rpms/kernel/devel linux-2.6-upstream-reverts.patch, NONE, 1.1 patch-2.6.24.1-rc1.bz2.sign, NONE, 1.1 .cvsignore, 1.758, 1.759 kernel.spec, 1.407, 1.408 mirrors, 1.4, 1.5 sources, 1.718, 1.719 upstream, 1.640, 1.641 linux-2.6-epoll-lockdep-annotation.patch, 1.1, NONE linux-2.6-selinux-strip-leading-slashes.patch, 1.1, NONE
Chuck Ebbert (cebbert)
fedora-extras-commits at redhat.com
Fri Feb 8 18:14:58 UTC 2008
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4676
Modified Files:
.cvsignore kernel.spec mirrors sources upstream
Added Files:
linux-2.6-upstream-reverts.patch patch-2.6.24.1-rc1.bz2.sign
Removed Files:
linux-2.6-epoll-lockdep-annotation.patch
linux-2.6-selinux-strip-leading-slashes.patch
Log Message:
* Fri Feb 08 2008 Chuck Ebbert <cebbert at redhat.com>
- Linux 2.6.24.1
linux-2.6-upstream-reverts.patch:
--- NEW FILE linux-2.6-upstream-reverts.patch ---
>From stable-bounces at linux.kernel.org Sat Jan 26 04:57:05 2008
From: Michael Buesch <mb at bu3sch.de>
Date: Sat, 26 Jan 2008 13:54:52 +0100
Subject: b43: Reject new firmware early
To: stable at kernel.org
Cc: linux-wireless at vger.kernel.org, Bcm43xx-dev at lists.berlios.de
Message-ID: <200801261354.52659.mb at bu3sch.de>
Content-Disposition: inline
From: Michael Buesch <mb at bu3sch.de>
(not in mainline, as it is not applicable.)
We must reject new incompatible firmware early to avoid
running into strange transmission failures.
The current development tree supports newer firmware revisions.
These revisions cause strange failures on the stable 2.6.24 kernel.
Add a check to avoid confusing users a lot.
Signed-off-by: Michael Buesch <mb at bu3sch.de>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
drivers/net/wireless/b43/main.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/drivers/net/wireless/b43/main.c
+++ b/drivers/net/wireless/b43/main.c
@@ -1800,6 +1800,18 @@ static int b43_upload_microcode(struct b
err = -EOPNOTSUPP;
goto out;
}
+ if (fwrev > 351) {
+ b43err(dev->wl, "YOUR FIRMWARE IS TOO NEW. Please downgrade your "
+ "firmware.\n");
+ b43err(dev->wl, "Use this firmware tarball: "
+ "http://downloads.openwrt.org/sources/broadcom-wl-4.80.53.0.tar.bz2\n");
+ b43err(dev->wl, "Use this b43-fwcutter tarball: "
+ "http://bu3sch.de/b43/fwcutter/b43-fwcutter-009.tar.bz2\n");
+ b43err(dev->wl, "Read, understand and _do_ what this message says, please.\n");
+ b43_write32(dev, B43_MMIO_MACCTL, 0);
+ err = -EOPNOTSUPP;
+ goto out;
+ }
b43dbg(dev->wl, "Loading firmware version %u.%u "
"(20%.2i-%.2i-%.2i %.2i:%.2i:%.2i)\n",
fwrev, fwpatch,
>From stable-bounces at linux.kernel.org Fri Jan 25 05:42:44 2008
From: Stefano Brivio <stefano.brivio at polimi.it>
Date: Fri, 25 Jan 2008 14:32:00 +0100
Subject: b43legacy: fix DMA slot resource leakage
To: stable at kernel.org
Cc: Michael at hera.kernel.org, linux-wireless at vger.kernel.org, bcm43xx-dev at lists.berlios.de, Buesch <mb at bu3sch.de>
Message-ID: <20080125143200.4a77d304 at morte>
From: Stefano Brivio <stefano.brivio at polimi.it>
patch 8dd0100ce9511e52614ecd0a6587c13ce5769c8b in mainline.
This fixes four resource leakages.
In any error path we must deallocate the DMA frame slots we
previously allocated by request_slot().
This is done by storing the ring pointers before doing any ring
allocation and restoring the old pointers in case of an error.
This patch by Michael Buesch has been ported to b43legacy.
Cc: Michael Buesch <mb at bu3sch.de>
Signed-off-by: Stefano Brivio <stefano.brivio at polimi.it>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
drivers/net/wireless/b43legacy/dma.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/b43legacy/dma.c
+++ b/drivers/net/wireless/b43legacy/dma.c
@@ -1164,7 +1164,7 @@ static int dma_tx_fragment(struct b43leg
{
const struct b43legacy_dma_ops *ops = ring->ops;
u8 *header;
- int slot;
+ int slot, old_top_slot, old_used_slots;
int err;
struct b43legacy_dmadesc_generic *desc;
struct b43legacy_dmadesc_meta *meta;
@@ -1174,6 +1174,9 @@ static int dma_tx_fragment(struct b43leg
#define SLOTS_PER_PACKET 2
B43legacy_WARN_ON(skb_shinfo(skb)->nr_frags != 0);
+ old_top_slot = ring->current_slot;
+ old_used_slots = ring->used_slots;
+
/* Get a slot for the header. */
slot = request_slot(ring);
desc = ops->idx2desc(ring, slot, &meta_hdr);
@@ -1184,8 +1187,11 @@ static int dma_tx_fragment(struct b43leg
err = b43legacy_generate_txhdr(ring->dev, header,
skb->data, skb->len, ctl,
generate_cookie(ring, slot));
- if (unlikely(err))
+ if (unlikely(err)) {
+ ring->current_slot = old_top_slot;
+ ring->used_slots = old_used_slots;
return err;
+ }
meta_hdr->dmaaddr = map_descbuffer(ring, (unsigned char *)header,
sizeof(struct b43legacy_txhdr_fw3), 1);
@@ -1208,6 +1214,8 @@ static int dma_tx_fragment(struct b43leg
if (dma_mapping_error(meta->dmaaddr)) {
bounce_skb = __dev_alloc_skb(skb->len, GFP_ATOMIC | GFP_DMA);
if (!bounce_skb) {
+ ring->current_slot = old_top_slot;
+ ring->used_slots = old_used_slots;
err = -ENOMEM;
goto out_unmap_hdr;
}
@@ -1218,6 +1226,8 @@ static int dma_tx_fragment(struct b43leg
meta->skb = skb;
meta->dmaaddr = map_descbuffer(ring, skb->data, skb->len, 1);
if (dma_mapping_error(meta->dmaaddr)) {
+ ring->current_slot = old_top_slot;
+ ring->used_slots = old_used_slots;
err = -EIO;
goto out_free_bounce;
}
>From stable-bounces at linux.kernel.org Fri Jan 25 05:40:25 2008
From: Stefano Brivio <stefano.brivio at polimi.it>
Date: Fri, 25 Jan 2008 14:29:50 +0100
Subject: b43legacy: drop packets we are not able to encrypt
To: stable at kernel.org
Cc: Michael at hera.kernel.org, linux-wireless at vger.kernel.org, bcm43xx-dev at lists.berlios.de, Buesch <mb at bu3sch.de>
Message-ID: <20080125142950.3146020a at morte>
From: Stefano Brivio <stefano.brivio at polimi.it>
patch 9eca9a8e81928685b4de00ecef83a7c13c340fc9 in mainline.
We must drop any packets we are not able to encrypt.
We must not send them unencrypted or with an all-zero-key (which
basically is the same as unencrypted, from a security point of view).
This might only trigger shortly after resume before mac80211 reassociated
and reconfigured the keys.
It is safe to drop these packets, as the association they belong to
is not guaranteed anymore anyway.
This is a security fix in the sense that it prevents information leakage.
This patch by Michael Buesch has been ported to b43legacy.
Cc: Michael Buesch <mb at bu3sch.de>
Signed-off-by: Stefano Brivio <stefano.brivio at polimi.it>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
drivers/net/wireless/b43legacy/dma.c | 11 ++++++++++-
drivers/net/wireless/b43legacy/pio.c | 18 +++++++++++++++---
drivers/net/wireless/b43legacy/xmit.c | 15 ++++++++++++---
drivers/net/wireless/b43legacy/xmit.h | 2 +-
4 files changed, 38 insertions(+), 8 deletions(-)
--- a/drivers/net/wireless/b43legacy/dma.c
+++ b/drivers/net/wireless/b43legacy/dma.c
@@ -1181,9 +1181,11 @@ static int dma_tx_fragment(struct b43leg
header = &(ring->txhdr_cache[slot * sizeof(
struct b43legacy_txhdr_fw3)]);
- b43legacy_generate_txhdr(ring->dev, header,
+ err = b43legacy_generate_txhdr(ring->dev, header,
skb->data, skb->len, ctl,
generate_cookie(ring, slot));
+ if (unlikely(err))
+ return err;
meta_hdr->dmaaddr = map_descbuffer(ring, (unsigned char *)header,
sizeof(struct b43legacy_txhdr_fw3), 1);
@@ -1282,6 +1284,13 @@ int b43legacy_dma_tx(struct b43legacy_wl
B43legacy_BUG_ON(ring->stopped);
err = dma_tx_fragment(ring, skb, ctl);
+ if (unlikely(err == -ENOKEY)) {
+ /* Drop this packet, as we don't have the encryption key
+ * anymore and must not transmit it unencrypted. */
+ dev_kfree_skb_any(skb);
+ err = 0;
+ goto out_unlock;
+ }
if (unlikely(err)) {
b43legacyerr(dev->wl, "DMA tx mapping failure\n");
goto out_unlock;
--- a/drivers/net/wireless/b43legacy/pio.c
+++ b/drivers/net/wireless/b43legacy/pio.c
@@ -181,7 +181,7 @@ union txhdr_union {
struct b43legacy_txhdr_fw3 txhdr_fw3;
};
-static void pio_tx_write_fragment(struct b43legacy_pioqueue *queue,
+static int pio_tx_write_fragment(struct b43legacy_pioqueue *queue,
struct sk_buff *skb,
struct b43legacy_pio_txpacket *packet,
size_t txhdr_size)
@@ -189,14 +189,17 @@ static void pio_tx_write_fragment(struct
union txhdr_union txhdr_data;
u8 *txhdr = NULL;
unsigned int octets;
+ int err;
txhdr = (u8 *)(&txhdr_data.txhdr_fw3);
B43legacy_WARN_ON(skb_shinfo(skb)->nr_frags != 0);
- b43legacy_generate_txhdr(queue->dev,
+ err = b43legacy_generate_txhdr(queue->dev,
txhdr, skb->data, skb->len,
&packet->txstat.control,
generate_cookie(queue, packet));
+ if (err)
+ return err;
tx_start(queue);
octets = skb->len + txhdr_size;
@@ -204,6 +207,8 @@ static void pio_tx_write_fragment(struct
octets--;
tx_data(queue, txhdr, (u8 *)skb->data, octets);
tx_complete(queue, skb);
+
+ return 0;
}
static void free_txpacket(struct b43legacy_pio_txpacket *packet,
@@ -226,6 +231,7 @@ static int pio_tx_packet(struct b43legac
struct b43legacy_pioqueue *queue = packet->queue;
struct sk_buff *skb = packet->skb;
u16 octets;
+ int err;
octets = (u16)skb->len + sizeof(struct b43legacy_txhdr_fw3);
if (queue->tx_devq_size < octets) {
@@ -247,8 +253,14 @@ static int pio_tx_packet(struct b43legac
if (queue->tx_devq_used + octets > queue->tx_devq_size)
return -EBUSY;
/* Now poke the device. */
- pio_tx_write_fragment(queue, skb, packet,
+ err = pio_tx_write_fragment(queue, skb, packet,
sizeof(struct b43legacy_txhdr_fw3));
+ if (unlikely(err == -ENOKEY)) {
+ /* Drop this packet, as we don't have the encryption key
+ * anymore and must not transmit it unencrypted. */
+ free_txpacket(packet, 1);
+ return 0;
+ }
/* Account for the packet size.
* (We must not overflow the device TX queue)
--- a/drivers/net/wireless/b43legacy/xmit.c
+++ b/drivers/net/wireless/b43legacy/xmit.c
@@ -181,7 +181,7 @@ static u8 b43legacy_calc_fallback_rate(u
return 0;
}
-static void generate_txhdr_fw3(struct b43legacy_wldev *dev,
+static int generate_txhdr_fw3(struct b43legacy_wldev *dev,
struct b43legacy_txhdr_fw3 *txhdr,
const unsigned char *fragment_data,
unsigned int fragment_len,
@@ -252,6 +252,13 @@ static void generate_txhdr_fw3(struct b4
iv_len = min((size_t)txctl->iv_len,
ARRAY_SIZE(txhdr->iv));
memcpy(txhdr->iv, ((u8 *)wlhdr) + wlhdr_len, iv_len);
+ } else {
+ /* This key is invalid. This might only happen
+ * in a short timeframe after machine resume before
+ * we were able to reconfigure keys.
+ * Drop this packet completely. Do not transmit it
+ * unencrypted to avoid leaking information. */
+ return -ENOKEY;
}
}
b43legacy_generate_plcp_hdr((struct b43legacy_plcp_hdr4 *)
@@ -344,16 +351,18 @@ static void generate_txhdr_fw3(struct b4
/* Apply the bitfields */
txhdr->mac_ctl = cpu_to_le32(mac_ctl);
txhdr->phy_ctl = cpu_to_le16(phy_ctl);
+
+ return 0;
}
-void b43legacy_generate_txhdr(struct b43legacy_wldev *dev,
+int b43legacy_generate_txhdr(struct b43legacy_wldev *dev,
u8 *txhdr,
const unsigned char *fragment_data,
unsigned int fragment_len,
const struct ieee80211_tx_control *txctl,
u16 cookie)
{
- generate_txhdr_fw3(dev, (struct b43legacy_txhdr_fw3 *)txhdr,
+ return generate_txhdr_fw3(dev, (struct b43legacy_txhdr_fw3 *)txhdr,
fragment_data, fragment_len,
txctl, cookie);
}
--- a/drivers/net/wireless/b43legacy/xmit.h
+++ b/drivers/net/wireless/b43legacy/xmit.h
@@ -76,7 +76,7 @@ struct b43legacy_txhdr_fw3 {
-void b43legacy_generate_txhdr(struct b43legacy_wldev *dev,
+int b43legacy_generate_txhdr(struct b43legacy_wldev *dev,
u8 *txhdr,
const unsigned char *fragment_data,
unsigned int fragment_len,
>From stable-bounces at linux.kernel.org Fri Jan 25 05:37:00 2008
From: Stefano Brivio <stefano.brivio at polimi.it>
Date: Fri, 25 Jan 2008 14:26:21 +0100
Subject: b43legacy: fix suspend/resume
To: stable at kernel.org
Cc: Michael at hera.kernel.org, linux-wireless at vger.kernel.org, bcm43xx-dev at lists.berlios.de, Buesch <mb at bu3sch.de>
Message-ID: <20080125142621.0d240fd8 at morte>
From: Stefano Brivio <stefano.brivio at polimi.it>
patch ada50731c0346bf900dc387edd3a6961297bf2d3 in mainline.
This patch makes suspend/resume work with the b43legacy driver.
We must not overwrite the MAC addresses in the init function, as this
would also overwrite the MAC on resume. With an all-zero MAC the device
firmware is not able to ACK any received packets anymore.
Fix this by moving the initializion stuff that must be done on init but
not on resume to the start function.
Also zero out filter_flags to make sure we don't have some flags
from a previous instance for a tiny timeframe until mac80211 reconfigures
them.
This patch by Michael Buesch has been ported to b43legacy.
Cc: Michael Buesch <mb at bu3sch.de>
Signed-off-by: Stefano Brivio <stefano.brivio at polimi.it>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
drivers/net/wireless/b43legacy/main.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/b43legacy/main.c
+++ b/drivers/net/wireless/b43legacy/main.c
@@ -3215,8 +3215,6 @@ static int b43legacy_wireless_core_init(
b43legacy_shm_write16(dev, B43legacy_SHM_SHARED, 0x0414, 0x01F4);
ssb_bus_powerup(bus, 1); /* Enable dynamic PCTL */
- memset(wl->bssid, 0, ETH_ALEN);
- memset(wl->mac_addr, 0, ETH_ALEN);
b43legacy_upload_card_macaddress(dev);
b43legacy_security_init(dev);
b43legacy_rng_init(wl);
@@ -3311,6 +3309,13 @@ static int b43legacy_start(struct ieee80
int did_init = 0;
int err = 0;
+ /* Kill all old instance specific information to make sure
+ * the card won't use it in the short timeframe between start
+ * and mac80211 reconfiguring it. */
+ memset(wl->bssid, 0, ETH_ALEN);
+ memset(wl->mac_addr, 0, ETH_ALEN);
+ wl->filter_flags = 0;
+
mutex_lock(&wl->mutex);
if (b43legacy_status(dev) < B43legacy_STAT_INITIALIZED) {
>From stable-bounces at linux.kernel.org Fri Jan 25 05:34:45 2008
From: Stefano Brivio <stefano.brivio at polimi.it>
Date: Fri, 25 Jan 2008 14:24:05 +0100
Subject: b43legacy: fix PIO crash
To: stable at kernel.org
Cc: linux-wireless at vger.kernel.org, bcm43xx-dev at lists.berlios.de
Message-ID: <20080125142405.00429ede at morte>
From: Stefano Brivio <stefano.brivio at polimi.it>
patch 0cd67d48b519c3d8d89d238fab1cf68a5289638a in mainline.
Fix the crash reported below, which seems to happen on bcm4306 rev. 2 devices
only while using PIO:
Oops: 0000 [#1] PREEMPT
Modules linked in: b43(F) rfkill(F) led_class(F) input_polldev(F) arc4 b43legacy mac80211 cfg80211 i915 drm snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device ohci1394 ieee1394 ssb pcmcia snd_intel8x0m ehci_hcd uhci_hcd evdev
Pid: 0, comm: swapper Tainted: GF (2.6.24st3 #2)
EIP: 0060:[<f90f667b>] EFLAGS: 00010002 CPU: 0
EIP is at b43legacy_pio_handle_txstatus+0xbb/0x210 [b43legacy]
EAX: 0000049b EBX: f11f8044 ECX: 00000001 EDX: 00000000
ESI: f1ff8000 EDI: 00000000 EBP: f11f8040 ESP: c04f4ef4
DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
Process swapper (pid: 0, ti=c04f4000 task=c0488300 task.ti=c04b8000)
Stack: f90f2788 c05009f0 c0500900 000010f7 f1053823 c04f4f24 dfb8e800 00000003
f1368000 00000007 00000296 f90f1975 00001000 010c0800 01000000 00000007
f90f6391 f11f8000 00000082 c04f4f4a 00000000 00004fd0 10f70000 8c061000
Call Trace:
[<f90f2788>] b43legacy_debugfs_log_txstat+0x48/0xb0 [b43legacy]
[<f90f1975>] b43legacy_handle_hwtxstatus+0x75/0x80 [b43legacy]
[<f90f6391>] b43legacy_pio_rx+0x201/0x280 [b43legacy]
[<f90e4fa3>] b43legacy_interrupt_tasklet+0x2e3/0x870 [b43legacy]
[<c0123567>] tasklet_action+0x27/0x60
[<c01237b4>] __do_softirq+0x54/0xb0
[<c010686b>] do_softirq+0x7b/0xe0
[<c01457c0>] handle_level_irq+0x0/0x110
[<c01457c0>] handle_level_irq+0x0/0x110
[<c0123758>] irq_exit+0x38/0x40
[<c0106953>] do_IRQ+0x83/0xd0
[<c011812f>] __update_rq_clock+0x4f/0x180
[<c0104b4f>] common_interrupt+0x23/0x28
[<c011007b>] wakeup_code+0x7b/0xde
[<c02b1039>] acpi_processor_idle+0x24a/0x3c9
[<c01025c7>] cpu_idle+0x47/0x80
[<c04b9ad5>] start_kernel+0x205/0x290
[<c04b9360>] unknown_bootoption+0x0/0x1f0
=======================
Code: 0f 00 00 81 fb ff 00 00 00 0f 87 36 01 00 00 8d 04 db 85 ff 8d 6c c6 40 8d 5d 04 0f 85 ef 00 00 00 fe 4e 0e 0f b7 46 0c 8b 53 04 <8b> 4a 50 29 c8 83 e8 52 66 89 46 0c 8b 54 24 14 80 7a 0b 00 74
EIP: [<f90f667b>] b43legacy_pio_handle_txstatus+0xbb/0x210 [b43legacy] SS:ESP 0068:c04f4ef4
Kernel panic - not syncing: Fatal exception in interrupt
Signed-off-by: Stefano Brivio <stefano.brivio at polimi.it>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
drivers/net/wireless/b43legacy/pio.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/net/wireless/b43legacy/pio.c
+++ b/drivers/net/wireless/b43legacy/pio.c
@@ -486,6 +486,9 @@ void b43legacy_pio_handle_txstatus(struc
queue = parse_cookie(dev, status->cookie, &packet);
B43legacy_WARN_ON(!queue);
+ if (!packet->skb)
+ return;
+
queue->tx_devq_packets--;
queue->tx_devq_used -= (packet->skb->len +
sizeof(struct b43legacy_txhdr_fw3));
>From stable-bounces at linux.kernel.org Fri Jan 25 03:23:28 2008
From: Michael Buesch <mb at bu3sch.de>
Date: Fri, 25 Jan 2008 12:20:20 +0100
Subject: b43: Fix dma-slot resource leakage
To: stable at kernel.org
Cc: linux-wireless at vger.kernel.org, bcm43xx-dev at lists.berlios.de
Message-ID: <200801251220.20332.mb at bu3sch.de>
Content-Disposition: inline
From: Michael Buesch <mb at bu3sch.de>
patch 8dd0100ce9511e52614ecd0a6587c13ce5769c8b in mainline.
This fixes four resource leakages.
In any error path we must deallocate the DMA frame slots we
previously allocated by request_slot().
This is done by storing the ring pointers before doing any ring
allocation and restoring the old pointers in case of an error.
Signed-off-by: Michael Buesch <mb at bu3sch.de>
Signed-off-by: Stefano Brivio <stefano.brivio at polimi.it>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
drivers/net/wireless/b43/dma.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
--- a/drivers/net/wireless/b43/dma.c
+++ b/drivers/net/wireless/b43/dma.c
@@ -1106,7 +1106,7 @@ static int dma_tx_fragment(struct b43_dm
{
const struct b43_dma_ops *ops = ring->ops;
u8 *header;
- int slot;
+ int slot, old_top_slot, old_used_slots;
int err;
struct b43_dmadesc_generic *desc;
struct b43_dmadesc_meta *meta;
@@ -1116,6 +1116,9 @@ static int dma_tx_fragment(struct b43_dm
#define SLOTS_PER_PACKET 2
B43_WARN_ON(skb_shinfo(skb)->nr_frags);
+ old_top_slot = ring->current_slot;
+ old_used_slots = ring->used_slots;
+
/* Get a slot for the header. */
slot = request_slot(ring);
desc = ops->idx2desc(ring, slot, &meta_hdr);
@@ -1125,13 +1128,19 @@ static int dma_tx_fragment(struct b43_dm
err = b43_generate_txhdr(ring->dev, header,
skb->data, skb->len, ctl,
generate_cookie(ring, slot));
- if (unlikely(err))
+ if (unlikely(err)) {
+ ring->current_slot = old_top_slot;
+ ring->used_slots = old_used_slots;
return err;
+ }
meta_hdr->dmaaddr = map_descbuffer(ring, (unsigned char *)header,
sizeof(struct b43_txhdr_fw4), 1);
- if (dma_mapping_error(meta_hdr->dmaaddr))
+ if (dma_mapping_error(meta_hdr->dmaaddr)) {
+ ring->current_slot = old_top_slot;
+ ring->used_slots = old_used_slots;
return -EIO;
+ }
ops->fill_descriptor(ring, desc, meta_hdr->dmaaddr,
sizeof(struct b43_txhdr_fw4), 1, 0, 0);
@@ -1149,6 +1158,8 @@ static int dma_tx_fragment(struct b43_dm
if (dma_mapping_error(meta->dmaaddr)) {
bounce_skb = __dev_alloc_skb(skb->len, GFP_ATOMIC | GFP_DMA);
if (!bounce_skb) {
+ ring->current_slot = old_top_slot;
+ ring->used_slots = old_used_slots;
err = -ENOMEM;
goto out_unmap_hdr;
}
@@ -1159,6 +1170,8 @@ static int dma_tx_fragment(struct b43_dm
meta->skb = skb;
meta->dmaaddr = map_descbuffer(ring, skb->data, skb->len, 1);
if (dma_mapping_error(meta->dmaaddr)) {
+ ring->current_slot = old_top_slot;
+ ring->used_slots = old_used_slots;
err = -EIO;
goto out_free_bounce;
}
>From stable-bounces at linux.kernel.org Fri Jan 25 03:23:38 2008
From: Michael Buesch <mb at bu3sch.de>
Date: Fri, 25 Jan 2008 12:15:07 +0100
Subject: b43: Drop packets we are not able to encrypt
To: stable at kernel.org
Cc: linux-wireless at vger.kernel.org, bcm43xx-dev at lists.berlios.de
Message-ID: <200801251215.08164.mb at bu3sch.de>
Content-Disposition: inline
From: Michael Buesch <mb at bu3sch.de>
patch 09552ccd8277e6382097e93a40f7311a09449367 in mainline
We must drop any packets we are not able to encrypt.
We must not send them unencrypted or with an all-zero-key (which
basically is the same as unencrypted, from a security point of view).
This might only trigger shortly after resume before mac80211 reassociated
and reconfigured the keys.
It is safe to drop these packets, as the association they belong to
is not guaranteed anymore anyway.
This is a security fix in the sense that it prevents information leakage.
Signed-off-by: Michael Buesch <mb at bu3sch.de>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
drivers/net/wireless/b43/dma.c | 11 ++++++++++-
drivers/net/wireless/b43/xmit.c | 20 +++++++++++++++-----
drivers/net/wireless/b43/xmit.h | 2 +-
3 files changed, 26 insertions(+), 7 deletions(-)
--- a/drivers/net/wireless/b43/dma.c
+++ b/drivers/net/wireless/b43/dma.c
@@ -1122,9 +1122,11 @@ static int dma_tx_fragment(struct b43_dm
memset(meta_hdr, 0, sizeof(*meta_hdr));
header = &(ring->txhdr_cache[slot * sizeof(struct b43_txhdr_fw4)]);
- b43_generate_txhdr(ring->dev, header,
+ err = b43_generate_txhdr(ring->dev, header,
skb->data, skb->len, ctl,
generate_cookie(ring, slot));
+ if (unlikely(err))
+ return err;
meta_hdr->dmaaddr = map_descbuffer(ring, (unsigned char *)header,
sizeof(struct b43_txhdr_fw4), 1);
@@ -1219,6 +1221,13 @@ int b43_dma_tx(struct b43_wldev *dev,
B43_WARN_ON(ring->stopped);
err = dma_tx_fragment(ring, skb, ctl);
+ if (unlikely(err == -ENOKEY)) {
+ /* Drop this packet, as we don't have the encryption key
+ * anymore and must not transmit it unencrypted. */
+ dev_kfree_skb_any(skb);
+ err = 0;
+ goto out_unlock;
+ }
if (unlikely(err)) {
b43err(dev->wl, "DMA tx mapping failure\n");
goto out_unlock;
--- a/drivers/net/wireless/b43/xmit.c
+++ b/drivers/net/wireless/b43/xmit.c
@@ -177,7 +177,7 @@ static u8 b43_calc_fallback_rate(u8 bitr
return 0;
}
-static void generate_txhdr_fw4(struct b43_wldev *dev,
+static int generate_txhdr_fw4(struct b43_wldev *dev,
struct b43_txhdr_fw4 *txhdr,
const unsigned char *fragment_data,
unsigned int fragment_len,
@@ -235,7 +235,15 @@ static void generate_txhdr_fw4(struct b4
B43_WARN_ON(key_idx >= dev->max_nr_keys);
key = &(dev->key[key_idx]);
- B43_WARN_ON(!key->keyconf);
+
+ if (unlikely(!key->keyconf)) {
+ /* This key is invalid. This might only happen
+ * in a short timeframe after machine resume before
+ * we were able to reconfigure keys.
+ * Drop this packet completely. Do not transmit it
+ * unencrypted to avoid leaking information. */
+ return -ENOKEY;
+ }
/* Hardware appends ICV. */
plcp_fragment_len += txctl->icv_len;
@@ -352,16 +360,18 @@ static void generate_txhdr_fw4(struct b4
txhdr->mac_ctl = cpu_to_le32(mac_ctl);
txhdr->phy_ctl = cpu_to_le16(phy_ctl);
txhdr->extra_ft = extra_ft;
+
+ return 0;
}
-void b43_generate_txhdr(struct b43_wldev *dev,
+int b43_generate_txhdr(struct b43_wldev *dev,
u8 * txhdr,
const unsigned char *fragment_data,
unsigned int fragment_len,
const struct ieee80211_tx_control *txctl, u16 cookie)
{
- generate_txhdr_fw4(dev, (struct b43_txhdr_fw4 *)txhdr,
- fragment_data, fragment_len, txctl, cookie);
+ return generate_txhdr_fw4(dev, (struct b43_txhdr_fw4 *)txhdr,
+ fragment_data, fragment_len, txctl, cookie);
}
static s8 b43_rssi_postprocess(struct b43_wldev *dev,
--- a/drivers/net/wireless/b43/xmit.h
+++ b/drivers/net/wireless/b43/xmit.h
@@ -82,7 +82,7 @@ struct b43_txhdr_fw4 {
#define B43_TX4_PHY_ANT1 0x0100 /* Use antenna 1 */
#define B43_TX4_PHY_ANTLAST 0x0300 /* Use last used antenna */
-void b43_generate_txhdr(struct b43_wldev *dev,
+int b43_generate_txhdr(struct b43_wldev *dev,
u8 * txhdr,
const unsigned char *fragment_data,
unsigned int fragment_len,
>From stable-bounces at linux.kernel.org Fri Jan 25 03:23:28 2008
From: Michael Buesch <mb at bu3sch.de>
Date: Fri, 25 Jan 2008 12:11:45 +0100
Subject: b43: Fix suspend/resume
To: stable at kernel.org
Cc: linux-wireless at vger.kernel.org, bcm43xx-dev at lists.berlios.de
Message-ID: <200801251211.45980.mb at bu3sch.de>
Content-Disposition: inline
From: Michael Buesch <mb at bu3sch.de>
patch 7be1bb6b798d506693d2d8668e801951996b5a4a in mainline.
This patch makes suspend/resume work with the b43 driver.
We must not overwrite the MAC addresses in the init function, as this
would also overwrite the MAC on resume. With an all-zero MAC the device
firmware is not able to ACK any received packets anymore.
Fix this by moving the initializion stuff that must be done on init but
not on resume to the start function.
Also zero out filter_flags to make sure we don't have some flags
from a previous instance for a tiny timeframe until mac80211 reconfigures
them.
Signed-off-by: Michael Buesch <mb at bu3sch.de>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
drivers/net/wireless/b43/main.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/b43/main.c
+++ b/drivers/net/wireless/b43/main.c
@@ -3395,8 +3395,6 @@ static int b43_wireless_core_init(struct
b43_bluetooth_coext_enable(dev);
ssb_bus_powerup(bus, 1); /* Enable dynamic PCTL */
- memset(wl->bssid, 0, ETH_ALEN);
- memset(wl->mac_addr, 0, ETH_ALEN);
b43_upload_card_macaddress(dev);
b43_security_init(dev);
b43_rng_init(wl);
@@ -3493,6 +3491,13 @@ static int b43_start(struct ieee80211_hw
int did_init = 0;
int err = 0;
+ /* Kill all old instance specific information to make sure
+ * the card won't use it in the short timeframe between start
+ * and mac80211 reconfiguring it. */
+ memset(wl->bssid, 0, ETH_ALEN);
+ memset(wl->mac_addr, 0, ETH_ALEN);
+ wl->filter_flags = 0;
+
/* First register RFkill.
* LEDs that are registered later depend on it. */
b43_rfkill_init(dev);
--- NEW FILE patch-2.6.24.1-rc1.bz2.sign ---
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: See http://www.kernel.org/signature.html for info
iD8DBQBHq+goyGugalF9Dw4RAkh/AJ45EOaO6VnadxILxnLMyuQhqwn9/gCeIyWo
BptCO3kKobK1T0U+uTMbjUg=
=6OTZ
-----END PGP SIGNATURE-----
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/.cvsignore,v
retrieving revision 1.758
retrieving revision 1.759
diff -u -r1.758 -r1.759
--- .cvsignore 25 Jan 2008 15:59:56 -0000 1.758
+++ .cvsignore 8 Feb 2008 18:14:13 -0000 1.759
@@ -4,3 +4,4 @@
temp-*
kernel-2.6.24
linux-2.6.24.tar.bz2
+patch-2.6.24.1-rc1.bz2
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/kernel.spec,v
retrieving revision 1.407
retrieving revision 1.408
diff -u -r1.407 -r1.408
--- kernel.spec 6 Feb 2008 15:58:27 -0000 1.407
+++ kernel.spec 8 Feb 2008 18:14:13 -0000 1.408
@@ -548,8 +548,17 @@
### BRANCH PATCH ###
%endif
+# stable release candidate
+Patch03: patch-2.6.24.1-rc1.bz2
+
+# we always need nonintconfig, even for -vanilla kernels
+Patch06: linux-2.6-build-nonintconfig.patch
+
%if !%{nopatches}
+# revert upstream changes we get from elsewhere
+Patch09: linux-2.6-upstream-reverts.patch
+
Patch21: linux-2.6-utrace-tracehook.patch
Patch22: linux-2.6-utrace-tracehook-ia64.patch
Patch23: linux-2.6-utrace-tracehook-sparc64.patch
@@ -592,12 +601,6 @@
Patch142: linux-2.6-ps3-legacy-bootloader-hack.patch
Patch143: linux-2.6-g5-therm-shutdown.patch
-%endif
-
-Patch150: linux-2.6-build-nonintconfig.patch
-
-%if !%{nopatches}
-
Patch160: linux-2.6-execshield.patch
Patch250: linux-2.6-debug-sizeof-structs.patch
Patch260: linux-2.6-debug-nmi-timeout.patch
@@ -614,16 +617,18 @@
Patch460: linux-2.6-serial-460800.patch
Patch510: linux-2.6-silence-noise.patch
Patch570: linux-2.6-selinux-mprotect-checks.patch
-Patch571: linux-2.6-selinux-strip-leading-slashes.patch
+# Patch571: linux-2.6-selinux-strip-leading-slashes.patch
Patch590: linux-2.6-unexport-symbols.patch
Patch610: linux-2.6-defaults-fat-utf8.patch
Patch660: linux-2.6-libata-ali-atapi-dma.patch
Patch670: linux-2.6-ata-quirk.patch
+
Patch680: linux-2.6-wireless.patch
Patch681: linux-2.6-wireless-pending.patch
Patch690: linux-2.6-at76.patch
Patch691: linux-2.6-rndis_wlan.patch
Patch692: linux-2.6-ath5k-use-soft-wep.patch
+
Patch820: linux-2.6-compile-fixes.patch
Patch821: linux-2.6-compile-fix-gcc-43.patch
Patch1101: linux-2.6-default-mmf_dump_elf_headers.patch
@@ -663,7 +668,7 @@
Patch2201: linux-2.6-firewire-git-pending.patch
# epoll lockdep annotation (bz #323411)
-Patch2205: linux-2.6-epoll-lockdep-annotation.patch
+# Patch2205: linux-2.6-epoll-lockdep-annotation.patch
# make USB EHCI driver respect "nousb" parameter
Patch2300: linux-2.6-usb-ehci-hcd-respect-nousb.patch
@@ -986,6 +991,9 @@
done
%endif
+# stable release candidate
+ApplyPatch patch-2.6.24.1-rc1.bz2
+
# This patch adds a "make nonint_oldconfig" which is non-interactive and
# also gives a list of missing options at the end. Useful for automated
# builds (as used in the buildsystem).
@@ -993,6 +1001,9 @@
%if !%{nopatches}
+# Revert -stable pieces we get from elsewhere here
+ApplyPatch linux-2.6-upstream-reverts.patch -R
+
# Roland's utrace ptrace replacement.
# Main patch includes i386, x86_64, powerpc.
ApplyPatch linux-2.6-utrace-tracehook.patch
@@ -1129,8 +1140,6 @@
# Fix the SELinux mprotect checks on executable mappings
ApplyPatch linux-2.6-selinux-mprotect-checks.patch
-# strip extra leading slashes in pathnames
-ApplyPatch linux-2.6-selinux-strip-leading-slashes.patch
# Remove kernel-internal functionality that nothing external should use.
ApplyPatch linux-2.6-unexport-symbols.patch
@@ -1215,9 +1224,6 @@
ApplyPatch linux-2.6-firewire-git-pending.patch
fi
-# epoll lockdep annotation (bz #323411)
-ApplyPatch linux-2.6-epoll-lockdep-annotation.patch
-
# usb video
ApplyPatch linux-2.6-uvcvideo.patch
@@ -1789,6 +1795,9 @@
%kernel_variant_files -a /%{image_install_path}/xen*-%{KVERREL} -e /etc/ld.so.conf.d/kernelcap-%{KVERREL}.conf %{with_xen} xen
%changelog
+* Fri Feb 08 2008 Chuck Ebbert <cebbert at redhat.com>
+- Linux 2.6.24.1
+
* Wed Feb 06 2008 John W. Linville <linville at redhat.com>
- at76_usb: Add ID for Uniden PCW100
- b43: fix build with CONFIG_SSB_PCIHOST=n
Index: mirrors
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/mirrors,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- mirrors 7 Aug 2007 20:52:32 -0000 1.4
+++ mirrors 8 Feb 2008 18:14:13 -0000 1.5
@@ -2,3 +2,4 @@
http://ftp.kernel.org/pub/linux/kernel/v2.6/
http://ftp.kernel.org/pub/linux/kernel/v2.6/snapshots/old/
http://ftp.kernel.org/pub/linux/kernel/v2.6/testing/
+http://ftp.kernel.org/pub/linux/kernel/v2.6/stable-review/
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/sources,v
retrieving revision 1.718
retrieving revision 1.719
diff -u -r1.718 -r1.719
--- sources 25 Jan 2008 15:59:56 -0000 1.718
+++ sources 8 Feb 2008 18:14:13 -0000 1.719
@@ -1 +1,2 @@
3f23ad4b69d0a552042d1ed0f4399857 linux-2.6.24.tar.bz2
+932b50d904ddb0dfd0db419620b8b452 patch-2.6.24.1-rc1.bz2
Index: upstream
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/upstream,v
retrieving revision 1.640
retrieving revision 1.641
diff -u -r1.640 -r1.641
--- upstream 25 Jan 2008 15:59:56 -0000 1.640
+++ upstream 8 Feb 2008 18:14:13 -0000 1.641
@@ -1 +1,2 @@
linux-2.6.24.tar.bz2
+patch-2.6.24.1-rc1.bz2
--- linux-2.6-epoll-lockdep-annotation.patch DELETED ---
--- linux-2.6-selinux-strip-leading-slashes.patch DELETED ---
More information about the fedora-extras-commits
mailing list