From: Greg Kroah-Hartman Date: Tue, 7 Aug 2007 08:02:02 +0000 (-0700) Subject: more 2.6.22 patches added X-Git-Tag: v2.6.21.7~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3a9cf3f07fc406f7bf370761d017f7018ddc6154;p=thirdparty%2Fkernel%2Fstable-queue.git more 2.6.22 patches added --- diff --git a/queue-2.6.22/aacraid-fix-security-hole.patch b/queue-2.6.22/aacraid-fix-security-hole.patch new file mode 100644 index 00000000000..74953fbd467 --- /dev/null +++ b/queue-2.6.22/aacraid-fix-security-hole.patch @@ -0,0 +1,41 @@ +From 719be62903a6e6419789557cb3ed0e840d3e4ca9 Mon Sep 17 00:00:00 2001 +From: Alan Cox +Date: Mon, 23 Jul 2007 14:51:05 +0100 +Subject: [PATCH] aacraid: fix security hole + +From: Alan Cox + +On the SCSI layer ioctl path there is no implicit permissions check for +ioctls (and indeed other drivers implement unprivileged ioctls). aacraid +however allows all sorts of very admin only things to be done so should +check. + +Signed-off-by: Alan Cox +Acked-by: Mark Salyzyn +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/aacraid/linit.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/scsi/aacraid/linit.c ++++ b/drivers/scsi/aacraid/linit.c +@@ -597,6 +597,8 @@ static int aac_cfg_open(struct inode *in + static int aac_cfg_ioctl(struct inode *inode, struct file *file, + unsigned int cmd, unsigned long arg) + { ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; + return aac_do_ioctl(file->private_data, cmd, (void __user *)arg); + } + +@@ -650,6 +652,8 @@ static int aac_compat_ioctl(struct scsi_ + + static long aac_compat_cfg_ioctl(struct file *file, unsigned cmd, unsigned long arg) + { ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; + return aac_compat_do_ioctl((struct aac_dev *)file->private_data, cmd, arg); + } + #endif diff --git a/queue-2.6.22/drm-i915-fix-i965-secured-batchbuffer-usage.patch b/queue-2.6.22/drm-i915-fix-i965-secured-batchbuffer-usage.patch new file mode 100644 index 00000000000..54602223fbb --- /dev/null +++ b/queue-2.6.22/drm-i915-fix-i965-secured-batchbuffer-usage.patch @@ -0,0 +1,67 @@ +From 21f16289270447673a7263ccc0b22d562fb01ecb Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Tue, 7 Aug 2007 09:09:51 +1000 +Subject: [PATCH] drm/i915: Fix i965 secured batchbuffer usage + + +This 965G and above chipsets moved the batch buffer non-secure bits to +another place. This means that previous drm's allowed in-secure batchbuffers +to be submitted to the hardware from non-privileged users who are logged +into X and and have access to direct rendering. + +Signed-off-by: Dave Airlie +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/drm/i915_dma.c | 14 +++++++++++--- + drivers/char/drm/i915_drv.h | 1 + + 2 files changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/char/drm/i915_dma.c ++++ b/drivers/char/drm/i915_dma.c +@@ -184,6 +184,8 @@ static int i915_initialize(drm_device_t + * private backbuffer/depthbuffer usage. + */ + dev_priv->use_mi_batchbuffer_start = 0; ++ if (IS_I965G(dev)) /* 965 doesn't support older method */ ++ dev_priv->use_mi_batchbuffer_start = 1; + + /* Allow hardware batchbuffers unless told otherwise. + */ +@@ -517,8 +519,13 @@ static int i915_dispatch_batchbuffer(drm + + if (dev_priv->use_mi_batchbuffer_start) { + BEGIN_LP_RING(2); +- OUT_RING(MI_BATCH_BUFFER_START | (2 << 6)); +- OUT_RING(batch->start | MI_BATCH_NON_SECURE); ++ if (IS_I965G(dev)) { ++ OUT_RING(MI_BATCH_BUFFER_START | (2 << 6) | MI_BATCH_NON_SECURE_I965); ++ OUT_RING(batch->start); ++ } else { ++ OUT_RING(MI_BATCH_BUFFER_START | (2 << 6)); ++ OUT_RING(batch->start | MI_BATCH_NON_SECURE); ++ } + ADVANCE_LP_RING(); + } else { + BEGIN_LP_RING(4); +@@ -735,7 +742,8 @@ static int i915_setparam(DRM_IOCTL_ARGS) + + switch (param.param) { + case I915_SETPARAM_USE_MI_BATCHBUFFER_START: +- dev_priv->use_mi_batchbuffer_start = param.value; ++ if (!IS_I965G(dev)) ++ dev_priv->use_mi_batchbuffer_start = param.value; + break; + case I915_SETPARAM_TEX_LRU_LOG_GRANULARITY: + dev_priv->tex_lru_log_granularity = param.value; +--- a/drivers/char/drm/i915_drv.h ++++ b/drivers/char/drm/i915_drv.h +@@ -282,6 +282,7 @@ extern int i915_wait_ring(drm_device_t * + #define MI_BATCH_BUFFER_START (0x31<<23) + #define MI_BATCH_BUFFER_END (0xA<<23) + #define MI_BATCH_NON_SECURE (1) ++#define MI_BATCH_NON_SECURE_I965 (1<<8) + + #define MI_WAIT_FOR_EVENT ((0x3<<23)) + #define MI_WAIT_FOR_PLANE_A_FLIP (1<<2) diff --git a/queue-2.6.22/firewire-fw-sbp2-set-correct-maximum-payload.patch b/queue-2.6.22/firewire-fw-sbp2-set-correct-maximum-payload.patch new file mode 100644 index 00000000000..289cb4c1a64 --- /dev/null +++ b/queue-2.6.22/firewire-fw-sbp2-set-correct-maximum-payload.patch @@ -0,0 +1,60 @@ +From stable-bounces@linux.kernel.org Sat Aug 4 09:38:53 2007 +From: Stefan Richter +Date: Sat, 4 Aug 2007 18:38:32 +0200 (CEST) +Subject: firewire: fw-sbp2: set correct maximum payload (fixes CardBus adapters) +To: stable@kernel.org +Cc: Kristian Høgsberg , linux-kernel@vger.kernel.org +Message-ID: +Content-Disposition: INLINE + + +As far as I know, all CardBus FireWire 400 adapters have a maximum +payload of 1024 bytes which is less than the speed-dependent limit of +2048 bytes. Fw-sbp2 has to take the host adapter's limit into account. + +This apparently fixes Juju's incompatibility with my CardBus cards, a +NEC based card and a VIA based card. + +Backport of commit 25659f7183376c6b37661da6141d5eaa21479061. + +Signed-off-by: Stefan Richter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firewire/fw-sbp2.c | 5 ++++- + drivers/firewire/fw-transaction.h | 2 +- + 2 files changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/firewire/fw-sbp2.c ++++ b/drivers/firewire/fw-sbp2.c +@@ -985,6 +985,7 @@ static int sbp2_scsi_queuecommand(struct + struct fw_unit *unit = sd->unit; + struct fw_device *device = fw_device(unit->device.parent); + struct sbp2_command_orb *orb; ++ unsigned max_payload; + + /* + * Bidirectional commands are not yet implemented, and unknown +@@ -1023,8 +1024,10 @@ static int sbp2_scsi_queuecommand(struct + * specifies the max payload size as 2 ^ (max_payload + 2), so + * if we set this to max_speed + 7, we get the right value. + */ ++ max_payload = device->node->max_speed + 7; ++ max_payload = min(max_payload, device->card->max_receive - 1); + orb->request.misc = +- COMMAND_ORB_MAX_PAYLOAD(device->node->max_speed + 7) | ++ COMMAND_ORB_MAX_PAYLOAD(max_payload) | + COMMAND_ORB_SPEED(device->node->max_speed) | + COMMAND_ORB_NOTIFY; + +--- a/drivers/firewire/fw-transaction.h ++++ b/drivers/firewire/fw-transaction.h +@@ -228,7 +228,7 @@ struct fw_card { + unsigned long reset_jiffies; + + unsigned long long guid; +- int max_receive; ++ unsigned max_receive; + int link_speed; + int config_rom_generation; + diff --git a/queue-2.6.22/fix-reported-task-file-values-in-sense-data.patch b/queue-2.6.22/fix-reported-task-file-values-in-sense-data.patch new file mode 100644 index 00000000000..d41de9f527f --- /dev/null +++ b/queue-2.6.22/fix-reported-task-file-values-in-sense-data.patch @@ -0,0 +1,46 @@ +From fe36cb53cfd82f3c0796a0826e1c9caf198c8f97 Mon Sep 17 00:00:00 2001 +From: Petr Vandrovec +Date: Fri, 20 Jul 2007 07:44:44 -0400 +Subject: [PATCH] [libata] Fix reported task file values in sense data + + +ata_tf_read was setting HOB bit when lba48 command was submitted, but +was not clearing it before reading "normal" data. As it is only place +which sets HOB bit in control register, and register reads should not +be affected by other bits, let's just clear it when we are done with +reading upper bytes so non-48bit commands do not have to touch ctl +at all. + +pata_scc suffered from same problem... + +Signed-off-by: Petr Vandrovec +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-sff.c | 2 ++ + drivers/ata/pata_scc.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/drivers/ata/libata-sff.c ++++ b/drivers/ata/libata-sff.c +@@ -211,6 +211,8 @@ void ata_tf_read(struct ata_port *ap, st + tf->hob_lbal = ioread8(ioaddr->lbal_addr); + tf->hob_lbam = ioread8(ioaddr->lbam_addr); + tf->hob_lbah = ioread8(ioaddr->lbah_addr); ++ iowrite8(tf->ctl, ioaddr->ctl_addr); ++ ap->last_ctl = tf->ctl; + } + } + +--- a/drivers/ata/pata_scc.c ++++ b/drivers/ata/pata_scc.c +@@ -352,6 +352,8 @@ static void scc_tf_read (struct ata_port + tf->hob_lbal = in_be32(ioaddr->lbal_addr); + tf->hob_lbam = in_be32(ioaddr->lbam_addr); + tf->hob_lbah = in_be32(ioaddr->lbah_addr); ++ out_be32(ioaddr->ctl_addr, tf->ctl); ++ ap->last_ctl = tf->ctl; + } + } + diff --git a/queue-2.6.22/input-lifebook-fix-an-oops-on-panasonic-cf-18.patch b/queue-2.6.22/input-lifebook-fix-an-oops-on-panasonic-cf-18.patch new file mode 100644 index 00000000000..d89e27b388f --- /dev/null +++ b/queue-2.6.22/input-lifebook-fix-an-oops-on-panasonic-cf-18.patch @@ -0,0 +1,30 @@ +From stable-bounces@linux.kernel.org Thu Jul 19 21:37:41 2007 +From: Dmitry Torokhov +Date: Fri, 20 Jul 2007 00:37:30 -0400 +Subject: Input: lifebook - fix an oops on Panasonic CF-18 +To: stable@kernel.org +Message-ID: <200707200037.30449.dtor@insightbb.com> +Content-Disposition: inline + +From: Dmitry Torokhov + +Input: lifebook - fix an oops on Panasonic CF-18 + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/lifebook.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/mouse/lifebook.c ++++ b/drivers/input/mouse/lifebook.c +@@ -109,7 +109,7 @@ static psmouse_ret_t lifebook_process_by + { + struct lifebook_data *priv = psmouse->private; + struct input_dev *dev1 = psmouse->dev; +- struct input_dev *dev2 = priv->dev2; ++ struct input_dev *dev2 = priv ? priv->dev2 : NULL; + unsigned char *packet = psmouse->packet; + int relative_packet = packet[0] & 0x08; + diff --git a/queue-2.6.22/kvm-svm-reliably-detect-if-svm-was-disabled-by-bios.patch b/queue-2.6.22/kvm-svm-reliably-detect-if-svm-was-disabled-by-bios.patch new file mode 100644 index 00000000000..f5486fd00d7 --- /dev/null +++ b/queue-2.6.22/kvm-svm-reliably-detect-if-svm-was-disabled-by-bios.patch @@ -0,0 +1,53 @@ +From stable-bounces@linux.kernel.org Wed Jul 18 09:51:42 2007 +From: Joerg Roedel +Date: Wed, 18 Jul 2007 19:51:36 +0300 +Subject: KVM: SVM: Reliably detect if SVM was disabled by BIOS +To: stable@kernel.org +Cc: Joerg Roedel , Avi Kivity +Message-ID: <11847774962911-git-send-email-avi@qumranet.com> + +From: Joerg Roedel + +This patch adds an implementation to the svm is_disabled function to +detect reliably if the BIOS disabled the SVM feature in the CPU. This +fixes the issues with kernel panics when loading the kvm-amd module on +machines where SVM is available but disabled. + +Signed-off-by: Joerg Roedel +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/kvm/svm.c | 6 ++++++ + drivers/kvm/svm.h | 3 +++ + 2 files changed, 9 insertions(+) + +--- a/drivers/kvm/svm.c ++++ b/drivers/kvm/svm.c +@@ -1727,6 +1727,12 @@ static void svm_inject_page_fault(struct + + static int is_disabled(void) + { ++ u64 vm_cr; ++ ++ rdmsrl(MSR_VM_CR, vm_cr); ++ if (vm_cr & (1 << SVM_VM_CR_SVM_DISABLE)) ++ return 1; ++ + return 0; + } + +--- a/drivers/kvm/svm.h ++++ b/drivers/kvm/svm.h +@@ -175,8 +175,11 @@ struct __attribute__ ((__packed__)) vmcb + #define SVM_CPUID_FUNC 0x8000000a + + #define MSR_EFER_SVME_MASK (1ULL << 12) ++#define MSR_VM_CR 0xc0010114 + #define MSR_VM_HSAVE_PA 0xc0010117ULL + ++#define SVM_VM_CR_SVM_DISABLE 4 ++ + #define SVM_SELECTOR_S_SHIFT 4 + #define SVM_SELECTOR_DPL_SHIFT 5 + #define SVM_SELECTOR_P_SHIFT 7 diff --git a/queue-2.6.22/make-timerfd-return-a-u64-and-fix-the-__put_user.patch b/queue-2.6.22/make-timerfd-return-a-u64-and-fix-the-__put_user.patch new file mode 100644 index 00000000000..19f7dda21da --- /dev/null +++ b/queue-2.6.22/make-timerfd-return-a-u64-and-fix-the-__put_user.patch @@ -0,0 +1,88 @@ +From stable-bounces@linux.kernel.org Thu Jul 26 10:46:51 2007 +From: Davide Libenzi +Date: Thu, 26 Jul 2007 10:41:07 -0700 +Subject: make timerfd return a u64 and fix the __put_user +To: torvalds@linux-foundation.org +Cc: akpm@linux-foundation.org, davi@haxent.com.br, mtk-manpages@gmx.net, stable@kernel.org, davidel@xmailserver.org +Message-ID: <200707261745.l6QHjiRc012304@imap1.linux-foundation.org> + + +From: Davide Libenzi + +Davi fixed a missing cast in the __put_user(), that was making timerfd +return a single byte instead of the full value. + +Talking with Michael about the timerfd man page, we think it'd be better to +use a u64 for the returned value, to align it with the eventfd +implementation. + +This is an ABI change. The timerfd code is new in 2.6.22 and if we merge this +into 2.6.23 then we should also merge it into 2.6.22.x. That will leave a few +early 2.6.22 kernels out in the wild which might misbehave when a future +timerfd-enabled glibc is run on them. + +mtk says: + The difference would be that read() will only return 4 bytes, + while the application will expect 8. If the application is + checking the size of returned value, as it should, then it will + be able to detect the problem (it could even be sophisticated + enough to know that if this is a 4-byte return, then it is + running on an old 2.6.22 kernel). If the application is not + checking the return from read(), then its 8-byte buffer will not + be filled -- the contents of the last 4 bytes will be undefined, + so the u64 value as a whole will be junk. + + When I wrote up that description above, I forgot a crucial + detail. The above description described the difference between + the new behavior implemented by the patch, and the current + (i.e., 2.6.22) *intended* behavior. However, as I originally + remarked to Davide, the 2.6.22 read() behavior is broken: it + should return 4 bytes on a read(), but as originally + implemented, only the least significant byte contained valid + information. (In other words, the top 3 bytes of overrun + information were simply being discarded.) + + So the patch both fixes a bug in the originally intended + behavior, and changes the intended behavior (to return 8 bytes + from a read() instead of 4). + + +Signed-off-by: Davide Libenzi +Cc: Michael Kerrisk +Cc: Davi Arnaut +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/timerfd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/timerfd.c ++++ b/fs/timerfd.c +@@ -95,7 +95,7 @@ static ssize_t timerfd_read(struct file + { + struct timerfd_ctx *ctx = file->private_data; + ssize_t res; +- u32 ticks = 0; ++ u64 ticks = 0; + DECLARE_WAITQUEUE(wait, current); + + if (count < sizeof(ticks)) +@@ -130,7 +130,7 @@ static ssize_t timerfd_read(struct file + * callback to avoid DoS attacks specifying a very + * short timer period. + */ +- ticks = (u32) ++ ticks = (u64) + hrtimer_forward(&ctx->tmr, + hrtimer_cb_get_time(&ctx->tmr), + ctx->tintv); +@@ -140,7 +140,7 @@ static ssize_t timerfd_read(struct file + } + spin_unlock_irq(&ctx->wqh.lock); + if (ticks) +- res = put_user(ticks, buf) ? -EFAULT: sizeof(ticks); ++ res = put_user(ticks, (u64 __user *) buf) ? -EFAULT: sizeof(ticks); + return res; + } + diff --git a/queue-2.6.22/series b/queue-2.6.22/series index c3529d3ab60..61d7a29bf08 100644 --- a/queue-2.6.22/series +++ b/queue-2.6.22/series @@ -17,3 +17,18 @@ fix-ipv6-tunnel-endianness-bug.patch fix-sparc32-memset.patch fix-sparc32-udelay-rounding-errors.patch fix-tcp-ipv6-md5-bug.patch +kvm-svm-reliably-detect-if-svm-was-disabled-by-bios.patch +usb-fix-warning-caused-by-autosuspend-counter-going-negative.patch +usb-serial-fix-edgeport-regression-on-non-epic-devices.patch +fix-reported-task-file-values-in-sense-data.patch +aacraid-fix-security-hole.patch +firewire-fw-sbp2-set-correct-maximum-payload.patch +make-timerfd-return-a-u64-and-fix-the-__put_user.patch +v4l-add-check-for-valid-control-id-to-v4l2_ctrl_next.patch +v4l-ivtv-fix-broken-vbi-output-support.patch +v4l-ivtv-fix-dma-timeout-when-capturing-vbi-another-stream.patch +v4l-ivtv-add-locking-to-ensure-stream-setup-is-atomic.patch +v4l-wm8775-wm8739-fix-memory-leak-when-unloading-module.patch +input-lifebook-fix-an-oops-on-panasonic-cf-18.patch +splice-fix-double-page-unlock.patch +drm-i915-fix-i965-secured-batchbuffer-usage.patch diff --git a/queue-2.6.22/splice-fix-double-page-unlock.patch b/queue-2.6.22/splice-fix-double-page-unlock.patch new file mode 100644 index 00000000000..a84c0d333ae --- /dev/null +++ b/queue-2.6.22/splice-fix-double-page-unlock.patch @@ -0,0 +1,47 @@ +From stable-bounces@linux.kernel.org Fri Jul 20 06:22:09 2007 +From: Jens Axboe +Date: Fri, 20 Jul 2007 15:21:36 +0200 +Subject: splice: fix double page unlock +To: stable@kernel.org +Message-ID: <20070720132136.GD11657@kernel.dk> +Content-Disposition: inline + +From: Jens Axboe + +If add_to_page_cache_lru() fails, the page will not be locked. But +splice jumps to an error path that does a page release and unlock, +causing a BUG() in unlock_page(). + +Fix this by adding one more label that just releases the page. This bug +was actually triggered on EL5 by gurudas pai +using fio. + +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/splice.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -601,7 +601,7 @@ find_page: + ret = add_to_page_cache_lru(page, mapping, index, + GFP_KERNEL); + if (unlikely(ret)) +- goto out; ++ goto out_release; + } + + ret = mapping->a_ops->prepare_write(file, page, offset, offset+this_len); +@@ -657,8 +657,9 @@ find_page: + */ + mark_page_accessed(page); + out: +- page_cache_release(page); + unlock_page(page); ++out_release: ++ page_cache_release(page); + out_ret: + return ret; + } diff --git a/queue-2.6.22/usb-fix-warning-caused-by-autosuspend-counter-going-negative.patch b/queue-2.6.22/usb-fix-warning-caused-by-autosuspend-counter-going-negative.patch new file mode 100644 index 00000000000..8d262856b2e --- /dev/null +++ b/queue-2.6.22/usb-fix-warning-caused-by-autosuspend-counter-going-negative.patch @@ -0,0 +1,55 @@ +From stable-bounces@linux.kernel.org Thu Jul 19 20:46:46 2007 +From: Alan Stern +Date: Thu, 19 Jul 2007 20:44:51 -0700 +Subject: USB: fix warning caused by autosuspend counter going negative +To: linux-usb-devel@lists.sourceforge.net +Cc: Greg Kroah-Hartman , Alan Stern +Message-ID: <1184903162294-git-send-email-gregkh@suse.de> + + +From: Alan Stern + +This patch (as937) fixes a minor bug in the autosuspend usage-counting +code. Each hub's usage counter keeps track of the number of +unsuspended children. However the current driver increments the +counter after registering a new child, by which time the child may +already have been suspended and caused the counter to go negative. +The obvious solution is to increment the counter before registering +the child. + +Signed-off-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1388,6 +1388,10 @@ int usb_new_device(struct usb_device *ud + udev->dev.devt = MKDEV(USB_DEVICE_MAJOR, + (((udev->bus->busnum-1) * 128) + (udev->devnum-1))); + ++ /* Increment the parent's count of unsuspended children */ ++ if (udev->parent) ++ usb_autoresume_device(udev->parent); ++ + /* Register the device. The device driver is responsible + * for adding the device files to sysfs and for configuring + * the device. +@@ -1395,13 +1399,11 @@ int usb_new_device(struct usb_device *ud + err = device_add(&udev->dev); + if (err) { + dev_err(&udev->dev, "can't device_add, error %d\n", err); ++ if (udev->parent) ++ usb_autosuspend_device(udev->parent); + goto fail; + } + +- /* Increment the parent's count of unsuspended children */ +- if (udev->parent) +- usb_autoresume_device(udev->parent); +- + exit: + return err; + diff --git a/queue-2.6.22/usb-serial-fix-edgeport-regression-on-non-epic-devices.patch b/queue-2.6.22/usb-serial-fix-edgeport-regression-on-non-epic-devices.patch new file mode 100644 index 00000000000..131d5187753 --- /dev/null +++ b/queue-2.6.22/usb-serial-fix-edgeport-regression-on-non-epic-devices.patch @@ -0,0 +1,63 @@ +From stable-bounces@linux.kernel.org Mon Jul 30 15:11:15 2007 +From: Adam Kropelin +Date: Mon, 30 Jul 2007 15:09:07 -0700 +Subject: usb-serial: Fix edgeport regression on non-EPiC devices +To: linux-usb-devel@lists.sourceforge.net +Cc: Greg Kroah-Hartman , stable , Adam Kropelin +Message-ID: <11858334183168-git-send-email-gregkh@suse.de> + + +From: Adam Kropelin + +Fix serious regression on non-EPiC edgeport usb-serial devices. Baud +rate and MCR/LCR registers are not being written on these models due +to apparent copy-n-paste errors introduced with EPiC support. + +Failure reported by Nick Pasich . + +Signed-off-by: Adam Kropelin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/io_edgeport.c | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -2366,9 +2366,8 @@ static int send_cmd_write_baud_rate (str + int status; + unsigned char number = edge_port->port->number - edge_port->port->serial->minor; + +- if ((!edge_serial->is_epic) || +- ((edge_serial->is_epic) && +- (!edge_serial->epic_descriptor.Supports.IOSPSetBaudRate))) { ++ if (edge_serial->is_epic && ++ !edge_serial->epic_descriptor.Supports.IOSPSetBaudRate) { + dbg("SendCmdWriteBaudRate - NOT Setting baud rate for port = %d, baud = %d", + edge_port->port->number, baudRate); + return 0; +@@ -2461,18 +2460,16 @@ static int send_cmd_write_uart_register + + dbg("%s - write to %s register 0x%02x", (regNum == MCR) ? "MCR" : "LCR", __FUNCTION__, regValue); + +- if ((!edge_serial->is_epic) || +- ((edge_serial->is_epic) && +- (!edge_serial->epic_descriptor.Supports.IOSPWriteMCR) && +- (regNum == MCR))) { ++ if (edge_serial->is_epic && ++ !edge_serial->epic_descriptor.Supports.IOSPWriteMCR && ++ regNum == MCR) { + dbg("SendCmdWriteUartReg - Not writing to MCR Register"); + return 0; + } + +- if ((!edge_serial->is_epic) || +- ((edge_serial->is_epic) && +- (!edge_serial->epic_descriptor.Supports.IOSPWriteLCR) && +- (regNum == LCR))) { ++ if (edge_serial->is_epic && ++ !edge_serial->epic_descriptor.Supports.IOSPWriteLCR && ++ regNum == LCR) { + dbg ("SendCmdWriteUartReg - Not writing to LCR Register"); + return 0; + } diff --git a/queue-2.6.22/v4l-add-check-for-valid-control-id-to-v4l2_ctrl_next.patch b/queue-2.6.22/v4l-add-check-for-valid-control-id-to-v4l2_ctrl_next.patch new file mode 100644 index 00000000000..19029cd72de --- /dev/null +++ b/queue-2.6.22/v4l-add-check-for-valid-control-id-to-v4l2_ctrl_next.patch @@ -0,0 +1,58 @@ +From stable-bounces@linux.kernel.org Tue Jul 24 05:07:30 2007 +From: Hans Verkuil +Date: Tue, 24 Jul 2007 08:07:17 -0400 +Subject: V4L: Add check for valid control ID to v4l2_ctrl_next +To: stable@kernel.org +Message-ID: <46A5EB75.3010402@linuxtv.org> + + +From: Hans Verkuil + +If v4l2_ctrl_next is called without the V4L2_CTRL_FLAG_NEXT_CTRL then it +should check whether the passed control ID is valid and return 0 if it +isn't. Otherwise a for-loop over the control IDs will never end. + +(cherry picked from commit a46c5fbc6912c4e34cb7ded314249b639dc244a6) + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Michael Krufky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/v4l2-common.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/media/video/v4l2-common.c ++++ b/drivers/media/video/v4l2-common.c +@@ -939,16 +939,25 @@ int v4l2_ctrl_query_menu(struct v4l2_que + When no more controls are available 0 is returned. */ + u32 v4l2_ctrl_next(const u32 * const * ctrl_classes, u32 id) + { +- u32 ctrl_class; ++ u32 ctrl_class = V4L2_CTRL_ID2CLASS(id); + const u32 *pctrl; + +- /* if no query is desired, then just return the control ID */ +- if ((id & V4L2_CTRL_FLAG_NEXT_CTRL) == 0) +- return id; + if (ctrl_classes == NULL) + return 0; ++ ++ /* if no query is desired, then check if the ID is part of ctrl_classes */ ++ if ((id & V4L2_CTRL_FLAG_NEXT_CTRL) == 0) { ++ /* find class */ ++ while (*ctrl_classes && V4L2_CTRL_ID2CLASS(**ctrl_classes) != ctrl_class) ++ ctrl_classes++; ++ if (*ctrl_classes == NULL) ++ return 0; ++ pctrl = *ctrl_classes; ++ /* find control ID */ ++ while (*pctrl && *pctrl != id) pctrl++; ++ return *pctrl ? id : 0; ++ } + id &= V4L2_CTRL_ID_MASK; +- ctrl_class = V4L2_CTRL_ID2CLASS(id); + id++; /* select next control */ + /* find first class that matches (or is greater than) the class of + the ID */ diff --git a/queue-2.6.22/v4l-ivtv-add-locking-to-ensure-stream-setup-is-atomic.patch b/queue-2.6.22/v4l-ivtv-add-locking-to-ensure-stream-setup-is-atomic.patch new file mode 100644 index 00000000000..7a5b5e677b1 --- /dev/null +++ b/queue-2.6.22/v4l-ivtv-add-locking-to-ensure-stream-setup-is-atomic.patch @@ -0,0 +1,132 @@ +From stable-bounces@linux.kernel.org Tue Jul 24 05:07:52 2007 +From: Hans Verkuil +Date: Tue, 24 Jul 2007 08:07:40 -0400 +Subject: V4L: ivtv: Add locking to ensure stream setup is atomic +To: stable@kernel.org +Message-ID: <46A5EB8C.20508@linuxtv.org> + + +From: Hans Verkuil + +Starting an MPEG and VBI capture simultaneously caused errors in +the VBI setup: this setup was done twice when it should be done +only for the first stream that is opened. +Added a mutex to prevent this from happening. + +(cherry picked from commit f885969196da6ae905162c0d1c5f0553de12cb40) + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Michael Krufky + +--- + drivers/media/video/ivtv/ivtv-driver.c | 1 + + drivers/media/video/ivtv/ivtv-driver.h | 1 + + drivers/media/video/ivtv/ivtv-streams.c | 30 +++++++++++++++++++----------- + 3 files changed, 21 insertions(+), 11 deletions(-) + +--- a/drivers/media/video/ivtv/ivtv-driver.c ++++ b/drivers/media/video/ivtv/ivtv-driver.c +@@ -622,6 +622,7 @@ static int __devinit ivtv_init_struct1(s + itv->enc_mbox.max_mbox = 2; /* the encoder has 3 mailboxes (0-2) */ + itv->dec_mbox.max_mbox = 1; /* the decoder has 2 mailboxes (0-1) */ + ++ mutex_init(&itv->serialize_lock); + mutex_init(&itv->i2c_bus_lock); + mutex_init(&itv->udma.lock); + +--- a/drivers/media/video/ivtv/ivtv-driver.h ++++ b/drivers/media/video/ivtv/ivtv-driver.h +@@ -722,6 +722,7 @@ struct ivtv { + int search_pack_header; + + spinlock_t dma_reg_lock; /* lock access to DMA engine registers */ ++ struct mutex serialize_lock; /* lock used to serialize starting streams */ + + /* User based DMA for OSD */ + struct ivtv_user_dma udma; +--- a/drivers/media/video/ivtv/ivtv-streams.c ++++ b/drivers/media/video/ivtv/ivtv-streams.c +@@ -446,6 +446,9 @@ int ivtv_start_v4l2_encode_stream(struct + if (s->v4l2dev == NULL) + return -EINVAL; + ++ /* Big serialization lock to ensure no two streams are started ++ simultaneously: that can give all sorts of weird results. */ ++ mutex_lock(&itv->serialize_lock); + IVTV_DEBUG_INFO("Start encoder stream %s\n", s->name); + + switch (s->type) { +@@ -487,6 +490,7 @@ int ivtv_start_v4l2_encode_stream(struct + 0, sizeof(itv->vbi.sliced_mpeg_size)); + break; + default: ++ mutex_unlock(&itv->serialize_lock); + return -EINVAL; + } + s->subtype = subtype; +@@ -568,6 +572,7 @@ int ivtv_start_v4l2_encode_stream(struct + if (ivtv_vapi(itv, CX2341X_ENC_START_CAPTURE, 2, captype, subtype)) + { + IVTV_DEBUG_WARN( "Error starting capture!\n"); ++ mutex_unlock(&itv->serialize_lock); + return -EINVAL; + } + +@@ -583,6 +588,7 @@ int ivtv_start_v4l2_encode_stream(struct + + /* you're live! sit back and await interrupts :) */ + atomic_inc(&itv->capturing); ++ mutex_unlock(&itv->serialize_lock); + return 0; + } + +@@ -762,17 +768,6 @@ int ivtv_stop_v4l2_encode_stream(struct + /* when: 0 = end of GOP 1 = NOW!, type: 0 = mpeg, subtype: 3 = video+audio */ + ivtv_vapi(itv, CX2341X_ENC_STOP_CAPTURE, 3, stopmode, cap_type, s->subtype); + +- /* only run these if we're shutting down the last cap */ +- if (atomic_read(&itv->capturing) - 1 == 0) { +- /* event notification (off) */ +- if (test_and_clear_bit(IVTV_F_I_DIG_RST, &itv->i_flags)) { +- /* type: 0 = refresh */ +- /* on/off: 0 = off, intr: 0x10000000, mbox_id: -1: none */ +- ivtv_vapi(itv, CX2341X_ENC_SET_EVENT_NOTIFICATION, 4, 0, 0, IVTV_IRQ_ENC_VIM_RST, -1); +- ivtv_set_irq_mask(itv, IVTV_IRQ_ENC_VIM_RST); +- } +- } +- + then = jiffies; + + if (!test_bit(IVTV_F_S_PASSTHROUGH, &s->s_flags)) { +@@ -840,17 +835,30 @@ int ivtv_stop_v4l2_encode_stream(struct + /* Clear capture and no-read bits */ + clear_bit(IVTV_F_S_STREAMING, &s->s_flags); + ++ /* ensure these global cleanup actions are done only once */ ++ mutex_lock(&itv->serialize_lock); ++ + if (s->type == IVTV_ENC_STREAM_TYPE_VBI) + ivtv_set_irq_mask(itv, IVTV_IRQ_ENC_VBI_CAP); + + if (atomic_read(&itv->capturing) > 0) { ++ mutex_unlock(&itv->serialize_lock); + return 0; + } + + /* Set the following Interrupt mask bits for capture */ + ivtv_set_irq_mask(itv, IVTV_IRQ_MASK_CAPTURE); + ++ /* event notification (off) */ ++ if (test_and_clear_bit(IVTV_F_I_DIG_RST, &itv->i_flags)) { ++ /* type: 0 = refresh */ ++ /* on/off: 0 = off, intr: 0x10000000, mbox_id: -1: none */ ++ ivtv_vapi(itv, CX2341X_ENC_SET_EVENT_NOTIFICATION, 4, 0, 0, IVTV_IRQ_ENC_VIM_RST, -1); ++ ivtv_set_irq_mask(itv, IVTV_IRQ_ENC_VIM_RST); ++ } ++ + wake_up(&s->waitq); ++ mutex_unlock(&itv->serialize_lock); + + return 0; + } diff --git a/queue-2.6.22/v4l-ivtv-fix-broken-vbi-output-support.patch b/queue-2.6.22/v4l-ivtv-fix-broken-vbi-output-support.patch new file mode 100644 index 00000000000..679b2ca4a7a --- /dev/null +++ b/queue-2.6.22/v4l-ivtv-fix-broken-vbi-output-support.patch @@ -0,0 +1,91 @@ +From stable-bounces@linux.kernel.org Tue Jul 24 05:07:41 2007 +From: Hans Verkuil +Date: Tue, 24 Jul 2007 08:07:28 -0400 +Subject: V4L: ivtv: fix broken VBI output support +To: stable@kernel.org +Message-ID: <46A5EB80.3020101@linuxtv.org> + + +From: Hans Verkuil + +The old service_set_out setting was still tested, even though it no longer +was ever set and was in fact obsolete. This meant that everything that was +written to /dev/vbi16 was ignored. Removed the service_set_out variable +altogether and now it works again. + +(cherry picked from commit 47fd3ba9fc62d23a985f4969719c3091438d21c5) + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Michael Krufky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/ivtv/ivtv-driver.h | 1 - + drivers/media/video/ivtv/ivtv-vbi.c | 31 +++++++++++-------------------- + 2 files changed, 11 insertions(+), 21 deletions(-) + +--- a/drivers/media/video/ivtv/ivtv-driver.h ++++ b/drivers/media/video/ivtv/ivtv-driver.h +@@ -650,7 +650,6 @@ struct vbi_info { + /* convenience pointer to sliced struct in vbi_in union */ + struct v4l2_sliced_vbi_format *sliced_in; + u32 service_set_in; +- u32 service_set_out; + int insert_mpeg; + + /* Buffer for the maximum of 2 * 18 * packet_size sliced VBI lines. +--- a/drivers/media/video/ivtv/ivtv-vbi.c ++++ b/drivers/media/video/ivtv/ivtv-vbi.c +@@ -219,31 +219,23 @@ ssize_t ivtv_write_vbi(struct ivtv *itv, + int found_cc = 0; + int cc_pos = itv->vbi.cc_pos; + +- if (itv->vbi.service_set_out == 0) +- return -EPERM; +- + while (count >= sizeof(struct v4l2_sliced_vbi_data)) { + switch (p->id) { + case V4L2_SLICED_CAPTION_525: +- if (p->id == V4L2_SLICED_CAPTION_525 && +- p->line == 21 && +- (itv->vbi.service_set_out & +- V4L2_SLICED_CAPTION_525) == 0) { +- break; +- } +- found_cc = 1; +- if (p->field) { +- cc[2] = p->data[0]; +- cc[3] = p->data[1]; +- } else { +- cc[0] = p->data[0]; +- cc[1] = p->data[1]; ++ if (p->line == 21) { ++ found_cc = 1; ++ if (p->field) { ++ cc[2] = p->data[0]; ++ cc[3] = p->data[1]; ++ } else { ++ cc[0] = p->data[0]; ++ cc[1] = p->data[1]; ++ } + } + break; + + case V4L2_SLICED_VPS: +- if (p->line == 16 && p->field == 0 && +- (itv->vbi.service_set_out & V4L2_SLICED_VPS)) { ++ if (p->line == 16 && p->field == 0) { + itv->vbi.vps[0] = p->data[2]; + itv->vbi.vps[1] = p->data[8]; + itv->vbi.vps[2] = p->data[9]; +@@ -255,8 +247,7 @@ ssize_t ivtv_write_vbi(struct ivtv *itv, + break; + + case V4L2_SLICED_WSS_625: +- if (p->line == 23 && p->field == 0 && +- (itv->vbi.service_set_out & V4L2_SLICED_WSS_625)) { ++ if (p->line == 23 && p->field == 0) { + /* No lock needed for WSS */ + itv->vbi.wss = p->data[0] | (p->data[1] << 8); + itv->vbi.wss_found = 1; diff --git a/queue-2.6.22/v4l-ivtv-fix-dma-timeout-when-capturing-vbi-another-stream.patch b/queue-2.6.22/v4l-ivtv-fix-dma-timeout-when-capturing-vbi-another-stream.patch new file mode 100644 index 00000000000..1a6b4e9a922 --- /dev/null +++ b/queue-2.6.22/v4l-ivtv-fix-dma-timeout-when-capturing-vbi-another-stream.patch @@ -0,0 +1,58 @@ +From stable-bounces@linux.kernel.org Tue Jul 24 05:07:52 2007 +From: Hans Verkuil +Date: Tue, 24 Jul 2007 08:07:33 -0400 +Subject: V4L: ivtv: fix DMA timeout when capturing VBI + another stream +To: stable@kernel.org +Message-ID: <46A5EB85.701@linuxtv.org> + + +From: Hans Verkuil + +The VBI DMA is handled in a special way and is marked with a bit. +However, that bit was set at the wrong time and could be cleared +by mistake if a PCM (or other) DMA request would arrive before the +VBI DMA was completed. So on completion of the VBI DMA the driver +no longer knew that that DMA transfer was for VBI data. And this +in turn caused havoc with the card's DMA engine. + +(cherry picked from commit dd1e729d63f74a0b6290ca417bafd3fd8665db50) + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Michael Krufky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/ivtv/ivtv-irq.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/media/video/ivtv/ivtv-irq.c ++++ b/drivers/media/video/ivtv/ivtv-irq.c +@@ -403,6 +403,11 @@ static void ivtv_dma_enc_start(struct iv + /* Mark last buffer size for Interrupt flag */ + s->SGarray[s->SG_length - 1].size |= cpu_to_le32(0x80000000); + ++ if (s->type == IVTV_ENC_STREAM_TYPE_VBI) ++ set_bit(IVTV_F_I_ENC_VBI, &itv->i_flags); ++ else ++ clear_bit(IVTV_F_I_ENC_VBI, &itv->i_flags); ++ + if (ivtv_use_pio(s)) { + for (i = 0; i < s->SG_length; i++) { + s->PIOarray[i].src = le32_to_cpu(s->SGarray[i].src); +@@ -597,7 +602,6 @@ static void ivtv_irq_enc_start_cap(struc + data[0], data[1], data[2]); + return; + } +- clear_bit(IVTV_F_I_ENC_VBI, &itv->i_flags); + s = &itv->streams[ivtv_stream_map[data[0]]]; + if (!stream_enc_dma_append(s, data)) { + set_bit(ivtv_use_pio(s) ? IVTV_F_S_PIO_PENDING : IVTV_F_S_DMA_PENDING, &s->s_flags); +@@ -634,7 +638,6 @@ static void ivtv_irq_enc_vbi_cap(struct + then start a DMA request for just the VBI data. */ + if (!stream_enc_dma_append(s, data) && + !test_bit(IVTV_F_S_STREAMING, &s_mpg->s_flags)) { +- set_bit(IVTV_F_I_ENC_VBI, &itv->i_flags); + set_bit(ivtv_use_pio(s) ? IVTV_F_S_PIO_PENDING : IVTV_F_S_DMA_PENDING, &s->s_flags); + } + } diff --git a/queue-2.6.22/v4l-wm8775-wm8739-fix-memory-leak-when-unloading-module.patch b/queue-2.6.22/v4l-wm8775-wm8739-fix-memory-leak-when-unloading-module.patch new file mode 100644 index 00000000000..58d7208774a --- /dev/null +++ b/queue-2.6.22/v4l-wm8775-wm8739-fix-memory-leak-when-unloading-module.patch @@ -0,0 +1,57 @@ +From stable-bounces@linux.kernel.org Tue Jul 24 05:07:52 2007 +From: Hans Verkuil +Date: Tue, 24 Jul 2007 08:07:43 -0400 +Subject: V4L: wm8775/wm8739: Fix memory leak when unloading module +To: stable@kernel.org +Message-ID: <46A5EB8F.1080002@linuxtv.org> + +From: Hans Verkuil + +State struct was never freed. + +(cherry picked from commit 1b2232ab879993fcf5b9391c3febf6ab5d78201e) + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Michael Krufky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/wm8739.c | 2 ++ + drivers/media/video/wm8775.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/drivers/media/video/wm8739.c ++++ b/drivers/media/video/wm8739.c +@@ -321,12 +321,14 @@ static int wm8739_probe(struct i2c_adapt + + static int wm8739_detach(struct i2c_client *client) + { ++ struct wm8739_state *state = i2c_get_clientdata(client); + int err; + + err = i2c_detach_client(client); + if (err) + return err; + ++ kfree(state); + kfree(client); + return 0; + } +--- a/drivers/media/video/wm8775.c ++++ b/drivers/media/video/wm8775.c +@@ -222,12 +222,14 @@ static int wm8775_probe(struct i2c_adapt + + static int wm8775_detach(struct i2c_client *client) + { ++ struct wm8775_state *state = i2c_get_clientdata(client); + int err; + + err = i2c_detach_client(client); + if (err) { + return err; + } ++ kfree(state); + kfree(client); + + return 0;