From: Greg Kroah-Hartman Date: Tue, 1 Oct 2024 08:20:23 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.6.54~118 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=931451bfdd695c722d356f82c85370a539ec3f0c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch input-goodix-use-the-new-soc_intel_is_byt-helper.patch mptcp-fix-sometimes-uninitialized-warning.patch powercap-rapl-fix-invalid-initialization-for-pl4_supported-field.patch revert-bpf-eliminate-rlimit-based-memory-accounting-for-devmap-maps.patch revert-bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch selinux-smack-don-t-bypass-permissions-check-in-inode_setsecctx-hook.patch x86-mm-switch-to-new-intel-cpu-model-defines.patch --- diff --git a/queue-5.10/bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch b/queue-5.10/bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch new file mode 100644 index 00000000000..a7911b866d2 --- /dev/null +++ b/queue-5.10/bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch @@ -0,0 +1,59 @@ +From stable+bounces-78114-greg=kroah.com@vger.kernel.org Fri Sep 27 15:48:44 2024 +From: Pu Lehui +Date: Fri, 27 Sep 2024 13:51:18 +0000 +Subject: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches +To: stable@vger.kernel.org, bpf@vger.kernel.org +Cc: "Greg Kroah-Hartman" , "Sasha Levin" , "Toke Høiland-Jørgensen" , "Pu Lehui" +Message-ID: <20240927135118.1432057-4-pulehui@huaweicloud.com> + +From: Toke Høiland-Jørgensen + +[ Upstream commit 281d464a34f540de166cee74b723e97ac2515ec3 ] + +The devmap code allocates a number hash buckets equal to the next power +of two of the max_entries value provided when creating the map. When +rounding up to the next power of two, the 32-bit variable storing the +number of buckets can overflow, and the code checks for overflow by +checking if the truncated 32-bit value is equal to 0. However, on 32-bit +arches the rounding up itself can overflow mid-way through, because it +ends up doing a left-shift of 32 bits on an unsigned long value. If the +size of an unsigned long is four bytes, this is undefined behaviour, so +there is no guarantee that we'll end up with a nice and tidy 0-value at +the end. + +Syzbot managed to turn this into a crash on arm32 by creating a +DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. +Fix this by moving the overflow check to before the rounding up +operation. + +Fixes: 6f9d451ab1a3 ("xdp: Add devmap_hash map type for looking up devices by hashed index") +Link: https://lore.kernel.org/r/000000000000ed666a0611af6818@google.com +Reported-and-tested-by: syzbot+8cd36f6b65f3cafd400a@syzkaller.appspotmail.com +Signed-off-by: Toke Høiland-Jørgensen +Message-ID: <20240307120340.99577-2-toke@redhat.com> +Signed-off-by: Alexei Starovoitov +Signed-off-by: Pu Lehui +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/devmap.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/kernel/bpf/devmap.c ++++ b/kernel/bpf/devmap.c +@@ -131,10 +131,13 @@ static int dev_map_init_map(struct bpf_d + bpf_map_init_from_attr(&dtab->map, attr); + + if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) { +- dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); +- +- if (!dtab->n_buckets) /* Overflow check */ ++ /* hash table size must be power of 2; roundup_pow_of_two() can ++ * overflow into UB on 32-bit arches, so check that first ++ */ ++ if (dtab->map.max_entries > 1UL << 31) + return -EINVAL; ++ ++ dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); + cost += (u64) sizeof(struct hlist_head) * dtab->n_buckets; + } else { + cost += (u64) dtab->map.max_entries * sizeof(struct bpf_dtab_netdev *); diff --git a/queue-5.10/input-goodix-use-the-new-soc_intel_is_byt-helper.patch b/queue-5.10/input-goodix-use-the-new-soc_intel_is_byt-helper.patch new file mode 100644 index 00000000000..7c0214003a0 --- /dev/null +++ b/queue-5.10/input-goodix-use-the-new-soc_intel_is_byt-helper.patch @@ -0,0 +1,64 @@ +From d176708ffc20332d1c730098d2b111e0b77ece82 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 28 Feb 2022 22:52:31 -0800 +Subject: Input: goodix - use the new soc_intel_is_byt() helper + +From: Hans de Goede + +commit d176708ffc20332d1c730098d2b111e0b77ece82 upstream. + +Use the new soc_intel_is_byt() helper from linux/platform_data/x86/soc.h. + +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20220131143539.109142-5-hdegoede@redhat.com +Signed-off-by: Dmitry Torokhov +[Ricardo: Resolved minor cherry-pick conflict. The file linux/regulator/ + consumer.h is not #included in the upstream version but it is in + v5.10.y. ] +Signed-off-by: Ricardo Neri +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/goodix.c | 18 ++---------------- + 1 file changed, 2 insertions(+), 16 deletions(-) + +--- a/drivers/input/touchscreen/goodix.c ++++ b/drivers/input/touchscreen/goodix.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -718,21 +719,6 @@ static int goodix_reset(struct goodix_ts + } + + #ifdef ACPI_GPIO_SUPPORT +-#include +-#include +- +-static const struct x86_cpu_id baytrail_cpu_ids[] = { +- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT, X86_FEATURE_ANY, }, +- {} +-}; +- +-static inline bool is_byt(void) +-{ +- const struct x86_cpu_id *id = x86_match_cpu(baytrail_cpu_ids); +- +- return !!id; +-} +- + static const struct acpi_gpio_params first_gpio = { 0, 0, false }; + static const struct acpi_gpio_params second_gpio = { 1, 0, false }; + +@@ -816,7 +802,7 @@ static int goodix_add_acpi_gpio_mappings + dev_info(dev, "Using ACPI INTI and INTO methods for IRQ pin access\n"); + ts->irq_pin_access_method = IRQ_PIN_ACCESS_ACPI_METHOD; + gpio_mapping = acpi_goodix_reset_only_gpios; +- } else if (is_byt() && ts->gpio_count == 2 && ts->gpio_int_idx == -1) { ++ } else if (soc_intel_is_byt() && ts->gpio_count == 2 && ts->gpio_int_idx == -1) { + dev_info(dev, "No ACPI GpioInt resource, assuming that the GPIO order is reset, int\n"); + ts->irq_pin_access_method = IRQ_PIN_ACCESS_ACPI_GPIO; + gpio_mapping = acpi_goodix_int_last_gpios; diff --git a/queue-5.10/mptcp-fix-sometimes-uninitialized-warning.patch b/queue-5.10/mptcp-fix-sometimes-uninitialized-warning.patch new file mode 100644 index 00000000000..2d26c2839af --- /dev/null +++ b/queue-5.10/mptcp-fix-sometimes-uninitialized-warning.patch @@ -0,0 +1,71 @@ +From matttbe@kernel.org Tue Oct 1 10:14:56 2024 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 30 Sep 2024 18:23:46 +0200 +Subject: mptcp: fix sometimes-uninitialized warning +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: MPTCP Upstream , "Matthieu Baerts (NGI0)" , Nathan Chancellor +Message-ID: <20240930162345.3938790-2-matttbe@kernel.org> + +From: "Matthieu Baerts (NGI0)" + +Nathan reported this issue: + + $ make -skj"$(nproc)" ARCH=x86_64 LLVM=1 LLVM_IAS=1 mrproper allmodconfig net/mptcp/subflow.o + net/mptcp/subflow.c:877:6: warning: variable 'incr' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized] + 877 | if (WARN_ON_ONCE(offset > skb->len)) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + include/asm-generic/bug.h:101:33: note: expanded from macro 'WARN_ON_ONCE' + 101 | #define WARN_ON_ONCE(condition) ({ \ + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 102 | int __ret_warn_on = !!(condition); \ + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 103 | if (unlikely(__ret_warn_on)) \ + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 104 | __WARN_FLAGS(BUGFLAG_ONCE | \ + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 105 | BUGFLAG_TAINT(TAINT_WARN)); \ + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 106 | unlikely(__ret_warn_on); \ + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 107 | }) + | ~~ + net/mptcp/subflow.c:893:6: note: uninitialized use occurs here + 893 | if (incr) + | ^~~~ + net/mptcp/subflow.c:877:2: note: remove the 'if' if its condition is always false + 877 | if (WARN_ON_ONCE(offset > skb->len)) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 878 | goto out; + | ~~~~~~~~ + net/mptcp/subflow.c:874:18: note: initialize the variable 'incr' to silence this warning + 874 | u32 offset, incr, avail_len; + | ^ + | = 0 + 1 warning generated. + +As mentioned by Nathan, this issue is present because 5.10 does not +include commit ea4ca586b16f ("mptcp: refine MPTCP-level ack scheduling"), +which removed the use of 'incr' in the error path added by this change. +This other commit does not really look suitable for stable, hence this +dedicated patch for 5.10. + +Fixes: e93fa44f0714 ("mptcp: fix duplicate data handling") +Reported-by: Nathan Chancellor +Closes: https://lore.kernel.org/20240928175524.GA1713144@thelio-3990X +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/subflow.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -871,7 +871,7 @@ static void mptcp_subflow_discard_data(s + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk); + bool fin = TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN; + struct tcp_sock *tp = tcp_sk(ssk); +- u32 offset, incr, avail_len; ++ u32 offset, incr = 0, avail_len; + + offset = tp->copied_seq - TCP_SKB_CB(skb)->seq; + if (WARN_ON_ONCE(offset > skb->len)) diff --git a/queue-5.10/powercap-rapl-fix-invalid-initialization-for-pl4_supported-field.patch b/queue-5.10/powercap-rapl-fix-invalid-initialization-for-pl4_supported-field.patch new file mode 100644 index 00000000000..c4101df0494 --- /dev/null +++ b/queue-5.10/powercap-rapl-fix-invalid-initialization-for-pl4_supported-field.patch @@ -0,0 +1,47 @@ +From d05b5e0baf424c8c4b4709ac11f66ab726c8deaf Mon Sep 17 00:00:00 2001 +From: Sumeet Pawnikar +Date: Thu, 8 Jun 2023 08:00:06 +0530 +Subject: powercap: RAPL: fix invalid initialization for pl4_supported field + +From: Sumeet Pawnikar + +commit d05b5e0baf424c8c4b4709ac11f66ab726c8deaf upstream. + +The current initialization of the struct x86_cpu_id via +pl4_support_ids[] is partial and wrong. It is initializing +"stepping" field with "X86_FEATURE_ANY" instead of "feature" field. + +Use X86_MATCH_INTEL_FAM6_MODEL macro instead of initializing +each field of the struct x86_cpu_id for pl4_supported list of CPUs. +This X86_MATCH_INTEL_FAM6_MODEL macro internally uses another macro +X86_MATCH_VENDOR_FAM_MODEL_FEATURE for X86 based CPU matching with +appropriate initialized values. + +Reported-by: Dave Hansen +Link: https://lore.kernel.org/lkml/28ead36b-2d9e-1a36-6f4e-04684e420260@intel.com +Fixes: eb52bc2ae5b8 ("powercap: RAPL: Add Power Limit4 support for Meteor Lake SoC") +Fixes: b08b95cf30f5 ("powercap: RAPL: Add Power Limit4 support for Alder Lake-N and Raptor Lake-P") +Fixes: 515755906921 ("powercap: RAPL: Add Power Limit4 support for RaptorLake") +Fixes: 1cc5b9a411e4 ("powercap: Add Power Limit4 support for Alder Lake SoC") +Fixes: 8365a898fe53 ("powercap: Add Power Limit4 support") +Signed-off-by: Sumeet Pawnikar +Signed-off-by: Rafael J. Wysocki +[ Ricardo: I only kept TIGERLAKE in pl4_support_ids as only this model is + enumerated before this changeset. ] +Signed-off-by: Ricardo Neri +Signed-off-by: Greg Kroah-Hartman +--- + drivers/powercap/intel_rapl_msr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/powercap/intel_rapl_msr.c ++++ b/drivers/powercap/intel_rapl_msr.c +@@ -126,7 +126,7 @@ static int rapl_msr_write_raw(int cpu, s + + /* List of verified CPUs. */ + static const struct x86_cpu_id pl4_support_ids[] = { +- { X86_VENDOR_INTEL, 6, INTEL_FAM6_TIGERLAKE_L, X86_FEATURE_ANY }, ++ X86_MATCH_INTEL_FAM6_MODEL(TIGERLAKE_L, NULL), + {} + }; + diff --git a/queue-5.10/revert-bpf-eliminate-rlimit-based-memory-accounting-for-devmap-maps.patch b/queue-5.10/revert-bpf-eliminate-rlimit-based-memory-accounting-for-devmap-maps.patch new file mode 100644 index 00000000000..c2a6ff0036d --- /dev/null +++ b/queue-5.10/revert-bpf-eliminate-rlimit-based-memory-accounting-for-devmap-maps.patch @@ -0,0 +1,77 @@ +From stable+bounces-78113-greg=kroah.com@vger.kernel.org Fri Sep 27 15:48:38 2024 +From: Pu Lehui +Date: Fri, 27 Sep 2024 13:51:17 +0000 +Subject: Revert "bpf: Eliminate rlimit-based memory accounting for devmap maps" +To: stable@vger.kernel.org, bpf@vger.kernel.org +Cc: "Greg Kroah-Hartman" , "Sasha Levin" , "Toke Høiland-Jørgensen" , "Pu Lehui" +Message-ID: <20240927135118.1432057-3-pulehui@huaweicloud.com> + +From: Pu Lehui + +This reverts commit 70294d8bc31f3b7789e5e32f757aa9344556d964 which is +commit 844f157f6c0a905d039d2e20212ab3231f2e5eaf upstream. + +Commit 70294d8bc31f ("bpf: Eliminate rlimit-based memory accounting for +devmap maps") is part of the v5.11+ base mechanism of memcg-based memory +accounting[0]. The commit cannot be independently backported to the 5.10 +stable branch, otherwise the related memory when creating devmap will be +unrestricted. Let's roll back to rlimit-based memory accounting mode for +devmap. + +Link: https://lore.kernel.org/bpf/20201201215900.3569844-1-guro@fb.com [0] +Signed-off-by: Pu Lehui +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/devmap.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/kernel/bpf/devmap.c ++++ b/kernel/bpf/devmap.c +@@ -109,6 +109,8 @@ static inline struct hlist_head *dev_map + static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr) + { + u32 valsize = attr->value_size; ++ u64 cost = 0; ++ int err; + + /* check sanity of attributes. 2 value sizes supported: + * 4 bytes: ifindex +@@ -133,13 +135,21 @@ static int dev_map_init_map(struct bpf_d + + if (!dtab->n_buckets) /* Overflow check */ + return -EINVAL; ++ cost += (u64) sizeof(struct hlist_head) * dtab->n_buckets; ++ } else { ++ cost += (u64) dtab->map.max_entries * sizeof(struct bpf_dtab_netdev *); + } + ++ /* if map size is larger than memlock limit, reject it */ ++ err = bpf_map_charge_init(&dtab->map.memory, cost); ++ if (err) ++ return -EINVAL; ++ + if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) { + dtab->dev_index_head = dev_map_create_hash(dtab->n_buckets, + dtab->map.numa_node); + if (!dtab->dev_index_head) +- return -ENOMEM; ++ goto free_charge; + + spin_lock_init(&dtab->index_lock); + } else { +@@ -147,10 +157,14 @@ static int dev_map_init_map(struct bpf_d + sizeof(struct bpf_dtab_netdev *), + dtab->map.numa_node); + if (!dtab->netdev_map) +- return -ENOMEM; ++ goto free_charge; + } + + return 0; ++ ++free_charge: ++ bpf_map_charge_finish(&dtab->map.memory); ++ return -ENOMEM; + } + + static struct bpf_map *dev_map_alloc(union bpf_attr *attr) diff --git a/queue-5.10/revert-bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch b/queue-5.10/revert-bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch new file mode 100644 index 00000000000..7b9c46830f9 --- /dev/null +++ b/queue-5.10/revert-bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch @@ -0,0 +1,47 @@ +From stable+bounces-78115-greg=kroah.com@vger.kernel.org Fri Sep 27 15:48:43 2024 +From: Pu Lehui +Date: Fri, 27 Sep 2024 13:51:16 +0000 +Subject: Revert "bpf: Fix DEVMAP_HASH overflow check on 32-bit arches" +To: stable@vger.kernel.org, bpf@vger.kernel.org +Cc: "Greg Kroah-Hartman" , "Sasha Levin" , "Toke Høiland-Jørgensen" , "Pu Lehui" +Message-ID: <20240927135118.1432057-2-pulehui@huaweicloud.com> + +From: Pu Lehui + +This reverts commit 225da02acdc97af01b6bc6ce1a3e5362bf01d3fb which is +commit 281d464a34f540de166cee74b723e97ac2515ec3 upstream. + +Commit 225da02acdc9 ("bpf: fix DEVMAP_HASH overflow check on 32-bit +architectures") relies on the v5.11+ base mechanism of memcg-based +memory accounting[0], which is not yet supported on the 5.10 stable +branch, so let's revert this commit in preparation for re-adapting it. + +Link: https://lore.kernel.org/bpf/20201201215900.3569844-1-guro@fb.com [0] +Signed-off-by: Pu Lehui +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/devmap.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/kernel/bpf/devmap.c ++++ b/kernel/bpf/devmap.c +@@ -129,14 +129,13 @@ static int dev_map_init_map(struct bpf_d + bpf_map_init_from_attr(&dtab->map, attr); + + if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) { +- /* hash table size must be power of 2; roundup_pow_of_two() can +- * overflow into UB on 32-bit arches, so check that first +- */ +- if (dtab->map.max_entries > 1UL << 31) +- return -EINVAL; +- + dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); + ++ if (!dtab->n_buckets) /* Overflow check */ ++ return -EINVAL; ++ } ++ ++ if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) { + dtab->dev_index_head = dev_map_create_hash(dtab->n_buckets, + dtab->map.numa_node); + if (!dtab->dev_index_head) diff --git a/queue-5.10/selinux-smack-don-t-bypass-permissions-check-in-inode_setsecctx-hook.patch b/queue-5.10/selinux-smack-don-t-bypass-permissions-check-in-inode_setsecctx-hook.patch new file mode 100644 index 00000000000..371fbac0343 --- /dev/null +++ b/queue-5.10/selinux-smack-don-t-bypass-permissions-check-in-inode_setsecctx-hook.patch @@ -0,0 +1,72 @@ +From 76a0e79bc84f466999fa501fce5bf7a07641b8a7 Mon Sep 17 00:00:00 2001 +From: Scott Mayhew +Date: Wed, 28 Aug 2024 15:51:29 -0400 +Subject: selinux,smack: don't bypass permissions check in inode_setsecctx hook + +From: Scott Mayhew + +commit 76a0e79bc84f466999fa501fce5bf7a07641b8a7 upstream. + +Marek Gresko reports that the root user on an NFS client is able to +change the security labels on files on an NFS filesystem that is +exported with root squashing enabled. + +The end of the kerneldoc comment for __vfs_setxattr_noperm() states: + + * This function requires the caller to lock the inode's i_mutex before it + * is executed. It also assumes that the caller will make the appropriate + * permission checks. + +nfsd_setattr() does do permissions checking via fh_verify() and +nfsd_permission(), but those don't do all the same permissions checks +that are done by security_inode_setxattr() and its related LSM hooks do. + +Since nfsd_setattr() is the only consumer of security_inode_setsecctx(), +simplest solution appears to be to replace the call to +__vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This +fixes the above issue and has the added benefit of causing nfsd to +recall conflicting delegations on a file when a client tries to change +its security label. + +Cc: stable@kernel.org +Reported-by: Marek Gresko +Link: https://bugzilla.kernel.org/show_bug.cgi?id=218809 +Signed-off-by: Scott Mayhew +Tested-by: Stephen Smalley +Reviewed-by: Stephen Smalley +Reviewed-by: Chuck Lever +Reviewed-by: Jeff Layton +Acked-by: Casey Schaufler +Signed-off-by: Paul Moore +[Shivani: Modified to apply on v5.10.y] +Signed-off-by: Shivani Agarwal +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/hooks.c | 3 ++- + security/smack/smack_lsm.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -6570,7 +6570,8 @@ static int selinux_inode_notifysecctx(st + */ + static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) + { +- return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); ++ return __vfs_setxattr_locked(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0, ++ NULL); + } + + static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -4651,7 +4651,8 @@ static int smack_inode_notifysecctx(stru + + static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) + { +- return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); ++ return __vfs_setxattr_locked(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0, ++ NULL); + } + + static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) diff --git a/queue-5.10/series b/queue-5.10/series index d80b2bff6f7..6b9a6ac4a87 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -137,7 +137,6 @@ minmax-avoid-overly-complex-min-max-macro-arguments-.patch xen-introduce-generic-helper-checking-for-memory-map.patch xen-move-max_pfn-in-xen_memory_setup-out-of-function.patch xen-add-capability-to-remap-non-ram-pages-to-differe.patch -xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch xen-swiotlb-add-alignment-check-for-dma-buffers.patch tpm-clean-up-tpm-space-after-command-failure.patch selftests-bpf-fix-compile-error-from-rlim_t-in-sk_st.patch @@ -220,3 +219,11 @@ net-qrtr-update-packets-cloning-when-broadcasting.patch netfilter-nf_tables-keep-deleted-flowtable-hooks-unt.patch netfilter-ctnetlink-compile-ctnetlink_label_size-wit.patch drm-amd-display-fix-synaptics-cascaded-panamera-dsc-determination.patch +input-goodix-use-the-new-soc_intel_is_byt-helper.patch +powercap-rapl-fix-invalid-initialization-for-pl4_supported-field.patch +x86-mm-switch-to-new-intel-cpu-model-defines.patch +revert-bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch +revert-bpf-eliminate-rlimit-based-memory-accounting-for-devmap-maps.patch +bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch +selinux-smack-don-t-bypass-permissions-check-in-inode_setsecctx-hook.patch +mptcp-fix-sometimes-uninitialized-warning.patch diff --git a/queue-5.10/x86-mm-switch-to-new-intel-cpu-model-defines.patch b/queue-5.10/x86-mm-switch-to-new-intel-cpu-model-defines.patch new file mode 100644 index 00000000000..6e0d2bb9f31 --- /dev/null +++ b/queue-5.10/x86-mm-switch-to-new-intel-cpu-model-defines.patch @@ -0,0 +1,57 @@ +From 2eda374e883ad297bd9fe575a16c1dc850346075 Mon Sep 17 00:00:00 2001 +From: Tony Luck +Date: Wed, 24 Apr 2024 11:15:18 -0700 +Subject: x86/mm: Switch to new Intel CPU model defines + +From: Tony Luck + +commit 2eda374e883ad297bd9fe575a16c1dc850346075 upstream. + +New CPU #defines encode vendor and family as well as model. + +[ dhansen: vertically align 0's in invlpg_miss_ids[] ] + +Signed-off-by: Tony Luck +Signed-off-by: Dave Hansen +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/all/20240424181518.41946-1-tony.luck%40intel.com +[ Ricardo: I used the old match macro X86_MATCH_INTEL_FAM6_MODEL() + instead of X86_MATCH_VFM() as in the upstream commit. + I also kept the ALDERLAKE_N name instead of ATOM_GRACEMONT. Both refer + to the same CPU model. ] +Signed-off-by: Ricardo Neri +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/init.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +--- a/arch/x86/mm/init.c ++++ b/arch/x86/mm/init.c +@@ -257,21 +257,17 @@ static void __init probe_page_size_mask( + } + } + +-#define INTEL_MATCH(_model) { .vendor = X86_VENDOR_INTEL, \ +- .family = 6, \ +- .model = _model, \ +- } + /* + * INVLPG may not properly flush Global entries + * on these CPUs when PCIDs are enabled. + */ + static const struct x86_cpu_id invlpg_miss_ids[] = { +- INTEL_MATCH(INTEL_FAM6_ALDERLAKE ), +- INTEL_MATCH(INTEL_FAM6_ALDERLAKE_L ), +- INTEL_MATCH(INTEL_FAM6_ALDERLAKE_N ), +- INTEL_MATCH(INTEL_FAM6_RAPTORLAKE ), +- INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_P), +- INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_S), ++ X86_MATCH_INTEL_FAM6_MODEL(ALDERLAKE, 0), ++ X86_MATCH_INTEL_FAM6_MODEL(ALDERLAKE_L, 0), ++ X86_MATCH_INTEL_FAM6_MODEL(ALDERLAKE_N, 0), ++ X86_MATCH_INTEL_FAM6_MODEL(RAPTORLAKE, 0), ++ X86_MATCH_INTEL_FAM6_MODEL(RAPTORLAKE_P, 0), ++ X86_MATCH_INTEL_FAM6_MODEL(RAPTORLAKE_S, 0), + {} + }; + diff --git a/queue-5.10/xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch b/queue-5.10/xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch deleted file mode 100644 index 2561995d6d9..00000000000 --- a/queue-5.10/xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch +++ /dev/null @@ -1,161 +0,0 @@ -From 83584927ca9e4b6d4c60f20d53d54f50e793d5e6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 2 Aug 2024 20:14:22 +0200 -Subject: xen: tolerate ACPI NVS memory overlapping with Xen allocated memory -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Juergen Gross - -[ Upstream commit be35d91c8880650404f3bf813573222dfb106935 ] - -In order to minimize required special handling for running as Xen PV -dom0, the memory layout is modified to match that of the host. This -requires to have only RAM at the locations where Xen allocated memory -is living. Unfortunately there seem to be some machines, where ACPI -NVS is located at 64 MB, resulting in a conflict with the loaded -kernel or the initial page tables built by Xen. - -Avoid this conflict by swapping the ACPI NVS area in the memory map -with unused RAM. This is possible via modification of the dom0 P2M map. -Accesses to the ACPI NVS area are done either for saving and restoring -it across suspend operations (this will work the same way as before), -or by ACPI code when NVS memory is referenced from other ACPI tables. -The latter case is handled by a Xen specific indirection of -acpi_os_ioremap(). - -While the E820 map can (and should) be modified right away, the P2M -map can be updated only after memory allocation is working, as the P2M -map might need to be extended. - -Fixes: 808fdb71936c ("xen: check for kernel memory conflicting with memory layout") -Signed-off-by: Juergen Gross -Tested-by: Marek Marczykowski-Górecki -Reviewed-by: Jan Beulich -Signed-off-by: Juergen Gross -Signed-off-by: Sasha Levin ---- - arch/x86/xen/setup.c | 92 +++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 91 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c -index ffe2b3918cbb2..5126b5b79383b 100644 ---- a/arch/x86/xen/setup.c -+++ b/arch/x86/xen/setup.c -@@ -539,6 +539,8 @@ void __init xen_remap_memory(void) - set_pte_mfn(buf, mfn_save, PAGE_KERNEL); - - pr_info("Remapped %ld page(s)\n", remapped); -+ -+ xen_do_remap_nonram(); - } - - static unsigned long __init xen_get_pages_limit(void) -@@ -669,14 +671,102 @@ phys_addr_t __init xen_find_free_area(phys_addr_t size) - return 0; - } - -+/* -+ * Swap a non-RAM E820 map entry with RAM above ini_nr_pages. -+ * Note that the E820 map is modified accordingly, but the P2M map isn't yet. -+ * The adaption of the P2M must be deferred until page allocation is possible. -+ */ -+static void __init xen_e820_swap_entry_with_ram(struct e820_entry *swap_entry) -+{ -+ struct e820_entry *entry; -+ unsigned int mapcnt; -+ phys_addr_t mem_end = PFN_PHYS(ini_nr_pages); -+ phys_addr_t swap_addr, swap_size, entry_end; -+ -+ swap_addr = PAGE_ALIGN_DOWN(swap_entry->addr); -+ swap_size = PAGE_ALIGN(swap_entry->addr - swap_addr + swap_entry->size); -+ entry = xen_e820_table.entries; -+ -+ for (mapcnt = 0; mapcnt < xen_e820_table.nr_entries; mapcnt++) { -+ entry_end = entry->addr + entry->size; -+ if (entry->type == E820_TYPE_RAM && entry->size >= swap_size && -+ entry_end - swap_size >= mem_end) { -+ /* Reduce RAM entry by needed space (whole pages). */ -+ entry->size -= swap_size; -+ -+ /* Add new entry at the end of E820 map. */ -+ entry = xen_e820_table.entries + -+ xen_e820_table.nr_entries; -+ xen_e820_table.nr_entries++; -+ -+ /* Fill new entry (keep size and page offset). */ -+ entry->type = swap_entry->type; -+ entry->addr = entry_end - swap_size + -+ swap_addr - swap_entry->addr; -+ entry->size = swap_entry->size; -+ -+ /* Convert old entry to RAM, align to pages. */ -+ swap_entry->type = E820_TYPE_RAM; -+ swap_entry->addr = swap_addr; -+ swap_entry->size = swap_size; -+ -+ /* Remember PFN<->MFN relation for P2M update. */ -+ xen_add_remap_nonram(swap_addr, entry_end - swap_size, -+ swap_size); -+ -+ /* Order E820 table and merge entries. */ -+ e820__update_table(&xen_e820_table); -+ -+ return; -+ } -+ -+ entry++; -+ } -+ -+ xen_raw_console_write("No suitable area found for required E820 entry remapping action\n"); -+ BUG(); -+} -+ -+/* -+ * Look for non-RAM memory types in a specific guest physical area and move -+ * those away if possible (ACPI NVS only for now). -+ */ -+static void __init xen_e820_resolve_conflicts(phys_addr_t start, -+ phys_addr_t size) -+{ -+ struct e820_entry *entry; -+ unsigned int mapcnt; -+ phys_addr_t end; -+ -+ if (!size) -+ return; -+ -+ end = start + size; -+ entry = xen_e820_table.entries; -+ -+ for (mapcnt = 0; mapcnt < xen_e820_table.nr_entries; mapcnt++) { -+ if (entry->addr >= end) -+ return; -+ -+ if (entry->addr + entry->size > start && -+ entry->type == E820_TYPE_NVS) -+ xen_e820_swap_entry_with_ram(entry); -+ -+ entry++; -+ } -+} -+ - /* - * Check for an area in physical memory to be usable for non-movable purposes. -- * An area is considered to usable if the used E820 map lists it to be RAM. -+ * An area is considered to usable if the used E820 map lists it to be RAM or -+ * some other type which can be moved to higher PFNs while keeping the MFNs. - * In case the area is not usable, crash the system with an error message. - */ - void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size, - const char *component) - { -+ xen_e820_resolve_conflicts(start, size); -+ - if (!xen_is_e820_reserved(start, size)) - return; - --- -2.43.0 -