From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 21 Mar 2012 21:13:44 +0000 (-0700)
Subject: 3.0-stable patches
X-Git-Tag: v3.0.26~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f6642610d98689f9115b730d3091c4d14b3b89fb;p=thirdparty%2Fkernel%2Fstable-queue.git

3.0-stable patches

added patches:
	iwl3945-fix-possible-il-txq-null-pointer-dereference-in-delayed-works.patch
	powerpc-pmac-fix-smp-kernels-on-pre-core99-up-machines.patch
---

diff --git a/queue-3.0/iwl3945-fix-possible-il-txq-null-pointer-dereference-in-delayed-works.patch b/queue-3.0/iwl3945-fix-possible-il-txq-null-pointer-dereference-in-delayed-works.patch
new file mode 100644
index 00000000000..cb01cfb6849
--- /dev/null
+++ b/queue-3.0/iwl3945-fix-possible-il-txq-null-pointer-dereference-in-delayed-works.patch
@@ -0,0 +1,60 @@
+From 210787e82a0ac1ffb5d7be1c796f0c51050849ad Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Thu, 8 Mar 2012 13:16:01 +0100
+Subject: iwl3945: fix possible il->txq NULL pointer dereference in delayed works
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit 210787e82a0ac1ffb5d7be1c796f0c51050849ad upstream.
+
+On il3945_down procedure we free tx queue data and nullify il->txq
+pointer. After that we drop mutex and then cancel delayed works. There
+is possibility, that after drooping mutex and before the cancel, some
+delayed work will start and crash while trying to send commands to
+the device. For example, here is reported crash in
+il3945_bg_reg_txpower_periodic():
+https://bugzilla.kernel.org/show_bug.cgi?id=42766#c10
+
+Patch fix problem by adding il->txq check on works that send commands,
+hence utilize tx queue.
+
+Reported-by: Clemens Eisserer <linuxhippy@gmail.com>
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+
+
+---
+ drivers/net/wireless/iwlegacy/iwl-3945.c     |    7 ++++---
+ drivers/net/wireless/iwlegacy/iwl3945-base.c |    2 +-
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/iwlegacy/iwl-3945.c
++++ b/drivers/net/wireless/iwlegacy/iwl-3945.c
+@@ -1872,11 +1872,12 @@ static void iwl3945_bg_reg_txpower_perio
+ 	struct iwl_priv *priv = container_of(work, struct iwl_priv,
+ 					     _3945.thermal_periodic.work);
+ 
+-	if (test_bit(STATUS_EXIT_PENDING, &priv->status))
+-		return;
+-
+ 	mutex_lock(&priv->mutex);
++	if (test_bit(STATUS_EXIT_PENDING, &priv->status) || priv->txq == NULL)
++		goto out;
++
+ 	iwl3945_reg_txpower_periodic(priv);
++out:
+ 	mutex_unlock(&priv->mutex);
+ }
+ 
+--- a/drivers/net/wireless/iwlegacy/iwl3945-base.c
++++ b/drivers/net/wireless/iwlegacy/iwl3945-base.c
+@@ -2763,7 +2763,7 @@ static void iwl3945_bg_alive_start(struc
+ 	    container_of(data, struct iwl_priv, alive_start.work);
+ 
+ 	mutex_lock(&priv->mutex);
+-	if (test_bit(STATUS_EXIT_PENDING, &priv->status))
++	if (test_bit(STATUS_EXIT_PENDING, &priv->status) || priv->txq == NULL)
+ 		goto out;
+ 
+ 	iwl3945_alive_start(priv);
diff --git a/queue-3.0/powerpc-pmac-fix-smp-kernels-on-pre-core99-up-machines.patch b/queue-3.0/powerpc-pmac-fix-smp-kernels-on-pre-core99-up-machines.patch
new file mode 100644
index 00000000000..8c009bd9583
--- /dev/null
+++ b/queue-3.0/powerpc-pmac-fix-smp-kernels-on-pre-core99-up-machines.patch
@@ -0,0 +1,33 @@
+From 78c5c68a4cf4329d17abfa469345ddf323d4fd62 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Fri, 9 Dec 2011 15:06:18 +1100
+Subject: powerpc/pmac: Fix SMP kernels on pre-core99 UP machines
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit 78c5c68a4cf4329d17abfa469345ddf323d4fd62 upstream.
+
+The code for "powersurge" SMP would kick in and cause a crash
+at boot due to the lack of a NULL test.
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
+Reported-by: Adam Conrad <adconrad@ubuntu.com>
+Tested-by: Adam Conrad <adconrad@ubuntu.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powermac/smp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powermac/smp.c
++++ b/arch/powerpc/platforms/powermac/smp.c
+@@ -414,7 +414,7 @@ static struct irqaction psurge_irqaction
+ 
+ static void __init smp_psurge_setup_cpu(int cpu_nr)
+ {
+-	if (cpu_nr != 0)
++	if (cpu_nr != 0 || !psurge_start)
+ 		return;
+ 
+ 	/* reset the entry point so if we get another intr we won't
diff --git a/queue-3.0/series b/queue-3.0/series
index e01c950b009..6949b5fb322 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -4,3 +4,5 @@ afs-remote-abort-can-cause-bug-in-rxrpc-code.patch
 perf-tools-incorrect-use-of-snprintf-results-in-segv.patch
 tcp-fix-syncookie-regression.patch
 ipv6-don-t-dev_hold-dev-in-ip6_mc_find_dev_rcu.patch
+iwl3945-fix-possible-il-txq-null-pointer-dereference-in-delayed-works.patch
+powerpc-pmac-fix-smp-kernels-on-pre-core99-up-machines.patch