From: Greg Kroah-Hartman Date: Mon, 11 Apr 2022 13:36:18 +0000 (+0200) Subject: 5.16-stable patches X-Git-Tag: v4.9.310~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=19202c05864afa8fc0743e7c71399cab5b42f333;p=thirdparty%2Fkernel%2Fstable-queue.git 5.16-stable patches added patches: ubsan-remove-config_ubsan_object_size.patch x86-fpu-xstate-fix-the-arch_req_xcomp_perm-implementation.patch
---
diff --git a/queue-5.16/series b/queue-5.16/series
index 8648f3f8141..42242881cb7 100644
--- a/queue-5.16/series
+++ b/queue-5.16/series
@@ -270,3 +270,5 @@ tools-build-filter-out-options-and-warnings-not-supported-by-clang.patch
 tools-build-use-shell-instead-of-to-get-embedded-libperl-s-ccopts.patch
 dmaengine-revert-dmaengine-shdma-fix-runtime-pm-imbalance-on-error.patch
 kvm-avoid-null-pointer-dereference-in-kvm_dirty_ring_push.patch
+ubsan-remove-config_ubsan_object_size.patch
+x86-fpu-xstate-fix-the-arch_req_xcomp_perm-implementation.patch
diff --git a/queue-5.16/ubsan-remove-config_ubsan_object_size.patch b/queue-5.16/ubsan-remove-config_ubsan_object_size.patch
new file mode 100644
index 00000000000..f06c89a9c7a
--- /dev/null
+++ b/queue-5.16/ubsan-remove-config_ubsan_object_size.patch
@@ -0,0 +1,120 @@
+From 69d0db01e210e07fe915e5da91b54a867cda040f Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 19 Jan 2022 18:10:35 -0800
+Subject: ubsan: remove CONFIG_UBSAN_OBJECT_SIZE
+
+From: Kees Cook
+
+commit 69d0db01e210e07fe915e5da91b54a867cda040f upstream.
+
+The object-size sanitizer is redundant to -Warray-bounds, and
+inappropriately performs its checks at run-time when all information
+needed for the evaluation is available at compile-time, making it quite
+difficult to use:
+
+ https://bugzilla.kernel.org/show_bug.cgi?id=214861
+
+With -Warray-bounds almost enabled globally, it doesn't make sense to
+keep this around.
+
+Link: https://lkml.kernel.org/r/20211203235346.110809-1-keescook@chromium.org
+Signed-off-by: Kees Cook
+Reviewed-by: Marco Elver
+Cc: Masahiro Yamada
+Cc: Michal Marek
+Cc: Nick Desaulniers
+Cc: Nathan Chancellor
+Cc: Andrey Ryabinin
+Cc: "Peter Zijlstra (Intel)"
+Cc: Stephen Rothwell
+Cc: Arnd Bergmann
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Cc: Tadeusz Struk
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/Kconfig.ubsan | 13 -------------
+ lib/test_ubsan.c | 22 ----------------------
+ scripts/Makefile.ubsan | 1 -
+ 3 files changed, 36 deletions(-)
+
+--- a/lib/Kconfig.ubsan
++++ b/lib/Kconfig.ubsan
+@@ -112,19 +112,6 @@ config UBSAN_UNREACHABLE
+ This option enables -fsanitize=unreachable which checks for control
+ flow reaching an expected-to-be-unreachable position.
+ 
+-config UBSAN_OBJECT_SIZE
+- bool "Perform checking for accesses beyond the end of objects"
+- default UBSAN
+- # gcc hugely expands stack usage with -fsanitize=object-size
+- # https://lore.kernel.org/lkml/CAHk-=wjPasyJrDuwDnpHJS2TuQfExwe=px-SzLeN8GFMAQJPmQ@mail.gmail.com/
+- depends on !CC_IS_GCC
+- depends on $(cc-option,-fsanitize=object-size)
+- help
+- This option enables -fsanitize=object-size which checks for accesses
+- beyond the end of objects where the optimizer can determine both the
+- object being operated on and its size, usually seen with bad downcasts,
+- or access to struct members from NULL pointers.
+-
+ config UBSAN_BOOL
+ bool "Perform checking for non-boolean values used as boolean"
+ default UBSAN
+--- a/lib/test_ubsan.c
++++ b/lib/test_ubsan.c
+@@ -79,15 +79,6 @@ static void test_ubsan_load_invalid_valu
+ eval2 = eval;
+ }
+ 
+-static void test_ubsan_null_ptr_deref(void)
+-{
+- volatile int *ptr = NULL;
+- int val;
+-
+- UBSAN_TEST(CONFIG_UBSAN_OBJECT_SIZE);
+- val = *ptr;
+-}
+-
+ static void test_ubsan_misaligned_access(void)
+ {
+ volatile char arr[5] __aligned(4) = {1, 2, 3, 4, 5};
+@@ -98,29 +89,16 @@ static void test_ubsan_misaligned_access
+ *ptr = val;
+ }
+ 
+-static void test_ubsan_object_size_mismatch(void)
+-{
+- /* "((aligned(8)))" helps this not into be misaligned for ptr-access. */
+- volatile int val __aligned(8) = 4;
+- volatile long long *ptr, val2;
+-
+- UBSAN_TEST(CONFIG_UBSAN_OBJECT_SIZE);
+- ptr = (long long *)&val;
+- val2 = *ptr;
+-}
+-
+ static const test_ubsan_fp test_ubsan_array[] = {
+ test_ubsan_shift_out_of_bounds,
+ test_ubsan_out_of_bounds,
+ test_ubsan_load_invalid_value,
+ test_ubsan_misaligned_access,
+- test_ubsan_object_size_mismatch,
+ };
+ 
+ /* Excluded because they Oops the module. */
+ static const test_ubsan_fp skip_ubsan_array[] = {
+ test_ubsan_divrem_overflow,
+- test_ubsan_null_ptr_deref,
+ };
+ 
+ static int __init test_ubsan_init(void)
+--- a/scripts/Makefile.ubsan
++++ b/scripts/Makefile.ubsan
+@@ -8,7 +8,6 @@ ubsan-cflags-$(CONFIG_UBSAN_LOCAL_BOUNDS
+ ubsan-cflags-$(CONFIG_UBSAN_SHIFT) += -fsanitize=shift
+ ubsan-cflags-$(CONFIG_UBSAN_DIV_ZERO) += -fsanitize=integer-divide-by-zero
+ ubsan-cflags-$(CONFIG_UBSAN_UNREACHABLE) += -fsanitize=unreachable
+-ubsan-cflags-$(CONFIG_UBSAN_OBJECT_SIZE) += -fsanitize=object-size
+ ubsan-cflags-$(CONFIG_UBSAN_BOOL) += -fsanitize=bool
+ ubsan-cflags-$(CONFIG_UBSAN_ENUM) += -fsanitize=enum
+ ubsan-cflags-$(CONFIG_UBSAN_TRAP) += -fsanitize-undefined-trap-on-error
diff --git a/queue-5.16/x86-fpu-xstate-fix-the-arch_req_xcomp_perm-implementation.patch b/queue-5.16/x86-fpu-xstate-fix-the-arch_req_xcomp_perm-implementation.patch
new file mode 100644
index 00000000000..034a7ad8bb9
--- /dev/null
+++ b/queue-5.16/x86-fpu-xstate-fix-the-arch_req_xcomp_perm-implementation.patch
@@ -0,0 +1,40 @@
+From 063452fd94d153d4eb38ad58f210f3d37a09cca4 Mon Sep 17 00:00:00 2001
+From: Yang Zhong
+Date: Sat, 29 Jan 2022 09:36:46 -0800
+Subject: x86/fpu/xstate: Fix the ARCH_REQ_XCOMP_PERM implementation
+
+From: Yang Zhong
+
+commit 063452fd94d153d4eb38ad58f210f3d37a09cca4 upstream.
+
+ARCH_REQ_XCOMP_PERM is supposed to add the requested feature to the
+permission bitmap of thread_group_leader()->fpu. But the code overwrites
+the bitmap with the requested feature bit only rather than adding it.
+
+Fix the code to add the requested feature bit to the master bitmask.
+
+Fixes: db8268df0983 ("x86/arch_prctl: Add controls for dynamic XSTATE components")
+Signed-off-by: Yang Zhong
+Signed-off-by: Chang S. Bae
+Signed-off-by: Thomas Gleixner
+Cc: Paolo Bonzini
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20220129173647.27981-2-chang.seok.bae@intel.com
+[chang: Backport for 5.16]
+Signed-off-by: Chang S. Bae
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/fpu/xstate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/fpu/xstate.c
++++ b/arch/x86/kernel/fpu/xstate.c
+@@ -1626,7 +1626,7 @@ static int __xstate_request_perm(u64 per
+ return ret;
+ 
+ /* Pairs with the READ_ONCE() in xstate_get_group_perm() */
+- WRITE_ONCE(fpu->perm.__state_perm, requested);
++ WRITE_ONCE(fpu->perm.__state_perm, mask);
+ /* Protected by sighand lock */
+ fpu->perm.__state_size = ksize;
+ fpu->perm.__user_state_size = usize;
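Review bot: The replacement line `WRITE_ONCE(fpu->perm.__state_perm, mask);` is only correct if `mask` already holds the previously permitted bits plus the requested one, and nothing in this hunk shows or documents that; the comment above the store only mentions the READ_ONCE() pairing. `__xstate_request_perm()` starts before the hunk and continues after it, so how `mask` is built cannot be confirmed from here; presumably it is the union of the permitted and requested feature bits, and the same value that `ksize` and `usize` were derived from. A short comment at the store would keep a later edit from reintroducing the overwrite, for example `/* Store the accumulated mask, not just 'requested', so earlier grants are kept */`. A selftest that requests two features in sequence and then reads the permission bitmap back would pin the behaviour the commit message describes.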