Merge remote-tracking branch 'origin/master' into buster-pve-kernel-5.11

Makefile

@@ -1,12 +1,12 @@
 # also bump pve-kernel-meta if either of MAJ.MIN, PATCHLEVEL or KREL change
 KERNEL_MAJ=5
 KERNEL_MIN=11
-KERNEL_PATCHLEVEL=21
+KERNEL_PATCHLEVEL=22
 # increment KREL if the ABI changes (abicheck target in debian/rules)
 # rebuild packages with new KREL and run 'make abiupdate'
-KREL=1
+KREL=2
 
-PKGREL=1~bpo10
+PKGREL=4~bpo10
 
 KERNEL_MAJMIN=$(KERNEL_MAJ).$(KERNEL_MIN)
 KERNEL_VER=$(KERNEL_MAJMIN).$(KERNEL_PATCHLEVEL)
@@ -46,9 +46,10 @@ DIRS=KERNEL_SRC ZFSDIR MODULES
 
 DST_DEB=${PACKAGE}_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
 HDR_DEB=${HDRPACKAGE}_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
+USR_HDR_DEB=pve-kernel-libc-dev_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
 LINUX_TOOLS_DEB=linux-tools-$(KERNEL_MAJMIN)_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
 
-DEBS=${DST_DEB} ${HDR_DEB} ${LINUX_TOOLS_DEB}
+DEBS=${DST_DEB} ${HDR_DEB} ${USR_HDR_DEB} ${LINUX_TOOLS_DEB}
 
 all: deb
 deb: ${DEBS}
@@ -102,7 +103,7 @@ ${ZFSDIR}.prepared: ${ZFSONLINUX_SUBMODULE}
 
 .PHONY: upload
 upload: ${DEBS}
-	tar cf - ${DEBS}|ssh -X repoman@repo.proxmox.com -- upload --product pve,pmg --dist buster --arch ${ARCH}
+	tar cf - ${DEBS}|ssh -X repoman@repo.proxmox.com -- upload --product pve,pmg,pbs --dist bullseye --arch ${ARCH}
 
 .PHONY: distclean
 distclean: clean

debian/changelog

@@ -1,3 +1,47 @@
+pve-kernel (5.11.22-4~bpo10) bullseye; urgency=medium
+
+  * backport to Debian Buster based releases
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 21 Jul 2021 17:53:37 +0200
+
+pve-kernel (5.11.22-4) bullseye; urgency=medium
+
+  * fix CVE-2021-33909: seq_file: disallow extremely large seq buffer
+    allocations
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 20 Jul 2021 21:40:02 +0200
+
+pve-kernel (5.11.22-3) bullseye; urgency=medium
+
+  * update ZFS to 2.0.5
+
+  * pull in upstream stable releases from v5.10.43, v5.12.10
+
+  * ensure 'performance' is the default frequency CPU governor again, as
+    schedutil seems to cause still some issues in with a few VM workloads
+
+ -- Proxmox Support Team <support@proxmox.com>  Sun, 11 Jul 2021 13:45:15 +0200
+
+pve-kernel (5.11.22-2) bullseye; urgency=medium
+
+  * net: bridge: sync fdb to new unicast-filtering ports
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 02 Jul 2021 16:22:45 +0200
+
+pve-kernel (5.11.22-1) bullseye; urgency=medium
+
+  * update sources to stable release 5.11.22 with Ubuntu-5.11.0-23.24
+
+  * pve-kernel-libc-dev: add version to Provides dependency field for
+    linux-libc-dev to satisfy versioned dependencies from other packages
+
+  * build perf with python3
+
+  * fixes #3465: keep unstripped kernel and module files, allowing one to use
+    kdump-tools
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 23 Jun 2021 08:53:17 +0200
+
 pve-kernel (5.11.21-1~bpo10) buster; urgency=medium
 
   * backport to Debian Buster based releases

debian/control.in

@@ -32,8 +32,8 @@ Build-Depends: asciidoc-base,
                sphinx-common,
                tar,
                xmlto,
-               zlib1g-dev,
-Build-Conflicts: pve-headers-@KVNAME@,
+               zlib1g-dev
+Build-Conflicts: pve-headers-@KVNAME@
 Vcs-Git: git://git.proxmox.com/git/pve-kernel
 Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git
 
@@ -41,9 +41,7 @@ Package: linux-tools-@KVMAJMIN@
 Architecture: any
 Section: devel
 Priority: optional
-Depends: linux-base,
-         ${misc:Depends},
-         ${shlibs:Depends},
+Depends: linux-base, ${misc:Depends}, ${shlibs:Depends}
 Description: Linux kernel version specific tools for version @KVMAJMIN@
  This package provides the architecture dependent parts for kernel
  version locked tools (such as perf and x86_energy_perf_policy)
@@ -52,9 +50,8 @@ Package: pve-headers-@KVNAME@
 Section: devel
 Priority: optional
 Architecture: any
-Provides: linux-headers,
-          linux-headers-2.6,
-Depends: coreutils | fileutils (>= 4.0),
+Provides: linux-headers
+Depends: coreutils | fileutils (>= 4.0)
 Description: The Proxmox PVE Kernel Headers
  This package contains the linux kernel headers
 
@@ -62,22 +59,32 @@ Package: pve-kernel-@KVNAME@
 Section: admin
 Priority: optional
 Architecture: any
-Provides: linux-image,
-          linux-image-2.6,
-Suggests: pve-firmware,
-Depends: busybox,
-         initramfs-tools,
-Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub-efi-arm64,
+Provides: linux-image
+Suggests: pve-firmware
+Depends: busybox, initramfs-tools
+Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub-efi-arm64
 Description: The Proxmox PVE Kernel Image
  This package contains the linux kernel and initial ramdisk used for booting
 
+Package: pve-kernel-@KVNAME@-dbgsym
+Architecture: any
+Provides: linux-debug
+Section: devel
+Priority: optional
+Description: The Proxmox PVE Kernel debug image
+ This package provides the kernel debug image for version @KVNAME@. The debug
+ kernel image contained in this package is NOT meant to boot from - it is
+ uncompressed, and unstripped, and suitable for use with crash/kdump-tools/..
+ to analyze kernel crashes. This package also contains the pve-kernel modules
+ in their unstripped version.
+
 Package: pve-kernel-libc-dev
 Section: devel
 Priority: optional
 Architecture: any
-Provides: linux-libc-dev,
-Conflicts: linux-libc-dev,
-Replaces: linux-libc-dev,
+Provides: linux-libc-dev (=${binary:Version})
+Conflicts: linux-libc-dev
+Replaces: linux-libc-dev
 Depends: ${misc:Depends}
 Description: Linux support headers for userspace development
  This package provides userspaces headers from the Linux kernel.  These headers

debian/rules

@@ -14,6 +14,7 @@ include debian/rules.d/${DEB_BUILD_ARCH}.mk
 CHANGELOG_DATE:=$(shell dpkg-parsechangelog -SDate)
 
 PVE_KERNEL_PKG=pve-kernel-${KVNAME}
+PVE_DEBUG_KERNEL_PKG=pve-kernel-${KVNAME}-dbgsym
 PVE_HEADER_PKG=pve-headers-${KVNAME}
 PVE_USR_HEADER_PKG=pve-kernel-libc-dev
 LINUX_TOOLS_PKG=linux-tools-${KERNEL_MAJMIN}
@@ -43,6 +44,7 @@ PVE_CONFIG_OPTS= \
 -e CONFIG_NLS_ISO8859_1 \
 -d CONFIG_INPUT_EVBUG \
 -d CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND \
+-d CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL \
 -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
 -d CONFIG_MODULE_SIG \
 -d CONFIG_MEMCG_DISABLED \
@@ -113,6 +115,9 @@ binary: install
 .config_mark:
 	cd ${KERNEL_SRC}; scripts/config ${PVE_CONFIG_OPTS}
 	${MAKE} -C ${KERNEL_SRC} oldconfig
+	# copy to allow building in parallel to kernel/module compilation without interference
+	rm -rf ${KERNEL_SRC_COPY}
+	cp -ar ${KERNEL_SRC} ${KERNEL_SRC_COPY}
 	touch $@
 
 .compile_mark: .config_mark
@@ -132,6 +137,16 @@ binary: install
 	install -m 644 $(addprefix ${MODULES}/,zfs.ko zavl.ko znvpair.ko zunicode.ko zcommon.ko icp.ko zlua.ko spl.ko zzstd.ko) debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
 	# remove firmware
 	rm -rf debian/${PVE_KERNEL_PKG}/lib/firmware
+
+	# debug package
+	mkdir -p debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}
+	mkdir debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/boot
+	install -m 644 ${KERNEL_SRC}/vmlinux debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/boot/vmlinux-${KVNAME}
+	cp -r debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME} debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/
+	rm -f debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}/source
+	rm -f debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}/build
+	rm -f debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}/modules.*
+
 	# strip debug info
 	find debian/${PVE_KERNEL_PKG}/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
 	# finalize
@@ -146,7 +161,7 @@ binary: install
 	touch $@
 
 .tools_compile_mark: .compile_mark
-	${MAKE} -C ${KERNEL_SRC}/tools/perf prefix=/usr HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python2.7
+	${MAKE} -C ${KERNEL_SRC}/tools/perf prefix=/usr HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python3
 	echo "checking GPL-2 only perf binary for library linkage with incompatible licenses.."
 	! ldd ${KERNEL_SRC}/tools/perf/perf | grep -q -E '\blibbfd'
 	! ldd ${KERNEL_SRC}/tools/perf/perf | grep -q -E '\blibcrypto'
@@ -168,9 +183,6 @@ binary: install
 	rm -rf debian/${PVE_HEADER_PKG}
 	mkdir -p debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
 	install -m 0644 ${KERNEL_SRC}/.config debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	# copy to allow building in parallel to kernel/module compilation without interference
-	rm -rf ${KERNEL_SRC_COPY}
-	cp -ar ${KERNEL_SRC} ${KERNEL_SRC_COPY}
 	make -C ${KERNEL_SRC_COPY} mrproper
 	cd ${KERNEL_SRC_COPY}; find . -path './debian/*' -prune \
 	    -o -path './include/*' -prune \

debian/scripts/export-patchqueue

@@ -6,7 +6,7 @@ top=$(pwd)
 
 if [ "$#" -ne 3 ]; then
     echo "USAGE: $0 repo patchdir ref"
-    echo "\t exports patches from 'repo' to 'patchdir' based on 'ref'"
+    printf "\t exports patches from 'repo' to 'patchdir' based on 'ref'\n"
     exit 1
 fi
 
@@ -26,10 +26,9 @@ git format-patch \
     --zero-commit \
     --no-signature \
     --diff-algorithm=myers \
-    --output-dir \
-    "${top}/${kernel_patchdir}" \
+    --output-directory="${top}/${kernel_patchdir}" \
     "${base_ref}.."
 
-git checkout ${base_ref}
+git checkout "${base_ref}"
 
 cd "${top}"

patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch

@@ -55,10 +55,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  2 files changed, 111 insertions(+)
 
 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index a74453c464b0..dca92e06e431 100644
+index 52b2f13eb26f..8c1bec09424b 100644
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -3646,6 +3646,15 @@
+@@ -3647,6 +3647,15 @@
  				Also, it enforces the PCI Local Bus spec
  				rule that those bits should be 0 in system reset
  				events (useful for kexec/kdump cases).

patches/kernel/0004-kvm-disable-default-dynamic-halt-polling-growth.patch

@@ -13,7 +13,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 2caba2828982..2080de085df5 100644
+index 7377346be880..0979e4ab19ae 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
 @@ -77,7 +77,7 @@ module_param(halt_poll_ns, uint, 0644);

patches/kernel/0005-net-core-downgrade-unregister_netdevice-refcount-lea.patch

@@ -10,10 +10,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/net/core/dev.c b/net/core/dev.c
-index a5a1dbe66b76..3847f4542b81 100644
+index 76e593a4cc30..c1e9097e7a08 100644
 --- a/net/core/dev.c
 +++ b/net/core/dev.c
-@@ -10300,7 +10300,7 @@ static void netdev_wait_allrefs(struct net_device *dev)
+@@ -10346,7 +10346,7 @@ static void netdev_wait_allrefs(struct net_device *dev)
  		refcnt = netdev_refcnt_read(dev);
  
  		if (refcnt && time_after(jiffies, warning_time + 10 * HZ)) {

patches/kernel/0006-net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch

@@ -0,0 +1,68 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Fri, 2 Jul 2021 14:07:36 +0200
+Subject: [PATCH] net: bridge: sync fdb to new unicast-filtering ports
+
+Since commit 2796d0c648c9 ("bridge: Automatically manage
+port promiscuous mode.")
+bridges with `vlan_filtering 1` and only 1 auto-port don't
+set IFF_PROMISC for unicast-filtering-capable ports.
+
+Normally on port changes `br_manage_promisc` is called to
+update the promisc flags and unicast filters if necessary,
+but it cannot distinguish between *new* ports and ones
+losing their promisc flag, and new ports end up not
+receiving the MAC address list.
+
+Fix this by calling `br_fdb_sync_static` in `br_add_if`
+after the port promisc flags are updated and the unicast
+filter was supposed to have been filled.
+
+Fixes: 2796d0c648c9 ("bridge: Automatically manage port promiscuous mode.")
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ net/bridge/br_if.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
+index f7d2f472ae24..6e4a32354a13 100644
+--- a/net/bridge/br_if.c
++++ b/net/bridge/br_if.c
+@@ -562,7 +562,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev,
+ 	struct net_bridge_port *p;
+ 	int err = 0;
+ 	unsigned br_hr, dev_hr;
+-	bool changed_addr;
++	bool changed_addr, fdb_synced = false;
+ 
+ 	/* Don't allow bridging non-ethernet like devices. */
+ 	if ((dev->flags & IFF_LOOPBACK) ||
+@@ -652,6 +652,19 @@ int br_add_if(struct net_bridge *br, struct net_device *dev,
+ 	list_add_rcu(&p->list, &br->port_list);
+ 
+ 	nbp_update_port_count(br);
++	if (!br_promisc_port(p) && (p->dev->priv_flags & IFF_UNICAST_FLT)) {
++		/* When updating the port count we also update all ports'
++		 * promiscuous mode.
++		 * A port leaving promiscuous mode normally gets the bridge's
++		 * fdb synced to the unicast filter (if supported), however,
++		 * `br_port_clear_promisc` does not distinguish between
++		 * non-promiscuous ports and *new* ports, so we need to
++		 * sync explicitly here.
++		 */
++		fdb_synced = br_fdb_sync_static(br, p) == 0;
++		if (!fdb_synced)
++			netdev_err(dev, "failed to sync bridge static fdb addresses to this port\n");
++	}
+ 
+ 	netdev_update_features(br->dev);
+ 
+@@ -701,6 +714,8 @@ int br_add_if(struct net_bridge *br, struct net_device *dev,
+ 	return 0;
+ 
+ err7:
++	if (fdb_synced)
++		br_fdb_unsync_static(br, p);
+ 	list_del_rcu(&p->list);
+ 	br_fdb_delete_by_port(br, p, 0, 1);
+ 	nbp_update_port_count(br);

patches/kernel/0007-seq-file-disallow-extremely-large.patch

@@ -0,0 +1,34 @@
+From 8cae8cd89f05f6de223d63e6d15e31c8ba9cf53b Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Tue, 13 Jul 2021 17:49:23 +0200
+Subject: seq_file: disallow extremely large seq buffer allocations
+
+There is no reasonable need for a buffer larger than this, and it avoids
+int overflow pitfalls.
+
+Fixes: 058504edd026 ("fs/seq_file: fallback to vmalloc allocation")
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Reported-by: Qualys Security Advisory <qsa@qualys.com>
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ fs/seq_file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/seq_file.c b/fs/seq_file.c
+index b117b212ef288..4a2cda04d3e29 100644
+--- a/fs/seq_file.c
++++ b/fs/seq_file.c
+@@ -32,6 +32,9 @@ static void seq_set_overflow(struct seq_file *m)
+ 
+ static void *seq_buf_alloc(unsigned long size)
+ {
++	if (unlikely(size > MAX_RW_COUNT))
++		return NULL;
++
+ 	return kvmalloc(size, GFP_KERNEL_ACCOUNT);
+ }
+ 
+-- 
+cgit 1.2.3-1.el7

submodules/ubuntu-hirsute

@@ -1 +1 @@
-Subproject commit 6c982603b0dffdfff74e4faccb4388d64719530b
+Subproject commit e7bd377c9219094136ecce5e2258f04edbed58a0

submodules/zfsonlinux

@@ -1 +1 @@
-Subproject commit 28dd83391be7921ac561dae1bb2299f613419251
+Subproject commit 7764433c7066a5125956630116f894a12fd12109