From: Greg Kroah-Hartman Date: Tue, 24 Sep 2013 14:47:17 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.97~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ec13d4d9e779e1555cc49a0121683db4f6b3bc73;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: alsa-hda-add-toshiba-satellite-c870-to-msi-blacklist.patch ath9k-always-clear-ps-filter-bit-on-new-assoc.patch ath9k-avoid-accessing-mrc-registers-on-single-chain-devices.patch ath9k-fix-rx-descriptor-related-race-condition.patch brcmsmac-fix-warning-caused-by-lack-of-calls-to-dma_mapping_error.patch hid-fix-speedlink-vad-cezanne-support-for-some-devices.patch hid-pantherlord-validate-output-report-details.patch --- diff --git a/queue-3.4/alsa-hda-add-toshiba-satellite-c870-to-msi-blacklist.patch b/queue-3.4/alsa-hda-add-toshiba-satellite-c870-to-msi-blacklist.patch new file mode 100644 index 00000000000..379b6c4ca40 --- /dev/null +++ b/queue-3.4/alsa-hda-add-toshiba-satellite-c870-to-msi-blacklist.patch @@ -0,0 +1,31 @@ +From 83f72151352791836a1b9c1542614cc9bf71ac61 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 9 Sep 2013 10:20:48 +0200 +Subject: ALSA: hda - Add Toshiba Satellite C870 to MSI blacklist + +From: Takashi Iwai + +commit 83f72151352791836a1b9c1542614cc9bf71ac61 upstream. + +Toshiba Satellite C870 shows interrupt problems occasionally when +certain mixer controls like "Mic Switch" is toggled. This seems +worked around by not using MSI. + +Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=833585 +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_intel.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2602,6 +2602,7 @@ static struct snd_pci_quirk msi_black_li + SND_PCI_QUIRK(0x1043, 0x81f2, "ASUS", 0), /* Athlon64 X2 + nvidia */ + SND_PCI_QUIRK(0x1043, 0x81f6, "ASUS", 0), /* nvidia */ + SND_PCI_QUIRK(0x1043, 0x822d, "ASUS", 0), /* Athlon64 X2 + nvidia MCP55 */ ++ SND_PCI_QUIRK(0x1179, 0xfb44, "Toshiba Satellite C870", 0), /* AMD Hudson */ + SND_PCI_QUIRK(0x1849, 0x0888, "ASRock", 0), /* Athlon64 X2 + nvidia */ + SND_PCI_QUIRK(0xa0a0, 0x0575, "Aopen MZ915-M", 0), /* ICH6 */ + {} diff --git a/queue-3.4/ath9k-always-clear-ps-filter-bit-on-new-assoc.patch b/queue-3.4/ath9k-always-clear-ps-filter-bit-on-new-assoc.patch new file mode 100644 index 00000000000..70da5b449db --- /dev/null +++ b/queue-3.4/ath9k-always-clear-ps-filter-bit-on-new-assoc.patch @@ -0,0 +1,30 @@ +From 026d5b07c03458f9c0ccd19c3850564a5409c325 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Tue, 6 Aug 2013 14:18:10 +0200 +Subject: ath9k: always clear ps filter bit on new assoc + +From: Felix Fietkau + +commit 026d5b07c03458f9c0ccd19c3850564a5409c325 upstream. + +Otherwise in some cases, EAPOL frames might be filtered during the +initial handshake, causing delays and assoc failures. + +Signed-off-by: Felix Fietkau +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/xmit.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/ath/ath9k/xmit.c ++++ b/drivers/net/wireless/ath/ath9k/xmit.c +@@ -2479,6 +2479,7 @@ void ath_tx_node_init(struct ath_softc * + for (acno = 0, ac = &an->ac[acno]; + acno < WME_NUM_AC; acno++, ac++) { + ac->sched = false; ++ ac->clear_ps_filter = true; + ac->txq = sc->tx.txq_map[acno]; + INIT_LIST_HEAD(&ac->tid_q); + } diff --git a/queue-3.4/ath9k-avoid-accessing-mrc-registers-on-single-chain-devices.patch b/queue-3.4/ath9k-avoid-accessing-mrc-registers-on-single-chain-devices.patch new file mode 100644 index 00000000000..d462b4f1003 --- /dev/null +++ b/queue-3.4/ath9k-avoid-accessing-mrc-registers-on-single-chain-devices.patch @@ -0,0 +1,32 @@ +From a1c781bb20ac1e03280e420abd47a99eb8bbdd3b Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Tue, 13 Aug 2013 12:33:28 +0200 +Subject: ath9k: avoid accessing MRC registers on single-chain devices + +From: Felix Fietkau + +commit a1c781bb20ac1e03280e420abd47a99eb8bbdd3b upstream. + +They are not implemented, and accessing them might trigger errors + +Signed-off-by: Felix Fietkau +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/ar9003_phy.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/wireless/ath/ath9k/ar9003_phy.c ++++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.c +@@ -1030,6 +1030,10 @@ static bool ar9003_hw_ani_control(struct + * is_on == 0 means MRC CCK is OFF (more noise imm) + */ + bool is_on = param ? 1 : 0; ++ ++ if (ah->caps.rx_chainmask == 1) ++ break; ++ + REG_RMW_FIELD(ah, AR_PHY_MRC_CCK_CTRL, + AR_PHY_MRC_CCK_ENABLE, is_on); + REG_RMW_FIELD(ah, AR_PHY_MRC_CCK_CTRL, diff --git a/queue-3.4/ath9k-fix-rx-descriptor-related-race-condition.patch b/queue-3.4/ath9k-fix-rx-descriptor-related-race-condition.patch new file mode 100644 index 00000000000..03329a45904 --- /dev/null +++ b/queue-3.4/ath9k-fix-rx-descriptor-related-race-condition.patch @@ -0,0 +1,107 @@ +From e96542e55a2aacf4bdeccfe2f17b77c4895b4df2 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Sat, 10 Aug 2013 15:59:15 +0200 +Subject: ath9k: fix rx descriptor related race condition + +From: Felix Fietkau + +commit e96542e55a2aacf4bdeccfe2f17b77c4895b4df2 upstream. + +Similar to a race condition that exists in the tx path, the hardware +might re-read the 'next' pointer of a descriptor of the last completed +frame. This only affects non-EDMA (pre-AR93xx) devices. + +To deal with this race, defer clearing and re-linking a completed rx +descriptor until the next one has been processed. + +Signed-off-by: Felix Fietkau +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/ath9k.h | 5 +---- + drivers/net/wireless/ath/ath9k/recv.c | 17 +++++++++++++---- + 2 files changed, 14 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/ath9k.h ++++ b/drivers/net/wireless/ath/ath9k/ath9k.h +@@ -78,10 +78,6 @@ struct ath_config { + sizeof(struct ath_buf_state)); \ + } while (0) + +-#define ATH_RXBUF_RESET(_bf) do { \ +- (_bf)->bf_stale = false; \ +- } while (0) +- + /** + * enum buffer_type - Buffer type flags + * +@@ -314,6 +310,7 @@ struct ath_rx { + struct ath_buf *rx_bufptr; + struct ath_rx_edma rx_edma[ATH9K_RX_QUEUE_MAX]; + ++ struct ath_buf *buf_hold; + struct sk_buff *frag; + }; + +--- a/drivers/net/wireless/ath/ath9k/recv.c ++++ b/drivers/net/wireless/ath/ath9k/recv.c +@@ -78,8 +78,6 @@ static void ath_rx_buf_link(struct ath_s + struct ath_desc *ds; + struct sk_buff *skb; + +- ATH_RXBUF_RESET(bf); +- + ds = bf->bf_desc; + ds->ds_link = 0; /* link to null */ + ds->ds_data = bf->bf_buf_addr; +@@ -106,6 +104,14 @@ static void ath_rx_buf_link(struct ath_s + sc->rx.rxlink = &ds->ds_link; + } + ++static void ath_rx_buf_relink(struct ath_softc *sc, struct ath_buf *bf) ++{ ++ if (sc->rx.buf_hold) ++ ath_rx_buf_link(sc, sc->rx.buf_hold); ++ ++ sc->rx.buf_hold = bf; ++} ++ + static void ath_setdefantenna(struct ath_softc *sc, u32 antenna) + { + /* XXX block beacon interrupts */ +@@ -153,7 +159,6 @@ static bool ath_rx_edma_buf_link(struct + + skb = bf->bf_mpdu; + +- ATH_RXBUF_RESET(bf); + memset(skb->data, 0, ah->caps.rx_status_len); + dma_sync_single_for_device(sc->dev, bf->bf_buf_addr, + ah->caps.rx_status_len, DMA_TO_DEVICE); +@@ -485,6 +490,7 @@ int ath_startrecv(struct ath_softc *sc) + if (list_empty(&sc->rx.rxbuf)) + goto start_recv; + ++ sc->rx.buf_hold = NULL; + sc->rx.rxlink = NULL; + list_for_each_entry_safe(bf, tbf, &sc->rx.rxbuf, list) { + ath_rx_buf_link(sc, bf); +@@ -734,6 +740,9 @@ static struct ath_buf *ath_get_next_rx_b + } + + bf = list_first_entry(&sc->rx.rxbuf, struct ath_buf, list); ++ if (bf == sc->rx.buf_hold) ++ return NULL; ++ + ds = bf->bf_desc; + + /* +@@ -1974,7 +1983,7 @@ requeue: + if (edma) { + ath_rx_edma_buf_link(sc, qtype); + } else { +- ath_rx_buf_link(sc, bf); ++ ath_rx_buf_relink(sc, bf); + ath9k_hw_rxena(ah); + } + } while (1); diff --git a/queue-3.4/brcmsmac-fix-warning-caused-by-lack-of-calls-to-dma_mapping_error.patch b/queue-3.4/brcmsmac-fix-warning-caused-by-lack-of-calls-to-dma_mapping_error.patch new file mode 100644 index 00000000000..d041b4c84bb --- /dev/null +++ b/queue-3.4/brcmsmac-fix-warning-caused-by-lack-of-calls-to-dma_mapping_error.patch @@ -0,0 +1,103 @@ +From 67d0cf50bd32b66eab709871714e55725ee30ce4 Mon Sep 17 00:00:00 2001 +From: "John W. Linville" +Date: Fri, 9 Aug 2013 13:36:21 -0400 +Subject: brcmsmac: Fix WARNING caused by lack of calls to dma_mapping_error() + +From: "John W. Linville" + +commit 67d0cf50bd32b66eab709871714e55725ee30ce4 upstream. + +The driver fails to check the results of DMA mapping in twp places, +which results in the following warning: + +[ 28.078515] ------------[ cut here ]------------ +[ 28.078529] WARNING: at lib/dma-debug.c:937 check_unmap+0x47e/0x930() +[ 28.078533] bcma-pci-bridge 0000:0e:00.0: DMA-API: device driver failed to check map error[device address=0x00000000b5d60d6c] [size=1876 bytes] [mapped as + single] +[ 28.078536] Modules linked in: bnep bluetooth vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) ipv6 b43 brcmsmac rtl8192cu rtl8192c_common rtlwifi mac802 +11 brcmutil cfg80211 snd_hda_codec_conexant rng_core snd_hda_intel kvm_amd snd_hda_codec ssb kvm mmc_core snd_pcm snd_seq snd_timer snd_seq_device snd k8temp + cordic joydev serio_raw hwmon sr_mod sg pcmcia pcmcia_core soundcore cdrom i2c_nforce2 i2c_core forcedeth bcma snd_page_alloc autofs4 ext4 jbd2 mbcache crc1 +6 scsi_dh_alua scsi_dh_hp_sw scsi_dh_rdac scsi_dh_emc scsi_dh ata_generic pata_amd +[ 28.078602] CPU: 1 PID: 2570 Comm: NetworkManager Tainted: G O 3.10.0-rc7-wl+ #42 +[ 28.078605] Hardware name: Hewlett-Packard HP Pavilion dv2700 Notebook PC/30D6, BIOS F.27 11/27/2008 +[ 28.078607] 0000000000000009 ffff8800bbb03ad8 ffffffff8144f898 ffff8800bbb03b18 +[ 28.078612] ffffffff8103e1eb 0000000000000002 ffff8800b719f480 ffff8800b7b9c010 +[ 28.078617] ffffffff824204c0 ffffffff81754d57 0000000000000754 ffff8800bbb03b78 +[ 28.078622] Call Trace: +[ 28.078624] [] dump_stack+0x19/0x1b +[ 28.078634] [] warn_slowpath_common+0x6b/0xa0 +[ 28.078638] [] warn_slowpath_fmt+0x41/0x50 +[ 28.078650] [] check_unmap+0x47e/0x930 +[ 28.078655] [] debug_dma_unmap_page+0x5c/0x70 +[ 28.078679] [] dma64_getnextrxp+0x10c/0x190 [brcmsmac] +[ 28.078691] [] dma_rx+0x62/0x240 [brcmsmac] +[ 28.078707] [] brcms_c_dpc+0x211/0x9d0 [brcmsmac] +[ 28.078717] [] ? brcms_dpc+0x27/0xf0 [brcmsmac] +[ 28.078731] [] brcms_dpc+0x47/0xf0 [brcmsmac] +[ 28.078736] [] tasklet_action+0x6c/0xf0 +--snip-- +[ 28.078974] [] SyS_sendmsg+0xd/0x20 +[ 28.078979] [] tracesys+0xdd/0xe2 +[ 28.078982] ---[ end trace 6164d1a08148e9c8 ]--- +[ 28.078984] Mapped at: +[ 28.078985] [] debug_dma_map_page+0x9d/0x150 +[ 28.078989] [] dma_rxfill+0x102/0x3d0 [brcmsmac] +[ 28.079001] [] brcms_c_init+0x87d/0x1100 [brcmsmac] +[ 28.079010] [] brcms_init+0x21/0x30 [brcmsmac] +[ 28.079018] [] brcms_c_up+0x150/0x430 [brcmsmac] + +As the patch adds a new failure mechanism to dma_rxfill(). When I changed the +comment at the start of the routine to add that information, I also polished +the wording. + +Signed-off-by: Larry Finger +Cc: Brett Rudley +Cc: Franky (Zhenhui) Lin +Cc: Hante Meuleman +Cc: brcm80211-dev-list@broadcom.com +Acked-by: Arend van Spriel +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/brcm80211/brcmsmac/dma.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/brcm80211/brcmsmac/dma.c ++++ b/drivers/net/wireless/brcm80211/brcmsmac/dma.c +@@ -1013,9 +1013,10 @@ static bool dma64_rxidle(struct dma_info + + /* + * post receive buffers +- * return false is refill failed completely and ring is empty this will stall +- * the rx dma and user might want to call rxfill again asap. This unlikely +- * happens on memory-rich NIC, but often on memory-constrained dongle ++ * Return false if refill failed completely or dma mapping failed. The ring ++ * is empty, which will stall the rx dma and user might want to call rxfill ++ * again asap. This is unlikely to happen on a memory-rich NIC, but often on ++ * memory-constrained dongle. + */ + bool dma_rxfill(struct dma_pub *pub) + { +@@ -1074,6 +1075,8 @@ bool dma_rxfill(struct dma_pub *pub) + + pa = dma_map_single(di->dmadev, p->data, di->rxbufsize, + DMA_FROM_DEVICE); ++ if (dma_mapping_error(di->dmadev, pa)) ++ return false; + + /* save the free packet pointer */ + di->rxp[rxout] = p; +@@ -1294,7 +1297,11 @@ int dma_txfast(struct dma_pub *pub, stru + + /* get physical address of buffer start */ + pa = dma_map_single(di->dmadev, data, len, DMA_TO_DEVICE); +- ++ /* if mapping failed, free skb */ ++ if (dma_mapping_error(di->dmadev, pa)) { ++ brcmu_pkt_buf_free_skb(p); ++ return; ++ } + /* With a DMA segment list, Descriptor table is filled + * using the segment list instead of looping over + * buffers in multi-chain DMA. Therefore, EOF for SGLIST diff --git a/queue-3.4/hid-fix-speedlink-vad-cezanne-support-for-some-devices.patch b/queue-3.4/hid-fix-speedlink-vad-cezanne-support-for-some-devices.patch new file mode 100644 index 00000000000..eac05fe5e3a --- /dev/null +++ b/queue-3.4/hid-fix-speedlink-vad-cezanne-support-for-some-devices.patch @@ -0,0 +1,52 @@ +From 06bb5219118fb098f4b0c7dcb484b28a52bf1c14 Mon Sep 17 00:00:00 2001 +From: Stefan Kriwanek +Date: Sun, 25 Aug 2013 10:46:13 +0200 +Subject: HID: Fix Speedlink VAD Cezanne support for some devices + +From: Stefan Kriwanek + +commit 06bb5219118fb098f4b0c7dcb484b28a52bf1c14 upstream. + +Some devices of the "Speedlink VAD Cezanne" model need more aggressive fixing +than already done. + +I made sure through testing that this patch would not interfere with the proper +working of a device that is bug-free. (The driver drops EV_REL events with +abs(val) >= 256, which are not achievable even on the highest laser resolution +hardware setting.) + +Signed-off-by: Stefan Kriwanek +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-speedlink.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/hid/hid-speedlink.c ++++ b/drivers/hid/hid-speedlink.c +@@ -3,7 +3,7 @@ + * Fixes "jumpy" cursor and removes nonexistent keyboard LEDS from + * the HID descriptor. + * +- * Copyright (c) 2011 Stefan Kriwanek ++ * Copyright (c) 2011, 2013 Stefan Kriwanek + */ + + /* +@@ -48,8 +48,13 @@ static int speedlink_event(struct hid_de + struct hid_usage *usage, __s32 value) + { + /* No other conditions due to usage_table. */ +- /* Fix "jumpy" cursor (invalid events sent by device). */ +- if (value == 256) ++ ++ /* This fixes the "jumpy" cursor occuring due to invalid events sent ++ * by the device. Some devices only send them with value==+256, others ++ * don't. However, catching abs(value)>=256 is restrictive enough not ++ * to interfere with devices that were bug-free (has been tested). ++ */ ++ if (abs(value) >= 256) + return 1; + /* Drop useless distance 0 events (on button clicks etc.) as well */ + if (value == 0) diff --git a/queue-3.4/hid-pantherlord-validate-output-report-details.patch b/queue-3.4/hid-pantherlord-validate-output-report-details.patch new file mode 100644 index 00000000000..36114e62f22 --- /dev/null +++ b/queue-3.4/hid-pantherlord-validate-output-report-details.patch @@ -0,0 +1,46 @@ +From 412f30105ec6735224535791eed5cdc02888ecb4 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 28 Aug 2013 22:30:49 +0200 +Subject: HID: pantherlord: validate output report details + +From: Kees Cook + +commit 412f30105ec6735224535791eed5cdc02888ecb4 upstream. + +A HID device could send a malicious output report that would cause the +pantherlord HID driver to write beyond the output report allocation +during initialization, causing a heap overflow: + +[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 +... +[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + +CVE-2013-2892 + +Signed-off-by: Kees Cook +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-pl.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hid-pl.c ++++ b/drivers/hid/hid-pl.c +@@ -129,8 +129,14 @@ static int plff_init(struct hid_device * + strong = &report->field[0]->value[2]; + weak = &report->field[0]->value[3]; + debug("detected single-field device"); +- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 && +- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) { ++ } else if (report->field[0]->maxusage == 1 && ++ report->field[0]->usage[0].hid == ++ (HID_UP_LED | 0x43) && ++ report->maxfield >= 4 && ++ report->field[0]->report_count >= 1 && ++ report->field[1]->report_count >= 1 && ++ report->field[2]->report_count >= 1 && ++ report->field[3]->report_count >= 1) { + report->field[0]->value[0] = 0x00; + report->field[1]->value[0] = 0x00; + strong = &report->field[2]->value[0]; diff --git a/queue-3.4/series b/queue-3.4/series index 66d9d279974..4dd1a7b1a7a 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -14,3 +14,10 @@ usb-cdc-wdm-fix-race-between-interrupt-handler-and-tasklet.patch usb-config-desc.blength-may-not-exceed-amount-of-data-returned-by-the-device.patch rculist-list_first_or_null_rcu-should-use-list_entry_rcu.patch asoc-wm8960-fix-pll-register-writes.patch +alsa-hda-add-toshiba-satellite-c870-to-msi-blacklist.patch +brcmsmac-fix-warning-caused-by-lack-of-calls-to-dma_mapping_error.patch +ath9k-always-clear-ps-filter-bit-on-new-assoc.patch +ath9k-fix-rx-descriptor-related-race-condition.patch +ath9k-avoid-accessing-mrc-registers-on-single-chain-devices.patch +hid-pantherlord-validate-output-report-details.patch +hid-fix-speedlink-vad-cezanne-support-for-some-devices.patch