* 'for-linus' of git://git.kernel.dk/linux-block:
  cfq-iosched: fix use-after-free of cfqq

With the changes in life time management between the cfq IO contexts
and the cfq queues, we now risk having cfqd->active_queue being
freed when cfq_slice_expired() is being called. cfq_preempt_queue()
caches this queue and uses it after calling said function, causing
a use-after-free condition. This triggers the following oops,
when cfqq_type() attempts to dereference it:

BUG: unable to handle kernel paging request at ffff8800746c4f0c
IP: [<ffffffff81266d59>] cfqq_type+0xb/0x20
PGD 18d4063 PUD 1fe15067 PMD 1ffb9067 PTE 80000000746c4160
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
CPU 3
Modules linked in:

Pid: 1, comm: init Not tainted 3.2.0-josef+ #367 Bochs Bochs
RIP: 0010:[<ffffffff81266d59>]  [<ffffffff81266d59>] cfqq_type+0xb/0x20
RSP: 0018:ffff880079c11778  EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff880076f3df08 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffff880074271888 RDI: ffff8800746c4f08
RBP: ffff880079c11778 R08: 0000000000000078 R09: 0000000000000001
R10: 09f911029d74e35b R11: 09f911029d74e35b R12: ffff880076f337f0
R13: ffff8800746c4f08 R14: ffff8800746c4f08 R15: 0000000000000002
FS:  00007f62fd44f700(0000) GS:ffff88007cd80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8800746c4f0c CR3: 0000000076c21000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process init (pid: 1, threadinfo ffff880079c10000, task ffff880079c0a040)
Stack:
 ffff880079c117c8 ffffffff812683d8 ffff880079c117a8 ffffffff8125de43
 ffff8800744fcf48 ffff880074b43e98 ffff8800770c8828 ffff880074b43e98
 0000000000000003 0000000000000000 ffff880079c117f8 ffffffff81254149
Call Trace:
 [<ffffffff812683d8>] cfq_insert_request+0x3f5/0x47c
 [<ffffffff8125de43>] ? blk_recount_segments+0x20/0x31
 [<ffffffff81254149>] __elv_add_request+0x1ca/0x200
 [<ffffffff8125aa99>] blk_queue_bio+0x2ef/0x312
 [<ffffffff81258f7b>] generic_make_request+0x9f/0xe0
 [<ffffffff8125907b>] submit_bio+0xbf/0xca
 [<ffffffff81136ec7>] submit_bh+0xdf/0xfe
 [<ffffffff81176d04>] ext3_bread+0x50/0x99
 [<ffffffff811785b3>] dx_probe+0x38/0x291
 [<ffffffff81178864>] ext3_dx_find_entry+0x58/0x219
 [<ffffffff81178ad5>] ext3_find_entry+0xb0/0x406
 [<ffffffff8110c4d5>] ? cache_alloc_debugcheck_after.isra.46+0x14d/0x1a0
 [<ffffffff8110cfbd>] ? kmem_cache_alloc+0xef/0x191
 [<ffffffff8117a330>] ext3_lookup+0x39/0xe1
 [<ffffffff81119461>] d_alloc_and_lookup+0x45/0x6c
 [<ffffffff8111ac41>] do_lookup+0x1e4/0x2f5
 [<ffffffff8111aef6>] link_path_walk+0x1a4/0x6ef
 [<ffffffff8111b557>] path_lookupat+0x59/0x5ea
 [<ffffffff8127406c>] ? __strncpy_from_user+0x30/0x5a
 [<ffffffff8111bce0>] do_path_lookup+0x23/0x59
 [<ffffffff8111cfd6>] user_path_at_empty+0x53/0x99
 [<ffffffff8107b37b>] ? remove_wait_queue+0x51/0x56
 [<ffffffff8111d02d>] user_path_at+0x11/0x13
 [<ffffffff811141f5>] vfs_fstatat+0x3a/0x64
 [<ffffffff8111425a>] vfs_stat+0x1b/0x1d
 [<ffffffff81114359>] sys_newstat+0x1a/0x33
 [<ffffffff81060e12>] ? task_stopped_code+0x42/0x42
 [<ffffffff815d6712>] system_call_fastpath+0x16/0x1b
Code: 89 e6 48 89 c7 e8 fa ca fe ff 85 c0 74 06 4c 89 2b 41 b6 01 5b 44 89 f0 41 5c 41 5d 41 5e 5d c3 55 48 89 e5 66 66 66 66 90 31 c0 <8b> 57 04 f6 c6 01 74 0b 83 e2 20 83 fa 01 19 c0 83 c0 02 5d c3
RIP  [<ffffffff81266d59>] cfqq_type+0xb/0x20
 RSP <ffff880079c11778>
CR2: ffff8800746c4f0c

Get rid of the caching of cfqd->active_queue, and reorder the
check so that it happens before we expire the active queue.

Thanks to Tejun for pin pointing the error location.

Reported-by: Chris Mason <chris.mason@oracle.com>
Tested-by: Chris Mason <chris.mason@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

Merge branch 'stable/for-linus-fixes-3.3' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen

* 'stable/for-linus-fixes-3.3' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
  xen/balloon: Move the registration from device to subsystem.

* 'next' of git://git.monstr.eu/linux-2.6-microblaze:
  USB: EHCI: Don't use NO_IRQ in xilinx ehci driver
  microblaze: Add topology init

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: virtuoso: Xonar DS: fix polarity of front output
  ALSA: Au88x0 - Reduce the number of playback subdevices of au8830 from 32 to 16
  ALSA: Au88x0 - Support 4 channels playback when AC97 codecs has SDAC bit
  ALSA: HDA: Fix internal microphone on Dell Studio 16 XPS 1645
  ALSA: Don't prompt for CONFIG_SND_COMPRESS_OFFLOAD
  ALSA: HDA: Use LPIB position fix for Macbook Pro 7,1

This field is unused since 2.6.28 (commit fe6e29fd

: "tty: simplify
ktermios allocation", to be exact)

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

This reverts commit d2a7009f

.

J. R. Okajima explains:

 "After this commit, I am afraid access(2) on NFS may not work
  correctly.  The scenario based upon my guess.
   - access(2) overrides the credentials.
   - calls inode_permission() -- ... -- generic_permission() --
      ns_capable().
   - while the old ns_capable() calls security_capable(current_cred()),
     the new ns_capable() calls has_ns_capability(current) --
     security_capable(__task_cred(t)).

  current_cred() returns current->cred which is effective (overridden)
  credentials, but __task_cred(current) returns current->real_cred (the
  NFSD's credential).  And the overridden credentials by access(2) lost."

Requested-by: J. R. Okajima <hooanon05@yahoo.co.jp>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* 'x86/rdrand' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  random: Adjust the number of loops when initializing
  random: Use arch-specific RNG to initialize the entropy store

* 'x86-syscall-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86: Move <asm/asm-offsets.h> from trace_syscalls.c to asm/syscall.h
  x86, um: Fix typo in 32-bit system call modifications
  um: Use $(srctree) not $(KBUILD_SRC)
  x86, um: Mark system call tables readonly
  x86, um: Use the same style generated syscall tables as native
  um: Generate headers before generating user-offsets.s
  um: Run host archheaders, allow use of host generated headers
  kbuild, headers.sh: Don't make archheaders explicitly
  x86, syscall: Allow syscall offset to be symbolic
  x86, syscall: Re-fix typo in comment
  x86: Simplify syscallhdr.sh
  x86: Generate system call tables and unistd_*.h from tables
  checksyscalls: Use arch/x86/syscalls/syscall_32.tbl as source
  x86: Machine-readable syscall tables and scripts to process them
  trace: Include <asm/asm-offsets.h> in trace_syscalls.c
  x86-64, ia32: Move compat_ni_syscall into C and its own file
  x86-64, syscall: Adjust comment spacing and remove typo
  kbuild: Add support for an "archheaders" target
  kbuild: Add support for installing generated asm headers

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-ktest:
  ktest: Add INGORE_ERRORS to ignore warnings in boot up
  ktest: Still do reboot even for REBOOT_TYPE = script
  ktest: Fix compare script to test if options are not documented
  ktest: Detect typos in option names
  ktest: Have all values be set by defaults
  ktest: Change initialization of defaults hash to perl format
  ktest: Add options SWITCH_TO_GOOD and SWITCH_TO_TEST
  ktest: Allow overriding bisect test results
  ktest: Evaluate options before processing them
  ktest: Evaluate $KERNEL_VERSION in both install and post install
  ktest: Only ask options needed for install
  ktest: When creating a new config, ask for BUILD_OPTIONS
  ktest: Do not ask for some options if the only test is build
  ktest: Ask for type of test when creating a new config
  ktest: Allow bisect test to restart where it left off
  ktest: When creating new config, allow the use of ${THIS_DIR}
  ktest: Add default for ssh-user, build-target and target-image
  ktest: Allow success logs to be stored
  ktest: Save test output

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
  ARM: OMAP3: fix build on !CONFIG_IOMMU_API

When suspending, there was a large list of warnings going something like:

	Device 'machinecheck1' does not have a release() function, it is broken and must be fixed

This patch turns the static mce_devices into dynamically allocated, and
properly frees them when they are removed from the system.  It solves
the warning messages on my laptop here.

Reported-by: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Tested-by: Djalal Harouni <tixxdz@opendz.org>
Cc: Kay Sievers <kay.sievers@vrfy.org>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Borislav Petkov <bp@amd64.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* 'fixes' of git://ftp.arm.linux.org.uk/pub/linux/arm/kernel/git-cur/linux-arm:
  ARM: sa11x0: assabet: fix build warning
  ARM: Add arm_memblock_steal() to allocate memory away from the kernel
  ARM: 7275/1: LPAE: Check the CPU support for the long descriptor format
  ARM: 7274/1: NUC900: Rename nuc900-audio platform device to nuc900-ac97
  ARM: 7272/1: S3C24XX: Fix build error for missing <mach/system-reset.h>
  ARM: 7271/1: Fix typo in conversion of ARCH_NR_GPIOS to Kconfig

NFS client bugfixes and cleanups for Linux 3.3 (pull 2)

* tag 'nfs-for-3.3-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
  pnfsblock: alloc short extent before submit bio
  pnfsblock: remove rpc_call_ops from struct parallel_io
  pnfsblock: move find lock page logic out of bl_write_pagelist
  pnfsblock: cleanup bl_mark_sectors_init
  pnfsblock: limit bio page count
  pnfsblock: don't spinlock when freeing block_dev
  pnfsblock: clean up _add_entry
  pnfsblock: set read/write tk_status to pnfs_error
  pnfsblock: acquire im_lock in _preload_range
  NFS4: fix compile warnings in nfs4proc.c
  nfs: check for integer overflow in decode_devicenotify_args()
  NFS: cleanup endian type in decode_ds_addr()
  NFS: add an endian notation

* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging:
  hwmon: (sysfs-interface) Update tempX_type attribute to be more generic
  hwmon: (adm1031) Fix coding style issues
  hwmon: (it87) Add IT8728F support
  hwmon: (coretemp) Add missing section annotations
  hwmon: (lm90) Add range check to set_update_interval
  hwmon: (lm63) Support extended lookup table of LM96163
  hwmon: (lm63) Expose automatic fan speed control lookup table
  hwmon: (lm63) Fix incorrect comment about I2C address
  hwmon: (lm63) LM64 has a dedicated pin for tachometer
  hwmon: (lm63) Add sensor type attribute for external sensor on LM96163
  hwmon: (lm63) Add support for update_interval sysfs attribute
  hwmon: (lm63) Add support for writing the external critical temperature
  hwmon: (lm63) Add support for unsigned upper temperature limits
  hwmon: (lm63) Add support for LM96163
  hwmon: (lm63) Add support for external temperature offset register
  hwmon: (lm63) Fix checkpatch errors
  hwmon: (max1111) Change sysfs interface to in[0-3]_input in millivolts

* 'pm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  PM / Hibernate: Drop the check of swap space size for compressed image
  PM / shmobile: fix A3SP suspend method
  PM / Domains: Skip governor functions for CONFIG_PM_RUNTIME unset
  PM / Domains: Fix build for CONFIG_PM_SLEEP unset
  PM: Make sysrq-o be available for CONFIG_PM unset

* 'misc' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
  scripts/coccinelle: improve the coverage of some semantic patches
  coccinelle: semantic patches related to devm_ functions (part 2)
  coccinelle: semantic patches related to devm_ functions (part 1)
  coccinelle.txt: update documentation to include M= option
  coccicheck: add M= option to control which dir is processed
  ctags: remove struct forward declarations
  scripts/tags.sh: Add Page flag function magic

* 'kconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
  menuconfig: fix a regression when canceling the prompt dialog at exit
  kbuild: Fix compiler warning with assertion when calling 'fwrite'
  Improve update-po-config output
  menuconfig: let make not report error when not save configuration
  merge_config.sh: fix bug in final check
  merge_config.sh: whitespace cleanup
  merge_config.sh: use signal names compatible with dash and bash
  kconfig: add merge_config.sh script
  kconfig: use xfwrite wrapper function to silence warnings
  kconfig: fix set but not used warnings
  kconfig: fix warnings by specifing format arguments

* 'kbuild' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
  Kbuild: Use dtc's -d (dependency) option
  dtc: Implement -d option to write out a dependency file
  kbuild: Fix comment in Makefile.lib
  scripts/genksyms: clean lex/yacc generated files
  kbuild: Correctly deal with make options which contain an "s"

Since a32618d2

 (ARM: pgtable: switch to use pgtable-nopud.h), assabet
warns as follows:

arch/arm/mach-sa1100/assabet.c: In function 'map_sa1100_gpio_regs':
arch/arm/mach-sa1100/assabet.c:264: warning: passing argument 1 of 'pmd_offset' from incompatible pointer type

Fix this by adding the necessary pud_offset() macro.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

The temp[1-*]_type attribute reports the temperature sensor type. Sensor type 1
is described as "PII/Celeron Diode", which is quite restrictive; other CPUs
may also have an embedded temperature sensor diode with similar characteristics.
Change description to "CPU embedded diode" to be more generic.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

Fix almost all coding style issues except for the multi-line macro errors,
which do not really apply since the macros are not multi-line statements
but declarations.

Based on merged patch series from Zac Storer; fixed remaining checkpatch
errors and warnings.

Cc: Zac Storer <zac.3.14159@gmail.com>
Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

Until we get a datasheet for the IT8728F, treat it as fully compatible
with the IT8721F, as it seems to work reasonably well.

This closes kernel bug #27262.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>

Many functions in the coretemp driver lack a proper section
annotation. Add them to let the kernel free the memory after
initialization when possible.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Durgadoss R <durgadoss.r@intel.com>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>

When writing the update_interval attribute, the parameter value was
not range checked, which could cause an integer overflow and result
in an arbitrary update interval. Fix by limiting the value range to
<0, 100000>.

Reported-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

The LM96163 has an extended lookup table with 12 entries instead of 8,
add support for that.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Tested-by: Guenter Roeck <guenter.roeck@ericsson.com>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>

The LM63 and compatible devices have a lookup table to control the fan
speed automatically. Expose it in sysfs. Values are cached for 5
seconds, independently of the other register values to avoid slowing
down "sensors". We might make the table values writable in the future.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Tested-by: Guenter Roeck <guenter.roeck@ericsson.com>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>

What was true of the LM63 doesn't apply to the LM64.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>

On the LM64, the tachometer function has a dedicated pin and fan speed
monitoring is always enabled.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>

On LM96163, the external temperature sensor type is configurable to
either a thermal diode or a 3904 transistor. The chip reports a wrong
temperature if misconfigured. Add writable attribute to support it.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

The update interval is configurable on LM63 and compatibles. Add
support for it.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

On LM64, the external critical temperature limit is always writable. On LM96163,
it is writable if the chip is configured for it. Add conditional support for
writing the register dependent on chip type and configuration.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

LM96163 supports unsigned upper limits for the external temperature sensor.
Add support for it.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

LM96163 is an enhanced version of LM63 with improved PWM resolution. Add chip
detection code as well as support for improved PWM resolution if the chip is
configured to use it.

Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Tested-by: Thierry Reding <thierry.reding@avionic-design.de>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

LM63 and compatibles support a temperature offset register for the external
temperature sensor. Add support for it.

Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Tested-by: Thierry Reding <thierry.reding@avionic-design.de>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

This patch fixed the inconsistent max1111 sysfs interface as pointed
out by Jean Delvare:

    It was pointed to me that the max1111 driver doesn't implement the
    standard sysfs interface for hwmon drivers (as described in
    Documentation/hwmon/sysfs-interface). It exports files adc[0-3]_in,
    which
    aren't part of the standard interface. Presumably these should be
    renamed to in[0-3]_input. Renaming them is probably not sufficient
    though, as I see no scaling done in the driver. As the MAX1111 chip has
    a documented full scale of 2.048V, I take it that the LSB of the ADC
    has a weight of 8 mV. Exporting raw register values to user-space is
    not OK.

Reported-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Eric Miao <eric.y.miao@gmail.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

When we are initializing using arch_get_random_long() we only need to
loop enough times to touch all the bytes in the buffer; using
poolwords for that does twice the number of operations necessary on a
64-bit machine, since in the random number generator code "word" means
32 bits.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Cc: "Theodore Ts'o" <tytso@mit.edu>
Link: http://lkml.kernel.org/r/1324589281-31931-1-git-send-email-tytso@mit.edu

If there is an architecture-specific random number generator (such as
RDRAND for Intel architectures), use it to initialize /dev/random's
entropy stores.  Even in the worst case, if RDRAND is something like
AES(NSA_KEY, counter++), it won't hurt, and it will definitely help
against any other adversaries.

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Link: http://lkml.kernel.org/r/1324589281-31931-1-git-send-email-tytso@mit.edu
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>

This commit fixes a bug, while introducing a new one..

commit 7203ddbd4be9720649e47d756a001e0c7d7f8ae2
Author: Wang YanQing <udknight@gmail.com>
Date:   Thu Jan 12 11:31:32 2012 +0800

    menuconfig: let make not report error when not save configuration

Pressing ESC should cancel the yes/no dialog and return back to
the main menu, but not exit from menuconfig.

Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Acked-by: Wang YanQing <udknight@gmail.com>
Signed-off-by: Michal Marek <mmarek@suse.cz>