From: Greg Kroah-Hartman Date: Fri, 13 Jan 2012 19:58:04 +0000 (-0800) Subject: 3.2-stable patches X-Git-Tag: v3.1.10~19 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7a3746aa7b01979e5701b32b994965087ad9843d;p=thirdparty%2Fkernel%2Fstable-queue.git 3.2-stable patches added patches: asix-fix-setting-custom-mac-address-on-asix-88178-devices.patch asix-fix-setting-custom-mac-address-on-asix-88772-devices.patch ath9k-fix-regression-in-channelwidth-switch-at-the-same-channel.patch include-linux-crash_dump.h-needs-elf.h.patch mac80211-fix-rx-key-null-pointer-dereference-in-promiscuous-mode.patch memcg-add-mem_cgroup_replace_page_cache-to-fix-lru-issue.patch rtl8192se-fix-bug-caused-by-failure-to-check-skb-allocation.patch x86-fix-mmap-random-address-range.patch --- diff --git a/queue-3.2/asix-fix-setting-custom-mac-address-on-asix-88178-devices.patch b/queue-3.2/asix-fix-setting-custom-mac-address-on-asix-88178-devices.patch new file mode 100644 index 00000000000..71f756fe39f --- /dev/null +++ b/queue-3.2/asix-fix-setting-custom-mac-address-on-asix-88178-devices.patch @@ -0,0 +1,42 @@ +From 71bc5d94061516c4e70303570128797bcf768b10 Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna +Date: Tue, 10 Jan 2012 06:40:23 +0000 +Subject: asix: fix setting custom MAC address on Asix 88178 devices + +From: Jussi Kivilinna + +commit 71bc5d94061516c4e70303570128797bcf768b10 upstream. + +In kernel v3.2 initialization sequence for Asix 88178 devices was changed so +that hardware is reseted on every time interface is brought up (ifconfig up), +instead just at USB probe time. This causes problem with setting custom MAC +address to device as ax88178_reset causes reload of MAC address from EEPROM. + +This patch fixes the issue by rewriting MAC address at end of ax88178_reset. + +Signed-off-by: Jussi Kivilinna +Acked-by: Grant Grundler +Cc: Allan Chou +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/usb/asix.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/usb/asix.c ++++ b/drivers/net/usb/asix.c +@@ -1316,6 +1316,13 @@ static int ax88178_reset(struct usbnet * + if (ret < 0) + return ret; + ++ /* Rewrite MAC address */ ++ memcpy(data->mac_addr, dev->net->dev_addr, ETH_ALEN); ++ ret = asix_write_cmd(dev, AX_CMD_WRITE_NODE_ID, 0, 0, ETH_ALEN, ++ data->mac_addr); ++ if (ret < 0) ++ return ret; ++ + ret = asix_write_rx_ctl(dev, AX_DEFAULT_RX_CTL); + if (ret < 0) + return ret; diff --git a/queue-3.2/asix-fix-setting-custom-mac-address-on-asix-88772-devices.patch b/queue-3.2/asix-fix-setting-custom-mac-address-on-asix-88772-devices.patch new file mode 100644 index 00000000000..830c02852d8 --- /dev/null +++ b/queue-3.2/asix-fix-setting-custom-mac-address-on-asix-88772-devices.patch @@ -0,0 +1,50 @@ +From 8ef66bdc4bda6aac2dae73b84d79dc8c2db33637 Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna +Date: Tue, 10 Jan 2012 06:40:17 +0000 +Subject: asix: fix setting custom MAC address on Asix 88772 devices + +From: Jussi Kivilinna + +commit 8ef66bdc4bda6aac2dae73b84d79dc8c2db33637 upstream. + +In kernel v3.2 initialization sequence for Asix 88772 devices was changed so +that hardware is reseted on every time interface is brought up (ifconfig up), +instead just at USB probe time. This causes problem with setting custom MAC +address to device as ax88772_reset causes reload of MAC address from EEPROM. + +This patch fixes the issue by rewriting MAC address at end of ax88772_reset. + +Signed-off-by: Jussi Kivilinna +Acked-by: Grant Grundler +Cc: Allan Chou +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/usb/asix.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/net/usb/asix.c ++++ b/drivers/net/usb/asix.c +@@ -974,6 +974,7 @@ static int ax88772_link_reset(struct usb + + static int ax88772_reset(struct usbnet *dev) + { ++ struct asix_data *data = (struct asix_data *)&dev->data; + int ret, embd_phy; + u16 rx_ctl; + +@@ -1051,6 +1052,13 @@ static int ax88772_reset(struct usbnet * + goto out; + } + ++ /* Rewrite MAC address */ ++ memcpy(data->mac_addr, dev->net->dev_addr, ETH_ALEN); ++ ret = asix_write_cmd(dev, AX_CMD_WRITE_NODE_ID, 0, 0, ETH_ALEN, ++ data->mac_addr); ++ if (ret < 0) ++ goto out; ++ + /* Set RX_CTL to default values with 2k buffer, and enable cactus */ + ret = asix_write_rx_ctl(dev, AX_DEFAULT_RX_CTL); + if (ret < 0) diff --git a/queue-3.2/ath9k-fix-regression-in-channelwidth-switch-at-the-same-channel.patch b/queue-3.2/ath9k-fix-regression-in-channelwidth-switch-at-the-same-channel.patch new file mode 100644 index 00000000000..61baae203ca --- /dev/null +++ b/queue-3.2/ath9k-fix-regression-in-channelwidth-switch-at-the-same-channel.patch @@ -0,0 +1,63 @@ +From 1a19f77f3642b8194ad9cf55548cc5d92e841766 Mon Sep 17 00:00:00 2001 +From: Rajkumar Manoharan +Date: Mon, 9 Jan 2012 15:37:53 +0530 +Subject: ath9k: Fix regression in channelwidth switch at the same channel + +From: Rajkumar Manoharan + +commit 1a19f77f3642b8194ad9cf55548cc5d92e841766 upstream. + +The commit "ath9k: Fix invalid noisefloor reading due to channel update" +preserves the current channel noisefloor readings before updating +channel type at the same channel index. It is also updating the curchan +pointer. As survey updation is also referring curchan pointer to fetch +the appropriate index, which might leads to invalid memory access. This +patch partially reverts the change and stores the noise floor history +buffer before updating channel type w/o updating curchan. + +Cc: Gary Morain +Cc: Paul Stewart +Reported-by: Mohammed Shafi Shajakhan +Signed-off-by: Rajkumar Manoharan +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/calib.c | 1 + + drivers/net/wireless/ath/ath9k/main.c | 8 ++------ + 2 files changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/calib.c ++++ b/drivers/net/wireless/ath/ath9k/calib.c +@@ -402,6 +402,7 @@ bool ath9k_hw_getnf(struct ath_hw *ah, s + ah->noise = ath9k_hw_getchan_noise(ah, chan); + return true; + } ++EXPORT_SYMBOL(ath9k_hw_getnf); + + void ath9k_init_nfcal_hist_buffer(struct ath_hw *ah, + struct ath9k_channel *chan) +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -1667,7 +1667,6 @@ static int ath9k_config(struct ieee80211 + + if (changed & IEEE80211_CONF_CHANGE_CHANNEL) { + struct ieee80211_channel *curchan = hw->conf.channel; +- struct ath9k_channel old_chan; + int pos = curchan->hw_value; + int old_pos = -1; + unsigned long flags; +@@ -1693,11 +1692,8 @@ static int ath9k_config(struct ieee80211 + * Preserve the current channel values, before updating + * the same channel + */ +- if (old_pos == pos) { +- memcpy(&old_chan, &sc->sc_ah->channels[pos], +- sizeof(struct ath9k_channel)); +- ah->curchan = &old_chan; +- } ++ if (ah->curchan && (old_pos == pos)) ++ ath9k_hw_getnf(ah, ah->curchan); + + ath9k_cmn_update_ichannel(&sc->sc_ah->channels[pos], + curchan, conf->channel_type); diff --git a/queue-3.2/include-linux-crash_dump.h-needs-elf.h.patch b/queue-3.2/include-linux-crash_dump.h-needs-elf.h.patch new file mode 100644 index 00000000000..22cb55bdffe --- /dev/null +++ b/queue-3.2/include-linux-crash_dump.h-needs-elf.h.patch @@ -0,0 +1,52 @@ +From 1f536b9e9f85456df93614b3c2f6a1a2b7d7cb9b Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Thu, 12 Jan 2012 17:20:20 -0800 +Subject: include/linux/crash_dump.h needs elf.h + +From: Fabio Estevam + +commit 1f536b9e9f85456df93614b3c2f6a1a2b7d7cb9b upstream. + +Building an ARM target we get the following warnings: + + CC arch/arm/kernel/setup.o + In file included from arch/arm/kernel/setup.c:39: + arch/arm/include/asm/elf.h:102:1: warning: "vmcore_elf64_check_arch" redefined + In file included from arch/arm/kernel/setup.c:24: + include/linux/crash_dump.h:30:1: warning: this is the location of the previous definition + +Quoting Russell King: + +"linux/crash_dump.h makes no attempt to include asm/elf.h, but it depends +on stuff in asm/elf.h to determine how stuff inside this file is defined +at parse time. + +So, if asm/elf.h is included after linux/crash_dump.h or not at all, you +get a different result from the situation where asm/elf.h is included +before." + +So add elf.h header to crash_dump.h to avoid this problem. + +The original discussion about this can be found at: +http://www.spinics.net/lists/arm-kernel/msg154113.html + +Signed-off-by: Fabio Estevam +Cc: Russell King +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/crash_dump.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/linux/crash_dump.h ++++ b/include/linux/crash_dump.h +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + + #define ELFCORE_ADDR_MAX (-1ULL) + #define ELFCORE_ADDR_ERR (-2ULL) diff --git a/queue-3.2/mac80211-fix-rx-key-null-pointer-dereference-in-promiscuous-mode.patch b/queue-3.2/mac80211-fix-rx-key-null-pointer-dereference-in-promiscuous-mode.patch new file mode 100644 index 00000000000..3899288aaf4 --- /dev/null +++ b/queue-3.2/mac80211-fix-rx-key-null-pointer-dereference-in-promiscuous-mode.patch @@ -0,0 +1,49 @@ +From 1140afa862842ac3e56678693050760edc4ecde9 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Wed, 11 Jan 2012 09:26:54 +0100 +Subject: mac80211: fix rx->key NULL pointer dereference in promiscuous mode + +From: Stanislaw Gruszka + +commit 1140afa862842ac3e56678693050760edc4ecde9 upstream. + +Since: + +commit 816c04fe7ef01dd9649f5ccfe796474db8708be5 +Author: Christian Lamparter +Date: Sat Apr 30 15:24:30 2011 +0200 + + mac80211: consolidate MIC failure report handling + +is possible to that we dereference rx->key == NULL when driver set +RX_FLAG_MMIC_STRIPPED and not RX_FLAG_IV_STRIPPED and we are in +promiscuous mode. This happen with rt73usb and rt61pci at least. + +Before the commit we always check rx->key against NULL, so I assume +fix should be done in mac80211 (also mic_fail path has similar check). + +References: +https://bugzilla.redhat.com/show_bug.cgi?id=769766 +http://rt2x00.serialmonkey.com/pipermail/users_rt2x00.serialmonkey.com/2012-January/004395.html + +Reported-by: Stuart D Gathman +Reported-by: Kai Wohlfahrt +Signed-off-by: Stanislaw Gruszka +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/wpa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/wpa.c ++++ b/net/mac80211/wpa.c +@@ -106,7 +106,7 @@ ieee80211_rx_h_michael_mic_verify(struct + if (status->flag & RX_FLAG_MMIC_ERROR) + goto mic_fail; + +- if (!(status->flag & RX_FLAG_IV_STRIPPED)) ++ if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key) + goto update_iv; + + return RX_CONTINUE; diff --git a/queue-3.2/memcg-add-mem_cgroup_replace_page_cache-to-fix-lru-issue.patch b/queue-3.2/memcg-add-mem_cgroup_replace_page_cache-to-fix-lru-issue.patch new file mode 100644 index 00000000000..2034d322683 --- /dev/null +++ b/queue-3.2/memcg-add-mem_cgroup_replace_page_cache-to-fix-lru-issue.patch @@ -0,0 +1,172 @@ +From ab936cbcd02072a34b60d268f94440fd5cf1970b Mon Sep 17 00:00:00 2001 +From: KAMEZAWA Hiroyuki +Date: Thu, 12 Jan 2012 17:17:44 -0800 +Subject: memcg: add mem_cgroup_replace_page_cache() to fix LRU issue + +From: KAMEZAWA Hiroyuki + +commit ab936cbcd02072a34b60d268f94440fd5cf1970b upstream. + +Commit ef6a3c6311 ("mm: add replace_page_cache_page() function") added a +function replace_page_cache_page(). This function replaces a page in the +radix-tree with a new page. WHen doing this, memory cgroup needs to fix +up the accounting information. memcg need to check PCG_USED bit etc. + +In some(many?) cases, 'newpage' is on LRU before calling +replace_page_cache(). So, memcg's LRU accounting information should be +fixed, too. + +This patch adds mem_cgroup_replace_page_cache() and removes the old hooks. + In that function, old pages will be unaccounted without touching +res_counter and new page will be accounted to the memcg (of old page). +WHen overwriting pc->mem_cgroup of newpage, take zone->lru_lock and avoid +races with LRU handling. + +Background: + replace_page_cache_page() is called by FUSE code in its splice() handling. + Here, 'newpage' is replacing oldpage but this newpage is not a newly allocated + page and may be on LRU. LRU mis-accounting will be critical for memory cgroup + because rmdir() checks the whole LRU is empty and there is no account leak. + If a page is on the other LRU than it should be, rmdir() will fail. + +This bug was added in March 2011, but no bug report yet. I guess there +are not many people who use memcg and FUSE at the same time with upstream +kernels. + +The result of this bug is that admin cannot destroy a memcg because of +account leak. So, no panic, no deadlock. And, even if an active cgroup +exist, umount can succseed. So no problem at shutdown. + +Signed-off-by: KAMEZAWA Hiroyuki +Acked-by: Johannes Weiner +Acked-by: Michal Hocko +Cc: Miklos Szeredi +Cc: Hugh Dickins +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/memcontrol.h | 6 ++++++ + mm/filemap.c | 18 ++---------------- + mm/memcontrol.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 52 insertions(+), 16 deletions(-) + +--- a/include/linux/memcontrol.h ++++ b/include/linux/memcontrol.h +@@ -119,6 +119,8 @@ struct zone_reclaim_stat* + mem_cgroup_get_reclaim_stat_from_page(struct page *page); + extern void mem_cgroup_print_oom_info(struct mem_cgroup *memcg, + struct task_struct *p); ++extern void mem_cgroup_replace_page_cache(struct page *oldpage, ++ struct page *newpage); + + #ifdef CONFIG_CGROUP_MEM_RES_CTLR_SWAP + extern int do_swap_account; +@@ -366,6 +368,10 @@ static inline + void mem_cgroup_count_vm_event(struct mm_struct *mm, enum vm_event_item idx) + { + } ++static inline void mem_cgroup_replace_page_cache(struct page *oldpage, ++ struct page *newpage) ++{ ++} + #endif /* CONFIG_CGROUP_MEM_CONT */ + + #if !defined(CONFIG_CGROUP_MEM_RES_CTLR) || !defined(CONFIG_DEBUG_VM) +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -393,24 +393,11 @@ EXPORT_SYMBOL(filemap_write_and_wait_ran + int replace_page_cache_page(struct page *old, struct page *new, gfp_t gfp_mask) + { + int error; +- struct mem_cgroup *memcg = NULL; + + VM_BUG_ON(!PageLocked(old)); + VM_BUG_ON(!PageLocked(new)); + VM_BUG_ON(new->mapping); + +- /* +- * This is not page migration, but prepare_migration and +- * end_migration does enough work for charge replacement. +- * +- * In the longer term we probably want a specialized function +- * for moving the charge from old to new in a more efficient +- * manner. +- */ +- error = mem_cgroup_prepare_migration(old, new, &memcg, gfp_mask); +- if (error) +- return error; +- + error = radix_tree_preload(gfp_mask & ~__GFP_HIGHMEM); + if (!error) { + struct address_space *mapping = old->mapping; +@@ -432,13 +419,12 @@ int replace_page_cache_page(struct page + if (PageSwapBacked(new)) + __inc_zone_page_state(new, NR_SHMEM); + spin_unlock_irq(&mapping->tree_lock); ++ /* mem_cgroup codes must not be called under tree_lock */ ++ mem_cgroup_replace_page_cache(old, new); + radix_tree_preload_end(); + if (freepage) + freepage(old); + page_cache_release(old); +- mem_cgroup_end_migration(memcg, old, new, true); +- } else { +- mem_cgroup_end_migration(memcg, old, new, false); + } + + return error; +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -3366,6 +3366,50 @@ void mem_cgroup_end_migration(struct mem + cgroup_release_and_wakeup_rmdir(&memcg->css); + } + ++/* ++ * At replace page cache, newpage is not under any memcg but it's on ++ * LRU. So, this function doesn't touch res_counter but handles LRU ++ * in correct way. Both pages are locked so we cannot race with uncharge. ++ */ ++void mem_cgroup_replace_page_cache(struct page *oldpage, ++ struct page *newpage) ++{ ++ struct mem_cgroup *memcg; ++ struct page_cgroup *pc; ++ struct zone *zone; ++ enum charge_type type = MEM_CGROUP_CHARGE_TYPE_CACHE; ++ unsigned long flags; ++ ++ if (mem_cgroup_disabled()) ++ return; ++ ++ pc = lookup_page_cgroup(oldpage); ++ /* fix accounting on old pages */ ++ lock_page_cgroup(pc); ++ memcg = pc->mem_cgroup; ++ mem_cgroup_charge_statistics(memcg, PageCgroupCache(pc), -1); ++ ClearPageCgroupUsed(pc); ++ unlock_page_cgroup(pc); ++ ++ if (PageSwapBacked(oldpage)) ++ type = MEM_CGROUP_CHARGE_TYPE_SHMEM; ++ ++ zone = page_zone(newpage); ++ pc = lookup_page_cgroup(newpage); ++ /* ++ * Even if newpage->mapping was NULL before starting replacement, ++ * the newpage may be on LRU(or pagevec for LRU) already. We lock ++ * LRU while we overwrite pc->mem_cgroup. ++ */ ++ spin_lock_irqsave(&zone->lru_lock, flags); ++ if (PageLRU(newpage)) ++ del_page_from_lru_list(zone, newpage, page_lru(newpage)); ++ __mem_cgroup_commit_charge(memcg, newpage, 1, pc, type); ++ if (PageLRU(newpage)) ++ add_page_to_lru_list(zone, newpage, page_lru(newpage)); ++ spin_unlock_irqrestore(&zone->lru_lock, flags); ++} ++ + #ifdef CONFIG_DEBUG_VM + static struct page_cgroup *lookup_page_cgroup_used(struct page *page) + { diff --git a/queue-3.2/nfs-fix-recent-breakage-to-nfs-error-handling.patch b/queue-3.2/nfs-fix-recent-breakage-to-nfs-error-handling.patch index 8f55da04720..cc559c4a849 100644 --- a/queue-3.2/nfs-fix-recent-breakage-to-nfs-error-handling.patch +++ b/queue-3.2/nfs-fix-recent-breakage-to-nfs-error-handling.patch @@ -7,10 +7,10 @@ From: NeilBrown commit 2edb6bc3852c681c0d948245bd55108dc6407604 upstream. -From c6d615d2b97fe305cbf123a8751ced859dca1d5e Mon Sep 17 00:00:00 2001 -From: NeilBrown -Date: Wed, 16 Nov 2011 09:39:05 +1100 -Subject: NFS - fix recent breakage to NFS error handling. + From c6d615d2b97fe305cbf123a8751ced859dca1d5e Mon Sep 17 00:00:00 2001 + From: NeilBrown + Date: Wed, 16 Nov 2011 09:39:05 +1100 + Subject: NFS - fix recent breakage to NFS error handling. commit 02c24a82187d5a628c68edfe71ae60dc135cd178 made a small and presumably unintended change to write error handling in NFS. diff --git a/queue-3.2/rtl8192se-fix-bug-caused-by-failure-to-check-skb-allocation.patch b/queue-3.2/rtl8192se-fix-bug-caused-by-failure-to-check-skb-allocation.patch new file mode 100644 index 00000000000..45de3af7b4b --- /dev/null +++ b/queue-3.2/rtl8192se-fix-bug-caused-by-failure-to-check-skb-allocation.patch @@ -0,0 +1,41 @@ +From d90db4b12bc1b9b8a787ef28550fdb767ee25a49 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Wed, 4 Jan 2012 20:50:47 -0600 +Subject: rtl8192se: Fix BUG caused by failure to check skb allocation + +From: Larry Finger + +commit d90db4b12bc1b9b8a787ef28550fdb767ee25a49 upstream. + +When downloading firmware into the device, the driver fails to check the +return when allocating an skb. When the allocation fails, a BUG can be +generated, as seen in https://bugzilla.redhat.com/show_bug.cgi?id=771656. + +Signed-off-by: Larry Finger +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/rtl8192se/fw.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/wireless/rtlwifi/rtl8192se/fw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192se/fw.c +@@ -196,6 +196,8 @@ static bool _rtl92s_firmware_downloadcod + /* Allocate skb buffer to contain firmware */ + /* info and tx descriptor info. */ + skb = dev_alloc_skb(frag_length); ++ if (!skb) ++ return false; + skb_reserve(skb, extra_descoffset); + seg_ptr = (u8 *)skb_put(skb, (u32)(frag_length - + extra_descoffset)); +@@ -573,6 +575,8 @@ static bool _rtl92s_firmware_set_h2c_cmd + + len = _rtl92s_get_h2c_cmdlen(MAX_TRANSMIT_BUFFER_SIZE, 1, &cmd_len); + skb = dev_alloc_skb(len); ++ if (!skb) ++ return false; + cb_desc = (struct rtl_tcb_desc *)(skb->cb); + cb_desc->queue_index = TXCMD_QUEUE; + cb_desc->cmd_or_init = DESC_PACKET_TYPE_NORMAL; diff --git a/queue-3.2/series b/queue-3.2/series index d0333965283..e5c29e9f153 100644 --- a/queue-3.2/series +++ b/queue-3.2/series @@ -41,3 +41,11 @@ ima-free-duplicate-measurement-memory.patch ima-fix-invalid-memory-reference.patch slub-fix-a-possible-memleak-in-__slab_alloc.patch pnp-work-around-dell-1536-1546-bios-mmconfig-bug-that-breaks-usb.patch +asix-fix-setting-custom-mac-address-on-asix-88178-devices.patch +asix-fix-setting-custom-mac-address-on-asix-88772-devices.patch +include-linux-crash_dump.h-needs-elf.h.patch +rtl8192se-fix-bug-caused-by-failure-to-check-skb-allocation.patch +mac80211-fix-rx-key-null-pointer-dereference-in-promiscuous-mode.patch +ath9k-fix-regression-in-channelwidth-switch-at-the-same-channel.patch +memcg-add-mem_cgroup_replace_page_cache-to-fix-lru-issue.patch +x86-fix-mmap-random-address-range.patch diff --git a/queue-3.2/x86-fix-mmap-random-address-range.patch b/queue-3.2/x86-fix-mmap-random-address-range.patch new file mode 100644 index 00000000000..1a5d92848a6 --- /dev/null +++ b/queue-3.2/x86-fix-mmap-random-address-range.patch @@ -0,0 +1,45 @@ +From 9af0c7a6fa860698d080481f24a342ba74b68982 Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Tue, 15 Nov 2011 14:46:46 -0800 +Subject: x86: Fix mmap random address range + +From: Ludwig Nussel + +commit 9af0c7a6fa860698d080481f24a342ba74b68982 upstream. + +On x86_32 casting the unsigned int result of get_random_int() to +long may result in a negative value. On x86_32 the range of +mmap_rnd() therefore was -255 to 255. The 32bit mode on x86_64 +used 0 to 255 as intended. + +The bug was introduced by 675a081 ("x86: unify mmap_{32|64}.c") +in January 2008. + +Signed-off-by: Ludwig Nussel +Cc: Linus Torvalds +Cc: harvey.harrison@gmail.com +Cc: "H. Peter Anvin" +Cc: Harvey Harrison +Signed-off-by: Andrew Morton +Link: http://lkml.kernel.org/r/201111152246.pAFMklOB028527@wpaz5.hot.corp.google.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/mmap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/mm/mmap.c ++++ b/arch/x86/mm/mmap.c +@@ -75,9 +75,9 @@ static unsigned long mmap_rnd(void) + */ + if (current->flags & PF_RANDOMIZE) { + if (mmap_is_ia32()) +- rnd = (long)get_random_int() % (1<<8); ++ rnd = get_random_int() % (1<<8); + else +- rnd = (long)(get_random_int() % (1<<28)); ++ rnd = get_random_int() % (1<<28); + } + return rnd << PAGE_SHIFT; + }