From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 5 Nov 2012 13:34:26 +0000 (+0100)
Subject: 3.4-stable patches
X-Git-Tag: v3.0.52~48
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d05380ef5dc45c095755a43e26acd46821b6ef1a;p=thirdparty%2Fkernel%2Fstable-queue.git

3.4-stable patches

added patches:
	ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch
	ath9k-test-for-tid-only-in-blockacks-while-checking-tx-status.patch
	input-tsc40-remove-wrong-announcement-of-pressure-support.patch
---

diff --git a/queue-3.4/ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch b/queue-3.4/ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch
new file mode 100644
index 00000000000..8e78131746b
--- /dev/null
+++ b/queue-3.4/ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch
@@ -0,0 +1,43 @@
+From 8c6e30936a7893a85f6222084f0f26aceb81137a Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Fri, 26 Oct 2012 00:31:11 +0200
+Subject: ath9k: fix stale pointers potentially causing access to free'd skbs
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit 8c6e30936a7893a85f6222084f0f26aceb81137a upstream.
+
+bf->bf_next is only while buffers are chained as part of an A-MPDU
+in the tx queue. When a tid queue is flushed (e.g. on tearing down
+an aggregation session), frames can be enqueued again as normal
+transmission, without bf_next being cleared. This can lead to the
+old pointer being dereferenced again later.
+
+This patch might fix crashes and "Failed to stop TX DMA!" messages.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/xmit.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/xmit.c
++++ b/drivers/net/wireless/ath/ath9k/xmit.c
+@@ -337,6 +337,7 @@ static struct ath_buf *ath_tx_get_buffer
+ 	}
+ 
+ 	bf = list_first_entry(&sc->tx.txbuf, struct ath_buf, list);
++	bf->bf_next = NULL;
+ 	list_del(&bf->list);
+ 
+ 	spin_unlock_bh(&sc->tx.txbuflock);
+@@ -1760,6 +1761,7 @@ static void ath_tx_send_normal(struct at
+ 	list_add_tail(&bf->list, &bf_head);
+ 	bf->bf_state.bf_type = 0;
+ 
++	bf->bf_next = NULL;
+ 	bf->bf_lastbf = bf;
+ 	ath_tx_fill_desc(sc, bf, txq, fi->framelen);
+ 	ath_tx_txqaddbuf(sc, txq, &bf_head, false);
diff --git a/queue-3.4/ath9k-test-for-tid-only-in-blockacks-while-checking-tx-status.patch b/queue-3.4/ath9k-test-for-tid-only-in-blockacks-while-checking-tx-status.patch
new file mode 100644
index 00000000000..da8fdc1260c
--- /dev/null
+++ b/queue-3.4/ath9k-test-for-tid-only-in-blockacks-while-checking-tx-status.patch
@@ -0,0 +1,65 @@
+From 6fe7cc71bbf3a0bc28c9cec3c00bc11e81344412 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Mon, 29 Oct 2012 13:25:20 +0100
+Subject: ath9k: Test for TID only in BlockAcks while checking tx status
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 6fe7cc71bbf3a0bc28c9cec3c00bc11e81344412 upstream.
+
+The ath9k xmit functions for AMPDUs can send frames as non-aggregate in case
+only one frame is currently available. The client will then answer using a
+normal Ack instead of a BlockAck. This acknowledgement has no TID stored and
+therefore the hardware is not able to provide us the corresponding TID.
+
+The TID set by the hardware in the tx status descriptor has to be seen as
+undefined and not as a valid TID value for normal acknowledgements. Doing
+otherwise results in a massive amount of retransmissions and stalls of
+connections.
+
+Users may experience low bandwidth and complete connection stalls in
+environments with transfers using multiple TIDs.
+
+This regression was introduced in b11b160defc48e4daa283f785192ea3a23a51f8e
+("ath9k: validate the TID in the tx status information").
+
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
+Acked-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/xmit.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/xmit.c
++++ b/drivers/net/wireless/ath/ath9k/xmit.c
+@@ -419,7 +419,7 @@ static void ath_tx_complete_aggr(struct
+ 	u16 seq_st = 0, acked_cnt = 0, txfail_cnt = 0, seq_first;
+ 	u32 ba[WME_BA_BMP_SIZE >> 5];
+ 	int isaggr, txfail, txpending, sendbar = 0, needreset = 0, nbad = 0;
+-	bool rc_update = true;
++	bool rc_update = true, isba;
+ 	struct ieee80211_tx_rate rates[4];
+ 	struct ath_frame_info *fi;
+ 	int nframes;
+@@ -463,13 +463,17 @@ static void ath_tx_complete_aggr(struct
+ 	tidno = ieee80211_get_qos_ctl(hdr)[0] & IEEE80211_QOS_CTL_TID_MASK;
+ 	tid = ATH_AN_2_TID(an, tidno);
+ 	seq_first = tid->seq_start;
++	isba = ts->ts_flags & ATH9K_TX_BA;
+ 
+ 	/*
+ 	 * The hardware occasionally sends a tx status for the wrong TID.
+ 	 * In this case, the BA status cannot be considered valid and all
+ 	 * subframes need to be retransmitted
++	 *
++	 * Only BlockAcks have a TID and therefore normal Acks cannot be
++	 * checked
+ 	 */
+-	if (tidno != ts->tid)
++	if (isba && tidno != ts->tid)
+ 		txok = false;
+ 
+ 	isaggr = bf_isaggr(bf);
diff --git a/queue-3.4/input-tsc40-remove-wrong-announcement-of-pressure-support.patch b/queue-3.4/input-tsc40-remove-wrong-announcement-of-pressure-support.patch
new file mode 100644
index 00000000000..4f08e428ea9
--- /dev/null
+++ b/queue-3.4/input-tsc40-remove-wrong-announcement-of-pressure-support.patch
@@ -0,0 +1,33 @@
+From 32ed1911fc79908d704023317d4ddeb3883fd07e Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer <eike-kernel@sf-tec.de>
+Date: Tue, 30 Oct 2012 23:39:10 -0700
+Subject: Input: tsc40 - remove wrong announcement of pressure support
+
+From: Rolf Eike Beer <eike-kernel@sf-tec.de>
+
+commit 32ed1911fc79908d704023317d4ddeb3883fd07e upstream.
+
+The tsc40 driver announces it supports the pressure event, but will never
+send one. The announcement will cause tslib to wait for such events and
+sending all touch events with a pressure of 0. Removing the announcement
+will make tslib fall back to emulating the pressure on touch events so
+everything works as expected.
+
+Signed-off-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/tsc40.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/input/touchscreen/tsc40.c
++++ b/drivers/input/touchscreen/tsc40.c
+@@ -107,7 +107,6 @@ static int tsc_connect(struct serio *ser
+ 	__set_bit(BTN_TOUCH, input_dev->keybit);
+ 	input_set_abs_params(ptsc->dev, ABS_X, 0, 0x3ff, 0, 0);
+ 	input_set_abs_params(ptsc->dev, ABS_Y, 0, 0x3ff, 0, 0);
+-	input_set_abs_params(ptsc->dev, ABS_PRESSURE, 0, 0, 0, 0);
+ 
+ 	serio_set_drvdata(serio, ptsc);
+ 
diff --git a/queue-3.4/series b/queue-3.4/series
index 7801ed1dbc8..462ec612a99 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -1,2 +1,5 @@
 xen-gntdev-don-t-leak-memory-from-ioctl_gntdev_map_grant_ref.patch
 xen-mmu-use-xen-specific-tlb-flush-instead-of-the-generic-one.patch
+input-tsc40-remove-wrong-announcement-of-pressure-support.patch
+ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch
+ath9k-test-for-tid-only-in-blockacks-while-checking-tx-status.patch