From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 15 Dec 2021 13:35:52 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v5.4.167~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fb363af13c51b4ba8d5ec85ed411f282e55c28fc;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	bpf-fix-integer-overflow-in-argument-calculation-for-bpf_map_area_alloc.patch
	kvm-x86-ignore-sparse-banks-size-for-an-all-cpus-non-sparse-ipi-req.patch
	staging-most-dim2-use-device-release-method.patch
---

diff --git a/queue-5.10/bpf-fix-integer-overflow-in-argument-calculation-for-bpf_map_area_alloc.patch b/queue-5.10/bpf-fix-integer-overflow-in-argument-calculation-for-bpf_map_area_alloc.patch
new file mode 100644
index 00000000000..55c95223f4c
--- /dev/null
+++ b/queue-5.10/bpf-fix-integer-overflow-in-argument-calculation-for-bpf_map_area_alloc.patch
@@ -0,0 +1,60 @@
+From 7dd5d437c258bbf4cc15b35229e5208b87b8b4e0 Mon Sep 17 00:00:00 2001
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+Date: Sun, 13 Jun 2021 21:34:39 +0700
+Subject: bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc
+
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+
+commit 7dd5d437c258bbf4cc15b35229e5208b87b8b4e0 upstream.
+
+In 32-bit architecture, the result of sizeof() is a 32-bit integer so
+the expression becomes the multiplication between 2 32-bit integer which
+can potentially leads to integer overflow. As a result,
+bpf_map_area_alloc() allocates less memory than needed.
+
+Fix this by casting 1 operand to u64.
+
+Fixes: 0d2c4f964050 ("bpf: Eliminate rlimit-based memory accounting for sockmap and sockhash maps")
+Fixes: 99c51064fb06 ("devmap: Use bpf_map_area_alloc() for allocating hash buckets")
+Fixes: 546ac1ffb70d ("bpf: add devmap, a map for storing net device references")
+Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20210613143440.71975-1-minhquangbui99@gmail.com
+Signed-off-by: Connor O'Brien <connoro@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/devmap.c |    4 ++--
+ net/core/sock_map.c |    2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/kernel/bpf/devmap.c
++++ b/kernel/bpf/devmap.c
+@@ -92,7 +92,7 @@ static struct hlist_head *dev_map_create
+ 	int i;
+ 	struct hlist_head *hash;
+ 
+-	hash = bpf_map_area_alloc(entries * sizeof(*hash), numa_node);
++	hash = bpf_map_area_alloc((u64) entries * sizeof(*hash), numa_node);
+ 	if (hash != NULL)
+ 		for (i = 0; i < entries; i++)
+ 			INIT_HLIST_HEAD(&hash[i]);
+@@ -153,7 +153,7 @@ static int dev_map_init_map(struct bpf_d
+ 
+ 		spin_lock_init(&dtab->index_lock);
+ 	} else {
+-		dtab->netdev_map = bpf_map_area_alloc(dtab->map.max_entries *
++		dtab->netdev_map = bpf_map_area_alloc((u64) dtab->map.max_entries *
+ 						      sizeof(struct bpf_dtab_netdev *),
+ 						      dtab->map.numa_node);
+ 		if (!dtab->netdev_map)
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -52,7 +52,7 @@ static struct bpf_map *sock_map_alloc(un
+ 	if (err)
+ 		goto free_stab;
+ 
+-	stab->sks = bpf_map_area_alloc(stab->map.max_entries *
++	stab->sks = bpf_map_area_alloc((u64) stab->map.max_entries *
+ 				       sizeof(struct sock *),
+ 				       stab->map.numa_node);
+ 	if (stab->sks)
diff --git a/queue-5.10/kvm-x86-ignore-sparse-banks-size-for-an-all-cpus-non-sparse-ipi-req.patch b/queue-5.10/kvm-x86-ignore-sparse-banks-size-for-an-all-cpus-non-sparse-ipi-req.patch
new file mode 100644
index 00000000000..079d3589287
--- /dev/null
+++ b/queue-5.10/kvm-x86-ignore-sparse-banks-size-for-an-all-cpus-non-sparse-ipi-req.patch
@@ -0,0 +1,61 @@
+From 3244867af8c065e51969f1bffe732d3ebfd9a7d2 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 7 Dec 2021 22:09:19 +0000
+Subject: KVM: x86: Ignore sparse banks size for an "all CPUs", non-sparse IPI req
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 3244867af8c065e51969f1bffe732d3ebfd9a7d2 upstream.
+
+Do not bail early if there are no bits set in the sparse banks for a
+non-sparse, a.k.a. "all CPUs", IPI request.  Per the Hyper-V spec, it is
+legal to have a variable length of '0', e.g. VP_SET's BankContents in
+this case, if the request can be serviced without the extra info.
+
+  It is possible that for a given invocation of a hypercall that does
+  accept variable sized input headers that all the header input fits
+  entirely within the fixed size header. In such cases the variable sized
+  input header is zero-sized and the corresponding bits in the hypercall
+  input should be set to zero.
+
+Bailing early results in KVM failing to send IPIs to all CPUs as expected
+by the guest.
+
+Fixes: 214ff83d4473 ("KVM: x86: hyperv: implement PV IPI send hypercalls")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Message-Id: <20211207220926.718794-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/hyperv.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/hyperv.c
++++ b/arch/x86/kvm/hyperv.c
+@@ -1641,11 +1641,13 @@ static u64 kvm_hv_send_ipi(struct kvm_vc
+ 
+ 		all_cpus = send_ipi_ex.vp_set.format == HV_GENERIC_SET_ALL;
+ 
++		if (all_cpus)
++			goto check_and_send_ipi;
++
+ 		if (!sparse_banks_len)
+ 			goto ret_success;
+ 
+-		if (!all_cpus &&
+-		    kvm_read_guest(kvm,
++		if (kvm_read_guest(kvm,
+ 				   ingpa + offsetof(struct hv_send_ipi_ex,
+ 						    vp_set.bank_contents),
+ 				   sparse_banks,
+@@ -1653,6 +1655,7 @@ static u64 kvm_hv_send_ipi(struct kvm_vc
+ 			return HV_STATUS_INVALID_HYPERCALL_INPUT;
+ 	}
+ 
++check_and_send_ipi:
+ 	if ((vector < HV_IPI_LOW_VECTOR) || (vector > HV_IPI_HIGH_VECTOR))
+ 		return HV_STATUS_INVALID_HYPERCALL_INPUT;
+ 
diff --git a/queue-5.10/series b/queue-5.10/series
index 41e2224efa7..0dbf6026bf7 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -12,3 +12,6 @@ net-netlink-af_netlink-prevent-empty-skb-by-adding-a.patch
 drm-amd-display-fix-for-the-no-audio-bug-with-tiled-.patch
 drm-amd-display-add-connector-type-check-for-crc-sou.patch
 tracing-fix-a-kmemleak-false-positive-in-tracing_map.patch
+kvm-x86-ignore-sparse-banks-size-for-an-all-cpus-non-sparse-ipi-req.patch
+staging-most-dim2-use-device-release-method.patch
+bpf-fix-integer-overflow-in-argument-calculation-for-bpf_map_area_alloc.patch
diff --git a/queue-5.10/staging-most-dim2-use-device-release-method.patch b/queue-5.10/staging-most-dim2-use-device-release-method.patch
new file mode 100644
index 00000000000..9fed6c914df
--- /dev/null
+++ b/queue-5.10/staging-most-dim2-use-device-release-method.patch
@@ -0,0 +1,144 @@
+From d445aa402d60014a37a199fae2bba379696b007d Mon Sep 17 00:00:00 2001
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Date: Tue, 5 Oct 2021 17:34:50 +0300
+Subject: staging: most: dim2: use device release method
+
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+
+commit d445aa402d60014a37a199fae2bba379696b007d upstream.
+
+Commit 723de0f9171e ("staging: most: remove device from interface
+structure") moved registration of driver-provided struct device to
+the most subsystem. This updated dim2 driver as well.
+
+However, struct device passed to register_device() becomes refcounted,
+and must not be explicitly deallocated, but must provide release method
+instead. Which is incompatible with managing it via devres.
+
+This patch makes the device structure allocated without devres, adds
+device release method, and moves device destruction there.
+
+Fixes: 723de0f9171e ("staging: most: remove device from interface structure")
+Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Link: https://lore.kernel.org/r/20211005143448.8660-2-nikita.yoush@cogentembedded.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/most/dim2/dim2.c |   55 +++++++++++++++++++++------------------
+ 1 file changed, 30 insertions(+), 25 deletions(-)
+
+--- a/drivers/staging/most/dim2/dim2.c
++++ b/drivers/staging/most/dim2/dim2.c
+@@ -723,6 +723,23 @@ static int get_dim2_clk_speed(const char
+ 	return -EINVAL;
+ }
+ 
++static void dim2_release(struct device *d)
++{
++	struct dim2_hdm *dev = container_of(d, struct dim2_hdm, dev);
++	unsigned long flags;
++
++	kthread_stop(dev->netinfo_task);
++
++	spin_lock_irqsave(&dim_lock, flags);
++	dim_shutdown();
++	spin_unlock_irqrestore(&dim_lock, flags);
++
++	if (dev->disable_platform)
++		dev->disable_platform(to_platform_device(d->parent));
++
++	kfree(dev);
++}
++
+ /*
+  * dim2_probe - dim2 probe handler
+  * @pdev: platform device structure
+@@ -743,7 +760,7 @@ static int dim2_probe(struct platform_de
+ 
+ 	enum { MLB_INT_IDX, AHB0_INT_IDX };
+ 
+-	dev = devm_kzalloc(&pdev->dev, sizeof(*dev), GFP_KERNEL);
++	dev = kzalloc(sizeof(*dev), GFP_KERNEL);
+ 	if (!dev)
+ 		return -ENOMEM;
+ 
+@@ -755,25 +772,27 @@ static int dim2_probe(struct platform_de
+ 				      "microchip,clock-speed", &clock_speed);
+ 	if (ret) {
+ 		dev_err(&pdev->dev, "missing dt property clock-speed\n");
+-		return ret;
++		goto err_free_dev;
+ 	}
+ 
+ 	ret = get_dim2_clk_speed(clock_speed, &dev->clk_speed);
+ 	if (ret) {
+ 		dev_err(&pdev->dev, "bad dt property clock-speed\n");
+-		return ret;
++		goto err_free_dev;
+ 	}
+ 
+ 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ 	dev->io_base = devm_ioremap_resource(&pdev->dev, res);
+-	if (IS_ERR(dev->io_base))
+-		return PTR_ERR(dev->io_base);
++	if (IS_ERR(dev->io_base)) {
++		ret = PTR_ERR(dev->io_base);
++		goto err_free_dev;
++	}
+ 
+ 	of_id = of_match_node(dim2_of_match, pdev->dev.of_node);
+ 	pdata = of_id->data;
+ 	ret = pdata && pdata->enable ? pdata->enable(pdev) : 0;
+ 	if (ret)
+-		return ret;
++		goto err_free_dev;
+ 
+ 	dev->disable_platform = pdata ? pdata->disable : NULL;
+ 
+@@ -864,24 +883,19 @@ static int dim2_probe(struct platform_de
+ 	dev->most_iface.request_netinfo = request_netinfo;
+ 	dev->most_iface.driver_dev = &pdev->dev;
+ 	dev->most_iface.dev = &dev->dev;
+-	dev->dev.init_name = "dim2_state";
++	dev->dev.init_name = dev->name;
+ 	dev->dev.parent = &pdev->dev;
++	dev->dev.release = dim2_release;
+ 
+-	ret = most_register_interface(&dev->most_iface);
+-	if (ret) {
+-		dev_err(&pdev->dev, "failed to register MOST interface\n");
+-		goto err_stop_thread;
+-	}
+-
+-	return 0;
++	return most_register_interface(&dev->most_iface);
+ 
+-err_stop_thread:
+-	kthread_stop(dev->netinfo_task);
+ err_shutdown_dim:
+ 	dim_shutdown();
+ err_disable_platform:
+ 	if (dev->disable_platform)
+ 		dev->disable_platform(pdev);
++err_free_dev:
++	kfree(dev);
+ 
+ 	return ret;
+ }
+@@ -895,17 +909,8 @@ err_disable_platform:
+ static int dim2_remove(struct platform_device *pdev)
+ {
+ 	struct dim2_hdm *dev = platform_get_drvdata(pdev);
+-	unsigned long flags;
+ 
+ 	most_deregister_interface(&dev->most_iface);
+-	kthread_stop(dev->netinfo_task);
+-
+-	spin_lock_irqsave(&dim_lock, flags);
+-	dim_shutdown();
+-	spin_unlock_irqrestore(&dim_lock, flags);
+-
+-	if (dev->disable_platform)
+-		dev->disable_platform(pdev);
+ 
+ 	return 0;
+ }