From: Greg Kroah-Hartman Date: Sun, 18 Jun 2017 10:59:21 +0000 (+0800) Subject: 4.9-stable patches X-Git-Tag: v4.11.7~24 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cab9587b100484ccf5e486aebfa4d08f62c4ee83;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alarmtimer-prevent-overflow-of-relative-timers.patch genirq-release-resources-in-__setup_irq-error-path.patch sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch usb-dwc3-exynos-fix-axius-clock-error-path-to-do-cleanup.patch usb-gadget-composite-fix-function-used-to-free-memory.patch
---
diff --git a/queue-4.9/alarmtimer-prevent-overflow-of-relative-timers.patch b/queue-4.9/alarmtimer-prevent-overflow-of-relative-timers.patch
new file mode 100644
index 00000000000..e5c17ff3210
--- /dev/null
+++ b/queue-4.9/alarmtimer-prevent-overflow-of-relative-timers.patch
@@ -0,0 +1,65 @@
+From f4781e76f90df7aec400635d73ea4c35ee1d4765 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Tue, 30 May 2017 23:15:34 +0200
+Subject: alarmtimer: Prevent overflow of relative timers
+
+From: Thomas Gleixner
+
+commit f4781e76f90df7aec400635d73ea4c35ee1d4765 upstream.
+
+Andrey reported a alartimer related RCU stall while fuzzing the kernel with
+syzkaller.
+
+The reason for this is an overflow in ktime_add() which brings the
+resulting time into negative space and causes immediate expiry of the
+timer. The following rearm with a small interval does not bring the timer
+back into positive space due to the same issue.
+
+This results in a permanent firing alarmtimer which hogs the CPU.
+
+Use ktime_add_safe() instead which detects the overflow and clamps the
+result to KTIME_SEC_MAX.
+
+Reported-by: Andrey Konovalov
+Signed-off-by: Thomas Gleixner
+Cc: Peter Zijlstra
+Cc: Kostya Serebryany
+Cc: syzkaller
+Cc: John Stultz
+Cc: Dmitry Vyukov
+Link: http://lkml.kernel.org/r/20170530211655.802921648@linutronix.de
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/time/alarmtimer.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -354,7 +354,7 @@ void alarm_start_relative(struct alarm *
+ {
+ struct alarm_base *base = &alarm_bases[alarm->type];
+
+- start = ktime_add(start, base->gettime());
++ start = ktime_add_safe(start, base->gettime());
+ alarm_start(alarm, start);
+ }
+ EXPORT_SYMBOL_GPL(alarm_start_relative);
+@@ -440,7 +440,7 @@ u64 alarm_forward(struct alarm *alarm, k
+ overrun++;
+ }
+
+- alarm->node.expires = ktime_add(alarm->node.expires, interval);
++ alarm->node.expires = ktime_add_safe(alarm->node.expires, interval);
+ return overrun;
+ }
+ EXPORT_SYMBOL_GPL(alarm_forward);
+@@ -630,7 +630,7 @@ static int alarm_timer_set(struct k_itim
+ ktime_t now;
+
+ now = alarm_bases[timr->it.alarm.alarmtimer.type].gettime();
+- exp = ktime_add(now, exp);
++ exp = ktime_add_safe(now, exp);
+ }
+
+ alarm_start(&timr->it.alarm.alarmtimer, exp);
diff --git a/queue-4.9/genirq-release-resources-in-__setup_irq-error-path.patch b/queue-4.9/genirq-release-resources-in-__setup_irq-error-path.patch
new file mode 100644
index 00000000000..576d0ad9e5d
--- /dev/null
+++ b/queue-4.9/genirq-release-resources-in-__setup_irq-error-path.patch
@@ -0,0 +1,38 @@
+From fa07ab72cbb0d843429e61bf179308aed6cbe0dd Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit
+Date: Sun, 11 Jun 2017 00:38:36 +0200
+Subject: genirq: Release resources in __setup_irq() error path
+
+From: Heiner Kallweit
+
+commit fa07ab72cbb0d843429e61bf179308aed6cbe0dd upstream.
+
+In case __irq_set_trigger() fails the resources requested via
+irq_request_resources() are not released.
+
+Add the missing release call into the error handling path.
+
+Fixes: c1bacbae8192 ("genirq: Provide irq_request/release_resources chip callbacks")
+Signed-off-by: Heiner Kallweit
+Signed-off-by: Thomas Gleixner
+Link: http://lkml.kernel.org/r/655538f5-cb20-a892-ff15-fbd2dd1fa4ec@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/irq/manage.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -1308,8 +1308,10 @@ __setup_irq(unsigned int irq, struct irq
+ ret = __irq_set_trigger(desc,
+ new->flags & IRQF_TRIGGER_MASK);
+
+- if (ret)
++ if (ret) {
++ irq_release_resources(desc);
+ goto out_mask;
++ }
+ }
+
+ desc->istate &= ~(IRQS_AUTODETECT | IRQS_SPURIOUS_DISABLED | \
diff --git a/queue-4.9/sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch b/queue-4.9/sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch
new file mode 100644
index 00000000000..b66b3cf36a9
--- /dev/null
+++ b/queue-4.9/sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch
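Review bot: The three converted call sites in the alarmtimer patch (alarm_start_relative, alarm_forward, alarm_timer_set) now saturate silently, and nothing in the code says so; a one-line comment such as `/* ktime_add_safe() clamps to KTIME_SEC_MAX instead of wrapping negative */` above each call would keep a later cleanup from reverting to ktime_add(). In alarm_timer_set the added value appears to come from the caller's timer setting, so it is worth confirming that an effectively never-expiring timer, rather than an error return, is the intended result for an overflowing request. The commit message also ties the CPU hog to rearming with a small interval, which this change does not limit; the overrun loop of alarm_forward lies outside the hunk, so whether that case is bounded cannot be judged from here.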
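Review bot: In the __setup_irq hunk of the genirq patch, `irq_release_resources(desc);` is inlined at this one `if (ret)` site instead of being part of the function's unwind labels, so any other failure exit taken after irq_request_resources() would need the same call added by hand. The rest of __setup_irq is outside the hunk, so whether further such exits exist cannot be confirmed here; if they do, a dedicated label ahead of `out_mask` that makes the release call would keep acquisition and release paired in one place. It is also worth confirming that this branch is reached only when the resources were requested during this call, since the enclosing block's condition is not visible.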
@@ -0,0 +1,43 @@
+From 252d2a4117bc181b287eeddf848863788da733ae Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Fri, 9 Jun 2017 11:49:15 -0700
+Subject: sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off()
+
+From: Andy Lutomirski
+
+commit 252d2a4117bc181b287eeddf848863788da733ae upstream.
+
+idle_task_exit() can be called with IRQs on x86 on and therefore
+should use switch_mm(), not switch_mm_irqs_off().
+
+This doesn't seem to cause any problems right now, but it will
+confuse my upcoming TLB flush changes. Nonetheless, I think it
+should be backported because it's trivial. There won't be any
+meaningful performance impact because idle_task_exit() is only
+used when offlining a CPU.
+
+Signed-off-by: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Fixes: f98db6013c55 ("sched/core: Add switch_mm_irqs_off() and use it in the scheduler")
+Link: http://lkml.kernel.org/r/ca3d1a9fa93a0b49f5a8ff729eda3640fb6abdf9.1497034141.git.luto@kernel.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/sched/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5469,7 +5469,7 @@ void idle_task_exit(void)
+ BUG_ON(cpu_online(smp_processor_id()));
+
+ if (mm != &init_mm) {
+- switch_mm_irqs_off(mm, &init_mm, current);
++ switch_mm(mm, &init_mm, current);
+ finish_arch_post_lock_switch();
+ }
+ mmdrop(mm);
diff --git a/queue-4.9/series b/queue-4.9/series
index 3ad202691db..24900ed9a48 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
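Review bot: The replacement call in idle_task_exit() carries no comment explaining why the IRQs-off variant is avoided, so a later optimisation pass could swap it back without noticing the constraint. Adding `/* May be called with IRQs enabled, so switch_mm_irqs_off() must not be used here. */` above `switch_mm(mm, &init_mm, current);` records the reason the commit message gives. The opening lines of idle_task_exit() are outside the hunk.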
@@ -47,3 +47,8 @@ usb-gadgetfs-dummy-hcd-net2280-fix-locking-for-callbacks.patch
 mm-memory-failure.c-use-compound_head-flags-for-huge-pages.patch
 swap-cond_resched-in-swap_cgroup_prepare.patch
 iio-imu-inv_mpu6050-add-accel-lpf-setting-for-chip-mpu6500.patch
+sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch
+genirq-release-resources-in-__setup_irq-error-path.patch
+alarmtimer-prevent-overflow-of-relative-timers.patch
+usb-gadget-composite-fix-function-used-to-free-memory.patch
+usb-dwc3-exynos-fix-axius-clock-error-path-to-do-cleanup.patch
diff --git a/queue-4.9/usb-dwc3-exynos-fix-axius-clock-error-path-to-do-cleanup.patch b/queue-4.9/usb-dwc3-exynos-fix-axius-clock-error-path-to-do-cleanup.patch
new file mode 100644
index 00000000000..00ac32b4350
--- /dev/null
+++ b/queue-4.9/usb-dwc3-exynos-fix-axius-clock-error-path-to-do-cleanup.patch
@@ -0,0 +1,42 @@
+From 8ae584d1951f241efd45499f8774fd7066f22823 Mon Sep 17 00:00:00 2001
+From: Shuah Khan
+Date: Tue, 10 Jan 2017 16:05:28 -0700
+Subject: usb: dwc3: exynos fix axius clock error path to do cleanup
+
+From: Shuah Khan
+
+commit 8ae584d1951f241efd45499f8774fd7066f22823 upstream.
+
+Axius clock error path returns without disabling clock and suspend clock.
+Fix it to disable them before returning error.
+
+Reviewed-by: Javier Martinez Canillas
+Signed-off-by: Shuah Khan
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/dwc3/dwc3-exynos.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/dwc3-exynos.c
++++ b/drivers/usb/dwc3/dwc3-exynos.c
+@@ -148,7 +148,8 @@ static int dwc3_exynos_probe(struct plat
+ exynos->axius_clk = devm_clk_get(dev, "usbdrd30_axius_clk");
+ if (IS_ERR(exynos->axius_clk)) {
+ dev_err(dev, "no AXI UpScaler clk specified\n");
+- return -ENODEV;
++ ret = -ENODEV;
++ goto axius_clk_err;
+ }
+ clk_prepare_enable(exynos->axius_clk);
+ } else {
+@@ -206,6 +207,7 @@ err3:
+ regulator_disable(exynos->vdd33);
+ err2:
+ clk_disable_unprepare(exynos->axius_clk);
++axius_clk_err:
+ clk_disable_unprepare(exynos->susp_clk);
+ clk_disable_unprepare(exynos->clk);
+ return ret;
diff --git a/queue-4.9/usb-gadget-composite-fix-function-used-to-free-memory.patch b/queue-4.9/usb-gadget-composite-fix-function-used-to-free-memory.patch
new file mode 100644
index 00000000000..19baae4d831
--- /dev/null
+++ b/queue-4.9/usb-gadget-composite-fix-function-used-to-free-memory.patch
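Review bot: The new error branch in dwc3_exynos_probe() still hard-codes `ret = -ENODEV;` and discards the value returned by devm_clk_get(), which could turn a deferred-probe result into a permanent failure; `ret = PTR_ERR(exynos->axius_clk);` would preserve the real cause. The context line `clk_prepare_enable(exynos->axius_clk);` also ignores its return value, so a failed enable would still be paired with clk_disable_unprepare() at `err2`. The label name `axius_clk_err` departs from the `err2`/`err3` numbering of its neighbours. The probe function begins and ends outside both hunks, so the remaining unwind order cannot be checked from here.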
@@ -0,0 +1,32 @@
+From 990758c53eafe5a220a780ed12e7b4d51b3df032 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Wed, 4 Jan 2017 06:30:16 +0100
+Subject: usb: gadget: composite: Fix function used to free memory
+
+From: Christophe JAILLET
+
+commit 990758c53eafe5a220a780ed12e7b4d51b3df032 upstream.
+
+'cdev->os_desc_req' has been allocated with 'usb_ep_alloc_request()' so
+'usb_ep_free_request()' should be used to free it.
+
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/composite.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -2147,7 +2147,7 @@ int composite_os_desc_req_prepare(struct
+ cdev->os_desc_req->buf = kmalloc(4096, GFP_KERNEL);
+ if (!cdev->os_desc_req->buf) {
+ ret = -ENOMEM;
+- kfree(cdev->os_desc_req);
++ usb_ep_free_request(ep0, cdev->os_desc_req);
+ goto end;
+ }
+ cdev->os_desc_req->context = cdev;
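Review bot: After `usb_ep_free_request(ep0, cdev->os_desc_req);` the field `cdev->os_desc_req` still points at the freed request, so any later teardown that frees or dereferences it would act on stale memory; adding `cdev->os_desc_req = NULL;` before `goto end;` closes that window. Whether a teardown path tests this pointer is not visible here, because composite_os_desc_req_prepare() starts and ends outside the hunk.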