From: Greg Kroah-Hartman Date: Sun, 4 Dec 2016 11:45:04 +0000 (+0100) Subject: 4.8-stable patches X-Git-Tag: v4.8.13~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a8c960bd2fb8f5c1c25e46b7fce73d11aac0876a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.8-stable patches added patches: mm-workingset-fix-null-ptr-in-count_shadow_nodes.patch mwifiex-printk-overflow-with-32-byte-ssids.patch pci-set-read-completion-boundary-to-128-iff-root-port-supports-it-_hpx.patch --- diff --git a/queue-4.8/mm-workingset-fix-null-ptr-in-count_shadow_nodes.patch b/queue-4.8/mm-workingset-fix-null-ptr-in-count_shadow_nodes.patch new file mode 100644 index 00000000000..9698c45e063 --- /dev/null +++ b/queue-4.8/mm-workingset-fix-null-ptr-in-count_shadow_nodes.patch @@ -0,0 +1,79 @@ +From 20ab67a563f5299c09a234164c372aba5a59add8 Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Fri, 2 Dec 2016 17:26:45 -0800 +Subject: mm: workingset: fix NULL ptr in count_shadow_nodes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Hocko + +commit 20ab67a563f5299c09a234164c372aba5a59add8 upstream. + +Commit 0a6b76dd23fa ("mm: workingset: make shadow node shrinker memcg +aware") has made the workingset shadow nodes shrinker memcg aware. The +implementation is not correct though because memcg_kmem_enabled() might +become true while we are doing a global reclaim when the sc->memcg might +be NULL which is exactly what Marek has seen: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000400 + IP: [] mem_cgroup_node_nr_lru_pages+0x20/0x40 + PGD 0 + Oops: 0000 [#1] SMP + CPU: 0 PID: 60 Comm: kswapd0 Tainted: G O 4.8.10-12.pvops.qubes.x86_64 #1 + task: ffff880011863b00 task.stack: ffff880011868000 + RIP: mem_cgroup_node_nr_lru_pages+0x20/0x40 + RSP: e02b:ffff88001186bc70 EFLAGS: 00010293 + RAX: 0000000000000000 RBX: ffff88001186bd20 RCX: 0000000000000002 + RDX: 000000000000000c RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ffff88001186bc70 R08: 28f5c28f5c28f5c3 R09: 0000000000000000 + R10: 0000000000006c34 R11: 0000000000000333 R12: 00000000000001f6 + R13: ffffffff81c6f6a0 R14: 0000000000000000 R15: 0000000000000000 + FS: 0000000000000000(0000) GS:ffff880013c00000(0000) knlGS:ffff880013d00000 + CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000400 CR3: 00000000122f2000 CR4: 0000000000042660 + Call Trace: + count_shadow_nodes+0x9a/0xa0 + shrink_slab.part.42+0x119/0x3e0 + shrink_node+0x22c/0x320 + kswapd+0x32c/0x700 + kthread+0xd8/0xf0 + ret_from_fork+0x1f/0x40 + Code: 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 3b 35 dd eb b1 00 55 48 89 e5 73 2c 89 d2 31 c9 31 c0 4c 63 ce 48 0f a3 ca 73 13 <4a> 8b b4 cf 00 04 00 00 41 89 c8 4a 03 84 c6 80 00 00 00 83 c1 + RIP mem_cgroup_node_nr_lru_pages+0x20/0x40 + RSP + CR2: 0000000000000400 + ---[ end trace 100494b9edbdfc4d ]--- + +This patch fixes the issue by checking sc->memcg rather than +memcg_kmem_enabled() which is sufficient because shrink_slab makes sure +that only memcg aware shrinkers will get non-NULL memcgs and only if +memcg_kmem_enabled is true. + +Fixes: 0a6b76dd23fa ("mm: workingset: make shadow node shrinker memcg aware") +Link: http://lkml.kernel.org/r/20161201132156.21450-1-mhocko@kernel.org +Signed-off-by: Michal Hocko +Reported-by: Marek Marczykowski-Górecki +Tested-by: Marek Marczykowski-Górecki +Acked-by: Vladimir Davydov +Acked-by: Johannes Weiner +Acked-by: Balbir Singh +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/workingset.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/workingset.c ++++ b/mm/workingset.c +@@ -348,7 +348,7 @@ static unsigned long count_shadow_nodes( + shadow_nodes = list_lru_shrink_count(&workingset_shadow_nodes, sc); + local_irq_enable(); + +- if (memcg_kmem_enabled()) { ++ if (sc->memcg) { + pages = mem_cgroup_node_nr_lru_pages(sc->memcg, sc->nid, + LRU_ALL_FILE); + } else { diff --git a/queue-4.8/mwifiex-printk-overflow-with-32-byte-ssids.patch b/queue-4.8/mwifiex-printk-overflow-with-32-byte-ssids.patch new file mode 100644 index 00000000000..9d9c30c5419 --- /dev/null +++ b/queue-4.8/mwifiex-printk-overflow-with-32-byte-ssids.patch @@ -0,0 +1,65 @@ +From fcd2042e8d36cf644bd2d69c26378d17158b17df Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Tue, 8 Nov 2016 18:28:24 -0800 +Subject: mwifiex: printk() overflow with 32-byte SSIDs + +From: Brian Norris + +commit fcd2042e8d36cf644bd2d69c26378d17158b17df upstream. + +SSIDs aren't guaranteed to be 0-terminated. Let's cap the max length +when we print them out. + +This can be easily noticed by connecting to a network with a 32-octet +SSID: + +[ 3903.502925] mwifiex_pcie 0000:01:00.0: info: trying to associate to +'0123456789abcdef0123456789abcdef ' bssid +xx:xx:xx:xx:xx:xx + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Signed-off-by: Brian Norris +Acked-by: Amitkumar Karwar +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/mwifiex/cfg80211.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -2203,8 +2203,9 @@ done: + is_scanning_required = 1; + } else { + mwifiex_dbg(priv->adapter, MSG, +- "info: trying to associate to '%s' bssid %pM\n", +- (char *)req_ssid.ssid, bss->bssid); ++ "info: trying to associate to '%.*s' bssid %pM\n", ++ req_ssid.ssid_len, (char *)req_ssid.ssid, ++ bss->bssid); + memcpy(&priv->cfg_bssid, bss->bssid, ETH_ALEN); + break; + } +@@ -2264,8 +2265,8 @@ mwifiex_cfg80211_connect(struct wiphy *w + } + + mwifiex_dbg(adapter, INFO, +- "info: Trying to associate to %s and bssid %pM\n", +- (char *)sme->ssid, sme->bssid); ++ "info: Trying to associate to %.*s and bssid %pM\n", ++ (int)sme->ssid_len, (char *)sme->ssid, sme->bssid); + + if (!mwifiex_stop_bg_scan(priv)) + cfg80211_sched_scan_stopped_rtnl(priv->wdev.wiphy); +@@ -2398,8 +2399,8 @@ mwifiex_cfg80211_join_ibss(struct wiphy + } + + mwifiex_dbg(priv->adapter, MSG, +- "info: trying to join to %s and bssid %pM\n", +- (char *)params->ssid, params->bssid); ++ "info: trying to join to %.*s and bssid %pM\n", ++ params->ssid_len, (char *)params->ssid, params->bssid); + + mwifiex_set_ibss_params(priv, params); + diff --git a/queue-4.8/pci-set-read-completion-boundary-to-128-iff-root-port-supports-it-_hpx.patch b/queue-4.8/pci-set-read-completion-boundary-to-128-iff-root-port-supports-it-_hpx.patch new file mode 100644 index 00000000000..496dbbaf48a --- /dev/null +++ b/queue-4.8/pci-set-read-completion-boundary-to-128-iff-root-port-supports-it-_hpx.patch @@ -0,0 +1,120 @@ +From e42010d8207f9d15a605ceb8e321bcd9648071b0 Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Wed, 23 Nov 2016 10:56:28 -0600 +Subject: PCI: Set Read Completion Boundary to 128 iff Root Port supports it (_HPX) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Johannes Thumshirn + +commit e42010d8207f9d15a605ceb8e321bcd9648071b0 upstream. + +Per PCIe spec r3.0, sec 2.3.1.1, the Read Completion Boundary (RCB) +determines the naturally aligned address boundaries on which a Read Request +may be serviced with multiple Completions: + + - For a Root Complex, RCB is 64 bytes or 128 bytes + This value is reported in the Link Control Register + + Note: Bridges and Endpoints may implement a corresponding command bit + which may be set by system software to indicate the RCB value for the + Root Complex, allowing the Bridge/Endpoint to optimize its behavior + when the Root Complex’s RCB is 128 bytes. + + - For all other system elements, RCB is 128 bytes + +Per sec 7.8.7, if a Root Port only supports a 64-byte RCB, the RCB of all +downstream devices must be clear, indicating an RCB of 64 bytes. If the +Root Port supports a 128-byte RCB, we may optionally set the RCB of +downstream devices so they know they can generate larger Completions. + +Some BIOSes supply an _HPX that tells us to set RCB, even though the Root +Port doesn't have RCB set, which may lead to Malformed TLP errors if the +Endpoint generates completions larger than the Root Port can handle. + +The IBM x3850 X6 with BIOS version -[A8E120CUS-1.30]- 08/22/2016 supplies +such an _HPX and a Mellanox MT27500 ConnectX-3 device fails to initialize: + + mlx4_core 0000:41:00.0: command 0xfff timed out (go bit not cleared) + mlx4_core 0000:41:00.0: device is going to be reset + mlx4_core 0000:41:00.0: Failed to obtain HW semaphore, aborting + mlx4_core 0000:41:00.0: Fail to reset HCA + ------------[ cut here ]------------ + kernel BUG at drivers/net/ethernet/mellanox/mlx4/catas.c:193! + +After 6cd33649fa83 ("PCI: Add pci_configure_device() during enumeration") +and 7a1562d4f2d0 ("PCI: Apply _HPX Link Control settings to all devices +with a link"), we apply _HPX settings to *all* devices, not just those +hot-added after boot. + +Before 7a1562d4f2d0, we didn't touch the Mellanox RCB, and the device +worked. After 7a1562d4f2d0, we set its RCB to 128, and it failed. + +Set the RCB to 128 iff the Root Port supports a 128-byte RCB. Otherwise, +set RCB to 64 bytes. This effectively ignores what _HPX tells us about +RCB. + +Note that this change only affects _HPX handling. If we have no _HPX, this +does nothing with RCB. + +[bhelgaas: changelog, clear RCB if not set for Root Port] +Fixes: 6cd33649fa83 ("PCI: Add pci_configure_device() during enumeration") +Fixes: 7a1562d4f2d0 ("PCI: Apply _HPX Link Control settings to all devices with a link") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=187781 +Tested-by: Frank Danapfel +Signed-off-by: Johannes Thumshirn +Signed-off-by: Bjorn Helgaas +Acked-by: Myron Stowe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/probe.c | 28 +++++++++++++++++++++++++++- + 1 file changed, 27 insertions(+), 1 deletion(-) + +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -1439,6 +1439,21 @@ static void program_hpp_type1(struct pci + dev_warn(&dev->dev, "PCI-X settings not supported\n"); + } + ++static bool pcie_root_rcb_set(struct pci_dev *dev) ++{ ++ struct pci_dev *rp = pcie_find_root_port(dev); ++ u16 lnkctl; ++ ++ if (!rp) ++ return false; ++ ++ pcie_capability_read_word(rp, PCI_EXP_LNKCTL, &lnkctl); ++ if (lnkctl & PCI_EXP_LNKCTL_RCB) ++ return true; ++ ++ return false; ++} ++ + static void program_hpp_type2(struct pci_dev *dev, struct hpp_type2 *hpp) + { + int pos; +@@ -1468,9 +1483,20 @@ static void program_hpp_type2(struct pci + ~hpp->pci_exp_devctl_and, hpp->pci_exp_devctl_or); + + /* Initialize Link Control Register */ +- if (pcie_cap_has_lnkctl(dev)) ++ if (pcie_cap_has_lnkctl(dev)) { ++ ++ /* ++ * If the Root Port supports Read Completion Boundary of ++ * 128, set RCB to 128. Otherwise, clear it. ++ */ ++ hpp->pci_exp_lnkctl_and |= PCI_EXP_LNKCTL_RCB; ++ hpp->pci_exp_lnkctl_or &= ~PCI_EXP_LNKCTL_RCB; ++ if (pcie_root_rcb_set(dev)) ++ hpp->pci_exp_lnkctl_or |= PCI_EXP_LNKCTL_RCB; ++ + pcie_capability_clear_and_set_word(dev, PCI_EXP_LNKCTL, + ~hpp->pci_exp_lnkctl_and, hpp->pci_exp_lnkctl_or); ++ } + + /* Find Advanced Error Reporting Enhanced Capability */ + pos = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ERR); diff --git a/queue-4.8/series b/queue-4.8/series index c0dbb501dc6..0fa675448fc 100644 --- a/queue-4.8/series +++ b/queue-4.8/series @@ -12,3 +12,6 @@ ovl-fix-d_real-for-stacked-fs.patch input-change-key_data-from-0x275-to-0x277.patch input-psmouse-disable-automatic-probing-of-byd-touchpads.patch rcu-fix-soft-lockup-for-rcu_nocb_kthread.patch +mm-workingset-fix-null-ptr-in-count_shadow_nodes.patch +pci-set-read-completion-boundary-to-128-iff-root-port-supports-it-_hpx.patch +mwifiex-printk-overflow-with-32-byte-ssids.patch