From: Greg Kroah-Hartman Date: Tue, 13 Mar 2012 17:25:47 +0000 (-0700) Subject: 3.2-stable patches X-Git-Tag: v3.0.25~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8bbd73888ee7cea8762e20f1dabddf6e7d9496ad;p=thirdparty%2Fkernel%2Fstable-queue.git 3.2-stable patches added patches: aio-fix-io_setup-io_destroy-race.patch aio-fix-the-too-late-munmap-race.patch alsa-hda-realtek-apply-the-coef-setup-only-to-alc269vb.patch asoc-neo1973-fix-neo1973-wm8753-initialization.patch pci-ignore-pre-1.1-aspm-quirking-when-aspm-is-disabled.patch x86-derandom-delay_tsc-for-64-bit.patch --- diff --git a/queue-3.2/aio-fix-io_setup-io_destroy-race.patch b/queue-3.2/aio-fix-io_setup-io_destroy-race.patch new file mode 100644 index 00000000000..d2c634241ba --- /dev/null +++ b/queue-3.2/aio-fix-io_setup-io_destroy-race.patch @@ -0,0 +1,52 @@ +From 86b62a2cb4fc09037bbce2959d2992962396fd7f Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Wed, 7 Mar 2012 05:16:35 +0000 +Subject: aio: fix io_setup/io_destroy race + +From: Al Viro + +commit 86b62a2cb4fc09037bbce2959d2992962396fd7f upstream. + +Have ioctx_alloc() return an extra reference, so that caller would drop it +on success and not bother with re-grabbing it on failure exit. The current +code is obviously broken - io_destroy() from another thread that managed +to guess the address io_setup() would've returned would free ioctx right +under us; gets especially interesting if aio_context_t * we pass to +io_setup() points to PROT_READ mapping, so put_user() fails and we end +up doing io_destroy() on kioctx another thread has just got freed... + +Signed-off-by: Al Viro +Acked-by: Benjamin LaHaise +Reviewed-by: Jeff Moyer +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/aio.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -273,7 +273,7 @@ static struct kioctx *ioctx_alloc(unsign + mm = ctx->mm = current->mm; + atomic_inc(&mm->mm_count); + +- atomic_set(&ctx->users, 1); ++ atomic_set(&ctx->users, 2); + spin_lock_init(&ctx->ctx_lock); + spin_lock_init(&ctx->ring_info.ring_lock); + init_waitqueue_head(&ctx->wait); +@@ -1338,10 +1338,10 @@ SYSCALL_DEFINE2(io_setup, unsigned, nr_e + ret = PTR_ERR(ioctx); + if (!IS_ERR(ioctx)) { + ret = put_user(ioctx->user_id, ctxp); +- if (!ret) ++ if (!ret) { ++ put_ioctx(ioctx); + return 0; +- +- get_ioctx(ioctx); /* io_destroy() expects us to hold a ref */ ++ } + io_destroy(ioctx); + } + diff --git a/queue-3.2/aio-fix-the-too-late-munmap-race.patch b/queue-3.2/aio-fix-the-too-late-munmap-race.patch new file mode 100644 index 00000000000..29f52679160 --- /dev/null +++ b/queue-3.2/aio-fix-the-too-late-munmap-race.patch @@ -0,0 +1,79 @@ +From c7b285550544c22bc005ec20978472c9ac7138c6 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 8 Mar 2012 17:51:19 +0000 +Subject: aio: fix the "too late munmap()" race + +From: Al Viro + +commit c7b285550544c22bc005ec20978472c9ac7138c6 upstream. + +Current code has put_ioctx() called asynchronously from aio_fput_routine(); +that's done *after* we have killed the request that used to pin ioctx, +so there's nothing to stop io_destroy() waiting in wait_for_all_aios() +from progressing. As the result, we can end up with async call of +put_ioctx() being the last one and possibly happening during exit_mmap() +or elf_core_dump(), neither of which expects stray munmap() being done +to them... + +We do need to prevent _freeing_ ioctx until aio_fput_routine() is done +with that, but that's all we care about - neither io_destroy() nor +exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() +does really_put_req(), so the ioctx teardown won't be done until then +and we don't care about the contents of ioctx past that point. + +Since actual freeing of these suckers is RCU-delayed, we don't need to +bump ioctx refcount when request goes into list for async removal. +All we need is rcu_read_lock held just over the ->ctx_lock-protected +area in aio_fput_routine(). + +Signed-off-by: Al Viro +Reviewed-by: Jeff Moyer +Acked-by: Benjamin LaHaise +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/aio.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -228,12 +228,6 @@ static void __put_ioctx(struct kioctx *c + call_rcu(&ctx->rcu_head, ctx_rcu_free); + } + +-static inline void get_ioctx(struct kioctx *kioctx) +-{ +- BUG_ON(atomic_read(&kioctx->users) <= 0); +- atomic_inc(&kioctx->users); +-} +- + static inline int try_get_ioctx(struct kioctx *kioctx) + { + return atomic_inc_not_zero(&kioctx->users); +@@ -609,11 +603,16 @@ static void aio_fput_routine(struct work + fput(req->ki_filp); + + /* Link the iocb into the context's free list */ ++ rcu_read_lock(); + spin_lock_irq(&ctx->ctx_lock); + really_put_req(ctx, req); ++ /* ++ * at that point ctx might've been killed, but actual ++ * freeing is RCU'd ++ */ + spin_unlock_irq(&ctx->ctx_lock); ++ rcu_read_unlock(); + +- put_ioctx(ctx); + spin_lock_irq(&fput_lock); + } + spin_unlock_irq(&fput_lock); +@@ -644,7 +643,6 @@ static int __aio_put_req(struct kioctx * + * this function will be executed w/out any aio kthread wakeup. + */ + if (unlikely(!fput_atomic(req->ki_filp))) { +- get_ioctx(ctx); + spin_lock(&fput_lock); + list_add(&req->ki_list, &fput_head); + spin_unlock(&fput_lock); diff --git a/queue-3.2/alsa-hda-realtek-apply-the-coef-setup-only-to-alc269vb.patch b/queue-3.2/alsa-hda-realtek-apply-the-coef-setup-only-to-alc269vb.patch new file mode 100644 index 00000000000..c190e73f677 --- /dev/null +++ b/queue-3.2/alsa-hda-realtek-apply-the-coef-setup-only-to-alc269vb.patch @@ -0,0 +1,53 @@ +From 526af6eb4dc71302f59806e2ccac7793963a7fe0 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Wed, 7 Mar 2012 08:25:20 +0100 +Subject: ALSA: hda/realtek - Apply the coef-setup only to ALC269VB + +From: Kailang Yang + +commit 526af6eb4dc71302f59806e2ccac7793963a7fe0 upstream. + +The coef setup in alc269_fill_coef() was designed only for ALC269VB +model, and this has some bad effects for other ALC269 variants, such +as turning off the external mic input. Apply it only to ALC269VB. + +Signed-off-by: Kailang Yang +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2063,12 +2063,16 @@ static int alc_build_controls(struct hda + */ + + static void alc_init_special_input_src(struct hda_codec *codec); ++static int alc269_fill_coef(struct hda_codec *codec); + + static int alc_init(struct hda_codec *codec) + { + struct alc_spec *spec = codec->spec; + unsigned int i; + ++ if (codec->vendor_id == 0x10ec0269) ++ alc269_fill_coef(codec); ++ + alc_fix_pll(codec); + alc_auto_init_amp(codec, spec->init_amp); + +@@ -5110,8 +5114,12 @@ static const struct alc_model_fixup alc2 + + static int alc269_fill_coef(struct hda_codec *codec) + { ++ struct alc_spec *spec = codec->spec; + int val; + ++ if (spec->codec_variant != ALC269_TYPE_ALC269VB) ++ return 0; ++ + if ((alc_get_coef0(codec) & 0x00ff) < 0x015) { + alc_write_coef_idx(codec, 0xf, 0x960b); + alc_write_coef_idx(codec, 0xe, 0x8817); diff --git a/queue-3.2/asoc-neo1973-fix-neo1973-wm8753-initialization.patch b/queue-3.2/asoc-neo1973-fix-neo1973-wm8753-initialization.patch new file mode 100644 index 00000000000..625a195735e --- /dev/null +++ b/queue-3.2/asoc-neo1973-fix-neo1973-wm8753-initialization.patch @@ -0,0 +1,40 @@ +From b2ccf065f7b23147ed135a41b01d05a332ca6b7e Mon Sep 17 00:00:00 2001 +From: Denis 'GNUtoo' Carikli +Date: Sun, 26 Feb 2012 19:21:54 +0100 +Subject: ASoC: neo1973: fix neo1973 wm8753 initialization + +From: Denis 'GNUtoo' Carikli + +commit b2ccf065f7b23147ed135a41b01d05a332ca6b7e upstream. + +The neo1973 driver had wrong codec name which prevented the "sound card" +from appearing. + +Signed-off-by: Denis 'GNUtoo' Carikli +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/samsung/neo1973_wm8753.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/samsung/neo1973_wm8753.c ++++ b/sound/soc/samsung/neo1973_wm8753.c +@@ -421,7 +421,7 @@ static struct snd_soc_dai_link neo1973_d + .platform_name = "samsung-audio", + .cpu_dai_name = "s3c24xx-iis", + .codec_dai_name = "wm8753-hifi", +- .codec_name = "wm8753-codec.0-001a", ++ .codec_name = "wm8753.0-001a", + .init = neo1973_wm8753_init, + .ops = &neo1973_hifi_ops, + }, +@@ -430,7 +430,7 @@ static struct snd_soc_dai_link neo1973_d + .stream_name = "Voice", + .cpu_dai_name = "dfbmcs320-pcm", + .codec_dai_name = "wm8753-voice", +- .codec_name = "wm8753-codec.0-001a", ++ .codec_name = "wm8753.0-001a", + .ops = &neo1973_voice_ops, + }, + }; diff --git a/queue-3.2/pci-ignore-pre-1.1-aspm-quirking-when-aspm-is-disabled.patch b/queue-3.2/pci-ignore-pre-1.1-aspm-quirking-when-aspm-is-disabled.patch new file mode 100644 index 00000000000..f82c5942836 --- /dev/null +++ b/queue-3.2/pci-ignore-pre-1.1-aspm-quirking-when-aspm-is-disabled.patch @@ -0,0 +1,35 @@ +From 4949be16822e92a18ea0cc1616319926628092ee Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Tue, 6 Mar 2012 13:41:49 -0500 +Subject: PCI: ignore pre-1.1 ASPM quirking when ASPM is disabled + +From: Matthew Garrett + +commit 4949be16822e92a18ea0cc1616319926628092ee upstream. + +Right now we won't touch ASPM state if ASPM is disabled, except in the case +where we find a device that appears to be too old to reliably support ASPM. +Right now we'll clear it in that case, which is almost certainly the wrong +thing to do. The easiest way around this is just to disable the blacklisting +when ASPM is disabled. + +Signed-off-by: Matthew Garrett +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pcie/aspm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -500,6 +500,9 @@ static int pcie_aspm_sanity_check(struct + int pos; + u32 reg32; + ++ if (aspm_disabled) ++ return 0; ++ + /* + * Some functions in a slot might not all be PCIe functions, + * very strange. Disable ASPM for the whole slot diff --git a/queue-3.2/series b/queue-3.2/series new file mode 100644 index 00000000000..c0f74d8d2dc --- /dev/null +++ b/queue-3.2/series @@ -0,0 +1,6 @@ +asoc-neo1973-fix-neo1973-wm8753-initialization.patch +alsa-hda-realtek-apply-the-coef-setup-only-to-alc269vb.patch +aio-fix-io_setup-io_destroy-race.patch +aio-fix-the-too-late-munmap-race.patch +x86-derandom-delay_tsc-for-64-bit.patch +pci-ignore-pre-1.1-aspm-quirking-when-aspm-is-disabled.patch diff --git a/queue-3.2/x86-derandom-delay_tsc-for-64-bit.patch b/queue-3.2/x86-derandom-delay_tsc-for-64-bit.patch new file mode 100644 index 00000000000..808487a40bf --- /dev/null +++ b/queue-3.2/x86-derandom-delay_tsc-for-64-bit.patch @@ -0,0 +1,61 @@ +From a7f4255f906f60f72e00aad2fb000939449ff32e Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Fri, 9 Mar 2012 20:55:10 +0100 +Subject: x86: Derandom delay_tsc for 64 bit + +From: Thomas Gleixner + +commit a7f4255f906f60f72e00aad2fb000939449ff32e upstream. + +Commit f0fbf0abc093 ("x86: integrate delay functions") converted +delay_tsc() into a random delay generator for 64 bit. The reason is +that it merged the mostly identical versions of delay_32.c and +delay_64.c. Though the subtle difference of the result was: + + static void delay_tsc(unsigned long loops) + { +- unsigned bclock, now; ++ unsigned long bclock, now; + +Now the function uses rdtscl() which returns the lower 32bit of the +TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 +bit this fails when the lower 32bit are close to wrap around when +bclock is read, because the following check + + if ((now - bclock) >= loops) + break; + +evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 +because the unsigned long (now - bclock) of these values results in +0xffffffff00000001 which is definitely larger than the loops +value. That explains Tvortkos observation: + +"Because I am seeing udelay(500) (_occasionally_) being short, and + that by delaying for some duration between 0us (yep) and 491us." + +Make those variables explicitely u32 again, so this works for both 32 +and 64 bit. + +Reported-by: Tvrtko Ursulin +Signed-off-by: Thomas Gleixner +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/lib/delay.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/lib/delay.c ++++ b/arch/x86/lib/delay.c +@@ -48,9 +48,9 @@ static void delay_loop(unsigned long loo + } + + /* TSC based delay: */ +-static void delay_tsc(unsigned long loops) ++static void delay_tsc(unsigned long __loops) + { +- unsigned long bclock, now; ++ u32 bclock, now, loops = __loops; + int cpu; + + preempt_disable();