From: Greg Kroah-Hartman Date: Mon, 25 May 2020 15:33:06 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.225~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5064ad8362a968207935f0f543989023b9eeb3b9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: rxrpc-fix-a-memory-leak-in-rxkad_verify_response.patch x86-unwind-orc-fix-unwind_get_return_address_ptr-for-inactive-tasks.patch --- diff --git a/queue-4.19/rxrpc-fix-a-memory-leak-in-rxkad_verify_response.patch b/queue-4.19/rxrpc-fix-a-memory-leak-in-rxkad_verify_response.patch new file mode 100644 index 00000000000..c981e0d63ae --- /dev/null +++ b/queue-4.19/rxrpc-fix-a-memory-leak-in-rxkad_verify_response.patch 
@@ -0,0 +1,42 @@ +From f45d01f4f30b53c3a0a1c6c1c154acb7ff74ab9f Mon Sep 17 00:00:00 2001 +From: Qiushi Wu +Date: Fri, 22 May 2020 13:45:18 -0500 +Subject: rxrpc: Fix a memory leak in rxkad_verify_response() + +From: Qiushi Wu + +commit f45d01f4f30b53c3a0a1c6c1c154acb7ff74ab9f upstream. + +A ticket was not released after a call of the function +"rxkad_decrypt_ticket" failed. Thus replace the jump target +"temporary_error_free_resp" by "temporary_error_free_ticket". + +Fixes: 8c2f826dc3631 ("rxrpc: Don't put crypto buffers on the stack") +Signed-off-by: Qiushi Wu +Signed-off-by: David Howells +cc: Markus Elfring +Signed-off-by: Greg Kroah-Hartman + +--- + net/rxrpc/rxkad.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/rxrpc/rxkad.c ++++ b/net/rxrpc/rxkad.c +@@ -1118,7 +1118,7 @@ static int rxkad_verify_response(struct + ret = rxkad_decrypt_ticket(conn, skb, ticket, ticket_len, &session_key, + &expiry, _abort_code); + if (ret < 0) +- goto temporary_error_free_resp; ++ goto temporary_error_free_ticket; + + /* use the session key from inside the ticket to decrypt the + * response */ +@@ -1200,7 +1200,6 @@ protocol_error: + + temporary_error_free_ticket: + kfree(ticket); +-temporary_error_free_resp: + kfree(response); + temporary_error: + /* Ignore the response packet if we got a temporary error such as diff --git a/queue-4.19/series b/queue-4.19/series index ff986a0cbc5..0d2d2bf0956 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -72,3 +72,5 @@ misc-rtsx-add-short-delay-after-exit-from-aspm.patch mei-release-me_cl-object-reference.patch ipack-tpci200-fix-error-return-code-in-tpci200_register.patch rapidio-fix-an-error-in-get_user_pages_fast-error-handling.patch +rxrpc-fix-a-memory-leak-in-rxkad_verify_response.patch +x86-unwind-orc-fix-unwind_get_return_address_ptr-for-inactive-tasks.patch 
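Review bot: retargeting the `goto` after the `rxkad_decrypt_ticket()` failure check to `temporary_error_free_ticket` is the right fix, and dropping the `temporary_error_free_resp:` label is safe because any remaining jump to it would fail to compile rather than silently leak; the fall-through order `kfree(ticket); kfree(response);` means every path reaching the new target must have allocated `response` first, which the visible context confirms since the ticket is decrypted only after the response has been processed. Worth noting for stable: the failing call takes the `skb` of the peer's response packet, so a malformed or undecryptable ticket leaks one `ticket` buffer per failed verification, which makes this a remotely reachable resource leak rather than a cosmetic cleanup. The `series` hunk appends both new patch names at the end of the queue, so ordering is preserved.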
diff --git a/queue-4.19/x86-unwind-orc-fix-unwind_get_return_address_ptr-for-inactive-tasks.patch b/queue-4.19/x86-unwind-orc-fix-unwind_get_return_address_ptr-for-inactive-tasks.patch new file mode 100644 index 00000000000..4404dbe2106 --- /dev/null +++ b/queue-4.19/x86-unwind-orc-fix-unwind_get_return_address_ptr-for-inactive-tasks.patch 
@@ -0,0 +1,70 @@ +From 187b96db5ca79423618dfa29a05c438c34f9e1f0 Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf +Date: Fri, 22 May 2020 08:54:35 -0500 +Subject: x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks + +From: Josh Poimboeuf + +commit 187b96db5ca79423618dfa29a05c438c34f9e1f0 upstream. + +Normally, show_trace_log_lvl() scans the stack, looking for text +addresses to print. In parallel, it unwinds the stack with +unwind_next_frame(). If the stack address matches the pointer returned +by unwind_get_return_address_ptr() for the current frame, the text +address is printed normally without a question mark. Otherwise it's +considered a breadcrumb (potentially from a previous call path) and it's +printed with a question mark to indicate that the address is unreliable +and typically can be ignored. + +Since the following commit: + + f1d9a2abff66 ("x86/unwind/orc: Don't skip the first frame for inactive tasks") + +... for inactive tasks, show_trace_log_lvl() prints *only* unreliable +addresses (prepended with '?'). + +That happens because, for the first frame of an inactive task, +unwind_get_return_address_ptr() returns the wrong return address +pointer: one word *below* the task stack pointer. show_trace_log_lvl() +starts scanning at the stack pointer itself, so it never finds the first +'reliable' address, causing only guesses to being printed. + +The first frame of an inactive task isn't a normal stack frame. It's +actually just an instance of 'struct inactive_task_frame' which is left +behind by __switch_to_asm(). Now that this inactive frame is actually +exposed to callers, fix unwind_get_return_address_ptr() to interpret it +properly. 
+ +Fixes: f1d9a2abff66 ("x86/unwind/orc: Don't skip the first frame for inactive tasks") +Reported-by: Tetsuo Handa +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20200522135435.vbxs7umku5pyrdbk@treble +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/unwind_orc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/arch/x86/kernel/unwind_orc.c ++++ b/arch/x86/kernel/unwind_orc.c +@@ -300,12 +300,19 @@ EXPORT_SYMBOL_GPL(unwind_get_return_addr + + unsigned long *unwind_get_return_address_ptr(struct unwind_state *state) + { ++ struct task_struct *task = state->task; ++ + if (unwind_done(state)) + return NULL; + + if (state->regs) + return &state->regs->ip; + ++ if (task != current && state->sp == task->thread.sp) { ++ struct inactive_task_frame *frame = (void *)task->thread.sp; ++ return &frame->ret_addr; ++ } ++ + if (state->sp) + return (unsigned long *)state->sp - 1; +
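Review bot: the new `task != current && state->sp == task->thread.sp` block carries no comment, and the reason it exists (the first frame of an inactive task is a `struct inactive_task_frame` left behind by `__switch_to_asm()`, not a normal frame) is only in the commit message; suggest a one-line comment above the cast, e.g. `/* First frame of an inactive task: inactive_task_frame left by __switch_to_asm() */`. The placement is correct: the `state->regs` check still wins, so a frame with saved `pt_regs` is not misread as a switch frame, and `task->thread.sp` is dereferenced only inside the new condition after `unwind_done()` has rejected a finished state. The equality test against `task->thread.sp` also means that once the unwinder has advanced past the first frame the generic `state->sp - 1` path is used again, so the special case cannot misfire on later frames.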