From: Greg Kroah-Hartman Date: Fri, 16 Aug 2013 20:21:51 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.92~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f51ad26e69bcf429ef40127901a13da7b491f6c0;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: can-pcan_usb-fix-wrong-memcpy-bytes-length.patch genetlink-fix-family-dump-race.patch iwl4965-reset-firmware-after-rfkill-off.patch iwl4965-set-power-mode-early.patch
---
diff --git a/queue-3.4/can-pcan_usb-fix-wrong-memcpy-bytes-length.patch b/queue-3.4/can-pcan_usb-fix-wrong-memcpy-bytes-length.patch
new file mode 100644
index 00000000000..65a021933c6
--- /dev/null
+++ b/queue-3.4/can-pcan_usb-fix-wrong-memcpy-bytes-length.patch
@@ -0,0 +1,35 @@
+From 3c322a56b01695df15c70bfdc2d02e0ccd80654e Mon Sep 17 00:00:00 2001
+From: Stephane Grosjean
+Date: Fri, 9 Aug 2013 11:44:06 +0200
+Subject: can: pcan_usb: fix wrong memcpy() bytes length
+
+From: Stephane Grosjean
+
+commit 3c322a56b01695df15c70bfdc2d02e0ccd80654e upstream.
+
+Fix possibly wrong memcpy() bytes length since some CAN records received from
+PCAN-USB could define a DLC field in range [9..15].
+In that case, the real DLC value MUST be used to move forward the record pointer
+but, only 8 bytes max. MUST be copied into the data field of the struct
+can_frame object of the skb given to the network core.
+
+Signed-off-by: Stephane Grosjean
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb.c
+@@ -649,7 +649,7 @@ static int pcan_usb_decode_data(struct p
+ if ((mc->ptr + rec_len) > mc->end)
+ goto decode_failed;
+
+- memcpy(cf->data, mc->ptr, rec_len);
++ memcpy(cf->data, mc->ptr, cf->can_dlc);
+ mc->ptr += rec_len;
+ }
+
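Review bot: The new `memcpy(cf->data, mc->ptr, cf->can_dlc)` is only as safe as the value stored in `cf->can_dlc`, and the hunk does not show where that field is set. Per the commit message the device can report a DLC of 9..15, and the old code used that device-supplied `rec_len` as the copy length into a data field that holds 8 bytes at most. The fix therefore holds only if `can_dlc` is clamped to 8 earlier in pcan_usb_decode_data(), presumably via `get_can_dlc(rec_len)`; that should be confirmed, since the function starts above the hunk. A comment at the copy would keep the two lengths from being merged again, for example `/* rec_len is the on-wire DLC (may be 9..15); copy at most can_dlc bytes */`.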
diff --git a/queue-3.4/genetlink-fix-family-dump-race.patch b/queue-3.4/genetlink-fix-family-dump-race.patch
new file mode 100644
index 00000000000..e5bb356b775
--- /dev/null
+++ b/queue-3.4/genetlink-fix-family-dump-race.patch
@@ -0,0 +1,54 @@
+From 58ad436fcf49810aa006016107f494c9ac9013db Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Tue, 13 Aug 2013 09:04:05 +0200
+Subject: genetlink: fix family dump race
+
+From: Johannes Berg
+
+commit 58ad436fcf49810aa006016107f494c9ac9013db upstream.
+
+When dumping generic netlink families, only the first dump call
+is locked with genl_lock(), which protects the list of families,
+and thus subsequent calls can access the data without locking,
+racing against family addition/removal. This can cause a crash.
+Fix it - the locking needs to be conditional because the first
+time around it's already locked.
+
+A similar bug was reported to me on an old kernel (3.4.47) but
+the exact scenario that happened there is no longer possible,
+on those kernels the first round wasn't locked either. Looking
+at the current code I found the race described above, which had
+also existed on the old kernel.
+
+Reported-by: Andrei Otcheretianski
+Signed-off-by: Johannes Berg
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netlink/genetlink.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/netlink/genetlink.c
++++ b/net/netlink/genetlink.c
+@@ -744,6 +744,10 @@ static int ctrl_dumpfamily(struct sk_buf
+ struct net *net = sock_net(skb->sk);
+ int chains_to_skip = cb->args[0];
+ int fams_to_skip = cb->args[1];
++ bool need_locking = chains_to_skip || fams_to_skip;
++
++ if (need_locking)
++ genl_lock();
+
+ for (i = chains_to_skip; i < GENL_FAM_TAB_SIZE; i++) {
+ n = 0;
+@@ -765,6 +769,9 @@ errout:
+ cb->args[0] = i;
+ cb->args[1] = n;
+
++ if (need_locking)
++ genl_unlock();
++
+ return skb->len;
+ }
+
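Review bot: `need_locking` in ctrl_dumpfamily() infers whether the caller already holds genl_lock() from the resume offsets in `cb->args`, and nothing at the declaration records that assumption. A continuation call that arrives with both offsets still zero would be treated as the first call and walk the family list unlocked. Whether that can occur depends on the dump driver code outside this hunk, so it is worth confirming. I would add a comment above the declaration such as `/* first dump call is made with genl_lock() held; continuation calls are not */`. The function body continues outside both inner hunks.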
diff --git a/queue-3.4/iwl4965-reset-firmware-after-rfkill-off.patch b/queue-3.4/iwl4965-reset-firmware-after-rfkill-off.patch
new file mode 100644
index 00000000000..39eef42f45f
--- /dev/null
+++ b/queue-3.4/iwl4965-reset-firmware-after-rfkill-off.patch
@@ -0,0 +1,56 @@
+From 788f7a56fce1bcb2067b62b851a086fca48a0056 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka
+Date: Thu, 1 Aug 2013 12:07:55 +0200
+Subject: iwl4965: reset firmware after rfkill off
+
+From: Stanislaw Gruszka
+
+commit 788f7a56fce1bcb2067b62b851a086fca48a0056 upstream.
+
+Using rfkill switch can make firmware unstable, what cause various
+Microcode errors and kernel warnings. Reseting firmware just after
+rfkill off (radio on) helped with that.
+
+Resolve:
+https://bugzilla.redhat.com/show_bug.cgi?id=977053
+
+Reported-and-tested-by: Justin Pearce
+Signed-off-by: Stanislaw Gruszka
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/iwlegacy/4965-mac.c | 10 +++++-----
+ drivers/net/wireless/iwlegacy/common.c | 1 +
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/iwlegacy/4965-mac.c
++++ b/drivers/net/wireless/iwlegacy/4965-mac.c
+@@ -4411,12 +4411,12 @@ il4965_irq_tasklet(struct il_priv *il)
+ * is killed. Hence update the killswitch state here. The
+ * rfkill handler will care about restarting if needed.
+ */
+- if (!test_bit(S_ALIVE, &il->status)) {
+- if (hw_rf_kill)
+- set_bit(S_RFKILL, &il->status);
+- else
+- clear_bit(S_RFKILL, &il->status);
++ if (hw_rf_kill) {
++ set_bit(S_RFKILL, &il->status);
++ } else {
++ clear_bit(S_RFKILL, &il->status);
+ wiphy_rfkill_set_hw_state(il->hw->wiphy, hw_rf_kill);
++ il_force_reset(il, true);
+ }
+
+ handled |= CSR_INT_BIT_RF_KILL;
+--- a/drivers/net/wireless/iwlegacy/common.c
++++ b/drivers/net/wireless/iwlegacy/common.c
+@@ -4659,6 +4659,7 @@ il_force_reset(struct il_priv *il, bool
+
+ return 0;
+ }
++EXPORT_SYMBOL(il_force_reset);
+
+ int
+ il_mac_change_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
diff --git a/queue-3.4/iwl4965-set-power-mode-early.patch b/queue-3.4/iwl4965-set-power-mode-early.patch
new file mode 100644
index 00000000000..d2c8a75c8be
--- /dev/null
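Review bot: After this change `wiphy_rfkill_set_hw_state(il->hw->wiphy, hw_rf_kill)` in il4965_irq_tasklet() sits inside the new `else` branch, so it runs only when the kill switch is released and the wireless stack is no longer told when the switch is engaged. The removed code made that call for both states (under the `S_ALIVE` test); moving the call after the closing brace of the if/else would restore the notification in both directions. Separately, the result of `il_force_reset(il, true)` is discarded, although the context lines in common.c show the function returning a value, so a failed reset from this path goes unreported. The tasklet body starts and ends outside the hunk.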
+++ b/queue-3.4/iwl4965-set-power-mode-early.patch
@@ -0,0 +1,43 @@
+From eca396d7a5bdcc1fd67b1b12f737c213ac78a6f4 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka
+Date: Thu, 1 Aug 2013 12:07:13 +0200
+Subject: iwl4965: set power mode early
+
+From: Stanislaw Gruszka
+
+commit eca396d7a5bdcc1fd67b1b12f737c213ac78a6f4 upstream.
+
+If device was put into a sleep and system was restarted or module
+reloaded, we have to wake device up before sending other commands.
+Otherwise it will fail to start with Microcode error.
+
+Signed-off-by: Stanislaw Gruszka
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/iwlegacy/4965-mac.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/iwlegacy/4965-mac.c
++++ b/drivers/net/wireless/iwlegacy/4965-mac.c
+@@ -5285,6 +5285,9 @@ il4965_alive_start(struct il_priv *il)
+
+ il->active_rate = RATES_MASK;
+
++ il_power_update_mode(il, true);
++ D_INFO("Updated power mode\n");
++
+ if (il_is_associated(il)) {
+ struct il_rxon_cmd *active_rxon =
+ (struct il_rxon_cmd *)&il->active;
+@@ -5315,9 +5318,6 @@ il4965_alive_start(struct il_priv *il)
+ D_INFO("ALIVE processing complete.\n");
+ wake_up(&il->wait_command_queue);
+
+- il_power_update_mode(il, true);
+- D_INFO("Updated power mode\n");
+-
+ return;
+
+ restart:
diff --git a/queue-3.4/series b/queue-3.4/series
index 5436d62abfa..7a97c2c2319 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -20,3 +20,7 @@ sparc32-add-ucmpdi2.patch
 sparc32-add-ucmpdi2.o-to-obj-y-instead-of-lib-y.patch
 mips-rewrite-pfn_valid-to-work-in-modules-too.patch
 af_key-initialize-satype-in-key_notify_policy_flush.patch
+iwl4965-set-power-mode-early.patch
+iwl4965-reset-firmware-after-rfkill-off.patch
+can-pcan_usb-fix-wrong-memcpy-bytes-length.patch
+genetlink-fix-family-dump-race.patch
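Review bot: The moved `il_power_update_mode(il, true)` call in il4965_alive_start() carries no comment explaining why it must now run before the commands that follow, and its result is not checked. The commit message says the device may have been left asleep and must be woken before other commands are sent, so a later cleanup could move the call back to the end without noticing; a comment such as `/* wake the device first: it may have been left asleep across a restart or module reload */` above the call would record the ordering constraint. `D_INFO("Updated power mode\n")` is also logged unconditionally, so if the call can fail (its prototype is not visible here) the log would claim success. The function body extends beyond both inner hunks.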