From: Greg Kroah-Hartman Date: Sun, 1 Dec 2013 20:29:34 +0000 (-0800) Subject: 3.4-stable patches X-Git-Tag: v3.4.72~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=98aadc283cc9be8f727492038c064462046d763b;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: audit-fix-info-leak-in-audit_get-requests.patch audit-printk-user_avc-messages-when-audit-isn-t-enabled.patch audit-use-nlmsg_len-to-get-message-payload-length.patch avr32-fix-out-of-range-jump-in-large-kernels.patch avr32-setup-crt-for-early-panic.patch ftrace-fix-function-graph-with-loading-of-modules.patch mwifiex-correct-packet-length-for-packets-from-sdio-interface.patch pci-remove-duplicate-pci_disable_device-from-pcie_portdrv_remove.patch prism54-set-netdev-type-to-wlan.patch selinux-correct-locking-in-selinux_netlbl_socket_connect.patch
---
diff --git a/queue-3.4/audit-fix-info-leak-in-audit_get-requests.patch b/queue-3.4/audit-fix-info-leak-in-audit_get-requests.patch
new file mode 100644
index 00000000000..d4d843e748c
--- /dev/null
+++ b/queue-3.4/audit-fix-info-leak-in-audit_get-requests.patch
@@ -0,0 +1,33 @@
+From 64fbff9ae0a0a843365d922e0057fc785f23f0e3 Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Mon, 30 Sep 2013 22:04:24 +0200
+Subject: audit: fix info leak in AUDIT_GET requests
+
+From: Mathias Krause
+
+commit 64fbff9ae0a0a843365d922e0057fc785f23f0e3 upstream.
+
+We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
+we miss to initialize the mask member of status_set. Fix that.
+
+Cc: Al Viro
+Cc: Eric Paris
+Signed-off-by: Mathias Krause
+Signed-off-by: Richard Guy Briggs
+Signed-off-by: Eric Paris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/audit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -684,6 +684,7 @@ static int audit_receive_msg(struct sk_b
+
+ switch (msg_type) {
+ case AUDIT_GET:
++ status_set.mask = 0;
+ status_set.enabled = audit_enabled;
+ status_set.failure = audit_failure;
+ status_set.pid = audit_pid;
diff --git a/queue-3.4/audit-printk-user_avc-messages-when-audit-isn-t-enabled.patch b/queue-3.4/audit-printk-user_avc-messages-when-audit-isn-t-enabled.patch
new file mode 100644
index 00000000000..fc36e49ccb5
--- /dev/null
+++ b/queue-3.4/audit-printk-user_avc-messages-when-audit-isn-t-enabled.patch
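Review bot: Zeroing only `status_set.mask` in the `AUDIT_GET` case keeps the fix dependent on every member being assigned by hand before the struct is sent back with `sizeof(status_set)` (the send is visible as context in the nlmsg_len() patch further down this page). Clearing the whole object first, `memset(&status_set, 0, sizeof(status_set));`, would cover `mask`, any padding, and any member added later, and would make the per-field `mask = 0` unnecessary. The declaration of `status_set` and the remaining assignments are outside this hunk, so whether other bytes are still uninitialised cannot be confirmed from here.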
@@ -0,0 +1,48 @@
+From 0868a5e150bc4c47e7a003367cd755811eb41e0b Mon Sep 17 00:00:00 2001
+From: Tyler Hicks
+Date: Thu, 25 Jul 2013 18:02:55 -0700
+Subject: audit: printk USER_AVC messages when audit isn't enabled
+
+From: Tyler Hicks
+
+commit 0868a5e150bc4c47e7a003367cd755811eb41e0b upstream.
+
+When the audit=1 kernel parameter is absent and auditd is not running,
+AUDIT_USER_AVC messages are being silently discarded.
+
+AUDIT_USER_AVC messages should be sent to userspace using printk(), as
+mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the
+audit-disabled case for discarding user messages").
+
+When audit_enabled is 0, audit_receive_msg() discards all user messages
+except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
+refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
+special case AUDIT_USER_AVC messages in both functions.
+
+It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()")
+introduced this bug.
+
+Signed-off-by: Tyler Hicks
+Cc: Al Viro
+Cc: Eric Paris
+Cc: linux-audit@redhat.com
+Acked-by: Kees Cook
+Signed-off-by: Richard Guy Briggs
+Signed-off-by: Eric Paris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/audit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -625,7 +625,7 @@ static int audit_log_common_recv_msg(str
+ char *ctx = NULL;
+ u32 len;
+
+- if (!audit_enabled) {
++ if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
+ *ab = NULL;
+ return rc;
+ }
diff --git a/queue-3.4/audit-use-nlmsg_len-to-get-message-payload-length.patch b/queue-3.4/audit-use-nlmsg_len-to-get-message-payload-length.patch
new file mode 100644
index 00000000000..526823d303d
--- /dev/null
+++ b/queue-3.4/audit-use-nlmsg_len-to-get-message-payload-length.patch
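Review bot: The new `msg_type != AUDIT_USER_AVC` exception in `audit_log_common_recv_msg()` carries no comment, and per the description it has to stay in step with the matching exception in `audit_receive_msg()`, which is outside this hunk. A comment above the test such as `/* USER_AVC is still logged (via printk) with audit disabled; keep in sync with audit_receive_msg() */` would stop a later cleanup from reintroducing the silent drop. With this change a buffer is allocated for that message type even when auditing is off, so the sender permission check, which is not visible here, is presumably what bounds that path and is worth confirming when backporting.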
@@ -0,0 +1,41 @@
+From 4d8fe7376a12bf4524783dd95cbc00f1fece6232 Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Mon, 30 Sep 2013 22:04:25 +0200
+Subject: audit: use nlmsg_len() to get message payload length
+
+From: Mathias Krause
+
+commit 4d8fe7376a12bf4524783dd95cbc00f1fece6232 upstream.
+
+Using the nlmsg_len member of the netlink header to test if the message
+is valid is wrong as it includes the size of the netlink header itself.
+Thereby allowing to send short netlink messages that pass those checks.
+
+Use nlmsg_len() instead to test for the right message length. The result
+of nlmsg_len() is guaranteed to be non-negative as the netlink message
+already passed the checks of nlmsg_ok().
+
+Also switch to min_t() to please checkpatch.pl.
+
+Cc: Al Viro
+Cc: Eric Paris
+Signed-off-by: Mathias Krause
+Signed-off-by: Richard Guy Briggs
+Signed-off-by: Eric Paris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/audit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -695,7 +695,7 @@ static int audit_receive_msg(struct sk_b
+ &status_set, sizeof(status_set));
+ break;
+ case AUDIT_SET:
+- if (nlh->nlmsg_len < sizeof(struct audit_status))
++ if (nlmsg_len(nlh) < sizeof(struct audit_status))
+ return -EINVAL;
+ status_get = (struct audit_status *)data;
+ if (status_get->mask & AUDIT_STATUS_ENABLED) {
diff --git a/queue-3.4/avr32-fix-out-of-range-jump-in-large-kernels.patch b/queue-3.4/avr32-fix-out-of-range-jump-in-large-kernels.patch
new file mode 100644
index 00000000000..701b829d365
--- /dev/null
+++ b/queue-3.4/avr32-fix-out-of-range-jump-in-large-kernels.patch
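Review bot: Only the `AUDIT_SET` length check is converted in this backport, although the description speaks of "those checks" and of a switch to `min_t()` that does not appear in this one-line hunk. Any other payload check in `audit_receive_msg()` that still compares `nlh->nlmsg_len` with a structure size would keep accepting short messages, so the rest of the function, which is outside this hunk, should be audited for the 3.4 tree. The comparison also mixes the `int` returned by `nlmsg_len()` with a `size_t`; it is safe only because of the `nlmsg_ok()` guarantee the description cites, which deserves a comment at the check, e.g. `/* nlmsg_len() >= 0 here: message already passed nlmsg_ok() */`.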
@@ -0,0 +1,65 @@ +From d617b338bbfdd77e9cbd8e7dc949cee3dd73d575 Mon Sep 17 00:00:00 2001 +From: Andreas Bießmann +Date: Thu, 24 Oct 2013 12:31:04 +0200 +Subject: avr32: fix out-of-range jump in large kernels + +From: Andreas Bießmann + +commit d617b338bbfdd77e9cbd8e7dc949cee3dd73d575 upstream. + +This patch fixes following error (for big kernels): + +---8<--- +arch/avr32/boot/u-boot/head.o: In function `no_tag_table': +(.init.text+0x44): relocation truncated to fit: R_AVR32_22H_PCREL against symbol `panic' defined in .text.unlikely section in kernel/built-in.o +arch/avr32/kernel/built-in.o: In function `bad_return': +(.ex.text+0x236): relocation truncated to fit: R_AVR32_22H_PCREL against symbol `panic' defined in .text.unlikely section in kernel/built-in.o +--->8--- + +It comes up when the kernel increases and 'panic()' is too far away to fit in +the +/- 2MiB range. Which in turn issues from the 21-bit displacement in +'br{cond4}' mnemonic which is one of the two ways to do jumps (rjmp has just +10-bit displacement and therefore a way smaller range). This fact was stated +before in 8d29b7b9f81d6b83d869ff054e6c189d6da73f1f. +One solution to solve this is to add a local storage for the symbol address +and just load the $pc with that value. + +Signed-off-by: Andreas Bießmann +Acked-by: Hans-Christian Egtvedt +Cc: Haavard Skinnemoen +Signed-off-by: Greg Kroah-Hartman + +--- + arch/avr32/boot/u-boot/head.S | 5 ++++- + arch/avr32/kernel/entry-avr32b.S | 3 ++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/avr32/boot/u-boot/head.S ++++ b/arch/avr32/boot/u-boot/head.S +@@ -73,8 +73,11 @@ init_sr: + .long 0x007f0000 /* Supervisor mode, everything masked */ + stack_addr: + .long init_thread_union ++panic_addr: ++ .long panic + + no_tag_table: + sub r12, pc, (. 
- 2f) +- bral panic ++ /* branch to panic() which can be far away with that construct */ ++ lddpc pc, panic_addr + 2: .asciz "Boot loader didn't provide correct magic number\n" +--- a/arch/avr32/kernel/entry-avr32b.S ++++ b/arch/avr32/kernel/entry-avr32b.S +@@ -399,9 +399,10 @@ handle_critical: + /* We should never get here... */ + bad_return: + sub r12, pc, (. - 1f) +- bral panic ++ lddpc pc, 2f + .align 2 + 1: .asciz "Return from critical exception!" ++2: .long panic + + .align 1 + do_bus_error_write: diff --git a/queue-3.4/avr32-setup-crt-for-early-panic.patch b/queue-3.4/avr32-setup-crt-for-early-panic.patch new file mode 100644 index 00000000000..4b2a0bee72c --- /dev/null +++ b/queue-3.4/avr32-setup-crt-for-early-panic.patch 
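Review bot: In `bad_return` (entry-avr32b.S) the new literal `2: .long panic` sits directly after the `.asciz` string, so its alignment depends on the length of that string, while `lddpc` loads a word relative to the word-aligned PC and needs the literal word-aligned. The current message appears to end on a word boundary, but any edit to its text would misalign the pointer; adding `.align 2` before `2: .long panic` removes that dependency. In head.S the `panic_addr` literal follows other `.long` entries and does not have this problem. The entry-avr32b.S hunk also lacks the explanatory comment that the head.S hunk puts above its `lddpc pc, panic_addr`.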
@@ -0,0 +1,121 @@
+From 7a2a74f4b856993218aa7cdeeb6c3103101340db Mon Sep 17 00:00:00 2001
+From: Andreas Bießmann
+Date: Thu, 24 Oct 2013 12:31:03 +0200
+Subject: avr32: setup crt for early panic()
+
+From: Andreas Bießmann
+
+commit 7a2a74f4b856993218aa7cdeeb6c3103101340db upstream.
+
+Before the CRT was (fully) set up in kernel_entry (bss cleared before in
+_start, but also not before jump to panic() in no_tag_table case).
+
+This patch fixes this up to have a fully working CRT when branching to panic()
+in no_tag_table.
+
+Signed-off-by: Andreas Bießmann
+Acked-by: Hans-Christian Egtvedt
+Cc: Haavard Skinnemoen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/avr32/boot/u-boot/head.S | 30 +++++++++++++++++++++++++-----
+ arch/avr32/kernel/head.S | 20 --------------------
+ 2 files changed, 25 insertions(+), 25 deletions(-)
+
+--- a/arch/avr32/boot/u-boot/head.S
++++ b/arch/avr32/boot/u-boot/head.S
+@@ -8,6 +8,8 @@
+ * published by the Free Software Foundation.
+ */
+ #include
++#include
++#include
+
+ /*
+ * The kernel is loaded where we want it to be and all caches
+@@ -20,11 +22,6 @@
+ .section .init.text,"ax"
+ .global _start
+ _start:
+- /* Check if the boot loader actually provided a tag table */
+- lddpc r0, magic_number
+- cp.w r12, r0
+- brne no_tag_table
+-
+ /* Initialize .bss */
+ lddpc r2, bss_start_addr
+ lddpc r3, end_addr
+@@ -34,6 +31,25 @@ _start:
+ cp r2, r3
+ brlo 1b
+
++ /* Initialize status register */
++ lddpc r0, init_sr
++ mtsr SYSREG_SR, r0
++
++ /* Set initial stack pointer */
++ lddpc sp, stack_addr
++ sub sp, -THREAD_SIZE
++
++#ifdef CONFIG_FRAME_POINTER
++ /* Mark last stack frame */
++ mov lr, 0
++ mov r7, 0
++#endif
++
++ /* Check if the boot loader actually provided a tag table */
++ lddpc r0, magic_number
++ cp.w r12, r0
++ brne no_tag_table
++
+ /*
+ * Save the tag table address for later use. This must be done
+ * _after_ .bss has been initialized...
+@@ -53,6 +69,10 @@ bss_start_addr:
+ .long __bss_start
+ end_addr:
+ .long _end
++init_sr:
++ .long 0x007f0000 /* Supervisor mode, everything masked */
++stack_addr:
++ .long init_thread_union
+
+ no_tag_table:
+ sub r12, pc, (. - 2f)
+--- a/arch/avr32/kernel/head.S
++++ b/arch/avr32/kernel/head.S
+@@ -10,33 +10,13 @@
+ #include
+
+ #include
+-#include
+-#include
+
+ .section .init.text,"ax"
+ .global kernel_entry
+ kernel_entry:
+- /* Initialize status register */
+- lddpc r0, init_sr
+- mtsr SYSREG_SR, r0
+-
+- /* Set initial stack pointer */
+- lddpc sp, stack_addr
+- sub sp, -THREAD_SIZE
+-
+-#ifdef CONFIG_FRAME_POINTER
+- /* Mark last stack frame */
+- mov lr, 0
+- mov r7, 0
+-#endif
+-
+ /* Start the show */
+ lddpc pc, kernel_start_addr
+
+ .align 2
+-init_sr:
+- .long 0x007f0000 /* Supervisor mode, everything masked */
+-stack_addr:
+- .long init_thread_union
+ kernel_start_addr:
+ .long start_kernel
diff --git a/queue-3.4/ftrace-fix-function-graph-with-loading-of-modules.patch b/queue-3.4/ftrace-fix-function-graph-with-loading-of-modules.patch
new file mode 100644
index 00000000000..7f0f782263d
--- /dev/null
+++ b/queue-3.4/ftrace-fix-function-graph-with-loading-of-modules.patch
@@ -0,0 +1,244 @@ +From 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Mon, 25 Nov 2013 20:59:46 -0500 +Subject: ftrace: Fix function graph with loading of modules + +From: "Steven Rostedt (Red Hat)" + +commit 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 upstream. + +Commit 8c4f3c3fa9681 "ftrace: Check module functions being traced on reload" +fixed module loading and unloading with respect to function tracing, but +it missed the function graph tracer. If you perform the following + + # cd /sys/kernel/debug/tracing + # echo function_graph > current_tracer + # modprobe nfsd + # echo nop > current_tracer + +You'll get the following oops message: + + ------------[ cut here ]------------ + WARNING: CPU: 2 PID: 2910 at /linux.git/kernel/trace/ftrace.c:1640 __ftrace_hash_rec_update.part.35+0x168/0x1b9() + Modules linked in: nfsd exportfs nfs_acl lockd ipt_MASQUERADE sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables uinput snd_hda_codec_idt + CPU: 2 PID: 2910 Comm: bash Not tainted 3.13.0-rc1-test #7 + Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M., BIOS SDBLI944.86P 05/08/2007 + 0000000000000668 ffff8800787efcf8 ffffffff814fe193 ffff88007d500000 + 0000000000000000 ffff8800787efd38 ffffffff8103b80a 0000000000000668 + ffffffff810b2b9a ffffffff81a48370 0000000000000001 ffff880037aea000 + Call Trace: + [] dump_stack+0x4f/0x7c + [] warn_slowpath_common+0x81/0x9b + [] ? __ftrace_hash_rec_update.part.35+0x168/0x1b9 + [] warn_slowpath_null+0x1a/0x1c + [] __ftrace_hash_rec_update.part.35+0x168/0x1b9 + [] ? __mutex_lock_slowpath+0x364/0x364 + [] ftrace_shutdown+0xd7/0x12b + [] unregister_ftrace_graph+0x49/0x78 + [] graph_trace_reset+0xe/0x10 + [] tracing_set_tracer+0xa7/0x26a + [] tracing_set_trace_write+0x8b/0xbd + [] ? ftrace_return_to_handler+0xb2/0xde + [] ? 
__sb_end_write+0x5e/0x5e + [] vfs_write+0xab/0xf6 + [] ftrace_graph_caller+0x85/0x85 + [] SyS_write+0x59/0x82 + [] ftrace_graph_caller+0x85/0x85 + [] system_call_fastpath+0x16/0x1b + ---[ end trace 940358030751eafb ]--- + +The above mentioned commit didn't go far enough. Well, it covered the +function tracer by adding checks in __register_ftrace_function(). The +problem is that the function graph tracer circumvents that (for a slight +efficiency gain when function graph trace is running with a function +tracer. The gain was not worth this). + +The problem came with ftrace_startup() which should always be called after +__register_ftrace_function(), if you want this bug to be completely fixed. + +Anyway, this solution moves __register_ftrace_function() inside of +ftrace_startup() and removes the need to call them both. + +Reported-by: Dave Wysochanski +Fixes: ed926f9b35cd ("ftrace: Use counters to enable functions to trace") +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 64 +++++++++++++++++++++++++++----------------------- + 1 file changed, 35 insertions(+), 29 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -312,9 +312,6 @@ static int remove_ftrace_list_ops(struct + + static int __register_ftrace_function(struct ftrace_ops *ops) + { +- if (ftrace_disabled) +- return -ENODEV; +- + if (FTRACE_WARN_ON(ops == &global_ops)) + return -EINVAL; + +@@ -348,9 +345,6 @@ static int __unregister_ftrace_function( + { + int ret; + +- if (ftrace_disabled) +- return -ENODEV; +- + if (WARN_ON(!(ops->flags & FTRACE_OPS_FL_ENABLED))) + return -EBUSY; + +@@ -1940,10 +1934,15 @@ static void ftrace_startup_enable(int co + static int ftrace_startup(struct ftrace_ops *ops, int command) + { + bool hash_enable = true; ++ int ret; + + if (unlikely(ftrace_disabled)) + return -ENODEV; + ++ ret = __register_ftrace_function(ops); ++ if (ret) ++ return ret; ++ + ftrace_start_up++; + command |= FTRACE_UPDATE_CALLS; + 
+@@ -1965,12 +1964,17 @@ static int ftrace_startup(struct ftrace_ + return 0; + } + +-static void ftrace_shutdown(struct ftrace_ops *ops, int command) ++static int ftrace_shutdown(struct ftrace_ops *ops, int command) + { + bool hash_disable = true; ++ int ret; + + if (unlikely(ftrace_disabled)) +- return; ++ return -ENODEV; ++ ++ ret = __unregister_ftrace_function(ops); ++ if (ret) ++ return ret; + + ftrace_start_up--; + /* +@@ -2005,9 +2009,10 @@ static void ftrace_shutdown(struct ftrac + } + + if (!command || !ftrace_enabled) +- return; ++ return 0; + + ftrace_run_update_code(command); ++ return 0; + } + + static void ftrace_startup_sysctl(void) +@@ -2873,16 +2878,13 @@ static void __enable_ftrace_function_pro + if (i == FTRACE_FUNC_HASHSIZE) + return; + +- ret = __register_ftrace_function(&trace_probe_ops); +- if (!ret) +- ret = ftrace_startup(&trace_probe_ops, 0); ++ ret = ftrace_startup(&trace_probe_ops, 0); + + ftrace_probe_registered = 1; + } + + static void __disable_ftrace_function_probe(void) + { +- int ret; + int i; + + if (!ftrace_probe_registered) +@@ -2895,9 +2897,7 @@ static void __disable_ftrace_function_pr + } + + /* no more funcs left */ +- ret = __unregister_ftrace_function(&trace_probe_ops); +- if (!ret) +- ftrace_shutdown(&trace_probe_ops, 0); ++ ftrace_shutdown(&trace_probe_ops, 0); + + ftrace_probe_registered = 0; + } +@@ -3948,12 +3948,15 @@ device_initcall(ftrace_nodyn_init); + static inline int ftrace_init_dyn_debugfs(struct dentry *d_tracer) { return 0; } + static inline void ftrace_startup_enable(int command) { } + /* Keep as macros so we do not need to define the commands */ +-# define ftrace_startup(ops, command) \ +- ({ \ +- (ops)->flags |= FTRACE_OPS_FL_ENABLED; \ +- 0; \ ++# define ftrace_startup(ops, command) \ ++ ({ \ ++ int ___ret = __register_ftrace_function(ops); \ ++ if (!___ret) \ ++ (ops)->flags |= FTRACE_OPS_FL_ENABLED; \ ++ ___ret; \ + }) +-# define ftrace_shutdown(ops, command) do { } while (0) ++# define 
ftrace_shutdown(ops, command) __unregister_ftrace_function(ops) ++ + # define ftrace_startup_sysctl() do { } while (0) + # define ftrace_shutdown_sysctl() do { } while (0) + +@@ -4326,9 +4329,7 @@ int register_ftrace_function(struct ftra + if (unlikely(ftrace_disabled)) + goto out_unlock; + +- ret = __register_ftrace_function(ops); +- if (!ret) +- ret = ftrace_startup(ops, 0); ++ ret = ftrace_startup(ops, 0); + + + out_unlock: +@@ -4348,9 +4349,7 @@ int unregister_ftrace_function(struct ft + int ret; + + mutex_lock(&ftrace_lock); +- ret = __unregister_ftrace_function(ops); +- if (!ret) +- ftrace_shutdown(ops, 0); ++ ret = ftrace_shutdown(ops, 0); + mutex_unlock(&ftrace_lock); + + return ret; +@@ -4544,6 +4543,13 @@ ftrace_suspend_notifier_call(struct noti + return NOTIFY_DONE; + } + ++/* Just a place holder for function graph */ ++static struct ftrace_ops fgraph_ops __read_mostly = { ++ .func = ftrace_stub, ++ .flags = FTRACE_OPS_FL_STUB | FTRACE_OPS_FL_GLOBAL | ++ FTRACE_OPS_FL_RECURSION_SAFE, ++}; ++ + int register_ftrace_graph(trace_func_graph_ret_t retfunc, + trace_func_graph_ent_t entryfunc) + { +@@ -4570,7 +4576,7 @@ int register_ftrace_graph(trace_func_gra + ftrace_graph_return = retfunc; + ftrace_graph_entry = entryfunc; + +- ret = ftrace_startup(&global_ops, FTRACE_START_FUNC_RET); ++ ret = ftrace_startup(&fgraph_ops, FTRACE_START_FUNC_RET); + + out: + mutex_unlock(&ftrace_lock); +@@ -4587,7 +4593,7 @@ void unregister_ftrace_graph(void) + ftrace_graph_active--; + ftrace_graph_return = (trace_func_graph_ret_t)ftrace_stub; + ftrace_graph_entry = ftrace_graph_entry_stub; +- ftrace_shutdown(&global_ops, FTRACE_STOP_FUNC_RET); ++ ftrace_shutdown(&fgraph_ops, FTRACE_STOP_FUNC_RET); + unregister_pm_notifier(&ftrace_suspend_notifier); + unregister_trace_sched_switch(ftrace_graph_probe_sched_switch, NULL); + 
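Review bot: In `__enable_ftrace_function_probe()` the result of `ftrace_startup(&trace_probe_ops, 0)` is stored in `ret` and then ignored, and `ftrace_probe_registered = 1` is set unconditionally. Now that `ftrace_startup()` also performs the registration, a failure there leaves the flag claiming the probe ops are registered, and a later `__disable_ftrace_function_probe()` would call `ftrace_shutdown()` on ops that never were. Setting the flag only on success, `if (!ret) ftrace_probe_registered = 1;`, keeps the two in step. The new `int` result of `ftrace_shutdown()` is likewise dropped in `__disable_ftrace_function_probe()` and `unregister_ftrace_graph()`, so a failed unregister goes unnoticed there. All of these functions begin or end outside the hunks shown.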
diff --git a/queue-3.4/mwifiex-correct-packet-length-for-packets-from-sdio-interface.patch b/queue-3.4/mwifiex-correct-packet-length-for-packets-from-sdio-interface.patch
new file mode 100644
index 00000000000..527e46d0b26
--- /dev/null
+++ b/queue-3.4/mwifiex-correct-packet-length-for-packets-from-sdio-interface.patch
@@ -0,0 +1,35 @@
+From d03b4aa77e1187b77dfe37d14a923547f00baa66 Mon Sep 17 00:00:00 2001
+From: Avinash Patil
+Date: Tue, 5 Nov 2013 15:01:44 -0800
+Subject: mwifiex: correct packet length for packets from SDIO interface
+
+From: Avinash Patil
+
+commit d03b4aa77e1187b77dfe37d14a923547f00baa66 upstream.
+
+While receiving a packet on SDIO interface, we allocate skb with
+size multiple of SDIO block size. We need to resize this skb
+after RX using packet length from RX header.
+
+Signed-off-by: Avinash Patil
+Signed-off-by: Bing Zhao
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/mwifiex/sdio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/mwifiex/sdio.c
++++ b/drivers/net/wireless/mwifiex/sdio.c
+@@ -938,7 +938,10 @@ static int mwifiex_decode_rx_packet(stru
+ struct sk_buff *skb, u32 upld_typ)
+ {
+ u8 *cmd_buf;
++ __le16 *curr_ptr = (__le16 *)skb->data;
++ u16 pkt_len = le16_to_cpu(*curr_ptr);
+
++ skb_trim(skb, pkt_len);
+ skb_pull(skb, INTF_HEADER_LEN);
+
+ switch (upld_typ) {
diff --git a/queue-3.4/pci-remove-duplicate-pci_disable_device-from-pcie_portdrv_remove.patch b/queue-3.4/pci-remove-duplicate-pci_disable_device-from-pcie_portdrv_remove.patch
new file mode 100644
index 00000000000..53d98f47933
--- /dev/null
+++ b/queue-3.4/pci-remove-duplicate-pci_disable_device-from-pcie_portdrv_remove.patch
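Review bot: `pkt_len` in `mwifiex_decode_rx_packet()` is read from the first two bytes of the received buffer and passed straight to `skb_trim()` without being checked against `INTF_HEADER_LEN` or `skb->len`. A device-supplied length smaller than the interface header makes the following `skb_pull(skb, INTF_HEADER_LEN)` fail, its return value is not checked, and the `switch` then parses a buffer whose header was never removed; a length larger than `skb->len` is silently ignored by `skb_trim()`. A guard before the trim such as `if (pkt_len < INTF_HEADER_LEN || pkt_len > skb->len) return -1;` would reject malformed headers, with the error value and skb ownership matched to the function's existing failure paths. The rest of the function and its callers are outside the hunk, so an earlier validation cannot be ruled out from here.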
@@ -0,0 +1,42 @@
+From e7cc5cf74544d97d7b69e2701595037474db1f96 Mon Sep 17 00:00:00 2001
+From: Yinghai Lu
+Date: Mon, 18 Nov 2013 17:02:45 -0700
+Subject: PCI: Remove duplicate pci_disable_device() from pcie_portdrv_remove()
+
+From: Yinghai Lu
+
+commit e7cc5cf74544d97d7b69e2701595037474db1f96 upstream.
+
+The pcie_portdrv .probe() method calls pci_enable_device() once, in
+pcie_port_device_register(), but the .remove() method calls
+pci_disable_device() twice, in pcie_port_device_remove() and in
+pcie_portdrv_remove().
+
+That causes a "disabling already-disabled device" warning when removing a
+PCIe port device. This happens all the time when removing Thunderbolt
+devices, but is also easy to reproduce with, e.g.,
+"echo 0000:00:1c.3 > /sys/bus/pci/drivers/pcieport/unbind"
+
+This patch removes the disable from pcie_portdrv_remove().
+
+[bhelgaas: changelog, tag for stable]
+Reported-by: David Bulkow
+Reported-by: Mika Westerberg
+Signed-off-by: Yinghai Lu
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/pcie/portdrv_pci.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/pci/pcie/portdrv_pci.c
++++ b/drivers/pci/pcie/portdrv_pci.c
+@@ -151,7 +151,6 @@ static int __devinit pcie_portdrv_probe(
+ static void pcie_portdrv_remove(struct pci_dev *dev)
+ {
+ pcie_port_device_remove(dev);
+- pci_disable_device(dev);
+ }
+
+ static int error_detected_iter(struct device *device, void *data)
diff --git a/queue-3.4/prism54-set-netdev-type-to-wlan.patch b/queue-3.4/prism54-set-netdev-type-to-wlan.patch
new file mode 100644
index 00000000000..2c4c6b7d8ab
--- /dev/null
+++ b/queue-3.4/prism54-set-netdev-type-to-wlan.patch
@@ -0,0 +1,45 @@
+From 8e3ffa471091c560deb6738ed9ab7445b7a5fd04 Mon Sep 17 00:00:00 2001
+From: Dan Williams
+Date: Fri, 8 Nov 2013 13:39:44 -0600
+Subject: prism54: set netdev type to "wlan"
+
+From: Dan Williams
+
+commit 8e3ffa471091c560deb6738ed9ab7445b7a5fd04 upstream.
+
+Userspace uses the netdev devtype for stuff like device naming and type
+detection. Be nice and set it. Remove the pointless #if/#endif around
+SET_NETDEV_DEV too.
+
+Signed-off-by: Dan Williams
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/prism54/islpci_dev.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/prism54/islpci_dev.c
++++ b/drivers/net/wireless/prism54/islpci_dev.c
+@@ -811,6 +811,10 @@ static const struct net_device_ops islpc
+ .ndo_validate_addr = eth_validate_addr,
+ };
+
++static struct device_type wlan_type = {
++ .name = "wlan",
++};
++
+ struct net_device *
+ islpci_setup(struct pci_dev *pdev)
+ {
+@@ -821,9 +825,8 @@ islpci_setup(struct pci_dev *pdev)
+ return ndev;
+
+ pci_set_drvdata(pdev, ndev);
+-#if defined(SET_NETDEV_DEV)
+ SET_NETDEV_DEV(ndev, &pdev->dev);
+-#endif
++ SET_NETDEV_DEVTYPE(ndev, &wlan_type);
+
+ /* setup the structure members */
+ ndev->base_addr = pci_resource_start(pdev, 0);
diff --git a/queue-3.4/selinux-correct-locking-in-selinux_netlbl_socket_connect.patch b/queue-3.4/selinux-correct-locking-in-selinux_netlbl_socket_connect.patch
new file mode 100644
index 00000000000..9f2d7cd10a5
--- /dev/null
+++ b/queue-3.4/selinux-correct-locking-in-selinux_netlbl_socket_connect.patch
@@ -0,0 +1,78 @@ +From 42d64e1add3a1ce8a787116036163b8724362145 Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Thu, 26 Sep 2013 17:00:46 -0400 +Subject: selinux: correct locking in selinux_netlbl_socket_connect) + +From: Paul Moore + +commit 42d64e1add3a1ce8a787116036163b8724362145 upstream. + +The SELinux/NetLabel glue code has a locking bug that affects systems +with NetLabel enabled, see the kernel error message below. This patch +corrects this problem by converting the bottom half socket lock to a +more conventional, and correct for this call-path, lock_sock() call. + + =============================== + [ INFO: suspicious RCU usage. ] + 3.11.0-rc3+ #19 Not tainted + ------------------------------- + net/ipv4/cipso_ipv4.c:1928 suspicious rcu_dereference_protected() usage! + + other info that might help us debug this: + + rcu_scheduler_active = 1, debug_locks = 0 + 2 locks held by ping/731: + #0: (slock-AF_INET/1){+.-...}, at: [...] selinux_netlbl_socket_connect + #1: (rcu_read_lock){.+.+..}, at: [<...>] netlbl_conn_setattr + + stack backtrace: + CPU: 1 PID: 731 Comm: ping Not tainted 3.11.0-rc3+ #19 + Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 + 0000000000000001 ffff88006f659d28 ffffffff81726b6a ffff88003732c500 + ffff88006f659d58 ffffffff810e4457 ffff88006b845a00 0000000000000000 + 000000000000000c ffff880075aa2f50 ffff88006f659d90 ffffffff8169bec7 + Call Trace: + [] dump_stack+0x54/0x74 + [] lockdep_rcu_suspicious+0xe7/0x120 + [] cipso_v4_sock_setattr+0x187/0x1a0 + [] netlbl_conn_setattr+0x187/0x190 + [] ? netlbl_conn_setattr+0x5/0x190 + [] selinux_netlbl_socket_connect+0xae/0xc0 + [] selinux_socket_connect+0x135/0x170 + [] ? might_fault+0x57/0xb0 + [] security_socket_connect+0x16/0x20 + [] SYSC_connect+0x73/0x130 + [] ? sysret_check+0x22/0x5d + [] ? trace_hardirqs_on_caller+0xfd/0x1c0 + [] ? 
trace_hardirqs_on_thunk+0x3a/0x3f + [] SyS_connect+0xe/0x10 + [] system_call_fastpath+0x16/0x1b + +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/netlabel.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/security/selinux/netlabel.c ++++ b/security/selinux/netlabel.c +@@ -442,8 +442,7 @@ int selinux_netlbl_socket_connect(struct + sksec->nlbl_state != NLBL_CONNLABELED) + return 0; + +- local_bh_disable(); +- bh_lock_sock_nested(sk); ++ lock_sock(sk); + + /* connected sockets are allowed to disconnect when the address family + * is set to AF_UNSPEC, if that is what is happening we want to reset +@@ -464,7 +463,6 @@ int selinux_netlbl_socket_connect(struct + sksec->nlbl_state = NLBL_CONNLABELED; + + socket_connect_return: +- bh_unlock_sock(sk); +- local_bh_enable(); ++ release_sock(sk); + return rc; + } diff --git a/queue-3.4/series b/queue-3.4/series index b81892968b7..360e3171150 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -32,3 +32,13 @@ qeth-avoid-buffer-overflow-in-snmp-ioctl.patch rt2400pci-fix-rssi-read.patch dm-allocate-buffer-for-messages-with-small-number-of-arguments-using-gfp_noio.patch pm-hibernate-avoid-overflow-in-hibernate_preallocate_memory.patch +mwifiex-correct-packet-length-for-packets-from-sdio-interface.patch +audit-printk-user_avc-messages-when-audit-isn-t-enabled.patch +audit-use-nlmsg_len-to-get-message-payload-length.patch +audit-fix-info-leak-in-audit_get-requests.patch +pci-remove-duplicate-pci_disable_device-from-pcie_portdrv_remove.patch +selinux-correct-locking-in-selinux_netlbl_socket_connect.patch +avr32-setup-crt-for-early-panic.patch +avr32-fix-out-of-range-jump-in-large-kernels.patch +prism54-set-netdev-type-to-wlan.patch +ftrace-fix-function-graph-with-loading-of-modules.patch
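Review bot: `lock_sock()` in the netlabel.c hunk can sleep, whereas the `local_bh_disable()`/`bh_lock_sock_nested()` pair it replaces could not, so `selinux_netlbl_socket_connect()` is now valid only from process context. The description states this is correct for the call path, but nothing in the code records it; a comment above the lock such as `/* process context only: lock_sock() may sleep */` would document the constraint for future callers. The function's callers are outside this hunk, so that every path into it is sleepable is taken from the description rather than verified here.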