user/sven/linux.git, branch v2.6.32.71

Linux 2.6.32.71

2016-03-12T13:25:48Z

Signed-off-by: Willy Tarreau

iw_cxgb3: Fix incorrectly returning error on success

2016-03-12T13:25:48Z

commit 67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3 upstream. The cxgb3_*_send() functions return NET_XMIT_ values, which are positive integers values. So don't treat positive return values as an error. Signed-off-by: Steve Wise Signed-off-by: Hariprasad Shenai Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings Signed-off-by: Willy Tarreau

RDMA/cxgb3: Don't free skbs on NET_XMIT_* indications from LLD

2016-03-12T13:25:48Z

commit 73a203d2014f50d874b9e40083ad481ca70408e8 upstream. The low level cxgb3 driver can return NET_XMIT_CN and friends. The iw_cxgb3 driver should _not_ treat these as errors. Signed-off-by: Steve Wise Signed-off-by: Roland Dreier Signed-off-by: Ben Hutchings Signed-off-by: Willy Tarreau

ALSA: seq: Fix race at timer setup and close

2016-03-12T13:25:48Z

commit 3567eb6af614dac436c4b16a8d426f9faed639b3 upstream. ALSA sequencer code has an open race between the timer setup ioctl and the close of the client. This was triggered by syzkaller fuzzer, and a use-after-free was caught there as a result. This patch papers over it by adding a proper queue->timer_mutex lock around the timer-related calls in the relevant code path. Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings Signed-off-by: Willy Tarreau

ALSA: seq: Fix missing NULL check at remove_events ioctl

2016-03-12T13:25:47Z

commit 030e2c78d3a91dd0d27fef37e91950dde333eba1 upstream. snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear() unconditionally even if there is no FIFO assigned, and this leads to an Oops due to NULL dereference. The fix is just to add a proper NULL check. Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings Signed-off-by: Willy Tarreau

ALSA: usb-audio: avoid freeing umidi object twice

2016-03-12T13:25:47Z

commit 07d86ca93db7e5cdf4743564d98292042ec21af7 upstream. The 'umidi' object will be free'd on the error path by snd_usbmidi_free() when tearing down the rawmidi interface. So we shouldn't try to free it in snd_usbmidi_create() after having registered the rawmidi interface. Found by KASAN. Signed-off-by: Andrey Konovalov Acked-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings [wt: file is sound/midi/usbmidi.c in 2.6.32] Signed-off-by: Willy Tarreau

ALSA: timer: Fix race at concurrent reads

2016-03-12T13:25:47Z

commit 4dff5c7b7093b19c19d3a100f8a3ad87cb7cd9e7 upstream. snd_timer_user_read() has a potential race among parallel reads, as qhead and qused are updated outside the critical section due to copy_to_user() calls. Move them into the critical section, and also sanitize the relevant code a bit. Signed-off-by: Takashi Iwai [bwh: Backported to 3.2: there's no check for tu->connected to fix up] Signed-off-by: Ben Hutchings Signed-off-by: Willy Tarreau

ALSA: timer: Fix wrong instance passed to slave callbacks

2016-03-12T13:25:47Z

commit 117159f0b9d392fb433a7871426fad50317f06f7 upstream. In snd_timer_notify1(), the wrong timer instance was passed for slave ccallback function. This leads to the access to the wrong data when an incompatible master is handled (e.g. the master is the sequencer timer and the slave is a user timer), as spotted by syzkaller fuzzer. This patch fixes that wrong assignment. BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.com Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings Signed-off-by: Willy Tarreau

ALSA: timer: Fix race among timer ioctls

2016-03-12T13:25:47Z

commit af368027a49a751d6ff4ee9e3f9961f35bb4fede upstream. ALSA timer ioctls have an open race and this may lead to a use-after-free of timer instance object. A simplistic fix is to make each ioctl exclusive. We have already tread_sem for controlling the tread, and extend this as a global mutex to be applied to each ioctl. The downside is, of course, the worse concurrency. But these ioctls aren't to be parallel accessible, in anyway, so it should be fine to serialize there. Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings Signed-off-by: Willy Tarreau

ALSA: timer: Fix leftover link at closing

2016-03-12T13:25:47Z

commit 094fd3be87b0f102589e2d5c3fa5d06b7e20496d upstream. In ALSA timer core, the active timer instance is managed in active_list linked list. Each element is added / removed dynamically at timer start, stop and in timer interrupt. The problem is that snd_timer_interrupt() has a thinko and leaves the element in active_list when it's the last opened element. This eventually leads to list corruption or use-after-free error. This hasn't been revealed because we used to delete the list forcibly in snd_timer_stop() in the past. However, the recent fix avoids the double-stop behavior (in commit [f784beb75ce8: ALSA: timer: Fix link corruption due to double start or stop]), and this leak hits reality. This patch fixes the link management in snd_timer_interrupt(). Now it simply unlinks no matter which stream is. BugLink: http://lkml.kernel.org/r/CACT4Y+Yy2aukHP-EDp8-ziNqNNmb-NTf=jDWXMP7jB8HDa2vng@mail.gmail.com Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings Signed-off-by: Willy Tarreau