]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
4.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 23 Sep 2015 04:14:36 +0000 (21:14 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 23 Sep 2015 04:14:36 +0000 (21:14 -0700)
added patches:
blk-mq-fix-buffer-overflow-when-reading-sysfs-file-of-pending.patch
cxl-fix-unbalanced-pci_dev_get-in-cxl_probe.patch
cxl-remove-racy-attempt-to-force-eeh-invocation-in-reset.patch
ext4-don-t-manipulate-recovery-flag-when-freezing-no-journal-fs.patch
igb-fix-oops-caused-by-missing-queue-pairing.patch
mac80211-enable-assoc-check-for-mesh-interfaces.patch
mips-math-emu-allow-m-f-t-hc-emulation-on-mips-r6.patch
mips-math-emu-emulate-missing-bc1-eq-ne-z-instructions.patch
nfc-nci-hci-add-check-on-skb-nci_hci_send_cmd-parameter.patch
nfc-st21nfca-fix-use-of-uninitialized-variables-in-error-path.patch
revert-ext4-remove-block_device_ejected.patch
rtlwifi-rtl8192cu-add-new-device-id.patch
rtlwifi-rtl8821ae-fix-an-expression-that-is-always-false.patch
tg3-fix-temperature-reporting.patch
unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch

15 files changed:
queue-4.1/blk-mq-fix-buffer-overflow-when-reading-sysfs-file-of-pending.patch [new file with mode: 0644]
queue-4.1/cxl-fix-unbalanced-pci_dev_get-in-cxl_probe.patch [new file with mode: 0644]
queue-4.1/cxl-remove-racy-attempt-to-force-eeh-invocation-in-reset.patch [new file with mode: 0644]
queue-4.1/ext4-don-t-manipulate-recovery-flag-when-freezing-no-journal-fs.patch [new file with mode: 0644]
queue-4.1/igb-fix-oops-caused-by-missing-queue-pairing.patch [new file with mode: 0644]
queue-4.1/mac80211-enable-assoc-check-for-mesh-interfaces.patch [new file with mode: 0644]
queue-4.1/mips-math-emu-allow-m-f-t-hc-emulation-on-mips-r6.patch [new file with mode: 0644]
queue-4.1/mips-math-emu-emulate-missing-bc1-eq-ne-z-instructions.patch [new file with mode: 0644]
queue-4.1/nfc-nci-hci-add-check-on-skb-nci_hci_send_cmd-parameter.patch [new file with mode: 0644]
queue-4.1/nfc-st21nfca-fix-use-of-uninitialized-variables-in-error-path.patch [new file with mode: 0644]
queue-4.1/revert-ext4-remove-block_device_ejected.patch [new file with mode: 0644]
queue-4.1/rtlwifi-rtl8192cu-add-new-device-id.patch [new file with mode: 0644]
queue-4.1/rtlwifi-rtl8821ae-fix-an-expression-that-is-always-false.patch [new file with mode: 0644]
queue-4.1/tg3-fix-temperature-reporting.patch [new file with mode: 0644]
queue-4.1/unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch [new file with mode: 0644]

diff --git a/queue-4.1/blk-mq-fix-buffer-overflow-when-reading-sysfs-file-of-pending.patch b/queue-4.1/blk-mq-fix-buffer-overflow-when-reading-sysfs-file-of-pending.patch
new file mode 100644 (file)
index 0000000..e8ca746
--- /dev/null
@@ -0,0 +1,73 @@
+From 596f5aad2a704b72934e5abec1b1b4114c16f45b Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@canonical.com>
+Date: Sun, 9 Aug 2015 03:41:50 -0400
+Subject: blk-mq: fix buffer overflow when reading sysfs file of 'pending'
+
+From: Ming Lei <ming.lei@canonical.com>
+
+commit 596f5aad2a704b72934e5abec1b1b4114c16f45b upstream.
+
+There may be lots of pending requests so that the buffer of PAGE_SIZE
+can't hold them at all.
+
+One typical example is scsi-mq, the queue depth(.can_queue) of
+scsi_host and blk-mq is quite big but scsi_device's queue_depth
+is a bit small(.cmd_per_lun), then it is quite easy to have lots
+of pending requests in hw queue.
+
+This patch fixes the following warning and the related memory
+destruction.
+
+[  359.025101] fill_read_buffer: blk_mq_hw_sysfs_show+0x0/0x7d returned bad count^M
+[  359.055595] irq event stamp: 15537^M
+[  359.055606] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC ^M
+[  359.055614] Dumping ftrace buffer:^M
+[  359.055660]    (ftrace buffer empty)^M
+[  359.055672] Modules linked in: nbd ipv6 kvm_intel kvm serio_raw^M
+[  359.055678] CPU: 4 PID: 21631 Comm: stress-ng-sysfs Not tainted 4.2.0-rc5-next-20150805 #434^M
+[  359.055679] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011^M
+[  359.055682] task: ffff8802161cc000 ti: ffff88021b4a8000 task.ti: ffff88021b4a8000^M
+[  359.055693] RIP: 0010:[<ffffffff811541c5>]  [<ffffffff811541c5>] __kmalloc+0xe8/0x152^M
+
+Signed-off-by: Ming Lei <ming.lei@canonical.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-mq-sysfs.c |   21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -141,15 +141,26 @@ static ssize_t blk_mq_sysfs_completed_sh
+ static ssize_t sysfs_list_show(char *page, struct list_head *list, char *msg)
+ {
+-      char *start_page = page;
+       struct request *rq;
++      int len = snprintf(page, PAGE_SIZE - 1, "%s:\n", msg);
+-      page += sprintf(page, "%s:\n", msg);
++      list_for_each_entry(rq, list, queuelist) {
++              const int rq_len = 2 * sizeof(rq) + 2;
+-      list_for_each_entry(rq, list, queuelist)
+-              page += sprintf(page, "\t%p\n", rq);
++              /* if the output will be truncated */
++              if (PAGE_SIZE - 1 < len + rq_len) {
++                      /* backspacing if it can't hold '\t...\n' */
++                      if (PAGE_SIZE - 1 < len + 5)
++                              len -= rq_len;
++                      len += snprintf(page + len, PAGE_SIZE - 1 - len,
++                                      "\t...\n");
++                      break;
++              }
++              len += snprintf(page + len, PAGE_SIZE - 1 - len,
++                              "\t%p\n", rq);
++      }
+-      return page - start_page;
++      return len;
+ }
+ static ssize_t blk_mq_sysfs_rq_list_show(struct blk_mq_ctx *ctx, char *page)
diff --git a/queue-4.1/cxl-fix-unbalanced-pci_dev_get-in-cxl_probe.patch b/queue-4.1/cxl-fix-unbalanced-pci_dev_get-in-cxl_probe.patch
new file mode 100644 (file)
index 0000000..89379ab
--- /dev/null
@@ -0,0 +1,69 @@
+From 2925c2fdf1e0eb642482f5b30577e9435aaa8edb Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 15 Sep 2015 15:04:07 +1000
+Subject: cxl: Fix unbalanced pci_dev_get in cxl_probe
+
+From: Daniel Axtens <dja@axtens.net>
+
+commit 2925c2fdf1e0eb642482f5b30577e9435aaa8edb upstream.
+
+Currently the first thing we do in cxl_probe is to grab a reference
+on the pci device. Later on, we call device_register on our adapter.
+In our remove path, we call device_unregister, but we never call
+pci_dev_put. We therefore leak the device every time we do a
+reflash.
+
+device_register/unregister is sufficient to hold the reference.
+Therefore, drop the call to pci_dev_get.
+
+Here's why this is safe.
+The proposed cxl_probe(pdev) calls cxl_adapter_init:
+    a) init calls cxl_adapter_alloc, which creates a struct cxl,
+       conventionally called adapter. This struct contains a
+       device entry, adapter->dev.
+
+    b) init calls cxl_configure_adapter, where we set
+       adapter->dev.parent = &dev->dev (here dev is the pci dev)
+
+So at this point, the cxl adapter's device's parent is the PCI
+device that I want to be refcounted properly.
+
+    c) init calls cxl_register_adapter
+       *) cxl_register_adapter calls device_register(&adapter->dev)
+
+So now we're in device_register, where dev is the adapter device, and
+we want to know if the PCI device is safe after we return.
+
+device_register(&adapter->dev) calls device_initialize() and then
+device_add().
+
+device_add() does a get_device(). device_add() also explicitly grabs
+the device's parent, and calls get_device() on it:
+
+         parent = get_device(dev->parent);
+
+So therefore, device_register() takes a lock on the parent PCI dev,
+which is what pci_dev_get() was guarding. pci_dev_get() can therefore
+be safely removed.
+
+Fixes: f204e0b8cedd ("cxl: Driver code for powernv PCIe based cards for userspace access")
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Acked-by: Ian Munsie <imunsie@au1.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/cxl/pci.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/misc/cxl/pci.c
++++ b/drivers/misc/cxl/pci.c
+@@ -1046,8 +1046,6 @@ static int cxl_probe(struct pci_dev *dev
+       int slice;
+       int rc;
+-      pci_dev_get(dev);
+-
+       if (cxl_verbose)
+               dump_cxl_config_space(dev);
diff --git a/queue-4.1/cxl-remove-racy-attempt-to-force-eeh-invocation-in-reset.patch b/queue-4.1/cxl-remove-racy-attempt-to-force-eeh-invocation-in-reset.patch
new file mode 100644 (file)
index 0000000..e02eac6
--- /dev/null
@@ -0,0 +1,73 @@
+From 9d8e27673c45927fee9e7d8992ffb325a6b0b0e4 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 21 Aug 2015 17:25:15 +1000
+Subject: cxl: Remove racy attempt to force EEH invocation in reset
+
+From: Daniel Axtens <dja@axtens.net>
+
+commit 9d8e27673c45927fee9e7d8992ffb325a6b0b0e4 upstream.
+
+cxl_reset currently PERSTs the slot, and then repeatedly tries to
+read MMIO space in order to kick off EEH.
+
+There are 2 problems with this: it's unnecessary, and it's racy.
+
+It's unnecessary because the PERST will bring down the PHB link.
+That will be picked up by the CAPP, which will send out an HMI.
+Skiboot, noticing an HMI from the CAPP, will send an OPAL
+notification to the kernel, which will trigger EEH recovery.
+
+It's also racy: the EEH recovery triggered by the CAPP will
+eventually cause the MMIO space to have its mapping invalidated
+and the pointer NULLed out. This races with our attempt to read
+the MMIO space. This is causing OOPSes in testing.
+
+Simply drop all the attempts to force EEH detection, and trust
+that Skiboot will send the notification and that we'll act on it.
+The Skiboot code to send the EEH notification has been in Skiboot
+for as long as CAPP recovery has been supported, so we don't need
+to worry about breaking obscure setups with ancient firmware.
+
+Cc: Ryan Grimm <grimm@linux.vnet.ibm.com>
+Fixes: 62fa19d4b4fd ("cxl: Add ability to reset the card")
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Acked-by: Ian Munsie <imunsie@au1.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/cxl/pci.c |   16 ----------------
+ 1 file changed, 16 deletions(-)
+
+--- a/drivers/misc/cxl/pci.c
++++ b/drivers/misc/cxl/pci.c
+@@ -778,8 +778,6 @@ int cxl_reset(struct cxl *adapter)
+ {
+       struct pci_dev *dev = to_pci_dev(adapter->dev.parent);
+       int rc;
+-      int i;
+-      u32 val;
+       dev_info(&dev->dev, "CXL reset\n");
+@@ -794,20 +792,6 @@ int cxl_reset(struct cxl *adapter)
+               return rc;
+       }
+-      /* the PERST done above fences the PHB.  So, reset depends on EEH
+-       * to unbind the driver, tell Sapphire to reinit the PHB, and rebind
+-       * the driver.  Do an mmio read explictly to ensure EEH notices the
+-       * fenced PHB.  Retry for a few seconds before giving up. */
+-      i = 0;
+-      while (((val = mmio_read32be(adapter->p1_mmio)) != 0xffffffff) &&
+-              (i < 5)) {
+-              msleep(500);
+-              i++;
+-      }
+-
+-      if (val != 0xffffffff)
+-              dev_err(&dev->dev, "cxl: PERST failed to trigger EEH\n");
+-
+       return rc;
+ }
diff --git a/queue-4.1/ext4-don-t-manipulate-recovery-flag-when-freezing-no-journal-fs.patch b/queue-4.1/ext4-don-t-manipulate-recovery-flag-when-freezing-no-journal-fs.patch
new file mode 100644 (file)
index 0000000..e5e0d10
--- /dev/null
@@ -0,0 +1,66 @@
+From c642dc9e1aaed953597e7092d7df329e6234096e Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Sat, 15 Aug 2015 10:45:06 -0400
+Subject: ext4: don't manipulate recovery flag when freezing no-journal fs
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+commit c642dc9e1aaed953597e7092d7df329e6234096e upstream.
+
+At some point along this sequence of changes:
+
+f6e63f9 ext4: fold ext4_nojournal_sops into ext4_sops
+bb04457 ext4: support freezing ext2 (nojournal) file systems
+9ca9238 ext4: Use separate super_operations structure for no_journal filesystems
+
+ext4 started setting needs_recovery on filesystems without journals
+when they are unfrozen.  This makes no sense, and in fact confuses
+blkid to the point where it doesn't recognize the filesystem at all.
+
+(freeze ext2; unfreeze ext2; run blkid; see no output; run dumpe2fs,
+see needs_recovery set on fs w/ no journal).
+
+To fix this, don't manipulate the INCOMPAT_RECOVER feature on
+filesystems without journals.
+
+Reported-by: Stu Mark <smark@datto.com>
+Reviewed-by: Jan Kara <jack@suse.com>
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4807,10 +4807,11 @@ static int ext4_freeze(struct super_bloc
+               error = jbd2_journal_flush(journal);
+               if (error < 0)
+                       goto out;
++
++              /* Journal blocked and flushed, clear needs_recovery flag. */
++              EXT4_CLEAR_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER);
+       }
+-      /* Journal blocked and flushed, clear needs_recovery flag. */
+-      EXT4_CLEAR_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER);
+       error = ext4_commit_super(sb, 1);
+ out:
+       if (journal)
+@@ -4828,8 +4829,11 @@ static int ext4_unfreeze(struct super_bl
+       if (sb->s_flags & MS_RDONLY)
+               return 0;
+-      /* Reset the needs_recovery flag before the fs is unlocked. */
+-      EXT4_SET_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER);
++      if (EXT4_SB(sb)->s_journal) {
++              /* Reset the needs_recovery flag before the fs is unlocked. */
++              EXT4_SET_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER);
++      }
++
+       ext4_commit_super(sb, 1);
+       return 0;
+ }
diff --git a/queue-4.1/igb-fix-oops-caused-by-missing-queue-pairing.patch b/queue-4.1/igb-fix-oops-caused-by-missing-queue-pairing.patch
new file mode 100644 (file)
index 0000000..2068c33
--- /dev/null
@@ -0,0 +1,116 @@
+From 72ddef0506da852dc82f078f37ced8ef4d74a2bf Mon Sep 17 00:00:00 2001
+From: Shota Suzuki <suzuki_shota_t3@lab.ntt.co.jp>
+Date: Wed, 1 Jul 2015 09:25:52 +0900
+Subject: igb: Fix oops caused by missing queue pairing
+
+From: Shota Suzuki <suzuki_shota_t3@lab.ntt.co.jp>
+
+commit 72ddef0506da852dc82f078f37ced8ef4d74a2bf upstream.
+
+When initializing igb driver (e.g. 82576, I350), IGB_FLAG_QUEUE_PAIRS is
+set if adapter->rss_queues exceeds half of max_rss_queues in
+igb_init_queue_configuration().
+On the other hand, IGB_FLAG_QUEUE_PAIRS is not set even if the number of
+queues exceeds half of max_combined in igb_set_channels() when changing
+the number of queues by "ethtool -L".
+In this case, if numvecs is larger than MAX_MSIX_ENTRIES (10), the size
+of adapter->msix_entries[], an overflow can occur in
+igb_set_interrupt_capability(), which in turn leads to an oops.
+
+Fix this problem as follows:
+ - When changing the number of queues by "ethtool -L", set
+   IGB_FLAG_QUEUE_PAIRS in the same way as initializing igb driver.
+ - When increasing the size of q_vector, reallocate it appropriately.
+   (With IGB_FLAG_QUEUE_PAIRS set, the size of q_vector gets larger.)
+
+Another possible way to fix this problem is to cap the queues at its
+initial number, which is the number of the initial online cpus. But this
+is not the optimal way because we cannot increase queues when another
+cpu becomes online.
+
+Note that before commit cd14ef54d25b ("igb: Change to use statically
+allocated array for MSIx entries"), this problem did not cause oops
+but just made the number of queues become 1 because of entering msi_only
+mode in igb_set_interrupt_capability().
+
+Fixes: 907b7835799f ("igb: Add ethtool support to configure number of channels")
+Signed-off-by: Shota Suzuki <suzuki_shota_t3@lab.ntt.co.jp>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/igb/igb.h         |    1 +
+ drivers/net/ethernet/intel/igb/igb_ethtool.c |    5 ++++-
+ drivers/net/ethernet/intel/igb/igb_main.c    |   16 ++++++++++++++--
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb.h
++++ b/drivers/net/ethernet/intel/igb/igb.h
+@@ -540,6 +540,7 @@ void igb_ptp_rx_pktstamp(struct igb_q_ve
+                        struct sk_buff *skb);
+ int igb_ptp_set_ts_config(struct net_device *netdev, struct ifreq *ifr);
+ int igb_ptp_get_ts_config(struct net_device *netdev, struct ifreq *ifr);
++void igb_set_flag_queue_pairs(struct igb_adapter *, const u32);
+ #ifdef CONFIG_IGB_HWMON
+ void igb_sysfs_exit(struct igb_adapter *adapter);
+ int igb_sysfs_init(struct igb_adapter *adapter);
+--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c
++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+@@ -2991,6 +2991,7 @@ static int igb_set_channels(struct net_d
+ {
+       struct igb_adapter *adapter = netdev_priv(netdev);
+       unsigned int count = ch->combined_count;
++      unsigned int max_combined = 0;
+       /* Verify they are not requesting separate vectors */
+       if (!count || ch->rx_count || ch->tx_count)
+@@ -3001,11 +3002,13 @@ static int igb_set_channels(struct net_d
+               return -EINVAL;
+       /* Verify the number of channels doesn't exceed hw limits */
+-      if (count > igb_max_channels(adapter))
++      max_combined = igb_max_channels(adapter);
++      if (count > max_combined)
+               return -EINVAL;
+       if (count != adapter->rss_queues) {
+               adapter->rss_queues = count;
++              igb_set_flag_queue_pairs(adapter, max_combined);
+               /* Hardware has to reinitialize queues and interrupts to
+                * match the new configuration.
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -1205,10 +1205,14 @@ static int igb_alloc_q_vector(struct igb
+       /* allocate q_vector and rings */
+       q_vector = adapter->q_vector[v_idx];
+-      if (!q_vector)
++      if (!q_vector) {
+               q_vector = kzalloc(size, GFP_KERNEL);
+-      else
++      } else if (size > ksize(q_vector)) {
++              kfree_rcu(q_vector, rcu);
++              q_vector = kzalloc(size, GFP_KERNEL);
++      } else {
+               memset(q_vector, 0, size);
++      }
+       if (!q_vector)
+               return -ENOMEM;
+@@ -2901,6 +2905,14 @@ static void igb_init_queue_configuration
+       adapter->rss_queues = min_t(u32, max_rss_queues, num_online_cpus());
++      igb_set_flag_queue_pairs(adapter, max_rss_queues);
++}
++
++void igb_set_flag_queue_pairs(struct igb_adapter *adapter,
++                            const u32 max_rss_queues)
++{
++      struct e1000_hw *hw = &adapter->hw;
++
+       /* Determine if we need to pair queues. */
+       switch (hw->mac.type) {
+       case e1000_82575:
diff --git a/queue-4.1/mac80211-enable-assoc-check-for-mesh-interfaces.patch b/queue-4.1/mac80211-enable-assoc-check-for-mesh-interfaces.patch
new file mode 100644 (file)
index 0000000..e8bd696
--- /dev/null
@@ -0,0 +1,41 @@
+From 3633ebebab2bbe88124388b7620442315c968e8f Mon Sep 17 00:00:00 2001
+From: Bob Copeland <me@bobcopeland.com>
+Date: Sat, 13 Jun 2015 10:16:31 -0400
+Subject: mac80211: enable assoc check for mesh interfaces
+
+From: Bob Copeland <me@bobcopeland.com>
+
+commit 3633ebebab2bbe88124388b7620442315c968e8f upstream.
+
+We already set a station to be associated when peering completes, both
+in user space and in the kernel.  Thus we should always have an
+associated sta before sending data frames to that station.
+
+Failure to check assoc state can cause crashes in the lower-level driver
+due to transmitting unicast data frames before driver sta structures
+(e.g. ampdu state in ath9k) are initialized.  This occurred when
+forwarding in the presence of fixed mesh paths: frames were transmitted
+to stations with whom we hadn't yet completed peering.
+
+Reported-by: Alexis Green <agreen@cococorp.com>
+Tested-by: Jesse Jones <jjones@cococorp.com>
+Signed-off-by: Bob Copeland <me@bobcopeland.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/tx.c |    3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -301,9 +301,6 @@ ieee80211_tx_h_check_assoc(struct ieee80
+       if (tx->sdata->vif.type == NL80211_IFTYPE_WDS)
+               return TX_CONTINUE;
+-      if (tx->sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
+-              return TX_CONTINUE;
+-
+       if (tx->flags & IEEE80211_TX_PS_BUFFERED)
+               return TX_CONTINUE;
diff --git a/queue-4.1/mips-math-emu-allow-m-f-t-hc-emulation-on-mips-r6.patch b/queue-4.1/mips-math-emu-allow-m-f-t-hc-emulation-on-mips-r6.patch
new file mode 100644 (file)
index 0000000..4793dc4
--- /dev/null
@@ -0,0 +1,42 @@
+From e8f80cc1a6d80587136b015e989a12827e1fcfe5 Mon Sep 17 00:00:00 2001
+From: Markos Chandras <markos.chandras@imgtec.com>
+Date: Fri, 17 Jul 2015 10:36:03 +0100
+Subject: MIPS: math-emu: Allow m{f,t}hc emulation on MIPS R6
+
+From: Markos Chandras <markos.chandras@imgtec.com>
+
+commit e8f80cc1a6d80587136b015e989a12827e1fcfe5 upstream.
+
+The mfhc/mthc instructions are supported on MIPS R6 so emulate
+them if needed.
+
+Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/10737/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/math-emu/cp1emu.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -1137,7 +1137,7 @@ emul:
+                       break;
+               case mfhc_op:
+-                      if (!cpu_has_mips_r2)
++                      if (!cpu_has_mips_r2_r6)
+                               goto sigill;
+                       /* copregister rd -> gpr[rt] */
+@@ -1148,7 +1148,7 @@ emul:
+                       break;
+               case mthc_op:
+-                      if (!cpu_has_mips_r2)
++                      if (!cpu_has_mips_r2_r6)
+                               goto sigill;
+                       /* copregister rd <- gpr[rt] */
diff --git a/queue-4.1/mips-math-emu-emulate-missing-bc1-eq-ne-z-instructions.patch b/queue-4.1/mips-math-emu-emulate-missing-bc1-eq-ne-z-instructions.patch
new file mode 100644 (file)
index 0000000..7d581e1
--- /dev/null
@@ -0,0 +1,60 @@
+From c909ca718e8f50cf484ef06a8dd935e738e8e53d Mon Sep 17 00:00:00 2001
+From: Markos Chandras <markos.chandras@imgtec.com>
+Date: Fri, 17 Jul 2015 10:38:32 +0100
+Subject: MIPS: math-emu: Emulate missing BC1{EQ,NE}Z instructions
+
+From: Markos Chandras <markos.chandras@imgtec.com>
+
+commit c909ca718e8f50cf484ef06a8dd935e738e8e53d upstream.
+
+Commit c8a34581ec09 ("MIPS: Emulate the BC1{EQ,NE}Z FPU instructions")
+added support for emulating the new R6 BC1{EQ,NE}Z branches but it missed
+the case where the instruction that caused the exception was not on a DS.
+
+Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
+Fixes: c8a34581ec09 ("MIPS: Emulate the BC1{EQ,NE}Z FPU instructions")
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/10738/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/math-emu/cp1emu.c |   20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -1181,6 +1181,24 @@ emul:
+                       }
+                       break;
++              case bc1eqz_op:
++              case bc1nez_op:
++                      if (!cpu_has_mips_r6 || delay_slot(xcp))
++                              return SIGILL;
++
++                      cond = likely = 0;
++                      switch (MIPSInst_RS(ir)) {
++                      case bc1eqz_op:
++                              if (get_fpr32(&current->thread.fpu.fpr[MIPSInst_RT(ir)], 0) & 0x1)
++                                  cond = 1;
++                              break;
++                      case bc1nez_op:
++                              if (!(get_fpr32(&current->thread.fpu.fpr[MIPSInst_RT(ir)], 0) & 0x1))
++                                  cond = 1;
++                              break;
++                      }
++                      goto branch_common;
++
+               case bc_op:
+                       if (delay_slot(xcp))
+                               return SIGILL;
+@@ -1207,7 +1225,7 @@ emul:
+                       case bct_op:
+                               break;
+                       }
+-
++branch_common:
+                       set_delay_slot(xcp);
+                       if (cond) {
+                               /*
diff --git a/queue-4.1/nfc-nci-hci-add-check-on-skb-nci_hci_send_cmd-parameter.patch b/queue-4.1/nfc-nci-hci-add-check-on-skb-nci_hci_send_cmd-parameter.patch
new file mode 100644 (file)
index 0000000..baf8f90
--- /dev/null
@@ -0,0 +1,32 @@
+From 5a9e0ffc0f128ecdf7c770f76c268e4f9f3c9118 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Wed, 19 Aug 2015 21:26:42 +0200
+Subject: nfc: nci: hci: Add check on skb nci_hci_send_cmd parameter
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit 5a9e0ffc0f128ecdf7c770f76c268e4f9f3c9118 upstream.
+
+skb can be NULL and may lead to a NULL pointer error.
+
+Add a check condition before setting HCI rx buffer.
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/nci/hci.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -233,7 +233,7 @@ int nci_hci_send_cmd(struct nci_dev *nde
+       r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data,
+                       msecs_to_jiffies(NCI_DATA_TIMEOUT));
+-      if (r == NCI_STATUS_OK)
++      if (r == NCI_STATUS_OK && skb)
+               *skb = conn_info->rx_skb;
+       return r;
diff --git a/queue-4.1/nfc-st21nfca-fix-use-of-uninitialized-variables-in-error-path.patch b/queue-4.1/nfc-st21nfca-fix-use-of-uninitialized-variables-in-error-path.patch
new file mode 100644 (file)
index 0000000..b178977
--- /dev/null
@@ -0,0 +1,81 @@
+From 5a3570061a131309143a49e4bbdbce7e23f261e7 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Fri, 14 Aug 2015 22:33:33 +0200
+Subject: NFC: st21nfca: fix use of uninitialized variables in error path
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit 5a3570061a131309143a49e4bbdbce7e23f261e7 upstream.
+
+st21nfca_hci_load_session() calls kfree_skb() on unitialized
+variables skb_pipe_info and skb_pipe_list if the call to
+nfc_hci_connect_gate() failed. Reword the error path to not use
+these variables when they are not initialized. While at it, there
+seemed to be a memory leak because skb_pipe_info was only freed
+once, after the for-loop, even though several ones were created
+by nfc_hci_send_cmd.
+
+Fixes: ec03ff1a8f9a
+("NFC: st21nfca: Remove skb_pipe_list and skb_pipe_info
+useless allocation")
+
+Acked-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/st21nfca/st21nfca.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/nfc/st21nfca/st21nfca.c
++++ b/drivers/nfc/st21nfca/st21nfca.c
+@@ -148,14 +148,14 @@ static int st21nfca_hci_load_session(str
+                               ST21NFCA_DEVICE_MGNT_GATE,
+                               ST21NFCA_DEVICE_MGNT_PIPE);
+       if (r < 0)
+-              goto free_info;
++              return r;
+       /* Get pipe list */
+       r = nfc_hci_send_cmd(hdev, ST21NFCA_DEVICE_MGNT_GATE,
+                       ST21NFCA_DM_GETINFO, pipe_list, sizeof(pipe_list),
+                       &skb_pipe_list);
+       if (r < 0)
+-              goto free_info;
++              return r;
+       /* Complete the existing gate_pipe table */
+       for (i = 0; i < skb_pipe_list->len; i++) {
+@@ -181,6 +181,7 @@ static int st21nfca_hci_load_session(str
+                       info->src_host_id != ST21NFCA_ESE_HOST_ID) {
+                       pr_err("Unexpected apdu_reader pipe on host %x\n",
+                               info->src_host_id);
++                      kfree_skb(skb_pipe_info);
+                       continue;
+               }
+@@ -200,6 +201,7 @@ static int st21nfca_hci_load_session(str
+                       hdev->pipes[st21nfca_gates[j].pipe].dest_host =
+                                                       info->src_host_id;
+               }
++              kfree_skb(skb_pipe_info);
+       }
+       /*
+@@ -214,13 +216,12 @@ static int st21nfca_hci_load_session(str
+                                       st21nfca_gates[i].gate,
+                                       st21nfca_gates[i].pipe);
+                       if (r < 0)
+-                              goto free_info;
++                              goto free_list;
+               }
+       }
+       memcpy(hdev->init_data.gates, st21nfca_gates, sizeof(st21nfca_gates));
+-free_info:
+-      kfree_skb(skb_pipe_info);
++free_list:
+       kfree_skb(skb_pipe_list);
+       return r;
+ }
diff --git a/queue-4.1/revert-ext4-remove-block_device_ejected.patch b/queue-4.1/revert-ext4-remove-block_device_ejected.patch
new file mode 100644 (file)
index 0000000..9f12daf
--- /dev/null
@@ -0,0 +1,101 @@
+From bdfe0cbd746aa9b2509c2f6d6be17193cf7facd7 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 16 Aug 2015 10:03:57 -0400
+Subject: Revert "ext4: remove block_device_ejected"
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit bdfe0cbd746aa9b2509c2f6d6be17193cf7facd7 upstream.
+
+This reverts commit 08439fec266c3cc5702953b4f54bdf5649357de0.
+
+Unfortunately we still need to test for bdi->dev to avoid a crash when a
+USB stick is yanked out while a file system is mounted:
+
+   usb 2-2: USB disconnect, device number 2
+   Buffer I/O error on dev sdb1, logical block 15237120, lost sync page write
+   JBD2: Error -5 detected when updating journal superblock for sdb1-8.
+   BUG: unable to handle kernel paging request at 34beb000
+   IP: [<c136ce88>] __percpu_counter_add+0x18/0xc0
+   *pdpt = 0000000023db9001 *pde = 0000000000000000
+   Oops: 0000 [#1] SMP
+   CPU: 0 PID: 4083 Comm: umount Tainted: G     U     OE   4.1.1-040101-generic #201507011435
+   Hardware name: LENOVO 7675CTO/7675CTO, BIOS 7NETC2WW (2.22 ) 03/22/2011
+   task: ebf06b50 ti: ebebc000 task.ti: ebebc000
+   EIP: 0060:[<c136ce88>] EFLAGS: 00010082 CPU: 0
+   EIP is at __percpu_counter_add+0x18/0xc0
+   EAX: f21c8e88 EBX: f21c8e88 ECX: 00000000 EDX: 00000001
+   ESI: 00000001 EDI: 00000000 EBP: ebebde60 ESP: ebebde40
+    DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+   CR0: 8005003b CR2: 34beb000 CR3: 33354200 CR4: 000007f0
+   Stack:
+    c1abe100 edcb0098 edcb00ec ffffffff f21c8e68 ffffffff f21c8e68 f286d160
+    ebebde84 c1160454 00000010 00000282 f72a77f8 00000984 f72a77f8 f286d160
+    f286d170 ebebdea0 c11e613f 00000000 00000282 f72a77f8 edd7f4d0 00000000
+   Call Trace:
+    [<c1160454>] account_page_dirtied+0x74/0x110
+    [<c11e613f>] __set_page_dirty+0x3f/0xb0
+    [<c11e6203>] mark_buffer_dirty+0x53/0xc0
+    [<c124a0cb>] ext4_commit_super+0x17b/0x250
+    [<c124ac71>] ext4_put_super+0xc1/0x320
+    [<c11f04ba>] ? fsnotify_unmount_inodes+0x1aa/0x1c0
+    [<c11cfeda>] ? evict_inodes+0xca/0xe0
+    [<c11b925a>] generic_shutdown_super+0x6a/0xe0
+    [<c10a1df0>] ? prepare_to_wait_event+0xd0/0xd0
+    [<c1165a50>] ? unregister_shrinker+0x40/0x50
+    [<c11b92f6>] kill_block_super+0x26/0x70
+    [<c11b94f5>] deactivate_locked_super+0x45/0x80
+    [<c11ba007>] deactivate_super+0x47/0x60
+    [<c11d2b39>] cleanup_mnt+0x39/0x80
+    [<c11d2bc0>] __cleanup_mnt+0x10/0x20
+    [<c1080b51>] task_work_run+0x91/0xd0
+    [<c1011e3c>] do_notify_resume+0x7c/0x90
+    [<c1720da5>] work_notify
+   Code: 8b 55 e8 e9 f4 fe ff ff 90 90 90 90 90 90 90 90 90 90 90 55 89 e5 83 ec 20 89 5d f4 89 c3 89 75 f8 89 d6 89 7d fc 89 cf 8b 48 14 <64> 8b 01 89 45 ec 89 c2 8b 45 08 c1 fa 1f 01 75 ec 89 55 f0 89
+   EIP: [<c136ce88>] __percpu_counter_add+0x18/0xc0 SS:ESP 0068:ebebde40
+   CR2: 0000000034beb000
+   ---[ end trace dd564a7bea834ecd ]---
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=101011
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c |   18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -324,6 +324,22 @@ static void save_error_info(struct super
+       ext4_commit_super(sb, 1);
+ }
++/*
++ * The del_gendisk() function uninitializes the disk-specific data
++ * structures, including the bdi structure, without telling anyone
++ * else.  Once this happens, any attempt to call mark_buffer_dirty()
++ * (for example, by ext4_commit_super), will cause a kernel OOPS.
++ * This is a kludge to prevent these oops until we can put in a proper
++ * hook in del_gendisk() to inform the VFS and file system layers.
++ */
++static int block_device_ejected(struct super_block *sb)
++{
++      struct inode *bd_inode = sb->s_bdev->bd_inode;
++      struct backing_dev_info *bdi = inode_to_bdi(bd_inode);
++
++      return bdi->dev == NULL;
++}
++
+ static void ext4_journal_commit_callback(journal_t *journal, transaction_t *txn)
+ {
+       struct super_block              *sb = journal->j_private;
+@@ -4591,7 +4607,7 @@ static int ext4_commit_super(struct supe
+       struct buffer_head *sbh = EXT4_SB(sb)->s_sbh;
+       int error = 0;
+-      if (!sbh)
++      if (!sbh || block_device_ejected(sb))
+               return error;
+       if (buffer_write_io_error(sbh)) {
+               /*
diff --git a/queue-4.1/rtlwifi-rtl8192cu-add-new-device-id.patch b/queue-4.1/rtlwifi-rtl8192cu-add-new-device-id.patch
new file mode 100644 (file)
index 0000000..d908b0d
--- /dev/null
@@ -0,0 +1,30 @@
+From 1642d09fb9b128e8e538b2a4179962a34f38dff9 Mon Sep 17 00:00:00 2001
+From: Adrien Schildknecht <adrien+dev@schischi.me>
+Date: Wed, 19 Aug 2015 17:33:12 +0200
+Subject: rtlwifi: rtl8192cu: Add new device ID
+
+From: Adrien Schildknecht <adrien+dev@schischi.me>
+
+commit 1642d09fb9b128e8e538b2a4179962a34f38dff9 upstream.
+
+The v2 of NetGear WNA1000M uses a different idProduct: USB ID 0846:9043
+
+Signed-off-by: Adrien Schildknecht <adrien+dev@schischi.me>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192cu/sw.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+@@ -321,6 +321,7 @@ static struct usb_device_id rtl8192c_usb
+       {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/
+       {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/
+       {RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/
++      {RTL_USB_DEVICE(0x0846, 0x9043, rtl92cu_hal_cfg)}, /*NG WNA1000Mv2*/
+       {RTL_USB_DEVICE(0x0b05, 0x17ba, rtl92cu_hal_cfg)}, /*ASUS-Edimax*/
+       {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/
+       {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
diff --git a/queue-4.1/rtlwifi-rtl8821ae-fix-an-expression-that-is-always-false.patch b/queue-4.1/rtlwifi-rtl8821ae-fix-an-expression-that-is-always-false.patch
new file mode 100644 (file)
index 0000000..349ecc0
--- /dev/null
@@ -0,0 +1,45 @@
+From 251086f588720277a6f5782020a648ce32c4e00b Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Wed, 8 Jul 2015 10:18:50 -0500
+Subject: rtlwifi: rtl8821ae: Fix an expression that is always false
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 251086f588720277a6f5782020a648ce32c4e00b upstream.
+
+In routine _rtl8821ae_set_media_status(), an incorrect mask results in a test
+for AP status to always be false. Similar bugs were fixed in rtl8192cu and
+rtl8192de, but this instance was missed at that time.
+
+Reported-by: David Binderman <dcb314@hotmail.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: David Binderman <dcb314@hotmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8821ae/hw.c  |    2 +-
+ drivers/net/wireless/rtlwifi/rtl8821ae/reg.h |    1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c
+@@ -2180,7 +2180,7 @@ static int _rtl8821ae_set_media_status(s
+       rtl_write_byte(rtlpriv, MSR, bt_msr);
+       rtlpriv->cfg->ops->led_control(hw, ledaction);
+-      if ((bt_msr & 0xfc) == MSR_AP)
++      if ((bt_msr & MSR_MASK) == MSR_AP)
+               rtl_write_byte(rtlpriv, REG_BCNTCFG + 1, 0x00);
+       else
+               rtl_write_byte(rtlpriv, REG_BCNTCFG + 1, 0x66);
+--- a/drivers/net/wireless/rtlwifi/rtl8821ae/reg.h
++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/reg.h
+@@ -429,6 +429,7 @@
+ #define       MSR_ADHOC                               0x01
+ #define       MSR_INFRA                               0x02
+ #define       MSR_AP                                  0x03
++#define MSR_MASK                              0x03
+ #define       RRSR_RSC_OFFSET                         21
+ #define       RRSR_SHORT_OFFSET                       23
diff --git a/queue-4.1/tg3-fix-temperature-reporting.patch b/queue-4.1/tg3-fix-temperature-reporting.patch
new file mode 100644 (file)
index 0000000..ce4777b
--- /dev/null
@@ -0,0 +1,36 @@
+From d3d11fe08ccc9bff174fc958722b5661f0932486 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Tue, 1 Sep 2015 18:07:41 +0200
+Subject: tg3: Fix temperature reporting
+
+From: Jean Delvare <jdelvare@suse.de>
+
+commit d3d11fe08ccc9bff174fc958722b5661f0932486 upstream.
+
+The temperature registers appear to report values in degrees Celsius
+while the hwmon API mandates values to be exposed in millidegrees
+Celsius. Do the conversion so that the values reported by "sensors"
+are correct.
+
+Fixes: aed93e0bf493 ("tg3: Add hwmon support for temperature")
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Cc: Prashant Sreedharan <prashant@broadcom.com>
+Cc: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/broadcom/tg3.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -10757,7 +10757,7 @@ static ssize_t tg3_show_temp(struct devi
+       tg3_ape_scratchpad_read(tp, &temperature, attr->index,
+                               sizeof(temperature));
+       spin_unlock_bh(&tp->lock);
+-      return sprintf(buf, "%u\n", temperature);
++      return sprintf(buf, "%u\n", temperature * 1000);
+ }
diff --git a/queue-4.1/unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch b/queue-4.1/unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch
new file mode 100644 (file)
index 0000000..d2445fc
--- /dev/null
@@ -0,0 +1,96 @@
+From 12c641ab8270f787dfcce08b5f20ce8b65008096 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 10 Aug 2015 17:35:07 -0500
+Subject: unshare: Unsharing a thread does not require unsharing a vm
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit 12c641ab8270f787dfcce08b5f20ce8b65008096 upstream.
+
+In the logic in the initial commit of unshare made creating a new
+thread group for a process, contingent upon creating a new memory
+address space for that process.  That is wrong.  Two separate
+processes in different thread groups can share a memory address space
+and clone allows creation of such proceses.
+
+This is significant because it was observed that mm_users > 1 does not
+mean that a process is multi-threaded, as reading /proc/PID/maps
+temporarily increments mm_users, which allows other processes to
+(accidentally) interfere with unshare() calls.
+
+Correct the check in check_unshare_flags() to test for
+!thread_group_empty() for CLONE_THREAD, CLONE_SIGHAND, and CLONE_VM.
+For sighand->count > 1 for CLONE_SIGHAND and CLONE_VM.
+For !current_is_single_threaded instead of mm_users > 1 for CLONE_VM.
+
+By using the correct checks in unshare this removes the possibility of
+an accidental denial of service attack.
+
+Additionally using the correct checks in unshare ensures that only an
+explicit unshare(CLONE_VM) can possibly trigger the slow path of
+current_is_single_threaded().  As an explict unshare(CLONE_VM) is
+pointless it is not expected there are many applications that make
+that call.
+
+Fixes: b2e0d98705e60e45bbb3c0032c48824ad7ae0704 userns: Implement unshare of the user namespace
+Reported-by: Ricky Zhou <rickyz@chromium.org>
+Reported-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/fork.c |   28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1854,13 +1854,21 @@ static int check_unshare_flags(unsigned
+                               CLONE_NEWUSER|CLONE_NEWPID))
+               return -EINVAL;
+       /*
+-       * Not implemented, but pretend it works if there is nothing to
+-       * unshare. Note that unsharing CLONE_THREAD or CLONE_SIGHAND
+-       * needs to unshare vm.
++       * Not implemented, but pretend it works if there is nothing
++       * to unshare.  Note that unsharing the address space or the
++       * signal handlers also need to unshare the signal queues (aka
++       * CLONE_THREAD).
+        */
+       if (unshare_flags & (CLONE_THREAD | CLONE_SIGHAND | CLONE_VM)) {
+-              /* FIXME: get_task_mm() increments ->mm_users */
+-              if (atomic_read(&current->mm->mm_users) > 1)
++              if (!thread_group_empty(current))
++                      return -EINVAL;
++      }
++      if (unshare_flags & (CLONE_SIGHAND | CLONE_VM)) {
++              if (atomic_read(&current->sighand->count) > 1)
++                      return -EINVAL;
++      }
++      if (unshare_flags & CLONE_VM) {
++              if (!current_is_single_threaded())
+                       return -EINVAL;
+       }
+@@ -1929,16 +1937,16 @@ SYSCALL_DEFINE1(unshare, unsigned long,
+       if (unshare_flags & CLONE_NEWUSER)
+               unshare_flags |= CLONE_THREAD | CLONE_FS;
+       /*
+-       * If unsharing a thread from a thread group, must also unshare vm.
+-       */
+-      if (unshare_flags & CLONE_THREAD)
+-              unshare_flags |= CLONE_VM;
+-      /*
+        * If unsharing vm, must also unshare signal handlers.
+        */
+       if (unshare_flags & CLONE_VM)
+               unshare_flags |= CLONE_SIGHAND;
+       /*
++       * If unsharing a signal handlers, must also unshare the signal queues.
++       */
++      if (unshare_flags & CLONE_SIGHAND)
++              unshare_flags |= CLONE_THREAD;
++      /*
+        * If unsharing namespace, must also unshare filesystem information.
+        */
+       if (unshare_flags & CLONE_NEWNS)