--- /dev/null
+From 4afa5f9617927453ac04b24b584f6c718dfb4f45 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Sun, 1 Nov 2015 17:11:19 +0800
+Subject: crypto: algif_hash - Only export and import on sockets with data
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 4afa5f9617927453ac04b24b584f6c718dfb4f45 upstream.
+
+The hash_accept call fails to work on sockets that have not received
+any data. For some algorithm implementations it may cause crashes.
+
+This patch fixes this by ensuring that we only export and import on
+sockets that have received data.
+
+Reported-by: Harsh Jain <harshjain.prof@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Tested-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algif_hash.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/crypto/algif_hash.c
++++ b/crypto/algif_hash.c
+@@ -192,9 +192,14 @@ static int hash_accept(struct socket *so
+ struct sock *sk2;
+ struct alg_sock *ask2;
+ struct hash_ctx *ctx2;
++ bool more;
+ int err;
+
+- err = crypto_ahash_export(req, state);
++ lock_sock(sk);
++ more = ctx->more;
++ err = more ? crypto_ahash_export(req, state) : 0;
++ release_sock(sk);
++
+ if (err)
+ return err;
+
+@@ -205,7 +210,10 @@ static int hash_accept(struct socket *so
+ sk2 = newsock->sk;
+ ask2 = alg_sk(sk2);
+ ctx2 = ask2->private;
+- ctx2->more = 1;
++ ctx2->more = more;
++
++ if (!more)
++ return err;
+
+ err = crypto_ahash_import(&ctx2->req, state);
+ if (err) {
--- /dev/null
+From 30ce6e1cc5a0f781d60227e9096c86e188d2c2bd Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Mon, 23 Nov 2015 16:24:45 -0500
+Subject: dm btree: fix leak of bufio-backed block in btree_split_sibling error path
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 30ce6e1cc5a0f781d60227e9096c86e188d2c2bd upstream.
+
+The block allocated at the start of btree_split_sibling() is never
+released if later insert_at() fails.
+
+Fix this by releasing the previously allocated bufio block using
+unlock_block().
+
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/persistent-data/dm-btree.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree.c
++++ b/drivers/md/persistent-data/dm-btree.c
+@@ -455,8 +455,10 @@ static int btree_split_sibling(struct sh
+
+ r = insert_at(sizeof(__le64), pn, parent_index + 1,
+ le64_to_cpu(rn->keys[0]), &location);
+- if (r)
++ if (r) {
++ unlock_block(s->info, right);
+ return r;
++ }
+
+ if (key < le64_to_cpu(rn->keys[0])) {
+ unlock_block(s->info, right);
--- /dev/null
+From e470127e9606b1fa151c4184243e61296d1e0c0f Mon Sep 17 00:00:00 2001
+From: Ioan-Adrian Ratiu <adi@adirat.com>
+Date: Fri, 20 Nov 2015 22:19:02 +0200
+Subject: HID: usbhid: fix recursive deadlock
+
+From: Ioan-Adrian Ratiu <adi@adirat.com>
+
+commit e470127e9606b1fa151c4184243e61296d1e0c0f upstream.
+
+The critical section protected by usbhid->lock in hid_ctrl() is too
+big and because of this it causes a recursive deadlock. "Too big" means
+the case statement and the call to hid_input_report() do not need to be
+protected by the spinlock (no URB operations are done inside them).
+
+The deadlock happens because in certain rare cases drivers try to grab
+the lock while handling the ctrl irq which grabs the lock before them
+as described above. For example newer wacom tablets like 056a:033c try
+to reschedule proximity reads from wacom_intuos_schedule_prox_event()
+calling hid_hw_request() -> usbhid_request() -> usbhid_submit_report()
+which tries to grab the usbhid lock already held by hid_ctrl().
+
+There are two ways to get out of this deadlock:
+ 1. Make the drivers work "around" the ctrl critical region, in the
+ wacom case for ex. by delaying the scheduling of the proximity read
+ request itself to a workqueue.
+ 2. Shrink the critical region so the usbhid lock protects only the
+ instructions which modify usbhid state, calling hid_input_report()
+ with the spinlock unlocked, allowing the device driver to grab the
+ lock first, finish and then grab the lock afterwards in hid_ctrl().
+
+This patch implements the 2nd solution.
+
+Signed-off-by: Ioan-Adrian Ratiu <adi@adirat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/usbhid/hid-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/usbhid/hid-core.c
++++ b/drivers/hid/usbhid/hid-core.c
+@@ -490,8 +490,6 @@ static void hid_ctrl(struct urb *urb)
+ struct usbhid_device *usbhid = hid->driver_data;
+ int unplug = 0, status = urb->status;
+
+- spin_lock(&usbhid->lock);
+-
+ switch (status) {
+ case 0: /* success */
+ if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_IN)
+@@ -511,6 +509,8 @@ static void hid_ctrl(struct urb *urb)
+ hid_warn(urb->dev, "ctrl urb status %d received\n", status);
+ }
+
++ spin_lock(&usbhid->lock);
++
+ if (unplug) {
+ usbhid->ctrltail = usbhid->ctrlhead;
+ } else {
recordmcount-fix-endianness-handling-bug-for-nop_mcount.patch
xhci-fix-placement-of-call-to-usb_disabled.patch
+crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch
+dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch
+hid-usbhid-fix-recursive-deadlock.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
