From: Greg Kroah-Hartman Date: Mon, 6 Jan 2014 19:18:01 +0000 (-0800) Subject: 3.4-stable patches X-Git-Tag: v3.4.76~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c0485654e2e1c3017d5a40a5784e13bc3c6df820;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: radiotap-fix-bitmap-end-finding-buffer-overrun.patch rtlwifi-pci-fix-oops-on-driver-unload.patch
---
diff --git a/queue-3.4/radiotap-fix-bitmap-end-finding-buffer-overrun.patch b/queue-3.4/radiotap-fix-bitmap-end-finding-buffer-overrun.patch
new file mode 100644
index 00000000000..de508d24f00
--- /dev/null
+++ b/queue-3.4/radiotap-fix-bitmap-end-finding-buffer-overrun.patch
@@ -0,0 +1,35 @@
+From bd02cd2549cfcdfc57cb5ce57ffc3feb94f70575 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Mon, 16 Dec 2013 12:04:36 +0100
+Subject: radiotap: fix bitmap-end-finding buffer overrun
+
+From: Johannes Berg
+
+commit bd02cd2549cfcdfc57cb5ce57ffc3feb94f70575 upstream.
+
+Evan Huus found (by fuzzing in wireshark) that the radiotap
+iterator code can access beyond the length of the buffer if
+the first bitmap claims an extension but then there's no
+data at all. Fix this.
+
+Reported-by: Evan Huus
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/radiotap.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/wireless/radiotap.c
++++ b/net/wireless/radiotap.c
+@@ -122,6 +122,10 @@ int ieee80211_radiotap_iterator_init(
+ /* find payload start allowing for extended bitmap(s) */
+
+ if (iterator->_bitmap_shifter & (1<_arg -
++ (unsigned long)iterator->_rtheader + sizeof(uint32_t) >
++ (unsigned long)iterator->_max_length)
++ return -EINVAL;
+ while (get_unaligned_le32(iterator->_arg) &
+ (1 << IEEE80211_RADIOTAP_EXT)) {
+ iterator->_arg += sizeof(uint32_t);
diff --git a/queue-3.4/rtlwifi-pci-fix-oops-on-driver-unload.patch b/queue-3.4/rtlwifi-pci-fix-oops-on-driver-unload.patch
new file mode 100644
index 00000000000..a860ec349ce
--- /dev/null
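Review bot: The added length check ahead of the `while (get_unaligned_le32(iterator->_arg) & ...` loop in ieee80211_radiotap_iterator_init() has no comment, although it is what keeps the first extended-bitmap read inside the buffer when the header claims an extension it does not contain. A one-line comment above the `if`, such as `/* the first extension word must lie within _max_length before it is read */`, would record why the guard exists. The guard only covers the word read on the first pass of the loop; the loop advances `_arg` by `sizeof(uint32_t)` and its body continues past the end of the hunk, so whether each further word is re-checked before the next `get_unaligned_le32()` cannot be confirmed from these lines and is worth verifying in the 3.4 tree this backport applies to.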
+++ b/queue-3.4/rtlwifi-pci-fix-oops-on-driver-unload.patch
@@ -0,0 +1,47 @@
+From 9278db6279e28d4d433bc8a848e10b4ece8793ed Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Wed, 11 Dec 2013 17:13:10 -0600
+Subject: rtlwifi: pci: Fix oops on driver unload
+
+From: Larry Finger
+
+commit 9278db6279e28d4d433bc8a848e10b4ece8793ed upstream.
+
+On Fedora systems, unloading rtl8192ce causes an oops. This patch fixes the
+problem reported at https://bugzilla.redhat.com/show_bug.cgi?id=852761.
+
+Signed-off-by: Larry Finger
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/rtlwifi/pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rtlwifi/pci.c
++++ b/drivers/net/wireless/rtlwifi/pci.c
+@@ -678,6 +678,8 @@ static void _rtl_pci_rx_interrupt(struct
+ };
+ int index = rtlpci->rx_ring[rx_queue_idx].idx;
+
++ if (rtlpci->driver_is_goingto_unload)
++ return;
+ /*RX NORMAL PKT */
+ while (count--) {
+ /*rx descriptor */
+@@ -1553,6 +1555,7 @@ static void rtl_pci_stop(struct ieee8021
+ */
+ set_hal_stop(rtlhal);
+
++ rtlpci->driver_is_goingto_unload = true;
+ rtlpriv->cfg->ops->disable_interrupt(hw);
+ cancel_work_sync(&rtlpriv->works.lps_leave_work);
+
+@@ -1570,7 +1573,6 @@ static void rtl_pci_stop(struct ieee8021
+ ppsc->rfchange_inprogress = true;
+ spin_unlock_irqrestore(&rtlpriv->locks.rf_ps_lock, flags);
+
+- rtlpci->driver_is_goingto_unload = true;
+ rtlpriv->cfg->ops->hw_disable(hw);
+ /* some things are not needed if firmware not available */
+ if (!rtlpriv->max_fw_size)
diff --git a/queue-3.4/series b/queue-3.4/series
index 4367b758849..ebe6de19823 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
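Review bot: Setting `rtlpci->driver_is_goingto_unload = true;` ahead of `disable_interrupt(hw)` in rtl_pci_stop() only turns away RX handlers that start after the store. Nothing in the visible lines waits for a `_rtl_pci_rx_interrupt()` call that has already passed the new `if (rtlpci->driver_is_goingto_unload) return;` test and is inside the `while (count--)` loop. The flag is written and read as a plain field, with no lock or barrier in either hunk, so it is worth confirming that the teardown further down rtl_pci_stop() synchronises with the interrupt path and that the flag is cleared again when the interface is restarted; both functions continue outside the hunks. A short comment on the early return, for example `/* teardown has begun: leave the RX ring alone */`, would also make the intent clear.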
@@ -28,3 +28,5 @@ powerpc-fix-bad-stack-check-in-exception-entry.patch
 powerpc-align-p_end.patch
 cpupower-fix-segfault-due-to-incorrect-getopt_long-arugments.patch
 libata-add-ata_horkage_broken_fpdma_aa-quirk-for-seagate-momentus-spinpoint-m8.patch
+radiotap-fix-bitmap-end-finding-buffer-overrun.patch
+rtlwifi-pci-fix-oops-on-driver-unload.patch