--- /dev/null
+From 596f5aad2a704b72934e5abec1b1b4114c16f45b Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@canonical.com>
+Date: Sun, 9 Aug 2015 03:41:50 -0400
+Subject: blk-mq: fix buffer overflow when reading sysfs file of 'pending'
+
+From: Ming Lei <ming.lei@canonical.com>
+
+commit 596f5aad2a704b72934e5abec1b1b4114c16f45b upstream.
+
+There may be lots of pending requests so that the buffer of PAGE_SIZE
+can't hold them at all.
+
+One typical example is scsi-mq, the queue depth(.can_queue) of
+scsi_host and blk-mq is quite big but scsi_device's queue_depth
+is a bit small(.cmd_per_lun), then it is quite easy to have lots
+of pending requests in hw queue.
+
+This patch fixes the following warning and the related memory
+destruction.
+
+[ 359.025101] fill_read_buffer: blk_mq_hw_sysfs_show+0x0/0x7d returned bad count^M
+[ 359.055595] irq event stamp: 15537^M
+[ 359.055606] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC ^M
+[ 359.055614] Dumping ftrace buffer:^M
+[ 359.055660] (ftrace buffer empty)^M
+[ 359.055672] Modules linked in: nbd ipv6 kvm_intel kvm serio_raw^M
+[ 359.055678] CPU: 4 PID: 21631 Comm: stress-ng-sysfs Not tainted 4.2.0-rc5-next-20150805 #434^M
+[ 359.055679] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011^M
+[ 359.055682] task: ffff8802161cc000 ti: ffff88021b4a8000 task.ti: ffff88021b4a8000^M
+[ 359.055693] RIP: 0010:[<ffffffff811541c5>] [<ffffffff811541c5>] __kmalloc+0xe8/0x152^M
+
+Signed-off-by: Ming Lei <ming.lei@canonical.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-mq-sysfs.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -141,15 +141,26 @@ static ssize_t blk_mq_sysfs_completed_sh
+
+ static ssize_t sysfs_list_show(char *page, struct list_head *list, char *msg)
+ {
+- char *start_page = page;
+ struct request *rq;
++ int len = snprintf(page, PAGE_SIZE - 1, "%s:\n", msg);
+
+- page += sprintf(page, "%s:\n", msg);
++ list_for_each_entry(rq, list, queuelist) {
++ const int rq_len = 2 * sizeof(rq) + 2;
+
+- list_for_each_entry(rq, list, queuelist)
+- page += sprintf(page, "\t%p\n", rq);
++ /* if the output will be truncated */
++ if (PAGE_SIZE - 1 < len + rq_len) {
++ /* backspacing if it can't hold '\t...\n' */
++ if (PAGE_SIZE - 1 < len + 5)
++ len -= rq_len;
++ len += snprintf(page + len, PAGE_SIZE - 1 - len,
++ "\t...\n");
++ break;
++ }
++ len += snprintf(page + len, PAGE_SIZE - 1 - len,
++ "\t%p\n", rq);
++ }
+
+- return page - start_page;
++ return len;
+ }
+
+ static ssize_t blk_mq_sysfs_rq_list_show(struct blk_mq_ctx *ctx, char *page)
--- /dev/null
+From 3633ebebab2bbe88124388b7620442315c968e8f Mon Sep 17 00:00:00 2001
+From: Bob Copeland <me@bobcopeland.com>
+Date: Sat, 13 Jun 2015 10:16:31 -0400
+Subject: mac80211: enable assoc check for mesh interfaces
+
+From: Bob Copeland <me@bobcopeland.com>
+
+commit 3633ebebab2bbe88124388b7620442315c968e8f upstream.
+
+We already set a station to be associated when peering completes, both
+in user space and in the kernel. Thus we should always have an
+associated sta before sending data frames to that station.
+
+Failure to check assoc state can cause crashes in the lower-level driver
+due to transmitting unicast data frames before driver sta structures
+(e.g. ampdu state in ath9k) are initialized. This occurred when
+forwarding in the presence of fixed mesh paths: frames were transmitted
+to stations with whom we hadn't yet completed peering.
+
+Reported-by: Alexis Green <agreen@cococorp.com>
+Tested-by: Jesse Jones <jjones@cococorp.com>
+Signed-off-by: Bob Copeland <me@bobcopeland.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/tx.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -297,9 +297,6 @@ ieee80211_tx_h_check_assoc(struct ieee80
+ if (tx->sdata->vif.type == NL80211_IFTYPE_WDS)
+ return TX_CONTINUE;
+
+- if (tx->sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
+- return TX_CONTINUE;
+-
+ if (tx->flags & IEEE80211_TX_PS_BUFFERED)
+ return TX_CONTINUE;
+
--- /dev/null
+From 1642d09fb9b128e8e538b2a4179962a34f38dff9 Mon Sep 17 00:00:00 2001
+From: Adrien Schildknecht <adrien+dev@schischi.me>
+Date: Wed, 19 Aug 2015 17:33:12 +0200
+Subject: rtlwifi: rtl8192cu: Add new device ID
+
+From: Adrien Schildknecht <adrien+dev@schischi.me>
+
+commit 1642d09fb9b128e8e538b2a4179962a34f38dff9 upstream.
+
+The v2 of NetGear WNA1000M uses a different idProduct: USB ID 0846:9043
+
+Signed-off-by: Adrien Schildknecht <adrien+dev@schischi.me>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192cu/sw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+@@ -314,6 +314,7 @@ static struct usb_device_id rtl8192c_usb
+ {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/
+ {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/
+ {RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/
++ {RTL_USB_DEVICE(0x0846, 0x9043, rtl92cu_hal_cfg)}, /*NG WNA1000Mv2*/
+ {RTL_USB_DEVICE(0x0b05, 0x17ba, rtl92cu_hal_cfg)}, /*ASUS-Edimax*/
+ {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/
+ {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
--- /dev/null
+From d3d11fe08ccc9bff174fc958722b5661f0932486 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Tue, 1 Sep 2015 18:07:41 +0200
+Subject: tg3: Fix temperature reporting
+
+From: Jean Delvare <jdelvare@suse.de>
+
+commit d3d11fe08ccc9bff174fc958722b5661f0932486 upstream.
+
+The temperature registers appear to report values in degrees Celsius
+while the hwmon API mandates values to be exposed in millidegrees
+Celsius. Do the conversion so that the values reported by "sensors"
+are correct.
+
+Fixes: aed93e0bf493 ("tg3: Add hwmon support for temperature")
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Cc: Prashant Sreedharan <prashant@broadcom.com>
+Cc: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/broadcom/tg3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -10737,7 +10737,7 @@ static ssize_t tg3_show_temp(struct devi
+ tg3_ape_scratchpad_read(tp, &temperature, attr->index,
+ sizeof(temperature));
+ spin_unlock_bh(&tp->lock);
+- return sprintf(buf, "%u\n", temperature);
++ return sprintf(buf, "%u\n", temperature * 1000);
+ }
+
+
--- /dev/null
+From 12c641ab8270f787dfcce08b5f20ce8b65008096 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 10 Aug 2015 17:35:07 -0500
+Subject: unshare: Unsharing a thread does not require unsharing a vm
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit 12c641ab8270f787dfcce08b5f20ce8b65008096 upstream.
+
+In the logic in the initial commit of unshare made creating a new
+thread group for a process, contingent upon creating a new memory
+address space for that process. That is wrong. Two separate
+processes in different thread groups can share a memory address space
+and clone allows creation of such proceses.
+
+This is significant because it was observed that mm_users > 1 does not
+mean that a process is multi-threaded, as reading /proc/PID/maps
+temporarily increments mm_users, which allows other processes to
+(accidentally) interfere with unshare() calls.
+
+Correct the check in check_unshare_flags() to test for
+!thread_group_empty() for CLONE_THREAD, CLONE_SIGHAND, and CLONE_VM.
+For sighand->count > 1 for CLONE_SIGHAND and CLONE_VM.
+For !current_is_single_threaded instead of mm_users > 1 for CLONE_VM.
+
+By using the correct checks in unshare this removes the possibility of
+an accidental denial of service attack.
+
+Additionally using the correct checks in unshare ensures that only an
+explicit unshare(CLONE_VM) can possibly trigger the slow path of
+current_is_single_threaded(). As an explict unshare(CLONE_VM) is
+pointless it is not expected there are many applications that make
+that call.
+
+Fixes: b2e0d98705e60e45bbb3c0032c48824ad7ae0704 userns: Implement unshare of the user namespace
+Reported-by: Ricky Zhou <rickyz@chromium.org>
+Reported-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/fork.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1756,13 +1756,21 @@ static int check_unshare_flags(unsigned
+ CLONE_NEWUSER|CLONE_NEWPID))
+ return -EINVAL;
+ /*
+- * Not implemented, but pretend it works if there is nothing to
+- * unshare. Note that unsharing CLONE_THREAD or CLONE_SIGHAND
+- * needs to unshare vm.
++ * Not implemented, but pretend it works if there is nothing
++ * to unshare. Note that unsharing the address space or the
++ * signal handlers also need to unshare the signal queues (aka
++ * CLONE_THREAD).
+ */
+ if (unshare_flags & (CLONE_THREAD | CLONE_SIGHAND | CLONE_VM)) {
+- /* FIXME: get_task_mm() increments ->mm_users */
+- if (atomic_read(¤t->mm->mm_users) > 1)
++ if (!thread_group_empty(current))
++ return -EINVAL;
++ }
++ if (unshare_flags & (CLONE_SIGHAND | CLONE_VM)) {
++ if (atomic_read(¤t->sighand->count) > 1)
++ return -EINVAL;
++ }
++ if (unshare_flags & CLONE_VM) {
++ if (!current_is_single_threaded())
+ return -EINVAL;
+ }
+
+@@ -1831,16 +1839,16 @@ SYSCALL_DEFINE1(unshare, unsigned long,
+ if (unshare_flags & CLONE_NEWUSER)
+ unshare_flags |= CLONE_THREAD | CLONE_FS;
+ /*
+- * If unsharing a thread from a thread group, must also unshare vm.
+- */
+- if (unshare_flags & CLONE_THREAD)
+- unshare_flags |= CLONE_VM;
+- /*
+ * If unsharing vm, must also unshare signal handlers.
+ */
+ if (unshare_flags & CLONE_VM)
+ unshare_flags |= CLONE_SIGHAND;
+ /*
++ * If unsharing a signal handlers, must also unshare the signal queues.
++ */
++ if (unshare_flags & CLONE_SIGHAND)
++ unshare_flags |= CLONE_THREAD;
++ /*
+ * If unsharing namespace, must also unshare filesystem information.
+ */
+ if (unshare_flags & CLONE_NEWNS)
projects / thirdparty / kernel / stable-queue.git / commitdiff
