From 9dcdc6dfc3e9e377441ee7d970cd081ad9301190 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 1 Feb 2016 17:01:22 -0800
Subject: [PATCH] 3.10-stable patches

added patches:
	crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch
	dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch
	hid-usbhid-fix-recursive-deadlock.patch
---
 ...port-and-import-on-sockets-with-data.patch | 54 ++++++++++++++++
 ...ck-in-btree_split_sibling-error-path.patch | 37 +++++++++++
 .../hid-usbhid-fix-recursive-deadlock.patch   | 61 +++++++++++++++++++
 queue-3.10/series                             |  3 +
 4 files changed, 155 insertions(+)
 create mode 100644 queue-3.10/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch
 create mode 100644 queue-3.10/dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch
 create mode 100644 queue-3.10/hid-usbhid-fix-recursive-deadlock.patch

diff --git a/queue-3.10/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch b/queue-3.10/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch
new file mode 100644
index 00000000000..f76ea14e79f
--- /dev/null
+++ b/queue-3.10/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch
@@ -0,0 +1,54 @@
+From 4afa5f9617927453ac04b24b584f6c718dfb4f45 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Sun, 1 Nov 2015 17:11:19 +0800
+Subject: crypto: algif_hash - Only export and import on sockets with data
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 4afa5f9617927453ac04b24b584f6c718dfb4f45 upstream.
+
+The hash_accept call fails to work on sockets that have not received
+any data.  For some algorithm implementations it may cause crashes.
+
+This patch fixes this by ensuring that we only export and import on
+sockets that have received data.
+
+Reported-by: Harsh Jain <harshjain.prof@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Tested-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algif_hash.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/crypto/algif_hash.c
++++ b/crypto/algif_hash.c
+@@ -192,9 +192,14 @@ static int hash_accept(struct socket *so
+ 	struct sock *sk2;
+ 	struct alg_sock *ask2;
+ 	struct hash_ctx *ctx2;
++	bool more;
+ 	int err;
+ 
+-	err = crypto_ahash_export(req, state);
++	lock_sock(sk);
++	more = ctx->more;
++	err = more ? crypto_ahash_export(req, state) : 0;
++	release_sock(sk);
++
+ 	if (err)
+ 		return err;
+ 
+@@ -205,7 +210,10 @@ static int hash_accept(struct socket *so
+ 	sk2 = newsock->sk;
+ 	ask2 = alg_sk(sk2);
+ 	ctx2 = ask2->private;
+-	ctx2->more = 1;
++	ctx2->more = more;
++
++	if (!more)
++		return err;
+ 
+ 	err = crypto_ahash_import(&ctx2->req, state);
+ 	if (err) {
diff --git a/queue-3.10/dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch b/queue-3.10/dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch
new file mode 100644
index 00000000000..bfb39d2bb63
--- /dev/null
+++ b/queue-3.10/dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch
@@ -0,0 +1,37 @@
+From 30ce6e1cc5a0f781d60227e9096c86e188d2c2bd Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Mon, 23 Nov 2015 16:24:45 -0500
+Subject: dm btree: fix leak of bufio-backed block in btree_split_sibling error path
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 30ce6e1cc5a0f781d60227e9096c86e188d2c2bd upstream.
+
+The block allocated at the start of btree_split_sibling() is never
+released if later insert_at() fails.
+
+Fix this by releasing the previously allocated bufio block using
+unlock_block().
+
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/persistent-data/dm-btree.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree.c
++++ b/drivers/md/persistent-data/dm-btree.c
+@@ -455,8 +455,10 @@ static int btree_split_sibling(struct sh
+ 
+ 	r = insert_at(sizeof(__le64), pn, parent_index + 1,
+ 		      le64_to_cpu(rn->keys[0]), &location);
+-	if (r)
++	if (r) {
++		unlock_block(s->info, right);
+ 		return r;
++	}
+ 
+ 	if (key < le64_to_cpu(rn->keys[0])) {
+ 		unlock_block(s->info, right);
diff --git a/queue-3.10/hid-usbhid-fix-recursive-deadlock.patch b/queue-3.10/hid-usbhid-fix-recursive-deadlock.patch
new file mode 100644
index 00000000000..245f248ec4b
--- /dev/null
+++ b/queue-3.10/hid-usbhid-fix-recursive-deadlock.patch
@@ -0,0 +1,61 @@
+From e470127e9606b1fa151c4184243e61296d1e0c0f Mon Sep 17 00:00:00 2001
+From: Ioan-Adrian Ratiu <adi@adirat.com>
+Date: Fri, 20 Nov 2015 22:19:02 +0200
+Subject: HID: usbhid: fix recursive deadlock
+
+From: Ioan-Adrian Ratiu <adi@adirat.com>
+
+commit e470127e9606b1fa151c4184243e61296d1e0c0f upstream.
+
+The critical section protected by usbhid->lock in hid_ctrl() is too
+big and because of this it causes a recursive deadlock. "Too big" means
+the case statement and the call to hid_input_report() do not need to be
+protected by the spinlock (no URB operations are done inside them).
+
+The deadlock happens because in certain rare cases drivers try to grab
+the lock while handling the ctrl irq which grabs the lock before them
+as described above. For example newer wacom tablets like 056a:033c try
+to reschedule proximity reads from wacom_intuos_schedule_prox_event()
+calling hid_hw_request() -> usbhid_request() -> usbhid_submit_report()
+which tries to grab the usbhid lock already held by hid_ctrl().
+
+There are two ways to get out of this deadlock:
+    1. Make the drivers work "around" the ctrl critical region, in the
+    wacom case for ex. by delaying the scheduling of the proximity read
+    request itself to a workqueue.
+    2. Shrink the critical region so the usbhid lock protects only the
+    instructions which modify usbhid state, calling hid_input_report()
+    with the spinlock unlocked, allowing the device driver to grab the
+    lock first, finish and then grab the lock afterwards in hid_ctrl().
+
+This patch implements the 2nd solution.
+
+Signed-off-by: Ioan-Adrian Ratiu <adi@adirat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/usbhid/hid-core.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/usbhid/hid-core.c
++++ b/drivers/hid/usbhid/hid-core.c
+@@ -490,8 +490,6 @@ static void hid_ctrl(struct urb *urb)
+ 	struct usbhid_device *usbhid = hid->driver_data;
+ 	int unplug = 0, status = urb->status;
+ 
+-	spin_lock(&usbhid->lock);
+-
+ 	switch (status) {
+ 	case 0:			/* success */
+ 		if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_IN)
+@@ -511,6 +509,8 @@ static void hid_ctrl(struct urb *urb)
+ 		hid_warn(urb->dev, "ctrl urb status %d received\n", status);
+ 	}
+ 
++	spin_lock(&usbhid->lock);
++
+ 	if (unplug) {
+ 		usbhid->ctrltail = usbhid->ctrlhead;
+ 	} else {
diff --git a/queue-3.10/series b/queue-3.10/series
index 83f88016439..e6868474890 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -1,2 +1,5 @@
 recordmcount-fix-endianness-handling-bug-for-nop_mcount.patch
 xhci-fix-placement-of-call-to-usb_disabled.patch
+crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch
+dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch
+hid-usbhid-fix-recursive-deadlock.patch
-- 
2.47.3