From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 18 Jun 2017 10:57:58 +0000 (+0800)
Subject: 4.11-stable patches
X-Git-Tag: v4.11.7~26
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8ccd45073c0429ae854965fdd38d0420d9161e22;p=thirdparty%2Fkernel%2Fstable-queue.git

4.11-stable patches

added patches:
	alarmtimer-prevent-overflow-of-relative-timers.patch
	genirq-release-resources-in-__setup_irq-error-path.patch
	sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch
---

diff --git a/queue-4.11/alarmtimer-prevent-overflow-of-relative-timers.patch b/queue-4.11/alarmtimer-prevent-overflow-of-relative-timers.patch
new file mode 100644
index 00000000000..6be20600aff
--- /dev/null
+++ b/queue-4.11/alarmtimer-prevent-overflow-of-relative-timers.patch
@@ -0,0 +1,65 @@
+From f4781e76f90df7aec400635d73ea4c35ee1d4765 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 30 May 2017 23:15:34 +0200
+Subject: alarmtimer: Prevent overflow of relative timers
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit f4781e76f90df7aec400635d73ea4c35ee1d4765 upstream.
+
+Andrey reported a alartimer related RCU stall while fuzzing the kernel with
+syzkaller.
+
+The reason for this is an overflow in ktime_add() which brings the
+resulting time into negative space and causes immediate expiry of the
+timer. The following rearm with a small interval does not bring the timer
+back into positive space due to the same issue.
+
+This results in a permanent firing alarmtimer which hogs the CPU.
+
+Use ktime_add_safe() instead which detects the overflow and clamps the
+result to KTIME_SEC_MAX.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Kostya Serebryany <kcc@google.com>
+Cc: syzkaller <syzkaller@googlegroups.com>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Link: http://lkml.kernel.org/r/20170530211655.802921648@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/alarmtimer.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -387,7 +387,7 @@ void alarm_start_relative(struct alarm *
+ {
+ 	struct alarm_base *base = &alarm_bases[alarm->type];
+ 
+-	start = ktime_add(start, base->gettime());
++	start = ktime_add_safe(start, base->gettime());
+ 	alarm_start(alarm, start);
+ }
+ EXPORT_SYMBOL_GPL(alarm_start_relative);
+@@ -475,7 +475,7 @@ u64 alarm_forward(struct alarm *alarm, k
+ 		overrun++;
+ 	}
+ 
+-	alarm->node.expires = ktime_add(alarm->node.expires, interval);
++	alarm->node.expires = ktime_add_safe(alarm->node.expires, interval);
+ 	return overrun;
+ }
+ EXPORT_SYMBOL_GPL(alarm_forward);
+@@ -666,7 +666,7 @@ static int alarm_timer_set(struct k_itim
+ 		ktime_t now;
+ 
+ 		now = alarm_bases[timr->it.alarm.alarmtimer.type].gettime();
+-		exp = ktime_add(now, exp);
++		exp = ktime_add_safe(now, exp);
+ 	}
+ 
+ 	alarm_start(&timr->it.alarm.alarmtimer, exp);
diff --git a/queue-4.11/genirq-release-resources-in-__setup_irq-error-path.patch b/queue-4.11/genirq-release-resources-in-__setup_irq-error-path.patch
new file mode 100644
index 00000000000..e4251748f31
--- /dev/null
+++ b/queue-4.11/genirq-release-resources-in-__setup_irq-error-path.patch
@@ -0,0 +1,38 @@
+From fa07ab72cbb0d843429e61bf179308aed6cbe0dd Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Sun, 11 Jun 2017 00:38:36 +0200
+Subject: genirq: Release resources in __setup_irq() error path
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+commit fa07ab72cbb0d843429e61bf179308aed6cbe0dd upstream.
+
+In case __irq_set_trigger() fails the resources requested via
+irq_request_resources() are not released.
+
+Add the missing release call into the error handling path.
+
+Fixes: c1bacbae8192 ("genirq: Provide irq_request/release_resources chip callbacks")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/655538f5-cb20-a892-ff15-fbd2dd1fa4ec@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/irq/manage.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -1310,8 +1310,10 @@ __setup_irq(unsigned int irq, struct irq
+ 			ret = __irq_set_trigger(desc,
+ 						new->flags & IRQF_TRIGGER_MASK);
+ 
+-			if (ret)
++			if (ret) {
++				irq_release_resources(desc);
+ 				goto out_mask;
++			}
+ 		}
+ 
+ 		desc->istate &= ~(IRQS_AUTODETECT | IRQS_SPURIOUS_DISABLED | \
diff --git a/queue-4.11/sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch b/queue-4.11/sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch
new file mode 100644
index 00000000000..1d7cfdd362e
--- /dev/null
+++ b/queue-4.11/sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch
@@ -0,0 +1,43 @@
+From 252d2a4117bc181b287eeddf848863788da733ae Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Fri, 9 Jun 2017 11:49:15 -0700
+Subject: sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off()
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 252d2a4117bc181b287eeddf848863788da733ae upstream.
+
+idle_task_exit() can be called with IRQs on x86 on and therefore
+should use switch_mm(), not switch_mm_irqs_off().
+
+This doesn't seem to cause any problems right now, but it will
+confuse my upcoming TLB flush changes.  Nonetheless, I think it
+should be backported because it's trivial.  There won't be any
+meaningful performance impact because idle_task_exit() is only
+used when offlining a CPU.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: f98db6013c55 ("sched/core: Add switch_mm_irqs_off() and use it in the scheduler")
+Link: http://lkml.kernel.org/r/ca3d1a9fa93a0b49f5a8ff729eda3640fb6abdf9.1497034141.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5533,7 +5533,7 @@ void idle_task_exit(void)
+ 	BUG_ON(cpu_online(smp_processor_id()));
+ 
+ 	if (mm != &init_mm) {
+-		switch_mm_irqs_off(mm, &init_mm, current);
++		switch_mm(mm, &init_mm, current);
+ 		finish_arch_post_lock_switch();
+ 	}
+ 	mmdrop(mm);
diff --git a/queue-4.11/series b/queue-4.11/series
index 4220d597acb..e2f993de76c 100644
--- a/queue-4.11/series
+++ b/queue-4.11/series
@@ -65,3 +65,6 @@ userfaultfd-shmem-handle-coredumping-in-handle_userfault.patch
 iio-imu-inv_mpu6050-add-accel-lpf-setting-for-chip-mpu6500.patch
 staging-iio-ad7152-fix-deadlock-in-ad7152_write_raw_samp_freq.patch
 iio-adc-meson-saradc-fix-potential-crash-in-meson_sar_adc_clear_fifo.patch
+sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch
+genirq-release-resources-in-__setup_irq-error-path.patch
+alarmtimer-prevent-overflow-of-relative-timers.patch