From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 24 Apr 2019 13:52:53 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v3.18.139~25
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4408563cb211718f03b6fa05112caae881e1c584;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	alsa-info-fix-racy-addition-deletion-of-nodes.patch
	device_cgroup-fix-rcu-imbalance-in-error-case.patch
	mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y-config_smp-n.patch
---

diff --git a/queue-4.4/alsa-info-fix-racy-addition-deletion-of-nodes.patch b/queue-4.4/alsa-info-fix-racy-addition-deletion-of-nodes.patch
new file mode 100644
index 00000000000..2376752fac4
--- /dev/null
+++ b/queue-4.4/alsa-info-fix-racy-addition-deletion-of-nodes.patch
@@ -0,0 +1,59 @@
+From 8c2f870890fd28e023b0fcf49dcee333f2c8bad7 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 16 Apr 2019 15:25:00 +0200
+Subject: ALSA: info: Fix racy addition/deletion of nodes
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8c2f870890fd28e023b0fcf49dcee333f2c8bad7 upstream.
+
+The ALSA proc helper manages the child nodes in a linked list, but its
+addition and deletion is done without any lock.  This leads to a
+corruption if they are operated concurrently.  Usually this isn't a
+problem because the proc entries are added sequentially in the driver
+probe procedure itself.  But the card registrations are done often
+asynchronously, and the crash could be actually reproduced with
+syzkaller.
+
+This patch papers over it by protecting the link addition and deletion
+with the parent's mutex.  There is "access" mutex that is used for the
+file access, and this can be reused for this purpose as well.
+
+Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/info.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/sound/core/info.c
++++ b/sound/core/info.c
+@@ -724,8 +724,11 @@ snd_info_create_entry(const char *name,
+ 	INIT_LIST_HEAD(&entry->children);
+ 	INIT_LIST_HEAD(&entry->list);
+ 	entry->parent = parent;
+-	if (parent)
++	if (parent) {
++		mutex_lock(&parent->access);
+ 		list_add_tail(&entry->list, &parent->children);
++		mutex_unlock(&parent->access);
++	}
+ 	return entry;
+ }
+ 
+@@ -809,7 +812,12 @@ void snd_info_free_entry(struct snd_info
+ 	list_for_each_entry_safe(p, n, &entry->children, list)
+ 		snd_info_free_entry(p);
+ 
+-	list_del(&entry->list);
++	p = entry->parent;
++	if (p) {
++		mutex_lock(&p->access);
++		list_del(&entry->list);
++		mutex_unlock(&p->access);
++	}
+ 	kfree(entry->name);
+ 	if (entry->private_free)
+ 		entry->private_free(entry);
diff --git a/queue-4.4/device_cgroup-fix-rcu-imbalance-in-error-case.patch b/queue-4.4/device_cgroup-fix-rcu-imbalance-in-error-case.patch
new file mode 100644
index 00000000000..90c833ea22e
--- /dev/null
+++ b/queue-4.4/device_cgroup-fix-rcu-imbalance-in-error-case.patch
@@ -0,0 +1,42 @@
+From 0fcc4c8c044e117ac126ab6df4138ea9a67fa2a9 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 19 Mar 2019 02:36:59 +0100
+Subject: device_cgroup: fix RCU imbalance in error case
+
+From: Jann Horn <jannh@google.com>
+
+commit 0fcc4c8c044e117ac126ab6df4138ea9a67fa2a9 upstream.
+
+When dev_exception_add() returns an error (due to a failed memory
+allocation), make sure that we move the RCU preemption count back to where
+it was before we were called. We dropped the RCU read lock inside the loop
+body, so we can't just "break".
+
+sparse complains about this, too:
+
+$ make -s C=2 security/device_cgroup.o
+./include/linux/rcupdate.h:647:9: warning: context imbalance in
+'propagate_exception' - unexpected unlock
+
+Fixes: d591fb56618f ("device_cgroup: simplify cgroup tree walk in propagate_exception()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/device_cgroup.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/device_cgroup.c
++++ b/security/device_cgroup.c
+@@ -568,7 +568,7 @@ static int propagate_exception(struct de
+ 		    devcg->behavior == DEVCG_DEFAULT_ALLOW) {
+ 			rc = dev_exception_add(devcg, ex);
+ 			if (rc)
+-				break;
++				return rc;
+ 		} else {
+ 			/*
+ 			 * in the other possible cases:
diff --git a/queue-4.4/mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y-config_smp-n.patch b/queue-4.4/mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y-config_smp-n.patch
new file mode 100644
index 00000000000..3517950f4b3
--- /dev/null
+++ b/queue-4.4/mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y-config_smp-n.patch
@@ -0,0 +1,50 @@
+From e8277b3b52240ec1caad8e6df278863e4bf42eac Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Thu, 18 Apr 2019 17:50:20 -0700
+Subject: mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+commit e8277b3b52240ec1caad8e6df278863e4bf42eac upstream.
+
+Commit 58bc4c34d249 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly")
+depends on skipping vmstat entries with empty name introduced in
+7aaf77272358 ("mm: don't show nr_indirectly_reclaimable in
+/proc/vmstat") but reverted in b29940c1abd7 ("mm: rename and change
+semantics of nr_indirectly_reclaimable_bytes").
+
+So skipping no longer works and /proc/vmstat has misformatted lines " 0".
+
+This patch simply shows debug counters "nr_tlb_remote_*" for UP.
+
+Link: http://lkml.kernel.org/r/155481488468.467.4295519102880913454.stgit@buzz
+Fixes: 58bc4c34d249 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly")
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Roman Gushchin <guro@fb.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/vmstat.c |    5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/mm/vmstat.c
++++ b/mm/vmstat.c
+@@ -857,13 +857,8 @@ const char * const vmstat_text[] = {
+ #endif
+ #endif /* CONFIG_MEMORY_BALLOON */
+ #ifdef CONFIG_DEBUG_TLBFLUSH
+-#ifdef CONFIG_SMP
+ 	"nr_tlb_remote_flush",
+ 	"nr_tlb_remote_flush_received",
+-#else
+-	"", /* nr_tlb_remote_flush */
+-	"", /* nr_tlb_remote_flush_received */
+-#endif /* CONFIG_SMP */
+ 	"nr_tlb_local_flush_all",
+ 	"nr_tlb_local_flush_one",
+ #endif /* CONFIG_DEBUG_TLBFLUSH */
diff --git a/queue-4.4/series b/queue-4.4/series
index 8266f6576aa..9107869a550 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -163,3 +163,6 @@ kprobes-fix-error-check-when-reusing-optimized-probes.patch
 mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch
 revert-kbuild-use-oz-instead-of-os-when-using-clang.patch
 sched-fair-limit-sched_cfs_period_timer-loop-to-avoi.patch
+device_cgroup-fix-rcu-imbalance-in-error-case.patch
+mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y-config_smp-n.patch
+alsa-info-fix-racy-addition-deletion-of-nodes.patch