<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/drivers, branch v2.6.32.55</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/drivers?h=v2.6.32.55</id>
<link rel='self' href='https://git.amat.us/linux/atom/drivers?h=v2.6.32.55'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2012-01-25T21:53:24Z</updated>
<entry>
<title>sym53c8xx: Fix NULL pointer dereference in slave_destroy</title>
<updated>2012-01-25T21:53:24Z</updated>
<author>
<name>Stratos Psomadakis</name>
<email>psomas@gentoo.org</email>
</author>
<published>2011-12-04T00:23:54Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=751153cccad7b285060c11af30379fcf599dc625'/>
<id>urn:sha1:751153cccad7b285060c11af30379fcf599dc625</id>
<content type='text'>
commit cced5041ed5a2d1352186510944b0ddfbdbe4c0b upstream.

sym53c8xx_slave_destroy unconditionally assumes that sym53c8xx_slave_alloc has
succesesfully allocated a sym_lcb. This can lead to a NULL pointer dereference
(exposed by commit 4e6c82b).

Signed-off-by: Stratos Psomadakis &lt;psomas@gentoo.org&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Parallels.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>block: add and use scsi_blk_cmd_ioctl</title>
<updated>2012-01-25T21:53:24Z</updated>
<author>
<name>Paolo Bonzini</name>
<email>pbonzini@redhat.com</email>
</author>
<published>2012-01-12T15:01:27Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=9e5cfd33a485494c731458de02ae58ea256538b8'/>
<id>urn:sha1:9e5cfd33a485494c731458de02ae58ea256538b8</id>
<content type='text'>
commit 577ebb374c78314ac4617242f509e2f5e7156649 upstream.

Introduce a wrapper around scsi_cmd_ioctl that takes a block device.

The function will then be enhanced to detect partition block devices
and, in that case, subject the ioctls to whitelisting.

Cc: linux-scsi@vger.kernel.org
Cc: Jens Axboe &lt;axboe@kernel.dk&gt;
Cc: James Bottomley &lt;JBottomley@parallels.com&gt;
Signed-off-by: Paolo Bonzini &lt;pbonzini@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
[bwh: Backport to 2.6.32 - adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>USB: Fix 'bad dma' problem on WDM device disconnect</title>
<updated>2012-01-25T21:53:23Z</updated>
<author>
<name>Robert Lukassen</name>
<email>Robert.Lukassen@tomtom.com</email>
</author>
<published>2011-03-16T11:13:34Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=dc01426e7f98c1e79bbbb41a991d7d4cf77ac968'/>
<id>urn:sha1:dc01426e7f98c1e79bbbb41a991d7d4cf77ac968</id>
<content type='text'>
commit 878b753e32ca765cd346a5d3038d630178ec78ff upstream.
[ changed s/usb_free_coherent/usb_buffer_free/ for 2.6.32.x]

In the WDM class driver a disconnect event leads to calls to
usb_free_coherent to put back two USB DMA buffers allocated earlier.
The call to usb_free_coherent uses a different size parameter
(desc-&gt;wMaxCommand) than the corresponding call to usb_alloc_coherent
(desc-&gt;bMaxPacketSize0).

When a disconnect event occurs, this leads to 'bad dma' complaints
from usb core because the USB DMA buffer is being pushed back to the
'buffer-2048' pool from which it has not been allocated.

This patch against the most recent linux-2.6 kernel ensures that the
parameters used by usb_alloc_coherent &amp; usb_free_coherent calls in
cdc-wdm.c match.

Signed-off-by: Robert Lukassen &lt;robert.lukassen@tomtom.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
Signed-off-by: Bjørn Mork &lt;bjorn@mork.no&gt;

</content>
</entry>
<entry>
<title>USB: cdc-wdm: fix misuse of logical operation in place of bitop</title>
<updated>2012-01-25T21:53:23Z</updated>
<author>
<name>David Sterba</name>
<email>dsterba@suse.cz</email>
</author>
<published>2010-12-27T17:49:58Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=a979c54ee6bac03999183e1c6aa9dea193be98ca'/>
<id>urn:sha1:a979c54ee6bac03999183e1c6aa9dea193be98ca</id>
<content type='text'>
commit 0cdfb819b6a97e79c7a0aa0c471cd7000367103b upstream.

CC: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
CC: Oliver Neukum &lt;oliver@neukum.org&gt;
CC: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
Signed-off-by: Bjørn Mork &lt;bjorn@mork.no&gt;

</content>
</entry>
<entry>
<title>V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()</title>
<updated>2012-01-25T21:53:21Z</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2012-01-05T05:27:57Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=537400450bd43daf3f99efe35efd0ccaf16f38b1'/>
<id>urn:sha1:537400450bd43daf3f99efe35efd0ccaf16f38b1</id>
<content type='text'>
commit 6c06108be53ca5e94d8b0e93883d534dd9079646 upstream.

If ctrls-&gt;count is too high the multiplication could overflow and
array_size would be lower than expected.  Mauro and Hans Verkuil
suggested that we cap it at 1024.  That comes from the maximum
number of controls with lots of room for expantion.

$ grep V4L2_CID include/linux/videodev2.h | wc -l
211

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>i2c: Fix error value returned by several bus drivers</title>
<updated>2012-01-25T21:53:21Z</updated>
<author>
<name>Jean Delvare</name>
<email>khali@linux-fr.org</email>
</author>
<published>2012-01-12T19:32:03Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=adafb366fb48fba6384818fa117ac89ce4ea75a8'/>
<id>urn:sha1:adafb366fb48fba6384818fa117ac89ce4ea75a8</id>
<content type='text'>
commit 7c1f59c9d5caf3a84f35549b5d58f3c055a68da5 upstream.

When adding checks for ACPI resource conflicts to many bus drivers,
not enough attention was paid to the error paths, and for several
drivers this causes 0 to be returned on error in some cases. Fix this
by properly returning a non-zero value on every error.

Signed-off-by: Jean Delvare &lt;khali@linux-fr.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>UBI: fix nameless volumes handling</title>
<updated>2012-01-25T21:53:21Z</updated>
<author>
<name>Richard Weinberger</name>
<email>richard@nod.at</email>
</author>
<published>2012-01-13T14:07:40Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=0e60934064ce77caeff195b0de40b904f4098da3'/>
<id>urn:sha1:0e60934064ce77caeff195b0de40b904f4098da3</id>
<content type='text'>
commit 4a59c797a18917a5cf3ff7ade296b46134d91e6a upstream.

Currently it's possible to create a volume without a name. E.g:
ubimkvol -n 32 -s 2MiB -t static /dev/ubi0 -N ""

After that vtbl_check() will always fail because it does not permit
empty strings.

Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Artem Bityutskiy &lt;Artem.Bityutskiy@linux.intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>PNP: work around Dell 1536/1546 BIOS MMCONFIG bug that breaks USB</title>
<updated>2012-01-25T21:53:20Z</updated>
<author>
<name>Bjorn Helgaas</name>
<email>bhelgaas@google.com</email>
</author>
<published>2012-01-05T21:27:24Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=2215d91091c465fd58da7814d1c10e09ac2d8307'/>
<id>urn:sha1:2215d91091c465fd58da7814d1c10e09ac2d8307</id>
<content type='text'>
commit eb31aae8cb5eb54e234ed2d857ddac868195d911 upstream.

Some Dell BIOSes have MCFG tables that don't report the entire
MMCONFIG area claimed by the chipset.  If we move PCI devices into
that claimed-but-unreported area, they don't work.

This quirk reads the AMD MMCONFIG MSRs and adds PNP0C01 resources as
needed to cover the entire area.

Example problem scenario:

  BIOS-e820: 00000000cfec5400 - 00000000d4000000 (reserved)
  Fam 10h mmconf [d0000000, dfffffff]
  PCI: MMCONFIG for domain 0000 [bus 00-3f] at [mem 0xd0000000-0xd3ffffff] (base 0xd0000000)
  pnp 00:0c: [mem 0xd0000000-0xd3ffffff]
  pci 0000:00:12.0: reg 10: [mem 0xffb00000-0xffb00fff]
  pci 0000:00:12.0: no compatible bridge window for [mem 0xffb00000-0xffb00fff]
  pci 0000:00:12.0: BAR 0: assigned [mem 0xd4000000-0xd40000ff]

Reported-by: Lisa Salimbas &lt;lisa.salimbas@canonical.com&gt;
Reported-by: &lt;thuban@singularity.fr&gt;
Tested-by: dann frazier &lt;dann.frazier@canonical.com&gt;
References: https://bugzilla.kernel.org/show_bug.cgi?id=31602
References: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/647043
References: https://bugzilla.redhat.com/show_bug.cgi?id=770308
Signed-off-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
Signed-off-by: Jesse Barnes &lt;jbarnes@virtuousgeek.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>xen/xenbus: Reject replies with payload &gt; XENSTORE_PAYLOAD_MAX.</title>
<updated>2012-01-25T21:53:20Z</updated>
<author>
<name>Ian Campbell</name>
<email>Ian.Campbell@citrix.com</email>
</author>
<published>2012-01-04T09:34:49Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=76f494aa33a8785d494c4f31fb1d348d44b26288'/>
<id>urn:sha1:76f494aa33a8785d494c4f31fb1d348d44b26288</id>
<content type='text'>
commit 9e7860cee18241633eddb36a4c34c7b61d8cecbc upstream.

Haogang Chen found out that:

 There is a potential integer overflow in process_msg() that could result
 in cross-domain attack.

 	body = kmalloc(msg-&gt;hdr.len + 1, GFP_NOIO | __GFP_HIGH);

 When a malicious guest passes 0xffffffff in msg-&gt;hdr.len, the subsequent
 call to xb_read() would write to a zero-length buffer.

 The other end of this connection is always the xenstore backend daemon
 so there is no guest (malicious or otherwise) which can do this. The
 xenstore daemon is a trusted component in the system.

 However this seem like a reasonable robustness improvement so we should
 have it.

And Ian when read the API docs found that:
        The payload length (len field of the header) is limited to 4096
        (XENSTORE_PAYLOAD_MAX) in both directions.  If a client exceeds the
        limit, its xenstored connection will be immediately killed by
        xenstored, which is usually catastrophic from the client's point of
        view.  Clients (particularly domains, which cannot just reconnect)
        should avoid this.

so this patch checks against that instead.

This also avoids a potential integer overflow pointed out by Haogang Chen.

Signed-off-by: Ian Campbell &lt;ian.campbell@citrix.com&gt;
Cc: Haogang Chen &lt;haogangchen@gmail.com&gt;
Signed-off-by: Konrad Rzeszutek Wilk &lt;konrad.wilk@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>PCI: msi: Disable msi interrupts when we initialize a pci device</title>
<updated>2012-01-25T21:53:19Z</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2011-10-17T18:46:06Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=c3914e688d696bdda2b2df0b56df1ecba59bbfab'/>
<id>urn:sha1:c3914e688d696bdda2b2df0b56df1ecba59bbfab</id>
<content type='text'>
commit a776c491ca5e38c26d9f66923ff574d041e747f4 upstream.

I traced a nasty kexec on panic boot failure to the fact that we had
screaming msi interrupts and we were not disabling the msi messages at
kernel startup.  The booting kernel had not enabled those interupts so
was not prepared to handle them.

I can see no reason why we would ever want to leave the msi interrupts
enabled at boot if something else has enabled those interrupts.  The pci
spec specifies that msi interrupts should be off by default.  Drivers
are expected to enable the msi interrupts if they want to use them.  Our
interrupt handling code reprograms the interrupt handlers at boot and
will not be be able to do anything useful with an unexpected interrupt.

This patch applies cleanly all of the way back to 2.6.32 where I noticed
the problem.

Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Signed-off-by: Jesse Barnes &lt;jbarnes@virtuousgeek.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
</feed>
