From: Greg Kroah-Hartman Date: Fri, 17 Dec 2021 15:08:50 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.4.296~59 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6f64e7d74fc18a9fc029bc05a56ee105ea233ea7;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm64-dts-imx8m-correct-assigned-clocks-for-fec.patch arm64-dts-imx8mp-evk-improve-the-ethernet-phy-description.patch audit-improve-robustness-of-the-audit-queue-handling.patch bpf-fix-signed-bounds-propagation-after-mov32.patch bpf-make-32-64-bounds-propagation-slightly-more-robust.patch bpf-selftests-add-test-case-trying-to-taint-map-value-pointer.patch dm-btree-remove-fix-use-after-free-in-rebalance_children.patch recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch vdpa-check-that-offsets-are-within-bounds.patch virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch --- diff --git a/queue-5.10/arm64-dts-imx8m-correct-assigned-clocks-for-fec.patch b/queue-5.10/arm64-dts-imx8m-correct-assigned-clocks-for-fec.patch new file mode 100644 index 00000000000..3308a418a6e --- /dev/null +++ b/queue-5.10/arm64-dts-imx8m-correct-assigned-clocks-for-fec.patch @@ -0,0 +1,76 @@ +From 70eacf42a93aff6589a8b91279bbfe5f73c4ca3d Mon Sep 17 00:00:00 2001 +From: Joakim Zhang +Date: Sat, 16 Jan 2021 16:44:28 +0800 +Subject: arm64: dts: imx8m: correct assigned clocks for FEC + +From: Joakim Zhang + +commit 70eacf42a93aff6589a8b91279bbfe5f73c4ca3d upstream. + +CLK_ENET_TIMER assigned clocks twice, should be a typo, correct to +CLK_ENET_PHY_REF clock. + +Signed-off-by: Joakim Zhang +Signed-off-by: Shawn Guo +Cc: Rasmus Villemoes +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mm.dtsi | 7 ++++--- + arch/arm64/boot/dts/freescale/imx8mn.dtsi | 7 ++++--- + arch/arm64/boot/dts/freescale/imx8mp.dtsi | 7 ++++--- + 3 files changed, 12 insertions(+), 9 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mm.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm.dtsi +@@ -866,11 +866,12 @@ + assigned-clocks = <&clk IMX8MM_CLK_ENET_AXI>, + <&clk IMX8MM_CLK_ENET_TIMER>, + <&clk IMX8MM_CLK_ENET_REF>, +- <&clk IMX8MM_CLK_ENET_TIMER>; ++ <&clk IMX8MM_CLK_ENET_PHY_REF>; + assigned-clock-parents = <&clk IMX8MM_SYS_PLL1_266M>, + <&clk IMX8MM_SYS_PLL2_100M>, +- <&clk IMX8MM_SYS_PLL2_125M>; +- assigned-clock-rates = <0>, <0>, <125000000>, <100000000>; ++ <&clk IMX8MM_SYS_PLL2_125M>, ++ <&clk IMX8MM_SYS_PLL2_50M>; ++ assigned-clock-rates = <0>, <100000000>, <125000000>, <0>; + fsl,num-tx-queues = <3>; + fsl,num-rx-queues = <3>; + status = "disabled"; +--- a/arch/arm64/boot/dts/freescale/imx8mn.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mn.dtsi +@@ -753,11 +753,12 @@ + assigned-clocks = <&clk IMX8MN_CLK_ENET_AXI>, + <&clk IMX8MN_CLK_ENET_TIMER>, + <&clk IMX8MN_CLK_ENET_REF>, +- <&clk IMX8MN_CLK_ENET_TIMER>; ++ <&clk IMX8MN_CLK_ENET_PHY_REF>; + assigned-clock-parents = <&clk IMX8MN_SYS_PLL1_266M>, + <&clk IMX8MN_SYS_PLL2_100M>, +- <&clk IMX8MN_SYS_PLL2_125M>; +- assigned-clock-rates = <0>, <0>, <125000000>, <100000000>; ++ <&clk IMX8MN_SYS_PLL2_125M>, ++ <&clk IMX8MN_SYS_PLL2_50M>; ++ assigned-clock-rates = <0>, <100000000>, <125000000>, <0>; + fsl,num-tx-queues = <3>; + fsl,num-rx-queues = <3>; + status = "disabled"; +--- a/arch/arm64/boot/dts/freescale/imx8mp.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mp.dtsi +@@ -725,11 +725,12 @@ + assigned-clocks = <&clk IMX8MP_CLK_ENET_AXI>, + <&clk IMX8MP_CLK_ENET_TIMER>, + <&clk IMX8MP_CLK_ENET_REF>, +- <&clk IMX8MP_CLK_ENET_TIMER>; ++ <&clk IMX8MP_CLK_ENET_PHY_REF>; + assigned-clock-parents = <&clk IMX8MP_SYS_PLL1_266M>, + <&clk IMX8MP_SYS_PLL2_100M>, +- <&clk IMX8MP_SYS_PLL2_125M>; +- assigned-clock-rates = <0>, <0>, <125000000>, <100000000>; ++ <&clk IMX8MP_SYS_PLL2_125M>, ++ <&clk IMX8MP_SYS_PLL2_50M>; ++ assigned-clock-rates = <0>, <100000000>, <125000000>, <0>; + fsl,num-tx-queues = <3>; + fsl,num-rx-queues = <3>; + status = "disabled"; diff --git a/queue-5.10/arm64-dts-imx8mp-evk-improve-the-ethernet-phy-description.patch b/queue-5.10/arm64-dts-imx8mp-evk-improve-the-ethernet-phy-description.patch new file mode 100644 index 00000000000..3d78b5acc18 --- /dev/null +++ b/queue-5.10/arm64-dts-imx8mp-evk-improve-the-ethernet-phy-description.patch @@ -0,0 +1,36 @@ +From 798a1807ab13a38e21c6fecd8d22a513d6786e2d Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Thu, 18 Mar 2021 08:13:30 -0300 +Subject: arm64: dts: imx8mp-evk: Improve the Ethernet PHY description + +From: Fabio Estevam + +commit 798a1807ab13a38e21c6fecd8d22a513d6786e2d upstream. + +According to the datasheet RTL8211, it must be asserted low for at least +10ms and at least 72ms "for internal circuits settling time" before +accessing the PHY registers. + +Add properties to describe such requirements. + +Reported-by: Joakim Zhang +Signed-off-by: Fabio Estevam +Tested-by: Joakim Zhang +Signed-off-by: Shawn Guo +Cc: Rasmus Villemoes +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mp-evk.dts | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/boot/dts/freescale/imx8mp-evk.dts ++++ b/arch/arm64/boot/dts/freescale/imx8mp-evk.dts +@@ -62,6 +62,8 @@ + reg = <1>; + eee-broken-1000t; + reset-gpios = <&gpio4 2 GPIO_ACTIVE_LOW>; ++ reset-assert-us = <10000>; ++ reset-deassert-us = <80000>; + }; + }; + }; diff --git a/queue-5.10/audit-improve-robustness-of-the-audit-queue-handling.patch b/queue-5.10/audit-improve-robustness-of-the-audit-queue-handling.patch new file mode 100644 index 00000000000..7901c45fa2e --- /dev/null +++ b/queue-5.10/audit-improve-robustness-of-the-audit-queue-handling.patch @@ -0,0 +1,109 @@ +From f4b3ee3c85551d2d343a3ba159304066523f730f Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Thu, 9 Dec 2021 11:46:07 -0500 +Subject: audit: improve robustness of the audit queue handling + +From: Paul Moore + +commit f4b3ee3c85551d2d343a3ba159304066523f730f upstream. + +If the audit daemon were ever to get stuck in a stopped state the +kernel's kauditd_thread() could get blocked attempting to send audit +records to the userspace audit daemon. With the kernel thread +blocked it is possible that the audit queue could grow unbounded as +certain audit record generating events must be exempt from the queue +limits else the system enter a deadlock state. + +This patch resolves this problem by lowering the kernel thread's +socket sending timeout from MAX_SCHEDULE_TIMEOUT to HZ/10 and tweaks +the kauditd_send_queue() function to better manage the various audit +queues when connection problems occur between the kernel and the +audit daemon. With this patch, the backlog may temporarily grow +beyond the defined limits when the audit daemon is stopped and the +system is under heavy audit pressure, but kauditd_thread() will +continue to make progress and drain the queues as it would for other +connection problems. For example, with the audit daemon put into a +stopped state and the system configured to audit every syscall it +was still possible to shutdown the system without a kernel panic, +deadlock, etc.; granted, the system was slow to shutdown but that is +to be expected given the extreme pressure of recording every syscall. + +The timeout value of HZ/10 was chosen primarily through +experimentation and this developer's "gut feeling". There is likely +no one perfect value, but as this scenario is limited in scope (root +privileges would be needed to send SIGSTOP to the audit daemon), it +is likely not worth exposing this as a tunable at present. This can +always be done at a later date if it proves necessary. + +Cc: stable@vger.kernel.org +Fixes: 5b52330bbfe63 ("audit: fix auditd/kernel connection state tracking") +Reported-by: Gaosheng Cui +Tested-by: Gaosheng Cui +Reviewed-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + kernel/audit.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -718,7 +718,7 @@ static int kauditd_send_queue(struct soc + { + int rc = 0; + struct sk_buff *skb; +- static unsigned int failed = 0; ++ unsigned int failed = 0; + + /* NOTE: kauditd_thread takes care of all our locking, we just use + * the netlink info passed to us (e.g. sk and portid) */ +@@ -735,32 +735,30 @@ static int kauditd_send_queue(struct soc + continue; + } + ++retry: + /* grab an extra skb reference in case of error */ + skb_get(skb); + rc = netlink_unicast(sk, skb, portid, 0); + if (rc < 0) { +- /* fatal failure for our queue flush attempt? */ ++ /* send failed - try a few times unless fatal error */ + if (++failed >= retry_limit || + rc == -ECONNREFUSED || rc == -EPERM) { +- /* yes - error processing for the queue */ + sk = NULL; + if (err_hook) + (*err_hook)(skb); +- if (!skb_hook) +- goto out; +- /* keep processing with the skb_hook */ ++ if (rc == -EAGAIN) ++ rc = 0; ++ /* continue to drain the queue */ + continue; + } else +- /* no - requeue to preserve ordering */ +- skb_queue_head(queue, skb); ++ goto retry; + } else { +- /* it worked - drop the extra reference and continue */ ++ /* skb sent - drop the extra reference and continue */ + consume_skb(skb); + failed = 0; + } + } + +-out: + return (rc >= 0 ? 0 : rc); + } + +@@ -1609,7 +1607,8 @@ static int __net_init audit_net_init(str + audit_panic("cannot initialize netlink socket in namespace"); + return -ENOMEM; + } +- aunet->sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT; ++ /* limit the timeout in case auditd is blocked/stopped */ ++ aunet->sk->sk_sndtimeo = HZ / 10; + + return 0; + } diff --git a/queue-5.10/bpf-fix-signed-bounds-propagation-after-mov32.patch b/queue-5.10/bpf-fix-signed-bounds-propagation-after-mov32.patch new file mode 100644 index 00000000000..d856e71421e --- /dev/null +++ b/queue-5.10/bpf-fix-signed-bounds-propagation-after-mov32.patch @@ -0,0 +1,97 @@ +From 3cf2b61eb06765e27fec6799292d9fb46d0b7e60 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Wed, 15 Dec 2021 22:02:19 +0000 +Subject: bpf: Fix signed bounds propagation after mov32 + +From: Daniel Borkmann + +commit 3cf2b61eb06765e27fec6799292d9fb46d0b7e60 upstream. + +For the case where both s32_{min,max}_value bounds are positive, the +__reg_assign_32_into_64() directly propagates them to their 64 bit +counterparts, otherwise it pessimises them into [0,u32_max] universe and +tries to refine them later on by learning through the tnum as per comment +in mentioned function. However, that does not always happen, for example, +in mov32 operation we call zext_32_to_64(dst_reg) which invokes the +__reg_assign_32_into_64() as is without subsequent bounds update as +elsewhere thus no refinement based on tnum takes place. + +Thus, not calling into the __update_reg_bounds() / __reg_deduce_bounds() / +__reg_bound_offset() triplet as we do, for example, in case of ALU ops via +adjust_scalar_min_max_vals(), will lead to more pessimistic bounds when +dumping the full register state: + +Before fix: + + 0: (b4) w0 = -1 + 1: R0_w=invP4294967295 + (id=0,imm=ffffffff, + smin_value=4294967295,smax_value=4294967295, + umin_value=4294967295,umax_value=4294967295, + var_off=(0xffffffff; 0x0), + s32_min_value=-1,s32_max_value=-1, + u32_min_value=-1,u32_max_value=-1) + + 1: (bc) w0 = w0 + 2: R0_w=invP4294967295 + (id=0,imm=ffffffff, + smin_value=0,smax_value=4294967295, + umin_value=4294967295,umax_value=4294967295, + var_off=(0xffffffff; 0x0), + s32_min_value=-1,s32_max_value=-1, + u32_min_value=-1,u32_max_value=-1) + +Technically, the smin_value=0 and smax_value=4294967295 bounds are not +incorrect, but given the register is still a constant, they break assumptions +about const scalars that smin_value == smax_value and umin_value == umax_value. + +After fix: + + 0: (b4) w0 = -1 + 1: R0_w=invP4294967295 + (id=0,imm=ffffffff, + smin_value=4294967295,smax_value=4294967295, + umin_value=4294967295,umax_value=4294967295, + var_off=(0xffffffff; 0x0), + s32_min_value=-1,s32_max_value=-1, + u32_min_value=-1,u32_max_value=-1) + + 1: (bc) w0 = w0 + 2: R0_w=invP4294967295 + (id=0,imm=ffffffff, + smin_value=4294967295,smax_value=4294967295, + umin_value=4294967295,umax_value=4294967295, + var_off=(0xffffffff; 0x0), + s32_min_value=-1,s32_max_value=-1, + u32_min_value=-1,u32_max_value=-1) + +Without the smin_value == smax_value and umin_value == umax_value invariant +being intact for const scalars, it is possible to leak out kernel pointers +from unprivileged user space if the latter is enabled. For example, when such +registers are involved in pointer arithmtics, then adjust_ptr_min_max_vals() +will taint the destination register into an unknown scalar, and the latter +can be exported and stored e.g. into a BPF map value. + +Fixes: 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") +Reported-by: Kuee K1r0a +Signed-off-by: Daniel Borkmann +Reviewed-by: John Fastabend +Acked-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -7125,6 +7125,10 @@ static int check_alu_op(struct bpf_verif + insn->dst_reg); + } + zext_32_to_64(dst_reg); ++ ++ __update_reg_bounds(dst_reg); ++ __reg_deduce_bounds(dst_reg); ++ __reg_bound_offset(dst_reg); + } + } else { + /* case: R = imm diff --git a/queue-5.10/bpf-make-32-64-bounds-propagation-slightly-more-robust.patch b/queue-5.10/bpf-make-32-64-bounds-propagation-slightly-more-robust.patch new file mode 100644 index 00000000000..a5a5a2e0d98 --- /dev/null +++ b/queue-5.10/bpf-make-32-64-bounds-propagation-slightly-more-robust.patch @@ -0,0 +1,62 @@ +From e572ff80f05c33cd0cb4860f864f5c9c044280b6 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Wed, 15 Dec 2021 22:28:48 +0000 +Subject: bpf: Make 32->64 bounds propagation slightly more robust + +From: Daniel Borkmann + +commit e572ff80f05c33cd0cb4860f864f5c9c044280b6 upstream. + +Make the bounds propagation in __reg_assign_32_into_64() slightly more +robust and readable by aligning it similarly as we did back in the +__reg_combine_64_into_32() counterpart. Meaning, only propagate or +pessimize them as a smin/smax pair. + +Signed-off-by: Daniel Borkmann +Reviewed-by: John Fastabend +Acked-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -1249,22 +1249,28 @@ static void __reg_bound_offset(struct bp + reg->var_off = tnum_or(tnum_clear_subreg(var64_off), var32_off); + } + ++static bool __reg32_bound_s64(s32 a) ++{ ++ return a >= 0 && a <= S32_MAX; ++} ++ + static void __reg_assign_32_into_64(struct bpf_reg_state *reg) + { + reg->umin_value = reg->u32_min_value; + reg->umax_value = reg->u32_max_value; +- /* Attempt to pull 32-bit signed bounds into 64-bit bounds +- * but must be positive otherwise set to worse case bounds +- * and refine later from tnum. ++ ++ /* Attempt to pull 32-bit signed bounds into 64-bit bounds but must ++ * be positive otherwise set to worse case bounds and refine later ++ * from tnum. + */ +- if (reg->s32_min_value >= 0 && reg->s32_max_value >= 0) +- reg->smax_value = reg->s32_max_value; +- else +- reg->smax_value = U32_MAX; +- if (reg->s32_min_value >= 0) ++ if (__reg32_bound_s64(reg->s32_min_value) && ++ __reg32_bound_s64(reg->s32_max_value)) { + reg->smin_value = reg->s32_min_value; +- else ++ reg->smax_value = reg->s32_max_value; ++ } else { + reg->smin_value = 0; ++ reg->smax_value = U32_MAX; ++ } + } + + static void __reg_combine_32_into_64(struct bpf_reg_state *reg) diff --git a/queue-5.10/bpf-selftests-add-test-case-trying-to-taint-map-value-pointer.patch b/queue-5.10/bpf-selftests-add-test-case-trying-to-taint-map-value-pointer.patch new file mode 100644 index 00000000000..9c2ba3eada4 --- /dev/null +++ b/queue-5.10/bpf-selftests-add-test-case-trying-to-taint-map-value-pointer.patch @@ -0,0 +1,74 @@ +From b1a7288dedc6caf9023f2676b4f5ed34cf0d4029 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Wed, 15 Dec 2021 23:48:54 +0000 +Subject: bpf, selftests: Add test case trying to taint map value pointer + +From: Daniel Borkmann + +commit b1a7288dedc6caf9023f2676b4f5ed34cf0d4029 upstream. + +Add a test case which tries to taint map value pointer arithmetic into a +unknown scalar with subsequent export through the map. + +Before fix: + + # ./test_verifier 1186 + #1186/u map access: trying to leak tained dst reg FAIL + Unexpected success to load! + verification time 24 usec + stack depth 8 + processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1 + #1186/p map access: trying to leak tained dst reg FAIL + Unexpected success to load! + verification time 8 usec + stack depth 8 + processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1 + Summary: 0 PASSED, 0 SKIPPED, 2 FAILED + +After fix: + + # ./test_verifier 1186 + #1186/u map access: trying to leak tained dst reg OK + #1186/p map access: trying to leak tained dst reg OK + Summary: 2 PASSED, 0 SKIPPED, 0 FAILED + +Signed-off-by: Daniel Borkmann +Reviewed-by: John Fastabend +Acked-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/verifier/value_ptr_arith.c | 23 +++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c ++++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c +@@ -849,6 +849,29 @@ + .errstr_unpriv = "R0 pointer -= pointer prohibited", + }, + { ++ "map access: trying to leak tained dst reg", ++ .insns = { ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), ++ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), ++ BPF_LD_MAP_FD(BPF_REG_1, 0), ++ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), ++ BPF_EXIT_INSN(), ++ BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), ++ BPF_MOV32_IMM(BPF_REG_1, 0xFFFFFFFF), ++ BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), ++ BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1), ++ BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .fixup_map_array_48b = { 4 }, ++ .result = REJECT, ++ .errstr = "math between map_value pointer and 4294967295 is not allowed", ++}, ++{ + "32bit pkt_ptr -= scalar", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1, diff --git a/queue-5.10/dm-btree-remove-fix-use-after-free-in-rebalance_children.patch b/queue-5.10/dm-btree-remove-fix-use-after-free-in-rebalance_children.patch new file mode 100644 index 00000000000..f2a9f377284 --- /dev/null +++ b/queue-5.10/dm-btree-remove-fix-use-after-free-in-rebalance_children.patch @@ -0,0 +1,32 @@ +From 1b8d2789dad0005fd5e7d35dab26a8e1203fb6da Mon Sep 17 00:00:00 2001 +From: Joe Thornber +Date: Wed, 24 Nov 2021 12:07:39 -0500 +Subject: dm btree remove: fix use after free in rebalance_children() + +From: Joe Thornber + +commit 1b8d2789dad0005fd5e7d35dab26a8e1203fb6da upstream. + +Move dm_tm_unlock() after dm_tm_dec(). + +Cc: stable@vger.kernel.org +Signed-off-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/persistent-data/dm-btree-remove.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/persistent-data/dm-btree-remove.c ++++ b/drivers/md/persistent-data/dm-btree-remove.c +@@ -423,9 +423,9 @@ static int rebalance_children(struct sha + + memcpy(n, dm_block_data(child), + dm_bm_block_size(dm_tm_get_bm(info->tm))); +- dm_tm_unlock(info->tm, child); + + dm_tm_dec(info->tm, dm_block_location(child)); ++ dm_tm_unlock(info->tm, child); + return 0; + } + diff --git a/queue-5.10/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch b/queue-5.10/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch new file mode 100644 index 00000000000..425644c9e38 --- /dev/null +++ b/queue-5.10/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch @@ -0,0 +1,36 @@ +From 85bf17b28f97ca2749968d8786dc423db320d9c2 Mon Sep 17 00:00:00 2001 +From: Jerome Marchand +Date: Fri, 10 Dec 2021 10:38:27 +0100 +Subject: recordmcount.pl: look for jgnop instruction as well as bcrl on s390 + +From: Jerome Marchand + +commit 85bf17b28f97ca2749968d8786dc423db320d9c2 upstream. + +On s390, recordmcount.pl is looking for "bcrl 0," instructions in +the objdump -d outpout. However since binutils 2.37, objdump -d +display "jgnop " for the same instruction. Update the +mcount_regex so that it accepts both. + +Signed-off-by: Jerome Marchand +Reviewed-by: Miroslav Benes +Acked-by: Steven Rostedt (VMware) +Cc: +Link: https://lore.kernel.org/r/20211210093827.1623286-1-jmarchan@redhat.com +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + scripts/recordmcount.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/recordmcount.pl ++++ b/scripts/recordmcount.pl +@@ -252,7 +252,7 @@ if ($arch eq "x86_64") { + + } elsif ($arch eq "s390" && $bits == 64) { + if ($cc =~ /-DCC_USING_HOTPATCH/) { +- $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*c0 04 00 00 00 00\\s*brcl\\s*0,[0-9a-f]+ <([^\+]*)>\$"; ++ $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*c0 04 00 00 00 00\\s*(bcrl\\s*0,|jgnop\\s*)[0-9a-f]+ <([^\+]*)>\$"; + $mcount_adjust = 0; + } else { + $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*R_390_(PC|PLT)32DBL\\s+_mcount\\+0x2\$"; diff --git a/queue-5.10/series b/queue-5.10/series index fc72a9b7cd5..4a46d741678 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -5,3 +5,13 @@ mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch mac80211-validate-extended-element-id-is-present.patch firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch +bpf-fix-signed-bounds-propagation-after-mov32.patch +bpf-make-32-64-bounds-propagation-slightly-more-robust.patch +bpf-selftests-add-test-case-trying-to-taint-map-value-pointer.patch +virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch +vdpa-check-that-offsets-are-within-bounds.patch +recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch +dm-btree-remove-fix-use-after-free-in-rebalance_children.patch +audit-improve-robustness-of-the-audit-queue-handling.patch +arm64-dts-imx8m-correct-assigned-clocks-for-fec.patch +arm64-dts-imx8mp-evk-improve-the-ethernet-phy-description.patch diff --git a/queue-5.10/vdpa-check-that-offsets-are-within-bounds.patch b/queue-5.10/vdpa-check-that-offsets-are-within-bounds.patch new file mode 100644 index 00000000000..4445d34ffb8 --- /dev/null +++ b/queue-5.10/vdpa-check-that-offsets-are-within-bounds.patch @@ -0,0 +1,37 @@ +From 3ed21c1451a14d139e1ceb18f2fa70865ce3195a Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 8 Dec 2021 13:33:37 +0300 +Subject: vdpa: check that offsets are within bounds + +From: Dan Carpenter + +commit 3ed21c1451a14d139e1ceb18f2fa70865ce3195a upstream. + +In this function "c->off" is a u32 and "size" is a long. On 64bit systems +if "c->off" is greater than "size" then "size - c->off" is a negative and +we always return -E2BIG. But on 32bit systems the subtraction is type +promoted to a high positive u32 value and basically any "c->len" is +accepted. + +Fixes: 4c8cf31885f6 ("vhost: introduce vDPA-based backend") +Reported-by: Xie Yongji +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20211208103337.GA4047@kili +Signed-off-by: Michael S. Tsirkin +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vdpa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/vhost/vdpa.c ++++ b/drivers/vhost/vdpa.c +@@ -196,7 +196,7 @@ static int vhost_vdpa_config_validate(st + break; + } + +- if (c->len == 0) ++ if (c->len == 0 || c->off > size) + return -EINVAL; + + if (c->len > size - c->off) diff --git a/queue-5.10/virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch b/queue-5.10/virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch new file mode 100644 index 00000000000..c21aac71ace --- /dev/null +++ b/queue-5.10/virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch @@ -0,0 +1,56 @@ +From 817fc978b5a29b039db0418a91072b31c9aab152 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Wed, 1 Dec 2021 11:20:18 +0000 +Subject: virtio_ring: Fix querying of maximum DMA mapping size for virtio device + +From: Will Deacon + +commit 817fc978b5a29b039db0418a91072b31c9aab152 upstream. + +virtio_max_dma_size() returns the maximum DMA mapping size of the virtio +device by querying dma_max_mapping_size() for the device when the DMA +API is in use for the vring. Unfortunately, the device passed is +initialised by register_virtio_device() and does not inherit the DMA +configuration from its parent, resulting in SWIOTLB errors when bouncing +is enabled and the default 256K mapping limit (IO_TLB_SEGSIZE) is not +respected: + + | virtio-pci 0000:00:01.0: swiotlb buffer is full (sz: 294912 bytes), total 1024 (slots), used 725 (slots) + +Follow the pattern used elsewhere in the virtio_ring code when calling +into the DMA layer and pass the parent device to dma_max_mapping_size() +instead. + +Cc: Marc Zyngier +Cc: Quentin Perret +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Signed-off-by: Will Deacon +Link: https://lore.kernel.org/r/20211201112018.25276-1-will@kernel.org +Acked-by: Jason Wang +Tested-by: Suzuki K Poulose +Fixes: e6d6dd6c875e ("virtio: Introduce virtio_max_dma_size()") +Cc: Joerg Roedel +Cc: Konrad Rzeszutek Wilk +Cc: Christoph Hellwig +Cc: Robin Murphy +Signed-off-by: Steven Price +Signed-off-by: Suzuki K Poulose +Cc: stable@vger.kernel.org +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/virtio/virtio_ring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/virtio/virtio_ring.c ++++ b/drivers/virtio/virtio_ring.c +@@ -263,7 +263,7 @@ size_t virtio_max_dma_size(struct virtio + size_t max_segment_size = SIZE_MAX; + + if (vring_use_dma_api(vdev)) +- max_segment_size = dma_max_mapping_size(&vdev->dev); ++ max_segment_size = dma_max_mapping_size(vdev->dev.parent); + + return max_segment_size; + }