.36 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Tue, 7 Dec 2010 21:33:30 +0000 (13:33 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Tue, 7 Dec 2010 21:33:30 +0000 (13:33 -0800)
queue-2.6.36/block-fix-accounting-bug-on-cross-partition-merges.patch [deleted file]
queue-2.6.36/cfg80211-fix-extension-channel-checks-to-initiate-communication.patch [new file with mode: 0644]
queue-2.6.36/econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch [new file with mode: 0644]
queue-2.6.36/econet-fix-cve-2010-3848.patch [new file with mode: 0644]
queue-2.6.36/econet-fix-cve-2010-3850.patch [new file with mode: 0644]
queue-2.6.36/msp3400-fix-mute-audio-regression.patch [new file with mode: 0644]
queue-2.6.36/powerpc-fix-call-to-subpage_protection.patch
queue-2.6.36/qla2xxx-add-module-parameter-to-enable-disable-gff_id-device-type-check.patch [new file with mode: 0644]
queue-2.6.36/rds-integer-overflow-in-rds-cmsg-handling.patch [new file with mode: 0644]
queue-2.6.36/series

diff --git a/queue-2.6.36/block-fix-accounting-bug-on-cross-partition-merges.patch b/queue-2.6.36/block-fix-accounting-bug-on-cross-partition-merges.patch
deleted file mode 100644 (file)
index bc139fe..0000000
+++ /dev/null
@@ -1,287 +0,0 @@
-From 7681bfeeccff5efa9eb29bf09249a3c400b15327 Mon Sep 17 00:00:00 2001
-From: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
-Date: Tue, 19 Oct 2010 09:05:00 +0200
-Subject: block: fix accounting bug on cross partition merges
-
-From: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
-
-commit 7681bfeeccff5efa9eb29bf09249a3c400b15327 upstream.
-
-/proc/diskstats would display a strange output as follows.
-
-$ cat /proc/diskstats |grep sda
-   8       0 sda 90524 7579 102154 20464 0 0 0 0 0 14096 20089
-   8       1 sda1 19085 1352 21841 4209 0 0 0 0 4294967064 15689 4293424691
-                                                ~~~~~~~~~~
-   8       2 sda2 71252 3624 74891 15950 0 0 0 0 232 23995 1562390
-   8       3 sda3 54 487 2188 92 0 0 0 0 0 88 92
-   8       4 sda4 4 0 8 0 0 0 0 0 0 0 0
-   8       5 sda5 81 2027 2130 138 0 0 0 0 0 87 137
-
-Its reason is the wrong way of accounting hd_struct->in_flight. When a bio is
-merged into a request belongs to different partition by ELEVATOR_FRONT_MERGE.
-
-The detailed root cause is as follows.
-
-Assuming that there are two partition, sda1 and sda2.
-
-1. A request for sda2 is in request_queue. Hence sda1's hd_struct->in_flight
-   is 0 and sda2's one is 1.
-
-        | hd_struct->in_flight
-   ---------------------------
-   sda1 |          0
-   sda2 |          1
-   ---------------------------
-
-2. A bio belongs to sda1 is issued and is merged into the request mentioned on
-   step1 by ELEVATOR_BACK_MERGE. The first sector of the request is changed
-   from sda2 region to sda1 region. However the two partition's
-   hd_struct->in_flight are not changed.
-
-        | hd_struct->in_flight
-   ---------------------------
-   sda1 |          0
-   sda2 |          1
-   ---------------------------
-
-3. The request is finished and blk_account_io_done() is called. In this case,
-   sda2's hd_struct->in_flight, not a sda1's one, is decremented.
-
-        | hd_struct->in_flight
-   ---------------------------
-   sda1 |         -1
-   sda2 |          1
-   ---------------------------
-
-The patch fixes the problem by caching the partition lookup
-inside the request structure, hence making sure that the increment
-and decrement will always happen on the same partition struct. This
-also speeds up IO with accounting enabled, since it cuts down on
-the number of lookups we have to do.
-
-When reloading partition tables, quiesce IO to ensure that no
-request references to the partition struct exists. When it is safe
-to free the partition table, the IO for that device is restarted
-again.
-
-Signed-off-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
-Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- block/blk-core.c         |   24 ++++++++++++++++--------
- block/blk-merge.c        |    2 +-
- block/blk.h              |    4 ----
- block/genhd.c            |   14 ++++++++++++++
- fs/partitions/check.c    |   12 ++++++++++++
- include/linux/blkdev.h   |    1 +
- include/linux/elevator.h |    2 ++
- include/linux/genhd.h    |    1 +
- 8 files changed, 47 insertions(+), 13 deletions(-)
-
---- a/block/blk-core.c
-+++ b/block/blk-core.c
-@@ -64,13 +64,15 @@ static void drive_stat_acct(struct reque
-               return;
-       cpu = part_stat_lock();
--      part = disk_map_sector_rcu(rq->rq_disk, blk_rq_pos(rq));
--      if (!new_io)
-+      if (!new_io) {
-+              part = rq->part;
-               part_stat_inc(cpu, part, merges[rw]);
--      else {
-+      } else {
-+              part = disk_map_sector_rcu(rq->rq_disk, blk_rq_pos(rq));
-               part_round_stats(cpu, part);
-               part_inc_in_flight(part, rw);
-+              rq->part = part;
-       }
-       part_stat_unlock();
-@@ -128,6 +130,7 @@ void blk_rq_init(struct request_queue *q
-       rq->ref_count = 1;
-       rq->start_time = jiffies;
-       set_start_time_ns(rq);
-+      rq->part = NULL;
- }
- EXPORT_SYMBOL(blk_rq_init);
-@@ -796,11 +799,16 @@ static struct request *get_request(struc
-       rl->starved[is_sync] = 0;
-       priv = !test_bit(QUEUE_FLAG_ELVSWITCH, &q->queue_flags);
--      if (priv)
-+      if (priv) {
-               rl->elvpriv++;
--      if (blk_queue_io_stat(q))
--              rw_flags |= REQ_IO_STAT;
-+              /*
-+               * Don't do stats for non-priv requests
-+               */
-+              if (blk_queue_io_stat(q))
-+                      rw_flags |= REQ_IO_STAT;
-+      }
-+
-       spin_unlock_irq(q->queue_lock);
-       rq = blk_alloc_request(q, rw_flags, priv, gfp_mask);
-@@ -1759,7 +1767,7 @@ static void blk_account_io_completion(st
-               int cpu;
-               cpu = part_stat_lock();
--              part = disk_map_sector_rcu(req->rq_disk, blk_rq_pos(req));
-+              part = req->part;
-               part_stat_add(cpu, part, sectors[rw], bytes >> 9);
-               part_stat_unlock();
-       }
-@@ -1779,7 +1787,7 @@ static void blk_account_io_done(struct r
-               int cpu;
-               cpu = part_stat_lock();
--              part = disk_map_sector_rcu(req->rq_disk, blk_rq_pos(req));
-+              part = req->part;
-               part_stat_inc(cpu, part, ios[rw]);
-               part_stat_add(cpu, part, ticks[rw], duration);
---- a/block/blk-merge.c
-+++ b/block/blk-merge.c
-@@ -343,7 +343,7 @@ static void blk_account_io_merge(struct
-               int cpu;
-               cpu = part_stat_lock();
--              part = disk_map_sector_rcu(req->rq_disk, blk_rq_pos(req));
-+              part = req->part;
-               part_round_stats(cpu, part);
-               part_dec_in_flight(part, rq_data_dir(req));
---- a/block/blk.h
-+++ b/block/blk.h
-@@ -110,10 +110,6 @@ void blk_queue_congestion_threshold(stru
- int blk_dev_init(void);
--void elv_quiesce_start(struct request_queue *q);
--void elv_quiesce_end(struct request_queue *q);
--
--
- /*
-  * Return the threshold (number of used requests) at which the queue is
-  * considered to be congested.  It include a little hysteresis to keep the
---- a/block/genhd.c
-+++ b/block/genhd.c
-@@ -925,8 +925,15 @@ static void disk_free_ptbl_rcu_cb(struct
- {
-       struct disk_part_tbl *ptbl =
-               container_of(head, struct disk_part_tbl, rcu_head);
-+      struct gendisk *disk = ptbl->disk;
-+      struct request_queue *q = disk->queue;
-+      unsigned long flags;
-       kfree(ptbl);
-+
-+      spin_lock_irqsave(q->queue_lock, flags);
-+      elv_quiesce_end(q);
-+      spin_unlock_irqrestore(q->queue_lock, flags);
- }
- /**
-@@ -944,11 +951,17 @@ static void disk_replace_part_tbl(struct
-                                 struct disk_part_tbl *new_ptbl)
- {
-       struct disk_part_tbl *old_ptbl = disk->part_tbl;
-+      struct request_queue *q = disk->queue;
-       rcu_assign_pointer(disk->part_tbl, new_ptbl);
-       if (old_ptbl) {
-               rcu_assign_pointer(old_ptbl->last_lookup, NULL);
-+
-+              spin_lock_irq(q->queue_lock);
-+              elv_quiesce_start(q);
-+              spin_unlock_irq(q->queue_lock);
-+
-               call_rcu(&old_ptbl->rcu_head, disk_free_ptbl_rcu_cb);
-       }
- }
-@@ -989,6 +1002,7 @@ int disk_expand_part_tbl(struct gendisk
-               return -ENOMEM;
-       new_ptbl->len = target;
-+      new_ptbl->disk = disk;
-       for (i = 0; i < len; i++)
-               rcu_assign_pointer(new_ptbl->part[i], old_ptbl->part[i]);
---- a/fs/partitions/check.c
-+++ b/fs/partitions/check.c
-@@ -364,17 +364,25 @@ struct device_type part_type = {
- static void delete_partition_rcu_cb(struct rcu_head *head)
- {
-       struct hd_struct *part = container_of(head, struct hd_struct, rcu_head);
-+      struct gendisk *disk = part_to_disk(part);
-+      struct request_queue *q = disk->queue;
-+      unsigned long flags;
-       part->start_sect = 0;
-       part->nr_sects = 0;
-       part_stat_set_all(part, 0);
-       put_device(part_to_dev(part));
-+
-+      spin_lock_irqsave(q->queue_lock, flags);
-+      elv_quiesce_end(q);
-+      spin_unlock_irqrestore(q->queue_lock, flags);
- }
- void delete_partition(struct gendisk *disk, int partno)
- {
-       struct disk_part_tbl *ptbl = disk->part_tbl;
-       struct hd_struct *part;
-+      struct request_queue *q = disk->queue;
-       if (partno >= ptbl->len)
-               return;
-@@ -389,6 +397,10 @@ void delete_partition(struct gendisk *di
-       kobject_put(part->holder_dir);
-       device_del(part_to_dev(part));
-+      spin_lock_irq(q->queue_lock);
-+      elv_quiesce_start(q);
-+      spin_unlock_irq(q->queue_lock);
-+
-       call_rcu(&part->rcu_head, delete_partition_rcu_cb);
- }
---- a/include/linux/blkdev.h
-+++ b/include/linux/blkdev.h
-@@ -115,6 +115,7 @@ struct request {
-       void *elevator_private3;
-       struct gendisk *rq_disk;
-+      struct hd_struct *part;
-       unsigned long start_time;
- #ifdef CONFIG_BLK_CGROUP
-       unsigned long long start_time_ns;
---- a/include/linux/elevator.h
-+++ b/include/linux/elevator.h
-@@ -122,6 +122,8 @@ extern void elv_completed_request(struct
- extern int elv_set_request(struct request_queue *, struct request *, gfp_t);
- extern void elv_put_request(struct request_queue *, struct request *);
- extern void elv_drain_elevator(struct request_queue *);
-+extern void elv_quiesce_start(struct request_queue *);
-+extern void elv_quiesce_end(struct request_queue *);
- /*
-  * io scheduler registration
---- a/include/linux/genhd.h
-+++ b/include/linux/genhd.h
-@@ -130,6 +130,7 @@ struct disk_part_tbl {
-       struct rcu_head rcu_head;
-       int len;
-       struct hd_struct *last_lookup;
-+      struct gendisk *disk;
-       struct hd_struct *part[];
- };
diff --git a/queue-2.6.36/cfg80211-fix-extension-channel-checks-to-initiate-communication.patch b/queue-2.6.36/cfg80211-fix-extension-channel-checks-to-initiate-communication.patch
new file mode 100644 (file)
index 0000000..431824b
--- /dev/null
@@ -0,0 +1,98 @@
+From 9236d838c920e90708570d9bbd7bb82d30a38130 Mon Sep 17 00:00:00 2001
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+Date: Fri, 12 Nov 2010 16:31:23 -0800
+Subject: cfg80211: fix extension channel checks to initiate communication
+
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+
+commit 9236d838c920e90708570d9bbd7bb82d30a38130 upstream.
+
+When operating in a mode that initiates communication and using
+HT40 we should fail if we cannot use both primary and secondary
+channels to initiate communication. Our current ht40 allowmap
+only covers STA mode of operation, for beaconing modes we need
+a check on the fly as the mode of operation is dynamic and
+there other flags other than disable which we should read
+to check if we can initiate communication.
+
+Do not allow for initiating communication if our secondary HT40
+channel has is either disabled, has a passive scan flag, a
+no-ibss flag or is a radar channel. Userspace now has similar
+checks but this is also needed in-kernel.
+
+Reported-by: Jouni Malinen <jouni.malinen@atheros.com>
+Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/wireless/chan.c |   51 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 51 insertions(+)
+
+--- a/net/wireless/chan.c
++++ b/net/wireless/chan.c
+@@ -44,6 +44,36 @@ rdev_freq_to_chan(struct cfg80211_regist
+       return chan;
+ }
++static bool can_beacon_sec_chan(struct wiphy *wiphy,
++                              struct ieee80211_channel *chan,
++                              enum nl80211_channel_type channel_type)
++{
++      struct ieee80211_channel *sec_chan;
++      int diff;
++
++      switch (channel_type) {
++      case NL80211_CHAN_HT40PLUS:
++              diff = 20;
++      case NL80211_CHAN_HT40MINUS:
++              diff = -20;
++      default:
++              return false;
++      }
++
++      sec_chan = ieee80211_get_channel(wiphy, chan->center_freq + diff);
++      if (!sec_chan)
++              return false;
++
++      /* we'll need a DFS capability later */
++      if (sec_chan->flags & (IEEE80211_CHAN_DISABLED |
++                             IEEE80211_CHAN_PASSIVE_SCAN |
++                             IEEE80211_CHAN_NO_IBSS |
++                             IEEE80211_CHAN_RADAR))
++              return false;
++
++      return true;
++}
++
+ int cfg80211_set_freq(struct cfg80211_registered_device *rdev,
+                     struct wireless_dev *wdev, int freq,
+                     enum nl80211_channel_type channel_type)
+@@ -68,6 +98,27 @@ int cfg80211_set_freq(struct cfg80211_re
+       if (!chan)
+               return -EINVAL;
++      /* Both channels should be able to initiate communication */
++      if (wdev && (wdev->iftype == NL80211_IFTYPE_ADHOC ||
++                   wdev->iftype == NL80211_IFTYPE_AP ||
++                   wdev->iftype == NL80211_IFTYPE_AP_VLAN ||
++                   wdev->iftype == NL80211_IFTYPE_MESH_POINT)) {
++              switch (channel_type) {
++              case NL80211_CHAN_HT40PLUS:
++              case NL80211_CHAN_HT40MINUS:
++                      if (!can_beacon_sec_chan(&rdev->wiphy, chan,
++                                               channel_type)) {
++                              printk(KERN_DEBUG
++                                     "cfg80211: Secondary channel not "
++                                     "allowed to initiate communication\n");
++                              return -EINVAL;
++                      }
++                      break;
++              default:
++                      break;
++              }
++      }
++
+       result = rdev->ops->set_channel(&rdev->wiphy,
+                                       wdev ? wdev->netdev : NULL,
+                                       chan, channel_type);
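Review bot: The switch in the new can_beacon_sec_chan() has no break statements, so both the NL80211_CHAN_HT40PLUS and NL80211_CHAN_HT40MINUS cases fall through into `default: return false;` and every HT40 request from an AP, AP_VLAN, IBSS or mesh interface is rejected before the secondary channel is even looked up — the check is far stricter than the commit message describes. Add `break;` after `diff = 20;` and after `diff = -20;` so that `ieee80211_get_channel(wiphy, chan->center_freq + diff)` and the flag test below it are actually reached; a `-Wimplicit-fallthrough` build would have flagged this. The caller cfg80211_set_freq() continues past the end of this hunk.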
diff --git a/queue-2.6.36/econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch b/queue-2.6.36/econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
new file mode 100644 (file)
index 0000000..0382d9c
--- /dev/null
@@ -0,0 +1,62 @@
+From fa0e846494792e722d817b9d3d625a4ef4896c96 Mon Sep 17 00:00:00 2001
+From: Phil Blundell <philb@gnu.org>
+Date: Wed, 24 Nov 2010 11:49:19 -0800
+Subject: econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
+
+From: Phil Blundell <philb@gnu.org>
+
+commit fa0e846494792e722d817b9d3d625a4ef4896c96 upstream.
+
+Later parts of econet_sendmsg() rely on saddr != NULL, so return early
+with EINVAL if NULL was passed otherwise an oops may occur.
+
+Signed-off-by: Phil Blundell <philb@gnu.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/econet/af_econet.c |   26 ++++++++------------------
+ 1 file changed, 8 insertions(+), 18 deletions(-)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -297,23 +297,14 @@ static int econet_sendmsg(struct kiocb *
+       mutex_lock(&econet_mutex);
+-      if (saddr == NULL) {
+-              struct econet_sock *eo = ec_sk(sk);
+-
+-              addr.station = eo->station;
+-              addr.net     = eo->net;
+-              port         = eo->port;
+-              cb           = eo->cb;
+-      } else {
+-              if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
+-                      mutex_unlock(&econet_mutex);
+-                      return -EINVAL;
+-              }
+-              addr.station = saddr->addr.station;
+-              addr.net = saddr->addr.net;
+-              port = saddr->port;
+-              cb = saddr->cb;
+-      }
++        if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
++                mutex_unlock(&econet_mutex);
++                return -EINVAL;
++        }
++        addr.station = saddr->addr.station;
++        addr.net = saddr->addr.net;
++        port = saddr->port;
++        cb = saddr->cb;
+       /* Look for a device with the right network number. */
+       dev = net2dev_map[addr.net];
+@@ -351,7 +342,6 @@ static int econet_sendmsg(struct kiocb *
+               eb = (struct ec_cb *)&skb->cb;
+-              /* BUG: saddr may be NULL */
+               eb->cookie = saddr->cookie;
+               eb->sec = *saddr;
+               eb->sent = ec_tx_done;
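Review bot: The replacement block (`if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec))` through `cb = saddr->cb;`) is indented with spaces while the surrounding econet_sendmsg() lines use tabs, so it will not match kernel style and will trip checkpatch; reindent it with tabs. It would also help a later reader to say why the connected-socket fallback was dropped rather than fixed, since the AUN path below does `eb->sec = *saddr;` and needs the full sockaddr_ec, which the socket's stored station/net/port presumably cannot supply — a one-line comment such as `/* AUN transmit copies *saddr wholesale below, so a NULL name cannot be substituted from ec_sk(sk) */` above the check would record that. econet_sendmsg() begins and ends outside this hunk.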
diff --git a/queue-2.6.36/econet-fix-cve-2010-3848.patch b/queue-2.6.36/econet-fix-cve-2010-3848.patch
new file mode 100644 (file)
index 0000000..5af7858
--- /dev/null
@@ -0,0 +1,154 @@
+From a27e13d370415add3487949c60810e36069a23a6 Mon Sep 17 00:00:00 2001
+From: Phil Blundell <philb@gnu.org>
+Date: Wed, 24 Nov 2010 11:51:47 -0800
+Subject: econet: fix CVE-2010-3848
+
+From: Phil Blundell <philb@gnu.org>
+
+commit a27e13d370415add3487949c60810e36069a23a6 upstream.
+
+Don't declare variable sized array of iovecs on the stack since this
+could cause stack overflow if msg->msgiovlen is large.  Instead, coalesce
+the user-supplied data into a new buffer and use a single iovec for it.
+
+Signed-off-by: Phil Blundell <philb@gnu.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/econet/af_econet.c |   62 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 31 insertions(+), 31 deletions(-)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -31,6 +31,7 @@
+ #include <linux/skbuff.h>
+ #include <linux/udp.h>
+ #include <linux/slab.h>
++#include <linux/vmalloc.h>
+ #include <net/sock.h>
+ #include <net/inet_common.h>
+ #include <linux/stat.h>
+@@ -276,12 +277,12 @@ static int econet_sendmsg(struct kiocb *
+ #endif
+ #ifdef CONFIG_ECONET_AUNUDP
+       struct msghdr udpmsg;
+-      struct iovec iov[msg->msg_iovlen+1];
++      struct iovec iov[2];
+       struct aunhdr ah;
+       struct sockaddr_in udpdest;
+       __kernel_size_t size;
+-      int i;
+       mm_segment_t oldfs;
++      char *userbuf;
+ #endif
+       /*
+@@ -319,17 +320,17 @@ static int econet_sendmsg(struct kiocb *
+               }
+       }
+-      if (len + 15 > dev->mtu) {
+-              mutex_unlock(&econet_mutex);
+-              return -EMSGSIZE;
+-      }
+-
+       if (dev->type == ARPHRD_ECONET) {
+               /* Real hardware Econet.  We're not worthy etc. */
+ #ifdef CONFIG_ECONET_NATIVE
+               unsigned short proto = 0;
+               int res;
++              if (len + 15 > dev->mtu) {
++                      mutex_unlock(&econet_mutex);
++                      return -EMSGSIZE;
++              }
++
+               dev_hold(dev);
+               skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
+@@ -405,6 +406,11 @@ static int econet_sendmsg(struct kiocb *
+               return -ENETDOWN;               /* No socket - can't send */
+       }
++      if (len > 32768) {
++              err = -E2BIG;
++              goto error;
++      }
++
+       /* Make up a UDP datagram and hand it off to some higher intellect. */
+       memset(&udpdest, 0, sizeof(udpdest));
+@@ -436,36 +442,26 @@ static int econet_sendmsg(struct kiocb *
+       /* tack our header on the front of the iovec */
+       size = sizeof(struct aunhdr);
+-      /*
+-       * XXX: that is b0rken.  We can't mix userland and kernel pointers
+-       * in iovec, since on a lot of platforms copy_from_user() will
+-       * *not* work with the kernel and userland ones at the same time,
+-       * regardless of what we do with set_fs().  And we are talking about
+-       * econet-over-ethernet here, so "it's only ARM anyway" doesn't
+-       * apply.  Any suggestions on fixing that code?         -- AV
+-       */
+       iov[0].iov_base = (void *)&ah;
+       iov[0].iov_len = size;
+-      for (i = 0; i < msg->msg_iovlen; i++) {
+-              void __user *base = msg->msg_iov[i].iov_base;
+-              size_t iov_len = msg->msg_iov[i].iov_len;
+-              /* Check it now since we switch to KERNEL_DS later. */
+-              if (!access_ok(VERIFY_READ, base, iov_len)) {
+-                      mutex_unlock(&econet_mutex);
+-                      return -EFAULT;
+-              }
+-              iov[i+1].iov_base = base;
+-              iov[i+1].iov_len = iov_len;
+-              size += iov_len;
++
++      userbuf = vmalloc(len);
++      if (userbuf == NULL) {
++              err = -ENOMEM;
++              goto error;
+       }
++      iov[1].iov_base = userbuf;
++      iov[1].iov_len = len;
++      err = memcpy_fromiovec(userbuf, msg->msg_iov, len);
++      if (err)
++              goto error_free_buf;
++
+       /* Get a skbuff (no data, just holds our cb information) */
+       if ((skb = sock_alloc_send_skb(sk, 0,
+                                      msg->msg_flags & MSG_DONTWAIT,
+-                                     &err)) == NULL) {
+-              mutex_unlock(&econet_mutex);
+-              return err;
+-      }
++                                     &err)) == NULL)
++              goto error_free_buf;
+       eb = (struct ec_cb *)&skb->cb;
+@@ -481,7 +477,7 @@ static int econet_sendmsg(struct kiocb *
+       udpmsg.msg_name = (void *)&udpdest;
+       udpmsg.msg_namelen = sizeof(udpdest);
+       udpmsg.msg_iov = &iov[0];
+-      udpmsg.msg_iovlen = msg->msg_iovlen + 1;
++      udpmsg.msg_iovlen = 2;
+       udpmsg.msg_control = NULL;
+       udpmsg.msg_controllen = 0;
+       udpmsg.msg_flags=0;
+@@ -489,9 +485,13 @@ static int econet_sendmsg(struct kiocb *
+       oldfs = get_fs(); set_fs(KERNEL_DS);    /* More privs :-) */
+       err = sock_sendmsg(udpsock, &udpmsg, size);
+       set_fs(oldfs);
++
++error_free_buf:
++      vfree(userbuf);
+ #else
+       err = -EPROTOTYPE;
+ #endif
++      error:
+       mutex_unlock(&econet_mutex);
+       return err;
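Review bot: `size` is never increased by `len` in the new code: the removed loop did `size += iov_len` per user iovec, but after the change `size` stays at `sizeof(struct aunhdr)` while iov[1] carries `len` bytes, and that same `size` is what `sock_sendmsg(udpsock, &udpmsg, size)` receives, so only the AUN header would be handed to the UDP socket and the payload silently truncated — unless `size` is adjusted somewhere outside this hunk. Add `size += len;` after `iov[1].iov_len = len;`. The new `if (len > 32768)` bound should be a named constant with a comment stating where the limit comes from, and the `error:` label is indented with a tab where kernel style puts labels at column 0. econet_sendmsg() begins and ends outside this hunk.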
diff --git a/queue-2.6.36/econet-fix-cve-2010-3850.patch b/queue-2.6.36/econet-fix-cve-2010-3850.patch
new file mode 100644 (file)
index 0000000..08d9904
--- /dev/null
@@ -0,0 +1,31 @@
+From 16c41745c7b92a243d0874f534c1655196c64b74 Mon Sep 17 00:00:00 2001
+From: Phil Blundell <philb@gnu.org>
+Date: Wed, 24 Nov 2010 11:49:53 -0800
+Subject: econet: fix CVE-2010-3850
+
+From: Phil Blundell <philb@gnu.org>
+
+commit 16c41745c7b92a243d0874f534c1655196c64b74 upstream.
+
+Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation.
+
+Signed-off-by: Phil Blundell <philb@gnu.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/econet/af_econet.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -661,6 +661,9 @@ static int ec_dev_ioctl(struct socket *s
+       err = 0;
+       switch (cmd) {
+       case SIOCSIFADDR:
++              if (!capable(CAP_NET_ADMIN))
++                      return -EPERM;
++
+               edev = dev->ec_ptr;
+               if (edev == NULL) {
+                       /* Magic up a new one. */
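Review bot: The added `return -EPERM;` leaves ec_dev_ioctl() from inside the switch, bypassing whatever teardown follows it; the visible `err = 0;` immediately before the switch suggests the function reports its result through `err` and finishes with shared cleanup after the cases. If a mutex or a device reference is taken before the switch (the function's opening is outside this hunk, so this is inferred, not visible), that bare return leaks it every time an unprivileged caller issues SIOCSIFADDR. Preferable is `if (!capable(CAP_NET_ADMIN)) { err = -EPERM; break; }` so the normal exit path runs.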
diff --git a/queue-2.6.36/msp3400-fix-mute-audio-regression.patch b/queue-2.6.36/msp3400-fix-mute-audio-regression.patch
new file mode 100644 (file)
index 0000000..fc2111d
--- /dev/null
@@ -0,0 +1,50 @@
+From 0310871d8f71da4ad8643687fbc40f219a0dac4d Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Sun, 17 Oct 2010 07:24:20 -0300
+Subject: [media] msp3400: fix mute audio regression
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+commit 0310871d8f71da4ad8643687fbc40f219a0dac4d upstream.
+
+The switch to the new control framework caused a regression where the audio was
+no longer unmuted after the carrier scan finished.
+
+The original code attempted to set the volume control to its current value in
+order to have the set-volume control code to be called that handles the volume
+and muting. However, the framework will not call that code unless the new volume
+value is different from the old.
+
+Instead we now call msp_s_ctrl directly.
+
+It is a bit of a hack: we really need a v4l2_ctrl_refresh_ctrl function for this
+(or something along those lines).
+
+Thanks to Andy Walls for bisecting this and to Shane Shrybman for reporting it!
+
+Reported-by: Shane Shrybman <shrybman@teksavvy.com>
+Thanks-to: Andy Walls <awalls@md.metrocast.net>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/msp3400-driver.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/video/msp3400-driver.c
++++ b/drivers/media/video/msp3400-driver.c
+@@ -382,7 +382,12 @@ static int msp_s_ctrl(struct v4l2_ctrl *
+ void msp_update_volume(struct msp_state *state)
+ {
+-      v4l2_ctrl_s_ctrl(state->volume, v4l2_ctrl_g_ctrl(state->volume));
++      /* Force an update of the volume/mute cluster */
++      v4l2_ctrl_lock(state->volume);
++      state->volume->val = state->volume->cur.val;
++      state->muted->val = state->muted->cur.val;
++      msp_s_ctrl(state->volume);
++      v4l2_ctrl_unlock(state->volume);
+ }
+ /* --- v4l2 ioctls --- */
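Review bot: The in-code comment `/* Force an update of the volume/mute cluster */` does not say why msp_s_ctrl() is called directly instead of going through v4l2_ctrl_s_ctrl(); the commit message explains that the framework skips the handler when the value is unchanged, and without that reason in the code the next cleanup is likely to put the one-liner back and reintroduce the mute regression. Suggested wording: `/* v4l2_ctrl_s_ctrl() skips the handler when the value is unchanged, so copy cur.val into val for the volume/mute cluster and call msp_s_ctrl() ourselves; a v4l2_ctrl_refresh_ctrl() helper would be the proper fix */`. Writing `->val` under the control lock also sidesteps the framework's validation, which the commit message already calls a hack — a TODO on that line would keep it visible.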
index 745aaabff108e00886d466414fb3e02a11459cb3..e1ae7553cbf7c766ff1b2ad56529190a3672788b 100644 (file)
@@ -48,11 +48,13 @@ Signed-off-by: Michael Neuling <mikey@neuling.org>
 cc: David Gibson <david@gibson.dropbear.id.au>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
 
-diff --git a/arch/powerpc/mm/hash_utils_64.c b/arch/powerpc/mm/hash_utils_64.c
-index 83f534d..5e95844 100644
+---
+ arch/powerpc/mm/hash_utils_64.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
 --- a/arch/powerpc/mm/hash_utils_64.c
 +++ b/arch/powerpc/mm/hash_utils_64.c
-@@ -1123,7 +1123,7 @@ void hash_preload(struct mm_struct *mm, unsigned long ea,
+@@ -1122,7 +1122,7 @@ void hash_preload(struct mm_struct *mm,
        else
  #endif /* CONFIG_PPC_HAS_HASH_64K */
                rc = __hash_page_4K(ea, access, vsid, ptep, trap, local, ssize,
diff --git a/queue-2.6.36/qla2xxx-add-module-parameter-to-enable-disable-gff_id-device-type-check.patch b/queue-2.6.36/qla2xxx-add-module-parameter-to-enable-disable-gff_id-device-type-check.patch
new file mode 100644 (file)
index 0000000..39f525b
--- /dev/null
@@ -0,0 +1,62 @@
+From 4da26e162b69d89c3186a35a052c05e61a555637 Mon Sep 17 00:00:00 2001
+From: Chad Dupuis <chad.dupuis@qlogic.com>
+Date: Fri, 15 Oct 2010 11:27:40 -0700
+Subject: [SCSI] qla2xxx: Add module parameter to enable/disable GFF_ID device type check.
+
+From: Chad Dupuis <chad.dupuis@qlogic.com>
+
+commit 4da26e162b69d89c3186a35a052c05e61a555637 upstream.
+
+Add the module parameter ql2xgffidenable to disable/enable the use of the
+GFF_ID name server command to prevent non FCP SCSI devices from being added to
+the driver's internal fc_port database.
+
+Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com>
+Signed-off-by: Madhuranath Iyengar <Madhu.Iyengar@qlogic.com>
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/qla2xxx/qla_gbl.h  |    1 +
+ drivers/scsi/qla2xxx/qla_init.c |    5 +++--
+ drivers/scsi/qla2xxx/qla_os.c   |    5 +++++
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_gbl.h
++++ b/drivers/scsi/qla2xxx/qla_gbl.h
+@@ -92,6 +92,7 @@ extern int ql2xshiftctondsd;
+ extern int ql2xdbwr;
+ extern int ql2xdontresethba;
+ extern int ql2xasynctmfenable;
++extern int ql2xgffidenable;
+ extern int ql2xenabledif;
+ extern int ql2xenablehba_err_chk;
+ extern int ql2xtargetreset;
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -3258,8 +3258,9 @@ qla2x00_find_all_fabric_devs(scsi_qla_ho
+                       continue;
+               /* Bypass ports whose FCP-4 type is not FCP_SCSI */
+-              if (new_fcport->fc4_type != FC4_TYPE_FCP_SCSI &&
+-                  new_fcport->fc4_type != FC4_TYPE_UNKNOWN)
++              if (ql2xgffidenable &&
++                  (new_fcport->fc4_type != FC4_TYPE_FCP_SCSI &&
++                  new_fcport->fc4_type != FC4_TYPE_UNKNOWN))
+                       continue;
+               /* Locate matching device in database. */
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -160,6 +160,11 @@ MODULE_PARM_DESC(ql2xtargetreset,
+                "Enable target reset."
+                "Default is 1 - use hw defaults.");
++int ql2xgffidenable;
++module_param(ql2xgffidenable, int, S_IRUGO|S_IRUSR);
++MODULE_PARM_DESC(ql2xgffidenable,
++              "Enables GFF_ID checks of port type. "
++              "Default is 0 - Do not use GFF_ID information.");
+ int ql2xasynctmfenable;
+ module_param(ql2xasynctmfenable, int, S_IRUGO|S_IRUSR);
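Review bot: With `ql2xgffidenable` defaulting to 0, the FCP-4 type filter in qla2x00_find_all_fabric_devs() that used to run unconditionally is now off unless an administrator opts in, but the MODULE_PARM_DESC text does not say what the 0 setting means for discovery. Spell it out, e.g. `"Enables GFF_ID checks of port type. Default is 0 - Do not use GFF_ID information (non-FCP-SCSI ports are added to the fc_port database)."`, so the behaviour change is documented where users will look. `S_IRUGO|S_IRUSR` is redundant since S_IRUGO already includes S_IRUSR; it mirrors the neighbouring ql2xasynctmfenable declaration, so this is a pre-existing style nit rather than a defect.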
diff --git a/queue-2.6.36/rds-integer-overflow-in-rds-cmsg-handling.patch b/queue-2.6.36/rds-integer-overflow-in-rds-cmsg-handling.patch
new file mode 100644 (file)
index 0000000..814900f
--- /dev/null
@@ -0,0 +1,36 @@
+From 218854af84038d828a32f061858b1902ed2beec6 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Wed, 17 Nov 2010 06:37:16 +0000
+Subject: rds: Integer overflow in RDS cmsg handling
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 218854af84038d828a32f061858b1902ed2beec6 upstream.
+
+In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
+restricted to less than UINT_MAX.  This seems to need a tighter upper
+bound, since the calculation of total iov_size can overflow, resulting
+in a small sock_kmalloc() allocation.  This would probably just result
+in walking off the heap and crashing when calling rds_rdma_pages() with
+a high count value.  If it somehow doesn't crash here, then memory
+corruption could occur soon after.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/rds/rdma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -474,7 +474,7 @@ static struct rds_rdma_op *rds_rdma_prep
+               goto out;
+       }
+-      if (args->nr_local > (u64)UINT_MAX) {
++      if (args->nr_local > UIO_MAXIOV) {
+               ret = -EMSGSIZE;
+               goto out;
+       }
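Review bot: The new bound `args->nr_local > UIO_MAXIOV` is doing overflow prevention rather than expressing a protocol limit, and nothing in the code says so; a comment such as `/* bound nr_local so nr_local * sizeof(struct rds_iovec) cannot overflow the iov_size computation below */` would stop a later reader from loosening it. Note that `nr_local == 0` still passes this check; if the code after the hunk multiplies it into a sock_kmalloc() size, a zero-length allocation results, which may or may not be what rds_rdma_prep() wants — that part of the function is outside the hunk, so it is worth confirming. rds_rdma_prep() begins and ends outside this hunk.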
index 209555ce287df1b805bf4609fc5aa06e2a468354..7490bca4af89518f4099b46b15f33d44048119c4 100644 (file)
@@ -1,5 +1,4 @@
 block-ensure-physical-block-size-is-unsigned-int.patch
-block-fix-accounting-bug-on-cross-partition-merges.patch
 block-fix-race-during-disk-initialization.patch
 block-limit-vec-count-in-bio_kmalloc-and-bio_alloc_map_data.patch
 block-take-care-not-to-overflow-when-calculating-total-iov-length.patch
@@ -273,3 +272,10 @@ can-bcm-fix-minor-heap-overflow.patch
 x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch
 crypto-padlock-fix-aes-cbc-handling-on-odd-block-sized-input.patch
 ext4-fix-null-pointer-dereference-in-print_daily_error_info.patch
+econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
+econet-fix-cve-2010-3850.patch
+econet-fix-cve-2010-3848.patch
+rds-integer-overflow-in-rds-cmsg-handling.patch
+cfg80211-fix-extension-channel-checks-to-initiate-communication.patch
+qla2xxx-add-module-parameter-to-enable-disable-gff_id-device-type-check.patch
+msp3400-fix-mute-audio-regression.patch