From: Greg Kroah-Hartman Date: Tue, 15 Jan 2013 12:44:19 +0000 (-0800) Subject: 3.0-stable patches X-Git-Tag: v3.7.3~40 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a012045d689569bef52d89da5e516f2aa449e204;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: mac80211-use-del_timer_sync-for-final-sta-cleanup-timer-deletion.patch radeon-kms-force-rn50-chip-to-always-report-connected-on-analog-output.patch staging-comedi-comedi_test-fix-race-when-cancelling-command.patch staging-comedi-prevent-auto-unconfig-of-manually-configured-devices.patch staging-r8712u-add-new-device-id.patch staging-speakup-avoid-out-of-range-access-in-synth_add.patch staging-speakup-avoid-out-of-range-access-in-synth_init.patch --- diff --git a/queue-3.0/mac80211-use-del_timer_sync-for-final-sta-cleanup-timer-deletion.patch b/queue-3.0/mac80211-use-del_timer_sync-for-final-sta-cleanup-timer-deletion.patch new file mode 100644 index 00000000000..b3d21786ced --- /dev/null +++ b/queue-3.0/mac80211-use-del_timer_sync-for-final-sta-cleanup-timer-deletion.patch @@ -0,0 +1,35 @@ +From a56f992cdabc63f56b4b142885deebebf936ff76 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Thu, 13 Dec 2012 23:08:52 +0100 +Subject: mac80211: use del_timer_sync for final sta cleanup timer deletion + +From: Johannes Berg + +commit a56f992cdabc63f56b4b142885deebebf936ff76 upstream. + +This is a very old bug, but there's nothing that prevents the +timer from running while the module is being removed when we +only do del_timer() instead of del_timer_sync(). + +The timer should normally not be running at this point, but +it's not clearly impossible (or we could just remove this.) + +Tested-by: Ben Greear +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/sta_info.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -793,7 +793,7 @@ void sta_info_init(struct ieee80211_loca + + void sta_info_stop(struct ieee80211_local *local) + { +- del_timer(&local->sta_cleanup); ++ del_timer_sync(&local->sta_cleanup); + sta_info_flush(local, NULL); + } + diff --git a/queue-3.0/radeon-kms-force-rn50-chip-to-always-report-connected-on-analog-output.patch b/queue-3.0/radeon-kms-force-rn50-chip-to-always-report-connected-on-analog-output.patch new file mode 100644 index 00000000000..b610592e8b6 --- /dev/null +++ b/queue-3.0/radeon-kms-force-rn50-chip-to-always-report-connected-on-analog-output.patch @@ -0,0 +1,38 @@ +From 51861d4eebc2ddc25c77084343d060fa79f6e291 Mon Sep 17 00:00:00 2001 +From: Jerome Glisse +Date: Tue, 8 Jan 2013 18:41:01 -0500 +Subject: radeon/kms: force rn50 chip to always report connected on analog output + +From: Jerome Glisse + +commit 51861d4eebc2ddc25c77084343d060fa79f6e291 upstream. + +Those rn50 chip are often connected to console remoting hw and load +detection often fails with those. Just don't try to load detect and +report connect. + +Signed-off-by: Jerome Glisse +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_legacy_encoders.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/gpu/drm/radeon/radeon_legacy_encoders.c ++++ b/drivers/gpu/drm/radeon/radeon_legacy_encoders.c +@@ -617,6 +617,14 @@ static enum drm_connector_status radeon_ + enum drm_connector_status found = connector_status_disconnected; + bool color = true; + ++ /* just don't bother on RN50 those chip are often connected to remoting ++ * console hw and often we get failure to load detect those. So to make ++ * everyone happy report the encoder as always connected. ++ */ ++ if (ASIC_IS_RN50(rdev)) { ++ return connector_status_connected; ++ } ++ + /* save the regs we need */ + vclk_ecp_cntl = RREG32_PLL(RADEON_VCLK_ECP_CNTL); + crtc_ext_cntl = RREG32(RADEON_CRTC_EXT_CNTL); diff --git a/queue-3.0/series b/queue-3.0/series index 55cf69aa519..bd24d0a9099 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -46,3 +46,10 @@ rtnetlink-fix-rtnl_calcit-and-rtnl_dump_ifinfo.patch epoll-prevent-missed-events-on-epoll_ctl_mod.patch asoc-wm2000-fix-sense-of-speech-clarity-enable.patch alsa-pxa27x-fix-ac97-cold-reset.patch +staging-comedi-prevent-auto-unconfig-of-manually-configured-devices.patch +staging-comedi-comedi_test-fix-race-when-cancelling-command.patch +staging-r8712u-add-new-device-id.patch +staging-speakup-avoid-out-of-range-access-in-synth_init.patch +staging-speakup-avoid-out-of-range-access-in-synth_add.patch +radeon-kms-force-rn50-chip-to-always-report-connected-on-analog-output.patch +mac80211-use-del_timer_sync-for-final-sta-cleanup-timer-deletion.patch diff --git a/queue-3.0/staging-comedi-comedi_test-fix-race-when-cancelling-command.patch b/queue-3.0/staging-comedi-comedi_test-fix-race-when-cancelling-command.patch new file mode 100644 index 00000000000..68f40e96c83 --- /dev/null +++ b/queue-3.0/staging-comedi-comedi_test-fix-race-when-cancelling-command.patch @@ -0,0 +1,45 @@ +From c0729eeefdcd76db338f635162bf0739fd2c5f6f Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Fri, 4 Jan 2013 11:33:21 +0000 +Subject: staging: comedi: comedi_test: fix race when cancelling command + +From: Ian Abbott + +commit c0729eeefdcd76db338f635162bf0739fd2c5f6f upstream. + +Éric Piel reported a kernel oops in the "comedi_test" module. It was a +NULL pointer dereference within `waveform_ai_interrupt()` (actually a +timer function) that sometimes occurred when a running asynchronous +command is cancelled (either by the `COMEDI_CANCEL` ioctl or by closing +the device file). + +This seems to be a race between the caller of `waveform_ai_cancel()` +which on return from that function goes and tears down the running +command, and the timer function which uses the command. In particular, +`async->cmd.chanlist` gets freed (and the pointer set to NULL) by +`do_become_nonbusy()` in "comedi_fops.c" but a previously scheduled +`waveform_ai_interrupt()` timer function will dereference that pointer +regardless, leading to the oops. + +Fix it by replacing the `del_timer()` call in `waveform_ai_cancel()` +with `del_timer_sync()`. + +Signed-off-by: Ian Abbott +Reported-by: Éric Piel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/comedi_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/comedi/drivers/comedi_test.c ++++ b/drivers/staging/comedi/drivers/comedi_test.c +@@ -461,7 +461,7 @@ static int waveform_ai_cancel(struct com + struct comedi_subdevice *s) + { + devpriv->timer_running = 0; +- del_timer(&devpriv->timer); ++ del_timer_sync(&devpriv->timer); + return 0; + } + diff --git a/queue-3.0/staging-comedi-prevent-auto-unconfig-of-manually-configured-devices.patch b/queue-3.0/staging-comedi-prevent-auto-unconfig-of-manually-configured-devices.patch new file mode 100644 index 00000000000..7390739214b --- /dev/null +++ b/queue-3.0/staging-comedi-prevent-auto-unconfig-of-manually-configured-devices.patch @@ -0,0 +1,48 @@ +From 7d3135af399e92cf4c9bbc5f86b6c140aab3b88c Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Tue, 4 Dec 2012 15:59:55 +0000 +Subject: staging: comedi: prevent auto-unconfig of manually configured devices + +From: Ian Abbott + +commit 7d3135af399e92cf4c9bbc5f86b6c140aab3b88c upstream. + +When a low-level comedi driver auto-configures a device, a `struct +comedi_dev_file_info` is allocated (as well as a `struct +comedi_device`) by `comedi_alloc_board_minor()`. A pointer to the +hardware `struct device` is stored as a cookie in the `struct +comedi_dev_file_info`. When the low-level comedi driver +auto-unconfigures the device, `comedi_auto_unconfig()` uses the cookie +to find the `struct comedi_dev_file_info` so it can detach the comedi +device from the driver, clean it up and free it. + +A problem arises if the user manually unconfigures and reconfigures the +comedi device using the `COMEDI_DEVCONFIG` ioctl so that is no longer +associated with the original hardware device. The problem is that the +cookie is not cleared, so that a call to `comedi_auto_unconfig()` from +the low-level driver will still find it, detach it, clean it up and free +it. + +Stop this problem occurring by always clearing the `hardware_device` +cookie in the `struct comedi_dev_file_info` whenever the +`COMEDI_DEVCONFIG` ioctl call is successful. + +Signed-off-by: Ian Abbott +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/comedi_fops.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -138,6 +138,9 @@ static long comedi_unlocked_ioctl(struct + if (cmd == COMEDI_DEVCONFIG) { + rc = do_devconfig_ioctl(dev, + (struct comedi_devconfig __user *)arg); ++ if (rc == 0) ++ /* Evade comedi_auto_unconfig(). */ ++ dev_file_info->hardware_device = NULL; + goto done; + } + diff --git a/queue-3.0/staging-r8712u-add-new-device-id.patch b/queue-3.0/staging-r8712u-add-new-device-id.patch new file mode 100644 index 00000000000..ea4bf1fa4c2 --- /dev/null +++ b/queue-3.0/staging-r8712u-add-new-device-id.patch @@ -0,0 +1,32 @@ +From da849a92d3bafaf24d770e971c2c9e5c3f60b5d1 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Sat, 29 Dec 2012 11:36:53 -0600 +Subject: staging: r8712u: Add new device ID + +From: Larry Finger + +commit da849a92d3bafaf24d770e971c2c9e5c3f60b5d1 upstream. + +The ISY IWL 1000 USB WLAN stick with USB ID 050d:11f1 is a clone of +the Belkin F7D1101 V1 device. + +Reported-by: Thomas Hartmann +Signed-off-by: Larry Finger +Cc: Thomas Hartmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8712/usb_intf.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -62,6 +62,8 @@ static struct usb_device_id rtl871x_usb_ + {USB_DEVICE(0x0B05, 0x1791)}, /* 11n mode disable */ + /* Belkin */ + {USB_DEVICE(0x050D, 0x945A)}, ++ /* ISY IWL - Belkin clone */ ++ {USB_DEVICE(0x050D, 0x11F1)}, + /* Corega */ + {USB_DEVICE(0x07AA, 0x0047)}, + /* D-Link */ diff --git a/queue-3.0/staging-speakup-avoid-out-of-range-access-in-synth_add.patch b/queue-3.0/staging-speakup-avoid-out-of-range-access-in-synth_add.patch new file mode 100644 index 00000000000..26b556d4554 --- /dev/null +++ b/queue-3.0/staging-speakup-avoid-out-of-range-access-in-synth_add.patch @@ -0,0 +1,30 @@ +From 6102c48bd421074a33e102f2ebda3724e8d275f9 Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Mon, 7 Jan 2013 22:03:51 +0100 +Subject: staging: speakup: avoid out-of-range access in synth_add() + +From: Samuel Thibault + +commit 6102c48bd421074a33e102f2ebda3724e8d275f9 upstream. + +Check that array index is in-bounds before accessing the synths[] array. + +Signed-off-by: Samuel Thibault +Cc: Nickolai Zeldovich +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/speakup/synth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/speakup/synth.c ++++ b/drivers/staging/speakup/synth.c +@@ -423,7 +423,7 @@ int synth_add(struct spk_synth *in_synth + int i; + int status = 0; + mutex_lock(&spk_mutex); +- for (i = 0; synths[i] != NULL && i < MAXSYNTHS; i++) ++ for (i = 0; i < MAXSYNTHS && synths[i] != NULL; i++) + /* synth_remove() is responsible for rotating the array down */ + if (in_synth == synths[i]) { + mutex_unlock(&spk_mutex); diff --git a/queue-3.0/staging-speakup-avoid-out-of-range-access-in-synth_init.patch b/queue-3.0/staging-speakup-avoid-out-of-range-access-in-synth_init.patch new file mode 100644 index 00000000000..0cd3e613d8e --- /dev/null +++ b/queue-3.0/staging-speakup-avoid-out-of-range-access-in-synth_init.patch @@ -0,0 +1,30 @@ +From ae428655b826f2755a8101b27beda42a275ef8ad Mon Sep 17 00:00:00 2001 +From: Nickolai Zeldovich +Date: Sat, 5 Jan 2013 14:17:45 -0500 +Subject: staging: speakup: avoid out-of-range access in synth_init() + +From: Nickolai Zeldovich + +commit ae428655b826f2755a8101b27beda42a275ef8ad upstream. + +Check that array index is in-bounds before accessing the synths[] array. + +Signed-off-by: Nickolai Zeldovich +Cc: Samuel Thibault +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/speakup/synth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/speakup/synth.c ++++ b/drivers/staging/speakup/synth.c +@@ -342,7 +342,7 @@ int synth_init(char *synth_name) + + mutex_lock(&spk_mutex); + /* First, check if we already have it loaded. */ +- for (i = 0; synths[i] != NULL && i < MAXSYNTHS; i++) ++ for (i = 0; i < MAXSYNTHS && synths[i] != NULL; i++) + if (strcmp(synths[i]->name, synth_name) == 0) + synth = synths[i]; +