4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Mar 2020 10:06:10 +0000 (11:06 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Mar 2020 10:06:10 +0000 (11:06 +0100)
added patches:
arm-8958-1-rename-missed-uaccess-.fixup-section.patch
mm-slub-add-missing-tid-bump-in-kmem_cache_alloc_bulk.patch

queue-4.14/arm-8958-1-rename-missed-uaccess-.fixup-section.patch [new file with mode: 0644]
queue-4.14/mm-slub-add-missing-tid-bump-in-kmem_cache_alloc_bulk.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/arm-8958-1-rename-missed-uaccess-.fixup-section.patch b/queue-4.14/arm-8958-1-rename-missed-uaccess-.fixup-section.patch
new file mode 100644 (file)
index 0000000..be1db17
--- /dev/null
@@ -0,0 +1,43 @@
+From f87b1c49bc675da30d8e1e8f4b60b800312c7b90 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 10 Feb 2020 02:04:17 +0100
+Subject: ARM: 8958/1: rename missed uaccess .fixup section
+
+From: Kees Cook <keescook@chromium.org>
+
+commit f87b1c49bc675da30d8e1e8f4b60b800312c7b90 upstream.
+
+When the uaccess .fixup section was renamed to .text.fixup, one case was
+missed. Under ld.bfd, the orphaned section was moved close to .text
+(since they share the "ax" bits), so things would work normally on
+uaccess faults. Under ld.lld, the orphaned section was placed outside
+the .text section, making it unreachable.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/282
+Link: https://bugs.chromium.org/p/chromium/issues/detail?id=1020633#c44
+Link: https://lore.kernel.org/r/nycvar.YSQ.7.76.1912032147340.17114@knanqh.ubzr
+Link: https://lore.kernel.org/lkml/202002071754.F5F073F1D@keescook/
+
+Fixes: c4a84ae39b4a5 ("ARM: 8322/1: keep .text and .fixup regions closer together")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/lib/copy_from_user.S |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/lib/copy_from_user.S
++++ b/arch/arm/lib/copy_from_user.S
+@@ -100,7 +100,7 @@ ENTRY(arm_copy_from_user)
+ ENDPROC(arm_copy_from_user)
+-      .pushsection .fixup,"ax"
++      .pushsection .text.fixup,"ax"
+       .align 0
+       copy_abort_preamble
+       ldmfd   sp!, {r1, r2, r3}
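Review bot: Nothing in the hunk or the description verifies that the `.pushsection .fixup,"ax"` renamed here was the only remaining orphaned uaccess fixup section in the 4.14 arch/arm tree; the upstream message says "one case was missed", but that was written against the upstream tree, so I would confirm with a tree-wide search for `.pushsection .fixup` under arch/arm before queueing, since under ld.lld any other leftover would be just as unreachable. The nested `@@ -100,7 +100,7 @@` header announces seven lines on each side but only six follow it, and the outer `@@ -0,0 +1,43 @@` header shows 41 lines, so the tail of the fixup handler after `ldmfd sp!, {r1, r2, r3}` is not visible on this page; check that the queued patch file is complete. ENTRY(arm_copy_from_user) and the rest of the handler lie outside the hunk.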
diff --git a/queue-4.14/mm-slub-add-missing-tid-bump-in-kmem_cache_alloc_bulk.patch b/queue-4.14/mm-slub-add-missing-tid-bump-in-kmem_cache_alloc_bulk.patch
new file mode 100644 (file)
index 0000000..864366e
--- /dev/null
@@ -0,0 +1,46 @@
+From fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 17 Mar 2020 01:28:45 +0100
+Subject: mm: slub: add missing TID bump in kmem_cache_alloc_bulk()
+
+From: Jann Horn <jannh@google.com>
+
+commit fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8 upstream.
+
+When kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu
+freelist of length M, and N > M > 0, it will first remove the M elements
+from the percpu freelist, then call ___slab_alloc() to allocate the next
+element and repopulate the percpu freelist. ___slab_alloc() can re-enable
+IRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()
+to properly commit the freelist head change.
+
+Fix it by unconditionally bumping c->tid when entering the slowpath.
+
+Cc: stable@vger.kernel.org
+Fixes: ebe909e0fdb3 ("slub: improve bulk alloc strategy")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slub.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -3123,6 +3123,15 @@ int kmem_cache_alloc_bulk(struct kmem_ca
+               if (unlikely(!object)) {
+                       /*
++                       * We may have removed an object from c->freelist using
++                       * the fastpath in the previous iteration; in that case,
++                       * c->tid has not been bumped yet.
++                       * Since ___slab_alloc() may reenable interrupts while
++                       * allocating memory, we should bump c->tid now.
++                       */
++                      c->tid = next_tid(c->tid);
++
++                      /*
+                        * Invoking slow path likely have side-effect
+                        * of re-populating per CPU c->freelist
+                        */
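Review bot: The new `c->tid = next_tid(c->tid);` runs on every entry to this `!object` branch, not only when the previous iteration actually popped from c->freelist, yet the comment above it describes only the conditional case, so a later reader may take the unconditional bump for an oversight. I would extend that comment with a sentence such as `Bumping unconditionally is intentional: an unneeded bump only makes a concurrent fastpath cmpxchg retry, whereas a missed one lets a stale freelist head be committed once ___slab_alloc() has re-enabled interrupts.` The retry behaviour is inferred from the slub fastpath design rather than from lines in this hunk, so confirm the wording against the fastpath in the same file. kmem_cache_alloc_bulk() starts and ends outside the hunk, and the ___slab_alloc() call the comment refers to is not visible here.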
index 7c880c1d967111161ef76047bb58cb95a77146d2..732b0638f7dd21ec22fb6e8080c7d5e6f37f3fb1 100644 (file)
@@ -94,3 +94,5 @@ hinic-fix-a-bug-of-setting-hw_ioctxt.patch
 net-rmnet-fix-null-pointer-dereference-in-rmnet_newl.patch
 jbd2-fix-data-races-at-struct-journal_head.patch
 arm-8957-1-vdso-match-armv8-timer-in-cntvct_functional.patch
+arm-8958-1-rename-missed-uaccess-.fixup-section.patch
+mm-slub-add-missing-tid-bump-in-kmem_cache_alloc_bulk.patch