commit f23cb6b5657e6e5507b46290a48ce65021683061
Author: Greg Kroah-Hartman
Date:   Tue Dec 8 11:21:07 2009 -0800

    Linux 2.6.27.40

commit 909ec99b24903fcd15cd78b01c0925afeb46ebf3
Author: Jean Delvare
Date:   Sat Nov 7 19:11:41 2009 +0100

    hwmon: (it87) Fix VID reading on IT8718F

    commit 371dc4a6d8c3c74a9a1c74b87c2affb3fcef6500 upstream

    Comparing apples to bananas doesn't seem right. The bug has been there
    since support for the IT8718F was added, so VID never worked for this
    chip.

    Signed-off-by: Jean Delvare
    Signed-off-by: Greg Kroah-Hartman

commit 34dcc7657b7e11976cb9ab67e0bd3135539c97ea
Author: Maciej Sosnowski
Date:   Mon Feb 2 23:26:57 2009 -0800

    dca: redesign locks to fix deadlocks

    commit eb4400e3a040b90a3ad805b01fcbc99a5f615c8f upstream.

    Change spin_locks to irqsave to prevent dead-locks.
    Protect adding and deleting to/from dca_providers list.
    Drop the lock during dca_sysfs_add_req() and dca_sysfs_remove_req() calls
    as they might sleep (use GFP_KERNEL allocation).

    Signed-off-by: Maciej Sosnowski
    Acked-by: Jeff Kirsher
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit f10f9dd87161b70da6ec3d257c1f01a6ac02536f
Author: Alan Stern
Date:   Tue Dec 1 10:01:08 2009 -0500

    USB: usb-serial: replace shutdown with disconnect, release

    This is commit f9c99bb8b3a1ec81af68d484a551307326c2e933 back-ported to
    2.6.27.39.

    This patch (as1254-2) splits up the shutdown method of usb_serial_driver
    into a disconnect and a release method.

    The problem is that the usb-serial core was calling shutdown during
    disconnect handling, but drivers didn't expect it to be called until
    after all the open file references had been closed. The result was an
    oops when the close method tried to use memory that had been
    deallocated by shutdown.

    Signed-off-by: Alan Stern
    Tested-by: Rory Filer
    Signed-off-by: Greg Kroah-Hartman

commit e1897f9fc227055733cea2b7449af38276b2e6a5
Author: Oliver Neukum
Date:   Tue Jan 27 17:21:40 2009 +0100

    USB: suspend/resume support for option driver

    commit 4901b2c34ecb6fc45909228ad269c8126efe4401 upstream.

    This patch implements suspend and resume methods for the option driver.
    With my hardware I can even suspend the system and keep up a connection
    for a short time.

    Signed-off-by: Oliver Neukum
    Signed-Off-By: Matthias Urlichs
    Signed-off-by: Greg Kroah-Hartman

commit e72432d716f8555c27fc95b39969ba0a1d0c988b
Author: Libin Yang
Date:   Wed Nov 4 14:55:18 2009 +0800

    USB: ohci: quirk AMD prefetch for USB 1.1 ISO transfer

    commit a1f17a872bc7b1cb7efdd5486a2963e88a536e61 upstream.

    The following patch in the driver is required to avoid USB 1.1 device
    failures that may occur due to requests from USB OHCI controllers may
    be overwritten if the latency for any pending request by the USB
    controller is very long (in the range of milliseconds).

    Signed-off-by: Libin Yang
    Cc: David Brownell
    Cc: Alan Stern
    Signed-off-by: Greg Kroah-Hartman

commit d608b567459dd38ced1f3691d71520a8984f63a1
Author: Roel Kluin
Date:   Fri Nov 20 19:48:23 2009 +0100

    thinkpad-acpi: fix sign of ERESTARTSYS return

    commit 80a8d1228e90349b4514e8c925c061fa5cbcea75 upstream.

    The returned error should be negative

    Signed-off-by: Roel Kluin
    Acked-by: Henrique de Moraes Holschuh
    Signed-off-by: Andrew Morton
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit e9ab6d1f58eda5d33cc7e849778b72a5b2c1d916
Author: Roel Kluin
Date:   Wed Nov 4 08:31:59 2009 -0800

    isdn: hfc_usb: Fix read buffer overflow

    commit 286e633ef0ff5bb63c07b4516665da8004966fec upstream.

    Check whether index is within bounds before testing the element.

    Signed-off-by: Roel Kluin
    Cc: Karsten Keil
    Signed-off-by: Andrew Morton
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 4c2d3f19ba21524e0445a2e217e852bc4010d9b3
Author: Anand V. Avati
Date:   Thu Oct 22 06:24:52 2009 -0700

    fuse: prevent fuse_put_request on invalid pointer

    commit f60311d5f7670d9539b424e4ed8b5c0872fc9e83 upstream.

    fuse_direct_io() has a loop where requests are allocated in each
    iteration. if allocation fails, the loop is broken out and follows
    into an unconditional fuse_put_request() on that invalid pointer.

    Signed-off-by: Anand V. Avati
    Signed-off-by: Miklos Szeredi
    Signed-off-by: Greg Kroah-Hartman

commit e192c2e5db689c874f6e56166face8ac96544350
Author: Csaba Henk
Date:   Fri Nov 27 19:30:14 2009 +0530

    fuse: reject O_DIRECT flag also in fuse_create

    commit 1b7323965a8c6eee9dc4e345a7ae4bff1dc93149 upstream.

    The comment in fuse_open about O_DIRECT:

      "VFS checks this, but only _after_ ->open()"

    also holds for fuse_create, however, the same kind of check was missing
    there.

    As an impact of this bug, open(newfile, O_RDWR|O_CREAT|O_DIRECT) fails,
    but a stub newfile will remain if the fuse server handled the implied
    FUSE_CREATE request appropriately.

    Other impact: in the above situation ima_file_free() will complain to
    open/free imbalance if CONFIG_IMA is set.

    Signed-off-by: Csaba Henk
    Signed-off-by: Miklos Szeredi
    Cc: Harshavardhana
    Signed-off-by: Greg Kroah-Hartman

commit fdab80d867f4df236d5158a232275147964a7705
Author: Harald Welte
Date:   Tue Nov 24 16:53:00 2009 +0100

    Enable ACPI PDC handshake for VIA/Centaur CPUs

    commit d77b81974521c82fa6fda38dfff1b491dcc62a32 upstream.

    In commit 0de51088e6a82bc8413d3ca9e28bbca2788b5b53, we introduced the
    use of acpi-cpufreq on VIA/Centaur CPU's by removing a vendor check for
    VENDOR_INTEL. However, as it turns out, at least the Nano CPU's also
    need the PDC (processor driver capabilities) handshake in order to
    activate the methods required for acpi-cpufreq.

    Since arch_acpi_processor_init_pdc() contains another vendor check for
    Intel, the PDC is not initialized on VIA CPU's.

    The resulting behavior of a current mainline kernel on such systems is:
    acpi-cpufreq loads and it indicates CPU frequency changes. However, the
    CPU stays at a single frequency.

    This trivial patch ensures that init_intel_pdc() is called on Intel and
    VIA/Centaur CPU's alike.

    Signed-off-by: Harald Welte
    Signed-off-by: Dave Jones
    Signed-off-by: Greg Kroah-Hartman

commit f6cb332a48ed2100e820cbcae1904e3ad294ae32
Author: Mike Isely
Date:   Wed Sep 23 18:06:57 2009 -0300

    V4L/DVB (13230): s2255drv: Don't conditionalize video buffer completion on waiting processes

    commit 1f95725755ab67f3198df3b5bf7517f926f310ca upstream.

    The s2255 driver had logic which aborted processing of a video frame
    if there was no process waiting on the video buffer in question. That
    simply doesn't work when the application is doing things in an
    asynchronous manner. If the application went to the trouble to queue
    the buffer in the first place, then the driver should always attempt
    to complete it - even if the application at that moment has its
    attention turned elsewhere.

    Applications which always blocked waiting for I/O on the capture
    device would not have been affected by this. Applications which
    *mostly* blocked waiting for I/O on the capture device probably only
    would have been somewhat affected (frame lossage, at a rate which goes
    up as the application blocks less). Applications which never blocked
    on the capture device (e.g. polling only) however would never have
    been able to receive any video frames, since in that case this "is
    anyone waiting on this?" check on the buffer never would have
    evaluated true. This patch just deletes that harmful check against
    the buffer's wait queue.

    Signed-off-by: Mike Isely
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit 72c62be1f9f89d3f60408ab55728237f37911e08
Author: Devin Heitmueller
Date:   Thu Oct 15 01:14:34 2009 -0300

    V4L/DVB (13190): em28xx: fix panic that can occur when starting audio streaming

    commit 96fbf771d86a90ff006bc62ca4d4de6474b3de31 upstream.

    Because the counters were not reset when starting up streaming, they
    would be reused from the previous run. This can result in cases such
    that when the second instance of streaming starts up, the "cnt"
    variable in em28xx_audio_isocirq() can end up being negative,
    resulting in attempting to write to memory before the start of
    runtime->dma_area (as well as having a negative number of bytes to
    copy).

    Signed-off-by: Devin Heitmueller
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit 1ed704825c65b7dd7da77427898d6f08c793c040
Author: Seth Barry
Date:   Sun Sep 27 16:42:29 2009 -0300

    V4L/DVB (13109): tda18271: fix signedness issue in tda18271_rf_tracking_filters_init

    commit a57c1dcb93e43357ed3f666e5a2b5d5071dd3930 upstream.

    While having tda18271 module set with debug=17 (cal & info prints) and
    cal=0 (delay calibration process until first use) - I discovered that
    during the calibration process, if the frequency test for 69750000
    returned a bcal of 0 (see tda18721-fe.c in tda18271_powerscan func)
    that the tuner wouldn't be able to pickup any of the frequencies in
    the range (all the other frequencies bands returned bcal=1). I spent
    some time going over the code and the NXP's tda18271 spec (ver.4 of it
    i think) and adding a lot of debug prints and walking/stepping through
    the calibration process. I found that when the powerscan fails to find
    a frequency, the rf calibration is not run and the default value is
    supposed to be used in its place (pulled from the RF_CAL_map table) -
    but something was getting goofed up there.

    Now, my c coding skills are very rusty, but i think root of the
    problem is a signedness issue with the math operation for calculating
    the rf_a1 and rf_a2 values in tda18271_rf_tracking_filters_init func,
    which results in values like 20648 for rf_a1 (when it should probably
    have a value like 0, or so slightly negative that it should be zero -
    this bad value for rf_a1 would in turn make the approx calc within
    tda18271c2_rf_tracking_filters_correction go out of whack). The
    simplest solution i found was to explicitly convert the signedness of
    the denominator to avoid the implicit conversion. The values placed
    into the u32 rf_freq array should never exceed about 900mhz, so i
    think the s32 max value shouldn't be an issue in this case.

    I've tested it out a little, and even when i get a bcal=0 with the
    modified code, the default calibration value gets used, rf_a1 is zero,
    and the tuner seems to lock on the stream and mythtv seems to play it
    fine.

    Signed-off-by: Seth Barry
    Signed-off-by: Michael Krufky
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit bf5d113f0353b600bff5320f0b7b9c304c57f5d7
Author: Michael Krufky
Date:   Sun Sep 27 14:05:12 2009 -0300

    V4L/DVB (13107): tda18271: fix overflow in FM radio frequency calculation

    commit 4d8317876d5f53ef792e90f89d8f162d7bca5c81 upstream.

    Multiplication by 62500 causes an overflow in the 32 bit freq
    variable, which is later divided by 1000 when using FM radio.

    This patch prevents the overflow by scaling the frequency value
    correctly upfront. Thanks to Henk Vergonet for spotting the problem
    and providing a preliminary patch, which this changeset was based
    upon.

    Cc: Henk Vergonet
    Signed-off-by: Michael Krufky
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit 6e7e66fbee87251c07c59c04e7f1ed3ff4f3b151
Author: Martin Samek
Date:   Wed Sep 30 22:59:09 2009 -0300

    V4L/DVB (13079): dib0700: fixed xc2028 firmware loading kernel oops

    commit 7646b9de26c54cf4bc9c446d7ada9f91ece31e0a upstream.

    Fixing kernel oops when driver attempts to load xc2028 firmware.

    Note by djh: the patch contributed by Martin is a port of a fix I made
    during the PCTV 340e development. It's a temporary workaround that
    fixes a regression (an OOPS condition) and the real fix should be in
    the code that manages the i2c master on the dib7000p. But this fix
    does address the immediate regression and should be merged upstream
    until we do a cleaner fix.

    Signed-off-by: Martin Samek
    Signed-off-by: Devin Heitmueller
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit 87e1908d17628e075869f329c013d44145309671
Author: David Woodhouse
Date:   Mon Nov 30 09:06:40 2009 +0000

    jffs2: Fix memory corruption in jffs2_read_inode_range()

    commit 199bc9ff5ca5e4b3bcaff8927b2983c65f34c263 upstream.

    In 2.6.23 kernel, commit a32ea1e1f925399e0d81ca3f7394a44a6dafa12c
    ("Fix read/truncate race") fixed a race in the generic code, and as a
    side effect, now do_generic_file_read() can ask us to readpage() past
    the i_size. This seems to be correctly handled by the block routines
    (e.g. block_read_full_page() fills the page with zeroes in case if
    somebody is trying to read past the last inode's block).

    JFFS2 doesn't handle this; it assumes that it won't be asked to read
    pages which don't exist -- and thus that there will be at least _one_
    valid 'frag' on the page it's being asked to read. It will fill any
    holes with the following memset:

      memset(buf, 0, min(end, frag->ofs + frag->size) - offset);

    When the 'closest smaller match' returned by jffs2_lookup_node_frag()
    is actually on a previous page and ends before 'offset', that results
    in:

      memset(buf, 0, );

    Hopefully, in most cases the corruption is fatal, and quickly causing
    random oopses, like this:

      root@10.0.0.4:~/ltp-fs-20090531# ./testcases/kernel/fs/ftest/ftest01
      Unable to handle kernel paging request for data at address 0x00000008
      Faulting instruction address: 0xc01cd980
      Oops: Kernel access of bad area, sig: 11 [#1]
      [...]
      NIP [c01cd980] rb_insert_color+0x38/0x184
      LR [c0043978] enqueue_hrtimer+0x88/0xc4
      Call Trace:
      [c6c63b60] [c004f9a8] tick_sched_timer+0xa0/0xe4 (unreliable)
      [c6c63b80] [c0043978] enqueue_hrtimer+0x88/0xc4
      [c6c63b90] [c0043a48] __run_hrtimer+0x94/0xbc
      [c6c63bb0] [c0044628] hrtimer_interrupt+0x140/0x2b8
      [c6c63c10] [c000f8e8] timer_interrupt+0x13c/0x254
      [c6c63c30] [c001352c] ret_from_except+0x0/0x14
      --- Exception: 901 at memset+0x38/0x5c
          LR = jffs2_read_inode_range+0x144/0x17c
      [c6c63cf0] [00000000] (null) (unreliable)

    This patch fixes the issue, plus fixes all LTP tests on NAND/UBI with
    JFFS2 filesystem that were failing since 2.6.23 (seems like the bug
    above also broke the truncation).

    Reported-By: Anton Vorontsov
    Tested-By: Anton Vorontsov
    Signed-off-by: David Woodhouse
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 664179bfb83f35f3f9a09a8b2323666882244d35
Author: Dave Jones
Date:   Mon Oct 19 19:55:13 2009 -0400

    gdth: Prevent negative offsets in ioctl CVE-2009-3080

    commit 690e744869f3262855b83b4fb59199cf142765b0 upstream.

    A negative offset could be used to index before the event buffer and
    lead to a security breach.

    Signed-off-by: Dave Jones
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 9d4cf8bdc0b80550a2c7befff56b8f57acf0f9f7
Author: Julian Anastasov
Date:   Fri Nov 6 23:44:53 2009 +0200

    ALSA: usb-audio: fix combine_word problem

    commit f495088210c8b9e20791d995a8210170c68d2deb upstream.

    Fix combine_word problem where first octet is not read properly. The
    only affected place seems to be the INPUT_TERMINAL type. Before now,
    sound controls can be created with the output terminal's name which is
    a fallback mechanism used only for unknown input terminal types. For
    example, Line can wrongly appear as Speaker. After the change it
    should appear as Line.

    The side effect of this change can be that users can expect the wrong
    control name in their scripts or programs while now we return the
    correct one.

    Probably, these defines should use get_unaligned_le16 and friends.

    Signed-off-by: Julian Anastasov
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit ec80577e2e409977d33649197c2ced7269d2c7c2
Author: Russell King
Date:   Sun Nov 29 16:39:59 2009 +0000

    ALSA: AACI: fix recording bug

    commit 8ee763b9c82c6ca0a59a7271ce4fa29d7baf5c09 upstream.

    pcm->r[1].slots is the double rate slot information, not the capture
    information. For capture, 'pcm' will already be the capture ac97 pcm
    structure.

    Signed-off-by: Russell King
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit a390ede93a1b9f6a66c39789fc97e6219068c9a9
Author: Russell King
Date:   Sun Nov 29 16:39:52 2009 +0000

    ALSA: AACI: fix AC97 multiple-open bug

    commit 4acd57c3de62374fe5bb52e5cd24538190f4eab2 upstream.

    Signed-off-by: Russell King
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman
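
The hole-length expression quoted in the jffs2_read_inode_range() commit message above, worked through as an added example; it is not code from the kernel or from that patch. The struct, the function names and the guard are assumptions made for illustration, and the guard is not the upstream fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a JFFS2 node fragment (illustrative only). */
struct frag { uint32_t ofs, size; };

/* Length as in the quoted memset(): all-unsigned, so a fragment that
 * ends before 'offset' wraps to a value just under 2^32. */
uint32_t hole_len_unchecked(const struct frag *f, uint32_t offset, uint32_t end)
{
    uint32_t frag_end = f->ofs + f->size;
    return (end < frag_end ? end : frag_end) - offset;
}

/* Hypothetical guard: returns 0 and sets *len only if the fragment
 * really covers 'offset' inside [offset, end); -1 otherwise. */
int hole_len_checked(const struct frag *f, uint32_t offset, uint32_t end,
                     uint32_t *len)
{
    uint64_t frag_end = (uint64_t)f->ofs + f->size; /* no 32-bit wrap */
    uint64_t stop = end < frag_end ? end : frag_end;

    if (end <= offset || f->ofs > offset || stop <= offset)
        return -1;
    *len = (uint32_t)(stop - offset);
    return 0;
}

/* Zero the hole, never more than the caller's buffer holds. */
size_t zero_hole(unsigned char *buf, size_t buflen, const struct frag *f,
                 uint32_t offset, uint32_t end)
{
    uint32_t len;

    if (hole_len_checked(f, offset, end, &len) != 0)
        return 0;
    if (len > buflen)
        len = (uint32_t)buflen;
    memset(buf, 0, len);
    return len;
}

int main(void)
{
    struct frag stale = { 0, 100 }; /* constructed: ends on the previous page */

    printf("unchecked: %u\n", (unsigned)hole_len_unchecked(&stale, 4096, 8192));
    return 0;
}
```

With a 4096-byte page, a fragment ending at byte 100 and a read of the second page produce a length close to 4 GiB from the unchecked form, which matches the memset frame in the oops trace.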