4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 25 May 2020 14:46:37 +0000 (16:46 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 25 May 2020 14:46:37 +0000 (16:46 +0200)
added patches:
rxrpc-fix-a-memory-leak-in-rxkad_verify_response.patch
x86-unwind-orc-fix-unwind_get_return_address_ptr-for-inactive-tasks.patch

queue-4.14/rxrpc-fix-a-memory-leak-in-rxkad_verify_response.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/x86-unwind-orc-fix-unwind_get_return_address_ptr-for-inactive-tasks.patch [new file with mode: 0644]

diff --git a/queue-4.14/rxrpc-fix-a-memory-leak-in-rxkad_verify_response.patch b/queue-4.14/rxrpc-fix-a-memory-leak-in-rxkad_verify_response.patch
new file mode 100644 (file)
index 0000000..3cf5446
--- /dev/null
@@ -0,0 +1,42 @@
+From f45d01f4f30b53c3a0a1c6c1c154acb7ff74ab9f Mon Sep 17 00:00:00 2001
+From: Qiushi Wu <wu000273@umn.edu>
+Date: Fri, 22 May 2020 13:45:18 -0500
+Subject: rxrpc: Fix a memory leak in rxkad_verify_response()
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+commit f45d01f4f30b53c3a0a1c6c1c154acb7ff74ab9f upstream.
+
+A ticket was not released after a call of the function
+"rxkad_decrypt_ticket" failed. Thus replace the jump target
+"temporary_error_free_resp" by "temporary_error_free_ticket".
+
+Fixes: 8c2f826dc3631 ("rxrpc: Don't put crypto buffers on the stack")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Markus Elfring <Markus.Elfring@web.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rxrpc/rxkad.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/rxrpc/rxkad.c
++++ b/net/rxrpc/rxkad.c
+@@ -1111,7 +1111,7 @@ static int rxkad_verify_response(struct
+       ret = rxkad_decrypt_ticket(conn, skb, ticket, ticket_len, &session_key,
+                                  &expiry, _abort_code);
+       if (ret < 0)
+-              goto temporary_error_free_resp;
++              goto temporary_error_free_ticket;
+       /* use the session key from inside the ticket to decrypt the
+        * response */
+@@ -1193,7 +1193,6 @@ protocol_error:
+ temporary_error_free_ticket:
+       kfree(ticket);
+-temporary_error_free_resp:
+       kfree(response);
+ temporary_error:
+       /* Ignore the response packet if we got a temporary error such as
index 349b9aed7b1b2f4994304aafabad44d9476308d9..cede6c1680bc3617bf3d787c65aa39005a1a6293 100644 (file)
@@ -54,3 +54,5 @@ iio-sca3000-remove-an-erroneous-get_device.patch
 iio-dac-vf610-fix-an-error-handling-path-in-vf610_dac_probe.patch
 mei-release-me_cl-object-reference.patch
 rapidio-fix-an-error-in-get_user_pages_fast-error-handling.patch
+rxrpc-fix-a-memory-leak-in-rxkad_verify_response.patch
+x86-unwind-orc-fix-unwind_get_return_address_ptr-for-inactive-tasks.patch
diff --git a/queue-4.14/x86-unwind-orc-fix-unwind_get_return_address_ptr-for-inactive-tasks.patch b/queue-4.14/x86-unwind-orc-fix-unwind_get_return_address_ptr-for-inactive-tasks.patch
new file mode 100644 (file)
index 0000000..b76ef6b
--- /dev/null
@@ -0,0 +1,70 @@
+From 187b96db5ca79423618dfa29a05c438c34f9e1f0 Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Fri, 22 May 2020 08:54:35 -0500
+Subject: x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+commit 187b96db5ca79423618dfa29a05c438c34f9e1f0 upstream.
+
+Normally, show_trace_log_lvl() scans the stack, looking for text
+addresses to print.  In parallel, it unwinds the stack with
+unwind_next_frame().  If the stack address matches the pointer returned
+by unwind_get_return_address_ptr() for the current frame, the text
+address is printed normally without a question mark.  Otherwise it's
+considered a breadcrumb (potentially from a previous call path) and it's
+printed with a question mark to indicate that the address is unreliable
+and typically can be ignored.
+
+Since the following commit:
+
+  f1d9a2abff66 ("x86/unwind/orc: Don't skip the first frame for inactive tasks")
+
+... for inactive tasks, show_trace_log_lvl() prints *only* unreliable
+addresses (prepended with '?').
+
+That happens because, for the first frame of an inactive task,
+unwind_get_return_address_ptr() returns the wrong return address
+pointer: one word *below* the task stack pointer.  show_trace_log_lvl()
+starts scanning at the stack pointer itself, so it never finds the first
+'reliable' address, causing only guesses to being printed.
+
+The first frame of an inactive task isn't a normal stack frame.  It's
+actually just an instance of 'struct inactive_task_frame' which is left
+behind by __switch_to_asm().  Now that this inactive frame is actually
+exposed to callers, fix unwind_get_return_address_ptr() to interpret it
+properly.
+
+Fixes: f1d9a2abff66 ("x86/unwind/orc: Don't skip the first frame for inactive tasks")
+Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20200522135435.vbxs7umku5pyrdbk@treble
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/unwind_orc.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/x86/kernel/unwind_orc.c
++++ b/arch/x86/kernel/unwind_orc.c
+@@ -255,12 +255,19 @@ EXPORT_SYMBOL_GPL(unwind_get_return_addr
+ unsigned long *unwind_get_return_address_ptr(struct unwind_state *state)
+ {
++      struct task_struct *task = state->task;
++
+       if (unwind_done(state))
+               return NULL;
+       if (state->regs)
+               return &state->regs->ip;
++      if (task != current && state->sp == task->thread.sp) {
++              struct inactive_task_frame *frame = (void *)task->thread.sp;
++              return &frame->ret_addr;
++      }
++
+       if (state->sp)
+               return (unsigned long *)state->sp - 1;