From: Greg Kroah-Hartman Date: Sun, 3 Mar 2019 08:18:25 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.9.162~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e793be79fc99b5095478cbb65bfb67fb8b122ab3;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: mips-ebpf-fix-icache-flush-end-address.patch --- diff --git a/queue-4.19/mips-ebpf-fix-icache-flush-end-address.patch b/queue-4.19/mips-ebpf-fix-icache-flush-end-address.patch new file mode 100644 index 00000000000..c504e1cce40 --- /dev/null +++ b/queue-4.19/mips-ebpf-fix-icache-flush-end-address.patch 
@@ -0,0 +1,55 @@ +From d1a2930d8a992fb6ac2529449f81a0056e1b98d1 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Fri, 1 Mar 2019 22:58:09 +0000 +Subject: MIPS: eBPF: Fix icache flush end address + +From: Paul Burton + +commit d1a2930d8a992fb6ac2529449f81a0056e1b98d1 upstream. + +The MIPS eBPF JIT calls flush_icache_range() in order to ensure the +icache observes the code that we just wrote. Unfortunately it gets the +end address calculation wrong due to some bad pointer arithmetic. + +The struct jit_ctx target field is of type pointer to u32, and as such +adding one to it will increment the address being pointed to by 4 bytes. +Therefore in order to find the address of the end of the code we simply +need to add the number of 4 byte instructions emitted, but we mistakenly +add the number of instructions multiplied by 4. This results in the call +to flush_icache_range() operating on a memory region 4x larger than +intended, which is always wasteful and can cause crashes if we overrun +into an unmapped page. + +Fix this by correcting the pointer arithmetic to remove the bogus +multiplication, and use braces to remove the need for a set of brackets +whilst also making it obvious that the target field is a pointer. 
+ +Signed-off-by: Paul Burton +Fixes: b6bd53f9c4e8 ("MIPS: Add missing file for eBPF JIT.") +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Martin KaFai Lau +Cc: Song Liu +Cc: Yonghong Song +Cc: netdev@vger.kernel.org +Cc: bpf@vger.kernel.org +Cc: linux-mips@vger.kernel.org +Cc: stable@vger.kernel.org # v4.13+ +Signed-off-by: Daniel Borkmann +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/net/ebpf_jit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/net/ebpf_jit.c ++++ b/arch/mips/net/ebpf_jit.c +@@ -1818,7 +1818,7 @@ struct bpf_prog *bpf_int_jit_compile(str + + /* Update the icache */ + flush_icache_range((unsigned long)ctx.target, +- (unsigned long)(ctx.target + ctx.idx * sizeof(u32))); ++ (unsigned long)&ctx.target[ctx.idx]); + + if (bpf_jit_enable > 1) + /* Dump JIT code */ diff --git a/queue-4.19/series b/queue-4.19/series index f9a9a7eb1b8..2529e13aba1 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -74,3 +74,4 @@ drm-block-fb-changes-for-async-plane-updates.patch hugetlbfs-fix-races-and-page-leaks-during-migration.patch mips-fix-truncation-in-__cmpxchg_small-for-short-values.patch mips-bcm63xx-provide-dma-masks-for-ethernet-devices.patch +mips-ebpf-fix-icache-flush-end-address.patch
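Review bot: In the arch/mips/net/ebpf_jit.c hunk, the new end argument `(unsigned long)&ctx.target[ctx.idx]` is only right because ctx.target is a pointer to u32 and ctx.idx counts emitted instructions, and the one-line comment "/* Update the icache */" above the call says neither. Since this exact unit confusion produced the 4x overrun described in the commit message, consider extending that comment to state that the end address is one past the last emitted instruction and that the indexing is in u32 units, not bytes. Only this call site is visible here, so it is also worth checking the rest of the file for other byte-scaled arithmetic on ctx.target.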
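Review bot: In the queue-4.19/series hunk and the new file under queue-4.19/, the patch is queued for 4.19 only, while the embedded commit carries "Cc: stable@vger.kernel.org # v4.13+" and a Fixes: tag for b6bd53f9c4e8. The commit message ("4.19-stable patches") does not say how the other stable trees in that range are handled, so confirm that they receive the same fix through their own queue commits, or note here why they do not need it.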