This bug were supposed to be fixed by 5ba2f67a,
where a call to NULL happens.

Not all tvaudio chips allow controlling bass/treble. So, the driver
has a table with a flag to indicate if the chip does support it.

Unfortunately, the handling of this logic were broken for a very long
time (probably since the first module version). Due to that, an OOPS
were generated for devices that don't support bass/treble.

This were the resulting OOPS message before the patch, with debug messages
enabled:

tvaudio' 1-005b: VIDIOC_S_CTRL
BUG: unable to handle kernel NULL pointer dereference at 00000000
IP: [<00000000>]
*pde = 22fda067 *pte = 00000000
Oops: 0000 [#1] SMP
Modules linked in: snd_hda_intel snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device
snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_hwdep snd soundcore tuner_simple tuner_types tea5767 tuner
tvaudio bttv bridgebnep rfcomm l2cap bluetooth it87 hwmon_vid hwmon fuse sunrpc ipt_REJECT
nf_conntrack_ipv4 iptable_filter ip_tables ip6t_REJECT xt_tcpudp nf_conntrack_ipv6 xt_state nf_conntrack
ip6table_filter ip6_tables x_tables ipv6 dm_mirrordm_multipath dm_mod configfs videodev v4l1_compat
ir_common 8139cp compat_ioctl32 v4l2_common 8139too videobuf_dma_sg videobuf_core mii btcx_risc tveeprom
i915 button snd_page_alloc serio_raw drm pcspkr i2c_algo_bit i2c_i801 i2c_core iTCO_wdt
iTCO_vendor_support sr_mod cdrom sg ata_generic pata_acpi ata_piix libata sd_mod scsi_mod ext3 jbdmbcache
uhci_hcd ohci_hcd ehci_hcd [last unloaded: soundcore]

Pid: 15413, comm: qv4l2 Not tainted (2.6.25.14-108.fc9.i686 #1)
EIP: 0060:[<00000000>] EFLAGS: 00210246 CPU: 0
EIP is at 0x0
EAX: 00008000 EBX: ebd21600 ECX: e2fd9ec4 EDX: 00200046
ESI: f8c0f0c4 EDI: f8c0f0c4 EBP: e2fd9d50 ESP: e2fd9d2c
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process qv4l2 (pid: 15413, ti=e2fd9000 task=ebe44000 task.ti=e2fd9000)
Stack: f8c0c6ae e2ff2a00 00000d00 e2fd9ec4 ebc4e000 e2fd9d5c f8c0c448 00000000
       f899c12a e2fd9d5c f899c154 e2fd9d68 e2fd9d80 c0560185 e2fd9d88 f8f3e1d8
       f8f3e1dc ebc4e034 f8f3e18c e2fd9ec4 00000000 e2fd9d90 f899c286 c008561c
Call Trace:
 [<f8c0c6ae>] ? chip_command+0x266/0x4b6 [tvaudio]
 [<f8c0c448>] ? chip_command+0x0/0x4b6 [tvaudio]
 [<f899c12a>] ? i2c_cmd+0x0/0x2f [i2c_core]
 [<f899c154>] ? i2c_cmd+0x2a/0x2f [i2c_core]
 [<c0560185>] ? device_for_each_child+0x21/0x49
 [<f899c286>] ? i2c_clients_command+0x1c/0x1e [i2c_core]
 [<f8f283d8>] ? bttv_call_i2c_clients+0x14/0x16 [bttv]
 [<f8f23601>] ? bttv_s_ctrl+0x1bc/0x313 [bttv]
 [<f8f23445>] ? bttv_s_ctrl+0x0/0x313 [bttv]
 [<f8b6096d>] ? __video_do_ioctl+0x1f84/0x3726 [videodev]
 [<c05abb4e>] ? sock_aio_write+0x100/0x10d
 [<c041b23e>] ? kmap_atomic_prot+0x1dd/0x1df
 [<c043a0c9>] ? enqueue_hrtimer+0xc2/0xcd
 [<c04f4fa4>] ? copy_from_user+0x39/0x121
 [<f8b622b9>] ? __video_ioctl2+0x1aa/0x24a [videodev]
 [<c04054fd>] ? do_notify_resume+0x768/0x795
 [<c043c0f7>] ? getnstimeofday+0x34/0xd1
 [<c0437b77>] ? autoremove_wake_function+0x0/0x33
 [<f8b62368>] ? video_ioctl2+0xf/0x13 [videodev]
 [<c048c6f0>] ? vfs_ioctl+0x50/0x69
 [<c048c942>] ? do_vfs_ioctl+0x239/0x24c
 [<c048c995>] ? sys_ioctl+0x40/0x5b
 [<c0405bf2>] ? syscall_call+0x7/0xb
 [<c0620000>] ? cpuid4_cache_sysfs_exit+0x3d/0x69
 =======================
Code:  Bad EIP value.
EIP: [<00000000>] 0x0 SS:ESP 0068:e2fd9d2c
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

Before the patch, the used ioctl were printed as an hexadecimal code,
hard to be understand without consulting the way _IO macros work.
Instead, use the V4L default handler for printing such errors into a way
that would be easier to understand.
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

Some comments are not clear enough. Improve it to allow a better
understanding of the driver behavior.

While there, remove an unneeded struct prototype.
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

There were no check about the limits of shadow.bytes array. This offers
a risk of writing values outside the limits, overriding other data
areas.
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

Instead of storing the pointer for the proper entry at chip description
table, the driver were storing an indirect reference, by using an index.
Better to reference directly the data.
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

A driver used on several bttv boards since 2000 is not experimental
anymore ;) Remove it from the comments.

While there, update copyrights addind a quick note about the "recent"
updates since 2005.
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

This patch checks for volume, bass, treble, set mode and get mode
callbacks before actually enabling the code that would use them.

Instead of aborting the driver for load, this patch will allow it to
load with a reduced number of functionatities.

This prevents OOPS if some board entry is missing a needed callback.
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

generic_checkmode() were called, via a callback, for some tvaudio chips.
There's just one callback code used on all those boards. So, it makes no
sense on keeping this as a callback.

Since there were some OOPS reported on tvaudio on kerneloops.org, this
patch removes this callback, adding the code at the only place were it
is called: inside chip_tread. A flag were added to indicate the need for
a kernel thread to set stereo mode on cards that needs it.

Using this more direct approach simplifies the code, making it more
robust against human errors.
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

Also, the default standard is the first one. So, fix the comment at the
array.
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

Merge branch 'timers-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'timers-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  timers: handle HRTIMER_CB_IRQSAFE_UNLOCKED correctly from softirq context
  nohz: disable tick_nohz_kick_tick() for now
  irq: call __irq_enter() before calling the tick_idle_check
  x86: HPET: enter hpet_interrupt_handler with interrupts disabled
  x86: HPET: read from HPET_Tn_CMP() not HPET_T0_CMP
  x86: HPET: convert WARN_ON to WARN_ON_ONCE

Merge branch 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  sched: release buddies on yield
  fix for account_group_exec_runtime(), make sure ->signal can't be freed under rq->lock
  sched: clean up debug info

Merge branch 'tracing-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'tracing-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  ring-buffer: prevent infinite looping on time stamping
  ftrace: disable tracing on resize
  ftrace: fix breakage in bin_fmt results
  ftrace: ftrace.txt version update
  ftrace: update txt document

* 'for-linus' of git://oss.sgi.com/xfs/xfs:
  [XFS] XFS: Check for valid transaction headers in recovery
  [XFS] handle memory allocation failures during log initialisation
  [XFS] Account for allocated blocks when expanding directories
  [XFS] Wait for all I/O on truncate to zero file size
  [XFS] Fix use-after-free with log and quotas

* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mfasheh/ocfs2: (21 commits)
  ocfs2: Check search result in ocfs2_xattr_block_get()
  ocfs2: fix printk related build warnings in xattr.c
  ocfs2: truncate outstanding block after direct io failure
  ocfs2/xattr: Proper hash collision handle in bucket division
  ocfs2: return 0 in page_mkwrite to let VFS retry.
  ocfs2: Set journal descriptor to NULL after journal shutdown
  ocfs2: Fix check of return value of ocfs2_start_trans() in xattr.c.
  ocfs2: Let inode be really deleted when ocfs2_mknod_locked() fails
  ocfs2: Fix checking of return value of new_inode()
  ocfs2: Fix check of return value of ocfs2_start_trans()
  ocfs2: Fix some typos in xattr annotations.
  ocfs2: Remove unused ocfs2_restore_xattr_block().
  ocfs2: Don't repeat ocfs2_xattr_block_find()
  ocfs2: Specify appropriate journal access for new xattr buckets.
  ocfs2: Check errors from ocfs2_xattr_update_xattr_search()
  ocfs2: Don't return -EFAULT from a corrupt xattr entry.
  ocfs2: Check xattr block signatures properly.
  ocfs2: add handler_map array bounds checking
  ocfs2: remove duplicate definition in xattr
  ocfs2: fix function declaration and definition in xattr
  ...

Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6: (35 commits)
  V4L/DVB (9516): cx18: Move DVB buffer transfer handling from irq handler to work_queue
  V4L/DVB (9557): gspca: Small changes for the sensor HV7131B in zc3xx.
  V4L/DVB (9556): gspca: Bad init sequence for sensor HV7131B in zc3xx.
  V4L/DVB (9549): gspca: Fix a typo in one of gspca chips name.
  V4L/DVB (9515): cx18: Use correct Mailbox IRQ Ack values and misc IRQ handling cleanup
  V4L/DVB (9493): kconfig patch
  V4L/DVB (9527): af9015: fix compile warnings
  V4L/DVB (9524): af9013: fix bug in status reading
  V4L/DVB (9511): cx18: Mark CX18_CPU_DE_RELEASE_MDL as a slow API call
  V4L/DVB (9510): cx18: Fix write retries for registers that always change - part 2.
  V4L/DVB (9506): ivtv/cx18: fix test whether modules should be loaded or not.
  V4L/DVB (9499): cx88-mpeg: final fix for analogue only compilation + de-alloc fix
  V4L/DVB (9496): cx88-blackbird: bugfix: cx88-blackbird-mpeg-users
  V4L/DVB (9495): cx88-blackbird: bugfix: cx88-blackbird-poll-fix
  V4L/DVB (9494): anysee: initialize anysee_usb_mutex statically
  V4L/DVB (9492): unplug oops from dvb_frontend_init...
  V4L/DVB (9486): ivtv/ivtvfb: no longer experimental
  V4L/DVB (9485): ivtv: remove incorrect V4L1 & tvaudio dependency
  V4L/DVB (9482): Documentation, especially regarding audio and informational links
  V4L/DVB (9475): cx18: Disable write retries for registers that always change - part 1.
  ...

* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc:
  powerpc: Update desktop/server defconfigs
  powerpc: Fix msr check in compat_sys_swapcontext
  powerpc: Repair device bindings documentation
  powerpc: Updated Freescale PPC related defconfigs
  powerpc: Update QE/CPM2 usb_ctlr structures for USB support
  powerpc/86xx: Correct SOC bus-frequency in GE Fanuc SBC610 DTS
  powerpc: Fix Book-E watchdog timer interval setting
  powerpc/fsl-booke: Fix synchronization bug w/local tlb invalidates

* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/i915: Move legacy breadcrumb out of the reserved status page area
  drm/i915: Filter pci devices based on PCI_CLASS_DISPLAY_VGA
  drm/radeon: map registers at load time
  drm: Remove infrastructure for supporting i915's vblank swapping.
  i915: Remove racy delayed vblank swap ioctl.
  i915: Don't whine when pci_enable_msi() fails.
  i915: Don't attempt to short-circuit object_wait_rendering by checking domains.
  i915: Clean up sarea pointers on leavevt
  i915: Save/restore MCHBAR_RENDER_STANDBY on GM965/GM45

* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev:
  libata: fix last_reset timestamp handling
  libata: Avoid overflow in ata_tf_read_block() when tf->hba_lbal > 127
  [libata] pata_pcmcia: another memory card support
  [libata] pata_sch: notice attached slave devices
  [libata] pata_cs553*.c: cleanup kernel-doc

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6:
  sparc64: Update defconfig.
  Revert "sparc: correct section of current_pc()"

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
  dsa: fix master interface allmulti/promisc handling
  dsa: fix skb->pkt_type when mac address of slave interface differs
  net: fix setting of skb->tail in skb_recycle_check()
  net: fix /proc/net/snmp as memory corruptor
  mac80211: fix a buffer overrun in station debug code
  netfilter: payload_len is be16, add size of struct rather than size of pointer
  ipv6: fix ip6_mr_init error path
  [4/4] dca: fixup initialization dependency
  [3/4] I/OAT: fix async_tx.callback checking
  [2/4] I/OAT: fix dma_pin_iovec_pages() error handling
  [1/4] I/OAT: fix channel resources free for not allocated channels
  ssb: Fix DMA-API compilation for non-PCI systems
  SSB: hide empty sub menu
  vlan: Fix typos in proc output string
  [netdrvr] usb/hso: Cleanup rfkill error handling
  sfc: Correct address of gPXE boot configuration in EEPROM
  el3_common_init() should be __devinit, not __init
  hso: rfkill type should be WWAN
  mlx4_en: Start port error flow bug fix
  af_key: mark policy as dead before destroying

Clear buddies on yield, so that the buddy rules don't schedule them
despite them being placed right-most.

This fixed a performance regression with yield-happy binary JVMs.
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Tested-by: Lin Ming <ming.m.lin@intel.com>

cx18: Move DVB buffer transfer handling from irq handler to work_queue thread.
In order to properly lock the epu2cpu mailbox for driver to CX23418 commands,
the DVB/TS buffer handling needs to be moved from the IRQ handler and IRQ
context to a work queue.  This work_queue implmentation is strikingly similar
to the ivtv implementation - for better or worse.
Signed-off-by: Andy Walls <awalls@radix.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

- touch only one register for brightness change
- no quality control
- don't probe again at streamon time.
Signed-off-by: Jean-Francois Moine <moinejf@free.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

This patch fixes the H flip and the R & B color inversion of mode 320x240.
Signed-off-by: Jean-Francois Moine <moinejf@free.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

Signed-off-by: Krzysztof Helt <krzysztof.h1@wp.pl>
Signed-off-by: Jean-Francois Moine <moinejf@free.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

cx18: Use correct Mailbox IRQ Ack values and misc IRQ handling cleanup.
The SCB field definitions for Ack IRQ's for mailboxes were inconsistent with
the bitmasks being loaded into those SCB fields and the SW2 Ack IRQ handling
logic.  Renamed fields in SCB to make things consistent and did misc IRQ
handling cleanups: removing legacy ivtv dma_reg_lock, HPU IRQ flags, etc.
Signed-off-by: Andy Walls <awalls@radix.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

Ok I made a patch that converts gspca kconfig file to a more standard=
one, with tabs + 2 white spaces, so that if a warning is added it still
compiles
please find it attached
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

- use static to avoid compile warnings
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

- ! has a higher precedence than &
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

cx18: Mark CX18_CPU_DE_RELEASE_MDL as a slow API call.
Give the encoder time to complete the MDL release before destroying the
encoder internal task.  This avoids an encoder lockup on the next digital
capture and error messages about buffers being returned for an inactive
encoder task handle.
Signed-off-by: Andy Walls <awalls@radix.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

cx18: Fix write retries for registers that always change - part 2.
Some registers, especially interrupt related ones, will never read
back the value just written.  Modified interrupt register readback
checks to make sure the intended effect was achieved.
Signed-off-by: Andy Walls <awalls@radix.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

Final fix for when analogue only is selected
for compilation (ie, !CX88_DVB)

This tidies up previous fix and adds missing
de-alloc memory leak on fault (eg, if fe1 fails to alloc
where fe0 was allocated).
Signed-off-by: Darron Broad <darron@kewl.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

Allows multiple access to the mpeg device
Signed-off-by: Frederic CAND <frederic.cand@anevia.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

Starts encoder not only on a read call but also on a poll command.
Signed-off-by: Frederic CAND <frederic.cand@anevia.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

anysee_usb_mutex is initialized at every time the anysee device is probed.
If the second anysee device is probed while anysee_usb_mutex is locked by
the first anysee device, the mutex is broken.

This patch fixes by initialize anysee_usb_mutex statically rather
than initialize at probe time.
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>