Diffstat (limited to 'debian')
5 files changed, 7 insertions, 206 deletions
diff --git a/debian/changelog b/debian/changelog
index c071b34dad38..42907b850963 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,10 @@
-linux (5.10.40-2) UNRELEASED; urgency=medium
+linux (5.10.41-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.41
+ - context_tracking: Move guest exit context tracking to separate helpers
+ - context_tracking: Move guest exit vtime accounting to separate helpers
+ - [x86] KVM: Defer vtime accounting 'til after IRQ handling

 [ Josua Mayer ]
 * [armhf] drivers/bluetooth: Enable BT_HCIUART as a module, with support
diff --git a/debian/patches/bugfix/all/bpf-fix-mask-direction-swap-upon-off-reg-sign-change.patch b/debian/patches/bugfix/all/bpf-fix-mask-direction-swap-upon-off-reg-sign-change.patch
deleted file mode 100644
index 471f2fe85834..000000000000
--- a/debian/patches/bugfix/all/bpf-fix-mask-direction-swap-upon-off-reg-sign-change.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From bb01a1bba579b4b1c5566af24d95f1767859771e Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann <daniel@iogearbox.net>
-Date: Fri, 21 May 2021 10:19:22 +0000
-Subject: bpf: Fix mask direction swap upon off reg sign change
-
-From: Daniel Borkmann <daniel@iogearbox.net>
-
-commit bb01a1bba579b4b1c5566af24d95f1767859771e upstream.
-
-Masking direction as indicated via mask_to_left is considered to be
-calculated once and then used to derive pointer limits. Thus, this
-needs to be placed into bpf_sanitize_info instead so we can pass it
-to sanitize_ptr_alu() call after the pointer move. Piotr noticed a
-corner case where the off reg causes masking direction change which
-then results in an incorrect final aux->alu_limit.
-
-Fixes: 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask")
-Reported-by: Piotr Krysiuk <piotras@gmail.com>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
-Acked-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/bpf/verifier.c | 22 ++++++++++++----------
- 1 file changed, 12 insertions(+), 10 deletions(-)
-
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -5666,18 +5666,10 @@ enum {
- };
-
- static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
-- const struct bpf_reg_state *off_reg,
-- u32 *alu_limit, u8 opcode)
-+ u32 *alu_limit, bool mask_to_left)
- {
-- bool off_is_neg = off_reg->smin_value < 0;
-- bool mask_to_left = (opcode == BPF_ADD && off_is_neg) ||
-- (opcode == BPF_SUB && !off_is_neg);
- u32 max = 0, ptr_limit = 0;
-
-- if (!tnum_is_const(off_reg->var_off) &&
-- (off_reg->smin_value < 0) != (off_reg->smax_value < 0))
-- return REASON_BOUNDS;
--
- switch (ptr_reg->type) {
- case PTR_TO_STACK:
- /* Offset 0 is out-of-bounds, but acceptable start for the
-@@ -5745,6 +5737,7 @@ static bool sanitize_needed(u8 opcode)
-
- struct bpf_sanitize_info {
- struct bpf_insn_aux_data aux;
-+ bool mask_to_left;
- };
-
- static int sanitize_ptr_alu(struct bpf_verifier_env *env,
-@@ -5776,7 +5769,16 @@ static int sanitize_ptr_alu(struct bpf_v
- if (vstate->speculative)
- goto do_sim;
-
-- err = retrieve_ptr_limit(ptr_reg, off_reg, &alu_limit, opcode);
-+ if (!commit_window) {
-+ if (!tnum_is_const(off_reg->var_off) &&
-+ (off_reg->smin_value < 0) != (off_reg->smax_value < 0))
-+ return REASON_BOUNDS;
-+
-+ info->mask_to_left = (opcode == BPF_ADD && off_is_neg) ||
-+ (opcode == BPF_SUB && !off_is_neg);
-+ }
-+
-+ err = retrieve_ptr_limit(ptr_reg, &alu_limit, info->mask_to_left);
- if (err < 0)
- return err;
-
diff --git a/debian/patches/bugfix/all/bpf-no-need-to-simulate-speculative-domain-for-immediates.patch b/debian/patches/bugfix/all/bpf-no-need-to-simulate-speculative-domain-for-immediates.patch
deleted file mode 100644
index 1f05d5ea4654..000000000000
--- a/debian/patches/bugfix/all/bpf-no-need-to-simulate-speculative-domain-for-immediates.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From a7036191277f9fa68d92f2071ddc38c09b1e5ee5 Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann <daniel@iogearbox.net>
-Date: Tue, 4 May 2021 08:58:25 +0000
-Subject: bpf: No need to simulate speculative domain for immediates
-
-From: Daniel Borkmann <daniel@iogearbox.net>
-
-commit a7036191277f9fa68d92f2071ddc38c09b1e5ee5 upstream.
-
-In 801c6058d14a ("bpf: Fix leakage of uninitialized bpf stack under
-speculation") we replaced masking logic with direct loads of immediates
-if the register is a known constant. Given in this case we do not apply
-any masking, there is also no reason for the operation to be truncated
-under the speculative domain.
-
-Therefore, there is also zero reason for the verifier to branch-off and
-simulate this case, it only needs to do it for unknown but bounded scalars.
-As a side-effect, this also enables few test cases that were previously
-rejected due to simulation under zero truncation.
-
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
-Acked-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/bpf/verifier.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -5802,8 +5802,12 @@ do_sim:
- /* If we're in commit phase, we're done here given we already
- * pushed the truncated dst_reg into the speculative verification
- * stack.
-+ *
-+ * Also, when register is a known constant, we rewrite register-based
-+ * operation to immediate-based, and thus do not need masking (and as
-+ * a consequence, do not need to simulate the zero-truncation either).
- */
-- if (commit_window)
-+ if (commit_window || off_is_imm)
- return 0;
-
- /* Simulate and find potential out-of-bounds access under
diff --git a/debian/patches/bugfix/all/bpf-wrap-aux-data-inside-bpf_sanitize_info-container.patch b/debian/patches/bugfix/all/bpf-wrap-aux-data-inside-bpf_sanitize_info-container.patch
deleted file mode 100644
index b775f7013c28..000000000000
--- a/debian/patches/bugfix/all/bpf-wrap-aux-data-inside-bpf_sanitize_info-container.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 3d0220f6861d713213b015b582e9f21e5b28d2e0 Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann <daniel@iogearbox.net>
-Date: Fri, 21 May 2021 10:17:36 +0000
-Subject: bpf: Wrap aux data inside bpf_sanitize_info container
-
-From: Daniel Borkmann <daniel@iogearbox.net>
-
-commit 3d0220f6861d713213b015b582e9f21e5b28d2e0 upstream.
-
-Add a container structure struct bpf_sanitize_info which holds
-the current aux info, and update call-sites to sanitize_ptr_alu()
-to pass it in. This is needed for passing in additional state
-later on.
-
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
-Acked-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/bpf/verifier.c | 18 +++++++++++-------
- 1 file changed, 11 insertions(+), 7 deletions(-)
-
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -5743,15 +5743,19 @@ static bool sanitize_needed(u8 opcode)
- return opcode == BPF_ADD || opcode == BPF_SUB;
- }
-
-+struct bpf_sanitize_info {
-+ struct bpf_insn_aux_data aux;
-+};
-+
- static int sanitize_ptr_alu(struct bpf_verifier_env *env,
- struct bpf_insn *insn,
- const struct bpf_reg_state *ptr_reg,
- const struct bpf_reg_state *off_reg,
- struct bpf_reg_state *dst_reg,
-- struct bpf_insn_aux_data *tmp_aux,
-+ struct bpf_sanitize_info *info,
- const bool commit_window)
- {
-- struct bpf_insn_aux_data *aux = commit_window ? cur_aux(env) : tmp_aux;
-+ struct bpf_insn_aux_data *aux = commit_window ? cur_aux(env) : &info->aux;
- struct bpf_verifier_state *vstate = env->cur_state;
- bool off_is_imm = tnum_is_const(off_reg->var_off);
- bool off_is_neg = off_reg->smin_value < 0;
-@@ -5780,8 +5784,8 @@ static int sanitize_ptr_alu(struct bpf_v
- /* In commit phase we narrow the masking window based on
- * the observed pointer move after the simulated operation.
- */
-- alu_state = tmp_aux->alu_state;
-- alu_limit = abs(tmp_aux->alu_limit - alu_limit);
-+ alu_state = info->aux.alu_state;
-+ alu_limit = abs(info->aux.alu_limit - alu_limit);
- } else {
- alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0;
- alu_state |= off_is_imm ? BPF_ALU_IMMEDIATE : 0;
-@@ -5942,7 +5946,7 @@ static int adjust_ptr_min_max_vals(struc
- smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value;
- u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value,
- umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value;
-- struct bpf_insn_aux_data tmp_aux = {};
-+ struct bpf_sanitize_info info = {};
- u8 opcode = BPF_OP(insn->code);
- u32 dst = insn->dst_reg;
- int ret;
-@@ -6011,7 +6015,7 @@ static int adjust_ptr_min_max_vals(struc
-
- if (sanitize_needed(opcode)) {
- ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg,
-- &tmp_aux, false);
-+ &info, false);
- if (ret < 0)
- return sanitize_err(env, insn, ret, off_reg, dst_reg);
- }
-@@ -6152,7 +6156,7 @@ static int adjust_ptr_min_max_vals(struc
- return -EACCES;
- if (sanitize_needed(opcode)) {
- ret = sanitize_ptr_alu(env, insn, dst_reg, off_reg, dst_reg,
-- &tmp_aux, true);
-+ &info, true);
- if (ret < 0)
- return sanitize_err(env, insn, ret, off_reg, dst_reg);
- }
diff --git a/debian/patches/series b/debian/patches/series
index b20cd591583a..46c0eb35f2f6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -115,9 +115,6 @@ features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signatu
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 debian/ntfs-mark-it-as-broken.patch
 bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch
-bugfix/all/bpf-wrap-aux-data-inside-bpf_sanitize_info-container.patch
-bugfix/all/bpf-fix-mask-direction-swap-upon-off-reg-sign-change.patch
-bugfix/all/bpf-no-need-to-simulate-speculative-domain-for-immediates.patch

 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch |