From: Greg Kroah-Hartman Date: Tue, 31 Jul 2007 04:50:00 +0000 (-0700) Subject: start 2.6.21.7 review cycle X-Git-Tag: v2.6.21.7~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f06f16ec72703c4e1880220bd6ba2933703af50e;p=thirdparty%2Fkernel%2Fstable-queue.git start 2.6.21.7 review cycle --- diff --git a/queue-2.6.21/audit-fix-oops-removing-watch-if-audit-disabled.patch b/review-2.6.21/audit-fix-oops-removing-watch-if-audit-disabled.patch similarity index 100% rename from queue-2.6.21/audit-fix-oops-removing-watch-if-audit-disabled.patch rename to review-2.6.21/audit-fix-oops-removing-watch-if-audit-disabled.patch diff --git a/queue-2.6.21/bnx2-fix-netdev-watchdog-on-5708.patch b/review-2.6.21/bnx2-fix-netdev-watchdog-on-5708.patch similarity index 100% rename from queue-2.6.21/bnx2-fix-netdev-watchdog-on-5708.patch rename to review-2.6.21/bnx2-fix-netdev-watchdog-on-5708.patch diff --git a/queue-2.6.21/dm-crypt-disable-barriers.patch b/review-2.6.21/dm-crypt-disable-barriers.patch similarity index 100% rename from queue-2.6.21/dm-crypt-disable-barriers.patch rename to review-2.6.21/dm-crypt-disable-barriers.patch diff --git a/queue-2.6.21/dm-crypt-fix-avoid-cloned-bio-ref-after-free.patch b/review-2.6.21/dm-crypt-fix-avoid-cloned-bio-ref-after-free.patch similarity index 100% rename from queue-2.6.21/dm-crypt-fix-avoid-cloned-bio-ref-after-free.patch rename to review-2.6.21/dm-crypt-fix-avoid-cloned-bio-ref-after-free.patch diff --git a/queue-2.6.21/dm-crypt-fix-call-to-clone_init.patch b/review-2.6.21/dm-crypt-fix-call-to-clone_init.patch similarity index 100% rename from queue-2.6.21/dm-crypt-fix-call-to-clone_init.patch rename to review-2.6.21/dm-crypt-fix-call-to-clone_init.patch diff --git a/queue-2.6.21/dm-crypt-fix-remove-first_clone.patch b/review-2.6.21/dm-crypt-fix-remove-first_clone.patch similarity index 100% rename from queue-2.6.21/dm-crypt-fix-remove-first_clone.patch rename to review-2.6.21/dm-crypt-fix-remove-first_clone.patch diff --git a/queue-2.6.21/fix-show_mem-x86_64-sparsemem.patch b/review-2.6.21/fix-show_mem-x86_64-sparsemem.patch similarity index 100% rename from queue-2.6.21/fix-show_mem-x86_64-sparsemem.patch rename to review-2.6.21/fix-show_mem-x86_64-sparsemem.patch diff --git a/queue-2.6.21/futex-restore-the-dropped-ersch-fix.patch b/review-2.6.21/futex-restore-the-dropped-ersch-fix.patch similarity index 100% rename from queue-2.6.21/futex-restore-the-dropped-ersch-fix.patch rename to review-2.6.21/futex-restore-the-dropped-ersch-fix.patch diff --git a/queue-2.6.21/hpt366-disallow-ultra133-for-hpt374.patch b/review-2.6.21/hpt366-disallow-ultra133-for-hpt374.patch similarity index 100% rename from queue-2.6.21/hpt366-disallow-ultra133-for-hpt374.patch rename to review-2.6.21/hpt366-disallow-ultra133-for-hpt374.patch diff --git a/queue-2.6.21/hugetlb-fix-get_policy-for-stacked-shared-memory-files.patch b/review-2.6.21/hugetlb-fix-get_policy-for-stacked-shared-memory-files.patch similarity index 100% rename from queue-2.6.21/hugetlb-fix-get_policy-for-stacked-shared-memory-files.patch rename to review-2.6.21/hugetlb-fix-get_policy-for-stacked-shared-memory-files.patch diff --git a/queue-2.6.21/i386-fix-infinite-loop-with-singlestep-int80-syscalls.patch b/review-2.6.21/i386-fix-infinite-loop-with-singlestep-int80-syscalls.patch similarity index 100% rename from queue-2.6.21/i386-fix-infinite-loop-with-singlestep-int80-syscalls.patch rename to review-2.6.21/i386-fix-infinite-loop-with-singlestep-int80-syscalls.patch diff --git a/review-2.6.21/mbox b/review-2.6.21/mbox new file mode 100644 index 00000000000..448efa84ebe --- /dev/null +++ b/review-2.6.21/mbox @@ -0,0 +1,2863 @@ +From greg@blue.kroah.org Mon Jul 30 21:26:14 2007 +Message-Id: <20070731042614.312386804@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:09 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Michael Chan , + "David S. Miller" , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 01/26] BNX2: Fix netdev watchdog on 5708. +Content-Disposition: inline; filename=bnx2-fix-netdev-watchdog-on-5708.patch +Content-Length: 2111 +Lines: 74 + + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +There's a bug in the driver that only initializes half of the context +memory on the 5708. Surprisingly, this works most of the time except +for some occasional netdev watchdogs when sending a lot of 64-byte +packets. This fix is to add the missing code to initialize the 2nd +half of the context memory. + +Update version to 1.5.8.2. + +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/bnx2.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +--- linux-2.6.21.6.orig/drivers/net/bnx2.c ++++ linux-2.6.21.6/drivers/net/bnx2.c +@@ -54,8 +54,8 @@ + + #define DRV_MODULE_NAME "bnx2" + #define PFX DRV_MODULE_NAME ": " +-#define DRV_MODULE_VERSION "1.5.8.1" +-#define DRV_MODULE_RELDATE "May 7, 2007" ++#define DRV_MODULE_VERSION "1.5.8.2" ++#define DRV_MODULE_RELDATE "June 5, 2007" + + #define RUN_AT(x) (jiffies + (x)) + +@@ -1550,6 +1550,7 @@ bnx2_init_context(struct bnx2 *bp) + vcid = 96; + while (vcid) { + u32 vcid_addr, pcid_addr, offset; ++ int i; + + vcid--; + +@@ -1570,16 +1571,20 @@ bnx2_init_context(struct bnx2 *bp) + pcid_addr = vcid_addr; + } + +- REG_WR(bp, BNX2_CTX_VIRT_ADDR, 0x00); +- REG_WR(bp, BNX2_CTX_PAGE_TBL, pcid_addr); ++ for (i = 0; i < (CTX_SIZE / PHY_CTX_SIZE); i++) { ++ vcid_addr += (i << PHY_CTX_SHIFT); ++ pcid_addr += (i << PHY_CTX_SHIFT); ++ ++ REG_WR(bp, BNX2_CTX_VIRT_ADDR, 0x00); ++ REG_WR(bp, BNX2_CTX_PAGE_TBL, pcid_addr); ++ ++ /* Zero out the context. */ ++ for (offset = 0; offset < PHY_CTX_SIZE; offset += 4) ++ CTX_WR(bp, 0x00, offset, 0); + +- /* Zero out the context. */ +- for (offset = 0; offset < PHY_CTX_SIZE; offset += 4) { +- CTX_WR(bp, 0x00, offset, 0); ++ REG_WR(bp, BNX2_CTX_VIRT_ADDR, vcid_addr); ++ REG_WR(bp, BNX2_CTX_PAGE_TBL, pcid_addr); + } +- +- REG_WR(bp, BNX2_CTX_VIRT_ADDR, vcid_addr); +- REG_WR(bp, BNX2_CTX_PAGE_TBL, pcid_addr); + } + } + + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:14 2007 +Message-Id: <20070731042614.512732272@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:10 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + andi@firstfloor.org, + johnstul@us.ibm.com, + Bernhard Walle , + Bob Picco , + acme@redhat.com, + Sripathi Kodi , + tglx@linutronix.de, + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 02/26] sparsemem: fix oops in x86_64 show_mem +Content-Disposition: inline; filename=fix-show_mem-x86_64-sparsemem.patch +Content-Length: 1397 +Lines: 39 + + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +We aren't sampling for holes in memory. Thus we encounter a section hole with +empty section map pointer for SPARSEMEM and OOPs for show_mem. This issue +has been seen in 2.6.21, current git and current mm. This patch is for +2.6.21 stable. It was tested against sparsemem. + +Previous to commit f0a5a58aa812b31fd9f197c4ba48245942364eae memory_present +was called for node_start_pfn to node_end_pfn. This would cover the hole(s) +with reserved pages and valid sections. Most SPARSEMEM supported arches +do a pfn_valid check in show_mem before computing the page structure address. + +This issue was brought to my attention on IRC by Arnaldo Carvalho de Melo at +acme@redhat.com. Thanks to Arnaldo for testing. + +Signed-off-by: Bob Picco +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + arch/x86_64/mm/init.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- linux-2.6.21.6.orig/arch/x86_64/mm/init.c ++++ linux-2.6.21.6/arch/x86_64/mm/init.c +@@ -72,6 +72,8 @@ void show_mem(void) + + for_each_online_pgdat(pgdat) { + for (i = 0; i < pgdat->node_spanned_pages; ++i) { ++ if (!pfn_valid(pgdat->node_start_pfn + i)) ++ continue; + page = pfn_to_page(pgdat->node_start_pfn + i); + total++; + if (PageReserved(page)) + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:14 2007 +Message-Id: <20070731042614.715274024@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:11 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + kuznet@ms2.inr.ac.ru, + mingo@elte.hu, + Thomas Gleixner , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 03/26] rt-mutex: Fix stale return value +Content-Disposition: inline; filename=rt-mutex-fix-stale-return-value.patch +Content-Length: 1365 +Lines: 49 + + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +Alexey Kuznetsov found some problems in the pi-futex code. + +The major problem is a stale return value in rt_mutex_slowlock(): + +When the pi chain walk returns -EDEADLK, but the waiter was woken up +during the phases where the locks were dropped, the rtmutex could be +acquired, but due to the stale return value -EDEADLK returned to the +caller. + +Reset the return value in the woken up path. + +Cc: Alexey Kuznetsov +Signed-off-by: Thomas Gleixner +Acked-by: Ingo Molnar +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/rtmutex.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- linux-2.6.21.6.orig/kernel/rtmutex.c ++++ linux-2.6.21.6/kernel/rtmutex.c +@@ -659,9 +659,16 @@ rt_mutex_slowlock(struct rt_mutex *lock, + * all over without going into schedule to try + * to get the lock now: + */ +- if (unlikely(!waiter.task)) ++ if (unlikely(!waiter.task)) { ++ /* ++ * Reset the return value. We might ++ * have returned with -EDEADLK and the ++ * owner released the lock while we ++ * were walking the pi chain. ++ */ ++ ret = 0; + continue; +- ++ } + if (unlikely(ret)) + break; + } + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:15 2007 +Message-Id: <20070731042614.915795222@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:12 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + kuznet@ms2.inr.ac.ru, + mingo@elte.hu, + Thomas Gleixner , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 04/26] rt-mutex: Fix chain walk early wakeup bug +Content-Disposition: inline; filename=rt-mutex-fix-chain-walk-early-wakeup-bug.patch +Content-Length: 1325 +Lines: 48 + + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +Alexey Kuznetsov found some problems in the pi-futex code. + +One of the root causes is: + +When a wakeup happens, we do not to stop the chain walk so we +we follow a non existing locking chain. + +Drop out when this happens. + +Cc: Alexey Kuznetsov +Signed-off-by: Thomas Gleixner +Acked-by: Ingo Molnar +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/rtmutex.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- linux-2.6.21.6.orig/kernel/rtmutex.c ++++ linux-2.6.21.6/kernel/rtmutex.c +@@ -212,6 +212,19 @@ static int rt_mutex_adjust_prio_chain(st + if (!waiter || !waiter->task) + goto out_unlock_pi; + ++ /* ++ * Check the orig_waiter state. After we dropped the locks, ++ * the previous owner of the lock might have released the lock ++ * and made us the pending owner: ++ */ ++ if (orig_waiter && !orig_waiter->task) ++ goto out_unlock_pi; ++ ++ /* ++ * Drop out, when the task has no waiters. Note, ++ * top_waiter can be NULL, when we are in the deboosting ++ * mode! ++ */ + if (top_waiter && (!task_has_pi_waiters(task) || + top_waiter != task_top_pi_waiter(task))) + goto out_unlock_pi; + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:15 2007 +Message-Id: <20070731042615.117044698@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:13 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + kuznet@ms2.inr.ac.ru, + mingo@elte.hu, + Thomas Gleixner , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 05/26] pi-futex: Fix exit races and locking problems +Content-Disposition: inline; filename=pi-futex-fix-exit-races-and-locking-problems.patch +Content-Length: 13463 +Lines: 445 + + + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Alexey Kuznetsov +1. New entries can be added to tsk->pi_state_list after task completed + exit_pi_state_list(). The result is memory leakage and deadlocks. + +2. handle_mm_fault() is called under spinlock. The result is obvious. + +3. results in self-inflicted deadlock inside glibc. + Sometimes futex_lock_pi returns -ESRCH, when it is not expected + and glibc enters to for(;;) sleep() to simulate deadlock. This problem + is quite obvious and I think the patch is right. Though it looks like + each "if" in futex_lock_pi() got some stupid special case "else if". :-) + +4. sometimes futex_lock_pi() returns -EDEADLK, + when nobody has the lock. The reason is also obvious (see comment + in the patch), but correct fix is far beyond my comprehension. + I guess someone already saw this, the chunk: + + if (rt_mutex_trylock(&q.pi_state->pi_mutex)) + ret = 0; + + is obviously from the same opera. But it does not work, because the + rtmutex is really taken at this point: wake_futex_pi() of previous + owner reassigned it to us. My fix works. But it looks very stupid. + I would think about removal of shift of ownership in wake_futex_pi() + and making all the work in context of process taking lock. + +From: Thomas Gleixner + +Fix 1) Avoid the tasklist lock variant of the exit race fix by adding + an additional state transition to the exit code. + + This fixes also the issue, when a task with recursive segfaults + is not able to release the futexes. + +Fix 2) Cleanup the lookup_pi_state() failure path and solve the -ESRCH + problem finally. + +Fix 3) Solve the fixup_pi_state_owner() problem which needs to do the fixup + in the lock protected section by using the in_atomic userspace access + functions. + + This removes also the ugly lock drop / unqueue inside of fixup_pi_state() + +Fix 4) Fix a stale lock in the error path of futex_wake_pi() + +Added some error checks for verification. + +The -EDEADLK problem is solved by the rtmutex fixups. + +Cc: Alexey Kuznetsov +Signed-off-by: Thomas Gleixner +Acked-by: Ingo Molnar +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/sched.h | 1 + kernel/exit.c | 22 +++++ + kernel/futex.c | 191 +++++++++++++++++++++++++++++++++----------------- + 3 files changed, 150 insertions(+), 64 deletions(-) + +--- linux-2.6.21.6.orig/kernel/futex.c ++++ linux-2.6.21.6/kernel/futex.c +@@ -396,10 +396,6 @@ static struct task_struct * futex_find_g + p = NULL; + goto out_unlock; + } +- if (p->exit_state != 0) { +- p = NULL; +- goto out_unlock; +- } + get_task_struct(p); + out_unlock: + rcu_read_unlock(); +@@ -467,7 +463,7 @@ lookup_pi_state(u32 uval, struct futex_h + struct futex_q *this, *next; + struct list_head *head; + struct task_struct *p; +- pid_t pid; ++ pid_t pid = uval & FUTEX_TID_MASK; + + head = &hb->chain; + +@@ -485,6 +481,8 @@ lookup_pi_state(u32 uval, struct futex_h + return -EINVAL; + + WARN_ON(!atomic_read(&pi_state->refcount)); ++ WARN_ON(pid && pi_state->owner && ++ pi_state->owner->pid != pid); + + atomic_inc(&pi_state->refcount); + me->pi_state = pi_state; +@@ -495,15 +493,33 @@ lookup_pi_state(u32 uval, struct futex_h + + /* + * We are the first waiter - try to look up the real owner and attach +- * the new pi_state to it, but bail out when the owner died bit is set +- * and TID = 0: ++ * the new pi_state to it, but bail out when TID = 0 + */ +- pid = uval & FUTEX_TID_MASK; +- if (!pid && (uval & FUTEX_OWNER_DIED)) ++ if (!pid) + return -ESRCH; + p = futex_find_get_task(pid); +- if (!p) +- return -ESRCH; ++ if (IS_ERR(p)) ++ return PTR_ERR(p); ++ ++ /* ++ * We need to look at the task state flags to figure out, ++ * whether the task is exiting. To protect against the do_exit ++ * change of the task flags, we do this protected by ++ * p->pi_lock: ++ */ ++ spin_lock_irq(&p->pi_lock); ++ if (unlikely(p->flags & PF_EXITING)) { ++ /* ++ * The task is on the way out. When PF_EXITPIDONE is ++ * set, we know that the task has finished the ++ * cleanup: ++ */ ++ int ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN; ++ ++ spin_unlock_irq(&p->pi_lock); ++ put_task_struct(p); ++ return ret; ++ } + + pi_state = alloc_pi_state(); + +@@ -516,7 +532,6 @@ lookup_pi_state(u32 uval, struct futex_h + /* Store the key for possible exit cleanups: */ + pi_state->key = me->key; + +- spin_lock_irq(&p->pi_lock); + WARN_ON(!list_empty(&pi_state->list)); + list_add(&pi_state->list, &p->pi_state_list); + pi_state->owner = p; +@@ -583,15 +598,22 @@ static int wake_futex_pi(u32 __user *uad + * preserve the owner died bit.) + */ + if (!(uval & FUTEX_OWNER_DIED)) { ++ int ret = 0; ++ + newval = FUTEX_WAITERS | new_owner->pid; + + pagefault_disable(); + curval = futex_atomic_cmpxchg_inatomic(uaddr, uval, newval); + pagefault_enable(); ++ + if (curval == -EFAULT) +- return -EFAULT; ++ ret = -EFAULT; + if (curval != uval) +- return -EINVAL; ++ ret = -EINVAL; ++ if (ret) { ++ spin_unlock(&pi_state->pi_mutex.wait_lock); ++ return ret; ++ } + } + + spin_lock_irq(&pi_state->owner->pi_lock); +@@ -1149,6 +1171,7 @@ static int futex_lock_pi(u32 __user *uad + if (unlikely(ret != 0)) + goto out_release_sem; + ++ retry_unlocked: + hb = queue_lock(&q, -1, NULL); + + retry_locked: +@@ -1200,34 +1223,58 @@ static int futex_lock_pi(u32 __user *uad + ret = lookup_pi_state(uval, hb, &q); + + if (unlikely(ret)) { +- /* +- * There were no waiters and the owner task lookup +- * failed. When the OWNER_DIED bit is set, then we +- * know that this is a robust futex and we actually +- * take the lock. This is safe as we are protected by +- * the hash bucket lock. We also set the waiters bit +- * unconditionally here, to simplify glibc handling of +- * multiple tasks racing to acquire the lock and +- * cleanup the problems which were left by the dead +- * owner. +- */ +- if (curval & FUTEX_OWNER_DIED) { +- uval = newval; +- newval = current->pid | +- FUTEX_OWNER_DIED | FUTEX_WAITERS; ++ switch (ret) { + +- pagefault_disable(); +- curval = futex_atomic_cmpxchg_inatomic(uaddr, +- uval, newval); +- pagefault_enable(); ++ case -EAGAIN: ++ /* ++ * Task is exiting and we just wait for the ++ * exit to complete. ++ */ ++ queue_unlock(&q, hb); ++ up_read(&curr->mm->mmap_sem); ++ cond_resched(); ++ goto retry; + +- if (unlikely(curval == -EFAULT)) ++ case -ESRCH: ++ /* ++ * No owner found for this futex. Check if the ++ * OWNER_DIED bit is set to figure out whether ++ * this is a robust futex or not. ++ */ ++ if (get_futex_value_locked(&curval, uaddr)) + goto uaddr_faulted; +- if (unlikely(curval != uval)) +- goto retry_locked; +- ret = 0; ++ ++ /* ++ * There were no waiters and the owner task lookup ++ * failed. When the OWNER_DIED bit is set, then we ++ * know that this is a robust futex and we actually ++ * take the lock. This is safe as we are protected by ++ * the hash bucket lock. We also set the waiters bit ++ * unconditionally here, to simplify glibc handling of ++ * multiple tasks racing to acquire the lock and ++ * cleanup the problems which were left by the dead ++ * owner. ++ */ ++ if (curval & FUTEX_OWNER_DIED) { ++ uval = newval; ++ newval = current->pid | ++ FUTEX_OWNER_DIED | FUTEX_WAITERS; ++ ++ pagefault_disable(); ++ curval = futex_atomic_cmpxchg_inatomic(uaddr, ++ uval, ++ newval); ++ pagefault_enable(); ++ ++ if (unlikely(curval == -EFAULT)) ++ goto uaddr_faulted; ++ if (unlikely(curval != uval)) ++ goto retry_locked; ++ ret = 0; ++ } ++ default: ++ goto out_unlock_release_sem; + } +- goto out_unlock_release_sem; + } + + /* +@@ -1279,39 +1326,52 @@ static int futex_lock_pi(u32 __user *uad + list_add(&q.pi_state->list, ¤t->pi_state_list); + spin_unlock_irq(¤t->pi_lock); + +- /* Unqueue and drop the lock */ +- unqueue_me_pi(&q, hb); +- up_read(&curr->mm->mmap_sem); + /* + * We own it, so we have to replace the pending owner +- * TID. This must be atomic as we have preserve the ++ * TID. This must be atomic as we have to preserve the + * owner died bit here. + */ +- ret = get_user(uval, uaddr); ++ ret = get_futex_value_locked(&uval, uaddr); + while (!ret) { + newval = (uval & FUTEX_OWNER_DIED) | newtid; ++ ++ pagefault_disable(); + curval = futex_atomic_cmpxchg_inatomic(uaddr, + uval, newval); ++ pagefault_enable(); ++ + if (curval == -EFAULT) + ret = -EFAULT; + if (curval == uval) + break; + uval = curval; + } +- } else { ++ } else if (ret) { + /* + * Catch the rare case, where the lock was released + * when we were on the way back before we locked + * the hash bucket. + */ +- if (ret && q.pi_state->owner == curr) { +- if (rt_mutex_trylock(&q.pi_state->pi_mutex)) +- ret = 0; ++ if (q.pi_state->owner == curr && ++ rt_mutex_trylock(&q.pi_state->pi_mutex)) { ++ ret = 0; ++ } else { ++ /* ++ * Paranoia check. If we did not take the lock ++ * in the trylock above, then we should not be ++ * the owner of the rtmutex, neither the real ++ * nor the pending one: ++ */ ++ if (rt_mutex_owner(&q.pi_state->pi_mutex) == curr) ++ printk(KERN_ERR "futex_lock_pi: ret = %d " ++ "pi-mutex: %p pi-state %p\n", ret, ++ q.pi_state->pi_mutex.owner, ++ q.pi_state->owner); + } +- /* Unqueue and drop the lock */ +- unqueue_me_pi(&q, hb); +- up_read(&curr->mm->mmap_sem); + } ++ /* Unqueue and drop the lock */ ++ unqueue_me_pi(&q, hb); ++ up_read(&curr->mm->mmap_sem); + + if (!detect && ret == -EDEADLK && 0) + force_sig(SIGKILL, current); +@@ -1331,16 +1391,18 @@ static int futex_lock_pi(u32 __user *uad + * non-atomically. Therefore, if get_user below is not + * enough, we need to handle the fault ourselves, while + * still holding the mmap_sem. ++ * ++ * ... and hb->lock. :-) --ANK + */ ++ queue_unlock(&q, hb); ++ + if (attempt++) { +- if (futex_handle_fault((unsigned long)uaddr, attempt)) { +- ret = -EFAULT; +- goto out_unlock_release_sem; +- } +- goto retry_locked; ++ ret = futex_handle_fault((unsigned long)uaddr, attempt); ++ if (ret) ++ goto out_release_sem; ++ goto retry_unlocked; + } + +- queue_unlock(&q, hb); + up_read(&curr->mm->mmap_sem); + + ret = get_user(uval, uaddr); +@@ -1382,9 +1444,9 @@ retry: + goto out; + + hb = hash_futex(&key); ++retry_unlocked: + spin_lock(&hb->lock); + +-retry_locked: + /* + * To avoid races, try to do the TID -> 0 atomic transition + * again. If it succeeds then we can return without waking +@@ -1446,16 +1508,17 @@ pi_faulted: + * non-atomically. Therefore, if get_user below is not + * enough, we need to handle the fault ourselves, while + * still holding the mmap_sem. ++ * ++ * ... and hb->lock. :-) --ANK + */ ++ spin_unlock(&hb->lock); ++ + if (attempt++) { +- if (futex_handle_fault((unsigned long)uaddr, attempt)) { +- ret = -EFAULT; +- goto out_unlock; +- } +- goto retry_locked; ++ ret = futex_handle_fault((unsigned long)uaddr, attempt); ++ if (ret) ++ goto out; ++ goto retry_unlocked; + } +- +- spin_unlock(&hb->lock); + up_read(¤t->mm->mmap_sem); + + ret = get_user(uval, uaddr); +--- linux-2.6.21.6.orig/include/linux/sched.h ++++ linux-2.6.21.6/include/linux/sched.h +@@ -1138,6 +1138,7 @@ static inline void put_task_struct(struc + /* Not implemented yet, only for 486*/ + #define PF_STARTING 0x00000002 /* being created */ + #define PF_EXITING 0x00000004 /* getting shut down */ ++#define PF_EXITPIDONE 0x00000008 /* pi exit done on shut down */ + #define PF_FORKNOEXEC 0x00000040 /* forked but didn't exec */ + #define PF_SUPERPRIV 0x00000100 /* used super-user privileges */ + #define PF_DUMPCORE 0x00000200 /* dumped core */ +--- linux-2.6.21.6.orig/kernel/exit.c ++++ linux-2.6.21.6/kernel/exit.c +@@ -884,13 +884,29 @@ fastcall NORET_TYPE void do_exit(long co + if (unlikely(tsk->flags & PF_EXITING)) { + printk(KERN_ALERT + "Fixing recursive fault but reboot is needed!\n"); ++ /* ++ * We can do this unlocked here. The futex code uses ++ * this flag just to verify whether the pi state ++ * cleanup has been done or not. In the worst case it ++ * loops once more. We pretend that the cleanup was ++ * done as there is no way to return. Either the ++ * OWNER_DIED bit is set by now or we push the blocked ++ * task into the wait for ever nirwana as well. ++ */ ++ tsk->flags |= PF_EXITPIDONE; + if (tsk->io_context) + exit_io_context(); + set_current_state(TASK_UNINTERRUPTIBLE); + schedule(); + } + ++ /* ++ * tsk->flags are checked in the futex code to protect against ++ * an exiting task cleaning up the robust pi futexes. ++ */ ++ spin_lock_irq(&tsk->pi_lock); + tsk->flags |= PF_EXITING; ++ spin_unlock_irq(&tsk->pi_lock); + + if (unlikely(in_atomic())) + printk(KERN_INFO "note: %s[%d] exited with preempt_count %d\n", +@@ -957,6 +973,12 @@ fastcall NORET_TYPE void do_exit(long co + * Make sure we are holding no locks: + */ + debug_check_no_locks_held(tsk); ++ /* ++ * We can do this unlocked here. The futex code uses this flag ++ * just to verify whether the pi state cleanup has been done ++ * or not. In the worst case it loops once more. ++ */ ++ tsk->flags |= PF_EXITPIDONE; + + if (tsk->io_context) + exit_io_context(); + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:15 2007 +Message-Id: <20070731042615.323387988@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:14 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Sergei Shtylyov , + Geller Sandor , + Bartlomiej Zolnierkiewicz , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 06/26] hpt366: disallow Ultra133 for HPT374 +Content-Disposition: inline; filename=hpt366-disallow-ultra133-for-hpt374.patch +Content-Length: 2064 +Lines: 55 + + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +Eliminate UltraATA/133 support for HPT374 -- the chip isn't capable of this mode +according to the manual, and doesn't even seem to tolerate 66 MHz DPLL clock... + +Signed-off-by: Sergei Shtylyov +Cc: Geller Sandor +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ide/pci/hpt366.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- linux-2.6.21.6.orig/drivers/ide/pci/hpt366.c ++++ linux-2.6.21.6/drivers/ide/pci/hpt366.c +@@ -1,5 +1,5 @@ + /* +- * linux/drivers/ide/pci/hpt366.c Version 1.03 May 4, 2007 ++ * linux/drivers/ide/pci/hpt366.c Version 1.04 Jun 4, 2007 + * + * Copyright (C) 1999-2003 Andre Hedrick + * Portions Copyright (C) 2001 Sun Microsystems, Inc. +@@ -106,7 +106,8 @@ + * switch to calculating PCI clock frequency based on the chip's base DPLL + * frequency + * - switch to using the DPLL clock and enable UltraATA/133 mode by default on +- * anything newer than HPT370/A ++ * anything newer than HPT370/A (except HPT374 that is not capable of this ++ * mode according to the manual) + * - fold PCI clock detection and DPLL setup code into init_chipset_hpt366(), + * also fixing the interchanged 25/40 MHz PCI clock cases for HPT36x chips; + * unify HPT36x/37x timing setup code and the speedproc handlers by joining +@@ -365,7 +366,6 @@ static u32 sixty_six_base_hpt37x[] = { + }; + + #define HPT366_DEBUG_DRIVE_INFO 0 +-#define HPT374_ALLOW_ATA133_6 1 + #define HPT371_ALLOW_ATA133_6 1 + #define HPT302_ALLOW_ATA133_6 1 + #define HPT372_ALLOW_ATA133_6 1 +@@ -450,7 +450,7 @@ static struct hpt_info hpt370a __devinit + + static struct hpt_info hpt374 __devinitdata = { + .chip_type = HPT374, +- .max_mode = HPT374_ALLOW_ATA133_6 ? 4 : 3, ++ .max_mode = 3, + .dpll_clk = 48, + .settings = hpt37x_settings + }; + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:15 2007 +Message-Id: <20070731042615.540263733@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:15 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + Andrew Morton +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-raid@vger.kernel.org, + neilb@suse.de, + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 07/26] md: Fix two raid10 bugs. +Content-Disposition: inline; filename=md-fix-two-raid10-bugs.patch +Content-Length: 1406 +Lines: 44 + + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +1/ When resyncing a degraded raid10 which has more than 2 copies of each block, + garbage can get synced on top of good data. + +2/ We round the wrong way in part of the device size calculation, which + can cause confusion. + +Signed-off-by: Neil Brown +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + drivers/md/raid10.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff .prev/drivers/md/raid10.c ./drivers/md/raid10.c +--- linux-2.6.21.6.orig/drivers/md/raid10.c ++++ linux-2.6.21.6/drivers/md/raid10.c +@@ -1867,6 +1867,7 @@ static sector_t sync_request(mddev_t *md + int d = r10_bio->devs[i].devnum; + bio = r10_bio->devs[i].bio; + bio->bi_end_io = NULL; ++ clear_bit(BIO_UPTODATE, &bio->bi_flags); + if (conf->mirrors[d].rdev == NULL || + test_bit(Faulty, &conf->mirrors[d].rdev->flags)) + continue; +@@ -2037,6 +2038,11 @@ static int run(mddev_t *mddev) + /* 'size' is now the number of chunks in the array */ + /* calculate "used chunks per device" in 'stride' */ + stride = size * conf->copies; ++ ++ /* We need to round up when dividing by raid_disks to ++ * get the stride size. ++ */ ++ stride += conf->raid_disks - 1; + sector_div(stride, conf->raid_disks); + mddev->size = stride << (conf->chunk_shift-1); + + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:15 2007 +Message-Id: <20070731042615.731652664@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:16 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + Andrew Morton +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-raid@vger.kernel.org, + neilb@suse.de, + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 08/26] md: Fix bug in error handling during raid1 repair. +Content-Disposition: inline; filename=md-fix-bug-in-error-handling-during-raid1-repair.patch +Content-Length: 1906 +Lines: 57 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Mike Accetta + +If raid1/repair (which reads all block and fixes any differences +it finds) hits a read error, it doesn't reset the bio for writing +before writing correct data back, so the read error isn't fixed, +and the device probably gets a zero-length write which it might +complain about. + +Signed-off-by: Neil Brown +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + drivers/md/raid1.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff .prev/drivers/md/raid1.c ./drivers/md/raid1.c +--- linux-2.6.21.6.orig/drivers/md/raid1.c ++++ linux-2.6.21.6/drivers/md/raid1.c +@@ -1240,17 +1240,24 @@ static void sync_request_write(mddev_t * + } + r1_bio->read_disk = primary; + for (i=0; iraid_disks; i++) +- if (r1_bio->bios[i]->bi_end_io == end_sync_read && +- test_bit(BIO_UPTODATE, &r1_bio->bios[i]->bi_flags)) { ++ if (r1_bio->bios[i]->bi_end_io == end_sync_read) { + int j; + int vcnt = r1_bio->sectors >> (PAGE_SHIFT- 9); + struct bio *pbio = r1_bio->bios[primary]; + struct bio *sbio = r1_bio->bios[i]; +- for (j = vcnt; j-- ; ) +- if (memcmp(page_address(pbio->bi_io_vec[j].bv_page), +- page_address(sbio->bi_io_vec[j].bv_page), +- PAGE_SIZE)) +- break; ++ ++ if (test_bit(BIO_UPTODATE, &sbio->bi_flags)) { ++ for (j = vcnt; j-- ; ) { ++ struct page *p, *s; ++ p = pbio->bi_io_vec[j].bv_page; ++ s = sbio->bi_io_vec[j].bv_page; ++ if (memcmp(page_address(p), ++ page_address(s), ++ PAGE_SIZE)) ++ break; ++ } ++ } else ++ j = 0; + if (j >= 0) + mddev->resync_mismatches += r1_bio->sectors; + if (j < 0 || test_bit(MD_RECOVERY_CHECK, &mddev->recovery)) { + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:16 2007 +Message-Id: <20070731042615.932098779@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:17 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + agk@redhat.com, + Milan Broz , + Jens Axboe , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 09/26] dm crypt: disable barriers +Content-Disposition: inline; filename=dm-crypt-disable-barriers.patch +Content-Length: 1235 +Lines: 39 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Milan Broz + +Disable barriers in dm-crypt because of current workqueue processing can +reorder requests. + +This must be addresed later but for now disabling barriers is needed to +prevent data corruption. + +Signed-off-by: Milan Broz +Signed-off-by: Alasdair G Kergon +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- +Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9c89f8be1a7d14aad9d2c3f7d90d7d88f82c61e2 + + drivers/md/dm-crypt.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- linux-2.6.21.6.orig/drivers/md/dm-crypt.c ++++ linux-2.6.21.6/drivers/md/dm-crypt.c +@@ -954,6 +954,9 @@ static int crypt_map(struct dm_target *t + struct crypt_config *cc = ti->private; + struct crypt_io *io; + ++ if (bio_barrier(bio)) ++ return -EOPNOTSUPP; ++ + io = mempool_alloc(cc->io_pool, GFP_NOIO); + io->target = ti; + io->base_bio = bio; + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:16 2007 +Message-Id: <20070731042616.133366065@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:18 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + agk@redhat.com, + Olaf Kirch , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 10/26] dm crypt: fix call to clone_init +Content-Disposition: inline; filename=dm-crypt-fix-call-to-clone_init.patch +Content-Length: 3043 +Lines: 91 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Olaf Kirch + +Call clone_init early + +We need to call clone_init as early as possible - at least before call +bio_put(clone) in any error path. Otherwise, the destructor will try to +dereference bi_private, which may still be NULL. + +Signed-off-by: Olaf Kirch +Signed-off-by: Alasdair G Kergon +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- +Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=027581f3515b5ec2218847dab578afa439a9d6b9 + + drivers/md/dm-crypt.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- linux-2.6.21.6.orig/drivers/md/dm-crypt.c ++++ linux-2.6.21.6/drivers/md/dm-crypt.c +@@ -107,6 +107,8 @@ struct crypt_config { + + static struct kmem_cache *_crypt_io_pool; + ++static void clone_init(struct crypt_io *, struct bio *); ++ + /* + * Different IV generation algorithms: + * +@@ -379,9 +381,10 @@ static int crypt_convert(struct crypt_co + * May return a smaller bio when running out of pages + */ + static struct bio * +-crypt_alloc_buffer(struct crypt_config *cc, unsigned int size, ++crypt_alloc_buffer(struct crypt_io *io, unsigned int size, + struct bio *base_bio, unsigned int *bio_vec_idx) + { ++ struct crypt_config *cc = io->target->private; + struct bio *clone; + unsigned int nr_iovecs = (size + PAGE_SIZE - 1) >> PAGE_SHIFT; + gfp_t gfp_mask = GFP_NOIO | __GFP_HIGHMEM; +@@ -396,7 +399,7 @@ crypt_alloc_buffer(struct crypt_config * + if (!clone) + return NULL; + +- clone->bi_destructor = dm_crypt_bio_destructor; ++ clone_init(io, clone); + + /* if the last bio was not complete, continue where that one ended */ + clone->bi_idx = *bio_vec_idx; +@@ -562,6 +565,7 @@ static void clone_init(struct crypt_io * + clone->bi_end_io = crypt_endio; + clone->bi_bdev = cc->dev->bdev; + clone->bi_rw = io->base_bio->bi_rw; ++ clone->bi_destructor = dm_crypt_bio_destructor; + } + + static void process_read(struct crypt_io *io) +@@ -585,7 +589,6 @@ static void process_read(struct crypt_io + } + + clone_init(io, clone); +- clone->bi_destructor = dm_crypt_bio_destructor; + clone->bi_idx = 0; + clone->bi_vcnt = bio_segments(base_bio); + clone->bi_size = base_bio->bi_size; +@@ -615,7 +618,7 @@ static void process_write(struct crypt_i + * so repeat the whole process until all the data can be handled. + */ + while (remaining) { +- clone = crypt_alloc_buffer(cc, base_bio->bi_size, ++ clone = crypt_alloc_buffer(io, base_bio->bi_size, + io->first_clone, &bvec_idx); + if (unlikely(!clone)) { + dec_pending(io, -ENOMEM); +@@ -631,7 +634,6 @@ static void process_write(struct crypt_i + return; + } + +- clone_init(io, clone); + clone->bi_sector = cc->start + sector; + + if (!io->first_clone) { + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:16 2007 +Message-Id: <20070731042616.535754101@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:20 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + agk@redhat.com, + Olaf Kirch , + Jens Axboe , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 12/26] dm crypt: fix remove first_clone +Content-Disposition: inline; filename=dm-crypt-fix-remove-first_clone.patch +Content-Length: 3799 +Lines: 116 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Olaf Kirch + +Get rid of first_clone in dm-crypt + +This gets rid of first_clone, which is not really needed. Apparently, cloned +bios used to share their bvec some time way in the past - this is no longer +the case. Contrarily, this even hurts us if we try to create a clone off +first_clone after it has completed, and crypt_endio has destroyed its bvec. + +Signed-off-by: Olaf Kirch +Signed-off-by: Alasdair G Kergon +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- +Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2f9941b6c55d70103c1bc3f2c7676acd9f20bf8a + + drivers/md/dm-crypt.c | 34 ++++++---------------------------- + 1 file changed, 6 insertions(+), 28 deletions(-) + +--- linux-2.6.21.6.orig/drivers/md/dm-crypt.c ++++ linux-2.6.21.6/drivers/md/dm-crypt.c +@@ -33,7 +33,6 @@ + struct crypt_io { + struct dm_target *target; + struct bio *base_bio; +- struct bio *first_clone; + struct work_struct work; + atomic_t pending; + int error; +@@ -380,9 +379,8 @@ static int crypt_convert(struct crypt_co + * This should never violate the device limitations + * May return a smaller bio when running out of pages + */ +-static struct bio * +-crypt_alloc_buffer(struct crypt_io *io, unsigned int size, +- struct bio *base_bio, unsigned int *bio_vec_idx) ++static struct bio *crypt_alloc_buffer(struct crypt_io *io, unsigned int size, ++ unsigned int *bio_vec_idx) + { + struct crypt_config *cc = io->target->private; + struct bio *clone; +@@ -390,12 +388,7 @@ crypt_alloc_buffer(struct crypt_io *io, + gfp_t gfp_mask = GFP_NOIO | __GFP_HIGHMEM; + unsigned int i; + +- if (base_bio) { +- clone = bio_alloc_bioset(GFP_NOIO, base_bio->bi_max_vecs, cc->bs); +- __bio_clone(clone, base_bio); +- } else +- clone = bio_alloc_bioset(GFP_NOIO, nr_iovecs, cc->bs); +- ++ clone = bio_alloc_bioset(GFP_NOIO, nr_iovecs, cc->bs); + if (!clone) + return NULL; + +@@ -498,9 +491,6 @@ static void dec_pending(struct crypt_io + if (!atomic_dec_and_test(&io->pending)) + return; + +- if (io->first_clone) +- bio_put(io->first_clone); +- + bio_endio(io->base_bio, io->base_bio->bi_size, io->error); + + mempool_free(io, cc->io_pool); +@@ -618,8 +608,7 @@ static void process_write(struct crypt_i + * so repeat the whole process until all the data can be handled. + */ + while (remaining) { +- clone = crypt_alloc_buffer(io, base_bio->bi_size, +- io->first_clone, &bvec_idx); ++ clone = crypt_alloc_buffer(io, base_bio->bi_size, &bvec_idx); + if (unlikely(!clone)) { + dec_pending(io, -ENOMEM); + return; +@@ -635,21 +624,11 @@ static void process_write(struct crypt_i + } + + clone->bi_sector = cc->start + sector; +- +- if (!io->first_clone) { +- /* +- * hold a reference to the first clone, because it +- * holds the bio_vec array and that can't be freed +- * before all other clones are released +- */ +- bio_get(clone); +- io->first_clone = clone; +- } +- + remaining -= clone->bi_size; + sector += bio_sectors(clone); + +- /* prevent bio_put of first_clone */ ++ /* Grab another reference to the io struct ++ * before we kick off the request */ + if (remaining) + atomic_inc(&io->pending); + +@@ -965,7 +944,6 @@ static int crypt_map(struct dm_target *t + io = mempool_alloc(cc->io_pool, GFP_NOIO); + io->target = ti; + io->base_bio = bio; +- io->first_clone = NULL; + io->error = io->post_process = 0; + atomic_set(&io->pending, 0); + kcryptd_queue_io(io); + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:16 2007 +Message-Id: <20070731042616.748892566@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:21 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + dean@arctic.org, + ak@suse.de, + agl@us.ibm.com, + bill.irwin@oracle.com, + clameter@sgi.com, + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 13/26] hugetlb: fix get_policy for stacked shared memory files +Content-Disposition: inline; filename=hugetlb-fix-get_policy-for-stacked-shared-memory-files.patch +Content-Length: 1636 +Lines: 56 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Adam Litke + +Here's another breakage as a result of shared memory stacked files :( + +The NUMA policy for a VMA is determined by checking the following (in the +order given): + +1) vma->vm_ops->get_policy() (if defined) +2) vma->vm_policy (if defined) +3) task->mempolicy (if defined) +4) Fall back to default_policy + +By switching to stacked files for shared memory, get_policy() is now always +set to shm_get_policy which is a wrapper function. This causes us to stop +at step 1, which yields NULL for hugetlb instead of task->mempolicy which +was the previous (and correct) result. + +This patch modifies the shm_get_policy() wrapper to maintain steps 1-3 for +the wrapped vm_ops. + +(akpm: the refcounting of mempolicies is busted and this patch does nothing to +improve it) + +Signed-off-by: Adam Litke +Acked-by: William Irwin +Cc: dean gaudet +Cc: Christoph Lameter +Cc: Andi Kleen +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + ipc/shm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- linux-2.6.21.6.orig/ipc/shm.c ++++ linux-2.6.21.6/ipc/shm.c +@@ -254,8 +254,10 @@ struct mempolicy *shm_get_policy(struct + + if (sfd->vm_ops->get_policy) + pol = sfd->vm_ops->get_policy(vma, addr); +- else ++ else if (vma->vm_policy) + pol = vma->vm_policy; ++ else ++ pol = current->mempolicy; + return pol; + } + #endif + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:17 2007 +Message-Id: <20070731042616.939910618@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:22 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + alan@lxorguk.ukuu.org.uk, + gregkh@suse.de, + vatsa@linux.vnet.ibm.com, + chrisw@sous-sol.org, + paulmck@linux.vnet.ibm.com, + clameter@sgi.com, + Ingo Molnar +Subject: [patch 14/26] sched: fix next_interval determination in idle_balance() +Content-Disposition: inline; filename=sched-fix-next_interval-determination-in-idle_balance.patch +Content-Length: 2301 +Lines: 72 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Christoph Lameter + +Fix massive SMP imbalance on NUMA nodes observed on 2.6.21.5 with CFS. +(and later on reproduced without CFS as well). + +The intervals of domains that do not have SD_BALANCE_NEWIDLE must be +considered for the calculation of the time of the next balance. +Otherwise we may defer rebalancing forever and nodes might stay idle for +very long times. + +Siddha also spotted that the conversion of the balance interval to +jiffies is missing. Fix that to. + +From: Srivatsa Vaddagiri + +also continue the loop if !(sd->flags & SD_LOAD_BALANCE). + +Tested-by: Paul E. McKenney + +It did in fact trigger under all three of mainline, CFS, and -rt +including CFS -- see below for a couple of emails from last Friday +giving results for these three on the AMD box (where it happened) and on +a single-quad NUMA-Q system (where it did not, at least not with such +severity). + +Signed-off-by: Christoph Lameter +Signed-off-by: Ingo Molnar +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +--- linux-2.6.21.6.orig/kernel/sched.c ++++ linux-2.6.21.6/kernel/sched.c +@@ -2831,17 +2831,21 @@ static void idle_balance(int this_cpu, s + unsigned long next_balance = jiffies + 60 * HZ; + + for_each_domain(this_cpu, sd) { +- if (sd->flags & SD_BALANCE_NEWIDLE) { ++ unsigned long interval; ++ ++ if (!(sd->flags & SD_LOAD_BALANCE)) ++ continue; ++ ++ if (sd->flags & SD_BALANCE_NEWIDLE) + /* If we've pulled tasks over stop searching: */ + pulled_task = load_balance_newidle(this_cpu, +- this_rq, sd); +- if (time_after(next_balance, +- sd->last_balance + sd->balance_interval)) +- next_balance = sd->last_balance +- + sd->balance_interval; +- if (pulled_task) +- break; +- } ++ this_rq, sd); ++ ++ interval = msecs_to_jiffies(sd->balance_interval); ++ if (time_after(next_balance, sd->last_balance + interval)) ++ next_balance = sd->last_balance + interval; ++ if (pulled_task) ++ break; + } + if (!pulled_task) + /* + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:17 2007 +Message-Id: <20070731042617.140632901@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:23 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + mingo@elte.hu, + drepper@redhat.com, + jan.kiszka@web.de, + Thomas Gleixner , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 15/26] posix-timers: Prevent softirq starvation by small intervals and SIG_IGN +Content-Disposition: inline; filename=posix-timers-prevent-softirq-starvation-by-small-intervals-and-sig_ign.patch +Content-Length: 3783 +Lines: 98 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +posix-timers which deliver an ignored signal are currently rearmed in +the timer softirq: This is necessary because the timer needs to be +delivered again when SIG_IGN is removed. This is not a problem, when +the interval is reasonable. + +With high resolution timers enabled one might arm a posix timer with a +very small interval and ignore the signal. This might lead to a +softirq starvation when the interval is so small that the timer is +requeued onto the softirq pending list right away. + +This problem was pointed out by Jan Kiszka. Thanks Jan ! + +The correct solution would be to stop the timer, when the signal is +ignored and rearm it when SIG_IGN is removed. Unfortunately this +requires modification in sigaction and involves non trivial sighand +locking. It's too late in the release cycle for such a change. + +For now we just keep the timer running and enforce that the timer only +fires every jiffie. This does not break anything as we keep the +overrun counter correct. It adds a little inaccuracy to the +timer_gettime() interface, but... + +The more complex change is necessary anyway to fix another short +coming of the current implementation, which I discovered while looking +at this problem: A pending signal is discarded when SIG_IGN is set. In +case that a posixtimer signal is pending then it is discarded as well, +but when SIG_IGN is removed later nothing rearms the timer. This is +not new, it's that way since posix timers have been merged. So nothing +to worry about right now. + +I have a working solution to fix all of this, but the impact is too +large for both stable and 2.6.22. I'm going to send it out for review +in the next days. + +This should go into 2.6.21.stable as well. + +Signed-off-by: Thomas Gleixner +Acked-by: Ingo Molnar +Cc: Jan Kiszka +Cc: Ulrich Drepper +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/posix-timers.c | 35 +++++++++++++++++++++++++++++++++-- + 1 file changed, 33 insertions(+), 2 deletions(-) + +--- linux-2.6.21.6.orig/kernel/posix-timers.c ++++ linux-2.6.21.6/kernel/posix-timers.c +@@ -354,9 +354,40 @@ static enum hrtimer_restart posix_timer_ + * it should be restarted. + */ + if (timr->it.real.interval.tv64 != 0) { ++ ktime_t now = hrtimer_cb_get_time(timer); ++ ++ /* ++ * FIXME: What we really want, is to stop this ++ * timer completely and restart it in case the ++ * SIG_IGN is removed. This is a non trivial ++ * change which involves sighand locking ++ * (sigh !), which we don't want to do late in ++ * the release cycle. ++ * ++ * For now we just let timers with an interval ++ * less than a jiffie expire every jiffie to ++ * avoid softirq starvation in case of SIG_IGN ++ * and a very small interval, which would put ++ * the timer right back on the softirq pending ++ * list. By moving now ahead of time we trick ++ * hrtimer_forward() to expire the timer ++ * later, while we still maintain the overrun ++ * accuracy, but have some inconsistency in ++ * the timer_gettime() case. This is at least ++ * better than a starved softirq. A more ++ * complex fix which solves also another related ++ * inconsistency is already in the pipeline. ++ */ ++#ifdef CONFIG_HIGH_RES_TIMERS ++ { ++ ktime_t kj = ktime_set(0, NSEC_PER_SEC / HZ); ++ ++ if (timr->it.real.interval.tv64 < kj.tv64) ++ now = ktime_add(now, kj); ++ } ++#endif + timr->it_overrun += +- hrtimer_forward(timer, +- hrtimer_cb_get_time(timer), ++ hrtimer_forward(timer, now, + timr->it.real.interval); + ret = HRTIMER_RESTART; + ++timr->it_requeue_pending; + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:17 2007 +Message-Id: <20070731042617.352284361@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:24 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@osdl.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + akpm@osdl.org, + drepper@redhat.com, + mingo@elte.hu, + Thomas Gleixner , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 16/26] FUTEX: Restore the dropped ERSCH fix +Content-Disposition: inline; filename=futex-restore-the-dropped-ersch-fix.patch +Content-Length: 1221 +Lines: 46 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +The return value of futex_find_get_task() needs to be -ESRCH in case +that the search fails. This was part of the original futex fixes and +got accidentally dropped, when the futex-tidy-up patch was split out. + +Results in a NULL pointer dereference in case the search fails. + +Restore it. + +Signed-off-by: Thomas Gleixner +Cc: Ingo Molnar +Cc: Ulrich Drepper +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + kernel/futex.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +--- linux-2.6.21.6.orig/kernel/futex.c ++++ linux-2.6.21.6/kernel/futex.c +@@ -390,14 +390,12 @@ static struct task_struct * futex_find_g + + rcu_read_lock(); + p = find_task_by_pid(pid); +- if (!p) +- goto out_unlock; +- if ((current->euid != p->euid) && (current->euid != p->uid)) { +- p = NULL; +- goto out_unlock; +- } +- get_task_struct(p); +-out_unlock: ++ ++ if (!p || ((current->euid != p->euid) && (current->euid != p->uid))) ++ p = ERR_PTR(-ESRCH); ++ else ++ get_task_struct(p); ++ + rcu_read_unlock(); + + return p; + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:17 2007 +Message-Id: <20070731042617.548736165@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:25 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + tonyj@suse.de, + viro@zeniv.linux.org.uk, + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 17/26] audit: fix oops removing watch if audit disabled +Content-Disposition: inline; filename=audit-fix-oops-removing-watch-if-audit-disabled.patch +Content-Length: 1112 +Lines: 38 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Tony Jones + +Removing a watched file will oops if audit is disabled (auditctl -e 0). + +To reproduce: +- auditctl -e 1 +- touch /tmp/foo +- auditctl -w /tmp/foo +- auditctl -e 0 +- rm /tmp/foo (or mv) + +Signed-off-by: Tony Jones +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + kernel/auditfilter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.21.6.orig/kernel/auditfilter.c ++++ linux-2.6.21.6/kernel/auditfilter.c +@@ -905,7 +905,7 @@ static void audit_update_watch(struct au + + /* If the update involves invalidating rules, do the inode-based + * filtering now, so we don't omit records. */ +- if (invalidating && ++ if (invalidating && current->audit_context && + audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT) + audit_set_auditable(current->audit_context); + + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:17 2007 +Message-Id: <20070731042617.761392279@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:26 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Paul Mackerras , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 18/26] POWERPC: Fix subtle FP state corruption bug in signal return on SMP +Content-Disposition: inline; filename=powerpc-fix-subtle-fp-state-corruption-bug-in-signal-return-on-smp.patch +Content-Length: 2043 +Lines: 55 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +This fixes a bug which can cause corruption of the floating-point state +on return from a signal handler. If we have a signal handler that has +used the floating-point registers, and it happens to context-switch to +another task while copying the interrupted floating-point state from the +user stack into the thread struct (e.g. because of a page fault, or +because it gets preempted), the context switch code will think that the +FP registers contain valid FP state that needs to be copied into the +thread_struct, and will thus overwrite the values that the signal return +code has put into the thread_struct. + +This can occur because we clear the MSR bits that indicate the presence +of valid FP state after copying the state into the thread_struct. To fix +this we just move the clearing of the MSR bits to before the copy. A +similar potential problem also occurs with the Altivec state, and this +fixes that in the same way. + +Signed-off-by: Paul Mackerras +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/signal_64.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- linux-2.6.21.6.orig/arch/powerpc/kernel/signal_64.c ++++ linux-2.6.21.6/arch/powerpc/kernel/signal_64.c +@@ -177,6 +177,13 @@ static long restore_sigcontext(struct pt + */ + discard_lazy_cpu_state(); + ++ /* ++ * Force reload of FP/VEC. ++ * This has to be done before copying stuff into current->thread.fpr/vr ++ * for the reasons explained in the previous comment. ++ */ ++ regs->msr &= ~(MSR_FP | MSR_FE0 | MSR_FE1 | MSR_VEC); ++ + err |= __copy_from_user(¤t->thread.fpr, &sc->fp_regs, FP_REGS_SIZE); + + #ifdef CONFIG_ALTIVEC +@@ -198,9 +205,6 @@ static long restore_sigcontext(struct pt + current->thread.vrsave = 0; + #endif /* CONFIG_ALTIVEC */ + +- /* Force reload of FP/VEC */ +- regs->msr &= ~(MSR_FP | MSR_FE0 | MSR_FE1 | MSR_VEC); +- + return err; + } + + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:18 2007 +Message-Id: <20070731042617.951156609@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:27 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + npiggin@suse.de, + petr@vmware.com, + andrea@suse.de, + hugh@veritas.com, + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 19/26] mm: kill validate_anon_vma to avoid mapcount BUG +Content-Disposition: inline; filename=mm-kill-validate_anon_vma-to-avoid-mapcount-bug.patch +Content-Length: 2853 +Lines: 91 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Hugh Dickins + +validate_anon_vma gave a useful check on the integrity of the anon_vma list +when Andrea was developing obj rmap; but it was not enabled in SLES9 +itself, nor in mainline, until Nick changed commented-out RMAP_DEBUG to +configurable CONFIG_DEBUG_VM in 2.6.17. Now Petr Vandrovec reports that +its BUG_ON(mapcount > 100000) can easily crash a CONFIG_DEBUG_VM=y system. + +That limit was just an arbitrary number to protect against an infinite +loop. We could raise it to something enormous (depending on sizeof struct +vma and size of memory?); but I rather think validate_anon_vma has outlived +its usefulness, and is better just removed - which gives a magnificent +performance boost to anything like Petr's test program ;) + +Of course, a very long anon_vma list is bad news for preemption latency, +and I believe there has been one recent report of such: let's not forget +that, but validate_anon_vma only makes it worse not better. + +Signed-off-by: Hugh Dickins +Cc: Petr Vandrovec +Acked-by: Nick Piggin +Cc: Andrea Arcangeli +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + mm/rmap.c | 24 +----------------------- + 1 file changed, 1 insertion(+), 23 deletions(-) + +--- linux-2.6.21.6.orig/mm/rmap.c ++++ linux-2.6.21.6/mm/rmap.c +@@ -53,24 +53,6 @@ + + struct kmem_cache *anon_vma_cachep; + +-static inline void validate_anon_vma(struct vm_area_struct *find_vma) +-{ +-#ifdef CONFIG_DEBUG_VM +- struct anon_vma *anon_vma = find_vma->anon_vma; +- struct vm_area_struct *vma; +- unsigned int mapcount = 0; +- int found = 0; +- +- list_for_each_entry(vma, &anon_vma->head, anon_vma_node) { +- mapcount++; +- BUG_ON(mapcount > 100000); +- if (vma == find_vma) +- found = 1; +- } +- BUG_ON(!found); +-#endif +-} +- + /* This must be called under the mmap_sem. */ + int anon_vma_prepare(struct vm_area_struct *vma) + { +@@ -121,10 +103,8 @@ void __anon_vma_link(struct vm_area_stru + { + struct anon_vma *anon_vma = vma->anon_vma; + +- if (anon_vma) { ++ if (anon_vma) + list_add_tail(&vma->anon_vma_node, &anon_vma->head); +- validate_anon_vma(vma); +- } + } + + void anon_vma_link(struct vm_area_struct *vma) +@@ -134,7 +114,6 @@ void anon_vma_link(struct vm_area_struct + if (anon_vma) { + spin_lock(&anon_vma->lock); + list_add_tail(&vma->anon_vma_node, &anon_vma->head); +- validate_anon_vma(vma); + spin_unlock(&anon_vma->lock); + } + } +@@ -148,7 +127,6 @@ void anon_vma_unlink(struct vm_area_stru + return; + + spin_lock(&anon_vma->lock); +- validate_anon_vma(vma); + list_del(&vma->anon_vma_node); + + /* We must garbage collect the anon_vma if it's empty */ + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:18 2007 +Message-Id: <20070731042618.152647051@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:28 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + jeffm@suse.com, + mchehab@infradead.org, + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 20/26] saa7134: fix thread shutdown handling +Content-Disposition: inline; filename=saa7134-fix-thread-shutdown-handling.patch +Content-Length: 1558 +Lines: 42 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jeff Mahoney + +This patch changes the test for the thread pid from >= 0 to > 0. + +When the saa8134 driver initialization fails after a certain point, it goes +through the complete shutdown process for the driver. Part of shutting it +down includes tearing down the thread for tv audio. + +The test for tearing down the thread tests for >= 0. Since the dev +structure is kzalloc'd, the test will always be true if we haven't tried to +start the thread yet. We end up waiting on pid 0 to complete, which will +never happen, so we lock up. + +This bug was observed in Novell Bugzilla 284718, when request_irq() failed. + +Signed-off-by: Jeff Mahoney +Acked-by: Mauro Carvalho Chehab +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + drivers/media/video/saa7134/saa7134-tvaudio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.21.6.orig/drivers/media/video/saa7134/saa7134-tvaudio.c ++++ linux-2.6.21.6/drivers/media/video/saa7134/saa7134-tvaudio.c +@@ -1006,7 +1006,7 @@ int saa7134_tvaudio_init2(struct saa7134 + int saa7134_tvaudio_fini(struct saa7134_dev *dev) + { + /* shutdown tvaudio thread */ +- if (dev->thread.pid >= 0) { ++ if (dev->thread.pid > 0) { + dev->thread.shutdown = 1; + wake_up_interruptible(&dev->thread.wq); + wait_for_completion(&dev->thread.exit); + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:18 2007 +Message-Id: <20070731042618.353275881@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:29 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + mgreer@mvista.com, + jaylubo@motorola.com, + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 21/26] serial: clear proper MPSC interrupt cause bits +Content-Disposition: inline; filename=serial-clear-proper-mpsc-interrupt-cause-bits.patch +Content-Length: 1288 +Lines: 39 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jay Lubomirski + +The interrupt clearing code in mpsc_sdma_intr_ack() mistakenly clears the +interrupt for both controllers instead of just the one its supposed to. +This can result in the other controller appearing to hang because its +interrupt was effectively lost. + +So, don't clear the interrupt cause bits for both MPSC controllers when +clearing the interrupt for one of them. Just clear the one that is +supposed to be cleared. + +Signed-off-by: Jay Lubomirski +Acked-by: Mark A. Greer +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + drivers/serial/mpsc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- linux-2.6.21.6.orig/drivers/serial/mpsc.c ++++ linux-2.6.21.6/drivers/serial/mpsc.c +@@ -502,7 +502,8 @@ mpsc_sdma_intr_ack(struct mpsc_port_info + + if (pi->mirror_regs) + pi->shared_regs->SDMA_INTR_CAUSE_m = 0; +- writel(0, pi->shared_regs->sdma_intr_base + SDMA_INTR_CAUSE); ++ writeb(0x00, pi->shared_regs->sdma_intr_base + SDMA_INTR_CAUSE + ++ pi->port.line); + return; + } + + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:18 2007 +Message-Id: <20070731042618.564344691@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:30 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jason Wessel , + Jeremy Fitzhardinge , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 22/26] i386: fix infinite loop with singlestep int80 syscalls +Content-Disposition: inline; filename=i386-fix-infinite-loop-with-singlestep-int80-syscalls.patch +Content-Length: 2921 +Lines: 111 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +The commit 635cf99a80f4ebee59d70eb64bb85ce829e4591f introduced a +regression. Executing a ptrace single step after certain int80 +accesses will infinitely loop and never advance the PC. + +The TIF_SINGLESTEP check should be done on the return from the syscall +and not before it. + +The new test case is below: + +/* Test whether singlestep through an int80 syscall works. + */ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include + +static int child, status; +static struct user_regs_struct regs; + +static void do_child() +{ + char str[80] = "child: int80 test\n"; + + ptrace(PTRACE_TRACEME, 0, 0, 0); + kill(getpid(), SIGUSR1); + write(fileno(stdout),str,strlen(str)); + asm ("int $0x80" : : "a" (20)); /* getpid */ +} + +static void do_parent() +{ + unsigned long eip, expected = 0; +again: + waitpid(child, &status, 0); + if (WIFEXITED(status) || WIFSIGNALED(status)) + return; + + if (WIFSTOPPED(status)) { + ptrace(PTRACE_GETREGS, child, 0, ®s); + eip = regs.eip; + if (expected) + fprintf(stderr, "child stop @ %08lx, expected %08lx %s\n", + eip, expected, + eip == expected ? "" : " <== ERROR"); + + if (*(unsigned short *)eip == 0x80cd) { + fprintf(stderr, "int 0x80 at %08x\n", (unsigned int)eip); + expected = eip + 2; + } else + expected = 0; + + ptrace(PTRACE_SINGLESTEP, child, NULL, NULL); + } + goto again; +} + +int main(int argc, char * const argv[]) +{ + child = fork(); + if (child) + do_parent(); + else + do_child(); + return 0; +} + + +Signed-off-by: Jason Wessel +Cc: Jeremy Fitzhardinge +Cc: Chuck Ebbert +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + arch/i386/kernel/entry.S | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- linux-2.6.21.6.orig/arch/i386/kernel/entry.S ++++ linux-2.6.21.6/arch/i386/kernel/entry.S +@@ -371,10 +371,6 @@ ENTRY(system_call) + CFI_ADJUST_CFA_OFFSET 4 + SAVE_ALL + GET_THREAD_INFO(%ebp) +- testl $TF_MASK,PT_EFLAGS(%esp) +- jz no_singlestep +- orl $_TIF_SINGLESTEP,TI_flags(%ebp) +-no_singlestep: + # system call tracing in operation / emulation + /* Note, _TIF_SECCOMP is bit number 8, and so it needs testw and not testb */ + testw $(_TIF_SYSCALL_EMU|_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT),TI_flags(%ebp) +@@ -389,6 +385,10 @@ syscall_exit: + # setting need_resched or sigpending + # between sampling and the iret + TRACE_IRQS_OFF ++ testl $TF_MASK,PT_EFLAGS(%esp) # If tracing set singlestep flag on exit ++ jz no_singlestep ++ orl $_TIF_SINGLESTEP,TI_flags(%ebp) ++no_singlestep: + movl TI_flags(%ebp), %ecx + testw $_TIF_ALLWORK_MASK, %cx # current->work + jne syscall_exit_work + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:18 2007 +Message-Id: <20070731042618.760038604@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:31 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@osdl.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + akpm@osdl.org, + johnstul@us.ibm.com, + mingo@elte.hu, + Vincent.Fortier1@EC.GC.CA, + Thomas Gleixner , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 23/26] NTP: remove clock_was_set() call to prevent deadlock +Content-Disposition: inline; filename=ntp-remove-clock_was_set-call-to-prevent-deadlock.patch +Content-Length: 1803 +Lines: 53 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +The clock_was_set() call in seconds_overflow() which happens only when +leap seconds are inserted / deleted is wrong in two aspects: + +1. it results in a call to on_each_cpu() with interrupts disabled +2. it is potential deadlock source vs. call_lock in smp_call_function() + +The only possible side effect of the removal might be, that an absolute +CLOCK_REALTIME timer fires 1 second too late, in the rare case of leap +second deletion and an absolute CLOCK_REALTIME timer which expires in +the affected time frame. It will never fire too early. + +This was probably observed by the reporter of a June 30th -> July 1st +hang: http://lkml.org/lkml/2007/7/3/ + +A similar problem was observed by Dave Jones, who provided a screen shot +with a lockdep back trace, which allowed to analyse the problem. + +Signed-off-by: Thomas Gleixner +Cc: john stultz +Cc: Dave Jones +Cc: Ingo Molnar +Cc: Vincent Fortier +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/ntp.c | 2 -- + 1 file changed, 2 deletions(-) + +--- linux-2.6.21.6.orig/kernel/time/ntp.c ++++ linux-2.6.21.6/kernel/time/ntp.c +@@ -120,7 +120,6 @@ void second_overflow(void) + */ + time_interpolator_update(-NSEC_PER_SEC); + time_state = TIME_OOP; +- clock_was_set(); + printk(KERN_NOTICE "Clock: inserting leap second " + "23:59:60 UTC\n"); + } +@@ -135,7 +134,6 @@ void second_overflow(void) + */ + time_interpolator_update(NSEC_PER_SEC); + time_state = TIME_WAIT; +- clock_was_set(); + printk(KERN_NOTICE "Clock: deleting leap second " + "23:59:59 UTC\n"); + } + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:19 2007 +Message-Id: <20070731042618.961456407@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:32 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Stephen Hemminger , + Jeff Garzik , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 24/26] sky2: workaround for lost IRQ +Content-Disposition: inline; filename=sky2-workaround-for-lost-irq.patch +Content-Length: 1526 +Lines: 45 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +This patch restores a couple of workarounds from 2.6.16: + * restart transmit moderation timer in case it expires during IRQ routine + * default to having 10 HZ watchdog timer. +At this point it more important not to hang than to worry about the +power cost. + +Signed-off-by: Stephen Hemminger +Cc: Jeff Garzik +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/sky2.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- linux-2.6.21.6.orig/drivers/net/sky2.c ++++ linux-2.6.21.6/drivers/net/sky2.c +@@ -95,7 +95,7 @@ static int disable_msi = 0; + module_param(disable_msi, int, 0); + MODULE_PARM_DESC(disable_msi, "Disable Message Signaled Interrupt (MSI)"); + +-static int idle_timeout = 0; ++static int idle_timeout = 100; + module_param(idle_timeout, int, 0); + MODULE_PARM_DESC(idle_timeout, "Watchdog timer for lost interrupts (ms)"); + +@@ -2433,6 +2433,13 @@ static int sky2_poll(struct net_device * + + work_done = sky2_status_intr(hw, work_limit); + if (work_done < work_limit) { ++ /* Bug/Errata workaround? ++ * Need to kick the TX irq moderation timer. ++ */ ++ if (sky2_read8(hw, STAT_TX_TIMER_CTRL) == TIM_START) { ++ sky2_write8(hw, STAT_TX_TIMER_CTRL, TIM_STOP); ++ sky2_write8(hw, STAT_TX_TIMER_CTRL, TIM_START); ++ } + netif_rx_complete(dev0); + + sky2_read32(hw, B0_Y2_SP_LISR); + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:19 2007 +Message-Id: <20070731042619.161564120@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:33 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + v4l-dvb-maintainer@linuxtv.org, + xyzzy@speakeasy.org, + Mauro Carvalho Chehab , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 25/26] V4L: bttv: fix v4l1 api usage breaking the driver +Content-Disposition: inline; filename=v4l-bttv-fix-v4l1-api-usage-breaking-the-driver.patch +Content-Length: 3301 +Lines: 96 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Trent Piepho + +If one uses a V4L *one* application, such as vlc or mplayer's v4l driver, as +the first user after the driver is loaded, the driver wedges itself and will +never capture properly. Even if one uses a V4L2 application later, it still +won't work. + +If one uses a V4L *two* application first, such as tvtime or mplayer's v4l2 +driver, then the driver will be ok. One can then run a V4L1 application, and +it will work. + +It turns out the problem is with norm changing and the crop support that was +added in 2.6.21. The driver defaults to PAL, and keeps the last norm it was +set too across opens. If one changes the norm via V4L1, the cropping +parameters are not reset like they should be, and they'll remain broken across +device opens. + +This patch removes the direct setting of btv->tvnorm in the V4L1 ioctl +VIDIOCSCHAN handler. The norm is set via the existing call to set_input(), +which calls set_tvnorm(), which will reset the cropping values now that it is +able to detect the norm change. + +Signed-off-by: Trent Piepho +Signed-off-by: Michael Krufky +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- +(cherry picked from commit 333408f21590d50397f3004e3f87070fa8f52c51) + + drivers/media/video/bt8xx/bttv-driver.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- linux-2.6.21.6.orig/drivers/media/video/bt8xx/bttv-driver.c ++++ linux-2.6.21.6/drivers/media/video/bt8xx/bttv-driver.c +@@ -1313,7 +1313,7 @@ set_tvnorm(struct bttv *btv, unsigned in + + /* Call with btv->lock down. */ + static void +-set_input(struct bttv *btv, unsigned int input) ++set_input(struct bttv *btv, unsigned int input, unsigned int norm) + { + unsigned long flags; + +@@ -1332,7 +1332,7 @@ set_input(struct bttv *btv, unsigned int + } + audio_input(btv,(input == bttv_tvcards[btv->c.type].tuner ? + TVAUDIO_INPUT_TUNER : TVAUDIO_INPUT_EXTERN)); +- set_tvnorm(btv,btv->tvnorm); ++ set_tvnorm(btv, norm); + i2c_vidiocschan(btv); + } + +@@ -1423,7 +1423,7 @@ static void bttv_reinit_bt848(struct btt + + init_bt848(btv); + btv->pll.pll_current = -1; +- set_input(btv,btv->input); ++ set_input(btv, btv->input, btv->tvnorm); + } + + static int get_control(struct bttv *btv, struct v4l2_control *c) +@@ -1993,8 +1993,7 @@ static int bttv_common_ioctls(struct btt + return 0; + } + +- btv->tvnorm = v->norm; +- set_input(btv,v->channel); ++ set_input(btv, v->channel, v->norm); + mutex_unlock(&btv->lock); + return 0; + } +@@ -2130,7 +2129,7 @@ static int bttv_common_ioctls(struct btt + if (*i > bttv_tvcards[btv->c.type].video_inputs) + return -EINVAL; + mutex_lock(&btv->lock); +- set_input(btv,*i); ++ set_input(btv, *i, btv->tvnorm); + mutex_unlock(&btv->lock); + return 0; + } +@@ -4762,7 +4761,7 @@ static int __devinit bttv_probe(struct p + bt848_hue(btv,32768); + bt848_sat(btv,32768); + audio_mute(btv, 1); +- set_input(btv,0); ++ set_input(btv, 0, btv->tvnorm); + bttv_crop_reset(&btv->crop[0], btv->tvnorm); + btv->crop[1] = btv->crop[0]; /* current = default */ + disclaim_vbi_lines(btv); + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:19 2007 +Message-Id: <20070731042619.372908889@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:34 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + v4l-dvb-maintainer@linuxtv.org, + jelle@foks.8m.com, + Mauro Carvalho Chehab , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 26/26] V4L: cx88-blackbird: fix vidioc_g_tuner never ending list of tuners +Content-Disposition: inline; filename=v4l-cx88-blackbird-fix-vidioc_g_tuner-never-ending-list-of-tuners.patch +Content-Length: 1268 +Lines: 40 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jelle Foks + +v4l-info and other programs would loop indefinitely while querying the +tuners for cx88-blackbird cards. + +The cause was that vidioc_g_tuner didn't return an error value for +qctrl->id != 0, making the application think there is a never ending +list of tuners... + +This patch adds the same index check as done in vidioc_g_tuner() in +cx88-video. + +Signed-off-by: Jelle Foks +Signed-off-by: Michael Krufky +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- +(cherry picked from commit f057131fb6eb2c45f6023e3da41ccd6e4e71aee9) + + drivers/media/video/cx88/cx88-blackbird.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- linux-2.6.21.6.orig/drivers/media/video/cx88/cx88-blackbird.c ++++ linux-2.6.21.6/drivers/media/video/cx88/cx88-blackbird.c +@@ -1034,6 +1034,8 @@ static int vidioc_g_tuner (struct file * + + if (unlikely(UNSET == core->tuner_type)) + return -EINVAL; ++ if (0 != t->index) ++ return -EINVAL; + + strcpy(t->name, "Television"); + t->type = V4L2_TUNER_ANALOG_TV; + +-- + +From greg@blue.kroah.org Mon Jul 30 21:26:14 2007 +Message-Id: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:08 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk +Subject: [patch 00/26] 2.6.21.7 -stable review +Content-Length: 921 +Lines: 21 + +Very sorry for the long delay in getting these out, it should be the +last 2.6.21-stable release, unless there are some patches that people +point out to us that deserve a new .21.y release. + +This is the start of the stable review cycle for the 2.6.21.7 release. +There are 26 patches in this series, all will be posted as a response to +this one. If anyone has any issues with these being applied, please let +us know. If anyone is a maintainer of the proper subsystem, and wants +to add a Signed-off-by: line to the patch, please respond with it. + +These patches are sent out with a number of different people on the +Cc: line. If you wish to be a reviewer, please email stable@kernel.org +to add your name to the list. If you want to be off the reviewer list, +also email us. + +Responses should be made by August 2, 2007, 00:00:00 UTC. Anything +received after that time might be too late. + +thanks, + +the -stable release team + +From greg@blue.kroah.org Mon Jul 30 21:26:16 2007 +Message-Id: <20070731042616.344878672@blue.kroah.org> +References: <20070731042108.546594256@blue.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 30 Jul 2007 21:21:19 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + agk@redhat.com, + Olaf Kirch , + Jens Axboe , + Chris Wright , + Greg Kroah-Hartman +Subject: [patch 11/26] dm crypt: fix avoid cloned bio ref after free +Content-Disposition: inline; filename=dm-crypt-fix-avoid-cloned-bio-ref-after-free.patch +In-Reply-To: <20070731043047.GA3975@kroah.com> +Content-Length: 1282 +Lines: 42 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Olaf Kirch + +Do not access the bio after generic_make_request + +We should never access a bio after generic_make_request - there's no guarantee +it still exists. + +Signed-off-by: Olaf Kirch +Signed-off-by: Alasdair G Kergon +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- +Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=98221eb757de03d9aa6262b1eded2be708640ccc + + drivers/md/dm-crypt.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- linux-2.6.21.6.orig/drivers/md/dm-crypt.c ++++ linux-2.6.21.6/drivers/md/dm-crypt.c +@@ -655,9 +655,12 @@ static void process_write(struct crypt_i + + generic_make_request(clone); + ++ /* Do not reference clone after this - it ++ * may be gone already. */ ++ + /* out of memory -> run queues */ + if (remaining) +- congestion_wait(bio_data_dir(clone), HZ/100); ++ congestion_wait(WRITE, HZ/100); + } + } + + +-- + diff --git a/queue-2.6.21/md-fix-bug-in-error-handling-during-raid1-repair.patch b/review-2.6.21/md-fix-bug-in-error-handling-during-raid1-repair.patch similarity index 100% rename from queue-2.6.21/md-fix-bug-in-error-handling-during-raid1-repair.patch rename to review-2.6.21/md-fix-bug-in-error-handling-during-raid1-repair.patch diff --git a/queue-2.6.21/md-fix-two-raid10-bugs.patch b/review-2.6.21/md-fix-two-raid10-bugs.patch similarity index 100% rename from queue-2.6.21/md-fix-two-raid10-bugs.patch rename to review-2.6.21/md-fix-two-raid10-bugs.patch diff --git a/queue-2.6.21/mm-kill-validate_anon_vma-to-avoid-mapcount-bug.patch b/review-2.6.21/mm-kill-validate_anon_vma-to-avoid-mapcount-bug.patch similarity index 100% rename from queue-2.6.21/mm-kill-validate_anon_vma-to-avoid-mapcount-bug.patch rename to review-2.6.21/mm-kill-validate_anon_vma-to-avoid-mapcount-bug.patch diff --git a/queue-2.6.21/ntp-remove-clock_was_set-call-to-prevent-deadlock.patch b/review-2.6.21/ntp-remove-clock_was_set-call-to-prevent-deadlock.patch similarity index 100% rename from queue-2.6.21/ntp-remove-clock_was_set-call-to-prevent-deadlock.patch rename to review-2.6.21/ntp-remove-clock_was_set-call-to-prevent-deadlock.patch diff --git a/queue-2.6.21/pi-futex-fix-exit-races-and-locking-problems.patch b/review-2.6.21/pi-futex-fix-exit-races-and-locking-problems.patch similarity index 100% rename from queue-2.6.21/pi-futex-fix-exit-races-and-locking-problems.patch rename to review-2.6.21/pi-futex-fix-exit-races-and-locking-problems.patch diff --git a/queue-2.6.21/posix-timers-prevent-softirq-starvation-by-small-intervals-and-sig_ign.patch b/review-2.6.21/posix-timers-prevent-softirq-starvation-by-small-intervals-and-sig_ign.patch similarity index 100% rename from queue-2.6.21/posix-timers-prevent-softirq-starvation-by-small-intervals-and-sig_ign.patch rename to review-2.6.21/posix-timers-prevent-softirq-starvation-by-small-intervals-and-sig_ign.patch diff --git a/queue-2.6.21/powerpc-fix-subtle-fp-state-corruption-bug-in-signal-return-on-smp.patch b/review-2.6.21/powerpc-fix-subtle-fp-state-corruption-bug-in-signal-return-on-smp.patch similarity index 100% rename from queue-2.6.21/powerpc-fix-subtle-fp-state-corruption-bug-in-signal-return-on-smp.patch rename to review-2.6.21/powerpc-fix-subtle-fp-state-corruption-bug-in-signal-return-on-smp.patch diff --git a/queue-2.6.21/rt-mutex-fix-chain-walk-early-wakeup-bug.patch b/review-2.6.21/rt-mutex-fix-chain-walk-early-wakeup-bug.patch similarity index 100% rename from queue-2.6.21/rt-mutex-fix-chain-walk-early-wakeup-bug.patch rename to review-2.6.21/rt-mutex-fix-chain-walk-early-wakeup-bug.patch diff --git a/queue-2.6.21/rt-mutex-fix-stale-return-value.patch b/review-2.6.21/rt-mutex-fix-stale-return-value.patch similarity index 100% rename from queue-2.6.21/rt-mutex-fix-stale-return-value.patch rename to review-2.6.21/rt-mutex-fix-stale-return-value.patch diff --git a/queue-2.6.21/saa7134-fix-thread-shutdown-handling.patch b/review-2.6.21/saa7134-fix-thread-shutdown-handling.patch similarity index 100% rename from queue-2.6.21/saa7134-fix-thread-shutdown-handling.patch rename to review-2.6.21/saa7134-fix-thread-shutdown-handling.patch diff --git a/queue-2.6.21/sched-fix-next_interval-determination-in-idle_balance.patch b/review-2.6.21/sched-fix-next_interval-determination-in-idle_balance.patch similarity index 100% rename from queue-2.6.21/sched-fix-next_interval-determination-in-idle_balance.patch rename to review-2.6.21/sched-fix-next_interval-determination-in-idle_balance.patch diff --git a/queue-2.6.21/serial-clear-proper-mpsc-interrupt-cause-bits.patch b/review-2.6.21/serial-clear-proper-mpsc-interrupt-cause-bits.patch similarity index 100% rename from queue-2.6.21/serial-clear-proper-mpsc-interrupt-cause-bits.patch rename to review-2.6.21/serial-clear-proper-mpsc-interrupt-cause-bits.patch diff --git a/queue-2.6.21/series b/review-2.6.21/series similarity index 100% rename from queue-2.6.21/series rename to review-2.6.21/series diff --git a/queue-2.6.21/sky2-workaround-for-lost-irq.patch b/review-2.6.21/sky2-workaround-for-lost-irq.patch similarity index 100% rename from queue-2.6.21/sky2-workaround-for-lost-irq.patch rename to review-2.6.21/sky2-workaround-for-lost-irq.patch diff --git a/queue-2.6.21/v4l-bttv-fix-v4l1-api-usage-breaking-the-driver.patch b/review-2.6.21/v4l-bttv-fix-v4l1-api-usage-breaking-the-driver.patch similarity index 100% rename from queue-2.6.21/v4l-bttv-fix-v4l1-api-usage-breaking-the-driver.patch rename to review-2.6.21/v4l-bttv-fix-v4l1-api-usage-breaking-the-driver.patch diff --git a/queue-2.6.21/v4l-cx88-blackbird-fix-vidioc_g_tuner-never-ending-list-of-tuners.patch b/review-2.6.21/v4l-cx88-blackbird-fix-vidioc_g_tuner-never-ending-list-of-tuners.patch similarity index 100% rename from queue-2.6.21/v4l-cx88-blackbird-fix-vidioc_g_tuner-never-ending-list-of-tuners.patch rename to review-2.6.21/v4l-cx88-blackbird-fix-vidioc_g_tuner-never-ending-list-of-tuners.patch