1. 30 Apr, 2016 30 commits
  2. 01 Apr, 2016 10 commits
    • Ben Hutchings's avatar
      Linux 3.2.79 · 16180256
      Ben Hutchings authored
      16180256
    • Ioan-Adrian Ratiu's avatar
      HID: usbhid: fix recursive deadlock · 7f613852
      Ioan-Adrian Ratiu authored
      commit e470127e upstream.
      
      The critical section protected by usbhid->lock in hid_ctrl() is too
      big and because of this it causes a recursive deadlock. "Too big" means
      the case statement and the call to hid_input_report() do not need to be
      protected by the spinlock (no URB operations are done inside them).
      
      The deadlock happens because in certain rare cases drivers try to grab
      the lock while handling the ctrl irq which grabs the lock before them
      as described above. For example newer wacom tablets like 056a:033c try
      to reschedule proximity reads from wacom_intuos_schedule_prox_event()
      calling hid_hw_request() -> usbhid_request() -> usbhid_submit_report()
      which tries to grab the usbhid lock already held by hid_ctrl().
      
      There are two ways to get out of this deadlock:
          1. Make the drivers work "around" the ctrl critical region, in the
          wacom case for ex. by delaying the scheduling of the proximity read
          request itself to a workqueue.
          2. Shrink the critical region so the usbhid lock protects only the
          instructions which modify usbhid state, calling hid_input_report()
          with the spinlock unlocked, allowing the device driver to grab the
          lock first, finish and then grab the lock afterwards in hid_ctrl().
      
      This patch implements the 2nd solution.
      Signed-off-by: default avatarIoan-Adrian Ratiu <adi@adirat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      [bwh: Backported to 3.2: adjust context]
      Cc: Jason Gerecke <jason.gerecke@wacom.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7f613852
    • Vasily Kulikov's avatar
      include/linux/poison.h: fix LIST_POISON{1,2} offset · d7a1adec
      Vasily Kulikov authored
      commit 8a5e5e02 upstream.
      
      Poison pointer values should be small enough to find a room in
      non-mmap'able/hardly-mmap'able space.  E.g.  on x86 "poison pointer space"
      is located starting from 0x0.  Given unprivileged users cannot mmap
      anything below mmap_min_addr, it should be safe to use poison pointers
      lower than mmap_min_addr.
      
      The current poison pointer values of LIST_POISON{1,2} might be too big for
      mmap_min_addr values equal or less than 1 MB (common case, e.g.  Ubuntu
      uses only 0x10000).  There is little point to use such a big value given
      the "poison pointer space" below 1 MB is not yet exhausted.  Changing it
      to a smaller value solves the problem for small mmap_min_addr setups.
      
      The values are suggested by Solar Designer:
      http://www.openwall.com/lists/oss-security/2015/05/02/6Signed-off-by: default avatarVasily Kulikov <segoon@openwall.com>
      Cc: Solar Designer <solar@openwall.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d7a1adec
    • Vladis Dronov's avatar
      Input: aiptek - fix crash on detecting device without endpoints · 90eb3c03
      Vladis Dronov authored
      commit 8e20cf2b upstream.
      
      The aiptek driver crashes in aiptek_probe() when a specially crafted USB
      device without endpoints is detected. This fix adds a check that the device
      has proper configuration expected by the driver. Also an error return value
      is changed to more matching one in one of the error paths.
      Reported-by: default avatarRalf Spenneberg <ralf@spenneberg.net>
      Signed-off-by: default avatarVladis Dronov <vdronov@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      90eb3c03
    • Martin Schwidefsky's avatar
      s390/mm: four page table levels vs. fork · 03aeac30
      Martin Schwidefsky authored
      commit 3446c13b upstream.
      
      The fork of a process with four page table levels is broken since
      git commit 6252d702 "[S390] dynamic page tables."
      
      All new mm contexts are created with three page table levels and
      an asce limit of 4TB. If the parent has four levels dup_mmap will
      add vmas to the new context which are outside of the asce limit.
      The subsequent call to copy_page_range will walk the three level
      page table structure of the new process with non-zero pgd and pud
      indexes. This leads to memory clobbers as the pgd_index *and* the
      pud_index is added to the mm->pgd pointer without a pgd_deref
      in between.
      
      The init_new_context() function is selecting the number of page
      table levels for a new context. The function is used by mm_init()
      which in turn is called by dup_mm() and mm_alloc(). These two are
      used by fork() and exec(). The init_new_context() function can
      distinguish the two cases by looking at mm->context.asce_limit,
      for fork() the mm struct has been copied and the number of page
      table levels may not change. For exec() the mm_alloc() function
      set the new mm structure to zero, in this case a three-level page
      table is created as the temporary stack space is located at
      STACK_TOP_MAX = 4TB.
      
      This fixes CVE-2016-2143.
      Reported-by: default avatarMarcin Kościelnicki <koriakin@0x04.net>
      Reviewed-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      [bwh: Backported to 3.2:
       - 31-bit s390 is still supported so keep the #ifdef CONFIG_64BIT conditions
       - Split page table locks are not implemented for PMDs so don't call
         pgtable_pmd_page_{ctor,dtor}()
       - PMDs are not accounted so don't call mm_inc_nr_pmds()
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      03aeac30
    • Linus Torvalds's avatar
      Revert "drm/radeon: call hpd_irq_event on resume" · 688d5477
      Linus Torvalds authored
      commit 256faedc upstream.
      
      This reverts commit dbb17a21.
      
      It turns out that commit can cause problems for systems with multiple
      GPUs, and causes X to hang on at least a HP Pavilion dv7 with hybrid
      graphics.
      
      This got noticed originally in 4.4.4, where this patch had already
      gotten back-ported, but 4.5-rc7 was verified to have the same problem.
      
      Alexander Deucher says:
       "It looks like you have a muxed system so I suspect what's happening is
        that one of the display is being reported as connected for both the
        IGP and the dGPU and then the desktop environment gets confused or
        there some sort problem in the detect functions since the mux is not
        switched to the dGPU.  I don't see an easy fix unless Dave has any
        ideas.  I'd say just revert for now"
      Reported-by: default avatarJörg-Volker Peetz <jvpeetz@web.de>
      Acked-by: default avatarAlexander Deucher <Alexander.Deucher@amd.com>
      Cc: Dave Airlie <airlied@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      688d5477
    • Richard Weinberger's avatar
      ubi: Fix out of bounds write in volume update code · 7aae7964
      Richard Weinberger authored
      commit e4f6daac upstream.
      
      ubi_start_leb_change() allocates too few bytes.
      ubi_more_leb_change_data() will write up to req->upd_bytes +
      ubi->min_io_size bytes.
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Reviewed-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7aae7964
    • Maciej W. Rozycki's avatar
      MIPS: traps: Fix SIGFPE information leak from `do_ov' and `do_trap_or_bp' · 5476a24d
      Maciej W. Rozycki authored
      commit e723e3f7 upstream.
      
      Avoid sending a partially initialised `siginfo_t' structure along SIGFPE
      signals issued from `do_ov' and `do_trap_or_bp', leading to information
      leaking from the kernel stack.
      Signed-off-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5476a24d
    • Benjamin Poirier's avatar
      mld, igmp: Fix reserved tailroom calculation · a2a17573
      Benjamin Poirier authored
      commit 1837b2e2 upstream.
      
      The current reserved_tailroom calculation fails to take hlen and tlen into
      account.
      
      skb:
      [__hlen__|__data____________|__tlen___|__extra__]
      ^                                               ^
      head                                            skb_end_offset
      
      In this representation, hlen + data + tlen is the size passed to alloc_skb.
      "extra" is the extra space made available in __alloc_skb because of
      rounding up by kmalloc. We can reorder the representation like so:
      
      [__hlen__|__data____________|__extra__|__tlen___]
      ^                                               ^
      head                                            skb_end_offset
      
      The maximum space available for ip headers and payload without
      fragmentation is min(mtu, data + extra). Therefore,
      reserved_tailroom
      = data + extra + tlen - min(mtu, data + extra)
      = skb_end_offset - hlen - min(mtu, skb_end_offset - hlen - tlen)
      = skb_tailroom - min(mtu, skb_tailroom - tlen) ; after skb_reserve(hlen)
      
      Compare the second line to the current expression:
      reserved_tailroom = skb_end_offset - min(mtu, skb_end_offset)
      and we can see that hlen and tlen are not taken into account.
      
      The min() in the third line can be expanded into:
      if mtu < skb_tailroom - tlen:
      	reserved_tailroom = skb_tailroom - mtu
      else:
      	reserved_tailroom = tlen
      
      Depending on hlen, tlen, mtu and the number of multicast address records,
      the current code may output skbs that have less tailroom than
      dev->needed_tailroom or it may output more skbs than needed because not all
      space available is used.
      
      Fixes: 4c672e4b ("ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs")
      Signed-off-by: default avatarBenjamin Poirier <bpoirier@suse.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a2a17573
    • Or Gerlitz's avatar
      IB/core: Use GRH when the path hop-limit > 0 · a1663179
      Or Gerlitz authored
      commit 11d8d645 upstream.
      
      According to IBTA spec v1.3 section 12.7.19, QPs should use GRH when
      the path returned by the SA has hop-limit > 0. Currently, we do that
      only for the > 1 case, fix that.
      
      Fixes: 6d969a47 ('IB/sa: Add ib_init_ah_from_path()')
      Signed-off-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Reviewed-by: default avatarJason Gunthorpe <jgunthorpe@obsidianresearch.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a1663179