--- /dev/null
+From 3c322a56b01695df15c70bfdc2d02e0ccd80654e Mon Sep 17 00:00:00 2001
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+Date: Fri, 9 Aug 2013 11:44:06 +0200
+Subject: can: pcan_usb: fix wrong memcpy() bytes length
+
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+
+commit 3c322a56b01695df15c70bfdc2d02e0ccd80654e upstream.
+
+Fix possibly wrong memcpy() bytes length since some CAN records received from
+PCAN-USB could define a DLC field in range [9..15].
+In that case, the real DLC value MUST be used to move forward the record pointer
+but, only 8 bytes max. MUST be copied into the data field of the struct
+can_frame object of the skb given to the network core.
+
+Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb.c
+@@ -649,7 +649,7 @@ static int pcan_usb_decode_data(struct p
+ if ((mc->ptr + rec_len) > mc->end)
+ goto decode_failed;
+
+- memcpy(cf->data, mc->ptr, rec_len);
++ memcpy(cf->data, mc->ptr, cf->can_dlc);
+ mc->ptr += rec_len;
+ }
+
--- /dev/null
+From 58ad436fcf49810aa006016107f494c9ac9013db Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 13 Aug 2013 09:04:05 +0200
+Subject: genetlink: fix family dump race
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 58ad436fcf49810aa006016107f494c9ac9013db upstream.
+
+When dumping generic netlink families, only the first dump call
+is locked with genl_lock(), which protects the list of families,
+and thus subsequent calls can access the data without locking,
+racing against family addition/removal. This can cause a crash.
+Fix it - the locking needs to be conditional because the first
+time around it's already locked.
+
+A similar bug was reported to me on an old kernel (3.4.47) but
+the exact scenario that happened there is no longer possible,
+on those kernels the first round wasn't locked either. Looking
+at the current code I found the race described above, which had
+also existed on the old kernel.
+
+Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netlink/genetlink.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/netlink/genetlink.c
++++ b/net/netlink/genetlink.c
+@@ -744,6 +744,10 @@ static int ctrl_dumpfamily(struct sk_buf
+ struct net *net = sock_net(skb->sk);
+ int chains_to_skip = cb->args[0];
+ int fams_to_skip = cb->args[1];
++ bool need_locking = chains_to_skip || fams_to_skip;
++
++ if (need_locking)
++ genl_lock();
+
+ for (i = chains_to_skip; i < GENL_FAM_TAB_SIZE; i++) {
+ n = 0;
+@@ -765,6 +769,9 @@ errout:
+ cb->args[0] = i;
+ cb->args[1] = n;
+
++ if (need_locking)
++ genl_unlock();
++
+ return skb->len;
+ }
+
--- /dev/null
+From 788f7a56fce1bcb2067b62b851a086fca48a0056 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Thu, 1 Aug 2013 12:07:55 +0200
+Subject: iwl4965: reset firmware after rfkill off
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit 788f7a56fce1bcb2067b62b851a086fca48a0056 upstream.
+
+Using rfkill switch can make firmware unstable, what cause various
+Microcode errors and kernel warnings. Reseting firmware just after
+rfkill off (radio on) helped with that.
+
+Resolve:
+https://bugzilla.redhat.com/show_bug.cgi?id=977053
+
+Reported-and-tested-by: Justin Pearce <whitefox@guardianfox.net>
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlegacy/4965-mac.c | 10 +++++-----
+ drivers/net/wireless/iwlegacy/common.c | 1 +
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/iwlegacy/4965-mac.c
++++ b/drivers/net/wireless/iwlegacy/4965-mac.c
+@@ -4411,12 +4411,12 @@ il4965_irq_tasklet(struct il_priv *il)
+ * is killed. Hence update the killswitch state here. The
+ * rfkill handler will care about restarting if needed.
+ */
+- if (!test_bit(S_ALIVE, &il->status)) {
+- if (hw_rf_kill)
+- set_bit(S_RFKILL, &il->status);
+- else
+- clear_bit(S_RFKILL, &il->status);
++ if (hw_rf_kill) {
++ set_bit(S_RFKILL, &il->status);
++ } else {
++ clear_bit(S_RFKILL, &il->status);
+ wiphy_rfkill_set_hw_state(il->hw->wiphy, hw_rf_kill);
++ il_force_reset(il, true);
+ }
+
+ handled |= CSR_INT_BIT_RF_KILL;
+--- a/drivers/net/wireless/iwlegacy/common.c
++++ b/drivers/net/wireless/iwlegacy/common.c
+@@ -4659,6 +4659,7 @@ il_force_reset(struct il_priv *il, bool
+
+ return 0;
+ }
++EXPORT_SYMBOL(il_force_reset);
+
+ int
+ il_mac_change_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
--- /dev/null
+From eca396d7a5bdcc1fd67b1b12f737c213ac78a6f4 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Thu, 1 Aug 2013 12:07:13 +0200
+Subject: iwl4965: set power mode early
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit eca396d7a5bdcc1fd67b1b12f737c213ac78a6f4 upstream.
+
+If device was put into a sleep and system was restarted or module
+reloaded, we have to wake device up before sending other commands.
+Otherwise it will fail to start with Microcode error.
+
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlegacy/4965-mac.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/iwlegacy/4965-mac.c
++++ b/drivers/net/wireless/iwlegacy/4965-mac.c
+@@ -5285,6 +5285,9 @@ il4965_alive_start(struct il_priv *il)
+
+ il->active_rate = RATES_MASK;
+
++ il_power_update_mode(il, true);
++ D_INFO("Updated power mode\n");
++
+ if (il_is_associated(il)) {
+ struct il_rxon_cmd *active_rxon =
+ (struct il_rxon_cmd *)&il->active;
+@@ -5315,9 +5318,6 @@ il4965_alive_start(struct il_priv *il)
+ D_INFO("ALIVE processing complete.\n");
+ wake_up(&il->wait_command_queue);
+
+- il_power_update_mode(il, true);
+- D_INFO("Updated power mode\n");
+-
+ return;
+
+ restart:
sparc32-add-ucmpdi2.o-to-obj-y-instead-of-lib-y.patch
mips-rewrite-pfn_valid-to-work-in-modules-too.patch
af_key-initialize-satype-in-key_notify_policy_flush.patch
+iwl4965-set-power-mode-early.patch
+iwl4965-reset-firmware-after-rfkill-off.patch
+can-pcan_usb-fix-wrong-memcpy-bytes-length.patch
+genetlink-fix-family-dump-race.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
