From 858c9e215c36ccfa973b8480be9711d2750bca3c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 19 Oct 2010 14:06:07 -0700
Subject: [PATCH] .33 patches (ignore them...)
---
...-add-dell-latitude-e6400-model-quirk.patch | 31 +++++
...x-analog-capture-on-claro-halo-cards.patch | 35 ++++++
...event-heap-corruption-in-snd_ctl_new.patch | 48 +++++++
...-free-when-unloading-a-driver-module.patch | 44 +++++++
...t-reading-uninitialized-stack-memory.patch | 45 +++++++
...-rx-coalescing-for-iwarp-connections.patch | 47 +++++++
queue-2.6.33/series | 8 ++
...alization-of-interface-minor-numbers.patch | 118 ++++++++++++++++++
...g-cpuid-re-run-cpu-feature-detection.patch | 55 ++++++++
9 files changed, 431 insertions(+)
create mode 100644 queue-2.6.33/alsa-hda-add-dell-latitude-e6400-model-quirk.patch
create mode 100644 queue-2.6.33/alsa-oxygen-fix-analog-capture-on-claro-halo-cards.patch
create mode 100644 queue-2.6.33/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
create mode 100644 queue-2.6.33/alsa-rawmidi-fix-oops-use-after-free-when-unloading-a-driver-module.patch
create mode 100644 queue-2.6.33/alsa-sound-pci-rme9652-prevent-reading-uninitialized-stack-memory.patch
create mode 100644 queue-2.6.33/rdma-cxgb3-turn-off-rx-coalescing-for-iwarp-connections.patch
create mode 100644 queue-2.6.33/series
create mode 100644 queue-2.6.33/usb-fix-bug-in-initialization-of-interface-minor-numbers.patch
create mode 100644 queue-2.6.33/x86-cpu-after-uncapping-cpuid-re-run-cpu-feature-detection.patch
diff --git a/queue-2.6.33/alsa-hda-add-dell-latitude-e6400-model-quirk.patch b/queue-2.6.33/alsa-hda-add-dell-latitude-e6400-model-quirk.patch
new file mode 100644
index 00000000000..dcd9f9192ab
--- /dev/null
+++ b/queue-2.6.33/alsa-hda-add-dell-latitude-e6400-model-quirk.patch
@@ -0,0 +1,31 @@
+From 0f9f1ee9d1412d45a22bfd69dfd4d4324b506e9e Mon Sep 17 00:00:00 2001
+From: Luke Yelavich
+Date: Tue, 21 Sep 2010 17:05:46 +1000
+Subject: ALSA: hda - Add Dell Latitude E6400 model quirk
+
+From: Luke Yelavich
+
+commit 0f9f1ee9d1412d45a22bfd69dfd4d4324b506e9e upstream.
+
+BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/643891
+
+Set the Dell Latitude E6400 (1028:0233) SSID to use AD1984_DELL_DESKTOP
+
+Signed-off-by: Luke Yelavich
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_analog.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_analog.c
++++ b/sound/pci/hda/patch_analog.c
+@@ -3536,6 +3536,7 @@ static struct snd_pci_quirk ad1984_cfg_t
+ /* Lenovo Thinkpad T61/X61 */
+ SND_PCI_QUIRK_VENDOR(0x17aa, "Lenovo Thinkpad", AD1984_THINKPAD),
+ SND_PCI_QUIRK(0x1028, 0x0214, "Dell T3400", AD1984_DELL_DESKTOP),
++ SND_PCI_QUIRK(0x1028, 0x0233, "Dell Latitude E6400", AD1984_DELL_DESKTOP),
+ {}
+ };
+
diff --git a/queue-2.6.33/alsa-oxygen-fix-analog-capture-on-claro-halo-cards.patch b/queue-2.6.33/alsa-oxygen-fix-analog-capture-on-claro-halo-cards.patch
new file mode 100644
index 00000000000..744db1c93c7
--- /dev/null
+++ b/queue-2.6.33/alsa-oxygen-fix-analog-capture-on-claro-halo-cards.patch
@@ -0,0 +1,35 @@
+From 0873a5ae747847ee55a63db409dff3476e45bcd9 Mon Sep 17 00:00:00 2001
+From: Erik J. Staab
+Date: Wed, 22 Sep 2010 11:07:41 +0200
+Subject: ALSA: oxygen: fix analog capture on Claro halo cards
+
+From: Erik J. Staab
+
+commit 0873a5ae747847ee55a63db409dff3476e45bcd9 upstream.
+
+On the HT-Omega Claro halo card, the ADC data must be captured from the
+second I2S input. Using the default first input, which isn't connected
+to anything, would result in silence.
+
+Signed-off-by: Erik J. Staab
+Signed-off-by: Clemens Ladisch
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/oxygen/oxygen.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/pci/oxygen/oxygen.c
++++ b/sound/pci/oxygen/oxygen.c
+@@ -543,6 +543,10 @@ static int __devinit get_oxygen_model(st
+ chip->model.suspend = claro_suspend;
+ chip->model.resume = claro_resume;
+ chip->model.set_adc_params = set_ak5385_params;
++ chip->model.device_config = PLAYBACK_0_TO_I2S |
++ PLAYBACK_1_TO_SPDIF |
++ CAPTURE_0_FROM_I2S_2 |
++ CAPTURE_1_FROM_SPDIF;
+ break;
+ }
+ if (id->driver_data == MODEL_MERIDIAN ||
diff --git a/queue-2.6.33/alsa-prevent-heap-corruption-in-snd_ctl_new.patch b/queue-2.6.33/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
new file mode 100644
index 00000000000..664f79145db
--- /dev/null
+++ b/queue-2.6.33/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
@@ -0,0 +1,48 @@
+From 5591bf07225523600450edd9e6ad258bb877b779 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg
+Date: Tue, 28 Sep 2010 14:18:20 -0400
+Subject: ALSA: prevent heap corruption in snd_ctl_new()
+
+From: Dan Rosenberg
+
+commit 5591bf07225523600450edd9e6ad258bb877b779 upstream.
+
+The snd_ctl_new() function in sound/core/control.c allocates space for a
+snd_kcontrol struct by performing arithmetic operations on a
+user-provided size without checking for integer overflow. If a user
+provides a large enough size, an overflow will occur, the allocated
+chunk will be too small, and a second user-influenced value will be
+written repeatedly past the bounds of this chunk. This code is
+reachable by unprivileged users who have permission to open
+a /dev/snd/controlC* device (on many distros, this is group "audio") via
+the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
+
+Signed-off-by: Dan Rosenberg
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/control.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -31,6 +31,7 @@
+
+ /* max number of user-defined controls */
+ #define MAX_USER_CONTROLS 32
++#define MAX_CONTROL_COUNT 1028
+
+ struct snd_kctl_ioctl {
+ struct list_head list; /* list of all ioctls */
+@@ -191,6 +192,10 @@ static struct snd_kcontrol *snd_ctl_new(
+
+ if (snd_BUG_ON(!control || !control->count))
+ return NULL;
++
++ if (control->count > MAX_CONTROL_COUNT)
++ return NULL;
++
+ kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
+ if (kctl == NULL) {
+ snd_printk(KERN_ERR "Cannot allocate control instance\n");
diff --git a/queue-2.6.33/alsa-rawmidi-fix-oops-use-after-free-when-unloading-a-driver-module.patch b/queue-2.6.33/alsa-rawmidi-fix-oops-use-after-free-when-unloading-a-driver-module.patch
new file mode 100644
index 00000000000..9ff2d58be56
--- /dev/null
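Review bot: `MAX_CONTROL_COUNT` in the sound/core/control.c hunk of alsa-prevent-heap-corruption-in-snd_ctl_new.patch is added without a comment, although it is the only thing keeping `sizeof(struct snd_kcontrol_volatile) * control->count` from wrapping before `kzalloc()`. The neighbouring `MAX_USER_CONTROLS` carries a comment; I would add one here too, e.g. `/* upper bound on control->count accepted by snd_ctl_new(); keeps the kzalloc() size computation from overflowing */`, and say where 1028 comes from. The over-limit path returns NULL exactly like the allocation-failure path, so callers presumably cannot tell a rejected count from out-of-memory; the callers and the rest of snd_ctl_new() are outside this hunk.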
+++ b/queue-2.6.33/alsa-rawmidi-fix-oops-use-after-free-when-unloading-a-driver-module.patch
@@ -0,0 +1,44 @@
+From aa73aec6c385e2c797ac25cc7ccf0318031de7c8 Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch
+Date: Fri, 15 Oct 2010 12:06:18 +0200
+Subject: ALSA: rawmidi: fix oops (use after free) when unloading a driver module
+
+From: Clemens Ladisch
+
+commit aa73aec6c385e2c797ac25cc7ccf0318031de7c8 upstream.
+
+When a driver module is unloaded and the last still open file is a raw
+MIDI device, the card and its devices will be actually freed in the
+snd_card_file_remove() call when that file is closed. Afterwards, rmidi
+and rmidi->card point into freed memory, so the module pointer is likely
+to be garbage.
+(This was introduced by commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a.)
+
+Signed-off-by: Clemens Ladisch
+Reported-by: Krzysztof Foltman
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/rawmidi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -531,13 +531,15 @@ static int snd_rawmidi_release(struct in
+ {
+ struct snd_rawmidi_file *rfile;
+ struct snd_rawmidi *rmidi;
++ struct module *module;
+
+ rfile = file->private_data;
+ rmidi = rfile->rmidi;
+ rawmidi_release_priv(rfile);
+ kfree(rfile);
++ module = rmidi->card->module;
+ snd_card_file_remove(rmidi->card, file);
+- module_put(rmidi->card->module);
++ module_put(module);
+ return 0;
+ }
+
diff --git a/queue-2.6.33/alsa-sound-pci-rme9652-prevent-reading-uninitialized-stack-memory.patch b/queue-2.6.33/alsa-sound-pci-rme9652-prevent-reading-uninitialized-stack-memory.patch
new file mode 100644
index 00000000000..f00faf69266
--- /dev/null
+++ b/queue-2.6.33/alsa-sound-pci-rme9652-prevent-reading-uninitialized-stack-memory.patch
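Review bot: The new `module = rmidi->card->module;` line in snd_rawmidi_release() (sound/core/rawmidi.c hunk) has to stay ahead of `snd_card_file_remove()`, but nothing in the code says so, which makes it easy for a later cleanup to fold it back into `module_put(rmidi->card->module)`. A one-line comment above the assignment would pin the ordering: `/* snd_card_file_remove() may free the card and rmidi; fetch the module pointer first */`. The commit text already gives this reason, so the comment only moves it next to the code it protects.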
@@ -0,0 +1,45 @@
+From e68d3b316ab7b02a074edc4f770e6a746390cb7d Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg
+Date: Sat, 25 Sep 2010 11:07:27 -0400
+Subject: ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory
+
+From: Dan Rosenberg
+
+commit e68d3b316ab7b02a074edc4f770e6a746390cb7d upstream.
+
+The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and
+SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow
+unprivileged users to read uninitialized kernel stack memory, because
+several fields of the hdsp{m}_config_info structs declared on the stack
+are not altered or zeroed before being copied back to the user. This
+patch takes care of it.
+
+Signed-off-by: Dan Rosenberg
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/rme9652/hdsp.c | 1 +
+ sound/pci/rme9652/hdspm.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/sound/pci/rme9652/hdsp.c
++++ b/sound/pci/rme9652/hdsp.c
+@@ -4610,6 +4610,7 @@ static int snd_hdsp_hwdep_ioctl(struct s
+ if (err < 0)
+ return err;
+
++ memset(&info, 0, sizeof(info));
+ spin_lock_irqsave(&hdsp->lock, flags);
+ info.pref_sync_ref = (unsigned char)hdsp_pref_sync_ref(hdsp);
+ info.wordclock_sync_check = (unsigned char)hdsp_wc_sync_check(hdsp);
+--- a/sound/pci/rme9652/hdspm.c
++++ b/sound/pci/rme9652/hdspm.c
+@@ -4127,6 +4127,7 @@ static int snd_hdspm_hwdep_ioctl(struct
+
+ case SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO:
+
++ memset(&info, 0, sizeof(info));
+ spin_lock_irq(&hdspm->lock);
+ info.pref_sync_ref = hdspm_pref_sync_ref(hdspm);
+ info.wordclock_sync_check = hdspm_wc_sync_check(hdspm);
diff --git a/queue-2.6.33/rdma-cxgb3-turn-off-rx-coalescing-for-iwarp-connections.patch b/queue-2.6.33/rdma-cxgb3-turn-off-rx-coalescing-for-iwarp-connections.patch
new file mode 100644
index 00000000000..c690169e23a
--- /dev/null
+++ b/queue-2.6.33/rdma-cxgb3-turn-off-rx-coalescing-for-iwarp-connections.patch
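Review bot: Both added `memset(&info, 0, sizeof(info));` calls (the hdsp.c and hdspm.c hunks) lack a comment saying they exist to keep stack bytes out of user space, so they look redundant next to the field assignments that follow. A line such as `/* zero unset fields and padding: the struct is copied to user space */` above each would keep them from being dropped later. The declarations of `info` and the copy-out are outside both hunks, so it is not visible here whether other cases in these ioctl switches fill a stack struct the same way; they deserve the same check. The commit text names `SNDRV_HDSP_IOCTL_GET_CONFIG_INFO` twice, while the hdspm.c hunk shows the second ioctl is `SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO`.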
@@ -0,0 +1,47 @@
+From bec658ff31453a5726b1c188674d587a5d40c482 Mon Sep 17 00:00:00 2001
+From: Steve Wise
+Date: Sat, 18 Sep 2010 19:38:21 -0500
+Subject: RDMA/cxgb3: Turn off RX coalescing for iWARP connections
+
+From: Steve Wise
+
+commit bec658ff31453a5726b1c188674d587a5d40c482 upstream.
+
+The HW by default has RX coalescing on. For iWARP connections, this
+causes a 100ms delay in connection establishement due to the ingress
+MPA Start message being stalled in HW. So explicitly turn RX
+coalescing off when setting up iWARP connections.
+
+This was causing very bad performance for NP64 gather operations using
+Open MPI, due to the way it sets up connections on larger jobs.
+
+Signed-off-by: Steve Wise
+Signed-off-by: Roland Dreier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/cxgb3/iwch_cm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/cxgb3/iwch_cm.c
++++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c
+@@ -486,7 +486,8 @@ static int send_connect(struct iwch_ep *
+ V_MSS_IDX(mtu_idx) |
+ V_L2T_IDX(ep->l2t->idx) | V_TX_CHANNEL(ep->l2t->smt_idx);
+ opt0l = V_TOS((ep->tos >> 2) & M_TOS) | V_RCV_BUFSIZ(rcv_win>>10);
+- opt2 = V_FLAVORS_VALID(1) | V_CONG_CONTROL_FLAVOR(cong_flavor);
++ opt2 = F_RX_COALESCE_VALID | V_RX_COALESCE(0) | V_FLAVORS_VALID(1) |
++ V_CONG_CONTROL_FLAVOR(cong_flavor);
+ skb->priority = CPL_PRIORITY_SETUP;
+ set_arp_failure_handler(skb, act_open_req_arp_failure);
+
+@@ -1303,7 +1304,8 @@ static void accept_cr(struct iwch_ep *ep
+ V_MSS_IDX(mtu_idx) |
+ V_L2T_IDX(ep->l2t->idx) | V_TX_CHANNEL(ep->l2t->smt_idx);
+ opt0l = V_TOS((ep->tos >> 2) & M_TOS) | V_RCV_BUFSIZ(rcv_win>>10);
+- opt2 = V_FLAVORS_VALID(1) | V_CONG_CONTROL_FLAVOR(cong_flavor);
++ opt2 = F_RX_COALESCE_VALID | V_RX_COALESCE(0) | V_FLAVORS_VALID(1) |
++ V_CONG_CONTROL_FLAVOR(cong_flavor);
+
+ rpl = cplhdr(skb);
+ rpl->wr.wr_hi = htonl(V_WR_OP(FW_WROPCODE_FORWARD));
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
new file mode 100644
index 00000000000..f98ce04b903
--- /dev/null
+++ b/queue-2.6.33/series
@@ -0,0 +1,8 @@
+x86-cpu-after-uncapping-cpuid-re-run-cpu-feature-detection.patch
+alsa-sound-pci-rme9652-prevent-reading-uninitialized-stack-memory.patch
+alsa-oxygen-fix-analog-capture-on-claro-halo-cards.patch
+alsa-hda-add-dell-latitude-e6400-model-quirk.patch
+alsa-prevent-heap-corruption-in-snd_ctl_new.patch
+alsa-rawmidi-fix-oops-use-after-free-when-unloading-a-driver-module.patch
+usb-fix-bug-in-initialization-of-interface-minor-numbers.patch
+rdma-cxgb3-turn-off-rx-coalescing-for-iwarp-connections.patch
diff --git a/queue-2.6.33/usb-fix-bug-in-initialization-of-interface-minor-numbers.patch b/queue-2.6.33/usb-fix-bug-in-initialization-of-interface-minor-numbers.patch
new file mode 100644
index 00000000000..f3e294d76e9
--- /dev/null
+++ b/queue-2.6.33/usb-fix-bug-in-initialization-of-interface-minor-numbers.patch
@@ -0,0 +1,118 @@
+From 0026e00523a85b90a92a93ddf6660939ecef3e54 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Tue, 21 Sep 2010 15:01:53 -0400
+Subject: USB: fix bug in initialization of interface minor numbers
+
+From: Alan Stern
+
+commit 0026e00523a85b90a92a93ddf6660939ecef3e54 upstream.
+
+Recent changes in the usbhid layer exposed a bug in usbcore. If
+CONFIG_USB_DYNAMIC_MINORS is enabled then an interface may be assigned
+a minor number of 0. However interfaces that aren't registered as USB
+class devices also have their minor number set to 0, during
+initialization. As a result usb_find_interface() may return the
+wrong interface, leading to a crash.
+
+This patch (as1418) fixes the problem by initializing every
+interface's minor number to -1. It also cleans up the
+usb_register_dev() function, which besides being somewhat awkwardly
+written, does not unwind completely on all its error paths.
+
+Signed-off-by: Alan Stern
+Tested-by: Philip J. Turmel
+Tested-by: Gabriel Craciunescu
+Tested-by: Alex Riesen
+Tested-by: Matthias Bayer
+CC: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/file.c | 35 ++++++++++++++++-------------------
+ drivers/usb/core/message.c | 1 +
+ 2 files changed, 17 insertions(+), 19 deletions(-)
+
+--- a/drivers/usb/core/file.c
++++ b/drivers/usb/core/file.c
+@@ -160,9 +160,9 @@ void usb_major_cleanup(void)
+ int usb_register_dev(struct usb_interface *intf,
+ struct usb_class_driver *class_driver)
+ {
+- int retval = -EINVAL;
++ int retval;
+ int minor_base = class_driver->minor_base;
+- int minor = 0;
++ int minor;
+ char name[20];
+ char *temp;
+
+@@ -174,12 +174,17 @@ int usb_register_dev(struct usb_interfac
+ */
+ minor_base = 0;
+ #endif
+- intf->minor = -1;
+-
+- dbg ("looking for a minor, starting at %d", minor_base);
+
+ if (class_driver->fops == NULL)
+- goto exit;
++ return -EINVAL;
++ if (intf->minor >= 0)
++ return -EADDRINUSE;
++
++ retval = init_usb_class();
++ if (retval)
++ return retval;
++
++ dev_dbg(&intf->dev, "looking for a minor, starting at %d", minor_base);
+
+ down_write(&minor_rwsem);
+ for (minor = minor_base; minor < MAX_USB_MINORS; ++minor) {
+@@ -187,20 +192,12 @@ int usb_register_dev(struct usb_interfac
+ continue;
+
+ usb_minors[minor] = class_driver->fops;
+-
+- retval = 0;
++ intf->minor = minor;
+ break;
+ }
+ up_write(&minor_rwsem);
+-
+- if (retval)
+- goto exit;
+-
+- retval = init_usb_class();
+- if (retval)
+- goto exit;
+-
+- intf->minor = minor;
++ if (intf->minor < 0)
++ return -EXFULL;
+
+ /* create a usb class device for this usb interface */
+ snprintf(name, sizeof(name), class_driver->name, minor - minor_base);
+@@ -214,11 +211,11 @@ int usb_register_dev(struct usb_interfac
+ "%s", temp);
+ if (IS_ERR(intf->usb_dev)) {
+ down_write(&minor_rwsem);
+- usb_minors[intf->minor] = NULL;
++ usb_minors[minor] = NULL;
++ intf->minor = -1;
+ up_write(&minor_rwsem);
+ retval = PTR_ERR(intf->usb_dev);
+ }
+-exit:
+ return retval;
+ }
+ EXPORT_SYMBOL_GPL(usb_register_dev);
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -1842,6 +1842,7 @@ free_interfaces:
+ intf->dev.groups = usb_interface_groups;
+ intf->dev.dma_mask = dev->dev.dma_mask;
+ INIT_WORK(&intf->reset_ws, __usb_queue_reset_device);
++ intf->minor = -1;
+ device_initialize(&intf->dev);
+ mark_quiesced(intf);
+ dev_set_name(&intf->dev, "%d-%s:%d.%d",
diff --git a/queue-2.6.33/x86-cpu-after-uncapping-cpuid-re-run-cpu-feature-detection.patch b/queue-2.6.33/x86-cpu-after-uncapping-cpuid-re-run-cpu-feature-detection.patch
new file mode 100644
index 00000000000..51de7e839c4
--- /dev/null
+++ b/queue-2.6.33/x86-cpu-after-uncapping-cpuid-re-run-cpu-feature-detection.patch
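Review bot: In the reworked usb_register_dev() (drivers/usb/core/file.c hunks of usb-fix-bug-in-initialization-of-interface-minor-numbers.patch), `init_usb_class()` now runs before the minor search, but neither the new `return -EXFULL;` nor the `IS_ERR(intf->usb_dev)` branch visibly undoes it. If init_usb_class() takes a reference or allocates on each call (its body is not part of this patch), those two failure paths leave it unbalanced, which sits oddly with the commit text's claim that the unwinding is now complete. They would need the matching release before returning, presumably file.c's `destroy_usb_class()` if that is the counterpart. The part of the function between the last two file.c hunks is not shown, so the `device_create()` call itself cannot be checked from here.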
@@ -0,0 +1,55 @@
+From d900329e20f4476db6461752accebcf7935a8055 Mon Sep 17 00:00:00 2001
+From: H. Peter Anvin
+Date: Tue, 28 Sep 2010 15:35:01 -0700
+Subject: x86, cpu: After uncapping CPUID, re-run CPU feature detection
+
+From: H. Peter Anvin
+
+commit d900329e20f4476db6461752accebcf7935a8055 upstream.
+
+After uncapping the CPUID level, we need to also re-run the CPU
+feature detection code.
+
+This resolves kernel bugzilla 16322.
+
+Reported-by: boris64
+LKML-Reference:
+Signed-off-by: H. Peter Anvin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/cpu/cpu.h | 1 +
+ arch/x86/kernel/cpu/intel.c | 1 +
+ 3 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -537,7 +537,7 @@ void __cpuinit cpu_detect(struct cpuinfo
+ }
+ }
+
+-static void __cpuinit get_cpu_cap(struct cpuinfo_x86 *c)
++void __cpuinit get_cpu_cap(struct cpuinfo_x86 *c)
+ {
+ u32 tfms, xlvl;
+ u32 ebx;
+--- a/arch/x86/kernel/cpu/cpu.h
++++ b/arch/x86/kernel/cpu/cpu.h
+@@ -33,5 +33,6 @@ extern const struct cpu_dev *const __x86
+ *const __x86_cpu_dev_end[];
+
+ extern void cpu_detect_cache_sizes(struct cpuinfo_x86 *c);
++extern void get_cpu_cap(struct cpuinfo_x86 *c);
+
+ #endif
+--- a/arch/x86/kernel/cpu/intel.c
++++ b/arch/x86/kernel/cpu/intel.c
+@@ -40,6 +40,7 @@ static void __cpuinit early_init_intel(s
+ misc_enable &= ~MSR_IA32_MISC_ENABLE_LIMIT_CPUID;
+ wrmsrl(MSR_IA32_MISC_ENABLE, misc_enable);
+ c->cpuid_level = cpuid_eax(0);
++ get_cpu_cap(c);
+ }
+ }
+
-- 2.47.2