From: Greg Kroah-Hartman Date: Mon, 18 Nov 2019 15:55:21 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v5.3.12~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e849ae586e04eeaaf86d646feb9dc63f3c31ca8b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: ecryptfs_lookup_interpose-lower_dentry-d_inode-is-not-stable.patch ecryptfs_lookup_interpose-lower_dentry-d_parent-is-not-stable-either.patch iommu-vt-d-fix-qi_dev_iotlb_pfsid-and-qi_dev_eiotlb_pfsid-macros.patch mm-hugetlb-switch-to-css_tryget-in-hugetlb_cgroup_charge_cgroup.patch mm-memcg-switch-to-css_tryget-in-get_mem_cgroup_from_mm.patch mmc-sdhci-of-at91-fix-quirk2-overwrite.patch x86-quirks-disable-hpet-on-intel-coffe-lake-platforms.patch
---
diff --git a/queue-4.4/ecryptfs_lookup_interpose-lower_dentry-d_inode-is-not-stable.patch b/queue-4.4/ecryptfs_lookup_interpose-lower_dentry-d_inode-is-not-stable.patch
new file mode 100644
index 00000000000..049ded86476
--- /dev/null
+++ b/queue-4.4/ecryptfs_lookup_interpose-lower_dentry-d_inode-is-not-stable.patch
@@ -0,0 +1,51 @@
+From e72b9dd6a5f17d0fb51f16f8685f3004361e83d0 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 3 Nov 2019 13:45:04 -0500
+Subject: ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable
+
+From: Al Viro
+
+commit e72b9dd6a5f17d0fb51f16f8685f3004361e83d0 upstream.
+
+lower_dentry can't go from positive to negative (we have it pinned),
+but it *can* go from negative to positive. So fetching ->d_inode
+into a local variable, doing a blocking allocation, checking that
+now ->d_inode is non-NULL and feeding the value we'd fetched
+earlier to a function that won't accept NULL is not a good idea.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ecryptfs/inode.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/fs/ecryptfs/inode.c
++++ b/fs/ecryptfs/inode.c
+@@ -330,7 +330,7 @@ static int ecryptfs_lookup_interpose(str
+ struct dentry *lower_dentry,
+ struct inode *dir_inode)
+ {
+- struct inode *inode, *lower_inode = d_inode(lower_dentry);
++ struct inode *inode, *lower_inode;
+ struct ecryptfs_dentry_info *dentry_info;
+ struct vfsmount *lower_mnt;
+ int rc = 0;
+@@ -352,7 +352,15 @@ static int ecryptfs_lookup_interpose(str
+ dentry_info->lower_path.mnt = lower_mnt;
+ dentry_info->lower_path.dentry = lower_dentry;
+
+- if (d_really_is_negative(lower_dentry)) {
++ /*
++ * negative dentry can go positive under us here - its parent is not
++ * locked. That's OK and that could happen just as we return from
++ * ecryptfs_lookup() anyway. Just need to be careful and fetch
++ * ->d_inode only once - it's not stable here.
++ */
++ lower_inode = READ_ONCE(lower_dentry->d_inode);
++
++ if (!lower_inode) {
+ /* We want to add because we couldn't find in lower */
+ d_add(dentry, NULL);
+ return 0;
diff --git a/queue-4.4/ecryptfs_lookup_interpose-lower_dentry-d_parent-is-not-stable-either.patch b/queue-4.4/ecryptfs_lookup_interpose-lower_dentry-d_parent-is-not-stable-either.patch
new file mode 100644
index 00000000000..efd2dd31706
--- /dev/null
+++ b/queue-4.4/ecryptfs_lookup_interpose-lower_dentry-d_parent-is-not-stable-either.patch
@@ -0,0 +1,58 @@
+From 762c69685ff7ad5ad7fee0656671e20a0c9c864d Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 3 Nov 2019 13:55:43 -0500
+Subject: ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either
+
+From: Al Viro
+
+commit 762c69685ff7ad5ad7fee0656671e20a0c9c864d upstream.
+
+We need to get the underlying dentry of parent; sure, absent the races
+it is the parent of underlying dentry, but there's nothing to prevent
+losing a timeslice to preemtion in the middle of evaluation of
+lower_dentry->d_parent->d_inode, having another process move lower_dentry
+around and have its (ex)parent not pinned anymore and freed on memory
+pressure. Then we regain CPU and try to fetch ->d_inode from memory
+that is freed by that point.
+
+dentry->d_parent *is* stable here - it's an argument of ->lookup() and
+we are guaranteed that it won't be moved anywhere until we feed it
+to d_add/d_splice_alias. So we safely go that way to get to its
+underlying dentry.
+
+Cc: stable@vger.kernel.org # since 2009 or so
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ecryptfs/inode.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/fs/ecryptfs/inode.c
++++ b/fs/ecryptfs/inode.c
+@@ -330,9 +330,9 @@ static int ecryptfs_lookup_interpose(str
+ struct dentry *lower_dentry,
+ struct inode *dir_inode)
+ {
++ struct path *path = ecryptfs_dentry_to_lower_path(dentry->d_parent);
+ struct inode *inode, *lower_inode;
+ struct ecryptfs_dentry_info *dentry_info;
+- struct vfsmount *lower_mnt;
+ int rc = 0;
+
+ dentry_info = kmem_cache_alloc(ecryptfs_dentry_info_cache, GFP_KERNEL);
+@@ -344,12 +344,11 @@ static int ecryptfs_lookup_interpose(str
+ return -ENOMEM;
+ }
+
+- lower_mnt = mntget(ecryptfs_dentry_to_lower_mnt(dentry->d_parent));
+- fsstack_copy_attr_atime(dir_inode, d_inode(lower_dentry->d_parent));
++ fsstack_copy_attr_atime(dir_inode, d_inode(path->dentry));
+ BUG_ON(!d_count(lower_dentry));
+
+ ecryptfs_set_dentry_private(dentry, dentry_info);
+- dentry_info->lower_path.mnt = lower_mnt;
++ dentry_info->lower_path.mnt = mntget(path->mnt);
+ dentry_info->lower_path.dentry = lower_dentry;
+
+ /*
diff --git a/queue-4.4/iommu-vt-d-fix-qi_dev_iotlb_pfsid-and-qi_dev_eiotlb_pfsid-macros.patch b/queue-4.4/iommu-vt-d-fix-qi_dev_iotlb_pfsid-and-qi_dev_eiotlb_pfsid-macros.patch
new file mode 100644
index 00000000000..f70e56a26ce
--- /dev/null
+++ b/queue-4.4/iommu-vt-d-fix-qi_dev_iotlb_pfsid-and-qi_dev_eiotlb_pfsid-macros.patch
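Review bot: The reason `dentry->d_parent` may be dereferenced while `lower_dentry->d_parent` may not is recorded only in the commit message; the added declaration `struct path *path = ecryptfs_dentry_to_lower_path(dentry->d_parent);` carries no comment, so a later cleanup could plausibly reintroduce the unpinned `lower_dentry->d_parent->d_inode` walk and the use-after-free with it. I would put `/* dentry->d_parent is stable during ->lookup(); lower_dentry->d_parent can be moved and freed under us */` above that declaration. The body of ecryptfs_lookup_interpose() continues outside both hunks, so any other use of `lower_dentry->d_parent` there cannot be checked from this page.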
@@ -0,0 +1,50 @@
+From 4e7120d79edb31e4ee68e6f8421448e4603be1e9 Mon Sep 17 00:00:00 2001
+From: Eric Auger
+Date: Fri, 8 Nov 2019 16:58:03 +0100
+Subject: iommu/vt-d: Fix QI_DEV_IOTLB_PFSID and QI_DEV_EIOTLB_PFSID macros
+
+From: Eric Auger
+
+commit 4e7120d79edb31e4ee68e6f8421448e4603be1e9 upstream.
+
+For both PASID-based-Device-TLB Invalidate Descriptor and
+Device-TLB Invalidate Descriptor, the Physical Function Source-ID
+value is split according to this layout:
+
+PFSID[3:0] is set at offset 12 and PFSID[15:4] is put at offset 52.
+Fix the part laid out at offset 52.
+
+Fixes: 0f725561e1684 ("iommu/vt-d: Add definitions for PFSID")
+Signed-off-by: Eric Auger
+Acked-by: Jacob Pan
+Cc: stable@vger.kernel.org # v4.19+
+Acked-by: Lu Baolu
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/intel-iommu.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/include/linux/intel-iommu.h
++++ b/include/linux/intel-iommu.h
+@@ -295,7 +295,8 @@ enum {
+ #define QI_DEV_IOTLB_SID(sid) ((u64)((sid) & 0xffff) << 32)
+ #define QI_DEV_IOTLB_QDEP(qdep) (((qdep) & 0x1f) << 16)
+ #define QI_DEV_IOTLB_ADDR(addr) ((u64)(addr) & VTD_PAGE_MASK)
+-#define QI_DEV_IOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | ((u64)(pfsid & 0xfff) << 52))
++#define QI_DEV_IOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | \
++ ((u64)((pfsid >> 4) & 0xfff) << 52))
+ #define QI_DEV_IOTLB_SIZE 1
+ #define QI_DEV_IOTLB_MAX_INVS 32
+
+@@ -320,7 +321,8 @@ enum {
+ #define QI_DEV_EIOTLB_PASID(p) (((u64)p) << 32)
+ #define QI_DEV_EIOTLB_SID(sid) ((u64)((sid) & 0xffff) << 16)
+ #define QI_DEV_EIOTLB_QDEP(qd) ((u64)((qd) & 0x1f) << 4)
+-#define QI_DEV_EIOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | ((u64)(pfsid & 0xfff) << 52))
++#define QI_DEV_EIOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | \
++ ((u64)((pfsid >> 4) & 0xfff) << 52))
+ #define QI_DEV_EIOTLB_MAX_INVS 32
+
+ #define QI_PGRP_IDX(idx) (((u64)(idx)) << 55)
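Review bot: Both rewritten macros still expand their argument unparenthesized (`pfsid & 0xf`, `pfsid >> 4`), so a caller passing an expression such as `a | b` would get the mask and the shift applied with the wrong precedence and build a descriptor with a wrong Source-ID. The neighbouring macros in the same hunks already write `(sid)` and `(qdep)`; the matching form here is `(((u64)((pfsid) & 0xf) << 12) | ((u64)(((pfsid) >> 4) & 0xfff) << 52))`, for `QI_DEV_IOTLB_PFSID` and `QI_DEV_EIOTLB_PFSID` alike. The callers are outside the hunk, so whether any of them passes a compound expression today cannot be told from this page.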
diff --git a/queue-4.4/mm-hugetlb-switch-to-css_tryget-in-hugetlb_cgroup_charge_cgroup.patch b/queue-4.4/mm-hugetlb-switch-to-css_tryget-in-hugetlb_cgroup_charge_cgroup.patch
new file mode 100644
index 00000000000..3bfb07b813d
--- /dev/null
+++ b/queue-4.4/mm-hugetlb-switch-to-css_tryget-in-hugetlb_cgroup_charge_cgroup.patch
@@ -0,0 +1,49 @@
+From 0362f326d86c645b5e96b7dbc3ee515986ed019d Mon Sep 17 00:00:00 2001
+From: Roman Gushchin
+Date: Fri, 15 Nov 2019 17:34:46 -0800
+Subject: mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup()
+
+From: Roman Gushchin
+
+commit 0362f326d86c645b5e96b7dbc3ee515986ed019d upstream.
+
+An exiting task might belong to an offline cgroup. In this case an
+attempt to grab a cgroup reference from the task can end up with an
+infinite loop in hugetlb_cgroup_charge_cgroup(), because neither the
+cgroup will become online, neither the task will be migrated to a live
+cgroup.
+
+Fix this by switching over to css_tryget(). As css_tryget_online()
+can't guarantee that the cgroup won't go offline, in most cases the
+check doesn't make sense. In this particular case users of
+hugetlb_cgroup_charge_cgroup() are not affected by this change.
+
+A similar problem is described by commit 18fa84a2db0e ("cgroup: Use
+css_tryget() instead of css_tryget_online() in task_get_css()").
+
+Link: http://lkml.kernel.org/r/20191106225131.3543616-2-guro@fb.com
+Signed-off-by: Roman Gushchin
+Acked-by: Johannes Weiner
+Acked-by: Tejun Heo
+Reviewed-by: Shakeel Butt
+Cc: Michal Hocko
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/hugetlb_cgroup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/hugetlb_cgroup.c
++++ b/mm/hugetlb_cgroup.c
+@@ -180,7 +180,7 @@ int hugetlb_cgroup_charge_cgroup(int idx
+ again:
+ rcu_read_lock();
+ h_cg = hugetlb_cgroup_from_task(current);
+- if (!css_tryget_online(&h_cg->css)) {
++ if (!css_tryget(&h_cg->css)) {
+ rcu_read_unlock();
+ goto again;
+ }
diff --git a/queue-4.4/mm-memcg-switch-to-css_tryget-in-get_mem_cgroup_from_mm.patch b/queue-4.4/mm-memcg-switch-to-css_tryget-in-get_mem_cgroup_from_mm.patch
new file mode 100644
index 00000000000..67d5f3da4b7
--- /dev/null
+++ b/queue-4.4/mm-memcg-switch-to-css_tryget-in-get_mem_cgroup_from_mm.patch
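Review bot: The `again:` retry in hugetlb_cgroup_charge_cgroup() stays unbounded and uncommented after the switch: the hunk changes the condition, but nothing in the code says why `css_tryget()` rather than `css_tryget_online()` is required, and the stall it prevents is described only in the commit message. A one-line comment before the test would guard against a well-meant revert, e.g. `/* css_tryget(), not _online(): an exiting task may sit in an offline cgroup that never comes back online */`. The same applies to the `} while (!css_tryget(&memcg->css));` loop in the mm/memcontrol.c patch that follows. Both functions extend beyond the visible hunks.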
@@ -0,0 +1,80 @@
+From 00d484f354d85845991b40141d40ba9e5eb60faf Mon Sep 17 00:00:00 2001
+From: Roman Gushchin
+Date: Fri, 15 Nov 2019 17:34:43 -0800
+Subject: mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm()
+
+From: Roman Gushchin
+
+commit 00d484f354d85845991b40141d40ba9e5eb60faf upstream.
+
+We've encountered a rcu stall in get_mem_cgroup_from_mm():
+
+ rcu: INFO: rcu_sched self-detected stall on CPU
+ rcu: 33-....: (21000 ticks this GP) idle=6c6/1/0x4000000000000002 softirq=35441/35441 fqs=5017
+ (t=21031 jiffies g=324821 q=95837) NMI backtrace for cpu 33
+ <...>
+ RIP: 0010:get_mem_cgroup_from_mm+0x2f/0x90
+ <...>
+ __memcg_kmem_charge+0x55/0x140
+ __alloc_pages_nodemask+0x267/0x320
+ pipe_write+0x1ad/0x400
+ new_sync_write+0x127/0x1c0
+ __kernel_write+0x4f/0xf0
+ dump_emit+0x91/0xc0
+ writenote+0xa0/0xc0
+ elf_core_dump+0x11af/0x1430
+ do_coredump+0xc65/0xee0
+ get_signal+0x132/0x7c0
+ do_signal+0x36/0x640
+ exit_to_usermode_loop+0x61/0xd0
+ do_syscall_64+0xd4/0x100
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The problem is caused by an exiting task which is associated with an
+offline memcg. We're iterating over and over in the do {} while
+(!css_tryget_online()) loop, but obviously the memcg won't become online
+and the exiting task won't be migrated to a live memcg.
+
+Let's fix it by switching from css_tryget_online() to css_tryget().
+
+As css_tryget_online() cannot guarantee that the memcg won't go offline,
+the check is usually useless, except some rare cases when for example it
+determines if something should be presented to a user.
+
+A similar problem is described by commit 18fa84a2db0e ("cgroup: Use
+css_tryget() instead of css_tryget_online() in task_get_css()").
+
+Johannes:
+
+: The bug aside, it doesn't matter whether the cgroup is online for the
+: callers. It used to matter when offlining needed to evacuate all charges
+: from the memcg, and so needed to prevent new ones from showing up, but we
+: don't care now.
+
+Link: http://lkml.kernel.org/r/20191106225131.3543616-1-guro@fb.com
+Signed-off-by: Roman Gushchin
+Acked-by: Johannes Weiner
+Acked-by: Tejun Heo
+Reviewed-by: Shakeel Butt
+Cc: Michal Hocko
+Cc: Michal Koutn
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/memcontrol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -833,7 +833,7 @@ static struct mem_cgroup *get_mem_cgroup
+ if (unlikely(!memcg))
+ memcg = root_mem_cgroup;
+ }
+- } while (!css_tryget_online(&memcg->css));
++ } while (!css_tryget(&memcg->css));
+ rcu_read_unlock();
+ return memcg;
+ }
diff --git a/queue-4.4/mmc-sdhci-of-at91-fix-quirk2-overwrite.patch b/queue-4.4/mmc-sdhci-of-at91-fix-quirk2-overwrite.patch
new file mode 100644
index 00000000000..4fc9c645ef2
--- /dev/null
+++ b/queue-4.4/mmc-sdhci-of-at91-fix-quirk2-overwrite.patch
@@ -0,0 +1,35 @@
+From fed23c5829ecab4ddc712d7b0046e59610ca3ba4 Mon Sep 17 00:00:00 2001
+From: Eugen Hristev
+Date: Thu, 14 Nov 2019 12:59:26 +0000
+Subject: mmc: sdhci-of-at91: fix quirk2 overwrite
+
+From: Eugen Hristev
+
+commit fed23c5829ecab4ddc712d7b0046e59610ca3ba4 upstream.
+
+The quirks2 are parsed and set (e.g. from DT) before the quirk for broken
+HS200 is set in the driver.
+The driver needs to enable just this flag, not rewrite the whole quirk set.
+
+Fixes: 7871aa60ae00 ("mmc: sdhci-of-at91: add quirk for broken HS200")
+Signed-off-by: Eugen Hristev
+Acked-by: Adrian Hunter
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/sdhci-of-at91.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-of-at91.c
++++ b/drivers/mmc/host/sdhci-of-at91.c
+@@ -145,7 +145,7 @@ static int sdhci_at91_probe(struct platf
+ sdhci_get_of_property(pdev);
+
+ /* HS200 is broken at this moment */
+- host->quirks2 = SDHCI_QUIRK2_BROKEN_HS200;
++ host->quirks2 |= SDHCI_QUIRK2_BROKEN_HS200;
+
+ ret = sdhci_add_host(host);
+ if (ret)
diff --git a/queue-4.4/series b/queue-4.4/series
index 1bb1d19387b..a1c86b27a8c 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -3,3 +3,10 @@ ax88172a-fix-information-leak-on-short-answers.patch
 alsa-usb-audio-fix-missing-error-check-at-mixer-resolution-test.patch
 alsa-usb-audio-not-submit-urb-for-stopped-endpoint.patch
 input-ff-memless-kill-timer-in-destroy.patch
+x86-quirks-disable-hpet-on-intel-coffe-lake-platforms.patch
+ecryptfs_lookup_interpose-lower_dentry-d_inode-is-not-stable.patch
+ecryptfs_lookup_interpose-lower_dentry-d_parent-is-not-stable-either.patch
+iommu-vt-d-fix-qi_dev_iotlb_pfsid-and-qi_dev_eiotlb_pfsid-macros.patch
+mm-memcg-switch-to-css_tryget-in-get_mem_cgroup_from_mm.patch
+mm-hugetlb-switch-to-css_tryget-in-hugetlb_cgroup_charge_cgroup.patch
+mmc-sdhci-of-at91-fix-quirk2-overwrite.patch
diff --git a/queue-4.4/x86-quirks-disable-hpet-on-intel-coffe-lake-platforms.patch b/queue-4.4/x86-quirks-disable-hpet-on-intel-coffe-lake-platforms.patch
new file mode 100644
index 00000000000..c1ddf66bb6e
--- /dev/null
+++ b/queue-4.4/x86-quirks-disable-hpet-on-intel-coffe-lake-platforms.patch
@@ -0,0 +1,44 @@
+From fc5db58539b49351e76f19817ed1102bf7c712d0 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng
+Date: Wed, 16 Oct 2019 18:38:16 +0800
+Subject: x86/quirks: Disable HPET on Intel Coffe Lake platforms
+
+From: Kai-Heng Feng
+
+commit fc5db58539b49351e76f19817ed1102bf7c712d0 upstream.
+
+Some Coffee Lake platforms have a skewed HPET timer once the SoCs entered
+PC10, which in consequence marks TSC as unstable because HPET is used as
+watchdog clocksource for TSC.
+
+Harry Pan tried to work around it in the clocksource watchdog code [1]
+thereby creating a circular dependency between HPET and TSC. This also
+ignores the fact, that HPET is not only unsuitable as watchdog clocksource
+on these systems, it becomes unusable in general.
+
+Disable HPET on affected platforms.
+
+Suggested-by: Feng Tang
+Signed-off-by: Kai-Heng Feng
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203183
+Link: https://lore.kernel.org/lkml/20190516090651.1396-1-harry.pan@intel.com/ [1]
+Link: https://lkml.kernel.org/r/20191016103816.30650-1-kai.heng.feng@canonical.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/early-quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/early-quirks.c
++++ b/arch/x86/kernel/early-quirks.c
+@@ -699,6 +699,8 @@ static struct chipset early_qrk[] __init
+ */
+ { PCI_VENDOR_ID_INTEL, 0x0f00,
+ PCI_CLASS_BRIDGE_HOST, PCI_ANY_ID, 0, force_disable_hpet},
++ { PCI_VENDOR_ID_INTEL, 0x3ec4,
++ PCI_CLASS_BRIDGE_HOST, PCI_ANY_ID, 0, force_disable_hpet},
+ { PCI_VENDOR_ID_BROADCOM, 0x4331,
+ PCI_CLASS_NETWORK_OTHER, PCI_ANY_ID, 0, apple_airport_reset},
+ {}
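Review bot: The new `early_qrk[]` entry identifies the affected host bridge only by the bare device ID `0x3ec4` and adds no comment, whereas the `0x0f00` entry just before it sits under a comment block (the `*/` context line). I would add `/* Coffee Lake host bridge: HPET skews after PC10 and trips the TSC watchdog */` above the two added lines. The commit message says only some Coffee Lake platforms are affected, so the comment is also the place to record, if known, whether this single ID covers all of them. The table continues outside the hunk.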