From: Andreas Gruenbacher <agruen@suse.de>

There is a race between unshare_files() and the following steal_locks().
As a consequence, steal_locks() may steal some additional FL_POSIX locks
that don't belong to the current thread.  This triggers a BUG in
locks_remove_flock().

In detail, the current thread shares its files struct with other threads.
This causes unshare_files() to associate the current thread with a copy of
its files_struct.  The copy shares all file objects with the original files
struct.  In the time between unshare_files() and steal_locks(), another
thread creates a new file and a FL_POSIX lock on it.  The current thread
gets into steal_locks() and takes over all FL_POSIX locks that refer to the
previous files_struct, including the new lock.  We do
put_files_struct(original files_struct).  This causes the file handle to
the new file to be closed.  We get into locks_remove_posix() and miss the
lock, because its fl_owner field now refers to the new files_struct. 
Finally we get into locks_remove_flock(), and stumble upon the lock.

While looking into this bug report I gathered the following data with a
SUSE kernel (oops and LKCD dump from Chris):

kernel BUG at fs/locks.c:1736!
invalid operand: 0000 [#1]
SMP
CPU:    0
EIP:    0060:[<c01844fb>]    Tainted: G  U
EFLAGS: 00010246   (2.6.5-0-testing)
EIP is at locks_remove_flock+0x8b/0x130
eax: f7b89998   ebx: f61df3fc   ecx: f61df354   edx: 00000000
esi: f61df354   edi: f6702b80   ebp: f6179c24   esp: f6179c08
ds: 007b   es: 007b   ss: 0068
Process owcimomd (pid: 1713, threadinfo=f6178000 task=f66d0d60)
Stack: c1e1fdac c1e1fdac f7fe83c0 00000296 f6702b80 f7fe87c0 f61df354 f6179c3c
       c016ce00 f61ddadc f6702b80 00000000 f6703b00 f6179c54 c0168b1f c0000000
       0000026f 00000012 f6703b00 f6179c6c c0124ba7 00000001 f6179e5c f6179d88
Call Trace:
 [<c016ce00>] __fput+0x30/0x120
 [<c0168b1f>] filp_close+0x4f/0x90
 [<c0124ba7>] put_files_struct+0x67/0xc0
 [<c019d285>] load_elf_binary+0x3f5/0x1596
 [<c018a5af>] update_atime+0x9f/0xc0
 [<c01478fd>] __generic_file_aio_read+0x1cd/0x200
 [<c0145060>] file_read_actor+0x0/0xd0
 [<c01784b7>] search_binary_handler+0x97/0x270
 [<c017a072>] do_execve+0x172/0x200
 [<c0105fb2>] sys_execve+0x32/0x70
 [<c0107e21>] sysenter_past_esp+0x52/0x71

Code: 0f 0b c8 06 eb 74 35 c0 eb db b8 00 e0 ff ff 21 e0 8b 10 8b

put_files_struct+0x67 is equivalent to fs/binfmt_elf.c:681 in 2.6.6

current->files == fl->fl_owner
fl->fl_file = 0xf6702b80 (a valid struct file)

current->files =
  max_fds=32
  max_fdset=1024
  next_fd=3
  fd=[0xf6927080 0xf6951b80  0xf6951b80 0 ...]

Here's a proposed fix.  As a side effect, steal_locks no longer walks the
global list of locks, but only the locks of all open inodes.

What are the reasons (other than historic ones) for not getting rid of
fl_owner and using fl_pid instead, by the way?  I think that would clean up
the whole mess with file locks a bit.
Signed-off-by: Andrew Morton <akpm@osdl.org>

From: Tom Rini <trini@kernel.crashing.org>

Fix arch/ppc/boot/ so that everything now works with 'make O='.

Partially by: Geoffrey LEVAND <geoffrey.levand@am.sony.com>.
Signed-off-by: Tom Rini <trini@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>

From: Anton Blanchard <anton@samba.org>

From: Dave Hansen

This patch is obviously of the utmost importance.  It probably doesn't matter
as much for kernel error messages, but one of these mistakes is in a
user-readable /proc file.  
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Dave Hansen <haveblue@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>

into ppc970.osdl.org:/home/torvalds/v2.6/linux

into ppc970.osdl.org:/home/torvalds/v2.6/linux

This fixes a bug where, if we try to set the affinity on an unused
virtual IRQ number on a logically-partitioned pSeries system, we call
the firmware with physical IRQ number = -1, which it doesn't like.

With this patch we just ignore the attempt.
Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

msleep() does msecs to jiffies conversion correctly regardless
of HZ value and sets the current task's state in a safe way.
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

Noticed by Christoph Hellwig <hch@lst.de>.

Probably somebody got the logic wrong while adding
#ifndef CONFIG_BLK_DEV_IDECS back in 2.4.0-test2.
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

ide-disk only checks for drive->blocked and blk_fs_request() if TASKFILE_IO
is defined.  Move these checks (and TCQ check too) to upper function.
Signed-off-by: Jens Axboe <axboe@suse.de>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

ptep_establish() is used to establish a new mapping at COW time,
and it always replaces a non-writable page mapping with a totally
new page mapping that is dirty (and likely writable, although ptrace
may cause a non-writable new mapping). Because it was nonwritable,
we don't have to worry about losing concurrent dirty page bit updates.

ptep_update_access_flags() leaves the same page mapping, but updates
the accessed/dirty/writable bits (it only ever sets them, and never
removes any permissions). Often easier, but it may race with a dirty
bit update on another CPU.

Booted on x86 and ppc64.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

into kernel.bkbits.net:/home/davem/net-2.6

(TBF does not allow attaching filters as it has only one class,
filter should be attached either to TBF's parent or to its child)

PAGE_SIZE isn't even always defined at this point,
which makes us test undefined preprocessor symbols.

It so happens that the test works in that case,
but since the test is a bit pointless in the first
place...

some rather subtle C type expansion rules.

This makes sparse happier.

This helps reduce sparse noise.

into ppc970.osdl.org:/home/torvalds/v2.6/linux

into kernel.bkbits.net:/home/davem/tg3-2.6

into ppc970.osdl.org:/home/torvalds/v2.6/linux

into kernel.bkbits.net:/home/davem/net-2.6

When trying to spddelete individual entries using setkey, spddelete always 
fails.  The culprit is in net/af_key.c; spdadd sets the family field of the 
selector when creating an entry, but spddelete doesn't when building a 
selector to match for xfrm_policy_bysel.  Trivial fix is to have spddelete 
set the family field in the selector in same way spdadd does.

helper function to write-back the dirty and accessed bits from
ptep_establish().

Right now this defaults to the same old "set_pte()" that we've
always done, except for x86 where we now fix the (unlikely)
race in updating accessed bits and dropping a concurrent dirty
bit.

preparation for pte update race fix.

This does not actually use the information yet, but
the next few patches will start to put it to some
good use.

Fix over long nodemask clearing in get_mem_policy() by using the
right size for the node mask.

In xfrm_state_find, the larval state never actually matures with
Openswan so it only ever gets deleted by the timer which means
that the time crash can't happen :)  It becomes a (possible) memory
leak instead.

Trent Jarvi <taj@www.linux.org.uk> noticed this.  The file was out of date
with current web site and maintainer.  Please apply to 2.4 and 2.6.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>

into nuts.davemloft.net:/disk1/BK/net-2.6

Even with a 16kB stack, we have been seeing stack overflows on PPC64
under stress.  This patch implements separate per-cpu stacks for
processing interrupts and softirqs, along the lines of the
CONFIG_4KSTACKS stuff on x86.  At the moment the stacks are still 16kB
but I hope we can reduce that to 8kB in future.  (Gcc is capable of
adding instructions to the function prolog to check the stack pointer
whenever it moves it downwards, and I want to use that when I try
using 8kB stacks so I can be confident that we aren't overflowing the
stack.)
Signed-off-by: Paul Mackerras <paulus@samba.org>

This patch, from Venkatesh Pallipadi, changes x86 IO-APICs to use fixed
interrupt delivery instead of lowest priority to support larger number
of CPUs.  Only bigsmp is affected by this cleanup. 

From: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>

Signed-off-by: Marcus Meissner <meissner@suse.de>

Added missing DM_REMOVE_ALL call.

Signed-off-by: Ingo Molnar <mingo@elte.hu>

We can avoid the local_irq_enable() in sched_yield() because schedule()
unconditionally enables interrupts anyway.

Signed-off-by: Christian Meder <chris@onestepahead.de>
Signed-off-by: Ingo Molnar <mingo@elte.hu>

sched.h typo fix from Christian Meder.

Signed-off-by: Ingo Molnar <mingo@elte.hu>

Add a warning that "idle=poll" is a performance hit on hyperthreaded CPUs.

From: Bart Samwel <bart@samwel.tk>

Currently the ACPI binding script in the Laptop Mode doc always says "20
seconds" and "2 hours" for the timeouts it uses.  This is incorrect if the
user changed the config values, so we print something more general.

From: William Lee Irwin III <wli@holomorphy.com>

PMD_SIZE is not a compile-time constant on sparc.  Use min() in there so
that the cluster size will be evaluated at runtime if the architecture
insists on doing that.

It's initialising slot 24 in two places.  Gerd Knorr <kraxel@bytesex.org> says
"This one should be 23.".