Merge 5.10.77 into android12-5.10-lts

Changes in 5.10.77
	ARM: 9132/1: Fix __get_user_check failure with ARM KASAN images
	ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned
	ARM: 9134/1: remove duplicate memcpy() definition
	ARM: 9138/1: fix link warning with XIP + frame-pointer
	ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype
	ARM: 9141/1: only warn about XIP address when not compile testing
	io_uring: don't take uring_lock during iowq cancel
	powerpc/bpf: Fix BPF_MOD when imm == 1
	arm64: Avoid premature usercopy failure
	ext4: fix possible UAF when remounting r/o a mmp-protected file system
	usbnet: sanity check for maxpacket
	usbnet: fix error return code in usbnet_probe()
	Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode"
	pinctrl: amd: disable and mask interrupts on probe
	ata: sata_mv: Fix the error handling of mv_chip_id()
	tipc: fix size validations for the MSG_CRYPTO type
	nfc: port100: fix using -ERRNO as command type mask
	Revert "net: mdiobus: Fix memory leak in __mdiobus_register"
	net/tls: Fix flipped sign in tls_err_abort() calls
	mmc: vub300: fix control-message timeouts
	mmc: cqhci: clear HALT state after CQE enable
	mmc: mediatek: Move cqhci init behind ungate clock
	mmc: dw_mmc: exynos: fix the finding clock sample value
	mmc: sdhci: Map more voltage level to SDHCI_POWER_330
	mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit
	ocfs2: fix race between searching chunks and release journal_head from buffer_head
	nvme-tcp: fix H2CData PDU send accounting (again)
	cfg80211: scan: fix RCU in cfg80211_add_nontrans_list()
	cfg80211: fix management registrations locking
	net: lan78xx: fix division by zero in send path
	mm, thp: bail out early in collapse_file for writeback page
	drm/ttm: fix memleak in ttm_transfered_destroy
	drm/amdgpu: fix out of bounds write
	cgroup: Fix memory leak caused by missing cgroup_bpf_offline
	riscv, bpf: Fix potential NULL dereference
	tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function
	bpf: Fix potential race in tail call compatibility check
	bpf: Fix error usage of map_fd and fdget() in generic_map_update_batch()
	IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
	IB/hfi1: Fix abba locking issue with sc_disable()
	nvmet-tcp: fix data digest pointer calculation
	nvme-tcp: fix data digest pointer calculation
	nvme-tcp: fix possible req->offset corruption
	octeontx2-af: Display all enabled PF VF rsrc_alloc entries.
	RDMA/mlx5: Set user priority for DCT
	arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node
	reset: brcmstb-rescal: fix incorrect polarity of status bit
	regmap: Fix possible double-free in regcache_rbtree_exit()
	net: batman-adv: fix error handling
	net-sysfs: initialize uid and gid before calling net_ns_get_ownership
	cfg80211: correct bridge/4addr mode check
	net: Prevent infinite while loop in skb_tx_hash()
	RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string
	gpio: xgs-iproc: fix parsing of ngpios property
	nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST
	mlxsw: pci: Recycle received packet upon allocation failure
	net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume fails
	net: ethernet: microchip: lan743x: Fix dma allocation failure by using dma_set_mask_and_coherent
	net: nxp: lpc_eth.c: avoid hang when bringing interface down
	net/tls: Fix flipped sign in async_wait.err assignment
	phy: phy_ethtool_ksettings_get: Lock the phy for consistency
	phy: phy_ethtool_ksettings_set: Move after phy_start_aneg
	phy: phy_start_aneg: Add an unlocked version
	phy: phy_ethtool_ksettings_set: Lock the PHY while changing settings
	sctp: use init_tag from inithdr for ABORT chunk
	sctp: fix the processing for INIT_ACK chunk
	sctp: fix the processing for COOKIE_ECHO chunk
	sctp: add vtag check in sctp_sf_violation
	sctp: add vtag check in sctp_sf_do_8_5_1_E_sa
	sctp: add vtag check in sctp_sf_ootb
	lan743x: fix endianness when accessing descriptors
	KVM: s390: clear kicked_mask before sleeping again
	KVM: s390: preserve deliverable_mask in __airqs_kick_single_vcpu
	scsi: ufs: ufs-exynos: Correct timeout value setting registers
	riscv: fix misalgned trap vector base address
	riscv: Fix asan-stack clang build
	perf script: Check session->header.env.arch before using it
	Linux 5.10.77

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I4cd89af4d20b7a8a1a6d9906233d1aaf026659a8

Makefile

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 5
 PATCHLEVEL = 10
-SUBLEVEL = 76
+SUBLEVEL = 77
 EXTRAVERSION =
 NAME = Dare mighty things
 

arch/arm/boot/compressed/decompress.c

@@ -47,7 +47,10 @@ extern char * strchrnul(const char *, int);
 #endif
 
 #ifdef CONFIG_KERNEL_XZ
+/* Prevent KASAN override of string helpers in decompressor */
+#undef memmove
 #define memmove memmove
+#undef memcpy
 #define memcpy memcpy
 #include "../../../../lib/decompress_unxz.c"
 #endif

arch/arm/include/asm/uaccess.h

@@ -200,6 +200,7 @@ extern int __get_user_64t_4(void *);
 		register unsigned long __l asm("r1") = __limit;		\
 		register int __e asm("r0");				\
 		unsigned int __ua_flags = uaccess_save_and_enable();	\
+		int __tmp_e;						\
 		switch (sizeof(*(__p))) {				\
 		case 1:							\
 			if (sizeof((x)) >= 8)				\
@@ -227,9 +228,10 @@ extern int __get_user_64t_4(void *);
 			break;						\
 		default: __e = __get_user_bad(); break;			\
 		}							\
+		__tmp_e = __e;						\
 		uaccess_restore(__ua_flags);				\
 		x = (typeof(*(p))) __r2;				\
-		__e;							\
+		__tmp_e;						\
 	})
 
 #define get_user(x, p)							\

arch/arm/kernel/vmlinux-xip.lds.S

@@ -40,6 +40,10 @@ SECTIONS
 		ARM_DISCARD
 		*(.alt.smp.init)
 		*(.pv_table)
+#ifndef CONFIG_ARM_UNWIND
+		*(.ARM.exidx) *(.ARM.exidx.*)
+		*(.ARM.extab) *(.ARM.extab.*)
+#endif
 	}
 
 	. = XIP_VIRT_ADDR(CONFIG_XIP_PHYS_ADDR);
@@ -172,7 +176,7 @@ ASSERT((__arch_info_end - __arch_info_begin), "no machine record defined")
 ASSERT((_end - __bss_start) >= 12288, ".bss too small for CONFIG_XIP_DEFLATED_DATA")
 #endif
 
-#ifdef CONFIG_ARM_MPU
+#if defined(CONFIG_ARM_MPU) && !defined(CONFIG_COMPILE_TEST)
 /*
  * Due to PMSAv7 restriction on base address and size we have to
  * enforce minimal alignment restrictions. It was seen that weaker

arch/arm/mm/proc-macros.S

@@ -340,6 +340,7 @@ ENTRY(\name\()_cache_fns)
 
 .macro define_tlb_functions name:req, flags_up:req, flags_smp
 	.type	\name\()_tlb_fns, #object
+	.align 2
 ENTRY(\name\()_tlb_fns)
 	.long	\name\()_flush_user_tlb_range
 	.long	\name\()_flush_kern_tlb_range

arch/arm/probes/kprobes/core.c

@@ -462,7 +462,7 @@ static struct undef_hook kprobes_arm_break_hook = {
 
 #endif /* !CONFIG_THUMB2_KERNEL */
 
-int __init arch_init_kprobes()
+int __init arch_init_kprobes(void)
 {
 	arm_probes_decode_init();
 #ifdef CONFIG_THUMB2_KERNEL

arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo2.dts

@@ -75,7 +75,7 @@
 	pinctrl-0 = <&emac_rgmii_pins>;
 	phy-supply = <&reg_gmac_3v3>;
 	phy-handle = <&ext_rgmii_phy>;
-	phy-mode = "rgmii";
+	phy-mode = "rgmii-id";
 	status = "okay";
 };
 

arch/arm64/lib/copy_from_user.S

@@ -29,7 +29,7 @@
 	.endm
 
 	.macro ldrh1 reg, ptr, val
-	uao_user_alternative 9998f, ldrh, ldtrh, \reg, \ptr, \val
+	uao_user_alternative 9997f, ldrh, ldtrh, \reg, \ptr, \val
 	.endm
 
 	.macro strh1 reg, ptr, val
@@ -37,7 +37,7 @@
 	.endm
 
 	.macro ldr1 reg, ptr, val
-	uao_user_alternative 9998f, ldr, ldtr, \reg, \ptr, \val
+	uao_user_alternative 9997f, ldr, ldtr, \reg, \ptr, \val
 	.endm
 
 	.macro str1 reg, ptr, val
@@ -45,7 +45,7 @@
 	.endm
 
 	.macro ldp1 reg1, reg2, ptr, val
-	uao_ldp 9998f, \reg1, \reg2, \ptr, \val
+	uao_ldp 9997f, \reg1, \reg2, \ptr, \val
 	.endm
 
 	.macro stp1 reg1, reg2, ptr, val
@@ -53,8 +53,10 @@
 	.endm
 
 end	.req	x5
+srcin	.req	x15
 SYM_FUNC_START(__arch_copy_from_user)
 	add	end, x0, x2
+	mov	srcin, x1
 #include "copy_template.S"
 	mov	x0, #0				// Nothing to copy
 	ret
@@ -63,6 +65,11 @@ EXPORT_SYMBOL(__arch_copy_from_user)
 
 	.section .fixup,"ax"
 	.align	2
+9997:	cmp	dst, dstin
+	b.ne	9998f
+	// Before being absolutely sure we couldn't copy anything, try harder
+USER(9998f, ldtrb tmp1w, [srcin])
+	strb	tmp1w, [dst], #1
 9998:	sub	x0, end, dst			// bytes not copied
 	ret
 	.previous

arch/arm64/lib/copy_in_user.S

@@ -30,33 +30,34 @@
 	.endm
 
 	.macro ldrh1 reg, ptr, val
-	uao_user_alternative 9998f, ldrh, ldtrh, \reg, \ptr, \val
+	uao_user_alternative 9997f, ldrh, ldtrh, \reg, \ptr, \val
 	.endm
 
 	.macro strh1 reg, ptr, val
-	uao_user_alternative 9998f, strh, sttrh, \reg, \ptr, \val
+	uao_user_alternative 9997f, strh, sttrh, \reg, \ptr, \val
 	.endm
 
 	.macro ldr1 reg, ptr, val
-	uao_user_alternative 9998f, ldr, ldtr, \reg, \ptr, \val
+	uao_user_alternative 9997f, ldr, ldtr, \reg, \ptr, \val
 	.endm
 
 	.macro str1 reg, ptr, val
-	uao_user_alternative 9998f, str, sttr, \reg, \ptr, \val
+	uao_user_alternative 9997f, str, sttr, \reg, \ptr, \val
 	.endm
 
 	.macro ldp1 reg1, reg2, ptr, val
-	uao_ldp 9998f, \reg1, \reg2, \ptr, \val
+	uao_ldp 9997f, \reg1, \reg2, \ptr, \val
 	.endm
 
 	.macro stp1 reg1, reg2, ptr, val
-	uao_stp 9998f, \reg1, \reg2, \ptr, \val
+	uao_stp 9997f, \reg1, \reg2, \ptr, \val
 	.endm
 
 end	.req	x5
-
+srcin	.req	x15
 SYM_FUNC_START(__arch_copy_in_user)
 	add	end, x0, x2
+	mov	srcin, x1
 #include "copy_template.S"
 	mov	x0, #0
 	ret
@@ -65,6 +66,12 @@ EXPORT_SYMBOL(__arch_copy_in_user)
 
 	.section .fixup,"ax"
 	.align	2
+9997:	cmp	dst, dstin
+	b.ne	9998f
+	// Before being absolutely sure we couldn't copy anything, try harder
+USER(9998f, ldtrb tmp1w, [srcin])
+USER(9998f, sttrb tmp1w, [dst])
+	add	dst, dst, #1
 9998:	sub	x0, end, dst			// bytes not copied
 	ret
 	.previous

arch/arm64/lib/copy_to_user.S

@@ -32,7 +32,7 @@
 	.endm
 
 	.macro strh1 reg, ptr, val
-	uao_user_alternative 9998f, strh, sttrh, \reg, \ptr, \val
+	uao_user_alternative 9997f, strh, sttrh, \reg, \ptr, \val
 	.endm
 
 	.macro ldr1 reg, ptr, val
@@ -40,7 +40,7 @@
 	.endm
 
 	.macro str1 reg, ptr, val
-	uao_user_alternative 9998f, str, sttr, \reg, \ptr, \val
+	uao_user_alternative 9997f, str, sttr, \reg, \ptr, \val
 	.endm
 
 	.macro ldp1 reg1, reg2, ptr, val
@@ -48,12 +48,14 @@
 	.endm
 
 	.macro stp1 reg1, reg2, ptr, val
-	uao_stp 9998f, \reg1, \reg2, \ptr, \val
+	uao_stp 9997f, \reg1, \reg2, \ptr, \val
 	.endm
 
 end	.req	x5
+srcin	.req	x15
 SYM_FUNC_START(__arch_copy_to_user)
 	add	end, x0, x2
+	mov	srcin, x1
 #include "copy_template.S"
 	mov	x0, #0
 	ret
@@ -62,6 +64,12 @@ EXPORT_SYMBOL(__arch_copy_to_user)
 
 	.section .fixup,"ax"
 	.align	2
+9997:	cmp	dst, dstin
+	b.ne	9998f
+	// Before being absolutely sure we couldn't copy anything, try harder
+	ldrb	tmp1w, [srcin]
+USER(9998f, sttrb tmp1w, [dst])
+	add	dst, dst, #1
 9998:	sub	x0, end, dst			// bytes not copied
 	ret
 	.previous

arch/nios2/platform/Kconfig.platform

@@ -37,6 +37,7 @@ config NIOS2_DTB_PHYS_ADDR
 
 config NIOS2_DTB_SOURCE_BOOL
 	bool "Compile and link device tree into kernel image"
+	depends on !COMPILE_TEST
 	help
 	  This allows you to specify a dts (device tree source) file
 	  which will be compiled and linked into the kernel image.

arch/powerpc/net/bpf_jit_comp64.c

@@ -415,8 +415,14 @@ static int bpf_jit_build_body(struct bpf_prog *fp, u32 *image,
 		case BPF_ALU64 | BPF_DIV | BPF_K: /* dst /= imm */
 			if (imm == 0)
 				return -EINVAL;
-			else if (imm == 1)
-				goto bpf_alu32_trunc;
+			if (imm == 1) {
+				if (BPF_OP(code) == BPF_DIV) {
+					goto bpf_alu32_trunc;
+				} else {
+					EMIT(PPC_RAW_LI(dst_reg, 0));
+					break;
+				}
+			}
 
 			PPC_LI32(b2p[TMP_REG_1], imm);
 			switch (BPF_CLASS(code)) {

arch/riscv/Kconfig

@@ -138,6 +138,12 @@ config PAGE_OFFSET
 	default 0xffffffff80000000 if 64BIT && MAXPHYSMEM_2GB
 	default 0xffffffe000000000 if 64BIT && MAXPHYSMEM_128GB
 
+config KASAN_SHADOW_OFFSET
+	hex
+	depends on KASAN_GENERIC
+	default 0xdfffffc800000000 if 64BIT
+	default 0xffffffff if 32BIT
+
 config ARCH_FLATMEM_ENABLE
 	def_bool y
 

arch/riscv/include/asm/kasan.h

@@ -14,8 +14,7 @@
 #define KASAN_SHADOW_START	KERN_VIRT_START /* 2^64 - 2^38 */
 #define KASAN_SHADOW_END	(KASAN_SHADOW_START + KASAN_SHADOW_SIZE)
 
-#define KASAN_SHADOW_OFFSET	(KASAN_SHADOW_END - (1ULL << \
-					(64 - KASAN_SHADOW_SCALE_SHIFT)))
+#define KASAN_SHADOW_OFFSET	_AC(CONFIG_KASAN_SHADOW_OFFSET, UL)
 
 void kasan_init(void);
 asmlinkage void kasan_early_init(void);

arch/riscv/kernel/head.S

@@ -175,6 +175,7 @@ setup_trap_vector:
 	csrw CSR_SCRATCH, zero
 	ret
 
+.align 2
 .Lsecondary_park:
 	/* We lack SMP support or have too many harts, so park this hart */
 	wfi

arch/riscv/mm/kasan_init.c

@@ -16,6 +16,9 @@ asmlinkage void __init kasan_early_init(void)
 	uintptr_t i;
 	pgd_t *pgd = early_pg_dir + pgd_index(KASAN_SHADOW_START);
 
+	BUILD_BUG_ON(KASAN_SHADOW_OFFSET !=
+		KASAN_SHADOW_END - (1UL << (64 - KASAN_SHADOW_SCALE_SHIFT)));
+
 	for (i = 0; i < PTRS_PER_PTE; ++i)
 		set_pte(kasan_early_shadow_pte + i,
 			mk_pte(virt_to_page(kasan_early_shadow_page),

arch/riscv/net/bpf_jit_core.c

@@ -125,7 +125,8 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
 
 	if (i == NR_JIT_ITERATIONS) {
 		pr_err("bpf-jit: image did not converge in <%d passes!\n", i);
-		bpf_jit_binary_free(jit_data->header);
+		if (jit_data->header)
+			bpf_jit_binary_free(jit_data->header);
 		prog = orig_prog;
 		goto out_offset;
 	}

arch/s390/kvm/interrupt.c

@@ -3053,13 +3053,14 @@ static void __airqs_kick_single_vcpu(struct kvm *kvm, u8 deliverable_mask)
 	int vcpu_idx, online_vcpus = atomic_read(&kvm->online_vcpus);
 	struct kvm_s390_gisa_interrupt *gi = &kvm->arch.gisa_int;
 	struct kvm_vcpu *vcpu;
+	u8 vcpu_isc_mask;
 
 	for_each_set_bit(vcpu_idx, kvm->arch.idle_mask, online_vcpus) {
 		vcpu = kvm_get_vcpu(kvm, vcpu_idx);
 		if (psw_ioint_disabled(vcpu))
 			continue;
-		deliverable_mask &= (u8)(vcpu->arch.sie_block->gcr[6] >> 24);
-		if (deliverable_mask) {
+		vcpu_isc_mask = (u8)(vcpu->arch.sie_block->gcr[6] >> 24);
+		if (deliverable_mask & vcpu_isc_mask) {
 			/* lately kicked but not yet running */
 			if (test_and_set_bit(vcpu_idx, gi->kicked_mask))
 				return;

arch/s390/kvm/kvm-s390.c

@@ -3312,6 +3312,7 @@ out_free_sie_block:
 
 int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu)
 {
+	clear_bit(vcpu->vcpu_idx, vcpu->kvm->arch.gisa_int.kicked_mask);
 	return kvm_s390_vcpu_has_irq(vcpu, 0);
 }
 

drivers/ata/sata_mv.c

@@ -3892,8 +3892,8 @@ static int mv_chip_id(struct ata_host *host, unsigned int board_idx)
 		break;
 
 	default:
-		dev_err(host->dev, "BUG: invalid board index %u\n", board_idx);
-		return 1;
+		dev_alert(host->dev, "BUG: invalid board index %u\n", board_idx);
+		return -EINVAL;
 	}
 
 	hpriv->hp_flags = hp_flags;