From: Greg Kroah-Hartman
Date: Sat, 4 Feb 2017 10:22:24 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v3.18.48~21
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8d2b4fdd2dc060640b588448f54461029ad06b5a;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches added patches: ata-sata_mv-handle-return-value-of-devm_ioremap.patch libata-apply-max_sec_1024-to-all-cx1-jb-hp-devices.patch libata-fix-ata-request-sense.patch nfsd-fix-a-null-reference-case-in-find_or_create_lock_stateid.patch perf-core-fix-perf_record_mmap2-prot-flags-for-anonymous-memory.patch powerpc-add-missing-error-check-to-prom_find_boot_cpu.patch powerpc-eeh-fix-wrong-flag-passed-to-eeh_unfreeze_pe.patch svcrpc-fix-oops-in-absence-of-krb5-module.patch zswap-disable-changing-params-if-init-fails.patch
---
diff --git a/queue-4.4/ata-sata_mv-handle-return-value-of-devm_ioremap.patch b/queue-4.4/ata-sata_mv-handle-return-value-of-devm_ioremap.patch
new file mode 100644
index 00000000000..7723d97afd5
--- /dev/null
+++ b/queue-4.4/ata-sata_mv-handle-return-value-of-devm_ioremap.patch
@@ -0,0 +1,34 @@
+From 064c3db9c564cc5be514ac21fb4aa26cc33db746 Mon Sep 17 00:00:00 2001
+From: Arvind Yadav
+Date: Mon, 12 Dec 2016 23:13:27 +0530
+Subject: ata: sata_mv:- Handle return value of devm_ioremap.
+
+From: Arvind Yadav
+
+commit 064c3db9c564cc5be514ac21fb4aa26cc33db746 upstream.
+
+Here, If devm_ioremap will fail. It will return NULL.
+Then hpriv->base = NULL - 0x20000; Kernel can run into
+a NULL-pointer dereference. This error check will avoid
+NULL pointer dereference.
+
+Signed-off-by: Arvind Yadav
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/sata_mv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/ata/sata_mv.c
++++ b/drivers/ata/sata_mv.c
+@@ -4121,6 +4121,9 @@ static int mv_platform_probe(struct plat
+ host->iomap = NULL;
+ hpriv->base = devm_ioremap(&pdev->dev, res->start,
+ resource_size(res));
++ if (!hpriv->base)
++ return -ENOMEM;
++
+ hpriv->base -= SATAHC0_REG_BASE;
+
+ hpriv->clk = clk_get(&pdev->dev, NULL);
diff --git a/queue-4.4/libata-apply-max_sec_1024-to-all-cx1-jb-hp-devices.patch b/queue-4.4/libata-apply-max_sec_1024-to-all-cx1-jb-hp-devices.patch
new file mode 100644
index 00000000000..7a384a51e2c
--- /dev/null
+++ b/queue-4.4/libata-apply-max_sec_1024-to-all-cx1-jb-hp-devices.patch
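Review bot: In the queued sata_mv.c change, the line after the new NULL check, `hpriv->base -= SATAHC0_REG_BASE;`, still stores a pointer that lies below the mapped window, and nothing in the hunk says which offsets are then valid. The description's "NULL - 0x20000" shows why an unchecked mapping was dangerous, so the biasing deserves a comment next to the check, for example `/* base is biased by SATAHC0_REG_BASE: only register offsets at or above it fall inside the mapping */`. This presumes register offsets are expressed relative to the chip base, which should be confirmed against the register macros. mv_platform_probe starts and ends outside the hunk, so whether earlier steps need unwinding on this early return cannot be checked from here.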
@@ -0,0 +1,38 @@
+From e0edc8c546463f268d41d064d855bcff994c52fa Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Fri, 6 Jan 2017 11:48:50 -0500
+Subject: libata: apply MAX_SEC_1024 to all CX1-JB*-HP devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tejun Heo
+
+commit e0edc8c546463f268d41d064d855bcff994c52fa upstream.
+
+Marko reports that CX1-JB512-HP shows the same timeout issues as
+CX1-JB256-HP. Let's apply MAX_SEC_128 to all devices in the series.
+
+Signed-off-by: Tejun Heo
+Reported-by: Marko Koski-Vähälä
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/libata-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4139,10 +4139,10 @@ static const struct ata_blacklist_entry
+ { "ST380013AS", "3.20", ATA_HORKAGE_MAX_SEC_1024 },
+
+ /*
+- * Device times out with higher max sects.
++ * These devices time out with higher max sects.
+ * https://bugzilla.kernel.org/show_bug.cgi?id=121671
+ */
+- { "LITEON CX1-JB256-HP", NULL, ATA_HORKAGE_MAX_SEC_1024 },
++ { "LITEON CX1-JB*-HP", NULL, ATA_HORKAGE_MAX_SEC_1024 },
+
+ /* Devices we expect to fail diagnostics */
+
diff --git a/queue-4.4/libata-fix-ata-request-sense.patch b/queue-4.4/libata-fix-ata-request-sense.patch
new file mode 100644
index 00000000000..0a2e2aac659
--- /dev/null
+++ b/queue-4.4/libata-fix-ata-request-sense.patch
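Review bot: The description of the queued libata blacklist patch says "apply MAX_SEC_128" while the subject and the changed entry both use `ATA_HORKAGE_MAX_SEC_1024`, so a reader of the log cannot tell which limit was intended without opening the table. The new model string `"LITEON CX1-JB*-HP"` is a pattern rather than a literal name, and the comment above it does not say so. I would make the comment read ` * LITEON CX1-JB*-HP (whole series, matched by wildcard) time out with higher max sects.` so that a later edit does not mistake it for a single model. That the table matcher honours `*` is assumed here, since the lookup code is outside the hunk.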
@@ -0,0 +1,46 @@
+From 2dae99558e86894e9e5dbf097477baaa5eb70134 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Mon, 19 Dec 2016 10:17:40 +0900
+Subject: libata: Fix ATA request sense
+
+From: Damien Le Moal
+
+commit 2dae99558e86894e9e5dbf097477baaa5eb70134 upstream.
+
+For an ATA device supporting the sense data reporting feature set, a
+failed command will trigger the execution of ata_eh_request_sense if
+the result task file of the failed command has the ATA_SENSE bit set
+(sense data available bit). ata_eh_request_sense executes the REQUEST
+SENSE DATA EXT command to retrieve the sense data of the failed
+command. On success of REQUEST SENSE DATA EXT, the ATA_SENSE bit will
+NOT be set (the command succeeded) but ata_eh_request_sense
+nevertheless tests the availability of sense data by testing that bit
+presence in the result tf of the REQUEST SENSE DATA EXT command. This
+leads us to falsely assume that request sense data failed and to the
+warning message:
+
+atax.xx: request sense failed stat 50 emask 0
+
+Upon success of REQUEST SENSE DATA EXT, set the ATA_SENSE bit in the
+result task file command so that sense data can be returned by
+ata_eh_request_sense.
+
+Signed-off-by: Damien Le Moal
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/libata-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -1692,6 +1692,8 @@ unsigned ata_exec_internal_sg(struct ata
+
+ if (qc->err_mask & ~AC_ERR_OTHER)
+ qc->err_mask &= ~AC_ERR_OTHER;
++ } else if (qc->tf.command == ATA_CMD_REQ_SENSE_DATA) {
++ qc->result_tf.command |= ATA_SENSE;
+ }
+
+ /* finish up */
diff --git a/queue-4.4/nfsd-fix-a-null-reference-case-in-find_or_create_lock_stateid.patch b/queue-4.4/nfsd-fix-a-null-reference-case-in-find_or_create_lock_stateid.patch
new file mode 100644
index 00000000000..5cfca2ca350
--- /dev/null
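Review bot: The new `else if` branch in ata_exec_internal_sg writes `qc->result_tf.command |= ATA_SENSE;` with no comment, so the result taskfile silently stops being a plain copy of what the device returned. Anyone later reading `result_tf` as raw device status needs to know this bit is synthesized by the host for one specific command. I would add above the assignment `/* REQUEST SENSE DATA EXT succeeded: the device does not set ATA_SENSE on success, so mark sense data as available for ata_eh_request_sense() */`. The enclosing function begins and ends outside the hunk, so the condition guarding the first branch is not visible here.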
+++ b/queue-4.4/nfsd-fix-a-null-reference-case-in-find_or_create_lock_stateid.patch 
@@ -0,0 +1,127 @@
+From d19fb70dd68c4e960e2ac09b0b9c79dfdeefa726 Mon Sep 17 00:00:00 2001
+From: Kinglong Mee
+Date: Wed, 18 Jan 2017 19:04:42 +0800
+Subject: NFSD: Fix a null reference case in find_or_create_lock_stateid()
+
+From: Kinglong Mee
+
+commit d19fb70dd68c4e960e2ac09b0b9c79dfdeefa726 upstream.
+
+nfsd assigns the nfs4_free_lock_stateid to .sc_free in init_lock_stateid().
+
+If nfsd doesn't go through init_lock_stateid() and put stateid at end,
+there is a NULL reference to .sc_free when calling nfs4_put_stid(ns).
+
+This patch let the nfs4_stid.sc_free assignment to nfs4_alloc_stid().
+
+Fixes: 356a95ece7aa "nfsd: clean up races in lock stateid searching..."
+Signed-off-by: Kinglong Mee
+Reviewed-by: Jeff Layton
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfsd/nfs4layouts.c | 5 +++--
+ fs/nfsd/nfs4state.c | 19 ++++++++-----------
+ fs/nfsd/state.h | 4 ++--
+ 3 files changed, 13 insertions(+), 15 deletions(-)
+
+--- a/fs/nfsd/nfs4layouts.c
++++ b/fs/nfsd/nfs4layouts.c
+@@ -189,10 +189,11 @@ nfsd4_alloc_layout_stateid(struct nfsd4_
+ struct nfs4_layout_stateid *ls;
+ struct nfs4_stid *stp;
+
+- stp = nfs4_alloc_stid(cstate->clp, nfs4_layout_stateid_cache);
++ stp = nfs4_alloc_stid(cstate->clp, nfs4_layout_stateid_cache,
++ nfsd4_free_layout_stateid);
+ if (!stp)
+ return NULL;
+- stp->sc_free = nfsd4_free_layout_stateid;
++
+ get_nfs4_file(fp);
+ stp->sc_file = fp;
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -553,8 +553,8 @@ out:
+ return co;
+ }
+
+-struct nfs4_stid *nfs4_alloc_stid(struct nfs4_client *cl,
+- struct kmem_cache *slab)
++struct nfs4_stid *nfs4_alloc_stid(struct nfs4_client *cl, struct kmem_cache *slab,
++ void (*sc_free)(struct nfs4_stid *))
+ {
+ struct nfs4_stid *stid;
+ int new_id;
+@@ -570,6 +570,8 @@ struct nfs4_stid *nfs4_alloc_stid(struct
+ idr_preload_end();
+ if (new_id < 0)
+ goto out_free;
++
++ stid->sc_free = sc_free;
+ stid->sc_client = cl;
+ stid->sc_stateid.si_opaque.so_id = new_id;
+ stid->sc_stateid.si_opaque.so_clid = cl->cl_clientid;
+@@ -595,15 +597,12 @@ out_free:
+ static struct nfs4_ol_stateid * nfs4_alloc_open_stateid(struct nfs4_client *clp)
+ {
+ struct nfs4_stid *stid;
+- struct nfs4_ol_stateid *stp;
+
+- stid = nfs4_alloc_stid(clp, stateid_slab);
++ stid = nfs4_alloc_stid(clp, stateid_slab, nfs4_free_ol_stateid);
+ if (!stid)
+ return NULL;
+
+- stp = openlockstateid(stid);
+- stp->st_stid.sc_free = nfs4_free_ol_stateid;
+- return stp;
++ return openlockstateid(stid);
+ }
+
+ static void nfs4_free_deleg(struct nfs4_stid *stid)
+@@ -701,11 +700,10 @@ alloc_init_deleg(struct nfs4_client *clp
+ goto out_dec;
+ if (delegation_blocked(¤t_fh->fh_handle))
+ goto out_dec;
+- dp = delegstateid(nfs4_alloc_stid(clp, deleg_slab));
++ dp = delegstateid(nfs4_alloc_stid(clp, deleg_slab, nfs4_free_deleg));
+ if (dp == NULL)
+ goto out_dec;
+
+- dp->dl_stid.sc_free = nfs4_free_deleg;
+ /*
+ * delegation seqid's are never incremented. The 4.1 special
+ * meaning of seqid 0 isn't meaningful, really, but let's avoid
+@@ -5396,7 +5394,6 @@ init_lock_stateid(struct nfs4_ol_stateid
+ stp->st_stateowner = nfs4_get_stateowner(&lo->lo_owner);
+ get_nfs4_file(fp);
+ stp->st_stid.sc_file = fp;
+- stp->st_stid.sc_free = nfs4_free_lock_stateid;
+ stp->st_access_bmap = 0;
+ stp->st_deny_bmap = open_stp->st_deny_bmap;
+ stp->st_openstp = open_stp;
+@@ -5439,7 +5436,7 @@ find_or_create_lock_stateid(struct nfs4_
+ lst = find_lock_stateid(lo, fi);
+ if (lst == NULL) {
+ spin_unlock(&clp->cl_lock);
+- ns = nfs4_alloc_stid(clp, stateid_slab);
++ ns = nfs4_alloc_stid(clp, stateid_slab, nfs4_free_lock_stateid);
+ if (ns == NULL)
+ return NULL;
+
+--- a/fs/nfsd/state.h
++++ b/fs/nfsd/state.h
+@@ -583,8 +583,8 @@ extern __be32 nfs4_preprocess_stateid_op
+ __be32 nfsd4_lookup_stateid(struct nfsd4_compound_state *cstate,
+ stateid_t *stateid, unsigned char typemask,
+ struct nfs4_stid **s, struct nfsd_net *nn);
+-struct nfs4_stid *nfs4_alloc_stid(struct nfs4_client *cl,
+- struct kmem_cache *slab);
++struct nfs4_stid *nfs4_alloc_stid(struct nfs4_client *cl, struct kmem_cache *slab,
++ void (*sc_free)(struct nfs4_stid *));
+ void nfs4_unhash_stid(struct nfs4_stid *s);
+ void nfs4_put_stid(struct nfs4_stid *s);
+ void nfs4_inc_and_copy_stateid(stateid_t *dst, struct nfs4_stid *stid);
diff --git a/queue-4.4/perf-core-fix-perf_record_mmap2-prot-flags-for-anonymous-memory.patch b/queue-4.4/perf-core-fix-perf_record_mmap2-prot-flags-for-anonymous-memory.patch
new file mode 100644
index 00000000000..8afb9598d77
--- /dev/null
+++ b/queue-4.4/perf-core-fix-perf_record_mmap2-prot-flags-for-anonymous-memory.patch
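Review bot: The reworked nfs4_alloc_stid() in fs/nfsd/nfs4state.c stores its new `sc_free` argument with `stid->sc_free = sc_free;` but neither the definition nor the state.h prototype documents that the callback is mandatory. The description states that nfs4_put_stid() reaches through `.sc_free`, so a future caller passing NULL would reintroduce the same NULL function-pointer call on a path driven by client requests. I would add a short comment above the definition saying that `sc_free` must be non-NULL because nfs4_put_stid() invokes it to release the stateid, and repeat it on the prototype. All four call sites visible in these hunks pass a real function; callers elsewhere in the tree are not visible from here.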
@@ -0,0 +1,96 @@
+From 0b3589be9b98994ce3d5aeca52445d1f5627c4ba Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Thu, 26 Jan 2017 23:15:08 +0100
+Subject: perf/core: Fix PERF_RECORD_MMAP2 prot/flags for anonymous memory
+
+From: Peter Zijlstra
+
+commit 0b3589be9b98994ce3d5aeca52445d1f5627c4ba upstream.
+
+Andres reported that MMAP2 records for anonymous memory always have
+their protection field 0.
+
+Turns out, someone daft put the prot/flags generation code in the file
+branch, leaving them unset for anonymous memory.
+
+Reported-by: Andres Freund
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Alexander Shishkin
+Cc: Arnaldo Carvalho de Melo
+Cc: Don Zickus
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Stephane Eranian
+Cc: Thomas Gleixner
+Cc: acme@kernel.org
+Cc: anton@ozlabs.org
+Cc: namhyung@kernel.org
+Fixes: f972eb63b100 ("perf: Pass protection and flags bits through mmap2 interface")
+Link: http://lkml.kernel.org/r/20170126221508.GF6536@twins.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/events/core.c | 42 +++++++++++++++++++++---------------------
+ 1 file changed, 21 insertions(+), 21 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -6039,6 +6039,27 @@ static void perf_event_mmap_event(struct
+ char *buf = NULL;
+ char *name;
+
++ if (vma->vm_flags & VM_READ)
++ prot |= PROT_READ;
++ if (vma->vm_flags & VM_WRITE)
++ prot |= PROT_WRITE;
++ if (vma->vm_flags & VM_EXEC)
++ prot |= PROT_EXEC;
++
++ if (vma->vm_flags & VM_MAYSHARE)
++ flags = MAP_SHARED;
++ else
++ flags = MAP_PRIVATE;
++
++ if (vma->vm_flags & VM_DENYWRITE)
++ flags |= MAP_DENYWRITE;
++ if (vma->vm_flags & VM_MAYEXEC)
++ flags |= MAP_EXECUTABLE;
++ if (vma->vm_flags & VM_LOCKED)
++ flags |= MAP_LOCKED;
++ if (vma->vm_flags & VM_HUGETLB)
++ flags |= MAP_HUGETLB;
++
+ if (file) {
+ struct inode *inode;
+ dev_t dev;
+@@ -6065,27 +6086,6 @@ static void perf_event_mmap_event(struct
+ maj = MAJOR(dev);
+ min = MINOR(dev);
+
+- if (vma->vm_flags & VM_READ)
+- prot |= PROT_READ;
+- if (vma->vm_flags & VM_WRITE)
+- prot |= PROT_WRITE;
+- if (vma->vm_flags & VM_EXEC)
+- prot |= PROT_EXEC;
+-
+- if (vma->vm_flags & VM_MAYSHARE)
+- flags = MAP_SHARED;
+- else
+- flags = MAP_PRIVATE;
+-
+- if (vma->vm_flags & VM_DENYWRITE)
+- flags |= MAP_DENYWRITE;
+- if (vma->vm_flags & VM_MAYEXEC)
+- flags |= MAP_EXECUTABLE;
+- if (vma->vm_flags & VM_LOCKED)
+- flags |= MAP_LOCKED;
+- if (vma->vm_flags & VM_HUGETLB)
+- flags |= MAP_HUGETLB;
+-
+ goto got_name;
+ } else {
+ if (vma->vm_ops && vma->vm_ops->name) {
diff --git a/queue-4.4/powerpc-add-missing-error-check-to-prom_find_boot_cpu.patch b/queue-4.4/powerpc-add-missing-error-check-to-prom_find_boot_cpu.patch
new file mode 100644
index 00000000000..34ab0d69a82
--- /dev/null
+++ b/queue-4.4/powerpc-add-missing-error-check-to-prom_find_boot_cpu.patch
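Review bot: The block moved to the top of perf_event_mmap_event carries no comment saying why it sits ahead of `if (file) {`, and that placement is exactly what went wrong before. A one-line comment such as `/* prot/flags come from the VMA itself, so compute them for file-backed and anonymous mappings alike */` would keep a later cleanup from folding it back into the file branch. The moved code also depends on `prot` starting at zero, because it only ever uses `prot |=`. The declarations of `prot` and `flags` are above the hunk, so their initializers should be confirmed when applying this to the 4.4 tree.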
@@ -0,0 +1,49 @@
+From af2b7fa17eb92e52b65f96604448ff7a2a89ee99 Mon Sep 17 00:00:00 2001
+From: Darren Stevens
+Date: Mon, 23 Jan 2017 19:42:54 +0000
+Subject: powerpc: Add missing error check to prom_find_boot_cpu()
+
+From: Darren Stevens
+
+commit af2b7fa17eb92e52b65f96604448ff7a2a89ee99 upstream.
+
+prom_init.c calls 'instance-to-package' twice, but the return
+is not checked during prom_find_boot_cpu(). The result is then
+passed to prom_getprop(), which could be PROM_ERROR. Add a return check
+to prevent this.
+
+This was found on a pasemi system, where CFE doesn't have a working
+'instance-to package' prom call.
+
+Before Commit 5c0484e25ec0 ('powerpc: Endian safe trampoline') the area
+around addr 0 was mostly 0's and this doesn't cause a problem. Once the
+macro 'FIXUP_ENDIAN' has been added to head_64.S, the low memory area
+now has non-zero values, which cause the prom_getprop() call
+to hang.
+
+mpe: Also confirmed that under SLOF if 'instance-to-package' did fail
+with PROM_ERROR we would crash in SLOF. So the bug is not specific to
+CFE, it's just that other open firmwares don't trigger it because they
+have a working 'instance-to-package'.
+
+Fixes: 5c0484e25ec0 ("powerpc: Endian safe trampoline")
+Signed-off-by: Darren Stevens
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/prom_init.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/kernel/prom_init.c
++++ b/arch/powerpc/kernel/prom_init.c
+@@ -2664,6 +2664,9 @@ static void __init prom_find_boot_cpu(vo
+
+ cpu_pkg = call_prom("instance-to-package", 1, 1, prom_cpu);
+
++ if (!PHANDLE_VALID(cpu_pkg))
++ return;
++
+ prom_getprop(cpu_pkg, "reg", &rval, sizeof(rval));
+ prom.cpu = be32_to_cpu(rval);
+
diff --git a/queue-4.4/powerpc-eeh-fix-wrong-flag-passed-to-eeh_unfreeze_pe.patch b/queue-4.4/powerpc-eeh-fix-wrong-flag-passed-to-eeh_unfreeze_pe.patch
new file mode 100644
index 00000000000..f0889216ada
--- /dev/null
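Review bot: The new early `return;` in prom_find_boot_cpu leaves `prom.cpu` unassigned and gives no indication that firmware rejected the call, so a wrong boot-CPU id later on would be hard to trace back to this path. I would document the bail-out in place with `/* instance-to-package can fail (e.g. CFE); leave prom.cpu at its previous value rather than pass PROM_ERROR to prom_getprop() */`. What value `prom.cpu` holds at that point, and how the rest of the function uses it, is outside the hunk. The return value of the `prom_getprop()` call that follows is still ignored in the lines shown.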
+++ b/queue-4.4/powerpc-eeh-fix-wrong-flag-passed-to-eeh_unfreeze_pe.patch
@@ -0,0 +1,38 @@
+From f05fea5b3574a5926c53865eea27139bb40b2f2b Mon Sep 17 00:00:00 2001
+From: Gavin Shan
+Date: Thu, 19 Jan 2017 10:10:16 +1100
+Subject: powerpc/eeh: Fix wrong flag passed to eeh_unfreeze_pe()
+
+From: Gavin Shan
+
+commit f05fea5b3574a5926c53865eea27139bb40b2f2b upstream.
+
+In __eeh_clear_pe_frozen_state(), we should pass the flag's value
+instead of its address to eeh_unfreeze_pe(). The isolated flag is
+cleared if no error returned from __eeh_clear_pe_frozen_state(). We
+never observed the error from the function. So the isolated flag should
+have been always cleared, no real issue is caused because of the misused
+@flag.
+
+This fixes the code by passing the value of @flag to eeh_unfreeze_pe().
+
+Fixes: 5cfb20b96f6 ("powerpc/eeh: Emulate EEH recovery for VFIO devices")
+Signed-off-by: Gavin Shan
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/eeh_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/eeh_driver.c
++++ b/arch/powerpc/kernel/eeh_driver.c
+@@ -485,7 +485,7 @@ static void *eeh_pe_detach_dev(void *dat
+ static void *__eeh_clear_pe_frozen_state(void *data, void *flag)
+ {
+ struct eeh_pe *pe = (struct eeh_pe *)data;
+- bool *clear_sw_state = flag;
++ bool clear_sw_state = *(bool *)flag;
+ int i, rc = 1;
+
+ for (i = 0; rc && i < 3; i++)
diff --git a/queue-4.4/series b/queue-4.4/series
index e038dc002f6..6a44e5e2de4 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
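Review bot: The new initializer `bool clear_sw_state = *(bool *)flag;` in __eeh_clear_pe_frozen_state dereferences an untyped `void *flag` unconditionally, and nothing on the function says what the caller must pass. The original bug was precisely a confusion between the pointer and the pointed-to value, so the contract is worth stating: `/* @flag: pointer to a bool owned by the caller, never NULL */`. The traversal helper that supplies `flag` is outside the hunk, so the non-NULL assumption has to be confirmed against the callers. The function body continues past the last line shown.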
@@ -4,3 +4,12 @@ drm-nouveau-disp-gt215-fix-hda-eld-handling-thus-hdmi-audio-on-gt215.patch
 drm-nouveau-nv1a-nv1f-disp-fix-memory-clock-rate-retrieval.patch
 crypto-api-clear-crypto_alg_dead-bit-before-registering-an-alg.patch
 crypto-arm64-aes-blk-honour-iv_out-requirement-in-cbc-and-ctr-modes.patch
+perf-core-fix-perf_record_mmap2-prot-flags-for-anonymous-memory.patch
+ata-sata_mv-handle-return-value-of-devm_ioremap.patch
+libata-apply-max_sec_1024-to-all-cx1-jb-hp-devices.patch
+libata-fix-ata-request-sense.patch
+powerpc-eeh-fix-wrong-flag-passed-to-eeh_unfreeze_pe.patch
+powerpc-add-missing-error-check-to-prom_find_boot_cpu.patch
+nfsd-fix-a-null-reference-case-in-find_or_create_lock_stateid.patch
+svcrpc-fix-oops-in-absence-of-krb5-module.patch
+zswap-disable-changing-params-if-init-fails.patch
diff --git a/queue-4.4/svcrpc-fix-oops-in-absence-of-krb5-module.patch b/queue-4.4/svcrpc-fix-oops-in-absence-of-krb5-module.patch
new file mode 100644
index 00000000000..09b68f7bfd6
--- /dev/null
+++ b/queue-4.4/svcrpc-fix-oops-in-absence-of-krb5-module.patch
@@ -0,0 +1,64 @@
+From 034dd34ff4916ec1f8f74e39ca3efb04eab2f791 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields"
+Date: Tue, 31 Jan 2017 11:37:50 -0500
+Subject: svcrpc: fix oops in absence of krb5 module
+
+From: J. Bruce Fields
+
+commit 034dd34ff4916ec1f8f74e39ca3efb04eab2f791 upstream.
+
+Olga Kornievskaia says: "I ran into this oops in the nfsd (below)
+(4.10-rc3 kernel). To trigger this I had a client (unsuccessfully) try
+to mount the server with krb5 where the server doesn't have the
+rpcsec_gss_krb5 module built."
+
+The problem is that rsci.cred is copied from a svc_cred structure that
+gss_proxy didn't properly initialize. Fix that.
+
+[120408.542387] general protection fault: 0000 [#1] SMP
+...
+[120408.565724] CPU: 0 PID: 3601 Comm: nfsd Not tainted 4.10.0-rc3+ #16
+[120408.567037] Hardware name: VMware, Inc. VMware Virtual =
+Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
+[120408.569225] task: ffff8800776f95c0 task.stack: ffffc90003d58000
+[120408.570483] RIP: 0010:gss_mech_put+0xb/0x20 [auth_rpcgss]
+...
+[120408.584946] ? rsc_free+0x55/0x90 [auth_rpcgss]
+[120408.585901] gss_proxy_save_rsc+0xb2/0x2a0 [auth_rpcgss]
+[120408.587017] svcauth_gss_proxy_init+0x3cc/0x520 [auth_rpcgss]
+[120408.588257] ? __enqueue_entity+0x6c/0x70
+[120408.589101] svcauth_gss_accept+0x391/0xb90 [auth_rpcgss]
+[120408.590212] ? try_to_wake_up+0x4a/0x360
+[120408.591036] ? wake_up_process+0x15/0x20
+[120408.592093] ? svc_xprt_do_enqueue+0x12e/0x2d0 [sunrpc]
+[120408.593177] svc_authenticate+0xe1/0x100 [sunrpc]
+[120408.594168] svc_process_common+0x203/0x710 [sunrpc]
+[120408.595220] svc_process+0x105/0x1c0 [sunrpc]
+[120408.596278] nfsd+0xe9/0x160 [nfsd]
+[120408.597060] kthread+0x101/0x140
+[120408.597734] ? nfsd_destroy+0x60/0x60 [nfsd]
+[120408.598626] ? kthread_park+0x90/0x90
+[120408.599448] ret_from_fork+0x22/0x30
+
+Fixes: 1d658336b05f "SUNRPC: Add RPC based upcall mechanism for RPCGSS auth"
+Cc: Simo Sorce
+Reported-by: Olga Kornievskaia
+Tested-by: Olga Kornievskaia
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/auth_gss/gss_rpc_xdr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c
++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
+@@ -260,7 +260,7 @@ static int gssx_dec_option_array(struct
+ if (!oa->data)
+ return -ENOMEM;
+
+- creds = kmalloc(sizeof(struct svc_cred), GFP_KERNEL);
++ creds = kzalloc(sizeof(struct svc_cred), GFP_KERNEL);
+ if (!creds) {
+ kfree(oa->data);
+ return -ENOMEM;
diff --git a/queue-4.4/zswap-disable-changing-params-if-init-fails.patch b/queue-4.4/zswap-disable-changing-params-if-init-fails.patch
new file mode 100644
index 00000000000..8535048b653
--- /dev/null
+++ b/queue-4.4/zswap-disable-changing-params-if-init-fails.patch
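Review bot: The switch to `kzalloc` in gssx_dec_option_array is the whole fix, yet the line gives no hint that zeroing is load-bearing, so a later "kmalloc is enough here" cleanup would bring the oops back. The trace in the description shows the release path (`rsc_free` calling `gss_mech_put`) following pointer members of the copied credential, so I would add `/* must be zeroed: the cred release path follows pointer members that decoding may never fill in */`. As a style point the allocation would be more robust as `creds = kzalloc(sizeof(*creds), GFP_KERNEL);`, which ties the size to the variable. The allocation of `oa->data` just above the hunk is not visible, so whether it needs the same treatment cannot be judged from here.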
@@ -0,0 +1,122 @@
+From d7b028f56a971a2e4d8d7887540a144eeefcd4ab Mon Sep 17 00:00:00 2001
+From: Dan Streetman
+Date: Fri, 3 Feb 2017 13:13:09 -0800
+Subject: zswap: disable changing params if init fails
+
+From: Dan Streetman
+
+commit d7b028f56a971a2e4d8d7887540a144eeefcd4ab upstream.
+
+Add zswap_init_failed bool that prevents changing any of the module
+params, if init_zswap() fails, and set zswap_enabled to false. Change
+'enabled' param to a callback, and check zswap_init_failed before
+allowing any change to 'enabled', 'zpool', or 'compressor' params.
+
+Any driver that is built-in to the kernel will not be unloaded if its
+init function returns error, and its module params remain accessible for
+users to change via sysfs. Since zswap uses param callbacks, which
+assume that zswap has been initialized, changing the zswap params after
+a failed initialization will result in WARNING due to the param
+callbacks expecting a pool to already exist. This prevents that by
+immediately exiting any of the param callbacks if initialization failed.
+
+This was reported here:
+ https://marc.info/?l=linux-mm&m=147004228125528&w=4
+
+And fixes this WARNING:
+ [ 429.723476] WARNING: CPU: 0 PID: 5140 at mm/zswap.c:503 __zswap_pool_current+0x56/0x60
+
+The warning is just noise, and not serious. However, when init fails,
+zswap frees all its percpu dstmem pages and its kmem cache. The kmem
+cache might be serious, if kmem_cache_alloc(NULL, gfp) has problems; but
+the percpu dstmem pages are definitely a problem, as they're used as
+temporary buffer for compressed pages before copying into place in the
+zpool.
+
+If the user does get zswap enabled after an init failure, then zswap
+will likely Oops on the first page it tries to compress (or worse, start
+corrupting memory).
+
+Fixes: 90b0fc26d5db ("zswap: change zpool/compressor at runtime")
+Link: http://lkml.kernel.org/r/20170124200259.16191-2-ddstreet@ieee.org
+Signed-off-by: Dan Streetman
+Reported-by: Marcin Miroslaw
+Cc: Seth Jennings
+Cc: Michal Hocko
+Cc: Sergey Senozhatsky
+Cc: Minchan Kim
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/zswap.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+--- a/mm/zswap.c
++++ b/mm/zswap.c
+@@ -78,7 +78,13 @@ static u64 zswap_duplicate_entry;
+
+ /* Enable/disable zswap (disabled by default) */
+ static bool zswap_enabled;
+-module_param_named(enabled, zswap_enabled, bool, 0644);
++static int zswap_enabled_param_set(const char *,
++ const struct kernel_param *);
++static struct kernel_param_ops zswap_enabled_param_ops = {
++ .set = zswap_enabled_param_set,
++ .get = param_get_bool,
++};
++module_param_cb(enabled, &zswap_enabled_param_ops, &zswap_enabled, 0644);
+
+ /* Crypto compressor to use */
+ #define ZSWAP_COMPRESSOR_DEFAULT "lzo"
+@@ -176,6 +182,9 @@ static atomic_t zswap_pools_count = ATOM
+ /* used by param callback function */
+ static bool zswap_init_started;
+
++/* fatal error during init */
++static bool zswap_init_failed;
++
+ /*********************************
+ * helpers and fwd declarations
+ **********************************/
+@@ -702,6 +711,11 @@ static int __zswap_param_set(const char
+ char *s = strstrip((char *)val);
+ int ret;
+
++ if (zswap_init_failed) {
++ pr_err("can't set param, initialization failed\n");
++ return -ENODEV;
++ }
++
+ /* no change required */
+ if (!strcmp(s, *(char **)kp->arg))
+ return 0;
+@@ -781,6 +795,17 @@ static int zswap_zpool_param_set(const c
+ return __zswap_param_set(val, kp, NULL, zswap_compressor);
+ }
+
++static int zswap_enabled_param_set(const char *val,
++ const struct kernel_param *kp)
++{
++ if (zswap_init_failed) {
++ pr_err("can't enable, initialization failed\n");
++ return -ENODEV;
++ }
++
++ return param_set_bool(val, kp);
++}
++
+ /*********************************
+ * writeback code
+ **********************************/
+@@ -1267,6 +1292,9 @@ pool_fail:
+ dstmem_fail:
+ zswap_entry_cache_destroy();
+ cache_fail:
++ /* if built-in, we aren't unloaded on failure; don't allow use */
++ zswap_init_failed = true;
++ zswap_enabled = false;
+ return -ENOMEM;
+ }
+ /* must be late so crypto has time to come up */
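Review bot: The new callback table in mm/zswap.c is declared writable, `static struct kernel_param_ops zswap_enabled_param_ops = {`, although nothing in the patch modifies it after definition. A table of function pointers is better kept in read-only data, so I would declare it `static const struct kernel_param_ops zswap_enabled_param_ops = {`, provided `module_param_cb()` on this tree takes a pointer to const. Separately, in the init failure path the flag is set at `cache_fail:` only after `zswap_entry_cache_destroy()` and the earlier teardown labels have run, so a parameter write arriving in that window would still pass the `zswap_init_failed` check. Whether sysfs writes can occur that early depends on initcall ordering outside the hunk, but setting the flag before the teardown begins, or noting in a comment why the order is safe, would close the question.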