1. 12 Jul, 2012 10 commits
    • mac80211: correct behaviour on unrecognised action frames · 8be32365
      Johannes Berg authored
      commit 4b5ebccc upstream.
      
      When receiving an "individually addressed" action frame, the
      receiver is required to return it to the sender. mac80211
      gets this wrong as it also returns group addressed (mcast)
      frames to the sender. Fix this and update the reference to
      the new 802.11 standards version since things were shuffled
      around significantly.
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • Panayiotis Karabassis
      8055d02b
    • rtlwifi: rtl8192cu: New USB IDs · 9eec182c
      Larry Finger authored
      commit f63d7dab upstream.
      
      The latest Realtek driver for the RTL8188CU and RTL8192CU chips adds three
      new USB IDs.
      Reported-by: Xose Vazquez Perez <xose.vazquez@gmail.com>
      Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • NFC: Return from rawsock_release when sk is NULL · b82b566a
      Eric Dumazet authored
      commit 03e934f6 upstream.
      
      Sasha Levin reported following panic :
      
      [ 2136.383310] BUG: unable to handle kernel NULL pointer dereference at
      00000000000003b0
      [ 2136.384022] IP: [<ffffffff8114e400>] __lock_acquire+0xc0/0x4b0
      [ 2136.384022] PGD 131c4067 PUD 11c0c067 PMD 0
      [ 2136.388106] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
      [ 2136.388106] CPU 1
      [ 2136.388106] Pid: 24855, comm: trinity-child1 Tainted: G        W
      3.5.0-rc2-sasha-00015-g7b268f7 #374
      [ 2136.388106] RIP: 0010:[<ffffffff8114e400>]  [<ffffffff8114e400>]
      __lock_acquire+0xc0/0x4b0
      [ 2136.388106] RSP: 0018:ffff8800130b3ca8  EFLAGS: 00010046
      [ 2136.388106] RAX: 0000000000000086 RBX: ffff88001186b000 RCX:
      0000000000000000
      [ 2136.388106] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
      0000000000000000
      [ 2136.388106] RBP: ffff8800130b3d08 R08: 0000000000000001 R09:
      0000000000000000
      [ 2136.388106] R10: 0000000000000000 R11: 0000000000000001 R12:
      0000000000000002
      [ 2136.388106] R13: 00000000000003b0 R14: 0000000000000000 R15:
      0000000000000000
      [ 2136.388106] FS:  00007fa5b1bd4700(0000) GS:ffff88001b800000(0000)
      knlGS:0000000000000000
      [ 2136.388106] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2136.388106] CR2: 00000000000003b0 CR3: 0000000011d1f000 CR4:
      00000000000406e0
      [ 2136.388106] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
      0000000000000000
      [ 2136.388106] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
      0000000000000400
      [ 2136.388106] Process trinity-child1 (pid: 24855, threadinfo
      ffff8800130b2000, task ffff88001186b000)
      [ 2136.388106] Stack:
      [ 2136.388106]  ffff8800130b3cd8 ffffffff81121785 ffffffff81236774
      000080d000000001
      [ 2136.388106]  ffff88001b9d6c00 00000000001d6c00 ffffffff130b3d08
      ffff88001186b000
      [ 2136.388106]  0000000000000000 0000000000000002 0000000000000000
      0000000000000000
      [ 2136.388106] Call Trace:
      [ 2136.388106]  [<ffffffff81121785>] ? sched_clock_local+0x25/0x90
      [ 2136.388106]  [<ffffffff81236774>] ? get_empty_filp+0x74/0x220
      [ 2136.388106]  [<ffffffff8114e97a>] lock_acquire+0x18a/0x1e0
      [ 2136.388106]  [<ffffffff836b37df>] ? rawsock_release+0x4f/0xa0
      [ 2136.388106]  [<ffffffff837c0ef0>] _raw_write_lock_bh+0x40/0x80
      [ 2136.388106]  [<ffffffff836b37df>] ? rawsock_release+0x4f/0xa0
      [ 2136.388106]  [<ffffffff836b37df>] rawsock_release+0x4f/0xa0
      [ 2136.388106]  [<ffffffff8321cfe8>] sock_release+0x18/0x70
      [ 2136.388106]  [<ffffffff8321d069>] sock_close+0x29/0x30
      [ 2136.388106]  [<ffffffff81236bca>] __fput+0x11a/0x2c0
      [ 2136.388106]  [<ffffffff81236d85>] fput+0x15/0x20
      [ 2136.388106]  [<ffffffff8321de34>] sys_accept4+0x1b4/0x200
      [ 2136.388106]  [<ffffffff837c165c>] ? _raw_spin_unlock_irq+0x4c/0x80
      [ 2136.388106]  [<ffffffff837c1669>] ? _raw_spin_unlock_irq+0x59/0x80
      [ 2136.388106]  [<ffffffff837c2565>] ? sysret_check+0x22/0x5d
      [ 2136.388106]  [<ffffffff8321de8b>] sys_accept+0xb/0x10
      [ 2136.388106]  [<ffffffff837c2539>] system_call_fastpath+0x16/0x1b
      [ 2136.388106] Code: ec 04 00 0f 85 ea 03 00 00 be d5 0b 00 00 48 c7 c7
      8a c1 40 84 e8 b1 a5 f8 ff 31 c0 e9 d4 03 00 00 66 2e 0f 1f 84 00 00 00
      00 00 <49> 81 7d 00 60 73 5e 85 b8 01 00 00 00 44 0f 44 e0 83 fe 01 77
      [ 2136.388106] RIP  [<ffffffff8114e400>] __lock_acquire+0xc0/0x4b0
      [ 2136.388106]  RSP <ffff8800130b3ca8>
      [ 2136.388106] CR2: 00000000000003b0
      [ 2136.388106] ---[ end trace 6d450e935ee18982 ]---
      [ 2136.388106] Kernel panic - not syncing: Fatal exception in interrupt
      
      rawsock_release() should test if sock->sk is NULL before calling
      sock_orphan()/sock_put()
      Reported-by: Sasha Levin <levinsasha928@gmail.com>
      Tested-by: Sasha Levin <levinsasha928@gmail.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
      [bwh: Backported to 3.2: keep using nfc_dbg(), not pr_debug()]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ath9k: fix dynamic WEP related regression · e087c013
      Felix Fietkau authored
      commit bed3d9c0 upstream.
      
      commit 7a532fe7
      ath9k_hw: fix interpretation of the rx KeyMiss flag
      
      This commit used the rx key miss indication to detect packets that were
      passed from the hardware without being decrypted, however it seems that
      this bit is not only undefined in the static WEP case, but also for
      dynamically allocated WEP keys. This caused a regression when using
      WEP-LEAP.
      
      This patch fixes the regression by keeping track of which key indexes
      refer to CCMP keys and only using the key miss indication for those.
      Reported-by: Stanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: Felix Fietkau <nbd@openwrt.org>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • NFC: Prevent multiple buffer overflows in NCI · ec5b2b02
      Dan Rosenberg authored
      commit 67de956f upstream.
      
      Fix multiple remotely-exploitable stack-based buffer overflows due to
      the NCI code pulling length fields directly from incoming frames and
      copying too much data into statically-sized arrays.
      Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
      Cc: security@kernel.org
      Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
      Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
      Cc: Samuel Ortiz <sameo@linux.intel.com>
      Cc: David S. Miller <davem@davemloft.net>
      Acked-by: Ilan Elias <ilane@ti.com>
      Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
      [bwh: Backported to 3.2:
       - Drop changes to parsing of tech B and tech F parameters
       - Various renaming]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • mwifiex: fix WPS eapol handshake failure · a49edd12
      Stone Piao authored
      commit f03ba7e9 upstream.
      
      After association, STA will go through eapol handshake with WPS
      enabled AP. It's observed that WPS handshake fails with some 11n
      AP. The reason for the failure is that the eapol packet is sent
      via 11n frame aggregation.
      
      The eapol packet should be sent directly without 11n aggregation.
      
      This patch fixes the problem by adding WPS session control while
      dequeuing Tx packets for transmission.
      Signed-off-by: Stone Piao <piaoyun@marvell.com>
      Signed-off-by: Avinash Patil <patila@marvell.com>
      Signed-off-by: Bing Zhao <bzhao@marvell.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
      [bwh: Backported to 3.2: reformat the if-statement per earlier
       upstream commit c65a30f3]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • mwifiex: fix 11n rx packet drop issue · 7b6d20c1
      Stone Piao authored
      commit 92583924 upstream.
      
      Currently we check the sequence number of last packet received
      against start_win. If a sequence hole is detected, start_win is
      updated to next sequence number.
      
      Since the rx sequence number is initialized to 0, a corner case
      exists when BA setup happens immediately after association. As
      0 is a valid sequence number, start_win gets increased to 1
      incorrectly. This causes the first packet with sequence number 0
      being dropped.
      
      Initialize rx sequence number as 0xffff and skip adjusting
      start_win if the sequence number remains 0xffff. The sequence
      number will be updated once the first packet is received.
      Signed-off-by: Stone Piao <piaoyun@marvell.com>
      Signed-off-by: Avinash Patil <patila@marvell.com>
      Signed-off-by: Kiran Divekar <dkiran@marvell.com>
      Signed-off-by: Bing Zhao <bzhao@marvell.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • umem: fix up unplugging · a7afeb90
      Tao Guo authored
      commit 32587371 upstream.
      
      Fix a regression introduced by 7eaceacc ("block: remove per-queue
      plugging").  In that patch, Jens removed the whole mm_unplug_device()
      function, which used to be the trigger to make umem start to work.
      
      We need to implement unplugging to make umem start to work, or I/O will
      never be triggered.
      Signed-off-by: Tao Guo <Tao.Guo@emc.com>
      Cc: Neil Brown <neilb@suse.de>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Shaohua Li <shli@kernel.org>
      Acked-by: NeilBrown <neilb@suse.de>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • splice: fix racy pipe->buffers uses · 9558b2ab
      Eric Dumazet authored
      commit 047fe360 upstream.
      
      Dave Jones reported a kernel BUG at mm/slub.c:3474! triggered
      by splice_shrink_spd() called from vmsplice_to_pipe()
      
      commit 35f3d14d (pipe: add support for shrinking and growing pipes)
      added capability to adjust pipe->buffers.
      
      Problem is some paths don't hold pipe mutex and assume pipe->buffers
      doesn't change for their duration.
      
      Fix this by adding nr_pages_max field in struct splice_pipe_desc, and
      use it in place of pipe->buffers where appropriate.
      
      splice_shrink_spd() loses its struct pipe_inode_info argument.
      Reported-by: Dave Jones <davej@redhat.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Tom Herbert <therbert@google.com>
      Tested-by: Dave Jones <davej@redhat.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      [bwh: Backported to 3.2:
       - Adjust context in vmsplice_to_pipe()
       - Update one more call to splice_shrink_spd(), from skb_splice_bits()]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  2. 04 Jul, 2012 30 commits