From: Sasha Levin
Date: Mon, 17 Aug 2020 02:05:29 +0000 (-0400)
Subject: Fixes for 5.8
X-Git-Tag: v4.19.140~51
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=861ef8179d24d833330bbd2e38277413633e4c21;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 5.8
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.8/crypto-aesni-add-compatibility-with-ias.patch b/queue-5.8/crypto-aesni-add-compatibility-with-ias.patch
new file mode 100644
index 00000000000..e6f0858faf9
--- /dev/null
+++ b/queue-5.8/crypto-aesni-add-compatibility-with-ias.patch
@@ -0,0 +1,78 @@
+From e5d099503c6aa0c43fa0962084d92fb15c0fd941 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Jun 2020 16:24:33 -0700
+Subject: crypto: aesni - add compatibility with IAS
+
+From: Jian Cai
+
+[ Upstream commit 44069737ac9625a0f02f0f7f5ab96aae4cd819bc ]
+
+Clang's integrated assembler complains "invalid reassignment of
+non-absolute variable 'var_ddq_add'" while assembling
+arch/x86/crypto/aes_ctrby8_avx-x86_64.S. It was because var_ddq_add was
+reassigned with non-absolute values several times, which IAS did not
+support. We can avoid the reassignment by replacing the uses of
+var_ddq_add with its definitions accordingly to have compatilibility
+with IAS.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1008
+Reported-by: Sedat Dilek
+Reported-by: Fangrui Song
+Tested-by: Sedat Dilek # build+boot Linux v5.7.5; clang v11.0.0-git
+Signed-off-by: Jian Cai
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ arch/x86/crypto/aes_ctrby8_avx-x86_64.S | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/arch/x86/crypto/aes_ctrby8_avx-x86_64.S b/arch/x86/crypto/aes_ctrby8_avx-x86_64.S
+index ec437db1fa547..494a3bda84870 100644
+--- a/arch/x86/crypto/aes_ctrby8_avx-x86_64.S
++++ b/arch/x86/crypto/aes_ctrby8_avx-x86_64.S
+@@ -127,10 +127,6 @@ ddq_add_8:
+
+ /* generate a unique variable for ddq_add_x */
+
+-.macro setddq n
+- var_ddq_add = ddq_add_\n
+-.endm
+-
+ /* generate a unique variable for xmm register */
+ .macro setxdata n
+ var_xdata = %xmm\n
+@@ -140,9 +136,7 @@ ddq_add_8:
+
+ .macro club name, id
+ .altmacro
+- .if \name == DDQ_DATA
+- setddq %\id
+- .elseif \name == XDATA
++ .if \name == XDATA
+ setxdata %\id
+ .endif
+ .noaltmacro
+@@ -165,9 +159,8 @@ ddq_add_8:
+
+ .set i, 1
+ .rept (by - 1)
+- club DDQ_DATA, i
+ club XDATA, i
+- vpaddq var_ddq_add(%rip), xcounter, var_xdata
++ vpaddq (ddq_add_1 + 16 * (i - 1))(%rip), xcounter, var_xdata
+ vptest ddq_low_msk(%rip), var_xdata
+ jnz 1f
+ vpaddq ddq_high_add_1(%rip), var_xdata, var_xdata
+@@ -180,8 +173,7 @@ ddq_add_8:
+ vmovdqa 1*16(p_keys), xkeyA
+
+ vpxor xkey0, xdata0, xdata0
+- club DDQ_DATA, by
+- vpaddq var_ddq_add(%rip), xcounter, xcounter
++ vpaddq (ddq_add_1 + 16 * (by - 1))(%rip), xcounter, xcounter
+ vptest ddq_low_msk(%rip), xcounter
+ jnz 1f
+ vpaddq ddq_high_add_1(%rip), xcounter, xcounter
+--
+2.25.1
+
diff --git a/queue-5.8/series b/queue-5.8/series
index 5a456c71bb3..a8ff78fe2f1 100644
--- a/queue-5.8/series
+++ b/queue-5.8/series
@@ -378,3 +378,5 @@ mtd-rawnand-brcmnand-don-t-default-to-edu-transfer.patch
 svcrdma-fix-page-leak-in-svc_rdma_recv_read_chunk.patch
 nfsd-avoid-a-null-dereference-in-__cld_pipe_upcall.patch
 sunrpc-fix-sunrpc-add-len-parameter-to-gss_unwrap.patch
+x86-fsgsbase-64-fix-null-deref-in-86_fsgsbase_read_t.patch
+crypto-aesni-add-compatibility-with-ias.patch
diff --git a/queue-5.8/x86-fsgsbase-64-fix-null-deref-in-86_fsgsbase_read_t.patch b/queue-5.8/x86-fsgsbase-64-fix-null-deref-in-86_fsgsbase_read_t.patch
new file mode 100644
index 00000000000..62d6bcdfcd7
--- /dev/null
+++ b/queue-5.8/x86-fsgsbase-64-fix-null-deref-in-86_fsgsbase_read_t.patch
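Review bot: The rewritten `++ vpaddq (ddq_add_1 + 16 * (i - 1))(%rip), xcounter, var_xdata` in the `@@ -165` hunk, and the `(by - 1)` form in the `@@ -180` hunk, now depend on `ddq_add_1` through `ddq_add_8` being laid out consecutively 16 bytes apart, an assumption the removed `setddq` macro never made because it named each symbol directly. The table definitions are outside these hunks (only the `ddq_add_8:` label shows in the hunk context), so nothing in the patch pins that layout, and a later reorder or alignment change would silently select the wrong counter increment instead of failing to assemble. I would add a comment at the table definition such as `/* ddq_add_1..ddq_add_8 must stay contiguous, 16 bytes apart: the by-N loop addresses them as ddq_add_1 + 16 * (i - 1) */`, and presumably check that each entry is 16-byte aligned with no padding between them. The `club` macro and the `.rept` loop both begin and end outside the hunks shown.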
@@ -0,0 +1,75 @@
+From 910636bba33431e2f4113a6ebd4bc3c138486c05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Aug 2020 11:16:17 -0700
+Subject: x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task
+
+From: Eric Dumazet
+
+[ Upstream commit 8ab49526b53d3172d1d8dd03a75c7d1f5bd21239 ]
+
+syzbot found its way in 86_fsgsbase_read_task() and triggered this oops:
+
+ KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+ CPU: 0 PID: 6866 Comm: syz-executor262 Not tainted 5.8.0-syzkaller #0
+ RIP: 0010:x86_fsgsbase_read_task+0x16d/0x310 arch/x86/kernel/process_64.c:393
+ Call Trace:
+ putreg32+0x3ab/0x530 arch/x86/kernel/ptrace.c:876
+ genregs32_set arch/x86/kernel/ptrace.c:1026 [inline]
+ genregs32_set+0xa4/0x100 arch/x86/kernel/ptrace.c:1006
+ copy_regset_from_user include/linux/regset.h:326 [inline]
+ ia32_arch_ptrace arch/x86/kernel/ptrace.c:1061 [inline]
+ compat_arch_ptrace+0x36c/0xd90 arch/x86/kernel/ptrace.c:1198
+ __do_compat_sys_ptrace kernel/ptrace.c:1420 [inline]
+ __se_compat_sys_ptrace kernel/ptrace.c:1389 [inline]
+ __ia32_compat_sys_ptrace+0x220/0x2f0 kernel/ptrace.c:1389
+ do_syscall_32_irqs_on arch/x86/entry/common.c:84 [inline]
+ __do_fast_syscall_32+0x57/0x80 arch/x86/entry/common.c:126
+ do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:149
+ entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
+
+This can happen if ptrace() or sigreturn() pokes an LDT selector into FS
+or GS for a task with no LDT and something tries to read the base before
+a return to usermode notices the bad selector and fixes it.
+
+The fix is to make sure ldt pointer is not NULL.
+
+Fixes: 07e1d88adaae ("x86/fsgsbase/64: Fix ptrace() to read the FS/GS base accurately")
+Co-developed-by: Jann Horn
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Acked-by: Andy Lutomirski
+Cc: Chang S. Bae
+Cc: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: Brian Gerst
+Cc: Dave Hansen
+Cc: Denys Vlasenko
+Cc: H. Peter Anvin
+Cc: Markus T Metzger
+Cc: Peter Zijlstra
+Cc: Ravi Shankar
+Cc: Rik van Riel
+Cc: Thomas Gleixner
+Cc: Ingo Molnar
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/process_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
+index 9a97415b21394..3ebc70bd01e83 100644
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -314,7 +314,7 @@ static unsigned long x86_fsgsbase_read_task(struct task_struct *task,
+ */
+ mutex_lock(&task->mm->context.lock);
+ ldt = task->mm->context.ldt;
+- if (unlikely(idx >= ldt->nr_entries))
++ if (unlikely(!ldt || idx >= ldt->nr_entries))
+ base = 0;
+ else
+ base = get_desc_base(ldt->entries + idx);
+--
+2.25.1
+
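Review bot: The new `if (unlikely(!ldt || idx >= ldt->nr_entries))` leaves no trace in the code of why a NULL LDT can be observed here; that reasoning lives only in the commit message, and the next reader of `x86_fsgsbase_read_task()` will see an apparently impossible case. I would put it on the line above the check: `/* ldt may be NULL: ptrace() or sigreturn() can install an LDT selector in a task that has no LDT */`. The check is sound only because `ldt` is loaded from `task->mm->context.ldt` under `task->mm->context.lock` on the two context lines above, so any future refactor that moves the read outside the locked region would reopen the race. The unchanged `mutex_lock(&task->mm->context.lock)` still assumes `task->mm` is non-NULL, which presumably holds for the ptrace callers in the oops but is not established in this hunk; `x86_fsgsbase_read_task()` begins and ends outside it.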