From d9d3263539ece708a0b9fcb3949b3df5fd7bb7ff Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 10 Mar 2023 12:59:47 +0100
Subject: [PATCH] 4.14-stable patches
added patches:
bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch
s390-maccess-add-no-dat-mode-to-kernel_write.patch
s390-setup-init-jump-labels-before-command-line-parsing.patch
---
...cket-queues-in-the-destruct-callback.patch | 60 +++++++++++++++++++
...cess-add-no-dat-mode-to-kernel_write.patch | 48 +++++++++++++++
...p-labels-before-command-line-parsing.patch | 41 +++++++++++++
3 files changed, 149 insertions(+)
create mode 100644 queue-4.14/bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch
create mode 100644 queue-4.14/s390-maccess-add-no-dat-mode-to-kernel_write.patch
create mode 100644 queue-4.14/s390-setup-init-jump-labels-before-command-line-parsing.patch
diff --git a/queue-4.14/bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch b/queue-4.14/bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch
new file mode 100644
index 00000000000..21a905ccb80
--- /dev/null
+++ b/queue-4.14/bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch
@@ -0,0 +1,60 @@
+From 709fca500067524381e28a5f481882930eebac88 Mon Sep 17 00:00:00 2001
+From: Nguyen Dinh Phi
+Date: Fri, 8 Oct 2021 03:04:24 +0800
+Subject: Bluetooth: hci_sock: purge socket queues in the destruct() callback
+
+From: Nguyen Dinh Phi
+
+commit 709fca500067524381e28a5f481882930eebac88 upstream.
+
+The receive path may take the socket right before hci_sock_release(),
+but it may enqueue the packets to the socket queues after the call to
+skb_queue_purge(), therefore the socket can be destroyed without clear
+its queues completely.
+
+Moving these skb_queue_purge() to the hci_sock_destruct() will fix this
+issue, because nothing is referencing the socket at this point.
+
+Signed-off-by: Nguyen Dinh Phi
+Reported-by: syzbot+4c4ffd1e1094dae61035@syzkaller.appspotmail.com
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Fedor Pchelkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_sock.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -876,10 +876,6 @@ static int hci_sock_release(struct socke
+ }
+
+ sock_orphan(sk);
+-
+- skb_queue_purge(&sk->sk_receive_queue);
+- skb_queue_purge(&sk->sk_write_queue);
+-
+ release_sock(sk);
+ sock_put(sk);
+ return 0;
+@@ -1980,6 +1976,12 @@ done:
+ return err;
+ }
+
++static void hci_sock_destruct(struct sock *sk)
++{
++ skb_queue_purge(&sk->sk_receive_queue);
++ skb_queue_purge(&sk->sk_write_queue);
++}
++
+ static const struct proto_ops hci_sock_ops = {
+ .family = PF_BLUETOOTH,
+ .owner = THIS_MODULE,
+@@ -2030,6 +2032,7 @@ static int hci_sock_create(struct net *n
+
+ sock->state = SS_UNCONNECTED;
+ sk->sk_state = BT_OPEN;
++ sk->sk_destruct = hci_sock_destruct;
+
+ bt_sock_link(&hci_sk_list, sk);
+ return 0;
diff --git a/queue-4.14/s390-maccess-add-no-dat-mode-to-kernel_write.patch b/queue-4.14/s390-maccess-add-no-dat-mode-to-kernel_write.patch
new file mode 100644
index 00000000000..4b80daa5bb9
--- /dev/null
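Review bot: The new hci_sock_destruct() in the inner hunk at line 1976 carries no comment on why the purge moved out of hci_sock_release(), so a reader of the 4.14 tree sees only a two-line destructor and may be tempted to move the purge back; suggest `/* Purge here rather than in hci_sock_release(): the receive path can still enqueue after release's purge, but nothing references the socket once sk_destruct runs. */`. The destructor is wired only in hci_sock_create() (inner hunk at line 2032); if any other path in this tree allocates an HCI sock, those sockets would still free with populated queues, which is worth confirming during the backport. The enclosing hci_sock_release() and hci_sock_create() bodies extend outside the hunks.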
+++ b/queue-4.14/s390-maccess-add-no-dat-mode-to-kernel_write.patch
@@ -0,0 +1,48 @@
+From d6df52e9996dcc2062c3d9c9123288468bb95b52 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik
+Date: Wed, 24 Jun 2020 17:39:14 +0200
+Subject: s390/maccess: add no DAT mode to kernel_write
+
+From: Vasily Gorbik
+
+commit d6df52e9996dcc2062c3d9c9123288468bb95b52 upstream.
+
+To be able to patch kernel code before paging is initialized do plain
+memcpy if DAT is off. This is required to enable early jump label
+initialization.
+
+Reviewed-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/mm/maccess.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/arch/s390/mm/maccess.c
++++ b/arch/s390/mm/maccess.c
+@@ -58,13 +58,19 @@ static notrace long s390_kernel_write_od
+ */
+ void notrace s390_kernel_write(void *dst, const void *src, size_t size)
+ {
++ unsigned long flags;
+ long copied;
+
+- while (size) {
+- copied = s390_kernel_write_odd(dst, src, size);
+- dst += copied;
+- src += copied;
+- size -= copied;
++ flags = arch_local_save_flags();
++ if (!(flags & PSW_MASK_DAT)) {
++ memcpy(dst, src, size);
++ } else {
++ while (size) {
++ copied = s390_kernel_write_odd(dst, src, size);
++ dst += copied;
++ src += copied;
++ size -= copied;
++ }
+ }
+ }
+
diff --git a/queue-4.14/s390-setup-init-jump-labels-before-command-line-parsing.patch b/queue-4.14/s390-setup-init-jump-labels-before-command-line-parsing.patch
new file mode 100644
index 00000000000..26203032869
--- /dev/null
+++ b/queue-4.14/s390-setup-init-jump-labels-before-command-line-parsing.patch
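Review bot: The new DAT-off branch in s390_kernel_write() falls back to a plain memcpy with no in-code explanation of why the s390_kernel_write_odd() loop is skipped, so the reasoning lives only in the commit message; suggest `/* DAT off: paging is not set up yet, so write the destination directly. Expected only during early boot (early jump-label init). */` above the `if (!(flags & PSW_MASK_DAT))`. That the branch is reached only in early boot is inferred from the commit message rather than from the hunk, so it belongs in the function's doc comment, which begins above the hunk. `flags` could also be initialised at its declaration, `unsigned long flags = arch_local_save_flags();`, though the separate assignment matches the file's existing style.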
@@ -0,0 +1,41 @@
+From 95e61b1b5d6394b53d147c0fcbe2ae70fbe09446 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik
+Date: Thu, 18 Jun 2020 17:17:19 +0200
+Subject: s390/setup: init jump labels before command line parsing
+
+From: Vasily Gorbik
+
+commit 95e61b1b5d6394b53d147c0fcbe2ae70fbe09446 upstream.
+
+Command line parameters might set static keys. This is true for s390 at
+least since commit 6471384af2a6 ("mm: security: introduce init_on_alloc=1
+and init_on_free=1 boot options"). To avoid the following WARN:
+
+static_key_enable_cpuslocked(): static key 'init_on_alloc+0x0/0x40' used
+before call to jump_label_init()
+
+call jump_label_init() just before parse_early_param().
+jump_label_init() is safe to call multiple times (x86 does that), doesn't
+do any memory allocations and hence should be safe to call that early.
+
+Fixes: 6471384af2a6 ("mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options")
+Cc: # 5.3: d6df52e9996d: s390/maccess: add no DAT mode to kernel_write
+Cc: # 5.3
+Reviewed-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/kernel/setup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/s390/kernel/setup.c
++++ b/arch/s390/kernel/setup.c
+@@ -911,6 +911,7 @@ void __init setup_arch(char **cmdline_p)
+ if (IS_ENABLED(CONFIG_EXPOLINE_AUTO))
+ nospec_auto_detect();
+
++ jump_label_init();
+ parse_early_param();
+ #ifdef CONFIG_CRASH_DUMP
+ /* Deactivate elfcorehdr= kernel parameter */
--
2.47.3
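Review bot: The `jump_label_init();` inserted before `parse_early_param();` carries no comment on the ordering, so a later cleanup could move it back below the parser and silently reintroduce the WARN the commit message quotes; suggest `/* Early params (e.g. init_on_alloc=) may set static keys; jump_label_init() is idempotent, so run it first. */`. Per the Cc line, this backport depends on the s390/maccess no-DAT patch in the same series (d6df52e9996d) being queued alongside it, since the early call patches code before paging is up; that dependency is visible only in the commit message, so the stable maintainer should confirm both land together. setup_arch() continues outside the hunk.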