--- /dev/null
+From a2b76b3b31568da9d281a393845f17689594ccdf Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 29 Mar 2011 06:29:37 -0700
+Subject: iwlwifi: fix bugs in change_interface
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit a2b76b3b31568da9d281a393845f17689594ccdf upstream.
+
+If change_interface gets invoked during a firmware
+restart, it may crash; prevent that from happening
+by checking if ctx->vif is assigned.
+
+Additionally, in my initial commit I forgot to set
+the vif->p2p variable correctly, so fix that too.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/iwlwifi/iwl-core.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-core.c
++++ b/drivers/net/wireless/iwlwifi/iwl-core.c
+@@ -1879,6 +1879,15 @@ int iwl_mac_change_interface(struct ieee
+
+ mutex_lock(&priv->mutex);
+
++ if (!ctx->vif || !iwl_is_ready_rf(priv)) {
++ /*
++ * Huh? But wait ... this can maybe happen when
++ * we're in the middle of a firmware restart!
++ */
++ err = -EBUSY;
++ goto out;
++ }
++
+ interface_modes = ctx->interface_modes | ctx->exclusive_interface_modes;
+
+ if (!(interface_modes & BIT(newtype))) {
+@@ -1906,6 +1915,7 @@ int iwl_mac_change_interface(struct ieee
+ /* success */
+ iwl_teardown_interface(priv, vif, true);
+ vif->type = newtype;
++ vif->p2p = newp2p;
+ err = iwl_setup_interface(priv, ctx);
+ WARN_ON(err);
+ /*
--- /dev/null
+From 5f4e206666f834340b69ddb43f86de3851c8675a Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Tue, 17 May 2011 22:13:23 -0400
+Subject: libata: Use Maximum Write Same Length to report discard size
+ limit
+
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+
+commit 5f4e206666f834340b69ddb43f86de3851c8675a upstream.
+
+Previously we used Maximum Unmap LBA Count in the Block Limits VPD to
+signal the maximum number of sectors we could handle in a single Write
+Same command.
+
+Starting with SBC3r26 the Block Limits VPD has an explicit limit on the
+number of blocks in a Write Same. This means we can stop abusing a field
+related to the Unmap command and let our SAT use the proper value in the
+VPD (Maximum Write Same Length).
+
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/libata-scsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -2127,7 +2127,7 @@ static unsigned int ata_scsiop_inq_b0(st
+ * with the unmap bit set.
+ */
+ if (ata_id_has_trim(args->id)) {
+- put_unaligned_be32(65535 * 512 / 8, &rbuf[20]);
++ put_unaligned_be64(65535 * 512 / 8, &rbuf[36]);
+ put_unaligned_be32(1, &rbuf[28]);
+ }
+
--- /dev/null
+From a3836e02ba4c50db958d32d710b226f2408623dc Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 12 May 2011 15:11:37 +0200
+Subject: mac80211: fix a few RCU issues
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit a3836e02ba4c50db958d32d710b226f2408623dc upstream.
+
+A few configuration functions correctly do
+rcu_read_lock() but don't correctly reference
+some pointers protected by RCU. Fix that.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/cfg.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -228,11 +228,11 @@ static int ieee80211_get_key(struct wiph
+ goto out;
+
+ if (pairwise)
+- key = sta->ptk;
++ key = rcu_dereference(sta->ptk);
+ else if (key_idx < NUM_DEFAULT_KEYS)
+- key = sta->gtk[key_idx];
++ key = rcu_dereference(sta->gtk[key_idx]);
+ } else
+- key = sdata->keys[key_idx];
++ key = rcu_dereference(sdata->keys[key_idx]);
+
+ if (!key)
+ goto out;
+@@ -904,8 +904,10 @@ static int ieee80211_change_mpath(struct
+ static void mpath_set_pinfo(struct mesh_path *mpath, u8 *next_hop,
+ struct mpath_info *pinfo)
+ {
+- if (mpath->next_hop)
+- memcpy(next_hop, mpath->next_hop->sta.addr, ETH_ALEN);
++ struct sta_info *next_hop_sta = rcu_dereference(mpath->next_hop);
++
++ if (next_hop_sta)
++ memcpy(next_hop, next_hop_sta->sta.addr, ETH_ALEN);
+ else
+ memset(next_hop, 0, ETH_ALEN);
+
--- /dev/null
+From 0e579d6a8f4aea346da818f13ee71401c125e639 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni.malinen@atheros.com>
+Date: Tue, 3 May 2011 22:45:16 -0700
+Subject: nl80211: Fix set_key regression with some drivers
+
+From: Jouni Malinen <jouni.malinen@atheros.com>
+
+commit 0e579d6a8f4aea346da818f13ee71401c125e639 upstream.
+
+Commit dbd2fd656f2060abfd3a16257f8b51ec60f6d2ed added a mechanism for
+user space to indicate whether a default key is being configured for
+only unicast or only multicast frames instead of all frames. This
+commit added a driver capability flag for indicating whether separate
+default keys are supported and validation of the set_key command based
+on that capability.
+
+However, this single capability flag is not enough to cover possible
+difference based on mode (AP/IBSS/STA) and the way this change was
+introduced resulted in a regression with drivers that do not indicate
+the new capability (i.e.., more or less any non-mac80211 driver using
+cfg80211) when using a recent wpa_supplicant snapshot.
+
+Fix the regression by removing the new check which is not strictly
+speaking needed. The new separate default key functionality is needed
+only for RSN IBSS which has a separate capability indication.
+
+Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/wireless/nl80211.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -1679,14 +1679,6 @@ static int nl80211_set_key(struct sk_buf
+ if (err)
+ goto out;
+
+- if (!(rdev->wiphy.flags &
+- WIPHY_FLAG_SUPPORTS_SEPARATE_DEFAULT_KEYS)) {
+- if (!key.def_uni || !key.def_multi) {
+- err = -EOPNOTSUPP;
+- goto out;
+- }
+- }
+-
+ err = rdev->ops->set_default_key(&rdev->wiphy, dev, key.idx,
+ key.def_uni, key.def_multi);
+
block-always-allocate-genhd-ev-if-check_events-is.patch
mtd-mtdconcat-fix-nand-oob-write.patch
mtd-return-badblockbits-back.patch
+x86-64-bit-fix-copy__user-checks-for-the.patch
+libata-use-maximum-write-same-length-to-report-discard-size.patch
+iwlwifi-fix-bugs-in-change_interface.patch
+nl80211-fix-set_key-regression-with-some-drivers.patch
+mac80211-fix-a-few-rcu-issues.patch
+wire-up-fanotify-syscalls.patch
+wire-up-clock_adjtime-syscall.patch
+wire-up-the-fhandle-syscalls.patch
+wire-up-syncfs-syscall.patch
--- /dev/null
+From c3f957a22eca106bd28136943305b390b4337ebf Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Fri, 15 Apr 2011 08:55:45 -0700
+Subject: [PARISC] wire up clock_adjtime syscall
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit c3f957a22eca106bd28136943305b390b4337ebf upstream.
+
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/parisc/include/asm/unistd.h | 3 ++-
+ arch/parisc/kernel/syscall_table.S | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/include/asm/unistd.h
++++ b/arch/parisc/include/asm/unistd.h
+@@ -816,8 +816,9 @@
+ #define __NR_prlimit64 (__NR_Linux + 321)
+ #define __NR_fanotify_init (__NR_Linux + 322)
+ #define __NR_fanotify_mark (__NR_Linux + 323)
++#define __NR_clock_adjtime (__NR_Linux + 324)
+
+-#define __NR_Linux_syscalls (__NR_fanotify_mark + 1)
++#define __NR_Linux_syscalls (__NR_clock_adjtime + 1)
+
+
+ #define __IGNORE_select /* newselect */
+--- a/arch/parisc/kernel/syscall_table.S
++++ b/arch/parisc/kernel/syscall_table.S
+@@ -422,6 +422,7 @@
+ ENTRY_SAME(prlimit64)
+ ENTRY_SAME(fanotify_init)
+ ENTRY_COMP(fanotify_mark)
++ ENTRY_COMP(clock_adjtime)
+
+ /* Nothing yet */
+
--- /dev/null
+From 1824074b07ee66fa0f714e08579ad85075132d7b Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Fri, 15 Apr 2011 08:55:44 -0700
+Subject: [PARISC] wire up fanotify syscalls
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit 1824074b07ee66fa0f714e08579ad85075132d7b upstream.
+
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/parisc/include/asm/unistd.h | 4 +++-
+ arch/parisc/kernel/sys_parisc32.c | 8 ++++++++
+ arch/parisc/kernel/syscall_table.S | 2 ++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/include/asm/unistd.h
++++ b/arch/parisc/include/asm/unistd.h
+@@ -814,8 +814,10 @@
+ #define __NR_recvmmsg (__NR_Linux + 319)
+ #define __NR_accept4 (__NR_Linux + 320)
+ #define __NR_prlimit64 (__NR_Linux + 321)
++#define __NR_fanotify_init (__NR_Linux + 322)
++#define __NR_fanotify_mark (__NR_Linux + 323)
+
+-#define __NR_Linux_syscalls (__NR_prlimit64 + 1)
++#define __NR_Linux_syscalls (__NR_fanotify_mark + 1)
+
+
+ #define __IGNORE_select /* newselect */
+--- a/arch/parisc/kernel/sys_parisc32.c
++++ b/arch/parisc/kernel/sys_parisc32.c
+@@ -228,3 +228,11 @@ asmlinkage long compat_sys_fallocate(int
+ return sys_fallocate(fd, mode, ((loff_t)offhi << 32) | offlo,
+ ((loff_t)lenhi << 32) | lenlo);
+ }
++
++asmlinkage long compat_sys_fanotify_mark(int fan_fd, int flags, u32 mask_hi,
++ u32 mask_lo, int fd,
++ const char __user *pathname)
++{
++ return sys_fanotify_mark(fan_fd, flags, ((u64)mask_hi << 32) | mask_lo,
++ fd, pathname);
++}
+--- a/arch/parisc/kernel/syscall_table.S
++++ b/arch/parisc/kernel/syscall_table.S
+@@ -420,6 +420,8 @@
+ ENTRY_COMP(recvmmsg)
+ ENTRY_SAME(accept4) /* 320 */
+ ENTRY_SAME(prlimit64)
++ ENTRY_SAME(fanotify_init)
++ ENTRY_COMP(fanotify_mark)
+
+ /* Nothing yet */
+
--- /dev/null
+From 2e7bad5f34b5beed47542490c760ed26574e38ba Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Fri, 15 Apr 2011 08:55:47 -0700
+Subject: [PARISC] wire up syncfs syscall
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit 2e7bad5f34b5beed47542490c760ed26574e38ba upstream.
+
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/parisc/include/asm/unistd.h | 3 ++-
+ arch/parisc/kernel/syscall_table.S | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/include/asm/unistd.h
++++ b/arch/parisc/include/asm/unistd.h
+@@ -819,8 +819,9 @@
+ #define __NR_clock_adjtime (__NR_Linux + 324)
+ #define __NR_name_to_handle_at (__NR_Linux + 325)
+ #define __NR_open_by_handle_at (__NR_Linux + 326)
++#define __NR_syncfs (__NR_Linux + 327)
+
+-#define __NR_Linux_syscalls (__NR_open_by_handle_at + 1)
++#define __NR_Linux_syscalls (__NR_syncfs + 1)
+
+
+ #define __IGNORE_select /* newselect */
+--- a/arch/parisc/kernel/syscall_table.S
++++ b/arch/parisc/kernel/syscall_table.S
+@@ -425,6 +425,7 @@
+ ENTRY_COMP(clock_adjtime)
+ ENTRY_SAME(name_to_handle_at) /* 325 */
+ ENTRY_COMP(open_by_handle_at)
++ ENTRY_SAME(syncfs)
+
+ /* Nothing yet */
+
--- /dev/null
+From a71aae4cec120ee85cf32608fca40a4605461214 Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Fri, 15 Apr 2011 08:55:46 -0700
+Subject: [PARISC] wire up the fhandle syscalls
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit a71aae4cec120ee85cf32608fca40a4605461214 upstream.
+
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/parisc/include/asm/unistd.h | 4 +++-
+ arch/parisc/kernel/syscall_table.S | 2 ++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/include/asm/unistd.h
++++ b/arch/parisc/include/asm/unistd.h
+@@ -817,8 +817,10 @@
+ #define __NR_fanotify_init (__NR_Linux + 322)
+ #define __NR_fanotify_mark (__NR_Linux + 323)
+ #define __NR_clock_adjtime (__NR_Linux + 324)
++#define __NR_name_to_handle_at (__NR_Linux + 325)
++#define __NR_open_by_handle_at (__NR_Linux + 326)
+
+-#define __NR_Linux_syscalls (__NR_clock_adjtime + 1)
++#define __NR_Linux_syscalls (__NR_open_by_handle_at + 1)
+
+
+ #define __IGNORE_select /* newselect */
+--- a/arch/parisc/kernel/syscall_table.S
++++ b/arch/parisc/kernel/syscall_table.S
+@@ -423,6 +423,8 @@
+ ENTRY_SAME(fanotify_init)
+ ENTRY_COMP(fanotify_mark)
+ ENTRY_COMP(clock_adjtime)
++ ENTRY_SAME(name_to_handle_at) /* 325 */
++ ENTRY_COMP(open_by_handle_at)
+
+ /* Nothing yet */
+
--- /dev/null
+From 26afb7c661080ae3f1f13ddf7f0c58c4f931c22b Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Thu, 12 May 2011 16:30:30 +0200
+Subject: x86, 64-bit: Fix copy_[to/from]_user() checks for the
+ userspace address limit
+
+From: Jiri Olsa <jolsa@redhat.com>
+
+commit 26afb7c661080ae3f1f13ddf7f0c58c4f931c22b upstream.
+
+As reported in BZ #30352:
+
+ https://bugzilla.kernel.org/show_bug.cgi?id=30352
+
+there's a kernel bug related to reading the last allowed page on x86_64.
+
+The _copy_to_user() and _copy_from_user() functions use the following
+check for address limit:
+
+ if (buf + size >= limit)
+ fail();
+
+while it should be more permissive:
+
+ if (buf + size > limit)
+ fail();
+
+That's because the size represents the number of bytes being
+read/write from/to buf address AND including the buf address.
+So the copy function will actually never touch the limit
+address even if "buf + size == limit".
+
+Following program fails to use the last page as buffer
+due to the wrong limit check:
+
+ #include <sys/mman.h>
+ #include <sys/socket.h>
+ #include <assert.h>
+
+ #define PAGE_SIZE (4096)
+ #define LAST_PAGE ((void*)(0x7fffffffe000))
+
+ int main()
+ {
+ int fds[2], err;
+ void * ptr = mmap(LAST_PAGE, PAGE_SIZE, PROT_READ | PROT_WRITE,
+ MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
+ assert(ptr == LAST_PAGE);
+ err = socketpair(AF_LOCAL, SOCK_STREAM, 0, fds);
+ assert(err == 0);
+ err = send(fds[0], ptr, PAGE_SIZE, 0);
+ perror("send");
+ assert(err == PAGE_SIZE);
+ err = recv(fds[1], ptr, PAGE_SIZE, MSG_WAITALL);
+ perror("recv");
+ assert(err == PAGE_SIZE);
+ return 0;
+ }
+
+The other place checking the addr limit is the access_ok() function,
+which is working properly. There's just a misleading comment
+for the __range_not_ok() macro - which this patch fixes as well.
+
+The last page of the user-space address range is a guard page and
+Brian Gerst observed that the guard page itself due to an erratum on K8 cpus
+(#121 Sequential Execution Across Non-Canonical Boundary Causes Processor
+Hang).
+
+However, the test code is using the last valid page before the guard page.
+The bug is that the last byte before the guard page can't be read
+because of the off-by-one error. The guard page is left in place.
+
+This bug would normally not show up because the last page is
+part of the process stack and never accessed via syscalls.
+
+Signed-off-by: Jiri Olsa <jolsa@redhat.com>
+Acked-by: Brian Gerst <brgerst@gmail.com>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Link: http://lkml.kernel.org/r/1305210630-7136-1-git-send-email-jolsa@redhat.com
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/include/asm/uaccess.h | 2 +-
+ arch/x86/lib/copy_user_64.S | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -42,7 +42,7 @@
+ * Returns 0 if the range is valid, nonzero otherwise.
+ *
+ * This is equivalent to the following test:
+- * (u33)addr + (u33)size >= (u33)current->addr_limit.seg (u65 for x86_64)
++ * (u33)addr + (u33)size > (u33)current->addr_limit.seg (u65 for x86_64)
+ *
+ * This needs 33-bit (65-bit for x86_64) arithmetic. We have a carry...
+ */
+--- a/arch/x86/lib/copy_user_64.S
++++ b/arch/x86/lib/copy_user_64.S
+@@ -72,7 +72,7 @@ ENTRY(_copy_to_user)
+ addq %rdx,%rcx
+ jc bad_to_user
+ cmpq TI_addr_limit(%rax),%rcx
+- jae bad_to_user
++ ja bad_to_user
+ ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
+ CFI_ENDPROC
+ ENDPROC(_copy_to_user)
+@@ -85,7 +85,7 @@ ENTRY(_copy_from_user)
+ addq %rdx,%rcx
+ jc bad_from_user
+ cmpq TI_addr_limit(%rax),%rcx
+- jae bad_from_user
++ ja bad_from_user
+ ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
+ CFI_ENDPROC
+ ENDPROC(_copy_from_user)
projects / thirdparty / kernel / stable-queue.git / commitdiff
