--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 25 05:40:25 2008
+From: Stefano Brivio <stefano.brivio@polimi.it>
+Date: Fri, 25 Jan 2008 14:29:50 +0100
+Subject: b43legacy: drop packets we are not able to encrypt
+To: stable@kernel.org
+Cc: Michael@hera.kernel.org, linux-wireless@vger.kernel.org, bcm43xx-dev@lists.berlios.de, Buesch <mb@bu3sch.de>
+Message-ID: <20080125142950.3146020a@morte>
+
+From: Stefano Brivio <stefano.brivio@polimi.it>
+
+patch 9eca9a8e81928685b4de00ecef83a7c13c340fc9 in mainline.
+
+We must drop any packets we are not able to encrypt.
+We must not send them unencrypted or with an all-zero-key (which
+basically is the same as unencrypted, from a security point of view).
+
+This might only trigger shortly after resume before mac80211 reassociated
+and reconfigured the keys.
+
+It is safe to drop these packets, as the association they belong to
+is not guaranteed anymore anyway.
+This is a security fix in the sense that it prevents information leakage.
+
+This patch by Michael Buesch has been ported to b43legacy.
+
+Cc: Michael Buesch <mb@bu3sch.de>
+Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/b43legacy/dma.c | 11 ++++++++++-
+ drivers/net/wireless/b43legacy/pio.c | 18 +++++++++++++++---
+ drivers/net/wireless/b43legacy/xmit.c | 15 ++++++++++++---
+ drivers/net/wireless/b43legacy/xmit.h | 2 +-
+ 4 files changed, 38 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/b43legacy/dma.c
++++ b/drivers/net/wireless/b43legacy/dma.c
+@@ -1181,9 +1181,11 @@ static int dma_tx_fragment(struct b43leg
+
+ header = &(ring->txhdr_cache[slot * sizeof(
+ struct b43legacy_txhdr_fw3)]);
+- b43legacy_generate_txhdr(ring->dev, header,
++ err = b43legacy_generate_txhdr(ring->dev, header,
+ skb->data, skb->len, ctl,
+ generate_cookie(ring, slot));
++ if (unlikely(err))
++ return err;
+
+ meta_hdr->dmaaddr = map_descbuffer(ring, (unsigned char *)header,
+ sizeof(struct b43legacy_txhdr_fw3), 1);
+@@ -1282,6 +1284,13 @@ int b43legacy_dma_tx(struct b43legacy_wl
+ B43legacy_BUG_ON(ring->stopped);
+
+ err = dma_tx_fragment(ring, skb, ctl);
++ if (unlikely(err == -ENOKEY)) {
++ /* Drop this packet, as we don't have the encryption key
++ * anymore and must not transmit it unencrypted. */
++ dev_kfree_skb_any(skb);
++ err = 0;
++ goto out_unlock;
++ }
+ if (unlikely(err)) {
+ b43legacyerr(dev->wl, "DMA tx mapping failure\n");
+ goto out_unlock;
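Review bot: The `-ENOKEY` branch in b43legacy_dma_tx frees the skb and returns 0 without leaving any trace, so frames dropped after resume look the same as frames that were sent; the matching branch in pio_tx_packet in pio.c has the same gap. Since the drop is a deliberate security decision, a debug-level message such as `b43legacydbg(dev->wl, "TX: dropping frame, no encryption key\n");` or a drop counter would make it diagnosable. Whether the driver's log helpers are rate limited is not visible here and should be confirmed before logging on the TX path. b43legacy_dma_tx continues outside the hunk.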
+--- a/drivers/net/wireless/b43legacy/pio.c
++++ b/drivers/net/wireless/b43legacy/pio.c
+@@ -181,7 +181,7 @@ union txhdr_union {
+ struct b43legacy_txhdr_fw3 txhdr_fw3;
+ };
+
+-static void pio_tx_write_fragment(struct b43legacy_pioqueue *queue,
++static int pio_tx_write_fragment(struct b43legacy_pioqueue *queue,
+ struct sk_buff *skb,
+ struct b43legacy_pio_txpacket *packet,
+ size_t txhdr_size)
+@@ -189,14 +189,17 @@ static void pio_tx_write_fragment(struct
+ union txhdr_union txhdr_data;
+ u8 *txhdr = NULL;
+ unsigned int octets;
++ int err;
+
+ txhdr = (u8 *)(&txhdr_data.txhdr_fw3);
+
+ B43legacy_WARN_ON(skb_shinfo(skb)->nr_frags != 0);
+- b43legacy_generate_txhdr(queue->dev,
++ err = b43legacy_generate_txhdr(queue->dev,
+ txhdr, skb->data, skb->len,
+ &packet->txstat.control,
+ generate_cookie(queue, packet));
++ if (err)
++ return err;
+
+ tx_start(queue);
+ octets = skb->len + txhdr_size;
+@@ -204,6 +207,8 @@ static void pio_tx_write_fragment(struct
+ octets--;
+ tx_data(queue, txhdr, (u8 *)skb->data, octets);
+ tx_complete(queue, skb);
++
++ return 0;
+ }
+
+ static void free_txpacket(struct b43legacy_pio_txpacket *packet,
+@@ -226,6 +231,7 @@ static int pio_tx_packet(struct b43legac
+ struct b43legacy_pioqueue *queue = packet->queue;
+ struct sk_buff *skb = packet->skb;
+ u16 octets;
++ int err;
+
+ octets = (u16)skb->len + sizeof(struct b43legacy_txhdr_fw3);
+ if (queue->tx_devq_size < octets) {
+@@ -247,8 +253,14 @@ static int pio_tx_packet(struct b43legac
+ if (queue->tx_devq_used + octets > queue->tx_devq_size)
+ return -EBUSY;
+ /* Now poke the device. */
+- pio_tx_write_fragment(queue, skb, packet,
++ err = pio_tx_write_fragment(queue, skb, packet,
+ sizeof(struct b43legacy_txhdr_fw3));
++ if (unlikely(err == -ENOKEY)) {
++ /* Drop this packet, as we don't have the encryption key
++ * anymore and must not transmit it unencrypted. */
++ free_txpacket(packet, 1);
++ return 0;
++ }
+
+ /* Account for the packet size.
+ * (We must not overflow the device TX queue)
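Review bot: pio_tx_packet tests only `err == -ENOKEY` after pio_tx_write_fragment, so any other nonzero return would fall through to the size accounting below as if the frame had been written to the device. In the visible hunks generate_txhdr_fw3 returns only 0 or `-ENOKEY`, so this is latent, but the DMA path in dma.c already handles the general case with a second `if (unlikely(err))`. Treating every failure as a drop, `if (unlikely(err)) { free_txpacket(packet, 1); return 0; }`, keeps a frame whose header was never generated from being counted as sent. The `if (err)` in pio_tx_write_fragment also lacks the `unlikely()` used at the other call sites. pio_tx_packet continues outside the hunk.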
+--- a/drivers/net/wireless/b43legacy/xmit.c
++++ b/drivers/net/wireless/b43legacy/xmit.c
+@@ -181,7 +181,7 @@ static u8 b43legacy_calc_fallback_rate(u
+ return 0;
+ }
+
+-static void generate_txhdr_fw3(struct b43legacy_wldev *dev,
++static int generate_txhdr_fw3(struct b43legacy_wldev *dev,
+ struct b43legacy_txhdr_fw3 *txhdr,
+ const unsigned char *fragment_data,
+ unsigned int fragment_len,
+@@ -252,6 +252,13 @@ static void generate_txhdr_fw3(struct b4
+ iv_len = min((size_t)txctl->iv_len,
+ ARRAY_SIZE(txhdr->iv));
+ memcpy(txhdr->iv, ((u8 *)wlhdr) + wlhdr_len, iv_len);
++ } else {
++ /* This key is invalid. This might only happen
++ * in a short timeframe after machine resume before
++ * we were able to reconfigure keys.
++ * Drop this packet completely. Do not transmit it
++ * unencrypted to avoid leaking information. */
++ return -ENOKEY;
+ }
+ }
+ b43legacy_generate_plcp_hdr((struct b43legacy_plcp_hdr4 *)
+@@ -344,16 +351,18 @@ static void generate_txhdr_fw3(struct b4
+ /* Apply the bitfields */
+ txhdr->mac_ctl = cpu_to_le32(mac_ctl);
+ txhdr->phy_ctl = cpu_to_le16(phy_ctl);
++
++ return 0;
+ }
+
+-void b43legacy_generate_txhdr(struct b43legacy_wldev *dev,
++int b43legacy_generate_txhdr(struct b43legacy_wldev *dev,
+ u8 *txhdr,
+ const unsigned char *fragment_data,
+ unsigned int fragment_len,
+ const struct ieee80211_tx_control *txctl,
+ u16 cookie)
+ {
+- generate_txhdr_fw3(dev, (struct b43legacy_txhdr_fw3 *)txhdr,
++ return generate_txhdr_fw3(dev, (struct b43legacy_txhdr_fw3 *)txhdr,
+ fragment_data, fragment_len,
+ txctl, cookie);
+ }
+--- a/drivers/net/wireless/b43legacy/xmit.h
++++ b/drivers/net/wireless/b43legacy/xmit.h
+@@ -76,7 +76,7 @@ struct b43legacy_txhdr_fw3 {
+
+
+
+-void b43legacy_generate_txhdr(struct b43legacy_wldev *dev,
++int b43legacy_generate_txhdr(struct b43legacy_wldev *dev,
+ u8 *txhdr,
+ const unsigned char *fragment_data,
+ unsigned int fragment_len,
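Review bot: The prototype now returns `int`, but nothing forces a caller to look at the result, and a caller that ignores `-ENOKEY` would go on to transmit a frame whose header generation was aborted. Marking it `int __must_check b43legacy_generate_txhdr(...)` would turn a forgotten check into a compiler warning. A short comment above the declaration, `/* Returns 0, or -ENOKEY if the frame must be dropped because its key is not configured. */`, would state the contract the DMA and PIO callers rely on. The declaration continues outside the hunk.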
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 25 05:42:44 2008
+From: Stefano Brivio <stefano.brivio@polimi.it>
+Date: Fri, 25 Jan 2008 14:32:00 +0100
+Subject: b43legacy: fix DMA slot resource leakage
+To: stable@kernel.org
+Cc: Michael@hera.kernel.org, linux-wireless@vger.kernel.org, bcm43xx-dev@lists.berlios.de, Buesch <mb@bu3sch.de>
+Message-ID: <20080125143200.4a77d304@morte>
+
+From: Stefano Brivio <stefano.brivio@polimi.it>
+
+patch 8dd0100ce9511e52614ecd0a6587c13ce5769c8b in mainline.
+
+This fixes four resource leakages.
+In any error path we must deallocate the DMA frame slots we
+previously allocated by request_slot().
+This is done by storing the ring pointers before doing any ring
+allocation and restoring the old pointers in case of an error.
+
+This patch by Michael Buesch has been ported to b43legacy.
+
+Cc: Michael Buesch <mb@bu3sch.de>
+Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/b43legacy/dma.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/b43legacy/dma.c
++++ b/drivers/net/wireless/b43legacy/dma.c
+@@ -1164,7 +1164,7 @@ static int dma_tx_fragment(struct b43leg
+ {
+ const struct b43legacy_dma_ops *ops = ring->ops;
+ u8 *header;
+- int slot;
++ int slot, old_top_slot, old_used_slots;
+ int err;
+ struct b43legacy_dmadesc_generic *desc;
+ struct b43legacy_dmadesc_meta *meta;
+@@ -1174,6 +1174,9 @@ static int dma_tx_fragment(struct b43leg
+ #define SLOTS_PER_PACKET 2
+ B43legacy_WARN_ON(skb_shinfo(skb)->nr_frags != 0);
+
++ old_top_slot = ring->current_slot;
++ old_used_slots = ring->used_slots;
++
+ /* Get a slot for the header. */
+ slot = request_slot(ring);
+ desc = ops->idx2desc(ring, slot, &meta_hdr);
+@@ -1184,8 +1187,11 @@ static int dma_tx_fragment(struct b43leg
+ err = b43legacy_generate_txhdr(ring->dev, header,
+ skb->data, skb->len, ctl,
+ generate_cookie(ring, slot));
+- if (unlikely(err))
++ if (unlikely(err)) {
++ ring->current_slot = old_top_slot;
++ ring->used_slots = old_used_slots;
+ return err;
++ }
+
+ meta_hdr->dmaaddr = map_descbuffer(ring, (unsigned char *)header,
+ sizeof(struct b43legacy_txhdr_fw3), 1);
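Review bot: The rollback pair `ring->current_slot = old_top_slot; ring->used_slots = old_used_slots;` is written out separately at each of the three failing exits of dma_tx_fragment (here, at the `bounce_skb` allocation failure and at the second `dma_mapping_error` check), so any error path added later that omits it reintroduces the leak. Performing the restore once at a shared error exit would be harder to get wrong; note that this first site uses a bare `return err` rather than one of the `goto` labels. The labels `out_unmap_hdr` and `out_free_bounce` are outside the hunks, so whether they already converge on a single exit could not be checked.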
+@@ -1208,6 +1214,8 @@ static int dma_tx_fragment(struct b43leg
+ if (dma_mapping_error(meta->dmaaddr)) {
+ bounce_skb = __dev_alloc_skb(skb->len, GFP_ATOMIC | GFP_DMA);
+ if (!bounce_skb) {
++ ring->current_slot = old_top_slot;
++ ring->used_slots = old_used_slots;
+ err = -ENOMEM;
+ goto out_unmap_hdr;
+ }
+@@ -1218,6 +1226,8 @@ static int dma_tx_fragment(struct b43leg
+ meta->skb = skb;
+ meta->dmaaddr = map_descbuffer(ring, skb->data, skb->len, 1);
+ if (dma_mapping_error(meta->dmaaddr)) {
++ ring->current_slot = old_top_slot;
++ ring->used_slots = old_used_slots;
+ err = -EIO;
+ goto out_free_bounce;
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 25 05:34:45 2008
+From: Stefano Brivio <stefano.brivio@polimi.it>
+Date: Fri, 25 Jan 2008 14:24:05 +0100
+Subject: b43legacy: fix PIO crash
+To: stable@kernel.org
+Cc: linux-wireless@vger.kernel.org, bcm43xx-dev@lists.berlios.de
+Message-ID: <20080125142405.00429ede@morte>
+
+From: Stefano Brivio <stefano.brivio@polimi.it>
+
+patch 0cd67d48b519c3d8d89d238fab1cf68a5289638a in mainline.
+
+Fix the crash reported below, which seems to happen on bcm4306 rev. 2 devices
+only while using PIO:
+
+Oops: 0000 [#1] PREEMPT
+Modules linked in: b43(F) rfkill(F) led_class(F) input_polldev(F) arc4 b43legacy mac80211 cfg80211 i915 drm snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device ohci1394 ieee1394 ssb pcmcia snd_intel8x0m ehci_hcd uhci_hcd evdev
+
+Pid: 0, comm: swapper Tainted: GF (2.6.24st3 #2)
+EIP: 0060:[<f90f667b>] EFLAGS: 00010002 CPU: 0
+EIP is at b43legacy_pio_handle_txstatus+0xbb/0x210 [b43legacy]
+EAX: 0000049b EBX: f11f8044 ECX: 00000001 EDX: 00000000
+ESI: f1ff8000 EDI: 00000000 EBP: f11f8040 ESP: c04f4ef4
+ DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
+Process swapper (pid: 0, ti=c04f4000 task=c0488300 task.ti=c04b8000)
+Stack: f90f2788 c05009f0 c0500900 000010f7 f1053823 c04f4f24 dfb8e800 00000003
+ f1368000 00000007 00000296 f90f1975 00001000 010c0800 01000000 00000007
+ f90f6391 f11f8000 00000082 c04f4f4a 00000000 00004fd0 10f70000 8c061000
+Call Trace:
+ [<f90f2788>] b43legacy_debugfs_log_txstat+0x48/0xb0 [b43legacy]
+ [<f90f1975>] b43legacy_handle_hwtxstatus+0x75/0x80 [b43legacy]
+ [<f90f6391>] b43legacy_pio_rx+0x201/0x280 [b43legacy]
+ [<f90e4fa3>] b43legacy_interrupt_tasklet+0x2e3/0x870 [b43legacy]
+ [<c0123567>] tasklet_action+0x27/0x60
+ [<c01237b4>] __do_softirq+0x54/0xb0
+ [<c010686b>] do_softirq+0x7b/0xe0
+ [<c01457c0>] handle_level_irq+0x0/0x110
+ [<c01457c0>] handle_level_irq+0x0/0x110
+ [<c0123758>] irq_exit+0x38/0x40
+ [<c0106953>] do_IRQ+0x83/0xd0
+ [<c011812f>] __update_rq_clock+0x4f/0x180
+ [<c0104b4f>] common_interrupt+0x23/0x28
+ [<c011007b>] wakeup_code+0x7b/0xde
+ [<c02b1039>] acpi_processor_idle+0x24a/0x3c9
+ [<c01025c7>] cpu_idle+0x47/0x80
+ [<c04b9ad5>] start_kernel+0x205/0x290
+ [<c04b9360>] unknown_bootoption+0x0/0x1f0
+ =======================
+Code: 0f 00 00 81 fb ff 00 00 00 0f 87 36 01 00 00 8d 04 db 85 ff 8d 6c c6 40 8d 5d 04 0f 85 ef 00 00 00 fe 4e 0e 0f b7 46 0c 8b 53 04 <8b> 4a 50 29 c8 83 e8 52 66 89 46 0c 8b 54 24 14 80 7a 0b 00 74
+EIP: [<f90f667b>] b43legacy_pio_handle_txstatus+0xbb/0x210 [b43legacy] SS:ESP 0068:c04f4ef4
+Kernel panic - not syncing: Fatal exception in interrupt
+
+Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+---
+ drivers/net/wireless/b43legacy/pio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/b43legacy/pio.c
++++ b/drivers/net/wireless/b43legacy/pio.c
+@@ -486,6 +486,9 @@ void b43legacy_pio_handle_txstatus(struc
+ queue = parse_cookie(dev, status->cookie, &packet);
+ B43legacy_WARN_ON(!queue);
+
++ if (!packet->skb)
++ return;
++
+ queue->tx_devq_packets--;
+ queue->tx_devq_used -= (packet->skb->len +
+ sizeof(struct b43legacy_txhdr_fw3));
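Review bot: The added `if (!packet->skb)` dereferences `packet` right after `B43legacy_WARN_ON(!queue)`, which, as far as this hunk shows, only warns and does not stop execution when parse_cookie fails. If `packet` is not set to a valid entry in that case, the new guard itself can fault in interrupt context; `if (unlikely(!queue || !packet->skb)) return;` covers both conditions. The early return also hides why a TX status arrived for a packet with no skb, so a one-line comment naming the suspected cause would help whoever revisits this. The function continues outside the hunk.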
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 25 05:37:00 2008
+From: Stefano Brivio <stefano.brivio@polimi.it>
+Date: Fri, 25 Jan 2008 14:26:21 +0100
+Subject: b43legacy: fix suspend/resume
+To: stable@kernel.org
+Cc: Michael@hera.kernel.org, linux-wireless@vger.kernel.org, bcm43xx-dev@lists.berlios.de, Buesch <mb@bu3sch.de>
+Message-ID: <20080125142621.0d240fd8@morte>
+
+From: Stefano Brivio <stefano.brivio@polimi.it>
+
+patch ada50731c0346bf900dc387edd3a6961297bf2d3 in mainline.
+
+This patch makes suspend/resume work with the b43legacy driver.
+We must not overwrite the MAC addresses in the init function, as this
+would also overwrite the MAC on resume. With an all-zero MAC the device
+firmware is not able to ACK any received packets anymore.
+Fix this by moving the initializion stuff that must be done on init but
+not on resume to the start function.
+Also zero out filter_flags to make sure we don't have some flags
+from a previous instance for a tiny timeframe until mac80211 reconfigures
+them.
+
+This patch by Michael Buesch has been ported to b43legacy.
+
+Cc: Michael Buesch <mb@bu3sch.de>
+Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+---
+ drivers/net/wireless/b43legacy/main.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/b43legacy/main.c
++++ b/drivers/net/wireless/b43legacy/main.c
+@@ -3215,8 +3215,6 @@ static int b43legacy_wireless_core_init(
+ b43legacy_shm_write16(dev, B43legacy_SHM_SHARED, 0x0414, 0x01F4);
+
+ ssb_bus_powerup(bus, 1); /* Enable dynamic PCTL */
+- memset(wl->bssid, 0, ETH_ALEN);
+- memset(wl->mac_addr, 0, ETH_ALEN);
+ b43legacy_upload_card_macaddress(dev);
+ b43legacy_security_init(dev);
+ b43legacy_rng_init(wl);
+@@ -3311,6 +3309,13 @@ static int b43legacy_start(struct ieee80
+ int did_init = 0;
+ int err = 0;
+
++ /* Kill all old instance specific information to make sure
++ * the card won't use it in the short timeframe between start
++ * and mac80211 reconfiguring it. */
++ memset(wl->bssid, 0, ETH_ALEN);
++ memset(wl->mac_addr, 0, ETH_ALEN);
++ wl->filter_flags = 0;
++
+ mutex_lock(&wl->mutex);
+
+ if (b43legacy_status(dev) < B43legacy_STAT_INITIALIZED) {
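Review bot: The three added stores to `wl->bssid`, `wl->mac_addr` and `wl->filter_flags` run before `mutex_lock(&wl->mutex)`, so they are not covered by the lock taken immediately afterwards. If any other path reads or writes these fields under `wl->mutex` (not visible in this hunk), moving the block to just after the `mutex_lock()` call would close that window at no cost. b43legacy_start continues outside the hunk.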
--- /dev/null
+From b1aa5301b9f88a4891061650c591fb8fe1c1d1da Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Fri, 25 Jan 2008 13:03:42 -0500
+Subject: selinux: fix labeling of /proc/net inodes
+Message-ID: <Xine.LNX.4.64.0801261602360.32278@us.intercode.com.au>
+
+patch b1aa5301b9f88a4891061650c591fb8fe1c1d1da in mainline.
+
+The proc net rewrite had a side effect on selinux, leading it to mislabel
+the /proc/net inodes, thereby leading to incorrect denials. Fix
+security_genfs_sid to ignore extra leading / characters in the path supplied
+by selinux_proc_get_sid since we now get "//net/..." rather than "/net/...".
+
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+Signed-off-by: James Morris <jmorris@namei.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ security/selinux/ss/services.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -1744,6 +1744,9 @@ int security_genfs_sid(const char *fstyp
+ struct ocontext *c;
+ int rc = 0, cmp = 0;
+
++ while (path[0] == '/' && path[1] == '/')
++ path++;
++
+ POLICY_RDLOCK;
+
+ for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
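Review bot: The new loop in security_genfs_sid has no comment, so the reason for it lives only in the commit message. Something like `/* Skip extra leading '/' so "//net/..." from selinux_proc_get_sid matches the "/net/..." genfs entries. */` above the loop would keep a later reader from removing it as dead code. It normalizes only leading slashes; doubled slashes later in the path would still reach the genfs lookup unchanged, which is presumably fine for the current caller but worth stating. The function continues outside the hunk.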
b43-fix-suspend-resume.patch
b43-drop-packets-we-are-not-able-to-encrypt.patch
b43-fix-dma-slot-resource-leakage.patch
+b43legacy-fix-pio-crash.patch
+b43legacy-fix-suspend-resume.patch
+b43legacy-drop-packets-we-are-not-able-to-encrypt.patch
+b43legacy-fix-dma-slot-resource-leakage.patch
+selinux-fix-labeling-of-proc-net-inodes.patch