1. 09 Feb, 2012 5 commits
    • Russell King's avatar
      pcmcia: fix socket refcount decrementing on each resume · 025e4ab3
      Russell King authored
      This fixes a memory-corrupting bug: not only does it cause the warning,
      but as a result of dropping the refcount to zero, it causes the
      pcmcia_socket0 device structure to be freed while it still has
      references, causing slab caches corruption.  A fatal oops quickly
      follows this warning - often even just a 'dmesg' following the warning
      causes the kernel to oops.
      
      While testing suspend/resume on an ARM device with PCMCIA support, and a
      CF card inserted, I found that after five suspend and resumes, the
      kernel would complain, and shortly die after with slab corruption.
      
        WARNING: at include/linux/kref.h:41 kobject_get+0x28/0x50()
      
      As the message doesn't give a clue about which kobject, and the built-in
      debugging in drivers/base/power/main.c happens too late, this was added
      right before each get_device():
      
        printk("%s: %p [%s] %u\n", __func__, dev, kobject_name(&dev->kobj), atomic_read(&dev->kobj.kref.refcount));
      
      and on the 3rd s2ram cycle, the following behaviour observed:
      
      On the 3rd suspend/resume cycle:
      
        dpm_prepare: c1a0d998 [pcmcia_socket0] 3
        dpm_suspend: c1a0d998 [pcmcia_socket0] 3
        dpm_suspend_noirq: c1a0d998 [pcmcia_socket0] 3
        dpm_resume_noirq: c1a0d998 [pcmcia_socket0] 3
        dpm_resume: c1a0d998 [pcmcia_socket0] 3
        dpm_complete: c1a0d998 [pcmcia_socket0] 2
      
      4th:
      
        dpm_prepare: c1a0d998 [pcmcia_socket0] 2
        dpm_suspend: c1a0d998 [pcmcia_socket0] 2
        dpm_suspend_noirq: c1a0d998 [pcmcia_socket0] 2
        dpm_resume_noirq: c1a0d998 [pcmcia_socket0] 2
        dpm_resume: c1a0d998 [pcmcia_socket0] 2
        dpm_complete: c1a0d998 [pcmcia_socket0] 1
      
      5th:
      
        dpm_prepare: c1a0d998 [pcmcia_socket0] 1
        dpm_suspend: c1a0d998 [pcmcia_socket0] 1
        dpm_suspend_noirq: c1a0d998 [pcmcia_socket0] 1
        dpm_resume_noirq: c1a0d998 [pcmcia_socket0] 1
        dpm_resume: c1a0d998 [pcmcia_socket0] 1
        dpm_complete: c1a0d998 [pcmcia_socket0] 0
        ------------[ cut here ]------------
        WARNING: at include/linux/kref.h:41 kobject_get+0x28/0x50()
        Modules linked in: ucb1x00_core
        Backtrace:
        [<c0212090>] (dump_backtrace+0x0/0x110) from [<c04799dc>] (dump_stack+0x18/0x1c)
        [<c04799c4>] (dump_stack+0x0/0x1c) from [<c021cba0>] (warn_slowpath_common+0x50/0x68)
        [<c021cb50>] (warn_slowpath_common+0x0/0x68) from [<c021cbdc>] (warn_slowpath_null+0x24/0x28)
        [<c021cbb8>] (warn_slowpath_null+0x0/0x28) from [<c0335374>] (kobject_get+0x28/0x50)
        [<c033534c>] (kobject_get+0x0/0x50) from [<c03804f4>] (get_device+0x1c/0x24)
        [<c0388c90>] (dpm_complete+0x0/0x1a0) from [<c0389cc0>] (dpm_resume_end+0x1c/0x20)
        ...
      
      Looking at commit 7b24e798 ("pcmcia: split up central event handler"),
      the following change was made to cs.c:
      
                      return 0;
              }
       #endif
      -
      -       send_event(skt, CS_EVENT_PM_RESUME, CS_EVENT_PRI_LOW);
      +       if (!(skt->state & SOCKET_CARDBUS) && (skt->callback))
      +               skt->callback->early_resume(skt);
              return 0;
       }
      
      And the corresponding change in ds.c is from:
      
      -static int ds_event(struct pcmcia_socket *skt, event_t event, int priority)
      -{
      -       struct pcmcia_socket *s = pcmcia_get_socket(skt);
      ...
      -       switch (event) {
      ...
      -       case CS_EVENT_PM_RESUME:
      -               if (verify_cis_cache(skt) != 0) {
      -                       dev_dbg(&skt->dev, "cis mismatch - different card\n");
      -                       /* first, remove the card */
      -                       ds_event(skt, CS_EVENT_CARD_REMOVAL, CS_EVENT_PRI_HIGH);
      -                       mutex_lock(&s->ops_mutex);
      -                       destroy_cis_cache(skt);
      -                       kfree(skt->fake_cis);
      -                       skt->fake_cis = NULL;
      -                       s->functions = 0;
      -                       mutex_unlock(&s->ops_mutex);
      -                       /* now, add the new card */
      -                       ds_event(skt, CS_EVENT_CARD_INSERTION,
      -                                CS_EVENT_PRI_LOW);
      -               }
      -               break;
      ...
      -    }
      
      -    pcmcia_put_socket(s);
      
      -    return 0;
      -} /* ds_event */
      
      to:
      
      +static int pcmcia_bus_early_resume(struct pcmcia_socket *skt)
      +{
      +       if (!verify_cis_cache(skt)) {
      +               pcmcia_put_socket(skt);
      +               return 0;
      +       }
      
      +       dev_dbg(&skt->dev, "cis mismatch - different card\n");
      
      +       /* first, remove the card */
      +       pcmcia_bus_remove(skt);
      +       mutex_lock(&skt->ops_mutex);
      +       destroy_cis_cache(skt);
      +       kfree(skt->fake_cis);
      +       skt->fake_cis = NULL;
      +       skt->functions = 0;
      +       mutex_unlock(&skt->ops_mutex);
      
      +       /* now, add the new card */
      +       pcmcia_bus_add(skt);
      +       return 0;
      +}
      
      As can be seen, the original function called pcmcia_get_socket() and
      pcmcia_put_socket() around the guts, whereas the replacement code
      calls pcmcia_put_socket() only in one path.  This creates an imbalance
      in the refcounting.
      
      Testing with pcmcia_put_socket() put removed shows that the bug is gone:
      
        dpm_suspend: c1a10998 [pcmcia_socket0] 5
        dpm_suspend_noirq: c1a10998 [pcmcia_socket0] 5
        dpm_resume_noirq: c1a10998 [pcmcia_socket0] 5
        dpm_resume: c1a10998 [pcmcia_socket0] 5
        dpm_complete: c1a10998 [pcmcia_socket0] 5
      Tested-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Cc: Dominik Brodowski <linux@dominikbrodowski.net>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      025e4ab3
    • Hugh Dickins's avatar
      mm: fix UP THP spin_is_locked BUGs · b9980cdc
      Hugh Dickins authored
      Fix CONFIG_TRANSPARENT_HUGEPAGE=y CONFIG_SMP=n CONFIG_DEBUG_VM=y
      CONFIG_DEBUG_SPINLOCK=n kernel: spin_is_locked() is then always false,
      and so triggers some BUGs in Transparent HugePage codepaths.
      
      asm-generic/bug.h mentions this problem, and provides a WARN_ON_SMP(x);
      but being too lazy to add VM_BUG_ON_SMP, BUG_ON_SMP, WARN_ON_SMP_ONCE,
      VM_WARN_ON_SMP_ONCE, just test NR_CPUS != 1 in the existing VM_BUG_ONs.
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b9980cdc
    • Axel Lin's avatar
      drivers/leds/leds-lm3530.c: fix setting pltfm->als_vmax · ec44fd42
      Axel Lin authored
      In current code, pltfm->als_vmin is set to LM3530_ALS_WINDOW_mV and
      pltfm->als_vmax is 0.  This does not make sense.  I think what we want
      here is setting pltfm->als_vmax to LM3530_ALS_WINDOW_mV.
      
      Both als_vmin and als_vmax local variables will be set to
      pltfm->als_vmin and pltfm->als_vmax by a few lines latter.  Thus also
      remove a redundant assignment for als_vmin and als_vmax in this patch.
      Signed-off-by: default avatarAxel Lin <axel.lin@gmail.com>
      Cc: Shreshtha Kumar Sahu <shreshthakumar.sahu@stericsson.com>
      Acked-by: default avatarMilo(Woogyom) Kim <milo.kim@ti.com>
      Tested-by: default avatarMilo(Woogyom) Kim <milo.kim@ti.com>
      Cc: Richard Purdie <rpurdie@rpsys.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ec44fd42
    • Mel Gorman's avatar
      mm: compaction: check for overlapping nodes during isolation for migration · dc908600
      Mel Gorman authored
      When isolating pages for migration, migration starts at the start of a
      zone while the free scanner starts at the end of the zone.  Migration
      avoids entering a new zone by never going beyond the free scanned.
      
      Unfortunately, in very rare cases nodes can overlap.  When this happens,
      migration isolates pages without the LRU lock held, corrupting lists
      which will trigger errors in reclaim or during page free such as in the
      following oops
      
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
        IP: [<ffffffff810f795c>] free_pcppages_bulk+0xcc/0x450
        PGD 1dda554067 PUD 1e1cb58067 PMD 0
        Oops: 0000 [#1] SMP
        CPU 37
        Pid: 17088, comm: memcg_process_s Tainted: G            X
        RIP: free_pcppages_bulk+0xcc/0x450
        Process memcg_process_s (pid: 17088, threadinfo ffff881c2926e000, task ffff881c2926c0c0)
        Call Trace:
          free_hot_cold_page+0x17e/0x1f0
          __pagevec_free+0x90/0xb0
          release_pages+0x22a/0x260
          pagevec_lru_move_fn+0xf3/0x110
          putback_lru_page+0x66/0xe0
          unmap_and_move+0x156/0x180
          migrate_pages+0x9e/0x1b0
          compact_zone+0x1f3/0x2f0
          compact_zone_order+0xa2/0xe0
          try_to_compact_pages+0xdf/0x110
          __alloc_pages_direct_compact+0xee/0x1c0
          __alloc_pages_slowpath+0x370/0x830
          __alloc_pages_nodemask+0x1b1/0x1c0
          alloc_pages_vma+0x9b/0x160
          do_huge_pmd_anonymous_page+0x160/0x270
          do_page_fault+0x207/0x4c0
          page_fault+0x25/0x30
      
      The "X" in the taint flag means that external modules were loaded but but
      is unrelated to the bug triggering.  The real problem was because the PFN
      layout looks like this
      
        Zone PFN ranges:
          DMA      0x00000010 -> 0x00001000
          DMA32    0x00001000 -> 0x00100000
          Normal   0x00100000 -> 0x01e80000
        Movable zone start PFN for each node
        early_node_map[14] active PFN ranges
            0: 0x00000010 -> 0x0000009b
            0: 0x00000100 -> 0x0007a1ec
            0: 0x0007a354 -> 0x0007a379
            0: 0x0007f7ff -> 0x0007f800
            0: 0x00100000 -> 0x00680000
            1: 0x00680000 -> 0x00e80000
            0: 0x00e80000 -> 0x01080000
            1: 0x01080000 -> 0x01280000
            0: 0x01280000 -> 0x01480000
            1: 0x01480000 -> 0x01680000
            0: 0x01680000 -> 0x01880000
            1: 0x01880000 -> 0x01a80000
            0: 0x01a80000 -> 0x01c80000
            1: 0x01c80000 -> 0x01e80000
      
      The fix is straight-forward.  isolate_migratepages() has to make a
      similar check to isolate_freepage to ensure that it never isolates pages
      from a zone it does not hold the LRU lock for.
      
      This was discovered in a 3.0-based kernel but it affects 3.1.x, 3.2.x
      and current mainline.
      Signed-off-by: default avatarMel Gorman <mgorman@suse.de>
      Acked-by: default avatarMichal Nazarewicz <mina86@mina86.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      dc908600
    • Xi Wang's avatar
      nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments() · 1ecd3c7e
      Xi Wang authored
      nsegs is read from userspace.  Limit its value and avoid overflowing nsegs
      * sizeof(__u64) in the subsequent call to memdup_user().
      
      This patch complements 481fe17e ("nilfs2: potential integer overflow
      in nilfs_ioctl_clean_segments()").
      Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
      Cc: Haogang Chen <haogangchen@gmail.com>
      Acked-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1ecd3c7e
  2. 07 Feb, 2012 12 commits
  3. 06 Feb, 2012 6 commits
  4. 05 Feb, 2012 1 commit
  5. 04 Feb, 2012 16 commits
    • Linus Torvalds's avatar
      Merge tag 'pm-fixes-for-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 23783f81
      Linus Torvalds authored
      Power management fixes for 3.3-rc3
      
      Three power management regression fixes, one for a recent regression introcuded
      by the freezer changes during the 3.3 merge window and two for regressions
      in cpuidle (resulting from PM QoS changes) and in the hibernate user space
      interface, both introduced during the 3.2 development cycle.
      
      They include:
      
      * Two hibernate (s2disk) regression fixes from Srivatsa S. Bhat (for
       regressions introduced during the 3.3 merge window and during the 3.2
       development cycle).
      
      * A cpuidle fix from Venki Pallipadi for a regression resulting from PM QoS
       changes during the 3.2 development cycle causing cpuidle to work incorrectly
       for CONFIG_PM unset.
      
      * tag 'pm-fixes-for-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        PM / QoS: CPU C-state breakage with PM Qos change
        PM / Freezer: Thaw only kernel threads if freezing of kernel threads fails
        PM / Hibernate: Thaw kernel threads in SNAPSHOT_CREATE_IMAGE ioctl path
      23783f81
    • Venkatesh Pallipadi's avatar
      PM / QoS: CPU C-state breakage with PM Qos change · d020283d
      Venkatesh Pallipadi authored
      Looks like change "PM QoS: Move and rename the implementation files"
      merged during the 3.2 development cycle made PM QoS depend on
      CONFIG_PM which depends on (PM_SLEEP || PM_RUNTIME).
      
      That breaks CPU C-states with kernels not having these CONFIGs, causing CPUs
      to spend time in Polling loop idle instead of going into deep C-states,
      consuming way way more power. This is with either acpi idle or intel idle
      enabled.
      
      Either CONFIG_PM should be enabled with any pm_qos users or
      the !CONFIG_PM pm_qos_request() should return sane defaults not to break
      the existing users. Here's is the patch for the latter option.
      
      [rjw: Modified the changelog slightly.]
      Signed-off-by: default avatarVenkatesh Pallipadi <venki@google.com>
      Signed-off-by: default avatarRafael J. Wysocki <rjw@sisk.pl>
      Cc: stable@vger.kernel.org
      d020283d
    • Srivatsa S. Bhat's avatar
      PM / Freezer: Thaw only kernel threads if freezing of kernel threads fails · 379e0be8
      Srivatsa S. Bhat authored
      If freezing of kernel threads fails, we are expected to automatically
      thaw tasks in the error recovery path. However, at times, we encounter
      situations in which we would like the automatic error recovery path
      to thaw only the kernel threads, because we want to be able to do
      some more cleanup before we thaw userspace. Something like:
      
      error = freeze_kernel_threads();
      if (error) {
      	/* Do some cleanup */
      
      	/* Only then thaw userspace tasks*/
      	thaw_processes();
      }
      
      An example of such a situation is where we freeze/thaw filesystems
      during suspend/hibernation. There, if freezing of kernel threads
      fails, we would like to thaw the frozen filesystems before thawing
      the userspace tasks.
      
      So, modify freeze_kernel_threads() to thaw only kernel threads in
      case of freezing failure. And change suspend_freeze_processes()
      accordingly. (At the same time, let us also get rid of the rather
      cryptic usage of the conditional operator (:?) in that function.)
      
      [rjw: In fact, this patch fixes a regression introduced during the
       3.3 merge window, because without it thaw_processes() may be called
       before swsusp_free() in some situations and that may lead to massive
       memory allocation failures.]
      Signed-off-by: default avatarSrivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Acked-by: default avatarNigel Cunningham <nigel@tuxonice.net>
      Signed-off-by: default avatarRafael J. Wysocki <rjw@sisk.pl>
      379e0be8
    • Linus Torvalds's avatar
      Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · d9142025
      Linus Torvalds authored
      arm-soc fixes for 3.3-rc
      
      * A series of OMAP regression fixes for merge window fallout
      * Two patches for Davinci, one removes some misdefined clocks, the other
        is a regression fix for merge window fallout
      * Two patches that makes Broadcom bcmring build again (and removes a
        bunch of unused code in the process)
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        ARM: bcmring: fix build failure in mach-bcmring/arch.c
        ARM: bcmring: remove unused DMA map code
        ARM: davinci: update mdio bus name
        ARM: OMAP2+: arch/arm/mach-omap2/smartreflex.c: add missing iounmap
        ARM: OMAP2+: arch/arm/mach-omap2/devices.c: introduce missing kfree
        ARM: OMAP: fix MMC2 loopback clock handling
        ARM: OMAP: fix erroneous mmc2 clock change on mmc3 setup
        ARM: OMAP2+: GPMC: fix device size setup
        ARM: OMAP2+: timer: Fix crash due to wrong arg to __omap_dm_timer_read_counter
        ARM: OMAP3: hwmod data: register dss hwmods after dss_core
        ARM: OMAP2/3: PRM: fix missing plat/irqs.h build breakage
        ARM: OMAP2+: io: fix compilation breakage on 2420-only configs
        ARM: OMAP4: hwmod data: Add names for DMIC memory address space
        ARM: OMAP3: hwmod data: add SYSC_HAS_ENAWAKEUP for dispc
        ARM: OMAP2+: hwmod data: split omap2/3 dispc hwmod class
        ARM: davinci: DA850: remove non-existing pll1_sysclk4-7 clocks
        ARM: OMAP2: fix regulator warnings
        ARM: OMAP2: fix omap3 touchbook kconfig warning
        i2c: OMAP: Fix OMAP1 build error
      d9142025
    • Paul Gortmaker's avatar
      ARM: bcmring: fix build failure in mach-bcmring/arch.c · ca43784d
      Paul Gortmaker authored
      Upstream commit d1fce9c1
      
         "ARM: restart: bcmring: use new restart hook"
      
      breaks building of this platform, since what used to be the
      last field of the MACHINE_START/END block didn't have a
      trailing comma.  Once another field was added below, we get:
      
      arch/arm/mach-bcmring/arch.c:198: error: request for member 'restart' in something not a structure or union
      Signed-off-by: default avatarPaul Gortmaker <paul.gortmaker@windriver.com>
      Acked-by: default avatarJiandong Zheng <jdzheng@broadcom.com>
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      ca43784d
    • JD Zheng's avatar
      ARM: bcmring: remove unused DMA map code · 864e5e36
      JD Zheng authored
      Remove BCMRING DMA map code which is no longer used.
      
      This also fixes a build error with dma.c introduced by
      bfcd2ea6.
      Signed-off-by: default avatarJiandong Zheng <jdzheng@broadcom.com>
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      864e5e36
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 31c150a1
      Linus Torvalds authored
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: i8042 - add Lenovo Ideapad U455 to 'reset' blacklist
        Input: serio_raw - return proper result when serio_raw_read fails
        Input: document device properties
        Input: twl4030_keypad - fix comment (trivial)
        Input: gpio_keys - fix struct device declared inside parameter list
        Input: evdev - fix variable initialisation
      31c150a1
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma · 4554c135
      Linus Torvalds authored
      * 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
        i.MX SDMA: Fix burstsize settings
        ARM: mach-shmobile: both USB DMAC instances on sh7372 are slave-only
        dma: sh_dma: not all SH DMAC implementations support MEMCPY
        at_hdmac: bugfix for enabling channel irq
        dmaengine: fix missing 'cnt' in ?: in dmatest
      4554c135
    • Linus Torvalds's avatar
      Merge branch 'akpm' · 82bdc843
      Linus Torvalds authored
      * akpm:
        mm: compaction: check pfn_valid when entering a new MAX_ORDER_NR_PAGES block during isolation for migration
        readahead: fix pipeline break caused by block plug
        kprobes: fix a memory leak in function pre_handler_kretprobe()
        drivers/tty/vt/vt_ioctl.c: fix KDFONTOP 32bit compatibility layer
        lkdtm: avoid calling lkdtm_do_action() with spinlock held
        mm/filemap_xip.c: fix race condition in xip_file_fault()
        mm/memcontrol.c: fix warning with CONFIG_NUMA=n
        avr32: select generic atomic64_t support
        mm: postpone migrated page mapping reset
        xtensa: fix memscan()
        MAINTAINERS: update lguest F: patterns
        MAINTAINERS: remove staging sections
        MAINTAINERS: remove iMX5 section
        MAINTAINERS: update partitions block F: patterns
      82bdc843
    • Linus Torvalds's avatar
      Merge tag 'for-linus-3.3' of git://git.infradead.org/~dwmw2/mtd-3.3 · 71b1b20b
      Linus Torvalds authored
       - Fix a regression in 16-bit Atmel NAND flash which was introduced in 3.1
       - Fix breakage with MTD suspend caused by the API rework
       - Fix a problem with resetting the MX28 BCH module
       - A couple of other trivial fixes
      
      * tag 'for-linus-3.3-20120204' of git://git.infradead.org/~dwmw2/mtd-3.3:
        Revert "mtd: atmel_nand: optimize read/write buffer functions"
        mtd: fix MTD suspend
        jffs2: do not initialize variable unnecessarily
        mtd: gpmi-nand bugfix: reset the BCH module when it is not MX23
        mtd: nand: fix typo in comment
      71b1b20b
    • Artem Bityutskiy's avatar
      Revert "mtd: atmel_nand: optimize read/write buffer functions" · 50082319
      Artem Bityutskiy authored
      This reverts commit fb542750.
      
      The reason is that it breaks 16 bits NAND flash as it was reported by
      Nikolaus Voss and confirmed by Eric Bénard.
      
      Nicolas Ferre <nicolas.ferre@atmel.com> alco confirmed:
      "After double checking with designers, I must admit that I misunderstood
      the way of optimizing accesses to SMC. 16 bit nand is not so common
      those days..."
      Reported-by: default avatarNikolaus Voss <n.voss@weinmann.de>
      Acked-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: default avatarArtem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
      Cc: stable@kernel.org [3.1+]
      50082319
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm · d1256667
      Linus Torvalds authored
      * 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
        ARM: 7314/1: kuser: consistently use usr_ret for returning from helpers
        ARM: 7302/1: Add TLB flushing for both entries in a PMD
        ARM: 7303/1: perf: add empty NODE event definitions for Cortex-A5 and Cortex-A15
        ARM: 7308/1: vfp: flush thread hwstate before copying ptrace registers
        ARM: 7307/1: vfp: fix ptrace regset modification race
        ARM: 7306/1: vfp: flush thread hwstate before restoring context from sigframe
        Revert "ARM: 7304/1: ioremap: fix boundary check when reusing static mapping"
      d1256667
    • Mel Gorman's avatar
      mm: compaction: check pfn_valid when entering a new MAX_ORDER_NR_PAGES block... · 0bf380bc
      Mel Gorman authored
      mm: compaction: check pfn_valid when entering a new MAX_ORDER_NR_PAGES block during isolation for migration
      
      When isolating for migration, migration starts at the start of a zone
      which is not necessarily pageblock aligned.  Further, it stops isolating
      when COMPACT_CLUSTER_MAX pages are isolated so migrate_pfn is generally
      not aligned.  This allows isolate_migratepages() to call pfn_to_page() on
      an invalid PFN which can result in a crash.  This was originally reported
      against a 3.0-based kernel with the following trace in a crash dump.
      
      PID: 9902   TASK: d47aecd0  CPU: 0   COMMAND: "memcg_process_s"
       #0 [d72d3ad0] crash_kexec at c028cfdb
       #1 [d72d3b24] oops_end at c05c5322
       #2 [d72d3b38] __bad_area_nosemaphore at c0227e60
       #3 [d72d3bec] bad_area at c0227fb6
       #4 [d72d3c00] do_page_fault at c05c72ec
       #5 [d72d3c80] error_code (via page_fault) at c05c47a4
          EAX: 00000000  EBX: 000c0000  ECX: 00000001  EDX: 00000807  EBP: 000c0000
          DS:  007b      ESI: 00000001  ES:  007b      EDI: f3000a80  GS:  6f50
          CS:  0060      EIP: c030b15a  ERR: ffffffff  EFLAGS: 00010002
       #6 [d72d3cb4] isolate_migratepages at c030b15a
       #7 [d72d3d14] zone_watermark_ok at c02d26cb
       #8 [d72d3d2c] compact_zone at c030b8de
       #9 [d72d3d68] compact_zone_order at c030bba1
      #10 [d72d3db4] try_to_compact_pages at c030bc84
      #11 [d72d3ddc] __alloc_pages_direct_compact at c02d61e7
      #12 [d72d3e08] __alloc_pages_slowpath at c02d66c7
      #13 [d72d3e78] __alloc_pages_nodemask at c02d6a97
      #14 [d72d3eb8] alloc_pages_vma at c030a845
      #15 [d72d3ed4] do_huge_pmd_anonymous_page at c03178eb
      #16 [d72d3f00] handle_mm_fault at c02f36c6
      #17 [d72d3f30] do_page_fault at c05c70ed
      #18 [d72d3fb0] error_code (via page_fault) at c05c47a4
          EAX: b71ff000  EBX: 00000001  ECX: 00001600  EDX: 00000431
          DS:  007b      ESI: 08048950  ES:  007b      EDI: bfaa3788
          SS:  007b      ESP: bfaa36e0  EBP: bfaa3828  GS:  6f50
          CS:  0073      EIP: 080487c8  ERR: ffffffff  EFLAGS: 00010202
      
      It was also reported by Herbert van den Bergh against 3.1-based kernel
      with the following snippet from the console log.
      
      BUG: unable to handle kernel paging request at 01c00008
      IP: [<c0522399>] isolate_migratepages+0x119/0x390
      *pdpt = 000000002f7ce001 *pde = 0000000000000000
      
      It is expected that it also affects 3.2.x and current mainline.
      
      The problem is that pfn_valid is only called on the first PFN being
      checked and that PFN is not necessarily aligned.  Lets say we have a case
      like this
      
      H = MAX_ORDER_NR_PAGES boundary
      | = pageblock boundary
      m = cc->migrate_pfn
      f = cc->free_pfn
      o = memory hole
      
      H------|------H------|----m-Hoooooo|ooooooH-f----|------H
      
      The migrate_pfn is just below a memory hole and the free scanner is beyond
      the hole.  When isolate_migratepages started, it scans from migrate_pfn to
      migrate_pfn+pageblock_nr_pages which is now in a memory hole.  It checks
      pfn_valid() on the first PFN but then scans into the hole where there are
      not necessarily valid struct pages.
      
      This patch ensures that isolate_migratepages calls pfn_valid when
      necessary.
      Reported-by: default avatarHerbert van den Bergh <herbert.van.den.bergh@oracle.com>
      Tested-by: default avatarHerbert van den Bergh <herbert.van.den.bergh@oracle.com>
      Signed-off-by: default avatarMel Gorman <mgorman@suse.de>
      Acked-by: default avatarMichal Nazarewicz <mina86@mina86.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0bf380bc
    • Shaohua Li's avatar
      readahead: fix pipeline break caused by block plug · 3deaa719
      Shaohua Li authored
      Herbert Poetzl reported a performance regression since 2.6.39.  The test
      is a simple dd read, but with big block size.  The reason is:
      
      T1: ra (A, A+128k), (A+128k, A+256k)
      T2: lock_page for page A, submit the 256k
      T3: hit page A+128K, ra (A+256k, A+384). the range isn't submitted
      because of plug and there isn't any lock_page till we hit page A+256k
      because all pages from A to A+256k is in memory
      T4: hit page A+256k, ra (A+384, A+ 512). Because of plug, the range isn't
      submitted again.
      T5: lock_page A+256k, so (A+256k, A+512k) will be submitted. The task is
      waitting for (A+256k, A+512k) finish.
      
      There is no request to disk in T3 and T4, so readahead pipeline breaks.
      
      We really don't need block plug for generic_file_aio_read() for buffered
      I/O.  The readahead already has plug and has fine grained control when I/O
      should be submitted.  Deleting plug for buffered I/O fixes the regression.
      
      One side effect is plug makes the request size 256k, the size is 128k
      without it.  This is because default ra size is 128k and not a reason we
      need plug here.
      
      Vivek said:
      
      : We submit some readahead IO to device request queue but because of nested
      : plug, queue never gets unplugged.  When read logic reaches a page which is
      : not in page cache, it waits for page to be read from the disk
      : (lock_page_killable()) and that time we flush the plug list.
      :
      : So effectively read ahead logic is kind of broken in parts because of
      : nested plugging.  Removing top level plug (generic_file_aio_read()) for
      : buffered reads, will allow unplugging queue earlier for readahead.
      Signed-off-by: default avatarShaohua Li <shaohua.li@intel.com>
      Signed-off-by: default avatarWu Fengguang <fengguang.wu@intel.com>
      Reported-by: default avatarHerbert Poetzl <herbert@13thfloor.at>
      Tested-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Vivek Goyal <vgoyal@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3deaa719
    • Jiang Liu's avatar
      kprobes: fix a memory leak in function pre_handler_kretprobe() · 55ca6140
      Jiang Liu authored
      In function pre_handler_kretprobe(), the allocated kretprobe_instance
      object will get leaked if the entry_handler callback returns non-zero.
      This may cause all the preallocated kretprobe_instance objects exhausted.
      
      This issue can be reproduced by changing
      samples/kprobes/kretprobe_example.c to probe "mutex_unlock".  And the fix
      is straightforward: just put the allocated kretprobe_instance object back
      onto the free_instances list.
      
      [akpm@linux-foundation.org: use raw_spin_lock/unlock]
      Signed-off-by: default avatarJiang Liu <jiang.liu@huawei.com>
      Acked-by: default avatarJim Keniston <jkenisto@us.ibm.com>
      Acked-by: default avatarAnanth N Mavinakayanahalli <ananth@in.ibm.com>
      Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      55ca6140
    • Samuel Thibault's avatar
      drivers/tty/vt/vt_ioctl.c: fix KDFONTOP 32bit compatibility layer · cbcb8346
      Samuel Thibault authored
      KDFONTOP(GET) currently fails with EIO when being run in a 32bit userland
      with a 64bit kernel if the font width is not 8.
      
      This is because of the setting of the KD_FONT_FLAG_OLD flag, which makes
      con_font_get return EIO in such case.
      
      This flag should *not* be set for KDFONTOP, since it's actually the whole
      point of this flag (see comment in con_font_set for instance).
      Signed-off-by: default avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
      Reviewed-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: Greg Kroah-Hartman <gregkh@suse.de>
      Cc: Arthur Taylor <art@ified.ca>
      Cc: Jiri Slaby <jslaby@suse.cz>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      cbcb8346