--- /dev/null
+From 2eb7f204db51969ea558802a6601d79c2fb273b9 Mon Sep 17 00:00:00 2001
+From: Joe Perches <joe@perches.com>
+Date: Fri, 9 Dec 2011 14:12:00 -0800
+Subject: Documentation: Update stable address
+
+From: Joe Perches <joe@perches.com>
+
+commit 2eb7f204db51969ea558802a6601d79c2fb273b9 upstream.
+
+The Japanese/Korean/Chinese versions still need updating.
+
+Also, the stable kernel 2.6.x.y descriptions are out of date
+and should be updated as well.
+
+Signed-off-by: Joe Perches <joe@perches.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ Documentation/HOWTO | 4 ++--
+ Documentation/development-process/5.Posting | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/Documentation/HOWTO
++++ b/Documentation/HOWTO
+@@ -275,8 +275,8 @@ versions.
+ If no 2.6.x.y kernel is available, then the highest numbered 2.6.x
+ kernel is the current stable kernel.
+
+-2.6.x.y are maintained by the "stable" team <stable@kernel.org>, and are
+-released as needs dictate. The normal release period is approximately
++2.6.x.y are maintained by the "stable" team <stable@vger.kernel.org>, and
++are released as needs dictate. The normal release period is approximately
+ two weeks, but it can be longer if there are no pressing problems. A
+ security-related problem, instead, can cause a release to happen almost
+ instantly.
+--- a/Documentation/development-process/5.Posting
++++ b/Documentation/development-process/5.Posting
+@@ -271,10 +271,10 @@ copies should go to:
+ the linux-kernel list.
+
+ - If you are fixing a bug, think about whether the fix should go into the
+- next stable update. If so, stable@kernel.org should get a copy of the
+- patch. Also add a "Cc: stable@kernel.org" to the tags within the patch
+- itself; that will cause the stable team to get a notification when your
+- fix goes into the mainline.
++ next stable update. If so, stable@vger.kernel.org should get a copy of
++ the patch. Also add a "Cc: stable@vger.kernel.org" to the tags within
++ the patch itself; that will cause the stable team to get a notification
++ when your fix goes into the mainline.
+
+ When selecting recipients for a patch, it is good to have an idea of who
+ you think will eventually accept the patch and get it merged. While it
--- /dev/null
+From eea915bb0d1358755f151eaefb8208a2d5f3e10c Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Mon, 2 Jan 2012 15:31:23 -0500
+Subject: firmware: Fix an oops on reading fw_priv->fw in sysfs loading file
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+commit eea915bb0d1358755f151eaefb8208a2d5f3e10c upstream.
+
+This oops was reported recently:
+firmware_loading_store+0xf9/0x17b
+dev_attr_store+0x20/0x22
+sysfs_write_file+0x101/0x134
+vfs_write+0xac/0xf3
+sys_write+0x4a/0x6e
+system_call_fastpath+0x16/0x1b
+
+The complete backtrace was unfortunately not captured, but details can be found
+here:
+https://bugzilla.redhat.com/show_bug.cgi?id=769920
+
+The cause is fairly clear.
+
+Its caused by the fact that firmware_loading_store has a case 0 in its
+switch statement that reads and writes the fw_priv->fw poniter without the
+protection of the fw_lock mutex. since there is a window between the time that
+_request_firmware sets fw_priv->fw to NULL and the time the corresponding sysfs
+file is unregistered, its possible for a user space application to race in, and
+write a zero to the loading file, causing a NULL dereference in
+firmware_loading_store. Fix it by extending the protection of the fw_lock mutex
+to cover all of the firware_loading_store function.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/base/firmware_class.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -226,13 +226,13 @@ static ssize_t firmware_loading_store(st
+ int loading = simple_strtol(buf, NULL, 10);
+ int i;
+
++ mutex_lock(&fw_lock);
++
++ if (!fw_priv->fw)
++ goto out;
++
+ switch (loading) {
+ case 1:
+- mutex_lock(&fw_lock);
+- if (!fw_priv->fw) {
+- mutex_unlock(&fw_lock);
+- break;
+- }
+ firmware_free_data(fw_priv->fw);
+ memset(fw_priv->fw, 0, sizeof(struct firmware));
+ /* If the pages are not owned by 'struct firmware' */
+@@ -243,7 +243,6 @@ static ssize_t firmware_loading_store(st
+ fw_priv->page_array_size = 0;
+ fw_priv->nr_pages = 0;
+ set_bit(FW_STATUS_LOADING, &fw_priv->status);
+- mutex_unlock(&fw_lock);
+ break;
+ case 0:
+ if (test_bit(FW_STATUS_LOADING, &fw_priv->status)) {
+@@ -274,7 +273,8 @@ static ssize_t firmware_loading_store(st
+ fw_load_abort(fw_priv);
+ break;
+ }
+-
++out:
++ mutex_unlock(&fw_lock);
+ return count;
+ }
+
--- /dev/null
+From c055fe0797b7bd8f6f21a13598a55a16d5c13ae7 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Tue, 3 Jan 2012 12:09:15 +1100
+Subject: offb: Fix bug in calculating requested vram size
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit c055fe0797b7bd8f6f21a13598a55a16d5c13ae7 upstream.
+
+We used to try to request 8 times more vram than needed, which would
+fail if the card has a too small BAR (observed with qemu & kvm).
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/offb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/offb.c
++++ b/drivers/video/offb.c
+@@ -377,7 +377,7 @@ static void __init offb_init_fb(const ch
+ int pitch, unsigned long address,
+ int foreign_endian, struct device_node *dp)
+ {
+- unsigned long res_size = pitch * height * (depth + 7) / 8;
++ unsigned long res_size = pitch * height;
+ struct offb_par *par = &default_par;
+ unsigned long res_start = address;
+ struct fb_fix_screeninfo *fix;
--- /dev/null
+From 1bb0b7d21584b3f878e2bc880db62351ddee5185 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Wed, 28 Dec 2011 00:10:16 +0000
+Subject: offb: Fix setting of the pseudo-palette for >8bpp
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit 1bb0b7d21584b3f878e2bc880db62351ddee5185 upstream.
+
+When using a >8bpp framebuffer, offb advertises truecolor, not directcolor,
+and doesn't touch the color map even if it has a corresponding access method
+for the real hardware.
+
+Thus it needs to set the pseudo-palette with all 3 components of the color,
+like other truecolor framebuffers, not with copies of the color index like
+a directcolor framebuffer would do.
+
+This went unnoticed for a long time because it's pretty hard to get offb
+to kick in with anything but 8bpp (old BootX under MacOS will do that and
+qemu does it).
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/offb.c | 44 ++++++++++++++++++++------------------------
+ 1 file changed, 20 insertions(+), 24 deletions(-)
+
+--- a/drivers/video/offb.c
++++ b/drivers/video/offb.c
+@@ -100,36 +100,32 @@ static int offb_setcolreg(u_int regno, u
+ u_int transp, struct fb_info *info)
+ {
+ struct offb_par *par = (struct offb_par *) info->par;
+- int i, depth;
+- u32 *pal = info->pseudo_palette;
+
+- depth = info->var.bits_per_pixel;
+- if (depth == 16)
+- depth = (info->var.green.length == 5) ? 15 : 16;
++ if (info->fix.visual == FB_VISUAL_TRUECOLOR) {
++ u32 *pal = info->pseudo_palette;
++ u32 cr = red >> (16 - info->var.red.length);
++ u32 cg = green >> (16 - info->var.green.length);
++ u32 cb = blue >> (16 - info->var.blue.length);
++ u32 value;
+
+- if (regno > 255 ||
+- (depth == 16 && regno > 63) ||
+- (depth == 15 && regno > 31))
+- return 1;
++ if (regno >= 16)
++ return -EINVAL;
+
+- if (regno < 16) {
+- switch (depth) {
+- case 15:
+- pal[regno] = (regno << 10) | (regno << 5) | regno;
+- break;
+- case 16:
+- pal[regno] = (regno << 11) | (regno << 5) | regno;
+- break;
+- case 24:
+- pal[regno] = (regno << 16) | (regno << 8) | regno;
+- break;
+- case 32:
+- i = (regno << 8) | regno;
+- pal[regno] = (i << 16) | i;
+- break;
++ value = (cr << info->var.red.offset) |
++ (cg << info->var.green.offset) |
++ (cb << info->var.blue.offset);
++ if (info->var.transp.length > 0) {
++ u32 mask = (1 << info->var.transp.length) - 1;
++ mask <<= info->var.transp.offset;
++ value |= mask;
+ }
++ pal[regno] = value;
++ return 0;
+ }
+
++ if (regno > 255)
++ return -EINVAL;
++
+ red >>= 8;
+ green >>= 8;
+ blue >>= 8;
--- /dev/null
+From e4f387d8db3ba3c2dae4d8bdfe7bb5f4fe1bcb0d Mon Sep 17 00:00:00 2001
+From: Li Zhong <zhong@linux.vnet.ibm.com>
+Date: Sun, 18 Dec 2011 16:03:04 +0000
+Subject: powerpc: Fix unpaired probe_hcall_entry and probe_hcall_exit
+
+From: Li Zhong <zhong@linux.vnet.ibm.com>
+
+commit e4f387d8db3ba3c2dae4d8bdfe7bb5f4fe1bcb0d upstream.
+
+Unpaired calling of probe_hcall_entry and probe_hcall_exit might happen
+as following, which could cause incorrect preempt count.
+
+__trace_hcall_entry => trace_hcall_entry -> probe_hcall_entry =>
+get_cpu_var => preempt_disable
+
+__trace_hcall_exit => trace_hcall_exit -> probe_hcall_exit =>
+put_cpu_var => preempt_enable
+
+where:
+A => B and A -> B means A calls B, but
+=> means A will call B through function name, and B will definitely be
+called.
+-> means A will call B through function pointer, so B might not be
+called if the function pointer is not set.
+
+So error happens when only one of probe_hcall_entry and probe_hcall_exit
+get called during a hcall.
+
+This patch tries to move the preempt count operations from
+probe_hcall_entry and probe_hcall_exit to its callers.
+
+Reported-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Li Zhong <zhong@linux.vnet.ibm.com>
+Tested-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/powerpc/platforms/pseries/hvCall_inst.c | 4 +---
+ arch/powerpc/platforms/pseries/lpar.c | 2 ++
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/platforms/pseries/hvCall_inst.c
++++ b/arch/powerpc/platforms/pseries/hvCall_inst.c
+@@ -109,7 +109,7 @@ static void probe_hcall_entry(void *igno
+ if (opcode > MAX_HCALL_OPCODE)
+ return;
+
+- h = &get_cpu_var(hcall_stats)[opcode / 4];
++ h = &__get_cpu_var(hcall_stats)[opcode / 4];
+ h->tb_start = mftb();
+ h->purr_start = mfspr(SPRN_PURR);
+ }
+@@ -126,8 +126,6 @@ static void probe_hcall_exit(void *ignor
+ h->num_calls++;
+ h->tb_total += mftb() - h->tb_start;
+ h->purr_total += mfspr(SPRN_PURR) - h->purr_start;
+-
+- put_cpu_var(hcall_stats);
+ }
+
+ static int __init hcall_inst_init(void)
+--- a/arch/powerpc/platforms/pseries/lpar.c
++++ b/arch/powerpc/platforms/pseries/lpar.c
+@@ -553,6 +553,7 @@ void __trace_hcall_entry(unsigned long o
+ goto out;
+
+ (*depth)++;
++ preempt_disable();
+ trace_hcall_entry(opcode, args);
+ (*depth)--;
+
+@@ -575,6 +576,7 @@ void __trace_hcall_exit(long opcode, uns
+
+ (*depth)++;
+ trace_hcall_exit(opcode, retval, retbuf);
++ preempt_enable();
+ (*depth)--;
+
+ out:
--- /dev/null
+From 37fb9a0231ee43d42d069863bdfd567fca2b61af Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Wed, 23 Nov 2011 20:07:17 +0000
+Subject: powerpc/time: Handle wrapping of decrementer
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 37fb9a0231ee43d42d069863bdfd567fca2b61af upstream.
+
+When re-enabling interrupts we have code to handle edge sensitive
+decrementers by resetting the decrementer to 1 whenever it is negative.
+If interrupts were disabled long enough that the decrementer wrapped to
+positive we do nothing. This means interrupts can be delayed for a long
+time until it finally goes negative again.
+
+While we hope interrupts are never be disabled long enough for the
+decrementer to go positive, we have a very good test team that can
+drive any kernel into the ground. The softlockup data we get back
+from these fails could be seconds in the future, completely missing
+the cause of the lockup.
+
+We already keep track of the timebase of the next event so use that
+to work out if we should trigger a decrementer exception.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/powerpc/include/asm/time.h | 2 ++
+ arch/powerpc/kernel/irq.c | 15 ++++++---------
+ arch/powerpc/kernel/time.c | 9 +++++++++
+ 3 files changed, 17 insertions(+), 9 deletions(-)
+
+--- a/arch/powerpc/include/asm/time.h
++++ b/arch/powerpc/include/asm/time.h
+@@ -219,5 +219,7 @@ DECLARE_PER_CPU(struct cpu_usage, cpu_us
+ extern void secondary_cpu_time_init(void);
+ extern void iSeries_time_init_early(void);
+
++extern void decrementer_check_overflow(void);
++
+ #endif /* __KERNEL__ */
+ #endif /* __POWERPC_TIME_H */
+--- a/arch/powerpc/kernel/irq.c
++++ b/arch/powerpc/kernel/irq.c
+@@ -164,16 +164,13 @@ notrace void arch_local_irq_restore(unsi
+ */
+ local_paca->hard_enabled = en;
+
+-#ifndef CONFIG_BOOKE
+- /* On server, re-trigger the decrementer if it went negative since
+- * some processors only trigger on edge transitions of the sign bit.
+- *
+- * BookE has a level sensitive decrementer (latches in TSR) so we
+- * don't need that
++ /*
++ * Trigger the decrementer if we have a pending event. Some processors
++ * only trigger on edge transitions of the sign bit. We might also
++ * have disabled interrupts long enough that the decrementer wrapped
++ * to positive.
+ */
+- if ((int)mfspr(SPRN_DEC) < 0)
+- mtspr(SPRN_DEC, 1);
+-#endif /* CONFIG_BOOKE */
++ decrementer_check_overflow();
+
+ /*
+ * Force the delivery of pending soft-disabled interrupts on PS3.
+--- a/arch/powerpc/kernel/time.c
++++ b/arch/powerpc/kernel/time.c
+@@ -889,6 +889,15 @@ static void __init clocksource_init(void
+ clock->name, clock->mult, clock->shift);
+ }
+
++void decrementer_check_overflow(void)
++{
++ u64 now = get_tb_or_rtc();
++ struct decrementer_clock *decrementer = &__get_cpu_var(decrementers);
++
++ if (now >= decrementer->next_tb)
++ set_dec(1);
++}
++
+ static int decrementer_set_next_event(unsigned long evt,
+ struct clock_event_device *dev)
+ {
--- /dev/null
+From 3f81f8f1524ccca24df1029b0cf825ecef5e5cdc Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Tue, 27 Dec 2011 12:22:51 -0600
+Subject: rt2800usb: Move ID out of unknown
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 3f81f8f1524ccca24df1029b0cf825ecef5e5cdc upstream.
+
+Testing on the openSUSE wireless forum has shown that a Linksys
+WUSB54GC v3 with USB ID 1737:0077 works with rt2800usb when the ID is
+written to /sys/.../new_id. This ID can therefore be moved out of UNKNOWN.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
+Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/rt2x00/rt2800usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2800usb.c
++++ b/drivers/net/wireless/rt2x00/rt2800usb.c
+@@ -970,6 +970,7 @@ static struct usb_device_id rt2800usb_de
+ { USB_DEVICE(0x13b1, 0x0031) },
+ { USB_DEVICE(0x1737, 0x0070) },
+ { USB_DEVICE(0x1737, 0x0071) },
++ { USB_DEVICE(0x1737, 0x0077) },
+ /* Logitec */
+ { USB_DEVICE(0x0789, 0x0162) },
+ { USB_DEVICE(0x0789, 0x0163) },
+@@ -1165,7 +1166,6 @@ static struct usb_device_id rt2800usb_de
+ { USB_DEVICE(0x1740, 0x0605) },
+ { USB_DEVICE(0x1740, 0x0615) },
+ /* Linksys */
+- { USB_DEVICE(0x1737, 0x0077) },
+ { USB_DEVICE(0x1737, 0x0078) },
+ /* Logitec */
+ { USB_DEVICE(0x0789, 0x0168) },
maintainers-stable-update-address.patch
+documentation-update-stable-address.patch
+firmware-fix-an-oops-on-reading-fw_priv-fw-in-sysfs-loading-file.patch
+rt2800usb-move-id-out-of-unknown.patch
+offb-fix-setting-of-the-pseudo-palette-for-8bpp.patch
+offb-fix-bug-in-calculating-requested-vram-size.patch
+wl12xx-validate-fem-index-from-ini-file-and-fw.patch
+wl12xx-check-buffer-bound-when-processing-nvs-data.patch
+wl12xx-restore-testmode-abi.patch
+powerpc-time-handle-wrapping-of-decrementer.patch
+powerpc-fix-unpaired-probe_hcall_entry-and-probe_hcall_exit.patch
--- /dev/null
+From f6efe96edd9c41c624c8f4ddbc4930c1a2d8f1e1 Mon Sep 17 00:00:00 2001
+From: Pontus Fuchs <pontus.fuchs@gmail.com>
+Date: Tue, 18 Oct 2011 09:23:42 +0200
+Subject: wl12xx: Check buffer bound when processing nvs data
+
+From: Pontus Fuchs <pontus.fuchs@gmail.com>
+
+commit f6efe96edd9c41c624c8f4ddbc4930c1a2d8f1e1 upstream.
+
+An nvs with malformed contents could cause the processing of the
+calibration data to read beyond the end of the buffer. Prevent this
+from happening by adding bound checking.
+
+Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
+Reviewed-by: Luciano Coelho <coelho@ti.com>
+Signed-off-by: Luciano Coelho <coelho@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/wl12xx/boot.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/net/wireless/wl12xx/boot.c
++++ b/drivers/net/wireless/wl12xx/boot.c
+@@ -358,6 +358,9 @@ static int wl1271_boot_upload_nvs(struct
+ nvs_ptr += 3;
+
+ for (i = 0; i < burst_len; i++) {
++ if (nvs_ptr + 3 >= (u8 *) wl->nvs + nvs_len)
++ goto out_badnvs;
++
+ val = (nvs_ptr[0] | (nvs_ptr[1] << 8)
+ | (nvs_ptr[2] << 16) | (nvs_ptr[3] << 24));
+
+@@ -369,6 +372,9 @@ static int wl1271_boot_upload_nvs(struct
+ nvs_ptr += 4;
+ dest_addr += 4;
+ }
++
++ if (nvs_ptr >= (u8 *) wl->nvs + nvs_len)
++ goto out_badnvs;
+ }
+
+ /*
+@@ -380,6 +386,10 @@ static int wl1271_boot_upload_nvs(struct
+ */
+ nvs_ptr = (u8 *)wl->nvs +
+ ALIGN(nvs_ptr - (u8 *)wl->nvs + 7, 4);
++
++ if (nvs_ptr >= (u8 *) wl->nvs + nvs_len)
++ goto out_badnvs;
++
+ nvs_len -= nvs_ptr - (u8 *)wl->nvs;
+
+ /* Now we must set the partition correctly */
+@@ -395,6 +405,10 @@ static int wl1271_boot_upload_nvs(struct
+
+ kfree(nvs_aligned);
+ return 0;
++
++out_badnvs:
++ wl1271_error("nvs data is malformed");
++ return -EILSEQ;
+ }
+
+ static void wl1271_boot_enable_interrupts(struct wl1271 *wl)
--- /dev/null
+From 3f1764945eaac532c20ab1f23afa352a40f797b2 Mon Sep 17 00:00:00 2001
+From: Pontus Fuchs <pontus.fuchs@gmail.com>
+Date: Thu, 1 Dec 2011 12:13:44 +0100
+Subject: wl12xx: Restore testmode ABI
+
+From: Pontus Fuchs <pontus.fuchs@gmail.com>
+
+commit 3f1764945eaac532c20ab1f23afa352a40f797b2 upstream.
+
+Commit 80900d0140a7648587982c8f299830e900e49165 accidently broke
+the ABI for testmode commands. Restore the ABI again.
+
+Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
+Signed-off-by: Luciano Coelho <coelho@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/wl12xx/testmode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/wl12xx/testmode.c
++++ b/drivers/net/wireless/wl12xx/testmode.c
+@@ -36,6 +36,7 @@ enum wl1271_tm_commands {
+ WL1271_TM_CMD_TEST,
+ WL1271_TM_CMD_INTERROGATE,
+ WL1271_TM_CMD_CONFIGURE,
++ WL1271_TM_CMD_NVS_PUSH, /* Not in use. Keep to not break ABI */
+ WL1271_TM_CMD_SET_PLT_MODE,
+ WL1271_TM_CMD_RECOVER,
+
--- /dev/null
+From 2131d3c2f99b081806fdae7662c92fe6acda52af Mon Sep 17 00:00:00 2001
+From: Pontus Fuchs <pontus.fuchs@gmail.com>
+Date: Tue, 18 Oct 2011 09:23:41 +0200
+Subject: wl12xx: Validate FEM index from ini file and FW
+
+From: Pontus Fuchs <pontus.fuchs@gmail.com>
+
+commit 2131d3c2f99b081806fdae7662c92fe6acda52af upstream.
+
+Check for out of bound FEM index to prevent reading beyond ini
+memory end.
+
+Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
+Reviewed-by: Luciano Coelho <coelho@ti.com>
+Signed-off-by: Luciano Coelho <coelho@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/wl12xx/cmd.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/drivers/net/wireless/wl12xx/cmd.c
++++ b/drivers/net/wireless/wl12xx/cmd.c
+@@ -120,6 +120,11 @@ int wl1271_cmd_general_parms(struct wl12
+ if (!wl->nvs)
+ return -ENODEV;
+
++ if (gp->tx_bip_fem_manufacturer >= WL1271_INI_FEM_MODULE_COUNT) {
++ wl1271_warning("FEM index from INI out of bounds");
++ return -EINVAL;
++ }
++
+ gen_parms = kzalloc(sizeof(*gen_parms), GFP_KERNEL);
+ if (!gen_parms)
+ return -ENOMEM;
+@@ -148,6 +153,12 @@ int wl1271_cmd_general_parms(struct wl12
+ gp->tx_bip_fem_manufacturer =
+ gen_parms->general_params.tx_bip_fem_manufacturer;
+
++ if (gp->tx_bip_fem_manufacturer >= WL1271_INI_FEM_MODULE_COUNT) {
++ wl1271_warning("FEM index from FW out of bounds");
++ ret = -EINVAL;
++ goto out;
++ }
++
+ wl1271_debug(DEBUG_CMD, "FEM autodetect: %s, manufacturer: %d\n",
+ answer ? "auto" : "manual", gp->tx_bip_fem_manufacturer);
+
+@@ -167,6 +178,11 @@ int wl128x_cmd_general_parms(struct wl12
+ if (!wl->nvs)
+ return -ENODEV;
+
++ if (gp->tx_bip_fem_manufacturer >= WL1271_INI_FEM_MODULE_COUNT) {
++ wl1271_warning("FEM index from ini out of bounds");
++ return -EINVAL;
++ }
++
+ gen_parms = kzalloc(sizeof(*gen_parms), GFP_KERNEL);
+ if (!gen_parms)
+ return -ENOMEM;
+@@ -191,6 +207,12 @@ int wl128x_cmd_general_parms(struct wl12
+ gp->tx_bip_fem_manufacturer =
+ gen_parms->general_params.tx_bip_fem_manufacturer;
+
++ if (gp->tx_bip_fem_manufacturer >= WL1271_INI_FEM_MODULE_COUNT) {
++ wl1271_warning("FEM index from FW out of bounds");
++ ret = -EINVAL;
++ goto out;
++ }
++
+ wl1271_debug(DEBUG_CMD, "FEM autodetect: %s, manufacturer: %d\n",
+ answer ? "auto" : "manual", gp->tx_bip_fem_manufacturer);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
