From: Greg Kroah-Hartman Date: Mon, 4 Jul 2022 07:45:12 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.9.322~79 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bfc29a4aa7766bfc43ce105587a7109db3afec5c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: dm-raid-fix-accesses-beyond-end-of-raid-member-array.patch dm-raid-fix-kasan-warning-in-raid5_add_disks.patch ipv6-take-care-of-disable_policy-when-restoring-routes.patch nvdimm-fix-badblocks-clear-off-by-one-error.patch powerpc-bpf-fix-use-of-user_pt_regs-in-uapi.patch powerpc-prom_init-fix-kernel-config-grep.patch
---
diff --git a/queue-5.4/dm-raid-fix-accesses-beyond-end-of-raid-member-array.patch b/queue-5.4/dm-raid-fix-accesses-beyond-end-of-raid-member-array.patch
new file mode 100644
index 00000000000..8579ba20fd3
--- /dev/null
+++ b/queue-5.4/dm-raid-fix-accesses-beyond-end-of-raid-member-array.patch
@@ -0,0 +1,118 @@
+From 332bd0778775d0cf105c4b9e03e460b590749916 Mon Sep 17 00:00:00 2001
+From: Heinz Mauelshagen
+Date: Tue, 28 Jun 2022 00:37:22 +0200
+Subject: dm raid: fix accesses beyond end of raid member array
+
+From: Heinz Mauelshagen
+
+commit 332bd0778775d0cf105c4b9e03e460b590749916 upstream.
+
+On dm-raid table load (using raid_ctr), dm-raid allocates an array
+rs->devs[rs->raid_disks] for the raid device members. rs->raid_disks
+is defined by the number of raid metadata and image tupples passed
+into the target's constructor.
+
+In the case of RAID layout changes being requested, that number can be
+different from the current number of members for existing raid sets as
+defined in their superblocks. Example RAID layout changes include:
+- raid1 legs being added/removed
+- raid4/5/6/10 number of stripes changed (stripe reshaping)
+- takeover to higher raid level (e.g. raid5 -> raid6)
+
+When accessing array members, rs->raid_disks must be used in control
+loops instead of the potentially larger value in rs->md.raid_disks.
+Otherwise it will cause memory access beyond the end of the rs->devs
+array.
+
+Fix this by changing code that is prone to out-of-bounds access.
+Also fix validate_raid_redundancy() to validate all devices that are
+added. Also, use braces to help clean up raid_iterate_devices().
+
+The out-of-bounds memory accesses was discovered using KASAN.
+
+This commit was verified to pass all LVM2 RAID tests (with KASAN
+enabled).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Heinz Mauelshagen
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-raid.c | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -998,12 +998,13 @@ static int validate_region_size(struct r
+ static int validate_raid_redundancy(struct raid_set *rs)
+ {
+ unsigned int i, rebuild_cnt = 0;
+- unsigned int rebuilds_per_group = 0, copies;
++ unsigned int rebuilds_per_group = 0, copies, raid_disks;
+ unsigned int group_size, last_group_start;
+
+- for (i = 0; i < rs->md.raid_disks; i++)
+- if (!test_bit(In_sync, &rs->dev[i].rdev.flags) ||
+- !rs->dev[i].rdev.sb_page)
++ for (i = 0; i < rs->raid_disks; i++)
++ if (!test_bit(FirstUse, &rs->dev[i].rdev.flags) &&
++ ((!test_bit(In_sync, &rs->dev[i].rdev.flags) ||
++ !rs->dev[i].rdev.sb_page)))
+ rebuild_cnt++;
+
+ switch (rs->md.level) {
+@@ -1043,8 +1044,9 @@ static int validate_raid_redundancy(stru
+ * A A B B C
+ * C D D E E
+ */
++ raid_disks = min(rs->raid_disks, rs->md.raid_disks);
+ if (__is_raid10_near(rs->md.new_layout)) {
+- for (i = 0; i < rs->md.raid_disks; i++) {
++ for (i = 0; i < raid_disks; i++) {
+ if (!(i % copies))
+ rebuilds_per_group = 0;
+ if ((!rs->dev[i].rdev.sb_page ||
+@@ -1067,10 +1069,10 @@ static int validate_raid_redundancy(stru
+ * results in the need to treat the last (potentially larger)
+ * set differently.
+ */
+- group_size = (rs->md.raid_disks / copies);
+- last_group_start = (rs->md.raid_disks / group_size) - 1;
++ group_size = (raid_disks / copies);
++ last_group_start = (raid_disks / group_size) - 1;
+ last_group_start *= group_size;
+- for (i = 0; i < rs->md.raid_disks; i++) {
++ for (i = 0; i < raid_disks; i++) {
+ if (!(i % copies) && !(i > last_group_start))
+ rebuilds_per_group = 0;
+ if ((!rs->dev[i].rdev.sb_page ||
+@@ -1585,7 +1587,7 @@ static sector_t __rdev_sectors(struct ra
+ {
+ int i;
+
+- for (i = 0; i < rs->md.raid_disks; i++) {
++ for (i = 0; i < rs->raid_disks; i++) {
+ struct md_rdev *rdev = &rs->dev[i].rdev;
+
+ if (!test_bit(Journal, &rdev->flags) &&
+@@ -3746,13 +3748,13 @@ static int raid_iterate_devices(struct d
+ unsigned int i;
+ int r = 0;
+
+- for (i = 0; !r && i < rs->md.raid_disks; i++)
+- if (rs->dev[i].data_dev)
+- r = fn(ti,
+- rs->dev[i].data_dev,
+- 0, /* No offset on data devs */
+- rs->md.dev_sectors,
+- data);
++ for (i = 0; !r && i < rs->raid_disks; i++) {
++ if (rs->dev[i].data_dev) {
++ r = fn(ti, rs->dev[i].data_dev,
++ 0, /* No offset on data devs */
++ rs->md.dev_sectors, data);
++ }
++ }
+
+ return r;
+ }
diff --git a/queue-5.4/dm-raid-fix-kasan-warning-in-raid5_add_disks.patch b/queue-5.4/dm-raid-fix-kasan-warning-in-raid5_add_disks.patch
new file mode 100644
index 00000000000..11a8ae1dd46
--- /dev/null
+++ b/queue-5.4/dm-raid-fix-kasan-warning-in-raid5_add_disks.patch
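Review bot: In the raid10 far/offset branch of validate_raid_redundancy() in dm-raid.c, `group_size = (raid_disks / copies);` evaluates to zero whenever the clamped `raid_disks` is smaller than `copies`, and the next line divides by it. The new `min(rs->raid_disks, rs->md.raid_disks)` can only lower that value compared with the old `rs->md.raid_disks`, and no check that rules the case out is visible in these hunks, so it should be confirmed or guarded explicitly, for example `if (!group_size) return -EINVAL;` (error value assumed; use whatever the function's other failure paths return). A one-line comment on the `min()` assignment stating that `rs->dev[]` holds `rs->raid_disks` entries while the layout arithmetic follows `rs->md.raid_disks` would keep a later edit from widening the loops again. The function body starts and ends outside the hunks.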
@@ -0,0 +1,32 @@
+From 617b365872a247480e9dcd50a32c8d1806b21861 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Wed, 29 Jun 2022 13:40:57 -0400
+Subject: dm raid: fix KASAN warning in raid5_add_disks
+
+From: Mikulas Patocka
+
+commit 617b365872a247480e9dcd50a32c8d1806b21861 upstream.
+
+There's a KASAN warning in raid5_add_disk when running the LVM testsuite.
+The warning happens in the test
+lvconvert-raid-reshape-linear_to_raid6-single-type.sh. We fix the warning
+by verifying that rdev->saved_raid_disk is within limits.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/raid5.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -7722,6 +7722,7 @@ static int raid5_add_disk(struct mddev *
+ */
+ if (rdev->saved_raid_disk >= 0 &&
+ rdev->saved_raid_disk >= first &&
++ rdev->saved_raid_disk <= last &&
+ conf->disks[rdev->saved_raid_disk].rdev == NULL)
+ first = rdev->saved_raid_disk;
+
diff --git a/queue-5.4/ipv6-take-care-of-disable_policy-when-restoring-routes.patch b/queue-5.4/ipv6-take-care-of-disable_policy-when-restoring-routes.patch
new file mode 100644
index 00000000000..69ec2cba0ce
--- /dev/null
+++ b/queue-5.4/ipv6-take-care-of-disable_policy-when-restoring-routes.patch
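Review bot: The added `rdev->saved_raid_disk <= last &&` in raid5_add_disk() protects the `conf->disks[rdev->saved_raid_disk]` index on the following line only if `last` is itself always below the number of entries allocated for `conf->disks`. Both `last` and that allocation are set up outside this hunk, so the relationship should be confirmed, in particular for a reshape where the disk count changes. The guard also relies on `&&` evaluating in this order, which merits a comment above the condition such as `/* bounds-check saved_raid_disk before it indexes conf->disks[] */` so that a later reordering does not bring back the access KASAN flagged.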
@@ -0,0 +1,63 @@
+From 3b0dc529f56b5f2328244130683210be98f16f7f Mon Sep 17 00:00:00 2001
+From: Nicolas Dichtel
+Date: Thu, 23 Jun 2022 14:00:15 +0200
+Subject: ipv6: take care of disable_policy when restoring routes
+
+From: Nicolas Dichtel
+
+commit 3b0dc529f56b5f2328244130683210be98f16f7f upstream.
+
+When routes corresponding to addresses are restored by
+fixup_permanent_addr(), the dst_nopolicy parameter was not set.
+The typical use case is a user that configures an address on a down
+interface and then put this interface up.
+
+Let's take care of this flag in addrconf_f6i_alloc(), so that every callers
+benefit ont it.
+
+CC: stable@kernel.org
+CC: David Forster
+Fixes: df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl")
+Reported-by: Siwar Zitouni
+Signed-off-by: Nicolas Dichtel
+Reviewed-by: David Ahern
+Link: https://lore.kernel.org/r/20220623120015.32640-1-nicolas.dichtel@6wind.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/addrconf.c | 4 ----
+ net/ipv6/route.c | 9 ++++++++-
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1102,10 +1102,6 @@ ipv6_add_addr(struct inet6_dev *idev, st
+ goto out;
+ }
+
+- if (net->ipv6.devconf_all->disable_policy ||
+- idev->cnf.disable_policy)
+- f6i->dst_nopolicy = true;
+-
+ neigh_parms_data_state_setall(idev->nd_parms);
+
+ ifa->addr = *cfg->pfx;
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -4483,8 +4483,15 @@ struct fib6_info *addrconf_f6i_alloc(str
+ }
+
+ f6i = ip6_route_info_create(&cfg, gfp_flags, NULL);
+- if (!IS_ERR(f6i))
++ if (!IS_ERR(f6i)) {
+ f6i->dst_nocount = true;
++
++ if (!anycast &&
++ (net->ipv6.devconf_all->disable_policy ||
++ idev->cnf.disable_policy))
++ f6i->dst_nopolicy = true;
++ }
++
+ return f6i;
+ }
+
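Review bot: The `!anycast &&` condition added in addrconf_f6i_alloc() in route.c is explained neither in the commit message nor by a comment, yet `dst_nopolicy` appears (from its name and the `disable_policy` sysctl it mirrors) to decide whether policy checks are skipped for the route. Moving the assignment here also means every caller of addrconf_f6i_alloc() now honours the sysctl, not only ipv6_add_addr(), so each non-anycast caller should be confirmed as one where relaxing the policy check is intended. A comment above the inner `if` would record the reasoning, for example `/* anycast routes never got dst_nopolicy from ipv6_add_addr(); keep policy checks for them */`, with the wording adjusted once the intent is confirmed. The function starts outside the hunk.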
diff --git a/queue-5.4/nvdimm-fix-badblocks-clear-off-by-one-error.patch b/queue-5.4/nvdimm-fix-badblocks-clear-off-by-one-error.patch
new file mode 100644
index 00000000000..e49092c5a13
--- /dev/null
+++ b/queue-5.4/nvdimm-fix-badblocks-clear-off-by-one-error.patch
@@ -0,0 +1,38 @@
+From ef9102004a87cb3f8b26e000a095a261fc0467d3 Mon Sep 17 00:00:00 2001
+From: Chris Ye
+Date: Tue, 31 May 2022 17:09:54 -0700
+Subject: nvdimm: Fix badblocks clear off-by-one error
+
+From: Chris Ye
+
+commit ef9102004a87cb3f8b26e000a095a261fc0467d3 upstream.
+
+nvdimm_clear_badblocks_region() validates badblock clearing requests
+against the span of the region, however it compares the inclusive
+badblock request range to the exclusive region range. Fix up the
+off-by-one error.
+
+Fixes: 23f498448362 ("libnvdimm: rework region badblocks clearing")
+Cc:
+Signed-off-by: Chris Ye
+Reviewed-by: Vishal Verma
+Link: https://lore.kernel.org/r/165404219489.2445897.9792886413715690399.stgit@dwillia2-xfh
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvdimm/bus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -187,8 +187,8 @@ static int nvdimm_clear_badblocks_region
+ ndr_end = nd_region->ndr_start + nd_region->ndr_size - 1;
+
+ /* make sure we are in the region */
+- if (ctx->phys < nd_region->ndr_start
+- || (ctx->phys + ctx->cleared) > ndr_end)
++ if (ctx->phys < nd_region->ndr_start ||
++ (ctx->phys + ctx->cleared - 1) > ndr_end)
+ return 0;
+
+ sector = (ctx->phys - nd_region->ndr_start) / 512;
diff --git a/queue-5.4/powerpc-bpf-fix-use-of-user_pt_regs-in-uapi.patch b/queue-5.4/powerpc-bpf-fix-use-of-user_pt_regs-in-uapi.patch
new file mode 100644
index 00000000000..49c65db9f6c
--- /dev/null
+++ b/queue-5.4/powerpc-bpf-fix-use-of-user_pt_regs-in-uapi.patch
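Review bot: With the added `- 1` in nvdimm_clear_badblocks_region(), a request whose `ctx->cleared` is 0 yields an end address one byte before `ctx->phys`, so an empty request inside the region passes the range check, and a sufficiently large `ctx->cleared` can wrap `ctx->phys + ctx->cleared` back under `ndr_end` (assuming both are unsigned; their types are not visible here). Whether any caller can pass such values is outside this hunk, so either confirm that or compare lengths instead of end addresses: `if (!ctx->cleared || ctx->phys < nd_region->ndr_start || ctx->phys > ndr_end ||` followed by `ctx->cleared - 1 > ndr_end - ctx->phys)`. The existing comment could also state that both ends of the compared range are inclusive, since that is the property this fix restores.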
@@ -0,0 +1,81 @@
+From b21bd5a4b130f8370861478d2880985daace5913 Mon Sep 17 00:00:00 2001
+From: "Naveen N. Rao"
+Date: Tue, 28 Jun 2022 00:41:19 +0530
+Subject: powerpc/bpf: Fix use of user_pt_regs in uapi
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Naveen N. Rao
+
+commit b21bd5a4b130f8370861478d2880985daace5913 upstream.
+
+Trying to build a .c file that includes :
+ $ cat test_bpf_headers.c
+ #include
+
+throws the below error:
+ /usr/include/linux/bpf_perf_event.h:14:28: error: field ‘regs’ has incomplete type
+ 14 | bpf_user_pt_regs_t regs;
+ | ^~~~
+
+This is because we typedef bpf_user_pt_regs_t to 'struct user_pt_regs'
+in arch/powerpc/include/uaps/asm/bpf_perf_event.h, but 'struct
+user_pt_regs' is not exposed to userspace.
+
+Powerpc has both pt_regs and user_pt_regs structures. However, unlike
+arm64 and s390, we expose user_pt_regs to userspace as just 'pt_regs'.
+As such, we should typedef bpf_user_pt_regs_t to 'struct pt_regs' for
+userspace.
+
+Within the kernel though, we want to typedef bpf_user_pt_regs_t to
+'struct user_pt_regs'.
+
+Remove arch/powerpc/include/uapi/asm/bpf_perf_event.h so that the
+uapi/asm-generic version of the header is exposed to userspace.
+Introduce arch/powerpc/include/asm/bpf_perf_event.h so that we can
+typedef bpf_user_pt_regs_t to 'struct user_pt_regs' for use within the
+kernel.
+
+Note that this was not showing up with the bpf selftest build since
+tools/include/uapi/asm/bpf_perf_event.h didn't include the powerpc
+variant.
+
+Fixes: a6460b03f945ee ("powerpc/bpf: Fix broken uapi for BPF_PROG_TYPE_PERF_EVENT")
+Cc: stable@vger.kernel.org # v4.20+
+Signed-off-by: Naveen N. Rao
+[mpe: Use typical naming for header include guard]
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220627191119.142867-1-naveen.n.rao@linux.vnet.ibm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/include/asm/bpf_perf_event.h | 9 +++++++++
+ arch/powerpc/include/uapi/asm/bpf_perf_event.h | 9 ---------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+ create mode 100644 arch/powerpc/include/asm/bpf_perf_event.h
+ delete mode 100644 arch/powerpc/include/uapi/asm/bpf_perf_event.h
+
+--- /dev/null
++++ b/arch/powerpc/include/asm/bpf_perf_event.h
+@@ -0,0 +1,9 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++#ifndef _ASM_POWERPC_BPF_PERF_EVENT_H
++#define _ASM_POWERPC_BPF_PERF_EVENT_H
++
++#include
++
++typedef struct user_pt_regs bpf_user_pt_regs_t;
++
++#endif /* _ASM_POWERPC_BPF_PERF_EVENT_H */
+--- a/arch/powerpc/include/uapi/asm/bpf_perf_event.h
++++ /dev/null
+@@ -1,9 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+-#ifndef _UAPI__ASM_BPF_PERF_EVENT_H__
+-#define _UAPI__ASM_BPF_PERF_EVENT_H__
+-
+-#include
+-
+-typedef struct user_pt_regs bpf_user_pt_regs_t;
+-
+-#endif /* _UAPI__ASM_BPF_PERF_EVENT_H__ */
diff --git a/queue-5.4/powerpc-prom_init-fix-kernel-config-grep.patch b/queue-5.4/powerpc-prom_init-fix-kernel-config-grep.patch
new file mode 100644
index 00000000000..636dbe10604
--- /dev/null
+++ b/queue-5.4/powerpc-prom_init-fix-kernel-config-grep.patch
@@ -0,0 +1,33 @@
+From 6886da5f49e6d86aad76807a93f3eef5e4f01b10 Mon Sep 17 00:00:00 2001
+From: Liam Howlett
+Date: Fri, 24 Jun 2022 01:17:58 +0000
+Subject: powerpc/prom_init: Fix kernel config grep
+
+From: Liam Howlett
+
+commit 6886da5f49e6d86aad76807a93f3eef5e4f01b10 upstream.
+
+When searching for config options, use the KCONFIG_CONFIG shell variable
+so that builds using non-standard config locations work.
+
+Fixes: 26deb04342e3 ("powerpc: prepare string/mem functions for KASAN")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: Liam R. Howlett
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220624011745.4060795-1-Liam.Howlett@oracle.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/prom_init_check.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/prom_init_check.sh
++++ b/arch/powerpc/kernel/prom_init_check.sh
+@@ -13,7 +13,7 @@
+ # If you really need to reference something from prom_init.o add
+ # it to the list below:
+
+-grep "^CONFIG_KASAN=y$" .config >/dev/null
++grep "^CONFIG_KASAN=y$" ${KCONFIG_CONFIG} >/dev/null
+ if [ $? -eq 0 ]
+ then
+ MEM_FUNCS="__memcpy __memset"
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644
index 00000000000..574e6b7f702
--- /dev/null
+++ b/queue-5.4/series
@@ -0,0 +1,6 @@
+ipv6-take-care-of-disable_policy-when-restoring-routes.patch
+nvdimm-fix-badblocks-clear-off-by-one-error.patch
+powerpc-prom_init-fix-kernel-config-grep.patch
+powerpc-bpf-fix-use-of-user_pt_regs-in-uapi.patch
+dm-raid-fix-accesses-beyond-end-of-raid-member-array.patch
+dm-raid-fix-kasan-warning-in-raid5_add_disks.patch
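Review bot: `${KCONFIG_CONFIG}` is expanded unquoted and without a fallback in the new `grep` line of prom_init_check.sh. If the variable is empty or unset, grep receives no file argument and reads standard input instead, so the KASAN check can block or silently report "not set" and the script then applies the wrong symbol list; a config path containing spaces or glob characters is split or expanded by the shell. Quoting the expansion and defaulting to the previous location covers both cases: `grep "^CONFIG_KASAN=y$" "${KCONFIG_CONFIG:-.config}" >/dev/null`. Whether the build always exports the variable to this script is not visible in the hunk.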