--- /dev/null
+From stable-bounces@linux.kernel.org Sat Jun 23 17:25:29 2007
+Message-Id: <200706240016.l5O0GlIh030858@imap1.linux-foundation.org>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Sat, 23 Jun 2007 17:16:47 -0700
+Cc: akpm@linux-foundation.org, tonyj@suse.de, viro@zeniv.linux.org.uk
+Subject: audit: fix oops removing watch if audit disabled
+
+From: Tony Jones <tonyj@suse.de>
+
+Removing a watched file will oops if audit is disabled (auditctl -e 0).
+
+To reproduce:
+- auditctl -e 1
+- touch /tmp/foo
+- auditctl -w /tmp/foo
+- auditctl -e 0
+- rm /tmp/foo (or mv)
+
+Signed-off-by: Tony Jones <tonyj@suse.de>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ kernel/auditfilter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.21.6.orig/kernel/auditfilter.c
++++ linux-2.6.21.6/kernel/auditfilter.c
+@@ -905,7 +905,7 @@ static void audit_update_watch(struct au
+
+ /* If the update involves invalidating rules, do the inode-based
+ * filtering now, so we don't omit records. */
+- if (invalidating &&
++ if (invalidating && current->audit_context &&
+ audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT)
+ audit_set_auditable(current->audit_context);
+
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Jun 13 12:56:49 2007
+Message-ID: <46704BF7.4010104@redhat.com>
+Date: Wed, 13 Jun 2007 15:56:39 -0400
+From: Chuck Ebbert <cebbert@redhat.com>
+To: stable@kernel.org
+Cc: Dave Jones <davej@redhat.com>, agk@redhat.com
+Subject: dm crypt: disable barriers
+
+From: Milan Broz <mbroz@redhat.com>
+
+Disable barriers in dm-crypt because of current workqueue processing can
+reorder requests.
+
+This must be addresed later but for now disabling barriers is needed to
+prevent data corruption.
+
+Signed-off-by: Milan Broz <mbroz@redhat.com>
+Signed-off-by: Alasdair G Kergon <agk@redhat.com>
+Cc: Jens Axboe <jens.axboe@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9c89f8be1a7d14aad9d2c3f7d90d7d88f82c61e2
+
+ drivers/md/dm-crypt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- linux-2.6.21.6.orig/drivers/md/dm-crypt.c
++++ linux-2.6.21.6/drivers/md/dm-crypt.c
+@@ -954,6 +954,9 @@ static int crypt_map(struct dm_target *t
+ struct crypt_config *cc = ti->private;
+ struct crypt_io *io;
+
++ if (bio_barrier(bio))
++ return -EOPNOTSUPP;
++
+ io = mempool_alloc(cc->io_pool, GFP_NOIO);
+ io->target = ti;
+ io->base_bio = bio;
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Jun 13 12:59:23 2007
+Message-ID: <46704C94.7050903@redhat.com>
+Date: Wed, 13 Jun 2007 15:59:16 -0400
+From: Chuck Ebbert <cebbert@redhat.com>
+To: stable@kernel.org
+Cc: Dave Jones <davej@redhat.com>, agk@redhat.com
+Subject: dm crypt: fix avoid cloned bio ref after free
+
+From: Olaf Kirch <olaf.kirch@oracle.com>
+
+Do not access the bio after generic_make_request
+
+We should never access a bio after generic_make_request - there's no guarantee
+it still exists.
+
+Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com>
+Signed-off-by: Alasdair G Kergon <agk@redhat.com>
+Cc: Jens Axboe <jens.axboe@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=98221eb757de03d9aa6262b1eded2be708640ccc
+
+ drivers/md/dm-crypt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- linux-2.6.21.6.orig/drivers/md/dm-crypt.c
++++ linux-2.6.21.6/drivers/md/dm-crypt.c
+@@ -655,9 +655,12 @@ static void process_write(struct crypt_i
+
+ generic_make_request(clone);
+
++ /* Do not reference clone after this - it
++ * may be gone already. */
++
+ /* out of memory -> run queues */
+ if (remaining)
+- congestion_wait(bio_data_dir(clone), HZ/100);
++ congestion_wait(WRITE, HZ/100);
+ }
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Jun 13 12:57:56 2007
+Message-ID: <46704C3E.20608@redhat.com>
+Date: Wed, 13 Jun 2007 15:57:50 -0400
+From: Chuck Ebbert <cebbert@redhat.com>
+To: stable@kernel.org
+Cc: Dave Jones <davej@redhat.com>, agk@redhat.com
+Subject: dm crypt: fix call to clone_init
+
+From: Olaf Kirch <olaf.kirch@oracle.com>
+
+Call clone_init early
+
+We need to call clone_init as early as possible - at least before call
+bio_put(clone) in any error path. Otherwise, the destructor will try to
+dereference bi_private, which may still be NULL.
+
+Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com>
+Signed-off-by: Alasdair G Kergon <agk@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=027581f3515b5ec2218847dab578afa439a9d6b9
+
+ drivers/md/dm-crypt.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- linux-2.6.21.6.orig/drivers/md/dm-crypt.c
++++ linux-2.6.21.6/drivers/md/dm-crypt.c
+@@ -107,6 +107,8 @@ struct crypt_config {
+
+ static struct kmem_cache *_crypt_io_pool;
+
++static void clone_init(struct crypt_io *, struct bio *);
++
+ /*
+ * Different IV generation algorithms:
+ *
+@@ -379,9 +381,10 @@ static int crypt_convert(struct crypt_co
+ * May return a smaller bio when running out of pages
+ */
+ static struct bio *
+-crypt_alloc_buffer(struct crypt_config *cc, unsigned int size,
++crypt_alloc_buffer(struct crypt_io *io, unsigned int size,
+ struct bio *base_bio, unsigned int *bio_vec_idx)
+ {
++ struct crypt_config *cc = io->target->private;
+ struct bio *clone;
+ unsigned int nr_iovecs = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ gfp_t gfp_mask = GFP_NOIO | __GFP_HIGHMEM;
+@@ -396,7 +399,7 @@ crypt_alloc_buffer(struct crypt_config *
+ if (!clone)
+ return NULL;
+
+- clone->bi_destructor = dm_crypt_bio_destructor;
++ clone_init(io, clone);
+
+ /* if the last bio was not complete, continue where that one ended */
+ clone->bi_idx = *bio_vec_idx;
+@@ -562,6 +565,7 @@ static void clone_init(struct crypt_io *
+ clone->bi_end_io = crypt_endio;
+ clone->bi_bdev = cc->dev->bdev;
+ clone->bi_rw = io->base_bio->bi_rw;
++ clone->bi_destructor = dm_crypt_bio_destructor;
+ }
+
+ static void process_read(struct crypt_io *io)
+@@ -585,7 +589,6 @@ static void process_read(struct crypt_io
+ }
+
+ clone_init(io, clone);
+- clone->bi_destructor = dm_crypt_bio_destructor;
+ clone->bi_idx = 0;
+ clone->bi_vcnt = bio_segments(base_bio);
+ clone->bi_size = base_bio->bi_size;
+@@ -615,7 +618,7 @@ static void process_write(struct crypt_i
+ * so repeat the whole process until all the data can be handled.
+ */
+ while (remaining) {
+- clone = crypt_alloc_buffer(cc, base_bio->bi_size,
++ clone = crypt_alloc_buffer(io, base_bio->bi_size,
+ io->first_clone, &bvec_idx);
+ if (unlikely(!clone)) {
+ dec_pending(io, -ENOMEM);
+@@ -631,7 +634,6 @@ static void process_write(struct crypt_i
+ return;
+ }
+
+- clone_init(io, clone);
+ clone->bi_sector = cc->start + sector;
+
+ if (!io->first_clone) {
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Jun 13 13:00:52 2007
+Message-ID: <46704CDE.50004@redhat.com>
+Date: Wed, 13 Jun 2007 16:00:30 -0400
+From: Chuck Ebbert <cebbert@redhat.com>
+To: stable@kernel.org
+Cc: Dave Jones <davej@redhat.com>, agk@redhat.com
+Subject: dm crypt: fix remove first_clone
+
+From: Olaf Kirch <olaf.kirch@oracle.com>
+
+Get rid of first_clone in dm-crypt
+
+This gets rid of first_clone, which is not really needed. Apparently, cloned
+bios used to share their bvec some time way in the past - this is no longer
+the case. Contrarily, this even hurts us if we try to create a clone off
+first_clone after it has completed, and crypt_endio has destroyed its bvec.
+
+Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com>
+Signed-off-by: Alasdair G Kergon <agk@redhat.com>
+Cc: Jens Axboe <jens.axboe@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2f9941b6c55d70103c1bc3f2c7676acd9f20bf8a
+
+ drivers/md/dm-crypt.c | 34 ++++++----------------------------
+ 1 file changed, 6 insertions(+), 28 deletions(-)
+
+--- linux-2.6.21.6.orig/drivers/md/dm-crypt.c
++++ linux-2.6.21.6/drivers/md/dm-crypt.c
+@@ -33,7 +33,6 @@
+ struct crypt_io {
+ struct dm_target *target;
+ struct bio *base_bio;
+- struct bio *first_clone;
+ struct work_struct work;
+ atomic_t pending;
+ int error;
+@@ -380,9 +379,8 @@ static int crypt_convert(struct crypt_co
+ * This should never violate the device limitations
+ * May return a smaller bio when running out of pages
+ */
+-static struct bio *
+-crypt_alloc_buffer(struct crypt_io *io, unsigned int size,
+- struct bio *base_bio, unsigned int *bio_vec_idx)
++static struct bio *crypt_alloc_buffer(struct crypt_io *io, unsigned int size,
++ unsigned int *bio_vec_idx)
+ {
+ struct crypt_config *cc = io->target->private;
+ struct bio *clone;
+@@ -390,12 +388,7 @@ crypt_alloc_buffer(struct crypt_io *io,
+ gfp_t gfp_mask = GFP_NOIO | __GFP_HIGHMEM;
+ unsigned int i;
+
+- if (base_bio) {
+- clone = bio_alloc_bioset(GFP_NOIO, base_bio->bi_max_vecs, cc->bs);
+- __bio_clone(clone, base_bio);
+- } else
+- clone = bio_alloc_bioset(GFP_NOIO, nr_iovecs, cc->bs);
+-
++ clone = bio_alloc_bioset(GFP_NOIO, nr_iovecs, cc->bs);
+ if (!clone)
+ return NULL;
+
+@@ -498,9 +491,6 @@ static void dec_pending(struct crypt_io
+ if (!atomic_dec_and_test(&io->pending))
+ return;
+
+- if (io->first_clone)
+- bio_put(io->first_clone);
+-
+ bio_endio(io->base_bio, io->base_bio->bi_size, io->error);
+
+ mempool_free(io, cc->io_pool);
+@@ -618,8 +608,7 @@ static void process_write(struct crypt_i
+ * so repeat the whole process until all the data can be handled.
+ */
+ while (remaining) {
+- clone = crypt_alloc_buffer(io, base_bio->bi_size,
+- io->first_clone, &bvec_idx);
++ clone = crypt_alloc_buffer(io, base_bio->bi_size, &bvec_idx);
+ if (unlikely(!clone)) {
+ dec_pending(io, -ENOMEM);
+ return;
+@@ -635,21 +624,11 @@ static void process_write(struct crypt_i
+ }
+
+ clone->bi_sector = cc->start + sector;
+-
+- if (!io->first_clone) {
+- /*
+- * hold a reference to the first clone, because it
+- * holds the bio_vec array and that can't be freed
+- * before all other clones are released
+- */
+- bio_get(clone);
+- io->first_clone = clone;
+- }
+-
+ remaining -= clone->bi_size;
+ sector += bio_sectors(clone);
+
+- /* prevent bio_put of first_clone */
++ /* Grab another reference to the io struct
++ * before we kick off the request */
+ if (remaining)
+ atomic_inc(&io->pending);
+
+@@ -965,7 +944,6 @@ static int crypt_map(struct dm_target *t
+ io = mempool_alloc(cc->io_pool, GFP_NOIO);
+ io->target = ti;
+ io->base_bio = bio;
+- io->first_clone = NULL;
+ io->error = io->post_process = 0;
+ atomic_set(&io->pending, 0);
+ kcryptd_queue_io(io);
--- /dev/null
+From stable-bounces@linux.kernel.org Sat Jun 23 02:48:55 2007
+From: Thomas Gleixner <tglx@linutronix.de>
+To: torvalds@osdl.org
+Date: Sat, 23 Jun 2007 11:48:40 +0200
+Message-Id: <1182592120.20203.181.camel@chaos>
+Cc: akpm@osdl.org, drepper@redhat.com, mingo@elte.hu
+Subject: FUTEX: Restore the dropped ERSCH fix
+
+The return value of futex_find_get_task() needs to be -ESRCH in case
+that the search fails. This was part of the original futex fixes and
+got accidentally dropped, when the futex-tidy-up patch was split out.
+
+Results in a NULL pointer dereference in case the search fails.
+
+Restore it.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Ulrich Drepper <drepper@redhat.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ kernel/futex.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- linux-2.6.21.6.orig/kernel/futex.c
++++ linux-2.6.21.6/kernel/futex.c
+@@ -390,14 +390,12 @@ static struct task_struct * futex_find_g
+
+ rcu_read_lock();
+ p = find_task_by_pid(pid);
+- if (!p)
+- goto out_unlock;
+- if ((current->euid != p->euid) && (current->euid != p->uid)) {
+- p = NULL;
+- goto out_unlock;
+- }
+- get_task_struct(p);
+-out_unlock:
++
++ if (!p || ((current->euid != p->euid) && (current->euid != p->uid)))
++ p = ERR_PTR(-ESRCH);
++ else
++ get_task_struct(p);
++
+ rcu_read_unlock();
+
+ return p;
--- /dev/null
+From stable-bounces@linux.kernel.org Sat Jun 16 10:24:40 2007
+Message-Id: <200706161716.l5GHGGIP019702@imap1.linux-foundation.org>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Sat, 16 Jun 2007 10:16:15 -0700
+Cc: dean@arctic.org, ak@suse.de, agl@us.ibm.com, akpm@linux-foundation.org, stable@kernel.org, bill.irwin@oracle.com, clameter@sgi.com
+Subject: hugetlb: fix get_policy for stacked shared memory files
+
+From: Adam Litke <agl@us.ibm.com>
+
+Here's another breakage as a result of shared memory stacked files :(
+
+The NUMA policy for a VMA is determined by checking the following (in the
+order given):
+
+1) vma->vm_ops->get_policy() (if defined)
+2) vma->vm_policy (if defined)
+3) task->mempolicy (if defined)
+4) Fall back to default_policy
+
+By switching to stacked files for shared memory, get_policy() is now always
+set to shm_get_policy which is a wrapper function. This causes us to stop
+at step 1, which yields NULL for hugetlb instead of task->mempolicy which
+was the previous (and correct) result.
+
+This patch modifies the shm_get_policy() wrapper to maintain steps 1-3 for
+the wrapped vm_ops.
+
+(akpm: the refcounting of mempolicies is busted and this patch does nothing to
+improve it)
+
+Signed-off-by: Adam Litke <agl@us.ibm.com>
+Acked-by: William Irwin <bill.irwin@oracle.com>
+Cc: dean gaudet <dean@arctic.org>
+Cc: Christoph Lameter <clameter@sgi.com>
+Cc: Andi Kleen <ak@suse.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ ipc/shm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- linux-2.6.21.6.orig/ipc/shm.c
++++ linux-2.6.21.6/ipc/shm.c
+@@ -254,8 +254,10 @@ struct mempolicy *shm_get_policy(struct
+
+ if (sfd->vm_ops->get_policy)
+ pol = sfd->vm_ops->get_policy(vma, addr);
+- else
++ else if (vma->vm_policy)
+ pol = vma->vm_policy;
++ else
++ pol = current->mempolicy;
+ return pol;
+ }
+ #endif
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Jul 2 13:54:04 2007
+Message-ID: <468965D8.7020405@windriver.com>
+Date: Mon, 02 Jul 2007 15:53:44 -0500
+From: Jason Wessel <jason.wessel@windriver.com>
+To: stable@kernel.org
+Subject: i386: fix infinite loop with singlestep int80 syscalls
+
+The commit 635cf99a80f4ebee59d70eb64bb85ce829e4591f introduced a
+regression. Executing a ptrace single step after certain int80
+accesses will infinitely loop and never advance the PC.
+
+The TIF_SINGLESTEP check should be done on the return from the syscall
+and not before it.
+
+The new test case is below:
+
+/* Test whether singlestep through an int80 syscall works.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <sys/mman.h>
+#include <asm/user.h>
+#include <string.h>
+
+static int child, status;
+static struct user_regs_struct regs;
+
+static void do_child()
+{
+ char str[80] = "child: int80 test\n";
+
+ ptrace(PTRACE_TRACEME, 0, 0, 0);
+ kill(getpid(), SIGUSR1);
+ write(fileno(stdout),str,strlen(str));
+ asm ("int $0x80" : : "a" (20)); /* getpid */
+}
+
+static void do_parent()
+{
+ unsigned long eip, expected = 0;
+again:
+ waitpid(child, &status, 0);
+ if (WIFEXITED(status) || WIFSIGNALED(status))
+ return;
+
+ if (WIFSTOPPED(status)) {
+ ptrace(PTRACE_GETREGS, child, 0, ®s);
+ eip = regs.eip;
+ if (expected)
+ fprintf(stderr, "child stop @ %08lx, expected %08lx %s\n",
+ eip, expected,
+ eip == expected ? "" : " <== ERROR");
+
+ if (*(unsigned short *)eip == 0x80cd) {
+ fprintf(stderr, "int 0x80 at %08x\n", (unsigned int)eip);
+ expected = eip + 2;
+ } else
+ expected = 0;
+
+ ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);
+ }
+ goto again;
+}
+
+int main(int argc, char * const argv[])
+{
+ child = fork();
+ if (child)
+ do_parent();
+ else
+ do_child();
+ return 0;
+}
+
+
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Cc: Jeremy Fitzhardinge <jeremy@goop.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ arch/i386/kernel/entry.S | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- linux-2.6.21.6.orig/arch/i386/kernel/entry.S
++++ linux-2.6.21.6/arch/i386/kernel/entry.S
+@@ -371,10 +371,6 @@ ENTRY(system_call)
+ CFI_ADJUST_CFA_OFFSET 4
+ SAVE_ALL
+ GET_THREAD_INFO(%ebp)
+- testl $TF_MASK,PT_EFLAGS(%esp)
+- jz no_singlestep
+- orl $_TIF_SINGLESTEP,TI_flags(%ebp)
+-no_singlestep:
+ # system call tracing in operation / emulation
+ /* Note, _TIF_SECCOMP is bit number 8, and so it needs testw and not testb */
+ testw $(_TIF_SYSCALL_EMU|_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT),TI_flags(%ebp)
+@@ -389,6 +385,10 @@ syscall_exit:
+ # setting need_resched or sigpending
+ # between sampling and the iret
+ TRACE_IRQS_OFF
++ testl $TF_MASK,PT_EFLAGS(%esp) # If tracing set singlestep flag on exit
++ jz no_singlestep
++ orl $_TIF_SINGLESTEP,TI_flags(%ebp)
++no_singlestep:
+ movl TI_flags(%ebp), %ecx
+ testw $_TIF_ALLWORK_MASK, %cx # current->work
+ jne syscall_exit_work
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Jun 11 18:09:47 2007
+From: NeilBrown <neilb@suse.de>
+To: Andrew Morton <akpm@linux-foundation.org>
+Date: Tue, 12 Jun 2007 11:09:35 +1000
+Message-Id: <1070612010935.25370@suse.de>
+Cc: linux-raid@vger.kernel.org, neilb@suse.de
+Subject: md: Fix bug in error handling during raid1 repair.
+
+From: Mike Accetta <maccetta@laurelnetworks.com>
+
+If raid1/repair (which reads all block and fixes any differences
+it finds) hits a read error, it doesn't reset the bio for writing
+before writing correct data back, so the read error isn't fixed,
+and the device probably gets a zero-length write which it might
+complain about.
+
+Signed-off-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ drivers/md/raid1.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff .prev/drivers/md/raid1.c ./drivers/md/raid1.c
+--- linux-2.6.21.6.orig/drivers/md/raid1.c
++++ linux-2.6.21.6/drivers/md/raid1.c
+@@ -1240,17 +1240,24 @@ static void sync_request_write(mddev_t *
+ }
+ r1_bio->read_disk = primary;
+ for (i=0; i<mddev->raid_disks; i++)
+- if (r1_bio->bios[i]->bi_end_io == end_sync_read &&
+- test_bit(BIO_UPTODATE, &r1_bio->bios[i]->bi_flags)) {
++ if (r1_bio->bios[i]->bi_end_io == end_sync_read) {
+ int j;
+ int vcnt = r1_bio->sectors >> (PAGE_SHIFT- 9);
+ struct bio *pbio = r1_bio->bios[primary];
+ struct bio *sbio = r1_bio->bios[i];
+- for (j = vcnt; j-- ; )
+- if (memcmp(page_address(pbio->bi_io_vec[j].bv_page),
+- page_address(sbio->bi_io_vec[j].bv_page),
+- PAGE_SIZE))
+- break;
++
++ if (test_bit(BIO_UPTODATE, &sbio->bi_flags)) {
++ for (j = vcnt; j-- ; ) {
++ struct page *p, *s;
++ p = pbio->bi_io_vec[j].bv_page;
++ s = sbio->bi_io_vec[j].bv_page;
++ if (memcmp(page_address(p),
++ page_address(s),
++ PAGE_SIZE))
++ break;
++ }
++ } else
++ j = 0;
+ if (j >= 0)
+ mddev->resync_mismatches += r1_bio->sectors;
+ if (j < 0 || test_bit(MD_RECOVERY_CHECK, &mddev->recovery)) {
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Jun 11 18:09:50 2007
+From: NeilBrown <neilb@suse.de>
+To: Andrew Morton <akpm@linux-foundation.org>
+Date: Tue, 12 Jun 2007 11:09:29 +1000
+Message-Id: <1070612010929.25355@suse.de>
+Cc: linux-raid@vger.kernel.org, neilb@suse.de
+Subject: md: Fix two raid10 bugs.
+
+1/ When resyncing a degraded raid10 which has more than 2 copies of each block,
+ garbage can get synced on top of good data.
+
+2/ We round the wrong way in part of the device size calculation, which
+ can cause confusion.
+
+Signed-off-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ drivers/md/raid10.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff .prev/drivers/md/raid10.c ./drivers/md/raid10.c
+--- linux-2.6.21.6.orig/drivers/md/raid10.c
++++ linux-2.6.21.6/drivers/md/raid10.c
+@@ -1867,6 +1867,7 @@ static sector_t sync_request(mddev_t *md
+ int d = r10_bio->devs[i].devnum;
+ bio = r10_bio->devs[i].bio;
+ bio->bi_end_io = NULL;
++ clear_bit(BIO_UPTODATE, &bio->bi_flags);
+ if (conf->mirrors[d].rdev == NULL ||
+ test_bit(Faulty, &conf->mirrors[d].rdev->flags))
+ continue;
+@@ -2037,6 +2038,11 @@ static int run(mddev_t *mddev)
+ /* 'size' is now the number of chunks in the array */
+ /* calculate "used chunks per device" in 'stride' */
+ stride = size * conf->copies;
++
++ /* We need to round up when dividing by raid_disks to
++ * get the stride size.
++ */
++ stride += conf->raid_disks - 1;
+ sector_div(stride, conf->raid_disks);
+ mddev->size = stride << (conf->chunk_shift-1);
+
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Jun 27 14:10:34 2007
+Message-Id: <200706272109.l5RL9rWw007129@imap1.linux-foundation.org>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Wed, 27 Jun 2007 14:09:53 -0700
+Cc: npiggin@suse.de, petr@vmware.com, andrea@suse.de, hugh@veritas.com, akpm@linux-foundation.org, stable@kernel.org
+Subject: mm: kill validate_anon_vma to avoid mapcount BUG
+
+From: Hugh Dickins <hugh@veritas.com>
+
+validate_anon_vma gave a useful check on the integrity of the anon_vma list
+when Andrea was developing obj rmap; but it was not enabled in SLES9
+itself, nor in mainline, until Nick changed commented-out RMAP_DEBUG to
+configurable CONFIG_DEBUG_VM in 2.6.17. Now Petr Vandrovec reports that
+its BUG_ON(mapcount > 100000) can easily crash a CONFIG_DEBUG_VM=y system.
+
+That limit was just an arbitrary number to protect against an infinite
+loop. We could raise it to something enormous (depending on sizeof struct
+vma and size of memory?); but I rather think validate_anon_vma has outlived
+its usefulness, and is better just removed - which gives a magnificent
+performance boost to anything like Petr's test program ;)
+
+Of course, a very long anon_vma list is bad news for preemption latency,
+and I believe there has been one recent report of such: let's not forget
+that, but validate_anon_vma only makes it worse not better.
+
+Signed-off-by: Hugh Dickins <hugh@veritas.com>
+Cc: Petr Vandrovec <petr@vmware.com>
+Acked-by: Nick Piggin <npiggin@suse.de>
+Cc: Andrea Arcangeli <andrea@suse.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ mm/rmap.c | 24 +-----------------------
+ 1 file changed, 1 insertion(+), 23 deletions(-)
+
+--- linux-2.6.21.6.orig/mm/rmap.c
++++ linux-2.6.21.6/mm/rmap.c
+@@ -53,24 +53,6 @@
+
+ struct kmem_cache *anon_vma_cachep;
+
+-static inline void validate_anon_vma(struct vm_area_struct *find_vma)
+-{
+-#ifdef CONFIG_DEBUG_VM
+- struct anon_vma *anon_vma = find_vma->anon_vma;
+- struct vm_area_struct *vma;
+- unsigned int mapcount = 0;
+- int found = 0;
+-
+- list_for_each_entry(vma, &anon_vma->head, anon_vma_node) {
+- mapcount++;
+- BUG_ON(mapcount > 100000);
+- if (vma == find_vma)
+- found = 1;
+- }
+- BUG_ON(!found);
+-#endif
+-}
+-
+ /* This must be called under the mmap_sem. */
+ int anon_vma_prepare(struct vm_area_struct *vma)
+ {
+@@ -121,10 +103,8 @@ void __anon_vma_link(struct vm_area_stru
+ {
+ struct anon_vma *anon_vma = vma->anon_vma;
+
+- if (anon_vma) {
++ if (anon_vma)
+ list_add_tail(&vma->anon_vma_node, &anon_vma->head);
+- validate_anon_vma(vma);
+- }
+ }
+
+ void anon_vma_link(struct vm_area_struct *vma)
+@@ -134,7 +114,6 @@ void anon_vma_link(struct vm_area_struct
+ if (anon_vma) {
+ spin_lock(&anon_vma->lock);
+ list_add_tail(&vma->anon_vma_node, &anon_vma->head);
+- validate_anon_vma(vma);
+ spin_unlock(&anon_vma->lock);
+ }
+ }
+@@ -148,7 +127,6 @@ void anon_vma_unlink(struct vm_area_stru
+ return;
+
+ spin_lock(&anon_vma->lock);
+- validate_anon_vma(vma);
+ list_del(&vma->anon_vma_node);
+
+ /* We must garbage collect the anon_vma if it's empty */
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jul 3 12:02:14 2007
+From: Thomas Gleixner <tglx@linutronix.de>
+To: torvalds@osdl.org
+Date: Tue, 03 Jul 2007 20:05:20 +0200
+Message-Id: <1183485920.3291.28.camel@chaos>
+Cc: akpm@osdl.org, johnstul@us.ibm.com, linux-kernel@vger.kernel.org, davej@redhat.com, mingo@elte.hu, Vincent.Fortier1@EC.GC.CA
+Subject: NTP: remove clock_was_set() call to prevent deadlock
+
+The clock_was_set() call in seconds_overflow() which happens only when
+leap seconds are inserted / deleted is wrong in two aspects:
+
+1. it results in a call to on_each_cpu() with interrupts disabled
+2. it is potential deadlock source vs. call_lock in smp_call_function()
+
+The only possible side effect of the removal might be, that an absolute
+CLOCK_REALTIME timer fires 1 second too late, in the rare case of leap
+second deletion and an absolute CLOCK_REALTIME timer which expires in
+the affected time frame. It will never fire too early.
+
+This was probably observed by the reporter of a June 30th -> July 1st
+hang: http://lkml.org/lkml/2007/7/3/
+
+A similar problem was observed by Dave Jones, who provided a screen shot
+with a lockdep back trace, which allowed to analyse the problem.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: john stultz <johnstul@us.ibm.com>
+Cc: Dave Jones <davej@redhat.com>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: "Fortier, Vincent" <Vincent.Fortier1@EC.GC.CA>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ kernel/time/ntp.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- linux-2.6.21.6.orig/kernel/time/ntp.c
++++ linux-2.6.21.6/kernel/time/ntp.c
+@@ -120,7 +120,6 @@ void second_overflow(void)
+ */
+ time_interpolator_update(-NSEC_PER_SEC);
+ time_state = TIME_OOP;
+- clock_was_set();
+ printk(KERN_NOTICE "Clock: inserting leap second "
+ "23:59:60 UTC\n");
+ }
+@@ -135,7 +134,6 @@ void second_overflow(void)
+ */
+ time_interpolator_update(NSEC_PER_SEC);
+ time_state = TIME_WAIT;
+- clock_was_set();
+ printk(KERN_NOTICE "Clock: deleting leap second "
+ "23:59:59 UTC\n");
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Jun 21 13:35:08 2007
+Message-Id: <20070621191927.992615568@inhelltoy.tec.linutronix.de>
+Date: Thu, 21 Jun 2007 20:45:15 -0000
+From: Thomas Gleixner <tglx@linutronix.de>
+To: torvalds@linux-foundation.org
+Cc: mingo@elte.hu, drepper@redhat.com, jan.kiszka@web.de, akpm@linux-foundation.org
+Subject: posix-timers: Prevent softirq starvation by small intervals and SIG_IGN
+
+posix-timers which deliver an ignored signal are currently rearmed in
+the timer softirq: This is necessary because the timer needs to be
+delivered again when SIG_IGN is removed. This is not a problem, when
+the interval is reasonable.
+
+With high resolution timers enabled one might arm a posix timer with a
+very small interval and ignore the signal. This might lead to a
+softirq starvation when the interval is so small that the timer is
+requeued onto the softirq pending list right away.
+
+This problem was pointed out by Jan Kiszka. Thanks Jan !
+
+The correct solution would be to stop the timer, when the signal is
+ignored and rearm it when SIG_IGN is removed. Unfortunately this
+requires modification in sigaction and involves non trivial sighand
+locking. It's too late in the release cycle for such a change.
+
+For now we just keep the timer running and enforce that the timer only
+fires every jiffie. This does not break anything as we keep the
+overrun counter correct. It adds a little inaccuracy to the
+timer_gettime() interface, but...
+
+The more complex change is necessary anyway to fix another short
+coming of the current implementation, which I discovered while looking
+at this problem: A pending signal is discarded when SIG_IGN is set. In
+case that a posixtimer signal is pending then it is discarded as well,
+but when SIG_IGN is removed later nothing rearms the timer. This is
+not new, it's that way since posix timers have been merged. So nothing
+to worry about right now.
+
+I have a working solution to fix all of this, but the impact is too
+large for both stable and 2.6.22. I'm going to send it out for review
+in the next days.
+
+This should go into 2.6.21.stable as well.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Ingo Molnar <mingo@elte.hu>
+Cc: Jan Kiszka <jan.kiszka@web.de>
+Cc: Ulrich Drepper <drepper@redhat.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+---
+ kernel/posix-timers.c | 35 +++++++++++++++++++++++++++++++++--
+ 1 file changed, 33 insertions(+), 2 deletions(-)
+
+--- linux-2.6.21.6.orig/kernel/posix-timers.c
++++ linux-2.6.21.6/kernel/posix-timers.c
+@@ -354,9 +354,40 @@ static enum hrtimer_restart posix_timer_
+ * it should be restarted.
+ */
+ if (timr->it.real.interval.tv64 != 0) {
++ ktime_t now = hrtimer_cb_get_time(timer);
++
++ /*
++ * FIXME: What we really want, is to stop this
++ * timer completely and restart it in case the
++ * SIG_IGN is removed. This is a non trivial
++ * change which involves sighand locking
++ * (sigh !), which we don't want to do late in
++ * the release cycle.
++ *
++ * For now we just let timers with an interval
++ * less than a jiffie expire every jiffie to
++ * avoid softirq starvation in case of SIG_IGN
++ * and a very small interval, which would put
++ * the timer right back on the softirq pending
++ * list. By moving now ahead of time we trick
++ * hrtimer_forward() to expire the timer
++ * later, while we still maintain the overrun
++ * accuracy, but have some inconsistency in
++ * the timer_gettime() case. This is at least
++ * better than a starved softirq. A more
++ * complex fix which solves also another related
++ * inconsistency is already in the pipeline.
++ */
++#ifdef CONFIG_HIGH_RES_TIMERS
++ {
++ ktime_t kj = ktime_set(0, NSEC_PER_SEC / HZ);
++
++ if (timr->it.real.interval.tv64 < kj.tv64)
++ now = ktime_add(now, kj);
++ }
++#endif
+ timr->it_overrun +=
+- hrtimer_forward(timer,
+- hrtimer_cb_get_time(timer),
++ hrtimer_forward(timer, now,
+ timr->it.real.interval);
+ ret = HRTIMER_RESTART;
+ ++timr->it_requeue_pending;
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jun 26 03:10:36 2007
+Message-ID: <18048.58884.161725.44037@cargo.ozlabs.ibm.com>
+Date: Tue, 26 Jun 2007 20:10:12 +1000
+From: Paul Mackerras <paulus@samba.org>
+To: stable@kernel.org
+Subject: POWERPC: Fix subtle FP state corruption bug in signal return on SMP
+
+This fixes a bug which can cause corruption of the floating-point state
+on return from a signal handler. If we have a signal handler that has
+used the floating-point registers, and it happens to context-switch to
+another task while copying the interrupted floating-point state from the
+user stack into the thread struct (e.g. because of a page fault, or
+because it gets preempted), the context switch code will think that the
+FP registers contain valid FP state that needs to be copied into the
+thread_struct, and will thus overwrite the values that the signal return
+code has put into the thread_struct.
+
+This can occur because we clear the MSR bits that indicate the presence
+of valid FP state after copying the state into the thread_struct. To fix
+this we just move the clearing of the MSR bits to before the copy. A
+similar potential problem also occurs with the Altivec state, and this
+fixes that in the same way.
+
+Signed-off-by: Paul Mackerras <paulus@samba.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ arch/powerpc/kernel/signal_64.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- linux-2.6.21.6.orig/arch/powerpc/kernel/signal_64.c
++++ linux-2.6.21.6/arch/powerpc/kernel/signal_64.c
+@@ -177,6 +177,13 @@ static long restore_sigcontext(struct pt
+ */
+ discard_lazy_cpu_state();
+
++ /*
++ * Force reload of FP/VEC.
++ * This has to be done before copying stuff into current->thread.fpr/vr
++ * for the reasons explained in the previous comment.
++ */
++ regs->msr &= ~(MSR_FP | MSR_FE0 | MSR_FE1 | MSR_VEC);
++
+ err |= __copy_from_user(¤t->thread.fpr, &sc->fp_regs, FP_REGS_SIZE);
+
+ #ifdef CONFIG_ALTIVEC
+@@ -198,9 +205,6 @@ static long restore_sigcontext(struct pt
+ current->thread.vrsave = 0;
+ #endif /* CONFIG_ALTIVEC */
+
+- /* Force reload of FP/VEC */
+- regs->msr &= ~(MSR_FP | MSR_FE0 | MSR_FE1 | MSR_VEC);
+-
+ return err;
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Jun 27 14:10:40 2007
+Message-Id: <200706272109.l5RL9wC5007145@imap1.linux-foundation.org>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Wed, 27 Jun 2007 14:09:58 -0700
+Cc: akpm@linux-foundation.org, jeffm@suse.com, stable@kernel.org, mchehab@infradead.org
+Subject: saa7134: fix thread shutdown handling
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+This patch changes the test for the thread pid from >= 0 to > 0.
+
+When the saa8134 driver initialization fails after a certain point, it goes
+through the complete shutdown process for the driver. Part of shutting it
+down includes tearing down the thread for tv audio.
+
+The test for tearing down the thread tests for >= 0. Since the dev
+structure is kzalloc'd, the test will always be true if we haven't tried to
+start the thread yet. We end up waiting on pid 0 to complete, which will
+never happen, so we lock up.
+
+This bug was observed in Novell Bugzilla 284718, when request_irq() failed.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Acked-by: Mauro Carvalho Chehab <mchehab@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ drivers/media/video/saa7134/saa7134-tvaudio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.21.6.orig/drivers/media/video/saa7134/saa7134-tvaudio.c
++++ linux-2.6.21.6/drivers/media/video/saa7134/saa7134-tvaudio.c
+@@ -1006,7 +1006,7 @@ int saa7134_tvaudio_init2(struct saa7134
+ int saa7134_tvaudio_fini(struct saa7134_dev *dev)
+ {
+ /* shutdown tvaudio thread */
+- if (dev->thread.pid >= 0) {
++ if (dev->thread.pid > 0) {
+ dev->thread.shutdown = 1;
+ wake_up_interruptible(&dev->thread.wq);
+ wait_for_completion(&dev->thread.exit);
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jun 19 12:39:31 2007
+Date: Tue, 19 Jun 2007 21:39:03 +0200
+From: Ingo Molnar <mingo@elte.hu>
+To: torvalds@linux-foundation.org, akpm@linux-foundation.org
+Cc: gregkh@suse.de, vatsa@linux.vnet.ibm.com, chrisw@sous-sol.org, paulmck@linux.vnet.ibm.com, clameter@sgi.com
+Message-ID: <20070619193903.GA15024@elte.hu>
+Subject: sched: fix next_interval determination in idle_balance()
+
+From: Christoph Lameter <clameter@sgi.com>
+
+Fix massive SMP imbalance on NUMA nodes observed on 2.6.21.5 with CFS.
+(and later on reproduced without CFS as well).
+
+The intervals of domains that do not have SD_BALANCE_NEWIDLE must be
+considered for the calculation of the time of the next balance.
+Otherwise we may defer rebalancing forever and nodes might stay idle for
+very long times.
+
+Siddha also spotted that the conversion of the balance interval to
+jiffies is missing. Fix that to.
+
+From: Srivatsa Vaddagiri <vatsa@linux.vnet.ibm.com>
+
+also continue the loop if !(sd->flags & SD_LOAD_BALANCE).
+
+Tested-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+
+It did in fact trigger under all three of mainline, CFS, and -rt
+including CFS -- see below for a couple of emails from last Friday
+giving results for these three on the AMD box (where it happened) and on
+a single-quad NUMA-Q system (where it did not, at least not with such
+severity).
+
+Signed-off-by: Christoph Lameter <clameter@sgi.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ kernel/sched.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+--- linux-2.6.21.6.orig/kernel/sched.c
++++ linux-2.6.21.6/kernel/sched.c
+@@ -2831,17 +2831,21 @@ static void idle_balance(int this_cpu, s
+ unsigned long next_balance = jiffies + 60 * HZ;
+
+ for_each_domain(this_cpu, sd) {
+- if (sd->flags & SD_BALANCE_NEWIDLE) {
++ unsigned long interval;
++
++ if (!(sd->flags & SD_LOAD_BALANCE))
++ continue;
++
++ if (sd->flags & SD_BALANCE_NEWIDLE)
+ /* If we've pulled tasks over stop searching: */
+ pulled_task = load_balance_newidle(this_cpu,
+- this_rq, sd);
+- if (time_after(next_balance,
+- sd->last_balance + sd->balance_interval))
+- next_balance = sd->last_balance
+- + sd->balance_interval;
+- if (pulled_task)
+- break;
+- }
++ this_rq, sd);
++
++ interval = msecs_to_jiffies(sd->balance_interval);
++ if (time_after(next_balance, sd->last_balance + interval))
++ next_balance = sd->last_balance + interval;
++ if (pulled_task)
++ break;
+ }
+ if (!pulled_task)
+ /*
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Jun 27 14:15:05 2007
+Message-Id: <200706272110.l5RLA91q007189@imap1.linux-foundation.org>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Wed, 27 Jun 2007 14:10:09 -0700
+Cc: akpm@linux-foundation.org, mgreer@mvista.com, jaylubo@motorola.com, stable@kernel.org
+Subject: serial: clear proper MPSC interrupt cause bits
+
+From: Jay Lubomirski <jaylubo@motorola.com>
+
+The interrupt clearing code in mpsc_sdma_intr_ack() mistakenly clears the
+interrupt for both controllers instead of just the one its supposed to.
+This can result in the other controller appearing to hang because its
+interrupt was effectively lost.
+
+So, don't clear the interrupt cause bits for both MPSC controllers when
+clearing the interrupt for one of them. Just clear the one that is
+supposed to be cleared.
+
+Signed-off-by: Jay Lubomirski <jaylubo@motorola.com>
+Acked-by: Mark A. Greer <mgreer@mvista.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ drivers/serial/mpsc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- linux-2.6.21.6.orig/drivers/serial/mpsc.c
++++ linux-2.6.21.6/drivers/serial/mpsc.c
+@@ -502,7 +502,8 @@ mpsc_sdma_intr_ack(struct mpsc_port_info
+
+ if (pi->mirror_regs)
+ pi->shared_regs->SDMA_INTR_CAUSE_m = 0;
+- writel(0, pi->shared_regs->sdma_intr_base + SDMA_INTR_CAUSE);
++ writeb(0x00, pi->shared_regs->sdma_intr_base + SDMA_INTR_CAUSE +
++ pi->port.line);
+ return;
+ }
+
rt-mutex-fix-chain-walk-early-wakeup-bug.patch
pi-futex-fix-exit-races-and-locking-problems.patch
hpt366-disallow-ultra133-for-hpt374.patch
+md-fix-two-raid10-bugs.patch
+md-fix-bug-in-error-handling-during-raid1-repair.patch
+dm-crypt-disable-barriers.patch
+dm-crypt-fix-call-to-clone_init.patch
+dm-crypt-fix-avoid-cloned-bio-ref-after-free.patch
+dm-crypt-fix-remove-first_clone.patch
+hugetlb-fix-get_policy-for-stacked-shared-memory-files.patch
+sched-fix-next_interval-determination-in-idle_balance.patch
+posix-timers-prevent-softirq-starvation-by-small-intervals-and-sig_ign.patch
+futex-restore-the-dropped-ersch-fix.patch
+audit-fix-oops-removing-watch-if-audit-disabled.patch
+powerpc-fix-subtle-fp-state-corruption-bug-in-signal-return-on-smp.patch
+mm-kill-validate_anon_vma-to-avoid-mapcount-bug.patch
+saa7134-fix-thread-shutdown-handling.patch
+serial-clear-proper-mpsc-interrupt-cause-bits.patch
+i386-fix-infinite-loop-with-singlestep-int80-syscalls.patch
+ntp-remove-clock_was_set-call-to-prevent-deadlock.patch
+sky2-workaround-for-lost-irq.patch
+v4l-bttv-fix-v4l1-api-usage-breaking-the-driver.patch
+v4l-cx88-blackbird-fix-vidioc_g_tuner-never-ending-list-of-tuners.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Jul 9 12:02:23 2007
+Date: Mon, 9 Jul 2007 12:01:31 -0700
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+To: stable@kernel.org
+Message-ID: <20070709120131.79df9203@freepuppy.rosehill.hemminger.net>
+Subject: sky2: workaround for lost IRQ
+
+This patch restores a couple of workarounds from 2.6.16:
+ * restart transmit moderation timer in case it expires during IRQ routine
+ * default to having 10 HZ watchdog timer.
+At this point it more important not to hang than to worry about the
+power cost.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Cc: Jeff Garzik <jeff@garzik.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/net/sky2.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- linux-2.6.21.6.orig/drivers/net/sky2.c
++++ linux-2.6.21.6/drivers/net/sky2.c
+@@ -95,7 +95,7 @@ static int disable_msi = 0;
+ module_param(disable_msi, int, 0);
+ MODULE_PARM_DESC(disable_msi, "Disable Message Signaled Interrupt (MSI)");
+
+-static int idle_timeout = 0;
++static int idle_timeout = 100;
+ module_param(idle_timeout, int, 0);
+ MODULE_PARM_DESC(idle_timeout, "Watchdog timer for lost interrupts (ms)");
+
+@@ -2433,6 +2433,13 @@ static int sky2_poll(struct net_device *
+
+ work_done = sky2_status_intr(hw, work_limit);
+ if (work_done < work_limit) {
++ /* Bug/Errata workaround?
++ * Need to kick the TX irq moderation timer.
++ */
++ if (sky2_read8(hw, STAT_TX_TIMER_CTRL) == TIM_START) {
++ sky2_write8(hw, STAT_TX_TIMER_CTRL, TIM_STOP);
++ sky2_write8(hw, STAT_TX_TIMER_CTRL, TIM_START);
++ }
+ netif_rx_complete(dev0);
+
+ sky2_read32(hw, B0_Y2_SP_LISR);
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Jul 9 21:03:10 2007
+Message-ID: <469304F5.6040809@linuxtv.org>
+Date: Tue, 10 Jul 2007 00:03:01 -0400
+From: Michael Krufky <mkrufky@linuxtv.org>
+To: stable@kernel.org
+Cc: v4l-dvb-maintainer@linuxtv.org, xyzzy@speakeasy.org
+Subject: V4L: bttv: fix v4l1 api usage breaking the driver
+
+From: Trent Piepho <xyzzy@speakeasy.org>
+
+If one uses a V4L *one* application, such as vlc or mplayer's v4l driver, as
+the first user after the driver is loaded, the driver wedges itself and will
+never capture properly. Even if one uses a V4L2 application later, it still
+won't work.
+
+If one uses a V4L *two* application first, such as tvtime or mplayer's v4l2
+driver, then the driver will be ok. One can then run a V4L1 application, and
+it will work.
+
+It turns out the problem is with norm changing and the crop support that was
+added in 2.6.21. The driver defaults to PAL, and keeps the last norm it was
+set too across opens. If one changes the norm via V4L1, the cropping
+parameters are not reset like they should be, and they'll remain broken across
+device opens.
+
+This patch removes the direct setting of btv->tvnorm in the V4L1 ioctl
+VIDIOCSCHAN handler. The norm is set via the existing call to set_input(),
+which calls set_tvnorm(), which will reset the cropping values now that it is
+able to detect the norm change.
+
+Signed-off-by: Trent Piepho <xyzzy@speakeasy.org>
+Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+(cherry picked from commit 333408f21590d50397f3004e3f87070fa8f52c51)
+
+ drivers/media/video/bt8xx/bttv-driver.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- linux-2.6.21.6.orig/drivers/media/video/bt8xx/bttv-driver.c
++++ linux-2.6.21.6/drivers/media/video/bt8xx/bttv-driver.c
+@@ -1313,7 +1313,7 @@ set_tvnorm(struct bttv *btv, unsigned in
+
+ /* Call with btv->lock down. */
+ static void
+-set_input(struct bttv *btv, unsigned int input)
++set_input(struct bttv *btv, unsigned int input, unsigned int norm)
+ {
+ unsigned long flags;
+
+@@ -1332,7 +1332,7 @@ set_input(struct bttv *btv, unsigned int
+ }
+ audio_input(btv,(input == bttv_tvcards[btv->c.type].tuner ?
+ TVAUDIO_INPUT_TUNER : TVAUDIO_INPUT_EXTERN));
+- set_tvnorm(btv,btv->tvnorm);
++ set_tvnorm(btv, norm);
+ i2c_vidiocschan(btv);
+ }
+
+@@ -1423,7 +1423,7 @@ static void bttv_reinit_bt848(struct btt
+
+ init_bt848(btv);
+ btv->pll.pll_current = -1;
+- set_input(btv,btv->input);
++ set_input(btv, btv->input, btv->tvnorm);
+ }
+
+ static int get_control(struct bttv *btv, struct v4l2_control *c)
+@@ -1993,8 +1993,7 @@ static int bttv_common_ioctls(struct btt
+ return 0;
+ }
+
+- btv->tvnorm = v->norm;
+- set_input(btv,v->channel);
++ set_input(btv, v->channel, v->norm);
+ mutex_unlock(&btv->lock);
+ return 0;
+ }
+@@ -2130,7 +2129,7 @@ static int bttv_common_ioctls(struct btt
+ if (*i > bttv_tvcards[btv->c.type].video_inputs)
+ return -EINVAL;
+ mutex_lock(&btv->lock);
+- set_input(btv,*i);
++ set_input(btv, *i, btv->tvnorm);
+ mutex_unlock(&btv->lock);
+ return 0;
+ }
+@@ -4762,7 +4761,7 @@ static int __devinit bttv_probe(struct p
+ bt848_hue(btv,32768);
+ bt848_sat(btv,32768);
+ audio_mute(btv, 1);
+- set_input(btv,0);
++ set_input(btv, 0, btv->tvnorm);
+ bttv_crop_reset(&btv->crop[0], btv->tvnorm);
+ btv->crop[1] = btv->crop[0]; /* current = default */
+ disclaim_vbi_lines(btv);
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Jul 9 21:03:11 2007
+Message-ID: <469304F6.6000301@linuxtv.org>
+Date: Tue, 10 Jul 2007 00:03:02 -0400
+From: Michael Krufky <mkrufky@linuxtv.org>
+To: stable@kernel.org
+Cc: v4l-dvb-maintainer@linuxtv.org, jelle@foks.8m.com
+Subject: V4L: cx88-blackbird: fix vidioc_g_tuner never ending list of tuners
+
+From: Jelle Foks <jelle@foks.8m.com>
+
+v4l-info and other programs would loop indefinitely while querying the
+tuners for cx88-blackbird cards.
+
+The cause was that vidioc_g_tuner didn't return an error value for
+qctrl->id != 0, making the application think there is a never ending
+list of tuners...
+
+This patch adds the same index check as done in vidioc_g_tuner() in
+cx88-video.
+
+Signed-off-by: Jelle Foks <jelle@foks.8m.com>
+Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+(cherry picked from commit f057131fb6eb2c45f6023e3da41ccd6e4e71aee9)
+
+ drivers/media/video/cx88/cx88-blackbird.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.21.6.orig/drivers/media/video/cx88/cx88-blackbird.c
++++ linux-2.6.21.6/drivers/media/video/cx88/cx88-blackbird.c
+@@ -1034,6 +1034,8 @@ static int vidioc_g_tuner (struct file *
+
+ if (unlikely(UNSET == core->tuner_type))
+ return -EINVAL;
++ if (0 != t->index)
++ return -EINVAL;
+
+ strcpy(t->name, "Television");
+ t->type = V4L2_TUNER_ANALOG_TV;
projects / thirdparty / kernel / stable-queue.git / commitdiff
