[rocky9_7] History Rebuild through kernel-5.14.0-611.34.1.el9_7

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 7
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 611.30.1
+RHEL_RELEASE = 611.34.1
 
 #
 # ZSTREAM

arch/x86/boot/cpuflags.c

@@ -115,5 +115,18 @@ void get_cpuflags(void)
 			cpuid(0x80000001, &ignored, &ignored, &cpu.flags[6],
 			      &cpu.flags[1]);
 		}
+
+		if (max_amd_level >= 0x8000001f) {
+			u32 ebx;
+
+			/*
+			 * The X86_FEATURE_COHERENCY_SFW_NO feature bit is in
+			 * the virtualization flags entry (word 8) and set by
+			 * scattered.c, so the bit needs to be explicitly set.
+			 */
+			cpuid(0x8000001f, &ignored, &ebx, &ignored, &ignored);
+			if (ebx & BIT(31))
+				set_bit(X86_FEATURE_COHERENCY_SFW_NO, cpu.flags);
+		}
 	}
 }

arch/x86/coco/sev/shared.c

@@ -1293,6 +1293,13 @@ static void pvalidate_4k_page(unsigned long vaddr, unsigned long paddr, bool val
 		if (ret)
 			__pval_terminate(PHYS_PFN(paddr), validate, RMP_PG_SIZE_4K, ret, 0);
 	}
+
+	/*
+	 * If validating memory (making it private) and affected by the
+	 * cache-coherency vulnerability, perform the cache eviction mitigation.
+	 */
+	if (validate && !has_cpuflag(X86_FEATURE_COHERENCY_SFW_NO))
+		sev_evict_cache((void *)vaddr, 1);
 }
 
 static void pval_pages(struct snp_psc_desc *desc)
@@ -1477,10 +1484,31 @@ static void svsm_pval_pages(struct snp_psc_desc *desc)
 
 static void pvalidate_pages(struct snp_psc_desc *desc)
 {
+	struct psc_entry *e;
+	unsigned int i;
+
 	if (snp_vmpl)
 		svsm_pval_pages(desc);
 	else
 		pval_pages(desc);
+
+	/*
+	 * If not affected by the cache-coherency vulnerability there is no need
+	 * to perform the cache eviction mitigation.
+	 */
+	if (has_cpuflag(X86_FEATURE_COHERENCY_SFW_NO))
+		return;
+
+	for (i = 0; i <= desc->hdr.end_entry; i++) {
+		e = &desc->entries[i];
+
+		/*
+		 * If validating memory (making it private) perform the cache
+		 * eviction mitigation.
+		 */
+		if (e->operation == SNP_PAGE_STATE_PRIVATE)
+			sev_evict_cache(pfn_to_kaddr(e->gfn), e->pagesize ? 512 : 1);
+	}
 }
 
 static int vmgexit_psc(struct ghcb *ghcb, struct snp_psc_desc *desc)

arch/x86/include/asm/cpufeatures.h

@@ -228,6 +228,7 @@
 #define X86_FEATURE_FLEXPRIORITY	( 8*32+ 1) /* "flexpriority" Intel FlexPriority */
 #define X86_FEATURE_EPT			( 8*32+ 2) /* "ept" Intel Extended Page Table */
 #define X86_FEATURE_VPID		( 8*32+ 3) /* "vpid" Intel Virtual Processor ID */
+#define X86_FEATURE_COHERENCY_SFW_NO	( 8*32+ 4) /* SNP cache coherency software work around not needed */
 
 #define X86_FEATURE_VMMCALL		( 8*32+15) /* "vmmcall" Prefer VMMCALL to VMCALL */
 #define X86_FEATURE_XENPV		( 8*32+16) /* Xen paravirtual guest */

arch/x86/include/asm/sev.h

@@ -424,6 +424,24 @@ void snp_kexec_finish(void);
 void snp_kexec_begin(void);
 int snp_svsm_vtpm_send_command(u8 *buffer);
 
+static inline void sev_evict_cache(void *va, int npages)
+{
+	volatile u8 val __always_unused;
+	u8 *bytes = va;
+	int page_idx;
+
+	/*
+	 * For SEV guests, a read from the first/last cache-lines of a 4K page
+	 * using the guest key is sufficient to cause a flush of all cache-lines
+	 * associated with that 4K page without incurring all the overhead of a
+	 * full CLFLUSH sequence.
+	 */
+	for (page_idx = 0; page_idx < npages; page_idx++) {
+		val = bytes[page_idx * PAGE_SIZE];
+		val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1];
+	}
+}
+
 #else	/* !CONFIG_AMD_MEM_ENCRYPT */
 
 #define snp_vmpl 0
@@ -464,6 +482,7 @@ static inline void set_pte_enc_mask(pte_t *kpte, unsigned long pfn, pgprot_t new
 static inline void snp_kexec_finish(void) { }
 static inline void snp_kexec_begin(void) { }
 static inline int snp_svsm_vtpm_send_command(u8 *buffer) { return -ENODEV; }
+static inline void sev_evict_cache(void *va, int npages) {}
 
 #endif	/* CONFIG_AMD_MEM_ENCRYPT */
 

arch/x86/kernel/cpu/scattered.c

@@ -47,6 +47,7 @@ static const struct cpuid_bit cpuid_bits[] = {
 	{ X86_FEATURE_PROC_FEEDBACK,		CPUID_EDX, 11, 0x80000007, 0 },
 	{ X86_FEATURE_AMD_FAST_CPPC,		CPUID_EDX, 15, 0x80000007, 0 },
 	{ X86_FEATURE_MBA,			CPUID_EBX,  6, 0x80000008, 0 },
+	{ X86_FEATURE_COHERENCY_SFW_NO,		CPUID_EBX, 31, 0x8000001f, 0 },
 	{ X86_FEATURE_SMBA,			CPUID_EBX,  2, 0x80000020, 0 },
 	{ X86_FEATURE_BMEC,			CPUID_EBX,  3, 0x80000020, 0 },
 	{ X86_FEATURE_TSA_SQ_NO,		CPUID_ECX,  1, 0x80000021, 0 },

arch/x86/net/bpf_jit_comp.c

@@ -2450,7 +2450,7 @@ st:			if (is_imm8(insn->off))
 			/* Update cleanup_addr */
 			ctx->cleanup_addr = proglen;
 			if (bpf_prog_was_classic(bpf_prog) &&
-			    !capable(CAP_SYS_ADMIN)) {
+			    !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
 				u8 *ip = image + addrs[i - 1];
 
 				if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))

ciq/ciq_backports/kernel-5.14.0-611.34.1.el9_7/7ad78592.failed

@@ -0,0 +1,183 @@
+smb: client: Add tracepoint for krb5 auth
+
+jira KERNEL-660
+Rebuild_History Non-Buildable kernel-5.14.0-611.34.1.el9_7
+commit-author Paulo Alcantara <pc@manguebit.org>
+commit 7ad785927d9eb348adb381d168ed73d0dd3c7670
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-611.34.1.el9_7/7ad78592.failed
+
+Add tracepoint to help debugging krb5 auth failures.
+
+Example:
+
+$ trace-cmd record -e smb3_kerberos_auth
+$ mount.cifs ...
+$ trace-cmd report
+mount.cifs-1667 [003] .....  5810.668549: smb3_kerberos_auth: vers=2
+host=w22-dc1.zelda.test ip=192.168.124.30:445 sec=krb5 uid=0 cruid=0
+user=root pid=1667 upcall_target=app err=-126
+
+	Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+	Reviewed-by: David Howells <dhowells@redhat.com>
+	Cc: Pierguido Lambri <plambri@redhat.com>
+	Cc: linux-cifs@vger.kernel.org
+	Signed-off-by: Steve French <stfrench@microsoft.com>
+(cherry picked from commit 7ad785927d9eb348adb381d168ed73d0dd3c7670)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	fs/smb/client/cifs_spnego.c
+diff --cc fs/smb/client/cifs_spnego.c
+index 08885ec1b407,3a41bbada04c..000000000000
+--- a/fs/smb/client/cifs_spnego.c
++++ b/fs/smb/client/cifs_spnego.c
+@@@ -136,48 -128,38 +136,54 @@@ cifs_get_spnego_key(struct cifs_ses *se
+  	else
+  		goto out;
+
+ +	dp = description + strlen(description);
+ +
+  	/* for now, only sec=krb5 and sec=mskrb5 and iakerb are valid */
+  	if (server->sec_kerberos)
+ -		dp += sprintf(dp, ";sec=krb5");
+ +		sprintf(dp, ";sec=krb5");
+  	else if (server->sec_mskerberos)
+ -		dp += sprintf(dp, ";sec=mskrb5");
+ +		sprintf(dp, ";sec=mskrb5");
+  	else if (server->sec_iakerb)
+ -		dp += sprintf(dp, ";sec=iakerb");
+ +		sprintf(dp, ";sec=iakerb");
+  	else {
+  		cifs_dbg(VFS, "unknown or missing server auth type, use krb5\n");
+ -		dp += sprintf(dp, ";sec=krb5");
+ +		sprintf(dp, ";sec=krb5");
+  	}
+
+ -	dp += sprintf(dp, ";uid=0x%x",
+ -		      from_kuid_munged(&init_user_ns, sesInfo->linux_uid));
+ +	dp = description + strlen(description);
+ +	sprintf(dp, ";uid=0x%x",
+ +		from_kuid_munged(&init_user_ns, sesInfo->linux_uid));
+
+ -	dp += sprintf(dp, ";creduid=0x%x",
+ +	dp = description + strlen(description);
+ +	sprintf(dp, ";creduid=0x%x",
+  		from_kuid_munged(&init_user_ns, sesInfo->cred_uid));
+
+ -	if (sesInfo->user_name)
+ -		dp += sprintf(dp, ";user=%s", sesInfo->user_name);
+ +	if (sesInfo->user_name) {
+ +		dp = description + strlen(description);
+ +		sprintf(dp, ";user=%s", sesInfo->user_name);
+ +	}
+
+ -	dp += sprintf(dp, ";pid=0x%x", current->pid);
+ +	dp = description + strlen(description);
+ +	sprintf(dp, ";pid=0x%x", current->pid);
+
+ -	if (sesInfo->upcall_target == UPTARGET_MOUNT)
+ -		dp += sprintf(dp, ";upcall_target=mount");
+ -	else
+ -		dp += sprintf(dp, ";upcall_target=app");
+ +	if (sesInfo->upcall_target == UPTARGET_MOUNT) {
+ +		dp = description + strlen(description);
+ +		sprintf(dp, ";upcall_target=mount");
+ +	} else {
+ +		dp = description + strlen(description);
+ +		sprintf(dp, ";upcall_target=app");
+ +	}
+
+  	cifs_dbg(FYI, "key description = %s\n", description);
+++<<<<<<< HEAD
+ +	saved_cred = override_creds(spnego_cred);
+ +	spnego_key = request_key(&cifs_spnego_key_type, description, "");
+ +	revert_creds(saved_cred);
+++=======
++ 	scoped_with_creds(spnego_cred)
++ 		spnego_key = request_key(&cifs_spnego_key_type, description, "");
++ 	trace_smb3_kerberos_auth(server, sesInfo, PTR_ERR_OR_ZERO(spnego_key));
+++>>>>>>> 7ad785927d9e (smb: client: Add tracepoint for krb5 auth)
+
+  #ifdef CONFIG_CIFS_DEBUG2
+  	if (cifsFYI && !IS_ERR(spnego_key)) {
+* Unmerged path fs/smb/client/cifs_spnego.c
+diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
+index 7310dc74adfc..1eef6c9b971e 100644
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -1625,8 +1625,6 @@ SMB2_auth_kerberos(struct SMB2_sess_data *sess_data)
+ 	spnego_key = cifs_get_spnego_key(ses, server);
+ 	if (IS_ERR(spnego_key)) {
+ 		rc = PTR_ERR(spnego_key);
+-		if (rc == -ENOKEY)
+-			cifs_dbg(VFS, "Verify user has a krb5 ticket and keyutils is installed\n");
+ 		spnego_key = NULL;
+ 		goto out;
+ 	}
+diff --git a/fs/smb/client/trace.c b/fs/smb/client/trace.c
+index 16b0e719731f..8a99b68d0c71 100644
+--- a/fs/smb/client/trace.c
++++ b/fs/smb/client/trace.c
+@@ -5,5 +5,6 @@
+  *   Author(s): Steve French <stfrench@microsoft.com>
+  */
+ #include "cifsglob.h"
++#include "cifs_spnego.h"
+ #define CREATE_TRACE_POINTS
+ #include "trace.h"
+diff --git a/fs/smb/client/trace.h b/fs/smb/client/trace.h
+index c1806b9ca6ef..fba1c2616368 100644
+--- a/fs/smb/client/trace.h
++++ b/fs/smb/client/trace.h
+@@ -1435,6 +1435,49 @@ DEFINE_SMB3_CREDIT_EVENT(waitff_credits);
+ DEFINE_SMB3_CREDIT_EVENT(overflow_credits);
+ DEFINE_SMB3_CREDIT_EVENT(set_credits);
+
++TRACE_EVENT(smb3_kerberos_auth,
++		TP_PROTO(struct TCP_Server_Info *server,
++			 struct cifs_ses *ses,
++			 int rc),
++		TP_ARGS(server, ses, rc),
++		TP_STRUCT__entry(
++			__field(pid_t, pid)
++			__field(uid_t, uid)
++			__field(uid_t, cruid)
++			__string(host, server->hostname)
++			__string(user, ses->user_name)
++			__array(__u8, addr, sizeof(struct sockaddr_storage))
++			__array(char, sec, sizeof("ntlmsspi"))
++			__array(char, upcall_target, sizeof("mount"))
++			__field(int, rc)
++		),
++		TP_fast_assign(
++			__entry->pid = current->pid;
++			__entry->uid = from_kuid_munged(&init_user_ns, ses->linux_uid);
++			__entry->cruid = from_kuid_munged(&init_user_ns, ses->cred_uid);
++			__assign_str(host);
++			__assign_str(user);
++			memcpy(__entry->addr, &server->dstaddr, sizeof(__entry->addr));
++
++			if (server->sec_kerberos)
++				memcpy(__entry->sec, "krb5", sizeof("krb5"));
++			else if (server->sec_mskerberos)
++				memcpy(__entry->sec, "mskrb5", sizeof("mskrb5"));
++			else if (server->sec_iakerb)
++				memcpy(__entry->sec, "iakerb", sizeof("iakerb"));
++			else
++				memcpy(__entry->sec, "krb5", sizeof("krb5"));
++
++			if (ses->upcall_target == UPTARGET_MOUNT)
++				memcpy(__entry->upcall_target, "mount", sizeof("mount"));
++			else
++				memcpy(__entry->upcall_target, "app", sizeof("app"));
++			__entry->rc = rc;
++		),
++		TP_printk("vers=%d host=%s ip=%pISpsfc sec=%s uid=%d cruid=%d user=%s pid=%d upcall_target=%s err=%d",
++			  CIFS_SPNEGO_UPCALL_VERSION, __get_str(host), __entry->addr,
++			  __entry->sec, __entry->uid, __entry->cruid, __get_str(user),
++			  __entry->pid, __entry->upcall_target, __entry->rc))
+
+ TRACE_EVENT(smb3_tcon_ref,
+ 	    TP_PROTO(unsigned int tcon_debug_id, int ref,