From 673f8e156b636c7c357ceda8a2fe8e7c529f0334 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Thu, 3 Aug 2017 15:44:26 -0700 Subject: [PATCH] 4.9-stable patches added patches: ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch ipmi-watchdog-fix-watchdog-timeout-set-on-reboot.patch isdn-fix-a-sleep-in-atomic-bug.patch isdn-i4l-fix-buffer-overflow.patch mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch mailbox-handle-empty-message-in-tx_tick.patch mailbox-skip-complete-wait-event-if-timer-expired.patch rdma-uverbs-fix-the-check-for-port-number.patch sched-cgroup-move-sched_online_group-back-into-css_online-to-fix-crash.patch wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch --- ...on-wmi-tlv-when-trying-spectral-scan.patch | 76 +++++++++++++++ ...g-fix-watchdog-timeout-set-on-reboot.patch | 43 +++++++++ .../isdn-fix-a-sleep-in-atomic-bug.patch | 40 ++++++++ queue-4.9/isdn-i4l-fix-buffer-overflow.patch | 53 +++++++++++ ...ox_send_message-for-blocking-tx-mode.patch | 40 ++++++++ ...lbox-handle-empty-message-in-tx_tick.patch | 40 ++++++++ ...complete-wait-event-if-timer-expired.patch | 53 +++++++++++ ...uverbs-fix-the-check-for-port-number.patch | 39 ++++++++ ...up-back-into-css_online-to-fix-crash.patch | 94 +++++++++++++++++++ queue-4.9/series | 10 ++ ...ock-when-using-fw_no_recovery-option.patch | 53 +++++++++++ 11 files changed, 541 insertions(+) create mode 100644 queue-4.9/ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch create mode 100644 queue-4.9/ipmi-watchdog-fix-watchdog-timeout-set-on-reboot.patch create mode 100644 queue-4.9/isdn-fix-a-sleep-in-atomic-bug.patch create mode 100644 queue-4.9/isdn-i4l-fix-buffer-overflow.patch create mode 100644 queue-4.9/mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch create mode 100644 queue-4.9/mailbox-handle-empty-message-in-tx_tick.patch create mode 100644 queue-4.9/mailbox-skip-complete-wait-event-if-timer-expired.patch create mode 100644 queue-4.9/rdma-uverbs-fix-the-check-for-port-number.patch create 
mode 100644 queue-4.9/sched-cgroup-move-sched_online_group-back-into-css_online-to-fix-crash.patch create mode 100644 queue-4.9/wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch
diff --git a/queue-4.9/ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch b/queue-4.9/ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch
new file mode 100644
index 00000000000..39f460ebec3
--- /dev/null
+++ b/queue-4.9/ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch
@@ -0,0 +1,76 @@
+From 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 Mon Sep 17 00:00:00 2001
+From: Michal Kazior
+Date: Mon, 14 Nov 2016 14:25:23 +0100
+Subject: ath10k: fix null deref on wmi-tlv when trying spectral scan
+
+From: Michal Kazior
+
+commit 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 upstream.
+
+WMI ops wrappers did not properly check for null
+function pointers for spectral scan. This caused
+null dereference crash with WMI-TLV based firmware
+which doesn't implement spectral scan.
+
+The crash could be triggered with:
+
+ ip link set dev wlan0 up
+ echo background > /sys/kernel/debug/ieee80211/phy0/ath10k/spectral_scan_ctl
+
+The crash looked like this:
+
+ [ 168.031989] BUG: unable to handle kernel NULL pointer dereference at (null)
+ [ 168.037406] IP: [< (null)>] (null)
+ [ 168.040395] PGD cdd4067 PUD fa0f067 PMD 0
+ [ 168.043303] Oops: 0010 [#1] SMP
+ [ 168.045377] Modules linked in: ath10k_pci(O) ath10k_core(O) ath mac80211 cfg80211 [last unloaded: cfg80211]
+ [ 168.051560] CPU: 1 PID: 1380 Comm: bash Tainted: G W O 4.8.0 #78
+ [ 168.054336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
+ [ 168.059183] task: ffff88000c460c00 task.stack: ffff88000d4bc000
+ [ 168.061736] RIP: 0010:[<0000000000000000>] [< (null)>] (null)
+ ...
+ [ 168.100620] Call Trace:
+ [ 168.101910] [] ? ath10k_spectral_scan_config+0x96/0x200 [ath10k_core]
+ [ 168.104871] [] ? filemap_fault+0xb2/0x4a0
+ [ 168.106696] [] write_file_spec_scan_ctl+0x116/0x280 [ath10k_core]
+ [ 168.109618] [] full_proxy_write+0x51/0x80
+ [ 168.111443] [] __vfs_write+0x28/0x120
+ [ 168.113090] [] ? security_file_permission+0x3d/0xc0
+ [ 168.114932] [] ? percpu_down_read+0x12/0x60
+ [ 168.116680] [] vfs_write+0xb8/0x1a0
+ [ 168.118293] [] SyS_write+0x46/0xa0
+ [ 168.119912] [] entry_SYSCALL_64_fastpath+0x1a/0xa4
+ [ 168.121737] Code: Bad RIP value.
+ [ 168.123318] RIP [< (null)>] (null)
+
+Signed-off-by: Michal Kazior
+Signed-off-by: Kalle Valo
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath10k/wmi-ops.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/wmi-ops.h
++++ b/drivers/net/wireless/ath/ath10k/wmi-ops.h
+@@ -660,6 +660,9 @@ ath10k_wmi_vdev_spectral_conf(struct ath
+ struct sk_buff *skb;
+ u32 cmd_id;
+
++ if (!ar->wmi.ops->gen_vdev_spectral_conf)
++ return -EOPNOTSUPP;
++
+ skb = ar->wmi.ops->gen_vdev_spectral_conf(ar, arg);
+ if (IS_ERR(skb))
+ return PTR_ERR(skb);
+@@ -675,6 +678,9 @@ ath10k_wmi_vdev_spectral_enable(struct a
+ struct sk_buff *skb;
+ u32 cmd_id;
+
++ if (!ar->wmi.ops->gen_vdev_spectral_enable)
++ return -EOPNOTSUPP;
++
+ skb = ar->wmi.ops->gen_vdev_spectral_enable(ar, vdev_id, trigger,
+ enable);
+ if (IS_ERR(skb))
diff --git a/queue-4.9/ipmi-watchdog-fix-watchdog-timeout-set-on-reboot.patch b/queue-4.9/ipmi-watchdog-fix-watchdog-timeout-set-on-reboot.patch
new file mode 100644
index 00000000000..fb6df6fc9bb
--- /dev/null
+++ b/queue-4.9/ipmi-watchdog-fix-watchdog-timeout-set-on-reboot.patch
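Review bot: The added NULL tests in the ath10k patch cover only `gen_vdev_spectral_conf` and `gen_vdev_spectral_enable`; any other wrapper in wmi-ops.h that calls an `ar->wmi.ops->gen_*` pointer without testing it would fault the same way when a firmware ABI leaves that op unset, so the wrappers outside these two hunks are worth checking for the same `if (!ar->wmi.ops->...) return -EOPNOTSUPP;` pattern. The trigger shown in the commit message is a debugfs write, so the path is reachable by whoever may write under /sys/kernel/debug (typically root only). A short comment above each check, such as `/* optional op: WMI-TLV firmware does not implement spectral scan */`, would record why the pointer can be NULL. Both function bodies start and end outside the hunks.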
@@ -0,0 +1,43 @@
+From 860f01e96981a68553f3ca49f574ff14fe955e72 Mon Sep 17 00:00:00 2001
+From: Valentin Vidic
+Date: Fri, 5 May 2017 21:07:33 +0200
+Subject: ipmi/watchdog: fix watchdog timeout set on reboot
+
+From: Valentin Vidic
+
+commit 860f01e96981a68553f3ca49f574ff14fe955e72 upstream.
+
+systemd by default starts watchdog on reboot and sets the timer to
+ShutdownWatchdogSec=10min. Reboot handler in ipmi_watchdog than reduces
+the timer to 120s which is not enough time to boot a Xen machine with
+a lot of RAM. As a result the machine is rebooted the second time
+during the long run of (XEN) Scrubbing Free RAM.....
+
+Fix this by setting the timer to 120s only if it was previously
+set to a low value.
+
+Signed-off-by: Valentin Vidic
+Signed-off-by: Corey Minyard
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/ipmi/ipmi_watchdog.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_watchdog.c
++++ b/drivers/char/ipmi/ipmi_watchdog.c
+@@ -1162,10 +1162,11 @@ static int wdog_reboot_handler(struct no
+ ipmi_watchdog_state = WDOG_TIMEOUT_NONE;
+ ipmi_set_timeout(IPMI_SET_TIMEOUT_NO_HB);
+ } else if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE) {
+- /* Set a long timer to let the reboot happens, but
+- reboot if it hangs, but only if the watchdog
++ /* Set a long timer to let the reboot happen or
++ reset if it hangs, but only if the watchdog
+ timer was already running. */
+- timeout = 120;
++ if (timeout < 120)
++ timeout = 120;
+ pretimeout = 0;
+ ipmi_watchdog_state = WDOG_TIMEOUT_RESET;
+ ipmi_set_timeout(IPMI_SET_TIMEOUT_NO_HB);
diff --git a/queue-4.9/isdn-fix-a-sleep-in-atomic-bug.patch b/queue-4.9/isdn-fix-a-sleep-in-atomic-bug.patch
new file mode 100644
index 00000000000..307b7194c84
--- /dev/null
+++ b/queue-4.9/isdn-fix-a-sleep-in-atomic-bug.patch
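Review bot: The reworded comment in wdog_reboot_handler still reads "Set a long timer", but the new code only raises `timeout` when it is below 120 and otherwise keeps the configured value. Wording such as `/* Ensure at least 120 s for the reboot to complete; a longer configured timeout is kept. Only if the watchdog was already running. */` would match what the code now does. The literal 120 appears in both the comparison and the assignment, so a named constant would keep the two in step. The function starts and ends outside the hunk.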
@@ -0,0 +1,40 @@
+From e8f4ae85439f34bec3b0ab69223a41809dab28c9 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai
+Date: Wed, 31 May 2017 09:40:11 +0800
+Subject: isdn: Fix a sleep-in-atomic bug
+
+From: Jia-Ju Bai
+
+commit e8f4ae85439f34bec3b0ab69223a41809dab28c9 upstream.
+
+The driver may sleep under a spin lock, the function call path is:
+isdn_ppp_mp_receive (acquire the lock)
+ isdn_ppp_mp_reassembly
+ isdn_ppp_push_higher
+ isdn_ppp_decompress
+ isdn_ppp_ccp_reset_trans
+ isdn_ppp_ccp_reset_alloc_state
+ kzalloc(GFP_KERNEL) --> may sleep
+
+To fixed it, the "GFP_KERNEL" is replaced with "GFP_ATOMIC".
+
+Signed-off-by: Jia-Ju Bai
+Signed-off-by: David S. Miller
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/isdn/i4l/isdn_ppp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/isdn/i4l/isdn_ppp.c
++++ b/drivers/isdn/i4l/isdn_ppp.c
+@@ -2364,7 +2364,7 @@ static struct ippp_ccp_reset_state *isdn
+ id);
+ return NULL;
+ } else {
+- rs = kzalloc(sizeof(struct ippp_ccp_reset_state), GFP_KERNEL);
++ rs = kzalloc(sizeof(struct ippp_ccp_reset_state), GFP_ATOMIC);
+ if (!rs)
+ return NULL;
+ rs->state = CCPResetIdle;
diff --git a/queue-4.9/isdn-i4l-fix-buffer-overflow.patch b/queue-4.9/isdn-i4l-fix-buffer-overflow.patch
new file mode 100644
index 00000000000..a7c00cc1522
--- /dev/null
+++ b/queue-4.9/isdn-i4l-fix-buffer-overflow.patch
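Review bot: With `GFP_ATOMIC` the allocation in the `else` branch can no longer sleep or reclaim, so it fails more readily under memory pressure. The `if (!rs) return NULL;` right after it handles that locally, but the callers listed in the commit message (isdn_ppp_ccp_reset_trans and upward) are outside this hunk and should be confirmed to tolerate a NULL reset state on the receive path. A comment at the call, e.g. `/* reached under the lock taken in isdn_ppp_mp_receive(): must not sleep */`, would keep the flag from being changed back. As a style point, `rs = kzalloc(sizeof(*rs), GFP_ATOMIC);` ties the size to the variable instead of repeating the struct name.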
@@ -0,0 +1,53 @@
+From 9f5af546e6acc30f075828cb58c7f09665033967 Mon Sep 17 00:00:00 2001
+From: Annie Cherkaev
+Date: Sat, 15 Jul 2017 15:08:58 -0600
+Subject: isdn/i4l: fix buffer overflow
+
+From: Annie Cherkaev
+
+commit 9f5af546e6acc30f075828cb58c7f09665033967 upstream.
+
+This fixes a potential buffer overflow in isdn_net.c caused by an
+unbounded strcpy.
+
+[ ISDN seems to be effectively unmaintained, and the I4L driver in
+ particular is long deprecated, but in case somebody uses this..
+ - Linus ]
+
+Signed-off-by: Jiten Thakkar
+Signed-off-by: Annie Cherkaev
+Cc: Karsten Keil
+Cc: Kees Cook
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/isdn/i4l/isdn_common.c | 1 +
+ drivers/isdn/i4l/isdn_net.c | 5 ++---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1379,6 +1379,7 @@ isdn_ioctl(struct file *file, uint cmd,
+ if (arg) {
+ if (copy_from_user(bname, argp, sizeof(bname) - 1))
+ return -EFAULT;
++ bname[sizeof(bname)-1] = 0;
+ } else
+ return -EINVAL;
+ ret = mutex_lock_interruptible(&dev->mtx);
+--- a/drivers/isdn/i4l/isdn_net.c
++++ b/drivers/isdn/i4l/isdn_net.c
+@@ -2611,10 +2611,9 @@ isdn_net_newslave(char *parm)
+ char newname[10];
+
+ if (p) {
+- /* Slave-Name MUST not be empty */
+- if (!strlen(p + 1))
++ /* Slave-Name MUST not be empty or overflow 'newname' */
++ if (strscpy(newname, p + 1, sizeof(newname)) <= 0)
+ return NULL;
+- strcpy(newname, p + 1);
+ *p = 0;
+ /* Master must already exist */
+ if (!(n = isdn_net_findif(parm)))
diff --git a/queue-4.9/mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch b/queue-4.9/mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch
new file mode 100644
index 00000000000..aef959b556f
--- /dev/null
+++ b/queue-4.9/mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch
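Review bot: The added `bname[sizeof(bname)-1] = 0;` terminates the buffer in this one ioctl case only; other cases in isdn_ioctl that copy a name from user space into a stack buffer are outside the hunk and should be checked for the same missing terminator, because copy_from_user() copies raw bytes and never appends one. The commit message mentions only the strcpy in isdn_net.c, so a comment at the new line, e.g. `/* copy_from_user() does not NUL-terminate; bname is parsed as a C string below */`, would record why it is needed. In isdn_net_newslave the `strscpy(...) <= 0` test folds "empty" and "too long for newname" into the same NULL return, which rejects both safely but leaves the caller unable to tell them apart. Both functions continue outside the hunks.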
@@ -0,0 +1,40 @@
+From c61b781ee084e69855477d23dd33e7e6caad652c Mon Sep 17 00:00:00 2001
+From: Sudeep Holla
+Date: Tue, 21 Mar 2017 11:30:14 +0000
+Subject: mailbox: always wait in mbox_send_message for blocking Tx mode
+
+From: Sudeep Holla
+
+commit c61b781ee084e69855477d23dd33e7e6caad652c upstream.
+
+There exists a race when msg_submit return immediately as there was an
+active request being processed which may have completed just before it's
+checked again in mbox_send_message. This will result in return to the
+caller without waiting in mbox_send_message even when it's blocking Tx.
+
+This patch fixes the issue by waiting for the completion always if Tx
+is in blocking mode.
+
+Fixes: 2b6d83e2b8b7 ("mailbox: Introduce framework for mailbox")
+Reported-by: Alexey Klimov
+Signed-off-by: Sudeep Holla
+Reviewed-by: Alexey Klimov
+Signed-off-by: Jassi Brar
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mailbox/mailbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -261,7 +261,7 @@ int mbox_send_message(struct mbox_chan *
+
+ msg_submit(chan);
+
+- if (chan->cl->tx_block && chan->active_req) {
++ if (chan->cl->tx_block) {
+ unsigned long wait;
+ int ret;
+
diff --git a/queue-4.9/mailbox-handle-empty-message-in-tx_tick.patch b/queue-4.9/mailbox-handle-empty-message-in-tx_tick.patch
new file mode 100644
index 00000000000..3b789f37352
--- /dev/null
+++ b/queue-4.9/mailbox-handle-empty-message-in-tx_tick.patch
@@ -0,0 +1,40 @@
+From cb710ab1d8a23f68ff8f45aedf3e552bb90e70de Mon Sep 17 00:00:00 2001
+From: Sudeep Holla
+Date: Tue, 21 Mar 2017 11:30:16 +0000
+Subject: mailbox: handle empty message in tx_tick
+
+From: Sudeep Holla
+
+commit cb710ab1d8a23f68ff8f45aedf3e552bb90e70de upstream.
+
+We already check if the message is empty before calling the client
+tx_done callback. Calling completion on a wait event is also invalid
+if the message is empty.
+
+This patch moves the existing empty message check earlier.
+
+Fixes: 2b6d83e2b8b7 ("mailbox: Introduce framework for mailbox")
+Signed-off-by: Sudeep Holla
+Signed-off-by: Jassi Brar
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mailbox/mailbox.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -104,8 +104,11 @@ static void tx_tick(struct mbox_chan *ch
+ /* Submit next message */
+ msg_submit(chan);
+
++ if (!mssg)
++ return;
++
+ /* Notify the client */
+- if (mssg && chan->cl->tx_done)
++ if (chan->cl->tx_done)
+ chan->cl->tx_done(chan->cl, mssg, r);
+
+ if (r != -ETIME && chan->cl->tx_block)
diff --git a/queue-4.9/mailbox-skip-complete-wait-event-if-timer-expired.patch b/queue-4.9/mailbox-skip-complete-wait-event-if-timer-expired.patch
new file mode 100644
index 00000000000..49b5532dc29
--- /dev/null
+++ b/queue-4.9/mailbox-skip-complete-wait-event-if-timer-expired.patch
@@ -0,0 +1,53 @@
+From cc6eeaa3029a6dbcb4ad41b1f92876483bd88965 Mon Sep 17 00:00:00 2001
+From: Sudeep Holla
+Date: Tue, 21 Mar 2017 11:30:15 +0000
+Subject: mailbox: skip complete wait event if timer expired
+
+From: Sudeep Holla
+
+commit cc6eeaa3029a6dbcb4ad41b1f92876483bd88965 upstream.
+
+If a wait_for_completion_timeout() call returns due to a timeout,
+complete() can get called after returning from the wait which is
+incorrect and can cause subsequent transmissions on a channel to fail.
+Since the wait_for_completion_timeout() sees the completion variable
+is non-zero caused by the erroneous/spurious complete() call, and
+it immediately returns without waiting for the time as expected by the
+client.
+
+This patch fixes the issue by skipping complete() call for the timer
+expiry.
+
+Fixes: 2b6d83e2b8b7 ("mailbox: Introduce framework for mailbox")
+Reported-by: Alexey Klimov
+Signed-off-by: Sudeep Holla
+Signed-off-by: Jassi Brar
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mailbox/mailbox.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -108,7 +108,7 @@ static void tx_tick(struct mbox_chan *ch
+ if (mssg && chan->cl->tx_done)
+ chan->cl->tx_done(chan->cl, mssg, r);
+
+- if (chan->cl->tx_block)
++ if (r != -ETIME && chan->cl->tx_block)
+ complete(&chan->tx_complete);
+ }
+
+@@ -272,8 +272,8 @@ int mbox_send_message(struct mbox_chan *
+
+ ret = wait_for_completion_timeout(&chan->tx_complete, wait);
+ if (ret == 0) {
+- t = -EIO;
+- tx_tick(chan, -EIO);
++ t = -ETIME;
++ tx_tick(chan, t);
+ }
+ }
+
diff --git a/queue-4.9/rdma-uverbs-fix-the-check-for-port-number.patch b/queue-4.9/rdma-uverbs-fix-the-check-for-port-number.patch
new file mode 100644
index 00000000000..358532bbdc7
--- /dev/null
+++ b/queue-4.9/rdma-uverbs-fix-the-check-for-port-number.patch
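Review bot: In tx_tick the new `r != -ETIME` test turns an ordinary error code into an internal signal meaning "the waiter has already timed out". If a controller driver ever reports -ETIME through the normal completion path (those callers are outside this hunk), complete() would be skipped and a blocked sender would wait out its full timeout. A comment at the check, e.g. `/* -ETIME is set only by the timeout path in mbox_send_message(); that waiter has already returned */`, would document the reservation. The second hunk also changes `t` from -EIO to -ETIME; if `t` is what mbox_send_message returns (the return is not visible here), clients that test for -EIO on timeout see a different value after this patch.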
@@ -0,0 +1,39 @@
+From 5a7a88f1b488e4ee49eb3d5b82612d4d9ffdf2c3 Mon Sep 17 00:00:00 2001
+From: "Ismail, Mustafa"
+Date: Fri, 14 Jul 2017 09:41:30 -0500
+Subject: RDMA/uverbs: Fix the check for port number
+
+From: Ismail, Mustafa
+
+commit 5a7a88f1b488e4ee49eb3d5b82612d4d9ffdf2c3 upstream.
+
+The port number is only valid if IB_QP_PORT is set in the mask.
+So only check port number if it is valid to prevent modify_qp from
+failing due to an invalid port number.
+
+Fixes: 5ecce4c9b17b("Check port number supplied by user verbs cmds")
+Reviewed-by: Steve Wise
+Signed-off-by: Mustafa Ismail
+Tested-by: Mike Marciniszyn
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/infiniband/core/uverbs_cmd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -2342,8 +2342,9 @@ ssize_t ib_uverbs_modify_qp(struct ib_uv
+ if (copy_from_user(&cmd, buf, sizeof cmd))
+ return -EFAULT;
+
+- if (cmd.port_num < rdma_start_port(ib_dev) ||
+- cmd.port_num > rdma_end_port(ib_dev))
++ if ((cmd.attr_mask & IB_QP_PORT) &&
++ (cmd.port_num < rdma_start_port(ib_dev) ||
++ cmd.port_num > rdma_end_port(ib_dev)))
+ return -EINVAL;
+
+ INIT_UDATA(&udata, buf + sizeof cmd, NULL, in_len - sizeof cmd,
diff --git a/queue-4.9/sched-cgroup-move-sched_online_group-back-into-css_online-to-fix-crash.patch b/queue-4.9/sched-cgroup-move-sched_online_group-back-into-css_online-to-fix-crash.patch
new file mode 100644
index 00000000000..33874eac95f
--- /dev/null
+++ b/queue-4.9/sched-cgroup-move-sched_online_group-back-into-css_online-to-fix-crash.patch
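Review bot: The range check on `cmd.port_num` now runs only when `cmd.attr_mask & IB_QP_PORT` is set, and `attr_mask` is read from the same user buffer, so the guard is sound only if every later use of `port_num` is gated on that same bit; those uses are outside this hunk and worth confirming. The check also covers the primary port only: if the command's alternate-path port is consumed under IB_QP_ALT_PATH further down (not visible here), it wants an equivalent bounds test on `cmd.alt_port_num` against `rdma_start_port(ib_dev)` and `rdma_end_port(ib_dev)` before use. A comment such as `/* port_num is meaningful only when IB_QP_PORT is set; unchecked otherwise because it must not be consumed */` would state the invariant the code relies on. ib_uverbs_modify_qp continues outside the hunk.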
@@ -0,0 +1,94 @@
+From 96b777452d8881480fd5be50112f791c17db4b6b Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov
+Date: Wed, 8 Feb 2017 14:27:27 +0300
+Subject: sched/cgroup: Move sched_online_group() back into css_online() to fix crash
+
+From: Konstantin Khlebnikov
+
+commit 96b777452d8881480fd5be50112f791c17db4b6b upstream.
+
+Commit:
+
+ 2f5177f0fd7e ("sched/cgroup: Fix/cleanup cgroup teardown/init")
+
+.. moved sched_online_group() from css_online() to css_alloc().
+It exposes half-baked task group into global lists before initializing
+generic cgroup stuff.
+
+LTP testcase (third in cgroup_regression_test) written for testing
+similar race in kernels 2.6.26-2.6.28 easily triggers this oops:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ IP: kernfs_path_from_node_locked+0x260/0x320
+ CPU: 1 PID: 30346 Comm: cat Not tainted 4.10.0-rc5-test #4
+ Call Trace:
+ ? kernfs_path_from_node+0x4f/0x60
+ kernfs_path_from_node+0x3e/0x60
+ print_rt_rq+0x44/0x2b0
+ print_rt_stats+0x7a/0xd0
+ print_cpu+0x2fc/0xe80
+ ? __might_sleep+0x4a/0x80
+ sched_debug_show+0x17/0x30
+ seq_read+0xf2/0x3b0
+ proc_reg_read+0x42/0x70
+ __vfs_read+0x28/0x130
+ ? security_file_permission+0x9b/0xc0
+ ? rw_verify_area+0x4e/0xb0
+ vfs_read+0xa5/0x170
+ SyS_read+0x46/0xa0
+ entry_SYSCALL_64_fastpath+0x1e/0xad
+
+Here the task group is already linked into the global RCU-protected 'task_groups'
+list, but the css->cgroup pointer is still NULL.
+
+This patch reverts this chunk and moves online back to css_online().
+
+Signed-off-by: Konstantin Khlebnikov
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Tejun Heo
+Cc: Thomas Gleixner
+Fixes: 2f5177f0fd7e ("sched/cgroup: Fix/cleanup cgroup teardown/init")
+Link: http://lkml.kernel.org/r/148655324740.424917.5302984537258726349.stgit@buzz
+Signed-off-by: Ingo Molnar
+Signed-off-by: Matt Fleming
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/sched/core.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -8376,11 +8376,20 @@ cpu_cgroup_css_alloc(struct cgroup_subsy
+ if (IS_ERR(tg))
+ return ERR_PTR(-ENOMEM);
+
+- sched_online_group(tg, parent);
+-
+ return &tg->css;
+ }
+
++/* Expose task group only after completing cgroup initialization */
++static int cpu_cgroup_css_online(struct cgroup_subsys_state *css)
++{
++ struct task_group *tg = css_tg(css);
++ struct task_group *parent = css_tg(css->parent);
++
++ if (parent)
++ sched_online_group(tg, parent);
++ return 0;
++}
++
+ static void cpu_cgroup_css_released(struct cgroup_subsys_state *css)
+ {
+ struct task_group *tg = css_tg(css);
+@@ -8783,6 +8792,7 @@ static struct cftype cpu_files[] = {
+
+ struct cgroup_subsys cpu_cgrp_subsys = {
+ .css_alloc = cpu_cgroup_css_alloc,
++ .css_online = cpu_cgroup_css_online,
+ .css_released = cpu_cgroup_css_released,
+ .css_free = cpu_cgroup_css_free,
+ .fork = cpu_cgroup_fork,
diff --git a/queue-4.9/series b/queue-4.9/series
index 62687094b67..25ffbf7438c 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
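Review bot: The new cpu_cgroup_css_online() skips sched_online_group() when `parent` is NULL, and that guard only works if css_tg() maps a NULL `css->parent` to NULL, which is not visible in this hunk; the one-line comment above the function does not mention either point. Extending it, e.g. `/* Expose task group only after completing cgroup initialization; a css without a parent (presumably the root group) is not put online here. */`, would make the guard's purpose explicit. The ordering is the substance of the fix: per the commit message, readers walk the RCU-protected task_groups list and dereference css->cgroup, so a group must not be linked there before the cgroup core has finished setting it up.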
@@ -26,3 +26,13 @@ smp-hotplug-replace-bug_on-and-react-useful.patch
 nfc-fix-hangup-of-rc-s380-in-port100_send_ack.patch
 nfc-fdp-fix-null-pointer-dereference.patch
 net-phy-do-not-perform-software-reset-for-generic-phy.patch
+isdn-fix-a-sleep-in-atomic-bug.patch
+isdn-i4l-fix-buffer-overflow.patch
+ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch
+wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch
+mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch
+mailbox-skip-complete-wait-event-if-timer-expired.patch
+mailbox-handle-empty-message-in-tx_tick.patch
+sched-cgroup-move-sched_online_group-back-into-css_online-to-fix-crash.patch
+rdma-uverbs-fix-the-check-for-port-number.patch
+ipmi-watchdog-fix-watchdog-timeout-set-on-reboot.patch
diff --git a/queue-4.9/wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch b/queue-4.9/wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch
new file mode 100644
index 00000000000..35cc21a8aa9
--- /dev/null
+++ b/queue-4.9/wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch
@@ -0,0 +1,53 @@
+From dfb5b098e0f40b68aa07f2ec55f4dd762efefbfa Mon Sep 17 00:00:00 2001
+From: Lior David
+Date: Wed, 23 Nov 2016 16:06:41 +0200
+Subject: wil6210: fix deadlock when using fw_no_recovery option
+
+From: Lior David
+
+commit dfb5b098e0f40b68aa07f2ec55f4dd762efefbfa upstream.
+
+When FW crashes with no_fw_recovery option, driver
+waits for manual recovery with wil->mutex held, this
+can easily create deadlocks.
+Fix the problem by moving the wait outside the lock.
+
+Signed-off-by: Lior David
+Signed-off-by: Maya Erez
+Signed-off-by: Kalle Valo
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/wil6210/main.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/main.c
++++ b/drivers/net/wireless/ath/wil6210/main.c
+@@ -384,18 +384,19 @@ static void wil_fw_error_worker(struct w
+
+ wil->last_fw_recovery = jiffies;
+
++ wil_info(wil, "fw error recovery requested (try %d)...\n",
++ wil->recovery_count);
++ if (!no_fw_recovery)
++ wil->recovery_state = fw_recovery_running;
++ if (wil_wait_for_recovery(wil) != 0)
++ return;
++
+ mutex_lock(&wil->mutex);
+ switch (wdev->iftype) {
+ case NL80211_IFTYPE_STATION:
+ case NL80211_IFTYPE_P2P_CLIENT:
+ case NL80211_IFTYPE_MONITOR:
+- wil_info(wil, "fw error recovery requested (try %d)...\n",
+- wil->recovery_count);
+- if (!no_fw_recovery)
+- wil->recovery_state = fw_recovery_running;
+- if (0 != wil_wait_for_recovery(wil))
+- break;
+-
++ /* silent recovery, upper layers will see disconnect */
+ __wil_down(wil);
+ __wil_up(wil);
+ break;
-- 2.47.3
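Review bot: After this change `wil->recovery_state = fw_recovery_running;` is written before `mutex_lock(&wil->mutex)`, so the state update is no longer covered by the lock. If other code reads or updates recovery_state under wil->mutex (not visible in this hunk), the unlocked write needs either a comment saying why it is safe or an explicit ordering primitive. The wil_info() message and wil_wait_for_recovery() also now run for every interface type instead of only the STATION, P2P_CLIENT and MONITOR cases, so the "recovery requested" log line can appear for types whose switch arm (outside the hunk) may not restart the device. A comment at the wait, e.g. `/* wait outside wil->mutex: manual recovery may need the lock */`, would keep a later edit from moving it back under the mutex.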