From: Greg Kroah-Hartman Date: Mon, 22 May 2017 19:27:10 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.55~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3f487e653b5745da636c2f30a2a1e066e8338b7a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: ib-hfi1-fix-a-subcontext-memory-leak.patch ib-hfi1-return-an-error-on-memory-allocation-failure.patch pid_ns-fix-race-between-setns-ed-fork-and-zap_pid_ns_processes.patch pid_ns-sleep-in-task_interruptible-in-zap_pid_ns_processes.patch usb-chaoskey-fix-alea-quirk-on-big-endian-hosts.patch usb-serial-ftdi_sio-add-olimex-arm-usb-tiny-h-pids.patch usb-serial-ftdi_sio-fix-setting-latency-for-unprivileged-users.patch --- diff --git a/queue-4.9/ib-hfi1-fix-a-subcontext-memory-leak.patch b/queue-4.9/ib-hfi1-fix-a-subcontext-memory-leak.patch new file mode 100644 index 00000000000..f58f5b3d7f3 --- /dev/null +++ b/queue-4.9/ib-hfi1-fix-a-subcontext-memory-leak.patch @@ -0,0 +1,130 @@ +From 224d71f910102c966cdcd782c97e096d5e26e4da Mon Sep 17 00:00:00 2001 +From: "Michael J. Ruhl" +Date: Thu, 4 May 2017 05:14:34 -0700 +Subject: IB/hfi1: Fix a subcontext memory leak + +From: Michael J. Ruhl + +commit 224d71f910102c966cdcd782c97e096d5e26e4da upstream. + +The only context that frees user_exp_rcv data structures is the last +context closed (from a sub-context set). This leaks the allocations +from the other sub-contexts. Separate the common frees from the +specific frees and call them at the appropriate time. + +Using KEDR to check for memory leaks we get: + +Before test: + +[leak_check] Possible leaks: 25 + +After test: + +[leak_check] Possible leaks: 31 (6 leaked data structures) + +After patch applied (before and after test have the same value) + +[leak_check] Possible leaks: 25 + +Each leak is 192 + 13440 + 6720 = 20352 bytes per sub-context. + +Reviewed-by: Mike Marciniszyn +Signed-off-by: Michael J. Ruhl +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/file_ops.c | 5 +++- + drivers/infiniband/hw/hfi1/user_exp_rcv.c | 32 ++++++++++++++++-------------- + drivers/infiniband/hw/hfi1/user_exp_rcv.h | 1 + 3 files changed, 23 insertions(+), 15 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/file_ops.c ++++ b/drivers/infiniband/hw/hfi1/file_ops.c +@@ -751,6 +751,9 @@ static int hfi1_file_close(struct inode + /* release the cpu */ + hfi1_put_proc_affinity(fdata->rec_cpu_num); + ++ /* clean up rcv side */ ++ hfi1_user_exp_rcv_free(fdata); ++ + /* + * Clear any left over, unhandled events so the next process that + * gets this context doesn't get confused. +@@ -790,7 +793,7 @@ static int hfi1_file_close(struct inode + + dd->rcd[uctxt->ctxt] = NULL; + +- hfi1_user_exp_rcv_free(fdata); ++ hfi1_user_exp_rcv_grp_free(uctxt); + hfi1_clear_ctxt_pkey(dd, uctxt->ctxt); + + uctxt->rcvwait_to = 0; +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +@@ -250,36 +250,40 @@ done: + return ret; + } + ++void hfi1_user_exp_rcv_grp_free(struct hfi1_ctxtdata *uctxt) ++{ ++ struct tid_group *grp, *gptr; ++ ++ list_for_each_entry_safe(grp, gptr, &uctxt->tid_group_list.list, ++ list) { ++ list_del_init(&grp->list); ++ kfree(grp); ++ } ++ hfi1_clear_tids(uctxt); ++} ++ + int hfi1_user_exp_rcv_free(struct hfi1_filedata *fd) + { + struct hfi1_ctxtdata *uctxt = fd->uctxt; +- struct tid_group *grp, *gptr; + +- if (!test_bit(HFI1_CTXT_SETUP_DONE, &uctxt->event_flags)) +- return 0; + /* + * The notifier would have been removed when the process'es mm + * was freed. + */ +- if (fd->handler) ++ if (fd->handler) { + hfi1_mmu_rb_unregister(fd->handler); +- +- kfree(fd->invalid_tids); +- +- if (!uctxt->cnt) { ++ } else { + if (!EXP_TID_SET_EMPTY(uctxt->tid_full_list)) + unlock_exp_tids(uctxt, &uctxt->tid_full_list, fd); + if (!EXP_TID_SET_EMPTY(uctxt->tid_used_list)) + unlock_exp_tids(uctxt, &uctxt->tid_used_list, fd); +- list_for_each_entry_safe(grp, gptr, &uctxt->tid_group_list.list, +- list) { +- list_del_init(&grp->list); +- kfree(grp); +- } +- hfi1_clear_tids(uctxt); + } + ++ kfree(fd->invalid_tids); ++ fd->invalid_tids = NULL; ++ + kfree(fd->entry_to_rb); ++ fd->entry_to_rb = NULL; + return 0; + } + +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.h ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.h +@@ -70,6 +70,7 @@ + (tid) |= EXP_TID_SET(field, (value)); \ + } while (0) + ++void hfi1_user_exp_rcv_grp_free(struct hfi1_ctxtdata *uctxt); + int hfi1_user_exp_rcv_init(struct file *); + int hfi1_user_exp_rcv_free(struct hfi1_filedata *); + int hfi1_user_exp_rcv_setup(struct file *, struct hfi1_tid_info *); diff --git a/queue-4.9/ib-hfi1-return-an-error-on-memory-allocation-failure.patch b/queue-4.9/ib-hfi1-return-an-error-on-memory-allocation-failure.patch new file mode 100644 index 00000000000..8c383020e11 --- /dev/null +++ b/queue-4.9/ib-hfi1-return-an-error-on-memory-allocation-failure.patch @@ -0,0 +1,32 @@ +From 94679061dcdddbafcf24e3bfb526e54dedcc2f2f Mon Sep 17 00:00:00 2001 +From: "Michael J. Ruhl" +Date: Thu, 4 May 2017 05:14:28 -0700 +Subject: IB/hfi1: Return an error on memory allocation failure + +From: Michael J. Ruhl + +commit 94679061dcdddbafcf24e3bfb526e54dedcc2f2f upstream. + +If the eager buffer allocation fails, it is necessary to return +an error code. + +Reviewed-by: Mike Marciniszyn +Signed-off-by: Michael J. Ruhl +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/init.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -1757,6 +1757,7 @@ int hfi1_setup_eagerbufs(struct hfi1_ctx + !HFI1_CAP_KGET_MASK(rcd->flags, MULTI_PKT_EGR)) { + dd_dev_err(dd, "ctxt%u: Failed to allocate eager buffers\n", + rcd->ctxt); ++ ret = -ENOMEM; + goto bail_rcvegrbuf_phys; + } + diff --git a/queue-4.9/pid_ns-fix-race-between-setns-ed-fork-and-zap_pid_ns_processes.patch b/queue-4.9/pid_ns-fix-race-between-setns-ed-fork-and-zap_pid_ns_processes.patch new file mode 100644 index 00000000000..631290afe55 --- /dev/null +++ b/queue-4.9/pid_ns-fix-race-between-setns-ed-fork-and-zap_pid_ns_processes.patch @@ -0,0 +1,103 @@ +From 3fd37226216620c1a468afa999739d5016fbc349 Mon Sep 17 00:00:00 2001 +From: Kirill Tkhai +Date: Fri, 12 May 2017 19:11:31 +0300 +Subject: pid_ns: Fix race between setns'ed fork() and zap_pid_ns_processes() + +From: Kirill Tkhai + +commit 3fd37226216620c1a468afa999739d5016fbc349 upstream. + +Imagine we have a pid namespace and a task from its parent's pid_ns, +which made setns() to the pid namespace. The task is doing fork(), +while the pid namespace's child reaper is dying. We have the race +between them: + +Task from parent pid_ns Child reaper +copy_process() .. + alloc_pid() .. + .. zap_pid_ns_processes() + .. disable_pid_allocation() + .. read_lock(&tasklist_lock) + .. iterate over pids in pid_ns + .. kill tasks linked to pids + .. read_unlock(&tasklist_lock) + write_lock_irq(&tasklist_lock); .. + attach_pid(p, PIDTYPE_PID); .. + .. .. + +So, just created task p won't receive SIGKILL signal, +and the pid namespace will be in contradictory state. +Only manual kill will help there, but does the userspace +care about this? I suppose, the most users just inject +a task into a pid namespace and wait a SIGCHLD from it. + +The patch fixes the problem. It simply checks for +(pid_ns->nr_hashed & PIDNS_HASH_ADDING) in copy_process(). +We do it under the tasklist_lock, and can't skip +PIDNS_HASH_ADDING as noted by Oleg: + +"zap_pid_ns_processes() does disable_pid_allocation() +and then takes tasklist_lock to kill the whole namespace. +Given that copy_process() checks PIDNS_HASH_ADDING +under write_lock(tasklist) they can't race; +if copy_process() takes this lock first, the new child will +be killed, otherwise copy_process() can't miss +the change in ->nr_hashed." + +If allocation is disabled, we just return -ENOMEM +like it's made for such cases in alloc_pid(). + +v2: Do not move disable_pid_allocation(), do not +introduce a new variable in copy_process() and simplify +the patch as suggested by Oleg Nesterov. +Account the problem with double irq enabling +found by Eric W. Biederman. + +Fixes: c876ad768215 ("pidns: Stop pid allocation when init dies") +Signed-off-by: Kirill Tkhai +CC: Andrew Morton +CC: Ingo Molnar +CC: Peter Zijlstra +CC: Oleg Nesterov +CC: Mike Rapoport +CC: Michal Hocko +CC: Andy Lutomirski +CC: "Eric W. Biederman" +CC: Andrei Vagin +CC: Cyrill Gorcunov +CC: Serge Hallyn +Acked-by: Oleg Nesterov +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/fork.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1773,11 +1773,13 @@ static __latent_entropy struct task_stru + */ + recalc_sigpending(); + if (signal_pending(current)) { +- spin_unlock(¤t->sighand->siglock); +- write_unlock_irq(&tasklist_lock); + retval = -ERESTARTNOINTR; + goto bad_fork_cancel_cgroup; + } ++ if (unlikely(!(ns_of_pid(pid)->nr_hashed & PIDNS_HASH_ADDING))) { ++ retval = -ENOMEM; ++ goto bad_fork_cancel_cgroup; ++ } + + if (likely(p->pid)) { + ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace); +@@ -1828,6 +1830,8 @@ static __latent_entropy struct task_stru + return p; + + bad_fork_cancel_cgroup: ++ spin_unlock(¤t->sighand->siglock); ++ write_unlock_irq(&tasklist_lock); + cgroup_cancel_fork(p); + bad_fork_free_pid: + threadgroup_change_end(current); diff --git a/queue-4.9/pid_ns-sleep-in-task_interruptible-in-zap_pid_ns_processes.patch b/queue-4.9/pid_ns-sleep-in-task_interruptible-in-zap_pid_ns_processes.patch new file mode 100644 index 00000000000..df2450c9b21 --- /dev/null +++ b/queue-4.9/pid_ns-sleep-in-task_interruptible-in-zap_pid_ns_processes.patch @@ -0,0 +1,40 @@ +From b9a985db98961ae1ba0be169f19df1c567e4ffe0 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Thu, 11 May 2017 18:21:01 -0500 +Subject: pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes + +From: Eric W. Biederman + +commit b9a985db98961ae1ba0be169f19df1c567e4ffe0 upstream. + +The code can potentially sleep for an indefinite amount of time in +zap_pid_ns_processes triggering the hung task timeout, and increasing +the system average. This is undesirable. Sleep with a task state of +TASK_INTERRUPTIBLE instead of TASK_UNINTERRUPTIBLE to remove these +undesirable side effects. + +Apparently under heavy load this has been allowing Chrome to trigger +the hung time task timeout error and cause ChromeOS to reboot. + +Reported-by: Vovo Yang +Reported-by: Guenter Roeck +Tested-by: Guenter Roeck +Fixes: 6347e9009104 ("pidns: guarantee that the pidns init will be the last pidns process reaped") +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/pid_namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/pid_namespace.c ++++ b/kernel/pid_namespace.c +@@ -274,7 +274,7 @@ void zap_pid_ns_processes(struct pid_nam + * if reparented. + */ + for (;;) { +- set_current_state(TASK_UNINTERRUPTIBLE); ++ set_current_state(TASK_INTERRUPTIBLE); + if (pid_ns->nr_hashed == init_pids) + break; + schedule(); diff --git a/queue-4.9/series b/queue-4.9/series index c782347cd80..484fd114e49 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -65,3 +65,10 @@ of-fdt-add-missing-allocation-failure-check.patch ibmvscsis-do-not-send-aborted-task-response.patch iio-dac-ad7303-fix-channel-description.patch iio-bmp280-core.c-fix-error-in-humidity-calculation.patch +ib-hfi1-return-an-error-on-memory-allocation-failure.patch +ib-hfi1-fix-a-subcontext-memory-leak.patch +pid_ns-sleep-in-task_interruptible-in-zap_pid_ns_processes.patch +pid_ns-fix-race-between-setns-ed-fork-and-zap_pid_ns_processes.patch +usb-serial-ftdi_sio-fix-setting-latency-for-unprivileged-users.patch +usb-serial-ftdi_sio-add-olimex-arm-usb-tiny-h-pids.patch +usb-chaoskey-fix-alea-quirk-on-big-endian-hosts.patch diff --git a/queue-4.9/usb-chaoskey-fix-alea-quirk-on-big-endian-hosts.patch b/queue-4.9/usb-chaoskey-fix-alea-quirk-on-big-endian-hosts.patch new file mode 100644 index 00000000000..db826327e70 --- /dev/null +++ b/queue-4.9/usb-chaoskey-fix-alea-quirk-on-big-endian-hosts.patch @@ -0,0 +1,37 @@ +From 63afd5cc78775018ea2dec4004428dafa5283e93 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 11 May 2017 11:36:01 +0200 +Subject: USB: chaoskey: fix Alea quirk on big-endian hosts + +From: Johan Hovold + +commit 63afd5cc78775018ea2dec4004428dafa5283e93 upstream. + +Add missing endianness conversion when applying the Alea timeout quirk. + +Found using sparse: + + warning: restricted __le16 degrades to integer + +Fixes: e4a886e811cd ("hwrng: chaoskey - Fix URB warning due to timeout on Alea") +Cc: Bob Ham +Cc: Herbert Xu +Cc: Keith Packard +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/chaoskey.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/misc/chaoskey.c ++++ b/drivers/usb/misc/chaoskey.c +@@ -194,7 +194,7 @@ static int chaoskey_probe(struct usb_int + + dev->in_ep = in_ep; + +- if (udev->descriptor.idVendor != ALEA_VENDOR_ID) ++ if (le16_to_cpu(udev->descriptor.idVendor) != ALEA_VENDOR_ID) + dev->reads_started = 1; + + dev->size = size; diff --git a/queue-4.9/usb-serial-ftdi_sio-add-olimex-arm-usb-tiny-h-pids.patch b/queue-4.9/usb-serial-ftdi_sio-add-olimex-arm-usb-tiny-h-pids.patch new file mode 100644 index 00000000000..d0bedbd554b --- /dev/null +++ b/queue-4.9/usb-serial-ftdi_sio-add-olimex-arm-usb-tiny-h-pids.patch @@ -0,0 +1,55 @@ +From 5f63424ab7daac840df2b12dd5bcc5b38d50f779 Mon Sep 17 00:00:00 2001 +From: Andrey Korolyov +Date: Tue, 16 May 2017 23:54:41 +0300 +Subject: USB: serial: ftdi_sio: add Olimex ARM-USB-TINY(H) PIDs + +From: Andrey Korolyov + +commit 5f63424ab7daac840df2b12dd5bcc5b38d50f779 upstream. + +This patch adds support for recognition of ARM-USB-TINY(H) devices which +are almost identical to ARM-USB-OCD(H) but lacking separate barrel jack +and serial console. + +By suggestion from Johan Hovold it is possible to replace +ftdi_jtag_quirk with a bit more generic construction. Since all +Olimex-ARM debuggers has exactly two ports, we could safely always use +only second port within the debugger family. + +Signed-off-by: Andrey Korolyov +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 8 ++++---- + drivers/usb/serial/ftdi_sio_ids.h | 2 ++ + 2 files changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -809,10 +809,10 @@ static const struct usb_device_id id_tab + { USB_DEVICE(FTDI_VID, FTDI_PROPOX_ISPCABLEIII_PID) }, + { USB_DEVICE(FTDI_VID, CYBER_CORTEX_AV_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_H_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_OCD_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_OCD_H_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_TINY_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_TINY_H_PID, 1) }, + { USB_DEVICE(FIC_VID, FIC_NEO1973_DEBUG_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(FTDI_VID, FTDI_OOCDLINK_PID), +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -882,6 +882,8 @@ + /* Olimex */ + #define OLIMEX_VID 0x15BA + #define OLIMEX_ARM_USB_OCD_PID 0x0003 ++#define OLIMEX_ARM_USB_TINY_PID 0x0004 ++#define OLIMEX_ARM_USB_TINY_H_PID 0x002a + #define OLIMEX_ARM_USB_OCD_H_PID 0x002b + + /* diff --git a/queue-4.9/usb-serial-ftdi_sio-fix-setting-latency-for-unprivileged-users.patch b/queue-4.9/usb-serial-ftdi_sio-fix-setting-latency-for-unprivileged-users.patch new file mode 100644 index 00000000000..b62482812c7 --- /dev/null +++ b/queue-4.9/usb-serial-ftdi_sio-fix-setting-latency-for-unprivileged-users.patch @@ -0,0 +1,47 @@ +From bb246681b3ed0967489a7401ad528c1aaa1a4c2e Mon Sep 17 00:00:00 2001 +From: Anthony Mallet +Date: Fri, 5 May 2017 17:30:16 +0200 +Subject: USB: serial: ftdi_sio: fix setting latency for unprivileged users + +From: Anthony Mallet + +commit bb246681b3ed0967489a7401ad528c1aaa1a4c2e upstream. + +Commit 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY +flag") enables unprivileged users to set the FTDI latency timer, +but there was a logic flaw that skipped sending the corresponding +USB control message to the device. + +Specifically, the device latency timer would not be updated until next +open, something which was later also inadvertently broken by commit +c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port +probe"). + +A recent commit c6dce2626606 ("USB: serial: ftdi_sio: fix extreme +low-latency setting") disabled the low-latency mode by default so we now +need this fix to allow unprivileged users to again enable it. + +Signed-off-by: Anthony Mallet +[johan: amend commit message] +Fixes: 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY flag") +Fixes: c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port probe"). +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1508,9 +1508,9 @@ static int set_serial_info(struct tty_st + (new_serial.flags & ASYNC_FLAGS)); + priv->custom_divisor = new_serial.custom_divisor; + ++check_and_exit: + write_latency_timer(port); + +-check_and_exit: + if ((old_priv.flags & ASYNC_SPD_MASK) != + (priv->flags & ASYNC_SPD_MASK)) { + if ((priv->flags & ASYNC_SPD_MASK) == ASYNC_SPD_HI)