From: Greg Kroah-Hartman Date: Fri, 3 Dec 2010 23:49:11 +0000 (-0800) Subject: .33 stuff X-Git-Tag: v2.6.27.57~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=97f84e490a59ea1016806e18161177cd17ac30d1;p=thirdparty%2Fkernel%2Fstable-queue.git .33 stuff --- diff --git a/queue-2.6.33/drivers-char-vt_ioctl.c-fix-vt_openqry-error-value.patch b/queue-2.6.33/drivers-char-vt_ioctl.c-fix-vt_openqry-error-value.patch new file mode 100644 index 00000000000..1395336df37 --- /dev/null +++ b/queue-2.6.33/drivers-char-vt_ioctl.c-fix-vt_openqry-error-value.patch @@ -0,0 +1,72 @@ +From 1e0ad2881d50becaeea70ec696a80afeadf944d2 Mon Sep 17 00:00:00 2001 +From: Graham Gower +Date: Wed, 27 Oct 2010 15:33:00 -0700 +Subject: drivers/char/vt_ioctl.c: fix VT_OPENQRY error value + +From: Graham Gower + +commit 1e0ad2881d50becaeea70ec696a80afeadf944d2 upstream. + +When all VT's are in use, VT_OPENQRY casts -1 to unsigned char before +returning it to userspace as an int. VT255 is not the next available +console. + +Signed-off-by: Graham Gower +Cc: Greg KH +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/vt_ioctl.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/char/vt_ioctl.c ++++ b/drivers/char/vt_ioctl.c +@@ -503,6 +503,7 @@ int vt_ioctl(struct tty_struct *tty, str + struct kbd_struct * kbd; + unsigned int console; + unsigned char ucval; ++ unsigned int uival; + void __user *up = (void __user *)arg; + int i, perm; + int ret = 0; +@@ -657,7 +658,7 @@ int vt_ioctl(struct tty_struct *tty, str + break; + + case KDGETMODE: +- ucval = vc->vc_mode; ++ uival = vc->vc_mode; + goto setint; + + case KDMAPDISP: +@@ -695,7 +696,7 @@ int vt_ioctl(struct tty_struct *tty, str + break; + + case KDGKBMODE: +- ucval = ((kbd->kbdmode == VC_RAW) ? K_RAW : ++ uival = ((kbd->kbdmode == VC_RAW) ? K_RAW : + (kbd->kbdmode == VC_MEDIUMRAW) ? K_MEDIUMRAW : + (kbd->kbdmode == VC_UNICODE) ? K_UNICODE : + K_XLATE); +@@ -717,9 +718,9 @@ int vt_ioctl(struct tty_struct *tty, str + break; + + case KDGKBMETA: +- ucval = (vc_kbd_mode(kbd, VC_META) ? K_ESCPREFIX : K_METABIT); ++ uival = (vc_kbd_mode(kbd, VC_META) ? K_ESCPREFIX : K_METABIT); + setint: +- ret = put_user(ucval, (int __user *)arg); ++ ret = put_user(uival, (int __user *)arg); + break; + + case KDGETKEYCODE: +@@ -949,7 +950,7 @@ int vt_ioctl(struct tty_struct *tty, str + for (i = 0; i < MAX_NR_CONSOLES; ++i) + if (! VT_IS_IN_USE(i)) + break; +- ucval = i < MAX_NR_CONSOLES ? (i+1) : -1; ++ uival = i < MAX_NR_CONSOLES ? (i+1) : -1; + goto setint; + + /* diff --git a/queue-2.6.33/ecryptfs-clear-lookup_open-flag-when-creating-lower-file.patch b/queue-2.6.33/ecryptfs-clear-lookup_open-flag-when-creating-lower-file.patch new file mode 100644 index 00000000000..801adda1e5a --- /dev/null +++ b/queue-2.6.33/ecryptfs-clear-lookup_open-flag-when-creating-lower-file.patch @@ -0,0 +1,50 @@ +From 2e21b3f124eceb6ab5a07c8a061adce14ac94e14 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Thu, 23 Sep 2010 02:35:04 -0500 +Subject: eCryptfs: Clear LOOKUP_OPEN flag when creating lower file + +From: Tyler Hicks + +commit 2e21b3f124eceb6ab5a07c8a061adce14ac94e14 upstream. + +eCryptfs was passing the LOOKUP_OPEN flag through to the lower file +system, even though ecryptfs_create() doesn't support the flag. A valid +filp for the lower filesystem could be returned in the nameidata if the +lower file system's create() function supported LOOKUP_OPEN, possibly +resulting in unencrypted writes to the lower file. + +However, this is only a potential problem in filesystems (FUSE, NFS, +CIFS, CEPH, 9p) that eCryptfs isn't known to support today. + +https://bugs.launchpad.net/ecryptfs/+bug/641703 + +Reported-by: Kevin Buhr +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/inode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/ecryptfs/inode.c ++++ b/fs/ecryptfs/inode.c +@@ -69,15 +69,19 @@ ecryptfs_create_underlying_file(struct i + struct vfsmount *lower_mnt = ecryptfs_dentry_to_lower_mnt(dentry); + struct dentry *dentry_save; + struct vfsmount *vfsmount_save; ++ unsigned int flags_save; + int rc; + + dentry_save = nd->path.dentry; + vfsmount_save = nd->path.mnt; ++ flags_save = nd->flags; + nd->path.dentry = lower_dentry; + nd->path.mnt = lower_mnt; ++ nd->flags &= ~LOOKUP_OPEN; + rc = vfs_create(lower_dir_inode, lower_dentry, mode, nd); + nd->path.dentry = dentry_save; + nd->path.mnt = vfsmount_save; ++ nd->flags = flags_save; + return rc; + } + diff --git a/queue-2.6.33/hpet-fix-unwanted-interrupt-due-to-stale-irq-status-bit.patch b/queue-2.6.33/hpet-fix-unwanted-interrupt-due-to-stale-irq-status-bit.patch new file mode 100644 index 00000000000..950aed71f63 --- /dev/null +++ b/queue-2.6.33/hpet-fix-unwanted-interrupt-due-to-stale-irq-status-bit.patch @@ -0,0 +1,77 @@ +From 96e9694df446d1154ec2f4fdba8908588b9cba38 Mon Sep 17 00:00:00 2001 +From: Clemens Ladisch +Date: Tue, 26 Oct 2010 14:22:13 -0700 +Subject: hpet: fix unwanted interrupt due to stale irq status bit + +From: Clemens Ladisch + +commit 96e9694df446d1154ec2f4fdba8908588b9cba38 upstream. + +Jaswinder Singh Rajput wrote: +> By executing Documentation/timers/hpet_example.c +> +> for polling, I requested for 3 iterations but it seems iteration work +> for only 2 as first expired time is always very small. +> +> # ./hpet_example poll /dev/hpet 10 3 +> -hpet: executing poll +> hpet_poll: info.hi_flags 0x0 +> hpet_poll: expired time = 0x13 +> hpet_poll: revents = 0x1 +> hpet_poll: data 0x1 +> hpet_poll: expired time = 0x1868c +> hpet_poll: revents = 0x1 +> hpet_poll: data 0x1 +> hpet_poll: expired time = 0x18645 +> hpet_poll: revents = 0x1 +> hpet_poll: data 0x1 + +Clearing the HPET interrupt enable bit disables interrupt generation +but does not disable the timer, so the interrupt status bit will still +be set when the timer elapses. If another interrupt arrives before +the timer has been correctly programmed (due to some other device on +the same interrupt line, or CONFIG_DEBUG_SHIRQ), this results in an +extra unwanted interrupt event because the status bit is likely to be +set from comparator matches that happened before the device was opened. + +Therefore, we have to ensure that the interrupt status bit is and +stays cleared until we actually program the timer. + +Signed-off-by: Clemens Ladisch +Reported-by: Jaswinder Singh Rajput +Cc: Ingo Molnar +Cc: Thomas Gleixner +Cc: john stultz +Cc: Bob Picco +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/hpet.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/char/hpet.c ++++ b/drivers/char/hpet.c +@@ -476,6 +476,21 @@ static int hpet_ioctl_ieon(struct hpet_d + if (irq) { + unsigned long irq_flags; + ++ if (devp->hd_flags & HPET_SHARED_IRQ) { ++ /* ++ * To prevent the interrupt handler from seeing an ++ * unwanted interrupt status bit, program the timer ++ * so that it will not fire in the near future ... ++ */ ++ writel(readl(&timer->hpet_config) & ~Tn_TYPE_CNF_MASK, ++ &timer->hpet_config); ++ write_counter(read_counter(&hpet->hpet_mc), ++ &timer->hpet_compare); ++ /* ... and clear any left-over status. */ ++ isr = 1 << (devp - devp->hd_hpets->hp_dev); ++ writel(isr, &hpet->hpet_isr); ++ } ++ + sprintf(devp->hd_name, "hpet%d", (int)(devp - hpetp->hp_dev)); + irq_flags = devp->hd_flags & HPET_SHARED_IRQ + ? IRQF_SHARED : IRQF_DISABLED; diff --git a/queue-2.6.33/hpet-unmap-unused-i-o-space.patch b/queue-2.6.33/hpet-unmap-unused-i-o-space.patch new file mode 100644 index 00000000000..ee4afe30eab --- /dev/null +++ b/queue-2.6.33/hpet-unmap-unused-i-o-space.patch @@ -0,0 +1,88 @@ +From a56d5318716d120e040294bb258901ba89fb9c90 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Tue, 26 Oct 2010 14:22:11 -0700 +Subject: hpet: unmap unused I/O space + +From: Jiri Slaby + +commit a56d5318716d120e040294bb258901ba89fb9c90 upstream. + +When the initialization code in hpet finds a memory resource and does not +find an IRQ, it does not unmap the memory resource previously mapped. + +There are buggy BIOSes which report resources exactly like this and what +is worse the memory region bases point to normal RAM. This normally would +not matter since the space is not touched. But when PAT is turned on, +ioremap causes the page to be uncached and sets this bit in page->flags. + +Then when the page is about to be used by the allocator, it is reported +as: + +BUG: Bad page state in process md5sum pfn:3ed00 +page:ffffea0000dbd800 count:0 mapcount:0 mapping:(null) index:0x0 +page flags: 0x20000001000000(uncached) +Pid: 7956, comm: md5sum Not tainted 2.6.34-12-desktop #1 +Call Trace: + [] bad_page+0xb1/0x100 + [] prep_new_page+0x1a5/0x1c0 + [] get_page_from_freelist+0x3a1/0x640 + [] __alloc_pages_nodemask+0x10f/0x6b0 +... + +In this particular case: + +1) HPET returns 3ed00000 as memory region base, but it is not in +reserved ranges reported by the BIOS (excerpt): + BIOS-e820: 0000000000100000 - 00000000af6cf000 (usable) + BIOS-e820: 00000000af6cf000 - 00000000afdcf000 (reserved) + +2) there is no IRQ resource reported by HPET method. On the other +hand, the Intel HPET specs (1.0a) says (3.2.5.1): +_CRS ( + // Report 1K of memory consumed by this Timer Block + memory range consumed + // Optional: only used if BIOS allocates Interrupts [1] + IRQs consumed +) + +[1] For case where Timer Block is configured to consume IRQ0/IRQ8 AND +Legacy 8254/Legacy RTC hardware still exists, the device objects +associated with 8254 & RTC devices should not report IRQ0/IRQ8 as +"consumed resources". + +So in theory we should check whether if it is the case and use those +interrupts instead. + +Anyway the address reported by the BIOS here is bogus, so non-presence +of IRQ doesn't mean the "optional" part in point 2). + +Since I got no reply previously, fix this by simply unmapping the space +when IRQ is not found and memory region was mapped previously. It would +be probably more safe to walk the resources again and unmap appropriately +depending on type. But as we now use only ioremap for both 2 memory +resource types, it is not necessarily needed right now. + +Addresses https://bugzilla.novell.com/show_bug.cgi?id=629908 + +Reported-by: Olaf Hering +Signed-off-by: Jiri Slaby +Acked-by: Clemens Ladisch +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/hpet.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/char/hpet.c ++++ b/drivers/char/hpet.c +@@ -982,6 +982,8 @@ static int hpet_acpi_add(struct acpi_dev + return -ENODEV; + + if (!data.hd_address || !data.hd_nirqs) { ++ if (data.hd_address) ++ iounmap(data.hd_address); + printk("%s: no address or irqs in _CRS\n", __func__); + return -ENODEV; + } diff --git a/queue-2.6.33/hwmon-lm85-fix-adt7468-frequency-table.patch b/queue-2.6.33/hwmon-lm85-fix-adt7468-frequency-table.patch new file mode 100644 index 00000000000..f9dfbf8535f --- /dev/null +++ b/queue-2.6.33/hwmon-lm85-fix-adt7468-frequency-table.patch @@ -0,0 +1,30 @@ +From fa7a5797e57d2ed71f9a6fb44f0ae42c2d7b74b7 Mon Sep 17 00:00:00 2001 +From: Jean Delvare +Date: Thu, 28 Oct 2010 20:31:50 +0200 +Subject: hwmon: (lm85) Fix ADT7468 frequency table + +From: Jean Delvare + +commit fa7a5797e57d2ed71f9a6fb44f0ae42c2d7b74b7 upstream. + +The ADT7468 uses the same frequency table as the ADT7463. + +Signed-off-by: Jean Delvare +Cc: Darrick J. Wong +Acked-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/lm85.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/hwmon/lm85.c ++++ b/drivers/hwmon/lm85.c +@@ -1259,6 +1259,7 @@ static int lm85_probe(struct i2c_client + switch (data->type) { + case adm1027: + case adt7463: ++ case adt7468: + case emc6d100: + case emc6d102: + data->freq_map = adm1027_freq_map; diff --git a/queue-2.6.33/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch b/queue-2.6.33/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch new file mode 100644 index 00000000000..3b1b7f78a25 --- /dev/null +++ b/queue-2.6.33/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch @@ -0,0 +1,74 @@ +From 03145beb455cf5c20a761e8451e30b8a74ba58d9 Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg +Date: Wed, 27 Oct 2010 15:34:17 -0700 +Subject: ipc: initialize structure memory to zero for compat functions + +From: Dan Rosenberg + +commit 03145beb455cf5c20a761e8451e30b8a74ba58d9 upstream. + +This takes care of leaking uninitialized kernel stack memory to +userspace from non-zeroed fields in structs in compat ipc functions. + +Signed-off-by: Dan Rosenberg +Cc: Manfred Spraul +Cc: Arnd Bergmann +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/compat.c | 6 ++++++ + ipc/compat_mq.c | 5 +++++ + 2 files changed, 11 insertions(+) + +--- a/ipc/compat.c ++++ b/ipc/compat.c +@@ -242,6 +242,8 @@ long compat_sys_semctl(int first, int se + struct semid64_ds __user *up64; + int version = compat_ipc_parse_version(&third); + ++ memset(&s64, 0, sizeof(s64)); ++ + if (!uptr) + return -EINVAL; + if (get_user(pad, (u32 __user *) uptr)) +@@ -422,6 +424,8 @@ long compat_sys_msgctl(int first, int se + int version = compat_ipc_parse_version(&second); + void __user *p; + ++ memset(&m64, 0, sizeof(m64)); ++ + switch (second & (~IPC_64)) { + case IPC_INFO: + case IPC_RMID: +@@ -595,6 +599,8 @@ long compat_sys_shmctl(int first, int se + int err, err2; + int version = compat_ipc_parse_version(&second); + ++ memset(&s64, 0, sizeof(s64)); ++ + switch (second & (~IPC_64)) { + case IPC_RMID: + case SHM_LOCK: +--- a/ipc/compat_mq.c ++++ b/ipc/compat_mq.c +@@ -53,6 +53,9 @@ asmlinkage long compat_sys_mq_open(const + void __user *p = NULL; + if (u_attr && oflag & O_CREAT) { + struct mq_attr attr; ++ ++ memset(&attr, 0, sizeof(attr)); ++ + p = compat_alloc_user_space(sizeof(attr)); + if (get_compat_mq_attr(&attr, u_attr) || + copy_to_user(p, &attr, sizeof(attr))) +@@ -127,6 +130,8 @@ asmlinkage long compat_sys_mq_getsetattr + struct mq_attr __user *p = compat_alloc_user_space(2 * sizeof(*p)); + long ret; + ++ memset(&mqstat, 0, sizeof(mqstat)); ++ + if (u_mqstat) { + if (get_compat_mq_attr(&mqstat, u_mqstat) || + copy_to_user(p, &mqstat, sizeof(mqstat))) diff --git a/queue-2.6.33/ipc-shm-fix-information-leak-to-userland.patch b/queue-2.6.33/ipc-shm-fix-information-leak-to-userland.patch new file mode 100644 index 00000000000..3fa88b57dfe --- /dev/null +++ b/queue-2.6.33/ipc-shm-fix-information-leak-to-userland.patch @@ -0,0 +1,32 @@ +From 3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Sat, 30 Oct 2010 18:22:49 +0400 +Subject: ipc: shm: fix information leak to userland + +From: Vasiliy Kulikov + +commit 3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44 upstream. + +The shmid_ds structure is copied to userland with shm_unused{,2,3} +fields unitialized. It leads to leaking of contents of kernel stack +memory. + +Signed-off-by: Vasiliy Kulikov +Acked-by: Al Viro +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/shm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -476,6 +476,7 @@ static inline unsigned long copy_shmid_t + { + struct shmid_ds out; + ++ memset(&out, 0, sizeof(out)); + ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm); + out.shm_segsz = in->shm_segsz; + out.shm_atime = in->shm_atime; diff --git a/queue-2.6.33/md-fix-return-value-of-rdev_size_change.patch b/queue-2.6.33/md-fix-return-value-of-rdev_size_change.patch new file mode 100644 index 00000000000..75a542b40b2 --- /dev/null +++ b/queue-2.6.33/md-fix-return-value-of-rdev_size_change.patch @@ -0,0 +1,45 @@ +From c26a44ed1e552aaa1d4ceb71842002d235fe98d7 Mon Sep 17 00:00:00 2001 +From: Justin Maggard +Date: Wed, 24 Nov 2010 16:36:17 +1100 +Subject: md: fix return value of rdev_size_change() + +From: Justin Maggard + +commit c26a44ed1e552aaa1d4ceb71842002d235fe98d7 upstream. + +When trying to grow an array by enlarging component devices, +rdev_size_store() expects the return value of rdev_size_change() to be +in sectors, but the actual value is returned in KBs. + +This functionality was broken by commit + dd8ac336c13fd8afdb082ebacb1cddd5cf727889 +so this patch is suitable for any kernel since 2.6.30. + +Signed-off-by: Justin Maggard +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -1255,7 +1255,7 @@ super_90_rdev_size_change(mdk_rdev_t *rd + md_super_write(rdev->mddev, rdev, rdev->sb_start, rdev->sb_size, + rdev->sb_page); + md_super_wait(rdev->mddev); +- return num_sectors / 2; /* kB for sysfs */ ++ return num_sectors; + } + + +@@ -1617,7 +1617,7 @@ super_1_rdev_size_change(mdk_rdev_t *rde + md_super_write(rdev->mddev, rdev, rdev->sb_start, rdev->sb_size, + rdev->sb_page); + md_super_wait(rdev->mddev); +- return num_sectors / 2; /* kB for sysfs */ ++ return num_sectors; + } + + static struct super_type super_types[] = { diff --git a/queue-2.6.33/md-raid1-really-fix-recovery-looping-when-single-good-device-fails.patch b/queue-2.6.33/md-raid1-really-fix-recovery-looping-when-single-good-device-fails.patch new file mode 100644 index 00000000000..706f04b18f4 --- /dev/null +++ b/queue-2.6.33/md-raid1-really-fix-recovery-looping-when-single-good-device-fails.patch @@ -0,0 +1,42 @@ +From 8f9e0ee38f75d4740daa9e42c8af628d33d19a02 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Wed, 24 Nov 2010 16:39:46 +1100 +Subject: md/raid1: really fix recovery looping when single good device fails. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: NeilBrown + +commit 8f9e0ee38f75d4740daa9e42c8af628d33d19a02 upstream. + +Commit 4044ba58dd15cb01797c4fd034f39ef4a75f7cc3 supposedly fixed a +problem where if a raid1 with just one good device gets a read-error +during recovery, the recovery would abort and immediately restart in +an infinite loop. + +However it depended on raid1_remove_disk removing the spare device +from the array. But that does not happen in this case. So add a test +so that in the 'recovery_disabled' case, the device will be removed. + +This suitable for any kernel since 2.6.29 which is when +recovery_disabled was introduced. + +Reported-by: Sebastian Färber +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid1.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1196,6 +1196,7 @@ static int raid1_remove_disk(mddev_t *md + * is not possible. + */ + if (!test_bit(Faulty, &rdev->flags) && ++ !mddev->recovery_disabled && + mddev->degraded < conf->raid_disks) { + err = -EBUSY; + goto abort; diff --git a/queue-2.6.33/mm-fix-is_mem_section_removable-page_order-bug_on-check.patch b/queue-2.6.33/mm-fix-is_mem_section_removable-page_order-bug_on-check.patch new file mode 100644 index 00000000000..c40125dd1ad --- /dev/null +++ b/queue-2.6.33/mm-fix-is_mem_section_removable-page_order-bug_on-check.patch @@ -0,0 +1,51 @@ +From 572438f9b52236bd8938b1647cc15e027d27ef55 Mon Sep 17 00:00:00 2001 +From: KAMEZAWA Hiroyuki +Date: Tue, 26 Oct 2010 14:22:08 -0700 +Subject: mm: fix is_mem_section_removable() page_order BUG_ON check + +From: KAMEZAWA Hiroyuki + +commit 572438f9b52236bd8938b1647cc15e027d27ef55 upstream. + +page_order() is called by memory hotplug's user interface to check the +section is removable or not. (is_mem_section_removable()) + +It calls page_order() withoug holding zone->lock. +So, even if the caller does + + if (PageBuddy(page)) + ret = page_order(page) ... +The caller may hit BUG_ON(). + +For fixing this, there are 2 choices. + 1. add zone->lock. + 2. remove BUG_ON(). + +is_mem_section_removable() is used for some "advice" and doesn't need to +be 100% accurate. This is_removable() can be called via user program.. +We don't want to take this important lock for long by user's request. So, +this patch removes BUG_ON(). + +Signed-off-by: KAMEZAWA Hiroyuki +Acked-by: Wu Fengguang +Acked-by: Michal Hocko +Acked-by: Mel Gorman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/internal.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/internal.h ++++ b/mm/internal.h +@@ -62,7 +62,7 @@ extern bool is_free_buddy_page(struct pa + */ + static inline unsigned long page_order(struct page *page) + { +- VM_BUG_ON(!PageBuddy(page)); ++ /* PageBuddy() must be checked by the caller */ + return page_private(page); + } + diff --git a/queue-2.6.33/mm-fix-return-value-of-scan_lru_pages-in-memory-unplug.patch b/queue-2.6.33/mm-fix-return-value-of-scan_lru_pages-in-memory-unplug.patch new file mode 100644 index 00000000000..145e798eec1 --- /dev/null +++ b/queue-2.6.33/mm-fix-return-value-of-scan_lru_pages-in-memory-unplug.patch @@ -0,0 +1,38 @@ +From f8f72ad5396987e05a42cf7eff826fb2a15ff148 Mon Sep 17 00:00:00 2001 +From: KAMEZAWA Hiroyuki +Date: Tue, 26 Oct 2010 14:21:10 -0700 +Subject: mm: fix return value of scan_lru_pages in memory unplug + +From: KAMEZAWA Hiroyuki + +commit f8f72ad5396987e05a42cf7eff826fb2a15ff148 upstream. + +scan_lru_pages returns pfn. So, it's type should be "unsigned long" +not "int". + +Note: I guess this has been work until now because memory hotplug tester's + machine has not very big memory.... + physical address < 32bit << PAGE_SHIFT. + +Reported-by: KOSAKI Motohiro +Signed-off-by: KAMEZAWA Hiroyuki +Reviewed-by: KOSAKI Motohiro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory_hotplug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -629,7 +629,7 @@ static int test_pages_in_a_zone(unsigned + * Scanning pfn is much easier than scanning lru list. + * Scan pfn from start to end and Find LRU page. + */ +-int scan_lru_pages(unsigned long start, unsigned long end) ++unsigned long scan_lru_pages(unsigned long start, unsigned long end) + { + unsigned long pfn; + struct page *page; diff --git a/queue-2.6.33/net-netif_f_hw_csum-does-not-imply-fcoe-crc-offload.patch b/queue-2.6.33/net-netif_f_hw_csum-does-not-imply-fcoe-crc-offload.patch new file mode 100644 index 00000000000..9526da496f7 --- /dev/null +++ b/queue-2.6.33/net-netif_f_hw_csum-does-not-imply-fcoe-crc-offload.patch @@ -0,0 +1,37 @@ +From 66c68bcc489fadd4f5e8839e966e3a366e50d1d5 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Fri, 22 Oct 2010 04:38:26 +0000 +Subject: net: NETIF_F_HW_CSUM does not imply FCoE CRC offload + +From: Ben Hutchings + +commit 66c68bcc489fadd4f5e8839e966e3a366e50d1d5 upstream. + +NETIF_F_HW_CSUM indicates the ability to update an TCP/IP-style 16-bit +checksum with the checksum of an arbitrary part of the packet data, +whereas the FCoE CRC is something entirely different. + +Signed-off-by: Ben Hutchings +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/dev.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1590,10 +1590,10 @@ EXPORT_SYMBOL(netif_device_attach); + + static bool can_checksum_protocol(unsigned long features, __be16 protocol) + { +- return ((features & NETIF_F_GEN_CSUM) || +- ((features & NETIF_F_IP_CSUM) && ++ return ((features & NETIF_F_NO_CSUM) || ++ ((features & NETIF_F_V4_CSUM) && + protocol == htons(ETH_P_IP)) || +- ((features & NETIF_F_IPV6_CSUM) && ++ ((features & NETIF_F_V6_CSUM) && + protocol == htons(ETH_P_IPV6)) || + ((features & NETIF_F_FCOE_CRC) && + protocol == htons(ETH_P_FCOE))); diff --git a/queue-2.6.33/numa-fix-slab_node-mpol_bind.patch b/queue-2.6.33/numa-fix-slab_node-mpol_bind.patch new file mode 100644 index 00000000000..6ec1975a21a --- /dev/null +++ b/queue-2.6.33/numa-fix-slab_node-mpol_bind.patch @@ -0,0 +1,39 @@ +From 800416f799e0723635ac2d720ad4449917a1481c Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 27 Oct 2010 19:33:43 +0200 +Subject: numa: fix slab_node(MPOL_BIND) + +From: Eric Dumazet + +commit 800416f799e0723635ac2d720ad4449917a1481c upstream. + +When a node contains only HighMem memory, slab_node(MPOL_BIND) +dereferences a NULL pointer. + +[ This code seems to go back all the way to commit 19770b32609b: "mm: + filter based on a nodemask as well as a gfp_mask". Which was back in + April 2008, and it got merged into 2.6.26. - Linus ] + +Signed-off-by: Eric Dumazet +Cc: Mel Gorman +Cc: Christoph Lameter +Cc: Lee Schermerhorn +Cc: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/mempolicy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -1480,7 +1480,7 @@ unsigned slab_node(struct mempolicy *pol + (void)first_zones_zonelist(zonelist, highest_zoneidx, + &policy->v.nodes, + &zone); +- return zone->node; ++ return zone ? zone->node : numa_node_id(); + } + + default: diff --git a/queue-2.6.33/olpc_battery-fix-endian-neutral-breakage-for-s16-values.patch b/queue-2.6.33/olpc_battery-fix-endian-neutral-breakage-for-s16-values.patch new file mode 100644 index 00000000000..5413083a0c2 --- /dev/null +++ b/queue-2.6.33/olpc_battery-fix-endian-neutral-breakage-for-s16-values.patch @@ -0,0 +1,60 @@ +From 7cfbb29466633e6ecdc14f76a693c8478c2b22af Mon Sep 17 00:00:00 2001 +From: Richard A. Smith +Date: Sat, 25 Sep 2010 19:19:26 +0100 +Subject: olpc_battery: Fix endian neutral breakage for s16 values + +From: Richard A. Smith + +commit 7cfbb29466633e6ecdc14f76a693c8478c2b22af upstream. + +When the driver was updated to be endian neutral (8e9c7716c) +the signed part of the s16 values was lost. This is because be16_to_cpu() +returns an unsigned value. This patch casts the values back to a s16 +number prior to the the implicit cast up to an int. + +Signed-off-by: Richard A. Smith +Signed-off-by: Daniel Drake +Signed-off-by: Anton Vorontsov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/olpc_battery.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/power/olpc_battery.c ++++ b/drivers/power/olpc_battery.c +@@ -271,14 +271,14 @@ static int olpc_bat_get_property(struct + if (ret) + return ret; + +- val->intval = (int)be16_to_cpu(ec_word) * 9760L / 32; ++ val->intval = (s16)be16_to_cpu(ec_word) * 9760L / 32; + break; + case POWER_SUPPLY_PROP_CURRENT_AVG: + ret = olpc_ec_cmd(EC_BAT_CURRENT, NULL, 0, (void *)&ec_word, 2); + if (ret) + return ret; + +- val->intval = (int)be16_to_cpu(ec_word) * 15625L / 120; ++ val->intval = (s16)be16_to_cpu(ec_word) * 15625L / 120; + break; + case POWER_SUPPLY_PROP_CAPACITY: + ret = olpc_ec_cmd(EC_BAT_SOC, NULL, 0, &ec_byte, 1); +@@ -299,7 +299,7 @@ static int olpc_bat_get_property(struct + if (ret) + return ret; + +- val->intval = (int)be16_to_cpu(ec_word) * 100 / 256; ++ val->intval = (s16)be16_to_cpu(ec_word) * 100 / 256; + break; + case POWER_SUPPLY_PROP_TEMP_AMBIENT: + ret = olpc_ec_cmd(EC_AMB_TEMP, NULL, 0, (void *)&ec_word, 2); +@@ -313,7 +313,7 @@ static int olpc_bat_get_property(struct + if (ret) + return ret; + +- val->intval = (int)be16_to_cpu(ec_word) * 6250 / 15; ++ val->intval = (s16)be16_to_cpu(ec_word) * 6250 / 15; + break; + case POWER_SUPPLY_PROP_SERIAL_NUMBER: + ret = olpc_ec_cmd(EC_BAT_SERIAL, NULL, 0, (void *)&ser_buf, 8); diff --git a/queue-2.6.33/percpu-fix-list_head-init-bug-in-__percpu_counter_init.patch b/queue-2.6.33/percpu-fix-list_head-init-bug-in-__percpu_counter_init.patch new file mode 100644 index 00000000000..3b60a9a5cca --- /dev/null +++ b/queue-2.6.33/percpu-fix-list_head-init-bug-in-__percpu_counter_init.patch @@ -0,0 +1,58 @@ +From 8474b591faf3bb0a1e08a60d21d6baac498f15e4 Mon Sep 17 00:00:00 2001 +From: Masanori ITOH +Date: Tue, 26 Oct 2010 14:21:20 -0700 +Subject: percpu: fix list_head init bug in __percpu_counter_init() + +From: Masanori ITOH + +commit 8474b591faf3bb0a1e08a60d21d6baac498f15e4 upstream. + +WARNING: at lib/list_debug.c:26 __list_add+0x3f/0x81() +Hardware name: Express5800/B120a [N8400-085] +list_add corruption. next->prev should be prev (ffffffff81a7ea00), but was dead000000200200. (next=ffff88080b872d58). +Modules linked in: aoe ipt_MASQUERADE iptable_nat nf_nat autofs4 sunrpc bridge 8021q garp stp llc ipv6 cpufreq_ondemand acpi_cpufreq freq_table dm_round_robin dm_multipath kvm_intel kvm uinput lpfc scsi_transport_fc igb ioatdma scsi_tgt i2c_i801 i2c_core dca iTCO_wdt iTCO_vendor_support pcspkr shpchp megaraid_sas [last unloaded: aoe] +Pid: 54, comm: events/3 Tainted: G W 2.6.34-vanilla1 #1 +Call Trace: +[] warn_slowpath_common+0x7c/0x94 +[] warn_slowpath_fmt+0x41/0x43 +[] __list_add+0x3f/0x81 +[] __percpu_counter_init+0x59/0x6b +[] bdi_init+0x118/0x17e +[] blk_alloc_queue_node+0x79/0x143 +[] blk_alloc_queue+0x11/0x13 +[] aoeblk_gdalloc+0x8e/0x1c9 [aoe] +[] aoecmd_sleepwork+0x25/0xa8 [aoe] +[] worker_thread+0x1a9/0x237 +[] ? aoecmd_sleepwork+0x0/0xa8 [aoe] +[] ? autoremove_wake_function+0x0/0x39 +[] ? worker_thread+0x0/0x237 +[] kthread+0x7f/0x87 +[] kernel_thread_helper+0x4/0x10 +[] ? kthread+0x0/0x87 +[] ? kernel_thread_helper+0x0/0x10 + +It's because there is no initialization code for a list_head contained in +the struct backing_dev_info under CONFIG_HOTPLUG_CPU, and the bug comes up +when block device drivers calling blk_alloc_queue() are used. In case of +me, I got them by using aoe. + +Signed-off-by: Masanori Itoh +Cc: Tejun Heo +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/percpu_counter.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/lib/percpu_counter.c ++++ b/lib/percpu_counter.c +@@ -76,6 +76,7 @@ int __percpu_counter_init(struct percpu_ + if (!fbc->counters) + return -ENOMEM; + #ifdef CONFIG_HOTPLUG_CPU ++ INIT_LIST_HEAD(&fbc->list); + mutex_lock(&percpu_counters_lock); + list_add(&fbc->list, &percpu_counters); + mutex_unlock(&percpu_counters_lock); diff --git a/queue-2.6.33/series b/queue-2.6.33/series index 2b8395e9445..fe0a173af76 100644 --- a/queue-2.6.33/series +++ b/queue-2.6.33/series @@ -106,3 +106,26 @@ reiserfs-don-t-acquire-lock-recursively-in-reiserfs_acl_chmod.patch staging-asus_oled-fix-up-some-sysfs-attribute-permissions.patch staging-asus_oled-fix-up-my-fixup-for-some-sysfs-attribute-permissions.patch staging-line6-fix-up-some-sysfs-attribute-permissions.patch +hpet-fix-unwanted-interrupt-due-to-stale-irq-status-bit.patch +hpet-unmap-unused-i-o-space.patch +olpc_battery-fix-endian-neutral-breakage-for-s16-values.patch +percpu-fix-list_head-init-bug-in-__percpu_counter_init.patch +um-remove-page_size-alignment-in-linker-script-causing-kernel-segfault.patch +um-fix-global-timer-issue-when-using-config_no_hz.patch +numa-fix-slab_node-mpol_bind.patch +hwmon-lm85-fix-adt7468-frequency-table.patch +mm-fix-return-value-of-scan_lru_pages-in-memory-unplug.patch +mm-fix-is_mem_section_removable-page_order-bug_on-check.patch +ssb-b43-pci-bridge-add-new-vendor-for-bcm4318.patch +sgi-xpc-xpc-fails-to-discover-partitions-with-all-nasids-above-128.patch +xen-ensure-that-all-event-channels-start-off-bound-to-vcpu-0.patch +xen-don-t-bother-to-stop-other-cpus-on-shutdown-reboot.patch +ipc-initialize-structure-memory-to-zero-for-compat-functions.patch +ipc-shm-fix-information-leak-to-userland.patch +sys_semctl-fix-kernel-stack-leakage.patch +net-netif_f_hw_csum-does-not-imply-fcoe-crc-offload.patch +drivers-char-vt_ioctl.c-fix-vt_openqry-error-value.patch +viafb-use-proper-register-for-colour-when-doing-fill-ops.patch +ecryptfs-clear-lookup_open-flag-when-creating-lower-file.patch +md-raid1-really-fix-recovery-looping-when-single-good-device-fails.patch +md-fix-return-value-of-rdev_size_change.patch diff --git a/queue-2.6.33/sgi-xpc-xpc-fails-to-discover-partitions-with-all-nasids-above-128.patch b/queue-2.6.33/sgi-xpc-xpc-fails-to-discover-partitions-with-all-nasids-above-128.patch new file mode 100644 index 00000000000..ce776d77d53 --- /dev/null +++ b/queue-2.6.33/sgi-xpc-xpc-fails-to-discover-partitions-with-all-nasids-above-128.patch @@ -0,0 +1,63 @@ +From c22c7aeff69796f46ae0fcec141538e28f50b24e Mon Sep 17 00:00:00 2001 +From: Robin@sgi.com +Date: Wed, 24 Nov 2010 12:56:59 -0800 +Subject: sgi-xpc: XPC fails to discover partitions with all nasids above 128 + +From: Robin@sgi.com + +commit c22c7aeff69796f46ae0fcec141538e28f50b24e upstream. + +UV hardware defines 256 memory protection regions versus the baseline 64 +with increasing size for the SN2 ia64. This was overlooked when XPC was +modified to accomodate both UV and SN2. + +Without this patch, a user could reconfigure their existing system and +suddenly disable cross-partition communications with no indication of what +has gone wrong. It also prevents larger configurations from using +cross-partition communication. + +Signed-off-by: Robin Holt +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/sgi-xp/xpc_partition.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +--- a/drivers/misc/sgi-xp/xpc_partition.c ++++ b/drivers/misc/sgi-xp/xpc_partition.c +@@ -438,18 +438,23 @@ xpc_discovery(void) + * nodes that can comprise an access protection grouping. The access + * protection is in regards to memory, IOI and IPI. + */ +- max_regions = 64; + region_size = xp_region_size; + +- switch (region_size) { +- case 128: +- max_regions *= 2; +- case 64: +- max_regions *= 2; +- case 32: +- max_regions *= 2; +- region_size = 16; +- DBUG_ON(!is_shub2()); ++ if (is_uv()) ++ max_regions = 256; ++ else { ++ max_regions = 64; ++ ++ switch (region_size) { ++ case 128: ++ max_regions *= 2; ++ case 64: ++ max_regions *= 2; ++ case 32: ++ max_regions *= 2; ++ region_size = 16; ++ DBUG_ON(!is_shub2()); ++ } + } + + for (region = 0; region < max_regions; region++) { diff --git a/queue-2.6.33/ssb-b43-pci-bridge-add-new-vendor-for-bcm4318.patch b/queue-2.6.33/ssb-b43-pci-bridge-add-new-vendor-for-bcm4318.patch new file mode 100644 index 00000000000..23a79de7709 --- /dev/null +++ b/queue-2.6.33/ssb-b43-pci-bridge-add-new-vendor-for-bcm4318.patch @@ -0,0 +1,41 @@ +From 1d8638d4038eb8709edc80e37a0bbb77253d86e9 Mon Sep 17 00:00:00 2001 +From: Daniel Klaffenbach +Date: Fri, 19 Nov 2010 21:25:21 -0600 +Subject: ssb: b43-pci-bridge: Add new vendor for BCM4318 + +From: Daniel Klaffenbach + +commit 1d8638d4038eb8709edc80e37a0bbb77253d86e9 upstream. + +Add new vendor for Broadcom 4318. + +Signed-off-by: Daniel Klaffenbach +Signed-off-by: Larry Finger +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ssb/b43_pci_bridge.c | 1 + + include/linux/pci_ids.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/ssb/b43_pci_bridge.c ++++ b/drivers/ssb/b43_pci_bridge.c +@@ -24,6 +24,7 @@ static const struct pci_device_id b43_pc + { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4312) }, + { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4315) }, + { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4318) }, ++ { PCI_DEVICE(PCI_VENDOR_ID_BCM_GVC, 0x4318) }, + { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4319) }, + { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4320) }, + { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4321) }, +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -2039,6 +2039,7 @@ + #define PCI_DEVICE_ID_AFAVLAB_P030 0x2182 + #define PCI_SUBDEVICE_ID_AFAVLAB_P061 0x2150 + ++#define PCI_VENDOR_ID_BCM_GVC 0x14a4 + #define PCI_VENDOR_ID_BROADCOM 0x14e4 + #define PCI_DEVICE_ID_TIGON3_5752 0x1600 + #define PCI_DEVICE_ID_TIGON3_5752M 0x1601 diff --git a/queue-2.6.33/sys_semctl-fix-kernel-stack-leakage.patch b/queue-2.6.33/sys_semctl-fix-kernel-stack-leakage.patch new file mode 100644 index 00000000000..bdb113d21e4 --- /dev/null +++ b/queue-2.6.33/sys_semctl-fix-kernel-stack-leakage.patch @@ -0,0 +1,45 @@ +From 982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56 Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg +Date: Thu, 30 Sep 2010 15:15:31 -0700 +Subject: sys_semctl: fix kernel stack leakage + +From: Dan Rosenberg + +commit 982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56 upstream. + +The semctl syscall has several code paths that lead to the leakage of +uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO, +IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete +version of the semid_ds struct. + +The copy_semid_to_user() function declares a semid_ds struct on the stack +and copies it back to the user without initializing or zeroing the +"sem_base", "sem_pending", "sem_pending_last", and "undo" pointers, +allowing the leakage of 16 bytes of kernel stack memory. + +The code is still reachable on 32-bit systems - when calling semctl() +newer glibc's automatically OR the IPC command with the IPC_64 flag, but +invoking the syscall directly allows users to use the older versions of +the struct. + +Signed-off-by: Dan Rosenberg +Cc: Manfred Spraul +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/sem.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/ipc/sem.c ++++ b/ipc/sem.c +@@ -608,6 +608,8 @@ static unsigned long copy_semid_to_user( + { + struct semid_ds out; + ++ memset(&out, 0, sizeof(out)); ++ + ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm); + + out.sem_otime = in->sem_otime; diff --git a/queue-2.6.33/um-fix-global-timer-issue-when-using-config_no_hz.patch b/queue-2.6.33/um-fix-global-timer-issue-when-using-config_no_hz.patch new file mode 100644 index 00000000000..d27db6b3c15 --- /dev/null +++ b/queue-2.6.33/um-fix-global-timer-issue-when-using-config_no_hz.patch @@ -0,0 +1,37 @@ +From 482db6df1746c4fa7d64a2441d4cb2610249c679 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Tue, 26 Oct 2010 14:21:13 -0700 +Subject: um: fix global timer issue when using CONFIG_NO_HZ + +From: Richard Weinberger + +commit 482db6df1746c4fa7d64a2441d4cb2610249c679 upstream. + +This fixes a issue which was introduced by fe2cc53e ("uml: track and make +up lost ticks"). + +timeval_to_ns() returns long long and not int. Due to that UML's timer +did not work properlt and caused timer freezes. + +Signed-off-by: Richard Weinberger +Acked-by: Pekka Enberg +Cc: Jeff Dike +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/os-Linux/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/um/os-Linux/time.c ++++ b/arch/um/os-Linux/time.c +@@ -60,7 +60,7 @@ static inline long long timeval_to_ns(co + long long disable_timer(void) + { + struct itimerval time = ((struct itimerval) { { 0, 0 }, { 0, 0 } }); +- int remain, max = UM_NSEC_PER_SEC / UM_HZ; ++ long long remain, max = UM_NSEC_PER_SEC / UM_HZ; + + if (setitimer(ITIMER_VIRTUAL, &time, &time) < 0) + printk(UM_KERN_ERR "disable_timer - setitimer failed, " diff --git a/queue-2.6.33/um-remove-page_size-alignment-in-linker-script-causing-kernel-segfault.patch b/queue-2.6.33/um-remove-page_size-alignment-in-linker-script-causing-kernel-segfault.patch new file mode 100644 index 00000000000..c4473f18d85 --- /dev/null +++ b/queue-2.6.33/um-remove-page_size-alignment-in-linker-script-causing-kernel-segfault.patch @@ -0,0 +1,49 @@ +From 6915e04f8847bea16d0890f559694ad8eedd026c Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Tue, 26 Oct 2010 14:21:16 -0700 +Subject: um: remove PAGE_SIZE alignment in linker script causing kernel segfault. + +From: Richard Weinberger + +commit 6915e04f8847bea16d0890f559694ad8eedd026c upstream. + +The linker script cleanup that I did in commit 5d150a97f93 ("um: Clean up +linker script using standard macros.") (2.6.32) accidentally introduced an +ALIGN(PAGE_SIZE) when converting to use INIT_TEXT_SECTION; Richard +Weinberger reported that this causes the kernel to segfault with +CONFIG_STATIC_LINK=y. + +I'm not certain why this extra alignment is a problem, but it seems likely +it is because previously + +__init_begin = _stext = _text = _sinittext + +and with the extra ALIGN(PAGE_SIZE), _sinittext becomes different from the +rest. So there is likely a bug here where something is assuming that +_sinittext is the same as one of those other symbols. But reverting the +accidental change fixes the regression, so it seems worth committing that +now. + +Signed-off-by: Tim Abbott +Reported-by: Richard Weinberger +Cc: Jeff Dike +Tested by: Antoine Martin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/kernel/uml.lds.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/um/kernel/uml.lds.S ++++ b/arch/um/kernel/uml.lds.S +@@ -22,7 +22,7 @@ SECTIONS + _text = .; + _stext = .; + __init_begin = .; +- INIT_TEXT_SECTION(PAGE_SIZE) ++ INIT_TEXT_SECTION(0) + . = ALIGN(PAGE_SIZE); + + .text : diff --git a/queue-2.6.33/viafb-use-proper-register-for-colour-when-doing-fill-ops.patch b/queue-2.6.33/viafb-use-proper-register-for-colour-when-doing-fill-ops.patch new file mode 100644 index 00000000000..aeda7c4e1a7 --- /dev/null +++ b/queue-2.6.33/viafb-use-proper-register-for-colour-when-doing-fill-ops.patch @@ -0,0 +1,46 @@ +From efd4f6398dc92b5bf392670df862f42a19f34cf2 Mon Sep 17 00:00:00 2001 +From: Florian Tobias Schandinat +Date: Wed, 22 Sep 2010 02:33:52 +0000 +Subject: viafb: use proper register for colour when doing fill ops + +From: Florian Tobias Schandinat + +commit efd4f6398dc92b5bf392670df862f42a19f34cf2 upstream. + +The colour was written to a wrong register for fillrect operations. +This sometimes caused empty console space (for example after 'clear') +to have a different colour than desired. Fix this by writing to the +correct register. +Many thanks to Daniel Drake and Jon Nettleton for pointing out this +issue and pointing me in the right direction for the fix. + +Fixes http://dev.laptop.org/ticket/9323 + +Signed-off-by: Florian Tobias Schandinat +Cc: Joseph Chan +Cc: Daniel Drake +Cc: Jon Nettleton +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/via/accel.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/video/via/accel.c ++++ b/drivers/video/via/accel.c +@@ -277,11 +277,12 @@ static int hw_bitblt_2(void __iomem *eng + writel(tmp, engine + 0x1C); + } + +- if (op != VIA_BITBLT_COLOR) ++ if (op == VIA_BITBLT_FILL) { ++ writel(fg_color, engine + 0x58); ++ } else if (op == VIA_BITBLT_MONO) { + writel(fg_color, engine + 0x4C); +- +- if (op == VIA_BITBLT_MONO) + writel(bg_color, engine + 0x50); ++ } + + if (op == VIA_BITBLT_FILL) + ge_cmd |= fill_rop << 24 | 0x00002000 | 0x00000001; diff --git a/queue-2.6.33/xen-don-t-bother-to-stop-other-cpus-on-shutdown-reboot.patch b/queue-2.6.33/xen-don-t-bother-to-stop-other-cpus-on-shutdown-reboot.patch new file mode 100644 index 00000000000..c9666f758a7 --- /dev/null +++ b/queue-2.6.33/xen-don-t-bother-to-stop-other-cpus-on-shutdown-reboot.patch @@ -0,0 +1,41 @@ +From 31e323cca9d5c8afd372976c35a5d46192f540d1 Mon Sep 17 00:00:00 2001 +From: Jeremy Fitzhardinge +Date: Mon, 29 Nov 2010 14:16:53 -0800 +Subject: xen: don't bother to stop other cpus on shutdown/reboot + +From: Jeremy Fitzhardinge + +commit 31e323cca9d5c8afd372976c35a5d46192f540d1 upstream. + +Xen will shoot all the VCPUs when we do a shutdown hypercall, so there's +no need to do it manually. + +In any case it will fail because all the IPI irqs have been pulled +down by this point, so the cross-CPU calls will simply hang forever. + +Until change 76fac077db6b34e2c6383a7b4f3f4f7b7d06d8ce the function calls +were not synchronously waited for, so this wasn't apparent. However after +that change the calls became synchronous leading to a hang on shutdown +on multi-VCPU guests. + +Signed-off-by: Jeremy Fitzhardinge +Cc: Alok Kataria +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/xen/enlighten.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -999,10 +999,6 @@ static void xen_reboot(int reason) + { + struct sched_shutdown r = { .reason = reason }; + +-#ifdef CONFIG_SMP +- stop_other_cpus(); +-#endif +- + if (HYPERVISOR_sched_op(SCHEDOP_shutdown, &r)) + BUG(); + } diff --git a/queue-2.6.33/xen-ensure-that-all-event-channels-start-off-bound-to-vcpu-0.patch b/queue-2.6.33/xen-ensure-that-all-event-channels-start-off-bound-to-vcpu-0.patch new file mode 100644 index 00000000000..35b7751123c --- /dev/null +++ b/queue-2.6.33/xen-ensure-that-all-event-channels-start-off-bound-to-vcpu-0.patch @@ -0,0 +1,40 @@ +From b0097adeec27e30223c989561ab0f7aa60d1fe93 Mon Sep 17 00:00:00 2001 +From: Ian Campbell +Date: Fri, 8 Oct 2010 16:59:12 +0100 +Subject: xen: ensure that all event channels start off bound to VCPU 0 + +From: Ian Campbell + +commit b0097adeec27e30223c989561ab0f7aa60d1fe93 upstream. + +All event channels startbound to VCPU 0 so ensure that cpu_evtchn_mask +is initialised to reflect this. Otherwise there is a race after registering an +event channel but before the affinity is explicitly set where the event channel +can be delivered. If this happens then the event channel remains pending in the +L1 (evtchn_pending) array but is cleared in L2 (evtchn_pending_sel), this means +the event channel cannot be reraised until another event channel happens to +trigger the same L2 entry on that VCPU. + +sizeof(cpu_evtchn_mask(0))==sizeof(unsigned long*) which is not correct, and +causes only the first 32 or 64 event channels (depending on architecture) to be +initially bound to VCPU0. Use sizeof(struct cpu_evtchn_s) instead. + +Signed-off-by: Ian Campbell +Cc: Jeremy Fitzhardinge +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/events.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/xen/events.c ++++ b/drivers/xen/events.c +@@ -254,7 +254,7 @@ static void init_evtchn_cpu_bindings(voi + } + #endif + +- memset(cpu_evtchn_mask(0), ~0, sizeof(cpu_evtchn_mask(0))); ++ memset(cpu_evtchn_mask(0), ~0, sizeof(struct cpu_evtchn_s)); + } + + static inline void clear_evtchn(int port)