--- /dev/null
+From 37a7ea4a9b81f6a864c10a7cb0b96458df5310a3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 6 Feb 2017 15:09:48 +0100
+Subject: ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 37a7ea4a9b81f6a864c10a7cb0b96458df5310a3 upstream.
+
+snd_seq_pool_done() syncs with closing of all opened threads, but it
+aborts the wait loop with a timeout, and proceeds to the release
+resource even if not all threads have been closed. The timeout was 5
+seconds, and if you run a crazy stuff, it can exceed easily, and may
+result in the access of the invalid memory address -- this is what
+syzkaller detected in a bug report.
+
+As a fix, let the code graduate from naiveness, simply remove the loop
+timeout.
+
+BugLink: http://lkml.kernel.org/r/CACT4Y+YdhDV2H5LLzDTJDVF-qiYHUHhtRaW4rbb4gUhTCQB81w@mail.gmail.com
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_memory.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/sound/core/seq/seq_memory.c
++++ b/sound/core/seq/seq_memory.c
+@@ -419,7 +419,6 @@ int snd_seq_pool_done(struct snd_seq_poo
+ {
+ unsigned long flags;
+ struct snd_seq_event_cell *ptr;
+- int max_count = 5 * HZ;
+
+ if (snd_BUG_ON(!pool))
+ return -EINVAL;
+@@ -432,14 +431,8 @@ int snd_seq_pool_done(struct snd_seq_poo
+ if (waitqueue_active(&pool->output_sleep))
+ wake_up(&pool->output_sleep);
+
+- while (atomic_read(&pool->counter) > 0) {
+- if (max_count == 0) {
+- pr_warn("ALSA: snd_seq_pool_done timeout: %d cells remain\n", atomic_read(&pool->counter));
+- break;
+- }
++ while (atomic_read(&pool->counter) > 0)
+ schedule_timeout_uninterruptible(1);
+- max_count--;
+- }
+
+ /* release all resources */
+ spin_lock_irqsave(&pool->lock, flags);
--- /dev/null
+From 4842e98f26dd80be3623c4714a244ba52ea096a8 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 8 Feb 2017 12:35:39 +0100
+Subject: ALSA: seq: Fix race at creating a queue
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 4842e98f26dd80be3623c4714a244ba52ea096a8 upstream.
+
+When a sequencer queue is created in snd_seq_queue_alloc(),it adds the
+new queue element to the public list before referencing it. Thus the
+queue might be deleted before the call of snd_seq_queue_use(), and it
+results in the use-after-free error, as spotted by syzkaller.
+
+The fix is to reference the queue object at the right time.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_queue.c | 33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+--- a/sound/core/seq/seq_queue.c
++++ b/sound/core/seq/seq_queue.c
+@@ -181,6 +181,8 @@ void __exit snd_seq_queues_delete(void)
+ }
+ }
+
++static void queue_use(struct snd_seq_queue *queue, int client, int use);
++
+ /* allocate a new queue -
+ * return queue index value or negative value for error
+ */
+@@ -192,11 +194,11 @@ int snd_seq_queue_alloc(int client, int
+ if (q == NULL)
+ return -ENOMEM;
+ q->info_flags = info_flags;
++ queue_use(q, client, 1);
+ if (queue_list_add(q) < 0) {
+ queue_delete(q);
+ return -ENOMEM;
+ }
+- snd_seq_queue_use(q->queue, client, 1); /* use this queue */
+ return q->queue;
+ }
+
+@@ -502,19 +504,9 @@ int snd_seq_queue_timer_set_tempo(int qu
+ return result;
+ }
+
+-
+-/* use or unuse this queue -
+- * if it is the first client, starts the timer.
+- * if it is not longer used by any clients, stop the timer.
+- */
+-int snd_seq_queue_use(int queueid, int client, int use)
++/* use or unuse this queue */
++static void queue_use(struct snd_seq_queue *queue, int client, int use)
+ {
+- struct snd_seq_queue *queue;
+-
+- queue = queueptr(queueid);
+- if (queue == NULL)
+- return -EINVAL;
+- mutex_lock(&queue->timer_mutex);
+ if (use) {
+ if (!test_and_set_bit(client, queue->clients_bitmap))
+ queue->clients++;
+@@ -529,6 +521,21 @@ int snd_seq_queue_use(int queueid, int c
+ } else {
+ snd_seq_timer_close(queue);
+ }
++}
++
++/* use or unuse this queue -
++ * if it is the first client, starts the timer.
++ * if it is not longer used by any clients, stop the timer.
++ */
++int snd_seq_queue_use(int queueid, int client, int use)
++{
++ struct snd_seq_queue *queue;
++
++ queue = queueptr(queueid);
++ if (queue == NULL)
++ return -EINVAL;
++ mutex_lock(&queue->timer_mutex);
++ queue_use(queue, client, use);
+ mutex_unlock(&queue->timer_mutex);
+ queuefree(queue);
+ return 0;
--- /dev/null
+From 8af8e1c22f9994bb1849c01d66c24fe23f9bc9a0 Mon Sep 17 00:00:00 2001
+From: Dave Carroll <david.carroll@microsemi.com>
+Date: Thu, 9 Feb 2017 11:04:47 -0700
+Subject: scsi: aacraid: Fix INTx/MSI-x issue with older controllers
+
+From: Dave Carroll <david.carroll@microsemi.com>
+
+commit 8af8e1c22f9994bb1849c01d66c24fe23f9bc9a0 upstream.
+
+commit 78cbccd3bd68 ("aacraid: Fix for KDUMP driver hang")
+
+caused a problem on older controllers which do not support MSI-x (namely
+ASR3405,ASR3805). This patch conditionalizes the previous patch to
+controllers which support MSI-x
+
+Fixes: 78cbccd3bd68 ("aacraid: Fix for KDUMP driver hang")
+Reported-by: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com>
+Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
+Reviewed-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/aacraid/comminit.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/aacraid/comminit.c
++++ b/drivers/scsi/aacraid/comminit.c
+@@ -50,9 +50,13 @@ struct aac_common aac_config = {
+
+ static inline int aac_is_msix_mode(struct aac_dev *dev)
+ {
+- u32 status;
++ u32 status = 0;
+
+- status = src_readl(dev, MUnit.OMR);
++ if (dev->pdev->device == PMC_DEVICE_S6 ||
++ dev->pdev->device == PMC_DEVICE_S7 ||
++ dev->pdev->device == PMC_DEVICE_S8) {
++ status = src_readl(dev, MUnit.OMR);
++ }
+ return (status & AAC_INT_MODE_MSIX);
+ }
+
--- /dev/null
+From ffdadd68af5a397b8a52289ab39d62e1acb39e63 Mon Sep 17 00:00:00 2001
+From: ojab <ojab@ojab.ru>
+Date: Wed, 28 Dec 2016 11:05:24 +0000
+Subject: scsi: mpt3sas: disable ASPM for MPI2 controllers
+
+From: ojab <ojab@ojab.ru>
+
+commit ffdadd68af5a397b8a52289ab39d62e1acb39e63 upstream.
+
+MPI2 controllers sometimes got lost (i.e. disappear from
+/sys/bus/pci/devices) if ASMP is enabled.
+
+Signed-off-by: Slava Kardakov <ojab@ojab.ru>
+Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=60644
+Acked-by: Sreekanth Reddy <Sreekanth.Reddy@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -51,6 +51,7 @@
+ #include <linux/workqueue.h>
+ #include <linux/delay.h>
+ #include <linux/pci.h>
++#include <linux/pci-aspm.h>
+ #include <linux/interrupt.h>
+ #include <linux/aer.h>
+ #include <linux/raid_class.h>
+@@ -8483,6 +8484,8 @@ _scsih_probe(struct pci_dev *pdev, const
+
+ switch (hba_mpi_version) {
+ case MPI2_VERSION:
++ pci_disable_link_state(pdev, PCIE_LINK_STATE_L0S |
++ PCIE_LINK_STATE_L1 | PCIE_LINK_STATE_CLKPM);
+ /* Use mpt2sas driver host template for SAS 2.0 HBA's */
+ shost = scsi_host_alloc(&mpt2sas_driver_template,
+ sizeof(struct MPT3SAS_ADAPTER));
--- /dev/null
+From 2dfa6688aafdc3f74efeb1cf05fb871465d67f79 Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.vnet.ibm.com>
+Date: Wed, 8 Feb 2017 15:34:22 +0100
+Subject: scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send
+
+From: Steffen Maier <maier@linux.vnet.ibm.com>
+
+commit 2dfa6688aafdc3f74efeb1cf05fb871465d67f79 upstream.
+
+Dan Carpenter kindly reported:
+<quote>
+The patch d27a7cb91960: "zfcp: trace on request for open and close of
+WKA port" from Aug 10, 2016, leads to the following static checker
+warning:
+
+ drivers/s390/scsi/zfcp_fsf.c:1615 zfcp_fsf_open_wka_port()
+ warn: 'req' was already freed.
+
+drivers/s390/scsi/zfcp_fsf.c
+ 1609 zfcp_fsf_start_timer(req, ZFCP_FSF_REQUEST_TIMEOUT);
+ 1610 retval = zfcp_fsf_req_send(req);
+ 1611 if (retval)
+ 1612 zfcp_fsf_req_free(req);
+ ^^^
+Freed.
+
+ 1613 out:
+ 1614 spin_unlock_irq(&qdio->req_q_lock);
+ 1615 if (req && !IS_ERR(req))
+ 1616 zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id);
+ ^^^^^^^^^^^
+Use after free.
+
+ 1617 return retval;
+ 1618 }
+
+Same thing for zfcp_fsf_close_wka_port() as well.
+</quote>
+
+Rather than relying on req being NULL (or ERR_PTR) for all cases where
+we don't want to trace or should not trace,
+simply check retval which is unconditionally initialized with -EIO != 0
+and it can only become 0 on successful retval = zfcp_fsf_req_send(req).
+With that we can also remove the then again unnecessary unconditional
+initialization of req which was introduced with that earlier commit.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Suggested-by: Benjamin Block <bblock@linux.vnet.ibm.com>
+Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
+Fixes: d27a7cb91960 ("zfcp: trace on request for open and close of WKA port")
+Reviewed-by: Benjamin Block <bblock@linux.vnet.ibm.com>
+Reviewed-by: Jens Remus <jremus@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/scsi/zfcp_fsf.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_fsf.c
++++ b/drivers/s390/scsi/zfcp_fsf.c
+@@ -1583,7 +1583,7 @@ out:
+ int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port)
+ {
+ struct zfcp_qdio *qdio = wka_port->adapter->qdio;
+- struct zfcp_fsf_req *req = NULL;
++ struct zfcp_fsf_req *req;
+ int retval = -EIO;
+
+ spin_lock_irq(&qdio->req_q_lock);
+@@ -1612,7 +1612,7 @@ int zfcp_fsf_open_wka_port(struct zfcp_f
+ zfcp_fsf_req_free(req);
+ out:
+ spin_unlock_irq(&qdio->req_q_lock);
+- if (req && !IS_ERR(req))
++ if (!retval)
+ zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id);
+ return retval;
+ }
+@@ -1638,7 +1638,7 @@ static void zfcp_fsf_close_wka_port_hand
+ int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port)
+ {
+ struct zfcp_qdio *qdio = wka_port->adapter->qdio;
+- struct zfcp_fsf_req *req = NULL;
++ struct zfcp_fsf_req *req;
+ int retval = -EIO;
+
+ spin_lock_irq(&qdio->req_q_lock);
+@@ -1667,7 +1667,7 @@ int zfcp_fsf_close_wka_port(struct zfcp_
+ zfcp_fsf_req_free(req);
+ out:
+ spin_unlock_irq(&qdio->req_q_lock);
+- if (req && !IS_ERR(req))
++ if (!retval)
+ zfcp_dbf_rec_run_wka("fscwp_1", wka_port, req->req_id);
+ return retval;
+ }
arm-8642-1-lpae-catch-pending-imprecise-abort-on-unmask.patch
mac80211-fix-adding-of-mesh-vendor-ies.patch
netvsc-set-maximum-gso-size-in-the-right-place.patch
+scsi-zfcp-fix-use-after-free-by-not-tracing-wka-port-open-close-on-failed-send.patch
+scsi-aacraid-fix-intx-msi-x-issue-with-older-controllers.patch
+scsi-mpt3sas-disable-aspm-for-mpi2-controllers.patch
+tick-nohz-fix-possible-missing-clock-reprog-after-tick-soft-restart.patch
+xen-netfront-delete-rx_refill_timer-in-xennet_disconnect_backend.patch
+alsa-seq-fix-race-at-creating-a-queue.patch
+alsa-seq-don-t-handle-loop-timeout-at-snd_seq_pool_done.patch
--- /dev/null
+From 7bdb59f1ad474bd7161adc8f923cdef10f2638d1 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <fweisbec@gmail.com>
+Date: Tue, 7 Feb 2017 17:44:54 +0100
+Subject: tick/nohz: Fix possible missing clock reprog after tick soft restart
+
+From: Frederic Weisbecker <fweisbec@gmail.com>
+
+commit 7bdb59f1ad474bd7161adc8f923cdef10f2638d1 upstream.
+
+ts->next_tick keeps track of the next tick deadline in order to optimize
+clock programmation on irq exit and avoid redundant clock device writes.
+
+Now if ts->next_tick missed an update, we may spuriously miss a clock
+reprog later as the nohz code is fooled by an obsolete next_tick value.
+
+This is what happens here on a specific path: when we observe an
+expired timer from the nohz update code on irq exit, we perform a soft
+tick restart which simply fires the closest possible tick without
+actually exiting the nohz mode and restoring a periodic state. But we
+forget to update ts->next_tick accordingly.
+
+As a result, after the next tick resulting from such soft tick restart,
+the nohz code sees a stale value on ts->next_tick which doesn't match
+the clock deadline that just expired. If that obsolete ts->next_tick
+value happens to collide with the actual next tick deadline to be
+scheduled, we may spuriously bypass the clock reprogramming. In the
+worst case, the tick may never fire again.
+
+Fix this with a ts->next_tick reset on soft tick restart.
+
+Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
+Reviewed: Wanpeng Li <wanpeng.li@hotmail.com>
+Acked-by: Rik van Riel <riel@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/1486485894-29173-1-git-send-email-fweisbec@gmail.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/tick-sched.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -613,6 +613,11 @@ static ktime_t tick_nohz_stop_sched_tick
+ if (delta == 0) {
+ /* Tick is stopped, but required now. Enforce it */
+ tick_nohz_restart(ts, now);
++ /*
++ * Make sure next tick stop doesn't get fooled by past
++ * clock deadline
++ */
++ ts->next_tick = 0;
+ goto out;
+ }
+ }
--- /dev/null
+From 74470954857c264168d2b5a113904cf0cfd27d18 Mon Sep 17 00:00:00 2001
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Date: Mon, 30 Jan 2017 12:45:46 -0500
+Subject: xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
+
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+
+commit 74470954857c264168d2b5a113904cf0cfd27d18 upstream.
+
+rx_refill_timer should be deleted as soon as we disconnect from the
+backend since otherwise it is possible for the timer to go off before
+we get to xennet_destroy_queues(). If this happens we may dereference
+queue->rx.sring which is set to NULL in xennet_disconnect_backend().
+
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/xen-netfront.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -1391,6 +1391,8 @@ static void xennet_disconnect_backend(st
+ for (i = 0; i < num_queues && info->queues; ++i) {
+ struct netfront_queue *queue = &info->queues[i];
+
++ del_timer_sync(&queue->rx_refill_timer);
++
+ if (queue->tx_irq && (queue->tx_irq == queue->rx_irq))
+ unbind_from_irqhandler(queue->tx_irq, queue);
+ if (queue->tx_irq && (queue->tx_irq != queue->rx_irq)) {
+@@ -1745,7 +1747,6 @@ static void xennet_destroy_queues(struct
+
+ if (netif_running(info->netdev))
+ napi_disable(&queue->napi);
+- del_timer_sync(&queue->rx_refill_timer);
+ netif_napi_del(&queue->napi);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
