From fa80e62a5a563da4d6a8299c67036cd1a44c60ad Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Tue, 6 Nov 2018 01:33:32 -0500
Subject: [PATCH] 4.4-stable patches
Signed-off-by: Sasha Levin
---
 ...e-result-code-of-ahci_reset_controll.patch | 73 +++++++++++++++++++
 ...-a-sleep-in-atomic-bug-in-shash_setk.patch | 53 ++++++++++++++
 queue-4.4/series | 2 +
 3 files changed, 128 insertions(+)
 create mode 100644 queue-4.4/ahci-don-t-ignore-result-code-of-ahci_reset_controll.patch
 create mode 100644 queue-4.4/crypto-shash-fix-a-sleep-in-atomic-bug-in-shash_setk.patch
diff --git a/queue-4.4/ahci-don-t-ignore-result-code-of-ahci_reset_controll.patch b/queue-4.4/ahci-don-t-ignore-result-code-of-ahci_reset_controll.patch
new file mode 100644
index 00000000000..b01012cdd60
--- /dev/null
+++ b/queue-4.4/ahci-don-t-ignore-result-code-of-ahci_reset_controll.patch
@@ -0,0 +1,73 @@
+From 76d1eb539a62b8ca5951bc3e958fdc3270acff4c Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Mon, 2 Oct 2017 19:31:24 +0100
+Subject: ahci: don't ignore result code of ahci_reset_controller()
+
+[ Upstream commit d312fefea8387503375f728855c9a62de20c9665 ]
+
+ahci_pci_reset_controller() calls ahci_reset_controller(), which may
+fail, but ignores the result code and always returns success. This
+may result in failures like below
+
+ ahci 0000:02:00.0: version 3.0
+ ahci 0000:02:00.0: enabling device (0000 -> 0003)
+ ahci 0000:02:00.0: SSS flag set, parallel bus scan disabled
+ ahci 0000:02:00.0: controller reset failed (0xffffffff)
+ ahci 0000:02:00.0: failed to stop engine (-5)
+ ... repeated many times ...
+ ahci 0000:02:00.0: failed to stop engine (-5)
+ Unable to handle kernel paging request at virtual address ffff0000093f9018
+ ...
+ PC is at ahci_stop_engine+0x5c/0xd8 [libahci]
+ LR is at ahci_deinit_port.constprop.12+0x1c/0xc0 [libahci]
+ ...
+ [] ahci_stop_engine+0x5c/0xd8 [libahci]
+ [] ahci_deinit_port.constprop.12+0x1c/0xc0 [libahci]
+ [] ahci_init_controller+0x80/0x168 [libahci]
+ [] ahci_pci_init_controller+0x60/0x68 [ahci]
+ [] ahci_init_one+0x75c/0xd88 [ahci]
+ [] local_pci_probe+0x3c/0xb8
+ [] pci_device_probe+0x138/0x170
+ [] driver_probe_device+0x2dc/0x458
+ [] __driver_attach+0x114/0x118
+ [] bus_for_each_dev+0x60/0xa0
+ [] driver_attach+0x20/0x28
+ [] bus_add_driver+0x1f0/0x2a8
+ [] driver_register+0x60/0xf8
+ [] __pci_register_driver+0x3c/0x48
+ [] ahci_pci_driver_init+0x1c/0x1000 [ahci]
+ [] do_one_initcall+0x38/0x120
+
+where an obvious hardware level failure results in an unnecessary 15 second
+delay and a subsequent crash.
+
+So record the result code of ahci_reset_controller() and relay it, rather
+than ignoring it.
+
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Tejun Heo
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/ahci.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index 34fdaa6e99ba..5f1f049063dd 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -619,8 +619,11 @@ static void ahci_pci_save_initial_config(struct pci_dev *pdev,
+ static int ahci_pci_reset_controller(struct ata_host *host)
+ {
+ struct pci_dev *pdev = to_pci_dev(host->dev);
++ int rc;
+
+- ahci_reset_controller(host);
++ rc = ahci_reset_controller(host);
++ if (rc)
++ return rc;
+
+ if (pdev->vendor == PCI_VENDOR_ID_INTEL) {
+ struct ahci_host_priv *hpriv = host->private_data;
+--
+2.17.1
+
diff --git a/queue-4.4/crypto-shash-fix-a-sleep-in-atomic-bug-in-shash_setk.patch b/queue-4.4/crypto-shash-fix-a-sleep-in-atomic-bug-in-shash_setk.patch
new file mode 100644
index 00000000000..f3903f54c28
--- /dev/null
+++ b/queue-4.4/crypto-shash-fix-a-sleep-in-atomic-bug-in-shash_setk.patch
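Review bot: The early `return rc;` added to ahci_pci_reset_controller() only avoids the crash shown in the log if every caller acts on a non-zero result, and those callers are not part of this hunk (the function body also continues past its last line). For the 4.4 backport it is worth confirming that the probe and resume paths check the return value instead of carrying on to ahci_pci_init_controller(). I would also record the intent next to the check, for example `/* reset failed: skip the Intel port setup below and let the caller abort */`.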
@@ -0,0 +1,53 @@
+From 1f62e04044332dc91fe4c528043060d9b250475f Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai
+Date: Tue, 3 Oct 2017 10:25:22 +0800
+Subject: crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned
+
+[ Upstream commit 9039f3ef446e9ffa200200c934f049add9e58426 ]
+
+The SCTP program may sleep under a spinlock, and the function call path is:
+sctp_generate_t3_rtx_event (acquire the spinlock)
+ sctp_do_sm
+ sctp_side_effects
+ sctp_cmd_interpreter
+ sctp_make_init_ack
+ sctp_pack_cookie
+ crypto_shash_setkey
+ shash_setkey_unaligned
+ kmalloc(GFP_KERNEL)
+
+For the same reason, the orinoco driver may sleep in interrupt handler,
+and the function call path is:
+orinoco_rx_isr_tasklet
+ orinoco_rx
+ orinoco_mic
+ crypto_shash_setkey
+ shash_setkey_unaligned
+ kmalloc(GFP_KERNEL)
+
+To fix it, GFP_KERNEL is replaced with GFP_ATOMIC.
+This bug is found by my static analysis tool and my code review.
+
+Signed-off-by: Jia-Ju Bai
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ crypto/shash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/shash.c b/crypto/shash.c
+index 5444b429e35d..4f89f78031e2 100644
+--- a/crypto/shash.c
++++ b/crypto/shash.c
+@@ -41,7 +41,7 @@ static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
+ int err;
+
+ absize = keylen + (alignmask & ~(crypto_tfm_ctx_alignment() - 1));
+- buffer = kmalloc(absize, GFP_KERNEL);
++ buffer = kmalloc(absize, GFP_ATOMIC);
+ if (!buffer)
+ return -ENOMEM;
+
+--
+2.17.1
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 662c65cb08e..e8bfb558af1 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
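Review bot: Allocating the bounce buffer in shash_setkey_unaligned() with `kmalloc(absize, GFP_ATOMIC)` makes the `-ENOMEM` return more reachable under memory pressure, so the atomic callers named in the commit message (sctp_pack_cookie, orinoco_mic) have to check the result of crypto_shash_setkey(); if one ignores it, a MAC could be computed with an unset or stale key. Those callers are outside this hunk and should be confirmed in the 4.4 tree. The buffer also receives a copy of the key and its release lies past the end of the hunk, so it is worth checking that it is cleared before being freed (`kzfree(buffer)` rather than `kfree(buffer)`). I would add a comment on the allocation: `/* setkey can be reached under a spinlock or from a tasklet (SCTP, orinoco), so this must not sleep */`.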
@@ -99,3 +99,5 @@ net-drop-skb-on-failure-in-ip_check_defrag.patch
 vhost-fix-spectre-v1-vulnerability.patch
 rtnetlink-disallow-fdb-configuration-for-non-ethernet-device.patch
 mremap-properly-flush-tlb-before-releasing-the-page.patch
+crypto-shash-fix-a-sleep-in-atomic-bug-in-shash_setk.patch
+ahci-don-t-ignore-result-code-of-ahci_reset_controll.patch
--
2.47.2