The install_special_mapping routine (used, for example, to setup the
vdso) skips the security check before insert_vm_struct, allowing a local
attacker to bypass the mmap_min_addr security restriction by limiting
the available pages for special mappings.

bprm_mm_init() also skips the check, and although I don't think this can
be used to bypass any restrictions, I don't see any reason not to have
the security check.

  $ uname -m
  x86_64
  $ cat /proc/sys/vm/mmap_min_addr
  65536
  $ cat install_special_mapping.s
  section .bss
      resb BSS_SIZE
  section .text
      global _start
      _start:
          mov     eax, __NR_pause
          int     0x80
  $ nasm -D__NR_pause=29 -DBSS_SIZE=0xfffed000 -f elf -o install_special_mapping.o install_special_mapping.s
  $ ld -m elf_i386 -Ttext=0x10000 -Tbss=0x11000 -o install_special_mapping install_special_mapping.o
  $ ./install_special_mapping &
  [1] 14303
  $ cat /proc/14303/maps
  0000f000-00010000 r-xp 00000000 00:00 0                                  [vdso]
  00010000-00011000 r-xp 00001000 00:19 2453665                            /home/taviso/install_special_mapping
  00011000-ffffe000 rwxp 00000000 00:00 0                                  [stack]

It's worth noting that Red Hat are shipping with mmap_min_addr set to
4096.
Signed-off-by: Tavis Ormandy <taviso@google.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Acked-by: Robert Swiecki <swiecki@google.com>
[ Changed to not drop the error code - akpm ]
Reviewed-by: James Morris <jmorris@namei.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
  workqueue: It is likely that WORKER_NOT_RUNNING is true
  MAINTAINERS: Add workqueue entry
  workqueue: check the allocation of system_unbound_wq

* 'for-linus' of git://neil.brown.name/md:
  md: protect against NULL reference when waiting to start a raid10.
  md: fix bug with re-adding of partially recovered device.
  md: fix possible deadlock in handling flush requests.
  md: move code in to submit_flushes.
  md: remove handling of flush_pending in md_submit_flush_data

There is a possibility that the last word of a transaction will be lost
if data is not ready.  Re-read in poll_transfer() to solve this issue
when poll_mode is enabled.

Verified on SPI touch screen device.
Signed-off-by: Major Lee <major_lee@wistron.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

This gets caught by the new sanity check code. Instead of the slash use a
different symbol. This was originally found by Major Lee who proposed a
rather more complex patch which changed the name according to the chip
type.

On the basis that we are in a late -rc and making Linus grumpy isn't always
a good idea (however fun) this is a simple alternative.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  sh: wire up accept4 syscall (non-multiplexed path)
  sh: Enable deprecated IRQ chip APIs for MFD and GPIOLIB drivers.

Merge branch 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6

* 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6:
  OMAP2: PRCM: fix some SHIFT macros that were actually bitmasks
  OMAP2+: PM/serial: fix console semaphore acquire during suspend
  OMAP1: SRAM: fix size for OMAP1611 SoCs
  arm: omap2: io: fix clk_get() error check
  arm: plat-omap: counter_32k: use IS_ERR() instead of NULL check
  omap: nand: remove hardware ECC as default
  omap: zoom: wl1271 slot is MMC_CAP_POWER_OFF_CARD
  omap: PM debug: fix wake-on-timer debugfs dependency

* master.kernel.org:/home/rmk/linux-2.6-arm:
  ARM: 6535/1: V6 MPCore v6_dma_inv_range and v6_dma_flush_range RWFO fix
  ARM: 6534/1: Make CONFIG_FPE_NWFPE depend on !CONFIG_THUMB2_KERNEL
  ARM: 6533/1: Thumb-2: Make CONFIG_THUMB2_KERNEL depend on !CPU_V6
  Change bcmring Maintainer list.
  ARM: Update mach-types
  ARM: 6528/1: Use CTR for the I-cache line size on ARMv7
  ARM: 6527/1: Use CTR instead of CCSIDR for the D-cache line size on ARMv7
  ARM: pxa/palm: fix ifdef around gen_nand driver registration
  ARM: pxa: fix pxa2xx-flash section mismatch
  ARM: mmp2: remove not used clk_rtc

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6:
  sparc: Write to prom console using indirect buffer.
  sparc: Delete prom_*getchar().
  sparc: Pass buffer pointer all the way down to prom_{get,put}char().
  sparc: Do not export prom_nb{get,put}char().
  sparc64: Delete prom_setcallback().
  sparc64: Unexport prom_service_exists().
  sparc: Kill prom devops_{32,64}.c
  sparc: Remove prom_pathtoinode()
  sparc64: Delete prom_puts() unused.
  SPARC/LEON: removed constant timer initialization as if HZ=100, now it reflects the value of HZ

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (75 commits)
  pppoe.c: Fix kernel panic caused by __pppoe_xmit
  WAN: Fix a TX IRQ causing BUG() in PC300 and PCI200SYN drivers.
  bnx2x: Advance a version number to 1.60.01-0
  bnx2x: Fixed a compilation warning
  bnx2x: LSO code was broken on BE platforms
  qlge: Fix deadlock when cancelling worker.
  net: fix skb_defer_rx_timestamp()
  cxgb4vf: Ingress Queue Entry Size needs to be 64 bytes
  phy: add the IC+ IP1001 driver
  atm: correct sysfs 'device' link creation and parent relationships
  MAINTAINERS: remove me from tulip
  SCTP: Fix SCTP_SET_PEER_PRIMARY_ADDR to accpet v4mapped address
  enic: Bug Fix: Pass napi reference to the isr that services receive queue
  ipv6: fix nl group when advertising a new link
  connector: add module alias
  net: Document the kernel_recvmsg() function
  r8169: Fix runtime power management
  hso: IP checksuming doesn't work on GE0301 option cards
  xfrm: Fix xfrm_state_migrate leak
  net: Convert netpoll blocking api in bonding driver to be a counter
  ...

* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6:
  [SCSI] hpsa: fix redefinition of PCI_DEVICE_ID_CISSF
  [SCSI] qla2xxx: Update version number to 8.03.05-k0.
  [SCSI] qla2xxx: Properly set the return value in qla2xxx_eh_abort function.
  [SCSI] qla2xxx: Correct issue where NPIV-config data was not being allocated for 82xx parts.
  [SCSI] qla2xxx: Change MSI initialization from using incorrect request_irq parameter.
  [SCSI] qla2xxx: Populate Command Type 6 LUN field properly.
  [SCSI] zfcp: Issue FCP command without holding SCSI host_lock
  [SCSI] zfcp: Prevent usage w/o holding a reference
  [SCSI] zfcp: No ERP escalation on gpn_ft eval
  [SCSI] zfcp: Correct false abort data assignment.
  [SCSI] zfcp: Fix common FCP request reception
  [SCSI] Eliminate error handler overload of the SCSI serial number
  [SCSI] pmcraid: disable msix and expand device config entry
  [SCSI] bsg: correct fault if queue object removed while dev_t open
  [SCSI] osd: checking NULL instead of ERR_PTR()

* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jwessel/linux-2.6-kgdb:
  kgdboc,input: Fix regression with keyboard release key and early debugging

* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6:
  ACPI / PM: Do not save/restore NVS on Sony Vaio VGN-NW130D
  ACPI/HEST: adjust section selection
  ACPI: eliminate unused variable warning for !ACPI_SLEEP
  ACPI/PNP: avoid section mismatch warning
  ACPI thermal: remove two unused functions
  ACPI: fix a section mismatch
  ACPI, APEI, use raw spinlock in ERST
  ACPI: video: fix build for CONFIG_ACPI=n
  ACPI: video: fix build for VIDEO_OUTPUT_CONTROL=n
  ACPI: fix allowing to add/remove multiple _OSI strings
  acpi: fix _OSI string setup regression
  ACPI: EC: Add another dmi match entry for MSI hardware
  ACPI battery: update status upon sysfs query
  ACPI ac: update AC status upon sysfs query
  ACPI / PM: Do not refcount power resources that can't be turned on
  ACPI / PM: Check device state before refcounting power resources

* 'idle-release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-idle-2.6:
  intel_idle: recognize ARAT on WSM-EX

Cache ownership must be acquired by reading/writing data from the
cache line to make cache operation have the desired effect on the
SMP MPCore CPU. However, the ownership is never acquired in the
v6_dma_inv_range function when cleaning the first line and
flushing the last one, in case the address is not aligned
to D_CACHE_LINE_SIZE boundary.
Fix this by reading/writing data if needed, before performing
cache operations.
While at it, fix v6_dma_flush_range to prevent RWFO outside
the buffer.

Cc: stable@kernel.org
Signed-off-by: Valentine Barshak <vbarshak@mvista.com>
Signed-off-by: George G. Davis <gdavis@mvista.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

Because the nwfpe support is unlikely to be used on new platforms
and requires CONFIG_OABI_COMPAT, which is not generally used with
ARMv7+, we shouldn't expect to build nwfpe support into a Thumb-2
kernel.

At present, nwfpe contains assembly code which isn't Thumb-2
compatible, and for now it doesn't appear useful to port this
code.

All ARMv7-A/R platforms necessarily have VFPv3 hardware floating-
point natively, making emulation unnecessary.
Signed-off-by: Dave Martin <dave.martin@linaro.org>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: Nicolas Pitre <nicolas.pitre@linaro.org>
Acked-by: Santosh Shilimkar <santosh.shilimkar@ti.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

This makes sense, because Thumb-2 code can't execute on plain
ARMv6 processors.

This will avoid accidentally configuring a broken kernel where the
config otherwise would allow multiple architecture versions to
coexist in the same kernel.

Not adding !CPU_V5 etc., because the chance of anyone trying to
put v5 and v7 in the same kernel is low, and I'm not aware of
any mach which can do this.  These could be added later if it
matters.

Note that the rules may need to be refined if support for the
ARM1156J(F)-S processor is later added to the kernel, since this
processor supports the rare ARMv6T2 extensions, which add support
for Thumb-2 and a few other ARMv7 features.
Signed-off-by: Dave Martin <dave.martin@linaro.org>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: Nicolas Pitre <nicolas.pitre@linaro.org>
Acked-by: Santosh Shilimkar <santosh.shilimkar@ti.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

I am Jiandong Zheng working on BCMRING in Broadcom Canada Ltd. I am
replacing Leo Chen (leochen@broadcom.com) as "ARM/BCMRING ARM
ARCHITECTURE" and "ARM/BCMRING MTD NAND DRIVER" maintainer from
Broadcom as he is no longer the maintainer of these components.
Signed-off-by: Jiandong Zheng <jdzheng@broadcom.com>
Acked-by: Scott Branden <sbranden@broadcom.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

Merge branch 'fbdev-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/fbdev-2.6

* 'fbdev-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/fbdev-2.6:
  fbdev: Fix fb_find_nearest_mode refresh comparison

* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging:
  hwmon: (ltc4215) make sysfs file match the alarm cause

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_tx:
  dmaengine: at_hdmac: fix buffer transfer size specification
  fsldma: fix issue of slow dma
  dmaengine i.MX SDMA: initialize on module_init
  dma : EG20T PCH: Fix miss-setting DMA descriptor
  intel_mid_dma: fix section mismatch warnings
  dmaengine: imx-sdma: fix bug in buffer descriptor initialization
  drivers/dma/ppc4xx: Use printf extension %pR for struct resource
  drivers/dma/ioat: Use the ccflag-y instead of EXTRA_CFLAGS
  drivers/dma/: Use the ccflag-y instead of EXTRA_CFLAGS
  dma: intel_mid_dma: fix double free on mid_setup_dma error path
  dma: imx-dma: fix imxdma_probe error path

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
  IB/uverbs: Handle large number of entries in poll CQ

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
  firewire: ohci: fix regression with Agere FW643 rev 06, disable MSI
  firewire: ohci: fix regression with VIA VT6315, disable MSI

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lrg/voltage-2.6:
  regulator: tps6586x: correct register table
  regulator: tps6586x: Handle both enable reg/bits being the same
  regulator: tps6586x: Fix TPS6586X_DVM to store goreg/bit
  regulator: tps6586x: Add missing bit mask generation

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
  ALSA: HDA: Quirk for Dell Vostro 320 to make microphone work
  ALSA: hda - Reset sample sizes and max bitrates when reading ELD
  ALSA: hda - Always allow basic audio irrespective of ELD info
  ALSA: hda - Do not wrongly restrict min_channels based on ELD
  ASoC: Correct WM8962 interrupt mask register read
  ASoC: WM8580: Debug BCLK and sample size
  ASoC: Fix resource leak if soc_register_ac97_dai_link failed
  ASoC: Hold client_mutex while calling snd_soc_instantiate_cards()
  ASoC: Fix swap of left and right channels for WM8993/4 speaker boost gain
  ASoC: Fix off by one error in WM8994 EQ register bank size
  ALSA: hda: Use position_fix=1 for Acer Aspire 5538 to enable capture on internal mic
  ALSA: hda - Enable jack sense for Thinkpad Edge 13
  ALSA: hda - Fix ThinkPad T410[s] docking station line-out
  ALSA: hda: Use model=lg quirk for LG P1 Express to enable playback and capture

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp:
  amd64_edac: Fix interleaving check
  EDAC: Correct MiB_TO_PAGES() macro
  EDAC: Fix workqueue-related crashes

* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/radeon/kms: don't apply 7xx HDP flush workaround on AGP
  drm: use after free in drm_queue_vblank_event()
  drm/kms: remove spaces from connector names (v2)

* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging:
  hwmon: (adm1026) Allow 1 as a valid divider value
  hwmon: (adm1026) Fix setting fan_div
  hwmon: (it87) Fix manual fan speed control on IT8721F

* 'for-2.6.37' of git://linux-nfs.org/~bfields/linux:
  nfsd: Fix possible BUG_ON firing in set_change_info
  sunrpc: prevent use-after-free on clearing XPT_BUSY

* git://git.kernel.org/pub/scm/linux/kernel/git/mason/btrfs-unstable:
  Btrfs: prevent RAID level downgrades when space is low
  Btrfs: account for missing devices in RAID allocation profiles
  Btrfs: EIO when we fail to read tree roots
  Btrfs: fix compiler warnings
  Btrfs: Make async snapshot ioctl more generic
  Btrfs: pwrite blocked when writing from the mmaped buffer of the same page
  Btrfs: Fix a crash when mounting a subvolume
  Btrfs: fix sync subvol/snapshot creation
  Btrfs: Fix page leak in compressed writeback path
  Btrfs: do not BUG if we fail to remove the orphan item for dead snapshots
  Btrfs: fixup return code for btrfs_del_orphan_item
  Btrfs: do not do fast caching if we are allocating blocks for tree_root
  Btrfs: deal with space cache errors better
  Btrfs: fix use after free in O_DIRECT

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
  fuse: verify ioctl retries
  fuse: fix ioctl when server is 32bit

* 'for-linus' of git://oss.sgi.com/xfs/xfs:
  xfs: log timestamp changes to the source inode in rename

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
  ceph: fix ioctl magic
  ceph: Behave better when handling file lock replies.
  ceph: pass lock information by struct file_lock instead of as individual params.
  ceph: Handle file locks in replies from the MDS.
  ceph: avoid possible null deref in readdir after dir llseek

* 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6:
  NFS: Fix panic after nfs_umount()
  nfs: remove extraneous and problematic calls to nfs_clear_request
  nfs: kernel should return EPROTONOSUPPORT when not support NFSv4
  NFS: Fix fcntl F_GETLK not reporting some conflicts
  nfs: Discard ACL cache on mode update
  NFS: Readdir cleanups
  NFS: nfs_readdir_search_for_cookie() don't mark as eof if cookie not found
  NFS: Fix a memory leak in nfs_readdir
  Call the filesystem back whenever a page is removed from the page cache
  NFS: Ensure we use the correct cookie in nfs_readdir_xdr_filler

* git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
  cifs: remove bogus remapping of error in cifs_filldir()
  cifs: allow calling cifs_build_path_to_root on incomplete cifs_sb
  cifs: fix check of error return from is_path_accessable
  cifs: remove Local_System_Name
  cifs: fix use of CONFIG_CIFS_ACL
  cifs: add attribute cache timeout (actimeo) tunable

Running the annotate branch profiler on three boxes, including my
main box that runs firefox, evolution, xchat, and is part of the distcc farm,
showed this with the likelys in the workqueue code:

 correct incorrect  %        Function                  File              Line
 ------- ---------  -        --------                  ----              ----
      96   996253  99 wq_worker_sleeping             workqueue.c          703
      96   996247  99 wq_worker_waking_up            workqueue.c          677

The likely()s in this case were assuming that WORKER_NOT_RUNNING will
most likely be false. But this is not the case. The reason is
(and shown by adding trace_printks and testing it) that most of the time
WORKER_PREP is set.

In worker_thread() we have:

	worker_clr_flags(worker, WORKER_PREP);

	[ do work stuff ]

	worker_set_flags(worker, WORKER_PREP, false);

(that 'false' means not to wake up an idle worker)

The wq_worker_sleeping() is called from schedule when a worker thread
is putting itself to sleep. Which happens most of the time outside
of that [ do work stuff ].

The wq_worker_waking_up is called by the wakeup worker code, which
is also callod outside that [ do work stuff ].

Thus, the likely and unlikely used by those two functions are actually
backwards.

Remove the annotation and let gcc figure it out.
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Tejun Heo <tj@kernel.org>

Signed-off-by: Tejun Heo <tj@kernel.org>

Refresh rate nearness is not calculated or reset when nearest resolution
changes.

This patch resets the refresh rate differential measurement whenever a
new nearest resolution is discovered.  This fixes two error cases;
first, wherein the first mode's refresh rate differential is never
calculated and second, when the closest refresh rate from a previous
nearest resolution is erroneously preserved.
Signed-off-by: Andrew Kephart <andrew.kephart@alereon.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>

Signed-off-by: Carmelo Amoroso <carmelo.amoroso@st.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>

Buffer transfer size is the number of transfers to be performed in
relation with the width of the _source_ interface.
So in the DMA_FROM_DEVICE case, it should be the register width that
should be taken into account.
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>