From: Greg Kroah-Hartman Date: Mon, 13 Feb 2012 20:16:51 +0000 (-0800) Subject: 3.0-stable patches X-Git-Tag: v3.0.22~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=21ebd183bc812be88644f8bdfc800702bdd83208;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: hwmon-f75375s-fix-bit-shifting-in-f75375_write16.patch lib-proportion-lower-prop_max_shift-to-32-on-64-bit-kernel.patch mac80211-timeout-a-single-frame-in-the-rx-reorder-buffer.patch relay-prevent-integer-overflow-in-relay_open.patch writeback-fix-dereferencing-null-bdi-dev-on-trace_writeback_queue.patch
---
diff --git a/queue-3.0/hwmon-f75375s-fix-bit-shifting-in-f75375_write16.patch b/queue-3.0/hwmon-f75375s-fix-bit-shifting-in-f75375_write16.patch
new file mode 100644
index 00000000000..55139f72e43
--- /dev/null
+++ b/queue-3.0/hwmon-f75375s-fix-bit-shifting-in-f75375_write16.patch
@@ -0,0 +1,31 @@
+From eb2f255b2d360df3f500042a2258dcf2fcbe89a2 Mon Sep 17 00:00:00 2001
+From: Nikolaus Schulz
+Date: Wed, 8 Feb 2012 18:56:10 +0100
+Subject: hwmon: (f75375s) Fix bit shifting in f75375_write16
+
+From: Nikolaus Schulz
+
+commit eb2f255b2d360df3f500042a2258dcf2fcbe89a2 upstream.
+
+In order to extract the high byte of the 16-bit word, shift the word to
+the right, not to the left.
+
+Signed-off-by: Nikolaus Schulz
+Signed-off-by: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwmon/f75375s.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/f75375s.c
++++ b/drivers/hwmon/f75375s.c
+@@ -159,7 +159,7 @@ static inline void f75375_write8(struct
+ static inline void f75375_write16(struct i2c_client *client, u8 reg,
+ u16 value)
+ {
+- int err = i2c_smbus_write_byte_data(client, reg, (value << 8));
++ int err = i2c_smbus_write_byte_data(client, reg, (value >> 8));
+ if (err)
+ return;
+ i2c_smbus_write_byte_data(client, reg + 1, (value & 0xFF));
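Review bot: `f75375_write16` still reports nothing to its caller: a failure of the first `i2c_smbus_write_byte_data()` is swallowed by `if (err) return;`, and the result of the second write to `reg + 1` is discarded, so a 16-bit register can be left half-written with no indication. Because the function is `void`, the smallest step is to log the failure, for example `dev_err(&client->dev, "write16 to reg 0x%02x failed\n", reg);`; returning the error to callers would be the fuller fix. The function's closing brace lies outside the hunk.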
diff --git a/queue-3.0/lib-proportion-lower-prop_max_shift-to-32-on-64-bit-kernel.patch b/queue-3.0/lib-proportion-lower-prop_max_shift-to-32-on-64-bit-kernel.patch
new file mode 100644
index 00000000000..1d31ace7432
--- /dev/null
+++ b/queue-3.0/lib-proportion-lower-prop_max_shift-to-32-on-64-bit-kernel.patch
@@ -0,0 +1,45 @@
+From 3310225dfc71a35a2cc9340c15c0e08b14b3c754 Mon Sep 17 00:00:00 2001
+From: Wu Fengguang
+Date: Mon, 9 Jan 2012 11:53:50 -0600
+Subject: lib: proportion: lower PROP_MAX_SHIFT to 32 on 64-bit kernel
+
+From: Wu Fengguang
+
+commit 3310225dfc71a35a2cc9340c15c0e08b14b3c754 upstream.
+
+PROP_MAX_SHIFT should be set to <=32 on 64-bit box. This fixes two bugs
+in the below lines of bdi_dirty_limit():
+
+ bdi_dirty *= numerator;
+ do_div(bdi_dirty, denominator);
+
+1) divide error: do_div() only uses the lower 32 bit of the denominator,
+ which may trimmed to be 0 when PROP_MAX_SHIFT > 32.
+
+2) overflow: (bdi_dirty * numerator) could easily overflow if numerator
+ used up to 48 bits, leaving only 16 bits to bdi_dirty
+
+Cc: Peter Zijlstra
+Reported-by: Ilya Tumaykin
+Tested-by: Ilya Tumaykin
+Signed-off-by: Wu Fengguang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/proportions.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/include/linux/proportions.h
++++ b/include/linux/proportions.h
+@@ -81,7 +81,11 @@ void prop_inc_percpu(struct prop_descrip
+ * Limit the time part in order to ensure there are some bits left for the
+ * cycle counter and fraction multiply.
+ */
++#if BITS_PER_LONG == 32
+ #define PROP_MAX_SHIFT (3*BITS_PER_LONG/4)
++#else
++#define PROP_MAX_SHIFT (BITS_PER_LONG/2)
++#endif
+
+ #define PROP_FRAC_SHIFT (BITS_PER_LONG - PROP_MAX_SHIFT - 1)
+ #define PROP_FRAC_BASE (1UL << PROP_FRAC_SHIFT)
diff --git a/queue-3.0/mac80211-timeout-a-single-frame-in-the-rx-reorder-buffer.patch b/queue-3.0/mac80211-timeout-a-single-frame-in-the-rx-reorder-buffer.patch
new file mode 100644
index 00000000000..3d26accc398
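Review bot: The comment above `PROP_MAX_SHIFT` in include/linux/proportions.h still gives only the general reason for limiting the shift, so the 64-bit branch of the new `#if BITS_PER_LONG == 32` reads as arbitrary; the constraint behind it is stated only in the commit message. I would extend the comment with a line such as `* On 64-bit, keep the shift at 32 or below: do_div() uses only the low 32 bits of its divisor, and the multiply before it must not overflow.` A `BUILD_BUG_ON(PROP_MAX_SHIFT > 32)` next to the do_div() user would keep the invariant from regressing, although that code is outside this hunk.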
--- /dev/null
+++ b/queue-3.0/mac80211-timeout-a-single-frame-in-the-rx-reorder-buffer.patch
@@ -0,0 +1,33 @@
+From 07ae2dfcf4f7143ce191c6436da1c33f179af0d6 Mon Sep 17 00:00:00 2001
+From: Eliad Peller
+Date: Wed, 1 Feb 2012 18:48:09 +0200
+Subject: mac80211: timeout a single frame in the rx reorder buffer
+
+From: Eliad Peller
+
+commit 07ae2dfcf4f7143ce191c6436da1c33f179af0d6 upstream.
+
+The current code checks for stored_mpdu_num > 1, causing
+the reorder_timer to be triggered indefinitely, but the
+frame is never timed-out (until the next packet is received)
+
+Signed-off-by: Eliad Peller
+Acked-by: Johannes Berg
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -610,7 +610,7 @@ static void ieee80211_sta_reorder_releas
+ index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
+ tid_agg_rx->buf_size;
+ if (!tid_agg_rx->reorder_buf[index] &&
+- tid_agg_rx->stored_mpdu_num > 1) {
++ tid_agg_rx->stored_mpdu_num) {
+ /*
+ * No buffers ready to be released, but check whether any
+ * frames in the reorder buffer have timed out.
diff --git a/queue-3.0/relay-prevent-integer-overflow-in-relay_open.patch b/queue-3.0/relay-prevent-integer-overflow-in-relay_open.patch
new file mode 100644
index 00000000000..cb25b3d958a
--- /dev/null
+++ b/queue-3.0/relay-prevent-integer-overflow-in-relay_open.patch
@@ -0,0 +1,48 @@
+From f6302f1bcd75a042df69866d98b8d775a668f8f1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 10 Feb 2012 09:03:58 +0100
+Subject: relay: prevent integer overflow in relay_open()
+
+From: Dan Carpenter
+
+commit f6302f1bcd75a042df69866d98b8d775a668f8f1 upstream.
+
+"subbuf_size" and "n_subbufs" come from the user and they need to be
+capped to prevent an integer overflow.
+
+Signed-off-by: Dan Carpenter
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/relay.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/kernel/relay.c
++++ b/kernel/relay.c
+@@ -164,10 +164,14 @@ depopulate:
+ */
+ static struct rchan_buf *relay_create_buf(struct rchan *chan)
+ {
+- struct rchan_buf *buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
+- if (!buf)
++ struct rchan_buf *buf;
++
++ if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
+ return NULL;
+
++ buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
++ if (!buf)
++ return NULL;
+ buf->padding = kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL);
+ if (!buf->padding)
+ goto free_buf;
+@@ -574,6 +578,8 @@ struct rchan *relay_open(const char *bas
+
+ if (!(subbuf_size && n_subbufs))
+ return NULL;
++ if (subbuf_size > UINT_MAX / n_subbufs)
++ return NULL;
+
+ chan = kzalloc(sizeof(struct rchan), GFP_KERNEL);
+ if (!chan)
diff --git a/queue-3.0/series b/queue-3.0/series
index 4698ed88b56..9f0e52fee91 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
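Review bot: The new guard in `relay_open()`, `if (subbuf_size > UINT_MAX / n_subbufs)`, bounds only the raw product; the statement that consumes `subbuf_size * n_subbufs` is outside the hunk, and if it rounds the product up (for instance to a page multiple) a value just below `UINT_MAX` could still wrap on a 32-bit build. Leaving headroom, e.g. `if (subbuf_size > (UINT_MAX - PAGE_SIZE) / n_subbufs) return NULL;`, would cover that case, but this should be confirmed against the allocation-size computation. In `relay_create_buf()` the cap is `UINT_MAX` although the multiplication involves `sizeof`, so on 64-bit it is stricter than overflow safety requires; a one-line comment saying the limit is deliberate would prevent a later "fix" to `SIZE_MAX`. Both function bodies continue beyond their hunks.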
@@ -1,3 +1,8 @@
 perf-evsel-fix-an-issue-where-perf-report-fails-to-show-the-proper-percentage.patch
 perf-tools-fix-perf-stack-to-non-executable-on-x86_64.patch
 drm-i915-no-lvds-quirk-for-aopen-mp45.patch
+hwmon-f75375s-fix-bit-shifting-in-f75375_write16.patch
+lib-proportion-lower-prop_max_shift-to-32-on-64-bit-kernel.patch
+relay-prevent-integer-overflow-in-relay_open.patch
+mac80211-timeout-a-single-frame-in-the-rx-reorder-buffer.patch
+writeback-fix-dereferencing-null-bdi-dev-on-trace_writeback_queue.patch
diff --git a/queue-3.0/writeback-fix-dereferencing-null-bdi-dev-on-trace_writeback_queue.patch b/queue-3.0/writeback-fix-dereferencing-null-bdi-dev-on-trace_writeback_queue.patch
new file mode 100644
index 00000000000..baecf02787f
--- /dev/null
+++ b/queue-3.0/writeback-fix-dereferencing-null-bdi-dev-on-trace_writeback_queue.patch
@@ -0,0 +1,41 @@
+From 977b7e3a52a7421ad33a393a38ece59f3d41c2fa Mon Sep 17 00:00:00 2001
+From: Wu Fengguang
+Date: Sat, 4 Feb 2012 20:54:03 -0600
+Subject: writeback: fix dereferencing NULL bdi->dev on trace_writeback_queue
+
+From: Wu Fengguang
+
+commit 977b7e3a52a7421ad33a393a38ece59f3d41c2fa upstream.
+
+When a SD card is hot removed without umount, del_gendisk() will call
+bdi_unregister() without destroying/freeing it. This leaves the bdi in
+the bdi->dev = NULL, bdi->wb.task = NULL, bdi->bdi_list removed state.
+
+When sync(2) gets the bdi before bdi_unregister() and calls
+bdi_queue_work() after the unregister, trace_writeback_queue will be
+dereferencing the NULL bdi->dev. Fix it with a simple test for NULL.
+
+LKML-reference: http://lkml.org/lkml/2012/1/18/346
+Reported-by: Rabin Vincent
+Tested-by: Namjae Jeon
+Signed-off-by: Wu Fengguang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/trace/events/writeback.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/trace/events/writeback.h
++++ b/include/trace/events/writeback.h
+@@ -23,7 +23,10 @@ DECLARE_EVENT_CLASS(writeback_work_class
+ __field(int, for_background)
+ ),
+ TP_fast_assign(
+- strncpy(__entry->name, dev_name(bdi->dev), 32);
++ struct device *dev = bdi->dev;
++ if (!dev)
++ dev = default_backing_dev_info.dev;
++ strncpy(__entry->name, dev_name(dev), 32);
+ __entry->nr_pages = work->nr_pages;
+ __entry->sb_dev = work->sb ? work->sb->s_dev : 0;
+ __entry->sync_mode = work->sync_mode;
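Review bot: The rewritten `strncpy(__entry->name, dev_name(dev), 32);` keeps the literal 32 and strncpy's lack of a guaranteed terminator, so a device name of 32 bytes or more would leave `__entry->name` unterminated when the event is later formatted as a string (the field declaration is outside the hunk, so its size is assumed to be 32). `strlcpy(__entry->name, dev_name(dev), sizeof(__entry->name));` would bound and terminate the copy in one step. The fallback also relies on `default_backing_dev_info.dev` never being NULL; a short comment stating why that holds would be worth adding. Other event classes in this header that call `dev_name()` on a bdi are not visible here and may need the same NULL test.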