I have observed the following bug trigger:

1. userspace calls GET_DIRTY_LOG
2. kvm_mmu_slot_remove_write_access is called and makes a page ro
3. page fault happens and makes the page writeable
   fault is logged in the bitmap appropriately
4. kvm_vm_ioctl_get_dirty_log swaps slot pointers

a lot of time passes

5. guest writes into the page
6. userspace calls GET_DIRTY_LOG

At point (5), bitmap is clean and page is writeable,
thus, guest modification of memory is not logged
and GET_DIRTY_LOG returns an empty bitmap.

The rule is that all pages are either dirty in the current bitmap,
or write-protected, which is violated here.

It seems that just moving kvm_mmu_slot_remove_write_access down
to after the slot pointer swap should fix this bug.

KVM-Stable-Tag.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>

Fix regression introduced by commit 79da826a ("writeback: report
dirty thresholds in /proc/vmstat").

The incorrect pointer arithmetic can result in problems like this:

  BUG: unable to handle kernel paging request at 07c06d16
  IP: [<c050c336>] strnlen+0x6/0x20
  Call Trace:
   [<c050a249>] ? string+0x39/0xe0
   [<c042be6b>] ? __wake_up_common+0x4b/0x80
   [<c050afcc>] ? vsnprintf+0x1ec/0x380
   [<c04b380e>] ? seq_printf+0x2e/0x60
   [<c04829a6>] ? vmstat_show+0x26/0x30
   [<c04b3bb6>] ? seq_read+0xa6/0x380
   [<c04b3b10>] ? seq_read+0x0/0x380
   [<c04d5d2f>] ? proc_reg_read+0x5f/0x90
   [<c049c4a1>] ? vfs_read+0xa1/0x140
   [<c04d5cd0>] ? proc_reg_read+0x0/0x90
   [<c049c981>] ? sys_read+0x41/0x70
   [<c0402bd0>] ? sysenter_do_call+0x12/0x26

Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Michael Rubin <mrubin@google.com>
Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
  ASoC: tpa6130a2: Get rid of compile warning from tpa6130a2_power
  ALSA: hda - MacBookAir3,1(3,2) alsa support
  ASoC: fix the building issue of missing codec field in 'struct snd_soc_card'
  ALSA: usb-audio - Support for Power/Status LED on Creative USB X-Fi S51
  ALSA: asihpi - Unsafe memory management when allocating control cache
  ASoC: Update WARN uses in wm_hubs
  ASoC: Include cx20442 to SND_SOC_ALL_CODECS
  ASoC: Fix SND_SOC_ALL_CODECS typo for jz4740
  ASoC: Remove volatility from WM8900 POWER1 register
  ALSA: lx6464es - make 1 bit signed bitfield unsigned
  ALSA: cs46xx memory management fixes for cs46xx_dsp_spos_create()
  ALSA: usb - driver neglects kmalloc return value check and may deref NULL
  ASoC: tpa6130a2: Fix unbalanced regulator disables
  ASoC: tlv320dac33: Mode1 FIFO auto configuration fix
  ASoC: tlv320dac33: Limit the US_TO_SAMPLES macro
  ASoC: tlv320dac33: Error handling for broken chip
  ASoC: Check return value of struct_strtoul() in pmdown_time_set()

Patch "ASoC: tpa6130a2: Fix unbalanced regulator disables" introduced a
compiler warning "‘ret’ may be used uninitialized in this function".
Initialize ret to zero to get rid of it and making sure that the function
does not return any random error code when the code is falling through.

Signed-off-by: Jarkko Nikula <jhnikula@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

Merge branch 'for-2.6.37' of git://git.kernel.org/pub/scm/linux/kernel/git/lrg/asoc-2.6 into fix/asoc

This patch add support for the MacBookAir3,1 and MacBookAir3,2 to the alsa
sound system.

Signed-off-by: Edgar (gimli) Hucek <gimli@dark-green.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

This slipped by when unifying the filemap and swap versions of
lock_page_or_retry()...

Signed-off-by: Michel Lespinasse <walken@google.com>
Acked-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Linus noted, and complained to me, that doing while lots of "git diff"'s
of kernel sources, these spinlocks were responsible for 27% of the
spinlock cost on his two-processor system as reported by perf.

Git was doing lots of parallel stats, and this was putting a lot of
pressure on ext4_getattr().  A spinlock to protect a single
memory-to-memory copy is pointless, so remove it.

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>

The preempt count logic tries to take the BKL into account, which breaks
when CONFIG_BKL is not set.

Use the same preempt_count offset that we use without CONFIG_PREEMPT
when CONFIG_BKL is disabled.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reported-and-tested-by: Kirill A. Shutemov <kirill@shutemov.name>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

This patch adds support for Power/Status LED on Creative USB X-Fi S51.
There is just one LED on the device. The LED can either be On or it
can be set to Blink. There doesn't seem to be a way to switch it off.
The control message to change LED status is similar to that of
audigy2nx except that the index is to be set to 0 and value is 1 for
Blink and 0 for On.

The 'Power LED' control in alsamixer when muted will cause the LED to
Blink continuously. When unmuted  the LED will stay On. The Creative
driver under Windows sets the LED to blink whenever audio is muted.
This LED can be treated as the CMSS LED but I figured since there is
just one LED, it should be treated as the Power LED. Is that alright?

I've also changed the comment "Usb X-Fi" to "Usb X-Fi S51" as there
are other external X-Fi devices from Creative like Usb X-Fi Go and
Xmod. The volume knob and LED support patch doesn't apply to them.

Signed-off-by: Mandar Joshi <emailmandar@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

I noticed that sound/pci/asihpi/hpicmn.c::hpi_alloc_control_cache() does
not check the return value from kmalloc(), which may fail.
If kmalloc() fails we'll dereference a null pointer and things will go bad
fast.
There are two memory allocations in that function and there's also the
problem that the first may succeed and the second may fail and nothing is
done about that either which will also go wrong down the line.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Acked-by: Eliot Blennerhassett <linux@audioscience.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

When expanding a parameterised string we may run out of space, this
triggers a realloc.  When computing the new allocation size we do not
allow for the terminating '\0'.  Allow for this when calculating the new
length.

Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Commit 7d945a3a ("logfs get_sb, part 3") broke the logfs build when
CONFIG_MTD is set due to a mangled logfs_get_sb_mtd() definition.

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Add missing newlines.

Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: Liam Girdwood <lrg@slimlogic.co.uk>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>

Signed-off-by: Jarkko Nikula <jhnikula@gmail.com>
Acked-by: Liam Girdwood <lrg@slimlogic.co.uk>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>

Include jz4740.c to SND_SOC_ALL_CODECS when the dependencies are met.

Signed-off-by: Jarkko Nikula <jhnikula@gmail.com>
Acked-by: Liam Girdwood <lrg@slimlogic.co.uk>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>

Not all bits can be read back from POWER1 so avoid corruption when using
a read/modify/write cycle by marking it non-volatile - the only thing we
read back from it is the chip revision which has diagnostic value only.
We can re-add later but that's a more invasive change than is suitable
for a bugfix.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Acked-by: Liam Girdwood <lrg@slimlogic.co.uk>
Cc: stable@kernel.org

* 'for-linus' of git://www.jni.nu/cris:
  CRIS: Add paths for CRISv10 serial driver
  CRIS: Fix RS485 delay handling.
  Add missing "struct" to in sizeof.

* 'next-spi' of git://git.secretlab.ca/git/linux-2.6:
  spi/pl022: fix erroneous platform data in U300
  spi: fixed odd static string conventions in core code
  spi/bfin_spi: only request GPIO on first load
  spi/bfin_spi: handle error/status changes after data interrupts
  spi: enable spi_board_info to be registered after spi_master

Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>

converts a 1 bit signed bitfield to an unsigned.

Reported-by: Dr. David Alan Gilbert <linux@treblig.org>
Signed-off-by: Tim Blechmann <tim@klingt.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

When reading through sound/pci/cs46xx/dsp_spos.c I noticed a couple of
things in cs46xx_dsp_spos_create().

It seems to me that we don't always free the various memory buffers we
allocate and we also do some work (structure member assignment) early,
that is completely pointless if some of the memory allocations fail and
we end up just aborting the whole thing.

I don't have hardware to test, so the patch below is compile tested only,
but it makes the following changes:

- Make sure we always free all allocated memory on failures.
- Don't do pointless work assigning to structure members before we know
  all memory allocations, that may abort progress, have completed
  successfully.
- Remove some trailing whitespace.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Tested-by: Ondrej Zary <linux@rainbow-software.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

sound/usb/pcm.c::snd_usb_pcm_check_knot() fails to check the return value
from kmalloc() and may end up dereferencing a null pointer.
The patch below (compile tested only) should take care of that little
problem.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

This fixes an erroneous use of LSB first in the U300 machine, the
PL022 used in U300 is a standard ARM core that doesn't support this
bit so it should never have been set.

Cc: Kevin Wells <wellsk40@gmail.com>OA
Signed-off-by: Linus Walleij <linus.walleij@stericsson.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>

We were forgetting to set up proper return value in success path causing
ir_getkeycode() to fail intermittently:

drivers/media/IR/ir-keytable.c: In function 'ir_getkeycode':
drivers/media/IR/ir-keytable.c:363: warning: 'retval' may be used
uninitialized in this function

Reported-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* 'i2c-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging:
  i2c-i801: Add PCI idents for Patsburg 'IDF' SMBus controllers
  i2c-i801: Handle multiple instances instead of keeping global state
  i2c-i801: Add Intel Patsburg device ID
  i2c: Drop unused I2C_CLASS_TV flags

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: appletouch - remove extra KERN_DEBUG use from dprintk
  Input: bu21013_ts - fix null dereference in error handling
  Input: ad7879 - prevent invalid finger data reports

* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6: (70 commits)
  [SCSI] pmcraid: add support for set timestamp command and other fixes
  [SCSI] pmcraid: remove duplicate struct member
  [SCSI] qla4xxx: Fix cmd check in qla4xxx_cmd_wait
  [SCSI] megaraid_sas: Version and documentation update
  [SCSI] megaraid_sas: Add three times Online controller reset
  [SCSI] megaraid_sas: Add input parameter for max_sectors
  [SCSI] megaraid_sas: support devices update flag
  [SCSI] libosd: write/read_sg_kern API
  [SCSI] libosd: Support for scatter gather write/read commands
  [SCSI] libosd: Free resources in reverse order of allocation
  [SCSI] libosd: Fix bug in attr_page handling
  [SCSI] lpfc 8.3.18: Update lpfc driver version to 8.3.18
  [SCSI] lpfc 8.3.18: Add new WQE support
  [SCSI] lpfc 8.3.18: Fix critical errors
  [SCSI] lpfc 8.3.18: Adapter Shutdown and Unregistration cleanup
  [SCSI] lpfc 8.3.18: Add logic to detect last devloss timeout
  [SCSI] lpfc 8.3.18: Add support of received ELS commands
  [SCSI] lpfc 8.3.18: FC/FCoE Discovery fixes
  [SCSI] ipr: add definitions for a new adapter
  [SCSI] bfa: fix comments for c files
  ...

Merge branches 'irq-core-for-linus' and 'core-locking-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  genirq: Fix up irq_node() for irq_data changes.
  genirq: Add single IRQ reservation helper
  genirq: Warn if enable_irq is called before irq is set up

* 'core-locking-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  semaphore: Remove mutex emulation
  staging: Final semaphore cleanup
  jbd2: Convert jbd2_slab_create_sem to mutex
  hpfs: Convert sbi->hpfs_creation_de to mutex

Fix up trivial change/delete conflicts with deleted 'dream' drivers
(drivers/staging/dream/camera/{mt9d112.c,mt9p012_fox.c,mt9t013.c,s5k3e2fx.c})

These are the extra 'Integrated Device Function' SMBus controllers found
on the Patsburg chipset. Mention the absence of slave mode support.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

It's poor form to keep driver state in global variables rather than
per-instance. It never really mattered in practice when there was only
one controller on the chipset, but the latest chipsets do have more
than one controller, so now we care.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

Add support for the Intel Patsburg PCH SMBus Controller.

Signed-off-by: Seth Heasley <seth.heasley@intel.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

There are no users left for I2C_CLASS_TV_ANALOG and
I2C_CLASS_TV_DIGITAL, so we can get rid of them.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

This one was only used for a nasty hack in nfsd, which has recently
been removed.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

The caller allocated it, the caller should free it.

The only issue so far is that we could change the flp pointer even on an
error return if the fl_change callback failed.  But we can simply move
the flp assignment after the fl_change invocation, as the callers don't
care about the flp return value if the setlease call failed.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>