--- /dev/null
+From ea64d8d6c675c0bb712689b13810301de9d8f77a Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <gnault@redhat.com>
+Date: Tue, 21 Apr 2020 02:42:19 +0200
+Subject: netfilter: nat: never update the UDP checksum when it's 0
+
+From: Guillaume Nault <gnault@redhat.com>
+
+commit ea64d8d6c675c0bb712689b13810301de9d8f77a upstream.
+
+If the UDP header of a local VXLAN endpoint is NAT-ed, and the VXLAN
+device has disabled UDP checksums and enabled Tx checksum offloading,
+then the skb passed to udp_manip_pkt() has hdr->check == 0 (outer
+checksum disabled) and skb->ip_summed == CHECKSUM_PARTIAL (inner packet
+checksum offloaded).
+
+Because of the ->ip_summed value, udp_manip_pkt() tries to update the
+outer checksum with the new address and port, leading to an invalid
+checksum sent on the wire, as the original null checksum obviously
+didn't take the old address and port into account.
+
+So, we can't take ->ip_summed into account in udp_manip_pkt(), as it
+might not refer to the checksum we're acting on. Instead, we can base
+the decision to update the UDP checksum entirely on the value of
+hdr->check, because it's null if and only if checksum is disabled:
+
+ * A fully computed checksum can't be 0, since a 0 checksum is
+ represented by the CSUM_MANGLED_0 value instead.
+
+ * A partial checksum can't be 0, since the pseudo-header always adds
+ at least one non-zero value (the UDP protocol type 0x11) and adding
+ more values to the sum can't make it wrap to 0 as the carry is then
+ added to the wrapped number.
+
+ * A disabled checksum uses the special value 0.
+
+The problem seems to be there from day one, although it was probably
+not visible before UDP tunnels were implemented.
+
+Fixes: 5b1158e909ec ("[NETFILTER]: Add NAT support for nf_conntrack")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_nat_proto_udp.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nf_nat_proto_udp.c
++++ b/net/netfilter/nf_nat_proto_udp.c
+@@ -66,15 +66,14 @@ static bool udp_manip_pkt(struct sk_buff
+ enum nf_nat_manip_type maniptype)
+ {
+ struct udphdr *hdr;
+- bool do_csum;
+
+ if (!skb_make_writable(skb, hdroff + sizeof(*hdr)))
+ return false;
+
+ hdr = (struct udphdr *)(skb->data + hdroff);
+- do_csum = hdr->check || skb->ip_summed == CHECKSUM_PARTIAL;
++ __udp_manip_pkt(skb, l3proto, iphdroff, hdr, tuple, maniptype,
++ !!hdr->check);
+
+- __udp_manip_pkt(skb, l3proto, iphdroff, hdr, tuple, maniptype, do_csum);
+ return true;
+ }
+
--- /dev/null
+From d8dd25a461e4eec7190cb9d66616aceacc5110ad Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Sat, 25 Apr 2020 05:03:00 -0500
+Subject: objtool: Fix stack offset tracking for indirect CFAs
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+commit d8dd25a461e4eec7190cb9d66616aceacc5110ad upstream.
+
+When the current frame address (CFA) is stored on the stack (i.e.,
+cfa->base == CFI_SP_INDIRECT), objtool neglects to adjust the stack
+offset when there are subsequent pushes or pops. This results in bad
+ORC data at the end of the ENTER_IRQ_STACK macro, when it puts the
+previous stack pointer on the stack and does a subsequent push.
+
+This fixes the following unwinder warning:
+
+ WARNING: can't dereference registers at 00000000f0a6bdba for ip interrupt_entry+0x9f/0xa0
+
+Fixes: 627fce14809b ("objtool: Add ORC unwind table generation")
+Reported-by: Vince Weaver <vincent.weaver@maine.edu>
+Reported-by: Dave Jones <dsj@fb.com>
+Reported-by: Steven Rostedt <rostedt@goodmis.org>
+Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
+Reported-by: Joe Mario <jmario@redhat.com>
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Jann Horn <jannh@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/853d5d691b29e250333332f09b8e27410b2d9924.1587808742.git.jpoimboe@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/objtool/check.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -1291,7 +1291,7 @@ static int update_insn_state_regs(struct
+ struct cfi_reg *cfa = &state->cfa;
+ struct stack_op *op = &insn->stack_op;
+
+- if (cfa->base != CFI_SP)
++ if (cfa->base != CFI_SP && cfa->base != CFI_SP_INDIRECT)
+ return 0;
+
+ /* push */
--- /dev/null
+From e08df079b23e2e982df15aa340bfbaf50f297504 Mon Sep 17 00:00:00 2001
+From: Ivan Delalande <colona@arista.com>
+Date: Thu, 7 May 2020 18:35:53 -0700
+Subject: scripts/decodecode: fix trapping instruction formatting
+
+From: Ivan Delalande <colona@arista.com>
+
+commit e08df079b23e2e982df15aa340bfbaf50f297504 upstream.
+
+If the trapping instruction contains a ':', for a memory access through
+segment registers for example, the sed substitution will insert the '*'
+marker in the middle of the instruction instead of the line address:
+
+ 2b: 65 48 0f c7 0f cmpxchg16b %gs:*(%rdi) <-- trapping instruction
+
+I started to think I had forgotten some quirk of the assembly syntax
+before noticing that it was actually coming from the script. Fix it to
+add the address marker at the right place for these instructions:
+
+ 28: 49 8b 06 mov (%r14),%rax
+ 2b:* 65 48 0f c7 0f cmpxchg16b %gs:(%rdi) <-- trapping instruction
+ 30: 0f 94 c0 sete %al
+
+Fixes: 18ff44b189e2 ("scripts/decodecode: make faulting insn ptr more robust")
+Signed-off-by: Ivan Delalande <colona@arista.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Link: http://lkml.kernel.org/r/20200419223653.GA31248@visor
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/decodecode | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/decodecode
++++ b/scripts/decodecode
+@@ -99,7 +99,7 @@ faultlinenum=$(( $(wc -l $T.oo | cut -d
+ faultline=`cat $T.dis | head -1 | cut -d":" -f2-`
+ faultline=`echo "$faultline" | sed -e 's/\[/\\\[/g; s/\]/\\\]/g'`
+
+-cat $T.oo | sed -e "${faultlinenum}s/^\(.*:\)\(.*\)/\1\*\2\t\t<-- trapping instruction/"
++cat $T.oo | sed -e "${faultlinenum}s/^\([^:]*:\)\(.*\)/\1\*\2\t\t<-- trapping instruction/"
+ echo
+ cat $T.aa
+ cleanup
batman-adv-fix-refcnt-leak-in-batadv_show_throughput_override.patch
batman-adv-fix-refcnt-leak-in-batadv_store_throughput_override.patch
batman-adv-fix-refcnt-leak-in-batadv_v_ogm_process.patch
+x86-entry-64-fix-unwind-hints-in-kernel-exit-path.patch
+x86-entry-64-fix-unwind-hints-in-rewind_stack_do_exit.patch
+x86-unwind-orc-don-t-skip-the-first-frame-for-inactive-tasks.patch
+x86-unwind-orc-prevent-unwinding-before-orc-initialization.patch
+x86-unwind-orc-fix-error-path-for-bad-orc-entry-type.patch
+netfilter-nat-never-update-the-udp-checksum-when-it-s-0.patch
+objtool-fix-stack-offset-tracking-for-indirect-cfas.patch
+scripts-decodecode-fix-trapping-instruction-formatting.patch
--- /dev/null
+From 1fb143634a38095b641a3a21220774799772dc4c Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Sat, 25 Apr 2020 05:03:02 -0500
+Subject: x86/entry/64: Fix unwind hints in kernel exit path
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+commit 1fb143634a38095b641a3a21220774799772dc4c upstream.
+
+In swapgs_restore_regs_and_return_to_usermode, after the stack is
+switched to the trampoline stack, the existing UNWIND_HINT_REGS hint is
+no longer valid, which can result in the following ORC unwinder warning:
+
+ WARNING: can't dereference registers at 000000003aeb0cdd for ip swapgs_restore_regs_and_return_to_usermode+0x93/0xa0
+
+For full correctness, we could try to add complicated unwind hints so
+the unwinder could continue to find the registers, but when when it's
+this close to kernel exit, unwind hints aren't really needed anymore and
+it's fine to just use an empty hint which tells the unwinder to stop.
+
+For consistency, also move the UNWIND_HINT_EMPTY in
+entry_SYSCALL_64_after_hwframe to a similar location.
+
+Fixes: 3e3b9293d392 ("x86/entry/64: Return to userspace from the trampoline stack")
+Reported-by: Vince Weaver <vincent.weaver@maine.edu>
+Reported-by: Dave Jones <dsj@fb.com>
+Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reported-by: Joe Mario <jmario@redhat.com>
+Reported-by: Jann Horn <jannh@google.com>
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/60ea8f562987ed2d9ace2977502fe481c0d7c9a0.1587808742.git.jpoimboe@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/entry/entry_64.S | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -302,7 +302,6 @@ GLOBAL(entry_SYSCALL_64_after_hwframe)
+ */
+ syscall_return_via_sysret:
+ /* rcx and r11 are already restored (see code above) */
+- UNWIND_HINT_EMPTY
+ POP_REGS pop_rdi=0 skip_r11rcx=1
+
+ /*
+@@ -311,6 +310,7 @@ syscall_return_via_sysret:
+ */
+ movq %rsp, %rdi
+ movq PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp
++ UNWIND_HINT_EMPTY
+
+ pushq RSP-RDI(%rdi) /* RSP */
+ pushq (%rdi) /* RDI */
+@@ -606,6 +606,7 @@ GLOBAL(swapgs_restore_regs_and_return_to
+ */
+ movq %rsp, %rdi
+ movq PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp
++ UNWIND_HINT_EMPTY
+
+ /* Copy the IRET frame to the trampoline stack. */
+ pushq 6*8(%rdi) /* SS */
--- /dev/null
+From f977df7b7ca45a4ac4b66d30a8931d0434c394b1 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Sat, 25 Apr 2020 05:03:04 -0500
+Subject: x86/entry/64: Fix unwind hints in rewind_stack_do_exit()
+
+From: Jann Horn <jannh@google.com>
+
+commit f977df7b7ca45a4ac4b66d30a8931d0434c394b1 upstream.
+
+The LEAQ instruction in rewind_stack_do_exit() moves the stack pointer
+directly below the pt_regs at the top of the task stack before calling
+do_exit(). Tell the unwinder to expect pt_regs.
+
+Fixes: 8c1f75587a18 ("x86/entry/64: Add unwind hint annotations")
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Dave Jones <dsj@fb.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Link: https://lore.kernel.org/r/68c33e17ae5963854916a46f522624f8e1d264f2.1587808742.git.jpoimboe@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/entry/entry_64.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -1649,7 +1649,7 @@ ENTRY(rewind_stack_do_exit)
+
+ movq PER_CPU_VAR(cpu_current_top_of_stack), %rax
+ leaq -PTREGS_SIZE(%rax), %rsp
+- UNWIND_HINT_FUNC sp_offset=PTREGS_SIZE
++ UNWIND_HINT_REGS
+
+ call do_exit
+ END(rewind_stack_do_exit)
--- /dev/null
+From f1d9a2abff66aa8156fbc1493abed468db63ea48 Mon Sep 17 00:00:00 2001
+From: Miroslav Benes <mbenes@suse.cz>
+Date: Sat, 25 Apr 2020 05:03:07 -0500
+Subject: x86/unwind/orc: Don't skip the first frame for inactive tasks
+
+From: Miroslav Benes <mbenes@suse.cz>
+
+commit f1d9a2abff66aa8156fbc1493abed468db63ea48 upstream.
+
+When unwinding an inactive task, the ORC unwinder skips the first frame
+by default. If both the 'regs' and 'first_frame' parameters of
+unwind_start() are NULL, 'state->sp' and 'first_frame' are later
+initialized to the same value for an inactive task. Given there is a
+"less than or equal to" comparison used at the end of __unwind_start()
+for skipping stack frames, the first frame is skipped.
+
+Drop the equal part of the comparison and make the behavior equivalent
+to the frame pointer unwinder.
+
+Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder")
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Dave Jones <dsj@fb.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Link: https://lore.kernel.org/r/7f08db872ab59e807016910acdbe82f744de7065.1587808742.git.jpoimboe@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/unwind_orc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/unwind_orc.c
++++ b/arch/x86/kernel/unwind_orc.c
+@@ -574,7 +574,7 @@ void __unwind_start(struct unwind_state
+ /* Otherwise, skip ahead to the user-specified starting frame: */
+ while (!unwind_done(state) &&
+ (!on_stack(&state->stack_info, first_frame, sizeof(long)) ||
+- state->sp <= (unsigned long)first_frame))
++ state->sp < (unsigned long)first_frame))
+ unwind_next_frame(state);
+
+ return;
--- /dev/null
+From a0f81bf26888048100bf017fadf438a5bdffa8d8 Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Sat, 25 Apr 2020 05:06:13 -0500
+Subject: x86/unwind/orc: Fix error path for bad ORC entry type
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+commit a0f81bf26888048100bf017fadf438a5bdffa8d8 upstream.
+
+If the ORC entry type is unknown, nothing else can be done other than
+reporting an error. Exit the function instead of breaking out of the
+switch statement.
+
+Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder")
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Dave Jones <dsj@fb.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Link: https://lore.kernel.org/r/a7fa668ca6eabbe81ab18b2424f15adbbfdc810a.1587808742.git.jpoimboe@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/unwind_orc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/unwind_orc.c
++++ b/arch/x86/kernel/unwind_orc.c
+@@ -457,7 +457,7 @@ bool unwind_next_frame(struct unwind_sta
+ default:
+ orc_warn("unknown .orc_unwind entry type %d for ip %pB\n",
+ orc->type, (void *)orig_ip);
+- break;
++ goto err;
+ }
+
+ /* Find BP: */
--- /dev/null
+From 98d0c8ebf77e0ba7c54a9ae05ea588f0e9e3f46e Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Sat, 25 Apr 2020 05:03:08 -0500
+Subject: x86/unwind/orc: Prevent unwinding before ORC initialization
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+commit 98d0c8ebf77e0ba7c54a9ae05ea588f0e9e3f46e upstream.
+
+If the unwinder is called before the ORC data has been initialized,
+orc_find() returns NULL, and it tries to fall back to using frame
+pointers. This can cause some unexpected warnings during boot.
+
+Move the 'orc_init' check from orc_find() to __unwind_init(), so that it
+doesn't even try to unwind from an uninitialized state.
+
+Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder")
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Dave Jones <dsj@fb.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Link: https://lore.kernel.org/r/069d1499ad606d85532eb32ce39b2441679667d5.1587808742.git.jpoimboe@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/unwind_orc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/unwind_orc.c
++++ b/arch/x86/kernel/unwind_orc.c
+@@ -90,9 +90,6 @@ static struct orc_entry null_orc_entry =
+
+ static struct orc_entry *orc_find(unsigned long ip)
+ {
+- if (!orc_init)
+- return NULL;
+-
+ if (ip == 0)
+ return &null_orc_entry;
+
+@@ -508,6 +505,9 @@ EXPORT_SYMBOL_GPL(unwind_next_frame);
+ void __unwind_start(struct unwind_state *state, struct task_struct *task,
+ struct pt_regs *regs, unsigned long *first_frame)
+ {
++ if (!orc_init)
++ goto done;
++
+ memset(state, 0, sizeof(*state));
+ state->task = task;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
