3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 12 Mar 2016 07:04:06 +0000 (23:04 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 12 Mar 2016 07:04:06 +0000 (23:04 -0800)
added patches:
asoc-wm8958-fix-enum-ctl-accesses-in-a-wrong-type.patch
asoc-wm8994-fix-enum-ctl-accesses-in-a-wrong-type.patch
iwlwifi-mvm-inc-pending-frames-counter-also-when-txing-non-sta.patch
kvm-ppc-book3s-hv-sanitize-special-purpose-register-values-on-guest-exit.patch
kvm-vmx-disable-pebs-before-a-guest-entry.patch
mac80211-fix-use-of-uninitialised-values-in-rx-aggregation.patch
mac80211-minstrel_ht-set-default-tx-aggregation-timeout-to-0.patch
powerpc-fix-dedotify-for-binutils-2.26.patch
tracing-fix-check-for-cpu-online-when-event-is-disabled.patch
wext-fix-message-delay-ordering.patch

queue-3.14/asoc-wm8958-fix-enum-ctl-accesses-in-a-wrong-type.patch [new file with mode: 0644]
queue-3.14/asoc-wm8994-fix-enum-ctl-accesses-in-a-wrong-type.patch [new file with mode: 0644]
queue-3.14/iwlwifi-mvm-inc-pending-frames-counter-also-when-txing-non-sta.patch [new file with mode: 0644]
queue-3.14/kvm-ppc-book3s-hv-sanitize-special-purpose-register-values-on-guest-exit.patch [new file with mode: 0644]
queue-3.14/kvm-vmx-disable-pebs-before-a-guest-entry.patch [new file with mode: 0644]
queue-3.14/mac80211-fix-use-of-uninitialised-values-in-rx-aggregation.patch [new file with mode: 0644]
queue-3.14/mac80211-minstrel_ht-set-default-tx-aggregation-timeout-to-0.patch [new file with mode: 0644]
queue-3.14/powerpc-fix-dedotify-for-binutils-2.26.patch [new file with mode: 0644]
queue-3.14/tracing-fix-check-for-cpu-online-when-event-is-disabled.patch [new file with mode: 0644]
queue-3.14/wext-fix-message-delay-ordering.patch [new file with mode: 0644]

diff --git a/queue-3.14/asoc-wm8958-fix-enum-ctl-accesses-in-a-wrong-type.patch b/queue-3.14/asoc-wm8958-fix-enum-ctl-accesses-in-a-wrong-type.patch
new file mode 100644 (file)
index 0000000..83fb778
--- /dev/null
@@ -0,0 +1,60 @@
+From d0784829ae3b0beeb69b476f017d5c8a2eb95198 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 29 Feb 2016 18:01:12 +0100
+Subject: ASoC: wm8958: Fix enum ctl accesses in a wrong type
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d0784829ae3b0beeb69b476f017d5c8a2eb95198 upstream.
+
+"MBC Mode", "VSS Mode", "VSS HPF Mode" and "Enhanced EQ Mode" ctls in
+wm8958 codec driver are enum, while the current driver accesses
+wrongly via value.integer.value[].  They have to be via
+value.enumerated.item[] instead.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/wm8958-dsp2.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/codecs/wm8958-dsp2.c
++++ b/sound/soc/codecs/wm8958-dsp2.c
+@@ -459,7 +459,7 @@ static int wm8958_put_mbc_enum(struct sn
+       struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+       struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
+       struct wm8994 *control = wm8994->wm8994;
+-      int value = ucontrol->value.integer.value[0];
++      int value = ucontrol->value.enumerated.item[0];
+       int reg;
+       /* Don't allow on the fly reconfiguration */
+@@ -549,7 +549,7 @@ static int wm8958_put_vss_enum(struct sn
+       struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+       struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
+       struct wm8994 *control = wm8994->wm8994;
+-      int value = ucontrol->value.integer.value[0];
++      int value = ucontrol->value.enumerated.item[0];
+       int reg;
+       /* Don't allow on the fly reconfiguration */
+@@ -582,7 +582,7 @@ static int wm8958_put_vss_hpf_enum(struc
+       struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+       struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
+       struct wm8994 *control = wm8994->wm8994;
+-      int value = ucontrol->value.integer.value[0];
++      int value = ucontrol->value.enumerated.item[0];
+       int reg;
+       /* Don't allow on the fly reconfiguration */
+@@ -749,7 +749,7 @@ static int wm8958_put_enh_eq_enum(struct
+       struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+       struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
+       struct wm8994 *control = wm8994->wm8994;
+-      int value = ucontrol->value.integer.value[0];
++      int value = ucontrol->value.enumerated.item[0];
+       int reg;
+       /* Don't allow on the fly reconfiguration */
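Review bot: In all four put handlers `value` stays a signed `int`, although `enumerated.item[0]` is an unsigned field filled in from userspace, so an item above INT_MAX turns negative on assignment. The range checks of these functions lie outside the hunks; if they only test an upper bound against the number of configurations, a negative value would pass and could later be used as a table index. Declaring it as `unsigned int value = ucontrol->value.enumerated.item[0];` closes that gap without changing the accepted range. The same applies to `wm8994_put_drc_enum()` and `wm8994_put_retune_mobile_enum()` in the wm8994 patch that follows.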
diff --git a/queue-3.14/asoc-wm8994-fix-enum-ctl-accesses-in-a-wrong-type.patch b/queue-3.14/asoc-wm8994-fix-enum-ctl-accesses-in-a-wrong-type.patch
new file mode 100644 (file)
index 0000000..2fdc762
--- /dev/null
@@ -0,0 +1,42 @@
+From 8019c0b37cd5a87107808300a496388b777225bf Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 29 Feb 2016 18:01:15 +0100
+Subject: ASoC: wm8994: Fix enum ctl accesses in a wrong type
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8019c0b37cd5a87107808300a496388b777225bf upstream.
+
+The DRC Mode like "AIF1DRC1 Mode" and EQ Mode like "AIF1.1 EQ Mode" in
+wm8994 codec driver are enum ctls, while the current driver accesses
+wrongly via value.integer.value[].  They have to be via
+value.enumerated.item[] instead.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/wm8994.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/codecs/wm8994.c
++++ b/sound/soc/codecs/wm8994.c
+@@ -360,7 +360,7 @@ static int wm8994_put_drc_enum(struct sn
+       struct wm8994 *control = wm8994->wm8994;
+       struct wm8994_pdata *pdata = &control->pdata;
+       int drc = wm8994_get_drc(kcontrol->id.name);
+-      int value = ucontrol->value.integer.value[0];
++      int value = ucontrol->value.enumerated.item[0];
+       if (drc < 0)
+               return drc;
+@@ -467,7 +467,7 @@ static int wm8994_put_retune_mobile_enum
+       struct wm8994 *control = wm8994->wm8994;
+       struct wm8994_pdata *pdata = &control->pdata;
+       int block = wm8994_get_retune_mobile_block(kcontrol->id.name);
+-      int value = ucontrol->value.integer.value[0];
++      int value = ucontrol->value.enumerated.item[0];
+       if (block < 0)
+               return block;
diff --git a/queue-3.14/iwlwifi-mvm-inc-pending-frames-counter-also-when-txing-non-sta.patch b/queue-3.14/iwlwifi-mvm-inc-pending-frames-counter-also-when-txing-non-sta.patch
new file mode 100644 (file)
index 0000000..c57a0dc
--- /dev/null
@@ -0,0 +1,47 @@
+From fb896c44f88a75843a072cd6961b1615732f7811 Mon Sep 17 00:00:00 2001
+From: Liad Kaufman <liad.kaufman@intel.com>
+Date: Sun, 14 Feb 2016 15:32:58 +0200
+Subject: iwlwifi: mvm: inc pending frames counter also when txing non-sta
+
+From: Liad Kaufman <liad.kaufman@intel.com>
+
+commit fb896c44f88a75843a072cd6961b1615732f7811 upstream.
+
+Until this patch, when TXing non-sta the pending_frames counter
+wasn't increased, but it WAS decreased in
+iwl_mvm_rx_tx_cmd_single(), what makes it negative in certain
+conditions. This in turn caused much trouble when we need to
+remove the station since we won't be waiting forever until
+pending_frames gets 0. In certain cases, we were exhausting
+the station table even in BSS mode, because we had a lot of
+stale stations.
+
+Increase the counter also in iwl_mvm_tx_skb_non_sta() after a
+successful TX to avoid this outcome.
+
+Signed-off-by: Liad Kaufman <liad.kaufman@intel.com>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/mvm/tx.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/net/wireless/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/iwlwifi/mvm/tx.c
+@@ -341,6 +341,15 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv
+               return -1;
+       }
++      /*
++       * Increase the pending frames counter, so that later when a reply comes
++       * in and the counter is decreased - we don't start getting negative
++       * values.
++       * Note that we don't need to make sure it isn't agg'd, since we're
++       * TXing non-sta
++       */
++      atomic_inc(&mvm->pending_frames[sta_id]);
++
+       return 0;
+ }
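Review bot: The `atomic_inc(&mvm->pending_frames[sta_id]);` runs only after the frame has been submitted, while the commit message places the matching decrement in iwl_mvm_rx_tx_cmd_single() when the reply arrives. If that reply can be handled before this line executes, the counter would still dip below zero briefly and a zero test on the decrement side could be missed. The submit call and any locking are outside the hunk, so the ordering should be confirmed and stated in the comment. `sta_id` also indexes `pending_frames[]` with no bound check visible here; it is worth confirming that it is always a valid station index on this path.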
diff --git a/queue-3.14/kvm-ppc-book3s-hv-sanitize-special-purpose-register-values-on-guest-exit.patch b/queue-3.14/kvm-ppc-book3s-hv-sanitize-special-purpose-register-values-on-guest-exit.patch
new file mode 100644 (file)
index 0000000..b430660
--- /dev/null
@@ -0,0 +1,53 @@
+From ccec44563b18a0ce90e2d4f332784b3cb25c8e9c Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@samba.org>
+Date: Sat, 5 Mar 2016 19:34:39 +1100
+Subject: KVM: PPC: Book3S HV: Sanitize special-purpose register values on guest exit
+
+From: Paul Mackerras <paulus@samba.org>
+
+commit ccec44563b18a0ce90e2d4f332784b3cb25c8e9c upstream.
+
+Thomas Huth discovered that a guest could cause a hard hang of a
+host CPU by setting the Instruction Authority Mask Register (IAMR)
+to a suitable value.  It turns out that this is because when the
+code was added to context-switch the new special-purpose registers
+(SPRs) that were added in POWER8, we forgot to add code to ensure
+that they were restored to a sane value on guest exit.
+
+This adds code to set those registers where a bad value could
+compromise the execution of the host kernel to a suitable neutral
+value on guest exit.
+
+Fixes: b005255e12a3
+Reported-by: Thomas Huth <thuth@redhat.com>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Paul Mackerras <paulus@samba.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_hv_rmhandlers.S |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+@@ -1148,6 +1148,20 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S)
+       std     r6, VCPU_ACOP(r9)
+       stw     r7, VCPU_GUEST_PID(r9)
+       std     r8, VCPU_WORT(r9)
++      /*
++       * Restore various registers to 0, where non-zero values
++       * set by the guest could disrupt the host.
++       */
++      li      r0, 0
++      mtspr   SPRN_IAMR, r0
++      mtspr   SPRN_CIABR, r0
++      mtspr   SPRN_DAWRX, r0
++      mtspr   SPRN_TCSCR, r0
++      mtspr   SPRN_WORT, r0
++      /* Set MMCRS to 1<<31 to freeze and disable the SPMC counters */
++      li      r0, 1
++      sldi    r0, r0, 31
++      mtspr   SPRN_MMCRS, r0
+ 8:
+       /* Save and reset AMR and UAMOR before turning on the MMU */
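Review bot: The added block comment says "various registers" without stating the rule that selected these six, which makes the list hard to audit when a later CPU adds more guest-writable SPRs. A comment along the lines of `/* Every SPR the guest can write and that affects host execution must be reset here; guest values are saved to the vcpu before this point */` would make the invariant explicit; only the WORT, ACOP and PID saves are visible in this hunk, so the "saved before" part should be checked for the others. The `mtspr` instructions also depend on running only on the CPU_FTR_ARCH_207S path, and the feature section guarding them begins outside the hunk.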
diff --git a/queue-3.14/kvm-vmx-disable-pebs-before-a-guest-entry.patch b/queue-3.14/kvm-vmx-disable-pebs-before-a-guest-entry.patch
new file mode 100644 (file)
index 0000000..914fdc9
--- /dev/null
@@ -0,0 +1,76 @@
+From 7099e2e1f4d9051f31bbfa5803adf954bb5d76ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Fri, 4 Mar 2016 15:08:42 +0100
+Subject: KVM: VMX: disable PEBS before a guest entry
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář <rkrcmar@redhat.com>
+
+commit 7099e2e1f4d9051f31bbfa5803adf954bb5d76ef upstream.
+
+Linux guests on Haswell (and also SandyBridge and Broadwell, at least)
+would crash if you decided to run a host command that uses PEBS, like
+  perf record -e 'cpu/mem-stores/pp' -a
+
+This happens because KVM is using VMX MSR switching to disable PEBS, but
+SDM [2015-12] 18.4.4.4 Re-configuring PEBS Facilities explains why it
+isn't safe:
+  When software needs to reconfigure PEBS facilities, it should allow a
+  quiescent period between stopping the prior event counting and setting
+  up a new PEBS event. The quiescent period is to allow any latent
+  residual PEBS records to complete its capture at their previously
+  specified buffer address (provided by IA32_DS_AREA).
+
+There might not be a quiescent period after the MSR switch, so a CPU
+ends up using host's MSR_IA32_DS_AREA to access an area in guest's
+memory.  (Or MSR switching is just buggy on some models.)
+
+The guest can learn something about the host this way:
+If the guest doesn't map address pointed by MSR_IA32_DS_AREA, it results
+in #PF where we leak host's MSR_IA32_DS_AREA through CR2.
+
+After that, a malicious guest can map and configure memory where
+MSR_IA32_DS_AREA is pointing and can therefore get an output from
+host's tracing.
+
+This is not a critical leak as the host must initiate with PEBS tracing
+and I have not been able to get a record from more than one instruction
+before vmentry in vmx_vcpu_run() (that place has most registers already
+overwritten with guest's).
+
+We could disable PEBS just few instructions before vmentry, but
+disabling it earlier shouldn't affect host tracing too much.
+We also don't need to switch MSR_IA32_PEBS_ENABLE on VMENTRY, but that
+optimization isn't worth its code, IMO.
+
+(If you are implementing PEBS for guests, be sure to handle the case
+ where both host and guest enable PEBS, because this patch doesn't.)
+
+Fixes: 26a4f3c08de4 ("perf/x86: disable PEBS on a guest entry.")
+Reported-by: Jiří Olša <jolsa@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1555,6 +1555,13 @@ static void add_atomic_switch_msr(struct
+                       return;
+               }
+               break;
++      case MSR_IA32_PEBS_ENABLE:
++              /* PEBS needs a quiescent period after being disabled (to write
++               * a record).  Disabling PEBS through VMX MSR swapping doesn't
++               * provide that period, so a CPU could write host's record into
++               * guest's memory.
++               */
++              wrmsrl(MSR_IA32_PEBS_ENABLE, 0);
+       }
+       for (i = 0; i < m->nr; ++i)
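Review bot: The new `case MSR_IA32_PEBS_ENABLE:` is the last label in the switch and ends without a `break;`, unlike the case above it. Add `break;` after `wrmsrl(MSR_IA32_PEBS_ENABLE, 0);` so that a label appended later cannot silently fall through from the PEBS handling. The write also takes effect before the slot search that starts at the `for` loop below, so PEBS is switched off on the host even if the function then fails to register the MSR for switching. That failure path is outside the hunk and should be checked.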
diff --git a/queue-3.14/mac80211-fix-use-of-uninitialised-values-in-rx-aggregation.patch b/queue-3.14/mac80211-fix-use-of-uninitialised-values-in-rx-aggregation.patch
new file mode 100644 (file)
index 0000000..bfa1602
--- /dev/null
@@ -0,0 +1,52 @@
+From f39ea2690bd61efec97622c48323f40ed6e16317 Mon Sep 17 00:00:00 2001
+From: Chris Bainbridge <chris.bainbridge@gmail.com>
+Date: Wed, 27 Jan 2016 15:46:18 +0000
+Subject: mac80211: fix use of uninitialised values in RX aggregation
+
+From: Chris Bainbridge <chris.bainbridge@gmail.com>
+
+commit f39ea2690bd61efec97622c48323f40ed6e16317 upstream.
+
+Use kzalloc instead of kmalloc for struct tid_ampdu_rx to
+initialize the "removed" field (all others are initialized
+manually). That fixes:
+
+UBSAN: Undefined behaviour in net/mac80211/rx.c:932:29
+load of value 2 is not a valid value for type '_Bool'
+CPU: 3 PID: 1134 Comm: kworker/u16:7 Not tainted 4.5.0-rc1+ #265
+Workqueue: phy0 rt2x00usb_work_rxdone
+ 0000000000000004 ffff880254a7ba50 ffffffff8181d866 0000000000000007
+ ffff880254a7ba78 ffff880254a7ba68 ffffffff8188422d ffffffff8379b500
+ ffff880254a7bab8 ffffffff81884747 0000000000000202 0000000348620032
+Call Trace:
+ [<ffffffff8181d866>] dump_stack+0x45/0x5f
+ [<ffffffff8188422d>] ubsan_epilogue+0xd/0x40
+ [<ffffffff81884747>] __ubsan_handle_load_invalid_value+0x67/0x70
+ [<ffffffff82227b4d>] ieee80211_sta_reorder_release.isra.16+0x5ed/0x730
+ [<ffffffff8222ca14>] ieee80211_prepare_and_rx_handle+0xd04/0x1c00
+ [<ffffffff8222db03>] __ieee80211_rx_handle_packet+0x1f3/0x750
+ [<ffffffff8222e4a7>] ieee80211_rx_napi+0x447/0x990
+
+While at it, convert to use sizeof(*tid_agg_rx) instead.
+
+Fixes: 788211d81bfdf ("mac80211: fix RX A-MPDU session reorder timer deletion")
+Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
+[reword commit message, use sizeof(*tid_agg_rx)]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/agg-rx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -290,7 +290,7 @@ void ieee80211_process_addba_request(str
+       }
+       /* prepare A-MPDU MLME for Rx aggregation */
+-      tid_agg_rx = kmalloc(sizeof(struct tid_ampdu_rx), GFP_KERNEL);
++      tid_agg_rx = kzalloc(sizeof(*tid_agg_rx), GFP_KERNEL);
+       if (!tid_agg_rx)
+               goto end;
diff --git a/queue-3.14/mac80211-minstrel_ht-set-default-tx-aggregation-timeout-to-0.patch b/queue-3.14/mac80211-minstrel_ht-set-default-tx-aggregation-timeout-to-0.patch
new file mode 100644 (file)
index 0000000..432bb51
--- /dev/null
@@ -0,0 +1,40 @@
+From 7a36b930e6ed4702c866dc74a5ad07318a57c688 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Thu, 18 Feb 2016 19:49:18 +0100
+Subject: mac80211: minstrel_ht: set default tx aggregation timeout to 0
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit 7a36b930e6ed4702c866dc74a5ad07318a57c688 upstream.
+
+The value 5000 was put here with the addition of the timeout field to
+ieee80211_start_tx_ba_session. It was originally added in mac80211 to
+save resources for drivers like iwlwifi, which only supports a limited
+number of concurrent aggregation sessions.
+
+Since iwlwifi does not use minstrel_ht and other drivers don't need
+this, 0 is a better default - especially since there have been
+recent reports of aggregation setup related issues reproduced with
+ath9k. This should improve stability without causing any adverse
+effects.
+
+Acked-by: Avery Pennarun <apenwarr@gmail.com>
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rc80211_minstrel_ht.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rc80211_minstrel_ht.c
++++ b/net/mac80211/rc80211_minstrel_ht.c
+@@ -463,7 +463,7 @@ minstrel_aggr_check(struct ieee80211_sta
+       if (skb_get_queue_mapping(skb) == IEEE80211_AC_VO)
+               return;
+-      ieee80211_start_tx_ba_session(pubsta, tid, 5000);
++      ieee80211_start_tx_ba_session(pubsta, tid, 0);
+ }
+ static void
diff --git a/queue-3.14/powerpc-fix-dedotify-for-binutils-2.26.patch b/queue-3.14/powerpc-fix-dedotify-for-binutils-2.26.patch
new file mode 100644 (file)
index 0000000..709c129
--- /dev/null
@@ -0,0 +1,37 @@
+From f15838e9cac8f78f0cc506529bb9d3b9fa589c1f Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Fri, 5 Feb 2016 19:50:03 +0100
+Subject: powerpc: Fix dedotify for binutils >= 2.26
+
+From: Andreas Schwab <schwab@linux-m68k.org>
+
+commit f15838e9cac8f78f0cc506529bb9d3b9fa589c1f upstream.
+
+Since binutils 2.26 BFD is doing suffix merging on STRTAB sections.  But
+dedotify modifies the symbol names in place, which can also modify
+unrelated symbols with a name that matches a suffix of a dotted name.  To
+remove the leading dot of a symbol name we can just increment the pointer
+into the STRTAB section instead.
+
+Backport to all stables to avoid breakage when people update their
+binutils - mpe.
+
+Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/module_64.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/module_64.c
++++ b/arch/powerpc/kernel/module_64.c
+@@ -202,7 +202,7 @@ static void dedotify(Elf64_Sym *syms, un
+               if (syms[i].st_shndx == SHN_UNDEF) {
+                       char *name = strtab + syms[i].st_name;
+                       if (name[0] == '.')
+-                              memmove(name, name+1, strlen(name));
++                              syms[i].st_name++;
+               }
+       }
+ }
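Review bot: With the in-place `memmove()` gone, `name` is only read, so the declaration can become `const char *name = strtab + syms[i].st_name;` to record that the string table is no longer modified. `st_name` is used as an offset into `strtab` and is now also incremented with no bound visible here; symbol-table validation presumably happens earlier in module loading, outside this hunk. A short comment such as `/* skip the leading dot; the string may be shared after suffix merging */` would explain why the offset is bumped rather than the string edited.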
diff --git a/queue-3.14/tracing-fix-check-for-cpu-online-when-event-is-disabled.patch b/queue-3.14/tracing-fix-check-for-cpu-online-when-event-is-disabled.patch
new file mode 100644 (file)
index 0000000..e3df672
--- /dev/null
@@ -0,0 +1,72 @@
+From dc17147de328a74bbdee67c1bf37d2f1992de756 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Wed, 9 Mar 2016 11:58:41 -0500
+Subject: tracing: Fix check for cpu online when event is disabled
+
+From: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
+
+commit dc17147de328a74bbdee67c1bf37d2f1992de756 upstream.
+
+Commit f37755490fe9b ("tracepoints: Do not trace when cpu is offline") added
+a check to make sure that tracepoints only get called when the cpu is
+online, as it uses rcu_read_lock_sched() for protection.
+
+Commit 3a630178fd5f3 ("tracing: generate RCU warnings even when tracepoints
+are disabled") added lockdep checks (including rcu checks) for events that
+are not enabled to catch possible RCU issues that would only be triggered if
+a trace event was enabled. Commit f37755490fe9b only stopped the warnings
+when the trace event was enabled but did not prevent warnings if the trace
+event was called when disabled.
+
+To fix this, the cpu online check is moved to where the condition is added
+to the trace event. This will place the cpu online check in all places that
+it may be used now and in the future.
+
+Fixes: f37755490fe9b ("tracepoints: Do not trace when cpu is offline")
+Fixes: 3a630178fd5f3 ("tracing: generate RCU warnings even when tracepoints are disabled")
+Reported-by: Sudeep Holla <sudeep.holla@arm.com>
+Tested-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/tracepoint.h |   17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/include/linux/tracepoint.h
++++ b/include/linux/tracepoint.h
+@@ -129,9 +129,6 @@ static inline void tracepoint_synchroniz
+               void *it_func;                                          \
+               void *__data;                                           \
+                                                                       \
+-              if (!cpu_online(raw_smp_processor_id()))                \
+-                      return;                                         \
+-                                                                      \
+               if (!(cond))                                            \
+                       return;                                         \
+               prercu;                                                 \
+@@ -265,15 +262,19 @@ static inline void tracepoint_synchroniz
+  * "void *__data, proto" as the callback prototype.
+  */
+ #define DECLARE_TRACE_NOARGS(name)                                    \
+-              __DECLARE_TRACE(name, void, , 1, void *__data, __data)
++      __DECLARE_TRACE(name, void, ,                                   \
++                      cpu_online(raw_smp_processor_id()),             \
++                      void *__data, __data)
+ #define DECLARE_TRACE(name, proto, args)                              \
+-              __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), 1,   \
+-                              PARAMS(void *__data, proto),            \
+-                              PARAMS(__data, args))
++      __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args),              \
++                      cpu_online(raw_smp_processor_id()),             \
++                      PARAMS(void *__data, proto),                    \
++                      PARAMS(__data, args))
+ #define DECLARE_TRACE_CONDITION(name, proto, args, cond)              \
+-      __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), PARAMS(cond), \
++      __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args),              \
++                      cpu_online(raw_smp_processor_id()) && (PARAMS(cond)), \
+                       PARAMS(void *__data, proto),                    \
+                       PARAMS(__data, args))
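Review bot: The `cpu_online(raw_smp_processor_id())` test is now injected into the condition by `DECLARE_TRACE_NOARGS`, `DECLARE_TRACE` and `DECLARE_TRACE_CONDITION`, but the comment above these macros is not updated to say so. Add a line such as `/* cpu_online() is part of the condition: tracepoints use rcu_read_lock_sched() and must not fire on an offline CPU */`. Without it, code that invokes `__DECLARE_TRACE` directly with its own condition has no hint that it must now include the check itself, since the first hunk removes it from the common body. The macro definitions continue outside the hunks shown.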
diff --git a/queue-3.14/wext-fix-message-delay-ordering.patch b/queue-3.14/wext-fix-message-delay-ordering.patch
new file mode 100644 (file)
index 0000000..a683e99
--- /dev/null
@@ -0,0 +1,122 @@
+From 8bf862739a7786ae72409220914df960a0aa80d8 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 27 Jan 2016 12:37:52 +0100
+Subject: wext: fix message delay/ordering
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 8bf862739a7786ae72409220914df960a0aa80d8 upstream.
+
+Beniamino reported that he was getting an RTM_NEWLINK message for a
+given interface, after the RTM_DELLINK for it. It turns out that the
+message is a wireless extensions message, which was sent because the
+interface had been connected and disconnection while it was deleted
+caused a wext message.
+
+For its netlink messages, wext uses RTM_NEWLINK, but the message is
+without all the regular rtnetlink attributes, so "ip monitor link"
+prints just rudimentary information:
+
+5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default
+    link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
+Deleted 5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
+    link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
+5: wlan1: <BROADCAST,MULTICAST,UP>
+    link/ether
+(from my hwsim reproduction)
+
+This can cause userspace to get confused since it doesn't expect an
+RTM_NEWLINK message after RTM_DELLINK.
+
+The reason for this is that wext schedules a worker to send out the
+messages, and the scheduling delay can cause the messages to get out
+to userspace in different order.
+
+To fix this, have wext register a netdevice notifier and flush out
+any pending messages when netdevice state changes. This fixes any
+ordering whenever the original message wasn't sent by a notifier
+itself.
+
+Reported-by: Beniamino Galvani <bgalvani@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/wext-core.c |   51 ++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 40 insertions(+), 11 deletions(-)
+
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -342,6 +342,39 @@ static const int compat_event_type_size[
+ /* IW event code */
++static void wireless_nlevent_flush(void)
++{
++      struct sk_buff *skb;
++      struct net *net;
++
++      ASSERT_RTNL();
++
++      for_each_net(net) {
++              while ((skb = skb_dequeue(&net->wext_nlevents)))
++                      rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
++                                  GFP_KERNEL);
++      }
++}
++
++static int wext_netdev_notifier_call(struct notifier_block *nb,
++                                   unsigned long state, void *ptr)
++{
++      /*
++       * When a netdev changes state in any way, flush all pending messages
++       * to avoid them going out in a strange order, e.g. RTM_NEWLINK after
++       * RTM_DELLINK, or with IFF_UP after without IFF_UP during dev_close()
++       * or similar - all of which could otherwise happen due to delays from
++       * schedule_work().
++       */
++      wireless_nlevent_flush();
++
++      return NOTIFY_OK;
++}
++
++static struct notifier_block wext_netdev_notifier = {
++      .notifier_call = wext_netdev_notifier_call,
++};
++
+ static int __net_init wext_pernet_init(struct net *net)
+ {
+       skb_queue_head_init(&net->wext_nlevents);
+@@ -360,7 +393,12 @@ static struct pernet_operations wext_per
+ static int __init wireless_nlevent_init(void)
+ {
+-      return register_pernet_subsys(&wext_pernet_ops);
++      int err = register_pernet_subsys(&wext_pernet_ops);
++
++      if (err)
++              return err;
++
++      return register_netdevice_notifier(&wext_netdev_notifier);
+ }
+ subsys_initcall(wireless_nlevent_init);
+@@ -368,17 +406,8 @@ subsys_initcall(wireless_nlevent_init);
+ /* Process events generated by the wireless layer or the driver. */
+ static void wireless_nlevent_process(struct work_struct *work)
+ {
+-      struct sk_buff *skb;
+-      struct net *net;
+-
+       rtnl_lock();
+-
+-      for_each_net(net) {
+-              while ((skb = skb_dequeue(&net->wext_nlevents)))
+-                      rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
+-                                  GFP_KERNEL);
+-      }
+-
++      wireless_nlevent_flush();
+       rtnl_unlock();
+ }
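Review bot: `wireless_nlevent_init()` returns the result of `register_netdevice_notifier()` directly, so if that call fails the pernet subsystem registered just before it stays registered while the initcall reports an error. Unwind it by replacing the final return with `err = register_netdevice_notifier(&wext_netdev_notifier);`, `if (err) unregister_pernet_subsys(&wext_pernet_ops);` and `return err;`. Separately, `wext_netdev_notifier_call()` flushes on every event and `wireless_nlevent_flush()` asserts the RTNL, which assumes every netdevice notification is delivered with the RTNL held. A one-line comment stating that assumption would help the next reader.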