5.4-stable patches

added patches:
	dm-raid-fix-accesses-beyond-end-of-raid-member-array.patch
	dm-raid-fix-kasan-warning-in-raid5_add_disks.patch
	ipv6-take-care-of-disable_policy-when-restoring-routes.patch
	nvdimm-fix-badblocks-clear-off-by-one-error.patch
	powerpc-bpf-fix-use-of-user_pt_regs-in-uapi.patch
	powerpc-prom_init-fix-kernel-config-grep.patch

diff --git a/queue-5.4/dm-raid-fix-accesses-beyond-end-of-raid-member-array.patch b/queue-5.4/dm-raid-fix-accesses-beyond-end-of-raid-member-array.patch
new file mode 100644 (file)
index 0000000..8579ba2
--- /dev/null
+++ b/queue-5.4/dm-raid-fix-accesses-beyond-end-of-raid-member-array.patch
@@ -0,0 +1,118 @@
+From 332bd0778775d0cf105c4b9e03e460b590749916 Mon Sep 17 00:00:00 2001
+From: Heinz Mauelshagen <heinzm@redhat.com>
+Date: Tue, 28 Jun 2022 00:37:22 +0200
+Subject: dm raid: fix accesses beyond end of raid member array
+
+From: Heinz Mauelshagen <heinzm@redhat.com>
+
+commit 332bd0778775d0cf105c4b9e03e460b590749916 upstream.
+
+On dm-raid table load (using raid_ctr), dm-raid allocates an array
+rs->devs[rs->raid_disks] for the raid device members. rs->raid_disks
+is defined by the number of raid metadata and image tupples passed
+into the target's constructor.
+
+In the case of RAID layout changes being requested, that number can be
+different from the current number of members for existing raid sets as
+defined in their superblocks. Example RAID layout changes include:
+- raid1 legs being added/removed
+- raid4/5/6/10 number of stripes changed (stripe reshaping)
+- takeover to higher raid level (e.g. raid5 -> raid6)
+
+When accessing array members, rs->raid_disks must be used in control
+loops instead of the potentially larger value in rs->md.raid_disks.
+Otherwise it will cause memory access beyond the end of the rs->devs
+array.
+
+Fix this by changing code that is prone to out-of-bounds access.
+Also fix validate_raid_redundancy() to validate all devices that are
+added. Also, use braces to help clean up raid_iterate_devices().
+
+The out-of-bounds memory accesses was discovered using KASAN.
+
+This commit was verified to pass all LVM2 RAID tests (with KASAN
+enabled).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-raid.c |   34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -998,12 +998,13 @@ static int validate_region_size(struct r
+ static int validate_raid_redundancy(struct raid_set *rs)
+ {
+       unsigned int i, rebuild_cnt = 0;
+-      unsigned int rebuilds_per_group = 0, copies;
++      unsigned int rebuilds_per_group = 0, copies, raid_disks;
+       unsigned int group_size, last_group_start;
+ 
+-      for (i = 0; i < rs->md.raid_disks; i++)
+-              if (!test_bit(In_sync, &rs->dev[i].rdev.flags) ||
+-                  !rs->dev[i].rdev.sb_page)
++      for (i = 0; i < rs->raid_disks; i++)
++              if (!test_bit(FirstUse, &rs->dev[i].rdev.flags) &&
++                  ((!test_bit(In_sync, &rs->dev[i].rdev.flags) ||
++                    !rs->dev[i].rdev.sb_page)))
+                       rebuild_cnt++;
+ 
+       switch (rs->md.level) {
+@@ -1043,8 +1044,9 @@ static int validate_raid_redundancy(stru
+                *          A    A    B    B    C
+                *          C    D    D    E    E
+                */
++              raid_disks = min(rs->raid_disks, rs->md.raid_disks);
+               if (__is_raid10_near(rs->md.new_layout)) {
+-                      for (i = 0; i < rs->md.raid_disks; i++) {
++                      for (i = 0; i < raid_disks; i++) {
+                               if (!(i % copies))
+                                       rebuilds_per_group = 0;
+                               if ((!rs->dev[i].rdev.sb_page ||
+@@ -1067,10 +1069,10 @@ static int validate_raid_redundancy(stru
+                * results in the need to treat the last (potentially larger)
+                * set differently.
+                */
+-              group_size = (rs->md.raid_disks / copies);
+-              last_group_start = (rs->md.raid_disks / group_size) - 1;
++              group_size = (raid_disks / copies);
++              last_group_start = (raid_disks / group_size) - 1;
+               last_group_start *= group_size;
+-              for (i = 0; i < rs->md.raid_disks; i++) {
++              for (i = 0; i < raid_disks; i++) {
+                       if (!(i % copies) && !(i > last_group_start))
+                               rebuilds_per_group = 0;
+                       if ((!rs->dev[i].rdev.sb_page ||
+@@ -1585,7 +1587,7 @@ static sector_t __rdev_sectors(struct ra
+ {
+       int i;
+ 
+-      for (i = 0; i < rs->md.raid_disks; i++) {
++      for (i = 0; i < rs->raid_disks; i++) {
+               struct md_rdev *rdev = &rs->dev[i].rdev;
+ 
+               if (!test_bit(Journal, &rdev->flags) &&
+@@ -3746,13 +3748,13 @@ static int raid_iterate_devices(struct d
+       unsigned int i;
+       int r = 0;
+ 
+-      for (i = 0; !r && i < rs->md.raid_disks; i++)
+-              if (rs->dev[i].data_dev)
+-                      r = fn(ti,
+-                               rs->dev[i].data_dev,
+-                               0, /* No offset on data devs */
+-                               rs->md.dev_sectors,
+-                               data);
++      for (i = 0; !r && i < rs->raid_disks; i++) {
++              if (rs->dev[i].data_dev) {
++                      r = fn(ti, rs->dev[i].data_dev,
++                             0, /* No offset on data devs */
++                             rs->md.dev_sectors, data);
++              }
++      }
+ 
+       return r;
+ }

diff --git a/queue-5.4/dm-raid-fix-kasan-warning-in-raid5_add_disks.patch b/queue-5.4/dm-raid-fix-kasan-warning-in-raid5_add_disks.patch
new file mode 100644 (file)
index 0000000..11a8ae1
--- /dev/null
+++ b/queue-5.4/dm-raid-fix-kasan-warning-in-raid5_add_disks.patch
@@ -0,0 +1,32 @@
+From 617b365872a247480e9dcd50a32c8d1806b21861 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 29 Jun 2022 13:40:57 -0400
+Subject: dm raid: fix KASAN warning in raid5_add_disks
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 617b365872a247480e9dcd50a32c8d1806b21861 upstream.
+
+There's a KASAN warning in raid5_add_disk when running the LVM testsuite.
+The warning happens in the test
+lvconvert-raid-reshape-linear_to_raid6-single-type.sh. We fix the warning
+by verifying that rdev->saved_raid_disk is within limits.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid5.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -7722,6 +7722,7 @@ static int raid5_add_disk(struct mddev *
+        */
+       if (rdev->saved_raid_disk >= 0 &&
+           rdev->saved_raid_disk >= first &&
++          rdev->saved_raid_disk <= last &&
+           conf->disks[rdev->saved_raid_disk].rdev == NULL)
+               first = rdev->saved_raid_disk;
+ 

diff --git a/queue-5.4/ipv6-take-care-of-disable_policy-when-restoring-routes.patch b/queue-5.4/ipv6-take-care-of-disable_policy-when-restoring-routes.patch
new file mode 100644 (file)
index 0000000..69ec2cb
--- /dev/null
+++ b/queue-5.4/ipv6-take-care-of-disable_policy-when-restoring-routes.patch
@@ -0,0 +1,63 @@
+From 3b0dc529f56b5f2328244130683210be98f16f7f Mon Sep 17 00:00:00 2001
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Thu, 23 Jun 2022 14:00:15 +0200
+Subject: ipv6: take care of disable_policy when restoring routes
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+commit 3b0dc529f56b5f2328244130683210be98f16f7f upstream.
+
+When routes corresponding to addresses are restored by
+fixup_permanent_addr(), the dst_nopolicy parameter was not set.
+The typical use case is a user that configures an address on a down
+interface and then put this interface up.
+
+Let's take care of this flag in addrconf_f6i_alloc(), so that every callers
+benefit ont it.
+
+CC: stable@kernel.org
+CC: David Forster <dforster@brocade.com>
+Fixes: df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl")
+Reported-by: Siwar Zitouni <siwar.zitouni@6wind.com>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20220623120015.32640-1-nicolas.dichtel@6wind.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c |    4 ----
+ net/ipv6/route.c    |    9 ++++++++-
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1102,10 +1102,6 @@ ipv6_add_addr(struct inet6_dev *idev, st
+               goto out;
+       }
+ 
+-      if (net->ipv6.devconf_all->disable_policy ||
+-          idev->cnf.disable_policy)
+-              f6i->dst_nopolicy = true;
+-
+       neigh_parms_data_state_setall(idev->nd_parms);
+ 
+       ifa->addr = *cfg->pfx;
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -4483,8 +4483,15 @@ struct fib6_info *addrconf_f6i_alloc(str
+       }
+ 
+       f6i = ip6_route_info_create(&cfg, gfp_flags, NULL);
+-      if (!IS_ERR(f6i))
++      if (!IS_ERR(f6i)) {
+               f6i->dst_nocount = true;
++
++              if (!anycast &&
++                  (net->ipv6.devconf_all->disable_policy ||
++                   idev->cnf.disable_policy))
++                      f6i->dst_nopolicy = true;
++      }
++
+       return f6i;
+ }
+ 

diff --git a/queue-5.4/nvdimm-fix-badblocks-clear-off-by-one-error.patch b/queue-5.4/nvdimm-fix-badblocks-clear-off-by-one-error.patch
new file mode 100644 (file)
index 0000000..e49092c
--- /dev/null
+++ b/queue-5.4/nvdimm-fix-badblocks-clear-off-by-one-error.patch
@@ -0,0 +1,38 @@
+From ef9102004a87cb3f8b26e000a095a261fc0467d3 Mon Sep 17 00:00:00 2001
+From: Chris Ye <chris.ye@intel.com>
+Date: Tue, 31 May 2022 17:09:54 -0700
+Subject: nvdimm: Fix badblocks clear off-by-one error
+
+From: Chris Ye <chris.ye@intel.com>
+
+commit ef9102004a87cb3f8b26e000a095a261fc0467d3 upstream.
+
+nvdimm_clear_badblocks_region() validates badblock clearing requests
+against the span of the region, however it compares the inclusive
+badblock request range to the exclusive region range. Fix up the
+off-by-one error.
+
+Fixes: 23f498448362 ("libnvdimm: rework region badblocks clearing")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Chris Ye <chris.ye@intel.com>
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Link: https://lore.kernel.org/r/165404219489.2445897.9792886413715690399.stgit@dwillia2-xfh
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvdimm/bus.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -187,8 +187,8 @@ static int nvdimm_clear_badblocks_region
+       ndr_end = nd_region->ndr_start + nd_region->ndr_size - 1;
+ 
+       /* make sure we are in the region */
+-      if (ctx->phys < nd_region->ndr_start
+-                      || (ctx->phys + ctx->cleared) > ndr_end)
++      if (ctx->phys < nd_region->ndr_start ||
++          (ctx->phys + ctx->cleared - 1) > ndr_end)
+               return 0;
+ 
+       sector = (ctx->phys - nd_region->ndr_start) / 512;

diff --git a/queue-5.4/powerpc-bpf-fix-use-of-user_pt_regs-in-uapi.patch b/queue-5.4/powerpc-bpf-fix-use-of-user_pt_regs-in-uapi.patch
new file mode 100644 (file)
index 0000000..49c65db
--- /dev/null
+++ b/queue-5.4/powerpc-bpf-fix-use-of-user_pt_regs-in-uapi.patch
@@ -0,0 +1,81 @@
+From b21bd5a4b130f8370861478d2880985daace5913 Mon Sep 17 00:00:00 2001
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Tue, 28 Jun 2022 00:41:19 +0530
+Subject: powerpc/bpf: Fix use of user_pt_regs in uapi
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+
+commit b21bd5a4b130f8370861478d2880985daace5913 upstream.
+
+Trying to build a .c file that includes <linux/bpf_perf_event.h>:
+  $ cat test_bpf_headers.c
+  #include <linux/bpf_perf_event.h>
+
+throws the below error:
+  /usr/include/linux/bpf_perf_event.h:14:28: error: field ‘regs’ has incomplete type
+     14 |         bpf_user_pt_regs_t regs;
+       |                            ^~~~
+
+This is because we typedef bpf_user_pt_regs_t to 'struct user_pt_regs'
+in arch/powerpc/include/uaps/asm/bpf_perf_event.h, but 'struct
+user_pt_regs' is not exposed to userspace.
+
+Powerpc has both pt_regs and user_pt_regs structures. However, unlike
+arm64 and s390, we expose user_pt_regs to userspace as just 'pt_regs'.
+As such, we should typedef bpf_user_pt_regs_t to 'struct pt_regs' for
+userspace.
+
+Within the kernel though, we want to typedef bpf_user_pt_regs_t to
+'struct user_pt_regs'.
+
+Remove arch/powerpc/include/uapi/asm/bpf_perf_event.h so that the
+uapi/asm-generic version of the header is exposed to userspace.
+Introduce arch/powerpc/include/asm/bpf_perf_event.h so that we can
+typedef bpf_user_pt_regs_t to 'struct user_pt_regs' for use within the
+kernel.
+
+Note that this was not showing up with the bpf selftest build since
+tools/include/uapi/asm/bpf_perf_event.h didn't include the powerpc
+variant.
+
+Fixes: a6460b03f945ee ("powerpc/bpf: Fix broken uapi for BPF_PROG_TYPE_PERF_EVENT")
+Cc: stable@vger.kernel.org # v4.20+
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+[mpe: Use typical naming for header include guard]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220627191119.142867-1-naveen.n.rao@linux.vnet.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/bpf_perf_event.h      |    9 +++++++++
+ arch/powerpc/include/uapi/asm/bpf_perf_event.h |    9 ---------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+ create mode 100644 arch/powerpc/include/asm/bpf_perf_event.h
+ delete mode 100644 arch/powerpc/include/uapi/asm/bpf_perf_event.h
+
+--- /dev/null
++++ b/arch/powerpc/include/asm/bpf_perf_event.h
+@@ -0,0 +1,9 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++#ifndef _ASM_POWERPC_BPF_PERF_EVENT_H
++#define _ASM_POWERPC_BPF_PERF_EVENT_H
++
++#include <asm/ptrace.h>
++
++typedef struct user_pt_regs bpf_user_pt_regs_t;
++
++#endif /* _ASM_POWERPC_BPF_PERF_EVENT_H */
+--- a/arch/powerpc/include/uapi/asm/bpf_perf_event.h
++++ /dev/null
+@@ -1,9 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+-#ifndef _UAPI__ASM_BPF_PERF_EVENT_H__
+-#define _UAPI__ASM_BPF_PERF_EVENT_H__
+-
+-#include <asm/ptrace.h>
+-
+-typedef struct user_pt_regs bpf_user_pt_regs_t;
+-
+-#endif /* _UAPI__ASM_BPF_PERF_EVENT_H__ */

diff --git a/queue-5.4/powerpc-prom_init-fix-kernel-config-grep.patch b/queue-5.4/powerpc-prom_init-fix-kernel-config-grep.patch
new file mode 100644 (file)
index 0000000..636dbe1
--- /dev/null
+++ b/queue-5.4/powerpc-prom_init-fix-kernel-config-grep.patch
@@ -0,0 +1,33 @@
+From 6886da5f49e6d86aad76807a93f3eef5e4f01b10 Mon Sep 17 00:00:00 2001
+From: Liam Howlett <liam.howlett@oracle.com>
+Date: Fri, 24 Jun 2022 01:17:58 +0000
+Subject: powerpc/prom_init: Fix kernel config grep
+
+From: Liam Howlett <liam.howlett@oracle.com>
+
+commit 6886da5f49e6d86aad76807a93f3eef5e4f01b10 upstream.
+
+When searching for config options, use the KCONFIG_CONFIG shell variable
+so that builds using non-standard config locations work.
+
+Fixes: 26deb04342e3 ("powerpc: prepare string/mem functions for KASAN")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220624011745.4060795-1-Liam.Howlett@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/prom_init_check.sh |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/prom_init_check.sh
++++ b/arch/powerpc/kernel/prom_init_check.sh
+@@ -13,7 +13,7 @@
+ # If you really need to reference something from prom_init.o add
+ # it to the list below:
+ 
+-grep "^CONFIG_KASAN=y$" .config >/dev/null
++grep "^CONFIG_KASAN=y$" ${KCONFIG_CONFIG} >/dev/null
+ if [ $? -eq 0 ]
+ then
+       MEM_FUNCS="__memcpy __memset"

diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644 (file)
index 0000000..574e6b7
--- /dev/null
+++ b/queue-5.4/series
@@ -0,0 +1,6 @@
+ipv6-take-care-of-disable_policy-when-restoring-routes.patch
+nvdimm-fix-badblocks-clear-off-by-one-error.patch
+powerpc-prom_init-fix-kernel-config-grep.patch
+powerpc-bpf-fix-use-of-user_pt_regs-in-uapi.patch
+dm-raid-fix-accesses-beyond-end-of-raid-member-array.patch
+dm-raid-fix-kasan-warning-in-raid5_add_disks.patch