From: Greg Kroah-Hartman Date: Tue, 10 Oct 2017 18:16:17 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.75~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=404abaf81b2512258ea8fb57c1cdf8522951623e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch brcmfmac-setup-passive-scan-if-requested-by-user-space.patch drm-i915-bios-ignore-hdmi-on-port-a.patch ext4-don-t-allow-encrypted-operations-without-keys.patch ext4-don-t-clear-sgid-when-inheriting-acls.patch ext4-fix-data-corruption-for-mmap-writes.patch f2fs-don-t-allow-encrypted-operations-without-keys.patch nvme-protect-against-simultaneous-shutdown-invocations.patch sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch --- diff --git a/queue-4.4/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch b/queue-4.4/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch new file mode 100644 index 00000000000..2140cb59043 --- /dev/null +++ b/queue-4.4/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch 
@@ -0,0 +1,71 @@ +From 17df6453d4be17910456e99c5a85025aa1b7a246 Mon Sep 17 00:00:00 2001 +From: Arend Van Spriel +Date: Tue, 12 Sep 2017 10:47:53 +0200 +Subject: brcmfmac: add length check in brcmf_cfg80211_escan_handler() + +From: Arend Van Spriel + +commit 17df6453d4be17910456e99c5a85025aa1b7a246 upstream. + +Upon handling the firmware notification for scans the length was +checked properly and may result in corrupting kernel heap memory +due to buffer overruns. This fix addresses CVE-2017-0786. + +Cc: Kevin Cernekee +Reviewed-by: Hante Meuleman +Reviewed-by: Pieter-Paul Giesberts +Reviewed-by: Franky Lin +Signed-off-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c +@@ -2914,6 +2914,7 @@ brcmf_cfg80211_escan_handler(struct brcm + struct brcmf_cfg80211_info *cfg = ifp->drvr->config; + s32 status; + struct brcmf_escan_result_le *escan_result_le; ++ u32 escan_buflen; + struct brcmf_bss_info_le *bss_info_le; + struct brcmf_bss_info_le *bss = NULL; + u32 bi_length; +@@ -2930,11 +2931,23 @@ brcmf_cfg80211_escan_handler(struct brcm + + if (status == BRCMF_E_STATUS_PARTIAL) { + brcmf_dbg(SCAN, "ESCAN Partial result\n"); ++ if (e->datalen < sizeof(*escan_result_le)) { ++ brcmf_err("invalid event data length\n"); ++ goto exit; ++ } + escan_result_le = (struct brcmf_escan_result_le *) data; + if (!escan_result_le) { + brcmf_err("Invalid escan result (NULL pointer)\n"); + goto exit; + } ++ escan_buflen = le32_to_cpu(escan_result_le->buflen); ++ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE || ++ escan_buflen > e->datalen || ++ escan_buflen < sizeof(*escan_result_le)) { ++ brcmf_err("Invalid escan buffer length: %d\n", ++ escan_buflen); ++ goto exit; ++ } + if (le16_to_cpu(escan_result_le->bss_count) 
!= 1) { + brcmf_err("Invalid bss_count %d: ignoring\n", + escan_result_le->bss_count); +@@ -2951,9 +2964,8 @@ brcmf_cfg80211_escan_handler(struct brcm + } + + bi_length = le32_to_cpu(bss_info_le->length); +- if (bi_length != (le32_to_cpu(escan_result_le->buflen) - +- WL_ESCAN_RESULTS_FIXED_SIZE)) { +- brcmf_err("Invalid bss_info length %d: ignoring\n", ++ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) { ++ brcmf_err("Ignoring invalid bss_info length: %d\n", + bi_length); + goto exit; + } diff --git a/queue-4.4/brcmfmac-setup-passive-scan-if-requested-by-user-space.patch b/queue-4.4/brcmfmac-setup-passive-scan-if-requested-by-user-space.patch new file mode 100644 index 00000000000..fec15721ad2 --- /dev/null +++ b/queue-4.4/brcmfmac-setup-passive-scan-if-requested-by-user-space.patch 
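Review bot: The new range check in the `BRCMF_E_STATUS_PARTIAL` branch logs `escan_buflen`, a `u32`, with `%d`, so a firmware-supplied value above INT_MAX would print as a negative number; `brcmf_err("Invalid escan buffer length: %u\n", escan_buflen);` uses the matching specifier. The later test `bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE` relies on the lower bound `escan_buflen >= sizeof(*escan_result_le)` to keep the unsigned subtraction from wrapping. That holds only if the struct is at least WL_ESCAN_RESULTS_FIXED_SIZE bytes, and neither definition is visible here, so a one-line comment above the check stating that dependency would help. The context line that prints `escan_result_le->bss_count` passes the raw little-endian field rather than the `le16_to_cpu()` value, though this patch does not touch it. brcmf_cfg80211_escan_handler() starts and ends outside the hunks shown.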
@@ -0,0 +1,85 @@ +From 35f62727df0ed8e5e4857e162d94fd46d861f1cf Mon Sep 17 00:00:00 2001 +From: Arend Van Spriel +Date: Tue, 12 Sep 2017 10:47:54 +0200 +Subject: brcmfmac: setup passive scan if requested by user-space + +From: Arend Van Spriel + +commit 35f62727df0ed8e5e4857e162d94fd46d861f1cf upstream. + +The driver was not properly configuring firmware with regard to the +type of scan. It always performed an active scan even when user-space +was requesting for passive scan, ie. the scan request was done without +any SSIDs specified. + +Reported-by: Huang, Jiangyang +Reviewed-by: Hante Meuleman +Reviewed-by: Pieter-Paul Giesberts +Reviewed-by: Franky Lin +Signed-off-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 19 ++++--------------- + drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h | 5 +++++ + 2 files changed, 9 insertions(+), 15 deletions(-) + +--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c +@@ -876,7 +876,7 @@ static void brcmf_escan_prep(struct brcm + + eth_broadcast_addr(params_le->bssid); + params_le->bss_type = DOT11_BSSTYPE_ANY; +- params_le->scan_type = 0; ++ params_le->scan_type = BRCMF_SCANTYPE_ACTIVE; + params_le->channel_num = 0; + params_le->nprobes = cpu_to_le32(-1); + params_le->active_time = cpu_to_le32(-1); +@@ -884,12 +884,9 @@ static void brcmf_escan_prep(struct brcm + params_le->home_time = cpu_to_le32(-1); + memset(¶ms_le->ssid_le, 0, sizeof(params_le->ssid_le)); + +- /* if request is null exit so it will be all channel broadcast scan */ +- if (!request) +- return; +- + n_ssids = request->n_ssids; + n_channels = request->n_channels; ++ + /* Copy channel array if applicable */ + brcmf_dbg(SCAN, "### List of channelspecs to scan ### %d\n", + n_channels); +@@ -926,16 +923,8 @@ static void brcmf_escan_prep(struct brcm + ptr += sizeof(ssid_le); + } + } else { +- brcmf_dbg(SCAN, 
"Broadcast scan %p\n", request->ssids); +- if ((request->ssids) && request->ssids->ssid_len) { +- brcmf_dbg(SCAN, "SSID %s len=%d\n", +- params_le->ssid_le.SSID, +- request->ssids->ssid_len); +- params_le->ssid_le.SSID_len = +- cpu_to_le32(request->ssids->ssid_len); +- memcpy(¶ms_le->ssid_le.SSID, request->ssids->ssid, +- request->ssids->ssid_len); +- } ++ brcmf_dbg(SCAN, "Performing passive scan\n"); ++ params_le->scan_type = BRCMF_SCANTYPE_PASSIVE; + } + /* Adding mask to channel numbers */ + params_le->channel_num = +--- a/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h ++++ b/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h +@@ -45,6 +45,11 @@ + #define BRCMF_SCAN_PARAMS_COUNT_MASK 0x0000ffff + #define BRCMF_SCAN_PARAMS_NSSID_SHIFT 16 + ++/* scan type definitions */ ++#define BRCMF_SCANTYPE_DEFAULT 0xFF ++#define BRCMF_SCANTYPE_ACTIVE 0 ++#define BRCMF_SCANTYPE_PASSIVE 1 ++ + /* primary (ie tx) key */ + #define BRCMF_PRIMARY_KEY (1 << 1) + #define DOT11_BSSTYPE_ANY 2 diff --git a/queue-4.4/drm-i915-bios-ignore-hdmi-on-port-a.patch b/queue-4.4/drm-i915-bios-ignore-hdmi-on-port-a.patch new file mode 100644 index 00000000000..4a99080ca00 --- /dev/null +++ b/queue-4.4/drm-i915-bios-ignore-hdmi-on-port-a.patch 
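Review bot: Removing the `if (!request) return;` guard in brcmf_escan_prep() means `request->n_ssids` is now dereferenced unconditionally, so every caller in the 4.4 tree must pass a non-NULL request. The callers are not visible in this patch, and this should be confirmed for the backport; if a NULL request can still reach this function, the early return has to stay. `BRCMF_SCANTYPE_DEFAULT` is added in fwil_types.h but is not used by any line shown. A short comment on the `else` branch such as `/* no SSIDs given: user space asked for a passive scan */` would record the rule the commit message describes.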
@@ -0,0 +1,48 @@ +From 2ba7d7e0437127314864238f8bfcb8369d81075c Mon Sep 17 00:00:00 2001 +From: Jani Nikula +Date: Thu, 21 Sep 2017 17:19:20 +0300 +Subject: drm/i915/bios: ignore HDMI on port A +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jani Nikula + +commit 2ba7d7e0437127314864238f8bfcb8369d81075c upstream. + +The hardware state readout oopses after several warnings when trying to +use HDMI on port A, if such a combination is configured in VBT. Filter +the combo out already at the VBT parsing phase. + +v2: also ignore DVI (Ville) + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102889 +Cc: Imre Deak +Reviewed-by: Ville Syrjälä +Tested-by: Daniel Drake +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20170921141920.18172-1-jani.nikula@intel.com +(cherry picked from commit d27ffc1d00327c29b3aa97f941b42f0949f9e99f) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_bios.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/gpu/drm/i915/intel_bios.c ++++ b/drivers/gpu/drm/i915/intel_bios.c +@@ -957,6 +957,13 @@ static void parse_ddi_port(struct drm_i9 + is_hdmi = is_dvi && (child->common.device_type & DEVICE_TYPE_NOT_HDMI_OUTPUT) == 0; + is_edp = is_dp && (child->common.device_type & DEVICE_TYPE_INTERNAL_CONNECTOR); + ++ if (port == PORT_A && is_dvi) { ++ DRM_DEBUG_KMS("VBT claims port A supports DVI%s, ignoring\n", ++ is_hdmi ? "/HDMI" : ""); ++ is_dvi = false; ++ is_hdmi = false; ++ } ++ + info->supports_dvi = is_dvi; + info->supports_hdmi = is_hdmi; + info->supports_dp = is_dp; diff --git a/queue-4.4/ext4-don-t-allow-encrypted-operations-without-keys.patch b/queue-4.4/ext4-don-t-allow-encrypted-operations-without-keys.patch new file mode 100644 index 00000000000..da97a6ecdbd --- /dev/null +++ b/queue-4.4/ext4-don-t-allow-encrypted-operations-without-keys.patch 
@@ -0,0 +1,55 @@ +From 173b8439e1ba362007315868928bf9d26e5cc5a6 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 28 Dec 2016 00:22:52 -0500 +Subject: ext4: don't allow encrypted operations without keys + +From: Theodore Ts'o + +commit 173b8439e1ba362007315868928bf9d26e5cc5a6 upstream. + +While we allow deletes without the key, the following should not be +permitted: + +# cd /vdc/encrypted-dir-without-key +# ls -l +total 4 +-rw-r--r-- 1 root root 0 Dec 27 22:35 6,LKNRJsp209FbXoSvJWzB +-rw-r--r-- 1 root root 286 Dec 27 22:35 uRJ5vJh9gE7vcomYMqTAyD +# mv uRJ5vJh9gE7vcomYMqTAyD 6,LKNRJsp209FbXoSvJWzB + +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + + +--- + fs/ext4/namei.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3506,6 +3506,12 @@ static int ext4_rename(struct inode *old + int credits; + u8 old_file_type; + ++ if ((ext4_encrypted_inode(old_dir) && ++ !ext4_has_encryption_key(old_dir)) || ++ (ext4_encrypted_inode(new_dir) && ++ !ext4_has_encryption_key(new_dir))) ++ return -ENOKEY; ++ + retval = dquot_initialize(old.dir); + if (retval) + return retval; +@@ -3706,6 +3712,12 @@ static int ext4_cross_rename(struct inod + u8 new_file_type; + int retval; + ++ if ((ext4_encrypted_inode(old_dir) && ++ !ext4_has_encryption_key(old_dir)) || ++ (ext4_encrypted_inode(new_dir) && ++ !ext4_has_encryption_key(new_dir))) ++ return -ENOKEY; ++ + if ((ext4_encrypted_inode(old_dir) || + ext4_encrypted_inode(new_dir)) && + (old_dir != new_dir) && diff --git a/queue-4.4/ext4-don-t-clear-sgid-when-inheriting-acls.patch b/queue-4.4/ext4-don-t-clear-sgid-when-inheriting-acls.patch new file mode 100644 index 00000000000..e0d0644b39a --- /dev/null +++ b/queue-4.4/ext4-don-t-clear-sgid-when-inheriting-acls.patch 
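Review bot: The same four-line key test is added verbatim at the top of both ext4_rename() and ext4_cross_rename(), with no comment saying why renames are refused while deletes stay permitted. Folding it into one small static helper that takes `old_dir` and `new_dir` would keep the two entry points from drifting apart. The f2fs patch later in this queue repeats the pattern in f2fs_rename() and f2fs_cross_rename(). A comment above the check such as `/* rename needs the key for both directories; only deletes are allowed without it */` would carry the intent from the commit message into the code. Both functions continue beyond the hunks shown.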
@@ -0,0 +1,77 @@ +From a3bb2d5587521eea6dab2d05326abb0afb460abd Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Sun, 30 Jul 2017 23:33:01 -0400 +Subject: ext4: Don't clear SGID when inheriting ACLs + +From: Jan Kara + +commit a3bb2d5587521eea6dab2d05326abb0afb460abd upstream. + +When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit +set, DIR1 is expected to have SGID bit set (and owning group equal to +the owning group of 'DIR0'). However when 'DIR0' also has some default +ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on +'DIR1' to get cleared if user is not member of the owning group. + +Fix the problem by moving posix_acl_update_mode() out of +__ext4_set_acl() into ext4_set_acl(). That way the function will not be +called when inheriting ACLs which is what we want as it prevents SGID +bit clearing and the mode has been properly set by posix_acl_create() +anyway. + +Fixes: 073931017b49d9458aa351605b43a7e34598caef +Signed-off-by: Theodore Ts'o +Signed-off-by: Jan Kara +Reviewed-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/acl.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/fs/ext4/acl.c ++++ b/fs/ext4/acl.c +@@ -195,13 +195,6 @@ __ext4_set_acl(handle_t *handle, struct + switch (type) { + case ACL_TYPE_ACCESS: + name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS; +- if (acl) { +- error = posix_acl_update_mode(inode, &inode->i_mode, &acl); +- if (error) +- return error; +- inode->i_ctime = ext4_current_time(inode); +- ext4_mark_inode_dirty(handle, inode); +- } + break; + + case ACL_TYPE_DEFAULT: +@@ -234,6 +227,8 @@ ext4_set_acl(struct inode *inode, struct + { + handle_t *handle; + int error, retries = 0; ++ umode_t mode = inode->i_mode; ++ int update_mode = 0; + + retry: + handle = ext4_journal_start(inode, EXT4_HT_XATTR, +@@ -241,7 +236,20 @@ retry: + if (IS_ERR(handle)) + return PTR_ERR(handle); + ++ if ((type == ACL_TYPE_ACCESS) && acl) { ++ error = 
posix_acl_update_mode(inode, &mode, &acl); ++ if (error) ++ goto out_stop; ++ update_mode = 1; ++ } ++ + error = __ext4_set_acl(handle, inode, type, acl); ++ if (!error && update_mode) { ++ inode->i_mode = mode; ++ inode->i_ctime = ext4_current_time(inode); ++ ext4_mark_inode_dirty(handle, inode); ++ } ++out_stop: + ext4_journal_stop(handle); + if (error == -ENOSPC && ext4_should_retry_alloc(inode->i_sb, &retries)) + goto retry; diff --git a/queue-4.4/ext4-fix-data-corruption-for-mmap-writes.patch b/queue-4.4/ext4-fix-data-corruption-for-mmap-writes.patch new file mode 100644 index 00000000000..8be8c3018ac --- /dev/null +++ b/queue-4.4/ext4-fix-data-corruption-for-mmap-writes.patch 
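Review bot: In ext4_set_acl() `mode` and `update_mode` are initialised above the `retry:` label, so on an -ENOSPC retry they keep whatever the first pass left in them, and `acl` may already have been changed through the `&acl` argument of posix_acl_update_mode(). That looks intentional but is stated nowhere; a comment such as `/* mode and update_mode deliberately survive a retry */` would save the next reader from re-deriving it. It is also worth noting above the new block that the mode update lives here rather than in __ext4_set_acl() so that the ACL-inheritance path cannot clear SGID, since that is the reason for the change.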
@@ -0,0 +1,65 @@ +From a056bdaae7a181f7dcc876cfab2f94538e508709 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 26 May 2017 17:45:45 -0400 +Subject: ext4: fix data corruption for mmap writes + +From: Jan Kara + +commit a056bdaae7a181f7dcc876cfab2f94538e508709 upstream. + +mpage_submit_page() can race with another process growing i_size and +writing data via mmap to the written-back page. As mpage_submit_page() +samples i_size too early, it may happen that ext4_bio_write_page() +zeroes out too large tail of the page and thus corrupts user data. + +Fix the problem by sampling i_size only after the page has been +write-protected in page tables by clear_page_dirty_for_io() call. + +Reported-by: Michael Zimmer +CC: stable@vger.kernel.org +Fixes: cb20d5188366f04d96d2e07b1240cc92170ade40 +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -1946,15 +1946,29 @@ static int ext4_writepage(struct page *p + static int mpage_submit_page(struct mpage_da_data *mpd, struct page *page) + { + int len; +- loff_t size = i_size_read(mpd->inode); ++ loff_t size; + int err; + + BUG_ON(page->index != mpd->first_page); +- if (page->index == size >> PAGE_CACHE_SHIFT) +- len = size & ~PAGE_CACHE_MASK; +- else +- len = PAGE_CACHE_SIZE; + clear_page_dirty_for_io(page); ++ /* ++ * We have to be very careful here! Nothing protects writeback path ++ * against i_size changes and the page can be writeably mapped into ++ * page tables. So an application can be growing i_size and writing ++ * data through mmap while writeback runs. clear_page_dirty_for_io() ++ * write-protects our page in page tables and the page cannot get ++ * written to again until we release page lock. 
So only after ++ * clear_page_dirty_for_io() we are safe to sample i_size for ++ * ext4_bio_write_page() to zero-out tail of the written page. We rely ++ * on the barrier provided by TestClearPageDirty in ++ * clear_page_dirty_for_io() to make sure i_size is really sampled only ++ * after page tables are updated. ++ */ ++ size = i_size_read(mpd->inode); ++ if (page->index == size >> PAGE_SHIFT) ++ len = size & ~PAGE_MASK; ++ else ++ len = PAGE_SIZE; + err = ext4_bio_write_page(&mpd->io_submit, page, len, mpd->wbc, false); + if (!err) + mpd->wbc->nr_to_write--; diff --git a/queue-4.4/f2fs-don-t-allow-encrypted-operations-without-keys.patch b/queue-4.4/f2fs-don-t-allow-encrypted-operations-without-keys.patch new file mode 100644 index 00000000000..05a82e88c95 --- /dev/null +++ b/queue-4.4/f2fs-don-t-allow-encrypted-operations-without-keys.patch 
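Review bot: The re-added length computation in mpage_submit_page() uses `PAGE_SHIFT`, `PAGE_MASK` and `PAGE_SIZE`, while the lines it replaces in this 4.4 file used `PAGE_CACHE_SHIFT`, `PAGE_CACHE_MASK` and `PAGE_CACHE_SIZE`. The two sets are presumably equal in this tree, but mixing them makes the backport look like more than a reordering. Keeping `if (page->index == size >> PAGE_CACHE_SHIFT)`, `len = size & ~PAGE_CACHE_MASK;` and `len = PAGE_CACHE_SIZE;` would match the rest of the file. The function continues past the end of the hunk.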
@@ -0,0 +1,50 @@ +From 363fa4e078cbdc97a172c19d19dc04b41b52ebc8 Mon Sep 17 00:00:00 2001 +From: Jaegeuk Kim +Date: Wed, 28 Dec 2016 17:31:15 -0800 +Subject: f2fs: don't allow encrypted operations without keys + +From: Jaegeuk Kim + +commit 363fa4e078cbdc97a172c19d19dc04b41b52ebc8 upstream. + +This patch fixes the renaming bug on encrypted filenames, which was pointed by + + (ext4: don't allow encrypted operations without keys) + +Cc: Theodore Ts'o +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman + +--- + fs/f2fs/namei.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -597,6 +597,12 @@ static int f2fs_rename(struct inode *old + struct f2fs_dir_entry *new_entry; + int err = -ENOENT; + ++ if ((f2fs_encrypted_inode(old_dir) && ++ !fscrypt_has_encryption_key(old_dir)) || ++ (f2fs_encrypted_inode(new_dir) && ++ !fscrypt_has_encryption_key(new_dir))) ++ return -ENOKEY; ++ + if ((old_dir != new_dir) && f2fs_encrypted_inode(new_dir) && + !f2fs_is_child_context_consistent_with_parent(new_dir, + old_inode)) { +@@ -755,6 +761,12 @@ static int f2fs_cross_rename(struct inod + int old_nlink = 0, new_nlink = 0; + int err = -ENOENT; + ++ if ((f2fs_encrypted_inode(old_dir) && ++ !fscrypt_has_encryption_key(old_dir)) || ++ (f2fs_encrypted_inode(new_dir) && ++ !fscrypt_has_encryption_key(new_dir))) ++ return -ENOKEY; ++ + if ((f2fs_encrypted_inode(old_dir) || f2fs_encrypted_inode(new_dir)) && + (old_dir != new_dir) && + (!f2fs_is_child_context_consistent_with_parent(new_dir, diff --git a/queue-4.4/nvme-protect-against-simultaneous-shutdown-invocations.patch b/queue-4.4/nvme-protect-against-simultaneous-shutdown-invocations.patch new file mode 100644 index 00000000000..5c24152bcf8 --- /dev/null +++ b/queue-4.4/nvme-protect-against-simultaneous-shutdown-invocations.patch 
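Review bot: The added key checks in f2fs_rename() and f2fs_cross_rename() call `fscrypt_has_encryption_key()`, whereas every other encryption helper visible in these hunks is `f2fs_`-prefixed (`f2fs_encrypted_inode`, `f2fs_is_child_context_consistent_with_parent`). For a 4.4 backport it is worth confirming that the `fscrypt_` symbol is declared in this tree. If it is not, the f2fs-local equivalent should be used so the queue still builds with f2fs encryption enabled. Both functions extend beyond the hunks shown.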
@@ -0,0 +1,71 @@ +From 77bf25ea70200cddf083f74b7f617e5f07fac8bd Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Thu, 26 Nov 2015 12:21:29 +0100 +Subject: nvme: protect against simultaneous shutdown invocations + +From: Keith Busch + +commit 77bf25ea70200cddf083f74b7f617e5f07fac8bd upstream. + +[Back-ported to 4.4. The difference is the file location of the struct +definition that's adding the mutex. + +This fixes reported kernel panics in 4.4-stable from simultaneous +controller resets that was never supposed to be allowed to happen.] + +Signed-off-by: Keith Busch +[hch: split from a larger patch] +Signed-off-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/nvme/host/nvme.h | 2 ++ + drivers/nvme/host/pci.c | 3 +++ + 2 files changed, 5 insertions(+) + +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -14,6 +14,7 @@ + #ifndef _NVME_H + #define _NVME_H + ++#include + #include + #include + #include +@@ -62,6 +63,7 @@ struct nvme_dev { + struct work_struct reset_work; + struct work_struct probe_work; + struct work_struct scan_work; ++ struct mutex shutdown_lock; + char name[12]; + char serial[20]; + char model[40]; +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2954,6 +2954,7 @@ static void nvme_dev_shutdown(struct nvm + + nvme_dev_list_remove(dev); + ++ mutex_lock(&dev->shutdown_lock); + if (pci_is_enabled(to_pci_dev(dev->dev))) { + nvme_freeze_queues(dev); + csts = readl(&dev->bar->csts); +@@ -2972,6 +2973,7 @@ static void nvme_dev_shutdown(struct nvm + + for (i = dev->queue_count - 1; i >= 0; i--) + nvme_clear_queue(dev->queues[i]); ++ mutex_unlock(&dev->shutdown_lock); + } + + static void nvme_dev_remove(struct nvme_dev *dev) +@@ -3328,6 +3330,7 @@ static int nvme_probe(struct pci_dev *pd + + INIT_LIST_HEAD(&dev->namespaces); + INIT_WORK(&dev->reset_work, nvme_reset_work); ++ mutex_init(&dev->shutdown_lock); + dev->dev = get_device(&pdev->dev); + pci_set_drvdata(pdev, 
dev); + diff --git a/queue-4.4/sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch b/queue-4.4/sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch new file mode 100644 index 00000000000..594ab92632d --- /dev/null +++ b/queue-4.4/sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch 
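Review bot: In nvme_dev_shutdown() the lock is taken after `nvme_dev_list_remove(dev)`, so two concurrent callers still both run the list removal before they are serialised. Whether that call is safe to repeat is not visible here; it should be checked, or `mutex_lock(&dev->shutdown_lock);` moved above it. The new field has no comment saying what it protects, and `struct mutex shutdown_lock; /* serialises nvme_dev_shutdown() */` would document it. In nvme_probe() `mutex_init()` comes after `INIT_WORK(&dev->reset_work, ...)`, which is fine only as long as nothing can reach the shutdown path before probe gets to that line.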
@@ -0,0 +1,169 @@ +From 50e76632339d4655859523a39249dd95ee5e93e7 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 7 Sep 2017 11:13:38 +0200 +Subject: sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs + +From: Peter Zijlstra + +commit 50e76632339d4655859523a39249dd95ee5e93e7 upstream. + +Cpusets vs. suspend-resume is _completely_ broken. And it got noticed +because it now resulted in non-cpuset usage breaking too. + +On suspend cpuset_cpu_inactive() doesn't call into +cpuset_update_active_cpus() because it doesn't want to move tasks about, +there is no need, all tasks are frozen and won't run again until after +we've resumed everything. + +But this means that when we finally do call into +cpuset_update_active_cpus() after resuming the last frozen cpu in +cpuset_cpu_active(), the top_cpuset will not have any difference with +the cpu_active_mask and this it will not in fact do _anything_. + +So the cpuset configuration will not be restored. This was largely +hidden because we would unconditionally create identity domains and +mobile users would not in fact use cpusets much. And servers what do use +cpusets tend to not suspend-resume much. + +An addition problem is that we'd not in fact wait for the cpuset work to +finish before resuming the tasks, allowing spurious migrations outside +of the specified domains. + +Fix the rebuild by introducing cpuset_force_rebuild() and fix the +ordering with cpuset_wait_for_hotplug(). + +Reported-by: Andy Lutomirski +Signed-off-by: Peter Zijlstra (Intel) +Cc: +Cc: Andy Lutomirski +Cc: Linus Torvalds +Cc: Mike Galbraith +Cc: Peter Zijlstra +Cc: Rafael J. 
Wysocki +Cc: Tejun Heo +Cc: Thomas Gleixner +Fixes: deb7aa308ea2 ("cpuset: reorganize CPU / memory hotplug handling") +Link: http://lkml.kernel.org/r/20170907091338.orwxrqkbfkki3c24@hirez.programming.kicks-ass.net +Signed-off-by: Ingo Molnar +Signed-off-by: Mike Galbraith +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/cpuset.h | 6 ++++++ + kernel/cpuset.c | 16 +++++++++++++++- + kernel/power/process.c | 5 ++++- + kernel/sched/core.c | 7 +++---- + 4 files changed, 28 insertions(+), 6 deletions(-) + +--- a/include/linux/cpuset.h ++++ b/include/linux/cpuset.h +@@ -43,7 +43,9 @@ static inline void cpuset_dec(void) + + extern int cpuset_init(void); + extern void cpuset_init_smp(void); ++extern void cpuset_force_rebuild(void); + extern void cpuset_update_active_cpus(bool cpu_online); ++extern void cpuset_wait_for_hotplug(void); + extern void cpuset_cpus_allowed(struct task_struct *p, struct cpumask *mask); + extern void cpuset_cpus_allowed_fallback(struct task_struct *p); + extern nodemask_t cpuset_mems_allowed(struct task_struct *p); +@@ -147,11 +149,15 @@ static inline bool cpusets_enabled(void) + static inline int cpuset_init(void) { return 0; } + static inline void cpuset_init_smp(void) {} + ++static inline void cpuset_force_rebuild(void) { } ++ + static inline void cpuset_update_active_cpus(bool cpu_online) + { + partition_sched_domains(1, NULL, NULL); + } + ++static inline void cpuset_wait_for_hotplug(void) { } ++ + static inline void cpuset_cpus_allowed(struct task_struct *p, + struct cpumask *mask) + { +--- a/kernel/cpuset.c ++++ b/kernel/cpuset.c +@@ -2281,6 +2281,13 @@ retry: + mutex_unlock(&cpuset_mutex); + } + ++static bool force_rebuild; ++ ++void cpuset_force_rebuild(void) ++{ ++ force_rebuild = true; ++} ++ + /** + * cpuset_hotplug_workfn - handle CPU/memory hotunplug for a cpuset + * +@@ -2355,8 +2362,10 @@ static void cpuset_hotplug_workfn(struct + } + + /* rebuild sched domains if cpus_allowed has changed */ +- if (cpus_updated) ++ if 
(cpus_updated || force_rebuild) { ++ force_rebuild = false; + rebuild_sched_domains(); ++ } + } + + void cpuset_update_active_cpus(bool cpu_online) +@@ -2375,6 +2384,11 @@ void cpuset_update_active_cpus(bool cpu_ + schedule_work(&cpuset_hotplug_work); + } + ++void cpuset_wait_for_hotplug(void) ++{ ++ flush_work(&cpuset_hotplug_work); ++} ++ + /* + * Keep top_cpuset.mems_allowed tracking node_states[N_MEMORY]. + * Call this routine anytime after node_states[N_MEMORY] changes. +--- a/kernel/power/process.c ++++ b/kernel/power/process.c +@@ -18,8 +18,9 @@ + #include + #include + #include ++#include + +-/* ++/* + * Timeout for stopping processes + */ + unsigned int __read_mostly freeze_timeout_msecs = 20 * MSEC_PER_SEC; +@@ -198,6 +199,8 @@ void thaw_processes(void) + __usermodehelper_set_disable_depth(UMH_FREEZING); + thaw_workqueues(); + ++ cpuset_wait_for_hotplug(); ++ + read_lock(&tasklist_lock); + for_each_process_thread(g, p) { + /* No other threads should have PF_SUSPEND_TASK set */ +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -7286,17 +7286,16 @@ static int cpuset_cpu_active(struct noti + * operation in the resume sequence, just build a single sched + * domain, ignoring cpusets. + */ +- num_cpus_frozen--; +- if (likely(num_cpus_frozen)) { +- partition_sched_domains(1, NULL, NULL); ++ partition_sched_domains(1, NULL, NULL); ++ if (--num_cpus_frozen) + break; +- } + + /* + * This is the last CPU online operation. So fall through and + * restore the original sched domains by considering the + * cpuset configurations. + */ ++ cpuset_force_rebuild(); + + case CPU_ONLINE: + cpuset_update_active_cpus(true); diff --git a/queue-4.4/series b/queue-4.4/series index d01d017f946..da7c060e308 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
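Review bot: `force_rebuild` in kernel/cpuset.c is a plain `static bool` that cpuset_force_rebuild() sets and cpuset_hotplug_workfn() tests and clears, and nothing in the hunks says what orders the two accesses. From the lines shown, the flag is set in cpuset_cpu_active() just before control falls into `case CPU_ONLINE:`, where cpuset_update_active_cpus() schedules the work. A comment on the variable such as `/* set by the CPU-online notifier before cpuset_hotplug_work is queued; consumed by the workfn */` would make the lockless access reviewable. The new `cpuset_force_rebuild();` also depends on the fall-through, so an explicit `/* fall through */` directly above the case label would make that dependency obvious.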
@@ -38,3 +38,12 @@ iio-adc-mcp320x-fix-readout-of-negative-voltages.patch iio-adc-mcp320x-fix-oops-on-module-unload.patch uwb-properly-check-kthread_run-return-value.patch uwb-ensure-that-endpoint-is-interrupt.patch +brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch +brcmfmac-setup-passive-scan-if-requested-by-user-space.patch +drm-i915-bios-ignore-hdmi-on-port-a.patch +nvme-protect-against-simultaneous-shutdown-invocations.patch +sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch +ext4-fix-data-corruption-for-mmap-writes.patch +ext4-don-t-clear-sgid-when-inheriting-acls.patch +ext4-don-t-allow-encrypted-operations-without-keys.patch +f2fs-don-t-allow-encrypted-operations-without-keys.patch