The commit 635cf99a introduced a
regression.  Executing a ptrace single step after certain int80
accesses will infinitely loop and never advance the PC.

The TIF_SINGLESTEP check should be done on the return from the syscall
and not before it.

I loops on each single step on the pop right after the int80 which writes out
to the console.  At that point you can issue as many single steps as you want
and it will not advance any further.

The test case is below:

/* Test whether singlestep through an int80 syscall works.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <asm/user.h>
#include <string.h>

static int child, status;
static struct user_regs_struct regs;

static void do_child()
{
	char str[80] = "child: int80 test\n";

	ptrace(PTRACE_TRACEME, 0, 0, 0);
	kill(getpid(), SIGUSR1);
	write(fileno(stdout),str,strlen(str));
	asm ("int $0x80" : : "a" (20)); /* getpid */
}

static void do_parent()
{
	unsigned long eip, expected = 0;
again:
	waitpid(child, &status, 0);
	if (WIFEXITED(status) || WIFSIGNALED(status))
		return;

	if (WIFSTOPPED(status)) {
		ptrace(PTRACE_GETREGS, child, 0, &regs);
		eip = regs.eip;
		if (expected)
			fprintf(stderr, "child stop @ %08lx, expected %08lx %s\n",
					eip, expected,
					eip == expected ? "" : " <== ERROR");

		if (*(unsigned short *)eip == 0x80cd) {
			fprintf(stderr, "int 0x80 at %08x\n", (unsigned int)eip);
			expected = eip + 2;
		} else
			expected = 0;

		ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);
	}
	goto again;
}

int main(int argc, char * const argv[])
{
	child = fork();
	if (child)
		do_parent();
	else
		do_child();
	return 0;
}
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Cc: Jeremy Fitzhardinge <jeremy@goop.org>
Cc: <stable@kernel.org>
Cc: Chuck Ebbert <76306.1226@compuserve.com>
Acked-by: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

elf_core_dump() supports dumping arch specific ELF notes, via the #define
ELF_CORE_WRITE_EXTRA_NOTES.  Currently the only user of this is the powerpc
spu coredump code.

There is a bug in the handling of foffset WRT the arch notes, which causes
us to erroneously increment foffset by the size of the arch notes, leaving
a block of zeroes in the file, and causing all subsequent data in the file
to be at <supposed position> + <arch note size>.  eg:

  LOAD  0x050000 0x00100000 0x00000000 0x20000 0x20000 R E 0x10000

Tells us we should have a chunk of data at 0x50000.  The truth is the data
is at 0x90dbc = 0x50000 + 0x40dbc (the size of the arch notes).

This bug prevents gdb from reading the core file correctly.

The simplest fix is to simply remember the size of the arch notes, and add
it to foffset after we've written the arch notes.  The only drawback is
that if the arch code doesn't write as many bytes as it said it would, we
end up with a broken core dump again.  For now I think that's a reasonable
requirement.

Tested on a Cell blade, gdb no longer complains about the core file being
bogus.

While I'm here I should point out that the spu coredump code does not work
if we're dumping to a pipe - we'll have to wait for 23 to fix that.
Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Acked-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* master.kernel.org:/home/rmk/linux-2.6-arm:
  [ARM] always allow dump_stack() to produce a backtrace
  [ARM] Fix non-page aligned boot time mappings
  [ARM] 4458/1: pxa: Fix CKEN usage and hence fix pxa suspend/resume
  [ARM] 4454/1: Use word accesses in Versatile PCI config reads

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: document some of keycodes
  Input: add a new EV_SW SW_RADIO event, for radio switches on laptops
  Input: serio - take drv_mutex in serio_cleanup()
  Input: atkbd - use printk_ratelimit for spurious ACK messages
  Input: atkbd - throttle LED switching
  Input: i8042 - add HP Pavilion ZT1000 to the MUX blacklist

* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc:
  [POWERPC] Update defconfigs
  [POWERPC] Uninline and export virq_to_hw() for the pasemi_mac driver
  [POWERPC] Fix PMI breakage in cbe_cbufreq driver
  [POWERPC] Disable old EMAC driver in arch/powerpc

Commit b46b8f19 fixed a couple of bugs
by switching the redzone to 64 bits. Unfortunately, it neglected to
ensure that the _second_ redzone, after the slab object, is aligned
correctly. This caused illegal instruction faults on sparc32, which for
some reason not entirely clear to me are not trapped and fixed up.

Two things need to be done to fix this:
  - increase the object size, rounding up to alignof(long long) so
    that the second redzone can be aligned correctly.
  - If SLAB_STORE_USER is set but alignof(long long)==8, allow a
    full 64 bits of space for the user word at the end of the buffer,
    even though we may not _use_ the whole 64 bits.

This patch should be a no-op on any 64-bit architecture or any 32-bit
architecture where alignof(long long) == 4. Of the others, it's tested
on ppc32 by myself and a very similar patch was tested on sparc32 by
Mark Fortescue, who reported the new problem.

Also, fix the conditions for FORCED_DEBUG, which hadn't been adjusted to
the new sizes. Again noticed by Mark.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Don't make this dependent on CONFIG_DEBUG_KERNEL - if we hit a WARN_ON
we need the stack trace to work out how we got to that point.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

Yeah, we could have just disabled it, but there's work on a new one that
isn't as fundamentally broken, so there really doesn't seem to be any
point in keeping it around.

The recent timer cleanup broke the only valid use, and when I say
"valid", I obviously mean "totally broken".  So it's not like it works,
or really even can work in the current format that uses the unsafe
"panic" LED blinking routines..
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

AT91SAM9260 stopped booting with the recent changes to MM
initialisation - it was asking for a non-aligned virtual address
which caused loops to be non-terminal.  Fix this by rounding
virtual addresses down, but remember to include the offset in
the length, and round the length up to the following page.

This means that asking for a mapping of 4K starting at 2K into
a page maps two pages as one would expect.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus:
  [MIPS] VSMP: Fix initialization ordering bug.
  [MIPS] Add whitelists for checksyscalls.sh
  [MIPS] die(): Properly declare as non-returning
  [MIPS] Fix include wrapper symbol definitions in IP32 code.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

Signed-off-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

 This marks the declaration of die() correctly, removing "control reaches
end of non-void function" warnings from non-void functions that die() at
the end.
Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

Some IP35 defines snuck into some IP32-specific code during the DMA re-write.
Signed-off-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

We should have stopped returning 1 from read_dnode() to indicate
failure. We can just mark the damn thing obsolete immediately. But I
missed a case where we don't.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

When Andi reverted the HPET resource reservation (in commit
0f8dc2f0), he didn't remove the now
unused variables, which just causes gcc to be noisy.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Badari Pulavarty reported a case of this BUG_ON is triggering during
testing.  It's completely bogus and should be removed.

It's trying to notice if we left references to the dio hanging around in
the sync case.  They should have been dropped as IO completed while this
path was in dio_await_completion().  This condition will also be
checked, via some twisty logic, by the BUG_ON(ret != -EIOCBQUEUED) a few
lines lower.  So to start this BUG_ON() is redundant.

More fatally, it's dereferencing dio-> after having dropped its
reference.  It's only safe to dereference the dio after releasing the
lock if the final reference was just dropped.  Another CPU might free
the dio in bio completion and reuse the memory after this path drops the
dio lock but before the BUG_ON() is evaluated.

This patch passed aio+dio regression unit tests and aio-stress on ext3.
Signed-off-by: Zach Brown <zach.brown@oracle.com>
Cc: Badari Pulavarty <pbadari@us.ibm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

With this change it works again when the nmi watchdog is disabled.
Signed-off-by: Andi Kleen <ak@suse.de>
Cc: Björn Steinbrink <B.Steinbrink@gmx.de>
Cc: Stephane Eranian <eranian@hpl.hp.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Matthias Lenk reports that the PCI subsystem would move the HPET on
SB400/SB600-based systems, where the HPET is in BAR1 of the SMbus
controller.

The reason? The ACPI layer registered the PCI MMIO range as being busy
too early, before PCI enumeration had happened, causing the PCI layer to
decide that it should relocate the resources somewhere else.

Firmware resources should be marked busy _after_ the PCI enumeration and
probing has happened, not before.

Remove the too-early reservation, we'll fix it up to do it properly
later.  In the meantime, this solves the regression.
Tested-by: Matthias Lenk <matthias.lenk@amd.com>
Cc: Aaron Durbin <adurbin@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* master.kernel.org:/pub/scm/linux/kernel/git/bart/ide-2.6:
  ide: ide_scan_pcibus(): check __pci_register_driver return value
  ide: pdc202xx_new PLL input clock fix
  it821x: fix incorrect SWDMA mask
  amd74xx: resume fix
  hpt366: use correct enablebits for HPT36x
  hpt366: blacklist MAXTOR STM3320620A for UltraDMA/66
  ide: Fix a theoretical Ooops case
  ide: never called printk statement in ide-taskfile.c::wait_drive_not_busy

* 'master' of ssh://master.kernel.org/pub/scm/linux/kernel/git/mchehab/v4l-dvb:
  V4L/DVB (5822): Fix the return value in ttpci_budget_init()
  V4L/DVB (5818): CinergyT2: fix flush_workqueue() vs work->func() deadlock
  V4L/DVB (5816): Cx88-blackbird: fix vidioc_g_tuner never ending list of tuners
  V4L/DVB (5808): Bttv: fix v4l1 breaking the driver

If we move the local_irq_enable() to the end of the function then
add_partial() in early_kmem_cache_node_alloc() will be called
with interrupts disabled like during regular operations.

This makes lockdep happy.
Signed-off-by: Christoph Lameter <clameter@sgi.com>
Tested-by: Andre Noll <maan@systemlinux.org>
Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

The clock_was_set() call in seconds_overflow() which happens only when
leap seconds are inserted / deleted is wrong in two aspects:

1. it results in a call to on_each_cpu() with interrupts disabled
2. it is potential deadlock source vs. call_lock in smp_call_function()

The only possible side effect of the removal might be, that an absolute
CLOCK_REALTIME timer fires 1 second too late, in the rare case of leap
second deletion and an absolute CLOCK_REALTIME timer which expires in
the affected time frame. It will never fire too early.

This was probably observed by the reporter of a June 30th -> July 1st
hang: http://lkml.org/lkml/2007/7/3/103

A similar problem was observed by Dave Jones, who provided a screen shot
with a lockdep back trace, which allowed to analyse the problem.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

drivers/ide/setup-pci.c: In function 'ide_scan_pcibus':
drivers/ide/setup-pci.c:879: warning: ignoring return value of '__pci_register_driver', declared with attribute warn_unused_result
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>

Recently the PLL input clock of Promise 2027x is sometimes detected
higher than expected (e.g. 20.027 MHz compared to 16.714 MHz).
It seems sometimes the mdelay() function is not as precise as it
used to be. Per Alan's advice, HT or power management might affect
the precision of mdelay().

This patch calls gettimeofday() to measure the time elapsed and
calculate the PLL input clock accordingly.
Signed-off-by: Albert Lee <albertcc@tw.ibm.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Bahadir Balban <bahadir.balban@gmail.com>
Acked-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>

SWDMA modes are unsupported by it821x.  Attempts to tune SWDMA modes always
fail (due to sanity check in ->speedproc) and result in PIO being tuned.

* Fix incorrect SWDMA mask so core code won't try these modes and will just
  tune PIO if no other DMA modes are available.

* Bump driver version.
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Acked-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>

* Driver can't skip programming transfer mode on the device in amd_set_drive()
  (similar fix has been applied to via82cxxx driver ages ago).

* While at it remove redundant warning (ide_config_drive_speed() already
  produces more valuable one).

* Bump driver version.
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>

The HPT36x chips finally turned out to have the channel enable bits -- however,
badly implemented.  Make use of them despite it's probably only going to burden
the driver's code -- assuming both channels are always enabled by the HighPoint
BIOS anyway...
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Acked-by: Linas Vepstas <linas@austin.ibm.com>
Cc: michal.kepien@poczta.onet.pl
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>

Add the MAXTOR STM3320620A drive into the UltraDMA/66 mode blacklist
for the HPT36x chips.
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Acked-by: Linas Vepstas <linas@austin.ibm.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>

Found by a static analyser. It is in theory possible we dereference
dev->id when it has become invalid. Re-order to avoid this.

Not needed for new-ide as we no longer support the crazy exabyte nest stuff
Signed-off-by: Alan Cox <alan@redhat.com>
Cc: Andrew Morton <akpm@osdl.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>

Look at wait_drive_not_busy in drivers/ide/ide-taskfile.c:

    static u8 wait_drive_not_busy(ide_drive_t *drive)
    {
            ide_hwif_t *hwif = HWIF(drive);
            int retries = 100;
            u8 stat;

            /*
             * Last sector was transfered, wait until drive is ready.
             * This can take up to 10 usec, but we will wait max 1 ms
             * (drive_cmd_intr() waits that long).
             */
            while (((stat = hwif->INB(IDE_STATUS_REG)) & BUSY_STAT) && retries--)
                    udelay(10);

            if (!retries)
                    printk(KERN_ERR "%s: drive still BUSY!\n", drive->name);

            return stat;
    }

`printk' is never called because `retries' never holds zero at the
outside of `while' loop: when `retries' holds zero at the while's loop
condition, `retries' will hold -1 at the if condition.
Signed-off-by: Masatake YAMATO <jet@gyve.org>
Cc: Chuck Ebbert <cebbert@redhat.com>
Cc: joe@perches.com
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>

if the call to budget_register() fails in ttpci_budget_int(),
ttpci_budget_init() returns success. The attached patch will
fix this problem.
Signed-off-by: Hartmut Birr <e9hack@googlemail.com>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

Spotted and tested by Thomas Sattler <tsattler@gmx.de>.

cinergyT2.c does cancel_delayed_work() + flush_scheduled_work() while
holding cinergyt2->sem. This leads to deadlock because work->func()
needs the same mutex to complete. Another bug is that this code in fact
can't reliably stop the re-arming delayed_work.

Convert this code to use cancel_rearming_delayed_work() and move it
out of ->sem. Another mutex, ->wq_sem, was added to protect against the
concurrent open/resume.

This patch is a horrible hack to fix the lockup which happens in practice.
As Dmitry Torokhov pointed out this driver has other problems and needs
further changes.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

v4l-info and other programs would loop indefinitely while querying the
tuners for cx88-blackbird cards.

The cause was that vidioc_g_tuner didn't return an error value for
qctrl->id != 0, making the application think there is a never ending
list of tuners...

This patch adds the same index check as done in vidioc_g_tuner() in
cx88-video.
Signed-off-by: Jelle Foks <jelle@foks.8m.com>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

If one uses a V4L *one* application, such as vlc or mplayer's v4l driver, as
the first user after the driver is loaded, the driver wedges itself and will
never capture properly.  Even if one uses a V4L2 application later, it still
won't work.

If one uses a V4L *two* application first, such as tvtime or mplayer's v4l2
driver, then the driver will be ok.  One can then run a V4L1 application, and
it will work.

It turns out the problem is with norm changing and the crop support that was
added in 2.6.21.  The driver defaults to PAL, and keeps the last norm it was
set too across opens.  If one changes the norm via V4L1, the cropping
parameters are not reset like they should be, and they'll remain broken across
device opens.

This patch removes the direct setting of btv->tvnorm in the V4L1 ioctl
VIDIOCSCHAN handler.  The norm is set via the existing call to set_input(),
which calls set_tvnorm(), which will reset the cropping values now that it is
able to detect the norm change.
Signed-off-by: Trent Piepho <xyzzy@speakeasy.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

PCMCIA doesn't use DMA and as this driver is used on many platforms we
don't want it to fail on those that define the DMA alloc API as a NULL
return
Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>

We got it backwards and now the other detects are fixed it shows up
Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>

Mirrors change in IT821X
Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>

This patch was found to fix some of the problems with the
pata_ali driver.

https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=156482Signed-off-by: Jeff Garzik <jeff@garzik.org>

Signed-off-by: Florian Attenberger  <valdyn@gmail.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>