From: Greg Kroah-Hartman Date: Mon, 15 Nov 2021 15:05:21 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v5.4.160~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=deabd3c3a89ab3add479beda8c9d341bcea1bc96;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: backlight-gpio-backlight-correct-initial-power-state-handling.patch mm-oom-do-not-trigger-out_of_memory-from-the-pf.patch mm-oom-pagefault_out_of_memory-don-t-force-global-oom-for-dying-tasks.patch powerpc-bpf-emit-stf-barrier-instruction-sequences-for-bpf_nospec.patch powerpc-bpf-fix-bpf_sub-when-imm-0x80000000.patch powerpc-bpf-validate-branch-ranges.patch powerpc-lib-add-helper-to-check-if-offset-is-within-conditional-branch-range.patch powerpc-security-add-a-helper-to-query-stf_barrier-type.patch s390-cio-check-the-subchannel-validity-for-dev_busid.patch s390-tape-fix-timer-initialization-in-tape_std_assign.patch video-backlight-drop-maximum-brightness-override-for-brightness-zero.patch --- diff --git a/queue-4.19/backlight-gpio-backlight-correct-initial-power-state-handling.patch b/queue-4.19/backlight-gpio-backlight-correct-initial-power-state-handling.patch new file mode 100644 index 00000000000..dd691cf4a5d --- /dev/null +++ b/queue-4.19/backlight-gpio-backlight-correct-initial-power-state-handling.patch @@ -0,0 +1,89 @@ +From ec665b756e6f79c60078b00dbdabea3aa8a4b787 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 31 Jul 2019 11:40:18 +0300 +Subject: backlight: gpio-backlight: Correct initial power state handling + +From: Peter Ujfalusi + +commit ec665b756e6f79c60078b00dbdabea3aa8a4b787 upstream. + +The default-on property - or the def_value via legacy pdata) should be +handled as: +if it is 1, the backlight must be enabled (kept enabled) +if it is 0, the backlight must be disabled (kept disabled) + +This only works for the case when default-on is set. If it is not set then +the brightness of the backlight is set to 0. Now if the backlight is +enabled by external driver (graphics) the backlight will stay disabled since +the brightness is configured as 0. The backlight will not turn on. + +In order to minimize screen flickering during device boot: + +The initial brightness should be set to 1. + +If booted in non DT mode or no phandle link to the backlight node: +follow the def_value/default-on to select UNBLANK or POWERDOWN + +If in DT boot we have phandle link then leave the GPIO in a state which the +bootloader left it and let the user of the backlight to configure it +further. + +Signed-off-by: Peter Ujfalusi +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/backlight/gpio_backlight.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +--- a/drivers/video/backlight/gpio_backlight.c ++++ b/drivers/video/backlight/gpio_backlight.c +@@ -62,13 +62,11 @@ static int gpio_backlight_probe_dt(struc + { + struct device *dev = &pdev->dev; + struct device_node *np = dev->of_node; +- enum gpiod_flags flags; + int ret; + + gbl->def_value = of_property_read_bool(np, "default-on"); +- flags = gbl->def_value ? GPIOD_OUT_HIGH : GPIOD_OUT_LOW; + +- gbl->gpiod = devm_gpiod_get(dev, NULL, flags); ++ gbl->gpiod = devm_gpiod_get(dev, NULL, GPIOD_ASIS); + if (IS_ERR(gbl->gpiod)) { + ret = PTR_ERR(gbl->gpiod); + +@@ -82,6 +80,22 @@ static int gpio_backlight_probe_dt(struc + return 0; + } + ++static int gpio_backlight_initial_power_state(struct gpio_backlight *gbl) ++{ ++ struct device_node *node = gbl->dev->of_node; ++ ++ /* Not booted with device tree or no phandle link to the node */ ++ if (!node || !node->phandle) ++ return gbl->def_value ? FB_BLANK_UNBLANK : FB_BLANK_POWERDOWN; ++ ++ /* if the enable GPIO is disabled, do not enable the backlight */ ++ if (gpiod_get_value_cansleep(gbl->gpiod) == 0) ++ return FB_BLANK_POWERDOWN; ++ ++ return FB_BLANK_UNBLANK; ++} ++ ++ + static int gpio_backlight_probe(struct platform_device *pdev) + { + struct gpio_backlight_platform_data *pdata = +@@ -142,7 +156,9 @@ static int gpio_backlight_probe(struct p + return PTR_ERR(bl); + } + +- bl->props.brightness = gbl->def_value; ++ bl->props.power = gpio_backlight_initial_power_state(gbl); ++ bl->props.brightness = 1; ++ + backlight_update_status(bl); + + platform_set_drvdata(pdev, bl); diff --git a/queue-4.19/mm-oom-do-not-trigger-out_of_memory-from-the-pf.patch b/queue-4.19/mm-oom-do-not-trigger-out_of_memory-from-the-pf.patch new file mode 100644 index 00000000000..e0453c18baa --- /dev/null +++ b/queue-4.19/mm-oom-do-not-trigger-out_of_memory-from-the-pf.patch @@ -0,0 +1,102 @@ +From 60e2793d440a3ec95abb5d6d4fc034a4b480472d Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Fri, 5 Nov 2021 13:38:06 -0700 +Subject: mm, oom: do not trigger out_of_memory from the #PF + +From: Michal Hocko + +commit 60e2793d440a3ec95abb5d6d4fc034a4b480472d upstream. + +Any allocation failure during the #PF path will return with VM_FAULT_OOM +which in turn results in pagefault_out_of_memory. This can happen for 2 +different reasons. a) Memcg is out of memory and we rely on +mem_cgroup_oom_synchronize to perform the memcg OOM handling or b) +normal allocation fails. + +The latter is quite problematic because allocation paths already trigger +out_of_memory and the page allocator tries really hard to not fail +allocations. Anyway, if the OOM killer has been already invoked there +is no reason to invoke it again from the #PF path. Especially when the +OOM condition might be gone by that time and we have no way to find out +other than allocate. + +Moreover if the allocation failed and the OOM killer hasn't been invoked +then we are unlikely to do the right thing from the #PF context because +we have already lost the allocation context and restictions and +therefore might oom kill a task from a different NUMA domain. + +This all suggests that there is no legitimate reason to trigger +out_of_memory from pagefault_out_of_memory so drop it. Just to be sure +that no #PF path returns with VM_FAULT_OOM without allocation print a +warning that this is happening before we restart the #PF. + +[VvS: #PF allocation can hit into limit of cgroup v1 kmem controller. +This is a local problem related to memcg, however, it causes unnecessary +global OOM kills that are repeated over and over again and escalate into a +real disaster. This has been broken since kmem accounting has been +introduced for cgroup v1 (3.8). There was no kmem specific reclaim for +the separate limit so the only way to handle kmem hard limit was to return +with ENOMEM. In upstream the problem will be fixed by removing the +outdated kmem limit, however stable and LTS kernels cannot do it and are +still affected. This patch fixes the problem and should be backported +into stable/LTS.] + +Link: https://lkml.kernel.org/r/f5fd8dd8-0ad4-c524-5f65-920b01972a42@virtuozzo.com +Signed-off-by: Michal Hocko +Signed-off-by: Vasily Averin +Acked-by: Michal Hocko +Cc: Johannes Weiner +Cc: Mel Gorman +Cc: Roman Gushchin +Cc: Shakeel Butt +Cc: Tetsuo Handa +Cc: Uladzislau Rezki +Cc: Vladimir Davydov +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/oom_kill.c | 22 ++++++++-------------- + 1 file changed, 8 insertions(+), 14 deletions(-) + +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -1135,19 +1135,15 @@ bool out_of_memory(struct oom_control *o + } + + /* +- * The pagefault handler calls here because it is out of memory, so kill a +- * memory-hogging task. If oom_lock is held by somebody else, a parallel oom +- * killing is already in progress so do nothing. ++ * The pagefault handler calls here because some allocation has failed. We have ++ * to take care of the memcg OOM here because this is the only safe context without ++ * any locks held but let the oom killer triggered from the allocation context care ++ * about the global OOM. + */ + void pagefault_out_of_memory(void) + { +- struct oom_control oc = { +- .zonelist = NULL, +- .nodemask = NULL, +- .memcg = NULL, +- .gfp_mask = 0, +- .order = 0, +- }; ++ static DEFINE_RATELIMIT_STATE(pfoom_rs, DEFAULT_RATELIMIT_INTERVAL, ++ DEFAULT_RATELIMIT_BURST); + + if (mem_cgroup_oom_synchronize(true)) + return; +@@ -1155,8 +1151,6 @@ void pagefault_out_of_memory(void) + if (fatal_signal_pending(current)) + return; + +- if (!mutex_trylock(&oom_lock)) +- return; +- out_of_memory(&oc); +- mutex_unlock(&oom_lock); ++ if (__ratelimit(&pfoom_rs)) ++ pr_warn("Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF\n"); + } diff --git a/queue-4.19/mm-oom-pagefault_out_of_memory-don-t-force-global-oom-for-dying-tasks.patch b/queue-4.19/mm-oom-pagefault_out_of_memory-don-t-force-global-oom-for-dying-tasks.patch new file mode 100644 index 00000000000..69b4bb9fff9 --- /dev/null +++ b/queue-4.19/mm-oom-pagefault_out_of_memory-don-t-force-global-oom-for-dying-tasks.patch @@ -0,0 +1,74 @@ +From 0b28179a6138a5edd9d82ad2687c05b3773c387b Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Fri, 5 Nov 2021 13:38:02 -0700 +Subject: mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks + +From: Vasily Averin + +commit 0b28179a6138a5edd9d82ad2687c05b3773c387b upstream. + +Patch series "memcg: prohibit unconditional exceeding the limit of dying tasks", v3. + +Memory cgroup charging allows killed or exiting tasks to exceed the hard +limit. It can be misused and allowed to trigger global OOM from inside +a memcg-limited container. On the other hand if memcg fails allocation, +called from inside #PF handler it triggers global OOM from inside +pagefault_out_of_memory(). + +To prevent these problems this patchset: + (a) removes execution of out_of_memory() from + pagefault_out_of_memory(), becasue nobody can explain why it is + necessary. + (b) allow memcg to fail allocation of dying/killed tasks. + +This patch (of 3): + +Any allocation failure during the #PF path will return with VM_FAULT_OOM +which in turn results in pagefault_out_of_memory which in turn executes +out_out_memory() and can kill a random task. + +An allocation might fail when the current task is the oom victim and +there are no memory reserves left. The OOM killer is already handled at +the page allocator level for the global OOM and at the charging level +for the memcg one. Both have much more information about the scope of +allocation/charge request. This means that either the OOM killer has +been invoked properly and didn't lead to the allocation success or it +has been skipped because it couldn't have been invoked. In both cases +triggering it from here is pointless and even harmful. + +It makes much more sense to let the killed task die rather than to wake +up an eternally hungry oom-killer and send him to choose a fatter victim +for breakfast. + +Link: https://lkml.kernel.org/r/0828a149-786e-7c06-b70a-52d086818ea3@virtuozzo.com +Signed-off-by: Vasily Averin +Suggested-by: Michal Hocko +Acked-by: Michal Hocko +Cc: Johannes Weiner +Cc: Mel Gorman +Cc: Roman Gushchin +Cc: Shakeel Butt +Cc: Tetsuo Handa +Cc: Uladzislau Rezki +Cc: Vladimir Davydov +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/oom_kill.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -1152,6 +1152,9 @@ void pagefault_out_of_memory(void) + if (mem_cgroup_oom_synchronize(true)) + return; + ++ if (fatal_signal_pending(current)) ++ return; ++ + if (!mutex_trylock(&oom_lock)) + return; + out_of_memory(&oc); diff --git a/queue-4.19/powerpc-bpf-emit-stf-barrier-instruction-sequences-for-bpf_nospec.patch b/queue-4.19/powerpc-bpf-emit-stf-barrier-instruction-sequences-for-bpf_nospec.patch new file mode 100644 index 00000000000..733a2347d78 --- /dev/null +++ b/queue-4.19/powerpc-bpf-emit-stf-barrier-instruction-sequences-for-bpf_nospec.patch @@ -0,0 +1,161 @@ +From foo@baz Mon Nov 15 03:31:22 PM CET 2021 +From: "Naveen N. Rao" +Date: Mon, 15 Nov 2021 16:35:32 +0530 +Subject: powerpc/bpf: Emit stf barrier instruction sequences for BPF_NOSPEC +To: +Cc: Michael Ellerman , Daniel Borkmann +Message-ID: <0c1116e0f065c749de2f6188c7fdbfb4521743d1.1636968020.git.naveen.n.rao@linux.vnet.ibm.com> + +From: "Naveen N. Rao" + +upstream commit b7540d62509453263604a155bf2d5f0ed450cba2 + +Emit similar instruction sequences to commit a048a07d7f4535 +("powerpc/64s: Add support for a store forwarding barrier at kernel +entry/exit") when encountering BPF_NOSPEC. + +Mitigations are enabled depending on what the firmware advertises. In +particular, we do not gate these mitigations based on current settings, +just like in x86. Due to this, we don't need to take any action if +mitigations are enabled or disabled at runtime. + +Signed-off-by: Naveen N. Rao +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/956570cbc191cd41f8274bed48ee757a86dac62a.1633464148.git.naveen.n.rao@linux.vnet.ibm.com +[adjust macros to account for commits 0654186510a40e, 3a181237916310 and ef909ba954145e. +adjust security feature checks to account for commit 84ed26fd00c514] +Signed-off-by: Naveen N. Rao +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/net/bpf_jit64.h | 8 ++--- + arch/powerpc/net/bpf_jit_comp64.c | 56 +++++++++++++++++++++++++++++++++++--- + 2 files changed, 56 insertions(+), 8 deletions(-) + +--- a/arch/powerpc/net/bpf_jit64.h ++++ b/arch/powerpc/net/bpf_jit64.h +@@ -20,18 +20,18 @@ + * with our redzone usage. + * + * [ prev sp ] <------------- +- * [ nv gpr save area ] 6*8 | ++ * [ nv gpr save area ] 5*8 | + * [ tail_call_cnt ] 8 | +- * [ local_tmp_var ] 8 | ++ * [ local_tmp_var ] 16 | + * fp (r31) --> [ ebpf stack space ] upto 512 | + * [ frame header ] 32/112 | + * sp (r1) ---> [ stack pointer ] -------------- + */ + + /* for gpr non volatile registers BPG_REG_6 to 10 */ +-#define BPF_PPC_STACK_SAVE (6*8) ++#define BPF_PPC_STACK_SAVE (5*8) + /* for bpf JIT code internal usage */ +-#define BPF_PPC_STACK_LOCALS 16 ++#define BPF_PPC_STACK_LOCALS 24 + /* stack frame excluding BPF stack, ensure this is quadword aligned */ + #define BPF_PPC_STACKFRAME (STACK_FRAME_MIN_SIZE + \ + BPF_PPC_STACK_LOCALS + BPF_PPC_STACK_SAVE) +--- a/arch/powerpc/net/bpf_jit_comp64.c ++++ b/arch/powerpc/net/bpf_jit_comp64.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #include "bpf_jit64.h" + +@@ -60,9 +61,9 @@ static inline bool bpf_has_stack_frame(s + * [ prev sp ] <------------- + * [ ... ] | + * sp (r1) ---> [ stack pointer ] -------------- +- * [ nv gpr save area ] 6*8 ++ * [ nv gpr save area ] 5*8 + * [ tail_call_cnt ] 8 +- * [ local_tmp_var ] 8 ++ * [ local_tmp_var ] 16 + * [ unused red zone ] 208 bytes protected + */ + static int bpf_jit_stack_local(struct codegen_context *ctx) +@@ -70,12 +71,12 @@ static int bpf_jit_stack_local(struct co + if (bpf_has_stack_frame(ctx)) + return STACK_FRAME_MIN_SIZE + ctx->stack_size; + else +- return -(BPF_PPC_STACK_SAVE + 16); ++ return -(BPF_PPC_STACK_SAVE + 24); + } + + static int bpf_jit_stack_tailcallcnt(struct codegen_context *ctx) + { +- return bpf_jit_stack_local(ctx) + 8; ++ return bpf_jit_stack_local(ctx) + 16; + } + + static int bpf_jit_stack_offsetof(struct codegen_context *ctx, int reg) +@@ -268,11 +269,34 @@ static int bpf_jit_emit_tail_call(u32 *i + return 0; + } + ++/* ++ * We spill into the redzone always, even if the bpf program has its own stackframe. ++ * Offsets hardcoded based on BPF_PPC_STACK_SAVE -- see bpf_jit_stack_local() ++ */ ++void bpf_stf_barrier(void); ++ ++asm ( ++" .global bpf_stf_barrier ;" ++" bpf_stf_barrier: ;" ++" std 21,-64(1) ;" ++" std 22,-56(1) ;" ++" sync ;" ++" ld 21,-64(1) ;" ++" ld 22,-56(1) ;" ++" ori 31,31,0 ;" ++" .rept 14 ;" ++" b 1f ;" ++" 1: ;" ++" .endr ;" ++" blr ;" ++); ++ + /* Assemble the body code between the prologue & epilogue */ + static int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, + struct codegen_context *ctx, + u32 *addrs, bool extra_pass) + { ++ enum stf_barrier_type stf_barrier = stf_barrier_type_get(); + const struct bpf_insn *insn = fp->insnsi; + int flen = fp->len; + int i, ret; +@@ -615,6 +639,30 @@ emit_clear: + * BPF_ST NOSPEC (speculation barrier) + */ + case BPF_ST | BPF_NOSPEC: ++ if (!security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) || ++ (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR) && ++ (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) || !cpu_has_feature(CPU_FTR_HVMODE)))) ++ break; ++ ++ switch (stf_barrier) { ++ case STF_BARRIER_EIEIO: ++ EMIT(0x7c0006ac | 0x02000000); ++ break; ++ case STF_BARRIER_SYNC_ORI: ++ EMIT(PPC_INST_SYNC); ++ PPC_LD(b2p[TMP_REG_1], 13, 0); ++ PPC_ORI(31, 31, 0); ++ break; ++ case STF_BARRIER_FALLBACK: ++ EMIT(PPC_INST_MFLR | ___PPC_RT(b2p[TMP_REG_1])); ++ PPC_LI64(12, dereference_kernel_function_descriptor(bpf_stf_barrier)); ++ PPC_MTCTR(12); ++ EMIT(PPC_INST_BCTR | 0x1); ++ PPC_MTLR(b2p[TMP_REG_1]); ++ break; ++ case STF_BARRIER_NONE: ++ break; ++ } + break; + + /* diff --git a/queue-4.19/powerpc-bpf-fix-bpf_sub-when-imm-0x80000000.patch b/queue-4.19/powerpc-bpf-fix-bpf_sub-when-imm-0x80000000.patch new file mode 100644 index 00000000000..fb61bae3b53 --- /dev/null +++ b/queue-4.19/powerpc-bpf-fix-bpf_sub-when-imm-0x80000000.patch @@ -0,0 +1,66 @@ +From foo@baz Mon Nov 15 03:31:22 PM CET 2021 +From: "Naveen N. Rao" +Date: Mon, 15 Nov 2021 16:35:30 +0530 +Subject: powerpc/bpf: Fix BPF_SUB when imm == 0x80000000 +To: +Cc: Michael Ellerman , Daniel Borkmann +Message-ID: <5e5c7b933e9da0cb509a1172b7a2c2d17796e952.1636968020.git.naveen.n.rao@linux.vnet.ibm.com> + +From: "Naveen N. Rao" + +upstream commit 5855c4c1f415ca3ba1046e77c0b3d3dfc96c9025 + +We aren't handling subtraction involving an immediate value of +0x80000000 properly. Fix the same. + +Fixes: 156d0e290e969c ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF") +Signed-off-by: Naveen N. Rao +Reviewed-by: Christophe Leroy +[mpe: Fold in fix from Naveen to use imm <= 32768] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/fc4b1276eb10761fd7ce0814c8dd089da2815251.1633464148.git.naveen.n.rao@linux.vnet.ibm.com +[adjust macros to account for commits 0654186510a40e and 3a181237916310] +Signed-off-by: Naveen N. Rao +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/net/bpf_jit_comp64.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +--- a/arch/powerpc/net/bpf_jit_comp64.c ++++ b/arch/powerpc/net/bpf_jit_comp64.c +@@ -326,18 +326,25 @@ static int bpf_jit_build_body(struct bpf + PPC_SUB(dst_reg, dst_reg, src_reg); + goto bpf_alu32_trunc; + case BPF_ALU | BPF_ADD | BPF_K: /* (u32) dst += (u32) imm */ +- case BPF_ALU | BPF_SUB | BPF_K: /* (u32) dst -= (u32) imm */ + case BPF_ALU64 | BPF_ADD | BPF_K: /* dst += imm */ ++ if (!imm) { ++ goto bpf_alu32_trunc; ++ } else if (imm >= -32768 && imm < 32768) { ++ PPC_ADDI(dst_reg, dst_reg, IMM_L(imm)); ++ } else { ++ PPC_LI32(b2p[TMP_REG_1], imm); ++ PPC_ADD(dst_reg, dst_reg, b2p[TMP_REG_1]); ++ } ++ goto bpf_alu32_trunc; ++ case BPF_ALU | BPF_SUB | BPF_K: /* (u32) dst -= (u32) imm */ + case BPF_ALU64 | BPF_SUB | BPF_K: /* dst -= imm */ +- if (BPF_OP(code) == BPF_SUB) +- imm = -imm; +- if (imm) { +- if (imm >= -32768 && imm < 32768) +- PPC_ADDI(dst_reg, dst_reg, IMM_L(imm)); +- else { +- PPC_LI32(b2p[TMP_REG_1], imm); +- PPC_ADD(dst_reg, dst_reg, b2p[TMP_REG_1]); +- } ++ if (!imm) { ++ goto bpf_alu32_trunc; ++ } else if (imm > -32768 && imm <= 32768) { ++ PPC_ADDI(dst_reg, dst_reg, IMM_L(-imm)); ++ } else { ++ PPC_LI32(b2p[TMP_REG_1], imm); ++ PPC_SUB(dst_reg, dst_reg, b2p[TMP_REG_1]); + } + goto bpf_alu32_trunc; + case BPF_ALU | BPF_MUL | BPF_X: /* (u32) dst *= (u32) src */ diff --git a/queue-4.19/powerpc-bpf-validate-branch-ranges.patch b/queue-4.19/powerpc-bpf-validate-branch-ranges.patch new file mode 100644 index 00000000000..5596047062a --- /dev/null +++ b/queue-4.19/powerpc-bpf-validate-branch-ranges.patch @@ -0,0 +1,115 @@ +From foo@baz Mon Nov 15 03:31:22 PM CET 2021 +From: "Naveen N. Rao" +Date: Mon, 15 Nov 2021 16:35:29 +0530 +Subject: powerpc/bpf: Validate branch ranges +To: +Cc: Michael Ellerman , Daniel Borkmann +Message-ID: + +From: "Naveen N. Rao" + +upstream commit 3832ba4e283d7052b783dab8311df7e3590fed93 + +Add checks to ensure that we never emit branch instructions with +truncated branch offsets. + +Suggested-by: Michael Ellerman +Signed-off-by: Naveen N. Rao +Tested-by: Johan Almbladh +Reviewed-by: Christophe Leroy +Acked-by: Song Liu +Acked-by: Johan Almbladh +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/71d33a6b7603ec1013c9734dd8bdd4ff5e929142.1633464148.git.naveen.n.rao@linux.vnet.ibm.com +[include header, drop ppc32 changes] +Signed-off-by: Naveen N. Rao +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/net/bpf_jit.h | 26 ++++++++++++++++++++------ + arch/powerpc/net/bpf_jit_comp64.c | 10 +++++++--- + 2 files changed, 27 insertions(+), 9 deletions(-) + +--- a/arch/powerpc/net/bpf_jit.h ++++ b/arch/powerpc/net/bpf_jit.h +@@ -15,6 +15,7 @@ + #ifndef __ASSEMBLY__ + + #include ++#include + + #ifdef PPC64_ELF_ABI_v1 + #define FUNCTION_DESCR_SIZE 24 +@@ -176,13 +177,26 @@ + #define PPC_NEG(d, a) EMIT(PPC_INST_NEG | ___PPC_RT(d) | ___PPC_RA(a)) + + /* Long jump; (unconditional 'branch') */ +-#define PPC_JMP(dest) EMIT(PPC_INST_BRANCH | \ +- (((dest) - (ctx->idx * 4)) & 0x03fffffc)) ++#define PPC_JMP(dest) \ ++ do { \ ++ long offset = (long)(dest) - (ctx->idx * 4); \ ++ if (!is_offset_in_branch_range(offset)) { \ ++ pr_err_ratelimited("Branch offset 0x%lx (@%u) out of range\n", offset, ctx->idx); \ ++ return -ERANGE; \ ++ } \ ++ EMIT(PPC_INST_BRANCH | (offset & 0x03fffffc)); \ ++ } while (0) + /* "cond" here covers BO:BI fields. */ +-#define PPC_BCC_SHORT(cond, dest) EMIT(PPC_INST_BRANCH_COND | \ +- (((cond) & 0x3ff) << 16) | \ +- (((dest) - (ctx->idx * 4)) & \ +- 0xfffc)) ++#define PPC_BCC_SHORT(cond, dest) \ ++ do { \ ++ long offset = (long)(dest) - (ctx->idx * 4); \ ++ if (!is_offset_in_cond_branch_range(offset)) { \ ++ pr_err_ratelimited("Conditional branch offset 0x%lx (@%u) out of range\n", offset, ctx->idx); \ ++ return -ERANGE; \ ++ } \ ++ EMIT(PPC_INST_BRANCH_COND | (((cond) & 0x3ff) << 16) | (offset & 0xfffc)); \ ++ } while (0) ++ + /* Sign-extended 32-bit immediate load */ + #define PPC_LI32(d, i) do { \ + if ((int)(uintptr_t)(i) >= -32768 && \ +--- a/arch/powerpc/net/bpf_jit_comp64.c ++++ b/arch/powerpc/net/bpf_jit_comp64.c +@@ -202,7 +202,7 @@ static void bpf_jit_emit_func_call(u32 * + PPC_BLRL(); + } + +-static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out) ++static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out) + { + /* + * By now, the eBPF program has already setup parameters in r3, r4 and r5 +@@ -263,7 +263,9 @@ static void bpf_jit_emit_tail_call(u32 * + bpf_jit_emit_common_epilogue(image, ctx); + + PPC_BCTR(); ++ + /* out: */ ++ return 0; + } + + /* Assemble the body code between the prologue & epilogue */ +@@ -273,7 +275,7 @@ static int bpf_jit_build_body(struct bpf + { + const struct bpf_insn *insn = fp->insnsi; + int flen = fp->len; +- int i; ++ int i, ret; + + /* Start of epilogue code - will only be valid 2nd pass onwards */ + u32 exit_addr = addrs[flen]; +@@ -863,7 +865,9 @@ cond_branch: + */ + case BPF_JMP | BPF_TAIL_CALL: + ctx->seen |= SEEN_TAILCALL; +- bpf_jit_emit_tail_call(image, ctx, addrs[i + 1]); ++ ret = bpf_jit_emit_tail_call(image, ctx, addrs[i + 1]); ++ if (ret < 0) ++ return ret; + break; + + default: diff --git a/queue-4.19/powerpc-lib-add-helper-to-check-if-offset-is-within-conditional-branch-range.patch b/queue-4.19/powerpc-lib-add-helper-to-check-if-offset-is-within-conditional-branch-range.patch new file mode 100644 index 00000000000..d74bc3fab62 --- /dev/null +++ b/queue-4.19/powerpc-lib-add-helper-to-check-if-offset-is-within-conditional-branch-range.patch @@ -0,0 +1,85 @@ +From foo@baz Mon Nov 15 03:31:22 PM CET 2021 +From: "Naveen N. Rao" +Date: Mon, 15 Nov 2021 16:35:28 +0530 +Subject: powerpc/lib: Add helper to check if offset is within conditional branch range +To: +Cc: Michael Ellerman , Daniel Borkmann +Message-ID: <7b757e056b85dc60a0ab84dafb6b648d017a02ea.1636968020.git.naveen.n.rao@linux.vnet.ibm.com> + +From: "Naveen N. Rao" + +upstream commit 4549c3ea3160fa8b3f37dfe2f957657bb265eda9 + +Add a helper to check if a given offset is within the branch range for a +powerpc conditional branch instruction, and update some sites to use the +new helper. + +Signed-off-by: Naveen N. Rao +Reviewed-by: Christophe Leroy +Acked-by: Song Liu +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/442b69a34ced32ca346a0d9a855f3f6cfdbbbd41.1633464148.git.naveen.n.rao@linux.vnet.ibm.com +Signed-off-by: Naveen N. Rao +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/code-patching.h | 1 + + arch/powerpc/lib/code-patching.c | 7 ++++++- + arch/powerpc/net/bpf_jit.h | 7 +------ + 3 files changed, 8 insertions(+), 7 deletions(-) + +--- a/arch/powerpc/include/asm/code-patching.h ++++ b/arch/powerpc/include/asm/code-patching.h +@@ -26,6 +26,7 @@ + #define BRANCH_ABSOLUTE 0x2 + + bool is_offset_in_branch_range(long offset); ++bool is_offset_in_cond_branch_range(long offset); + unsigned int create_branch(const unsigned int *addr, + unsigned long target, int flags); + unsigned int create_cond_branch(const unsigned int *addr, +--- a/arch/powerpc/lib/code-patching.c ++++ b/arch/powerpc/lib/code-patching.c +@@ -243,6 +243,11 @@ bool is_offset_in_branch_range(long offs + return (offset >= -0x2000000 && offset <= 0x1fffffc && !(offset & 0x3)); + } + ++bool is_offset_in_cond_branch_range(long offset) ++{ ++ return offset >= -0x8000 && offset <= 0x7fff && !(offset & 0x3); ++} ++ + /* + * Helper to check if a given instruction is a conditional branch + * Derived from the conditional checks in analyse_instr() +@@ -296,7 +301,7 @@ unsigned int create_cond_branch(const un + offset = offset - (unsigned long)addr; + + /* Check we can represent the target in the instruction format */ +- if (offset < -0x8000 || offset > 0x7FFF || offset & 0x3) ++ if (!is_offset_in_cond_branch_range(offset)) + return 0; + + /* Mask out the flags and target, so they don't step on each other. */ +--- a/arch/powerpc/net/bpf_jit.h ++++ b/arch/powerpc/net/bpf_jit.h +@@ -221,11 +221,6 @@ + #define PPC_FUNC_ADDR(d,i) do { PPC_LI32(d, i); } while(0) + #endif + +-static inline bool is_nearbranch(int offset) +-{ +- return (offset < 32768) && (offset >= -32768); +-} +- + /* + * The fly in the ointment of code size changing from pass to pass is + * avoided by padding the short branch case with a NOP. If code size differs +@@ -234,7 +229,7 @@ static inline bool is_nearbranch(int off + * state. + */ + #define PPC_BCC(cond, dest) do { \ +- if (is_nearbranch((dest) - (ctx->idx * 4))) { \ ++ if (is_offset_in_cond_branch_range((long)(dest) - (ctx->idx * 4))) { \ + PPC_BCC_SHORT(cond, dest); \ + PPC_NOP(); \ + } else { \ diff --git a/queue-4.19/powerpc-security-add-a-helper-to-query-stf_barrier-type.patch b/queue-4.19/powerpc-security-add-a-helper-to-query-stf_barrier-type.patch new file mode 100644 index 00000000000..6fea5e3c12e --- /dev/null +++ b/queue-4.19/powerpc-security-add-a-helper-to-query-stf_barrier-type.patch @@ -0,0 +1,52 @@ +From foo@baz Mon Nov 15 03:31:22 PM CET 2021 +From: "Naveen N. Rao" +Date: Mon, 15 Nov 2021 16:35:31 +0530 +Subject: powerpc/security: Add a helper to query stf_barrier type +To: +Cc: Michael Ellerman , Daniel Borkmann +Message-ID: <962f76e4e51c5e97c26188195a9e8c2bde8f9ba9.1636968020.git.naveen.n.rao@linux.vnet.ibm.com> + +From: "Naveen N. Rao" + +upstream commit 030905920f32e91a52794937f67434ac0b3ea41a + +Add a helper to return the stf_barrier type for the current processor. + +Signed-off-by: Naveen N. Rao +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/3bd5d7f96ea1547991ac2ce3137dc2b220bae285.1633464148.git.naveen.n.rao@linux.vnet.ibm.com +Signed-off-by: Naveen N. Rao +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/security_features.h | 5 +++++ + arch/powerpc/kernel/security.c | 5 +++++ + 2 files changed, 10 insertions(+) + +--- a/arch/powerpc/include/asm/security_features.h ++++ b/arch/powerpc/include/asm/security_features.h +@@ -39,6 +39,11 @@ static inline bool security_ftr_enabled( + return !!(powerpc_security_features & feature); + } + ++#ifdef CONFIG_PPC_BOOK3S_64 ++enum stf_barrier_type stf_barrier_type_get(void); ++#else ++static inline enum stf_barrier_type stf_barrier_type_get(void) { return STF_BARRIER_NONE; } ++#endif + + // Features indicating support for Spectre/Meltdown mitigations + +--- a/arch/powerpc/kernel/security.c ++++ b/arch/powerpc/kernel/security.c +@@ -248,6 +248,11 @@ static int __init handle_no_stf_barrier( + + early_param("no_stf_barrier", handle_no_stf_barrier); + ++enum stf_barrier_type stf_barrier_type_get(void) ++{ ++ return stf_enabled_flush_types; ++} ++ + /* This is the generic flag used by other architectures */ + static int __init handle_ssbd(char *p) + { diff --git a/queue-4.19/s390-cio-check-the-subchannel-validity-for-dev_busid.patch b/queue-4.19/s390-cio-check-the-subchannel-validity-for-dev_busid.patch new file mode 100644 index 00000000000..a1ea1f930c0 --- /dev/null +++ b/queue-4.19/s390-cio-check-the-subchannel-validity-for-dev_busid.patch @@ -0,0 +1,37 @@ +From a4751f157c194431fae9e9c493f456df8272b871 Mon Sep 17 00:00:00 2001 +From: Vineeth Vijayan +Date: Fri, 5 Nov 2021 16:44:51 +0100 +Subject: s390/cio: check the subchannel validity for dev_busid + +From: Vineeth Vijayan + +commit a4751f157c194431fae9e9c493f456df8272b871 upstream. + +Check the validity of subchanel before reading other fields in +the schib. + +Fixes: d3683c055212 ("s390/cio: add dev_busid sysfs entry for each subchannel") +CC: +Reported-by: Cornelia Huck +Signed-off-by: Vineeth Vijayan +Reviewed-by: Cornelia Huck +Link: https://lore.kernel.org/r/20211105154451.847288-1-vneethv@linux.ibm.com +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/cio/css.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/s390/cio/css.c ++++ b/drivers/s390/cio/css.c +@@ -371,8 +371,8 @@ static ssize_t dev_busid_show(struct dev + struct subchannel *sch = to_subchannel(dev); + struct pmcw *pmcw = &sch->schib.pmcw; + +- if ((pmcw->st == SUBCHANNEL_TYPE_IO || +- pmcw->st == SUBCHANNEL_TYPE_MSG) && pmcw->dnv) ++ if ((pmcw->st == SUBCHANNEL_TYPE_IO && pmcw->dnv) || ++ (pmcw->st == SUBCHANNEL_TYPE_MSG && pmcw->w)) + return sysfs_emit(buf, "0.%x.%04x\n", sch->schid.ssid, + pmcw->dev); + else diff --git a/queue-4.19/s390-tape-fix-timer-initialization-in-tape_std_assign.patch b/queue-4.19/s390-tape-fix-timer-initialization-in-tape_std_assign.patch new file mode 100644 index 00000000000..5e1a4446959 --- /dev/null +++ b/queue-4.19/s390-tape-fix-timer-initialization-in-tape_std_assign.patch @@ -0,0 +1,44 @@ +From 213fca9e23b59581c573d558aa477556f00b8198 Mon Sep 17 00:00:00 2001 +From: Sven Schnelle +Date: Tue, 2 Nov 2021 10:55:30 +0100 +Subject: s390/tape: fix timer initialization in tape_std_assign() + +From: Sven Schnelle + +commit 213fca9e23b59581c573d558aa477556f00b8198 upstream. + +commit 9c6c273aa424 ("timer: Remove init_timer_on_stack() in favor +of timer_setup_on_stack()") changed the timer setup from +init_timer_on_stack(() to timer_setup(), but missed to change the +mod_timer() call. And while at it, use msecs_to_jiffies() instead +of the open coded timeout calculation. + +Cc: stable@vger.kernel.org +Fixes: 9c6c273aa424 ("timer: Remove init_timer_on_stack() in favor of timer_setup_on_stack()") +Signed-off-by: Sven Schnelle +Reviewed-by: Vasily Gorbik +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/char/tape_std.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/s390/char/tape_std.c ++++ b/drivers/s390/char/tape_std.c +@@ -53,7 +53,6 @@ int + tape_std_assign(struct tape_device *device) + { + int rc; +- struct timer_list timeout; + struct tape_request *request; + + request = tape_alloc_request(2, 11); +@@ -70,7 +69,7 @@ tape_std_assign(struct tape_device *devi + * So we set up a timeout for this call. + */ + timer_setup(&request->timer, tape_std_assign_timeout, 0); +- mod_timer(&timeout, jiffies + 2 * HZ); ++ mod_timer(&request->timer, jiffies + msecs_to_jiffies(2000)); + + rc = tape_do_io_interruptible(device, request); + diff --git a/queue-4.19/series b/queue-4.19/series index 26088f621d5..90188fe6f32 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -236,3 +236,14 @@ arm-9155-1-fix-early-early_iounmap.patch arm-9156-1-drop-cc-option-fallbacks-for-architecture-selection.patch f2fs-should-use-gfp_nofs-for-directory-inodes.patch 9p-net-fix-missing-error-check-in-p9_check_errors.patch +powerpc-lib-add-helper-to-check-if-offset-is-within-conditional-branch-range.patch +powerpc-bpf-validate-branch-ranges.patch +powerpc-bpf-fix-bpf_sub-when-imm-0x80000000.patch +powerpc-security-add-a-helper-to-query-stf_barrier-type.patch +powerpc-bpf-emit-stf-barrier-instruction-sequences-for-bpf_nospec.patch +mm-oom-pagefault_out_of_memory-don-t-force-global-oom-for-dying-tasks.patch +mm-oom-do-not-trigger-out_of_memory-from-the-pf.patch +backlight-gpio-backlight-correct-initial-power-state-handling.patch +video-backlight-drop-maximum-brightness-override-for-brightness-zero.patch +s390-cio-check-the-subchannel-validity-for-dev_busid.patch +s390-tape-fix-timer-initialization-in-tape_std_assign.patch diff --git a/queue-4.19/video-backlight-drop-maximum-brightness-override-for-brightness-zero.patch b/queue-4.19/video-backlight-drop-maximum-brightness-override-for-brightness-zero.patch new file mode 100644 index 00000000000..742575cfc99 --- /dev/null +++ b/queue-4.19/video-backlight-drop-maximum-brightness-override-for-brightness-zero.patch @@ -0,0 +1,49 @@ +From 33a5471f8da976bf271a1ebbd6b9d163cb0cb6aa Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Tue, 21 Sep 2021 19:35:06 +0200 +Subject: video: backlight: Drop maximum brightness override for brightness zero +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Vasut + +commit 33a5471f8da976bf271a1ebbd6b9d163cb0cb6aa upstream. + +The note in c2adda27d202f ("video: backlight: Add of_find_backlight helper +in backlight.c") says that gpio-backlight uses brightness as power state. +This has been fixed since in ec665b756e6f7 ("backlight: gpio-backlight: +Correct initial power state handling") and other backlight drivers do not +require this workaround. Drop the workaround. + +This fixes the case where e.g. pwm-backlight can perfectly well be set to +brightness 0 on boot in DT, which without this patch leads to the display +brightness to be max instead of off. + +Fixes: c2adda27d202f ("video: backlight: Add of_find_backlight helper in backlight.c") +Cc: # 5.4+ +Cc: # 4.19.x: ec665b756e6f7: backlight: gpio-backlight: Correct initial power state handling +Signed-off-by: Marek Vasut +Acked-by: Noralf Trønnes +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/backlight/backlight.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/video/backlight/backlight.c ++++ b/drivers/video/backlight/backlight.c +@@ -610,12 +610,6 @@ struct backlight_device *of_find_backlig + of_node_put(np); + if (!bd) + return ERR_PTR(-EPROBE_DEFER); +- /* +- * Note: gpio_backlight uses brightness as +- * power state during probe +- */ +- if (!bd->props.brightness) +- bd->props.brightness = bd->props.max_brightness; + } + } +