author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-03-24 12:53:39 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-03-24 12:53:39 -0700 |
commit | 68b65d9bf43b201b02de25fc215bf1c789b45adc (patch) | |
tree | adbe26d0626301a287cd5c68af9a9defcde28611 | |
parent | a8b45126b1b777eeca719f4dfa88fb00d64a72b8 (diff) | |
download | longterm-queue-2.6.33-68b65d9bf43b201b02de25fc215bf1c789b45adc.tar.gz |
.33 patches
14 files changed, 851 insertions, 0 deletions
diff --git a/queue-2.6.33/ehci-hcd-bug-fix-don-t-set-a-qh-s-halt-bit.patch b/queue-2.6.33/ehci-hcd-bug-fix-don-t-set-a-qh-s-halt-bit.patch
new file mode 100644
index 0000000..e7c054e
--- /dev/null
+++ b/queue-2.6.33/ehci-hcd-bug-fix-don-t-set-a-qh-s-halt-bit.patch
@@ -0,0 +1,80 @@
+From b5a3b3d985493c173925907adfebf3edab236fe7 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 16 Mar 2011 10:57:15 -0400
+Subject: ehci-hcd: Bug fix: don't set a QH's Halt bit
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit b5a3b3d985493c173925907adfebf3edab236fe7 upstream.
+
+This patch (as1453) fixes a long-standing bug in the ehci-hcd driver.
+
+There is no need to set the Halt bit in the overlay region for an
+unlinked or blocked QH. Contrary to what the comment says, setting
+the Halt bit does not cause the QH to be patched later; that decision
+(made in qh_refresh()) depends only on whether the QH is currently
+pointing to a valid qTD. Likewise, setting the Halt bit does not
+prevent completions from activating the QH while it is "stopped"; they
+are prevented by the fact that qh_completions() temporarily changes
+qh->qh_state to QH_STATE_COMPLETING.
+
+On the other hand, there are circumstances in which the QH will be
+reactivated _without_ being patched; this happens after an URB beyond
+the head of the queue is unlinked. Setting the Halt bit will then
+cause the hardware to see the QH with both the Active and Halt bits
+set, an invalid combination that will prevent the queue from
+advancing and may even crash some controllers.
+
+Apparently the only reason this hasn't been reported before is that
+unlinking URBs from the middle of a running queue is quite uncommon.
+However Test 17, recently added to the usbtest driver, does exactly
+this, and it confirms the presence of the bug.
+
+In short, there is no reason to set the Halt bit for an unlinked or
+blocked QH, and there is a very good reason not to set it. Therefore
+the code that sets it is removed.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Andiry Xu <andiry.xu@amd.com>
+CC: David Brownell <david-b@pacbell.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/ehci-q.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -315,7 +315,6 @@ qh_completions (struct ehci_hcd *ehci, s
+ int stopped;
+ unsigned count = 0;
+ u8 state;
+- const __le32 halt = HALT_BIT(ehci);
+ struct ehci_qh_hw *hw = qh->hw;
+
+ if (unlikely (list_empty (&qh->qtd_list)))
+@@ -422,7 +421,6 @@ qh_completions (struct ehci_hcd *ehci, s
+ && !(qtd->hw_alt_next
+ & EHCI_LIST_END(ehci))) {
+ stopped = 1;
+- goto halt;
+ }
+
+ /* stop scanning when we reach qtds the hc is using */
+@@ -456,16 +454,6 @@ qh_completions (struct ehci_hcd *ehci, s
+ */
+ ehci_clear_tt_buffer(ehci, qh, urb, token);
+ }
+-
+- /* force halt for unlinked or blocked qh, so we'll
+- * patch the qh later and so that completions can't
+- * activate it while we "know" it's stopped.
+- */
+- if ((halt & hw->hw_token) == 0) {
+-halt:
+- hw->hw_token |= halt;
+- wmb ();
+- }
+ }
+
+ /* unless we already know the urb's status, collect qtd status
diff --git a/queue-2.6.33/ext3-skip-orphan-cleanup-on-rocompat-fs.patch b/queue-2.6.33/ext3-skip-orphan-cleanup-on-rocompat-fs.patch
new file mode 100644
index 0000000..e115f5a
--- /dev/null
+++ b/queue-2.6.33/ext3-skip-orphan-cleanup-on-rocompat-fs.patch
@@ -0,0 +1,41 @@
+From ce654b37f87980d95f339080e4c3bdb2370bdf22 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Sat, 26 Feb 2011 22:40:19 +0200
+Subject: ext3: skip orphan cleanup on rocompat fs
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit ce654b37f87980d95f339080e4c3bdb2370bdf22 upstream.
+
+Orphan cleanup is currently executed even if the file system has some
+number of unknown ROCOMPAT features, which deletes inodes and frees
+blocks, which could be very bad for some RO_COMPAT features.
+
+This patch skips the orphan cleanup if it contains readonly compatible
+features not known by this ext3 implementation, which would prevent
+the fs from being mounted (or remounted) readwrite.
+
+Signed-off-by: Amir Goldstein <amir73il@users.sf.net>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext3/super.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/ext3/super.c
++++ b/fs/ext3/super.c
+@@ -1440,6 +1440,13 @@ static void ext3_orphan_cleanup (struct
+ return;
+ }
+
++ /* Check if feature set allows readwrite operations */
++ if (EXT3_HAS_RO_COMPAT_FEATURE(sb, ~EXT3_FEATURE_RO_COMPAT_SUPP)) {
++ ext3_msg(sb, KERN_INFO, "Skipping orphan cleanup due to "
++ "unknown ROCOMPAT features");
++ return;
++ }
++
+ if (EXT3_SB(sb)->s_mount_state & EXT3_ERROR_FS) {
+ if (es->s_last_orphan)
+ jbd_debug(1, "Errors on filesystem, "
diff --git a/queue-2.6.33/fbcon-bugfix-soft-cursor-detection-in-tile-blitting.patch b/queue-2.6.33/fbcon-bugfix-soft-cursor-detection-in-tile-blitting.patch
new file mode 100644
index 0000000..587e42f
--- /dev/null
+++ b/queue-2.6.33/fbcon-bugfix-soft-cursor-detection-in-tile-blitting.patch
@@ -0,0 +1,37 @@
+From d6244bc0ed0c52a795e6f4dcab3886daf3e74fac Mon Sep 17 00:00:00 2001
+From: Henry Nestler <henry.nestler@gmail.com>
+Date: Sun, 20 Feb 2011 20:50:56 +0000
+Subject: fbcon: Bugfix soft cursor detection in Tile Blitting
+
+From: Henry Nestler <henry.nestler@gmail.com>
+
+commit d6244bc0ed0c52a795e6f4dcab3886daf3e74fac upstream.
+
+Use mask 0x10 for "soft cursor" detection on in function tile_cursor.
+(Tile Blitting Operation in framebuffer console).
+
+The old mask 0x01 for vc_cursor_type detects CUR_NONE, CUR_LOWER_THIRD
+and every second mode value as "software cursor". This hides the cursor
+for these modes (cursor.mode = 0). But, only CUR_NONE or "software cursor"
+should hide the cursor.
+See also 0x10 in functions add_softcursor, bit_cursor and cw_cursor.
+
+Signed-off-by: Henry Nestler <henry.nestler@gmail.com>
+Signed-off-by: Paul Mundt <lethal@linux-sh.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/console/tileblit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/console/tileblit.c
++++ b/drivers/video/console/tileblit.c
+@@ -83,7 +83,7 @@ static void tile_cursor(struct vc_data *
+ int softback_lines, int fg, int bg)
+ {
+ struct fb_tilecursor cursor;
+- int use_sw = (vc->vc_cursor_type & 0x01);
++ int use_sw = (vc->vc_cursor_type & 0x10);
+
+ cursor.sx = vc->vc_x;
+ cursor.sy = vc->vc_y;
diff --git a/queue-2.6.33/nfsd-wrong-index-used-in-inner-loop.patch b/queue-2.6.33/nfsd-wrong-index-used-in-inner-loop.patch
new file mode 100644
index 0000000..a440a03
--- /dev/null
+++ b/queue-2.6.33/nfsd-wrong-index-used-in-inner-loop.patch
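Review bot: The corrected mask in tile_cursor is still a bare literal, `vc->vc_cursor_type & 0x10`, and according to the commit message the same literal is repeated in add_softcursor, bit_cursor and cw_cursor, which is how the 0x01 variant could sit here unnoticed. A short comment on the new line would make the intent checkable against those functions, for example `/* 0x10 in vc_cursor_type selects the software cursor, as in add_softcursor() */`. tile_cursor's body continues outside the hunk.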
@@ -0,0 +1,49 @@
+From 5a02ab7c3c4580f94d13c683721039855b67cda6 Mon Sep 17 00:00:00 2001
+From: Mi Jinlong <mijinlong@cn.fujitsu.com>
+Date: Fri, 11 Mar 2011 12:13:55 +0800
+Subject: nfsd: wrong index used in inner loop
+
+From: Mi Jinlong <mijinlong@cn.fujitsu.com>
+
+commit 5a02ab7c3c4580f94d13c683721039855b67cda6 upstream.
+
+We must not use dummy for index.
+After the first index, READ32(dummy) will change dummy!!!!
+
+Signed-off-by: Mi Jinlong <mijinlong@cn.fujitsu.com>
+[bfields@redhat.com: Trond points out READ_BUF alone is sufficient.]
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/nfs4xdr.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -1106,7 +1106,7 @@ nfsd4_decode_create_session(struct nfsd4
+
+ u32 dummy;
+ char *machine_name;
+- int i, j;
++ int i;
+ int nr_secflavs;
+
+ READ_BUF(16);
+@@ -1179,8 +1179,6 @@ nfsd4_decode_create_session(struct nfsd4
+ READ_BUF(4);
+ READ32(dummy);
+ READ_BUF(dummy * 4);
+- for (j = 0; j < dummy; ++j)
+- READ32(dummy);
+ break;
+ case RPC_AUTH_GSS:
+ dprintk("RPC_AUTH_GSS callback secflavor "
+@@ -1196,7 +1194,6 @@ nfsd4_decode_create_session(struct nfsd4
+ READ_BUF(4);
+ READ32(dummy);
+ READ_BUF(dummy);
+- p += XDR_QUADLEN(dummy);
+ break;
+ default:
+ dprintk("Illegal callback secflavor\n");
diff --git a/queue-2.6.33/nfsd41-modify-the-members-value-of-nfsd4_op_flags.patch b/queue-2.6.33/nfsd41-modify-the-members-value-of-nfsd4_op_flags.patch
new file mode 100644
index 0000000..74f152c
--- /dev/null
+++ b/queue-2.6.33/nfsd41-modify-the-members-value-of-nfsd4_op_flags.patch
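Review bot: In nfsd4_decode_create_session, in the case that precedes `case RPC_AUTH_GSS:`, `READ_BUF(dummy * 4)` multiplies a u32 that was just read from the request, so a count of 0x40000000 or more wraps and the decoder accounts for fewer bytes than the client declared. With the inner loop removed, this call is the only thing that skips the array, so a wrapped length leaves the XDR cursor out of step with the remaining callback security parameters; later reads are presumably still bounds-checked by READ_BUF, whose definition is outside the hunk. Rejecting the count before the multiplication keeps the decode strict: guard with `if (dummy > 0xffffffffU / 4)` and leave through the same decode-error path the function's other READ_BUF failures take. The function body starts and ends outside the hunk.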
@@ -0,0 +1,40 @@
+From 5ece3cafbd88d4da5c734e1810c4a2e6474b57b2 Mon Sep 17 00:00:00 2001
+From: Mi Jinlong <mijinlong@cn.fujitsu.com>
+Date: Fri, 18 Feb 2011 09:08:31 +0800
+Subject: nfsd41: modify the members value of nfsd4_op_flags
+
+From: Mi Jinlong <mijinlong@cn.fujitsu.com>
+
+commit 5ece3cafbd88d4da5c734e1810c4a2e6474b57b2 upstream.
+
+The members of nfsd4_op_flags, (ALLOWED_WITHOUT_FH | ALLOWED_ON_ABSENT_FS)
+equals to ALLOWED_AS_FIRST_OP, maybe that's not what we want.
+
+OP_PUTROOTFH with op_flags = ALLOWED_WITHOUT_FH | ALLOWED_ON_ABSENT_FS,
+can't appears as the first operation with out SEQUENCE ops.
+
+This patch modify the wrong value of ALLOWED_WITHOUT_FH etc which
+was introduced by f9bb94c4.
+
+Reviewed-by: Benny Halevy <bhalevy@panasas.com>
+Signed-off-by: Mi Jinlong <mijinlong@cn.fujitsu.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/nfs4proc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -953,8 +953,8 @@ typedef __be32(*nfsd4op_func)(struct svc
+ void *);
+ enum nfsd4_op_flags {
+ ALLOWED_WITHOUT_FH = 1 << 0, /* No current filehandle required */
+- ALLOWED_ON_ABSENT_FS = 2 << 0, /* ops processed on absent fs */
+- ALLOWED_AS_FIRST_OP = 3 << 0, /* ops reqired first in compound */
++ ALLOWED_ON_ABSENT_FS = 1 << 1, /* ops processed on absent fs */
++ ALLOWED_AS_FIRST_OP = 1 << 2, /* ops reqired first in compound */
+ };
+
+ struct nfsd4_operation {
diff --git a/queue-2.6.33/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch b/queue-2.6.33/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
new file mode 100644
index 0000000..ca77713
--- /dev/null
+++ b/queue-2.6.33/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
@@ -0,0 +1,48 @@
+From 5883f57ca0008ffc93e09cbb9847a1928e50c6f3 Mon Sep 17 00:00:00 2001
+From: Kees Cook <kees.cook@canonical.com>
+Date: Wed, 23 Mar 2011 16:42:53 -0700
+Subject: proc: protect mm start_code/end_code in /proc/pid/stat
+
+From: Kees Cook <kees.cook@canonical.com>
+
+commit 5883f57ca0008ffc93e09cbb9847a1928e50c6f3 upstream.
+
+While mm->start_stack was protected from cross-uid viewing (commit
+f83ce3e6b02d5 ("proc: avoid information leaks to non-privileged
+processes")), the start_code and end_code values were not. This would
+allow the text location of a PIE binary to leak, defeating ASLR.
+
+Note that the value "1" is used instead of "0" for a protected value since
+"ps", "killall", and likely other readers of /proc/pid/stat, take
+start_code of "0" to mean a kernel thread and will misbehave. Thanks to
+Brad Spengler for pointing this out.
+
+Addresses CVE-2011-0726
+
+Signed-off-by: Kees Cook <kees.cook@canonical.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Eugene Teo <eugeneteo@kernel.sg>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Brad Spengler <spender@grsecurity.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/proc/array.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -488,8 +488,8 @@ static int do_task_stat(struct seq_file
+ vsize,
+ mm ? get_mm_rss(mm) : 0,
+ rsslim,
+- mm ? mm->start_code : 0,
+- mm ? mm->end_code : 0,
++ mm ? (permitted ? mm->start_code : 1) : 0,
++ mm ? (permitted ? mm->end_code : 1) : 0,
+ (permitted && mm) ? mm->start_stack : 0,
+ esp,
+ eip,
diff --git a/queue-2.6.33/procfs-fix-proc-pid-maps-heap-check.patch b/queue-2.6.33/procfs-fix-proc-pid-maps-heap-check.patch
new file mode 100644
index 0000000..2cb4723
--- /dev/null
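Review bot: The literal `1` reported for start_code and end_code when `permitted` is false carries a compatibility rule that is recorded only in the commit message: ps and killall read a start_code of 0 as "kernel thread". A comment above the two new arguments in do_task_stat would keep a later cleanup from turning it back into 0, for example `/* hidden values read as 1, not 0: userspace takes start_code == 0 to mean a kernel thread */`. The `esp` and `eip` arguments that follow are passed through unchanged in this hunk; whether they are already gated on `permitted` is decided earlier in the function, outside the hunk, and is worth confirming in the 2.6.33 tree since they are address-bearing fields of the same output line.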
+++ b/queue-2.6.33/procfs-fix-proc-pid-maps-heap-check.patch 
@@ -0,0 +1,127 @@ +From 0db0c01b53a1a421513f91573241aabafb87802a Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen <aaro.koskinen@nokia.com> +Date: Wed, 23 Mar 2011 16:42:50 -0700 +Subject: procfs: fix /proc/<pid>/maps heap check + +From: Aaro Koskinen <aaro.koskinen@nokia.com> + +commit 0db0c01b53a1a421513f91573241aabafb87802a upstream. + +The current code fails to print the "[heap]" marking if the heap is split +into multiple mappings. + +Fix the check so that the marking is displayed in all possible cases: + 1. vma matches exactly the heap + 2. the heap vma is merged e.g. with bss + 3. the heap vma is splitted e.g. due to locked pages + +Test cases. In all cases, the process should have mapping(s) with +[heap] marking: + + (1) vma matches exactly the heap + + #include <stdio.h> + #include <unistd.h> + #include <sys/types.h> + + int main (void) + { + if (sbrk(4096) != (void *)-1) { + printf("check /proc/%d/maps\n", (int)getpid()); + while (1) + sleep(1); + } + return 0; + } + + # ./test1 + check /proc/553/maps + [1] + Stopped ./test1 + # cat /proc/553/maps | head -4 + 00008000-00009000 r-xp 00000000 01:00 3113640 /test1 + 00010000-00011000 rw-p 00000000 01:00 3113640 /test1 + 00011000-00012000 rw-p 00000000 00:00 0 [heap] + 4006f000-40070000 rw-p 00000000 00:00 0 + + (2) the heap vma is merged + + #include <stdio.h> + #include <unistd.h> + #include <sys/types.h> + + char foo[4096] = "foo"; + char bar[4096]; + + int main (void) + { + if (sbrk(4096) != (void *)-1) { + printf("check /proc/%d/maps\n", (int)getpid()); + while (1) + sleep(1); + } + return 0; + } + + # ./test2 + check /proc/556/maps + [2] + Stopped ./test2 + # cat /proc/556/maps | head -4 + 00008000-00009000 r-xp 00000000 01:00 3116312 /test2 + 00010000-00012000 rw-p 00000000 01:00 3116312 /test2 + 00012000-00014000 rw-p 00000000 00:00 0 [heap] + 4004a000-4004b000 rw-p 00000000 00:00 0 + + (3) the heap vma is splitted (this fails without the patch) + + #include <stdio.h> + #include <unistd.h> + #include 
<sys/mman.h> + #include <sys/types.h> + + int main (void) + { + if ((sbrk(4096) != (void *)-1) && !mlockall(MCL_FUTURE) && + (sbrk(4096) != (void *)-1)) { + printf("check /proc/%d/maps\n", (int)getpid()); + while (1) + sleep(1); + } + return 0; + } + + # ./test3 + check /proc/559/maps + [1] + Stopped ./test3 + # cat /proc/559/maps|head -4 + 00008000-00009000 r-xp 00000000 01:00 3119108 /test3 + 00010000-00011000 rw-p 00000000 01:00 3119108 /test3 + 00011000-00012000 rw-p 00000000 00:00 0 [heap] + 00012000-00013000 rw-p 00000000 00:00 0 [heap] + +It looks like the bug has been there forever, and since it only results in +some information missing from a procfile, it does not fulfil the -stable +"critical issue" criteria. + +Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com> +Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/proc/task_mmu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -243,8 +243,8 @@ static void show_map_vma(struct seq_file + const char *name = arch_vma_name(vma); + if (!name) { + if (mm) { +- if (vma->vm_start <= mm->start_brk && +- vma->vm_end >= mm->brk) { ++ if (vma->vm_start <= mm->brk && ++ vma->vm_end >= mm->start_brk) { + name = "[heap]"; + } else if (vma->vm_start <= mm->start_stack && + vma->vm_end >= mm->start_stack) { diff --git a/queue-2.6.33/series b/queue-2.6.33/series index e46d842..8d054e9 100644 --- a/queue-2.6.33/series +++ b/queue-2.6.33/series 
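Review bot: The new test in show_map_vma, `vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk`, is inclusive on both sides, so an unnamed mapping that only touches the heap range (its end equal to start_brk, or its start equal to brk) is also labelled [heap]. vm_end is the first address past the mapping, so overlap is expressed with strict comparisons: `if (vma->vm_start < mm->brk && vma->vm_end > mm->start_brk) {`. That form would also drop the label while the heap is empty (brk == start_brk), which may or may not be wanted; either way the boundary behaviour deserves a one-line comment, because tools parse this label to locate the heap. The function continues outside the hunk.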
@@ -15,3 +15,16 @@ xen-set-max_pfn_mapped-to-the-last-pfn-mapped.patch pci-return-correct-value-when-writing-to-the-reset-attribute.patch revert-intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch +ext3-skip-orphan-cleanup-on-rocompat-fs.patch +procfs-fix-proc-pid-maps-heap-check.patch +proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch +fbcon-bugfix-soft-cursor-detection-in-tile-blitting.patch +nfsd41-modify-the-members-value-of-nfsd4_op_flags.patch +nfsd-wrong-index-used-in-inner-loop.patch +uvcvideo-fix-uvc_fixup_video_ctrl-format-search.patch +uvcvideo-fix-descriptor-parsing-for-video-output-devices.patch +ehci-hcd-bug-fix-don-t-set-a-qh-s-halt-bit.patch +usb-uss720-fixup-refcount-position.patch +usb-cdc-acm-fix-memory-corruption-panic.patch +usb-cdc-acm-fix-potential-null-pointer-dereference.patch +usb-cdc-acm-fix-potential-null-pointer-dereference-on-disconnect.patch diff --git a/queue-2.6.33/usb-cdc-acm-fix-memory-corruption-panic.patch b/queue-2.6.33/usb-cdc-acm-fix-memory-corruption-panic.patch new file mode 100644 index 0000000..1ca78c0 --- /dev/null +++ b/queue-2.6.33/usb-cdc-acm-fix-memory-corruption-panic.patch 
@@ -0,0 +1,214 @@ +From 23b80550e2aa61d0ba3af98b831b9195be0db9ee Mon Sep 17 00:00:00 2001 +From: Johan Hovold <jhovold@gmail.com> +Date: Tue, 22 Mar 2011 11:12:09 +0100 +Subject: USB: cdc-acm: fix memory corruption / panic + +From: Johan Hovold <jhovold@gmail.com> + +commit 23b80550e2aa61d0ba3af98b831b9195be0db9ee upstream. + +Prevent read urbs from being resubmitted from tasklet after port close. + +The receive tasklet was not disabled on port close, which could lead to +corruption of receive lists on consecutive port open. In particular, +read urbs could be re-submitted before port open, added to free list in +open, and then added a second time to the free list in the completion +handler. + +cdc-acm.c: Entering acm_tty_open. +cdc-acm.c: acm_control_msg: rq: 0x22 val: 0x3 len: 0x0 result: 0 +cdc-acm.c: Entering acm_rx_tasklet +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da280, rcv 0xf57fbc24, buf 0xf57fbd64 +cdc-acm.c: set line: 115200 0 0 8 +cdc-acm.c: acm_control_msg: rq: 0x20 val: 0x0 len: 0x7 result: 7 +cdc-acm.c: acm_tty_close +cdc-acm.c: acm_port_down +cdc-acm.c: acm_control_msg: rq: 0x22 val: 0x0 len: 0x0 result: 0 +cdc-acm.c: acm_ctrl_irq - urb shutting down with status: -2 +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da300, rcv 0xf57fbc10, buf 0xf57fbd50 +cdc-acm.c: Entering acm_read_bulk with status -2 +cdc_acm 4-1:1.1: Aborting, acm not ready +cdc-acm.c: Entering acm_read_bulk with status -2 +cdc_acm 4-1:1.1: Aborting, acm not ready +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da380, rcv 0xf57fbbfc, buf 0xf57fbd3c +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da400, rcv 0xf57fbbe8, buf 0xf57fbd28 +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da480, rcv 0xf57fbbd4, buf 0xf57fbd14 +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da900, rcv 0xf57fbbc0, buf 0xf57fbd00 +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da980, rcv 0xf57fbbac, buf 0xf57fbcec +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50daa00, rcv 0xf57fbb98, buf 0xf57fbcd8 +cdc-acm.c: acm_rx_tasklet: 
sending urb 0xf50daa80, rcv 0xf57fbb84, buf 0xf57fbcc4 +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dab00, rcv 0xf57fbb70, buf 0xf57fbcb0 +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dab80, rcv 0xf57fbb5c, buf 0xf57fbc9c +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dac00, rcv 0xf57fbb48, buf 0xf57fbc88 +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dac80, rcv 0xf57fbb34, buf 0xf57fbc74 +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dad00, rcv 0xf57fbb20, buf 0xf57fbc60 +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dad80, rcv 0xf57fbb0c, buf 0xf57fbc4c +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da880, rcv 0xf57fbaf8, buf 0xf57fbc38 +cdc-acm.c: Entering acm_tty_open. +cdc-acm.c: acm_control_msg: rq: 0x22 val: 0x3 len: 0x0 result: 0 +cdc-acm.c: Entering acm_rx_tasklet +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da280, rcv 0xf57fbc24, buf 0xf57fbd64 +cdc-acm.c: Entering acm_tty_write to write 3 bytes, +cdc-acm.c: Get 3 bytes... +cdc-acm.c: acm_write_start susp_count: 0 +cdc-acm.c: Entering acm_read_bulk with status 0 +------------[ cut here ]------------ +WARNING: at /home/johan/src/linux/linux-2.6/lib/list_debug.c:57 list_del+0x10c/0x120() +Hardware name: Vostro 1520 +list_del corruption. next->prev should be f57fbc10, but was f57fbaf8 +Modules linked in: cdc_acm +Pid: 3, comm: ksoftirqd/0 Not tainted 2.6.37+ #39 +Call Trace: + [<c103c7e2>] warn_slowpath_common+0x72/0xa0 + [<c11dd8ac>] ? list_del+0x10c/0x120 + [<c11dd8ac>] ? list_del+0x10c/0x120 + [<c103c8b3>] warn_slowpath_fmt+0x33/0x40 + [<c11dd8ac>] list_del+0x10c/0x120 + [<f8051dbf>] acm_rx_tasklet+0xef/0x3e0 [cdc_acm] + [<c135465d>] ? net_rps_action_and_irq_enable+0x6d/0x80 + [<c1042bb6>] tasklet_action+0xe6/0x140 + [<c104342f>] __do_softirq+0xaf/0x210 + [<c1043380>] ? __do_softirq+0x0/0x210 + <IRQ> [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0 + [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0 + [<c105ac24>] ? kthread+0x74/0x80 + [<c105abb0>] ? kthread+0x0/0x80 + [<c100337a>] ? 
kernel_thread_helper+0x6/0x10 +---[ end trace efd9a11434f0082e ]--- +------------[ cut here ]------------ +WARNING: at /home/johan/src/linux/linux-2.6/lib/list_debug.c:57 list_del+0x10c/0x120() +Hardware name: Vostro 1520 +list_del corruption. next->prev should be f57fbd50, but was f57fbdb0 +Modules linked in: cdc_acm +Pid: 3, comm: ksoftirqd/0 Tainted: G W 2.6.37+ #39 +Call Trace: + [<c103c7e2>] warn_slowpath_common+0x72/0xa0 + [<c11dd8ac>] ? list_del+0x10c/0x120 + [<c11dd8ac>] ? list_del+0x10c/0x120 + [<c103c8b3>] warn_slowpath_fmt+0x33/0x40 + [<c11dd8ac>] list_del+0x10c/0x120 + [<f8051dd6>] acm_rx_tasklet+0x106/0x3e0 [cdc_acm] + [<c135465d>] ? net_rps_action_and_irq_enable+0x6d/0x80 + [<c1042bb6>] tasklet_action+0xe6/0x140 + [<c104342f>] __do_softirq+0xaf/0x210 + [<c1043380>] ? __do_softirq+0x0/0x210 + <IRQ> [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0 + [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0 + [<c105ac24>] ? kthread+0x74/0x80 + [<c105abb0>] ? kthread+0x0/0x80 + [<c100337a>] ? kernel_thread_helper+0x6/0x10 +---[ end trace efd9a11434f0082f ]--- +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da300, rcv 0xf57fbc10, buf 0xf57fbd50 +cdc-acm.c: disconnected from network +cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da380, rcv 0xf57fbbfc, buf 0xf57fbd3c +cdc-acm.c: Entering acm_rx_tasklet +------------[ cut here ]------------ +WARNING: at /home/johan/src/linux/linux-2.6/lib/list_debug.c:48 list_del+0xd5/0x120() +Hardware name: Vostro 1520 +list_del corruption, next is LIST_POISON1 (00100100) +Modules linked in: cdc_acm +Pid: 3, comm: ksoftirqd/0 Tainted: G W 2.6.37+ #39 +Call Trace: + [<c103c7e2>] warn_slowpath_common+0x72/0xa0 + [<c11dd875>] ? list_del+0xd5/0x120 + [<c11dd875>] ? list_del+0xd5/0x120 + [<c103c8b3>] warn_slowpath_fmt+0x33/0x40 + [<c11dd875>] list_del+0xd5/0x120 + [<f8051fac>] acm_rx_tasklet+0x2dc/0x3e0 [cdc_acm] + [<c106dbab>] ? trace_hardirqs_on+0xb/0x10 + [<c1042b30>] ? 
tasklet_action+0x60/0x140 + [<c1042bb6>] tasklet_action+0xe6/0x140 + [<c104342f>] __do_softirq+0xaf/0x210 + [<c1043380>] ? __do_softirq+0x0/0x210 + <IRQ> [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0 + [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0 + [<c105ac24>] ? kthread+0x74/0x80 + [<c105abb0>] ? kthread+0x0/0x80 + [<c100337a>] ? kernel_thread_helper+0x6/0x10 +---[ end trace efd9a11434f00830 ]--- +BUG: unable to handle kernel paging request at 00200200 +IP: [<c11dd7bd>] list_del+0x1d/0x120 +*pde = 00000000 +Oops: 0000 [#1] PREEMPT SMP +last sysfs file: /sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.0/tty/ttyACM0/uevent +Modules linked in: cdc_acm +Pid: 3, comm: ksoftirqd/0 Tainted: G W 2.6.37+ #39 0T816J/Vostro 1520 +EIP: 0060:[<c11dd7bd>] EFLAGS: 00010046 CPU: 0 +EIP is at list_del+0x1d/0x120 +EAX: f57fbd3c EBX: f57fb800 ECX: ffff8000 EDX: 00200200 +ESI: f57fbe90 EDI: f57fbd3c EBP: f600bf54 ESP: f600bf3c + DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 +Process ksoftirqd/0 (pid: 3, ti=f600a000 task=f60791c0 task.ti=f6082000) +Stack: + c1527e84 00000030 c1527e54 00100100 f57fb800 f57fbd3c f600bf98 f8051fac + f8053104 f8052b94 f600bf6c c106dbab f600bf80 00000286 f60791c0 c1042b30 + f57fbda8 f57f5800 f57fbdb0 f57fbd80 f57fbe7c c1656b04 00000000 f600bfb0 +Call Trace: + [<f8051fac>] ? acm_rx_tasklet+0x2dc/0x3e0 [cdc_acm] + [<c106dbab>] ? trace_hardirqs_on+0xb/0x10 + [<c1042b30>] ? tasklet_action+0x60/0x140 + [<c1042bb6>] ? tasklet_action+0xe6/0x140 + [<c104342f>] ? __do_softirq+0xaf/0x210 + [<c1043380>] ? __do_softirq+0x0/0x210 + <IRQ> + [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0 + [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0 + [<c105ac24>] ? kthread+0x74/0x80 + [<c105abb0>] ? kthread+0x0/0x80 + [<c100337a>] ? 
kernel_thread_helper+0x6/0x10 +Code: ff 48 14 e9 57 ff ff ff 90 90 90 90 90 90 55 89 e5 83 ec 18 81 38 00 01 10 00 0f 84 9c 00 00 00 8b 50 04 81 fa 00 02 20 00 74 33 <8b> 12 39 d0 75 5c 8b 10 8b 4a 04 39 c8 0f 85 b5 00 00 00 8b 48 +EIP: [<c11dd7bd>] list_del+0x1d/0x120 SS:ESP 0068:f600bf3c +CR2: 0000000000200200 +---[ end trace efd9a11434f00831 ]--- +Kernel panic - not syncing: Fatal exception in interrupt +Pid: 3, comm: ksoftirqd/0 Tainted: G D W 2.6.37+ #39 +Call Trace: + [<c13fede1>] ? printk+0x1d/0x24 + [<c13fecce>] panic+0x66/0x15c + [<c10067df>] oops_end+0x8f/0x90 + [<c1025476>] no_context+0xc6/0x160 + [<c10255a8>] __bad_area_nosemaphore+0x98/0x140 + [<c103cf68>] ? release_console_sem+0x1d8/0x210 + [<c1025667>] bad_area_nosemaphore+0x17/0x20 + [<c1025a49>] do_page_fault+0x279/0x420 + [<c1006a8f>] ? show_trace+0x1f/0x30 + [<c13fede1>] ? printk+0x1d/0x24 + [<c10257d0>] ? do_page_fault+0x0/0x420 + [<c140333b>] error_code+0x5f/0x64 + [<c103007b>] ? select_task_rq_fair+0x37b/0x6a0 + [<c10257d0>] ? do_page_fault+0x0/0x420 + [<c11dd7bd>] ? list_del+0x1d/0x120 + [<f8051fac>] acm_rx_tasklet+0x2dc/0x3e0 [cdc_acm] + [<c106dbab>] ? trace_hardirqs_on+0xb/0x10 + [<c1042b30>] ? tasklet_action+0x60/0x140 + [<c1042bb6>] tasklet_action+0xe6/0x140 + [<c104342f>] __do_softirq+0xaf/0x210 + [<c1043380>] ? __do_softirq+0x0/0x210 + <IRQ> [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0 + [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0 + [<c105ac24>] ? kthread+0x74/0x80 + [<c105abb0>] ? kthread+0x0/0x80 + [<c100337a>] ? 
kernel_thread_helper+0x6/0x10 +panic occurred, switching back to text console +------------[ cut here ]------------ + +Signed-off-by: Johan Hovold <jhovold@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/class/cdc-acm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -652,8 +652,10 @@ static void acm_port_down(struct acm *ac + usb_kill_urb(acm->ctrlurb); + for (i = 0; i < ACM_NW; i++) + usb_kill_urb(acm->wb[i].urb); ++ tasklet_disable(&acm->urb_task); + for (i = 0; i < nr; i++) + usb_kill_urb(acm->ru[i].urb); ++ tasklet_enable(&acm->urb_task); + acm->control->needs_remote_wakeup = 0; + usb_autopm_put_interface(acm->control); + } diff --git a/queue-2.6.33/usb-cdc-acm-fix-potential-null-pointer-dereference-on-disconnect.patch b/queue-2.6.33/usb-cdc-acm-fix-potential-null-pointer-dereference-on-disconnect.patch new file mode 100644 index 0000000..04fac27 --- /dev/null +++ b/queue-2.6.33/usb-cdc-acm-fix-potential-null-pointer-dereference-on-disconnect.patch 
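Review bot: In acm_port_down the tasklet is re-enabled immediately after the read urbs are killed, so a run of acm_rx_tasklet that was scheduled while it was disabled will execute as soon as `tasklet_enable(&acm->urb_task)` returns. Whether that run can resubmit read urbs depends on a readiness check inside acm_rx_tasklet, which is not part of this hunk; the list corruption shown in the commit message is what results if it can. A comment stating the assumption would make the pairing reviewable, for example `/* the tasklet may still run after enable; it must see the port as not ready and return */`. acm_port_down starts outside the hunk.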
@@ -0,0 +1,42 @@
+From 7e7797e7f6f7bfab73fca02c65e40eaa5bb9000c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Tue, 22 Mar 2011 11:12:11 +0100
+Subject: USB: cdc-acm: fix potential null-pointer dereference on disconnect
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 7e7797e7f6f7bfab73fca02c65e40eaa5bb9000c upstream.
+
+Fix potential null-pointer exception on disconnect introduced by commit
+11ea859d64b69a747d6b060b9ed1520eab1161fe (USB: additional power savings
+for cdc-acm devices that support remote wakeup).
+
+Only access acm->dev after making sure it is non-null in control urb
+completion handler.
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/class/cdc-acm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -297,6 +297,8 @@ static void acm_ctrl_irq(struct urb *urb
+ if (!ACM_READY(acm))
+ goto exit;
+
++ usb_mark_last_busy(acm->dev);
++
+ data = (unsigned char *)(dr + 1);
+ switch (dr->bNotificationType) {
+ case USB_CDC_NOTIFY_NETWORK_CONNECTION:
+@@ -336,7 +338,6 @@ static void acm_ctrl_irq(struct urb *urb
+ break;
+ }
+ exit:
+- usb_mark_last_busy(acm->dev);
+ retval = usb_submit_urb(urb, GFP_ATOMIC);
+ if (retval)
+ dev_err(&urb->dev->dev, "%s - usb_submit_urb failed with "
diff --git a/queue-2.6.33/usb-cdc-acm-fix-potential-null-pointer-dereference.patch b/queue-2.6.33/usb-cdc-acm-fix-potential-null-pointer-dereference.patch
new file mode 100644
index 0000000..319539f
--- /dev/null
+++ b/queue-2.6.33/usb-cdc-acm-fix-potential-null-pointer-dereference.patch
@@ -0,0 +1,29 @@
+From 15e5bee33ffc11d0e5c6f819a65e7881c5c407be Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Tue, 22 Mar 2011 11:12:10 +0100
+Subject: USB: cdc-acm: fix potential null-pointer dereference
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 15e5bee33ffc11d0e5c6f819a65e7881c5c407be upstream.
+
+Must check return value of tty_port_tty_get.
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/class/cdc-acm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -534,6 +534,8 @@ static void acm_softint(struct work_stru
+ if (!ACM_READY(acm))
+ return;
+ tty = tty_port_tty_get(&acm->port);
++ if (!tty)
++ return;
+ tty_wakeup(tty);
+ tty_kref_put(tty);
+ }
diff --git a/queue-2.6.33/usb-uss720-fixup-refcount-position.patch b/queue-2.6.33/usb-uss720-fixup-refcount-position.patch
new file mode 100644
index 0000000..88a9deb
--- /dev/null
+++ b/queue-2.6.33/usb-uss720-fixup-refcount-position.patch
@@ -0,0 +1,41 @@
+From adaa3c6342b249548ea830fe8e02aa5b45be8688 Mon Sep 17 00:00:00 2001
+From: Peter Holik <peter@holik.at>
+Date: Fri, 18 Mar 2011 18:47:44 +0100
+Subject: USB: uss720 fixup refcount position
+
+From: Peter Holik <peter@holik.at>
+
+commit adaa3c6342b249548ea830fe8e02aa5b45be8688 upstream.
+
+My testprog do a lot of bitbang - after hours i got following warning and my machine lockups:
+WARNING: at /build/buildd/linux-2.6.38/lib/kref.c:34
+After debugging uss720 driver i discovered that the completion callback was called before
+usb_submit_urb returns. The callback frees the request structure that is krefed on return by
+usb_submit_urb.
+
+Signed-off-by: Peter Holik <peter@holik.at>
+Acked-by: Thomas Sailer <t.sailer@alumni.ethz.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/misc/uss720.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/misc/uss720.c
++++ b/drivers/usb/misc/uss720.c
+@@ -176,12 +176,11 @@ static struct uss720_async_request *subm
+ spin_lock_irqsave(&priv->asynclock, flags);
+ list_add_tail(&rq->asynclist, &priv->asynclist);
+ spin_unlock_irqrestore(&priv->asynclock, flags);
++ kref_get(&rq->ref_count);
+ ret = usb_submit_urb(rq->urb, mem_flags);
+- if (!ret) {
+- kref_get(&rq->ref_count);
++ if (!ret)
+ return rq;
+- }
+- kref_put(&rq->ref_count, destroy_async);
++ destroy_async(&rq->ref_count);
+ err("submit_async_request submit_urb failed with %d", ret);
+ return NULL;
+ }
diff --git a/queue-2.6.33/uvcvideo-fix-descriptor-parsing-for-video-output-devices.patch b/queue-2.6.33/uvcvideo-fix-descriptor-parsing-for-video-output-devices.patch
new file mode 100644
index 0000000..671ce55
--- /dev/null
+++ b/queue-2.6.33/uvcvideo-fix-descriptor-parsing-for-video-output-devices.patch
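Review bot: On the failure path of submit_async_request the release function is now called by hand, `destroy_async(&rq->ref_count)`, which tears the request down without consulting the reference count. At that point the count is presumably 2 (the initial reference taken where rq is set up, outside the hunk, plus the new `kref_get`), and rq has already been published on priv->asynclist by `list_add_tail`, so any other path that took a reference in between would be left with a pointer to a destroyed request. Dropping both references through the kref keeps the accounting intact and has the same effect when nobody else holds one: `kref_put(&rq->ref_count, destroy_async);` issued twice in place of the direct call. The function starts outside the hunk.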
@@ -0,0 +1,40 @@
+From 4093a5c4a3f59cba1a085bbf87b6ffdddc5a443d Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Date: Wed, 23 Feb 2011 11:19:17 -0300
+Subject: [media] uvcvideo: Fix descriptor parsing for video output devices
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+commit 4093a5c4a3f59cba1a085bbf87b6ffdddc5a443d upstream.
+
+Commit 4057ac6ca9a77c4275b34b5925ab5c99557913b1
+
+ V4L/DVB (13505): uvcvideo: Refactor chain scan
+
+broke output terminals parsing. Fix it.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/uvc/uvc_driver.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/media/video/uvc/uvc_driver.c
++++ b/drivers/media/video/uvc/uvc_driver.c
+@@ -1260,6 +1260,14 @@ static int uvc_scan_chain_entity(struct
+
+ break;
+
++ case UVC_OTT_VENDOR_SPECIFIC:
++ case UVC_OTT_DISPLAY:
++ case UVC_OTT_MEDIA_TRANSPORT_OUTPUT:
++ if (uvc_trace_param & UVC_TRACE_PROBE)
++ printk(" OT %d", entity->id);
++
++ break;
++
+ case UVC_TT_STREAMING:
+ if (UVC_ENTITY_IS_ITERM(entity)) {
+ if (uvc_trace_param & UVC_TRACE_PROBE)
diff --git a/queue-2.6.33/uvcvideo-fix-uvc_fixup_video_ctrl-format-search.patch b/queue-2.6.33/uvcvideo-fix-uvc_fixup_video_ctrl-format-search.patch
new file mode 100644
index 0000000..acb839f
--- /dev/null
+++ b/queue-2.6.33/uvcvideo-fix-uvc_fixup_video_ctrl-format-search.patch
@@ -0,0 +1,50 @@
+From 38a66824d96de8aeeb915e6f46f0d3fe55828eb1 Mon Sep 17 00:00:00 2001
+From: Stephan Lachowsky <stephan.lachowsky@maxim-ic.com>
+Date: Thu, 27 Jan 2011 23:04:33 -0300
+Subject: [media] uvcvideo: Fix uvc_fixup_video_ctrl() format search
+
+From: Stephan Lachowsky <stephan.lachowsky@maxim-ic.com>
+
+commit 38a66824d96de8aeeb915e6f46f0d3fe55828eb1 upstream.
+
+The scheme used to index format in uvc_fixup_video_ctrl() is not robust:
+format index is based on descriptor ordering, which does not necessarily
+match bFormatIndex ordering. Searching for first matching format will
+prevent uvc_fixup_video_ctrl() from using the wrong format/frame to make
+adjustments.
+
+Signed-off-by: Stephan Lachowsky <stephan.lachowsky@maxim-ic.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/uvc/uvc_video.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/video/uvc/uvc_video.c
++++ b/drivers/media/video/uvc/uvc_video.c
+@@ -64,15 +64,19 @@ int uvc_query_ctrl(struct uvc_device *de
+ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream,
+ struct uvc_streaming_control *ctrl)
+ {
+- struct uvc_format *format;
++ struct uvc_format *format = NULL;
+ struct uvc_frame *frame = NULL;
+ unsigned int i;
+
+- if (ctrl->bFormatIndex <= 0 ||
+- ctrl->bFormatIndex > stream->nformats)
+- return;
++ for (i = 0; i < stream->nformats; ++i) {
++ if (stream->format[i].index == ctrl->bFormatIndex) {
++ format = &stream->format[i];
++ break;
++ }
++ }
+
+- format = &stream->format[ctrl->bFormatIndex - 1];
++ if (format == NULL)
++ return;
+
+ for (i = 0; i < format->nframes; ++i) {
+ if (format->frame[i].bFrameIndex == ctrl->bFrameIndex) { |