From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 1 Sep 2021 08:44:21 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v4.4.283~33
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e5bf6b5cb7fdc4798efe2deb3bd31eeff54d934;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	bpf-fix-cast-to-pointer-from-integer-of-different-size-warning.patch
	bpf-track-contents-of-read-only-maps-as-scalars.patch
	vt_kdsetmode-extend-console-locking.patch
---

diff --git a/queue-5.4/bpf-fix-cast-to-pointer-from-integer-of-different-size-warning.patch b/queue-5.4/bpf-fix-cast-to-pointer-from-integer-of-different-size-warning.patch
new file mode 100644
index 00000000000..f1285fbefaa
--- /dev/null
+++ b/queue-5.4/bpf-fix-cast-to-pointer-from-integer-of-different-size-warning.patch
@@ -0,0 +1,35 @@
+From 2dedd7d2165565bafa89718eaadfc5d1a7865f66 Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andriin@fb.com>
+Date: Fri, 11 Oct 2019 10:20:53 -0700
+Subject: bpf: Fix cast to pointer from integer of different size warning
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+commit 2dedd7d2165565bafa89718eaadfc5d1a7865f66 upstream.
+
+Fix "warning: cast to pointer from integer of different size" when
+casting u64 addr to void *.
+
+Fixes: a23740ec43ba ("bpf: Track contents of read-only maps as scalars")
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/bpf/20191011172053.2980619-1-andriin@fb.com
+Cc: Rafael David Tinoco <rafaeldtinoco@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2792,7 +2792,7 @@ static int bpf_map_direct_read(struct bp
+ 	err = map->ops->map_direct_value_addr(map, &addr, off);
+ 	if (err)
+ 		return err;
+-	ptr = (void *)addr + off;
++	ptr = (void *)(long)addr + off;
+ 
+ 	switch (size) {
+ 	case sizeof(u8):
diff --git a/queue-5.4/bpf-track-contents-of-read-only-maps-as-scalars.patch b/queue-5.4/bpf-track-contents-of-read-only-maps-as-scalars.patch
new file mode 100644
index 00000000000..fa9affcdab6
--- /dev/null
+++ b/queue-5.4/bpf-track-contents-of-read-only-maps-as-scalars.patch
@@ -0,0 +1,97 @@
+From a23740ec43ba022dbfd139d0fe3eff193216272b Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andriin@fb.com>
+Date: Wed, 9 Oct 2019 13:14:57 -0700
+Subject: bpf: Track contents of read-only maps as scalars
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+commit a23740ec43ba022dbfd139d0fe3eff193216272b upstream.
+
+Maps that are read-only both from BPF program side and user space side
+have their contents constant, so verifier can track referenced values
+precisely and use that knowledge for dead code elimination, branch
+pruning, etc. This patch teaches BPF verifier how to do this.
+
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20191009201458.2679171-2-andriin@fb.com
+Signed-off-by: Rafael David Tinoco <rafaeldtinoco@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c |   57 ++++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 55 insertions(+), 2 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2778,6 +2778,41 @@ static void coerce_reg_to_size(struct bp
+ 	reg->smax_value = reg->umax_value;
+ }
+ 
++static bool bpf_map_is_rdonly(const struct bpf_map *map)
++{
++	return (map->map_flags & BPF_F_RDONLY_PROG) && map->frozen;
++}
++
++static int bpf_map_direct_read(struct bpf_map *map, int off, int size, u64 *val)
++{
++	void *ptr;
++	u64 addr;
++	int err;
++
++	err = map->ops->map_direct_value_addr(map, &addr, off);
++	if (err)
++		return err;
++	ptr = (void *)addr + off;
++
++	switch (size) {
++	case sizeof(u8):
++		*val = (u64)*(u8 *)ptr;
++		break;
++	case sizeof(u16):
++		*val = (u64)*(u16 *)ptr;
++		break;
++	case sizeof(u32):
++		*val = (u64)*(u32 *)ptr;
++		break;
++	case sizeof(u64):
++		*val = *(u64 *)ptr;
++		break;
++	default:
++		return -EINVAL;
++	}
++	return 0;
++}
++
+ /* check whether memory at (regno + off) is accessible for t = (read | write)
+  * if t==write, value_regno is a register which value is stored into memory
+  * if t==read, value_regno is a register which will receive the value from memory
+@@ -2815,9 +2850,27 @@ static int check_mem_access(struct bpf_v
+ 		if (err)
+ 			return err;
+ 		err = check_map_access(env, regno, off, size, false);
+-		if (!err && t == BPF_READ && value_regno >= 0)
+-			mark_reg_unknown(env, regs, value_regno);
++		if (!err && t == BPF_READ && value_regno >= 0) {
++			struct bpf_map *map = reg->map_ptr;
+ 
++			/* if map is read-only, track its contents as scalars */
++			if (tnum_is_const(reg->var_off) &&
++			    bpf_map_is_rdonly(map) &&
++			    map->ops->map_direct_value_addr) {
++				int map_off = off + reg->var_off.value;
++				u64 val = 0;
++
++				err = bpf_map_direct_read(map, map_off, size,
++							  &val);
++				if (err)
++					return err;
++
++				regs[value_regno].type = SCALAR_VALUE;
++				__mark_reg_known(&regs[value_regno], val);
++			} else {
++				mark_reg_unknown(env, regs, value_regno);
++			}
++		}
+ 	} else if (reg->type == PTR_TO_CTX) {
+ 		enum bpf_reg_type reg_type = SCALAR_VALUE;
+ 
diff --git a/queue-5.4/series b/queue-5.4/series
index 4643b05649f..f7fa7196d18 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -35,3 +35,6 @@ drm-copy-drm_wait_vblank-to-user-before-returning.patch
 drm-nouveau-disp-power-down-unused-dp-links-during-i.patch
 net-rds-dma_map_sg-is-entitled-to-merge-entries.patch
 btrfs-fix-race-between-marking-inode-needs-to-be-logged-and-log-syncing.patch
+vt_kdsetmode-extend-console-locking.patch
+bpf-track-contents-of-read-only-maps-as-scalars.patch
+bpf-fix-cast-to-pointer-from-integer-of-different-size-warning.patch
diff --git a/queue-5.4/vt_kdsetmode-extend-console-locking.patch b/queue-5.4/vt_kdsetmode-extend-console-locking.patch
new file mode 100644
index 00000000000..6ee9aee3d42
--- /dev/null
+++ b/queue-5.4/vt_kdsetmode-extend-console-locking.patch
@@ -0,0 +1,46 @@
+From 2287a51ba822384834dafc1c798453375d1107c7 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 30 Aug 2021 08:55:18 -0700
+Subject: vt_kdsetmode: extend console locking
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2287a51ba822384834dafc1c798453375d1107c7 upstream.
+
+As per the long-suffering comment.
+
+Reported-by: Minh Yuan <yuanmingbuaa@gmail.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiri Slaby <jirislaby@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/vt/vt_ioctl.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -484,16 +484,19 @@ int vt_ioctl(struct tty_struct *tty,
+ 			ret = -EINVAL;
+ 			goto out;
+ 		}
+-		/* FIXME: this needs the console lock extending */
+-		if (vc->vc_mode == (unsigned char) arg)
++		console_lock();
++		if (vc->vc_mode == (unsigned char) arg) {
++			console_unlock();
+ 			break;
++		}
+ 		vc->vc_mode = (unsigned char) arg;
+-		if (console != fg_console)
++		if (console != fg_console) {
++			console_unlock();
+ 			break;
++		}
+ 		/*
+ 		 * explicitly blank/unblank the screen if switching modes
+ 		 */
+-		console_lock();
+ 		if (arg == KD_TEXT)
+ 			do_unblank_screen(1);
+ 		else