--- /dev/null
+From c7abf25af0f41be4b50d44c5b185d52eea360cb8 Mon Sep 17 00:00:00 2001
+From: Karl Beldan <karl.beldan@rivierawaves.com>
+Date: Mon, 13 Oct 2014 14:34:41 +0200
+Subject: mac80211: fix typo in starting baserate for rts_cts_rate_idx
+
+From: Karl Beldan <karl.beldan@rivierawaves.com>
+
+commit c7abf25af0f41be4b50d44c5b185d52eea360cb8 upstream.
+
+It affects non-(V)HT rates and can lead to selecting an rts_cts rate
+that is not a basic rate or way superior to the reference rate (ATM
+rates[0] used for the 1st attempt of the protected frame data).
+
+E.g, assuming drivers register growing (bitrate) sorted tables of
+ieee80211_rate-s, having :
+- rates[0].idx == d'2 and basic_rates == b'10100
+will select rts_cts idx b'10011 & ~d'(BIT(2)-1), i.e. 1, likewise
+- rates[0].idx == d'2 and basic_rates == b'10001
+will select rts_cts idx b'10000
+The first is not a basic rate and the second is > rates[0].
+
+Also, wrt severity of the addressed misbehavior, ATM we only have one
+rts_cts_rate_idx rather than one per rate table entry, so this idx might
+still point to bitrates > rates[1..MAX_RATES].
+
+Fixes: 5253ffb8c9e1 ("mac80211: always pick a basic rate to tx RTS/CTS for pre-HT rates")
+Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -462,7 +462,7 @@ static void rate_fixup_ratelist(struct i
+ */
+ if (!(rates[0].flags & IEEE80211_TX_RC_MCS)) {
+ u32 basic_rates = vif->bss_conf.basic_rates;
+- s8 baserate = basic_rates ? ffs(basic_rates - 1) : 0;
++ s8 baserate = basic_rates ? ffs(basic_rates) - 1 : 0;
+
+ rate = &sband->bitrates[rates[0].idx];
+
--- /dev/null
+From 94fb823fcb4892614f57e59601bb9d4920f24711 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Fri, 24 Oct 2014 20:29:10 +0300
+Subject: PM / Sleep: fix recovery during resuming from hibernation
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit 94fb823fcb4892614f57e59601bb9d4920f24711 upstream.
+
+If a device's dev_pm_ops::freeze callback fails during the QUIESCE
+phase, we don't rollback things correctly calling the thaw and complete
+callbacks. This could leave some devices in a suspended state in case of
+an error during resuming from hibernation.
+
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/power/hibernate.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -492,8 +492,14 @@ int hibernation_restore(int platform_mod
+ error = dpm_suspend_start(PMSG_QUIESCE);
+ if (!error) {
+ error = resume_target_kernel(platform_mode);
+- dpm_resume_end(PMSG_RECOVER);
++ /*
++ * The above should either succeed and jump to the new kernel,
++ * or return with an error. Otherwise things are just
++ * undefined, so let's be paranoid.
++ */
++ BUG_ON(!error);
+ }
++ dpm_resume_end(PMSG_RECOVER);
+ pm_restore_gfp_mask();
+ ftrace_start();
+ resume_console();
--- /dev/null
+From 6891c4509c792209c44ced55a60f13954cb50ef4 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sat, 4 Oct 2014 23:06:39 +0200
+Subject: posix-timers: Fix stack info leak in timer_create()
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 6891c4509c792209c44ced55a60f13954cb50ef4 upstream.
+
+If userland creates a timer without specifying a sigevent info, we'll
+create one ourself, using a stack local variable. Particularly will we
+use the timer ID as sival_int. But as sigev_value is a union containing
+a pointer and an int, that assignment will only partially initialize
+sigev_value on systems where the size of a pointer is bigger than the
+size of an int. On such systems we'll copy the uninitialized stack bytes
+from the timer_create() call to userland when the timer actually fires
+and we're going to deliver the signal.
+
+Initialize sigev_value with 0 to plug the stack info leak.
+
+Found in the PaX patch, written by the PaX Team.
+
+Fixes: 5a9fa7307285 ("posix-timers: kill ->it_sigev_signo and...")
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Brad Spengler <spender@grsecurity.net>
+Cc: PaX Team <pageexec@freemail.hu>
+Link: http://lkml.kernel.org/r/1412456799-32339-1-git-send-email-minipli@googlemail.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/posix-timers.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/posix-timers.c
++++ b/kernel/posix-timers.c
+@@ -634,6 +634,7 @@ SYSCALL_DEFINE3(timer_create, const cloc
+ goto out;
+ }
+ } else {
++ memset(&event.sigev_value, 0, sizeof(event.sigev_value));
+ event.sigev_notify = SIGEV_SIGNAL;
+ event.sigev_signo = SIGALRM;
+ event.sigev_value.sival_int = new_timer->it_id;
pci-rename-sysfs-enabled-file-back-to-enable.patch
quota-properly-return-errors-from-dquot_writeback_dquots.patch
xfs-avoid-false-quotacheck-after-unclean-shutdown.patch
+tty-fix-high-cpu-load-if-tty-is-unreleaseable.patch
+pm-sleep-fix-recovery-during-resuming-from-hibernation.patch
+mac80211-fix-typo-in-starting-baserate-for-rts_cts_rate_idx.patch
+posix-timers-fix-stack-info-leak-in-timer_create.patch
+x86-apic-handle-a-bad-tsc-more-gracefully.patch
--- /dev/null
+From 37b164578826406a173ca7c20d9ba7430134d23e Mon Sep 17 00:00:00 2001
+From: Peter Hurley <peter@hurleysoftware.com>
+Date: Thu, 16 Oct 2014 13:51:30 -0400
+Subject: tty: Fix high cpu load if tty is unreleaseable
+
+From: Peter Hurley <peter@hurleysoftware.com>
+
+commit 37b164578826406a173ca7c20d9ba7430134d23e upstream.
+
+Kernel oops can cause the tty to be unreleaseable (for example, if
+n_tty_read() crashes while on the read_wait queue). This will cause
+tty_release() to endlessly loop without sleeping.
+
+Use a killable sleep timeout which grows by 2n+1 jiffies over the interval
+[0, 120 secs.) and then jumps to forever (but still killable).
+
+NB: killable just allows for the task to be rewoken manually, not
+to be terminated.
+
+Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/tty_io.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -1701,6 +1701,7 @@ int tty_release(struct inode *inode, str
+ int pty_master, tty_closing, o_tty_closing, do_sleep;
+ int idx;
+ char buf[64];
++ long timeout = 0;
+
+ if (tty_paranoia_check(tty, inode, __func__))
+ return 0;
+@@ -1785,7 +1786,11 @@ int tty_release(struct inode *inode, str
+ __func__, tty_name(tty, buf));
+ tty_unlock_pair(tty, o_tty);
+ mutex_unlock(&tty_mutex);
+- schedule();
++ schedule_timeout_killable(timeout);
++ if (timeout < 120 * HZ)
++ timeout = 2 * timeout + 1;
++ else
++ timeout = MAX_SCHEDULE_TIMEOUT;
+ }
+
+ /*
--- /dev/null
+From b47dcbdc5161d3d5756f430191e2840d9b855492 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Wed, 15 Oct 2014 10:12:07 -0700
+Subject: x86, apic: Handle a bad TSC more gracefully
+
+From: Andy Lutomirski <luto@amacapital.net>
+
+commit b47dcbdc5161d3d5756f430191e2840d9b855492 upstream.
+
+If the TSC is unusable or disabled, then this patch fixes:
+
+ - Confusion while trying to clear old APIC interrupts.
+ - Division by zero and incorrect programming of the TSC deadline
+ timer.
+
+This fixes boot if the CPU has a TSC deadline timer but a missing or
+broken TSC. The failure to boot can be observed with qemu using
+-cpu qemu64,-tsc,+tsc-deadline
+
+This also happens to me in nested KVM for unknown reasons.
+With this patch, I can boot cleanly (although without a TSC).
+
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Cc: Bandan Das <bsd@redhat.com>
+Link: http://lkml.kernel.org/r/e2fa274e498c33988efac0ba8b7e3120f7f92d78.1413393027.git.luto@amacapital.net
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/apic.c | 4 ++--
+ arch/x86/kernel/tsc.c | 5 ++++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1290,7 +1290,7 @@ void setup_local_APIC(void)
+ unsigned int value, queued;
+ int i, j, acked = 0;
+ unsigned long long tsc = 0, ntsc;
+- long long max_loops = cpu_khz;
++ long long max_loops = cpu_khz ? cpu_khz : 1000000;
+
+ if (cpu_has_tsc)
+ rdtscll(tsc);
+@@ -1387,7 +1387,7 @@ void setup_local_APIC(void)
+ break;
+ }
+ if (queued) {
+- if (cpu_has_tsc) {
++ if (cpu_has_tsc && cpu_khz) {
+ rdtscll(ntsc);
+ max_loops = (cpu_khz << 10) - (ntsc - tsc);
+ } else
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -1173,14 +1173,17 @@ void __init tsc_init(void)
+
+ x86_init.timers.tsc_pre_init();
+
+- if (!cpu_has_tsc)
++ if (!cpu_has_tsc) {
++ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER);
+ return;
++ }
+
+ tsc_khz = x86_platform.calibrate_tsc();
+ cpu_khz = tsc_khz;
+
+ if (!tsc_khz) {
+ mark_tsc_unstable("could not calculate TSC khz");
++ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER);
+ return;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
