From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 2 Feb 2016 01:30:35 +0000 (-0800)
Subject: 3.14-stable patches
X-Git-Tag: v4.4.2~49
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=99e7b8e3f65564ec6c86f9e5f5b524c1b8cbf19c;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
	crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch
	dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch
	drivers-base-memory.c-prohibit-offlining-of-memory-blocks-with-missing-sections.patch
	hid-usbhid-fix-recursive-deadlock.patch
---

diff --git a/queue-3.14/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch b/queue-3.14/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch
new file mode 100644
index 00000000000..f76ea14e79f
--- /dev/null
+++ b/queue-3.14/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch
@@ -0,0 +1,54 @@
+From 4afa5f9617927453ac04b24b584f6c718dfb4f45 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Sun, 1 Nov 2015 17:11:19 +0800
+Subject: crypto: algif_hash - Only export and import on sockets with data
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 4afa5f9617927453ac04b24b584f6c718dfb4f45 upstream.
+
+The hash_accept call fails to work on sockets that have not received
+any data.  For some algorithm implementations it may cause crashes.
+
+This patch fixes this by ensuring that we only export and import on
+sockets that have received data.
+
+Reported-by: Harsh Jain <harshjain.prof@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Tested-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algif_hash.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/crypto/algif_hash.c
++++ b/crypto/algif_hash.c
+@@ -192,9 +192,14 @@ static int hash_accept(struct socket *so
+ 	struct sock *sk2;
+ 	struct alg_sock *ask2;
+ 	struct hash_ctx *ctx2;
++	bool more;
+ 	int err;
+ 
+-	err = crypto_ahash_export(req, state);
++	lock_sock(sk);
++	more = ctx->more;
++	err = more ? crypto_ahash_export(req, state) : 0;
++	release_sock(sk);
++
+ 	if (err)
+ 		return err;
+ 
+@@ -205,7 +210,10 @@ static int hash_accept(struct socket *so
+ 	sk2 = newsock->sk;
+ 	ask2 = alg_sk(sk2);
+ 	ctx2 = ask2->private;
+-	ctx2->more = 1;
++	ctx2->more = more;
++
++	if (!more)
++		return err;
+ 
+ 	err = crypto_ahash_import(&ctx2->req, state);
+ 	if (err) {
diff --git a/queue-3.14/dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch b/queue-3.14/dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch
new file mode 100644
index 00000000000..c8f84e36ce1
--- /dev/null
+++ b/queue-3.14/dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch
@@ -0,0 +1,37 @@
+From 30ce6e1cc5a0f781d60227e9096c86e188d2c2bd Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Mon, 23 Nov 2015 16:24:45 -0500
+Subject: dm btree: fix leak of bufio-backed block in btree_split_sibling error path
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 30ce6e1cc5a0f781d60227e9096c86e188d2c2bd upstream.
+
+The block allocated at the start of btree_split_sibling() is never
+released if later insert_at() fails.
+
+Fix this by releasing the previously allocated bufio block using
+unlock_block().
+
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/persistent-data/dm-btree.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree.c
++++ b/drivers/md/persistent-data/dm-btree.c
+@@ -471,8 +471,10 @@ static int btree_split_sibling(struct sh
+ 
+ 	r = insert_at(sizeof(__le64), pn, parent_index + 1,
+ 		      le64_to_cpu(rn->keys[0]), &location);
+-	if (r)
++	if (r) {
++		unlock_block(s->info, right);
+ 		return r;
++	}
+ 
+ 	if (key < le64_to_cpu(rn->keys[0])) {
+ 		unlock_block(s->info, right);
diff --git a/queue-3.14/drivers-base-memory.c-prohibit-offlining-of-memory-blocks-with-missing-sections.patch b/queue-3.14/drivers-base-memory.c-prohibit-offlining-of-memory-blocks-with-missing-sections.patch
new file mode 100644
index 00000000000..96fd2ed485a
--- /dev/null
+++ b/queue-3.14/drivers-base-memory.c-prohibit-offlining-of-memory-blocks-with-missing-sections.patch
@@ -0,0 +1,52 @@
+From 26bbe7ef6d5cdc7ec08cba6d433fca4060f258f3 Mon Sep 17 00:00:00 2001
+From: Seth Jennings <sjennings@variantweb.net>
+Date: Fri, 11 Dec 2015 13:40:57 -0800
+Subject: drivers/base/memory.c: prohibit offlining of memory blocks with missing sections
+
+From: Seth Jennings <sjennings@variantweb.net>
+
+commit 26bbe7ef6d5cdc7ec08cba6d433fca4060f258f3 upstream.
+
+Commit bdee237c0343 ("x86: mm: Use 2GB memory block size on large-memory
+x86-64 systems") and 982792c782ef ("x86, mm: probe memory block size for
+generic x86 64bit") introduced large block sizes for x86.  This made it
+possible to have multiple sections per memory block where previously,
+there was a only every one section per block.
+
+Since blocks consist of contiguous ranges of section, there can be holes
+in the blocks where sections are not present.  If one attempts to
+offline such a block, a crash occurs since the code is not designed to
+deal with this.
+
+This patch is a quick fix to gaurd against the crash by not allowing
+blocks with non-present sections to be offlined.
+
+Addresses https://bugzilla.kernel.org/show_bug.cgi?id=107781
+
+Signed-off-by: Seth Jennings <sjennings@variantweb.net>
+Reported-by: Andrew Banman <abanman@sgi.com>
+Cc: Daniel J Blueman <daniel@numascale.com>
+Cc: Yinghai Lu <yinghai@kernel.org>
+Cc: Greg KH <greg@kroah.com>
+Cc: Russ Anderson <rja@sgi.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/memory.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/base/memory.c
++++ b/drivers/base/memory.c
+@@ -311,6 +311,10 @@ static int memory_subsys_offline(struct
+ 	if (mem->state == MEM_OFFLINE)
+ 		return 0;
+ 
++	/* Can't offline block with non-present sections */
++	if (mem->section_count != sections_per_block)
++		return -EINVAL;
++
+ 	return memory_block_change_state(mem, MEM_OFFLINE, MEM_ONLINE);
+ }
+ 
diff --git a/queue-3.14/hid-usbhid-fix-recursive-deadlock.patch b/queue-3.14/hid-usbhid-fix-recursive-deadlock.patch
new file mode 100644
index 00000000000..4006b93e335
--- /dev/null
+++ b/queue-3.14/hid-usbhid-fix-recursive-deadlock.patch
@@ -0,0 +1,61 @@
+From e470127e9606b1fa151c4184243e61296d1e0c0f Mon Sep 17 00:00:00 2001
+From: Ioan-Adrian Ratiu <adi@adirat.com>
+Date: Fri, 20 Nov 2015 22:19:02 +0200
+Subject: HID: usbhid: fix recursive deadlock
+
+From: Ioan-Adrian Ratiu <adi@adirat.com>
+
+commit e470127e9606b1fa151c4184243e61296d1e0c0f upstream.
+
+The critical section protected by usbhid->lock in hid_ctrl() is too
+big and because of this it causes a recursive deadlock. "Too big" means
+the case statement and the call to hid_input_report() do not need to be
+protected by the spinlock (no URB operations are done inside them).
+
+The deadlock happens because in certain rare cases drivers try to grab
+the lock while handling the ctrl irq which grabs the lock before them
+as described above. For example newer wacom tablets like 056a:033c try
+to reschedule proximity reads from wacom_intuos_schedule_prox_event()
+calling hid_hw_request() -> usbhid_request() -> usbhid_submit_report()
+which tries to grab the usbhid lock already held by hid_ctrl().
+
+There are two ways to get out of this deadlock:
+    1. Make the drivers work "around" the ctrl critical region, in the
+    wacom case for ex. by delaying the scheduling of the proximity read
+    request itself to a workqueue.
+    2. Shrink the critical region so the usbhid lock protects only the
+    instructions which modify usbhid state, calling hid_input_report()
+    with the spinlock unlocked, allowing the device driver to grab the
+    lock first, finish and then grab the lock afterwards in hid_ctrl().
+
+This patch implements the 2nd solution.
+
+Signed-off-by: Ioan-Adrian Ratiu <adi@adirat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/usbhid/hid-core.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/usbhid/hid-core.c
++++ b/drivers/hid/usbhid/hid-core.c
+@@ -492,8 +492,6 @@ static void hid_ctrl(struct urb *urb)
+ 	struct usbhid_device *usbhid = hid->driver_data;
+ 	int unplug = 0, status = urb->status;
+ 
+-	spin_lock(&usbhid->lock);
+-
+ 	switch (status) {
+ 	case 0:			/* success */
+ 		if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_IN)
+@@ -513,6 +511,8 @@ static void hid_ctrl(struct urb *urb)
+ 		hid_warn(urb->dev, "ctrl urb status %d received\n", status);
+ 	}
+ 
++	spin_lock(&usbhid->lock);
++
+ 	if (unplug) {
+ 		usbhid->ctrltail = usbhid->ctrlhead;
+ 	} else {
diff --git a/queue-3.14/series b/queue-3.14/series
index af2c04d39e0..1cd87e6454f 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -1,2 +1,6 @@
 xhci-fix-placement-of-call-to-usb_disabled.patch
 recordmcount-fix-endianness-handling-bug-for-nop_mcount.patch
+crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch
+dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch
+drivers-base-memory.c-prohibit-offlining-of-memory-blocks-with-missing-sections.patch
+hid-usbhid-fix-recursive-deadlock.patch