3.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 14 Oct 2012 11:08:45 +0000 (04:08 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 14 Oct 2012 11:08:45 +0000 (04:08 -0700)
added patches:
acpi-ec-add-a-quirk-for-clevo-m720t-m730t-laptop.patch
acpi-ec-make-the-gpe-storm-threshold-a-module-parameter.patch
alsa-hda-add-missing-hda_gen_spec-to-struct-via_spec.patch
alsa-hda-do-not-detect-jack-on-internal-speakers-for-realtek.patch
alsa-hda-fix-memory-leaks-at-error-path-in-patch_cirrus.c.patch
mips-kgdb-fix-recursive-page-fault-with-config_kprobes.patch
tmpfs-ceph-gfs2-isofs-reiserfs-xfs-fix-fh_len-checking.patch

queue-3.6/acpi-ec-add-a-quirk-for-clevo-m720t-m730t-laptop.patch [new file with mode: 0644]
queue-3.6/acpi-ec-make-the-gpe-storm-threshold-a-module-parameter.patch [new file with mode: 0644]
queue-3.6/alsa-hda-add-missing-hda_gen_spec-to-struct-via_spec.patch [new file with mode: 0644]
queue-3.6/alsa-hda-do-not-detect-jack-on-internal-speakers-for-realtek.patch [new file with mode: 0644]
queue-3.6/alsa-hda-fix-memory-leaks-at-error-path-in-patch_cirrus.c.patch [new file with mode: 0644]
queue-3.6/mips-kgdb-fix-recursive-page-fault-with-config_kprobes.patch [new file with mode: 0644]
queue-3.6/series
queue-3.6/tmpfs-ceph-gfs2-isofs-reiserfs-xfs-fix-fh_len-checking.patch [new file with mode: 0644]

diff --git a/queue-3.6/acpi-ec-add-a-quirk-for-clevo-m720t-m730t-laptop.patch b/queue-3.6/acpi-ec-add-a-quirk-for-clevo-m720t-m730t-laptop.patch
new file mode 100644 (file)
index 0000000..234f88b
--- /dev/null
@@ -0,0 +1,58 @@
+From 67bfa9b60bd689601554526d144b21d529f78a09 Mon Sep 17 00:00:00 2001
+From: Feng Tang <feng.tang@intel.com>
+Date: Fri, 28 Sep 2012 15:22:01 +0800
+Subject: ACPI: EC: Add a quirk for CLEVO M720T/M730T laptop
+
+From: Feng Tang <feng.tang@intel.com>
+
+commit 67bfa9b60bd689601554526d144b21d529f78a09 upstream.
+
+By enlarging the GPE storm threshold back to 20, that laptop's
+EC works fine with interrupt mode instead of polling mode.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=45151
+
+Reported-and-Tested-by: Francesco <trentini@dei.unipd.it>
+Signed-off-by: Feng Tang <feng.tang@intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/ec.c |   16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -930,6 +930,17 @@ static int ec_flag_msi(const struct dmi_
+       return 0;
+ }
++/*
++ * Clevo M720 notebook actually works ok with IRQ mode, if we lifted
++ * the GPE storm threshold back to 20
++ */
++static int ec_enlarge_storm_threshold(const struct dmi_system_id *id)
++{
++      pr_debug("Setting the EC GPE storm threshold to 20\n");
++      ec_storm_threshold  = 20;
++      return 0;
++}
++
+ static struct dmi_system_id __initdata ec_dmi_table[] = {
+       {
+       ec_skip_dsdt_scan, "Compal JFL92", {
+@@ -961,10 +972,13 @@ static struct dmi_system_id __initdata e
+       {
+       ec_validate_ecdt, "ASUS hardware", {
+       DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer Inc.") }, NULL},
++      {
++      ec_enlarge_storm_threshold, "CLEVO hardware", {
++      DMI_MATCH(DMI_SYS_VENDOR, "CLEVO Co."),
++      DMI_MATCH(DMI_PRODUCT_NAME, "M720T/M730T"),}, NULL},
+       {},
+ };
+-
+ int __init acpi_ec_ecdt_probe(void)
+ {
+       acpi_status status;
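Review bot: `ec_enlarge_storm_threshold()` assigns `ec_storm_threshold = 20` unconditionally, so on a matching CLEVO M720T/M730T a value the administrator supplied through the `ec_storm_threshold` module parameter would presumably be replaced, and the only trace is a `pr_debug` message. The ordering of parameter parsing and the DMI scan is not visible in this hunk, so that precedence needs confirming. If the quirk does win, log it with `pr_info` or state the precedence in the comment above the callback, e.g. `/* overrides any ec_storm_threshold= value given by the user */`.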
diff --git a/queue-3.6/acpi-ec-make-the-gpe-storm-threshold-a-module-parameter.patch b/queue-3.6/acpi-ec-make-the-gpe-storm-threshold-a-module-parameter.patch
new file mode 100644 (file)
index 0000000..825f1e9
--- /dev/null
@@ -0,0 +1,74 @@
+From a520d52e99b14ba7db135e916348f12f2a6e09be Mon Sep 17 00:00:00 2001
+From: Feng Tang <feng.tang@intel.com>
+Date: Fri, 28 Sep 2012 15:22:00 +0800
+Subject: ACPI: EC: Make the GPE storm threshold a module parameter
+
+From: Feng Tang <feng.tang@intel.com>
+
+commit a520d52e99b14ba7db135e916348f12f2a6e09be upstream.
+
+The Linux EC driver includes a mechanism to detect GPE storms,
+and switch from interrupt-mode to polling mode.  However, polling
+mode sometimes doesn't work, so the workaround is problematic.
+Also, different systems seem to need the threshold for detecting
+the GPE storm at different levels.
+
+ACPI_EC_STORM_THRESHOLD was initially 20 when it's created, and
+was changed to 8 in 2.6.28 commit 06cf7d3c7 "ACPI: EC: lower interrupt storm
+threshold" to fix kernel bug 11892 by forcing the laptop in that bug to
+work in polling mode. However in bug 45151, it works fine in interrupt
+mode if we lift the threshold back to 20.
+
+This patch makes the threshold a module parameter so that user has a
+flexible option to debug/workaround this issue.
+
+The default is unchanged.
+
+This is also a preparation patch to fix specific systems:
+       https://bugzilla.kernel.org/show_bug.cgi?id=45151
+
+Signed-off-by: Feng Tang <feng.tang@intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/ec.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -71,9 +71,6 @@ enum ec_command {
+ #define ACPI_EC_UDELAY_GLK    1000    /* Wait 1ms max. to get global lock */
+ #define ACPI_EC_MSI_UDELAY    550     /* Wait 550us for MSI EC */
+-#define ACPI_EC_STORM_THRESHOLD 8     /* number of false interrupts
+-                                         per one transaction */
+-
+ enum {
+       EC_FLAGS_QUERY_PENDING,         /* Query is pending */
+       EC_FLAGS_GPE_STORM,             /* GPE storm detected */
+@@ -87,6 +84,15 @@ static unsigned int ec_delay __read_most
+ module_param(ec_delay, uint, 0644);
+ MODULE_PARM_DESC(ec_delay, "Timeout(ms) waited until an EC command completes");
++/*
++ * If the number of false interrupts per one transaction exceeds
++ * this threshold, will think there is a GPE storm happened and
++ * will disable the GPE for normal transaction.
++ */
++static unsigned int ec_storm_threshold  __read_mostly = 8;
++module_param(ec_storm_threshold, uint, 0644);
++MODULE_PARM_DESC(ec_storm_threshold, "Maxim false GPE numbers not considered as GPE storm");
++
+ /* If we find an EC via the ECDT, we need to keep a ptr to its context */
+ /* External interfaces use first EC only, so remember */
+ typedef int (*acpi_ec_query_func) (void *data);
+@@ -319,7 +325,7 @@ static int acpi_ec_transaction(struct ac
+               msleep(1);
+               /* It is safe to enable the GPE outside of the transaction. */
+               acpi_enable_gpe(NULL, ec->gpe);
+-      } else if (t->irq_count > ACPI_EC_STORM_THRESHOLD) {
++      } else if (t->irq_count > ec_storm_threshold) {
+               pr_info(PREFIX "GPE storm detected, "
+                       "transactions will use polling mode\n");
+               set_bit(EC_FLAGS_GPE_STORM, &ec->flags);
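Review bot: `ec_storm_threshold` is exposed with mode `0644` and no range check, and neither boundary is documented: a runtime write of 0 makes the first false interrupt in a transaction count as a storm, while a very large value effectively switches storm detection off. State the valid range and the effect of the extremes in the comment above the variable, and fix the typo in the description: `MODULE_PARM_DESC(ec_storm_threshold, "Maximum number of false GPEs per transaction not considered a GPE storm");`. `acpi_ec_transaction()` starts and ends outside the last hunk, so the type of `t->irq_count` that the threshold is compared against is not visible here.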
diff --git a/queue-3.6/alsa-hda-add-missing-hda_gen_spec-to-struct-via_spec.patch b/queue-3.6/alsa-hda-add-missing-hda_gen_spec-to-struct-via_spec.patch
new file mode 100644 (file)
index 0000000..44033c8
--- /dev/null
@@ -0,0 +1,51 @@
+From 7819d1c70eb6a57e43554d86e10b39d1e106ed65 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 10 Oct 2012 08:41:42 +0200
+Subject: ALSA: hda - Add missing hda_gen_spec to struct via_spec
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 7819d1c70eb6a57e43554d86e10b39d1e106ed65 upstream.
+
+The commit [4b527b65 ALSA: hda - limit internal mic boost for Asus
+X202E] introduced the use of auto-parser code, but it forgot to add
+struct hda_gen_spec at the head of codec->spec which the auto-parser
+assumes silently.  Without this record, it may result in memory
+corruption.
+
+This patch adds the missing piece.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_via.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/pci/hda/patch_via.c
++++ b/sound/pci/hda/patch_via.c
+@@ -118,6 +118,8 @@ enum {
+ };
+ struct via_spec {
++      struct hda_gen_spec gen;
++
+       /* codec parameterization */
+       const struct snd_kcontrol_new *mixers[6];
+       unsigned int num_mixers;
+@@ -246,6 +248,7 @@ static struct via_spec * via_new_spec(st
+       /* VT1708BCE & VT1708S are almost same */
+       if (spec->codec_type == VT1708BCE)
+               spec->codec_type = VT1708S;
++      snd_hda_gen_init(&spec->gen);
+       return spec;
+ }
+@@ -1628,6 +1631,7 @@ static void via_free(struct hda_codec *c
+       vt1708_stop_hp_work(spec);
+       kfree(spec->bind_cap_vol);
+       kfree(spec->bind_cap_sw);
++      snd_hda_gen_free(&spec->gen);
+       kfree(spec);
+ }
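Review bot: The requirement that `gen` be the first member of `struct via_spec` is enforced only by its position. The commit message says the auto-parser silently assumes `struct hda_gen_spec` at the head of `codec->spec`, so a later reordering of the struct would bring the memory corruption back without any build error. Add a comment on the member, `/* must be first: the auto-parser treats codec->spec as struct hda_gen_spec */`, and consider `BUILD_BUG_ON(offsetof(struct via_spec, gen) != 0);` in `via_new_spec()`. Both `via_new_spec()` and `via_free()` begin outside their hunks.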
diff --git a/queue-3.6/alsa-hda-do-not-detect-jack-on-internal-speakers-for-realtek.patch b/queue-3.6/alsa-hda-do-not-detect-jack-on-internal-speakers-for-realtek.patch
new file mode 100644 (file)
index 0000000..32c39da
--- /dev/null
@@ -0,0 +1,33 @@
+From f7f4b2322bf7b8c5929b7eb5a667091f32592580 Mon Sep 17 00:00:00 2001
+From: David Henningsson <david.henningsson@canonical.com>
+Date: Wed, 10 Oct 2012 16:32:09 +0200
+Subject: ALSA: hda - do not detect jack on internal speakers for Realtek
+
+From: David Henningsson <david.henningsson@canonical.com>
+
+commit f7f4b2322bf7b8c5929b7eb5a667091f32592580 upstream.
+
+This caused the internal speaker to mute itself because it was
+present, which happened after powersave.
+It was found on Dell XPS 15 (L502x), ALC665.
+
+Reported-by: Da Fox <da.fox.mail@gmail.com>
+Signed-off-by: David Henningsson <david.henningsson@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -611,6 +611,8 @@ static void alc_line_automute(struct hda
+ {
+       struct alc_spec *spec = codec->spec;
++      if (spec->autocfg.line_out_type == AUTO_PIN_SPEAKER_OUT)
++              return;
+       /* check LO jack only when it's different from HP */
+       if (spec->autocfg.line_out_pins[0] == spec->autocfg.hp_pins[0])
+               return;
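Review bot: The new early return in `alc_line_automute()` has no comment, while the check directly below it does. Add one such as `/* internal speakers have no jack to detect */` so the reason for skipping `AUTO_PIN_SPEAKER_OUT` is recorded in the code and not only in the commit message. The function body continues past the end of the hunk.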
diff --git a/queue-3.6/alsa-hda-fix-memory-leaks-at-error-path-in-patch_cirrus.c.patch b/queue-3.6/alsa-hda-fix-memory-leaks-at-error-path-in-patch_cirrus.c.patch
new file mode 100644 (file)
index 0000000..0d9929c
--- /dev/null
@@ -0,0 +1,47 @@
+From c5e0b6dbad9b4d18c561af90b384d02373f1c994 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 10 Oct 2012 08:50:35 +0200
+Subject: ALSA: hda - Fix memory leaks at error path in patch_cirrus.c
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c5e0b6dbad9b4d18c561af90b384d02373f1c994 upstream.
+
+The proper destructor should be called at the error path.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_cirrus.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/pci/hda/patch_cirrus.c
++++ b/sound/pci/hda/patch_cirrus.c
+@@ -1417,7 +1417,7 @@ static int patch_cs420x(struct hda_codec
+       return 0;
+  error:
+-      kfree(codec->spec);
++      cs_free(codec);
+       codec->spec = NULL;
+       return err;
+ }
+@@ -1974,7 +1974,7 @@ static int patch_cs4210(struct hda_codec
+       return 0;
+  error:
+-      kfree(codec->spec);
++      cs_free(codec);
+       codec->spec = NULL;
+       return err;
+ }
+@@ -1999,7 +1999,7 @@ static int patch_cs4213(struct hda_codec
+       return 0;
+  error:
+-      kfree(codec->spec);
++      cs_free(codec);
+       codec->spec = NULL;
+       return err;
+ }
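Review bot: Each error path now calls `cs_free(codec)` and then sets `codec->spec = NULL`, but `cs_free()` is not visible in these hunks, so two things need confirming. First, that it copes with a spec that is only partly initialised at the point of failure; second, that it tolerates `codec->spec == NULL` if it can still be reached afterwards through the codec's free callback. If it dereferences the spec unconditionally, a guard such as `if (!spec) return;` at its top would close the second case. This applies equally to `patch_cs420x()`, `patch_cs4210()` and `patch_cs4213()`, all of which start outside their hunks.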
diff --git a/queue-3.6/mips-kgdb-fix-recursive-page-fault-with-config_kprobes.patch b/queue-3.6/mips-kgdb-fix-recursive-page-fault-with-config_kprobes.patch
new file mode 100644 (file)
index 0000000..5eb1e52
--- /dev/null
@@ -0,0 +1,51 @@
+From f0a996eeeda214f4293e234df33b29bec003b536 Mon Sep 17 00:00:00 2001
+From: Jason Wessel <jason.wessel@windriver.com>
+Date: Fri, 10 Aug 2012 12:21:15 -0500
+Subject: mips,kgdb: fix recursive page fault with CONFIG_KPROBES
+
+From: Jason Wessel <jason.wessel@windriver.com>
+
+commit f0a996eeeda214f4293e234df33b29bec003b536 upstream.
+
+This fault was detected using the kgdb test suite on boot and it
+crashes recursively due to the fact that CONFIG_KPROBES on mips adds
+an extra die notifier in the page fault handler.  The crash signature
+looks like this:
+
+kgdbts:RUN bad memory access test
+KGDB: re-enter exception: ALL breakpoints killed
+Call Trace:
+[<807b7548>] dump_stack+0x20/0x54
+[<807b7548>] dump_stack+0x20/0x54
+
+The fix for now is to have kgdb return immediately if the fault type
+is DIE_PAGE_FAULT and allow the kprobe code to decide what is supposed
+to happen.
+
+Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/kgdb.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/mips/kernel/kgdb.c
++++ b/arch/mips/kernel/kgdb.c
+@@ -283,6 +283,15 @@ static int kgdb_mips_notify(struct notif
+       struct pt_regs *regs = args->regs;
+       int trap = (regs->cp0_cause & 0x7c) >> 2;
++#ifdef CONFIG_KPROBES
++      /*
++       * Return immediately if the kprobes fault notifier has set
++       * DIE_PAGE_FAULT.
++       */
++      if (cmd == DIE_PAGE_FAULT)
++              return NOTIFY_DONE;
++#endif /* CONFIG_KPROBES */
++
+       /* Userspace events, ignore. */
+       if (user_mode(regs))
+               return NOTIFY_DONE;
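Review bot: The added comment says what the check does but not why, and with `CONFIG_KPROBES` set it makes kgdb ignore every `DIE_PAGE_FAULT`, which the commit message itself calls a fix "for now". Record the reason and the temporary nature in the code, e.g. `/* kgdb re-enters the exception recursively on DIE_PAGE_FAULT; leave it to the kprobes notifier (temporary) */`. `kgdb_mips_notify()` starts and ends outside the hunk.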
index d134c156d71897cbc08bc70ff77cc8759c79108c..975b758ec4ae0f6ec215545569c59dce03f8575e 100644 (file)
@@ -8,3 +8,10 @@ nfsd-pass-null-terminated-buf-to-kstrtouint.patch
 lockd-per-net-nsm-client-creation-and-destruction-helpers-introduced.patch
 lockd-use-rpc-client-s-cl_nodename-for-id-encoding.patch
 lockd-create-and-use-per-net-nsm-rpc-clients-on-mon-unmon-requests.patch
+acpi-ec-make-the-gpe-storm-threshold-a-module-parameter.patch
+acpi-ec-add-a-quirk-for-clevo-m720t-m730t-laptop.patch
+alsa-hda-add-missing-hda_gen_spec-to-struct-via_spec.patch
+alsa-hda-do-not-detect-jack-on-internal-speakers-for-realtek.patch
+alsa-hda-fix-memory-leaks-at-error-path-in-patch_cirrus.c.patch
+mips-kgdb-fix-recursive-page-fault-with-config_kprobes.patch
+tmpfs-ceph-gfs2-isofs-reiserfs-xfs-fix-fh_len-checking.patch
diff --git a/queue-3.6/tmpfs-ceph-gfs2-isofs-reiserfs-xfs-fix-fh_len-checking.patch b/queue-3.6/tmpfs-ceph-gfs2-isofs-reiserfs-xfs-fix-fh_len-checking.patch
new file mode 100644 (file)
index 0000000..c50b687
--- /dev/null
@@ -0,0 +1,196 @@
+From 35c2a7f4908d404c9124c2efc6ada4640ca4d5d5 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Sun, 7 Oct 2012 20:32:51 -0700
+Subject: tmpfs,ceph,gfs2,isofs,reiserfs,xfs: fix fh_len checking
+
+From: Hugh Dickins <hughd@google.com>
+
+commit 35c2a7f4908d404c9124c2efc6ada4640ca4d5d5 upstream.
+
+Fuzzing with trinity oopsed on the 1st instruction of shmem_fh_to_dentry(),
+       u64 inum = fid->raw[2];
+which is unhelpfully reported as at the end of shmem_alloc_inode():
+
+BUG: unable to handle kernel paging request at ffff880061cd3000
+IP: [<ffffffff812190d0>] shmem_alloc_inode+0x40/0x40
+Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+Call Trace:
+ [<ffffffff81488649>] ? exportfs_decode_fh+0x79/0x2d0
+ [<ffffffff812d77c3>] do_handle_open+0x163/0x2c0
+ [<ffffffff812d792c>] sys_open_by_handle_at+0xc/0x10
+ [<ffffffff83a5f3f8>] tracesys+0xe1/0xe6
+
+Right, tmpfs is being stupid to access fid->raw[2] before validating that
+fh_len includes it: the buffer kmalloc'ed by do_sys_name_to_handle() may
+fall at the end of a page, and the next page not be present.
+
+But some other filesystems (ceph, gfs2, isofs, reiserfs, xfs) are being
+careless about fh_len too, in fh_to_dentry() and/or fh_to_parent(), and
+could oops in the same way: add the missing fh_len checks to those.
+
+Reported-by: Sasha Levin <levinsasha928@gmail.com>
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Sage Weil <sage@inktank.com>
+Cc: Steven Whitehouse <swhiteho@redhat.com>
+Cc: Christoph Hellwig <hch@infradead.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/export.c    |   18 ++++++++++++++----
+ fs/gfs2/export.c    |    4 ++++
+ fs/isofs/export.c   |    2 +-
+ fs/reiserfs/inode.c |    6 +++++-
+ fs/xfs/xfs_export.c |    3 +++
+ mm/shmem.c          |    6 ++++--
+ 6 files changed, 31 insertions(+), 8 deletions(-)
+
+--- a/fs/ceph/export.c
++++ b/fs/ceph/export.c
+@@ -99,7 +99,7 @@ static int ceph_encode_fh(struct inode *
+  * FIXME: we should try harder by querying the mds for the ino.
+  */
+ static struct dentry *__fh_to_dentry(struct super_block *sb,
+-                                   struct ceph_nfs_fh *fh)
++                                   struct ceph_nfs_fh *fh, int fh_len)
+ {
+       struct ceph_mds_client *mdsc = ceph_sb_to_client(sb)->mdsc;
+       struct inode *inode;
+@@ -107,6 +107,9 @@ static struct dentry *__fh_to_dentry(str
+       struct ceph_vino vino;
+       int err;
++      if (fh_len < sizeof(*fh) / 4)
++              return ERR_PTR(-ESTALE);
++
+       dout("__fh_to_dentry %llx\n", fh->ino);
+       vino.ino = fh->ino;
+       vino.snap = CEPH_NOSNAP;
+@@ -150,7 +153,7 @@ static struct dentry *__fh_to_dentry(str
+  * convert connectable fh to dentry
+  */
+ static struct dentry *__cfh_to_dentry(struct super_block *sb,
+-                                    struct ceph_nfs_confh *cfh)
++                                    struct ceph_nfs_confh *cfh, int fh_len)
+ {
+       struct ceph_mds_client *mdsc = ceph_sb_to_client(sb)->mdsc;
+       struct inode *inode;
+@@ -158,6 +161,9 @@ static struct dentry *__cfh_to_dentry(st
+       struct ceph_vino vino;
+       int err;
++      if (fh_len < sizeof(*cfh) / 4)
++              return ERR_PTR(-ESTALE);
++
+       dout("__cfh_to_dentry %llx (%llx/%x)\n",
+            cfh->ino, cfh->parent_ino, cfh->parent_name_hash);
+@@ -207,9 +213,11 @@ static struct dentry *ceph_fh_to_dentry(
+                                       int fh_len, int fh_type)
+ {
+       if (fh_type == 1)
+-              return __fh_to_dentry(sb, (struct ceph_nfs_fh *)fid->raw);
++              return __fh_to_dentry(sb, (struct ceph_nfs_fh *)fid->raw,
++                                                              fh_len);
+       else
+-              return __cfh_to_dentry(sb, (struct ceph_nfs_confh *)fid->raw);
++              return __cfh_to_dentry(sb, (struct ceph_nfs_confh *)fid->raw,
++                                                              fh_len);
+ }
+ /*
+@@ -230,6 +238,8 @@ static struct dentry *ceph_fh_to_parent(
+       if (fh_type == 1)
+               return ERR_PTR(-ESTALE);
++      if (fh_len < sizeof(*cfh) / 4)
++              return ERR_PTR(-ESTALE);
+       pr_debug("fh_to_parent %llx/%d\n", cfh->parent_ino,
+                cfh->parent_name_hash);
+--- a/fs/gfs2/export.c
++++ b/fs/gfs2/export.c
+@@ -161,6 +161,8 @@ static struct dentry *gfs2_fh_to_dentry(
+       case GFS2_SMALL_FH_SIZE:
+       case GFS2_LARGE_FH_SIZE:
+       case GFS2_OLD_FH_SIZE:
++              if (fh_len < GFS2_SMALL_FH_SIZE)
++                      return NULL;
+               this.no_formal_ino = ((u64)be32_to_cpu(fh[0])) << 32;
+               this.no_formal_ino |= be32_to_cpu(fh[1]);
+               this.no_addr = ((u64)be32_to_cpu(fh[2])) << 32;
+@@ -180,6 +182,8 @@ static struct dentry *gfs2_fh_to_parent(
+       switch (fh_type) {
+       case GFS2_LARGE_FH_SIZE:
+       case GFS2_OLD_FH_SIZE:
++              if (fh_len < GFS2_LARGE_FH_SIZE)
++                      return NULL;
+               parent.no_formal_ino = ((u64)be32_to_cpu(fh[4])) << 32;
+               parent.no_formal_ino |= be32_to_cpu(fh[5]);
+               parent.no_addr = ((u64)be32_to_cpu(fh[6])) << 32;
+--- a/fs/isofs/export.c
++++ b/fs/isofs/export.c
+@@ -175,7 +175,7 @@ static struct dentry *isofs_fh_to_parent
+ {
+       struct isofs_fid *ifid = (struct isofs_fid *)fid;
+-      if (fh_type != 2)
++      if (fh_len < 2 || fh_type != 2)
+               return NULL;
+       return isofs_export_iget(sb,
+--- a/fs/reiserfs/inode.c
++++ b/fs/reiserfs/inode.c
+@@ -1573,8 +1573,10 @@ struct dentry *reiserfs_fh_to_dentry(str
+                       reiserfs_warning(sb, "reiserfs-13077",
+                               "nfsd/reiserfs, fhtype=%d, len=%d - odd",
+                               fh_type, fh_len);
+-              fh_type = 5;
++              fh_type = fh_len;
+       }
++      if (fh_len < 2)
++              return NULL;
+       return reiserfs_get_dentry(sb, fid->raw[0], fid->raw[1],
+               (fh_type == 3 || fh_type >= 5) ? fid->raw[2] : 0);
+@@ -1583,6 +1585,8 @@ struct dentry *reiserfs_fh_to_dentry(str
+ struct dentry *reiserfs_fh_to_parent(struct super_block *sb, struct fid *fid,
+               int fh_len, int fh_type)
+ {
++      if (fh_type > fh_len)
++              fh_type = fh_len;
+       if (fh_type < 4)
+               return NULL;
+--- a/fs/xfs/xfs_export.c
++++ b/fs/xfs/xfs_export.c
+@@ -189,6 +189,9 @@ xfs_fs_fh_to_parent(struct super_block *
+       struct xfs_fid64        *fid64 = (struct xfs_fid64 *)fid;
+       struct inode            *inode = NULL;
++      if (fh_len < xfs_fileid_length(fileid_type))
++              return NULL;
++
+       switch (fileid_type) {
+       case FILEID_INO32_GEN_PARENT:
+               inode = xfs_nfs_get_inode(sb, fid->i32.parent_ino,
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2366,12 +2366,14 @@ static struct dentry *shmem_fh_to_dentry
+ {
+       struct inode *inode;
+       struct dentry *dentry = NULL;
+-      u64 inum = fid->raw[2];
+-      inum = (inum << 32) | fid->raw[1];
++      u64 inum;
+       if (fh_len < 3)
+               return NULL;
++      inum = fid->raw[2];
++      inum = (inum << 32) | fid->raw[1];
++
+       inode = ilookup5(sb, (unsigned long)(inum + fid->raw[0]),
+                       shmem_match, fid->raw);
+       if (inode) {
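Review bot: The ceph checks compare a signed `int fh_len` with `sizeof(*fh) / 4`, which is `size_t`, so a negative `fh_len` would be converted to a large unsigned value and pass the guard in `__fh_to_dentry()`, `__cfh_to_dentry()` and `ceph_fh_to_parent()`. Whether any caller can hand in a negative length is not visible here, but making the guard sign-safe is cheaper than reasoning about every caller: `if (fh_len < (int)(sizeof(*fh) / 4))`. Separately, the isofs hunk accepts `fh_len >= 2` while showing only the first line of the `isofs_export_iget()` call, so confirm that the `ifid` fields read in the rest of that call all lie within two 32-bit words or are guarded individually. Most of the touched functions start or end outside their hunks.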