4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 29 Jan 2021 10:13:53 +0000 (11:13 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 29 Jan 2021 10:13:53 +0000 (11:13 +0100)
added patches:
tracing-fix-race-in-trace_open-and-buffer-resize-call.patch

queue-4.4/series
queue-4.4/tracing-fix-race-in-trace_open-and-buffer-resize-call.patch [new file with mode: 0644]

index a0e01ba2365bffa457a5bb858bd7eee48d907853..1725c86392b6b2f3f6972a9e5728baee5b5920ca 100644 (file)
@@ -19,3 +19,4 @@ skbuff-back-tiny-skbs-with-kmalloc-in-__netdev_alloc_skb-too.patch
 ipv6-create-multicast-route-with-rtprot_kernel.patch
 net_sched-avoid-shift-out-of-bounds-in-tcindex_set_parms.patch
 revert-mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch
+tracing-fix-race-in-trace_open-and-buffer-resize-call.patch
diff --git a/queue-4.4/tracing-fix-race-in-trace_open-and-buffer-resize-call.patch b/queue-4.4/tracing-fix-race-in-trace_open-and-buffer-resize-call.patch
new file mode 100644 (file)
index 0000000..3524fc4
--- /dev/null
@@ -0,0 +1,61 @@
+From bbeb97464eefc65f506084fd9f18f21653e01137 Mon Sep 17 00:00:00 2001
+From: Gaurav Kohli <gkohli@codeaurora.org>
+Date: Tue, 6 Oct 2020 15:03:53 +0530
+Subject: tracing: Fix race in trace_open and buffer resize call
+
+From: Gaurav Kohli <gkohli@codeaurora.org>
+
+commit bbeb97464eefc65f506084fd9f18f21653e01137 upstream.
+
+Below race can come, if trace_open and resize of
+cpu buffer is running parallely on different cpus
+CPUX                                CPUY
+                                   ring_buffer_resize
+                                   atomic_read(&buffer->resize_disabled)
+tracing_open
+tracing_reset_online_cpus
+ring_buffer_reset_cpu
+rb_reset_cpu
+                                   rb_update_pages
+                                   remove/insert pages
+resetting pointer
+
+This race can cause data abort or some times infinte loop in
+rb_remove_pages and rb_insert_pages while checking pages
+for sanity.
+
+Take buffer lock to fix this.
+
+Link: https://lkml.kernel.org/r/1601976833-24377-1-git-send-email-gkohli@codeaurora.org
+
+Cc: stable@vger.kernel.org
+Fixes: 83f40318dab00 ("ring-buffer: Make removal of ring buffer pages atomic")
+Reported-by: Denis Efremov <efremov@linux.com>
+Signed-off-by: Gaurav Kohli <gkohli@codeaurora.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ring_buffer.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -4294,6 +4294,8 @@ void ring_buffer_reset_cpu(struct ring_b
+       if (!cpumask_test_cpu(cpu, buffer->cpumask))
+               return;
++      /* prevent another thread from changing buffer sizes */
++      mutex_lock(&buffer->mutex);
+       atomic_inc(&buffer->resize_disabled);
+       atomic_inc(&cpu_buffer->record_disabled);
+@@ -4317,6 +4319,8 @@ void ring_buffer_reset_cpu(struct ring_b
+       atomic_dec(&cpu_buffer->record_disabled);
+       atomic_dec(&buffer->resize_disabled);
++
++      mutex_unlock(&buffer->mutex);
+ }
+ EXPORT_SYMBOL_GPL(ring_buffer_reset_cpu);
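Review bot: The added `mutex_lock(&buffer->mutex)` turns `ring_buffer_reset_cpu()` into a function that may sleep, and nothing in the patch records that new calling constraint. Because the symbol is exported (`EXPORT_SYMBOL_GPL`), every caller in the 4.4 tree, modules included, has to run in process context with no spinlock held and interrupts enabled; the hunk shows no callers, so this should be confirmed for the backport. I would extend the new comment to say so, e.g. `/* prevent another thread from changing buffer sizes; may sleep, callers must not be in atomic context */`. The stretch between the two inner hunks (roughly lines 4300-4316 of ring_buffer.c) is not visible here, so it is also worth checking that no return path there leaves the function with the mutex still held. The function body starts before the first inner hunk.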