From: Greg Kroah-Hartman Date: Mon, 22 Nov 2021 12:41:17 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v5.15.5~59 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a5fbf3c0777647673467ff8eb07cefe9480fc5c1;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: hexagon-export-raw-i-o-routines-for-modules.patch ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch --- diff --git a/queue-4.19/hexagon-export-raw-i-o-routines-for-modules.patch b/queue-4.19/hexagon-export-raw-i-o-routines-for-modules.patch new file mode 100644 index 00000000000..0a417c4515a --- /dev/null +++ b/queue-4.19/hexagon-export-raw-i-o-routines-for-modules.patch 
@@ -0,0 +1,70 @@ +From ffb92ce826fd801acb0f4e15b75e4ddf0d189bde Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Fri, 19 Nov 2021 16:43:28 -0800 +Subject: hexagon: export raw I/O routines for modules + +From: Nathan Chancellor + +commit ffb92ce826fd801acb0f4e15b75e4ddf0d189bde upstream. + +Patch series "Fixes for ARCH=hexagon allmodconfig", v2. + +This series fixes some issues noticed with ARCH=hexagon allmodconfig. + +This patch (of 3): + +When building ARCH=hexagon allmodconfig, the following errors occur: + + ERROR: modpost: "__raw_readsl" [drivers/i3c/master/svc-i3c-master.ko] undefined! + ERROR: modpost: "__raw_writesl" [drivers/i3c/master/dw-i3c-master.ko] undefined! + ERROR: modpost: "__raw_readsl" [drivers/i3c/master/dw-i3c-master.ko] undefined! + ERROR: modpost: "__raw_writesl" [drivers/i3c/master/i3c-master-cdns.ko] undefined! + ERROR: modpost: "__raw_readsl" [drivers/i3c/master/i3c-master-cdns.ko] undefined! + +Export these symbols so that modules can use them without any errors. 
+ +Link: https://lkml.kernel.org/r/20211115174250.1994179-1-nathan@kernel.org +Link: https://lkml.kernel.org/r/20211115174250.1994179-2-nathan@kernel.org +Fixes: 013bf24c3829 ("Hexagon: Provide basic implementation and/or stubs for I/O routines.") +Signed-off-by: Nathan Chancellor +Acked-by: Brian Cain +Cc: Nick Desaulniers +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + arch/hexagon/lib/io.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/hexagon/lib/io.c ++++ b/arch/hexagon/lib/io.c +@@ -40,6 +40,7 @@ void __raw_readsw(const void __iomem *ad + *dst++ = *src; + + } ++EXPORT_SYMBOL(__raw_readsw); + + /* + * __raw_writesw - read words a short at a time +@@ -60,6 +61,7 @@ void __raw_writesw(void __iomem *addr, c + + + } ++EXPORT_SYMBOL(__raw_writesw); + + /* Pretty sure len is pre-adjusted for the length of the access already */ + void __raw_readsl(const void __iomem *addr, void *data, int len) +@@ -75,6 +77,7 @@ void __raw_readsl(const void __iomem *ad + + + } ++EXPORT_SYMBOL(__raw_readsl); + + void __raw_writesl(void __iomem *addr, const void *data, int len) + { +@@ -89,3 +92,4 @@ void __raw_writesl(void __iomem *addr, c + + + } ++EXPORT_SYMBOL(__raw_writesl); diff --git a/queue-4.19/ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch b/queue-4.19/ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch new file mode 100644 index 00000000000..975fb28c66b --- /dev/null +++ b/queue-4.19/ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch 
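Review bot: in hexagon-export-raw-i-o-routines-for-modules.patch, the context line above the second hunk's EXPORT_SYMBOL(__raw_writesw) still reads "__raw_writesw - read words a short at a time" for a routine that writes; since the patch already touches the line right below that comment, fixing it to "write words a short at a time" in the same change would be cheap and avoids the next reader mistaking the function's direction.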
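Review bot: the commit message quotes modpost errors only for __raw_readsl and __raw_writesl, yet the first two hunks of arch/hexagon/lib/io.c also export __raw_readsw and __raw_writesw; the message should say the 16-bit variants are exported alongside for consistency so a backporter does not treat those two hunks as unrelated. Also confirm that io.c already includes <linux/export.h> (or <linux/module.h>): the diff adds four EXPORT_SYMBOL() uses and no include, which is only correct if the header is already pulled in, and none of the visible hunk context shows it.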
@@ -0,0 +1,115 @@ +From 126e8bee943e9926238c891e2df5b5573aee76bc Mon Sep 17 00:00:00 2001 +From: Alexander Mikhalitsyn +Date: Fri, 19 Nov 2021 16:43:18 -0800 +Subject: ipc: WARN if trying to remove ipc object which is absent + +From: Alexander Mikhalitsyn + +commit 126e8bee943e9926238c891e2df5b5573aee76bc upstream. + +Patch series "shm: shm_rmid_forced feature fixes". + +Some time ago I met a kernel crash after a CRIU restore procedure; +fortunately, it was a CRIU restore, so I had dump files and could do the +restore many times and the crash reproduced easily. After some +investigation I constructed a minimal reproducer. It was found +that it's a use-after-free and it happens only if sysctl +kernel.shm_rmid_forced = 1. + +The key of the problem is that the exit_shm() function does not handle shp +object destruction when task->sysvshm.shm_clist contains items from +different IPC namespaces. In most cases this list will contain only +items from one IPC namespace. + +How can this list contain objects from different namespaces? The +exit_shm() function is designed to clean up this list always when a +process leaves an IPC namespace. But we made a mistake a long time ago and +did not add an exit_shm() call into the setns() syscall procedures. + +The first idea was just to add this call to the setns() syscall but it +obviously changes the semantics of the setns() syscall and that's a +userspace-visible change. So, I gave up on this idea. + +The first real attempt to address the issue was just to omit the forced +destroy if we meet an shp object not from the current task's IPC namespace [1]. +But that was not the best idea because task->sysvshm.shm_clist was +protected by an rwsem which belongs to the current task's IPC namespace. It +means that list corruption may occur. + +The second approach is just to extend exit_shm() to properly handle shp's from +different IPC namespaces [2]. This is a really non-trivial thing; I've +put a lot of effort into that but did not believe that it's possible to +make it fully safe, clean and clear.
+ +Thanks to the efforts of Manfred Spraul, an elegant solution was +designed. Thanks a lot, Manfred! + +Eric also suggested a way to address the issue in ("[RFC][PATCH] shm: +In shm_exit destroy all created and never attached segments"). Eric's +idea was to maintain a list of shm_clists, one per IPC namespace, using +lock-less lists. But there are some extra memory consumption-related +concerns. + +An alternative solution which was suggested by me was implemented in +("shm: reset shm_clist on setns but omit forced shm destroy"). The idea +is pretty simple: we add an exit_shm() call to setns() but DO NOT +destroy shm segments even if sysctl kernel.shm_rmid_forced = 1, we just +clean up the task->sysvshm.shm_clist list. + +This changes the semantics of the setns() syscall a little bit but in comparison +to the "naive" solution when we just add exit_shm() without any special +exclusions this looks like a safer option. + +[1] https://lkml.org/lkml/2021/7/6/1108 +[2] https://lkml.org/lkml/2021/7/14/736 + +This patch (of 2): + +Let's produce a warning if we are trying to remove a non-existing IPC object +from IPC namespace kht/idr structures. + +This allows us to catch possible bugs when the ipc_rmid() function was +called with inconsistent struct ipc_ids*, struct kern_ipc_perm* +arguments. + +Link: https://lkml.kernel.org/r/20211027224348.611025-1-alexander.mikhalitsyn@virtuozzo.com +Link: https://lkml.kernel.org/r/20211027224348.611025-2-alexander.mikhalitsyn@virtuozzo.com +Co-developed-by: Manfred Spraul +Signed-off-by: Manfred Spraul +Signed-off-by: Alexander Mikhalitsyn +Cc: "Eric W.
Biederman" +Cc: Davidlohr Bueso +Cc: Greg KH +Cc: Andrei Vagin +Cc: Pavel Tikhomirov +Cc: Vasily Averin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + ipc/util.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/ipc/util.c ++++ b/ipc/util.c +@@ -417,8 +417,8 @@ static int ipcget_public(struct ipc_name + static void ipc_kht_remove(struct ipc_ids *ids, struct kern_ipc_perm *ipcp) + { + if (ipcp->key != IPC_PRIVATE) +- rhashtable_remove_fast(&ids->key_ht, &ipcp->khtnode, +- ipc_kht_params); ++ WARN_ON_ONCE(rhashtable_remove_fast(&ids->key_ht, &ipcp->khtnode, ++ ipc_kht_params)); + } + + /** +@@ -433,7 +433,7 @@ void ipc_rmid(struct ipc_ids *ids, struc + { + int idx = ipcid_to_idx(ipcp->id); + +- idr_remove(&ids->ipcs_idr, idx); ++ WARN_ON_ONCE(idr_remove(&ids->ipcs_idr, idx) != ipcp); + ipc_kht_remove(ids, ipcp); + ids->in_use--; + ipcp->deleted = true; diff --git a/queue-4.19/mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch b/queue-4.19/mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch new file mode 100644 index 00000000000..e03bfb414aa --- /dev/null +++ b/queue-4.19/mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch 
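Review bot: in the ipc_kht_remove() hunk of ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch, a side-effecting call (rhashtable_remove_fast(), which returns 0 on success and -ENOENT when the node is absent) now sits inside WARN_ON_ONCE(). WARN_ON_ONCE() evaluates its condition exactly once even when CONFIG_BUG is off, so the removal still happens, but a local makes that obvious to the reader: `int err = rhashtable_remove_fast(&ids->key_ht, &ipcp->khtnode, ipc_kht_params); WARN_ON_ONCE(err);`.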
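Review bot: in the ipc_rmid() hunk the new `WARN_ON_ONCE(idr_remove(&ids->ipcs_idr, idx) != ipcp)` is diagnostic only: after the warning fires, execution still falls through to `ids->in_use--` and `ipcp->deleted = true`, so an object that was never in ipcs_idr (or a different object at that index, since idr_remove() returns the removed pointer or NULL) still decrements the namespace's in_use count. That is fine for a "catch possible bugs" change, but a one-line comment should say the WARN is not a guard, so nobody later relies on it to stop the corruption. Separately, the message says "This patch (of 2)" and describes a use-after-free, while this change only adds warnings; the queue-4.19/series update in this batch lists only this patch, so the second patch of the series that actually changes exit_shm() should be queued with it, or the backport should note that it follows separately.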
@@ -0,0 +1,51 @@ +From 34dbc3aaf5d9e89ba6cc5e24add9458c21ab1950 Mon Sep 17 00:00:00 2001 +From: Rustam Kovhaev +Date: Fri, 19 Nov 2021 16:43:37 -0800 +Subject: mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag + +From: Rustam Kovhaev + +commit 34dbc3aaf5d9e89ba6cc5e24add9458c21ab1950 upstream. + +When kmemleak is enabled for SLOB, the system does not boot and does not +print anything to the console. At the very early stage in the boot +process we hit infinite recursion from kmemleak_init() and eventually +the kernel crashes. + +kmemleak_init() specifies SLAB_NOLEAKTRACE for KMEM_CACHE(), but +kmem_cache_create_usercopy() removes it because CACHE_CREATE_MASK is not +valid for SLOB. + +Let's fix CACHE_CREATE_MASK and make kmemleak work with SLOB. + +Link: https://lkml.kernel.org/r/20211115020850.3154366-1-rkovhaev@gmail.com +Fixes: d8843922fba4 ("slab: Ignore internal flags in cache creation") +Signed-off-by: Rustam Kovhaev +Acked-by: Vlastimil Babka +Reviewed-by: Muchun Song +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Catalin Marinas +Cc: Greg Kroah-Hartman +Cc: Glauber Costa +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/slab.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/slab.h ++++ b/mm/slab.h +@@ -148,7 +148,7 @@ static inline slab_flags_t kmem_cache_fl + #define SLAB_CACHE_FLAGS (SLAB_NOLEAKTRACE | SLAB_RECLAIM_ACCOUNT | \ + SLAB_TEMPORARY | SLAB_ACCOUNT) + #else +-#define SLAB_CACHE_FLAGS (0) ++#define SLAB_CACHE_FLAGS (SLAB_NOLEAKTRACE) + #endif + + /* Common flags available with current configuration */ diff --git a/queue-4.19/series b/queue-4.19/series index 29031cb74df..d309ff087c2 100644 --- a/queue-4.19/series +++ b/queue-4.19/series
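Review bot: the mm/slab.h hunk in mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch changes the SLOB-only #else branch so that SLAB_NOLEAKTRACE is the one flag that now survives CACHE_CREATE_MASK, while SLAB_RECLAIM_ACCOUNT, SLAB_TEMPORARY and SLAB_ACCOUNT from the #ifdef branch directly above are still stripped for SLOB. That asymmetry is intended (SLOB does not implement those), but it is not explained anywhere in the file; a short comment on the #else line saying that SLOB only needs to honour the kmemleak flag would stop the next person from "fixing" the two branches to match, which is what the original (0) looked like it was doing.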
@@ -302,3 +302,7 @@ perf-bench-fix-two-memory-leaks-detected-with-asan.patch perf-x86-intel-uncore-fix-filter_tid-mask-for-cha-ev.patch perf-x86-intel-uncore-fix-iio-event-constraints-for-.patch tun-fix-bonding-active-backup-with-arp-monitoring.patch +hexagon-export-raw-i-o-routines-for-modules.patch +ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch +mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch +x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch diff --git a/queue-4.19/x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch b/queue-4.19/x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch new file mode 100644 index 00000000000..3add6d02f14 --- /dev/null +++ b/queue-4.19/x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch 
@@ -0,0 +1,57 @@ +From daf972118c517b91f74ff1731417feb4270625a4 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 4 Nov 2021 18:22:38 +0000 +Subject: x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails + +From: Sean Christopherson + +commit daf972118c517b91f74ff1731417feb4270625a4 upstream. + +Check for a valid hv_vp_index array prior to dereferencing hv_vp_index when +setting Hyper-V's TSC change callback. If Hyper-V setup failed in +hyperv_init(), the kernel will still report that it's running under +Hyper-V, but will have silently disabled nearly all functionality. + + BUG: kernel NULL pointer dereference, address: 0000000000000010 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] SMP + CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc2+ #75 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + RIP: 0010:set_hv_tscchange_cb+0x15/0xa0 + Code: <8b> 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08 + ... + Call Trace: + kvm_arch_init+0x17c/0x280 + kvm_init+0x31/0x330 + vmx_init+0xba/0x13a + do_one_initcall+0x41/0x1c0 + kernel_init_freeable+0x1f2/0x23b + kernel_init+0x16/0x120 + ret_from_fork+0x22/0x30 + +Fixes: 93286261de1b ("x86/hyperv: Reenlightenment notifications support") +Cc: stable@vger.kernel.org +Cc: Vitaly Kuznetsov +Signed-off-by: Sean Christopherson +Reviewed-by: Vitaly Kuznetsov +Link: https://lore.kernel.org/r/20211104182239.1302956-2-seanjc@google.com +Signed-off-by: Wei Liu +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/hyperv/hv_init.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/hyperv/hv_init.c ++++ b/arch/x86/hyperv/hv_init.c +@@ -200,6 +200,9 @@ void set_hv_tscchange_cb(void (*cb)(void + return; + } + ++ if (!hv_vp_index) ++ return; ++ + hv_reenlightenment_cb = cb; + + /* Make sure callback is registered before we write to MSRs */
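Review bot: the new `if (!hv_vp_index) return;` in x86-hyperv-fix-null-deref-in-set_hv_tscchange_cb-if-hyper-v-setup-fails.patch bails out silently from a void function, so a caller such as kvm_arch_init() in the quoted trace never learns that its reenlightenment callback was not registered; the existing early return in the hunk's leading context has the same shape, but this one covers a failed hyperv_init(), which the commit message itself describes as "silently disabled nearly all functionality". Consider a pr_warn_once() on this path stating that hv_vp_index is NULL because Hyper-V setup failed, or giving set_hv_tscchange_cb() an int return so KVM can report it. A comment on the check pointing at the hyperv_init() failure path would also help. The placement is right: the check sits after the existing early return and before `hv_reenlightenment_cb = cb`, so the callback is never stored when the MSR writes that follow cannot be done.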