From: Greg Kroah-Hartman
Date: Mon, 4 Jan 2010 21:13:37 +0000 (-0800)
Subject: start .27 queue
X-Git-Tag: v2.6.31.10~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=67675e3431e8114b5655023651b3f519cee53fef;p=thirdparty%2Fkernel%2Fstable-queue.git
start .27 queue
---
diff --git a/queue-2.6.27/libertas-fix-buffer-overflow-in-lbs_get_essid.patch b/queue-2.6.27/libertas-fix-buffer-overflow-in-lbs_get_essid.patch
new file mode 100644
index 00000000000..143a8c03595
--- /dev/null
+++ b/queue-2.6.27/libertas-fix-buffer-overflow-in-lbs_get_essid.patch
@@ -0,0 +1,50 @@
+From 45b241689179a6065384260242637cf21dabfb2d Mon Sep 17 00:00:00 2001
+From: Daniel Mack
+Date: Wed, 16 Dec 2009 05:12:58 +0100
+Subject: Libertas: fix buffer overflow in lbs_get_essid()
+
+From: Daniel Mack
+
+commit 45b241689179a6065384260242637cf21dabfb2d upstream.
+
+The libertas driver copies the SSID buffer back to the wireless core and
+appends a trailing NULL character for termination. This is
+
+a) unnecessary because the buffer is allocated with kzalloc and is hence
+ already NULLed when this function is called, and
+
+b) for priv->curbssparams.ssid_len == 32, it writes back one byte too
+ much which causes memory corruptions.
+
+Fix this by removing the extra write.
+
+Signed-off-by: Daniel Mack
+Cc: Stephen Hemminger
+Cc: Maithili Hinge
+Cc: Kiran Divekar
+Cc: Michael Hirsch
+Cc: netdev@vger.kernel.org
+Cc: libertas-dev@lists.infradead.org
+Cc: linux-wireless@lists.infradead.org
+Acked-by: Holger Schurig
+Acked-by: Dan Williams
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/libertas/wext.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/wireless/libertas/wext.c
++++ b/drivers/net/wireless/libertas/wext.c
+@@ -1899,10 +1899,8 @@ static int lbs_get_essid(struct net_devi
+ if (priv->connect_status == LBS_CONNECTED) {
+ memcpy(extra, priv->curbssparams.ssid,
+ priv->curbssparams.ssid_len);
+- extra[priv->curbssparams.ssid_len] = '\0';
+ } else {
+ memset(extra, 0, 32);
+- extra[priv->curbssparams.ssid_len] = '\0';
+ }
+ /*
+ * If none, we may want to get the one that was set
diff --git a/queue-2.6.27/pata_cmd64x-fix-overclocking-of-udma0-2-modes.patch b/queue-2.6.27/pata_cmd64x-fix-overclocking-of-udma0-2-modes.patch
new file mode 100644
index 00000000000..07fad5069cf
--- /dev/null
+++ b/queue-2.6.27/pata_cmd64x-fix-overclocking-of-udma0-2-modes.patch
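Review bot: In the libertas patch, the `memcpy(extra, priv->curbssparams.ssid, priv->curbssparams.ssid_len)` that remains in `lbs_get_essid()` still trusts `ssid_len` to be no larger than the 32 bytes the other branch clears with `memset(extra, 0, 32)`; nothing in the hunk bounds it. If the field is not clamped where it is filled in (not visible here), a larger value would write past `extra` in the same way the removed terminator write did, so bounding the copy length with `min_t(size_t, priv->curbssparams.ssid_len, IW_ESSID_MAX_SIZE)` would make the function safe on its own. Replacing the literal `32` with `IW_ESSID_MAX_SIZE` would also tie both branches to one limit. The function body starts and ends outside the hunk.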
@@ -0,0 +1,38 @@
+From 509426bd46ad0903dca409803e0ee3d30f99f1e8 Mon Sep 17 00:00:00 2001
+From: Bartlomiej Zolnierkiewicz
+Date: Sun, 20 Dec 2009 19:22:33 +0100
+Subject: pata_cmd64x: fix overclocking of UDMA0-2 modes
+
+From: Bartlomiej Zolnierkiewicz
+
+commit 509426bd46ad0903dca409803e0ee3d30f99f1e8 upstream.
+
+adev->dma_mode stores the transfer mode value not UDMA mode number
+so the condition in cmd64x_set_dmamode() is always true and the higher
+UDMA clock is always selected. This can potentially result in data
+corruption when UDMA33 device is used, when 40-wire cable is used or
+when the error recovery code decides to lower the device speed down.
+
+The issue was introduced in the commit 6a40da0 ("libata cmd64x: whack
+into a shape that looks like the documentation") which goes back to
+kernel 2.6.20.
+
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Signed-off-by: Jeff Garzik
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/pata_cmd64x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/pata_cmd64x.c
++++ b/drivers/ata/pata_cmd64x.c
+@@ -219,7 +219,7 @@ static void cmd64x_set_dmamode(struct at
+ regU |= udma_data[adev->dma_mode - XFER_UDMA_0] << shift;
+ /* Merge the control bits */
+ regU |= 1 << adev->devno; /* UDMA on */
+- if (adev->dma_mode > 2) /* 15nS timing */
++ if (adev->dma_mode > XFER_UDMA_2) /* 15nS timing */
+ regU |= 4 << adev->devno;
+ } else {
+ regU &= ~ (1 << adev->devno); /* UDMA off */
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
new file mode 100644
index 00000000000..cd277d71b85
--- /dev/null
+++ b/queue-2.6.27/series
@@ -0,0 +1,3 @@
+libertas-fix-buffer-overflow-in-lbs_get_essid.patch
+pata_cmd64x-fix-overclocking-of-udma0-2-modes.patch
+sound-sgio2audio-pdaudiocf-usb-audio-initialize-pcm-buffer.patch
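Review bot: In the pata_cmd64x patch, the comment on the corrected line in `cmd64x_set_dmamode()` still reads only `/* 15nS timing */`, which does not record the fact the bug turned on: `adev->dma_mode` holds an XFER_* transfer-mode value, not a UDMA mode number. A comment such as `/* dma_mode is an XFER_* value; modes above UDMA2 need the faster clock */` would keep a later edit from comparing against a bare number again. The index `adev->dma_mode - XFER_UDMA_0` three lines up depends on the same convention, and its lower bound comes from the enclosing `if`, which lies outside the hunk.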
diff --git a/queue-2.6.27/sound-sgio2audio-pdaudiocf-usb-audio-initialize-pcm-buffer.patch b/queue-2.6.27/sound-sgio2audio-pdaudiocf-usb-audio-initialize-pcm-buffer.patch
new file mode 100644
index 00000000000..449f6a18011
--- /dev/null
+++ b/queue-2.6.27/sound-sgio2audio-pdaudiocf-usb-audio-initialize-pcm-buffer.patch
@@ -0,0 +1,57 @@
+From 3e85fd614c7b6bb7f33bb04a0dcb5a3bfca4c0fe Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch
+Date: Fri, 18 Dec 2009 09:27:24 +0100
+Subject: sound: sgio2audio/pdaudiocf/usb-audio: initialize PCM buffer
+
+From: Clemens Ladisch
+
+commit 3e85fd614c7b6bb7f33bb04a0dcb5a3bfca4c0fe upstream.
+
+When allocating the PCM buffer, use vmalloc_user() instead of vmalloc().
+Otherwise, it would be possible for applications to play the previous
+contents of the kernel memory to the speakers, or to read it directly if
+the buffer is exported to userspace.
+
+Signed-off-by: Clemens Ladisch
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/mips/sgio2audio.c | 2 +-
+ sound/pcmcia/pdaudiocf/pdaudiocf_pcm.c | 2 +-
+ sound/usb/usbaudio.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/mips/sgio2audio.c
++++ b/sound/mips/sgio2audio.c
+@@ -609,7 +609,7 @@ static int snd_sgio2audio_pcm_hw_params(
+ /* alloc virtual 'dma' area */
+ if (runtime->dma_area)
+ vfree(runtime->dma_area);
+- runtime->dma_area = vmalloc(size);
++ runtime->dma_area = vmalloc_user(size);
+ if (runtime->dma_area == NULL)
+ return -ENOMEM;
+ runtime->dma_bytes = size;
+--- a/sound/pcmcia/pdaudiocf/pdaudiocf_pcm.c
++++ b/sound/pcmcia/pdaudiocf/pdaudiocf_pcm.c
+@@ -51,7 +51,7 @@ static int snd_pcm_alloc_vmalloc_buffer(
+ return 0; /* already enough large */
+ vfree(runtime->dma_area);
+ }
+- runtime->dma_area = vmalloc_32(size);
++ runtime->dma_area = vmalloc_32_user(size);
+ if (! runtime->dma_area)
+ return -ENOMEM;
+ runtime->dma_bytes = size;
+--- a/sound/usb/usbaudio.c
++++ b/sound/usb/usbaudio.c
+@@ -740,7 +740,7 @@ static int snd_pcm_alloc_vmalloc_buffer(
+ return 0; /* already large enough */
+ vfree(runtime->dma_area);
+ }
+- runtime->dma_area = vmalloc(size);
++ runtime->dma_area = vmalloc_user(size);
+ if (!runtime->dma_area)
+ return -ENOMEM;
+ runtime->dma_bytes = size;
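Review bot: In the pdaudiocf and usb-audio copies of `snd_pcm_alloc_vmalloc_buffer()`, the early `return 0;` path ("already large enough") hands back the existing buffer without clearing it, so only a fresh allocation gets the zeroed memory that `vmalloc_user()` / `vmalloc_32_user()` provide. A reused buffer presumably holds earlier PCM data rather than arbitrary kernel memory, and whether it can pass from one owner to another depends on where the buffer is freed, which is outside these hunks. A comment on that return stating the assumption, e.g. `/* reused buffer is not re-zeroed; confirm it only ever held this substream's data */`, would make it checkable. The helper is duplicated per driver, so any other driver carrying its own copy with plain `vmalloc()` would presumably need the same change; all three function bodies extend beyond the hunks.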