3.2-stable patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Mon, 23 Jan 2012 20:11:00 +0000 (12:11 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 23 Jan 2012 20:11:00 +0000 (12:11 -0800)
added patches:
cifs-lower-default-wsize-when-unix-extensions-are-not-used.patch
iwlagn-check-for-smps-mode.patch
iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch
kprobes-initialize-before-using-a-hlist.patch
mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch
proc-clear_refs-do-not-clear-reserved-pages.patch
score-fix-off-by-one-index-into-syscall-table.patch

queue-3.2/cifs-lower-default-wsize-when-unix-extensions-are-not-used.patch [new file with mode: 0644]
queue-3.2/iwlagn-check-for-smps-mode.patch [new file with mode: 0644]
queue-3.2/iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch [new file with mode: 0644]
queue-3.2/kprobes-initialize-before-using-a-hlist.patch [new file with mode: 0644]
queue-3.2/mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch [new file with mode: 0644]
queue-3.2/proc-clear_refs-do-not-clear-reserved-pages.patch [new file with mode: 0644]
queue-3.2/score-fix-off-by-one-index-into-syscall-table.patch [new file with mode: 0644]
queue-3.2/series

diff --git a/queue-3.2/cifs-lower-default-wsize-when-unix-extensions-are-not-used.patch b/queue-3.2/cifs-lower-default-wsize-when-unix-extensions-are-not-used.patch
new file mode 100644 (file)
index 0000000..73fd884
--- /dev/null
@@ -0,0 +1,64 @@
+From ce91acb3acae26f4163c5a6f1f695d1a1e8d9009 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 17 Jan 2012 16:08:51 -0500
+Subject: cifs: lower default wsize when unix extensions are not used
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit ce91acb3acae26f4163c5a6f1f695d1a1e8d9009 upstream.
+
+We've had some reports of servers (namely, the Solaris in-kernel CIFS
+server) that don't deal properly with writes that are "too large" even
+though they set CAP_LARGE_WRITE_ANDX. Change the default to better
+mirror what windows clients do.
+
+Cc: Pavel Shilovsky <piastry@etersoft.ru>
+Reported-by: Nick Davis <phireph0x@yahoo.com>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/connect.c |   23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2914,18 +2914,33 @@ void cifs_setup_cifs_sb(struct smb_vol *
+ #define CIFS_DEFAULT_IOSIZE (1024 * 1024)
+ /*
+- * Windows only supports a max of 60k reads. Default to that when posix
+- * extensions aren't in force.
++ * Windows only supports a max of 60kb reads and 65535 byte writes. Default to
++ * those values when posix extensions aren't in force. In actuality here, we
++ * use 65536 to allow for a write that is a multiple of 4k. Most servers seem
++ * to be ok with the extra byte even though Windows doesn't send writes that
++ * are that large.
++ *
++ * Citation:
++ *
++ * http://blogs.msdn.com/b/openspecification/archive/2009/04/10/smb-maximum-transmit-buffer-size-and-performance-tuning.aspx
+  */
+ #define CIFS_DEFAULT_NON_POSIX_RSIZE (60 * 1024)
++#define CIFS_DEFAULT_NON_POSIX_WSIZE (65536)
+ static unsigned int
+ cifs_negotiate_wsize(struct cifs_tcon *tcon, struct smb_vol *pvolume_info)
+ {
+       __u64 unix_cap = le64_to_cpu(tcon->fsUnixInfo.Capability);
+       struct TCP_Server_Info *server = tcon->ses->server;
+-      unsigned int wsize = pvolume_info->wsize ? pvolume_info->wsize :
+-                              CIFS_DEFAULT_IOSIZE;
++      unsigned int wsize;
++
++      /* start with specified wsize, or default */
++      if (pvolume_info->wsize)
++              wsize = pvolume_info->wsize;
++      else if (tcon->unix_ext && (unix_cap & CIFS_UNIX_LARGE_WRITE_CAP))
++              wsize = CIFS_DEFAULT_IOSIZE;
++      else
++              wsize = CIFS_DEFAULT_NON_POSIX_WSIZE;
+       /* can server support 24-bit write sizes? (via UNIX extensions) */
+       if (!tcon->unix_ext || !(unix_cap & CIFS_UNIX_LARGE_WRITE_CAP))
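Review bot: The predicate `tcon->unix_ext && (unix_cap & CIFS_UNIX_LARGE_WRITE_CAP)` in the new `else if` is the exact negation of the existing check at the end of the hunk, `!tcon->unix_ext || !(unix_cap & CIFS_UNIX_LARGE_WRITE_CAP)`, so the capability test is now spelled twice in opposite forms and the two can drift apart. Hoisting it once, `bool large_writes = tcon->unix_ext && (unix_cap & CIFS_UNIX_LARGE_WRITE_CAP);`, and using `large_writes` in both places keeps them in step. The new `/* start with specified wsize, or default */` comment could also say that a mount-specified wsize is still subject to whatever cap follows the existing check, so readers do not assume the 65536 default is the only limit. The body of that trailing `if` and the rest of cifs_negotiate_wsize lie outside the hunk, so the cap itself cannot be verified here.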
diff --git a/queue-3.2/iwlagn-check-for-smps-mode.patch b/queue-3.2/iwlagn-check-for-smps-mode.patch
new file mode 100644 (file)
index 0000000..6e0cddd
--- /dev/null
@@ -0,0 +1,46 @@
+From b2ccccdca46273c7b321ecf5041c362cd950da20 Mon Sep 17 00:00:00 2001
+From: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+Date: Thu, 10 Nov 2011 06:55:04 -0800
+Subject: iwlagn: check for SMPS mode
+
+From: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+
+commit b2ccccdca46273c7b321ecf5041c362cd950da20 upstream.
+
+Check and report WARN only when its invalid
+
+Resolves:
+https://bugzilla.kernel.org/show_bug.cgi?id=42621
+https://bugzilla.redhat.com/show_bug.cgi?id=766071
+
+Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/iwlwifi/iwl-agn-lib.c  |    1 +
+ drivers/net/wireless/iwlwifi/iwl-agn-rxon.c |    3 +++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
+@@ -827,6 +827,7 @@ static int iwl_get_idle_rx_chain_count(s
+       case IEEE80211_SMPS_STATIC:
+       case IEEE80211_SMPS_DYNAMIC:
+               return IWL_NUM_IDLE_CHAINS_SINGLE;
++      case IEEE80211_SMPS_AUTOMATIC:
+       case IEEE80211_SMPS_OFF:
+               return active_cnt;
+       default:
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
+@@ -559,6 +559,9 @@ int iwlagn_mac_config(struct ieee80211_h
+       mutex_lock(&priv->shrd->mutex);
++      if (test_bit(STATUS_EXIT_PENDING, &priv->shrd->status))
++              goto out;
++
+       if (unlikely(test_bit(STATUS_SCANNING, &priv->shrd->status))) {
+               IWL_DEBUG_MAC80211(priv, "leave - scanning\n");
+               goto out;
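Review bot: The new bail-out on STATUS_EXIT_PENDING in iwlagn_mac_config (second file of the patch) jumps to `out` silently, whereas the neighbouring STATUS_SCANNING branch logs why it left; for consistency add `IWL_DEBUG_MAC80211(priv, "leave - exit pending\n");` before the `goto out;`. The commit message ("check and report WARN only when its invalid") does not explain this path, so a one-line comment such as `/* device is going away; skip RXON reconfiguration */` would help, though I am inferring the purpose, as the WARN the message refers to is not in the hunk. The value returned via `out` is set outside the hunk and cannot be checked here.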
diff --git a/queue-3.2/iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch b/queue-3.2/iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch
new file mode 100644 (file)
index 0000000..dcc66be
--- /dev/null
@@ -0,0 +1,57 @@
+From 68acc4afb040d98ddfd2cae0de09e2f4e1ee127f Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Fri, 23 Dec 2011 08:13:50 +0100
+Subject: iwlegacy: 3945: fix hw passive scan on radar channels
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit 68acc4afb040d98ddfd2cae0de09e2f4e1ee127f upstream.
+
+Patch fix firmware error on "iw dev wlan0 scan passive" for
+hardware scanning (with disable_hw_scan=0 module parameter).
+
+ iwl3945 0000:03:00.0: Microcode SW error detected. Restarting 0x82000008.
+ iwl3945 0000:03:00.0: Loaded firmware version: 15.32.2.9
+ iwl3945 0000:03:00.0: Start IWL Error Log Dump:
+ iwl3945 0000:03:00.0: Status: 0x0002A2E4, count: 1
+ iwl3945 0000:03:00.0: Desc       Time       asrtPC blink2 ilink1  nmiPC   Line
+ iwl3945 0000:03:00.0: SYSASSERT     (0x5) 0041263900 0x13756 0x0031C 0x00000 764
+ iwl3945 0000:03:00.0: Error Reply type 0x000002FC cmd C_SCAN (0x80) seq 0x443E ser 0x00340000
+ iwl3945 0000:03:00.0: Command C_SCAN failed: FW Error
+ iwl3945 0000:03:00.0: Can't stop Rx DMA.
+
+We have disable ability to change passive scanning to active on
+particular channel when traffic is detected on that channel. Otherwise
+firmware will report error, when we try to do passive scan on radar
+channels.
+
+Reported-and-debugged-by: Pedro Francisco <pedrogfrancisco@gmail.com>
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/iwlegacy/iwl3945-base.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/iwlegacy/iwl3945-base.c
++++ b/drivers/net/wireless/iwlegacy/iwl3945-base.c
+@@ -2656,14 +2656,13 @@ int iwl3945_request_scan(struct iwl_priv
+               IWL_WARN(priv, "Invalid scan band\n");
+               return -EIO;
+       }
+-
+       /*
+-       * If active scaning is requested but a certain channel
+-       * is marked passive, we can do active scanning if we
+-       * detect transmissions.
++       * If active scaning is requested but a certain channel is marked
++       * passive, we can do active scanning if we detect transmissions. For
++       * passive only scanning disable switching to active on any channel.
+        */
+       scan->good_CRC_th = is_active ? IWL_GOOD_CRC_TH_DEFAULT :
+-                                      IWL_GOOD_CRC_TH_DISABLED;
++                                      IWL_GOOD_CRC_TH_NEVER;
+       len = iwl_legacy_fill_probe_req(priv, (struct ieee80211_mgmt *)scan->data,
+                                       vif->addr, priv->scan_request->ie,
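Review bot: The rewritten comment in iwl3945_request_scan still carries the misspelling "scaning" in `* If active scaning is requested but a certain channel is marked`; since the commit already rewrites that line, fix it to `* If active scanning is requested but a certain channel is marked` in the same hunk. The reason passive-only scans must never switch to active is only in the commit message; adding one line to the comment, e.g. `* (the firmware asserts when a passive scan goes active on a radar channel)`, keeps that rationale next to the IWL_GOOD_CRC_TH_NEVER choice. iwl3945_request_scan starts and ends outside the hunk.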
diff --git a/queue-3.2/kprobes-initialize-before-using-a-hlist.patch b/queue-3.2/kprobes-initialize-before-using-a-hlist.patch
new file mode 100644 (file)
index 0000000..5ecef6a
--- /dev/null
@@ -0,0 +1,47 @@
+From d496aab567e7e52b3e974c9192a5de6e77dce32c Mon Sep 17 00:00:00 2001
+From: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
+Date: Fri, 20 Jan 2012 14:34:04 -0800
+Subject: kprobes: initialize before using a hlist
+
+From: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
+
+commit d496aab567e7e52b3e974c9192a5de6e77dce32c upstream.
+
+Commit ef53d9c5e ("kprobes: improve kretprobe scalability with hashed
+locking") introduced a bug where we can potentially leak
+kretprobe_instances since we initialize a hlist head after having used
+it.
+
+Initialize the hlist head before using it.
+
+Reported by: Jim Keniston <jkenisto@us.ibm.com>
+Acked-by: Jim Keniston <jkenisto@us.ibm.com>
+Signed-off-by: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
+Acked-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
+Cc: Srinivasa D S <srinivasa@in.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/kprobes.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1077,6 +1077,7 @@ void __kprobes kprobe_flush_task(struct
+               /* Early boot.  kretprobe_table_locks not yet initialized. */
+               return;
++      INIT_HLIST_HEAD(&empty_rp);
+       hash = hash_ptr(tk, KPROBE_HASH_BITS);
+       head = &kretprobe_inst_table[hash];
+       kretprobe_table_lock(hash, &flags);
+@@ -1085,7 +1086,6 @@ void __kprobes kprobe_flush_task(struct
+                       recycle_rp_inst(ri, &empty_rp);
+       }
+       kretprobe_table_unlock(hash, &flags);
+-      INIT_HLIST_HEAD(&empty_rp);
+       hlist_for_each_entry_safe(ri, node, tmp, &empty_rp, hlist) {
+               hlist_del(&ri->hlist);
+               kfree(ri);
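Review bot: Moving `INIT_HLIST_HEAD(&empty_rp);` ahead of the table walk in kprobe_flush_task fixes the ordering, but the list is still initialised at a distance from its declaration, which is how the original bug arose. Declaring it initialised, `HLIST_HEAD(empty_rp);`, in place of the plain declaration makes an uninitialised use impossible and drops the added statement; that declaration is above the hunk, so the change lies outside what is shown. The deletion in the second hunk is correct as is.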
diff --git a/queue-3.2/mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch b/queue-3.2/mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch
new file mode 100644 (file)
index 0000000..dd750e1
--- /dev/null
@@ -0,0 +1,88 @@
+From 687875fb7de4a95223af20ee024282fa9099f860 Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.cz>
+Date: Fri, 20 Jan 2012 14:33:55 -0800
+Subject: mm: fix NULL ptr dereference in __count_immobile_pages
+
+From: Michal Hocko <mhocko@suse.cz>
+
+commit 687875fb7de4a95223af20ee024282fa9099f860 upstream.
+
+Fix the following NULL ptr dereference caused by
+
+  cat /sys/devices/system/memory/memory0/removable
+
+Pid: 13979, comm: sed Not tainted 3.0.13-0.5-default #1 IBM BladeCenter LS21 -[7971PAM]-/Server Blade
+RIP: __count_immobile_pages+0x4/0x100
+Process sed (pid: 13979, threadinfo ffff880221c36000, task ffff88022e788480)
+Call Trace:
+  is_pageblock_removable_nolock+0x34/0x40
+  is_mem_section_removable+0x74/0xf0
+  show_mem_removable+0x41/0x70
+  sysfs_read_file+0xfe/0x1c0
+  vfs_read+0xc7/0x130
+  sys_read+0x53/0xa0
+  system_call_fastpath+0x16/0x1b
+
+We are crashing because we are trying to dereference NULL zone which
+came from pfn=0 (struct page ffffea0000000000). According to the boot
+log this page is marked reserved:
+e820 update range: 0000000000000000 - 0000000000010000 (usable) ==> (reserved)
+
+and early_node_map confirms that:
+early_node_map[3] active PFN ranges
+    1: 0x00000010 -> 0x0000009c
+    1: 0x00000100 -> 0x000bffa3
+    1: 0x00100000 -> 0x00240000
+
+The problem is that memory_present works in PAGE_SECTION_MASK aligned
+blocks so the reserved range sneaks into the the section as well.  This
+also means that free_area_init_node will not take care of those reserved
+pages and they stay uninitialized.
+
+When we try to read the removable status we walk through all available
+sections and hope that the zone is valid for all pages in the section.
+But this is not true in this case as the zone and nid are not initialized.
+
+We have only one node in this particular case and it is marked as node=1
+(rather than 0) and that made the problem visible because page_to_nid will
+return 0 and there are no zones on the node.
+
+Let's check that the zone is valid and that the given pfn falls into its
+boundaries and mark the section not removable.  This might cause some
+false positives, probably, but we do not have any sane way to find out
+whether the page is reserved by the platform or it is just not used for
+whatever other reasons.
+
+Signed-off-by: Michal Hocko <mhocko@suse.cz>
+Acked-by: Mel Gorman <mgorman@suse.de>
+Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: David Rientjes <rientjes@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/page_alloc.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -5608,6 +5608,17 @@ __count_immobile_pages(struct zone *zone
+ bool is_pageblock_removable_nolock(struct page *page)
+ {
+       struct zone *zone = page_zone(page);
++      unsigned long pfn = page_to_pfn(page);
++
++      /*
++       * We have to be careful here because we are iterating over memory
++       * sections which are not zone aware so we might end up outside of
++       * the zone but still within the section.
++       */
++      if (!zone || zone->zone_start_pfn > pfn ||
++                      zone->zone_start_pfn + zone->spanned_pages <= pfn)
++              return false;
++
+       return __count_immobile_pages(zone, page, 0);
+ }
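Review bot: The new comment in is_pageblock_removable_nolock explains the range check but not the `!zone` half, which per the commit message is the case that actually crashed: pfn 0 lies in a reserved range whose struct page was never initialised by free_area_init_node, so page_zone() can yield NULL. Add a sentence to the comment, e.g. `* The page may also never have been initialised (reserved by the platform), in which case page_zone() can return NULL.`. The commit message's caveat that this may report false positives is worth a short mention there too, since callers only see `false`.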
diff --git a/queue-3.2/proc-clear_refs-do-not-clear-reserved-pages.patch b/queue-3.2/proc-clear_refs-do-not-clear-reserved-pages.patch
new file mode 100644 (file)
index 0000000..c1ed305
--- /dev/null
@@ -0,0 +1,62 @@
+From 85e72aa5384b1a614563ad63257ded0e91d1a620 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Fri, 20 Jan 2012 14:34:09 -0800
+Subject: proc: clear_refs: do not clear reserved pages
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 85e72aa5384b1a614563ad63257ded0e91d1a620 upstream.
+
+/proc/pid/clear_refs is used to clear the Referenced and YOUNG bits for
+pages and corresponding page table entries of the task with PID pid, which
+includes any special mappings inserted into the page tables in order to
+provide things like vDSOs and user helper functions.
+
+On ARM this causes a problem because the vectors page is mapped as a
+global mapping and since ec706dab ("ARM: add a vma entry for the user
+accessible vector page"), a VMA is also inserted into each task for this
+page to aid unwinding through signals and syscall restarts.  Since the
+vectors page is required for handling faults, clearing the YOUNG bit (and
+subsequently writing a faulting pte) means that we lose the vectors page
+*globally* and cannot fault it back in.  This results in a system deadlock
+on the next exception.
+
+To see this problem in action, just run:
+
+       $ echo 1 > /proc/self/clear_refs
+
+on an ARM platform (as any user) and watch your system hang.  I think this
+has been the case since 2.6.37
+
+This patch avoids clearing the aforementioned bits for reserved pages,
+therefore leaving the vectors page intact on ARM.  Since reserved pages
+are not candidates for swap, this change should not have any impact on the
+usefulness of clear_refs.
+
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Reported-by: Moussa Ba <moussaba@micron.com>
+Acked-by: Hugh Dickins <hughd@google.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Russell King <rmk@arm.linux.org.uk>
+Acked-by: Nicolas Pitre <nico@linaro.org>
+Cc: Matt Mackall <mpm@selenic.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/proc/task_mmu.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -518,6 +518,9 @@ static int clear_refs_pte_range(pmd_t *p
+               if (!page)
+                       continue;
++              if (PageReserved(page))
++                      continue;
++
+               /* Clear accessed and referenced bits. */
+               ptep_test_and_clear_young(vma, addr, pte);
+               ClearPageReferenced(page);
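Review bot: The added `if (PageReserved(page)) continue;` in clear_refs_pte_range has no comment, and nothing around it says why reserved pages are exempt; the reasoning (reserved pages are not swap candidates, and on ARM the vectors page is a global mapping that cannot be faulted back in once its young bit is cleared) exists only in the commit message. A short comment above the check, e.g. `/* Reserved pages are never swapped; on ARM clearing the global vectors page would hang the system. */`, keeps that with the code. The enclosing loop starts above the hunk.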
diff --git a/queue-3.2/score-fix-off-by-one-index-into-syscall-table.patch b/queue-3.2/score-fix-off-by-one-index-into-syscall-table.patch
new file mode 100644 (file)
index 0000000..03b0ec2
--- /dev/null
@@ -0,0 +1,44 @@
+From c25a785d6647984505fa165b5cd84cfc9a95970b Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 20 Jan 2012 14:34:27 -0800
+Subject: score: fix off-by-one index into syscall table
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit c25a785d6647984505fa165b5cd84cfc9a95970b upstream.
+
+If the provided system call number is equal to __NR_syscalls, the
+current check will pass and a function pointer just after the system
+call table may be called, since sys_call_table is an array with total
+size __NR_syscalls.
+
+Whether or not this is a security bug depends on what the compiler puts
+immediately after the system call table.  It's likely that this won't do
+anything bad because there is an additional NULL check on the syscall
+entry, but if there happens to be a non-NULL value immediately after the
+system call table, this may result in local privilege escalation.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Cc: Chen Liqin <liqin.chen@sunplusct.com>
+Cc: Lennox Wu <lennox.wu@gmail.com>
+Cc: Eugene Teo <eugeneteo@kernel.sg>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/score/kernel/entry.S |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/score/kernel/entry.S
++++ b/arch/score/kernel/entry.S
+@@ -408,7 +408,7 @@ ENTRY(handle_sys)
+       sw      r9, [r0, PT_EPC]
+       cmpi.c  r27, __NR_syscalls      # check syscall number
+-      bgtu    illegal_syscall
++      bgeu    illegal_syscall
+       slli    r8, r27, 2              # get syscall routine
+       la      r11, sys_call_table
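Review bot: The `# check syscall number` comment beside `cmpi.c r27, __NR_syscalls` does not state that the bound is exclusive, which is exactly what the `bgtu`→`bgeu` change encodes; changing it to `# check syscall number: must be < __NR_syscalls` documents the invariant so the off-by-one is not reintroduced. Assuming the `u` suffix means an unsigned compare, it also rejects negative numbers, which is worth a word in the same comment. The handle_sys entry continues outside the hunk.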
index 4fc46aedaa3b00d89bc0bf32a9fd532f04082608..529d53ce5898b5fcd1f769eb626ca95cf6e18ab0 100644 (file)
@@ -118,3 +118,10 @@ ath9k_hw-fix-interpretation-of-the-rx-keymiss-flag.patch
 rt2800pci-fix-spurious-interrupts-generation.patch
 xfs-fix-endian-conversion-issue-in-discard-code.patch
 i2c-eg20t-modified-the-setting-of-transfer-rate.patch
+score-fix-off-by-one-index-into-syscall-table.patch
+cifs-lower-default-wsize-when-unix-extensions-are-not-used.patch
+kprobes-initialize-before-using-a-hlist.patch
+proc-clear_refs-do-not-clear-reserved-pages.patch
+mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch
+iwlagn-check-for-smps-mode.patch
+iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch