlan Stern <stern@rowland.harvard.edu>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Device like this http://aldiga.com/english/A-100-USB-EDGE10.htm
contains Prolific 2303 chip.
Actually their site a bit outdated - I have AlDiga AL-11U
GSM/GPRS/EDGE modem and it works with pl2303 module after adding
corresponding product ID.

By default modem uses baud rate 460800.  GSM chipset - SIMCom SIM600,
quad band 850/900/1800/1900 MHz

Device info:

T:  Bus=04 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  5 Spd=12  MxCh= 0
D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
P:  Vendor=067b ProdID=0611 Rev= 0.00
C:* #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=pl2303
E:  Ad=81(I) Atr=03(Int.) MxPS=  10 Ivl=1ms
E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms

From: Max Arnold <lwarxx@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

This patch (as1057) fixes a problem with the X-Rite/Gretag-Macbeth
Eye-One Pro display colorimeter; the device crashes when it receives a
Set-Interface request.  A new quirk (USB_QUIRK_NO_SET_INTF) is
introduced and a quirks entry is created for this device.
Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@kernel.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

gadgetfs (drivers/usb/gadget/inode.c) was not delegating all
non-device requests to userspace.  This patch makes the handling of
all request cases consistent.
Signed-off-by: NRoy Hashimoto <hashimot@alumni.caltech.edu>
Acked-by: NDavid Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc:
  [POWERPC] mpc5200: Fix incorrect compatible string for the mdio node
  [POWERPC] Update some defconfigs

* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev:
  [libata] ahci: SB600 workaround is suspect... play it safe for now
  sata_promise: fix hardreset hotplug events, take 2
  libata: improve HPA error handling
  libata: assume no device is attached if both IDENTIFYs are aborted
  pata_it821x: use raw nbytes in check_atapi_dma
  libata: implement ata_qc_raw_nbytes()

At least one report claims that a878539e
failed to solve lockups, whereas the old limit-to-32-bit trick worked.

Restore the 32-bit limit, but also leave the 255-sector limit in place,
because we know that's needed as well.
Signed-off-by: NJeff Garzik <jgarzik@redhat.com>

* git://git.kernel.org/pub/scm/linux/kernel/git/sam/kbuild-linus:
  kbuild: soften modpost checks when doing cross builds

A Promise SATA controller will signal hotplug events when a hard
reset (COMRESET) is done on a port. These events aren't masked by
the driver, and the unexpected interrupts will cause a sequence
of failed reset attempts util libata's EH finally gives up.

This has not been a common problem so far, but the pending libata
hardreset-by-default changes makes it a critical issue.

The solution is to disable hotplug events before a reset, and to
reenable them afterwards. (Promise's driver does this too.)

This patch adds SATA-specific versions of ->freeze() and ->thaw()
that also disable and enable hotplug events. PATA ports continue
to use the old versions of ->freeze() and ->thaw().

Accesses to the hotplug register must be serialised via host->lock.
We rely on ap->lock == &ap->host->lock and that libata takes this
lock before ->freeze() and ->thaw(). Document this requirement.
The interrupt handler is adjusted so its hotplug register accesses
are inside the region protected by host->lock.

Tested on various chips (SATA300TX4, SATA300TX2plus, SATAII150TX4,
FastTrack TX4000) with various combinations of SATA and PATA disks,
with and without the pending hardreset-by-default changes.
Signed-off-by: NMikael Pettersson <mikpe@it.uu.se>
Acked-by: NTejun Heo <htejun@gmail.com>
Signed-off-by: NJeff Garzik <jeff@garzik.org>

The printk() logic on when/how to get the console semaphore was
unreadable, this splits the code up into a few helper functions and
makes it easier to follow what is going on.
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

In case we're accounting from a sub-namespace, the tgids reported will not
refer to the right namespace.

Save the pid_namespace we're accounting in on the acct_glbs and use it in
do_acct_process.

Two less :) places using the task_struct.tgid member.
Signed-off-by: NPavel Emelyanov <xemul@openvz.org>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

This is minor, but dereferencing even current real_parent is not safe on debug
kernels, since the memory, this points to, can be unmapped - RCU protection is
required.

Besides, the tgid field is deprecated and is to be replaced with task_tgid_xxx
call (the 2nd patch), so RCU will be required anyway.
Signed-off-by: NPavel Emelyanov <xemul@openvz.org>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Revert commit f1a9ee75:

  Author: Rik van Riel <riel@redhat.com>
  Date:   Thu Feb 7 00:14:08 2008 -0800

    kswapd should only wait on IO if there is IO

    The current kswapd (and try_to_free_pages) code has an oddity where the
    code will wait on IO, even if there is no IO in flight.  This problem is
    notable especially when the system scans through many unfreeable pages,
    causing unnecessary stalls in the VM.

    Additionally, tasks without __GFP_FS or __GFP_IO in the direct reclaim path
    will sleep if a significant number of pages are encountered that should be
    written out.  This gives kswapd a chance to write out those pages, while
    the direct reclaim task sleeps.
Signed-off-by: NRik van Riel <riel@redhat.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Because of large latencies and interactivity problems reported by Carlos,
here: http://lkml.org/lkml/2008/3/22/211

Cc: Rik van Riel <riel@redhat.com>
Cc: "Carlos R.  Mafra" <crmafra2@gmail.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Update documentation for the hw_random support to be current:

 - Documentation/hw_random.txt has been updated to reflect the
   current code:  it's a framework now, a "core" with a small
   sysfs interface, that hardware-specific drivers plug in to.
   Text specific to Intel hardware is now at the end.

 - Kconfig now references the Documentation/hw_random.txt file
   and better explains what this really does.

Both chunks of documentation now higlight the fact that the kernel entropy
pool is maintained by "rngd", and this driver has nothing directly to do with
that important task.
Signed-off-by: NDavid Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Older smackfs was parsing MAC rules by characters, thus a need of locking
write sessions on open() was needed.  This lock is no longer useful now since
each rule is handled by a single write() call.

This is also a bugfix since seq_open() was not called if an open() O_RDWR flag
was given, leading to a seq_read() without an initialized seq_file, thus an
Oops.
Signed-off-by: NAhmed S. Darwish <darwish.07@gmail.com>
Reported-by: NJonathan Corbet <corbet@lwn.net>
Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

As Paul pointed out, the ACCESS_ONCE are not needed because we already have
the explicit surrounding memory barriers.
Signed-off-by: NMathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Mike Mason <mmlnx@us.ibm.com>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Cc: David Smith <dsmith@redhat.com>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Adrian Bunk <adrian.bunk@movial.fi>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>