This is the start of the stable review cycle for the 5.4.139 release.
There are 23 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sun, 08 Aug 2021 08:11:03 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.139-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <[email protected]>
Linux 5.4.139-rc1
Daniel Borkmann <[email protected]>
bpf, selftests: Adjust few selftest outcomes wrt unreachable code
John Fastabend <[email protected]>
bpf, selftests: Add a verifier test for assigning 32bit reg states to 64bit ones
John Fastabend <[email protected]>
bpf: Test_verifier, add alu32 bounds tracking tests
Daniel Borkmann <[email protected]>
bpf: Fix leakage under speculation on mispredicted branches
Daniel Borkmann <[email protected]>
bpf: Do not mark insn as seen under speculative path verification
Daniel Borkmann <[email protected]>
bpf: Inherit expanded/patched seen count from old aux data
Greg Kroah-Hartman <[email protected]>
Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout"
Cristian Marussi <[email protected]>
firmware: arm_scmi: Add delayed response status check
Sudeep Holla <[email protected]>
firmware: arm_scmi: Ensure drivers provide a probe function
Greg Kroah-Hartman <[email protected]>
Revert "Bluetooth: Shutdown controller after workqueues are flushed or cancelled"
Greg Kroah-Hartman <[email protected]>
Revert "spi: mediatek: fix fifo rx mode"
Linus Torvalds <[email protected]>
ACPI: fix NULL pointer dereference
Keith Busch <[email protected]>
nvme: fix nvme_setup_command metadata trace event
Pravin B Shelar <[email protected]>
net: Fix zero-copy head len calculation.
Jia He <[email protected]>
qed: fix possible unpaired spin_{un}lock_bh in _qed_mcp_cmd_and_union()
Takashi Iwai <[email protected]>
r8152: Fix potential PM refcount imbalance
Kyle Russell <[email protected]>
ASoC: tlv320aic31xx: fix reversed bclk/wclk master bits
Alain Volmat <[email protected]>
spi: stm32h7: fix full duplex irq handler handling
Axel Lin <[email protected]>
regulator: rt5033: Fix n_voltages settings for BUCK and LDO
Filipe Manana <[email protected]>
btrfs: fix lost inode on log replay after mix of fsync, rename and inode eviction
Filipe Manana <[email protected]>
btrfs: fix race causing unnecessary inode logging during link and rename
Filipe Manana <[email protected]>
btrfs: do not commit logs and transactions during link and rename operations
Randy Dunlap <[email protected]>
btrfs: delete duplicated words + other fixes in comments
-------------
Diffstat:
Makefile | 4 +-
drivers/firmware/arm_scmi/bus.c | 3 +
drivers/firmware/arm_scmi/driver.c | 8 +-
drivers/net/ethernet/qlogic/qed/qed_mcp.c | 23 +++--
drivers/net/usb/r8152.c | 3 +-
drivers/nvme/host/trace.h | 6 +-
drivers/spi/spi-mt65xx.c | 16 +--
drivers/spi/spi-stm32.c | 15 +--
drivers/watchdog/iTCO_wdt.c | 12 +--
fs/btrfs/block-group.c | 2 +-
fs/btrfs/ctree.c | 2 +-
fs/btrfs/disk-io.c | 2 +-
fs/btrfs/extent_io.c | 2 +-
fs/btrfs/free-space-cache.c | 2 +-
fs/btrfs/inode.c | 115 +++------------------
fs/btrfs/qgroup.c | 2 +-
fs/btrfs/tree-log.c | 107 +++++++++----------
fs/btrfs/tree-log.h | 14 +--
include/acpi/acpi_bus.h | 3 +-
include/linux/mfd/rt5033-private.h | 4 +-
kernel/bpf/verifier.c | 65 ++++++++++--
net/bluetooth/hci_core.c | 16 +--
net/core/skbuff.c | 5 +-
sound/soc/codecs/tlv320aic31xx.h | 4 +-
tools/testing/selftests/bpf/test_verifier.c | 2 +-
tools/testing/selftests/bpf/verifier/bounds.c | 65 ++++++++++++
tools/testing/selftests/bpf/verifier/dead_code.c | 2 +
tools/testing/selftests/bpf/verifier/jmp32.c | 22 ++++
tools/testing/selftests/bpf/verifier/jset.c | 10 +-
tools/testing/selftests/bpf/verifier/unpriv.c | 2 +
.../selftests/bpf/verifier/value_ptr_arith.c | 7 +-
31 files changed, 295 insertions(+), 250 deletions(-)
From: John Fastabend <[email protected]>
commit 41f70fe0649dddf02046315dc566e06da5a2dc91 upstream
Its possible to have divergent ALU32 and ALU64 bounds when using JMP32
instructins and ALU64 arithmatic operations. Sometimes the clang will
even generate this code. Because the case is a bit tricky lets add
a specific test for it.
Here is pseudocode asm version to illustrate the idea,
1 r0 = 0xffffffff00000001;
2 if w0 > 1 goto %l[fail];
3 r0 += 1
5 if w0 > 2 goto %l[fail]
6 exit
The intent here is the verifier will fail the load if the 32bit bounds
are not tracked correctly through ALU64 op. Similarly we can check the
64bit bounds are correctly zero extended after ALU32 ops.
1 r0 = 0xffffffff00000001;
2 w0 += 1
2 if r0 > 3 goto %l[fail];
6 exit
The above will fail if we do not correctly zero extend 64bit bounds
after 32bit op.
Signed-off-by: John Fastabend <[email protected]>
Signed-off-by: Alexei Starovoitov <[email protected]>
Link: https://lore.kernel.org/bpf/158560430155.10843.514209255758200922.stgit@john-Precision-5820-Tower
Signed-off-by: Ovidiu Panait <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
tools/testing/selftests/bpf/verifier/bounds.c | 39 ++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
--- a/tools/testing/selftests/bpf/verifier/bounds.c
+++ b/tools/testing/selftests/bpf/verifier/bounds.c
@@ -506,3 +506,42 @@
.errstr = "map_value pointer and 1000000000000",
.result = REJECT
},
+{
+ "bounds check mixed 32bit and 64bit arithmatic. test1",
+ .insns = {
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_MOV64_IMM(BPF_REG_1, -1),
+ BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
+ /* r1 = 0xffffFFFF00000001 */
+ BPF_JMP32_IMM(BPF_JGT, BPF_REG_1, 1, 3),
+ /* check ALU64 op keeps 32bit bounds */
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
+ BPF_JMP32_IMM(BPF_JGT, BPF_REG_1, 2, 1),
+ BPF_JMP_A(1),
+ /* invalid ldx if bounds are lost above */
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT
+},
+{
+ "bounds check mixed 32bit and 64bit arithmatic. test2",
+ .insns = {
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_MOV64_IMM(BPF_REG_1, -1),
+ BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
+ /* r1 = 0xffffFFFF00000001 */
+ BPF_MOV64_IMM(BPF_REG_2, 3),
+ /* r1 = 0x2 */
+ BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
+ /* check ALU32 op zero extends 64bit bounds */
+ BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 1),
+ BPF_JMP_A(1),
+ /* invalid ldx if bounds are lost above */
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT
+},
From: Daniel Borkmann <[email protected]>
commit fe9a5ca7e370e613a9a75a13008a3845ea759d6e upstream
... in such circumstances, we do not want to mark the instruction as seen given
the goal is still to jmp-1 rewrite/sanitize dead code, if it is not reachable
from the non-speculative path verification. We do however want to verify it for
safety regardless.
With the patch as-is all the insns that have been marked as seen before the
patch will also be marked as seen after the patch (just with a potentially
different non-zero count). An upcoming patch will also verify paths that are
unreachable in the non-speculative domain, hence this extension is needed.
Signed-off-by: Daniel Borkmann <[email protected]>
Reviewed-by: John Fastabend <[email protected]>
Reviewed-by: Benedict Schlueter <[email protected]>
Reviewed-by: Piotr Krysiuk <[email protected]>
Acked-by: Alexei Starovoitov <[email protected]>
[OP: - env->pass_cnt is not used in 5.4, so adjust sanitize_mark_insn_seen()
to assign "true" instead
- drop sanitize_insn_aux_data() comment changes, as the function is not
present in 5.4]
Signed-off-by: Ovidiu Panait <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
kernel/bpf/verifier.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4435,6 +4435,19 @@ do_sim:
return !ret ? REASON_STACK : 0;
}
+static void sanitize_mark_insn_seen(struct bpf_verifier_env *env)
+{
+ struct bpf_verifier_state *vstate = env->cur_state;
+
+ /* If we simulate paths under speculation, we don't update the
+ * insn as 'seen' such that when we verify unreachable paths in
+ * the non-speculative domain, sanitize_dead_code() can still
+ * rewrite/sanitize them.
+ */
+ if (!vstate->speculative)
+ env->insn_aux_data[env->insn_idx].seen = true;
+}
+
static int sanitize_err(struct bpf_verifier_env *env,
const struct bpf_insn *insn, int reason,
const struct bpf_reg_state *off_reg,
@@ -7790,7 +7803,7 @@ static int do_check(struct bpf_verifier_
}
regs = cur_regs(env);
- env->insn_aux_data[env->insn_idx].seen = true;
+ sanitize_mark_insn_seen(env);
prev_insn_idx = env->insn_idx;
if (class == BPF_ALU || class == BPF_ALU64) {
@@ -8025,7 +8038,7 @@ process_bpf_exit:
return err;
env->insn_idx++;
- env->insn_aux_data[env->insn_idx].seen = true;
+ sanitize_mark_insn_seen(env);
} else {
verbose(env, "invalid BPF_LD mode\n");
return -EINVAL;
On Fri, Aug 06, 2021 at 10:16:32AM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.139 release.
> There are 23 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 08 Aug 2021 08:11:03 +0000.
> Anything received after that time might be too late.
>
Build results:
total: 157 pass: 157 fail: 0
Qemu test results:
total: 445 pass: 445 fail: 0
Tested-by: Guenter Roeck <[email protected]>
Guenter
Hi Greg,
On Fri, Aug 06, 2021 at 10:16:32AM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.139 release.
> There are 23 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 08 Aug 2021 08:11:03 +0000.
> Anything received after that time might be too late.
Build test:
mips (gcc version 11.1.1 20210723): 65 configs -> no failure
arm (gcc version 11.1.1 20210723): 107 configs -> no new failure
arm64 (gcc version 11.1.1 20210723): 2 configs -> no failure
x86_64 (gcc version 10.2.1 20210110): 4 configs -> no failure
Boot test:
x86_64: Booted on my test laptop. No regression.
x86_64: Booted on qemu. No regression. [1]
[1]. https://openqa.qa.codethink.co.uk/tests/10
Tested-by: Sudip Mukherjee <[email protected]>
--
Regards
Sudip
On Fri, 6 Aug 2021 at 13:48, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 5.4.139 release.
> There are 23 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 08 Aug 2021 08:11:03 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.139-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <[email protected]>
## Build
* kernel: 5.4.139-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git branch: linux-5.4.y
* git commit: e6d9a103071fd29a034b969983747f48d429ce9b
* git describe: v5.4.138-24-ge6d9a103071f
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.4.y/build/v5.4.138-24-ge6d9a103071f
## No regressions (compared to v5.4.138)
## No fixes (compared to v5.4.138)
## Test result summary
total: 74755, pass: 60671, fail: 881, skip: 11660, xfail: 1543
## Build Summary
* arc: 10 total, 10 passed, 0 failed
* arm: 192 total, 192 passed, 0 failed
* arm64: 26 total, 26 passed, 0 failed
* dragonboard-410c: 1 total, 1 passed, 0 failed
* hi6220-hikey: 1 total, 1 passed, 0 failed
* i386: 15 total, 15 passed, 0 failed
* juno-r2: 1 total, 1 passed, 0 failed
* mips: 45 total, 45 passed, 0 failed
* parisc: 9 total, 9 passed, 0 failed
* powerpc: 27 total, 27 passed, 0 failed
* riscv: 21 total, 21 passed, 0 failed
* s390: 9 total, 9 passed, 0 failed
* sh: 18 total, 18 passed, 0 failed
* sparc: 9 total, 9 passed, 0 failed
* x15: 1 total, 1 passed, 0 failed
* x86: 1 total, 1 passed, 0 failed
* x86_64: 26 total, 26 passed, 0 failed
## Test suites summary
* fwts
* igt-gpu-tools
* install-android-platform-tools-r2600
* kselftest-android
* kselftest-bpf
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-lkdtm
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kvm-unit-tests
* libgpiod
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* perf
* rcutorture
* ssuite
* v4l2-compliance
--
Linaro LKFT
https://lkft.linaro.org
On 21/08/06 10:16AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.139 release.
> There are 23 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 08 Aug 2021 08:11:03 +0000.
> Anything received after that time might be too late.
Compiled, booted, with no regressions on x86_64
Tested-by: Aakash Hemadri <[email protected]>