--- /dev/null
+From 596f5aad2a704b72934e5abec1b1b4114c16f45b Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@canonical.com>
+Date: Sun, 9 Aug 2015 03:41:50 -0400
+Subject: blk-mq: fix buffer overflow when reading sysfs file of 'pending'
+
+From: Ming Lei <ming.lei@canonical.com>
+
+commit 596f5aad2a704b72934e5abec1b1b4114c16f45b upstream.
+
+There may be lots of pending requests so that the buffer of PAGE_SIZE
+can't hold them at all.
+
+One typical example is scsi-mq, the queue depth(.can_queue) of
+scsi_host and blk-mq is quite big but scsi_device's queue_depth
+is a bit small(.cmd_per_lun), then it is quite easy to have lots
+of pending requests in hw queue.
+
+This patch fixes the following warning and the related memory
+destruction.
+
+[ 359.025101] fill_read_buffer: blk_mq_hw_sysfs_show+0x0/0x7d returned bad count^M
+[ 359.055595] irq event stamp: 15537^M
+[ 359.055606] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC ^M
+[ 359.055614] Dumping ftrace buffer:^M
+[ 359.055660] (ftrace buffer empty)^M
+[ 359.055672] Modules linked in: nbd ipv6 kvm_intel kvm serio_raw^M
+[ 359.055678] CPU: 4 PID: 21631 Comm: stress-ng-sysfs Not tainted 4.2.0-rc5-next-20150805 #434^M
+[ 359.055679] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011^M
+[ 359.055682] task: ffff8802161cc000 ti: ffff88021b4a8000 task.ti: ffff88021b4a8000^M
+[ 359.055693] RIP: 0010:[<ffffffff811541c5>] [<ffffffff811541c5>] __kmalloc+0xe8/0x152^M
+
+Signed-off-by: Ming Lei <ming.lei@canonical.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-mq-sysfs.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -141,15 +141,26 @@ static ssize_t blk_mq_sysfs_completed_sh
+
+ static ssize_t sysfs_list_show(char *page, struct list_head *list, char *msg)
+ {
+- char *start_page = page;
+ struct request *rq;
++ int len = snprintf(page, PAGE_SIZE - 1, "%s:\n", msg);
+
+- page += sprintf(page, "%s:\n", msg);
++ list_for_each_entry(rq, list, queuelist) {
++ const int rq_len = 2 * sizeof(rq) + 2;
+
+- list_for_each_entry(rq, list, queuelist)
+- page += sprintf(page, "\t%p\n", rq);
++ /* if the output will be truncated */
++ if (PAGE_SIZE - 1 < len + rq_len) {
++ /* backspacing if it can't hold '\t...\n' */
++ if (PAGE_SIZE - 1 < len + 5)
++ len -= rq_len;
++ len += snprintf(page + len, PAGE_SIZE - 1 - len,
++ "\t...\n");
++ break;
++ }
++ len += snprintf(page + len, PAGE_SIZE - 1 - len,
++ "\t%p\n", rq);
++ }
+
+- return page - start_page;
++ return len;
+ }
+
+ static ssize_t blk_mq_sysfs_rq_list_show(struct blk_mq_ctx *ctx, char *page)
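Review bot: The truncation arithmetic in sysfs_list_show hard-codes the width of `%p` as `2 * sizeof(rq) + 2`, so the `len -= rq_len` backspace only removes a whole entry if `%p` really emits exactly 2*sizeof(void *) characters; every write is bounded, so the page cannot overflow, but if that width ever differs the `...` marker lands mid-entry and `len` may drift past what was stored, because snprintf returns the would-be length rather than the bytes written. Tracking the stored length with `len += scnprintf(page + len, PAGE_SIZE - 1 - len, "\t%p\n", rq);` (and likewise for the header and the `"\t...\n"` marker) keeps `len` honest regardless, and a comment on `rq_len` such as `/* "\t" + %p (two hex digits per byte) + "\n" */` records the assumption. The header write also relies on `msg` being much shorter than a page, which the callers presumably guarantee with literal strings but nothing checks. sysfs_list_show lies entirely within the hunk.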
--- /dev/null
+From 2925c2fdf1e0eb642482f5b30577e9435aaa8edb Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 15 Sep 2015 15:04:07 +1000
+Subject: cxl: Fix unbalanced pci_dev_get in cxl_probe
+
+From: Daniel Axtens <dja@axtens.net>
+
+commit 2925c2fdf1e0eb642482f5b30577e9435aaa8edb upstream.
+
+Currently the first thing we do in cxl_probe is to grab a reference
+on the pci device. Later on, we call device_register on our adapter.
+In our remove path, we call device_unregister, but we never call
+pci_dev_put. We therefore leak the device every time we do a
+reflash.
+
+device_register/unregister is sufficient to hold the reference.
+Therefore, drop the call to pci_dev_get.
+
+Here's why this is safe.
+The proposed cxl_probe(pdev) calls cxl_adapter_init:
+ a) init calls cxl_adapter_alloc, which creates a struct cxl,
+ conventionally called adapter. This struct contains a
+ device entry, adapter->dev.
+
+ b) init calls cxl_configure_adapter, where we set
+ adapter->dev.parent = &dev->dev (here dev is the pci dev)
+
+So at this point, the cxl adapter's device's parent is the PCI
+device that I want to be refcounted properly.
+
+ c) init calls cxl_register_adapter
+ *) cxl_register_adapter calls device_register(&adapter->dev)
+
+So now we're in device_register, where dev is the adapter device, and
+we want to know if the PCI device is safe after we return.
+
+device_register(&adapter->dev) calls device_initialize() and then
+device_add().
+
+device_add() does a get_device(). device_add() also explicitly grabs
+the device's parent, and calls get_device() on it:
+
+ parent = get_device(dev->parent);
+
+So therefore, device_register() takes a lock on the parent PCI dev,
+which is what pci_dev_get() was guarding. pci_dev_get() can therefore
+be safely removed.
+
+Fixes: f204e0b8cedd ("cxl: Driver code for powernv PCIe based cards for userspace access")
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Acked-by: Ian Munsie <imunsie@au1.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/cxl/pci.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/misc/cxl/pci.c
++++ b/drivers/misc/cxl/pci.c
+@@ -1046,8 +1046,6 @@ static int cxl_probe(struct pci_dev *dev
+ int slice;
+ int rc;
+
+- pci_dev_get(dev);
+-
+ if (cxl_verbose)
+ dump_cxl_config_space(dev);
+
--- /dev/null
+From 9d8e27673c45927fee9e7d8992ffb325a6b0b0e4 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 21 Aug 2015 17:25:15 +1000
+Subject: cxl: Remove racy attempt to force EEH invocation in reset
+
+From: Daniel Axtens <dja@axtens.net>
+
+commit 9d8e27673c45927fee9e7d8992ffb325a6b0b0e4 upstream.
+
+cxl_reset currently PERSTs the slot, and then repeatedly tries to
+read MMIO space in order to kick off EEH.
+
+There are 2 problems with this: it's unnecessary, and it's racy.
+
+It's unnecessary because the PERST will bring down the PHB link.
+That will be picked up by the CAPP, which will send out an HMI.
+Skiboot, noticing an HMI from the CAPP, will send an OPAL
+notification to the kernel, which will trigger EEH recovery.
+
+It's also racy: the EEH recovery triggered by the CAPP will
+eventually cause the MMIO space to have its mapping invalidated
+and the pointer NULLed out. This races with our attempt to read
+the MMIO space. This is causing OOPSes in testing.
+
+Simply drop all the attempts to force EEH detection, and trust
+that Skiboot will send the notification and that we'll act on it.
+The Skiboot code to send the EEH notification has been in Skiboot
+for as long as CAPP recovery has been supported, so we don't need
+to worry about breaking obscure setups with ancient firmware.
+
+Cc: Ryan Grimm <grimm@linux.vnet.ibm.com>
+Fixes: 62fa19d4b4fd ("cxl: Add ability to reset the card")
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Acked-by: Ian Munsie <imunsie@au1.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/cxl/pci.c | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+--- a/drivers/misc/cxl/pci.c
++++ b/drivers/misc/cxl/pci.c
+@@ -778,8 +778,6 @@ int cxl_reset(struct cxl *adapter)
+ {
+ struct pci_dev *dev = to_pci_dev(adapter->dev.parent);
+ int rc;
+- int i;
+- u32 val;
+
+ dev_info(&dev->dev, "CXL reset\n");
+
+@@ -794,20 +792,6 @@ int cxl_reset(struct cxl *adapter)
+ return rc;
+ }
+
+- /* the PERST done above fences the PHB. So, reset depends on EEH
+- * to unbind the driver, tell Sapphire to reinit the PHB, and rebind
+- * the driver. Do an mmio read explictly to ensure EEH notices the
+- * fenced PHB. Retry for a few seconds before giving up. */
+- i = 0;
+- while (((val = mmio_read32be(adapter->p1_mmio)) != 0xffffffff) &&
+- (i < 5)) {
+- msleep(500);
+- i++;
+- }
+-
+- if (val != 0xffffffff)
+- dev_err(&dev->dev, "cxl: PERST failed to trigger EEH\n");
+-
+ return rc;
+ }
+
--- /dev/null
+From c642dc9e1aaed953597e7092d7df329e6234096e Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Sat, 15 Aug 2015 10:45:06 -0400
+Subject: ext4: don't manipulate recovery flag when freezing no-journal fs
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+commit c642dc9e1aaed953597e7092d7df329e6234096e upstream.
+
+At some point along this sequence of changes:
+
+f6e63f9 ext4: fold ext4_nojournal_sops into ext4_sops
+bb04457 ext4: support freezing ext2 (nojournal) file systems
+9ca9238 ext4: Use separate super_operations structure for no_journal filesystems
+
+ext4 started setting needs_recovery on filesystems without journals
+when they are unfrozen. This makes no sense, and in fact confuses
+blkid to the point where it doesn't recognize the filesystem at all.
+
+(freeze ext2; unfreeze ext2; run blkid; see no output; run dumpe2fs,
+see needs_recovery set on fs w/ no journal).
+
+To fix this, don't manipulate the INCOMPAT_RECOVER feature on
+filesystems without journals.
+
+Reported-by: Stu Mark <smark@datto.com>
+Reviewed-by: Jan Kara <jack@suse.com>
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4807,10 +4807,11 @@ static int ext4_freeze(struct super_bloc
+ error = jbd2_journal_flush(journal);
+ if (error < 0)
+ goto out;
++
++ /* Journal blocked and flushed, clear needs_recovery flag. */
++ EXT4_CLEAR_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER);
+ }
+
+- /* Journal blocked and flushed, clear needs_recovery flag. */
+- EXT4_CLEAR_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER);
+ error = ext4_commit_super(sb, 1);
+ out:
+ if (journal)
+@@ -4828,8 +4829,11 @@ static int ext4_unfreeze(struct super_bl
+ if (sb->s_flags & MS_RDONLY)
+ return 0;
+
+- /* Reset the needs_recovery flag before the fs is unlocked. */
+- EXT4_SET_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER);
++ if (EXT4_SB(sb)->s_journal) {
++ /* Reset the needs_recovery flag before the fs is unlocked. */
++ EXT4_SET_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER);
++ }
++
+ ext4_commit_super(sb, 1);
+ return 0;
+ }
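Review bot: The two hunks guard the same condition with different expressions: ext4_freeze relies on the enclosing `if (journal)` block, whose opening is above the first hunk, while ext4_unfreeze tests `EXT4_SB(sb)->s_journal` directly. Using the same local idiom in both, e.g. `journal_t *journal = EXT4_SB(sb)->s_journal;` at the top of ext4_unfreeze, would make the pairing of the set and clear obvious to the next reader. The new block in ext4_unfreeze would also benefit from a why-comment, e.g. `/* No journal means nothing to recover; leave INCOMPAT_RECOVER alone so blkid still recognises the fs. */`. Both functions start outside their hunks.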
--- /dev/null
+From 72ddef0506da852dc82f078f37ced8ef4d74a2bf Mon Sep 17 00:00:00 2001
+From: Shota Suzuki <suzuki_shota_t3@lab.ntt.co.jp>
+Date: Wed, 1 Jul 2015 09:25:52 +0900
+Subject: igb: Fix oops caused by missing queue pairing
+
+From: Shota Suzuki <suzuki_shota_t3@lab.ntt.co.jp>
+
+commit 72ddef0506da852dc82f078f37ced8ef4d74a2bf upstream.
+
+When initializing igb driver (e.g. 82576, I350), IGB_FLAG_QUEUE_PAIRS is
+set if adapter->rss_queues exceeds half of max_rss_queues in
+igb_init_queue_configuration().
+On the other hand, IGB_FLAG_QUEUE_PAIRS is not set even if the number of
+queues exceeds half of max_combined in igb_set_channels() when changing
+the number of queues by "ethtool -L".
+In this case, if numvecs is larger than MAX_MSIX_ENTRIES (10), the size
+of adapter->msix_entries[], an overflow can occur in
+igb_set_interrupt_capability(), which in turn leads to an oops.
+
+Fix this problem as follows:
+ - When changing the number of queues by "ethtool -L", set
+ IGB_FLAG_QUEUE_PAIRS in the same way as initializing igb driver.
+ - When increasing the size of q_vector, reallocate it appropriately.
+ (With IGB_FLAG_QUEUE_PAIRS set, the size of q_vector gets larger.)
+
+Another possible way to fix this problem is to cap the queues at its
+initial number, which is the number of the initial online cpus. But this
+is not the optimal way because we cannot increase queues when another
+cpu becomes online.
+
+Note that before commit cd14ef54d25b ("igb: Change to use statically
+allocated array for MSIx entries"), this problem did not cause oops
+but just made the number of queues become 1 because of entering msi_only
+mode in igb_set_interrupt_capability().
+
+Fixes: 907b7835799f ("igb: Add ethtool support to configure number of channels")
+Signed-off-by: Shota Suzuki <suzuki_shota_t3@lab.ntt.co.jp>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/igb/igb.h | 1 +
+ drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 ++++-
+ drivers/net/ethernet/intel/igb/igb_main.c | 16 ++++++++++++++--
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb.h
++++ b/drivers/net/ethernet/intel/igb/igb.h
+@@ -540,6 +540,7 @@ void igb_ptp_rx_pktstamp(struct igb_q_ve
+ struct sk_buff *skb);
+ int igb_ptp_set_ts_config(struct net_device *netdev, struct ifreq *ifr);
+ int igb_ptp_get_ts_config(struct net_device *netdev, struct ifreq *ifr);
++void igb_set_flag_queue_pairs(struct igb_adapter *, const u32);
+ #ifdef CONFIG_IGB_HWMON
+ void igb_sysfs_exit(struct igb_adapter *adapter);
+ int igb_sysfs_init(struct igb_adapter *adapter);
+--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c
++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+@@ -2991,6 +2991,7 @@ static int igb_set_channels(struct net_d
+ {
+ struct igb_adapter *adapter = netdev_priv(netdev);
+ unsigned int count = ch->combined_count;
++ unsigned int max_combined = 0;
+
+ /* Verify they are not requesting separate vectors */
+ if (!count || ch->rx_count || ch->tx_count)
+@@ -3001,11 +3002,13 @@ static int igb_set_channels(struct net_d
+ return -EINVAL;
+
+ /* Verify the number of channels doesn't exceed hw limits */
+- if (count > igb_max_channels(adapter))
++ max_combined = igb_max_channels(adapter);
++ if (count > max_combined)
+ return -EINVAL;
+
+ if (count != adapter->rss_queues) {
+ adapter->rss_queues = count;
++ igb_set_flag_queue_pairs(adapter, max_combined);
+
+ /* Hardware has to reinitialize queues and interrupts to
+ * match the new configuration.
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -1205,10 +1205,14 @@ static int igb_alloc_q_vector(struct igb
+
+ /* allocate q_vector and rings */
+ q_vector = adapter->q_vector[v_idx];
+- if (!q_vector)
++ if (!q_vector) {
+ q_vector = kzalloc(size, GFP_KERNEL);
+- else
++ } else if (size > ksize(q_vector)) {
++ kfree_rcu(q_vector, rcu);
++ q_vector = kzalloc(size, GFP_KERNEL);
++ } else {
+ memset(q_vector, 0, size);
++ }
+ if (!q_vector)
+ return -ENOMEM;
+
+@@ -2901,6 +2905,14 @@ static void igb_init_queue_configuration
+
+ adapter->rss_queues = min_t(u32, max_rss_queues, num_online_cpus());
+
++ igb_set_flag_queue_pairs(adapter, max_rss_queues);
++}
++
++void igb_set_flag_queue_pairs(struct igb_adapter *adapter,
++ const u32 max_rss_queues)
++{
++ struct e1000_hw *hw = &adapter->hw;
++
+ /* Determine if we need to pair queues. */
+ switch (hw->mac.type) {
+ case e1000_82575:
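Review bot: In igb_alloc_q_vector, `kfree_rcu(q_vector, rcu)` runs before the replacement `kzalloc`, and `adapter->q_vector[v_idx]` still holds the old pointer at that point; if the kzalloc fails the function returns -ENOMEM with the array entry pointing at memory already queued for freeing, and presumably the caller's error path releases whatever is still in the array, which would free it twice. Allocating the new vector first and only releasing the old one once the allocation succeeded avoids the dangling entry, as sketched below. Separately, the prototype added to igb.h drops the parameter names and carries a `const` on a by-value argument, which is a definition detail; `void igb_set_flag_queue_pairs(struct igb_adapter *adapter, u32 max_rss_queues);` reads better in the header. igb_alloc_q_vector's body continues outside the hunk.
```c
	} else if (size > ksize(q_vector)) {
		struct igb_q_vector *new_q_vector;

		/* Allocate first: on failure the old vector stays valid and
		 * adapter->q_vector[v_idx] never points at freed memory.
		 */
		new_q_vector = kzalloc(size, GFP_KERNEL);
		if (new_q_vector)
			kfree_rcu(q_vector, rcu);
		q_vector = new_q_vector;
	} else {
	/* … unchanged: memset of the existing vector and the NULL check … */
```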
--- /dev/null
+From 3633ebebab2bbe88124388b7620442315c968e8f Mon Sep 17 00:00:00 2001
+From: Bob Copeland <me@bobcopeland.com>
+Date: Sat, 13 Jun 2015 10:16:31 -0400
+Subject: mac80211: enable assoc check for mesh interfaces
+
+From: Bob Copeland <me@bobcopeland.com>
+
+commit 3633ebebab2bbe88124388b7620442315c968e8f upstream.
+
+We already set a station to be associated when peering completes, both
+in user space and in the kernel. Thus we should always have an
+associated sta before sending data frames to that station.
+
+Failure to check assoc state can cause crashes in the lower-level driver
+due to transmitting unicast data frames before driver sta structures
+(e.g. ampdu state in ath9k) are initialized. This occurred when
+forwarding in the presence of fixed mesh paths: frames were transmitted
+to stations with whom we hadn't yet completed peering.
+
+Reported-by: Alexis Green <agreen@cococorp.com>
+Tested-by: Jesse Jones <jjones@cococorp.com>
+Signed-off-by: Bob Copeland <me@bobcopeland.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/tx.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -301,9 +301,6 @@ ieee80211_tx_h_check_assoc(struct ieee80
+ if (tx->sdata->vif.type == NL80211_IFTYPE_WDS)
+ return TX_CONTINUE;
+
+- if (tx->sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
+- return TX_CONTINUE;
+-
+ if (tx->flags & IEEE80211_TX_PS_BUFFERED)
+ return TX_CONTINUE;
+
--- /dev/null
+From e8f80cc1a6d80587136b015e989a12827e1fcfe5 Mon Sep 17 00:00:00 2001
+From: Markos Chandras <markos.chandras@imgtec.com>
+Date: Fri, 17 Jul 2015 10:36:03 +0100
+Subject: MIPS: math-emu: Allow m{f,t}hc emulation on MIPS R6
+
+From: Markos Chandras <markos.chandras@imgtec.com>
+
+commit e8f80cc1a6d80587136b015e989a12827e1fcfe5 upstream.
+
+The mfhc/mthc instructions are supported on MIPS R6 so emulate
+them if needed.
+
+Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/10737/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/math-emu/cp1emu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -1137,7 +1137,7 @@ emul:
+ break;
+
+ case mfhc_op:
+- if (!cpu_has_mips_r2)
++ if (!cpu_has_mips_r2_r6)
+ goto sigill;
+
+ /* copregister rd -> gpr[rt] */
+@@ -1148,7 +1148,7 @@ emul:
+ break;
+
+ case mthc_op:
+- if (!cpu_has_mips_r2)
++ if (!cpu_has_mips_r2_r6)
+ goto sigill;
+
+ /* copregister rd <- gpr[rt] */
--- /dev/null
+From c909ca718e8f50cf484ef06a8dd935e738e8e53d Mon Sep 17 00:00:00 2001
+From: Markos Chandras <markos.chandras@imgtec.com>
+Date: Fri, 17 Jul 2015 10:38:32 +0100
+Subject: MIPS: math-emu: Emulate missing BC1{EQ,NE}Z instructions
+
+From: Markos Chandras <markos.chandras@imgtec.com>
+
+commit c909ca718e8f50cf484ef06a8dd935e738e8e53d upstream.
+
+Commit c8a34581ec09 ("MIPS: Emulate the BC1{EQ,NE}Z FPU instructions")
+added support for emulating the new R6 BC1{EQ,NE}Z branches but it missed
+the case where the instruction that caused the exception was not on a DS.
+
+Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
+Fixes: c8a34581ec09 ("MIPS: Emulate the BC1{EQ,NE}Z FPU instructions")
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/10738/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/math-emu/cp1emu.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -1181,6 +1181,24 @@ emul:
+ }
+ break;
+
++ case bc1eqz_op:
++ case bc1nez_op:
++ if (!cpu_has_mips_r6 || delay_slot(xcp))
++ return SIGILL;
++
++ cond = likely = 0;
++ switch (MIPSInst_RS(ir)) {
++ case bc1eqz_op:
++ if (get_fpr32(¤t->thread.fpu.fpr[MIPSInst_RT(ir)], 0) & 0x1)
++ cond = 1;
++ break;
++ case bc1nez_op:
++ if (!(get_fpr32(¤t->thread.fpu.fpr[MIPSInst_RT(ir)], 0) & 0x1))
++ cond = 1;
++ break;
++ }
++ goto branch_common;
++
+ case bc_op:
+ if (delay_slot(xcp))
+ return SIGILL;
+@@ -1207,7 +1225,7 @@ emul:
+ case bct_op:
+ break;
+ }
+-
++branch_common:
+ set_delay_slot(xcp);
+ if (cond) {
+ /*
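Review bot: The inner `switch (MIPSInst_RS(ir))` in the new bc1eqz/bc1nez case has no `default:` arm; the outer case labels limit it to the two handled values, but `default: return SIGILL;` (or a comment stating why it is unreachable) makes that intent explicit and matches the surrounding code's habit of ending a switch with a known state. Both arms read the same FPR word, so hoisting a constructed local such as `u32 bit0 = get_fpr32(&current->thread.fpu.fpr[MIPSInst_RT(ir)], 0) & 0x1;` and deriving `cond` from it removes the duplicated expression. The `branch_common:` label is entered from inside a different case; a comment like `/* Entered from the BC1{EQ,NE}Z cases with cond and likely already set. */` documents that contract for the next reader. Note that `&current` is rendered here as `¤t`, which looks like an HTML-entity artifact of this page rather than the patch itself. The enclosing function continues outside the hunk.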
--- /dev/null
+From 5a9e0ffc0f128ecdf7c770f76c268e4f9f3c9118 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Wed, 19 Aug 2015 21:26:42 +0200
+Subject: nfc: nci: hci: Add check on skb nci_hci_send_cmd parameter
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit 5a9e0ffc0f128ecdf7c770f76c268e4f9f3c9118 upstream.
+
+skb can be NULL and may lead to a NULL pointer error.
+
+Add a check condition before setting HCI rx buffer.
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/nci/hci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -233,7 +233,7 @@ int nci_hci_send_cmd(struct nci_dev *nde
+ r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data,
+ msecs_to_jiffies(NCI_DATA_TIMEOUT));
+
+- if (r == NCI_STATUS_OK)
++ if (r == NCI_STATUS_OK && skb)
+ *skb = conn_info->rx_skb;
+
+ return r;
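Review bot: With the new `&& skb` test a caller that passes NULL is told `NCI_STATUS_OK` while the response in `conn_info->rx_skb` is never handed over; unless something in the receive path releases it before the next command replaces it, that buffer is leaked, which is worth confirming rather than assuming. Either way the contract now belongs in the function's kerneldoc, e.g. `@skb: on success receives the response skb; may be NULL when the caller does not want it`. The declaration and the rest of nci_hci_send_cmd's body lie outside the hunk.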
--- /dev/null
+From 5a3570061a131309143a49e4bbdbce7e23f261e7 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Fri, 14 Aug 2015 22:33:33 +0200
+Subject: NFC: st21nfca: fix use of uninitialized variables in error path
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit 5a3570061a131309143a49e4bbdbce7e23f261e7 upstream.
+
+st21nfca_hci_load_session() calls kfree_skb() on unitialized
+variables skb_pipe_info and skb_pipe_list if the call to
+nfc_hci_connect_gate() failed. Reword the error path to not use
+these variables when they are not initialized. While at it, there
+seemed to be a memory leak because skb_pipe_info was only freed
+once, after the for-loop, even though several ones were created
+by nfc_hci_send_cmd.
+
+Fixes: ec03ff1a8f9a
+("NFC: st21nfca: Remove skb_pipe_list and skb_pipe_info
+useless allocation")
+
+Acked-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/st21nfca/st21nfca.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/nfc/st21nfca/st21nfca.c
++++ b/drivers/nfc/st21nfca/st21nfca.c
+@@ -148,14 +148,14 @@ static int st21nfca_hci_load_session(str
+ ST21NFCA_DEVICE_MGNT_GATE,
+ ST21NFCA_DEVICE_MGNT_PIPE);
+ if (r < 0)
+- goto free_info;
++ return r;
+
+ /* Get pipe list */
+ r = nfc_hci_send_cmd(hdev, ST21NFCA_DEVICE_MGNT_GATE,
+ ST21NFCA_DM_GETINFO, pipe_list, sizeof(pipe_list),
+ &skb_pipe_list);
+ if (r < 0)
+- goto free_info;
++ return r;
+
+ /* Complete the existing gate_pipe table */
+ for (i = 0; i < skb_pipe_list->len; i++) {
+@@ -181,6 +181,7 @@ static int st21nfca_hci_load_session(str
+ info->src_host_id != ST21NFCA_ESE_HOST_ID) {
+ pr_err("Unexpected apdu_reader pipe on host %x\n",
+ info->src_host_id);
++ kfree_skb(skb_pipe_info);
+ continue;
+ }
+
+@@ -200,6 +201,7 @@ static int st21nfca_hci_load_session(str
+ hdev->pipes[st21nfca_gates[j].pipe].dest_host =
+ info->src_host_id;
+ }
++ kfree_skb(skb_pipe_info);
+ }
+
+ /*
+@@ -214,13 +216,12 @@ static int st21nfca_hci_load_session(str
+ st21nfca_gates[i].gate,
+ st21nfca_gates[i].pipe);
+ if (r < 0)
+- goto free_info;
++ goto free_list;
+ }
+ }
+
+ memcpy(hdev->init_data.gates, st21nfca_gates, sizeof(st21nfca_gates));
+-free_info:
+- kfree_skb(skb_pipe_info);
++free_list:
+ kfree_skb(skb_pipe_list);
+ return r;
+ }
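Review bot: The per-iteration `kfree_skb(skb_pipe_info)` now appears twice in the loop body, once before the `continue` and once at the end, and any other early exit between the two hunks (not visible here) would need the same call; a single release at the end of the body, with the apdu-reader check only skipping the table update, keeps one owner for that skb and cannot drift out of sync. The first hunk returns `r` directly on failure while the later hunk uses `goto free_list`; that is correct because nothing has been allocated yet, but a short comment such as `/* nothing allocated yet, plain return */` spares the next reader from re-deriving it. st21nfca_hci_load_session starts outside the hunk.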
--- /dev/null
+From bdfe0cbd746aa9b2509c2f6d6be17193cf7facd7 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 16 Aug 2015 10:03:57 -0400
+Subject: Revert "ext4: remove block_device_ejected"
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit bdfe0cbd746aa9b2509c2f6d6be17193cf7facd7 upstream.
+
+This reverts commit 08439fec266c3cc5702953b4f54bdf5649357de0.
+
+Unfortunately we still need to test for bdi->dev to avoid a crash when a
+USB stick is yanked out while a file system is mounted:
+
+ usb 2-2: USB disconnect, device number 2
+ Buffer I/O error on dev sdb1, logical block 15237120, lost sync page write
+ JBD2: Error -5 detected when updating journal superblock for sdb1-8.
+ BUG: unable to handle kernel paging request at 34beb000
+ IP: [<c136ce88>] __percpu_counter_add+0x18/0xc0
+ *pdpt = 0000000023db9001 *pde = 0000000000000000
+ Oops: 0000 [#1] SMP
+ CPU: 0 PID: 4083 Comm: umount Tainted: G U OE 4.1.1-040101-generic #201507011435
+ Hardware name: LENOVO 7675CTO/7675CTO, BIOS 7NETC2WW (2.22 ) 03/22/2011
+ task: ebf06b50 ti: ebebc000 task.ti: ebebc000
+ EIP: 0060:[<c136ce88>] EFLAGS: 00010082 CPU: 0
+ EIP is at __percpu_counter_add+0x18/0xc0
+ EAX: f21c8e88 EBX: f21c8e88 ECX: 00000000 EDX: 00000001
+ ESI: 00000001 EDI: 00000000 EBP: ebebde60 ESP: ebebde40
+ DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+ CR0: 8005003b CR2: 34beb000 CR3: 33354200 CR4: 000007f0
+ Stack:
+ c1abe100 edcb0098 edcb00ec ffffffff f21c8e68 ffffffff f21c8e68 f286d160
+ ebebde84 c1160454 00000010 00000282 f72a77f8 00000984 f72a77f8 f286d160
+ f286d170 ebebdea0 c11e613f 00000000 00000282 f72a77f8 edd7f4d0 00000000
+ Call Trace:
+ [<c1160454>] account_page_dirtied+0x74/0x110
+ [<c11e613f>] __set_page_dirty+0x3f/0xb0
+ [<c11e6203>] mark_buffer_dirty+0x53/0xc0
+ [<c124a0cb>] ext4_commit_super+0x17b/0x250
+ [<c124ac71>] ext4_put_super+0xc1/0x320
+ [<c11f04ba>] ? fsnotify_unmount_inodes+0x1aa/0x1c0
+ [<c11cfeda>] ? evict_inodes+0xca/0xe0
+ [<c11b925a>] generic_shutdown_super+0x6a/0xe0
+ [<c10a1df0>] ? prepare_to_wait_event+0xd0/0xd0
+ [<c1165a50>] ? unregister_shrinker+0x40/0x50
+ [<c11b92f6>] kill_block_super+0x26/0x70
+ [<c11b94f5>] deactivate_locked_super+0x45/0x80
+ [<c11ba007>] deactivate_super+0x47/0x60
+ [<c11d2b39>] cleanup_mnt+0x39/0x80
+ [<c11d2bc0>] __cleanup_mnt+0x10/0x20
+ [<c1080b51>] task_work_run+0x91/0xd0
+ [<c1011e3c>] do_notify_resume+0x7c/0x90
+ [<c1720da5>] work_notify
+ Code: 8b 55 e8 e9 f4 fe ff ff 90 90 90 90 90 90 90 90 90 90 90 55 89 e5 83 ec 20 89 5d f4 89 c3 89 75 f8 89 d6 89 7d fc 89 cf 8b 48 14 <64> 8b 01 89 45 ec 89 c2 8b 45 08 c1 fa 1f 01 75 ec 89 55 f0 89
+ EIP: [<c136ce88>] __percpu_counter_add+0x18/0xc0 SS:ESP 0068:ebebde40
+ CR2: 0000000034beb000
+ ---[ end trace dd564a7bea834ecd ]---
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=101011
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -324,6 +324,22 @@ static void save_error_info(struct super
+ ext4_commit_super(sb, 1);
+ }
+
++/*
++ * The del_gendisk() function uninitializes the disk-specific data
++ * structures, including the bdi structure, without telling anyone
++ * else. Once this happens, any attempt to call mark_buffer_dirty()
++ * (for example, by ext4_commit_super), will cause a kernel OOPS.
++ * This is a kludge to prevent these oops until we can put in a proper
++ * hook in del_gendisk() to inform the VFS and file system layers.
++ */
++static int block_device_ejected(struct super_block *sb)
++{
++ struct inode *bd_inode = sb->s_bdev->bd_inode;
++ struct backing_dev_info *bdi = inode_to_bdi(bd_inode);
++
++ return bdi->dev == NULL;
++}
++
+ static void ext4_journal_commit_callback(journal_t *journal, transaction_t *txn)
+ {
+ struct super_block *sb = journal->j_private;
+@@ -4591,7 +4607,7 @@ static int ext4_commit_super(struct supe
+ struct buffer_head *sbh = EXT4_SB(sb)->s_sbh;
+ int error = 0;
+
+- if (!sbh)
++ if (!sbh || block_device_ejected(sb))
+ return error;
+ if (buffer_write_io_error(sbh)) {
+ /*
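Review bot: When `block_device_ejected(sb)` is true, ext4_commit_super still returns `error`, which is 0 at that point, so callers are told the superblock was written when it was deliberately skipped; `if (block_device_ejected(sb)) return -ENODEV;` reports the condition instead (the pre-existing `!sbh` case arguably deserves its own error too, though that is outside this change). The comment above block_device_ejected explains the kludge but not that the `bdi->dev` read is unsynchronised against del_gendisk(), which is the whole point of the check; a sentence such as `/* Racy by design: a device pulled after this check can still oops, the check only narrows the window. */` sets expectations for anyone tempted to rely on it. ext4_commit_super's body continues outside the hunk.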
--- /dev/null
+From 1642d09fb9b128e8e538b2a4179962a34f38dff9 Mon Sep 17 00:00:00 2001
+From: Adrien Schildknecht <adrien+dev@schischi.me>
+Date: Wed, 19 Aug 2015 17:33:12 +0200
+Subject: rtlwifi: rtl8192cu: Add new device ID
+
+From: Adrien Schildknecht <adrien+dev@schischi.me>
+
+commit 1642d09fb9b128e8e538b2a4179962a34f38dff9 upstream.
+
+The v2 of NetGear WNA1000M uses a different idProduct: USB ID 0846:9043
+
+Signed-off-by: Adrien Schildknecht <adrien+dev@schischi.me>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192cu/sw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+@@ -321,6 +321,7 @@ static struct usb_device_id rtl8192c_usb
+ {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/
+ {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/
+ {RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/
++ {RTL_USB_DEVICE(0x0846, 0x9043, rtl92cu_hal_cfg)}, /*NG WNA1000Mv2*/
+ {RTL_USB_DEVICE(0x0b05, 0x17ba, rtl92cu_hal_cfg)}, /*ASUS-Edimax*/
+ {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/
+ {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
--- /dev/null
+From 251086f588720277a6f5782020a648ce32c4e00b Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Wed, 8 Jul 2015 10:18:50 -0500
+Subject: rtlwifi: rtl8821ae: Fix an expression that is always false
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 251086f588720277a6f5782020a648ce32c4e00b upstream.
+
+In routine _rtl8821ae_set_media_status(), an incorrect mask results in a test
+for AP status to always be false. Similar bugs were fixed in rtl8192cu and
+rtl8192de, but this instance was missed at that time.
+
+Reported-by: David Binderman <dcb314@hotmail.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: David Binderman <dcb314@hotmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8821ae/hw.c | 2 +-
+ drivers/net/wireless/rtlwifi/rtl8821ae/reg.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c
+@@ -2180,7 +2180,7 @@ static int _rtl8821ae_set_media_status(s
+
+ rtl_write_byte(rtlpriv, MSR, bt_msr);
+ rtlpriv->cfg->ops->led_control(hw, ledaction);
+- if ((bt_msr & 0xfc) == MSR_AP)
++ if ((bt_msr & MSR_MASK) == MSR_AP)
+ rtl_write_byte(rtlpriv, REG_BCNTCFG + 1, 0x00);
+ else
+ rtl_write_byte(rtlpriv, REG_BCNTCFG + 1, 0x66);
+--- a/drivers/net/wireless/rtlwifi/rtl8821ae/reg.h
++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/reg.h
+@@ -429,6 +429,7 @@
+ #define MSR_ADHOC 0x01
+ #define MSR_INFRA 0x02
+ #define MSR_AP 0x03
++#define MSR_MASK 0x03
+
+ #define RRSR_RSC_OFFSET 21
+ #define RRSR_SHORT_OFFSET 23
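Review bot: `MSR_MASK` has the same value as `MSR_AP`, so a reader of reg.h cannot tell from the definitions that one is a field mask and the other a mode value; a trailing comment, `#define MSR_MASK 0x03 /* mask of the mode field: MSR_ADHOC/MSR_INFRA/MSR_AP */`, makes the distinction explicit and explains why the old `0xfc` test in hw.c could never match. Nothing else in the reg.h hunk needs changing.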
--- /dev/null
+From d3d11fe08ccc9bff174fc958722b5661f0932486 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Tue, 1 Sep 2015 18:07:41 +0200
+Subject: tg3: Fix temperature reporting
+
+From: Jean Delvare <jdelvare@suse.de>
+
+commit d3d11fe08ccc9bff174fc958722b5661f0932486 upstream.
+
+The temperature registers appear to report values in degrees Celsius
+while the hwmon API mandates values to be exposed in millidegrees
+Celsius. Do the conversion so that the values reported by "sensors"
+are correct.
+
+Fixes: aed93e0bf493 ("tg3: Add hwmon support for temperature")
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Cc: Prashant Sreedharan <prashant@broadcom.com>
+Cc: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/broadcom/tg3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -10757,7 +10757,7 @@ static ssize_t tg3_show_temp(struct devi
+ tg3_ape_scratchpad_read(tp, &temperature, attr->index,
+ sizeof(temperature));
+ spin_unlock_bh(&tp->lock);
+- return sprintf(buf, "%u\n", temperature);
++ return sprintf(buf, "%u\n", temperature * 1000);
+ }
+
+
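Review bot: The new `* 1000` is a magic number; a comment on the `sprintf` line, `/* APE reports whole degrees C; hwmon wants millidegrees */`, records in the code what only the commit message says now. `temperature` is printed with `%u`, so a sub-zero reading could not be represented even before this change; if the scratchpad value is actually signed that is a separate bug worth confirming against the register format. tg3_show_temp starts outside the hunk.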
--- /dev/null
+From 12c641ab8270f787dfcce08b5f20ce8b65008096 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 10 Aug 2015 17:35:07 -0500
+Subject: unshare: Unsharing a thread does not require unsharing a vm
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit 12c641ab8270f787dfcce08b5f20ce8b65008096 upstream.
+
+In the logic in the initial commit of unshare made creating a new
+thread group for a process, contingent upon creating a new memory
+address space for that process. That is wrong. Two separate
+processes in different thread groups can share a memory address space
+and clone allows creation of such proceses.
+
+This is significant because it was observed that mm_users > 1 does not
+mean that a process is multi-threaded, as reading /proc/PID/maps
+temporarily increments mm_users, which allows other processes to
+(accidentally) interfere with unshare() calls.
+
+Correct the check in check_unshare_flags() to test for
+!thread_group_empty() for CLONE_THREAD, CLONE_SIGHAND, and CLONE_VM.
+For sighand->count > 1 for CLONE_SIGHAND and CLONE_VM.
+For !current_is_single_threaded instead of mm_users > 1 for CLONE_VM.
+
+By using the correct checks in unshare this removes the possibility of
+an accidental denial of service attack.
+
+Additionally using the correct checks in unshare ensures that only an
+explicit unshare(CLONE_VM) can possibly trigger the slow path of
+current_is_single_threaded(). As an explict unshare(CLONE_VM) is
+pointless it is not expected there are many applications that make
+that call.
+
+Fixes: b2e0d98705e60e45bbb3c0032c48824ad7ae0704 userns: Implement unshare of the user namespace
+Reported-by: Ricky Zhou <rickyz@chromium.org>
+Reported-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/fork.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1854,13 +1854,21 @@ static int check_unshare_flags(unsigned
+ CLONE_NEWUSER|CLONE_NEWPID))
+ return -EINVAL;
+ /*
+- * Not implemented, but pretend it works if there is nothing to
+- * unshare. Note that unsharing CLONE_THREAD or CLONE_SIGHAND
+- * needs to unshare vm.
++ * Not implemented, but pretend it works if there is nothing
++ * to unshare. Note that unsharing the address space or the
++ * signal handlers also need to unshare the signal queues (aka
++ * CLONE_THREAD).
+ */
+ if (unshare_flags & (CLONE_THREAD | CLONE_SIGHAND | CLONE_VM)) {
+- /* FIXME: get_task_mm() increments ->mm_users */
+- if (atomic_read(¤t->mm->mm_users) > 1)
++ if (!thread_group_empty(current))
++ return -EINVAL;
++ }
++ if (unshare_flags & (CLONE_SIGHAND | CLONE_VM)) {
++ if (atomic_read(¤t->sighand->count) > 1)
++ return -EINVAL;
++ }
++ if (unshare_flags & CLONE_VM) {
++ if (!current_is_single_threaded())
+ return -EINVAL;
+ }
+
+@@ -1929,16 +1937,16 @@ SYSCALL_DEFINE1(unshare, unsigned long,
+ if (unshare_flags & CLONE_NEWUSER)
+ unshare_flags |= CLONE_THREAD | CLONE_FS;
+ /*
+- * If unsharing a thread from a thread group, must also unshare vm.
+- */
+- if (unshare_flags & CLONE_THREAD)
+- unshare_flags |= CLONE_VM;
+- /*
+ * If unsharing vm, must also unshare signal handlers.
+ */
+ if (unshare_flags & CLONE_VM)
+ unshare_flags |= CLONE_SIGHAND;
+ /*
++ * If unsharing a signal handlers, must also unshare the signal queues.
++ */
++ if (unshare_flags & CLONE_SIGHAND)
++ unshare_flags |= CLONE_THREAD;
++ /*
+ * If unsharing namespace, must also unshare filesystem information.
+ */
+ if (unshare_flags & CLONE_NEWNS)