Permalink
Commits on Oct 13, 2012
  1. Merge branch 'configs-3.6' into pf-3.6

    Oleksandr Natalenko
    Oleksandr Natalenko committed Oct 13, 2012
  2. configs-3.6: update dell-vostro-3360.config

    Oleksandr Natalenko
    Oleksandr Natalenko committed Oct 13, 2012
  3. Merge branch 'distro-3.6' into pf-3.6

    Oleksandr Natalenko
    Oleksandr Natalenko committed Oct 13, 2012
  4. Merge branch 'version-3.6' into pf-3.6

    Oleksandr Natalenko
    Oleksandr Natalenko committed Oct 13, 2012
  5. distro-3.6: bump to v3.6.3-pf

    Oleksandr Natalenko
    Oleksandr Natalenko committed Oct 13, 2012
  6. version-3.6: bump to v3.6.3-pf

    Oleksandr Natalenko
    Oleksandr Natalenko committed Oct 13, 2012
  7. Merge branch 'ck-3.6' into pf-3.6

    Oleksandr Natalenko
    Oleksandr Natalenko committed Oct 13, 2012
  8. ck-3.6: update -ck patchset to official one

    Oleksandr Natalenko
    Oleksandr Natalenko committed Oct 13, 2012
  9. Merge branch 'uksm-3.6' into pf-3.6

    Oleksandr Natalenko
    Oleksandr Natalenko committed Oct 13, 2012
  10. uksm-3.6: update UKSM to official release for Linux 3.6 kernel

    Oleksandr Natalenko
    Oleksandr Natalenko committed Oct 13, 2012
Commits on Oct 12, 2012
  1. fix merge coflict

    Oleksandr Natalenko
    Oleksandr Natalenko committed Oct 12, 2012
  2. Linux 3.6.2

    gregkh committed Oct 12, 2012
  3. Convert properly UTF-8 to UTF-16

    freddy77 authored and gregkh committed Aug 7, 2012
    commit fd3ba42 upstream.
    
    wchar_t is currently 16bit so converting a utf8 encoded characters not
    in plane 0 (>= 0x10000) to wchar_t (that is calling char2uni) lead to a
    -EINVAL return. This patch detect utf8 in cifs_strtoUTF16 and add special
    code calling utf8s_to_utf16s.
    
    Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
    Acked-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Steve French <smfrench@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  4. cifs: reinstate the forcegid option

    jtlayton authored and gregkh committed Oct 3, 2012
    commit 72bd481 upstream.
    
    Apparently this was lost when we converted to the standard option
    parser in 8830d7e
    
    Reported-by: Gregory Lee Bartholomew <gregory.lee.bartholomew@gmail.com>
    Cc: Sachin Prabhu <sprabhu@redhat.com>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Steve French <smfrench@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  5. JFFS2: don't fail on bitflips in OOB

    computersforpeace authored and gregkh committed Aug 31, 2012
    commit 74d83be upstream.
    
    JFFS2 was designed without thought for OOB bitflips, it seems, but they
    can occur and will be reported to JFFS2 via mtd_read_oob()[1]. We don't
    want to fail on these transactions, since the data was corrected.
    
    [1] Few drivers report bitflips for OOB-only transactions. With such
        drivers, this patch should have no effect.
    
    Signed-off-by: Brian Norris <computersforpeace@gmail.com>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  6. JFFS2: fix unmount regression

    dedekind authored and gregkh committed Aug 23, 2012
    commit a445f78 upstream.
    
    This patch fixes regression introduced by
    "8bdc81c jffs2: get rid of jffs2_sync_super". We submit a delayed work in order
    to make sure the write-buffer is synchronized at some point. But we do not
    flush it when we unmount, which causes an oops when we unmount the file-system
    and then the delayed work is executed.
    
    This patch fixes the issue by adding a "cancel_delayed_work_sync()" infocation
    in the '->sync_fs()' handler. This will make sure the delayed work is canceled
    on sync, unmount and re-mount. And because VFS always callse 'sync_fs()' before
    unmounting or remounting, this fixes the issue.
    
    Reported-by: Ludovic Desroches <ludovic.desroches@atmel.com>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Tested-by: Ludovic Desroches <ludovic.desroches@atmel.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  7. mmc: sh-mmcif: avoid oops on spurious interrupts

    lyakh authored and gregkh committed Sep 18, 2012
    commit 8464dd5 upstream.
    
    On some systems, e.g., kzm9g, MMCIF interfaces can produce spurious
    interrupts without any active request. To prevent the Oops, that results
    in such cases, don't dereference the mmc request pointer until we make
    sure, that we are indeed processing such a request.
    
    Reported-by: Tetsuyuki Kobayashi <koba@kmckk.co.jp>
    Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
    Signed-off-by: Chris Ball <cjb@laptop.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  8. mmc: slot-gpio: Fix missing assignment to ctx->ro_gpio

    cjb authored and gregkh committed Sep 10, 2012
    commit 15e8a8e upstream.
    
    mmc_gpio_request_ro() doesn't store the requested gpio in ctx->ro_gpio.
    As a result, subsequent calls to mmc_gpio_get_ro() will always fail
    with -ENOSYS because the gpio number isn't available to that function.
    
    Acked-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
    Signed-off-by: Chris Ball <cjb@laptop.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  9. mmc: omap_hsmmc: Pass on the suspend failure to the PM core

    VaibhavBedia-xx authored and gregkh committed Sep 13, 2012
    commit c4c8eeb upstream.
    
    In some cases mmc_suspend_host() is not able to claim the
    host and proceed with the suspend process. The core returns
    -EBUSY to the host controller driver. Unfortunately, the
    host controller driver does not pass on this information
    to the PM core and hence the system suspend process continues.
    
    	ret = mmc_suspend_host(host->mmc);
    	if (ret) {
    		host->suspended = 0;
    		if (host->pdata->resume) {
    			ret = host->pdata->resume(dev, host->slot_id);
    
    The return status from mmc_suspend_host() is overwritten by return
    status from host->pdata->resume. So the original return status is lost.
    
    In these cases the MMC core gets to an unexpected state
    during resume and multiple issues related to MMC crop up.
    1. Host controller driver starts accessing the device registers
    before the clocks are enabled which leads to a prefetch abort.
    2. A file copy thread which was launched before suspend gets
    stuck due to the host not being reclaimed during resume.
    
    To avoid such problems pass on the -EBUSY status to the PM core
    from the host controller driver. With this change, MMC core
    suspend might still fail but it does not end up making the
    system unusable. Suspend gets aborted and the user can try
    suspending the system again.
    
    Signed-off-by: Vaibhav Bedia <vaibhav.bedia@ti.com>
    Signed-off-by: Hebbar, Gururaja <gururaja.hebbar@ti.com>
    Acked-by: Venkatraman S <svenkatr@ti.com>
    Signed-off-by: Chris Ball <cjb@laptop.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  10. mtd: omap2: fix module loading

    Andreas Bießmann authored and gregkh committed Aug 31, 2012
    commit 4d3d688 upstream.
    
    Unloading the omap2 nand driver missed to release the memory region which will
    result in not being able to request it again if one want to load the driver
    later on.
    
    This patch fixes following error when loading omap2 module after unloading:
    ---8<---
    ~ $ rmmod omap2
    ~ $ modprobe omap2
    [   37.420928] omap2-nand: probe of omap2-nand.0 failed with error -16
    ~ $
    --->8---
    
    This error was introduced in 67ce04b which
    was the first commit of this driver.
    
    Signed-off-by: Andreas Bießmann <andreas@biessmann.de>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  11. mtd: omap2: fix omap_nand_remove segfault

    Andreas Bießmann authored and gregkh committed Aug 31, 2012
    commit 7d9b110 upstream.
    
    Do not kfree() the mtd_info; it is handled in the mtd subsystem and
    already freed by nand_release(). Instead kfree() the struct
    omap_nand_info allocated in omap_nand_probe which was not freed before.
    
    This patch fixes following error when unloading the omap2 module:
    
    ---8<---
    ~ $ rmmod omap2
    ------------[ cut here ]------------
    kernel BUG at mm/slab.c:3126!
    Internal error: Oops - BUG: 0 [#1] PREEMPT ARM
    Modules linked in: omap2(-)
    CPU: 0    Not tainted  (3.6.0-rc3-00230-g155e36d-dirty #3)
    PC is at cache_free_debugcheck+0x2d4/0x36c
    LR is at kfree+0xc8/0x2ac
    pc : [<c01125a0>]    lr : [<c0112efc>]    psr: 200d0193
    sp : c521fe08  ip : c0e8ef90  fp : c521fe5c
    r10: bf0001fc  r9 : c521e000  r8 : c0d99c8c
    r7 : c661ebc0  r6 : c065d5a4  r5 : c65c4060  r4 : c78005c0
    r3 : 00000000  r2 : 00001000  r1 : c65c4000  r0 : 00000001
    Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 10c5387d  Table: 86694019  DAC: 00000015
    Process rmmod (pid: 549, stack limit = 0xc521e2f0)
    Stack: (0xc521fe08 to 0xc5220000)
    fe00:                   c008a874 c00bf44c c515c6d0 200d0193 c65c4860 c515c240
    fe20: c521fe3c c521fe30 c008a9c0 c008a854 c521fe5c c65c4860 c78005c0 bf0001fc
    fe40: c780ff40 a00d0113 c521e000 00000000 c521fe84 c521fe60 c0112efc c01122d8
    fe60: c65c4860 c0673778 c06737ac 00000000 00070013 00000000 c521fe9c c521fe88
    fe80: bf0001fc c0112e40 c0673778 bf001ca8 c521feac c521fea0 c02ca11c bf0001ac
    fea0: c521fec4 c521feb0 c02c82c4 c02ca100 c0673778 bf001ca8 c521fee4 c521fec8
    fec0: c02c8dd8 c02c8250 00000000 bf001ca8 bf001ca8 c0804ee0 c521ff04 c521fee8
    fee0: c02c804c c02c8d20 bf001924 00000000 bf001ca8 c521e000 c521ff1c c521ff08
    ff00: c02c950c c02c7fbc bf001d48 00000000 c521ff2c c521ff20 c02ca3a4 c02c94b8
    ff20: c521ff3c c521ff30 bf001938 c02ca394 c521ffa4 c521ff40 c009beb4 bf001930
    ff40: c521ff6c 70616d6f b6fe0032 c0014f84 70616d6f b6fe0032 00000081 60070010
    ff60: c521ff84 c521ff70 c008e1f4 c00bf328 0001a004 70616d6f c521ff94 0021ff88
    ff80: c008e368 0001a004 70616d6f b6fe0032 00000081 c0015028 00000000 c521ffa8
    ffa0: c0014dc0 c009bcd0 0001a004 70616d6f bec2ab38 00000880 bec2ab38 00000880
    ffc0: 0001a004 70616d6f b6fe0032 00000081 00000319 00000000 b6fe1000 00000000
    ffe0: bec2ab30 bec2ab20 00019f00 b6f539c0 60070010 bec2ab38 aaaaaaaa aaaaaaaa
    Backtrace:
    [<c01122cc>] (cache_free_debugcheck+0x0/0x36c) from [<c0112efc>] (kfree+0xc8/0x2ac)
    [<c0112e34>] (kfree+0x0/0x2ac) from [<bf0001fc>] (omap_nand_remove+0x5c/0x64 [omap2])
    [<bf0001a0>] (omap_nand_remove+0x0/0x64 [omap2]) from [<c02ca11c>] (platform_drv_remove+0x28/0x2c)
     r5:bf001ca8 r4:c0673778
    [<c02ca0f4>] (platform_drv_remove+0x0/0x2c) from [<c02c82c4>] (__device_release_driver+0x80/0xdc)
    [<c02c8244>] (__device_release_driver+0x0/0xdc) from [<c02c8dd8>] (driver_detach+0xc4/0xc8)
     r5:bf001ca8 r4:c0673778
    [<c02c8d14>] (driver_detach+0x0/0xc8) from [<c02c804c>] (bus_remove_driver+0x9c/0x104)
     r6:c0804ee0 r5:bf001ca8 r4:bf001ca8 r3:00000000
    [<c02c7fb0>] (bus_remove_driver+0x0/0x104) from [<c02c950c>] (driver_unregister+0x60/0x80)
     r6:c521e000 r5:bf001ca8 r4:00000000 r3:bf001924
    [<c02c94ac>] (driver_unregister+0x0/0x80) from [<c02ca3a4>] (platform_driver_unregister+0x1c/0x20)
     r5:00000000 r4:bf001d48
    [<c02ca388>] (platform_driver_unregister+0x0/0x20) from [<bf001938>] (omap_nand_driver_exit+0x14/0x1c [omap2])
    [<bf001924>] (omap_nand_driver_exit+0x0/0x1c [omap2]) from [<c009beb4>] (sys_delete_module+0x1f0/0x2ec)
    [<c009bcc4>] (sys_delete_module+0x0/0x2ec) from [<c0014dc0>] (ret_fast_syscall+0x0/0x48)
     r8:c0015028 r7:00000081 r6:b6fe0032 r5:70616d6f r4:0001a004
    Code: e1a00005 eb0d9172 e7f001f2 e7f001f2 (e7f001f2)
    ---[ end trace 6a30b24d8c0cc2ee ]---
    Segmentation fault
    --->8---
    
    This error was introduced in 67ce04b which
    was the first commit of this driver.
    
    Signed-off-by: Andreas Bießmann <andreas@biessmann.de>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  12. mtd: nand: Use the mirror BBT descriptor when reading its version

    shmull authored and gregkh committed Jun 10, 2012
    commit 7bb9c75 upstream.
    
    The code responsible for reading the version of the mirror bbt was
    incorrectly using the descriptor of the main bbt.
    
    Pass the mirror bbt descriptor to 'scan_read_raw' when reading the
    version of the mirror bbt.
    
    Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
    Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  13. mtd: nandsim: bugfix: fail if overridesize is too big

    rgenoud authored and gregkh committed Sep 12, 2012
    commit bb0a13a upstream.
    
    If override size is too big, the module was actually loaded instead of
    failing, because retval was not set.
    
    This lead to memory corruption with the use of the freed structs nandsim
    and nand_chip.
    
    Signed-off-by: Richard Genoud <richard.genoud@gmail.com>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  14. mtd: autcpu12-nvram: Fix compile breakage

    shcgit authored and gregkh committed Aug 15, 2012
    commit d1f55c6 upstream.
    
    Update driver autcpu12-nvram.c so it compiles; map_read32/map_write32
    no longer exist in the kernel so the driver is totally broken.
    Additionally, map_info name passed to simple_map_init is incorrect.
    
    Signed-off-by: Alexander Shiyan <shc_work@mail.ru>
    Acked-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  15. mtd: mtdpart: break it as soon as we parse out the partitions

    zyzii authored and gregkh committed Aug 18, 2012
    commit c51803d upstream.
    
    We may cause a memory leak when the @types has more then one parser.
    
    Take the `default_mtd_part_types` for example. The default_mtd_part_types has
    two parsers now: `cmdlinepart` and `ofpart`.
    
    Assume the following case:
    The kernel command line sets the partitions like:
    	#gpmi-nand:20m(boot),20m(kernel),1g(rootfs),-(user)
    But the devicetree file(such as arch/arm/boot/dts/imx28-evk.dts) also sets
    the same partitions as the kernel command line does.
    
    In the current code, the partitions parsed out by the `ofpart` will
    overwrite the @pparts which has already set by the `cmdlinepart` parser,
    and the the partitions parsed out by the `cmdlinepart` is missed.
    A memory leak occurs.
    
    So we should break the code as soon as we parse out the partitions,
    In actually, this patch makes a priority order between the parsers.
    If one parser has already parsed out the partitions successfully,
    it's no need to use another parser anymore.
    
    Signed-off-by: Huang Shijie <shijie8@gmail.com>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  16. ALSA: hda - Fix hang caused by race during suspend.

    Dylan Reid authored and gregkh committed Sep 28, 2012
    commit d17344b upstream.
    
    There was a race condition when the system suspends while hda_power_work
    is running in the work queue.  If system suspend (snd_hda_suspend)
    happens after the work queue releases power_lock but before it calls
    hda_call_codec_suspend,  codec_suspend runs with power_on=0, causing the
    codec to power up for register reads, and hanging when it calls
    cancel_delayed_work_sync from the running work queue.
    
    The call chain from the work queue will look like this:
    hda_power_work <<- power_on = 1, unlock, then power_on cleard by suspend
      hda_call_codec_suspend
        hda_set_power_state
          snd_hda_codec_read
            codec_exec_verb
              snd_hda_power_up
    	    snd_hda_power_save
    	      __snd_hda_power_up
    	        cancel_delayed_work_sync <<-- cancelling executing wq
    
    Fix this by waiting for the work queue to finish before starting suspend
    if suspend is not happening on the work queue.
    
    Signed-off-by: Dylan Reid <dgreid@chromium.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  17. asix: Adds support for Lenovo 10/100 USB dongle.

    qpfiffer authored and gregkh committed Sep 28, 2012
    commit 66dc81e upstream.
    
    This dongle ships with the X1 Carbon, and has an AX88772B
    usb to ethernet chip in it.
    
    Signed-off-by: Quinlan Pfiffer <qpfiffer@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  18. sched: Fix load avg vs. cpu-hotplug

    Peter Zijlstra authored and gregkh committed Sep 5, 2012
    commit 08bedae upstream.
    
    Commit f319da0 ("sched: Fix load avg vs cpu-hotplug") was an
    incomplete fix:
    
    In particular, the problem is that at the point it calls
    calc_load_migrate() nr_running := 1 (the stopper thread), so move the
    call to CPU_DEAD where we're sure that nr_running := 0.
    
    Also note that we can call calc_load_migrate() without serialization, we
    know the state of rq is stable since its cpu is dead, and we modify the
    global state using appropriate atomic ops.
    
    Suggested-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Link: http://lkml.kernel.org/r/1346882630.2600.59.camel@twins
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  19. em28xx: regression fix: use DRX-K sync firmware requests on em28xx

    Mauro Carvalho Chehab authored and gregkh committed Oct 2, 2012
    commit 2425bb3 upstream.
    
    As em28xx-dvb will always be initialized asynchronously, there's
    no need anymore for a separate thread to load the DRX-K firmware.
    
    Fixes a known regression with kernel 3.6 with tda18271 driver
    and asynchronous DRX-K firmware load.
    
    Antti tested it with the following hardware:
            Hauppauge WinTV HVR 930C
            MaxMedia UB425-TC
            PCTV QuatroStick nano (520e)
    
    Tested-by: Antti Palosaari <crope@iki.fi>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  20. efi: initialize efi.runtime_version to make query_variable_info/updat…

    Seiji Aguchi authored and gregkh committed Jul 24, 2012
    …e_capsule workable
    
    commit d6cf86d upstream.
    
    A value of efi.runtime_version is checked before calling
    update_capsule()/query_variable_info() as follows.
    But it isn't initialized anywhere.
    
    <snip>
    static efi_status_t virt_efi_query_variable_info(u32 attr,
                                                     u64 *storage_space,
                                                     u64 *remaining_space,
                                                     u64 *max_variable_size)
    {
            if (efi.runtime_version < EFI_2_00_SYSTEM_TABLE_REVISION)
                    return EFI_UNSUPPORTED;
    <snip>
    
    This patch initializes a value of efi.runtime_version at boot time.
    
    Signed-off-by: Seiji Aguchi <seiji.aguchi@hds.com>
    Acked-by: Matthew Garrett <mjg@redhat.com>
    Signed-off-by: Matt Fleming <matt.fleming@intel.com>
    Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  21. efi: Build EFI stub with EFI-appropriate options

    Matthew Garrett authored and gregkh committed Jul 26, 2012
    commit 9dead5b upstream.
    
    We can't assume the presence of the red zone while we're still in a boot
    services environment, so we should build with -fno-red-zone to avoid
    problems. Change the size of wchar at the same time to make string handling
    simpler.
    
    Signed-off-by: Matthew Garrett <mjg@redhat.com>
    Signed-off-by: Matt Fleming <matt.fleming@intel.com>
    Acked-by: Josh Boyer <jwboyer@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  22. mempolicy: fix a memory corruption by refcount imbalance in alloc_pag…

    Mel Gorman authored and gregkh committed Oct 8, 2012
    …es_vma()
    
    commit 00442ad upstream.
    
    Commit cc9a6c8 ("cpuset: mm: reduce large amounts of memory barrier
    related damage v3") introduced a potential memory corruption.
    shmem_alloc_page() uses a pseudo vma and it has one significant unique
    combination, vma->vm_ops=NULL and vma->policy->flags & MPOL_F_SHARED.
    
    get_vma_policy() does NOT increase a policy ref when vma->vm_ops=NULL
    and mpol_cond_put() DOES decrease a policy ref when a policy has
    MPOL_F_SHARED.  Therefore, when a cpuset update race occurs,
    alloc_pages_vma() falls in 'goto retry_cpuset' path, decrements the
    reference count and frees the policy prematurely.
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Reviewed-by: Christoph Lameter <cl@linux.com>
    Cc: Josh Boyer <jwboyer@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  23. mempolicy: fix refcount leak in mpol_set_shared_policy()

    kosaki authored and gregkh committed Oct 8, 2012
    commit 63f74ca upstream.
    
    When shared_policy_replace() fails to allocate new->policy is not freed
    correctly by mpol_set_shared_policy().  The problem is that shared
    mempolicy code directly call kmem_cache_free() in multiple places where
    it is easy to make a mistake.
    
    This patch creates an sp_free wrapper function and uses it. The bug was
    introduced pre-git age (IOW, before 2.6.12-rc2).
    
    [mgorman@suse.de: Editted changelog]
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Reviewed-by: Christoph Lameter <cl@linux.com>
    Cc: Josh Boyer <jwboyer@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>