From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 10 Apr 2017 14:28:15 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.61~30
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=42f170a5fbfa188ad4167c94e96b87920d0a6ee3;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	ptrace-fix-ptrace_listen-race-corrupting-task-state.patch
	reset-treeid-to-zero-on-smb2-tree_connect.patch
	ring-buffer-fix-return-value-check-in-test_ringbuffer.patch
---

diff --git a/queue-4.4/ptrace-fix-ptrace_listen-race-corrupting-task-state.patch b/queue-4.4/ptrace-fix-ptrace_listen-race-corrupting-task-state.patch
new file mode 100644
index 00000000000..fb70250bdd5
--- /dev/null
+++ b/queue-4.4/ptrace-fix-ptrace_listen-race-corrupting-task-state.patch
@@ -0,0 +1,61 @@
+From 5402e97af667e35e54177af8f6575518bf251d51 Mon Sep 17 00:00:00 2001
+From: "bsegall@google.com" <bsegall@google.com>
+Date: Fri, 7 Apr 2017 16:04:51 -0700
+Subject: ptrace: fix PTRACE_LISTEN race corrupting task->state
+
+From: bsegall@google.com <bsegall@google.com>
+
+commit 5402e97af667e35e54177af8f6575518bf251d51 upstream.
+
+In PT_SEIZED + LISTEN mode STOP/CONT signals cause a wakeup against
+__TASK_TRACED.  If this races with the ptrace_unfreeze_traced at the end
+of a PTRACE_LISTEN, this can wake the task /after/ the check against
+__TASK_TRACED, but before the reset of state to TASK_TRACED.  This
+causes it to instead clobber TASK_WAKING, allowing a subsequent wakeup
+against TRACED while the task is still on the rq wake_list, corrupting
+it.
+
+Oleg said:
+ "The kernel can crash or this can lead to other hard-to-debug problems.
+  In short, "task->state = TASK_TRACED" in ptrace_unfreeze_traced()
+  assumes that nobody else can wake it up, but PTRACE_LISTEN breaks the
+  contract. Obviusly it is very wrong to manipulate task->state if this
+  task is already running, or WAKING, or it sleeps again"
+
+[akpm@linux-foundation.org: coding-style fixes]
+Fixes: 9899d11f ("ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL")
+Link: http://lkml.kernel.org/r/xm26y3vfhmkp.fsf_-_@bsegall-linux.mtv.corp.google.com
+Signed-off-by: Ben Segall <bsegall@google.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/ptrace.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -151,11 +151,17 @@ static void ptrace_unfreeze_traced(struc
+ 
+ 	WARN_ON(!task->ptrace || task->parent != current);
+ 
++	/*
++	 * PTRACE_LISTEN can allow ptrace_trap_notify to wake us up remotely.
++	 * Recheck state under the lock to close this race.
++	 */
+ 	spin_lock_irq(&task->sighand->siglock);
+-	if (__fatal_signal_pending(task))
+-		wake_up_state(task, __TASK_TRACED);
+-	else
+-		task->state = TASK_TRACED;
++	if (task->state == __TASK_TRACED) {
++		if (__fatal_signal_pending(task))
++			wake_up_state(task, __TASK_TRACED);
++		else
++			task->state = TASK_TRACED;
++	}
+ 	spin_unlock_irq(&task->sighand->siglock);
+ }
+ 
diff --git a/queue-4.4/reset-treeid-to-zero-on-smb2-tree_connect.patch b/queue-4.4/reset-treeid-to-zero-on-smb2-tree_connect.patch
new file mode 100644
index 00000000000..10ac01984f1
--- /dev/null
+++ b/queue-4.4/reset-treeid-to-zero-on-smb2-tree_connect.patch
@@ -0,0 +1,38 @@
+From 806a28efe9b78ffae5e2757e1ee924b8e50c08ab Mon Sep 17 00:00:00 2001
+From: Jan-Marek Glogowski <glogow@fbihome.de>
+Date: Mon, 20 Feb 2017 12:25:58 +0100
+Subject: Reset TreeId to zero on SMB2 TREE_CONNECT
+
+From: Jan-Marek Glogowski <glogow@fbihome.de>
+
+commit 806a28efe9b78ffae5e2757e1ee924b8e50c08ab upstream.
+
+Currently the cifs module breaks the CIFS specs on reconnect as
+described in http://msdn.microsoft.com/en-us/library/cc246529.aspx:
+
+"TreeId (4 bytes): Uniquely identifies the tree connect for the
+command. This MUST be 0 for the SMB2 TREE_CONNECT Request."
+
+Signed-off-by: Jan-Marek Glogowski <glogow@fbihome.de>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Tested-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -952,6 +952,10 @@ SMB2_tcon(const unsigned int xid, struct
+ 		return -EINVAL;
+ 	}
+ 
++	/* SMB2 TREE_CONNECT request must be called with TreeId == 0 */
++	if (tcon)
++		tcon->tid = 0;
++
+ 	rc = small_smb2_init(SMB2_TREE_CONNECT, tcon, (void **) &req);
+ 	if (rc) {
+ 		kfree(unc_path);
diff --git a/queue-4.4/ring-buffer-fix-return-value-check-in-test_ringbuffer.patch b/queue-4.4/ring-buffer-fix-return-value-check-in-test_ringbuffer.patch
new file mode 100644
index 00000000000..16a93dfb332
--- /dev/null
+++ b/queue-4.4/ring-buffer-fix-return-value-check-in-test_ringbuffer.patch
@@ -0,0 +1,50 @@
+From 62277de758b155dc04b78f195a1cb5208c37b2df Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Fri, 17 Jun 2016 17:33:59 +0000
+Subject: ring-buffer: Fix return value check in test_ringbuffer()
+
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+
+commit 62277de758b155dc04b78f195a1cb5208c37b2df upstream.
+
+In case of error, the function kthread_run() returns ERR_PTR()
+and never returns NULL. The NULL test in the return value check
+should be replaced with IS_ERR().
+
+Link: http://lkml.kernel.org/r/1466184839-14927-1-git-send-email-weiyj_lk@163.com
+
+Fixes: 6c43e554a ("ring-buffer: Add ring buffer startup selftest")
+Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ring_buffer.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -4875,9 +4875,9 @@ static __init int test_ringbuffer(void)
+ 		rb_data[cpu].cnt = cpu;
+ 		rb_threads[cpu] = kthread_create(rb_test, &rb_data[cpu],
+ 						 "rbtester/%d", cpu);
+-		if (WARN_ON(!rb_threads[cpu])) {
++		if (WARN_ON(IS_ERR(rb_threads[cpu]))) {
+ 			pr_cont("FAILED\n");
+-			ret = -1;
++			ret = PTR_ERR(rb_threads[cpu]);
+ 			goto out_free;
+ 		}
+ 
+@@ -4887,9 +4887,9 @@ static __init int test_ringbuffer(void)
+ 
+ 	/* Now create the rb hammer! */
+ 	rb_hammer = kthread_run(rb_hammer_test, NULL, "rbhammer");
+-	if (WARN_ON(!rb_hammer)) {
++	if (WARN_ON(IS_ERR(rb_hammer))) {
+ 		pr_cont("FAILED\n");
+-		ret = -1;
++		ret = PTR_ERR(rb_hammer);
+ 		goto out_free;
+ 	}
+ 
diff --git a/queue-4.4/series b/queue-4.4/series
index 2c500074610..33d6a013b19 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -9,3 +9,6 @@ staging-android-ashmem-lseek-failed-due-to-no-fmode_lseek.patch
 arm-arm64-kvm-take-mmap_sem-in-stage2_unmap_vm.patch
 arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch
 iio-bmg160-reset-chip-when-probing.patch
+reset-treeid-to-zero-on-smb2-tree_connect.patch
+ptrace-fix-ptrace_listen-race-corrupting-task-state.patch
+ring-buffer-fix-return-value-check-in-test_ringbuffer.patch