From: Greg Kroah-Hartman
Date: Sun, 3 Mar 2019 08:18:05 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v4.9.162~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=60990c266f116dd420e8b58933def644c6ed4c5c;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	mips-ebpf-fix-icache-flush-end-address.patch
---

diff --git a/queue-4.14/mips-ebpf-fix-icache-flush-end-address.patch b/queue-4.14/mips-ebpf-fix-icache-flush-end-address.patch
new file mode 100644
index 00000000000..00a8e845b15
--- /dev/null
+++ b/queue-4.14/mips-ebpf-fix-icache-flush-end-address.patch
@@ -0,0 +1,55 @@ +From d1a2930d8a992fb6ac2529449f81a0056e1b98d1 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Fri, 1 Mar 2019 22:58:09 +0000 +Subject: MIPS: eBPF: Fix icache flush end address + +From: Paul Burton + +commit d1a2930d8a992fb6ac2529449f81a0056e1b98d1 upstream. + +The MIPS eBPF JIT calls flush_icache_range() in order to ensure the +icache observes the code that we just wrote. Unfortunately it gets the +end address calculation wrong due to some bad pointer arithmetic. + +The struct jit_ctx target field is of type pointer to u32, and as such +adding one to it will increment the address being pointed to by 4 bytes. +Therefore in order to find the address of the end of the code we simply +need to add the number of 4 byte instructions emitted, but we mistakenly +add the number of instructions multiplied by 4. This results in the call +to flush_icache_range() operating on a memory region 4x larger than +intended, which is always wasteful and can cause crashes if we overrun +into an unmapped page. + +Fix this by correcting the pointer arithmetic to remove the bogus +multiplication, and use braces to remove the need for a set of brackets +whilst also making it obvious that the target field is a pointer. 
+ +Signed-off-by: Paul Burton +Fixes: b6bd53f9c4e8 ("MIPS: Add missing file for eBPF JIT.") +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Martin KaFai Lau +Cc: Song Liu +Cc: Yonghong Song +Cc: netdev@vger.kernel.org +Cc: bpf@vger.kernel.org +Cc: linux-mips@vger.kernel.org +Cc: stable@vger.kernel.org # v4.13+ +Signed-off-by: Daniel Borkmann +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/net/ebpf_jit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/net/ebpf_jit.c ++++ b/arch/mips/net/ebpf_jit.c +@@ -1971,7 +1971,7 @@ struct bpf_prog *bpf_int_jit_compile(str + + /* Update the icache */ + flush_icache_range((unsigned long)ctx.target, +- (unsigned long)(ctx.target + ctx.idx * sizeof(u32))); ++ (unsigned long)&ctx.target[ctx.idx]); + + if (bpf_jit_enable > 1) + /* Dump JIT code */ diff --git a/queue-4.14/series b/queue-4.14/series index 9cf1d311499..1bd854abc85 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -48,3 +48,4 @@ mmc-tmio-fix-access-width-of-block-count-register.patch mmc-sdhci-esdhc-imx-correct-the-fix-of-err004536.patch mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch mips-fix-truncation-in-__cmpxchg_small-for-short-values.patch +mips-ebpf-fix-icache-flush-end-address.patch
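Review bot: In the bpf_int_jit_compile() hunk of the queued patch, the new end address `&ctx.target[ctx.idx]` is only correct because ctx.target is a pointer to u32 and ctx.idx counts instructions, yet the comment at the call site is still just `/* Update the icache */`, so the unit assumption behind the original 4x overrun is not recorded where the next editor will see it. Suggest extending that comment to state that the flushed range is ctx.idx 4-byte instructions starting at ctx.target. It would also be worth checking any other expression in arch/mips/net/ebpf_jit.c that combines ctx.idx with sizeof(u32), to confirm the multiplication is applied to a byte count and never to the u32 pointer itself, since the commit message notes the oversized range can run into an unmapped page and crash.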