Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v5.10.60 2021-08-18T06:59:18Z 2021-08-18T06:59:18Z Nathan Chancellor nathan@kernel.org 2021-07-31T02:31:08Z urn:sha1:b5f05bdfda28847305e80839477a1160ddb68b94 commit 848378812e40152abe9b9baf58ce2004f76fb988 upstream. A recent change in LLVM causes module_{c,d}tor sections to appear when CONFIG_K{A,C}SAN are enabled, which results in orphan section warnings because these are not handled anywhere: ld.lld: warning: arch/x86/pci/built-in.a(legacy.o):(.text.asan.module_ctor) is being placed in '.text.asan.module_ctor' ld.lld: warning: arch/x86/pci/built-in.a(legacy.o):(.text.asan.module_dtor) is being placed in '.text.asan.module_dtor' ld.lld: warning: arch/x86/pci/built-in.a(legacy.o):(.text.tsan.module_ctor) is being placed in '.text.tsan.module_ctor' Fangrui explains: "the function asan.module_ctor has the SHF_GNU_RETAIN flag, so it is in a separate section even with -fno-function-sections (default)". Place them in the TEXT_TEXT section so that these technologies continue to work with the newer compiler versions. All of the KASAN and KCSAN KUnit tests continue to pass after this change. Cc: stable@vger.kernel.org Link: https://github.com/ClangBuiltLinux/linux/issues/1432 Link: https://github.com/llvm/llvm-project/commit/7b789562244ee941b7bf2cefeb3fc08a59a01865 Signed-off-by: Nathan Chancellor <nathan@kernel.org> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Reviewed-by: Fangrui Song <maskray@google.com> Acked-by: Marco Elver <elver@google.com> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210731023107.1932981-1-nathan@kernel.org [nc: Resolve conflict due to lack of cf68fffb66d60] Signed-off-by: Nathan Chancellor <nathan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-08-18T06:59:17Z Thomas Gleixner tglx@linutronix.de 2021-07-29T21:51:47Z urn:sha1:312730cd15e097c11c4d0a0b8583a89a9ffd3d96 commit 77e89afc25f30abd56e76a809ee2884d7c1b63ce upstream. Multi-MSI uses a single MSI descriptor and there is a single mask register when the device supports per vector masking. To avoid reading back the mask register the value is cached in the MSI descriptor and updates are done by clearing and setting bits in the cache and writing it to the device. But nothing protects msi_desc::masked and the mask register from being modified concurrently on two different CPUs for two different Linux interrupts which belong to the same multi-MSI descriptor. Add a lock to struct device and protect any operation on the mask and the mask register with it. This makes the update of msi_desc::masked unconditional, but there is no place which requires a modification of the hardware register without updating the masked cache. msi_mask_irq() is now an empty wrapper which will be cleaned up in follow up changes. The problem goes way back to the initial support of multi-MSI, but picking the commit which introduced the mask cache is a valid cut off point (2.6.30). Fixes: f2440d9acbe8 ("PCI MSI: Refactor interrupt masking code") Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Tested-by: Marc Zyngier <maz@kernel.org> Reviewed-by: Marc Zyngier <maz@kernel.org> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210729222542.726833414@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-08-18T06:59:15Z Thomas Gleixner tglx@linutronix.de 2021-07-29T21:51:48Z urn:sha1:4e52a4fe6f445a59a88c7ba60dd253a3643f0589 commit 826da771291fc25a428e871f9e7fb465e390f852 upstream. X86 IO/APIC and MSI interrupts (when used without interrupts remapping) require that the affinity setup on startup is done before the interrupt is enabled for the first time as the non-remapped operation mode cannot safely migrate enabled interrupts from arbitrary contexts. Provide a new irq chip flag which allows affected hardware to request this. This has to be opt-in because there have been reports in the past that some interrupt chips cannot handle affinity setting before startup. Fixes: 18404756765c ("genirq: Expose default irq affinity mask (take 3)") Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Tested-by: Marc Zyngier <maz@kernel.org> Reviewed-by: Marc Zyngier <maz@kernel.org> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210729222542.779791738@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-08-18T06:59:13Z Eric Dumazet edumazet@google.com 2021-08-11T19:57:15Z urn:sha1:4344440d91b347bd2b1c7367a7a523e1d2afd8ba [ Upstream commit b69dd5b3780a7298bd893816a09da751bc0636f7 ] Some arches support cmpxchg() on 4-byte and 8-byte only. Increase mr_ifc_count width to 32bit to fix this problem. Fixes: 4a2b285e7e10 ("net: igmp: fix data-race in igmp_ifc_timer_expire()") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Guenter Roeck <linux@roeck-us.net> Link: https://lore.kernel.org/r/20210811195715.3684218-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-08-18T06:59:13Z Nikolay Aleksandrov nikolay@nvidia.com 2021-08-10T11:00:10Z urn:sha1:f333a5ca71c3054a2420545a200a3c80983190b8 [ Upstream commit 45a687879b31caae4032abd1c2402e289d2b8083 ] Ignore fdb flags when adding port extern learn entries and always set BR_FDB_LOCAL flag when adding bridge extern learn entries. This is closest to the behaviour we had before and avoids breaking any use cases which were allowed. This patch fixes iproute2 calls which assume NUD_PERMANENT and were allowed before, example: $ bridge fdb add 00:11:22:33:44:55 dev swp1 extern_learn Extern learn entries are allowed to roam, but do not expire, so static or dynamic flags make no sense for them. Also add a comment for future reference. Fixes: eb100e0e24a2 ("net: bridge: allow to add externally learned entries from user-space") Fixes: 0541a6293298 ("net: bridge: validate the NUD_PERMANENT bit when adding an extern_learn FDB entry") Reviewed-by: Ido Schimmel <idosch@nvidia.com> Tested-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: Nikolay Aleksandrov <nikolay@nvidia.com> Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com> Link: https://lore.kernel.org/r/20210810110010.43859-1-razor@blackwall.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-08-18T06:59:11Z Shay Drory shayd@nvidia.com 2021-04-11T12:32:55Z urn:sha1:303ba011f5e1ca6a66be8bc16ff1c4aaaeafa96f [ Upstream commit 563476ae0c5e48a028cbfa38fa9d2fc0418eb88f ] The CQ destroy is performed based on the IRQ number that is stored in cq->irqn. That number wasn't set explicitly during CQ creation and as expected some of the API users of mlx5_core_create_cq() forgot to update it. This caused to wrong synchronization call of the wrong IRQ with a number 0 instead of the real one. As a fix, set the IRQ number directly in the mlx5_core_create_cq() and update all users accordingly. Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices") Fixes: ef1659ade359 ("IB/mlx5: Add DEVX support for CQ events") Signed-off-by: Shay Drory <shayd@nvidia.com> Reviewed-by: Tariq Toukan <tariqt@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-08-18T06:59:11Z Roi Dayan roid@nvidia.com 2021-08-08T06:52:42Z urn:sha1:30b1fc47f7657da952a20c16892e8d21190eefbf [ Upstream commit beb7f2de5728b0bd2140a652fa51f6ad85d159f7 ] Without this there is a warning if source files include psample.h before skbuff.h or doesn't include it at all. Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling") Signed-off-by: Roi Dayan <roid@nvidia.com> Link: https://lore.kernel.org/r/20210808065242.1522535-1-roid@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-08-15T12:00:25Z Mike Rapoport rppt@linux.ibm.com 2021-08-11T13:41:39Z urn:sha1:eaa7feecd366577148fc17958fd708cea4874a97 Since the commit ce6ee46e0f39 ("mm/page_alloc: fix memory map initialization for descending nodes") initialization of the memory map relies on availability of zone_to_nid() and zone_set_nid methods to link struct page to a node. But in 5.10 zone_to_nid() is only defined for NUMA, but not for DISCONTIGMEM which causes crashes on m68k systems with two memory banks. For instance on ARAnyM with both ST-RAM and FastRAM atari_defconfig build produces the following crash: Unable to handle kernel access at virtual address (ptrval) Oops: 00000000 Modules linked in: PC: [<0005fbbc>] bpf_prog_alloc_no_stats+0x5c/0xba SR: 2200 SP: (ptrval) a2: 016daa90 d0: 0000000c d1: 00000200 d2: 00000001 d3: 00000cc0 d4: 016d1f80 d5: 00034da6 a0: 305c2800 a1: 305c2a00 Process swapper (pid: 1, task=(ptrval)) Frame format=7 eff addr=31800000 ssw=0445 faddr=31800000 wb 1 stat/addr/data: 0000 00000000 00000000 wb 2 stat/addr/data: 0000 00000000 00000000 wb 3 stat/addr/data: 00c5 31800000 00000001 push data: 00000000 00000000 00000000 00000000 Stack from 3058fec8: 00000dc0 00000000 004addc2 3058ff16 0005fc34 00000238 00000000 00000210 004addc2 3058ff16 00281ae0 00000238 00000000 00000000 004addc2 004bc7ec 004aea9e 0048b0c0 3058ff16 00460042 004ba4d2 3058ff8c 004ade6a 0000007e 0000210e 0000007e 00000002 016d1f80 00034da6 000020b4 00000000 004b4764 004bc7ec 00000000 004b4760 004bc7c0 004b4744 001e4cb2 00010001 016d1fe5 016d1ff0 004994d2 003e1589 016d1f80 00412b8c 0000007e 00000001 00000001 Call Trace: [<004addc2>] sock_init+0x0/0xaa [<0005fc34>] bpf_prog_alloc+0x1a/0x66 [<004addc2>] sock_init+0x0/0xaa [<00281ae0>] bpf_prog_create+0x2e/0x7c [<004addc2>] sock_init+0x0/0xaa [<004aea9e>] ptp_classifier_init+0x22/0x44 [<004ade6a>] sock_init+0xa8/0xaa [<0000210e>] do_one_initcall+0x5a/0x150 [<00034da6>] parse_args+0x0/0x208 [<000020b4>] do_one_initcall+0x0/0x150 [<001e4cb2>] strcpy+0x0/0x1c [<00010001>] stwotoxd+0x5/0x1c [<004994d2>] kernel_init_freeable+0x154/0x1a6 [<001e4cb2>] strcpy+0x0/0x1c [<0049951a>] kernel_init_freeable+0x19c/0x1a6 [<004addc2>] sock_init+0x0/0xaa [<00321510>] kernel_init+0x0/0xd8 [<00321518>] kernel_init+0x8/0xd8 [<00321510>] kernel_init+0x0/0xd8 [<00002890>] ret_from_kernel_thread+0xc/0x14 Code: 204b 200b 4cdf 180c 4e75 700c e0aa 3682 <2748> 001c 214b 0140 022b ffbf 0002 206b 001c 2008 0680 0000 0108 2140 0108 2140 Disabling lock debugging due to kernel taint Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b Using CONFIG_NEED_MULTIPLE_NODES rather than CONFIG_NUMA to guard definitions of zone_to_nid() and zone_set_nid() fixes the issue. Reported-by: Mikael Pettersson <mikpelinux@gmail.com> Fixes: ce6ee46e0f39 ("mm/page_alloc: fix memory map initialization for descending nodes") Signed-off-by: Mike Rapoport <rppt@linux.ibm.com> Tested-by: Mikael Pettersson <mikpelinux@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-08-15T12:00:25Z Daniel Borkmann daniel@iogearbox.net 2021-08-09T10:43:17Z urn:sha1:d8c38598701fab30c8bf205c1a249ef6aa7b2a8d commit 51e1bb9eeaf7868db56e58f47848e364ab4c4129 upstream. Back then, commit 96ae52279594 ("bpf: Add bpf_probe_write_user BPF helper to be called in tracers") added the bpf_probe_write_user() helper in order to allow to override user space memory. Its original goal was to have a facility to "debug, divert, and manipulate execution of semi-cooperative processes" under CAP_SYS_ADMIN. Write to kernel was explicitly disallowed since it would otherwise tamper with its integrity. One use case was shown in cf9b1199de27 ("samples/bpf: Add test/example of using bpf_probe_write_user bpf helper") where the program DNATs traffic at the time of connect(2) syscall, meaning, it rewrites the arguments to a syscall while they're still in userspace, and before the syscall has a chance to copy the argument into kernel space. These days we have better mechanisms in BPF for achieving the same (e.g. for load-balancers), but without having to write to userspace memory. Of course the bpf_probe_write_user() helper can also be used to abuse many other things for both good or bad purpose. Outside of BPF, there is a similar mechanism for ptrace(2) such as PTRACE_PEEK{TEXT,DATA} and PTRACE_POKE{TEXT,DATA}, but would likely require some more effort. Commit 96ae52279594 explicitly dedicated the helper for experimentation purpose only. Thus, move the helper's availability behind a newly added LOCKDOWN_BPF_WRITE_USER lockdown knob so that the helper is disabled under the "integrity" mode. More fine-grained control can be implemented also from LSM side with this change. Fixes: 96ae52279594 ("bpf: Add bpf_probe_write_user BPF helper to be called in tracers") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Andrii Nakryiko <andrii@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-08-15T12:00:24Z Sumit Garg sumit.garg@linaro.org 2021-06-14T22:33:15Z urn:sha1:c5a625c6a4aca90ef85947dd0ee813e31af8af5c [ Upstream commit 376e4199e327a5cf29b8ec8fb0f64f3d8b429819 ] Currently TEE_SHM_DMA_BUF flag has been inappropriately used to not register shared memory allocated for private usage by underlying TEE driver: OP-TEE in this case. So rather add a new flag as TEE_SHM_PRIV that can be utilized by underlying TEE drivers for private allocation and usage of shared memory. With this corrected, allow tee_shm_alloc_kernel_buf() to allocate a shared memory region without the backing of dma-buf. Cc: stable@vger.kernel.org Signed-off-by: Sumit Garg <sumit.garg@linaro.org> Co-developed-by: Tyler Hicks <tyhicks@linux.microsoft.com> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Sumit Garg <sumit.garg@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Sasha Levin <sashal@kernel.org>