From: Greg Kroah-Hartman
Date: Wed, 1 Aug 2012 20:22:47 +0000 (-0700)
Subject: 3.5-stable patches
X-Git-Tag: v3.5.1~31
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0af74daaa9d265d3471b259ccbc2122913b6dd71;p=thirdparty%2Fkernel%2Fstable-queue.git
3.5-stable patches
added patches:
b43-fix-crash-with-openfwwf.patch
ftrace-disable-function-tracing-during-suspend-resume-and-hibernation-again.patch
iwlwifi-check-bss-ctx-active-before-call-mac80211.patch
iwlwifi-fix-debug-print-in-iwl_sta_calc_ht_flags.patch
mac80211-fail-authentication-when-ap-denied-authentication.patch
mac80211-fix-crash-with-single-queue-drivers.patch
mac80211-fix-read-outside-array-bounds.patch
pm-sleep-call-early-resume-handlers-when-suspend_noirq-fails.patch
pm-sleep-require-cap_block_suspend-to-use-wake_lock-wake_unlock.patch
tpm-chip-disabled-state-erronously-being-reported-as-error.patch
tun-fix-a-crash-bug-and-a-memory-leak.patch
---
diff --git a/queue-3.5/b43-fix-crash-with-openfwwf.patch b/queue-3.5/b43-fix-crash-with-openfwwf.patch
new file mode 100644
index 00000000000..63107852e5f
--- /dev/null
+++ b/queue-3.5/b43-fix-crash-with-openfwwf.patch
@@ -0,0 +1,127 @@
+From 097b0e1bf18a00195cd89bb13565ddbc9b0df942 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Tue, 17 Jul 2012 17:12:29 +0200
+Subject: b43: fix crash with OpenFWWF
+
+From: Johannes Berg
+
+commit 097b0e1bf18a00195cd89bb13565ddbc9b0df942 upstream.
+
+b43 with open firmware crashes mac80211 because
+it changes the number of queues at runtime which,
+while it was never really supported, now crashes
+mac80211 due to the new hardware queue logic.
+
+Fix this by detecting open vs. proprietary fw
+earlier and registering with mac80211 with the
+right number of queues.
+
+Tested-by: Stefan Lippers-Hollmann
+Signed-off-by: Johannes Berg
+Signed-off-by: John W. Linville
+
+---
+ drivers/net/wireless/b43/b43.h | 7 -------
+ drivers/net/wireless/b43/main.c | 32 ++++++++++----------------------
+ 2 files changed, 10 insertions(+), 29 deletions(-)
+
+--- a/drivers/net/wireless/b43/b43.h
++++ b/drivers/net/wireless/b43/b43.h
+@@ -870,13 +870,6 @@ struct b43_wl {
+ * handler, only. This basically is just the IRQ mask register. */
+ spinlock_t hardirq_lock;
+
+- /* The number of queues that were registered with the mac80211 subsystem
+- * initially. This is a backup copy of hw->queues in case hw->queues has
+- * to be dynamically lowered at runtime (Firmware does not support QoS).
+- * hw->queues has to be restored to the original value before unregistering
+- * from the mac80211 subsystem. */
+- u16 mac80211_initially_registered_queues;
+-
+ /* Set this if we call ieee80211_register_hw() and check if we call
+ * ieee80211_unregister_hw(). */
+ bool hw_registred;
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -2359,6 +2359,8 @@ static int b43_try_request_fw(struct b43
+ if (err)
+ goto err_load;
+
++ fw->opensource = (ctx->req_type == B43_FWTYPE_OPENSOURCE);
++
+ return 0;
+
+ err_no_ucode:
+@@ -2434,6 +2436,10 @@ static void b43_request_firmware(struct
+ goto out;
+
+ start_ieee80211:
++ wl->hw->queues = B43_QOS_QUEUE_NUM;
++ if (!modparam_qos || dev->fw.opensource)
++ wl->hw->queues = 1;
++
+ err = ieee80211_register_hw(wl->hw);
+ if (err)
+ goto err_one_core_detach;
+@@ -2537,11 +2543,9 @@ static int b43_upload_microcode(struct b
+ dev->fw.hdr_format = B43_FW_HDR_410;
+ else
+ dev->fw.hdr_format = B43_FW_HDR_351;
+- dev->fw.opensource = (fwdate == 0xFFFF);
++ WARN_ON(dev->fw.opensource != (fwdate == 0xFFFF));
+
+- /* Default to use-all-queues. */
+- dev->wl->hw->queues = dev->wl->mac80211_initially_registered_queues;
+- dev->qos_enabled = !!modparam_qos;
++ dev->qos_enabled = dev->wl->hw->queues > 1;
+ /* Default to firmware/hardware crypto acceleration. */
+ dev->hwcrypto_enabled = true;
+
+@@ -2559,14 +2563,8 @@ static int b43_upload_microcode(struct b
+ /* Disable hardware crypto and fall back to software crypto. */
+ dev->hwcrypto_enabled = false;
+ }
+- if (!(fwcapa & B43_FWCAPA_QOS)) {
+- b43info(dev->wl, "QoS not supported by firmware\n");
+- /* Disable QoS. Tweak hw->queues to 1. It will be restored before
+- * ieee80211_unregister to make sure the networking core can
+- * properly free possible resources. */
+- dev->wl->hw->queues = 1;
+- dev->qos_enabled = false;
+- }
++ /* adding QoS support should use an offline discovery mechanism */
++ WARN(fwcapa & B43_FWCAPA_QOS, "QoS in OpenFW not supported\n");
+ } else {
+ b43info(dev->wl, "Loading firmware version %u.%u "
+ "(20%.2i-%.2i-%.2i %.2i:%.2i:%.2i)\n",
+@@ -5298,8 +5296,6 @@ static struct b43_wl *b43_wireless_init(
+
+ hw->wiphy->flags |= WIPHY_FLAG_IBSS_RSN;
+
+- hw->queues = modparam_qos ? B43_QOS_QUEUE_NUM : 1;
+- wl->mac80211_initially_registered_queues = hw->queues;
+ wl->hw_registred = false;
+ hw->max_rates = 2;
+ SET_IEEE80211_DEV(hw, dev->dev);
+@@ -5374,10 +5370,6 @@ static void b43_bcma_remove(struct bcma_
+
+ B43_WARN_ON(!wl);
+ if (wl->current_dev == wldev && wl->hw_registred) {
+- /* Restore the queues count before unregistering, because firmware detect
+- * might have modified it. Restoring is important, so the networking
+- * stack can properly free resources. */
+- wl->hw->queues = wl->mac80211_initially_registered_queues;
+ b43_leds_stop(wldev);
+ ieee80211_unregister_hw(wl->hw);
+ }
+@@ -5452,10 +5444,6 @@ static void b43_ssb_remove(struct ssb_de
+
+ B43_WARN_ON(!wl);
+ if (wl->current_dev == wldev && wl->hw_registred) {
+- /* Restore the queues count before unregistering, because firmware detect
+- * might have modified it. Restoring is important, so the networking
+- * stack can properly free resources. */
+- wl->hw->queues = wl->mac80211_initially_registered_queues;
+ b43_leds_stop(wldev);
+ ieee80211_unregister_hw(wl->hw);
+ }
diff --git a/queue-3.5/ftrace-disable-function-tracing-during-suspend-resume-and-hibernation-again.patch b/queue-3.5/ftrace-disable-function-tracing-during-suspend-resume-and-hibernation-again.patch
new file mode 100644
index 00000000000..79a2cb3d33e
--- /dev/null
+++ b/queue-3.5/ftrace-disable-function-tracing-during-suspend-resume-and-hibernation-again.patch
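Review bot: In b43_upload_microcode() a disagreement between the early `fw->opensource` value (derived from `ctx->req_type`) and the firmware's own `fwdate == 0xFFFF` marker only raises `WARN_ON`, and the upload then continues with whatever `hw->queues` was registered from the early guess. Whether the two can actually differ is not determinable from these hunks, but if they do, `dev->qos_enabled = dev->wl->hw->queues > 1` again leaves the driver running with a queue count that does not match the loaded firmware, which is the crash this patch sets out to remove. Consider treating the mismatch as an upload failure, e.g. `if (WARN_ON(dev->fw.opensource != (fwdate == 0xFFFF)))` followed by a jump to the function's existing error path. The body of b43_upload_microcode() extends beyond the hunk, so the right error label has to be taken from the full file.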
@@ -0,0 +1,108 @@
+From 443772d408a25af62498793f6f805ce3c559309a Mon Sep 17 00:00:00 2001
+From: "Srivatsa S. Bhat"
+Date: Sat, 16 Jun 2012 15:30:45 +0200
+Subject: ftrace: Disable function tracing during suspend/resume and hibernation, again
+
+From: "Srivatsa S. Bhat"
+
+commit 443772d408a25af62498793f6f805ce3c559309a upstream.
+
+If function tracing is enabled for some of the low-level suspend/resume
+functions, it leads to triple fault during resume from suspend, ultimately
+ending up in a reboot instead of a resume (or a total refusal to come out
+of suspended state, on some machines).
+
+This issue was explained in more detail in commit f42ac38c59e0a03d (ftrace:
+disable tracing for suspend to ram). However, the changes made by that commit
+got reverted by commit cbe2f5a6e84eebb (tracing: allow tracing of
+suspend/resume & hibernation code again). So, unfortunately since things are
+not yet robust enough to allow tracing of low-level suspend/resume functions,
+suspend/resume is still broken when ftrace is enabled.
+
+So fix this by disabling function tracing during suspend/resume & hibernation.
+
+Signed-off-by: Srivatsa S. Bhat
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/power/hibernate.c | 6 ++++++
+ kernel/power/suspend.c | 3 +++
+ 2 files changed, 9 insertions(+)
+
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -353,6 +353,7 @@ int hibernation_snapshot(int platform_mo
+ }
+
+ suspend_console();
++ ftrace_stop();
+ pm_restrict_gfp_mask();
+
+ error = dpm_suspend(PMSG_FREEZE);
+@@ -378,6 +379,7 @@ int hibernation_snapshot(int platform_mo
+ if (error || !in_suspend)
+ pm_restore_gfp_mask();
+
++ ftrace_start();
+ resume_console();
+ dpm_complete(msg);
+
+@@ -480,6 +482,7 @@ int hibernation_restore(int platform_mod
+
+ pm_prepare_console();
+ suspend_console();
++ ftrace_stop();
+ pm_restrict_gfp_mask();
+ error = dpm_suspend_start(PMSG_QUIESCE);
+ if (!error) {
+@@ -487,6 +490,7 @@ int hibernation_restore(int platform_mod
+ dpm_resume_end(PMSG_RECOVER);
+ }
+ pm_restore_gfp_mask();
++ ftrace_start();
+ resume_console();
+ pm_restore_console();
+ return error;
+@@ -513,6 +517,7 @@ int hibernation_platform_enter(void)
+
+ entering_platform_hibernation = true;
+ suspend_console();
++ ftrace_stop();
+ error = dpm_suspend_start(PMSG_HIBERNATE);
+ if (error) {
+ if (hibernation_ops->recover)
+@@ -556,6 +561,7 @@ int hibernation_platform_enter(void)
+ Resume_devices:
+ entering_platform_hibernation = false;
+ dpm_resume_end(PMSG_RESTORE);
++ ftrace_start();
+ resume_console();
+
+ Close:
+--- a/kernel/power/suspend.c
++++ b/kernel/power/suspend.c
+@@ -24,6 +24,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include "power.h"
+@@ -212,6 +213,7 @@ int suspend_devices_and_enter(suspend_st
+ goto Close;
+ }
+ suspend_console();
++ ftrace_stop();
+ suspend_test_start();
+ error = dpm_suspend_start(PMSG_SUSPEND);
+ if (error) {
+@@ -231,6 +233,7 @@ int suspend_devices_and_enter(suspend_st
+ suspend_test_start();
+ dpm_resume_end(PMSG_RESUME);
+ suspend_test_finish("resume devices");
++ ftrace_start();
+ resume_console();
+ Close:
+ if (suspend_ops->end)
diff --git a/queue-3.5/iwlwifi-check-bss-ctx-active-before-call-mac80211.patch b/queue-3.5/iwlwifi-check-bss-ctx-active-before-call-mac80211.patch
new file mode 100644
index 00000000000..4c38bb7e8a8
--- /dev/null
+++ b/queue-3.5/iwlwifi-check-bss-ctx-active-before-call-mac80211.patch
@@ -0,0 +1,40 @@
+From e19ebcab01cc130fa832764d453b263460ec3b91 Mon Sep 17 00:00:00 2001
+From: Ilan Peer
+Date: Thu, 10 May 2012 15:53:14 +0300
+Subject: iwlwifi: Check BSS ctx active before call mac80211
+
+From: Ilan Peer
+
+commit e19ebcab01cc130fa832764d453b263460ec3b91 upstream.
+
+It is possible that the BSS context is not active (for example
+when the current mode is set to GO), or that the vif->type is
+different than station. In such a case we cannot
+call mac80211 to report the average rssi for the interface
+(the function assumes that the vif is valid and that the type
+is station).
+
+Reported-by: Daniel J Blueman
+Reviewed-by: Emmanuel Grumbach
+Signed-off-by: Ilan Peer
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/iwlwifi/iwl-agn-lib.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
+@@ -617,6 +617,11 @@ static bool iwlagn_fill_txpower_mode(str
+ struct iwl_rxon_context *ctx = &priv->contexts[IWL_RXON_CTX_BSS];
+ int ave_rssi;
+
++ if (!ctx->vif || (ctx->vif->type != NL80211_IFTYPE_STATION)) {
++ IWL_DEBUG_INFO(priv, "BSS ctx not active or not in sta mode\n");
++ return false;
++ }
++
+ ave_rssi = ieee80211_ave_rssi(ctx->vif);
+ if (!ave_rssi) {
+ /* no rssi data, no changes to reduce tx power */
diff --git a/queue-3.5/iwlwifi-fix-debug-print-in-iwl_sta_calc_ht_flags.patch b/queue-3.5/iwlwifi-fix-debug-print-in-iwl_sta_calc_ht_flags.patch
new file mode 100644
index 00000000000..ec59b515567
--- /dev/null
+++ b/queue-3.5/iwlwifi-fix-debug-print-in-iwl_sta_calc_ht_flags.patch
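Review bot: The `ftrace_stop()` / `ftrace_start()` pairs in the ftrace patch (hibernation_snapshot, hibernation_restore, hibernation_platform_enter, suspend_devices_and_enter) are added without any comment, so the reason they must sit inside the `suspend_console()` / `resume_console()` window lives only in the commit message, and the message itself records that an earlier version of this protection was reverted. A short comment at each stop site would guard against a second revert, for example `/* tracing low-level suspend/resume code can triple-fault on resume; keep function tracing off until devices are back */`. The function bodies extend beyond these hunks, so it is also worth confirming in the full file that every error exit taken after `ftrace_stop()` reaches the matching `ftrace_start()`; a missed path would leave function tracing silently off after a failed suspend, which matters to anyone relying on it for diagnostics.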
@@ -0,0 +1,32 @@
+From a35e270881a5db1ec9ac8bc6d61ebc3e85c14f33 Mon Sep 17 00:00:00 2001
+From: Meenakshi Venkataraman
+Date: Wed, 16 May 2012 22:40:50 +0200
+Subject: iwlwifi: fix debug print in iwl_sta_calc_ht_flags
+
+From: Meenakshi Venkataraman
+
+commit a35e270881a5db1ec9ac8bc6d61ebc3e85c14f33 upstream.
+
+We missed passing an argument to the
+debug print. Fix it.
+
+Signed-off-by: Meenakshi Venkataraman
+Reviewed-by: Emmanuel Grumbach
+Signed-off-by: Johannes Berg
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/iwlwifi/iwl-agn-sta.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
+@@ -236,6 +236,7 @@ static void iwl_sta_calc_ht_flags(struct
+ mimo_ps_mode = (sta_ht_inf->cap & IEEE80211_HT_CAP_SM_PS) >> 2;
+
+ IWL_DEBUG_INFO(priv, "STA %pM SM PS mode: %s\n",
++ sta->addr,
+ (mimo_ps_mode == WLAN_HT_CAP_SM_PS_STATIC) ?
+ "static" :
+ (mimo_ps_mode == WLAN_HT_CAP_SM_PS_DYNAMIC) ?
diff --git a/queue-3.5/mac80211-fail-authentication-when-ap-denied-authentication.patch b/queue-3.5/mac80211-fail-authentication-when-ap-denied-authentication.patch
new file mode 100644
index 00000000000..78fc1d3e5cc
--- /dev/null
+++ b/queue-3.5/mac80211-fail-authentication-when-ap-denied-authentication.patch
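Review bot: The missing `sta->addr` argument in iwl_sta_calc_ht_flags() could only go unnoticed because nothing checked the `IWL_DEBUG_INFO` arguments against its format string. With both `%pM` and `%s` in the format, the old call had the print helper treat a string pointer as a MAC address and then fetch a `%s` pointer that was never passed, i.e. a read through an arbitrary pointer in kernel context. The definition behind `IWL_DEBUG_INFO` is not on this page; if the function it expands to is not already annotated, marking it with the kernel's `__printf(...)` attribute would turn this class of mistake into a compile-time format warning.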
@@ -0,0 +1,44 @@
+From dac211ec10d268b9d09000093a9fa2ac1773894f Mon Sep 17 00:00:00 2001
+From: Eliad Peller
+Date: Sun, 13 May 2012 18:07:04 +0300
+Subject: mac80211: fail authentication when AP denied authentication
+
+From: Eliad Peller
+
+commit dac211ec10d268b9d09000093a9fa2ac1773894f upstream.
+
+ieee80211_rx_mgmt_auth() doesn't handle denied authentication
+properly - it authenticates the station and waits for association
+(for 5 seconds) instead of failing the authentication.
+
+Fix it by destroying auth_data and bailing out instead.
+
+Signed-off-by: Eliad Peller
+Acked-by: Johannes Berg
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/mlme.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1805,7 +1805,8 @@ ieee80211_rx_mgmt_auth(struct ieee80211_
+ if (status_code != WLAN_STATUS_SUCCESS) {
+ printk(KERN_DEBUG "%s: %pM denied authentication (status %d)\n",
+ sdata->name, mgmt->sa, status_code);
+- goto out;
++ ieee80211_destroy_auth_data(sdata, false);
++ return RX_MGMT_CFG80211_RX_AUTH;
+ }
+
+ switch (ifmgd->auth_data->algorithm) {
+@@ -1827,7 +1828,6 @@ ieee80211_rx_mgmt_auth(struct ieee80211_
+ }
+
+ printk(KERN_DEBUG "%s: authenticated\n", sdata->name);
+- out:
+ ifmgd->auth_data->done = true;
+ ifmgd->auth_data->timeout = jiffies + IEEE80211_AUTH_WAIT_ASSOC;
+ run_again(ifmgd, ifmgd->auth_data->timeout);
diff --git a/queue-3.5/mac80211-fix-crash-with-single-queue-drivers.patch b/queue-3.5/mac80211-fix-crash-with-single-queue-drivers.patch
new file mode 100644
index 00000000000..7d8c12d4776
--- /dev/null
+++ b/queue-3.5/mac80211-fix-crash-with-single-queue-drivers.patch
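Review bot: The denied-authentication branch in ieee80211_rx_mgmt_auth() now carries a security-relevant invariant that is not written down at the site: a non-success status must never reach the `ifmgd->auth_data->done = true` and `IEEE80211_AUTH_WAIT_ASSOC` lines further down. A comment on the new lines would make that explicit, e.g. `/* AP refused: drop auth_data now; never mark the attempt done or arm the wait-for-assoc timer */`. Because `ieee80211_destroy_auth_data()` is called here, it is also worth stating that `ifmgd->auth_data` must not be touched after this point; the immediate `return` guarantees it today, but the rest of the function lies outside these hunks and any other early exit there should be checked against the same rule.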
@@ -0,0 +1,72 @@
+From a6f38ac3cc853189705006cc1e0f17ce8467a1df Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 4 Jul 2012 12:49:59 +0200
+Subject: mac80211: fix crash with single-queue drivers
+
+From: Johannes Berg
+
+commit a6f38ac3cc853189705006cc1e0f17ce8467a1df upstream.
+
+Larry (and some others I think) reported that with
+single-queue drivers mac80211 crashes when waking
+the queues. This happens because we allocate just
+a single queue for each virtual interface in case
+the driver doesn't have at least 4 queues, but the
+code stopping/waking the virtual interface queues
+wasn't taking this into account.
+
+Reported-by: Larry Finger
+Tested-by: Larry Finger
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/util.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -268,6 +268,10 @@ EXPORT_SYMBOL(ieee80211_ctstoself_durati
+ void ieee80211_propagate_queue_wake(struct ieee80211_local *local, int queue)
+ {
+ struct ieee80211_sub_if_data *sdata;
++ int n_acs = IEEE80211_NUM_ACS;
++
++ if (local->hw.queues < IEEE80211_NUM_ACS)
++ n_acs = 1;
+
+ list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+ int ac;
+@@ -279,7 +283,7 @@ void ieee80211_propagate_queue_wake(stru
+ local->queue_stop_reasons[sdata->vif.cab_queue] != 0)
+ continue;
+
+- for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
++ for (ac = 0; ac < n_acs; ac++) {
+ int ac_queue = sdata->vif.hw_queue[ac];
+
+ if (ac_queue == queue ||
+@@ -341,6 +345,7 @@ static void __ieee80211_stop_queue(struc
+ {
+ struct ieee80211_local *local = hw_to_local(hw);
+ struct ieee80211_sub_if_data *sdata;
++ int n_acs = IEEE80211_NUM_ACS;
+
+ trace_stop_queue(local, queue, reason);
+
+@@ -352,11 +357,14 @@ static void __ieee80211_stop_queue(struc
+
+ __set_bit(reason, &local->queue_stop_reasons[queue]);
+
++ if (local->hw.queues < IEEE80211_NUM_ACS)
++ n_acs = 1;
++
+ rcu_read_lock();
+ list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+ int ac;
+
+- for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
++ for (ac = 0; ac < n_acs; ac++) {
+ if (sdata->vif.hw_queue[ac] == queue ||
+ sdata->vif.cab_queue == queue)
+ netif_stop_subqueue(sdata->dev, ac);
diff --git a/queue-3.5/mac80211-fix-read-outside-array-bounds.patch b/queue-3.5/mac80211-fix-read-outside-array-bounds.patch
new file mode 100644
index 00000000000..0508158ca3e
--- /dev/null
+++ b/queue-3.5/mac80211-fix-read-outside-array-bounds.patch
@@ -0,0 +1,31 @@
+From 353d09c6ceedc1cb0c54fe5002c0ca80b6ee6e4f Mon Sep 17 00:00:00 2001
+From: Christian Lamparter
+Date: Sat, 7 Jul 2012 15:07:13 +0200
+Subject: mac80211: fix read outside array bounds
+
+From: Christian Lamparter
+
+commit 353d09c6ceedc1cb0c54fe5002c0ca80b6ee6e4f upstream.
+
+ieee802_1d_to_ac is defined as a const int[8],
+but the tid parameter has a range from 0 to 15.
+
+Signed-off-by: Christian Lamparter
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -2733,7 +2733,7 @@ EXPORT_SYMBOL(ieee80211_get_buffered_bc)
+ void ieee80211_tx_skb_tid(struct ieee80211_sub_if_data *sdata,
+ struct sk_buff *skb, int tid)
+ {
+- int ac = ieee802_1d_to_ac[tid];
++ int ac = ieee802_1d_to_ac[tid & 7];
+
+ skb_set_mac_header(skb, 0);
+ skb_set_network_header(skb, 0);
diff --git a/queue-3.5/pm-sleep-call-early-resume-handlers-when-suspend_noirq-fails.patch b/queue-3.5/pm-sleep-call-early-resume-handlers-when-suspend_noirq-fails.patch
new file mode 100644
index 00000000000..50e1e9d04ec
--- /dev/null
+++ b/queue-3.5/pm-sleep-call-early-resume-handlers-when-suspend_noirq-fails.patch
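Review bot: The rule "fewer than `IEEE80211_NUM_ACS` hardware queues means one AC" is now open-coded twice in the single-queue patch, in ieee80211_propagate_queue_wake() and in __ieee80211_stop_queue(), separately from the allocation code the commit message refers to. If these copies ever disagree, the `ac` loops will again stop or wake netdev subqueues that were never set up for the interface, which is the crash being fixed. A small helper used at every site would keep them in step, for instance a static inline (name is a suggestion) `ieee80211_n_acs(local)` returning `local->hw.queues < IEEE80211_NUM_ACS ? 1 : IEEE80211_NUM_ACS`. Both function bodies extend beyond the hunks shown.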
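Review bot: `tid & 7` in ieee80211_tx_skb_tid() removes the out-of-bounds read, but it folds TIDs 8–15 onto the access categories of 0–7 without stating that this mapping is intended, and the bare `7` is not tied to the table size. A comment on the line would document both, e.g. `/* ieee802_1d_to_ac[] has 8 entries; only the low three TID bits select the AC */`. Other places that index `ieee802_1d_to_ac[]` with a caller-supplied TID are outside this hunk and deserve the same check, since the commit message gives the TID range as 0 to 15.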
@@ -0,0 +1,47 @@
+From 064b021fbe470ecc9ca10f9f87af48c0fc0865fb Mon Sep 17 00:00:00 2001
+From: Colin Cross
+Date: Thu, 19 Jul 2012 10:38:06 +0200
+Subject: PM / Sleep: call early resume handlers when suspend_noirq fails
+
+From: Colin Cross
+
+commit 064b021fbe470ecc9ca10f9f87af48c0fc0865fb upstream.
+
+Commit cf579dfb82550e34de7ccf3ef090d8b834ccd3a9 (PM / Sleep: Introduce
+"late suspend" and "early resume" of devices) introduced a bug where
+suspend_late handlers would be called, but if dpm_suspend_noirq returned
+an error the early_resume handlers would never be called. All devices
+would end up on the dpm_late_early_list, and would never be resumed
+again.
+
+Fix it by calling dpm_resume_early when dpm_suspend_noirq returns
+an error.
+
+Signed-off-by: Colin Cross
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/power/main.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -989,8 +989,16 @@ static int dpm_suspend_late(pm_message_t
+ int dpm_suspend_end(pm_message_t state)
+ {
+ int error = dpm_suspend_late(state);
++ if (error)
++ return error;
+
+- return error ? : dpm_suspend_noirq(state);
++ error = dpm_suspend_noirq(state);
++ if (error) {
++ dpm_resume_early(state);
++ return error;
++ }
++
++ return 0;
+ }
+ EXPORT_SYMBOL_GPL(dpm_suspend_end);
+
diff --git a/queue-3.5/pm-sleep-require-cap_block_suspend-to-use-wake_lock-wake_unlock.patch b/queue-3.5/pm-sleep-require-cap_block_suspend-to-use-wake_lock-wake_unlock.patch
new file mode 100644
index 00000000000..fed6022fc4c
--- /dev/null
+++ b/queue-3.5/pm-sleep-require-cap_block_suspend-to-use-wake_lock-wake_unlock.patch
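Review bot: In the new error path of dpm_suspend_end(), `dpm_resume_early(state)` is handed the same suspend-side `pm_message_t` the function was called with rather than the corresponding resume message. The PM core normally selects callbacks from the message's event, so passing a suspend event to a resume routine may select no callback or the wrong one and leave the devices un-resumed, which is the state this patch is meant to prevent; this is inferred from how the API is used elsewhere, as the callee is not visible here. If this file's `resume_event()` helper is present in the 3.5 tree, the call I would expect is `dpm_resume_early(resume_event(state));`.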
@@ -0,0 +1,53 @@
+From 11388c87d2abca1f01975ced28ce9eacea239104 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki"
+Date: Thu, 19 Jul 2012 00:00:58 +0200
+Subject: PM / Sleep: Require CAP_BLOCK_SUSPEND to use wake_lock/wake_unlock
+
+From: "Rafael J. Wysocki"
+
+commit 11388c87d2abca1f01975ced28ce9eacea239104 upstream.
+
+Require processes wanting to use the wake_lock/wake_unlock sysfs
+files to have the CAP_BLOCK_SUSPEND capability, which also is
+required for the eventpoll EPOLLWAKEUP flag to be effective, so that
+all interfaces related to blocking autosleep depend on the same
+capability.
+
+Signed-off-by: Rafael J. Wysocki
+Acked-by: Michael Kerrisk
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/power/wakelock.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/kernel/power/wakelock.c
++++ b/kernel/power/wakelock.c
+@@ -9,6 +9,7 @@
+ * manipulate wakelocks on Android.
+ */
+
++#include
+ #include
+ #include
+ #include
+@@ -188,6 +189,9 @@ int pm_wake_lock(const char *buf)
+ size_t len;
+ int ret = 0;
+
++ if (!capable(CAP_BLOCK_SUSPEND))
++ return -EPERM;
++
+ while (*str && !isspace(*str))
+ str++;
+
+@@ -231,6 +235,9 @@ int pm_wake_unlock(const char *buf)
+ size_t len;
+ int ret = 0;
+
++ if (!capable(CAP_BLOCK_SUSPEND))
++ return -EPERM;
++
+ len = strlen(buf);
+ if (!len)
+ return -EINVAL;
diff --git a/queue-3.5/series b/queue-3.5/series
index 38149711731..96e00af56a5 100644
--- a/queue-3.5/series
+++ b/queue-3.5/series
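Review bot: `capable(CAP_BLOCK_SUSPEND)` in pm_wake_lock() and pm_wake_unlock() is evaluated against the task performing the write, not against whoever opened the sysfs file. That is sufficient only while the wake_lock/wake_unlock attributes cannot be opened for writing by unprivileged users; their file modes are not visible on this page and should be confirmed, because a write-time check alone does not cover a descriptor that ends up being written by a more privileged process. Placing the check ahead of any parsing of `buf` is good. A one-line comment above each check would record why this capability was chosen, e.g. `/* same capability that gates EPOLLWAKEUP */`.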
@@ -38,3 +38,14 @@ x86-microcode-sanitize-per-cpu-microcode-reloading-interface.patch
 x86-mce-fix-siginfo_t-si_addr-value-for-non-recoverable-memory-faults.patch
 locks-fix-checking-of-fcntl_setlease-argument.patch
 batman-adv-fix-skb-data-assignment.patch
+ftrace-disable-function-tracing-during-suspend-resume-and-hibernation-again.patch
+pm-sleep-require-cap_block_suspend-to-use-wake_lock-wake_unlock.patch
+pm-sleep-call-early-resume-handlers-when-suspend_noirq-fails.patch
+tpm-chip-disabled-state-erronously-being-reported-as-error.patch
+tun-fix-a-crash-bug-and-a-memory-leak.patch
+mac80211-fix-crash-with-single-queue-drivers.patch
+b43-fix-crash-with-openfwwf.patch
+mac80211-fix-read-outside-array-bounds.patch
+mac80211-fail-authentication-when-ap-denied-authentication.patch
+iwlwifi-check-bss-ctx-active-before-call-mac80211.patch
+iwlwifi-fix-debug-print-in-iwl_sta_calc_ht_flags.patch
diff --git a/queue-3.5/tpm-chip-disabled-state-erronously-being-reported-as-error.patch b/queue-3.5/tpm-chip-disabled-state-erronously-being-reported-as-error.patch
new file mode 100644
index 00000000000..e3f4a22ada0
--- /dev/null
+++ b/queue-3.5/tpm-chip-disabled-state-erronously-being-reported-as-error.patch
@@ -0,0 +1,62 @@
+From 24ebe6670de3d1f0dca11c9eb372134c7ab05503 Mon Sep 17 00:00:00 2001
+From: Rajiv Andrade
+Date: Tue, 24 Apr 2012 17:38:17 -0300
+Subject: TPM: chip disabled state erronously being reported as error
+
+From: Rajiv Andrade
+
+commit 24ebe6670de3d1f0dca11c9eb372134c7ab05503 upstream.
+
+tpm_do_selftest() attempts to read a PCR in order to
+decide if one can rely on the TPM being used or not.
+The function that's used by __tpm_pcr_read() does not
+expect the TPM to be disabled or deactivated, and if so,
+reports an error.
+
+It's fine if the TPM returns this error when trying to
+use it for the first time after a power cycle, but it's
+definitely not if it already returned success for a
+previous attempt to read one of its PCRs.
+
+The tpm_do_selftest() was modified so that the driver only
+reports this return code as an error when it really is.
+
+Reported-and-tested-by: Paul Bolle
+Signed-off-by: Rajiv Andrade
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm.c
++++ b/drivers/char/tpm/tpm.c
+@@ -827,10 +827,10 @@ EXPORT_SYMBOL_GPL(tpm_pcr_extend);
+ int tpm_do_selftest(struct tpm_chip *chip)
+ {
+ int rc;
+- u8 digest[TPM_DIGEST_SIZE];
+ unsigned int loops;
+ unsigned int delay_msec = 1000;
+ unsigned long duration;
++ struct tpm_cmd_t cmd;
+
+ duration = tpm_calc_ordinal_duration(chip,
+ TPM_ORD_CONTINUE_SELFTEST);
+@@ -845,7 +845,15 @@ int tpm_do_selftest(struct tpm_chip *chi
+ return rc;
+
+ do {
+- rc = __tpm_pcr_read(chip, 0, digest);
++ /* Attempt to read a PCR value */
++ cmd.header.in = pcrread_header;
++ cmd.params.pcrread_in.pcr_idx = cpu_to_be32(0);
++ rc = tpm_transmit(chip, (u8 *) &cmd, READ_PCR_RESULT_SIZE);
++
++ if (rc < TPM_HEADER_SIZE)
++ return -EFAULT;
++
++ rc = be32_to_cpu(cmd.header.out.return_code);
+ if (rc == TPM_ERR_DISABLED || rc == TPM_ERR_DEACTIVATED) {
+ dev_info(chip->dev,
+ "TPM is disabled/deactivated (0x%X)\n", rc);
diff --git a/queue-3.5/tun-fix-a-crash-bug-and-a-memory-leak.patch b/queue-3.5/tun-fix-a-crash-bug-and-a-memory-leak.patch
new file mode 100644
index 00000000000..4124980f3a0
--- /dev/null
+++ b/queue-3.5/tun-fix-a-crash-bug-and-a-memory-leak.patch
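Review bot: In tpm_do_selftest() the new `if (rc < TPM_HEADER_SIZE) return -EFAULT;` also catches any negative value coming back from `tpm_transmit()`, so a transport failure is reported as -EFAULT and the real error code is lost; this assumes `tpm_transmit()` returns a negative errno on failure, which its use here suggests but the page does not show. Keeping the two cases apart preserves the diagnosis: `if (rc < 0) return rc;` followed by the existing length check. Note too that the early return sits inside the `do` loop, so a single short reply now ends the self-test instead of being retried; if that is intended, a comment saying so would help. The end of the loop is outside the hunk.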
@@ -0,0 +1,79 @@
+From b09e786bd1dd66418b69348cb110f3a64764626a Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Thu, 19 Jul 2012 06:13:36 +0000
+Subject: tun: fix a crash bug and a memory leak
+
+From: Mikulas Patocka
+
+commit b09e786bd1dd66418b69348cb110f3a64764626a upstream.
+
+This patch fixes a crash
+tun_chr_close -> netdev_run_todo -> tun_free_netdev -> sk_release_kernel ->
+sock_release -> iput(SOCK_INODE(sock))
+introduced by commit 1ab5ecb90cb6a3df1476e052f76a6e8f6511cb3d
+
+The problem is that this socket is embedded in struct tun_struct, it has
+no inode, iput is called on invalid inode, which modifies invalid memory
+and optionally causes a crash.
+
+sock_release also decrements sockets_in_use, this causes a bug that
+"sockets: used" field in /proc/*/net/sockstat keeps on decreasing when
+creating and closing tun devices.
+
+This patch introduces a flag SOCK_EXTERNALLY_ALLOCATED that instructs
+sock_release to not free the inode and not decrement sockets_in_use,
+fixing both memory corruption and sockets_in_use underflow.
+
+It should be backported to 3.3 an 3.4 stabke.
+
+Signed-off-by: Mikulas Patocka
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/tun.c | 3 +++
+ include/linux/net.h | 1 +
+ net/socket.c | 3 +++
+ 3 files changed, 7 insertions(+)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -358,6 +358,8 @@ static void tun_free_netdev(struct net_d
+ {
+ struct tun_struct *tun = netdev_priv(dev);
+
++ BUG_ON(!test_bit(SOCK_EXTERNALLY_ALLOCATED, &tun->socket.flags));
++
+ sk_release_kernel(tun->socket.sk);
+ }
+
+@@ -1115,6 +1117,7 @@ static int tun_set_iff(struct net *net,
+ tun->flags = flags;
+ tun->txflt.count = 0;
+ tun->vnet_hdr_sz = sizeof(struct virtio_net_hdr);
++ set_bit(SOCK_EXTERNALLY_ALLOCATED, &tun->socket.flags);
+
+ err = -ENOMEM;
+ sk = sk_alloc(&init_net, AF_UNSPEC, GFP_KERNEL, &tun_proto);
+--- a/include/linux/net.h
++++ b/include/linux/net.h
+@@ -72,6 +72,7 @@ struct net;
+ #define SOCK_NOSPACE 2
+ #define SOCK_PASSCRED 3
+ #define SOCK_PASSSEC 4
++#define SOCK_EXTERNALLY_ALLOCATED 5
+
+ #ifndef ARCH_HAS_SOCKET_TYPES
+ /**
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -522,6 +522,9 @@ void sock_release(struct socket *sock)
+ if (rcu_dereference_protected(sock->wq, 1)->fasync_list)
+ printk(KERN_ERR "sock_release: fasync list not empty!\n");
+
++ if (test_bit(SOCK_EXTERNALLY_ALLOCATED, &sock->flags))
++ return;
++
+ this_cpu_sub(sockets_in_use, 1);
+ if (!sock->file) {
+ iput(SOCK_INODE(sock));
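Review bot: `SOCK_EXTERNALLY_ALLOCATED` is added to include/linux/net.h and tested in sock_release() without a comment, although it changes the release contract for every socket that carries the bit. The reasoning is only in the commit message; a comment at the define and at the early return would state it where the next reader looks, e.g. `/* socket is embedded in another object: no inode to iput(), not counted in sockets_in_use */`. The `BUG_ON()` in tun_free_netdev() halts the machine on a teardown path; given that the alternative described in the commit message is an `iput()` on an invalid inode, failing hard may well be deliberate, and a short comment saying so would stop it being downgraded later without thought. sock_release() continues past the end of the hunk.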