4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 11 Oct 2018 09:23:05 +0000 (11:23 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 11 Oct 2018 09:23:05 +0000 (11:23 +0200)
added patches:
cgroup-fix-deadlock-in-cpu-hotplug-path.patch
ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
ext4-always-verify-the-magic-number-in-xattr-blocks.patch

queue-4.4/cgroup-fix-deadlock-in-cpu-hotplug-path.patch [new file with mode: 0644]
queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch [new file with mode: 0644]
queue-4.4/ext4-always-verify-the-magic-number-in-xattr-blocks.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/cgroup-fix-deadlock-in-cpu-hotplug-path.patch b/queue-4.4/cgroup-fix-deadlock-in-cpu-hotplug-path.patch
new file mode 100644 (file)
index 0000000..5b68f9d
--- /dev/null
@@ -0,0 +1,81 @@
+From 116d2f7496c51b2e02e8e4ecdd2bdf5fb9d5a641 Mon Sep 17 00:00:00 2001
+From: Prateek Sood <prsood@codeaurora.org>
+Date: Tue, 19 Dec 2017 12:56:57 +0530
+Subject: cgroup: Fix deadlock in cpu hotplug path
+
+From: Prateek Sood <prsood@codeaurora.org>
+
+commit 116d2f7496c51b2e02e8e4ecdd2bdf5fb9d5a641 upstream.
+
+Deadlock during cgroup migration from cpu hotplug path when a task T is
+being moved from source to destination cgroup.
+
+kworker/0:0
+cpuset_hotplug_workfn()
+   cpuset_hotplug_update_tasks()
+      hotplug_update_tasks_legacy()
+        remove_tasks_in_empty_cpuset()
+          cgroup_transfer_tasks() // stuck in iterator loop
+            cgroup_migrate()
+              cgroup_migrate_add_task()
+
+In cgroup_migrate_add_task() it checks for PF_EXITING flag of task T.
+Task T will not migrate to destination cgroup. css_task_iter_start()
+will keep pointing to task T in loop waiting for task T cg_list node
+to be removed.
+
+Task T
+do_exit()
+  exit_signals() // sets PF_EXITING
+  exit_task_namespaces()
+    switch_task_namespaces()
+      free_nsproxy()
+        put_mnt_ns()
+          drop_collected_mounts()
+            namespace_unlock()
+              synchronize_rcu()
+                _synchronize_rcu_expedited()
+                  schedule_work() // on cpu0 low priority worker pool
+                  wait_event() // waiting for work item to execute
+
+Task T inserted a work item in the worklist of cpu0 low priority
+worker pool. It is waiting for expedited grace period work item
+to execute. This work item will only be executed once kworker/0:0
+complete execution of cpuset_hotplug_workfn().
+
+kworker/0:0 ==> Task T ==>kworker/0:0
+
+In case of PF_EXITING task being migrated from source to destination
+cgroup, migrate next available task in source cgroup.
+
+Signed-off-by: Prateek Sood <prsood@codeaurora.org>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+[AmitP: Upstream commit cherry-pick failed, so I picked the
+        backported changes from CAF/msm-4.9 tree instead:
+        https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=49b74f1696417b270c89cd893ca9f37088928078]
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+This patch can be cleanly applied and build tested on 4.4.y and 3.18.y
+as well but I couldn't find it in msm-4.4 and msm-3.18 trees. So this
+patch is really untested on those stable trees.
+Build tested on 4.9.131, 4.4.159 and 3.18.123 for ARCH=arm/arm64 allmodconfig.
+
+ kernel/cgroup.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -4083,7 +4083,11 @@ int cgroup_transfer_tasks(struct cgroup
+        */
+       do {
+               css_task_iter_start(&from->self, &it);
+-              task = css_task_iter_next(&it);
++
++              do {
++                      task = css_task_iter_next(&it);
++              } while (task && (task->flags & PF_EXITING));
++
+               if (task)
+                       get_task_struct(task);
+               css_task_iter_end(&it);
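Review bot: The new inner loop `do { task = css_task_iter_next(&it); } while (task && (task->flags & PF_EXITING));` carries no comment, and the reason exiting tasks are skipped (the worker-to-exiting-task dependency described in the patch log) is not recoverable from the code; a comment above it such as `/* Skip PF_EXITING tasks: cgroup_migrate_add_task() refuses them, and re-picking the same task would spin this worker while the task waits on work queued to it. */` would keep that from being lost. The flag is read with no serialization visible in the hunk, so a task that starts exiting after the test is presumably still handed to cgroup_migrate() and skipped there; that looks acceptable if the outer do-loop retries and the next pass skips it, but the comment should say so. The backport note above the diffstat states this is build-tested only on 4.4.y, so it would be worth a runtime check on a hotplug test before shipping. cgroup_transfer_tasks() begins and ends outside the hunk.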
diff --git a/queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch b/queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
new file mode 100644 (file)
index 0000000..04d2eb5
--- /dev/null
@@ -0,0 +1,102 @@
+From 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 13 Jun 2018 00:23:11 -0400
+Subject: ext4: add corruption check in ext4_xattr_set_entry()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d upstream.
+
+In theory this should have been caught earlier when the xattr list was
+verified, but in case it got missed, it's simple enough to add check
+to make sure we don't overrun the xattr buffer.
+
+This addresses CVE-2018-10879.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200001
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+[bwh: Backported to 3.16:
+ - Add inode parameter to ext4_xattr_set_entry() and update callers
+ - Return -EIO instead of -EFSCORRUPTED on error
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+[adjusted for 4.4 context]
+Signed-off-by: Daniel Rosenberg <drosen@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/xattr.c |   22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -638,14 +638,20 @@ static size_t ext4_xattr_free_space(stru
+ }
+ static int
+-ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s)
++ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s,
++                   struct inode *inode)
+ {
+-      struct ext4_xattr_entry *last;
++      struct ext4_xattr_entry *last, *next;
+       size_t free, min_offs = s->end - s->base, name_len = strlen(i->name);
+       /* Compute min_offs and last. */
+       last = s->first;
+-      for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
++      for (; !IS_LAST_ENTRY(last); last = next) {
++              next = EXT4_XATTR_NEXT(last);
++              if ((void *)next >= s->end) {
++                      EXT4_ERROR_INODE(inode, "corrupted xattr entries");
++                      return -EIO;
++              }
+               if (!last->e_value_block && last->e_value_size) {
+                       size_t offs = le16_to_cpu(last->e_value_offs);
+                       if (offs < min_offs)
+@@ -825,7 +831,7 @@ ext4_xattr_block_set(handle_t *handle, s
+                               ce = NULL;
+                       }
+                       ea_bdebug(bs->bh, "modifying in-place");
+-                      error = ext4_xattr_set_entry(i, s);
++                      error = ext4_xattr_set_entry(i, s, inode);
+                       if (!error) {
+                               if (!IS_LAST_ENTRY(s->first))
+                                       ext4_xattr_rehash(header(s->base),
+@@ -875,7 +881,7 @@ ext4_xattr_block_set(handle_t *handle, s
+               s->end = s->base + sb->s_blocksize;
+       }
+-      error = ext4_xattr_set_entry(i, s);
++      error = ext4_xattr_set_entry(i, s, inode);
+       if (error == -EFSCORRUPTED)
+               goto bad_block;
+       if (error)
+@@ -1037,7 +1043,7 @@ int ext4_xattr_ibody_inline_set(handle_t
+       if (EXT4_I(inode)->i_extra_isize == 0)
+               return -ENOSPC;
+-      error = ext4_xattr_set_entry(i, s);
++      error = ext4_xattr_set_entry(i, s, inode);
+       if (error) {
+               if (error == -ENOSPC &&
+                   ext4_has_inline_data(inode)) {
+@@ -1049,7 +1055,7 @@ int ext4_xattr_ibody_inline_set(handle_t
+                       error = ext4_xattr_ibody_find(inode, i, is);
+                       if (error)
+                               return error;
+-                      error = ext4_xattr_set_entry(i, s);
++                      error = ext4_xattr_set_entry(i, s, inode);
+               }
+               if (error)
+                       return error;
+@@ -1075,7 +1081,7 @@ static int ext4_xattr_ibody_set(handle_t
+       if (EXT4_I(inode)->i_extra_isize == 0)
+               return -ENOSPC;
+-      error = ext4_xattr_set_entry(i, s);
++      error = ext4_xattr_set_entry(i, s, inode);
+       if (error)
+               return error;
+       header = IHDR(inode, ext4_raw_inode(&is->iloc));
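Review bot: The new guard returns `-EIO` for corrupted entries, but the caller ext4_xattr_block_set() shown later in this same patch only takes its bad-block path on `if (error == -EFSCORRUPTED) goto bad_block;`, and the third patch in this commit shows 4.4's xattr.c already returns -EFSCORRUPTED elsewhere; the -EIO appears inherited from the 3.16 backport note rather than chosen for 4.4, so `return -EFSCORRUPTED;` would keep the corruption path consistent with the rest of the file. Separately, `if ((void *)next >= s->end)` only bounds where the next entry starts, while the loop's `IS_LAST_ENTRY(last)` test and the `last->e_value_block`, `e_value_size` and `e_value_offs` reads in the body dereference header fields at that address, so an entry whose header straddles `s->end` still passes the guard; consider also rejecting `next` when a full `struct ext4_xattr_entry` does not fit before `s->end`. ext4_xattr_set_entry() continues past the hunk.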
diff --git a/queue-4.4/ext4-always-verify-the-magic-number-in-xattr-blocks.patch b/queue-4.4/ext4-always-verify-the-magic-number-in-xattr-blocks.patch
new file mode 100644 (file)
index 0000000..c770523
--- /dev/null
@@ -0,0 +1,49 @@
+From 513f86d73855ce556ea9522b6bfd79f87356dc3a Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 13 Jun 2018 00:51:28 -0400
+Subject: ext4: always verify the magic number in xattr blocks
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 513f86d73855ce556ea9522b6bfd79f87356dc3a upstream.
+
+If there an inode points to a block which is also some other type of
+metadata block (such as a block allocation bitmap), the
+buffer_verified flag can be set when it was validated as that other
+metadata block type; however, it would make a really terrible external
+attribute block.  The reason why we use the verified flag is to avoid
+constantly reverifying the block.  However, it doesn't take much
+overhead to make sure the magic number of the xattr block is correct,
+and this will avoid potential crashes.
+
+This addresses CVE-2018-10879.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200001
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+[Backported to 4.4: adjust context]
+Signed-off-by: Daniel Rosenberg <drosen@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/xattr.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -220,12 +220,12 @@ ext4_xattr_check_block(struct inode *ino
+ {
+       int error;
+-      if (buffer_verified(bh))
+-              return 0;
+-
+       if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) ||
+           BHDR(bh)->h_blocks != cpu_to_le32(1))
+               return -EFSCORRUPTED;
++      if (buffer_verified(bh))
++              return 0;
++
+       if (!ext4_xattr_block_csum_verify(inode, bh->b_blocknr, BHDR(bh)))
+               return -EFSBADCRC;
+       error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size,
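Review bot: The reordering loses the rationale from the patch log: the `buffer_verified(bh)` early return now sits after the magic/h_blocks test with no comment, and a later reader may be tempted to hoist it back above for the fast path. Suggest a comment above the magic test, e.g. `/* The verified bit may have been set when this block was validated as a different metadata type, so check the xattr magic unconditionally before trusting it. */`. ext4_xattr_check_block() continues beyond the hunk.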
index 445eba8fcfde691751af8fd9c07f50fcd80794ac..f1b2c6d45eac8cc45b747277484eb5c7f17f81c1 100644 (file)
@@ -9,3 +9,6 @@ dm-cache-fix-resize-crash-if-user-doesn-t-reload-cache-table.patch
 xhci-add-missing-cas-workaround-for-intel-sunrise-point-xhci.patch
 usb-serial-simple-add-motorola-tetra-mtp6550-id.patch
 of-unittest-disable-interrupt-node-tests-for-old-world-mac-systems.patch
+ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
+ext4-always-verify-the-magic-number-in-xattr-blocks.patch
+cgroup-fix-deadlock-in-cpu-hotplug-path.patch