1. 02 Feb, 2016 15 commits
    • Borislav Petkov's avatar
      EDAC: Robustify workqueues destruction · 3089ebbd
      Borislav Petkov authored
      commit fcd5c4dd upstream.
      
      EDAC workqueue destruction is really fragile. We cancel delayed work
      but if it is still running and requeues itself, we still go ahead and
      destroy the workqueue and the queued work explodes when workqueue core
      attempts to run it.
      
      Make the destruction more robust by switching op_state to offline so
      that requeuing stops. Cancel any pending work *synchronously* too.
      
        EDAC i7core: Driver loaded.
        general protection fault: 0000 [#1] SMP
        CPU 12
        Modules linked in:
        Supported: Yes
        Pid: 0, comm: kworker/0:1 Tainted: G          IE   3.0.101-0-default #1 HP ProLiant DL380 G7
        RIP: 0010:[<ffffffff8107dcd7>]  [<ffffffff8107dcd7>] __queue_work+0x17/0x3f0
        < ... regs ...>
        Process kworker/0:1 (pid: 0, threadinfo ffff88019def6000, task ffff88019def4600)
        Stack:
         ...
        Call Trace:
         call_timer_fn
         run_timer_softirq
         __do_softirq
         call_softirq
         do_softirq
         irq_exit
         smp_apic_timer_interrupt
         apic_timer_interrupt
         intel_idle
         cpuidle_idle_call
         cpu_idle
        Code: ...
        RIP  __queue_work
         RSP <...>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3089ebbd
    • Borislav Petkov's avatar
      EDAC, mc_sysfs: Fix freeing bus' name · 777701c4
      Borislav Petkov authored
      commit 12e26969 upstream.
      
      I get the splat below when modprobing/rmmoding EDAC drivers. It happens
      because bus->name is invalid after bus_unregister() has run. The Code: section
      below corresponds to:
      
        .loc 1 1108 0
        movq    672(%rbx), %rax # mci_1(D)->bus, mci_1(D)->bus
        .loc 1 1109 0
        popq    %rbx    #
      
        .loc 1 1108 0
        movq    (%rax), %rdi    # _7->name,
        jmp     kfree   #
      
      and %rax has some funky stuff 2030203020312030 which looks a lot like
      something walked over it.
      
      Fix that by saving the name ptr before doing stuff to string it points to.
      
        general protection fault: 0000 [#1] SMP
        Modules linked in: ...
        CPU: 4 PID: 10318 Comm: modprobe Tainted: G          I EN  3.12.51-11-default+ #48
        Hardware name: HP ProLiant DL380 G7, BIOS P67 05/05/2011
        task: ffff880311320280 ti: ffff88030da3e000 task.ti: ffff88030da3e000
        RIP: 0010:[<ffffffffa019da92>]  [<ffffffffa019da92>] edac_unregister_sysfs+0x22/0x30 [edac_core]
        RSP: 0018:ffff88030da3fe28  EFLAGS: 00010292
        RAX: 2030203020312030 RBX: ffff880311b4e000 RCX: 000000000000095c
        RDX: 0000000000000001 RSI: ffff880327bb9600 RDI: 0000000000000286
        RBP: ffff880311b4e750 R08: 0000000000000000 R09: ffffffff81296110
        R10: 0000000000000400 R11: 0000000000000000 R12: ffff88030ba1ac68
        R13: 0000000000000001 R14: 00000000011b02f0 R15: 0000000000000000
        FS:  00007fc9bf8f5700(0000) GS:ffff8801a7c40000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
        CR2: 0000000000403c90 CR3: 000000019ebdf000 CR4: 00000000000007e0
        Stack:
        Call Trace:
          i7core_unregister_mci.isra.9
          i7core_remove
          pci_device_remove
          __device_release_driver
          driver_detach
          bus_remove_driver
          pci_unregister_driver
          i7core_exit
          SyS_delete_module
          system_call_fastpath
          0x7fc9bf426536
        Code: 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 53 48 89 fb e8 52 2a 1f e1 48 8b bb a0 02 00 00 e8 46 59 1f e1 48 8b 83 a0 02 00 00 5b <48> 8b 38 e9 26 9a fe e0 66 0f 1f 44 00 00 66 66 66 66 90 48 8b
        RIP  [<ffffffffa019da92>] edac_unregister_sysfs+0x22/0x30 [edac_core]
         RSP <ffff88030da3fe28>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Fixes: 7a623c03 ("edac: rewrite the sysfs code to use struct device")
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      777701c4
    • Junjie Mao's avatar
      EDAC: Fix the leak of mci->bus->name when bus_register fails · 36d04acf
      Junjie Mao authored
      commit 1bf1950c upstream.
      
      Also use goto labels for all failure paths in
      edac_create_sysfs_mci_device and update meaningless labels.
      Signed-off-by: default avatarJunjie Mao <junjie.mao@hotmail.com>
      Link: http://lkml.kernel.org/r/BLU436-SMTP25291B6B612942A212AEBFE95300@phx.gbl
      [ Boris: Use ! for 0 checks and add newlines for less crammed code. ]
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      36d04acf
    • Uri Mashiach's avatar
      wlcore/wl12xx: spi: fix oops on firmware load · b8b4a3a0
      Uri Mashiach authored
      commit 9b2761cb upstream.
      
      The maximum chunks used by the function is
      (SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE + 1).
      The original commands array had space for
      (SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) commands.
      When the last chunk is used (len > 4 * WSPI_MAX_CHUNK_SIZE), the last
      command is stored outside the bounds of the commands array.
      
      Oops 5 (page fault) is generated during current wl1271 firmware load
      attempt:
      
      root@debian-armhf:~# ifconfig wlan0 up
      [  294.312399] Unable to handle kernel paging request at virtual address
      00203fc4
      [  294.320173] pgd = de528000
      [  294.323028] [00203fc4] *pgd=00000000
      [  294.326916] Internal error: Oops: 5 [#1] SMP ARM
      [  294.331789] Modules linked in: bnep rfcomm bluetooth ipv6 arc4 wl12xx
      wlcore mac80211 musb_dsps cfg80211 musb_hdrc usbcore usb_common
      wlcore_spi omap_rng rng_core musb_am335x omap_wdt cpufreq_dt thermal_sys
      hwmon
      [  294.351838] CPU: 0 PID: 1827 Comm: ifconfig Not tainted
      4.2.0-00002-g3e9ad27-dirty #78
      [  294.360154] Hardware name: Generic AM33XX (Flattened Device Tree)
      [  294.366557] task: dc9d6d40 ti: de550000 task.ti: de550000
      [  294.372236] PC is at __spi_validate+0xa8/0x2ac
      [  294.376902] LR is at __spi_sync+0x78/0x210
      [  294.381200] pc : [<c049c760>]    lr : [<c049ebe0>]    psr: 60000013
      [  294.381200] sp : de551998  ip : de5519d8  fp : 00200000
      [  294.393242] r10: de551c8c  r9 : de5519d8  r8 : de3a9000
      [  294.398730] r7 : de3a9258  r6 : de3a9400  r5 : de551a48  r4 :
      00203fbc
      [  294.405577] r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 :
      de3a9000
      [  294.412420] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM
      Segment user
      [  294.419918] Control: 10c5387d  Table: 9e528019  DAC: 00000015
      [  294.425954] Process ifconfig (pid: 1827, stack limit = 0xde550218)
      [  294.432437] Stack: (0xde551998 to 0xde552000)
      
      ...
      
      [  294.883613] [<c049c760>] (__spi_validate) from [<c049ebe0>]
      (__spi_sync+0x78/0x210)
      [  294.891670] [<c049ebe0>] (__spi_sync) from [<bf036598>]
      (wl12xx_spi_raw_write+0xfc/0x148 [wlcore_spi])
      [  294.901661] [<bf036598>] (wl12xx_spi_raw_write [wlcore_spi]) from
      [<bf21c694>] (wlcore_boot_upload_firmware+0x1ec/0x458 [wlcore])
      [  294.914038] [<bf21c694>] (wlcore_boot_upload_firmware [wlcore]) from
      [<bf24532c>] (wl12xx_boot+0xc10/0xfac [wl12xx])
      [  294.925161] [<bf24532c>] (wl12xx_boot [wl12xx]) from [<bf20d5cc>]
      (wl1271_op_add_interface+0x5b0/0x910 [wlcore])
      [  294.936364] [<bf20d5cc>] (wl1271_op_add_interface [wlcore]) from
      [<bf15c4ac>] (ieee80211_do_open+0x44c/0xf7c [mac80211])
      [  294.947963] [<bf15c4ac>] (ieee80211_do_open [mac80211]) from
      [<c0537978>] (__dev_open+0xa8/0x110)
      [  294.957307] [<c0537978>] (__dev_open) from [<c0537bf8>]
      (__dev_change_flags+0x88/0x148)
      [  294.965713] [<c0537bf8>] (__dev_change_flags) from [<c0537cd0>]
      (dev_change_flags+0x18/0x48)
      [  294.974576] [<c0537cd0>] (dev_change_flags) from [<c05a55a0>]
      (devinet_ioctl+0x6b4/0x7d0)
      [  294.983191] [<c05a55a0>] (devinet_ioctl) from [<c0517040>]
      (sock_ioctl+0x1e4/0x2bc)
      [  294.991244] [<c0517040>] (sock_ioctl) from [<c017d378>]
      (do_vfs_ioctl+0x420/0x6b0)
      [  294.999208] [<c017d378>] (do_vfs_ioctl) from [<c017d674>]
      (SyS_ioctl+0x6c/0x7c)
      [  295.006880] [<c017d674>] (SyS_ioctl) from [<c000f4c0>]
      (ret_fast_syscall+0x0/0x54)
      [  295.014835] Code: e1550004 e2444034 0a00007d e5953018 (e5942008)
      [  295.021544] ---[ end trace 66ed188198f4e24e ]---
      Signed-off-by: default avatarUri Mashiach <uri.mashiach@compulab.co.il>
      Acked-by: default avatarIgor Grinberg <grinberg@compulab.co.il>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      b8b4a3a0
    • Peter Wu's avatar
      rtlwifi: fix memory leak for USB device · fb322165
      Peter Wu authored
      commit 17bc5586 upstream.
      
      Free skb for received frames with a wrong checksum. This can happen
      pretty rapidly, exhausting all memory.
      
      This fixes a memleak (detected with kmemleak). Originally found while
      using monitor mode, but it also appears during managed mode (once the
      link is up).
      Signed-off-by: default avatarPeter Wu <peter@lekensteyn.nl>
      ACKed-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      [ luis: backported to 3.16:
        - file rename: drivers/net/wireless/realtek/rtlwifi/usb.c ->
          drivers/net/wireless/rtlwifi/usb.c ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      fb322165
    • Dmitry Tunin's avatar
      Bluetooth: Add support of Toshiba Broadcom based devices · eb43bef3
      Dmitry Tunin authored
      commit 1623d0bf upstream.
      
      BugLink: https://bugs.launchpad.net/bugs/1522949
      
          T: Bus=03 Lev=02 Prnt=02 Port=05 Cnt=02 Dev#= 4 Spd=12 MxCh= 0
          D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
          P: Vendor=0930 ProdID=0225 Rev=01.12
          S: Manufacturer=Broadcom Corp
          S: Product=BCM43142A0
          S: SerialNumber=4CBB58034671
          C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA
          I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
          I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
          I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
          I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
      Signed-off-by: default avatarDmitry Tunin <hanipouspilot@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      eb43bef3
    • David Gibson's avatar
      time: Avoid signed overflow in timekeeping_get_ns() · 1b69e00d
      David Gibson authored
      commit 35a4933a upstream.
      
      1e75fa8b "time: Condense timekeeper.xtime into xtime_sec" replaced a call to
      clocksource_cyc2ns() from timekeeping_get_ns() with an open-coded version
      of the same logic to avoid keeping a semi-redundant struct timespec
      in struct timekeeper.
      
      However, the commit also introduced a subtle semantic change - where
      clocksource_cyc2ns() uses purely unsigned math, the new version introduces
      a signed temporary, meaning that if (delta * tk->mult) has a 63-bit
      overflow the following shift will still give a negative result.  The
      choice of 'maxsec' in __clocksource_updatefreq_scale() means this will
      generally happen if there's a ~10 minute pause in examining the
      clocksource.
      
      This can be triggered on a powerpc KVM guest by stopping it from qemu for
      a bit over 10 minutes.  After resuming time has jumped backwards several
      minutes causing numerous problems (jiffies does not advance, msleep()s can
      be extended by minutes..).  It doesn't happen on x86 KVM guests, because
      the guest TSC is effectively frozen while the guest is stopped, which is
      not the case for the powerpc timebase.
      
      Obviously an unsigned (64 bit) overflow will only take twice as long as a
      signed, 63-bit overflow.  I don't know the time code well enough to know
      if that will still cause incorrect calculations, or if a 64-bit overflow
      is avoided elsewhere.
      
      Still, an incorrect forwards clock adjustment will cause less trouble than
      time going backwards.  So, this patch removes the potential for
      intermediate signed overflow.
      Suggested-by: default avatarLaurent Vivier <lvivier@redhat.com>
      Tested-by: default avatarLaurent Vivier <lvivier@redhat.com>
      Signed-off-by: default avatarDavid Gibson <david@gibson.dropbear.id.au>
      Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      1b69e00d
    • John Blackwood's avatar
      arm64: Clear out any singlestep state on a ptrace detach operation · cb220afb
      John Blackwood authored
      commit 5db4fd8c upstream.
      
      Make sure to clear out any ptrace singlestep state when a ptrace(2)
      PTRACE_DETACH call is made on arm64 systems.
      
      Otherwise, the previously ptraced task will die off with a SIGTRAP
      signal if the debugger just previously singlestepped the ptraced task.
      Signed-off-by: default avatarJohn Blackwood <john.blackwood@ccur.com>
      [will: added comment to justify why this is in the arch code]
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      cb220afb
    • Oliver Neukum's avatar
      xhci: refuse loading if nousb is used · fa25f0e6
      Oliver Neukum authored
      commit 1eaf35e4 upstream.
      
      The module should fail to load.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [ luis: backported to 3.16:
        - moved usb_disabled() check to the top of the function so that there's
          no need to invoke xhci_unregister_pci() before returning.  Suggested
          by gregkh. ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      fa25f0e6
    • Alex Deucher's avatar
      drm/radeon: call hpd_irq_event on resume · 133742f9
      Alex Deucher authored
      commit dbb17a21 upstream.
      
      Need to call this on resume if displays changes during
      suspend in order to properly be notified of changes.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      133742f9
    • Paolo Bonzini's avatar
      KVM: x86: correctly print #AC in traces · abe7f4d6
      Paolo Bonzini authored
      commit aba2f06c upstream.
      
      Poor #AC was so unimportant until a few days ago that we were
      not even tracing its name correctly.  But now it's all over
      the place.
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      abe7f4d6
    • Paolo Bonzini's avatar
      KVM: x86: expose MSR_TSC_AUX to userspace · a79ed0ed
      Paolo Bonzini authored
      commit 9dbe6cf9 upstream.
      
      If we do not do this, it is not properly saved and restored across
      migration.  Windows notices due to its self-protection mechanisms,
      and is very upset about it (blue screen of death).
      
      Cc: Radim Krcmar <rkrcmar@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      a79ed0ed
    • Steven Rostedt's avatar
      tools lib traceevent: Fix output of %llu for 64 bit values read on 32 bit machines · a62c2e1e
      Steven Rostedt authored
      commit 32abc2ed upstream.
      
      When a long value is read on 32 bit machines for 64 bit output, the
      parsing needs to change "%lu" into "%llu", as the value is read
      natively.
      
      Unfortunately, if "%llu" is already there, the code will add another "l"
      to it and fail to parse it properly.
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Acked-by: default avatarNamhyung Kim <namhyung@kernel.org>
      Link: http://lkml.kernel.org/r/20151116172516.4b79b109@gandalf.local.homeSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      a62c2e1e
    • Malcolm Priestley's avatar
      [media] media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode · 2e2e5f3d
      Malcolm Priestley authored
      commit c9d57de6 upstream.
      
      When in FE_TUNE_MODE_ONESHOT the frontend must report
      the actual capabilities so user can take appropriate
      action.
      
      With frontends that can't do auto inversion this is done
      by dvb-core automatically so CAN_INVERSION_AUTO is valid.
      
      However, when in FE_TUNE_MODE_ONESHOT this is not true.
      
      So only set FE_CAN_INVERSION_AUTO in modes other than
      FE_TUNE_MODE_ONESHOT
      Signed-off-by: default avatarMalcolm Priestley <tvboxspy@gmail.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      2e2e5f3d
    • Antonio Ospite's avatar
      [media] gspca: ov534/topro: prevent a division by 0 · ba3a6167
      Antonio Ospite authored
      commit dcc7fdbe upstream.
      
      v4l2-compliance sends a zeroed struct v4l2_streamparm in
      v4l2-test-formats.cpp::testParmType(), and this results in a division by
      0 in some gspca subdrivers:
      
        divide error: 0000 [#1] SMP
        Modules linked in: gspca_ov534 gspca_main ...
        CPU: 0 PID: 17201 Comm: v4l2-compliance Not tainted 4.3.0-rc2-ao2 #1
        Hardware name: System manufacturer System Product Name/M2N-E SLI, BIOS
          ASUS M2N-E SLI ACPI BIOS Revision 1301 09/16/2010
        task: ffff8800818306c0 ti: ffff880095c4c000 task.ti: ffff880095c4c000
        RIP: 0010:[<ffffffffa079bd62>]  [<ffffffffa079bd62>] sd_set_streamparm+0x12/0x60 [gspca_ov534]
        RSP: 0018:ffff880095c4fce8  EFLAGS: 00010296
        RAX: 0000000000000000 RBX: ffff8800c9522000 RCX: ffffffffa077a140
        RDX: 0000000000000000 RSI: ffff880095e0c100 RDI: ffff8800c9522000
        RBP: ffff880095e0c100 R08: ffffffffa077a100 R09: 00000000000000cc
        R10: ffff880067ec7740 R11: 0000000000000016 R12: ffffffffa07bb400
        R13: 0000000000000000 R14: ffff880081b6a800 R15: 0000000000000000
        FS:  00007fda0de78740(0000) GS:ffff88012fc00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00000000014630f8 CR3: 00000000cf349000 CR4: 00000000000006f0
        Stack:
         ffffffffa07a6431 ffff8800c9522000 ffffffffa077656e 00000000c0cc5616
         ffff8800c9522000 ffffffffa07a5e20 ffff880095e0c100 0000000000000000
         ffff880067ec7740 ffffffffa077a140 ffff880067ec7740 0000000000000016
        Call Trace:
         [<ffffffffa07a6431>] ? v4l_s_parm+0x21/0x50 [videodev]
         [<ffffffffa077656e>] ? vidioc_s_parm+0x4e/0x60 [gspca_main]
         [<ffffffffa07a5e20>] ? __video_do_ioctl+0x280/0x2f0 [videodev]
         [<ffffffffa07a5ba0>] ? video_ioctl2+0x20/0x20 [videodev]
         [<ffffffffa07a59b9>] ? video_usercopy+0x319/0x4e0 [videodev]
         [<ffffffff81182dc1>] ? page_add_new_anon_rmap+0x71/0xa0
         [<ffffffff811afb92>] ? mem_cgroup_commit_charge+0x52/0x90
         [<ffffffff81179b18>] ? handle_mm_fault+0xc18/0x1680
         [<ffffffffa07a15cc>] ? v4l2_ioctl+0xac/0xd0 [videodev]
         [<ffffffff811c846f>] ? do_vfs_ioctl+0x28f/0x480
         [<ffffffff811c86d4>] ? SyS_ioctl+0x74/0x80
         [<ffffffff8154a8b6>] ? entry_SYSCALL_64_fastpath+0x16/0x75
        Code: c7 93 d9 79 a0 5b 5d e9 f1 f3 9a e0 0f 1f 00 66 2e 0f 1f 84 00
          00 00 00 00 66 66 66 66 90 53 31 d2 48 89 fb 48 83 ec 08 8b 46 10 <f7>
          76 0c 80 bf ac 0c 00 00 00 88 87 4e 0e 00 00 74 09 80 bf 4f
        RIP  [<ffffffffa079bd62>] sd_set_streamparm+0x12/0x60 [gspca_ov534]
         RSP <ffff880095c4fce8>
        ---[ end trace 279710c2c6c72080 ]---
      
      Following what the doc says about a zeroed timeperframe (see
      http://www.linuxtv.org/downloads/v4l-dvb-apis/vidioc-g-parm.html):
      
        ...
        To reset manually applications can just set this field to zero.
      
      fix the issue by resetting the frame rate to a default value in case of
      an unusable timeperframe.
      
      The fix is done in the subdrivers instead of gspca.c because only the
      subdrivers have notion of a default frame rate to reset the camera to.
      Signed-off-by: default avatarAntonio Ospite <ao2@ao2.it>
      Reviewed-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      ba3a6167
  2. 28 Jan, 2016 24 commits
  3. 25 Jan, 2016 1 commit
    • Yevgeny Pats's avatar
      KEYS: Fix keyring ref leak in join_session_keyring() · 63b2438c
      Yevgeny Pats authored
      commit 23567fd0 upstream.
      
      This fixes CVE-2016-0728.
      
      If a thread is asked to join as a session keyring the keyring that's already
      set as its session, we leak a keyring reference.
      
      This can be tested with the following program:
      
      	#include <stddef.h>
      	#include <stdio.h>
      	#include <sys/types.h>
      	#include <keyutils.h>
      
      	int main(int argc, const char *argv[])
      	{
      		int i = 0;
      		key_serial_t serial;
      
      		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
      				"leaked-keyring");
      		if (serial < 0) {
      			perror("keyctl");
      			return -1;
      		}
      
      		if (keyctl(KEYCTL_SETPERM, serial,
      			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
      			perror("keyctl");
      			return -1;
      		}
      
      		for (i = 0; i < 100; i++) {
      			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
      					"leaked-keyring");
      			if (serial < 0) {
      				perror("keyctl");
      				return -1;
      			}
      		}
      
      		return 0;
      	}
      
      If, after the program has run, there something like the following line in
      /proc/keys:
      
      3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty
      
      with a usage count of 100 * the number of times the program has been run,
      then the kernel is malfunctioning.  If leaked-keyring has zero usages or
      has been garbage collected, then the problem is fixed.
      Reported-by: default avatarYevgeny Pats <yevgeny@perception-point.io>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarDon Zickus <dzickus@redhat.com>
      Acked-by: default avatarPrarit Bhargava <prarit@redhat.com>
      Acked-by: default avatarJarod Wilson <jarod@redhat.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      63b2438c