5.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 2 May 2021 11:12:18 +0000 (13:12 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 2 May 2021 11:12:18 +0000 (13:12 +0200)
added patches:
mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch
netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch

queue-5.12/mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch [new file with mode: 0644]
queue-5.12/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch [new file with mode: 0644]

diff --git a/queue-5.12/mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch b/queue-5.12/mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch
new file mode 100644 (file)
index 0000000..465e4ee
--- /dev/null
@@ -0,0 +1,109 @@
+From 1d7ba0165d8206ac073f7ac3b14fc0836b66eae7 Mon Sep 17 00:00:00 2001
+From: Romain Naour <romain.naour@gmail.com>
+Date: Tue, 20 Apr 2021 22:12:10 +0100
+Subject: mips: Do not include hi and lo in clobber list for R6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Romain Naour <romain.naour@gmail.com>
+
+commit 1d7ba0165d8206ac073f7ac3b14fc0836b66eae7 upstream.
+
+From [1]
+"GCC 10 (PR 91233) won't silently allow registers that are not
+architecturally available to be present in the clobber list anymore,
+resulting in build failure for mips*r6 targets in form of:
+...
+.../sysdep.h:146:2: error: the register ‘lo’ cannot be clobbered in ‘asm’ for the current target
+  146 |  __asm__ volatile (      \
+      |  ^~~~~~~
+
+This is because base R6 ISA doesn't define hi and lo registers w/o DSP
+extension. This patch provides the alternative clobber list for r6 targets
+that won't include those registers."
+
+Since kernel 5.4 and mips support for generic vDSO [2], the kernel fail to
+build for mips r6 cpus with gcc 10 for the same reason as glibc.
+
+[1] https://sourceware.org/git/?p=glibc.git;a=commit;h=020b2a97bb15f807c0482f0faee2184ed05bcad8
+[2] '24640f233b46 ("mips: Add support for generic vDSO")'
+
+Signed-off-by: Romain Naour <romain.naour@gmail.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/vdso/gettimeofday.h |   26 +++++++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+--- a/arch/mips/include/asm/vdso/gettimeofday.h
++++ b/arch/mips/include/asm/vdso/gettimeofday.h
+@@ -20,6 +20,12 @@
+ #define VDSO_HAS_CLOCK_GETRES         1
++#if MIPS_ISA_REV < 6
++#define VDSO_SYSCALL_CLOBBERS "hi", "lo",
++#else
++#define VDSO_SYSCALL_CLOBBERS
++#endif
++
+ static __always_inline long gettimeofday_fallback(
+                               struct __kernel_old_timeval *_tv,
+                               struct timezone *_tz)
+@@ -35,7 +41,9 @@ static __always_inline long gettimeofday
+       : "=r" (ret), "=r" (error)
+       : "r" (tv), "r" (tz), "r" (nr)
+       : "$1", "$3", "$8", "$9", "$10", "$11", "$12", "$13",
+-        "$14", "$15", "$24", "$25", "hi", "lo", "memory");
++        "$14", "$15", "$24", "$25",
++        VDSO_SYSCALL_CLOBBERS
++        "memory");
+       return error ? -ret : ret;
+ }
+@@ -59,7 +67,9 @@ static __always_inline long clock_gettim
+       : "=r" (ret), "=r" (error)
+       : "r" (clkid), "r" (ts), "r" (nr)
+       : "$1", "$3", "$8", "$9", "$10", "$11", "$12", "$13",
+-        "$14", "$15", "$24", "$25", "hi", "lo", "memory");
++        "$14", "$15", "$24", "$25",
++        VDSO_SYSCALL_CLOBBERS
++        "memory");
+       return error ? -ret : ret;
+ }
+@@ -83,7 +93,9 @@ static __always_inline int clock_getres_
+       : "=r" (ret), "=r" (error)
+       : "r" (clkid), "r" (ts), "r" (nr)
+       : "$1", "$3", "$8", "$9", "$10", "$11", "$12", "$13",
+-        "$14", "$15", "$24", "$25", "hi", "lo", "memory");
++        "$14", "$15", "$24", "$25",
++        VDSO_SYSCALL_CLOBBERS
++        "memory");
+       return error ? -ret : ret;
+ }
+@@ -105,7 +117,9 @@ static __always_inline long clock_gettim
+       : "=r" (ret), "=r" (error)
+       : "r" (clkid), "r" (ts), "r" (nr)
+       : "$1", "$3", "$8", "$9", "$10", "$11", "$12", "$13",
+-        "$14", "$15", "$24", "$25", "hi", "lo", "memory");
++        "$14", "$15", "$24", "$25",
++        VDSO_SYSCALL_CLOBBERS
++        "memory");
+       return error ? -ret : ret;
+ }
+@@ -125,7 +139,9 @@ static __always_inline int clock_getres3
+       : "=r" (ret), "=r" (error)
+       : "r" (clkid), "r" (ts), "r" (nr)
+       : "$1", "$3", "$8", "$9", "$10", "$11", "$12", "$13",
+-        "$14", "$15", "$24", "$25", "hi", "lo", "memory");
++        "$14", "$15", "$24", "$25",
++        VDSO_SYSCALL_CLOBBERS
++        "memory");
+       return error ? -ret : ret;
+ }
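Review bot: `VDSO_SYSCALL_CLOBBERS` expands either to `"hi", "lo",` with its own trailing comma or to nothing, so all five call sites read as `VDSO_SYSCALL_CLOBBERS "memory"` with no visible separator, and nothing at the definition explains why. A short comment above the `#if` would keep a later edit from adding a stray comma or moving the macro to the end of the list, for example `/* hi/lo are not available on base R6; the expansion carries its own trailing comma, so place it directly before the next clobber */`. Separately, `#if MIPS_ISA_REV < 6` silently evaluates as `0 < 6` if the macro is undefined at this point; the hunk does not show which include provides it, so it is worth confirming that the header defining it is reached before this test. The bodies of the five fallback functions start outside their hunks.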
diff --git a/queue-5.12/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch b/queue-5.12/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
new file mode 100644 (file)
index 0000000..090f3c0
--- /dev/null
@@ -0,0 +1,57 @@
+From 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 Mon Sep 17 00:00:00 2001
+From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
+Date: Mon, 12 Apr 2021 00:24:53 -0400
+Subject: netfilter: conntrack: Make global sysctls readonly in non-init netns
+
+From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
+
+commit 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 upstream.
+
+These sysctls point to global variables:
+- NF_SYSCTL_CT_MAX (&nf_conntrack_max)
+- NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max)
+- NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user)
+
+Because their data pointers are not updated to point to per-netns
+structures, they must be marked read-only in a non-init_net ns.
+Otherwise, changes in any net namespace are reflected in (leaked into)
+all other net namespaces. This problem has existed since the
+introduction of net namespaces.
+
+The current logic marks them read-only only if the net namespace is
+owned by an unprivileged user (other than init_user_ns).
+
+Commit d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in
+unprivileged namespaces") "exposes all sysctls even if the namespace is
+unpriviliged." Since we need to mark them readonly in any case, we can
+forego the unprivileged user check altogether.
+
+Fixes: d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces")
+Signed-off-by: Jonathon Reinhart <Jonathon.Reinhart@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_standalone.c |   10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -1060,16 +1060,10 @@ static int nf_conntrack_standalone_init_
+       nf_conntrack_standalone_init_dccp_sysctl(net, table);
+       nf_conntrack_standalone_init_gre_sysctl(net, table);
+-      /* Don't allow unprivileged users to alter certain sysctls */
+-      if (net->user_ns != &init_user_ns) {
++      /* Don't allow non-init_net ns to alter global sysctls */
++      if (!net_eq(&init_net, net)) {
+               table[NF_SYSCTL_CT_MAX].mode = 0444;
+               table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444;
+-              table[NF_SYSCTL_CT_HELPER].mode = 0444;
+-#ifdef CONFIG_NF_CONNTRACK_EVENTS
+-              table[NF_SYSCTL_CT_EVENTS].mode = 0444;
+-#endif
+-              table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
+-      } else if (!net_eq(&init_net, net)) {
+               table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
+       }
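Review bot: The rewritten block no longer sets `table[NF_SYSCTL_CT_HELPER].mode` and `table[NF_SYSCTL_CT_EVENTS].mode` to 0444 for a netns owned by a non-init user namespace, while the commit message only justifies the three entries that point at global variables. These two are presumably backed by per-netns data assigned elsewhere in this function (not visible in the hunk), in which case a write stays confined to the writer's own namespace. Even so, namespace owners without host privilege can now change them, so it is worth confirming that this is intended and recording it next to the check. I would extend the new comment accordingly, e.g. `/* Entries backed by global variables are read-only outside init_net; per-netns entries (helper, events) stay writable */`. The function body starts and ends outside the hunk.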