17 files changed, 98 insertions, 105 deletions

diff --git a/Documentation/devices.txt b/Documentation/devices.txt
index 8de132a02ba9..6c46730c631a 100644
--- a/Documentation/devices.txt
+++ b/Documentation/devices.txt
@@ -94,6 +94,8 @@ Your cooperation is appreciated.
                   9 = /dev/urandom      Faster, less secure random number gen.
                  10 = /dev/aio          Asynchronous I/O notification interface
                  11 = /dev/kmsg         Writes to this come out as printk's
+                 12 = /dev/oldmem       Used by crashdump kernels to access
+                                        the memory of the kernel that crashed.
 
   1 block       RAM disk
                   0 = /dev/ram0         First RAM disk
diff --git a/arch/arm/kernel/bios32.c b/arch/arm/kernel/bios32.c
index 240c448ec31c..a2dd930d11ef 100644
--- a/arch/arm/kernel/bios32.c
+++ b/arch/arm/kernel/bios32.c
@@ -338,7 +338,7 @@ pbus_assign_bus_resources(struct pci_bus *bus, struct pci_sys_data *root)
  * pcibios_fixup_bus - Called after each bus is probed,
  * but before its children are examined.
  */
-void __devinit pcibios_fixup_bus(struct pci_bus *bus)
+void pcibios_fixup_bus(struct pci_bus *bus)
 {
         struct pci_sys_data *root = bus->sysdata;
         struct pci_dev *dev;
@@ -419,7 +419,7 @@ void __devinit pcibios_fixup_bus(struct pci_bus *bus)
 /*
  * Convert from Linux-centric to bus-centric addresses for bridge devices.
  */
-void __devinit
+void
 pcibios_resource_to_bus(struct pci_dev *dev, struct pci_bus_region *region,
                          struct resource *res)
 {
diff --git a/arch/x86_64/vdso/voffset.h b/arch/x86_64/vdso/voffset.h
index 5304204911f2..4af67c79085f 100644
--- a/arch/x86_64/vdso/voffset.h
+++ b/arch/x86_64/vdso/voffset.h
@@ -1 +1 @@
-#define VDSO_TEXT_OFFSET 0x500
+#define VDSO_TEXT_OFFSET 0x600
diff --git a/drivers/char/vt_ioctl.c b/drivers/char/vt_ioctl.c
index c6f6f4209739..c799b7f7bbb3 100644
--- a/drivers/char/vt_ioctl.c
+++ b/drivers/char/vt_ioctl.c
@@ -770,6 +770,7 @@ int vt_ioctl(struct tty_struct *tty, struct file * file,
                 /*
                  * Switching-from response
                  */
+                acquire_console_sem();
                 if (vc->vt_newvt >= 0) {
                         if (arg == 0)
                                 /*
@@ -784,7 +785,6 @@ int vt_ioctl(struct tty_struct *tty, struct file * file,
                                  * complete the switch.
                                  */
                                 int newvt;
-                                acquire_console_sem();
                                 newvt = vc->vt_newvt;
                                 vc->vt_newvt = -1;
                                 i = vc_allocate(newvt);
@@ -798,7 +798,6 @@ int vt_ioctl(struct tty_struct *tty, struct file * file,
                                  * other console switches..
                                  */
                                 complete_change_console(vc_cons[newvt].d);
-                                release_console_sem();
                         }
                 }
 
@@ -810,9 +809,12 @@ int vt_ioctl(struct tty_struct *tty, struct file * file,
                         /*
                          * If it's just an ACK, ignore it
                          */
-                        if (arg != VT_ACKACQ)
+                        if (arg != VT_ACKACQ) {
+                                release_console_sem();
                                 return -EINVAL;
+                        }
                 }
+                release_console_sem();
 
                 return 0;
 
@@ -1208,15 +1210,18 @@ void change_console(struct vc_data *new_vc)
                 /*
                  * Send the signal as privileged - kill_pid() will
                  * tell us if the process has gone or something else
-                 * is awry
+                 * is awry.
+                 *
+                 * We need to set vt_newvt *before* sending the signal or we
+                 * have a race.
                  */
+                vc->vt_newvt = new_vc->vc_num;
                 if (kill_pid(vc->vt_pid, vc->vt_mode.relsig, 1) == 0) {
                         /*
                          * It worked. Mark the vt to switch to and
                          * return. The process needs to send us a
                          * VT_RELDISP ioctl to complete the switch.
                          */
-                        vc->vt_newvt = new_vc->vc_num;
                         return;
                 }
 
diff --git a/drivers/media/video/ivtv/ivtv-fileops.c b/drivers/media/video/ivtv/ivtv-fileops.c
index 0285c4a830eb..66ea3cbc369c 100644
--- a/drivers/media/video/ivtv/ivtv-fileops.c
+++ b/drivers/media/video/ivtv/ivtv-fileops.c
@@ -754,9 +754,11 @@ static void ivtv_stop_decoding(struct ivtv_open_id *id, int flags, u64 pts)
                 ivtv_yuv_close(itv);
         }
         if (s->type == IVTV_DEC_STREAM_TYPE_YUV && itv->output_mode == OUT_YUV)
-            itv->output_mode = OUT_NONE;
+                itv->output_mode = OUT_NONE;
+        else if (s->type == IVTV_DEC_STREAM_TYPE_YUV && itv->output_mode == OUT_UDMA_YUV)
+                itv->output_mode = OUT_NONE;
         else if (s->type == IVTV_DEC_STREAM_TYPE_MPG && itv->output_mode == OUT_MPG)
-            itv->output_mode = OUT_NONE;
+                itv->output_mode = OUT_NONE;
 
         itv->speed = 0;
         clear_bit(IVTV_F_I_DEC_PAUSED, &itv->i_flags);
diff --git a/drivers/net/mv643xx_eth.c b/drivers/net/mv643xx_eth.c
index 456d1e1c98bd..34288fe038c3 100644
--- a/drivers/net/mv643xx_eth.c
+++ b/drivers/net/mv643xx_eth.c
@@ -534,7 +534,7 @@ static irqreturn_t mv643xx_eth_int_handler(int irq, void *dev_id)
         }
 
         /* PHY status changed */
-        if (eth_int_cause_ext & ETH_INT_CAUSE_PHY) {
+        if (eth_int_cause_ext & (ETH_INT_CAUSE_PHY | ETH_INT_CAUSE_STATE)) {
                 struct ethtool_cmd cmd;
 
                 if (mii_link_ok(&mp->mii)) {
diff --git a/drivers/net/mv643xx_eth.h b/drivers/net/mv643xx_eth.h
index 82f8c0cbfb64..565b96696aca 100644
--- a/drivers/net/mv643xx_eth.h
+++ b/drivers/net/mv643xx_eth.h
@@ -64,7 +64,9 @@
 #define ETH_INT_CAUSE_TX_ERROR  (ETH_TX_QUEUES_ENABLED << 8)
 #define ETH_INT_CAUSE_TX        (ETH_INT_CAUSE_TX_DONE | ETH_INT_CAUSE_TX_ERROR)
 #define ETH_INT_CAUSE_PHY       0x00010000
-#define ETH_INT_UNMASK_ALL_EXT  (ETH_INT_CAUSE_TX | ETH_INT_CAUSE_PHY)
+#define ETH_INT_CAUSE_STATE     0x00100000
+#define ETH_INT_UNMASK_ALL_EXT  (ETH_INT_CAUSE_TX | ETH_INT_CAUSE_PHY | \
+                                        ETH_INT_CAUSE_STATE)
 
 #define ETH_INT_MASK_ALL        0x00000000
 #define ETH_INT_MASK_ALL_EXT    0x00000000
diff --git a/drivers/net/wireless/Makefile b/drivers/net/wireless/Makefile
index ef35bc6c4a22..4eb6d9752881 100644
--- a/drivers/net/wireless/Makefile
+++ b/drivers/net/wireless/Makefile
@@ -43,7 +43,7 @@ obj-$(CONFIG_PCMCIA_RAYCS)	+= ray_cs.o
 obj-$(CONFIG_PCMCIA_WL3501)     += wl3501_cs.o
 
 obj-$(CONFIG_USB_ZD1201)        += zd1201.o
-obj-$(CONFIG_LIBERTAS_USB)     += libertas/
+obj-$(CONFIG_LIBERTAS)          += libertas/
 
 rtl8187-objs            := rtl8187_dev.o rtl8187_rtl8225.o
 obj-$(CONFIG_RTL8187)   += rtl8187.o
diff --git a/fs/splice.c b/fs/splice.c
index c010a72ca2d2..e95a36228863 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1224,6 +1224,33 @@ static long do_splice(struct file *in, loff_t __user *off_in,
 }
 
 /*
+ * Do a copy-from-user while holding the mmap_semaphore for reading, in a
+ * manner safe from deadlocking with simultaneous mmap() (grabbing mmap_sem
+ * for writing) and page faulting on the user memory pointed to by src.
+ * This assumes that we will very rarely hit the partial != 0 path, or this
+ * will not be a win.
+ */
+static int copy_from_user_mmap_sem(void *dst, const void __user *src, size_t n)
+{
+        int partial;
+
+        pagefault_disable();
+        partial = __copy_from_user_inatomic(dst, src, n);
+        pagefault_enable();
+
+        /*
+         * Didn't copy everything, drop the mmap_sem and do a faulting copy
+         */
+        if (unlikely(partial)) {
+                up_read(&current->mm->mmap_sem);
+                partial = copy_from_user(dst, src, n);
+                down_read(&current->mm->mmap_sem);
+        }
+
+        return partial;
+}
+
+/*
  * Map an iov into an array of pages and offset/length tupples. With the
  * partial_page structure, we can map several non-contiguous ranges into
  * our ones pages[] map instead of splitting that operation into pieces.
@@ -1236,31 +1263,26 @@ static int get_iovec_page_array(const struct iovec __user *iov,
 {
         int buffers = 0, error = 0;
 
-        /*
-         * It's ok to take the mmap_sem for reading, even
-         * across a "get_user()".
-         */
         down_read(&current->mm->mmap_sem);
 
         while (nr_vecs) {
                 unsigned long off, npages;
+                struct iovec entry;
                 void __user *base;
                 size_t len;
                 int i;
 
-                /*
-                 * Get user address base and length for this iovec.
-                 */
-                error = get_user(base, &iov->iov_base);
-                if (unlikely(error))
-                        break;
-                error = get_user(len, &iov->iov_len);
-                if (unlikely(error))
+                error = -EFAULT;
+                if (copy_from_user_mmap_sem(&entry, iov, sizeof(entry)))
                         break;
 
+                base = entry.iov_base;
+                len = entry.iov_len;
+
                 /*
                  * Sanity check this iovec. 0 read succeeds.
                  */
+                error = 0;
                 if (unlikely(!len))
                         break;
                 error = -EFAULT;
diff --git a/fs/xfs/xfs_buf_item.h b/fs/xfs/xfs_buf_item.h
index fa25b7dcc6c3..d7e136143066 100644
--- a/fs/xfs/xfs_buf_item.h
+++ b/fs/xfs/xfs_buf_item.h
@@ -52,11 +52,6 @@ typedef struct xfs_buf_log_format_t {
 #define XFS_BLI_UDQUOT_BUF      0x4
 #define XFS_BLI_PDQUOT_BUF      0x8
 #define XFS_BLI_GDQUOT_BUF      0x10
-/*
- * This flag indicates that the buffer contains newly allocated
- * inodes.
- */
-#define XFS_BLI_INODE_NEW_BUF   0x20
 
 #define XFS_BLI_CHUNK           128
 #define XFS_BLI_SHIFT           7
diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
index 7174991f4bef..8ae6e8e5f3db 100644
--- a/fs/xfs/xfs_log_recover.c
+++ b/fs/xfs/xfs_log_recover.c
@@ -1874,7 +1874,6 @@ xlog_recover_do_inode_buffer(
 /*ARGSUSED*/
 STATIC void
 xlog_recover_do_reg_buffer(
-        xfs_mount_t             *mp,
         xlog_recover_item_t     *item,
         xfs_buf_t               *bp,
         xfs_buf_log_format_t    *buf_f)
@@ -1885,50 +1884,6 @@ xlog_recover_do_reg_buffer(
         unsigned int            *data_map = NULL;
         unsigned int            map_size = 0;
         int                     error;
-        int                     stale_buf = 1;
-
-        /*
-         * Scan through the on-disk inode buffer and attempt to
-         * determine if it has been written to since it was logged.
-         *
-         * - If any of the magic numbers are incorrect then the buffer is stale
-         * - If any of the modes are non-zero then the buffer is not stale
-         * - If all of the modes are zero and at least one of the generation
-         *   counts is non-zero then the buffer is stale
-         *
-         * If the end result is a stale buffer then the log buffer is replayed
-         * otherwise it is skipped.
-         *
-         * This heuristic is not perfect.  It can be improved by scanning the
-         * entire inode chunk for evidence that any of the inode clusters have
-         * been updated.  To fix this problem completely we will need a major
-         * architectural change to the logging system.
-         */
-        if (buf_f->blf_flags & XFS_BLI_INODE_NEW_BUF) {
-                xfs_dinode_t    *dip;
-                int             inodes_per_buf;
-                int             mode_count = 0;
-                int             gen_count = 0;
-
-                stale_buf = 0;
-                inodes_per_buf = XFS_BUF_COUNT(bp) >> mp->m_sb.sb_inodelog;
-                for (i = 0; i < inodes_per_buf; i++) {
-                        dip = (xfs_dinode_t *)xfs_buf_offset(bp,
-                                i * mp->m_sb.sb_inodesize);
-                        if (be16_to_cpu(dip->di_core.di_magic) !=
-                                        XFS_DINODE_MAGIC) {
-                                stale_buf = 1;
-                                break;
-                        }
-                        if (dip->di_core.di_mode)
-                                mode_count++;
-                        if (dip->di_core.di_gen)
-                                gen_count++;
-                }
-
-                if (!mode_count && gen_count)
-                        stale_buf = 1;
-        }
 
         switch (buf_f->blf_type) {
         case XFS_LI_BUF:
@@ -1962,7 +1917,7 @@ xlog_recover_do_reg_buffer(
                                                -1, 0, XFS_QMOPT_DOWARN,
                                                "dquot_buf_recover");
                 }
-                if (!error && stale_buf)
+                if (!error)
                         memcpy(xfs_buf_offset(bp,
                                 (uint)bit << XFS_BLI_SHIFT),    /* dest */
                                 item->ri_buf[i].i_addr,         /* source */
@@ -2134,7 +2089,7 @@ xlog_recover_do_dquot_buffer(
         if (log->l_quotaoffs_flag & type)
                 return;
 
-        xlog_recover_do_reg_buffer(mp, item, bp, buf_f);
+        xlog_recover_do_reg_buffer(item, bp, buf_f);
 }
 
 /*
@@ -2235,7 +2190,7 @@ xlog_recover_do_buffer_trans(
                   (XFS_BLI_UDQUOT_BUF|XFS_BLI_PDQUOT_BUF|XFS_BLI_GDQUOT_BUF)) {
                 xlog_recover_do_dquot_buffer(mp, log, item, bp, buf_f);
         } else {
-                xlog_recover_do_reg_buffer(mp, item, bp, buf_f);
+                xlog_recover_do_reg_buffer(item, bp, buf_f);
         }
         if (error)
                 return XFS_ERROR(error);
diff --git a/fs/xfs/xfs_trans_buf.c b/fs/xfs/xfs_trans_buf.c
index 95fff6872a2f..60b6b898022b 100644
--- a/fs/xfs/xfs_trans_buf.c
+++ b/fs/xfs/xfs_trans_buf.c
@@ -966,7 +966,6 @@ xfs_trans_inode_alloc_buf(
         ASSERT(atomic_read(&bip->bli_refcount) > 0);
 
         bip->bli_flags |= XFS_BLI_INODE_ALLOC_BUF;
-        bip->bli_format.blf_flags |= XFS_BLI_INODE_NEW_BUF;
 }
 
 
diff --git a/include/asm-i386/system.h b/include/asm-i386/system.h
index 609756c61676..d69ba937e092 100644
--- a/include/asm-i386/system.h
+++ b/include/asm-i386/system.h
@@ -214,11 +214,6 @@ static inline unsigned long get_limit(unsigned long segment)
  */
  
 
-/* 
- * Actually only lfence would be needed for mb() because all stores done 
- * by the kernel should be already ordered. But keep a full barrier for now. 
- */
-
 #define mb() alternative("lock; addl $0,0(%%esp)", "mfence", X86_FEATURE_XMM2)
 #define rmb() alternative("lock; addl $0,0(%%esp)", "lfence", X86_FEATURE_XMM2)
 
diff --git a/kernel/futex.c b/kernel/futex.c
index e8935b195e88..fcc94e7b4086 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1943,9 +1943,10 @@ static inline int fetch_robust_entry(struct robust_list __user **entry,
 void exit_robust_list(struct task_struct *curr)
 {
         struct robust_list_head __user *head = curr->robust_list;
-        struct robust_list __user *entry, *pending;
-        unsigned int limit = ROBUST_LIST_LIMIT, pi, pip;
+        struct robust_list __user *entry, *next_entry, *pending;
+        unsigned int limit = ROBUST_LIST_LIMIT, pi, next_pi, pip;
         unsigned long futex_offset;
+        int rc;
 
         /*
          * Fetch the list head (which was registered earlier, via
@@ -1965,12 +1966,14 @@ void exit_robust_list(struct task_struct *curr)
         if (fetch_robust_entry(&pending, &head->list_op_pending, &pip))
                 return;
 
-        if (pending)
-                handle_futex_death((void __user *)pending + futex_offset,
-                                   curr, pip);
-
+        next_entry = NULL;      /* avoid warning with gcc */
         while (entry != &head->list) {
                 /*
+                 * Fetch the next entry in the list before calling
+                 * handle_futex_death:
+                 */
+                rc = fetch_robust_entry(&next_entry, &entry->next, &next_pi);
+                /*
                  * A pending lock might already be on the list, so
                  * don't process it twice:
                  */
@@ -1978,11 +1981,10 @@ void exit_robust_list(struct task_struct *curr)
                         if (handle_futex_death((void __user *)entry + futex_offset,
                                                 curr, pi))
                                 return;
-                /*
-                 * Fetch the next entry in the list:
-                 */
-                if (fetch_robust_entry(&entry, &entry->next, &pi))
+                if (rc)
                         return;
+                entry = next_entry;
+                pi = next_pi;
                 /*
                  * Avoid excessively long or circular lists:
                  */
@@ -1991,6 +1993,10 @@ void exit_robust_list(struct task_struct *curr)
 
                 cond_resched();
         }
+
+        if (pending)
+                handle_futex_death((void __user *)pending + futex_offset,
+                                   curr, pip);
 }
 
 long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
index 7e52eb051f22..2c2e2954b713 100644
--- a/kernel/futex_compat.c
+++ b/kernel/futex_compat.c
@@ -38,10 +38,11 @@ fetch_robust_entry(compat_uptr_t *uentry, struct robust_list __user **entry,
 void compat_exit_robust_list(struct task_struct *curr)
 {
         struct compat_robust_list_head __user *head = curr->compat_robust_list;
-        struct robust_list __user *entry, *pending;
-        unsigned int limit = ROBUST_LIST_LIMIT, pi, pip;
-        compat_uptr_t uentry, upending;
+        struct robust_list __user *entry, *next_entry, *pending;
+        unsigned int limit = ROBUST_LIST_LIMIT, pi, next_pi, pip;
+        compat_uptr_t uentry, next_uentry, upending;
         compat_long_t futex_offset;
+        int rc;
 
         /*
          * Fetch the list head (which was registered earlier, via
@@ -61,11 +62,16 @@ void compat_exit_robust_list(struct task_struct *curr)
         if (fetch_robust_entry(&upending, &pending,
                                &head->list_op_pending, &pip))
                 return;
-        if (pending)
-                handle_futex_death((void __user *)pending + futex_offset, curr, pip);
 
+        next_entry = NULL;      /* avoid warning with gcc */
         while (entry != (struct robust_list __user *) &head->list) {
                 /*
+                 * Fetch the next entry in the list before calling
+                 * handle_futex_death:
+                 */
+                rc = fetch_robust_entry(&next_uentry, &next_entry,
+                        (compat_uptr_t __user *)&entry->next, &next_pi);
+                /*
                  * A pending lock might already be on the list, so
                  * dont process it twice:
                  */
@@ -74,12 +80,11 @@ void compat_exit_robust_list(struct task_struct *curr)
                                                 curr, pi))
                                 return;
 
-                /*
-                 * Fetch the next entry in the list:
-                 */
-                if (fetch_robust_entry(&uentry, &entry,
-                                       (compat_uptr_t __user *)&entry->next, &pi))
+                if (rc)
                         return;
+                uentry = next_uentry;
+                entry = next_entry;
+                pi = next_pi;
                 /*
                  * Avoid excessively long or circular lists:
                  */
@@ -88,6 +93,9 @@ void compat_exit_robust_list(struct task_struct *curr)
 
                 cond_resched();
         }
+        if (pending)
+                handle_futex_death((void __user *)pending + futex_offset,
+                                   curr, pip);
 }
 
 asmlinkage long
diff --git a/kernel/sys.c b/kernel/sys.c
index 1b33b05d346b..8ae2e636eb1b 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -32,6 +32,7 @@
 #include <linux/getcpu.h>
 #include <linux/task_io_accounting_ops.h>
 #include <linux/seccomp.h>
+#include <linux/cpu.h>
 
 #include <linux/compat.h>
 #include <linux/syscalls.h>
@@ -878,6 +879,7 @@ void kernel_power_off(void)
         kernel_shutdown_prepare(SYSTEM_POWER_OFF);
         if (pm_power_off_prepare)
                 pm_power_off_prepare();
+        disable_nonboot_cpus();
         sysdev_shutdown();
         printk(KERN_EMERG "Power down.\n");
         machine_power_off();
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 84c795ee2d65..eab8c428cc93 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -42,7 +42,7 @@ static void clear_huge_page(struct page *page, unsigned long addr)
         might_sleep();
         for (i = 0; i < (HPAGE_SIZE/PAGE_SIZE); i++) {
                 cond_resched();
-                clear_user_highpage(page + i, addr);
+                clear_user_highpage(page + i, addr + i * PAGE_SIZE);
         }
 }