From: Greg Kroah-Hartman Date: Mon, 20 Mar 2017 17:34:24 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.56~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0a71ba3e8aa64637be3b06e9495f296b7ff7e70f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: crypto-powerpc-fix-initialisation-of-crc32c-context.patch futex-add-missing-error-handling-to-futex_requeue_pi.patch futex-fix-potential-use-after-free-in-futex_requeue_pi.patch locking-rwsem-fix-down_write_killable-for-config_rwsem_generic_spinlock-y.patch x86-kasan-fix-boot-with-kasan-y-and-profile_annotated_branches-y.patch x86-perf-fix-cr4.pce-propagation-to-use-active_mm-instead-of-mm.patch x86-tsc-fix-art-for-tsc_known_freq.patch --- diff --git a/queue-4.9/crypto-powerpc-fix-initialisation-of-crc32c-context.patch b/queue-4.9/crypto-powerpc-fix-initialisation-of-crc32c-context.patch new file mode 100644 index 00000000000..834ad271734 --- /dev/null +++ b/queue-4.9/crypto-powerpc-fix-initialisation-of-crc32c-context.patch 
@@ -0,0 +1,47 @@ +From aa2be9b3d6d2d699e9ca7cbfc00867c80e5da213 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 3 Mar 2017 17:56:55 +1100 +Subject: crypto: powerpc - Fix initialisation of crc32c context + +From: Daniel Axtens + +commit aa2be9b3d6d2d699e9ca7cbfc00867c80e5da213 upstream. + +Turning on crypto self-tests on a POWER8 shows: + + alg: hash: Test 1 failed for crc32c-vpmsum + 00000000: ff ff ff ff + +Comparing the code with the Intel CRC32c implementation on which +ours is based shows that we are doing an init with 0, not ~0 +as CRC32c requires. + +This probably wasn't caught because btrfs does its own weird +open-coded initialisation. + +Initialise our internal context to ~0 on init. + +This makes the self-tests pass, and btrfs continues to work. + +Fixes: 6dd7a82cc54e ("crypto: powerpc - Add POWER8 optimised crc32c") +Cc: Anton Blanchard +Signed-off-by: Daniel Axtens +Acked-by: Anton Blanchard +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/crypto/crc32c-vpmsum_glue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/crypto/crc32c-vpmsum_glue.c ++++ b/arch/powerpc/crypto/crc32c-vpmsum_glue.c +@@ -52,7 +52,7 @@ static int crc32c_vpmsum_cra_init(struct + { + u32 *key = crypto_tfm_ctx(tfm); + +- *key = 0; ++ *key = ~0; + + return 0; + } diff --git a/queue-4.9/futex-add-missing-error-handling-to-futex_requeue_pi.patch b/queue-4.9/futex-add-missing-error-handling-to-futex_requeue_pi.patch new file mode 100644 index 00000000000..1aaea57cdcc --- /dev/null +++ b/queue-4.9/futex-add-missing-error-handling-to-futex_requeue_pi.patch 
@@ -0,0 +1,42 @@ +From 9bbb25afeb182502ca4f2c4f3f88af0681b34cae Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Sat, 4 Mar 2017 10:27:19 +0100 +Subject: futex: Add missing error handling to FUTEX_REQUEUE_PI + +From: Peter Zijlstra + +commit 9bbb25afeb182502ca4f2c4f3f88af0681b34cae upstream. + +Thomas spotted that fixup_pi_state_owner() can return errors and we +fail to unlock the rt_mutex in that case. + +Reported-by: Thomas Gleixner +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Darren Hart +Cc: juri.lelli@arm.com +Cc: bigeasy@linutronix.de +Cc: xlpang@redhat.com +Cc: rostedt@goodmis.org +Cc: mathieu.desnoyers@efficios.com +Cc: jdesfossez@efficios.com +Cc: dvhart@infradead.org +Cc: bristot@redhat.com +Link: http://lkml.kernel.org/r/20170304093558.867401760@infradead.org +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -2896,6 +2896,8 @@ static int futex_wait_requeue_pi(u32 __u + if (q.pi_state && (q.pi_state->owner != current)) { + spin_lock(q.lock_ptr); + ret = fixup_pi_state_owner(uaddr2, &q, current); ++ if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current) ++ rt_mutex_unlock(&q.pi_state->pi_mutex); + /* + * Drop the reference to the pi state which + * the requeue_pi() code acquired for us. diff --git a/queue-4.9/futex-fix-potential-use-after-free-in-futex_requeue_pi.patch b/queue-4.9/futex-fix-potential-use-after-free-in-futex_requeue_pi.patch new file mode 100644 index 00000000000..c63e2ec0f8a --- /dev/null +++ b/queue-4.9/futex-fix-potential-use-after-free-in-futex_requeue_pi.patch 
@@ -0,0 +1,85 @@ +From c236c8e95a3d395b0494e7108f0d41cf36ec107c Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Sat, 4 Mar 2017 10:27:18 +0100 +Subject: futex: Fix potential use-after-free in FUTEX_REQUEUE_PI + +From: Peter Zijlstra + +commit c236c8e95a3d395b0494e7108f0d41cf36ec107c upstream. + +While working on the futex code, I stumbled over this potential +use-after-free scenario. Dmitry triggered it later with syzkaller. + +pi_mutex is a pointer into pi_state, which we drop the reference on in +unqueue_me_pi(). So any access to that pointer after that is bad. + +Since other sites already do rt_mutex_unlock() with hb->lock held, see +for example futex_lock_pi(), simply move the unlock before +unqueue_me_pi(). + +Reported-by: Dmitry Vyukov +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Darren Hart +Cc: juri.lelli@arm.com +Cc: bigeasy@linutronix.de +Cc: xlpang@redhat.com +Cc: rostedt@goodmis.org +Cc: mathieu.desnoyers@efficios.com +Cc: jdesfossez@efficios.com +Cc: dvhart@infradead.org +Cc: bristot@redhat.com +Link: http://lkml.kernel.org/r/20170304093558.801744246@infradead.org +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -2813,7 +2813,6 @@ static int futex_wait_requeue_pi(u32 __u + { + struct hrtimer_sleeper timeout, *to = NULL; + struct rt_mutex_waiter rt_waiter; +- struct rt_mutex *pi_mutex = NULL; + struct futex_hash_bucket *hb; + union futex_key key2 = FUTEX_KEY_INIT; + struct futex_q q = futex_q_init; +@@ -2905,6 +2904,8 @@ static int futex_wait_requeue_pi(u32 __u + spin_unlock(q.lock_ptr); + } + } else { ++ struct rt_mutex *pi_mutex; ++ + /* + * We have been woken up by futex_unlock_pi(), a timeout, or a + * signal. futex_unlock_pi() will not destroy the lock_ptr nor +@@ -2928,18 +2929,19 @@ static int futex_wait_requeue_pi(u32 __u + if (res) + ret = (res < 0) ? 
res : 0; + ++ /* ++ * If fixup_pi_state_owner() faulted and was unable to handle ++ * the fault, unlock the rt_mutex and return the fault to ++ * userspace. ++ */ ++ if (ret && rt_mutex_owner(pi_mutex) == current) ++ rt_mutex_unlock(pi_mutex); ++ + /* Unqueue and drop the lock. */ + unqueue_me_pi(&q); + } + +- /* +- * If fixup_pi_state_owner() faulted and was unable to handle the +- * fault, unlock the rt_mutex and return the fault to userspace. +- */ +- if (ret == -EFAULT) { +- if (pi_mutex && rt_mutex_owner(pi_mutex) == current) +- rt_mutex_unlock(pi_mutex); +- } else if (ret == -EINTR) { ++ if (ret == -EINTR) { + /* + * We've already been requeued, but cannot restart by calling + * futex_lock_pi() directly. We could restart this syscall, but diff --git a/queue-4.9/locking-rwsem-fix-down_write_killable-for-config_rwsem_generic_spinlock-y.patch b/queue-4.9/locking-rwsem-fix-down_write_killable-for-config_rwsem_generic_spinlock-y.patch new file mode 100644 index 00000000000..a557b437bc4 --- /dev/null +++ b/queue-4.9/locking-rwsem-fix-down_write_killable-for-config_rwsem_generic_spinlock-y.patch 
@@ -0,0 +1,85 @@ +From 17fcbd590d0c3e35bd9646e2215f86586378bc42 Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Sat, 25 Feb 2017 01:17:53 +0100 +Subject: locking/rwsem: Fix down_write_killable() for CONFIG_RWSEM_GENERIC_SPINLOCK=y + +From: Niklas Cassel + +commit 17fcbd590d0c3e35bd9646e2215f86586378bc42 upstream. + +We hang if SIGKILL has been sent, but the task is stuck in down_read() +(after do_exit()), even though no task is doing down_write() on the +rwsem in question: + + INFO: task libupnp:21868 blocked for more than 120 seconds. + libupnp D 0 21868 1 0x08100008 + ... + Call Trace: + __schedule() + schedule() + __down_read() + do_exit() + do_group_exit() + __wake_up_parent() + +This bug has already been fixed for CONFIG_RWSEM_XCHGADD_ALGORITHM=y in +the following commit: + + 04cafed7fc19 ("locking/rwsem: Fix down_write_killable()") + +... however, this bug also exists for CONFIG_RWSEM_GENERIC_SPINLOCK=y. + +Signed-off-by: Niklas Cassel +Signed-off-by: Peter Zijlstra (Intel) +Cc: +Cc: Andrew Morton +Cc: Linus Torvalds +Cc: Niklas Cassel +Cc: Paul E. 
McKenney +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: d47996082f52 ("locking/rwsem: Introduce basis for down_write_killable()") +Link: http://lkml.kernel.org/r/1487981873-12649-1-git-send-email-niklass@axis.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/locking/rwsem-spinlock.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/kernel/locking/rwsem-spinlock.c ++++ b/kernel/locking/rwsem-spinlock.c +@@ -216,10 +216,8 @@ int __sched __down_write_common(struct r + */ + if (sem->count == 0) + break; +- if (signal_pending_state(state, current)) { +- ret = -EINTR; +- goto out; +- } ++ if (signal_pending_state(state, current)) ++ goto out_nolock; + set_task_state(tsk, state); + raw_spin_unlock_irqrestore(&sem->wait_lock, flags); + schedule(); +@@ -227,12 +225,19 @@ int __sched __down_write_common(struct r + } + /* got the lock */ + sem->count = -1; +-out: + list_del(&waiter.list); + + raw_spin_unlock_irqrestore(&sem->wait_lock, flags); + + return ret; ++ ++out_nolock: ++ list_del(&waiter.list); ++ if (!list_empty(&sem->wait_list)) ++ __rwsem_do_wake(sem, 1); ++ raw_spin_unlock_irqrestore(&sem->wait_lock, flags); ++ ++ return -EINTR; + } + + void __sched __down_write(struct rw_semaphore *sem) diff --git a/queue-4.9/series b/queue-4.9/series index 40cecfa8b4f..63f154cccd1 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
@@ -84,3 +84,10 @@ drm-vc4-fix-race-between-page-flip-completion-event-and-clean-up.patch drm-vc4-fix-clock_select-setting-for-the-vec-encoder.patch arm64-kvm-vhe-clear-hcr_tge-when-invalidating-guest-tlbs.patch irqchip-gicv3-its-add-workaround-for-qdf2400-its-erratum-0065.patch +x86-tsc-fix-art-for-tsc_known_freq.patch +x86-kasan-fix-boot-with-kasan-y-and-profile_annotated_branches-y.patch +x86-perf-fix-cr4.pce-propagation-to-use-active_mm-instead-of-mm.patch +futex-fix-potential-use-after-free-in-futex_requeue_pi.patch +futex-add-missing-error-handling-to-futex_requeue_pi.patch +locking-rwsem-fix-down_write_killable-for-config_rwsem_generic_spinlock-y.patch +crypto-powerpc-fix-initialisation-of-crc32c-context.patch diff --git a/queue-4.9/x86-kasan-fix-boot-with-kasan-y-and-profile_annotated_branches-y.patch b/queue-4.9/x86-kasan-fix-boot-with-kasan-y-and-profile_annotated_branches-y.patch new file mode 100644 index 00000000000..11a6d42106f --- /dev/null +++ b/queue-4.9/x86-kasan-fix-boot-with-kasan-y-and-profile_annotated_branches-y.patch 
@@ -0,0 +1,52 @@ +From be3606ff739d1c1be36389f8737c577ad87e1f57 Mon Sep 17 00:00:00 2001 +From: Andrey Ryabinin +Date: Mon, 13 Mar 2017 19:33:37 +0300 +Subject: x86/kasan: Fix boot with KASAN=y and PROFILE_ANNOTATED_BRANCHES=y + +From: Andrey Ryabinin + +commit be3606ff739d1c1be36389f8737c577ad87e1f57 upstream. + +The kernel doesn't boot with both PROFILE_ANNOTATED_BRANCHES=y and KASAN=y +options selected. With branch profiling enabled we end up calling +ftrace_likely_update() before kasan_early_init(). ftrace_likely_update() is +built with KASAN instrumentation, so calling it before kasan has been +initialized leads to crash. + +Use DISABLE_BRANCH_PROFILING define to make sure that we don't call +ftrace_likely_update() from early code before kasan_early_init(). + +Fixes: ef7f0d6a6ca8 ("x86_64: add KASan support") +Reported-by: Fengguang Wu +Signed-off-by: Andrey Ryabinin +Cc: kasan-dev@googlegroups.com +Cc: Alexander Potapenko +Cc: Andrew Morton +Cc: lkp@01.org +Cc: Dmitry Vyukov +Link: http://lkml.kernel.org/r/20170313163337.1704-1-aryabinin@virtuozzo.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/head64.c | 1 + + arch/x86/mm/kasan_init_64.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/arch/x86/kernel/head64.c ++++ b/arch/x86/kernel/head64.c +@@ -4,6 +4,7 @@ + * Copyright (C) 2000 Andrea Arcangeli SuSE + */ + ++#define DISABLE_BRANCH_PROFILING + #include + #include + #include +--- a/arch/x86/mm/kasan_init_64.c ++++ b/arch/x86/mm/kasan_init_64.c +@@ -1,3 +1,4 @@ ++#define DISABLE_BRANCH_PROFILING + #define pr_fmt(fmt) "kasan: " fmt + #include + #include diff --git a/queue-4.9/x86-perf-fix-cr4.pce-propagation-to-use-active_mm-instead-of-mm.patch b/queue-4.9/x86-perf-fix-cr4.pce-propagation-to-use-active_mm-instead-of-mm.patch new file mode 100644 index 00000000000..7867a4392e4 --- /dev/null +++ b/queue-4.9/x86-perf-fix-cr4.pce-propagation-to-use-active_mm-instead-of-mm.patch 
@@ -0,0 +1,47 @@ +From 5dc855d44c2ad960a86f593c60461f1ae1566b6d Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Thu, 16 Mar 2017 12:59:39 -0700 +Subject: x86/perf: Fix CR4.PCE propagation to use active_mm instead of mm + +From: Andy Lutomirski + +commit 5dc855d44c2ad960a86f593c60461f1ae1566b6d upstream. + +If one thread mmaps a perf event while another thread in the same mm +is in some context where active_mm != mm (which can happen in the +scheduler, for example), refresh_pce() would write the wrong value +to CR4.PCE. This broke some PAPI tests. + +Reported-and-tested-by: Vince Weaver +Signed-off-by: Andy Lutomirski +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Borislav Petkov +Cc: H. Peter Anvin +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Fixes: 7911d3f7af14 ("perf/x86: Only allow rdpmc if a perf_event is mapped") +Link: http://lkml.kernel.org/r/0c5b38a76ea50e405f9abe07a13dfaef87c173a1.1489694270.git.luto@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -2096,8 +2096,8 @@ static int x86_pmu_event_init(struct per + + static void refresh_pce(void *ignored) + { +- if (current->mm) +- load_mm_cr4(current->mm); ++ if (current->active_mm) ++ load_mm_cr4(current->active_mm); + } + + static void x86_pmu_event_mapped(struct perf_event *event) diff --git a/queue-4.9/x86-tsc-fix-art-for-tsc_known_freq.patch b/queue-4.9/x86-tsc-fix-art-for-tsc_known_freq.patch new file mode 100644 index 00000000000..0cfa9aaefd2 --- /dev/null +++ b/queue-4.9/x86-tsc-fix-art-for-tsc_known_freq.patch 
@@ -0,0 +1,57 @@ +From 44fee88cea43d3c2cac962e0439cb10a3cabff6d Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Mon, 13 Mar 2017 15:57:12 +0100 +Subject: x86/tsc: Fix ART for TSC_KNOWN_FREQ + +From: Peter Zijlstra + +commit 44fee88cea43d3c2cac962e0439cb10a3cabff6d upstream. + +Subhransu reported that convert_art_to_tsc() isn't working for him. + +The ART to TSC relation is only set up for systems which use the refined +TSC calibration. Systems with known TSC frequency (available via CPUID 15) +are not using the refined calibration and therefor the ART to TSC relation +is never established. + +Add the setup to the known frequency init path which skips ART +calibration. The init code needs to be duplicated as for systems which use +refined calibration the ART setup must be delayed until calibration has +been done. + +The problem has been there since the ART support was introdduced, but only +detected now because Subhransu tested the first time on hardware which has +TSC frequency enumerated via CPUID 15. + +Note for stable: The conditional has changed from TSC_RELIABLE to + TSC_KNOWN_FREQUENCY. + +[ tglx: Rewrote changelog and identified the proper 'Fixes' commit ] + +Fixes: f9677e0f8308 ("x86/tsc: Always Running Timer (ART) correlated clocksource") +Reported-by: "Prusty, Subhransu S" +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Cc: christopher.s.hall@intel.com +Cc: kevin.b.stanton@intel.com +Cc: john.stultz@linaro.org +Cc: akataria@vmware.com +Link: http://lkml.kernel.org/r/20170313145712.GI3312@twins.programming.kicks-ass.net +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/tsc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kernel/tsc.c ++++ b/arch/x86/kernel/tsc.c +@@ -1287,6 +1287,8 @@ static int __init init_tsc_clocksource(v + * exporting a reliable TSC. 
+ */ + if (boot_cpu_has(X86_FEATURE_TSC_RELIABLE)) { ++ if (boot_cpu_has(X86_FEATURE_ART)) ++ art_related_clocksource = &clocksource_tsc; + clocksource_register_khz(&clocksource_tsc, tsc_khz); + return 0; + }
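Review bot: in the crypto-powerpc patch, the one-line change in crc32c_vpmsum_cra_init() from `*key = 0;` to `*key = ~0;` is the correct CRC32c seed (all ones), but the context variable is named `key` and the assignment carries no comment, so nothing in the code records why this non-obvious value is required; suggest a short comment such as `/* CRC32c initial value, must be ~0 */` so a later cleanup does not revert it to 0. The changelog shows that the regression is only caught when crypto self-tests are enabled (`alg: hash: Test 1 failed for crc32c-vpmsum`) and was masked by btrfs's own initialisation, so a comment is the cheapest guard against a repeat.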
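Review bot: in the futex-add-missing-error-handling patch (kernel/futex.c hunk at line 2896), the added `if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current) rt_mutex_unlock(&q.pi_state->pi_mutex);` runs with `q.lock_ptr` held, which the sibling use-after-free patch's changelog says other call sites such as futex_lock_pi() already do, so that is consistent. The point to record is ordering: both futex patches edit futex_wait_requeue_pi() and the upstream commits are one second apart (10:27:18 and 10:27:19 on 4 Mar 2017, use-after-free fix first), so the relative order in the series file must be kept if the queue is reshuffled, otherwise this hunk's context may not apply.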
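Review bot: in the futex-fix-potential-use-after-free patch (kernel/futex.c hunk at line 2928), the condition guarding the unlock changes from `ret == -EFAULT` to any non-zero `ret`, while the comment moved into the else block still says "If fixup_pi_state_owner() faulted"; either the comment should say "returned an error" or the changelog should state why the broadening is intended, since the same `ret` is inspected by the `if (ret == -EINTR)` branch that follows. Also, the hunk at line 2813 removes the `= NULL` initialiser and the new block-scoped `struct rt_mutex *pi_mutex;` at line 2904 is declared without one, so the assignment that sets it before the new `rt_mutex_owner(pi_mutex)` check sits outside the visible context; confirm it is unconditional on every path that reaches the unlock, as the old `pi_mutex && ...` NULL guard is gone.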
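Review bot: in the locking-rwsem patch (kernel/locking/rwsem-spinlock.c hunk at line 227), the new `out_nolock:` path calls `__rwsem_do_wake(sem, 1)` whenever the wait list is non-empty without looking at `sem->count`; the task only reaches this path because the loop above did not see `sem->count == 0`, i.e. the semaphore is still held by someone. If `__rwsem_do_wake()` grants read locks to queued readers unconditionally, waking them while a writer still holds the lock would hand out readers prematurely; verify that, and if so guard the call with a `sem->count >= 0` check or restrict it to waking a writer. Minor: with the old `out:` label gone, the success path's `return ret;` only ever returns 0, so `return 0;` would be clearer.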
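Review bot: the queue-4.9/series hunk appends the seven patches with futex-fix-potential-use-after-free-in-futex_requeue_pi.patch before futex-add-missing-error-handling-to-futex_requeue_pi.patch, which matches the upstream commit order and is required because both edit the same function; the other five patches touch disjoint files and their order is free. Nothing else to raise here.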
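Review bot: in the x86-kasan patch, both hunks (arch/x86/kernel/head64.c at line 4 and arch/x86/mm/kasan_init_64.c at line 1) place `#define DISABLE_BRANCH_PROFILING` before the first `#include`, which is what makes it effective since the profiling macros come from headers; note that the rendered page has lost the header names from the `#include` lines (they appear as bare `+ #include`), so check against the tree that no include precedes the define in either file. The changelog names only these two units as running before kasan_early_init(); if any other early C file shares that path it would need the same define, but the hunks give no indication of one.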
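Review bot: in the x86-perf patch (arch/x86/events/core.c hunk at line 2096), refresh_pce() now loads CR4 from `current->active_mm` rather than `current->mm`; as an IPI callback (`void *ignored`) it runs in whatever context the target CPU happens to be in, possibly a kernel thread (where `mm` is NULL and the old code silently did nothing), and CR4.PCE must match the address space actually loaded, which is `active_mm`. One check worth recording in the changelog: the IPI must also reach CPUs running the mm lazily (kernel threads with `active_mm == mm`), otherwise those CPUs keep a stale CR4.PCE; the sender side in x86_pmu_event_mapped() is outside the hunk, so confirm it targets the mm's cpumask. The retained `if (current->active_mm)` NULL check is harmless but is expected never to be false for a running task.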
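Review bot: in the x86-tsc patch (arch/x86/kernel/tsc.c hunk at line 1287), the backport hangs the ART hookup (`art_related_clocksource = &clocksource_tsc;` under `X86_FEATURE_ART`) on the existing `X86_FEATURE_TSC_RELIABLE` early-return branch, which the changelog's "Note for stable" acknowledges differs from upstream's TSC_KNOWN_FREQUENCY; the check for stable is therefore whether, on 4.9, the systems the changelog describes (TSC frequency enumerated via CPUID 15) actually take this TSC_RELIABLE branch and so skip the refined calibration that would otherwise set up ART; if they do not, the fix does not reach them. The assignment is correctly placed before clocksource_register_khz(), and the `X86_FEATURE_ART` guard leaves reliable-TSC systems without ART unchanged.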