From 3c830a11157c2b4eb2ea9b3b4c3ea6220df583f5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 1 Apr 2013 13:09:14 -0700
Subject: [PATCH] 3.4-stable patches
added patches:
ath9k_hw-revert-chainmask-to-user-configuration-after-calibration.patch
can-sja1000-fix-define-conflict-on-sh.patch
hid-usbhid-quirk-for-realtek-multi-card-reader.patch
rtlwifi-usb-add-missing-freeing-of-skbuff.patch
staging-comedi-s626-fix-continuous-acquisition.patch
sysfs-fix-race-between-readdir-and-lseek.patch
sysfs-handle-failure-path-correctly-for-readdir.patch
---
...user-configuration-after-calibration.patch | 50 ++++++++++
...an-sja1000-fix-define-conflict-on-sh.patch | 91 +++++++++++++++++++
...-quirk-for-realtek-multi-card-reader.patch | 45 +++++++++
...fi-usb-add-missing-freeing-of-skbuff.patch | 28 ++++++
queue-3.4/series | 7 ++
...medi-s626-fix-continuous-acquisition.patch | 65 +++++++++++++
...s-fix-race-between-readdir-and-lseek.patch | 51 +++++++++++
...e-failure-path-correctly-for-readdir.patch | 47 ++++++++++
8 files changed, 384 insertions(+)
create mode 100644 queue-3.4/ath9k_hw-revert-chainmask-to-user-configuration-after-calibration.patch
create mode 100644 queue-3.4/can-sja1000-fix-define-conflict-on-sh.patch
create mode 100644 queue-3.4/hid-usbhid-quirk-for-realtek-multi-card-reader.patch
create mode 100644 queue-3.4/rtlwifi-usb-add-missing-freeing-of-skbuff.patch
create mode 100644 queue-3.4/staging-comedi-s626-fix-continuous-acquisition.patch
create mode 100644 queue-3.4/sysfs-fix-race-between-readdir-and-lseek.patch
create mode 100644 queue-3.4/sysfs-handle-failure-path-correctly-for-readdir.patch
diff --git a/queue-3.4/ath9k_hw-revert-chainmask-to-user-configuration-after-calibration.patch b/queue-3.4/ath9k_hw-revert-chainmask-to-user-configuration-after-calibration.patch
new file mode 100644
index 00000000000..091b044a34c
--- /dev/null
+++ b/queue-3.4/ath9k_hw-revert-chainmask-to-user-configuration-after-calibration.patch
@@ -0,0 +1,50 @@
+From 74632d11a133b5baf6b9d622dd19d2f944d93d94 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Fri, 15 Mar 2013 14:53:31 +0100
+Subject: ath9k_hw: revert chainmask to user configuration after calibration
+
+From: Felix Fietkau
+
+commit 74632d11a133b5baf6b9d622dd19d2f944d93d94 upstream.
+
+The commit 'ath9k_hw: fix calibration issues on chainmask that don't
+include chain 0' changed the hardware chainmask to the chip chainmask
+for the duration of the calibration, but the revert to user
+configuration in the reset path runs too early.
+
+That causes some issues with limiting the number of antennas (including
+spurious failure in hardware-generated packets).
+
+Fix this by reverting the chainmask after the essential parts of the
+calibration that need the workaround, and before NF calibration is run.
+
+Signed-off-by: Felix Fietkau
+Reported-by: Wojciech Dubowik
+Tested-by: Wojciech Dubowik
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath9k/ar9003_calib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/ar9003_calib.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_calib.c
+@@ -938,6 +938,7 @@ static bool ar9003_hw_init_cal(struct at
+ AR_PHY_CL_TAB_1,
+ AR_PHY_CL_TAB_2 };
+
++ /* Use chip chainmask only for calibration */
+ ar9003_hw_set_chain_masks(ah, ah->caps.rx_chainmask, ah->caps.tx_chainmask);
+
+ if (rtt) {
+@@ -1085,6 +1086,9 @@ skip_tx_iqcal:
+ ar9003_hw_rtt_disable(ah);
+ }
+
++ /* Revert chainmask to runtime parameters */
++ ar9003_hw_set_chain_masks(ah, ah->rxchainmask, ah->txchainmask);
++
+ /* Initialize list pointers */
+ ah->cal_list = ah->cal_list_last = ah->cal_list_curr = NULL;
+ ah->supp_cals = IQ_MISMATCH_CAL;
diff --git a/queue-3.4/can-sja1000-fix-define-conflict-on-sh.patch b/queue-3.4/can-sja1000-fix-define-conflict-on-sh.patch
new file mode 100644
index 00000000000..c62ccd5075b
--- /dev/null
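Review bot: In the queued ath9k_hw patch, the restore `ar9003_hw_set_chain_masks(ah, ah->rxchainmask, ah->txchainmask);` is added only on the fall-through path after `skip_tx_iqcal:`, so any `return` taken between the two set_chain_masks calls would leave the chip chainmask programmed. The code between the two nested hunks of ar9003_hw_init_cal() is not shown, so this may already be covered; if it is not, the failure exits need the same restore. The new comment could also record the ordering constraint given in the commit message, e.g. `/* Revert chainmask to runtime parameters; must happen before NF calibration */`.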
+++ b/queue-3.4/can-sja1000-fix-define-conflict-on-sh.patch 
@@ -0,0 +1,91 @@
+From f901b6bc404b67d96eca739857c097e022727b71 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Wed, 27 Mar 2013 11:36:42 +0100
+Subject: can: sja1000: fix define conflict on SH
+
+From: Marc Kleine-Budde
+
+commit f901b6bc404b67d96eca739857c097e022727b71 upstream.
+
+Thias patch fixes a define conflict between the SH architecture and the sja1000
+driver:
+
+ drivers/net/can/sja1000/sja1000.h:59:0: warning:
+ "REG_SR" redefined [enabled by default]
+ arch/sh/include/asm/ptrace_32.h:25:0: note:
+ this is the location of the previous definition
+
+A SJA1000_ prefix is added to the offending sja1000 define only, to make a
+minimal patch suited for stable. A later patch will add a SJA1000_ prefix to
+all defines in sja1000.h.
+
+Reported-by: Fengguang Wu
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/sja1000/plx_pci.c | 4 ++--
+ drivers/net/can/sja1000/sja1000.c | 6 +++---
+ drivers/net/can/sja1000/sja1000.h | 2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/can/sja1000/plx_pci.c
++++ b/drivers/net/can/sja1000/plx_pci.c
+@@ -329,7 +329,7 @@ static inline int plx_pci_check_sja1000(
+ */
+ if ((priv->read_reg(priv, REG_CR) & REG_CR_BASICCAN_INITIAL_MASK) ==
+ REG_CR_BASICCAN_INITIAL &&
+- (priv->read_reg(priv, REG_SR) == REG_SR_BASICCAN_INITIAL) &&
++ (priv->read_reg(priv, SJA1000_REG_SR) == REG_SR_BASICCAN_INITIAL) &&
+ (priv->read_reg(priv, REG_IR) == REG_IR_BASICCAN_INITIAL))
+ flag = 1;
+
+@@ -341,7 +341,7 @@ static inline int plx_pci_check_sja1000(
+ * See states on p. 23 of the Datasheet.
+ */
+ if (priv->read_reg(priv, REG_MOD) == REG_MOD_PELICAN_INITIAL &&
+- priv->read_reg(priv, REG_SR) == REG_SR_PELICAN_INITIAL &&
++ priv->read_reg(priv, SJA1000_REG_SR) == REG_SR_PELICAN_INITIAL &&
+ priv->read_reg(priv, REG_IR) == REG_IR_PELICAN_INITIAL)
+ return flag;
+
+--- a/drivers/net/can/sja1000/sja1000.c
++++ b/drivers/net/can/sja1000/sja1000.c
+@@ -91,7 +91,7 @@ static void sja1000_write_cmdreg(struct
+ */
+ spin_lock_irqsave(&priv->cmdreg_lock, flags);
+ priv->write_reg(priv, REG_CMR, val);
+- priv->read_reg(priv, REG_SR);
++ priv->read_reg(priv, SJA1000_REG_SR);
+ spin_unlock_irqrestore(&priv->cmdreg_lock, flags);
+ }
+
+@@ -496,7 +496,7 @@ irqreturn_t sja1000_interrupt(int irq, v
+
+ while ((isrc = priv->read_reg(priv, REG_IR)) && (n < SJA1000_MAX_IRQ)) {
+ n++;
+- status = priv->read_reg(priv, REG_SR);
++ status = priv->read_reg(priv, SJA1000_REG_SR);
+ /* check for absent controller due to hw unplug */
+ if (status == 0xFF && sja1000_is_absent(priv))
+ return IRQ_NONE;
+@@ -515,7 +515,7 @@ irqreturn_t sja1000_interrupt(int irq, v
+ /* receive interrupt */
+ while (status & SR_RBS) {
+ sja1000_rx(dev);
+- status = priv->read_reg(priv, REG_SR);
++ status = priv->read_reg(priv, SJA1000_REG_SR);
+ /* check for absent controller */
+ if (status == 0xFF && sja1000_is_absent(priv))
+ return IRQ_NONE;
+--- a/drivers/net/can/sja1000/sja1000.h
++++ b/drivers/net/can/sja1000/sja1000.h
+@@ -56,7 +56,7 @@
+ /* SJA1000 registers - manual section 6.4 (Pelican Mode) */
+ #define REG_MOD 0x00
+ #define REG_CMR 0x01
+-#define REG_SR 0x02
++#define SJA1000_REG_SR 0x02
+ #define REG_IR 0x03
+ #define REG_IER 0x04
+ #define REG_ALC 0x0B
diff --git a/queue-3.4/hid-usbhid-quirk-for-realtek-multi-card-reader.patch b/queue-3.4/hid-usbhid-quirk-for-realtek-multi-card-reader.patch
new file mode 100644
index 00000000000..b923e6dabce
--- /dev/null
+++ b/queue-3.4/hid-usbhid-quirk-for-realtek-multi-card-reader.patch
@@ -0,0 +1,45 @@
+From 3d464d9b71ef2f2b40a4bc9dcf06794fd1be9d12 Mon Sep 17 00:00:00 2001
+From: Josh Boyer
+Date: Mon, 18 Mar 2013 09:45:42 -0400
+Subject: HID: usbhid: quirk for Realtek Multi-card reader
+
+From: Josh Boyer
+
+commit 3d464d9b71ef2f2b40a4bc9dcf06794fd1be9d12 upstream.
+
+This device needs to be added to the quirks list with HID_QUIRK_NO_INIT_REPORTS,
+otherwise it causes 10 seconds timeout during report initialization.
+
+This fixes Red Hat bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=806587
+
+Signed-off-by: Josh Boyer
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/usbhid/hid-quirks.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -644,6 +644,9 @@
+ #define USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3008 0x3008
+ #define USB_DEVICE_ID_PIXART_IMAGING_INC_OPTICAL_TOUCH_SCREEN 0x3001
+
++#define USB_VENDOR_ID_REALTEK 0x0bda
++#define USB_DEVICE_ID_REALTEK_READER 0x0152
++
+ #define USB_VENDOR_ID_ROCCAT 0x1e7d
+ #define USB_DEVICE_ID_ROCCAT_ARVO 0x30d4
+ #define USB_DEVICE_ID_ROCCAT_ISKU 0x319c
+--- a/drivers/hid/usbhid/hid-quirks.c
++++ b/drivers/hid/usbhid/hid-quirks.c
+@@ -77,6 +77,7 @@ static const struct hid_blacklist {
+ { USB_VENDOR_ID_PRODIGE, USB_DEVICE_ID_PRODIGE_CORDLESS, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_PIXART_IMAGING_INC_OPTICAL_TOUCH_SCREEN, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3008, HID_QUIRK_NOGET },
++ { USB_VENDOR_ID_REALTEK, USB_DEVICE_ID_REALTEK_READER, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_SENNHEISER, USB_DEVICE_ID_SENNHEISER_BTD500USB, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_SIGMATEL, USB_DEVICE_ID_SIGMATEL_STMP3780, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_SUN, USB_DEVICE_ID_RARITAN_KVM_DONGLE, HID_QUIRK_NOGET },
diff --git a/queue-3.4/rtlwifi-usb-add-missing-freeing-of-skbuff.patch b/queue-3.4/rtlwifi-usb-add-missing-freeing-of-skbuff.patch
new file mode 100644
index 00000000000..cabf949e531
--- /dev/null
+++ b/queue-3.4/rtlwifi-usb-add-missing-freeing-of-skbuff.patch
@@ -0,0 +1,28 @@
+From 36ef0b473fbf43d5db23eea4616cc1d18cec245f Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna
+Date: Sun, 17 Mar 2013 11:54:04 +0200
+Subject: rtlwifi: usb: add missing freeing of skbuff
+
+From: Jussi Kivilinna
+
+commit 36ef0b473fbf43d5db23eea4616cc1d18cec245f upstream.
+
+Signed-off-by: Jussi Kivilinna
+Acked-by: Larry Finger
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/rtlwifi/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rtlwifi/usb.c
++++ b/drivers/net/wireless/rtlwifi/usb.c
+@@ -853,6 +853,7 @@ static void _rtl_usb_transmit(struct iee
+ if (unlikely(!_urb)) {
+ RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG,
+ "Can't allocate urb. Drop skb!\n");
++ kfree_skb(skb);
+ return;
+ }
+ urb_list = &rtlusb->tx_pending[ep_num];
diff --git a/queue-3.4/series b/queue-3.4/series
index 93f2022e65d..2bbdac2b3db 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -3,3 +3,10 @@ tile-expect-new-initramfs-name-from-hypervisor-file-system.patch
 bluetooth-fix-not-closing-sco-sockets-in-the-bt_connect2-state.patch
 bluetooth-add-support-for-dell.patch
 bluetooth-add-support-for-dell_2.patch
+staging-comedi-s626-fix-continuous-acquisition.patch
+sysfs-fix-race-between-readdir-and-lseek.patch
+sysfs-handle-failure-path-correctly-for-readdir.patch
+can-sja1000-fix-define-conflict-on-sh.patch
+ath9k_hw-revert-chainmask-to-user-configuration-after-calibration.patch
+hid-usbhid-quirk-for-realtek-multi-card-reader.patch
+rtlwifi-usb-add-missing-freeing-of-skbuff.patch
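Review bot: Nothing in _rtl_usb_transmit() or in the bodiless commit message of the queued rtlwifi patch says who owns the skb when the urb allocation fails, which is the one fact the added `kfree_skb(skb);` depends on. I would add a comment above it such as `/* skb is ours on this path; free it or it leaks on every failed urb allocation */`. The function starts and ends outside the nested hunk, so whether its other exits also consume or release the skb cannot be checked here and should be confirmed.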
diff --git a/queue-3.4/staging-comedi-s626-fix-continuous-acquisition.patch b/queue-3.4/staging-comedi-s626-fix-continuous-acquisition.patch
new file mode 100644
index 00000000000..f13d0237b08
--- /dev/null
+++ b/queue-3.4/staging-comedi-s626-fix-continuous-acquisition.patch
@@ -0,0 +1,65 @@
+From e4317ce877a31dbb9d96375391c1c4ad2210d637 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Fri, 22 Mar 2013 15:16:29 +0000
+Subject: staging: comedi: s626: fix continuous acquisition
+
+From: Ian Abbott
+
+commit e4317ce877a31dbb9d96375391c1c4ad2210d637 upstream.
+
+For the s626 driver, there is a bug in the handling of asynchronous
+commands on the AI subdevice when the stop source is `TRIG_NONE`. The
+command should run continuously until cancelled, but the interrupt
+handler stops the command running after the first scan.
+
+The command set-up function `s626_ai_cmd()` contains this code:
+
+ switch (cmd->stop_src) {
+ case TRIG_COUNT:
+ /* data arrives as one packet */
+ devpriv->ai_sample_count = cmd->stop_arg;
+ devpriv->ai_continous = 0;
+ break;
+ case TRIG_NONE:
+ /* continous acquisition */
+ devpriv->ai_continous = 1;
+ devpriv->ai_sample_count = 0;
+ break;
+ }
+
+The interrupt handler `s626_irq_handler()` contains this code:
+
+ if (!(devpriv->ai_continous))
+ devpriv->ai_sample_count--;
+ if (devpriv->ai_sample_count <= 0) {
+ devpriv->ai_cmd_running = 0;
+ /* ... */
+ }
+
+So `devpriv->ai_sample_count` is only decremented for the `TRIG_COUNT`
+case, but `devpriv->ai_cmd_running` is set to 0 (and the command
+stopped) regardless.
+
+Fix this in `s626_ai_cmd()` by setting `devpriv->ai_sample_count = 1`
+for the `TRIG_NONE` case. The interrupt handler will not decrement it
+so it will remain greater than 0 and the check for stopping the
+acquisition will fail.
+
+Signed-off-by: Ian Abbott
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/comedi/drivers/s626.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/s626.c
++++ b/drivers/staging/comedi/drivers/s626.c
+@@ -1882,7 +1882,7 @@ static int s626_ai_cmd(struct comedi_dev
+ case TRIG_NONE:
+ /* continous acquisition */
+ devpriv->ai_continous = 1;
+- devpriv->ai_sample_count = 0;
++ devpriv->ai_sample_count = 1;
+ break;
+ }
+
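Review bot: In the queued s626 patch, `devpriv->ai_sample_count = 1;` in the TRIG_NONE case of s626_ai_cmd() is a sentinel whose only job is to keep the `ai_sample_count <= 0` stop check in s626_irq_handler() from firing, and nothing at the assignment says so. I would add `/* non-zero: the irq handler stops the command once this is <= 0 */` above it. A sturdier form would leave the count alone and make the handler test `if (!devpriv->ai_continous && devpriv->ai_sample_count <= 0)`, so the count is never consulted in continuous mode. The switch is shown without a `default`, so for any other stop_src both fields would keep the previous command's values; s626_ai_cmd() continues outside the hunk, so confirm that earlier validation rules this out.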
diff --git a/queue-3.4/sysfs-fix-race-between-readdir-and-lseek.patch b/queue-3.4/sysfs-fix-race-between-readdir-and-lseek.patch
new file mode 100644
index 00000000000..4e38d99a95c
--- /dev/null
+++ b/queue-3.4/sysfs-fix-race-between-readdir-and-lseek.patch
@@ -0,0 +1,51 @@
+From 991f76f837bf22c5bb07261cfd86525a0a96650c Mon Sep 17 00:00:00 2001
+From: Ming Lei
+Date: Wed, 20 Mar 2013 23:25:24 +0800
+Subject: sysfs: fix race between readdir and lseek
+
+From: Ming Lei
+
+commit 991f76f837bf22c5bb07261cfd86525a0a96650c upstream.
+
+While readdir() is running, lseek() may set filp->f_pos as zero,
+then may leave filp->private_data pointing to one sysfs_dirent
+object without holding its reference counter, so the sysfs_dirent
+object may be used after free in next readdir().
+
+This patch holds inode->i_mutex to avoid the problem since
+the lock is always held in readdir path.
+
+Reported-by: Dave Jones
+Tested-by: Sasha Levin
+Signed-off-by: Ming Lei
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/sysfs/dir.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/fs/sysfs/dir.c
++++ b/fs/sysfs/dir.c
+@@ -1040,10 +1040,21 @@ static int sysfs_readdir(struct file * f
+ return 0;
+ }
+
++static loff_t sysfs_dir_llseek(struct file *file, loff_t offset, int whence)
++{
++ struct inode *inode = file_inode(file);
++ loff_t ret;
++
++ mutex_lock(&inode->i_mutex);
++ ret = generic_file_llseek(file, offset, whence);
++ mutex_unlock(&inode->i_mutex);
++
++ return ret;
++}
+
+ const struct file_operations sysfs_dir_operations = {
+ .read = generic_read_dir,
+ .readdir = sysfs_readdir,
+ .release = sysfs_dir_release,
+- .llseek = generic_file_llseek,
++ .llseek = sysfs_dir_llseek,
+ };
diff --git a/queue-3.4/sysfs-handle-failure-path-correctly-for-readdir.patch b/queue-3.4/sysfs-handle-failure-path-correctly-for-readdir.patch
new file mode 100644
index 00000000000..0764c485838
--- /dev/null
+++ b/queue-3.4/sysfs-handle-failure-path-correctly-for-readdir.patch
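Review bot: In the queued sysfs llseek patch, `struct inode *inode = file_inode(file);` in the new sysfs_dir_llseek() relies on a helper that, as far as I recall, was added upstream later than 3.4, so this backport may not compile in the tree it is queued for. Build-test it against 3.4 and, if the helper is missing, use `struct inode *inode = file->f_path.dentry->d_inode;` instead. The locking matches the description, since the seek now takes `inode->i_mutex`, which the message says the readdir path always holds. A one-line comment on the function would keep that coupling visible, e.g. `/* serialize f_pos updates against sysfs_readdir(), which keeps a sysfs_dirent in filp->private_data */`.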
@@ -0,0 +1,47 @@
+From e5110f411d2ee35bf8d202ccca2e89c633060dca Mon Sep 17 00:00:00 2001
+From: Ming Lei
+Date: Wed, 20 Mar 2013 23:25:25 +0800
+Subject: sysfs: handle failure path correctly for readdir()
+
+From: Ming Lei
+
+commit e5110f411d2ee35bf8d202ccca2e89c633060dca upstream.
+
+In case of 'if (filp->f_pos == 0 or 1)' of sysfs_readdir(),
+the failure from filldir() isn't handled, and the reference counter
+of the sysfs_dirent object pointed by filp->private_data will be
+released without clearing filp->private_data, so use after free
+bug will be triggered later.
+
+This patch returns immeadiately under the situation for fixing the bug,
+and it is reasonable to return from readdir() when filldir() fails.
+
+Reported-by: Dave Jones
+Tested-by: Sasha Levin
+Signed-off-by: Ming Lei
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/sysfs/dir.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/sysfs/dir.c
++++ b/fs/sysfs/dir.c
+@@ -1002,6 +1002,8 @@ static int sysfs_readdir(struct file * f
+ ino = parent_sd->s_ino;
+ if (filldir(dirent, ".", 1, filp->f_pos, ino, DT_DIR) == 0)
+ filp->f_pos++;
++ else
++ return 0;
+ }
+ if (filp->f_pos == 1) {
+ if (parent_sd->s_parent)
+@@ -1010,6 +1012,8 @@ static int sysfs_readdir(struct file * f
+ ino = parent_sd->s_ino;
+ if (filldir(dirent, "..", 2, filp->f_pos, ino, DT_DIR) == 0)
+ filp->f_pos++;
++ else
++ return 0;
+ }
+ mutex_lock(&sysfs_mutex);
+ for (pos = sysfs_dir_pos(ns, parent_sd, filp->f_pos, pos);
--
2.47.3
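Review bot: In the queued sysfs readdir patch, the two added `else return 0;` branches in sysfs_readdir() carry a use-after-free fix, but the code gives no reason why falling through after a failed filldir() is unsafe, so a later cleanup could remove them. I would put a comment on the first one, e.g. `/* filldir() failed: return now, the code below would drop the dirent reference while filp->private_data still points at it */`, with the wording taken from the commit message because the release itself is outside the hunk. As a style point, a guard reads more directly than if/else here: `if (filldir(dirent, ".", 1, filp->f_pos, ino, DT_DIR) != 0) return 0;` followed by `filp->f_pos++;`. The entry loop after `mutex_lock(&sysfs_mutex)` continues past the hunk, so its own filldir() failure handling cannot be checked from here.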