From b13fc71d7effb8e9c51aaf2735c247c00a925473 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 12 Aug 2015 17:34:12 +0200
Subject: [PATCH] perf: Fix double-free of the AUX buffer

---
 debian/changelog                              |  1 +
 ...rf-fix-double-free-of-the-aux-buffer.patch | 44 +++++++++++++++++++
 debian/patches/series                         |  1 +
 3 files changed, 46 insertions(+)
 create mode 100644 debian/patches/bugfix/all/perf-fix-double-free-of-the-aux-buffer.patch

diff --git a/debian/changelog b/debian/changelog
index 435d09fd2..56c4fdcc1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -226,6 +226,7 @@ linux (4.1.5-1) UNRELEASED; urgency=medium
   * Bump ABI to 2
   * virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156)
   * ovl: Add support for NFS as lower filesystem (Closes: #786925)
+  * perf: Fix double-free of the AUX buffer
 
  -- Ian Campbell <ijc@debian.org>  Tue, 04 Aug 2015 19:31:45 +0100
 
diff --git a/debian/patches/bugfix/all/perf-fix-double-free-of-the-aux-buffer.patch b/debian/patches/bugfix/all/perf-fix-double-free-of-the-aux-buffer.patch
new file mode 100644
index 000000000..32125aea6
--- /dev/null
+++ b/debian/patches/bugfix/all/perf-fix-double-free-of-the-aux-buffer.patch
@@ -0,0 +1,44 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 27 Jul 2015 00:31:08 +0100
+Subject: perf: Fix double-free of the AUX buffer
+Origin: https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit?id=ee9397a6fb9bc4e52677f5e33eed4abee0f515e6
+
+If rb->aux_refcount is decremented to zero before rb->refcount,
+__rb_free_aux() may be called twice resulting in a double free of
+rb->aux_pages.  Fix this by adding a check to __rb_free_aux().
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Fixes: 57ffc5ca679f ("perf: Fix AUX buffer refcounting")
+Link: http://lkml.kernel.org/r/1437953468.12842.17.camel@decadent.org.uk
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ kernel/events/ring_buffer.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -547,11 +547,13 @@ static void __rb_free_aux(struct ring_bu
+ 		rb->aux_priv = NULL;
+ 	}
+ 
+-	for (pg = 0; pg < rb->aux_nr_pages; pg++)
+-		rb_free_aux_page(rb, pg);
++	if (rb->aux_nr_pages) {
++		for (pg = 0; pg < rb->aux_nr_pages; pg++)
++			rb_free_aux_page(rb, pg);
+ 
+-	kfree(rb->aux_pages);
+-	rb->aux_nr_pages = 0;
++		kfree(rb->aux_pages);
++		rb->aux_nr_pages = 0;
++	}
+ }
+ 
+ void rb_free_aux(struct ring_buffer *rb)
diff --git a/debian/patches/series b/debian/patches/series
index 98e0e4a72..1f216234d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -100,3 +100,4 @@ bugfix/all/virtio-net-drop-netif_f_fraglist.patch
 bugfix/all/-ovl-don-t-traverse-automount-points.patch
 bugfix/all/ovl-allow-distributed-fs-as-lower-layer.patch
 bugfix/all/fix-a-braino-in-ovl_d_select_inode.patch
+bugfix/all/perf-fix-double-free-of-the-aux-buffer.patch