From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 10 May 2013 17:15:00 +0000 (-0700)
Subject: 3.9-stable patches
X-Git-Tag: v3.9.2~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1c10a05daadeaee765626044d3f93130851caa9c;p=thirdparty%2Fkernel%2Fstable-queue.git

3.9-stable patches

added patches:
	acpica-fix-possible-buffer-overflow-during-a-field-unit-read-operation.patch
	alsa-hda-fix-oops-caused-by-dereference-null-pointer.patch
	asoc-wm8994-missing-break-in-wm8994_aif3_hw_params.patch
	revert-alsa-hda-don-t-set-up-active-streams-twice.patch
---

diff --git a/queue-3.9/acpica-fix-possible-buffer-overflow-during-a-field-unit-read-operation.patch b/queue-3.9/acpica-fix-possible-buffer-overflow-during-a-field-unit-read-operation.patch
new file mode 100644
index 00000000000..9c9594f67ef
--- /dev/null
+++ b/queue-3.9/acpica-fix-possible-buffer-overflow-during-a-field-unit-read-operation.patch
@@ -0,0 +1,47 @@
+From 61388f9e5d93053cf399a356414f31f9b4814c6d Mon Sep 17 00:00:00 2001
+From: Bob Moore <robert.moore@intel.com>
+Date: Wed, 8 May 2013 04:01:15 +0000
+Subject: ACPICA: Fix possible buffer overflow during a field unit read operation
+
+From: Bob Moore <robert.moore@intel.com>
+
+commit 61388f9e5d93053cf399a356414f31f9b4814c6d upstream.
+
+Can only happen under these conditions: 1) The DSDT version is 1,
+meaning integers are 32-bits.  2) The field is between 33 and 64
+bits long.
+
+It applies cleanly back to ACPICA 20100806+ (Linux v2.6.37+).
+
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Lv Zheng <lv.zheng@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/acpica/exfldio.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/acpica/exfldio.c
++++ b/drivers/acpi/acpica/exfldio.c
+@@ -720,7 +720,19 @@ acpi_ex_extract_from_field(union acpi_op
+ 
+ 	if ((obj_desc->common_field.start_field_bit_offset == 0) &&
+ 	    (obj_desc->common_field.bit_length == access_bit_width)) {
+-		status = acpi_ex_field_datum_io(obj_desc, 0, buffer, ACPI_READ);
++		if (buffer_length >= sizeof(u64)) {
++			status =
++			    acpi_ex_field_datum_io(obj_desc, 0, buffer,
++						   ACPI_READ);
++		} else {
++			/* Use raw_datum (u64) to handle buffers < 64 bits */
++
++			status =
++			    acpi_ex_field_datum_io(obj_desc, 0, &raw_datum,
++						   ACPI_READ);
++			ACPI_MEMCPY(buffer, &raw_datum, buffer_length);
++		}
++
+ 		return_ACPI_STATUS(status);
+ 	}
+ 
diff --git a/queue-3.9/alsa-hda-fix-oops-caused-by-dereference-null-pointer.patch b/queue-3.9/alsa-hda-fix-oops-caused-by-dereference-null-pointer.patch
new file mode 100644
index 00000000000..866f7d06240
--- /dev/null
+++ b/queue-3.9/alsa-hda-fix-oops-caused-by-dereference-null-pointer.patch
@@ -0,0 +1,42 @@
+From 2195b063f6609e4c6268f291683902f25eaf9aa6 Mon Sep 17 00:00:00 2001
+From: Wang YanQing <udknight@gmail.com>
+Date: Tue, 7 May 2013 11:27:33 +0800
+Subject: ALSA: HDA: Fix Oops caused by dereference NULL pointer
+
+From: Wang YanQing <udknight@gmail.com>
+
+commit 2195b063f6609e4c6268f291683902f25eaf9aa6 upstream.
+
+The interrupt handler azx_interrupt will call azx_update_rirb,
+which may call snd_hda_queue_unsol_event, snd_hda_queue_unsol_event
+will dereference chip->bus pointer.
+
+The problem is we alloc chip->bus in azx_codec_create
+which will be called after we enable IRQ and enable unsolicited
+event in azx_probe.
+
+This will cause Oops due dereference NULL pointer. I meet it, good luck:)
+
+[Rearranged the NULL check before the tracepoint and added another
+ NULL check of bus->workq -- tiwai]
+
+Signed-off-by: Wang YanQing <udknight@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_codec.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -681,6 +681,9 @@ int snd_hda_queue_unsol_event(struct hda
+ 	struct hda_bus_unsolicited *unsol;
+ 	unsigned int wp;
+ 
++	if (!bus || !bus->workq)
++		return 0;
++
+ 	trace_hda_unsol_event(bus, res, res_ex);
+ 	unsol = bus->unsol;
+ 	if (!unsol)
diff --git a/queue-3.9/asoc-wm8994-missing-break-in-wm8994_aif3_hw_params.patch b/queue-3.9/asoc-wm8994-missing-break-in-wm8994_aif3_hw_params.patch
new file mode 100644
index 00000000000..91201a3b65a
--- /dev/null
+++ b/queue-3.9/asoc-wm8994-missing-break-in-wm8994_aif3_hw_params.patch
@@ -0,0 +1,30 @@
+From 4495e46fe18f198366961bb2b324a694ef8a9b44 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 30 Apr 2013 10:24:41 +0300
+Subject: ASoC: wm8994: missing break in wm8994_aif3_hw_params()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 4495e46fe18f198366961bb2b324a694ef8a9b44 upstream.
+
+The missing break here means that we always return early and the
+function is a no-op.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/wm8994.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/codecs/wm8994.c
++++ b/sound/soc/codecs/wm8994.c
+@@ -2841,6 +2841,7 @@ static int wm8994_aif3_hw_params(struct
+ 		default:
+ 			return 0;
+ 		}
++		break;
+ 	default:
+ 		return 0;
+ 	}
diff --git a/queue-3.9/revert-alsa-hda-don-t-set-up-active-streams-twice.patch b/queue-3.9/revert-alsa-hda-don-t-set-up-active-streams-twice.patch
new file mode 100644
index 00000000000..cab1ef19aab
--- /dev/null
+++ b/queue-3.9/revert-alsa-hda-don-t-set-up-active-streams-twice.patch
@@ -0,0 +1,43 @@
+From 6c35ae3c327ef4b5f51d3428d2ba47ac2153e882 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 10 May 2013 13:39:50 +0200
+Subject: Revert "ALSA: hda - Don't set up active streams twice"
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6c35ae3c327ef4b5f51d3428d2ba47ac2153e882 upstream.
+
+This reverts commit affdb62b815b38261f09f9d4ec210a35c7ffb1f3.
+
+The commit introduced a regression with AD codecs where the stream is
+always clean up.  Since the patch is just a minor optimization and
+reverting the commit fixes the issue, let's just revert it.
+
+Reported-and-tested-by: Michael Burian <michael.burian@sbg.at>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_codec.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -1577,7 +1577,7 @@ void snd_hda_codec_setup_stream(struct h
+ 		    "NID=0x%x, stream=0x%x, channel=%d, format=0x%x\n",
+ 		    nid, stream_tag, channel_id, format);
+ 	p = get_hda_cvt_setup(codec, nid);
+-	if (!p || p->active)
++	if (!p)
+ 		return;
+ 
+ 	if (codec->pcm_format_first)
+@@ -1624,7 +1624,7 @@ void __snd_hda_codec_cleanup_stream(stru
+ 
+ 	snd_printdd("hda_codec_cleanup_stream: NID=0x%x\n", nid);
+ 	p = get_hda_cvt_setup(codec, nid);
+-	if (p && p->active) {
++	if (p) {
+ 		/* here we just clear the active flag when do_now isn't set;
+ 		 * actual clean-ups will be done later in
+ 		 * purify_inactive_streams() called from snd_hda_codec_prpapre()
diff --git a/queue-3.9/series b/queue-3.9/series
index b3e1e31336a..00fe7b6eb61 100644
--- a/queue-3.9/series
+++ b/queue-3.9/series
@@ -4,3 +4,7 @@ kvm-emulator-emulate-xlat.patch
 kvm-emulator-emulate-salc.patch
 hid-reintroduce-fix-up-for-certain-sony-rf-receivers.patch
 arm-omap-rx-51-change-probe-order-of-touchscreen-and-panel-spi-devices.patch
+asoc-wm8994-missing-break-in-wm8994_aif3_hw_params.patch
+acpica-fix-possible-buffer-overflow-during-a-field-unit-read-operation.patch
+revert-alsa-hda-don-t-set-up-active-streams-twice.patch
+alsa-hda-fix-oops-caused-by-dereference-null-pointer.patch