commit 12470e74f393b006a133f7169416f7e1af59e542 Author: Greg Kroah-Hartman Date: Thu Jun 26 15:10:41 2014 -0400 Linux 3.4.95 commit dc687f5effaf57fe62695468e3db6b50dc49bee1 Author: Greg Kroah-Hartman Date: Fri Jun 20 22:00:53 2014 -0700 lzo: properly check for overruns commit 206a81c18401c0cde6e579164f752c4b147324ce upstream. The lzo decompressor can, if given some really crazy data, possibly overrun some variable types. Modify the checking logic to properly detect overruns before they happen. Reported-by: "Don A. Bailey" Tested-by: "Don A. Bailey" Signed-off-by: Greg Kroah-Hartman commit 39085c8966f550d4b39d18683e39e79be7660a72 Author: Markus F.X.J. Oberhumer Date: Mon Aug 13 17:25:44 2012 +0200 lib/lzo: Update LZO compression to current upstream version commit 8b975bd3f9089f8ee5d7bbfd798537b992bbc7e7 upstream. This commit updates the kernel LZO code to the current upsteam version which features a significant speed improvement - benchmarking the Calgary and Silesia test corpora typically shows a doubled performance in both compression and decompression on modern i386/x86_64/powerpc machines. Signed-off-by: Markus F.X.J. Oberhumer Signed-off-by: Greg Kroah-Hartman commit db7d0670393b6febc8967f193c08427bbd6f55d3 Author: Markus F.X.J. Oberhumer Date: Mon Aug 13 17:24:24 2012 +0200 lib/lzo: Rename lzo1x_decompress.c to lzo1x_decompress_safe.c commit b6bec26cea948148a9420e7a0ac337f925de49e7 upstream. Rename the source file to match the function name and thereby also make room for a possible future even slightly faster "non-safe" decompressor version. Signed-off-by: Markus F.X.J. Oberhumer Signed-off-by: Greg Kroah-Hartman commit 2e5f14a6472167bb91ccf2e4ec1fc6586a99500b Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:35 2014 +0200 ALSA: control: Make sure that id->index does not overflow commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream. The ALSA control code expects that the range of assigned indices to a control is continuous and does not overflow. Currently there are no checks to enforce this. If a control with a overflowing index range is created that control becomes effectively inaccessible and unremovable since snd_ctl_find_id() will not be able to find it. This patch adds a check that makes sure that controls with a overflowing index range can not be created. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ab59a4b59f1e0aa0b2279be893a39a406c938c21 Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:34 2014 +0200 ALSA: control: Handle numid overflow commit ac902c112d90a89e59916f751c2745f4dbdbb4bd upstream. Each control gets automatically assigned its numids when the control is created. The allocation is done by incrementing the numid by the amount of allocated numids per allocation. This means that excessive creation and destruction of controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to eventually overflow. Currently when this happens for the control that caused the overflow kctl->id.numid + kctl->count will also over flow causing it to be smaller than kctl->id.numid. Most of the code assumes that this is something that can not happen, so we need to make sure that it won't happen Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 291cd312b3c2826892299a74249fc9a88fb3305f Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:33 2014 +0200 ALSA: control: Don't access controls outside of protected regions commit fd9f26e4eca5d08a27d12c0933fceef76ed9663d upstream. A control that is visible on the card->controls list can be freed at any time. This means we must not access any of its memory while not holding the controls_rw_lock. Otherwise we risk a use after free access. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8e6cbc9765746148dbebd35b2531f31b3ee8dbf8 Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:32 2014 +0200 ALSA: control: Fix replacing user controls commit 82262a46627bebb0febcc26664746c25cef08563 upstream. There are two issues with the current implementation for replacing user controls. The first is that the code does not check if the control is actually a user control and neither does it check if the control is owned by the process that tries to remove it. That allows userspace applications to remove arbitrary controls, which can cause a user after free if a for example a driver does not expect a control to be removed from under its feed. The second issue is that on one hand when a control is replaced the user_ctl_count limit is not checked and on the other hand the user_ctl_count is increased (even though the number of user controls does not change). This allows userspace, once the user_ctl_count limit as been reached, to repeatedly replace a control until user_ctl_count overflows. Once that happens new controls can be added effectively bypassing the user_ctl_count limit. Both issues can be fixed by instead of open-coding the removal of the control that is to be replaced to use snd_ctl_remove_user_ctl(). This function does proper permission checks as well as decrements user_ctl_count after the control has been removed. Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at beginning of the function if the control already exists is removed. This is not a problem though since the check is quite useless, because the lock that is protecting the control list is released between the check and before adding the new control to the list, which means that it is possible that a different control with the same settings is added to the list after the check. Luckily there is another check that is done while holding the lock in snd_ctl_add(), so we'll rely on that to make sure that the same control is not added twice. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e4036860a70f956370a18ef06a19fa10a25990d2 Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:31 2014 +0200 ALSA: control: Protect user controls against concurrent access commit 07f4d9d74a04aa7c72c5dae0ef97565f28f17b92 upstream. The user-control put and get handlers as well as the tlv do not protect against concurrent access from multiple threads. Since the state of the control is not updated atomically it is possible that either two write operations or a write and a read operation race against each other. Both can lead to arbitrary memory disclosure. This patch introduces a new lock that protects user-controls from concurrent access. Since applications typically access controls sequentially than in parallel a single lock per card should be fine. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 118264918814946dd5ce4c87f1c643f2d20e70f6 Author: Kailang Yang Date: Thu Jun 5 11:13:44 2014 +0800 ALSA: hda/realtek - Add support of ALC891 codec commit b6c5fbad16aa5026f508093a8d651c25e1cb6179 upstream. New codec support for ALC891. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3f8f4ae48f4023e1c53722b1dc1a7ab897cbca14 Author: Thomas Gleixner Date: Fri Nov 29 12:18:13 2013 +0100 nohz: Fix another inconsistency between CONFIG_NO_HZ=n and nohz=off commit 0e576acbc1d9600cf2d9b4a141a2554639959d50 upstream. If CONFIG_NO_HZ=n tick_nohz_get_sleep_length() returns NSEC_PER_SEC/HZ. If CONFIG_NO_HZ=y and the nohz functionality is disabled via the command line option "nohz=off" or not enabled due to missing hardware support, then tick_nohz_get_sleep_length() returns 0. That happens because ts->sleep_length is never set in that case. Set it to NSEC_PER_SEC/HZ when the NOHZ mode is inactive. Reported-by: Michal Hocko Reported-by: Borislav Petkov Signed-off-by: Thomas Gleixner Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 7be9d6cd4b57ebd5b344e4a006c0aa6e7a08aba3 Author: Johan Hovold Date: Mon May 26 19:23:45 2014 +0200 USB: cdc-acm: fix runtime PM imbalance at shutdown commit 5292afa657d0e790b7479ad8eef9450c1e040b3d upstream. Make sure only to decrement the PM counters if they were actually incremented. Note that the USB PM counter, but not necessarily the driver core PM counter, is reset when the interface is unbound. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 8fd20d5a377f5baa510a804a3b2c9b21d31bb445 Author: Johan Hovold Date: Mon May 26 19:23:44 2014 +0200 USB: cdc-acm: fix I/O after failed open commit e4c36076c2a6195ec62c35b03c3fde84d0087dc8 upstream. Make sure to kill any already submitted read urbs on read-urb submission failures in open in order to prevent doing I/O for a closed port. Fixes: 088c64f81284 ("USB: cdc-acm: re-write read processing") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 181614f0f226983c59be4f6e11eecd333bfd933b Author: Johan Hovold Date: Mon May 26 19:23:40 2014 +0200 USB: cdc-acm: fix shutdown and suspend race commit ed797074031a37bb9bf4a70952fffc606b77274d upstream. We should stop I/O unconditionally at suspend rather than rely on the tty-port initialised flag (which is set prior to stopping I/O during shutdown) in order to prevent suspend returning with URBs still active. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 9f81ca861395bb48d06493d8b0e8d5e798913074 Author: Johan Hovold Date: Mon May 26 19:23:39 2014 +0200 USB: cdc-acm: fix runtime PM for control messages commit bae3f4c53585e9a170da9436e0f06919874bda9a upstream. Fix runtime PM handling of control messages by adding the required PM counter operations. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 21ffba35838100b5d332a75b418f9de43080d406 Author: Johan Hovold Date: Mon May 26 19:23:38 2014 +0200 USB: cdc-acm: fix broken runtime suspend commit 140cb81ac8c625942a1d695875932c615767a526 upstream. The current ACM runtime-suspend implementation is broken in several ways: Firstly, it buffers only the first write request being made while suspended -- any further writes are silently dropped. Secondly, writes being dropped also leak write urbs, which are never reclaimed (until the device is unbound). Thirdly, even the single buffered write is not cleared at shutdown (which may happen before the device is resumed), something which can lead to another urb leak as well as a PM usage-counter leak. Fix this by implementing a delayed-write queue using urb anchors and making sure to discard the queue properly at shutdown. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Reported-by: Xiao Jin Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 97e72c4aa615b5ed6a7c4b22b9fa766679c749bc Author: Johan Hovold Date: Mon May 26 19:23:37 2014 +0200 USB: cdc-acm: fix write and resume race commit e144ed28bed10684f9aaec6325ed974d53f76110 upstream. Fix race between write() and resume() due to improper locking that could lead to writes being reordered. Resume must be done atomically and susp_count be protected by the write_lock in order to prevent racing with write(). This could otherwise lead to writes being reordered if write() grabs the write_lock after susp_count is decremented, but before the delayed urb is submitted. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit be7978bb5b91ef7168a93cf91acd672dfb65f0d0 Author: Johan Hovold Date: Mon May 26 19:23:36 2014 +0200 USB: cdc-acm: fix write and suspend race commit 5a345c20c17d87099224a4be12e69e5bd7023dca upstream. Fix race between write() and suspend() which could lead to writes being dropped (or I/O while suspended) if the device is runtime suspended while a write request is being processed. Specifically, suspend() releases the write_lock after determining the device is idle but before incrementing the susp_count, thus leaving a window where a concurrent write() can submit an urb. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 6fa2946224569a4f3f975f86193c02c754acc9d8 Author: Michal Schmidt Date: Mon Jun 2 18:25:02 2014 +0200 netlink: rate-limit leftover bytes warning and print process name [ Upstream commit bfc5184b69cf9eeb286137640351c650c27f118a ] Any process is able to send netlink messages with leftover bytes. Make the warning rate-limited to prevent too much log spam. The warning is supposed to help find userspace bugs, so print the triggering command name to implicate the buggy program. [v2: Use pr_warn_ratelimited instead of printk_ratelimited.] Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6ddc168fe00751a47139f5e6fd432aea799c654d Author: Wei Yang Date: Sun Jun 1 15:25:20 2014 +0800 net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one() [ Upstream commit befdf8978accecac2e0739e6b5075afc62db37fe ] This patch wrap up a helper function __mlx4_remove_one() which does the tear down function but preserve the drv_data. Functions like mlx4_pci_err_detected() and mlx4_restart_one() will call this one with out releasing drvdata. Signed-off-by: Wei Yang Signed-off-by: Greg Kroah-Hartman commit ff2005a4a5ba32505030b0bcb3c2a163ea417c53 Author: Wei Yang Date: Sun Jun 1 15:25:19 2014 +0800 mlx4_core: Stash PCI ID driver_data in mlx4_priv structure [ No upstream commit, this is a cherry picked backport enabler. ] From: Roland Dreier That way we can check flags later on, when we've finished with the pci_device_id structure. Also convert the "is VF" flag to an enum: "Never do in the preprocessor what can be done in C." Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 3309a9750b319afc809caa29b8091e9746ec8ce0 Author: Xufeng Zhang Date: Thu Jun 12 10:53:36 2014 +0800 sctp: Fix sk_ack_backlog wrap-around problem [ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ] Consider the scenario: For a TCP-style socket, while processing the COOKIE_ECHO chunk in sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check, a new association would be created in sctp_unpack_cookie(), but afterwards, some processing maybe failed, and sctp_association_free() will be called to free the previously allocated association, in sctp_association_free(), sk_ack_backlog value is decremented for this socket, since the initial value for sk_ack_backlog is 0, after the decrement, it will be 65535, a wrap-around problem happens, and if we want to establish new associations afterward in the same socket, ABORT would be triggered since sctp deem the accept queue as full. Fix this issue by only decrementing sk_ack_backlog for associations in the endpoint's list. Fix-suggested-by: Neil Horman Signed-off-by: Xufeng Zhang Acked-by: Daniel Borkmann Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 843c0172bce9a30d77c85f33268b1469ead716ad Author: Jiri Pirko Date: Thu May 29 20:46:17 2014 +0200 team: fix mtu setting [ Upstream commit 9d0d68faea6962d62dd501cd6e71ce5cc8ed262b ] Now it is not possible to set mtu to team device which has a port enslaved to it. The reason is that when team_change_mtu() calls dev_set_mtu() for port device, notificator for NETDEV_PRECHANGEMTU event is called and team_device_event() returns NOTIFY_BAD forbidding the change. So fix this by returning NOTIFY_DONE here in case team is changing mtu in team_change_mtu(). Introduced-by: 3d249d4c "net: introduce ethernet teaming device" Signed-off-by: Jiri Pirko Acked-by: Flavio Leitner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0a4474aaad97472efcd10a3e8d897d5798206f0e Author: Eric Dumazet Date: Thu May 29 08:45:14 2014 -0700 net: fix inet_getid() and ipv6_select_ident() bugs [ Upstream commit 39c36094d78c39e038c1e499b2364e13bce36f54 ] I noticed we were sending wrong IPv4 ID in TCP flows when MTU discovery is disabled. Note how GSO/TSO packets do not have monotonically incrementing ID. 06:37:41.575531 IP (id 14227, proto: TCP (6), length: 4396) 06:37:41.575534 IP (id 14272, proto: TCP (6), length: 65212) 06:37:41.575544 IP (id 14312, proto: TCP (6), length: 57972) 06:37:41.575678 IP (id 14317, proto: TCP (6), length: 7292) 06:37:41.575683 IP (id 14361, proto: TCP (6), length: 63764) It appears I introduced this bug in linux-3.1. inet_getid() must return the old value of peer->ip_id_count, not the new one. Lets revert this part, and remove the prevention of a null identification field in IPv6 Fragment Extension Header, which is dubious and not even done properly. Fixes: 87c48fa3b463 ("ipv6: make fragment identifications less predictable") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d0e49724c557974bb109ffee5cd3eb4864b8cc1d Author: Tom Gundersen Date: Thu May 15 23:21:30 2014 +0200 net: tunnels - enable module autoloading [ Upstream commit f98f89a0104454f35a62d681683c844f6dbf4043 ] Enable the module alias hookup to allow tunnel modules to be autoloaded on demand. This is in line with how most other netdev kinds work, and will allow userspace to create tunnels without having CAP_SYS_MODULE. Signed-off-by: Tom Gundersen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 12a38b8f1dd7c65d01aa4c759f29a700c194ecec Author: Mimi Zohar Date: Sun May 11 00:05:23 2014 -0400 evm: prohibit userspace writing 'security.evm' HMAC value commit 2fb1c9a4f2dbc2f0bd2431c7fa64d0b5483864e4 upstream. Calculating the 'security.evm' HMAC value requires access to the EVM encrypted key. Only the kernel should have access to it. This patch prevents userspace tools(eg. setfattr, cp --preserve=xattr) from setting/modifying the 'security.evm' HMAC value directly. Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman commit 7f53daea4dd53f43dd10ac24f752f74063abe4fa Author: Nicholas Bellinger Date: Thu Jun 5 18:08:57 2014 -0700 iscsi-target: Reject mutual authentication with reflected CHAP_C commit 1d2b60a5545942b1376cb48c1d55843d71e3a08f upstream. This patch adds an explicit check in chap_server_compute_md5() to ensure the CHAP_C value received from the initiator during mutual authentication does not match the original CHAP_C provided by the target. This is in line with RFC-3720, section 8.2.1: Originators MUST NOT reuse the CHAP challenge sent by the Responder for the other direction of a bidirectional authentication. Responders MUST check for this condition and close the iSCSI TCP connection if it occurs. Reported-by: Tejas Vaykole Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman