From 97680048a9ab17aa2193a7b73d18e0614b2c9d89 Mon Sep 17 00:00:00 2001 
From: Chris Wright
Date: Sat, 21 Jul 2007 16:56:02 -0700
Subject: [PATCH] update queue-2.6.21 patches
---
...ops-removing-watch-if-audit-disabled.patch | 39 ++++++
queue-2.6.21/dm-crypt-disable-barriers.patch | 40 ++++++
...-fix-avoid-cloned-bio-ref-after-free.patch | 43 +++++++
.../dm-crypt-fix-call-to-clone_init.patch | 92 ++++++++++++++
.../dm-crypt-fix-remove-first_clone.patch | 117 ++++++++++++++++++
.../futex-restore-the-dropped-ersch-fix.patch | 47 +++++++
...licy-for-stacked-shared-memory-files.patch | 57 +++++++++
...-loop-with-singlestep-int80-syscalls.patch | 111 +++++++++++++++++
...n-error-handling-during-raid1-repair.patch | 58 +++++++++
queue-2.6.21/md-fix-two-raid10-bugs.patch | 44 +++++++
...idate_anon_vma-to-avoid-mapcount-bug.patch | 92 ++++++++++++++
...ock_was_set-call-to-prevent-deadlock.patch | 54 ++++++++
...ation-by-small-intervals-and-sig_ign.patch | 100 +++++++++++++++
...rruption-bug-in-signal-return-on-smp.patch | 55 ++++++++
...saa7134-fix-thread-shutdown-handling.patch | 43 +++++++
...terval-determination-in-idle_balance.patch | 73 +++++++++++
...ear-proper-mpsc-interrupt-cause-bits.patch | 40 ++++++
queue-2.6.21/series | 20 +++
.../sky2-workaround-for-lost-irq.patch | 45 +++++++
...x-v4l1-api-usage-breaking-the-driver.patch | 97 +++++++++++++++
..._g_tuner-never-ending-list-of-tuners.patch | 41 ++++++
21 files changed, 1308 insertions(+)
create mode 100644 queue-2.6.21/audit-fix-oops-removing-watch-if-audit-disabled.patch
create mode 100644 queue-2.6.21/dm-crypt-disable-barriers.patch
create mode 100644 queue-2.6.21/dm-crypt-fix-avoid-cloned-bio-ref-after-free.patch
create mode 100644 queue-2.6.21/dm-crypt-fix-call-to-clone_init.patch
create mode 100644 queue-2.6.21/dm-crypt-fix-remove-first_clone.patch
create mode 100644 queue-2.6.21/futex-restore-the-dropped-ersch-fix.patch
create mode 100644 queue-2.6.21/hugetlb-fix-get_policy-for-stacked-shared-memory-files.patch
create mode 100644 queue-2.6.21/i386-fix-infinite-loop-with-singlestep-int80-syscalls.patch
create mode 100644 queue-2.6.21/md-fix-bug-in-error-handling-during-raid1-repair.patch
create mode 100644 queue-2.6.21/md-fix-two-raid10-bugs.patch
create mode 100644 queue-2.6.21/mm-kill-validate_anon_vma-to-avoid-mapcount-bug.patch
create mode 100644 queue-2.6.21/ntp-remove-clock_was_set-call-to-prevent-deadlock.patch
create mode 100644 queue-2.6.21/posix-timers-prevent-softirq-starvation-by-small-intervals-and-sig_ign.patch
create mode 100644 queue-2.6.21/powerpc-fix-subtle-fp-state-corruption-bug-in-signal-return-on-smp.patch
create mode 100644 queue-2.6.21/saa7134-fix-thread-shutdown-handling.patch
create mode 100644 queue-2.6.21/sched-fix-next_interval-determination-in-idle_balance.patch
create mode 100644 queue-2.6.21/serial-clear-proper-mpsc-interrupt-cause-bits.patch
create mode 100644 queue-2.6.21/sky2-workaround-for-lost-irq.patch
create mode 100644 queue-2.6.21/v4l-bttv-fix-v4l1-api-usage-breaking-the-driver.patch
create mode 100644 queue-2.6.21/v4l-cx88-blackbird-fix-vidioc_g_tuner-never-ending-list-of-tuners.patch
diff --git a/queue-2.6.21/audit-fix-oops-removing-watch-if-audit-disabled.patch b/queue-2.6.21/audit-fix-oops-removing-watch-if-audit-disabled.patch
new file mode 100644
index 00000000000..b5ca5ec7ec3
--- /dev/null
+++ b/queue-2.6.21/audit-fix-oops-removing-watch-if-audit-disabled.patch
@@ -0,0 +1,39 @@
+From stable-bounces@linux.kernel.org Sat Jun 23 17:25:29 2007
+Message-Id: <200706240016.l5O0GlIh030858@imap1.linux-foundation.org>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Sat, 23 Jun 2007 17:16:47 -0700
+Cc: akpm@linux-foundation.org, tonyj@suse.de, viro@zeniv.linux.org.uk
+Subject: audit: fix oops removing watch if audit disabled
+
+From: Tony Jones
+
+Removing a watched file will oops if audit is disabled (auditctl -e 0).
+
+To reproduce:
+- auditctl -e 1
+- touch /tmp/foo
+- auditctl -w /tmp/foo
+- auditctl -e 0
+- rm /tmp/foo (or mv)
+
+Signed-off-by: Tony Jones
+Cc: Al Viro
+Signed-off-by: Andrew Morton
+Signed-off-by: Chris Wright
+---
+
+ kernel/auditfilter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.21.6.orig/kernel/auditfilter.c
++++ linux-2.6.21.6/kernel/auditfilter.c
+@@ -905,7 +905,7 @@ static void audit_update_watch(struct au
+
+ /* If the update involves invalidating rules, do the inode-based
+ * filtering now, so we don't omit records. */
+- if (invalidating &&
++ if (invalidating && current->audit_context &&
+ audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT)
+ audit_set_auditable(current->audit_context);
+
diff --git a/queue-2.6.21/dm-crypt-disable-barriers.patch b/queue-2.6.21/dm-crypt-disable-barriers.patch
new file mode 100644
index 00000000000..c37ab2bb034
--- /dev/null
+++ b/queue-2.6.21/dm-crypt-disable-barriers.patch
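Review bot: In kernel/auditfilter.c (audit-fix-oops patch), the added `current->audit_context &&` guard in audit_update_watch() silently skips the inode-based filtering when the task has no audit context, and the code does not say that this is intended. A comment above the condition, for example `/* no audit_context (e.g. audit disabled): nothing to filter or mark auditable */`, would keep a later cleanup from removing the check and bringing back the NULL dereference described in the patch. The function body extends beyond the hunk, so other uses of `current->audit_context` there are not visible and may need the same check.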
@@ -0,0 +1,40 @@
+From stable-bounces@linux.kernel.org Wed Jun 13 12:56:49 2007
+Message-ID: <46704BF7.4010104@redhat.com>
+Date: Wed, 13 Jun 2007 15:56:39 -0400
+From: Chuck Ebbert
+To: stable@kernel.org
+Cc: Dave Jones , agk@redhat.com
+Subject: dm crypt: disable barriers
+
+From: Milan Broz
+
+Disable barriers in dm-crypt because of current workqueue processing can
+reorder requests.
+
+This must be addresed later but for now disabling barriers is needed to
+prevent data corruption.
+
+Signed-off-by: Milan Broz
+Signed-off-by: Alasdair G Kergon
+Cc: Jens Axboe
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Chris Wright
+---
+Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9c89f8be1a7d14aad9d2c3f7d90d7d88f82c61e2
+
+ drivers/md/dm-crypt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- linux-2.6.21.6.orig/drivers/md/dm-crypt.c
++++ linux-2.6.21.6/drivers/md/dm-crypt.c
+@@ -954,6 +954,9 @@ static int crypt_map(struct dm_target *t
+ struct crypt_config *cc = ti->private;
+ struct crypt_io *io;
+
++ if (bio_barrier(bio))
++ return -EOPNOTSUPP;
++
+ io = mempool_alloc(cc->io_pool, GFP_NOIO);
+ io->target = ti;
+ io->base_bio = bio;
diff --git a/queue-2.6.21/dm-crypt-fix-avoid-cloned-bio-ref-after-free.patch b/queue-2.6.21/dm-crypt-fix-avoid-cloned-bio-ref-after-free.patch
new file mode 100644
index 00000000000..c7ce0012004
--- /dev/null
+++ b/queue-2.6.21/dm-crypt-fix-avoid-cloned-bio-ref-after-free.patch
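Review bot: In drivers/md/dm-crypt.c (dm-crypt-disable-barriers patch), the new `if (bio_barrier(bio)) return -EOPNOTSUPP;` at the top of crypt_map() has no comment, so the reason barriers are refused exists only in the patch description. Because the rejection is described as a stop-gap, a comment such as `/* barriers not supported yet: workqueue processing can reorder requests */` would tell the next reader why it is there and when it can be removed. The early return comes before `mempool_alloc()`, so nothing is leaked on this path. crypt_map() continues past the hunk.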
@@ -0,0 +1,43 @@
+From stable-bounces@linux.kernel.org Wed Jun 13 12:59:23 2007
+Message-ID: <46704C94.7050903@redhat.com>
+Date: Wed, 13 Jun 2007 15:59:16 -0400
+From: Chuck Ebbert
+To: stable@kernel.org
+Cc: Dave Jones , agk@redhat.com
+Subject: dm crypt: fix avoid cloned bio ref after free
+
+From: Olaf Kirch
+
+Do not access the bio after generic_make_request
+
+We should never access a bio after generic_make_request - there's no guarantee
+it still exists.
+
+Signed-off-by: Olaf Kirch
+Signed-off-by: Alasdair G Kergon
+Cc: Jens Axboe
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Chris Wright
+---
+Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=98221eb757de03d9aa6262b1eded2be708640ccc
+
+ drivers/md/dm-crypt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- linux-2.6.21.6.orig/drivers/md/dm-crypt.c
++++ linux-2.6.21.6/drivers/md/dm-crypt.c
+@@ -655,9 +655,12 @@ static void process_write(struct crypt_i
+
+ generic_make_request(clone);
+
++ /* Do not reference clone after this - it
++ * may be gone already. */
++
+ /* out of memory -> run queues */
+ if (remaining)
+- congestion_wait(bio_data_dir(clone), HZ/100);
++ congestion_wait(WRITE, HZ/100);
+ }
+ }
+
diff --git a/queue-2.6.21/dm-crypt-fix-call-to-clone_init.patch b/queue-2.6.21/dm-crypt-fix-call-to-clone_init.patch
new file mode 100644
index 00000000000..51cdac8767f
--- /dev/null
+++ b/queue-2.6.21/dm-crypt-fix-call-to-clone_init.patch
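Review bot: In process_write() (dm-crypt-fix-avoid-cloned-bio-ref-after-free patch), the new comment after `generic_make_request(clone);` states the rule but nothing enforces it, so a later edit in the loop could read the freed bio again without any visible signal. Adding `clone = NULL;` directly after the call would turn such a mistake into an immediate NULL dereference instead of a use-after-free. This looks harmless because the loop assigns `clone` again from crypt_alloc_buffer() at its top, as the other dm-crypt patches on this page show. The loop body starts outside this hunk.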
@@ -0,0 +1,92 @@
+From stable-bounces@linux.kernel.org Wed Jun 13 12:57:56 2007
+Message-ID: <46704C3E.20608@redhat.com>
+Date: Wed, 13 Jun 2007 15:57:50 -0400
+From: Chuck Ebbert
+To: stable@kernel.org
+Cc: Dave Jones , agk@redhat.com
+Subject: dm crypt: fix call to clone_init
+
+From: Olaf Kirch
+
+Call clone_init early
+
+We need to call clone_init as early as possible - at least before call
+bio_put(clone) in any error path. Otherwise, the destructor will try to
+dereference bi_private, which may still be NULL.
+
+Signed-off-by: Olaf Kirch
+Signed-off-by: Alasdair G Kergon
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Chris Wright
+---
+Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=027581f3515b5ec2218847dab578afa439a9d6b9
+
+ drivers/md/dm-crypt.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- linux-2.6.21.6.orig/drivers/md/dm-crypt.c
++++ linux-2.6.21.6/drivers/md/dm-crypt.c
+@@ -107,6 +107,8 @@ struct crypt_config {
+
+ static struct kmem_cache *_crypt_io_pool;
+
++static void clone_init(struct crypt_io *, struct bio *);
++
+ /*
+ * Different IV generation algorithms:
+ *
+@@ -379,9 +381,10 @@ static int crypt_convert(struct crypt_co
+ * May return a smaller bio when running out of pages
+ */
+ static struct bio *
+-crypt_alloc_buffer(struct crypt_config *cc, unsigned int size,
++crypt_alloc_buffer(struct crypt_io *io, unsigned int size,
+ struct bio *base_bio, unsigned int *bio_vec_idx)
+ {
++ struct crypt_config *cc = io->target->private;
+ struct bio *clone;
+ unsigned int nr_iovecs = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ gfp_t gfp_mask = GFP_NOIO | __GFP_HIGHMEM;
+@@ -396,7 +399,7 @@ crypt_alloc_buffer(struct crypt_config *
+ if (!clone)
+ return NULL;
+
+- clone->bi_destructor = dm_crypt_bio_destructor;
++ clone_init(io, clone);
+
+ /* if the last bio was not complete, continue where that one ended */
+ clone->bi_idx = *bio_vec_idx;
+@@ -562,6 +565,7 @@ static void clone_init(struct crypt_io *
+ clone->bi_end_io = crypt_endio;
+ clone->bi_bdev = cc->dev->bdev;
+ clone->bi_rw = io->base_bio->bi_rw;
++ clone->bi_destructor = dm_crypt_bio_destructor;
+ }
+
+ static void process_read(struct crypt_io *io)
+@@ -585,7 +589,6 @@ static void process_read(struct crypt_io
+ }
+
+ clone_init(io, clone);
+- clone->bi_destructor = dm_crypt_bio_destructor;
+ clone->bi_idx = 0;
+ clone->bi_vcnt = bio_segments(base_bio);
+ clone->bi_size = base_bio->bi_size;
+@@ -615,7 +618,7 @@ static void process_write(struct crypt_i
+ * so repeat the whole process until all the data can be handled.
+ */
+ while (remaining) {
+- clone = crypt_alloc_buffer(cc, base_bio->bi_size,
++ clone = crypt_alloc_buffer(io, base_bio->bi_size,
+ io->first_clone, &bvec_idx);
+ if (unlikely(!clone)) {
+ dec_pending(io, -ENOMEM);
+@@ -631,7 +634,6 @@ static void process_write(struct crypt_i
+ return;
+ }
+
+- clone_init(io, clone);
+ clone->bi_sector = cc->start + sector;
+
+ if (!io->first_clone) {
diff --git a/queue-2.6.21/dm-crypt-fix-remove-first_clone.patch b/queue-2.6.21/dm-crypt-fix-remove-first_clone.patch
new file mode 100644
index 00000000000..0afc5edf9d9
--- /dev/null
+++ b/queue-2.6.21/dm-crypt-fix-remove-first_clone.patch
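Review bot: In the dm-crypt-fix-call-to-clone_init patch, the ordering that prevents the NULL dereference is not recorded anywhere in the code: in crypt_alloc_buffer() `clone_init(io, clone);` must run before any error path reaches `bio_put(clone)`. A comment on that call, for example `/* must precede any bio_put(clone): the destructor dereferences bi_private */`, would stop a later reshuffle from moving it below the page-allocation loop. As a smaller style point, the forward declaration `static void clone_init(struct crypt_io *, struct bio *);` omits parameter names; `static void clone_init(struct crypt_io *io, struct bio *clone);` would match the definition. crypt_alloc_buffer() and process_write() both continue outside the quoted hunks.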
@@ -0,0 +1,117 @@
+From stable-bounces@linux.kernel.org Wed Jun 13 13:00:52 2007
+Message-ID: <46704CDE.50004@redhat.com>
+Date: Wed, 13 Jun 2007 16:00:30 -0400
+From: Chuck Ebbert
+To: stable@kernel.org
+Cc: Dave Jones , agk@redhat.com
+Subject: dm crypt: fix remove first_clone
+
+From: Olaf Kirch
+
+Get rid of first_clone in dm-crypt
+
+This gets rid of first_clone, which is not really needed. Apparently, cloned
+bios used to share their bvec some time way in the past - this is no longer
+the case. Contrarily, this even hurts us if we try to create a clone off
+first_clone after it has completed, and crypt_endio has destroyed its bvec.
+
+Signed-off-by: Olaf Kirch
+Signed-off-by: Alasdair G Kergon
+Cc: Jens Axboe
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Chris Wright
+---
+Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2f9941b6c55d70103c1bc3f2c7676acd9f20bf8a
+
+ drivers/md/dm-crypt.c | 34 ++++++----------------------------
+ 1 file changed, 6 insertions(+), 28 deletions(-)
+
+--- linux-2.6.21.6.orig/drivers/md/dm-crypt.c
++++ linux-2.6.21.6/drivers/md/dm-crypt.c
+@@ -33,7 +33,6 @@
+ struct crypt_io {
+ struct dm_target *target;
+ struct bio *base_bio;
+- struct bio *first_clone;
+ struct work_struct work;
+ atomic_t pending;
+ int error;
+@@ -380,9 +379,8 @@ static int crypt_convert(struct crypt_co
+ * This should never violate the device limitations
+ * May return a smaller bio when running out of pages
+ */
+-static struct bio *
+-crypt_alloc_buffer(struct crypt_io *io, unsigned int size,
+- struct bio *base_bio, unsigned int *bio_vec_idx)
++static struct bio *crypt_alloc_buffer(struct crypt_io *io, unsigned int size,
++ unsigned int *bio_vec_idx)
+ {
+ struct crypt_config *cc = io->target->private;
+ struct bio *clone;
+@@ -390,12 +388,7 @@ crypt_alloc_buffer(struct crypt_io *io,
+ gfp_t gfp_mask = GFP_NOIO | __GFP_HIGHMEM;
+ unsigned int i;
+
+- if (base_bio) {
+- clone = bio_alloc_bioset(GFP_NOIO, base_bio->bi_max_vecs, cc->bs);
+- __bio_clone(clone, base_bio);
+- } else
+- clone = bio_alloc_bioset(GFP_NOIO, nr_iovecs, cc->bs);
+-
++ clone = bio_alloc_bioset(GFP_NOIO, nr_iovecs, cc->bs);
+ if (!clone)
+ return NULL;
+
+@@ -498,9 +491,6 @@ static void dec_pending(struct crypt_io
+ if (!atomic_dec_and_test(&io->pending))
+ return;
+
+- if (io->first_clone)
+- bio_put(io->first_clone);
+-
+ bio_endio(io->base_bio, io->base_bio->bi_size, io->error);
+
+ mempool_free(io, cc->io_pool);
+@@ -618,8 +608,7 @@ static void process_write(struct crypt_i
+ * so repeat the whole process until all the data can be handled.
+ */
+ while (remaining) {
+- clone = crypt_alloc_buffer(io, base_bio->bi_size,
+- io->first_clone, &bvec_idx);
++ clone = crypt_alloc_buffer(io, base_bio->bi_size, &bvec_idx);
+ if (unlikely(!clone)) {
+ dec_pending(io, -ENOMEM);
+ return;
+@@ -635,21 +624,11 @@ static void process_write(struct crypt_i
+ }
+
+ clone->bi_sector = cc->start + sector;
+-
+- if (!io->first_clone) {
+- /*
+- * hold a reference to the first clone, because it
+- * holds the bio_vec array and that can't be freed
+- * before all other clones are released
+- */
+- bio_get(clone);
+- io->first_clone = clone;
+- }
+-
+ remaining -= clone->bi_size;
+ sector += bio_sectors(clone);
+
+- /* prevent bio_put of first_clone */
++ /* Grab another reference to the io struct
++ * before we kick off the request */
+ if (remaining)
+ atomic_inc(&io->pending);
+
+@@ -965,7 +944,6 @@ static int crypt_map(struct dm_target *t
+ io = mempool_alloc(cc->io_pool, GFP_NOIO);
+ io->target = ti;
+ io->base_bio = bio;
+- io->first_clone = NULL;
+ io->error = io->post_process = 0;
+ atomic_set(&io->pending, 0);
+ kcryptd_queue_io(io);
diff --git a/queue-2.6.21/futex-restore-the-dropped-ersch-fix.patch b/queue-2.6.21/futex-restore-the-dropped-ersch-fix.patch
new file mode 100644
index 00000000000..f8b62b27ce4
--- /dev/null
+++ b/queue-2.6.21/futex-restore-the-dropped-ersch-fix.patch
@@ -0,0 +1,47 @@
+From stable-bounces@linux.kernel.org Sat Jun 23 02:48:55 2007
+From: Thomas Gleixner
+To: torvalds@osdl.org
+Date: Sat, 23 Jun 2007 11:48:40 +0200
+Message-Id: <1182592120.20203.181.camel@chaos>
+Cc: akpm@osdl.org, drepper@redhat.com, mingo@elte.hu
+Subject: FUTEX: Restore the dropped ERSCH fix
+
+The return value of futex_find_get_task() needs to be -ESRCH in case
+that the search fails. This was part of the original futex fixes and
+got accidentally dropped, when the futex-tidy-up patch was split out.
+
+Results in a NULL pointer dereference in case the search fails.
+
+Restore it.
+
+Signed-off-by: Thomas Gleixner
+Cc: Ingo Molnar
+Cc: Ulrich Drepper
+Signed-off-by: Chris Wright
+---
+ kernel/futex.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- linux-2.6.21.6.orig/kernel/futex.c
++++ linux-2.6.21.6/kernel/futex.c
+@@ -390,14 +390,12 @@ static struct task_struct * futex_find_g
+
+ rcu_read_lock();
+ p = find_task_by_pid(pid);
+- if (!p)
+- goto out_unlock;
+- if ((current->euid != p->euid) && (current->euid != p->uid)) {
+- p = NULL;
+- goto out_unlock;
+- }
+- get_task_struct(p);
+-out_unlock:
++
++ if (!p || ((current->euid != p->euid) && (current->euid != p->uid)))
++ p = ERR_PTR(-ESRCH);
++ else
++ get_task_struct(p);
++
+ rcu_read_unlock();
+
+ return p;
diff --git a/queue-2.6.21/hugetlb-fix-get_policy-for-stacked-shared-memory-files.patch b/queue-2.6.21/hugetlb-fix-get_policy-for-stacked-shared-memory-files.patch
new file mode 100644
index 00000000000..a15aaf7ffbe
--- /dev/null
+++ b/queue-2.6.21/hugetlb-fix-get_policy-for-stacked-shared-memory-files.patch
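Review bot: In kernel/futex.c (futex-restore-the-dropped-ersch-fix patch), futex_find_get_task() now returns `ERR_PTR(-ESRCH)` and never NULL, but nothing at the function states that contract, and a caller that still tests `if (!p)` would go on to dereference the error pointer. The callers are outside this hunk, so each should be confirmed to check `IS_ERR(p)`. I would add a comment above the function such as `/* Returns the task with a reference held, or ERR_PTR(-ESRCH); never NULL. */`. The same comment could note that a missing task and a uid mismatch deliberately produce the same error, since the new code folds both into one branch.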
@@ -0,0 +1,57 @@
+From stable-bounces@linux.kernel.org Sat Jun 16 10:24:40 2007
+Message-Id: <200706161716.l5GHGGIP019702@imap1.linux-foundation.org>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Sat, 16 Jun 2007 10:16:15 -0700
+Cc: dean@arctic.org, ak@suse.de, agl@us.ibm.com, akpm@linux-foundation.org, stable@kernel.org, bill.irwin@oracle.com, clameter@sgi.com
+Subject: hugetlb: fix get_policy for stacked shared memory files
+
+From: Adam Litke
+
+Here's another breakage as a result of shared memory stacked files :(
+
+The NUMA policy for a VMA is determined by checking the following (in the
+order given):
+
+1) vma->vm_ops->get_policy() (if defined)
+2) vma->vm_policy (if defined)
+3) task->mempolicy (if defined)
+4) Fall back to default_policy
+
+By switching to stacked files for shared memory, get_policy() is now always
+set to shm_get_policy which is a wrapper function. This causes us to stop
+at step 1, which yields NULL for hugetlb instead of task->mempolicy which
+was the previous (and correct) result.
+
+This patch modifies the shm_get_policy() wrapper to maintain steps 1-3 for
+the wrapped vm_ops.
+
+(akpm: the refcounting of mempolicies is busted and this patch does nothing to
+improve it)
+
+Signed-off-by: Adam Litke
+Acked-by: William Irwin
+Cc: dean gaudet
+Cc: Christoph Lameter
+Cc: Andi Kleen
+Signed-off-by: Andrew Morton
+Signed-off-by: Chris Wright
+---
+
+ ipc/shm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- linux-2.6.21.6.orig/ipc/shm.c
++++ linux-2.6.21.6/ipc/shm.c
+@@ -254,8 +254,10 @@ struct mempolicy *shm_get_policy(struct
+
+ if (sfd->vm_ops->get_policy)
+ pol = sfd->vm_ops->get_policy(vma, addr);
+- else
++ else if (vma->vm_policy)
+ pol = vma->vm_policy;
++ else
++ pol = current->mempolicy;
+ return pol;
+ }
+ #endif
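Review bot: shm_get_policy() in ipc/shm.c now carries its own copy of the policy lookup order inside the if/else chain, with no comment tying it to the generic lookup it imitates, so the two can drift apart unnoticed. A one-line comment above the chain, for example `/* keep in step with the generic VMA policy lookup: wrapped get_policy, then vma, then task */`, would make the duplication explicit. The wrapper can still return NULL when `current->mempolicy` is unset; presumably the caller then falls back to the default policy, but that caller is outside the hunk and is worth confirming.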
diff --git a/queue-2.6.21/i386-fix-infinite-loop-with-singlestep-int80-syscalls.patch b/queue-2.6.21/i386-fix-infinite-loop-with-singlestep-int80-syscalls.patch
new file mode 100644
index 00000000000..a883f2afc30
--- /dev/null
+++ b/queue-2.6.21/i386-fix-infinite-loop-with-singlestep-int80-syscalls.patch
@@ -0,0 +1,111 @@
+From stable-bounces@linux.kernel.org Mon Jul 2 13:54:04 2007
+Message-ID: <468965D8.7020405@windriver.com>
+Date: Mon, 02 Jul 2007 15:53:44 -0500
+From: Jason Wessel
+To: stable@kernel.org
+Subject: i386: fix infinite loop with singlestep int80 syscalls
+
+The commit 635cf99a80f4ebee59d70eb64bb85ce829e4591f introduced a
+regression. Executing a ptrace single step after certain int80
+accesses will infinitely loop and never advance the PC.
+
+The TIF_SINGLESTEP check should be done on the return from the syscall
+and not before it.
+
+The new test case is below:
+
+/* Test whether singlestep through an int80 syscall works.
+ */
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+static int child, status;
+static struct user_regs_struct regs;
+
+static void do_child()
+{
+ char str[80] = "child: int80 test\n";
+
+ ptrace(PTRACE_TRACEME, 0, 0, 0);
+ kill(getpid(), SIGUSR1);
+ write(fileno(stdout),str,strlen(str));
+ asm ("int $0x80" : : "a" (20)); /* getpid */
+}
+
+static void do_parent()
+{
+ unsigned long eip, expected = 0;
+again:
+ waitpid(child, &status, 0);
+ if (WIFEXITED(status) || WIFSIGNALED(status))
+ return;
+
+ if (WIFSTOPPED(status)) {
+ ptrace(PTRACE_GETREGS, child, 0, ®s);
+ eip = regs.eip;
+ if (expected)
+ fprintf(stderr, "child stop @ %08lx, expected %08lx %s\n",
+ eip, expected,
+ eip == expected ? "" : " <== ERROR");
+
+ if (*(unsigned short *)eip == 0x80cd) {
+ fprintf(stderr, "int 0x80 at %08x\n", (unsigned int)eip);
+ expected = eip + 2;
+ } else
+ expected = 0;
+
+ ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);
+ }
+ goto again;
+}
+
+int main(int argc, char * const argv[])
+{
+ child = fork();
+ if (child)
+ do_parent();
+ else
+ do_child();
+ return 0;
+}
+
+
+Signed-off-by: Jason Wessel
+Cc: Jeremy Fitzhardinge
+Cc: Chuck Ebbert
+Signed-off-by: Chris Wright
+---
+ arch/i386/kernel/entry.S | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- linux-2.6.21.6.orig/arch/i386/kernel/entry.S
++++ linux-2.6.21.6/arch/i386/kernel/entry.S
+@@ -371,10 +371,6 @@ ENTRY(system_call)
+ CFI_ADJUST_CFA_OFFSET 4
+ SAVE_ALL
+ GET_THREAD_INFO(%ebp)
+- testl $TF_MASK,PT_EFLAGS(%esp)
+- jz no_singlestep
+- orl $_TIF_SINGLESTEP,TI_flags(%ebp)
+-no_singlestep:
+ # system call tracing in operation / emulation
+ /* Note, _TIF_SECCOMP is bit number 8, and so it needs testw and not testb */
+ testw $(_TIF_SYSCALL_EMU|_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT),TI_flags(%ebp)
+@@ -389,6 +385,10 @@ syscall_exit:
+ # setting need_resched or sigpending
+ # between sampling and the iret
+ TRACE_IRQS_OFF
++ testl $TF_MASK,PT_EFLAGS(%esp) # If tracing set singlestep flag on exit
++ jz no_singlestep
++ orl $_TIF_SINGLESTEP,TI_flags(%ebp)
++no_singlestep:
+ movl TI_flags(%ebp), %ecx
+ testw $_TIF_ALLWORK_MASK, %cx # current->work
+ jne syscall_exit_work
diff --git a/queue-2.6.21/md-fix-bug-in-error-handling-during-raid1-repair.patch b/queue-2.6.21/md-fix-bug-in-error-handling-during-raid1-repair.patch
new file mode 100644
index 00000000000..5d996d774fc
--- /dev/null
+++ b/queue-2.6.21/md-fix-bug-in-error-handling-during-raid1-repair.patch
@@ -0,0 +1,58 @@
+From stable-bounces@linux.kernel.org Mon Jun 11 18:09:47 2007
+From: NeilBrown
+To: Andrew Morton
+Date: Tue, 12 Jun 2007 11:09:35 +1000
+Message-Id: <1070612010935.25370@suse.de>
+Cc: linux-raid@vger.kernel.org, neilb@suse.de
+Subject: md: Fix bug in error handling during raid1 repair.
+
+From: Mike Accetta
+
+If raid1/repair (which reads all block and fixes any differences
+it finds) hits a read error, it doesn't reset the bio for writing
+before writing correct data back, so the read error isn't fixed,
+and the device probably gets a zero-length write which it might
+complain about.
+
+Signed-off-by: Neil Brown
+Signed-off-by: Chris Wright
+---
+
+ drivers/md/raid1.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff .prev/drivers/md/raid1.c ./drivers/md/raid1.c
+--- linux-2.6.21.6.orig/drivers/md/raid1.c
++++ linux-2.6.21.6/drivers/md/raid1.c
+@@ -1240,17 +1240,24 @@ static void sync_request_write(mddev_t *
+ }
+ r1_bio->read_disk = primary;
+ for (i=0; iraid_disks; i++)
+- if (r1_bio->bios[i]->bi_end_io == end_sync_read &&
+- test_bit(BIO_UPTODATE, &r1_bio->bios[i]->bi_flags)) {
++ if (r1_bio->bios[i]->bi_end_io == end_sync_read) {
+ int j;
+ int vcnt = r1_bio->sectors >> (PAGE_SHIFT- 9);
+ struct bio *pbio = r1_bio->bios[primary];
+ struct bio *sbio = r1_bio->bios[i];
+- for (j = vcnt; j-- ; )
+- if (memcmp(page_address(pbio->bi_io_vec[j].bv_page),
+- page_address(sbio->bi_io_vec[j].bv_page),
+- PAGE_SIZE))
+- break;
++
++ if (test_bit(BIO_UPTODATE, &sbio->bi_flags)) {
++ for (j = vcnt; j-- ; ) {
++ struct page *p, *s;
++ p = pbio->bi_io_vec[j].bv_page;
++ s = sbio->bi_io_vec[j].bv_page;
++ if (memcmp(page_address(p),
++ page_address(s),
++ PAGE_SIZE))
++ break;
++ }
++ } else
++ j = 0;
+ if (j >= 0)
+ mddev->resync_mismatches += r1_bio->sectors;
+ if (j < 0 || test_bit(MD_RECOVERY_CHECK, &mddev->recovery)) {
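Review bot: In sync_request_write() the new `} else j = 0;` leaves the else branch unbraced after a braced if, and the meaning of the assigned value is not stated. `j = 0` is a sentinel rather than an index: it makes the following `if (j >= 0)` count the block as a mismatch when the secondary bio is not up to date, which is easy to misread next to the `for (j = vcnt; j-- ; )` loop. I would write it as `} else {`, `j = 0; /* read failed: force the mismatch path so the block is rewritten */`, `}`. Whether the rewrite happens is decided in the `MD_RECOVERY_CHECK` branch, which continues beyond this hunk.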
diff --git a/queue-2.6.21/md-fix-two-raid10-bugs.patch b/queue-2.6.21/md-fix-two-raid10-bugs.patch
new file mode 100644
index 00000000000..c76c918e823
--- /dev/null
+++ b/queue-2.6.21/md-fix-two-raid10-bugs.patch
@@ -0,0 +1,44 @@
+From stable-bounces@linux.kernel.org Mon Jun 11 18:09:50 2007
+From: NeilBrown
+To: Andrew Morton
+Date: Tue, 12 Jun 2007 11:09:29 +1000
+Message-Id: <1070612010929.25355@suse.de>
+Cc: linux-raid@vger.kernel.org, neilb@suse.de
+Subject: md: Fix two raid10 bugs.
+
+1/ When resyncing a degraded raid10 which has more than 2 copies of each block,
+ garbage can get synced on top of good data.
+
+2/ We round the wrong way in part of the device size calculation, which
+ can cause confusion.
+
+Signed-off-by: Neil Brown
+Signed-off-by: Chris Wright
+---
+
+ drivers/md/raid10.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff .prev/drivers/md/raid10.c ./drivers/md/raid10.c
+--- linux-2.6.21.6.orig/drivers/md/raid10.c
++++ linux-2.6.21.6/drivers/md/raid10.c
+@@ -1867,6 +1867,7 @@ static sector_t sync_request(mddev_t *md
+ int d = r10_bio->devs[i].devnum;
+ bio = r10_bio->devs[i].bio;
+ bio->bi_end_io = NULL;
++ clear_bit(BIO_UPTODATE, &bio->bi_flags);
+ if (conf->mirrors[d].rdev == NULL ||
+ test_bit(Faulty, &conf->mirrors[d].rdev->flags))
+ continue;
+@@ -2037,6 +2038,11 @@ static int run(mddev_t *mddev)
+ /* 'size' is now the number of chunks in the array */
+ /* calculate "used chunks per device" in 'stride' */
+ stride = size * conf->copies;
++
++ /* We need to round up when dividing by raid_disks to
++ * get the stride size.
++ */
++ stride += conf->raid_disks - 1;
+ sector_div(stride, conf->raid_disks);
+ mddev->size = stride << (conf->chunk_shift-1);
+
diff --git a/queue-2.6.21/mm-kill-validate_anon_vma-to-avoid-mapcount-bug.patch b/queue-2.6.21/mm-kill-validate_anon_vma-to-avoid-mapcount-bug.patch
new file mode 100644
index 00000000000..9d3749eac6c
--- /dev/null
+++ b/queue-2.6.21/mm-kill-validate_anon_vma-to-avoid-mapcount-bug.patch
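Review bot: In drivers/md/raid10.c (md-fix-two-raid10-bugs patch), the added `clear_bit(BIO_UPTODATE, &bio->bi_flags);` in sync_request() has no comment, although the stride rounding added to run() by the same patch does. This line is what fixes the first bug in the description, garbage being synced over good data. Presumably a flag left over from an earlier use of the bio could otherwise make an unread buffer look valid. A comment such as `/* start as not-up-to-date: a stale flag would let unread data be synced */` would record that; the wording should be confirmed against the completion handler, which is not in the hunk.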
@@ -0,0 +1,92 @@
+From stable-bounces@linux.kernel.org Wed Jun 27 14:10:34 2007
+Message-Id: <200706272109.l5RL9rWw007129@imap1.linux-foundation.org>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Wed, 27 Jun 2007 14:09:53 -0700
+Cc: npiggin@suse.de, petr@vmware.com, andrea@suse.de, hugh@veritas.com, akpm@linux-foundation.org, stable@kernel.org
+Subject: mm: kill validate_anon_vma to avoid mapcount BUG
+
+From: Hugh Dickins
+
+validate_anon_vma gave a useful check on the integrity of the anon_vma list
+when Andrea was developing obj rmap; but it was not enabled in SLES9
+itself, nor in mainline, until Nick changed commented-out RMAP_DEBUG to
+configurable CONFIG_DEBUG_VM in 2.6.17. Now Petr Vandrovec reports that
+its BUG_ON(mapcount > 100000) can easily crash a CONFIG_DEBUG_VM=y system.
+
+That limit was just an arbitrary number to protect against an infinite
+loop. We could raise it to something enormous (depending on sizeof struct
+vma and size of memory?); but I rather think validate_anon_vma has outlived
+its usefulness, and is better just removed - which gives a magnificent
+performance boost to anything like Petr's test program ;)
+
+Of course, a very long anon_vma list is bad news for preemption latency,
+and I believe there has been one recent report of such: let's not forget
+that, but validate_anon_vma only makes it worse not better.
+
+Signed-off-by: Hugh Dickins
+Cc: Petr Vandrovec
+Acked-by: Nick Piggin
+Cc: Andrea Arcangeli
+Signed-off-by: Andrew Morton
+Signed-off-by: Chris Wright
+---
+
+ mm/rmap.c | 24 +-----------------------
+ 1 file changed, 1 insertion(+), 23 deletions(-)
+
+--- linux-2.6.21.6.orig/mm/rmap.c
++++ linux-2.6.21.6/mm/rmap.c
+@@ -53,24 +53,6 @@
+
+ struct kmem_cache *anon_vma_cachep;
+
+-static inline void validate_anon_vma(struct vm_area_struct *find_vma)
+-{
+-#ifdef CONFIG_DEBUG_VM
+- struct anon_vma *anon_vma = find_vma->anon_vma;
+- struct vm_area_struct *vma;
+- unsigned int mapcount = 0;
+- int found = 0;
+-
+- list_for_each_entry(vma, &anon_vma->head, anon_vma_node) {
+- mapcount++;
+- BUG_ON(mapcount > 100000);
+- if (vma == find_vma)
+- found = 1;
+- }
+- BUG_ON(!found);
+-#endif
+-}
+-
+ /* This must be called under the mmap_sem. */
+ int anon_vma_prepare(struct vm_area_struct *vma)
+ {
+@@ -121,10 +103,8 @@ void __anon_vma_link(struct vm_area_stru
+ {
+ struct anon_vma *anon_vma = vma->anon_vma;
+
+- if (anon_vma) {
++ if (anon_vma)
+ list_add_tail(&vma->anon_vma_node, &anon_vma->head);
+- validate_anon_vma(vma);
+- }
+ }
+
+ void anon_vma_link(struct vm_area_struct *vma)
+@@ -134,7 +114,6 @@ void anon_vma_link(struct vm_area_struct
+ if (anon_vma) {
+ spin_lock(&anon_vma->lock);
+ list_add_tail(&vma->anon_vma_node, &anon_vma->head);
+- validate_anon_vma(vma);
+ spin_unlock(&anon_vma->lock);
+ }
+ }
+@@ -148,7 +127,6 @@ void anon_vma_unlink(struct vm_area_stru
+ return;
+
+ spin_lock(&anon_vma->lock);
+- validate_anon_vma(vma);
+ list_del(&vma->anon_vma_node);
+
+ /* We must garbage collect the anon_vma if it's empty */
diff --git a/queue-2.6.21/ntp-remove-clock_was_set-call-to-prevent-deadlock.patch b/queue-2.6.21/ntp-remove-clock_was_set-call-to-prevent-deadlock.patch
new file mode 100644
index 00000000000..994db6989e7
--- /dev/null
+++ b/queue-2.6.21/ntp-remove-clock_was_set-call-to-prevent-deadlock.patch
@@ -0,0 +1,54 @@
+From stable-bounces@linux.kernel.org Tue Jul 3 12:02:14 2007
+From: Thomas Gleixner
+To: torvalds@osdl.org
+Date: Tue, 03 Jul 2007 20:05:20 +0200
+Message-Id: <1183485920.3291.28.camel@chaos>
+Cc: akpm@osdl.org, johnstul@us.ibm.com, linux-kernel@vger.kernel.org, davej@redhat.com, mingo@elte.hu, Vincent.Fortier1@EC.GC.CA
+Subject: NTP: remove clock_was_set() call to prevent deadlock
+
+The clock_was_set() call in seconds_overflow() which happens only when
+leap seconds are inserted / deleted is wrong in two aspects:
+
+1. it results in a call to on_each_cpu() with interrupts disabled
+2. it is potential deadlock source vs. call_lock in smp_call_function()
+
+The only possible side effect of the removal might be, that an absolute
+CLOCK_REALTIME timer fires 1 second too late, in the rare case of leap
+second deletion and an absolute CLOCK_REALTIME timer which expires in
+the affected time frame. It will never fire too early.
+
+This was probably observed by the reporter of a June 30th -> July 1st
+hang: http://lkml.org/lkml/2007/7/3/
+
+A similar problem was observed by Dave Jones, who provided a screen shot
+with a lockdep back trace, which allowed to analyse the problem.
+
+Signed-off-by: Thomas Gleixner
+Cc: john stultz
+Cc: Dave Jones
+Cc: Ingo Molnar
+Cc: "Fortier, Vincent"
+Signed-off-by: Chris Wright
+
+---
+ kernel/time/ntp.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- linux-2.6.21.6.orig/kernel/time/ntp.c
++++ linux-2.6.21.6/kernel/time/ntp.c
+@@ -120,7 +120,6 @@ void second_overflow(void)
+ */
+ time_interpolator_update(-NSEC_PER_SEC);
+ time_state = TIME_OOP;
+- clock_was_set();
+ printk(KERN_NOTICE "Clock: inserting leap second "
+ "23:59:60 UTC\n");
+ }
+@@ -135,7 +134,6 @@ void second_overflow(void)
+ */
+ time_interpolator_update(NSEC_PER_SEC);
+ time_state = TIME_WAIT;
+- clock_was_set();
+ printk(KERN_NOTICE "Clock: deleting leap second "
+ "23:59:59 UTC\n");
+ }
diff --git a/queue-2.6.21/posix-timers-prevent-softirq-starvation-by-small-intervals-and-sig_ign.patch b/queue-2.6.21/posix-timers-prevent-softirq-starvation-by-small-intervals-and-sig_ign.patch
new file mode 100644
index 00000000000..559e5fed849
--- /dev/null
+++ b/queue-2.6.21/posix-timers-prevent-softirq-starvation-by-small-intervals-and-sig_ign.patch
@@ -0,0 +1,100 @@ +From stable-bounces@linux.kernel.org Thu Jun 21 13:35:08 2007 +Message-Id: <20070621191927.992615568@inhelltoy.tec.linutronix.de> +Date: Thu, 21 Jun 2007 20:45:15 -0000 +From: Thomas Gleixner +To: torvalds@linux-foundation.org +Cc: mingo@elte.hu, drepper@redhat.com, jan.kiszka@web.de, akpm@linux-foundation.org +Subject: posix-timers: Prevent softirq starvation by small intervals and SIG_IGN + +posix-timers which deliver an ignored signal are currently rearmed in +the timer softirq: This is necessary because the timer needs to be +delivered again when SIG_IGN is removed. This is not a problem, when +the interval is reasonable. + +With high resolution timers enabled one might arm a posix timer with a +very small interval and ignore the signal. This might lead to a +softirq starvation when the interval is so small that the timer is +requeued onto the softirq pending list right away. + +This problem was pointed out by Jan Kiszka. Thanks Jan ! + +The correct solution would be to stop the timer, when the signal is +ignored and rearm it when SIG_IGN is removed. Unfortunately this +requires modification in sigaction and involves non trivial sighand +locking. It's too late in the release cycle for such a change. + +For now we just keep the timer running and enforce that the timer only +fires every jiffie. This does not break anything as we keep the +overrun counter correct. It adds a little inaccuracy to the +timer_gettime() interface, but... + +The more complex change is necessary anyway to fix another short +coming of the current implementation, which I discovered while looking +at this problem: A pending signal is discarded when SIG_IGN is set. In +case that a posixtimer signal is pending then it is discarded as well, +but when SIG_IGN is removed later nothing rearms the timer. This is +not new, it's that way since posix timers have been merged. So nothing +to worry about right now. 
+ +I have a working solution to fix all of this, but the impact is too +large for both stable and 2.6.22. I'm going to send it out for review +in the next days. + +This should go into 2.6.21.stable as well. + +Signed-off-by: Thomas Gleixner +Acked-by: Ingo Molnar +Cc: Jan Kiszka +Cc: Ulrich Drepper +Signed-off-by: Chris Wright +--- + +--- + kernel/posix-timers.c | 35 +++++++++++++++++++++++++++++++++-- + 1 file changed, 33 insertions(+), 2 deletions(-) + +--- linux-2.6.21.6.orig/kernel/posix-timers.c ++++ linux-2.6.21.6/kernel/posix-timers.c +@@ -354,9 +354,40 @@ static enum hrtimer_restart posix_timer_ + * it should be restarted. + */ + if (timr->it.real.interval.tv64 != 0) { ++ ktime_t now = hrtimer_cb_get_time(timer); ++ ++ /* ++ * FIXME: What we really want, is to stop this ++ * timer completely and restart it in case the ++ * SIG_IGN is removed. This is a non trivial ++ * change which involves sighand locking ++ * (sigh !), which we don't want to do late in ++ * the release cycle. ++ * ++ * For now we just let timers with an interval ++ * less than a jiffie expire every jiffie to ++ * avoid softirq starvation in case of SIG_IGN ++ * and a very small interval, which would put ++ * the timer right back on the softirq pending ++ * list. By moving now ahead of time we trick ++ * hrtimer_forward() to expire the timer ++ * later, while we still maintain the overrun ++ * accuracy, but have some inconsistency in ++ * the timer_gettime() case. This is at least ++ * better than a starved softirq. A more ++ * complex fix which solves also another related ++ * inconsistency is already in the pipeline. ++ */ ++#ifdef CONFIG_HIGH_RES_TIMERS ++ { ++ ktime_t kj = ktime_set(0, NSEC_PER_SEC / HZ); ++ ++ if (timr->it.real.interval.tv64 < kj.tv64) ++ now = ktime_add(now, kj); ++ } ++#endif + timr->it_overrun += +- hrtimer_forward(timer, +- hrtimer_cb_get_time(timer), ++ hrtimer_forward(timer, now, + timr->it.real.interval); + ret = HRTIMER_RESTART; + ++timr->it_requeue_pending; 
diff --git a/queue-2.6.21/powerpc-fix-subtle-fp-state-corruption-bug-in-signal-return-on-smp.patch b/queue-2.6.21/powerpc-fix-subtle-fp-state-corruption-bug-in-signal-return-on-smp.patch new file mode 100644 index 00000000000..fb3e4a37b3a --- /dev/null +++ b/queue-2.6.21/powerpc-fix-subtle-fp-state-corruption-bug-in-signal-return-on-smp.patch 
@@ -0,0 +1,55 @@ +From stable-bounces@linux.kernel.org Tue Jun 26 03:10:36 2007 +Message-ID: <18048.58884.161725.44037@cargo.ozlabs.ibm.com> +Date: Tue, 26 Jun 2007 20:10:12 +1000 +From: Paul Mackerras +To: stable@kernel.org +Subject: POWERPC: Fix subtle FP state corruption bug in signal return on SMP + +This fixes a bug which can cause corruption of the floating-point state +on return from a signal handler. If we have a signal handler that has +used the floating-point registers, and it happens to context-switch to +another task while copying the interrupted floating-point state from the +user stack into the thread struct (e.g. because of a page fault, or +because it gets preempted), the context switch code will think that the +FP registers contain valid FP state that needs to be copied into the +thread_struct, and will thus overwrite the values that the signal return +code has put into the thread_struct. + +This can occur because we clear the MSR bits that indicate the presence +of valid FP state after copying the state into the thread_struct. To fix +this we just move the clearing of the MSR bits to before the copy. A +similar potential problem also occurs with the Altivec state, and this +fixes that in the same way. + +Signed-off-by: Paul Mackerras +Signed-off-by: Chris Wright +--- + arch/powerpc/kernel/signal_64.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- linux-2.6.21.6.orig/arch/powerpc/kernel/signal_64.c ++++ linux-2.6.21.6/arch/powerpc/kernel/signal_64.c +@@ -177,6 +177,13 @@ static long restore_sigcontext(struct pt + */ + discard_lazy_cpu_state(); + ++ /* ++ * Force reload of FP/VEC. ++ * This has to be done before copying stuff into current->thread.fpr/vr ++ * for the reasons explained in the previous comment. 
++ */ ++ regs->msr &= ~(MSR_FP | MSR_FE0 | MSR_FE1 | MSR_VEC); ++ + err |= __copy_from_user(¤t->thread.fpr, &sc->fp_regs, FP_REGS_SIZE); + + #ifdef CONFIG_ALTIVEC +@@ -198,9 +205,6 @@ static long restore_sigcontext(struct pt + current->thread.vrsave = 0; + #endif /* CONFIG_ALTIVEC */ + +- /* Force reload of FP/VEC */ +- regs->msr &= ~(MSR_FP | MSR_FE0 | MSR_FE1 | MSR_VEC); +- + return err; + } + diff --git a/queue-2.6.21/saa7134-fix-thread-shutdown-handling.patch b/queue-2.6.21/saa7134-fix-thread-shutdown-handling.patch new file mode 100644 index 00000000000..c8deee8aad9 --- /dev/null +++ b/queue-2.6.21/saa7134-fix-thread-shutdown-handling.patch 
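Review bot: The comment added in restore_sigcontext() explains the ordering only by pointing at "the previous comment", which sits outside the hunk and can drift away from this statement. The fix depends entirely on the MSR bits being cleared before the `__copy_from_user()` calls, so I would state the reason in place, e.g. `/* Clear FP/VEC first: a context switch during the copies below would otherwise save live registers over current->thread */`. The Altivec copy that the description says is covered by the same move lies between the two hunks and is not visible here, so its position relative to the new statement should be confirmed against the full function.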
@@ -0,0 +1,43 @@ +From stable-bounces@linux.kernel.org Wed Jun 27 14:10:40 2007 +Message-Id: <200706272109.l5RL9wC5007145@imap1.linux-foundation.org> +To: torvalds@linux-foundation.org +From: akpm@linux-foundation.org +Date: Wed, 27 Jun 2007 14:09:58 -0700 +Cc: akpm@linux-foundation.org, jeffm@suse.com, stable@kernel.org, mchehab@infradead.org +Subject: saa7134: fix thread shutdown handling + +From: Jeff Mahoney + +This patch changes the test for the thread pid from >= 0 to > 0. + +When the saa8134 driver initialization fails after a certain point, it goes +through the complete shutdown process for the driver. Part of shutting it +down includes tearing down the thread for tv audio. + +The test for tearing down the thread tests for >= 0. Since the dev +structure is kzalloc'd, the test will always be true if we haven't tried to +start the thread yet. We end up waiting on pid 0 to complete, which will +never happen, so we lock up. + +This bug was observed in Novell Bugzilla 284718, when request_irq() failed. + +Signed-off-by: Jeff Mahoney +Acked-by: Mauro Carvalho Chehab +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- + + drivers/media/video/saa7134/saa7134-tvaudio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.21.6.orig/drivers/media/video/saa7134/saa7134-tvaudio.c ++++ linux-2.6.21.6/drivers/media/video/saa7134/saa7134-tvaudio.c +@@ -1006,7 +1006,7 @@ int saa7134_tvaudio_init2(struct saa7134 + int saa7134_tvaudio_fini(struct saa7134_dev *dev) + { + /* shutdown tvaudio thread */ +- if (dev->thread.pid >= 0) { ++ if (dev->thread.pid > 0) { + dev->thread.shutdown = 1; + wake_up_interruptible(&dev->thread.wq); + wait_for_completion(&dev->thread.exit); diff --git a/queue-2.6.21/sched-fix-next_interval-determination-in-idle_balance.patch b/queue-2.6.21/sched-fix-next_interval-determination-in-idle_balance.patch new file mode 100644 index 00000000000..ff787a6627f --- /dev/null 
+++ b/queue-2.6.21/sched-fix-next_interval-determination-in-idle_balance.patch 
@@ -0,0 +1,73 @@ +From stable-bounces@linux.kernel.org Tue Jun 19 12:39:31 2007 +Date: Tue, 19 Jun 2007 21:39:03 +0200 +From: Ingo Molnar +To: torvalds@linux-foundation.org, akpm@linux-foundation.org +Cc: gregkh@suse.de, vatsa@linux.vnet.ibm.com, chrisw@sous-sol.org, paulmck@linux.vnet.ibm.com, clameter@sgi.com +Message-ID: <20070619193903.GA15024@elte.hu> +Subject: sched: fix next_interval determination in idle_balance() + +From: Christoph Lameter + +Fix massive SMP imbalance on NUMA nodes observed on 2.6.21.5 with CFS. +(and later on reproduced without CFS as well). + +The intervals of domains that do not have SD_BALANCE_NEWIDLE must be +considered for the calculation of the time of the next balance. +Otherwise we may defer rebalancing forever and nodes might stay idle for +very long times. + +Siddha also spotted that the conversion of the balance interval to +jiffies is missing. Fix that to. + +From: Srivatsa Vaddagiri + +also continue the loop if !(sd->flags & SD_LOAD_BALANCE). + +Tested-by: Paul E. McKenney + +It did in fact trigger under all three of mainline, CFS, and -rt +including CFS -- see below for a couple of emails from last Friday +giving results for these three on the AMD box (where it happened) and on +a single-quad NUMA-Q system (where it did not, at least not with such +severity). 
+ +Signed-off-by: Christoph Lameter +Signed-off-by: Ingo Molnar +Signed-off-by: Chris Wright +--- + kernel/sched.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +--- linux-2.6.21.6.orig/kernel/sched.c ++++ linux-2.6.21.6/kernel/sched.c +@@ -2831,17 +2831,21 @@ static void idle_balance(int this_cpu, s + unsigned long next_balance = jiffies + 60 * HZ; + + for_each_domain(this_cpu, sd) { +- if (sd->flags & SD_BALANCE_NEWIDLE) { ++ unsigned long interval; ++ ++ if (!(sd->flags & SD_LOAD_BALANCE)) ++ continue; ++ ++ if (sd->flags & SD_BALANCE_NEWIDLE) + /* If we've pulled tasks over stop searching: */ + pulled_task = load_balance_newidle(this_cpu, +- this_rq, sd); +- if (time_after(next_balance, +- sd->last_balance + sd->balance_interval)) +- next_balance = sd->last_balance +- + sd->balance_interval; +- if (pulled_task) +- break; +- } ++ this_rq, sd); ++ ++ interval = msecs_to_jiffies(sd->balance_interval); ++ if (time_after(next_balance, sd->last_balance + interval)) ++ next_balance = sd->last_balance + interval; ++ if (pulled_task) ++ break; + } + if (!pulled_task) + /* diff --git a/queue-2.6.21/serial-clear-proper-mpsc-interrupt-cause-bits.patch b/queue-2.6.21/serial-clear-proper-mpsc-interrupt-cause-bits.patch new file mode 100644 index 00000000000..7ed90bc8900 --- /dev/null +++ b/queue-2.6.21/serial-clear-proper-mpsc-interrupt-cause-bits.patch 
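Review bot: After this change the `if (sd->flags & SD_BALANCE_NEWIDLE)` in idle_balance() guards a comment plus a two-line call with no braces, and is directly followed by statements that must run for every domain. That layout is easy to misread and easy to break when a line is added; bracing the body makes the scope explicit, i.e. `if (sd->flags & SD_BALANCE_NEWIDLE) {` ... `}` around the `pulled_task = load_balance_newidle(...)` assignment. The retained comment "If we've pulled tasks over stop searching" now sits on the call rather than next to the `if (pulled_task) break;` it describes, and would read better moved there. idle_balance() starts and ends outside the hunk.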
@@ -0,0 +1,40 @@ +From stable-bounces@linux.kernel.org Wed Jun 27 14:15:05 2007 +Message-Id: <200706272110.l5RLA91q007189@imap1.linux-foundation.org> +To: torvalds@linux-foundation.org +From: akpm@linux-foundation.org +Date: Wed, 27 Jun 2007 14:10:09 -0700 +Cc: akpm@linux-foundation.org, mgreer@mvista.com, jaylubo@motorola.com, stable@kernel.org +Subject: serial: clear proper MPSC interrupt cause bits + +From: Jay Lubomirski + +The interrupt clearing code in mpsc_sdma_intr_ack() mistakenly clears the +interrupt for both controllers instead of just the one its supposed to. +This can result in the other controller appearing to hang because its +interrupt was effectively lost. + +So, don't clear the interrupt cause bits for both MPSC controllers when +clearing the interrupt for one of them. Just clear the one that is +supposed to be cleared. + +Signed-off-by: Jay Lubomirski +Acked-by: Mark A. Greer +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- + + drivers/serial/mpsc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- linux-2.6.21.6.orig/drivers/serial/mpsc.c ++++ linux-2.6.21.6/drivers/serial/mpsc.c +@@ -502,7 +502,8 @@ mpsc_sdma_intr_ack(struct mpsc_port_info + + if (pi->mirror_regs) + pi->shared_regs->SDMA_INTR_CAUSE_m = 0; +- writel(0, pi->shared_regs->sdma_intr_base + SDMA_INTR_CAUSE); ++ writeb(0x00, pi->shared_regs->sdma_intr_base + SDMA_INTR_CAUSE + ++ pi->port.line); + return; + } + diff --git a/queue-2.6.21/series b/queue-2.6.21/series index b1b9a92bfec..bfe64351b6b 100644 --- a/queue-2.6.21/series +++ b/queue-2.6.21/series 
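Review bot: The mirror-register path in mpsc_sdma_intr_ack() still executes `pi->shared_regs->SDMA_INTR_CAUSE_m = 0;`, which zeroes the mirrored cause for both controllers, while the hardware write on the next line was narrowed to a single byte. If the mirror is ever read back as the cause value, the other port's pending state is still lost on that path; the readers of SDMA_INTR_CAUSE_m are not visible here and should be checked. The new `writeb()` also appears to encode the assumption that port N's cause bits are byte N of the register and that `pi->port.line` stays within it, which a comment such as `/* cause bits for port N are byte N of SDMA_INTR_CAUSE */` would record once confirmed. The function starts outside the hunk.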
@@ -4,3 +4,23 @@ rt-mutex-fix-stale-return-value.patch rt-mutex-fix-chain-walk-early-wakeup-bug.patch pi-futex-fix-exit-races-and-locking-problems.patch hpt366-disallow-ultra133-for-hpt374.patch +md-fix-two-raid10-bugs.patch +md-fix-bug-in-error-handling-during-raid1-repair.patch +dm-crypt-disable-barriers.patch +dm-crypt-fix-call-to-clone_init.patch +dm-crypt-fix-avoid-cloned-bio-ref-after-free.patch +dm-crypt-fix-remove-first_clone.patch +hugetlb-fix-get_policy-for-stacked-shared-memory-files.patch +sched-fix-next_interval-determination-in-idle_balance.patch +posix-timers-prevent-softirq-starvation-by-small-intervals-and-sig_ign.patch +futex-restore-the-dropped-ersch-fix.patch +audit-fix-oops-removing-watch-if-audit-disabled.patch +powerpc-fix-subtle-fp-state-corruption-bug-in-signal-return-on-smp.patch +mm-kill-validate_anon_vma-to-avoid-mapcount-bug.patch +saa7134-fix-thread-shutdown-handling.patch +serial-clear-proper-mpsc-interrupt-cause-bits.patch +i386-fix-infinite-loop-with-singlestep-int80-syscalls.patch +ntp-remove-clock_was_set-call-to-prevent-deadlock.patch +sky2-workaround-for-lost-irq.patch +v4l-bttv-fix-v4l1-api-usage-breaking-the-driver.patch +v4l-cx88-blackbird-fix-vidioc_g_tuner-never-ending-list-of-tuners.patch diff --git a/queue-2.6.21/sky2-workaround-for-lost-irq.patch b/queue-2.6.21/sky2-workaround-for-lost-irq.patch new file mode 100644 index 00000000000..89ac88e9d52 --- /dev/null +++ b/queue-2.6.21/sky2-workaround-for-lost-irq.patch 
@@ -0,0 +1,45 @@ +From stable-bounces@linux.kernel.org Mon Jul 9 12:02:23 2007 +Date: Mon, 9 Jul 2007 12:01:31 -0700 +From: Stephen Hemminger +To: stable@kernel.org +Message-ID: <20070709120131.79df9203@freepuppy.rosehill.hemminger.net> +Subject: sky2: workaround for lost IRQ + +This patch restores a couple of workarounds from 2.6.16: + * restart transmit moderation timer in case it expires during IRQ routine + * default to having 10 HZ watchdog timer. +At this point it more important not to hang than to worry about the +power cost. + +Signed-off-by: Stephen Hemminger +Cc: Jeff Garzik +Signed-off-by: Chris Wright +--- + drivers/net/sky2.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- linux-2.6.21.6.orig/drivers/net/sky2.c ++++ linux-2.6.21.6/drivers/net/sky2.c +@@ -95,7 +95,7 @@ static int disable_msi = 0; + module_param(disable_msi, int, 0); + MODULE_PARM_DESC(disable_msi, "Disable Message Signaled Interrupt (MSI)"); + +-static int idle_timeout = 0; ++static int idle_timeout = 100; + module_param(idle_timeout, int, 0); + MODULE_PARM_DESC(idle_timeout, "Watchdog timer for lost interrupts (ms)"); + +@@ -2433,6 +2433,13 @@ static int sky2_poll(struct net_device * + + work_done = sky2_status_intr(hw, work_limit); + if (work_done < work_limit) { ++ /* Bug/Errata workaround? ++ * Need to kick the TX irq moderation timer. ++ */ ++ if (sky2_read8(hw, STAT_TX_TIMER_CTRL) == TIM_START) { ++ sky2_write8(hw, STAT_TX_TIMER_CTRL, TIM_STOP); ++ sky2_write8(hw, STAT_TX_TIMER_CTRL, TIM_START); ++ } + netif_rx_complete(dev0); + + sky2_read32(hw, B0_Y2_SP_LISR); diff --git a/queue-2.6.21/v4l-bttv-fix-v4l1-api-usage-breaking-the-driver.patch b/queue-2.6.21/v4l-bttv-fix-v4l1-api-usage-breaking-the-driver.patch new file mode 100644 index 00000000000..0391369f008 --- /dev/null +++ b/queue-2.6.21/v4l-bttv-fix-v4l1-api-usage-breaking-the-driver.patch 
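Review bot: The comment added in sky2_poll(), "Bug/Errata workaround? Need to kick the TX irq moderation timer.", does not say what is being worked around, and its question mark leaves the reader unsure whether the code is required. The description gives the reason, so the comment can carry it: `/* Restart the TX IRQ moderation timer in case it expired during the IRQ routine */`. In the first hunk the new default `idle_timeout = 100` would benefit from a short note that the unit is milliseconds, matching the 10 Hz watchdog the description mentions. sky2_poll() continues outside the hunk.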
@@ -0,0 +1,97 @@ +From stable-bounces@linux.kernel.org Mon Jul 9 21:03:10 2007 +Message-ID: <469304F5.6040809@linuxtv.org> +Date: Tue, 10 Jul 2007 00:03:01 -0400 +From: Michael Krufky +To: stable@kernel.org +Cc: v4l-dvb-maintainer@linuxtv.org, xyzzy@speakeasy.org +Subject: V4L: bttv: fix v4l1 api usage breaking the driver + +From: Trent Piepho + +If one uses a V4L *one* application, such as vlc or mplayer's v4l driver, as +the first user after the driver is loaded, the driver wedges itself and will +never capture properly. Even if one uses a V4L2 application later, it still +won't work. + +If one uses a V4L *two* application first, such as tvtime or mplayer's v4l2 +driver, then the driver will be ok. One can then run a V4L1 application, and +it will work. + +It turns out the problem is with norm changing and the crop support that was +added in 2.6.21. The driver defaults to PAL, and keeps the last norm it was +set too across opens. If one changes the norm via V4L1, the cropping +parameters are not reset like they should be, and they'll remain broken across +device opens. + +This patch removes the direct setting of btv->tvnorm in the V4L1 ioctl +VIDIOCSCHAN handler. The norm is set via the existing call to set_input(), +which calls set_tvnorm(), which will reset the cropping values now that it is +able to detect the norm change. + +Signed-off-by: Trent Piepho +Signed-off-by: Michael Krufky +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Chris Wright +--- +(cherry picked from commit 333408f21590d50397f3004e3f87070fa8f52c51) + + drivers/media/video/bt8xx/bttv-driver.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- linux-2.6.21.6.orig/drivers/media/video/bt8xx/bttv-driver.c ++++ linux-2.6.21.6/drivers/media/video/bt8xx/bttv-driver.c +@@ -1313,7 +1313,7 @@ set_tvnorm(struct bttv *btv, unsigned in + + /* Call with btv->lock down. 
*/ + static void +-set_input(struct bttv *btv, unsigned int input) ++set_input(struct bttv *btv, unsigned int input, unsigned int norm) + { + unsigned long flags; + +@@ -1332,7 +1332,7 @@ set_input(struct bttv *btv, unsigned int + } + audio_input(btv,(input == bttv_tvcards[btv->c.type].tuner ? + TVAUDIO_INPUT_TUNER : TVAUDIO_INPUT_EXTERN)); +- set_tvnorm(btv,btv->tvnorm); ++ set_tvnorm(btv, norm); + i2c_vidiocschan(btv); + } + +@@ -1423,7 +1423,7 @@ static void bttv_reinit_bt848(struct btt + + init_bt848(btv); + btv->pll.pll_current = -1; +- set_input(btv,btv->input); ++ set_input(btv, btv->input, btv->tvnorm); + } + + static int get_control(struct bttv *btv, struct v4l2_control *c) +@@ -1993,8 +1993,7 @@ static int bttv_common_ioctls(struct btt + return 0; + } + +- btv->tvnorm = v->norm; +- set_input(btv,v->channel); ++ set_input(btv, v->channel, v->norm); + mutex_unlock(&btv->lock); + return 0; + } +@@ -2130,7 +2129,7 @@ static int bttv_common_ioctls(struct btt + if (*i > bttv_tvcards[btv->c.type].video_inputs) + return -EINVAL; + mutex_lock(&btv->lock); +- set_input(btv,*i); ++ set_input(btv, *i, btv->tvnorm); + mutex_unlock(&btv->lock); + return 0; + } +@@ -4762,7 +4761,7 @@ static int __devinit bttv_probe(struct p + bt848_hue(btv,32768); + bt848_sat(btv,32768); + audio_mute(btv, 1); +- set_input(btv,0); ++ set_input(btv, 0, btv->tvnorm); + bttv_crop_reset(&btv->crop[0], btv->tvnorm); + btv->crop[1] = btv->crop[0]; /* current = default */ + disclaim_vbi_lines(btv); diff --git a/queue-2.6.21/v4l-cx88-blackbird-fix-vidioc_g_tuner-never-ending-list-of-tuners.patch b/queue-2.6.21/v4l-cx88-blackbird-fix-vidioc_g_tuner-never-ending-list-of-tuners.patch new file mode 100644 index 00000000000..9bf083c30da --- /dev/null +++ b/queue-2.6.21/v4l-cx88-blackbird-fix-vidioc_g_tuner-never-ending-list-of-tuners.patch 
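Review bot: In the VIDIOCSCHAN handler the new call `set_input(btv, v->channel, v->norm)` passes the caller-supplied `v->norm` straight through to `set_tvnorm()`, and the hunk does not show whether it was range-checked earlier in that case. The same value was stored in `btv->tvnorm` before the change, so this is not a new exposure, but with the norm now driving the crop reset the bound should be confirmed against the full function. Separately, the context line `if (*i > bttv_tvcards[btv->c.type].video_inputs)` accepts `*i` equal to `video_inputs`; if inputs are numbered from zero that is one past the last, and `>=` would be the expected comparison. All of the touched functions start or end outside the hunks shown.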
@@ -0,0 +1,41 @@ +From stable-bounces@linux.kernel.org Mon Jul 9 21:03:11 2007 +Message-ID: <469304F6.6000301@linuxtv.org> +Date: Tue, 10 Jul 2007 00:03:02 -0400 +From: Michael Krufky +To: stable@kernel.org +Cc: v4l-dvb-maintainer@linuxtv.org, jelle@foks.8m.com +Subject: V4L: cx88-blackbird: fix vidioc_g_tuner never ending list of tuners + +From: Jelle Foks + +v4l-info and other programs would loop indefinitely while querying the +tuners for cx88-blackbird cards. + +The cause was that vidioc_g_tuner didn't return an error value for +qctrl->id != 0, making the application think there is a never ending +list of tuners... + +This patch adds the same index check as done in vidioc_g_tuner() in +cx88-video. + +Signed-off-by: Jelle Foks +Signed-off-by: Michael Krufky +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Chris Wright +--- +(cherry picked from commit f057131fb6eb2c45f6023e3da41ccd6e4e71aee9) + + drivers/media/video/cx88/cx88-blackbird.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- linux-2.6.21.6.orig/drivers/media/video/cx88/cx88-blackbird.c ++++ linux-2.6.21.6/drivers/media/video/cx88/cx88-blackbird.c +@@ -1034,6 +1034,8 @@ static int vidioc_g_tuner (struct file * + + if (unlikely(UNSET == core->tuner_type)) + return -EINVAL; ++ if (0 != t->index) ++ return -EINVAL; + + strcpy(t->name, "Television"); + t->type = V4L2_TUNER_ANALOG_TV; -- 2.47.3