From: Greg Kroah-Hartman Date: Mon, 22 May 2017 19:18:27 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.55~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=377cf9c5b080cd52722785043e114374e13dd97a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: pid_ns-fix-race-between-setns-ed-fork-and-zap_pid_ns_processes.patch pid_ns-sleep-in-task_interruptible-in-zap_pid_ns_processes.patch usb-serial-ftdi_sio-add-olimex-arm-usb-tiny-h-pids.patch usb-serial-ftdi_sio-fix-setting-latency-for-unprivileged-users.patch --- diff --git a/queue-4.4/of-fdt-add-missing-allocation-failure-check.patch b/queue-4.4/of-fdt-add-missing-allocation-failure-check.patch deleted file mode 100644 index 65918ec54b8..00000000000 --- a/queue-4.4/of-fdt-add-missing-allocation-failure-check.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 49e67dd17649b60b4d54966e18ec9c80198227f0 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Wed, 17 May 2017 17:29:09 +0200 -Subject: of: fdt: add missing allocation-failure check - -From: Johan Hovold - -commit 49e67dd17649b60b4d54966e18ec9c80198227f0 upstream. - -The memory allocator passed to __unflatten_device_tree() (e.g. a wrapped -kzalloc) can fail so add the missing sanity check to avoid dereferencing -a NULL pointer. - -Fixes: fe14042358fa ("of/flattree: Refactor unflatten_device_tree and add fdt_unflatten_tree") -Signed-off-by: Johan Hovold -Signed-off-by: Rob Herring -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/of/fdt.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/of/fdt.c -+++ b/drivers/of/fdt.c -@@ -416,6 +416,9 @@ static void __unflatten_device_tree(cons - - /* Allocate memory for the expanded device tree */ - mem = dt_alloc(size + 4, __alignof__(struct device_node)); -+ if (!mem) -+ return NULL; -+ - memset(mem, 0, size); - - *(__be32 *)(mem + size) = cpu_to_be32(0xdeadbeef); 
diff --git a/queue-4.4/pid_ns-fix-race-between-setns-ed-fork-and-zap_pid_ns_processes.patch b/queue-4.4/pid_ns-fix-race-between-setns-ed-fork-and-zap_pid_ns_processes.patch new file mode 100644 index 00000000000..be4963643cd --- /dev/null +++ b/queue-4.4/pid_ns-fix-race-between-setns-ed-fork-and-zap_pid_ns_processes.patch 
@@ -0,0 +1,103 @@ +From 3fd37226216620c1a468afa999739d5016fbc349 Mon Sep 17 00:00:00 2001 +From: Kirill Tkhai +Date: Fri, 12 May 2017 19:11:31 +0300 +Subject: pid_ns: Fix race between setns'ed fork() and zap_pid_ns_processes() + +From: Kirill Tkhai + +commit 3fd37226216620c1a468afa999739d5016fbc349 upstream. + +Imagine we have a pid namespace and a task from its parent's pid_ns, +which made setns() to the pid namespace. The task is doing fork(), +while the pid namespace's child reaper is dying. We have the race +between them: + +Task from parent pid_ns Child reaper +copy_process() .. + alloc_pid() .. + .. zap_pid_ns_processes() + .. disable_pid_allocation() + .. read_lock(&tasklist_lock) + .. iterate over pids in pid_ns + .. kill tasks linked to pids + .. read_unlock(&tasklist_lock) + write_lock_irq(&tasklist_lock); .. + attach_pid(p, PIDTYPE_PID); .. + .. .. + +So, just created task p won't receive SIGKILL signal, +and the pid namespace will be in contradictory state. +Only manual kill will help there, but does the userspace +care about this? I suppose, the most users just inject +a task into a pid namespace and wait a SIGCHLD from it. + +The patch fixes the problem. It simply checks for +(pid_ns->nr_hashed & PIDNS_HASH_ADDING) in copy_process(). +We do it under the tasklist_lock, and can't skip +PIDNS_HASH_ADDING as noted by Oleg: + +"zap_pid_ns_processes() does disable_pid_allocation() +and then takes tasklist_lock to kill the whole namespace. +Given that copy_process() checks PIDNS_HASH_ADDING +under write_lock(tasklist) they can't race; +if copy_process() takes this lock first, the new child will +be killed, otherwise copy_process() can't miss +the change in ->nr_hashed." + +If allocation is disabled, we just return -ENOMEM +like it's made for such cases in alloc_pid(). + +v2: Do not move disable_pid_allocation(), do not +introduce a new variable in copy_process() and simplify +the patch as suggested by Oleg Nesterov. 
+Account the problem with double irq enabling +found by Eric W. Biederman. + +Fixes: c876ad768215 ("pidns: Stop pid allocation when init dies") +Signed-off-by: Kirill Tkhai +CC: Andrew Morton +CC: Ingo Molnar +CC: Peter Zijlstra +CC: Oleg Nesterov +CC: Mike Rapoport +CC: Michal Hocko +CC: Andy Lutomirski +CC: "Eric W. Biederman" +CC: Andrei Vagin +CC: Cyrill Gorcunov +CC: Serge Hallyn +Acked-by: Oleg Nesterov +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/fork.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1590,11 +1590,13 @@ static struct task_struct *copy_process( + */ + recalc_sigpending(); + if (signal_pending(current)) { +- spin_unlock(¤t->sighand->siglock); +- write_unlock_irq(&tasklist_lock); + retval = -ERESTARTNOINTR; + goto bad_fork_cancel_cgroup; + } ++ if (unlikely(!(ns_of_pid(pid)->nr_hashed & PIDNS_HASH_ADDING))) { ++ retval = -ENOMEM; ++ goto bad_fork_cancel_cgroup; ++ } + + if (likely(p->pid)) { + ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace); +@@ -1645,6 +1647,8 @@ static struct task_struct *copy_process( + return p; + + bad_fork_cancel_cgroup: ++ spin_unlock(¤t->sighand->siglock); ++ write_unlock_irq(&tasklist_lock); + cgroup_cancel_fork(p, cgrp_ss_priv); + bad_fork_free_pid: + threadgroup_change_end(current); diff --git a/queue-4.4/pid_ns-sleep-in-task_interruptible-in-zap_pid_ns_processes.patch b/queue-4.4/pid_ns-sleep-in-task_interruptible-in-zap_pid_ns_processes.patch new file mode 100644 index 00000000000..6dab4218523 --- /dev/null +++ b/queue-4.4/pid_ns-sleep-in-task_interruptible-in-zap_pid_ns_processes.patch 
@@ -0,0 +1,40 @@ +From b9a985db98961ae1ba0be169f19df1c567e4ffe0 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Thu, 11 May 2017 18:21:01 -0500 +Subject: pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes + +From: Eric W. Biederman + +commit b9a985db98961ae1ba0be169f19df1c567e4ffe0 upstream. + +The code can potentially sleep for an indefinite amount of time in +zap_pid_ns_processes triggering the hung task timeout, and increasing +the system average. This is undesirable. Sleep with a task state of +TASK_INTERRUPTIBLE instead of TASK_UNINTERRUPTIBLE to remove these +undesirable side effects. + +Apparently under heavy load this has been allowing Chrome to trigger +the hung time task timeout error and cause ChromeOS to reboot. + +Reported-by: Vovo Yang +Reported-by: Guenter Roeck +Tested-by: Guenter Roeck +Fixes: 6347e9009104 ("pidns: guarantee that the pidns init will be the last pidns process reaped") +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/pid_namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/pid_namespace.c ++++ b/kernel/pid_namespace.c +@@ -255,7 +255,7 @@ void zap_pid_ns_processes(struct pid_nam + * if reparented. + */ + for (;;) { +- set_current_state(TASK_UNINTERRUPTIBLE); ++ set_current_state(TASK_INTERRUPTIBLE); + if (pid_ns->nr_hashed == init_pids) + break; + schedule(); diff --git a/queue-4.4/series b/queue-4.4/series index 62660f4ef8b..15b68493ce4 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -37,5 +37,8 @@ drm-nouveau-tmr-handle-races-with-hw-when-updating-the-next-alarm-time.patch cdc-acm-fix-possible-invalid-access-when-processing-notification.patch proc-fix-unbalanced-hard-link-numbers.patch of-fix-sparse-warning-in-of_pci_range_parser_one.patch -of-fdt-add-missing-allocation-failure-check.patch iio-dac-ad7303-fix-channel-description.patch +pid_ns-sleep-in-task_interruptible-in-zap_pid_ns_processes.patch +pid_ns-fix-race-between-setns-ed-fork-and-zap_pid_ns_processes.patch +usb-serial-ftdi_sio-fix-setting-latency-for-unprivileged-users.patch +usb-serial-ftdi_sio-add-olimex-arm-usb-tiny-h-pids.patch diff --git a/queue-4.4/usb-serial-ftdi_sio-add-olimex-arm-usb-tiny-h-pids.patch b/queue-4.4/usb-serial-ftdi_sio-add-olimex-arm-usb-tiny-h-pids.patch new file mode 100644 index 00000000000..d0bedbd554b --- /dev/null +++ b/queue-4.4/usb-serial-ftdi_sio-add-olimex-arm-usb-tiny-h-pids.patch 
@@ -0,0 +1,55 @@ +From 5f63424ab7daac840df2b12dd5bcc5b38d50f779 Mon Sep 17 00:00:00 2001 +From: Andrey Korolyov +Date: Tue, 16 May 2017 23:54:41 +0300 +Subject: USB: serial: ftdi_sio: add Olimex ARM-USB-TINY(H) PIDs + +From: Andrey Korolyov + +commit 5f63424ab7daac840df2b12dd5bcc5b38d50f779 upstream. + +This patch adds support for recognition of ARM-USB-TINY(H) devices which +are almost identical to ARM-USB-OCD(H) but lacking separate barrel jack +and serial console. + +By suggestion from Johan Hovold it is possible to replace +ftdi_jtag_quirk with a bit more generic construction. Since all +Olimex-ARM debuggers has exactly two ports, we could safely always use +only second port within the debugger family. + +Signed-off-by: Andrey Korolyov +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 8 ++++---- + drivers/usb/serial/ftdi_sio_ids.h | 2 ++ + 2 files changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -809,10 +809,10 @@ static const struct usb_device_id id_tab + { USB_DEVICE(FTDI_VID, FTDI_PROPOX_ISPCABLEIII_PID) }, + { USB_DEVICE(FTDI_VID, CYBER_CORTEX_AV_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_H_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_OCD_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_OCD_H_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_TINY_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_TINY_H_PID, 1) }, + { USB_DEVICE(FIC_VID, FIC_NEO1973_DEBUG_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(FTDI_VID, FTDI_OOCDLINK_PID), +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ 
b/drivers/usb/serial/ftdi_sio_ids.h +@@ -882,6 +882,8 @@ + /* Olimex */ + #define OLIMEX_VID 0x15BA + #define OLIMEX_ARM_USB_OCD_PID 0x0003 ++#define OLIMEX_ARM_USB_TINY_PID 0x0004 ++#define OLIMEX_ARM_USB_TINY_H_PID 0x002a + #define OLIMEX_ARM_USB_OCD_H_PID 0x002b + + /* diff --git a/queue-4.4/usb-serial-ftdi_sio-fix-setting-latency-for-unprivileged-users.patch b/queue-4.4/usb-serial-ftdi_sio-fix-setting-latency-for-unprivileged-users.patch new file mode 100644 index 00000000000..b62482812c7 --- /dev/null +++ b/queue-4.4/usb-serial-ftdi_sio-fix-setting-latency-for-unprivileged-users.patch 
@@ -0,0 +1,47 @@ +From bb246681b3ed0967489a7401ad528c1aaa1a4c2e Mon Sep 17 00:00:00 2001 +From: Anthony Mallet +Date: Fri, 5 May 2017 17:30:16 +0200 +Subject: USB: serial: ftdi_sio: fix setting latency for unprivileged users + +From: Anthony Mallet + +commit bb246681b3ed0967489a7401ad528c1aaa1a4c2e upstream. + +Commit 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY +flag") enables unprivileged users to set the FTDI latency timer, +but there was a logic flaw that skipped sending the corresponding +USB control message to the device. + +Specifically, the device latency timer would not be updated until next +open, something which was later also inadvertently broken by commit +c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port +probe"). + +A recent commit c6dce2626606 ("USB: serial: ftdi_sio: fix extreme +low-latency setting") disabled the low-latency mode by default so we now +need this fix to allow unprivileged users to again enable it. + +Signed-off-by: Anthony Mallet +[johan: amend commit message] +Fixes: 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY flag") +Fixes: c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port probe"). +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1508,9 +1508,9 @@ static int set_serial_info(struct tty_st + (new_serial.flags & ASYNC_FLAGS)); + priv->custom_divisor = new_serial.custom_divisor; + ++check_and_exit: + write_latency_timer(port); + +-check_and_exit: + if ((old_priv.flags & ASYNC_SPD_MASK) != + (priv->flags & ASYNC_SPD_MASK)) { + if ((priv->flags & ASYNC_SPD_MASK) == ASYNC_SPD_HI)
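Review bot: The commit message lists only the four added patches, yet the first diff deletes queue-4.4/of-fdt-add-missing-allocation-failure-check.patch and the series hunk drops its entry, with no reason given. The deleted patch inserts `return NULL;` under a hunk header that reads `static void __unflatten_device_tree(`, which would explain the removal; please say so in the message. Dropping it also leaves 4.4 without the `if (!mem)` check ahead of `memset(mem, 0, size);`, so a variant adapted to the void return type is worth queuing.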
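Review bot: In the kernel/fork.c hunks, the bad_fork_cancel_cgroup label now drops `current->sighand->siglock` and `tasklist_lock` itself, so it is only correct when reached with both locks held, and nothing at the label says so. Please confirm that no other `goto bad_fork_cancel_cgroup` in the 4.4 tree jumps there before the locks are taken, and add a one-line comment at the label stating the locking precondition. The new `nr_hashed & PIDNS_HASH_ADDING` test also depends on being evaluated under tasklist_lock, as the quoted explanation from Oleg spells out; that reasoning exists only in the commit message and deserves a short comment next to the check.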
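Review bot: In the kernel/pid_namespace.c hunk, the wait loop has no handling for a pending signal once the state becomes TASK_INTERRUPTIBLE. With a signal pending, schedule() returns straight away in that state, so the `for (;;)` loop would spin until `pid_ns->nr_hashed == init_pids` instead of sleeping. If signals cannot be pending at this point because of code outside the hunk, a comment above `set_current_state(TASK_INTERRUPTIBLE);` saying so would make the change reviewable from the diff; otherwise the loop needs to deal with that case.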
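Review bot: In the drivers/usb/serial/ftdi_sio.c id_table hunk, the existing OLIMEX_ARM_USB_OCD_PID and OLIMEX_ARM_USB_OCD_H_PID entries change behaviour too, not only the two new TINY IDs: they lose `ftdi_jtag_quirk` and now bind by `USB_DEVICE_INTERFACE_NUMBER(..., 1)`. For a stable backport that is more than a device-ID addition, and the justification (every debugger in the family has exactly two ports, only the second is used) sits only in the commit message. A comment above the four Olimex entries explaining why interface 1 is matched and the first interface is left unbound would keep a later edit from reintroducing the quirk or binding the wrong port.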
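Review bot: In the set_serial_info() hunk, moving `check_and_exit:` above `write_latency_timer(port);` makes every path that jumps to the label issue the latency update, including the unprivileged path the commit message targets, and the call's result is not checked. A failed control transfer would then go unreported to the caller of the ioctl, and the device is written on every call even when the latency-related flag did not change. Consider propagating an error from `write_latency_timer(port)` and skipping the call when the old and new flags agree, using the same `old_priv.flags` versus `priv->flags` comparison style as the ASYNC_SPD_MASK test just below.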