From: Greg Kroah-Hartman Date: Mon, 14 Jan 2019 14:31:00 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v4.20.3~36 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f241b951c04b92678eba9b545a3d932902b36065;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: cifs-do-not-hide-eintr-after-sending-network-packets.patch cifs-fix-potential-oob-access-of-lock-element-array.patch mm-memcg-fix-reclaim-deadlock-with-writeback.patch slab-alien-caches-must-not-be-initialized-if-the-allocation-of-the-alien-cache-failed.patch usb-cdc-acm-send-zlp-for-telit-3g-intel-based-modems.patch usb-storage-add-quirk-for-smi-sm3350.patch usb-storage-don-t-insert-sane-sense-for-spc3-when-bad-sense-specified.patch --- diff --git a/queue-3.18/cifs-do-not-hide-eintr-after-sending-network-packets.patch b/queue-3.18/cifs-do-not-hide-eintr-after-sending-network-packets.patch new file mode 100644 index 00000000000..c8479ccbeba --- /dev/null +++ b/queue-3.18/cifs-do-not-hide-eintr-after-sending-network-packets.patch @@ -0,0 +1,35 @@ +From ee13919c2e8d1f904e035ad4b4239029a8994131 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Thu, 10 Jan 2019 11:27:28 -0800 +Subject: CIFS: Do not hide EINTR after sending network packets + +From: Pavel Shilovsky + +commit ee13919c2e8d1f904e035ad4b4239029a8994131 upstream. + +Currently we hide EINTR code returned from sock_sendmsg() +and return 0 instead. This makes a caller think that we +successfully completed the network operation which is not +true. Fix this by properly returning EINTR to callers. + +Cc: +Signed-off-by: Pavel Shilovsky +Reviewed-by: Jeff Layton +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -360,7 +360,7 @@ uncork: + if (rc < 0 && rc != -EINTR) + cifs_dbg(VFS, "Error %d sending data on socket to server\n", + rc); +- else ++ else if (rc > 0) + rc = 0; + + return rc; diff --git a/queue-3.18/cifs-fix-potential-oob-access-of-lock-element-array.patch b/queue-3.18/cifs-fix-potential-oob-access-of-lock-element-array.patch new file mode 100644 index 00000000000..005e694226d --- /dev/null +++ b/queue-3.18/cifs-fix-potential-oob-access-of-lock-element-array.patch @@ -0,0 +1,65 @@ +From b9a74cde94957d82003fb9f7ab4777938ca851cd Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Tue, 8 Jan 2019 18:30:57 +0000 +Subject: cifs: Fix potential OOB access of lock element array + +From: Ross Lagerwall + +commit b9a74cde94957d82003fb9f7ab4777938ca851cd upstream. + +If maxBuf is small but non-zero, it could result in a zero sized lock +element array which we would then try and access OOB. + +Signed-off-by: Ross Lagerwall +Signed-off-by: Steve French +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/file.c | 8 ++++---- + fs/cifs/smb2file.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -1067,10 +1067,10 @@ cifs_push_mandatory_locks(struct cifsFil + + /* + * Accessing maxBuf is racy with cifs_reconnect - need to store value +- * and check it for zero before using. ++ * and check it before using. + */ + max_buf = tcon->ses->server->maxBuf; +- if (!max_buf) { ++ if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) { + free_xid(xid); + return -EINVAL; + } +@@ -1404,10 +1404,10 @@ cifs_unlock_range(struct cifsFileInfo *c + + /* + * Accessing maxBuf is racy with cifs_reconnect - need to store value +- * and check it for zero before using. ++ * and check it before using. + */ + max_buf = tcon->ses->server->maxBuf; +- if (!max_buf) ++ if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) + return -EINVAL; + + max_num = (max_buf - sizeof(struct smb_hdr)) / +--- a/fs/cifs/smb2file.c ++++ b/fs/cifs/smb2file.c +@@ -104,10 +104,10 @@ smb2_unlock_range(struct cifsFileInfo *c + + /* + * Accessing maxBuf is racy with cifs_reconnect - need to store value +- * and check it for zero before using. ++ * and check it before using. + */ + max_buf = tcon->ses->server->maxBuf; +- if (!max_buf) ++ if (max_buf < sizeof(struct smb2_lock_element)) + return -EINVAL; + + max_num = max_buf / sizeof(struct smb2_lock_element); diff --git a/queue-3.18/mm-memcg-fix-reclaim-deadlock-with-writeback.patch b/queue-3.18/mm-memcg-fix-reclaim-deadlock-with-writeback.patch new file mode 100644 index 00000000000..80567f4c827 --- /dev/null +++ b/queue-3.18/mm-memcg-fix-reclaim-deadlock-with-writeback.patch @@ -0,0 +1,146 @@ +From 63f3655f950186752236bb88a22f8252c11ce394 Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Tue, 8 Jan 2019 15:23:07 -0800 +Subject: mm, memcg: fix reclaim deadlock with writeback + +From: Michal Hocko + +commit 63f3655f950186752236bb88a22f8252c11ce394 upstream. + +Liu Bo has experienced a deadlock between memcg (legacy) reclaim and the +ext4 writeback + + task1: + wait_on_page_bit+0x82/0xa0 + shrink_page_list+0x907/0x960 + shrink_inactive_list+0x2c7/0x680 + shrink_node_memcg+0x404/0x830 + shrink_node+0xd8/0x300 + do_try_to_free_pages+0x10d/0x330 + try_to_free_mem_cgroup_pages+0xd5/0x1b0 + try_charge+0x14d/0x720 + memcg_kmem_charge_memcg+0x3c/0xa0 + memcg_kmem_charge+0x7e/0xd0 + __alloc_pages_nodemask+0x178/0x260 + alloc_pages_current+0x95/0x140 + pte_alloc_one+0x17/0x40 + __pte_alloc+0x1e/0x110 + alloc_set_pte+0x5fe/0xc20 + do_fault+0x103/0x970 + handle_mm_fault+0x61e/0xd10 + __do_page_fault+0x252/0x4d0 + do_page_fault+0x30/0x80 + page_fault+0x28/0x30 + + task2: + __lock_page+0x86/0xa0 + mpage_prepare_extent_to_map+0x2e7/0x310 [ext4] + ext4_writepages+0x479/0xd60 + do_writepages+0x1e/0x30 + __writeback_single_inode+0x45/0x320 + writeback_sb_inodes+0x272/0x600 + __writeback_inodes_wb+0x92/0xc0 + wb_writeback+0x268/0x300 + wb_workfn+0xb4/0x390 + process_one_work+0x189/0x420 + worker_thread+0x4e/0x4b0 + kthread+0xe6/0x100 + ret_from_fork+0x41/0x50 + +He adds + "task1 is waiting for the PageWriteback bit of the page that task2 has + collected in mpd->io_submit->io_bio, and tasks2 is waiting for the + LOCKED bit the page which tasks1 has locked" + +More precisely task1 is handling a page fault and it has a page locked +while it charges a new page table to a memcg. That in turn hits a +memory limit reclaim and the memcg reclaim for legacy controller is +waiting on the writeback but that is never going to finish because the +writeback itself is waiting for the page locked in the #PF path. So +this is essentially ABBA deadlock: + + lock_page(A) + SetPageWriteback(A) + unlock_page(A) + lock_page(B) + lock_page(B) + pte_alloc_pne + shrink_page_list + wait_on_page_writeback(A) + SetPageWriteback(B) + unlock_page(B) + + # flush A, B to clear the writeback + +This accumulating of more pages to flush is used by several filesystems +to generate a more optimal IO patterns. + +Waiting for the writeback in legacy memcg controller is a workaround for +pre-mature OOM killer invocations because there is no dirty IO +throttling available for the controller. There is no easy way around +that unfortunately. Therefore fix this specific issue by pre-allocating +the page table outside of the page lock. We have that handy +infrastructure for that already so simply reuse the fault-around pattern +which already does this. + +There are probably other hidden __GFP_ACCOUNT | GFP_KERNEL allocations +from under a fs page locked but they should be really rare. I am not +aware of a better solution unfortunately. + +[akpm@linux-foundation.org: fix mm/memory.c:__do_fault()] +[akpm@linux-foundation.org: coding-style fixes] +[mhocko@kernel.org: enhance comment, per Johannes] + Link: http://lkml.kernel.org/r/20181214084948.GA5624@dhcp22.suse.cz +Link: http://lkml.kernel.org/r/20181213092221.27270-1-mhocko@kernel.org +Fixes: c3b94f44fcb0 ("memcg: further prevent OOM with too many dirty pages") +Signed-off-by: Michal Hocko +Reported-by: Liu Bo +Debugged-by: Liu Bo +Acked-by: Kirill A. Shutemov +Acked-by: Johannes Weiner +Reviewed-by: Liu Bo +Cc: Jan Kara +Cc: Dave Chinner +Cc: Theodore Ts'o +Cc: Vladimir Davydov +Cc: Shakeel Butt +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -2657,6 +2657,28 @@ static int __do_fault(struct vm_area_str + struct vm_fault vmf; + int ret; + ++ /* ++ * Preallocate pte before we take page_lock because this might lead to ++ * deadlocks for memcg reclaim which waits for pages under writeback: ++ * lock_page(A) ++ * SetPageWriteback(A) ++ * unlock_page(A) ++ * lock_page(B) ++ * lock_page(B) ++ * pte_alloc_pne ++ * shrink_page_list ++ * wait_on_page_writeback(A) ++ * SetPageWriteback(B) ++ * unlock_page(B) ++ * # flush A, B to clear the writeback ++ */ ++ if (pmd_none(*vmf->pmd) && !vmf->prealloc_pte) { ++ vmf->prealloc_pte = pte_alloc_one(vmf->vma->vm_mm); ++ if (!vmf->prealloc_pte) ++ return VM_FAULT_OOM; ++ smp_wmb(); /* See comment in __pte_alloc() */ ++ } ++ + vmf.virtual_address = (void __user *)(address & PAGE_MASK); + vmf.pgoff = pgoff; + vmf.flags = flags; diff --git a/queue-3.18/series b/queue-3.18/series index 51ab04fd533..1e58b14f492 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -1 +1,8 @@ sparc32-fix-inverted-invalid_frame_pointer-checks-on-sigreturns.patch +cifs-do-not-hide-eintr-after-sending-network-packets.patch +cifs-fix-potential-oob-access-of-lock-element-array.patch +usb-cdc-acm-send-zlp-for-telit-3g-intel-based-modems.patch +usb-storage-don-t-insert-sane-sense-for-spc3-when-bad-sense-specified.patch +usb-storage-add-quirk-for-smi-sm3350.patch +slab-alien-caches-must-not-be-initialized-if-the-allocation-of-the-alien-cache-failed.patch +mm-memcg-fix-reclaim-deadlock-with-writeback.patch diff --git a/queue-3.18/slab-alien-caches-must-not-be-initialized-if-the-allocation-of-the-alien-cache-failed.patch b/queue-3.18/slab-alien-caches-must-not-be-initialized-if-the-allocation-of-the-alien-cache-failed.patch new file mode 100644 index 00000000000..47d918d2821 --- /dev/null +++ b/queue-3.18/slab-alien-caches-must-not-be-initialized-if-the-allocation-of-the-alien-cache-failed.patch @@ -0,0 +1,46 @@ +From 09c2e76ed734a1d36470d257a778aaba28e86531 Mon Sep 17 00:00:00 2001 +From: Christoph Lameter +Date: Tue, 8 Jan 2019 15:23:00 -0800 +Subject: slab: alien caches must not be initialized if the allocation of the alien cache failed + +From: Christoph Lameter + +commit 09c2e76ed734a1d36470d257a778aaba28e86531 upstream. + +Callers of __alloc_alien() check for NULL. We must do the same check in +__alloc_alien_cache to avoid NULL pointer dereferences on allocation +failures. + +Link: http://lkml.kernel.org/r/010001680f42f192-82b4e12e-1565-4ee0-ae1f-1e98974906aa-000000@email.amazonses.com +Fixes: 49dfc304ba241 ("slab: use the lock on alien_cache, instead of the lock on array_cache") +Fixes: c8522a3a5832b ("Slab: introduce alloc_alien") +Signed-off-by: Christoph Lameter +Reported-by: syzbot+d6ed4ec679652b4fd4e4@syzkaller.appspotmail.com +Reviewed-by: Andrew Morton +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slab.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -869,8 +869,10 @@ static struct alien_cache *__alloc_alien + struct alien_cache *alc = NULL; + + alc = kmalloc_node(memsize, gfp, node); +- init_arraycache(&alc->ac, entries, batch); +- spin_lock_init(&alc->lock); ++ if (alc) { ++ init_arraycache(&alc->ac, entries, batch); ++ spin_lock_init(&alc->lock); ++ } + return alc; + } + diff --git a/queue-3.18/usb-cdc-acm-send-zlp-for-telit-3g-intel-based-modems.patch b/queue-3.18/usb-cdc-acm-send-zlp-for-telit-3g-intel-based-modems.patch new file mode 100644 index 00000000000..6e39fc54c56 --- /dev/null +++ b/queue-3.18/usb-cdc-acm-send-zlp-for-telit-3g-intel-based-modems.patch @@ -0,0 +1,36 @@ +From 34aabf918717dd14e05051896aaecd3b16b53d95 Mon Sep 17 00:00:00 2001 +From: Daniele Palmas +Date: Fri, 28 Dec 2018 16:15:41 +0100 +Subject: usb: cdc-acm: send ZLP for Telit 3G Intel based modems + +From: Daniele Palmas + +commit 34aabf918717dd14e05051896aaecd3b16b53d95 upstream. + +Telit 3G Intel based modems require zero packet to be sent if +out data size is equal to the endpoint max packet size. + +Signed-off-by: Daniele Palmas +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1904,6 +1904,13 @@ static const struct usb_device_id acm_id + .driver_info = IGNORE_DEVICE, + }, + ++ { USB_DEVICE(0x1bc7, 0x0021), /* Telit 3G ACM only composition */ ++ .driver_info = SEND_ZERO_PACKET, ++ }, ++ { USB_DEVICE(0x1bc7, 0x0023), /* Telit 3G ACM + ECM composition */ ++ .driver_info = SEND_ZERO_PACKET, ++ }, ++ + /* control interfaces without any protocol set */ + { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM, + USB_CDC_PROTO_NONE) }, diff --git a/queue-3.18/usb-storage-add-quirk-for-smi-sm3350.patch b/queue-3.18/usb-storage-add-quirk-for-smi-sm3350.patch new file mode 100644 index 00000000000..dc8244e7657 --- /dev/null +++ b/queue-3.18/usb-storage-add-quirk-for-smi-sm3350.patch @@ -0,0 +1,45 @@ +From 0a99cc4b8ee83885ab9f097a3737d1ab28455ac0 Mon Sep 17 00:00:00 2001 +From: Icenowy Zheng +Date: Thu, 3 Jan 2019 11:26:18 +0800 +Subject: USB: storage: add quirk for SMI SM3350 + +From: Icenowy Zheng + +commit 0a99cc4b8ee83885ab9f097a3737d1ab28455ac0 upstream. + +The SMI SM3350 USB-UFS bridge controller cannot handle long sense request +correctly and will make the chip refuse to do read/write when requested +long sense. + +Add a bad sense quirk for it. + +Signed-off-by: Icenowy Zheng +Cc: stable +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_devs.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -1393,6 +1393,18 @@ UNUSUAL_DEV( 0x0d49, 0x7310, 0x0000, 0x + US_FL_SANE_SENSE), + + /* ++ * Reported by Icenowy Zheng ++ * The SMI SM3350 USB-UFS bridge controller will enter a wrong state ++ * that do not process read/write command if a long sense is requested, ++ * so force to use 18-byte sense. ++ */ ++UNUSUAL_DEV( 0x090c, 0x3350, 0x0000, 0xffff, ++ "SMI", ++ "SM3350 UFS-to-USB-Mass-Storage bridge", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_BAD_SENSE ), ++ ++/* + * Pete Zaitcev , bz#164688. + * The device blatantly ignores LUN and returns 1 in GetMaxLUN. + */ diff --git a/queue-3.18/usb-storage-don-t-insert-sane-sense-for-spc3-when-bad-sense-specified.patch b/queue-3.18/usb-storage-don-t-insert-sane-sense-for-spc3-when-bad-sense-specified.patch new file mode 100644 index 00000000000..de61455936c --- /dev/null +++ b/queue-3.18/usb-storage-don-t-insert-sane-sense-for-spc3-when-bad-sense-specified.patch @@ -0,0 +1,44 @@ +From c5603d2fdb424849360fe7e3f8c1befc97571b8c Mon Sep 17 00:00:00 2001 +From: Icenowy Zheng +Date: Thu, 3 Jan 2019 11:26:17 +0800 +Subject: USB: storage: don't insert sane sense for SPC3+ when bad sense specified + +From: Icenowy Zheng + +commit c5603d2fdb424849360fe7e3f8c1befc97571b8c upstream. + +Currently the code will set US_FL_SANE_SENSE flag unconditionally if +device claims SPC3+, however we should allow US_FL_BAD_SENSE flag to +prevent this behavior, because SMI SM3350 UFS-USB bridge controller, +which claims SPC4, will show strange behavior with 96-byte sense +(put the chip into a wrong state that cannot read/write anything). + +Check the presence of US_FL_BAD_SENSE when assuming US_FL_SANE_SENSE on +SPC4+ devices. + +Signed-off-by: Icenowy Zheng +Cc: stable +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/scsiglue.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/usb/storage/scsiglue.c ++++ b/drivers/usb/storage/scsiglue.c +@@ -223,8 +223,12 @@ static int slave_configure(struct scsi_d + if (!(us->fflags & US_FL_NEEDS_CAP16)) + sdev->try_rc_10_first = 1; + +- /* assume SPC3 or latter devices support sense size > 18 */ +- if (sdev->scsi_level > SCSI_SPC_2) ++ /* ++ * assume SPC3 or latter devices support sense size > 18 ++ * unless US_FL_BAD_SENSE quirk is specified. ++ */ ++ if (sdev->scsi_level > SCSI_SPC_2 && ++ !(us->fflags & US_FL_BAD_SENSE)) + us->fflags |= US_FL_SANE_SENSE; + + /* USB-IDE bridges tend to report SK = 0x04 (Non-recoverable