--- /dev/null
+From 4acd57c3de62374fe5bb52e5cd24538190f4eab2 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+Date: Sun, 29 Nov 2009 16:39:52 +0000
+Subject: ALSA: AACI: fix AC97 multiple-open bug
+
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+
+commit 4acd57c3de62374fe5bb52e5cd24538190f4eab2 upstream.
+
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/arm/aaci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/arm/aaci.c
++++ b/sound/arm/aaci.c
+@@ -504,6 +504,10 @@ static int aaci_pcm_hw_params(struct snd
+ int err;
+
+ aaci_pcm_hw_free(substream);
++ if (aacirun->pcm_open) {
++ snd_ac97_pcm_close(aacirun->pcm);
++ aacirun->pcm_open = 0;
++ }
+
+ err = devdma_hw_alloc(NULL, substream,
+ params_buffer_bytes(params));
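Review bot: The added `if (aacirun->pcm_open)` block carries no comment and the commit message has no body, so the reason for closing the AC97 PCM inside hw_params rests on the subject line alone. A short comment would help, for example `/* hw_params may run again on a configured stream: close the AC97 PCM left open by the previous call before reopening it */`. That reading is inferred from the subject and from the `snd_ac97_pcm_open()` call visible in the next patch's hunk. The return value of `snd_ac97_pcm_close()` is also ignored here. aaci_pcm_hw_params starts and ends outside the hunk.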
--- /dev/null
+From 8ee763b9c82c6ca0a59a7271ce4fa29d7baf5c09 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+Date: Sun, 29 Nov 2009 16:39:59 +0000
+Subject: ALSA: AACI: fix recording bug
+
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+
+commit 8ee763b9c82c6ca0a59a7271ce4fa29d7baf5c09 upstream.
+
+pcm->r[1].slots is the double rate slot information, not the
+capture information. For capture, 'pcm' will already be the
+capture ac97 pcm structure.
+
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/arm/aaci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/arm/aaci.c
++++ b/sound/arm/aaci.c
+@@ -521,7 +521,7 @@ static int aaci_pcm_hw_params(struct snd
+ else
+ err = snd_ac97_pcm_open(aacirun->pcm, params_rate(params),
+ params_channels(params),
+- aacirun->pcm->r[1].slots);
++ aacirun->pcm->r[0].slots);
+
+ if (err)
+ goto out;
--- /dev/null
+From f495088210c8b9e20791d995a8210170c68d2deb Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Fri, 6 Nov 2009 23:44:53 +0200
+Subject: ALSA: usb-audio: fix combine_word problem
+
+From: Julian Anastasov <ja@ssi.bg>
+
+commit f495088210c8b9e20791d995a8210170c68d2deb upstream.
+
+Fix combine_word problem where first octet is not
+read properly. The only affected place seems to be the
+INPUT_TERMINAL type. Before now, sound controls can be created
+with the output terminal's name which is a fallback mechanism
+used only for unknown input terminal types. For example,
+Line can wrongly appear as Speaker. After the change it
+should appear as Line.
+
+ The side effect of this change can be that users
+can expect the wrong control name in their scripts or
+programs while now we return the correct one.
+
+ Probably, these defines should use get_unaligned_le16 and
+friends.
+
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/usb/usbaudio.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/usbaudio.h
++++ b/sound/usb/usbaudio.h
+@@ -209,7 +209,7 @@ struct snd_usb_midi_endpoint_info {
+ /*
+ */
+
+-#define combine_word(s) ((*s) | ((unsigned int)(s)[1] << 8))
++#define combine_word(s) ((*(s)) | ((unsigned int)(s)[1] << 8))
+ #define combine_triple(s) (combine_word(s) | ((unsigned int)(s)[2] << 16))
+ #define combine_quad(s) (combine_triple(s) | ((unsigned int)(s)[3] << 24))
+
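Review bot: `combine_word` still expands its argument twice, and `combine_triple` and `combine_quad` three and four times, so the parenthesisation fix does not protect a call whose argument has side effects such as `p++`. The low byte is also read as `*(s)` with no cast, so if a caller passes a plain `char *` where char is signed, a byte of 0x80 or above would sign-extend into the result. The callers' pointer types are not visible here. A `static inline` helper taking `const unsigned char *s` and returning `s[0] | ((unsigned int)s[1] << 8)` would remove both hazards without changing call sites.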
--- /dev/null
+From 690e744869f3262855b83b4fb59199cf142765b0 Mon Sep 17 00:00:00 2001
+From: Dave Jones <davej@redhat.com>
+Date: Mon, 19 Oct 2009 19:55:13 -0400
+Subject: [SCSI] gdth: Prevent negative offsets in ioctl CVE-2009-3080
+
+From: Dave Jones <davej@redhat.com>
+
+commit 690e744869f3262855b83b4fb59199cf142765b0 upstream.
+
+A negative offset could be used to index before the event buffer and
+lead to a security breach.
+
+Signed-off-by: Dave Jones <davej@redhat.com>
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/gdth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/gdth.c
++++ b/drivers/scsi/gdth.c
+@@ -2912,7 +2912,7 @@ static int gdth_read_event(gdth_ha_str *
+ eindex = handle;
+ estr->event_source = 0;
+
+- if (eindex >= MAX_EVENTS) {
++ if (eindex < 0 || eindex >= MAX_EVENTS) {
+ spin_unlock_irqrestore(&ha->smp_lock, flags);
+ return eindex;
+ }
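Review bot: On the rejection path the function still does `return eindex;`, so an out-of-range handle, negative ones included, is handed straight back to the caller as if it were a usable next handle. The only visible signal that nothing was read is `estr->event_source = 0` just above, and that contract deserves a comment, e.g. `/* invalid handle: event_source stays 0 and the value is returned unchanged; callers must not index with it */`. Because `eindex` is signed and taken from `handle`, any other path that indexes the event buffer with a caller-supplied value needs the same two-sided check; none is visible in this hunk. gdth_read_event starts and ends outside the hunk.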
--- /dev/null
+From 199bc9ff5ca5e4b3bcaff8927b2983c65f34c263 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Mon, 30 Nov 2009 09:06:40 +0000
+Subject: jffs2: Fix memory corruption in jffs2_read_inode_range()
+
+From: David Woodhouse <dwmw2@infradead.org>
+
+commit 199bc9ff5ca5e4b3bcaff8927b2983c65f34c263 upstream.
+
+In 2.6.23 kernel, commit a32ea1e1f925399e0d81ca3f7394a44a6dafa12c
+("Fix read/truncate race") fixed a race in the generic code, and as a
+side effect, now do_generic_file_read() can ask us to readpage() past
+the i_size. This seems to be correctly handled by the block routines
+(e.g. block_read_full_page() fills the page with zeroes in case if
+somebody is trying to read past the last inode's block).
+
+JFFS2 doesn't handle this; it assumes that it won't be asked to read
+pages which don't exist -- and thus that there will be at least _one_
+valid 'frag' on the page it's being asked to read. It will fill any
+holes with the following memset:
+
+ memset(buf, 0, min(end, frag->ofs + frag->size) - offset);
+
+When the 'closest smaller match' returned by jffs2_lookup_node_frag() is
+actually on a previous page and ends before 'offset', that results in:
+
+ memset(buf, 0, <huge unsigned negative>);
+
+Hopefully, in most cases the corruption is fatal, and quickly causing
+random oopses, like this:
+
+ root@10.0.0.4:~/ltp-fs-20090531# ./testcases/kernel/fs/ftest/ftest01
+ Unable to handle kernel paging request for data at address 0x00000008
+ Faulting instruction address: 0xc01cd980
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ [...]
+ NIP [c01cd980] rb_insert_color+0x38/0x184
+ LR [c0043978] enqueue_hrtimer+0x88/0xc4
+ Call Trace:
+ [c6c63b60] [c004f9a8] tick_sched_timer+0xa0/0xe4 (unreliable)
+ [c6c63b80] [c0043978] enqueue_hrtimer+0x88/0xc4
+ [c6c63b90] [c0043a48] __run_hrtimer+0x94/0xbc
+ [c6c63bb0] [c0044628] hrtimer_interrupt+0x140/0x2b8
+ [c6c63c10] [c000f8e8] timer_interrupt+0x13c/0x254
+ [c6c63c30] [c001352c] ret_from_except+0x0/0x14
+ --- Exception: 901 at memset+0x38/0x5c
+ LR = jffs2_read_inode_range+0x144/0x17c
+ [c6c63cf0] [00000000] (null) (unreliable)
+
+This patch fixes the issue, plus fixes all LTP tests on NAND/UBI with
+JFFS2 filesystem that were failing since 2.6.23 (seems like the bug
+above also broke the truncation).
+
+Reported-By: Anton Vorontsov <avorontsov@ru.mvista.com>
+Tested-By: Anton Vorontsov <avorontsov@ru.mvista.com>
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/jffs2/read.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/fs/jffs2/read.c
++++ b/fs/jffs2/read.c
+@@ -164,12 +164,15 @@ int jffs2_read_inode_range(struct jffs2_
+
+ /* XXX FIXME: Where a single physical node actually shows up in two
+ frags, we read it twice. Don't do that. */
+- /* Now we're pointing at the first frag which overlaps our page */
++ /* Now we're pointing at the first frag which overlaps our page
++ * (or perhaps is before it, if we've been asked to read off the
++ * end of the file). */
+ while(offset < end) {
+ D2(printk(KERN_DEBUG "jffs2_read_inode_range: offset %d, end %d\n", offset, end));
+- if (unlikely(!frag || frag->ofs > offset)) {
++ if (unlikely(!frag || frag->ofs > offset ||
++ frag->ofs + frag->size <= offset)) {
+ uint32_t holesize = end - offset;
+- if (frag) {
++ if (frag && frag->ofs > offset) {
+ D1(printk(KERN_NOTICE "Eep. Hole in ino #%u fraglist. frag->ofs = 0x%08x, offset = 0x%08x\n", f->inocache->ino, frag->ofs, offset));
+ holesize = min(holesize, frag->ofs - offset);
+ }
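Review bot: The new term `frag->ofs + frag->size <= offset` is what keeps the later hole-filling length from underflowing, but the updated comment only says the frag may lie before the page. I would state the invariant next to the condition, e.g. `/* frag ends at or before offset: treat the remainder as a hole so no length is derived from a stale frag */`. The sum is evaluated in whatever width `ofs` and `size` have. If both are 32-bit unsigned, as `holesize` suggests, a frag ending at the top of the range would wrap, which is worth a brief note or an explicit check. The rest of the loop body and the memset quoted in the commit message are outside this hunk.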
--- /dev/null
+alsa-aaci-fix-ac97-multiple-open-bug.patch
+alsa-aaci-fix-recording-bug.patch
+alsa-usb-audio-fix-combine_word-problem.patch
+gdth-prevent-negative-offsets-in-ioctl-cve-2009-3080.patch
+jffs2-fix-memory-corruption-in-jffs2_read_inode_range.patch
+v4l-dvb-13079-dib0700-fixed-xc2028-firmware-loading-kernel-oops.patch
+v4l-dvb-13107-tda18271-fix-overflow-in-fm-radio-frequency-calculation.patch
+v4l-dvb-13109-tda18271-fix-signedness-issue-in-tda18271_rf_tracking_filters_init.patch
+v4l-dvb-13190-em28xx-fix-panic-that-can-occur-when-starting-audio-streaming.patch
+v4l-dvb-13230-s2255drv-don-t-conditionalize-video-buffer-completion-on-waiting-processes.patch
--- /dev/null
+From 7646b9de26c54cf4bc9c446d7ada9f91ece31e0a Mon Sep 17 00:00:00 2001
+From: Martin Samek <martin@marsark.sytes.net>
+Date: Wed, 30 Sep 2009 22:59:09 -0300
+Subject: V4L/DVB (13079): dib0700: fixed xc2028 firmware loading kernel oops
+
+From: Martin Samek <martin@marsark.sytes.net>
+
+commit 7646b9de26c54cf4bc9c446d7ada9f91ece31e0a upstream.
+
+Fixing kernel oops when driver attempts to load xc2028 firmware.
+
+Note by djh: the patch contributed by Martin is a port of a fix I made during
+the PCTV 340e development. It's a temporary workaround that fixes a regression
+(an OOPS condition) and the real fix should be in the code that manages the
+i2c master on the dib7000p. But this fix does address the immediate
+regression and should be merged upstream until we do a cleaner fix.
+
+Signed-off-by: Martin Samek <martin@marsark.sytes.net>
+Signed-off-by: Devin Heitmueller <dheitmueller@kernellabs.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/dvb/frontends/dib7000p.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/dvb/frontends/dib7000p.c
++++ b/drivers/media/dvb/frontends/dib7000p.c
+@@ -1343,6 +1343,11 @@ struct dvb_frontend * dib7000p_attach(st
+ if (dib7000p_identify(st) != 0)
+ goto error;
+
++ /* FIXME: make sure the dev.parent field is initialized, or else
++ request_firmware() will hit an OOPS (this should be moved somewhere
++ more common) */
++ st->i2c_master.gated_tuner_i2c_adap.dev.parent = i2c_adap->dev.parent;
++
+ dibx000_init_i2c_master(&st->i2c_master, DIB7000P, st->i2c_adap, st->i2c_addr);
+
+ dib7000p_demod_reset(st);
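Review bot: The added assignment takes the parent from the `i2c_adap` argument while the very next call passes `st->i2c_adap`. If these are the same adapter, as the surrounding lines suggest, writing `st->i2c_adap->dev.parent` would make that evident and keep the two lines in step. `i2c_adap` is dereferenced here without a NULL check; whether an earlier line of dib7000p_attach already guarantees it is not visible in the hunk. The function starts and ends outside the hunk.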
--- /dev/null
+From 4d8317876d5f53ef792e90f89d8f162d7bca5c81 Mon Sep 17 00:00:00 2001
+From: Michael Krufky <mkrufky@kernellabs.com>
+Date: Sun, 27 Sep 2009 14:05:12 -0300
+Subject: V4L/DVB (13107): tda18271: fix overflow in FM radio frequency calculation
+
+From: Michael Krufky <mkrufky@kernellabs.com>
+
+commit 4d8317876d5f53ef792e90f89d8f162d7bca5c81 upstream.
+
+Multiplication by 62500 causes an overflow in the 32 bit freq variable,
+which is later divided by 1000 when using FM radio.
+
+This patch prevents the overflow by scaling the frequency value correctly
+upfront. Thanks to Henk Vergonet for spotting the problem and providing
+a preliminary patch, which this changeset was based upon.
+
+Cc: Henk Vergonet <Henk.Vergonet@gmail.com>
+Signed-off-by: Michael Krufky <mkrufky@kernellabs.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/common/tuners/tda18271-fe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/common/tuners/tda18271-fe.c
++++ b/drivers/media/common/tuners/tda18271-fe.c
+@@ -927,12 +927,12 @@ static int tda18271_set_analog_params(st
+ struct tda18271_std_map_item *map;
+ char *mode;
+ int ret;
+- u32 freq = params->frequency * 62500;
++ u32 freq = params->frequency * 125 *
++ ((params->mode == V4L2_TUNER_RADIO) ? 1 : 1000) / 2;
+
+ priv->mode = TDA18271_ANALOG;
+
+ if (params->mode == V4L2_TUNER_RADIO) {
+- freq = freq / 1000;
+ map = &std_map->fm_radio;
+ mode = "fm";
+ } else if (params->std & V4L2_STD_MN) {
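Review bot: On the non-radio path the initialiser now evaluates `params->frequency * 125 * 1000` before the `/ 2`, so the intermediate product is twice the old `* 62500` and wraps a 32-bit value at half the previous input (assuming `params->frequency` is 32-bit, which the hunk does not show). Keeping the two scalings separate avoids trading one overflow for another: `u32 freq = (params->mode == V4L2_TUNER_RADIO) ? params->frequency * 125 / 2 : params->frequency * 62500;`. If the frequency can arrive from user space unchecked, a range check before the multiplication would be the more complete answer. tda18271_set_analog_params continues outside the hunk.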
--- /dev/null
+From a57c1dcb93e43357ed3f666e5a2b5d5071dd3930 Mon Sep 17 00:00:00 2001
+From: Seth Barry <seth@cyberseth.com>
+Date: Sun, 27 Sep 2009 16:42:29 -0300
+Subject: V4L/DVB (13109): tda18271: fix signedness issue in tda18271_rf_tracking_filters_init
+
+From: Seth Barry <seth@cyberseth.com>
+
+commit a57c1dcb93e43357ed3f666e5a2b5d5071dd3930 upstream.
+
+While having tda18271 module set with debug=17 (cal & info prints) and
+cal=0 (delay calibration process until first use) - I discovered that
+during the calibration process, if the frequency test for 69750000
+returned a bcal of 0 (see tda18271-fe.c in tda18271_powerscan func) that
+the tuner wouldn't be able to pickup any of the frequencies in the range
+(all the other frequencies bands returned bcal=1). I spent some time
+going over the code and the NXP's tda18271 spec (ver.4 of it i think) and
+adding a lot of debug prints and walking/stepping through the calibration
+process. I found that when the powerscan fails to find a frequency, the
+rf calibration is not run and the default value is supposed to be used in
+its place (pulled from the RF_CAL_map table) - but something was getting
+goofed up there.
+
+Now, my c coding skills are very rusty, but i think root of the problem is
+a signedness issue with the math operation for calculating the rf_a1 and
+rf_a2 values in tda18271_rf_tracking_filters_init func, which results in
+values like 20648 for rf_a1 (when it should probably have a value like 0,
+or so slightly negative that it should be zero - this bad value for rf_a1
+would in turn makes the approx calc within
+tda18271c2_rf_tracking_filters_correction go out of whack). The simplest
+solution i found was to explicitly convert the signedness of the
+denominator to avoid the implicit conversion. The values placed into the
+u32 rf_freq array should never exceed about 900mhz, so i think the s32 max
+value shouldn't be an issue in this case.
+
+I've tested it out a little, and even when i get a bcal=0 with the
+modified code, the default calibration value gets used, rf_a1 is zero, and
+the tuner seems to lock on the stream and mythtv seems to play it fine.
+
+Signed-off-by: Seth Barry <seth@cyberseth.com>
+Signed-off-by: Michael Krufky <mkrufky@kernellabs.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/common/tuners/tda18271-fe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/common/tuners/tda18271-fe.c
++++ b/drivers/media/common/tuners/tda18271-fe.c
+@@ -595,13 +595,13 @@ static int tda18271_rf_tracking_filters_
+ case RF2:
+ map[i].rf_a1 = (prog_cal[RF2] - prog_tab[RF2] -
+ prog_cal[RF1] + prog_tab[RF1]) /
+- ((rf_freq[RF2] - rf_freq[RF1]) / 1000);
++ (s32)((rf_freq[RF2] - rf_freq[RF1]) / 1000);
+ map[i].rf2 = rf_freq[RF2] / 1000;
+ break;
+ case RF3:
+ map[i].rf_a2 = (prog_cal[RF3] - prog_tab[RF3] -
+ prog_cal[RF2] + prog_tab[RF2]) /
+- ((rf_freq[RF3] - rf_freq[RF2]) / 1000);
++ (s32)((rf_freq[RF3] - rf_freq[RF2]) / 1000);
+ map[i].rf_b2 = prog_cal[RF2] - prog_tab[RF2];
+ map[i].rf3 = rf_freq[RF3] / 1000;
+ break;
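Review bot: Both divisions can still divide by zero: `(rf_freq[RF2] - rf_freq[RF1]) / 1000` is 0 whenever the two calibration frequencies are less than 1000 apart, and the same holds for the RF3 case. The `(s32)` cast is also applied after the unsigned subtraction and division, so if the later frequency were ever the lower one, it is the wrapped u32 quotient that gets cast. Computing `s32 span = ((s32)rf_freq[RF2] - (s32)rf_freq[RF1]) / 1000;` and leaving the slope at its default when `span == 0` would cover both. Whether rf_freq can hold such values depends on the powerscan results, which are outside this hunk; the switch also starts and ends outside it.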
--- /dev/null
+From 96fbf771d86a90ff006bc62ca4d4de6474b3de31 Mon Sep 17 00:00:00 2001
+From: Devin Heitmueller <dheitmueller@kernellabs.com>
+Date: Thu, 15 Oct 2009 01:14:34 -0300
+Subject: V4L/DVB (13190): em28xx: fix panic that can occur when starting audio streaming
+
+From: Devin Heitmueller <dheitmueller@kernellabs.com>
+
+commit 96fbf771d86a90ff006bc62ca4d4de6474b3de31 upstream.
+
+Because the counters were not reset when starting up streaming, they would
+be reused from the previous run. This can result in cases such that when the
+second instance of streaming starts up, the "cnt" variable in
+em28xx_audio_isocirq() can end up being negative, resulting in attempting to
+write to memory before the start of runtime->dma_area (as well as having a
+negative number of bytes to copy).
+
+Signed-off-by: Devin Heitmueller <dheitmueller@kernellabs.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/em28xx/em28xx-audio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/video/em28xx/em28xx-audio.c
++++ b/drivers/media/video/em28xx/em28xx-audio.c
+@@ -365,6 +365,11 @@ static int snd_em28xx_hw_capture_free(st
+
+ static int snd_em28xx_prepare(struct snd_pcm_substream *substream)
+ {
++ struct em28xx *dev = snd_pcm_substream_chip(substream);
++
++ dev->adev.hwptr_done_capture = 0;
++ dev->adev.capture_transfer_done = 0;
++
+ return 0;
+ }
+
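Review bot: The two counters are cleared in `snd_em28xx_prepare` without any lock, while the commit message says `em28xx_audio_isocirq()` consumes them on the completion path; if prepare can run while URBs are still in flight, the reset could race with an update there. The out-of-bounds write described in the message is prevented only indirectly, by keeping the counters sane. A bounds check on `cnt` at the copy site in `em28xx_audio_isocirq()` would be a useful second line of defence. Both observations concern code outside this hunk and should be confirmed there.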
--- /dev/null
+From 1f95725755ab67f3198df3b5bf7517f926f310ca Mon Sep 17 00:00:00 2001
+From: Mike Isely <isely@pobox.com>
+Date: Wed, 23 Sep 2009 18:06:57 -0300
+Subject: V4L/DVB (13230): s2255drv: Don't conditionalize video buffer completion on waiting processes
+
+From: Mike Isely <isely@pobox.com>
+
+commit 1f95725755ab67f3198df3b5bf7517f926f310ca upstream.
+
+The s2255 driver had logic which aborted processing of a video frame
+if there was no process waiting on the video buffer in question. That
+simply doesn't work when the application is doing things in an
+asynchronous manner. If the application went to the trouble to queue
+the buffer in the first place, then the driver should always attempt
+to complete it - even if the application at that moment has its
+attention turned elsewhere. Applications which always blocked waiting
+for I/O on the capture device would not have been affected by this.
+Applications which *mostly* blocked waiting for I/O on the capture
+device probably only would have been somewhat affected (frame lossage,
+at a rate which goes up as the application blocks less). Applications
+which never blocked on the capture device (e.g. polling only) however
+would never have been able to receive any video frames, since in that
+case this "is anyone waiting on this?" check on the buffer never would
+have evaluated true. This patch just deletes that harmful check
+against the buffer's wait queue.
+
+Signed-off-by: Mike Isely <isely@pobox.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/s2255drv.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/media/video/s2255drv.c
++++ b/drivers/media/video/s2255drv.c
+@@ -578,11 +578,6 @@ static int s2255_got_frame(struct s2255_
+ buf = list_entry(dma_q->active.next,
+ struct s2255_buffer, vb.queue);
+
+- if (!waitqueue_active(&buf->vb.done)) {
+- /* no one active */
+- rc = -1;
+- goto unlock;
+- }
+ list_del(&buf->vb.queue);
+ do_gettimeofday(&buf->vb.ts);
+ dprintk(100, "[%p/%d] wakeup\n", buf, buf->vb.i);