--- /dev/null
+From 097b0e1bf18a00195cd89bb13565ddbc9b0df942 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 17 Jul 2012 17:12:29 +0200
+Subject: b43: fix crash with OpenFWWF
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 097b0e1bf18a00195cd89bb13565ddbc9b0df942 upstream.
+
+b43 with open firmware crashes mac80211 because
+it changes the number of queues at runtime which,
+while it was never really supported, now crashes
+mac80211 due to the new hardware queue logic.
+
+Fix this by detecting open vs. proprietary fw
+earlier and registering with mac80211 with the
+right number of queues.
+
+Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+---
+ drivers/net/wireless/b43/b43.h | 7 -------
+ drivers/net/wireless/b43/main.c | 32 ++++++++++----------------------
+ 2 files changed, 10 insertions(+), 29 deletions(-)
+
+--- a/drivers/net/wireless/b43/b43.h
++++ b/drivers/net/wireless/b43/b43.h
+@@ -870,13 +870,6 @@ struct b43_wl {
+ * handler, only. This basically is just the IRQ mask register. */
+ spinlock_t hardirq_lock;
+
+- /* The number of queues that were registered with the mac80211 subsystem
+- * initially. This is a backup copy of hw->queues in case hw->queues has
+- * to be dynamically lowered at runtime (Firmware does not support QoS).
+- * hw->queues has to be restored to the original value before unregistering
+- * from the mac80211 subsystem. */
+- u16 mac80211_initially_registered_queues;
+-
+ /* Set this if we call ieee80211_register_hw() and check if we call
+ * ieee80211_unregister_hw(). */
+ bool hw_registred;
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -2359,6 +2359,8 @@ static int b43_try_request_fw(struct b43
+ if (err)
+ goto err_load;
+
++ fw->opensource = (ctx->req_type == B43_FWTYPE_OPENSOURCE);
++
+ return 0;
+
+ err_no_ucode:
+@@ -2434,6 +2436,10 @@ static void b43_request_firmware(struct
+ goto out;
+
+ start_ieee80211:
++ wl->hw->queues = B43_QOS_QUEUE_NUM;
++ if (!modparam_qos || dev->fw.opensource)
++ wl->hw->queues = 1;
++
+ err = ieee80211_register_hw(wl->hw);
+ if (err)
+ goto err_one_core_detach;
+@@ -2537,11 +2543,9 @@ static int b43_upload_microcode(struct b
+ dev->fw.hdr_format = B43_FW_HDR_410;
+ else
+ dev->fw.hdr_format = B43_FW_HDR_351;
+- dev->fw.opensource = (fwdate == 0xFFFF);
++ WARN_ON(dev->fw.opensource != (fwdate == 0xFFFF));
+
+- /* Default to use-all-queues. */
+- dev->wl->hw->queues = dev->wl->mac80211_initially_registered_queues;
+- dev->qos_enabled = !!modparam_qos;
++ dev->qos_enabled = dev->wl->hw->queues > 1;
+ /* Default to firmware/hardware crypto acceleration. */
+ dev->hwcrypto_enabled = true;
+
+@@ -2559,14 +2563,8 @@ static int b43_upload_microcode(struct b
+ /* Disable hardware crypto and fall back to software crypto. */
+ dev->hwcrypto_enabled = false;
+ }
+- if (!(fwcapa & B43_FWCAPA_QOS)) {
+- b43info(dev->wl, "QoS not supported by firmware\n");
+- /* Disable QoS. Tweak hw->queues to 1. It will be restored before
+- * ieee80211_unregister to make sure the networking core can
+- * properly free possible resources. */
+- dev->wl->hw->queues = 1;
+- dev->qos_enabled = false;
+- }
++ /* adding QoS support should use an offline discovery mechanism */
++ WARN(fwcapa & B43_FWCAPA_QOS, "QoS in OpenFW not supported\n");
+ } else {
+ b43info(dev->wl, "Loading firmware version %u.%u "
+ "(20%.2i-%.2i-%.2i %.2i:%.2i:%.2i)\n",
+@@ -5298,8 +5296,6 @@ static struct b43_wl *b43_wireless_init(
+
+ hw->wiphy->flags |= WIPHY_FLAG_IBSS_RSN;
+
+- hw->queues = modparam_qos ? B43_QOS_QUEUE_NUM : 1;
+- wl->mac80211_initially_registered_queues = hw->queues;
+ wl->hw_registred = false;
+ hw->max_rates = 2;
+ SET_IEEE80211_DEV(hw, dev->dev);
+@@ -5374,10 +5370,6 @@ static void b43_bcma_remove(struct bcma_
+
+ B43_WARN_ON(!wl);
+ if (wl->current_dev == wldev && wl->hw_registred) {
+- /* Restore the queues count before unregistering, because firmware detect
+- * might have modified it. Restoring is important, so the networking
+- * stack can properly free resources. */
+- wl->hw->queues = wl->mac80211_initially_registered_queues;
+ b43_leds_stop(wldev);
+ ieee80211_unregister_hw(wl->hw);
+ }
+@@ -5452,10 +5444,6 @@ static void b43_ssb_remove(struct ssb_de
+
+ B43_WARN_ON(!wl);
+ if (wl->current_dev == wldev && wl->hw_registred) {
+- /* Restore the queues count before unregistering, because firmware detect
+- * might have modified it. Restoring is important, so the networking
+- * stack can properly free resources. */
+- wl->hw->queues = wl->mac80211_initially_registered_queues;
+ b43_leds_stop(wldev);
+ ieee80211_unregister_hw(wl->hw);
+ }
--- /dev/null
+From 443772d408a25af62498793f6f805ce3c559309a Mon Sep 17 00:00:00 2001
+From: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
+Date: Sat, 16 Jun 2012 15:30:45 +0200
+Subject: ftrace: Disable function tracing during suspend/resume and hibernation, again
+
+From: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
+
+commit 443772d408a25af62498793f6f805ce3c559309a upstream.
+
+If function tracing is enabled for some of the low-level suspend/resume
+functions, it leads to triple fault during resume from suspend, ultimately
+ending up in a reboot instead of a resume (or a total refusal to come out
+of suspended state, on some machines).
+
+This issue was explained in more detail in commit f42ac38c59e0a03d (ftrace:
+disable tracing for suspend to ram). However, the changes made by that commit
+got reverted by commit cbe2f5a6e84eebb (tracing: allow tracing of
+suspend/resume & hibernation code again). So, unfortunately since things are
+not yet robust enough to allow tracing of low-level suspend/resume functions,
+suspend/resume is still broken when ftrace is enabled.
+
+So fix this by disabling function tracing during suspend/resume & hibernation.
+
+Signed-off-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
+Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/power/hibernate.c | 6 ++++++
+ kernel/power/suspend.c | 3 +++
+ 2 files changed, 9 insertions(+)
+
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -353,6 +353,7 @@ int hibernation_snapshot(int platform_mo
+ }
+
+ suspend_console();
++ ftrace_stop();
+ pm_restrict_gfp_mask();
+
+ error = dpm_suspend(PMSG_FREEZE);
+@@ -378,6 +379,7 @@ int hibernation_snapshot(int platform_mo
+ if (error || !in_suspend)
+ pm_restore_gfp_mask();
+
++ ftrace_start();
+ resume_console();
+ dpm_complete(msg);
+
+@@ -480,6 +482,7 @@ int hibernation_restore(int platform_mod
+
+ pm_prepare_console();
+ suspend_console();
++ ftrace_stop();
+ pm_restrict_gfp_mask();
+ error = dpm_suspend_start(PMSG_QUIESCE);
+ if (!error) {
+@@ -487,6 +490,7 @@ int hibernation_restore(int platform_mod
+ dpm_resume_end(PMSG_RECOVER);
+ }
+ pm_restore_gfp_mask();
++ ftrace_start();
+ resume_console();
+ pm_restore_console();
+ return error;
+@@ -513,6 +517,7 @@ int hibernation_platform_enter(void)
+
+ entering_platform_hibernation = true;
+ suspend_console();
++ ftrace_stop();
+ error = dpm_suspend_start(PMSG_HIBERNATE);
+ if (error) {
+ if (hibernation_ops->recover)
+@@ -556,6 +561,7 @@ int hibernation_platform_enter(void)
+ Resume_devices:
+ entering_platform_hibernation = false;
+ dpm_resume_end(PMSG_RESTORE);
++ ftrace_start();
+ resume_console();
+
+ Close:
+--- a/kernel/power/suspend.c
++++ b/kernel/power/suspend.c
+@@ -24,6 +24,7 @@
+ #include <linux/export.h>
+ #include <linux/suspend.h>
+ #include <linux/syscore_ops.h>
++#include <linux/ftrace.h>
+ #include <trace/events/power.h>
+
+ #include "power.h"
+@@ -212,6 +213,7 @@ int suspend_devices_and_enter(suspend_st
+ goto Close;
+ }
+ suspend_console();
++ ftrace_stop();
+ suspend_test_start();
+ error = dpm_suspend_start(PMSG_SUSPEND);
+ if (error) {
+@@ -231,6 +233,7 @@ int suspend_devices_and_enter(suspend_st
+ suspend_test_start();
+ dpm_resume_end(PMSG_RESUME);
+ suspend_test_finish("resume devices");
++ ftrace_start();
+ resume_console();
+ Close:
+ if (suspend_ops->end)
--- /dev/null
+From e19ebcab01cc130fa832764d453b263460ec3b91 Mon Sep 17 00:00:00 2001
+From: Ilan Peer <ilan.peer@intel.com>
+Date: Thu, 10 May 2012 15:53:14 +0300
+Subject: iwlwifi: Check BSS ctx active before call mac80211
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+commit e19ebcab01cc130fa832764d453b263460ec3b91 upstream.
+
+It is possible that the BSS context is not active (for example
+when the current mode is set to GO), or that the vif->type is
+different than station. In such a case we cannot
+call mac80211 to report the average rssi for the interface
+(the function assumes that the vif is valid and that the type
+is station).
+
+Reported-by: Daniel J Blueman <daniel@quora.org>
+Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/iwl-agn-lib.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
+@@ -617,6 +617,11 @@ static bool iwlagn_fill_txpower_mode(str
+ struct iwl_rxon_context *ctx = &priv->contexts[IWL_RXON_CTX_BSS];
+ int ave_rssi;
+
++ if (!ctx->vif || (ctx->vif->type != NL80211_IFTYPE_STATION)) {
++ IWL_DEBUG_INFO(priv, "BSS ctx not active or not in sta mode\n");
++ return false;
++ }
++
+ ave_rssi = ieee80211_ave_rssi(ctx->vif);
+ if (!ave_rssi) {
+ /* no rssi data, no changes to reduce tx power */
--- /dev/null
+From a35e270881a5db1ec9ac8bc6d61ebc3e85c14f33 Mon Sep 17 00:00:00 2001
+From: Meenakshi Venkataraman <meenakshi.venkataraman@intel.com>
+Date: Wed, 16 May 2012 22:40:50 +0200
+Subject: iwlwifi: fix debug print in iwl_sta_calc_ht_flags
+
+From: Meenakshi Venkataraman <meenakshi.venkataraman@intel.com>
+
+commit a35e270881a5db1ec9ac8bc6d61ebc3e85c14f33 upstream.
+
+We missed passing an argument to the
+debug print. Fix it.
+
+Signed-off-by: Meenakshi Venkataraman <meenakshi.venkataraman@intel.com>
+Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/iwl-agn-sta.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
+@@ -236,6 +236,7 @@ static void iwl_sta_calc_ht_flags(struct
+ mimo_ps_mode = (sta_ht_inf->cap & IEEE80211_HT_CAP_SM_PS) >> 2;
+
+ IWL_DEBUG_INFO(priv, "STA %pM SM PS mode: %s\n",
++ sta->addr,
+ (mimo_ps_mode == WLAN_HT_CAP_SM_PS_STATIC) ?
+ "static" :
+ (mimo_ps_mode == WLAN_HT_CAP_SM_PS_DYNAMIC) ?
--- /dev/null
+From dac211ec10d268b9d09000093a9fa2ac1773894f Mon Sep 17 00:00:00 2001
+From: Eliad Peller <eliad@wizery.com>
+Date: Sun, 13 May 2012 18:07:04 +0300
+Subject: mac80211: fail authentication when AP denied authentication
+
+From: Eliad Peller <eliad@wizery.com>
+
+commit dac211ec10d268b9d09000093a9fa2ac1773894f upstream.
+
+ieee80211_rx_mgmt_auth() doesn't handle denied authentication
+properly - it authenticates the station and waits for association
+(for 5 seconds) instead of failing the authentication.
+
+Fix it by destroying auth_data and bailing out instead.
+
+Signed-off-by: Eliad Peller <eliad@wizery.com>
+Acked-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mlme.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1805,7 +1805,8 @@ ieee80211_rx_mgmt_auth(struct ieee80211_
+ if (status_code != WLAN_STATUS_SUCCESS) {
+ printk(KERN_DEBUG "%s: %pM denied authentication (status %d)\n",
+ sdata->name, mgmt->sa, status_code);
+- goto out;
++ ieee80211_destroy_auth_data(sdata, false);
++ return RX_MGMT_CFG80211_RX_AUTH;
+ }
+
+ switch (ifmgd->auth_data->algorithm) {
+@@ -1827,7 +1828,6 @@ ieee80211_rx_mgmt_auth(struct ieee80211_
+ }
+
+ printk(KERN_DEBUG "%s: authenticated\n", sdata->name);
+- out:
+ ifmgd->auth_data->done = true;
+ ifmgd->auth_data->timeout = jiffies + IEEE80211_AUTH_WAIT_ASSOC;
+ run_again(ifmgd, ifmgd->auth_data->timeout);
--- /dev/null
+From a6f38ac3cc853189705006cc1e0f17ce8467a1df Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 4 Jul 2012 12:49:59 +0200
+Subject: mac80211: fix crash with single-queue drivers
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit a6f38ac3cc853189705006cc1e0f17ce8467a1df upstream.
+
+Larry (and some others I think) reported that with
+single-queue drivers mac80211 crashes when waking
+the queues. This happens because we allocate just
+a single queue for each virtual interface in case
+the driver doesn't have at least 4 queues, but the
+code stopping/waking the virtual interface queues
+wasn't taking this into account.
+
+Reported-by: Larry Finger <Larry.Finger@lwfinger.net>
+Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/util.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -268,6 +268,10 @@ EXPORT_SYMBOL(ieee80211_ctstoself_durati
+ void ieee80211_propagate_queue_wake(struct ieee80211_local *local, int queue)
+ {
+ struct ieee80211_sub_if_data *sdata;
++ int n_acs = IEEE80211_NUM_ACS;
++
++ if (local->hw.queues < IEEE80211_NUM_ACS)
++ n_acs = 1;
+
+ list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+ int ac;
+@@ -279,7 +283,7 @@ void ieee80211_propagate_queue_wake(stru
+ local->queue_stop_reasons[sdata->vif.cab_queue] != 0)
+ continue;
+
+- for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
++ for (ac = 0; ac < n_acs; ac++) {
+ int ac_queue = sdata->vif.hw_queue[ac];
+
+ if (ac_queue == queue ||
+@@ -341,6 +345,7 @@ static void __ieee80211_stop_queue(struc
+ {
+ struct ieee80211_local *local = hw_to_local(hw);
+ struct ieee80211_sub_if_data *sdata;
++ int n_acs = IEEE80211_NUM_ACS;
+
+ trace_stop_queue(local, queue, reason);
+
+@@ -352,11 +357,14 @@ static void __ieee80211_stop_queue(struc
+
+ __set_bit(reason, &local->queue_stop_reasons[queue]);
+
++ if (local->hw.queues < IEEE80211_NUM_ACS)
++ n_acs = 1;
++
+ rcu_read_lock();
+ list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+ int ac;
+
+- for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
++ for (ac = 0; ac < n_acs; ac++) {
+ if (sdata->vif.hw_queue[ac] == queue ||
+ sdata->vif.cab_queue == queue)
+ netif_stop_subqueue(sdata->dev, ac);
--- /dev/null
+From 353d09c6ceedc1cb0c54fe5002c0ca80b6ee6e4f Mon Sep 17 00:00:00 2001
+From: Christian Lamparter <chunkeey@googlemail.com>
+Date: Sat, 7 Jul 2012 15:07:13 +0200
+Subject: mac80211: fix read outside array bounds
+
+From: Christian Lamparter <chunkeey@googlemail.com>
+
+commit 353d09c6ceedc1cb0c54fe5002c0ca80b6ee6e4f upstream.
+
+ieee802_1d_to_ac is defined as a const int[8],
+but the tid parameter has a range from 0 to 15.
+
+Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -2733,7 +2733,7 @@ EXPORT_SYMBOL(ieee80211_get_buffered_bc)
+ void ieee80211_tx_skb_tid(struct ieee80211_sub_if_data *sdata,
+ struct sk_buff *skb, int tid)
+ {
+- int ac = ieee802_1d_to_ac[tid];
++ int ac = ieee802_1d_to_ac[tid & 7];
+
+ skb_set_mac_header(skb, 0);
+ skb_set_network_header(skb, 0);
--- /dev/null
+From 064b021fbe470ecc9ca10f9f87af48c0fc0865fb Mon Sep 17 00:00:00 2001
+From: Colin Cross <ccross@android.com>
+Date: Thu, 19 Jul 2012 10:38:06 +0200
+Subject: PM / Sleep: call early resume handlers when suspend_noirq fails
+
+From: Colin Cross <ccross@android.com>
+
+commit 064b021fbe470ecc9ca10f9f87af48c0fc0865fb upstream.
+
+Commit cf579dfb82550e34de7ccf3ef090d8b834ccd3a9 (PM / Sleep: Introduce
+"late suspend" and "early resume" of devices) introduced a bug where
+suspend_late handlers would be called, but if dpm_suspend_noirq returned
+an error the early_resume handlers would never be called. All devices
+would end up on the dpm_late_early_list, and would never be resumed
+again.
+
+Fix it by calling dpm_resume_early when dpm_suspend_noirq returns
+an error.
+
+Signed-off-by: Colin Cross <ccross@android.com>
+Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/power/main.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -989,8 +989,16 @@ static int dpm_suspend_late(pm_message_t
+ int dpm_suspend_end(pm_message_t state)
+ {
+ int error = dpm_suspend_late(state);
++ if (error)
++ return error;
+
+- return error ? : dpm_suspend_noirq(state);
++ error = dpm_suspend_noirq(state);
++ if (error) {
++ dpm_resume_early(state);
++ return error;
++ }
++
++ return 0;
+ }
+ EXPORT_SYMBOL_GPL(dpm_suspend_end);
+
--- /dev/null
+From 11388c87d2abca1f01975ced28ce9eacea239104 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rjw@sisk.pl>
+Date: Thu, 19 Jul 2012 00:00:58 +0200
+Subject: PM / Sleep: Require CAP_BLOCK_SUSPEND to use wake_lock/wake_unlock
+
+From: "Rafael J. Wysocki" <rjw@sisk.pl>
+
+commit 11388c87d2abca1f01975ced28ce9eacea239104 upstream.
+
+Require processes wanting to use the wake_lock/wake_unlock sysfs
+files to have the CAP_BLOCK_SUSPEND capability, which also is
+required for the eventpoll EPOLLWAKEUP flag to be effective, so that
+all interfaces related to blocking autosleep depend on the same
+capability.
+
+Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
+Acked-by: Michael Kerrisk <mtk.man-pages@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/power/wakelock.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/kernel/power/wakelock.c
++++ b/kernel/power/wakelock.c
+@@ -9,6 +9,7 @@
+ * manipulate wakelocks on Android.
+ */
+
++#include <linux/capability.h>
+ #include <linux/ctype.h>
+ #include <linux/device.h>
+ #include <linux/err.h>
+@@ -188,6 +189,9 @@ int pm_wake_lock(const char *buf)
+ size_t len;
+ int ret = 0;
+
++ if (!capable(CAP_BLOCK_SUSPEND))
++ return -EPERM;
++
+ while (*str && !isspace(*str))
+ str++;
+
+@@ -231,6 +235,9 @@ int pm_wake_unlock(const char *buf)
+ size_t len;
+ int ret = 0;
+
++ if (!capable(CAP_BLOCK_SUSPEND))
++ return -EPERM;
++
+ len = strlen(buf);
+ if (!len)
+ return -EINVAL;
x86-mce-fix-siginfo_t-si_addr-value-for-non-recoverable-memory-faults.patch
locks-fix-checking-of-fcntl_setlease-argument.patch
batman-adv-fix-skb-data-assignment.patch
+ftrace-disable-function-tracing-during-suspend-resume-and-hibernation-again.patch
+pm-sleep-require-cap_block_suspend-to-use-wake_lock-wake_unlock.patch
+pm-sleep-call-early-resume-handlers-when-suspend_noirq-fails.patch
+tpm-chip-disabled-state-erronously-being-reported-as-error.patch
+tun-fix-a-crash-bug-and-a-memory-leak.patch
+mac80211-fix-crash-with-single-queue-drivers.patch
+b43-fix-crash-with-openfwwf.patch
+mac80211-fix-read-outside-array-bounds.patch
+mac80211-fail-authentication-when-ap-denied-authentication.patch
+iwlwifi-check-bss-ctx-active-before-call-mac80211.patch
+iwlwifi-fix-debug-print-in-iwl_sta_calc_ht_flags.patch
--- /dev/null
+From 24ebe6670de3d1f0dca11c9eb372134c7ab05503 Mon Sep 17 00:00:00 2001
+From: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
+Date: Tue, 24 Apr 2012 17:38:17 -0300
+Subject: TPM: chip disabled state erronously being reported as error
+
+From: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
+
+commit 24ebe6670de3d1f0dca11c9eb372134c7ab05503 upstream.
+
+tpm_do_selftest() attempts to read a PCR in order to
+decide if one can rely on the TPM being used or not.
+The function that's used by __tpm_pcr_read() does not
+expect the TPM to be disabled or deactivated, and if so,
+reports an error.
+
+It's fine if the TPM returns this error when trying to
+use it for the first time after a power cycle, but it's
+definitely not if it already returned success for a
+previous attempt to read one of its PCRs.
+
+The tpm_do_selftest() was modified so that the driver only
+reports this return code as an error when it really is.
+
+Reported-and-tested-by: Paul Bolle <pebolle@tiscali.nl>
+Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm.c
++++ b/drivers/char/tpm/tpm.c
+@@ -827,10 +827,10 @@ EXPORT_SYMBOL_GPL(tpm_pcr_extend);
+ int tpm_do_selftest(struct tpm_chip *chip)
+ {
+ int rc;
+- u8 digest[TPM_DIGEST_SIZE];
+ unsigned int loops;
+ unsigned int delay_msec = 1000;
+ unsigned long duration;
++ struct tpm_cmd_t cmd;
+
+ duration = tpm_calc_ordinal_duration(chip,
+ TPM_ORD_CONTINUE_SELFTEST);
+@@ -845,7 +845,15 @@ int tpm_do_selftest(struct tpm_chip *chi
+ return rc;
+
+ do {
+- rc = __tpm_pcr_read(chip, 0, digest);
++ /* Attempt to read a PCR value */
++ cmd.header.in = pcrread_header;
++ cmd.params.pcrread_in.pcr_idx = cpu_to_be32(0);
++ rc = tpm_transmit(chip, (u8 *) &cmd, READ_PCR_RESULT_SIZE);
++
++ if (rc < TPM_HEADER_SIZE)
++ return -EFAULT;
++
++ rc = be32_to_cpu(cmd.header.out.return_code);
+ if (rc == TPM_ERR_DISABLED || rc == TPM_ERR_DEACTIVATED) {
+ dev_info(chip->dev,
+ "TPM is disabled/deactivated (0x%X)\n", rc);
--- /dev/null
+From b09e786bd1dd66418b69348cb110f3a64764626a Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
+Date: Thu, 19 Jul 2012 06:13:36 +0000
+Subject: tun: fix a crash bug and a memory leak
+
+From: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
+
+commit b09e786bd1dd66418b69348cb110f3a64764626a upstream.
+
+This patch fixes a crash
+tun_chr_close -> netdev_run_todo -> tun_free_netdev -> sk_release_kernel ->
+sock_release -> iput(SOCK_INODE(sock))
+introduced by commit 1ab5ecb90cb6a3df1476e052f76a6e8f6511cb3d
+
+The problem is that this socket is embedded in struct tun_struct, it has
+no inode, iput is called on invalid inode, which modifies invalid memory
+and optionally causes a crash.
+
+sock_release also decrements sockets_in_use, this causes a bug that
+"sockets: used" field in /proc/*/net/sockstat keeps on decreasing when
+creating and closing tun devices.
+
+This patch introduces a flag SOCK_EXTERNALLY_ALLOCATED that instructs
+sock_release to not free the inode and not decrement sockets_in_use,
+fixing both memory corruption and sockets_in_use underflow.
+
+It should be backported to 3.3 an 3.4 stabke.
+
+Signed-off-by: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/tun.c | 3 +++
+ include/linux/net.h | 1 +
+ net/socket.c | 3 +++
+ 3 files changed, 7 insertions(+)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -358,6 +358,8 @@ static void tun_free_netdev(struct net_d
+ {
+ struct tun_struct *tun = netdev_priv(dev);
+
++ BUG_ON(!test_bit(SOCK_EXTERNALLY_ALLOCATED, &tun->socket.flags));
++
+ sk_release_kernel(tun->socket.sk);
+ }
+
+@@ -1115,6 +1117,7 @@ static int tun_set_iff(struct net *net,
+ tun->flags = flags;
+ tun->txflt.count = 0;
+ tun->vnet_hdr_sz = sizeof(struct virtio_net_hdr);
++ set_bit(SOCK_EXTERNALLY_ALLOCATED, &tun->socket.flags);
+
+ err = -ENOMEM;
+ sk = sk_alloc(&init_net, AF_UNSPEC, GFP_KERNEL, &tun_proto);
+--- a/include/linux/net.h
++++ b/include/linux/net.h
+@@ -72,6 +72,7 @@ struct net;
+ #define SOCK_NOSPACE 2
+ #define SOCK_PASSCRED 3
+ #define SOCK_PASSSEC 4
++#define SOCK_EXTERNALLY_ALLOCATED 5
+
+ #ifndef ARCH_HAS_SOCKET_TYPES
+ /**
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -522,6 +522,9 @@ void sock_release(struct socket *sock)
+ if (rcu_dereference_protected(sock->wq, 1)->fasync_list)
+ printk(KERN_ERR "sock_release: fasync list not empty!\n");
+
++ if (test_bit(SOCK_EXTERNALLY_ALLOCATED, &sock->flags))
++ return;
++
+ this_cpu_sub(sockets_in_use, 1);
+ if (!sock->file) {
+ iput(SOCK_INODE(sock));
projects / thirdparty / kernel / stable-queue.git / commitdiff
