3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 Jul 2013 04:57:02 +0000 (21:57 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 Jul 2013 04:57:02 +0000 (21:57 -0700)
added patches:
mac80211-close-ap_vlan-interfaces-before-unregistering-all.patch
printk-fix-rq-lock-vs-logbuf_lock-unlock-lock-inversion.patch
svcrpc-fix-failures-to-handle-1-uid-s.patch
svcrpc-fix-handling-of-too-short-rpc-s.patch
uprobes-fix-return-value-in-error-handling-path.patch

queue-3.10/mac80211-close-ap_vlan-interfaces-before-unregistering-all.patch [new file with mode: 0644]
queue-3.10/printk-fix-rq-lock-vs-logbuf_lock-unlock-lock-inversion.patch [new file with mode: 0644]
queue-3.10/series
queue-3.10/svcrpc-fix-failures-to-handle-1-uid-s.patch [new file with mode: 0644]
queue-3.10/svcrpc-fix-handling-of-too-short-rpc-s.patch [new file with mode: 0644]
queue-3.10/uprobes-fix-return-value-in-error-handling-path.patch [new file with mode: 0644]

diff --git a/queue-3.10/mac80211-close-ap_vlan-interfaces-before-unregistering-all.patch b/queue-3.10/mac80211-close-ap_vlan-interfaces-before-unregistering-all.patch
new file mode 100644 (file)
index 0000000..13f9b06
--- /dev/null
@@ -0,0 +1,46 @@
+From 4c8a9d4bfaf7dbc7d2168494904d79d22cc01db7 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 24 May 2013 01:06:09 +0200
+Subject: mac80211: close AP_VLAN interfaces before unregistering all
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 4c8a9d4bfaf7dbc7d2168494904d79d22cc01db7 upstream.
+
+Since Eric's commit efe117ab8 ("Speedup ieee80211_remove_interfaces")
+there's a bug in mac80211 when it unregisters with AP_VLAN interfaces
+up. If the AP_VLAN interface was registered after the AP it belongs
+to (which is the typical case) and then we get into this code path,
+unregister_netdevice_many() will crash because it isn't prepared to
+deal with interfaces being closed in the middle of it. Exactly this
+happens though, because we iterate the list, find the AP master this
+AP_VLAN belongs to and dev_close() the dependent VLANs. After this,
+unregister_netdevice_many() won't pick up the fact that the AP_VLAN
+is already down and will do it again, causing a crash.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/iface.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1726,6 +1726,15 @@ void ieee80211_remove_interfaces(struct
+               if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
+                       dev_close(sdata->dev);
++      /*
++       * Close all AP_VLAN interfaces first, as otherwise they
++       * might be closed while the AP interface they belong to
++       * is closed, causing unregister_netdevice_many() to crash.
++       */
++      list_for_each_entry(sdata, &local->interfaces, list)
++              if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
++                      dev_close(sdata->dev);
++
+       mutex_lock(&local->iflist_mtx);
+       list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
+               list_del(&sdata->list);
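Review bot: The added `list_for_each_entry(sdata, &local->interfaces, list)` walk runs before `mutex_lock(&local->iflist_mtx)`, and the new comment explains the ordering but not what keeps the list stable while `dev_close()` is called on its entries. If the caller's RTNL lock is what protects the walk (not visible in this hunk), the comment should say so, for example by appending `Runs under RTNL only; iflist_mtx is taken afterwards.`. Separately, the two context lines above the added block, as rendered here, already read `if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)` / `dev_close(sdata->dev);`, so the queued patch's context is worth checking against the 3.10 iface.c before it is applied. ieee80211_remove_interfaces() starts and ends outside the hunk.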
diff --git a/queue-3.10/printk-fix-rq-lock-vs-logbuf_lock-unlock-lock-inversion.patch b/queue-3.10/printk-fix-rq-lock-vs-logbuf_lock-unlock-lock-inversion.patch
new file mode 100644 (file)
index 0000000..5c1fd72
--- /dev/null
@@ -0,0 +1,40 @@
+From dbda92d16f8655044e082930e4e9d244b87fde77 Mon Sep 17 00:00:00 2001
+From: "Bu, Yitian" <ybu@qti.qualcomm.com>
+Date: Mon, 18 Feb 2013 12:53:37 +0000
+Subject: printk: Fix rq->lock vs logbuf_lock unlock lock inversion
+
+From: "Bu, Yitian" <ybu@qti.qualcomm.com>
+
+commit dbda92d16f8655044e082930e4e9d244b87fde77 upstream.
+
+commit 07354eb1a74d1 ("locking printk: Annotate logbuf_lock as raw")
+reintroduced a lock inversion problem which was fixed in commit
+0b5e1c5255 ("printk: Release console_sem after logbuf_lock"). This
+happened probably when fixing up patch rejects.
+
+Restore the ordering and unlock logbuf_lock before releasing
+console_sem.
+
+Signed-off-by: ybu <ybu@qti.qualcomm.com>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Link: http://lkml.kernel.org/r/E807E903FE6CBE4D95E420FBFCC273B827413C@nasanexd01h.na.qualcomm.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/printk.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/printk.c
++++ b/kernel/printk.c
+@@ -1369,9 +1369,9 @@ static int console_trylock_for_printk(un
+               }
+       }
+       logbuf_cpu = UINT_MAX;
++      raw_spin_unlock(&logbuf_lock);
+       if (wake)
+               up(&console_sem);
+-      raw_spin_unlock(&logbuf_lock);
+       return retval;
+ }
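Review bot: The unlock order at the end of console_trylock_for_printk() is now load-bearing, but nothing at the moved line records it. The commit message says the same inversion was already reintroduced once while fixing up patch rejects. A comment above `raw_spin_unlock(&logbuf_lock);` would guard against a third occurrence, for example `/* Drop logbuf_lock before up(): up() may wake a waiter and take rq->lock. */`. The rq->lock detail is taken from the patch subject and should be confirmed against the upstream thread. The function starts outside the hunk.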
index e76fa54d2c8e33ae68a95a8ab313af72a42abcd4..2bffb0229b5f639591e3467db62ae4fa1af6f76f 100644 (file)
@@ -69,3 +69,8 @@ sunrpc-pipefs-mount-notification-optimization-for-dying-clients.patch
 sunrpc-fix-races-on-pipefs-umount-notifications.patch
 virtio_balloon-leak_balloon-only-tell-host-if-we-got-pages-deflated.patch
 b43-ensue-that-bcma-is-y-when-b43-is-y.patch
+mac80211-close-ap_vlan-interfaces-before-unregistering-all.patch
+printk-fix-rq-lock-vs-logbuf_lock-unlock-lock-inversion.patch
+uprobes-fix-return-value-in-error-handling-path.patch
+svcrpc-fix-failures-to-handle-1-uid-s.patch
+svcrpc-fix-handling-of-too-short-rpc-s.patch
diff --git a/queue-3.10/svcrpc-fix-failures-to-handle-1-uid-s.patch b/queue-3.10/svcrpc-fix-failures-to-handle-1-uid-s.patch
new file mode 100644 (file)
index 0000000..297b165
--- /dev/null
@@ -0,0 +1,41 @@
+From 0979292bfa301cb87d936b69af428090d2feea1b Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Mon, 8 Jul 2013 13:44:45 -0400
+Subject: svcrpc: fix failures to handle -1 uid's
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit 0979292bfa301cb87d936b69af428090d2feea1b upstream.
+
+As of f025adf191924e3a75ce80e130afcd2485b53bb8 "sunrpc: Properly decode
+kuids and kgids in RPC_AUTH_UNIX credentials" any rpc containing a -1
+(0xffff) uid or gid would fail with a badcred error.
+
+Commit afe3c3fd5392b2f0066930abc5dbd3f4b14a0f13 "svcrpc: fix failures to
+handle -1 uid's and gid's" fixed part of the problem, but overlooked the
+gid upcall--the kernel can request supplementary gid's for the -1 uid,
+but mountd's attempt write a response will get -EINVAL.
+
+Symptoms were nfsd failing to reply to the first attempt to use a newly
+negotiated krb5 context.
+
+Reported-by: Sven Geggus <lists@fuchsschwanzdomain.de>
+Tested-by: Sven Geggus <lists@fuchsschwanzdomain.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/svcauth_unix.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/sunrpc/svcauth_unix.c
++++ b/net/sunrpc/svcauth_unix.c
+@@ -493,8 +493,6 @@ static int unix_gid_parse(struct cache_d
+       if (rv)
+               return -EINVAL;
+       uid = make_kuid(&init_user_ns, id);
+-      if (!uid_valid(uid))
+-              return -EINVAL;
+       ug.uid = uid;
+       expiry = get_expiry(&mesg);
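Review bot: With the `uid_valid(uid)` check removed, unix_gid_parse() stores whatever `make_kuid(&init_user_ns, id)` returns into `ug.uid`, and nothing in the visible lines says the invalid kuid is accepted on purpose. A one-line comment above `ug.uid = uid;`, such as `/* -1 is a legal key here: the kernel may upcall for it, so do not reject !uid_valid(). */`, would keep a later cleanup from re-adding the check and bringing back the -EINVAL on mountd's reply. Since this id arrives from a userspace write, it is also worth confirming that the gid values parsed further down in this function (outside the hunk) are still validated individually.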
diff --git a/queue-3.10/svcrpc-fix-handling-of-too-short-rpc-s.patch b/queue-3.10/svcrpc-fix-handling-of-too-short-rpc-s.patch
new file mode 100644 (file)
index 0000000..1893561
--- /dev/null
@@ -0,0 +1,50 @@
+From cf3aa02cb4a0c5af5557dd47f15a08a7df33182a Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Wed, 26 Jun 2013 11:09:06 -0400
+Subject: svcrpc: fix handling of too-short rpc's
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit cf3aa02cb4a0c5af5557dd47f15a08a7df33182a upstream.
+
+If we detect that an rpc is too short, we abort and close the
+connection.  Except, there's a bug here: we're leaving sk_datalen
+nonzero without leaving any pages in the sk_pages array.  The most
+likely result of the inconsistency is a subsequent crash in
+svc_tcp_clear_pages.
+
+Also demote the BUG_ON in svc_tcp_clear_pages to a WARN.
+
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/svcsock.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -917,7 +917,10 @@ static void svc_tcp_clear_pages(struct s
+       len = svsk->sk_datalen;
+       npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+       for (i = 0; i < npages; i++) {
+-              BUG_ON(svsk->sk_pages[i] == NULL);
++              if (svsk->sk_pages[i] == NULL) {
++                      WARN_ON_ONCE(1);
++                      continue;
++              }
+               put_page(svsk->sk_pages[i]);
+               svsk->sk_pages[i] = NULL;
+       }
+@@ -1092,8 +1095,10 @@ static int svc_tcp_recvfrom(struct svc_r
+               goto err_noclose;
+       }
+-      if (svc_sock_reclen(svsk) < 8)
++      if (svc_sock_reclen(svsk) < 8) {
++              svsk->sk_datalen = 0;
+               goto err_delete; /* client is nuts. */
++      }
+       rqstp->rq_arg.len = svsk->sk_datalen;
+       rqstp->rq_arg.page_base = 0;
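Review bot: In svc_tcp_clear_pages() the added `if (svsk->sk_pages[i] == NULL) { WARN_ON_ONCE(1); continue; }` loses the failing condition from the warning text. WARN_ON_ONCE() returns its condition, so the usual form is `if (WARN_ON_ONCE(svsk->sk_pages[i] == NULL))` followed by `continue;`. In svc_tcp_recvfrom() the new `svsk->sk_datalen = 0;` carries the actual fix but has no comment. Something like `/* no pages are held for this record; keep sk_datalen consistent with sk_pages */` would explain why the length is reset before `goto err_delete`, since the existing `/* client is nuts. */` only describes the peer. Both functions continue outside their hunks.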
diff --git a/queue-3.10/uprobes-fix-return-value-in-error-handling-path.patch b/queue-3.10/uprobes-fix-return-value-in-error-handling-path.patch
new file mode 100644 (file)
index 0000000..a51edb6
--- /dev/null
@@ -0,0 +1,46 @@
+From fa44063f9ef163c3a4c8d8c0465bb8a056b42035 Mon Sep 17 00:00:00 2001
+From: "zhangwei(Jovi)" <jovi.zhangwei@huawei.com>
+Date: Thu, 13 Jun 2013 14:21:51 +0800
+Subject: uprobes: Fix return value in error handling path
+
+From: "zhangwei(Jovi)" <jovi.zhangwei@huawei.com>
+
+commit fa44063f9ef163c3a4c8d8c0465bb8a056b42035 upstream.
+
+When wrong argument is passed into uprobe_events it does not return
+an error:
+
+[root@jovi tracing]# echo 'p:myprobe /bin/bash' > uprobe_events
+[root@jovi tracing]#
+
+The proper response is:
+
+[root@jovi tracing]# echo 'p:myprobe /bin/bash' > uprobe_events
+-bash: echo: write error: Invalid argument
+
+Link: http://lkml.kernel.org/r/51B964FF.5000106@huawei.com
+
+Signed-off-by: zhangwei(Jovi) <jovi.zhangwei@huawei.com>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: <srikar@linux.vnet.ibm.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_uprobe.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -283,8 +283,10 @@ static int create_trace_uprobe(int argc,
+               return -EINVAL;
+       }
+       arg = strchr(argv[1], ':');
+-      if (!arg)
++      if (!arg) {
++              ret = -EINVAL;
+               goto fail_address_parse;
++      }
+       *arg++ = '\0';
+       filename = argv[1];
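Review bot: `ret = -EINVAL;` had to be assigned by hand before `goto fail_address_parse`, which suggests the label returns whatever `ret` holds at that point. Any other `goto fail_address_parse` in create_trace_uprobe() that does not set `ret` first would silently report success in the same way. Those sites are outside this hunk and should be checked as part of the backport. A short comment at the label, e.g. `/* callers must set ret before jumping here */`, would make the contract explicit.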