--- /dev/null
+From 86b62a2cb4fc09037bbce2959d2992962396fd7f Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Wed, 7 Mar 2012 05:16:35 +0000
+Subject: aio: fix io_setup/io_destroy race
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+commit 86b62a2cb4fc09037bbce2959d2992962396fd7f upstream.
+
+Have ioctx_alloc() return an extra reference, so that caller would drop it
+on success and not bother with re-grabbing it on failure exit. The current
+code is obviously broken - io_destroy() from another thread that managed
+to guess the address io_setup() would've returned would free ioctx right
+under us; gets especially interesting if aio_context_t * we pass to
+io_setup() points to PROT_READ mapping, so put_user() fails and we end
+up doing io_destroy() on kioctx another thread has just got freed...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/aio.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -273,7 +273,7 @@ static struct kioctx *ioctx_alloc(unsign
+ mm = ctx->mm = current->mm;
+ atomic_inc(&mm->mm_count);
+
+- atomic_set(&ctx->users, 1);
++ atomic_set(&ctx->users, 2);
+ spin_lock_init(&ctx->ctx_lock);
+ spin_lock_init(&ctx->ring_info.ring_lock);
+ init_waitqueue_head(&ctx->wait);
+@@ -1338,10 +1338,10 @@ SYSCALL_DEFINE2(io_setup, unsigned, nr_e
+ ret = PTR_ERR(ioctx);
+ if (!IS_ERR(ioctx)) {
+ ret = put_user(ioctx->user_id, ctxp);
+- if (!ret)
++ if (!ret) {
++ put_ioctx(ioctx);
+ return 0;
+-
+- get_ioctx(ioctx); /* io_destroy() expects us to hold a ref */
++ }
+ io_destroy(ioctx);
+ }
+
--- /dev/null
+From c7b285550544c22bc005ec20978472c9ac7138c6 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu, 8 Mar 2012 17:51:19 +0000
+Subject: aio: fix the "too late munmap()" race
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+commit c7b285550544c22bc005ec20978472c9ac7138c6 upstream.
+
+Current code has put_ioctx() called asynchronously from aio_fput_routine();
+that's done *after* we have killed the request that used to pin ioctx,
+so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
+from progressing. As the result, we can end up with async call of
+put_ioctx() being the last one and possibly happening during exit_mmap()
+or elf_core_dump(), neither of which expects stray munmap() being done
+to them...
+
+We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
+with that, but that's all we care about - neither io_destroy() nor
+exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
+does really_put_req(), so the ioctx teardown won't be done until then
+and we don't care about the contents of ioctx past that point.
+
+Since actual freeing of these suckers is RCU-delayed, we don't need to
+bump ioctx refcount when request goes into list for async removal.
+All we need is rcu_read_lock held just over the ->ctx_lock-protected
+area in aio_fput_routine().
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/aio.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -228,12 +228,6 @@ static void __put_ioctx(struct kioctx *c
+ call_rcu(&ctx->rcu_head, ctx_rcu_free);
+ }
+
+-static inline void get_ioctx(struct kioctx *kioctx)
+-{
+- BUG_ON(atomic_read(&kioctx->users) <= 0);
+- atomic_inc(&kioctx->users);
+-}
+-
+ static inline int try_get_ioctx(struct kioctx *kioctx)
+ {
+ return atomic_inc_not_zero(&kioctx->users);
+@@ -609,11 +603,16 @@ static void aio_fput_routine(struct work
+ fput(req->ki_filp);
+
+ /* Link the iocb into the context's free list */
++ rcu_read_lock();
+ spin_lock_irq(&ctx->ctx_lock);
+ really_put_req(ctx, req);
++ /*
++ * at that point ctx might've been killed, but actual
++ * freeing is RCU'd
++ */
+ spin_unlock_irq(&ctx->ctx_lock);
++ rcu_read_unlock();
+
+- put_ioctx(ctx);
+ spin_lock_irq(&fput_lock);
+ }
+ spin_unlock_irq(&fput_lock);
+@@ -644,7 +643,6 @@ static int __aio_put_req(struct kioctx *
+ * this function will be executed w/out any aio kthread wakeup.
+ */
+ if (unlikely(!fput_atomic(req->ki_filp))) {
+- get_ioctx(ctx);
+ spin_lock(&fput_lock);
+ list_add(&req->ki_list, &fput_head);
+ spin_unlock(&fput_lock);
--- /dev/null
+From 526af6eb4dc71302f59806e2ccac7793963a7fe0 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Wed, 7 Mar 2012 08:25:20 +0100
+Subject: ALSA: hda/realtek - Apply the coef-setup only to ALC269VB
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit 526af6eb4dc71302f59806e2ccac7793963a7fe0 upstream.
+
+The coef setup in alc269_fill_coef() was designed only for ALC269VB
+model, and this has some bad effects for other ALC269 variants, such
+as turning off the external mic input. Apply it only to ALC269VB.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -2063,12 +2063,16 @@ static int alc_build_controls(struct hda
+ */
+
+ static void alc_init_special_input_src(struct hda_codec *codec);
++static int alc269_fill_coef(struct hda_codec *codec);
+
+ static int alc_init(struct hda_codec *codec)
+ {
+ struct alc_spec *spec = codec->spec;
+ unsigned int i;
+
++ if (codec->vendor_id == 0x10ec0269)
++ alc269_fill_coef(codec);
++
+ alc_fix_pll(codec);
+ alc_auto_init_amp(codec, spec->init_amp);
+
+@@ -5110,8 +5114,12 @@ static const struct alc_model_fixup alc2
+
+ static int alc269_fill_coef(struct hda_codec *codec)
+ {
++ struct alc_spec *spec = codec->spec;
+ int val;
+
++ if (spec->codec_variant != ALC269_TYPE_ALC269VB)
++ return 0;
++
+ if ((alc_get_coef0(codec) & 0x00ff) < 0x015) {
+ alc_write_coef_idx(codec, 0xf, 0x960b);
+ alc_write_coef_idx(codec, 0xe, 0x8817);
--- /dev/null
+From b2ccf065f7b23147ed135a41b01d05a332ca6b7e Mon Sep 17 00:00:00 2001
+From: Denis 'GNUtoo' Carikli <GNUtoo@no-log.org>
+Date: Sun, 26 Feb 2012 19:21:54 +0100
+Subject: ASoC: neo1973: fix neo1973 wm8753 initialization
+
+From: Denis 'GNUtoo' Carikli <GNUtoo@no-log.org>
+
+commit b2ccf065f7b23147ed135a41b01d05a332ca6b7e upstream.
+
+The neo1973 driver had wrong codec name which prevented the "sound card"
+from appearing.
+
+Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@no-log.org>
+Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/samsung/neo1973_wm8753.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/samsung/neo1973_wm8753.c
++++ b/sound/soc/samsung/neo1973_wm8753.c
+@@ -421,7 +421,7 @@ static struct snd_soc_dai_link neo1973_d
+ .platform_name = "samsung-audio",
+ .cpu_dai_name = "s3c24xx-iis",
+ .codec_dai_name = "wm8753-hifi",
+- .codec_name = "wm8753-codec.0-001a",
++ .codec_name = "wm8753.0-001a",
+ .init = neo1973_wm8753_init,
+ .ops = &neo1973_hifi_ops,
+ },
+@@ -430,7 +430,7 @@ static struct snd_soc_dai_link neo1973_d
+ .stream_name = "Voice",
+ .cpu_dai_name = "dfbmcs320-pcm",
+ .codec_dai_name = "wm8753-voice",
+- .codec_name = "wm8753-codec.0-001a",
++ .codec_name = "wm8753.0-001a",
+ .ops = &neo1973_voice_ops,
+ },
+ };
--- /dev/null
+From 4949be16822e92a18ea0cc1616319926628092ee Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg@redhat.com>
+Date: Tue, 6 Mar 2012 13:41:49 -0500
+Subject: PCI: ignore pre-1.1 ASPM quirking when ASPM is disabled
+
+From: Matthew Garrett <mjg@redhat.com>
+
+commit 4949be16822e92a18ea0cc1616319926628092ee upstream.
+
+Right now we won't touch ASPM state if ASPM is disabled, except in the case
+where we find a device that appears to be too old to reliably support ASPM.
+Right now we'll clear it in that case, which is almost certainly the wrong
+thing to do. The easiest way around this is just to disable the blacklisting
+when ASPM is disabled.
+
+Signed-off-by: Matthew Garrett <mjg@redhat.com>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pcie/aspm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/pci/pcie/aspm.c
++++ b/drivers/pci/pcie/aspm.c
+@@ -500,6 +500,9 @@ static int pcie_aspm_sanity_check(struct
+ int pos;
+ u32 reg32;
+
++ if (aspm_disabled)
++ return 0;
++
+ /*
+ * Some functions in a slot might not all be PCIe functions,
+ * very strange. Disable ASPM for the whole slot
--- /dev/null
+asoc-neo1973-fix-neo1973-wm8753-initialization.patch
+alsa-hda-realtek-apply-the-coef-setup-only-to-alc269vb.patch
+aio-fix-io_setup-io_destroy-race.patch
+aio-fix-the-too-late-munmap-race.patch
+x86-derandom-delay_tsc-for-64-bit.patch
+pci-ignore-pre-1.1-aspm-quirking-when-aspm-is-disabled.patch
--- /dev/null
+From a7f4255f906f60f72e00aad2fb000939449ff32e Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri, 9 Mar 2012 20:55:10 +0100
+Subject: x86: Derandom delay_tsc for 64 bit
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit a7f4255f906f60f72e00aad2fb000939449ff32e upstream.
+
+Commit f0fbf0abc093 ("x86: integrate delay functions") converted
+delay_tsc() into a random delay generator for 64 bit. The reason is
+that it merged the mostly identical versions of delay_32.c and
+delay_64.c. Though the subtle difference of the result was:
+
+ static void delay_tsc(unsigned long loops)
+ {
+- unsigned bclock, now;
++ unsigned long bclock, now;
+
+Now the function uses rdtscl() which returns the lower 32bit of the
+TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
+bit this fails when the lower 32bit are close to wrap around when
+bclock is read, because the following check
+
+ if ((now - bclock) >= loops)
+ break;
+
+evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
+because the unsigned long (now - bclock) of these values results in
+0xffffffff00000001 which is definitely larger than the loops
+value. That explains Tvortkos observation:
+
+"Because I am seeing udelay(500) (_occasionally_) being short, and
+ that by delaying for some duration between 0us (yep) and 491us."
+
+Make those variables explicitely u32 again, so this works for both 32
+and 64 bit.
+
+Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/lib/delay.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/lib/delay.c
++++ b/arch/x86/lib/delay.c
+@@ -48,9 +48,9 @@ static void delay_loop(unsigned long loo
+ }
+
+ /* TSC based delay: */
+-static void delay_tsc(unsigned long loops)
++static void delay_tsc(unsigned long __loops)
+ {
+- unsigned long bclock, now;
++ u32 bclock, now, loops = __loops;
+ int cpu;
+
+ preempt_disable();
projects / thirdparty / kernel / stable-queue.git / commitdiff
