From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 13 May 2022 09:05:29 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.9.314~12
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7a75a5a2b4a411caaac226c1d0127e911ac1920f;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.patch
---

diff --git a/queue-4.9/mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.patch b/queue-4.9/mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.patch
new file mode 100644
index 00000000000..a19e22281c5
--- /dev/null
+++ b/queue-4.9/mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.patch
@@ -0,0 +1,55 @@
+From 7c25a0b89a487878b0691e6524fb5a8827322194 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Tue, 22 Mar 2022 14:42:08 -0700
+Subject: mm: userfaultfd: fix missing cache flush in mcopy_atomic_pte() and __mcopy_atomic()
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit 7c25a0b89a487878b0691e6524fb5a8827322194 upstream.
+
+userfaultfd calls mcopy_atomic_pte() and __mcopy_atomic() which do not
+do any cache flushing for the target page.  Then the target page will be
+mapped to the user space with a different address (user address), which
+might have an alias issue with the kernel address used to copy the data
+from the user to.  Fix this by insert flush_dcache_page() after
+copy_from_user() succeeds.
+
+Link: https://lkml.kernel.org/r/20220210123058.79206-7-songmuchun@bytedance.com
+Fixes: b6ebaedb4cb1 ("userfaultfd: avoid mmap_sem read recursion in mcopy_atomic")
+Fixes: c1a4de99fada ("userfaultfd: mcopy_atomic|mfill_zeropage: UFFDIO_COPY|UFFDIO_ZEROPAGE preparation")
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Cc: Axel Rasmussen <axelrasmussen@google.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Fam Zheng <fam.zheng@bytedance.com>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Lars Persson <lars.persson@axis.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Xiongchun Duan <duanxiongchun@bytedance.com>
+Cc: Zi Yan <ziy@nvidia.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/userfaultfd.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/userfaultfd.c
++++ b/mm/userfaultfd.c
+@@ -50,6 +50,8 @@ static int mcopy_atomic_pte(struct mm_st
+ 			/* don't free the page */
+ 			goto out;
+ 		}
++
++		flush_dcache_page(page);
+ 	} else {
+ 		page = *pagep;
+ 		*pagep = NULL;
+@@ -267,6 +269,7 @@ retry:
+ 				err = -EFAULT;
+ 				goto out;
+ 			}
++			flush_dcache_page(page);
+ 			goto retry;
+ 		} else
+ 			BUG_ON(page);
diff --git a/queue-4.9/series b/queue-4.9/series
index 299b200b5aa..d9c3030950f 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -4,3 +4,4 @@ can-grcan-grcan_probe-fix-broken-system-id-check-for-errata-workaround-needs.pat
 can-grcan-only-use-the-napi-poll-budget-for-rx.patch
 bluetooth-fix-the-creation-of-hdev-name.patch
 mmc-rtsx-add-74-clocks-in-power-on-flow.patch
+mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.patch