Commit 1ae5c187 ("IB/uverbs: Don't store struct file * for event
files") changed the way that closed files are handled in the uverbs
code.  However, after the conversion, is_closed flag is checked
incorrectly in ib_uverbs_async_handler().  As a result, no async
events are ever passed to applications.

Found by: Ronni Zimmerman <ronniz@mellanox.co.il>
Signed-off-by: NJack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: NRoland Dreier <rolandd@cisco.com>

nes_reg_user_mr() should fail if page_count becomes >= 1024 * 512
rather than just testing for strict >, because page_count is
essentially used as an index into an array with 1024 * 512 entries, so
allowing the loop to continue with page_count == 1024 * 512 means that
memory after the end of the array is corrupted.  This leads to a crash
triggerable by a userspace application that requests registration of a
too-big region.

Also get rid of the call to pci_free_consistent() here to avoid
corrupting state with a double free, since the same memory will be
freed in the code jumped to at reg_user_mr_err.
Signed-off-by: NRoland Dreier <rolandd@cisco.com>

Cc: Michal Ostrowski <mostrows@earthlink.net>
Signed-off-by: NChris Wright <chrisw@sous-sol.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
  IB/core: Remove IB_DEVICE_SEND_W_INV capability flag
  IB/umem: Avoid sign problems when demoting npages to integer

* git://git.infradead.org/users/cbou/battery-2.6.26:
  power_supply: Fix race in power_supply_uevent

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/blackfin-2.6:
  Blackfin serial driver: fix up tty core set_ldisc API change breakage bug
  Blackfin arch: protect only the SPI bus controller with CONFIG_SPI_BFIN
  Blackfin arch: fixup warnings with the new cplb saved values
  Blackfin Serial Driver: Clean up BF54x macro in blackfin UART driver.

Commit 54d29ad3 (Power Supply: fix race
in device_create) introduced a race in power_supply_uevent. Previously it
checked that power_supply is available by checking for dev->driver_data.
But now dev->driver_data is set before power_supply->dev is initialised.
Signed-off-by: NDmitry Baryshkov <dbaryshkov@gmail.com>
Signed-off-by: NAnton Vorontsov <cbouatmailru@gmail.com>

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/davej/cpufreq:
  [CPUFREQ] Fix format string bug.

Format string bug.  Not exploitable, as this is only writable by root,
but worth fixing all the same.
Spotted-by: NIlja van Sprundel <ilja@netric.org>
Signed-off-by: NDave Jones <davej@redhat.com>

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
  [ALSA] hda - Fix "alc262_sony_unsol[]" hda_verb array

* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc:
  [POWERPC] ehea: Remove dependency on MEMORY_HOTPLUG
  [POWERPC] Make walk_memory_resource available with MEMORY_HOTPLUG=n
  [POWERPC] Use dev_set_name in pci_64.c
  [POWERPC] Fix incorrect enabling of VMX when building signal or user context
  [POWERPC] boot/Makefile CONFIG_ variable fixes

* git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6.26:
  sh: Add -mno-fdpic to default flags.
  sh: add resource of USB host for SH7723
  usb: r8a66597-hcd: Add support for SH7723 USB host
  sh: Fix compile error SH7763 setup code
  sh: Add SH7723 SCIF support

Minor source code cleanup of page flags in mm/page_alloc.c.
Move the definition of the groups of bits to page-flags.h.

The purpose of this clean up is that the next patch will
conditionally add a page flag to the groups.  Doing that
in a header file is cleaner than adding #ifdefs to the
C code.
Signed-off-by: NRuss Anderson <rja@sgi.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Commit 30f2f0eb ("block: do_mounts -
accept root=<non-existant partition>") extended blk_lookup_devt() to be
able to look up partitions that had not yet been registered, but in the
process made the assumption that the '&block_class.devices' list only
contains disk devices and that you can do 'dev_to_disk(dev)' on them.

That isn't actually true.  The block_class device list also contains the
partitions we've discovered so far, and you can't just do a
'dev_to_disk()' on those.

So make sure to only work on devices that block/genhd.c has registered
itself, something we can test by checking the 'dev->type' member.  This
makes the loop in blk_lookup_devt() match the other such loops in this
file.

[ We may want to do an alternate version that knows to handle _either_
  whole-disk devices or partitions, but for now this is the minimal fix
  for a series of crashes reported by Mariusz Kozlowski in

	http://lkml.org/lkml/2008/5/25/25

  and Ingo in

	http://lkml.org/lkml/2008/6/9/39 ]
Reported-by: NMariusz Kozlowski <m.kozlowski@tuxland.pl>
Reported-by: NIngo Molnar <mingo@elte.hu>
Cc: Neil Brown <neilb@suse.de>
Cc: Joao Luis Meloni Assirati <assirati@nonada.if.usp.br>
Acked-by: NKay Sievers <kay.sievers@vrfy.org>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

In 2.6.26, we added some support for send with invalidate work
requests, including a device capability flag to indicate whether a
device supports such requests.  However, the support was incomplete:
the completion structure was not extended with a field for the key
contained in incoming send with invalidate requests.

Full support for memory management extensions (send with invalidate,
local invalidate, fast register through a send queue, etc) is planned
for 2.6.27.  Since send with invalidate is not very useful by itself,
just remove the IB_DEVICE_SEND_W_INV bit before the 2.6.26 final
release; we will add an IB_DEVICE_MEM_MGT_EXTENSIONS bit in 2.6.27,
which makes things simpler for applications, since they will not have
quite as confusing an array of fine-grained bits to check.
Signed-off-by: NRoland Dreier <rolandd@cisco.com>

I think that hda_verb array must have "terminator (empty array)".
But alc262_sony_unsol[] does not have it.
And it causes gcc-4.3's buggy behavior
with snd_hda_sequence_write().
Signed-off-by: NAkio Idehara <zbe64533@gmail.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>

Presently the --fdpic specifier and the --isa matching clash when
building with FDPIC toolchains. As we have no interest in building the
kernel with --fdpic in the first place, always try to add in -mno-fdpic
to the default flags.
Signed-off-by: NPaul Mundt <lethal@linux-sh.org>

Signed-off-by: NYoshihiro Shimoda <shimoda.yoshihiro@renesas.com>
Signed-off-by: NPaul Mundt <lethal@linux-sh.org>

R8A66597 is similar to SH7723 USB 2.0 Host/Function module.
In addition, the USB of SH7366 is compatible with SH7723.
It can support SH7723 USB host by changing Kconfig.
Signed-off-by: NYoshihiro Shimoda <shimoda.yoshihiro@renesas.com>
Acked-by: NGreg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: NPaul Mundt <lethal@linux-sh.org>

SH7763's setup code use old DECLARE_INTC_DESC.
There was a compile error because of this.
Signed-off-by: NNobuhiro Iwamatsu <iwamatsu.nobuhiro@renesas.com>
Signed-off-by: NPaul Mundt <lethal@linux-sh.org>

Signed-off-by: NYusuke Goda <goda.yusuke@renesas.com>
Signed-off-by: NPaul Mundt <lethal@linux-sh.org>

Now that walk_memory_resource() is available regardless of
MEMORY_HOTPLUG's setting, this dependency is not needed.
Signed-off-by: NNathan Lynch <ntl@pobox.com>
Acked-by: NJeff Garzik <jeff@garzik.org>
Acked-by: NYasunori Goto <y-goto@jp.fujitsu.com>
Signed-off-by: NPaul Mackerras <paulus@samba.org>

The ehea driver was recently changed[1] to use walk_memory_resource() to
detect the system's memory layout.  However, walk_memory_resource() is
available only when memory hotplug is enabled.  So CONFIG_EHEA was
made to depend on MEMORY_HOTPLUG [2], but it is inappropriate for a
network driver to have such a dependency.

Make the declaration of walk_memory_resource() and its powerpc
implementation (ehea is powerpc-specific) unconditionally available.

[1] 48cfb14f
    "ehea: Add DLPAR memory remove support"

[2] fb7b6ca2
    "ehea: Add dependency to Kconfig"
Signed-off-by: NNathan Lynch <ntl@pobox.com>
Acked-by: NBadari Pulavarty <pbadari@us.ibm.com>
Signed-off-by: NPaul Mackerras <paulus@samba.org>

During the next merge window, pci_name()'s return value will become
const, so use the new dev_set_name() instead to avoid the warning (from
linux-next):

arch/powerpc/kernel/pci_64.c: In function 'of_create_pci_dev':
arch/powerpc/kernel/pci_64.c:193: warning: passing argument 1 of 'sprintf' discards qualifiers from pointer target type

Cc: Kay Sievers <kay.sievers@vrfy.org>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: NStephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: NPaul Mackerras <paulus@samba.org>

When building a signal or a ucontext, we can incorrectly set the MSR_VEC
bit of the kernel pt_regs->msr before returning to userspace if the task
-ever- used VMX.

This can lead to funny result if that stack used it in the past, then
"lost" it (ie. it wasn't enabled after a context switch for example)
and then called get_context.  It can end up with VMX enabled and the
registers containing values from some other task.
Signed-off-by: NBenjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: NPaul Mackerras <paulus@samba.org>

This corrects the names of two CONFIG_ variables.

Note that the CONFIG_MPC86XADS fix uncovers another bug
(with mpc866_ads_defconfig) that will require fixing:

<--  snip  -->

...
arch/powerpc/boot/dtc -O dtb -o arch/powerpc/boot/mpc866ads.dtb -b 0  /home/bunk/linux/kernel-2.6/git/linux-2.6/arch/powerpc/boot/dts/mpc866ads.dts
DTC: dts->dtb  on file "/home/bunk/linux/kernel-2.6/git/linux-2.6/arch/powerpc/boot/dts/mpc866ads.dts"
  WRAP    arch/powerpc/boot/cuImage.mpc866ads
powerpc64-linux-ld: arch/powerpc/boot/cuboot-mpc866ads.o: No such file: No such file or directory
make[2]: *** [arch/powerpc/boot/cuImage.mpc866ads] Error 1

<--  snip  -->
Reported-by: NRobert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: NAdrian Bunk <bunk@kernel.org>
Signed-off-by: NPaul Mackerras <paulus@samba.org>

Commit 73f20e58 ("FAT_VALID_MEDIA():
remove pointless test") wrongly added the new fat_valid_media() function
to the userspace-visible part of include/linux/msdos_fs.h

Move it to the part of include/linux/msdos_fs.h that is not exported to
userspace.
Reported-by: NOnur Küçük <onur@pardus.org.tr>
Reported-by: NS.Çağlar Onur <caglar@pardus.org.tr>
Signed-off-by: NAdrian Bunk <bunk@kernel.org>
Acked-by: NOGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

This is the patch that follows Linus's modification about set_ldisc.
Graf has built and tested it on BF537 using Linus's git Tree.
Signed-off-by: NGraf Yang <graf.yang@analog.com>
Signed-off-by: NBryan Wu <cooloney@kernel.org>

Signed-off-by: NMike Frysinger <vapier.adi@gmail.com>
Signed-off-by: NBryan Wu <cooloney@kernel.org>

On a 64-bit architecture, if ib_umem_get() is called with a size value
that is so big that npages is negative when cast to int, then the
length of the page list passed to get_user_pages(), namely

	min_t(int, npages, PAGE_SIZE / sizeof (struct page *))

will be negative, and get_user_pages() will immediately return 0 (at
least since 900cf086, "Be more robust about bad arguments in
get_user_pages()").  This leads to an infinite loop in ib_umem_get(),
since the code boils down to:

	while (npages) {
		ret = get_user_pages(...);
		npages -= ret;
	}

Fix this by taking the minimum as unsigned longs, so that the value of
npages is never truncated.

The impact of this bug isn't too severe, since the value of npages is
checked against RLIMIT_MEMLOCK, so a process would need to have an
astronomical limit or have CAP_IPC_LOCK to be able to trigger this,
and such a process could already cause lots of mischief.  But it does
let buggy userspace code cause a kernel lock-up; for example I hit
this with code that passes a negative value into a memory registartion
function where it is promoted to a huge u64 value.

Cc: <stable@kernel.org>
Signed-off-by: NRoland Dreier <rolandd@cisco.com>

* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
  ext4: enable barriers by default
  jbd2: Fix barrier fallback code to re-lock the buffer head
  ext4: Display the journal_async_commit mount option in /proc/mounts
  jbd2: If a journal checksum error is detected, propagate the error to ext4
  jbd2: Fix memory leak when verifying checksums in the journal
  ext4: fix online resize bug
  ext4: Fix uninit block group initialization with FLEX_BG
  ext4: Fix use of uninitialized data with debug enabled.

use_mm() was changed to use switch_mm() instead of activate_mm(), since
then nobody calls (and nobody should call) activate_mm() with
PF_BORROWED_MM bit set.

As Jeff Dike pointed out, we can also remove the "old != new" check, it is
always true.
Signed-off-by: NOleg Nesterov <oleg@tv-sign.ru>
Cc: Jeff Dike <jdike@addtoit.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
  IB/ipath: Fix SM trap forwarding
  IB/ehca: Reject send WRs only for RESET, INIT and RTR state
  MAINTAINERS: Update NetEffect (iw_nes) entry
  IB/ipath: Fix device capability flags
  IB/ipath: Avoid test_bit() on u64 SDMA status value

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci-2.6:
  x86/PCI: add workaround for bug in ASUS A7V600 BIOS (rev 1005)
  PCI/x86: fix up PCI stuff so that PCI_GOANY supports OLPC

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
  sound: emu10k1 - fix system hang with Audigy2 ZS Notebook PCMCIA card

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/chrisw/lsm-2.6:
  capabilities: remain source compatible with 32-bit raw legacy capability support.
  LSM: remove stale web site from MAINTAINERS

* git://git.infradead.org/~dwmw2/mtd-2.6.26:
  [MTD] m25p80.c mutex unlock fix

Packet sending is driven by two flags, tx_ready and tx_queued.
It was possible, that there were queued data for sending and
hardware was flagged as blocked but in fact it was not.

The tx_queued was indicator but should be really a counter else
first fragmented packet resets tx_queued flag, but there may be
pending packets which do not get sent.

New semantics:
tx_ready - set, if hw is ready to send packet, no packet is being
           transferred right now
           set the flag right at the place where data are copied
           into hw memory and not earlier without checking if it
           was succesful
tx_queued - count of enqueued packets, including fragments
Tested-by: NMichal Rokos <michal.rokos@gmail.com>
Signed-off-by: NDavid Sterba <dsterba@suse.cz>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

To get zeroed out memory from a particular NUMA node.  To be used by
sunrpc.
Signed-off-by: NJeff Layton <jlayton@redhat.com>
Cc: Christoph Lameter <clameter@sgi.com>
Cc: Pekka Enberg <penberg@cs.helsinki.fi>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Just a quick explanation of the pagemap interface from a userspace point
of view, and an example of how to use it (in English, not code).
Signed-off-by: NThomas  Tuttle <ttuttle@google.com>
Cc: Matt Mackall <mpm@selenic.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>