From ba44a39f9910ffbfbc2bd10932938245d2c7e777 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 16 Nov 2008 21:29:26 -0800
Subject: [PATCH] more .27 patches
---
 ...cording-to-the-status-of-acpi-device.patch | 144 ++++++++++++++++++
 ...x-broken-ownership-of-proc-sys-files.patch | 30 ++++
 .../s390-cpu-topology-fix-locking.patch | 79 ++++++++++
 queue-2.6.27/series | 6 +-
 ...tvaudio-when-controlling-bass-treble.patch | 131 ++++++++++++++++
 5 files changed, 389 insertions(+), 1 deletion(-)
 create mode 100644 queue-2.6.27/acpi-load-device-driver-according-to-the-status-of-acpi-device.patch
 create mode 100644 queue-2.6.27/fix-broken-ownership-of-proc-sys-files.patch
 create mode 100644 queue-2.6.27/s390-cpu-topology-fix-locking.patch
 create mode 100644 queue-2.6.27/v4l-dvb-cve-2008-5033-fix-oops-on-tvaudio-when-controlling-bass-treble.patch
diff --git a/queue-2.6.27/acpi-load-device-driver-according-to-the-status-of-acpi-device.patch b/queue-2.6.27/acpi-load-device-driver-according-to-the-status-of-acpi-device.patch
new file mode 100644
index 00000000000..88bea22bfd2
--- /dev/null
+++ b/queue-2.6.27/acpi-load-device-driver-according-to-the-status-of-acpi-device.patch
@@ -0,0 +1,144 @@
+From 39a0ad871000d2a016a4fa113a6e53d22aabf25d Mon Sep 17 00:00:00 2001
+From: Zhao Yakui
+Date: Mon, 11 Aug 2008 13:40:22 +0800
+Subject: ACPI : Load device driver according to the status of acpi device
+
+From: Zhao Yakui
+
+commit 39a0ad871000d2a016a4fa113a6e53d22aabf25d upstream.
+
+According to ACPI spec when the status of some device is not present
+but functional, the device is valid and the children of this device
+should be enumerated. It means that the device should be added to
+linux acpi device tree. But the device driver for this device should not
+be loaded.
+ The detailed info can be found in the section 6.3.7 of ACPI 3.0b spec.
+ _STA may return bit 0 clear (not present) with bit 3 set (device is
+functional). This case is used to indicate a valid device for which no
+device driver should be loaded (for example, a bridge device.).
+Children of this device may be present and valid. OS should continue
+enumeration below a device whose _STA returns this bit combination
+
+http://bugzilla.kernel.org/show_bug.cgi?id=3358
+
+Signed-off-by: Zhao Yakui
+Signed-off-by: Li Shaohua
+Signed-off-by: Zhang Rui
+Signed-off-by: Andi Kleen
+Signed-off-by: Len Brown
+Cc: Holger Macht
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/acpi/bus.c | 16 ++++++++--------
+ drivers/acpi/scan.c | 35 +++++++++++++++++++++++++----------
+ drivers/pnp/pnpacpi/core.c | 6 +++++-
+ 3 files changed, 38 insertions(+), 19 deletions(-)
+
+--- a/drivers/acpi/bus.c
++++ b/drivers/acpi/bus.c
+@@ -95,21 +95,21 @@ int acpi_bus_get_status(struct acpi_devi
+ }
+
+ /*
+- * Otherwise we assume the status of our parent (unless we don't
+- * have one, in which case status is implied).
++ * According to ACPI spec some device can be present and functional
++ * even if the parent is not present but functional.
++ * In such conditions the child device should not inherit the status
++ * from the parent.
+ */
+- else if (device->parent)
+- device->status = device->parent->status;
+ else
+ STRUCT_TO_INT(device->status) =
+ ACPI_STA_DEVICE_PRESENT | ACPI_STA_DEVICE_ENABLED |
+ ACPI_STA_DEVICE_UI | ACPI_STA_DEVICE_FUNCTIONING;
+
+ if (device->status.functional && !device->status.present) {
+- printk(KERN_WARNING PREFIX "Device [%s] status [%08x]: "
+- "functional but not present; setting present\n",
+- device->pnp.bus_id, (u32) STRUCT_TO_INT(device->status));
+- device->status.present = 1;
++ ACPI_DEBUG_PRINT((ACPI_DB_INFO, "Device [%s] status [%08x]: "
++ "functional but not present;\n",
++ device->pnp.bus_id,
++ (u32) STRUCT_TO_INT(device->status)));
+ }
+
+ ACPI_DEBUG_PRINT((ACPI_DB_INFO, "Device [%s] status [%08x]\n",
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -276,6 +276,13 @@ int acpi_match_device_ids(struct acpi_de
+ {
+ const struct acpi_device_id *id;
+
++ /*
++ * If the device is not present, it is unnecessary to load device
++ * driver for it.
++ */
++ if (!device->status.present)
++ return -ENODEV;
++
+ if (device->flags.hardware_id) {
+ for (id = ids; id->id[0]; id++) {
+ if (!strcmp((char*)id->id, device->pnp.hardware_id))
+@@ -1221,15 +1228,18 @@ acpi_add_single_object(struct acpi_devic
+ result = -ENODEV;
+ goto end;
+ }
+- if (!device->status.present) {
+- /* Bay and dock should be handled even if absent */
+- if (!ACPI_SUCCESS(
+- acpi_is_child_device(device, acpi_bay_match)) &&
+- !ACPI_SUCCESS(
+- acpi_is_child_device(device, acpi_dock_match))) {
+- result = -ENODEV;
+- goto end;
+- }
++ /*
++ * When the device is neither present nor functional, the
++ * device should not be added to Linux ACPI device tree.
++ * When the status of the device is not present but functinal,
++ * it should be added to Linux ACPI tree. For example : bay
++ * device , dock device.
++ * In such conditions it is unncessary to check whether it is
++ * bay device or dock device.
++ */
++ if (!device->status.present && !device->status.functional) {
++ result = -ENODEV;
++ goto end;
+ }
+ break;
+ default:
+@@ -1402,7 +1412,12 @@ static int acpi_bus_scan(struct acpi_dev
+ * TBD: Need notifications and other detection mechanisms
+ * in place before we can fully implement this.
+ */
+- if (child->status.present) {
++ /*
++ * When the device is not present but functional, it is also
++ * necessary to scan the children of this device.
++ */
++ if (child->status.present || (!child->status.present &&
++ child->status.functional)) {
+ status = acpi_get_next_object(ACPI_TYPE_ANY, chandle,
+ NULL, NULL);
+ if (ACPI_SUCCESS(status)) {
+--- a/drivers/pnp/pnpacpi/core.c
++++ b/drivers/pnp/pnpacpi/core.c
+@@ -148,9 +148,13 @@ static int __init pnpacpi_add_device(str
+ acpi_status status;
+ struct pnp_dev *dev;
+
++ /*
++ * If a PnPacpi device is not present , the device
++ * driver should not be loaded.
++ */
+ status = acpi_get_handle(device->handle, "_CRS", &temp);
+ if (ACPI_FAILURE(status) || !ispnpidacpi(acpi_device_hid(device)) ||
+- is_exclusive_device(device))
++ is_exclusive_device(device) || (!device->status.present))
+ return 0;
+
+ dev = pnp_alloc_dev(&pnpacpi_protocol, num, acpi_device_hid(device));
diff --git a/queue-2.6.27/fix-broken-ownership-of-proc-sys-files.patch b/queue-2.6.27/fix-broken-ownership-of-proc-sys-files.patch
new file mode 100644
index 00000000000..4951629883c
--- /dev/null
+++ b/queue-2.6.27/fix-broken-ownership-of-proc-sys-files.patch
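Review bot: In the acpi_bus_scan hunk of drivers/acpi/scan.c the new test `child->status.present || (!child->status.present && child->status.functional)` carries a redundant term; `if (child->status.present || child->status.functional) {` is equivalent and easier to audit. Separately, the acpi_add_single_object hunk drops the explicit bay/dock exception while acpi_match_device_ids now returns -ENODEV for any device without the present bit, so a bay or dock whose _STA reports neither present nor functional is, as far as these hunks show, no longer added or bound. Whether real hardware reports the functional bit for an empty bay is not visible here and should be confirmed before this goes to a stable tree. All three functions continue outside the hunks shown.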
@@ -0,0 +1,30 @@
+From 5c06fe772da43db63b053addcd2c267f76d0be91 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 16 Nov 2008 22:19:10 +0000
+Subject: Fix broken ownership of /proc/sys/ files
+
+From: Al Viro
+
+commit 5c06fe772da43db63b053addcd2c267f76d0be91 upstream.
+
+D'oh...
+
+Signed-off-by: Al Viro
+Reported-and-tested-by: Peter Palfrader
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/proc/proc_sysctl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -31,6 +31,7 @@ static struct inode *proc_sys_make_inode
+ inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME;
+ inode->i_flags |= S_PRIVATE; /* tell selinux to ignore this inode */
+ inode->i_mode = table->mode;
++ inode->i_uid = inode->i_gid = 0;
+ if (!table->child) {
+ inode->i_mode |= S_IFREG;
+ inode->i_op = &proc_sys_inode_operations;
diff --git a/queue-2.6.27/s390-cpu-topology-fix-locking.patch b/queue-2.6.27/s390-cpu-topology-fix-locking.patch
new file mode 100644
index 00000000000..fbf3e93165b
--- /dev/null
+++ b/queue-2.6.27/s390-cpu-topology-fix-locking.patch
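Review bot: The added `inode->i_uid = inode->i_gid = 0;` in proc_sys_make_inode (fs/proc/proc_sysctl.c) has no comment, and the commit message ("D'oh...") does not say why the assignment is needed, although together with `inode->i_mode = table->mode` it decides who may write a sysctl. I would add a line such as `/* sysctl inodes are always owned by root; do not rely on the allocator's defaults */` above it. Presumably the fields were previously left at whatever inode allocation produced; that is inferred from the subject line and is not visible in this hunk. The function body starts and ends outside the hunk.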
@@ -0,0 +1,79 @@
+From 74af283102b358b0da545460d0d176f473e110f6 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens
+Date: Fri, 14 Nov 2008 18:18:07 +0100
+Subject: S390: cpu topology: fix locking
+
+From: Heiko Carstens
+
+commit 74af283102b358b0da545460d0d176f473e110f6 upstream.
+
+cpu_coregroup_map used to grab a mutex on s390 since it was only
+called from process context.
+Since c7c22e4d5c1fdebfac4dba76de7d0338c2b0d832 "block: add support
+for IO CPU affinity" this is not true anymore.
+It now also gets called from softirq context.
+
+To prevent possible deadlocks change this in architecture code and
+use a spinlock instead of a mutex.
+
+Cc: Jens Axboe
+Signed-off-by: Heiko Carstens
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/kernel/topology.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/arch/s390/kernel/topology.c
++++ b/arch/s390/kernel/topology.c
+@@ -65,18 +65,21 @@ static int machine_has_topology_irq;
+ static struct timer_list topology_timer;
+ static void set_topology_timer(void);
+ static DECLARE_WORK(topology_work, topology_work_fn);
++/* topology_lock protects the core linked list */
++static DEFINE_SPINLOCK(topology_lock);
+
+ cpumask_t cpu_core_map[NR_CPUS];
+
+ cpumask_t cpu_coregroup_map(unsigned int cpu)
+ {
+ struct core_info *core = &core_info;
++ unsigned long flags;
+ cpumask_t mask;
+
+ cpus_clear(mask);
+ if (!machine_has_topology)
+ return cpu_present_map;
+- mutex_lock(&smp_cpu_state_mutex);
++ spin_lock_irqsave(&topology_lock, flags);
+ while (core) {
+ if (cpu_isset(cpu, core->mask)) {
+ mask = core->mask;
+@@ -84,7 +87,7 @@ cpumask_t cpu_coregroup_map(unsigned int
+ }
+ core = core->next;
+ }
+- mutex_unlock(&smp_cpu_state_mutex);
++ spin_unlock_irqrestore(&topology_lock, flags);
+ if (cpus_empty(mask))
+ mask = cpumask_of_cpu(cpu);
+ return mask;
+@@ -133,7 +136,7 @@ static void tl_to_cores(struct tl_info *
+ union tl_entry *tle, *end;
+ struct core_info *core = &core_info;
+
+- mutex_lock(&smp_cpu_state_mutex);
++ spin_lock_irq(&topology_lock);
+ clear_cores();
+ tle = info->tle;
+ end = (union tl_entry *)((unsigned long)info + info->length);
+@@ -157,7 +160,7 @@ static void tl_to_cores(struct tl_info *
+ }
+ tle = next_tle(tle);
+ }
+- mutex_unlock(&smp_cpu_state_mutex);
++ spin_unlock_irq(&topology_lock);
+ }
+
+ static void topology_update_polarization_simple(void)
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
index 58803edf11f..f0388fef6c1 100644
--- a/queue-2.6.27/series
+++ b/queue-2.6.27/series
@@ -1,4 +1,3 @@
-net-fix-proc-net-snmp-as-memory-corruptor.patch
 touch_mnt_namespace-when-the-mount-flags-change.patch
 iwlagn-avoid-sleep-in-softirq-context.patch
 ath5k-fix-suspend-related-oops-on-rmmod.patch
@@ -21,3 +20,8 @@ input-alps-add-signature-for-dualpoint-found-in-dell-latitude-e6500.patch
 memory-hotplug-fix-page_zone-calculation-in-test_pages_isolated.patch
 r8169-select-mii-in-kconfig.patch
 sony-laptop-ignore-missing-_dis-method-on-pic-device.patch
+net-fix-proc-net-snmp-as-memory-corruptor.patch
+fix-broken-ownership-of-proc-sys-files.patch
+v4l-dvb-cve-2008-5033-fix-oops-on-tvaudio-when-controlling-bass-treble.patch
+s390-cpu-topology-fix-locking.patch
+acpi-load-device-driver-according-to-the-status-of-acpi-device.patch
diff --git a/queue-2.6.27/v4l-dvb-cve-2008-5033-fix-oops-on-tvaudio-when-controlling-bass-treble.patch b/queue-2.6.27/v4l-dvb-cve-2008-5033-fix-oops-on-tvaudio-when-controlling-bass-treble.patch
new file mode 100644
index 00000000000..e984198c750
--- /dev/null
+++ b/queue-2.6.27/v4l-dvb-cve-2008-5033-fix-oops-on-tvaudio-when-controlling-bass-treble.patch
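Review bot: In tl_to_cores (arch/s390/kernel/topology.c) the region that used to sit under a mutex now runs under `spin_lock_irq(&topology_lock)`, so nothing between lock and unlock may sleep, and `spin_unlock_irq` re-enables interrupts unconditionally. Only `clear_cores()` and `next_tle()` are visible and the middle of the loop lies outside the hunks, so it should be confirmed that no callee allocates or blocks and that every caller enters with interrupts enabled. Using `spin_lock_irqsave(&topology_lock, flags);` and `spin_unlock_irqrestore(&topology_lock, flags);` as cpu_coregroup_map does would remove the second assumption. It is also not visible whether other writers of the core list still take only smp_cpu_state_mutex.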
@@ -0,0 +1,131 @@
+From 01a1a3cc1e3fbe718bd06a2a5d4d1a2d0fb4d7d9 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab
+Date: Fri, 14 Nov 2008 10:46:59 -0300
+Subject: V4L/DVB (9624): CVE-2008-5033: fix OOPS on tvaudio when controlling bass/treble
+
+From: Mauro Carvalho Chehab
+
+commit 01a1a3cc1e3fbe718bd06a2a5d4d1a2d0fb4d7d9 upstream.
+
+This bug were supposed to be fixed by 5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1,
+where a call to NULL happens.
+
+Not all tvaudio chips allow controlling bass/treble. So, the driver
+has a table with a flag to indicate if the chip does support it.
+
+Unfortunately, the handling of this logic were broken for a very long
+time (probably since the first module version). Due to that, an OOPS
+were generated for devices that don't support bass/treble.
+
+This were the resulting OOPS message before the patch, with debug messages
+enabled:
+
+tvaudio' 1-005b: VIDIOC_S_CTRL
+BUG: unable to handle kernel NULL pointer dereference at 00000000
+IP: [<00000000>]
+*pde = 22fda067 *pte = 00000000
+Oops: 0000 [#1] SMP
+Modules linked in: snd_hda_intel snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device
+snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_hwdep snd soundcore tuner_simple tuner_types tea5767 tuner
+tvaudio bttv bridgebnep rfcomm l2cap bluetooth it87 hwmon_vid hwmon fuse sunrpc ipt_REJECT
+nf_conntrack_ipv4 iptable_filter ip_tables ip6t_REJECT xt_tcpudp nf_conntrack_ipv6 xt_state nf_conntrack
+ip6table_filter ip6_tables x_tables ipv6 dm_mirrordm_multipath dm_mod configfs videodev v4l1_compat
+ir_common 8139cp compat_ioctl32 v4l2_common 8139too videobuf_dma_sg videobuf_core mii btcx_risc tveeprom
+i915 button snd_page_alloc serio_raw drm pcspkr i2c_algo_bit i2c_i801 i2c_core iTCO_wdt
+iTCO_vendor_support sr_mod cdrom sg ata_generic pata_acpi ata_piix libata sd_mod scsi_mod ext3 jbdmbcache
+uhci_hcd ohci_hcd ehci_hcd [last unloaded: soundcore]
+
+Pid: 15413, comm: qv4l2 Not tainted (2.6.25.14-108.fc9.i686 #1)
+EIP: 0060:[<00000000>] EFLAGS: 00210246 CPU: 0
+EIP is at 0x0
+EAX: 00008000 EBX: ebd21600 ECX: e2fd9ec4 EDX: 00200046
+ESI: f8c0f0c4 EDI: f8c0f0c4 EBP: e2fd9d50 ESP: e2fd9d2c
+ DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
+Process qv4l2 (pid: 15413, ti=e2fd9000 task=ebe44000 task.ti=e2fd9000)
+Stack: f8c0c6ae e2ff2a00 00000d00 e2fd9ec4 ebc4e000 e2fd9d5c f8c0c448 00000000
+ f899c12a e2fd9d5c f899c154 e2fd9d68 e2fd9d80 c0560185 e2fd9d88 f8f3e1d8
+ f8f3e1dc ebc4e034 f8f3e18c e2fd9ec4 00000000 e2fd9d90 f899c286 c008561c
+Call Trace:
+ [] ? chip_command+0x266/0x4b6 [tvaudio]
+ [] ? chip_command+0x0/0x4b6 [tvaudio]
+ [] ? i2c_cmd+0x0/0x2f [i2c_core]
+ [] ? i2c_cmd+0x2a/0x2f [i2c_core]
+ [] ? device_for_each_child+0x21/0x49
+ [] ? i2c_clients_command+0x1c/0x1e [i2c_core]
+ [] ? bttv_call_i2c_clients+0x14/0x16 [bttv]
+ [] ? bttv_s_ctrl+0x1bc/0x313 [bttv]
+ [] ? bttv_s_ctrl+0x0/0x313 [bttv]
+ [] ? __video_do_ioctl+0x1f84/0x3726 [videodev]
+ [] ? sock_aio_write+0x100/0x10d
+ [] ? kmap_atomic_prot+0x1dd/0x1df
+ [] ? enqueue_hrtimer+0xc2/0xcd
+ [] ? copy_from_user+0x39/0x121
+ [] ? __video_ioctl2+0x1aa/0x24a [videodev]
+ [] ? do_notify_resume+0x768/0x795
+ [] ? getnstimeofday+0x34/0xd1
+ [] ? autoremove_wake_function+0x0/0x33
+ [] ? video_ioctl2+0xf/0x13 [videodev]
+ [] ? vfs_ioctl+0x50/0x69
+ [] ? do_vfs_ioctl+0x239/0x24c
+ [] ? sys_ioctl+0x40/0x5b
+ [] ? syscall_call+0x7/0xb
+ [] ? cpuid4_cache_sysfs_exit+0x3d/0x69
+ =======================
+Code: Bad EIP value.
+EIP: [<00000000>] 0x0 SS:ESP 0068:e2fd9d2c
+
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/video/tvaudio.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/video/tvaudio.c
++++ b/drivers/media/video/tvaudio.c
+@@ -1576,13 +1576,13 @@ static int tvaudio_get_ctrl(struct CHIPS
+ return 0;
+ }
+ case V4L2_CID_AUDIO_BASS:
+- if (desc->flags & CHIP_HAS_BASSTREBLE)
++ if (!(desc->flags & CHIP_HAS_BASSTREBLE))
+ break;
+ ctrl->value = chip->bass;
+ return 0;
+ case V4L2_CID_AUDIO_TREBLE:
+- if (desc->flags & CHIP_HAS_BASSTREBLE)
+- return -EINVAL;
++ if (!(desc->flags & CHIP_HAS_BASSTREBLE))
++ break;
+ ctrl->value = chip->treble;
+ return 0;
+ }
+@@ -1642,16 +1642,15 @@ static int tvaudio_set_ctrl(struct CHIPS
+ return 0;
+ }
+ case V4L2_CID_AUDIO_BASS:
+- if (desc->flags & CHIP_HAS_BASSTREBLE)
++ if (!(desc->flags & CHIP_HAS_BASSTREBLE))
+ break;
+ chip->bass = ctrl->value;
+ chip_write(chip,desc->bassreg,desc->bassfunc(chip->bass));
+
+ return 0;
+ case V4L2_CID_AUDIO_TREBLE:
+- if (desc->flags & CHIP_HAS_BASSTREBLE)
+- return -EINVAL;
+-
++ if (!(desc->flags & CHIP_HAS_BASSTREBLE))
++ break;
+ chip->treble = ctrl->value;
+ chip_write(chip,desc->treblereg,desc->treblefunc(chip->treble));
+
+@@ -1695,7 +1694,7 @@ static int chip_command(struct i2c_clien
+ break;
+ case V4L2_CID_AUDIO_BASS:
+ case V4L2_CID_AUDIO_TREBLE:
+- if (desc->flags & CHIP_HAS_BASSTREBLE)
++ if (!(desc->flags & CHIP_HAS_BASSTREBLE))
+ return -EINVAL;
+ break;
+ default:
-- 
2.47.3
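Review bot: In tvaudio_set_ctrl (drivers/media/video/tvaudio.c) the calls `desc->bassfunc(chip->bass)` and `desc->treblefunc(chip->treble)` are still guarded only by the CHIP_HAS_BASSTREBLE flag, so a chip table entry that sets the flag but leaves a handler unset would reproduce the NULL call shown in the oops. A cheap defence is to test the pointer as well, e.g. `if (!(desc->flags & CHIP_HAS_BASSTREBLE) || !desc->bassfunc)` followed by `break;`, and the same for `treblefunc`. `ctrl->value` arrives through the VIDIOC_S_CTRL path and is stored and handed to the handler with no range check visible in these hunks; if none exists earlier in the function, it should be clamped before use. The switch bodies continue outside the hunks, so the value returned after `break` is not visible here.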