--- /dev/null
+From bd02cd2549cfcdfc57cb5ce57ffc3feb94f70575 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 16 Dec 2013 12:04:36 +0100
+Subject: radiotap: fix bitmap-end-finding buffer overrun
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit bd02cd2549cfcdfc57cb5ce57ffc3feb94f70575 upstream.
+
+Evan Huus found (by fuzzing in wireshark) that the radiotap
+iterator code can access beyond the length of the buffer if
+the first bitmap claims an extension but then there's no
+data at all. Fix this.
+
+Reported-by: Evan Huus <eapache@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/radiotap.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/wireless/radiotap.c
++++ b/net/wireless/radiotap.c
+@@ -122,6 +122,10 @@ int ieee80211_radiotap_iterator_init(
+ /* find payload start allowing for extended bitmap(s) */
+
+ if (iterator->_bitmap_shifter & (1<<IEEE80211_RADIOTAP_EXT)) {
++ if ((unsigned long)iterator->_arg -
++ (unsigned long)iterator->_rtheader + sizeof(uint32_t) >
++ (unsigned long)iterator->_max_length)
++ return -EINVAL;
+ while (get_unaligned_le32(iterator->_arg) &
+ (1 << IEEE80211_RADIOTAP_EXT)) {
+ iterator->_arg += sizeof(uint32_t);
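Review bot: The new bounds test at the top of the `IEEE80211_RADIOTAP_EXT` branch has no comment, and as written it only guards the first `get_unaligned_le32(iterator->_arg)` read. The `while` body continues outside this hunk, so it is not visible here whether the same test is repeated after each `iterator->_arg += sizeof(uint32_t)`. That should be confirmed, because every further iteration reads another four bytes. I would add a comment above the check, e.g. `/* the first extension bitmap word must lie inside _max_length before it is read */`. If the identical expression does appear again in the loop, a small static helper taking the iterator would keep the two checks from drifting apart.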
--- /dev/null
+From 9278db6279e28d4d433bc8a848e10b4ece8793ed Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Wed, 11 Dec 2013 17:13:10 -0600
+Subject: rtlwifi: pci: Fix oops on driver unload
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 9278db6279e28d4d433bc8a848e10b4ece8793ed upstream.
+
+On Fedora systems, unloading rtl8192ce causes an oops. This patch fixes the
+problem reported at https://bugzilla.redhat.com/show_bug.cgi?id=852761.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rtlwifi/pci.c
++++ b/drivers/net/wireless/rtlwifi/pci.c
+@@ -678,6 +678,8 @@ static void _rtl_pci_rx_interrupt(struct
+ };
+ int index = rtlpci->rx_ring[rx_queue_idx].idx;
+
++ if (rtlpci->driver_is_goingto_unload)
++ return;
+ /*RX NORMAL PKT */
+ while (count--) {
+ /*rx descriptor */
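Review bot: The early return on `rtlpci->driver_is_goingto_unload` in `_rtl_pci_rx_interrupt` is a plain, unsynchronised flag read, so it only stops RX passes that begin after the flag is set. A pass already inside the `while (count--)` loop keeps working on the ring while `rtl_pci_stop` proceeds. Nothing in the visible hunks shows the stop path waiting for an in-flight handler, so it is worth confirming that something like `synchronize_irq()` runs after `disable_interrupt(hw)` and before the RX ring is released. A comment above the check would also help, e.g. `/* stop path has started teardown; do not touch the RX ring */`. The function body starts and ends outside this hunk.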
+@@ -1553,6 +1555,7 @@ static void rtl_pci_stop(struct ieee8021
+ */
+ set_hal_stop(rtlhal);
+
++ rtlpci->driver_is_goingto_unload = true;
+ rtlpriv->cfg->ops->disable_interrupt(hw);
+ cancel_work_sync(&rtlpriv->works.lps_leave_work);
+
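Review bot: `driver_is_goingto_unload` is now set at the top of the stop path, but none of the visible hunks clears it again. If `rtl_pci_stop` also runs on an ordinary interface down rather than only on module unload (its signature is truncated here, so this is an inference), the RX handler would keep returning early after the next start unless the start path resets the flag; please confirm. The ordering relative to `disable_interrupt(hw)` is the point of the change and deserves a comment such as `/* set before disabling interrupts so a late RX interrupt bails out */`. The later hunk at -1570 only removes the old assignment, and the body of `rtl_pci_stop` continues outside this hunk.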
+@@ -1570,7 +1573,6 @@ static void rtl_pci_stop(struct ieee8021
+ ppsc->rfchange_inprogress = true;
+ spin_unlock_irqrestore(&rtlpriv->locks.rf_ps_lock, flags);
+
+- rtlpci->driver_is_goingto_unload = true;
+ rtlpriv->cfg->ops->hw_disable(hw);
+ /* some things are not needed if firmware not available */
+ if (!rtlpriv->max_fw_size)