From: Greg Kroah-Hartman Date: Sat, 23 Jul 2022 14:02:16 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.10.133~57 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d610df57dc7eec1536e4e8e49b264d781a8e2d3f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: io_uring-use-original-task-for-req-identity-in-io_identity_cow.patch lockdown-fix-kexec-lockdown-bypass-with-ima-policy.patch mlxsw-spectrum_router-fix-ipv4-nexthop-gateway-indication.patch pinctrl-stm32-fix-optional-irq-support-to-gpios.patch riscv-add-as-options-for-modules-with-assembly-compontents.patch --- diff --git a/queue-5.10/io_uring-use-original-task-for-req-identity-in-io_identity_cow.patch b/queue-5.10/io_uring-use-original-task-for-req-identity-in-io_identity_cow.patch new file mode 100644 index 00000000000..c78908a920b --- /dev/null +++ b/queue-5.10/io_uring-use-original-task-for-req-identity-in-io_identity_cow.patch 
@@ -0,0 +1,48 @@ +From lee@kernel.org Sat Jul 23 15:54:25 2022 +From: Lee Jones +Date: Tue, 19 Jul 2022 12:52:51 +0100 +Subject: io_uring: Use original task for req identity in io_identity_cow() +To: lee@kernel.org +Cc: stable@vger.kernel.org, Jens Axboe , Pavel Begunkov , Alexander Viro , io-uring@vger.kernel.org, linux-fsdevel@vger.kernel.org +Message-ID: <20220719115251.441526-1-lee@kernel.org> + +From: Lee Jones + +This issue is conceptually identical to the one fixed in 29f077d07051 +("io_uring: always use original task when preparing req identity"), so +rather than reinvent the wheel, I'm shamelessly quoting the commit +message from that patch - thanks Jens: + + "If the ring is setup with IORING_SETUP_IOPOLL and we have more than + one task doing submissions on a ring, we can up in a situation where + we assign the context from the current task rather than the request + originator. + + Always use req->task rather than assume it's the same as current. + + No upstream patch exists for this issue, as only older kernels with + the non-native workers have this problem." + +Cc: Jens Axboe +Cc: Pavel Begunkov +Cc: Alexander Viro +Cc: io-uring@vger.kernel.org +Cc: linux-fsdevel@vger.kernel.org +Fixes: 5c3462cfd123b ("io_uring: store io_identity in io_uring_task") +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -1325,7 +1325,7 @@ static void io_req_clean_work(struct io_ + */ + static bool io_identity_cow(struct io_kiocb *req) + { +- struct io_uring_task *tctx = current->io_uring; ++ struct io_uring_task *tctx = req->task->io_uring; + const struct cred *creds = NULL; + struct io_identity *id; + diff --git a/queue-5.10/lockdown-fix-kexec-lockdown-bypass-with-ima-policy.patch b/queue-5.10/lockdown-fix-kexec-lockdown-bypass-with-ima-policy.patch new file mode 100644 index 00000000000..d513bfd2cd1 --- /dev/null 
+++ b/queue-5.10/lockdown-fix-kexec-lockdown-bypass-with-ima-policy.patch 
@@ -0,0 +1,57 @@ +From 543ce63b664e2c2f9533d089a4664b559c3e6b5b Mon Sep 17 00:00:00 2001 +From: Eric Snowberg +Date: Wed, 20 Jul 2022 12:40:27 -0400 +Subject: lockdown: Fix kexec lockdown bypass with ima policy + +From: Eric Snowberg + +commit 543ce63b664e2c2f9533d089a4664b559c3e6b5b upstream. + +The lockdown LSM is primarily used in conjunction with UEFI Secure Boot. +This LSM may also be used on machines without UEFI. It can also be +enabled when UEFI Secure Boot is disabled. One of lockdown's features +is to prevent kexec from loading untrusted kernels. Lockdown can be +enabled through a bootparam or after the kernel has booted through +securityfs. + +If IMA appraisal is used with the "ima_appraise=log" boot param, +lockdown can be defeated with kexec on any machine when Secure Boot is +disabled or unavailable. IMA prevents setting "ima_appraise=log" from +the boot param when Secure Boot is enabled, but this does not cover +cases where lockdown is used without Secure Boot. + +To defeat lockdown, boot without Secure Boot and add ima_appraise=log to +the kernel command line; then: + + $ echo "integrity" > /sys/kernel/security/lockdown + $ echo "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig" > \ + /sys/kernel/security/ima/policy + $ kexec -ls unsigned-kernel + +Add a call to verify ima appraisal is set to "enforce" whenever lockdown +is enabled. This fixes CVE-2022-21505. 
+ +Cc: stable@vger.kernel.org +Fixes: 29d3c1c8dfe7 ("kexec: Allow kexec_file() with appropriate IMA policy when locked down") +Signed-off-by: Eric Snowberg +Acked-by: Mimi Zohar +Reviewed-by: John Haxby +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_policy.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -1805,6 +1805,10 @@ bool ima_appraise_signature(enum kernel_ + if (id >= READING_MAX_ID) + return false; + ++ if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE) ++ && security_locked_down(LOCKDOWN_KEXEC)) ++ return false; ++ + func = read_idmap[id] ?: FILE_CHECK; + + rcu_read_lock(); diff --git a/queue-5.10/mlxsw-spectrum_router-fix-ipv4-nexthop-gateway-indication.patch b/queue-5.10/mlxsw-spectrum_router-fix-ipv4-nexthop-gateway-indication.patch new file mode 100644 index 00000000000..081c7ea7ca5 --- /dev/null +++ b/queue-5.10/mlxsw-spectrum_router-fix-ipv4-nexthop-gateway-indication.patch 
@@ -0,0 +1,44 @@ +From e5ec6a2513383fe2ecc2ee3b5f51d97acbbcd4d8 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Tue, 19 Jul 2022 15:26:26 +0300 +Subject: mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication + +From: Ido Schimmel + +commit e5ec6a2513383fe2ecc2ee3b5f51d97acbbcd4d8 upstream. + +mlxsw needs to distinguish nexthops with a gateway from connected +nexthops in order to write the former to the adjacency table of the +device. The check used to rely on the fact that nexthops with a gateway +have a 'link' scope whereas connected nexthops have a 'host' scope. This +is no longer correct after commit 747c14307214 ("ip: fix dflt addr +selection for connected nexthop"). + +Fix that by instead checking the address family of the gateway IP. This +is a more direct way and also consistent with the IPv6 counterpart in +mlxsw_sp_rt6_is_gateway(). + +Cc: stable@vger.kernel.org +Fixes: 747c14307214 ("ip: fix dflt addr selection for connected nexthop") +Fixes: 597cfe4fc339 ("nexthop: Add support for IPv4 nexthops") +Signed-off-by: Ido Schimmel +Reviewed-by: Amit Cohen +Reviewed-by: Nicolas Dichtel +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +@@ -4003,7 +4003,7 @@ static bool mlxsw_sp_fi_is_gateway(const + { + const struct fib_nh *nh = fib_info_nh(fi, 0); + +- return nh->fib_nh_scope == RT_SCOPE_LINK || ++ return nh->fib_nh_gw_family || + mlxsw_sp_nexthop4_ipip_type(mlxsw_sp, nh, NULL); + } + diff --git a/queue-5.10/pinctrl-stm32-fix-optional-irq-support-to-gpios.patch b/queue-5.10/pinctrl-stm32-fix-optional-irq-support-to-gpios.patch new file mode 100644 index 00000000000..6d51f89a63a --- /dev/null +++ b/queue-5.10/pinctrl-stm32-fix-optional-irq-support-to-gpios.patch 
@@ -0,0 +1,63 @@ +From a1d4ef1adf8bbd302067534ead671a94759687ed Mon Sep 17 00:00:00 2001 +From: Fabien Dessenne +Date: Mon, 27 Jun 2022 16:23:50 +0200 +Subject: pinctrl: stm32: fix optional IRQ support to gpios + +From: Fabien Dessenne + +commit a1d4ef1adf8bbd302067534ead671a94759687ed upstream. + +To act as an interrupt controller, a gpio bank relies on the +"interrupt-parent" of the pin controller. +When this optional "interrupt-parent" misses, do not create any IRQ domain. + +This fixes a "NULL pointer in stm32_gpio_domain_alloc()" kernel crash when +the interrupt-parent = property is not declared in the Device Tree. + +Fixes: 0eb9f683336d ("pinctrl: Add IRQ support to STM32 gpios") +Signed-off-by: Fabien Dessenne +Link: https://lore.kernel.org/r/20220627142350.742973-1-fabien.dessenne@foss.st.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/stm32/pinctrl-stm32.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + + +--- a/drivers/pinctrl/stm32/pinctrl-stm32.c ++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c +@@ -1303,15 +1303,17 @@ static int stm32_gpiolib_register_bank(s + bank->bank_ioport_nr = bank_ioport_nr; + spin_lock_init(&bank->lock); + +- /* create irq hierarchical domain */ +- bank->fwnode = of_node_to_fwnode(np); ++ if (pctl->domain) { ++ /* create irq hierarchical domain */ ++ bank->fwnode = of_node_to_fwnode(np); ++ ++ bank->domain = irq_domain_create_hierarchy(pctl->domain, 0, STM32_GPIO_IRQ_LINE, ++ bank->fwnode, &stm32_gpio_domain_ops, ++ bank); + +- bank->domain = irq_domain_create_hierarchy(pctl->domain, 0, +- STM32_GPIO_IRQ_LINE, bank->fwnode, +- &stm32_gpio_domain_ops, bank); +- +- if (!bank->domain) +- return -ENODEV; ++ if (!bank->domain) ++ return -ENODEV; ++ } + + err = gpiochip_add_data(&bank->gpio_chip, bank); + if (err) { +@@ -1481,6 +1483,8 @@ int stm32_pctl_probe(struct platform_dev + pctl->domain = stm32_pctrl_get_irq_domain(np); + if (IS_ERR(pctl->domain)) + return 
PTR_ERR(pctl->domain); ++ if (!pctl->domain) ++ dev_warn(dev, "pinctrl without interrupt support\n"); + + /* hwspinlock is optional */ + hwlock_id = of_hwspin_lock_get_id(pdev->dev.of_node, 0); diff --git a/queue-5.10/riscv-add-as-options-for-modules-with-assembly-compontents.patch b/queue-5.10/riscv-add-as-options-for-modules-with-assembly-compontents.patch new file mode 100644 index 00000000000..49c015af8c9 --- /dev/null +++ b/queue-5.10/riscv-add-as-options-for-modules-with-assembly-compontents.patch 
@@ -0,0 +1,48 @@ +From c1f6eff304e4dfa4558b6a8c6b2d26a91db6c998 Mon Sep 17 00:00:00 2001 +From: Ben Dooks +Date: Sun, 29 May 2022 16:22:00 +0100 +Subject: riscv: add as-options for modules with assembly compontents + +From: Ben Dooks + +commit c1f6eff304e4dfa4558b6a8c6b2d26a91db6c998 upstream. + +When trying to load modules built for RISC-V which include assembly files +the kernel loader errors with "unexpected relocation type 'R_RISCV_ALIGN'" +due to R_RISCV_ALIGN relocations being generated by the assembler. + +The R_RISCV_ALIGN relocations can be removed at the expense of code space +by adding -mno-relax to gcc and as. In commit 7a8e7da42250138 +("RISC-V: Fixes to module loading") -mno-relax is added to the build +variable KBUILD_CFLAGS_MODULE. See [1] for more info. + +The issue is that when kbuild builds a .S file, it invokes gcc with +the -mno-relax flag, but this is not being passed through to the +assembler. Adding -Wa,-mno-relax to KBUILD_AFLAGS_MODULE ensures that +the assembler is invoked correctly. This may have now been fixed in +gcc[2] and this addition should not stop newer gcc and as from working. + +[1] https://github.com/riscv/riscv-elf-psabi-doc/issues/183 +[2] https://github.com/gcc-mirror/gcc/commit/3b0a7d624e64eeb81e4d5e8c62c46d86ef521857 + +Signed-off-by: Ben Dooks +Reviewed-by: Bin Meng +Link: https://lore.kernel.org/r/20220529152200.609809-1-ben.dooks@codethink.co.uk +Fixes: ab1ef68e5401 ("RISC-V: Add sections of PLT and GOT for kernel module") +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/riscv/Makefile ++++ b/arch/riscv/Makefile +@@ -73,6 +73,7 @@ ifeq ($(CONFIG_PERF_EVENTS),y) + endif + + KBUILD_CFLAGS_MODULE += $(call cc-option,-mno-relax) ++KBUILD_AFLAGS_MODULE += $(call as-option,-Wa$(comma)-mno-relax) + + # GCC versions that support the "-mstrict-align" option default to allowing + # unaligned accesses. 
While unaligned accesses are explicitly allowed in the
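Review bot: in io_identity_cow() (fs/io_uring.c), the replacement `req->task->io_uring` is dereferenced with no NULL check, whereas the old code read the pointer from current, so please confirm that req->task->io_uring is always populated by the time this function runs. The changelog is quoted from 29f077d07051 and does not describe how io_identity_cow() comes to run in a task other than the request originator. Since it also states that no upstream patch exists, there is no upstream commit to compare this backport against, and one sentence on that call path would make the change reviewable on its own.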
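Review bot: the new condition in ima_appraise_signature() (security/integrity/ima/ima_policy.c) has no comment, so the reason for returning false is only recoverable from the changelog. A short comment saying that an IMA policy cannot stand in for lockdown's kexec restriction unless appraisal is in enforce mode would keep the intent next to the code. On style, the continuation line starts with `&&`; kernel style normally leaves the operator at the end of the previous line. The ordering also matters: security_locked_down(LOCKDOWN_KEXEC) is evaluated last, so it is only called for READING_KEXEC_IMAGE when appraisal is not enforcing, and that should be preserved if the expression is reflowed.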
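Review bot: in stm32_gpiolib_register_bank() (drivers/pinctrl/stm32/pinctrl-stm32.c), when pctl->domain is NULL the bank is now registered through gpiochip_add_data() with bank->fwnode and bank->domain left unset, and neither visible hunk touches the code that later consumes them. The crash being fixed was itself a NULL dereference in stm32_gpio_domain_alloc(), so please confirm that every remaining user of bank->domain and bank->fwnode tolerates NULL, or say in the changelog why those paths cannot be reached without an interrupt-parent.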
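Review bot: in stm32_pctl_probe(), the added dev_warn() fires on every probe for a property the changelog describes as optional, which makes a supported configuration look like a fault in the log. dev_info() or dev_dbg() would fit better, and the text "pinctrl without interrupt support" could name the missing "interrupt-parent" property so the message points at the Device Tree rather than at the driver.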
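Review bot: the added `KBUILD_AFLAGS_MODULE += $(call as-option,-Wa$(comma)-mno-relax)` line in arch/riscv/Makefile has no comment, while the changelog says the gcc behaviour it works around "may have now been fixed". A comment above the two -mno-relax lines stating that they exist to avoid R_RISCV_ALIGN relocations the module loader rejects, and that the -Wa form is needed because gcc did not pass the flag through to the assembler for .S files, would tell a later reader why both lines are present and when the second can be dropped.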