From 543cf0cf96e63106c9efcb506231a22f66b5038c Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 11 Nov 2019 07:41:30 +0100 Subject: [PATCH] 4.9-stable patches added patches: alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch alsa-hda-ca0132-fix-possible-workqueue-stall.patch alsa-timer-fix-incorrectly-assigned-timer-instance.patch can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch can-gs_usb-gs_can_open-prevent-memory-leak.patch can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch can-peak_usb-fix-slab-info-leak.patch can-usb_8dev-fix-use-after-free-on-disconnect.patch ceph-fix-use-after-free-in-__ceph_remove_cap.patch drm-radeon-fix-si_enable_smc_cac-failed-issue.patch dump_stack-avoid-the-livelock-of-the-dump_lock.patch iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch intel_th-pci-add-comet-lake-pch-support.patch mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch perf-tools-fix-time-sorting.patch --- ...for-focusrite-saffire-pro-i-o-series.patch | 50 ++++++ ...-ca0132-fix-possible-workqueue-stall.patch | 41 +++++ ...-incorrectly-assigned-timer-instance.patch | 61 ++++++++ ...ead-status-register-after-status-irq.patch | 93 +++++++++++ ..._usb-gs_can_open-prevent-memory-leak.patch | 32 ++++ ...l-out-of-sync-while-decoding-packets.patch | 80 ++++++++++ .../can-peak_usb-fix-slab-info-leak.patch | 39 +++++ ...dev-fix-use-after-free-on-disconnect.patch | 36 +++++ ...-use-after-free-in-__ceph_remove_cap.patch | 73 +++++++++ ...n-fix-si_enable_smc_cac-failed-issue.patch | 33 ++++ ...-avoid-the-livelock-of-the-dump_lock.patch | 47 ++++++ ...-sure-provided-frequency-is-positive.patch | 40 +++++ ...el_th-pci-add-comet-lake-pch-support.patch | 35 +++++ 
...and-high-limits-after-init-completes.patch | 120 +++++++++++++++ ...hp-correctly-in-pagetranscompoundmap.patch | 145 ++++++++++++++++++ ...-proc-pagetypeinfo-from-normal-users.patch | 57 +++++++ ...x-an-error-code-in-ip_set_sockfn_get.patch | 47 ++++++ ...lign-nft_expr-private-data-to-64-bit.patch | 60 ++++++++ queue-4.9/perf-tools-fix-time-sorting.patch | 46 ++++++ queue-4.9/series | 19 +++ 20 files changed, 1154 insertions(+) create mode 100644 queue-4.9/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch create mode 100644 queue-4.9/alsa-hda-ca0132-fix-possible-workqueue-stall.patch create mode 100644 queue-4.9/alsa-timer-fix-incorrectly-assigned-timer-instance.patch create mode 100644 queue-4.9/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch create mode 100644 queue-4.9/can-gs_usb-gs_can_open-prevent-memory-leak.patch create mode 100644 queue-4.9/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch create mode 100644 queue-4.9/can-peak_usb-fix-slab-info-leak.patch create mode 100644 queue-4.9/can-usb_8dev-fix-use-after-free-on-disconnect.patch create mode 100644 queue-4.9/ceph-fix-use-after-free-in-__ceph_remove_cap.patch create mode 100644 queue-4.9/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch create mode 100644 queue-4.9/dump_stack-avoid-the-livelock-of-the-dump_lock.patch create mode 100644 queue-4.9/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch create mode 100644 queue-4.9/intel_th-pci-add-comet-lake-pch-support.patch create mode 100644 queue-4.9/mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch create mode 100644 queue-4.9/mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch create mode 100644 queue-4.9/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch create mode 100644 queue-4.9/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch create mode 100644 
queue-4.9/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch create mode 100644 queue-4.9/perf-tools-fix-time-sorting.patch diff --git a/queue-4.9/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch b/queue-4.9/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch new file mode 100644 index 00000000000..be9b3c4bce8 --- /dev/null +++ b/queue-4.9/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch 
@@ -0,0 +1,50 @@ +From 706ad6746a66546daf96d4e4a95e46faf6cf689a Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Sun, 3 Nov 2019 00:09:20 +0900 +Subject: ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series + +From: Takashi Sakamoto + +commit 706ad6746a66546daf96d4e4a95e46faf6cf689a upstream. + +For Focusrite Saffire Pro i/o, the lowest 8 bits of register represents +configured source of sampling clock. The next lowest 8 bits represents +whether the configured source is actually detected or not just after +the register is changed for the source. + +Current implementation evaluates whole the register to detect configured +source. This results in failure due to the next lowest 8 bits when the +source is connected in advance. + +This commit fixes the bug. + +Fixes: 25784ec2d034 ("ALSA: bebob: Add support for Focusrite Saffire/SaffirePro series") +Cc: # v3.16+ +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20191102150920.20367-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/bebob/bebob_focusrite.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/firewire/bebob/bebob_focusrite.c ++++ b/sound/firewire/bebob/bebob_focusrite.c +@@ -28,6 +28,8 @@ + #define SAFFIRE_CLOCK_SOURCE_SPDIF 1 + + /* clock sources as returned from register of Saffire Pro 10 and 26 */ ++#define SAFFIREPRO_CLOCK_SOURCE_SELECT_MASK 0x000000ff ++#define SAFFIREPRO_CLOCK_SOURCE_DETECT_MASK 0x0000ff00 + #define SAFFIREPRO_CLOCK_SOURCE_INTERNAL 0 + #define SAFFIREPRO_CLOCK_SOURCE_SKIP 1 /* never used on hardware */ + #define SAFFIREPRO_CLOCK_SOURCE_SPDIF 2 +@@ -190,6 +192,7 @@ saffirepro_both_clk_src_get(struct snd_b + map = saffirepro_clk_maps[1]; + + /* In a case that this driver cannot handle the value of register. */ ++ value &= SAFFIREPRO_CLOCK_SOURCE_SELECT_MASK; + if (value >= SAFFIREPRO_CLOCK_SOURCE_COUNT || map[value] < 0) { + err = -EIO; + goto end; 
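Review bot: `SAFFIREPRO_CLOCK_SOURCE_DETECT_MASK` is defined in the first hunk but never referenced by the patch; only the SELECT mask is applied in saffirepro_both_clk_src_get(). If it exists to document the register layout, a comment beside the define should say so (`/* bits 8..15: source actually detected, informational only */`); otherwise it is dead code. The `value &= SAFFIREPRO_CLOCK_SOURCE_SELECT_MASK;` must stay ahead of the `value >= SAFFIREPRO_CLOCK_SOURCE_COUNT || map[value] < 0` test, because that test is what bounds the `map[]` index against whatever the FireWire device returns and the mask only keeps the detect bits from tripping it, so a one-line comment pinning that order would protect it. saffirepro_both_clk_src_get() starts and ends outside the hunk.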
diff --git a/queue-4.9/alsa-hda-ca0132-fix-possible-workqueue-stall.patch b/queue-4.9/alsa-hda-ca0132-fix-possible-workqueue-stall.patch new file mode 100644 index 00000000000..74aa1ffe96f --- /dev/null +++ b/queue-4.9/alsa-hda-ca0132-fix-possible-workqueue-stall.patch @@ -0,0 +1,41 @@ +From 15c2b3cc09a31620914955cb2a89c277c18ee999 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 5 Nov 2019 14:43:16 +0100 +Subject: ALSA: hda/ca0132 - Fix possible workqueue stall + +From: Takashi Iwai + +commit 15c2b3cc09a31620914955cb2a89c277c18ee999 upstream. + +The unsolicited event handler for the headphone jack on CA0132 codec +driver tries to reschedule the another delayed work with +cancel_delayed_work_sync(). It's no good idea, unfortunately, +especially after we changed the work queue to the standard global +one; this may lead to a stall because both works are using the same +global queue. + +Fix it by dropping the _sync but does call cancel_delayed_work() +instead. + +Fixes: 993884f6a26c ("ALSA: hda/ca0132 - Delay HP amp turnon.") +BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1155836 +Cc: +Link: https://lore.kernel.org/r/20191105134316.19294-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_ca0132.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -4440,7 +4440,7 @@ static void hp_callback(struct hda_codec + /* Delay enabling the HP amp, to let the mic-detection + * state machine run. + */ +- cancel_delayed_work_sync(&spec->unsol_hp_work); ++ cancel_delayed_work(&spec->unsol_hp_work); + schedule_delayed_work(&spec->unsol_hp_work, msecs_to_jiffies(500)); + tbl = snd_hda_jack_tbl_get(codec, cb->nid); + if (tbl) diff --git a/queue-4.9/alsa-timer-fix-incorrectly-assigned-timer-instance.patch b/queue-4.9/alsa-timer-fix-incorrectly-assigned-timer-instance.patch new file mode 100644 index 00000000000..d5d7804551a 
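Review bot: Dropping `_sync` means hp_callback() no longer waits for a running unsol_hp_work instance; for a re-arm that is fine, since schedule_delayed_work() after cancel_delayed_work() simply queues a fresh run, but the work body must tolerate executing concurrently with its own re-queue, and any teardown path that frees `spec` (not in this hunk) still needs the `_sync` variant or the work can run on freed memory. A short comment would stop someone "fixing" this back: `/* no _sync: both works share the system workqueue, waiting here can stall it; the free path still flushes */`. hp_callback() starts and ends outside the hunk.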
--- /dev/null +++ b/queue-4.9/alsa-timer-fix-incorrectly-assigned-timer-instance.patch 
@@ -0,0 +1,61 @@ +From e7af6307a8a54f0b873960b32b6a644f2d0fbd97 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 6 Nov 2019 17:55:47 +0100 +Subject: ALSA: timer: Fix incorrectly assigned timer instance + +From: Takashi Iwai + +commit e7af6307a8a54f0b873960b32b6a644f2d0fbd97 upstream. + +The clean up commit 41672c0c24a6 ("ALSA: timer: Simplify error path in +snd_timer_open()") unified the error handling code paths with the +standard goto, but it introduced a subtle bug: the timer instance is +stored in snd_timer_open() incorrectly even if it returns an error. +This may eventually lead to UAF, as spotted by fuzzer. + +The culprit is the snd_timer_open() code checks the +SNDRV_TIMER_IFLG_EXCLUSIVE flag with the common variable timeri. +This variable is supposed to be the newly created instance, but we +(ab-)used it for a temporary check before the actual creation of a +timer instance. After that point, there is another check for the max +number of instances, and it bails out if over the threshold. Before +the refactoring above, it worked fine because the code returned +directly from that point. After the refactoring, however, it jumps to +the unified error path that stores the timeri variable in return -- +even if it returns an error. Unfortunately this stored value is kept +in the caller side (snd_timer_user_tselect()) in tu->timeri. This +causes inconsistency later, as if the timer was successfully +assigned. + +In this patch, we fix it by not re-using timeri variable but a +temporary variable for testing the exclusive connection, so timeri +remains NULL at that point. 
+ +Fixes: 41672c0c24a6 ("ALSA: timer: Simplify error path in snd_timer_open()") +Reported-and-tested-by: Tristan Madani +Cc: +Link: https://lore.kernel.org/r/20191106165547.23518-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -297,11 +297,11 @@ int snd_timer_open(struct snd_timer_inst + goto unlock; + } + if (!list_empty(&timer->open_list_head)) { +- timeri = list_entry(timer->open_list_head.next, ++ struct snd_timer_instance *t = ++ list_entry(timer->open_list_head.next, + struct snd_timer_instance, open_list); +- if (timeri->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) { ++ if (t->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) { + err = -EBUSY; +- timeri = NULL; + goto unlock; + } + } diff --git a/queue-4.9/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch b/queue-4.9/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch new file mode 100644 index 00000000000..93a929ca93a --- /dev/null +++ b/queue-4.9/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch 
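Review bot: The fix is only correct if `timeri` is NULL on entry and stays NULL until the instance is actually created, because the `unlock:` path both error jumps take (outside this hunk) evidently hands `timeri` back to the caller; the declaration and initialiser are not visible here, so please confirm it is `= NULL`. A comment at the peek would make the invariant explicit: `/* peek at the first open instance without touching timeri: the unlock path returns timeri to the caller even on error */`. A more telling name than `t`, such as `first`, would also read better. snd_timer_open() starts and ends outside the hunk.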
@@ -0,0 +1,93 @@ +From 3cb3eaac52c0f145d895f4b6c22834d5f02b8569 Mon Sep 17 00:00:00 2001 +From: Kurt Van Dijck +Date: Tue, 1 Oct 2019 09:40:36 +0200 +Subject: can: c_can: c_can_poll(): only read status register after status IRQ + +From: Kurt Van Dijck + +commit 3cb3eaac52c0f145d895f4b6c22834d5f02b8569 upstream. + +When the status register is read without the status IRQ pending, the +chip may not raise the interrupt line for an upcoming status interrupt +and the driver may miss a status interrupt. + +It is critical that the BUSOFF status interrupt is forwarded to the +higher layers, since no more interrupts will follow without +intervention. + +Thanks to Wolfgang and Joe for bringing up the first idea. + +Signed-off-by: Kurt Van Dijck +Cc: Wolfgang Grandegger +Cc: Joe Burmeister +Fixes: fa39b54ccf28 ("can: c_can: Get rid of pointless interrupts") +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/c_can/c_can.c | 25 ++++++++++++++++++++----- + drivers/net/can/c_can/c_can.h | 1 + + 2 files changed, 21 insertions(+), 5 deletions(-) + +--- a/drivers/net/can/c_can/c_can.c ++++ b/drivers/net/can/c_can/c_can.c +@@ -97,6 +97,9 @@ + #define BTR_TSEG2_SHIFT 12 + #define BTR_TSEG2_MASK (0x7 << BTR_TSEG2_SHIFT) + ++/* interrupt register */ ++#define INT_STS_PENDING 0x8000 ++ + /* brp extension register */ + #define BRP_EXT_BRPE_MASK 0x0f + #define BRP_EXT_BRPE_SHIFT 0 +@@ -1029,10 +1032,16 @@ static int c_can_poll(struct napi_struct + u16 curr, last = priv->last_status; + int work_done = 0; + +- priv->last_status = curr = priv->read_reg(priv, C_CAN_STS_REG); +- /* Ack status on C_CAN. D_CAN is self clearing */ +- if (priv->type != BOSCH_D_CAN) +- priv->write_reg(priv, C_CAN_STS_REG, LEC_UNUSED); ++ /* Only read the status register if a status interrupt was pending */ ++ if (atomic_xchg(&priv->sie_pending, 0)) { ++ priv->last_status = curr = priv->read_reg(priv, C_CAN_STS_REG); ++ /* Ack status on C_CAN. 
D_CAN is self clearing */ ++ if (priv->type != BOSCH_D_CAN) ++ priv->write_reg(priv, C_CAN_STS_REG, LEC_UNUSED); ++ } else { ++ /* no change detected ... */ ++ curr = last; ++ } + + /* handle state changes */ + if ((curr & STATUS_EWARN) && (!(last & STATUS_EWARN))) { +@@ -1083,10 +1092,16 @@ static irqreturn_t c_can_isr(int irq, vo + { + struct net_device *dev = (struct net_device *)dev_id; + struct c_can_priv *priv = netdev_priv(dev); ++ int reg_int; + +- if (!priv->read_reg(priv, C_CAN_INT_REG)) ++ reg_int = priv->read_reg(priv, C_CAN_INT_REG); ++ if (!reg_int) + return IRQ_NONE; + ++ /* save for later use */ ++ if (reg_int & INT_STS_PENDING) ++ atomic_set(&priv->sie_pending, 1); ++ + /* disable all interrupts and schedule the NAPI */ + c_can_irq_control(priv, false); + napi_schedule(&priv->napi); +--- a/drivers/net/can/c_can/c_can.h ++++ b/drivers/net/can/c_can/c_can.h +@@ -198,6 +198,7 @@ struct c_can_priv { + struct net_device *dev; + struct device *device; + atomic_t tx_active; ++ atomic_t sie_pending; + unsigned long tx_dir; + int last_status; + u16 (*read_reg) (const struct c_can_priv *priv, enum reg index); diff --git a/queue-4.9/can-gs_usb-gs_can_open-prevent-memory-leak.patch b/queue-4.9/can-gs_usb-gs_can_open-prevent-memory-leak.patch new file mode 100644 index 00000000000..363db0f0f66 --- /dev/null +++ b/queue-4.9/can-gs_usb-gs_can_open-prevent-memory-leak.patch 
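Review bot: `priv->sie_pending` is added to c_can_priv but nowhere in the patch is it initialised or cleared on open/stop, so it relies on the netdev private area being zero-allocated, and a status IRQ that lands just before the interface is stopped leaves the flag set for the next open. That costs at worst one extra status-register read on the first poll, which the old code did unconditionally, but an explicit `atomic_set(&priv->sie_pending, 0);` in the open path would make the contract obvious. In c_can_isr(), `reg_int` is declared `int` for a `u16` register read; `u16 reg_int;` matches the register width and the `INT_STS_PENDING` (0x8000) test. Both c_can_poll() and c_can_isr() start and end outside the hunk.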
@@ -0,0 +1,32 @@
+From fb5be6a7b4863ecc44963bb80ca614584b6c7817 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Thu, 19 Sep 2019 21:44:38 -0500
+Subject: can: gs_usb: gs_can_open(): prevent memory leak
+
+From: Navid Emamdoost
+
+commit fb5be6a7b4863ecc44963bb80ca614584b6c7817 upstream.
+
+In gs_can_open() if usb_submit_urb() fails the allocated urb should be
+released.
+
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Cc: linux-stable
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/usb/gs_usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -632,6 +632,7 @@ static int gs_can_open(struct net_device
+ rc);
+ 
+ usb_unanchor_urb(urb);
++ usb_free_urb(urb);
+ break;
+ }
+ 
diff --git a/queue-4.9/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch b/queue-4.9/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch
new file mode 100644
index 00000000000..76eef2f97c8
--- /dev/null
+++ b/queue-4.9/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch
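Review bot: Freeing the URB on the usb_submit_urb() failure path fixes the struct leak, but the URB's transfer buffer is a separate allocation; if gs_can_open() obtains it with usb_alloc_coherent() earlier in the loop (outside this hunk) and does not set URB_FREE_BUFFER, `usb_free_urb()` alone still leaks that buffer. In that case the failure path also needs a release along the lines of `usb_free_coherent(udev, sizeof(struct gs_host_frame), urb->transfer_buffer, urb->transfer_dma);` ahead of `usb_free_urb(urb);`. Separately, `break` lets the function carry on opening the device with fewer receive URBs than intended; if that is deliberate best-effort, a comment on the `break` saying so would help. gs_can_open() starts and ends outside the hunk.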
@@ -0,0 +1,80 @@ +From de280f403f2996679e2607384980703710576fed Mon Sep 17 00:00:00 2001 +From: Stephane Grosjean +Date: Tue, 8 Oct 2019 10:35:44 +0200 +Subject: can: peak_usb: fix a potential out-of-sync while decoding packets + +From: Stephane Grosjean + +commit de280f403f2996679e2607384980703710576fed upstream. + +When decoding a buffer received from PCAN-USB, the first timestamp read in +a packet is a 16-bit coded time base, and the next ones are an 8-bit +offset to this base, regardless of the type of packet read. + +This patch corrects a potential loss of synchronization by using a +timestamp index read from the buffer, rather than an index of received +data packets, to determine on the sizeof the timestamp to be read from the +packet being decoded. + +Signed-off-by: Stephane Grosjean +Fixes: 46be265d3388 ("can: usb: PEAK-System Technik PCAN-USB specific part") +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/peak_usb/pcan_usb.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb.c +@@ -108,7 +108,7 @@ struct pcan_usb_msg_context { + u8 *end; + u8 rec_cnt; + u8 rec_idx; +- u8 rec_data_idx; ++ u8 rec_ts_idx; + struct net_device *netdev; + struct pcan_usb *pdev; + }; +@@ -552,10 +552,15 @@ static int pcan_usb_decode_status(struct + mc->ptr += PCAN_USB_CMD_ARGS; + + if (status_len & PCAN_USB_STATUSLEN_TIMESTAMP) { +- int err = pcan_usb_decode_ts(mc, !mc->rec_idx); ++ int err = pcan_usb_decode_ts(mc, !mc->rec_ts_idx); + + if (err) + return err; ++ ++ /* Next packet in the buffer will have a timestamp on a single ++ * byte ++ */ ++ mc->rec_ts_idx++; + } + + switch (f) { +@@ -638,10 +643,13 @@ static int pcan_usb_decode_data(struct p + + cf->can_dlc = get_can_dlc(rec_len); + +- /* first data packet timestamp is a word */ +- if (pcan_usb_decode_ts(mc, !mc->rec_data_idx)) ++ /* Only 
first packet timestamp is a word */ ++ if (pcan_usb_decode_ts(mc, !mc->rec_ts_idx)) + goto decode_failed; + ++ /* Next packet in the buffer will have a timestamp on a single byte */ ++ mc->rec_ts_idx++; ++ + /* read data */ + memset(cf->data, 0x0, sizeof(cf->data)); + if (status_len & PCAN_USB_STATUSLEN_RTR) { +@@ -695,7 +703,6 @@ static int pcan_usb_decode_msg(struct pe + /* handle normal can frames here */ + } else { + err = pcan_usb_decode_data(&mc, sl); +- mc.rec_data_idx++; + } + } + diff --git a/queue-4.9/can-peak_usb-fix-slab-info-leak.patch b/queue-4.9/can-peak_usb-fix-slab-info-leak.patch new file mode 100644 index 00000000000..765b1d6f9c3 --- /dev/null +++ b/queue-4.9/can-peak_usb-fix-slab-info-leak.patch 
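Review bot: `rec_ts_idx` is a `u8` that is only ever tested for zero, so it is really a "first timestamp seen" flag; as a counter it would wrap after 256 timestamped records and silently read a 16-bit base again mid-buffer. The USB receive buffer is presumably far too small for that many records, so this is not reachable today, but a `bool` (or a comment stating that the wrap is unreachable) would make the intent clear. Because these bytes come straight from the device, the bounds check inside pcan_usb_decode_ts() against `mc->end` (outside the hunk) is what keeps the variable-width read safe; worth confirming it covers the 2-byte case. Both pcan_usb_decode_status() and pcan_usb_decode_data() start and end outside the hunk.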
@@ -0,0 +1,39 @@
+From f7a1337f0d29b98733c8824e165fca3371d7d4fd Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 23 Oct 2019 10:27:05 +0200
+Subject: can: peak_usb: fix slab info leak
+
+From: Johan Hovold
+
+commit f7a1337f0d29b98733c8824e165fca3371d7d4fd upstream.
+
+Fix a small slab info leak due to a failure to clear the command buffer
+at allocation.
+
+The first 16 bytes of the command buffer are always sent to the device
+in pcan_usb_send_cmd() even though only the first two may have been
+initialised in case no argument payload is provided (e.g. when waiting
+for a response).
+
+Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core")
+Cc: stable # 3.4
+Reported-by: syzbot+863724e7128e14b26732@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -774,7 +774,7 @@ static int peak_usb_create_dev(const str
+ dev = netdev_priv(netdev);
+ 
+ /* allocate a buffer large enough to send commands */
+- dev->cmd_buf = kmalloc(PCAN_USB_MAX_CMD_LEN, GFP_KERNEL);
++ dev->cmd_buf = kzalloc(PCAN_USB_MAX_CMD_LEN, GFP_KERNEL);
+ if (!dev->cmd_buf) {
+ err = -ENOMEM;
+ goto lbl_free_candev;
diff --git a/queue-4.9/can-usb_8dev-fix-use-after-free-on-disconnect.patch b/queue-4.9/can-usb_8dev-fix-use-after-free-on-disconnect.patch
new file mode 100644
index 00000000000..9600b85384a
--- /dev/null
+++ b/queue-4.9/can-usb_8dev-fix-use-after-free-on-disconnect.patch
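Review bot: kzalloc() clears the buffer only once, and `cmd_buf` is reused for every command, so after the first command that carries a payload the argument bytes of that payload travel along in later payload-less commands (the description says the first 16 bytes always go on the wire). That is no longer kernel heap contents, so the syzbot report is addressed, but if the device is ever sensitive to stale argument bytes it would be cleaner for pcan_usb_send_cmd() (outside this hunk) to zero the unused tail per call, e.g. `memset(dev->cmd_buf + 2, 0, PCAN_USB_MAX_CMD_LEN - 2);` before the arguments are copied in. Failing that, document the reuse at the allocation: `/* reused for every command; the leading bytes always go on the wire */`. peak_usb_create_dev() starts and ends outside the hunk.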
@@ -0,0 +1,36 @@
+From 3759739426186a924675651b388d1c3963c5710e Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 1 Oct 2019 12:29:14 +0200
+Subject: can: usb_8dev: fix use-after-free on disconnect
+
+From: Johan Hovold
+
+commit 3759739426186a924675651b388d1c3963c5710e upstream.
+
+The driver was accessing its driver data after having freed it.
+
+Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices")
+Cc: stable # 3.9
+Cc: Bernd Krumboeck
+Cc: Wolfgang Grandegger
+Signed-off-by: Johan Hovold
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/usb/usb_8dev.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/can/usb/usb_8dev.c
++++ b/drivers/net/can/usb/usb_8dev.c
+@@ -1007,9 +1007,8 @@ static void usb_8dev_disconnect(struct u
+ netdev_info(priv->netdev, "device disconnected\n");
+ 
+ unregister_netdev(priv->netdev);
+- free_candev(priv->netdev);
+- 
+ unlink_all_urbs(priv);
++ free_candev(priv->netdev);
+ }
+ 
+ }
diff --git a/queue-4.9/ceph-fix-use-after-free-in-__ceph_remove_cap.patch b/queue-4.9/ceph-fix-use-after-free-in-__ceph_remove_cap.patch
new file mode 100644
index 00000000000..3444063f89e
--- /dev/null
+++ b/queue-4.9/ceph-fix-use-after-free-in-__ceph_remove_cap.patch
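Review bot: The reorder is right, but nothing in the code says why, and the original order looked plausible enough that someone may swap it back: `priv` is the netdev's private area, so `free_candev(priv->netdev)` frees `priv` itself and `unlink_all_urbs(priv)` must run before it. Suggest `/* priv lives inside netdev: unlink URBs before free_candev() frees it */` above the `unlink_all_urbs(priv);` line. The inner closing brace presumably belongs to an `if (priv)` guard; usb_8dev_disconnect() starts outside the hunk, so the intfdata handling that should precede this is not visible.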
@@ -0,0 +1,73 @@ +From ea60ed6fcf29eebc78f2ce91491e6309ee005a01 Mon Sep 17 00:00:00 2001 +From: Luis Henriques +Date: Fri, 25 Oct 2019 14:05:24 +0100 +Subject: ceph: fix use-after-free in __ceph_remove_cap() + +From: Luis Henriques + +commit ea60ed6fcf29eebc78f2ce91491e6309ee005a01 upstream. + +KASAN reports a use-after-free when running xfstest generic/531, with the +following trace: + +[ 293.903362] kasan_report+0xe/0x20 +[ 293.903365] rb_erase+0x1f/0x790 +[ 293.903370] __ceph_remove_cap+0x201/0x370 +[ 293.903375] __ceph_remove_caps+0x4b/0x70 +[ 293.903380] ceph_evict_inode+0x4e/0x360 +[ 293.903386] evict+0x169/0x290 +[ 293.903390] __dentry_kill+0x16f/0x250 +[ 293.903394] dput+0x1c6/0x440 +[ 293.903398] __fput+0x184/0x330 +[ 293.903404] task_work_run+0xb9/0xe0 +[ 293.903410] exit_to_usermode_loop+0xd3/0xe0 +[ 293.903413] do_syscall_64+0x1a0/0x1c0 +[ 293.903417] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +This happens because __ceph_remove_cap() may queue a cap release +(__ceph_queue_cap_release) which can be scheduled before that cap is +removed from the inode list with + + rb_erase(&cap->ci_node, &ci->i_caps); + +And, when this finally happens, the use-after-free will occur. + +This can be fixed by removing the cap from the inode list before being +removed from the session list, and thus eliminating the risk of an UAF. 
+ +Cc: stable@vger.kernel.org +Signed-off-by: Luis Henriques +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/caps.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -933,6 +933,11 @@ void __ceph_remove_cap(struct ceph_cap * + + dout("__ceph_remove_cap %p from %p\n", cap, &ci->vfs_inode); + ++ /* remove from inode's cap rbtree, and clear auth cap */ ++ rb_erase(&cap->ci_node, &ci->i_caps); ++ if (ci->i_auth_cap == cap) ++ ci->i_auth_cap = NULL; ++ + /* remove from session list */ + spin_lock(&session->s_cap_lock); + if (session->s_cap_iterator == cap) { +@@ -968,11 +973,6 @@ void __ceph_remove_cap(struct ceph_cap * + + spin_unlock(&session->s_cap_lock); + +- /* remove from inode list */ +- rb_erase(&cap->ci_node, &ci->i_caps); +- if (ci->i_auth_cap == cap) +- ci->i_auth_cap = NULL; +- + if (removed) + ceph_put_cap(mdsc, cap); + diff --git a/queue-4.9/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch b/queue-4.9/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch new file mode 100644 index 00000000000..735e1b6f441 --- /dev/null +++ b/queue-4.9/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch 
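Review bot: The move makes correctness depend on the caps rbtree being protected by the inode lock rather than `session->s_cap_lock`, since `rb_erase()` now runs before that spinlock is taken; the caller's lock is not visible in the hunk, so please confirm `ci->i_ceph_lock` is held on entry (the function's header comment is outside the hunk). The new comment could carry that reasoning so the ordering is not undone later: `/* Take the cap out of the inode tree first (under i_ceph_lock): once it leaves the session list a queued cap release may free it. */`. `cap` is still dereferenced below for the `s_cap_iterator` check and `ceph_put_cap()`, which is fine only because the reference is dropped at the very end. __ceph_remove_cap() starts and ends outside the hunk.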
@@ -0,0 +1,33 @@
+From 2c409ba81be25516afe05ae27a4a15da01740b01 Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Wed, 30 Oct 2019 10:21:28 -0400
+Subject: drm/radeon: fix si_enable_smc_cac() failed issue
+
+From: Alex Deucher
+
+commit 2c409ba81be25516afe05ae27a4a15da01740b01 upstream.
+
+Need to set the dte flag on this asic.
+
+Port the fix from amdgpu:
+5cb818b861be114 ("drm/amd/amdgpu: fix si_enable_smc_cac() failed issue")
+
+Reviewed-by: Yong Zhao
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/radeon/si_dpm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -1956,6 +1956,7 @@ static void si_initialize_powertune_defa
+ case 0x682C:
+ si_pi->cac_weights = cac_weights_cape_verde_pro;
+ si_pi->dte_data = dte_data_sun_xt;
++ update_dte_from_pl2 = true;
+ break;
+ case 0x6825:
+ case 0x6827:
diff --git a/queue-4.9/dump_stack-avoid-the-livelock-of-the-dump_lock.patch b/queue-4.9/dump_stack-avoid-the-livelock-of-the-dump_lock.patch
new file mode 100644
index 00000000000..4136ce22404
--- /dev/null
+++ b/queue-4.9/dump_stack-avoid-the-livelock-of-the-dump_lock.patch
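Review bot: A bare `update_dte_from_pl2 = true;` in a case keyed on the raw device ID 0x682C gives a future reader no way to tell why this ASIC differs from its neighbours; the commit message only says the dte flag is needed. A one-line comment tying the flag to the fix, `/* 0x682C (dte_data_sun_xt): DTE must come from PL2 or si_enable_smc_cac() fails, see amdgpu 5cb818b861be */`, would do. si_initialize_powertune_defaults() starts and ends outside the hunk.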
@@ -0,0 +1,47 @@
+From 5cbf2fff3bba8d3c6a4d47c1754de1cf57e2b01f Mon Sep 17 00:00:00 2001
+From: Kevin Hao
+Date: Tue, 5 Nov 2019 21:16:57 -0800
+Subject: dump_stack: avoid the livelock of the dump_lock
+
+From: Kevin Hao
+
+commit 5cbf2fff3bba8d3c6a4d47c1754de1cf57e2b01f upstream.
+
+In the current code, we use the atomic_cmpxchg() to serialize the output
+of the dump_stack(), but this implementation suffers the thundering herd
+problem. We have observed such kind of livelock on a Marvell cn96xx
+board(24 cpus) when heavily using the dump_stack() in a kprobe handler.
+Actually we can let the competitors to wait for the releasing of the
+lock before jumping to atomic_cmpxchg(). This will definitely mitigate
+the thundering herd problem. Thanks Linus for the suggestion.
+
+[akpm@linux-foundation.org: fix comment]
+Link: http://lkml.kernel.org/r/20191030031637.6025-1-haokexin@gmail.com
+Fixes: b58d977432c8 ("dump_stack: serialize the output from dump_stack()")
+Signed-off-by: Kevin Hao
+Suggested-by: Linus Torvalds
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ lib/dump_stack.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/lib/dump_stack.c
++++ b/lib/dump_stack.c
+@@ -44,7 +44,12 @@ retry:
+ was_locked = 1;
+ } else {
+ local_irq_restore(flags);
+- cpu_relax();
++ /*
++ * Wait for the lock to release before jumping to
++ * atomic_cmpxchg() in order to mitigate the thundering herd
++ * problem.
++ */
++ do { cpu_relax(); } while (atomic_read(&dump_lock) != -1);
+ goto retry;
+ }
+ 
diff --git a/queue-4.9/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch b/queue-4.9/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch
new file mode 100644
index 00000000000..1a237156cf8
--- /dev/null
+++ b/queue-4.9/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch
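Review bot: The new wait loop spins unboundedly on `atomic_read(&dump_lock) != -1`, so if the holding CPU never releases, e.g. it hard-locks mid-dump, every other CPU entering dump_stack(), including the one trying to report that lockup, parks here for good; the old `cpu_relax(); goto retry;` had the same property, so this is not a regression, but now that the wait is explicit it deserves a note. The literal `-1` is the "unlocked" sentinel from dump_lock's initialiser (outside the hunk); naming it would keep the two in sync, e.g. `#define DUMP_LOCK_UNLOCKED (-1)` used in both places, or at least `/* -1: no CPU holds dump_lock */` on the loop. Interrupts are re-enabled by the preceding local_irq_restore() before the spin, which is what makes the wait survivable and is worth saying in the comment. dump_stack() starts and ends outside the hunk.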
@@ -0,0 +1,40 @@
+From 24e1eb5c0d78cfb9750b690bbe997d4d59170258 Mon Sep 17 00:00:00 2001
+From: Alexandru Ardelean
+Date: Tue, 8 Oct 2019 17:15:37 +0300
+Subject: iio: imu: adis16480: make sure provided frequency is positive
+
+From: Alexandru Ardelean
+
+commit 24e1eb5c0d78cfb9750b690bbe997d4d59170258 upstream.
+
+It could happen that either `val` or `val2` [provided from userspace] is
+negative. In that case the computed frequency could get a weird value.
+
+Fix this by checking that neither of the 2 variables is negative, and check
+that the computed result is not-zero.
+
+Fixes: e4f959390178 ("iio: imu: adis16480 switch sampling frequency attr to core support")
+Signed-off-by: Alexandru Ardelean
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/imu/adis16480.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/adis16480.c
++++ b/drivers/iio/imu/adis16480.c
+@@ -266,8 +266,11 @@ static int adis16480_set_freq(struct iio
+ struct adis16480 *st = iio_priv(indio_dev);
+ unsigned int t;
+ 
++ if (val < 0 || val2 < 0)
++ return -EINVAL;
++ 
+ t = val * 1000 + val2 / 1000;
+- if (t <= 0)
++ if (t == 0)
+ return -EINVAL;
+ 
+ t = 2460000 / t;
diff --git a/queue-4.9/intel_th-pci-add-comet-lake-pch-support.patch b/queue-4.9/intel_th-pci-add-comet-lake-pch-support.patch
new file mode 100644
index 00000000000..a78d5e643b0
--- /dev/null
+++ b/queue-4.9/intel_th-pci-add-comet-lake-pch-support.patch
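Review bot: The sign check closes the negative case, but `val * 1000` is still a signed multiply on a userspace-supplied `int` (the parameter types are outside the hunk, please confirm), so a sysfs write of roughly 2147483 or more overflows before the result is converted to the unsigned `t`, which is undefined behaviour rather than merely a weird value. Any integer part above 2460 already makes `2460000 / t` zero, so bounding it is enough: `if (val < 0 || val2 < 0 || val > 2460) return -EINVAL;`. What a zero quotient means for the register write that follows is outside the hunk; if it is used as a divisor it should be rejected there as well. adis16480_set_freq() starts and ends outside the hunk.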
@@ -0,0 +1,35 @@
+From 3adbb5718dd5264666ddbc2b9b43799d292e9cb6 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin
+Date: Mon, 28 Oct 2019 09:06:50 +0200
+Subject: intel_th: pci: Add Comet Lake PCH support
+
+From: Alexander Shishkin
+
+commit 3adbb5718dd5264666ddbc2b9b43799d292e9cb6 upstream.
+
+This adds support for Intel TH on Comet Lake PCH.
+
+Signed-off-by: Alexander Shishkin
+Reviewed-by: Andy Shevchenko
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191028070651.9770-7-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -96,6 +96,11 @@ static const struct pci_device_id intel_
+ .driver_data = (kernel_ulong_t)0,
+ },
+ {
++ /* Comet Lake PCH */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x06a6),
++ .driver_data = (kernel_ulong_t)&intel_th_2x,
++ },
++ {
+ /* Gemini Lake */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x318e),
+ .driver_data = (kernel_ulong_t)0,
diff --git a/queue-4.9/mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch b/queue-4.9/mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch
new file mode 100644
index 00000000000..e594c5c8f95
--- /dev/null
+++ b/queue-4.9/mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch
@@ -0,0 +1,120 @@ +From 3e8fc0075e24338b1117cdff6a79477427b8dbed Mon Sep 17 00:00:00 2001 +From: Mel Gorman +Date: Tue, 5 Nov 2019 21:16:27 -0800 +Subject: mm, meminit: recalculate pcpu batch and high limits after init completes + +From: Mel Gorman + +commit 3e8fc0075e24338b1117cdff6a79477427b8dbed upstream. + +Deferred memory initialisation updates zone->managed_pages during the +initialisation phase but before that finishes, the per-cpu page +allocator (pcpu) calculates the number of pages allocated/freed in +batches as well as the maximum number of pages allowed on a per-cpu +list. As zone->managed_pages is not up to date yet, the pcpu +initialisation calculates inappropriately low batch and high values. + +This increases zone lock contention quite severely in some cases with +the degree of severity depending on how many CPUs share a local zone and +the size of the zone. A private report indicated that kernel build +times were excessive with extremely high system CPU usage. A perf +profile indicated that a large chunk of time was lost on zone->lock +contention. + +This patch recalculates the pcpu batch and high values after deferred +initialisation completes for every populated zone in the system. It was +tested on a 2-socket AMD EPYC 2 machine using a kernel compilation +workload -- allmodconfig and all available CPUs. + +mmtests configuration: config-workload-kernbench-max Configuration was +modified to build on a fresh XFS partition. 
+ +kernbench + 5.4.0-rc3 5.4.0-rc3 + vanilla resetpcpu-v2 +Amean user-256 13249.50 ( 0.00%) 16401.31 * -23.79%* +Amean syst-256 14760.30 ( 0.00%) 4448.39 * 69.86%* +Amean elsp-256 162.42 ( 0.00%) 119.13 * 26.65%* +Stddev user-256 42.97 ( 0.00%) 19.15 ( 55.43%) +Stddev syst-256 336.87 ( 0.00%) 6.71 ( 98.01%) +Stddev elsp-256 2.46 ( 0.00%) 0.39 ( 84.03%) + + 5.4.0-rc3 5.4.0-rc3 + vanilla resetpcpu-v2 +Duration User 39766.24 49221.79 +Duration System 44298.10 13361.67 +Duration Elapsed 519.11 388.87 + +The patch reduces system CPU usage by 69.86% and total build time by +26.65%. The variance of system CPU usage is also much reduced. + +Before, this was the breakdown of batch and high values over all zones +was: + + 256 batch: 1 + 256 batch: 63 + 512 batch: 7 + 256 high: 0 + 256 high: 378 + 512 high: 42 + +512 pcpu pagesets had a batch limit of 7 and a high limit of 42. After +the patch: + + 256 batch: 1 + 768 batch: 63 + 256 high: 0 + 768 high: 378 + +[mgorman@techsingularity.net: fix merge/linkage snafu] + Link: http://lkml.kernel.org/r/20191023084705.GD3016@techsingularity.netLink: http://lkml.kernel.org/r/20191021094808.28824-2-mgorman@techsingularity.net +Signed-off-by: Mel Gorman +Acked-by: Michal Hocko +Acked-by: Vlastimil Babka +Acked-by: David Hildenbrand +Cc: Matt Fleming +Cc: Thomas Gleixner +Cc: Borislav Petkov +Cc: Qian Cai +Cc: [4.1+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_alloc.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -2051,6 +2051,14 @@ static void reserve_highatomic_pageblock + unsigned long max_managed, flags; + + /* ++ * The number of managed pages has changed due to the initialisation ++ * so the pcpu batch and high limits needs to be updated or the limits ++ * will be artificially small. 
++ */ ++ for_each_populated_zone(zone) ++ zone_pcp_update(zone); ++ ++ /* + * Limit the number reserved to 1 pageblock or roughly 1% of a zone. + * Check is race-prone but harmless. + */ +@@ -7385,7 +7393,6 @@ void free_contig_range(unsigned long pfn + } + #endif + +-#ifdef CONFIG_MEMORY_HOTPLUG + /* + * The zone indicated has a new number of managed_pages; batch sizes and percpu + * page high values need to be recalulated. +@@ -7399,7 +7406,6 @@ void __meminit zone_pcp_update(struct zo + per_cpu_ptr(zone->pageset, cpu)); + mutex_unlock(&pcp_batch_high_lock); + } +-#endif + + void zone_pcp_reset(struct zone *zone) + { diff --git a/queue-4.9/mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch b/queue-4.9/mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch new file mode 100644 index 00000000000..196fd011ada --- /dev/null +++ b/queue-4.9/mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch 
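Review bot: The `for_each_populated_zone(zone) zone_pcp_update(zone);` loop appears to have landed in the wrong function: the hunk context (`static void reserve_highatomic_pageblock`, the `unsigned long max_managed, flags;` declaration and the "Limit the number reserved to 1 pageblock" comment) is reserve_highatomic_pageblock(), the allocator slow path, not page_alloc_init_late() where the upstream commit and this description place it. If so this is broken twice over: `zone` is that function's parameter, and for_each_populated_zone() reassigns it and leaves it NULL when the loop ends, so the `zone->managed_pages` read just below dereferences NULL on the first highatomic reservation; and zone_pcp_update() takes the `pcp_batch_high_lock` mutex (visible in the second hunk) and is `__meminit`, so it would sleep in a path that can run under GFP_ATOMIC and, without CONFIG_MEMORY_HOTPLUG, call into discarded init text. The loop and its comment belong at the end of page_alloc_init_late(), after the deferred-init completion wait, where `zone` is a local (assuming the 4.9 function has upstream's shape); both functions start and end outside the hunk.
```c
void __init page_alloc_init_late(void)
{
	struct zone *zone;

	/* … unchanged: wait for deferred struct page initialisation to complete … */

	/*
	 * The number of managed pages has changed due to the initialisation
	 * so the pcpu batch and high limits needs to be updated or the limits
	 * will be artificially small.
	 */
	for_each_populated_zone(zone)
		zone_pcp_update(zone);

	/* … unchanged: remainder of page_alloc_init_late() … */
}
```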
@@ -0,0 +1,145 @@
+From 169226f7e0d275c1879551f37484ef6683579a5c Mon Sep 17 00:00:00 2001
+From: Yang Shi
+Date: Tue, 5 Nov 2019 21:16:30 -0800
+Subject: mm: thp: handle page cache THP correctly in PageTransCompoundMap
+
+From: Yang Shi
+
+commit 169226f7e0d275c1879551f37484ef6683579a5c upstream.
+
+We have a usecase to use tmpfs as QEMU memory backend and we would like
+to take the advantage of THP as well. But, our test shows the EPT is
+not PMD mapped even though the underlying THP are PMD mapped on host.
+The number showed by /sys/kernel/debug/kvm/largepage is much less than
+the number of PMD mapped shmem pages as the below:
+
+ 7f2778200000-7f2878200000 rw-s 00000000 00:14 262232 /dev/shm/qemu_back_mem.mem.Hz2hSf (deleted)
+ Size: 4194304 kB
+ [snip]
+ AnonHugePages: 0 kB
+ ShmemPmdMapped: 579584 kB
+ [snip]
+ Locked: 0 kB
+
+ cat /sys/kernel/debug/kvm/largepages
+ 12
+
+And some benchmarks do worse than with anonymous THPs.
+
+By digging into the code we figured out that commit 127393fbe597 ("mm:
+thp: kvm: fix memory corruption in KVM with THP enabled") checks if
+there is a single PTE mapping on the page for anonymous THP when setting
+up EPT map. But the _mapcount < 0 check doesn't work for page cache THP
+since every subpage of page cache THP would get _mapcount inc'ed once it
+is PMD mapped, so PageTransCompoundMap() always returns false for page
+cache THP. This would prevent KVM from setting up PMD mapped EPT entry.
+
+So we need handle page cache THP correctly. However, when page cache
+THP's PMD gets split, kernel just remove the map instead of setting up
+PTE map like what anonymous THP does. Before KVM calls get_user_pages()
+the subpages may get PTE mapped even though it is still a THP since the
+page cache THP may be mapped by other processes at the mean time.
+
+Checking its _mapcount and whether the THP has PTE mapped or not.
+Although this may report some false negative cases (PTE mapped by other
+processes), it looks not trivial to make this accurate.
+
+With this fix /sys/kernel/debug/kvm/largepage would show reasonable
+pages are PMD mapped by EPT as the below:
+
+ 7fbeaee00000-7fbfaee00000 rw-s 00000000 00:14 275464 /dev/shm/qemu_back_mem.mem.SKUvat (deleted)
+ Size: 4194304 kB
+ [snip]
+ AnonHugePages: 0 kB
+ ShmemPmdMapped: 557056 kB
+ [snip]
+ Locked: 0 kB
+
+ cat /sys/kernel/debug/kvm/largepages
+ 271
+
+And the benchmarks are as same as anonymous THPs.
+
+[yang.shi@linux.alibaba.com: v4]
+ Link: http://lkml.kernel.org/r/1571865575-42913-1-git-send-email-yang.shi@linux.alibaba.com
+Link: http://lkml.kernel.org/r/1571769577-89735-1-git-send-email-yang.shi@linux.alibaba.com
+Fixes: dd78fedde4b9 ("rmap: support file thp")
+Signed-off-by: Yang Shi
+Reported-by: Gang Deng
+Tested-by: Gang Deng
+Suggested-by: Hugh Dickins
+Acked-by: Kirill A. Shutemov
+Cc: Andrea Arcangeli
+Cc: Matthew Wilcox
+Cc: [4.8+]
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/mm.h | 5 -----
+ include/linux/mm_types.h | 5 +++++
+ include/linux/page-flags.h | 20 ++++++++++++++++++--
+ 3 files changed, 23 insertions(+), 7 deletions(-)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -504,11 +504,6 @@ static inline int is_vmalloc_or_module_a
+ 
+ extern void kvfree(const void *addr);
+ 
+-static inline atomic_t *compound_mapcount_ptr(struct page *page)
+-{
+- return &page[1].compound_mapcount;
+-}
+-
+ static inline int compound_mapcount(struct page *page)
+ {
+ VM_BUG_ON_PAGE(!PageCompound(page), page);
+--- a/include/linux/mm_types.h
++++ b/include/linux/mm_types.h
+@@ -262,6 +262,11 @@ struct page_frag_cache {
+ 
+ typedef unsigned long vm_flags_t;
+ 
++static inline atomic_t *compound_mapcount_ptr(struct page *page)
++{
++ return &page[1].compound_mapcount;
++}
++
+ /*
+ * A region containing a mapping of a non-memory backed file under NOMMU
+ * conditions. These are held in a global tree and are pinned by the VMAs that
+--- a/include/linux/page-flags.h
++++ b/include/linux/page-flags.h
+@@ -545,12 +545,28 @@ static inline int PageTransCompound(stru
+ *
+ * Unlike PageTransCompound, this is safe to be called only while
+ * split_huge_pmd() cannot run from under us, like if protected by the
+- * MMU notifier, otherwise it may result in page->_mapcount < 0 false
++ * MMU notifier, otherwise it may result in page->_mapcount check false
+ * positives.
++ *
++ * We have to treat page cache THP differently since every subpage of it
++ * would get _mapcount inc'ed once it is PMD mapped. But, it may be PTE
++ * mapped in the current process so comparing subpage's _mapcount to
++ * compound_mapcount to filter out PTE mapped case.
+ */
+ static inline int PageTransCompoundMap(struct page *page)
+ {
+- return PageTransCompound(page) && atomic_read(&page->_mapcount) < 0;
++ struct page *head;
++
++ if (!PageTransCompound(page))
++ return 0;
++
++ if (PageAnon(page))
++ return atomic_read(&page->_mapcount) < 0;
++
++ head = compound_head(page);
++ /* File THP is PMD mapped and not PTE mapped */
++ return atomic_read(&page->_mapcount) ==
++ atomic_read(compound_mapcount_ptr(head));
+ }
+ 
+ /*
diff --git a/queue-4.9/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch b/queue-4.9/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch
new file mode 100644
index 00000000000..9b16f554b5d
--- /dev/null
+++ b/queue-4.9/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch
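Review bot: The new file-THP branch in PageTransCompoundMap() takes two independent atomic_read() snapshots (the subpage's _mapcount and the head's compound mapcount) and compares them, so the result is only meaningful while neither counter moves under the caller, yet the revised comment still names only split_huge_pmd() as what must not run concurrently. The commit message concedes false negatives when another process PTE-maps the subpage, and that caveat belongs in the function comment rather than only in the changelog. Suggested addition to the comment block: `* A subpage PTE-mapped by another process makes this return 0 even though the THP is PMD mapped here (a false negative); treat 0 as "not known to be PMD mapped", not as "PTE mapped".` The other two hunks only relocate compound_mapcount_ptr() from mm.h to mm_types.h, presumably so page-flags.h can reach it without pulling in mm.h.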
@@ -0,0 +1,57 @@
+From abaed0112c1db08be15a784a2c5c8a8b3063cdd3 Mon Sep 17 00:00:00 2001
+From: Michal Hocko
+Date: Tue, 5 Nov 2019 21:16:40 -0800
+Subject: mm, vmstat: hide /proc/pagetypeinfo from normal users
+
+From: Michal Hocko
+
+commit abaed0112c1db08be15a784a2c5c8a8b3063cdd3 upstream.
+
+/proc/pagetypeinfo is a debugging tool to examine internal page
+allocator state wrt to fragmentation. It is not very useful for any
+other use so normal users really do not need to read this file.
+
+Waiman Long has noticed that reading this file can have negative side
+effects because zone->lock is necessary for gathering data and that a)
+interferes with the page allocator and its users and b) can lead to hard
+lockups on large machines which have very long free_list.
+
+Reduce both issues by simply not exporting the file to regular users.
+
+Link: http://lkml.kernel.org/r/20191025072610.18526-2-mhocko@kernel.org
+Fixes: 467c996c1e19 ("Print out statistics in relation to fragmentation avoidance to /proc/pagetypeinfo")
+Signed-off-by: Michal Hocko
+Reported-by: Waiman Long
+Acked-by: Mel Gorman
+Acked-by: Vlastimil Babka
+Acked-by: Waiman Long
+Acked-by: Rafael Aquini
+Acked-by: David Rientjes
+Reviewed-by: Andrew Morton
+Cc: David Hildenbrand
+Cc: Johannes Weiner
+Cc: Roman Gushchin
+Cc: Konstantin Khlebnikov
+Cc: Jann Horn
+Cc: Song Liu
+Cc: Greg Kroah-Hartman
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/vmstat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/vmstat.c
++++ b/mm/vmstat.c
+@@ -1794,7 +1794,7 @@ static int __init setup_vmstat(void)
+ #endif
+ #ifdef CONFIG_PROC_FS
+ proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
+- proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
++ proc_create("pagetypeinfo", 0400, NULL, &pagetypeinfo_file_ops);
+ proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
+ proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
+ #endif
diff --git a/queue-4.9/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch b/queue-4.9/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch
new file mode 100644
index 00000000000..7fc8520f8fe
--- /dev/null
+++ b/queue-4.9/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch
@@ -0,0 +1,47 @@
+From 30b7244d79651460ff114ba8f7987ed94c86b99a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Sat, 24 Aug 2019 17:49:55 +0300
+Subject: netfilter: ipset: Fix an error code in ip_set_sockfn_get()
+
+From: Dan Carpenter
+
+commit 30b7244d79651460ff114ba8f7987ed94c86b99a upstream.
+
+The copy_to_user() function returns the number of bytes remaining to be
+copied. In this code, that positive return is checked at the end of the
+function and we return zero/success. What we should do instead is
+return -EFAULT.
+
+Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Jozsef Kadlecsik
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/ipset/ip_set_core.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1942,8 +1942,9 @@ ip_set_sockfn_get(struct sock *sk, int o
+ }
+ 
+ req_version->version = IPSET_PROTOCOL;
+- ret = copy_to_user(user, req_version,
+- sizeof(struct ip_set_req_version));
++ if (copy_to_user(user, req_version,
++ sizeof(struct ip_set_req_version)))
++ ret = -EFAULT;
+ goto done;
+ }
+ case IP_SET_OP_GET_BYNAME: {
+@@ -2000,7 +2001,8 @@ ip_set_sockfn_get(struct sock *sk, int o
+ } /* end of switch(op) */
+ 
+ copy:
+- ret = copy_to_user(user, data, copylen);
++ if (copy_to_user(user, data, copylen))
++ ret = -EFAULT;
+ 
+ done:
+ vfree(data);
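Review bot: The mode change to `0400` on the pagetypeinfo proc_create() line carries no in-source reason, and it now sits between three entries that stay `S_IRUGO`, so a later reader will see an inconsistency rather than a deliberate restriction. A comment above the call keeping the changelog's rationale with the code would help: `/* Walks every free_list under zone->lock; root-only so unprivileged reads cannot stall the allocator or trip hard lockups */`. The mixed octal/S_IRUGO form is acceptable for a minimal stable fix; converting the neighbouring lines is a separate cleanup. setup_vmstat() begins outside the hunk.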
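Review bot: Both new `if (copy_to_user(...)) ret = -EFAULT;` sites leave `ret` untouched on success, whereas the old code overwrote `ret` with copy_to_user()'s result (0 on success) on every path, so the success return now depends on `ret` already being 0 when the copy runs. ip_set_sockfn_get() starts before the first hunk and ends after the second, and neither hunk shows where `ret` is initialised or whether any branch can reach `copy:` with a stale non-zero `ret`; that is worth confirming before the backport lands. If it cannot be guaranteed, `ret = 0;` before each new `if` restores the previous success contract while keeping the -EFAULT fix.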
diff --git a/queue-4.9/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch b/queue-4.9/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch
new file mode 100644
index 00000000000..1d2268bd101
--- /dev/null
+++ b/queue-4.9/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch
@@ -0,0 +1,60 @@
+From 250367c59e6ba0d79d702a059712d66edacd4a1a Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Thu, 31 Oct 2019 11:06:24 +0100
+Subject: netfilter: nf_tables: Align nft_expr private data to 64-bit
+
+From: Lukas Wunner
+
+commit 250367c59e6ba0d79d702a059712d66edacd4a1a upstream.
+
+Invoking the following commands on a 32-bit architecture with strict
+alignment requirements (such as an ARMv7-based Raspberry Pi) results
+in an alignment exception:
+
+ # nft add table ip test-ip4
+ # nft add chain ip test-ip4 output { type filter hook output priority 0; }
+ # nft add rule ip test-ip4 output quota 1025 bytes
+
+Alignment trap: not handling instruction e1b26f9f at [<7f4473f8>]
+Unhandled fault: alignment exception (0x001) at 0xb832e824
+Internal error: : 1 [#1] PREEMPT SMP ARM
+Hardware name: BCM2835
+[<7f4473fc>] (nft_quota_do_init [nft_quota])
+[<7f447448>] (nft_quota_init [nft_quota])
+[<7f4260d0>] (nf_tables_newrule [nf_tables])
+[<7f4168dc>] (nfnetlink_rcv_batch [nfnetlink])
+[<7f416bd0>] (nfnetlink_rcv [nfnetlink])
+[<8078b334>] (netlink_unicast)
+[<8078b664>] (netlink_sendmsg)
+[<8071b47c>] (sock_sendmsg)
+[<8071bd18>] (___sys_sendmsg)
+[<8071ce3c>] (__sys_sendmsg)
+[<8071ce94>] (sys_sendmsg)
+
+The reason is that nft_quota_do_init() calls atomic64_set() on an
+atomic64_t which is only aligned to 32-bit, not 64-bit, because it
+succeeds struct nft_expr in memory which only contains a 32-bit pointer.
+Fix by aligning the nft_expr private data to 64-bit.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Lukas Wunner
+Cc: stable@vger.kernel.org # v3.13+
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/net/netfilter/nf_tables.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -705,7 +705,8 @@ struct nft_expr_ops {
+ */
+ struct nft_expr {
+ const struct nft_expr_ops *ops;
+- unsigned char data[];
++ unsigned char data[]
++ __attribute__((aligned(__alignof__(u64))));
+ };
+ 
+ static inline void *nft_expr_priv(const struct nft_expr *expr)
diff --git a/queue-4.9/perf-tools-fix-time-sorting.patch b/queue-4.9/perf-tools-fix-time-sorting.patch
new file mode 100644
index 00000000000..67f11be3be3
--- /dev/null
+++ b/queue-4.9/perf-tools-fix-time-sorting.patch
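Review bot: The alignment on the new `data[]` member is spelled out as a raw `__attribute__((aligned(__alignof__(u64))))`, whereas kernel headers normally use the `__aligned()` wrapper from the compiler headers; `unsigned char data[] __aligned(__alignof__(u64));` fits on one line and reads like the rest of the tree. Nothing in the hunk says why 64-bit alignment is needed, so a short member comment such as `/* may hold an atomic64_t (see nft_quota); keep 64-bit aligned */` would stop a future cleanup from dropping it. Raising the member's alignment also raises `__alignof__(struct nft_expr)` and, on 32-bit targets, `sizeof(struct nft_expr)`, so any size arithmetic derived from those (outside this hunk) should be rechecked against the new layout.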
@@ -0,0 +1,46 @@
+From 722ddfde366fd46205456a9c5ff9b3359dc9a75e Mon Sep 17 00:00:00 2001
+From: Jiri Olsa
+Date: Tue, 5 Nov 2019 00:27:11 +0100
+Subject: perf tools: Fix time sorting
+
+From: Jiri Olsa
+
+commit 722ddfde366fd46205456a9c5ff9b3359dc9a75e upstream.
+
+The final sort might get confused when the comparison is done over
+bigger numbers than int like for -s time.
+
+Check the following report for longer workloads:
+
+ $ perf report -s time -F time,overhead --stdio
+
+Fix hist_entry__sort() to properly return int64_t and not possible cut
+int.
+
+Fixes: 043ca389a318 ("perf tools: Use hpp formats to sort final output")
+Signed-off-by: Jiri Olsa
+Reviewed-by: Andi Kleen
+Cc: Alexander Shishkin
+Cc: Michael Petlan
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: stable@vger.kernel.org # v3.16+
+Link: http://lore.kernel.org/lkml/20191104232711.16055-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/perf/util/hist.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/hist.c
++++ b/tools/perf/util/hist.c
+@@ -1485,7 +1485,7 @@ int hists__collapse_resort(struct hists
+ return 0;
+ }
+ 
+-static int hist_entry__sort(struct hist_entry *a, struct hist_entry *b)
++static int64_t hist_entry__sort(struct hist_entry *a, struct hist_entry *b)
+ {
+ struct hists *hists = a->hists;
+ struct perf_hpp_fmt *fmt;
diff --git a/queue-4.9/series b/queue-4.9/series
index faba69f803f..03a6a3edd90 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
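Review bot: Widening hist_entry__sort()'s return type to `int64_t` only removes the truncation at this one boundary; the body and every caller are outside the hunk, so an `int`-typed intermediate inside the body or a caller that stores the result in an `int` before testing its sign would reintroduce the same cut. Worth checking that the value returned from the body is carried as `int64_t` all the way from the per-format compare, and that callers use `int64_t cmp = hist_entry__sort(a, b);` (or test the call's sign directly) rather than an `int` local.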
@@ -6,3 +6,22 @@ nfc-fdp-fix-incorrect-free-object.patch
 nfc-netlink-fix-double-device-reference-drop.patch
 nfc-st21nfca-fix-double-free.patch
 qede-fix-null-pointer-deref-in-__qede_remove.patch
+alsa-timer-fix-incorrectly-assigned-timer-instance.patch
+alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch
+alsa-hda-ca0132-fix-possible-workqueue-stall.patch
+mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch
+mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch
+mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch
+dump_stack-avoid-the-livelock-of-the-dump_lock.patch
+perf-tools-fix-time-sorting.patch
+drm-radeon-fix-si_enable_smc_cac-failed-issue.patch
+ceph-fix-use-after-free-in-__ceph_remove_cap.patch
+iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch
+netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch
+netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch
+intel_th-pci-add-comet-lake-pch-support.patch
+can-usb_8dev-fix-use-after-free-on-disconnect.patch
+can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch
+can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch
+can-gs_usb-gs_can_open-prevent-memory-leak.patch
+can-peak_usb-fix-slab-info-leak.patch
-- 
2.47.3