From: Greg Kroah-Hartman Date: Mon, 22 Nov 2021 12:41:56 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v5.15.5~57 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7212faa410ef56bd1a17abcecffe1e37ddaec1c6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: block-check-admin-before-nice-for-ioprio_class_rt.patch hexagon-clean-up-timer-regs.h.patch hexagon-export-raw-i-o-routines-for-modules.patch ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch powerpc-8xx-fix-pinned-tlbs-with-config_strict_kernel_rwx.patch s390-kexec-fix-memory-leak-of-ipl-report-buffer.patch scsi-qla2xxx-fix-mailbox-direction-flags-in-qla2xxx_get_adapter_id.patch tipc-check-for-null-after-calling-kmemdup.patch x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch
---
diff --git a/queue-5.10/block-check-admin-before-nice-for-ioprio_class_rt.patch b/queue-5.10/block-check-admin-before-nice-for-ioprio_class_rt.patch
new file mode 100644
index 00000000000..646af9341d2
--- /dev/null
+++ b/queue-5.10/block-check-admin-before-nice-for-ioprio_class_rt.patch
@@ -0,0 +1,58 @@
+From 94c4b4fd25e6c3763941bdec3ad54f2204afa992 Mon Sep 17 00:00:00 2001
+From: Alistair Delva
+Date: Mon, 15 Nov 2021 18:16:55 +0000
+Subject: block: Check ADMIN before NICE for IOPRIO_CLASS_RT
+
+From: Alistair Delva
+
+commit 94c4b4fd25e6c3763941bdec3ad54f2204afa992 upstream.
+
+Booting to Android userspace on 5.14 or newer triggers the following
+SELinux denial:
+
+avc: denied { sys_nice } for comm="init" capability=23
+ scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability
+ permissive=0
+
+Init is PID 0 running as root, so it already has CAP_SYS_ADMIN. For
+better compatibility with older SEPolicy, check ADMIN before NICE.
+
+Fixes: 9d3a39a5f1e4 ("block: grant IOPRIO_CLASS_RT to CAP_SYS_NICE")
+Signed-off-by: Alistair Delva
+Cc: Khazhismel Kumykov
+Cc: Bart Van Assche
+Cc: Serge Hallyn
+Cc: Jens Axboe
+Cc: Greg Kroah-Hartman
+Cc: Paul Moore
+Cc: selinux@vger.kernel.org
+Cc: linux-security-module@vger.kernel.org
+Cc: kernel-team@android.com
+Cc: stable@vger.kernel.org # v5.14+
+Reviewed-by: Bart Van Assche
+Acked-by: Serge Hallyn
+Link: https://lore.kernel.org/r/20211115181655.3608659-1-adelva@google.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/ioprio.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/block/ioprio.c
++++ b/block/ioprio.c
+@@ -69,7 +69,14 @@ int ioprio_check_cap(int ioprio)
+
+ switch (class) {
+ case IOPRIO_CLASS_RT:
+- if (!capable(CAP_SYS_NICE) && !capable(CAP_SYS_ADMIN))
++ /*
++ * Originally this only checked for CAP_SYS_ADMIN,
++ * which was implicitly allowed for pid 0 by security
++ * modules such as SELinux. Make sure we check
++ * CAP_SYS_ADMIN first to avoid a denial/avc for
++ * possibly missing CAP_SYS_NICE permission.
++ */
++ if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_NICE))
+ return -EPERM;
+ fallthrough;
+ /* rt has prio field too */
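Review bot: The new comment says CAP_SYS_ADMIN "was implicitly allowed for pid 0", but the process in the cited denial is init (`comm="init"`), which is conventionally PID 1, so if that is what is meant the line `++ * which was implicitly allowed for init (pid 1) by security` would be more accurate than repeating the commit message's "PID 0". The ordering change itself is the substance of the fix: a capable() check that fails is what generates the AVC record, so asking for the capability init is already granted first avoids the spurious audit event without changing who is allowed through. The enclosing ioprio_check_cap() begins before this hunk.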
diff --git a/queue-5.10/hexagon-clean-up-timer-regs.h.patch b/queue-5.10/hexagon-clean-up-timer-regs.h.patch
new file mode 100644
index 00000000000..567bb462c83
--- /dev/null
+++ b/queue-5.10/hexagon-clean-up-timer-regs.h.patch
@@ -0,0 +1,132 @@
+From 51f2ec593441d3d1ebc0d478fac3ea329c7c93ac Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Fri, 19 Nov 2021 16:43:31 -0800
+Subject: hexagon: clean up timer-regs.h
+
+From: Nathan Chancellor
+
+commit 51f2ec593441d3d1ebc0d478fac3ea329c7c93ac upstream.
+
+When building allmodconfig, there is a warning about TIMER_ENABLE being
+redefined:
+
+ drivers/clocksource/timer-oxnas-rps.c:39:9: error: 'TIMER_ENABLE' macro redefined [-Werror,-Wmacro-redefined]
+ #define TIMER_ENABLE BIT(7)
+ ^
+ arch/hexagon/include/asm/timer-regs.h:13:9: note: previous definition is here
+ #define TIMER_ENABLE 0
+ ^
+ 1 error generated.
+
+The values in this header are only used in one file each, if they are
+used at all. Remove the header and sink all of the constants into their
+respective files.
+
+TCX0_CLK_RATE is only used in arch/hexagon/include/asm/timex.h
+
+TIMER_ENABLE, RTOS_TIMER_INT, RTOS_TIMER_REGS_ADDR are only used in
+arch/hexagon/kernel/time.c.
+
+SLEEP_CLK_RATE and TIMER_CLR_ON_MATCH have both been unused since the
+file's introduction in commit 71e4a47f32f4 ("Hexagon: Add time and timer
+functions").
+
+TIMER_ENABLE is redefined as BIT(0) so the shift is moved into the
+definition, rather than its use.
+
+Link: https://lkml.kernel.org/r/20211115174250.1994179-3-nathan@kernel.org
+Signed-off-by: Nathan Chancellor
+Acked-by: Brian Cain
+Cc: Nick Desaulniers
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/hexagon/include/asm/timer-regs.h | 26 --------------------------
+ arch/hexagon/include/asm/timex.h | 3 +--
+ arch/hexagon/kernel/time.c | 12 ++++++++++--
+ 3 files changed, 11 insertions(+), 30 deletions(-)
+ delete mode 100644 arch/hexagon/include/asm/timer-regs.h
+
+--- a/arch/hexagon/include/asm/timer-regs.h
++++ /dev/null
+@@ -1,26 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0-only */
+-/*
+- * Timer support for Hexagon
+- *
+- * Copyright (c) 2010-2011, The Linux Foundation.
All rights reserved.
+- */
+-
+-#ifndef _ASM_TIMER_REGS_H
+-#define _ASM_TIMER_REGS_H
+-
+-/* This stuff should go into a platform specific file */
+-#define TCX0_CLK_RATE 19200
+-#define TIMER_ENABLE 0
+-#define TIMER_CLR_ON_MATCH 1
+-
+-/*
+- * 8x50 HDD Specs 5-8. Simulator co-sim not fixed until
+- * release 1.1, and then it's "adjustable" and probably not defaulted.
+- */
+-#define RTOS_TIMER_INT 3
+-#ifdef CONFIG_HEXAGON_COMET
+-#define RTOS_TIMER_REGS_ADDR 0xAB000000UL
+-#endif
+-#define SLEEP_CLK_RATE 32000
+-
+-#endif
+--- a/arch/hexagon/include/asm/timex.h
++++ b/arch/hexagon/include/asm/timex.h
+@@ -7,11 +7,10 @@
+ #define _ASM_TIMEX_H
+
+ #include
+-#include
+ #include
+
+ /* Using TCX0 as our clock. CLOCK_TICK_RATE scheduled to be removed. */
+-#define CLOCK_TICK_RATE TCX0_CLK_RATE
++#define CLOCK_TICK_RATE 19200
+
+ #define ARCH_HAS_READ_CURRENT_TIMER
+
+--- a/arch/hexagon/kernel/time.c
++++ b/arch/hexagon/kernel/time.c
+@@ -17,9 +17,10 @@
+ #include
+ #include
+
+-#include
+ #include
+
++#define TIMER_ENABLE BIT(0)
++
+ /*
+ * For the clocksource we need:
+ * pcycle frequency (600MHz)
+@@ -33,6 +34,13 @@ cycles_t pcycle_freq_mhz;
+ cycles_t thread_freq_mhz;
+ cycles_t sleep_clk_freq;
+
++/*
++ * 8x50 HDD Specs 5-8. Simulator co-sim not fixed until
++ * release 1.1, and then it's "adjustable" and probably not defaulted.
++ */
++#define RTOS_TIMER_INT 3
++#define RTOS_TIMER_REGS_ADDR 0xAB000000UL
++
+ static struct resource rtos_timer_resources[] = {
+ {
+ .start = RTOS_TIMER_REGS_ADDR,
+@@ -80,7 +88,7 @@ static int set_next_event(unsigned long
+ iowrite32(0, &rtos_timer->clear);
+
+ iowrite32(delta, &rtos_timer->match);
+- iowrite32(1 << TIMER_ENABLE, &rtos_timer->enable);
++ iowrite32(TIMER_ENABLE, &rtos_timer->enable);
+ return 0;
+ }
+
diff --git a/queue-5.10/hexagon-export-raw-i-o-routines-for-modules.patch b/queue-5.10/hexagon-export-raw-i-o-routines-for-modules.patch
new file mode 100644
index 00000000000..b4c6b01bb6d
--- /dev/null
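Review bot: `RTOS_TIMER_REGS_ADDR 0xAB000000UL` lands in time.c without the `#ifdef CONFIG_HEXAGON_COMET` guard that wrapped it in the deleted header, so the address is now defined for every hexagon configuration and rtos_timer_resources[] is populated with it unconditionally. If time.c is only ever built for COMET-based configurations that is harmless, but it is a semantic change the commit message does not mention and the hunk does not let me verify; either keep the guard or record the decision with a one-line comment such as `/* COMET RTOS timer block; formerly CONFIG_HEXAGON_COMET-only in timer-regs.h */`. The rest of the move is mechanical and the `1 << TIMER_ENABLE` to `BIT(0)` rewrite preserves the written value.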
+++ b/queue-5.10/hexagon-export-raw-i-o-routines-for-modules.patch 
@@ -0,0 +1,70 @@
+From ffb92ce826fd801acb0f4e15b75e4ddf0d189bde Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Fri, 19 Nov 2021 16:43:28 -0800
+Subject: hexagon: export raw I/O routines for modules
+
+From: Nathan Chancellor
+
+commit ffb92ce826fd801acb0f4e15b75e4ddf0d189bde upstream.
+
+Patch series "Fixes for ARCH=hexagon allmodconfig", v2.
+
+This series fixes some issues noticed with ARCH=hexagon allmodconfig.
+
+This patch (of 3):
+
+When building ARCH=hexagon allmodconfig, the following errors occur:
+
+ ERROR: modpost: "__raw_readsl" [drivers/i3c/master/svc-i3c-master.ko] undefined!
+ ERROR: modpost: "__raw_writesl" [drivers/i3c/master/dw-i3c-master.ko] undefined!
+ ERROR: modpost: "__raw_readsl" [drivers/i3c/master/dw-i3c-master.ko] undefined!
+ ERROR: modpost: "__raw_writesl" [drivers/i3c/master/i3c-master-cdns.ko] undefined!
+ ERROR: modpost: "__raw_readsl" [drivers/i3c/master/i3c-master-cdns.ko] undefined!
+
+Export these symbols so that modules can use them without any errors.
+
+Link: https://lkml.kernel.org/r/20211115174250.1994179-1-nathan@kernel.org
+Link: https://lkml.kernel.org/r/20211115174250.1994179-2-nathan@kernel.org
+Fixes: 013bf24c3829 ("Hexagon: Provide basic implementation and/or stubs for I/O routines.")
+Signed-off-by: Nathan Chancellor
+Acked-by: Brian Cain
+Cc: Nick Desaulniers
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/hexagon/lib/io.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/hexagon/lib/io.c
++++ b/arch/hexagon/lib/io.c
+@@ -27,6 +27,7 @@ void __raw_readsw(const void __iomem *ad
+ *dst++ = *src;
+
+ }
++EXPORT_SYMBOL(__raw_readsw);
+
+ /*
+ * __raw_writesw - read words a short at a time
+@@ -47,6 +48,7 @@ void __raw_writesw(void __iomem *addr, c
+
+
+ }
++EXPORT_SYMBOL(__raw_writesw);
+
+ /* Pretty sure len is pre-adjusted for the length of the access already */
+ void __raw_readsl(const void __iomem *addr, void *data, int len)
+@@ -62,6 +64,7 @@ void __raw_readsl(const void __iomem *ad
+
+
+ }
++EXPORT_SYMBOL(__raw_readsl);
+
+ void __raw_writesl(void __iomem *addr, const void *data, int len)
+ {
+@@ -76,3 +79,4 @@ void __raw_writesl(void __iomem *addr, c
+
+
+ }
++EXPORT_SYMBOL(__raw_writesl);
diff --git a/queue-5.10/ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch b/queue-5.10/ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch
new file mode 100644
index 00000000000..584e8cac99e
--- /dev/null
+++ b/queue-5.10/ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch
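Review bot: The header comment above __raw_writesw still reads `* __raw_writesw - read words a short at a time`, which describes the readsw counterpart; now that the symbol is exported, this is the documentation module authors will read, so `* __raw_writesw - write words a short at a time` is the accurate line. Likewise the `/* Pretty sure len is pre-adjusted for the length of the access already */` comment on __raw_readsl is a guess rather than a contract, and exporting the routine is the moment to state definitively what unit len is in, since callers outside the arch will now depend on it. The function bodies themselves are outside the hunks.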
@@ -0,0 +1,115 @@
+From 126e8bee943e9926238c891e2df5b5573aee76bc Mon Sep 17 00:00:00 2001
+From: Alexander Mikhalitsyn
+Date: Fri, 19 Nov 2021 16:43:18 -0800
+Subject: ipc: WARN if trying to remove ipc object which is absent
+
+From: Alexander Mikhalitsyn
+
+commit 126e8bee943e9926238c891e2df5b5573aee76bc upstream.
+
+Patch series "shm: shm_rmid_forced feature fixes".
+
+Some time ago I met kernel crash after CRIU restore procedure,
+fortunately, it was CRIU restore, so, I had dump files and could do
+restore many times and crash reproduced easily. After some
+investigation I've constructed the minimal reproducer. It was found
+that it's use-after-free and it happens only if sysctl
+kernel.shm_rmid_forced = 1.
+
+The key of the problem is that the exit_shm() function not handles shp's
+object destroy when task->sysvshm.shm_clist contains items from
+different IPC namespaces. In most cases this list will contain only
+items from one IPC namespace.
+
+How can this list contain object from different namespaces? The
+exit_shm() function is designed to clean up this list always when
+process leaves IPC namespace. But we made a mistake a long time ago and
+did not add a exit_shm() call into the setns() syscall procedures.
+
+The first idea was just to add this call to setns() syscall but it
+obviously changes semantics of setns() syscall and that's
+userspace-visible change. So, I gave up on this idea.
+
+The first real attempt to address the issue was just to omit forced
+destroy if we meet shp object not from current task IPC namespace [1].
+But that was not the best idea because task->sysvshm.shm_clist was
+protected by rwsem which belongs to current task IPC namespace. It
+means that list corruption may occur.
+
+Second approach is just extend exit_shm() to properly handle shp's from
+different IPC namespaces [2]. This is really non-trivial thing, I've
+put a lot of effort into that but not believed that it's possible to
+make it fully safe, clean and clear.
+
+Thanks to the efforts of Manfred Spraul working an elegant solution was
+designed. Thanks a lot, Manfred!
+
+Eric also suggested the way to address the issue in ("[RFC][PATCH] shm:
+In shm_exit destroy all created and never attached segments") Eric's
+idea was to maintain a list of shm_clists one per IPC namespace, use
+lock-less lists. But there is some extra memory consumption-related
+concerns.
+
+An alternative solution which was suggested by me was implemented in
+("shm: reset shm_clist on setns but omit forced shm destroy"). The idea
+is pretty simple, we add exit_shm() syscall to setns() but DO NOT
+destroy shm segments even if sysctl kernel.shm_rmid_forced = 1, we just
+clean up the task->sysvshm.shm_clist list.
+
+This chages semantics of setns() syscall a little bit but in comparision
+to the "naive" solution when we just add exit_shm() without any special
+exclusions this looks like a safer option.
+
+[1] https://lkml.org/lkml/2021/7/6/1108
+[2] https://lkml.org/lkml/2021/7/14/736
+
+This patch (of 2):
+
+Let's produce a warning if we trying to remove non-existing IPC object
+from IPC namespace kht/idr structures.
+
+This allows us to catch possible bugs when the ipc_rmid() function was
+called with inconsistent struct ipc_ids*, struct kern_ipc_perm*
+arguments.
+
+Link: https://lkml.kernel.org/r/20211027224348.611025-1-alexander.mikhalitsyn@virtuozzo.com
+Link: https://lkml.kernel.org/r/20211027224348.611025-2-alexander.mikhalitsyn@virtuozzo.com
+Co-developed-by: Manfred Spraul
+Signed-off-by: Manfred Spraul
+Signed-off-by: Alexander Mikhalitsyn
+Cc: "Eric W.
Biederman"
+Cc: Davidlohr Bueso
+Cc: Greg KH
+Cc: Andrei Vagin
+Cc: Pavel Tikhomirov
+Cc: Vasily Averin
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ ipc/util.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/ipc/util.c
++++ b/ipc/util.c
+@@ -446,8 +446,8 @@ static int ipcget_public(struct ipc_name
+ static void ipc_kht_remove(struct ipc_ids *ids, struct kern_ipc_perm *ipcp)
+ {
+ if (ipcp->key != IPC_PRIVATE)
+- rhashtable_remove_fast(&ids->key_ht, &ipcp->khtnode,
+- ipc_kht_params);
++ WARN_ON_ONCE(rhashtable_remove_fast(&ids->key_ht, &ipcp->khtnode,
++ ipc_kht_params));
+ }
+
+ /**
+@@ -462,7 +462,7 @@ void ipc_rmid(struct ipc_ids *ids, struc
+ {
+ int idx = ipcid_to_idx(ipcp->id);
+
+- idr_remove(&ids->ipcs_idr, idx);
++ WARN_ON_ONCE(idr_remove(&ids->ipcs_idr, idx) != ipcp);
+ ipc_kht_remove(ids, ipcp);
+ ids->in_use--;
+ ipcp->deleted = true;
diff --git a/queue-5.10/mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch b/queue-5.10/mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch
new file mode 100644
index 00000000000..ce7154046af
--- /dev/null
+++ b/queue-5.10/mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch
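Review bot: After either WARN_ON_ONCE fires, ipc_rmid() still runs `ids->in_use--` and `ipcp->deleted = true`, so a mismatch between the idr entry and ipcp is reported but the in_use counter is decremented for an object the idr did not hold, and the second and later occurrences are silent. That is presumably intentional, since the series aims to surface the inconsistency rather than recover from it, but a one-line comment at the idr_remove() call, e.g. `/* A mismatch means ipcp was not in this idr; report it, no recovery is attempted. */`, would keep a later reader from "fixing" the flow. Note also that on systems running with panic_on_warn this converts a formerly silent inconsistency into a crash, which is worth knowing for hardened deployments backporting this. ipc_rmid()'s signature line is truncated in the hunk header and the function ends outside the hunk.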
@@ -0,0 +1,51 @@
+From 34dbc3aaf5d9e89ba6cc5e24add9458c21ab1950 Mon Sep 17 00:00:00 2001
+From: Rustam Kovhaev
+Date: Fri, 19 Nov 2021 16:43:37 -0800
+Subject: mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag
+
+From: Rustam Kovhaev
+
+commit 34dbc3aaf5d9e89ba6cc5e24add9458c21ab1950 upstream.
+
+When kmemleak is enabled for SLOB, system does not boot and does not
+print anything to the console. At the very early stage in the boot
+process we hit infinite recursion from kmemleak_init() and eventually
+kernel crashes.
+
+kmemleak_init() specifies SLAB_NOLEAKTRACE for KMEM_CACHE(), but
+kmem_cache_create_usercopy() removes it because CACHE_CREATE_MASK is not
+valid for SLOB.
+
+Let's fix CACHE_CREATE_MASK and make kmemleak work with SLOB
+
+Link: https://lkml.kernel.org/r/20211115020850.3154366-1-rkovhaev@gmail.com
+Fixes: d8843922fba4 ("slab: Ignore internal flags in cache creation")
+Signed-off-by: Rustam Kovhaev
+Acked-by: Vlastimil Babka
+Reviewed-by: Muchun Song
+Cc: Christoph Lameter
+Cc: Pekka Enberg
+Cc: David Rientjes
+Cc: Joonsoo Kim
+Cc: Catalin Marinas
+Cc: Greg Kroah-Hartman
+Cc: Glauber Costa
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/slab.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -147,7 +147,7 @@ static inline slab_flags_t kmem_cache_fl
+ #define SLAB_CACHE_FLAGS (SLAB_NOLEAKTRACE | SLAB_RECLAIM_ACCOUNT | \
+ SLAB_TEMPORARY | SLAB_ACCOUNT)
+ #else
+-#define SLAB_CACHE_FLAGS (0)
++#define SLAB_CACHE_FLAGS (SLAB_NOLEAKTRACE)
+ #endif
+
+ /* Common flags available with current configuration */
diff --git a/queue-5.10/powerpc-8xx-fix-pinned-tlbs-with-config_strict_kernel_rwx.patch b/queue-5.10/powerpc-8xx-fix-pinned-tlbs-with-config_strict_kernel_rwx.patch
new file mode 100644
index 00000000000..9e668d06f0a
--- /dev/null
+++ b/queue-5.10/powerpc-8xx-fix-pinned-tlbs-with-config_strict_kernel_rwx.patch
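Review bot: The `#else` branch now keeps exactly one flag, SLAB_NOLEAKTRACE, but nothing in the header says why that flag and no other survives the mask for SLOB; the reasoning (kmemleak's own caches must not be tracked, or kmemleak_init() recurses) lives only in the commit message. A short comment on the new line, `/* SLOB: keep SLAB_NOLEAKTRACE so kmemleak's own caches are not tracked (avoids recursion from kmemleak_init()). */`, would keep that knowledge with the code, particularly since the first branch lists it among several flags and a reader may assume the asymmetry is accidental. Whether SLOB honours the flag anywhere else cannot be judged from this hunk; the function named in the hunk header starts outside it.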
@@ -0,0 +1,90 @@
+From 1e35eba4055149c578baf0318d2f2f89ea3c44a0 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy
+Date: Mon, 15 Nov 2021 09:08:36 +0100
+Subject: powerpc/8xx: Fix pinned TLBs with CONFIG_STRICT_KERNEL_RWX
+
+From: Christophe Leroy
+
+commit 1e35eba4055149c578baf0318d2f2f89ea3c44a0 upstream.
+
+As spotted and explained in commit c12ab8dbc492 ("powerpc/8xx: Fix
+Oops with STRICT_KERNEL_RWX without DEBUG_RODATA_TEST"), the selection
+of STRICT_KERNEL_RWX without selecting DEBUG_RODATA_TEST has spotted
+the lack of the DIRTY bit in the pinned kernel data TLBs.
+
+This problem should have been detected a lot earlier if things had
+been working as expected. But due to an incredible level of chance or
+mishap, this went undetected because of a set of bugs: In fact the
+DTLBs were not pinned, because instead of setting the reserve bit
+in MD_CTR, it was set in MI_CTR that is the register for ITLBs.
+
+But then, another huge bug was there: the physical address was
+reset to 0 at the boundary between RO and RW areas, leading to the
+same physical space being mapped at both 0xc0000000 and 0xc8000000.
+This had by miracle no consequence until now because the entry was
+not really pinned so it was overwritten soon enough to go undetected.
+
+Of course, now that we really pin the DTLBs, it must be fixed as well.
+
+Fixes: f76c8f6d257c ("powerpc/8xx: Add function to set pinned TLBs")
+Cc: stable@vger.kernel.org # v5.8+
+Signed-off-by: Christophe Leroy
+Depends-on: c12ab8dbc492 ("powerpc/8xx: Fix Oops with STRICT_KERNEL_RWX without DEBUG_RODATA_TEST")
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/a21e9a057fe2d247a535aff0d157a54eefee017a.1636963688.git.christophe.leroy@csgroup.eu
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/head_8xx.S | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/kernel/head_8xx.S
++++ b/arch/powerpc/kernel/head_8xx.S
+@@ -766,6 +766,7 @@ _GLOBAL(mmu_pin_tlb)
+ #ifdef CONFIG_PIN_TLB_DATA
+ LOAD_REG_IMMEDIATE(r6, PAGE_OFFSET)
+ LOAD_REG_IMMEDIATE(r7, MI_SVALID | MI_PS8MEG | _PMD_ACCESSED)
++ li r8, 0
+ #ifdef CONFIG_PIN_TLB_IMMR
+ li r0, 3
+ #else
+@@ -774,26 +775,26 @@ _GLOBAL(mmu_pin_tlb)
+ mtctr r0
+ cmpwi r4, 0
+ beq 4f
+- LOAD_REG_IMMEDIATE(r8, 0xf0 | _PAGE_RO | _PAGE_SPS | _PAGE_SH | _PAGE_PRESENT)
+ LOAD_REG_ADDR(r9, _sinittext)
+
+ 2: ori r0, r6, MD_EVALID
++ ori r12, r8, 0xf0 | _PAGE_RO | _PAGE_SPS | _PAGE_SH | _PAGE_PRESENT
+ mtspr SPRN_MD_CTR, r5
+ mtspr SPRN_MD_EPN, r0
+ mtspr SPRN_MD_TWC, r7
+- mtspr SPRN_MD_RPN, r8
++ mtspr SPRN_MD_RPN, r12
+ addi r5, r5, 0x100
+ addis r6, r6, SZ_8M@h
+ addis r8, r8, SZ_8M@h
+ cmplw r6, r9
+ bdnzt lt, 2b
+-
+-4: LOAD_REG_IMMEDIATE(r8, 0xf0 | _PAGE_DIRTY | _PAGE_SPS | _PAGE_SH | _PAGE_PRESENT)
++4:
+ 2: ori r0, r6, MD_EVALID
++ ori r12, r8, 0xf0 | _PAGE_DIRTY | _PAGE_SPS | _PAGE_SH | _PAGE_PRESENT
+ mtspr SPRN_MD_CTR, r5
+ mtspr SPRN_MD_EPN, r0
+ mtspr SPRN_MD_TWC, r7
+- mtspr SPRN_MD_RPN, r8
++ mtspr SPRN_MD_RPN, r12
+ addi r5, r5, 0x100
+ addis r6, r6, SZ_8M@h
+ addis r8, r8, SZ_8M@h
+@@ -814,7 +815,7 @@ _GLOBAL(mmu_pin_tlb)
+ #endif
+ #if defined(CONFIG_PIN_TLB_IMMR) || defined(CONFIG_PIN_TLB_DATA)
+ lis r0, (MD_RSV4I | MD_TWAM)@h
+- mtspr SPRN_MI_CTR, r0
++ mtspr SPRN_MD_CTR, r0
+ #endif
+ mtspr SPRN_SRR1, r10
+ mtspr SPRN_SRR0,
r11
diff --git a/queue-5.10/s390-kexec-fix-memory-leak-of-ipl-report-buffer.patch b/queue-5.10/s390-kexec-fix-memory-leak-of-ipl-report-buffer.patch
new file mode 100644
index 00000000000..e14e44f2950
--- /dev/null
+++ b/queue-5.10/s390-kexec-fix-memory-leak-of-ipl-report-buffer.patch
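Review bot: r12 is introduced as the scratch register holding the RPN value in both pinning loops, but nothing in the hunks shows whether r12 is live elsewhere in mmu_pin_tlb (the routine begins before the first hunk and continues after the last), and the old code had no third register here; confirm r12 was free, and record it with a comment such as `/* r8: running physical address, r12: scratch RPN for the current entry */`. The new `li r8, 0` placed before the `beq 4f` also covers the path that skips the RO loop entirely, so the RW loop starts from physical 0 in that case as before while inheriting the advanced r8 in the normal case, which is the duplicate-mapping fix the message describes. The SPRN_MI_CTR to SPRN_MD_CTR change at the end is what actually makes the DTLB reservation take effect, so the earlier two fixes become load-bearing only together with it; they should not be split if this is ever cherry-picked further.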
@@ -0,0 +1,85 @@
+From 4aa9340584e37debef06fa99b56d064beb723891 Mon Sep 17 00:00:00 2001
+From: Baoquan He
+Date: Tue, 16 Nov 2021 11:31:01 +0800
+Subject: s390/kexec: fix memory leak of ipl report buffer
+
+From: Baoquan He
+
+commit 4aa9340584e37debef06fa99b56d064beb723891 upstream.
+
+unreferenced object 0x38000195000 (size 4096):
+ comm "kexec", pid 8548, jiffies 4294953647 (age 32443.270s)
+ hex dump (first 32 bytes):
+ 00 00 00 c8 20 00 00 00 00 00 00 c0 02 80 00 00 .... ...........
+ 40 40 40 40 40 40 40 40 00 00 00 00 00 00 00 00 @@@@@@@@........
+ backtrace:
+ [<0000000011a2f199>] __vmalloc_node_range+0xc0/0x140
+ [<0000000081fa2752>] vzalloc+0x5a/0x70
+ [<0000000063a4c92d>] ipl_report_finish+0x2c/0x180
+ [<00000000553304da>] kexec_file_add_ipl_report+0xf4/0x150
+ [<00000000862d033f>] kexec_file_add_components+0x124/0x160
+ [<000000000d2717bb>] arch_kexec_kernel_image_load+0x62/0x90
+ [<000000002e0373b6>] kimage_file_alloc_init+0x1aa/0x2e0
+ [<0000000060f2d14f>] __do_sys_kexec_file_load+0x17c/0x2c0
+ [<000000008c86fe5a>] __s390x_sys_kexec_file_load+0x40/0x50
+ [<000000001fdb9dac>] __do_syscall+0x1bc/0x1f0
+ [<000000003ee4258d>] system_call+0x78/0xa0
+
+Signed-off-by: Baoquan He
+Reviewed-by: Philipp Rudo
+Fixes: 99feaa717e55 ("s390/kexec_file: Create ipl report and pass to next kernel")
+Cc: # v5.2: 20c76e242e70: s390/kexec: fix return code handling
+Cc: # v5.2
+Link: https://lore.kernel.org/r/20211116033101.GD21646@MiWiFi-R3L-srv
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/include/asm/kexec.h | 6 ++++++
+ arch/s390/kernel/machine_kexec_file.c | 10 ++++++++++
+ 2 files changed, 16 insertions(+)
+
+--- a/arch/s390/include/asm/kexec.h
++++ b/arch/s390/include/asm/kexec.h
+@@ -74,6 +74,12 @@ void *kexec_file_add_components(struct k
+ int arch_kexec_do_relocs(int r_type, void *loc, unsigned long val,
+ unsigned long addr);
+
++#define ARCH_HAS_KIMAGE_ARCH
++
++struct kimage_arch {
++ void *ipl_buf;
++};
++
+ extern const
struct kexec_file_ops s390_kexec_image_ops;
+ extern const struct kexec_file_ops s390_kexec_elf_ops;
+
+--- a/arch/s390/kernel/machine_kexec_file.c
++++ b/arch/s390/kernel/machine_kexec_file.c
+@@ -12,6 +12,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -206,6 +207,7 @@ static int kexec_file_add_ipl_report(str
+ goto out;
+ buf.bufsz = data->report->size;
+ buf.memsz = buf.bufsz;
++ image->arch.ipl_buf = buf.buffer;
+
+ data->memsz += buf.memsz;
+
+@@ -327,3 +329,11 @@ int arch_kexec_kernel_image_probe(struct
+
+ return kexec_image_probe_default(image, buf, buf_len);
+ }
++
++int arch_kimage_file_post_load_cleanup(struct kimage *image)
++{
++ vfree(image->arch.ipl_buf);
++ image->arch.ipl_buf = NULL;
++
++ return kexec_image_post_load_cleanup_default(image);
++}
diff --git a/queue-5.10/scsi-qla2xxx-fix-mailbox-direction-flags-in-qla2xxx_get_adapter_id.patch b/queue-5.10/scsi-qla2xxx-fix-mailbox-direction-flags-in-qla2xxx_get_adapter_id.patch
new file mode 100644
index 00000000000..2e89073f4bd
--- /dev/null
+++ b/queue-5.10/scsi-qla2xxx-fix-mailbox-direction-flags-in-qla2xxx_get_adapter_id.patch
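Review bot: arch_kimage_file_post_load_cleanup() calls vfree() on image->arch.ipl_buf unconditionally, so it relies on the new kimage_arch being zero-initialised for images where kexec_file_add_ipl_report() never reached the assignment (vfree(NULL) is a no-op, an uninitialised pointer is not); the kimage allocation is outside this patch, so confirm it zeroes the struct, or add an explicit initialisation where the image is set up. The assignment `image->arch.ipl_buf = buf.buffer;` also does not release any previous value, so if the report were ever added twice for one image the first buffer would leak again; a comment at that line, `/* Owned by the image from here; freed in arch_kimage_file_post_load_cleanup() */`, would document both the ownership transfer and the once-per-image assumption. kexec_file_add_ipl_report()'s body begins before its hunk.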
@@ -0,0 +1,39 @@
+From 392006871bb26166bcfafa56faf49431c2cfaaa8 Mon Sep 17 00:00:00 2001
+From: "Ewan D. Milne"
+Date: Mon, 8 Nov 2021 13:30:12 -0500
+Subject: scsi: qla2xxx: Fix mailbox direction flags in qla2xxx_get_adapter_id()
+
+From: Ewan D. Milne
+
+commit 392006871bb26166bcfafa56faf49431c2cfaaa8 upstream.
+
+The SCM changes set the flags in mcp->out_mb instead of mcp->in_mb so the
+data was not actually being read into the mcp->mb[] array from the adapter.
+
+Link: https://lore.kernel.org/r/20211108183012.13895-1-emilne@redhat.com
+Fixes: 9f2475fe7406 ("scsi: qla2xxx: SAN congestion management implementation")
+Cc: stable@vger.kernel.org
+Reviewed-by: Himanshu Madhani
+Reviewed-by: Arun Easi
+Signed-off-by: Ewan D. Milne
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_mbx.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -1650,10 +1650,8 @@ qla2x00_get_adapter_id(scsi_qla_host_t *
+ mcp->in_mb |= MBX_13|MBX_12|MBX_11|MBX_10;
+ if (IS_FWI2_CAPABLE(vha->hw))
+ mcp->in_mb |= MBX_19|MBX_18|MBX_17|MBX_16;
+- if (IS_QLA27XX(vha->hw) || IS_QLA28XX(vha->hw)) {
+- mcp->in_mb |= MBX_15;
+- mcp->out_mb |= MBX_7|MBX_21|MBX_22|MBX_23;
+- }
++ if (IS_QLA27XX(vha->hw) || IS_QLA28XX(vha->hw))
++ mcp->in_mb |= MBX_15|MBX_21|MBX_22|MBX_23;
+
+ mcp->tov = MBX_TOV_SECONDS;
+ mcp->flags = 0;
diff --git a/queue-5.10/series b/queue-5.10/series
index 3cf300017eb..56129e7d530 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
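Review bot: MBX_7 from the removed `mcp->out_mb |= MBX_7|MBX_21|MBX_22|MBX_23;` is not carried into the replacement, which reads `mcp->in_mb |= MBX_15|MBX_21|MBX_22|MBX_23;`; if the firmware returns data in mailbox 7 for these adapters and MBX_7 is not already in in_mb from the assignments earlier in qla2x00_get_adapter_id() (the function starts outside the hunk), mb[7] would still not be read after this fix. Worth checking against the earlier in_mb lines or the firmware interface before the backport ships, since the symptom would be the same silent stale data the commit message describes.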
@@ -120,3 +120,13 @@ s390-kexec-fix-return-code-handling.patch
 net-stmmac-dwmac-rk-fix-ethernet-on-rk3399-based-devices.patch
 arm64-vdso32-suppress-error-message-for-make-mrproper.patch
 tun-fix-bonding-active-backup-with-arp-monitoring.patch
+hexagon-export-raw-i-o-routines-for-modules.patch
+hexagon-clean-up-timer-regs.h.patch
+tipc-check-for-null-after-calling-kmemdup.patch
+ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch
+mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch
+x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch
+powerpc-8xx-fix-pinned-tlbs-with-config_strict_kernel_rwx.patch
+scsi-qla2xxx-fix-mailbox-direction-flags-in-qla2xxx_get_adapter_id.patch
+s390-kexec-fix-memory-leak-of-ipl-report-buffer.patch
+block-check-admin-before-nice-for-ioprio_class_rt.patch
diff --git a/queue-5.10/tipc-check-for-null-after-calling-kmemdup.patch b/queue-5.10/tipc-check-for-null-after-calling-kmemdup.patch
new file mode 100644
index 00000000000..cde52c492b5
--- /dev/null
+++ b/queue-5.10/tipc-check-for-null-after-calling-kmemdup.patch
@@ -0,0 +1,42 @@
+From 3e6db079751afd527bf3db32314ae938dc571916 Mon Sep 17 00:00:00 2001
+From: Tadeusz Struk
+Date: Mon, 15 Nov 2021 08:01:43 -0800
+Subject: tipc: check for null after calling kmemdup
+
+From: Tadeusz Struk
+
+commit 3e6db079751afd527bf3db32314ae938dc571916 upstream.
+
+kmemdup can return a null pointer so need to check for it, otherwise
+the null key will be dereferenced later in tipc_crypto_key_xmit as
+can be seen in the trace [1].
+
+Cc: tipc-discussion@lists.sourceforge.net
+Cc: stable@vger.kernel.org # 5.15, 5.14, 5.10
+
+[1] https://syzkaller.appspot.com/bug?id=bca180abb29567b189efdbdb34cbf7ba851c2a58
+
+Reported-by: Dmitry Vyukov
+Signed-off-by: Tadeusz Struk
+Acked-by: Ying Xue
+Acked-by: Jon Maloy
+Link: https://lore.kernel.org/r/20211115160143.5099-1-tadeusz.struk@linaro.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/crypto.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/tipc/crypto.c
++++ b/net/tipc/crypto.c
+@@ -590,6 +590,10 @@ static int tipc_aead_init(struct tipc_ae
+ tmp->cloned = NULL;
+ tmp->authsize = TIPC_AES_GCM_TAG_SIZE;
+ tmp->key = kmemdup(ukey, tipc_aead_key_size(ukey), GFP_KERNEL);
++ if (!tmp->key) {
++ tipc_aead_free(&tmp->rcu);
++ return -ENOMEM;
++ }
+ memcpy(&tmp->salt, ukey->key + keylen, TIPC_AES_GCM_SALT_SIZE);
+ atomic_set(&tmp->users, 0);
+ atomic64_set(&tmp->seqno, 0);
diff --git a/queue-5.10/x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch b/queue-5.10/x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch
new file mode 100644
index 00000000000..b37ce68c7dc
--- /dev/null
+++ b/queue-5.10/x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch
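Review bot: The error path hands a partially initialised object to `tipc_aead_free(&tmp->rcu)`: tmp->key is NULL at this point, the following `memcpy(&tmp->salt, ...)`, `atomic_set(&tmp->users, 0)` and `atomic64_set(&tmp->seqno, 0)` have not run, and whatever tipc_aead_init() set up before the hunk (the function starts outside it) is in its pre-key state. That is sound only if tipc_aead_free() tolerates a NULL key and does not consult users/seqno, which the hunk cannot confirm; a comment on the new branch, `/* tmp is not yet published: free synchronously, key is NULL here */`, would make the precondition explicit and also justify calling the free routine directly rather than through the RCU callback it is shaped for.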
@@ -0,0 +1,57 @@
+From daf972118c517b91f74ff1731417feb4270625a4 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Thu, 4 Nov 2021 18:22:38 +0000
+Subject: x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails
+
+From: Sean Christopherson
+
+commit daf972118c517b91f74ff1731417feb4270625a4 upstream.
+
+Check for a valid hv_vp_index array prior to derefencing hv_vp_index when
+setting Hyper-V's TSC change callback. If Hyper-V setup failed in
+hyperv_init(), the kernel will still report that it's running under
+Hyper-V, but will have silently disabled nearly all functionality.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000010
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP
+ CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc2+ #75
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ RIP: 0010:set_hv_tscchange_cb+0x15/0xa0
+ Code: <8b> 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08
+ ...
+ Call Trace:
+ kvm_arch_init+0x17c/0x280
+ kvm_init+0x31/0x330
+ vmx_init+0xba/0x13a
+ do_one_initcall+0x41/0x1c0
+ kernel_init_freeable+0x1f2/0x23b
+ kernel_init+0x16/0x120
+ ret_from_fork+0x22/0x30
+
+Fixes: 93286261de1b ("x86/hyperv: Reenlightenment notifications support")
+Cc: stable@vger.kernel.org
+Cc: Vitaly Kuznetsov
+Signed-off-by: Sean Christopherson
+Reviewed-by: Vitaly Kuznetsov
+Link: https://lore.kernel.org/r/20211104182239.1302956-2-seanjc@google.com
+Signed-off-by: Wei Liu
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/hyperv/hv_init.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/hyperv/hv_init.c
++++ b/arch/x86/hyperv/hv_init.c
+@@ -176,6 +176,9 @@ void set_hv_tscchange_cb(void (*cb)(void
+ return;
+ }
+
++ if (!hv_vp_index)
++ return;
++
+ hv_reenlightenment_cb = cb;
+
+ /* Make sure callback is registered before we write to MSRs */
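Review bot: The new `if (!hv_vp_index) return;` drops the registration silently, like the `return;` just above it, so the caller (kvm_arch_init() in the trace) gets no indication that reenlightenment notifications will never arrive; since the message says a failed hyperv_init() leaves Hyper-V reported as present but non-functional, this is exactly the state an operator would want in the log. A comment on the check, `/* hyperv_init() failed: Hyper-V is reported but never set up, so hv_vp_index was never allocated */`, explains why a NULL array is a legitimate condition here rather than a bug, and a pr_warn_once() alongside it would make the degraded state visible without changing the void return contract. set_hv_tscchange_cb() continues past the end of the hunk.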