From: Sasha Levin
Date: Sat, 1 Aug 2020 21:58:02 +0000 (-0400)
Subject: Fixes for 4.14
X-Git-Tag: v5.7.13~33^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b606cba249d4c30efe5b3883854f31785babba9e;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.14
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/9p-trans_fd-abort-p9_read_work-if-req-status-changed.patch b/queue-4.14/9p-trans_fd-abort-p9_read_work-if-req-status-changed.patch
new file mode 100644
index 00000000000..1f60da524a1
--- /dev/null
+++ b/queue-4.14/9p-trans_fd-abort-p9_read_work-if-req-status-changed.patch
@@ -0,0 +1,66 @@
+From abcae50d9120f7e97d9f4bcc1003b3c421fbbc3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Oct 2018 11:18:52 +0900
+Subject: 9p/trans_fd: abort p9_read_work if req status changed
+
+From: Dominique Martinet
+
+[ Upstream commit e4ca13f7d075e551dc158df6af18fb412a1dba0a ]
+
+p9_read_work would try to handle an errored req even if it got put to
+error state by another thread between the lookup (that worked) and the
+time it had been fully read.
+The request itself is safe to use because we hold a ref to it from the
+lookup (for m->rreq, so it was safe to read into the request data buffer
+until this point), but the req_list has been deleted at the same time
+status changed, and client_cb already has been called as well, so we
+should not do either.
+
+Link: http://lkml.kernel.org/r/1539057956-23741-1-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet
+Reported-by: syzbot+2222c34dc40b515f30dc@syzkaller.appspotmail.com
+Cc: Eric Van Hensbergen
+Cc: Latchesar Ionkov
+Signed-off-by: Sasha Levin
+---
+ net/9p/trans_fd.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
+index a9c65f13b7f51..cbd8cfafb7940 100644
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -301,7 +301,6 @@ static void p9_read_work(struct work_struct *work)
+ {
+ int n, err;
+ struct p9_conn *m;
+- int status = REQ_STATUS_ERROR;
+
+ m = container_of(work, struct p9_conn, rq);
+
+@@ -381,11 +380,17 @@ static void p9_read_work(struct work_struct *work)
+ if ((m->req) && (m->rc.offset == m->rc.capacity)) {
+ p9_debug(P9_DEBUG_TRANS, "got new packet\n");
+ spin_lock(&m->client->lock);
+- if (m->req->status != REQ_STATUS_ERROR)
+- status = REQ_STATUS_RCVD;
+- list_del(&m->req->req_list);
+- /* update req->status while holding client->lock */
+- p9_client_cb(m->client, m->req, status);
++ if (m->req->status == REQ_STATUS_SENT) {
++ list_del(&m->req->req_list);
++ p9_client_cb(m->client, m->req, REQ_STATUS_RCVD);
++ } else {
++ spin_unlock(&m->client->lock);
++ p9_debug(P9_DEBUG_ERROR,
++ "Request tag %d errored out while we were reading the reply\n",
++ m->rc.tag);
++ err = -EIO;
++ goto error;
++ }
+ spin_unlock(&m->client->lock);
+ m->rc.sdata = NULL;
+ m->rc.offset = 0;
+--
+2.25.1
+
diff --git a/queue-4.14/9p-trans_fd-fix-concurrency-del-of-req_list-in-p9_fd.patch b/queue-4.14/9p-trans_fd-fix-concurrency-del-of-req_list-in-p9_fd.patch
new file mode 100644
index 00000000000..66cbe164f45
--- /dev/null
+++ b/queue-4.14/9p-trans_fd-fix-concurrency-del-of-req_list-in-p9_fd.patch
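Review bot: The lifetime argument in the patch description ("we hold a ref to it from the lookup (for m->rreq ...)") is written for the upstream code, while the 4.14 hunk keeps dereferencing `m->req` and shows nothing taking or dropping a reference; if the 4.14 request lifetime differs from upstream, the new else branch reads `m->req->status` on a request that another thread may have released after cancelling it. A one-line backport note would record what keeps it alive, e.g. `[ backport: 4.14 has no per-request refcount; m->req stays valid here because <reason — confirm against the 4.14 client> ]`. The new else branch releases `m->client->lock` before `goto error`, which is consistent with the lock-free error handling that the context lines suggest, but the `error:` label and the rest of p9_read_work are outside the hunk, so the cleanup it reaches cannot be checked here.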
@@ -0,0 +1,69 @@
+From 32aae490f5a634ae57bb11ad173d9d91a57c6bac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 Jun 2020 17:08:33 +0800
+Subject: 9p/trans_fd: Fix concurrency del of req_list in
+ p9_fd_cancelled/p9_read_work
+
+From: Wang Hai
+
+[ Upstream commit 74d6a5d5662975aed7f25952f62efbb6f6dadd29 ]
+
+p9_read_work and p9_fd_cancelled may be called concurrently.
+In some cases, req->req_list may be deleted by both p9_read_work
+and p9_fd_cancelled.
+
+We can fix it by ignoring replies associated with a cancelled
+request and ignoring cancelled request if message has been received
+before lock.
+
+Link: http://lkml.kernel.org/r/20200612090833.36149-1-wanghai38@huawei.com
+Fixes: 60ff779c4abb ("9p: client: remove unused code and any reference to "cancelled" function")
+Cc: # v3.12+
+Reported-by: syzbot+77a25acfa0382e06ab23@syzkaller.appspotmail.com
+Signed-off-by: Wang Hai
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ net/9p/trans_fd.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
+index cbd8cfafb7940..32de8afbfbf8e 100644
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -383,6 +383,10 @@ static void p9_read_work(struct work_struct *work)
+ if (m->req->status == REQ_STATUS_SENT) {
+ list_del(&m->req->req_list);
+ p9_client_cb(m->client, m->req, REQ_STATUS_RCVD);
++ } else if (m->req->status == REQ_STATUS_FLSHD) {
++ /* Ignore replies associated with a cancelled request. */
++ p9_debug(P9_DEBUG_TRANS,
++ "Ignore replies associated with a cancelled request\n");
+ } else {
+ spin_unlock(&m->client->lock);
+ p9_debug(P9_DEBUG_ERROR,
+@@ -717,11 +721,20 @@ static int p9_fd_cancelled(struct p9_client *client, struct p9_req_t *req)
+ {
+ p9_debug(P9_DEBUG_TRANS, "client %p req %p\n", client, req);
+
++ spin_lock(&client->lock);
++ /* Ignore cancelled request if message has been received
++ * before lock.
++ */
++ if (req->status == REQ_STATUS_RCVD) {
++ spin_unlock(&client->lock);
++ return 0;
++ }
++
+ /* we haven't received a response for oldreq,
+ * remove it from the list.
+ */
+- spin_lock(&client->lock);
+ list_del(&req->req_list);
++ req->status = REQ_STATUS_FLSHD;
+ spin_unlock(&client->lock);
+
+ return 0;
+--
+2.25.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 32ba9f8120f..bcf7c05b1ee 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -15,3 +15,7 @@ drm-amdgpu-prevent-kernel-infoleak-in-amdgpu_info_ioctl.patch
 drm-hold-gem-reference-until-object-is-no-longer-accessed.patch
 f2fs-check-memory-boundary-by-insane-namelen.patch
 f2fs-check-if-file-namelen-exceeds-max-value.patch
+9p-trans_fd-abort-p9_read_work-if-req-status-changed.patch
+9p-trans_fd-fix-concurrency-del-of-req_list-in-p9_fd.patch
+x86-build-lto-fix-truncated-.bss-with-fdata-sections.patch
+x86-vmlinux.lds-page-align-end-of-.page_aligned-sect.patch
diff --git a/queue-4.14/x86-build-lto-fix-truncated-.bss-with-fdata-sections.patch b/queue-4.14/x86-build-lto-fix-truncated-.bss-with-fdata-sections.patch
new file mode 100644
index 00000000000..dbe10b01a37
--- /dev/null
+++ b/queue-4.14/x86-build-lto-fix-truncated-.bss-with-fdata-sections.patch
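Review bot: The new early return in p9_fd_cancelled only excludes `REQ_STATUS_RCVD`, while the p9_read_work side of the same patch only touches `req_list` when the status is still `REQ_STATUS_SENT`; the two guards are not symmetric, so any other path that unlinks a request under `client->lock` with a different terminal status (for example an error-state transition, which this hunk does not show) would still reach the second `list_del`. Since the caller presumably only invokes the cancel hook for requests it last saw as sent, the stricter guard `if (req->status != REQ_STATUS_SENT) {` in place of the `== REQ_STATUS_RCVD` test would close that gap without changing the received case — confirm against the 4.14 p9_conn_cancel path before adopting it. The `REQ_STATUS_FLSHD` branch in p9_read_work falls through to the shared `spin_unlock` and `m->rc` reset lines that the previous patch leaves below the hunk, so the lock is released on that path. The closing brace of p9_fd_cancelled is outside the hunk.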
@@ -0,0 +1,54 @@
+From c96671a93a266c25551521267c949137d11d54ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Apr 2019 09:49:56 -0700
+Subject: x86/build/lto: Fix truncated .bss with -fdata-sections
+
+From: Sami Tolvanen
+
+[ Upstream commit 6a03469a1edc94da52b65478f1e00837add869a3 ]
+
+With CONFIG_LD_DEAD_CODE_DATA_ELIMINATION=y, we compile the kernel with
+-fdata-sections, which also splits the .bss section.
+
+The new section, with a new .bss.* name, which pattern gets missed by the
+main x86 linker script which only expects the '.bss' name. This results
+in the discarding of the second part and a too small, truncated .bss
+section and an unhappy, non-working kernel.
+
+Use the common BSS_MAIN macro in the linker script to properly capture
+and merge all the generated BSS sections.
+
+Signed-off-by: Sami Tolvanen
+Reviewed-by: Nick Desaulniers
+Reviewed-by: Kees Cook
+Cc: Borislav Petkov
+Cc: Kees Cook
+Cc: Linus Torvalds
+Cc: Nicholas Piggin
+Cc: Nick Desaulniers
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Link: http://lkml.kernel.org/r/20190415164956.124067-1-samitolvanen@google.com
+[ Extended the changelog. ]
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/vmlinux.lds.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
+index 8d8e33b720b4e..f9f33a168a002 100644
+--- a/arch/x86/kernel/vmlinux.lds.S
++++ b/arch/x86/kernel/vmlinux.lds.S
+@@ -352,7 +352,7 @@ SECTIONS
+ .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
+ __bss_start = .;
+ *(.bss..page_aligned)
+- *(.bss)
++ *(BSS_MAIN)
+ . = ALIGN(PAGE_SIZE);
+ __bss_stop = .;
+ }
+--
+2.25.1
+
diff --git a/queue-4.14/x86-vmlinux.lds-page-align-end-of-.page_aligned-sect.patch b/queue-4.14/x86-vmlinux.lds-page-align-end-of-.page_aligned-sect.patch
new file mode 100644
index 00000000000..8dac72d24be
--- /dev/null
+++ b/queue-4.14/x86-vmlinux.lds-page-align-end-of-.page_aligned-sect.patch
@@ -0,0 +1,84 @@
+From 40ad7fd4a0054654dc531efa8e1d42f6ca45fd4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Jul 2020 11:34:48 +0200
+Subject: x86, vmlinux.lds: Page-align end of ..page_aligned sections
+
+From: Joerg Roedel
+
+[ Upstream commit de2b41be8fcccb2f5b6c480d35df590476344201 ]
+
+On x86-32 the idt_table with 256 entries needs only 2048 bytes. It is
+page-aligned, but the end of the .bss..page_aligned section is not
+guaranteed to be page-aligned.
+
+As a result, objects from other .bss sections may end up on the same 4k
+page as the idt_table, and will accidentially get mapped read-only during
+boot, causing unexpected page-faults when the kernel writes to them.
+
+This could be worked around by making the objects in the page aligned
+sections page sized, but that's wrong.
+
+Explicit sections which store only page aligned objects have an implicit
+guarantee that the object is alone in the page in which it is placed. That
+works for all objects except the last one. That's inconsistent.
+
+Enforcing page sized objects for these sections would wreckage memory
+sanitizers, because the object becomes artificially larger than it should
+be and out of bound access becomes legit.
+
+Align the end of the .bss..page_aligned and .data..page_aligned section on
+page-size so all objects places in these sections are guaranteed to have
+their own page.
+
+[ tglx: Amended changelog ]
+
+Signed-off-by: Joerg Roedel
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Kees Cook
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20200721093448.10417-1-joro@8bytes.org
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/vmlinux.lds.S | 1 +
+ include/asm-generic/vmlinux.lds.h | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
+index f9f33a168a002..d3dc8bc6b3adf 100644
+--- a/arch/x86/kernel/vmlinux.lds.S
++++ b/arch/x86/kernel/vmlinux.lds.S
+@@ -352,6 +352,7 @@ SECTIONS
+ .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
+ __bss_start = .;
+ *(.bss..page_aligned)
++ . = ALIGN(PAGE_SIZE);
+ *(BSS_MAIN)
+ . = ALIGN(PAGE_SIZE);
+ __bss_stop = .;
+diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
+index c229ffbed6d4c..48e618b20d34b 100644
+--- a/include/asm-generic/vmlinux.lds.h
++++ b/include/asm-generic/vmlinux.lds.h
+@@ -251,7 +251,8 @@
+
+ #define PAGE_ALIGNED_DATA(page_align) \
+ . = ALIGN(page_align); \
+- *(.data..page_aligned)
++ *(.data..page_aligned) \
++ . = ALIGN(page_align);
+
+ #define READ_MOSTLY_DATA(align) \
+ . = ALIGN(align); \
+@@ -619,7 +620,9 @@
+ . = ALIGN(bss_align); \
+ .bss : AT(ADDR(.bss) - LOAD_OFFSET) { \
+ BSS_FIRST_SECTIONS \
++ . = ALIGN(PAGE_SIZE); \
+ *(.bss..page_aligned) \
++ . = ALIGN(PAGE_SIZE); \
+ *(.dynbss) \
+ *(BSS_MAIN) \
+ *(COMMON) \
+--
+2.25.1
+
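Review bot: The two alignment directives added inside BSS_SECTION in the vmlinux.lds.h hunk hard-code `PAGE_SIZE`, while the PAGE_ALIGNED_DATA hunk a few lines above uses its `page_align` parameter for the matching change; BSS_SECTION only receives `bss_align` and `stop_align`, so the constant is presumably deliberate, but a reader comparing the two macros will ask why. A one-line comment on the first added directive, `/* .bss..page_aligned objects must each own a full page; pad on both sides */`, would settle it. The x86 vmlinux.lds.S hunk applies against the `*(BSS_MAIN)` context line that only exists once the preceding lto patch in this same queue update has been applied; the series file lists the lto patch first, so the order is right, but that dependency is worth a sentence in the queue entry since the upstream patch carries Cc: stable on its own.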