--- /dev/null
+From 84f98fdf7865fbd35b312eb39ea91e5618c514c7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stef=C3=A1n=20Freyr?= <stefan.freyr@gmail.com>
+Date: Fri, 19 Oct 2012 22:46:00 +0200
+Subject: ALSA: hda - add dock support for Thinkpad T430
+
+From: =?UTF-8?q?Stef=C3=A1n=20Freyr?= <stefan.freyr@gmail.com>
+
+commit 84f98fdf7865fbd35b312eb39ea91e5618c514c7 upstream.
+
+I have a Lenovo ThinkPad T430 and an UltraBase Series 3 docking
+station.
+
+Without this patch, if I plug my headphones into the jack on the
+computer, everything works fine. The computer speakers mute and the
+audio is played in the headphones. However, if I plug into the docking
+station headphone jack the computer speakers are muted but there is no
+audio in the headphones.
+
+Addresses https://bugs.launchpad.net/bugs/1060372
+
+Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6214,6 +6214,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x21e9, "Thinkpad Edge 15", ALC269_FIXUP_SKU_IGNORE),
+ SND_PCI_QUIRK(0x17aa, 0x21f6, "Thinkpad T530", ALC269_FIXUP_LENOVO_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x21fa, "Thinkpad X230", ALC269_FIXUP_LENOVO_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x21f3, "Thinkpad T430", ALC269_FIXUP_LENOVO_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x21fb, "Thinkpad T430s", ALC269_FIXUP_LENOVO_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x2203, "Thinkpad X230 Tablet", ALC269_FIXUP_LENOVO_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_PCM_44K),
--- /dev/null
+From cb766404e6b8c566569eb9ada02ea45d28729864 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sat, 20 Oct 2012 10:55:21 +0200
+Subject: ALSA: hda - Fix silent headphone output from Toshiba P200
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit cb766404e6b8c566569eb9ada02ea45d28729864 upstream.
+
+By some reason, Toshiba laptop doesn't like the EAPD turned up for the
+headphone pin. Add a fix up code to force to turn down EAPD for NID
+0x15.
+
+Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=569991
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5704,6 +5704,7 @@ static const struct hda_verb alc268_beep
+
+ enum {
+ ALC268_FIXUP_INV_DMIC,
++ ALC268_FIXUP_HP_EAPD,
+ };
+
+ static const struct alc_fixup alc268_fixups[] = {
+@@ -5711,10 +5712,26 @@ static const struct alc_fixup alc268_fix
+ .type = ALC_FIXUP_FUNC,
+ .v.func = alc_fixup_inv_dmic_0x12,
+ },
++ [ALC268_FIXUP_HP_EAPD] = {
++ .type = ALC_FIXUP_VERBS,
++ .v.verbs = (const struct hda_verb[]) {
++ {0x15, AC_VERB_SET_EAPD_BTLENABLE, 0},
++ {}
++ }
++ },
+ };
+
+ static const struct alc_model_fixup alc268_fixup_models[] = {
+ {.id = ALC268_FIXUP_INV_DMIC, .name = "inv-dmic"},
++ {.id = ALC268_FIXUP_HP_EAPD, .name = "hp-eapd"},
++ {}
++};
++
++static const struct snd_pci_quirk alc268_fixup_tbl[] = {
++ /* below is codec SSID since multiple Toshiba laptops have the
++ * same PCI SSID 1179:ff00
++ */
++ SND_PCI_QUIRK(0x1179, 0xff06, "Toshiba P200", ALC268_FIXUP_HP_EAPD),
+ {}
+ };
+
+@@ -5749,7 +5766,7 @@ static int patch_alc268(struct hda_codec
+
+ spec = codec->spec;
+
+- alc_pick_fixup(codec, alc268_fixup_models, NULL, alc268_fixups);
++ alc_pick_fixup(codec, alc268_fixup_models, alc268_fixup_tbl, alc268_fixups);
+ alc_apply_fixup(codec, ALC_FIXUP_ACT_PRE_PROBE);
+
+ /* automatic parse from the BIOS config */
--- /dev/null
+From 5f40b909728ad784eb43aa309d3c4e9bdf050781 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Fri, 19 Oct 2012 17:53:01 +0100
+Subject: ARM: 7559/1: smp: switch away from the idmap before updating init_mm.mm_count
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 5f40b909728ad784eb43aa309d3c4e9bdf050781 upstream.
+
+When booting a secondary CPU, the primary CPU hands two sets of page
+tables via the secondary_data struct:
+
+ (1) swapper_pg_dir: a normal, cacheable, shared (if SMP) mapping
+ of the kernel image (i.e. the tables used by init_mm).
+
+ (2) idmap_pgd: an uncached mapping of the .idmap.text ELF
+ section.
+
+The idmap is generally used when enabling and disabling the MMU, which
+includes early CPU boot. In this case, the secondary CPU switches to
+swapper as soon as it enters C code:
+
+ struct mm_struct *mm = &init_mm;
+ unsigned int cpu = smp_processor_id();
+
+ /*
+ * All kernel threads share the same mm context; grab a
+ * reference and switch to it.
+ */
+ atomic_inc(&mm->mm_count);
+ current->active_mm = mm;
+ cpumask_set_cpu(cpu, mm_cpumask(mm));
+ cpu_switch_mm(mm->pgd, mm);
+
+This causes a problem on ARMv7, where the identity mapping is treated as
+strongly-ordered leading to architecturally UNPREDICTABLE behaviour of
+exclusive accesses, such as those used by atomic_inc.
+
+This patch re-orders the secondary_start_kernel function so that we
+switch to swapper before performing any exclusive accesses.
+
+Reported-by: Gilles Chanteperdrix <gilles.chanteperdrix@xenomai.org>
+Cc: David McKay <david.mckay@st.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/smp.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/kernel/smp.c
++++ b/arch/arm/kernel/smp.c
+@@ -222,18 +222,24 @@ static void percpu_timer_setup(void);
+ asmlinkage void __cpuinit secondary_start_kernel(void)
+ {
+ struct mm_struct *mm = &init_mm;
+- unsigned int cpu = smp_processor_id();
++ unsigned int cpu;
++
++ /*
++ * The identity mapping is uncached (strongly ordered), so
++ * switch away from it before attempting any exclusive accesses.
++ */
++ cpu_switch_mm(mm->pgd, mm);
++ enter_lazy_tlb(mm, current);
++ local_flush_tlb_all();
+
+ /*
+ * All kernel threads share the same mm context; grab a
+ * reference and switch to it.
+ */
++ cpu = smp_processor_id();
+ atomic_inc(&mm->mm_count);
+ current->active_mm = mm;
+ cpumask_set_cpu(cpu, mm_cpumask(mm));
+- cpu_switch_mm(mm->pgd, mm);
+- enter_lazy_tlb(mm, current);
+- local_flush_tlb_all();
+
+ printk("CPU%u: Booted secondary processor\n", cpu);
+
--- /dev/null
+From fee0de7791f967c2c5f0d43eb7b7261761b45e64 Mon Sep 17 00:00:00 2001
+From: Jan Luebbe <jlu@pengutronix.de>
+Date: Thu, 25 Oct 2012 13:38:11 -0700
+Subject: drivers/rtc/rtc-imxdi.c: add missing spin lock initialization
+
+From: Jan Luebbe <jlu@pengutronix.de>
+
+commit fee0de7791f967c2c5f0d43eb7b7261761b45e64 upstream.
+
+Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Cc: Roland Stigge <stigge@antcom.de>
+Cc: Grant Likely <grant.likely@secretlab.ca>
+Tested-by: Roland Stigge <stigge@antcom.de>
+Cc: Sascha Hauer <kernel@pengutronix.de>
+Cc: Russell King <linux@arm.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rtc/rtc-imxdi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/rtc/rtc-imxdi.c
++++ b/drivers/rtc/rtc-imxdi.c
+@@ -392,6 +392,8 @@ static int dryice_rtc_probe(struct platf
+ if (imxdi->ioaddr == NULL)
+ return -ENOMEM;
+
++ spin_lock_init(&imxdi->irq_lock);
++
+ imxdi->irq = platform_get_irq(pdev, 0);
+ if (imxdi->irq < 0)
+ return imxdi->irq;
--- /dev/null
+From c71721324c612f7f040657ce9917d87f530f9784 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Fri, 19 Oct 2012 13:27:04 -0400
+Subject: drm/radeon: add error output if VM CS fails on cayman
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit c71721324c612f7f040657ce9917d87f530f9784 upstream.
+
+So we know why the CS was rejected.
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/evergreen_cs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/radeon/evergreen_cs.c
++++ b/drivers/gpu/drm/radeon/evergreen_cs.c
+@@ -2829,6 +2829,7 @@ static bool evergreen_vm_reg_valid(u32 r
+ case CAYMAN_SQ_EX_ALLOC_TABLE_SLOTS:
+ return true;
+ default:
++ DRM_ERROR("Invalid register 0x%x in CS\n", reg);
+ return false;
+ }
+ }
--- /dev/null
+From b6aa22db7857ab7ed042d6c56b800bfc727cfdff Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 16 Oct 2012 12:51:45 -0400
+Subject: drm/radeon: add some new SI PCI ids
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit b6aa22db7857ab7ed042d6c56b800bfc727cfdff upstream.
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/drm/drm_pciids.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/include/drm/drm_pciids.h
++++ b/include/drm/drm_pciids.h
+@@ -205,6 +205,8 @@
+ {0x1002, 0x6788, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x678A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6790, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI|RADEON_NEW_MEMMAP}, \
++ {0x1002, 0x6791, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI|RADEON_NEW_MEMMAP}, \
++ {0x1002, 0x6792, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6798, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6799, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x679A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI|RADEON_NEW_MEMMAP}, \
+@@ -217,6 +219,7 @@
+ {0x1002, 0x6808, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PITCAIRN|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6809, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PITCAIRN|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6810, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PITCAIRN|RADEON_NEW_MEMMAP}, \
++ {0x1002, 0x6811, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PITCAIRN|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6816, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PITCAIRN|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6817, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PITCAIRN|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6818, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PITCAIRN|RADEON_NEW_MEMMAP}, \
--- /dev/null
+From 12176503366885edd542389eed3aaf94be163fdb Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 25 Oct 2012 13:38:16 -0700
+Subject: fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 12176503366885edd542389eed3aaf94be163fdb upstream.
+
+The compat ioctl for VIDEO_SET_SPU_PALETTE was missing an error check
+while converting ioctl arguments. This could lead to leaking kernel
+stack contents into userspace.
+
+Patch extracted from existing fix in grsecurity.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: David Miller <davem@davemloft.net>
+Cc: Brad Spengler <spender@grsecurity.net>
+Cc: PaX Team <pageexec@freemail.hu>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/compat_ioctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/compat_ioctl.c
++++ b/fs/compat_ioctl.c
+@@ -210,6 +210,8 @@ static int do_video_set_spu_palette(unsi
+
+ err = get_user(palp, &up->palette);
+ err |= get_user(length, &up->length);
++ if (err)
++ return -EFAULT;
+
+ up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
+ err = put_user(compat_ptr(palp), &up_native->palette);
--- /dev/null
+From 20f1de659b77364d55d4e7fad2ef657e7730323f Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 25 Oct 2012 13:38:14 -0700
+Subject: gen_init_cpio: avoid stack overflow when expanding
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 20f1de659b77364d55d4e7fad2ef657e7730323f upstream.
+
+Fix possible overflow of the buffer used for expanding environment
+variables when building file list.
+
+In the extremely unlikely case of an attacker having control over the
+environment variables visible to gen_init_cpio, control over the
+contents of the file gen_init_cpio parses, and gen_init_cpio was built
+without compiler hardening, the attacker can gain arbitrary execution
+control via a stack buffer overflow.
+
+ $ cat usr/crash.list
+ file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
+ $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
+ *** buffer overflow detected ***: ./usr/gen_init_cpio terminated
+
+This also replaces the space-indenting with tabs.
+
+Patch based on existing fix extracted from grsecurity.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Michal Marek <mmarek@suse.cz>
+Cc: Brad Spengler <spender@grsecurity.net>
+Cc: PaX Team <pageexec@freemail.hu>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ usr/gen_init_cpio.c | 41 ++++++++++++++++++++++-------------------
+ 1 file changed, 22 insertions(+), 19 deletions(-)
+
+--- a/usr/gen_init_cpio.c
++++ b/usr/gen_init_cpio.c
+@@ -303,7 +303,7 @@ static int cpio_mkfile(const char *name,
+ int retval;
+ int rc = -1;
+ int namesize;
+- int i;
++ unsigned int i;
+
+ mode |= S_IFREG;
+
+@@ -381,25 +381,28 @@ error:
+
+ static char *cpio_replace_env(char *new_location)
+ {
+- char expanded[PATH_MAX + 1];
+- char env_var[PATH_MAX + 1];
+- char *start;
+- char *end;
+-
+- for (start = NULL; (start = strstr(new_location, "${")); ) {
+- end = strchr(start, '}');
+- if (start < end) {
+- *env_var = *expanded = '\0';
+- strncat(env_var, start + 2, end - start - 2);
+- strncat(expanded, new_location, start - new_location);
+- strncat(expanded, getenv(env_var), PATH_MAX);
+- strncat(expanded, end + 1, PATH_MAX);
+- strncpy(new_location, expanded, PATH_MAX);
+- } else
+- break;
+- }
++ char expanded[PATH_MAX + 1];
++ char env_var[PATH_MAX + 1];
++ char *start;
++ char *end;
++
++ for (start = NULL; (start = strstr(new_location, "${")); ) {
++ end = strchr(start, '}');
++ if (start < end) {
++ *env_var = *expanded = '\0';
++ strncat(env_var, start + 2, end - start - 2);
++ strncat(expanded, new_location, start - new_location);
++ strncat(expanded, getenv(env_var),
++ PATH_MAX - strlen(expanded));
++ strncat(expanded, end + 1,
++ PATH_MAX - strlen(expanded));
++ strncpy(new_location, expanded, PATH_MAX);
++ new_location[PATH_MAX] = 0;
++ } else
++ break;
++ }
+
+- return new_location;
++ return new_location;
+ }
+
+
--- /dev/null
+From eedce141cd2dad8d0cefc5468ef41898949a7031 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
+Date: Thu, 25 Oct 2012 13:37:51 -0700
+Subject: genalloc: stop crashing the system when destroying a pool
+
+From: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
+
+commit eedce141cd2dad8d0cefc5468ef41898949a7031 upstream.
+
+The genalloc code uses the bitmap API from include/linux/bitmap.h and
+lib/bitmap.c, which is based on long values. Both bitmap_set from
+lib/bitmap.c and bitmap_set_ll, which is the lockless version from
+genalloc.c, use BITMAP_LAST_WORD_MASK to set the first bits in a long in
+the bitmap.
+
+That one uses (1 << bits) - 1, 0b111, if you are setting the first three
+bits. This means that the API counts from the least significant bits
+(LSB from now on) to the MSB. The LSB in the first long is bit 0, then.
+The same works for the lookup functions.
+
+The genalloc code uses longs for the bitmap, as it should. In
+include/linux/genalloc.h, struct gen_pool_chunk has unsigned long
+bits[0] as its last member. When allocating the struct, genalloc should
+reserve enough space for the bitmap. This should be a proper number of
+longs that can fit the amount of bits in the bitmap.
+
+However, genalloc allocates an integer number of bytes that fit the
+amount of bits, but may not be an integer amount of longs. 9 bytes, for
+example, could be allocated for 70 bits.
+
+This is a problem in itself if the Least Significat Bit in a long is in
+the byte with the largest address, which happens in Big Endian machines.
+This means genalloc is not allocating the byte in which it will try to
+set or check for a bit.
+
+This may end up in memory corruption, where genalloc will try to set the
+bits it has not allocated. In fact, genalloc may not set these bits
+because it may find them already set, because they were not zeroed since
+they were not allocated. And that's what causes a BUG when
+gen_pool_destroy is called and check for any set bits.
+
+What really happens is that genalloc uses kmalloc_node with __GFP_ZERO
+on gen_pool_add_virt. With SLAB and SLUB, this means the whole slab
+will be cleared, not only the requested bytes. Since struct
+gen_pool_chunk has a size that is a multiple of 8, and slab sizes are
+multiples of 8, we get lucky and allocate and clear the right amount of
+bytes.
+
+Hower, this is not the case with SLOB or with older code that did memset
+after allocating instead of using __GFP_ZERO.
+
+So, a simple module as this (running 3.6.0), will cause a crash when
+rmmod'ed.
+
+ [root@phantom-lp2 foo]# cat foo.c
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/init.h>
+ #include <linux/genalloc.h>
+
+ MODULE_LICENSE("GPL");
+ MODULE_VERSION("0.1");
+
+ static struct gen_pool *foo_pool;
+
+ static __init int foo_init(void)
+ {
+ int ret;
+ foo_pool = gen_pool_create(10, -1);
+ if (!foo_pool)
+ return -ENOMEM;
+ ret = gen_pool_add(foo_pool, 0xa0000000, 32 << 10, -1);
+ if (ret) {
+ gen_pool_destroy(foo_pool);
+ return ret;
+ }
+ return 0;
+ }
+
+ static __exit void foo_exit(void)
+ {
+ gen_pool_destroy(foo_pool);
+ }
+
+ module_init(foo_init);
+ module_exit(foo_exit);
+ [root@phantom-lp2 foo]# zcat /proc/config.gz | grep SLOB
+ CONFIG_SLOB=y
+ [root@phantom-lp2 foo]# insmod ./foo.ko
+ [root@phantom-lp2 foo]# rmmod foo
+ ------------[ cut here ]------------
+ kernel BUG at lib/genalloc.c:243!
+ cpu 0x4: Vector: 700 (Program Check) at [c0000000bb0e7960]
+ pc: c0000000003cb50c: .gen_pool_destroy+0xac/0x110
+ lr: c0000000003cb4fc: .gen_pool_destroy+0x9c/0x110
+ sp: c0000000bb0e7be0
+ msr: 8000000000029032
+ current = 0xc0000000bb0e0000
+ paca = 0xc000000006d30e00 softe: 0 irq_happened: 0x01
+ pid = 13044, comm = rmmod
+ kernel BUG at lib/genalloc.c:243!
+ [c0000000bb0e7ca0] d000000004b00020 .foo_exit+0x20/0x38 [foo]
+ [c0000000bb0e7d20] c0000000000dff98 .SyS_delete_module+0x1a8/0x290
+ [c0000000bb0e7e30] c0000000000097d4 syscall_exit+0x0/0x94
+ --- Exception: c00 (System Call) at 000000800753d1a0
+ SP (fffd0b0e640) is in userspace
+
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
+Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
+Cc: Benjamin Gaignard <benjamin.gaignard@stericsson.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/genalloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/genalloc.c
++++ b/lib/genalloc.c
+@@ -176,7 +176,7 @@ int gen_pool_add_virt(struct gen_pool *p
+ struct gen_pool_chunk *chunk;
+ int nbits = size >> pool->min_alloc_order;
+ int nbytes = sizeof(struct gen_pool_chunk) +
+- (nbits + BITS_PER_BYTE - 1) / BITS_PER_BYTE;
++ BITS_TO_LONGS(nbits) * sizeof(long);
+
+ chunk = kmalloc_node(nbytes, GFP_KERNEL | __GFP_ZERO, nid);
+ if (unlikely(chunk == NULL))
--- /dev/null
+drm-radeon-add-some-new-si-pci-ids.patch
+drm-radeon-add-error-output-if-vm-cs-fails-on-cayman.patch
+alsa-hda-add-dock-support-for-thinkpad-t430.patch
+alsa-hda-fix-silent-headphone-output-from-toshiba-p200.patch
+vfs-don-t-do-protected-sym-hard-links-by-default.patch
+gen_init_cpio-avoid-stack-overflow-when-expanding.patch
+fs-compat_ioctl.c-video_set_spu_palette-missing-error-check.patch
+drivers-rtc-rtc-imxdi.c-add-missing-spin-lock-initialization.patch
+genalloc-stop-crashing-the-system-when-destroying-a-pool.patch
+arm-7559-1-smp-switch-away-from-the-idmap-before-updating-init_mm.mm_count.patch
--- /dev/null
+From 561ec64ae67ef25cac8d72bb9c4bfc955edfd415 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 26 Oct 2012 10:05:07 -0700
+Subject: VFS: don't do protected {sym,hard}links by default
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415 upstream.
+
+In commit 800179c9b8a1 ("This adds symlink and hardlink restrictions to
+the Linux VFS"), the new link protections were enabled by default, in
+the hope that no actual application would care, despite it being
+technically against legacy UNIX (and documented POSIX) behavior.
+
+However, it does turn out to break some applications. It's rare, and
+it's unfortunate, but it's unacceptable to break existing systems, so
+we'll have to default to legacy behavior.
+
+In particular, it has broken the way AFD distributes files, see
+
+ http://www.dwd.de/AFD/
+
+along with some legacy scripts.
+
+Distributions can end up setting this at initrd time or in system
+scripts: if you have security problems due to link attacks during your
+early boot sequence, you have bigger problems than some kernel sysctl
+setting. Do:
+
+ echo 1 > /proc/sys/fs/protected_symlinks
+ echo 1 > /proc/sys/fs/protected_hardlinks
+
+to re-enable the link protections.
+
+Alternatively, we may at some point introduce a kernel config option
+that sets these kinds of "more secure but not traditional" behavioural
+options automatically.
+
+Reported-by: Nick Bowler <nbowler@elliptictech.com>
+Reported-by: Holger Kiehl <Holger.Kiehl@dwd.de>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -651,8 +651,8 @@ static inline void put_link(struct namei
+ path_put(link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 1;
+-int sysctl_protected_hardlinks __read_mostly = 1;
++int sysctl_protected_symlinks __read_mostly = 0;
++int sysctl_protected_hardlinks __read_mostly = 0;
+
+ /**
+ * may_follow_link - Check symlink following for unsafe situations
projects / thirdparty / kernel / stable-queue.git / commitdiff
