From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 10 Sep 2017 11:37:30 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v3.18.71~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b1ee3ab8cb306eb693f34ff8786f9e1aff3c54e9;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	alsa-msnd-optimize-harden-dsp-and-midi-loops.patch
	btrfs-resume-qgroup-rescan-on-rw-remount.patch
	locktorture-fix-potential-memory-leak-with-rw-lock-test.patch
---

diff --git a/queue-4.4/alsa-msnd-optimize-harden-dsp-and-midi-loops.patch b/queue-4.4/alsa-msnd-optimize-harden-dsp-and-midi-loops.patch
new file mode 100644
index 00000000000..abc8b2bece7
--- /dev/null
+++ b/queue-4.4/alsa-msnd-optimize-harden-dsp-and-midi-loops.patch
@@ -0,0 +1,106 @@
+From 20e2b791796bd68816fa115f12be5320de2b8021 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 6 Jul 2017 12:34:40 +0200
+Subject: ALSA: msnd: Optimize / harden DSP and MIDI loops
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 20e2b791796bd68816fa115f12be5320de2b8021 upstream.
+
+The ISA msnd drivers have loops fetching the ring-buffer head, tail
+and size values inside the loops.  Such codes are inefficient and
+fragile.
+
+This patch optimizes it, and also adds the sanity check to avoid the
+endless loops.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196131
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196133
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: grygorii tertychnyi <gtertych@cisco.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/isa/msnd/msnd_midi.c     |   28 ++++++++++++++--------------
+ sound/isa/msnd/msnd_pinnacle.c |   23 ++++++++++++-----------
+ 2 files changed, 26 insertions(+), 25 deletions(-)
+
+--- a/sound/isa/msnd/msnd_midi.c
++++ b/sound/isa/msnd/msnd_midi.c
+@@ -120,24 +120,24 @@ void snd_msndmidi_input_read(void *mpuv)
+ 	unsigned long flags;
+ 	struct snd_msndmidi *mpu = mpuv;
+ 	void *pwMIDQData = mpu->dev->mappedbase + MIDQ_DATA_BUFF;
++	u16 head, tail, size;
+ 
+ 	spin_lock_irqsave(&mpu->input_lock, flags);
+-	while (readw(mpu->dev->MIDQ + JQS_wTail) !=
+-	       readw(mpu->dev->MIDQ + JQS_wHead)) {
+-		u16 wTmp, val;
+-		val = readw(pwMIDQData + 2 * readw(mpu->dev->MIDQ + JQS_wHead));
++	head = readw(mpu->dev->MIDQ + JQS_wHead);
++	tail = readw(mpu->dev->MIDQ + JQS_wTail);
++	size = readw(mpu->dev->MIDQ + JQS_wSize);
++	if (head > size || tail > size)
++		goto out;
++	while (head != tail) {
++		unsigned char val = readw(pwMIDQData + 2 * head);
+ 
+-			if (test_bit(MSNDMIDI_MODE_BIT_INPUT_TRIGGER,
+-				     &mpu->mode))
+-				snd_rawmidi_receive(mpu->substream_input,
+-						    (unsigned char *)&val, 1);
+-
+-		wTmp = readw(mpu->dev->MIDQ + JQS_wHead) + 1;
+-		if (wTmp > readw(mpu->dev->MIDQ + JQS_wSize))
+-			writew(0,  mpu->dev->MIDQ + JQS_wHead);
+-		else
+-			writew(wTmp,  mpu->dev->MIDQ + JQS_wHead);
++		if (test_bit(MSNDMIDI_MODE_BIT_INPUT_TRIGGER, &mpu->mode))
++			snd_rawmidi_receive(mpu->substream_input, &val, 1);
++		if (++head > size)
++			head = 0;
++		writew(head, mpu->dev->MIDQ + JQS_wHead);
+ 	}
++ out:
+ 	spin_unlock_irqrestore(&mpu->input_lock, flags);
+ }
+ EXPORT_SYMBOL(snd_msndmidi_input_read);
+--- a/sound/isa/msnd/msnd_pinnacle.c
++++ b/sound/isa/msnd/msnd_pinnacle.c
+@@ -170,23 +170,24 @@ static irqreturn_t snd_msnd_interrupt(in
+ {
+ 	struct snd_msnd *chip = dev_id;
+ 	void *pwDSPQData = chip->mappedbase + DSPQ_DATA_BUFF;
++	u16 head, tail, size;
+ 
+ 	/* Send ack to DSP */
+ 	/* inb(chip->io + HP_RXL); */
+ 
+ 	/* Evaluate queued DSP messages */
+-	while (readw(chip->DSPQ + JQS_wTail) != readw(chip->DSPQ + JQS_wHead)) {
+-		u16 wTmp;
+-
+-		snd_msnd_eval_dsp_msg(chip,
+-			readw(pwDSPQData + 2 * readw(chip->DSPQ + JQS_wHead)));
+-
+-		wTmp = readw(chip->DSPQ + JQS_wHead) + 1;
+-		if (wTmp > readw(chip->DSPQ + JQS_wSize))
+-			writew(0, chip->DSPQ + JQS_wHead);
+-		else
+-			writew(wTmp, chip->DSPQ + JQS_wHead);
++	head = readw(chip->DSPQ + JQS_wHead);
++	tail = readw(chip->DSPQ + JQS_wTail);
++	size = readw(chip->DSPQ + JQS_wSize);
++	if (head > size || tail > size)
++		goto out;
++	while (head != tail) {
++		snd_msnd_eval_dsp_msg(chip, readw(pwDSPQData + 2 * head));
++		if (++head > size)
++			head = 0;
++		writew(head, chip->DSPQ + JQS_wHead);
+ 	}
++ out:
+ 	/* Send ack to DSP */
+ 	inb(chip->io + HP_RXL);
+ 	return IRQ_HANDLED;
diff --git a/queue-4.4/btrfs-resume-qgroup-rescan-on-rw-remount.patch b/queue-4.4/btrfs-resume-qgroup-rescan-on-rw-remount.patch
new file mode 100644
index 00000000000..9f941e8cbd7
--- /dev/null
+++ b/queue-4.4/btrfs-resume-qgroup-rescan-on-rw-remount.patch
@@ -0,0 +1,43 @@
+From 6c6b5a39c4bf3dbd8cf629c9f5450e983c19dbb9 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Tue, 4 Jul 2017 21:49:06 +1000
+Subject: btrfs: resume qgroup rescan on rw remount
+
+From: Aleksa Sarai <asarai@suse.de>
+
+commit 6c6b5a39c4bf3dbd8cf629c9f5450e983c19dbb9 upstream.
+
+Several distributions mount the "proper root" as ro during initrd and
+then remount it as rw before pivot_root(2). Thus, if a rescan had been
+aborted by a previous shutdown, the rescan would never be resumed.
+
+This issue would manifest itself as several btrfs ioctl(2)s causing the
+entire machine to hang when btrfs_qgroup_wait_for_completion was hit
+(due to the fs_info->qgroup_rescan_running flag being set but the rescan
+itself not being resumed). Notably, Docker's btrfs storage driver makes
+regular use of BTRFS_QUOTA_CTL_DISABLE and BTRFS_IOC_QUOTA_RESCAN_WAIT
+(causing this problem to be manifested on boot for some machines).
+
+Cc: Jeff Mahoney <jeffm@suse.com>
+Fixes: b382a324b60f ("Btrfs: fix qgroup rescan resume on mount")
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Tested-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/super.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1727,6 +1727,8 @@ static int btrfs_remount(struct super_bl
+ 			goto restore;
+ 		}
+ 
++		btrfs_qgroup_rescan_resume(fs_info);
++
+ 		if (!fs_info->uuid_root) {
+ 			btrfs_info(fs_info, "creating UUID tree");
+ 			ret = btrfs_create_uuid_tree(fs_info);
diff --git a/queue-4.4/locktorture-fix-potential-memory-leak-with-rw-lock-test.patch b/queue-4.4/locktorture-fix-potential-memory-leak-with-rw-lock-test.patch
new file mode 100644
index 00000000000..5eb331c1158
--- /dev/null
+++ b/queue-4.4/locktorture-fix-potential-memory-leak-with-rw-lock-test.patch
@@ -0,0 +1,86 @@
+From f4dbba591945dc301c302672adefba9e2ec08dc5 Mon Sep 17 00:00:00 2001
+From: Yang Shi <yang.shi@linaro.org>
+Date: Thu, 10 Nov 2016 13:06:39 -0800
+Subject: locktorture: Fix potential memory leak with rw lock test
+
+From: Yang Shi <yang.shi@linaro.org>
+
+commit f4dbba591945dc301c302672adefba9e2ec08dc5 upstream.
+
+When running locktorture module with the below commands with kmemleak enabled:
+
+$ modprobe locktorture torture_type=rw_lock_irq
+$ rmmod locktorture
+
+The below kmemleak got caught:
+
+root@10:~# echo scan > /sys/kernel/debug/kmemleak
+[  323.197029] kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
+root@10:~# cat /sys/kernel/debug/kmemleak
+unreferenced object 0xffffffc07592d500 (size 128):
+  comm "modprobe", pid 368, jiffies 4294924118 (age 205.824s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 c3 7b 02 00 00 00 00 00  .........{......
+    00 00 00 00 00 00 00 00 d7 9b 02 00 00 00 00 00  ................
+  backtrace:
+    [<ffffff80081e5a88>] create_object+0x110/0x288
+    [<ffffff80086c6078>] kmemleak_alloc+0x58/0xa0
+    [<ffffff80081d5acc>] __kmalloc+0x234/0x318
+    [<ffffff80006fa130>] 0xffffff80006fa130
+    [<ffffff8008083ae4>] do_one_initcall+0x44/0x138
+    [<ffffff800817e28c>] do_init_module+0x68/0x1cc
+    [<ffffff800811c848>] load_module+0x1a68/0x22e0
+    [<ffffff800811d340>] SyS_finit_module+0xe0/0xf0
+    [<ffffff80080836f0>] el0_svc_naked+0x24/0x28
+    [<ffffffffffffffff>] 0xffffffffffffffff
+unreferenced object 0xffffffc07592d480 (size 128):
+  comm "modprobe", pid 368, jiffies 4294924118 (age 205.824s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 3b 6f 01 00 00 00 00 00  ........;o......
+    00 00 00 00 00 00 00 00 23 6a 01 00 00 00 00 00  ........#j......
+  backtrace:
+    [<ffffff80081e5a88>] create_object+0x110/0x288
+    [<ffffff80086c6078>] kmemleak_alloc+0x58/0xa0
+    [<ffffff80081d5acc>] __kmalloc+0x234/0x318
+    [<ffffff80006fa22c>] 0xffffff80006fa22c
+    [<ffffff8008083ae4>] do_one_initcall+0x44/0x138
+    [<ffffff800817e28c>] do_init_module+0x68/0x1cc
+    [<ffffff800811c848>] load_module+0x1a68/0x22e0
+    [<ffffff800811d340>] SyS_finit_module+0xe0/0xf0
+    [<ffffff80080836f0>] el0_svc_naked+0x24/0x28
+    [<ffffffffffffffff>] 0xffffffffffffffff
+
+It is because cxt.lwsa and cxt.lrsa don't get freed in module_exit, so free
+them in lock_torture_cleanup() and free writer_tasks if reader_tasks is
+failed at memory allocation.
+
+Signed-off-by: Yang Shi <yang.shi@linaro.org>
+Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Reviewed-by: Josh Triplett <josh@joshtriplett.org>
+Cc: 石洋 <yang.s@alibaba-inc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/locking/locktorture.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/locking/locktorture.c
++++ b/kernel/locking/locktorture.c
+@@ -776,6 +776,8 @@ static void lock_torture_cleanup(void)
+ 	else
+ 		lock_torture_print_module_parms(cxt.cur_ops,
+ 						"End of test: SUCCESS");
++	kfree(cxt.lwsa);
++	kfree(cxt.lrsa);
+ 	torture_cleanup_end();
+ }
+ 
+@@ -917,6 +919,8 @@ static int __init lock_torture_init(void
+ 				       GFP_KERNEL);
+ 		if (reader_tasks == NULL) {
+ 			VERBOSE_TOROUT_ERRSTRING("reader_tasks: Out of memory");
++			kfree(writer_tasks);
++			writer_tasks = NULL;
+ 			firsterr = -ENOMEM;
+ 			goto unwind;
+ 		}