authorGreg Kroah-Hartman <gregkh@suse.de>2011-07-19 05:55:50 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2011-07-19 05:55:50 -0700
commit29be9ef5e43df840fb19af1d4b3dfa51b3a956c8 (patch)
tree207519d4dbf7aded1a507dca2e0f89429056d025
parent0dbd04655926d2354a97f571d322e76793cba023 (diff)
.33 patches
-rw-r--r--queue-2.6.33/hwmon-asus_atk0110-fix-memory-leak.patch30
-rw-r--r--queue-2.6.33/hwmon-max1111-fix-race-condition-causing-null-pointer-exception.patch80
-rw-r--r--queue-2.6.33/series3
-rw-r--r--queue-2.6.33/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch48
4 files changed, 161 insertions, 0 deletions
diff --git a/queue-2.6.33/hwmon-asus_atk0110-fix-memory-leak.patch b/queue-2.6.33/hwmon-asus_atk0110-fix-memory-leak.patch
new file mode 100644
index 0000000..d75de8b
--- /dev/null
+++ b/queue-2.6.33/hwmon-asus_atk0110-fix-memory-leak.patch
@@ -0,0 +1,30 @@
+From 0b8e77f12cb6bfe2e5a67f2cdc8c7af23abc4ccf Mon Sep 17 00:00:00 2001
+From: Luca Tettamanti <kronos.it@gmail.com>
+Date: Sun, 17 Jul 2011 18:39:18 +0200
+Subject: hwmon: (asus_atk0110) Fix memory leak
+
+From: Luca Tettamanti <kronos.it@gmail.com>
+
+commit 0b8e77f12cb6bfe2e5a67f2cdc8c7af23abc4ccf upstream.
+
+The object returned by atk_gitm is dynamically allocated and must be
+freed.
+
+Signed-off-by: Luca Tettamanti <kronos.it@gmail.com>
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/hwmon/asus_atk0110.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hwmon/asus_atk0110.c
++++ b/drivers/hwmon/asus_atk0110.c
+@@ -654,6 +654,7 @@ static int atk_debugfs_gitm_get(void *p,
+ else
+ err = -EIO;
+
++ ACPI_FREE(ret);
+ return err;
+ }
+
diff --git a/queue-2.6.33/hwmon-max1111-fix-race-condition-causing-null-pointer-exception.patch b/queue-2.6.33/hwmon-max1111-fix-race-condition-causing-null-pointer-exception.patch
new file mode 100644
index 0000000..a91641f
--- /dev/null
+++ b/queue-2.6.33/hwmon-max1111-fix-race-condition-causing-null-pointer-exception.patch
@@ -0,0 +1,80 @@
+From d3f684f2820a7f42acef68bea6622d9032127fb2 Mon Sep 17 00:00:00 2001
+From: Pavel Herrmann <morpheus.ibis@gmail.com>
+Date: Sun, 17 Jul 2011 18:39:19 +0200
+Subject: hwmon: (max1111) Fix race condition causing NULL pointer exception
+
+From: Pavel Herrmann <morpheus.ibis@gmail.com>
+
+commit d3f684f2820a7f42acef68bea6622d9032127fb2 upstream.
+
+spi_sync call uses its spi_message parameter to keep completion information,
+using a drvdata structure is not thread-safe. Use a mutex to prevent
+multiple access to shared driver data.
+
+Signed-off-by: Pavel Herrmann <morpheus.ibis@gmail.com>
+Acked-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Acked-by: Marek Vasut <marek.vasut@gmail.com>
+Acked-by: Cyril Hrubis <metan@ucw.cz>
+Tested-by: Stanislav Brabec <utx@penguin.cz>
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/hwmon/max1111.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/hwmon/max1111.c
++++ b/drivers/hwmon/max1111.c
+@@ -39,6 +39,8 @@ struct max1111_data {
+ struct spi_transfer xfer[2];
+ uint8_t *tx_buf;
+ uint8_t *rx_buf;
++ struct mutex drvdata_lock;
++ /* protect msg, xfer and buffers from multiple access */
+ };
+
+ static int max1111_read(struct device *dev, int channel)
+@@ -47,6 +49,9 @@ static int max1111_read(struct device *d
+ uint8_t v1, v2;
+ int err;
+
++ /* writing to drvdata struct is not thread safe, wait on mutex */
++ mutex_lock(&data->drvdata_lock);
++
+ data->tx_buf[0] = (channel << MAX1111_CTRL_SEL_SH) |
+ MAX1111_CTRL_PD0 | MAX1111_CTRL_PD1 |
+ MAX1111_CTRL_SGL | MAX1111_CTRL_UNI | MAX1111_CTRL_STR;
+@@ -54,12 +59,15 @@ static int max1111_read(struct device *d
+ err = spi_sync(data->spi, &data->msg);
+ if (err < 0) {
+ dev_err(dev, "spi_sync failed with %d\n", err);
++ mutex_unlock(&data->drvdata_lock);
+ return err;
+ }
+
+ v1 = data->rx_buf[0];
+ v2 = data->rx_buf[1];
+
++ mutex_unlock(&data->drvdata_lock);
++
+ if ((v1 & 0xc0) || (v2 & 0x3f))
+ return -EINVAL;
+
+@@ -175,6 +183,8 @@ static int __devinit max1111_probe(struc
+ if (err)
+ goto err_free_data;
+
++ mutex_init(&data->drvdata_lock);
++
+ data->spi = spi;
+ spi_set_drvdata(spi, data);
+
+@@ -212,6 +222,7 @@ static int __devexit max1111_remove(stru
+
+ hwmon_device_unregister(data->hwmon_dev);
+ sysfs_remove_group(&spi->dev.kobj, &max1111_attr_group);
++ mutex_destroy(&data->drvdata_lock);
+ kfree(data->rx_buf);
+ kfree(data->tx_buf);
+ kfree(data);
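Review bot: In max1111_read, `drvdata_lock` is released in two places: inside the `if (err < 0)` branch and again after `rx_buf` has been copied into `v1`/`v2`. An early return added later between `mutex_lock` and the second `mutex_unlock` would therefore leave the mutex held. Copying `data->rx_buf[0]` and `data->rx_buf[1]` into the locals before testing `err` would allow a single `mutex_unlock(&data->drvdata_lock);` directly ahead of `if (err < 0)`, keeping lock and unlock visibly paired. In the struct hunk, the comment `/* protect msg, xfer and buffers from multiple access */` follows the member it describes; placing it above `drvdata_lock` would read more naturally. max1111_read starts above the hunk and continues past it.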
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
index 14ff91c..1465dea 100644
--- a/queue-2.6.33/series
+++ b/queue-2.6.33/series
@@ -5,3 +5,6 @@ bttv-fix-s_tuner-for-radio.patch
fs-partitions-efi.c-corrupted-guid-partition-tables-can-cause-kernel-oops.patch
sunrpc-fix-a-race-between-work-queue-and-rpc_killall_tasks.patch
sunrpc-fix-use-of-static-variable-in-rpcb_getport_async.patch
+si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
+hwmon-asus_atk0110-fix-memory-leak.patch
+hwmon-max1111-fix-race-condition-causing-null-pointer-exception.patch
diff --git a/queue-2.6.33/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch b/queue-2.6.33/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
new file mode 100644
index 0000000..d99c471
--- /dev/null
+++ b/queue-2.6.33/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
@@ -0,0 +1,48 @@
+From dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@redhat.com>
+Date: Sun, 17 Jul 2011 00:24:37 -0300
+Subject: si4713-i2c: avoid potential buffer overflow on si4713
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6 upstream.
+
+While compiling it with Fedora 15, I noticed this issue:
+
+ inlined from ‘si4713_write_econtrol_string’ at drivers/media/radio/si4713-i2c.c:1065:24:
+ arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Acked-by: Sakari Ailus <sakari.ailus@maxwell.research.nokia.com>
+Acked-by: Eduardo Valentin <edubezval@gmail.com>
+Reviewed-by: Eugene Teo <eugeneteo@kernel.sg>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/radio/si4713-i2c.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/radio/si4713-i2c.c
++++ b/drivers/media/radio/si4713-i2c.c
+@@ -1003,7 +1003,7 @@ static int si4713_write_econtrol_string(
+ char ps_name[MAX_RDS_PS_NAME + 1];
+
+ len = control->size - 1;
+- if (len > MAX_RDS_PS_NAME) {
++ if (len < 0 || len > MAX_RDS_PS_NAME) {
+ rval = -ERANGE;
+ goto exit;
+ }
+@@ -1025,7 +1025,7 @@ static int si4713_write_econtrol_string(
+ char radio_text[MAX_RDS_RADIO_TEXT + 1];
+
+ len = control->size - 1;
+- if (len > MAX_RDS_RADIO_TEXT) {
++ if (len < 0 || len > MAX_RDS_RADIO_TEXT) {
+ rval = -ERANGE;
+ goto exit;
+ }
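Review bot: The added `len < 0` test in the MAX_RDS_PS_NAME hunk only works if `len` is declared with a signed type, and that declaration is outside both hunks, so it is worth confirming. The same applies to the MAX_RDS_RADIO_TEXT hunk. `control->size` looks caller-supplied, and a size of 0 makes `len` equal to -1 before it reaches the copy_from_user() call named in the commit message. The description mentions only the build error, so a short comment above each check, such as `/* size == 0 would make len negative; reject before copy_from_user() */`, would record why the lower bound exists. si4713_write_econtrol_string begins and ends outside these hunks.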