1. 12 Apr, 2016 11 commits
    • [media] au0828: fix au0828_v4l2_close() dev_state race condition · 6326de42
      Shuah Khan authored
      commit ed940cd2 upstream.
      
      au0828_v4l2_close() check for dev_state == DEV_DISCONNECTED will fail to
      detect the device disconnected state correctly, if au0828_v4l2_open() runs
      to set the DEV_INITIALIZED bit. A loop test of bind/unbind found this bug
      by increasing the likelihood of au0828_v4l2_open() occurring while unbind
      is in progress. When au0828_v4l2_close() fails to detect that the device
      is in disconnect state, it attempts to power down the device and fails with
      the following general protection fault:
      
      [  260.992962] Call Trace:
      [  260.993008]  [<ffffffffa0f80f0f>] ? xc5000_sleep+0x8f/0xd0 [xc5000]
      [  260.993095]  [<ffffffffa0f6803c>] ? fe_standby+0x3c/0x50 [tuner]
      [  260.993186]  [<ffffffffa0ef541c>] au0828_v4l2_close+0x53c/0x620 [au0828]
      [  260.993298]  [<ffffffffa0d08ec0>] v4l2_release+0xf0/0x210 [videodev]
      [  260.993382]  [<ffffffff81570f9c>] __fput+0x1fc/0x6c0
      [  260.993449]  [<ffffffff815714ce>] ____fput+0xe/0x10
      [  260.993519]  [<ffffffff8116eb83>] task_work_run+0x133/0x1f0
      [  260.993602]  [<ffffffff810035d0>] exit_to_usermode_loop+0x140/0x170
      [  260.993681]  [<ffffffff810061ca>] syscall_return_slowpath+0x16a/0x1a0
      [  260.993754]  [<ffffffff82835fb3>] entry_SYSCALL_64_fastpath+0xa6/0xa8
      Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
    • USB: digi_acceleport: do sanity checking for the number of ports · 0be04f5b
      Oliver Neukum authored
      commit 5a07975a upstream.
      
      The driver can be crashed with devices that expose crafted descriptors
      with too few endpoints.
      
      See: http://seclists.org/bugtraq/2016/Mar/61
      Signed-off-by: Oliver Neukum <ONeukum@suse.com>
      [johan: fix OOB endpoint check and add error messages ]
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
    • USB: cypress_m8: add endpoint sanity check · 5ad7c513
      Oliver Neukum authored
      commit c55aee1b upstream.
      
      An attack using missing endpoints exists.
      
      CVE-2016-3137
      Signed-off-by: Oliver Neukum <ONeukum@suse.com>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
    • USB: mct_u232: add sanity checking in probe · b1ac47d7
      Oliver Neukum authored
      commit 4e9a0b05 upstream.
      
      An attack using the lack of sanity checking in probe is known. This
      patch checks for the existence of a second port.
      
      CVE-2016-3136
      Signed-off-by: Oliver Neukum <ONeukum@suse.com>
      [johan: add error message ]
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
    • ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call · ee5e823a
      Vladis Dronov authored
      commit 836b34a9 upstream.
      
      create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
      create_uaxx_quirk() functions allocate the audioformat object by themselves
      and free it upon error before returning. However, once the object is linked
      to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
      double-freed, eventually resulting in a memory corruption.
      
      This patch fixes these failures in the error paths by unlinking the audioformat
      object before freeing it.
      
      Based on a patch by Takashi Iwai <tiwai@suse.de>
      
      [Note for stable backports:
       this patch requires the commit 902eb7fd ('ALSA: usb-audio: Minor
       code cleanup in create_fixed_stream_quirk()')]
      
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
      Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
      Signed-off-by: Vladis Dronov <vdronov@redhat.com>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
    • ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk() · 48426697
      Takashi Iwai authored
      commit 902eb7fd upstream.
      
      Just a minor code cleanup: unify the error paths.
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
    • btrfs: fix crash/invalid memory access on fsync when using overlayfs · dd0500af
      Filipe Manana authored
      commit de17e793 upstream.
      
      If the lower or upper directory of an overlayfs mount belong to a btrfs
      file system and we fsync the file through the overlayfs' merged directory
      we ended up accessing an inode that didn't belong to btrfs as if it were
      a btrfs inode at btrfs_sync_file() resulting in a crash like the following:
      
      [ 7782.588845] BUG: unable to handle kernel NULL pointer dereference at 0000000000000544
      [ 7782.590624] IP: [<ffffffffa030b7ab>] btrfs_sync_file+0x11b/0x3e9 [btrfs]
      [ 7782.591931] PGD 4d954067 PUD 1e878067 PMD 0
      [ 7782.592016] Oops: 0002 [#6] PREEMPT SMP DEBUG_PAGEALLOC
      [ 7782.592016] Modules linked in: btrfs overlay ppdev crc32c_generic evdev xor raid6_pq psmouse pcspkr sg serio_raw acpi_cpufreq parport_pc parport tpm_tis i2c_piix4 tpm i2c_core processor button loop autofs4 ext4 crc16 mbcache jbd2 sr_mod cdrom sd_mod ata_generic virtio_scsi ata_piix virtio_pci libata virtio_ring virtio scsi_mod e1000 floppy [last unloaded: btrfs]
      [ 7782.592016] CPU: 10 PID: 16437 Comm: xfs_io Tainted: G      D         4.5.0-rc6-btrfs-next-26+ #1
      [ 7782.592016] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS by qemu-project.org 04/01/2014
      [ 7782.592016] task: ffff88001b8d40c0 ti: ffff880137488000 task.ti: ffff880137488000
      [ 7782.592016] RIP: 0010:[<ffffffffa030b7ab>]  [<ffffffffa030b7ab>] btrfs_sync_file+0x11b/0x3e9 [btrfs]
      [ 7782.592016] RSP: 0018:ffff88013748be40  EFLAGS: 00010286
      [ 7782.592016] RAX: 0000000080000000 RBX: ffff880133b30c88 RCX: 0000000000000001
      [ 7782.592016] RDX: 0000000000000001 RSI: ffffffff8148fec0 RDI: 00000000ffffffff
      [ 7782.592016] RBP: ffff88013748bec0 R08: 0000000000000001 R09: 0000000000000000
      [ 7782.624248] R10: ffff88013748be40 R11: 0000000000000246 R12: 0000000000000000
      [ 7782.624248] R13: 0000000000000000 R14: 00000000009305a0 R15: ffff880015e3be40
      [ 7782.624248] FS:  00007fa83b9cb700(0000) GS:ffff88023ed40000(0000) knlGS:0000000000000000
      [ 7782.624248] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 7782.624248] CR2: 0000000000000544 CR3: 00000001fa652000 CR4: 00000000000006e0
      [ 7782.624248] Stack:
      [ 7782.624248]  ffffffff8108b5cc ffff88013748bec0 0000000000000246 ffff8800b005ded0
      [ 7782.624248]  ffff880133b30d60 8000000000000000 7fffffffffffffff 0000000000000246
      [ 7782.624248]  0000000000000246 ffffffff81074f9b ffffffff8104357c ffff880015e3be40
      [ 7782.624248] Call Trace:
      [ 7782.624248]  [<ffffffff8108b5cc>] ? arch_local_irq_save+0x9/0xc
      [ 7782.624248]  [<ffffffff81074f9b>] ? ___might_sleep+0xce/0x217
      [ 7782.624248]  [<ffffffff8104357c>] ? __do_page_fault+0x3c0/0x43a
      [ 7782.624248]  [<ffffffff811a2351>] vfs_fsync_range+0x8c/0x9e
      [ 7782.624248]  [<ffffffff811a237f>] vfs_fsync+0x1c/0x1e
      [ 7782.624248]  [<ffffffff811a24d6>] do_fsync+0x31/0x4a
      [ 7782.624248]  [<ffffffff811a2700>] SyS_fsync+0x10/0x14
      [ 7782.624248]  [<ffffffff81493617>] entry_SYSCALL_64_fastpath+0x12/0x6b
      [ 7782.624248] Code: 85 c0 0f 85 e2 02 00 00 48 8b 45 b0 31 f6 4c 29 e8 48 ff c0 48 89 45 a8 48 8d 83 d8 00 00 00 48 89 c7 48 89 45 a0 e8 fc 43 18 e1 <f0> 41 ff 84 24 44 05 00 00 48 8b 83 58 ff ff ff 48 c1 e8 07 83
      [ 7782.624248] RIP  [<ffffffffa030b7ab>] btrfs_sync_file+0x11b/0x3e9 [btrfs]
      [ 7782.624248]  RSP <ffff88013748be40>
      [ 7782.624248] CR2: 0000000000000544
      [ 7782.661994] ---[ end trace 721e14960eb939bc ]---
      
      This started happening since commit 4bacc9c9 (overlayfs: Make f_path
      always point to the overlay and f_inode to the underlay) and even though
      after this change we could still access the btrfs inode through
      struct file->f_mapping->host or struct file->f_inode, we would end up
      resulting in more similar issues later on at check_parent_dirs_for_sync()
      because the dentry we got (from struct file->f_path.dentry) was from
      overlayfs and not from btrfs, that is, we had no way of getting the dentry
      that belonged to btrfs (we always got the dentry that belonged to
      overlayfs).
      
      The new patch from Miklos Szeredi, titled "vfs: add file_dentry()" and
      recently submitted to linux-fsdevel, adds a file_dentry() API that allows
      us to get the btrfs dentry from the input file and therefore to be able
      to fsync when the upper and lower directories belong to btrfs filesystems.
      
      This issue has been reported several times by users in the mailing list
      and bugzilla. A test case for xfstests is being submitted as well.
      
      Fixes: 4bacc9c9 ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay")
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=101951
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109791
      Signed-off-by: Filipe Manana <fdmanana@suse.com>
      Signed-off-by: Chris Mason <clm@fb.com>
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
    • usb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer · 21e561fb
      Yoshihiro Shimoda authored
      commit 6490865c upstream.
      
      This patch adds a code to surely disable TX IRQ of the pipe before
      starting TX DMAC transfer. Otherwise, a lot of unnecessary TX IRQs
      may happen in rare cases when DMAC is used.
      
      Fixes: e73a9891 ("usb: renesas_usbhs: add DMAEngine support")
      Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
    • usb: renesas_usbhs: avoid NULL pointer dereference in usbhsf_pkt_handler() · c5ec967f
      Yoshihiro Shimoda authored
      commit 894f2fc4 upstream.
      
      When an unexpected situation happens (e.g. a tx/rx irq happens while
      DMAC is used), usbhsf_pkt_handler() could cause a NULL pointer
      dereference like the following:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000000
      pgd = c0004000
      [00000000] *pgd=00000000
      Internal error: Oops: 80000007 [#1] SMP ARM
      Modules linked in: usb_f_acm u_serial g_serial libcomposite
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.5.0-rc6-00842-gac57066-dirty #63
      Hardware name: Generic R8A7790 (Flattened Device Tree)
      task: c0729c00 ti: c0724000 task.ti: c0724000
      PC is at 0x0
      LR is at usbhsf_pkt_handler+0xac/0x118
      pc : [<00000000>]    lr : [<c03257e0>]    psr: 60000193
      sp : c0725db8  ip : 00000000  fp : c0725df4
      r10: 00000001  r9 : 00000193  r8 : ef3ccab4
      r7 : ef3cca10  r6 : eea4586c  r5 : 00000000  r4 : ef19ceb4
      r3 : 00000000  r2 : 0000009c  r1 : c0725dc4  r0 : ef19ceb4
      
      This patch adds a condition to avoid the dereference.
      
      Fixes: e73a9891 ("usb: renesas_usbhs: add DMAEngine support")
      Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
    • pinctrl: sunxi: Fix A33 external interrupts not working · 3e9aeba1
      Hans de Goede authored
      commit 5e7515ba upstream.
      
      pinctrl-sun8i-a33.c (and the dts) declare only 2 interrupt banks,
      whereas the closely related A23 has 3 banks. This matches the
      datasheet for the A33, where only interrupt banks B and G are specified,
      whereas the A23 has banks A, B and G.
      
      However, the A33 being the A23 derivative it is means that the interrupt
      configure/status io-addresses for the 2 banks it has are not changed
      from the A23, iow they have the same address as if bank A was still
      present. Whereas the sunxi pinctrl currently tries to use the A23 bank
      A addresses for bank B, since the pinctrl code does not know about the
      removed bank A.
      
      Add an irq_bank_base parameter and use this where appropriate to take
      the missing bank A into account.
      
      This fixes external interrupts not working on the A33 (tested with
      an i2c touchscreen controller which uses an external interrupt).
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
    • pinctrl: pistachio: fix mfio84-89 function description and pinmux. · 0c3a5264
      Govindraj Raja authored
      commit e9adb336 upstream.
      
      mfio 84 to 89 are described wrongly; fix them to describe
      the right pins and add them to the right pin-mux group.
      
      The correct order is:
      	pll1_lock => mips_pll	-- MFIO_83
      	pll2_lock => audio_pll	-- MFIO_84
      	pll3_lock => rpu_v_pll	-- MFIO_85
      	pll4_lock => rpu_l_pll	-- MFIO_86
      	pll5_lock => sys_pll	-- MFIO_87
      	pll6_lock => wifi_pll	-- MFIO_88
      	pll7_lock => bt_pll	-- MFIO_89
      
      Cc: linux-gpio@vger.kernel.org
      Cc: devicetree@vger.kernel.org
      Cc: linux-mips@linux-mips.org
      Cc: James Hartley <James.Hartley@imgtec.com>
      Fixes: cefc03e5 ("pinctrl: Add Pistachio SoC pin control driver")
      Signed-off-by: Govindraj Raja <Govindraj.Raja@imgtec.com>
      Acked-by: Andrew Bresticker <abrestic@chromium.org>
      Acked-by: Rob Herring <robh@kernel.org>
      Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>