From: Greg Kroah-Hartman Date: Thu, 19 Mar 2020 10:06:10 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.217~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2b5bbe59fd402cd54ad4985a535c8cab8cd5f886;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: arm-8958-1-rename-missed-uaccess-.fixup-section.patch mm-slub-add-missing-tid-bump-in-kmem_cache_alloc_bulk.patch --- diff --git a/queue-4.14/arm-8958-1-rename-missed-uaccess-.fixup-section.patch b/queue-4.14/arm-8958-1-rename-missed-uaccess-.fixup-section.patch new file mode 100644 index 00000000000..be1db17c6b2 --- /dev/null +++ b/queue-4.14/arm-8958-1-rename-missed-uaccess-.fixup-section.patch 
@@ -0,0 +1,43 @@ +From f87b1c49bc675da30d8e1e8f4b60b800312c7b90 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 10 Feb 2020 02:04:17 +0100 +Subject: ARM: 8958/1: rename missed uaccess .fixup section + +From: Kees Cook + +commit f87b1c49bc675da30d8e1e8f4b60b800312c7b90 upstream. + +When the uaccess .fixup section was renamed to .text.fixup, one case was +missed. Under ld.bfd, the orphaned section was moved close to .text +(since they share the "ax" bits), so things would work normally on +uaccess faults. Under ld.lld, the orphaned section was placed outside +the .text section, making it unreachable. + +Link: https://github.com/ClangBuiltLinux/linux/issues/282 +Link: https://bugs.chromium.org/p/chromium/issues/detail?id=1020633#c44 +Link: https://lore.kernel.org/r/nycvar.YSQ.7.76.1912032147340.17114@knanqh.ubzr +Link: https://lore.kernel.org/lkml/202002071754.F5F073F1D@keescook/ + +Fixes: c4a84ae39b4a5 ("ARM: 8322/1: keep .text and .fixup regions closer together") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Reviewed-by: Ard Biesheuvel +Reviewed-by: Nick Desaulniers +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/lib/copy_from_user.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/lib/copy_from_user.S ++++ b/arch/arm/lib/copy_from_user.S +@@ -100,7 +100,7 @@ ENTRY(arm_copy_from_user) + + ENDPROC(arm_copy_from_user) + +- .pushsection .fixup,"ax" ++ .pushsection .text.fixup,"ax" + .align 0 + copy_abort_preamble + ldmfd sp!, {r1, r2, r3} diff --git a/queue-4.14/mm-slub-add-missing-tid-bump-in-kmem_cache_alloc_bulk.patch b/queue-4.14/mm-slub-add-missing-tid-bump-in-kmem_cache_alloc_bulk.patch new file mode 100644 index 00000000000..864366eddd2 --- /dev/null +++ b/queue-4.14/mm-slub-add-missing-tid-bump-in-kmem_cache_alloc_bulk.patch 
@@ -0,0 +1,46 @@ +From fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Tue, 17 Mar 2020 01:28:45 +0100 +Subject: mm: slub: add missing TID bump in kmem_cache_alloc_bulk() + +From: Jann Horn + +commit fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8 upstream. + +When kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu +freelist of length M, and N > M > 0, it will first remove the M elements +from the percpu freelist, then call ___slab_alloc() to allocate the next +element and repopulate the percpu freelist. ___slab_alloc() can re-enable +IRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc() +to properly commit the freelist head change. + +Fix it by unconditionally bumping c->tid when entering the slowpath. + +Cc: stable@vger.kernel.org +Fixes: ebe909e0fdb3 ("slub: improve bulk alloc strategy") +Signed-off-by: Jann Horn +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -3123,6 +3123,15 @@ int kmem_cache_alloc_bulk(struct kmem_ca + + if (unlikely(!object)) { + /* ++ * We may have removed an object from c->freelist using ++ * the fastpath in the previous iteration; in that case, ++ * c->tid has not been bumped yet. ++ * Since ___slab_alloc() may reenable interrupts while ++ * allocating memory, we should bump c->tid now. ++ */ ++ c->tid = next_tid(c->tid); ++ ++ /* + * Invoking slow path likely have side-effect + * of re-populating per CPU c->freelist + */ diff --git a/queue-4.14/series b/queue-4.14/series index 7c880c1d967..732b0638f7d 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -94,3 +94,5 @@ hinic-fix-a-bug-of-setting-hw_ioctxt.patch net-rmnet-fix-null-pointer-dereference-in-rmnet_newl.patch jbd2-fix-data-races-at-struct-journal_head.patch arm-8957-1-vdso-match-armv8-timer-in-cntvct_functional.patch +arm-8958-1-rename-missed-uaccess-.fixup-section.patch +mm-slub-add-missing-tid-bump-in-kmem_cache_alloc_bulk.patch
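Review bot: on the arm-8958-1 hunk in arch/arm/lib/copy_from_user.S, the one-line rename from `.pushsection .fixup,"ax"` to `.pushsection .text.fixup,"ax"` is correct, but the commit message says this was the one case missed by the earlier rename (Fixes: c4a84ae39b4a5, which 4.14 already carries), and the diff touches only copy_from_user.S, so the 4.14 backport should be confirmed with a `grep -rn 'pushsection .fixup' arch/arm/` on the stable tree to make sure no other uaccess routine still emits a `.fixup` section that ld.lld would orphan. Worth stating in the stable changelog that ld.bfd builds are unaffected (the message notes it places the orphan next to .text); the unreachable-fixup failure mode only appears when linking with ld.lld, where, per the message, a fault inside arm_copy_from_user would no longer reach its fixup code.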
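Review bot: on the mm-slub hunk in kmem_cache_alloc_bulk(), the added `c->tid = next_tid(c->tid);` is placed inside `if (unlikely(!object))` before the existing slow-path call, which matches the commit message's "unconditionally bumping c->tid when entering the slowpath"; the bump is harmless on the first iteration (no fastpath removal has happened yet) and necessary when a previous iteration popped objects off c->freelist without committing a tid change. The correctness of this depends on context outside the hunk: `c` must still be the current per-CPU slab and IRQs must be disabled at this point in the 4.14 version of the function, since ___slab_alloc() may re-enable them via allocate_slab() and a fastpath cmpxchg that then runs on this cpu would otherwise see an unchanged tid and could commit against a freelist head this loop has already consumed. Please confirm the surrounding irq-disabled section around line 3123 matches upstream before queuing, and that `next_tid()` is the helper used by the other tid bumps in 4.14's mm/slub.c so the backport is consistent with them.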