--- /dev/null
+From 596f5aad2a704b72934e5abec1b1b4114c16f45b Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@canonical.com>
+Date: Sun, 9 Aug 2015 03:41:50 -0400
+Subject: blk-mq: fix buffer overflow when reading sysfs file of 'pending'
+
+From: Ming Lei <ming.lei@canonical.com>
+
+commit 596f5aad2a704b72934e5abec1b1b4114c16f45b upstream.
+
+There may be lots of pending requests so that the buffer of PAGE_SIZE
+can't hold them at all.
+
+One typical example is scsi-mq, the queue depth(.can_queue) of
+scsi_host and blk-mq is quite big but scsi_device's queue_depth
+is a bit small(.cmd_per_lun), then it is quite easy to have lots
+of pending requests in hw queue.
+
+This patch fixes the following warning and the related memory
+destruction.
+
+[ 359.025101] fill_read_buffer: blk_mq_hw_sysfs_show+0x0/0x7d returned bad count^M
+[ 359.055595] irq event stamp: 15537^M
+[ 359.055606] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC ^M
+[ 359.055614] Dumping ftrace buffer:^M
+[ 359.055660] (ftrace buffer empty)^M
+[ 359.055672] Modules linked in: nbd ipv6 kvm_intel kvm serio_raw^M
+[ 359.055678] CPU: 4 PID: 21631 Comm: stress-ng-sysfs Not tainted 4.2.0-rc5-next-20150805 #434^M
+[ 359.055679] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011^M
+[ 359.055682] task: ffff8802161cc000 ti: ffff88021b4a8000 task.ti: ffff88021b4a8000^M
+[ 359.055693] RIP: 0010:[<ffffffff811541c5>] [<ffffffff811541c5>] __kmalloc+0xe8/0x152^M
+
+Signed-off-by: Ming Lei <ming.lei@canonical.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-mq-sysfs.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -141,15 +141,26 @@ static ssize_t blk_mq_sysfs_completed_sh
+
+ static ssize_t sysfs_list_show(char *page, struct list_head *list, char *msg)
+ {
+- char *start_page = page;
+ struct request *rq;
++ int len = snprintf(page, PAGE_SIZE - 1, "%s:\n", msg);
+
+- page += sprintf(page, "%s:\n", msg);
++ list_for_each_entry(rq, list, queuelist) {
++ const int rq_len = 2 * sizeof(rq) + 2;
+
+- list_for_each_entry(rq, list, queuelist)
+- page += sprintf(page, "\t%p\n", rq);
++ /* if the output will be truncated */
++ if (PAGE_SIZE - 1 < len + rq_len) {
++ /* backspacing if it can't hold '\t...\n' */
++ if (PAGE_SIZE - 1 < len + 5)
++ len -= rq_len;
++ len += snprintf(page + len, PAGE_SIZE - 1 - len,
++ "\t...\n");
++ break;
++ }
++ len += snprintf(page + len, PAGE_SIZE - 1 - len,
++ "\t%p\n", rq);
++ }
+
+- return page - start_page;
++ return len;
+ }
+
+ static ssize_t blk_mq_sysfs_rq_list_show(struct blk_mq_ctx *ctx, char *page)
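Review bot: The running `len` in sysfs_list_show can drift past the buffer because it accumulates snprintf() return values, which in the kernel are the length the output would have had rather than the bytes actually stored. If the header line built from `msg` were ever truncated, `len` would exceed the page and `PAGE_SIZE - 1 - len` would go negative before being passed as a size; the callers' `msg` strings are outside this hunk, so this is presumably safe today but is not enforced here. Using `scnprintf()` for all three calls keeps `len` bounded by what was written, e.g. `int len = scnprintf(page, PAGE_SIZE - 1, "%s:\n", msg);`. Separately, `rq_len = 2 * sizeof(rq) + 2` hard-codes the printed width of `%p` and deserves a comment saying so, and the `len -= rq_len` backspace assumes at least one entry has already been written.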
--- /dev/null
+From 0048b4837affd153897ed1222283492070027aa9 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@canonical.com>
+Date: Sun, 9 Aug 2015 03:41:51 -0400
+Subject: blk-mq: fix race between timeout and freeing request
+
+From: Ming Lei <ming.lei@canonical.com>
+
+commit 0048b4837affd153897ed1222283492070027aa9 upstream.
+
+Inside timeout handler, blk_mq_tag_to_rq() is called
+to retrieve the request from one tag. This way is obviously
+wrong because the request can be freed any time and some
+fields of the request can't be trusted, then kernel oops
+might be triggered[1].
+
+Currently wrt. blk_mq_tag_to_rq(), the only special case is
+that the flush request can share same tag with the request
+cloned from, and the two requests can't be active at the same
+time, so this patch fixes the above issue by updating tags->rqs[tag]
+with the active request(either flush rq or the request cloned
+from) of the tag.
+
+Also blk_mq_tag_to_rq() gets much simplified with this patch.
+
+Given blk_mq_tag_to_rq() is mainly for drivers and the caller must
+make sure the request can't be freed, so in bt_for_each() this
+helper is replaced with tags->rqs[tag].
+
+[1] kernel oops log
+[ 439.696220] BUG: unable to handle kernel NULL pointer dereference at 0000000000000158^M
+[ 439.697162] IP: [<ffffffff812d89ba>] blk_mq_tag_to_rq+0x21/0x6e^M
+[ 439.700653] PGD 7ef765067 PUD 7ef764067 PMD 0 ^M
+[ 439.700653] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC ^M
+[ 439.700653] Dumping ftrace buffer:^M
+[ 439.700653] (ftrace buffer empty)^M
+[ 439.700653] Modules linked in: nbd ipv6 kvm_intel kvm serio_raw^M
+[ 439.700653] CPU: 6 PID: 2779 Comm: stress-ng-sigfd Not tainted 4.2.0-rc5-next-20150805+ #265^M
+[ 439.730500] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011^M
+[ 439.730500] task: ffff880605308000 ti: ffff88060530c000 task.ti: ffff88060530c000^M
+[ 439.730500] RIP: 0010:[<ffffffff812d89ba>] [<ffffffff812d89ba>] blk_mq_tag_to_rq+0x21/0x6e^M
+[ 439.730500] RSP: 0018:ffff880819203da0 EFLAGS: 00010283^M
+[ 439.730500] RAX: ffff880811b0e000 RBX: ffff8800bb465f00 RCX: 0000000000000002^M
+[ 439.730500] RDX: 0000000000000000 RSI: 0000000000000202 RDI: 0000000000000000^M
+[ 439.730500] RBP: ffff880819203db0 R08: 0000000000000002 R09: 0000000000000000^M
+[ 439.730500] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000202^M
+[ 439.730500] R13: ffff880814104800 R14: 0000000000000002 R15: ffff880811a2ea00^M
+[ 439.730500] FS: 00007f165b3f5740(0000) GS:ffff880819200000(0000) knlGS:0000000000000000^M
+[ 439.730500] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b^M
+[ 439.730500] CR2: 0000000000000158 CR3: 00000007ef766000 CR4: 00000000000006e0^M
+[ 439.730500] Stack:^M
+[ 439.730500] 0000000000000008 ffff8808114eed90 ffff880819203e00 ffffffff812dc104^M
+[ 439.755663] ffff880819203e40 ffffffff812d9f5e 0000020000000000 ffff8808114eed80^M
+[ 439.755663] Call Trace:^M
+[ 439.755663] <IRQ> ^M
+[ 439.755663] [<ffffffff812dc104>] bt_for_each+0x6e/0xc8^M
+[ 439.755663] [<ffffffff812d9f5e>] ? blk_mq_rq_timed_out+0x6a/0x6a^M
+[ 439.755663] [<ffffffff812d9f5e>] ? blk_mq_rq_timed_out+0x6a/0x6a^M
+[ 439.755663] [<ffffffff812dc1b3>] blk_mq_tag_busy_iter+0x55/0x5e^M
+[ 439.755663] [<ffffffff812d88b4>] ? blk_mq_bio_to_request+0x38/0x38^M
+[ 439.755663] [<ffffffff812d8911>] blk_mq_rq_timer+0x5d/0xd4^M
+[ 439.755663] [<ffffffff810a3e10>] call_timer_fn+0xf7/0x284^M
+[ 439.755663] [<ffffffff810a3d1e>] ? call_timer_fn+0x5/0x284^M
+[ 439.755663] [<ffffffff812d88b4>] ? blk_mq_bio_to_request+0x38/0x38^M
+[ 439.755663] [<ffffffff810a46d6>] run_timer_softirq+0x1ce/0x1f8^M
+[ 439.755663] [<ffffffff8104c367>] __do_softirq+0x181/0x3a4^M
+[ 439.755663] [<ffffffff8104c76e>] irq_exit+0x40/0x94^M
+[ 439.755663] [<ffffffff81031482>] smp_apic_timer_interrupt+0x33/0x3e^M
+[ 439.755663] [<ffffffff815559a4>] apic_timer_interrupt+0x84/0x90^M
+[ 439.755663] <EOI> ^M
+[ 439.755663] [<ffffffff81554350>] ? _raw_spin_unlock_irq+0x32/0x4a^M
+[ 439.755663] [<ffffffff8106a98b>] finish_task_switch+0xe0/0x163^M
+[ 439.755663] [<ffffffff8106a94d>] ? finish_task_switch+0xa2/0x163^M
+[ 439.755663] [<ffffffff81550066>] __schedule+0x469/0x6cd^M
+[ 439.755663] [<ffffffff8155039b>] schedule+0x82/0x9a^M
+[ 439.789267] [<ffffffff8119b28b>] signalfd_read+0x186/0x49a^M
+[ 439.790911] [<ffffffff8106d86a>] ? wake_up_q+0x47/0x47^M
+[ 439.790911] [<ffffffff811618c2>] __vfs_read+0x28/0x9f^M
+[ 439.790911] [<ffffffff8117a289>] ? __fget_light+0x4d/0x74^M
+[ 439.790911] [<ffffffff811620a7>] vfs_read+0x7a/0xc6^M
+[ 439.790911] [<ffffffff8116292b>] SyS_read+0x49/0x7f^M
+[ 439.790911] [<ffffffff81554c17>] entry_SYSCALL_64_fastpath+0x12/0x6f^M
+[ 439.790911] Code: 48 89 e5 e8 a9 b8 e7 ff 5d c3 0f 1f 44 00 00 55 89
+f2 48 89 e5 41 54 41 89 f4 53 48 8b 47 60 48 8b 1c d0 48 8b 7b 30 48 8b
+53 38 <48> 8b 87 58 01 00 00 48 85 c0 75 09 48 8b 97 88 0c 00 00 eb 10
+^M
+[ 439.790911] RIP [<ffffffff812d89ba>] blk_mq_tag_to_rq+0x21/0x6e^M
+[ 439.790911] RSP <ffff880819203da0>^M
+[ 439.790911] CR2: 0000000000000158^M
+[ 439.790911] ---[ end trace d40af58949325661 ]---^M
+
+Signed-off-by: Ming Lei <ming.lei@canonical.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-flush.c | 15 ++++++++++++++-
+ block/blk-mq-tag.c | 4 ++--
+ block/blk-mq-tag.h | 12 ++++++++++++
+ block/blk-mq.c | 16 +---------------
+ block/blk.h | 6 ++++++
+ 5 files changed, 35 insertions(+), 18 deletions(-)
+
+--- a/block/blk-flush.c
++++ b/block/blk-flush.c
+@@ -73,6 +73,7 @@
+
+ #include "blk.h"
+ #include "blk-mq.h"
++#include "blk-mq-tag.h"
+
+ /* FLUSH/FUA sequences */
+ enum {
+@@ -226,7 +227,12 @@ static void flush_end_io(struct request
+ struct blk_flush_queue *fq = blk_get_flush_queue(q, flush_rq->mq_ctx);
+
+ if (q->mq_ops) {
++ struct blk_mq_hw_ctx *hctx;
++
++ /* release the tag's ownership to the req cloned from */
+ spin_lock_irqsave(&fq->mq_flush_lock, flags);
++ hctx = q->mq_ops->map_queue(q, flush_rq->mq_ctx->cpu);
++ blk_mq_tag_set_rq(hctx, flush_rq->tag, fq->orig_rq);
+ flush_rq->tag = -1;
+ }
+
+@@ -308,11 +314,18 @@ static bool blk_kick_flush(struct reques
+
+ /*
+ * Borrow tag from the first request since they can't
+- * be in flight at the same time.
++ * be in flight at the same time. And acquire the tag's
++ * ownership for flush req.
+ */
+ if (q->mq_ops) {
++ struct blk_mq_hw_ctx *hctx;
++
+ flush_rq->mq_ctx = first_rq->mq_ctx;
+ flush_rq->tag = first_rq->tag;
++ fq->orig_rq = first_rq;
++
++ hctx = q->mq_ops->map_queue(q, first_rq->mq_ctx->cpu);
++ blk_mq_tag_set_rq(hctx, first_rq->tag, flush_rq);
+ }
+
+ flush_rq->cmd_type = REQ_TYPE_FS;
+--- a/block/blk-mq-tag.c
++++ b/block/blk-mq-tag.c
+@@ -429,7 +429,7 @@ static void bt_for_each(struct blk_mq_hw
+ for (bit = find_first_bit(&bm->word, bm->depth);
+ bit < bm->depth;
+ bit = find_next_bit(&bm->word, bm->depth, bit + 1)) {
+- rq = blk_mq_tag_to_rq(hctx->tags, off + bit);
++ rq = hctx->tags->rqs[off + bit];
+ if (rq->q == hctx->queue)
+ fn(hctx, rq, data, reserved);
+ }
+@@ -453,7 +453,7 @@ static void bt_tags_for_each(struct blk_
+ for (bit = find_first_bit(&bm->word, bm->depth);
+ bit < bm->depth;
+ bit = find_next_bit(&bm->word, bm->depth, bit + 1)) {
+- rq = blk_mq_tag_to_rq(tags, off + bit);
++ rq = tags->rqs[off + bit];
+ fn(rq, data, reserved);
+ }
+
+--- a/block/blk-mq-tag.h
++++ b/block/blk-mq-tag.h
+@@ -89,4 +89,16 @@ static inline void blk_mq_tag_idle(struc
+ __blk_mq_tag_idle(hctx);
+ }
+
++/*
++ * This helper should only be used for flush request to share tag
++ * with the request cloned from, and both the two requests can't be
++ * in flight at the same time. The caller has to make sure the tag
++ * can't be freed.
++ */
++static inline void blk_mq_tag_set_rq(struct blk_mq_hw_ctx *hctx,
++ unsigned int tag, struct request *rq)
++{
++ hctx->tags->rqs[tag] = rq;
++}
++
+ #endif
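Review bot: blk_mq_tag_set_rq() stores through `hctx->tags->rqs[tag]` with no range check, and the simplified blk_mq_tag_to_rq() in the block/blk-mq.c hunk reads `tags->rqs[tag]` the same way. blk_mq_tag_to_rq() is exported and, per the commit message, mainly used by drivers, so a tag that presumably comes from a device completion would index past the array if it is out of range; flush_end_io also sets `flush_rq->tag = -1` right after calling the setter, which as an `unsigned int` index would be far out of bounds if that order were ever swapped. A guard such as `if (WARN_ON_ONCE(tag >= hctx->tags->nr_tags)) return;` in the setter and `if (tag >= tags->nr_tags) return NULL;` in the lookup would turn a bad tag into a detectable error, provided the lookup's callers cope with NULL, which cannot be seen from here.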
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -559,23 +559,9 @@ void blk_mq_abort_requeue_list(struct re
+ }
+ EXPORT_SYMBOL(blk_mq_abort_requeue_list);
+
+-static inline bool is_flush_request(struct request *rq,
+- struct blk_flush_queue *fq, unsigned int tag)
+-{
+- return ((rq->cmd_flags & REQ_FLUSH_SEQ) &&
+- fq->flush_rq->tag == tag);
+-}
+-
+ struct request *blk_mq_tag_to_rq(struct blk_mq_tags *tags, unsigned int tag)
+ {
+- struct request *rq = tags->rqs[tag];
+- /* mq_ctx of flush rq is always cloned from the corresponding req */
+- struct blk_flush_queue *fq = blk_get_flush_queue(rq->q, rq->mq_ctx);
+-
+- if (!is_flush_request(rq, fq, tag))
+- return rq;
+-
+- return fq->flush_rq;
++ return tags->rqs[tag];
+ }
+ EXPORT_SYMBOL(blk_mq_tag_to_rq);
+
+--- a/block/blk.h
++++ b/block/blk.h
+@@ -22,6 +22,12 @@ struct blk_flush_queue {
+ struct list_head flush_queue[2];
+ struct list_head flush_data_in_flight;
+ struct request *flush_rq;
++
++ /*
++ * flush_rq shares tag with this rq, both can't be active
++ * at the same time
++ */
++ struct request *orig_rq;
+ spinlock_t mq_flush_lock;
+ };
+
--- /dev/null
+From 7c26b9cf5347c24272152438cdd9675183804425 Mon Sep 17 00:00:00 2001
+From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Date: Wed, 19 Aug 2015 09:27:18 +1000
+Subject: cxl: Allow release of contexts which have been OPENED but not STARTED
+
+From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+
+commit 7c26b9cf5347c24272152438cdd9675183804425 upstream.
+
+If we open a context but do not start it (either because we do not attempt
+to start it, or because it fails to start for some reason), we are left
+with a context in state OPENED. Previously, cxl_release_context() only
+allowed releasing contexts in state CLOSED, so attempting to release an
+OPENED context would fail.
+
+In particular, this bug causes available contexts to run out after some EEH
+failures, where drivers attempt to release contexts that have failed to
+start.
+
+Allow releasing contexts in any state with a value lower than STARTED, i.e.
+OPENED or CLOSED (we can't release a STARTED context as it's currently
+using the hardware, and we assume that contexts in any new states which may
+be added in future with a value higher than STARTED are also unsafe to
+release).
+
+Fixes: 6f7f0b3df6d4 ("cxl: Add AFU virtual PHB and kernel API")
+Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Acked-by: Ian Munsie <imunsie@au1.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/cxl/api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/cxl/api.c
++++ b/drivers/misc/cxl/api.c
+@@ -59,7 +59,7 @@ EXPORT_SYMBOL_GPL(cxl_get_phys_dev);
+
+ int cxl_release_context(struct cxl_context *ctx)
+ {
+- if (ctx->status != CLOSED)
++ if (ctx->status >= STARTED)
+ return -EBUSY;
+
+ put_device(&ctx->afu->dev);
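Review bot: The new test `ctx->status >= STARTED` in cxl_release_context depends on the numeric order of the context status enum, which is declared outside this hunk and carries no visible reminder of that dependency. A comment at the check, for example `/* OPENED and CLOSED sort below STARTED; anything at or above it may still be using the hardware */`, and a matching note at the enum would keep a later reordering from silently permitting release of a live context. The status is also read here without any lock visible in the hunk, so if another path can start the context concurrently, the check and the `put_device()` that follows are not atomic; that is worth confirming against the rest of the file. The function body continues past the hunk.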
--- /dev/null
+From 2925c2fdf1e0eb642482f5b30577e9435aaa8edb Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 15 Sep 2015 15:04:07 +1000
+Subject: cxl: Fix unbalanced pci_dev_get in cxl_probe
+
+From: Daniel Axtens <dja@axtens.net>
+
+commit 2925c2fdf1e0eb642482f5b30577e9435aaa8edb upstream.
+
+Currently the first thing we do in cxl_probe is to grab a reference
+on the pci device. Later on, we call device_register on our adapter.
+In our remove path, we call device_unregister, but we never call
+pci_dev_put. We therefore leak the device every time we do a
+reflash.
+
+device_register/unregister is sufficient to hold the reference.
+Therefore, drop the call to pci_dev_get.
+
+Here's why this is safe.
+The proposed cxl_probe(pdev) calls cxl_adapter_init:
+ a) init calls cxl_adapter_alloc, which creates a struct cxl,
+ conventionally called adapter. This struct contains a
+ device entry, adapter->dev.
+
+ b) init calls cxl_configure_adapter, where we set
+ adapter->dev.parent = &dev->dev (here dev is the pci dev)
+
+So at this point, the cxl adapter's device's parent is the PCI
+device that I want to be refcounted properly.
+
+ c) init calls cxl_register_adapter
+ *) cxl_register_adapter calls device_register(&adapter->dev)
+
+So now we're in device_register, where dev is the adapter device, and
+we want to know if the PCI device is safe after we return.
+
+device_register(&adapter->dev) calls device_initialize() and then
+device_add().
+
+device_add() does a get_device(). device_add() also explicitly grabs
+the device's parent, and calls get_device() on it:
+
+ parent = get_device(dev->parent);
+
+So therefore, device_register() takes a lock on the parent PCI dev,
+which is what pci_dev_get() was guarding. pci_dev_get() can therefore
+be safely removed.
+
+Fixes: f204e0b8cedd ("cxl: Driver code for powernv PCIe based cards for userspace access")
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Acked-by: Ian Munsie <imunsie@au1.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/cxl/pci.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/misc/cxl/pci.c
++++ b/drivers/misc/cxl/pci.c
+@@ -1124,8 +1124,6 @@ static int cxl_probe(struct pci_dev *dev
+ int slice;
+ int rc;
+
+- pci_dev_get(dev);
+-
+ if (cxl_verbose)
+ dump_cxl_config_space(dev);
+
--- /dev/null
+From 9d8e27673c45927fee9e7d8992ffb325a6b0b0e4 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 21 Aug 2015 17:25:15 +1000
+Subject: cxl: Remove racy attempt to force EEH invocation in reset
+
+From: Daniel Axtens <dja@axtens.net>
+
+commit 9d8e27673c45927fee9e7d8992ffb325a6b0b0e4 upstream.
+
+cxl_reset currently PERSTs the slot, and then repeatedly tries to
+read MMIO space in order to kick off EEH.
+
+There are 2 problems with this: it's unnecessary, and it's racy.
+
+It's unnecessary because the PERST will bring down the PHB link.
+That will be picked up by the CAPP, which will send out an HMI.
+Skiboot, noticing an HMI from the CAPP, will send an OPAL
+notification to the kernel, which will trigger EEH recovery.
+
+It's also racy: the EEH recovery triggered by the CAPP will
+eventually cause the MMIO space to have its mapping invalidated
+and the pointer NULLed out. This races with our attempt to read
+the MMIO space. This is causing OOPSes in testing.
+
+Simply drop all the attempts to force EEH detection, and trust
+that Skiboot will send the notification and that we'll act on it.
+The Skiboot code to send the EEH notification has been in Skiboot
+for as long as CAPP recovery has been supported, so we don't need
+to worry about breaking obscure setups with ancient firmware.
+
+Cc: Ryan Grimm <grimm@linux.vnet.ibm.com>
+Fixes: 62fa19d4b4fd ("cxl: Add ability to reset the card")
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Acked-by: Ian Munsie <imunsie@au1.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/cxl/pci.c | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+--- a/drivers/misc/cxl/pci.c
++++ b/drivers/misc/cxl/pci.c
+@@ -851,8 +851,6 @@ int cxl_reset(struct cxl *adapter)
+ {
+ struct pci_dev *dev = to_pci_dev(adapter->dev.parent);
+ int rc;
+- int i;
+- u32 val;
+
+ dev_info(&dev->dev, "CXL reset\n");
+
+@@ -869,20 +867,6 @@ int cxl_reset(struct cxl *adapter)
+ return rc;
+ }
+
+- /* the PERST done above fences the PHB. So, reset depends on EEH
+- * to unbind the driver, tell Sapphire to reinit the PHB, and rebind
+- * the driver. Do an mmio read explictly to ensure EEH notices the
+- * fenced PHB. Retry for a few seconds before giving up. */
+- i = 0;
+- while (((val = mmio_read32be(adapter->p1_mmio)) != 0xffffffff) &&
+- (i < 5)) {
+- msleep(500);
+- i++;
+- }
+-
+- if (val != 0xffffffff)
+- dev_err(&dev->dev, "cxl: PERST failed to trigger EEH\n");
+-
+ return rc;
+ }
+
--- /dev/null
+From c642dc9e1aaed953597e7092d7df329e6234096e Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Sat, 15 Aug 2015 10:45:06 -0400
+Subject: ext4: don't manipulate recovery flag when freezing no-journal fs
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+commit c642dc9e1aaed953597e7092d7df329e6234096e upstream.
+
+At some point along this sequence of changes:
+
+f6e63f9 ext4: fold ext4_nojournal_sops into ext4_sops
+bb04457 ext4: support freezing ext2 (nojournal) file systems
+9ca9238 ext4: Use separate super_operations structure for no_journal filesystems
+
+ext4 started setting needs_recovery on filesystems without journals
+when they are unfrozen. This makes no sense, and in fact confuses
+blkid to the point where it doesn't recognize the filesystem at all.
+
+(freeze ext2; unfreeze ext2; run blkid; see no output; run dumpe2fs,
+see needs_recovery set on fs w/ no journal).
+
+To fix this, don't manipulate the INCOMPAT_RECOVER feature on
+filesystems without journals.
+
+Reported-by: Stu Mark <smark@datto.com>
+Reviewed-by: Jan Kara <jack@suse.com>
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4833,10 +4833,11 @@ static int ext4_freeze(struct super_bloc
+ error = jbd2_journal_flush(journal);
+ if (error < 0)
+ goto out;
++
++ /* Journal blocked and flushed, clear needs_recovery flag. */
++ EXT4_CLEAR_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER);
+ }
+
+- /* Journal blocked and flushed, clear needs_recovery flag. */
+- EXT4_CLEAR_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER);
+ error = ext4_commit_super(sb, 1);
+ out:
+ if (journal)
+@@ -4854,8 +4855,11 @@ static int ext4_unfreeze(struct super_bl
+ if (sb->s_flags & MS_RDONLY)
+ return 0;
+
+- /* Reset the needs_recovery flag before the fs is unlocked. */
+- EXT4_SET_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER);
++ if (EXT4_SB(sb)->s_journal) {
++ /* Reset the needs_recovery flag before the fs is unlocked. */
++ EXT4_SET_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER);
++ }
++
+ ext4_commit_super(sb, 1);
+ return 0;
+ }
--- /dev/null
+From 72ddef0506da852dc82f078f37ced8ef4d74a2bf Mon Sep 17 00:00:00 2001
+From: Shota Suzuki <suzuki_shota_t3@lab.ntt.co.jp>
+Date: Wed, 1 Jul 2015 09:25:52 +0900
+Subject: igb: Fix oops caused by missing queue pairing
+
+From: Shota Suzuki <suzuki_shota_t3@lab.ntt.co.jp>
+
+commit 72ddef0506da852dc82f078f37ced8ef4d74a2bf upstream.
+
+When initializing igb driver (e.g. 82576, I350), IGB_FLAG_QUEUE_PAIRS is
+set if adapter->rss_queues exceeds half of max_rss_queues in
+igb_init_queue_configuration().
+On the other hand, IGB_FLAG_QUEUE_PAIRS is not set even if the number of
+queues exceeds half of max_combined in igb_set_channels() when changing
+the number of queues by "ethtool -L".
+In this case, if numvecs is larger than MAX_MSIX_ENTRIES (10), the size
+of adapter->msix_entries[], an overflow can occur in
+igb_set_interrupt_capability(), which in turn leads to an oops.
+
+Fix this problem as follows:
+ - When changing the number of queues by "ethtool -L", set
+ IGB_FLAG_QUEUE_PAIRS in the same way as initializing igb driver.
+ - When increasing the size of q_vector, reallocate it appropriately.
+ (With IGB_FLAG_QUEUE_PAIRS set, the size of q_vector gets larger.)
+
+Another possible way to fix this problem is to cap the queues at its
+initial number, which is the number of the initial online cpus. But this
+is not the optimal way because we cannot increase queues when another
+cpu becomes online.
+
+Note that before commit cd14ef54d25b ("igb: Change to use statically
+allocated array for MSIx entries"), this problem did not cause oops
+but just made the number of queues become 1 because of entering msi_only
+mode in igb_set_interrupt_capability().
+
+Fixes: 907b7835799f ("igb: Add ethtool support to configure number of channels")
+Signed-off-by: Shota Suzuki <suzuki_shota_t3@lab.ntt.co.jp>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/igb/igb.h | 1 +
+ drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 ++++-
+ drivers/net/ethernet/intel/igb/igb_main.c | 16 ++++++++++++++--
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb.h
++++ b/drivers/net/ethernet/intel/igb/igb.h
+@@ -540,6 +540,7 @@ void igb_ptp_rx_pktstamp(struct igb_q_ve
+ struct sk_buff *skb);
+ int igb_ptp_set_ts_config(struct net_device *netdev, struct ifreq *ifr);
+ int igb_ptp_get_ts_config(struct net_device *netdev, struct ifreq *ifr);
++void igb_set_flag_queue_pairs(struct igb_adapter *, const u32);
+ #ifdef CONFIG_IGB_HWMON
+ void igb_sysfs_exit(struct igb_adapter *adapter);
+ int igb_sysfs_init(struct igb_adapter *adapter);
+--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c
++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+@@ -2991,6 +2991,7 @@ static int igb_set_channels(struct net_d
+ {
+ struct igb_adapter *adapter = netdev_priv(netdev);
+ unsigned int count = ch->combined_count;
++ unsigned int max_combined = 0;
+
+ /* Verify they are not requesting separate vectors */
+ if (!count || ch->rx_count || ch->tx_count)
+@@ -3001,11 +3002,13 @@ static int igb_set_channels(struct net_d
+ return -EINVAL;
+
+ /* Verify the number of channels doesn't exceed hw limits */
+- if (count > igb_max_channels(adapter))
++ max_combined = igb_max_channels(adapter);
++ if (count > max_combined)
+ return -EINVAL;
+
+ if (count != adapter->rss_queues) {
+ adapter->rss_queues = count;
++ igb_set_flag_queue_pairs(adapter, max_combined);
+
+ /* Hardware has to reinitialize queues and interrupts to
+ * match the new configuration.
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -1205,10 +1205,14 @@ static int igb_alloc_q_vector(struct igb
+
+ /* allocate q_vector and rings */
+ q_vector = adapter->q_vector[v_idx];
+- if (!q_vector)
++ if (!q_vector) {
+ q_vector = kzalloc(size, GFP_KERNEL);
+- else
++ } else if (size > ksize(q_vector)) {
++ kfree_rcu(q_vector, rcu);
++ q_vector = kzalloc(size, GFP_KERNEL);
++ } else {
+ memset(q_vector, 0, size);
++ }
+ if (!q_vector)
+ return -ENOMEM;
+
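Review bot: In the new `size > ksize(q_vector)` branch of igb_alloc_q_vector the old vector is handed to `kfree_rcu()` before the replacement allocation is known to succeed. If `kzalloc()` then fails, the function returns -ENOMEM while `adapter->q_vector[v_idx]`, read at the top of the hunk, presumably still points at the object queued for freeing, which sets up a use-after-free or a second free on the next teardown or retry. Allocating first and releasing the old vector only on success avoids that. The function starts and ends outside the hunk, so where the slot is reassigned cannot be seen here.

```c
	} else if (size > ksize(q_vector)) {
		struct igb_q_vector *new_q_vector;

		/* free the old vector only once its replacement exists */
		new_q_vector = kzalloc(size, GFP_KERNEL);
		if (new_q_vector)
			kfree_rcu(q_vector, rcu);
		q_vector = new_q_vector;
	} else {
		/* … unchanged: memset of the reused q_vector … */
```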
+@@ -2888,6 +2892,14 @@ static void igb_init_queue_configuration
+
+ adapter->rss_queues = min_t(u32, max_rss_queues, num_online_cpus());
+
++ igb_set_flag_queue_pairs(adapter, max_rss_queues);
++}
++
++void igb_set_flag_queue_pairs(struct igb_adapter *adapter,
++ const u32 max_rss_queues)
++{
++ struct e1000_hw *hw = &adapter->hw;
++
+ /* Determine if we need to pair queues. */
+ switch (hw->mac.type) {
+ case e1000_82575:
--- /dev/null
+From 3633ebebab2bbe88124388b7620442315c968e8f Mon Sep 17 00:00:00 2001
+From: Bob Copeland <me@bobcopeland.com>
+Date: Sat, 13 Jun 2015 10:16:31 -0400
+Subject: mac80211: enable assoc check for mesh interfaces
+
+From: Bob Copeland <me@bobcopeland.com>
+
+commit 3633ebebab2bbe88124388b7620442315c968e8f upstream.
+
+We already set a station to be associated when peering completes, both
+in user space and in the kernel. Thus we should always have an
+associated sta before sending data frames to that station.
+
+Failure to check assoc state can cause crashes in the lower-level driver
+due to transmitting unicast data frames before driver sta structures
+(e.g. ampdu state in ath9k) are initialized. This occurred when
+forwarding in the presence of fixed mesh paths: frames were transmitted
+to stations with whom we hadn't yet completed peering.
+
+Reported-by: Alexis Green <agreen@cococorp.com>
+Tested-by: Jesse Jones <jjones@cococorp.com>
+Signed-off-by: Bob Copeland <me@bobcopeland.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/tx.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -311,9 +311,6 @@ ieee80211_tx_h_check_assoc(struct ieee80
+ if (tx->sdata->vif.type == NL80211_IFTYPE_WDS)
+ return TX_CONTINUE;
+
+- if (tx->sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
+- return TX_CONTINUE;
+-
+ if (tx->flags & IEEE80211_TX_PS_BUFFERED)
+ return TX_CONTINUE;
+
--- /dev/null
+From 90996511187d6282db6d02d3f97006b4dbb5c457 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Wed, 5 Aug 2015 15:42:35 -0700
+Subject: MIPS: CPS: use 32b accesses to GCRs
+
+From: Paul Burton <paul.burton@imgtec.com>
+
+commit 90996511187d6282db6d02d3f97006b4dbb5c457 upstream.
+
+Commit b677bc03d757 ("MIPS: cps-vec: Use macros for various arithmetics
+and memory operations") replaced various load & store instructions
+through cps-vec.S with the PTR_L & PTR_S macros. However it was somewhat
+overzealous in doing so for CM GCR accesses, since the bit width of the
+CM doesn't necessarily match that of the CPU. The registers accessed
+(GCR_CL_COHERENCE & GCR_CL_ID) should be safe to simply always access
+using 32b instructions, so do so in order to avoid issues when using a
+32b CM with a 64b CPU.
+
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Cc: Markos Chandras <markos.chandras@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: James Hogan <james.hogan@imgtec.com>
+Patchwork: https://patchwork.linux-mips.org/patch/10864/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/cps-vec.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/cps-vec.S
++++ b/arch/mips/kernel/cps-vec.S
+@@ -152,7 +152,7 @@ dcache_done:
+
+ /* Enter the coherent domain */
+ li t0, 0xff
+- PTR_S t0, GCR_CL_COHERENCE_OFS(v1)
++ sw t0, GCR_CL_COHERENCE_OFS(v1)
+ ehb
+
+ /* Jump to kseg0 */
+@@ -302,7 +302,7 @@ LEAF(mips_cps_boot_vpes)
+ PTR_L t0, 0(t0)
+
+ /* Calculate a pointer to this cores struct core_boot_config */
+- PTR_L t0, GCR_CL_ID_OFS(t0)
++ lw t0, GCR_CL_ID_OFS(t0)
+ li t1, COREBOOTCFG_SIZE
+ mul t0, t0, t1
+ PTR_LA t1, mips_cps_core_bootcfg
--- /dev/null
+From e8f80cc1a6d80587136b015e989a12827e1fcfe5 Mon Sep 17 00:00:00 2001
+From: Markos Chandras <markos.chandras@imgtec.com>
+Date: Fri, 17 Jul 2015 10:36:03 +0100
+Subject: MIPS: math-emu: Allow m{f,t}hc emulation on MIPS R6
+
+From: Markos Chandras <markos.chandras@imgtec.com>
+
+commit e8f80cc1a6d80587136b015e989a12827e1fcfe5 upstream.
+
+The mfhc/mthc instructions are supported on MIPS R6 so emulate
+them if needed.
+
+Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/10737/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/math-emu/cp1emu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -1137,7 +1137,7 @@ emul:
+ break;
+
+ case mfhc_op:
+- if (!cpu_has_mips_r2)
++ if (!cpu_has_mips_r2_r6)
+ goto sigill;
+
+ /* copregister rd -> gpr[rt] */
+@@ -1148,7 +1148,7 @@ emul:
+ break;
+
+ case mthc_op:
+- if (!cpu_has_mips_r2)
++ if (!cpu_has_mips_r2_r6)
+ goto sigill;
+
+ /* copregister rd <- gpr[rt] */
--- /dev/null
+From c909ca718e8f50cf484ef06a8dd935e738e8e53d Mon Sep 17 00:00:00 2001
+From: Markos Chandras <markos.chandras@imgtec.com>
+Date: Fri, 17 Jul 2015 10:38:32 +0100
+Subject: MIPS: math-emu: Emulate missing BC1{EQ,NE}Z instructions
+
+From: Markos Chandras <markos.chandras@imgtec.com>
+
+commit c909ca718e8f50cf484ef06a8dd935e738e8e53d upstream.
+
+Commit c8a34581ec09 ("MIPS: Emulate the BC1{EQ,NE}Z FPU instructions")
+added support for emulating the new R6 BC1{EQ,NE}Z branches but it missed
+the case where the instruction that caused the exception was not on a DS.
+
+Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
+Fixes: c8a34581ec09 ("MIPS: Emulate the BC1{EQ,NE}Z FPU instructions")
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/10738/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/math-emu/cp1emu.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -1181,6 +1181,24 @@ emul:
+ }
+ break;
+
++ case bc1eqz_op:
++ case bc1nez_op:
++ if (!cpu_has_mips_r6 || delay_slot(xcp))
++ return SIGILL;
++
++ cond = likely = 0;
++ switch (MIPSInst_RS(ir)) {
++ case bc1eqz_op:
++ if (get_fpr32(¤t->thread.fpu.fpr[MIPSInst_RT(ir)], 0) & 0x1)
++ cond = 1;
++ break;
++ case bc1nez_op:
++ if (!(get_fpr32(¤t->thread.fpu.fpr[MIPSInst_RT(ir)], 0) & 0x1))
++ cond = 1;
++ break;
++ }
++ goto branch_common;
++
+ case bc_op:
+ if (delay_slot(xcp))
+ return SIGILL;
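Review bot: The two arms of the inner `switch (MIPSInst_RS(ir))` look swapped: the `bc1eqz_op` arm sets `cond = 1` when bit 0 of the FPR is set, and the `bc1nez_op` arm sets it when the bit is clear. Going by the mnemonics (branch if equal to zero / not equal to zero), BC1EQZ should take the branch when the bit is 0, so the `!( ... & 0x1)` test belongs under `case bc1eqz_op:` and the plain `... & 0x1` test under `case bc1nez_op:`; this is worth checking against the R6 manual and the delay-slot emulation path added by the earlier commit. The inner switch also has no `default:`, which is harmless here only because the outer case labels already restrict the value. The `¤t->thread` text on both lines appears to be a rendering artefact of `&current->thread`.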
+@@ -1207,7 +1225,7 @@ emul:
+ case bct_op:
+ break;
+ }
+-
++branch_common:
+ set_delay_slot(xcp);
+ if (cond) {
+ /*
--- /dev/null
+From 5a9e0ffc0f128ecdf7c770f76c268e4f9f3c9118 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Wed, 19 Aug 2015 21:26:42 +0200
+Subject: nfc: nci: hci: Add check on skb nci_hci_send_cmd parameter
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit 5a9e0ffc0f128ecdf7c770f76c268e4f9f3c9118 upstream.
+
+skb can be NULL and may lead to a NULL pointer error.
+
+Add a check condition before setting HCI rx buffer.
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/nci/hci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -233,7 +233,7 @@ int nci_hci_send_cmd(struct nci_dev *nde
+ r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data,
+ msecs_to_jiffies(NCI_DATA_TIMEOUT));
+
+- if (r == NCI_STATUS_OK)
++ if (r == NCI_STATUS_OK && skb)
+ *skb = conn_info->rx_skb;
+
+ return r;
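Review bot: With the added `&& skb` test, a caller that passes `skb == NULL` never takes ownership of `conn_info->rx_skb`, and nothing in the visible lines frees it on that path. Unless the buffer is released elsewhere (not visible in this hunk), each such successful call would leave a response buffer allocated and still referenced from `conn_info`. A comment next to the test saying who frees `rx_skb` when the caller does not want it, or an explicit release on that branch if nothing else does it, would close the question. The function body starts outside the hunk.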
--- /dev/null
+From fe202fe95564023223ce1910c9e352f391abb1d5 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Fri, 14 Aug 2015 22:33:40 +0200
+Subject: nfc: netlink: Add check on NFC_ATTR_VENDOR_DATA
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit fe202fe95564023223ce1910c9e352f391abb1d5 upstream.
+
+NFC_ATTR_VENDOR_DATA is an optional vendor_cmd argument.
+The current code was potentially using a non existing argument
+leading to potential catastrophic results.
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/netlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -1518,8 +1518,8 @@ static int nfc_genl_vendor_cmd(struct sk
+ if (!dev || !dev->vendor_cmds || !dev->n_vendor_cmds)
+ return -ENODEV;
+
+- data = nla_data(info->attrs[NFC_ATTR_VENDOR_DATA]);
+- if (data) {
++ if (info->attrs[NFC_ATTR_VENDOR_DATA]) {
++ data = nla_data(info->attrs[NFC_ATTR_VENDOR_DATA]);
+ data_len = nla_len(info->attrs[NFC_ATTR_VENDOR_DATA]);
+ if (data_len == 0)
+ return -EINVAL;
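Review bot: Moving the `nla_data()` call inside the `if` means `data` is no longer assigned on the path where NFC_ATTR_VENDOR_DATA is absent. The `else` branch lies outside this hunk, and the warning quoted in the follow-up patch on this page ("nfc: netlink: Warning fix") shows `data` then being passed to `cmd->doit(dev, data, data_len)`. Applied on its own, this patch would hand an uninitialised pointer to the vendor handler, so the two patches should be kept together, or `data` set to NULL where it is declared.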
--- /dev/null
+From adca3c38d807b341a965d0aba8721d0784d8471b Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Mon, 17 Aug 2015 08:33:43 +0200
+Subject: nfc: netlink: Warning fix
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit adca3c38d807b341a965d0aba8721d0784d8471b upstream.
+
+When NFC_ATTR_VENDOR_DATA is not set, data_len is 0 and data is NULL.
+
+Fixes the following warning:
+
+net/nfc/netlink.c:1536:3: warning: 'data' may be used uninitialized
++in this function [-Wmaybe-uninitialized]
+ return cmd->doit(dev, data, data_len);
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/netlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -1524,6 +1524,7 @@ static int nfc_genl_vendor_cmd(struct sk
+ if (data_len == 0)
+ return -EINVAL;
+ } else {
++ data = NULL;
+ data_len = 0;
+ }
+
--- /dev/null
+From e7723b33077b04648213f043bc22654c54e375e4 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Fri, 14 Aug 2015 22:33:32 +0200
+Subject: nfc: st-nci: Fix non accurate comment for st_nci_i2c_read
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit e7723b33077b04648213f043bc22654c54e375e4 upstream.
+
+Due to a copy and paste error st_nci_i2c_read still contains
+st21nfca header comment.
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/st-nci/i2c.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/nfc/st-nci/i2c.c
++++ b/drivers/nfc/st-nci/i2c.c
+@@ -118,15 +118,10 @@ static int st_nci_i2c_write(void *phy_id
+ /*
+ * Reads an ndlc frame and returns it in a newly allocated sk_buff.
+ * returns:
+- * frame size : if received frame is complete (find ST_NCI_SOF_EOF at
+- * end of read)
+- * -EAGAIN : if received frame is incomplete (not find ST_NCI_SOF_EOF
+- * at end of read)
++ * 0 : if received frame is complete
+ * -EREMOTEIO : i2c read error (fatal)
+ * -EBADMSG : frame was incorrect and discarded
+- * (value returned from st_nci_i2c_repack)
+- * -EIO : if no ST_NCI_SOF_EOF is found after reaching
+- * the read length end sequence
++ * -ENOMEM : cannot allocate skb, frame dropped
+ */
+ static int st_nci_i2c_read(struct st_nci_i2c_phy *phy,
+ struct sk_buff **skb)
--- /dev/null
+From 30458aac63c89771d19f023083d64d018562812e Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Fri, 14 Aug 2015 22:33:31 +0200
+Subject: nfc: st-nci: Fix typo when changing from st21nfcb to st-nci
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit 30458aac63c89771d19f023083d64d018562812e upstream.
+
+Replace ST21NFCB with ST_NCI or st21nfcb with st_nci as it
+was forgotten in commit "nfc: st-nci: Rename st21nfcb to st-nci"
+ed06aeefdac348cfb91a3db5fe1067e3202afd70
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/st-nci/i2c.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/nfc/st-nci/i2c.c
++++ b/drivers/nfc/st-nci/i2c.c
+@@ -29,11 +29,11 @@
+
+ #include "ndlc.h"
+
+-#define DRIVER_DESC "NCI NFC driver for ST21NFCB"
++#define DRIVER_DESC "NCI NFC driver for ST_NCI"
+
+ /* ndlc header */
+-#define ST21NFCB_FRAME_HEADROOM 1
+-#define ST21NFCB_FRAME_TAILROOM 0
++#define ST_NCI_FRAME_HEADROOM 1
++#define ST_NCI_FRAME_TAILROOM 0
+
+ #define ST_NCI_I2C_MIN_SIZE 4 /* PCB(1) + NCI Packet header(3) */
+ #define ST_NCI_I2C_MAX_SIZE 250 /* req 4.2.1 */
+@@ -118,14 +118,14 @@ static int st_nci_i2c_write(void *phy_id
+ /*
+ * Reads an ndlc frame and returns it in a newly allocated sk_buff.
+ * returns:
+- * frame size : if received frame is complete (find ST21NFCB_SOF_EOF at
++ * frame size : if received frame is complete (find ST_NCI_SOF_EOF at
+ * end of read)
+- * -EAGAIN : if received frame is incomplete (not find ST21NFCB_SOF_EOF
++ * -EAGAIN : if received frame is incomplete (not find ST_NCI_SOF_EOF
+ * at end of read)
+ * -EREMOTEIO : i2c read error (fatal)
+ * -EBADMSG : frame was incorrect and discarded
+ * (value returned from st_nci_i2c_repack)
+- * -EIO : if no ST21NFCB_SOF_EOF is found after reaching
++ * -EIO : if no ST_NCI_SOF_EOF is found after reaching
+ * the read length end sequence
+ */
+ static int st_nci_i2c_read(struct st_nci_i2c_phy *phy,
+@@ -179,7 +179,7 @@ static int st_nci_i2c_read(struct st_nci
+ /*
+ * Reads an ndlc frame from the chip.
+ *
+- * On ST21NFCB, IRQ goes in idle state when read starts.
++ * On ST_NCI, IRQ goes in idle state when read starts.
+ */
+ static irqreturn_t st_nci_irq_thread_fn(int irq, void *phy_id)
+ {
+@@ -325,12 +325,12 @@ static int st_nci_i2c_probe(struct i2c_c
+ }
+ } else {
+ nfc_err(&client->dev,
+- "st21nfcb platform resources not available\n");
++ "st_nci platform resources not available\n");
+ return -ENODEV;
+ }
+
+ r = ndlc_probe(phy, &i2c_phy_ops, &client->dev,
+- ST21NFCB_FRAME_HEADROOM, ST21NFCB_FRAME_TAILROOM,
++ ST_NCI_FRAME_HEADROOM, ST_NCI_FRAME_TAILROOM,
+ &phy->ndlc);
+ if (r < 0) {
+ nfc_err(&client->dev, "Unable to register ndlc layer\n");
--- /dev/null
+From daaf1e1f1640eb11259954d1d847d8a72ab5b938 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Fri, 14 Aug 2015 22:33:34 +0200
+Subject: NFC: st-nci: fix use of uninitialized variables in error path
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit daaf1e1f1640eb11259954d1d847d8a72ab5b938 upstream.
+
+st_nci_hci_load_session() calls kfree_skb() on unitialized
+variables skb_pipe_info and skb_pipe_list if the call to
+nci_hci_connect_gate() failed. Reword the error path to not use
+these variables when they are not initialized. While at it, there
+seemed to be a memory leak because skb_pipe_info was only freed
+once, after the for-loop, even though several ones were created
+by nci_hci_send_cmd.
+
+Acked-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/st-nci/st-nci_se.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/nfc/st-nci/st-nci_se.c
++++ b/drivers/nfc/st-nci/st-nci_se.c
+@@ -189,14 +189,14 @@ int st_nci_hci_load_session(struct nci_d
+ ST_NCI_DEVICE_MGNT_GATE,
+ ST_NCI_DEVICE_MGNT_PIPE);
+ if (r < 0)
+- goto free_info;
++ return r;
+
+ /* Get pipe list */
+ r = nci_hci_send_cmd(ndev, ST_NCI_DEVICE_MGNT_GATE,
+ ST_NCI_DM_GETINFO, pipe_list, sizeof(pipe_list),
+ &skb_pipe_list);
+ if (r < 0)
+- goto free_info;
++ return r;
+
+ /* Complete the existing gate_pipe table */
+ for (i = 0; i < skb_pipe_list->len; i++) {
+@@ -222,6 +222,7 @@ int st_nci_hci_load_session(struct nci_d
+ dm_pipe_info->src_host_id != ST_NCI_ESE_HOST_ID) {
+ pr_err("Unexpected apdu_reader pipe on host %x\n",
+ dm_pipe_info->src_host_id);
++ kfree_skb(skb_pipe_info);
+ continue;
+ }
+
+@@ -241,13 +242,12 @@ int st_nci_hci_load_session(struct nci_d
+ ndev->hci_dev->pipes[st_nci_gates[j].pipe].host =
+ dm_pipe_info->src_host_id;
+ }
++ kfree_skb(skb_pipe_info);
+ }
+
+ memcpy(ndev->hci_dev->init_data.gates, st_nci_gates,
+ sizeof(st_nci_gates));
+
+-free_info:
+- kfree_skb(skb_pipe_info);
+ kfree_skb(skb_pipe_list);
+ return r;
+ }
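Review bot: `kfree_skb(skb_pipe_info)` now appears twice in the loop, once before the `continue` in the apdu_reader check and once at the end of the body, so any early `continue` added later after the per-pipe `nci_hci_send_cmd` would leak again. A single release point is easier to keep correct: replace that `continue;` with `goto next;` and end the loop body with `next: kfree_skb(skb_pipe_info);`. The same pattern is introduced in `st21nfca_hci_load_session()` by the st21nfca patch further down this page. The loop header and the start of the function lie outside these hunks.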
--- /dev/null
+From 8b706884eac958ec16518315053f77e052627084 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Fri, 14 Aug 2015 22:33:36 +0200
+Subject: nfc: st-nci: Free data with irrelevant NDLC PCB_SYNC value
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit 8b706884eac958ec16518315053f77e052627084 upstream.
+
+PCB_SYNC different than PCB_TYPE_SUPERVISOR or PCB_TYPE_DATAFRAME
+should be discarded.
+
+Irrelevant data may be forwarded up to the ndlc state machine by
+phys like spi to prevent missing potential data during "write"
+transactions.
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/st-nci/ndlc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/nfc/st-nci/ndlc.c
++++ b/drivers/nfc/st-nci/ndlc.c
+@@ -198,8 +198,10 @@ static void llt_ndlc_rcv_queue(struct ll
+ kfree_skb(skb);
+ break;
+ }
+- } else {
++ } else if ((pcb & PCB_TYPE_MASK) == PCB_TYPE_DATAFRAME) {
+ nci_recv_frame(ndlc->ndev, skb);
++ } else {
++ kfree_skb(skb);
+ }
+ }
+ }
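Review bot: The new final `else` drops frames silently, and the reason for it is only in the commit message. A comment on that branch would keep it with the code, e.g. `/* neither supervisor nor data frame (phys such as spi may forward such bytes): drop */`. A `pr_debug` of the `pcb` value there would also make unexpected frame types visible when debugging a phy. The function starts outside the hunk.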
--- /dev/null
+From 1d816b6eb513498aa28a0ff1e4db7632bded1707 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Fri, 14 Aug 2015 22:33:35 +0200
+Subject: nfc: st-nci: Remove data from ack_pending_q when receiving a SYNC_ACK
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit 1d816b6eb513498aa28a0ff1e4db7632bded1707 upstream.
+
+When receiving a NDLC PCB_SYNC_ACK the pending data was never
+removed from ack_pending_q and cleared.
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/st-nci/ndlc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/nfc/st-nci/ndlc.c
++++ b/drivers/nfc/st-nci/ndlc.c
+@@ -171,6 +171,8 @@ static void llt_ndlc_rcv_queue(struct ll
+ if ((pcb & PCB_TYPE_MASK) == PCB_TYPE_SUPERVISOR) {
+ switch (pcb & PCB_SYNC_MASK) {
+ case PCB_SYNC_ACK:
++ skb = skb_dequeue(&ndlc->ack_pending_q);
++ kfree_skb(skb);
+ del_timer_sync(&ndlc->t1_timer);
+ del_timer_sync(&ndlc->t2_timer);
+ ndlc->t2_active = false;
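Review bot: Reusing `skb` for the result of `skb_dequeue(&ndlc->ack_pending_q)` overwrites the pointer to the frame currently being handled, which by the other hunk on this function appears to be the received frame. After the assignment the received ACK frame can no longer be freed, and nothing in the visible lines frees it before the overwrite. Leaving `skb` untouched avoids that: `kfree_skb(skb_dequeue(&ndlc->ack_pending_q));`, with the received frame released at the end of the case if that is not already handled outside the hunk.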
--- /dev/null
+From 76b733d15874128ee2d0365b4cbe7d51decd8d37 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Fri, 14 Aug 2015 22:33:30 +0200
+Subject: nfc: st-nci: Remove duplicate file platform_data/st_nci.h
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit 76b733d15874128ee2d0365b4cbe7d51decd8d37 upstream.
+
+commit "nfc: st-nci: Rename st21nfcb to st-nci" adds
+include/linux/platform_data/st_nci.h duplicated with
+include/linux/platform_data/st-nci.h.
+
+Only drivers/nfc/st-nci/i2c.c uses platform_data/st_nci.h.
+
+Reported-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/st-nci/i2c.c | 2 +-
+ include/linux/platform_data/st_nci.h | 29 -----------------------------
+ 2 files changed, 1 insertion(+), 30 deletions(-)
+
+--- a/drivers/nfc/st-nci/i2c.c
++++ b/drivers/nfc/st-nci/i2c.c
+@@ -25,7 +25,7 @@
+ #include <linux/interrupt.h>
+ #include <linux/delay.h>
+ #include <linux/nfc.h>
+-#include <linux/platform_data/st_nci.h>
++#include <linux/platform_data/st-nci.h>
+
+ #include "ndlc.h"
+
+--- a/include/linux/platform_data/st_nci.h
++++ /dev/null
+@@ -1,29 +0,0 @@
+-/*
+- * Driver include for ST NCI NFC chip family.
+- *
+- * Copyright (C) 2014-2015 STMicroelectronics SAS. All rights reserved.
+- *
+- * This program is free software; you can redistribute it and/or modify it
+- * under the terms and conditions of the GNU General Public License,
+- * version 2, as published by the Free Software Foundation.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- * GNU General Public License for more details.
+- *
+- * You should have received a copy of the GNU General Public License
+- * along with this program; if not, see <http://www.gnu.org/licenses/>.
+- */
+-
+-#ifndef _ST_NCI_H_
+-#define _ST_NCI_H_
+-
+-#define ST_NCI_DRIVER_NAME "st_nci"
+-
+-struct st_nci_nfc_platform_data {
+- unsigned int gpio_reset;
+- unsigned int irq_polarity;
+-};
+-
+-#endif /* _ST_NCI_H_ */
--- /dev/null
+From 5a3570061a131309143a49e4bbdbce7e23f261e7 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Fri, 14 Aug 2015 22:33:33 +0200
+Subject: NFC: st21nfca: fix use of uninitialized variables in error path
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit 5a3570061a131309143a49e4bbdbce7e23f261e7 upstream.
+
+st21nfca_hci_load_session() calls kfree_skb() on unitialized
+variables skb_pipe_info and skb_pipe_list if the call to
+nfc_hci_connect_gate() failed. Reword the error path to not use
+these variables when they are not initialized. While at it, there
+seemed to be a memory leak because skb_pipe_info was only freed
+once, after the for-loop, even though several ones were created
+by nfc_hci_send_cmd.
+
+Fixes: ec03ff1a8f9a
+("NFC: st21nfca: Remove skb_pipe_list and skb_pipe_info
+useless allocation")
+
+Acked-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/st21nfca/st21nfca.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/nfc/st21nfca/st21nfca.c
++++ b/drivers/nfc/st21nfca/st21nfca.c
+@@ -148,14 +148,14 @@ static int st21nfca_hci_load_session(str
+ ST21NFCA_DEVICE_MGNT_GATE,
+ ST21NFCA_DEVICE_MGNT_PIPE);
+ if (r < 0)
+- goto free_info;
++ return r;
+
+ /* Get pipe list */
+ r = nfc_hci_send_cmd(hdev, ST21NFCA_DEVICE_MGNT_GATE,
+ ST21NFCA_DM_GETINFO, pipe_list, sizeof(pipe_list),
+ &skb_pipe_list);
+ if (r < 0)
+- goto free_info;
++ return r;
+
+ /* Complete the existing gate_pipe table */
+ for (i = 0; i < skb_pipe_list->len; i++) {
+@@ -181,6 +181,7 @@ static int st21nfca_hci_load_session(str
+ info->src_host_id != ST21NFCA_ESE_HOST_ID) {
+ pr_err("Unexpected apdu_reader pipe on host %x\n",
+ info->src_host_id);
++ kfree_skb(skb_pipe_info);
+ continue;
+ }
+
+@@ -200,6 +201,7 @@ static int st21nfca_hci_load_session(str
+ hdev->pipes[st21nfca_gates[j].pipe].dest_host =
+ info->src_host_id;
+ }
++ kfree_skb(skb_pipe_info);
+ }
+
+ /*
+@@ -214,13 +216,12 @@ static int st21nfca_hci_load_session(str
+ st21nfca_gates[i].gate,
+ st21nfca_gates[i].pipe);
+ if (r < 0)
+- goto free_info;
++ goto free_list;
+ }
+ }
+
+ memcpy(hdev->init_data.gates, st21nfca_gates, sizeof(st21nfca_gates));
+-free_info:
+- kfree_skb(skb_pipe_info);
++free_list:
+ kfree_skb(skb_pipe_list);
+ return r;
+ }
--- /dev/null
+From bdfe0cbd746aa9b2509c2f6d6be17193cf7facd7 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 16 Aug 2015 10:03:57 -0400
+Subject: Revert "ext4: remove block_device_ejected"
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit bdfe0cbd746aa9b2509c2f6d6be17193cf7facd7 upstream.
+
+This reverts commit 08439fec266c3cc5702953b4f54bdf5649357de0.
+
+Unfortunately we still need to test for bdi->dev to avoid a crash when a
+USB stick is yanked out while a file system is mounted:
+
+ usb 2-2: USB disconnect, device number 2
+ Buffer I/O error on dev sdb1, logical block 15237120, lost sync page write
+ JBD2: Error -5 detected when updating journal superblock for sdb1-8.
+ BUG: unable to handle kernel paging request at 34beb000
+ IP: [<c136ce88>] __percpu_counter_add+0x18/0xc0
+ *pdpt = 0000000023db9001 *pde = 0000000000000000
+ Oops: 0000 [#1] SMP
+ CPU: 0 PID: 4083 Comm: umount Tainted: G U OE 4.1.1-040101-generic #201507011435
+ Hardware name: LENOVO 7675CTO/7675CTO, BIOS 7NETC2WW (2.22 ) 03/22/2011
+ task: ebf06b50 ti: ebebc000 task.ti: ebebc000
+ EIP: 0060:[<c136ce88>] EFLAGS: 00010082 CPU: 0
+ EIP is at __percpu_counter_add+0x18/0xc0
+ EAX: f21c8e88 EBX: f21c8e88 ECX: 00000000 EDX: 00000001
+ ESI: 00000001 EDI: 00000000 EBP: ebebde60 ESP: ebebde40
+ DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+ CR0: 8005003b CR2: 34beb000 CR3: 33354200 CR4: 000007f0
+ Stack:
+ c1abe100 edcb0098 edcb00ec ffffffff f21c8e68 ffffffff f21c8e68 f286d160
+ ebebde84 c1160454 00000010 00000282 f72a77f8 00000984 f72a77f8 f286d160
+ f286d170 ebebdea0 c11e613f 00000000 00000282 f72a77f8 edd7f4d0 00000000
+ Call Trace:
+ [<c1160454>] account_page_dirtied+0x74/0x110
+ [<c11e613f>] __set_page_dirty+0x3f/0xb0
+ [<c11e6203>] mark_buffer_dirty+0x53/0xc0
+ [<c124a0cb>] ext4_commit_super+0x17b/0x250
+ [<c124ac71>] ext4_put_super+0xc1/0x320
+ [<c11f04ba>] ? fsnotify_unmount_inodes+0x1aa/0x1c0
+ [<c11cfeda>] ? evict_inodes+0xca/0xe0
+ [<c11b925a>] generic_shutdown_super+0x6a/0xe0
+ [<c10a1df0>] ? prepare_to_wait_event+0xd0/0xd0
+ [<c1165a50>] ? unregister_shrinker+0x40/0x50
+ [<c11b92f6>] kill_block_super+0x26/0x70
+ [<c11b94f5>] deactivate_locked_super+0x45/0x80
+ [<c11ba007>] deactivate_super+0x47/0x60
+ [<c11d2b39>] cleanup_mnt+0x39/0x80
+ [<c11d2bc0>] __cleanup_mnt+0x10/0x20
+ [<c1080b51>] task_work_run+0x91/0xd0
+ [<c1011e3c>] do_notify_resume+0x7c/0x90
+ [<c1720da5>] work_notify
+ Code: 8b 55 e8 e9 f4 fe ff ff 90 90 90 90 90 90 90 90 90 90 90 55 89 e5 83 ec 20 89 5d f4 89 c3 89 75 f8 89 d6 89 7d fc 89 cf 8b 48 14 <64> 8b 01 89 45 ec 89 c2 8b 45 08 c1 fa 1f 01 75 ec 89 55 f0 89
+ EIP: [<c136ce88>] __percpu_counter_add+0x18/0xc0 SS:ESP 0068:ebebde40
+ CR2: 0000000034beb000
+ ---[ end trace dd564a7bea834ecd ]---
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=101011
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -325,6 +325,22 @@ static void save_error_info(struct super
+ ext4_commit_super(sb, 1);
+ }
+
++/*
++ * The del_gendisk() function uninitializes the disk-specific data
++ * structures, including the bdi structure, without telling anyone
++ * else. Once this happens, any attempt to call mark_buffer_dirty()
++ * (for example, by ext4_commit_super), will cause a kernel OOPS.
++ * This is a kludge to prevent these oops until we can put in a proper
++ * hook in del_gendisk() to inform the VFS and file system layers.
++ */
++static int block_device_ejected(struct super_block *sb)
++{
++ struct inode *bd_inode = sb->s_bdev->bd_inode;
++ struct backing_dev_info *bdi = inode_to_bdi(bd_inode);
++
++ return bdi->dev == NULL;
++}
++
+ static void ext4_journal_commit_callback(journal_t *journal, transaction_t *txn)
+ {
+ struct super_block *sb = journal->j_private;
+@@ -4617,7 +4633,7 @@ static int ext4_commit_super(struct supe
+ struct buffer_head *sbh = EXT4_SB(sb)->s_sbh;
+ int error = 0;
+
+- if (!sbh)
++ if (!sbh || block_device_ejected(sb))
+ return error;
+ if (buffer_write_io_error(sbh)) {
+ /*
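Review bot: In `ext4_commit_super()` the ejected-device case returns `error`, which is still 0 at that point, so callers see success although nothing was written. If any caller acts on the result (not visible here), a distinct code would be more honest, e.g. `if (block_device_ejected(sb)) return -ENODEV;` kept separate from the `!sbh` test. The helper is also a point-in-time read of `bdi->dev` with no lock in the visible lines, so it narrows the window rather than closing it, which the added comment's "kludge" wording concedes; saying so in that comment would help. `block_device_ejected()` could return `bool`. The body of `ext4_commit_super()` continues outside the hunk.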
--- /dev/null
+From 1642d09fb9b128e8e538b2a4179962a34f38dff9 Mon Sep 17 00:00:00 2001
+From: Adrien Schildknecht <adrien+dev@schischi.me>
+Date: Wed, 19 Aug 2015 17:33:12 +0200
+Subject: rtlwifi: rtl8192cu: Add new device ID
+
+From: Adrien Schildknecht <adrien+dev@schischi.me>
+
+commit 1642d09fb9b128e8e538b2a4179962a34f38dff9 upstream.
+
+The v2 of NetGear WNA1000M uses a different idProduct: USB ID 0846:9043
+
+Signed-off-by: Adrien Schildknecht <adrien+dev@schischi.me>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192cu/sw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+@@ -321,6 +321,7 @@ static struct usb_device_id rtl8192c_usb
+ {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/
+ {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/
+ {RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/
++ {RTL_USB_DEVICE(0x0846, 0x9043, rtl92cu_hal_cfg)}, /*NG WNA1000Mv2*/
+ {RTL_USB_DEVICE(0x0b05, 0x17ba, rtl92cu_hal_cfg)}, /*ASUS-Edimax*/
+ {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/
+ {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
--- /dev/null
+From 251086f588720277a6f5782020a648ce32c4e00b Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Wed, 8 Jul 2015 10:18:50 -0500
+Subject: rtlwifi: rtl8821ae: Fix an expression that is always false
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 251086f588720277a6f5782020a648ce32c4e00b upstream.
+
+In routine _rtl8821ae_set_media_status(), an incorrect mask results in a test
+for AP status to always be false. Similar bugs were fixed in rtl8192cu and
+rtl8192de, but this instance was missed at that time.
+
+Reported-by: David Binderman <dcb314@hotmail.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: David Binderman <dcb314@hotmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8821ae/hw.c | 2 +-
+ drivers/net/wireless/rtlwifi/rtl8821ae/reg.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c
+@@ -2180,7 +2180,7 @@ static int _rtl8821ae_set_media_status(s
+
+ rtl_write_byte(rtlpriv, MSR, bt_msr);
+ rtlpriv->cfg->ops->led_control(hw, ledaction);
+- if ((bt_msr & 0xfc) == MSR_AP)
++ if ((bt_msr & MSR_MASK) == MSR_AP)
+ rtl_write_byte(rtlpriv, REG_BCNTCFG + 1, 0x00);
+ else
+ rtl_write_byte(rtlpriv, REG_BCNTCFG + 1, 0x66);
+--- a/drivers/net/wireless/rtlwifi/rtl8821ae/reg.h
++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/reg.h
+@@ -429,6 +429,7 @@
+ #define MSR_ADHOC 0x01
+ #define MSR_INFRA 0x02
+ #define MSR_AP 0x03
++#define MSR_MASK 0x03
+
+ #define RRSR_RSC_OFFSET 21
+ #define RRSR_SHORT_OFFSET 23
--- /dev/null
+From d3d11fe08ccc9bff174fc958722b5661f0932486 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Tue, 1 Sep 2015 18:07:41 +0200
+Subject: tg3: Fix temperature reporting
+
+From: Jean Delvare <jdelvare@suse.de>
+
+commit d3d11fe08ccc9bff174fc958722b5661f0932486 upstream.
+
+The temperature registers appear to report values in degrees Celsius
+while the hwmon API mandates values to be exposed in millidegrees
+Celsius. Do the conversion so that the values reported by "sensors"
+are correct.
+
+Fixes: aed93e0bf493 ("tg3: Add hwmon support for temperature")
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Cc: Prashant Sreedharan <prashant@broadcom.com>
+Cc: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/broadcom/tg3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -10757,7 +10757,7 @@ static ssize_t tg3_show_temp(struct devi
+ tg3_ape_scratchpad_read(tp, &temperature, attr->index,
+ sizeof(temperature));
+ spin_unlock_bh(&tp->lock);
+- return sprintf(buf, "%u\n", temperature);
++ return sprintf(buf, "%u\n", temperature * 1000);
+ }
+
+
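Review bot: The result of `tg3_ape_scratchpad_read()`, if it reports one, is not checked in the context lines, so when the read fails the value scaled and printed here is whatever `temperature` held beforehand. Its declaration is outside the hunk; if it is an uninitialised local, the hwmon attribute would expose stack contents, which checking the result or initialising the variable to 0 avoids. `temperature * 1000` is computed in the variable's own width and wraps for large register values, which only matters if the scratchpad can return garbage.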
--- /dev/null
+From 12c641ab8270f787dfcce08b5f20ce8b65008096 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 10 Aug 2015 17:35:07 -0500
+Subject: unshare: Unsharing a thread does not require unsharing a vm
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit 12c641ab8270f787dfcce08b5f20ce8b65008096 upstream.
+
+In the logic in the initial commit of unshare made creating a new
+thread group for a process, contingent upon creating a new memory
+address space for that process. That is wrong. Two separate
+processes in different thread groups can share a memory address space
+and clone allows creation of such proceses.
+
+This is significant because it was observed that mm_users > 1 does not
+mean that a process is multi-threaded, as reading /proc/PID/maps
+temporarily increments mm_users, which allows other processes to
+(accidentally) interfere with unshare() calls.
+
+Correct the check in check_unshare_flags() to test for
+!thread_group_empty() for CLONE_THREAD, CLONE_SIGHAND, and CLONE_VM.
+For sighand->count > 1 for CLONE_SIGHAND and CLONE_VM.
+For !current_is_single_threaded instead of mm_users > 1 for CLONE_VM.
+
+By using the correct checks in unshare this removes the possibility of
+an accidental denial of service attack.
+
+Additionally using the correct checks in unshare ensures that only an
+explicit unshare(CLONE_VM) can possibly trigger the slow path of
+current_is_single_threaded(). As an explict unshare(CLONE_VM) is
+pointless it is not expected there are many applications that make
+that call.
+
+Fixes: b2e0d98705e60e45bbb3c0032c48824ad7ae0704 userns: Implement unshare of the user namespace
+Reported-by: Ricky Zhou <rickyz@chromium.org>
+Reported-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/fork.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1871,13 +1871,21 @@ static int check_unshare_flags(unsigned
+ CLONE_NEWUSER|CLONE_NEWPID))
+ return -EINVAL;
+ /*
+- * Not implemented, but pretend it works if there is nothing to
+- * unshare. Note that unsharing CLONE_THREAD or CLONE_SIGHAND
+- * needs to unshare vm.
++ * Not implemented, but pretend it works if there is nothing
++ * to unshare. Note that unsharing the address space or the
++ * signal handlers also need to unshare the signal queues (aka
++ * CLONE_THREAD).
+ */
+ if (unshare_flags & (CLONE_THREAD | CLONE_SIGHAND | CLONE_VM)) {
+- /* FIXME: get_task_mm() increments ->mm_users */
+- if (atomic_read(¤t->mm->mm_users) > 1)
++ if (!thread_group_empty(current))
++ return -EINVAL;
++ }
++ if (unshare_flags & (CLONE_SIGHAND | CLONE_VM)) {
++ if (atomic_read(¤t->sighand->count) > 1)
++ return -EINVAL;
++ }
++ if (unshare_flags & CLONE_VM) {
++ if (!current_is_single_threaded())
+ return -EINVAL;
+ }
+
+@@ -1946,16 +1954,16 @@ SYSCALL_DEFINE1(unshare, unsigned long,
+ if (unshare_flags & CLONE_NEWUSER)
+ unshare_flags |= CLONE_THREAD | CLONE_FS;
+ /*
+- * If unsharing a thread from a thread group, must also unshare vm.
+- */
+- if (unshare_flags & CLONE_THREAD)
+- unshare_flags |= CLONE_VM;
+- /*
+ * If unsharing vm, must also unshare signal handlers.
+ */
+ if (unshare_flags & CLONE_VM)
+ unshare_flags |= CLONE_SIGHAND;
+ /*
++ * If unsharing a signal handlers, must also unshare the signal queues.
++ */
++ if (unshare_flags & CLONE_SIGHAND)
++ unshare_flags |= CLONE_THREAD;
++ /*
+ * If unsharing namespace, must also unshare filesystem information.
+ */
+ if (unshare_flags & CLONE_NEWNS)
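Review bot: The two implication rules in this hunk depend on their order: the `CLONE_VM` rule must add `CLONE_SIGHAND` before the new rule turns `CLONE_SIGHAND` into `CLONE_THREAD`, otherwise a request for `CLONE_VM` alone would end up without `CLONE_THREAD` in `unshare_flags`. The comments do not say so, and the new one has a typo ("a signal handlers"). Suggested wording: `/* If unsharing signal handlers, must also unshare the signal queues (CLONE_THREAD). Keep after the CLONE_VM rule. */`. The syscall body starts and continues outside the hunk.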