--- /dev/null
+From 8c2f870890fd28e023b0fcf49dcee333f2c8bad7 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 16 Apr 2019 15:25:00 +0200
+Subject: ALSA: info: Fix racy addition/deletion of nodes
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8c2f870890fd28e023b0fcf49dcee333f2c8bad7 upstream.
+
+The ALSA proc helper manages the child nodes in a linked list, but its
+addition and deletion is done without any lock. This leads to a
+corruption if they are operated concurrently. Usually this isn't a
+problem because the proc entries are added sequentially in the driver
+probe procedure itself. But the card registrations are done often
+asynchronously, and the crash could be actually reproduced with
+syzkaller.
+
+This patch papers over it by protecting the link addition and deletion
+with the parent's mutex. There is "access" mutex that is used for the
+file access, and this can be reused for this purpose as well.
+
+Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/info.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/sound/core/info.c
++++ b/sound/core/info.c
+@@ -724,8 +724,11 @@ snd_info_create_entry(const char *name,
+ INIT_LIST_HEAD(&entry->children);
+ INIT_LIST_HEAD(&entry->list);
+ entry->parent = parent;
+- if (parent)
++ if (parent) {
++ mutex_lock(&parent->access);
+ list_add_tail(&entry->list, &parent->children);
++ mutex_unlock(&parent->access);
++ }
+ return entry;
+ }
+
+@@ -809,7 +812,12 @@ void snd_info_free_entry(struct snd_info
+ list_for_each_entry_safe(p, n, &entry->children, list)
+ snd_info_free_entry(p);
+
+- list_del(&entry->list);
++ p = entry->parent;
++ if (p) {
++ mutex_lock(&p->access);
++ list_del(&entry->list);
++ mutex_unlock(&p->access);
++ }
+ kfree(entry->name);
+ if (entry->private_free)
+ entry->private_free(entry);
--- /dev/null
+From 0fcc4c8c044e117ac126ab6df4138ea9a67fa2a9 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 19 Mar 2019 02:36:59 +0100
+Subject: device_cgroup: fix RCU imbalance in error case
+
+From: Jann Horn <jannh@google.com>
+
+commit 0fcc4c8c044e117ac126ab6df4138ea9a67fa2a9 upstream.
+
+When dev_exception_add() returns an error (due to a failed memory
+allocation), make sure that we move the RCU preemption count back to where
+it was before we were called. We dropped the RCU read lock inside the loop
+body, so we can't just "break".
+
+sparse complains about this, too:
+
+$ make -s C=2 security/device_cgroup.o
+./include/linux/rcupdate.h:647:9: warning: context imbalance in
+'propagate_exception' - unexpected unlock
+
+Fixes: d591fb56618f ("device_cgroup: simplify cgroup tree walk in propagate_exception()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/device_cgroup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/device_cgroup.c
++++ b/security/device_cgroup.c
+@@ -568,7 +568,7 @@ static int propagate_exception(struct de
+ devcg->behavior == DEVCG_DEFAULT_ALLOW) {
+ rc = dev_exception_add(devcg, ex);
+ if (rc)
+- break;
++ return rc;
+ } else {
+ /*
+ * in the other possible cases:
--- /dev/null
+From e8277b3b52240ec1caad8e6df278863e4bf42eac Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Thu, 18 Apr 2019 17:50:20 -0700
+Subject: mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+commit e8277b3b52240ec1caad8e6df278863e4bf42eac upstream.
+
+Commit 58bc4c34d249 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly")
+depends on skipping vmstat entries with empty name introduced in
+7aaf77272358 ("mm: don't show nr_indirectly_reclaimable in
+/proc/vmstat") but reverted in b29940c1abd7 ("mm: rename and change
+semantics of nr_indirectly_reclaimable_bytes").
+
+So skipping no longer works and /proc/vmstat has misformatted lines " 0".
+
+This patch simply shows debug counters "nr_tlb_remote_*" for UP.
+
+Link: http://lkml.kernel.org/r/155481488468.467.4295519102880913454.stgit@buzz
+Fixes: 58bc4c34d249 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly")
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Roman Gushchin <guro@fb.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/vmstat.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/mm/vmstat.c
++++ b/mm/vmstat.c
+@@ -857,13 +857,8 @@ const char * const vmstat_text[] = {
+ #endif
+ #endif /* CONFIG_MEMORY_BALLOON */
+ #ifdef CONFIG_DEBUG_TLBFLUSH
+-#ifdef CONFIG_SMP
+ "nr_tlb_remote_flush",
+ "nr_tlb_remote_flush_received",
+-#else
+- "", /* nr_tlb_remote_flush */
+- "", /* nr_tlb_remote_flush_received */
+-#endif /* CONFIG_SMP */
+ "nr_tlb_local_flush_all",
+ "nr_tlb_local_flush_one",
+ #endif /* CONFIG_DEBUG_TLBFLUSH */
mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch
revert-kbuild-use-oz-instead-of-os-when-using-clang.patch
sched-fair-limit-sched_cfs_period_timer-loop-to-avoi.patch
+device_cgroup-fix-rcu-imbalance-in-error-case.patch
+mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y-config_smp-n.patch
+alsa-info-fix-racy-addition-deletion-of-nodes.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
