According to the datasheet for Winbond W83627DHG the proper way to exit
the Extended Function Mode is to write 0xaa to the EFER(0x2e or 0x4e).
Signed-off-by: Jonas Jonsson <jonas@ludd.ltu.se>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

It is unnecessary and wrong to call hwmon_device_unregister in error
handling before hwmon_device_register is called.
Signed-off-by: Yong Wang <yong.y.wang@intel.com>
Reviewed-by: Guenter Roeck <guenter.roeck@ericsson.com>
Cc: stable@kernel.org
Signed-off-by: Jean Delvare <khali@linux-fr.org>

All bits in the values read from registers to be used for the next
write were getting overwritten, avoid doing so to not mess with the
current configuration.
Signed-off-by: Guillem Jover <guillem@hadrons.org>
Cc: Riku Voipio <riku.voipio@iki.fi>
Cc: stable@kernel.org
Signed-off-by: Jean Delvare <khali@linux-fr.org>

The spec notes that fan0 and fan1 control mode bits are located in bits
7-6 and 5-4 respectively, but the FAN_CTRL_MODE macro was making the
bits shift by 5 instead of by 4.
Signed-off-by: Guillem Jover <guillem@hadrons.org>
Cc: Riku Voipio <riku.voipio@iki.fi>
Cc: stable@kernel.org
Signed-off-by: Jean Delvare <khali@linux-fr.org>

Guenter Roeck volunteered to adopt the hwmon subsystem as long as he
wasn't the only maintainer. As this was also my own condition, we can
add the two of us as co-maintainers of the hwmon subsystem.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>

If CONFIG_PM was selected and lis3lv02d_platform_data was NULL,
the kernel will be panic when halt command run.
Reported-by: Yusuke Goda <yusuke.goda.sx@renesas.com>
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Acked-by: Samu Onkalo <samu.p.onkalo@nokia.com>
Sigend-off-by: Jean Delvare <khali@linux-fr.org>

* git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
  cifs: fix potential double put of TCP session reference

* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6:
  [IA64] Optimize ticket spinlocks in fsys_rt_sigprocmask

* '2.6.36-fixes' of git://github.com/schandinat/linux-2.6:
  drivers/video/via/ioctl.c: prevent reading uninitialized stack memory

* 'urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/pcmcia-2.6:
  pcmcia pcnet_cs: try setting io_lines to 16 if card setup fails
  pcmcia: per-device, not per-socket debug messages
  pcmcia serial_cs.c: fix multifunction card handling

* git://git.infradead.org/users/cbou/battery-2.6.36:
  apm_power: Add missing break statement
  intel_pmic_battery: Fix battery charging status on mrst

* git://git.kernel.org/pub/scm/linux/kernel/git/wim/linux-2.6-watchdog:
  watchdog: Enable NXP LPC32XX support in Kconfig (resend)
  watchdog: ts72xx_wdt: disable watchdog at probe
  watchdog: sb_wdog: release irq and reboot notifier in error path and module_exit()

* 'stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile:
  arch/tile: fix formatting bug in register dumps
  arch/tile: fix memcpy_fromio()/memcpy_toio() signatures
  arch/tile: Save and restore extra user state for tilegx
  arch/tile: Change struct sigcontext to be more useful
  arch/tile: finish const-ifying sys_execve()

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lrg/voltage-2.6:
  regulator: wm8350-regulator - fix the logic of checking REGULATOR_MODE_STANDBY mode
  regulator: wm831x-ldo - fix the logic to set REGULATOR_MODE_IDLE and REGULATOR_MODE_STANDBY modes
  regulator: ab8500 - fix off-by-one value range checking for selector
  regulator: 88pm8607 - fix value range checking for accessing info->vol_table
  regulator: isl6271a-regulator - fix regulator_desc parameter for regulator_register()
  regulator: ad5398 - fix a memory leak
  regulator: Update e-mail address for Liam Girdwood
  regulator: set max8998->dev to &pdev->dev.
  regulator: tps6586x-regulator - fix bit_mask parameter for tps6586x_set_bits()
  regulator: tps6586x-regulator - fix value range checking for val
  regulator: max8998 - set max8998->num_regulators
  regulator: max8998 - fix memory allocation size for max8998->rdev
  regulator: tps6507x - remove incorrect comments
  regulator: max1586 - improve the logic of choosing selector
  regulator: ab8500 - fix the logic to remove already registered regulators in error path
  regulator: ab3100 - fix the logic to remove already registered regulators in error path
  regulator/ab8500: move dereference below the check for NULL

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
  workqueue: add documentation

* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/radeon/kms: only warn on mipmap size checks in r600 cs checker (v2)
  drm/radeon/kms: force legacy pll algo for RV620 LVDS
  drm: fix race between driver loading and userspace open.
  drm: Use a nondestructive mode for output detect when polling (v2)
  drm/radeon/kms: fix the colorbuffer CS checker for r300-r500
  drm/radeon/kms: increase lockup detection interval to 10 sec for r100-r500
  drm/radeon/kms/evergreen: fix backend setup
  drm: Use a nondestructive mode for output detect when polling
  drm/radeon: add some missing copyright headers
  drm: Only decouple the old_fb from the crtc is we call mode_set*
  drm/radeon/kms: don't enable underscan with interlaced modes
  drm/radeon/kms: add connector table for Mac x800
  drm/radeon/kms: fix regression in RMX code (v2)
  drm: Fix regression in disable polling e58f637b

The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
bytes of uninitialized stack memory, because the "reserved" member of
the viafb_ioctl_info struct declared on the stack is not altered or
zeroed before being copied back to the user.  This patch takes care of
it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>

Tony's fix (f574c843) has a small bug,
it incorrectly uses "r3" as a scratch register in the first of the two
unlock paths ... it is also inefficient.  Optimize the fast path again.
Signed-off-by: Petr Tesarik <ptesarik@suse.cz>
Signed-off-by: Tony Luck <tony.luck@intel.com>

The NXP LPC32XX processor use the same watchdog as the Philips
PNX4008 processor.
Signed-off-by: Kevin Wells <wellsk40@gmail.com>
Tested-by: Wolfram Sang <w.sang@pengutronix.de>
Signed-off-by: Wim Van Sebroeck <wim@iguana.be>

Since it may be already enabled by bootloader or some other utility. This patch
makes sure that the watchdog is disabled before any userspace daemon opens the
device. It is also required by the watchdog API.
Signed-off-by: Mika Westerberg <mika.westerberg@iki.fi>
Signed-off-by: Wim Van Sebroeck <wim@iguana.be>

irq and reboot notifier are acquired in module_init() but never released.
They should be released correctly, otherwise reloading the module or error
during module_init() will cause a problem.
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Cc: Andrew Sharp <andy.sharp@lsi.com>
Signed-off-by: Wim Van Sebroeck <wim@iguana.be>

Some pcnet_cs compatible cards require an exact 16-lines match
of the ioport areas specified in CIS, but set the "iolines"
value in the CIS incorrectly. We can easily work around this
issue -- same as we do in serial_cs -- by first trying setting
iolines to the CIS-specified value, and then trying a 16-line
match.
Reported-and-tested-by: Wolfram Sang <w.sang@pengutronix.de>
Hardware-supplied-by: Jochen Frieling <j.frieling@pengutronix.de>
CC: netdev@vger.kernel.org
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>

As the iomem / ioport setup differs per device, it is much better
to print out the device instead of the socket.
Tested-by: Wolfram Sang <w.sang@pengutronix.de>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>

We shouldn't overwrite pre-set values, and we should also
set the port address to the beginning, and not the end of
the 8-port range.

CC: linux-serial@vger.kernel.org
Reported-by: Komuro <komurojun-mbn@nifty.com>
Hardware-supplied-by: Jochen Frieling <j.frieling@pengutronix.de>
Tested-by: Wolfram Sang <w.sang@pengutronix.de>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>

This cut-and-paste bug was caused by rewriting the register dump
code to use only a single printk per line of output.
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>

This tripped up a driver (not yet committed to git).  Fix it now.
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>

During context switch, save and restore a couple of additional bits of
tilegx user state that can be persistently modified by userspace.
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>

Rather than just using pt_regs, it now contains the actual saved
state explicitly, similar to pt_regs.  By doing it this way, we
provide a cleaner API for userspace (or equivalently, we avoid the
need for libc to provide its own definition of sigcontext).

While we're at it, move PT_FLAGS_xxx to where they are not visible
from userspace.  And always pass siginfo and mcontext to signal
handlers, even if they claim they don't need it, since sometimes
they actually try to use it anyway in practice.
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>

The sys_execve() implementation was properly const-ified but not
the declaration, the syscall wrappers, or the compat version.
This change completes the constification process.
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>

The texture base address registers are in units of 256 bytes.
The original CS checker treated these offsets as bytes, so the
original check was wrong.  I fixed the units in a patch during
the 2.6.36 cycle, but this ended up breaking some existing
userspace (probably due to a bug in either userspace texture allocation
or the drm texture mipmap checker).  So for now, until we come
up with a better fix, just warn if the mipmap size it too large.
This will keep existing userspace working and it should be just
as safe as before when we were checking the wrong units.  These
are GPU MC addresses, so if they fall outside of the VRAM or
GART apertures, they end up at the GPU default page, so this should
be safe from a security perspective.

v2: Just disable the warning.  It just spams the log and there's
nothing the user can do about it.
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: Jerome Glisse <glisse@freedesktop.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>

* ssh://master.kernel.org/home/hpa/tree/sec:
  x86-64, compat: Retruncate rax after ia32 syscall entry tracing
  x86-64, compat: Test %rax for the syscall number, not %eax
  compat: Make compat_alloc_user_space() incorporate the access_ok()

Fix up the IRQ names for the MN10300 on-chip serial ports in the driver as
request_interrupt() no longer allows names containing slashes, giving a warning
like the following if one is encountered:

	------------[ cut here ]------------
	WARNING: at fs/proc/generic.c:323 __xlate_proc_name+0x62/0x7c()
	name 'ttySM0/Rx'
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* git://git.infradead.org/mtd-2.6:
  mtd: pxa3xx: fix build error when CONFIG_MTD_PARTITIONS is not defined
  mtd: mxc_nand: configure pages per block for v2 controller
  mtd: OneNAND: Fix loop hang when DMA error at Samsung SoCs
  mtd: OneNAND: Fix 2KiB pagesize handling at Samsung SoCs
  mtd: Blackfin NFC: fix invalid free in remove()
  mtd: Blackfin NFC: fix build error after nand_scan_ident() change
  mxc_nand: Do not do byte accesses to the NFC buffer.

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: fix hiddev's use of usb_find_interface
  HID: fixup blacklist entry for Asus T91MT
  HID: add device ID for new Asus Multitouch Controller
  HID: add no-get quirk for eGalax touch controller
  HID: Add quirk for eGalax touch controler.
  HID: add support for another BTC Emprex remote control
  HID: Set Report ID properly for Output reports on the Control endpoint.
  HID: Kanvus Note A5 tablet needs HID_QUIRK_MULTI_INPUT
  HID: Add support for chicony multitouch screens.

* 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6:
  SUNRPC: Fix the NFSv4 and RPCSEC_GSS Kconfig dependencies
  statfs() gives ESTALE error
  NFS: Fix a typo in nfs_sockaddr_match_ipaddr6
  sunrpc: increase MAX_HASHTABLE_BITS to 14
  gss:spkm3 miss returning error to caller when import security context
  gss:krb5 miss returning error to caller when import security context
  Remove incorrect do_vfs_lock message
  SUNRPC: cleanup state-machine ordering
  SUNRPC: Fix a race in rpc_info_open
  SUNRPC: Fix race corrupting rpc upcall
  Fix null dereference in call_allocate

Tavis Ormandy pointed out that do_io_submit does not do proper bounds
checking on the passed-in iocb array:

       if (unlikely(nr < 0))
               return -EINVAL;

       if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
               return -EFAULT;                      ^^^^^^^^^^^^^^^^^^

The attached patch checks for overflow, and if it is detected, the
number of iocbs submitted is scaled down to a number that will fit in
the long.  This is an ok thing to do, as sys_io_submit is documented as
returning the number of iocbs submitted, so callers should handle a
return value of less than the 'nr' argument passed in.
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

cifs_get_smb_ses must be called on a server pointer on which it holds an
active reference. It first does a search for an existing SMB session. If
it finds one, it'll put the server reference and then try to ensure that
the negprot is done, etc.

If it encounters an error at that point then it'll return an error.
There's a potential problem here though. When cifs_get_smb_ses returns
an error, the caller will also put the TCP server reference leading to a
double-put.

Fix this by having cifs_get_smb_ses only put the server reference if
it found an existing session that it could use and isn't returning an
error.

Cc: stable@kernel.org
Reviewed-by: Suresh Jayaraman <sjayaraman@suse.de>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>

In commit d4d67150, we reopened an old hole for a 64-bit ptracer touching a
32-bit tracee in system call entry.  A %rax value set via ptrace at the
entry tracing stop gets used whole as a 32-bit syscall number, while we
only check the low 32 bits for validity.

Fix it by truncating %rax back to 32 bits after syscall_trace_enter,
in addition to testing the full 64 bits as has already been added.
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>

On 64 bits, we always, by necessity, jump through the system call
table via %rax.  For 32-bit system calls, in theory the system call
number is stored in %eax, and the code was testing %eax for a valid
system call number.  At one point we loaded the stored value back from
the stack to enforce zero-extension, but that was removed in checkin
d4d67150.  An actual 32-bit process
will not be able to introduce a non-zero-extended number, but it can
happen via ptrace.

Instead of re-introducing the zero-extension, test what we are
actually going to use, i.e. %rax.  This only adds a handful of REX
prefixes to the code.
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Cc: <stable@kernel.org>
Cc: Roland McGrath <roland@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>

compat_alloc_user_space() expects the caller to independently call
access_ok() to verify the returned area.  A missing call could
introduce problems on some architectures.

This patch incorporates the access_ok() check into
compat_alloc_user_space() and also adds a sanity check on the length.
The existing compat_alloc_user_space() implementations are renamed
arch_compat_alloc_user_space() and are used as part of the
implementation of the new global function.

This patch assumes NULL will cause __get_user()/__put_user() to either
fail or access userspace on all architectures.  This should be
followed by checking the return value of compat_access_user_space()
for NULL in the callers, at which time the access_ok() in the callers
can also be removed.
Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Acked-by: Chris Metcalf <cmetcalf@tilera.com>
Acked-by: David S. Miller <davem@davemloft.net>
Acked-by: Ingo Molnar <mingo@elte.hu>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Tony Luck <tony.luck@intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Helge Deller <deller@gmx.de>
Cc: James Bottomley <jejb@parisc-linux.org>
Cc: Kyle McMartin <kyle@mcmartin.ca>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: <stable@kernel.org>