--- /dev/null
+From ddc64b278a4dda052390b3de1b551e59acdff105 Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch <clemens@ladisch.de>
+Date: Thu, 21 Aug 2014 20:55:21 +0200
+Subject: ALSA: core: fix buffer overflow in snd_info_get_line()
+
+From: Clemens Ladisch <clemens@ladisch.de>
+
+commit ddc64b278a4dda052390b3de1b551e59acdff105 upstream.
+
+snd_info_get_line() documents that its last parameter must be one
+less than the buffer size, but this API design guarantees that
+(literally) every caller gets it wrong.
+
+Just change this parameter to have its obvious meaning.
+
+Reported-by: Tommi Rantala <tt.rantala@gmail.com>
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/info.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/info.c
++++ b/sound/core/info.c
+@@ -684,7 +684,7 @@ int snd_info_card_free(struct snd_card *
+ * snd_info_get_line - read one line from the procfs buffer
+ * @buffer: the procfs buffer
+ * @line: the buffer to store
+- * @len: the max. buffer size - 1
++ * @len: the max. buffer size
+ *
+ * Reads one line from the buffer and stores the string.
+ *
+@@ -704,7 +704,7 @@ int snd_info_get_line(struct snd_info_bu
+ buffer->stop = 1;
+ if (c == '\n')
+ break;
+- if (len) {
++ if (len > 1) {
+ len--;
+ *line++ = c;
+ }
--- /dev/null
+From 1033eb5b5aeeb526c22068e0fb0cef9f3c14231e Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Fri, 29 Aug 2014 13:40:44 +0900
+Subject: ALSA: dice: fix wrong channel mappping at higher sampling rate
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 1033eb5b5aeeb526c22068e0fb0cef9f3c14231e upstream.
+
+The channel mapping is initialized by amdtp_stream_set_parameters(), however
+Dice driver set it before calling this function. Furthermore, the setting is
+wrong because the index is the value of array, and vice versa.
+
+This commit moves codes for channel mapping after the function and set it correctly.
+
+Reported-by: Daniel Robbins <drobbins@funtoo.org>
+Fixes: 10550bea44a8 ("ALSA: dice/firewire-lib: Keep dualwire mode but obsolete CIP_HI_DUALWIRE")
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/dice.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/sound/firewire/dice.c
++++ b/sound/firewire/dice.c
+@@ -579,11 +579,6 @@ static int dice_hw_params(struct snd_pcm
+ return err;
+ }
+
+- for (i = 0; i < channels; i++) {
+- dice->stream.pcm_positions[i * 2] = i;
+- dice->stream.pcm_positions[i * 2 + 1] = i + channels;
+- }
+-
+ rate /= 2;
+ channels *= 2;
+ }
+@@ -591,6 +586,15 @@ static int dice_hw_params(struct snd_pcm
+ mode = rate_index_to_mode(rate_index);
+ amdtp_stream_set_parameters(&dice->stream, rate, channels,
+ dice->rx_midi_ports[mode]);
++ if (rate_index > 4) {
++ channels /= 2;
++
++ for (i = 0; i < channels; i++) {
++ dice->stream.pcm_positions[i] = i * 2;
++ dice->stream.pcm_positions[i + channels] = i * 2 + 1;
++ }
++ }
++
+ amdtp_stream_set_pcm_format(&dice->stream,
+ params_format(hw_params));
+
--- /dev/null
+From 65845f29bec6bc17f80eff25c3bc39bcf3be9bf9 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Fri, 29 Aug 2014 13:40:45 +0900
+Subject: ALSA: firewire-lib/dice: add arrangements of PCM pointer and interrupts for Dice quirk
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 65845f29bec6bc17f80eff25c3bc39bcf3be9bf9 upstream.
+
+In IEC 61883-6, one data block transfers one event. In ALSA, the event equals one PCM frame,
+hence one data block transfers one PCM frame. But Dice has a quirk at higher sampling rate
+(176.4/192.0 kHz) that one data block transfers two PCM frames.
+
+Commit 10550bea44a8 ("ALSA: dice/firewire-lib: Keep dualwire mode but obsolete
+CIP_HI_DUALWIRE") moved some codes related to this quirk into Dice driver. But the commit
+forgot to add arrangements for PCM period interrupts and DMA pointer updates. As a result, Dice
+driver cannot work correctly at higher sampling rate.
+
+This commit adds 'double_pcm_frames' parameter to amdtp structure for this quirk. When this
+parameter is set, PCM period interrupts and DMA pointer updates occur at double speed than in
+IEC 61883-6.
+
+Reported-by: Daniel Robbins <drobbins@funtoo.org>
+Fixes: 10550bea44a8 ("ALSA: dice/firewire-lib: Keep dualwire mode but obsolete CIP_HI_DUALWIRE")
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/amdtp.c | 11 ++++++++++-
+ sound/firewire/amdtp.h | 1 +
+ sound/firewire/dice.c | 15 +++++++++++----
+ 3 files changed, 22 insertions(+), 5 deletions(-)
+
+--- a/sound/firewire/amdtp.c
++++ b/sound/firewire/amdtp.c
+@@ -507,7 +507,16 @@ static void amdtp_pull_midi(struct amdtp
+ static void update_pcm_pointers(struct amdtp_stream *s,
+ struct snd_pcm_substream *pcm,
+ unsigned int frames)
+-{ unsigned int ptr;
++{
++ unsigned int ptr;
++
++ /*
++ * In IEC 61883-6, one data block represents one event. In ALSA, one
++ * event equals to one PCM frame. But Dice has a quirk to transfer
++ * two PCM frames in one data block.
++ */
++ if (s->double_pcm_frames)
++ frames *= 2;
+
+ ptr = s->pcm_buffer_pointer + frames;
+ if (ptr >= pcm->runtime->buffer_size)
+--- a/sound/firewire/amdtp.h
++++ b/sound/firewire/amdtp.h
+@@ -125,6 +125,7 @@ struct amdtp_stream {
+ unsigned int pcm_buffer_pointer;
+ unsigned int pcm_period_pointer;
+ bool pointer_flush;
++ bool double_pcm_frames;
+
+ struct snd_rawmidi_substream *midi[AMDTP_MAX_CHANNELS_FOR_MIDI * 8];
+
+--- a/sound/firewire/dice.c
++++ b/sound/firewire/dice.c
+@@ -567,10 +567,14 @@ static int dice_hw_params(struct snd_pcm
+ return err;
+
+ /*
+- * At rates above 96 kHz, pretend that the stream runs at half the
+- * actual sample rate with twice the number of channels; two samples
+- * of a channel are stored consecutively in the packet. Requires
+- * blocking mode and PCM buffer size should be aligned to SYT_INTERVAL.
++ * At 176.4/192.0 kHz, Dice has a quirk to transfer two PCM frames in
++ * one data block of AMDTP packet. Thus sampling transfer frequency is
++ * a half of PCM sampling frequency, i.e. PCM frames at 192.0 kHz are
++ * transferred on AMDTP packets at 96 kHz. Two successive samples of a
++ * channel are stored consecutively in the packet. This quirk is called
++ * as 'Dual Wire'.
++ * For this quirk, blocking mode is required and PCM buffer size should
++ * be aligned to SYT_INTERVAL.
+ */
+ channels = params_channels(hw_params);
+ if (rate_index > 4) {
+@@ -581,6 +585,9 @@ static int dice_hw_params(struct snd_pcm
+
+ rate /= 2;
+ channels *= 2;
++ dice->stream.double_pcm_frames = true;
++ } else {
++ dice->stream.double_pcm_frames = false;
+ }
+
+ mode = rate_index_to_mode(rate_index);
--- /dev/null
+From 8245b3634516e6b7eb1c94594c0fd41d233502aa Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Fri, 19 Sep 2014 14:57:02 +0800
+Subject: ALSA: hda - Add fixup model name lookup for Lemote A1205
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 8245b3634516e6b7eb1c94594c0fd41d233502aa upstream.
+
+Lemote A1004 is already added in commit a2dd933d01f (ALSA: hda - Add
+fixup name lookup for CX5051 and 5066 codecs), but Lemote A1205 has
+missing.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -3382,6 +3382,7 @@ static const struct hda_model_fixup cxt5
+ { .id = CXT_PINCFG_LENOVO_TP410, .name = "tp410" },
+ { .id = CXT_FIXUP_THINKPAD_ACPI, .name = "thinkpad" },
+ { .id = CXT_PINCFG_LEMOTE_A1004, .name = "lemote-a1004" },
++ { .id = CXT_PINCFG_LEMOTE_A1205, .name = "lemote-a1205" },
+ { .id = CXT_FIXUP_OLPC_XO, .name = "olpc-xo" },
+ {}
+ };
--- /dev/null
+From acf08081adb5e8fe0519eb97bb49797ef52614d6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 2 Sep 2014 07:21:56 +0200
+Subject: ALSA: hda - Fix COEF setups for ALC1150 codec
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit acf08081adb5e8fe0519eb97bb49797ef52614d6 upstream.
+
+ALC1150 codec seems to need the COEF- and PLL-setups just like its
+compatible ALC882 codec. Some machines (e.g. SunMicro X10SAT) show
+the problem like too low output volumes unless the COEF setup is
+applied.
+
+Reported-and-tested-by: Dana Goyette <danagoyette@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -327,6 +327,7 @@ static void alc_auto_init_amp(struct hda
+ case 0x10ec0885:
+ case 0x10ec0887:
+ /*case 0x10ec0889:*/ /* this causes an SPDIF problem */
++ case 0x10ec0900:
+ alc889_coef_init(codec);
+ break;
+ case 0x10ec0888:
+@@ -2349,6 +2350,7 @@ static int patch_alc882(struct hda_codec
+ switch (codec->vendor_id) {
+ case 0x10ec0882:
+ case 0x10ec0885:
++ case 0x10ec0900:
+ break;
+ default:
+ /* ALC883 and variants */
--- /dev/null
+From ff50479ad61069f3ee14863225aebe36d598e93e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 1 Sep 2014 14:26:49 +0200
+Subject: ALSA: hda - Fix digital mic on Acer Aspire 3830TG
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ff50479ad61069f3ee14863225aebe36d598e93e upstream.
+
+Acer Aspire 3830TG with CX20588 codec has a digital built-in mic that
+has the same problem like many others, the inverted signal in stereo.
+Apply the same fixup to this machine, too.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -2822,6 +2822,7 @@ enum {
+ CXT_FIXUP_HEADPHONE_MIC_PIN,
+ CXT_FIXUP_HEADPHONE_MIC,
+ CXT_FIXUP_GPIO1,
++ CXT_FIXUP_ASPIRE_DMIC,
+ CXT_FIXUP_THINKPAD_ACPI,
+ CXT_FIXUP_OLPC_XO,
+ CXT_FIXUP_CAP_MIX_AMP,
+@@ -3269,6 +3270,12 @@ static const struct hda_fixup cxt_fixups
+ { }
+ },
+ },
++ [CXT_FIXUP_ASPIRE_DMIC] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = cxt_fixup_stereo_dmic,
++ .chained = true,
++ .chain_id = CXT_FIXUP_GPIO1,
++ },
+ [CXT_FIXUP_THINKPAD_ACPI] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = hda_fixup_thinkpad_acpi,
+@@ -3349,7 +3356,7 @@ static const struct hda_model_fixup cxt5
+
+ static const struct snd_pci_quirk cxt5066_fixups[] = {
+ SND_PCI_QUIRK(0x1025, 0x0543, "Acer Aspire One 522", CXT_FIXUP_STEREO_DMIC),
+- SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", CXT_FIXUP_GPIO1),
++ SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", CXT_FIXUP_ASPIRE_DMIC),
+ SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
+ SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO),
+ SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410),
--- /dev/null
+From 7a9744cb455e6faa287e148394b4b422a6f3c5c4 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 11 Sep 2014 12:59:21 +0200
+Subject: ALSA: hda - Fix invalid pin powermap without jack detection
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 7a9744cb455e6faa287e148394b4b422a6f3c5c4 upstream.
+
+When a driver is set up without the jack detection explicitly (either
+by passing a model option or via a specific fixup), the pin powermap
+of IDT/STAC codecs is set up wrongly, resulting in the silence
+output. It's because of a logic failure in stac_init_power_map().
+It tries to avoid creating a callback for the pins that have other
+auto-hp and auto-mic callbacks, but the check is done in a wrong way
+at a wrong time. The stac_init_power_map() should be called after
+creating other jack detection ctls, and the jack callback should be
+created only for jack-detectable widgets.
+
+This patch fixes the check in stac_init_power_map() and its callee
+at the right place, after snd_hda_gen_build_controls().
+
+Reported-by: Adam Richter <adam_richter2004@yahoo.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_sigmatel.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -565,8 +565,8 @@ static void stac_init_power_map(struct h
+ if (snd_hda_jack_tbl_get(codec, nid))
+ continue;
+ if (def_conf == AC_JACK_PORT_COMPLEX &&
+- !(spec->vref_mute_led_nid == nid ||
+- is_jack_detectable(codec, nid))) {
++ spec->vref_mute_led_nid != nid &&
++ is_jack_detectable(codec, nid)) {
+ snd_hda_jack_detect_enable_callback(codec, nid,
+ STAC_PWR_EVENT,
+ jack_update_power);
+@@ -4263,11 +4263,18 @@ static int stac_parse_auto_config(struct
+ return err;
+ }
+
+- stac_init_power_map(codec);
+-
+ return 0;
+ }
+
++static int stac_build_controls(struct hda_codec *codec)
++{
++ int err = snd_hda_gen_build_controls(codec);
++
++ if (err < 0)
++ return err;
++ stac_init_power_map(codec);
++ return 0;
++}
+
+ static int stac_init(struct hda_codec *codec)
+ {
+@@ -4379,7 +4386,7 @@ static int stac_suspend(struct hda_codec
+ #endif /* CONFIG_PM */
+
+ static const struct hda_codec_ops stac_patch_ops = {
+- .build_controls = snd_hda_gen_build_controls,
++ .build_controls = stac_build_controls,
+ .build_pcms = snd_hda_gen_build_pcms,
+ .init = stac_init,
+ .free = stac_free,
--- /dev/null
+From a9960e6a293e6fc3ed414643bb4e4106272e4d0a Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch <clemens@ladisch.de>
+Date: Sun, 21 Sep 2014 22:50:57 +0200
+Subject: ALSA: pcm: fix fifo_size frame calculation
+
+From: Clemens Ladisch <clemens@ladisch.de>
+
+commit a9960e6a293e6fc3ed414643bb4e4106272e4d0a upstream.
+
+The calculated frame size was wrong because snd_pcm_format_physical_width()
+actually returns the number of bits, not bytes.
+
+Use snd_pcm_format_size() instead, which not only returns bytes, but also
+simplifies the calculation.
+
+Fixes: 8bea869c5e56 ("ALSA: PCM midlevel: improve fifo_size handling")
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_lib.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -1782,14 +1782,16 @@ static int snd_pcm_lib_ioctl_fifo_size(s
+ {
+ struct snd_pcm_hw_params *params = arg;
+ snd_pcm_format_t format;
+- int channels, width;
++ int channels;
++ ssize_t frame_size;
+
+ params->fifo_size = substream->runtime->hw.fifo_size;
+ if (!(substream->runtime->hw.info & SNDRV_PCM_INFO_FIFO_IN_FRAMES)) {
+ format = params_format(params);
+ channels = params_channels(params);
+- width = snd_pcm_format_physical_width(format);
+- params->fifo_size /= width * channels;
++ frame_size = snd_pcm_format_size(format, channels);
++ if (frame_size > 0)
++ params->fifo_size /= (unsigned)frame_size;
+ }
+ return 0;
+ }
--- /dev/null
+From 27d7ff273c2aad37b28f6ff0cab2cfa35b51e648 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Fri, 22 Aug 2014 14:13:24 +0100
+Subject: arm64: ptrace: fix compat hardware watchpoint reporting
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 27d7ff273c2aad37b28f6ff0cab2cfa35b51e648 upstream.
+
+I'm not sure what I was on when I wrote this, but when iterating over
+the hardware watchpoint array (hbp_watch_array), our index is off by
+ARM_MAX_BRP, so we walk off the end of our thread_struct...
+
+... except, a dodgy condition in the loop means that it never executes
+at all (bp cannot be NULL).
+
+This patch fixes the code so that we remove the bp check and use the
+correct index for accessing the watchpoint structures.
+
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/hw_breakpoint.h | 1 -
+ arch/arm64/kernel/ptrace.c | 3 ++-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/hw_breakpoint.h
++++ b/arch/arm64/include/asm/hw_breakpoint.h
+@@ -79,7 +79,6 @@ static inline void decode_ctrl_reg(u32 r
+ */
+ #define ARM_MAX_BRP 16
+ #define ARM_MAX_WRP 16
+-#define ARM_MAX_HBP_SLOTS (ARM_MAX_BRP + ARM_MAX_WRP)
+
+ /* Virtual debug register bases. */
+ #define AARCH64_DBG_REG_BVR 0
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -85,7 +85,8 @@ static void ptrace_hbptriggered(struct p
+ break;
+ }
+ }
+- for (i = ARM_MAX_BRP; i < ARM_MAX_HBP_SLOTS && !bp; ++i) {
++
++ for (i = 0; i < ARM_MAX_WRP; ++i) {
+ if (current->thread.debug.hbp_watch[i] == bp) {
+ info.si_errno = -((i << 1) + 1);
+ break;
--- /dev/null
+From e15693ef18e13e3e6bffe891fe140f18b8ff6d07 Mon Sep 17 00:00:00 2001
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Date: Tue, 26 Aug 2014 20:56:36 +0900
+Subject: cfq-iosched: Fix wrong children_weight calculation
+
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+
+commit e15693ef18e13e3e6bffe891fe140f18b8ff6d07 upstream.
+
+cfq_group_service_tree_add() is applying new_weight at the beginning of
+the function via cfq_update_group_weight().
+This actually allows weight to change between adding it to and subtracting
+it from children_weight, and triggers WARN_ON_ONCE() in
+cfq_group_service_tree_del(), or even causes oops by divide error during
+vfr calculation in cfq_group_service_tree_add().
+
+The detailed scenario is as follows:
+1. Create blkio cgroups X and Y as a child of X.
+ Set X's weight to 500 and perform some I/O to apply new_weight.
+ This X's I/O completes before starting Y's I/O.
+2. Y starts I/O and cfq_group_service_tree_add() is called with Y.
+3. cfq_group_service_tree_add() walks up the tree during children_weight
+ calculation and adds parent X's weight (500) to children_weight of root.
+ children_weight becomes 500.
+4. Set X's weight to 1000.
+5. X starts I/O and cfq_group_service_tree_add() is called with X.
+6. cfq_group_service_tree_add() applies its new_weight (1000).
+7. I/O of Y completes and cfq_group_service_tree_del() is called with Y.
+8. I/O of X completes and cfq_group_service_tree_del() is called with X.
+9. cfq_group_service_tree_del() subtracts X's weight (1000) from
+ children_weight of root. children_weight becomes -500.
+ This triggers WARN_ON_ONCE().
+10. Set X's weight to 500.
+11. X starts I/O and cfq_group_service_tree_add() is called with X.
+12. cfq_group_service_tree_add() applies its new_weight (500) and adds it
+ to children_weight of root. children_weight becomes 0. Calcularion of
+ vfr triggers oops by divide error.
+
+weight should be updated right before adding it to children_weight.
+
+Reported-by: Ruki Sekiya <sekiya.ruki@lab.ntt.co.jp>
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Acked-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/cfq-iosched.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/block/cfq-iosched.c
++++ b/block/cfq-iosched.c
+@@ -1275,12 +1275,16 @@ __cfq_group_service_tree_add(struct cfq_
+ static void
+ cfq_update_group_weight(struct cfq_group *cfqg)
+ {
+- BUG_ON(!RB_EMPTY_NODE(&cfqg->rb_node));
+-
+ if (cfqg->new_weight) {
+ cfqg->weight = cfqg->new_weight;
+ cfqg->new_weight = 0;
+ }
++}
++
++static void
++cfq_update_group_leaf_weight(struct cfq_group *cfqg)
++{
++ BUG_ON(!RB_EMPTY_NODE(&cfqg->rb_node));
+
+ if (cfqg->new_leaf_weight) {
+ cfqg->leaf_weight = cfqg->new_leaf_weight;
+@@ -1299,7 +1303,7 @@ cfq_group_service_tree_add(struct cfq_rb
+ /* add to the service tree */
+ BUG_ON(!RB_EMPTY_NODE(&cfqg->rb_node));
+
+- cfq_update_group_weight(cfqg);
++ cfq_update_group_leaf_weight(cfqg);
+ __cfq_group_service_tree_add(st, cfqg);
+
+ /*
+@@ -1323,6 +1327,7 @@ cfq_group_service_tree_add(struct cfq_rb
+ */
+ while ((parent = cfqg_parent(pos))) {
+ if (propagate) {
++ cfq_update_group_weight(pos);
+ propagate = !parent->nr_active++;
+ parent->children_weight += pos->weight;
+ }
i2c-rk3x-fix-divisor-calculation-for-scl-frequency.patch
i2c-ismt-use-correct-length-when-copy-buffer.patch
ftrace-use-current-addr-when-converting-to-nop-in-__ftrace_replace_code.patch
+trace-fix-epoll-hang-when-we-race-with-new-entries.patch
+arm64-ptrace-fix-compat-hardware-watchpoint-reporting.patch
+alsa-core-fix-buffer-overflow-in-snd_info_get_line.patch
+alsa-dice-fix-wrong-channel-mappping-at-higher-sampling-rate.patch
+alsa-firewire-lib-dice-add-arrangements-of-pcm-pointer-and-interrupts-for-dice-quirk.patch
+alsa-hda-fix-digital-mic-on-acer-aspire-3830tg.patch
+alsa-hda-fix-coef-setups-for-alc1150-codec.patch
+alsa-hda-fix-invalid-pin-powermap-without-jack-detection.patch
+alsa-hda-add-fixup-model-name-lookup-for-lemote-a1205.patch
+alsa-pcm-fix-fifo_size-frame-calculation.patch
+cfq-iosched-fix-wrong-children_weight-calculation.patch
--- /dev/null
+From 4ce97dbf50245227add17c83d87dc838e7ca79d0 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <jbacik@fb.com>
+Date: Mon, 25 Aug 2014 13:59:41 -0400
+Subject: trace: Fix epoll hang when we race with new entries
+
+From: Josef Bacik <jbacik@fb.com>
+
+commit 4ce97dbf50245227add17c83d87dc838e7ca79d0 upstream.
+
+Epoll on trace_pipe can sometimes hang in a weird case. If the ring buffer is
+empty when we set waiters_pending but an event shows up exactly at that moment
+we can miss being woken up by the ring buffers irq work. Since
+ring_buffer_empty() is inherently racey we will sometimes think that the buffer
+is not empty. So we don't get woken up and we don't think there are any events
+even though there were some ready when we added the watch, which makes us hang.
+This patch fixes this by making sure that we are actually on the wait list
+before we set waiters_pending, and add a memory barrier to make sure
+ring_buffer_empty() is going to be correct.
+
+Link: http://lkml.kernel.org/p/1408989581-23727-1-git-send-email-jbacik@fb.com
+
+Cc: Martin Lau <kafai@fb.com>
+Signed-off-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ring_buffer.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -626,8 +626,22 @@ int ring_buffer_poll_wait(struct ring_bu
+ work = &cpu_buffer->irq_work;
+ }
+
+- work->waiters_pending = true;
+ poll_wait(filp, &work->waiters, poll_table);
++ work->waiters_pending = true;
++ /*
++ * There's a tight race between setting the waiters_pending and
++ * checking if the ring buffer is empty. Once the waiters_pending bit
++ * is set, the next event will wake the task up, but we can get stuck
++ * if there's only a single event in.
++ *
++ * FIXME: Ideally, we need a memory barrier on the writer side as well,
++ * but adding a memory barrier to all events will cause too much of a
++ * performance hit in the fast path. We only need a memory barrier when
++ * the buffer goes from empty to having content. But as this race is
++ * extremely small, and it's not a problem if another event comes in, we
++ * will fix it later.
++ */
++ smp_mb();
+
+ if ((cpu == RING_BUFFER_ALL_CPUS && !ring_buffer_empty(buffer)) ||
+ (cpu != RING_BUFFER_ALL_CPUS && !ring_buffer_empty_cpu(buffer, cpu)))
projects / thirdparty / kernel / stable-queue.git / commitdiff
