From: Greg Kroah-Hartman Date: Mon, 10 Jul 2017 15:56:15 +0000 (+0200) Subject: 4.12-stable patches X-Git-Tag: v4.9.37~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1b10333a41a27f08b9806f375b76b382a041b02e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.12-stable patches added patches: crypto-drbg-fixes-panic-in-wait_for_completion-call.patch xen-avoid-deadlock-in-xenbus-driver.patch --- diff --git a/queue-4.12/crypto-drbg-fixes-panic-in-wait_for_completion-call.patch b/queue-4.12/crypto-drbg-fixes-panic-in-wait_for_completion-call.patch new file mode 100644 index 00000000000..c299d861056 --- /dev/null +++ b/queue-4.12/crypto-drbg-fixes-panic-in-wait_for_completion-call.patch @@ -0,0 +1,31 @@ +From b61929c654f2e725644935737c4c1ea9c741e2f8 Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Fri, 26 May 2017 12:11:31 +0200 +Subject: crypto: drbg - Fixes panic in wait_for_completion call + +From: Stephan Mueller + +commit b61929c654f2e725644935737c4c1ea9c741e2f8 upstream. + +Initialise ctr_completion variable before use. + +Cc: +Signed-off-by: Harsh Jain +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/drbg.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/crypto/drbg.c ++++ b/crypto/drbg.c +@@ -1691,6 +1691,7 @@ static int drbg_init_sym_kernel(struct d + return PTR_ERR(sk_tfm); + } + drbg->ctr_handle = sk_tfm; ++ init_completion(&drbg->ctr_completion); + + req = skcipher_request_alloc(sk_tfm, GFP_KERNEL); + if (!req) { diff --git a/queue-4.12/series b/queue-4.12/series index 991517d0cc8..b1260142540 100644 --- a/queue-4.12/series +++ b/queue-4.12/series @@ -23,3 +23,5 @@ sched-fair-simplify-wake_affine-for-the-single-socket-case.patch sched-numa-implement-numa-node-level-wake_affine.patch sched-fair-remove-effective_load.patch sched-numa-hide-numa_wake_affine-from-up-build.patch +xen-avoid-deadlock-in-xenbus-driver.patch +crypto-drbg-fixes-panic-in-wait_for_completion-call.patch diff --git a/queue-4.12/xen-avoid-deadlock-in-xenbus-driver.patch b/queue-4.12/xen-avoid-deadlock-in-xenbus-driver.patch new file mode 100644 index 00000000000..6c23e0a3cce --- /dev/null +++ b/queue-4.12/xen-avoid-deadlock-in-xenbus-driver.patch @@ -0,0 +1,105 @@ +From 1a3fc2c402810bf336882e695abd1678dbc8d279 Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Thu, 8 Jun 2017 16:03:42 +0200 +Subject: xen: avoid deadlock in xenbus driver + +From: Juergen Gross + +commit 1a3fc2c402810bf336882e695abd1678dbc8d279 upstream. + +There has been a report about a deadlock in the xenbus driver: + +[ 247.979498] ====================================================== +[ 247.985688] WARNING: possible circular locking dependency detected +[ 247.991882] 4.12.0-rc4-00022-gc4b25c0 #575 Not tainted +[ 247.997040] ------------------------------------------------------ +[ 248.003232] xenbus/91 is trying to acquire lock: +[ 248.007875] (&u->msgbuffer_mutex){+.+.+.}, at: [] +xenbus_dev_queue_reply+0x3c/0x230 +[ 248.017163] +[ 248.017163] but task is already holding lock: +[ 248.023096] (xb_write_mutex){+.+...}, at: [] +xenbus_thread+0x5f0/0x798 +[ 248.031267] +[ 248.031267] which lock already depends on the new lock. +[ 248.031267] +[ 248.039615] +[ 248.039615] the existing dependency chain (in reverse order) is: +[ 248.047176] +[ 248.047176] -> #1 (xb_write_mutex){+.+...}: +[ 248.052943] __lock_acquire+0x1728/0x1778 +[ 248.057498] lock_acquire+0xc4/0x288 +[ 248.061630] __mutex_lock+0x84/0x868 +[ 248.065755] mutex_lock_nested+0x3c/0x50 +[ 248.070227] xs_send+0x164/0x1f8 +[ 248.074015] xenbus_dev_request_and_reply+0x6c/0x88 +[ 248.079427] xenbus_file_write+0x260/0x420 +[ 248.084073] __vfs_write+0x48/0x138 +[ 248.088113] vfs_write+0xa8/0x1b8 +[ 248.091983] SyS_write+0x54/0xb0 +[ 248.095768] el0_svc_naked+0x24/0x28 +[ 248.099897] +[ 248.099897] -> #0 (&u->msgbuffer_mutex){+.+.+.}: +[ 248.106088] print_circular_bug+0x80/0x2e0 +[ 248.110730] __lock_acquire+0x1768/0x1778 +[ 248.115288] lock_acquire+0xc4/0x288 +[ 248.119417] __mutex_lock+0x84/0x868 +[ 248.123545] mutex_lock_nested+0x3c/0x50 +[ 248.128016] xenbus_dev_queue_reply+0x3c/0x230 +[ 248.133005] xenbus_thread+0x788/0x798 +[ 248.137306] kthread+0x110/0x140 +[ 248.141087] ret_from_fork+0x10/0x40 + +It is rather easy to avoid by dropping xb_write_mutex before calling +xenbus_dev_queue_reply(). + +Fixes: fd8aa9095a95c02dcc35540a263267c29b8fda9d ("xen: optimize xenbus +driver for multiple concurrent xenstore accesses"). + +Reported-by: Andre Przywara +Signed-off-by: Juergen Gross +Tested-by: Andre Przywara +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xenbus/xenbus_comms.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +--- a/drivers/xen/xenbus/xenbus_comms.c ++++ b/drivers/xen/xenbus/xenbus_comms.c +@@ -299,17 +299,7 @@ static int process_msg(void) + mutex_lock(&xb_write_mutex); + list_for_each_entry(req, &xs_reply_list, list) { + if (req->msg.req_id == state.msg.req_id) { +- if (req->state == xb_req_state_wait_reply) { +- req->msg.type = state.msg.type; +- req->msg.len = state.msg.len; +- req->body = state.body; +- req->state = xb_req_state_got_reply; +- list_del(&req->list); +- req->cb(req); +- } else { +- list_del(&req->list); +- kfree(req); +- } ++ list_del(&req->list); + err = 0; + break; + } +@@ -317,6 +307,15 @@ static int process_msg(void) + mutex_unlock(&xb_write_mutex); + if (err) + goto out; ++ ++ if (req->state == xb_req_state_wait_reply) { ++ req->msg.type = state.msg.type; ++ req->msg.len = state.msg.len; ++ req->body = state.body; ++ req->state = xb_req_state_got_reply; ++ req->cb(req); ++ } else ++ kfree(req); + } + + mutex_unlock(&xs_response_mutex);