From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 24 Apr 2019 13:53:09 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v3.18.139~24
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=11f484d3ee92b55a329b65350cd6f7f2926a52bc;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	alsa-info-fix-racy-addition-deletion-of-nodes.patch
	device_cgroup-fix-rcu-imbalance-in-error-case.patch
	mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y-config_smp-n.patch
	percpu-stop-printing-kernel-addresses.patch
---

diff --git a/queue-4.9/alsa-info-fix-racy-addition-deletion-of-nodes.patch b/queue-4.9/alsa-info-fix-racy-addition-deletion-of-nodes.patch
new file mode 100644
index 00000000000..2376752fac4
--- /dev/null
+++ b/queue-4.9/alsa-info-fix-racy-addition-deletion-of-nodes.patch
@@ -0,0 +1,59 @@
+From 8c2f870890fd28e023b0fcf49dcee333f2c8bad7 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 16 Apr 2019 15:25:00 +0200
+Subject: ALSA: info: Fix racy addition/deletion of nodes
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8c2f870890fd28e023b0fcf49dcee333f2c8bad7 upstream.
+
+The ALSA proc helper manages the child nodes in a linked list, but its
+addition and deletion is done without any lock.  This leads to a
+corruption if they are operated concurrently.  Usually this isn't a
+problem because the proc entries are added sequentially in the driver
+probe procedure itself.  But the card registrations are done often
+asynchronously, and the crash could be actually reproduced with
+syzkaller.
+
+This patch papers over it by protecting the link addition and deletion
+with the parent's mutex.  There is "access" mutex that is used for the
+file access, and this can be reused for this purpose as well.
+
+Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/info.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/sound/core/info.c
++++ b/sound/core/info.c
+@@ -724,8 +724,11 @@ snd_info_create_entry(const char *name,
+ 	INIT_LIST_HEAD(&entry->children);
+ 	INIT_LIST_HEAD(&entry->list);
+ 	entry->parent = parent;
+-	if (parent)
++	if (parent) {
++		mutex_lock(&parent->access);
+ 		list_add_tail(&entry->list, &parent->children);
++		mutex_unlock(&parent->access);
++	}
+ 	return entry;
+ }
+ 
+@@ -809,7 +812,12 @@ void snd_info_free_entry(struct snd_info
+ 	list_for_each_entry_safe(p, n, &entry->children, list)
+ 		snd_info_free_entry(p);
+ 
+-	list_del(&entry->list);
++	p = entry->parent;
++	if (p) {
++		mutex_lock(&p->access);
++		list_del(&entry->list);
++		mutex_unlock(&p->access);
++	}
+ 	kfree(entry->name);
+ 	if (entry->private_free)
+ 		entry->private_free(entry);
diff --git a/queue-4.9/device_cgroup-fix-rcu-imbalance-in-error-case.patch b/queue-4.9/device_cgroup-fix-rcu-imbalance-in-error-case.patch
new file mode 100644
index 00000000000..90c833ea22e
--- /dev/null
+++ b/queue-4.9/device_cgroup-fix-rcu-imbalance-in-error-case.patch
@@ -0,0 +1,42 @@
+From 0fcc4c8c044e117ac126ab6df4138ea9a67fa2a9 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 19 Mar 2019 02:36:59 +0100
+Subject: device_cgroup: fix RCU imbalance in error case
+
+From: Jann Horn <jannh@google.com>
+
+commit 0fcc4c8c044e117ac126ab6df4138ea9a67fa2a9 upstream.
+
+When dev_exception_add() returns an error (due to a failed memory
+allocation), make sure that we move the RCU preemption count back to where
+it was before we were called. We dropped the RCU read lock inside the loop
+body, so we can't just "break".
+
+sparse complains about this, too:
+
+$ make -s C=2 security/device_cgroup.o
+./include/linux/rcupdate.h:647:9: warning: context imbalance in
+'propagate_exception' - unexpected unlock
+
+Fixes: d591fb56618f ("device_cgroup: simplify cgroup tree walk in propagate_exception()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/device_cgroup.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/device_cgroup.c
++++ b/security/device_cgroup.c
+@@ -568,7 +568,7 @@ static int propagate_exception(struct de
+ 		    devcg->behavior == DEVCG_DEFAULT_ALLOW) {
+ 			rc = dev_exception_add(devcg, ex);
+ 			if (rc)
+-				break;
++				return rc;
+ 		} else {
+ 			/*
+ 			 * in the other possible cases:
diff --git a/queue-4.9/mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y-config_smp-n.patch b/queue-4.9/mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y-config_smp-n.patch
new file mode 100644
index 00000000000..747ef0460f8
--- /dev/null
+++ b/queue-4.9/mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y-config_smp-n.patch
@@ -0,0 +1,50 @@
+From e8277b3b52240ec1caad8e6df278863e4bf42eac Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Thu, 18 Apr 2019 17:50:20 -0700
+Subject: mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+commit e8277b3b52240ec1caad8e6df278863e4bf42eac upstream.
+
+Commit 58bc4c34d249 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly")
+depends on skipping vmstat entries with empty name introduced in
+7aaf77272358 ("mm: don't show nr_indirectly_reclaimable in
+/proc/vmstat") but reverted in b29940c1abd7 ("mm: rename and change
+semantics of nr_indirectly_reclaimable_bytes").
+
+So skipping no longer works and /proc/vmstat has misformatted lines " 0".
+
+This patch simply shows debug counters "nr_tlb_remote_*" for UP.
+
+Link: http://lkml.kernel.org/r/155481488468.467.4295519102880913454.stgit@buzz
+Fixes: 58bc4c34d249 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly")
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Roman Gushchin <guro@fb.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/vmstat.c |    5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/mm/vmstat.c
++++ b/mm/vmstat.c
+@@ -1075,13 +1075,8 @@ const char * const vmstat_text[] = {
+ #endif
+ #endif /* CONFIG_MEMORY_BALLOON */
+ #ifdef CONFIG_DEBUG_TLBFLUSH
+-#ifdef CONFIG_SMP
+ 	"nr_tlb_remote_flush",
+ 	"nr_tlb_remote_flush_received",
+-#else
+-	"", /* nr_tlb_remote_flush */
+-	"", /* nr_tlb_remote_flush_received */
+-#endif /* CONFIG_SMP */
+ 	"nr_tlb_local_flush_all",
+ 	"nr_tlb_local_flush_one",
+ #endif /* CONFIG_DEBUG_TLBFLUSH */
diff --git a/queue-4.9/percpu-stop-printing-kernel-addresses.patch b/queue-4.9/percpu-stop-printing-kernel-addresses.patch
new file mode 100644
index 00000000000..b0bdd0a402f
--- /dev/null
+++ b/queue-4.9/percpu-stop-printing-kernel-addresses.patch
@@ -0,0 +1,50 @@
+From 00206a69ee32f03e6f40837684dcbe475ea02266 Mon Sep 17 00:00:00 2001
+From: Matteo Croce <mcroce@redhat.com>
+Date: Mon, 18 Mar 2019 02:32:36 +0100
+Subject: percpu: stop printing kernel addresses
+
+From: Matteo Croce <mcroce@redhat.com>
+
+commit 00206a69ee32f03e6f40837684dcbe475ea02266 upstream.
+
+Since commit ad67b74d2469d9b8 ("printk: hash addresses printed with %p"),
+at boot "____ptrval____" is printed instead of actual addresses:
+
+    percpu: Embedded 38 pages/cpu @(____ptrval____) s124376 r0 d31272 u524288
+
+Instead of changing the print to "%px", and leaking kernel addresses,
+just remove the print completely, cfr. e.g. commit 071929dbdd865f77
+("arm64: Stop printing the virtual memory layout").
+
+Signed-off-by: Matteo Croce <mcroce@redhat.com>
+Signed-off-by: Dennis Zhou <dennis@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/percpu.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/mm/percpu.c
++++ b/mm/percpu.c
+@@ -2048,8 +2048,8 @@ int __init pcpu_embed_first_chunk(size_t
+ 		ai->groups[group].base_offset = areas[group] - base;
+ 	}
+ 
+-	pr_info("Embedded %zu pages/cpu @%p s%zu r%zu d%zu u%zu\n",
+-		PFN_DOWN(size_sum), base, ai->static_size, ai->reserved_size,
++	pr_info("Embedded %zu pages/cpu s%zu r%zu d%zu u%zu\n",
++		PFN_DOWN(size_sum), ai->static_size, ai->reserved_size,
+ 		ai->dyn_size, ai->unit_size);
+ 
+ 	rc = pcpu_setup_first_chunk(ai, base);
+@@ -2162,8 +2162,8 @@ int __init pcpu_page_first_chunk(size_t
+ 	}
+ 
+ 	/* we're ready, commit */
+-	pr_info("%d %s pages/cpu @%p s%zu r%zu d%zu\n",
+-		unit_pages, psize_str, vm.addr, ai->static_size,
++	pr_info("%d %s pages/cpu s%zu r%zu d%zu\n",
++		unit_pages, psize_str, ai->static_size,
+ 		ai->reserved_size, ai->dyn_size);
+ 
+ 	rc = pcpu_setup_first_chunk(ai, vm.addr);
diff --git a/queue-4.9/series b/queue-4.9/series
index b2618a7b6fd..0a39bee1cac 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -37,3 +37,7 @@ mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch
 perf-x86-amd-add-event-map-for-amd-family-17h.patch
 revert-kbuild-use-oz-instead-of-os-when-using-clang.patch
 sched-fair-limit-sched_cfs_period_timer-loop-to-avoi.patch
+device_cgroup-fix-rcu-imbalance-in-error-case.patch
+mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y-config_smp-n.patch
+alsa-info-fix-racy-addition-deletion-of-nodes.patch
+percpu-stop-printing-kernel-addresses.patch