author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-08-29 15:17:52 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-08-29 15:17:52 -0700 |
commit | 9c3f4e51f8ba993c1c27984bb1ef58624b1000c6 (patch) | |
tree | 067df12a0e50e19e8bdcbd065ac8f90cc76c7103 | |
parent | d680960f15610a151e4e9ecaeac2e00aa413a519 (diff) | |
3.0 patches
9 files changed, 518 insertions, 0 deletions
diff --git a/queue-3.0/ath9k-fix-ps-wrappers-in-ath9k_set_coverage_class.patch b/queue-3.0/ath9k-fix-ps-wrappers-in-ath9k_set_coverage_class.patch
new file mode 100644
index 0000000000..02b7d680ce
--- /dev/null
+++ b/queue-3.0/ath9k-fix-ps-wrappers-in-ath9k_set_coverage_class.patch
@@ -0,0 +1,36 @@
+From 8b2a3827bb12430d932cd479b22d906baf08c212 Mon Sep 17 00:00:00 2001
+From: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
+Date: Wed, 24 Aug 2011 21:38:07 +0530
+Subject: ath9k: Fix PS wrappers in ath9k_set_coverage_class
+
+From: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
+
+commit 8b2a3827bb12430d932cd479b22d906baf08c212 upstream.
+
+this callback is called during suspend/resume and also via iw command.
+it configures parameters like sifs, slottime, acktimeout in
+ath9k_hw_init_global_settings where few REG_READ, REG_RMW are also done
+and hence the need for PS wrappers
+
+Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ath/ath9k/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -2260,7 +2260,11 @@ static void ath9k_set_coverage_class(str
+
+ mutex_lock(&sc->mutex);
+ ah->coverage_class = coverage_class;
++
++ ath9k_ps_wakeup(sc);
+ ath9k_hw_init_global_settings(ah);
++ ath9k_ps_restore(sc);
++
+ mutex_unlock(&sc->mutex);
+ }
+
diff --git a/queue-3.0/ath9k_hw-fix-sta-ar9485-bringup-issue-due-to-incorrect-mac-address.patch b/queue-3.0/ath9k_hw-fix-sta-ar9485-bringup-issue-due-to-incorrect-mac-address.patch
new file mode 100644
index 0000000000..8fd45e7e10
--- /dev/null
+++ b/queue-3.0/ath9k_hw-fix-sta-ar9485-bringup-issue-due-to-incorrect-mac-address.patch
@@ -0,0 +1,39 @@
+From b503c7a273c0a3018ad11ea8c513c639120afbf4 Mon Sep 17 00:00:00 2001
+From: Senthil Balasubramanian <senthilb@qca.qualcomm.com>
+Date: Fri, 19 Aug 2011 18:43:06 +0530
+Subject: ath9k_hw: Fix STA (AR9485) bringup issue due to incorrect MAC address
+
+From: Senthil Balasubramanian <senthilb@qca.qualcomm.com>
+
+commit b503c7a273c0a3018ad11ea8c513c639120afbf4 upstream.
+
+Due to some recent optimization done in the way the mac address
+bytes are written into the OTP memory, some AR9485 chipsets were
+forced to use the first byte from the eeprom template and the
+remaining bytes are read from OTP.
+
+AR9485 happens to use generic eeprom template which has 0x1 as
+the first byte causes issues in bringing up the card.
+
+So fixed the eeprom template accordingly to address the issue.
+
+Cc: Paul Stewart <pstew@google.com>
+Signed-off-by: Senthil Balasubramanian <senthilb@qca.qualcomm.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+@@ -68,7 +68,7 @@ static int ar9003_hw_power_interpolate(i
+ static const struct ar9300_eeprom ar9300_default = {
+ .eepromVersion = 2,
+ .templateVersion = 2,
+- .macAddr = {1, 2, 3, 4, 5, 6},
++ .macAddr = {0, 2, 3, 4, 5, 6},
+ .custData = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ .baseEepHeader = {
diff --git a/queue-3.0/carl9170-fix-mismatch-in-carl9170_op_set_key-mutex.patch b/queue-3.0/carl9170-fix-mismatch-in-carl9170_op_set_key-mutex.patch
new file mode 100644
index 0000000000..b57cf4e81d
--- /dev/null
+++ b/queue-3.0/carl9170-fix-mismatch-in-carl9170_op_set_key-mutex.patch
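Review bot: The new template value `.macAddr = {0, 2, 3, 4, 5, 6}` in `ar9300_default` has no comment saying why the first byte must be 0, so the next person to tidy the placeholder address can reintroduce the problem. The low bit of the first octet marks a group (multicast) address, which is presumably why a leading 0x1 broke bring-up once AR9485 started taking that byte from the template. I would add `/* first byte may be used as-is on AR9485 (rest comes from OTP): keep the group bit clear */` above the field. The initializer continues outside the hunk.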
@@ -0,0 +1,42 @@
+From 66cb54bd24086b2d871a03035de9b0e79b2b725e Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Wed, 24 Aug 2011 00:44:32 +0400
+Subject: carl9170: Fix mismatch in carl9170_op_set_key mutex
+ lock-unlock
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+commit 66cb54bd24086b2d871a03035de9b0e79b2b725e upstream.
+
+If is_main_vif(ar, vif) reports that we have to fall back
+to software encryption, we goto err_softw; before locking ar->mutex.
+As a result, we have unprotected call to carl9170_set_operating_mode
+and unmatched mutex_unlock.
+
+The patch fix the issue by adding mutex_lock before goto.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Acked-By: Christian Lamparter <chunkeey@googlemail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ath/carl9170/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/carl9170/main.c
++++ b/drivers/net/wireless/ath/carl9170/main.c
+@@ -1066,8 +1066,10 @@ static int carl9170_op_set_key(struct ie
+ * the high througput speed in 802.11n networks.
+ */
+
+- if (!is_main_vif(ar, vif))
++ if (!is_main_vif(ar, vif)) {
++ mutex_lock(&ar->mutex);
+ goto err_softw;
++ }
+
+ /*
+ * While the hardware supports *catch-all* key, for offloading
diff --git a/queue-3.0/ibmveth-fix-leak-when-recycling-skb-and-hypervisor-returns.patch b/queue-3.0/ibmveth-fix-leak-when-recycling-skb-and-hypervisor-returns.patch
new file mode 100644
index 0000000000..84b5b6d727
--- /dev/null
+++ b/queue-3.0/ibmveth-fix-leak-when-recycling-skb-and-hypervisor-returns.patch
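Review bot: The added `mutex_lock(&ar->mutex)` in the `!is_main_vif(ar, vif)` branch is there only to balance the unlock reached through `err_softw`, and nothing at the call site says so. A one-line comment above it, such as `/* err_softw expects ar->mutex held: it changes the operating mode and unlocks */`, would keep a later cleanup from dropping the lock as redundant. The `err_softw` label and the rest of carl9170_op_set_key are outside the hunk, so what the label does is taken from the commit message rather than from visible code.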
@@ -0,0 +1,77 @@
+From c6f59d13e24187ff95427a9f4a5a7e14fb8faf5a Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Wed, 24 Aug 2011 17:56:15 -0700
+Subject: ibmveth: Fix leak when recycling skb and hypervisor returns
+ error
+
+From: Anton Blanchard <anton@samba.org>
+
+commit c6f59d13e24187ff95427a9f4a5a7e14fb8faf5a upstream.
+
+If h_add_logical_lan_buffer returns an error we need to free
+the skb.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/ibmveth.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ibmveth.c
++++ b/drivers/net/ibmveth.c
+@@ -394,7 +394,7 @@ static inline struct sk_buff *ibmveth_rx
+ }
+
+ /* recycle the current buffer on the rx queue */
+-static void ibmveth_rxq_recycle_buffer(struct ibmveth_adapter *adapter)
++static int ibmveth_rxq_recycle_buffer(struct ibmveth_adapter *adapter)
+ {
+ u32 q_index = adapter->rx_queue.index;
+ u64 correlator = adapter->rx_queue.queue_addr[q_index].correlator;
+@@ -402,6 +402,7 @@ static void ibmveth_rxq_recycle_buffer(s
+ unsigned int index = correlator & 0xffffffffUL;
+ union ibmveth_buf_desc desc;
+ unsigned long lpar_rc;
++ int ret = 1;
+
+ BUG_ON(pool >= IBMVETH_NUM_BUFF_POOLS);
+ BUG_ON(index >= adapter->rx_buff_pool[pool].size);
+@@ -409,7 +410,7 @@ static void ibmveth_rxq_recycle_buffer(s
+ if (!adapter->rx_buff_pool[pool].active) {
+ ibmveth_rxq_harvest_buffer(adapter);
+ ibmveth_free_buffer_pool(adapter, &adapter->rx_buff_pool[pool]);
+- return;
++ goto out;
+ }
+
+ desc.fields.flags_len = IBMVETH_BUF_VALID |
+@@ -422,12 +423,16 @@ static void ibmveth_rxq_recycle_buffer(s
+ netdev_dbg(adapter->netdev, "h_add_logical_lan_buffer failed "
+ "during recycle rc=%ld", lpar_rc);
+ ibmveth_remove_buffer_from_pool(adapter, adapter->rx_queue.queue_addr[adapter->rx_queue.index].correlator);
++ ret = 0;
+ }
+
+ if (++adapter->rx_queue.index == adapter->rx_queue.num_slots) {
+ adapter->rx_queue.index = 0;
+ adapter->rx_queue.toggle = !adapter->rx_queue.toggle;
+ }
++
++out:
++ return ret;
+ }
+
+ static void ibmveth_rxq_harvest_buffer(struct ibmveth_adapter *adapter)
+@@ -1083,8 +1088,9 @@ restart_poll:
+ if (rx_flush)
+ ibmveth_flush_buffer(skb->data,
+ length + offset);
++ if (!ibmveth_rxq_recycle_buffer(adapter))
++ kfree_skb(skb);
+ skb = new_skb;
+- ibmveth_rxq_recycle_buffer(adapter);
+ } else {
+ ibmveth_rxq_harvest_buffer(adapter);
+ skb_reserve(skb, offset);
diff --git a/queue-3.0/mac80211-fix-suspend-resume-races-with-unregister-hw.patch b/queue-3.0/mac80211-fix-suspend-resume-races-with-unregister-hw.patch
new file mode 100644
index 0000000000..8d15f57954
--- /dev/null
+++ b/queue-3.0/mac80211-fix-suspend-resume-races-with-unregister-hw.patch
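Review bot: `ibmveth_rxq_recycle_buffer()` now returns 1 or 0, but the comment above it still reads only `/* recycle the current buffer on the rx queue */`, and the early `goto out` for an inactive pool also returns 1. On that branch the buffer is harvested and the pool freed, so the poll loop skips `kfree_skb(skb)`; whether that skb is released elsewhere is not visible in these hunks and should be confirmed, otherwise the leak this patch fixes remains on the inactive-pool path. I would state the contract in the comment, e.g. `/* returns 0 if the hypervisor rejected the buffer and the caller must free the skb, 1 otherwise */`. A 0 / negative-errno return would also read more conventionally than 1 / 0 at the `if (!ibmveth_rxq_recycle_buffer(adapter))` call site.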
@@ -0,0 +1,137 @@
+From ecb4433550f0620f3d1471ae7099037ede30a91e Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Fri, 12 Aug 2011 14:00:59 +0200
+Subject: mac80211: fix suspend/resume races with unregister hw
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit ecb4433550f0620f3d1471ae7099037ede30a91e upstream.
+
+Do not call ->suspend, ->resume methods after we unregister wiphy. Also
+delete sta_clanup timer after we finish wiphy unregister to avoid this:
+
+WARNING: at lib/debugobjects.c:262 debug_print_object+0x85/0xa0()
+Hardware name: 6369CTO
+ODEBUG: free active (active state 0) object type: timer_list hint: sta_info_cleanup+0x0/0x180 [mac80211]
+Modules linked in: aes_i586 aes_generic fuse bridge stp llc autofs4 sunrpc cpufreq_ondemand acpi_cpufreq mperf ext2 dm_mod uinput thinkpad_acpi hwmon sg arc4 rt2800usb rt2800lib crc_ccitt rt2x00usb rt2x00lib mac80211 cfg80211 i2c_i801 iTCO_wdt iTCO_vendor_support e1000e ext4 mbcache jbd2 sd_mod crc_t10dif sr_mod cdrom yenta_socket ahci libahci pata_acpi ata_generic ata_piix i915 drm_kms_helper drm i2c_algo_bit video [last unloaded: microcode]
+Pid: 5663, comm: pm-hibernate Not tainted 3.1.0-rc1-wl+ #19
+Call Trace:
+ [<c0454cfd>] warn_slowpath_common+0x6d/0xa0
+ [<c05e05e5>] ? debug_print_object+0x85/0xa0
+ [<c05e05e5>] ? debug_print_object+0x85/0xa0
+ [<c0454dae>] warn_slowpath_fmt+0x2e/0x30
+ [<c05e05e5>] debug_print_object+0x85/0xa0
+ [<f8a808e0>] ? sta_info_alloc+0x1a0/0x1a0 [mac80211]
+ [<c05e0bd2>] debug_check_no_obj_freed+0xe2/0x180
+ [<c051175b>] kfree+0x8b/0x150
+ [<f8a126ae>] cfg80211_dev_free+0x7e/0x90 [cfg80211]
+ [<f8a13afd>] wiphy_dev_release+0xd/0x10 [cfg80211]
+ [<c068d959>] device_release+0x19/0x80
+ [<c05d06ba>] kobject_release+0x7a/0x1c0
+ [<c07646a8>] ? rtnl_unlock+0x8/0x10
+ [<f8a13adb>] ? wiphy_resume+0x6b/0x80 [cfg80211]
+ [<c05d0640>] ? kobject_del+0x30/0x30
+ [<c05d1a6d>] kref_put+0x2d/0x60
+ [<c05d056d>] kobject_put+0x1d/0x50
+ [<c08015f4>] ? mutex_lock+0x14/0x40
+ [<c068d60f>] put_device+0xf/0x20
+ [<c069716a>] dpm_resume+0xca/0x160
+ [<c04912bd>] hibernation_snapshot+0xcd/0x260
+ [<c04903df>] ? freeze_processes+0x3f/0x90
+ [<c049151b>] hibernate+0xcb/0x1e0
+ [<c048fdc0>] ? pm_async_store+0x40/0x40
+ [<c048fe60>] state_store+0xa0/0xb0
+ [<c048fdc0>] ? pm_async_store+0x40/0x40
+ [<c05d0200>] kobj_attr_store+0x20/0x30
+ [<c0575ea4>] sysfs_write_file+0x94/0xf0
+ [<c051e26a>] vfs_write+0x9a/0x160
+ [<c0575e10>] ? sysfs_open_file+0x200/0x200
+ [<c051e3fd>] sys_write+0x3d/0x70
+ [<c080959f>] sysenter_do_call+0x12/0x28
+
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/cfg80211.h | 3 +++
+ net/mac80211/main.c | 2 +-
+ net/wireless/core.c | 7 +++++++
+ net/wireless/sysfs.c | 6 ++++--
+ 4 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -1814,6 +1814,9 @@ struct wiphy {
+ * you need use set_wiphy_dev() (see below) */
+ struct device dev;
+
++ /* protects ->resume, ->suspend sysfs callbacks against unregister hw */
++ bool registered;
++
+ /* dir in debugfs: ieee80211/<wiphyname> */
+ struct dentry *debugfsdir;
+
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -1012,7 +1012,6 @@ void ieee80211_unregister_hw(struct ieee
+ cancel_work_sync(&local->reconfig_filter);
+
+ ieee80211_clear_tx_pending(local);
+- sta_info_stop(local);
+ rate_control_deinitialize(local);
+
+ if (skb_queue_len(&local->skb_queue) ||
+@@ -1024,6 +1023,7 @@ void ieee80211_unregister_hw(struct ieee
+
+ destroy_workqueue(local->workqueue);
+ wiphy_unregister(local->hw.wiphy);
++ sta_info_stop(local);
+ ieee80211_wep_free(local);
+ ieee80211_led_exit(local);
+ kfree(local->int_scan_req);
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -612,6 +612,9 @@ int wiphy_register(struct wiphy *wiphy)
+ if (res)
+ goto out_rm_dev;
+
++ rtnl_lock();
++ rdev->wiphy.registered = true;
++ rtnl_unlock();
+ return 0;
+
+ out_rm_dev:
+@@ -643,6 +646,10 @@ void wiphy_unregister(struct wiphy *wiph
+ {
+ struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
+
++ rtnl_lock();
++ rdev->wiphy.registered = false;
++ rtnl_unlock();
++
+ rfkill_unregister(rdev->rfkill);
+
+ /* protect the device list */
+--- a/net/wireless/sysfs.c
++++ b/net/wireless/sysfs.c
+@@ -93,7 +93,8 @@ static int wiphy_suspend(struct device *
+
+ if (rdev->ops->suspend) {
+ rtnl_lock();
+- ret = rdev->ops->suspend(&rdev->wiphy, rdev->wowlan);
++ if (rdev->wiphy.registered)
++ ret = rdev->ops->suspend(&rdev->wiphy, rdev->wowlan);
+ rtnl_unlock();
+ }
+
+@@ -112,7 +113,8 @@ static int wiphy_resume(struct device *d
+
+ if (rdev->ops->resume) {
+ rtnl_lock();
+- ret = rdev->ops->resume(&rdev->wiphy);
++ if (rdev->wiphy.registered)
++ ret = rdev->ops->resume(&rdev->wiphy);
+ rtnl_unlock();
+ }
+
diff --git a/queue-3.0/rt2x00-do-not-drop-usb-dev-reference-counter-on-suspend.patch b/queue-3.0/rt2x00-do-not-drop-usb-dev-reference-counter-on-suspend.patch
new file mode 100644
index 0000000000..548cb1c9e8
--- /dev/null
+++ b/queue-3.0/rt2x00-do-not-drop-usb-dev-reference-counter-on-suspend.patch
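Review bot: In `wiphy_suspend()` and `wiphy_resume()` the driver callback is now skipped when `rdev->wiphy.registered` is false, so each function returns whatever `ret` held before `rtnl_lock()`; its declaration is outside both sysfs.c hunks, so confirm it is initialised to 0 there. The flag is only race-free because every reader and writer visible in this patch holds the RTNL, yet the field comment in cfg80211.h says what it protects and not how it is protected. I would extend that comment to `/* protects ->resume, ->suspend sysfs callbacks against unregister hw; access under RTNL only */` so a later lockless read does not reopen the use-after-unregister window.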
@@ -0,0 +1,80 @@
+From 543cc38c8fe86deba4169977c61eb88491036837 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Fri, 12 Aug 2011 14:02:04 +0200
+Subject: rt2x00: do not drop usb dev reference counter on suspend
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit 543cc38c8fe86deba4169977c61eb88491036837 upstream.
+
+When hibernating ->resume may not be called by usb core, but disconnect
+and probe instead, so we do not increase the counter after decreasing
+it in ->supend. As a result we free memory early, and get crash when
+unplugging usb dongle.
+
+BUG: unable to handle kernel paging request at 6b6b6b9f
+IP: [<c06909b0>] driver_sysfs_remove+0x10/0x30
+*pdpt = 0000000034f21001 *pde = 0000000000000000
+Pid: 20, comm: khubd Not tainted 3.1.0-rc1-wl+ #20 LENOVO 6369CTO/6369CTO
+EIP: 0060:[<c06909b0>] EFLAGS: 00010202 CPU: 1
+EIP is at driver_sysfs_remove+0x10/0x30
+EAX: 6b6b6b6b EBX: f52bba34 ECX: 00000000 EDX: 6b6b6b6b
+ESI: 6b6b6b6b EDI: c0a0ea20 EBP: f61c9e68 ESP: f61c9e64
+ DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+Process khubd (pid: 20, ti=f61c8000 task=f6138270 task.ti=f61c8000)
+Call Trace:
+ [<c06909ef>] __device_release_driver+0x1f/0xa0
+ [<c0690b20>] device_release_driver+0x20/0x40
+ [<c068fd64>] bus_remove_device+0x84/0xe0
+ [<c068e12a>] ? device_remove_attrs+0x2a/0x80
+ [<c068e267>] device_del+0xe7/0x170
+ [<c06d93d4>] usb_disconnect+0xd4/0x180
+ [<c06d9d61>] hub_thread+0x691/0x1600
+ [<c0473260>] ? wake_up_bit+0x30/0x30
+ [<c0442a39>] ? complete+0x49/0x60
+ [<c06d96d0>] ? hub_disconnect+0xd0/0xd0
+ [<c06d96d0>] ? hub_disconnect+0xd0/0xd0
+ [<c0472eb4>] kthread+0x74/0x80
+ [<c0472e40>] ? kthread_worker_fn+0x150/0x150
+ [<c0809b3e>] kernel_thread_helper+0x6/0x10
+
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/rt2x00/rt2x00usb.c | 14 +-------------
+ 1 file changed, 1 insertion(+), 13 deletions(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2x00usb.c
++++ b/drivers/net/wireless/rt2x00/rt2x00usb.c
+@@ -870,18 +870,8 @@ int rt2x00usb_suspend(struct usb_interfa
+ {
+ struct ieee80211_hw *hw = usb_get_intfdata(usb_intf);
+ struct rt2x00_dev *rt2x00dev = hw->priv;
+- int retval;
+
+- retval = rt2x00lib_suspend(rt2x00dev, state);
+- if (retval)
+- return retval;
+-
+- /*
+- * Decrease usbdev refcount.
+- */
+- usb_put_dev(interface_to_usbdev(usb_intf));
+-
+- return 0;
++ return rt2x00lib_suspend(rt2x00dev, state);
+ }
+ EXPORT_SYMBOL_GPL(rt2x00usb_suspend);
+
+@@ -890,8 +880,6 @@ int rt2x00usb_resume(struct usb_interfac
+ struct ieee80211_hw *hw = usb_get_intfdata(usb_intf);
+ struct rt2x00_dev *rt2x00dev = hw->priv;
+
+- usb_get_dev(interface_to_usbdev(usb_intf));
+-
+ return rt2x00lib_resume(rt2x00dev);
+ }
+ EXPORT_SYMBOL_GPL(rt2x00usb_resume);
diff --git a/queue-3.0/savagedb-fix-typo-causing-regression-in-savage4-series.patch b/queue-3.0/savagedb-fix-typo-causing-regression-in-savage4-series.patch
new file mode 100644
index 0000000000..c04ffa686f
--- /dev/null
+++ b/queue-3.0/savagedb-fix-typo-causing-regression-in-savage4-series.patch
@@ -0,0 +1,39 @@
+From 4b00e4b3940eabb38adeec0823751820fe2d6fda Mon Sep 17 00:00:00 2001
+From: John Stanley <jpsinthemix@verizon.net>
+Date: Wed, 3 Aug 2011 20:41:00 -0400
+Subject: savagedb: Fix typo causing regression in savage4 series
+ video chip detection
+
+From: John Stanley <jpsinthemix@verizon.net>
+
+commit 4b00e4b3940eabb38adeec0823751820fe2d6fda upstream.
+
+Two additional savage4 variants were added, but the S3_SAVAGE4_SERIES
+macro was incompletely modified, resulting in a false positive detection
+of a savage4 card regardless of which savage card is actually present.
+
+For non-savage4 series cards, such as a Savage/IX-MV card, this results
+in garbled video and/or a hard-hang at boot time. Fix this by changing
+an '||' to an '&&' in the S3_SAVAGE4_SERIES macro.
+
+Signed-off-by: John P. Stanley <jpsinthemix@verizon.net>
+Reviewed-by: Tormod Volden <debian.tormod@gmail.com>
+[ The macros have incomplete parenthesis too, but whatever .. -Linus ]
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/savage/savagefb.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/savage/savagefb.h
++++ b/drivers/video/savage/savagefb.h
+@@ -55,7 +55,7 @@
+
+ #define S3_SAVAGE3D_SERIES(chip) ((chip>=S3_SAVAGE3D) && (chip<=S3_SAVAGE_MX))
+
+-#define S3_SAVAGE4_SERIES(chip) ((chip>=S3_SAVAGE4) || (chip<=S3_PROSAVAGEDDR))
++#define S3_SAVAGE4_SERIES(chip) ((chip>=S3_SAVAGE4) && (chip<=S3_PROSAVAGEDDR))
+
+ #define S3_SAVAGE_MOBILE_SERIES(chip) ((chip==S3_SAVAGE_MX) || (chip==S3_SUPERSAVAGE))
+
diff --git a/queue-3.0/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch b/queue-3.0/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
new file mode 100644
index 0000000000..0f85bd9108
--- /dev/null
+++ b/queue-3.0/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
@@ -0,0 +1,60 @@
+From bc909d9ddbf7778371e36a651d6e4194b1cc7d4c Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Wed, 24 Aug 2011 19:45:03 -0700
+Subject: sendmmsg/sendmsg: fix unsafe user pointer access
+
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+
+commit bc909d9ddbf7778371e36a651d6e4194b1cc7d4c upstream.
+
+Dereferencing a user pointer directly from kernel-space without going
+through the copy_from_user family of functions is a bad idea. Two of
+such usages can be found in the sendmsg code path called from sendmmsg,
+added by
+
+commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a upstream.
+commit 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 in the 3.0-stable tree.
+
+Usages are performed through memcmp() and memcpy() directly. Fix those
+by using the already copied msg_sys structure instead of the __user *msg
+structure. Note that msg_sys can be set to NULL by verify_compat_iovec()
+or verify_iovec(), which requires additional NULL pointer checks.
+
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: David Goulet <dgoulet@ev0ke.net>
+CC: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+CC: Anton Blanchard <anton@samba.org>
+CC: David S. Miller <davem@davemloft.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/socket.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1965,8 +1965,9 @@ static int __sys_sendmsg(struct socket *
+ * used_address->name_len is initialized to UINT_MAX so that the first
+ * destination address never matches.
+ */
+- if (used_address && used_address->name_len == msg_sys->msg_namelen &&
+- !memcmp(&used_address->name, msg->msg_name,
++ if (used_address && msg_sys->msg_name &&
++ used_address->name_len == msg_sys->msg_namelen &&
++ !memcmp(&used_address->name, msg_sys->msg_name,
+ used_address->name_len)) {
+ err = sock_sendmsg_nosec(sock, msg_sys, total_len);
+ goto out_freectl;
+@@ -1978,8 +1979,9 @@ static int __sys_sendmsg(struct socket *
+ */
+ if (used_address && err >= 0) {
+ used_address->name_len = msg_sys->msg_namelen;
+- memcpy(&used_address->name, msg->msg_name,
+- used_address->name_len);
++ if (msg_sys->msg_name)
++ memcpy(&used_address->name, msg_sys->msg_name,
++ used_address->name_len);
+ }
+
+ out_freectl:
diff --git a/queue-3.0/series b/queue-3.0/series
index 320a3bfe87..c4d87ebad0 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -25,3 +25,11 @@ xhci-fix-memory-leak-during-failed-enqueue.patch
 xhci-fix-failed-enqueue-in-the-middle-of-isoch-td.patch
 xhci-remove-tds-from-td-lists-when-urbs-are-canceled.patch
 xhci-handle-zero-length-isochronous-packets.patch
+sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
+ath9k-fix-ps-wrappers-in-ath9k_set_coverage_class.patch
+ibmveth-fix-leak-when-recycling-skb-and-hypervisor-returns.patch
+carl9170-fix-mismatch-in-carl9170_op_set_key-mutex.patch
+ath9k_hw-fix-sta-ar9485-bringup-issue-due-to-incorrect-mac-address.patch
+rt2x00-do-not-drop-usb-dev-reference-counter-on-suspend.patch
+mac80211-fix-suspend-resume-races-with-unregister-hw.patch
+savagedb-fix-typo-causing-regression-in-savage4-series.patch |
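Review bot: Both rewritten accesses in `__sys_sendmsg()` read `used_address->name_len` bytes from `msg_sys->msg_name`, and that length is taken from `msg_sys->msg_namelen`; nothing in these two hunks shows it bounded by `sizeof(used_address->name)`. The bound is presumably enforced where the address is copied into the kernel (the commit message names verify_iovec() and verify_compat_iovec()), but that code is outside the hunks, so it is worth confirming and recording next to the `memcpy()`. A comment such as `/* msg_sys->msg_name is the kernel copy of the address, NULL when none was supplied; its length was validated on copy-in */` would also keep a later edit from going back to the `__user` pointer `msg->msg_name`. The function body continues outside both hunks.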