From: Greg Kroah-Hartman Date: Thu, 19 Jul 2018 16:41:08 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.116~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f2989a0319c035899e8d555866adcb8f4f5f358c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: mips-call-dump_stack-from-show_regs.patch mips-use-async-ipis-for-arch_trigger_cpumask_backtrace.patch net-cxgb3_main-fix-potential-spectre-v1.patch rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch --- diff --git a/queue-4.4/mips-call-dump_stack-from-show_regs.patch b/queue-4.4/mips-call-dump_stack-from-show_regs.patch new file mode 100644 index 00000000000..c873922e285 --- /dev/null +++ b/queue-4.4/mips-call-dump_stack-from-show_regs.patch 
@@ -0,0 +1,72 @@ +From 5a267832c2ec47b2dad0fdb291a96bb5b8869315 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Fri, 22 Jun 2018 10:55:45 -0700 +Subject: MIPS: Call dump_stack() from show_regs() + +From: Paul Burton + +commit 5a267832c2ec47b2dad0fdb291a96bb5b8869315 upstream. + +The generic nmi_cpu_backtrace() function calls show_regs() when a struct +pt_regs is available, and dump_stack() otherwise. If we were to make use +of the generic nmi_cpu_backtrace() with MIPS' current implementation of +show_regs() this would mean that we see only register data with no +accompanying stack information, in contrast with our current +implementation which calls dump_stack() regardless of whether register +state is available. + +In preparation for making use of the generic nmi_cpu_backtrace() to +implement arch_trigger_cpumask_backtrace(), have our implementation of +show_regs() call dump_stack() and drop the explicit dump_stack() call in +arch_dump_stack() which is invoked by arch_trigger_cpumask_backtrace(). + +This will allow the output we produce to remain the same after a later +patch switches to using nmi_cpu_backtrace(). It may mean that we produce +extra stack output in other uses of show_regs(), but this: + + 1) Seems harmless. + 2) Is good for consistency between arch_trigger_cpumask_backtrace() + and other users of show_regs(). + 3) Matches the behaviour of the ARM & PowerPC architectures. + +Marked for stable back to v4.9 as a prerequisite of the following patch +"MIPS: Call dump_stack() from show_regs()". 
+ +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/19596/ +Cc: James Hogan +Cc: Ralf Baechle +Cc: Huacai Chen +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org # v4.9+ +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/process.c | 4 ++-- + arch/mips/kernel/traps.c | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -637,8 +637,8 @@ static void arch_dump_stack(void *info) + + if (regs) + show_regs(regs); +- +- dump_stack(); ++ else ++ dump_stack(); + } + + void arch_trigger_all_cpu_backtrace(bool include_self) +--- a/arch/mips/kernel/traps.c ++++ b/arch/mips/kernel/traps.c +@@ -344,6 +344,7 @@ static void __show_regs(const struct pt_ + void show_regs(struct pt_regs *regs) + { + __show_regs((struct pt_regs *)regs); ++ dump_stack(); + } + + void show_registers(struct pt_regs *regs) diff --git a/queue-4.4/mips-use-async-ipis-for-arch_trigger_cpumask_backtrace.patch b/queue-4.4/mips-use-async-ipis-for-arch_trigger_cpumask_backtrace.patch new file mode 100644 index 00000000000..d23591abc61 --- /dev/null +++ b/queue-4.4/mips-use-async-ipis-for-arch_trigger_cpumask_backtrace.patch 
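Review bot: in the arch/mips/kernel/process.c hunk, arch_dump_stack() now calls dump_stack() only in the else branch, so the regs != NULL path prints a stack trace only because the arch/mips/kernel/traps.c hunk adds `dump_stack();` to show_regs(); keep both hunks together in the backport, since applying the process.c part alone would silently drop the stack output for CPUs that have interrupt registers available. The context line `void arch_trigger_all_cpu_backtrace(bool include_self)` shows that 4.4 still has the older entry point, while the subject and body talk about arch_trigger_cpumask_backtrace() and name the follow-up as "MIPS: Call dump_stack() from show_regs()", which is this patch's own title; a bracketed backport note, as the companion async-IPI patch carries, would make the 4.4 differences and the intended prerequisite ("MIPS: Use async IPIs for arch_trigger_cpumask_backtrace()") explicit.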
@@ -0,0 +1,165 @@ +From b63e132b6433a41cf311e8bc382d33fd2b73b505 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Fri, 22 Jun 2018 10:55:46 -0700 +Subject: MIPS: Use async IPIs for arch_trigger_cpumask_backtrace() + +From: Paul Burton + +commit b63e132b6433a41cf311e8bc382d33fd2b73b505 upstream. + +The current MIPS implementation of arch_trigger_cpumask_backtrace() is +broken because it attempts to use synchronous IPIs despite the fact that +it may be run with interrupts disabled. + +This means that when arch_trigger_cpumask_backtrace() is invoked, for +example by the RCU CPU stall watchdog, we may: + + - Deadlock due to use of synchronous IPIs with interrupts disabled, + causing the CPU that's attempting to generate the backtrace output + to hang itself. + + - Not succeed in generating the desired output from remote CPUs. + + - Produce warnings about this from smp_call_function_many(), for + example: + + [42760.526910] INFO: rcu_sched detected stalls on CPUs/tasks: + [42760.535755] 0-...!: (1 GPs behind) idle=ade/140000000000000/0 softirq=526944/526945 fqs=0 + [42760.547874] 1-...!: (0 ticks this GP) idle=e4a/140000000000000/0 softirq=547885/547885 fqs=0 + [42760.559869] (detected by 2, t=2162 jiffies, g=266689, c=266688, q=33) + [42760.568927] ------------[ cut here ]------------ + [42760.576146] WARNING: CPU: 2 PID: 1216 at kernel/smp.c:416 smp_call_function_many+0x88/0x20c + [42760.587839] Modules linked in: + [42760.593152] CPU: 2 PID: 1216 Comm: sh Not tainted 4.15.4-00373-gee058bb4d0c2 #2 + [42760.603767] Stack : 8e09bd20 8e09bd20 8e09bd20 fffffff0 00000007 00000006 00000000 8e09bca8 + [42760.616937] 95b2b379 95b2b379 807a0080 00000007 81944518 0000018a 00000032 00000000 + [42760.630095] 00000000 00000030 80000000 00000000 806eca74 00000009 8017e2b8 000001a0 + [42760.643169] 00000000 00000002 00000000 8e09baa4 00000008 808b8008 86d69080 8e09bca0 + [42760.656282] 8e09ad50 805e20aa 00000000 00000000 00000000 8017e2b8 00000009 801070ca + [42760.669424] ... 
+ [42760.673919] Call Trace: + [42760.678672] [<27fde568>] show_stack+0x70/0xf0 + [42760.685417] [<84751641>] dump_stack+0xaa/0xd0 + [42760.692188] [<699d671c>] __warn+0x80/0x92 + [42760.698549] [<68915d41>] warn_slowpath_null+0x28/0x36 + [42760.705912] [] smp_call_function_many+0x88/0x20c + [42760.713696] [<6bbdfc2a>] arch_trigger_cpumask_backtrace+0x30/0x4a + [42760.722216] [] rcu_dump_cpu_stacks+0x6a/0x98 + [42760.729580] [<796e7629>] rcu_check_callbacks+0x672/0x6ac + [42760.737476] [<059b3b43>] update_process_times+0x18/0x34 + [42760.744981] [<6eb94941>] tick_sched_handle.isra.5+0x26/0x38 + [42760.752793] [<478d3d70>] tick_sched_timer+0x1c/0x50 + [42760.759882] [] __hrtimer_run_queues+0xc6/0x226 + [42760.767418] [] hrtimer_interrupt+0x88/0x19a + [42760.775031] [<6765a19e>] gic_compare_interrupt+0x2e/0x3a + [42760.782761] [<0558bf5f>] handle_percpu_devid_irq+0x78/0x168 + [42760.790795] [<90c11ba2>] generic_handle_irq+0x1e/0x2c + [42760.798117] [<1b6d462c>] gic_handle_local_int+0x38/0x86 + [42760.805545] [] gic_irq_dispatch+0xa/0x14 + [42760.812534] [<90c11ba2>] generic_handle_irq+0x1e/0x2c + [42760.820086] [] do_IRQ+0x16/0x20 + [42760.826274] [<9aef3ce6>] plat_irq_dispatch+0x62/0x94 + [42760.833458] [<6a94b53c>] except_vec_vi_end+0x70/0x78 + [42760.840655] [<22284043>] smp_call_function_many+0x1ba/0x20c + [42760.848501] [<54022b58>] smp_call_function+0x1e/0x2c + [42760.855693] [] flush_tlb_mm+0x2a/0x98 + [42760.862730] [<0844cdd0>] tlb_flush_mmu+0x1c/0x44 + [42760.869628] [] arch_tlb_finish_mmu+0x26/0x3e + [42760.877021] [<1aeaaf74>] tlb_finish_mmu+0x18/0x66 + [42760.883907] [] exit_mmap+0x76/0xea + [42760.890428] [] mmput+0x80/0x11a + [42760.896632] [] do_exit+0x1f4/0x80c + [42760.903158] [] do_group_exit+0x20/0x7e + [42760.909990] [<13fa8d54>] __wake_up_parent+0x0/0x1e + [42760.917045] [<46cf89d0>] smp_call_function_many+0x1a2/0x20c + [42760.924893] [<8c21a93b>] syscall_common+0x14/0x1c + [42760.931765] ---[ end trace 02aa09da9dc52a60 ]--- + [42760.938342] 
------------[ cut here ]------------ + [42760.945311] WARNING: CPU: 2 PID: 1216 at kernel/smp.c:291 smp_call_function_single+0xee/0xf8 + ... + +This patch switches MIPS' arch_trigger_cpumask_backtrace() to use async +IPIs & smp_call_function_single_async() in order to resolve this +problem. We ensure use of the pre-allocated call_single_data_t +structures is serialized by maintaining a cpumask indicating that +they're busy, and refusing to attempt to send an IPI when a CPU's bit is +set in this mask. This should only happen if a CPU hasn't responded to a +previous backtrace IPI - ie. if it's hung - and we print a warning to +the console in this case. + +I've marked this for stable branches as far back as v4.9, to which it +applies cleanly. Strictly speaking the faulty MIPS implementation can be +traced further back to commit 856839b76836 ("MIPS: Add +arch_trigger_all_cpu_backtrace() function") in v3.19, but kernel +versions v3.19 through v4.8 will require further work to backport due to +the rework performed in commit 9a01c3ed5cdb ("nmi_backtrace: add more +trigger_*_cpu_backtrace() methods"). 
+ +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/19597/ +Cc: James Hogan +Cc: Ralf Baechle +Cc: Huacai Chen +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org # v4.9+ +Fixes: 856839b76836 ("MIPS: Add arch_trigger_all_cpu_backtrace() function") +Fixes: 9a01c3ed5cdb ("nmi_backtrace: add more trigger_*_cpu_backtrace() methods") +[ Huacai: backported to 4.4: Restruction since generic NMI solution is unavailable ] +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/kernel/process.c | 29 ++++++++++++++++++++++++++++- + 1 file changed, 28 insertions(+), 1 deletion(-) + +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -629,21 +629,48 @@ unsigned long arch_align_stack(unsigned + return sp & ALMASK; + } + ++static DEFINE_PER_CPU(struct call_single_data, backtrace_csd); ++static struct cpumask backtrace_csd_busy; ++ + static void arch_dump_stack(void *info) + { + struct pt_regs *regs; ++ static arch_spinlock_t lock = __ARCH_SPIN_LOCK_UNLOCKED; + ++ arch_spin_lock(&lock); + regs = get_irq_regs(); + + if (regs) + show_regs(regs); + else + dump_stack(); ++ arch_spin_unlock(&lock); ++ ++ cpumask_clear_cpu(smp_processor_id(), &backtrace_csd_busy); + } + + void arch_trigger_all_cpu_backtrace(bool include_self) + { +- smp_call_function(arch_dump_stack, NULL, 1); ++ struct call_single_data *csd; ++ int cpu; ++ ++ for_each_cpu(cpu, cpu_online_mask) { ++ /* ++ * If we previously sent an IPI to the target CPU & it hasn't ++ * cleared its bit in the busy cpumask then it didn't handle ++ * our previous IPI & it's not safe for us to reuse the ++ * call_single_data_t. 
++ */ ++ if (cpumask_test_and_set_cpu(cpu, &backtrace_csd_busy)) { ++ pr_warn("Unable to send backtrace IPI to CPU%u - perhaps it hung?\n", ++ cpu); ++ continue; ++ } ++ ++ csd = &per_cpu(backtrace_csd, cpu); ++ csd->func = arch_dump_stack; ++ smp_call_function_single_async(cpu, csd); ++ } + } + + int mips_get_process_fp_mode(struct task_struct *task) diff --git a/queue-4.4/net-cxgb3_main-fix-potential-spectre-v1.patch b/queue-4.4/net-cxgb3_main-fix-potential-spectre-v1.patch new file mode 100644 index 00000000000..d9fda96e059 --- /dev/null +++ b/queue-4.4/net-cxgb3_main-fix-potential-spectre-v1.patch 
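Review bot: in the arch/mips/kernel/process.c hunk, the rewritten arch_trigger_all_cpu_backtrace() loops over cpu_online_mask and never reads its include_self parameter, so the calling CPU is always sent a backtrace csd; the replaced `smp_call_function(arch_dump_stack, NULL, 1)` excluded the caller, so this is a behaviour change for include_self == false that the backport note should mention, or the loop should skip smp_processor_id() when include_self is false. The busy-bit protocol looks sound: cpumask_test_and_set_cpu() claims the per-CPU csd before smp_call_function_single_async(), and arch_dump_stack() clears the bit only after arch_spin_unlock(), so a CPU that never runs the handler keeps its bit set and later attempts hit the pr_warn() path instead of reusing a still-queued csd. Two smaller points: csd->info is never assigned (harmless because arch_dump_stack() ignores its argument, but a comment saying so would help), and the added in-code comment says call_single_data_t while this 4.4 backport declares `struct call_single_data`.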
@@ -0,0 +1,53 @@ +From 676bcfece19f83621e905aa55b5ed2d45cc4f2d3 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 16 Jul 2018 20:59:58 -0500 +Subject: net: cxgb3_main: fix potential Spectre v1 + +From: Gustavo A. R. Silva + +commit 676bcfece19f83621e905aa55b5ed2d45cc4f2d3 upstream. + +t.qset_idx can be indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2286 cxgb_extension_ioctl() +warn: potential spectre issue 'adapter->msix_info' + +Fix this by sanitizing t.qset_idx before using it to index +adapter->msix_info + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +@@ -50,6 +50,7 @@ + #include + #include + #include ++#include + #include + + #include "common.h" +@@ -2256,6 +2257,7 @@ static int cxgb_extension_ioctl(struct n + + if (t.qset_idx >= nqsets) + return -EINVAL; ++ t.qset_idx = array_index_nospec(t.qset_idx, nqsets); + + q = &adapter->params.sge.qset[q1 + t.qset_idx]; + t.rspq_size = q->rspq_size; diff --git a/queue-4.4/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch b/queue-4.4/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch new file mode 100644 index 00000000000..2dc4f5ca468 --- /dev/null +++ b/queue-4.4/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch 
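Review bot: in the cxgb3_main.c hunk at line 2257, `t.qset_idx = array_index_nospec(t.qset_idx, nqsets);` is placed directly after the `if (t.qset_idx >= nqsets) return -EINVAL;` check, which is the right spot: the clamp uses the same bound as the check and happens before the `adapter->params.sge.qset[q1 + t.qset_idx]` load in this hunk, so the later adapter->msix_info use that Smatch reported at line 2286 also sees the sanitized index. The first hunk's added `#include` line renders here with its header name stripped by the page extraction; array_index_nospec() is declared in linux/nospec.h, so confirm the queued 4.4 patch names that header and that the 4.4 tree already carries it.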
@@ -0,0 +1,41 @@ +From 9a98302de19991d51e067b88750585203b2a3ab6 Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Thu, 28 Jun 2018 10:02:27 +0800 +Subject: rtlwifi: rtl8821ae: fix firmware is not ready to run + +From: Ping-Ke Shih + +commit 9a98302de19991d51e067b88750585203b2a3ab6 upstream. + +Without this patch, firmware will not run properly on rtl8821ae, and it +causes bad user experience. For example, bad connection performance with +low rate, higher power consumption, and so on. + +rtl8821ae uses two kinds of firmwares for normal and WoWlan cases, and +each firmware has firmware data buffer and size individually. Original +code always overwrite size of normal firmware rtlpriv->rtlhal.fwsize, and +this mismatch causes firmware checksum error, then firmware can't start. + +In this situation, driver gives message "Firmware is not ready to run!". + +Fixes: fe89707f0afa ("rtlwifi: rtl8821ae: Simplify loading of WOWLAN firmware") +Signed-off-by: Ping-Ke Shih +Cc: Stable # 4.0+ +Reviewed-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/core.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/core.c ++++ b/drivers/net/wireless/realtek/rtlwifi/core.c +@@ -135,7 +135,6 @@ found_alt: + firmware->size); + rtlpriv->rtlhal.wowlan_fwsize = firmware->size; + } +- rtlpriv->rtlhal.fwsize = firmware->size; + release_firmware(firmware); + } + diff --git a/queue-4.4/series b/queue-4.4/series index 27158f11485..102f7444593 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
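Review bot: in the rtlwifi core.c hunk, removing `rtlpriv->rtlhal.fwsize = firmware->size;` after the `}` that closes the WoWLAN branch means nothing in this hunk assigns the normal firmware size any more; the hunk shows only the WoWLAN side (wowlan_fwsize), so the review should confirm that the non-WoWLAN branch above this context already sets rtlhal.fwsize, otherwise the checksum mismatch the message describes just moves to the normal firmware. A short comment at the removal point stating that each firmware kind records its own size would stop a later patch from re-adding the shared assignment.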
@@ -21,3 +21,7 @@ tcp-prevent-bogus-frto-undos-with-non-sack-flows.patch vhost_net-validate-sock-before-trying-to-put-its-fd.patch net_sched-blackhole-tell-upper-qdisc-about-dropped-packets.patch net-mlx5-fix-command-interface-race-in-polling-mode.patch +net-cxgb3_main-fix-potential-spectre-v1.patch +rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch +mips-call-dump_stack-from-show_regs.patch +mips-use-async-ipis-for-arch_trigger_cpumask_backtrace.patch
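Review bot: the series hunk appends the two MIPS patches with mips-call-dump_stack-from-show_regs.patch before mips-use-async-ipis-for-arch_trigger_cpumask_backtrace.patch, which matches the prerequisite relationship the first patch's message states; keep that relative order if the queue is reshuffled, since the async-IPI patch's process.c hunk carries the `else dump_stack();` form from the first patch in its context lines and would not apply cleanly without it.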