From: Greg Kroah-Hartman Date: Mon, 3 Dec 2018 11:01:11 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.19.7~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be976b9e7cdb73a680d3a8a0e262dad9baa8c1d0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: ext2-fix-potential-use-after-free.patch function_graph-create-function_graph_enter-to-consolidate-architecture-code.patch function_graph-make-ftrace_push_return_trace-static.patch
---
diff --git a/queue-4.4/ext2-fix-potential-use-after-free.patch b/queue-4.4/ext2-fix-potential-use-after-free.patch
new file mode 100644
index 00000000000..576b3eff386
--- /dev/null
+++ b/queue-4.4/ext2-fix-potential-use-after-free.patch
@@ -0,0 +1,36 @@
+From ecebf55d27a11538ea84aee0be643dd953f830d5 Mon Sep 17 00:00:00 2001
+From: Pan Bian
+Date: Sun, 25 Nov 2018 08:58:02 +0800
+Subject: ext2: fix potential use after free
+
+From: Pan Bian
+
+commit ecebf55d27a11538ea84aee0be643dd953f830d5 upstream.
+
+The function ext2_xattr_set calls brelse(bh) to drop the reference count
+of bh. After that, bh may be freed. However, following brelse(bh),
+it reads bh->b_data via macro HDR(bh). This may result in a
+use-after-free bug. This patch moves brelse(bh) after reading field.
+
+CC: stable@vger.kernel.org
+Signed-off-by: Pan Bian
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext2/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext2/xattr.c
++++ b/fs/ext2/xattr.c
+@@ -605,9 +605,9 @@ skip_replace:
+ }
+
+ cleanup:
+- brelse(bh);
+ if (!(bh && header == HDR(bh)))
+ kfree(header);
++ brelse(bh);
+ up_write(&EXT2_I(inode)->xattr_sem);
+
+ return error;
diff --git a/queue-4.4/function_graph-create-function_graph_enter-to-consolidate-architecture-code.patch b/queue-4.4/function_graph-create-function_graph_enter-to-consolidate-architecture-code.patch
new file mode 100644
index 00000000000..03c7bf10ba7
--- /dev/null
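Review bot: The reordered cleanup in the fs/ext2/xattr.c hunk is correct only because `header` either aliases the buffer's data (what `HDR(bh)` yields) or is a separately allocated copy that must be kfree'd, and that relationship is not stated anywhere near the test, so the next person who "tidies" the cleanup label can reintroduce the same use-after-free. A one-line comment above the test would pin the ordering, e.g. `/* header may alias bh->b_data; compare before brelse() drops bh */`. The enclosing function (ext2_xattr_set) and every path that jumps to `cleanup:` are outside the hunk, so whether bh is always either NULL or a held reference at that point cannot be confirmed from here.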
+++ b/queue-4.4/function_graph-create-function_graph_enter-to-consolidate-architecture-code.patch 
@@ -0,0 +1,71 @@
+From 8114865ff82e200b383e46821c25cb0625b842b5 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)"
+Date: Sun, 18 Nov 2018 17:10:15 -0500
+Subject: function_graph: Create function_graph_enter() to consolidate architecture code
+
+From: Steven Rostedt (VMware)
+
+commit 8114865ff82e200b383e46821c25cb0625b842b5 upstream.
+
+Currently all the architectures do basically the same thing in preparing the
+function graph tracer on entry to a function. This code can be pulled into a
+generic location and then this will allow the function graph tracer to be
+fixed, as well as extended.
+
+Create a new function graph helper function_graph_enter() that will call the
+hook function (ftrace_graph_entry) and the shadow stack operation
+(ftrace_push_return_trace), and remove the need of the architecture code to
+manage the shadow stack.
+
+This is needed to prepare for a fix of a design bug on how the curr_ret_stack
+is used.
+
+Cc: stable@kernel.org
+Fixes: 03274a3ffb449 ("tracing/fgraph: Adjust fgraph depth before calling trace return callback")
+Reviewed-by: Masami Hiramatsu
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/ftrace.h | 4 ++++
+ kernel/trace/trace_functions_graph.c | 16 ++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+--- a/include/linux/ftrace.h
++++ b/include/linux/ftrace.h
+@@ -773,6 +773,10 @@ extern int
+ ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth,
+ unsigned long frame_pointer);
+
++extern int
++function_graph_enter(unsigned long ret, unsigned long func,
++ unsigned long frame_pointer, unsigned long *retp);
++
+ /*
+ * Sometimes we don't want to trace a function with the function
+ * graph tracer but we want them to keep traced by the usual function
+--- a/kernel/trace/trace_functions_graph.c
++++ b/kernel/trace/trace_functions_graph.c
+@@ -176,6 +176,22 @@ ftrace_push_return_trace(unsigned long r
+ return 0;
+ }
+
++int
function_graph_enter(unsigned long ret, unsigned long func,
++ unsigned long frame_pointer, unsigned long *retp)
++{
++ struct ftrace_graph_ent trace;
++
++ trace.func = func;
++ trace.depth = current->curr_ret_stack + 1;
++
++ /* Only trace if the calling function expects to */
++ if (!ftrace_graph_entry(&trace))
++ return -EBUSY;
++
++ return ftrace_push_return_trace(ret, func, &trace.depth,
++ frame_pointer, retp);
++}
++
+ /* Retrieve a function return address to the trace stack on thread info.*/
+ static void
+ ftrace_pop_return_trace(struct ftrace_graph_ret *trace, unsigned long *ret,
diff --git a/queue-4.4/function_graph-make-ftrace_push_return_trace-static.patch b/queue-4.4/function_graph-make-ftrace_push_return_trace-static.patch
new file mode 100644
index 00000000000..3c0eb892866
--- /dev/null
+++ b/queue-4.4/function_graph-make-ftrace_push_return_trace-static.patch
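Review bot: The new function_graph_enter() in the kernel/trace/trace_functions_graph.c hunk calls `ftrace_push_return_trace(ret, func, &trace.depth, frame_pointer, retp)` with five arguments, but the prototype kept as context in this same patch's include/linux/ftrace.h hunk declares it with four (`int *depth, unsigned long frame_pointer)`), and the definition shown in the follow-up "make static" patch in this queue also has four. Unless the 4.4 tree carries a retp parameter that neither hunk shows, this backport will not compile, and the upstream commit it is taken from targets a tree where that extra parameter already exists. The likely fix is to drop the trailing argument, `return ftrace_push_return_trace(ret, func, &trace.depth, frame_pointer);`, keeping `retp` in the signature so the architecture callers converted later still match. The `trace.depth = current->curr_ret_stack + 1;` line would also benefit from a short comment, e.g. `/* depth of the entry about to be pushed on the shadow return stack */`, since the push itself happens in the callee.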
@@ -0,0 +1,50 @@
+From d125f3f866df88da5a85df00291f88f0baa89f7c Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)"
+Date: Mon, 19 Nov 2018 07:40:39 -0500
+Subject: function_graph: Make ftrace_push_return_trace() static
+
+From: Steven Rostedt (VMware)
+
+commit d125f3f866df88da5a85df00291f88f0baa89f7c upstream.
+
+As all architectures now call function_graph_enter() to do the entry work,
+no architecture should ever call ftrace_push_return_trace(). Make it static.
+
+This is needed to prepare for a fix of a design bug on how the curr_ret_stack
+is used.
+
+Cc: stable@kernel.org
+Fixes: 03274a3ffb449 ("tracing/fgraph: Adjust fgraph depth before calling trace return callback")
+Reviewed-by: Masami Hiramatsu
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/ftrace.h | 4 ----
+ kernel/trace/trace_functions_graph.c | 2 +-
+ 2 files changed, 1 insertion(+), 5 deletions(-)
+
+--- a/include/linux/ftrace.h
++++ b/include/linux/ftrace.h
+@@ -770,10 +770,6 @@ struct ftrace_ret_stack {
+ extern void return_to_handler(void);
+
+ extern int
+-ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth,
+- unsigned long frame_pointer);
+-
+-extern int
+ function_graph_enter(unsigned long ret, unsigned long func,
+ unsigned long frame_pointer, unsigned long *retp);
+
+--- a/kernel/trace/trace_functions_graph.c
++++ b/kernel/trace/trace_functions_graph.c
+@@ -116,7 +116,7 @@ print_graph_duration(struct trace_array
+ struct trace_seq *s, u32 flags);
+
+ /* Add a function return address to the trace stack on thread info.*/
+-int
++static int
+ ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth,
+ unsigned long frame_pointer)
+ {
diff --git a/queue-4.4/series b/queue-4.4/series
index ae8f2a05e17..5d637facb4b 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -11,3 +11,6 @@ alsa-wss-fix-invalid-snd_free_pages-at-error-path.patch
 alsa-ac97-fix-incorrect-bit-shift-at-ac97-spsa-control-write.patch
 alsa-control-fix-race-between-adding-and-removing-a-user-element.patch
 alsa-sparc-fix-invalid-snd_free_pages-at-error-path.patch
+function_graph-create-function_graph_enter-to-consolidate-architecture-code.patch
+function_graph-make-ftrace_push_return_trace-static.patch
+ext2-fix-potential-use-after-free.patch