4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 3 Mar 2019 08:18:25 +0000 (09:18 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 3 Mar 2019 08:18:25 +0000 (09:18 +0100)
added patches:
mips-ebpf-fix-icache-flush-end-address.patch

queue-4.19/mips-ebpf-fix-icache-flush-end-address.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/mips-ebpf-fix-icache-flush-end-address.patch b/queue-4.19/mips-ebpf-fix-icache-flush-end-address.patch
new file mode 100644 (file)
index 0000000..c504e1c
--- /dev/null
@@ -0,0 +1,55 @@
+From d1a2930d8a992fb6ac2529449f81a0056e1b98d1 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Fri, 1 Mar 2019 22:58:09 +0000
+Subject: MIPS: eBPF: Fix icache flush end address
+
+From: Paul Burton <paul.burton@mips.com>
+
+commit d1a2930d8a992fb6ac2529449f81a0056e1b98d1 upstream.
+
+The MIPS eBPF JIT calls flush_icache_range() in order to ensure the
+icache observes the code that we just wrote. Unfortunately it gets the
+end address calculation wrong due to some bad pointer arithmetic.
+
+The struct jit_ctx target field is of type pointer to u32, and as such
+adding one to it will increment the address being pointed to by 4 bytes.
+Therefore in order to find the address of the end of the code we simply
+need to add the number of 4 byte instructions emitted, but we mistakenly
+add the number of instructions multiplied by 4. This results in the call
+to flush_icache_range() operating on a memory region 4x larger than
+intended, which is always wasteful and can cause crashes if we overrun
+into an unmapped page.
+
+Fix this by correcting the pointer arithmetic to remove the bogus
+multiplication, and use braces to remove the need for a set of brackets
+whilst also making it obvious that the target field is a pointer.
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: b6bd53f9c4e8 ("MIPS: Add missing file for eBPF JIT.")
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Yonghong Song <yhs@fb.com>
+Cc: netdev@vger.kernel.org
+Cc: bpf@vger.kernel.org
+Cc: linux-mips@vger.kernel.org
+Cc: stable@vger.kernel.org # v4.13+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/net/ebpf_jit.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/net/ebpf_jit.c
++++ b/arch/mips/net/ebpf_jit.c
+@@ -1818,7 +1818,7 @@ struct bpf_prog *bpf_int_jit_compile(str
+       /* Update the icache */
+       flush_icache_range((unsigned long)ctx.target,
+-                         (unsigned long)(ctx.target + ctx.idx * sizeof(u32)));
++                         (unsigned long)&ctx.target[ctx.idx]);
+       if (bpf_jit_enable > 1)
+               /* Dump JIT code */
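Review bot: The `/* Update the icache */` comment above the corrected flush_icache_range() call does not record the unit mix-up that caused the original bug. Per the commit message, `ctx.target` is a `u32 *` and `ctx.idx` counts instructions, so the end address is an element index, not a byte offset. I would expand the comment to `/* Update the icache; ctx.idx counts u32 instructions, so &ctx.target[ctx.idx] is the end of the emitted code */` so that a later edit does not reintroduce byte scaling. Since the description says the over-long range can crash when it runs into an unmapped page, this is an availability fix for MIPS systems using the eBPF JIT; the `# v4.13+` trailer suggests other stable trees in that range need the same backport, which this queue-4.19-only commit does not show. bpf_int_jit_compile() starts and ends outside the hunk.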
index f9a9a7eb1b8096201d381e1be1e972657294cd37..2529e13aba1a2d335261747e785759b21d585178 100644 (file)
@@ -74,3 +74,4 @@ drm-block-fb-changes-for-async-plane-updates.patch
 hugetlbfs-fix-races-and-page-leaks-during-migration.patch
 mips-fix-truncation-in-__cmpxchg_small-for-short-values.patch
 mips-bcm63xx-provide-dma-masks-for-ethernet-devices.patch
+mips-ebpf-fix-icache-flush-end-address.patch