I'm seeing an oops condition when kvm-intel and kvm-amd are modprobe'd
during boot (say on an Intel system) and then rmmod'd:

   # modprobe kvm-intel
     kvm_init()
     kvm_init_debug()
     kvm_arch_init()  <-- stores debugfs dentries internally
     (success, etc)

   # modprobe kvm-amd
     kvm_init()
     kvm_init_debug() <-- second initialization clobbers kvm's
                          internal pointers to dentries
     kvm_arch_init()
     kvm_exit_debug() <-- and frees them

   # rmmod kvm-intel
     kvm_exit()
     kvm_exit_debug() <-- double free of debugfs files!

     *BOOM*

If execution gets to the end of kvm_init(), then the calling module has been
established as the kvm provider.  Move the debugfs initialization to the end of
the function, and remove the now-unnecessary call to kvm_exit_debug() from the
error path.  That way we avoid trampling on the debugfs entries and freeing
them twice.

Cc: stable@kernel.org
Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

On a 32 bits compile, commit 3da0dd43
introduced the following warnings:

arch/x86/kvm/mmu.c: In function ‘kvm_set_pte_rmapp’:
arch/x86/kvm/mmu.c:770: warning: cast to pointer from integer of different size
arch/x86/kvm/mmu.c: In function ‘kvm_set_spte_hva’:
arch/x86/kvm/mmu.c:849: warning: cast from pointer to integer of different size

The following patch uses 'unsigned long' instead of u64 to match the
pointer size on both arches.
Signed-off-by: Frederik Deweerdt <frederik.deweerdt@xprog.eu>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

hrtimer->base can be temporarily NULL due to racing hrtimer_start.
See switch_hrtimer_base/lock_hrtimer_base.

Use hrtimer_get_remaining which is robust against it.

CC: stable@kernel.org
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>

* 'docs-next' of git://git.lwn.net/linux-2.6:
  Update flex_arrays.txt

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/dlm:
  dlm: fix socket fd translation
  dlm: fix lowcomms_connect_node for sctp

Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  Revert "x86: linker script syntax nits"
  x86, perf_event: Rename 'performance counter interrupt'

The destination keyring specified to request_key() and co. is made available to
the process that instantiates the key (the slave process started by
/sbin/request-key typically).  This is passed in the request_key_auth struct as
the dest_keyring member.

keyctl_instantiate_key and keyctl_negate_key() call get_instantiation_keyring()
to get the keyring to attach the newly constructed key to at the end of
instantiation.  This may be given a specific keyring into which a link will be
made later, or it may be asked to find the keyring passed to request_key().  In
the former case, it returns a keyring with the refcount incremented by
lookup_user_key(); in the latter case, it returns the keyring from the
request_key_auth struct - and does _not_ increment the refcount.

The latter case will eventually result in an oops when the keyring prematurely
runs out of references and gets destroyed.  The effect may take some time to
show up as the key is destroyed lazily.

To fix this, the keyring returned by get_instantiation_keyring() must always
have its refcount incremented, no matter where it comes from.

This can be tested by setting /etc/request-key.conf to:

#OP	TYPE	DESCRIPTION	CALLOUT INFO	PROGRAM ARG1 ARG2 ARG3 ...
#======	=======	===============	===============	===============================
create  *	test:*		*		|/bin/false %u %g %d %{user:_display}
negate	*	*		*		/bin/keyctl negate %k 10 @u

and then doing:

	keyctl add user _display aaaaaaaa @u
        while keyctl request2 user test:x test:x @u &&
        keyctl list @u;
        do
                keyctl request2 user test:x test:x @u;
                sleep 31;
                keyctl list @u;
        done

which will oops eventually.  Changing the negate line to have @u rather than
%S at the end is important as that forces the latter case by passing a special
keyring ID rather than an actual keyring ID.
Reported-by: Alexander Zangerl <az@bond.edu.au>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Alexander Zangerl <az@bond.edu.au>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
  powerpc/pci: Fix MODPOST warning
  powerpc/oprofile: Add ppc750 CL as supported by oprofile
  powerpc: warning: allocated section `.data_nosave' not in segment
  powerpc/kgdb: Fix build failure caused by "kgdb.c: unused variable 'acc'"
  powerpc: Fix hypervisor TLB batching
  powerpc/mm: Fix hang accessing top of vmalloc space
  powerpc: Fix memory leak in axon_msi.c
  powerpc/pmac: Fix issues with sleep on some powerbooks
  powerpc64/ftrace: use PACA to retrieve TOC in mod_return_to_handler
  powerpc/ftrace: show real return addresses in modules

* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6:
  ACPI button: don't try to use a non-existent lid device
  ACPI: video: Loosen strictness of video bus detection code
  eeepc-laptop: Prevent a panic when disabling RT2860 wireless when associated
  eeepc-laptop: Properly annote eeepc_enable_camera().
  ACPI / PCI: Fix NULL pointer dereference in acpi_get_pci_dev() (rev. 2)
  fujitsu-laptop: address missed led-class ifdef fixup
  ACPI: Kconfig, fix proc aggregator text
  ACPI: add AC/DC notifier

Merge branch 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6

* 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6:
  OMAP2xxx clock: set up clockdomain pointer in struct clk
  OMAP: Fix race condition with autodeps
  omap: McBSP: Fix incorrect receiver stop in omap_mcbsp_stop
  omap: Initialization of SDRC params on Zoom2
  omap: RX-51: Drop I2C-1 speed to 2200
  omap: SDMA: Fixing bug in omap_dma_set_global_params()
  omap: CONFIG_ISP1301_OMAP redefined in Beagle defconfig

* 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/btrfs-unstable:
  Btrfs: always pin metadata in discard mode
  Btrfs: enable discard support
  Btrfs: add -o discard option
  Btrfs: properly wait log writers during log sync
  Btrfs: fix possible ENOSPC problems with truncate
  Btrfs: fix btrfs acl #ifdef checks
  Btrfs: streamline tree-log btree block writeout
  Btrfs: avoid tree log commit when there are no changes
  Btrfs: only write one super copy during fsync

* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty-2.6:
  tty: fix vt_compat_ioctl

* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core-2.6:
  sysfs: Allow sysfs_notify_dirent to be called from interrupt context.
  sysfs: Allow sysfs_move_dir(..., NULL) again.

* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6:
  USB: gadget: Fix EEM driver comments and VID/PID
  usb-storage: Workaround devices with bogus sense size
  USB: ehci: Fix IST boundary checking interval math.
  USB: option: Support for AIRPLUS MCD650 Datacard
  USB: whci-hcd: always do an update after processing a halted qTD
  USB: whci-hcd: handle early deletion of endpoints
  USB: wusb: don't use the stack to read security descriptor
  USB: rename Documentation/ABI/.../sysfs-class-usb_host

* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging-2.6:
  Staging: rt2860sta: prevent a panic when disabling when associated
  staging: more sched.h fixes
  Staging: et131x: Fix the add_10bit macro
  Staging: et131x: Correct WRAP bit handling
  staging: Complete sched.h removal from interrupt.h
  Staging: vme: fix sched.h build breakage
  Staging: poch: fix sched.h build breakage
  Staging: b3dfg: fix sched.h build breakage
  Staging: comedi: fix sched.h build breakage
  Staging: iio: Fix missing include <linux/sched.h>

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (53 commits)
  vmxnet: fix 2 build problems
  net: add support for STMicroelectronics Ethernet controllers.
  net: ks8851_mll uses mii interfaces
  net/fec_mpc52xx: Fix kernel panic on FEC error
  net: Fix OF platform drivers coldplug/hotplug when compiled as modules
  TI DaVinci EMAC: Clear statistics register properly.
  r8169: partial support and phy init for the 8168d
  irda/sa1100_ir: check return value of startup hook
  udp: Fix udp_poll() and ioctl()
  WAN: fix Cisco HDLC handshaking.
  tcp: fix tcp_defer_accept to consider the timeout
  3c574_cs: spin_lock the set_multicast_list function
  net: Teach pegasus driver to ignore bluetoother adapters with clashing Vendor:Product IDs
  netxen: fix pci bar mapping
  ethoc: fix warning from 32bit build
  libertas: fix build
  net: VMware virtual Ethernet NIC driver: vmxnet3
  net: Fix IXP 2000 network driver building.
  libertas: fix build
  mac80211: document ieee80211_rx() context requirement
  ...

* branch 'tty-fixes'
  tty: use the new 'flush_delayed_work()' helper to do ldisc flush
  workqueue: add 'flush_delayed_work()' to run and wait for delayed work
  tty: Make flush_to_ldisc() locking more robust

The 2.6.32 merge window brought a number of changes to the flexible array
API; this patch updates the documentation to match the new state of
affairs.
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>

This reverts commit e9a63a4e.

This breaks older binutils, where sink-less asserts are broken.

See this commit for further details:

  d2ba8b21: x86: Fix assert syntax in vmlinux.lds.S
Acked-by: "H. Peter Anvin" <hpa@zytor.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
LKML-Reference: <4AD6523D.5030909@zytor.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>

Merge reason: pull in latest, to be able to revert a patch there.
Signed-off-by: Ingo Molnar <mingo@elte.hu>

vmxnet3 uses in_dev* interfaces so it should depend on INET.
Also fix so that the driver builds when CONFIG_PCI_MSI is disabled.

vmxnet3_drv.c:(.text+0x2a88cb): undefined reference to `in_dev_finish_destroy'

drivers/net/vmxnet3/vmxnet3_drv.c:1335: error: 'struct vmxnet3_intr' has no member named 'msix_entries'
drivers/net/vmxnet3/vmxnet3_drv.c:1384: error: 'struct vmxnet3_intr' has no member named 'msix_entries'
drivers/net/vmxnet3/vmxnet3_drv.c:2137: error: 'struct vmxnet3_intr' has no member named 'msix_entries'
drivers/net/vmxnet3/vmxnet3_drv.c:2138: error: 'struct vmxnet3_intr' has no member named 'msix_entries'
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Bhavesh davda <bhavesh@vmware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Call compat_unimap_ioctl, not do_unimap_ioctl.

This was broken by commit e9216651.

The compat_unimap_ioctl was originally called do_unimap_ioctl in
fs/compat_ioctl.h which got moved to drivers/char/vt_ioctl.c.
In that patch, the caller was not updated and consequently called
the native handler.
Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

clock24xx.c is missing a omap2_init_clk_clkdm() in its
omap2_clk_init() function.  Among other bad effects, this causes the
OMAP hwmod layer to oops on boot.

Thanks to Carlos Aguiar <carlos.aguiar@indt.org.br> and Stefano
Panella <Stefano.Panella@csr.com> for reporting this bug.  Thanks to Tony
Lindgren <tony@atomide.com> for N800 booting advice.
Signed-off-by: Paul Walmsley <paul@pwsan.com>
Cc: Carlos Aguiar <carlos.aguiar@indt.org.br>
Cc: Stefano Panella <Stefano.Panella@csr.com>
Cc: Tony Lindgren <tony@atomide.com>

There is a possible race condition in clockdomain
code handling hw supported idle transitions.

When multiple autodeps dependencies are being added
or removed, a transition of still remaining dependent
powerdomain can result in false readings of the
state counter. This is especially fatal for off mode
state counter, as it could result in a driver not
noticing a context loss.

Fixed by disabling hw supported state transitions
when autodeps are being changed.
Signed-off-by: Kalle Jokiniemi <kalle.jokiniemi@digia.com>
Signed-off-by: Paul Walmsley <paul@pwsan.com>

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
  firewire: sbp2: provide fallback if mgt_ORB_timeout is missing
  ieee1394: add documentation entry to MAINTAINERS
  ieee1394: update URLs in debugging-via-ohci1394.txt

* branch 'tty-fixes':
  tty: use the new 'flush_delayed_work()' helper to do ldisc flush
  workqueue: add 'flush_delayed_work()' to run and wait for delayed work
  Make flush_to_ldisc properly handle parallel calls

Merge branch 'topic/x86-lds-nits' of git://git.kernel.org/pub/scm/linux/kernel/git/frob/linux-2.6-roland

* 'topic/x86-lds-nits' of git://git.kernel.org/pub/scm/linux/kernel/git/frob/linux-2.6-roland:
  x86: linker script syntax nits

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6:
  watchdog: Fix rio watchdog probe function
  sparc64: Set IRQF_DISABLED on LDC channel IRQs.
  sparc64: Fix D-cache flushing on swapin from SW devices.
  sparc64: Fix niagara2 perf IRQ bits.

* 'for-linus' of git://git390.marist.edu/pub/scm/linux-2.6:
  [S390] sclp_vt220 build fix
  [S390] cio: change misleading console logic
  [S390] call home support: fix proc handler
  [S390] dasd: use idal for device characteristics
  [S390] Add highgprs facility to /proc/cpuinfo
  [S390] dasd: fix locking bug
  [S390] tape390: Fix request queue handling in block driver
  [S390] hypfs: Use subcode 6 if subcode 7 is not available

* 'sh/for-2.6.32' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  sh: Fix a TRACE_IRQS_OFF typo.
  sh: Optimize the setup_rt_frame() I-cache flush.
  sh: Populate initial secondary CPU info from boot_cpu_data.
  sh: Tidy up SMP cpuinfo.
  sh: Use boot_cpu_data for FPU tests in sigcontext paths.
  sh: ftrace: Fix up syscall tracepoint support.
  sh: force dcache flush if dcache_dirty bit set.
  sh: update die() output.

Merge branch 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  oprofile: warn on freeing event buffer too early
  oprofile: fix race condition in event_buffer free
  lockdep: Use cpu_clock() for lockstat

Merge branch 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  perf events: Update MAINTAINERS entry file patterns
  perf tools: Remove static debugfs path from parse-events
  perf tools: Fix the NO_64BIT build on pure 64-bit systems
  perf tools: Fix const char type propagation

Merge branch 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  sched: Fix missing kernel-doc notation
  Revert "x86, timers: Check for pending timers after (device) interrupts"
  sched: Update the clock of runqueue select_task_rq() selected