- 23 Nov, 2022 13 commits
-
-
Committed by Suzuki K Poulose
mainline inclusion
from mainline-v5.11-rc5
commit 1ab3bb9d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5YCYK
CVE: NA
Reference: https://lore.kernel.org/r/20210110224850.1880240-22-suzuki.poulose@arm.com
--------------------------------------------------------------------------
As per the specification any update to the TRCPRGCTLR must be synchronized by a context synchronization event (in our case an explicit ISB) before the TRCSTATR is checked.

Link: https://lore.kernel.org/r/20210110224850.1880240-22-suzuki.poulose@arm.com
Cc: Mike Leach <mike.leach@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20210201181351.1475223-24-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Suzuki K Poulose
mainline inclusion
from mainline-v5.11-rc5
commit dc1747a7
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5YCYK
CVE: NA
Reference: https://lore.kernel.org/r/20210110224850.1880240-23-suzuki.poulose@arm.com
--------------------------------------------------------------------------
ETM v4.4 onwards adds support for system instruction access to the ETM. Detect the support on an ETM and switch to using the mode when available.

Link: https://lore.kernel.org/r/20210110224850.1880240-23-suzuki.poulose@arm.com
Cc: Mike Leach <mike.leach@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20210201181351.1475223-25-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Suzuki K Poulose
mainline inclusion
from mainline-v5.11-rc5
commit fd6e7905
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5YCYK
CVE: NA
Reference: https://lore.kernel.org/r/20210110224850.1880240-19-suzuki.poulose@arm.com
--------------------------------------------------------------------------
In preparation to detect the support for system instruction support, move the detection of the device access to the target CPU.

Link: https://lore.kernel.org/r/20210110224850.1880240-19-suzuki.poulose@arm.com
Cc: Mike Leach <mike.leach@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20210201181351.1475223-21-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Suzuki K Poulose
mainline inclusion
from mainline-v5.11-rc5
commit e49516e2
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5YCYK
CVE: NA
Reference: https://lore.kernel.org/r/20210110224850.1880240-18-suzuki.poulose@arm.com
--------------------------------------------------------------------------
We are about to rely on TRCDEVARCH for detecting the ETM and its architecture version, falling back to TRCIDR1 if the former is not implemented (in older broken implementations).

Also, we use the architecture version information to make some decisions. Streamline the architecture version handling by adding helpers.

Link: https://lore.kernel.org/r/20210110224850.1880240-18-suzuki.poulose@arm.com
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20210201181351.1475223-20-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Suzuki K Poulose
mainline inclusion
from mainline-v5.11-rc5
commit 33d5573a
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5YCYK
CVE: NA
Reference: https://lore.kernel.org/r/20210110224850.1880240-15-suzuki.poulose@arm.com
--------------------------------------------------------------------------
The Software lock is not implemented for system instructions based accesses. So, skip the lock register access in such cases.

Link: https://lore.kernel.org/r/20210110224850.1880240-15-suzuki.poulose@arm.com
Cc: Mike Leach <mike.leach@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20210201181351.1475223-17-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Suzuki K Poulose
mainline inclusion
from mainline-v5.11-rc5
commit d02dfac3
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5YCYK
CVE: NA
Reference: https://lore.kernel.org/r/20210110224850.1880240-14-suzuki.poulose@arm.com
--------------------------------------------------------------------------
Define the fields of the DEVARCH register for identifying a component as an ETMv4.x unit. Going forward, we use the DEVARCH register for the component identification, rather than the TRCIDR3.

Link: https://lore.kernel.org/r/20210110224850.1880240-14-suzuki.poulose@arm.com
Cc: Mike Leach <mike.leach@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20210201181351.1475223-16-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Suzuki K Poulose
mainline inclusion
from mainline-v5.11-rc5
commit 91b9f018
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5YCYK
CVE: NA
Reference: https://lore.kernel.org/r/20210110224850.1880240-13-suzuki.poulose@arm.com
--------------------------------------------------------------------------
Some of the management registers in ETMv4.x are not accessible via system register instructions. Thus we must hide the sysfs files exposing them to the userspace, to prevent system crashes. This patch adds an is_visible() routine to control the visibility at runtime for the registers that may not be accessed.

Link: https://lore.kernel.org/r/20210110224850.1880240-13-suzuki.poulose@arm.com
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: Mike Leach <mike.leach@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20210201181351.1475223-15-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Suzuki K Poulose
mainline inclusion
from mainline-v5.11-rc5
commit 03336d0f
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5YCYK
CVE: NA
Reference: https://lore.kernel.org/r/20210110224850.1880240-12-suzuki.poulose@arm.com
--------------------------------------------------------------------------
ETM architecture defines the system instructions for accessing via register accesses. Add basic support for accessing a given register via system instructions.

We split the list of registers as:
 1) Accessible only from memory mapped interface
 2) Accessible from system register instructions.

All registers are accessible via the memory-mapped interface. However, some registers are not accessible via the system instructions. This list is then used to further filter out the files we expose via sysfs.

Link: https://lore.kernel.org/r/20210110224850.1880240-12-suzuki.poulose@arm.com
Cc: Mike Leach <mike.leach@linaro.org>
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20210201181351.1475223-14-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Suzuki K Poulose
mainline inclusion
from mainline-v5.11-rc5
commit c03ceec1
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5YCYK
CVE: NA
Reference: https://lore.kernel.org/r/20210110224850.1880240-10-suzuki.poulose@arm.com
--------------------------------------------------------------------------
Some of the ETM management registers are not accessible via system instructions. Thus we need to filter accesses to these registers depending on the access mechanism for the ETM at runtime. The driver can cope with this for normal operation, by regular checks. But the driver also exposes them via sysfs, which now needs to be removed.

So far, we have used the generic coresight sysfs helper macros to export a given device register, defining a "show" operation per register. This is not helpful to filter the files at runtime, based on the access.

In order to do this dynamically, we need to filter the attributes by offsets and hard coded "show" functions don't make this easy. Thus, switch to extended attributes, storing the offset in the scratch space. This allows us to implement filtering based on the offset and also saves us some text size. This will be later used for determining a given attribute must be "visible" via sysfs.

Link: https://lore.kernel.org/r/20210110224850.1880240-10-suzuki.poulose@arm.com
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: Mike Leach <mike.leach@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20210201181351.1475223-12-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Suzuki K Poulose
mainline inclusion
from mainline-v5.11-rc5
commit 5e2acf9d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5YCYK
CVE: NA
Reference: https://lore.kernel.org/r/20210110224850.1880240-8-suzuki.poulose@arm.com
--------------------------------------------------------------------------
As we are about to add support for sysreg access to ETM4.4+ components, make sure that we read the registers only on the host CPU.

Link: https://lore.kernel.org/r/20210110224850.1880240-8-suzuki.poulose@arm.com
Cc: Mike Leach <mike.leach@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20210201181351.1475223-10-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Suzuki K Poulose
mainline inclusion
from mainline-v5.11-rc5
commit 8ce00296
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5YCYK
CVE: NA
Reference: https://lore.kernel.org/r/20210110224850.1880240-7-suzuki.poulose@arm.com
--------------------------------------------------------------------------
Convert the generic CLAIM tag management APIs to use the device access layer abstraction.

Link: https://lore.kernel.org/r/20210110224850.1880240-7-suzuki.poulose@arm.com
Cc: Mike Leach <mike.leach@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20210201181351.1475223-9-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Suzuki K Poulose
mainline inclusion
from mainline-v5.11-rc5
commit 02005282
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5YCYK
CVE: NA
Reference: https://lore.kernel.org/r/20210110224850.1880240-6-suzuki.poulose@arm.com
--------------------------------------------------------------------------
Convert the generic routines to use the new access abstraction layer gradually, starting with coresight_timeout.

Link: https://lore.kernel.org/r/20210110224850.1880240-6-suzuki.poulose@arm.com
Cc: Mike Leach <mike.leach@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20210201181351.1475223-8-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Suzuki K Poulose
mainline inclusion
from mainline-v5.11-rc5
commit 6e736c60
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5YCYK
CVE: NA
Reference: https://lore.kernel.org/r/20210110224850.1880240-4-suzuki.poulose@arm.com
--------------------------------------------------------------------------
We are about to introduce support for sysreg access to ETMv4.4+ component. Since there are generic routines that access the registers (e.g, CS_LOCK/UNLOCK, claim/disclaim operations, timeout) and in order to preserve the logic of these operations at a single place we introduce an abstraction layer for the accesses to a given device.

Link: https://lore.kernel.org/r/20210110224850.1880240-4-suzuki.poulose@arm.com
Cc: Mike Leach <mike.leach@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20210201181351.1475223-6-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 22 Nov, 2022 5 commits
-
-
Committed by openeuler-ci-bot
Merge Pull Request from: @allen-shi

This is a cherry-pick of [PR82](https://gitee.com/openeuler/kernel/pulls/82) and [PR120](https://gitee.com/openeuler/kernel/pulls/120) from openEuler-22.09 branch. [PR120](https://gitee.com/openeuler/kernel/pulls/120) is to fix the issue for [PR82](https://gitee.com/openeuler/kernel/pulls/82).

### For [PR82](https://gitee.com/openeuler/kernel/pulls/82), the patch set is to add uncore PMU support for Intel Sapphire Rapids platform.

It includes generic uncore discovery support and SPR specific uncore event support.

Generic uncore discovery support contains:

a) Feature patches from upstream 5.13-rc1 (5 commits):
- c4c55e36 perf/x86/intel/uncore: Generic support for the MMIO type of uncore blocks
- 42839ef4 perf/x86/intel/uncore: Generic support for the PCI type of uncore blocks
- 6477dc39 perf/x86/intel/uncore: Rename uncore_notifier to uncore_pci_sub_notifier
- d6c75413 perf/x86/intel/uncore: Generic support for the MSR type of uncore blocks
- edae1f06 perf/x86/intel/uncore: Parse uncore discovery tables

b) To fix rb_find/rb_add implicit declaration errors, adding rbtree helper patches (v5.12-rc1, 7 commits):
- 798172b1 rbtree, timerqueue: Use rb_add_cached()
- 5a798725 rbtree, rtmutex: Use rb_add_cached()
- a905e84e rbtree, uprobes: Use rbtree helpers
- a3b89864 rbtree, perf: Use new rbtree helpers
- 8ecca394 rbtree, sched/deadline: Use rb_add_cached()
- bf9be9a1 rbtree, sched/fair: Use rb_add_cached()
- 2d24dd57 rbtree: Add generic add and find helpers

c) To fix error (too few arguments to function ‘uncore_pci_pmu_register’), add dependent patches (5.12-rc1, 2):
- 9a7832ce perf/x86/intel/uncore: With > 8 nodes, get pci bus die id from NUMA info
- ba9506be perf/x86/intel/uncore: Store the logical die id instead of the physical die id.

SPR platform specific uncore support contains:

a) Feature upstream patches from mainline v5.15-rc1 (15 commits):
- c76826a6 perf/x86/intel/uncore: Support IMC free-running counters on Sapphire Rapids server
- 0378c93a perf/x86/intel/uncore: Support IIO free-running counters on Sapphire Rapids server
- 1583971b perf/x86/intel/uncore: Factor out snr_uncore_mmio_map()
- 8053f2d7 perf/x86/intel/uncore: Add alias PMU name
- 0d771caf perf/x86/intel/uncore: Add Sapphire Rapids server MDF support
- 2a8e51ea perf/x86/intel/uncore: Add Sapphire Rapids server M3UPI support
- da5a9156 perf/x86/intel/uncore: Add Sapphire Rapids server UPI support
- f57191ed perf/x86/intel/uncore: Add Sapphire Rapids server M2M support
- 85f2e30f perf/x86/intel/uncore: Add Sapphire Rapids server IMC support
- 0654dfdc perf/x86/intel/uncore: Add Sapphire Rapids server PCU support
- f85ef898 perf/x86/intel/uncore: Add Sapphire Rapids server M2PCIe support
- e199eb51 perf/x86/intel/uncore: Add Sapphire Rapids server IRP support
- 3ba7095b perf/x86/intel/uncore: Add Sapphire Rapids server IIO support
- 949b1138 perf/x86/intel/uncore: Add Sapphire Rapids server CHA support
- c54c53d9 perf/x86/intel/uncore: Add Sapphire Rapids server framework

b) Two SPR model name related changes to make above patches apply cleanly (2 commits):
- (5.14-rc2) 28188cc4 x86/cpu: Fix core name for Sapphire Rapids
- (5.13-rc1) 53375a5a x86/cpu: Resort and comment Intel models

c) Some SPR uncore related bugfixes (6 commits):

v5.16-rc1:
- 4034fb20 perf/x86/intel/uncore: Fix Intel SPR M3UPI event constraints
- f01d7d55 perf/x86/intel/uncore: Fix Intel SPR M2PCIE event constraints
- 67c5d443 perf/x86/intel/uncore: Fix Intel SPR IIO event constraints
- 9d756e40 perf/x86/intel/uncore: Fix Intel SPR CHA event constraints
- e2bb9fab perf/x86/intel/uncore: Fix invalid unit check

v5.13-rc6:
- 4a0e3ff3 perf/x86/intel/uncore: Fix a kernel WARNING triggered by maxcpus=1

**Intel-kernel issue:** [#I5BECO](https://gitee.com/openeuler/intel-kernel/issues/I5BECO)

**Test:** With this patch set, on SPR:

```
# cat /sys/devices/uncore_cha_1/alias
uncore_type_0_1
# perf stat -a -e uncore_imc_0/event=0x1/ -- sleep 1

 Performance counter stats for 'system wide':

     2,407,096,566      uncore_imc_0/event=0x1/

       1.002850766 seconds time elapsed

# perf stat -a -e uncore_imc_free_running_0/rpq_cycles/ -- sleep 1

 Performance counter stats for 'system wide':

        13,879,446      uncore_imc_free_running_0/rpq_cycles/

       1.002852701 seconds time elapsed
```

Without this patch set, the "uncore_cha_1" like devices are not available under /sys/devices, and the above like uncore events will be "not supported".

**Known issue:** N/A

**Default config change:** N/A

### For [PR120](https://gitee.com/openeuler/kernel/pulls/120), it is to cherry-pick upstream fix for commit c6bc9bd06dff ("rbtree, uprobes: Use rbtree helpers")

**BPFTrace Issue** [#I5RUM5](https://gitee.com/src-openeuler/bpftrace/issues/I5RUM5)

**Tests**
1. Run bpftrace /usr/share/bpftrace/tools/bashreadline.bt without the fix, we can see the core dump.
2. Apply the fix, and run bpftrace /usr/share/bpftrace/tools/bashreadline.bt, the issue disappears.

**Known Issue** N/A

**Default config change** N/A

Link: https://gitee.com/openeuler/kernel/pulls/229
Reviewed-by: Jun Tian <jun.j.tian@intel.com>
Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by openeuler-ci-bot
Merge Pull Request from: @ma-wupeng

With the increase of memory capacity and density, the probability of memory error increases. The increasing size and density of server RAM in the data center and cloud have shown increased uncorrectable memory errors.

Currently, the kernel has a mechanism to recover from hardware memory errors. This patchset provides a new recovery mechanism.

For arm64, the hardware memory error handling is do_sea(), which is divided into two cases:
1. The user state consumed the memory errors, the solution is to kill the user process and isolate the error page.
2. The kernel state consumed the memory errors, the solution is panic.

For case 2, undifferentiated panic may not be the optimal choice; it can be handled better. In some scenarios, we can avoid panic, such as uaccess: if the uaccess fails due to memory error, only the user process will be affected, so killing the user process and isolating the user page with hardware memory errors is a better choice.

PR from 22.09:

Link: https://gitee.com/openeuler/kernel/pulls/251
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by openeuler-ci-bot
Merge Pull Request from: @hifi521

#I5JMOU

If the NLS_CODEPAGE_437.ko does not exist in the bootrom system, but the vfat filesystem depends on the NLS_CODEPAGE_437 module, the /boot/efi fails to be mounted. Change the value of NLS_CODEPAGE_437 from m to y in arch/arm64/configs/openeuler_defconfig and arch/x86/configs/openeuler_defconfig.

Link: https://gitee.com/openeuler/kernel/pulls/54
Reviewed-by: Liu Chao <liuchao173@huawei.com>
Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
-
Committed by openeuler-ci-bot
Merge Pull Request from: @zhongjinghua

KSMBD support.

KSMBD is an opensource In-kernel CIFS/SMB3 server created by Namjae Jeon for Linux Kernel. It's an implementation of SMB/CIFS protocol in kernel space for sharing files and IPC services over network. Initially the target is to provide improved file I/O performances, but the bigger goal is to have some new features which are much easier to develop and maintain inside the kernel and expose the layers fully. Directions can be attributed to sections where SAMBA is moving to few modules inside the kernel to have features like RDMA (Remote direct memory access) to work with actual performance gain.

issue: https://e.gitee.com/open_euler/dashboard?issue=I60T7G

Link: https://gitee.com/openeuler/kernel/pulls/255
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
-
Committed by openeuler-ci-bot
Merge Pull Request from: @HuaxinLuGitee

openeuler inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I6202L
CVE: NA

1. set CONFIG_CRYPTO_SM2/3 to y: The module signature based on SM2 cert has been supported now. So the SM2/3 should be enabled by default to support SM2 cert in kernel boot process.
2. set CONFIG_CRYPTO_SM3_GENERIC to y: sm3-generic is architecture independent and should be built in case other modules fail.
3. set CONFIG_CRYPTO_SM4_GENERIC to m: sm4-generic is architecture independent and should be built in case other modules fail.
4. enable algorithm implementations related to architecture: Enable SM4-CE, SM4-NEON, SM3-AVX to improve algorithm performance.

Link: https://gitee.com/openeuler/kernel/pulls/262
Reviewed-by: Liu Chao <liuchao173@huawei.com>
Reviewed-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
-
- 21 Nov, 2022 22 commits
-
-
Committed by Luiz Augusto von Dentz
stable inclusion
from stable-v5.10.154
commit 6b6f94fb9a74dd2891f11de4e638c6202bc89476
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5ZNPH?from=project-issue
CVE: CVE-2022-42896
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6b6f94fb9a74dd2891f11de4e638c6202bc89476
-------------------------------
commit 711f8c3f upstream.

The Bluetooth spec states that the valid range for SPSM is from 0x0001-0x00ff so it is invalid to accept values outside of this range:

  BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A page 1059:
  Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges

CVE: CVE-2022-42896
CC: stable@vger.kernel.org
Reported-by: Tamás Koczka <poprdi@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Reviewed-by: Liu Jian <liujian56@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Wenpeng Liang
driver inclusion
category: Bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I61RNU
----------------------------------------------------------
Use urt to run the open xrc qp business, and the following error occurs:

  Create qp failed.

Because the driver does not have an ex_cmd flag, related ioctl() or syscall() will fail to execute. So add open xrc qp cmd flag.

Fixes: ae394640 ("RDMA/hns: Add support for XRC on HIP09")
Signed-off-by: Wenpeng Liang <liangwenpeng@huawei.com>
Reviewed-by: Yangyang Li <liyangyang20@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Yixing Liu
driver inclusion
category: Bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I61F1Q
--------------------------------------------------------------
Running roce v1 business on fpga, the following error occurs:

  hns3 0000:35:00.0 hns_0: local work queue 0x2 catast error, sub_event type is: 4

This is because the sl transmitted by the roce v1 service driver after set dscp is incorrect, which makes the sl of db inconsistent with the sl of qpc, resulting in an sl error on the hardware.

Fixes: 11ef2ec6 ("RDMA/hns: Support DSCP of userspace")
Signed-off-by: Yixing Liu <liuyixing1@huawei.com>
Reviewed-by: Yangyang Li <liyangyang20@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Yixing Liu
driver inclusion
category: Bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I61FED
-----------------------------------------------------------
When it is roce v1, if the traffic_class value exceeds 63, the following error will appear:

  modify qp to 2 state failed(22)
  Failed to create AH

This is because the driver intercepts the over-spec value in set dscp, and there is no need to obtain dscp for roce v1, so the driver does not intercept v1.

Fixes: 11ef2ec6 ("RDMA/hns: Support DSCP of userspace")
Signed-off-by: Yixing Liu <liuyixing1@huawei.com>
Reviewed-by: Yangyang Li <liyangyang20@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Long Li
hulk inclusion
category: bugfix
bugzilla: 187286, https://gitee.com/openeuler/kernel/issues/I4KIAO
CVE: NA
--------------------------------
The following error occurred during the fsstress test:

  XFS: Assertion failed: VFS_I(ip)->i_nlink >= 2, file: fs/xfs/xfs_inode.c, line: 2452

The problem was that inode race condition causes incorrect i_nlink to be written to disk, and then it is read into memory. Consider the following call graph, inodes that are marked as both XFS_IFLUSHING and XFS_IRECLAIMABLE, i_nlink will be reset to 1 and then restored to original value in xfs_reinit_inode(). Therefore, the i_nlink of directory on disk may be set to 1.

  xfsaild
    xfs_inode_item_push
      xfs_iflush_cluster
        xfs_iflush
          xfs_inode_to_disk

  xfs_iget
    xfs_iget_cache_hit
      xfs_iget_recycle
        xfs_reinit_inode
          inode_init_always

xfs_reinit_inode() needs to hold the ILOCK_EXCL as it is changing internal inode state and can race with other RCU protected inode lookups. On the read side, xfs_iflush_cluster() grabs the ILOCK_SHARED while under rcu + ip->i_flags_lock, and so xfs_iflush/xfs_inode_to_disk() are protected from racing inode updates (during transactions) by that lock.

Signed-off-by: Long Li <leo.lilong@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by GUO Zihua
maillist inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I61O87
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=c7423dbdbc9ecef7fff5239d144cad4b9887f4de
--------------------------------
IMA relies on the blocking LSM policy notifier callback to update the LSM based IMA policy rules.

When SELinux updates its policies, IMA would be notified and starts updating all its lsm rules one-by-one. During this time, -ESTALE would be returned by ima_filter_rule_match() if it is called with a LSM rule that has not yet been updated. In ima_match_rules(), -ESTALE is not handled, and the LSM rule is considered a match, causing extra files to be measured by IMA.

Fix it by re-initializing a temporary rule if -ESTALE is returned by ima_filter_rule_match(). The origin rule in the rule list would be updated by the LSM policy notifier callback.

Fixes: b1694245 ("ima: use the lsm policy update notifier")
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Conflicts: security/integrity/ima/ima_policy.c
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by GUO Zihua
maillist inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I61O87
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=d57378d3aa4d864d9e590482602068af1b20c0c5
--------------------------------
Currently ima_lsm_copy_rule() sets the arg_p field of the source rule to NULL, so that the source rule could be freed afterward. It does not make sense for this behavior to be inside a "copy" function. So move it outside and let the caller handle this field.

ima_lsm_copy_rule() now produces a shallow copy of the original entry including args_p field. Meaning only the lsm.rule and the rule itself should be freed for the original rule. Thus, instead of calling ima_lsm_free_rule() which frees lsm.rule as well as args_p field, free the lsm.rule directly.

Signed-off-by: GUO Zihua <guozihua@huawei.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Conflicts: security/integrity/ima/ima_policy.c
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Lorenz Bauer
stable inclusion
from stable-v5.10.135
commit 4bfc9dc60873923ffa64ee77084bac55031a30a0
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5ZWFM
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4bfc9dc60873923ffa64ee77084bac55031a30a0
--------------------------------
commit b4f89463 upstream.

sk_lookup doesn't allow setting data_in for bpf_prog_run. This doesn't play well with the verifier tests, since they always set a 64 byte input buffer. Allow not running verifier tests by setting bpf_test.runs to a negative value and don't run the ctx access case for sk_lookup. We have dedicated ctx access tests so skipping here doesn't reduce coverage.

Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20210303101816.36774-6-lmb@cloudflare.com
Signed-off-by: Tianchen Ding <dtcccc@linux.alibaba.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Pu Lehui <pulehui@huawei.com>
Reviewed-by: Kuohai Xu <xukuohai@huawei.com>
Reviewed-by: Kuohai Xu <xukuohai@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Lorenz Bauer
stable inclusion
from stable-v5.10.135
commit 6d3fad2b44eb9d226a896d1c93909f0fd2e1b9ea
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5ZWFM
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6d3fad2b44eb9d226a896d1c93909f0fd2e1b9ea
--------------------------------
commit 7c32e8f8 upstream.

Allow to pass sk_lookup programs to PROG_TEST_RUN. User space provides the full bpf_sk_lookup struct as context. Since the context includes a socket pointer that can't be exposed to user space we define that PROG_TEST_RUN returns the cookie of the selected socket or zero in place of the socket pointer.

We don't support testing programs that select a reuseport socket, since this would mean running another (unrelated) BPF program from the sk_lookup test handler.

Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20210303101816.36774-3-lmb@cloudflare.com
Signed-off-by: Tianchen Ding <dtcccc@linux.alibaba.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Pu Lehui <pulehui@huawei.com>
Reviewed-by: Kuohai Xu <xukuohai@huawei.com>
Reviewed-by: Kuohai Xu <xukuohai@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Lorenz Bauer
stable inclusion
from stable-v5.10.135
commit 6aad811b37eeeba902b14cc4ab698d2b37bb4fb9
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5ZWFM
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6aad811b37eeeba902b14cc4ab698d2b37bb4fb9
--------------------------------
commit 607b9cc9 upstream.

Share the timing / signal interruption logic between different implementations of PROG_TEST_RUN. There is a change in behaviour as well. We check the loop exit condition before checking for pending signals. This resolves an edge case where a signal arrives during the last iteration. Instead of aborting with EINTR we return the successful result to user space.

Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20210303101816.36774-2-lmb@cloudflare.com
[dtcccc: fix conflicts in bpf_test_run()]
Signed-off-by: Tianchen Ding <dtcccc@linux.alibaba.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Conflicts: net/bpf/test_run.c
Signed-off-by: Pu Lehui <pulehui@huawei.com>
Reviewed-by: Kuohai Xu <xukuohai@huawei.com>
Reviewed-by: Kuohai Xu <xukuohai@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Will Deacon
mainline inclusion
from mainline-arm64-upstream
commit aaaee7b5
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5KAX7
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aaaee7b55c9e

----------------------------------------------------------------------

After commit 39915b6b ("drivers/perf: hisi: Add description for HNS3 PMU driver"), building the 'htmldocs' target results in the following warning:

| Documentation/admin-guide/perf/hns3-pmu.rst: WARNING: document isn't included in any toctree

Add 'hns3-pmu' to the perf toctree to silence the warning.

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Jiantao Xiao <xiaojiantao1@h-partners.com>
Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Reviewed-by: Yang Jihong <yangjihong1@huawei.com>
Reviewed-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Guangbin Huang
mainline inclusion
from mainline-arm64-upstream
commit 66637ab1
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5KAX7
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=66637ab137b4

----------------------------------------------------------------------

HNS3(HiSilicon Network System 3) PMU is RCiEP device in HiSilicon SoC NIC, supports collection of performance statistics such as bandwidth, latency, packet rate and interrupt rate.

NIC of each SICL has one PMU device for it. Driver registers each PMU device to perf, and exports information of supported events, filter mode of each event, bdf range, hardware clock frequency, identifier and so on via sysfs.

Each PMU device has its own registers of control, counters and interrupt, and it supports 8 hardware events, each hardware event has its own registers for configuration, counters and interrupt.

Filter options contains:
config - select event
port - select physical port of nic
tc - select tc(must be used with port)
func - select PF/VF
queue - select queue of PF/VF(must be used with func)
intr - select interrupt number(must be used with func)
global - select all functions of IO DIE

Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
Reviewed-by: John Garry <john.garry@huawei.com>
Reviewed-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
Link: https://lore.kernel.org/r/20220628063419.38514-3-huangguangbin2@huawei.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Jiantao Xiao <xoiaojiantao1@h-partners.com>
Signed-off-by: Junhao He <hejunhao3@huawei.com>
Signed-off-by: Jiantao Xiao <xiaojiantao1@h-partners.com>
Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Reviewed-by: Yang Jihong <yangjihong1@huawei.com>
Reviewed-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Guangbin Huang
mainline inclusion
from mainline-arm64-upstream
commit 39915b6b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5KAX7
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=39915b6b5fc2

----------------------------------------------------------------------

HNS3 PMU End Point device is supported on HiSilicon HIP09 platform, so add document hns3-pmu.rst to provide guidance on how to use it.

Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
Reviewed-by: John Garry <john.garry@huawei.com>
Reviewed-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
Link: https://lore.kernel.org/r/20220628063419.38514-2-huangguangbin2@huawei.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Jiantao Xiao <xiaojiantao1@h-partners.com>
Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Reviewed-by: Yang Jihong <yangjihong1@huawei.com>
Reviewed-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Luo Meng
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I61HSS
CVE: NA

--------------------------------

Add DMINFO() to help tracking device creation/removal success.

Signed-off-by: Luo Meng <luomeng12@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Ma Wupeng
mm: oom_kill: fix KABI broken by "oom_kill.c: futex: delay the OOM reaper to allow time for proper futex cleanup"

hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I61FDP
CVE: NA

-------------------------------

Move oom_reaper_timer from task_struct to task_struct_resvd to fix KABI broken.

Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
Reviewed-by: Nanyong Sun <sunnanyong@huawei.com>
Reviewed-by: chenhui 00515652 <judy.chenhui@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Nico Pache
mainline inclusion
from mainline-v5.18-rc4
commit e4a38402
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I61FDP
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e4a38402c36e42df28eb1a5394be87e6571fb48a

--------------------------------

The pthread struct is allocated on PRIVATE|ANONYMOUS memory [1] which can be targeted by the oom reaper. This mapping is used to store the futex robust list head; the kernel does not keep a copy of the robust list and instead references a userspace address to maintain the robustness during a process death.

A race can occur between exit_mm and the oom reaper that allows the oom reaper to free the memory of the futex robust list before the exit path has handled the futex death:

    CPU1                               CPU2
    --------------------------------------------------------------------
    page_fault
    do_exit "signal"
    wake_oom_reaper
                                       oom_reaper
                                       oom_reap_task_mm (invalidates mm)
    exit_mm
    exit_mm_release
    futex_exit_release
    futex_cleanup
    exit_robust_list
    get_user (EFAULT- can't access memory)

If the get_user EFAULT's, the kernel will be unable to recover the waiters on the robust_list, leaving userspace mutexes hung indefinitely.

Delay the OOM reaper, allowing more time for the exit path to perform the futex cleanup.

Reproducer: https://gitlab.com/jsavitz/oom_futex_reproducer

Based on a patch by Michal Hocko.

Link: https://elixir.bootlin.com/glibc/glibc-2.35/source/nptl/allocatestack.c#L370 [1]
Link: https://lkml.kernel.org/r/20220414144042.677008-1-npache@redhat.com
Fixes: 21292580 ("mm: oom: let oom_reap_task and exit_mmap run concurrently")
Signed-off-by: Joel Savitz <jsavitz@redhat.com>
Signed-off-by: Nico Pache <npache@redhat.com>
Co-developed-by: Joel Savitz <jsavitz@redhat.com>
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Rafael Aquini <aquini@redhat.com>
Cc: Waiman Long <longman@redhat.com>
Cc: Herton R. Krzesinski <herton@redhat.com>
Cc: Juri Lelli <juri.lelli@redhat.com>
Cc: Vincent Guittot <vincent.guittot@linaro.org>
Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Ben Segall <bsegall@google.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Daniel Bristot de Oliveira <bristot@redhat.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Joel Savitz <jsavitz@redhat.com>
Cc: Darren Hart <dvhart@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
Reviewed-by: Nanyong Sun <sunnanyong@huawei.com>
Reviewed-by: chenhui 00515652 <judy.chenhui@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Zheng Zucheng
hulk inclusion
category: feature
bugzilla: 187196, https://gitee.com/openeuler/kernel/issues/I612CS

-------------------------------

Allocate a new task_struct_resvd object for the recently cloned task

Signed-off-by: Zheng Zucheng <zhengzucheng@huawei.com>
Reviewed-by: Zhang Qiao <zhangqiao22@huawei.com>
Reviewed-by: Zhang Qiao <zhangqiao22@huawei.com>
Reviewed-by: Nanyong Sun <sunnanyong@huawei.com>
Reviewed-by: Zhang Qiao <zhangqiao22@huawei.com>
Reviewed-by: chenhui 00515652 <judy.chenhui@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Junhao He
driver inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5KAX7

--------------------------------------------------------------------------

Fixed the issue that the kabi value changed when the HiSilicon PMU driver added the enum variable in "enum cpuhp_state{}".

The hisi_pcie_pmu and hisi_cpa_pmu drivers to replace the explicit specify hotplug events with dynamic allocation hotplug events(CPUHP_AP_ONLINE_DYN). The states between *CPUHP_AP_ONLINE_DYN* and *CPUHP_AP_ONLINE_DYN_END* are reserved for the dynamic allocation.

Signed-off-by: Junhao He <hejunhao3@huawei.com>
Reviewed-by: Yicong Yang <yangyicong@huawei.com>
Reviewed-by: Yang Jihong <yangjihong1@huawei.com>
Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Yu Liao
hulk inclusion
category: bugfix
bugzilla: 186781, https://gitee.com/openeuler/kernel/issues/I61CEW
CVE: NA

--------------------------------

When the RTC_SET_TIME and RTC_RD_TIME threads run in parallel, there is no guarantee that uie_rtctimer.enabled is equal to the previously read uie when executing rtc->ops->set_time.

Fix this by keeping reading uie state, disabling uie, setting rtc time and enabling uie in critical sections.

Fixes: 7e7c005b ("rtc: disable uie before setting time and enable after")
Signed-off-by: Yu Liao <liaoyu15@huawei.com>
Reviewed-by: Wei Li <liwei391@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Yu Liao
hulk inclusion
category: bugfix
bugzilla: 186781, https://gitee.com/openeuler/kernel/issues/I61CEW
CVE: NA

--------------------------------

Split out a function that does not acquire ops_lock from rtc_update_irq_enable, in preparation for fixing RTC_RD_TIME and RTC_UIE_ON race problem.

Signed-off-by: Yu Liao <liaoyu15@huawei.com>
Reviewed-by: Wei Li <liwei391@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Mark Rutland
mainline inclusion
from mainline-v6.1-rc1
commit 8cfb0857
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I61CHA
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.1-rc3&id=8cfb08575c6d4585f1ce0deeb189e5c824776b04

--------------------------------

Li Huafei reports that mcount-based ftrace with module PLTs was broken by commit:

a6253579 ("arm64: ftrace: consistently handle PLTs.")

When a module PLTs are used and a module is loaded sufficiently far away from the kernel, we'll create PLTs for any branches which are out-of-range. These are separate from the special ftrace trampoline PLTs, which the module PLT code doesn't directly manipulate.

When mcount is in use this is a problem, as each mcount callsite in a module will be initialized to point to a module PLT, but since commit a6253579 ftrace_make_nop() will assume that the callsite has been initialized to point to the special ftrace trampoline PLT, and ftrace_find_callable_addr() rejects other cases.

This means that when ftrace tries to initialize a callsite via ftrace_make_nop(), the call to ftrace_find_callable_addr() will find that the `_mcount` stub is out-of-range and is not handled by the ftrace PLT, resulting in a splat:

| ftrace_test: loading out-of-tree module taints kernel.
| ftrace: no module PLT for _mcount
| ------------[ ftrace bug ]------------
| ftrace failed to modify
| [<ffff800029180014>] 0xffff800029180014
| actual: 44:00:00:94
| Initializing ftrace call sites
| ftrace record flags: 2000000
| (0)
| expected tramp: ffff80000802eb3c
| ------------[ cut here ]------------
| WARNING: CPU: 3 PID: 157 at kernel/trace/ftrace.c:2120 ftrace_bug+0x94/0x270
| Modules linked in:
| CPU: 3 PID: 157 Comm: insmod Tainted: G O 6.0.0-rc6-00151-gcd722513a189-dirty #22
| Hardware name: linux,dummy-virt (DT)
| pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : ftrace_bug+0x94/0x270
| lr : ftrace_bug+0x21c/0x270
| sp : ffff80000b2bbaf0
| x29: ffff80000b2bbaf0 x28: 0000000000000000 x27: ffff0000c4d38000
| x26: 0000000000000001 x25: ffff800009d7e000 x24: ffff0000c4d86e00
| x23: 0000000002000000 x22: ffff80000a62b000 x21: ffff8000098ebea8
| x20: ffff0000c4d38000 x19: ffff80000aa24158 x18: ffffffffffffffff
| x17: 0000000000000000 x16: 0a0d2d2d2d2d2d2d x15: ffff800009aa9118
| x14: 0000000000000000 x13: 6333626532303830 x12: 3030303866666666
| x11: 203a706d61727420 x10: 6465746365707865 x9 : 3362653230383030
| x8 : c0000000ffffefff x7 : 0000000000017fe8 x6 : 000000000000bff4
| x5 : 0000000000057fa8 x4 : 0000000000000000 x3 : 0000000000000001
| x2 : ad2cb14bb5438900 x1 : 0000000000000000 x0 : 0000000000000022
| Call trace:
| ftrace_bug+0x94/0x270
| ftrace_process_locs+0x308/0x430
| ftrace_module_init+0x44/0x60
| load_module+0x15b4/0x1ce8
| __do_sys_init_module+0x1ec/0x238
| __arm64_sys_init_module+0x24/0x30
| invoke_syscall+0x54/0x118
| el0_svc_common.constprop.4+0x84/0x100
| do_el0_svc+0x3c/0xd0
| el0_svc+0x1c/0x50
| el0t_64_sync_handler+0x90/0xb8
| el0t_64_sync+0x15c/0x160
| ---[ end trace 0000000000000000 ]---
| ---------test_init-----------

Fix this by reverting to the old behaviour of ignoring the old instruction when initialising an mcount callsite in a module, which was the behaviour prior to commit a6253579.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Fixes: a6253579 ("arm64: ftrace: consistently handle PLTs.")
Reported-by: Li Huafei <lihuafei1@huawei.com>
Link: https://lore.kernel.org/linux-arm-kernel/20220929094134.99512-1-lihuafei1@huawei.com
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20220929134525.798593-1-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Li Huafei <lihuafei1@huawei.com>
Reviewed-by: Yang Jihong <yangjihong1@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Luiz Augusto von Dentz
stable inclusion
from stable-v5.10.154
commit 26ca2ac091b49281d73df86111d16e5a76e43bd7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5ZNRS
CVE: CVE-2022-42895

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=26ca2ac091b49281d73df86111d16e5a76e43bd7

--------------------------------

commit b1a2cd50 upstream.

On l2cap_parse_conf_req the variable efs is only initialized if remote_efs has been set.

CVE: CVE-2022-42895
CC: stable@vger.kernel.org
Reported-by: Tamás Koczka <poprdi@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com>
Reviewed-by: Liu Jian <liujian56@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-