From: Greg Kroah-Hartman
Date: Sun, 12 Feb 2017 22:15:12 +0000 (-0800)
Subject: 4.4-stable patches
X-Git-Tag: v4.9.10~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7626fafdcd6685656361b975753a57f54222a16d;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
alsa-seq-don-t-handle-loop-timeout-at-snd_seq_pool_done.patch
alsa-seq-fix-race-at-creating-a-queue.patch
scsi-aacraid-fix-intx-msi-x-issue-with-older-controllers.patch
scsi-mpt3sas-disable-aspm-for-mpi2-controllers.patch
scsi-zfcp-fix-use-after-free-by-not-tracing-wka-port-open-close-on-failed-send.patch
tick-nohz-fix-possible-missing-clock-reprog-after-tick-soft-restart.patch
xen-netfront-delete-rx_refill_timer-in-xennet_disconnect_backend.patch
---
diff --git a/queue-4.4/alsa-seq-don-t-handle-loop-timeout-at-snd_seq_pool_done.patch b/queue-4.4/alsa-seq-don-t-handle-loop-timeout-at-snd_seq_pool_done.patch
new file mode 100644
index 00000000000..aa2c1f028c5
--- /dev/null
+++ b/queue-4.4/alsa-seq-don-t-handle-loop-timeout-at-snd_seq_pool_done.patch
@@ -0,0 +1,54 @@
+From 37a7ea4a9b81f6a864c10a7cb0b96458df5310a3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 6 Feb 2017 15:09:48 +0100
+Subject: ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
+
+From: Takashi Iwai
+
+commit 37a7ea4a9b81f6a864c10a7cb0b96458df5310a3 upstream.
+
+snd_seq_pool_done() syncs with closing of all opened threads, but it
+aborts the wait loop with a timeout, and proceeds to the release
+resource even if not all threads have been closed. The timeout was 5
+seconds, and if you run a crazy stuff, it can exceed easily, and may
+result in the access of the invalid memory address -- this is what
+syzkaller detected in a bug report.
+
+As a fix, let the code graduate from naiveness, simply remove the loop
+timeout.
+
+BugLink: http://lkml.kernel.org/r/CACT4Y+YdhDV2H5LLzDTJDVF-qiYHUHhtRaW4rbb4gUhTCQB81w@mail.gmail.com
+Reported-by: Dmitry Vyukov
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/seq/seq_memory.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/sound/core/seq/seq_memory.c
++++ b/sound/core/seq/seq_memory.c
+@@ -419,7 +419,6 @@ int snd_seq_pool_done(struct snd_seq_poo
+ {
+ unsigned long flags;
+ struct snd_seq_event_cell *ptr;
+- int max_count = 5 * HZ;
+
+ if (snd_BUG_ON(!pool))
+ return -EINVAL;
+@@ -432,14 +431,8 @@ int snd_seq_pool_done(struct snd_seq_poo
+ if (waitqueue_active(&pool->output_sleep))
+ wake_up(&pool->output_sleep);
+
+- while (atomic_read(&pool->counter) > 0) {
+- if (max_count == 0) {
+- pr_warn("ALSA: snd_seq_pool_done timeout: %d cells remain\n", atomic_read(&pool->counter));
+- break;
+- }
++ while (atomic_read(&pool->counter) > 0)
+ schedule_timeout_uninterruptible(1);
+- max_count--;
+- }
+
+ /* release all resources */
+ spin_lock_irqsave(&pool->lock, flags);
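Review bot: With the 5*HZ bound removed, the `while (atomic_read(&pool->counter) > 0)` loop in snd_seq_pool_done() now waits uninterruptibly until every cell has been returned, so a leaked cell turns the old warning into an indefinite hang of the closing task instead of a use-after-free. That is the intended trade-off, but nothing in the code says so any more; I'd put `/* No timeout: releasing the pool while cells are still in flight is a use-after-free, so wait as long as it takes. */` above the loop. The rest of snd_seq_pool_done() lies outside the hunk.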
diff --git a/queue-4.4/alsa-seq-fix-race-at-creating-a-queue.patch b/queue-4.4/alsa-seq-fix-race-at-creating-a-queue.patch
new file mode 100644
index 00000000000..b84117d1e57
--- /dev/null
+++ b/queue-4.4/alsa-seq-fix-race-at-creating-a-queue.patch
@@ -0,0 +1,92 @@
+From 4842e98f26dd80be3623c4714a244ba52ea096a8 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 8 Feb 2017 12:35:39 +0100
+Subject: ALSA: seq: Fix race at creating a queue
+
+From: Takashi Iwai
+
+commit 4842e98f26dd80be3623c4714a244ba52ea096a8 upstream.
+
+When a sequencer queue is created in snd_seq_queue_alloc(),it adds the
+new queue element to the public list before referencing it. Thus the
+queue might be deleted before the call of snd_seq_queue_use(), and it
+results in the use-after-free error, as spotted by syzkaller.
+
+The fix is to reference the queue object at the right time.
+
+Reported-by: Dmitry Vyukov
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/seq/seq_queue.c | 33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+--- a/sound/core/seq/seq_queue.c
++++ b/sound/core/seq/seq_queue.c
+@@ -181,6 +181,8 @@ void __exit snd_seq_queues_delete(void)
+ }
+ }
+
++static void queue_use(struct snd_seq_queue *queue, int client, int use);
++
+ /* allocate a new queue -
+ * return queue index value or negative value for error
+ */
+@@ -192,11 +194,11 @@ int snd_seq_queue_alloc(int client, int
+ if (q == NULL)
+ return -ENOMEM;
+ q->info_flags = info_flags;
++ queue_use(q, client, 1);
+ if (queue_list_add(q) < 0) {
+ queue_delete(q);
+ return -ENOMEM;
+ }
+- snd_seq_queue_use(q->queue, client, 1); /* use this queue */
+ return q->queue;
+ }
+
+@@ -502,19 +504,9 @@ int snd_seq_queue_timer_set_tempo(int qu
+ return result;
+ }
+
+-
+-/* use or unuse this queue -
+- * if it is the first client, starts the timer.
+- * if it is not longer used by any clients, stop the timer.
+- */
+-int snd_seq_queue_use(int queueid, int client, int use)
++/* use or unuse this queue */
++static void queue_use(struct snd_seq_queue *queue, int client, int use)
+ {
+- struct snd_seq_queue *queue;
+-
+- queue = queueptr(queueid);
+- if (queue == NULL)
+- return -EINVAL;
+- mutex_lock(&queue->timer_mutex);
+ if (use) {
+ if (!test_and_set_bit(client, queue->clients_bitmap))
+ queue->clients++;
+@@ -529,6 +521,21 @@ int snd_seq_queue_use(int queueid, int c
+ } else {
+ snd_seq_timer_close(queue);
+ }
++}
++
++/* use or unuse this queue -
++ * if it is the first client, starts the timer.
++ * if it is not longer used by any clients, stop the timer.
++ */
++int snd_seq_queue_use(int queueid, int client, int use)
++{
++ struct snd_seq_queue *queue;
++
++ queue = queueptr(queueid);
++ if (queue == NULL)
++ return -EINVAL;
++ mutex_lock(&queue->timer_mutex);
++ queue_use(queue, client, use);
+ mutex_unlock(&queue->timer_mutex);
+ queuefree(queue);
+ return 0;
diff --git a/queue-4.4/scsi-aacraid-fix-intx-msi-x-issue-with-older-controllers.patch b/queue-4.4/scsi-aacraid-fix-intx-msi-x-issue-with-older-controllers.patch
new file mode 100644
index 00000000000..bd2aefb6beb
--- /dev/null
+++ b/queue-4.4/scsi-aacraid-fix-intx-msi-x-issue-with-older-controllers.patch
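Review bot: The new `queue_use(q, client, 1)` call in snd_seq_queue_alloc() runs without `queue->timer_mutex`, which the public wrapper snd_seq_queue_use() takes before calling the same helper; that is only safe because q is not yet on the public list, and neither the static helper's comment nor the call site says so. I'd extend the helper's comment to `/* use or unuse this queue; caller holds queue->timer_mutex, or the queue is not yet visible to other clients */` and add a one-line note at the call site. If queue_list_add() then fails, queue_delete(q) has to undo the timer that queue_use() starts for the first client (per the moved comment); that path is outside the hunk and worth a second look. snd_seq_queue_alloc() begins before the hunk.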
@@ -0,0 +1,44 @@
+From 8af8e1c22f9994bb1849c01d66c24fe23f9bc9a0 Mon Sep 17 00:00:00 2001
+From: Dave Carroll
+Date: Thu, 9 Feb 2017 11:04:47 -0700
+Subject: scsi: aacraid: Fix INTx/MSI-x issue with older controllers
+
+From: Dave Carroll
+
+commit 8af8e1c22f9994bb1849c01d66c24fe23f9bc9a0 upstream.
+
+commit 78cbccd3bd68 ("aacraid: Fix for KDUMP driver hang")
+
+caused a problem on older controllers which do not support MSI-x (namely
+ASR3405,ASR3805). This patch conditionalizes the previous patch to
+controllers which support MSI-x
+
+Fixes: 78cbccd3bd68 ("aacraid: Fix for KDUMP driver hang")
+Reported-by: Arkadiusz Miskiewicz
+Signed-off-by: Dave Carroll
+Reviewed-by: Raghava Aditya Renukunta
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/aacraid/comminit.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/aacraid/comminit.c
++++ b/drivers/scsi/aacraid/comminit.c
+@@ -50,9 +50,13 @@ struct aac_common aac_config = {
+
+ static inline int aac_is_msix_mode(struct aac_dev *dev)
+ {
+- u32 status;
++ u32 status = 0;
+
+- status = src_readl(dev, MUnit.OMR);
++ if (dev->pdev->device == PMC_DEVICE_S6 ||
++ dev->pdev->device == PMC_DEVICE_S7 ||
++ dev->pdev->device == PMC_DEVICE_S8) {
++ status = src_readl(dev, MUnit.OMR);
++ }
+ return (status & AAC_INT_MODE_MSIX);
+ }
+
diff --git a/queue-4.4/scsi-mpt3sas-disable-aspm-for-mpi2-controllers.patch b/queue-4.4/scsi-mpt3sas-disable-aspm-for-mpi2-controllers.patch
new file mode 100644
index 00000000000..780124c5686
--- /dev/null
+++ b/queue-4.4/scsi-mpt3sas-disable-aspm-for-mpi2-controllers.patch
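Review bot: aac_is_msix_mode() now silently reports INTx for every device id other than PMC_DEVICE_S6/S7/S8, and the reason lives only in the commit message; a reader of comminit.c cannot tell whether an unlisted id is deliberate or an oversight. I'd add `/* Only S6/S7/S8 report the interrupt mode in MUnit.OMR; older controllers have no MSI-x, so treat them as INTx. */` above the `if`. If the driver already keeps a list or helper for the MSI-x-capable families elsewhere, reusing it here would stop the two from drifting apart; I can't see that from the hunk.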
@@ -0,0 +1,41 @@
+From ffdadd68af5a397b8a52289ab39d62e1acb39e63 Mon Sep 17 00:00:00 2001
+From: ojab
+Date: Wed, 28 Dec 2016 11:05:24 +0000
+Subject: scsi: mpt3sas: disable ASPM for MPI2 controllers
+
+From: ojab
+
+commit ffdadd68af5a397b8a52289ab39d62e1acb39e63 upstream.
+
+MPI2 controllers sometimes got lost (i.e. disappear from
+/sys/bus/pci/devices) if ASMP is enabled.
+
+Signed-off-by: Slava Kardakov
+Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=60644
+Acked-by: Sreekanth Reddy
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -51,6 +51,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -8483,6 +8484,8 @@ _scsih_probe(struct pci_dev *pdev, const
+
+ switch (hba_mpi_version) {
+ case MPI2_VERSION:
++ pci_disable_link_state(pdev, PCIE_LINK_STATE_L0S |
++ PCIE_LINK_STATE_L1 | PCIE_LINK_STATE_CLKPM);
+ /* Use mpt2sas driver host template for SAS 2.0 HBA's */
+ shost = scsi_host_alloc(&mpt2sas_driver_template,
+ sizeof(struct MPT3SAS_ADAPTER));
diff --git a/queue-4.4/scsi-zfcp-fix-use-after-free-by-not-tracing-wka-port-open-close-on-failed-send.patch b/queue-4.4/scsi-zfcp-fix-use-after-free-by-not-tracing-wka-port-open-close-on-failed-send.patch
new file mode 100644
index 00000000000..5bd34179caa
--- /dev/null
+++ b/queue-4.4/scsi-zfcp-fix-use-after-free-by-not-tracing-wka-port-open-close-on-failed-send.patch
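Review bot: The int return of `pci_disable_link_state()` in _scsih_probe() is dropped, so when the request is refused the MPI2 HBA keeps ASPM enabled and probes anyway with nothing in the log to explain a later disappearance from the bus; logging the failure at the driver's usual warning level would make that diagnosable, and the call deserves a why-comment such as `/* MPI2 HBAs can drop off the bus with ASPM active, see bugzilla.kernel.org bug 60644 */`. The added `#include` line has lost its header name in this rendering (presumably the pci-aspm header that declares pci_disable_link_state()); worth checking that the stored patch file is intact. _scsih_probe() starts and ends outside the hunk.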
@@ -0,0 +1,97 @@
+From 2dfa6688aafdc3f74efeb1cf05fb871465d67f79 Mon Sep 17 00:00:00 2001
+From: Steffen Maier
+Date: Wed, 8 Feb 2017 15:34:22 +0100
+Subject: scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send
+
+From: Steffen Maier
+
+commit 2dfa6688aafdc3f74efeb1cf05fb871465d67f79 upstream.
+
+Dan Carpenter kindly reported:
+
+The patch d27a7cb91960: "zfcp: trace on request for open and close of
+WKA port" from Aug 10, 2016, leads to the following static checker
+warning:
+
+ drivers/s390/scsi/zfcp_fsf.c:1615 zfcp_fsf_open_wka_port()
+ warn: 'req' was already freed.
+
+drivers/s390/scsi/zfcp_fsf.c
+ 1609 zfcp_fsf_start_timer(req, ZFCP_FSF_REQUEST_TIMEOUT);
+ 1610 retval = zfcp_fsf_req_send(req);
+ 1611 if (retval)
+ 1612 zfcp_fsf_req_free(req);
+ ^^^
+Freed.
+
+ 1613 out:
+ 1614 spin_unlock_irq(&qdio->req_q_lock);
+ 1615 if (req && !IS_ERR(req))
+ 1616 zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id);
+ ^^^^^^^^^^^
+Use after free.
+
+ 1617 return retval;
+ 1618 }
+
+Same thing for zfcp_fsf_close_wka_port() as well.
+
+
+Rather than relying on req being NULL (or ERR_PTR) for all cases where
+we don't want to trace or should not trace,
+simply check retval which is unconditionally initialized with -EIO != 0
+and it can only become 0 on successful retval = zfcp_fsf_req_send(req).
+With that we can also remove the then again unnecessary unconditional
+initialization of req which was introduced with that earlier commit.
+
+Reported-by: Dan Carpenter
+Suggested-by: Benjamin Block
+Signed-off-by: Steffen Maier
+Fixes: d27a7cb91960 ("zfcp: trace on request for open and close of WKA port")
+Reviewed-by: Benjamin Block
+Reviewed-by: Jens Remus
+Signed-off-by: Martin K.
Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/s390/scsi/zfcp_fsf.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_fsf.c
++++ b/drivers/s390/scsi/zfcp_fsf.c
+@@ -1583,7 +1583,7 @@ out:
+ int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port)
+ {
+ struct zfcp_qdio *qdio = wka_port->adapter->qdio;
+- struct zfcp_fsf_req *req = NULL;
++ struct zfcp_fsf_req *req;
+ int retval = -EIO;
+
+ spin_lock_irq(&qdio->req_q_lock);
+@@ -1612,7 +1612,7 @@ int zfcp_fsf_open_wka_port(struct zfcp_f
+ zfcp_fsf_req_free(req);
+ out:
+ spin_unlock_irq(&qdio->req_q_lock);
+- if (req && !IS_ERR(req))
++ if (!retval)
+ zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id);
+ return retval;
+ }
+@@ -1638,7 +1638,7 @@ static void zfcp_fsf_close_wka_port_hand
+ int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port)
+ {
+ struct zfcp_qdio *qdio = wka_port->adapter->qdio;
+- struct zfcp_fsf_req *req = NULL;
++ struct zfcp_fsf_req *req;
+ int retval = -EIO;
+
+ spin_lock_irq(&qdio->req_q_lock);
+@@ -1667,7 +1667,7 @@ int zfcp_fsf_close_wka_port(struct zfcp_
+ zfcp_fsf_req_free(req);
+ out:
+ spin_unlock_irq(&qdio->req_q_lock);
+- if (req && !IS_ERR(req))
++ if (!retval)
+ zfcp_dbf_rec_run_wka("fscwp_1", wka_port, req->req_id);
+ return retval;
+ }
diff --git a/queue-4.4/series b/queue-4.4/series
index fc0a0e77a2b..d27d1f76679 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
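Review bot: `zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id)` still dereferences `req` after `spin_unlock_irq(&qdio->req_q_lock)`; once zfcp_fsf_req_send() has succeeded the request is in flight and, as far as I can tell from the hunk, may already have been completed and released by the time the trace reads req_id, so the `!retval` test closes the failed-send case but not this one. Safer is to capture the id while the lock is still held: a local `req_id` initialised to 0 next to `retval`, `else req_id = req->req_id;` after the `zfcp_fsf_req_free(req)` branch, and `zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req_id);` at the trace. The same applies to the "fscwp_1" trace in zfcp_fsf_close_wka_port() below. The middle of both functions lies outside the hunks.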
@@ -11,3 +11,10 @@ target-fix-compare_and_write-ref-leak-for-non-good-status.patch
 arm-8642-1-lpae-catch-pending-imprecise-abort-on-unmask.patch
 mac80211-fix-adding-of-mesh-vendor-ies.patch
 netvsc-set-maximum-gso-size-in-the-right-place.patch
+scsi-zfcp-fix-use-after-free-by-not-tracing-wka-port-open-close-on-failed-send.patch
+scsi-aacraid-fix-intx-msi-x-issue-with-older-controllers.patch
+scsi-mpt3sas-disable-aspm-for-mpi2-controllers.patch
+tick-nohz-fix-possible-missing-clock-reprog-after-tick-soft-restart.patch
+xen-netfront-delete-rx_refill_timer-in-xennet_disconnect_backend.patch
+alsa-seq-fix-race-at-creating-a-queue.patch
+alsa-seq-don-t-handle-loop-timeout-at-snd_seq_pool_done.patch
diff --git a/queue-4.4/tick-nohz-fix-possible-missing-clock-reprog-after-tick-soft-restart.patch b/queue-4.4/tick-nohz-fix-possible-missing-clock-reprog-after-tick-soft-restart.patch
new file mode 100644
index 00000000000..7b2ec5c2ed9
--- /dev/null
+++ b/queue-4.4/tick-nohz-fix-possible-missing-clock-reprog-after-tick-soft-restart.patch
@@ -0,0 +1,56 @@
+From 7bdb59f1ad474bd7161adc8f923cdef10f2638d1 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker
+Date: Tue, 7 Feb 2017 17:44:54 +0100
+Subject: tick/nohz: Fix possible missing clock reprog after tick soft restart
+
+From: Frederic Weisbecker
+
+commit 7bdb59f1ad474bd7161adc8f923cdef10f2638d1 upstream.
+
+ts->next_tick keeps track of the next tick deadline in order to optimize
+clock programmation on irq exit and avoid redundant clock device writes.
+
+Now if ts->next_tick missed an update, we may spuriously miss a clock
+reprog later as the nohz code is fooled by an obsolete next_tick value.
+
+This is what happens here on a specific path: when we observe an
+expired timer from the nohz update code on irq exit, we perform a soft
+tick restart which simply fires the closest possible tick without
+actually exiting the nohz mode and restoring a periodic state. But we
+forget to update ts->next_tick accordingly.
+
+As a result, after the next tick resulting from such soft tick restart,
+the nohz code sees a stale value on ts->next_tick which doesn't match
+the clock deadline that just expired. If that obsolete ts->next_tick
+value happens to collide with the actual next tick deadline to be
+scheduled, we may spuriously bypass the clock reprogramming. In the
+worst case, the tick may never fire again.
+
+Fix this with a ts->next_tick reset on soft tick restart.
+
+Signed-off-by: Frederic Weisbecker
+Reviewed: Wanpeng Li
+Acked-by: Rik van Riel
+Cc: Peter Zijlstra
+Link: http://lkml.kernel.org/r/1486485894-29173-1-git-send-email-fweisbec@gmail.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/time/tick-sched.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -613,6 +613,11 @@ static ktime_t tick_nohz_stop_sched_tick
+ if (delta == 0) {
+ /* Tick is stopped, but required now.
Enforce it */
+ tick_nohz_restart(ts, now);
++ /*
++ * Make sure next tick stop doesn't get fooled by past
++ * clock deadline
++ */
++ ts->next_tick = 0;
+ goto out;
+ }
+ }
diff --git a/queue-4.4/xen-netfront-delete-rx_refill_timer-in-xennet_disconnect_backend.patch b/queue-4.4/xen-netfront-delete-rx_refill_timer-in-xennet_disconnect_backend.patch
new file mode 100644
index 00000000000..82a3814f6fa
--- /dev/null
+++ b/queue-4.4/xen-netfront-delete-rx_refill_timer-in-xennet_disconnect_backend.patch
@@ -0,0 +1,42 @@
+From 74470954857c264168d2b5a113904cf0cfd27d18 Mon Sep 17 00:00:00 2001
+From: Boris Ostrovsky
+Date: Mon, 30 Jan 2017 12:45:46 -0500
+Subject: xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
+
+From: Boris Ostrovsky
+
+commit 74470954857c264168d2b5a113904cf0cfd27d18 upstream.
+
+rx_refill_timer should be deleted as soon as we disconnect from the
+backend since otherwise it is possible for the timer to go off before
+we get to xennet_destroy_queues(). If this happens we may dereference
+queue->rx.sring which is set to NULL in xennet_disconnect_backend().
+
+Signed-off-by: Boris Ostrovsky
+Reviewed-by: Juergen Gross
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/xen-netfront.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -1391,6 +1391,8 @@ static void xennet_disconnect_backend(st
+ for (i = 0; i < num_queues && info->queues; ++i) {
+ struct netfront_queue *queue = &info->queues[i];
+
++ del_timer_sync(&queue->rx_refill_timer);
++
+ if (queue->tx_irq && (queue->tx_irq == queue->rx_irq))
+ unbind_from_irqhandler(queue->tx_irq, queue);
+ if (queue->tx_irq && (queue->tx_irq != queue->rx_irq)) {
+@@ -1745,7 +1747,6 @@ static void xennet_destroy_queues(struct
+
+ if (netif_running(info->netdev))
+ napi_disable(&queue->napi);
+- del_timer_sync(&queue->rx_refill_timer);
+ netif_napi_del(&queue->napi);
+ }
+
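Review bot: The reset `ts->next_tick = 0;` is placed at this one call site of tick_nohz_restart(), so any other caller that leaves the tick stopped would still carry a stale cached deadline; if that cannot happen, the new comment should say why this site is the special one, e.g. `/* Soft restart: the clock was reprogrammed without leaving nohz, so the cached deadline no longer matches it. */`. It also relies on 0 never being a deadline the consumer of next_tick could compare equal to, which is worth stating where the field is declared rather than leaving implicit. tick_nohz_stop_sched_tick() begins before the hunk and continues past it.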
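Review bot: `del_timer_sync(&queue->rx_refill_timer)` now runs before the queue's irq is unbound and, as far as the hunk shows, before NAPI is disabled (that still happens in xennet_destroy_queues()), so a poll that is already running or queued can re-arm the timer after the synchronous deletion and reopen the window the commit closes. Worth confirming that nothing on the path between this loop and xennet_destroy_queues() re-arms rx_refill_timer, and recording the outcome next to the call: `/* NOTE(review): confirm no poll can re-arm rx_refill_timer once the irq below is unbound */`. Both xennet_disconnect_backend() and xennet_destroy_queues() begin before their hunks.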