commit b321cb58a311d172a3370029324b653e0b1d7041 Author: Chris Wright Date: Mon Feb 5 08:31:59 2007 -0800 Linux 2.6.19.3 commit 9868646d7a415771f015620ee40edfe257dc27d3 Author: Ingo Molnar Date: Fri Dec 29 16:48:13 2006 -0800 [PATCH] sched: fix cond_resched_softirq() offset Remove the __resched_legal() check: it is conceptually broken. The biggest problem it had is that it can mask buggy cond_resched() calls. A cond_resched() call is only legal if we are not in an atomic context, with two narrow exceptions: - if the system is booting - a reacquire_kernel_lock() down() done while PREEMPT_ACTIVE is set But __resched_legal() hid this and just silently returned whenever these primitives were called from invalid contexts. (Same goes for cond_resched_locked() and cond_resched_softirq()). Furthermore, the __legal_resched(0) call was buggy in that it caused unnecessarily long softirq latencies via cond_resched_softirq(). (which is only called from softirq-off sections, hence the code did nothing.) The fix is to resurrect the efficiency of the might_sleep checks and to only allow the narrow exceptions. Signed-off-by: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [chrisw: backport to 2.6.19.2] Signed-off-by: Chris Wright commit 56cf77091500709c99253b305708bc47196f7d21 Author: Kirill Korotaev Date: Sun Dec 10 02:20:11 2006 -0800 [PATCH] move_task_off_dead_cpu() should be called with disabled ints move_task_off_dead_cpu() requires interrupts to be disabled, while migrate_dead() calls it with enabled interrupts. Added appropriate comments to functions and added BUG_ON(!irqs_disabled()) into double_rq_lock() and double_lock_balance() which are the origin sources of such bugs. Signed-off-by: Kirill Korotaev Acked-by: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Chris Wright commit 16a2980e7a2d9afe5b6c68c783d025036edcf70e Author: Trond Myklebust Date: Wed Jan 24 20:13:46 2007 -0800 [PATCH] SUNRPC: Give cloned RPC clients their own rpc_pipefs directory This patch fixes a regression in 2.6.19 in which the use of multiple krb5 mounts against the same NFS server may result in an Oops on unmount. The Oops is due to the fact that multiple NFS krb5 clients may end up inadvertently sharing the same rpc_pipefs upcall pipe. The first client to 'umount' will unlink that shared pipe, causing an Oops. The solution is to give each client their own upcall pipe. This fix has been in mainline since 2.6.20-rc1. Signed-off-by: Trond Myklebust [chrisw: backport to 2.6.19.2] Signed-off-by: Chris Wright commit 81a86f15d6f696efcb531620c936d1e7edb96f17 Author: Patrick McHardy Date: Wed Jan 31 01:27:29 2007 +0100 [PATCH] NETFILTER: xt_connbytes: fix division by zero When the packet counter of a connection is zero a division by zero occurs in div64_64(). Fix that by using zero as average value, which is correct as long as the packet counter didn't overflow, at which point we have lost anyway. Additionally we're probably going to go back to 64 bit counters in 2.6.21. Based on patch from Jonas Berlin , with suggestions from KOVACS Krisztian . Signed-off-by: Patrick McHardy Signed-off-by: Chris Wright commit 6e3e53bbff845b9c8d77967bf75bcd5325782199 Author: Masayuki Nakagawa Date: Fri Feb 2 13:17:13 2007 -0800 [PATCH] TCP: skb is unexpectedly freed. I encountered a kernel panic with my test program, which is a very simple IPv6 client-server program. The server side sets IPV6_RECVPKTINFO on a listening socket, and the client side just sends a message to the server. Then the kernel panic occurs on the server. (If you need the test program, please let me know. I can provide it.) This problem happens because a skb is forcibly freed in tcp_rcv_state_process(). When a socket in listening state(TCP_LISTEN) receives a syn packet, then tcp_v6_conn_request() will be called from tcp_rcv_state_process(). If the tcp_v6_conn_request() successfully returns, the skb would be discarded by __kfree_skb(). However, in case of a listening socket which was already set IPV6_RECVPKTINFO, an address of the skb will be stored in treq->pktopts and a ref count of the skb will be incremented in tcp_v6_conn_request(). But, even if the skb is still in use, the skb will be freed. Then someone still using the freed skb will cause the kernel panic. I suggest to use kfree_skb() instead of __kfree_skb(). Signed-off-by: Masayuki Nakagawa Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit 39460cfb25adbafd7141a79b8f51769daacaa0d7 Author: Baruch Even Date: Fri Feb 2 13:16:09 2007 -0800 [PATCH] TCP: Fix sorting of SACK blocks. The sorting of SACK blocks actually munges them rather than sort, causing the TCP stack to ignore some SACK information and breaking the assumption of ordered SACK blocks after sorting. The sort takes the data from a second buffer which isn't moved causing subsequent data moves to occur from the wrong location. The fix is to use a temporary buffer as a normal sort does. Signed-off-By: Baruch Even Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit 26cc0cab4c76d353c8f72fe3fe3e822d738f5c13 Author: Jarek Poplawski Date: Fri Feb 2 13:15:00 2007 -0800 [PATCH] TCP: rare bad TCP checksum with 2.6.19 The patch "Replace CHECKSUM_HW by CHECKSUM_PARTIAL/CHECKSUM_COMPLETE" changed to unconditional copying of ip_summed field from collapsed skb. This patch reverts this change. The majority of substantial work including heavy testing and diagnosing by: Michael Tokarev Possible reasons pointed by: Herbert Xu and Patrick McHardy. Signed-off-by: Jarek Poplawski Acked-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit 2a5332990f1f6f76a03396db7fb894bcd55c4ffe Author: David S. Miller Date: Fri Feb 2 13:01:28 2007 -0800 [PATCH] AF_PACKET: Check device down state before hard header callbacks. If the device is down, invoking the device hard header callbacks is not legal, so check it early. Based upon a shaper OOPS report from Frederik Deweerdt. Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit 6d2d108d66d02bc617e3cab2419fecf0e43afae6 Author: David S. Miller Date: Fri Feb 2 13:06:03 2007 -0800 [PATCH] AF_PACKET: Fix BPF handling. This fixes a bug introduced by: commit fda9ef5d679b07c9d9097aaf6ef7f069d794a8f9 Author: Dmitry Mishin Date: Thu Aug 31 15:28:39 2006 -0700 [NET]: Fix sk->sk_filter field access sk_run_filter() returns either 0 or an unsigned 32-bit length which says how much of the packet to retain. If that 32-bit unsigned integer is larger than the packet, this is fine we just leave the packet unchanged. The above commit caused all filter return values which were negative when interpreted as a signed integer to indicate a packet drop, which is wrong. Based upon a report and initial patch by Raivis Bucis. Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit 05267c7fe2e451b3a18cebb506c4adde5edcf275 Author: Robert Olsson Date: Fri Feb 2 12:58:58 2007 -0800 [PATCH] IPV4: Fix single-entry /proc/net/fib_trie output. When main table is just a single leaf this gets printed as belonging to the local table in /proc/net/fib_trie. A fix is below. Signed-off-by: Robert Olsson Acked-by: Eric W. Biederman Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit 2990b4f42b1763d64038d9aacc0d58cb512896a8 Author: Eric W. Biederman Date: Fri Feb 2 12:57:16 2007 -0800 [PATCH] IPV4: Fix the fib trie iterator to work with a single entry routing tables In a kernel with trie routing enabled I had a simple routing setup with only a single route to the outside world and no default route. "ip route table list main" showed my the route just fine but /proc/net/route was an empty file. What was going on? Thinking it was a bug in something I did and I looked deeper. Eventually I setup a second route and everything looked correct, huh? Finally I realized that the it was just the iterator pair in fib_trie_get_first, fib_trie_get_next just could not handle a routing table with a single entry. So to save myself and others further confusion, here is a simple fix for the fib proc iterator so it works even when there is only a single route in a routing table. Signed-off-by: Eric W. Biederman Signed-off-by: Robert Olsson Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit 594fb7bd8f3b317c531af7d00fb0967fb67e968d Author: Bob Breuer Date: Fri Feb 2 12:52:15 2007 -0800 [PATCH] SPARC32: Fix over-optimization by GCC near ip_fast_csum. In some cases such as: iph->check = 0; iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl); GCC may optimize out the previous store. Observed as a failure of NFS over udp (bad checksums on ip fragments) when compiled with GCC 3.4.2. Signed-off-by: Bob Breuer Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit 50d7d7e3c0ecbb01fc018434a23ec8b260c68473 Author: Eric W. Biederman Date: Fri Feb 2 12:50:23 2007 -0800 [PATCH] DECNET: Handle a failure in neigh_parms_alloc (take 2) While enhancing the neighbour code to handle multiple network namespaces I noticed that decnet is assuming neigh_parms_alloc will allways succeed, which is clearly wrong. So handle the failure. Signed-off-by: Eric W. Biederman Acked-by: Steven Whitehouse Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit 75cd51415c52253931aef75895f4a9b2464e4b17 Author: ethanhsiao@jmicron.com Date: Tue Jan 30 14:36:13 2007 -0800 [PATCH] jmicron: 40/80pin primary detection jmicron module detects all JMB36x as JMB361 and PATA0 has wrong pin status of XICBLID. Cc: Jeff Garzik Cc: Alan Cox Cc: Bartlomiej Zolnierkiewicz Cc: Sergei Shtylyov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds cebbert@redhat.com: I folded in the warning fix (a51545ab25) because otherwise it makes the tester think the patch caused the warning that was already there. Cc: Dave Jones Signed-off-by: Chuck Ebbert Signed-off-by: Chris Wright commit 3002052b6358f932cbe381007ad20c76d5e4dca9 Author: Andy Gospodarek Date: Mon Jan 29 12:08:38 2007 -0800 [PATCH] bonding: ARP monitoring broken on x86_64 While working with the latest bonding code I noticed a nasty problem that will prevent arp monitoring from always functioning correctly on x86_64 systems. Comparing ints to longs and expecting reliable results on x86_64 is a bad idea. With this patch, arp monitoring works correctly again. Signed-off-by: Andy Gospodarek Cc: "David S. Miller" Cc: Stephen Hemminger Cc: Jeff Garzik Signed-off-by: Andrew Morton Signed-off-by: Jeff Garzik Signed-off-by: Chris Wright commit 9f8dc7500aa31654329ddb7596fd0f2f91817251 Author: Jeff Dike Date: Tue Jan 30 14:36:17 2007 -0800 [PATCH] uml: fix signal frame alignment Use the same signal frame alignment calculations as the underlying architecture. x86_64 appeared to do this, but the "- 8" was really subtracting 8 * sizeof(struct rt_sigframe) rather than 8 bytes. UML/i386 might have been OK, but I changed the calculation to match i386 just to be sure. Signed-off-by: Jeff Dike Cc: Cc: Adrian Bunk Cc: Paolo 'Blaisorblade' Giarrusso Acked-by: Antoine Martin Signed-off-by: Andrew Morton Signed-off-by: Chris Wright commit 8b0165ce42354878b66482f34149d99660dbcdb0 Author: Adam Litke Date: Tue Jan 30 14:35:39 2007 -0800 [PATCH] Don't allow the stack to grow into hugetlb reserved regions When expanding the stack, we don't currently check if the VMA will cross into an area of the address space that is reserved for hugetlb pages. Subsequent faults on the expanded portion of such a VMA will confuse the low-level MMU code, resulting in an OOPS. Check for this. Signed-off-by: Adam Litke Cc: David Gibson Cc: William Lee Irwin III Cc: Hugh Dickins Cc: Signed-off-by: Andrew Morton Signed-off-by: Chris Wright commit e435bb1a3314e17118fd873290b198813537e864 Author: Jeff Garzik Date: Mon Dec 11 11:05:53 2006 -0500 [PATCH] libata: use kmap_atomic(KM_IRQ0) in SCSI simulator We are inside spin_lock_irqsave(). quoth akpm's debug facility: [ 231.948000] SCSI device sda: 195371568 512-byte hdwr sectors (100030 MB) [ 232.232000] ata1.00: configured for UDMA/33 [ 232.404000] WARNING (1) at arch/i386/mm/highmem.c:47 kmap_atomic() [ 232.404000] [] kmap_atomic+0xa9/0x1ab [ 232.404000] [] ata_scsi_rbuf_get+0x1c/0x30 [ 232.404000] [] ata_scsi_rbuf_fill+0x1a/0x87 [ 232.404000] [] ata_scsiop_mode_sense+0x0/0x309 [ 232.404000] [] end_bio_bh_io_sync+0x0/0x37 [ 232.404000] [] scsi_done+0x0/0x16 [ 232.404000] [] scsi_done+0x0/0x16 [ 232.404000] [] ata_scsi_simulate+0xb0/0x13f [...] Signed-off-by: Jeff Garzik Cc: Andrew Morton Signed-off-by: Chris Wright commit ec803d270172c7329be48faf49ff3095a54c4a56 Author: NeilBrown Date: Thu Jan 25 15:35:34 2007 +1100 [PATCH] md: fix potential memalloc deadlock in md If a GFP_KERNEL allocation is attempted in md while the mddev_lock is held, it is possible for a deadlock to eventuate. This happens if the array was marked 'clean', and the memalloc triggers a write-out to the md device. For the writeout to succeed, the array must be marked 'dirty', and that requires getting the mddev_lock. So, before attempting a GFP_KERNEL alloction while holding the lock, make sure the array is marked 'dirty' (unless it is currently read-only). Signed-off-by: Neil Brown Signed-off-by: Chris Wright commit 50c524829e518ca5a7e3e5423726e6bb24afaac4 Author: NeilBrown Date: Thu Jan 25 15:35:29 2007 +1100 [PATCH] md: fix a few problems with the interface (sysfs and ioctl) to md. While developing more functionality in mdadm I found some bugs in md... - When we remove a device from an inactive array (write 'remove' to the 'state' sysfs file - see 'state_store') would should not update the superblock information - as we may not have read and processed it all properly yet. - initialise all raid_disk entries to '-1' else the 'slot sysfs file will claim '0' for all devices in an array before the array is started. - all '\n' not to be present at the end of words written to sysfs files - when we use SET_ARRAY_INFO to set the md metadata version, set the flag to say that there is persistant metadata. - allow GET_BITMAP_FILE to be called on an array that hasn't been started yet. Signed-off-by: Neil Brown Signed-off-by: Chris Wright commit d53c44cb93ba219bc26fa2f7ddd98bdd4d219c9c Author: NeilBrown Date: Thu Jan 25 15:35:25 2007 +1100 [PATCH] md: make 'repair' actually work for raid1. When 'repair' finds a block that is different one the various parts of the mirror. it is meant to write a chosen good version to the others. However it currently writes out the original data to each. The memcpy to make all the data the same is missing. Signed-off-by: Neil Brown Signed-off-by: Chris Wright commit 58d81d98ecc8ead88c64b7b1d5a2c05ba0b782f8 Author: NeilBrown Date: Thu Jan 25 15:35:21 2007 +1100 [PATCH] md: assorted md and raid1 one-liners Fix few bugs that meant that: - superblocks weren't alway written at exactly the right time (this could show up if the array was not written to - writting to the array causes lots of superblock updates and so hides these errors). - restarting device recovery after a clean shutdown (version-1 metadata only) didn't work as intended (or at all). 1/ Ensure superblock is updated when a new device is added. 2/ Remove an inappropriate test on MD_RECOVERY_SYNC in md_do_sync. The body of this if takes one of two branches depending on whether MD_RECOVERY_SYNC is set, so testing it in the clause of the if is wrong. 3/ Flag superblock for updating after a resync/recovery finishes. 4/ If we find the neeed to restart a recovery in the middle (version-1 metadata only) make sure a full recovery (not just as guided by bitmaps) does get done. Signed-off-by: Neil Brown Signed-off-by: Chris Wright commit 92ad857a3c2e40b191c61d5afccdb20d74844766 Author: NeilBrown Date: Thu Jan 25 15:35:17 2007 +1100 [PATCH] knfsd: fix up some bit-rot in exp_export The nfsservctl systemcall isn't used but recent nfs-utils releases for exporting filesystems, and consequently the code that is uses - exp_export - has suffered some bitrot. Particular: - some newly added fields in 'struct svc_export' are being initialised properly. - the return value is now always -ENOMEM ... This patch fixes both these problems. Signed-off-by: Neil Brown Signed-off-by: Chris Wright commit dbd2bd734a5559fd167577e37498bad0b2f33d8a Author: NeilBrown Date: Thu Jan 25 15:35:12 2007 +1100 [PATCH] knfsd: fix type mismatch with filldir_t used by nfsd. nfsd defines a type 'encode_dent_fn' which is much like 'filldir_t' except that the first pointer is 'struct readdir_cd *' rather than 'void *'. It then casts encode_dent_fn points to 'filldir_t' as needed. This hides any other type mismatches between the two such as the fact that the 'ino' arg recently changed from ino_t to u64. So: get rid of 'encode_dent_fn', get rid of the cast of the function type, change the first arg of various functions from 'struct readdir_cd *' to 'void *', and live with the fact that we have a little less type checking on the calling of these functions now. Less internal (to nfsd) checking offset by more external checking, which is more important. Thanks to Gabriel Paubert for discovering this and providing an initial patch. Signed-off-by: Gabriel Paubert Signed-off-by: Neil Brown Signed-off-by: Chris Wright commit 79dab9e2b79871bdeb3ea23a882884a7a16d4c92 Author: NeilBrown Date: Thu Jan 25 15:35:08 2007 +1100 [PATCH] knfsd: fix an NFSD bug with full sized, non-page-aligned reads. NFSd assumes that largest number of pages that will be needed for a request+response is 2+N where N pages is the size of the largest permitted read/write request. The '2' are 1 for the non-data part of the request, and 1 for the non-data part of the reply. However, when a read request is not page-aligned, and we choose to use ->sendfile to send it directly from the page cache, we may need N+1 pages to hold the whole reply. This can overflow and array and cause an Oops. This patch increases size of the array for holding pages by one and makes sure that entry is NULL when it is not in use. Signed-off-by: Neil Brown Signed-off-by: Chris Wright commit 65bd280c3e91096a291b77e5b2eed5a530851de7 Author: NeilBrown Date: Thu Jan 25 15:35:01 2007 +1100 [PATCH] knfsd: fix setting of ACL server versions. Due to silly typos, if the nfs versions are explicitly set, no NFSACL versions get enabled. Also improve an error message that would have made this bug a little easier to find. Signed-off-by: Neil Brown Signed-off-by: Chris Wright commit 9aa6df322fe78b2c57f655e870d64bfac41c358f Author: Francois Romieu Date: Thu Jan 18 23:22:23 2007 +0100 [PATCH] sis190: failure to set the MAC address from EEPROM Fix from http://bugzilla.kernel.org/show_bug.cgi?id=7747 Signed-off-by: Andrew Morton Cc: Signed-off-by: Francois Romieu Signed-off-by: Jeff Garzik Signed-off-by: Chris Wright commit 0af78db8bf4cab644b0e458d476b124712b876bf Author: David S. Miller Date: Fri Jan 26 19:17:10 2007 -0800 [PATCH] SPARC64: Set g4/g5 properly in sun4v dtlb-prot handling. Mirror the logic in the sun4u handler, we have to update both registers even when we branch out to window fault fixup handling. The way it works is that if we are in etrap processing a fault already, g4/g5 holds the original fault information. If we take a window spill fault while doing etrap, then we put the window spill fault info into g4/g5 and this is what the top-level fault handler ends up processing first. Then we retry the originally faulting instruction, and process the original fault at that time. This is all necessary because of how constrained the trap registers are in these code paths. These cases trigger very rarely, so even if there is some performance implication it's doesn't happen very often. In fact the rarity is why it took so long to trigger and find this particular bug. Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit ea813cd4d76976e63cba0f27110ddf7abb8dcf69 Author: Mike Frysinger Date: Fri Jan 26 00:57:08 2007 -0800 [PATCH] remove __devinit markings from rtc_sysfs_add_device() rtc_sysfs_add_device is needed even after dev initialization, so drop __devinit. Signed-off-by: Mike Frysinger Acked-by: Alessandro Zummo Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Chris Wright commit f2910633b06be3c69f4e3b3d19d2a3c562c0d06a Author: Linus Torvalds Date: Mon Jan 22 08:53:24 2007 -0800 [PATCH] Revert "[PATCH] Fix up mmap_kmem" This reverts commit 99a10a60ba9bedcf5d70ef81414d3e03816afa3f. As per Hugh Dickins: "Nadia Derbey has reported that mmap of /dev/kmem no longer works with the kernel virtual address as offset, and Franck has confirmed that his patch came from a misunderstanding of what an offset means to /dev/kmem - whereas his patch description seems to say that he was correcting the offset on a few plaforms, there was no such problem to correct, and his patch was in fact changing its API on all platforms." Suggested-by: Hugh Dickins Cc: Franck Bui-Huu Cc: Nadia Derbey Cc: Andi Kleen Cc: Arjan van de Ven Cc: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Chris Wright commit ef7c3ade5615ed98d4567107eb627b962382a1b2 Author: Linas Vepstas Date: Tue Jan 23 19:40:54 2007 +0100 [PATCH] elevator: move clearing of unplug flag earlier A flag was recently added to the elevator code to avoid performing an unplug when reuests are being re-queued. The goal of this flag was to avoid a deep recursion that can occur when re-queueing requests after a SCSI device/host reset. See http://lkml.org/lkml/2006/5/17/254 However, that fix added the flag near the bottom of a case statement, where an earlier break (in an if statement) could transport one out of the case, without setting the flag. This patch sets the flag earlier in the case statement. I re-discovered the deep recursion recently during testing; I was told that it was a known problem, and the fix to it was in the kernel I was testing. Indeed it was ... but it didn't fix the bug. With the patch below, I no longer see the bug. Signed-off by: Linas Vepstas Signed-off-by: Jens Axboe Signed-off-by: Linus Torvalds Signed-off-by: Chris Wright commit 19fad1a2ab244bec784fa252cff8d9bbb1f4f426 Author: Patrick McHardy Date: Wed Jan 24 17:46:39 2007 +0100 [PATCH] NETFILTER: Fix iptables ABI breakage on (at least) CRIS With the introduction of x_tables we accidentally broke compatibility by defining IPT_TABLE_MAXNAMELEN to XT_FUNCTION_MAXNAMELEN instead of XT_TABLE_MAXNAMELEN, which is two bytes larger. On most architectures it doesn't really matter since we don't have any tables with names that long in the kernel and the structure layout didn't change because of alignment requirements of following members. On CRIS however (and other architectures that don't align data) this changed the structure layout and thus broke compatibility with old iptables binaries. Changing it back will break compatibility with binaries compiled against recent kernels again, but since the breakage has only been there for three releases this seems like the better choice. Spotted by Jonas Berlin . Signed-off-by: Patrick McHardy Signed-off-by: Chris Wright commit 787db6107036ffd8f89903857ce1327f73beabb3 Author: Andi Kleen Date: Wed Jan 24 04:17:09 2007 +1100 [PATCH] x86: Work around gcc 4.2 over aggressive optimizer The new PDA code uses a dummy _proxy_pda variable to describe memory references to the PDA. It is never referenced in inline assembly, but exists as input/output arguments. gcc 4.2 in some cases can CSE references to this which causes unresolved symbols. Define it to zero to avoid this. Signed-off-by: Andi Kleen Signed-off-by: Chris Wright commit 808c407e1a534865ca5e151b3a5bae58b73408a9 Author: Ingo Molnar Date: Tue Jan 23 17:16:26 2007 +0100 [PATCH] ACPI: fix cpufreq regression recently cpufreq support on my laptop (Lenovo T60) broke completely: when it's plugged into AC it would never go higher than 1 GHz - neither 1.3 GHz nor 1.83 GHz is possible - no matter which governor (userspace, speed or ondemand) is used. after some cpufreq debugging i tracked the regression back to the following (totally correct) bug-fix commit: commit 0916bd3ebb7cefdd0f432e8491abe24f4b5a101e Author: Dave Jones Date: Wed Nov 22 20:42:01 2006 -0500 [PATCH] Correct bound checking from the value returned from _PPC method. this bugfix, which makes other laptops work, made a previously hidden (BIOS) bug visible on my laptop. The bug is the following: if the _PPC (Performance Present Capabilities) optional ACPI object is queried /after/ bootup then the BIOS reports an incorrect value of '2'. My laptop (Lenovo T60) has the following performance states supported: 0: 1833000 1: 1333000 2: 1000000 Per ACPI specification, a _PPC value of '0' means that all 3 performance states are usable. A _PPC value of '1' means states 1 .. 2 are usable, a value of '2' means only state '2' (slowest) is usable. now, the _PPC object is optional, and it also comes with notification. Furthermore, when a CPU object is initialized, the _PPC object is initialized as well. So the following evaluation of the _PPC object is superfluous: [] acpi_processor_get_platform_limit+0xa1/0xaf [] acpi_processor_register_performance+0x3b9/0x3ef [] acpi_cpufreq_cpu_init+0xb7/0x596 [] cpufreq_add_dev+0x160/0x4a8 [] sysdev_driver_register+0x5a/0xa0 [] cpufreq_register_driver+0xb4/0x176 [] acpi_cpufreq_init+0xe5/0xeb [] init+0x14f/0x3dd and this is the point where my laptop's BIOS returns the incorrect value of '2'. Note that it has not sent any notification event, so the value is probably not really intentional (possibly spurious), and Windows likely doesnt query it after bootup either. Maybe the value is kept at '2' normally, and is only set to the real value when a true asynchronous event (such as AC plug event, battery switch, etc.) occurs. So i /think/ this is a grey area of the ACPI spec: per the letter of the spec the _PPC value only changes when notified, so there's no reason to query it after the system has booted up. So in my opinion the best (and most compatible) strategy would be to do the change below, and to not evaluate the _PPC object in the acpi_processor_get_performance_info() call, but only evaluate it if _PPC is present during CPU object init, or if it's notified during an asynchronous event. This change is more permissive than the previous logic, so it definitely shouldnt break any existing system. This also happens to fix my laptop, which is merrily chugging along at 1.83 GHz now. Yay! Signed-off-by: Ingo Molnar Cc: Dave Jones Acked-by: Len Brown Signed-off-by: Chris Wright commit cbfc226340bdceecdf1992e62f3e4dfc14088167 Author: Jeff Dike Date: Mon Jan 22 15:38:27 2007 -0500 [PATCH] Fix UML on non-standard VM split hosts This fixes UML on hosts with non-standard VM splits. We had changed the config variable that controls UML behavior on such hosts, but not propogated the change everywhere. In particular, the values of STUB_CODE and STUB_DATA relied on the old variable. I also reformatted the HOST_VMSPLIT_3G help to make it more standard. Spotted by uml@flonatel.org. Signed-off-by: Jeff Dike Signed-off-by: Chris Wright -- arch/um/Kconfig.i386 | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) commit 98069cdda7cc8bae988855a3071ba3b88a3a25ec Author: Erez Zilber Date: Mon Jan 22 15:03:53 2007 +0200 [PATCH] IB/iser: return error code when PDUs may not be sent iSER limits the number of outstanding PDUs to send. When this threshold is reached, it should return an error code (-ENOBUFS) instead of setting the suspend_tx bit (which should be used only by libiscsi). Without this fix, during logout, open-iscsi over iSER tries to logout forever. Signed-off-by: Erez Zilber Signed-off-by: Chris Wright commit 10c06e62e2840202a739c4ca0260d297d3fc50b8 Author: Paul Moore Date: Fri Jan 19 14:25:50 2007 -0500 [PATCH] SELinux: fix an oops with NetLabel and non-MLS SELinux policy In the case where a user has configured NetLabel in the kernel but is not using a SELinux policy with the MLS/MCS feature enabled there is a bug in mls_export_cat() where a NULL pointer is used. The initial problem report and discussion can be found here (this patch has been ACK'd by Stephen Smalley and James Morris in the discussion thread below): * http://marc2.theaimsgroup.com/?t=116920302500004&r=1&w=2 This patch is specific to the 2.6.19.y kernel series as the mls_export_cat() function has been replaced in the 2.6.20 kernel. Signed-off-by: Paul Moore Acked-by: Stephen Smalley Acked-by: James Morris Signed-off-by: Chris Wright commit c8e340f99f59bf76a3e02630bcd1aa9791faa8b5 Author: Takashi Iwai Date: Thu Jan 18 15:25:31 2007 +0100 [PATCH] ALSA hda-codec - Fix NULL dereference in generic hda code Fix NULL dereference in hda_generic.c. Signed-off-by: Takashi Iwai Signed-off-by: Jaroslav Kysela Signed-off-by: Chris Wright commit 7fbbb01dca7704d52ace6f45a805c98a5b0362f9 Author: Herbert Xu Date: Wed Jan 17 13:35:01 2007 +1100 [PATCH] IPSEC: Policy list disorder The recent hashing introduced an off-by-one bug in policy list insertion. Instead of adding after the last entry with a lesser or equal priority, we're adding after the successor of that entry. This patch fixes this and also adds a warning if we detect a duplicate entry in the policy list. This should never happen due to this if clause. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit 5624ef14c74b5e8237ef09aba7f5bfd2cb56f793 Author: Patrick McHardy Date: Mon Jan 15 10:28:28 2007 +0100 [PATCH] NETFILTER: ctnetlink: fix leak in ctnetlink_create_conntrack error path Signed-off-by: Patrick McHardy Signed-off-by: Chris Wright commit 17265a2000e702e0ff79924de616ce561e49c00f Author: Pablo Neira Ayuso Date: Mon Jan 15 10:28:27 2007 +0100 [PATCH] NETFILTER: ctnetlink: check for status attribute existence on conntrack creation Check that status flags are available in the netlink message received to create a new conntrack. Fixes a crash in ctnetlink_create_conntrack when the CTA_STATUS attribute is not present. Signed-off-by: Pablo Neira Ayuso Signed-off-by: Patrick McHardy Signed-off-by: Chris Wright commit 3aed0b7e78a27a47f7cc730befd437ead67f866c Author: YOSHIFUJI Hideaki Date: Mon Jan 15 03:56:01 2007 +0900 [PATCH] IPV6 MCAST: Fix joining all-node multicast group on device initialization. Join all-node multicast group after assignment of dev->ip6_ptr because it must be assigned when ipv6_dev_mc_inc() is called. This fixes Bug#7817, reported by . Closes: 7817 Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: Chris Wright commit f8f47c1bd192ef079131c01b6a2842d24e3a1b12 Author: Ard van Breemen Date: Thu Jan 11 10:22:57 2007 -0500 [PATCH] PCI: prevent down_read when pci_devices is empty The pci_find_subsys gets called very early by obsolete ide setup parameters. This is a bogus call since pci is not initialized yet, so the list is empty. But in the mean time, interrupts get enabled by down_read. This can result in a kernel panic when the irq controller gets initialized. This patch checks if the device list is empty before taking the semaphore, and hence will not enable irq's. Furthermore it will inform that it is called while pci_devices is empty as a reminder that the ide code needs to be fixed. The pci_get_subsys can get called in the same manner, and as such is patched in the same manner. [akpm@osdl.org: cleanups] Signed-off-by: Ard van Breemen Cc: Greg KH Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [chrisw: fold in 6a4c24ec5212 to avoid printk spamming] Signed-off-by: Chris Wright commit a9281060e889df67249949013c22858135068738 Author: Ard van Breemen Date: Thu Jan 11 10:21:52 2007 -0500 [PATCH] start_kernel: test if irq's got enabled early, barf, and disable them again The calls made by parse_parms to other initialization code might enable interrupts again way too early. Having interrupts on this early can make systems PANIC when they initialize the IRQ controllers (which happens later in the code). This patch detects that irq's are enabled again, barfs about it and disables them again as a safety net. [akpm@osdl.org: cleanups] Signed-off-by: Ard van Breemen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Chris Wright commit 3167f4ef8f28a9a94b6463a83488107b99387e4d Author: Linus Torvalds Date: Thu Jan 11 10:20:10 2007 -0500 [PATCH] Fix up CIFS for "test_clear_page_dirty()" removal Fix up CIFS for "test_clear_page_dirty()" removal This also adds he required page "writeback" flag handling, that cifs hasn't been doing and that the page dirty flag changes made obvious. Acked-by: Steve French Acked-by: Dave Kleikamp Signed-off-by: Linus Torvalds Signed-off-by: Chris Wright commit cba93a2bdb434c0e365e3a7effc2d7a7f34d0cc4 Author: Nathan Lynch Date: Wed Jan 10 23:15:28 2007 -0800 [PATCH] sched: tasks cannot run on cpus onlined after boot Commit 5c1e176781f43bc902a51e5832f789756bff911b ("sched: force /sbin/init off isolated cpus") sets init's cpus_allowed to a subset of cpu_online_map at boot time, which means that tasks won't be scheduled on cpus that are added to the system later. Make init's cpus_allowed a subset of cpu_possible_map instead. This should still preserve the behavior that Nick's change intended. Thanks to Giuliano Pochini for reporting this and testing the fix: http://ozlabs.org/pipermail/linuxppc-dev/2006-December/029397.html Signed-off-by: Nathan Lynch Acked-by: Ingo Molnar Cc: Nick Piggin Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Chris Wright commit 3060e6145db41e6fb3944ee42376977fed761c27 Author: Stefan Richter Date: Thu Jan 11 08:50:27 2007 +0100 [PATCH] ieee1394: sbp2: fix probing of some DVD-ROM/RWs Since commit 98e238cd42be6c0852da519303cf0182690f8d9f in Linux 2.6.19, "ieee1394: sbp2: don't prefer MODE SENSE 10", some FireWire DVD-ROMs and DVD-RWs were mistaken as CD-ROM because sr_mod now sent MODE SENSE 6. The MMC command set includes only MODE SENSE 10. http://bugzilla.kernel.org/show_bug.cgi?id=7800 This fix lets sbp2 switch scsi_device.use_10_for_rw on for MMC LUs. This should rather be done in the command set driver sr_mod, not in the sbp2 transport driver, and an according patch will follow for a next Linux release. Signed-off-by: Stefan Richter Signed-off-by: Chris Wright commit b4e8b1a91dd54ad653036367a11ff8b7cf109534 Author: Eric W. Biederman Date: Thu Dec 21 21:28:40 2006 -0700 [PATCH] Fix reparenting to the same thread group. (take 2) This patch fixes the case when we reparent to a different thread in the same thread group. This modifies the code so that we do not send signals and do not change the signal to send to SIGCHLD unless we have change the thread group of our parents. It also suppresses sending pdeath_sig in this cas as well since the result of geppid doesn't change. Thanks to Oleg for spotting my bug of only fixing this for non-ptraced tasks. This fixes the issues identified by Albert Cahalan in thread http://lkml.org/lkml/2006/12/21/22. Signed-off-by: Eric W. Biederman Acked-by: Mike Galbraith Cc: Albert Cahalan Cc: Andrew Morton Cc: Roland McGrath Cc: Ingo Molnar Cc: Coywolf Qi Hunt Acked-by: Oleg Nesterov Signed-off-by: Linus Torvalds [chrisw: fold in 241ceee0b442, Oleg's fix to restore user visible behaviour] Signed-off-by: Chris Wright commit de18536d60a831433d75c7082a9a7f4724d1f96c Author: Michael S. Tsirkin Date: Wed Jan 10 13:36:54 2007 -0800 [PATCH] IB/mthca: Fix off-by-one in FMR handling on memfree mthca_table_find() will return the wrong address when the table entry being searched for is exactly at the beginning of a sglist entry (other than the first), because it uses >= when it should use >. Example: assume we have 2 entries in scatterlist, 4K each, offset is 4K. The current code will return first entry + 4K when we really want the second entry. In particular this means mapping an FMR on a memfree HCA may end up writing the page table into the wrong place, leading to memory corruption and also causing the HCA to use an incorrect address translation table. Signed-off-by: Michael S. Tsirkin Signed-off-by: Roland Dreier Signed-off-by: Chris Wright commit 4405173d05605d580f8d8d651aca9246ee651d92 Author: Karsten Wiese Date: Wed Jan 10 13:33:27 2007 +0100 [PATCH] Repair snd-usb-usx2y over OHCI The previous patch "Repair snd-usb-usx2y for usb 2.6.18" assumed urb->start_frame roll over beyond MAX_INT for both UHCI & OHCI. This isn't true until now (kernel 2.6.20). Fix this by only looking at the common between OHCI & UHCI Frame number range. This is for mainline and stable kernels >= 2.6.18. Signed-off-by: Karsten Wiese Signed-off-by: Chris Wright commit 7d9ba65c925f7d8224ce49d4f9cc41f60d758227 Author: Patrick McHardy Date: Wed Jan 10 08:04:50 2007 +0100 [PATCH] NETFILTER: arp_tables: fix userspace compilation The included patch translates arpt_counters to xt_counters, making userspace arptables compile against recent kernels. Signed-off-by: Bart De Schuymer Signed-off-by: Patrick McHardy Signed-off-by: Chris Wright commit 1110d9408fe24fa22a8599d6adcaae70744900ed Author: Patrick McHardy Date: Wed Jan 10 08:04:49 2007 +0100 [PATCH] NETFILTER: tcp conntrack: fix IP_CT_TCP_FLAG_CLOSE_INIT value IP_CT_TCP_FLAG_CLOSE_INIT is a flag and should have a value of 0x4 instead of 0x3, which is IP_CT_TCP_FLAG_WINDOW_SCALE | IP_CT_TCP_FLAG_SACK_PERM. Signed-off-by: Patrick McHardy Signed-off-by: Chris Wright commit c1e8b113af91786cba47b948dd470d8381972175 Author: Patrick McHardy Date: Wed Jan 10 08:04:47 2007 +0100 [PATCH] NETFILTER: nf_conntrack_ipv6: fix crash when handling fragments When IPv6 connection tracking splits up a defragmented packet into its original fragments, the packets are taken from a list and are passed to the network stack with skb->next still set. This causes dev_hard_start_xmit to treat them as GSO fragments, resulting in a use after free when connection tracking handles the next fragment. Signed-off-by: Patrick McHardy Signed-off-by: Chris Wright commit 8c10ebbf6838583183d2846b7d61742704b8b055 Author: Patrick McHardy Date: Wed Jan 10 08:04:46 2007 +0100 [PATCH] NETFILTER: Fix routing of REJECT target generated packets in output chain Packets generated by the REJECT target in the output chain have a local destination address and a foreign source address. Make sure not to use the foreign source address for the output route lookup. Signed-off-by: Patrick McHardy Signed-off-by: Chris Wright commit 2a0dfac7457c2c8629a253499607b853c2f53786 Author: Lars Ellenberg Date: Mon Jan 8 15:02:42 2007 -0800 [PATCH] md: pass down BIO_RW_SYNC in raid{1,10} md raidX make_request functions strip off the BIO_RW_SYNC flag, thus introducing additional latency. Fixing this in raid1 and raid10 seems to be straightforward enough. For our particular usage case in DRBD, passing this flag improved some initialization time from ~5 minutes to ~5 seconds. Acked-by: NeilBrown Signed-off-by: Lars Ellenberg Acked-by: Jens Axboe Cc: Signed-off-by: Andrew Morton Signed-off-by: Chris Wright commit be0194e1f2a0a56408ac810c9c4324196f765936 Author: Michael Buesch Date: Mon Jan 8 16:34:54 2007 +0100 [PATCH] Fix HWRNG built-in initcalls priority This changes all HWRNG driver initcalls to module_init(). We must probe the RNGs after the major kernel subsystems are already up and running (like PCI). This fixes Bug 7730. http://bugzilla.kernel.org/show_bug.cgi?id=7730 Signed-off-by: Michael Buesch Signed-off-by: Chris Wright commit 75cda36db203e982ea134d785ea58d8b56c3aef3 Author: Christoph Lameter Date: Fri Jan 5 16:37:02 2007 -0800 [PATCH] Check for populated zone in __drain_pages Both process_zones() and drain_node_pages() check for populated zones before touching pagesets. However, __drain_pages does not do so, This may result in a NULL pointer dereference for pagesets in unpopulated zones if a NUMA setup is combined with cpu hotplug. Initially the unpopulated zone has the pcp pointers pointing to the boot pagesets. Since the zone is not populated the boot pageset pointers will not be changed during page allocator and slab bootstrap. If a cpu is later brought down (first call to __drain_pages()) then the pcp pointers for cpus in unpopulated zones are set to NULL since __drain_pages does not first check for an unpopulated zone. If the cpu is then brought up again then we call process_zones() which will ignore the unpopulated zone. So the pageset pointers will still be NULL. If the cpu is then again brought down then __drain_pages will attempt to drain pages by following the NULL pageset pointer for unpopulated zones. Signed-off-by: Christoph Lameter Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Chris Wright commit 000883a54755a334c4a1c4ccc4a898eb09a5dff2 Author: Philippe De Muyter Date: Sun Jan 7 12:09:21 2007 +0100 [PATCH] i2c/m41t00: Do not forget to write year m41t00.c forgets to set the year field in set_rtc_time; fix that. Signed-off-by: Philippe De Muyter Acked-by: Mark A. Greer Signed-off-by: Jean Delvare Signed-off-by: Chris Wright commit a4a195873765f9b2f9843ccbbb27b03c648e3dd5 Author: Maxime Bizon Date: Sun Jan 7 11:49:48 2007 +0100 [PATCH] i2c-mv64xxx: Fix random oops at boot I have a Marvell board which has the same i2c hw block than mv64xxx, so I'm trying to use i2c-mv64xxx driver. But I get the following random oops at boot: Unable to handle kernel NULL pointer dereference at virtual address 00000002 Backtrace: [] (mv64xxx_i2c_intr+0x0/0x2b8) from [] (__do_irq+0x4c/0x8c) [] (__do_irq+0x0/0x8c) from [] (do_level_IRQ+0x68/0xc0) r8 = C0501E08 r7 = 00000005 r6 = C0501E08 r5 = 00000005 r4 = C048BB78 [] (do_level_IRQ+0x0/0xc0) from [] (asm_do_IRQ+0x50/0x134) r6 = C0449C78 r5 = F1020000 r4 = FFFFFFFF [] (asm_do_IRQ+0x0/0x134) from [] (__irq_svc+0x24/0x100) r8 = C1CAC400 r7 = 00000005 r6 = 00000002 r5 = F1020000 r4 = FFFFFFFF [] (setup_irq+0x0/0x124) from [] (request_irq+0xb0/0xd0) r7 = C041B2AC r6 = C0397E4C r5 = 00000000 r4 = 00000005 [] (request_irq+0x0/0xd0) from [] (mv64xxx_i2c_probe+0x148/0x244) [] (mv64xxx_i2c_probe+0x0/0x244) from [] (platform_drv_probe+0x20/0x24) The oops is caused by a spurious interrupt that occurs when request_irq is called. mv64xxx_i2c_fsm() tries to read drv_data->msg, which is NULL. I noticed that hardware init is done after requesting irq. Thus any pending irq from previous hardware usage may cause this. The following patch fixes it: Signed-off-by: Maxime Bizon Acked-by: Mark A. Greer Signed-off-by: Jean Delvare Signed-off-by: Chris Wright