author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-07-18 21:49:20 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-07-18 21:49:20 +0200 |
commit | e65d8267ee1aa6f33b1f021c7513bbcab6208921 (patch) | |
tree | 301fd5bbb38f39188037ee4252bc5fc6f3cda652 | |
parent | c759966d259e99559c797160c72c93914a893a4d (diff) | |
download | longterm-queue-2.6.32-e65d8267ee1aa6f33b1f021c7513bbcab6208921.tar.gz |
.32 patches
9 files changed, 383 insertions, 0 deletions
diff --git a/queue-2.6.32/asoc-fix-blackfin-i2s-_pointer-implementation-return-in.patch b/queue-2.6.32/asoc-fix-blackfin-i2s-_pointer-implementation-return-in.patch
new file mode 100644
index 0000000..fd4ecf1
--- /dev/null
+++ b/queue-2.6.32/asoc-fix-blackfin-i2s-_pointer-implementation-return-in.patch
@@ -0,0 +1,49 @@
+From e999dc50404d401150a5429b6459473a691fd1a0 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Date: Mon, 13 Jun 2011 12:14:07 +0100
+Subject: ASoC: Fix Blackfin I2S _pointer() implementation return in bounds values
+
+From: Mark Brown <broonie@opensource.wolfsonmicro.com>
+
+commit e999dc50404d401150a5429b6459473a691fd1a0 upstream.
+
+The Blackfin DMA controller can report one frame beyond the end of the
+buffer in the wraparound case but ALSA requires that the pointer always
+be in the buffer. Do the wraparound to handle this. A similar bug is
+likely to apply to the other Blackfin PCM drivers but the code is less
+obvious to inspection and I don't have a user to test.
+
+Reported-by: Kieran O'Leary <Kieran.O'Leary@wolfsonmicro.com>
+Acked-by: Liam Girdwood <lrg@ti.com>
+Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/soc/blackfin/bf5xx-i2s-pcm.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/blackfin/bf5xx-i2s-pcm.c
++++ b/sound/soc/blackfin/bf5xx-i2s-pcm.c
+@@ -139,11 +139,20 @@ static snd_pcm_uframes_t bf5xx_pcm_point
+ pr_debug("%s enter\n", __func__);
+ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
+ diff = sport_curr_offset_tx(sport);
+- frames = bytes_to_frames(substream->runtime, diff);
+ } else {
+ diff = sport_curr_offset_rx(sport);
+- frames = bytes_to_frames(substream->runtime, diff);
+ }
++
++ /*
++ * TX at least can report one frame beyond the end of the
++ * buffer if we hit the wraparound case - clamp to within the
++ * buffer as the ALSA APIs require.
++ */
++ if (diff == snd_pcm_lib_buffer_bytes(substream))
++ diff = 0;
++
++ frames = bytes_to_frames(substream->runtime, diff);
++
+ return frames;
+ }
+
diff --git a/queue-2.6.32/bttv-fix-s_tuner-for-radio.patch b/queue-2.6.32/bttv-fix-s_tuner-for-radio.patch
new file mode 100644
index 0000000..0f5264c
--- /dev/null
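Review bot: The new check in `bf5xx_pcm_pointer` rewinds only when `diff` is exactly equal to `snd_pcm_lib_buffer_bytes(substream)`, so any larger offset reported by the DMA would still be turned into a frame count outside the buffer, and the comment says "clamp" where the code wraps to zero. If the hardware can only ever land exactly on the buffer end, the comment should say so; otherwise `if (diff >= snd_pcm_lib_buffer_bytes(substream)) diff = 0;` covers both cases. The function starts outside the hunk, so the declared type of `diff` and the range of `sport_curr_offset_tx()` are not visible here.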
+++ b/queue-2.6.32/bttv-fix-s_tuner-for-radio.patch
@@ -0,0 +1,32 @@
+From a024c1a6b274e11596d124619e43c25560f64c01 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hans.verkuil@cisco.com>
+Date: Sun, 12 Jun 2011 07:02:43 -0300
+Subject: [media] bttv: fix s_tuner for radio
+
+From: Hans Verkuil <hans.verkuil@cisco.com>
+
+commit a024c1a6b274e11596d124619e43c25560f64c01 upstream.
+
+Fix typo: g_tuner should have been s_tuner.
+
+Tested with a bttv card.
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/bt8xx/bttv-driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/video/bt8xx/bttv-driver.c
++++ b/drivers/media/video/bt8xx/bttv-driver.c
+@@ -3532,7 +3532,7 @@ static int radio_s_tuner(struct file *fi
+ if (0 != t->index)
+ return -EINVAL;
+
+- bttv_call_all(btv, tuner, g_tuner, t);
++ bttv_call_all(btv, tuner, s_tuner, t);
+ return 0;
+ }
+
diff --git a/queue-2.6.32/fs-partitions-efi.c-corrupted-guid-partition-tables-can-cause-kernel-oops.patch b/queue-2.6.32/fs-partitions-efi.c-corrupted-guid-partition-tables-can-cause-kernel-oops.patch
new file mode 100644
index 0000000..7df6df2
--- /dev/null
+++ b/queue-2.6.32/fs-partitions-efi.c-corrupted-guid-partition-tables-can-cause-kernel-oops.patch
@@ -0,0 +1,61 @@
+From 3eb8e74ec72736b9b9d728bad30484ec89c91dde Mon Sep 17 00:00:00 2001
+From: Timo Warns <Warns@pre-sense.de>
+Date: Thu, 26 May 2011 16:25:57 -0700
+Subject: fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops
+
+From: Timo Warns <Warns@pre-sense.de>
+
+commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde upstream.
+
+The kernel automatically evaluates partition tables of storage devices.
+The code for evaluating GUID partitions (in fs/partitions/efi.c) contains
+a bug that causes a kernel oops on certain corrupted GUID partition
+tables.
+
+This bug has security impacts, because it allows, for example, to
+prepare a storage device that crashes a kernel subsystem upon connecting
+the device (e.g., a "USB Stick of (Partial) Death").
+
+ crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size));
+
+computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes.
+There is no validation of (*gpt)->header_size before the efi_crc32 call.
+
+A corrupted partition table may have large values for (*gpt)->header_size.
+ In this case, the CRC32 computation access memory beyond the memory
+allocated for gpt, which may cause a kernel heap overflow.
+
+Validate value of GUID partition table header size.
+
+[akpm@linux-foundation.org: fix layout and indenting]
+Signed-off-by: Timo Warns <warns@pre-sense.de>
+Cc: Matt Domsch <Matt_Domsch@dell.com>
+Cc: Eugene Teo <eugeneteo@kernel.sg>
+Cc: Dave Jones <davej@codemonkey.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Moritz Muehlenhoff <jmm@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/partitions/efi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/partitions/efi.c
++++ b/fs/partitions/efi.c
+@@ -311,6 +311,15 @@ is_gpt_valid(struct block_device *bdev,
+ goto fail;
+ }
+
++ /* Check the GUID Partition Table header size */
++ if (le32_to_cpu((*gpt)->header_size) >
++ bdev_logical_block_size(state->bdev)) {
++ pr_debug("GUID Partition Table Header size is wrong: %u > %u\n",
++ le32_to_cpu((*gpt)->header_size),
++ bdev_logical_block_size(state->bdev));
++ goto fail;
++ }
++
+ /* Check the GUID Partition Table CRC */
+ origcrc = le32_to_cpu((*gpt)->header_crc32);
+ (*gpt)->header_crc32 = 0;
diff --git a/queue-2.6.32/nfsv4.1-update-nfs4_fattr_bitmap_maxsz.patch b/queue-2.6.32/nfsv4.1-update-nfs4_fattr_bitmap_maxsz.patch
new file mode 100644
index 0000000..0c63ccf
--- /dev/null
+++ b/queue-2.6.32/nfsv4.1-update-nfs4_fattr_bitmap_maxsz.patch
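Review bot: The added size check reads `bdev_logical_block_size(state->bdev)`, but the hunk header shows `is_gpt_valid(struct block_device *bdev,` and no `state` appears in the visible context, so on this tree the new lines may not compile. The parameter list is truncated and the function body starts outside the hunk, so this needs confirming against the 2.6.32 source. If `bdev` is the only handle in scope, the comparison would be `bdev_logical_block_size(bdev)`, with the same change in the `pr_debug` arguments. Separately, the check is an upper bound only: a `header_size` smaller than `sizeof(gpt_header)` still passes, which would leave the trailing header fields outside the CRC computed next, so a matching lower-bound test is worth adding.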
@@ -0,0 +1,31 @@
+From e5012d1f3861d18c7f3814e757c1c3ab3741dbcd Mon Sep 17 00:00:00 2001
+From: Andy Adamson <andros@netapp.com>
+Date: Mon, 11 Jul 2011 17:17:42 -0400
+Subject: NFSv4.1: update nfs4_fattr_bitmap_maxsz
+
+From: Andy Adamson <andros@netapp.com>
+
+commit e5012d1f3861d18c7f3814e757c1c3ab3741dbcd upstream.
+
+Attribute IDs assigned in RFC 5661 now require three bitmaps.
+Fixes hitting a BUG_ON in xdr_shrink_bufhead when getting ACLs.
+
+Signed-off-by: Andy Adamson <andros@netapp.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/nfs4xdr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -88,7 +88,7 @@ static int nfs4_stat_to_errno(int);
+ #define encode_getfh_maxsz (op_encode_hdr_maxsz)
+ #define decode_getfh_maxsz (op_decode_hdr_maxsz + 1 + \
+ ((3+NFS4_FHSIZE) >> 2))
+-#define nfs4_fattr_bitmap_maxsz 3
++#define nfs4_fattr_bitmap_maxsz 4
+ #define encode_getattr_maxsz (op_encode_hdr_maxsz + nfs4_fattr_bitmap_maxsz)
+ #define nfs4_name_maxsz (1 + ((3 + NFS4_MAXNAMLEN) >> 2))
+ #define nfs4_path_maxsz (1 + ((3 + NFS4_MAXPATHLEN) >> 2))
diff --git a/queue-2.6.32/pvrusb2-fix-g-s_tuner-support.patch b/queue-2.6.32/pvrusb2-fix-g-s_tuner-support.patch
new file mode 100644
index 0000000..5221ab1
--- /dev/null
+++ b/queue-2.6.32/pvrusb2-fix-g-s_tuner-support.patch
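Review bot: `nfs4_fattr_bitmap_maxsz` becomes 4 while the description speaks of three bitmaps, and nothing at the define explains the difference. Because an undersized value here ends in a BUG_ON according to the description, a short comment above the define such as `/* bitmap length word + 3 bitmap words (RFC 5661) */` would help the next person who adds an attribute word. That breakdown is inferred from the description rather than shown in the hunk, so confirm it against the decoder before adding the comment.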
@@ -0,0 +1,45 @@
+From 50e9efd60b213ce43ad6979bfc18e25eec2d8413 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hans.verkuil@cisco.com>
+Date: Sun, 12 Jun 2011 06:39:52 -0300
+Subject: [media] pvrusb2: fix g/s_tuner support
+
+From: Hans Verkuil <hans.verkuil@cisco.com>
+
+commit 50e9efd60b213ce43ad6979bfc18e25eec2d8413 upstream.
+
+The tuner-core subdev requires that the type field of v4l2_tuner is
+filled in correctly. This is done in v4l2-ioctl.c, but pvrusb2 doesn't
+use that yet, so we have to do it manually based on whether the current
+input is radio or not.
+
+Tested with my pvrusb2.
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Acked-by: Mike Isely <isely@pobox.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/pvrusb2/pvrusb2-hdw.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/video/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/video/pvrusb2/pvrusb2-hdw.c
+@@ -2979,6 +2979,8 @@ static void pvr2_subdev_update(struct pv
+ if (hdw->input_dirty || hdw->audiomode_dirty || hdw->force_dirty) {
+ struct v4l2_tuner vt;
+ memset(&vt, 0, sizeof(vt));
++ vt.type = (hdw->input_val == PVR2_CVAL_INPUT_RADIO) ?
++ V4L2_TUNER_RADIO : V4L2_TUNER_ANALOG_TV;
+ vt.audmode = hdw->audiomode_val;
+ v4l2_device_call_all(&hdw->v4l2_dev, 0, tuner, s_tuner, &vt);
+ }
+@@ -5064,6 +5066,8 @@ void pvr2_hdw_status_poll(struct pvr2_hd
+ {
+ struct v4l2_tuner *vtp = &hdw->tuner_signal_info;
+ memset(vtp, 0, sizeof(*vtp));
++ vtp->type = (hdw->input_val == PVR2_CVAL_INPUT_RADIO) ?
++ V4L2_TUNER_RADIO : V4L2_TUNER_ANALOG_TV;
+ hdw->tuner_signal_stale = 0;
+ /* Note: There apparently is no replacement for VIDIOC_CROPCAP
+ using v4l2-subdev - therefore we can't support that AT ALL right
diff --git a/queue-2.6.32/series b/queue-2.6.32/series
new file mode 100644
index 0000000..64b55db
--- /dev/null
+++ b/queue-2.6.32/series
@@ -0,0 +1,8 @@
+asoc-fix-blackfin-i2s-_pointer-implementation-return-in.patch
+v4l2-ioctl.c-prefill-tuner-type-for-g_frequency-and.patch
+pvrusb2-fix-g-s_tuner-support.patch
+bttv-fix-s_tuner-for-radio.patch
+fs-partitions-efi.c-corrupted-guid-partition-tables-can-cause-kernel-oops.patch
+nfsv4.1-update-nfs4_fattr_bitmap_maxsz.patch
+sunrpc-fix-a-race-between-work-queue-and-rpc_killall_tasks.patch
+sunrpc-fix-use-of-static-variable-in-rpcb_getport_async.patch
diff --git a/queue-2.6.32/sunrpc-fix-a-race-between-work-queue-and-rpc_killall_tasks.patch b/queue-2.6.32/sunrpc-fix-a-race-between-work-queue-and-rpc_killall_tasks.patch
new file mode 100644
index 0000000..a908ece
--- /dev/null
+++ b/queue-2.6.32/sunrpc-fix-a-race-between-work-queue-and-rpc_killall_tasks.patch
@@ -0,0 +1,65 @@
+From b55c59892e1f3b6c7d4b9ccffb4263e1486fb990 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Wed, 6 Jul 2011 19:58:23 -0400
+Subject: SUNRPC: Fix a race between work-queue and rpc_killall_tasks
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit b55c59892e1f3b6c7d4b9ccffb4263e1486fb990 upstream.
+
+Since rpc_killall_tasks may modify the rpc_task's tk_action field
+without any locking, we need to be careful when dereferencing it.
+
+Reported-by: Ben Greear <greearb@candelatech.com>
+Tested-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sunrpc/sched.c | 27 +++++++++++----------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
+
+--- a/net/sunrpc/sched.c
++++ b/net/sunrpc/sched.c
+@@ -613,30 +613,25 @@ static void __rpc_execute(struct rpc_tas
+ BUG_ON(RPC_IS_QUEUED(task));
+
+ for (;;) {
++ void (*do_action)(struct rpc_task *);
+
+ /*
+- * Execute any pending callback.
++ * Execute any pending callback first.
+ */
+- if (task->tk_callback) {
+- void (*save_callback)(struct rpc_task *);
+-
+- /*
+- * We set tk_callback to NULL before calling it,
+- * in case it sets the tk_callback field itself:
+- */
+- save_callback = task->tk_callback;
+- task->tk_callback = NULL;
+- save_callback(task);
+- } else {
++ do_action = task->tk_callback;
++ task->tk_callback = NULL;
++ if (do_action == NULL) {
+ /*
+ * Perform the next FSM step.
+- * tk_action may be NULL when the task has been killed
+- * by someone else.
++ * tk_action may be NULL if the task has been killed.
++ * In particular, note that rpc_killall_tasks may
++ * do this at any time, so beware when dereferencing.
+ */
+- if (task->tk_action == NULL)
++ do_action = task->tk_action;
++ if (do_action == NULL)
+ break;
+- task->tk_action(task);
+ }
++ do_action(task);
+
+ /*
+ * Lockless check for whether task is sleeping or not.
diff --git a/queue-2.6.32/sunrpc-fix-use-of-static-variable-in-rpcb_getport_async.patch b/queue-2.6.32/sunrpc-fix-use-of-static-variable-in-rpcb_getport_async.patch
new file mode 100644
index 0000000..87528aa
--- /dev/null
+++ b/queue-2.6.32/sunrpc-fix-use-of-static-variable-in-rpcb_getport_async.patch
@@ -0,0 +1,37 @@
+From ec0dd267bf7d08cb30e321e45a75fd40edd7e528 Mon Sep 17 00:00:00 2001
+From: Ben Greear <greearb@candelatech.com>
+Date: Tue, 12 Jul 2011 10:27:55 -0700
+Subject: SUNRPC: Fix use of static variable in rpcb_getport_async
+
+From: Ben Greear <greearb@candelatech.com>
+
+commit ec0dd267bf7d08cb30e321e45a75fd40edd7e528 upstream.
+
+Because struct rpcbind_args *map was declared static, if two
+threads entered this method at the same time, the values
+assigned to map could be sent two two differen tasks.
+This could cause all sorts of problems, include use-after-free
+and double-free of memory.
+
+Fix this by removing the static declaration so that the map
+pointer is on the stack.
+
+Signed-off-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sunrpc/rpcb_clnt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/rpcb_clnt.c
++++ b/net/sunrpc/rpcb_clnt.c
+@@ -533,7 +533,7 @@ void rpcb_getport_async(struct rpc_task
+ u32 bind_version;
+ struct rpc_xprt *xprt;
+ struct rpc_clnt *rpcb_clnt;
+- static struct rpcbind_args *map;
++ struct rpcbind_args *map;
+ struct rpc_task *child;
+ struct sockaddr_storage addr;
+ struct sockaddr *sap = (struct sockaddr *)&addr;
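Review bot: In `__rpc_execute` (net/sunrpc/sched.c) the load `do_action = task->tk_action;` is a plain read of a field that, per the new comment, `rpc_killall_tasks` may change at any time without locking, so nothing obliges the compiler to keep the single load this fix depends on. Writing it as `do_action = ACCESS_ONCE(task->tk_action);` would make the one-shot read explicit and document why the local copy exists. The loop body continues past the end of the hunk, so whether `tk_action` is dereferenced again further down cannot be judged from here.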
diff --git a/queue-2.6.32/v4l2-ioctl.c-prefill-tuner-type-for-g_frequency-and.patch b/queue-2.6.32/v4l2-ioctl.c-prefill-tuner-type-for-g_frequency-and.patch
new file mode 100644
index 0000000..11b85c0
--- /dev/null
+++ b/queue-2.6.32/v4l2-ioctl.c-prefill-tuner-type-for-g_frequency-and.patch
@@ -0,0 +1,55 @@
+From 227690df75382e46a4f6ea1bbc5df855a674b47f Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hans.verkuil@cisco.com>
+Date: Sun, 12 Jun 2011 06:36:41 -0300
+Subject: [media] v4l2-ioctl.c: prefill tuner type for g_frequency and g/s_tuner
+
+From: Hans Verkuil <hans.verkuil@cisco.com>
+
+commit 227690df75382e46a4f6ea1bbc5df855a674b47f upstream.
+
+The subdevs are supposed to receive a valid tuner type for the g_frequency
+and g/s_tuner subdev ops. Some drivers do this, others don't. So prefill
+this in v4l2-ioctl.c based on whether the device node from which this is
+called is a radio node or not.
+
+The spec does not require applications to fill in the type, and if they
+leave it at 0 then the 'check_mode' call in tuner-core.c will return
+an error and the ioctl does nothing.
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/v4l2-ioctl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/media/video/v4l2-ioctl.c
++++ b/drivers/media/video/v4l2-ioctl.c
+@@ -1600,6 +1600,8 @@ static long __video_do_ioctl(struct file
+ if (!ops->vidioc_g_tuner)
+ break;
+
++ p->type = (vfd->vfl_type == VFL_TYPE_RADIO) ?
++ V4L2_TUNER_RADIO : V4L2_TUNER_ANALOG_TV;
+ ret = ops->vidioc_g_tuner(file, fh, p);
+ if (!ret)
+ dbgarg(cmd, "index=%d, name=%s, type=%d, "
+@@ -1618,6 +1620,8 @@ static long __video_do_ioctl(struct file
+
+ if (!ops->vidioc_s_tuner)
+ break;
++ p->type = (vfd->vfl_type == VFL_TYPE_RADIO) ?
++ V4L2_TUNER_RADIO : V4L2_TUNER_ANALOG_TV;
+ dbgarg(cmd, "index=%d, name=%s, type=%d, "
+ "capability=0x%x, rangelow=%d, "
+ "rangehigh=%d, signal=%d, afc=%d, "
+@@ -1636,6 +1640,8 @@ static long __video_do_ioctl(struct file
+ if (!ops->vidioc_g_frequency)
+ break;
+
++ p->type = (vfd->vfl_type == VFL_TYPE_RADIO) ?
++ V4L2_TUNER_RADIO : V4L2_TUNER_ANALOG_TV;
+ ret = ops->vidioc_g_frequency(file, fh, p);
+ if (!ret)
+ dbgarg(cmd, "tuner=%d, type=%d, frequency=%d\n", |