Commits on Jul 15, 2016
  1. netfilter: x_tables: make sure e->next_offset covers remaining blob size

    Florian Westphal authored and 9Lukas5 committed Mar 22, 2016
    Otherwise this function may read data beyond the ruleset blob.
    
    Change-Id: I02140df375cb2d746a6dd687abe51befcb735c12
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Commits on Jul 3, 2016
  1. HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands

    ScottyBauer authored and mdmower committed Jun 23, 2016
    
    This patch validates the num_values parameter from userland during the
    HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
    to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
    leading to a heap overflow.
    
    Change-Id: Ic70137aa9fe2dc2ac67b751a9ac5f5dd852fd46f
    Cc: stable@vger.kernel.org
    Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Commits on Jun 26, 2016
  1. ASoC: msm: Validate pcm buffer size

    Kuirong Wang authored and mdmower committed Mar 26, 2015
    Check if the pcm samples to be copied are greater than
    the kernel buffer size.
    
    Change-Id: Ieddd3a3299640ebea0225985d13952045d5dc5c9
    CRs-fixed: 813448
    Signed-off-by: Kuirong Wang <kuirongw@codeaurora.org>
  2. ALSA: compress: add support for gapless playback

    kpjeeja authored and mdmower committed Feb 14, 2013
    This adds a new API for sound compress to support gapless playback.
    As noted in the Documentation change, we add an API to send metadata of encoder and
    padding delay to DSP. Also add an API for indicating EOF and switching to
    the subsequent track.
    
    Also bump the compress API version
    
    Conflicts:
    	include/uapi/sound/compress_offload.h
    
    Signed-off-by: Jeeja KP <jeeja.kp@intel.com>
    Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    
    Conflicts:
    
    	include/sound/compress_offload.h
    
    Change-Id: I62de413012796d61455f0ef484703d8b096f59c5
    Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
Commits on Jun 24, 2016
  1. net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom

    Al Viro authored and mdmower committed Mar 20, 2015
    
    Change-Id: Ida19e5102b7faca17c685a261c20fbbf5c9614f9
    Cc: stable@vger.kernel.org # v3.19
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  2. mnt: Fail collect_mounts when applied to unmounted mounts

    ebiederm authored and mdmower committed Jan 7, 2015
    The only users of collect_mounts are in audit_tree.c
    
    In audit_trim_trees and audit_add_tree_rule the path passed into
    collect_mounts is generated from kern_path passed an audit_tree
    pathname which is guaranteed to be an absolute path.  In those cases
    collect_mounts is obviously intended to work on mounted paths and
    if a race results in paths that are unmounted when collect_mounts is
    called, it is reasonable to fail early.
    
    The paths passed into audit_tag_tree don't have the absolute path
    check, but are used to play with fsnotify and otherwise interact with
    the audit_trees, so again operating only on mounted paths appears
    reasonable.
    
    Avoid having to worry about what happens when we try and audit
    unmounted filesystems by restricting collect_mounts to mounts
    that appear in the mount tree.
    
    Change-Id: I2edfee6d6951a2179ce8f53785b65ddb1eb95629
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  3. KEYS: potential uninitialized variable

    Dan Carpenter authored and mdmower committed May 26, 2016
    If __key_link_begin() failed then "edit" would be uninitialized.  I've
    added a check to fix that.
    
    Change-Id: I0e28bdba07f645437db2b08daf67ca27f16c6f5c
    Fixes: f70e2e0 ('KEYS: Do preallocation for __key_link()')
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
  4. net: wireless: bcmdhd: check privilege on priv cmd

    Jerry Lee authored and mdmower committed Apr 15, 2016
    Check net admin capability for ioctl calls.
    
    BUG=26425765
    
    Change-Id: Idae75c9fc530add3ead3508d25e994bbfec9a6de
  5. msm: kgsl: Add missing checks for alloc size and sglen

    Rajesh Kemisetti authored and mdmower committed Apr 13, 2016
    In _kgsl_sharedmem_page_alloc():
    
    - Make len of type size_t to be in line with size.
    - Check for boundary limits of requested alloc size before honoring.
    - Make sure sglen is greater than zero before marking it as end
      of sg list.
    
    BUG=27475454
    
    Change-Id: I8e18aad2118f58ce677050ff4c4a4b0823c4b4b3
  6. USB: usbfs: fix potential infoleak in devio

    kengiter authored and mdmower committed May 3, 2016
    The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
    are padding bytes which are not initialized and leaked to userland
    via “copy_to_user”.
    
    Change-Id: Icd49231ee1862682739a871ae78a5602ee104731
    Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Commits on Jun 18, 2016
  1. msm: HTC: m7: Enable CONFIG_SWAP

    9Lukas5 authored and Gerrit Code Review committed Feb 13, 2016
    Change-Id: I13a12eac34dae5d491aaf02940390b315bc39e38
Commits on Jun 3, 2016
  1. f2fs: Squashed update from f2fs-stable

    mdmower committed Jun 3, 2016
    https://git.kernel.org/cgit/linux/kernel/git/jaegeuk/f2fs-stable.git
    Branch: linux-3.4.y
    Up to and including:
      f2fs: adjust other changes
      2ba43a590c3fd78b3d05edd49aab3d2c34ae7232
    
    Change-Id: If67141f1a9d23e42bd972ad9aaef6e6aa3ac28b8
Commits on May 30, 2016
  1. msm: HTC: Remove unused voltage storage from reboot handler

    mdmower committed May 30, 2016
    Nothing reads these values anymore.
    
    Change-Id: I618a8ea88c629e5f9b776eb934ebc92f1e2d31fc
  2. power: pm8921-bms-htc: Remove usage of read_backup_cc_uv()

    mdmower committed May 28, 2016
    Do not rely on HTC's restart handler to store reliable voltages for use
    in subsequent restarts. We've seen this fail on a ville device. So, remove
    usage of read_backup_cc_uv(). This change matches that introduced by
    m7gpe 6.04.1700.6.
    
    CYAN-7738
    
    Change-Id: I6089441dceac8d3f2d1d2782773957dd846ea66d
    (cherry picked from commit 1e1d896)
Commits on May 24, 2016
  1. ppp: take reference on channels netns

    Guillaume Nault authored and mdmower committed Mar 23, 2016
    Let channels hold a reference on their network namespace.
    Some channel types, like ppp_async and ppp_synctty, can have their
    userspace controller running in a different namespace. Therefore they
    can't rely on them to preclude their netns from being removed from
    under them.
    
    ==================================================================
    BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
    addr ffff880064e217e0
    Read of size 8 by task syz-executor/11581
    =============================================================================
    BUG net_namespace (Not tainted): kasan: bad access detected
    -----------------------------------------------------------------------------
    
    Disabling lock debugging due to kernel taint
    INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906
    [<      none      >] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440
    [<      none      >] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469
    [<     inline     >] slab_alloc_node kernel/mm/slub.c:2532
    [<     inline     >] slab_alloc kernel/mm/slub.c:2574
    [<      none      >] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579
    [<     inline     >] kmem_cache_zalloc kernel/include/linux/slab.h:597
    [<     inline     >] net_alloc kernel/net/core/net_namespace.c:325
    [<      none      >] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360
    [<      none      >] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95
    [<      none      >] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150
    [<      none      >] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451
    [<     inline     >] copy_process kernel/kernel/fork.c:1274
    [<      none      >] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723
    [<     inline     >] SYSC_clone kernel/kernel/fork.c:1832
    [<      none      >] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826
    [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185
    
    INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631
    [<      none      >] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650
    [<     inline     >] slab_free kernel/mm/slub.c:2805
    [<      none      >] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814
    [<     inline     >] net_free kernel/net/core/net_namespace.c:341
    [<      none      >] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348
    [<      none      >] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448
    [<      none      >] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036
    [<      none      >] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
    [<      none      >] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
    [<      none      >] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468
    INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000
    flags=0x5fffc0000004080
    INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200
    
    CPU: 1 PID: 11581 Comm: syz-executor Tainted: G    B           4.4.0+
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
    rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
     00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300
     ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054
     ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000
    Call Trace:
     [<     inline     >] __dump_stack kernel/lib/dump_stack.c:15
     [<ffffffff8292049d>] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
     [<ffffffff816f2054>] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
     [<ffffffff816f875f>] object_err+0x2f/0x40 kernel/mm/slub.c:661
     [<     inline     >] print_address_description kernel/mm/kasan/report.c:138
     [<ffffffff816fb0c5>] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236
     [<     inline     >] kasan_report kernel/mm/kasan/report.c:259
     [<ffffffff816fb4de>] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280
     [<     inline     >] ? ppp_pernet kernel/include/linux/compiler.h:218
     [<ffffffff83ad71b2>] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
     [<     inline     >] ppp_pernet kernel/include/linux/compiler.h:218
     [<ffffffff83ad71b2>] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
     [<     inline     >] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293
     [<ffffffff83ad6f26>] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
     [<ffffffff83ae18f3>] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241
     [<ffffffff83ae1850>] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000
     [<ffffffff82c33239>] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478
     [<ffffffff82c332c0>] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744
     [<ffffffff82c34943>] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772
     [<ffffffff82c1ef21>] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901
     [<ffffffff82c1e460>] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688
     [<ffffffff8174de36>] __fput+0x236/0x780 kernel/fs/file_table.c:208
     [<ffffffff8174e405>] ____fput+0x15/0x20 kernel/fs/file_table.c:244
     [<ffffffff813595ab>] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115
     [<     inline     >] exit_task_work kernel/include/linux/task_work.h:21
     [<ffffffff81307105>] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
     [<ffffffff813fdd20>] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123
     [<ffffffff81306850>] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357
     [<ffffffff813215e6>] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
     [<ffffffff8132067b>] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145
     [<ffffffff81309628>] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
     [<ffffffff8132b9d4>] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
     [<     inline     >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
     [<ffffffff8151d355>] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158
     [<ffffffff8115f7d3>] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
     [<ffffffff8151d2a0>] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655
     [<ffffffff8115f750>] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165
     [<ffffffff81380864>] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692
     [<     inline     >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
     [<ffffffff81380560>] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678
     [<     inline     >] ? context_switch kernel/kernel/sched/core.c:2807
     [<ffffffff85d794e9>] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
     [<ffffffff81003901>] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247
     [<     inline     >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282
     [<ffffffff810062ef>] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344
     [<ffffffff85d88022>] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281
    Memory state around the buggy address:
     ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    >ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                           ^
     ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================
    
    Change-Id: I591b30eafa1b57bd2e211e1f33c39128702ff0b0
    Fixes: 273ec51 ("net: ppp_generic - introduce net-namespace functionality v2")
    Reported-by: Baozeng Ding <sploving1@gmail.com>
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  2. netfilter: x_tables: check for size overflow

    Florian Westphal authored and mdmower committed Mar 10, 2016
    Ben Hawkes says:
     integer overflow in xt_alloc_table_info, which on 32-bit systems can
     lead to small structure allocation and a copy_from_user based heap
     corruption.
    
    Change-Id: I13c554c630651a37e3f6a195e9a5f40cddcb29a1
    Reported-by: Ben Hawkes <hawkes@google.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  3. ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt

    kengiter authored and mdmower committed May 3, 2016
    The stack object “r1” has a total size of 32 bytes. Its fields
    “event” and “val” both contain 4 bytes of padding. These 8
    padding bytes are sent to user without being initialized.
    
    Change-Id: Ie3dcdee7da8ad292712814e8402c571a717ab8d1
    Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  4. ALSA: timer: Fix leak in events via snd_timer_user_ccallback

    kengiter authored and mdmower committed May 3, 2016
    The stack object “r1” has a total size of 32 bytes. Its fields
    “event” and “val” both contain 4 bytes of padding. These 8
    padding bytes are sent to user without being initialized.
    
    Change-Id: I5ece63432f6ca6251fa31c046c211c8c03313a59
    Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  5. ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS

    kengiter authored and mdmower committed May 3, 2016
    The stack object “tread” has a total size of 32 bytes. Its fields
    “event” and “val” both contain 4 bytes of padding. These 8
    padding bytes are sent to user without being initialized.
    
    Change-Id: Ibf2868136a538eed0f2e75395a5f14a8608dd86d
    Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  6. netfilter: x_tables: fix unconditional helper

    Florian Westphal authored and mdmower committed Mar 22, 2016
    Ben Hawkes says:
    
     In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
     is possible for a user-supplied ipt_entry structure to have a large
     next_offset field. This field is not bounds checked prior to writing a
     counter value at the supplied offset.
    
    Problem is that mark_source_chains should not have been called --
    the rule doesn't have a next entry, so it's supposed to return
    an absolute verdict of either ACCEPT or DROP.
    
    However, the function conditional() doesn't work as the name implies.
    It only checks that the rule is using wildcard address matching.
    
    However, an unconditional rule must also not be using any matches
    (no -m args).
    
    The underflow validator only checked the addresses, therefore
    passing the 'unconditional absolute verdict' test, while
    mark_source_chains also tested for presence of matches, and thus
    proceeded to the next (not-existent) rule.
    
    Unify this so that all the callers have the same idea of 'unconditional rule'.
    
    Change-Id: Id2b4779f2e41b1a82b1d266bb9e11118c4428afc
    Reported-by: Ben Hawkes <hawkes@google.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  7. ipv4: Don't do expensive useless work during inetdev destroy.

    davem330 authored and mdmower committed Mar 14, 2016
    When an inetdev is destroyed, every address assigned to the interface
    is removed.  And in this scenario we do two pointless things which can
    be very expensive if the number of assigned interfaces is large:
    
    1) Address promotion.  We are deleting all addresses, so there is no
       point in doing this.
    
    2) A full nf conntrack table purge for every address.  We only need to
       do this once, as is already caught by the existing
       masq_dev_notifier so masq_inet_event() can skip this.
    
    Change-Id: I4b2a3ed665543728451c21465fb90ec89f739135
    Reported-by: Solar Designer <solar@openwall.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Tested-by: Cyrill Gorcunov <gorcunov@openvz.org>
    [bwh: Backported to 3.2: adjust filename, context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  8. USB: cdc-acm: more sanity checking

    oneukum authored and mdmower committed Mar 15, 2016
    An attack has become available which pretends to be a quirky
    device circumventing normal sanity checks and crashes the kernel
    by an insufficient number of interfaces. This patch adds a check
    to the code path for quirky devices.
    
    Change-Id: Ie96a95d833e4ca9c3c3c3557679115ffb7069b5b
    Signed-off-by: Oliver Neukum <ONeukum@suse.com>
    CC: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  9. usbnet: cleanup after bind() in probe()

    oneukum authored and mdmower committed Mar 7, 2016
    In case bind() works, but a later error forces bailing
    in probe() in error cases work and a timer may be scheduled.
    They must be killed. This fixes an error case related to
    the double free reported in
    http://www.spinics.net/lists/netdev/msg367669.html
    and needs to go on top of Linus' fix to cdc-ncm.
    
    Change-Id: I43b1673bc31b3af05789e461b39c55062735cc56
    Signed-off-by: Oliver Neukum <ONeukum@suse.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  10. ALSA: hrtimer: Fix stall by hrtimer_cancel()

    tiwai authored and mdmower committed Jan 18, 2016
    hrtimer_cancel() waits for the completion from the callback, thus it
    must not be called inside the callback itself.  This was already a
    problem in the past with ALSA hrtimer driver, and the early commit
    [fcfdebe: ALSA: hrtimer - Fix lock-up] tried to address it.
    
    However, the previous fix is still insufficient: it may still cause a
    lockup when the ALSA timer instance reprograms itself in its callback.
    Then it invokes the start function even in snd_timer_interrupt() that
    is called in hrtimer callback itself, resulting in a CPU stall.  This is
    no hypothetical problem but actually triggered by syzkaller fuzzer.
    
    This patch tries to fix the issue again.  Now we call
    hrtimer_try_to_cancel() at both start and stop functions so that it
    won't fall into a deadlock, yet giving some chance to cancel the queue
    if the functions have been called outside the callback.  The proper
    hrtimer_cancel() is called in anyway at closing, so this should be
    enough.
    
    Change-Id: Id6224b2a3ade0d217e891e6af09744df4d0b2e5c
    Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  11. pipe: limit the per-user amount of pages allocated in pipes

    Willy Tarreau authored and mdmower committed Jan 18, 2016
    On not-so-small systems, it is possible for a single process to cause an
    OOM condition by filling large pipes with data that are never read. A
    typical process filling 4000 pipes with 1 MB of data will use 4 GB of
    memory. On small systems it may be tricky to set the pipe max size to
    prevent this from happening.
    
    This patch makes it possible to enforce a per-user soft limit above
    which new pipes will be limited to a single page, effectively limiting
    them to 4 kB each, as well as a hard limit above which no new pipes may
    be created for this user. This has the effect of protecting the system
    against memory abuse without hurting other users, and still allowing
    pipes to work correctly though with less data at once.
    
    The limits are controlled by two new sysctls: pipe-user-pages-soft, and
    pipe-user-pages-hard. Both may be disabled by setting them to zero. The
    default soft limit allows the default number of FDs per process (1024)
    to create pipes of the default size (64kB), thus reaching a limit of 64MB
    before starting to create only smaller pipes. With 256 processes limited
    to 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB =
    1084 MB of memory allocated for a user. The hard limit is disabled by
    default to avoid breaking existing applications that make intensive use
    of pipes (eg: for splicing).
    
    Reported-by: socketpair@gmail.com
    Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Mitigates: CVE-2013-4312 (Linux 2.0+)
    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    	Documentation/sysctl/fs.txt
    	fs/pipe.c
    	include/linux/sched.h
    
    Change-Id: Ic7c678af18129943e16715fdaa64a97a7f0854be
  12. ALSA: timer: Harden slave timer list handling

    tiwai authored and mdmower committed Jan 14, 2016
    A slave timer instance might be still accessible in a racy way while
    operating the master instance as it lacks locking.  Since the
    master operation is mostly protected with timer->lock, we should cope
    with it while changing the slave instance, too.  Also, some linked
    lists (active_list and ack_list) of slave instances aren't unlinked
    immediately at stopping or closing, and this may lead to unexpected
    accesses.
    
    This patch tries to address these issues.  It adds spin lock of
    timer->lock (either from master or slave, which is equivalent) in a
    few places.  For avoiding a deadlock, we ensure that the global
    slave_active_lock is always locked at first before each timer lock.
    
    Also, ack and active_list of slave instances are properly unlinked at
    snd_timer_stop() and snd_timer_close().
    
    Last but not least, remove the superfluous call of _snd_timer_stop()
    at removing slave links.  This is a noop, and calling it may confuse
    readers wrt locking.  Further cleanup will follow in a later patch.
    
    Actually we've got reports of use-after-free by syzkaller fuzzer, and
    this hopefully fixes these issues.
    
    Change-Id: I572878b909dda522dbedc84633414185802bc974
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  13. ALSA: timer: Fix race among timer ioctls

    tiwai authored and mdmower committed Jan 13, 2016
    ALSA timer ioctls have an open race and this may lead to a
    use-after-free of timer instance object.  A simplistic fix is to make
    each ioctl exclusive.  We have already tread_sem for controlling the
    tread, and extend this as a global mutex to be applied to each ioctl.
    
    The downside is, of course, the worse concurrency.  But these ioctls
    aren't to be parallel accessible, in anyway, so it should be fine to
    serialize there.
    
    Change-Id: Iaa21b00f62e02cc58e346a29846e0fce6536e860
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Tested-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  14. ALSA: timer: Fix double unlink of active_list

    tiwai authored and mdmower committed Jan 13, 2016
    ALSA timer instance object has a couple of linked lists and they are
    unlinked unconditionally at snd_timer_stop().  Meanwhile
    snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
    the element list itself unchanged.  This ends up with unlinking twice,
    and it was caught by syzkaller fuzzer.
    
    The fix is to use list_del_init() variant properly there, too.
    
    Change-Id: I95e2ab06180dfe43fb6b7c2875a866b53ca245ce
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Tested-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  15. ALSA: usb-audio: avoid freeing umidi object twice

    xairy authored and mdmower committed Feb 13, 2016
    The 'umidi' object will be freed on the error path by snd_usbmidi_free()
    when tearing down the rawmidi interface. So we shouldn't try to free it
    in snd_usbmidi_create() after having registered the rawmidi interface.
    
    Found by KASAN.
    
    Change-Id: I8534867beeac111370017ef246adc17e23e1a3b1
    Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
    Acked-by: Clemens Ladisch <clemens@ladisch.de>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  16. msm: perf: Protect buffer overflow due to malicious user

    Swetha Chikkaboraiah authored and mdmower committed Jan 27, 2016
    In function krait_pmu_disable_event, parameter hwc comes from
    userspace and is untrusted. The function krait_clearpmu is called
    after the function get_krait_evtinfo.
    Function get_krait_evtinfo has parameter krait_evt_type variable
    which is used to extract the groupcode(reg) which is bound to
    KRAIT_MAX_L1_REG (is 3). After validation, one code path modifies
    groupcode(reg): If this code path executes, groupcode(reg) can be
    3, 4, 5, or 6. In krait_clearpmu groupcode is used to access array
    krait_functions whose size is 3. Since groupcode can be 3, 4, 5, 6
    accessing array krait_functions leads to buffer overflow.
    This change will validate groupcode not to exceed 3.
    
    Change-Id: I48c92adda137d8a074b4e1a367a468195a810ca1
    CRs-fixed: 962450
    Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>
Commits on May 23, 2016
  1. f2fs: fix to update dirty page count correctly

    chaseyu authored and mdmower committed May 20, 2016
    Once we fail to merge inline data into inode page during flushing inline
    inode, we will skip invoking inode_dec_dirty_pages, which makes dirty page
    count incorrect, resulting in a panic in ->evict_inode. Fix it.
    
    ------------[ cut here ]------------
    kernel BUG at /home/yuchao/git/devf2fs/inode.c:336!
    invalid opcode: 0000 [CyanogenMod#1] PREEMPT SMP
    CPU: 3 PID: 10004 Comm: umount Tainted: G           O    4.6.0-rc5+ CyanogenMod#17
    Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
    task: f0c33000 ti: c5212000 task.ti: c5212000
    EIP: 0060:[<f89aacb5>] EFLAGS: 00010202 CPU: 3
    EIP is at f2fs_evict_inode+0x85/0x490 [f2fs]
    EAX: 00000001 EBX: c4529ea0 ECX: 00000001 EDX: 00000000
    ESI: c0131000 EDI: f89dd0a0 EBP: c5213e9c ESP: c5213e78
     DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
    CR0: 80050033 CR2: b75878c0 CR3: 1a36a700 CR4: 000406f0
    Stack:
     c4529ea0 c4529ef4 c5213e8c c176d45c c4529ef4 00000000 c4529ea0 c4529fac
     f89dd0a0 c5213eb0 c1204a68 c5213ed8 c452a2b4 c6680930 c5213ec0 c1204b64
     c6680d44 c6680620 c5213eec c120588d ee84b000 ee84b5c0 c5214000 ee84b5e0
    Call Trace:
     [<c176d45c>] ? _raw_spin_unlock+0x2c/0x50
     [<c1204a68>] evict+0xa8/0x170
     [<c1204b64>] dispose_list+0x34/0x50
     [<c120588d>] evict_inodes+0x10d/0x130
     [<c11ea941>] generic_shutdown_super+0x41/0xe0
     [<c1185190>] ? unregister_shrinker+0x40/0x50
     [<c1185190>] ? unregister_shrinker+0x40/0x50
     [<c11eac52>] kill_block_super+0x22/0x70
     [<f89af23e>] kill_f2fs_super+0x1e/0x20 [f2fs]
     [<c11eae1d>] deactivate_locked_super+0x3d/0x70
     [<c11eb383>] deactivate_super+0x43/0x60
     [<c1208ec9>] cleanup_mnt+0x39/0x80
     [<c1208f50>] __cleanup_mnt+0x10/0x20
     [<c107d091>] task_work_run+0x71/0x90
     [<c105725a>] exit_to_usermode_loop+0x72/0x9e
     [<c1001c7c>] do_fast_syscall_32+0x19c/0x1c0
     [<c176dd48>] sysenter_past_esp+0x45/0x74
    EIP: [<f89aacb5>] f2fs_evict_inode+0x85/0x490 [f2fs] SS:ESP 0068:c5213e78
    ---[ end trace d30536330b7fdc58 ]---
    
    Signed-off-by: Chao Yu <yuchao0@huawei.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    
    Change-Id: Iad209ae94828e8e38955459d1ea9573c9e11ede6
  2. f2fs: Squashed update of f2fs-stable

    mdmower committed May 23, 2016
    https://git.kernel.org/cgit/linux/kernel/git/jaegeuk/f2fs-stable.git
    Branch: linux-3.4.y
    Up to and including:
      Revert "f2fs: use cryptoapi crc32 functions"
      5b2523fc731f68cb48ca3d82f3ef2952a61ae5ba
    
    Change-Id: I062d186a7525d6a2ac431f811e5ca550c41ecf0f
Commits on May 13, 2016
  1. input: evdev: use bma250 sensor for evita, fighter and jet

    JoseGalRe committed May 13, 2016
    Change-Id: If35b77c77c894ddce9c4b225bdacc52ca32f1f49
Commits on May 1, 2016
  1. input: evdev: use boottime for sensors

    duud authored and Gerrit Code Review committed Apr 21, 2016
    This makes android-m happy since it requires CLOCK_BOOTTIME
    for its event timestamps.
    See /proc/bus/input/devices for the naming of input devices.
    
    Change-Id: I84b7da35f434105d6ff14042a2de9b3cefeecef7
  2. Input: evdev - add CLOCK_BOOTTIME support

    aniroop-mathur authored and Gerrit Code Review committed Dec 17, 2014
    This patch adds support for CLOCK_BOOTTIME for input event timestamp.
    CLOCK_BOOTTIME includes suspend time, so it would allow applications
    to get correct time difference between two events even when system
    resumes from suspend state.
    
    Change-Id: I0f9bdf6bf5143ebbc6ef36757e62b866d3bd3539