From 19006356e71032f16bf5662751ee21f212653c74 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Thu, 25 Jul 2019 00:19:11 -0400
Subject: [PATCH] fixes for 4.14

Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 ...r.h-add-read_word_at_a_time-function.patch | 51 +++++++++++++++++
 ...-avoid-duplicating-__read_once_size_.patch | 55 +++++++++++++++++++
 ...-up-kasan-false-positives-in-strscpy.patch | 47 ++++++++++++++++
 queue-4.14/series                             |  3 +
 4 files changed, 156 insertions(+)
 create mode 100644 queue-4.14/compiler.h-add-read_word_at_a_time-function.patch
 create mode 100644 queue-4.14/compiler.h-kasan-avoid-duplicating-__read_once_size_.patch
 create mode 100644 queue-4.14/lib-strscpy-shut-up-kasan-false-positives-in-strscpy.patch

diff --git a/queue-4.14/compiler.h-add-read_word_at_a_time-function.patch b/queue-4.14/compiler.h-add-read_word_at_a_time-function.patch
new file mode 100644
index 00000000000..3ba261bf1bd
--- /dev/null
+++ b/queue-4.14/compiler.h-add-read_word_at_a_time-function.patch
@@ -0,0 +1,51 @@
+From cbacea6e6ec4db7ba8567077ee52a5532780425d Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Thu, 1 Feb 2018 21:00:49 +0300
+Subject: compiler.h: Add read_word_at_a_time() function.
+
+[ Upstream commit 7f1e541fc8d57a143dd5df1d0a1276046e08c083 ]
+
+Sometimes we know that it's safe to do potentially out-of-bounds access
+because we know it won't cross a page boundary.  Still, KASAN will
+report this as a bug.
+
+Add read_word_at_a_time() function which is supposed to be used in such
+cases.  In read_word_at_a_time() KASAN performs relaxed check - only the
+first byte of access is validated.
+
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/compiler.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/include/linux/compiler.h b/include/linux/compiler.h
+index f490d8d93ec3..f84d332085c3 100644
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -238,6 +238,7 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
+  * required ordering.
+  */
+ #include <asm/barrier.h>
++#include <linux/kasan-checks.h>
+ 
+ #define __READ_ONCE(x, check)						\
+ ({									\
+@@ -257,6 +258,13 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
+  */
+ #define READ_ONCE_NOCHECK(x) __READ_ONCE(x, 0)
+ 
++static __no_kasan_or_inline
++unsigned long read_word_at_a_time(const void *addr)
++{
++	kasan_check_read(addr, 1);
++	return *(unsigned long *)addr;
++}
++
+ #define WRITE_ONCE(x, val) \
+ ({							\
+ 	union { typeof(x) __val; char __c[1]; } __u =	\
+-- 
+2.20.1
+
diff --git a/queue-4.14/compiler.h-kasan-avoid-duplicating-__read_once_size_.patch b/queue-4.14/compiler.h-kasan-avoid-duplicating-__read_once_size_.patch
new file mode 100644
index 00000000000..890d779ab72
--- /dev/null
+++ b/queue-4.14/compiler.h-kasan-avoid-duplicating-__read_once_size_.patch
@@ -0,0 +1,55 @@
+From 70f2f9bd8a7c3591180bc4d37e27a629fc142dc6 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Thu, 1 Feb 2018 21:00:48 +0300
+Subject: compiler.h, kasan: Avoid duplicating __read_once_size_nocheck()
+
+[ Upstream commit bdb5ac801af3d81d36732c2f640d6a1d3df83826 ]
+
+Instead of having two identical __read_once_size_nocheck() functions
+with different attributes, consolidate all the difference in new macro
+__no_kasan_or_inline and use it. No functional changes.
+
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/compiler.h | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/compiler.h b/include/linux/compiler.h
+index a704d032713b..f490d8d93ec3 100644
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -185,23 +185,21 @@ void __read_once_size(const volatile void *p, void *res, int size)
+ 
+ #ifdef CONFIG_KASAN
+ /*
+- * This function is not 'inline' because __no_sanitize_address confilcts
++ * We can't declare function 'inline' because __no_sanitize_address confilcts
+  * with inlining. Attempt to inline it may cause a build failure.
+  * 	https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67368
+  * '__maybe_unused' allows us to avoid defined-but-not-used warnings.
+  */
+-static __no_sanitize_address __maybe_unused
+-void __read_once_size_nocheck(const volatile void *p, void *res, int size)
+-{
+-	__READ_ONCE_SIZE;
+-}
++# define __no_kasan_or_inline __no_sanitize_address __maybe_unused
+ #else
+-static __always_inline
++# define __no_kasan_or_inline __always_inline
++#endif
++
++static __no_kasan_or_inline
+ void __read_once_size_nocheck(const volatile void *p, void *res, int size)
+ {
+ 	__READ_ONCE_SIZE;
+ }
+-#endif
+ 
+ static __always_inline void __write_once_size(volatile void *p, void *res, int size)
+ {
+-- 
+2.20.1
+
diff --git a/queue-4.14/lib-strscpy-shut-up-kasan-false-positives-in-strscpy.patch b/queue-4.14/lib-strscpy-shut-up-kasan-false-positives-in-strscpy.patch
new file mode 100644
index 00000000000..7dd5d42fa92
--- /dev/null
+++ b/queue-4.14/lib-strscpy-shut-up-kasan-false-positives-in-strscpy.patch
@@ -0,0 +1,47 @@
+From e2c336969a279c72c0a653a203c06ec42d884d7f Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Thu, 1 Feb 2018 21:00:50 +0300
+Subject: lib/strscpy: Shut up KASAN false-positives in strscpy()
+
+[ Upstream commit 1a3241ff10d038ecd096d03380327f2a0b5840a6 ]
+
+strscpy() performs the word-at-a-time optimistic reads.  So it may may
+access the memory past the end of the object, which is perfectly fine
+since strscpy() doesn't use that (past-the-end) data and makes sure the
+optimistic read won't cross a page boundary.
+
+Use new read_word_at_a_time() to shut up the KASAN.
+
+Note that this potentially could hide some bugs.  In example bellow,
+stscpy() will copy more than we should (1-3 extra uninitialized bytes):
+
+        char dst[8];
+        char *src;
+
+        src = kmalloc(5, GFP_KERNEL);
+        memset(src, 0xff, 5);
+        strscpy(dst, src, 8);
+
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/string.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/string.c b/lib/string.c
+index 1530643edf00..33befc6ba3fa 100644
+--- a/lib/string.c
++++ b/lib/string.c
+@@ -203,7 +203,7 @@ ssize_t strscpy(char *dest, const char *src, size_t count)
+ 	while (max >= sizeof(unsigned long)) {
+ 		unsigned long c, data;
+ 
+-		c = *(unsigned long *)(src+res);
++		c = read_word_at_a_time(src+res);
+ 		if (has_zero(c, &data, &constants)) {
+ 			data = prep_zero_mask(c, data, &constants);
+ 			data = create_zero_mask(data);
+-- 
+2.20.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 9673d8584ab..d9bdb839fec 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -176,3 +176,6 @@ usb-handle-usb3-remote-wakeup-for-lpm-enabled-devices-correctly.patch
 net-mvmdio-allow-up-to-four-clocks-to-be-specified-for-orion-mdio.patch
 dt-bindings-allow-up-to-four-clocks-for-orion-mdio.patch
 dm-bufio-fix-deadlock-with-loop-device.patch
+compiler.h-kasan-avoid-duplicating-__read_once_size_.patch
+compiler.h-add-read_word_at_a_time-function.patch
+lib-strscpy-shut-up-kasan-false-positives-in-strscpy.patch
-- 
2.47.3