Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2015-8970

crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify that a setkey operation has been performed on an AF_ALG socket before an accept system call is processed, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted application that does not supply a key, related to the lrw_crypt function in crypto/lrw.c.

CVE
#vulnerability#ios#mac#microsoft#linux#debian#red_hat#dos#js#git#intel#c++#perl#bios#acer#auth#ibm#dell#wifi#ssl

commit 1cb8570bf04ab12a03c31c397a4d158f24895d9c Author: Greg Kroah-Hartman Date: Wed Feb 17 12:31:25 2016 -0800 Linux 4.4.2 commit bedd67e92725dc7742f53fda328bfc90119fe1e0 Author: Benjamin Tissoires Date: Tue Dec 1 12:41:38 2015 +0100 HID: multitouch: fix input mode switching on some Elan panels commit 73e7d63efb4d774883a338997943bfa59e127085 upstream. as reported by https://bugzilla.kernel.org/show_bug.cgi?id=108481 This bug reports mentions 6d4f5440 (“HID: multitouch: Fetch feature reports on demand for Win8 devices”) as the origin of the problem but this commit actually masked 2 firmware bugs that are annihilating each other: The report descriptor declares two features in reports 3 and 5: 0x05, 0x0d, // Usage Page (Digitizers) 318 0x09, 0x0e, // Usage (Device Configuration) 320 0xa1, 0x01, // Collection (Application) 322 0x85, 0x03, // Report ID (3) 324 0x09, 0x22, // Usage (Finger) 326 0xa1, 0x00, // Collection (Physical) 328 0x09, 0x52, // Usage (Inputmode) 330 0x15, 0x00, // Logical Minimum (0) 332 0x25, 0x0a, // Logical Maximum (10) 334 0x75, 0x08, // Report Size (8) 336 0x95, 0x02, // Report Count (2) 338 0xb1, 0x02, // Feature (Data,Var,Abs) 340 0xc0, // End Collection 342 0x09, 0x22, // Usage (Finger) 343 0xa1, 0x00, // Collection (Physical) 345 0x85, 0x05, // Report ID (5) 347 0x09, 0x57, // Usage (Surface Switch) 349 0x09, 0x58, // Usage (Button Switch) 351 0x15, 0x00, // Logical Minimum (0) 353 0x75, 0x01, // Report Size (1) 355 0x95, 0x02, // Report Count (2) 357 0x25, 0x03, // Logical Maximum (3) 359 0xb1, 0x02, // Feature (Data,Var,Abs) 361 0x95, 0x0e, // Report Count (14) 363 0xb1, 0x03, // Feature (Cnst,Var,Abs) 365 0xc0, // End Collection 367 The report ID 3 presents 2 input mode features, while only the first one is handled by the device. Given that we did not checked if one was previously assigned, we were dealing with the ignored featured and we should never have been able to switch this panel into the multitouch mode. However, the firmware presents an other bugs which allowed 6d4f5440 to counteract the faulty report descriptor. When we request the values of the feature 5, the firmware answers "03 03 00". The fields are correct but the report id is wrong. Before 6d4f5440, we retrieved all the features and injected them in the system. So when we called report 5, we injected in the system the report 3 with the values “03 00". Setting the second input mode to 03 in this report changed it to “03 03” and the touchpad switched to the mt mode. We could have set anything in the second field because the actual value (the first 03 in this report) was given by the query of report ID 5. To sum up: 2 bugs in the firmware were hiding that we were accessing the wrong feature. Signed-off-by: Benjamin Tissoires Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit fe5c164ef32ffbf441b33ff24088e09fca266dad Author: Tetsuo Handa Date: Fri Feb 5 15:36:30 2016 -0800 mm, vmstat: fix wrong WQ sleep when memory reclaim doesn’t make any progress commit 564e81a57f9788b1475127012e0fd44e9049e342 upstream. Jan Stancek has reported that system occasionally hanging after “oom01” testcase from LTP triggers OOM. Guessing from a result that there is a kworker thread doing memory allocation and the values between “Node 0 Normal free:” and “Node 0 Normal:” differs when hanging, vmstat is not up-to-date for some reason. According to commit 373ccbe59270 (“mm, vmstat: allow WQ concurrency to discover memory reclaim doesn’t make any progress”), it meant to force the kworker thread to take a short sleep, but it by error used schedule_timeout(1). We missed that schedule_timeout() in state TASK_RUNNING doesn’t do anything. Fix it by using schedule_timeout_uninterruptible(1) which forces the kworker thread to take a short sleep in order to make sure that vmstat is up-to-date. Fixes: 373ccbe59270 (“mm, vmstat: allow WQ concurrency to discover memory reclaim doesn’t make any progress”) Signed-off-by: Tetsuo Handa Reported-by: Jan Stancek Acked-by: Michal Hocko Cc: Tejun Heo Cc: Cristopher Lameter Cc: Joonsoo Kim Cc: Arkadiusz Miskiewicz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit bddaf79195c4b9bae86b494fb6cfe855f8415afb Author: Junil Lee Date: Wed Jan 20 14:58:18 2016 -0800 zsmalloc: fix migrate_zspage-zs_free race condition commit c102f07ca0b04f2cb49cfc161c83f6239d17f491 upstream. record_obj() in migrate_zspage() does not preserve handle’s HANDLE_PIN_BIT, set by find_aloced_obj()->trypin_tag(), and implicitly (accidentally) un-pins the handle, while migrate_zspage() still performs an explicit unpin_tag() on the that handle. This additional explicit unpin_tag() introduces a race condition with zs_free(), which can pin that handle by this time, so the handle becomes un-pinned. Schematically, it goes like this: CPU0 CPU1 migrate_zspage find_alloced_obj trypin_tag set HANDLE_PIN_BIT zs_free() pin_tag() obj_malloc() – new object, no tag record_obj() – remove HANDLE_PIN_BIT set HANDLE_PIN_BIT unpin_tag() – remove zs_free’s HANDLE_PIN_BIT The race condition may result in a NULL pointer dereference: Unable to handle kernel NULL pointer dereference at virtual address 00000000 CPU: 0 PID: 19001 Comm: CookieMonsterCl Tainted: PC is at get_zspage_mapping+0x0/0x24 LR is at obj_free.isra.22+0x64/0x128 Call trace: get_zspage_mapping+0x0/0x24 zs_free+0x88/0x114 zram_free_page+0x64/0xcc zram_slot_free_notify+0x90/0x108 swap_entry_free+0x278/0x294 free_swap_and_cache+0x38/0x11c unmap_single_vma+0x480/0x5c8 unmap_vmas+0x44/0x60 exit_mmap+0x50/0x110 mmput+0x58/0xe0 do_exit+0x320/0x8dc do_group_exit+0x44/0xa8 get_signal+0x538/0x580 do_signal+0x98/0x4b8 do_notify_resume+0x14/0x5c This patch keeps the lock bit in migration path and update value atomically. Signed-off-by: Junil Lee Signed-off-by: Minchan Kim Acked-by: Vlastimil Babka Cc: Sergey Senozhatsky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit aee0848f2e83f9a2a6acfcae0cdd411a8e8222f9 Author: Jerome Marchand Date: Fri Jan 15 16:54:48 2016 -0800 zram: don’t call idr_remove() from zram_remove() commit 17ec4cd985780a7e30aa45bb8f272237c12502a4 upstream. The use of idr_remove() is forbidden in the callback functions of idr_for_each(). It is therefore unsafe to call idr_remove in zram_remove(). This patch moves the call to idr_remove() from zram_remove() to hot_remove_store(). In the detroy_devices() path, idrs are removed by idr_destroy(). This solves an use-after-free detected by KASan. [[email protected]: fix coding stype, per Sergey] Signed-off-by: Jerome Marchand Acked-by: Sergey Senozhatsky Cc: Minchan Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 73f6736093323247103ad59ef04676ea2bb000c7 Author: Kyeongdon Kim Date: Thu Jan 14 15:22:29 2016 -0800 zram: try vmalloc() after kmalloc() commit d913897abace843bba20249f3190167f7895e9c3 upstream. When we’re using LZ4 multi compression streams for zram swap, we found out page allocation failure message in system running test. That was not only once, but a few(2 - 5 times per test). Also, some failure cases were continually occurring to try allocation order 3. In order to make parallel compression private data, we should call kzalloc() with order 2/3 in runtime(lzo/lz4). But if there is no order 2/3 size memory to allocate in that time, page allocation fails. This patch makes to use vmalloc() as fallback of kmalloc(), this prevents page alloc failure warning. After using this, we never found warning message in running test, also It could reduce process startup latency about 60-120ms in each case. For reference a call trace : Binder_1: page allocation failure: order:3, mode:0x10c0d0 CPU: 0 PID: 424 Comm: Binder_1 Tainted: GW 3.10.49-perf-g991d02b-dirty #20 Call trace: dump_backtrace+0x0/0x270 show_stack+0x10/0x1c dump_stack+0x1c/0x28 warn_alloc_failed+0xfc/0x11c __alloc_pages_nodemask+0x724/0x7f0 __get_free_pages+0x14/0x5c kmalloc_order_trace+0x38/0xd8 zcomp_lz4_create+0x2c/0x38 zcomp_strm_alloc+0x34/0x78 zcomp_strm_multi_find+0x124/0x1ec zcomp_strm_find+0xc/0x18 zram_bvec_rw+0x2fc/0x780 zram_make_request+0x25c/0x2d4 generic_make_request+0x80/0xbc submit_bio+0xa4/0x15c __swap_writepage+0x218/0x230 swap_writepage+0x3c/0x4c shrink_page_list+0x51c/0x8d0 shrink_inactive_list+0x3f8/0x60c shrink_lruvec+0x33c/0x4cc shrink_zone+0x3c/0x100 try_to_free_pages+0x2b8/0x54c __alloc_pages_nodemask+0x514/0x7f0 __get_free_pages+0x14/0x5c proc_info_read+0x50/0xe4 vfs_read+0xa0/0x12c SyS_read+0x44/0x74 DMA: 3397*4kB (MC) 26*8kB (RC) 0*16kB 0*32kB 0*64kB 0*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 13796kB [[email protected]: change vmalloc gfp and adding comment about gfp] [[email protected]: tweak comments and styles] Signed-off-by: Kyeongdon Kim Signed-off-by: Minchan Kim Acked-by: Sergey Senozhatsky Sergey Senozhatsky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 80c554f5f22f9760472ad47b24246cea59474e15 Author: Sergey Senozhatsky Date: Thu Jan 14 15:22:26 2016 -0800 zram/zcomp: use GFP_NOIO to allocate streams commit 3d5fe03a3ea013060ebba2a811aeb0f23f56aefa upstream. We can end up allocating a new compression stream with GFP_KERNEL from within the IO path, which may result is nested (recursive) IO operations. That can introduce problems if the IO path in question is a reclaimer, holding some locks that will deadlock nested IOs. Allocate streams and working memory using GFP_NOIO flag, forbidding recursive IO and FS operations. An example: inconsistent {IN-RECLAIM_FS-W} -> {RECLAIM_FS-ON-W} usage. git/20158 [HC0[0]:SC0[0]:HE1:SE1] takes: (jbd2_handle){+.+.?.}, at: start_this_handle+0x4ca/0x555 {IN-RECLAIM_FS-W} state was registered at: __lock_acquire+0x8da/0x117b lock_acquire+0x10c/0x1a7 start_this_handle+0x52d/0x555 jbd2__journal_start+0xb4/0x237 __ext4_journal_start_sb+0x108/0x17e ext4_dirty_inode+0x32/0x61 __mark_inode_dirty+0x16b/0x60c iput+0x11e/0x274 __dentry_kill+0x148/0x1b8 shrink_dentry_list+0x274/0x44a prune_dcache_sb+0x4a/0x55 super_cache_scan+0xfc/0x176 shrink_slab.part.14.constprop.25+0x2a2/0x4d3 shrink_zone+0x74/0x140 kswapd+0x6b7/0x930 kthread+0x107/0x10f ret_from_fork+0x3f/0x70 irq event stamp: 138297 hardirqs last enabled at (138297): debug_check_no_locks_freed+0x113/0x12f hardirqs last disabled at (138296): debug_check_no_locks_freed+0x33/0x12f softirqs last enabled at (137818): __do_softirq+0x2d3/0x3e9 softirqs last disabled at (137813): irq_exit+0x41/0x95 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(jbd2_handle); lock(jbd2_handle); *** DEADLOCK *** 5 locks held by git/20158: #0: (sb_writers#7){.+.+.+}, at: [] mnt_want_write+0x24/0x4b #1: (&type->i_mutex_dir_key#2/1){+.+.+.}, at: [] lock_rename+0xd9/0xe3 #2: (&sb->s_type->i_mutex_key#11){+.+.+.}, at: [] lock_two_nondirectories+0x3f/0x6b #3: (&sb->s_type->i_mutex_key#11/4){+.+.+.}, at: [] lock_two_nondirectories+0x66/0x6b #4: (jbd2_handle){+.+.?.}, at: [] start_this_handle+0x4ca/0x555 stack backtrace: CPU: 2 PID: 20158 Comm: git Not tainted 4.1.0-rc7-next-20150615-dbg-00016-g8bdf555-dirty #211 Call Trace: dump_stack+0x4c/0x6e mark_lock+0x384/0x56d mark_held_locks+0x5f/0x76 lockdep_trace_alloc+0xb2/0xb5 kmem_cache_alloc_trace+0x32/0x1e2 zcomp_strm_alloc+0x25/0x73 [zram] zcomp_strm_multi_find+0xe7/0x173 [zram] zcomp_strm_find+0xc/0xe [zram] zram_bvec_rw+0x2ca/0x7e0 [zram] zram_make_request+0x1fa/0x301 [zram] generic_make_request+0x9c/0xdb submit_bio+0xf7/0x120 ext4_io_submit+0x2e/0x43 ext4_bio_write_page+0x1b7/0x300 mpage_submit_page+0x60/0x77 mpage_map_and_submit_buffers+0x10f/0x21d ext4_writepages+0xc8c/0xe1b do_writepages+0x23/0x2c __filemap_fdatawrite_range+0x84/0x8b filemap_flush+0x1c/0x1e ext4_alloc_da_blocks+0xb8/0x117 ext4_rename+0x132/0x6dc ? mark_held_locks+0x5f/0x76 ext4_rename2+0x29/0x2b vfs_rename+0x540/0x636 SyS_renameat2+0x359/0x44d SyS_rename+0x1e/0x20 entry_SYSCALL_64_fastpath+0x12/0x6f [[email protected]: add stable mark] Signed-off-by: Sergey Senozhatsky Acked-by: Minchan Kim Cc: Kyeongdon Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 724f135b755a628a5e3f8693f105553152e02c23 Author: Larry Finger Date: Wed Jan 20 21:58:39 2016 -0600 rtlwifi: rtl8821ae: Fix 5G failure when EEPROM is incorrectly encoded commit c72fc9093718a3f8597249863a1bac345ba00859 upstream. Recently, it has been reported that D-Link DWA-582 cards, which use an RTL8812AE chip are not able to scan for 5G networks. The problems started with kernel 4.2, which is the first version that had commit d10101a60372 (“rtlwifi: rtl8821ae: Fix problem with regulatory information”). With this patch, the driver went from setting a default channel plan to using the value derived from EEPROM. Bug reports at https://bugzilla.kernel.org/show_bug.cgi?id=111031 and https://bugzilla.redhat.com/show_bug.cgi?id=1279653 are examples of this problem. The problem was solved once I learned that the internal country code was resulting in a regulatory set with only 2.4 GHz channels. With the RTL8821AE chips available to me, the country code was such that both 2.4 and 5 GHz channels are allowed. The fix is to allow both bands even when the EEPROM is incorrectly encoded. Fixes: d10101a60372 (“rtlwifi: rtl8821ae: Fix problem with regulatory information”) Signed-off-by: Larry Finger Cc: [email protected] Cc: [email protected] Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 7d4bf40d4e2cdf59f83a96cb32ed0411530a547d Author: Larry Finger Date: Mon Dec 14 16:34:33 2015 -0600 rtlwifi: rtl8821ae: Fix errors in parameter initialization commit 78bae1de422a7f6f2b4b61f6a5c379e3d7f96f44 upstream. This driver failed to copy parameters sw_crypto and disable_watchdog into the locations actually used by the driver. In addition, msi_support was initialized three times and one of them used the wrong variable. The initialization of parameter int_clear was moved so that it is near that of the rest of the parameters. Signed-off-by: Larry Finger Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 2827c1d0344b3d8e43b5ac17aa211d141b94302c Author: Boris BREZILLON Date: Fri Feb 5 17:45:48 2016 +0100 crypto: marvell/cesa - fix test in mv_cesa_dev_dma_init() commit 8a3978ad55fb4c0564d285fb2f6cdee2313fce01 upstream. We are checking twice if dma->cache_pool is not NULL but are never testing dma->padding_pool value. Signed-off-by: Boris Brezillon Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit ee36c87a655325a7b5e442a9650a782db4ea20d2 Author: Cyrille Pitchen Date: Fri Feb 5 13:45:13 2016 +0100 crypto: atmel-sha - remove calls of clk_prepare() from atomic contexts commit c033042aa8f69894df37dabcaa0231594834a4e4 upstream. clk_prepare()/clk_unprepare() must not be called within atomic context. This patch calls clk_prepare() once for all from atmel_sha_probe() and clk_unprepare() from atmel_sha_remove(). Then calls of clk_prepare_enable()/clk_disable_unprepare() were replaced by calls of clk_enable()/clk_disable(). Signed-off-by: Cyrille Pitchen Reported-by: Matthias Mayr Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 714e7964f79e3b74e16b1d040efa34705da891f8 Author: Cyrille Pitchen Date: Fri Feb 5 13:45:12 2016 +0100 crypto: atmel-sha - fix atmel_sha_remove() commit d961436c11482e974b702c8324426208f00cd7c4 upstream. Since atmel_sha_probe() uses devm_xxx functions to allocate resources, atmel_sha_remove() should no longer explicitly release them. Signed-off-by: Cyrille Pitchen Fixes: b0e8b3417a62 (“crypto: atmel - use devm_xxx() managed function”) Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 12426bd6b05f286fe252ddb69c4aea3209d01d5b Author: Herbert Xu Date: Wed Feb 3 21:39:27 2016 +0800 crypto: algif_skcipher - Do not set MAY_BACKLOG on the async path commit dad41997063723eaf5f77bc2015606a5a9bce320 upstream. The async path cannot use MAY_BACKLOG because it is not meant to block, which is what MAY_BACKLOG does. On the other hand, both the sync and async paths can make use of MAY_SLEEP. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 66bca97f21762ba58ce3d6767b27f782c702ef65 Author: Herbert Xu Date: Wed Feb 3 21:39:26 2016 +0800 crypto: algif_skcipher - Do not dereference ctx without socket lock commit 6454c2b83f719057069777132b13949e4c6b6350 upstream. Any access to non-constant bits of the private context must be done under the socket lock, in particular, this includes ctx->req. This patch moves such accesses under the lock, and fetches the tfm from the parent socket which is guaranteed to be constant, rather than from ctx->req. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 3e597bb7c3be2c69c03a6af95d27d5ed16b7b882 Author: Herbert Xu Date: Wed Feb 3 21:39:24 2016 +0800 crypto: algif_skcipher - Do not assume that req is unchanged commit ec69bbfb9902c32a5c1492f2b1b8ad032a66d724 upstream. The async path in algif_skcipher assumes that the crypto completion function will be called with the original request. This is not necessarily the case. In fact there is no need for this anyway since we already embed information into the request with struct skcipher_async_req. This patch adds a pointer to that struct and then passes it as the data to the callback function. Signed-off-by: Herbert Xu Tested-by: Tadeusz Struk Signed-off-by: Greg Kroah-Hartman commit cfeab1cf35bcd023bb5db62635eccf8e8def7527 Author: Mathias Krause Date: Mon Feb 1 14:27:30 2016 +0100 crypto: user - lock crypto_alg_list on alg dump commit 63e41ebc6630f39422d87f8a4bade1e793f37a01 upstream. We miss to take the crypto_alg_sem semaphore when traversing the crypto_alg_list for CRYPTO_MSG_GETALG dumps. This allows a race with crypto_unregister_alg() removing algorithms from the list while we’re still traversing it, thereby leading to a use-after-free as show below: [ 3482.071639] general protection fault: 0000 [#1] SMP [ 3482.075639] Modules linked in: aes_x86_64 glue_helper lrw ablk_helper cryptd gf128mul ipv6 pcspkr serio_raw virtio_net microcode virtio_pci virtio_ring virtio sr_mod cdrom [last unloaded: aesni_intel] [ 3482.075639] CPU: 1 PID: 11065 Comm: crconf Not tainted 4.3.4-grsec+ #126 [ 3482.075639] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 3482.075639] task: ffff88001cd41a40 ti: ffff88001cd422c8 task.ti: ffff88001cd422c8 [ 3482.075639] RIP: 0010:[] [] strncpy+0x13/0x30 [ 3482.075639] RSP: 0018:ffff88001f713b60 EFLAGS: 00010202 [ 3482.075639] RAX: ffff88001f6c4430 RBX: ffff88001f6c43a0 RCX: ffff88001f6c4430 [ 3482.075639] RDX: 0000000000000040 RSI: fefefefefefeff16 RDI: ffff88001f6c4430 [ 3482.075639] RBP: ffff88001f713b60 R08: ffff88001f6c4470 R09: ffff88001f6c4480 [ 3482.075639] R10: 0000000000000002 R11: 0000000000000246 R12: ffff88001ce2aa28 [ 3482.075639] R13: ffff880000093700 R14: ffff88001f5e4bf8 R15: 0000000000003b20 [ 3482.075639] FS: 0000033826fa2700(0000) GS:ffff88001e900000(0000) knlGS:0000000000000000 [ 3482.075639] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3482.075639] CR2: ffffffffff600400 CR3: 00000000139ec000 CR4: 00000000001606f0 [ 3482.075639] Stack: [ 3482.075639] ffff88001f713bd8 ffffffff936ccd00 ffff88001e5c4200 ffff880000093700 [ 3482.075639] ffff88001f713bd0 ffffffff938ef4bf 0000000000000000 0000000000003b20 [ 3482.075639] ffff88001f5e4bf8 ffff88001f5e4848 0000000000000000 0000000000003b20 [ 3482.075639] Call Trace: [ 3482.075639] [] crypto_report_alg+0xc0/0x3e0 [ 3482.075639] [] ? __alloc_skb+0x16f/0x300 [ 3482.075639] [] crypto_dump_report+0x6a/0x90 [ 3482.075639] [] netlink_dump+0x147/0x2e0 [ 3482.075639] [] __netlink_dump_start+0x159/0x190 [ 3482.075639] [] crypto_user_rcv_msg+0xc3/0x130 [ 3482.075639] [] ? crypto_report_alg+0x3e0/0x3e0 [ 3482.075639] [] ? alg_test_crc32c+0x120/0x120 [ 3482.075639] [] ? __netlink_lookup+0xd5/0x120 [ 3482.075639] [] ? crypto_add_alg+0x1d0/0x1d0 [ 3482.075639] [] netlink_rcv_skb+0xe1/0x130 [ 3482.075639] [] crypto_netlink_rcv+0x28/0x40 [ 3482.075639] [] netlink_unicast+0x108/0x180 [ 3482.075639] [] netlink_sendmsg+0x541/0x770 [ 3482.075639] [] sock_sendmsg+0x21/0x40 [ 3482.075639] [] SyS_sendto+0xf3/0x130 [ 3482.075639] [] ? bad_area_nosemaphore+0x13/0x20 [ 3482.075639] [] ? __do_page_fault+0x80/0x3a0 [ 3482.075639] [] entry_SYSCALL_64_fastpath+0x12/0x6e [ 3482.075639] Code: 88 4a ff 75 ed 5d 48 0f ba 2c 24 3f c3 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 85 d2 48 89 f8 48 89 f9 4c 8d 04 17 48 89 e5 74 15 <0f> b6 16 80 fa 01 88 11 48 83 de ff 48 83 c1 01 4c 39 c1 75 eb [ 3482.075639] RIP [] strncpy+0x13/0x30 To trigger the race run the following loops simultaneously for a while: $ while : ; do modprobe aesni-intel; rmmod aesni-intel; done $ while : ; do crconf show all > /dev/null; done Fix the race by taking the crypto_alg_sem read lock, thereby preventing crypto_unregister_alg() from modifying the algorithm list during the dump. This bug has been detected by the PaX memory sanitize feature. Signed-off-by: Mathias Krause Cc: Steffen Klassert Cc: PaX Team Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 8592536bcfcbc717a3bf7cec57d7c1b38f4eec1d Author: Ryan Ware Date: Thu Feb 11 15:58:44 2016 -0800 EVM: Use crypto_memneq() for digest comparisons commit 613317bd212c585c20796c10afe5daaa95d4b0a1 upstream. This patch fixes vulnerability CVE-2016-2085. The problem exists because the vm_verify_hmac() function includes a use of memcmp(). Unfortunately, this allows timing side channel attacks; specifically a MAC forgery complexity drop from 2^128 to 2^12. This patch changes the memcmp() to the cryptographically safe crypto_memneq(). Reported-by: Xiaofei Rex Guo Signed-off-by: Ryan Ware Signed-off-by: Mimi Zohar Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 792c6ff0d8ce1a3d1da9f7b657aa6a8017515216 Author: Wang, Rui Y Date: Wed Jan 27 17:08:37 2016 +0800 crypto: algif_hash - wait for crypto_ahash_init() to complete commit fe09786178f9df713a4b2dd6b93c0a722346bf5e upstream. hash_sendmsg/sendpage() need to wait for the completion of crypto_ahash_init() otherwise it can cause panic. Signed-off-by: Rui Wang Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 6bb06a4fa1894533beaab22f0c657866b0e61b06 Author: Herbert Xu Date: Wed Jan 27 00:16:37 2016 +0800 crypto: shash - Fix has_key setting commit 00420a65fa2beb3206090ead86942484df2275f3 upstream. The has_key logic is wrong for shash algorithms as they always have a setkey function. So we should instead be testing against shash_no_setkey. Fixes: a5596d633278 (“crypto: hash - Add crypto_ahash_has_setkey”) Reported-by: Stephan Mueller Signed-off-by: Herbert Xu Tested-by: Stephan Mueller Signed-off-by: Greg Kroah-Hartman commit 936a322b57b4d98b42724af04c2d457bf1292514 Author: Eli Cooper Date: Fri Jan 22 00:24:08 2016 +0800 crypto: chacha20-ssse3 - Align stack pointer to 64 bytes commit cbe09bd51bf23b42c3a94c5fb6815e1397c5fc3f upstream. This aligns the stack pointer in chacha20_4block_xor_ssse3 to 64 bytes. Fixes general protection faults and potential kernel panics. Signed-off-by: Eli Cooper Acked-by: Martin Willi Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 2a6c3d5457e0e63c20125845ff7ccd41b32b53d3 Author: Horia Geant? Date: Tue Jan 12 17:59:29 2016 +0200 crypto: caam - make write transactions bufferable on PPC platforms commit e7a7104e432c0db8469ca3568daf4f1d1afe3e73 upstream. Previous change (see “Fixes” tag) to the MCFGR register clears AWCACHE[0] (“bufferable” AXI3 attribute) (which is “1” at POR). This makes all writes non-bufferable, causing a ~ 5% performance drop for PPC-based platforms. Rework previous change such that MCFGR[AWCACHE]=4’b0011 (bufferable + cacheable) for all platforms. Note: For ARM-based platforms, AWCACHE[0] is ignored by the interconnect IP. Fixes: f10967495144 (“crypto: caam - fix snooping for write transactions”) Signed-off-by: Horia Geant? Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 3dd3e2544c48d55e975efca5f34b77dbbe8895c9 Author: Herbert Xu Date: Tue Jan 19 21:23:57 2016 +0800 crypto: algif_skcipher - sendmsg SG marking is off by one commit 202736d99b7f29279db9da61587f11a08a04a9c6 upstream. We mark the end of the SG list in sendmsg and sendpage and unmark it on the next send call. Unfortunately the unmarking in sendmsg is off-by-one, leading to an SG list that is too short. Fixes: 0f477b655a52 (“crypto: algif - Mark sgl end at the end of data”) Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit fec8beab63283003b546f83eebbbe32efb9acc53 Author: Herbert Xu Date: Mon Jan 18 18:46:10 2016 +0800 crypto: algif_skcipher - Load TX SG list after waiting commit 4f0414e54e4d1893c6f08260693f8ef84c929293 upstream. We need to load the TX SG list in sendmsg(2) after waiting for incoming data, not before. Reported-by: Dmitry Vyukov Signed-off-by: Herbert Xu Tested-by: Dmitry Vyukov Signed-off-by: Greg Kroah-Hartman commit d175a4ee836be6be37de8637b0fed5b4daedea77 Author: Jean Delvare Date: Mon Jan 18 17:06:05 2016 +0100 crypto: crc32c - Fix crc32c soft dependency commit fd7f6727102a1ccf6b4c1dfcc631f9b546526b26 upstream. I don’t think it makes sense for a module to have a soft dependency on itself. This seems quite cyclic by nature and I can’t see what purpose it could serve. OTOH libcrc32c calls crypto_alloc_shash(“crc32c", 0, 0) so it pretty much assumes that some incarnation of the “crc32c” hash algorithm has been loaded. Therefore it makes sense to have the soft dependency there (as crc-t10dif does.) Cc: Tim Chen Cc: “David S. Miller” Signed-off-by: Jean Delvare Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit f84d1fcb59c6b17dec972932c05674127babf476 Author: Herbert Xu Date: Fri Jan 15 22:02:20 2016 +0800 crypto: algif_skcipher - Fix race condition in skcipher_check_key commit 1822793a523e5d5730b19cc21160ff1717421bc8 upstream. We need to lock the child socket in skcipher_check_key as otherwise two simultaneous calls can cause the parent socket to be freed. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit aa51954b30e7d07522689452aba08b24f748a005 Author: Herbert Xu Date: Fri Jan 15 22:01:08 2016 +0800 crypto: algif_hash - Fix race condition in hash_check_key commit ad46d7e33219218605ea619e32553daf4f346b9f upstream. We need to lock the child socket in hash_check_key as otherwise two simultaneous calls can cause the parent socket to be freed. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 1bdbb041755b19975a9b87e22a02bd584a45e99c Author: Herbert Xu Date: Wed Jan 13 15:03:32 2016 +0800 crypto: af_alg - Forbid bind(2) when nokey child sockets are present commit a6a48c565f6f112c6983e2a02b1602189ed6e26e upstream. This patch forbids the calling of bind(2) when there are child sockets created by accept(2) in existence, even if they are created on the nokey path. This is needed as those child sockets have references to the tfm object which bind(2) will destroy. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 40bfd37ab95c89b20d1fa63aeea25ba5799bc125 Author: Herbert Xu Date: Wed Jan 13 15:01:06 2016 +0800 crypto: algif_skcipher - Remove custom release parent function commit d7b65aee1e7b4c87922b0232eaba56a8a143a4a0 upstream. This patch removes the custom release parent function as the generic af_alg_release_parent now works for nokey sockets too. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 20509d916186a2fcc6f248d9fb8882d3988834d2 Author: Herbert Xu Date: Wed Jan 13 15:00:36 2016 +0800 crypto: algif_hash - Remove custom release parent function commit f1d84af1835846a5a2b827382c5848faf2bb0e75 upstream. This patch removes the custom release parent function as the generic af_alg_release_parent now works for nokey sockets too. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 758c560bcbc7d7814a391597fbcba02f087fb7f7 Author: Herbert Xu Date: Wed Jan 13 14:59:03 2016 +0800 crypto: af_alg - Allow af_af_alg_release_parent to be called on nokey path commit 6a935170a980024dd29199e9dbb5c4da4767a1b9 upstream. This patch allows af_alg_release_parent to be called even for nokey sockets. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 2f129c2d4fdbdf159a5a86e0ee071406a4dd7a20 Author: Alexandra Yates Date: Fri Feb 5 15:27:49 2016 -0800 ahci: Intel DNV device IDs SATA commit 342decff2b846b46fa61eb5ee40986fab79a9a32 upstream. Adding Intel codename DNV platform device IDs for SATA. Signed-off-by: Alexandra Yates Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 1489f5d951089debd2a533e3a109fba9b36e3461 Author: Tejun Heo Date: Fri Jan 15 15:13:05 2016 -0500 libata: disable forced PORTS_IMPL for >= AHCI 1.3 commit 566d1827df2ef0cbe921d3d6946ac3007b1a6938 upstream. Some early controllers incorrectly reported zero ports in PORTS_IMPL register and the ahci driver fabricates PORTS_IMPL from the number of ports in those cases. This hasn’t mattered but with the new nvme controllers there are cases where zero PORTS_IMPL is valid and should be honored. Disable the workaround for >= AHCI 1.3. Signed-off-by: Tejun Heo Reported-by: Andy Lutomirski Link: http://lkml.kernel.org/g/CALCETrU7yMvXEDhjAUShoHEhDwifJGapdw–[email protected] Cc: Sergei Shtylyov Signed-off-by: Greg Kroah-Hartman commit a8e70a1a4fd6c0bc634a2b3f7b4b77ee378c3134 Author: Herbert Xu Date: Mon Jan 11 21:29:41 2016 +0800 crypto: algif_skcipher - Add key check exception for cipher_null commit 6e8d8ecf438792ecf7a3207488fb4eebc4edb040 upstream. This patch adds an exception to the key check so that cipher_null users may continue to use algif_skcipher without setting a key. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 7f5c995746ebc3f431c596ffabb98af1b3e3de86 Author: Herbert Xu Date: Mon Jan 11 21:26:50 2016 +0800 crypto: skcipher - Add crypto_skcipher_has_setkey commit a1383cd86a062fc798899ab20f0ec2116cce39cb upstream. This patch adds a way for skcipher users to determine whether a key is required by a transform. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 017db8bc9a1d62710af99b0eec605ee1f0285277 Author: Herbert Xu Date: Fri Jan 8 21:31:04 2016 +0800 crypto: algif_hash - Require setkey before accept(2) commit 6de62f15b581f920ade22d758f4c338311c2f0d4 upstream. Hash implementations that require a key may crash if you use them without setting a key. This patch adds the necessary checks so that if you do attempt to use them without a key that we return -ENOKEY instead of proceeding. This patch also adds a compatibility path to support old applications that do acept(2) before setkey. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit f2e274ce8bfe8ab928ab1968a82a3b7eec27a69b Author: Herbert Xu Date: Fri Jan 8 21:28:26 2016 +0800 crypto: hash - Add crypto_ahash_has_setkey commit a5596d6332787fd383b3b5427b41f94254430827 upstream. This patch adds a way for ahash users to determine whether a key is required by a crypto_ahash transform. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit eeb2e2e72bce3c4f3e74d1ea2c621aa574b8ef18 Author: Herbert Xu Date: Mon Jan 4 13:36:12 2016 +0900 crypto: algif_skcipher - Add nokey compatibility path commit a0fa2d037129a9849918a92d91b79ed6c7bd2818 upstream. This patch adds a compatibility path to support old applications that do acept(2) before setkey. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit d1b886e326f3578e8d6066c590d32a5c7028afbd Author: Herbert Xu Date: Mon Jan 4 13:35:18 2016 +0900 crypto: af_alg - Add nokey compatibility path commit 37766586c965d63758ad542325a96d5384f4a8c9 upstream. This patch adds a compatibility path to support old applications that do acept(2) before setkey. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit aa435a11e4bb37e23dbfc45fea2c11ddf6b813e0 Author: Herbert Xu Date: Wed Dec 30 20:24:17 2015 +0800 crypto: af_alg - Fix socket double-free when accept fails commit a383292c86663bbc31ac62cc0c04fc77504636a6 upstream. When we fail an accept(2) call we will end up freeing the socket twice, once due to the direct sk_free call and once again through newsock. This patch fixes this by removing the sk_free call. Reported-by: Dmitry Vyukov Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 7509864bb2ec8a4dfbda52a9bda577ecdcb6b2c4 Author: Herbert Xu Date: Wed Dec 30 11:47:53 2015 +0800 crypto: af_alg - Disallow bind/setkey/… after accept(2) commit c840ac6af3f8713a71b4d2363419145760bd6044 upstream. Each af_alg parent socket obtained by socket(2) corresponds to a tfm object once bind(2) has succeeded. An accept(2) call on that parent socket creates a context which then uses the tfm object. Therefore as long as any child sockets created by accept(2) exist the parent socket must not be modified or freed. This patch guarantees this by using locks and a reference count on the parent socket. Any attempt to modify the parent socket will fail with EBUSY. Reported-by: Dmitry Vyukov Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit b238717c0bb4606e2e36fc0de745306b0c900d83 Author: Herbert Xu Date: Fri Dec 25 15:40:05 2015 +0800 crypto: algif_skcipher - Require setkey before accept(2) commit dd504589577d8e8e70f51f997ad487a4cb6c026f upstream. Some cipher implementations will crash if you try to use them without calling setkey first. This patch adds a check so that the accept(2) call will fail with -ENOKEY if setkey hasn’t been done on the socket yet. Reported-by: Dmitry Vyukov Signed-off-by: Herbert Xu Tested-by: Dmitry Vyukov Signed-off-by: Greg Kroah-Hartman commit a800cbddbc2042b042491867e96e2f3c5c0d3e3b Author: Raghavendra K T Date: Sat Jan 16 00:31:23 2016 +0530 sched: Fix crash in sched_init_numa() commit 9c03ee147193645be4c186d3688232fa438c57c7 upstream. The following PowerPC commit: c118baf80256 (“arch/powerpc/mm/numa.c: do not allocate bootmem memory for non existing nodes”) avoids allocating bootmem memory for non existent nodes. But when DEBUG_PER_CPU_MAPS=y is enabled, my powerNV system failed to boot because in sched_init_numa(), cpumask_or() operation was done on unallocated nodes. Fix that by making cpumask_or() operation only on existing nodes. [ Tested with and w/o DEBUG_PER_CPU_MAPS=y on x86 and PowerPC. ] Reported-by: Jan Stancek Tested-by: Jan Stancek Signed-off-by: Raghavendra K T Cc: Cc: Cc: Cc: Cc: Cc: Cc: Cc: Cc: Cc: Cc: Link: http://lkml.kernel.org/r/1452884483-11676-1-git-send-email-raghavendra.kt@linux.vnet.ibm.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit b80b70ef40459ec9e7493cef5e91e4e11dad9e42 Author: Theodore Ts’o Date: Thu Dec 10 00:57:58 2015 -0500 ext4 crypto: add missing locking for keyring_key access commit db7730e3091a52c2fcd8fcc952b964d88998e675 upstream. Signed-off-by: Theodore Ts’o Signed-off-by: Greg Kroah-Hartman commit 740c56110a2548ae353af93d07354f67f14f4b4e Author: Will Deacon Date: Tue Dec 15 16:08:12 2015 +0000 iommu/io-pgtable-arm: Ensure we free the final level on teardown commit 12c2ab09571e8aae3a87da2a4a452632a5fac1e5 upstream. When tearing down page tables, we return early for the final level since we know that we won’t have any table pointers to follow. Unfortunately, this also means that we forget to free the final level, so we end up leaking memory. Fix the issue by always freeing the current level, but just don’t bother to iterate over the ptes if we’re at the final level. Reported-by: Zhang Bo Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit d343601a19410f71bf1765df5e2edda66fe5de5f Author: Peter Hurley Date: Sun Jan 10 22:40:55 2016 -0800 tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) commit 5c17c861a357e9458001f021a7afa7aab9937439 upstream. ioctl(TIOCGETD) retrieves the line discipline id directly from the ldisc because the line discipline id (c_line) in termios is untrustworthy; userspace may have set termios via ioctl(TCSETS*) without actually changing the line discipline via ioctl(TIOCSETD). However, directly accessing the current ldisc via tty->ldisc is unsafe; the ldisc ptr dereferenced may be stale if the line discipline is changing via ioctl(TIOCSETD) or hangup. Wait for the line discipline reference (just like read() or write()) to retrieve the “current” line discipline id. Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman commit b4312250147d42dceed6c8d44aa02cb29539db19 Author: Peter Hurley Date: Sat Jan 9 21:13:45 2016 -0800 tty: Retry failed reopen if tty teardown in-progress commit 7f22f6c935cda600660e623a411fe380015d28d9 upstream. A small window exists where a tty reopen will observe the tty just prior to imminent teardown (tty->count == 0); in this case, open() returns EIO to userspace. Instead, retry the open after checking for signals and yielding; this interruptible retry loop allows teardown to commence and initialize a new tty on retry. Never retry the BSD master pty reopen; there is no guarantee the pty pair teardown is imminent since the slave file descriptors may remain open indefinitely. Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman commit c35f1234931e2cae81726440ad4df8ef1f313219 Author: Peter Hurley Date: Sat Jan 9 21:13:44 2016 -0800 tty: Wait interruptibly for tty lock on reopen commit 0bfd464d3fdd5bb322f9cace4cc47f1796545cf7 upstream. Allow a signal to interrupt the wait for a tty reopen; eg., if the tty has starting final close and is waiting for the device to drain. Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman commit cccd9546e993ddcd10a482e43a821420cb09c05d Author: Peter Hurley Date: Sun Jan 10 22:40:56 2016 -0800 n_tty: Fix unsafe reference to “other” ldisc commit 6d27a63caad3f13e96cf065d2d96828c2006be6b upstream. Although n_tty_check_unthrottle() has a valid ldisc reference (since the tty core gets the ldisc ref in tty_read() before calling the line discipline read() method), it does not have a valid ldisc reference to the “other” pty of a pty pair. Since getting an ldisc reference for tty->link essentially open-codes tty_wakeup(), just replace with the equivalent tty_wakeup(). Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman commit 46f0b319cd828cc52bce8a94ff6c010efbfbb660 Author: Lu Baolu Date: Tue Jan 26 17:50:08 2016 +0200 usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Broxton-M platforms commit ccc04afb72cddbdf7c0e1c17e92886405a71b754 upstream. Intel Broxton M was verifed to require XHCI_PME_STUCK_QUIRK quirk as well. Signed-off-by: Lu Baolu Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit bfa2ee5ddf3dd102f2ffc9842225591461a08f16 Author: Lu Baolu Date: Tue Jan 26 17:50:05 2016 +0200 usb: xhci: handle both SSIC ports in PME stuck quirk commit fa89537783cb442263fa5a14df6c7693eaf32f11 upstream. Commit abce329c27b3 (“xhci: Workaround to get D3 working in Intel xHCI”) adds a workaround for a limitation of PME storm caused by SSIC port in some Intel SoCs. This commit only handled one SSIC port, while there are actually two SSIC ports in the chips. This patch handles both SSIC ports. Without this fix, users still see PME storm. Signed-off-by: Zhuang Jin Can Signed-off-by: Lu Baolu Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 7ab0e9d0a2283c6d1f2337847b89f86c53a1f9b7 Author: Srinivas Kandagatla Date: Wed Jan 13 09:13:10 2016 +0000 usb: phy: msm: fix error handling in probe. commit a38a08dfaaab978dced63aa9cad45f0f62e23a66 upstream. This driver registers for extcon events as part of its probe, but never unregisters them in case of error in the probe path. There were multiple issues noticed due to this missing error handling. One of them is random crashes if the regulators are not ready yet by the time probe is invoked. Ivan’s previous attempt [1] to fix this issue, did not really address all the failure cases like regualtor/get_irq failures. [1] https://lkml.org/lkml/2015/9/7/62 Without this patch the kernel would carsh with log: … Unable to handle kernel paging request at virtual address 17d78410 pgd = ffffffc001a5c000 [17d78410] *pgd=00000000b6806003, *pud=00000000b6806003, *pmd=0000000000000000 Internal error: Oops: 96000005 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 6 Comm: kworker/u8:0 Not tainted 4.4.0+ #48 Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT) Workqueue: deferwq deferred_probe_work_func task: ffffffc03686e900 ti: ffffffc0368b0000 task.ti: ffffffc0368b0000 PC is at raw_notifier_chain_register+0x1c/0x44 LR is at extcon_register_notifier+0x88/0xc8 pc : [] lr : [] pstate: 80000085 sp : ffffffc0368b3a70 x29: ffffffc0368b3a70 x28: ffffffc03680c310 x27: ffffffc035518000 x26: ffffffc035518000 x25: ffffffc03bfa20e0 x24: ffffffc035580a18 x23: 0000000000000000 x22: ffffffc035518458 x21: ffffffc0355e9a60 x20: ffffffc035518000 x19: 0000000000000000 x18: 0000000000000028 x17: 0000000000000003 x16: ffffffc0018153c8 x15: 0000000000000001 x14: ffffffc03686f0f8 x13: ffffffc03686f0f8 x12: 0000000000000003 x11: 0000000000000001 x10: 0000000000000001 x9 : ffffffc03686f0f8 x8 : 0000e3872014c1a1 x7 : 0000000000000028 x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000000 x3 : 00000000354fb170 x2 : 0000000017d78400 x1 : ffffffc0355e9a60 x0 : ffffffc0354fb268 Fixes: 591fc116f330 (“usb: phy: msm: Use extcon framework for VBUS and ID detection”) Signed-off-by: Srinivas Kandagatla Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit dde53ae3ad07b6b3978d5dc22633edbaa42db431 Author: Lu Baolu Date: Wed Jan 6 15:10:04 2016 +0800 usb: cdc-acm: send zero packet for intel 7260 modem commit ffdb1e369a73b380fce95b05f8498d92c43842b4 upstream. For Intel 7260 modem, it is needed for host side to send zero packet if the BULK OUT size is equal to USB endpoint max packet length. Otherwise, modem side may still wait for more data and cannot give response to host side. Signed-off-by: Konrad Leszczynski Signed-off-by: Lu Baolu Signed-off-by: Greg Kroah-Hartman commit 858e9d4a226435e45401757ccda952254e4e251c Author: Lu Baolu Date: Wed Dec 30 12:59:08 2015 +0800 usb: cdc-acm: handle unlinked urb in acm read callback commit 19454462acb1bdef80542061bdc9b410e4ed1ff6 upstream. In current acm driver, the bulk-in callback function ignores the URBs unlinked in usb core. This causes unexpected data loss in some cases. For example, runtime suspend entry will unlinked all urbs and set urb->status to -ENOENT even those urbs might have data not processed yet. Hence, data loss occurs. This patch lets bulk-in callback function handle unlinked urbs to avoid data loss. Signed-off-by: Tang Jian Qiang Signed-off-by: Lu Baolu Acked-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 8d85f027360ac66c481751b458153ee0cc0da37c Author: John Ernberg Date: Mon Jan 25 12:27:17 2016 +0000 USB: option: fix Cinterion AHxx enumeration commit 4152b387da81617c80cb2946b2d56e3958906b3e upstream. In certain kernel configurations where the cdc_ether and option drivers are compiled as modules there can occur a race condition in enumeration. This causes the option driver to enumerate the ethernet(wwan) interface as usb-serial interfaces. usb-devices output for the modem: T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 5 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=1e2d ProdID=0055 Rev=00.00 S: Manufacturer=Cinterion S: Product=AHx C: #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=10mA I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether Signed-off-by: John Ernberg Fixes: 1941138e1c02 (“USB: added support for Cinterion’s products…”) Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 185db3a5ab58e2d4fbc54176e755bf53398e37e1 Author: Daniele Palmas Date: Tue Jan 12 17:22:06 2016 +0100 USB: serial: option: Adding support for Telit LE922 commit ff4e2494dc17b173468e1713fdf6237fd8578bc7 upstream. This patch adds support for two PIDs of LE922. Signed-off-by: Daniele Palmas Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 7e13854aa55956198eda63095bb0ec9022816811 Author: Peter Dedecker Date: Fri Jan 8 12:34:41 2016 +0100 USB: cp210x: add ID for IAI USB to RS485 adaptor commit f487c54ddd544e1c9172cd510954f697b77b76e3 upstream. Added the USB serial console device ID for IAI Corp. RCB-CV-USB USB to RS485 adaptor. Signed-off-by: Peter Dedecker Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit f463b2e192a0576fe988c694fbd4c4c809ddae7f Author: Greg Kroah-Hartman Date: Tue Jan 19 23:43:13 2016 -0800 USB: serial: ftdi_sio: add support for Yaesu SCU-18 cable commit e03cdf22a2727c60307be6a729233edab3bfda9c upstream. Harald Linden reports that the ftdi_sio driver works properly for the Yaesu SCU-18 cable if the device ids are added to the driver. So let’s add them. Reported-by: Harald Linden Signed-off-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit c9b1074e18b607f54ac195959d5a4daacaa81325 Author: Du, Changbin Date: Mon Jan 18 21:02:42 2016 +0800 usb: hub: do not clear BOS field during reset device commit d8f00cd685f5c8e0def8593e520a7fef12c22407 upstream. In function usb_reset_and_verify_device, the old BOS descriptor may still be used before allocating a new one. (usb_unlocked_disable_lpm function uses it under the situation that it fails to disable lpm.) So we cannot set the udev->bos to NULL before that, just keep what it was. It will be overwrite when allocating a new one. Crash log: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 IP: [] usb_enable_link_state+0x2d/0x2f0 Call Trace: [] ? usb_set_lpm_timeout+0x12b/0x140 [] usb_enable_lpm+0x81/0xa0 [] usb_disable_lpm+0xa8/0xc0 [] usb_unlocked_disable_lpm+0x2c/0x50 [] usb_reset_and_verify_device+0xc3/0x710 [] ? usb_sg_wait+0x13d/0x190 [] usb_reset_device+0x133/0x280 [] usb_stor_port_reset+0x61/0x70 [] usb_stor_invoke_transport+0x88/0x520 Signed-off-by: Du, Changbin Signed-off-by: Greg Kroah-Hartman commit ee4207bda5e15d0eecb834c4fc39c6069487279d Author: Johan Hovold Date: Tue Jan 12 12:05:20 2016 +0100 USB: visor: fix null-deref at probe commit cac9b50b0d75a1d50d6c056ff65c005f3224c8e0 upstream. Fix null-pointer dereference at probe should a (malicious) Treo device lack the expected endpoints. Specifically, the Treo port-setup hack was dereferencing the bulk-in and interrupt-in urbs without first making sure they had been allocated by core. Fixes: 1da177e4c3f4 (“Linux-2.6.12-rc2”) Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 2dc803d0740f0c493a7db8a1baf6514d5b95b6a3 Author: Vladis Dronov Date: Tue Jan 12 15:10:50 2016 +0100 USB: serial: visor: fix crash on detecting device without write_urbs commit cb3232138e37129e88240a98a1d2aba2187ff57c upstream. The visor driver crashes in clie_5_attach() when a specially crafted USB device without bulk-out endpoint is detected. This fix adds a check that the device has proper configuration expected by the driver. Reported-by: Ralf Spenneberg Signed-off-by: Vladis Dronov Fixes: cfb8da8f69b8 (“USB: visor: fix initialisation of UX50/TH55 devices”) Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 2bbe5162bacd8b8f120b08f641bf695329d90017 Author: Bard Liao Date: Thu Jan 21 13:13:40 2016 +0800 ASoC: rt5645: fix the shift bit of IN1 boost commit b28785fa9cede0d4f47310ca0dd2a4e1d50478b5 upstream. The shift bit of IN1 boost gain control is 12. Signed-off-by: Bard Liao Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 18203289cea5010bc5dac4cebcdff91af76b8b6c Author: Mauro Carvalho Chehab Date: Thu Feb 4 15:59:43 2016 -0200 saa7134-alsa: Only frees registered sound cards commit ac75fe5d8fe4a0bf063be18fb29684405279e79e upstream. That prevents this bug: [ 2382.269496] BUG: unable to handle kernel NULL pointer dereference at 0000000000000540 [ 2382.270013] IP: [] snd_card_free+0x36/0x70 [snd] [ 2382.270013] PGD 0 [ 2382.270013] Oops: 0002 [#1] SMP [ 2382.270013] Modules linked in: saa7134_alsa(-) tda1004x saa7134_dvb videobuf2_dvb dvb_core tda827x tda8290 tuner saa7134 tveeprom videobuf2_dma_sg videobuf2_memops videobuf2_v4l2 videobuf2_core v4l2_common videodev media auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc tun bridge stp llc ebtables ip6table_filter ip6_tables nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack it87 hwmon_vid snd_hda_codec_idt snd_hda_codec_generic iTCO_wdt iTCO_vendor_support snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_seq pcspkr i2c_i801 snd_seq_device snd_pcm snd_timer lpc_ich snd mfd_core soundcore binfmt_misc i915 video i2c_algo_bit drm_kms_helper drm r8169 ata_generic serio_raw pata_acpi mii i2c_core [last unloaded: videobuf2_memops] [ 2382.270013] CPU: 0 PID: 4899 Comm: rmmod Not tainted 4.5.0-rc1+ #4 [ 2382.270013] Hardware name: PCCHIPS P17G/P17G, BIOS 080012 05/14/2008 [ 2382.270013] task: ffff880039c38000 ti: ffff88003c764000 task.ti: ffff88003c764000 [ 2382.270013] RIP: 0010:[] [] snd_card_free+0x36/0x70 [snd] [ 2382.270013] RSP: 0018:ffff88003c767ea0 EFLAGS: 00010286 [ 2382.270013] RAX: ffff88003c767eb8 RBX: 0000000000000000 RCX: 0000000000006260 [ 2382.270013] RDX: ffffffffa020a060 RSI: ffffffffa0206de1 RDI: ffff88003c767eb0 [ 2382.270013] RBP: ffff88003c767ed8 R08: 0000000000019960 R09: ffffffff811a5412 [ 2382.270013] R10: ffffea0000d7c200 R11: 0000000000000000 R12: ffff88003c767ea8 [ 2382.270013] R13: 00007ffe760617f7 R14: 0000000000000000 R15: 0000557625d7f1e0 [ 2382.270013] FS: 00007f80bb1c0700(0000) GS:ffff88003f400000(0000) knlGS:0000000000000000 [ 2382.270013] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 2382.270013] CR2: 0000000000000540 CR3: 000000003c00f000 CR4: 00000000000006f0 [ 2382.270013] Stack: [ 2382.270013] 000000003c767ed8 ffffffff00000000 ffff880000000000 ffff88003c767eb8 [ 2382.270013] ffff88003c767eb8 ffffffffa049a890 00007ffe76060060 ffff88003c767ef0 [ 2382.270013] ffffffffa049889d ffffffffa049a500 ffff88003c767f48 ffffffff8111079c [ 2382.270013] Call Trace: [ 2382.270013] [] saa7134_alsa_exit+0x1d/0x780 [saa7134_alsa] [ 2382.270013] [] SyS_delete_module+0x19c/0x1f0 [ 2382.270013] [] entry_SYSCALL_64_fastpath+0x12/0x71 [ 2382.270013] Code: 20 a0 48 c7 c6 e1 6d 20 a0 48 89 e5 41 54 53 4c 8d 65 d0 48 89 fb 48 83 ec 28 c7 45 d0 00 00 00 00 49 8d 7c 24 08 e8 7a 55 ed e0 <4c> 89 a3 40 05 00 00 48 89 df e8 eb fd ff ff 85 c0 75 1a 48 8d [ 2382.270013] RIP [] snd_card_free+0x36/0x70 [snd] [ 2382.270013] RSP [ 2382.270013] CR2: 0000000000000540 Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 4634f985fb4a43a89f1b6523509d30de4651ef89 Author: Takashi Iwai Date: Tue Feb 2 15:27:36 2016 +0100 ALSA: dummy: Implement timer backend switching more safely commit ddce57a6f0a2d8d1bfacfa77f06043bc760403c2 upstream. Currently the selected timer backend is referred at any moment from the running PCM callbacks. When the backend is switched, it’s possible to lead to inconsistency from the running backend. This was pointed by syzkaller fuzzer, and the commit [7ee96216c31a: ALSA: dummy: Disable switching timer backend via sysfs] disabled the dynamic switching for avoiding the crash. This patch improves the handling of timer backend switching. It keeps the reference to the selected backend during the whole operation of an opened stream so that it won’t be changed by other streams. Together with this change, the hrtimer parameter is reenabled as writable now. NOTE: this patch also turned out to fix the still remaining race. Namely, ops was still replaced dynamically at dummy_pcm_open: static int dummy_pcm_open(struct snd_pcm_substream *substream) { … dummy->timer_ops = &dummy_systimer_ops; if (hrtimer) dummy->timer_ops = &dummy_hrtimer_ops; Since dummy->timer_ops is common among all streams, and when the replacement happens during accesses of other streams, it may lead to a crash. This was actually triggered by syzkaller fuzzer and KASAN. This patch rewrites the code not to use the ops shared by all streams any longer, too. BugLink: http://lkml.kernel.org/r/CACT4Y+aZ+xisrpuM6cOXbL21DuM0yVxPYXf4cD4Md9uw0C3dBQ@mail.gmail.com Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit fc1cf67cbf44ea100c9994d8d6a594415926eab8 Author: Takashi Iwai Date: Tue Feb 9 10:23:52 2016 +0100 ALSA: hda - Fix bad dereference of jack object commit 2ebab40eb74a0225d5dfba72bfae317dd948fa2d upstream. The hda_jack_tbl entries are managed by snd_array for allowing multiple jacks. It’s good per se, but the problem is that struct hda_jack_callback keeps the hda_jack_tbl pointer. Since snd_array doesn’t preserve each pointer at resizing the array, we can’t keep the original pointer but have to deduce the pointer at each time via snd_array_entry() instead. Actually, this resulted in the deference to the wrong pointer on codecs that have many pins such as CS4208. This patch replaces the pointer to the NID value as the search key. As an unexpected good side effect, this even simplifies the code, as only NID is needed in most cases. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 1d9c34c147785319d16cb0e9be6a791bc446b334 Author: Takashi Iwai Date: Sun Feb 7 09:38:26 2016 +0100 ALSA: hda - Fix speaker output from VAIO AiO machines commit c44d9b1181cf34e0860c72cc8a00e0c47417aac0 upstream. Some Sony VAIO AiO models (VGC-JS4EF and VGC-JS25G, both with PCI SSID 104d:9044) need the same quirk to make the speaker working properly. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112031 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit dc4d5c42bf59682a82ccd8c67eee5313e6c43c63 Author: Takashi Iwai Date: Fri Feb 5 20:12:24 2016 +0100 Revert “ALSA: hda - Fix noise on Gigabyte Z170X mobo” commit 6c361d10e0eb859233c71954abcd20d2d8700587 upstream. This reverts commit 0c25ad80408e95e0a4fbaf0056950206e95f726f. The original commit disabled the aamixer path due to the noise problem, but it turned out that some mobo with the same PCI SSID doesn’t suffer from the issue, and the disabled function (analog loopback) is still demanded by users. Since the recent commit [e7fdd52779a6: ALSA: hda - Implement loopback control switch for Realtek and other codecs], we have the dynamic mixer switch to enable/disable the aamix path, and we don’t have to disable the path statically any longer. So, let’s revert the disablement, so that only the user suffering from the noise problem can turn off the aamix on the fly. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=108301 Reported-by: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit c9a35bd4bc91c98895b1f2d4392f003828caa9ed Author: David Henningsson Date: Fri Feb 5 09:05:41 2016 +0100 ALSA: hda - Fix static checker warning in patch_hdmi.c commit 360a8245680053619205a3ae10e6bfe624a5da1d upstream. The static checker warning is: sound/pci/hda/patch_hdmi.c:460 hdmi_eld_ctl_get() error: __memcpy() ‘eld->eld_buffer’ too small (256 vs 512) I have a hard time figuring out if this can ever cause an information leak (I don’t think so), but nonetheless it does not hurt to increase the robustness of the code. Fixes: 68e03de98507 (‘ALSA: hda - hdmi: Do not expose eld data when eld is invalid’) Reported-by: Dan Carpenter Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 32495f0543b10630a2ecc2ed5432b13d85358496 Author: Takashi Iwai Date: Wed Feb 3 12:32:51 2016 +0100 ALSA: hda - Add fixup for Mac Mini 7,1 model commit 2154cc0e2d4ae15132d005d17e473327c70c9a06 upstream. Mac Mini 7,1 model with CS4208 codec reports the headphone jack detection wrongly in an inverted way. Moreover, the advertised pins for the audio input and SPDIF output have actually no jack detection. This patch addresses these issues. The inv_jack_detect flag is set for fixing the headphone jack detection, and the pin configs for audio input and SPDIF output are marked as non-detectable. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=105161 Report-and-tested-by: [email protected] Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 92cc7c5788b090c2a15d5dfdfdcb772d9b25e91a Author: Takashi Iwai Date: Tue Feb 9 12:02:32 2016 +0100 ALSA: timer: Fix race between stop and interrupt commit ed8b1d6d2c741ab26d60d499d7fbb7ac801f0f51 upstream. A slave timer element also unlinks at snd_timer_stop() but it takes only slave_active_lock. When a slave is assigned to a master, however, this may become a race against the master’s interrupt handling, eventually resulting in a list corruption. The actual bug could be seen with a syzkaller fuzzer test case in BugLink below. As a fix, we need to take timeri->timer->lock when timer isn’t NULL, i.e. assigned to a master, while the assignment to a master itself is protected by slave_active_lock. BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 4333cce1e75701f5ffb0f17cbe43c170e09e7e46 Author: Takashi Iwai Date: Mon Feb 8 17:36:25 2016 +0100 ALSA: timer: Fix wrong instance passed to slave callbacks commit 117159f0b9d392fb433a7871426fad50317f06f7 upstream. In snd_timer_notify1(), the wrong timer instance was passed for slave ccallback function. This leads to the access to the wrong data when an incompatible master is handled (e.g. the master is the sequencer timer and the slave is a user timer), as spotted by syzkaller fuzzer. This patch fixes that wrong assignment. BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.com Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 925249d5172a31d7d430fdf364fc9229223c7942 Author: Takashi Iwai Date: Mon Feb 8 17:26:58 2016 +0100 ALSA: timer: Fix race at concurrent reads commit 4dff5c7b7093b19c19d3a100f8a3ad87cb7cd9e7 upstream. snd_timer_user_read() has a potential race among parallel reads, as qhead and qused are updated outside the critical section due to copy_to_user() calls. Move them into the critical section, and also sanitize the relevant code a bit. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ce60478a9959a8e1d1dcc70325e72678e78d85c5 Author: Takashi Iwai Date: Sat Jan 30 23:09:08 2016 +0100 ALSA: timer: Fix link corruption due to double start or stop commit f784beb75ce82f4136f8a0960d3ee872f7109e09 upstream. Although ALSA timer code got hardening for races, it still causes use-after-free error. This is however rather a corrupted linked list, not actually the concurrent accesses. Namely, when timer start is triggered twice, list_add_tail() is called twice, too. This ends up with the link corruption and triggers KASAN error. The simplest fix would be replacing list_add_tail() with list_move_tail(), but fundamentally it’s the problem that we don’t check the double start/stop correctly. So, the right fix here is to add the proper checks to snd_timer_start() and snd_timer_stop() (and their variants). BugLink: http://lkml.kernel.org/r/CACT4Y+ZyPRoMQjmawbvmCEDrkBD2BQuH7R09=eOkf5ESK8kJAw@mail.gmail.com Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 43d2ac7b542a862b55d22d179468df5290590801 Author: Takashi Iwai Date: Thu Feb 4 17:06:13 2016 +0100 ALSA: timer: Fix leftover link at closing commit 094fd3be87b0f102589e2d5c3fa5d06b7e20496d upstream. In ALSA timer core, the active timer instance is managed in active_list linked list. Each element is added / removed dynamically at timer start, stop and in timer interrupt. The problem is that snd_timer_interrupt() has a thinko and leaves the element in active_list when it’s the last opened element. This eventually leads to list corruption or use-after-free error. This hasn’t been revealed because we used to delete the list forcibly in snd_timer_stop() in the past. However, the recent fix avoids the double-stop behavior (in commit [f784beb75ce8: ALSA: timer: Fix link corruption due to double start or stop]), and this leak hits reality. This patch fixes the link management in snd_timer_interrupt(). Now it simply unlinks no matter which stream is. BugLink: http://lkml.kernel.org/r/CACT4Y+Yy2aukHP-EDp8-ziNqNNmb-NTf=jDWXMP7jB8HDa2vng@mail.gmail.com Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3f75d8ad63e42d5e1f46bd7fc2ba643cda3aa5e7 Author: Takashi Iwai Date: Thu Jan 14 17:01:46 2016 +0100 ALSA: timer: Code cleanup commit c3b1681375dc6e71d89a3ae00cc3ce9e775a8917 upstream. This is a minor code cleanup without any functional changes: - Kill keep_flag argument from _snd_timer_stop(), as all callers pass only it false. - Remove redundant NULL check in _snd_timer_stop(). Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 144b7ecc3bd6fdf791d54def453d73168d99569f Author: Takashi Iwai Date: Wed Feb 3 08:32:44 2016 +0100 ALSA: seq: Fix lockdep warnings due to double mutex locks commit 7f0973e973cd74aa40747c9d38844560cd184ee8 upstream. The port subscription code uses double mutex locks for source and destination ports, and this may become racy once when wrongly set up. It leads to lockdep warning splat, typically triggered by fuzzer like syzkaller, although the actual deadlock hasn’t been seen, so far. This patch simplifies the handling by reducing to two single locks, so that no lockdep warning will be trigger any longer. By splitting to two actions, a still-in-progress element shall be added in one list while handling another. For ignoring this element, a new check is added in deliver_to_subscribers(). Along with it, the code to add/remove the subscribers list element was cleaned up and refactored. BugLink: http://lkml.kernel.org/r/CACT4Y+aKQXV7xkBW9hpQbzaDO7LrUvohxWh-UwMxXjDy-yBD=A@mail.gmail.com Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 80f6a124a398b6e08ee86d3253dd461cfff85fe3 Author: Takashi Iwai Date: Mon Feb 1 12:06:42 2016 +0100 ALSA: seq: Fix race at closing in virmidi driver commit 2d1b5c08366acd46c35a2e9aba5d650cb5bf5c19 upstream. The virmidi driver has an open race at closing its assigned rawmidi device, and this may lead to use-after-free in snd_seq_deliver_single_event(). Plug the hole by properly protecting the linked list deletion and calling in the right order in snd_virmidi_input_close(). BugLink: http://lkml.kernel.org/r/CACT4Y+Zd66+w12fNN85-425cVQT=K23kWbhnCEcMB8s3us-Frw@mail.gmail.com Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3ed5d283254aab50d90525d8ea4dd713aac08d1d Author: Takashi Iwai Date: Sat Jan 30 23:30:25 2016 +0100 ALSA: seq: Fix yet another races among ALSA timer accesses commit 2cdc7b636d55cbcf42e1e6c8accd85e62d3e9ae8 upstream. ALSA sequencer may open/close and control ALSA timer instance dynamically either via sequencer events or direct ioctls. These are done mostly asynchronously, and it may call still some timer action like snd_timer_start() while another is calling snd_timer_close(). Since the instance gets removed by snd_timer_close(), it may lead to a use-after-free. This patch tries to address such a race by protecting each snd_timer_*() call via the existing spinlock and also by avoiding the access to timer during close call. BugLink: http://lkml.kernel.org/r/CACT4Y+Z6RzW5MBr-HUdV-8zwg71WQfKTdPpYGvOeS7v4cyurNQ@mail.gmail.com Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f8ae77d05089c8a7d3b626cd783970a55dba5577 Author: Vinod Koul Date: Mon Feb 1 22:26:40 2016 +0530 ASoC: dpcm: fix the BE state on hw_free commit 5e82d2be6ee53275c72e964507518d7964c82753 upstream. While performing hw_free, DPCM checks the BE state but leaves out the suspend state. The suspend state needs to be checked as well, as we might be suspended and then usermode closes rather than resuming the audio stream. This was found by a stress testing of system with playback in loop and killed after few seconds running in background and second script running suspend-resume test in loop Signed-off-by: Vinod Koul Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 195988d298fc4c2af1162a960fd7772c311dc747 Author: Takashi Iwai Date: Sun Jan 31 10:32:37 2016 +0100 ALSA: pcm: Fix potential deadlock in OSS emulation commit b248371628aad599a48540962f6b85a21a8a0c3f upstream. There are potential deadlocks in PCM OSS emulation code while accessing read/write and mmap concurrently. This comes from the infamous mmap_sem usage in copy_from/to_user(). Namely, snd_pcm_oss_write() -> &runtime->oss.params_lock -> copy_to_user() -> &mm->mmap_sem mmap() -> &mm->mmap_sem -> snd_pcm_oss_mmap() -> &runtime->oss.params_lock Since we can’t avoid taking params_lock from mmap code path, use trylock variant and aborts with -EAGAIN as a workaround of this AB/BA deadlock. BugLink: http://lkml.kernel.org/r/CACT4Y+bVrBKDG0G2_AcUgUQa+X91VKTeS4v+wN7BSHwHtqn3kQ@mail.gmail.com Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f7fd4634b65c517321f1e7f30f5632d77b4208b4 Author: Kailang Yang Date: Wed Feb 3 15:20:39 2016 +0800 ALSA: hda/realtek - Support Dell headset mode for ALC225 commit cfc5a845e62853edd36e564c23c64588f4adcae6 upstream. Dell create new platform with ALC298 codec. This patch will enable headset mode for ALC225/ALC3253 platform. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit fbc546e238785fae3085a8e0318fa628281c61fc Author: Kailang Yang Date: Wed Feb 3 15:09:35 2016 +0800 ALSA: hda/realtek - Support headset mode for ALC225 commit 4cc9b9d627af2c443cf98e651e3738d84f991cec upstream. Support headset mode for ALC225 platforms. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 1732e58646b4b2adf0cfaff757365a4472e4b6ab Author: Kailang Yang Date: Wed Feb 3 15:03:50 2016 +0800 ALSA: hda/realtek - New codec support of ALC225 commit 4231430da9607fb2eb7ea92f3b93ceef3bc2ed93 upstream. Add new support for ALC225, yet another variant of ALC298 codec. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 49ba9e222aa5a079cf89d2a86da9838aa0213a60 Author: Takashi Iwai Date: Wed Feb 3 14:41:22 2016 +0100 ALSA: rawmidi: Fix race at copying & updating the position commit 81f577542af15640cbcb6ef68baa4caa610cbbfc upstream. The rawmidi read and write functions manage runtime stream status such as runtime->appl_ptr and runtime->avail. These point where to copy the new data and how many bytes have been copied (or to be read). The problem is that rawmidi read/write call copy_from_user() or copy_to_user(), and the runtime spinlock is temporarily unlocked and relocked while copying user-space. Since the current code advances and updates the runtime status after the spin unlock/relock, the copy and the update may be asynchronous, and eventually runtime->avail might go to a negative value when many concurrent accesses are done. This may lead to memory corruption in the end. For fixing this race, in this patch, the status update code is performed in the same lock before the temporary unlock. Also, the spinlock is now taken more widely in snd_rawmidi_kernel_read1() for protecting more properly during the whole operation. BugLink: http://lkml.kernel.org/r/CACT4Y+b-dCmNf1GpgPKfDO0ih+uZCL2JV4__j-r1kdhPLSgQCQ@mail.gmail.com Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8af97f7c418ddc9c3e7a649414c70e798b134e50 Author: Takashi Iwai Date: Mon Feb 1 12:04:55 2016 +0100 ALSA: rawmidi: Remove kernel WARNING for NULL user-space buffer check commit cc85f7a634cfaf9f0713c6aa06d08817424db37a upstream. NULL user-space buffer can be passed even in a normal path, thus it’s not good to spew a kernel warning with stack trace at each time. Just drop snd_BUG_ON() macro usage there. BugLink: http://lkml.kernel.org/r/CACT4Y+YfVJ3L+q0i-4vyQVyyPD7V=OMX0PWPi29x9Bo3QaBLdw@mail.gmail.com Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit c3f8a5000e75da9dc40215bf1acf3aa5515c75fe Author: Takashi Iwai Date: Sun Jan 31 11:57:41 2016 +0100 ALSA: rawmidi: Make snd_rawmidi_transmit() race-free commit 06ab30034ed9c200a570ab13c017bde248ddb2a6 upstream. A kernel WARNING in snd_rawmidi_transmit_ack() is triggered by syzkaller fuzzer: WARNING: CPU: 1 PID: 20739 at sound/core/rawmidi.c:1136 Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [] dump_stack+0x6f/0xa2 lib/dump_stack.c:50 [] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482 [] warn_slowpath_null+0x29/0x30 kernel/panic.c:515 [] snd_rawmidi_transmit_ack+0x275/0x400 sound/core/rawmidi.c:1136 [] snd_virmidi_output_trigger+0x4b1/0x5a0 sound/core/seq/seq_virmidi.c:163 [< inline >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150 [] snd_rawmidi_kernel_write1+0x549/0x780 sound/core/rawmidi.c:1223 [] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1273 [] __vfs_write+0x113/0x480 fs/read_write.c:528 [] vfs_write+0x167/0x4a0 fs/read_write.c:577 [< inline >] SYSC_write fs/read_write.c:624 [] SyS_write+0x111/0x220 fs/read_write.c:616 [] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 Also a similar warning is found but in another path: Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [] dump_stack+0x6f/0xa2 lib/dump_stack.c:50 [] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482 [] warn_slowpath_null+0x29/0x30 kernel/panic.c:515 [] rawmidi_transmit_ack+0x24a/0x3b0 sound/core/rawmidi.c:1133 [] snd_rawmidi_transmit_ack+0x51/0x80 sound/core/rawmidi.c:1163 [] snd_virmidi_output_trigger+0x2b6/0x570 sound/core/seq/seq_virmidi.c:185 [< inline >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150 [] snd_rawmidi_kernel_write1+0x4bb/0x760 sound/core/rawmidi.c:1252 [] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1302 [] __vfs_write+0x113/0x480 fs/read_write.c:528 [] vfs_write+0x167/0x4a0 fs/read_write.c:577 [< inline >] SYSC_write fs/read_write.c:624 [] SyS_write+0x111/0x220 fs/read_write.c:616 [] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 In the former case, the reason is that virmidi has an open code calling snd_rawmidi_transmit_ack() with the value calculated outside the spinlock. We may use snd_rawmidi_transmit() in a loop just for consuming the input data, but even there, there is a race between snd_rawmidi_transmit_peek() and snd_rawmidi_tranmit_ack(). Similarly in the latter case, it calls snd_rawmidi_transmit_peek() and snd_rawmidi_tranmit_ack() separately without protection, so they are racy as well. The patch tries to address these issues by the following ways: - Introduce the unlocked versions of snd_rawmidi_transmit_peek() and snd_rawmidi_transmit_ack() to be called inside the explicit lock. - Rewrite snd_rawmidi_transmit() to be race-free (the former case). - Make the split calls (the latter case) protected in the rawmidi spin lock. BugLink: http://lkml.kernel.org/r/CACT4Y+YPq1+cYLkadwjWa5XjzF1_Vki1eHnVn-Lm0hzhSpu5PA@mail.gmail.com BugLink: http://lkml.kernel.org/r/CACT4Y+acG4iyphdOZx47Nyq_VHGbpJQK-6xNpiqUjaZYqsXOGw@mail.gmail.com Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit aef1181d08fd293398fb3bda39cca05dc07c95e0 Author: Takashi Iwai Date: Mon Jan 25 11:24:56 2016 +0100 ALSA: seq: Degrade the error message for too many opens commit da10816e3d923565b470fec78a674baba794ed33 upstream. ALSA OSS sequencer spews a kernel error message (“ALSA: seq_oss: too many applications”) when user-space tries to open more than the limit. This means that it can easily fill the log buffer. Since it’s merely a normal error, it’s safe to suppress it via pr_debug() instead. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit fa8fcbe38317a90094a29120ea959fb361b895fb Author: Takashi Iwai Date: Mon Jan 25 11:01:47 2016 +0100 ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup() commit 599151336638d57b98d92338aa59c048e3a3e97d upstream. ALSA sequencer OSS emulation code has a sanity check for currently opened devices, but there is a thinko there, eventually it spews warnings and skips the operation wrongly like: WARNING: CPU: 1 PID: 7573 at sound/core/seq/oss/seq_oss_synth.c:311 Fix this off-by-one error. Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit d0cc6515b1238f90c61b713160e94ff768b43325 Author: Takashi Iwai Date: Thu Jan 28 07:54:16 2016 +0100 ALSA: dummy: Disable switching timer backend via sysfs commit 7ee96216c31aabe1eb42fb91ff50dae9fcd014b2 upstream. ALSA dummy driver can switch the timer backend between system timer and hrtimer via its hrtimer module option. This can be also switched dynamically via sysfs, but it may lead to a memory corruption when switching is done while a PCM stream is running; the stream instance for the newly switched timer method tries to access the memory that was allocated by another timer method although the sizes differ. As the simplest fix, this patch just disables the switch via sysfs by dropping the writable bit. BugLink: http://lkml.kernel.org/r/CACT4Y+ZGEeEBntHW5WHn2GoeE0G_kRrCmUh6=dWyy-wfzvuJLg@mail.gmail.com Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 1963ffef4a1a92a07773bf8a30ce1224dd861bd5 Author: Takashi Iwai Date: Mon Jan 25 13:59:21 2016 +0100 ALSA: compress: Disable GET_CODEC_CAPS ioctl for some architectures commit 462b3f161beb62eeb290f4ec52f5ead29a2f8ac7 upstream. Some architectures like PowerPC can handle the maximum struct size in an ioctl only up to 13 bits, and struct snd_compr_codec_caps used by SNDRV_COMPRESS_GET_CODEC_CAPS ioctl overflows this limit. This problem was revealed recently by a powerpc change, as it’s now treated as a fatal build error. This patch is a stop-gap for that: for architectures with less than 14 bit ioctl struct size, get rid of the handling of the relevant ioctl. We should provide an alternative equivalent ioctl code later, but for now just paper over it. Luckily, the compress API hasn’t been used on such architectures, so the impact must be effectively zero. Reviewed-by: Mark Brown Acked-by: Sudip Mukherjee Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit fc3e5563763429755a652b365b04c3cca562b92b Author: Libin Yang Date: Fri Jan 29 20:39:09 2016 +0800 ALSA: hda - disable dynamic clock gating on Broxton before reset commit 6639484ddaf6707b41082c9fa9ca9af342df6402 upstream. On Broxton, to make sure the reset controller works properly, MISCBDCGE bit (bit 6) in CGCTL (0x48) of PCI configuration space need be cleared before reset and set back to 1 after reset. Otherwise, it may prevent the CORB/RIRB logic from being reset. Signed-off-by: Libin Yang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 9f080d37c73948b187698c368cc87b191afd269a Author: Takashi Iwai Date: Wed Jan 27 07:05:56 2016 +0100 ALSA: Add missing dependency on CONFIG_SND_TIMER commit 61595dca742a9ba9a4c998b9af1f468adc816275 upstream. Since the build of PCM timer may be disabled via Kconfig now, each driver that provides a timer interface needs to set CONFIG_SND_TIMER explicitly. Otherwise it may get a build error due to missing symbol. Fixes: 90bbaf66ee7b (‘ALSA: timer: add config item to export PCM timer disabling for expert’) Reported-by: kbuild test robot Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 2f32c8c003b35510b4b4515e70046e6a6e5967ca Author: Lucas Tanure Date: Mon Jan 25 19:30:23 2016 -0200 ALSA: bebob: Use a signed return type for get_formation_index commit 07905298e4d5777eb58516cdc242f7ac1ca387a2 upstream. The return type “unsigned int” was used by the get_formation_index function despite of the aspect that it will eventually return a negative error code. So, change to signed int and get index by reference in the parameters. Done with the help of Coccinelle. [Fix the missing braces suggested by Julia Lawall – tiwai] Signed-off-by: Lucas Tanure Reviewed-by: Takashi Sakamoto Tested-by: Takashi Sakamoto Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit fbb430c51d7ac989b79bf1adb40cce7af581682a Author: Andrey Konovalov Date: Sat Feb 13 11:08:06 2016 +0300 ALSA: usb-audio: avoid freeing umidi object twice commit 07d86ca93db7e5cdf4743564d98292042ec21af7 upstream. The ‘umidi’ object will be free’d on the error path by snd_usbmidi_free() when tearing down the rawmidi interface. So we shouldn’t try to free it in snd_usbmidi_create() after having registered the rawmidi interface. Found by KASAN. Signed-off-by: Andrey Konovalov Acked-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit bb1066e621a195c5e9013f05b4f3d7dc46809923 Author: Jurgen Kramer Date: Fri Jan 29 14:59:25 2016 +0100 ALSA: usb-audio: Add native DSD support for PS Audio NuWave DAC commit ad678b4ccd41aa51cf5f142c0e8cffe9d61fc2bf upstream. This patch adds native DSD support for the PS Audio NuWave DAC. Signed-off-by: Jurgen Kramer Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 29a928ff8c1055ab34a0b40d285cbb2e4b0a4fd0 Author: Jurgen Kramer Date: Fri Jan 29 14:49:55 2016 +0100 ALSA: usb-audio: Fix OPPO HA-1 vendor ID commit 5327d6ba975042fd3da50ac6e94d1e9551ebeaec upstream. In my patch adding native DSD support for the Oppo HA-1, the wrong vendor ID got through. This patch fixes the vendor ID and aligns the comment. Fixes: a4eae3a506ea (‘ALSA: usb: Add native DSD support for Oppo HA-1’) Signed-off-by: Jurgen Kramer Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 11e7913d54c97bd999724264ac7f2d78900bbbd5 Author: Lev Lybin Date: Fri Jan 29 22:55:11 2016 +0700 ALSA: usb-audio: Add quirk for Microsoft LifeCam HD-6000 commit 1b3c993a699bed282e47c3f7c49d539c331dae04 upstream. Microsoft LifeCam HD-6000 (045e:076f) requires the similar quirk for avoiding the stall due to the invalid sample rate reads. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=111491 Signed-off-by: Lev Lybin Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 1eb90d90eadad21dfae3d31b7865abe17e9c5d91 Author: Guillaume Fougnies Date: Tue Jan 26 00:28:27 2016 +0100 ALSA: usb-audio: Fix TEAC UD-501/UD-503/NT-503 usb delay commit 5a4ff9ec8d6edd2ab1cfe8ce6a080d6e57cbea9a upstream. TEAC UD-501/UD-503/NT-503 fail to switch properly between different rate/format. Similar to 'Playback Design’, this patch corrects the invalid clock source error for TEAC products and avoids complete freeze of the usb interface of 503 series. Signed-off-by: Guillaume Fougnies Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit dd0d511548ea1ad8f233e9fa4a4acfb83af9bd29 Author: Thomas Gleixner Date: Thu Jan 14 16:54:46 2016 +0000 hrtimer: Handle remaining time proper for TIME_LOW_RES commit 203cbf77de59fc8f13502dcfd11350c6d4a5c95f upstream. If CONFIG_TIME_LOW_RES is enabled we add a jiffie to the relative timeout to prevent short sleeps, but we do not account for that in interfaces which retrieve the remaining time. Helge observed that timerfd can return a remaining time larger than the relative timeout. That’s not expected and breaks userland test programs. Store the information that the timer was armed relative and provide functions to adjust the remaining time. To avoid bloating the hrtimer struct make state a u8, which as a bonus results in better code on x86 at least. Reported-and-tested-by: Helge Deller Signed-off-by: Thomas Gleixner Cc: Peter Zijlstra Cc: John Stultz Cc: [email protected] Cc: [email protected] Link: http://lkml.kernel.org/r/[email protected] Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 2c4b95da2335088ba85dcdfa39d374491d76fbba Author: Dan Williams Date: Wed Jan 13 16:00:07 2016 -0800 md/raid: only permit hot-add of compatible integrity profiles commit 1501efadc524a0c99494b576923091589a52d2a4 upstream. It is not safe for an integrity profile to be changed while i/o is in-flight in the queue. Prevent adding new disks or otherwise online spares to an array if the device has an incompatible integrity profile. The original change to the blk_integrity_unregister implementation in md, commmit c7bfced9a671 “md: suspend i/o during runtime blk_integrity_unregister” introduced an immediate hang regression. This policy of disallowing changes the integrity profile once one has been established is shared with DM. Here is an abbreviated log from a test run that: 1/ Creates a degraded raid1 with an integrity-enabled device (pmem0s) [ 59.076127] 2/ Tries to add an integrity-disabled device (pmem1m) [ 90.489209] 3/ Retries with an integrity-enabled device (pmem1s) [ 205.671277] [ 59.076127] md/raid1:md0: active with 1 out of 2 mirrors [ 59.078302] md: data integrity enabled on md0 […] [ 90.489209] md0: incompatible integrity profile for pmem1m […] [ 205.671277] md: super_written gets error=-5 [ 205.677386] md/raid1:md0: Disk failure on pmem1m, disabling device. [ 205.677386] md/raid1:md0: Operation continuing on 1 devices. [ 205.683037] RAID1 conf printout: [ 205.684699] — wd:1 rd:2 [ 205.685972] disk 0, wo:0, o:1, dev:pmem0s [ 205.687562] disk 1, wo:1, o:1, dev:pmem1s [ 205.691717] md: recovery of RAID array md0 Fixes: c7bfced9a671 (“md: suspend i/o during runtime blk_integrity_unregister”) Cc: Mike Snitzer Reported-by: NeilBrown Signed-off-by: Dan Williams Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 3809abbacf588dc2fa020a984ddf13d9ab71e752 Author: Javier Martinez Canillas Date: Wed Jan 27 12:03:23 2016 -0200 media: i2c: Don’t export ir-kbd-i2c module alias commit 329d88da4df9a96da43018aceabd3a06e6a7e7ae upstream. This is a partial revert of commit ed8d1cf07cb16d ("[media] Export I2C module alias information in missing drivers”) that exported the module aliases for the I2C drivers that were missing to make autoload to work. But there is a bug report [0] that auto load of the ir-kbd-i2c driver cause the Hauppauge HD-PVR driver to not behave correctly. This is a hdpvr latent bug that was just exposed by ir-kbd-i2c module autoloading working and will also happen if the I2C driver is built-in or a user calls modprobe to load the module and register the driver. But there is a regression experimented by users so until the real bug is fixed, let’s not export the module alias for the ir-kbd-i2c driver even when this just masks the actual issue. [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810726 Fixes: ed8d1cf07cb1 ("[media] Export I2C module alias information in missing drivers”) Signed-off-by: Javier Martinez Canillas Signed-off-by: Greg Kroah-Hartman commit 702ea6de7132e65ca41e8055a02910a695b447e7 Author: Helge Deller Date: Sun Jan 10 09:30:42 2016 +0100 parisc: Fix __ARCH_SI_PREAMBLE_SIZE commit e60fc5aa608eb38b47ba4ee058f306f739eb70a0 upstream. On a 64bit kernel build the compiler aligns the _sifields union in the struct siginfo_t on a 64bit address. The __ARCH_SI_PREAMBLE_SIZE define compensates for this alignment and thus fixes the wait testcase of the strace package. The symptoms of a wrong __ARCH_SI_PREAMBLE_SIZE value is that _sigchld.si_stime variable is missed to be copied and thus after a copy_siginfo() will have uninitialized values. Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit 583097a3b2cef0bee535c8acc4189ceacb8bb6c6 Author: Helge Deller Date: Thu Nov 26 21:14:02 2015 +0100 parisc: Protect huge page pte changes with spinlocks commit b0e551313ebde17764f3a5ed273df524d1e7e690 upstream. PA-RISC doesn’t have atomic instructions to modify page table entries, so it takes spinlock in the TLB handler and modifies the page table entry non-atomically. If you modify the page table entry without the spinlock, you may race with TLB handler on another CPU and your modification may be lost. Protect against that with usage of purge_tlb_start() and purge_tlb_end() which handles the TLB spinlock. Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit a623f87a72de35096a9eae7cc7764d0c9533c2e9 Author: Tejun Heo Date: Fri Jan 15 16:58:24 2016 -0800 printk: do cond_resched() between lines while outputting to consoles commit 8d91f8b15361dfb438ab6eb3b319e2ded43458ff upstream. @console_may_schedule tracks whether console_sem was acquired through lock or trylock. If the former, we’re inside a sleepable context and console_conditional_schedule() performs cond_resched(). This allows console drivers which use console_lock for synchronization to yield while performing time-consuming operations such as scrolling. However, the actual console outputting is performed while holding irq-safe logbuf_lock, so console_unlock() clears @console_may_schedule before starting outputting lines. Also, only a few drivers call console_conditional_schedule() to begin with. This means that when a lot of lines need to be output by console_unlock(), for example on a console registration, the task doing console_unlock() may not yield for a long time on a non-preemptible kernel. If this happens with a slow console devices, for example a serial console, the outputting task may occupy the cpu for a very long time. Long enough to trigger softlockup and/or RCU stall warnings, which in turn pile more messages, sometimes enough to trigger the next cycle of warnings incapacitating the system. Fix it by making console_unlock() insert cond_resched() between lines if @console_may_schedule. Signed-off-by: Tejun Heo Reported-by: Calvin Owens Acked-by: Jan Kara Cc: Dave Jones Cc: Kyle McMartin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit bf46aa7ec7417cab8b4402dc8117e17af54f5d8e Author: Steven Rostedt Date: Fri Jan 29 10:22:41 2016 -0500 tracing/stacktrace: Show entire trace if passed in function not found commit 6ccd83714a009ee301b50c15f6c3a5dc1f30164c upstream. When a max stack trace is discovered, the stack dump is saved. In order to not record the overhead of the stack tracer, the ip of the traced function is looked for within the dump. The trace is started from the location of that function. But if for some reason the ip is not found, the entire stack trace is then truncated. That’s not very useful. Instead, print everything if the ip of the traced function is not found within the trace. This issue showed up on s390. Link: http://lkml.kernel.org/r/[email protected] Fixes: 72ac426a5bb0 (“tracing: Clean up stack tracing and fix fentry updates”) Reported-by: Heiko Carstens Tested-by: Heiko Carstens Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit cc6d98006b1a713abaa8852de02a3c6f7ce62941 Author: Steven Rostedt (Red Hat) Date: Wed Jan 13 15:48:54 2016 -0500 tracing: Fix stacktrace skip depth in trace_buffer_unlock_commit_regs() commit 7717c6be699975f6733d278b13b7c4295d73caf6 upstream. While cleaning the stacktrace code I unintentially changed the skip depth of trace_buffer_unlock_commit_regs() from 0 to 6. kprobes uses this function, and with skipping 6 call backs, it can easily produce no stack. Here’s how I tested it: # echo 'p:ext4_sync_fs ext4_sync_fs ' > /sys/kernel/debug/tracing/kprobe_events # echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable # cat /sys/kernel/debug/trace sync-2394 [005] 502.457060: ext4_sync_fs: (ffffffff81317650) sync-2394 [005] 502.457063: kernel_stack: sync-2394 [005] 502.457086: ext4_sync_fs: (ffffffff81317650) sync-2394 [005] 502.457087: kernel_stack: sync-2394 [005] 502.457091: ext4_sync_fs: (ffffffff81317650) After putting back the skip stack to zero, we have: sync-2270 [000] 748.052693: ext4_sync_fs: (ffffffff81317650) sync-2270 [000] 748.052695: kernel_stack: => iterate_supers (ffffffff8126412e) => sys_sync (ffffffff8129c4b6) => entry_SYSCALL_64_fastpath (ffffffff8181f0b2) sync-2270 [000] 748.053017: ext4_sync_fs: (ffffffff81317650) sync-2270 [000] 748.053019: kernel_stack: => iterate_supers (ffffffff8126412e) => sys_sync (ffffffff8129c4b6) => entry_SYSCALL_64_fastpath (ffffffff8181f0b2) sync-2270 [000] 748.053381: ext4_sync_fs: (ffffffff81317650) sync-2270 [000] 748.053383: kernel_stack: => iterate_supers (ffffffff8126412e) => sys_sync (ffffffff8129c4b6) => entry_SYSCALL_64_fastpath (ffffffff8181f0b2) Fixes: 73dddbb57bb0 “tracing: Only create stacktrace option when STACKTRACE is configured” Reported-by: Brendan Gregg Tested-by: Brendan Gregg Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 695f6c8798c6c4a0be6df79082e9890b22af4d8b Author: Christoph Biedl Date: Wed Dec 23 16:51:57 2015 +0100 PCI: Fix minimum allocation address overwrite commit 3460baa620685c20f5ee19afb6d99d26150c382c upstream. Commit 36e097a8a297 (“PCI: Split out bridge window override of minimum allocation address”) claimed to do no functional changes but unfortunately did: The “min” variable is altered. At least the AVM A1 PCMCIA adapter was no longer detected, breaking ISDN operation. Use a local copy of “min” to restore the previous behaviour. [bhelgaas: avoid gcc “?:” extension for portability and readability] Fixes: 36e097a8a297 (“PCI: Split out bridge window override of minimum allocation address”) Signed-off-by: Christoph Biedl Signed-off-by: Bjorn Helgaas Signed-off-by: Greg Kroah-Hartman commit ad53ae59587bcd110229d2594e059349b4306b6c Author: Grygorii Strashko Date: Thu Dec 10 21:18:20 2015 +0200 PCI: host: Mark PCIe/PCI (MSI) IRQ cascade handlers as IRQF_NO_THREAD commit 8ff0ef996ca00028519c70e8d51d32bd37eb51dc upstream. On -RT and if kernel is booting with “threadirqs” cmd line parameter, PCIe/PCI (MSI) IRQ cascade handlers (like dra7xx_pcie_msi_irq_handler()) will be forced threaded and, as result, will generate warnings like this: WARNING: CPU: 1 PID: 82 at kernel/irq/handle.c:150 handle_irq_event_percpu+0x14c/0x174() irq 460 handler irq_default_primary_handler+0x0/0x14 enabled interrupts Backtrace: (warn_slowpath_common) from (warn_slowpath_fmt+0x38/0x40) (warn_slowpath_fmt) from (handle_irq_event_percpu+0x14c/0x174) (handle_irq_event_percpu) from (handle_irq_event+0x84/0xb8) (handle_irq_event) from (handle_simple_irq+0x90/0x118) (handle_simple_irq) from (generic_handle_irq+0x30/0x44) (generic_handle_irq) from (dra7xx_pcie_msi_irq_handler+0x7c/0x8c) (dra7xx_pcie_msi_irq_handler) from (irq_forced_thread_fn+0x28/0x5c) (irq_forced_thread_fn) from (irq_thread+0x128/0x204) This happens because all of them invoke generic_handle_irq() from the requested handler. generic_handle_irq() grabs raw_locks and thus needs to run in raw-IRQ context. This issue was originally reproduced on TI dra7-evem, but, as was identified during discussion [1], other hosts can also suffer from this issue. Fix all them at once by marking PCIe/PCI (MSI) IRQ cascade handlers IRQF_NO_THREAD explicitly. [1] http://lkml.kernel.org/r/[email protected] [bhelgaas: add stable tag, fix typos] Signed-off-by: Grygorii Strashko Signed-off-by: Bjorn Helgaas Acked-by: Lucas Stach CC: Kishon Vijay Abraham I CC: Jingoo Han CC: Kukjin Kim CC: Krzysztof Kozlowski CC: Richard Zhu CC: Thierry Reding CC: Stephen Warren CC: Alexandre Courbot CC: Simon Horman CC: Pratyush Anand CC: Michal Simek CC: “Sören Brinkmann” CC: Sebastian Andrzej Siewior Signed-off-by: Greg Kroah-Hartman commit e18da11fc0f95979d14adc8e506707ed2fdab602 Author: Brian Norris Date: Tue Jan 5 10:39:45 2016 -0800 mtd: nand: assign reasonable default name for NAND drivers commit f7a8e38f07a17be90758559fe66fe7337096053f upstream. Commits such as commit 853f1c58c4b2 (“mtd: nand: omap2: show parent device structure in sysfs”) attempt to rely on the core MTD code to set the MTD name based on the parent device. However, nand_base tries to set a different default name according to the flash name (e.g., extracted from the ONFI parameter page), which means NAND drivers will never make use of the MTD defaults. This is not the intention of commit 853f1c58c4b2. This results in problems when trying to use the cmdline partition parser, since the MTD name is different than expected. Let’s fix this by providing a default NAND name, where possible. Note that this is not really a great default name in the long run, since this means that if there are multiple MTDs attached to the same controller device, they will have the same name. But that is an existing issue and requires future work on a better controller vs. flash chip abstraction to fix properly. Fixes: 853f1c58c4b2 (“mtd: nand: omap2: show parent device structure in sysfs”) Reported-by: Heiko Schocher Signed-off-by: Brian Norris Reviewed-by: Boris Brezillon Tested-by: Heiko Schocher Cc: Heiko Schocher Cc: Frans Klaver Signed-off-by: Greg Kroah-Hartman commit c13c92acfa9b46470de819db0706e4457f503399 Author: Uri Mashiach Date: Thu Dec 24 16:05:00 2015 +0200 wlcore/wl12xx: spi: fix NULL pointer dereference (Oops) commit e47301b06d5a65678690f04c2248fd181db1e59a upstream. Fix the below Oops when trying to modprobe wlcore_spi. The oops occurs because the wl1271_power_{off,on}() function doesn’t check the power() function pointer. [ 23.401447] Unable to handle kernel NULL pointer dereference at virtual address 00000000 [ 23.409954] pgd = c0004000 [ 23.412922] [00000000] *pgd=00000000 [ 23.416693] Internal error: Oops: 80000007 [#1] SMP ARM [ 23.422168] Modules linked in: wl12xx wlcore mac80211 cfg80211 musb_dsps musb_hdrc usbcore usb_common snd_soc_simple_card evdev joydev omap_rng wlcore_spi snd_soc_tlv320aic23_i2c rng_core snd_soc_tlv320aic23 c_can_platform c_can can_dev snd_soc_davinci_mcasp snd_soc_edma snd_soc_omap omap_wdt musb_am335x cpufreq_dt thermal_sys hwmon [ 23.453253] CPU: 0 PID: 36 Comm: kworker/0:2 Not tainted 4.2.0-00002-g951efee-dirty #233 [ 23.461720] Hardware name: Generic AM33XX (Flattened Device Tree) [ 23.468123] Workqueue: events request_firmware_work_func [ 23.473690] task: de32efc0 ti: de4ee000 task.ti: de4ee000 [ 23.479341] PC is at 0x0 [ 23.482112] LR is at wl12xx_set_power_on+0x28/0x124 [wlcore] [ 23.488074] pc : [<00000000>] lr : [] psr: 60000013 [ 23.488074] sp : de4efe50 ip : 00000002 fp : 00000000 [ 23.500162] r10: de7cdd00 r9 : dc848800 r8 : bf27af00 [ 23.505663] r7 : bf27a1a8 r6 : dcbd8a80 r5 : dce0e2e0 r4 : dce0d2e0 [ 23.512536] r3 : 00000000 r2 : 00000000 r1 : 00000001 r0 : dc848810 [ 23.519412] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel [ 23.527109] Control: 10c5387d Table: 9cb78019 DAC: 00000015 [ 23.533160] Process kworker/0:2 (pid: 36, stack limit = 0xde4ee218) [ 23.539760] Stack: (0xde4efe50 to 0xde4f0000) […] [ 23.665030] [] (wl12xx_set_power_on [wlcore]) from [] (wlcore_nvs_cb+0x118/0xa4c [wlcore]) [ 23.675604] [] (wlcore_nvs_cb [wlcore]) from [] (request_firmware_work_func+0x30/0x58) [ 23.685784] [] (request_firmware_work_func) from [] (process_one_work+0x1b4/0x4b4) [ 23.695591] [] (process_one_work) from [] (worker_thread+0x3c/0x4a4) [ 23.704124] [] (worker_thread) from [] (kthread+0xd4/0xf0) [ 23.711747] [] (kthread) from [] (ret_from_fork+0x14/0x3c) [ 23.719357] Code: bad PC value [ 23.722760] —[ end trace 981be8510db9b3a9 ]— Prevent oops by validationg power() pointer value before calling the function. Signed-off-by: Uri Mashiach Acked-by: Igor Grinberg Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 1463df0fa8e286d50edd897a6f61eed999031e48 Author: Uri Mashiach Date: Thu Dec 10 15:12:56 2015 +0200 wlcore/wl12xx: spi: fix oops on firmware load commit 9b2761cb72dc41e1948c8a5512b4efd384eda130 upstream. The maximum chunks used by the function is (SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE + 1). The original commands array had space for (SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) commands. When the last chunk is used (len > 4 * WSPI_MAX_CHUNK_SIZE), the last command is stored outside the bounds of the commands array. Oops 5 (page fault) is generated during current wl1271 firmware load attempt: root@debian-armhf:~# ifconfig wlan0 up [ 294.312399] Unable to handle kernel paging request at virtual address 00203fc4 [ 294.320173] pgd = de528000 [ 294.323028] [00203fc4] *pgd=00000000 [ 294.326916] Internal error: Oops: 5 [#1] SMP ARM [ 294.331789] Modules linked in: bnep rfcomm bluetooth ipv6 arc4 wl12xx wlcore mac80211 musb_dsps cfg80211 musb_hdrc usbcore usb_common wlcore_spi omap_rng rng_core musb_am335x omap_wdt cpufreq_dt thermal_sys hwmon [ 294.351838] CPU: 0 PID: 1827 Comm: ifconfig Not tainted 4.2.0-00002-g3e9ad27-dirty #78 [ 294.360154] Hardware name: Generic AM33XX (Flattened Device Tree) [ 294.366557] task: dc9d6d40 ti: de550000 task.ti: de550000 [ 294.372236] PC is at __spi_validate+0xa8/0x2ac [ 294.376902] LR is at __spi_sync+0x78/0x210 [ 294.381200] pc : [] lr : [] psr: 60000013 [ 294.381200] sp : de551998 ip : de5519d8 fp : 00200000 [ 294.393242] r10: de551c8c r9 : de5519d8 r8 : de3a9000 [ 294.398730] r7 : de3a9258 r6 : de3a9400 r5 : de551a48 r4 : 00203fbc [ 294.405577] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : de3a9000 [ 294.412420] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user [ 294.419918] Control: 10c5387d Table: 9e528019 DAC: 00000015 [ 294.425954] Process ifconfig (pid: 1827, stack limit = 0xde550218) [ 294.432437] Stack: (0xde551998 to 0xde552000) … [ 294.883613] [] (__spi_validate) from [] (__spi_sync+0x78/0x210) [ 294.891670] [] (__spi_sync) from [] (wl12xx_spi_raw_write+0xfc/0x148 [wlcore_spi]) [ 294.901661] [] (wl12xx_spi_raw_write [wlcore_spi]) from [] (wlcore_boot_upload_firmware+0x1ec/0x458 [wlcore]) [ 294.914038] [] (wlcore_boot_upload_firmware [wlcore]) from [] (wl12xx_boot+0xc10/0xfac [wl12xx]) [ 294.925161] [] (wl12xx_boot [wl12xx]) from [] (wl1271_op_add_interface+0x5b0/0x910 [wlcore]) [ 294.936364] [] (wl1271_op_add_interface [wlcore]) from [] (ieee80211_do_open+0x44c/0xf7c [mac80211]) [ 294.947963] [] (ieee80211_do_open [mac80211]) from [] (__dev_open+0xa8/0x110) [ 294.957307] [] (__dev_open) from [] (__dev_change_flags+0x88/0x148) [ 294.965713] [] (__dev_change_flags) from [] (dev_change_flags+0x18/0x48) [ 294.974576] [] (dev_change_flags) from [] (devinet_ioctl+0x6b4/0x7d0) [ 294.983191] [] (devinet_ioctl) from [] (sock_ioctl+0x1e4/0x2bc) [ 294.991244] [] (sock_ioctl) from [] (do_vfs_ioctl+0x420/0x6b0) [ 294.999208] [] (do_vfs_ioctl) from [] (SyS_ioctl+0x6c/0x7c) [ 295.006880] [] (SyS_ioctl) from [] (ret_fast_syscall+0x0/0x54) [ 295.014835] Code: e1550004 e2444034 0a00007d e5953018 (e5942008) [ 295.021544] —[ end trace 66ed188198f4e24e ]— Signed-off-by: Uri Mashiach Acked-by: Igor Grinberg Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit e6fe2687ef2727b687f31340da8edda25ed4e472 Author: xuejiufei Date: Fri Feb 5 15:36:47 2016 -0800 ocfs2/dlm: clear refmap bit of recovery lock while doing local recovery cleanup commit c95a51807b730e4681e2ecbdfd669ca52601959e upstream. When recovery master down, dlm_do_local_recovery_cleanup() only remove the $RECOVERY lock owned by dead node, but do not clear the refmap bit. Which will make umount thread falling in dead loop migrating $RECOVERY to the dead node. Signed-off-by: xuejiufei Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7889b844ba4b9dc0b311b6daa6f6376a10fa9a75 Author: xuejiufei Date: Thu Jan 14 15:17:38 2016 -0800 ocfs2/dlm: ignore cleaning the migration mle that is inuse commit bef5502de074b6f6fa647b94b73155d675694420 upstream. We have found that migration source will trigger a BUG that the refcount of mle is already zero before put when the target is down during migration. The situation is as follows: dlm_migrate_lockres dlm_add_migration_mle dlm_mark_lockres_migrating dlm_get_mle_inuse <<<<<< Now the refcount of the mle is 2. dlm_send_one_lockres and wait for the target to become the new master. <<<<<< o2hb detect the target down and clean the migration mle. Now the refcount is 1. dlm_migrate_lockres woken, and put the mle twice when found the target goes down which trigger the BUG with the following message: "ERROR: bad mle: ". Signed-off-by: Jiufei Xue Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5feecbf0568ab2395e57d0bdd9eb4babb58e4b1f Author: Takashi Iwai Date: Tue Dec 8 17:00:42 2015 +0100 ALSA: hda - Implement loopback control switch for Realtek and other codecs commit e7fdd52779a6c2b49d457f452296a77c8cffef6a upstream. Many codecs, typically found on Realtek codecs, have the analog loopback path merged to the secondary input of the middle of the output paths. Currently, we don’t offer the dynamic switching in such configuration but let each loopback path mute by itself. This should work well in theory, but in reality, we often see that such a dead loopback path causes some background noises even if all the elements get muted. Such a problem has been fixed by adding the quirk accordingly to disable aamix, and it’s the right fix, per se. The only problem is that it’s not so trivial to achieve it; user needs to pass a hint string via patch module option or sysfs. This patch gives a bit improvement on the situation: it adds “Loopback Mixing” control element for such codecs like other codecs (e.g. IDT or VIA codecs) with the individual loopback paths. User can turn on/off the loopback path simply via a mixer app. For keeping the compatibility, the loopback is still enabled on these codecs. But user can try to turn it off if experiencing a suspicious background or click noise on the fly, then build a static fixup later once after the problem is addressed. Other than the addition of the loopback enable/disablement control, there should be no changes. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit bfc5caf7569e39999c6515bd9f945bde14f2990f Author: Ming Lei Date: Sat Jan 23 08:05:33 2016 +0800 block: fix bio splitting on max sectors commit d0e5fbb01a67e400e82fefe4896ea40c6447ab98 upstream. After commit e36f62042880(block: split bios to maxpossible length), bio can be splitted in the middle of a vector entry, then it is easy to split out one bio which size isn’t aligned with block size, especially when the block size is bigger than 512. This patch fixes the issue by making the max io size aligned to logical block size. Fixes: e36f62042880(block: split bios to maxpossible length) Reported-by: Stefan Haberland Cc: Keith Busch Suggested-by: Linus Torvalds Signed-off-by: Ming Lei Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 9e5d4a6c799565346b677484f7348effd6f2d877 Author: Martin Wilck Date: Mon Nov 30 12:50:05 2015 +0100 base/platform: Fix platform drivers with no probe callback commit 25cad69f21f5532d99e2ee73c8ab6512bcab614c upstream. Since b8b2c7d845d5, platform_drv_probe() is called for all platform devices. If drv->probe is NULL, and dev_pm_domain_attach() fails, platform_drv_probe() will return the error code from dev_pm_domain_attach(). This causes real_probe() to enter the “probe_failed” path and set dev->driver to NULL. Before b8b2c7d845d5, real_probe() would assume success if both dev->bus->probe and drv->probe were missing. As a result, a device and driver could be “bound” together just by matching their names; this doesn’t work any more after b8b2c7d845d5. This may cause problems later for certain usage of platform_driver_register() and platform_device_register_simple(). I observed a panic while loading the tpm_tis driver with parameter “force=1” (i.e. registering tpm_tis as a platform driver), because tpm_tis_init’s assumption that the device returned by platform_device_register_simple() was bound didn’t hold any more (tpmm_chip_alloc() dereferences chip->pdev->driver, causing panic). This patch restores the previous (4.3.0 and earlier) behavior of platform_drv_probe() in the case when the associated platform driver has no “probe” function. Fixes: b8b2c7d845d5 (“base/platform: assert that dev_pm_domain callbacks are called unconditionally”) Signed-off-by: Martin Wilck Cc: Martin Fuzzey Acked-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 0fc93ba93bdbd73b94c67fc6250ac6e9ae9deb97 Author: Ioan-Adrian Ratiu Date: Fri Nov 20 22:19:02 2015 +0200 HID: usbhid: fix recursive deadlock commit e470127e9606b1fa151c4184243e61296d1e0c0f upstream. The critical section protected by usbhid->lock in hid_ctrl() is too big and because of this it causes a recursive deadlock. “Too big” means the case statement and the call to hid_input_report() do not need to be protected by the spinlock (no URB operations are done inside them). The deadlock happens because in certain rare cases drivers try to grab the lock while handling the ctrl irq which grabs the lock before them as described above. For example newer wacom tablets like 056a:033c try to reschedule proximity reads from wacom_intuos_schedule_prox_event() calling hid_hw_request() -> usbhid_request() -> usbhid_submit_report() which tries to grab the usbhid lock already held by hid_ctrl(). There are two ways to get out of this deadlock: 1. Make the drivers work “around” the ctrl critical region, in the wacom case for ex. by delaying the scheduling of the proximity read request itself to a workqueue. 2. Shrink the critical region so the usbhid lock protects only the instructions which modify usbhid state, calling hid_input_report() with the spinlock unlocked, allowing the device driver to grab the lock first, finish and then grab the lock afterwards in hid_ctrl(). This patch implements the 2nd solution. Signed-off-by: Ioan-Adrian Ratiu Signed-off-by: Jiri Kosina Signed-off-by: Jason Gerecke Signed-off-by: Greg Kroah-Hartman commit 001915457e3488b8c647ea77cb475e2374136a31 Author: Tariq Saeed Date: Thu Jan 21 16:40:39 2016 -0800 ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with ocfs2_unblock_lock commit b1b1e15ef6b80facf76d6757649dfd7295eda29f upstream. NFS on a 2 node ocfs2 cluster each node exporting dir. The lock causing the hang is the global bit map inode lock. Node 1 is master, has the lock granted in PR mode; Node 2 is in the converting list (PR -> EX). There are no holders of the lock on the master node so it should downconvert to NL and grant EX to node 2 but that does not happen. BLOCKED + QUEUED in lock res are set and it is on osb blocked list. Threads are waiting in __ocfs2_cluster_lock on BLOCKED. One thread wants EX, rest want PR. So it is as though the downconvert thread needs to be kicked to complete the conv. The hang is caused by an EX req coming into __ocfs2_cluster_lock on the heels of a PR req after it sets BUSY (drops l_lock, releasing EX thread), forcing the incoming EX to wait on BUSY without doing anything. PR has called ocfs2_dlm_lock, which sets the node 1 lock from NL -> PR, queues ast. At this time, upconvert (PR ->EX) arrives from node 2, finds conflict with node 1 lock in PR, so the lock res is put on dlm thread’s dirty listt. After ret from ocf2_dlm_lock, PR thread now waits behind EX on BUSY till awoken by ast. Now it is dlm_thread that serially runs dlm_shuffle_lists, ast, bast, in that order. dlm_shuffle_lists ques a bast on behalf of node 2 (which will be run by dlm_thread right after the ast). ast does its part, sets UPCONVERT_FINISHING, clears BUSY and wakes its waiters. Next, dlm_thread runs bast. It sets BLOCKED and kicks dc thread. dc thread runs ocfs2_unblock_lock, but since UPCONVERT_FINISHING set, skips doing anything and reques. Inside of __ocfs2_cluster_lock, since EX has been waiting on BUSY ahead of PR, it wakes up first, finds BLOCKED set and skips doing anything but clearing UPCONVERT_FINISHING (which was actually “meant” for the PR thread), and this time waits on BLOCKED. Next, the PR thread comes out of wait but since UPCONVERT_FINISHING is not set, it skips updating the l_ro_holders and goes straight to wait on BLOCKED. So there, we have a hang! Threads in __ocfs2_cluster_lock wait on BLOCKED, lock res in osb blocked list. Only when dc thread is awoken, it will run ocfs2_unblock_lock and things will unhang. One way to fix this is to wake the dc thread on the flag after clearing UPCONVERT_FINISHING Orabug: 20933419 Signed-off-by: Tariq Saeed Signed-off-by: Santosh Shilimkar Reviewed-by: Wengang Wang Reviewed-by: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Reviewed-by: Joseph Qi Cc: Eric Ren Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d2081cfe624b5decaaf68088ca256ed1b140672c Author: Keith Busch Date: Tue Jan 12 15:08:39 2016 -0700 block: split bios to max possible length commit e36f6204288088fda50d1c84830340ccb70f85ff upstream. This splits bio in the middle of a vector to form the largest possible bio at the h/w’s desired alignment, and guarantees the bio being split will have some data. The criteria for splitting is changed from the max sectors to the h/w’s optimal sector alignment if it is provided. For h/w that advertise their block storage’s underlying chunk size, it’s a big performance win to not submit commands that cross them. If sector alignment is not provided, this patch uses the max sectors as before. This addresses the performance issue commit d380561113 attempted to fix, but was reverted due to splitting logic error. Signed-off-by: Keith Busch Cc: Jens Axboe Cc: Ming Lei Cc: Kent Overstreet Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 1f1c9c9befd45d61ff0a91ea78892be03a4087e7 Author: Trond Myklebust Date: Mon Dec 28 11:27:15 2015 -0500 NFSv4.1/pnfs: Fixup an lo->plh_block_lgets imbalance in layoutreturn commit 1a093ceb053832c25b92f3cf26b957543c7baf9b upstream. Since commit 2d8ae84fbc32, nothing is bumping lo->plh_block_lgets in the layoutreturn path, so it should not be touched in nfs4_layoutreturn_release either. Fixes: 2d8ae84fbc32 (“NFSv4.1/pnfs: Remove redundant lo->plh_block_lgets…”) Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 6abc65624a647f5e27d2dbccff03335f3c28504a Author: LABBE Corentin Date: Mon Nov 16 09:35:54 2015 +0100 crypto: sun4i-ss - add missing statesize commit 4f9ea86604e3ba64edd2817795798168fbb3c1a6 upstream. sun4i-ss implementaton of md5/sha1 is via ahash algorithms. Commit 8996eafdcbad (“crypto: ahash - ensure statesize is non-zero”) made impossible to load them without giving statesize. This patch specifiy statesize for sha1 and md5. Fixes: 6298e948215f (“crypto: sunxi-ss - Add Allwinner Security System crypto accelerator”) Tested-by: Chen-Yu Tsai Signed-off-by: LABBE Corentin Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907