From ed42b980cb96487be358171508d580b06433d229 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 21 Nov 2011 15:58:15 -0800 Subject: [PATCH] 3.0 patches added patches: arm-7150-1-allow-kernel-unaligned-accesses-on-armv6.patch cfg80211-fix-bug-on-regulatory-core-exit-on-access-to-last_request.patch ip6_tunnel-copy-parms.name-after-register_netdevice.patch mac80211-fix-bug-in-ieee80211_build_probe_req.patch mac80211-fix-null-dereference-in-radiotap-code.patch net-libertas-resolve-memory-leak-in-if_spi_host_to_card.patch nl80211-fix-ht-capability-attribute-validation.patch pm-driver-core-disable-device-s-runtime-pm-during-shutdown.patch rt2x00-fix-sleep-while-atomic-bug-in-powersaving-code.patch --- ...w-kernel-unaligned-accesses-on-armv6.patch | 36 +++++++ ...-core-exit-on-access-to-last_request.patch | 101 ++++++++++++++++++ ...-parms.name-after-register_netdevice.patch | 76 +++++++++++++ ...fix-bug-in-ieee80211_build_probe_req.patch | 41 +++++++ ...ix-null-dereference-in-radiotap-code.patch | 65 +++++++++++ ...e-memory-leak-in-if_spi_host_to_card.patch | 32 ++++++ ...x-ht-capability-attribute-validation.patch | 34 ++++++ ...-device-s-runtime-pm-during-shutdown.patch | 50 +++++++++ ...while-atomic-bug-in-powersaving-code.patch | 92 ++++++++++++++++ queue-3.0/series | 9 ++ 10 files changed, 536 insertions(+) create mode 100644 queue-3.0/arm-7150-1-allow-kernel-unaligned-accesses-on-armv6.patch create mode 100644 queue-3.0/cfg80211-fix-bug-on-regulatory-core-exit-on-access-to-last_request.patch create mode 100644 queue-3.0/ip6_tunnel-copy-parms.name-after-register_netdevice.patch create mode 100644 queue-3.0/mac80211-fix-bug-in-ieee80211_build_probe_req.patch create mode 100644 queue-3.0/mac80211-fix-null-dereference-in-radiotap-code.patch create mode 100644 queue-3.0/net-libertas-resolve-memory-leak-in-if_spi_host_to_card.patch create mode 100644 queue-3.0/nl80211-fix-ht-capability-attribute-validation.patch create mode 100644 queue-3.0/pm-driver-core-disable-device-s-runtime-pm-during-shutdown.patch create mode 100644 queue-3.0/rt2x00-fix-sleep-while-atomic-bug-in-powersaving-code.patch diff --git a/queue-3.0/arm-7150-1-allow-kernel-unaligned-accesses-on-armv6.patch b/queue-3.0/arm-7150-1-allow-kernel-unaligned-accesses-on-armv6.patch new file mode 100644 index 00000000000..95c425734ca --- /dev/null +++ b/queue-3.0/arm-7150-1-allow-kernel-unaligned-accesses-on-armv6.patch @@ -0,0 +1,36 @@ +From 8428e84d42179c2a00f5f6450866e70d802d1d05 Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Mon, 7 Nov 2011 18:05:53 +0100 +Subject: ARM: 7150/1: Allow kernel unaligned accesses on ARMv6+ + processors + +From: Catalin Marinas + +commit 8428e84d42179c2a00f5f6450866e70d802d1d05 upstream. + +Recent gcc versions generate unaligned accesses by default on ARMv6 and +later processors. This patch ensures that the SCTLR.A bit is always +cleared on such processors to avoid kernel traping before +alignment_init() is called. + +Signed-off-by: Catalin Marinas +Tested-by: John Linn +Acked-by: Nicolas Pitre +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kernel/head.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/kernel/head.S ++++ b/arch/arm/kernel/head.S +@@ -348,7 +348,7 @@ __secondary_data: + * r13 = *virtual* address to jump to upon completion + */ + __enable_mmu: +-#ifdef CONFIG_ALIGNMENT_TRAP ++#if defined(CONFIG_ALIGNMENT_TRAP) && __LINUX_ARM_ARCH__ < 6 + orr r0, r0, #CR_A + #else + bic r0, r0, #CR_A diff --git a/queue-3.0/cfg80211-fix-bug-on-regulatory-core-exit-on-access-to-last_request.patch b/queue-3.0/cfg80211-fix-bug-on-regulatory-core-exit-on-access-to-last_request.patch new file mode 100644 index 00000000000..28462bd164c --- /dev/null +++ b/queue-3.0/cfg80211-fix-bug-on-regulatory-core-exit-on-access-to-last_request.patch @@ -0,0 +1,101 @@ +From 58ebacc66bd11be2327edcefc79de94bd6f5bb4a Mon Sep 17 00:00:00 2001 +From: "Luis R. Rodriguez" +Date: Tue, 8 Nov 2011 14:28:06 -0800 +Subject: cfg80211: fix bug on regulatory core exit on access to last_request + +From: "Luis R. Rodriguez" + +commit 58ebacc66bd11be2327edcefc79de94bd6f5bb4a upstream. + +Commit 4d9d88d1 by Scott James Remnant added +the .uevent() callback for the regulatory device used during +the platform device registration. The change was done to account +for queuing up udev change requests through udevadm triggers. +The change also meant that upon regulatory core exit we will now +send a uevent() but the uevent() callback, reg_device_uevent(), +also accessed last_request. Right before commiting device suicide +we free'd last_request but never set it to NULL so +platform_device_unregister() would lead to bogus kernel paging +request. Fix this and also simply supress uevents right before +we commit suicide as they are pointless. + +This fix is required for kernels >= v2.6.39 + +$ git describe --contains 4d9d88d1 +v2.6.39-rc1~468^2~25^2^2~21 + +The impact of not having this present is that a bogus paging +access may occur (only read) upon cfg80211 unload time. You +may also get this BUG complaint below. Although Johannes +could not reproduce the issue this fix is theoretically correct. + +mac80211_hwsim: unregister radios +mac80211_hwsim: closing netlink +BUG: unable to handle kernel paging request at ffff88001a06b5ab +IP: [] reg_device_uevent+0x1a/0x50 [cfg80211] +PGD 1836063 PUD 183a063 PMD 1ffcb067 PTE 1a06b160 +Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC +CPU 0 +Modules linked in: cfg80211(-) [last unloaded: mac80211] + +Pid: 2279, comm: rmmod Tainted: G W 3.1.0-wl+ #663 Bochs Bochs +RIP: 0010:[] [] reg_device_uevent+0x1a/0x50 [cfg80211] +RSP: 0000:ffff88001c5f9d58 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: ffff88001d2eda88 RCX: ffff88001c7468fc +RDX: ffff88001a06b5a0 RSI: ffff88001c7467b0 RDI: ffff88001c7467b0 +RBP: ffff88001c5f9d58 R08: 000000000000ffff R09: 000000000000ffff +R10: 0000000000000000 R11: 0000000000000001 R12: ffff88001c7467b0 +R13: ffff88001d2eda78 R14: ffffffff8164a840 R15: 0000000000000001 +FS: 00007f8a91d8a6e0(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +CR2: ffff88001a06b5ab CR3: 000000001c62e000 CR4: 00000000000006f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Process rmmod (pid: 2279, threadinfo ffff88001c5f8000, task ffff88000023c780) +Stack: + ffff88001c5f9d98 ffffffff812ff7e5 ffffffff8176ab3d ffff88001c7468c2 + 000000000000ffff ffff88001d2eda88 ffff88001c7467b0 ffff880000114820 + ffff88001c5f9e38 ffffffff81241dc7 ffff88001c5f9db8 ffffffff81040189 +Call Trace: + [] dev_uevent+0xc5/0x170 + [] kobject_uevent_env+0x1f7/0x490 + [] ? sub_preempt_count+0x29/0x60 + [] ? _raw_spin_unlock_irqrestore+0x4a/0x90 + [] ? devres_release_all+0x27/0x60 + [] kobject_uevent+0xb/0x10 + [] device_del+0x157/0x1b0 + [] platform_device_del+0x1d/0x90 + [] platform_device_unregister+0x16/0x30 + [] regulatory_exit+0x5d/0x180 [cfg80211] + [] cfg80211_exit+0x2b/0x45 [cfg80211] + [] sys_delete_module+0x16c/0x220 + [] ? trace_hardirqs_on_caller+0x7e/0x120 + [] system_call_fastpath+0x16/0x1b +Code: +RIP [] reg_device_uevent+0x1a/0x50 [cfg80211] + RSP +CR2: ffff88001a06b5ab +---[ end trace 147c5099a411e8c0 ]--- + +Reported-by: Johannes Berg +Cc: Scott James Remnant +Signed-off-by: Luis R. Rodriguez +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/reg.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2254,6 +2254,9 @@ void /* __init_or_exit */ regulatory_exi + + kfree(last_request); + ++ last_request = NULL; ++ dev_set_uevent_suppress(®_pdev->dev, true); ++ + platform_device_unregister(reg_pdev); + + spin_lock_bh(®_pending_beacons_lock); diff --git a/queue-3.0/ip6_tunnel-copy-parms.name-after-register_netdevice.patch b/queue-3.0/ip6_tunnel-copy-parms.name-after-register_netdevice.patch new file mode 100644 index 00000000000..8c11e0be935 --- /dev/null +++ b/queue-3.0/ip6_tunnel-copy-parms.name-after-register_netdevice.patch @@ -0,0 +1,76 @@ +From 731abb9cb27aef6013ce60808a04e04a545f3f4e Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Thu, 10 Nov 2011 15:10:23 +0000 +Subject: ip6_tunnel: copy parms.name after register_netdevice + +From: Josh Boyer + +commit 731abb9cb27aef6013ce60808a04e04a545f3f4e upstream. + +Commit 1c5cae815d removed an explicit call to dev_alloc_name in ip6_tnl_create +because register_netdevice will now create a valid name. This works for the +net_device itself. + +However the tunnel keeps a copy of the name in the parms structure for the +ip6_tnl associated with the tunnel. parms.name is set by copying the net_device +name in ip6_tnl_dev_init_gen. That function is called from ip6_tnl_dev_init in +ip6_tnl_create, but it is done before register_netdevice is called so the name +is set to a bogus value in the parms.name structure. + +This shows up if you do a simple tunnel add, followed by a tunnel show: + +[root@localhost ~]# ip -6 tunnel add remote fec0::100 local fec0::200 +[root@localhost ~]# ip -6 tunnel show +ip6tnl0: ipv6/ipv6 remote :: local :: encaplimit 0 hoplimit 0 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000) +ip6tnl%d: ipv6/ipv6 remote fec0::100 local fec0::200 encaplimit 4 hoplimit 64 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000) +[root@localhost ~]# + +Fix this by moving the strcpy out of ip6_tnl_dev_init_gen, and calling it after +register_netdevice has successfully returned. + +Signed-off-by: Josh Boyer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ip6_tunnel.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -289,6 +289,8 @@ static struct ip6_tnl *ip6_tnl_create(st + if ((err = register_netdevice(dev)) < 0) + goto failed_free; + ++ strcpy(t->parms.name, dev->name); ++ + dev_hold(dev); + ip6_tnl_link(ip6n, t); + return t; +@@ -1397,7 +1399,6 @@ ip6_tnl_dev_init_gen(struct net_device * + struct ip6_tnl *t = netdev_priv(dev); + + t->dev = dev; +- strcpy(t->parms.name, dev->name); + dev->tstats = alloc_percpu(struct pcpu_tstats); + if (!dev->tstats) + return -ENOMEM; +@@ -1477,6 +1478,7 @@ static void __net_exit ip6_tnl_destroy_t + static int __net_init ip6_tnl_init_net(struct net *net) + { + struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id); ++ struct ip6_tnl *t = NULL; + int err; + + ip6n->tnls[0] = ip6n->tnls_wc; +@@ -1497,6 +1499,10 @@ static int __net_init ip6_tnl_init_net(s + err = register_netdev(ip6n->fb_tnl_dev); + if (err < 0) + goto err_register; ++ ++ t = netdev_priv(ip6n->fb_tnl_dev); ++ ++ strcpy(t->parms.name, ip6n->fb_tnl_dev->name); + return 0; + + err_register: diff --git a/queue-3.0/mac80211-fix-bug-in-ieee80211_build_probe_req.patch b/queue-3.0/mac80211-fix-bug-in-ieee80211_build_probe_req.patch new file mode 100644 index 00000000000..dd4176947eb --- /dev/null +++ b/queue-3.0/mac80211-fix-bug-in-ieee80211_build_probe_req.patch @@ -0,0 +1,41 @@ +From 5b2bbf75a24d6b06afff6de0eb4819413fd81971 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 8 Nov 2011 13:04:41 +0100 +Subject: mac80211: fix bug in ieee80211_build_probe_req + +From: Johannes Berg + +commit 5b2bbf75a24d6b06afff6de0eb4819413fd81971 upstream. + +ieee80211_probereq_get() can return NULL in +which case we should clean up & return NULL +in ieee80211_build_probe_req() as well. + +Signed-off-by: Johannes Berg +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/util.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -1047,6 +1047,8 @@ struct sk_buff *ieee80211_build_probe_re + skb = ieee80211_probereq_get(&local->hw, &sdata->vif, + ssid, ssid_len, + buf, buf_len); ++ if (!skb) ++ goto out; + + if (dst) { + mgmt = (struct ieee80211_mgmt *) skb->data; +@@ -1055,6 +1057,8 @@ struct sk_buff *ieee80211_build_probe_re + } + + IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT; ++ ++ out: + kfree(buf); + + return skb; diff --git a/queue-3.0/mac80211-fix-null-dereference-in-radiotap-code.patch b/queue-3.0/mac80211-fix-null-dereference-in-radiotap-code.patch new file mode 100644 index 00000000000..1b624ce682c --- /dev/null +++ b/queue-3.0/mac80211-fix-null-dereference-in-radiotap-code.patch @@ -0,0 +1,65 @@ +From f8d1ccf15568268c76f913b45ecdd33134387f1a Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 8 Nov 2011 12:28:33 +0100 +Subject: mac80211: fix NULL dereference in radiotap code + +From: Johannes Berg + +commit f8d1ccf15568268c76f913b45ecdd33134387f1a upstream. + +When receiving failed PLCP frames is enabled, there +won't be a rate pointer when we add the radiotap +header and thus the kernel will crash. Fix this by +not assuming the rate pointer is always valid. It's +still always valid for frames that have good PLCP +though, and that is checked & enforced. + +This was broken by my +commit fc88518916793af8ad6a02e05ff254d95c36d875 +Author: Johannes Berg +Date: Fri Jul 30 13:23:12 2010 +0200 + + mac80211: don't check rates on PLCP error frames + +where I removed the check in this case but didn't +take into account that the rate info would be used. + +Reported-by: Xiaokang Qin +Signed-off-by: Johannes Berg +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rx.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -140,8 +140,9 @@ ieee80211_add_rx_radiotap_header(struct + pos++; + + /* IEEE80211_RADIOTAP_RATE */ +- if (status->flag & RX_FLAG_HT) { ++ if (!rate || status->flag & RX_FLAG_HT) { + /* ++ * Without rate information don't add it. If we have, + * MCS information is a separate field in radiotap, + * added below. The byte here is needed as padding + * for the channel though, so initialise it to 0. +@@ -162,12 +163,14 @@ ieee80211_add_rx_radiotap_header(struct + else if (status->flag & RX_FLAG_HT) + put_unaligned_le16(IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ, + pos); +- else if (rate->flags & IEEE80211_RATE_ERP_G) ++ else if (rate && rate->flags & IEEE80211_RATE_ERP_G) + put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ, + pos); +- else ++ else if (rate) + put_unaligned_le16(IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ, + pos); ++ else ++ put_unaligned_le16(IEEE80211_CHAN_2GHZ, pos); + pos += 2; + + /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */ diff --git a/queue-3.0/net-libertas-resolve-memory-leak-in-if_spi_host_to_card.patch b/queue-3.0/net-libertas-resolve-memory-leak-in-if_spi_host_to_card.patch new file mode 100644 index 00000000000..e19c0d2f0fa --- /dev/null +++ b/queue-3.0/net-libertas-resolve-memory-leak-in-if_spi_host_to_card.patch @@ -0,0 +1,32 @@ +From fe09b32a4361bea44169b2063e8c867cabb6a8ba Mon Sep 17 00:00:00 2001 +From: Jesper Juhl +Date: Sun, 13 Nov 2011 22:14:32 +0100 +Subject: Net, libertas: Resolve memory leak in if_spi_host_to_card() + +From: Jesper Juhl + +commit fe09b32a4361bea44169b2063e8c867cabb6a8ba upstream. + +If we hit the default case in the switch in if_spi_host_to_card() we'll leak +the memory we allocated for 'packet'. This patch resolves the leak by freeing +the allocated memory in that case. + +Signed-off-by: Jesper Juhl +Acked-by: Dan Williams +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/libertas/if_spi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/libertas/if_spi.c ++++ b/drivers/net/wireless/libertas/if_spi.c +@@ -997,6 +997,7 @@ static int if_spi_host_to_card(struct lb + spin_unlock_irqrestore(&card->buffer_lock, flags); + break; + default: ++ kfree(packet); + netdev_err(priv->dev, "can't transfer buffer of type %d\n", + type); + err = -EINVAL; diff --git a/queue-3.0/nl80211-fix-ht-capability-attribute-validation.patch b/queue-3.0/nl80211-fix-ht-capability-attribute-validation.patch new file mode 100644 index 00000000000..00774d18b81 --- /dev/null +++ b/queue-3.0/nl80211-fix-ht-capability-attribute-validation.patch @@ -0,0 +1,34 @@ +From 6c7394197af90f6a332180e33f5d025d3037d883 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Thu, 3 Nov 2011 09:27:01 +0100 +Subject: nl80211: fix HT capability attribute validation + +From: Johannes Berg + +commit 6c7394197af90f6a332180e33f5d025d3037d883 upstream. + +Since the NL80211_ATTR_HT_CAPABILITY attribute is +used as a struct, it needs a minimum, not maximum +length. Enforce that properly. Not doing so could +potentially lead to reading after the buffer. + +Signed-off-by: Johannes Berg +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/nl80211.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -126,8 +126,7 @@ static const struct nla_policy nl80211_p + [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED }, + [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG }, + +- [NL80211_ATTR_HT_CAPABILITY] = { .type = NLA_BINARY, +- .len = NL80211_HT_CAPABILITY_LEN }, ++ [NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN }, + + [NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 }, + [NL80211_ATTR_IE] = { .type = NLA_BINARY, diff --git a/queue-3.0/pm-driver-core-disable-device-s-runtime-pm-during-shutdown.patch b/queue-3.0/pm-driver-core-disable-device-s-runtime-pm-during-shutdown.patch new file mode 100644 index 00000000000..405abc93994 --- /dev/null +++ b/queue-3.0/pm-driver-core-disable-device-s-runtime-pm-during-shutdown.patch @@ -0,0 +1,50 @@ +From af8db1508f2c9f3b6e633e2d2d906c6557c617f9 Mon Sep 17 00:00:00 2001 +From: Peter Chen +Date: Tue, 15 Nov 2011 21:52:29 +0100 +Subject: PM / driver core: disable device's runtime PM during shutdown + +From: Peter Chen + +commit af8db1508f2c9f3b6e633e2d2d906c6557c617f9 upstream. + +There may be an issue when the user issue "reboot/shutdown" command, then +the device has shut down its hardware, after that, this runtime-pm featured +device's driver will probably be scheduled to do its suspend routine, +and at its suspend routine, it may access hardware, but the device has +already shutdown physically, then the system hang may be occurred. + +I ran out this issue using an auto-suspend supported USB devices, like +3G modem, keyboard. The usb runtime suspend routine may be scheduled +after the usb controller has been shut down, and the usb runtime suspend +routine will try to suspend its roothub(controller), it will access +register, then the system hang occurs as the controller is shutdown. + +Signed-off-by: Peter Chen +Acked-by: Ming Lei +Acked-by: Greg Kroah-Hartman +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + #include "base.h" + #include "power/power.h" +@@ -1742,6 +1743,8 @@ void device_shutdown(void) + */ + list_del_init(&dev->kobj.entry); + spin_unlock(&devices_kset->list_lock); ++ /* Disable all device's runtime power management */ ++ pm_runtime_disable(dev); + + if (dev->bus && dev->bus->shutdown) { + dev_dbg(dev, "shutdown\n"); diff --git a/queue-3.0/rt2x00-fix-sleep-while-atomic-bug-in-powersaving-code.patch b/queue-3.0/rt2x00-fix-sleep-while-atomic-bug-in-powersaving-code.patch new file mode 100644 index 00000000000..39d48baa510 --- /dev/null +++ b/queue-3.0/rt2x00-fix-sleep-while-atomic-bug-in-powersaving-code.patch @@ -0,0 +1,92 @@ +From ed66ba472a742cd8df37d7072804b2111cdb1014 Mon Sep 17 00:00:00 2001 +From: Gertjan van Wingerde +Date: Sat, 12 Nov 2011 19:10:44 +0100 +Subject: rt2x00: Fix sleep-while-atomic bug in powersaving code. + +From: Gertjan van Wingerde + +commit ed66ba472a742cd8df37d7072804b2111cdb1014 upstream. + +The generic powersaving code that determines after reception of a frame +whether the device should go back to sleep or whether is could stay +awake was calling rt2x00lib_config directly from RX tasklet context. +On a number of the devices this call can actually sleep, due to having +to confirm that the sleeping commands have been executed successfully. + +Fix this by moving the call to rt2x00lib_config to a workqueue call. + +This fixes bug https://bugzilla.redhat.com/show_bug.cgi?id=731672 + +Tested-by: Tomas Trnka +Signed-off-by: Gertjan van Wingerde +Acked-by: Ivo van Doorn +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rt2x00/rt2x00.h | 1 + + drivers/net/wireless/rt2x00/rt2x00dev.c | 22 ++++++++++++++++++++-- + 2 files changed, 21 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/rt2x00/rt2x00.h ++++ b/drivers/net/wireless/rt2x00/rt2x00.h +@@ -922,6 +922,7 @@ struct rt2x00_dev { + * Powersaving work + */ + struct delayed_work autowakeup_work; ++ struct work_struct sleep_work; + + /* + * Data queue arrays for RX, TX, Beacon and ATIM. +--- a/drivers/net/wireless/rt2x00/rt2x00dev.c ++++ b/drivers/net/wireless/rt2x00/rt2x00dev.c +@@ -449,6 +449,23 @@ static u8 *rt2x00lib_find_ie(u8 *data, u + return NULL; + } + ++static void rt2x00lib_sleep(struct work_struct *work) ++{ ++ struct rt2x00_dev *rt2x00dev = ++ container_of(work, struct rt2x00_dev, sleep_work); ++ ++ if (!test_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags)) ++ return; ++ ++ /* ++ * Check again is powersaving is enabled, to prevent races from delayed ++ * work execution. ++ */ ++ if (!test_bit(CONFIG_POWERSAVING, &rt2x00dev->flags)) ++ rt2x00lib_config(rt2x00dev, &rt2x00dev->hw->conf, ++ IEEE80211_CONF_CHANGE_PS); ++} ++ + static void rt2x00lib_rxdone_check_ps(struct rt2x00_dev *rt2x00dev, + struct sk_buff *skb, + struct rxdone_entry_desc *rxdesc) +@@ -496,8 +513,7 @@ static void rt2x00lib_rxdone_check_ps(st + cam |= (tim_ie->bitmap_ctrl & 0x01); + + if (!cam && !test_bit(CONFIG_POWERSAVING, &rt2x00dev->flags)) +- rt2x00lib_config(rt2x00dev, &rt2x00dev->hw->conf, +- IEEE80211_CONF_CHANGE_PS); ++ queue_work(rt2x00dev->workqueue, &rt2x00dev->sleep_work); + } + + static int rt2x00lib_rxdone_read_signal(struct rt2x00_dev *rt2x00dev, +@@ -1108,6 +1124,7 @@ int rt2x00lib_probe_dev(struct rt2x00_de + + INIT_WORK(&rt2x00dev->intf_work, rt2x00lib_intf_scheduled); + INIT_DELAYED_WORK(&rt2x00dev->autowakeup_work, rt2x00lib_autowakeup); ++ INIT_WORK(&rt2x00dev->sleep_work, rt2x00lib_sleep); + + /* + * Let the driver probe the device to detect the capabilities. +@@ -1164,6 +1181,7 @@ void rt2x00lib_remove_dev(struct rt2x00_ + */ + cancel_work_sync(&rt2x00dev->intf_work); + cancel_delayed_work_sync(&rt2x00dev->autowakeup_work); ++ cancel_work_sync(&rt2x00dev->sleep_work); + if (rt2x00_is_usb(rt2x00dev)) { + del_timer_sync(&rt2x00dev->txstatus_timer); + cancel_work_sync(&rt2x00dev->rxdone_work); diff --git a/queue-3.0/series b/queue-3.0/series index a4455377b24..b7f3988bbec 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -4,3 +4,12 @@ hpsa-disable-aspm.patch aacraid-controller-hangs-if-kernel-uses-non-default-aspm-policy.patch saa7164-add-support-for-another-hvr2200-hardware-revision.patch drm-i915-pch-save-restore-pch_port_hotplug-across-suspend.patch +arm-7150-1-allow-kernel-unaligned-accesses-on-armv6.patch +net-libertas-resolve-memory-leak-in-if_spi_host_to_card.patch +rt2x00-fix-sleep-while-atomic-bug-in-powersaving-code.patch +mac80211-fix-null-dereference-in-radiotap-code.patch +mac80211-fix-bug-in-ieee80211_build_probe_req.patch +nl80211-fix-ht-capability-attribute-validation.patch +cfg80211-fix-bug-on-regulatory-core-exit-on-access-to-last_request.patch +ip6_tunnel-copy-parms.name-after-register_netdevice.patch +pm-driver-core-disable-device-s-runtime-pm-during-shutdown.patch -- 2.47.3