4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 10 Apr 2017 14:28:15 +0000 (16:28 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 10 Apr 2017 14:28:15 +0000 (16:28 +0200)
added patches:
ptrace-fix-ptrace_listen-race-corrupting-task-state.patch
reset-treeid-to-zero-on-smb2-tree_connect.patch
ring-buffer-fix-return-value-check-in-test_ringbuffer.patch

queue-4.4/ptrace-fix-ptrace_listen-race-corrupting-task-state.patch [new file with mode: 0644]
queue-4.4/reset-treeid-to-zero-on-smb2-tree_connect.patch [new file with mode: 0644]
queue-4.4/ring-buffer-fix-return-value-check-in-test_ringbuffer.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/ptrace-fix-ptrace_listen-race-corrupting-task-state.patch b/queue-4.4/ptrace-fix-ptrace_listen-race-corrupting-task-state.patch
new file mode 100644 (file)
index 0000000..fb70250
--- /dev/null
@@ -0,0 +1,61 @@
+From 5402e97af667e35e54177af8f6575518bf251d51 Mon Sep 17 00:00:00 2001
+From: "bsegall@google.com" <bsegall@google.com>
+Date: Fri, 7 Apr 2017 16:04:51 -0700
+Subject: ptrace: fix PTRACE_LISTEN race corrupting task->state
+
+From: bsegall@google.com <bsegall@google.com>
+
+commit 5402e97af667e35e54177af8f6575518bf251d51 upstream.
+
+In PT_SEIZED + LISTEN mode STOP/CONT signals cause a wakeup against
+__TASK_TRACED.  If this races with the ptrace_unfreeze_traced at the end
+of a PTRACE_LISTEN, this can wake the task /after/ the check against
+__TASK_TRACED, but before the reset of state to TASK_TRACED.  This
+causes it to instead clobber TASK_WAKING, allowing a subsequent wakeup
+against TRACED while the task is still on the rq wake_list, corrupting
+it.
+
+Oleg said:
+ "The kernel can crash or this can lead to other hard-to-debug problems.
+  In short, "task->state = TASK_TRACED" in ptrace_unfreeze_traced()
+  assumes that nobody else can wake it up, but PTRACE_LISTEN breaks the
+  contract. Obviusly it is very wrong to manipulate task->state if this
+  task is already running, or WAKING, or it sleeps again"
+
+[akpm@linux-foundation.org: coding-style fixes]
+Fixes: 9899d11f ("ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL")
+Link: http://lkml.kernel.org/r/xm26y3vfhmkp.fsf_-_@bsegall-linux.mtv.corp.google.com
+Signed-off-by: Ben Segall <bsegall@google.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/ptrace.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -151,11 +151,17 @@ static void ptrace_unfreeze_traced(struc
+       WARN_ON(!task->ptrace || task->parent != current);
++      /*
++       * PTRACE_LISTEN can allow ptrace_trap_notify to wake us up remotely.
++       * Recheck state under the lock to close this race.
++       */
+       spin_lock_irq(&task->sighand->siglock);
+-      if (__fatal_signal_pending(task))
+-              wake_up_state(task, __TASK_TRACED);
+-      else
+-              task->state = TASK_TRACED;
++      if (task->state == __TASK_TRACED) {
++              if (__fatal_signal_pending(task))
++                      wake_up_state(task, __TASK_TRACED);
++              else
++                      task->state = TASK_TRACED;
++      }
+       spin_unlock_irq(&task->sighand->siglock);
+ }
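Review bot: The new comment above the spin_lock_irq() says only that the state is rechecked under the lock, not why that recheck makes the write safe, and since the whole fix is the one added condition the invariant from the commit message belongs next to it. I would replace the comment with `/* PTRACE_LISTEN lets ptrace_trap_notify() wake the tracee behind our back;` / ` * only restore TASK_TRACED while it is still frozen in __TASK_TRACED, else` / ` * this write would clobber TASK_WAKING/RUNNING and corrupt the rq wake_list. */`. The comparison relies on ptrace_freeze_traced() being the only writer of __TASK_TRACED for a tracee; that function and the start of ptrace_unfreeze_traced() are outside the hunk, so I cannot confirm it from here. ptrace_unfreeze_traced() begins outside the hunk.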
diff --git a/queue-4.4/reset-treeid-to-zero-on-smb2-tree_connect.patch b/queue-4.4/reset-treeid-to-zero-on-smb2-tree_connect.patch
new file mode 100644 (file)
index 0000000..10ac019
--- /dev/null
@@ -0,0 +1,38 @@
+From 806a28efe9b78ffae5e2757e1ee924b8e50c08ab Mon Sep 17 00:00:00 2001
+From: Jan-Marek Glogowski <glogow@fbihome.de>
+Date: Mon, 20 Feb 2017 12:25:58 +0100
+Subject: Reset TreeId to zero on SMB2 TREE_CONNECT
+
+From: Jan-Marek Glogowski <glogow@fbihome.de>
+
+commit 806a28efe9b78ffae5e2757e1ee924b8e50c08ab upstream.
+
+Currently the cifs module breaks the CIFS specs on reconnect as
+described in http://msdn.microsoft.com/en-us/library/cc246529.aspx:
+
+"TreeId (4 bytes): Uniquely identifies the tree connect for the
+command. This MUST be 0 for the SMB2 TREE_CONNECT Request."
+
+Signed-off-by: Jan-Marek Glogowski <glogow@fbihome.de>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Tested-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -952,6 +952,10 @@ SMB2_tcon(const unsigned int xid, struct
+               return -EINVAL;
+       }
++      /* SMB2 TREE_CONNECT request must be called with TreeId == 0 */
++      if (tcon)
++              tcon->tid = 0;
++
+       rc = small_smb2_init(SMB2_TREE_CONNECT, tcon, (void **) &req);
+       if (rc) {
+               kfree(unc_path);
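Review bot: `tcon->tid = 0` is stored before the request is even built, and nothing in the hunk serializes that store against other users of the tcon, so a request encoded on the same tcon between this line and the point where the TREE_CONNECT response installs the new TreeId would presumably go out with TreeId 0 — inferred, not visible here, so worth confirming that the reconnect path holds off other commands on the tcon. A side effect of the unconditional reset is that a failed TREE_CONNECT now also discards the stale TreeId, which looks intended given the spec text quoted in the message. The added comment could say why the reset is needed at all: `/* MS-SMB2: TreeId MUST be 0 in a TREE_CONNECT request; on reconnect the id from the previous tree connect would otherwise be reused. */`. SMB2_tcon() begins and ends outside the hunk.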
diff --git a/queue-4.4/ring-buffer-fix-return-value-check-in-test_ringbuffer.patch b/queue-4.4/ring-buffer-fix-return-value-check-in-test_ringbuffer.patch
new file mode 100644 (file)
index 0000000..16a93df
--- /dev/null
@@ -0,0 +1,50 @@
+From 62277de758b155dc04b78f195a1cb5208c37b2df Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Fri, 17 Jun 2016 17:33:59 +0000
+Subject: ring-buffer: Fix return value check in test_ringbuffer()
+
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+
+commit 62277de758b155dc04b78f195a1cb5208c37b2df upstream.
+
+In case of error, the function kthread_run() returns ERR_PTR()
+and never returns NULL. The NULL test in the return value check
+should be replaced with IS_ERR().
+
+Link: http://lkml.kernel.org/r/1466184839-14927-1-git-send-email-weiyj_lk@163.com
+
+Fixes: 6c43e554a ("ring-buffer: Add ring buffer startup selftest")
+Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ring_buffer.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -4875,9 +4875,9 @@ static __init int test_ringbuffer(void)
+               rb_data[cpu].cnt = cpu;
+               rb_threads[cpu] = kthread_create(rb_test, &rb_data[cpu],
+                                                "rbtester/%d", cpu);
+-              if (WARN_ON(!rb_threads[cpu])) {
++              if (WARN_ON(IS_ERR(rb_threads[cpu]))) {
+                       pr_cont("FAILED\n");
+-                      ret = -1;
++                      ret = PTR_ERR(rb_threads[cpu]);
+                       goto out_free;
+               }
+@@ -4887,9 +4887,9 @@ static __init int test_ringbuffer(void)
+       /* Now create the rb hammer! */
+       rb_hammer = kthread_run(rb_hammer_test, NULL, "rbhammer");
+-      if (WARN_ON(!rb_hammer)) {
++      if (WARN_ON(IS_ERR(rb_hammer))) {
+               pr_cont("FAILED\n");
+-              ret = -1;
++              ret = PTR_ERR(rb_hammer);
+               goto out_free;
+       }
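Review bot: After the failed kthread_create() in the first hunk, `rb_threads[cpu]` now holds an ERR_PTR value rather than NULL when control reaches out_free; the cleanup label is outside the hunk, so verify its walk over rb_threads[] does not treat any non-NULL slot as a started thread and hand the ERR_PTR to kthread_stop(), which would dereference it. A self-contained fix inside the hunk is to clear the slot after capturing the error: `ret = PTR_ERR(rb_threads[cpu]);` followed by `rb_threads[cpu] = NULL;` before the `goto out_free;`. The same concern applies to rb_hammer in the second hunk unless its cleanup test already uses IS_ERR_OR_NULL(). Minor: the commit message mentions kthread_run(), but the per-CPU threads come from kthread_create(), which also returns ERR_PTR on failure, so the IS_ERR() check is equally correct there. test_ringbuffer() begins and ends outside the hunks.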
index 2c5000746109fdd6680443ae79b54a766c238705..33d6a013b19f872ff8e07ba7f87e1ac2863e02e6 100644 (file)
@@ -9,3 +9,6 @@ staging-android-ashmem-lseek-failed-due-to-no-fmode_lseek.patch
 arm-arm64-kvm-take-mmap_sem-in-stage2_unmap_vm.patch
 arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch
 iio-bmg160-reset-chip-when-probing.patch
+reset-treeid-to-zero-on-smb2-tree_connect.patch
+ptrace-fix-ptrace_listen-race-corrupting-task-state.patch
+ring-buffer-fix-return-value-check-in-test_ringbuffer.patch