From: Greg Kroah-Hartman Date: Thu, 10 Jun 2021 22:19:31 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.273~64 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=66e616905762b7a0b203cb0deb1c0a2c36a164c4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: perf-core-fix-endless-multiplex-timer.patch proc-track-proc-pid-attr-opener-mm_struct.patch
---
diff --git a/queue-4.19/perf-core-fix-endless-multiplex-timer.patch b/queue-4.19/perf-core-fix-endless-multiplex-timer.patch
new file mode 100644
index 00000000000..54b78b61fe6
--- /dev/null
+++ b/queue-4.19/perf-core-fix-endless-multiplex-timer.patch
@@ -0,0 +1,74 @@
+From 90c91dfb86d0ff545bd329d3ddd72c147e2ae198 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Thu, 5 Mar 2020 13:38:51 +0100
+Subject: perf/core: Fix endless multiplex timer
+
+From: Peter Zijlstra
+
+commit 90c91dfb86d0ff545bd329d3ddd72c147e2ae198 upstream.
+
+Kan and Andi reported that we fail to kill rotation when the flexible
+events go empty, but the context does not. XXX moar
+
+Fixes: fd7d55172d1e ("perf/cgroups: Don't rotate events for cgroups unnecessarily")
+Reported-by: Andi Kleen
+Reported-by: Kan Liang
+Tested-by: Kan Liang
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Wen Yang
+Link: https://lkml.kernel.org/r/20200305123851.GX2596@hirez.programming.kicks-ass.net
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/events/core.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -2086,6 +2086,7 @@ __perf_remove_from_context(struct perf_e
+
+ if (!ctx->nr_events && ctx->is_active) {
+ ctx->is_active = 0;
++ ctx->rotate_necessary = 0;
+ if (ctx->task) {
+ WARN_ON_ONCE(cpuctx->task_ctx != ctx);
+ cpuctx->task_ctx = NULL;
+@@ -2952,12 +2953,6 @@ static void ctx_sched_out(struct perf_ev
+ if (!ctx->nr_active || !(is_active & EVENT_ALL))
+ return;
+
+- /*
+- * If we had been multiplexing, no rotations are necessary, now no events
+- * are active.
+- */
+- ctx->rotate_necessary = 0;
+-
+ perf_pmu_disable(ctx->pmu);
+ if (is_active & EVENT_PINNED) {
+ list_for_each_entry_safe(event, tmp, &ctx->pinned_active, active_list)
+@@ -2967,6 +2962,13 @@ static void ctx_sched_out(struct perf_ev
+ if (is_active & EVENT_FLEXIBLE) {
+ list_for_each_entry_safe(event, tmp, &ctx->flexible_active, active_list)
+ group_sched_out(event, cpuctx, ctx);
++
++ /*
++ * Since we cleared EVENT_FLEXIBLE, also clear
++ * rotate_necessary, is will be reset by
++ * ctx_flexible_sched_in() when needed.
++ */
++ ctx->rotate_necessary = 0;
+ }
+ perf_pmu_enable(ctx->pmu);
+ }
+@@ -3705,6 +3707,12 @@ ctx_event_to_rotate(struct perf_event_co
+ typeof(*event), group_node);
+ }
+
++ /*
++ * Unconditionally clear rotate_necessary; if ctx_flexible_sched_in()
++ * finds there are unschedulable events, it will set it again.
++ */
++ ctx->rotate_necessary = 0;
++
+ return event;
+ }
+
diff --git a/queue-4.19/proc-track-proc-pid-attr-opener-mm_struct.patch b/queue-4.19/proc-track-proc-pid-attr-opener-mm_struct.patch
new file mode 100644
index 00000000000..3b5271af3fb
--- /dev/null
+++ b/queue-4.19/proc-track-proc-pid-attr-opener-mm_struct.patch
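Review bot: In perf-core-fix-endless-multiplex-timer.patch, the comment added to ctx_sched_out() in the `@@ -2967,6 +2962,13 @@` hunk reads `* rotate_necessary, is will be reset by`; it should be `* rotate_necessary, it will be reset by`, unless the backport is deliberately kept byte-identical to upstream. All three sites that now clear `ctx->rotate_necessary` rely on ctx_flexible_sched_in() setting the flag again, and that function is outside every hunk shown, so it is worth confirming that the 4.19 tree carries the behaviour introduced by the `Fixes:` commit before this is queued. The quoted commit message still ends in the placeholder `XXX moar`, so the reason for moving the clear inside the `EVENT_FLEXIBLE` branch has to be read from the code comments alone.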
@@ -0,0 +1,65 @@
+From 591a22c14d3f45cc38bd1931c593c221df2f1881 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Tue, 8 Jun 2021 10:12:21 -0700
+Subject: proc: Track /proc/$pid/attr/ opener mm_struct
+
+From: Kees Cook
+
+commit 591a22c14d3f45cc38bd1931c593c221df2f1881 upstream.
+
+Commit bfb819ea20ce ("proc: Check /proc/$pid/attr/ writes against file opener")
+tried to make sure that there could not be a confusion between the opener of
+a /proc/$pid/attr/ file and the writer. It used struct cred to make sure
+the privileges didn't change. However, there were existing cases where a more
+privileged thread was passing the opened fd to a differently privileged thread
+(during container setup). Instead, use mm_struct to track whether the opener
+and writer are still the same process. (This is what several other proc files
+already do, though for different reasons.)
+
+Reported-by: Christian Brauner
+Reported-by: Andrea Righi
+Tested-by: Andrea Righi
+Fixes: bfb819ea20ce ("proc: Check /proc/$pid/attr/ writes against file opener")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/proc/base.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2535,6 +2535,11 @@ out:
+ }
+
+ #ifdef CONFIG_SECURITY
++static int proc_pid_attr_open(struct inode *inode, struct file *file)
++{
++ return __mem_open(inode, file, PTRACE_MODE_READ_FSCREDS);
++}
++
+ static ssize_t proc_pid_attr_read(struct file * file, char __user * buf,
+ size_t count, loff_t *ppos)
+ {
+@@ -2565,7 +2570,7 @@ static ssize_t proc_pid_attr_write(struc
+ int rv;
+
+ /* A task may only write when it was the opener. */
+- if (file->f_cred != current_real_cred())
++ if (file->private_data != current->mm)
+ return -EPERM;
+
+ rcu_read_lock();
+@@ -2613,9 +2618,11 @@ out:
+ }
+
+ static const struct file_operations proc_pid_attr_operations = {
++ .open = proc_pid_attr_open,
+ .read = proc_pid_attr_read,
+ .write = proc_pid_attr_write,
+ .llseek = generic_file_llseek,
++ .release = mem_release,
+ };
+
+ static const struct pid_entry attr_dir_stuff[] = {
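Review bot: The retained comment `/* A task may only write when it was the opener. */` in proc_pid_attr_write() no longer describes the check below it: `file->private_data != current->mm` compares address spaces, so any task sharing the mm that `__mem_open` presumably stored at open time passes, whatever its credentials, which the commit message says is intended. I would reword it to `/* A task may only write if its mm is the one recorded at open. */` so the next reader does not take it for a credential check. The new proc_pid_attr_open() returns whatever `__mem_open(inode, file, PTRACE_MODE_READ_FSCREDS)` returns, and both `__mem_open` and `mem_release` are defined outside the hunk, so presumably opening an attr file can now fail on that access check where there was no `.open` handler before; that behaviour change deserves a line in the backport notes. proc_pid_attr_write()'s body continues outside the hunk.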