From: Greg Kroah-Hartman Date: Sun, 14 Oct 2012 11:25:05 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.47~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e7e324e4bf06978de073e19b3b74fa4330b6cd8d;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: acpi-ec-add-a-quirk-for-clevo-m720t-m730t-laptop.patch acpi-ec-make-the-gpe-storm-threshold-a-module-parameter.patch alsa-hda-do-not-detect-jack-on-internal-speakers-for-realtek.patch alsa-hda-fix-memory-leaks-at-error-path-in-patch_cirrus.c.patch mips-kgdb-fix-recursive-page-fault-with-config_kprobes.patch tmpfs-ceph-gfs2-isofs-reiserfs-xfs-fix-fh_len-checking.patch --- diff --git a/queue-3.4/acpi-ec-add-a-quirk-for-clevo-m720t-m730t-laptop.patch b/queue-3.4/acpi-ec-add-a-quirk-for-clevo-m720t-m730t-laptop.patch new file mode 100644 index 00000000000..234f88bd6d3 --- /dev/null +++ b/queue-3.4/acpi-ec-add-a-quirk-for-clevo-m720t-m730t-laptop.patch @@ -0,0 +1,58 @@ +From 67bfa9b60bd689601554526d144b21d529f78a09 Mon Sep 17 00:00:00 2001 +From: Feng Tang +Date: Fri, 28 Sep 2012 15:22:01 +0800 +Subject: ACPI: EC: Add a quirk for CLEVO M720T/M730T laptop + +From: Feng Tang + +commit 67bfa9b60bd689601554526d144b21d529f78a09 upstream. + +By enlarging the GPE storm threshold back to 20, that laptop's +EC works fine with interrupt mode instead of polling mode. + +https://bugzilla.kernel.org/show_bug.cgi?id=45151 + +Reported-and-Tested-by: Francesco +Signed-off-by: Feng Tang +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/ec.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -930,6 +930,17 @@ static int ec_flag_msi(const struct dmi_ + return 0; + } + ++/* ++ * Clevo M720 notebook actually works ok with IRQ mode, if we lifted ++ * the GPE storm threshold back to 20 ++ */ ++static int ec_enlarge_storm_threshold(const struct dmi_system_id *id) ++{ ++ pr_debug("Setting the EC GPE storm threshold to 20\n"); ++ ec_storm_threshold = 20; ++ return 0; ++} ++ + static struct dmi_system_id __initdata ec_dmi_table[] = { + { + ec_skip_dsdt_scan, "Compal JFL92", { +@@ -961,10 +972,13 @@ static struct dmi_system_id __initdata e + { + ec_validate_ecdt, "ASUS hardware", { + DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer Inc.") }, NULL}, ++ { ++ ec_enlarge_storm_threshold, "CLEVO hardware", { ++ DMI_MATCH(DMI_SYS_VENDOR, "CLEVO Co."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "M720T/M730T"),}, NULL}, + {}, + }; + +- + int __init acpi_ec_ecdt_probe(void) + { + acpi_status status; diff --git a/queue-3.4/acpi-ec-make-the-gpe-storm-threshold-a-module-parameter.patch b/queue-3.4/acpi-ec-make-the-gpe-storm-threshold-a-module-parameter.patch new file mode 100644 index 00000000000..825f1e9ac6e --- /dev/null +++ b/queue-3.4/acpi-ec-make-the-gpe-storm-threshold-a-module-parameter.patch @@ -0,0 +1,74 @@ +From a520d52e99b14ba7db135e916348f12f2a6e09be Mon Sep 17 00:00:00 2001 +From: Feng Tang +Date: Fri, 28 Sep 2012 15:22:00 +0800 +Subject: ACPI: EC: Make the GPE storm threshold a module parameter + +From: Feng Tang + +commit a520d52e99b14ba7db135e916348f12f2a6e09be upstream. + +The Linux EC driver includes a mechanism to detect GPE storms, +and switch from interrupt-mode to polling mode. However, polling +mode sometimes doesn't work, so the workaround is problematic. +Also, different systems seem to need the threshold for detecting +the GPE storm at different levels. + +ACPI_EC_STORM_THRESHOLD was initially 20 when it's created, and +was changed to 8 in 2.6.28 commit 06cf7d3c7 "ACPI: EC: lower interrupt storm +threshold" to fix kernel bug 11892 by forcing the laptop in that bug to +work in polling mode. However in bug 45151, it works fine in interrupt +mode if we lift the threshold back to 20. + +This patch makes the threshold a module parameter so that user has a +flexible option to debug/workaround this issue. + +The default is unchanged. + +This is also a preparation patch to fix specific systems: + https://bugzilla.kernel.org/show_bug.cgi?id=45151 + +Signed-off-by: Feng Tang +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/ec.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -71,9 +71,6 @@ enum ec_command { + #define ACPI_EC_UDELAY_GLK 1000 /* Wait 1ms max. to get global lock */ + #define ACPI_EC_MSI_UDELAY 550 /* Wait 550us for MSI EC */ + +-#define ACPI_EC_STORM_THRESHOLD 8 /* number of false interrupts +- per one transaction */ +- + enum { + EC_FLAGS_QUERY_PENDING, /* Query is pending */ + EC_FLAGS_GPE_STORM, /* GPE storm detected */ +@@ -87,6 +84,15 @@ static unsigned int ec_delay __read_most + module_param(ec_delay, uint, 0644); + MODULE_PARM_DESC(ec_delay, "Timeout(ms) waited until an EC command completes"); + ++/* ++ * If the number of false interrupts per one transaction exceeds ++ * this threshold, will think there is a GPE storm happened and ++ * will disable the GPE for normal transaction. ++ */ ++static unsigned int ec_storm_threshold __read_mostly = 8; ++module_param(ec_storm_threshold, uint, 0644); ++MODULE_PARM_DESC(ec_storm_threshold, "Maxim false GPE numbers not considered as GPE storm"); ++ + /* If we find an EC via the ECDT, we need to keep a ptr to its context */ + /* External interfaces use first EC only, so remember */ + typedef int (*acpi_ec_query_func) (void *data); +@@ -319,7 +325,7 @@ static int acpi_ec_transaction(struct ac + msleep(1); + /* It is safe to enable the GPE outside of the transaction. */ + acpi_enable_gpe(NULL, ec->gpe); +- } else if (t->irq_count > ACPI_EC_STORM_THRESHOLD) { ++ } else if (t->irq_count > ec_storm_threshold) { + pr_info(PREFIX "GPE storm detected, " + "transactions will use polling mode\n"); + set_bit(EC_FLAGS_GPE_STORM, &ec->flags); diff --git a/queue-3.4/alsa-hda-do-not-detect-jack-on-internal-speakers-for-realtek.patch b/queue-3.4/alsa-hda-do-not-detect-jack-on-internal-speakers-for-realtek.patch new file mode 100644 index 00000000000..e5859074631 --- /dev/null +++ b/queue-3.4/alsa-hda-do-not-detect-jack-on-internal-speakers-for-realtek.patch @@ -0,0 +1,33 @@ +From f7f4b2322bf7b8c5929b7eb5a667091f32592580 Mon Sep 17 00:00:00 2001 +From: David Henningsson +Date: Wed, 10 Oct 2012 16:32:09 +0200 +Subject: ALSA: hda - do not detect jack on internal speakers for Realtek + +From: David Henningsson + +commit f7f4b2322bf7b8c5929b7eb5a667091f32592580 upstream. + +This caused the internal speaker to mute itself because it was +present, which happened after powersave. +It was found on Dell XPS 15 (L502x), ALC665. + +Reported-by: Da Fox +Signed-off-by: David Henningsson +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -602,6 +602,8 @@ static void alc_line_automute(struct hda + { + struct alc_spec *spec = codec->spec; + ++ if (spec->autocfg.line_out_type == AUTO_PIN_SPEAKER_OUT) ++ return; + /* check LO jack only when it's different from HP */ + if (spec->autocfg.line_out_pins[0] == spec->autocfg.hp_pins[0]) + return; diff --git a/queue-3.4/alsa-hda-fix-memory-leaks-at-error-path-in-patch_cirrus.c.patch b/queue-3.4/alsa-hda-fix-memory-leaks-at-error-path-in-patch_cirrus.c.patch new file mode 100644 index 00000000000..7bcf34e90e1 --- /dev/null +++ b/queue-3.4/alsa-hda-fix-memory-leaks-at-error-path-in-patch_cirrus.c.patch @@ -0,0 +1,47 @@ +From c5e0b6dbad9b4d18c561af90b384d02373f1c994 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 10 Oct 2012 08:50:35 +0200 +Subject: ALSA: hda - Fix memory leaks at error path in patch_cirrus.c + +From: Takashi Iwai + +commit c5e0b6dbad9b4d18c561af90b384d02373f1c994 upstream. + +The proper destructor should be called at the error path. + +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_cirrus.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/pci/hda/patch_cirrus.c ++++ b/sound/pci/hda/patch_cirrus.c +@@ -1427,7 +1427,7 @@ static int patch_cs420x(struct hda_codec + return 0; + + error: +- kfree(codec->spec); ++ cs_free(codec); + codec->spec = NULL; + return err; + } +@@ -1984,7 +1984,7 @@ static int patch_cs4210(struct hda_codec + return 0; + + error: +- kfree(codec->spec); ++ cs_free(codec); + codec->spec = NULL; + return err; + } +@@ -2009,7 +2009,7 @@ static int patch_cs4213(struct hda_codec + return 0; + + error: +- kfree(codec->spec); ++ cs_free(codec); + codec->spec = NULL; + return err; + } diff --git a/queue-3.4/mips-kgdb-fix-recursive-page-fault-with-config_kprobes.patch b/queue-3.4/mips-kgdb-fix-recursive-page-fault-with-config_kprobes.patch new file mode 100644 index 00000000000..5eb1e52fbf0 --- /dev/null +++ b/queue-3.4/mips-kgdb-fix-recursive-page-fault-with-config_kprobes.patch @@ -0,0 +1,51 @@ +From f0a996eeeda214f4293e234df33b29bec003b536 Mon Sep 17 00:00:00 2001 +From: Jason Wessel +Date: Fri, 10 Aug 2012 12:21:15 -0500 +Subject: mips,kgdb: fix recursive page fault with CONFIG_KPROBES + +From: Jason Wessel + +commit f0a996eeeda214f4293e234df33b29bec003b536 upstream. + +This fault was detected using the kgdb test suite on boot and it +crashes recursively due to the fact that CONFIG_KPROBES on mips adds +an extra die notifier in the page fault handler. The crash signature +looks like this: + +kgdbts:RUN bad memory access test +KGDB: re-enter exception: ALL breakpoints killed +Call Trace: +[<807b7548>] dump_stack+0x20/0x54 +[<807b7548>] dump_stack+0x20/0x54 + +The fix for now is to have kgdb return immediately if the fault type +is DIE_PAGE_FAULT and allow the kprobe code to decide what is supposed +to happen. + +Cc: Masami Hiramatsu +Cc: David S. Miller +Signed-off-by: Jason Wessel +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/kgdb.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/arch/mips/kernel/kgdb.c ++++ b/arch/mips/kernel/kgdb.c +@@ -283,6 +283,15 @@ static int kgdb_mips_notify(struct notif + struct pt_regs *regs = args->regs; + int trap = (regs->cp0_cause & 0x7c) >> 2; + ++#ifdef CONFIG_KPROBES ++ /* ++ * Return immediately if the kprobes fault notifier has set ++ * DIE_PAGE_FAULT. ++ */ ++ if (cmd == DIE_PAGE_FAULT) ++ return NOTIFY_DONE; ++#endif /* CONFIG_KPROBES */ ++ + /* Userspace events, ignore. */ + if (user_mode(regs)) + return NOTIFY_DONE; diff --git a/queue-3.4/series b/queue-3.4/series index 4b8fdd6503f..fdca38e93e3 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -2,3 +2,9 @@ arm-vfp-fix-saving-d16-d31-vfp-registers-on-v6-kernels.patch nfsd4-fix-nfs4-stateid-leak.patch nfsd-pass-null-terminated-buf-to-kstrtouint.patch lockd-use-rpc-client-s-cl_nodename-for-id-encoding.patch +acpi-ec-make-the-gpe-storm-threshold-a-module-parameter.patch +acpi-ec-add-a-quirk-for-clevo-m720t-m730t-laptop.patch +alsa-hda-do-not-detect-jack-on-internal-speakers-for-realtek.patch +alsa-hda-fix-memory-leaks-at-error-path-in-patch_cirrus.c.patch +mips-kgdb-fix-recursive-page-fault-with-config_kprobes.patch +tmpfs-ceph-gfs2-isofs-reiserfs-xfs-fix-fh_len-checking.patch diff --git a/queue-3.4/tmpfs-ceph-gfs2-isofs-reiserfs-xfs-fix-fh_len-checking.patch b/queue-3.4/tmpfs-ceph-gfs2-isofs-reiserfs-xfs-fix-fh_len-checking.patch new file mode 100644 index 00000000000..21410034018 --- /dev/null +++ b/queue-3.4/tmpfs-ceph-gfs2-isofs-reiserfs-xfs-fix-fh_len-checking.patch @@ -0,0 +1,196 @@ +From 35c2a7f4908d404c9124c2efc6ada4640ca4d5d5 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Sun, 7 Oct 2012 20:32:51 -0700 +Subject: tmpfs,ceph,gfs2,isofs,reiserfs,xfs: fix fh_len checking + +From: Hugh Dickins + +commit 35c2a7f4908d404c9124c2efc6ada4640ca4d5d5 upstream. + +Fuzzing with trinity oopsed on the 1st instruction of shmem_fh_to_dentry(), + u64 inum = fid->raw[2]; +which is unhelpfully reported as at the end of shmem_alloc_inode(): + +BUG: unable to handle kernel paging request at ffff880061cd3000 +IP: [] shmem_alloc_inode+0x40/0x40 +Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC +Call Trace: + [] ? exportfs_decode_fh+0x79/0x2d0 + [] do_handle_open+0x163/0x2c0 + [] sys_open_by_handle_at+0xc/0x10 + [] tracesys+0xe1/0xe6 + +Right, tmpfs is being stupid to access fid->raw[2] before validating that +fh_len includes it: the buffer kmalloc'ed by do_sys_name_to_handle() may +fall at the end of a page, and the next page not be present. + +But some other filesystems (ceph, gfs2, isofs, reiserfs, xfs) are being +careless about fh_len too, in fh_to_dentry() and/or fh_to_parent(), and +could oops in the same way: add the missing fh_len checks to those. + +Reported-by: Sasha Levin +Signed-off-by: Hugh Dickins +Cc: Al Viro +Cc: Sage Weil +Cc: Steven Whitehouse +Cc: Christoph Hellwig +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/export.c | 18 ++++++++++++++---- + fs/gfs2/export.c | 4 ++++ + fs/isofs/export.c | 2 +- + fs/reiserfs/inode.c | 6 +++++- + fs/xfs/xfs_export.c | 3 +++ + mm/shmem.c | 6 ++++-- + 6 files changed, 31 insertions(+), 8 deletions(-) + +--- a/fs/ceph/export.c ++++ b/fs/ceph/export.c +@@ -89,7 +89,7 @@ static int ceph_encode_fh(struct dentry + * FIXME: we should try harder by querying the mds for the ino. + */ + static struct dentry *__fh_to_dentry(struct super_block *sb, +- struct ceph_nfs_fh *fh) ++ struct ceph_nfs_fh *fh, int fh_len) + { + struct ceph_mds_client *mdsc = ceph_sb_to_client(sb)->mdsc; + struct inode *inode; +@@ -97,6 +97,9 @@ static struct dentry *__fh_to_dentry(str + struct ceph_vino vino; + int err; + ++ if (fh_len < sizeof(*fh) / 4) ++ return ERR_PTR(-ESTALE); ++ + dout("__fh_to_dentry %llx\n", fh->ino); + vino.ino = fh->ino; + vino.snap = CEPH_NOSNAP; +@@ -140,7 +143,7 @@ static struct dentry *__fh_to_dentry(str + * convert connectable fh to dentry + */ + static struct dentry *__cfh_to_dentry(struct super_block *sb, +- struct ceph_nfs_confh *cfh) ++ struct ceph_nfs_confh *cfh, int fh_len) + { + struct ceph_mds_client *mdsc = ceph_sb_to_client(sb)->mdsc; + struct inode *inode; +@@ -148,6 +151,9 @@ static struct dentry *__cfh_to_dentry(st + struct ceph_vino vino; + int err; + ++ if (fh_len < sizeof(*cfh) / 4) ++ return ERR_PTR(-ESTALE); ++ + dout("__cfh_to_dentry %llx (%llx/%x)\n", + cfh->ino, cfh->parent_ino, cfh->parent_name_hash); + +@@ -197,9 +203,11 @@ static struct dentry *ceph_fh_to_dentry( + int fh_len, int fh_type) + { + if (fh_type == 1) +- return __fh_to_dentry(sb, (struct ceph_nfs_fh *)fid->raw); ++ return __fh_to_dentry(sb, (struct ceph_nfs_fh *)fid->raw, ++ fh_len); + else +- return __cfh_to_dentry(sb, (struct ceph_nfs_confh *)fid->raw); ++ return __cfh_to_dentry(sb, (struct ceph_nfs_confh *)fid->raw, ++ fh_len); + } + + /* +@@ -220,6 +228,8 @@ static struct dentry *ceph_fh_to_parent( + + if (fh_type == 1) + return ERR_PTR(-ESTALE); ++ if (fh_len < sizeof(*cfh) / 4) ++ return ERR_PTR(-ESTALE); + + pr_debug("fh_to_parent %llx/%d\n", cfh->parent_ino, + cfh->parent_name_hash); +--- a/fs/gfs2/export.c ++++ b/fs/gfs2/export.c +@@ -168,6 +168,8 @@ static struct dentry *gfs2_fh_to_dentry( + case GFS2_SMALL_FH_SIZE: + case GFS2_LARGE_FH_SIZE: + case GFS2_OLD_FH_SIZE: ++ if (fh_len < GFS2_SMALL_FH_SIZE) ++ return NULL; + this.no_formal_ino = ((u64)be32_to_cpu(fh[0])) << 32; + this.no_formal_ino |= be32_to_cpu(fh[1]); + this.no_addr = ((u64)be32_to_cpu(fh[2])) << 32; +@@ -187,6 +189,8 @@ static struct dentry *gfs2_fh_to_parent( + switch (fh_type) { + case GFS2_LARGE_FH_SIZE: + case GFS2_OLD_FH_SIZE: ++ if (fh_len < GFS2_LARGE_FH_SIZE) ++ return NULL; + parent.no_formal_ino = ((u64)be32_to_cpu(fh[4])) << 32; + parent.no_formal_ino |= be32_to_cpu(fh[5]); + parent.no_addr = ((u64)be32_to_cpu(fh[6])) << 32; +--- a/fs/isofs/export.c ++++ b/fs/isofs/export.c +@@ -179,7 +179,7 @@ static struct dentry *isofs_fh_to_parent + { + struct isofs_fid *ifid = (struct isofs_fid *)fid; + +- if (fh_type != 2) ++ if (fh_len < 2 || fh_type != 2) + return NULL; + + return isofs_export_iget(sb, +--- a/fs/reiserfs/inode.c ++++ b/fs/reiserfs/inode.c +@@ -1573,8 +1573,10 @@ struct dentry *reiserfs_fh_to_dentry(str + reiserfs_warning(sb, "reiserfs-13077", + "nfsd/reiserfs, fhtype=%d, len=%d - odd", + fh_type, fh_len); +- fh_type = 5; ++ fh_type = fh_len; + } ++ if (fh_len < 2) ++ return NULL; + + return reiserfs_get_dentry(sb, fid->raw[0], fid->raw[1], + (fh_type == 3 || fh_type >= 5) ? fid->raw[2] : 0); +@@ -1583,6 +1585,8 @@ struct dentry *reiserfs_fh_to_dentry(str + struct dentry *reiserfs_fh_to_parent(struct super_block *sb, struct fid *fid, + int fh_len, int fh_type) + { ++ if (fh_type > fh_len) ++ fh_type = fh_len; + if (fh_type < 4) + return NULL; + +--- a/fs/xfs/xfs_export.c ++++ b/fs/xfs/xfs_export.c +@@ -195,6 +195,9 @@ xfs_fs_fh_to_parent(struct super_block * + struct xfs_fid64 *fid64 = (struct xfs_fid64 *)fid; + struct inode *inode = NULL; + ++ if (fh_len < xfs_fileid_length(fileid_type)) ++ return NULL; ++ + switch (fileid_type) { + case FILEID_INO32_GEN_PARENT: + inode = xfs_nfs_get_inode(sb, fid->i32.parent_ino, +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2018,12 +2018,14 @@ static struct dentry *shmem_fh_to_dentry + { + struct inode *inode; + struct dentry *dentry = NULL; +- u64 inum = fid->raw[2]; +- inum = (inum << 32) | fid->raw[1]; ++ u64 inum; + + if (fh_len < 3) + return NULL; + ++ inum = fid->raw[2]; ++ inum = (inum << 32) | fid->raw[1]; ++ + inode = ilookup5(sb, (unsigned long)(inum + fid->raw[0]), + shmem_match, fid->raw); + if (inode) {