From: Greg Kroah-Hartman Date: Sat, 4 Feb 2017 13:12:37 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v3.18.48~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b51776fbd8bbd62ebb03197f5a5e132794dab9f9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: can-bcm-fix-hrtimer-tasklet-termination-in-bcm-op-removal.patch mmc-sdhci-ignore-unexpected-card_int-interrupts.patch percpu-refcount-fix-reference-leak-during-percpu-atomic-transition.patch --- diff --git a/queue-4.4/can-bcm-fix-hrtimer-tasklet-termination-in-bcm-op-removal.patch b/queue-4.4/can-bcm-fix-hrtimer-tasklet-termination-in-bcm-op-removal.patch new file mode 100644 index 00000000000..5259dfb62fe --- /dev/null +++ b/queue-4.4/can-bcm-fix-hrtimer-tasklet-termination-in-bcm-op-removal.patch @@ -0,0 +1,56 @@ +From a06393ed03167771246c4c43192d9c264bc48412 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Wed, 18 Jan 2017 21:30:51 +0100 +Subject: can: bcm: fix hrtimer/tasklet termination in bcm op removal + +From: Oliver Hartkopp + +commit a06393ed03167771246c4c43192d9c264bc48412 upstream. + +When removing a bcm tx operation either a hrtimer or a tasklet might run. +As the hrtimer triggers its associated tasklet and vice versa we need to +take care to mutually terminate both handlers. + +Reported-by: Michael Josenhans +Signed-off-by: Oliver Hartkopp +Tested-by: Michael Josenhans +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + net/can/bcm.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -710,14 +710,23 @@ static struct bcm_op *bcm_find_op(struct + + static void bcm_remove_op(struct bcm_op *op) + { +- hrtimer_cancel(&op->timer); +- hrtimer_cancel(&op->thrtimer); ++ if (op->tsklet.func) { ++ while (test_bit(TASKLET_STATE_SCHED, &op->tsklet.state) || ++ test_bit(TASKLET_STATE_RUN, &op->tsklet.state) || ++ hrtimer_active(&op->timer)) { ++ hrtimer_cancel(&op->timer); ++ tasklet_kill(&op->tsklet); ++ } ++ } + +- if (op->tsklet.func) +- tasklet_kill(&op->tsklet); +- +- if (op->thrtsklet.func) +- tasklet_kill(&op->thrtsklet); ++ if (op->thrtsklet.func) { ++ while (test_bit(TASKLET_STATE_SCHED, &op->thrtsklet.state) || ++ test_bit(TASKLET_STATE_RUN, &op->thrtsklet.state) || ++ hrtimer_active(&op->thrtimer)) { ++ hrtimer_cancel(&op->thrtimer); ++ tasklet_kill(&op->thrtsklet); ++ } ++ } + + if ((op->frames) && (op->frames != &op->sframe)) + kfree(op->frames); diff --git a/queue-4.4/mmc-sdhci-ignore-unexpected-card_int-interrupts.patch b/queue-4.4/mmc-sdhci-ignore-unexpected-card_int-interrupts.patch new file mode 100644 index 00000000000..3b68b77581f --- /dev/null +++ b/queue-4.4/mmc-sdhci-ignore-unexpected-card_int-interrupts.patch @@ -0,0 +1,41 @@ +From 161e6d44a5e2d3f85365cb717d60e363171b39e6 Mon Sep 17 00:00:00 2001 +From: Gabriel Krisman Bertazi +Date: Mon, 16 Jan 2017 12:23:42 -0200 +Subject: mmc: sdhci: Ignore unexpected CARD_INT interrupts + +From: Gabriel Krisman Bertazi + +commit 161e6d44a5e2d3f85365cb717d60e363171b39e6 upstream. + +One of our kernelCI boxes hanged at boot because a faulty eSDHC device +was triggering spurious CARD_INT interrupts for SD cards, causing CMD52 +reads, which are not allowed for SD devices. This adds a sanity check +to the interruption path, preventing that illegal command from getting +sent if the CARD_INT interruption should be disabled. + +This quirk allows that particular machine to resume boot despite the +faulty hardware, instead of getting hung dealing with thousands of +mishandled interrupts. + +Suggested-by: Adrian Hunter +Signed-off-by: Gabriel Krisman Bertazi +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -2629,7 +2629,8 @@ static irqreturn_t sdhci_irq(int irq, vo + pr_err("%s: Card is consuming too much power!\n", + mmc_hostname(host->mmc)); + +- if (intmask & SDHCI_INT_CARD_INT) { ++ if ((intmask & SDHCI_INT_CARD_INT) && ++ (host->ier & SDHCI_INT_CARD_INT)) { + sdhci_enable_sdio_irq_nolock(host, false); + host->thread_isr |= SDHCI_INT_CARD_INT; + result = IRQ_WAKE_THREAD; diff --git a/queue-4.4/percpu-refcount-fix-reference-leak-during-percpu-atomic-transition.patch b/queue-4.4/percpu-refcount-fix-reference-leak-during-percpu-atomic-transition.patch new file mode 100644 index 00000000000..b466ae88339 --- /dev/null +++ b/queue-4.4/percpu-refcount-fix-reference-leak-during-percpu-atomic-transition.patch @@ -0,0 +1,83 @@ +From 966d2b04e070bc040319aaebfec09e0144dc3341 Mon Sep 17 00:00:00 2001 +From: Douglas Miller +Date: Sat, 28 Jan 2017 06:42:20 -0600 +Subject: percpu-refcount: fix reference leak during percpu-atomic transition + +From: Douglas Miller + +commit 966d2b04e070bc040319aaebfec09e0144dc3341 upstream. + +percpu_ref_tryget() and percpu_ref_tryget_live() should return +"true" IFF they acquire a reference. But the return value from +atomic_long_inc_not_zero() is a long and may have high bits set, +e.g. PERCPU_COUNT_BIAS, and the return value of the tryget routines +is bool so the reference may actually be acquired but the routines +return "false" which results in a reference leak since the caller +assumes it does not need to do a corresponding percpu_ref_put(). + +This was seen when performing CPU hotplug during I/O, as hangs in +blk_mq_freeze_queue_wait where percpu_ref_kill (blk_mq_freeze_queue_start) +raced with percpu_ref_tryget (blk_mq_timeout_work). +Sample stack trace: + +__switch_to+0x2c0/0x450 +__schedule+0x2f8/0x970 +schedule+0x48/0xc0 +blk_mq_freeze_queue_wait+0x94/0x120 +blk_mq_queue_reinit_work+0xb8/0x180 +blk_mq_queue_reinit_prepare+0x84/0xa0 +cpuhp_invoke_callback+0x17c/0x600 +cpuhp_up_callbacks+0x58/0x150 +_cpu_up+0xf0/0x1c0 +do_cpu_up+0x120/0x150 +cpu_subsys_online+0x64/0xe0 +device_online+0xb4/0x120 +online_store+0xb4/0xc0 +dev_attr_store+0x68/0xa0 +sysfs_kf_write+0x80/0xb0 +kernfs_fop_write+0x17c/0x250 +__vfs_write+0x6c/0x1e0 +vfs_write+0xd0/0x270 +SyS_write+0x6c/0x110 +system_call+0x38/0xe0 + +Examination of the queue showed a single reference (no PERCPU_COUNT_BIAS, +and __PERCPU_REF_DEAD, __PERCPU_REF_ATOMIC set) and no requests. +However, conditions at the time of the race are count of PERCPU_COUNT_BIAS + 0 +and __PERCPU_REF_DEAD and __PERCPU_REF_ATOMIC set. + +The fix is to make the tryget routines use an actual boolean internally instead +of the atomic long result truncated to a int. + +Fixes: e625305b3907 percpu-refcount: make percpu_ref based on longs instead of ints +Link: https://bugzilla.kernel.org/show_bug.cgi?id=190751 +Signed-off-by: Douglas Miller +Reviewed-by: Jens Axboe +Signed-off-by: Tejun Heo +Fixes: e625305b3907 ("percpu-refcount: make percpu_ref based on longs instead of ints") +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/percpu-refcount.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/percpu-refcount.h ++++ b/include/linux/percpu-refcount.h +@@ -206,7 +206,7 @@ static inline void percpu_ref_get(struct + static inline bool percpu_ref_tryget(struct percpu_ref *ref) + { + unsigned long __percpu *percpu_count; +- int ret; ++ bool ret; + + rcu_read_lock_sched(); + +@@ -240,7 +240,7 @@ static inline bool percpu_ref_tryget(str + static inline bool percpu_ref_tryget_live(struct percpu_ref *ref) + { + unsigned long __percpu *percpu_count; +- int ret = false; ++ bool ret = false; + + rcu_read_lock_sched(); + diff --git a/queue-4.4/series b/queue-4.4/series index 419fec930d1..a1db7422403 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -16,3 +16,6 @@ zswap-disable-changing-params-if-init-fails.patch cifs-initialize-file_info_lock.patch mm-memory_hotplug.c-check-start_pfn-in-test_pages_in_a_zone.patch mm-fs-check-for-fatal-signals-in-do_generic_file_read.patch +can-bcm-fix-hrtimer-tasklet-termination-in-bcm-op-removal.patch +mmc-sdhci-ignore-unexpected-card_int-interrupts.patch +percpu-refcount-fix-reference-leak-during-percpu-atomic-transition.patch