From: Greg Kroah-Hartman
Date: Thu, 19 Apr 2018 07:01:05 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.9.95~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f6717b19894622507f810559abcf51b7708c24e0;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
arm64-futex-mask-__user-pointers-prior-to-dereference.patch
---
diff --git a/queue-4.9/arm64-futex-mask-__user-pointers-prior-to-dereference.patch b/queue-4.9/arm64-futex-mask-__user-pointers-prior-to-dereference.patch
new file mode 100644
index 00000000000..8108fd420fc
--- /dev/null
+++ b/queue-4.9/arm64-futex-mask-__user-pointers-prior-to-dereference.patch
@@ -0,0 +1,61 @@
+From 91b2d3442f6a44dce875670d702af22737ad5eff Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Mon, 5 Feb 2018 15:34:24 +0000
+Subject: arm64: futex: Mask __user pointers prior to dereference
+
+From: Will Deacon
+
+commit 91b2d3442f6a44dce875670d702af22737ad5eff upstream.
+
+The arm64 futex code has some explicit dereferencing of user pointers
+where performing atomic operations in response to a futex command. This
+patch uses masking to limit any speculative futex operations to within
+the user address space.
+
+Signed-off-by: Will Deacon
+Signed-off-by: Catalin Marinas
+Signed-off-by: Mark Rutland [v4.9 backport]
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/include/asm/futex.h | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/include/asm/futex.h
++++ b/arch/arm64/include/asm/futex.h
+@@ -51,13 +51,14 @@
+ : "memory")
+
+ static inline int
+-futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
++futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *_uaddr)
+ {
+ int op = (encoded_op >> 28) & 7;
+ int cmp = (encoded_op >> 24) & 15;
+ int oparg = (int)(encoded_op << 8) >> 20;
+ int cmparg = (int)(encoded_op << 20) >> 20;
+ int oldval = 0, ret, tmp;
++ u32 __user *uaddr = __uaccess_mask_ptr(_uaddr);
+
+ if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
+ oparg = 1U << (oparg & 0x1f);
+@@ -109,15 +110,17 @@ futex_atomic_op_inuser(unsigned int enco
+ }
+
+ static inline int
+-futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
++futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *_uaddr,
+ u32 oldval, u32 newval)
+ {
+ int ret = 0;
+ u32 val, tmp;
++ u32 __user *uaddr;
+
+- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
++ if (!access_ok(VERIFY_WRITE, _uaddr, sizeof(u32)))
+ return -EFAULT;
+
++ uaddr = __uaccess_mask_ptr(_uaddr);
+ asm volatile("// futex_atomic_cmpxchg_inatomic\n"
+ ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN, CONFIG_ARM64_PAN)
+ " prfm pstl1strm, %2\n"
diff --git a/queue-4.9/series b/queue-4.9/series
index 894789cec6b..7c75239caa1 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -64,3 +64,4 @@ rds-mp-rds-may-use-an-invalid-c_path.patch
 slip-check-if-rstate-is-initialized-before-uncompressing.patch
 vhost-fix-vhost_vq_access_ok-log-check.patch
 lan78xx-correctly-indicate-invalid-otp.patch
+arm64-futex-mask-__user-pointers-prior-to-dereference.patch
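Review bot: The two futex.h functions order the mask and the range check differently: futex_atomic_op_inuser masks in the declaration, `u32 __user *uaddr = __uaccess_mask_ptr(_uaddr);`, while futex_atomic_cmpxchg_inatomic runs `access_ok(VERIFY_WRITE, _uaddr, sizeof(u32))` on the raw pointer and masks only afterwards. The rest of futex_atomic_op_inuser lies outside the hunk, so if this 4.9 tree still has an access_ok() call there, it now tests the masked `uaddr` rather than the caller's `_uaddr`; it is worth confirming that this is intended for the backport. A short comment above each masking line, for example `/* dereference only the masked uaddr; _uaddr is the raw caller value */`, would stop a later edit from passing `_uaddr` to the asm operands and silently dropping the speculation barrier.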