authorPaul Gortmaker <paul.gortmaker@windriver.com>2011-06-28 17:35:13 -0400
committerPaul Gortmaker <paul.gortmaker@windriver.com>2011-06-28 18:13:46 -0400
commit737f69e50862a1a29d36137986ec772fa0c85889 (patch)
tree01ae621c2b661ad429617a08f9d504150b3f51e7
parenta0a7d08ac77cd95d846a49f64d1043fc46410670 (diff)
downloadlongterm-queue-2.6.34-737f69e50862a1a29d36137986ec772fa0c85889.tar.gz
queue: import of 50 commits parallel to those on 32.37
Largely a raw import. Ran reviewbot to look for glaring errors. Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r--queue/ALSA-Fix-yet-another-race-in-disconnection.patch42
-rw-r--r--queue/ALSA-ens1371-fix-Creative-Ectiva-support.patch92
-rw-r--r--queue/ALSA-hda-Fix-SPDIF-out-regression-on-ALC889.patch35
-rw-r--r--queue/ASoC-Explicitly-say-registerless-widgets-have-no-reg.patch67
-rw-r--r--queue/Bluetooth-add-support-for-Apple-MacBook-Pro-8-2.patch30
-rw-r--r--queue/Btrfs-Fix-uninitialized-root-flags-for-subvolumes.patch117
-rw-r--r--queue/PCI-hotplug-acpiphp-set-current_state-to-D0-in-regis.patch2
-rw-r--r--queue/ROSE-prevent-heap-corruption-with-bad-facilities.patch77
-rw-r--r--queue/Squashfs-handle-corruption-of-directory-structure.patch91
-rw-r--r--queue/Treat-writes-as-new-when-holes-span-across-page-boun.patch37
-rw-r--r--queue/UBIFS-do-not-read-flash-unnecessarily.patch38
-rw-r--r--queue/UBIFS-fix-debugging-failure-in-dbg_check_space_info.patch94
-rw-r--r--queue/UBIFS-fix-oops-on-error-path-in-read_pnode.patch35
-rw-r--r--queue/aio-wake-all-waiters-when-destroying-ctx.patch2
-rw-r--r--queue/ath9k-fix-a-chip-wakeup-related-crash-in-ath9k_start.patch39
-rw-r--r--queue/atm-solos-pci-Don-t-include-frame-pseudo-header-on-t.patch53
-rw-r--r--queue/b43-allocate-receive-buffers-big-enough-for-max-fram.patch45
-rw-r--r--queue/can-Add-missing-socket-check-in-can-bcm-release.patch2
-rw-r--r--queue/can-add-missing-socket-check-in-can-raw-release.patch2
-rw-r--r--queue/cciss-fix-lost-command-issue.patch34
-rw-r--r--queue/char-tpm-Fix-unitialized-usage-of-data-buffer.patch35
-rw-r--r--queue/drivers-misc-ep93xx_pwm.c-world-writable-sysfs-files.patch38
-rw-r--r--queue/drivers-rtc-rtc-ds1511.c-world-writable-sysfs-nvram-.patch32
-rw-r--r--queue/eCryptfs-Unlock-page-in-write_begin-error-path.patch33
-rw-r--r--queue/eCryptfs-ecryptfs_keyring_auth_tok_for_sig-bug-fix.patch30
-rw-r--r--queue/exec-copy-and-paste-the-fixes-into-compat_do_execve-.patch143
-rw-r--r--queue/ext4-fix-credits-computing-for-indirect-mapped-files.patch45
-rw-r--r--queue/gro-Reset-dev-pointer-on-reuse.patch38
-rw-r--r--queue/gro-reset-skb_iif-on-reuse.patch35
-rw-r--r--queue/irda-prevent-heap-corruption-on-invalid-nickname.patch35
-rw-r--r--queue/irda-validate-peer-name-and-attribute-lengths.patch39
-rw-r--r--queue/mac80211-initialize-sta-last_rx-in-sta_info_alloc.patch31
-rw-r--r--queue/mfd-ab3100-world-writable-debugfs-_priv-files.patch39
-rw-r--r--queue/mm-avoid-wrapping-vm_pgoff-in-mremap.patch47
-rw-r--r--queue/myri10ge-fix-rmmod-crash.patch30
-rw-r--r--queue/netfilter-ipt_CLUSTERIP-fix-buffer-overflow.patch40
-rw-r--r--queue/next_pidmap-fix-overflow-condition.patch2
-rw-r--r--queue/nfsd-fix-auth_domain-reference-leak-on-nlm-operation.patch35
-rw-r--r--queue/nilfs2-fix-data-loss-in-mmap-page-write-for-hole-blo.patch79
-rw-r--r--queue/p54usb-IDs-for-two-new-devices.patch35
-rw-r--r--queue/perf-Better-fit-max-unprivileged-mlock-pages-for-too.patch55
-rw-r--r--queue/proc-do-proper-range-check-on-readdir-offset.patch2
-rw-r--r--queue/quota-Don-t-write-quota-info-in-dquot_commit.patch57
-rw-r--r--queue/repair-gdbstub-to-match-the-gdbserial-protocol-speci.patch55
-rw-r--r--queue/series54
-rw-r--r--queue/ses-Avoid-kernel-panic-when-lun-0-is-not-mapped.patch44
-rw-r--r--queue/ses-show-devices-for-enclosures-with-no-page-7.patch36
-rw-r--r--queue/shmem-let-shared-anonymous-be-nonlinear-again.patch2
-rw-r--r--queue/sound-oss-midi_synth-check-get_user-return-value.patch31
-rw-r--r--queue/sound-oss-opl3-validate-voice-and-channel-indexes.patch51
-rw-r--r--queue/sound-oss-remove-offset-from-load_patch-callbacks.patch155
-rw-r--r--queue/staging-hv-Fix-GARP-not-sent-after-Quick-Migration.patch90
-rw-r--r--queue/staging-hv-use-sync_bitops-when-interacting-with-the.patch107
-rw-r--r--queue/staging-usbip-bugfix-add-number-of-packets-for-isoch.patch69
-rw-r--r--queue/staging-usbip-bugfix-for-isochronous-packets-and-opt.patch273
-rw-r--r--queue/staging-usbip-bugfixes-related-to-kthread-conversion.patch74
-rw-r--r--queue/x86-microcode-AMD-Extend-ucode-size-verification.patch134
-rw-r--r--queue/x86-mtrr-pat-Fix-one-cpu-getting-out-of-sync-during-.patch89
-rw-r--r--queue/xen-set-max_pfn_mapped-to-the-last-pfn-mapped.patch2
59 files changed, 3147 insertions, 8 deletions
diff --git a/queue/ALSA-Fix-yet-another-race-in-disconnection.patch b/queue/ALSA-Fix-yet-another-race-in-disconnection.patch
new file mode 100644
index 0000000..cb892d1
--- /dev/null
+++ b/queue/ALSA-Fix-yet-another-race-in-disconnection.patch
@@ -0,0 +1,42 @@
+From 367c0a0eb37fcd4e5f83efae3370ec87de5cfe0f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 24 Mar 2011 09:50:15 +0100
+Subject: [PATCH] ALSA: Fix yet another race in disconnection
+
+commit a45e3d6b13e97506b616980c0f122c3389bcefa4 upstream.
+
+This patch fixes a race between snd_card_file_remove() and
+snd_card_disconnect(). When the card is added to shutdown_files list
+in snd_card_disconnect(), but it's freed in snd_card_file_remove() at
+the same time, the shutdown_files list gets corrupted. The list member
+must be freed in snd_card_file_remove() as well.
+
+Reported-and-tested-by: Russ Dill <russ.dill@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/sound/core/init.c b/sound/core/init.c
+index ec4a50c..82f350e 100644
+--- a/sound/core/init.c
++++ b/sound/core/init.c
+@@ -848,6 +848,7 @@ int snd_card_file_add(struct snd_card *card, struct file *file)
+ return -ENOMEM;
+ mfile->file = file;
+ mfile->disconnected_f_op = NULL;
++ INIT_LIST_HEAD(&mfile->shutdown_list);
+ spin_lock(&card->files_lock);
+ if (card->shutdown) {
+ spin_unlock(&card->files_lock);
+@@ -883,6 +884,9 @@ int snd_card_file_remove(struct snd_card *card, struct file *file)
+ list_for_each_entry(mfile, &card->files_list, list) {
+ if (mfile->file == file) {
+ list_del(&mfile->list);
++ spin_lock(&shutdown_lock);
++ list_del(&mfile->shutdown_list);
++ spin_unlock(&shutdown_lock);
+ if (mfile->disconnected_f_op)
+ fops_put(mfile->disconnected_f_op);
+ found = mfile;
+--
+1.7.4.4
+
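Review bot: The unconditional `list_del(&mfile->shutdown_list)` in snd_card_file_remove() is only safe because snd_card_file_add() now self-links the node with INIT_LIST_HEAD, and nothing in the code says so. A short comment at the list_del would stop a later cleanup from dropping the initializer, e.g. `/* self-linked by snd_card_file_add() if never queued for shutdown */`. shutdown_lock is also taken inside the files_list walk, presumably with card->files_lock already held (that lock call is outside the hunk), so the same comment should state the nesting order and confirm it matches the order used in snd_card_disconnect().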
diff --git a/queue/ALSA-ens1371-fix-Creative-Ectiva-support.patch b/queue/ALSA-ens1371-fix-Creative-Ectiva-support.patch
new file mode 100644
index 0000000..6e36254
--- /dev/null
+++ b/queue/ALSA-ens1371-fix-Creative-Ectiva-support.patch
@@ -0,0 +1,92 @@
+From d8933e3065208937902a4952ae83c069d736f234 Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch <clemens@ladisch.de>
+Date: Wed, 30 Mar 2011 08:24:25 +0200
+Subject: [PATCH] ALSA: ens1371: fix Creative Ectiva support
+
+commit 6ebb8a4a43e34f999ab36f27f972f3cd751cda4f upstream.
+
+To make the EV1938 chip work, add a magic bit and an extra delay.
+
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Tested-by: Tino Schmidt <mailtinoshomepage@gmx.net>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/sound/pci/ens1370.c b/sound/pci/ens1370.c
+index c7fba53..d6a40e2 100644
+--- a/sound/pci/ens1370.c
++++ b/sound/pci/ens1370.c
+@@ -229,6 +229,7 @@ MODULE_PARM_DESC(lineio, "Line In to Rear Out (0 = auto, 1 = force).");
+ #define ES_REG_1371_CODEC 0x14 /* W/R: Codec Read/Write register address */
+ #define ES_1371_CODEC_RDY (1<<31) /* codec ready */
+ #define ES_1371_CODEC_WIP (1<<30) /* codec register access in progress */
++#define EV_1938_CODEC_MAGIC (1<<26)
+ #define ES_1371_CODEC_PIRD (1<<23) /* codec read/write select register */
+ #define ES_1371_CODEC_WRITE(a,d) ((((a)&0x7f)<<16)|(((d)&0xffff)<<0))
+ #define ES_1371_CODEC_READS(a) ((((a)&0x7f)<<16)|ES_1371_CODEC_PIRD)
+@@ -603,12 +604,18 @@ static void snd_es1370_codec_write(struct snd_ak4531 *ak4531,
+
+ #ifdef CHIP1371
+
++static inline bool is_ev1938(struct ensoniq *ensoniq)
++{
++ return ensoniq->pci->device == 0x8938;
++}
++
+ static void snd_es1371_codec_write(struct snd_ac97 *ac97,
+ unsigned short reg, unsigned short val)
+ {
+ struct ensoniq *ensoniq = ac97->private_data;
+- unsigned int t, x;
++ unsigned int t, x, flag;
+
++ flag = is_ev1938(ensoniq) ? EV_1938_CODEC_MAGIC : 0;
+ mutex_lock(&ensoniq->src_mutex);
+ for (t = 0; t < POLL_COUNT; t++) {
+ if (!(inl(ES_REG(ensoniq, 1371_CODEC)) & ES_1371_CODEC_WIP)) {
+@@ -630,7 +637,8 @@ static void snd_es1371_codec_write(struct snd_ac97 *ac97,
+ 0x00010000)
+ break;
+ }
+- outl(ES_1371_CODEC_WRITE(reg, val), ES_REG(ensoniq, 1371_CODEC));
++ outl(ES_1371_CODEC_WRITE(reg, val) | flag,
++ ES_REG(ensoniq, 1371_CODEC));
+ /* restore SRC reg */
+ snd_es1371_wait_src_ready(ensoniq);
+ outl(x, ES_REG(ensoniq, 1371_SMPRATE));
+@@ -647,8 +655,9 @@ static unsigned short snd_es1371_codec_read(struct snd_ac97 *ac97,
+ unsigned short reg)
+ {
+ struct ensoniq *ensoniq = ac97->private_data;
+- unsigned int t, x, fail = 0;
++ unsigned int t, x, flag, fail = 0;
+
++ flag = is_ev1938(ensoniq) ? EV_1938_CODEC_MAGIC : 0;
+ __again:
+ mutex_lock(&ensoniq->src_mutex);
+ for (t = 0; t < POLL_COUNT; t++) {
+@@ -671,7 +680,8 @@ static unsigned short snd_es1371_codec_read(struct snd_ac97 *ac97,
+ 0x00010000)
+ break;
+ }
+- outl(ES_1371_CODEC_READS(reg), ES_REG(ensoniq, 1371_CODEC));
++ outl(ES_1371_CODEC_READS(reg) | flag,
++ ES_REG(ensoniq, 1371_CODEC));
+ /* restore SRC reg */
+ snd_es1371_wait_src_ready(ensoniq);
+ outl(x, ES_REG(ensoniq, 1371_SMPRATE));
+@@ -683,6 +693,11 @@ static unsigned short snd_es1371_codec_read(struct snd_ac97 *ac97,
+ /* now wait for the stinkin' data (RDY) */
+ for (t = 0; t < POLL_COUNT; t++) {
+ if ((x = inl(ES_REG(ensoniq, 1371_CODEC))) & ES_1371_CODEC_RDY) {
++ if (is_ev1938(ensoniq)) {
++ for (t = 0; t < 100; t++)
++ inl(ES_REG(ensoniq, CONTROL));
++ x = inl(ES_REG(ensoniq, 1371_CODEC));
++ }
+ mutex_unlock(&ensoniq->src_mutex);
+ return ES_1371_CODEC_READ(x);
+ }
+--
+1.7.4.4
+
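Review bot: The added delay loop in snd_es1371_codec_read() reuses `t`, the counter of the enclosing RDY poll loop, and this is harmless only because the function returns immediately afterwards. A separate counter, or a one-line comment at the loop, would keep a later move of the return from silently shortening or restarting the poll. The `100` dummy reads, the `0x8938` device id in is_ev1938() and `EV_1938_CODEC_MAGIC` are also undocumented, unlike the neighbouring ES_1371_CODEC_* defines, which each carry a comment; something like `/* EV1938 only: must be set on every codec access */` on the define would match the file's style.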
diff --git a/queue/ALSA-hda-Fix-SPDIF-out-regression-on-ALC889.patch b/queue/ALSA-hda-Fix-SPDIF-out-regression-on-ALC889.patch
new file mode 100644
index 0000000..a267f82
--- /dev/null
+++ b/queue/ALSA-hda-Fix-SPDIF-out-regression-on-ALC889.patch
@@ -0,0 +1,35 @@
+From be7857532b6c5caf383d84fda5a01d6e009525c1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 23 Mar 2011 22:54:32 +0100
+Subject: [PATCH] ALSA: hda - Fix SPDIF out regression on ALC889
+
+commit 20b67dddcc5f29d3d0c900225d85e0ac655bc69d upstream.
+
+The commit 5a8cfb4e8ae317d283f84122ed20faa069c5e0c4
+ ALSA: hda - Use ALC_INIT_DEFAULT for really default initialization
+changed to use the default initialization method for ALC889, but
+this caused a regression on SPDIF output on some machines.
+This seems due to the COEF setup included in the default init procedure.
+For making SPDIF working again, the COEF-setup has to be avoided for
+the id 0889.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=24342
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 8070ba2..d388680 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -1148,7 +1148,7 @@ static void alc_auto_init_amp(struct hda_codec *codec, int type)
+ case 0x10ec0883:
+ case 0x10ec0885:
+ case 0x10ec0887:
+- case 0x10ec0889:
++ /*case 0x10ec0889:*/ /* this causes an SPDIF problem */
+ alc889_coef_init(codec);
+ break;
+ case 0x10ec0888:
+--
+1.7.4.4
+
diff --git a/queue/ASoC-Explicitly-say-registerless-widgets-have-no-reg.patch b/queue/ASoC-Explicitly-say-registerless-widgets-have-no-reg.patch
new file mode 100644
index 0000000..f85182c
--- /dev/null
+++ b/queue/ASoC-Explicitly-say-registerless-widgets-have-no-reg.patch
@@ -0,0 +1,67 @@
+From 4c417efe551933361149038e67f4b441c1a01406 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Date: Wed, 23 Mar 2011 20:45:40 +0000
+Subject: [PATCH] ASoC: Explicitly say registerless widgets have no register
+
+commit 0ca03cd7d0fa3bfbd56958136a10f19733c4ce12 upstream.
+
+This stops code that handles widgets generically from attempting to access
+registers for these widgets.
+
+Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Acked-by: Liam Girdwood <lrg@ti.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/include/sound/soc-dapm.h b/include/sound/soc-dapm.h
+index c0922a0..b93c659 100644
+--- a/include/sound/soc-dapm.h
++++ b/include/sound/soc-dapm.h
+@@ -46,25 +46,25 @@
+ /* platform domain */
+ #define SND_SOC_DAPM_INPUT(wname) \
+ { .id = snd_soc_dapm_input, .name = wname, .kcontrols = NULL, \
+- .num_kcontrols = 0}
++ .num_kcontrols = 0, .reg = SND_SOC_NOPM }
+ #define SND_SOC_DAPM_OUTPUT(wname) \
+ { .id = snd_soc_dapm_output, .name = wname, .kcontrols = NULL, \
+- .num_kcontrols = 0}
++ .num_kcontrols = 0, .reg = SND_SOC_NOPM }
+ #define SND_SOC_DAPM_MIC(wname, wevent) \
+ { .id = snd_soc_dapm_mic, .name = wname, .kcontrols = NULL, \
+- .num_kcontrols = 0, .event = wevent, \
++ .num_kcontrols = 0, .reg = SND_SOC_NOPM, .event = wevent, \
+ .event_flags = SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD}
+ #define SND_SOC_DAPM_HP(wname, wevent) \
+ { .id = snd_soc_dapm_hp, .name = wname, .kcontrols = NULL, \
+- .num_kcontrols = 0, .event = wevent, \
++ .num_kcontrols = 0, .reg = SND_SOC_NOPM, .event = wevent, \
+ .event_flags = SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD}
+ #define SND_SOC_DAPM_SPK(wname, wevent) \
+ { .id = snd_soc_dapm_spk, .name = wname, .kcontrols = NULL, \
+- .num_kcontrols = 0, .event = wevent, \
++ .num_kcontrols = 0, .reg = SND_SOC_NOPM, .event = wevent, \
+ .event_flags = SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD}
+ #define SND_SOC_DAPM_LINE(wname, wevent) \
+ { .id = snd_soc_dapm_line, .name = wname, .kcontrols = NULL, \
+- .num_kcontrols = 0, .event = wevent, \
++ .num_kcontrols = 0, .reg = SND_SOC_NOPM, .event = wevent, \
+ .event_flags = SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD}
+
+ /* path domain */
+@@ -161,11 +161,11 @@
+ /* events that are pre and post DAPM */
+ #define SND_SOC_DAPM_PRE(wname, wevent) \
+ { .id = snd_soc_dapm_pre, .name = wname, .kcontrols = NULL, \
+- .num_kcontrols = 0, .event = wevent, \
++ .num_kcontrols = 0, .reg = SND_SOC_NOPM, .event = wevent, \
+ .event_flags = SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_PRE_PMD}
+ #define SND_SOC_DAPM_POST(wname, wevent) \
+ { .id = snd_soc_dapm_post, .name = wname, .kcontrols = NULL, \
+- .num_kcontrols = 0, .event = wevent, \
++ .num_kcontrols = 0, .reg = SND_SOC_NOPM, .event = wevent, \
+ .event_flags = SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD}
+
+ /* stream domain */
+--
+1.7.4.4
+
diff --git a/queue/Bluetooth-add-support-for-Apple-MacBook-Pro-8-2.patch b/queue/Bluetooth-add-support-for-Apple-MacBook-Pro-8-2.patch
new file mode 100644
index 0000000..bb6a8cd
--- /dev/null
+++ b/queue/Bluetooth-add-support-for-Apple-MacBook-Pro-8-2.patch
@@ -0,0 +1,30 @@
+From bb51d2282e944e32e7339f5837d5c01708bc0b6b Mon Sep 17 00:00:00 2001
+From: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
+Date: Thu, 24 Mar 2011 14:51:21 -0300
+Subject: [PATCH] Bluetooth: add support for Apple MacBook Pro 8,2
+
+commit 63a8588debd4dc72becb9e27add9343c76301c7d upstream.
+
+Just adding the vendor details makes it work fine.
+
+Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
+Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 6fcb971..c9e2dc8 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -62,6 +62,9 @@ static struct usb_device_id btusb_table[] = {
+ /* Apple iMac11,1 */
+ { USB_DEVICE(0x05ac, 0x8215) },
+
++ /* Apple MacBookPro8,2 */
++ { USB_DEVICE(0x05ac, 0x821a) },
++
+ /* AVM BlueFRITZ! USB v2.0 */
+ { USB_DEVICE(0x057c, 0x3800) },
+
+--
+1.7.4.4
+
diff --git a/queue/Btrfs-Fix-uninitialized-root-flags-for-subvolumes.patch b/queue/Btrfs-Fix-uninitialized-root-flags-for-subvolumes.patch
new file mode 100644
index 0000000..cf61362
--- /dev/null
+++ b/queue/Btrfs-Fix-uninitialized-root-flags-for-subvolumes.patch
@@ -0,0 +1,117 @@
+From 29e00892ab4700376df05bc75e6dd3dd2b778902 Mon Sep 17 00:00:00 2001
+From: Li Zefan <lizf@cn.fujitsu.com>
+Date: Mon, 28 Mar 2011 02:01:25 +0000
+Subject: [PATCH] Btrfs: Fix uninitialized root flags for subvolumes
+
+commit 08fe4db170b4193603d9d31f40ebaf652d07ac9c upstream.
+
+root_item->flags and root_item->byte_limit are not initialized when
+a subvolume is created. This bug is not revealed until we added
+readonly snapshot support - now you mount a btrfs filesystem and you
+may find the subvolumes in it are readonly.
+
+To work around this problem, we steal a bit from root_item->inode_item->flags,
+and use it to indicate if those fields have been properly initialized.
+When we read a tree root from disk, we check if the bit is set, and if
+not we'll set the flag and initialize the two fields of the root item.
+
+Reported-by: Andreas Philipp <philipp.andreas@gmail.com>
+Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
+Tested-by: Andreas Philipp <philipp.andreas@gmail.com>
+Signed-off-by: Chris Mason <chris.mason@oracle.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index 746a724..a79a910 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -1184,6 +1184,8 @@ struct btrfs_root {
+ #define BTRFS_INODE_NOATIME (1 << 9)
+ #define BTRFS_INODE_DIRSYNC (1 << 10)
+
++#define BTRFS_INODE_ROOT_ITEM_INIT (1 << 31)
++
+ /* some macros to generate set/get funcs for the struct fields. This
+ * assumes there is a lefoo_to_cpu for every type, so lets make a simple
+ * one for u8:
+@@ -2185,6 +2187,8 @@ int btrfs_find_dead_roots(struct btrfs_root *root, u64 objectid);
+ int btrfs_find_orphan_roots(struct btrfs_root *tree_root);
+ int btrfs_set_root_node(struct btrfs_root_item *item,
+ struct extent_buffer *node);
++void btrfs_check_and_init_root_item(struct btrfs_root_item *item);
++
+ /* dir-item.c */
+ int btrfs_insert_dir_item(struct btrfs_trans_handle *trans,
+ struct btrfs_root *root, const char *name,
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index feca041..fa46c2d 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -1146,8 +1146,10 @@ struct btrfs_root *btrfs_read_fs_root_no_radix(struct btrfs_root *tree_root,
+ root->commit_root = btrfs_root_node(root);
+ BUG_ON(!root->node);
+ out:
+- if (location->objectid != BTRFS_TREE_LOG_OBJECTID)
++ if (location->objectid != BTRFS_TREE_LOG_OBJECTID) {
+ root->ref_cows = 1;
++ btrfs_check_and_init_root_item(&root->root_item);
++ }
+
+ return root;
+ }
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index e9d0535..e624555 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -286,6 +286,10 @@ static noinline int create_subvol(struct btrfs_root *root,
+ inode_item->nbytes = cpu_to_le64(root->leafsize);
+ inode_item->mode = cpu_to_le32(S_IFDIR | 0755);
+
++ root_item.flags = 0;
++ root_item.byte_limit = 0;
++ inode_item->flags = cpu_to_le64(BTRFS_INODE_ROOT_ITEM_INIT);
++
+ btrfs_set_root_bytenr(&root_item, leaf->start);
+ btrfs_set_root_generation(&root_item, trans->transid);
+ btrfs_set_root_level(&root_item, 0);
+diff --git a/fs/btrfs/root-tree.c b/fs/btrfs/root-tree.c
+index 67fa2d2..3174255 100644
+--- a/fs/btrfs/root-tree.c
++++ b/fs/btrfs/root-tree.c
+@@ -459,3 +459,21 @@ again:
+ btrfs_free_path(path);
+ return 0;
+ }
++
++/*
++ * Old btrfs forgets to init root_item->flags and root_item->byte_limit
++ * for subvolumes. To work around this problem, we steal a bit from
++ * root_item->inode_item->flags, and use it to indicate if those fields
++ * have been properly initialized.
++ */
++void btrfs_check_and_init_root_item(struct btrfs_root_item *root_item)
++{
++ u64 inode_flags = le64_to_cpu(root_item->inode.flags);
++
++ if (!(inode_flags & BTRFS_INODE_ROOT_ITEM_INIT)) {
++ inode_flags |= BTRFS_INODE_ROOT_ITEM_INIT;
++ root_item->inode.flags = cpu_to_le64(inode_flags);
++ root_item->flags = 0;
++ root_item->byte_limit = 0;
++ }
++}
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
+index 2cb1160..5110e70 100644
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -805,6 +805,7 @@ static noinline int create_pending_snapshot(struct btrfs_trans_handle *trans,
+ record_root_in_trans(trans, root);
+ btrfs_set_root_last_snapshot(&root->root_item, trans->transid);
+ memcpy(new_root_item, &root->root_item, sizeof(*new_root_item));
++ btrfs_check_and_init_root_item(new_root_item);
+
+ old = btrfs_lock_root_node(root);
+ btrfs_cow_block(trans, root, old, NULL, 0, &old);
+--
+1.7.4.4
+
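Review bot: `BTRFS_INODE_ROOT_ITEM_INIT` is defined as `(1 << 31)`, a shift into the sign bit of a signed int, and the result is then combined with 64-bit values. With the usual int representation the constant is negative, so `inode_flags |= BTRFS_INODE_ROOT_ITEM_INIT` in btrfs_check_and_init_root_item() and `cpu_to_le64(BTRFS_INODE_ROOT_ITEM_INIT)` in create_subvol() would sign-extend and set bits 32-63 of the on-disk inode flags as well as bit 31. The `&` test is widened in the same way, so a root item with any stray upper bit set would be treated as already initialized and keep its uninitialized `flags` and `byte_limit`. Defining the constant as `#define BTRFS_INODE_ROOT_ITEM_INIT (1ULL << 31)` confines both the write and the test to the single intended bit.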
diff --git a/queue/PCI-hotplug-acpiphp-set-current_state-to-D0-in-regis.patch b/queue/PCI-hotplug-acpiphp-set-current_state-to-D0-in-regis.patch
index f023d63..26f159f 100644
--- a/queue/PCI-hotplug-acpiphp-set-current_state-to-D0-in-regis.patch
+++ b/queue/PCI-hotplug-acpiphp-set-current_state-to-D0-in-regis.patch
@@ -1,4 +1,4 @@
-From ffb5cf17c299378ca88d4981408f886551b638b2 Mon Sep 17 00:00:00 2001
+From 50ca5a42601940cb583e4f97eef8e8d26dff8274 Mon Sep 17 00:00:00 2001
From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Date: Mon, 28 Feb 2011 16:20:11 +0000
Subject: [PATCH] PCI hotplug: acpiphp: set current_state to D0 in
diff --git a/queue/ROSE-prevent-heap-corruption-with-bad-facilities.patch b/queue/ROSE-prevent-heap-corruption-with-bad-facilities.patch
new file mode 100644
index 0000000..1ce46b4
--- /dev/null
+++ b/queue/ROSE-prevent-heap-corruption-with-bad-facilities.patch
@@ -0,0 +1,77 @@
+From b941ac22314633842743431cdc358e82012b63fc Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Sat, 19 Mar 2011 20:43:43 +0000
+Subject: [PATCH] ROSE: prevent heap corruption with bad facilities
+
+commit be20250c13f88375345ad99950190685eda51eb8 upstream.
+
+When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for
+a remote host to provide more digipeaters than expected, resulting in
+heap corruption. Check against ROSE_MAX_DIGIS to prevent overflows, and
+abort facilities parsing on failure.
+
+Additionally, when parsing the FAC_CCITT_DEST_NSAP and
+FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length
+of less than 10, resulting in an underflow in a memcpy size, causing a
+kernel panic due to massive heap corruption. A length of greater than
+20 results in a stack overflow of the callsign array. Abort facilities
+parsing on these invalid length values.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c
+index 1734abb..174d51c 100644
+--- a/net/rose/rose_subr.c
++++ b/net/rose/rose_subr.c
+@@ -290,10 +290,15 @@ static int rose_parse_national(unsigned char *p, struct rose_facilities_struct *
+ facilities->source_ndigis = 0;
+ facilities->dest_ndigis = 0;
+ for (pt = p + 2, lg = 0 ; lg < l ; pt += AX25_ADDR_LEN, lg += AX25_ADDR_LEN) {
+- if (pt[6] & AX25_HBIT)
++ if (pt[6] & AX25_HBIT) {
++ if (facilities->dest_ndigis >= ROSE_MAX_DIGIS)
++ return -1;
+ memcpy(&facilities->dest_digis[facilities->dest_ndigis++], pt, AX25_ADDR_LEN);
+- else
++ } else {
++ if (facilities->source_ndigis >= ROSE_MAX_DIGIS)
++ return -1;
+ memcpy(&facilities->source_digis[facilities->source_ndigis++], pt, AX25_ADDR_LEN);
++ }
+ }
+ }
+ p += l + 2;
+@@ -333,6 +338,11 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
+
+ case 0xC0:
+ l = p[1];
++
++ /* Prevent overflows*/
++ if (l < 10 || l > 20)
++ return -1;
++
+ if (*p == FAC_CCITT_DEST_NSAP) {
+ memcpy(&facilities->source_addr, p + 7, ROSE_ADDR_LEN);
+ memcpy(callsign, p + 12, l - 10);
+@@ -373,12 +383,16 @@ int rose_parse_facilities(unsigned char *p,
+ switch (*p) {
+ case FAC_NATIONAL: /* National */
+ len = rose_parse_national(p + 1, facilities, facilities_len - 1);
++ if (len < 0)
++ return 0;
+ facilities_len -= len + 1;
+ p += len + 1;
+ break;
+
+ case FAC_CCITT: /* CCITT */
+ len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
++ if (len < 0)
++ return 0;
+ facilities_len -= len + 1;
+ p += len + 1;
+ break;
+--
+1.7.4.4
+
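Review bot: The new checks bound the writes into `dest_digis`, `source_digis` and `callsign`, but nothing in the visible lines bounds the reads against the amount of data actually received. In rose_parse_national() the loop still runs up to the packet-supplied `l` and reads `pt[6]`, and in rose_parse_ccitt() `l = p[1]` drives a copy from `p + 12` without being compared to the remaining length passed in as the third argument; both functions extend beyond this hunk, so such a check may exist elsewhere. If it does not, each branch should return -1 when `l + 2` exceeds that remaining length, before touching the payload. The `10` and `20` in `if (l < 10 || l > 20)` would also be easier to audit with a comment tying them to the fixed prefix before the callsign and the size of the `callsign` array.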
diff --git a/queue/Squashfs-handle-corruption-of-directory-structure.patch b/queue/Squashfs-handle-corruption-of-directory-structure.patch
new file mode 100644
index 0000000..8a067a5
--- /dev/null
+++ b/queue/Squashfs-handle-corruption-of-directory-structure.patch
@@ -0,0 +1,91 @@
+From 664fc2e93bd9584c0f6e4741afa018a9977767ca Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@lougher.demon.co.uk>
+Date: Tue, 15 Mar 2011 22:09:55 +0000
+Subject: [PATCH] Squashfs: handle corruption of directory structure
+
+commit 44cff8a9ee8a974f9e931df910688e7fc1f0b0f9 upstream.
+
+Handle the rare case where a directory metadata block is uncompressed and
+corrupted, leading to a kernel oops in directory scanning (memcpy).
+Normally corruption is detected at the decompression stage and dealt with
+then, however, this will not happen if:
+
+- metadata isn't compressed (users can optionally request no metadata
+ compression), or
+- the compressed metadata block was larger than the original, in which
+ case the uncompressed version was used, or
+- the data was corrupt after decompression
+
+This patch fixes this by adding some sanity checks against known maximum
+values.
+
+Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/squashfs/dir.c b/fs/squashfs/dir.c
+index 12b933a..a37d445 100644
+--- a/fs/squashfs/dir.c
++++ b/fs/squashfs/dir.c
+@@ -172,6 +172,11 @@ static int squashfs_readdir(struct file *file, void *dirent, filldir_t filldir)
+ length += sizeof(dirh);
+
+ dir_count = le32_to_cpu(dirh.count) + 1;
++
++ /* dir_count should never be larger than 256 */
++ if (dir_count > 256)
++ goto failed_read;
++
+ while (dir_count--) {
+ /*
+ * Read directory entry.
+@@ -183,6 +188,10 @@ static int squashfs_readdir(struct file *file, void *dirent, filldir_t filldir)
+
+ size = le16_to_cpu(dire->size) + 1;
+
++ /* size should never be larger than SQUASHFS_NAME_LEN */
++ if (size > SQUASHFS_NAME_LEN)
++ goto failed_read;
++
+ err = squashfs_read_metadata(inode->i_sb, dire->name,
+ &block, &offset, size);
+ if (err < 0)
+diff --git a/fs/squashfs/namei.c b/fs/squashfs/namei.c
+index 5266bd8..4fa484d 100644
+--- a/fs/squashfs/namei.c
++++ b/fs/squashfs/namei.c
+@@ -174,6 +174,11 @@ static struct dentry *squashfs_lookup(struct inode *dir, struct dentry *dentry,
+ length += sizeof(dirh);
+
+ dir_count = le32_to_cpu(dirh.count) + 1;
++
++ /* dir_count should never be larger than 256 */
++ if (dir_count > 256)
++ goto data_error;
++
+ while (dir_count--) {
+ /*
+ * Read directory entry.
+@@ -185,6 +190,10 @@ static struct dentry *squashfs_lookup(struct inode *dir, struct dentry *dentry,
+
+ size = le16_to_cpu(dire->size) + 1;
+
++ /* size should never be larger than SQUASHFS_NAME_LEN */
++ if (size > SQUASHFS_NAME_LEN)
++ goto data_error;
++
+ err = squashfs_read_metadata(dir->i_sb, dire->name,
+ &block, &offset, size);
+ if (err < 0)
+@@ -226,6 +235,9 @@ exit_lookup:
+ d_add(dentry, inode);
+ return ERR_PTR(0);
+
++data_error:
++ err = -EIO;
++
+ read_failure:
+ ERROR("Unable to read directory block [%llx:%x]\n",
+ squashfs_i(dir)->start + msblk->directory_table,
+--
+1.7.4.4
+
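Review bot: The `dir_count > 256` checks in squashfs_readdir() and squashfs_lookup() only reject values that are too large, so a corrupt count that comes out negative would still pass. If `dir_count` is a signed int (its declaration is outside the hunk), an on-disk `dirh.count` with the top bit set makes `le32_to_cpu(dirh.count) + 1` negative, and `while (dir_count--)` then keeps iterating over directory metadata. Declaring the variable unsigned, or testing `if (dir_count < 0 || dir_count > 256)`, closes that gap in both files. The literal `256` appears twice and would be better as a named constant next to SQUASHFS_NAME_LEN.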
diff --git a/queue/Treat-writes-as-new-when-holes-span-across-page-boun.patch b/queue/Treat-writes-as-new-when-holes-span-across-page-boun.patch
new file mode 100644
index 0000000..d3c2525
--- /dev/null
+++ b/queue/Treat-writes-as-new-when-holes-span-across-page-boun.patch
@@ -0,0 +1,37 @@
+From 7acf096f352a3de8061e2a49362834a20bffb05b Mon Sep 17 00:00:00 2001
+From: Goldwyn Rodrigues <rgoldwyn@gmail.com>
+Date: Thu, 17 Feb 2011 09:44:40 -0600
+Subject: [PATCH] Treat writes as new when holes span across page boundaries
+
+commit 272b62c1f0f6f742046e45b50b6fec98860208a0 upstream.
+
+When a hole spans across page boundaries, the next write forces
+a read of the block. This could end up reading existing garbage
+data from the disk in ocfs2_map_page_blocks. This leads to
+non-zero holes. In order to avoid this, mark the writes as new
+when the holes span across page boundaries.
+
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.de>
+Signed-off-by: jlbec <jlbec@evilplan.org>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
+index e504ab7..3de08db 100644
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -1035,6 +1035,12 @@ static int ocfs2_prepare_page_for_write(struct inode *inode, u64 *p_blkno,
+ ocfs2_figure_cluster_boundaries(OCFS2_SB(inode->i_sb), cpos,
+ &cluster_start, &cluster_end);
+
++ /* treat the write as new if the a hole/lseek spanned across
++ * the page boundary.
++ */
++ new = new | ((i_size_read(inode) <= page_offset(page)) &&
++ (page_offset(page) <= user_pos));
++
+ if (page == wc->w_target_page) {
+ map_from = user_pos & (PAGE_CACHE_SIZE - 1);
+ map_to = map_from + user_len;
+--
+1.7.4.4
+
diff --git a/queue/UBIFS-do-not-read-flash-unnecessarily.patch b/queue/UBIFS-do-not-read-flash-unnecessarily.patch
new file mode 100644
index 0000000..8531882
--- /dev/null
+++ b/queue/UBIFS-do-not-read-flash-unnecessarily.patch
@@ -0,0 +1,38 @@
+From 764f8c98275fd736f533b0ced005af9ffafdf423 Mon Sep 17 00:00:00 2001
+From: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Date: Fri, 25 Mar 2011 18:33:57 +0200
+Subject: [PATCH] UBIFS: do not read flash unnecessarily
+
+commit 8b229c76765816796eec7ccd428f03bd8de8b525 upstream.
+
+This fix makes the 'dbg_check_old_index()' function return
+immediately if debugging is disabled, instead of executing
+incorrect 'goto out' which causes UBIFS to:
+
+1. Allocate memory
+2. Read the flash
+
+On every commit. OK, we do not commit that often, but it is
+still silly to do unneeded I/O anyway.
+
+Credits to coverity for spotting this silly issue.
+
+Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/ubifs/commit.c b/fs/ubifs/commit.c
+index 37fa7ed..de01f28 100644
+--- a/fs/ubifs/commit.c
++++ b/fs/ubifs/commit.c
+@@ -519,7 +519,7 @@ int dbg_check_old_index(struct ubifs_info *c, struct ubifs_zbranch *zroot)
+ size_t sz;
+
+ if (!(ubifs_chk_flags & UBIFS_CHK_OLD_IDX))
+- goto out;
++ return 0;
+
+ INIT_LIST_HEAD(&list);
+
+--
+1.7.4.4
+
diff --git a/queue/UBIFS-fix-debugging-failure-in-dbg_check_space_info.patch b/queue/UBIFS-fix-debugging-failure-in-dbg_check_space_info.patch
new file mode 100644
index 0000000..e90b7f2
--- /dev/null
+++ b/queue/UBIFS-fix-debugging-failure-in-dbg_check_space_info.patch
@@ -0,0 +1,94 @@
+From aef12dd930709af3d719ed655a62b05e309f138d Mon Sep 17 00:00:00 2001
+From: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Date: Mon, 4 Apr 2011 17:16:39 +0300
+Subject: [PATCH] UBIFS: fix debugging failure in dbg_check_space_info
+
+commit 7da6443aca9be29c6948dcbd636ad50154d0bc0c upstream.
+
+This patch fixes a debugging failure with which looks like this:
+UBIFS error (pid 32313): dbg_check_space_info: free space changed from 6019344 to 6022654
+
+The reason for this failure is described in the comment this patch adds
+to the code. But in short - 'c->freeable_cnt' may be different before
+and after re-mounting, and this is normal. So the debugging code should
+make sure that free space calculations do not depend on 'c->freeable_cnt'.
+
+A similar issue has been reported here:
+http://lists.infradead.org/pipermail/linux-mtd/2011-April/034647.html
+
+This patch should fix it.
+
+For the -stable guys: this patch is only relevant for kernels 2.6.30
+onwards.
+
+Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/ubifs/debug.c b/fs/ubifs/debug.c
+index c2a68ba..923d697 100644
+--- a/fs/ubifs/debug.c
++++ b/fs/ubifs/debug.c
+@@ -961,11 +961,39 @@ void dbg_dump_index(struct ubifs_info *c)
+ void dbg_save_space_info(struct ubifs_info *c)
+ {
+ struct ubifs_debug_info *d = c->dbg;
+-
+- ubifs_get_lp_stats(c, &d->saved_lst);
++ int freeable_cnt;
+
+ spin_lock(&c->space_lock);
++ memcpy(&d->saved_lst, &c->lst, sizeof(struct ubifs_lp_stats));
++
++ /*
++ * We use a dirty hack here and zero out @c->freeable_cnt, because it
++ * affects the free space calculations, and UBIFS might not know about
++ * all freeable eraseblocks. Indeed, we know about freeable eraseblocks
++ * only when we read their lprops, and we do this only lazily, upon the
++ * need. So at any given point of time @c->freeable_cnt might be not
++ * exactly accurate.
++ *
++ * Just one example about the issue we hit when we did not zero
++ * @c->freeable_cnt.
++ * 1. The file-system is mounted R/O, c->freeable_cnt is %0. We save the
++ * amount of free space in @d->saved_free
++ * 2. We re-mount R/W, which makes UBIFS to read the "lsave"
++ * information from flash, where we cache LEBs from various
++ * categories ('ubifs_remount_fs()' -> 'ubifs_lpt_init()'
++ * -> 'lpt_init_wr()' -> 'read_lsave()' -> 'ubifs_lpt_lookup()'
++ * -> 'ubifs_get_pnode()' -> 'update_cats()'
++ * -> 'ubifs_add_to_cat()').
++ * 3. Lsave contains a freeable eraseblock, and @c->freeable_cnt
++ * becomes %1.
++ * 4. We calculate the amount of free space when the re-mount is
++ * finished in 'dbg_check_space_info()' and it does not match
++ * @d->saved_free.
++ */
++ freeable_cnt = c->freeable_cnt;
++ c->freeable_cnt = 0;
+ d->saved_free = ubifs_get_free_space_nolock(c);
++ c->freeable_cnt = freeable_cnt;
+ spin_unlock(&c->space_lock);
+ }
+
+@@ -982,12 +1010,15 @@ int dbg_check_space_info(struct ubifs_info *c)
+ {
+ struct ubifs_debug_info *d = c->dbg;
+ struct ubifs_lp_stats lst;
+- long long avail, free;
++ long long free;
++ int freeable_cnt;
+
+ spin_lock(&c->space_lock);
+- avail = ubifs_calc_available(c, c->min_idx_lebs);
++ freeable_cnt = c->freeable_cnt;
++ c->freeable_cnt = 0;
++ free = ubifs_get_free_space_nolock(c);
++ c->freeable_cnt = freeable_cnt;
+ spin_unlock(&c->space_lock);
+- free = ubifs_get_free_space(c);
+
+ if (free != d->saved_free) {
+ ubifs_err("free space changed from %lld to %lld",
+--
+1.7.4.4
+
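Review bot: The save/zero/restore sequence around `ubifs_get_free_space_nolock()` is written out twice, once in dbg_save_space_info() and once in dbg_check_space_info(), and the long explanatory comment sits only on the first copy. A small static helper, called with c->space_lock held, would keep both sides of the comparison identical by construction and give the comment one home. The temporary write to c->freeable_cnt is invisible to other code only if every reader also takes c->space_lock, which cannot be confirmed from these hunks. dbg_check_space_info() continues past the end of the second hunk.

```c
/* Free space with @c->freeable_cnt ignored; caller holds @c->space_lock. */
static long long dbg_free_space_no_freeable(struct ubifs_info *c)
{
	int freeable_cnt = c->freeable_cnt;
	long long free;

	c->freeable_cnt = 0;
	free = ubifs_get_free_space_nolock(c);
	c->freeable_cnt = freeable_cnt;
	return free;
}

/* … unchanged: dbg_save_space_info() up to the memcpy of c->lst … */
	d->saved_free = dbg_free_space_no_freeable(c);
/* … unchanged: dbg_check_space_info() locals and spin_lock … */
	free = dbg_free_space_no_freeable(c);
```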
diff --git a/queue/UBIFS-fix-oops-on-error-path-in-read_pnode.patch b/queue/UBIFS-fix-oops-on-error-path-in-read_pnode.patch
new file mode 100644
index 0000000..65f6d7b
--- /dev/null
+++ b/queue/UBIFS-fix-oops-on-error-path-in-read_pnode.patch
@@ -0,0 +1,35 @@
+From 5e5db3727602d53a16da62581b87aad5f1c6cb90 Mon Sep 17 00:00:00 2001
+From: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Date: Fri, 25 Mar 2011 19:09:54 +0200
+Subject: [PATCH] UBIFS: fix oops on error path in read_pnode
+
+commit 54acbaaa523ca0bd284a18f67ad213c379679e86 upstream.
+
+Thanks to coverity which spotted that UBIFS will oops if 'kmalloc()'
+in 'read_pnode()' fails and we dereference a NULL 'pnode' pointer
+when we 'goto out'.
+
+Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/ubifs/lpt.c b/fs/ubifs/lpt.c
+index ad7f67b..ead230e 100644
+--- a/fs/ubifs/lpt.c
++++ b/fs/ubifs/lpt.c
+@@ -1270,10 +1270,9 @@ static int read_pnode(struct ubifs_info *c, struct ubifs_nnode *parent, int iip)
+ lnum = branch->lnum;
+ offs = branch->offs;
+ pnode = kzalloc(sizeof(struct ubifs_pnode), GFP_NOFS);
+- if (!pnode) {
+- err = -ENOMEM;
+- goto out;
+- }
++ if (!pnode)
++ return -ENOMEM;
++
+ if (lnum == 0) {
+ /*
+ * This pnode was not written which just means that the LEB
+--
+1.7.4.4
+
diff --git a/queue/aio-wake-all-waiters-when-destroying-ctx.patch b/queue/aio-wake-all-waiters-when-destroying-ctx.patch
index d67dac0..d0559a7 100644
--- a/queue/aio-wake-all-waiters-when-destroying-ctx.patch
+++ b/queue/aio-wake-all-waiters-when-destroying-ctx.patch
@@ -1,4 +1,4 @@
-From f2b9f42bb2ccaab3baef6cdab7eccf99989c76c8 Mon Sep 17 00:00:00 2001
+From fa9d637c3213e638a515035dd73cadc315589cbe Mon Sep 17 00:00:00 2001
From: Roland Dreier <roland@purestorage.com>
Date: Tue, 22 Mar 2011 16:35:10 -0700
Subject: [PATCH] aio: wake all waiters when destroying ctx
diff --git a/queue/ath9k-fix-a-chip-wakeup-related-crash-in-ath9k_start.patch b/queue/ath9k-fix-a-chip-wakeup-related-crash-in-ath9k_start.patch
new file mode 100644
index 0000000..1b7167f
--- /dev/null
+++ b/queue/ath9k-fix-a-chip-wakeup-related-crash-in-ath9k_start.patch
@@ -0,0 +1,39 @@
+From 04416f53d8b102eb6711a3064f679fd17a8243ef Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Fri, 25 Mar 2011 17:43:41 +0100
+Subject: [PATCH] ath9k: fix a chip wakeup related crash in ath9k_start
+
+commit f62d816fc4324afbb7cf90110c70b6a14139b225 upstream.
+
+When the chip is still asleep when ath9k_start is called,
+ath9k_hw_configpcipowersave can trigger a data bus error.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index 115e1ae..b9585fb 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -1090,6 +1090,8 @@ static int ath9k_start(struct ieee80211_hw *hw)
+ "Starting driver with initial channel: %d MHz\n",
+ curchan->center_freq);
+
++ ath9k_ps_wakeup(sc);
++
+ mutex_lock(&sc->mutex);
+
+ if (ath9k_wiphy_started(sc)) {
+@@ -1199,6 +1201,8 @@ static int ath9k_start(struct ieee80211_hw *hw)
+ mutex_unlock:
+ mutex_unlock(&sc->mutex);
+
++ ath9k_ps_restore(sc);
++
+ return r;
+ }
+
+--
+1.7.4.4
+
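Review bot: The new `ath9k_ps_wakeup(sc)` before `mutex_lock()` is balanced only by the `ath9k_ps_restore(sc)` placed after the `mutex_unlock:` label, so every exit from ath9k_start() has to pass through that label. The lines between the two hunks are not shown; any plain `return` there, for instance inside the `ath9k_wiphy_started(sc)` branch, would leave the wakeup unbalanced. Since this is a backport, it is worth confirming against the 2.6.34 source that every path in between uses `goto mutex_unlock`.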
diff --git a/queue/atm-solos-pci-Don-t-include-frame-pseudo-header-on-t.patch b/queue/atm-solos-pci-Don-t-include-frame-pseudo-header-on-t.patch
new file mode 100644
index 0000000..c86a9d8
--- /dev/null
+++ b/queue/atm-solos-pci-Don-t-include-frame-pseudo-header-on-t.patch
@@ -0,0 +1,53 @@
+From 1a0a21f5619c2a649d53d2c54e38da7f796de690 Mon Sep 17 00:00:00 2001
+From: Philip A. Prindeville <philipp@redfish-solutions.com>
+Date: Wed, 30 Mar 2011 12:59:26 +0000
+Subject: [PATCH] atm/solos-pci: Don't include frame pseudo-header on transmit
+ hex-dump
+
+commit 18b429e74eeafe42e947b1b0f9a760c7153a0b5c upstream.
+
+Omit pkt_hdr preamble when dumping transmitted packet as hex-dump;
+we can pull this up because the frame has already been sent, and
+dumping it is the last thing we do with it before freeing it.
+
+Also include the size, vpi, and vci in the debug as is done on
+receive.
+
+Use "port" consistently instead of "device" intermittently.
+
+Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/atm/solos-pci.c b/drivers/atm/solos-pci.c
+index 3613422..6ba851b 100644
+--- a/drivers/atm/solos-pci.c
++++ b/drivers/atm/solos-pci.c
+@@ -695,7 +695,7 @@ void solos_bh(unsigned long card_arg)
+ size);
+ }
+ if (atmdebug) {
+- dev_info(&card->dev->dev, "Received: device %d\n", port);
++ dev_info(&card->dev->dev, "Received: port %d\n", port);
+ dev_info(&card->dev->dev, "size: %d VPI: %d VCI: %d\n",
+ size, le16_to_cpu(header->vpi),
+ le16_to_cpu(header->vci));
+@@ -1015,8 +1015,15 @@ static uint32_t fpga_tx(struct solos_card *card)
+
+ /* Clean up and free oldskb now it's gone */
+ if (atmdebug) {
++ struct pkt_hdr *header = (void *)oldskb->data;
++ int size = le16_to_cpu(header->size);
++
++ skb_pull(oldskb, sizeof(*header));
+ dev_info(&card->dev->dev, "Transmitted: port %d\n",
+ port);
++ dev_info(&card->dev->dev, "size: %d VPI: %d VCI: %d\n",
++ size, le16_to_cpu(header->vpi),
++ le16_to_cpu(header->vci));
+ print_buffer(oldskb);
+ }
+
+--
+1.7.4.4
+
diff --git a/queue/b43-allocate-receive-buffers-big-enough-for-max-fram.patch b/queue/b43-allocate-receive-buffers-big-enough-for-max-fram.patch
new file mode 100644
index 0000000..d98c45c
--- /dev/null
+++ b/queue/b43-allocate-receive-buffers-big-enough-for-max-fram.patch
@@ -0,0 +1,45 @@
+From 60f3a2fc76c117f32bb6f88149d195a34dd44947 Mon Sep 17 00:00:00 2001
+From: John W. Linville <linville@tuxdriver.com>
+Date: Wed, 30 Mar 2011 14:02:46 -0400
+Subject: [PATCH] b43: allocate receive buffers big enough for max frame len +
+ offset
+
+commit c85ce65ecac078ab1a1835c87c4a6319cf74660a upstream.
+
+Otherwise, skb_put inside of dma_rx can fail...
+
+ https://bugzilla.kernel.org/show_bug.cgi?id=32042
+
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/net/wireless/b43/dma.c b/drivers/net/wireless/b43/dma.c
+index fa40fdf..b8900f0 100644
+--- a/drivers/net/wireless/b43/dma.c
++++ b/drivers/net/wireless/b43/dma.c
+@@ -1538,7 +1538,7 @@ static void dma_rx(struct b43_dmaring *ring, int *slot)
+ dmaaddr = meta->dmaaddr;
+ goto drop_recycle_buffer;
+ }
+- if (unlikely(len > ring->rx_buffersize)) {
++ if (unlikely(len + ring->frameoffset > ring->rx_buffersize)) {
+ /* The data did not fit into one descriptor buffer
+ * and is split over multiple buffers.
+ * This should never happen, as we try to allocate buffers
+diff --git a/drivers/net/wireless/b43/dma.h b/drivers/net/wireless/b43/dma.h
+index dc91944..a9282d7 100644
+--- a/drivers/net/wireless/b43/dma.h
++++ b/drivers/net/wireless/b43/dma.h
+@@ -163,7 +163,7 @@ struct b43_dmadesc_generic {
+ /* DMA engine tuning knobs */
+ #define B43_TXRING_SLOTS 256
+ #define B43_RXRING_SLOTS 64
+-#define B43_DMA0_RX_BUFFERSIZE IEEE80211_MAX_FRAME_LEN
++#define B43_DMA0_RX_BUFFERSIZE (B43_DMA0_RX_FRAMEOFFSET + IEEE80211_MAX_FRAME_LEN)
+
+ /* Pointer poison */
+ #define B43_DMA_PTR_POISON ((void *)ERR_PTR(-ENOMEM))
+--
+1.7.4.4
+
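Review bot: The widened check in dma_rx() presumably still runs after the device has filled the buffer, so it would detect an oversized frame rather than prevent one. The origin of `len` is above the hunk, and the size programmed into the receive descriptor is not visible either. It should be confirmed that the descriptor is set up from the same `ring->rx_buffersize` that now includes `B43_DMA0_RX_FRAMEOFFSET`, so the hardware limit and this check agree. dma_rx() starts and ends outside the hunk.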
diff --git a/queue/can-Add-missing-socket-check-in-can-bcm-release.patch b/queue/can-Add-missing-socket-check-in-can-bcm-release.patch
index 1b7d976..8978e7e 100644
--- a/queue/can-Add-missing-socket-check-in-can-bcm-release.patch
+++ b/queue/can-Add-missing-socket-check-in-can-bcm-release.patch
@@ -1,4 +1,4 @@
-From 3acf1e0adee3d409e811762b0b8da99634cb6ec4 Mon Sep 17 00:00:00 2001
+From 738bd722ce1f66febebe9c79a3ac6c25662cee81 Mon Sep 17 00:00:00 2001
From: Dave Jones <davej@redhat.com>
Date: Tue, 19 Apr 2011 20:36:59 -0700
Subject: [PATCH] can: Add missing socket check in can/bcm release.
diff --git a/queue/can-add-missing-socket-check-in-can-raw-release.patch b/queue/can-add-missing-socket-check-in-can-raw-release.patch
index 9a2d41a..70703de 100644
--- a/queue/can-add-missing-socket-check-in-can-raw-release.patch
+++ b/queue/can-add-missing-socket-check-in-can-raw-release.patch
@@ -1,4 +1,4 @@
-From 40352df517ac43e9b43bbf380fe55a6198984d71 Mon Sep 17 00:00:00 2001
+From af6caa46b7e1edacae1e7b49a025a54cb2a77029 Mon Sep 17 00:00:00 2001
From: Oliver Hartkopp <socketcan@hartkopp.net>
Date: Wed, 20 Apr 2011 01:57:15 +0000
Subject: [PATCH] can: add missing socket check in can/raw release
diff --git a/queue/cciss-fix-lost-command-issue.patch b/queue/cciss-fix-lost-command-issue.patch
new file mode 100644
index 0000000..6b2186a
--- /dev/null
+++ b/queue/cciss-fix-lost-command-issue.patch
@@ -0,0 +1,34 @@
+From ca8f1563820898684c2d0dbaedaa98c564ce4148 Mon Sep 17 00:00:00 2001
+From: Bud Brown <bud.brown@redhat.com>
+Date: Wed, 23 Mar 2011 20:47:11 +0100
+Subject: [PATCH] cciss: fix lost command issue
+
+commit 1ddd5049545e0aa1a0ed19bca4d9c9c3ce1ac8a2 upstream.
+
+Under certain workloads a command may seem to get lost. IOW, the Smart Array
+thinks all commands have been completed but we still have commands in our
+completion queue. This may lead to system instability, filesystems going
+read-only, or even panics depending on the affected filesystem. We add an
+extra read to force the write to complete.
+
+Testing shows this extra read avoids the problem.
+
+Signed-off-by: Mike Miller <mike.miller@hp.com>
+Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/block/cciss.h b/drivers/block/cciss.h
+index c5d4111..37a2d4f 100644
+--- a/drivers/block/cciss.h
++++ b/drivers/block/cciss.h
+@@ -173,6 +173,7 @@ static void SA5_submit_command( ctlr_info_t *h, CommandList_struct *c)
+ printk("Sending %x - down to controller\n", c->busaddr );
+ #endif /* CCISS_DEBUG */
+ writel(c->busaddr, h->vaddr + SA5_REQUEST_PORT_OFFSET);
++ readl(h->vaddr + SA5_REQUEST_PORT_OFFSET);
+ h->commands_outstanding++;
+ if ( h->commands_outstanding > h->max_outstanding)
+ h->max_outstanding = h->commands_outstanding;
+--
+1.7.4.4
+
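Review bot: The added `readl()` in SA5_submit_command() has no comment and discards its result, so it reads like a leftover and is an easy target for a later cleanup. The commit message says the read is there to force the preceding write to complete; that explanation belongs next to the line, e.g. `/* Read back to force the writel() above to complete. */`. Writing it as `(void) readl(h->vaddr + SA5_REQUEST_PORT_OFFSET);` would also make the intentional discard explicit.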
diff --git a/queue/char-tpm-Fix-unitialized-usage-of-data-buffer.patch b/queue/char-tpm-Fix-unitialized-usage-of-data-buffer.patch
new file mode 100644
index 0000000..42ea5d9
--- /dev/null
+++ b/queue/char-tpm-Fix-unitialized-usage-of-data-buffer.patch
@@ -0,0 +1,35 @@
+From 9671b910b658e260547a52851eb02dc3fbab6969 Mon Sep 17 00:00:00 2001
+From: Peter Huewe <huewe.external.infineon@googlemail.com>
+Date: Tue, 29 Mar 2011 13:31:25 +0200
+Subject: [PATCH] char/tpm: Fix unitialized usage of data buffer
+
+commit 1309d7afbed112f0e8e90be9af975550caa0076b upstream.
+
+This patch fixes information leakage to the userspace by initializing
+the data buffer to zero.
+
+Reported-by: Peter Huewe <huewe.external@infineon.com>
+Signed-off-by: Peter Huewe <huewe.external@infineon.com>
+Signed-off-by: Marcel Selhorst <m.selhorst@sirrix.com>
+[ Also removed the silly "* sizeof(u8)". If that isn't 1, we have way
+ deeper problems than a simple multiplication can fix. - Linus ]
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
+index 6ab5381..7f95fec 100644
+--- a/drivers/char/tpm/tpm.c
++++ b/drivers/char/tpm/tpm.c
+@@ -956,7 +956,7 @@ int tpm_open(struct inode *inode, struct file *file)
+ return -EBUSY;
+ }
+
+- chip->data_buffer = kmalloc(TPM_BUFSIZE * sizeof(u8), GFP_KERNEL);
++ chip->data_buffer = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
+ if (chip->data_buffer == NULL) {
+ clear_bit(0, &chip->is_open);
+ put_device(chip->dev);
+--
+1.7.4.4
+
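Review bot: Switching to `kzalloc(TPM_BUFSIZE, GFP_KERNEL)` in tpm_open() only guarantees that the buffer is clean when it is allocated; it does not bound what a later read hands back. The read and write paths are outside this hunk, so it is worth confirming that the number of bytes copied to user space is limited to the length the device actually returned. It is also worth confirming that data left over from one command cannot be returned after a shorter one. tpm_open() starts and ends outside the hunk.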
diff --git a/queue/drivers-misc-ep93xx_pwm.c-world-writable-sysfs-files.patch b/queue/drivers-misc-ep93xx_pwm.c-world-writable-sysfs-files.patch
new file mode 100644
index 0000000..81a3842
--- /dev/null
+++ b/queue/drivers-misc-ep93xx_pwm.c-world-writable-sysfs-files.patch
@@ -0,0 +1,38 @@
+From 6c76a8311abb7a9d14d513dda0049f951790d5cf Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Tue, 22 Mar 2011 16:34:01 -0700
+Subject: [PATCH] drivers/misc/ep93xx_pwm.c: world-writable sysfs files
+
+commit deb187e72470b0382d4f0cb859e76e1ebc3a1082 upstream.
+
+Don't allow everybody to change device settings.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Acked-by: Hartley Sweeten <hartleys@visionengravers.com>
+Cc: Matthieu Crapet <mcrapet@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/misc/ep93xx_pwm.c b/drivers/misc/ep93xx_pwm.c
+index 46b3439..16d7179 100644
+--- a/drivers/misc/ep93xx_pwm.c
++++ b/drivers/misc/ep93xx_pwm.c
+@@ -249,11 +249,11 @@ static ssize_t ep93xx_pwm_set_invert(struct device *dev,
+
+ static DEVICE_ATTR(min_freq, S_IRUGO, ep93xx_pwm_get_min_freq, NULL);
+ static DEVICE_ATTR(max_freq, S_IRUGO, ep93xx_pwm_get_max_freq, NULL);
+-static DEVICE_ATTR(freq, S_IWUGO | S_IRUGO,
++static DEVICE_ATTR(freq, S_IWUSR | S_IRUGO,
+ ep93xx_pwm_get_freq, ep93xx_pwm_set_freq);
+-static DEVICE_ATTR(duty_percent, S_IWUGO | S_IRUGO,
++static DEVICE_ATTR(duty_percent, S_IWUSR | S_IRUGO,
+ ep93xx_pwm_get_duty_percent, ep93xx_pwm_set_duty_percent);
+-static DEVICE_ATTR(invert, S_IWUGO | S_IRUGO,
++static DEVICE_ATTR(invert, S_IWUSR | S_IRUGO,
+ ep93xx_pwm_get_invert, ep93xx_pwm_set_invert);
+
+ static struct attribute *ep93xx_pwm_attrs[] = {
+--
+1.7.4.4
+
diff --git a/queue/drivers-rtc-rtc-ds1511.c-world-writable-sysfs-nvram-.patch b/queue/drivers-rtc-rtc-ds1511.c-world-writable-sysfs-nvram-.patch
new file mode 100644
index 0000000..a1d3c89
--- /dev/null
+++ b/queue/drivers-rtc-rtc-ds1511.c-world-writable-sysfs-nvram-.patch
@@ -0,0 +1,32 @@
+From 6f09a0ddbea5ede3520b61eebfed913f8c104778 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Tue, 22 Mar 2011 16:34:53 -0700
+Subject: [PATCH] drivers/rtc/rtc-ds1511.c: world-writable sysfs nvram file
+
+commit 49d50fb1c28738ef6bad0c2b87d5355a1653fed5 upstream.
+
+Don't allow everybogy to write to NVRAM.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Cc: Andy Sharp <andy.sharp@onstor.com>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/rtc/rtc-ds1511.c b/drivers/rtc/rtc-ds1511.c
+index 06b8566..fad05bd 100644
+--- a/drivers/rtc/rtc-ds1511.c
++++ b/drivers/rtc/rtc-ds1511.c
+@@ -483,7 +483,7 @@ ds1511_nvram_write(struct kobject *kobj, struct bin_attribute *bin_attr,
+ static struct bin_attribute ds1511_nvram_attr = {
+ .attr = {
+ .name = "nvram",
+- .mode = S_IRUGO | S_IWUGO,
++ .mode = S_IRUGO | S_IWUSR,
+ },
+ .size = DS1511_RAM_MAX,
+ .read = ds1511_nvram_read,
+--
+1.7.4.4
+
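Review bot: The `nvram` attribute stays world-readable with `.mode = S_IRUGO | S_IWUSR`; the change closes unprivileged writes, but any local user can still read all `DS1511_RAM_MAX` bytes. Whether anything sensitive is stored there is not visible from this hunk. If it can be, `.mode = S_IRUSR | S_IWUSR,` would be the tighter choice.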
diff --git a/queue/eCryptfs-Unlock-page-in-write_begin-error-path.patch b/queue/eCryptfs-Unlock-page-in-write_begin-error-path.patch
new file mode 100644
index 0000000..bc3e28d
--- /dev/null
+++ b/queue/eCryptfs-Unlock-page-in-write_begin-error-path.patch
@@ -0,0 +1,33 @@
+From 2a04a541c4b4a319a21339770784fd15dfaee923 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+Date: Wed, 9 Mar 2011 11:49:13 -0600
+Subject: [PATCH] eCryptfs: Unlock page in write_begin error path
+
+commit 50f198ae16ac66508d4b8d5a40967a8507ad19ee upstream.
+
+Unlock the page in error path of ecryptfs_write_begin(). This may
+happen, for example, if decryption fails while bring the page
+up-to-date.
+
+Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/ecryptfs/mmap.c b/fs/ecryptfs/mmap.c
+index 2ee9a3a..eb1a0c9 100644
+--- a/fs/ecryptfs/mmap.c
++++ b/fs/ecryptfs/mmap.c
+@@ -377,6 +377,11 @@ static int ecryptfs_write_begin(struct file *file,
+ && (pos != 0))
+ zero_user(page, 0, PAGE_CACHE_SIZE);
+ out:
++ if (unlikely(rc)) {
++ unlock_page(page);
++ page_cache_release(page);
++ *pagep = NULL;
++ }
+ return rc;
+ }
+
+--
+1.7.4.4
+
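Review bot: The new cleanup under `out:` calls `unlock_page(page)` and `page_cache_release(page)` for every non-zero `rc`, so it is correct only if no path reaches `out:` before the page has been obtained and locked. The start of ecryptfs_write_begin() is outside the hunk; if a failed page lookup jumps to `out:` instead of returning directly, `page` would be NULL at this point. Confirm that against the 2.6.34 source before relying on the unconditional unlock.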
diff --git a/queue/eCryptfs-ecryptfs_keyring_auth_tok_for_sig-bug-fix.patch b/queue/eCryptfs-ecryptfs_keyring_auth_tok_for_sig-bug-fix.patch
new file mode 100644
index 0000000..cbdbcc3
--- /dev/null
+++ b/queue/eCryptfs-ecryptfs_keyring_auth_tok_for_sig-bug-fix.patch
@@ -0,0 +1,30 @@
+From ac4a8bdcc5a9631f4e995a07ffef68563fb59e38 Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@polito.it>
+Date: Thu, 17 Mar 2011 12:48:50 +0100
+Subject: [PATCH] eCryptfs: ecryptfs_keyring_auth_tok_for_sig() bug fix
+
+commit 1821df040ac3cd6a57518739f345da6d50ea9d3f upstream.
+
+The pointer '(*auth_tok_key)' is set to NULL in case request_key()
+fails, in order to prevent its use by functions calling
+ecryptfs_keyring_auth_tok_for_sig().
+
+Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
+Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
+index 89c5476..d6e9355 100644
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -1543,6 +1543,7 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
+ printk(KERN_ERR "Could not find key with description: [%s]\n",
+ sig);
+ rc = process_request_key_err(PTR_ERR(*auth_tok_key));
++ (*auth_tok_key) = NULL;
+ goto out;
+ }
+ (*auth_tok) = ecryptfs_get_key_payload_data(*auth_tok_key);
+--
+1.7.4.4
+
diff --git a/queue/exec-copy-and-paste-the-fixes-into-compat_do_execve-.patch b/queue/exec-copy-and-paste-the-fixes-into-compat_do_execve-.patch
new file mode 100644
index 0000000..6fec015
--- /dev/null
+++ b/queue/exec-copy-and-paste-the-fixes-into-compat_do_execve-.patch
@@ -0,0 +1,143 @@
+From 0e863a0fe3dc9a7c4b7708f7ab0f9fcc129b85f4 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Tue, 30 Nov 2010 20:56:02 +0100
+Subject: [PATCH] exec: copy-and-paste the fixes into compat_do_execve() paths
+
+commit 114279be2120a916e8a04feeb2ac976a10016f2f upstream.
+
+Note: this patch targets 2.6.37 and tries to be as simple as possible.
+That is why it adds more copy-and-paste horror into fs/compat.c and
+uglifies fs/exec.c, this will be cleanuped later.
+
+compat_copy_strings() plays with bprm->vma/mm directly and thus has
+two problems: it lacks the RLIMIT_STACK check and argv/envp memory
+is not visible to oom killer.
+
+Export acct_arg_size() and get_arg_page(), change compat_copy_strings()
+to use get_arg_page(), change compat_do_execve() to do acct_arg_size(0)
+as do_execve() does.
+
+Add the fatal_signal_pending/cond_resched checks into compat_count() and
+compat_copy_strings(), this matches the code in fs/exec.c and certainly
+makes sense.
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/compat.c b/fs/compat.c
+index 6490d21..633e63c 100644
+--- a/fs/compat.c
++++ b/fs/compat.c
+@@ -1376,6 +1376,10 @@ static int compat_count(compat_uptr_t __user *argv, int max)
+ argv++;
+ if (i++ >= max)
+ return -E2BIG;
++
++ if (fatal_signal_pending(current))
++ return -ERESTARTNOHAND;
++ cond_resched();
+ }
+ }
+ return i;
+@@ -1417,6 +1421,12 @@ static int compat_copy_strings(int argc, compat_uptr_t __user *argv,
+ while (len > 0) {
+ int offset, bytes_to_copy;
+
++ if (fatal_signal_pending(current)) {
++ ret = -ERESTARTNOHAND;
++ goto out;
++ }
++ cond_resched();
++
+ offset = pos % PAGE_SIZE;
+ if (offset == 0)
+ offset = PAGE_SIZE;
+@@ -1433,18 +1443,8 @@ static int compat_copy_strings(int argc, compat_uptr_t __user *argv,
+ if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
+ struct page *page;
+
+-#ifdef CONFIG_STACK_GROWSUP
+- ret = expand_stack_downwards(bprm->vma, pos);
+- if (ret < 0) {
+- /* We've exceed the stack rlimit. */
+- ret = -E2BIG;
+- goto out;
+- }
+-#endif
+- ret = get_user_pages(current, bprm->mm, pos,
+- 1, 1, 1, &page, NULL);
+- if (ret <= 0) {
+- /* We've exceed the stack rlimit. */
++ page = get_arg_page(bprm, pos, 1);
++ if (!page) {
+ ret = -E2BIG;
+ goto out;
+ }
+@@ -1565,8 +1565,10 @@ int compat_do_execve(char * filename,
+ return retval;
+
+ out:
+- if (bprm->mm)
++ if (bprm->mm) {
++ acct_arg_size(bprm, 0);
+ mmput(bprm->mm);
++ }
+
+ out_file:
+ if (bprm->file) {
+diff --git a/fs/exec.c b/fs/exec.c
+index b5cf64a..11cfcce 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -158,7 +158,7 @@ out:
+
+ #ifdef CONFIG_MMU
+
+-static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
++void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
+ {
+ struct mm_struct *mm = current->mm;
+ long diff = (long)(pages - bprm->vma_pages);
+@@ -173,7 +173,7 @@ static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
+ up_write(&mm->mmap_sem);
+ }
+
+-static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
++struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+ int write)
+ {
+ struct page *page;
+@@ -291,11 +291,11 @@ static bool valid_arg_len(struct linux_binprm *bprm, long len)
+
+ #else
+
+-static inline void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
++void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
+ {
+ }
+
+-static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
++struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+ int write)
+ {
+ struct page *page;
+diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
+index 39798c6..074b620 100644
+--- a/include/linux/binfmts.h
++++ b/include/linux/binfmts.h
+@@ -60,6 +60,10 @@ struct linux_binprm{
+ unsigned long loader, exec;
+ };
+
++extern void acct_arg_size(struct linux_binprm *bprm, unsigned long pages);
++extern struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
++ int write);
++
+ #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
+ #define BINPRM_FLAGS_ENFORCE_NONDUMP (1 << BINPRM_FLAGS_ENFORCE_NONDUMP_BIT)
+
+--
+1.7.4.4
+
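Review bot: The two declarations added to include/linux/binfmts.h turn `acct_arg_size()` and `get_arg_page()` into kernel-wide symbols without a comment saying who is meant to call them. The commit message states they are exported only so fs/compat.c can reuse them; a line such as `/* Exported for fs/compat.c only; see compat_copy_strings() and compat_do_execve(). */` above the externs would record that. In compat_copy_strings(), `-E2BIG` is now returned for any NULL from `get_arg_page()`, and the removed "exceed the stack rlimit" comment is not replaced, so a short comment on the `if (!page)` branch would help. All the functions touched here start or end outside their hunks.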
diff --git a/queue/ext4-fix-credits-computing-for-indirect-mapped-files.patch b/queue/ext4-fix-credits-computing-for-indirect-mapped-files.patch
new file mode 100644
index 0000000..3576bc5
--- /dev/null
+++ b/queue/ext4-fix-credits-computing-for-indirect-mapped-files.patch
@@ -0,0 +1,45 @@
+From ab3687999c0c6561118fb8bbeb157a7d0f2e11b1 Mon Sep 17 00:00:00 2001
+From: Yongqiang Yang <xiaoqiangnk@gmail.com>
+Date: Mon, 4 Apr 2011 15:40:24 -0400
+Subject: [PATCH] ext4: fix credits computing for indirect mapped files
+
+commit 5b41395fcc0265fc9f193aef9df39ce49d64677c upstream.
+
+When writing a contiguous set of blocks, two indirect blocks could be
+needed depending on how the blocks are aligned, so we need to increase
+the number of credits needed by one.
+
+[ Also fixed a another bug which could further underestimate the
+ number of journal credits needed by 1; the code was using integer
+ division instead of DIV_ROUND_UP() -- tytso]
+
+Signed-off-by: Yongqiang Yang <xiaoqiangnk@gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 4eced51..904f3e4 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5573,13 +5573,12 @@ static int ext4_indirect_trans_blocks(struct inode *inode, int nrblocks,
+ /* if nrblocks are contiguous */
+ if (chunk) {
+ /*
+- * With N contiguous data blocks, it need at most
+- * N/EXT4_ADDR_PER_BLOCK(inode->i_sb) indirect blocks
+- * 2 dindirect blocks
+- * 1 tindirect block
++ * With N contiguous data blocks, we need at most
++ * N/EXT4_ADDR_PER_BLOCK(inode->i_sb) + 1 indirect blocks,
++ * 2 dindirect blocks, and 1 tindirect block
+ */
+- indirects = nrblocks / EXT4_ADDR_PER_BLOCK(inode->i_sb);
+- return indirects + 3;
++ return DIV_ROUND_UP(nrblocks,
++ EXT4_ADDR_PER_BLOCK(inode->i_sb)) + 4;
+ }
+ /*
+ * if nrblocks are not contiguous, worse case, each block touch
+--
+1.7.4.4
+
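Review bot: The rewritten comment in ext4_indirect_trans_blocks() says `N/EXT4_ADDR_PER_BLOCK(inode->i_sb) + 1 indirect blocks`, but the code now computes `DIV_ROUND_UP(nrblocks, EXT4_ADDR_PER_BLOCK(inode->i_sb)) + 4`, i.e. the quotient rounded up. The rounding is one of the two fixes named in the commit message, so the comment should say `DIV_ROUND_UP(N, EXT4_ADDR_PER_BLOCK(inode->i_sb)) + 1 indirect blocks`. `indirects` is no longer assigned in this branch; its declaration and any remaining use are outside the hunk, so check that it has not become an unused variable.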
diff --git a/queue/gro-Reset-dev-pointer-on-reuse.patch b/queue/gro-Reset-dev-pointer-on-reuse.patch
new file mode 100644
index 0000000..f367c88
--- /dev/null
+++ b/queue/gro-Reset-dev-pointer-on-reuse.patch
@@ -0,0 +1,38 @@
+From 63f056dfc47265f5b224b688855efc87490354ea Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Sat, 29 Jan 2011 20:44:54 -0800
+Subject: [PATCH] gro: Reset dev pointer on reuse
+
+commit 66c46d741e2e60f0e8b625b80edb0ab820c46d7a upstream.
+
+On older kernels the VLAN code may zero skb->dev before dropping
+it and causing it to be reused by GRO.
+
+Unfortunately we didn't reset skb->dev in that case which causes
+the next GRO user to get a bogus skb->dev pointer.
+
+This particular problem no longer happens with the current upstream
+kernel due to changes in VLAN processing.
+
+However, for correctness we should still reset the skb->dev pointer
+in the GRO reuse function in case a future user does the same thing.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 3095934..19a74f6 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2822,6 +2822,7 @@ void napi_reuse_skb(struct napi_struct *napi, struct sk_buff *skb)
+ {
+ __skb_pull(skb, skb_headlen(skb));
+ skb_reserve(skb, NET_IP_ALIGN - skb_headroom(skb));
++ skb->dev = napi->dev;
+
+ napi->skb = skb;
+ }
+--
+1.7.4.4
+
diff --git a/queue/gro-reset-skb_iif-on-reuse.patch b/queue/gro-reset-skb_iif-on-reuse.patch
new file mode 100644
index 0000000..dfed3ca
--- /dev/null
+++ b/queue/gro-reset-skb_iif-on-reuse.patch
@@ -0,0 +1,35 @@
+From 9faae02648e3f8b2e5c47a0c252cce3f289616ad Mon Sep 17 00:00:00 2001
+From: Andy Gospodarek <andy@greyhouse.net>
+Date: Wed, 2 Feb 2011 14:53:25 -0800
+Subject: [PATCH] gro: reset skb_iif on reuse
+
+commit 6d152e23ad1a7a5b40fef1f42e017d66e6115159 upstream.
+
+Like Herbert's change from a few days ago:
+
+66c46d741e2e60f0e8b625b80edb0ab820c46d7a gro: Reset dev pointer on reuse
+
+this may not be necessary at this point, but we should still clean up
+the skb->skb_iif. If not we may end up with an invalid valid for
+skb->skb_iif when the skb is reused and the check is done in
+__netif_receive_skb.
+
+Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 19a74f6..1bde8b7 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2823,6 +2823,7 @@ void napi_reuse_skb(struct napi_struct *napi, struct sk_buff *skb)
+ __skb_pull(skb, skb_headlen(skb));
+ skb_reserve(skb, NET_IP_ALIGN - skb_headroom(skb));
+ skb->dev = napi->dev;
++ skb->skb_iif = 0;
+
+ napi->skb = skb;
+ }
+--
+1.7.4.4
+
diff --git a/queue/irda-prevent-heap-corruption-on-invalid-nickname.patch b/queue/irda-prevent-heap-corruption-on-invalid-nickname.patch
new file mode 100644
index 0000000..2e59fa0
--- /dev/null
+++ b/queue/irda-prevent-heap-corruption-on-invalid-nickname.patch
@@ -0,0 +1,35 @@
+From 5f5455bb36edfe1e6ca339e91cdfcd5a42df4fec Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Sat, 19 Mar 2011 20:14:30 +0000
+Subject: [PATCH] irda: prevent heap corruption on invalid nickname
+
+commit d50e7e3604778bfc2dc40f440e0742dbae399d54 upstream.
+
+Invalid nicknames containing only spaces will result in an underflow in
+a memcpy size calculation, subsequently destroying the heap and
+panicking.
+
+v2 also catches the case where the provided nickname is longer than the
+buffer size, which can result in controllable heap corruption.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/irda/irnet/irnet_ppp.c b/net/irda/irnet/irnet_ppp.c
+index 6a1a202..ab5bee2 100644
+--- a/net/irda/irnet/irnet_ppp.c
++++ b/net/irda/irnet/irnet_ppp.c
+@@ -106,6 +106,9 @@ irnet_ctrl_write(irnet_socket * ap,
+ while(isspace(start[length - 1]))
+ length--;
+
++ DABORT(length < 5 || length > NICKNAME_MAX_LEN + 5,
++ -EINVAL, CTRL_ERROR, "Invalid nickname.\n");
++
+ /* Copy the name for later reuse */
+ memcpy(ap->rname, start + 5, length - 5);
+ ap->rname[length - 5] = '\0';
+--
+1.7.4.4
+
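Review bot: The new DABORT bound is only correct relative to the size of `ap->rname`, which is declared outside this hunk, and the literal 5 (apparently the length of the command prefix in front of the nickname) is repeated several times without a name. A short comment above the check would make the invariant auditable, for example `/* 5 = command prefix; the remainder must fit ap->rname plus its NUL */`. The trimming loop just above also reads `start[length - 1]` before any lower bound on `length` is applied, so it depends on a non-space byte earlier in the buffer, presumably the already-matched prefix. irnet_ctrl_write starts and ends outside the hunk, so that should be confirmed there.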
diff --git a/queue/irda-validate-peer-name-and-attribute-lengths.patch b/queue/irda-validate-peer-name-and-attribute-lengths.patch
new file mode 100644
index 0000000..c2ed69b
--- /dev/null
+++ b/queue/irda-validate-peer-name-and-attribute-lengths.patch
@@ -0,0 +1,39 @@
+From 36fa93000c776c9c838588e7e553d67ae958990d Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Sun, 20 Mar 2011 15:32:06 +0000
+Subject: [PATCH] irda: validate peer name and attribute lengths
+
+commit d370af0ef7951188daeb15bae75db7ba57c67846 upstream.
+
+Length fields provided by a peer for names and attributes may be longer
+than the destination array sizes. Validate lengths to prevent stack
+buffer overflows.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/irda/iriap.c b/net/irda/iriap.c
+index b6fd6d1..26272fe 100644
+--- a/net/irda/iriap.c
++++ b/net/irda/iriap.c
+@@ -656,10 +656,16 @@ static void iriap_getvaluebyclass_indication(struct iriap_cb *self,
+ n = 1;
+
+ name_len = fp[n++];
++
++ IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return;);
++
+ memcpy(name, fp+n, name_len); n+=name_len;
+ name[name_len] = '\0';
+
+ attr_len = fp[n++];
++
++ IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return;);
++
+ memcpy(attr, fp+n, attr_len); n+=attr_len;
+ attr[attr_len] = '\0';
+
+--
+1.7.4.4
+
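Review bot: Both new length checks use IRDA_ASSERT, and if that macro is compiled out when IrDA debugging is disabled, `name_len` and `attr_len` still reach the two memcpy calls unchecked on production builds. Its definition is not part of this hunk, so this needs checking in the irda headers. Bounds on peer-supplied lengths are safer as unconditional code, e.g. `if (name_len > IAS_MAX_CLASSNAME) return;` and `if (attr_len > IAS_MAX_ATTRIBNAME) return;`. Neither check compares `n + name_len` or `n + attr_len` with the amount of data actually present behind `fp`, so a short frame could still be over-read. The function starts and ends outside the hunk, so any cleanup needed on the early return has to be confirmed there.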
diff --git a/queue/mac80211-initialize-sta-last_rx-in-sta_info_alloc.patch b/queue/mac80211-initialize-sta-last_rx-in-sta_info_alloc.patch
new file mode 100644
index 0000000..7a53627
--- /dev/null
+++ b/queue/mac80211-initialize-sta-last_rx-in-sta_info_alloc.patch
@@ -0,0 +1,31 @@
+From db7503b242674ec7127120a70722797812abcfd8 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Mon, 21 Mar 2011 20:01:00 +0100
+Subject: [PATCH] mac80211: initialize sta->last_rx in sta_info_alloc
+
+commit 8bc8aecdc5e26cfda12dbd6867af4aa67836da6a upstream.
+
+This field is used to determine the inactivity time. When in AP mode,
+hostapd uses it for kicking out inactive clients after a while. Without this
+patch, hostapd immediately deauthenticates a new client if it checks the
+inactivity time before the client sends its first data frame.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
+index fb12cec..8899c78 100644
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -239,6 +239,7 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
+ memcpy(sta->sta.addr, addr, ETH_ALEN);
+ sta->local = local;
+ sta->sdata = sdata;
++ sta->last_rx = jiffies;
+
+ if (sta_prepare_rate_control(local, sta, gfp)) {
+ kfree(sta);
+--
+1.7.4.4
+
diff --git a/queue/mfd-ab3100-world-writable-debugfs-_priv-files.patch b/queue/mfd-ab3100-world-writable-debugfs-_priv-files.patch
new file mode 100644
index 0000000..eb3ac0b
--- /dev/null
+++ b/queue/mfd-ab3100-world-writable-debugfs-_priv-files.patch
@@ -0,0 +1,39 @@
+From fb150eb7c97637cc30431ff35181a6f086ed4d50 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Fri, 4 Feb 2011 15:23:36 +0300
+Subject: [PATCH] mfd: ab3100: world-writable debugfs *_priv files
+
+commit f8a0697722d12a201588225999cfc8bfcbc82781 upstream.
+
+Don't allow everybody to change device hardware registers.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Acked-by: Linus Walleij <linus.walleij@stericsson.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/mfd/ab3100-core.c b/drivers/mfd/ab3100-core.c
+index e4ca590..4267a4d 100644
+--- a/drivers/mfd/ab3100-core.c
++++ b/drivers/mfd/ab3100-core.c
+@@ -580,7 +580,7 @@ static void ab3100_setup_debugfs(struct ab3100 *ab3100)
+ ab3100_get_priv.ab3100 = ab3100;
+ ab3100_get_priv.mode = false;
+ ab3100_get_reg_file = debugfs_create_file("get_reg",
+- S_IWUGO, ab3100_dir, &ab3100_get_priv,
++ S_IWUSR, ab3100_dir, &ab3100_get_priv,
+ &ab3100_get_set_reg_fops);
+ if (!ab3100_get_reg_file) {
+ err = -ENOMEM;
+@@ -590,7 +590,7 @@ static void ab3100_setup_debugfs(struct ab3100 *ab3100)
+ ab3100_set_priv.ab3100 = ab3100;
+ ab3100_set_priv.mode = true;
+ ab3100_set_reg_file = debugfs_create_file("set_reg",
+- S_IWUGO, ab3100_dir, &ab3100_set_priv,
++ S_IWUSR, ab3100_dir, &ab3100_set_priv,
+ &ab3100_get_set_reg_fops);
+ if (!ab3100_set_reg_file) {
+ err = -ENOMEM;
+--
+1.7.4.4
+
diff --git a/queue/mm-avoid-wrapping-vm_pgoff-in-mremap.patch b/queue/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
new file mode 100644
index 0000000..1bae369
--- /dev/null
+++ b/queue/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
@@ -0,0 +1,47 @@
+From 840db12c9185825551870d0c2931d13212130f69 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 7 Apr 2011 07:35:50 -0700
+Subject: [PATCH] mm: avoid wrapping vm_pgoff in mremap()
+
+commit 982134ba62618c2d69fbbbd166d0a11ee3b7e3d8 upstream.
+
+The normal mmap paths all avoid creating a mapping where the pgoff
+inside the mapping could wrap around due to overflow. However, an
+expanding mremap() can take such a non-wrapping mapping and make it
+bigger and cause a wrapping condition.
+
+Noticed by Robert Swiecki when running a system call fuzzer, where it
+caused a BUG_ON() due to terminally confusing the vma_prio_tree code. A
+vma dumping patch by Hugh then pinpointed the crazy wrapped case.
+
+Reported-and-tested-by: Robert Swiecki <robert@swiecki.net>
+Acked-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/mm/mremap.c b/mm/mremap.c
+index 10d5f62..97de5ae 100644
+--- a/mm/mremap.c
++++ b/mm/mremap.c
+@@ -274,9 +274,16 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
+ if (old_len > vma->vm_end - addr)
+ goto Efault;
+
+- if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP)) {
+- if (new_len > old_len)
++ /* Need to be careful about a growing mapping */
++ if (new_len > old_len) {
++ unsigned long pgoff;
++
++ if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP))
+ goto Efault;
++ pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
++ pgoff += vma->vm_pgoff;
++ if (pgoff + (new_len >> PAGE_SHIFT) < pgoff)
++ goto Einval;
+ }
+
+ if (vma->vm_flags & VM_LOCKED) {
+--
+1.7.4.4
+
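Review bot: The wrap test `pgoff + (new_len >> PAGE_SHIFT) < pgoff` is easy to misread as dead code, because it relies on unsigned long arithmetic wrapping around. A one-line comment would say so, e.g. `/* unsigned wrap: the grown mapping's last page offset would overflow */`. The comment that was added, `/* Need to be careful about a growing mapping */`, does not say what the care consists of. The Efault and Einval labels and the rest of vma_to_resize are outside the hunk.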
diff --git a/queue/myri10ge-fix-rmmod-crash.patch b/queue/myri10ge-fix-rmmod-crash.patch
new file mode 100644
index 0000000..9a60378
--- /dev/null
+++ b/queue/myri10ge-fix-rmmod-crash.patch
@@ -0,0 +1,30 @@
+From 53b30ea2fcaa4768db220b59578dc18bb0c0722a Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Wed, 23 Mar 2011 02:44:30 +0000
+Subject: [PATCH] myri10ge: fix rmmod crash
+
+commit cda6587c21a887254c8ed4b58da8fcc4040ab557 upstream.
+
+Rmmod myri10ge crash at free_netdev() -> netif_napi_del(), because napi
+structures are already deallocated. To fix call netif_napi_del() before
+kfree() at myri10ge_free_slices().
+
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/net/myri10ge/myri10ge.c b/drivers/net/myri10ge/myri10ge.c
+index ecde087..649b8db6 100644
+--- a/drivers/net/myri10ge/myri10ge.c
++++ b/drivers/net/myri10ge/myri10ge.c
+@@ -3600,6 +3600,7 @@ static void myri10ge_free_slices(struct myri10ge_priv *mgp)
+ dma_free_coherent(&pdev->dev, bytes,
+ ss->fw_stats, ss->fw_stats_bus);
+ ss->fw_stats = NULL;
++ netif_napi_del(&ss->napi);
+ }
+ }
+ kfree(mgp->ss);
+--
+1.7.4.4
+
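Review bot: With the indentation lost on this page, the added `netif_napi_del(&ss->napi);` appears to sit inside the block that frees `ss->fw_stats` rather than directly in the per-slice loop. A slice that reaches this function without fw_stats allocated would then skip the call and still be registered when `kfree(mgp->ss)` runs. That is only safe if NAPI is never added for a slice without fw_stats, which the hunk does not show; the condition and the loop header are above the hunk. If that invariant does not hold in this tree, the call belongs after the closing brace of that block so it runs for every slice.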
diff --git a/queue/netfilter-ipt_CLUSTERIP-fix-buffer-overflow.patch b/queue/netfilter-ipt_CLUSTERIP-fix-buffer-overflow.patch
new file mode 100644
index 0000000..de2a888
--- /dev/null
+++ b/queue/netfilter-ipt_CLUSTERIP-fix-buffer-overflow.patch
@@ -0,0 +1,40 @@
+From 280f1015075daebfd9a77e56cbe1620e045ea05d Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Sun, 20 Mar 2011 15:42:52 +0100
+Subject: [PATCH] netfilter: ipt_CLUSTERIP: fix buffer overflow
+
+commit 961ed183a9fd080cf306c659b8736007e44065a5 upstream.
+
+'buffer' string is copied from userspace. It is not checked whether it is
+zero terminated. This may lead to overflow inside of simple_strtoul().
+Changli Gao suggested to copy not more than user supplied 'size' bytes.
+
+It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
+root writable only by default, however, on some setups permissions might be
+relaxed to e.g. network admin user.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Acked-by: Changli Gao <xiaosuo@gmail.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+index ab82840..e8bd977 100644
+--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+@@ -663,8 +663,11 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input,
+ char buffer[PROC_WRITELEN+1];
+ unsigned long nodenum;
+
+- if (copy_from_user(buffer, input, PROC_WRITELEN))
++ if (size > PROC_WRITELEN)
++ return -EIO;
++ if (copy_from_user(buffer, input, size))
+ return -EFAULT;
++ buffer[size] = 0;
+
+ if (*buffer == '+') {
+ nodenum = simple_strtoul(buffer+1, NULL, 10);
+--
+1.7.4.4
+
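Review bot: `simple_strtoul(buffer+1, NULL, 10)` on the context line after the fix still accepts input with no digits. A NULL end pointer gives no way to tell a parsed 0 from a parse failure, so a write of "+" followed by non-digits yields node number 0. Declaring a `char *end` and rejecting the write when nothing was consumed would close that, e.g. `nodenum = simple_strtoul(buffer+1, &end, 10);` followed by `if (end == buffer+1) return -EINVAL;`. The size check and `buffer[size] = 0;` themselves look right for a buffer of `PROC_WRITELEN+1`. Whether nodenum is range-checked later is not visible, since clusterip_proc_write continues outside the hunk.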
diff --git a/queue/next_pidmap-fix-overflow-condition.patch b/queue/next_pidmap-fix-overflow-condition.patch
index 428a410..d44ef3d 100644
--- a/queue/next_pidmap-fix-overflow-condition.patch
+++ b/queue/next_pidmap-fix-overflow-condition.patch
@@ -1,4 +1,4 @@
-From 249fe00b6399e3a37dfda794e440987b2ee12576 Mon Sep 17 00:00:00 2001
+From 0e717b3cde059ed0f2c9595b455ecfef4a6e4369 Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Mon, 18 Apr 2011 10:35:30 -0700
Subject: [PATCH] next_pidmap: fix overflow condition
diff --git a/queue/nfsd-fix-auth_domain-reference-leak-on-nlm-operation.patch b/queue/nfsd-fix-auth_domain-reference-leak-on-nlm-operation.patch
new file mode 100644
index 0000000..bf86027
--- /dev/null
+++ b/queue/nfsd-fix-auth_domain-reference-leak-on-nlm-operation.patch
@@ -0,0 +1,35 @@
+From 091fc1ba91f42e520ca179dc0aaa814d3dcffb19 Mon Sep 17 00:00:00 2001
+From: J. Bruce Fields <bfields@redhat.com>
+Date: Thu, 24 Mar 2011 22:51:14 -0400
+Subject: [PATCH] nfsd: fix auth_domain reference leak on nlm operations
+
+commit 954032d2527f2fce7355ba70709b5e143d6b686f upstream.
+
+This was noticed by users who performed more than 2^32 lock operations
+and hence made this counter overflow (eventually leading to
+use-after-free's). Setting rq_client to NULL here means that it won't
+later get auth_domain_put() when it should be.
+
+Appears to have been introduced in 2.5.42 by "[PATCH] kNFSd: Move auth
+domain lookup into svcauth" which moved most of the rq_client handling
+to common svcauth code, but left behind this one line.
+
+Cc: Neil Brown <neilb@suse.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/nfsd/lockd.c b/fs/nfsd/lockd.c
+index 0c6d816..7c831a2 100644
+--- a/fs/nfsd/lockd.c
++++ b/fs/nfsd/lockd.c
+@@ -38,7 +38,6 @@ nlm_fopen(struct svc_rqst *rqstp, struct nfs_fh *f, struct file **filp)
+ exp_readlock();
+ nfserr = nfsd_open(rqstp, &fh, S_IFREG, NFSD_MAY_LOCK, filp);
+ fh_put(&fh);
+- rqstp->rq_client = NULL;
+ exp_readunlock();
+ /* We return nlm error codes as nlm doesn't know
+ * about nfsd, but nfsd does know about nlm..
+--
+1.7.4.4
+
diff --git a/queue/nilfs2-fix-data-loss-in-mmap-page-write-for-hole-blo.patch b/queue/nilfs2-fix-data-loss-in-mmap-page-write-for-hole-blo.patch
new file mode 100644
index 0000000..a66a914
--- /dev/null
+++ b/queue/nilfs2-fix-data-loss-in-mmap-page-write-for-hole-blo.patch
@@ -0,0 +1,79 @@
+From 59365cf8d8c42f6426ddaef5e87a31e0d6718139 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Sun, 27 Mar 2011 22:50:49 +0900
+Subject: [PATCH] nilfs2: fix data loss in mmap page write for hole blocks
+
+commit 34094537943113467faee98fe67c8a3d3f9a0a8b upstream.
+
+From the result of a function test of mmap, mmap write to shared pages
+turned out to be broken for hole blocks. It doesn't write out filled
+blocks and the data will be lost after umount. This is due to a bug
+that the target file is not queued for log writer when filling hole
+blocks.
+
+Also, nilfs_page_mkwrite function exits normal code path even after
+successfully filled hole blocks due to a change of block_page_mkwrite
+function; just after nilfs was merged into the mainline,
+block_page_mkwrite() started to return VM_FAULT_LOCKED instead of zero
+by the patch "mm: close page_mkwrite races" (commit:
+b827e496c893de0c). The current nilfs_page_mkwrite() is not handling
+this value properly.
+
+This corrects nilfs_page_mkwrite() and will resolve the data loss
+problem in mmap write.
+
+[This should be applied to every kernel since 2.6.30 but a fix is
+ needed for 2.6.37 and prior kernels]
+
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Tested-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/nilfs2/file.c b/fs/nilfs2/file.c
+index 30292df..e5cf985 100644
+--- a/fs/nilfs2/file.c
++++ b/fs/nilfs2/file.c
+@@ -72,10 +72,9 @@ static int nilfs_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf)
+ /*
+ * check to see if the page is mapped already (no holes)
+ */
+- if (PageMappedToDisk(page)) {
+- unlock_page(page);
++ if (PageMappedToDisk(page))
+ goto mapped;
+- }
++
+ if (page_has_buffers(page)) {
+ struct buffer_head *bh, *head;
+ int fully_mapped = 1;
+@@ -90,7 +89,6 @@ static int nilfs_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf)
+
+ if (fully_mapped) {
+ SetPageMappedToDisk(page);
+- unlock_page(page);
+ goto mapped;
+ }
+ }
+@@ -105,16 +103,17 @@ static int nilfs_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf)
+ return VM_FAULT_SIGBUS;
+
+ ret = block_page_mkwrite(vma, vmf, nilfs_get_block);
+- if (unlikely(ret)) {
++ if (ret != VM_FAULT_LOCKED) {
+ nilfs_transaction_abort(inode->i_sb);
+ return ret;
+ }
++ nilfs_set_file_dirty(inode, 1 << (PAGE_SHIFT - inode->i_blkbits));
+ nilfs_transaction_commit(inode->i_sb);
+
+ mapped:
+ SetPageChecked(page);
+ wait_on_page_writeback(page);
+- return 0;
++ return VM_FAULT_LOCKED;
+ }
+
+ static const struct vm_operations_struct nilfs_file_vm_ops = {
+--
+1.7.4.4
+
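Review bot: The added call `nilfs_set_file_dirty(inode, 1 << (PAGE_SHIFT - inode->i_blkbits));` is carried over in its upstream form, while the message's own bracketed note says a fix is needed for 2.6.37 and prior kernels, and this queue targets 2.6.34. The prototype in this tree should be checked before the patch is applied. If it still takes the nilfs_sb_info as its first argument, the call would need to become something like `nilfs_set_file_dirty(NILFS_SB(inode->i_sb), inode, 1 << (PAGE_SHIFT - inode->i_blkbits));`. The return value of the call is also dropped, so a failure to queue the file would go unreported while the transaction is still committed.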
diff --git a/queue/p54usb-IDs-for-two-new-devices.patch b/queue/p54usb-IDs-for-two-new-devices.patch
new file mode 100644
index 0000000..7df1250
--- /dev/null
+++ b/queue/p54usb-IDs-for-two-new-devices.patch
@@ -0,0 +1,35 @@
+From 5f366de5145a8c4f01378210b6a50b7039d63165 Mon Sep 17 00:00:00 2001
+From: Christian Lamparter <chunkeey@googlemail.com>
+Date: Sat, 2 Apr 2011 11:31:29 +0200
+Subject: [PATCH] p54usb: IDs for two new devices
+
+commit 220107610c7c2c9703e09eb363e8ab31025b9315 upstream.
+
+Reported-by: Mark Davis [via p54/devices wiki]
+Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/net/wireless/p54/p54usb.c b/drivers/net/wireless/p54/p54usb.c
+index 9a57d14..3317906d 100644
+--- a/drivers/net/wireless/p54/p54usb.c
++++ b/drivers/net/wireless/p54/p54usb.c
+@@ -56,6 +56,7 @@ static struct usb_device_id p54u_table[] __devinitdata = {
+ {USB_DEVICE(0x0846, 0x4210)}, /* Netgear WG121 the second ? */
+ {USB_DEVICE(0x0846, 0x4220)}, /* Netgear WG111 */
+ {USB_DEVICE(0x09aa, 0x1000)}, /* Spinnaker Proto board */
++ {USB_DEVICE(0x0bf8, 0x1007)}, /* Fujitsu E-5400 USB */
+ {USB_DEVICE(0x0cde, 0x0006)}, /* Medion 40900, Roper Europe */
+ {USB_DEVICE(0x0db0, 0x6826)}, /* MSI UB54G (MS-6826) */
+ {USB_DEVICE(0x107b, 0x55f2)}, /* Gateway WGU-210 (Gemtek) */
+@@ -68,6 +69,7 @@ static struct usb_device_id p54u_table[] __devinitdata = {
+ {USB_DEVICE(0x1915, 0x2235)}, /* Linksys WUSB54G Portable OEM */
+ {USB_DEVICE(0x2001, 0x3701)}, /* DLink DWL-G120 Spinnaker */
+ {USB_DEVICE(0x2001, 0x3703)}, /* DLink DWL-G122 */
++ {USB_DEVICE(0x2001, 0x3762)}, /* Conceptronic C54U */
+ {USB_DEVICE(0x5041, 0x2234)}, /* Linksys WUSB54G */
+ {USB_DEVICE(0x5041, 0x2235)}, /* Linksys WUSB54G Portable */
+
+--
+1.7.4.4
+
diff --git a/queue/perf-Better-fit-max-unprivileged-mlock-pages-for-too.patch b/queue/perf-Better-fit-max-unprivileged-mlock-pages-for-too.patch
new file mode 100644
index 0000000..a3219f3
--- /dev/null
+++ b/queue/perf-Better-fit-max-unprivileged-mlock-pages-for-too.patch
@@ -0,0 +1,55 @@
+From b15ba5651de0a659eb13be179a0967e9bc194f4e Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <fweisbec@gmail.com>
+Date: Wed, 23 Mar 2011 19:29:39 +0100
+Subject: [PATCH] perf: Better fit max unprivileged mlock pages for tools
+ needs
+
+commit 880f57318450dbead6a03f9e31a1468924d6dd88 upstream.
+
+The maximum kilobytes of locked memory that an unprivileged user
+can reserve is of 512 kB = 128 pages by default, scaled to the
+number of onlined CPUs, which fits well with the tools that use
+128 data pages by default.
+
+However tools actually use 129 pages, because they need one more
+for the user control page. Thus the default mlock threshold is
+not sufficient for the default tools needs and we always end up
+to evaluate the constant mlock rlimit policy, which doesn't have
+this scaling with the number of online CPUs.
+
+Hence, on systems that have more than 16 CPUs, we overlap the
+rlimit threshold and fail to mmap:
+
+ $ perf record ls
+ Error: failed to mmap with 1 (Operation not permitted)
+
+Just increase the max unprivileged mlock threshold by one page
+so that it supports well perf tools even after 16 CPUs.
+
+Reported-by: Han Pingtian <phan@redhat.com>
+Reported-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Reported-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
+Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Stephane Eranian <eranian@google.com>
+LKML-Reference: <1300904979-5508-1-git-send-email-fweisbec@gmail.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/kernel/perf_event.c b/kernel/perf_event.c
+index 2357b19..b203546 100644
+--- a/kernel/perf_event.c
++++ b/kernel/perf_event.c
+@@ -57,7 +57,8 @@ static atomic_t nr_task_events __read_mostly;
+ */
+ int sysctl_perf_event_paranoid __read_mostly = 1;
+
+-int sysctl_perf_event_mlock __read_mostly = 512; /* 'free' kb per user */
++/* Minimum for 128 pages + 1 for the user control page */
++int sysctl_perf_event_mlock __read_mostly = 516; /* 'free' kb per user */
+
+ /*
+ * max perf event sample rate
+--
+1.7.4.4
+
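Review bot: The new default `516` hard-codes a 4 kB page size. The comment says 128 pages plus one control page, but on a configuration with larger pages one extra page is more than 4 kB and the limit falls short again. Deriving the extra page from the page size keeps the intent, e.g. `int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024);`. The added comment could also name the unit (kB) so the arithmetic can be checked at a glance.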
diff --git a/queue/proc-do-proper-range-check-on-readdir-offset.patch b/queue/proc-do-proper-range-check-on-readdir-offset.patch
index 1346062..a2bc859 100644
--- a/queue/proc-do-proper-range-check-on-readdir-offset.patch
+++ b/queue/proc-do-proper-range-check-on-readdir-offset.patch
@@ -1,4 +1,4 @@
-From 1ee957483ba1e383e7eb511ac500febc8f020968 Mon Sep 17 00:00:00 2001
+From e8a9c416617d128cae080fe26d3318f1cfebdbca Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Mon, 18 Apr 2011 10:36:54 -0700
Subject: [PATCH] proc: do proper range check on readdir offset
diff --git a/queue/quota-Don-t-write-quota-info-in-dquot_commit.patch b/queue/quota-Don-t-write-quota-info-in-dquot_commit.patch
new file mode 100644
index 0000000..ecb60e3
--- /dev/null
+++ b/queue/quota-Don-t-write-quota-info-in-dquot_commit.patch
@@ -0,0 +1,57 @@
+From 7034996f2fb03cb04d499a1bf4ea8a038b4049b2 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 31 Mar 2011 18:36:52 +0200
+Subject: [PATCH] quota: Don't write quota info in dquot_commit()
+
+commit b03f24567ce7caf2420b8be4c6eb74c191d59a91 upstream.
+
+There's no reason to write quota info in dquot_commit(). The writing is a
+relict from the old days when we didn't have dquot_acquire() and
+dquot_release() and thus dquot_commit() could have created / removed quota
+structures from the file. These days dquot_commit() only updates usage counters
+/ limits in quota structure and thus there's no need to write quota info.
+
+This also fixes an issue with journaling filesystem which didn't reserve
+enough space in the transaction for write of quota info (it could have been
+dirty at the time of dquot_commit() because of a race with other operation
+changing it).
+
+Reported-and-tested-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index 788b580..0d465c7 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -411,7 +411,7 @@ EXPORT_SYMBOL(dquot_acquire);
+ */
+ int dquot_commit(struct dquot *dquot)
+ {
+- int ret = 0, ret2 = 0;
++ int ret = 0;
+ struct quota_info *dqopt = sb_dqopt(dquot->dq_sb);
+
+ mutex_lock(&dqopt->dqio_mutex);
+@@ -423,15 +423,10 @@ int dquot_commit(struct dquot *dquot)
+ spin_unlock(&dq_list_lock);
+ /* Inactive dquot can be only if there was error during read/init
+ * => we have better not writing it */
+- if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) {
++ if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags))
+ ret = dqopt->ops[dquot->dq_type]->commit_dqblk(dquot);
+- if (info_dirty(&dqopt->info[dquot->dq_type])) {
+- ret2 = dqopt->ops[dquot->dq_type]->write_file_info(
+- dquot->dq_sb, dquot->dq_type);
+- }
+- if (ret >= 0)
+- ret = ret2;
+- }
++ else
++ ret = -EIO;
+ out_sem:
+ mutex_unlock(&dqopt->dqio_mutex);
+ return ret;
+--
+1.7.4.4
+
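Review bot: Besides dropping the write_file_info() call, the new `else ret = -EIO;` branch changes what dquot_commit() returns for an inactive dquot from 0 to an error, which the message does not mention. Callers that treated a skipped write as success will now see a failure, so the backport should confirm this is wanted on this tree. The existing comment above the test only explains why the write is skipped; it could be extended with `and report -EIO to the caller`.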
diff --git a/queue/repair-gdbstub-to-match-the-gdbserial-protocol-speci.patch b/queue/repair-gdbstub-to-match-the-gdbserial-protocol-speci.patch
new file mode 100644
index 0000000..c0d396b
--- /dev/null
+++ b/queue/repair-gdbstub-to-match-the-gdbserial-protocol-speci.patch
@@ -0,0 +1,55 @@
+From fac4481dee3b5e85504fc776cfd38ffd9897590d Mon Sep 17 00:00:00 2001
+From: Jason Wessel <jason.wessel@windriver.com>
+Date: Wed, 21 Jul 2010 19:27:05 -0500
+Subject: [PATCH] repair gdbstub to match the gdbserial protocol specification
+
+commit fb82c0ff27b2c40c6f7a3d1a94cafb154591fa80 upstream.
+
+The gdbserial protocol handler should return an empty packet instead
+of an error string when ever it responds to a command it does not
+implement.
+
+The problem cases come from a debugger client sending
+qTBuffer, qTStatus, qSearch, qSupported.
+
+The incorrect response from the gdbstub leads the debugger clients to
+not function correctly. Recent versions of gdb will not detach correctly as a result of this behavior.
+
+[PG: file renamed by time of fb82c0ff kgdb.c --> debug/gdbstub.c]
+
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Dongdong Deng <dongdong.deng@windriver.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/kernel/kgdb.c b/kernel/kgdb.c
+index 11f3515..0887213 100644
+--- a/kernel/kgdb.c
++++ b/kernel/kgdb.c
+@@ -976,10 +976,8 @@ static void gdb_cmd_query(struct kgdb_state *ks)
+ switch (remcom_in_buffer[1]) {
+ case 's':
+ case 'f':
+- if (memcmp(remcom_in_buffer + 2, "ThreadInfo", 10)) {
+- error_packet(remcom_out_buffer, -EINVAL);
++ if (memcmp(remcom_in_buffer + 2, "ThreadInfo", 10))
+ break;
+- }
+
+ i = 0;
+ remcom_out_buffer[0] = 'm';
+@@ -1020,10 +1018,9 @@ static void gdb_cmd_query(struct kgdb_state *ks)
+ pack_threadid(remcom_out_buffer + 2, thref);
+ break;
+ case 'T':
+- if (memcmp(remcom_in_buffer + 1, "ThreadExtraInfo,", 16)) {
+- error_packet(remcom_out_buffer, -EINVAL);
++ if (memcmp(remcom_in_buffer + 1, "ThreadExtraInfo,", 16))
+ break;
+- }
++
+ ks->threadid = 0;
+ ptr = remcom_in_buffer + 17;
+ kgdb_hex2long(&ptr, &ks->threadid);
+--
+1.7.4.4
+
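Review bot: After this change the two bare `break` statements are the unsupported-query path, and they produce an empty reply only if `remcom_out_buffer` is already empty when gdb_cmd_query() is entered, which these hunks do not show. A comment at each break would record that dependency, e.g. `/* unknown query: leave remcom_out_buffer empty, as the remote protocol expects */`. Without it, a later change that pre-fills the buffer would silently bring back a non-empty reply. The switch and the function body continue outside both hunks.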
diff --git a/queue/series b/queue/series
index edfc310..5a535d7 100644
--- a/queue/series
+++ b/queue/series
@@ -4,6 +4,60 @@ PCI-hotplug-acpiphp-set-current_state-to-D0-in-regis.patch
shmem-let-shared-anonymous-be-nonlinear-again.patch
aio-wake-all-waiters-when-destroying-ctx.patch
+# Content taken from v2.6.32.37
+ALSA-hda-Fix-SPDIF-out-regression-on-ALC889.patch
+ALSA-Fix-yet-another-race-in-disconnection.patch
+perf-Better-fit-max-unprivileged-mlock-pages-for-too.patch
+myri10ge-fix-rmmod-crash.patch
+cciss-fix-lost-command-issue.patch
+sound-oss-opl3-validate-voice-and-channel-indexes.patch
+mac80211-initialize-sta-last_rx-in-sta_info_alloc.patch
+ses-show-devices-for-enclosures-with-no-page-7.patch
+ses-Avoid-kernel-panic-when-lun-0-is-not-mapped.patch
+eCryptfs-Unlock-page-in-write_begin-error-path.patch
+eCryptfs-ecryptfs_keyring_auth_tok_for_sig-bug-fix.patch
+staging-usbip-bugfixes-related-to-kthread-conversion.patch
+staging-usbip-bugfix-add-number-of-packets-for-isoch.patch
+staging-usbip-bugfix-for-isochronous-packets-and-opt.patch
+staging-hv-Fix-GARP-not-sent-after-Quick-Migration.patch
+staging-hv-use-sync_bitops-when-interacting-with-the.patch
+irda-validate-peer-name-and-attribute-lengths.patch
+irda-prevent-heap-corruption-on-invalid-nickname.patch
+nilfs2-fix-data-loss-in-mmap-page-write-for-hole-blo.patch
+ASoC-Explicitly-say-registerless-widgets-have-no-reg.patch
+ALSA-ens1371-fix-Creative-Ectiva-support.patch
+ROSE-prevent-heap-corruption-with-bad-facilities.patch
+Btrfs-Fix-uninitialized-root-flags-for-subvolumes.patch
+x86-mtrr-pat-Fix-one-cpu-getting-out-of-sync-during-.patch
+ath9k-fix-a-chip-wakeup-related-crash-in-ath9k_start.patch
+UBIFS-do-not-read-flash-unnecessarily.patch
+UBIFS-fix-oops-on-error-path-in-read_pnode.patch
+UBIFS-fix-debugging-failure-in-dbg_check_space_info.patch
+quota-Don-t-write-quota-info-in-dquot_commit.patch
+mm-avoid-wrapping-vm_pgoff-in-mremap.patch
+p54usb-IDs-for-two-new-devices.patch
+b43-allocate-receive-buffers-big-enough-for-max-fram.patch
+Bluetooth-add-support-for-Apple-MacBook-Pro-8-2.patch
+Treat-writes-as-new-when-holes-span-across-page-boun.patch
+char-tpm-Fix-unitialized-usage-of-data-buffer.patch
+netfilter-ipt_CLUSTERIP-fix-buffer-overflow.patch
+mfd-ab3100-world-writable-debugfs-_priv-files.patch
+drivers-rtc-rtc-ds1511.c-world-writable-sysfs-nvram-.patch
+drivers-misc-ep93xx_pwm.c-world-writable-sysfs-files.patch
+sound-oss-remove-offset-from-load_patch-callbacks.patch
+sound-oss-midi_synth-check-get_user-return-value.patch
+repair-gdbstub-to-match-the-gdbserial-protocol-speci.patch
+gro-Reset-dev-pointer-on-reuse.patch
+gro-reset-skb_iif-on-reuse.patch
+x86-microcode-AMD-Extend-ucode-size-verification.patch
+Squashfs-handle-corruption-of-directory-structure.patch
+atm-solos-pci-Don-t-include-frame-pseudo-header-on-t.patch
+ext4-fix-credits-computing-for-indirect-mapped-files.patch
+nfsd-fix-auth_domain-reference-leak-on-nlm-operation.patch
+exec-copy-and-paste-the-fixes-into-compat_do_execve-.patch
+
+# Content taken from v2.6.32.38
+
# Content taken from v2.6.32.39
# Content taken from v2.6.32.40
diff --git a/queue/ses-Avoid-kernel-panic-when-lun-0-is-not-mapped.patch b/queue/ses-Avoid-kernel-panic-when-lun-0-is-not-mapped.patch
new file mode 100644
index 0000000..2adcd4e
--- /dev/null
+++ b/queue/ses-Avoid-kernel-panic-when-lun-0-is-not-mapped.patch
@@ -0,0 +1,44 @@
+From 05aaff08e0b3259cfdd6b050ba2a6d64837bef20 Mon Sep 17 00:00:00 2001
+From: Krishnasamy, Somasundaram <Somasundaram.Krishnasamy@lsi.com>
+Date: Mon, 28 Feb 2011 18:13:22 -0500
+Subject: [PATCH] ses: Avoid kernel panic when lun 0 is not mapped
+
+commit d1e12de804f9d8ad114786ca7c2ce593cba79891 upstream.
+
+During device discovery, scsi mid layer sends INQUIRY command to LUN
+0. If the LUN 0 is not mapped to host, it creates a temporary
+scsi_device with LUN id 0 and sends REPORT_LUNS command to it. After
+the REPORT_LUNS succeeds, it walks through the LUN table and adds each
+LUN found to sysfs. At the end of REPORT_LUNS lun table scan, it will
+delete the temporary scsi_device of LUN 0.
+
+When scsi devices are added to sysfs, it calls add_dev function of all
+the registered class interfaces. If ses driver has been registered,
+ses_intf_add() of ses module will be called. This function calls
+scsi_device_enclosure() to check the inquiry data for EncServ
+bit. Since inquiry was not allocated for temporary LUN 0 scsi_device,
+it will cause NULL pointer exception.
+
+To fix the problem, sdev->inquiry is checked for NULL before reading it.
+
+Signed-off-by: Somasundaram Krishnasamy <Somasundaram.Krishnasamy@lsi.com>
+Signed-off-by: Babu Moger <babu.moger@lsi.com>
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
+index d80b6db..558fa2f 100644
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -451,7 +451,7 @@ static inline int scsi_device_qas(struct scsi_device *sdev)
+ }
+ static inline int scsi_device_enclosure(struct scsi_device *sdev)
+ {
+- return sdev->inquiry[6] & (1<<6);
++ return sdev->inquiry ? (sdev->inquiry[6] & (1<<6)) : 1;
+ }
+
+ static inline int scsi_device_protection(struct scsi_device *sdev)
+--
+1.7.4.4
+
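Review bot: When `sdev->inquiry` is NULL the new expression returns 1, so a device with no inquiry data at all is reported as having the EncServ bit set. The message explains the NULL check but not that choice of default. If the intent is that such a device is examined further by the caller rather than skipped, a comment should say so, e.g. `/* no inquiry data: report enclosure services and let the caller decide */`; if not, 0 looks like the safer fallback. The callers are outside this hunk, so which reading is right cannot be told from here.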
diff --git a/queue/ses-show-devices-for-enclosures-with-no-page-7.patch b/queue/ses-show-devices-for-enclosures-with-no-page-7.patch
new file mode 100644
index 0000000..12f8ce9
--- /dev/null
+++ b/queue/ses-show-devices-for-enclosures-with-no-page-7.patch
@@ -0,0 +1,36 @@
+From 58e29022f3481fcc6b0dff6bf47591ad65f2d404 Mon Sep 17 00:00:00 2001
+From: John Hughes <john@Calva.COM>
+Date: Wed, 4 Nov 2009 19:01:22 +0100
+Subject: [PATCH] ses: show devices for enclosures with no page 7
+
+commit 877a55979c189c590e819a61cbbe2b7947875f17 upstream.
+
+enclosure page 7 gives us the "pretty" names of the enclosure slots.
+Without a page 7, we can still use the enclosure code as long as we
+make up numeric names for the slots. Unfortunately, the current code
+fails to add any devices because the check for page 10 is in the wrong
+place if we have no page 7. Fix it so that devices show up even if
+the enclosure has no page 7.
+
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
+index 7f5a6a8..3b00e90 100644
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -390,9 +390,9 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
+ len = (desc_ptr[2] << 8) + desc_ptr[3];
+ /* skip past overall descriptor */
+ desc_ptr += len + 4;
+- if (ses_dev->page10)
+- addl_desc_ptr = ses_dev->page10 + 8;
+ }
++ if (ses_dev->page10)
++ addl_desc_ptr = ses_dev->page10 + 8;
+ type_ptr = ses_dev->page1 + 12 + ses_dev->page1[11];
+ components = 0;
+ for (i = 0; i < types; i++, type_ptr += 4) {
+--
+1.7.4.4
+
diff --git a/queue/shmem-let-shared-anonymous-be-nonlinear-again.patch b/queue/shmem-let-shared-anonymous-be-nonlinear-again.patch
index 0c1e8fb..ca55bf6 100644
--- a/queue/shmem-let-shared-anonymous-be-nonlinear-again.patch
+++ b/queue/shmem-let-shared-anonymous-be-nonlinear-again.patch
@@ -1,4 +1,4 @@
-From b301ec1451b25a610e8b090d17f959ff5aab63af Mon Sep 17 00:00:00 2001
+From 9d54973da4979fc15ed88af5b0216e7624ca3a29 Mon Sep 17 00:00:00 2001
From: Hugh Dickins <hughd@google.com>
Date: Tue, 22 Mar 2011 16:33:43 -0700
Subject: [PATCH] shmem: let shared anonymous be nonlinear again
diff --git a/queue/sound-oss-midi_synth-check-get_user-return-value.patch b/queue/sound-oss-midi_synth-check-get_user-return-value.patch
new file mode 100644
index 0000000..8b94011
--- /dev/null
+++ b/queue/sound-oss-midi_synth-check-get_user-return-value.patch
@@ -0,0 +1,31 @@
+From 86bdcc2d7fa012efd4528b1213e864d3e0cde772 Mon Sep 17 00:00:00 2001
+From: Kulikov Vasiliy <segooon@gmail.com>
+Date: Wed, 28 Jul 2010 20:41:17 +0400
+Subject: [PATCH] sound: oss: midi_synth: check get_user() return value
+
+commit b3390ceab95601afc12213c3ec5551d3bc7b638f upstream.
+
+get_user() may fail, if so return -EFAULT.
+
+Signed-off-by: Kulikov Vasiliy <segooon@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/sound/oss/midi_synth.c b/sound/oss/midi_synth.c
+index 11685f1..2292c23 100644
+--- a/sound/oss/midi_synth.c
++++ b/sound/oss/midi_synth.c
+@@ -519,7 +519,9 @@ midi_synth_load_patch(int dev, int format, const char __user *addr,
+ {
+ unsigned char data;
+
+- get_user(*(unsigned char *) &data, (unsigned char __user *) &((addr)[hdr_size + i]));
++ if (get_user(data,
++ (unsigned char __user *)(addr + hdr_size + i)))
++ return -EFAULT;
+
+ eox_seen = (i > 0 && data & 0x80); /* End of sysex */
+
+--
+1.7.4.4
+
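Review bot: The new `return -EFAULT` in sound/oss/midi_synth.c leaves midi_synth_load_patch() from inside the per-byte loop, so a fault at `i > 0` returns after earlier bytes of the sysex message may already have been handed on. The hunk does not show what follows the loop; if that code terminates an unfinished message when `eox_seen` is false, the error path should do the same before returning. Either way the early exit deserves a comment such as `/* fault mid-message: earlier bytes may already have been sent */`. The loop body and the rest of the function continue outside the hunk.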
diff --git a/queue/sound-oss-opl3-validate-voice-and-channel-indexes.patch b/queue/sound-oss-opl3-validate-voice-and-channel-indexes.patch
new file mode 100644
index 0000000..6fd056a
--- /dev/null
+++ b/queue/sound-oss-opl3-validate-voice-and-channel-indexes.patch
@@ -0,0 +1,51 @@
+From acfa07e05a5e3b58acf8c2fdacec98b5428592b1 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Wed, 23 Mar 2011 11:42:57 -0400
+Subject: [PATCH] sound/oss/opl3: validate voice and channel indexes
+
+commit 4d00135a680727f6c3be78f8befaac009030e4df upstream.
+
+User-controllable indexes for voice and channel values may cause reading
+and writing beyond the bounds of their respective arrays, leading to
+potentially exploitable memory corruption. Validate these indexes.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c
+index 938c48c..f4ffdff 100644
+--- a/sound/oss/opl3.c
++++ b/sound/oss/opl3.c
+@@ -849,6 +849,10 @@ static int opl3_load_patch(int dev, int format, const char __user *addr,
+
+ static void opl3_panning(int dev, int voice, int value)
+ {
++
++ if (voice < 0 || voice >= devc->nr_voice)
++ return;
++
+ devc->voc[voice].panning = value;
+ }
+
+@@ -1066,8 +1070,15 @@ static int opl3_alloc_voice(int dev, int chn, int note, struct voice_alloc_info
+
+ static void opl3_setup_voice(int dev, int voice, int chn)
+ {
+- struct channel_info *info =
+- &synth_devs[dev]->chn_info[chn];
++ struct channel_info *info;
++
++ if (voice < 0 || voice >= devc->nr_voice)
++ return;
++
++ if (chn < 0 || chn > 15)
++ return;
++
++ info = &synth_devs[dev]->chn_info[chn];
+
+ opl3_set_instr(dev, voice, info->pgm_num);
+
+--
+1.7.4.4
+
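Review bot: The channel check in opl3_setup_voice(), `if (chn < 0 || chn > 15)`, hard-codes the upper bound instead of deriving it from the array it protects, so it goes stale silently if `chn_info` is ever resized. Assuming `chn_info` is a fixed-size array member, `if (chn < 0 || chn >= ARRAY_SIZE(synth_devs[dev]->chn_info))` keeps the guard tied to the declaration. `dev` itself is still used unchecked to index `synth_devs[]`; whether callers guarantee a valid `dev` is not visible in these hunks. The blank line added directly after the opening brace of opl3_panning() can go.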
diff --git a/queue/sound-oss-remove-offset-from-load_patch-callbacks.patch b/queue/sound-oss-remove-offset-from-load_patch-callbacks.patch
new file mode 100644
index 0000000..912525e
--- /dev/null
+++ b/queue/sound-oss-remove-offset-from-load_patch-callbacks.patch
@@ -0,0 +1,155 @@
+From 59310ca797348ab935d4cd1986e2bbbfd5fe3597 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Wed, 23 Mar 2011 10:53:41 -0400
+Subject: [PATCH] sound/oss: remove offset from load_patch callbacks
+
+commit b769f49463711205d57286e64cf535ed4daf59e9 upstream.
+
+Was: [PATCH] sound/oss/midi_synth: prevent underflow, use of
+uninitialized value, and signedness issue
+
+The offset passed to midi_synth_load_patch() can be essentially
+arbitrary. If it's greater than the header length, this will result in
+a copy_from_user(dst, src, negative_val). While this will just return
+-EFAULT on x86, on other architectures this may cause memory corruption.
+Additionally, the length field of the sysex_info structure may not be
+initialized prior to its use. Finally, a signed comparison may result
+in an unintentionally large loop.
+
+On suggestion by Takashi Iwai, version two removes the offset argument
+from the load_patch callbacks entirely, which also resolves similar
+issues in opl3. Compile tested only.
+
+v3 adjusts comments and hopefully gets copy offsets right.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/sound/oss/dev_table.h b/sound/oss/dev_table.h
+index b7617be..0199a31 100644
+--- a/sound/oss/dev_table.h
++++ b/sound/oss/dev_table.h
+@@ -271,7 +271,7 @@ struct synth_operations
+ void (*reset) (int dev);
+ void (*hw_control) (int dev, unsigned char *event);
+ int (*load_patch) (int dev, int format, const char __user *addr,
+- int offs, int count, int pmgr_flag);
++ int count, int pmgr_flag);
+ void (*aftertouch) (int dev, int voice, int pressure);
+ void (*controller) (int dev, int voice, int ctrl_num, int value);
+ void (*panning) (int dev, int voice, int value);
+diff --git a/sound/oss/midi_synth.c b/sound/oss/midi_synth.c
+index 3bc7104..11685f1 100644
+--- a/sound/oss/midi_synth.c
++++ b/sound/oss/midi_synth.c
+@@ -476,7 +476,7 @@ EXPORT_SYMBOL(midi_synth_hw_control);
+
+ int
+ midi_synth_load_patch(int dev, int format, const char __user *addr,
+- int offs, int count, int pmgr_flag)
++ int count, int pmgr_flag)
+ {
+ int orig_dev = synth_devs[dev]->midi_dev;
+
+@@ -491,33 +491,29 @@ midi_synth_load_patch(int dev, int format, const char __user *addr,
+ if (!prefix_cmd(orig_dev, 0xf0))
+ return 0;
+
++ /* Invalid patch format */
+ if (format != SYSEX_PATCH)
+- {
+-/* printk("MIDI Error: Invalid patch format (key) 0x%x\n", format);*/
+ return -EINVAL;
+- }
++
++ /* Patch header too short */
+ if (count < hdr_size)
+- {
+-/* printk("MIDI Error: Patch header too short\n");*/
+ return -EINVAL;
+- }
++
+ count -= hdr_size;
+
+ /*
+- * Copy the header from user space but ignore the first bytes which have
+- * been transferred already.
++ * Copy the header from user space
+ */
+
+- if(copy_from_user(&((char *) &sysex)[offs], &(addr)[offs], hdr_size - offs))
++ if (copy_from_user(&sysex, addr, hdr_size))
+ return -EFAULT;
+-
+- if (count < sysex.len)
+- {
+-/* printk(KERN_WARNING "MIDI Warning: Sysex record too short (%d<%d)\n", count, (int) sysex.len);*/
++
++ /* Sysex record too short */
++ if ((unsigned)count < (unsigned)sysex.len)
+ sysex.len = count;
+- }
+- left = sysex.len;
+- src_offs = 0;
++
++ left = sysex.len;
++ src_offs = 0;
+
+ for (i = 0; i < left && !signal_pending(current); i++)
+ {
+diff --git a/sound/oss/midi_synth.h b/sound/oss/midi_synth.h
+index 6bc9d00..b64ddd6 100644
+--- a/sound/oss/midi_synth.h
++++ b/sound/oss/midi_synth.h
+@@ -8,7 +8,7 @@ int midi_synth_open (int dev, int mode);
+ void midi_synth_close (int dev);
+ void midi_synth_hw_control (int dev, unsigned char *event);
+ int midi_synth_load_patch (int dev, int format, const char __user * addr,
+- int offs, int count, int pmgr_flag);
++ int count, int pmgr_flag);
+ void midi_synth_panning (int dev, int channel, int pressure);
+ void midi_synth_aftertouch (int dev, int channel, int pressure);
+ void midi_synth_controller (int dev, int channel, int ctrl_num, int value);
+diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c
+index f4ffdff..407cd67 100644
+--- a/sound/oss/opl3.c
++++ b/sound/oss/opl3.c
+@@ -820,7 +820,7 @@ static void opl3_hw_control(int dev, unsigned char *event)
+ }
+
+ static int opl3_load_patch(int dev, int format, const char __user *addr,
+- int offs, int count, int pmgr_flag)
++ int count, int pmgr_flag)
+ {
+ struct sbi_instrument ins;
+
+@@ -830,11 +830,7 @@ static int opl3_load_patch(int dev, int format, const char __user *addr,
+ return -EINVAL;
+ }
+
+- /*
+- * What the fuck is going on here? We leave junk in the beginning
+- * of ins and then check the field pretty close to that beginning?
+- */
+- if(copy_from_user(&((char *) &ins)[offs], addr + offs, sizeof(ins) - offs))
++ if (copy_from_user(&ins, addr, sizeof(ins)))
+ return -EFAULT;
+
+ if (ins.channel < 0 || ins.channel >= SBFM_MAXINSTR)
+diff --git a/sound/oss/sequencer.c b/sound/oss/sequencer.c
+index e85789e..a0072a9 100644
+--- a/sound/oss/sequencer.c
++++ b/sound/oss/sequencer.c
+@@ -241,7 +241,7 @@ int sequencer_write(int dev, struct file *file, const char __user *buf, int coun
+ return -ENXIO;
+
+ fmt = (*(short *) &event_rec[0]) & 0xffff;
+- err = synth_devs[dev]->load_patch(dev, fmt, buf, p + 4, c, 0);
++ err = synth_devs[dev]->load_patch(dev, fmt, buf + p, c, 0);
+ if (err < 0)
+ return err;
+
+--
+1.7.4.4
+
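Review bot: In sound/oss/sequencer.c the call becomes `load_patch(dev, fmt, buf + p, c, 0)`, and both midi_synth_load_patch() and opl3_load_patch() now copy the whole header again from user space, while `fmt` was taken from the earlier `event_rec` copy. The validated format and the format bytes at the start of the freshly copied `sysex` / `ins` are therefore two separate reads of user memory and need not agree. Code after the copy should rely on the `format` argument only, and a comment at each copy such as `/* header is re-read from user space; trust 'format', not the copied key bytes */` would make that explicit. Whether the copied field is consulted later is not visible here, since both function bodies continue outside the hunks.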
diff --git a/queue/staging-hv-Fix-GARP-not-sent-after-Quick-Migration.patch b/queue/staging-hv-Fix-GARP-not-sent-after-Quick-Migration.patch
new file mode 100644
index 0000000..6c53f62
--- /dev/null
+++ b/queue/staging-hv-Fix-GARP-not-sent-after-Quick-Migration.patch
@@ -0,0 +1,90 @@
+From 523ec9f415f632f74dcb02157591ff14a5a810ac Mon Sep 17 00:00:00 2001
+From: Haiyang Zhang <haiyangz@microsoft.com>
+Date: Wed, 6 Apr 2011 15:18:00 -0700
+Subject: [PATCH] staging: hv: Fix GARP not sent after Quick Migration
+
+commit c996edcf1c451b81740abbcca5257ed7e353fcc6 upstream.
+
+After Quick Migration, the network is not immediately operational in the
+current context when receiving RNDIS_STATUS_MEDIA_CONNECT event. So, I added
+another netif_notify_peers() into a scheduled work, otherwise GARP packet will
+not be sent after quick migration, and cause network disconnection.
+
+Thanks to Mike Surcouf <mike@surcouf.co.uk> for reporting the bug and
+testing the patch.
+
+Reported-by: Mike Surcouf <mike@surcouf.co.uk>
+Tested-by: Mike Surcouf <mike@surcouf.co.uk>
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: Hank Janssen <hjanssen@microsoft.com>
+Signed-off-by: Abhishek Kane <v-abkane@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/staging/hv/netvsc_drv.c b/drivers/staging/hv/netvsc_drv.c
+index d6940f4..5d77f11 100644
+--- a/drivers/staging/hv/netvsc_drv.c
++++ b/drivers/staging/hv/netvsc_drv.c
+@@ -44,6 +44,7 @@ struct net_device_context {
+ /* point back to our device context */
+ struct vm_device *device_ctx;
+ struct net_device_stats stats;
++ struct work_struct work;
+ };
+
+ struct netvsc_driver_context {
+@@ -274,6 +275,7 @@ static void netvsc_linkstatus_callback(struct hv_device *device_obj,
+ {
+ struct vm_device *device_ctx = to_vm_device(device_obj);
+ struct net_device *net = dev_get_drvdata(&device_ctx->device);
++ struct net_device_context *ndev_ctx;
+
+ DPRINT_ENTER(NETVSC_DRV);
+
+@@ -287,6 +289,8 @@ static void netvsc_linkstatus_callback(struct hv_device *device_obj,
+ netif_carrier_on(net);
+ netif_wake_queue(net);
+ netif_notify_peers(net);
++ ndev_ctx = netdev_priv(net);
++ schedule_work(&ndev_ctx->work);
+ } else {
+ netif_carrier_off(net);
+ netif_stop_queue(net);
+@@ -388,6 +392,25 @@ static const struct net_device_ops device_ops = {
+ .ndo_set_mac_address = eth_mac_addr,
+ };
+
++/*
++ * Send GARP packet to network peers after migrations.
++ * After Quick Migration, the network is not immediately operational in the
++ * current context when receiving RNDIS_STATUS_MEDIA_CONNECT event. So, add
++ * another netif_notify_peers() into a scheduled work, otherwise GARP packet
++ * will not be sent after quick migration, and cause network disconnection.
++ */
++static void netvsc_send_garp(struct work_struct *w)
++{
++ struct net_device_context *ndev_ctx;
++ struct net_device *net;
++
++ msleep(20);
++ ndev_ctx = container_of(w, struct net_device_context, work);
++ net = dev_get_drvdata(&ndev_ctx->device_ctx->device);
++ netif_notify_peers(net);
++}
++
++
+ static int netvsc_probe(struct device *device)
+ {
+ struct driver_context *driver_ctx =
+@@ -418,6 +441,7 @@ static int netvsc_probe(struct device *device)
+ net_device_ctx = netdev_priv(net);
+ net_device_ctx->device_ctx = device_ctx;
+ dev_set_drvdata(device, net);
++ INIT_WORK(&net_device_ctx->work, netvsc_send_garp);
+
+ /* Notify the netvsc driver of the new device */
+ ret = net_drv_obj->Base.OnDeviceAdd(device_obj, &device_info);
+--
+1.7.4.4
+
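Review bot: The work item added to `struct net_device_context` is scheduled from netvsc_linkstatus_callback(), but nothing in this patch cancels it, so a device removal that races with a link-up event could let netvsc_send_garp() run against a net_device that has already been released. The work struct lives in `netdev_priv(net)`, so its lifetime ends with the net_device. The teardown path is outside these hunks; it should call `cancel_work_sync(&net_device_ctx->work);` before the device is freed. The `msleep(20)` in netvsc_send_garp() is also an unexplained delay on the shared workqueue and deserves a named constant or a comment saying why 20 ms is sufficient.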
diff --git a/queue/staging-hv-use-sync_bitops-when-interacting-with-the.patch b/queue/staging-hv-use-sync_bitops-when-interacting-with-the.patch
new file mode 100644
index 0000000..b33908a
--- /dev/null
+++ b/queue/staging-hv-use-sync_bitops-when-interacting-with-the.patch
@@ -0,0 +1,107 @@
+From 469e63a45e4d20a11c85a2fd9b3a8c6760a9a4dd Mon Sep 17 00:00:00 2001
+From: Olaf Hering <olaf@aepfle.de>
+Date: Mon, 21 Mar 2011 14:41:37 +0100
+Subject: [PATCH] staging: hv: use sync_bitops when interacting with the
+ hypervisor
+
+commit 22356585712d1ff08fbfed152edd8b386873b238 upstream.
+
+Locking is required when tweaking bits located in a shared page, use the
+sync_ version of bitops. Without this change vmbus_on_event() will miss
+events and as a result, vmbus_isr() will not schedule the receive tasklet.
+
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+Acked-by: Haiyang Zhang <haiyangz@microsoft.com>
+Acked-by: Hank Janssen <hjanssen@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/staging/hv/Channel.c b/drivers/staging/hv/Channel.c
+index e69e9ee..d0b435e 100644
+--- a/drivers/staging/hv/Channel.c
++++ b/drivers/staging/hv/Channel.c
+@@ -76,14 +76,14 @@ static void VmbusChannelSetEvent(struct vmbus_channel *Channel)
+
+ if (Channel->OfferMsg.MonitorAllocated) {
+ /* Each u32 represents 32 channels */
+- set_bit(Channel->OfferMsg.ChildRelId & 31,
++ sync_set_bit(Channel->OfferMsg.ChildRelId & 31,
+ (unsigned long *) gVmbusConnection.SendInterruptPage +
+ (Channel->OfferMsg.ChildRelId >> 5));
+
+ monitorPage = gVmbusConnection.MonitorPages;
+ monitorPage++; /* Get the child to parent monitor page */
+
+- set_bit(Channel->MonitorBit,
++ sync_set_bit(Channel->MonitorBit,
+ (unsigned long *)&monitorPage->TriggerGroup
+ [Channel->MonitorGroup].Pending);
+
+@@ -103,7 +103,7 @@ static void VmbusChannelClearEvent(struct vmbus_channel *channel)
+
+ if (Channel->OfferMsg.MonitorAllocated) {
+ /* Each u32 represents 32 channels */
+- clear_bit(Channel->OfferMsg.ChildRelId & 31,
++ sync_clear_bit(Channel->OfferMsg.ChildRelId & 31,
+ (unsigned long *)gVmbusConnection.SendInterruptPage +
+ (Channel->OfferMsg.ChildRelId >> 5));
+
+@@ -111,7 +111,7 @@ static void VmbusChannelClearEvent(struct vmbus_channel *channel)
+ (struct hv_monitor_page *)gVmbusConnection.MonitorPages;
+ monitorPage++; /* Get the child to parent monitor page */
+
+- clear_bit(Channel->MonitorBit,
++ sync_clear_bit(Channel->MonitorBit,
+ (unsigned long *)&monitorPage->TriggerGroup
+ [Channel->MonitorGroup].Pending);
+ }
+diff --git a/drivers/staging/hv/Connection.c b/drivers/staging/hv/Connection.c
+index e0ea9cf..e39d422 100644
+--- a/drivers/staging/hv/Connection.c
++++ b/drivers/staging/hv/Connection.c
+@@ -285,7 +285,7 @@ void VmbusOnEvents(void)
+ for (dword = 0; dword < maxdword; dword++) {
+ if (recvInterruptPage[dword]) {
+ for (bit = 0; bit < 32; bit++) {
+- if (test_and_clear_bit(bit, (unsigned long *)&recvInterruptPage[dword])) {
++ if (sync_test_and_clear_bit(bit, (unsigned long *)&recvInterruptPage[dword])) {
+ relid = (dword << 5) + bit;
+ DPRINT_DBG(VMBUS, "event detected for relid - %d", relid);
+
+@@ -330,7 +330,7 @@ int VmbusSetEvent(u32 childRelId)
+ DPRINT_ENTER(VMBUS);
+
+ /* Each u32 represents 32 channels */
+- set_bit(childRelId & 31,
++ sync_set_bit(childRelId & 31,
+ (unsigned long *)gVmbusConnection.SendInterruptPage +
+ (childRelId >> 5));
+
+diff --git a/drivers/staging/hv/Vmbus.c b/drivers/staging/hv/Vmbus.c
+index 2f84bf7..0680868 100644
+--- a/drivers/staging/hv/Vmbus.c
++++ b/drivers/staging/hv/Vmbus.c
+@@ -255,7 +255,7 @@ static int VmbusOnISR(struct hv_driver *drv)
+ event = (union hv_synic_event_flags *)page_addr + VMBUS_MESSAGE_SINT;
+
+ /* Since we are a child, we only need to check bit 0 */
+- if (test_and_clear_bit(0, (unsigned long *) &event->Flags32[0])) {
++ if (sync_test_and_clear_bit(0, (unsigned long *) &event->Flags32[0])) {
+ DPRINT_DBG(VMBUS, "received event %d", event->Flags32[0]);
+ ret |= 0x2;
+ }
+diff --git a/drivers/staging/hv/VmbusPrivate.h b/drivers/staging/hv/VmbusPrivate.h
+index 05ad2c9..5a37cce 100644
+--- a/drivers/staging/hv/VmbusPrivate.h
++++ b/drivers/staging/hv/VmbusPrivate.h
+@@ -32,6 +32,7 @@
+ #include "ChannelInterface.h"
+ #include "RingBuffer.h"
+ #include <linux/list.h>
++#include <asm/sync_bitops.h>
+
+
+ /*
+--
+1.7.4.4
+
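Review bot: The word index in the converted calls is added after the cast, e.g. `(unsigned long *)gVmbusConnection.SendInterruptPage + (childRelId >> 5)` in VmbusSetEvent(), so the pointer advances in `unsigned long` units although the comment says each u32 covers 32 channels. On a 64-bit build that would select the wrong word for any relid of 32 or more; the same pattern is in VmbusChannelSetEvent() and VmbusChannelClearEvent(). Doing the arithmetic in u32 units first, `(unsigned long *)((u32 *)gVmbusConnection.SendInterruptPage + (childRelId >> 5))`, matches the comment. This predates the sync_ conversion but sits in the statements being touched, and it assumes the page is an array of u32, as the comment and the `(dword << 5) + bit` arithmetic in VmbusOnEvents() suggest.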
diff --git a/queue/staging-usbip-bugfix-add-number-of-packets-for-isoch.patch b/queue/staging-usbip-bugfix-add-number-of-packets-for-isoch.patch
new file mode 100644
index 0000000..1b827e1
--- /dev/null
+++ b/queue/staging-usbip-bugfix-add-number-of-packets-for-isoch.patch
@@ -0,0 +1,69 @@
+From 930e4ea3485955dc3610efb55629f25bd9294add Mon Sep 17 00:00:00 2001
+From: Arjan Mels <arjan.mels@gmx.net>
+Date: Tue, 5 Apr 2011 20:26:38 +0200
+Subject: [PATCH] staging: usbip: bugfix add number of packets for isochronous
+ frames
+
+commit 1325f85fa49f57df034869de430f7c302ae23109 upstream.
+
+The number_of_packets was not transmitted for RET_SUBMIT packets. The
+linux client used the stored number_of_packet from the submitted
+request. The windows userland client does not do this however and needs
+to know the number_of_packets to determine the size of the transmission.
+
+Signed-off-by: Arjan Mels <arjan.mels@gmx.net>
+Cc: Takahiro Hirofuchi <hirofuchi@users.sourceforge.net>
+Cc: Max Vozeler <max@vozeler.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/staging/usbip/usbip_common.c b/drivers/staging/usbip/usbip_common.c
+index e3fa421..4d0eb92 100644
+--- a/drivers/staging/usbip/usbip_common.c
++++ b/drivers/staging/usbip/usbip_common.c
+@@ -334,10 +334,11 @@ void usbip_dump_header(struct usbip_header *pdu)
+ usbip_udbg("CMD_UNLINK: seq %u\n", pdu->u.cmd_unlink.seqnum);
+ break;
+ case USBIP_RET_SUBMIT:
+- usbip_udbg("RET_SUBMIT: st %d al %u sf %d ec %d\n",
++ usbip_udbg("RET_SUBMIT: st %d al %u sf %d #p %d ec %d\n",
+ pdu->u.ret_submit.status,
+ pdu->u.ret_submit.actual_length,
+ pdu->u.ret_submit.start_frame,
++ pdu->u.ret_submit.number_of_packets,
+ pdu->u.ret_submit.error_count);
+ case USBIP_RET_UNLINK:
+ usbip_udbg("RET_UNLINK: status %d\n", pdu->u.ret_unlink.status);
+@@ -605,6 +606,7 @@ static void usbip_pack_ret_submit(struct usbip_header *pdu, struct urb *urb,
+ rpdu->status = urb->status;
+ rpdu->actual_length = urb->actual_length;
+ rpdu->start_frame = urb->start_frame;
++ rpdu->number_of_packets = urb->number_of_packets;
+ rpdu->error_count = urb->error_count;
+ } else {
+ /* vhci_rx.c */
+@@ -612,6 +614,7 @@ static void usbip_pack_ret_submit(struct usbip_header *pdu, struct urb *urb,
+ urb->status = rpdu->status;
+ urb->actual_length = rpdu->actual_length;
+ urb->start_frame = rpdu->start_frame;
++ urb->number_of_packets = rpdu->number_of_packets;
+ urb->error_count = rpdu->error_count;
+ }
+ }
+@@ -680,11 +683,13 @@ static void correct_endian_ret_submit(struct usbip_header_ret_submit *pdu,
+ cpu_to_be32s(&pdu->status);
+ cpu_to_be32s(&pdu->actual_length);
+ cpu_to_be32s(&pdu->start_frame);
++ cpu_to_be32s(&pdu->number_of_packets);
+ cpu_to_be32s(&pdu->error_count);
+ } else {
+ be32_to_cpus(&pdu->status);
+ be32_to_cpus(&pdu->actual_length);
+ be32_to_cpus(&pdu->start_frame);
++ cpu_to_be32s(&pdu->number_of_packets);
+ be32_to_cpus(&pdu->error_count);
+ }
+ }
+--
+1.7.4.4
+
diff --git a/queue/staging-usbip-bugfix-for-isochronous-packets-and-opt.patch b/queue/staging-usbip-bugfix-for-isochronous-packets-and-opt.patch
new file mode 100644
index 0000000..e81ef43
--- /dev/null
+++ b/queue/staging-usbip-bugfix-for-isochronous-packets-and-opt.patch
@@ -0,0 +1,273 @@
+From 058ced7be0a942b1ad460502b276d3e8ec2def3b Mon Sep 17 00:00:00 2001
+From: Arjan Mels <arjan.mels@gmx.net>
+Date: Tue, 5 Apr 2011 20:26:59 +0200
+Subject: [PATCH] staging: usbip: bugfix for isochronous packets and
+ optimization
+
+commit 28276a28d8b3cd19f4449991faad4945fe557656 upstream.
+
+For isochronous packets the actual_length is the sum of the actual
+length of each of the packets, however between the packets might be
+padding, so it is not sufficient to just send the first actual_length
+bytes of the buffer. To fix this and simultanesouly optimize the
+bandwidth the content of the isochronous packets are send without the
+padding, the padding is restored on the receiving end.
+
+Signed-off-by: Arjan Mels <arjan.mels@gmx.net>
+Cc: Takahiro Hirofuchi <hirofuchi@users.sourceforge.net>
+Cc: Max Vozeler <max@vozeler.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/staging/usbip/stub_tx.c b/drivers/staging/usbip/stub_tx.c
+index d7136e2..b7a493c 100644
+--- a/drivers/staging/usbip/stub_tx.c
++++ b/drivers/staging/usbip/stub_tx.c
+@@ -169,7 +169,6 @@ static int stub_send_ret_submit(struct stub_device *sdev)
+ struct stub_priv *priv, *tmp;
+
+ struct msghdr msg;
+- struct kvec iov[3];
+ size_t txsize;
+
+ size_t total_size = 0;
+@@ -179,28 +178,73 @@ static int stub_send_ret_submit(struct stub_device *sdev)
+ struct urb *urb = priv->urb;
+ struct usbip_header pdu_header;
+ void *iso_buffer = NULL;
++ struct kvec *iov = NULL;
++ int iovnum = 0;
+
+ txsize = 0;
+ memset(&pdu_header, 0, sizeof(pdu_header));
+ memset(&msg, 0, sizeof(msg));
+- memset(&iov, 0, sizeof(iov));
+
+- usbip_dbg_stub_tx("setup txdata urb %p\n", urb);
++ if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS)
++ iovnum = 2 + urb->number_of_packets;
++ else
++ iovnum = 2;
++
++ iov = kzalloc(iovnum * sizeof(struct kvec), GFP_KERNEL);
+
++ if (!iov) {
++ usbip_event_add(&sdev->ud, SDEV_EVENT_ERROR_MALLOC);
++ return -1;
++ }
++
++ iovnum = 0;
+
+ /* 1. setup usbip_header */
+ setup_ret_submit_pdu(&pdu_header, urb);
++ usbip_dbg_stub_tx("setup txdata seqnum: %d urb: %p\n",
++ pdu_header.base.seqnum, urb);
++ /*usbip_dump_header(pdu_header);*/
+ usbip_header_correct_endian(&pdu_header, 1);
+
+- iov[0].iov_base = &pdu_header;
+- iov[0].iov_len = sizeof(pdu_header);
++ iov[iovnum].iov_base = &pdu_header;
++ iov[iovnum].iov_len = sizeof(pdu_header);
++ iovnum++;
+ txsize += sizeof(pdu_header);
+
+ /* 2. setup transfer buffer */
+- if (usb_pipein(urb->pipe) && urb->actual_length > 0) {
+- iov[1].iov_base = urb->transfer_buffer;
+- iov[1].iov_len = urb->actual_length;
++ if (usb_pipein(urb->pipe) &&
++ usb_pipetype(urb->pipe) != PIPE_ISOCHRONOUS &&
++ urb->actual_length > 0) {
++ iov[iovnum].iov_base = urb->transfer_buffer;
++ iov[iovnum].iov_len = urb->actual_length;
++ iovnum++;
+ txsize += urb->actual_length;
++ } else if (usb_pipein(urb->pipe) &&
++ usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) {
++ /*
++ * For isochronous packets: actual length is the sum of
++ * the actual length of the individual, packets, but as
++ * the packet offsets are not changed there will be
++ * padding between the packets. To optimally use the
++ * bandwidth the padding is not transmitted.
++ */
++
++ int i;
++ for (i = 0; i < urb->number_of_packets; i++) {
++ iov[iovnum].iov_base = urb->transfer_buffer + urb->iso_frame_desc[i].offset;
++ iov[iovnum].iov_len = urb->iso_frame_desc[i].actual_length;
++ iovnum++;
++ txsize += urb->iso_frame_desc[i].actual_length;
++ }
++
++ if (txsize != sizeof(pdu_header) + urb->actual_length) {
++ dev_err(&sdev->interface->dev,
++ "actual length of urb (%d) does not match iso packet sizes (%d)\n",
++ urb->actual_length, txsize-sizeof(pdu_header));
++ kfree(iov);
++ usbip_event_add(&sdev->ud, SDEV_EVENT_ERROR_TCP);
++ return -1;
++ }
+ }
+
+ /* 3. setup iso_packet_descriptor */
+@@ -211,32 +255,34 @@ static int stub_send_ret_submit(struct stub_device *sdev)
+ if (!iso_buffer) {
+ usbip_event_add(&sdev->ud,
+ SDEV_EVENT_ERROR_MALLOC);
++ kfree(iov);
+ return -1;
+ }
+
+- iov[2].iov_base = iso_buffer;
+- iov[2].iov_len = len;
++ iov[iovnum].iov_base = iso_buffer;
++ iov[iovnum].iov_len = len;
+ txsize += len;
++ iovnum++;
+ }
+
+- ret = kernel_sendmsg(sdev->ud.tcp_socket, &msg, iov,
+- 3, txsize);
++ ret = kernel_sendmsg(sdev->ud.tcp_socket, &msg,
++ iov, iovnum, txsize);
+ if (ret != txsize) {
+ dev_err(&sdev->interface->dev,
+ "sendmsg failed!, retval %d for %zd\n",
+ ret, txsize);
++ kfree(iov);
+ kfree(iso_buffer);
+ usbip_event_add(&sdev->ud, SDEV_EVENT_ERROR_TCP);
+ return -1;
+ }
+
++ kfree(iov);
+ kfree(iso_buffer);
+- usbip_dbg_stub_tx("send txdata\n");
+
+ total_size += txsize;
+ }
+
+-
+ spin_lock_irqsave(&sdev->priv_lock, flags);
+
+ list_for_each_entry_safe(priv, tmp, &sdev->priv_free, list) {
+diff --git a/drivers/staging/usbip/usbip_common.c b/drivers/staging/usbip/usbip_common.c
+index 4d0eb92..707b57d 100644
+--- a/drivers/staging/usbip/usbip_common.c
++++ b/drivers/staging/usbip/usbip_common.c
+@@ -815,6 +815,7 @@ int usbip_recv_iso(struct usbip_device *ud, struct urb *urb)
+ int size = np * sizeof(*iso);
+ int i;
+ int ret;
++ int total_length = 0;
+
+ if (!usb_pipeisoc(urb->pipe))
+ return 0;
+@@ -844,19 +845,75 @@ int usbip_recv_iso(struct usbip_device *ud, struct urb *urb)
+ return -EPIPE;
+ }
+
++
+ for (i = 0; i < np; i++) {
+ iso = buff + (i * sizeof(*iso));
+
+ usbip_iso_pakcet_correct_endian(iso, 0);
+ usbip_pack_iso(iso, &urb->iso_frame_desc[i], 0);
++ total_length += urb->iso_frame_desc[i].actual_length;
+ }
+
+ kfree(buff);
+
++ if (total_length != urb->actual_length) {
++ dev_err(&urb->dev->dev,
++ "total length of iso packets (%d) not equal to actual length of buffer (%d)\n",
++ total_length, urb->actual_length);
++
++ if (ud->side == USBIP_STUB)
++ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP);
++ else
++ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
++
++ return -EPIPE;
++ }
++
+ return ret;
+ }
+ EXPORT_SYMBOL_GPL(usbip_recv_iso);
+
++/*
++ * This functions restores the padding which was removed for optimizing
++ * the bandwidth during transfer over tcp/ip
++ *
++ * buffer and iso packets need to be stored and be in propeper endian in urb
++ * before calling this function
++ */
++int usbip_pad_iso(struct usbip_device *ud, struct urb *urb)
++{
++ int np = urb->number_of_packets;
++ int i;
++ int ret;
++ int actualoffset = urb->actual_length;
++
++ if (!usb_pipeisoc(urb->pipe))
++ return 0;
++
++ /* if no packets or length of data is 0, then nothing to unpack */
++ if (np == 0 || urb->actual_length == 0)
++ return 0;
++
++ /*
++ * if actual_length is transfer_buffer_length then no padding is
++ * present.
++ */
++ if (urb->actual_length == urb->transfer_buffer_length)
++ return 0;
++
++ /*
++ * loop over all packets from last to first (to prevent overwritting
++ * memory when padding) and move them into the proper place
++ */
++ for (i = np-1; i > 0; i--) {
++ actualoffset -= urb->iso_frame_desc[i].actual_length;
++ memmove(urb->transfer_buffer + urb->iso_frame_desc[i].offset,
++ urb->transfer_buffer + actualoffset,
++ urb->iso_frame_desc[i].actual_length);
++ }
++ return ret;
++}
++EXPORT_SYMBOL_GPL(usbip_pad_iso);
+
+ /* some members of urb must be substituted before. */
+ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb)
+diff --git a/drivers/staging/usbip/usbip_common.h b/drivers/staging/usbip/usbip_common.h
+index 6f1dcb1..c7c6c81 100644
+--- a/drivers/staging/usbip/usbip_common.h
++++ b/drivers/staging/usbip/usbip_common.h
+@@ -393,6 +393,8 @@ void usbip_header_correct_endian(struct usbip_header *pdu, int send);
+ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb);
+ /* some members of urb must be substituted before. */
+ int usbip_recv_iso(struct usbip_device *ud, struct urb *urb);
++/* some members of urb must be substituted before. */
++int usbip_pad_iso(struct usbip_device *ud, struct urb *urb);
+ void *usbip_alloc_iso_desc_pdu(struct urb *urb, ssize_t *bufflen);
+
+
+diff --git a/drivers/staging/usbip/vhci_rx.c b/drivers/staging/usbip/vhci_rx.c
+index bdbedd2..a1ac1b8 100644
+--- a/drivers/staging/usbip/vhci_rx.c
++++ b/drivers/staging/usbip/vhci_rx.c
+@@ -99,6 +99,9 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
+ if (usbip_recv_iso(ud, urb) < 0)
+ return;
+
++ /* restore the padding in iso packets */
++ if (usbip_pad_iso(ud, urb) < 0)
++ return;
+
+ if (usbip_dbg_flag_vhci_rx)
+ usbip_dump_urb(urb);
+--
+1.7.4.4
+
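Review bot: usbip_pad_iso() declares `int ret;` and ends with `return ret;` without ever assigning it, so the `if (usbip_pad_iso(ud, urb) < 0)` test in vhci_recv_ret_submit() acts on an indeterminate value; the function should end with `return 0;` and drop the variable. The memmove() in the same loop uses `iso_frame_desc[i].offset` and `.actual_length`, which presumably were just filled in from the peer by usbip_recv_iso(), and nothing visible checks that the destination stays inside the buffer. A guard such as `if (urb->iso_frame_desc[i].offset + urb->iso_frame_desc[i].actual_length > urb->transfer_buffer_length) return -EPIPE;` belongs before the copy. In stub_send_ret_submit(), `kzalloc(iovnum * sizeof(struct kvec), GFP_KERNEL)` is better written `kcalloc(iovnum, sizeof(struct kvec), GFP_KERNEL)` so the multiplication is overflow-checked, and the `%d` printing `txsize-sizeof(pdu_header)` should be `%zu`.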
diff --git a/queue/staging-usbip-bugfixes-related-to-kthread-conversion.patch b/queue/staging-usbip-bugfixes-related-to-kthread-conversion.patch
new file mode 100644
index 0000000..e30d361
--- /dev/null
+++ b/queue/staging-usbip-bugfixes-related-to-kthread-conversion.patch
@@ -0,0 +1,74 @@
+From e7c584b57c9aba0fd96056c4a76071d95c950cd1 Mon Sep 17 00:00:00 2001
+From: Arjan Mels <arjan.mels@gmx.net>
+Date: Tue, 5 Apr 2011 20:26:11 +0200
+Subject: [PATCH] staging: usbip: bugfixes related to kthread conversion
+
+commit d2dd0b07c3e725d386d20294ec906f7ddef207fa upstream.
+
+When doing a usb port reset do a queued reset instead to prevent a
+deadlock: the reset will cause the driver to unbind, causing the
+usb_driver_lock_for_reset to stall.
+
+Signed-off-by: Arjan Mels <arjan.mels@gmx.net>
+Cc: Takahiro Hirofuchi <hirofuchi@users.sourceforge.net>
+Cc: Max Vozeler <max@vozeler.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/staging/usbip/stub_rx.c b/drivers/staging/usbip/stub_rx.c
+index bc26740..16a7df1 100644
+--- a/drivers/staging/usbip/stub_rx.c
++++ b/drivers/staging/usbip/stub_rx.c
+@@ -170,33 +170,23 @@ static int tweak_set_configuration_cmd(struct urb *urb)
+
+ static int tweak_reset_device_cmd(struct urb *urb)
+ {
+- struct usb_ctrlrequest *req;
+- __u16 value;
+- __u16 index;
+- int ret;
+-
+- req = (struct usb_ctrlrequest *) urb->setup_packet;
+- value = le16_to_cpu(req->wValue);
+- index = le16_to_cpu(req->wIndex);
+-
+- usbip_uinfo("reset_device (port %d) to %s\n", index,
+- dev_name(&urb->dev->dev));
++ struct stub_priv *priv = (struct stub_priv *) urb->context;
++ struct stub_device *sdev = priv->sdev;
+
+- /* all interfaces should be owned by usbip driver, so just reset it. */
+- ret = usb_lock_device_for_reset(urb->dev, NULL);
+- if (ret < 0) {
+- dev_err(&urb->dev->dev, "lock for reset\n");
+- return ret;
+- }
+-
+- /* try to reset the device */
+- ret = usb_reset_device(urb->dev);
+- if (ret < 0)
+- dev_err(&urb->dev->dev, "device reset\n");
++ usbip_uinfo("reset_device %s\n", dev_name(&urb->dev->dev));
+
+- usb_unlock_device(urb->dev);
+-
+- return ret;
++ /*
++ * usb_lock_device_for_reset caused a deadlock: it causes the driver
++ * to unbind. In the shutdown the rx thread is signalled to shut down
++ * but this thread is pending in the usb_lock_device_for_reset.
++ *
++ * Instead queue the reset.
++ *
++ * Unfortunatly an existing usbip connection will be dropped due to
++ * driver unbinding.
++ */
++ usb_queue_reset_device(sdev->interface);
++ return 0;
+ }
+
+ /*
+--
+1.7.4.4
+
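Review bot: tweak_reset_device_cmd() now returns 0 unconditionally after `usb_queue_reset_device(sdev->interface);`, so the caller can no longer learn whether the reset took place, and presumably continues before the queued reset has run. If that is intended, the comment in the function should say so, e.g. `/* reset is only queued; 0 means "queued", not "reset done" */`. The cast in `(struct stub_priv *) urb->context` is unnecessary if `context` is a `void *`.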
diff --git a/queue/x86-microcode-AMD-Extend-ucode-size-verification.patch b/queue/x86-microcode-AMD-Extend-ucode-size-verification.patch
new file mode 100644
index 0000000..c957c48
--- /dev/null
+++ b/queue/x86-microcode-AMD-Extend-ucode-size-verification.patch
@@ -0,0 +1,134 @@
+From ffe10b3f9a0761a2aae91777356e829d90ef9177 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <borislav.petkov@amd.com>
+Date: Thu, 10 Feb 2011 12:19:47 +0100
+Subject: [PATCH] x86, microcode, AMD: Extend ucode size verification
+
+commit 44d60c0f5c58c2168f31df9a481761451840eb54 upstream.
+
+The different families have a different max size for the ucode patch,
+adjust size checking to the family we're running on. Also, do not
+vzalloc the max size of the ucode but only the actual size that is
+passed on from the firmware loader.
+
+[PG: baseline of 44d60c0f5~1 differs in multiple trivial ways from
+ the 34's; this commit makes get_next_ucode() look like 44d60c0f5's]
+
+Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/arch/x86/kernel/microcode_amd.c b/arch/x86/kernel/microcode_amd.c
+index e1af7c0..ed47400 100644
+--- a/arch/x86/kernel/microcode_amd.c
++++ b/arch/x86/kernel/microcode_amd.c
+@@ -66,7 +66,6 @@ struct microcode_amd {
+ unsigned int mpb[0];
+ };
+
+-#define UCODE_MAX_SIZE 2048
+ #define UCODE_CONTAINER_SECTION_HDR 8
+ #define UCODE_CONTAINER_HEADER_SIZE 12
+
+@@ -155,6 +154,37 @@ static int apply_microcode_amd(int cpu)
+ return 0;
+ }
+
++static unsigned int verify_ucode_size(int cpu, const u8 *buf, unsigned int size)
++{
++ struct cpuinfo_x86 *c = &cpu_data(cpu);
++ unsigned int max_size, actual_size;
++
++#define F1XH_MPB_MAX_SIZE 2048
++#define F14H_MPB_MAX_SIZE 1824
++#define F15H_MPB_MAX_SIZE 4096
++
++ switch (c->x86) {
++ case 0x14:
++ max_size = F14H_MPB_MAX_SIZE;
++ break;
++ case 0x15:
++ max_size = F15H_MPB_MAX_SIZE;
++ break;
++ default:
++ max_size = F1XH_MPB_MAX_SIZE;
++ break;
++ }
++
++ actual_size = buf[4] + (buf[5] << 8);
++
++ if (actual_size > size || actual_size > max_size) {
++ pr_err("section size mismatch\n");
++ return 0;
++ }
++
++ return actual_size;
++}
++
+ static int get_ucode_data(void *to, const u8 *from, size_t n)
+ {
+ memcpy(to, from, n);
+@@ -162,37 +192,29 @@ static int get_ucode_data(void *to, const u8 *from, size_t n)
+ }
+
+ static void *
+-get_next_ucode(const u8 *buf, unsigned int size, unsigned int *mc_size)
++get_next_ucode(int cpu, const u8 *buf, unsigned int size, unsigned int *mc_size)
+ {
+- unsigned int total_size;
+- u8 section_hdr[UCODE_CONTAINER_SECTION_HDR];
+- void *mc;
++ void *mc = NULL;
++ unsigned int actual_size = 0;
+
+- if (get_ucode_data(section_hdr, buf, UCODE_CONTAINER_SECTION_HDR))
+- return NULL;
+-
+- if (section_hdr[0] != UCODE_UCODE_TYPE) {
++ if (buf[0] != UCODE_UCODE_TYPE) {
+ pr_err("error: invalid type field in container file section header\n");
+- return NULL;
++ goto out;
+ }
+
+- total_size = (unsigned long) (section_hdr[4] + (section_hdr[5] << 8));
++ actual_size = verify_ucode_size(cpu, buf, size);
++ if (!actual_size)
++ goto out;
+
+- if (total_size > size || total_size > UCODE_MAX_SIZE) {
+- pr_err("error: size mismatch\n");
+- return NULL;
+- }
++ mc = vmalloc(actual_size);
++ if (!mc)
++ goto out;
+
+- mc = vmalloc(UCODE_MAX_SIZE);
+- if (mc) {
+- memset(mc, 0, UCODE_MAX_SIZE);
+- if (get_ucode_data(mc, buf + UCODE_CONTAINER_SECTION_HDR,
+- total_size)) {
+- vfree(mc);
+- mc = NULL;
+- } else
+- *mc_size = total_size + UCODE_CONTAINER_SECTION_HDR;
+- }
++ memset(mc, 0, actual_size);
++ get_ucode_data(mc, buf + UCODE_CONTAINER_SECTION_HDR, actual_size);
++ *mc_size = actual_size + UCODE_CONTAINER_SECTION_HDR;
++
++out:
+ return mc;
+ }
+
+@@ -258,7 +280,7 @@ generic_load_microcode(int cpu, const u8 *data, size_t size)
+ unsigned int uninitialized_var(mc_size);
+ struct microcode_header_amd *mc_header;
+
+- mc = get_next_ucode(ucode_ptr, leftover, &mc_size);
++ mc = get_next_ucode(cpu, ucode_ptr, leftover, &mc_size);
+ if (!mc)
+ break;
+
+--
+1.7.4.4
+
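Review bot: In verify_ucode_size() the bound `actual_size > size` ignores the 8-byte section header that get_next_ucode() skips before copying, so a section whose length field equals the remaining `size` makes `get_ucode_data(mc, buf + UCODE_CONTAINER_SECTION_HDR, actual_size)` read past the end of the input buffer. Nothing in either function checks that `size` is at least UCODE_CONTAINER_SECTION_HDR before `buf[0]`, `buf[4]` and `buf[5]` are read. A guard such as `if (size < UCODE_CONTAINER_SECTION_HDR) return 0;` at the top of verify_ucode_size(), with the comparison changed to `actual_size > size - UCODE_CONTAINER_SECTION_HDR`, would cover the length field and the copy; the `buf[0]` type check in get_next_ucode() runs earlier and needs the same length guard ahead of it. The loop in generic_load_microcode() is only partly visible in this hunk, so confirm whether it already guarantees a minimum `leftover` before each call.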
diff --git a/queue/x86-mtrr-pat-Fix-one-cpu-getting-out-of-sync-during-.patch b/queue/x86-mtrr-pat-Fix-one-cpu-getting-out-of-sync-during-.patch
new file mode 100644
index 0000000..919fc9c
--- /dev/null
+++ b/queue/x86-mtrr-pat-Fix-one-cpu-getting-out-of-sync-during-.patch
@@ -0,0 +1,89 @@
+From 79191de793b75f141e18adb8f97f6ec053abd2f7 Mon Sep 17 00:00:00 2001
+From: Suresh Siddha <suresh.b.siddha@intel.com>
+Date: Tue, 29 Mar 2011 15:38:12 -0700
+Subject: [PATCH] x86, mtrr, pat: Fix one cpu getting out of sync during
+ resume
+
+commit 84ac7cdbdd0f04df6b96153f7a79127fd6e45467 upstream.
+
+On laptops with core i5/i7, there were reports that after resume
+graphics workloads were performing poorly on a specific AP, while
+the other cpu's were ok. This was observed on a 32bit kernel
+specifically.
+
+Debug showed that the PAT init was not happening on that AP
+during resume and hence it contributing to the poor workload
+performance on that cpu.
+
+On this system, resume flow looked like this:
+
+1. BP starts the resume sequence and we reinit BP's MTRR's/PAT
+ early on using mtrr_bp_restore()
+
+2. Resume sequence brings all AP's online
+
+3. Resume sequence now kicks off the MTRR reinit on all the AP's.
+
+4. For some reason, between point 2 and 3, we moved from BP
+ to one of the AP's. My guess is that printk() during resume
+ sequence is contributing to this. We don't see similar
+ behavior with the 64bit kernel but there is no guarantee that
+ at this point the remaining resume sequence (after AP's bringup)
+ has to happen on BP.
+
+5. set_mtrr() was assuming that we are still on BP and skipped the
+ MTRR/PAT init on that cpu (because of 1 above)
+
+6. But we were on an AP and this led to not reprogramming PAT
+ on this cpu leading to bad performance.
+
+Fix this by doing unconditional mtrr_if->set_all() in set_mtrr()
+during MTRR/PAT init. This might be unnecessary if we are still
+running on BP. But it is of no harm and will guarantee that after
+resume, all the cpu's will be in sync with respect to the
+MTRR/PAT registers.
+
+Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
+LKML-Reference: <1301438292-28370-1-git-send-email-eric@anholt.net>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Tested-by: Keith Packard <keithp@keithp.com>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c
+index e253288..34b4e2f 100644
+--- a/arch/x86/kernel/cpu/mtrr/main.c
++++ b/arch/x86/kernel/cpu/mtrr/main.c
+@@ -263,14 +263,24 @@ set_mtrr(unsigned int reg, unsigned long base, unsigned long size, mtrr_type typ
+
+ /*
+ * HACK!
+- * We use this same function to initialize the mtrrs on boot.
+- * The state of the boot cpu's mtrrs has been saved, and we want
+- * to replicate across all the APs.
+- * If we're doing that @reg is set to something special...
++ *
++ * We use this same function to initialize the mtrrs during boot,
++ * resume, runtime cpu online and on an explicit request to set a
++ * specific MTRR.
++ *
++ * During boot or suspend, the state of the boot cpu's mtrrs has been
++ * saved, and we want to replicate that across all the cpus that come
++ * online (either at the end of boot or resume or during a runtime cpu
++ * online). If we're doing that, @reg is set to something special and on
++ * this cpu we still do mtrr_if->set_all(). During boot/resume, this
++ * is unnecessary if at this point we are still on the cpu that started
++ * the boot/resume sequence. But there is no guarantee that we are still
++ * on the same cpu. So we do mtrr_if->set_all() on this cpu aswell to be
++ * sure that we are in sync with everyone else.
+ */
+ if (reg != ~0U)
+ mtrr_if->set(reg, base, size, type);
+- else if (!mtrr_aps_delayed_init)
++ else
+ mtrr_if->set_all();
+
+ /* Wait for the others */
+--
+1.7.4.4
+
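Review bot: The rewritten comment above the `if (reg != ~0U)` test still says "@reg is set to something special" without naming the value. That sentinel is what selects the `mtrr_if->set_all()` path this commit makes unconditional, so the comment could state it directly, for example `If we're doing that, @reg is ~0U and on this cpu we still do mtrr_if->set_all()`. In the last line of the same comment `aswell` should read `as well`. set_mtrr() starts and ends outside the hunk, so this applies only to the comment and branch shown here.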
diff --git a/queue/xen-set-max_pfn_mapped-to-the-last-pfn-mapped.patch b/queue/xen-set-max_pfn_mapped-to-the-last-pfn-mapped.patch
index 4c48d0a..b187033 100644
--- a/queue/xen-set-max_pfn_mapped-to-the-last-pfn-mapped.patch
+++ b/queue/xen-set-max_pfn_mapped-to-the-last-pfn-mapped.patch
@@ -1,4 +1,4 @@
-From 4e18304772b8860c84981115a0cea50605e0cc1f Mon Sep 17 00:00:00 2001
+From df970150e3a45e6a1fa73de2344da6e99e7f370f Mon Sep 17 00:00:00 2001
From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Date: Fri, 18 Feb 2011 11:32:40 +0000
Subject: [PATCH] xen: set max_pfn_mapped to the last pfn mapped