4.19-stable patches

added patches:
	arm64-avoid-premature-usercopy-failure.patch
	powerpc-bpf-fix-bpf_mod-when-imm-1.patch

diff --git a/queue-4.19/arm64-avoid-premature-usercopy-failure.patch b/queue-4.19/arm64-avoid-premature-usercopy-failure.patch
new file mode 100644 (file)
index 0000000..108afad
--- /dev/null
+++ b/queue-4.19/arm64-avoid-premature-usercopy-failure.patch
@@ -0,0 +1,203 @@
+From 295cf156231ca3f9e3a66bde7fab5e09c41835e0 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Mon, 12 Jul 2021 15:27:46 +0100
+Subject: arm64: Avoid premature usercopy failure
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 295cf156231ca3f9e3a66bde7fab5e09c41835e0 upstream.
+
+Al reminds us that the usercopy API must only return complete failure
+if absolutely nothing could be copied. Currently, if userspace does
+something silly like giving us an unaligned pointer to Device memory,
+or a size which overruns MTE tag bounds, we may fail to honour that
+requirement when faulting on a multi-byte access even though a smaller
+access could have succeeded.
+
+Add a mitigation to the fixup routines to fall back to a single-byte
+copy if we faulted on a larger access before anything has been written
+to the destination, to guarantee making *some* forward progress. We
+needn't be too concerned about the overall performance since this should
+only occur when callers are doing something a bit dodgy in the first
+place. Particularly broken userspace might still be able to trick
+generic_perform_write() into an infinite loop by targeting write() at
+an mmap() of some read-only device register where the fault-in load
+succeeds but any store synchronously aborts such that copy_to_user() is
+genuinely unable to make progress, but, well, don't do that...
+
+CC: stable@vger.kernel.org
+Reported-by: Chen Huang <chenhuang5@huawei.com>
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/dc03d5c675731a1f24a62417dba5429ad744234e.1626098433.git.robin.murphy@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Chen Huang <chenhuang5@huawei.com>
+---
+ arch/arm64/lib/copy_from_user.S |   13 ++++++++++---
+ arch/arm64/lib/copy_in_user.S   |   20 ++++++++++++++------
+ arch/arm64/lib/copy_to_user.S   |   14 +++++++++++---
+ 3 files changed, 35 insertions(+), 12 deletions(-)
+
+--- a/arch/arm64/lib/copy_from_user.S
++++ b/arch/arm64/lib/copy_from_user.S
+@@ -39,7 +39,7 @@
+       .endm
+ 
+       .macro ldrh1 ptr, regB, val
+-      uao_user_alternative 9998f, ldrh, ldtrh, \ptr, \regB, \val
++      uao_user_alternative 9997f, ldrh, ldtrh, \ptr, \regB, \val
+       .endm
+ 
+       .macro strh1 ptr, regB, val
+@@ -47,7 +47,7 @@
+       .endm
+ 
+       .macro ldr1 ptr, regB, val
+-      uao_user_alternative 9998f, ldr, ldtr, \ptr, \regB, \val
++      uao_user_alternative 9997f, ldr, ldtr, \ptr, \regB, \val
+       .endm
+ 
+       .macro str1 ptr, regB, val
+@@ -55,7 +55,7 @@
+       .endm
+ 
+       .macro ldp1 ptr, regB, regC, val
+-      uao_ldp 9998f, \ptr, \regB, \regC, \val
++      uao_ldp 9997f, \ptr, \regB, \regC, \val
+       .endm
+ 
+       .macro stp1 ptr, regB, regC, val
+@@ -63,9 +63,11 @@
+       .endm
+ 
+ end   .req    x5
++srcin .req    x15
+ ENTRY(__arch_copy_from_user)
+       uaccess_enable_not_uao x3, x4, x5
+       add     end, x0, x2
++      mov     srcin, x1
+ #include "copy_template.S"
+       uaccess_disable_not_uao x3, x4
+       mov     x0, #0                          // Nothing to copy
+@@ -74,6 +76,11 @@ ENDPROC(__arch_copy_from_user)
+ 
+       .section .fixup,"ax"
+       .align  2
++9997: cmp     dst, dstin
++      b.ne    9998f
++      // Before being absolutely sure we couldn't copy anything, try harder
++USER(9998f, ldtrb tmp1w, [srcin])
++      strb    tmp1w, [dst], #1
+ 9998: sub     x0, end, dst                    // bytes not copied
+       uaccess_disable_not_uao x3, x4
+       ret
+--- a/arch/arm64/lib/copy_in_user.S
++++ b/arch/arm64/lib/copy_in_user.S
+@@ -40,34 +40,36 @@
+       .endm
+ 
+       .macro ldrh1 ptr, regB, val
+-      uao_user_alternative 9998f, ldrh, ldtrh, \ptr, \regB, \val
++      uao_user_alternative 9997f, ldrh, ldtrh, \ptr, \regB, \val
+       .endm
+ 
+       .macro strh1 ptr, regB, val
+-      uao_user_alternative 9998f, strh, sttrh, \ptr, \regB, \val
++      uao_user_alternative 9997f, strh, sttrh, \ptr, \regB, \val
+       .endm
+ 
+       .macro ldr1 ptr, regB, val
+-      uao_user_alternative 9998f, ldr, ldtr, \ptr, \regB, \val
++      uao_user_alternative 9997f, ldr, ldtr, \ptr, \regB, \val
+       .endm
+ 
+       .macro str1 ptr, regB, val
+-      uao_user_alternative 9998f, str, sttr, \ptr, \regB, \val
++      uao_user_alternative 9997f, str, sttr, \ptr, \regB, \val
+       .endm
+ 
+       .macro ldp1 ptr, regB, regC, val
+-      uao_ldp 9998f, \ptr, \regB, \regC, \val
++      uao_ldp 9997f, \ptr, \regB, \regC, \val
+       .endm
+ 
+       .macro stp1 ptr, regB, regC, val
+-      uao_stp 9998f, \ptr, \regB, \regC, \val
++      uao_stp 9997f, \ptr, \regB, \regC, \val
+       .endm
+ 
+ end   .req    x5
++srcin .req    x15
+ 
+ ENTRY(__arch_copy_in_user)
+       uaccess_enable_not_uao x3, x4, x5
+       add     end, x0, x2
++      mov     srcin, x1
+ #include "copy_template.S"
+       uaccess_disable_not_uao x3, x4
+       mov     x0, #0
+@@ -76,6 +78,12 @@ ENDPROC(__arch_copy_in_user)
+ 
+       .section .fixup,"ax"
+       .align  2
++9997: cmp     dst, dstin
++      b.ne    9998f
++      // Before being absolutely sure we couldn't copy anything, try harder
++USER(9998f, ldtrb tmp1w, [srcin])
++USER(9998f, sttrb tmp1w, [dst])
++      add     dst, dst, #1
+ 9998: sub     x0, end, dst                    // bytes not copied
+       uaccess_disable_not_uao x3, x4
+       ret
+--- a/arch/arm64/lib/copy_to_user.S
++++ b/arch/arm64/lib/copy_to_user.S
+@@ -42,7 +42,7 @@
+       .endm
+ 
+       .macro strh1 ptr, regB, val
+-      uao_user_alternative 9998f, strh, sttrh, \ptr, \regB, \val
++      uao_user_alternative 9997f, strh, sttrh, \ptr, \regB, \val
+       .endm
+ 
+       .macro ldr1 ptr, regB, val
+@@ -50,7 +50,7 @@
+       .endm
+ 
+       .macro str1 ptr, regB, val
+-      uao_user_alternative 9998f, str, sttr, \ptr, \regB, \val
++      uao_user_alternative 9997f, str, sttr, \ptr, \regB, \val
+       .endm
+ 
+       .macro ldp1 ptr, regB, regC, val
+@@ -58,13 +58,15 @@
+       .endm
+ 
+       .macro stp1 ptr, regB, regC, val
+-      uao_stp 9998f, \ptr, \regB, \regC, \val
++      uao_stp 9997f, \ptr, \regB, \regC, \val
+       .endm
+ 
+ end   .req    x5
++srcin .req    x15
+ ENTRY(__arch_copy_to_user)
+       uaccess_enable_not_uao x3, x4, x5
+       add     end, x0, x2
++      mov     srcin, x1
+ #include "copy_template.S"
+       uaccess_disable_not_uao x3, x4
+       mov     x0, #0
+@@ -73,6 +75,12 @@ ENDPROC(__arch_copy_to_user)
+ 
+       .section .fixup,"ax"
+       .align  2
++9997: cmp     dst, dstin
++      b.ne    9998f
++      // Before being absolutely sure we couldn't copy anything, try harder
++      ldrb    tmp1w, [srcin]
++USER(9998f, sttrb tmp1w, [dst])
++      add     dst, dst, #1
+ 9998: sub     x0, end, dst                    // bytes not copied
+       uaccess_disable_not_uao x3, x4
+       ret

diff --git a/queue-4.19/powerpc-bpf-fix-bpf_mod-when-imm-1.patch b/queue-4.19/powerpc-bpf-fix-bpf_mod-when-imm-1.patch
new file mode 100644 (file)
index 0000000..907077b
--- /dev/null
+++ b/queue-4.19/powerpc-bpf-fix-bpf_mod-when-imm-1.patch
@@ -0,0 +1,45 @@
+From 8bbc9d822421d9ac8ff9ed26a3713c9afc69d6c8 Mon Sep 17 00:00:00 2001
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Wed, 6 Oct 2021 01:55:22 +0530
+Subject: powerpc/bpf: Fix BPF_MOD when imm == 1
+
+From: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+
+commit 8bbc9d822421d9ac8ff9ed26a3713c9afc69d6c8 upstream.
+
+Only ignore the operation if dividing by 1.
+
+Fixes: 156d0e290e969c ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Tested-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Acked-by: Song Liu <songliubraving@fb.com>
+Acked-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/c674ca18c3046885602caebb326213731c675d06.1633464148.git.naveen.n.rao@linux.vnet.ibm.com
+[cascardo: use PPC_LI instead of EMIT(PPC_RAW_LI)]
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/net/bpf_jit_comp64.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/net/bpf_jit_comp64.c
++++ b/arch/powerpc/net/bpf_jit_comp64.c
+@@ -385,8 +385,14 @@ static int bpf_jit_build_body(struct bpf
+               case BPF_ALU64 | BPF_DIV | BPF_K: /* dst /= imm */
+                       if (imm == 0)
+                               return -EINVAL;
+-                      else if (imm == 1)
+-                              goto bpf_alu32_trunc;
++                      if (imm == 1) {
++                              if (BPF_OP(code) == BPF_DIV) {
++                                      goto bpf_alu32_trunc;
++                              } else {
++                                      PPC_LI(dst_reg, 0);
++                                      break;
++                              }
++                      }
+ 
+                       PPC_LI32(b2p[TMP_REG_1], imm);
+                       switch (BPF_CLASS(code)) {

diff --git a/queue-4.19/series b/queue-4.19/series
index 8929742951c057fbccb752900bbf3938b64e0cbe..dc1ee6572453655a311f5547d598e2b255399bc7 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -2,3 +2,5 @@ arm-9133-1-mm-proc-macros-ensure-_tlb_fns-are-4b-aligned.patch
 arm-9134-1-remove-duplicate-memcpy-definition.patch
 arm-9139-1-kprobes-fix-arch_init_kprobes-prototype.patch
 arm-9141-1-only-warn-about-xip-address-when-not-compile-testing.patch
+powerpc-bpf-fix-bpf_mod-when-imm-1.patch
+arm64-avoid-premature-usercopy-failure.patch