From: Greg Kroah-Hartman Date: Wed, 23 Sep 2015 04:14:14 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v4.1.9~55 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2f5b1d376f03851b8891b9838d14644680b5361f;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: mac80211-enable-assoc-check-for-mesh-interfaces.patch rtlwifi-rtl8192cu-add-new-device-id.patch tg3-fix-temperature-reporting.patch unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch --- diff --git a/queue-3.10/mac80211-enable-assoc-check-for-mesh-interfaces.patch b/queue-3.10/mac80211-enable-assoc-check-for-mesh-interfaces.patch new file mode 100644 index 00000000000..cae307347fa --- /dev/null +++ b/queue-3.10/mac80211-enable-assoc-check-for-mesh-interfaces.patch @@ -0,0 +1,41 @@ +From 3633ebebab2bbe88124388b7620442315c968e8f Mon Sep 17 00:00:00 2001 +From: Bob Copeland +Date: Sat, 13 Jun 2015 10:16:31 -0400 +Subject: mac80211: enable assoc check for mesh interfaces + +From: Bob Copeland + +commit 3633ebebab2bbe88124388b7620442315c968e8f upstream. + +We already set a station to be associated when peering completes, both +in user space and in the kernel. Thus we should always have an +associated sta before sending data frames to that station. + +Failure to check assoc state can cause crashes in the lower-level driver +due to transmitting unicast data frames before driver sta structures +(e.g. ampdu state in ath9k) are initialized. This occurred when +forwarding in the presence of fixed mesh paths: frames were transmitted +to stations with whom we hadn't yet completed peering. + +Reported-by: Alexis Green +Tested-by: Jesse Jones +Signed-off-by: Bob Copeland +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/tx.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -281,9 +281,6 @@ ieee80211_tx_h_check_assoc(struct ieee80 + if (tx->sdata->vif.type == NL80211_IFTYPE_WDS) + return TX_CONTINUE; + +- if (tx->sdata->vif.type == NL80211_IFTYPE_MESH_POINT) +- return TX_CONTINUE; +- + if (tx->flags & IEEE80211_TX_PS_BUFFERED) + return TX_CONTINUE; + diff --git a/queue-3.10/rtlwifi-rtl8192cu-add-new-device-id.patch b/queue-3.10/rtlwifi-rtl8192cu-add-new-device-id.patch new file mode 100644 index 00000000000..5e14ef2fd63 --- /dev/null +++ b/queue-3.10/rtlwifi-rtl8192cu-add-new-device-id.patch @@ -0,0 +1,30 @@ +From 1642d09fb9b128e8e538b2a4179962a34f38dff9 Mon Sep 17 00:00:00 2001 +From: Adrien Schildknecht +Date: Wed, 19 Aug 2015 17:33:12 +0200 +Subject: rtlwifi: rtl8192cu: Add new device ID + +From: Adrien Schildknecht + +commit 1642d09fb9b128e8e538b2a4179962a34f38dff9 upstream. + +The v2 of NetGear WNA1000M uses a different idProduct: USB ID 0846:9043 + +Signed-off-by: Adrien Schildknecht +Acked-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/rtl8192cu/sw.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c +@@ -313,6 +313,7 @@ static struct usb_device_id rtl8192c_usb + {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/ + {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/ + {RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/ ++ {RTL_USB_DEVICE(0x0846, 0x9043, rtl92cu_hal_cfg)}, /*NG WNA1000Mv2*/ + {RTL_USB_DEVICE(0x0b05, 0x17ba, rtl92cu_hal_cfg)}, /*ASUS-Edimax*/ + {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/ + {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/ diff --git a/queue-3.10/series b/queue-3.10/series new file mode 100644 index 00000000000..07acbbf09c5 --- /dev/null +++ b/queue-3.10/series @@ -0,0 +1,4 @@ +unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch +rtlwifi-rtl8192cu-add-new-device-id.patch +tg3-fix-temperature-reporting.patch +mac80211-enable-assoc-check-for-mesh-interfaces.patch diff --git a/queue-3.10/tg3-fix-temperature-reporting.patch b/queue-3.10/tg3-fix-temperature-reporting.patch new file mode 100644 index 00000000000..273c120ef0d --- /dev/null +++ b/queue-3.10/tg3-fix-temperature-reporting.patch @@ -0,0 +1,36 @@ +From d3d11fe08ccc9bff174fc958722b5661f0932486 Mon Sep 17 00:00:00 2001 +From: Jean Delvare +Date: Tue, 1 Sep 2015 18:07:41 +0200 +Subject: tg3: Fix temperature reporting + +From: Jean Delvare + +commit d3d11fe08ccc9bff174fc958722b5661f0932486 upstream. + +The temperature registers appear to report values in degrees Celsius +while the hwmon API mandates values to be exposed in millidegrees +Celsius. Do the conversion so that the values reported by "sensors" +are correct. + +Fixes: aed93e0bf493 ("tg3: Add hwmon support for temperature") +Signed-off-by: Jean Delvare +Cc: Prashant Sreedharan +Cc: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/broadcom/tg3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -10518,7 +10518,7 @@ static ssize_t tg3_show_temp(struct devi + tg3_ape_scratchpad_read(tp, &temperature, attr->index, + sizeof(temperature)); + spin_unlock_bh(&tp->lock); +- return sprintf(buf, "%u\n", temperature); ++ return sprintf(buf, "%u\n", temperature * 1000); + } + + diff --git a/queue-3.10/unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch b/queue-3.10/unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch new file mode 100644 index 00000000000..10994a9047f --- /dev/null +++ b/queue-3.10/unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch @@ -0,0 +1,96 @@ +From 12c641ab8270f787dfcce08b5f20ce8b65008096 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Mon, 10 Aug 2015 17:35:07 -0500 +Subject: unshare: Unsharing a thread does not require unsharing a vm + +From: "Eric W. Biederman" + +commit 12c641ab8270f787dfcce08b5f20ce8b65008096 upstream. + +In the logic in the initial commit of unshare made creating a new +thread group for a process, contingent upon creating a new memory +address space for that process. That is wrong. Two separate +processes in different thread groups can share a memory address space +and clone allows creation of such proceses. + +This is significant because it was observed that mm_users > 1 does not +mean that a process is multi-threaded, as reading /proc/PID/maps +temporarily increments mm_users, which allows other processes to +(accidentally) interfere with unshare() calls. + +Correct the check in check_unshare_flags() to test for +!thread_group_empty() for CLONE_THREAD, CLONE_SIGHAND, and CLONE_VM. +For sighand->count > 1 for CLONE_SIGHAND and CLONE_VM. +For !current_is_single_threaded instead of mm_users > 1 for CLONE_VM. + +By using the correct checks in unshare this removes the possibility of +an accidental denial of service attack. + +Additionally using the correct checks in unshare ensures that only an +explicit unshare(CLONE_VM) can possibly trigger the slow path of +current_is_single_threaded(). As an explict unshare(CLONE_VM) is +pointless it is not expected there are many applications that make +that call. + +Fixes: b2e0d98705e60e45bbb3c0032c48824ad7ae0704 userns: Implement unshare of the user namespace +Reported-by: Ricky Zhou +Reported-by: Kees Cook +Reviewed-by: Kees Cook +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/fork.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1760,13 +1760,21 @@ static int check_unshare_flags(unsigned + CLONE_NEWUSER|CLONE_NEWPID)) + return -EINVAL; + /* +- * Not implemented, but pretend it works if there is nothing to +- * unshare. Note that unsharing CLONE_THREAD or CLONE_SIGHAND +- * needs to unshare vm. ++ * Not implemented, but pretend it works if there is nothing ++ * to unshare. Note that unsharing the address space or the ++ * signal handlers also need to unshare the signal queues (aka ++ * CLONE_THREAD). + */ + if (unshare_flags & (CLONE_THREAD | CLONE_SIGHAND | CLONE_VM)) { +- /* FIXME: get_task_mm() increments ->mm_users */ +- if (atomic_read(¤t->mm->mm_users) > 1) ++ if (!thread_group_empty(current)) ++ return -EINVAL; ++ } ++ if (unshare_flags & (CLONE_SIGHAND | CLONE_VM)) { ++ if (atomic_read(¤t->sighand->count) > 1) ++ return -EINVAL; ++ } ++ if (unshare_flags & CLONE_VM) { ++ if (!current_is_single_threaded()) + return -EINVAL; + } + +@@ -1840,16 +1848,16 @@ SYSCALL_DEFINE1(unshare, unsigned long, + if (unshare_flags & CLONE_NEWPID) + unshare_flags |= CLONE_THREAD; + /* +- * If unsharing a thread from a thread group, must also unshare vm. +- */ +- if (unshare_flags & CLONE_THREAD) +- unshare_flags |= CLONE_VM; +- /* + * If unsharing vm, must also unshare signal handlers. + */ + if (unshare_flags & CLONE_VM) + unshare_flags |= CLONE_SIGHAND; + /* ++ * If unsharing a signal handlers, must also unshare the signal queues. ++ */ ++ if (unshare_flags & CLONE_SIGHAND) ++ unshare_flags |= CLONE_THREAD; ++ /* + * If unsharing namespace, must also unshare filesystem information. + */ + if (unshare_flags & CLONE_NEWNS) diff --git a/queue-3.14/series b/queue-3.14/series new file mode 100644 index 00000000000..d1230ef554d --- /dev/null +++ b/queue-3.14/series @@ -0,0 +1,5 @@ +blk-mq-fix-buffer-overflow-when-reading-sysfs-file-of-pending.patch +unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch +rtlwifi-rtl8192cu-add-new-device-id.patch +tg3-fix-temperature-reporting.patch +mac80211-enable-assoc-check-for-mesh-interfaces.patch diff --git a/queue-4.1/series b/queue-4.1/series new file mode 100644 index 00000000000..69885031070 --- /dev/null +++ b/queue-4.1/series @@ -0,0 +1,15 @@ +nfc-st21nfca-fix-use-of-uninitialized-variables-in-error-path.patch +nfc-nci-hci-add-check-on-skb-nci_hci_send_cmd-parameter.patch +blk-mq-fix-buffer-overflow-when-reading-sysfs-file-of-pending.patch +unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch +rtlwifi-rtl8192cu-add-new-device-id.patch +rtlwifi-rtl8821ae-fix-an-expression-that-is-always-false.patch +igb-fix-oops-caused-by-missing-queue-pairing.patch +tg3-fix-temperature-reporting.patch +mips-math-emu-allow-m-f-t-hc-emulation-on-mips-r6.patch +mips-math-emu-emulate-missing-bc1-eq-ne-z-instructions.patch +mac80211-enable-assoc-check-for-mesh-interfaces.patch +cxl-remove-racy-attempt-to-force-eeh-invocation-in-reset.patch +cxl-fix-unbalanced-pci_dev_get-in-cxl_probe.patch +ext4-don-t-manipulate-recovery-flag-when-freezing-no-journal-fs.patch +revert-ext4-remove-block_device_ejected.patch diff --git a/queue-4.2/series b/queue-4.2/series new file mode 100644 index 00000000000..6a62e993b76 --- /dev/null +++ b/queue-4.2/series @@ -0,0 +1,26 @@ +nfc-st-nci-remove-duplicate-file-platform_data-st_nci.h.patch +nfc-st-nci-fix-typo-when-changing-from-st21nfcb-to-st-nci.patch +nfc-st-nci-fix-non-accurate-comment-for-st_nci_i2c_read.patch +nfc-st21nfca-fix-use-of-uninitialized-variables-in-error-path.patch +nfc-st-nci-fix-use-of-uninitialized-variables-in-error-path.patch +nfc-st-nci-remove-data-from-ack_pending_q-when-receiving-a-sync_ack.patch +nfc-st-nci-free-data-with-irrelevant-ndlc-pcb_sync-value.patch +nfc-netlink-add-check-on-nfc_attr_vendor_data.patch +nfc-netlink-warning-fix.patch +nfc-nci-hci-add-check-on-skb-nci_hci_send_cmd-parameter.patch +blk-mq-fix-buffer-overflow-when-reading-sysfs-file-of-pending.patch +blk-mq-fix-race-between-timeout-and-freeing-request.patch +unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch +rtlwifi-rtl8192cu-add-new-device-id.patch +rtlwifi-rtl8821ae-fix-an-expression-that-is-always-false.patch +igb-fix-oops-caused-by-missing-queue-pairing.patch +tg3-fix-temperature-reporting.patch +mips-cps-use-32b-accesses-to-gcrs.patch +mips-math-emu-allow-m-f-t-hc-emulation-on-mips-r6.patch +mips-math-emu-emulate-missing-bc1-eq-ne-z-instructions.patch +mac80211-enable-assoc-check-for-mesh-interfaces.patch +cxl-allow-release-of-contexts-which-have-been-opened-but-not-started.patch +cxl-remove-racy-attempt-to-force-eeh-invocation-in-reset.patch +cxl-fix-unbalanced-pci_dev_get-in-cxl_probe.patch +ext4-don-t-manipulate-recovery-flag-when-freezing-no-journal-fs.patch +revert-ext4-remove-block_device_ejected.patch