From: Greg Kroah-Hartman Date: Wed, 1 Aug 2012 19:26:19 +0000 (-0700) Subject: 3.5-stable patches X-Git-Tag: v3.0.39~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a993e515a89a90531ec80d575c7dbd7c97d5d400;p=thirdparty%2Fkernel%2Fstable-queue.git 3.5-stable patches added patches: alsa-hda-add-dock-support-for-thinkpad-x230-tablet.patch batman-adv-fix-skb-data-assignment.patch locks-fix-checking-of-fcntl_setlease-argument.patch x86-mce-fix-siginfo_t-si_addr-value-for-non-recoverable-memory-faults.patch x86-microcode-sanitize-per-cpu-microcode-reloading-interface.patch --- diff --git a/queue-3.5/alsa-hda-add-dock-support-for-thinkpad-x230-tablet.patch b/queue-3.5/alsa-hda-add-dock-support-for-thinkpad-x230-tablet.patch new file mode 100644 index 00000000000..9da62a1c4b8 --- /dev/null +++ b/queue-3.5/alsa-hda-add-dock-support-for-thinkpad-x230-tablet.patch @@ -0,0 +1,103 @@ +From 108cc108a3bb42fe4705df1317ff98e1e29428a6 Mon Sep 17 00:00:00 2001 +From: David Henningsson +Date: Fri, 20 Jul 2012 10:37:25 +0200 +Subject: ALSA: hda - add dock support for Thinkpad X230 Tablet + +From: David Henningsson + +commit 108cc108a3bb42fe4705df1317ff98e1e29428a6 upstream. + +Also add a model/fixup string "lenovo-dock", so that other Thinkpad +users will be able to test this fixup easily, to see if it enables +dock I/O for them as well. + +BugLink: https://bugs.launchpad.net/bugs/1026953 +Tested-by: John McCarron +Signed-off-by: David Henningsson +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/sound/alsa/HD-Audio-Models.txt | 3 ++- + sound/pci/hda/patch_realtek.c | 27 +++++++++++++++++++++++++++ + 2 files changed, 29 insertions(+), 1 deletion(-) + +--- a/Documentation/sound/alsa/HD-Audio-Models.txt ++++ b/Documentation/sound/alsa/HD-Audio-Models.txt +@@ -21,10 +21,11 @@ ALC267/268 + ========== + N/A + +-ALC269 ++ALC269/270/275/276/280/282 + ====== + laptop-amic Laptops with analog-mic input + laptop-dmic Laptops with digital-mic input ++ lenovo-dock Enables docking station I/O for some Lenovos + + ALC662/663/272 + ============== +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5704,6 +5704,15 @@ static int alc269_resume(struct hda_code + } + #endif /* CONFIG_PM */ + ++static void alc269_fixup_pincfg_no_hp_to_lineout(struct hda_codec *codec, ++ const struct alc_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ if (action == ALC_FIXUP_ACT_PRE_PROBE) ++ spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP; ++} ++ + static void alc269_fixup_hweq(struct hda_codec *codec, + const struct alc_fixup *fix, int action) + { +@@ -5828,6 +5837,8 @@ enum { + ALC269VB_FIXUP_AMIC, + ALC269VB_FIXUP_DMIC, + ALC269_FIXUP_MIC2_MUTE_LED, ++ ALC269_FIXUP_LENOVO_DOCK, ++ ALC269_FIXUP_PINCFG_NO_HP_TO_LINEOUT, + }; + + static const struct alc_fixup alc269_fixups[] = { +@@ -5952,6 +5963,20 @@ static const struct alc_fixup alc269_fix + .type = ALC_FIXUP_FUNC, + .v.func = alc269_fixup_mic2_mute, + }, ++ [ALC269_FIXUP_LENOVO_DOCK] = { ++ .type = ALC_FIXUP_PINS, ++ .v.pins = (const struct alc_pincfg[]) { ++ { 0x19, 0x23a11040 }, /* dock mic */ ++ { 0x1b, 0x2121103f }, /* dock headphone */ ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_PINCFG_NO_HP_TO_LINEOUT ++ }, ++ [ALC269_FIXUP_PINCFG_NO_HP_TO_LINEOUT] = { ++ .type = ALC_FIXUP_FUNC, ++ .v.func = alc269_fixup_pincfg_no_hp_to_lineout, ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -5975,6 +6000,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x21b8, "Thinkpad Edge 14", ALC269_FIXUP_SKU_IGNORE), + SND_PCI_QUIRK(0x17aa, 0x21ca, "Thinkpad L412", ALC269_FIXUP_SKU_IGNORE), + SND_PCI_QUIRK(0x17aa, 0x21e9, "Thinkpad Edge 15", ALC269_FIXUP_SKU_IGNORE), ++ SND_PCI_QUIRK(0x17aa, 0x2203, "Thinkpad X230 Tablet", ALC269_FIXUP_LENOVO_DOCK), + SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_QUANTA_MUTE), + SND_PCI_QUIRK(0x17aa, 0x3bf8, "Lenovo Ideapd", ALC269_FIXUP_PCM_44K), + SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD), +@@ -6033,6 +6059,7 @@ static const struct snd_pci_quirk alc269 + static const struct alc_model_fixup alc269_fixup_models[] = { + {.id = ALC269_FIXUP_AMIC, .name = "laptop-amic"}, + {.id = ALC269_FIXUP_DMIC, .name = "laptop-dmic"}, ++ {.id = ALC269_FIXUP_LENOVO_DOCK, .name = "lenovo-dock"}, + {} + }; + diff --git a/queue-3.5/batman-adv-fix-skb-data-assignment.patch b/queue-3.5/batman-adv-fix-skb-data-assignment.patch new file mode 100644 index 00000000000..b7d1ee504a4 --- /dev/null +++ b/queue-3.5/batman-adv-fix-skb-data-assignment.patch @@ -0,0 +1,37 @@ +From d2b6cc8e460494251442a877fcbc150faa175b4f Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Thu, 14 Jun 2012 22:21:28 +0200 +Subject: batman-adv: fix skb->data assignment + +From: Antonio Quartulli + +commit d2b6cc8e460494251442a877fcbc150faa175b4f upstream. + +skb_linearize(skb) possibly rearranges the skb internal data and then changes +the skb->data pointer value. For this reason any other pointer in the code that +was assigned skb->data before invoking skb_linearise(skb) must be re-assigned. + +In the current tt_query message handling code this is not done and therefore, in +case of skb linearization, the pointer used to handle the packet header ends up +in pointing to poisoned memory. The packet is then dropped but the +translation-table mechanism is corrupted. + +Signed-off-by: Antonio Quartulli +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/routing.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/batman-adv/routing.c ++++ b/net/batman-adv/routing.c +@@ -626,6 +626,8 @@ int recv_tt_query(struct sk_buff *skb, s + if (unlikely(skb_headlen(skb) < + sizeof(struct tt_query_packet) + tt_len)) + goto out; ++ /* skb_linearize() possibly changed skb->data */ ++ tt_query = (struct tt_query_packet *)skb->data; + + handle_tt_response(bat_priv, tt_query); + } else { diff --git a/queue-3.5/locks-fix-checking-of-fcntl_setlease-argument.patch b/queue-3.5/locks-fix-checking-of-fcntl_setlease-argument.patch new file mode 100644 index 00000000000..be8d7f0ae2c --- /dev/null +++ b/queue-3.5/locks-fix-checking-of-fcntl_setlease-argument.patch @@ -0,0 +1,55 @@ +From 0ec4f431eb56d633da3a55da67d5c4b88886ccc7 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Mon, 23 Jul 2012 15:17:17 -0400 +Subject: locks: fix checking of fcntl_setlease argument + +From: "J. Bruce Fields" + +commit 0ec4f431eb56d633da3a55da67d5c4b88886ccc7 upstream. + +The only checks of the long argument passed to fcntl(fd,F_SETLEASE,.) +are done after converting the long to an int. Thus some illegal values +may be let through and cause problems in later code. + +[ They actually *don't* cause problems in mainline, as of Dave Jones's + commit 8d657eb3b438 "Remove easily user-triggerable BUG from + generic_setlease", but we should fix this anyway. And this patch will + be necessary to fix real bugs on earlier kernels. ] + +Signed-off-by: J. Bruce Fields +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/locks.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/locks.c ++++ b/fs/locks.c +@@ -308,7 +308,7 @@ static int flock_make_lock(struct file * + return 0; + } + +-static int assign_type(struct file_lock *fl, int type) ++static int assign_type(struct file_lock *fl, long type) + { + switch (type) { + case F_RDLCK: +@@ -445,7 +445,7 @@ static const struct lock_manager_operati + /* + * Initialize a lease, use the default lock manager operations + */ +-static int lease_init(struct file *filp, int type, struct file_lock *fl) ++static int lease_init(struct file *filp, long type, struct file_lock *fl) + { + if (assign_type(fl, type) != 0) + return -EINVAL; +@@ -463,7 +463,7 @@ static int lease_init(struct file *filp, + } + + /* Allocate a file_lock initialised to this type of lease */ +-static struct file_lock *lease_alloc(struct file *filp, int type) ++static struct file_lock *lease_alloc(struct file *filp, long type) + { + struct file_lock *fl = locks_alloc_lock(); + int error = -ENOMEM; diff --git a/queue-3.5/series b/queue-3.5/series index ec1beae68f7..38149711731 100644 --- a/queue-3.5/series +++ b/queue-3.5/series @@ -33,3 +33,8 @@ usb-disable-lpm-while-the-device-is-unconfigured.patch usb-fix-lpm-disable-enable-during-device-reset.patch usb-remove-unused-lpm-variable.patch usb-fix-lpm-disable-count-mismatch-on-driver-unbind.patch +alsa-hda-add-dock-support-for-thinkpad-x230-tablet.patch +x86-microcode-sanitize-per-cpu-microcode-reloading-interface.patch +x86-mce-fix-siginfo_t-si_addr-value-for-non-recoverable-memory-faults.patch +locks-fix-checking-of-fcntl_setlease-argument.patch +batman-adv-fix-skb-data-assignment.patch diff --git a/queue-3.5/x86-mce-fix-siginfo_t-si_addr-value-for-non-recoverable-memory-faults.patch b/queue-3.5/x86-mce-fix-siginfo_t-si_addr-value-for-non-recoverable-memory-faults.patch new file mode 100644 index 00000000000..3ed10ac10f9 --- /dev/null +++ b/queue-3.5/x86-mce-fix-siginfo_t-si_addr-value-for-non-recoverable-memory-faults.patch @@ -0,0 +1,115 @@ +From 6751ed65dc6642af64f7b8a440a75563c8aab7ae Mon Sep 17 00:00:00 2001 +From: Tony Luck +Date: Wed, 11 Jul 2012 10:20:47 -0700 +Subject: x86/mce: Fix siginfo_t->si_addr value for non-recoverable memory faults + +From: Tony Luck + +commit 6751ed65dc6642af64f7b8a440a75563c8aab7ae upstream. + +In commit dad1743e5993f1 ("x86/mce: Only restart instruction after machine +check recovery if it is safe") we fixed mce_notify_process() to force a +signal to the current process if it was not restartable (RIPV bit not +set in MCG_STATUS). But doing it here means that the process doesn't +get told the virtual address of the fault via siginfo_t->si_addr. This +would prevent application level recovery from the fault. + +Make a new MF_MUST_KILL flag bit for memory_failure() et al. to use so +that we will provide the right information with the signal. + +Signed-off-by: Tony Luck +Acked-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce.c | 6 ++++-- + include/linux/mm.h | 1 + + mm/memory-failure.c | 14 ++++++++------ + 3 files changed, 13 insertions(+), 8 deletions(-) + +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -1186,6 +1186,7 @@ void mce_notify_process(void) + { + unsigned long pfn; + struct mce_info *mi = mce_find_info(); ++ int flags = MF_ACTION_REQUIRED; + + if (!mi) + mce_panic("Lost physical address for unconsumed uncorrectable error", NULL, NULL); +@@ -1200,8 +1201,9 @@ void mce_notify_process(void) + * doomed. We still need to mark the page as poisoned and alert any + * other users of the page. + */ +- if (memory_failure(pfn, MCE_VECTOR, MF_ACTION_REQUIRED) < 0 || +- mi->restartable == 0) { ++ if (!mi->restartable) ++ flags |= MF_MUST_KILL; ++ if (memory_failure(pfn, MCE_VECTOR, flags) < 0) { + pr_err("Memory error not recovered"); + force_sig(SIGBUS, current); + } +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1591,6 +1591,7 @@ void vmemmap_populate_print_last(void); + enum mf_flags { + MF_COUNT_INCREASED = 1 << 0, + MF_ACTION_REQUIRED = 1 << 1, ++ MF_MUST_KILL = 1 << 2, + }; + extern int memory_failure(unsigned long pfn, int trapno, int flags); + extern void memory_failure_queue(unsigned long pfn, int trapno, int flags); +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -345,14 +345,14 @@ static void add_to_kill(struct task_stru + * Also when FAIL is set do a force kill because something went + * wrong earlier. + */ +-static void kill_procs(struct list_head *to_kill, int doit, int trapno, ++static void kill_procs(struct list_head *to_kill, int forcekill, int trapno, + int fail, struct page *page, unsigned long pfn, + int flags) + { + struct to_kill *tk, *next; + + list_for_each_entry_safe (tk, next, to_kill, nd) { +- if (doit) { ++ if (forcekill) { + /* + * In case something went wrong with munmapping + * make sure the process doesn't catch the +@@ -858,7 +858,7 @@ static int hwpoison_user_mappings(struct + struct address_space *mapping; + LIST_HEAD(tokill); + int ret; +- int kill = 1; ++ int kill = 1, forcekill; + struct page *hpage = compound_head(p); + struct page *ppage; + +@@ -888,7 +888,7 @@ static int hwpoison_user_mappings(struct + * be called inside page lock (it's recommended but not enforced). + */ + mapping = page_mapping(hpage); +- if (!PageDirty(hpage) && mapping && ++ if (!(flags & MF_MUST_KILL) && !PageDirty(hpage) && mapping && + mapping_cap_writeback_dirty(mapping)) { + if (page_mkclean(hpage)) { + SetPageDirty(hpage); +@@ -965,12 +965,14 @@ static int hwpoison_user_mappings(struct + * Now that the dirty bit has been propagated to the + * struct page and all unmaps done we can decide if + * killing is needed or not. Only kill when the page +- * was dirty, otherwise the tokill list is merely ++ * was dirty or the process is not restartable, ++ * otherwise the tokill list is merely + * freed. When there was a problem unmapping earlier + * use a more force-full uncatchable kill to prevent + * any accesses to the poisoned memory. + */ +- kill_procs(&tokill, !!PageDirty(ppage), trapno, ++ forcekill = PageDirty(ppage) || (flags & MF_MUST_KILL); ++ kill_procs(&tokill, forcekill, trapno, + ret != SWAP_SUCCESS, p, pfn, flags); + + return ret; diff --git a/queue-3.5/x86-microcode-sanitize-per-cpu-microcode-reloading-interface.patch b/queue-3.5/x86-microcode-sanitize-per-cpu-microcode-reloading-interface.patch new file mode 100644 index 00000000000..36f6c82f2f0 --- /dev/null +++ b/queue-3.5/x86-microcode-sanitize-per-cpu-microcode-reloading-interface.patch @@ -0,0 +1,89 @@ +From c9fc3f778a6a215ace14ee556067c73982b6d40f Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Thu, 21 Jun 2012 14:07:16 +0200 +Subject: x86, microcode: Sanitize per-cpu microcode reloading interface + +From: Borislav Petkov + +commit c9fc3f778a6a215ace14ee556067c73982b6d40f upstream. + +Microcode reloading in a per-core manner is a very bad idea for both +major x86 vendors. And the thing is, we have such interface with which +we can end up with different microcode versions applied on different +cores of an otherwise homogeneous wrt (family,model,stepping) system. + +So turn off the possibility of doing that per core and allow it only +system-wide. + +This is a minimal fix which we'd like to see in stable too thus the +more-or-less arbitrary decision to allow system-wide reloading only on +the BSP: + +$ echo 1 > /sys/devices/system/cpu/cpu0/microcode/reload +... + +and disable the interface on the other cores: + +$ echo 1 > /sys/devices/system/cpu/cpu23/microcode/reload +-bash: echo: write error: Invalid argument + +Also, allowing the reload only from one CPU (the BSP in +that case) doesn't allow the reload procedure to degenerate +into an O(n^2) deal when triggering reloads from all +/sys/devices/system/cpu/cpuX/microcode/reload sysfs nodes +simultaneously. + +A more generic fix will follow. + +Cc: Henrique de Moraes Holschuh +Cc: Peter Zijlstra +Signed-off-by: Borislav Petkov +Link: http://lkml.kernel.org/r/1340280437-7718-2-git-send-email-bp@amd64.org +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/microcode_core.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +--- a/arch/x86/kernel/microcode_core.c ++++ b/arch/x86/kernel/microcode_core.c +@@ -298,19 +298,31 @@ static ssize_t reload_store(struct devic + const char *buf, size_t size) + { + unsigned long val; +- int cpu = dev->id; +- ssize_t ret = 0; ++ int cpu; ++ ssize_t ret = 0, tmp_ret; ++ ++ /* allow reload only from the BSP */ ++ if (boot_cpu_data.cpu_index != dev->id) ++ return -EINVAL; + + ret = kstrtoul(buf, 0, &val); + if (ret) + return ret; + +- if (val == 1) { +- get_online_cpus(); +- if (cpu_online(cpu)) +- ret = reload_for_cpu(cpu); +- put_online_cpus(); ++ if (val != 1) ++ return size; ++ ++ get_online_cpus(); ++ for_each_online_cpu(cpu) { ++ tmp_ret = reload_for_cpu(cpu); ++ if (tmp_ret != 0) ++ pr_warn("Error reloading microcode on CPU %d\n", cpu); ++ ++ /* save retval of the first encountered reload error */ ++ if (!ret) ++ ret = tmp_ret; + } ++ put_online_cpus(); + + if (!ret) + ret = size;