From: Greg Kroah-Hartman Date: Thu, 30 Aug 2018 13:38:53 +0000 (-0700) Subject: 4.9-stable patches X-Git-Tag: v3.18.121~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f38751b2cf7a8dce713467f5ed301c73d4c53bbf;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: bpf-arm32-fix-stack-var-offset-in-jit.patch --- diff --git a/queue-4.9/bpf-arm32-fix-stack-var-offset-in-jit.patch b/queue-4.9/bpf-arm32-fix-stack-var-offset-in-jit.patch new file mode 100644 index 00000000000..637c80963fd --- /dev/null +++ b/queue-4.9/bpf-arm32-fix-stack-var-offset-in-jit.patch 
@@ -0,0 +1,51 @@ +From daniel@iogearbox.net Thu Aug 30 05:13:02 2018 +From: Daniel Borkmann +Date: Sat, 18 Aug 2018 00:21:34 +0200 +Subject: bpf, arm32: fix stack var offset in jit +To: gregkh@linuxfoundation.org +Cc: stable@vger.kernel.org, pbrobinson@gmail.com, mh+netdev@zugschlus.de, stefan.wahren@i2se.com, rmk+kernel@armlinux.org.uk, ast@kernel.org, daniel@iogearbox.net +Message-ID: <2006e3ef8d4e30f2c901a39423655df9acaf1ce2.1534544005.git.daniel@iogearbox.net> + +From: Daniel Borkmann + +Commit 38ca93060163 ("bpf, arm32: save 4 bytes of unneeded stack +space") messed up STACK_VAR() by 4 bytes presuming it was related +to skb scratch buffer space, but it clearly isn't as this refers +to the top word in stack, therefore restore it. This fixes a NULL +pointer dereference seen during bootup when JIT is enabled and BPF +program run in sk_filter_trim_cap() triggered by systemd-udevd. + +JIT rework in 1c35ba122d4a ("ARM: net: bpf: use negative numbers +for stacked registers") and 96cced4e774a ("ARM: net: bpf: access +eBPF scratch space using ARM FP register") removed the affected +parts, so only needed in 4.18 stable. + +Fixes: 38ca93060163 ("bpf, arm32: save 4 bytes of unneeded stack space") +Reported-by: Peter Robinson +Reported-by: Marc Haber +Tested-by: Stefan Wahren +Tested-by: Peter Robinson +Cc: Russell King +Cc: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +--- + arch/arm/net/bpf_jit_32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c +index f6a62ae..c864f6b 100644 +--- a/arch/arm/net/bpf_jit_32.c ++++ b/arch/arm/net/bpf_jit_32.c +@@ -238,7 +238,7 @@ static void jit_fill_hole(void *area, unsigned int size) + #define STACK_SIZE ALIGN(_STACK_SIZE, STACK_ALIGNMENT) + + /* Get the offset of eBPF REGISTERs stored on scratch space. 
*/ +-#define STACK_VAR(off) (STACK_SIZE - off) ++#define STACK_VAR(off) (STACK_SIZE - off - 4) + + #if __LINUX_ARM_ARCH__ < 7 + +-- +2.9.5 + diff --git a/queue-4.9/series b/queue-4.9/series index e058f2180dd..7f14ed79843 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -56,3 +56,4 @@ smb3-do-not-send-smb3-set_info-if-nothing-changed.patch smb3-don-t-request-leases-in-symlink-creation-and-query.patch smb3-fill-in-statfs-fsid-and-correct-namelen.patch btrfs-don-t-leak-ret-from-do_chunk_alloc.patch +bpf-arm32-fix-stack-var-offset-in-jit.patch
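Review bot: the inner commit message states that the JIT rework in 1c35ba122d4a and 96cced4e774a removed the affected parts, "so only needed in 4.18 stable", yet this hunk queues the fix for 4.9, so before it lands in queue-4.9 please confirm that 38ca93060163 ("bpf, arm32: save 4 bytes of unneeded stack space"), the commit named in the Fixes: tag, really was backported to 4.9; on a tree that never took that commit, changing `#define STACK_VAR(off) (STACK_SIZE - off)` to `#define STACK_VAR(off) (STACK_SIZE - off - 4)` would shift every scratch-space register slot by one word and produce the same kind of stack corruption and NULL dereference the patch is meant to cure. The `index f6a62ae..c864f6b` line refers to upstream blobs rather than 4.9 ones, so the patch applies on context alone; a quick build and boot on a 4.9 ARM32 tree with the JIT enabled (the reporters' systemd-udevd sk_filter_trim_cap() path is the trigger described) is the check that matters here. Separately, the comment still reads "Get the offset of eBPF REGISTERs stored on scratch space." while the message explains the extra word is the top of the stack and not skb scratch space; that is an upstream wording issue, not something to touch in the backport.

Review bot: the series hunk appends bpf-arm32-fix-stack-var-offset-in-jit.patch after btrfs-don-t-leak-ret-from-do_chunk_alloc.patch, and the entry matches the new file name under queue-4.9/ exactly, so the queue will pick it up; since the patch touches only arch/arm/net/bpf_jit_32.c it has no overlap with the preceding smb3 and btrfs entries, so placing it last in apply order is fine.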