3.0-stable patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Mon, 23 Jan 2012 19:43:35 +0000 (11:43 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 23 Jan 2012 19:43:35 +0000 (11:43 -0800)
added patches:
iwlagn-check-for-smps-mode.patch
iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch
kprobes-initialize-before-using-a-hlist.patch
mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch
proc-clear_refs-do-not-clear-reserved-pages.patch
score-fix-off-by-one-index-into-syscall-table.patch
ubifs-make-debugging-messages-light-again.patch

queue-3.0/iwlagn-check-for-smps-mode.patch [new file with mode: 0644]
queue-3.0/iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch [new file with mode: 0644]
queue-3.0/kprobes-initialize-before-using-a-hlist.patch [new file with mode: 0644]
queue-3.0/mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch [new file with mode: 0644]
queue-3.0/proc-clear_refs-do-not-clear-reserved-pages.patch [new file with mode: 0644]
queue-3.0/score-fix-off-by-one-index-into-syscall-table.patch [new file with mode: 0644]
queue-3.0/series
queue-3.0/ubifs-make-debugging-messages-light-again.patch [new file with mode: 0644]

diff --git a/queue-3.0/iwlagn-check-for-smps-mode.patch b/queue-3.0/iwlagn-check-for-smps-mode.patch
new file mode 100644 (file)
index 0000000..ea6fe93
--- /dev/null
@@ -0,0 +1,47 @@
+From b2ccccdca46273c7b321ecf5041c362cd950da20 Mon Sep 17 00:00:00 2001
+From: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+Date: Thu, 10 Nov 2011 06:55:04 -0800
+Subject: iwlagn: check for SMPS mode
+
+From: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+
+commit b2ccccdca46273c7b321ecf5041c362cd950da20 upstream.
+
+Check and report WARN only when its invalid
+
+Resolves:
+https://bugzilla.kernel.org/show_bug.cgi?id=42621
+https://bugzilla.redhat.com/show_bug.cgi?id=766071
+
+Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/net/wireless/iwlwifi/iwl-agn-lib.c  |    1 +
+ drivers/net/wireless/iwlwifi/iwl-agn-rxon.c |    3 +++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
+@@ -2023,6 +2023,7 @@ static int iwl_get_idle_rx_chain_count(s
+       case IEEE80211_SMPS_STATIC:
+       case IEEE80211_SMPS_DYNAMIC:
+               return IWL_NUM_IDLE_CHAINS_SINGLE;
++      case IEEE80211_SMPS_AUTOMATIC:
+       case IEEE80211_SMPS_OFF:
+               return active_cnt;
+       default:
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
+@@ -442,6 +442,9 @@ int iwlagn_mac_config(struct ieee80211_h
+       mutex_lock(&priv->mutex);
++      if (test_bit(STATUS_EXIT_PENDING, &priv->status))
++              goto out;
++
+       if (unlikely(test_bit(STATUS_SCANNING, &priv->status))) {
+               IWL_DEBUG_MAC80211(priv, "leave - scanning\n");
+               goto out;
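Review bot: The new STATUS_EXIT_PENDING test at the top of the iwl-agn-rxon.c hunk jumps to `out` with priv->mutex held and carries no comment saying why; the scanning branch right below uses the same label, so the unlock presumably lives there, but iwlagn_mac_config continues outside the hunk and neither `out:` nor the value returned on that path is visible. A one-line comment would make the intent explicit: `/* Device teardown in progress: nothing to configure, bail out. */`. The iwl-agn-lib.c hunk, which adds IEEE80211_SMPS_AUTOMATIC to the cases returning active_cnt, reads as intended, though iwl_get_idle_rx_chain_count's default branch is likewise outside the hunk.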
diff --git a/queue-3.0/iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch b/queue-3.0/iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch
new file mode 100644 (file)
index 0000000..ee918e3
--- /dev/null
@@ -0,0 +1,57 @@
+From 68acc4afb040d98ddfd2cae0de09e2f4e1ee127f Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Fri, 23 Dec 2011 08:13:50 +0100
+Subject: iwlegacy: 3945: fix hw passive scan on radar channels
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit 68acc4afb040d98ddfd2cae0de09e2f4e1ee127f upstream.
+
+Patch fix firmware error on "iw dev wlan0 scan passive" for
+hardware scanning (with disable_hw_scan=0 module parameter).
+
+ iwl3945 0000:03:00.0: Microcode SW error detected. Restarting 0x82000008.
+ iwl3945 0000:03:00.0: Loaded firmware version: 15.32.2.9
+ iwl3945 0000:03:00.0: Start IWL Error Log Dump:
+ iwl3945 0000:03:00.0: Status: 0x0002A2E4, count: 1
+ iwl3945 0000:03:00.0: Desc       Time       asrtPC blink2 ilink1  nmiPC   Line
+ iwl3945 0000:03:00.0: SYSASSERT     (0x5) 0041263900 0x13756 0x0031C 0x00000 764
+ iwl3945 0000:03:00.0: Error Reply type 0x000002FC cmd C_SCAN (0x80) seq 0x443E ser 0x00340000
+ iwl3945 0000:03:00.0: Command C_SCAN failed: FW Error
+ iwl3945 0000:03:00.0: Can't stop Rx DMA.
+
+We have disable ability to change passive scanning to active on
+particular channel when traffic is detected on that channel. Otherwise
+firmware will report error, when we try to do passive scan on radar
+channels.
+
+Reported-and-debugged-by: Pedro Francisco <pedrogfrancisco@gmail.com>
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/iwlegacy/iwl3945-base.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/iwlegacy/iwl3945-base.c
++++ b/drivers/net/wireless/iwlegacy/iwl3945-base.c
+@@ -2910,14 +2910,13 @@ int iwl3945_request_scan(struct iwl_priv
+               IWL_WARN(priv, "Invalid scan band\n");
+               return -EIO;
+       }
+-
+       /*
+-       * If active scaning is requested but a certain channel
+-       * is marked passive, we can do active scanning if we
+-       * detect transmissions.
++       * If active scaning is requested but a certain channel is marked
++       * passive, we can do active scanning if we detect transmissions. For
++       * passive only scanning disable switching to active on any channel.
+        */
+       scan->good_CRC_th = is_active ? IWL_GOOD_CRC_TH_DEFAULT :
+-                                      IWL_GOOD_CRC_TH_DISABLED;
++                                      IWL_GOOD_CRC_TH_NEVER;
+       if (!priv->is_internal_short_scan) {
+               scan->tx_cmd.len = cpu_to_le16(
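Review bot: The rewritten comment block in iwl3945_request_scan carries the original typo "scaning" into newly written text; the first line should read `* If active scanning is requested but a certain channel is marked`. Replacing IWL_GOOD_CRC_TH_DISABLED with IWL_GOOD_CRC_TH_NEVER is a backport into the 3.0 iwlegacy driver, and nothing in the hunk shows that IWL_GOOD_CRC_TH_NEVER is defined in this tree's headers, so that should be confirmed before the queue is built. iwl3945_request_scan starts and ends outside the hunk.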
diff --git a/queue-3.0/kprobes-initialize-before-using-a-hlist.patch b/queue-3.0/kprobes-initialize-before-using-a-hlist.patch
new file mode 100644 (file)
index 0000000..5ecef6a
--- /dev/null
@@ -0,0 +1,47 @@
+From d496aab567e7e52b3e974c9192a5de6e77dce32c Mon Sep 17 00:00:00 2001
+From: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
+Date: Fri, 20 Jan 2012 14:34:04 -0800
+Subject: kprobes: initialize before using a hlist
+
+From: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
+
+commit d496aab567e7e52b3e974c9192a5de6e77dce32c upstream.
+
+Commit ef53d9c5e ("kprobes: improve kretprobe scalability with hashed
+locking") introduced a bug where we can potentially leak
+kretprobe_instances since we initialize a hlist head after having used
+it.
+
+Initialize the hlist head before using it.
+
+Reported by: Jim Keniston <jkenisto@us.ibm.com>
+Acked-by: Jim Keniston <jkenisto@us.ibm.com>
+Signed-off-by: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
+Acked-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
+Cc: Srinivasa D S <srinivasa@in.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/kprobes.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1077,6 +1077,7 @@ void __kprobes kprobe_flush_task(struct
+               /* Early boot.  kretprobe_table_locks not yet initialized. */
+               return;
++      INIT_HLIST_HEAD(&empty_rp);
+       hash = hash_ptr(tk, KPROBE_HASH_BITS);
+       head = &kretprobe_inst_table[hash];
+       kretprobe_table_lock(hash, &flags);
+@@ -1085,7 +1086,6 @@ void __kprobes kprobe_flush_task(struct
+                       recycle_rp_inst(ri, &empty_rp);
+       }
+       kretprobe_table_unlock(hash, &flags);
+-      INIT_HLIST_HEAD(&empty_rp);
+       hlist_for_each_entry_safe(ri, node, tmp, &empty_rp, hlist) {
+               hlist_del(&ri->hlist);
+               kfree(ri);
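Review bot: Moving INIT_HLIST_HEAD(&empty_rp) ahead of the recycle loop fixes the ordering, but the list's validity still depends on statement order inside kprobe_flush_task; the declaration of empty_rp is outside the hunk, and initialising it at that point with `HLIST_HEAD(empty_rp);` would make the head valid from its declaration and rule out a repeat of this bug. The early-boot `return` just above the new line is fine, since nothing touches the list before it. Both hunks of this file belong to the same function, which begins and ends outside them.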
diff --git a/queue-3.0/mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch b/queue-3.0/mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch
new file mode 100644 (file)
index 0000000..bf9c1b4
--- /dev/null
@@ -0,0 +1,88 @@
+From 687875fb7de4a95223af20ee024282fa9099f860 Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.cz>
+Date: Fri, 20 Jan 2012 14:33:55 -0800
+Subject: mm: fix NULL ptr dereference in __count_immobile_pages
+
+From: Michal Hocko <mhocko@suse.cz>
+
+commit 687875fb7de4a95223af20ee024282fa9099f860 upstream.
+
+Fix the following NULL ptr dereference caused by
+
+  cat /sys/devices/system/memory/memory0/removable
+
+Pid: 13979, comm: sed Not tainted 3.0.13-0.5-default #1 IBM BladeCenter LS21 -[7971PAM]-/Server Blade
+RIP: __count_immobile_pages+0x4/0x100
+Process sed (pid: 13979, threadinfo ffff880221c36000, task ffff88022e788480)
+Call Trace:
+  is_pageblock_removable_nolock+0x34/0x40
+  is_mem_section_removable+0x74/0xf0
+  show_mem_removable+0x41/0x70
+  sysfs_read_file+0xfe/0x1c0
+  vfs_read+0xc7/0x130
+  sys_read+0x53/0xa0
+  system_call_fastpath+0x16/0x1b
+
+We are crashing because we are trying to dereference NULL zone which
+came from pfn=0 (struct page ffffea0000000000). According to the boot
+log this page is marked reserved:
+e820 update range: 0000000000000000 - 0000000000010000 (usable) ==> (reserved)
+
+and early_node_map confirms that:
+early_node_map[3] active PFN ranges
+    1: 0x00000010 -> 0x0000009c
+    1: 0x00000100 -> 0x000bffa3
+    1: 0x00100000 -> 0x00240000
+
+The problem is that memory_present works in PAGE_SECTION_MASK aligned
+blocks so the reserved range sneaks into the the section as well.  This
+also means that free_area_init_node will not take care of those reserved
+pages and they stay uninitialized.
+
+When we try to read the removable status we walk through all available
+sections and hope that the zone is valid for all pages in the section.
+But this is not true in this case as the zone and nid are not initialized.
+
+We have only one node in this particular case and it is marked as node=1
+(rather than 0) and that made the problem visible because page_to_nid will
+return 0 and there are no zones on the node.
+
+Let's check that the zone is valid and that the given pfn falls into its
+boundaries and mark the section not removable.  This might cause some
+false positives, probably, but we do not have any sane way to find out
+whether the page is reserved by the platform or it is just not used for
+whatever other reasons.
+
+Signed-off-by: Michal Hocko <mhocko@suse.cz>
+Acked-by: Mel Gorman <mgorman@suse.de>
+Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: David Rientjes <rientjes@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/page_alloc.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -5565,6 +5565,17 @@ __count_immobile_pages(struct zone *zone
+ bool is_pageblock_removable_nolock(struct page *page)
+ {
+       struct zone *zone = page_zone(page);
++      unsigned long pfn = page_to_pfn(page);
++
++      /*
++       * We have to be careful here because we are iterating over memory
++       * sections which are not zone aware so we might end up outside of
++       * the zone but still within the section.
++       */
++      if (!zone || zone->zone_start_pfn > pfn ||
++                      zone->zone_start_pfn + zone->spanned_pages <= pfn)
++              return false;
++
+       return __count_immobile_pages(zone, page, 0);
+ }
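Review bot: The new guard in is_pageblock_removable_nolock explains why the zone may not match the page but not what the caller gets: `return false` reports the pageblock as not removable, which the changelog acknowledges may be a false positive. Extending the comment with `* Treat such a page as non-removable: a false positive here is safer` / `* than dereferencing an uninitialised zone.` keeps that trade-off next to the code rather than only in the commit message. The bound check is spelled out inline as `zone_start_pfn <= pfn < zone_start_pfn + spanned_pages`; whether this tree offers a helper for it is not visible from the hunk.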
diff --git a/queue-3.0/proc-clear_refs-do-not-clear-reserved-pages.patch b/queue-3.0/proc-clear_refs-do-not-clear-reserved-pages.patch
new file mode 100644 (file)
index 0000000..eb0219d
--- /dev/null
@@ -0,0 +1,62 @@
+From 85e72aa5384b1a614563ad63257ded0e91d1a620 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Fri, 20 Jan 2012 14:34:09 -0800
+Subject: proc: clear_refs: do not clear reserved pages
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 85e72aa5384b1a614563ad63257ded0e91d1a620 upstream.
+
+/proc/pid/clear_refs is used to clear the Referenced and YOUNG bits for
+pages and corresponding page table entries of the task with PID pid, which
+includes any special mappings inserted into the page tables in order to
+provide things like vDSOs and user helper functions.
+
+On ARM this causes a problem because the vectors page is mapped as a
+global mapping and since ec706dab ("ARM: add a vma entry for the user
+accessible vector page"), a VMA is also inserted into each task for this
+page to aid unwinding through signals and syscall restarts.  Since the
+vectors page is required for handling faults, clearing the YOUNG bit (and
+subsequently writing a faulting pte) means that we lose the vectors page
+*globally* and cannot fault it back in.  This results in a system deadlock
+on the next exception.
+
+To see this problem in action, just run:
+
+       $ echo 1 > /proc/self/clear_refs
+
+on an ARM platform (as any user) and watch your system hang.  I think this
+has been the case since 2.6.37
+
+This patch avoids clearing the aforementioned bits for reserved pages,
+therefore leaving the vectors page intact on ARM.  Since reserved pages
+are not candidates for swap, this change should not have any impact on the
+usefulness of clear_refs.
+
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Reported-by: Moussa Ba <moussaba@micron.com>
+Acked-by: Hugh Dickins <hughd@google.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Russell King <rmk@arm.linux.org.uk>
+Acked-by: Nicolas Pitre <nico@linaro.org>
+Cc: Matt Mackall <mpm@selenic.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/proc/task_mmu.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -516,6 +516,9 @@ static int clear_refs_pte_range(pmd_t *p
+               if (!page)
+                       continue;
++              if (PageReserved(page))
++                      continue;
++
+               /* Clear accessed and referenced bits. */
+               ptep_test_and_clear_young(vma, addr, pte);
+               ClearPageReferenced(page);
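Review bot: The new `if (PageReserved(page)) continue;` in clear_refs_pte_range has no comment, so the reason it exists (a reserved, globally mapped page such as the ARM vectors page must keep its young bit, and reserved pages are not swap candidates anyway) lives only in the changelog. Suggest placing `/* Reserved pages are not swap candidates and may be mapped globally (ARM vectors page); leave their young/referenced bits alone. */` above the test. clear_refs_pte_range starts and ends outside the hunk.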
diff --git a/queue-3.0/score-fix-off-by-one-index-into-syscall-table.patch b/queue-3.0/score-fix-off-by-one-index-into-syscall-table.patch
new file mode 100644 (file)
index 0000000..03b0ec2
--- /dev/null
@@ -0,0 +1,44 @@
+From c25a785d6647984505fa165b5cd84cfc9a95970b Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 20 Jan 2012 14:34:27 -0800
+Subject: score: fix off-by-one index into syscall table
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit c25a785d6647984505fa165b5cd84cfc9a95970b upstream.
+
+If the provided system call number is equal to __NR_syscalls, the
+current check will pass and a function pointer just after the system
+call table may be called, since sys_call_table is an array with total
+size __NR_syscalls.
+
+Whether or not this is a security bug depends on what the compiler puts
+immediately after the system call table.  It's likely that this won't do
+anything bad because there is an additional NULL check on the syscall
+entry, but if there happens to be a non-NULL value immediately after the
+system call table, this may result in local privilege escalation.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Cc: Chen Liqin <liqin.chen@sunplusct.com>
+Cc: Lennox Wu <lennox.wu@gmail.com>
+Cc: Eugene Teo <eugeneteo@kernel.sg>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/score/kernel/entry.S |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/score/kernel/entry.S
++++ b/arch/score/kernel/entry.S
+@@ -408,7 +408,7 @@ ENTRY(handle_sys)
+       sw      r9, [r0, PT_EPC]
+       cmpi.c  r27, __NR_syscalls      # check syscall number
+-      bgtu    illegal_syscall
++      bgeu    illegal_syscall
+       slli    r8, r27, 2              # get syscall routine
+       la      r11, sys_call_table
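Review bot: The `bgtu` to `bgeu` change correctly rejects a syscall number equal to __NR_syscalls, but the comment on the preceding `cmpi.c` still reads only `# check syscall number` and does not state the boundary that was previously got wrong; suggest `cmpi.c  r27, __NR_syscalls      # valid numbers are 0 .. __NR_syscalls-1`. As the unsigned branch suggests, the same test also rejects negative values presented as large unsigned numbers, which is worth saying in the same comment. handle_sys continues outside the hunk.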
index eb0012a3b3dbea0ad02af16aa4d4a25dfff35e10..c65b6fced6f02bd4edec714cc8e8f5b590eee774 100644 (file)
@@ -81,3 +81,10 @@ pnfs-obj-pnfs-errors-are-communicated-on-iodata-pnfs_error.patch
 pnfs-obj-must-return-layout-on-io-error.patch
 net-fix-driver-name-for-mdio-gpio.c.patch
 i2c-eg20t-modified-the-setting-of-transfer-rate.patch
+score-fix-off-by-one-index-into-syscall-table.patch
+kprobes-initialize-before-using-a-hlist.patch
+proc-clear_refs-do-not-clear-reserved-pages.patch
+mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch
+iwlagn-check-for-smps-mode.patch
+iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch
+ubifs-make-debugging-messages-light-again.patch
diff --git a/queue-3.0/ubifs-make-debugging-messages-light-again.patch b/queue-3.0/ubifs-make-debugging-messages-light-again.patch
new file mode 100644 (file)
index 0000000..5585af9
--- /dev/null
@@ -0,0 +1,54 @@
+From 1f5d78dc4823a85f112aaa2d0f17624f8c2a6c52 Mon Sep 17 00:00:00 2001
+From: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Date: Wed, 11 Jan 2012 15:13:27 +0200
+Subject: UBIFS: make debugging messages light again
+
+From: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+
+commit 1f5d78dc4823a85f112aaa2d0f17624f8c2a6c52 upstream.
+
+We switch to dynamic debugging in commit
+56e46742e846e4de167dde0e1e1071ace1c882a5 but did not take into account that
+now we do not control anymore whether a specific message is enabled or not.
+So now we lock the "dbg_lock" and release it in every debugging macro, which
+make them not so light-weight.
+
+This commit removes the "dbg_lock" protection from the debugging macros to
+fix the issue.
+
+The downside is that now our DBGKEY() stuff is broken, but this is not
+critical at all and will be fixed later.
+
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ fs/ubifs/debug.h |   12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/fs/ubifs/debug.h
++++ b/fs/ubifs/debug.h
+@@ -121,17 +121,15 @@ const char *dbg_key_str1(const struct ub
+                        const union ubifs_key *key);
+ /*
+- * DBGKEY macros require @dbg_lock to be held, which it is in the dbg message
+- * macros.
++ * TODO: these macros are now broken because there is no locking around them
++ * and we use a global buffer for the key string. This means that in case of
++ * concurrent execution we will end up with incorrect and messy key strings.
+  */
+ #define DBGKEY(key) dbg_key_str0(c, (key))
+ #define DBGKEY1(key) dbg_key_str1(c, (key))
+-#define ubifs_dbg_msg(type, fmt, ...) do {                        \
+-      spin_lock(&dbg_lock);                                     \
+-      pr_debug("UBIFS DBG " type ": " fmt "\n", ##__VA_ARGS__); \
+-      spin_unlock(&dbg_lock);                                   \
+-} while (0)
++#define ubifs_dbg_msg(type, fmt, ...) \
++      pr_debug("UBIFS DBG " type ": " fmt "\n", ##__VA_ARGS__)
+ /* Just a debugging messages not related to any specific UBIFS subsystem */
+ #define dbg_msg(fmt, ...)                                                     \