From: Greg Kroah-Hartman Date: Mon, 22 Nov 2021 12:41:37 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.15.5~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0928d9be97015833880af4acb963b6d3bfded2a0;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: hexagon-export-raw-i-o-routines-for-modules.patch ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch s390-kexec-fix-memory-leak-of-ipl-report-buffer.patch x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch --- diff --git a/queue-5.4/hexagon-export-raw-i-o-routines-for-modules.patch b/queue-5.4/hexagon-export-raw-i-o-routines-for-modules.patch new file mode 100644 index 00000000000..b4c6b01bb6d --- /dev/null +++ b/queue-5.4/hexagon-export-raw-i-o-routines-for-modules.patch 
@@ -0,0 +1,70 @@ +From ffb92ce826fd801acb0f4e15b75e4ddf0d189bde Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Fri, 19 Nov 2021 16:43:28 -0800 +Subject: hexagon: export raw I/O routines for modules + +From: Nathan Chancellor + +commit ffb92ce826fd801acb0f4e15b75e4ddf0d189bde upstream. + +Patch series "Fixes for ARCH=hexagon allmodconfig", v2. + +This series fixes some issues noticed with ARCH=hexagon allmodconfig. + +This patch (of 3): + +When building ARCH=hexagon allmodconfig, the following errors occur: + + ERROR: modpost: "__raw_readsl" [drivers/i3c/master/svc-i3c-master.ko] undefined! + ERROR: modpost: "__raw_writesl" [drivers/i3c/master/dw-i3c-master.ko] undefined! + ERROR: modpost: "__raw_readsl" [drivers/i3c/master/dw-i3c-master.ko] undefined! + ERROR: modpost: "__raw_writesl" [drivers/i3c/master/i3c-master-cdns.ko] undefined! + ERROR: modpost: "__raw_readsl" [drivers/i3c/master/i3c-master-cdns.ko] undefined! + +Export these symbols so that modules can use them without any errors. 
+ +Link: https://lkml.kernel.org/r/20211115174250.1994179-1-nathan@kernel.org +Link: https://lkml.kernel.org/r/20211115174250.1994179-2-nathan@kernel.org +Fixes: 013bf24c3829 ("Hexagon: Provide basic implementation and/or stubs for I/O routines.") +Signed-off-by: Nathan Chancellor +Acked-by: Brian Cain +Cc: Nick Desaulniers +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + arch/hexagon/lib/io.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/hexagon/lib/io.c ++++ b/arch/hexagon/lib/io.c +@@ -27,6 +27,7 @@ void __raw_readsw(const void __iomem *ad + *dst++ = *src; + + } ++EXPORT_SYMBOL(__raw_readsw); + + /* + * __raw_writesw - read words a short at a time +@@ -47,6 +48,7 @@ void __raw_writesw(void __iomem *addr, c + + + } ++EXPORT_SYMBOL(__raw_writesw); + + /* Pretty sure len is pre-adjusted for the length of the access already */ + void __raw_readsl(const void __iomem *addr, void *data, int len) +@@ -62,6 +64,7 @@ void __raw_readsl(const void __iomem *ad + + + } ++EXPORT_SYMBOL(__raw_readsl); + + void __raw_writesl(void __iomem *addr, const void *data, int len) + { +@@ -76,3 +79,4 @@ void __raw_writesl(void __iomem *addr, c + + + } ++EXPORT_SYMBOL(__raw_writesl); diff --git a/queue-5.4/ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch b/queue-5.4/ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch new file mode 100644 index 00000000000..584e8cac99e --- /dev/null +++ b/queue-5.4/ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch 
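Review bot: in the second hunk the context comment directly above the new EXPORT_SYMBOL(__raw_writesw) reads "__raw_writesw - read words a short at a time", which describes the read routine, not the write routine; since the patch already touches this spot, correct it to "write words a short at a time" in the same change rather than exporting a symbol under a wrong description.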
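Review bot: the modpost errors quoted in the commit message name only __raw_readsl and __raw_writesl, yet the first two hunks also export __raw_readsw and __raw_writesw; the message should say the 16-bit variants are exported for consistency so the extra exported surface is visibly deliberate, and it should say whether plain EXPORT_SYMBOL (usable by non-GPL modules) rather than EXPORT_SYMBOL_GPL is the intended policy. Once these are callable from modules, the hedged context comment "Pretty sure len is pre-adjusted for the length of the access already" above __raw_readsl is no longer acceptable as the only documentation of the contract: state definitively what the signed `int len` counts (bytes or elements) and what happens for a negative value, since out-of-tree callers will now depend on it.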
@@ -0,0 +1,115 @@ +From 126e8bee943e9926238c891e2df5b5573aee76bc Mon Sep 17 00:00:00 2001 +From: Alexander Mikhalitsyn +Date: Fri, 19 Nov 2021 16:43:18 -0800 +Subject: ipc: WARN if trying to remove ipc object which is absent + +From: Alexander Mikhalitsyn + +commit 126e8bee943e9926238c891e2df5b5573aee76bc upstream. + +Patch series "shm: shm_rmid_forced feature fixes". + +Some time ago I met kernel crash after CRIU restore procedure, +fortunately, it was CRIU restore, so, I had dump files and could do +restore many times and crash reproduced easily. After some +investigation I've constructed the minimal reproducer. It was found +that it's use-after-free and it happens only if sysctl +kernel.shm_rmid_forced = 1. + +The key of the problem is that the exit_shm() function not handles shp's +object destroy when task->sysvshm.shm_clist contains items from +different IPC namespaces. In most cases this list will contain only +items from one IPC namespace. + +How can this list contain object from different namespaces? The +exit_shm() function is designed to clean up this list always when +process leaves IPC namespace. But we made a mistake a long time ago and +did not add a exit_shm() call into the setns() syscall procedures. + +The first idea was just to add this call to setns() syscall but it +obviously changes semantics of setns() syscall and that's +userspace-visible change. So, I gave up on this idea. + +The first real attempt to address the issue was just to omit forced +destroy if we meet shp object not from current task IPC namespace [1]. +But that was not the best idea because task->sysvshm.shm_clist was +protected by rwsem which belongs to current task IPC namespace. It +means that list corruption may occur. + +Second approach is just extend exit_shm() to properly handle shp's from +different IPC namespaces [2]. This is really non-trivial thing, I've +put a lot of effort into that but not believed that it's possible to +make it fully safe, clean and clear. 
+ +Thanks to the efforts of Manfred Spraul working an elegant solution was +designed. Thanks a lot, Manfred! + +Eric also suggested the way to address the issue in ("[RFC][PATCH] shm: +In shm_exit destroy all created and never attached segments") Eric's +idea was to maintain a list of shm_clists one per IPC namespace, use +lock-less lists. But there is some extra memory consumption-related +concerns. + +An alternative solution which was suggested by me was implemented in +("shm: reset shm_clist on setns but omit forced shm destroy"). The idea +is pretty simple, we add exit_shm() syscall to setns() but DO NOT +destroy shm segments even if sysctl kernel.shm_rmid_forced = 1, we just +clean up the task->sysvshm.shm_clist list. + +This chages semantics of setns() syscall a little bit but in comparision +to the "naive" solution when we just add exit_shm() without any special +exclusions this looks like a safer option. + +[1] https://lkml.org/lkml/2021/7/6/1108 +[2] https://lkml.org/lkml/2021/7/14/736 + +This patch (of 2): + +Let's produce a warning if we trying to remove non-existing IPC object +from IPC namespace kht/idr structures. + +This allows us to catch possible bugs when the ipc_rmid() function was +called with inconsistent struct ipc_ids*, struct kern_ipc_perm* +arguments. + +Link: https://lkml.kernel.org/r/20211027224348.611025-1-alexander.mikhalitsyn@virtuozzo.com +Link: https://lkml.kernel.org/r/20211027224348.611025-2-alexander.mikhalitsyn@virtuozzo.com +Co-developed-by: Manfred Spraul +Signed-off-by: Manfred Spraul +Signed-off-by: Alexander Mikhalitsyn +Cc: "Eric W. 
Biederman" +Cc: Davidlohr Bueso +Cc: Greg KH +Cc: Andrei Vagin +Cc: Pavel Tikhomirov +Cc: Vasily Averin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + ipc/util.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/ipc/util.c ++++ b/ipc/util.c +@@ -446,8 +446,8 @@ static int ipcget_public(struct ipc_name + static void ipc_kht_remove(struct ipc_ids *ids, struct kern_ipc_perm *ipcp) + { + if (ipcp->key != IPC_PRIVATE) +- rhashtable_remove_fast(&ids->key_ht, &ipcp->khtnode, +- ipc_kht_params); ++ WARN_ON_ONCE(rhashtable_remove_fast(&ids->key_ht, &ipcp->khtnode, ++ ipc_kht_params)); + } + + /** +@@ -462,7 +462,7 @@ void ipc_rmid(struct ipc_ids *ids, struc + { + int idx = ipcid_to_idx(ipcp->id); + +- idr_remove(&ids->ipcs_idr, idx); ++ WARN_ON_ONCE(idr_remove(&ids->ipcs_idr, idx) != ipcp); + ipc_kht_remove(ids, ipcp); + ids->in_use--; + ipcp->deleted = true; diff --git a/queue-5.4/mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch b/queue-5.4/mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch new file mode 100644 index 00000000000..e89fe4244f0 --- /dev/null +++ b/queue-5.4/mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch 
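Review bot: in the ipc_rmid hunk, when WARN_ON_ONCE(idr_remove(&ids->ipcs_idr, idx) != ipcp) fires the function still falls through to ids->in_use-- and ipcp->deleted = true, so an absent or mismatched entry now produces a warning plus an in_use count that is one too low (and, in the mismatch case, the wrong object has just been pulled out of the idr); either bail out after the warning or say explicitly in the commit message that the WARN is diagnostic only and the accounting is knowingly left untouched. The ipc_kht_remove hunk has the same shape and is fine as rhashtable_remove_fast() returns an error for a node that is not present, but the wrapped `ipc_kht_params));` line should stay aligned under the opening parenthesis as the removed lines were.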
@@ -0,0 +1,51 @@ +From 34dbc3aaf5d9e89ba6cc5e24add9458c21ab1950 Mon Sep 17 00:00:00 2001 +From: Rustam Kovhaev +Date: Fri, 19 Nov 2021 16:43:37 -0800 +Subject: mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag + +From: Rustam Kovhaev + +commit 34dbc3aaf5d9e89ba6cc5e24add9458c21ab1950 upstream. + +When kmemleak is enabled for SLOB, system does not boot and does not +print anything to the console. At the very early stage in the boot +process we hit infinite recursion from kmemleak_init() and eventually +kernel crashes. + +kmemleak_init() specifies SLAB_NOLEAKTRACE for KMEM_CACHE(), but +kmem_cache_create_usercopy() removes it because CACHE_CREATE_MASK is not +valid for SLOB. + +Let's fix CACHE_CREATE_MASK and make kmemleak work with SLOB + +Link: https://lkml.kernel.org/r/20211115020850.3154366-1-rkovhaev@gmail.com +Fixes: d8843922fba4 ("slab: Ignore internal flags in cache creation") +Signed-off-by: Rustam Kovhaev +Acked-by: Vlastimil Babka +Reviewed-by: Muchun Song +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Catalin Marinas +Cc: Greg Kroah-Hartman +Cc: Glauber Costa +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/slab.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/slab.h ++++ b/mm/slab.h +@@ -211,7 +211,7 @@ static inline slab_flags_t kmem_cache_fl + #define SLAB_CACHE_FLAGS (SLAB_NOLEAKTRACE | SLAB_RECLAIM_ACCOUNT | \ + SLAB_TEMPORARY | SLAB_ACCOUNT) + #else +-#define SLAB_CACHE_FLAGS (0) ++#define SLAB_CACHE_FLAGS (SLAB_NOLEAKTRACE) + #endif + + /* Common flags available with current configuration */ diff --git a/queue-5.4/s390-kexec-fix-memory-leak-of-ipl-report-buffer.patch b/queue-5.4/s390-kexec-fix-memory-leak-of-ipl-report-buffer.patch new file mode 100644 index 00000000000..e14e44f2950 --- /dev/null +++ b/queue-5.4/s390-kexec-fix-memory-leak-of-ipl-report-buffer.patch 
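Review bot: the #else branch now carries SLAB_NOLEAKTRACE alone while the CONFIG_SLAB/CONFIG_SLUB branch in the context above also carries SLAB_RECLAIM_ACCOUNT, SLAB_TEMPORARY and SLAB_ACCOUNT; add a one-line comment next to `#define SLAB_CACHE_FLAGS (SLAB_NOLEAKTRACE)` saying those flags are intentionally omitted because SLOB does not implement them, otherwise the next reader will take them for an oversight. The commit message explains the recursion out of kmemleak_init() but not why keeping the flag in the mask is sufficient to stop it, i.e. that SLOB's allocation path already honours SLAB_NOLEAKTRACE before calling into kmemleak; one sentence on that makes the one-line fix self-evident.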
@@ -0,0 +1,85 @@ +From 4aa9340584e37debef06fa99b56d064beb723891 Mon Sep 17 00:00:00 2001 +From: Baoquan He +Date: Tue, 16 Nov 2021 11:31:01 +0800 +Subject: s390/kexec: fix memory leak of ipl report buffer + +From: Baoquan He + +commit 4aa9340584e37debef06fa99b56d064beb723891 upstream. + +unreferenced object 0x38000195000 (size 4096): + comm "kexec", pid 8548, jiffies 4294953647 (age 32443.270s) + hex dump (first 32 bytes): + 00 00 00 c8 20 00 00 00 00 00 00 c0 02 80 00 00 .... ........... + 40 40 40 40 40 40 40 40 00 00 00 00 00 00 00 00 @@@@@@@@........ + backtrace: + [<0000000011a2f199>] __vmalloc_node_range+0xc0/0x140 + [<0000000081fa2752>] vzalloc+0x5a/0x70 + [<0000000063a4c92d>] ipl_report_finish+0x2c/0x180 + [<00000000553304da>] kexec_file_add_ipl_report+0xf4/0x150 + [<00000000862d033f>] kexec_file_add_components+0x124/0x160 + [<000000000d2717bb>] arch_kexec_kernel_image_load+0x62/0x90 + [<000000002e0373b6>] kimage_file_alloc_init+0x1aa/0x2e0 + [<0000000060f2d14f>] __do_sys_kexec_file_load+0x17c/0x2c0 + [<000000008c86fe5a>] __s390x_sys_kexec_file_load+0x40/0x50 + [<000000001fdb9dac>] __do_syscall+0x1bc/0x1f0 + [<000000003ee4258d>] system_call+0x78/0xa0 + +Signed-off-by: Baoquan He +Reviewed-by: Philipp Rudo +Fixes: 99feaa717e55 ("s390/kexec_file: Create ipl report and pass to next kernel") +Cc: # v5.2: 20c76e242e70: s390/kexec: fix return code handling +Cc: # v5.2 +Link: https://lore.kernel.org/r/20211116033101.GD21646@MiWiFi-R3L-srv +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/kexec.h | 6 ++++++ + arch/s390/kernel/machine_kexec_file.c | 10 ++++++++++ + 2 files changed, 16 insertions(+) + +--- a/arch/s390/include/asm/kexec.h ++++ b/arch/s390/include/asm/kexec.h +@@ -74,6 +74,12 @@ void *kexec_file_add_components(struct k + int arch_kexec_do_relocs(int r_type, void *loc, unsigned long val, + unsigned long addr); + ++#define ARCH_HAS_KIMAGE_ARCH ++ ++struct kimage_arch { ++ void *ipl_buf; ++}; ++ + extern const 
struct kexec_file_ops s390_kexec_image_ops; + extern const struct kexec_file_ops s390_kexec_elf_ops; + +--- a/arch/s390/kernel/machine_kexec_file.c ++++ b/arch/s390/kernel/machine_kexec_file.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -206,6 +207,7 @@ static int kexec_file_add_ipl_report(str + goto out; + buf.bufsz = data->report->size; + buf.memsz = buf.bufsz; ++ image->arch.ipl_buf = buf.buffer; + + data->memsz += buf.memsz; + +@@ -327,3 +329,11 @@ int arch_kexec_kernel_image_probe(struct + + return kexec_image_probe_default(image, buf, buf_len); + } ++ ++int arch_kimage_file_post_load_cleanup(struct kimage *image) ++{ ++ vfree(image->arch.ipl_buf); ++ image->arch.ipl_buf = NULL; ++ ++ return kexec_image_post_load_cleanup_default(image); ++} diff --git a/queue-5.4/series b/queue-5.4/series index 8614496bc61..67558cec1ae 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -75,3 +75,8 @@ perf-x86-intel-uncore-fix-iio-event-constraints-for-.patch s390-kexec-fix-return-code-handling.patch arm64-vdso32-suppress-error-message-for-make-mrproper.patch tun-fix-bonding-active-backup-with-arp-monitoring.patch +hexagon-export-raw-i-o-routines-for-modules.patch +ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch +mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch +x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch +s390-kexec-fix-memory-leak-of-ipl-report-buffer.patch diff --git a/queue-5.4/x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch b/queue-5.4/x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch new file mode 100644 index 00000000000..f6cd1ed47ff --- /dev/null +++ b/queue-5.4/x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch 
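Review bot: in the kexec.h hunk, `#define ARCH_HAS_KIMAGE_ARCH` and `struct kimage_arch` land between the arch_kexec_do_relocs() prototype and the s390_kexec_*_ops externs; move them up with the header's other definitions and give `ipl_buf` a comment stating that it holds the vmalloc'ed IPL report produced by ipl_report_finish() and is owned by the image until arch_kimage_file_post_load_cleanup() runs, so the lifetime is documented where the field is declared.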
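Review bot: in the machine_kexec_file.c hunks, the vfree() in the new arch_kimage_file_post_load_cleanup() only pairs correctly with the vzalloc() shown in the kmemleak backtrace, and nothing in the patch ties the two together; a comment at the vfree call (or on the struct member) naming the allocator keeps a later change to ipl_report_finish() from turning this into a mismatched free. Assigning `image->arch.ipl_buf = buf.buffer` right after the `goto out` in kexec_file_add_ipl_report() is the right spot, since any later failure in the same function is then covered by the cleanup path, but the include added at the top of the file names no header in the hunk as shown here, so say which header is being pulled in (presumably the one declaring vfree()) in the commit message.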
@@ -0,0 +1,57 @@ +From daf972118c517b91f74ff1731417feb4270625a4 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 4 Nov 2021 18:22:38 +0000 +Subject: x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails + +From: Sean Christopherson + +commit daf972118c517b91f74ff1731417feb4270625a4 upstream. + +Check for a valid hv_vp_index array prior to derefencing hv_vp_index when +setting Hyper-V's TSC change callback. If Hyper-V setup failed in +hyperv_init(), the kernel will still report that it's running under +Hyper-V, but will have silently disabled nearly all functionality. + + BUG: kernel NULL pointer dereference, address: 0000000000000010 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] SMP + CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc2+ #75 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + RIP: 0010:set_hv_tscchange_cb+0x15/0xa0 + Code: <8b> 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08 + ... + Call Trace: + kvm_arch_init+0x17c/0x280 + kvm_init+0x31/0x330 + vmx_init+0xba/0x13a + do_one_initcall+0x41/0x1c0 + kernel_init_freeable+0x1f2/0x23b + kernel_init+0x16/0x120 + ret_from_fork+0x22/0x30 + +Fixes: 93286261de1b ("x86/hyperv: Reenlightenment notifications support") +Cc: stable@vger.kernel.org +Cc: Vitaly Kuznetsov +Signed-off-by: Sean Christopherson +Reviewed-by: Vitaly Kuznetsov +Link: https://lore.kernel.org/r/20211104182239.1302956-2-seanjc@google.com +Signed-off-by: Wei Liu +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/hyperv/hv_init.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/hyperv/hv_init.c ++++ b/arch/x86/hyperv/hv_init.c +@@ -163,6 +163,9 @@ void set_hv_tscchange_cb(void (*cb)(void + return; + } + ++ if (!hv_vp_index) ++ return; ++ + hv_reenlightenment_cb = cb; + + /* Make sure callback is registered before we write to MSRs */
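Review bot: the new `if (!hv_vp_index) return;` silently drops the registration, so kvm_arch_init() in the quoted trace carries on believing the reenlightenment callback is installed when it is not; either let set_hv_tscchange_cb() return an error the caller can act on, or at least emit a one-time pr_warn() stating that reenlightenment notifications are unavailable because Hyper-V setup failed, in the same style as the early return immediately above it in the context. The placement itself is correct: the check precedes `hv_reenlightenment_cb = cb;` and the MSR writes, so no state is touched on the failure path; keep that ordering if the function is reworked.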