--- /dev/null
+From 69a4cfdd444d1fe5c24d29b3a063964ac165d2cd Mon Sep 17 00:00:00 2001
+From: Sean Connor <sconnor004@allyinics.org>
+Date: Thu, 28 Feb 2013 09:20:00 -0500
+Subject: ALSA: ice1712: Initialize card->private_data properly
+
+From: Sean Connor <sconnor004@allyinics.org>
+
+commit 69a4cfdd444d1fe5c24d29b3a063964ac165d2cd upstream.
+
+Set card->private_data in snd_ice1712_create for fixing NULL
+dereference in snd_ice1712_remove().
+
+Signed-off-by: Sean Connor <sconnor004@allyinics.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/ice1712/ice1712.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/ice1712/ice1712.c
++++ b/sound/pci/ice1712/ice1712.c
+@@ -2594,6 +2594,8 @@ static int snd_ice1712_create(struct snd
+ snd_ice1712_proc_init(ice);
+ synchronize_irq(pci->irq);
+
++ card->private_data = ice;
++
+ err = pci_request_regions(pci, "ICE1712");
+ if (err < 0) {
+ kfree(ice);
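Review bot: The new `card->private_data = ice;` is set before the `pci_request_regions()` failure path, which calls `kfree(ice)` just below, so on that path the card is left holding a pointer to freed memory. Whether anything reads `card->private_data` after snd_ice1712_create() fails is not visible here. Adding `card->private_data = NULL;` next to the `kfree(ice);`, or making the assignment only once nothing after it can free `ice` directly, would remove the dangling pointer. The body of snd_ice1712_create() continues outside the hunk.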
--- /dev/null
+From 2069d483b39a603a5f3428a19d3b4ac89aa97f48 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 5 Mar 2013 15:43:39 +0100
+Subject: ALSA: vmaster: Fix slave change notification
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 2069d483b39a603a5f3428a19d3b4ac89aa97f48 upstream.
+
+When a value of a vmaster slave control is changed, the ctl change
+notification is sometimes ignored. This happens when the master
+control overrides, e.g. when the corresponding master control is
+muted. The reason is that slave_put() returns the value of the actual
+slave put callback, and it doesn't reflect the virtual slave value
+change.
+
+This patch fixes the function just to return 1 whenever a slave value
+is changed.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/vmaster.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/sound/core/vmaster.c
++++ b/sound/core/vmaster.c
+@@ -213,7 +213,10 @@ static int slave_put(struct snd_kcontrol
+ }
+ if (!changed)
+ return 0;
+- return slave_put_val(slave, ucontrol);
++ err = slave_put_val(slave, ucontrol);
++ if (err < 0)
++ return err;
++ return 1;
+ }
+
+ static int slave_tlv_cmd(struct snd_kcontrol *kcontrol,
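Review bot: The fixed `return 1;` at the end of slave_put() has no comment, and the reason for discarding the positive result of `slave_put_val()` is only in the commit message. A one-line comment above it would keep the intent with the code: `/* the virtual slave value changed, so notify even if the master override left the real control untouched */`. The declaration of `err` is outside the hunk and is assumed to exist already in the function.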
--- /dev/null
+From a40e7cf8f06b4e322ba902e4e9f6a6b0c2daa907 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 8 Mar 2013 12:43:32 -0800
+Subject: dmi_scan: fix missing check for _DMI_ signature in smbios_present()
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit a40e7cf8f06b4e322ba902e4e9f6a6b0c2daa907 upstream.
+
+Commit 9f9c9cbb6057 ("drivers/firmware/dmi_scan.c: fetch dmi version
+from SMBIOS if it exists") hoisted the check for "_DMI_" into
+dmi_scan_machine(), which means that we don't bother to check for
+"_DMI_" at offset 16 in an SMBIOS entry. smbios_present() may also call
+dmi_present() for an address where we found "_SM_", if it failed further
+validation.
+
+Check for "_DMI_" in smbios_present() before calling dmi_present().
+
+[akpm@linux-foundation.org: fix build]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Reported-by: Tim McGrath <tmhikaru@gmail.com>
+Tested-by: Tim Mcgrath <tmhikaru@gmail.com>
+Cc: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/dmi_scan.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/dmi_scan.c
++++ b/drivers/firmware/dmi_scan.c
+@@ -442,7 +442,6 @@ static int __init dmi_present(const char
+ static int __init smbios_present(const char __iomem *p)
+ {
+ u8 buf[32];
+- int offset = 0;
+
+ memcpy_fromio(buf, p, 32);
+ if ((buf[5] < 32) && dmi_checksum(buf, buf[5])) {
+@@ -461,9 +460,9 @@ static int __init smbios_present(const c
+ dmi_ver = 0x0206;
+ break;
+ }
+- offset = 16;
++ return memcmp(p + 16, "_DMI_", 5) || dmi_present(p + 16);
+ }
+- return dmi_present(buf + offset);
++ return 1;
+ }
+
+ void __init dmi_scan_machine(void)
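Review bot: The added `memcmp(p + 16, "_DMI_", 5)` reads through `p`, which smbios_present() declares as `const char __iomem *`, with a plain memory function instead of an I/O accessor. The first 32 bytes were already copied by `memcpy_fromio(buf, p, 32)` at the top of the function, so the signature check can use the local copy: `return memcmp(buf + 16, "_DMI_", 5) || dmi_present(p + 16);`. That keeps the comparison off the mapped region and inside the 32-byte buffer (offsets 16 to 20).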
--- /dev/null
+From 88b9e456b1649722673ffa147914299799dc9041 Mon Sep 17 00:00:00 2001
+From: Peter Hurley <peter@hurleysoftware.com>
+Date: Fri, 8 Mar 2013 12:43:27 -0800
+Subject: ipc: don't allocate a copy larger than max
+
+From: Peter Hurley <peter@hurleysoftware.com>
+
+commit 88b9e456b1649722673ffa147914299799dc9041 upstream.
+
+When MSG_COPY is set, a duplicate message must be allocated for the copy
+before locking the queue. However, the copy could not be larger than was
+sent which is limited to msg_ctlmax.
+
+Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/msg.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -820,15 +820,17 @@ long do_msgrcv(int msqid, void __user *b
+ struct msg_msg *copy = NULL;
+ unsigned long copy_number = 0;
+
++ ns = current->nsproxy->ipc_ns;
++
+ if (msqid < 0 || (long) bufsz < 0)
+ return -EINVAL;
+ if (msgflg & MSG_COPY) {
+- copy = prepare_copy(buf, bufsz, msgflg, &msgtyp, ©_number);
++ copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax),
++ msgflg, &msgtyp, ©_number);
+ if (IS_ERR(copy))
+ return PTR_ERR(copy);
+ }
+ mode = convert_mode(&msgtyp, msgflg);
+- ns = current->nsproxy->ipc_ns;
+
+ msq = msg_lock_check(ns, msqid);
+ if (IS_ERR(msq)) {
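Review bot: The clamp `min_t(size_t, bufsz, ns->msg_ctlmax)` bounds an allocation whose size otherwise comes straight from the caller's `bufsz`, and nothing at the call site says so. A short comment above the `prepare_copy()` call would record it: `/* a queued message is at most msg_ctlmax bytes, so never preallocate more for the copy */`. The type of `msg_ctlmax` is not visible in this hunk; if it could hold a negative value, the cast to `size_t` would make the clamp silently ineffective, which is worth confirming. The `©_number` on both sides of the change looks like a rendering artifact of `&copy_number`.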
--- /dev/null
+From e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 Mon Sep 17 00:00:00 2001
+From: Peter Hurley <peter@hurleysoftware.com>
+Date: Fri, 8 Mar 2013 12:43:26 -0800
+Subject: ipc: fix potential oops when src msg > 4k w/ MSG_COPY
+
+From: Peter Hurley <peter@hurleysoftware.com>
+
+commit e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 upstream.
+
+If the src msg is > 4k, then dest->next points to the
+next allocated segment; resetting it just prior to dereferencing
+is bad.
+
+Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/msgutil.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/ipc/msgutil.c
++++ b/ipc/msgutil.c
+@@ -117,9 +117,6 @@ struct msg_msg *copy_msg(struct msg_msg
+ if (alen > DATALEN_MSG)
+ alen = DATALEN_MSG;
+
+- dst->next = NULL;
+- dst->security = NULL;
+-
+ memcpy(dst + 1, src + 1, alen);
+
+ len -= alen;
--- /dev/null
+From db04dc679bcc780ad6907943afe24a30de974a1b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Sat, 9 Mar 2013 00:14:45 -0800
+Subject: proc: Use nd_jump_link in proc_ns_follow_link
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit db04dc679bcc780ad6907943afe24a30de974a1b upstream.
+
+Update proc_ns_follow_link to use nd_jump_link instead of just
+manually updating nd.path.dentry.
+
+This fixes the BUG_ON(nd->inode != parent->d_inode) reported by Dave
+Jones and reproduced trivially with mkdir /proc/self/ns/uts/a.
+
+Sigh it looks like the VFS change to require use of nd_jump_link
+happend while proc_ns_follow_link was baking and since the common case
+of proc_ns_follow_link continued to work without problems the need for
+making this change was overlooked.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/namespaces.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/fs/proc/namespaces.c
++++ b/fs/proc/namespaces.c
+@@ -118,7 +118,7 @@ static void *proc_ns_follow_link(struct
+ struct super_block *sb = inode->i_sb;
+ struct proc_inode *ei = PROC_I(inode);
+ struct task_struct *task;
+- struct dentry *ns_dentry;
++ struct path ns_path;
+ void *error = ERR_PTR(-EACCES);
+
+ task = get_proc_task(inode);
+@@ -128,14 +128,14 @@ static void *proc_ns_follow_link(struct
+ if (!ptrace_may_access(task, PTRACE_MODE_READ))
+ goto out_put_task;
+
+- ns_dentry = proc_ns_get_dentry(sb, task, ei->ns_ops);
+- if (IS_ERR(ns_dentry)) {
+- error = ERR_CAST(ns_dentry);
++ ns_path.dentry = proc_ns_get_dentry(sb, task, ei->ns_ops);
++ if (IS_ERR(ns_path.dentry)) {
++ error = ERR_CAST(ns_path.dentry);
+ goto out_put_task;
+ }
+
+- dput(nd->path.dentry);
+- nd->path.dentry = ns_dentry;
++ ns_path.mnt = mntget(nd->path.mnt);
++ nd_jump_link(nd, &ns_path);
+ error = NULL;
+
+ out_put_task:
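Review bot: The reference handling around `nd_jump_link(nd, &ns_path)` is not documented: `ns_path.dentry` holds what `proc_ns_get_dentry()` returned and `ns_path.mnt` the reference taken by `mntget()`, and neither is released in this function after the call. A comment before the call such as `/* nd_jump_link() takes over both references held in ns_path */` would tell a later reader why. That the helper also drops the old `nd->path` is inferred from the removed `dput()`, since its full body is not in this hunk. The `mntget()` has to stay ahead of the call for the same reason.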
--- /dev/null
+From b980955236922ae6106774511c5c05003d3ad225 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 4 Mar 2013 11:59:12 -0500
+Subject: random: fix locking dependency with the tasklist_lock
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit b980955236922ae6106774511c5c05003d3ad225 upstream.
+
+Commit 6133705494bb introduced a circular lock dependency because
+posix_cpu_timers_exit() is called by release_task(), which is holding
+a writer lock on tasklist_lock, and this can cause a deadlock since
+kill_fasync() gets called with nonblocking_pool.lock taken.
+
+There's no reason why kill_fasync() needs to be taken while the random
+pool is locked, so move it out to fix this locking dependency.
+
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Reported-by: Russ Dill <Russ.Dill@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -852,6 +852,7 @@ static size_t account(struct entropy_sto
+ int reserved)
+ {
+ unsigned long flags;
++ int wakeup_write = 0;
+
+ /* Hold lock while accounting */
+ spin_lock_irqsave(&r->lock, flags);
+@@ -873,10 +874,8 @@ static size_t account(struct entropy_sto
+ else
+ r->entropy_count = reserved;
+
+- if (r->entropy_count < random_write_wakeup_thresh) {
+- wake_up_interruptible(&random_write_wait);
+- kill_fasync(&fasync, SIGIO, POLL_OUT);
+- }
++ if (r->entropy_count < random_write_wakeup_thresh)
++ wakeup_write = 1;
+ }
+
+ DEBUG_ENT("debiting %zu entropy credits from %s%s\n",
+@@ -884,6 +883,11 @@ static size_t account(struct entropy_sto
+
+ spin_unlock_irqrestore(&r->lock, flags);
+
++ if (wakeup_write) {
++ wake_up_interruptible(&random_write_wait);
++ kill_fasync(&fasync, SIGIO, POLL_OUT);
++ }
++
+ return nbytes;
+ }
+
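Review bot: The deferred wake-up after `spin_unlock_irqrestore()` carries no comment, so a later cleanup could fold it back under `r->lock`. A comment on the new block would pin the constraint: `/* must run after dropping r->lock: kill_fasync() under the pool lock creates a lock dependency with tasklist_lock */`. `wakeup_write` is used purely as a flag, so `bool wakeup_write = false;` would say that more directly than `int`, if the file's conventions allow it. The declaration and the place where the flag is set are in the two preceding hunks of account().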
drm-i915-reorder-setup-sequence-to-have-irqs-for-output-setup.patch
drm-i915-enable-irqs-earlier-when-resuming.patch
drm-i915-turn-off-hsync-and-vsync-on-adpa-when-disabling-crt.patch
+ipc-fix-potential-oops-when-src-msg-4k-w-msg_copy.patch
+ipc-don-t-allocate-a-copy-larger-than-max.patch
+dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present.patch
+alsa-ice1712-initialize-card-private_data-properly.patch
+alsa-vmaster-fix-slave-change-notification.patch
+vfs-don-t-bug_on-if-following-a-proc-fd-pseudo-symlink.patch
+proc-use-nd_jump_link-in-proc_ns_follow_link.patch
+tile-work-around-bug-in-the-generic-sys_llseek.patch
+random-fix-locking-dependency-with-the-tasklist_lock.patch
--- /dev/null
+From 5a114b98661e3aaa0ac085eb931584dce3b0ef9b Mon Sep 17 00:00:00 2001
+From: Chris Metcalf <cmetcalf@tilera.com>
+Date: Mon, 4 Mar 2013 11:19:09 -0500
+Subject: tile: work around bug in the generic sys_llseek
+
+From: Chris Metcalf <cmetcalf@tilera.com>
+
+commit 5a114b98661e3aaa0ac085eb931584dce3b0ef9b upstream.
+
+sys_llseek should specify the high and low 32-bit seek values as "unsigned
+int" but instead it specifies "unsigned long". Since compat syscall
+arguments are always sign-extended on tile, this means that a seek value
+of 0xffffffff will be incorrectly interpreted as a value of -1ULL.
+
+To avoid the risk of breaking binary compatibility on architectures
+that already use sys_llseek this way, we follow the same path as MIPS
+and provide a wrapper override.
+
+Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/tile/include/asm/compat.h | 3 +++
+ arch/tile/kernel/compat.c | 13 +++++++++++++
+ 2 files changed, 16 insertions(+)
+
+--- a/arch/tile/include/asm/compat.h
++++ b/arch/tile/include/asm/compat.h
+@@ -296,6 +296,9 @@ long compat_sys_sync_file_range2(int fd,
+ long compat_sys_fallocate(int fd, int mode,
+ u32 offset_lo, u32 offset_hi,
+ u32 len_lo, u32 len_hi);
++long compat_sys_llseek(unsigned int fd, unsigned int offset_high,
++ unsigned int offset_low, loff_t __user * result,
++ unsigned int origin);
+
+ /* Assembly trampoline to avoid clobbering r0. */
+ long _compat_sys_rt_sigreturn(void);
+--- a/arch/tile/kernel/compat.c
++++ b/arch/tile/kernel/compat.c
+@@ -76,6 +76,18 @@ long compat_sys_fallocate(int fd, int mo
+ ((loff_t)len_hi << 32) | len_lo);
+ }
+
++/*
++ * Avoid bug in generic sys_llseek() that specifies offset_high and
++ * offset_low as "unsigned long", thus making it possible to pass
++ * a sign-extended high 32 bits in offset_low.
++ */
++long compat_sys_llseek(unsigned int fd, unsigned int offset_high,
++ unsigned int offset_low, loff_t __user * result,
++ unsigned int origin)
++{
++ return sys_llseek(fd, offset_high, offset_low, result, origin);
++}
++
+ /* Provide the compat syscall number to call mapping. */
+ #undef __SYSCALL
+ #define __SYSCALL(nr, call) [nr] = (call),
+@@ -83,6 +95,7 @@ long compat_sys_fallocate(int fd, int mo
+ /* See comments in sys.c */
+ #define compat_sys_fadvise64_64 sys32_fadvise64_64
+ #define compat_sys_readahead sys32_readahead
++#define sys_llseek compat_sys_llseek
+
+ /* Call the assembly trampolines where necessary. */
+ #define compat_sys_rt_sigreturn _compat_sys_rt_sigreturn
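Review bot: `#define sys_llseek compat_sys_llseek` only works because it comes after the definition of compat_sys_llseek() in the previous hunk. If the macro were ever moved above the wrapper, the wrapper's own `sys_llseek(...)` call would be rewritten into a call to itself. A comment on the define would record that: `/* must stay below compat_sys_llseek(), which calls the real sys_llseek() */`. As a style point, the prototype and the definition write `loff_t __user * result`, where kernel style is `loff_t __user *result`.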
--- /dev/null
+From 7b54c165a0c012edbaeaa73c5c87cb73721eb580 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 8 Mar 2013 09:03:07 -0800
+Subject: vfs: don't BUG_ON() if following a /proc fd pseudo-symlink
+ results in a symlink
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 7b54c165a0c012edbaeaa73c5c87cb73721eb580 upstream.
+
+It's "normal" - it can happen if the file descriptor you followed was
+opened with O_NOFOLLOW.
+
+Reported-by: Dave Jones <davej@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -693,8 +693,6 @@ void nd_jump_link(struct nameidata *nd,
+ nd->path = *path;
+ nd->inode = nd->path.dentry->d_inode;
+ nd->flags |= LOOKUP_JUMPED;
+-
+- BUG_ON(nd->inode->i_op->follow_link);
+ }
+
+ static inline void put_link(struct nameidata *nd, struct path *link, void *cookie)