--- /dev/null
+From 3118a4f652c7b12c752f3222af0447008f9b2368 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 11 Mar 2013 17:31:45 -0700
+Subject: drm/i915: bounds check execbuffer relocation count
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 3118a4f652c7b12c752f3222af0447008f9b2368 upstream.
+
+It is possible to wrap the counter used to allocate the buffer for
+relocation copies. This could lead to heap writing overflows.
+
+CVE-2013-0913
+
+v3: collapse test, improve comment
+v2: move check into validate_exec_list
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reported-by: Pinkie Pie
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -957,15 +957,20 @@ validate_exec_list(struct drm_i915_gem_e
+ int count)
+ {
+ int i;
++ int relocs_total = 0;
++ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
+
+ for (i = 0; i < count; i++) {
+ char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
+ int length; /* limited by fault_in_pages_readable() */
+
+- /* First check for malicious input causing overflow */
+- if (exec[i].relocation_count >
+- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
++ /* First check for malicious input causing overflow in
++ * the worst case where we need to allocate the entire
++ * relocation tree as a single array.
++ */
++ if (exec[i].relocation_count > relocs_max - relocs_total)
+ return -EINVAL;
++ relocs_total += exec[i].relocation_count;
+
+ length = exec[i].relocation_count *
+ sizeof(struct drm_i915_gem_relocation_entry);
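Review bot: The new test `exec[i].relocation_count > relocs_max - relocs_total` compares what appears to be an unsigned count (the field is declared outside this hunk) with a signed `int` difference. It is therefore correct only because `relocs_total` can never exceed `relocs_max` at that point. That invariant holds in the lines shown, since the check runs before `relocs_total += ...`, but nothing states it, and a later reordering would turn a negative right-hand side into a huge unsigned value that lets every count through. Declaring the accumulators unsigned makes the arithmetic match the field: `unsigned int relocs_total = 0;` and `unsigned int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);`. The body of validate_exec_list continues past the end of the hunk, so the later uses of `length` are not reviewed here.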
--- /dev/null
+From c19b3b0f6eed552952845e4ad908dba2113d67b4 Mon Sep 17 00:00:00 2001
+From: Torsten Duwe <torsten@lst.de>
+Date: Sat, 23 Mar 2013 15:39:34 +0100
+Subject: KMS: fix EDID detailed timing frame rate
+
+From: Torsten Duwe <torsten@lst.de>
+
+commit c19b3b0f6eed552952845e4ad908dba2113d67b4 upstream.
+
+When KMS has parsed an EDID "detailed timing", it leaves the frame rate
+zeroed. Consecutive (debug-) output of that mode thus yields 0 for
+vsync. This simple fix also speeds up future invocations of
+drm_mode_vrefresh().
+
+While it is debatable whether this qualifies as a -stable fix I'd apply
+it for consistency's sake; drm_helper_probe_single_connector_modes()
+does the same thing already for all probed modes.
+
+Signed-off-by: Torsten Duwe <duwe@lst.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_edid.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -917,6 +917,7 @@ set_size:
+ }
+
+ mode->type = DRM_MODE_TYPE_DRIVER;
++ mode->vrefresh = drm_mode_vrefresh(mode);
+ drm_mode_set_name(mode);
+
+ return mode;
--- /dev/null
+From 16dad1d743d31a104a849c8944e6b9eb479f6cd7 Mon Sep 17 00:00:00 2001
+From: Torsten Duwe <torsten@lst.de>
+Date: Sat, 23 Mar 2013 15:38:22 +0100
+Subject: KMS: fix EDID detailed timing vsync parsing
+
+From: Torsten Duwe <torsten@lst.de>
+
+commit 16dad1d743d31a104a849c8944e6b9eb479f6cd7 upstream.
+
+EDID spreads some values across multiple bytes; bit-fiddling is needed
+to retrieve these. The current code to parse "detailed timings" has a
+cut&paste error that results in a vsync offset of at most 15 lines
+instead of 63.
+
+See
+
+ http://en.wikipedia.org/wiki/EDID
+
+and in the "EDID Detailed Timing Descriptor" see bytes 10+11 show why
+that needs to be a left shift.
+
+Signed-off-by: Torsten Duwe <duwe@lst.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_edid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -836,7 +836,7 @@ static struct drm_display_mode *drm_mode
+ unsigned vblank = (pt->vactive_vblank_hi & 0xf) << 8 | pt->vblank_lo;
+ unsigned hsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc0) << 2 | pt->hsync_offset_lo;
+ unsigned hsync_pulse_width = (pt->hsync_vsync_offset_pulse_width_hi & 0x30) << 4 | pt->hsync_pulse_width_lo;
+- unsigned vsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc) >> 2 | pt->vsync_offset_pulse_width_lo >> 4;
++ unsigned vsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc) << 2 | pt->vsync_offset_pulse_width_lo >> 4;
+ unsigned vsync_pulse_width = (pt->hsync_vsync_offset_pulse_width_hi & 0x3) << 4 | (pt->vsync_offset_pulse_width_lo & 0xf);
+
+ /* ignore tiny modes */
--- /dev/null
+From d00285884c0892bb1310df96bce6056e9ce9b9d9 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <liwanp@linux.vnet.ibm.com>
+Date: Fri, 22 Mar 2013 15:04:40 -0700
+Subject: mm/hugetlb: fix total hugetlbfs pages count when using memory overcommit accouting
+
+From: Wanpeng Li <liwanp@linux.vnet.ibm.com>
+
+commit d00285884c0892bb1310df96bce6056e9ce9b9d9 upstream.
+
+hugetlb_total_pages is used for overcommit calculations but the current
+implementation considers only the default hugetlb page size (which is
+either the first defined hugepage size or the one specified by
+default_hugepagesz kernel boot parameter).
+
+If the system is configured for more than one hugepage size, which is
+possible since commit a137e1cc6d6e ("hugetlbfs: per mount huge page
+sizes") then the overcommit estimation done by __vm_enough_memory()
+(resp. shown by meminfo_proc_show) is not precise - there is an
+impression of more available/allowed memory. This can lead to an
+unexpected ENOMEM/EFAULT resp. SIGSEGV when memory is accounted.
+
+Testcase:
+ boot: hugepagesz=1G hugepages=1
+ the default overcommit ratio is 50
+ before patch:
+
+ egrep 'CommitLimit' /proc/meminfo
+ CommitLimit: 55434168 kB
+
+ after patch:
+
+ egrep 'CommitLimit' /proc/meminfo
+ CommitLimit: 54909880 kB
+
+[akpm@linux-foundation.org: coding-style tweak]
+Signed-off-by: Wanpeng Li <liwanp@linux.vnet.ibm.com>
+Acked-by: Michal Hocko <mhocko@suse.cz>
+Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Hillf Danton <dhillf@gmail.com>
+Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2096,8 +2096,12 @@ int hugetlb_report_node_meminfo(int nid,
+ /* Return the number pages of memory we physically have, in PAGE_SIZE units. */
+ unsigned long hugetlb_total_pages(void)
+ {
+- struct hstate *h = &default_hstate;
+- return h->nr_huge_pages * pages_per_huge_page(h);
++ struct hstate *h;
++ unsigned long nr_total_pages = 0;
++
++ for_each_hstate(h)
++ nr_total_pages += h->nr_huge_pages * pages_per_huge_page(h);
++ return nr_total_pages;
+ }
+
+ static int hugetlb_acct_memory(struct hstate *h, long delta)
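Review bot: The header comment above `hugetlb_total_pages()` is left as it was, so it does not say that the result is now the sum over every hstate rather than the default one. I would reword it to `/* Return the number of pages backing huge pages of all sizes, in PAGE_SIZE units. */` so callers doing overcommit accounting know what the figure covers. The loop reads `h->nr_huge_pages` with no lock visible in this hunk; the old code did the same for the default hstate, so this is presumably an accepted approximate read, but a short comment saying so would help.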
--- /dev/null
+From 5f0fabf84d7b52f979dcbafa3d3c530c60d9a92c Mon Sep 17 00:00:00 2001
+From: Bing Zhao <bzhao@marvell.com>
+Date: Thu, 7 Mar 2013 20:00:16 -0800
+Subject: mwifiex: fix potential out-of-boundary access to ibss rate table
+
+From: Bing Zhao <bzhao@marvell.com>
+
+commit 5f0fabf84d7b52f979dcbafa3d3c530c60d9a92c upstream.
+
+smatch found this error:
+
+CHECK drivers/net/wireless/mwifiex/join.c
+ drivers/net/wireless/mwifiex/join.c:1121
+ mwifiex_cmd_802_11_ad_hoc_join()
+ error: testing array offset 'i' after use.
+
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/join.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/join.c
++++ b/drivers/net/wireless/mwifiex/join.c
+@@ -1049,10 +1049,9 @@ mwifiex_cmd_802_11_ad_hoc_join(struct mw
+ adhoc_join->bss_descriptor.bssid,
+ adhoc_join->bss_descriptor.ssid);
+
+- for (i = 0; bss_desc->supported_rates[i] &&
+- i < MWIFIEX_SUPPORTED_RATES;
+- i++)
+- ;
++ for (i = 0; i < MWIFIEX_SUPPORTED_RATES &&
++ bss_desc->supported_rates[i]; i++)
++ ;
+ rates_size = i;
+
+ /* Copy Data Rates from the Rates recorded in scan response */
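Review bot: The empty-bodied loop is now safe only because `i < MWIFIEX_SUPPORTED_RATES` is evaluated before `bss_desc->supported_rates[i]`, and nothing in the code says the order of the two operands matters. The comment after the loop says the rates are recorded from a scan response, so the table may well be completely filled with no zero terminator, which is exactly when the old order read one element past the end. I would add `/* bound check must come first: supported_rates[] need not be zero-terminated */` above the loop so a later tidy-up does not swap the operands back. The function starts and ends outside this hunk, so the copy that uses `rates_size` is not reviewed here.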
--- /dev/null
+From 9437a248e7cac427c898bdb11bd1ac6844a1ead4 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Wed, 13 Mar 2013 10:28:13 -0500
+Subject: rtlwifi: rtl8192cu: Fix problem that prevents reassociation
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 9437a248e7cac427c898bdb11bd1ac6844a1ead4 upstream.
+
+The driver was failing to clear the BSSID when a disconnect happened. That
+prevented a reconnection. This problem is reported at
+https://bugzilla.redhat.com/show_bug.cgi?id=789605,
+https://bugzilla.redhat.com/show_bug.cgi?id=866786,
+https://bugzilla.redhat.com/show_bug.cgi?id=906734, and
+https://bugzilla.kernel.org/show_bug.cgi?id=46171.
+
+Thanks to Jussi Kivilinna for making the critical observation
+that led to the solution.
+
+Reported-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Tested-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Tested-by: Alessandro Lannocca <alessandro.lannocca@gmail.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192cu/hw.c | 87 +++++++++++-----------------
+ 1 file changed, 35 insertions(+), 52 deletions(-)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
+@@ -1377,74 +1377,57 @@ void rtl92cu_card_disable(struct ieee802
+
+ void rtl92cu_set_check_bssid(struct ieee80211_hw *hw, bool check_bssid)
+ {
+- /* dummy routine needed for callback from rtl_op_configure_filter() */
+-}
+-
+-/*========================================================================== */
+-
+-static void _rtl92cu_set_check_bssid(struct ieee80211_hw *hw,
+- enum nl80211_iftype type)
+-{
+ struct rtl_priv *rtlpriv = rtl_priv(hw);
+- u32 reg_rcr = rtl_read_dword(rtlpriv, REG_RCR);
+ struct rtl_hal *rtlhal = rtl_hal(rtlpriv);
+- struct rtl_phy *rtlphy = &(rtlpriv->phy);
+- u8 filterout_non_associated_bssid = false;
++ u32 reg_rcr = rtl_read_dword(rtlpriv, REG_RCR);
+
+- switch (type) {
+- case NL80211_IFTYPE_ADHOC:
+- case NL80211_IFTYPE_STATION:
+- filterout_non_associated_bssid = true;
+- break;
+- case NL80211_IFTYPE_UNSPECIFIED:
+- case NL80211_IFTYPE_AP:
+- default:
+- break;
+- }
+- if (filterout_non_associated_bssid) {
++ if (rtlpriv->psc.rfpwr_state != ERFON)
++ return;
++
++ if (check_bssid) {
++ u8 tmp;
+ if (IS_NORMAL_CHIP(rtlhal->version)) {
+- switch (rtlphy->current_io_type) {
+- case IO_CMD_RESUME_DM_BY_SCAN:
+- reg_rcr |= (RCR_CBSSID_DATA | RCR_CBSSID_BCN);
+- rtlpriv->cfg->ops->set_hw_reg(hw,
+- HW_VAR_RCR, (u8 *)(®_rcr));
+- /* enable update TSF */
+- _rtl92cu_set_bcn_ctrl_reg(hw, 0, BIT(4));
+- break;
+- case IO_CMD_PAUSE_DM_BY_SCAN:
+- reg_rcr &= ~(RCR_CBSSID_DATA | RCR_CBSSID_BCN);
+- rtlpriv->cfg->ops->set_hw_reg(hw,
+- HW_VAR_RCR, (u8 *)(®_rcr));
+- /* disable update TSF */
+- _rtl92cu_set_bcn_ctrl_reg(hw, BIT(4), 0);
+- break;
+- }
++ reg_rcr |= (RCR_CBSSID_DATA | RCR_CBSSID_BCN);
++ tmp = BIT(4);
+ } else {
+- reg_rcr |= (RCR_CBSSID);
+- rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_RCR,
+- (u8 *)(®_rcr));
+- _rtl92cu_set_bcn_ctrl_reg(hw, 0, (BIT(4)|BIT(5)));
++ reg_rcr |= RCR_CBSSID;
++ tmp = BIT(4) | BIT(5);
+ }
+- } else if (filterout_non_associated_bssid == false) {
++ rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_RCR,
++ (u8 *) (®_rcr));
++ _rtl92cu_set_bcn_ctrl_reg(hw, 0, tmp);
++ } else {
++ u8 tmp;
+ if (IS_NORMAL_CHIP(rtlhal->version)) {
+- reg_rcr &= (~(RCR_CBSSID_DATA | RCR_CBSSID_BCN));
+- rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_RCR,
+- (u8 *)(®_rcr));
+- _rtl92cu_set_bcn_ctrl_reg(hw, BIT(4), 0);
++ reg_rcr &= ~(RCR_CBSSID_DATA | RCR_CBSSID_BCN);
++ tmp = BIT(4);
+ } else {
+- reg_rcr &= (~RCR_CBSSID);
+- rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_RCR,
+- (u8 *)(®_rcr));
+- _rtl92cu_set_bcn_ctrl_reg(hw, (BIT(4)|BIT(5)), 0);
++ reg_rcr &= ~RCR_CBSSID;
++ tmp = BIT(4) | BIT(5);
+ }
++ reg_rcr &= (~(RCR_CBSSID_DATA | RCR_CBSSID_BCN));
++ rtlpriv->cfg->ops->set_hw_reg(hw,
++ HW_VAR_RCR, (u8 *) (®_rcr));
++ _rtl92cu_set_bcn_ctrl_reg(hw, tmp, 0);
+ }
+ }
+
++/*========================================================================== */
++
+ int rtl92cu_set_network_type(struct ieee80211_hw *hw, enum nl80211_iftype type)
+ {
++ struct rtl_priv *rtlpriv = rtl_priv(hw);
++
+ if (_rtl92cu_set_media_status(hw, type))
+ return -EOPNOTSUPP;
+- _rtl92cu_set_check_bssid(hw, type);
++
++ if (rtlpriv->mac80211.link_state == MAC80211_LINKED) {
++ if (type != NL80211_IFTYPE_AP)
++ rtl92cu_set_check_bssid(hw, true);
++ } else {
++ rtl92cu_set_check_bssid(hw, false);
++ }
++
+ return 0;
+ }
+
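Review bot: In the new `else` branch of `rtl92cu_set_check_bssid()`, the statement `reg_rcr &= (~(RCR_CBSSID_DATA | RCR_CBSSID_BCN));` runs after the chip-version `if`/`else` has already cleared the appropriate bits. For a normal chip it is a repeat; for the other chip type it clears bits the removed code left alone in that case (`reg_rcr &= (~RCR_CBSSID);` only). If that extra clear is not intended, drop the line; if it is, say why in a comment. `u8 tmp;` is also declared separately in both branches and could be declared once at the top of the function. In `rtl92cu_set_network_type()` the linked-and-AP case calls neither `rtl92cu_set_check_bssid(hw, true)` nor `(hw, false)`, so the filter keeps whatever state it had; a one-line comment such as `/* AP mode: leave BSSID filtering unchanged */` would show this is deliberate.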
--- /dev/null
+From 664899786cb49cb52f620e06ac19c0be524a7cfa Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Wed, 27 Feb 2013 14:10:30 -0600
+Subject: rtlwifi: rtl8192cu: Fix schedule while atomic bug splat
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 664899786cb49cb52f620e06ac19c0be524a7cfa upstream.
+
+When run at debug 3 or higher, rtl8192cu reports a BUG as follows:
+
+BUG: scheduling while atomic: kworker/u:0/5281/0x00000002
+INFO: lockdep is turned off.
+Modules linked in: rtl8192cu rtl8192c_common rtlwifi fuse af_packet bnep bluetooth b43 mac80211 cfg80211 ipv6 snd_hda_codec_conexant kvm_amd k
+vm snd_hda_intel snd_hda_codec bcma rng_core snd_pcm ssb mmc_core snd_seq snd_timer snd_seq_device snd i2c_nforce2 sr_mod pcmcia forcedeth i2c_core soundcore
+ cdrom sg serio_raw k8temp hwmon joydev ac battery pcmcia_core snd_page_alloc video button wmi autofs4 ext4 mbcache jbd2 crc16 thermal processor scsi_dh_alua
+ scsi_dh_hp_sw scsi_dh_rdac scsi_dh_emc scsi_dh ata_generic pata_acpi pata_amd [last unloaded: rtlwifi]
+Pid: 5281, comm: kworker/u:0 Tainted: G W 3.8.0-wl+ #119
+Call Trace:
+ [<ffffffff814531e7>] __schedule_bug+0x62/0x70
+ [<ffffffff81459af0>] __schedule+0x730/0xa30
+ [<ffffffff81326e49>] ? usb_hcd_link_urb_to_ep+0x19/0xa0
+ [<ffffffff8145a0d4>] schedule+0x24/0x70
+ [<ffffffff814575ec>] schedule_timeout+0x18c/0x2f0
+ [<ffffffff81459ec0>] ? wait_for_common+0x40/0x180
+ [<ffffffff8133f461>] ? ehci_urb_enqueue+0xf1/0xee0
+ [<ffffffff810a579d>] ? trace_hardirqs_on+0xd/0x10
+ [<ffffffff81459f65>] wait_for_common+0xe5/0x180
+ [<ffffffff8107d1c0>] ? try_to_wake_up+0x2d0/0x2d0
+ [<ffffffff8145a08e>] wait_for_completion_timeout+0xe/0x10
+ [<ffffffff8132ab1c>] usb_start_wait_urb+0x8c/0x100
+ [<ffffffff8132adf9>] usb_control_msg+0xd9/0x130
+ [<ffffffffa057dd8d>] _usb_read_sync+0xcd/0x140 [rtlwifi]
+ [<ffffffffa057de0e>] _usb_read32_sync+0xe/0x10 [rtlwifi]
+ [<ffffffffa04b0555>] rtl92cu_update_hal_rate_table+0x1a5/0x1f0 [rtl8192cu]
+
+The cause is a synchronous read from routine rtl92cu_update_hal_rate_table().
+The resulting output is not critical, thus the debug statement is
+deleted.
+
+Reported-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192cu/hw.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
+@@ -2059,8 +2059,6 @@ void rtl92cu_update_hal_rate_table(struc
+ (shortgi_rate << 4) | (shortgi_rate);
+ }
+ rtl_write_dword(rtlpriv, REG_ARFR0 + ratr_index * 4, ratr_value);
+- RT_TRACE(rtlpriv, COMP_RATR, DBG_DMESG, "%x\n",
+- rtl_read_dword(rtlpriv, REG_ARFR0));
+ }
+
+ void rtl92cu_update_hal_rate_mask(struct ieee80211_hw *hw, u8 rssi_level)
alsa-snd-usb-mixer-propagate-errors-up-the-call-chain.patch
alsa-snd-usb-mixer-ignore-einval-in-snd_usb_mixer_controls.patch
drm-i915-restrict-kernel-address-leak-in-debugfs.patch
+tracing-fix-race-in-snapshot-swapping.patch
+tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch
+rtlwifi-rtl8192cu-fix-schedule-while-atomic-bug-splat.patch
+rtlwifi-rtl8192cu-fix-problem-that-prevents-reassociation.patch
+mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch
+drm-i915-bounds-check-execbuffer-relocation-count.patch
+kms-fix-edid-detailed-timing-vsync-parsing.patch
+kms-fix-edid-detailed-timing-frame-rate.patch
+mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch
+target-iscsi-fix-mutual-chap-auth-on-big-endian-arches.patch
--- /dev/null
+From 7ac9ad11b2a5cf77a92b58ee6b672ad2fa155eb1 Mon Sep 17 00:00:00 2001
+From: Andy Grover <agrover@redhat.com>
+Date: Mon, 4 Mar 2013 13:52:09 -0800
+Subject: target/iscsi: Fix mutual CHAP auth on big-endian arches
+
+From: Andy Grover <agrover@redhat.com>
+
+commit 7ac9ad11b2a5cf77a92b58ee6b672ad2fa155eb1 upstream.
+
+See https://bugzilla.redhat.com/show_bug.cgi?id=916290
+
+Used a temp var since we take its address in sg_init_one.
+
+Signed-off-by: Andy Grover <agrover@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_auth.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target_auth.c
++++ b/drivers/target/iscsi/iscsi_target_auth.c
+@@ -166,6 +166,7 @@ static int chap_server_compute_md5(
+ {
+ char *endptr;
+ unsigned long id;
++ unsigned char id_as_uchar;
+ unsigned char digest[MD5_SIGNATURE_SIZE];
+ unsigned char type, response[MD5_SIGNATURE_SIZE * 2 + 2];
+ unsigned char identifier[10], *challenge = NULL;
+@@ -355,7 +356,9 @@ static int chap_server_compute_md5(
+ goto out;
+ }
+
+- sg_init_one(&sg, &id, 1);
++ /* To handle both endiannesses */
++ id_as_uchar = id;
++ sg_init_one(&sg, &id_as_uchar, 1);
+ ret = crypto_hash_update(&desc, &sg, 1);
+ if (ret < 0) {
+ pr_err("crypto_hash_update() failed for id\n");
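Review bot: The assignment `id_as_uchar = id;` narrows an `unsigned long` to one byte without any range check visible in this hunk, so a value above 255 would be silently reduced modulo 256 before it is fed into the digest. `id` is parsed earlier in `chap_server_compute_md5()`, outside the lines shown; if no bound is enforced there, I would reject the value before hashing, e.g. `if (id > 255) { pr_err("chap identifier out of range\n"); goto out; }`. The comment `/* To handle both endiannesses */` could also state what is actually being fixed: `/* hash the low byte of id; &id points at the high byte on big-endian */`.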
--- /dev/null
+From 740466bc89ad8bd5afcc8de220f715f62b21e365 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Wed, 13 Mar 2013 11:15:19 -0400
+Subject: tracing: Fix free of probe entry by calling call_rcu_sched()
+
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+
+commit 740466bc89ad8bd5afcc8de220f715f62b21e365 upstream.
+
+Because function tracing is very invasive, and can even trace
+calls to rcu_read_lock(), RCU access in function tracing is done
+with preempt_disable_notrace(). This requires a synchronize_sched()
+for updates and not a synchronize_rcu().
+
+Function probes (traceon, traceoff, etc) must be freed after
+a synchronize_sched() after its entry has been removed from the
+hash. But call_rcu() is used. Fix this by using call_rcu_sched().
+
+Also fix the usage to use hlist_del_rcu() instead of hlist_del().
+
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3034,8 +3034,8 @@ __unregister_ftrace_function_probe(char
+ continue;
+ }
+
+- hlist_del(&entry->node);
+- call_rcu(&entry->rcu, ftrace_free_entry_rcu);
++ hlist_del_rcu(&entry->node);
++ call_rcu_sched(&entry->rcu, ftrace_free_entry_rcu);
+ }
+ }
+ __disable_ftrace_function_probe();
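Review bot: Nothing at the call site records why the `_sched` variants are required, so a later cleanup could turn `call_rcu_sched()` back into `call_rcu()` and bring back the premature free of a probe entry. The commit message gives the reason (readers run under `preempt_disable_notrace()`, not `rcu_read_lock()`), but that explanation does not survive in the source. I would add above the two changed lines: `/* readers use preempt_disable_notrace(); free only after a sched grace period */`. The enclosing loop and function begin outside this hunk.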
--- /dev/null
+From 2721e72dd10f71a3ba90f59781becf02638aa0d9 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Tue, 12 Mar 2013 11:32:32 -0400
+Subject: tracing: Fix race in snapshot swapping
+
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+
+commit 2721e72dd10f71a3ba90f59781becf02638aa0d9 upstream.
+
+Although the swap is wrapped with a spin_lock, the assignment
+of the temp buffer used to swap is not within that lock.
+It needs to be moved into that lock, otherwise two swaps
+happening on two different CPUs, can end up using the wrong
+temp buffer to assign in the swap.
+
+Luckily, all current callers of the swap function appear to have
+their own locks. But in case something is added that allows two
+different callers to call the swap, then there's a chance that
+this race can trigger and corrupt the buffers.
+
+New code is coming soon that will allow for this race to trigger.
+
+I've Cc'd stable, so this bug will not show up if someone backports
+one of the changes that can trigger this bug.
+
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -708,7 +708,7 @@ __update_max_tr(struct trace_array *tr,
+ void
+ update_max_tr(struct trace_array *tr, struct task_struct *tsk, int cpu)
+ {
+- struct ring_buffer *buf = tr->buffer;
++ struct ring_buffer *buf;
+
+ if (trace_stop_count)
+ return;
+@@ -720,6 +720,7 @@ update_max_tr(struct trace_array *tr, st
+ }
+ arch_spin_lock(&ftrace_max_lock);
+
++ buf = tr->buffer;
+ tr->buffer = max_tr.buffer;
+ max_tr.buffer = buf;
+
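Review bot: The moved assignment `buf = tr->buffer;` is correct only because it now sits after `arch_spin_lock(&ftrace_max_lock)`, and the code gives no hint that its position is significant. Since the commit message says the existing callers are serialised by their own locks, a regression here would go unnoticed until a new caller appears. I would add `/* must read tr->buffer under ftrace_max_lock; concurrent swaps would otherwise use a stale pointer */` directly above it. The rest of `update_max_tr()`, including the unlock, lies outside the hunk.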