From: Greg Kroah-Hartman Date: Mon, 9 Jan 2012 19:41:06 +0000 (-0800) Subject: 3.1-stable patches X-Git-Tag: v3.2.1~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6530a37c40a290806e24bb6be462d7d1289413b6;p=thirdparty%2Fkernel%2Fstable-queue.git 3.1-stable patches added patches: documentation-update-stable-address.patch firmware-fix-an-oops-on-reading-fw_priv-fw-in-sysfs-loading-file.patch offb-fix-bug-in-calculating-requested-vram-size.patch offb-fix-setting-of-the-pseudo-palette-for-8bpp.patch powerpc-fix-unpaired-probe_hcall_entry-and-probe_hcall_exit.patch powerpc-time-handle-wrapping-of-decrementer.patch rt2800usb-move-id-out-of-unknown.patch wl12xx-check-buffer-bound-when-processing-nvs-data.patch wl12xx-restore-testmode-abi.patch wl12xx-validate-fem-index-from-ini-file-and-fw.patch --- diff --git a/queue-3.1/documentation-update-stable-address.patch b/queue-3.1/documentation-update-stable-address.patch new file mode 100644 index 00000000000..8c4082fc52c --- /dev/null +++ b/queue-3.1/documentation-update-stable-address.patch @@ -0,0 +1,52 @@ +From 2eb7f204db51969ea558802a6601d79c2fb273b9 Mon Sep 17 00:00:00 2001 +From: Joe Perches +Date: Fri, 9 Dec 2011 14:12:00 -0800 +Subject: Documentation: Update stable address + +From: Joe Perches + +commit 2eb7f204db51969ea558802a6601d79c2fb273b9 upstream. + +The Japanese/Korean/Chinese versions still need updating. + +Also, the stable kernel 2.6.x.y descriptions are out of date +and should be updated as well. + +Signed-off-by: Joe Perches +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/HOWTO | 4 ++-- + Documentation/development-process/5.Posting | 8 ++++---- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/Documentation/HOWTO ++++ b/Documentation/HOWTO +@@ -275,8 +275,8 @@ versions. + If no 2.6.x.y kernel is available, then the highest numbered 2.6.x + kernel is the current stable kernel. + +-2.6.x.y are maintained by the "stable" team , and are +-released as needs dictate. The normal release period is approximately ++2.6.x.y are maintained by the "stable" team , and ++are released as needs dictate. The normal release period is approximately + two weeks, but it can be longer if there are no pressing problems. A + security-related problem, instead, can cause a release to happen almost + instantly. +--- a/Documentation/development-process/5.Posting ++++ b/Documentation/development-process/5.Posting +@@ -271,10 +271,10 @@ copies should go to: + the linux-kernel list. + + - If you are fixing a bug, think about whether the fix should go into the +- next stable update. If so, stable@kernel.org should get a copy of the +- patch. Also add a "Cc: stable@kernel.org" to the tags within the patch +- itself; that will cause the stable team to get a notification when your +- fix goes into the mainline. ++ next stable update. If so, stable@vger.kernel.org should get a copy of ++ the patch. Also add a "Cc: stable@vger.kernel.org" to the tags within ++ the patch itself; that will cause the stable team to get a notification ++ when your fix goes into the mainline. + + When selecting recipients for a patch, it is good to have an idea of who + you think will eventually accept the patch and get it merged. While it diff --git a/queue-3.1/firmware-fix-an-oops-on-reading-fw_priv-fw-in-sysfs-loading-file.patch b/queue-3.1/firmware-fix-an-oops-on-reading-fw_priv-fw-in-sysfs-loading-file.patch new file mode 100644 index 00000000000..52dbb1b19bd --- /dev/null +++ b/queue-3.1/firmware-fix-an-oops-on-reading-fw_priv-fw-in-sysfs-loading-file.patch @@ -0,0 +1,78 @@ +From eea915bb0d1358755f151eaefb8208a2d5f3e10c Mon Sep 17 00:00:00 2001 +From: Neil Horman +Date: Mon, 2 Jan 2012 15:31:23 -0500 +Subject: firmware: Fix an oops on reading fw_priv->fw in sysfs loading file + +From: Neil Horman + +commit eea915bb0d1358755f151eaefb8208a2d5f3e10c upstream. + +This oops was reported recently: +firmware_loading_store+0xf9/0x17b +dev_attr_store+0x20/0x22 +sysfs_write_file+0x101/0x134 +vfs_write+0xac/0xf3 +sys_write+0x4a/0x6e +system_call_fastpath+0x16/0x1b + +The complete backtrace was unfortunately not captured, but details can be found +here: +https://bugzilla.redhat.com/show_bug.cgi?id=769920 + +The cause is fairly clear. + +Its caused by the fact that firmware_loading_store has a case 0 in its +switch statement that reads and writes the fw_priv->fw poniter without the +protection of the fw_lock mutex. since there is a window between the time that +_request_firmware sets fw_priv->fw to NULL and the time the corresponding sysfs +file is unregistered, its possible for a user space application to race in, and +write a zero to the loading file, causing a NULL dereference in +firmware_loading_store. Fix it by extending the protection of the fw_lock mutex +to cover all of the firware_loading_store function. + +Signed-off-by: Neil Horman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/firmware_class.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/base/firmware_class.c ++++ b/drivers/base/firmware_class.c +@@ -226,13 +226,13 @@ static ssize_t firmware_loading_store(st + int loading = simple_strtol(buf, NULL, 10); + int i; + ++ mutex_lock(&fw_lock); ++ ++ if (!fw_priv->fw) ++ goto out; ++ + switch (loading) { + case 1: +- mutex_lock(&fw_lock); +- if (!fw_priv->fw) { +- mutex_unlock(&fw_lock); +- break; +- } + firmware_free_data(fw_priv->fw); + memset(fw_priv->fw, 0, sizeof(struct firmware)); + /* If the pages are not owned by 'struct firmware' */ +@@ -243,7 +243,6 @@ static ssize_t firmware_loading_store(st + fw_priv->page_array_size = 0; + fw_priv->nr_pages = 0; + set_bit(FW_STATUS_LOADING, &fw_priv->status); +- mutex_unlock(&fw_lock); + break; + case 0: + if (test_bit(FW_STATUS_LOADING, &fw_priv->status)) { +@@ -274,7 +273,8 @@ static ssize_t firmware_loading_store(st + fw_load_abort(fw_priv); + break; + } +- ++out: ++ mutex_unlock(&fw_lock); + return count; + } + diff --git a/queue-3.1/offb-fix-bug-in-calculating-requested-vram-size.patch b/queue-3.1/offb-fix-bug-in-calculating-requested-vram-size.patch new file mode 100644 index 00000000000..9a2f9d3ae97 --- /dev/null +++ b/queue-3.1/offb-fix-bug-in-calculating-requested-vram-size.patch @@ -0,0 +1,30 @@ +From c055fe0797b7bd8f6f21a13598a55a16d5c13ae7 Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Tue, 3 Jan 2012 12:09:15 +1100 +Subject: offb: Fix bug in calculating requested vram size + +From: Benjamin Herrenschmidt + +commit c055fe0797b7bd8f6f21a13598a55a16d5c13ae7 upstream. + +We used to try to request 8 times more vram than needed, which would +fail if the card has a too small BAR (observed with qemu & kvm). + +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/offb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/offb.c ++++ b/drivers/video/offb.c +@@ -377,7 +377,7 @@ static void __init offb_init_fb(const ch + int pitch, unsigned long address, + int foreign_endian, struct device_node *dp) + { +- unsigned long res_size = pitch * height * (depth + 7) / 8; ++ unsigned long res_size = pitch * height; + struct offb_par *par = &default_par; + unsigned long res_start = address; + struct fb_fix_screeninfo *fix; diff --git a/queue-3.1/offb-fix-setting-of-the-pseudo-palette-for-8bpp.patch b/queue-3.1/offb-fix-setting-of-the-pseudo-palette-for-8bpp.patch new file mode 100644 index 00000000000..8f8748e892d --- /dev/null +++ b/queue-3.1/offb-fix-setting-of-the-pseudo-palette-for-8bpp.patch @@ -0,0 +1,87 @@ +From 1bb0b7d21584b3f878e2bc880db62351ddee5185 Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Wed, 28 Dec 2011 00:10:16 +0000 +Subject: offb: Fix setting of the pseudo-palette for >8bpp + +From: Benjamin Herrenschmidt + +commit 1bb0b7d21584b3f878e2bc880db62351ddee5185 upstream. + +When using a >8bpp framebuffer, offb advertises truecolor, not directcolor, +and doesn't touch the color map even if it has a corresponding access method +for the real hardware. + +Thus it needs to set the pseudo-palette with all 3 components of the color, +like other truecolor framebuffers, not with copies of the color index like +a directcolor framebuffer would do. + +This went unnoticed for a long time because it's pretty hard to get offb +to kick in with anything but 8bpp (old BootX under MacOS will do that and +qemu does it). + +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/offb.c | 44 ++++++++++++++++++++------------------------ + 1 file changed, 20 insertions(+), 24 deletions(-) + +--- a/drivers/video/offb.c ++++ b/drivers/video/offb.c +@@ -100,36 +100,32 @@ static int offb_setcolreg(u_int regno, u + u_int transp, struct fb_info *info) + { + struct offb_par *par = (struct offb_par *) info->par; +- int i, depth; +- u32 *pal = info->pseudo_palette; + +- depth = info->var.bits_per_pixel; +- if (depth == 16) +- depth = (info->var.green.length == 5) ? 15 : 16; ++ if (info->fix.visual == FB_VISUAL_TRUECOLOR) { ++ u32 *pal = info->pseudo_palette; ++ u32 cr = red >> (16 - info->var.red.length); ++ u32 cg = green >> (16 - info->var.green.length); ++ u32 cb = blue >> (16 - info->var.blue.length); ++ u32 value; + +- if (regno > 255 || +- (depth == 16 && regno > 63) || +- (depth == 15 && regno > 31)) +- return 1; ++ if (regno >= 16) ++ return -EINVAL; + +- if (regno < 16) { +- switch (depth) { +- case 15: +- pal[regno] = (regno << 10) | (regno << 5) | regno; +- break; +- case 16: +- pal[regno] = (regno << 11) | (regno << 5) | regno; +- break; +- case 24: +- pal[regno] = (regno << 16) | (regno << 8) | regno; +- break; +- case 32: +- i = (regno << 8) | regno; +- pal[regno] = (i << 16) | i; +- break; ++ value = (cr << info->var.red.offset) | ++ (cg << info->var.green.offset) | ++ (cb << info->var.blue.offset); ++ if (info->var.transp.length > 0) { ++ u32 mask = (1 << info->var.transp.length) - 1; ++ mask <<= info->var.transp.offset; ++ value |= mask; + } ++ pal[regno] = value; ++ return 0; + } + ++ if (regno > 255) ++ return -EINVAL; ++ + red >>= 8; + green >>= 8; + blue >>= 8; diff --git a/queue-3.1/powerpc-fix-unpaired-probe_hcall_entry-and-probe_hcall_exit.patch b/queue-3.1/powerpc-fix-unpaired-probe_hcall_entry-and-probe_hcall_exit.patch new file mode 100644 index 00000000000..fa3e1cc1767 --- /dev/null +++ b/queue-3.1/powerpc-fix-unpaired-probe_hcall_entry-and-probe_hcall_exit.patch @@ -0,0 +1,80 @@ +From e4f387d8db3ba3c2dae4d8bdfe7bb5f4fe1bcb0d Mon Sep 17 00:00:00 2001 +From: Li Zhong +Date: Sun, 18 Dec 2011 16:03:04 +0000 +Subject: powerpc: Fix unpaired probe_hcall_entry and probe_hcall_exit + +From: Li Zhong + +commit e4f387d8db3ba3c2dae4d8bdfe7bb5f4fe1bcb0d upstream. + +Unpaired calling of probe_hcall_entry and probe_hcall_exit might happen +as following, which could cause incorrect preempt count. + +__trace_hcall_entry => trace_hcall_entry -> probe_hcall_entry => +get_cpu_var => preempt_disable + +__trace_hcall_exit => trace_hcall_exit -> probe_hcall_exit => +put_cpu_var => preempt_enable + +where: +A => B and A -> B means A calls B, but +=> means A will call B through function name, and B will definitely be +called. +-> means A will call B through function pointer, so B might not be +called if the function pointer is not set. + +So error happens when only one of probe_hcall_entry and probe_hcall_exit +get called during a hcall. + +This patch tries to move the preempt count operations from +probe_hcall_entry and probe_hcall_exit to its callers. + +Reported-by: Paul E. McKenney +Signed-off-by: Li Zhong +Tested-by: Paul E. McKenney +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/hvCall_inst.c | 4 +--- + arch/powerpc/platforms/pseries/lpar.c | 2 ++ + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/platforms/pseries/hvCall_inst.c ++++ b/arch/powerpc/platforms/pseries/hvCall_inst.c +@@ -109,7 +109,7 @@ static void probe_hcall_entry(void *igno + if (opcode > MAX_HCALL_OPCODE) + return; + +- h = &get_cpu_var(hcall_stats)[opcode / 4]; ++ h = &__get_cpu_var(hcall_stats)[opcode / 4]; + h->tb_start = mftb(); + h->purr_start = mfspr(SPRN_PURR); + } +@@ -126,8 +126,6 @@ static void probe_hcall_exit(void *ignor + h->num_calls++; + h->tb_total += mftb() - h->tb_start; + h->purr_total += mfspr(SPRN_PURR) - h->purr_start; +- +- put_cpu_var(hcall_stats); + } + + static int __init hcall_inst_init(void) +--- a/arch/powerpc/platforms/pseries/lpar.c ++++ b/arch/powerpc/platforms/pseries/lpar.c +@@ -553,6 +553,7 @@ void __trace_hcall_entry(unsigned long o + goto out; + + (*depth)++; ++ preempt_disable(); + trace_hcall_entry(opcode, args); + (*depth)--; + +@@ -575,6 +576,7 @@ void __trace_hcall_exit(long opcode, uns + + (*depth)++; + trace_hcall_exit(opcode, retval, retbuf); ++ preempt_enable(); + (*depth)--; + + out: diff --git a/queue-3.1/powerpc-time-handle-wrapping-of-decrementer.patch b/queue-3.1/powerpc-time-handle-wrapping-of-decrementer.patch new file mode 100644 index 00000000000..4cff991b48f --- /dev/null +++ b/queue-3.1/powerpc-time-handle-wrapping-of-decrementer.patch @@ -0,0 +1,87 @@ +From 37fb9a0231ee43d42d069863bdfd567fca2b61af Mon Sep 17 00:00:00 2001 +From: Anton Blanchard +Date: Wed, 23 Nov 2011 20:07:17 +0000 +Subject: powerpc/time: Handle wrapping of decrementer + +From: Anton Blanchard + +commit 37fb9a0231ee43d42d069863bdfd567fca2b61af upstream. + +When re-enabling interrupts we have code to handle edge sensitive +decrementers by resetting the decrementer to 1 whenever it is negative. +If interrupts were disabled long enough that the decrementer wrapped to +positive we do nothing. This means interrupts can be delayed for a long +time until it finally goes negative again. + +While we hope interrupts are never be disabled long enough for the +decrementer to go positive, we have a very good test team that can +drive any kernel into the ground. The softlockup data we get back +from these fails could be seconds in the future, completely missing +the cause of the lockup. + +We already keep track of the timebase of the next event so use that +to work out if we should trigger a decrementer exception. + +Signed-off-by: Anton Blanchard +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/time.h | 2 ++ + arch/powerpc/kernel/irq.c | 15 ++++++--------- + arch/powerpc/kernel/time.c | 9 +++++++++ + 3 files changed, 17 insertions(+), 9 deletions(-) + +--- a/arch/powerpc/include/asm/time.h ++++ b/arch/powerpc/include/asm/time.h +@@ -219,5 +219,7 @@ DECLARE_PER_CPU(struct cpu_usage, cpu_us + extern void secondary_cpu_time_init(void); + extern void iSeries_time_init_early(void); + ++extern void decrementer_check_overflow(void); ++ + #endif /* __KERNEL__ */ + #endif /* __POWERPC_TIME_H */ +--- a/arch/powerpc/kernel/irq.c ++++ b/arch/powerpc/kernel/irq.c +@@ -164,16 +164,13 @@ notrace void arch_local_irq_restore(unsi + */ + local_paca->hard_enabled = en; + +-#ifndef CONFIG_BOOKE +- /* On server, re-trigger the decrementer if it went negative since +- * some processors only trigger on edge transitions of the sign bit. +- * +- * BookE has a level sensitive decrementer (latches in TSR) so we +- * don't need that ++ /* ++ * Trigger the decrementer if we have a pending event. Some processors ++ * only trigger on edge transitions of the sign bit. We might also ++ * have disabled interrupts long enough that the decrementer wrapped ++ * to positive. + */ +- if ((int)mfspr(SPRN_DEC) < 0) +- mtspr(SPRN_DEC, 1); +-#endif /* CONFIG_BOOKE */ ++ decrementer_check_overflow(); + + /* + * Force the delivery of pending soft-disabled interrupts on PS3. +--- a/arch/powerpc/kernel/time.c ++++ b/arch/powerpc/kernel/time.c +@@ -889,6 +889,15 @@ static void __init clocksource_init(void + clock->name, clock->mult, clock->shift); + } + ++void decrementer_check_overflow(void) ++{ ++ u64 now = get_tb_or_rtc(); ++ struct decrementer_clock *decrementer = &__get_cpu_var(decrementers); ++ ++ if (now >= decrementer->next_tb) ++ set_dec(1); ++} ++ + static int decrementer_set_next_event(unsigned long evt, + struct clock_event_device *dev) + { diff --git a/queue-3.1/rt2800usb-move-id-out-of-unknown.patch b/queue-3.1/rt2800usb-move-id-out-of-unknown.patch new file mode 100644 index 00000000000..2f01764a2e9 --- /dev/null +++ b/queue-3.1/rt2800usb-move-id-out-of-unknown.patch @@ -0,0 +1,41 @@ +From 3f81f8f1524ccca24df1029b0cf825ecef5e5cdc Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Tue, 27 Dec 2011 12:22:51 -0600 +Subject: rt2800usb: Move ID out of unknown + +From: Larry Finger + +commit 3f81f8f1524ccca24df1029b0cf825ecef5e5cdc upstream. + +Testing on the openSUSE wireless forum has shown that a Linksys +WUSB54GC v3 with USB ID 1737:0077 works with rt2800usb when the ID is +written to /sys/.../new_id. This ID can therefore be moved out of UNKNOWN. + +Signed-off-by: Larry Finger +Acked-by: Gertjan van Wingerde +Acked-by: Ivo van Doorn +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rt2x00/rt2800usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/rt2x00/rt2800usb.c ++++ b/drivers/net/wireless/rt2x00/rt2800usb.c +@@ -970,6 +970,7 @@ static struct usb_device_id rt2800usb_de + { USB_DEVICE(0x13b1, 0x0031) }, + { USB_DEVICE(0x1737, 0x0070) }, + { USB_DEVICE(0x1737, 0x0071) }, ++ { USB_DEVICE(0x1737, 0x0077) }, + /* Logitec */ + { USB_DEVICE(0x0789, 0x0162) }, + { USB_DEVICE(0x0789, 0x0163) }, +@@ -1165,7 +1166,6 @@ static struct usb_device_id rt2800usb_de + { USB_DEVICE(0x1740, 0x0605) }, + { USB_DEVICE(0x1740, 0x0615) }, + /* Linksys */ +- { USB_DEVICE(0x1737, 0x0077) }, + { USB_DEVICE(0x1737, 0x0078) }, + /* Logitec */ + { USB_DEVICE(0x0789, 0x0168) }, diff --git a/queue-3.1/series b/queue-3.1/series index 26643c8a999..f23efb70ea3 100644 --- a/queue-3.1/series +++ b/queue-3.1/series @@ -1 +1,11 @@ maintainers-stable-update-address.patch +documentation-update-stable-address.patch +firmware-fix-an-oops-on-reading-fw_priv-fw-in-sysfs-loading-file.patch +rt2800usb-move-id-out-of-unknown.patch +offb-fix-setting-of-the-pseudo-palette-for-8bpp.patch +offb-fix-bug-in-calculating-requested-vram-size.patch +wl12xx-validate-fem-index-from-ini-file-and-fw.patch +wl12xx-check-buffer-bound-when-processing-nvs-data.patch +wl12xx-restore-testmode-abi.patch +powerpc-time-handle-wrapping-of-decrementer.patch +powerpc-fix-unpaired-probe_hcall_entry-and-probe_hcall_exit.patch diff --git a/queue-3.1/wl12xx-check-buffer-bound-when-processing-nvs-data.patch b/queue-3.1/wl12xx-check-buffer-bound-when-processing-nvs-data.patch new file mode 100644 index 00000000000..9c8fab06bf1 --- /dev/null +++ b/queue-3.1/wl12xx-check-buffer-bound-when-processing-nvs-data.patch @@ -0,0 +1,66 @@ +From f6efe96edd9c41c624c8f4ddbc4930c1a2d8f1e1 Mon Sep 17 00:00:00 2001 +From: Pontus Fuchs +Date: Tue, 18 Oct 2011 09:23:42 +0200 +Subject: wl12xx: Check buffer bound when processing nvs data + +From: Pontus Fuchs + +commit f6efe96edd9c41c624c8f4ddbc4930c1a2d8f1e1 upstream. + +An nvs with malformed contents could cause the processing of the +calibration data to read beyond the end of the buffer. Prevent this +from happening by adding bound checking. + +Signed-off-by: Pontus Fuchs +Reviewed-by: Luciano Coelho +Signed-off-by: Luciano Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/wl12xx/boot.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/net/wireless/wl12xx/boot.c ++++ b/drivers/net/wireless/wl12xx/boot.c +@@ -358,6 +358,9 @@ static int wl1271_boot_upload_nvs(struct + nvs_ptr += 3; + + for (i = 0; i < burst_len; i++) { ++ if (nvs_ptr + 3 >= (u8 *) wl->nvs + nvs_len) ++ goto out_badnvs; ++ + val = (nvs_ptr[0] | (nvs_ptr[1] << 8) + | (nvs_ptr[2] << 16) | (nvs_ptr[3] << 24)); + +@@ -369,6 +372,9 @@ static int wl1271_boot_upload_nvs(struct + nvs_ptr += 4; + dest_addr += 4; + } ++ ++ if (nvs_ptr >= (u8 *) wl->nvs + nvs_len) ++ goto out_badnvs; + } + + /* +@@ -380,6 +386,10 @@ static int wl1271_boot_upload_nvs(struct + */ + nvs_ptr = (u8 *)wl->nvs + + ALIGN(nvs_ptr - (u8 *)wl->nvs + 7, 4); ++ ++ if (nvs_ptr >= (u8 *) wl->nvs + nvs_len) ++ goto out_badnvs; ++ + nvs_len -= nvs_ptr - (u8 *)wl->nvs; + + /* Now we must set the partition correctly */ +@@ -395,6 +405,10 @@ static int wl1271_boot_upload_nvs(struct + + kfree(nvs_aligned); + return 0; ++ ++out_badnvs: ++ wl1271_error("nvs data is malformed"); ++ return -EILSEQ; + } + + static void wl1271_boot_enable_interrupts(struct wl1271 *wl) diff --git a/queue-3.1/wl12xx-restore-testmode-abi.patch b/queue-3.1/wl12xx-restore-testmode-abi.patch new file mode 100644 index 00000000000..c921e79a83f --- /dev/null +++ b/queue-3.1/wl12xx-restore-testmode-abi.patch @@ -0,0 +1,30 @@ +From 3f1764945eaac532c20ab1f23afa352a40f797b2 Mon Sep 17 00:00:00 2001 +From: Pontus Fuchs +Date: Thu, 1 Dec 2011 12:13:44 +0100 +Subject: wl12xx: Restore testmode ABI + +From: Pontus Fuchs + +commit 3f1764945eaac532c20ab1f23afa352a40f797b2 upstream. + +Commit 80900d0140a7648587982c8f299830e900e49165 accidently broke +the ABI for testmode commands. Restore the ABI again. + +Signed-off-by: Pontus Fuchs +Signed-off-by: Luciano Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/wl12xx/testmode.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/wl12xx/testmode.c ++++ b/drivers/net/wireless/wl12xx/testmode.c +@@ -36,6 +36,7 @@ enum wl1271_tm_commands { + WL1271_TM_CMD_TEST, + WL1271_TM_CMD_INTERROGATE, + WL1271_TM_CMD_CONFIGURE, ++ WL1271_TM_CMD_NVS_PUSH, /* Not in use. Keep to not break ABI */ + WL1271_TM_CMD_SET_PLT_MODE, + WL1271_TM_CMD_RECOVER, + diff --git a/queue-3.1/wl12xx-validate-fem-index-from-ini-file-and-fw.patch b/queue-3.1/wl12xx-validate-fem-index-from-ini-file-and-fw.patch new file mode 100644 index 00000000000..583cdd60aeb --- /dev/null +++ b/queue-3.1/wl12xx-validate-fem-index-from-ini-file-and-fw.patch @@ -0,0 +1,73 @@ +From 2131d3c2f99b081806fdae7662c92fe6acda52af Mon Sep 17 00:00:00 2001 +From: Pontus Fuchs +Date: Tue, 18 Oct 2011 09:23:41 +0200 +Subject: wl12xx: Validate FEM index from ini file and FW + +From: Pontus Fuchs + +commit 2131d3c2f99b081806fdae7662c92fe6acda52af upstream. + +Check for out of bound FEM index to prevent reading beyond ini +memory end. + +Signed-off-by: Pontus Fuchs +Reviewed-by: Luciano Coelho +Signed-off-by: Luciano Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/wl12xx/cmd.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/drivers/net/wireless/wl12xx/cmd.c ++++ b/drivers/net/wireless/wl12xx/cmd.c +@@ -120,6 +120,11 @@ int wl1271_cmd_general_parms(struct wl12 + if (!wl->nvs) + return -ENODEV; + ++ if (gp->tx_bip_fem_manufacturer >= WL1271_INI_FEM_MODULE_COUNT) { ++ wl1271_warning("FEM index from INI out of bounds"); ++ return -EINVAL; ++ } ++ + gen_parms = kzalloc(sizeof(*gen_parms), GFP_KERNEL); + if (!gen_parms) + return -ENOMEM; +@@ -148,6 +153,12 @@ int wl1271_cmd_general_parms(struct wl12 + gp->tx_bip_fem_manufacturer = + gen_parms->general_params.tx_bip_fem_manufacturer; + ++ if (gp->tx_bip_fem_manufacturer >= WL1271_INI_FEM_MODULE_COUNT) { ++ wl1271_warning("FEM index from FW out of bounds"); ++ ret = -EINVAL; ++ goto out; ++ } ++ + wl1271_debug(DEBUG_CMD, "FEM autodetect: %s, manufacturer: %d\n", + answer ? "auto" : "manual", gp->tx_bip_fem_manufacturer); + +@@ -167,6 +178,11 @@ int wl128x_cmd_general_parms(struct wl12 + if (!wl->nvs) + return -ENODEV; + ++ if (gp->tx_bip_fem_manufacturer >= WL1271_INI_FEM_MODULE_COUNT) { ++ wl1271_warning("FEM index from ini out of bounds"); ++ return -EINVAL; ++ } ++ + gen_parms = kzalloc(sizeof(*gen_parms), GFP_KERNEL); + if (!gen_parms) + return -ENOMEM; +@@ -191,6 +207,12 @@ int wl128x_cmd_general_parms(struct wl12 + gp->tx_bip_fem_manufacturer = + gen_parms->general_params.tx_bip_fem_manufacturer; + ++ if (gp->tx_bip_fem_manufacturer >= WL1271_INI_FEM_MODULE_COUNT) { ++ wl1271_warning("FEM index from FW out of bounds"); ++ ret = -EINVAL; ++ goto out; ++ } ++ + wl1271_debug(DEBUG_CMD, "FEM autodetect: %s, manufacturer: %d\n", + answer ? "auto" : "manual", gp->tx_bip_fem_manufacturer); +