commit 01265a1d2e80c9e32b28a867241aad6535eed9f1
Author: Willy Tarreau <w@1wt.eu>
Date:   Wed Feb 9 22:15:44 2011 +0100

    Linux 2.6.27.58

commit 041f1a0d35e62f447e007f665e437a59e5945e77
Author: Tavis Ormandy <taviso@cmpxchg8b.com>
Date:   Thu Dec 9 15:29:42 2010 +0100

    install_special_mapping skips security_file_mmap check.
    
    commit 462e635e5b73ba9a4c03913b77138cd57ce4b050 upstream.
    
    The install_special_mapping routine (used, for example, to setup the
    vdso) skips the security check before insert_vm_struct, allowing a local
    attacker to bypass the mmap_min_addr security restriction by limiting
    the available pages for special mappings.
    
    bprm_mm_init() also skips the check, and although I don't think this can
    be used to bypass any restrictions, I don't see any reason not to have
    the security check.
    
      $ uname -m
      x86_64
      $ cat /proc/sys/vm/mmap_min_addr
      65536
      $ cat install_special_mapping.s
      section .bss
          resb BSS_SIZE
      section .text
          global _start
          _start:
              mov     eax, __NR_pause
              int     0x80
      $ nasm -D__NR_pause=29 -DBSS_SIZE=0xfffed000 -f elf -o install_special_mapping.o install_special_mapping.s
      $ ld -m elf_i386 -Ttext=0x10000 -Tbss=0x11000 -o install_special_mapping install_special_mapping.o
      $ ./install_special_mapping &
      [1] 14303
      $ cat /proc/14303/maps
      0000f000-00010000 r-xp 00000000 00:00 0                                  [vdso]
      00010000-00011000 r-xp 00001000 00:19 2453665                            /home/taviso/install_special_mapping
      00011000-ffffe000 rwxp 00000000 00:00 0                                  [stack]
    
    It's worth noting that Red Hat are shipping with mmap_min_addr set to
    4096.
    
    Signed-off-by: Tavis Ormandy <taviso@google.com>
    Acked-by: Kees Cook <kees@ubuntu.com>
    Acked-by: Robert Swiecki <swiecki@google.com>
    [ Changed to not drop the error code - akpm ]
    Reviewed-by: James Morris <jmorris@namei.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit ab42f1f2ba5bea8d266ed383438ad5652617b366
Author: Slava Pestov <slavapestov@google.com>
Date:   Wed Nov 24 15:13:16 2010 -0800

    tracing: Fix panic when lseek() called on "trace" opened for writing
    
    commit 364829b1263b44aa60383824e4c1289d83d78ca7 upstream.
    
    The file_ops struct for the "trace" special file defined llseek as seq_lseek().
    However, if the file was opened for writing only, seq_open() was not called,
    and the seek would dereference a null pointer, file->private_data.
    
    This patch introduces a new wrapper for seq_lseek() which checks if the file
    descriptor is opened for reading first. If not, it does nothing.
    
    Signed-off-by: Slava Pestov <slavapestov@google.com>
    LKML-Reference: <1290640396-24179-1-git-send-email-slavapestov@google.com>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    [wt: applied to tracing_lt_fops too /wt]
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit 19e91969bdb9e50973805dfaa7c0e9cd80ab6657
Author: H. Peter Anvin <hpa@linux.intel.com>
Date:   Mon Dec 13 16:01:38 2010 -0800

    x86, gcc-4.6: Use gcc -m options when building vdso
    
    commit de2a8cf98ecdde25231d6c5e7901e2cffaf32af9 upstream.
    
    The vdso Makefile passes linker-style -m options not to the linker but
    to gcc.  This happens to work with earlier gcc, but fails with gcc
    4.6.  Pass gcc-style -m options, instead.
    
    Note: all currently supported versions of gcc supports -m32, so there
    is no reason to conditionalize it any more.
    
    Reported-by: H. J. Lu <hjl.tools@gmail.com>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    LKML-Reference: <tip-*@git.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

commit 346ecec0ebc9c048df93f3b710716407120c8267
Author: NeilBrown <neilb@suse.de>
Date:   Tue Nov 16 16:55:19 2010 +1100

    sunrpc: prevent use-after-free on clearing XPT_BUSY
    
    commit ed2849d3ecfa339435818eeff28f6c3424300cec upstream.
    
    When an xprt is created, it has a refcount of 1, and XPT_BUSY is set.
    The refcount is *not* owned by the thread that created the xprt
    (as is clear from the fact that creators never put the reference).
    Rather, it is owned by the absence of XPT_DEAD.  Once XPT_DEAD is set,
    (And XPT_BUSY is clear) that initial reference is dropped and the xprt
    can be freed.
    
    So when a creator clears XPT_BUSY it is dropping its only reference and
    so must not touch the xprt again.
    
    However svc_recv, after calling ->xpo_accept (and so getting an XPT_BUSY
    reference on a new xprt), calls svc_xprt_recieved.  This clears
    XPT_BUSY and then svc_xprt_enqueue - this last without owning a reference.
    This is dangerous and has been seen to leave svc_xprt_enqueue working
    with an xprt containing garbage.
    
    So we need to hold an extra counted reference over that call to
    svc_xprt_received.
    
    For safety, any time we clear XPT_BUSY and then use the xprt again, we
    first get a reference, and the put it again afterwards.
    
    Note that svc_close_all does not need this extra protection as there are
    no threads running, and the final free can only be called asynchronously
    from such a thread.
    
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit 446f4ee822fd7c7979917fb118abead424da7952
Author: Dan Rosenberg <drosenberg@vsecurity.com>
Date:   Sat Dec 25 16:23:40 2010 -0500

    sound: Prevent buffer overflow in OSS load_mixer_volumes
    
    commit d81a12bc29ae4038770e05dce4ab7f26fd5880fb upstream.
    
    The load_mixer_volumes() function, which can be triggered by
    unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
    a buffer overflow.  Because the provided "name" argument isn't
    guaranteed to be NULL terminated at the expected 32 bytes, it's possible
    to overflow past the end of the last element in the mixer_vols array.
    Further exploitation can result in an arbitrary kernel write (via
    subsequent calls to load_mixer_volumes()) leading to privilege
    escalation, or arbitrary kernel reads via get_mixer_levels().  In
    addition, the strcmp() may leak bytes beyond the mixer_vols array.
    
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit 4746f7abc3f13246147e7f6c0d219876417001fa
Author: Vlad Yasevich <vladislav.yasevich@hp.com>
Date:   Thu May 6 00:56:07 2010 -0700

    sctp: Fix a race between ICMP protocol unreachable and connect()
    
    commit 50b5d6ad63821cea324a5a7a19854d4de1a0a819 upstream.
    
    ICMP protocol unreachable handling completely disregarded
    the fact that the user may have locked the socket.  It proceeded
    to destroy the association, even though the user may have
    held the lock and had a ref on the association.  This resulted
    in the following:
    
    Attempt to release alive inet socket f6afcc00
    
    =========================
    [ BUG: held lock freed! ]
    -------------------------
    somenu/2672 is freeing memory f6afcc00-f6afcfff, with a lock still held
    there!
     (sk_lock-AF_INET){+.+.+.}, at: [<c122098a>] sctp_connect+0x13/0x4c
    1 lock held by somenu/2672:
     #0:  (sk_lock-AF_INET){+.+.+.}, at: [<c122098a>] sctp_connect+0x13/0x4c
    
    stack backtrace:
    Pid: 2672, comm: somenu Not tainted 2.6.32-telco #55
    Call Trace:
     [<c1232266>] ? printk+0xf/0x11
     [<c1038553>] debug_check_no_locks_freed+0xce/0xff
     [<c10620b4>] kmem_cache_free+0x21/0x66
     [<c1185f25>] __sk_free+0x9d/0xab
     [<c1185f9c>] sk_free+0x1c/0x1e
     [<c1216e38>] sctp_association_put+0x32/0x89
     [<c1220865>] __sctp_connect+0x36d/0x3f4
     [<c122098a>] ? sctp_connect+0x13/0x4c
     [<c102d073>] ? autoremove_wake_function+0x0/0x33
     [<c12209a8>] sctp_connect+0x31/0x4c
     [<c11d1e80>] inet_dgram_connect+0x4b/0x55
     [<c11834fa>] sys_connect+0x54/0x71
     [<c103a3a2>] ? lock_release_non_nested+0x88/0x239
     [<c1054026>] ? might_fault+0x42/0x7c
     [<c1054026>] ? might_fault+0x42/0x7c
     [<c11847ab>] sys_socketcall+0x6d/0x178
     [<c10da994>] ? trace_hardirqs_on_thunk+0xc/0x10
     [<c1002959>] syscall_call+0x7/0xb
    
    This was because the sctp_wait_for_connect() would aqcure the socket
    lock and then proceed to release the last reference count on the
    association, thus cause the fully destruction path to finish freeing
    the socket.
    
    The simplest solution is to start a very short timer in case the socket
    is owned by user.  When the timer expires, we can do some verification
    and be able to do the release properly.
    
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit 0edaa467ad115dd2175d8bc544524f7974075643
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Fri Nov 5 16:53:42 2010 +0100

    posix-cpu-timers: workaround to suppress the problems with mt exec
    
    commit e0a70217107e6f9844628120412cb27bb4cea194 upstream.
    
    posix-cpu-timers.c correctly assumes that the dying process does
    posix_cpu_timers_exit_group() and removes all !CPUCLOCK_PERTHREAD
    timers from signal->cpu_timers list.
    
    But, it also assumes that timer->it.cpu.task is always the group
    leader, and thus the dead ->task means the dead thread group.
    
    This is obviously not true after de_thread() changes the leader.
    After that almost every posix_cpu_timer_ method has problems.
    
    It is not simple to fix this bug correctly. First of all, I think
    that timer->it.cpu should use struct pid instead of task_struct.
    Also, the locking should be reworked completely. In particular,
    tasklist_lock should not be used at all. This all needs a lot of
    nontrivial and hard-to-test changes.
    
    Change __exit_signal() to do posix_cpu_timers_exit_group() when
    the old leader dies during exec. This is not the fix, just the
    temporary hack to hide the problem for 2.6.37 and stable. IOW,
    this is obviously wrong but this is what we currently have anyway:
    cpu timers do not work after mt exec.
    
    In theory this change adds another race. The exiting leader can
    detach the timers which were attached to the new leader. However,
    the window between de_thread() and release_task() is small, we
    can pretend that sys_timer_create() was called before de_thread().
    
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit 7980031ece121eb01f34cfd21b08687e7c9f3da1
Author: Takashi Iwai <tiwai@suse.de>
Date:   Fri Dec 10 00:16:39 2010 +0100

    PM / Hibernate: Fix PM_POST_* notification with user-space suspend
    
    commit 1497dd1d29c6a53fcd3c80f7ac8d0e0239e7389e upstream.
    
    The user-space hibernation sends a wrong notification after the image
    restoration because of thinko for the file flag check.  RDONLY
    corresponds to hibernation and WRONLY to restoration, confusingly.
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit 27e4f346bd7900dec3a2bcea269303b9fcd947fe
Author: Neil Brown <neilb@suse.de>
Date:   Thu Dec 2 11:14:30 2010 +1100

    nfsd: Fix possible BUG_ON firing in set_change_info
    
    commit c1ac3ffcd0bc7e9617f62be8c7043d53ab84deac upstream.
    
    If vfs_getattr in fill_post_wcc returns an error, we don't
    set fh_post_change.
    For NFSv4, this can result in set_change_info triggering a BUG_ON.
    i.e. fh_post_saved being zero isn't really a bug.
    
    So:
     - instead of BUGging when fh_post_saved is zero, just clear ->atomic.
     - if vfs_getattr fails in fill_post_wcc, take a copy of i_ctime anyway.
       This will be used i seg_change_info, but not overly trusted.
     - While we are there, remove the pointless 'if' statements in set_change_info.
       There is no harm setting all the values.
    
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit 2d5ba8979460dbd072cde2cd9224917f61c10ddb
Author: Sergey Vlasov <vsu@altlinux.ru>
Date:   Sun Nov 28 21:04:05 2010 +0000

    NFS: Fix fcntl F_GETLK not reporting some conflicts
    
    commit 21ac19d484a8ffb66f64487846c8d53afef04d2b upstream.
    
    The commit 129a84de2347002f09721cda3155ccfd19fade40 (locks: fix F_GETLK
    regression (failure to find conflicts)) fixed the posix_test_lock()
    function by itself, however, its usage in NFS changed by the commit
    9d6a8c5c213e34c475e72b245a8eb709258e968c (locks: give posix_test_lock
    same interface as ->lock) remained broken - subsequent NFS-specific
    locking code received F_UNLCK instead of the user-specified lock type.
    To fix the problem, fl->fl_type needs to be saved before the
    posix_test_lock() call and restored if no local conflicts were reported.
    
    Reference: https://bugzilla.kernel.org/show_bug.cgi?id=23892
    Tested-by: Alexander Morozov <amorozov@etersoft.ru>
    Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit 69b74dfe7cc2022a2f2e0cf920f0c24e72c0d387
Author: NeilBrown <neilb@suse.de>
Date:   Thu Dec 9 16:36:28 2010 +1100

    md: fix bug with re-adding of partially recovered device.
    
    commit 1a855a0606653d2d82506281e2c686bacb4b2f45 upstream.
    
    With v0.90 metadata, a hot-spare does not become a full member of the
    array until recovery is complete.  So if we re-add such a device to
    the array, we know that all of it is as up-to-date as the event count
    would suggest, and so it a bitmap-based recovery is possible.
    
    However with v1.x metadata, the hot-spare immediately becomes a full
    member of the array, but it record how much of the device has been
    recovered.  If the array is stopped and re-assembled recovery starts
    from this point.
    
    When such a device is hot-added to an array we currently lose the 'how
    much is recovered' information and incorrectly included it as a full
    in-sync member (after bitmap-based fixup).
    This is wrong and unsafe and could corrupt data.
    
    So be more careful about setting saved_raid_disk - which is what
    guides the re-adding of devices back into an array.
    The new code matches the code in slot_store which does a similar
    thing, which is encouraging.
    
    This is suitable for any -stable kernel.
    
    Reported-by: "Dailey, Nate" <Nate.Dailey@stratus.com>
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit 685c0cc45ed6d9a6289dee976eb6b9db4f05c5fe
Author: Saeed Bishara <saeed@marvell.com>
Date:   Tue Dec 21 16:53:39 2010 +0200

    mv_xor: fix race in tasklet function
    
    commit 8333f65ef094e47020cd01452b4637e7daf5a77f upstream.
    
    use mv_xor_slot_cleanup() instead of __mv_xor_slot_cleanup() as the former function
    aquires the spin lock that needed to protect the drivers data.
    
    Signed-off-by: Saeed Bishara <saeed@marvell.com>
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit fca909254747217cbd454e9913fedfc728704828
Author: Dan Carpenter <error27@gmail.com>
Date:   Wed Oct 13 09:13:12 2010 +0000

    IB/uverbs: Handle large number of entries in poll CQ
    
    commit 7182afea8d1afd432a17c18162cc3fd441d0da93 upstream.
    
    In ib_uverbs_poll_cq() code there is a potential integer overflow if
    userspace passes in a large cmd.ne.  The calls to kmalloc() would
    allocate smaller buffers than intended, leading to memory corruption.
    There iss also an information leak if resp wasn't all used.
    Unprivileged userspace may call this function, although only if an
    RDMA device that uses this function is present.
    
    Fix this by copying CQ entries one at a time, which avoids the
    allocation entirely, and also by moving this copying into a function
    that makes sure to initialize all memory copied to userspace.
    
    Special thanks to Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    for his help and advice.
    
    Signed-off-by: Dan Carpenter <error27@gmail.com>
    
    [ Monkey around with things a bit to avoid bad code generation by gcc
      when designated initializers are used.  - Roland ]
    
    Signed-off-by: Roland Dreier <rolandd@cisco.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit aa076d3e48c4e19717fd20b840f288ccc8bab839
Author: Gabriele Gorla <gorlik@penguintown.net>
Date:   Wed Dec 8 16:27:22 2010 +0100

    hwmon: (adm1026) Fix setting fan_div
    
    commit 52bc9802ce849d0d287cc5fe76d06b0daa3986ca upstream.
    
    Prevent setting fan_div from stomping on other fans that share the
    same I2C register.
    
    Signed-off-by: Gabriele Gorla <gorlik@penguintown.net>
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit 57d3b14324fc28006b23f879e2b72a26cfa36c94
Author: Gabriele Gorla <gorlik@penguintown.net>
Date:   Wed Dec 8 16:27:22 2010 +0100

    hwmon: (adm1026) Allow 1 as a valid divider value
    
    commit 8b0f1840a46449e1946fc88860ef3ec8d6b1c2c7 upstream.
    
    Allow 1 as a valid div value as specified in the ADM1026 datasheet.
    
    Signed-off-by: Gabriele Gorla <gorlik@penguintown.net>
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit 332c1def71fec9b6dfed59c97423d92f741e78f1
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Tue Oct 19 11:29:55 2010 +0200

    HID: hidraw: fix window in hidraw_release
    
    commit cb174681a9ececa6702f114b85bdf82144b6a5af upstream.
    
    [ Backport to .32.y by Antonio Ospite <ospite@studenti.unina.it> ]
    
    There is a window between hidraw_table check and its dereference.
    In that window, the device may be unplugged and removed form the
    system and we will then dereference NULL.
    
    Lock that place properly so that either we get NULL and jump out or we
    can work with real pointer.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Antonio Ospite <ospite@studenti.unina.it>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit 383581097b55f8d2e94310bbb523241c751faca4
Author: Thomas Sailer <t.sailer@alumni.ethz.ch>
Date:   Tue Dec 14 16:04:05 2010 +0100

    USB: misc: uss720.c: add another vendor/product ID
    
    commit ecc1624a2fff45780959efbcb73ace18fdb3c58d upstream.
    
    Fabio Battaglia report that he has another cable that works with this
    driver, so this patch adds its vendor/product ID.
    
    Signed-off-by: Thomas Sailer <t.sailer@alumni.ethz.ch>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit e459b58ded0963ae6d9ef393d88fd93f763416cc
Author: Vitaly Kuznetsov <vitty@altlinux.ru>
Date:   Tue Dec 14 10:16:49 2010 -0500

    USB: usb-storage: unusual_devs entry for the Samsung YP-CP3
    
    commit d73a9b3001f29271c2e9f2a806b05a431c5d9591 upstream.
    
    Add an unusual_devs entry for the Samsung YP-CP3 MP4 player.
    
    User was getting the following errors in dmesg:
     usb 2-6: reset high speed USB device using ehci_hcd and address 2
     usb 2-6: reset high speed USB device using ehci_hcd and address 2
     usb 2-6: reset high speed USB device using ehci_hcd and address 2
     usb 2-6: USB disconnect, address 2
     sd 3:0:0:0: [sdb] Assuming drive cache: write through
     sdb:<2>ldm_validate_partition_table(): Disk read failed.
     Dev sdb: unable to read RDB block 0
      unable to read partition table
    
    Signed-off-by: Vitaly Kuznetsov <vitty@altlinux.ru>
    Acked-by: Alan Stern <stern@rowland.harvard.edu>
    CC: Matthew Dharm <mdharm-usb@one-eyed-alien.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit c8a519a7414d3bec1f67b8470197aa9805f9e736
Author: Daniel T Chen <crimsun@ubuntu.com>
Date:   Tue Dec 28 17:20:02 2010 -0500

    ALSA: hda: Use LPIB quirk for Dell Inspiron m101z/1120
    
    commit e03fa055bc126e536c7f65862e08a9b143138ea9 upstream.
    
    Sjoerd Simons reports that, without using position_fix=1, recording
    experiences overruns. Work around that by applying the LPIB quirk
    for his hardware.
    
    Reported-and-tested-by: Sjoerd Simons <sjoerd@debian.org>
    Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit 70df898cfa768c58dc00a7e742ecce648af5d186
Author: Daniel T Chen <crimsun@ubuntu.com>
Date:   Wed Mar 3 18:24:26 2010 -0500

    ALSA: hda: Use LPIB for Dell Latitude 131L
    
    commit 9919c7619c52d01e89103bca405cc3d4a2b1ac31 upstream.
    
    BugLink: https://launchpad.net/bugs/530346
    
    The OR has verified that position_fix=1 is necessary to work around
    errors on his machine.
    
    Reported-by: Tom Louwrier
    Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>

commit 40825e09a818892dde27e4b606290d76a8255712
Author: Daniel T Chen <crimsun@ubuntu.com>
Date:   Thu Dec 2 22:45:45 2010 -0500

    ALSA: hda: Use model=lg quirk for LG P1 Express to enable playback and capture
    
    commit 77c4d5cdb81d25a45fbdfb84dd3348121219a072 upstream.
    
    BugLink: https://launchpad.net/bugs/595482
    
    The original reporter states that audible playback from the internal
    speaker is inaudible despite the hardware being properly detected.  To
    work around this symptom, he uses the model=lg quirk to properly enable
    both playback, capture, and jack sense.  Another user corroborates this
    workaround on separate hardware.  Add this PCI SSID to the quirk table
    to enable it for further LG P1 Expresses.
    
    Reported-and-tested-by: Philip Peitsch <philip.peitsch@gmail.com>
    Tested-by: nikhov
    Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Willy Tarreau <w@1wt.eu>