From f70a61aa0af40684b2c4077b21341cd97fc5885e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 2 May 2021 13:12:03 +0200
Subject: [PATCH] 5.11-stable patches
added patches:
mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch
netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
---
...ude-hi-and-lo-in-clobber-list-for-r6.patch | 109 ++++++++++++++++++
...l-sysctls-readonly-in-non-init-netns.patch | 57 +++++++++
2 files changed, 166 insertions(+)
create mode 100644 queue-5.11/mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch
create mode 100644 queue-5.11/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
diff --git a/queue-5.11/mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch b/queue-5.11/mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch
new file mode 100644
index 00000000000..465e4ee6d2b
--- /dev/null
+++ b/queue-5.11/mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch
@@ -0,0 +1,109 @@
+From 1d7ba0165d8206ac073f7ac3b14fc0836b66eae7 Mon Sep 17 00:00:00 2001
+From: Romain Naour
+Date: Tue, 20 Apr 2021 22:12:10 +0100
+Subject: mips: Do not include hi and lo in clobber list for R6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Romain Naour
+
+commit 1d7ba0165d8206ac073f7ac3b14fc0836b66eae7 upstream.
+
+From [1]
+"GCC 10 (PR 91233) won't silently allow registers that are not
+architecturally available to be present in the clobber list anymore,
+resulting in build failure for mips*r6 targets in form of:
+...
+.../sysdep.h:146:2: error: the register ‘lo’ cannot be clobbered in ‘asm’ for the current target
+ 146 | __asm__ volatile ( \
+ | ^~~~~~~
+
+This is because base R6 ISA doesn't define hi and lo registers w/o DSP
+extension. This patch provides the alternative clobber list for r6 targets
+that won't include those registers."
+
+Since kernel 5.4 and mips support for generic vDSO [2], the kernel fail to
+build for mips r6 cpus with gcc 10 for the same reason as glibc.
+
+[1] https://sourceware.org/git/?p=glibc.git;a=commit;h=020b2a97bb15f807c0482f0faee2184ed05bcad8
+[2] '24640f233b46 ("mips: Add support for generic vDSO")'
+
+Signed-off-by: Romain Naour
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/mips/include/asm/vdso/gettimeofday.h | 26 +++++++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+--- a/arch/mips/include/asm/vdso/gettimeofday.h
++++ b/arch/mips/include/asm/vdso/gettimeofday.h
+@@ -20,6 +20,12 @@
+
+ #define VDSO_HAS_CLOCK_GETRES 1
+
++#if MIPS_ISA_REV < 6
++#define VDSO_SYSCALL_CLOBBERS "hi", "lo",
++#else
++#define VDSO_SYSCALL_CLOBBERS
++#endif
++
+ static __always_inline long gettimeofday_fallback(
+ struct __kernel_old_timeval *_tv,
+ struct timezone *_tz)
+@@ -35,7 +41,9 @@ static __always_inline long gettimeofday
+ : "=r" (ret), "=r" (error)
+ : "r" (tv), "r" (tz), "r" (nr)
+ : "$1", "$3", "$8", "$9", "$10", "$11", "$12", "$13",
+- "$14", "$15", "$24", "$25", "hi", "lo", "memory");
++ "$14", "$15", "$24", "$25",
++ VDSO_SYSCALL_CLOBBERS
++ "memory");
+
+ return error ? -ret : ret;
+ }
+@@ -59,7 +67,9 @@ static __always_inline long clock_gettim
+ : "=r" (ret), "=r" (error)
+ : "r" (clkid), "r" (ts), "r" (nr)
+ : "$1", "$3", "$8", "$9", "$10", "$11", "$12", "$13",
+- "$14", "$15", "$24", "$25", "hi", "lo", "memory");
++ "$14", "$15", "$24", "$25",
++ VDSO_SYSCALL_CLOBBERS
++ "memory");
+
+ return error ? -ret : ret;
+ }
+@@ -83,7 +93,9 @@ static __always_inline int clock_getres_
+ : "=r" (ret), "=r" (error)
+ : "r" (clkid), "r" (ts), "r" (nr)
+ : "$1", "$3", "$8", "$9", "$10", "$11", "$12", "$13",
+- "$14", "$15", "$24", "$25", "hi", "lo", "memory");
++ "$14", "$15", "$24", "$25",
++ VDSO_SYSCALL_CLOBBERS
++ "memory");
+
+ return error ? -ret : ret;
+ }
+@@ -105,7 +117,9 @@ static __always_inline long clock_gettim
+ : "=r" (ret), "=r" (error)
+ : "r" (clkid), "r" (ts), "r" (nr)
+ : "$1", "$3", "$8", "$9", "$10", "$11", "$12", "$13",
+- "$14", "$15", "$24", "$25", "hi", "lo", "memory");
++ "$14", "$15", "$24", "$25",
++ VDSO_SYSCALL_CLOBBERS
++ "memory");
+
+ return error ? -ret : ret;
+ }
+@@ -125,7 +139,9 @@ static __always_inline int clock_getres3
+ : "=r" (ret), "=r" (error)
+ : "r" (clkid), "r" (ts), "r" (nr)
+ : "$1", "$3", "$8", "$9", "$10", "$11", "$12", "$13",
+- "$14", "$15", "$24", "$25", "hi", "lo", "memory");
++ "$14", "$15", "$24", "$25",
++ VDSO_SYSCALL_CLOBBERS
++ "memory");
+
+ return error ? -ret : ret;
+ }
diff --git a/queue-5.11/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch b/queue-5.11/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
new file mode 100644
index 00000000000..090f3c0f67c
--- /dev/null
+++ b/queue-5.11/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
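Review bot: `#if MIPS_ISA_REV < 6` in the block added at the top of arch/mips/include/asm/vdso/gettimeofday.h (the `@@ -20,6 +20,12 @@` hunk) silently selects the pre-R6 clobber list whenever MIPS_ISA_REV is not yet defined at that point, because an undefined identifier inside `#if` evaluates to 0; the hunk does not show this header's includes, so whether the defining header is already pulled in cannot be confirmed from here. If it is not, r6 builds would fail on the `hi`/`lo` clobbers exactly as before instead of reporting the missing definition. A guard ahead of the `#if`, `#ifndef MIPS_ISA_REV` / `#error "MIPS_ISA_REV must be defined before asm/vdso/gettimeofday.h"` / `#endif`, makes that failure explicit. The trailing comma in `"hi", "lo",` is load-bearing, since the macro is expanded in the middle of the clobber list ahead of `"memory"`, and deserves a one-line comment such as `/* expanded mid clobber-list: trailing comma is intentional */`; the same substitution is repeated in the four later asm blocks of the file.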
@@ -0,0 +1,57 @@
+From 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 Mon Sep 17 00:00:00 2001
+From: Jonathon Reinhart
+Date: Mon, 12 Apr 2021 00:24:53 -0400
+Subject: netfilter: conntrack: Make global sysctls readonly in non-init netns
+
+From: Jonathon Reinhart
+
+commit 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 upstream.
+
+These sysctls point to global variables:
+- NF_SYSCTL_CT_MAX (&nf_conntrack_max)
+- NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max)
+- NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user)
+
+Because their data pointers are not updated to point to per-netns
+structures, they must be marked read-only in a non-init_net ns.
+Otherwise, changes in any net namespace are reflected in (leaked into)
+all other net namespaces. This problem has existed since the
+introduction of net namespaces.
+
+The current logic marks them read-only only if the net namespace is
+owned by an unprivileged user (other than init_user_ns).
+
+Commit d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in
+unprivileged namespaces") "exposes all sysctls even if the namespace is
+unpriviliged." Since we need to mark them readonly in any case, we can
+forego the unprivileged user check altogether.
+
+Fixes: d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces")
+Signed-off-by: Jonathon Reinhart
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_conntrack_standalone.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -1060,16 +1060,10 @@ static int nf_conntrack_standalone_init_
+ nf_conntrack_standalone_init_dccp_sysctl(net, table);
+ nf_conntrack_standalone_init_gre_sysctl(net, table);
+
+- /* Don't allow unprivileged users to alter certain sysctls */
+- if (net->user_ns != &init_user_ns) {
++ /* Don't allow non-init_net ns to alter global sysctls */
++ if (!net_eq(&init_net, net)) {
+ table[NF_SYSCTL_CT_MAX].mode = 0444;
+ table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444;
+- table[NF_SYSCTL_CT_HELPER].mode = 0444;
+-#ifdef CONFIG_NF_CONNTRACK_EVENTS
+- table[NF_SYSCTL_CT_EVENTS].mode = 0444;
+-#endif
+- table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
+- } else if (!net_eq(&init_net, net)) {
+ table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
+ }
+
--
2.47.3
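Review bot: The new `if (!net_eq(&init_net, net))` block no longer forces `NF_SYSCTL_CT_HELPER` and `NF_SYSCTL_CT_EVENTS` to 0444 for namespaces whose user_ns is not init_user_ns, which the removed `net->user_ns != &init_user_ns` branch did, so owners of an unprivileged netns can now write those two sysctls; neither the new comment nor the commit message says this widening is intended. It is presumably acceptable because the message lists only CT_MAX, CT_EXPECT_MAX and CT_BUCKETS as backed by globals, but that those two entries are per-netns is inferred, not shown in the hunk. Recording it keeps the next reader from treating the dropped lines as an accidental loss of hardening, e.g. `/* CT_MAX, CT_EXPECT_MAX and CT_BUCKETS are backed by globals, so only init_net may write them; the other entries are left as is. */`. The enclosing nf_conntrack_standalone_init_sysctl() starts and ends outside the hunk.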