From 6e4b42c7c2c9626a8ca6773352f82c8de24472f0 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 22 Feb 2012 13:36:47 -0800 Subject: [PATCH] 3.2-stable patches added patches: alsa-hda-fix-redundant-jack-creations-for-cx5051.patch mmc-core-check-for-zero-length-ioctl-data.patch nfsv4-ensure-we-throw-out-bad-delegation-stateids-on-nfs4err_bad_stateid.patch nfsv4-fix-an-oops-in-the-nfsv4-getacl-code.patch nfsv4-fix-server_scope-memory-leak.patch --- ...-redundant-jack-creations-for-cx5051.patch | 68 +++++++++ ...ore-check-for-zero-length-ioctl-data.patch | 135 ++++++++++++++++++ ...tion-stateids-on-nfs4err_bad_stateid.patch | 30 ++++ ...fix-an-oops-in-the-nfsv4-getacl-code.patch | 92 ++++++++++++ .../nfsv4-fix-server_scope-memory-leak.patch | 53 +++++++ queue-3.2/series | 5 + 6 files changed, 383 insertions(+) create mode 100644 queue-3.2/alsa-hda-fix-redundant-jack-creations-for-cx5051.patch create mode 100644 queue-3.2/mmc-core-check-for-zero-length-ioctl-data.patch create mode 100644 queue-3.2/nfsv4-ensure-we-throw-out-bad-delegation-stateids-on-nfs4err_bad_stateid.patch create mode 100644 queue-3.2/nfsv4-fix-an-oops-in-the-nfsv4-getacl-code.patch create mode 100644 queue-3.2/nfsv4-fix-server_scope-memory-leak.patch diff --git a/queue-3.2/alsa-hda-fix-redundant-jack-creations-for-cx5051.patch b/queue-3.2/alsa-hda-fix-redundant-jack-creations-for-cx5051.patch new file mode 100644 index 00000000000..78f7479657b --- /dev/null +++ b/queue-3.2/alsa-hda-fix-redundant-jack-creations-for-cx5051.patch @@ -0,0 +1,68 @@ +From tiwai@suse.de Wed Feb 22 13:27:25 2012 +From: Takashi Iwai +Date: Wed, 22 Feb 2012 17:02:38 +0100 +Subject: ALSA: hda - Fix redundant jack creations for cx5051 +To: stable@vger.kernel.org +Message-ID: + +From: Takashi Iwai + +[Note that since the patch isn't applicable (and unnecessary) to +3.3-rc, there is no corresponding upstream fix.] + +The cx5051 parser calls snd_hda_input_jack_add() in the init callback +to create and initialize the jack detection instances. Since the init +callback is called at each time when the device gets woken up after +suspend or power-saving mode, the duplicated instances are accumulated +at each call. This ends up with the kernel warnings with the too +large array size. + +The fix is simply to move the calls of snd_hda_input_jack_add() into +the parser section instead of the init callback. + +The fix is needed only up to 3.2 kernel, since the HD-audio jack layer +was redesigned in the 3.3 kernel. + +Reported-by: Russell King +Tested-by: Russell King +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -1899,6 +1899,10 @@ static void cxt5051_init_mic_port(struct + snd_hda_codec_write(codec, nid, 0, + AC_VERB_SET_UNSOLICITED_ENABLE, + AC_USRSP_EN | event); ++} ++ ++static void cxt5051_init_mic_jack(struct hda_codec *codec, hda_nid_t nid) ++{ + snd_hda_input_jack_add(codec, nid, SND_JACK_MICROPHONE, NULL); + snd_hda_input_jack_report(codec, nid); + } +@@ -1916,7 +1920,6 @@ static int cxt5051_init(struct hda_codec + struct conexant_spec *spec = codec->spec; + + conexant_init(codec); +- conexant_init_jacks(codec); + + if (spec->auto_mic & AUTO_MIC_PORTB) + cxt5051_init_mic_port(codec, 0x17, CXT5051_PORTB_EVENT); +@@ -2037,6 +2040,12 @@ static int patch_cxt5051(struct hda_code + if (spec->beep_amp) + snd_hda_attach_beep_device(codec, spec->beep_amp); + ++ conexant_init_jacks(codec); ++ if (spec->auto_mic & AUTO_MIC_PORTB) ++ cxt5051_init_mic_jack(codec, 0x17); ++ if (spec->auto_mic & AUTO_MIC_PORTC) ++ cxt5051_init_mic_jack(codec, 0x18); ++ + return 0; + } + diff --git a/queue-3.2/mmc-core-check-for-zero-length-ioctl-data.patch b/queue-3.2/mmc-core-check-for-zero-length-ioctl-data.patch new file mode 100644 index 00000000000..308b6732247 --- /dev/null +++ b/queue-3.2/mmc-core-check-for-zero-length-ioctl-data.patch @@ -0,0 +1,135 @@ +From 4d6144de8ba263eb3691a737c547e5b2fdc45287 Mon Sep 17 00:00:00 2001 +From: Johan Rudholm +Date: Wed, 23 Nov 2011 09:05:58 +0100 +Subject: mmc: core: check for zero length ioctl data + +From: Johan Rudholm + +commit 4d6144de8ba263eb3691a737c547e5b2fdc45287 upstream. + +If the read or write buffer size associated with the command sent +through the mmc_blk_ioctl is zero, do not prepare data buffer. + +This enables a ioctl(2) call to for instance send a MMC_SWITCH to set +a byte in the ext_csd. + +Signed-off-by: Johan Rudholm +Signed-off-by: Chris Ball +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/card/block.c | 82 +++++++++++++++++++++++++---------------------- + 1 file changed, 45 insertions(+), 37 deletions(-) + +--- a/drivers/mmc/card/block.c ++++ b/drivers/mmc/card/block.c +@@ -266,6 +266,9 @@ static struct mmc_blk_ioc_data *mmc_blk_ + goto idata_err; + } + ++ if (!idata->buf_bytes) ++ return idata; ++ + idata->buf = kzalloc(idata->buf_bytes, GFP_KERNEL); + if (!idata->buf) { + err = -ENOMEM; +@@ -312,25 +315,6 @@ static int mmc_blk_ioctl_cmd(struct bloc + if (IS_ERR(idata)) + return PTR_ERR(idata); + +- cmd.opcode = idata->ic.opcode; +- cmd.arg = idata->ic.arg; +- cmd.flags = idata->ic.flags; +- +- data.sg = &sg; +- data.sg_len = 1; +- data.blksz = idata->ic.blksz; +- data.blocks = idata->ic.blocks; +- +- sg_init_one(data.sg, idata->buf, idata->buf_bytes); +- +- if (idata->ic.write_flag) +- data.flags = MMC_DATA_WRITE; +- else +- data.flags = MMC_DATA_READ; +- +- mrq.cmd = &cmd; +- mrq.data = &data; +- + md = mmc_blk_get(bdev->bd_disk); + if (!md) { + err = -EINVAL; +@@ -343,6 +327,48 @@ static int mmc_blk_ioctl_cmd(struct bloc + goto cmd_done; + } + ++ cmd.opcode = idata->ic.opcode; ++ cmd.arg = idata->ic.arg; ++ cmd.flags = idata->ic.flags; ++ ++ if (idata->buf_bytes) { ++ data.sg = &sg; ++ data.sg_len = 1; ++ data.blksz = idata->ic.blksz; ++ data.blocks = idata->ic.blocks; ++ ++ sg_init_one(data.sg, idata->buf, idata->buf_bytes); ++ ++ if (idata->ic.write_flag) ++ data.flags = MMC_DATA_WRITE; ++ else ++ data.flags = MMC_DATA_READ; ++ ++ /* data.flags must already be set before doing this. */ ++ mmc_set_data_timeout(&data, card); ++ ++ /* Allow overriding the timeout_ns for empirical tuning. */ ++ if (idata->ic.data_timeout_ns) ++ data.timeout_ns = idata->ic.data_timeout_ns; ++ ++ if ((cmd.flags & MMC_RSP_R1B) == MMC_RSP_R1B) { ++ /* ++ * Pretend this is a data transfer and rely on the ++ * host driver to compute timeout. When all host ++ * drivers support cmd.cmd_timeout for R1B, this ++ * can be changed to: ++ * ++ * mrq.data = NULL; ++ * cmd.cmd_timeout = idata->ic.cmd_timeout_ms; ++ */ ++ data.timeout_ns = idata->ic.cmd_timeout_ms * 1000000; ++ } ++ ++ mrq.data = &data; ++ } ++ ++ mrq.cmd = &cmd; ++ + mmc_claim_host(card->host); + + if (idata->ic.is_acmd) { +@@ -351,24 +377,6 @@ static int mmc_blk_ioctl_cmd(struct bloc + goto cmd_rel_host; + } + +- /* data.flags must already be set before doing this. */ +- mmc_set_data_timeout(&data, card); +- /* Allow overriding the timeout_ns for empirical tuning. */ +- if (idata->ic.data_timeout_ns) +- data.timeout_ns = idata->ic.data_timeout_ns; +- +- if ((cmd.flags & MMC_RSP_R1B) == MMC_RSP_R1B) { +- /* +- * Pretend this is a data transfer and rely on the host driver +- * to compute timeout. When all host drivers support +- * cmd.cmd_timeout for R1B, this can be changed to: +- * +- * mrq.data = NULL; +- * cmd.cmd_timeout = idata->ic.cmd_timeout_ms; +- */ +- data.timeout_ns = idata->ic.cmd_timeout_ms * 1000000; +- } +- + mmc_wait_for_req(card->host, &mrq); + + if (cmd.error) { diff --git a/queue-3.2/nfsv4-ensure-we-throw-out-bad-delegation-stateids-on-nfs4err_bad_stateid.patch b/queue-3.2/nfsv4-ensure-we-throw-out-bad-delegation-stateids-on-nfs4err_bad_stateid.patch new file mode 100644 index 00000000000..1466348abbc --- /dev/null +++ b/queue-3.2/nfsv4-ensure-we-throw-out-bad-delegation-stateids-on-nfs4err_bad_stateid.patch @@ -0,0 +1,30 @@ +From b9f9a03150969e4bd9967c20bce67c4de769058f Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 9 Feb 2012 15:31:36 -0500 +Subject: NFSv4: Ensure we throw out bad delegation stateids on NFS4ERR_BAD_STATEID + +From: Trond Myklebust + +commit b9f9a03150969e4bd9967c20bce67c4de769058f upstream. + +To ensure that we don't just reuse the bad delegation when we attempt to +recover the nfs4_state that received the bad stateid error. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4state.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1071,6 +1071,8 @@ void nfs4_schedule_stateid_recovery(cons + { + struct nfs_client *clp = server->nfs_client; + ++ if (test_and_clear_bit(NFS_DELEGATED_STATE, &state->flags)) ++ nfs_async_inode_return_delegation(state->inode, &state->stateid); + nfs4_state_mark_reclaim_nograce(clp, state); + nfs4_schedule_state_manager(clp); + } diff --git a/queue-3.2/nfsv4-fix-an-oops-in-the-nfsv4-getacl-code.patch b/queue-3.2/nfsv4-fix-an-oops-in-the-nfsv4-getacl-code.patch new file mode 100644 index 00000000000..102f2700087 --- /dev/null +++ b/queue-3.2/nfsv4-fix-an-oops-in-the-nfsv4-getacl-code.patch @@ -0,0 +1,92 @@ +From 331818f1c468a24e581aedcbe52af799366a9dfe Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Fri, 3 Feb 2012 18:30:53 -0500 +Subject: NFSv4: Fix an Oops in the NFSv4 getacl code + +From: Trond Myklebust + +commit 331818f1c468a24e581aedcbe52af799366a9dfe upstream. + +Commit bf118a342f10dafe44b14451a1392c3254629a1f (NFSv4: include bitmap +in nfsv4 get acl data) introduces the 'acl_scratch' page for the case +where we may need to decode multi-page data. However it fails to take +into account the fact that the variable may be NULL (for the case where +we're not doing multi-page decode), and it also attaches it to the +encoding xdr_stream rather than the decoding one. + +The immediate result is an Oops in nfs4_xdr_enc_getacl due to the +call to page_address() with a NULL page pointer. + +Signed-off-by: Trond Myklebust +Cc: Andy Adamson +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 8 ++++---- + fs/nfs/nfs4xdr.c | 5 ++++- + include/linux/nfs_xdr.h | 2 +- + 3 files changed, 9 insertions(+), 6 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3568,8 +3568,8 @@ static ssize_t __nfs4_get_acl_uncached(s + } + if (npages > 1) { + /* for decoding across pages */ +- args.acl_scratch = alloc_page(GFP_KERNEL); +- if (!args.acl_scratch) ++ res.acl_scratch = alloc_page(GFP_KERNEL); ++ if (!res.acl_scratch) + goto out_free; + } + args.acl_len = npages * PAGE_SIZE; +@@ -3605,8 +3605,8 @@ out_free: + for (i = 0; i < npages; i++) + if (pages[i]) + __free_page(pages[i]); +- if (args.acl_scratch) +- __free_page(args.acl_scratch); ++ if (res.acl_scratch) ++ __free_page(res.acl_scratch); + return ret; + } + +--- a/fs/nfs/nfs4xdr.c ++++ b/fs/nfs/nfs4xdr.c +@@ -2522,7 +2522,6 @@ static void nfs4_xdr_enc_getacl(struct r + + xdr_inline_pages(&req->rq_rcv_buf, replen << 2, + args->acl_pages, args->acl_pgbase, args->acl_len); +- xdr_set_scratch_buffer(xdr, page_address(args->acl_scratch), PAGE_SIZE); + + encode_nops(&hdr); + } +@@ -6034,6 +6033,10 @@ nfs4_xdr_dec_getacl(struct rpc_rqst *rqs + struct compound_hdr hdr; + int status; + ++ if (res->acl_scratch != NULL) { ++ void *p = page_address(res->acl_scratch); ++ xdr_set_scratch_buffer(xdr, p, PAGE_SIZE); ++ } + status = decode_compound_hdr(xdr, &hdr); + if (status) + goto out; +--- a/include/linux/nfs_xdr.h ++++ b/include/linux/nfs_xdr.h +@@ -602,7 +602,6 @@ struct nfs_getaclargs { + size_t acl_len; + unsigned int acl_pgbase; + struct page ** acl_pages; +- struct page * acl_scratch; + struct nfs4_sequence_args seq_args; + }; + +@@ -612,6 +611,7 @@ struct nfs_getaclres { + size_t acl_len; + size_t acl_data_offset; + int acl_flags; ++ struct page * acl_scratch; + struct nfs4_sequence_res seq_res; + }; + diff --git a/queue-3.2/nfsv4-fix-server_scope-memory-leak.patch b/queue-3.2/nfsv4-fix-server_scope-memory-leak.patch new file mode 100644 index 00000000000..8ad613d3bd2 --- /dev/null +++ b/queue-3.2/nfsv4-fix-server_scope-memory-leak.patch @@ -0,0 +1,53 @@ +From abe9a6d57b4544ac208401f9c0a4262814db2be4 Mon Sep 17 00:00:00 2001 +From: Weston Andros Adamson +Date: Thu, 16 Feb 2012 11:17:05 -0500 +Subject: NFSv4: fix server_scope memory leak + +From: Weston Andros Adamson + +commit abe9a6d57b4544ac208401f9c0a4262814db2be4 upstream. + +server_scope would never be freed if nfs4_check_cl_exchange_flags() returned +non-zero + +Signed-off-by: Weston Andros Adamson +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -4876,8 +4876,10 @@ int nfs4_proc_exchange_id(struct nfs_cli + clp->cl_rpcclient->cl_auth->au_flavor); + + res.server_scope = kzalloc(sizeof(struct server_scope), GFP_KERNEL); +- if (unlikely(!res.server_scope)) +- return -ENOMEM; ++ if (unlikely(!res.server_scope)) { ++ status = -ENOMEM; ++ goto out; ++ } + + status = rpc_call_sync(clp->cl_rpcclient, &msg, RPC_TASK_TIMEOUT); + if (!status) +@@ -4894,12 +4896,13 @@ int nfs4_proc_exchange_id(struct nfs_cli + clp->server_scope = NULL; + } + +- if (!clp->server_scope) ++ if (!clp->server_scope) { + clp->server_scope = res.server_scope; +- else +- kfree(res.server_scope); ++ goto out; ++ } + } +- ++ kfree(res.server_scope); ++out: + dprintk("<-- %s status= %d\n", __func__, status); + return status; + } diff --git a/queue-3.2/series b/queue-3.2/series index cc8368fd5f9..5a7109965a9 100644 --- a/queue-3.2/series +++ b/queue-3.2/series @@ -9,3 +9,8 @@ ecryptfs-copy-up-lower-inode-attrs-after-setting-lower-xattr.patch correct-ktime-to-tod-clock-comparator-conversion.patch vfs-fix-d_inode_lookup-dentry-ref-leak.patch arm-7326-2-pl330-fix-null-pointer-dereference-in-pl330_chan_ctrl.patch +alsa-hda-fix-redundant-jack-creations-for-cx5051.patch +mmc-core-check-for-zero-length-ioctl-data.patch +nfsv4-fix-an-oops-in-the-nfsv4-getacl-code.patch +nfsv4-ensure-we-throw-out-bad-delegation-stateids-on-nfs4err_bad_stateid.patch +nfsv4-fix-server_scope-memory-leak.patch -- 2.47.3