.32 patches

6 files changed, 201 insertions, 0 deletions

diff --git a/queue-2.6.32/3w-9xxx-fix-iommu_iova-leak.patch b/queue-2.6.32/3w-9xxx-fix-iommu_iova-leak.patch
new file mode 100644
index 0000000..64b6635
--- /dev/null
+++ b/queue-2.6.32/3w-9xxx-fix-iommu_iova-leak.patch
@@ -0,0 +1,40 @@
+From 96067723e46b0dd24ae7b934085ab4eff4d26a1b Mon Sep 17 00:00:00 2001
+From: James Bottomley <JBottomley@Parallels.com>
+Date: Sun, 18 Sep 2011 18:56:20 +0400
+Subject: [SCSI] 3w-9xxx: fix iommu_iova leak
+
+From: James Bottomley <JBottomley@Parallels.com>
+
+commit 96067723e46b0dd24ae7b934085ab4eff4d26a1b upstream.
+
+Following reports on the list, it looks like the 3e-9xxx driver will leak dma
+mappings every time we get a transient queueing error back from the card.
+This is because it maps the sg list in the routine that sends the command, but
+doesn't unmap again in the transient failure path (even though the command is
+sent back to the block layer).  Fix by unmapping before returning the status.
+
+Reported-by: Chris Boot <bootc@bootc.net>
+Tested-by: Chris Boot <bootc@bootc.net>
+Acked-by: Adam Radford <aradford@gmail.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/3w-9xxx.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/3w-9xxx.c
++++ b/drivers/scsi/3w-9xxx.c
+@@ -1786,10 +1786,12 @@ static int twa_scsi_queue(struct scsi_cm
+ 	switch (retval) {
+ 	case SCSI_MLQUEUE_HOST_BUSY:
+ 		twa_free_request_id(tw_dev, request_id);
++		twa_unmap_scsi_data(tw_dev, request_id);
+ 		break;
+ 	case 1:
+ 		tw_dev->state[request_id] = TW_S_COMPLETED;
+ 		twa_free_request_id(tw_dev, request_id);
++		twa_unmap_scsi_data(tw_dev, request_id);
+ 		SCpnt->result = (DID_ERROR << 16);
+ 		done(SCpnt);
+ 		retval = 0;
diff --git a/queue-2.6.32/aacraid-reset-should-disable-msi-interrupt.patch b/queue-2.6.32/aacraid-reset-should-disable-msi-interrupt.patch
new file mode 100644
index 0000000..5a651dd
--- /dev/null
+++ b/queue-2.6.32/aacraid-reset-should-disable-msi-interrupt.patch
@@ -0,0 +1,37 @@
+From d0efab26f89506387a1bde898556660e06d7eb15 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@parallels.com>
+Date: Fri, 2 Sep 2011 19:31:46 +0400
+Subject: [SCSI] aacraid: reset should disable MSI interrupt
+
+From: Vasily Averin <vvs@parallels.com>
+
+commit d0efab26f89506387a1bde898556660e06d7eb15 upstream.
+
+scsi reset on hardware with enabled MSI interrupts generates WARNING message
+
+[11027.798722] aacraid: Host adapter abort request (0,0,0,0)
+[11027.798814] aacraid: Host adapter reset request. SCSI hang ?
+[11087.762237] aacraid: SCSI bus appears hung
+[11135.082543] ------------[ cut here ]------------
+[11135.082646] WARNING: at drivers/pci/msi.c:658 pci_enable_msi_block+0x251/0x290()
+
+Signed-off-by: Vasily Averin <vvs@sw.ru>
+Acked-by: Mark Salyzyn <mark_salyzyn@us.xyratex.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/aacraid/commsup.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/aacraid/commsup.c
++++ b/drivers/scsi/aacraid/commsup.c
+@@ -1202,6 +1202,8 @@ static int _aac_reset_adapter(struct aac
+ 	kfree(aac->queues);
+ 	aac->queues = NULL;
+ 	free_irq(aac->pdev->irq, aac);
++	if (aac->msi)
++		pci_disable_msi(aac->pdev);
+ 	kfree(aac->fsa_dev);
+ 	aac->fsa_dev = NULL;
+ 	quirks = aac_get_driver_ident(index)->quirks;
diff --git a/queue-2.6.32/cfg80211-fix-validation-of-akm-suites.patch b/queue-2.6.32/cfg80211-fix-validation-of-akm-suites.patch
new file mode 100644
index 0000000..abefddc
--- /dev/null
+++ b/queue-2.6.32/cfg80211-fix-validation-of-akm-suites.patch
@@ -0,0 +1,43 @@
+From 1b9ca0272ffae212e726380f66777b30a56ed7a5 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Wed, 21 Sep 2011 16:13:07 +0300
+Subject: cfg80211: Fix validation of AKM suites
+
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+
+commit 1b9ca0272ffae212e726380f66777b30a56ed7a5 upstream.
+
+Incorrect variable was used in validating the akm_suites array from
+NL80211_ATTR_AKM_SUITES. In addition, there was no explicit
+validation of the array length (we only have room for
+NL80211_MAX_NR_AKM_SUITES).
+
+This can result in a buffer write overflow for stack variables with
+arbitrary data from user space. The nl80211 commands using the affected
+functionality require GENL_ADMIN_PERM, so this is only exposed to admin
+users.
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/wireless/nl80211.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3364,9 +3364,12 @@ static int nl80211_crypto_settings(struc
+ 		if (len % sizeof(u32))
+ 			return -EINVAL;
+ 
++		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
++			return -EINVAL;
++
+ 		memcpy(settings->akm_suites, data, len);
+ 
+-		for (i = 0; i < settings->n_ciphers_pairwise; i++)
++		for (i = 0; i < settings->n_akm_suites; i++)
+ 			if (!nl80211_valid_akm_suite(settings->akm_suites[i]))
+ 				return -EINVAL;
+ 	}
diff --git a/queue-2.6.32/libsas-fix-failure-to-revalidate-domain-for-anything-but-the-first-expander-child.patch b/queue-2.6.32/libsas-fix-failure-to-revalidate-domain-for-anything-but-the-first-expander-child.patch
new file mode 100644
index 0000000..a8dae83
--- /dev/null
+++ b/queue-2.6.32/libsas-fix-failure-to-revalidate-domain-for-anything-but-the-first-expander-child.patch
@@ -0,0 +1,43 @@
+From 24926dadc41cc566e974022b0e66231b82c6375f Mon Sep 17 00:00:00 2001
+From: Mark Salyzyn <mark_salyzyn@us.xyratex.com>
+Date: Thu, 1 Sep 2011 06:11:17 -0700
+Subject: [SCSI] libsas: fix failure to revalidate domain for anything but the first expander child.
+
+From: Mark Salyzyn <mark_salyzyn@us.xyratex.com>
+
+commit 24926dadc41cc566e974022b0e66231b82c6375f upstream.
+
+In an enclosure model where there are chaining expanders to a large body
+of storage, it was discovered that libsas, responding to a broadcast
+event change, would only revalidate the domain of first child expander
+in the list.
+
+The issue is that the pointer value to the discovered source device was
+used to break out of the loop, rather than the content of the pointer.
+
+This still remains non-compliant as the revalidate domain code is
+supposed to loop through all child expanders, and not stop at the first
+one it finds that reports a change count. However, the design of this
+routine does not allow multiple device discoveries and that would be a
+more complicated set of patches reserved for another day. We are fixing
+the glaring bug rather than refactoring the code.
+
+Signed-off-by: Mark Salyzyn <msalyzyn@us.xyratex.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/libsas/sas_expander.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -1712,7 +1712,7 @@ static int sas_find_bcast_dev(struct dom
+ 	list_for_each_entry(ch, &ex->children, siblings) {
+ 		if (ch->dev_type == EDGE_DEV || ch->dev_type == FANOUT_DEV) {
+ 			res = sas_find_bcast_dev(ch, src_dev);
+-			if (src_dev)
++			if (*src_dev)
+ 				return res;
+ 		}
+ 	}
diff --git a/queue-2.6.32/series b/queue-2.6.32/series
index 68647ef..e2f1abd 100644
--- a/queue-2.6.32/series
+++ b/queue-2.6.32/series
@@ -37,3 +37,8 @@ tpm-zero-buffer-after-copying-to-userspace.patch
 libiscsi_tcp-fix-lld-data-allocation.patch
 cnic-improve-netdev_up-event-handling.patch
 alsa-hda-realtek-avoid-bogus-hp-pin-assignment.patch
+3w-9xxx-fix-iommu_iova-leak.patch
+aacraid-reset-should-disable-msi-interrupt.patch
+libsas-fix-failure-to-revalidate-domain-for-anything-but-the-first-expander-child.patch
+cfg80211-fix-validation-of-akm-suites.patch
+splice-direct_splice_actor-should-not-use-pos-in-sd.patch
diff --git a/queue-2.6.32/splice-direct_splice_actor-should-not-use-pos-in-sd.patch b/queue-2.6.32/splice-direct_splice_actor-should-not-use-pos-in-sd.patch
new file mode 100644
index 0000000..c465cca
--- /dev/null
+++ b/queue-2.6.32/splice-direct_splice_actor-should-not-use-pos-in-sd.patch
@@ -0,0 +1,33 @@
+From 2cb4b05e7647891b46b91c07c9a60304803d1688 Mon Sep 17 00:00:00 2001
+From: Changli Gao <xiaosuo@gmail.com>
+Date: Tue, 29 Jun 2010 13:09:18 +0200
+Subject: splice: direct_splice_actor() should not use pos in sd
+
+From: Changli Gao <xiaosuo@gmail.com>
+
+commit 2cb4b05e7647891b46b91c07c9a60304803d1688 upstream.
+
+direct_splice_actor() shouldn't use sd->pos, as sd->pos is for file reading,
+file->f_pos should be used instead.
+
+Signed-off-by: Changli Gao <xiaosuo@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/splice.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1221,7 +1221,8 @@ static int direct_splice_actor(struct pi
+ {
+ 	struct file *file = sd->u.file;
+ 
+-	return do_splice_from(pipe, file, &sd->pos, sd->total_len, sd->flags);
++	return do_splice_from(pipe, file, &file->f_pos, sd->total_len,
++			      sd->flags);
+ }
+ 
+ /**