Contents of /trunk/kernel-alx/patches-4.9/0176-4.9.77-all-fixes.patch
Parent Directory | Revision Log
Revision 3196 -
(show annotations)
(download)
Wed Aug 8 14:25:24 2018 UTC (6 years, 1 month ago) by niro
File size: 163168 byte(s)
-linux-4.9.77
1 | diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu |
2 | index 498741737055..dfd56ec7a850 100644 |
3 | --- a/Documentation/ABI/testing/sysfs-devices-system-cpu |
4 | +++ b/Documentation/ABI/testing/sysfs-devices-system-cpu |
5 | @@ -350,3 +350,19 @@ Contact: Linux ARM Kernel Mailing list <linux-arm-kernel@lists.infradead.org> |
6 | Description: AArch64 CPU registers |
7 | 'identification' directory exposes the CPU ID registers for |
8 | identifying model and revision of the CPU. |
9 | + |
10 | +What: /sys/devices/system/cpu/vulnerabilities |
11 | + /sys/devices/system/cpu/vulnerabilities/meltdown |
12 | + /sys/devices/system/cpu/vulnerabilities/spectre_v1 |
13 | + /sys/devices/system/cpu/vulnerabilities/spectre_v2 |
14 | +Date: January 2018 |
15 | +Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org> |
16 | +Description: Information about CPU vulnerabilities |
17 | + |
18 | + The files are named after the code names of CPU |
19 | + vulnerabilities. The output of those files reflects the |
20 | + state of the CPUs in the system. Possible output values: |
21 | + |
22 | + "Not affected" CPU is not affected by the vulnerability |
23 | + "Vulnerable" CPU is affected and no mitigation in effect |
24 | + "Mitigation: $M" CPU is affected and mitigation $M is in effect |
25 | diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt |
26 | index 5d2676d043de..4c2667aa4634 100644 |
27 | --- a/Documentation/kernel-parameters.txt |
28 | +++ b/Documentation/kernel-parameters.txt |
29 | @@ -2691,6 +2691,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
30 | nosmt [KNL,S390] Disable symmetric multithreading (SMT). |
31 | Equivalent to smt=1. |
32 | |
33 | + nospectre_v2 [X86] Disable all mitigations for the Spectre variant 2 |
34 | + (indirect branch prediction) vulnerability. System may |
35 | + allow data leaks with this option, which is equivalent |
36 | + to spectre_v2=off. |
37 | + |
38 | noxsave [BUGS=X86] Disables x86 extended register state save |
39 | and restore using xsave. The kernel will fallback to |
40 | enabling legacy floating-point and sse state. |
41 | @@ -2763,8 +2768,6 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
42 | |
43 | nojitter [IA-64] Disables jitter checking for ITC timers. |
44 | |
45 | - nopti [X86-64] Disable KAISER isolation of kernel from user. |
46 | - |
47 | no-kvmclock [X86,KVM] Disable paravirtualized KVM clock driver |
48 | |
49 | no-kvmapf [X86,KVM] Disable paravirtualized asynchronous page |
50 | @@ -3327,11 +3330,20 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
51 | pt. [PARIDE] |
52 | See Documentation/blockdev/paride.txt. |
53 | |
54 | - pti= [X86_64] |
55 | - Control KAISER user/kernel address space isolation: |
56 | - on - enable |
57 | - off - disable |
58 | - auto - default setting |
59 | + pti= [X86_64] Control Page Table Isolation of user and |
60 | + kernel address spaces. Disabling this feature |
61 | + removes hardening, but improves performance of |
62 | + system calls and interrupts. |
63 | + |
64 | + on - unconditionally enable |
65 | + off - unconditionally disable |
66 | + auto - kernel detects whether your CPU model is |
67 | + vulnerable to issues that PTI mitigates |
68 | + |
69 | + Not specifying this option is equivalent to pti=auto. |
70 | + |
71 | + nopti [X86_64] |
72 | + Equivalent to pti=off |
73 | |
74 | pty.legacy_count= |
75 | [KNL] Number of legacy pty's. Overwrites compiled-in |
76 | @@ -3937,6 +3949,29 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
77 | sonypi.*= [HW] Sony Programmable I/O Control Device driver |
78 | See Documentation/laptops/sonypi.txt |
79 | |
80 | + spectre_v2= [X86] Control mitigation of Spectre variant 2 |
81 | + (indirect branch speculation) vulnerability. |
82 | + |
83 | + on - unconditionally enable |
84 | + off - unconditionally disable |
85 | + auto - kernel detects whether your CPU model is |
86 | + vulnerable |
87 | + |
88 | + Selecting 'on' will, and 'auto' may, choose a |
89 | + mitigation method at run time according to the |
90 | + CPU, the available microcode, the setting of the |
91 | + CONFIG_RETPOLINE configuration option, and the |
92 | + compiler with which the kernel was built. |
93 | + |
94 | + Specific mitigations can also be selected manually: |
95 | + |
96 | + retpoline - replace indirect branches |
97 | + retpoline,generic - google's original retpoline |
98 | + retpoline,amd - AMD-specific minimal thunk |
99 | + |
100 | + Not specifying this option is equivalent to |
101 | + spectre_v2=auto. |
102 | + |
103 | spia_io_base= [HW,MTD] |
104 | spia_fio_base= |
105 | spia_pedr= |
106 | diff --git a/Documentation/x86/pti.txt b/Documentation/x86/pti.txt |
107 | new file mode 100644 |
108 | index 000000000000..d11eff61fc9a |
109 | --- /dev/null |
110 | +++ b/Documentation/x86/pti.txt |
111 | @@ -0,0 +1,186 @@ |
112 | +Overview |
113 | +======== |
114 | + |
115 | +Page Table Isolation (pti, previously known as KAISER[1]) is a |
116 | +countermeasure against attacks on the shared user/kernel address |
117 | +space such as the "Meltdown" approach[2]. |
118 | + |
119 | +To mitigate this class of attacks, we create an independent set of |
120 | +page tables for use only when running userspace applications. When |
121 | +the kernel is entered via syscalls, interrupts or exceptions, the |
122 | +page tables are switched to the full "kernel" copy. When the system |
123 | +switches back to user mode, the user copy is used again. |
124 | + |
125 | +The userspace page tables contain only a minimal amount of kernel |
126 | +data: only what is needed to enter/exit the kernel such as the |
127 | +entry/exit functions themselves and the interrupt descriptor table |
128 | +(IDT). There are a few strictly unnecessary things that get mapped |
129 | +such as the first C function when entering an interrupt (see |
130 | +comments in pti.c). |
131 | + |
132 | +This approach helps to ensure that side-channel attacks leveraging |
133 | +the paging structures do not function when PTI is enabled. It can be |
134 | +enabled by setting CONFIG_PAGE_TABLE_ISOLATION=y at compile time. |
135 | +Once enabled at compile-time, it can be disabled at boot with the |
136 | +'nopti' or 'pti=' kernel parameters (see kernel-parameters.txt). |
137 | + |
138 | +Page Table Management |
139 | +===================== |
140 | + |
141 | +When PTI is enabled, the kernel manages two sets of page tables. |
142 | +The first set is very similar to the single set which is present in |
143 | +kernels without PTI. This includes a complete mapping of userspace |
144 | +that the kernel can use for things like copy_to_user(). |
145 | + |
146 | +Although _complete_, the user portion of the kernel page tables is |
147 | +crippled by setting the NX bit in the top level. This ensures |
148 | +that any missed kernel->user CR3 switch will immediately crash |
149 | +userspace upon executing its first instruction. |
150 | + |
151 | +The userspace page tables map only the kernel data needed to enter |
152 | +and exit the kernel. This data is entirely contained in the 'struct |
153 | +cpu_entry_area' structure which is placed in the fixmap which gives |
154 | +each CPU's copy of the area a compile-time-fixed virtual address. |
155 | + |
156 | +For new userspace mappings, the kernel makes the entries in its |
157 | +page tables like normal. The only difference is when the kernel |
158 | +makes entries in the top (PGD) level. In addition to setting the |
159 | +entry in the main kernel PGD, a copy of the entry is made in the |
160 | +userspace page tables' PGD. |
161 | + |
162 | +This sharing at the PGD level also inherently shares all the lower |
163 | +layers of the page tables. This leaves a single, shared set of |
164 | +userspace page tables to manage. One PTE to lock, one set of |
165 | +accessed bits, dirty bits, etc... |
166 | + |
167 | +Overhead |
168 | +======== |
169 | + |
170 | +Protection against side-channel attacks is important. But, |
171 | +this protection comes at a cost: |
172 | + |
173 | +1. Increased Memory Use |
174 | + a. Each process now needs an order-1 PGD instead of order-0. |
175 | + (Consumes an additional 4k per process). |
176 | + b. The 'cpu_entry_area' structure must be 2MB in size and 2MB |
177 | + aligned so that it can be mapped by setting a single PMD |
178 | + entry. This consumes nearly 2MB of RAM once the kernel |
179 | + is decompressed, but no space in the kernel image itself. |
180 | + |
181 | +2. Runtime Cost |
182 | + a. CR3 manipulation to switch between the page table copies |
183 | + must be done at interrupt, syscall, and exception entry |
184 | + and exit (it can be skipped when the kernel is interrupted, |
185 | + though.) Moves to CR3 are on the order of a hundred |
186 | + cycles, and are required at every entry and exit. |
187 | + b. A "trampoline" must be used for SYSCALL entry. This |
188 | + trampoline depends on a smaller set of resources than the |
189 | + non-PTI SYSCALL entry code, so requires mapping fewer |
190 | + things into the userspace page tables. The downside is |
191 | + that stacks must be switched at entry time. |
192 | + d. Global pages are disabled for all kernel structures not |
193 | + mapped into both kernel and userspace page tables. This |
194 | + feature of the MMU allows different processes to share TLB |
195 | + entries mapping the kernel. Losing the feature means more |
196 | + TLB misses after a context switch. The actual loss of |
197 | + performance is very small, however, never exceeding 1%. |
198 | + d. Process Context IDentifiers (PCID) is a CPU feature that |
199 | + allows us to skip flushing the entire TLB when switching page |
200 | + tables by setting a special bit in CR3 when the page tables |
201 | + are changed. This makes switching the page tables (at context |
202 | + switch, or kernel entry/exit) cheaper. But, on systems with |
203 | + PCID support, the context switch code must flush both the user |
204 | + and kernel entries out of the TLB. The user PCID TLB flush is |
205 | + deferred until the exit to userspace, minimizing the cost. |
206 | + See intel.com/sdm for the gory PCID/INVPCID details. |
207 | + e. The userspace page tables must be populated for each new |
208 | + process. Even without PTI, the shared kernel mappings |
209 | + are created by copying top-level (PGD) entries into each |
210 | + new process. But, with PTI, there are now *two* kernel |
211 | + mappings: one in the kernel page tables that maps everything |
212 | + and one for the entry/exit structures. At fork(), we need to |
213 | + copy both. |
214 | + f. In addition to the fork()-time copying, there must also |
215 | + be an update to the userspace PGD any time a set_pgd() is done |
216 | + on a PGD used to map userspace. This ensures that the kernel |
217 | + and userspace copies always map the same userspace |
218 | + memory. |
219 | + g. On systems without PCID support, each CR3 write flushes |
220 | + the entire TLB. That means that each syscall, interrupt |
221 | + or exception flushes the TLB. |
222 | + h. INVPCID is a TLB-flushing instruction which allows flushing |
223 | + of TLB entries for non-current PCIDs. Some systems support |
224 | + PCIDs, but do not support INVPCID. On these systems, addresses |
225 | + can only be flushed from the TLB for the current PCID. When |
226 | + flushing a kernel address, we need to flush all PCIDs, so a |
227 | + single kernel address flush will require a TLB-flushing CR3 |
228 | + write upon the next use of every PCID. |
229 | + |
230 | +Possible Future Work |
231 | +==================== |
232 | +1. We can be more careful about not actually writing to CR3 |
233 | + unless its value is actually changed. |
234 | +2. Allow PTI to be enabled/disabled at runtime in addition to the |
235 | + boot-time switching. |
236 | + |
237 | +Testing |
238 | +======== |
239 | + |
240 | +To test stability of PTI, the following test procedure is recommended, |
241 | +ideally doing all of these in parallel: |
242 | + |
243 | +1. Set CONFIG_DEBUG_ENTRY=y |
244 | +2. Run several copies of all of the tools/testing/selftests/x86/ tests |
245 | + (excluding MPX and protection_keys) in a loop on multiple CPUs for |
246 | + several minutes. These tests frequently uncover corner cases in the |
247 | + kernel entry code. In general, old kernels might cause these tests |
248 | + themselves to crash, but they should never crash the kernel. |
249 | +3. Run the 'perf' tool in a mode (top or record) that generates many |
250 | + frequent performance monitoring non-maskable interrupts (see "NMI" |
251 | + in /proc/interrupts). This exercises the NMI entry/exit code which |
252 | + is known to trigger bugs in code paths that did not expect to be |
253 | + interrupted, including nested NMIs. Using "-c" boosts the rate of |
254 | + NMIs, and using two -c with separate counters encourages nested NMIs |
255 | + and less deterministic behavior. |
256 | + |
257 | + while true; do perf record -c 10000 -e instructions,cycles -a sleep 10; done |
258 | + |
259 | +4. Launch a KVM virtual machine. |
260 | +5. Run 32-bit binaries on systems supporting the SYSCALL instruction. |
261 | + This has been a lightly-tested code path and needs extra scrutiny. |
262 | + |
263 | +Debugging |
264 | +========= |
265 | + |
266 | +Bugs in PTI cause a few different signatures of crashes |
267 | +that are worth noting here. |
268 | + |
269 | + * Failures of the selftests/x86 code. Usually a bug in one of the |
270 | + more obscure corners of entry_64.S |
271 | + * Crashes in early boot, especially around CPU bringup. Bugs |
272 | + in the trampoline code or mappings cause these. |
273 | + * Crashes at the first interrupt. Caused by bugs in entry_64.S, |
274 | + like screwing up a page table switch. Also caused by |
275 | + incorrectly mapping the IRQ handler entry code. |
276 | + * Crashes at the first NMI. The NMI code is separate from main |
277 | + interrupt handlers and can have bugs that do not affect |
278 | + normal interrupts. Also caused by incorrectly mapping NMI |
279 | + code. NMIs that interrupt the entry code must be very |
280 | + careful and can be the cause of crashes that show up when |
281 | + running perf. |
282 | + * Kernel crashes at the first exit to userspace. entry_64.S |
283 | + bugs, or failing to map some of the exit code. |
284 | + * Crashes at first interrupt that interrupts userspace. The paths |
285 | + in entry_64.S that return to userspace are sometimes separate |
286 | + from the ones that return to the kernel. |
287 | + * Double faults: overflowing the kernel stack because of page |
288 | + faults upon page faults. Caused by touching non-pti-mapped |
289 | + data in the entry code, or forgetting to switch to kernel |
290 | + CR3 before calling into C functions which are not pti-mapped. |
291 | + * Userspace segfaults early in boot, sometimes manifesting |
292 | + as mount(8) failing to mount the rootfs. These have |
293 | + tended to be TLB invalidation issues. Usually invalidating |
294 | + the wrong PCID, or otherwise missing an invalidation. |
295 | + |
296 | +1. https://gruss.cc/files/kaiser.pdf |
297 | +2. https://meltdownattack.com/meltdown.pdf |
298 | diff --git a/Makefile b/Makefile |
299 | index 2637f0ed0a07..aba553531d6a 100644 |
300 | --- a/Makefile |
301 | +++ b/Makefile |
302 | @@ -1,6 +1,6 @@ |
303 | VERSION = 4 |
304 | PATCHLEVEL = 9 |
305 | -SUBLEVEL = 76 |
306 | +SUBLEVEL = 77 |
307 | EXTRAVERSION = |
308 | NAME = Roaring Lionus |
309 | |
310 | diff --git a/arch/arm/kvm/mmio.c b/arch/arm/kvm/mmio.c |
311 | index b6e715fd3c90..dac7ceb1a677 100644 |
312 | --- a/arch/arm/kvm/mmio.c |
313 | +++ b/arch/arm/kvm/mmio.c |
314 | @@ -112,7 +112,7 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run) |
315 | } |
316 | |
317 | trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr, |
318 | - data); |
319 | + &data); |
320 | data = vcpu_data_host_to_guest(vcpu, data, len); |
321 | vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data); |
322 | } |
323 | @@ -182,14 +182,14 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run, |
324 | data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt), |
325 | len); |
326 | |
327 | - trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data); |
328 | + trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data); |
329 | kvm_mmio_write_buf(data_buf, len, data); |
330 | |
331 | ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len, |
332 | data_buf); |
333 | } else { |
334 | trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len, |
335 | - fault_ipa, 0); |
336 | + fault_ipa, NULL); |
337 | |
338 | ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len, |
339 | data_buf); |
340 | diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c |
341 | index c558bce989cd..6e716a5f1173 100644 |
342 | --- a/arch/mips/kernel/process.c |
343 | +++ b/arch/mips/kernel/process.c |
344 | @@ -683,6 +683,18 @@ int mips_set_process_fp_mode(struct task_struct *task, unsigned int value) |
345 | struct task_struct *t; |
346 | int max_users; |
347 | |
348 | + /* If nothing to change, return right away, successfully. */ |
349 | + if (value == mips_get_process_fp_mode(task)) |
350 | + return 0; |
351 | + |
352 | + /* Only accept a mode change if 64-bit FP enabled for o32. */ |
353 | + if (!IS_ENABLED(CONFIG_MIPS_O32_FP64_SUPPORT)) |
354 | + return -EOPNOTSUPP; |
355 | + |
356 | + /* And only for o32 tasks. */ |
357 | + if (IS_ENABLED(CONFIG_64BIT) && !test_thread_flag(TIF_32BIT_REGS)) |
358 | + return -EOPNOTSUPP; |
359 | + |
360 | /* Check the value is valid */ |
361 | if (value & ~known_bits) |
362 | return -EOPNOTSUPP; |
363 | diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c |
364 | index 11890e6e4093..0c8ae2cc6380 100644 |
365 | --- a/arch/mips/kernel/ptrace.c |
366 | +++ b/arch/mips/kernel/ptrace.c |
367 | @@ -439,63 +439,160 @@ static int gpr64_set(struct task_struct *target, |
368 | |
369 | #endif /* CONFIG_64BIT */ |
370 | |
371 | +/* |
372 | + * Copy the floating-point context to the supplied NT_PRFPREG buffer, |
373 | + * !CONFIG_CPU_HAS_MSA variant. FP context's general register slots |
374 | + * correspond 1:1 to buffer slots. Only general registers are copied. |
375 | + */ |
376 | +static int fpr_get_fpa(struct task_struct *target, |
377 | + unsigned int *pos, unsigned int *count, |
378 | + void **kbuf, void __user **ubuf) |
379 | +{ |
380 | + return user_regset_copyout(pos, count, kbuf, ubuf, |
381 | + &target->thread.fpu, |
382 | + 0, NUM_FPU_REGS * sizeof(elf_fpreg_t)); |
383 | +} |
384 | + |
385 | +/* |
386 | + * Copy the floating-point context to the supplied NT_PRFPREG buffer, |
387 | + * CONFIG_CPU_HAS_MSA variant. Only lower 64 bits of FP context's |
388 | + * general register slots are copied to buffer slots. Only general |
389 | + * registers are copied. |
390 | + */ |
391 | +static int fpr_get_msa(struct task_struct *target, |
392 | + unsigned int *pos, unsigned int *count, |
393 | + void **kbuf, void __user **ubuf) |
394 | +{ |
395 | + unsigned int i; |
396 | + u64 fpr_val; |
397 | + int err; |
398 | + |
399 | + BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t)); |
400 | + for (i = 0; i < NUM_FPU_REGS; i++) { |
401 | + fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0); |
402 | + err = user_regset_copyout(pos, count, kbuf, ubuf, |
403 | + &fpr_val, i * sizeof(elf_fpreg_t), |
404 | + (i + 1) * sizeof(elf_fpreg_t)); |
405 | + if (err) |
406 | + return err; |
407 | + } |
408 | + |
409 | + return 0; |
410 | +} |
411 | + |
412 | +/* |
413 | + * Copy the floating-point context to the supplied NT_PRFPREG buffer. |
414 | + * Choose the appropriate helper for general registers, and then copy |
415 | + * the FCSR register separately. |
416 | + */ |
417 | static int fpr_get(struct task_struct *target, |
418 | const struct user_regset *regset, |
419 | unsigned int pos, unsigned int count, |
420 | void *kbuf, void __user *ubuf) |
421 | { |
422 | - unsigned i; |
423 | + const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t); |
424 | int err; |
425 | - u64 fpr_val; |
426 | |
427 | - /* XXX fcr31 */ |
428 | + if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t)) |
429 | + err = fpr_get_fpa(target, &pos, &count, &kbuf, &ubuf); |
430 | + else |
431 | + err = fpr_get_msa(target, &pos, &count, &kbuf, &ubuf); |
432 | + if (err) |
433 | + return err; |
434 | |
435 | - if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t)) |
436 | - return user_regset_copyout(&pos, &count, &kbuf, &ubuf, |
437 | - &target->thread.fpu, |
438 | - 0, sizeof(elf_fpregset_t)); |
439 | + err = user_regset_copyout(&pos, &count, &kbuf, &ubuf, |
440 | + &target->thread.fpu.fcr31, |
441 | + fcr31_pos, fcr31_pos + sizeof(u32)); |
442 | |
443 | - for (i = 0; i < NUM_FPU_REGS; i++) { |
444 | - fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0); |
445 | - err = user_regset_copyout(&pos, &count, &kbuf, &ubuf, |
446 | - &fpr_val, i * sizeof(elf_fpreg_t), |
447 | - (i + 1) * sizeof(elf_fpreg_t)); |
448 | + return err; |
449 | +} |
450 | + |
451 | +/* |
452 | + * Copy the supplied NT_PRFPREG buffer to the floating-point context, |
453 | + * !CONFIG_CPU_HAS_MSA variant. Buffer slots correspond 1:1 to FP |
454 | + * context's general register slots. Only general registers are copied. |
455 | + */ |
456 | +static int fpr_set_fpa(struct task_struct *target, |
457 | + unsigned int *pos, unsigned int *count, |
458 | + const void **kbuf, const void __user **ubuf) |
459 | +{ |
460 | + return user_regset_copyin(pos, count, kbuf, ubuf, |
461 | + &target->thread.fpu, |
462 | + 0, NUM_FPU_REGS * sizeof(elf_fpreg_t)); |
463 | +} |
464 | + |
465 | +/* |
466 | + * Copy the supplied NT_PRFPREG buffer to the floating-point context, |
467 | + * CONFIG_CPU_HAS_MSA variant. Buffer slots are copied to lower 64 |
468 | + * bits only of FP context's general register slots. Only general |
469 | + * registers are copied. |
470 | + */ |
471 | +static int fpr_set_msa(struct task_struct *target, |
472 | + unsigned int *pos, unsigned int *count, |
473 | + const void **kbuf, const void __user **ubuf) |
474 | +{ |
475 | + unsigned int i; |
476 | + u64 fpr_val; |
477 | + int err; |
478 | + |
479 | + BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t)); |
480 | + for (i = 0; i < NUM_FPU_REGS && *count > 0; i++) { |
481 | + err = user_regset_copyin(pos, count, kbuf, ubuf, |
482 | + &fpr_val, i * sizeof(elf_fpreg_t), |
483 | + (i + 1) * sizeof(elf_fpreg_t)); |
484 | if (err) |
485 | return err; |
486 | + set_fpr64(&target->thread.fpu.fpr[i], 0, fpr_val); |
487 | } |
488 | |
489 | return 0; |
490 | } |
491 | |
492 | +/* |
493 | + * Copy the supplied NT_PRFPREG buffer to the floating-point context. |
494 | + * Choose the appropriate helper for general registers, and then copy |
495 | + * the FCSR register separately. |
496 | + * |
497 | + * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0', |
498 | + * which is supposed to have been guaranteed by the kernel before |
499 | + * calling us, e.g. in `ptrace_regset'. We enforce that requirement, |
500 | + * so that we can safely avoid preinitializing temporaries for |
501 | + * partial register writes. |
502 | + */ |
503 | static int fpr_set(struct task_struct *target, |
504 | const struct user_regset *regset, |
505 | unsigned int pos, unsigned int count, |
506 | const void *kbuf, const void __user *ubuf) |
507 | { |
508 | - unsigned i; |
509 | + const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t); |
510 | + u32 fcr31; |
511 | int err; |
512 | - u64 fpr_val; |
513 | |
514 | - /* XXX fcr31 */ |
515 | + BUG_ON(count % sizeof(elf_fpreg_t)); |
516 | + |
517 | + if (pos + count > sizeof(elf_fpregset_t)) |
518 | + return -EIO; |
519 | |
520 | init_fp_ctx(target); |
521 | |
522 | - if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t)) |
523 | - return user_regset_copyin(&pos, &count, &kbuf, &ubuf, |
524 | - &target->thread.fpu, |
525 | - 0, sizeof(elf_fpregset_t)); |
526 | + if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t)) |
527 | + err = fpr_set_fpa(target, &pos, &count, &kbuf, &ubuf); |
528 | + else |
529 | + err = fpr_set_msa(target, &pos, &count, &kbuf, &ubuf); |
530 | + if (err) |
531 | + return err; |
532 | |
533 | - BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t)); |
534 | - for (i = 0; i < NUM_FPU_REGS && count >= sizeof(elf_fpreg_t); i++) { |
535 | + if (count > 0) { |
536 | err = user_regset_copyin(&pos, &count, &kbuf, &ubuf, |
537 | - &fpr_val, i * sizeof(elf_fpreg_t), |
538 | - (i + 1) * sizeof(elf_fpreg_t)); |
539 | + &fcr31, |
540 | + fcr31_pos, fcr31_pos + sizeof(u32)); |
541 | if (err) |
542 | return err; |
543 | - set_fpr64(&target->thread.fpu.fpr[i], 0, fpr_val); |
544 | + |
545 | + ptrace_setfcr31(target, fcr31); |
546 | } |
547 | |
548 | - return 0; |
549 | + return err; |
550 | } |
551 | |
552 | enum mips_regset { |
553 | diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig |
554 | index da8156fd3d58..0ca4d12ce95c 100644 |
555 | --- a/arch/x86/Kconfig |
556 | +++ b/arch/x86/Kconfig |
557 | @@ -64,6 +64,7 @@ config X86 |
558 | select GENERIC_CLOCKEVENTS_MIN_ADJUST |
559 | select GENERIC_CMOS_UPDATE |
560 | select GENERIC_CPU_AUTOPROBE |
561 | + select GENERIC_CPU_VULNERABILITIES |
562 | select GENERIC_EARLY_IOREMAP |
563 | select GENERIC_FIND_FIRST_BIT |
564 | select GENERIC_IOMAP |
565 | @@ -407,6 +408,19 @@ config GOLDFISH |
566 | def_bool y |
567 | depends on X86_GOLDFISH |
568 | |
569 | +config RETPOLINE |
570 | + bool "Avoid speculative indirect branches in kernel" |
571 | + default y |
572 | + ---help--- |
573 | + Compile kernel with the retpoline compiler options to guard against |
574 | + kernel-to-user data leaks by avoiding speculative indirect |
575 | + branches. Requires a compiler with -mindirect-branch=thunk-extern |
576 | + support for full protection. The kernel may run slower. |
577 | + |
578 | + Without compiler support, at least indirect branches in assembler |
579 | + code are eliminated. Since this includes the syscall entry path, |
580 | + it is not entirely pointless. |
581 | + |
582 | if X86_32 |
583 | config X86_EXTENDED_PLATFORM |
584 | bool "Support for extended (non-PC) x86 platforms" |
585 | diff --git a/arch/x86/Makefile b/arch/x86/Makefile |
586 | index 2d449337a360..cd22cb8ebd42 100644 |
587 | --- a/arch/x86/Makefile |
588 | +++ b/arch/x86/Makefile |
589 | @@ -182,6 +182,14 @@ KBUILD_CFLAGS += -fno-asynchronous-unwind-tables |
590 | KBUILD_CFLAGS += $(mflags-y) |
591 | KBUILD_AFLAGS += $(mflags-y) |
592 | |
593 | +# Avoid indirect branches in kernel to deal with Spectre |
594 | +ifdef CONFIG_RETPOLINE |
595 | + RETPOLINE_CFLAGS += $(call cc-option,-mindirect-branch=thunk-extern -mindirect-branch-register) |
596 | + ifneq ($(RETPOLINE_CFLAGS),) |
597 | + KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE |
598 | + endif |
599 | +endif |
600 | + |
601 | archscripts: scripts_basic |
602 | $(Q)$(MAKE) $(build)=arch/x86/tools relocs |
603 | |
604 | diff --git a/arch/x86/crypto/aesni-intel_asm.S b/arch/x86/crypto/aesni-intel_asm.S |
605 | index 383a6f84a060..fa8801b35e51 100644 |
606 | --- a/arch/x86/crypto/aesni-intel_asm.S |
607 | +++ b/arch/x86/crypto/aesni-intel_asm.S |
608 | @@ -32,6 +32,7 @@ |
609 | #include <linux/linkage.h> |
610 | #include <asm/inst.h> |
611 | #include <asm/frame.h> |
612 | +#include <asm/nospec-branch.h> |
613 | |
614 | /* |
615 | * The following macros are used to move an (un)aligned 16 byte value to/from |
616 | @@ -2734,7 +2735,7 @@ ENTRY(aesni_xts_crypt8) |
617 | pxor INC, STATE4 |
618 | movdqu IV, 0x30(OUTP) |
619 | |
620 | - call *%r11 |
621 | + CALL_NOSPEC %r11 |
622 | |
623 | movdqu 0x00(OUTP), INC |
624 | pxor INC, STATE1 |
625 | @@ -2779,7 +2780,7 @@ ENTRY(aesni_xts_crypt8) |
626 | _aesni_gf128mul_x_ble() |
627 | movups IV, (IVP) |
628 | |
629 | - call *%r11 |
630 | + CALL_NOSPEC %r11 |
631 | |
632 | movdqu 0x40(OUTP), INC |
633 | pxor INC, STATE1 |
634 | diff --git a/arch/x86/crypto/camellia-aesni-avx-asm_64.S b/arch/x86/crypto/camellia-aesni-avx-asm_64.S |
635 | index aa9e8bd163f6..77ff4de2224d 100644 |
636 | --- a/arch/x86/crypto/camellia-aesni-avx-asm_64.S |
637 | +++ b/arch/x86/crypto/camellia-aesni-avx-asm_64.S |
638 | @@ -17,6 +17,7 @@ |
639 | |
640 | #include <linux/linkage.h> |
641 | #include <asm/frame.h> |
642 | +#include <asm/nospec-branch.h> |
643 | |
644 | #define CAMELLIA_TABLE_BYTE_LEN 272 |
645 | |
646 | @@ -1224,7 +1225,7 @@ camellia_xts_crypt_16way: |
647 | vpxor 14 * 16(%rax), %xmm15, %xmm14; |
648 | vpxor 15 * 16(%rax), %xmm15, %xmm15; |
649 | |
650 | - call *%r9; |
651 | + CALL_NOSPEC %r9; |
652 | |
653 | addq $(16 * 16), %rsp; |
654 | |
655 | diff --git a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S |
656 | index 16186c18656d..7384342fbb41 100644 |
657 | --- a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S |
658 | +++ b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S |
659 | @@ -12,6 +12,7 @@ |
660 | |
661 | #include <linux/linkage.h> |
662 | #include <asm/frame.h> |
663 | +#include <asm/nospec-branch.h> |
664 | |
665 | #define CAMELLIA_TABLE_BYTE_LEN 272 |
666 | |
667 | @@ -1337,7 +1338,7 @@ camellia_xts_crypt_32way: |
668 | vpxor 14 * 32(%rax), %ymm15, %ymm14; |
669 | vpxor 15 * 32(%rax), %ymm15, %ymm15; |
670 | |
671 | - call *%r9; |
672 | + CALL_NOSPEC %r9; |
673 | |
674 | addq $(16 * 32), %rsp; |
675 | |
676 | diff --git a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S |
677 | index dc05f010ca9b..174fd4146043 100644 |
678 | --- a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S |
679 | +++ b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S |
680 | @@ -45,6 +45,7 @@ |
681 | |
682 | #include <asm/inst.h> |
683 | #include <linux/linkage.h> |
684 | +#include <asm/nospec-branch.h> |
685 | |
686 | ## ISCSI CRC 32 Implementation with crc32 and pclmulqdq Instruction |
687 | |
688 | @@ -172,7 +173,7 @@ continue_block: |
689 | movzxw (bufp, %rax, 2), len |
690 | lea crc_array(%rip), bufp |
691 | lea (bufp, len, 1), bufp |
692 | - jmp *bufp |
693 | + JMP_NOSPEC bufp |
694 | |
695 | ################################################################ |
696 | ## 2a) PROCESS FULL BLOCKS: |
697 | diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S |
698 | index edba8606b99a..bdc9aeaf2e45 100644 |
699 | --- a/arch/x86/entry/entry_32.S |
700 | +++ b/arch/x86/entry/entry_32.S |
701 | @@ -45,6 +45,7 @@ |
702 | #include <asm/asm.h> |
703 | #include <asm/smap.h> |
704 | #include <asm/export.h> |
705 | +#include <asm/nospec-branch.h> |
706 | |
707 | .section .entry.text, "ax" |
708 | |
709 | @@ -260,7 +261,7 @@ ENTRY(ret_from_fork) |
710 | |
711 | /* kernel thread */ |
712 | 1: movl %edi, %eax |
713 | - call *%ebx |
714 | + CALL_NOSPEC %ebx |
715 | /* |
716 | * A kernel thread is allowed to return here after successfully |
717 | * calling do_execve(). Exit to userspace to complete the execve() |
718 | @@ -984,7 +985,8 @@ trace: |
719 | movl 0x4(%ebp), %edx |
720 | subl $MCOUNT_INSN_SIZE, %eax |
721 | |
722 | - call *ftrace_trace_function |
723 | + movl ftrace_trace_function, %ecx |
724 | + CALL_NOSPEC %ecx |
725 | |
726 | popl %edx |
727 | popl %ecx |
728 | @@ -1020,7 +1022,7 @@ return_to_handler: |
729 | movl %eax, %ecx |
730 | popl %edx |
731 | popl %eax |
732 | - jmp *%ecx |
733 | + JMP_NOSPEC %ecx |
734 | #endif |
735 | |
736 | #ifdef CONFIG_TRACING |
737 | @@ -1062,7 +1064,7 @@ error_code: |
738 | movl %ecx, %es |
739 | TRACE_IRQS_OFF |
740 | movl %esp, %eax # pt_regs pointer |
741 | - call *%edi |
742 | + CALL_NOSPEC %edi |
743 | jmp ret_from_exception |
744 | END(page_fault) |
745 | |
746 | diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S |
747 | index af4e58132d91..b9c901ce6582 100644 |
748 | --- a/arch/x86/entry/entry_64.S |
749 | +++ b/arch/x86/entry/entry_64.S |
750 | @@ -37,6 +37,7 @@ |
751 | #include <asm/pgtable_types.h> |
752 | #include <asm/export.h> |
753 | #include <asm/kaiser.h> |
754 | +#include <asm/nospec-branch.h> |
755 | #include <linux/err.h> |
756 | |
757 | /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */ |
758 | @@ -208,7 +209,12 @@ entry_SYSCALL_64_fastpath: |
759 | * It might end up jumping to the slow path. If it jumps, RAX |
760 | * and all argument registers are clobbered. |
761 | */ |
762 | +#ifdef CONFIG_RETPOLINE |
763 | + movq sys_call_table(, %rax, 8), %rax |
764 | + call __x86_indirect_thunk_rax |
765 | +#else |
766 | call *sys_call_table(, %rax, 8) |
767 | +#endif |
768 | .Lentry_SYSCALL_64_after_fastpath_call: |
769 | |
770 | movq %rax, RAX(%rsp) |
771 | @@ -380,7 +386,7 @@ ENTRY(stub_ptregs_64) |
772 | jmp entry_SYSCALL64_slow_path |
773 | |
774 | 1: |
775 | - jmp *%rax /* Called from C */ |
776 | + JMP_NOSPEC %rax /* Called from C */ |
777 | END(stub_ptregs_64) |
778 | |
779 | .macro ptregs_stub func |
780 | @@ -457,7 +463,7 @@ ENTRY(ret_from_fork) |
781 | 1: |
782 | /* kernel thread */ |
783 | movq %r12, %rdi |
784 | - call *%rbx |
785 | + CALL_NOSPEC %rbx |
786 | /* |
787 | * A kernel thread is allowed to return here after successfully |
788 | * calling do_execve(). Exit to userspace to complete the execve() |
789 | diff --git a/arch/x86/include/asm/alternative.h b/arch/x86/include/asm/alternative.h |
790 | index d4aea31eec03..deca9b9c7923 100644 |
791 | --- a/arch/x86/include/asm/alternative.h |
792 | +++ b/arch/x86/include/asm/alternative.h |
793 | @@ -139,7 +139,7 @@ static inline int alternatives_text_reserved(void *start, void *end) |
794 | ".popsection\n" \ |
795 | ".pushsection .altinstr_replacement, \"ax\"\n" \ |
796 | ALTINSTR_REPLACEMENT(newinstr, feature, 1) \ |
797 | - ".popsection" |
798 | + ".popsection\n" |
799 | |
800 | #define ALTERNATIVE_2(oldinstr, newinstr1, feature1, newinstr2, feature2)\ |
801 | OLDINSTR_2(oldinstr, 1, 2) \ |
802 | @@ -150,7 +150,7 @@ static inline int alternatives_text_reserved(void *start, void *end) |
803 | ".pushsection .altinstr_replacement, \"ax\"\n" \ |
804 | ALTINSTR_REPLACEMENT(newinstr1, feature1, 1) \ |
805 | ALTINSTR_REPLACEMENT(newinstr2, feature2, 2) \ |
806 | - ".popsection" |
807 | + ".popsection\n" |
808 | |
809 | /* |
810 | * Alternative instructions for different CPU types or capabilities. |
811 | diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h |
812 | index 44b8762fa0c7..b15aa4083dfd 100644 |
813 | --- a/arch/x86/include/asm/asm-prototypes.h |
814 | +++ b/arch/x86/include/asm/asm-prototypes.h |
815 | @@ -10,7 +10,32 @@ |
816 | #include <asm/pgtable.h> |
817 | #include <asm/special_insns.h> |
818 | #include <asm/preempt.h> |
819 | +#include <asm/asm.h> |
820 | |
821 | #ifndef CONFIG_X86_CMPXCHG64 |
822 | extern void cmpxchg8b_emu(void); |
823 | #endif |
824 | + |
825 | +#ifdef CONFIG_RETPOLINE |
826 | +#ifdef CONFIG_X86_32 |
827 | +#define INDIRECT_THUNK(reg) extern asmlinkage void __x86_indirect_thunk_e ## reg(void); |
828 | +#else |
829 | +#define INDIRECT_THUNK(reg) extern asmlinkage void __x86_indirect_thunk_r ## reg(void); |
830 | +INDIRECT_THUNK(8) |
831 | +INDIRECT_THUNK(9) |
832 | +INDIRECT_THUNK(10) |
833 | +INDIRECT_THUNK(11) |
834 | +INDIRECT_THUNK(12) |
835 | +INDIRECT_THUNK(13) |
836 | +INDIRECT_THUNK(14) |
837 | +INDIRECT_THUNK(15) |
838 | +#endif |
839 | +INDIRECT_THUNK(ax) |
840 | +INDIRECT_THUNK(bx) |
841 | +INDIRECT_THUNK(cx) |
842 | +INDIRECT_THUNK(dx) |
843 | +INDIRECT_THUNK(si) |
844 | +INDIRECT_THUNK(di) |
845 | +INDIRECT_THUNK(bp) |
846 | +INDIRECT_THUNK(sp) |
847 | +#endif /* CONFIG_RETPOLINE */ |
848 | diff --git a/arch/x86/include/asm/asm.h b/arch/x86/include/asm/asm.h |
849 | index 7acb51c49fec..00523524edbf 100644 |
850 | --- a/arch/x86/include/asm/asm.h |
851 | +++ b/arch/x86/include/asm/asm.h |
852 | @@ -125,4 +125,15 @@ |
853 | /* For C file, we already have NOKPROBE_SYMBOL macro */ |
854 | #endif |
855 | |
856 | +#ifndef __ASSEMBLY__ |
857 | +/* |
858 | + * This output constraint should be used for any inline asm which has a "call" |
859 | + * instruction. Otherwise the asm may be inserted before the frame pointer |
860 | + * gets set up by the containing function. If you forget to do this, objtool |
861 | + * may print a "call without frame pointer save/setup" warning. |
862 | + */ |
863 | +register unsigned long current_stack_pointer asm(_ASM_SP); |
864 | +#define ASM_CALL_CONSTRAINT "+r" (current_stack_pointer) |
865 | +#endif |
866 | + |
867 | #endif /* _ASM_X86_ASM_H */ |
868 | diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h |
869 | index 1d2b69fc0ceb..9ea67a04ff4f 100644 |
870 | --- a/arch/x86/include/asm/cpufeature.h |
871 | +++ b/arch/x86/include/asm/cpufeature.h |
872 | @@ -135,6 +135,8 @@ extern const char * const x86_bug_flags[NBUGINTS*32]; |
873 | set_bit(bit, (unsigned long *)cpu_caps_set); \ |
874 | } while (0) |
875 | |
876 | +#define setup_force_cpu_bug(bit) setup_force_cpu_cap(bit) |
877 | + |
878 | #if defined(CC_HAVE_ASM_GOTO) && defined(CONFIG_X86_FAST_FEATURE_TESTS) |
879 | /* |
880 | * Static testing of CPU features. Used the same as boot_cpu_has(). |
881 | diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h |
882 | index 454a37adb823..4467568a531b 100644 |
883 | --- a/arch/x86/include/asm/cpufeatures.h |
884 | +++ b/arch/x86/include/asm/cpufeatures.h |
885 | @@ -194,6 +194,9 @@ |
886 | #define X86_FEATURE_HW_PSTATE ( 7*32+ 8) /* AMD HW-PState */ |
887 | #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */ |
888 | |
889 | +#define X86_FEATURE_RETPOLINE ( 7*32+12) /* Generic Retpoline mitigation for Spectre variant 2 */ |
890 | +#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* AMD Retpoline mitigation for Spectre variant 2 */ |
891 | + |
892 | #define X86_FEATURE_INTEL_PT ( 7*32+15) /* Intel Processor Trace */ |
893 | #define X86_FEATURE_AVX512_4VNNIW (7*32+16) /* AVX-512 Neural Network Instructions */ |
894 | #define X86_FEATURE_AVX512_4FMAPS (7*32+17) /* AVX-512 Multiply Accumulation Single precision */ |
895 | @@ -316,5 +319,8 @@ |
896 | #define X86_BUG_SWAPGS_FENCE X86_BUG(11) /* SWAPGS without input dep on GS */ |
897 | #define X86_BUG_MONITOR X86_BUG(12) /* IPI required to wake up remote CPU */ |
898 | #define X86_BUG_AMD_E400 X86_BUG(13) /* CPU is among the affected by Erratum 400 */ |
899 | +#define X86_BUG_CPU_MELTDOWN X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */ |
900 | +#define X86_BUG_SPECTRE_V1 X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */ |
901 | +#define X86_BUG_SPECTRE_V2 X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */ |
902 | |
903 | #endif /* _ASM_X86_CPUFEATURES_H */ |
904 | diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h |
905 | index b601ddac5719..b11c4c072df8 100644 |
906 | --- a/arch/x86/include/asm/msr-index.h |
907 | +++ b/arch/x86/include/asm/msr-index.h |
908 | @@ -330,6 +330,9 @@ |
909 | #define FAM10H_MMIO_CONF_BASE_MASK 0xfffffffULL |
910 | #define FAM10H_MMIO_CONF_BASE_SHIFT 20 |
911 | #define MSR_FAM10H_NODE_ID 0xc001100c |
912 | +#define MSR_F10H_DECFG 0xc0011029 |
913 | +#define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT 1 |
914 | +#define MSR_F10H_DECFG_LFENCE_SERIALIZE BIT_ULL(MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT) |
915 | |
916 | /* K8 MSRs */ |
917 | #define MSR_K8_TOP_MEM1 0xc001001a |
918 | diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h |
919 | new file mode 100644 |
920 | index 000000000000..402a11c803c3 |
921 | --- /dev/null |
922 | +++ b/arch/x86/include/asm/nospec-branch.h |
923 | @@ -0,0 +1,214 @@ |
924 | +/* SPDX-License-Identifier: GPL-2.0 */ |
925 | + |
926 | +#ifndef __NOSPEC_BRANCH_H__ |
927 | +#define __NOSPEC_BRANCH_H__ |
928 | + |
929 | +#include <asm/alternative.h> |
930 | +#include <asm/alternative-asm.h> |
931 | +#include <asm/cpufeatures.h> |
932 | + |
933 | +/* |
934 | + * Fill the CPU return stack buffer. |
935 | + * |
936 | + * Each entry in the RSB, if used for a speculative 'ret', contains an |
937 | + * infinite 'pause; jmp' loop to capture speculative execution. |
938 | + * |
939 | + * This is required in various cases for retpoline and IBRS-based |
940 | + * mitigations for the Spectre variant 2 vulnerability. Sometimes to |
941 | + * eliminate potentially bogus entries from the RSB, and sometimes |
942 | + * purely to ensure that it doesn't get empty, which on some CPUs would |
943 | + * allow predictions from other (unwanted!) sources to be used. |
944 | + * |
945 | + * We define a CPP macro such that it can be used from both .S files and |
946 | + * inline assembly. It's possible to do a .macro and then include that |
947 | + * from C via asm(".include <asm/nospec-branch.h>") but let's not go there. |
948 | + */ |
949 | + |
950 | +#define RSB_CLEAR_LOOPS 32 /* To forcibly overwrite all entries */ |
951 | +#define RSB_FILL_LOOPS 16 /* To avoid underflow */ |
952 | + |
953 | +/* |
954 | + * Google experimented with loop-unrolling and this turned out to be |
955 | + * the optimal version — two calls, each with their own speculation |
956 | + * trap should their return address end up getting used, in a loop. |
957 | + */ |
958 | +#define __FILL_RETURN_BUFFER(reg, nr, sp) \ |
959 | + mov $(nr/2), reg; \ |
960 | +771: \ |
961 | + call 772f; \ |
962 | +773: /* speculation trap */ \ |
963 | + pause; \ |
964 | + jmp 773b; \ |
965 | +772: \ |
966 | + call 774f; \ |
967 | +775: /* speculation trap */ \ |
968 | + pause; \ |
969 | + jmp 775b; \ |
970 | +774: \ |
971 | + dec reg; \ |
972 | + jnz 771b; \ |
973 | + add $(BITS_PER_LONG/8) * nr, sp; |
974 | + |
975 | +#ifdef __ASSEMBLY__ |
976 | + |
977 | +/* |
978 | + * This should be used immediately before a retpoline alternative. It tells |
979 | + * objtool where the retpolines are so that it can make sense of the control |
980 | + * flow by just reading the original instruction(s) and ignoring the |
981 | + * alternatives. |
982 | + */ |
983 | +.macro ANNOTATE_NOSPEC_ALTERNATIVE |
984 | + .Lannotate_\@: |
985 | + .pushsection .discard.nospec |
986 | + .long .Lannotate_\@ - . |
987 | + .popsection |
988 | +.endm |
989 | + |
990 | +/* |
991 | + * These are the bare retpoline primitives for indirect jmp and call. |
992 | + * Do not use these directly; they only exist to make the ALTERNATIVE |
993 | + * invocation below less ugly. |
994 | + */ |
995 | +.macro RETPOLINE_JMP reg:req |
996 | + call .Ldo_rop_\@ |
997 | +.Lspec_trap_\@: |
998 | + pause |
999 | + jmp .Lspec_trap_\@ |
1000 | +.Ldo_rop_\@: |
1001 | + mov \reg, (%_ASM_SP) |
1002 | + ret |
1003 | +.endm |
1004 | + |
1005 | +/* |
1006 | + * This is a wrapper around RETPOLINE_JMP so the called function in reg |
1007 | + * returns to the instruction after the macro. |
1008 | + */ |
1009 | +.macro RETPOLINE_CALL reg:req |
1010 | + jmp .Ldo_call_\@ |
1011 | +.Ldo_retpoline_jmp_\@: |
1012 | + RETPOLINE_JMP \reg |
1013 | +.Ldo_call_\@: |
1014 | + call .Ldo_retpoline_jmp_\@ |
1015 | +.endm |
1016 | + |
1017 | +/* |
1018 | + * JMP_NOSPEC and CALL_NOSPEC macros can be used instead of a simple |
1019 | + * indirect jmp/call which may be susceptible to the Spectre variant 2 |
1020 | + * attack. |
1021 | + */ |
1022 | +.macro JMP_NOSPEC reg:req |
1023 | +#ifdef CONFIG_RETPOLINE |
1024 | + ANNOTATE_NOSPEC_ALTERNATIVE |
1025 | + ALTERNATIVE_2 __stringify(jmp *\reg), \ |
1026 | + __stringify(RETPOLINE_JMP \reg), X86_FEATURE_RETPOLINE, \ |
1027 | + __stringify(lfence; jmp *\reg), X86_FEATURE_RETPOLINE_AMD |
1028 | +#else |
1029 | + jmp *\reg |
1030 | +#endif |
1031 | +.endm |
1032 | + |
1033 | +.macro CALL_NOSPEC reg:req |
1034 | +#ifdef CONFIG_RETPOLINE |
1035 | + ANNOTATE_NOSPEC_ALTERNATIVE |
1036 | + ALTERNATIVE_2 __stringify(call *\reg), \ |
1037 | + __stringify(RETPOLINE_CALL \reg), X86_FEATURE_RETPOLINE,\ |
1038 | + __stringify(lfence; call *\reg), X86_FEATURE_RETPOLINE_AMD |
1039 | +#else |
1040 | + call *\reg |
1041 | +#endif |
1042 | +.endm |
1043 | + |
1044 | + /* |
1045 | + * A simpler FILL_RETURN_BUFFER macro. Don't make people use the CPP |
1046 | + * monstrosity above, manually. |
1047 | + */ |
1048 | +.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req |
1049 | +#ifdef CONFIG_RETPOLINE |
1050 | + ANNOTATE_NOSPEC_ALTERNATIVE |
1051 | + ALTERNATIVE "jmp .Lskip_rsb_\@", \ |
1052 | + __stringify(__FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP)) \ |
1053 | + \ftr |
1054 | +.Lskip_rsb_\@: |
1055 | +#endif |
1056 | +.endm |
1057 | + |
1058 | +#else /* __ASSEMBLY__ */ |
1059 | + |
1060 | +#define ANNOTATE_NOSPEC_ALTERNATIVE \ |
1061 | + "999:\n\t" \ |
1062 | + ".pushsection .discard.nospec\n\t" \ |
1063 | + ".long 999b - .\n\t" \ |
1064 | + ".popsection\n\t" |
1065 | + |
1066 | +#if defined(CONFIG_X86_64) && defined(RETPOLINE) |
1067 | + |
1068 | +/* |
1069 | + * Since the inline asm uses the %V modifier which is only in newer GCC, |
1070 | + * the 64-bit one is dependent on RETPOLINE not CONFIG_RETPOLINE. |
1071 | + */ |
1072 | +# define CALL_NOSPEC \ |
1073 | + ANNOTATE_NOSPEC_ALTERNATIVE \ |
1074 | + ALTERNATIVE( \ |
1075 | + "call *%[thunk_target]\n", \ |
1076 | + "call __x86_indirect_thunk_%V[thunk_target]\n", \ |
1077 | + X86_FEATURE_RETPOLINE) |
1078 | +# define THUNK_TARGET(addr) [thunk_target] "r" (addr) |
1079 | + |
1080 | +#elif defined(CONFIG_X86_32) && defined(CONFIG_RETPOLINE) |
1081 | +/* |
1082 | + * For i386 we use the original ret-equivalent retpoline, because |
1083 | + * otherwise we'll run out of registers. We don't care about CET |
1084 | + * here, anyway. |
1085 | + */ |
1086 | +# define CALL_NOSPEC ALTERNATIVE("call *%[thunk_target]\n", \ |
1087 | + " jmp 904f;\n" \ |
1088 | + " .align 16\n" \ |
1089 | + "901: call 903f;\n" \ |
1090 | + "902: pause;\n" \ |
1091 | + " jmp 902b;\n" \ |
1092 | + " .align 16\n" \ |
1093 | + "903: addl $4, %%esp;\n" \ |
1094 | + " pushl %[thunk_target];\n" \ |
1095 | + " ret;\n" \ |
1096 | + " .align 16\n" \ |
1097 | + "904: call 901b;\n", \ |
1098 | + X86_FEATURE_RETPOLINE) |
1099 | + |
1100 | +# define THUNK_TARGET(addr) [thunk_target] "rm" (addr) |
1101 | +#else /* No retpoline for C / inline asm */ |
1102 | +# define CALL_NOSPEC "call *%[thunk_target]\n" |
1103 | +# define THUNK_TARGET(addr) [thunk_target] "rm" (addr) |
1104 | +#endif |
1105 | + |
1106 | +/* The Spectre V2 mitigation variants */ |
1107 | +enum spectre_v2_mitigation { |
1108 | + SPECTRE_V2_NONE, |
1109 | + SPECTRE_V2_RETPOLINE_MINIMAL, |
1110 | + SPECTRE_V2_RETPOLINE_MINIMAL_AMD, |
1111 | + SPECTRE_V2_RETPOLINE_GENERIC, |
1112 | + SPECTRE_V2_RETPOLINE_AMD, |
1113 | + SPECTRE_V2_IBRS, |
1114 | +}; |
1115 | + |
1116 | +/* |
1117 | + * On VMEXIT we must ensure that no RSB predictions learned in the guest |
1118 | + * can be followed in the host, by overwriting the RSB completely. Both |
1119 | + * retpoline and IBRS mitigations for Spectre v2 need this; only on future |
1120 | + * CPUs with IBRS_ATT *might* it be avoided. |
1121 | + */ |
1122 | +static inline void vmexit_fill_RSB(void) |
1123 | +{ |
1124 | +#ifdef CONFIG_RETPOLINE |
1125 | + unsigned long loops = RSB_CLEAR_LOOPS / 2; |
1126 | + |
1127 | + asm volatile (ANNOTATE_NOSPEC_ALTERNATIVE |
1128 | + ALTERNATIVE("jmp 910f", |
1129 | + __stringify(__FILL_RETURN_BUFFER(%0, RSB_CLEAR_LOOPS, %1)), |
1130 | + X86_FEATURE_RETPOLINE) |
1131 | + "910:" |
1132 | + : "=&r" (loops), ASM_CALL_CONSTRAINT |
1133 | + : "r" (loops) : "memory" ); |
1134 | +#endif |
1135 | +} |
1136 | +#endif /* __ASSEMBLY__ */ |
1137 | +#endif /* __NOSPEC_BRANCH_H__ */ |
1138 | diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h |
1139 | index b6d425999f99..1178a51b77f3 100644 |
1140 | --- a/arch/x86/include/asm/pgalloc.h |
1141 | +++ b/arch/x86/include/asm/pgalloc.h |
1142 | @@ -27,6 +27,17 @@ static inline void paravirt_release_pud(unsigned long pfn) {} |
1143 | */ |
1144 | extern gfp_t __userpte_alloc_gfp; |
1145 | |
1146 | +#ifdef CONFIG_PAGE_TABLE_ISOLATION |
1147 | +/* |
1148 | + * Instead of one PGD, we acquire two PGDs. Being order-1, it is |
1149 | + * both 8k in size and 8k-aligned. That lets us just flip bit 12 |
1150 | + * in a pointer to swap between the two 4k halves. |
1151 | + */ |
1152 | +#define PGD_ALLOCATION_ORDER 1 |
1153 | +#else |
1154 | +#define PGD_ALLOCATION_ORDER 0 |
1155 | +#endif |
1156 | + |
1157 | /* |
1158 | * Allocate and free page tables. |
1159 | */ |
1160 | diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h |
1161 | index 8cb52ee3ade6..e40b19ca486e 100644 |
1162 | --- a/arch/x86/include/asm/processor.h |
1163 | +++ b/arch/x86/include/asm/processor.h |
1164 | @@ -156,8 +156,8 @@ extern struct cpuinfo_x86 boot_cpu_data; |
1165 | extern struct cpuinfo_x86 new_cpu_data; |
1166 | |
1167 | extern struct tss_struct doublefault_tss; |
1168 | -extern __u32 cpu_caps_cleared[NCAPINTS]; |
1169 | -extern __u32 cpu_caps_set[NCAPINTS]; |
1170 | +extern __u32 cpu_caps_cleared[NCAPINTS + NBUGINTS]; |
1171 | +extern __u32 cpu_caps_set[NCAPINTS + NBUGINTS]; |
1172 | |
1173 | #ifdef CONFIG_SMP |
1174 | DECLARE_PER_CPU_READ_MOSTLY(struct cpuinfo_x86, cpu_info); |
1175 | diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h |
1176 | index ad6f5eb07a95..bdf9c4c91572 100644 |
1177 | --- a/arch/x86/include/asm/thread_info.h |
1178 | +++ b/arch/x86/include/asm/thread_info.h |
1179 | @@ -152,17 +152,6 @@ struct thread_info { |
1180 | */ |
1181 | #ifndef __ASSEMBLY__ |
1182 | |
1183 | -static inline unsigned long current_stack_pointer(void) |
1184 | -{ |
1185 | - unsigned long sp; |
1186 | -#ifdef CONFIG_X86_64 |
1187 | - asm("mov %%rsp,%0" : "=g" (sp)); |
1188 | -#else |
1189 | - asm("mov %%esp,%0" : "=g" (sp)); |
1190 | -#endif |
1191 | - return sp; |
1192 | -} |
1193 | - |
1194 | /* |
1195 | * Walks up the stack frames to make sure that the specified object is |
1196 | * entirely contained by a single stack frame. |
1197 | diff --git a/arch/x86/include/asm/xen/hypercall.h b/arch/x86/include/asm/xen/hypercall.h |
1198 | index 8b678af866f7..ccdc23d89b60 100644 |
1199 | --- a/arch/x86/include/asm/xen/hypercall.h |
1200 | +++ b/arch/x86/include/asm/xen/hypercall.h |
1201 | @@ -44,6 +44,7 @@ |
1202 | #include <asm/page.h> |
1203 | #include <asm/pgtable.h> |
1204 | #include <asm/smap.h> |
1205 | +#include <asm/nospec-branch.h> |
1206 | |
1207 | #include <xen/interface/xen.h> |
1208 | #include <xen/interface/sched.h> |
1209 | @@ -216,9 +217,9 @@ privcmd_call(unsigned call, |
1210 | __HYPERCALL_5ARG(a1, a2, a3, a4, a5); |
1211 | |
1212 | stac(); |
1213 | - asm volatile("call *%[call]" |
1214 | + asm volatile(CALL_NOSPEC |
1215 | : __HYPERCALL_5PARAM |
1216 | - : [call] "a" (&hypercall_page[call]) |
1217 | + : [thunk_target] "a" (&hypercall_page[call]) |
1218 | : __HYPERCALL_CLOBBER5); |
1219 | clac(); |
1220 | |
1221 | diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c |
1222 | index 11cc600f4df0..0a1e8a67cc99 100644 |
1223 | --- a/arch/x86/kernel/acpi/boot.c |
1224 | +++ b/arch/x86/kernel/acpi/boot.c |
1225 | @@ -335,13 +335,12 @@ acpi_parse_lapic_nmi(struct acpi_subtable_header * header, const unsigned long e |
1226 | #ifdef CONFIG_X86_IO_APIC |
1227 | #define MP_ISA_BUS 0 |
1228 | |
1229 | +static int __init mp_register_ioapic_irq(u8 bus_irq, u8 polarity, |
1230 | + u8 trigger, u32 gsi); |
1231 | + |
1232 | static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger, |
1233 | u32 gsi) |
1234 | { |
1235 | - int ioapic; |
1236 | - int pin; |
1237 | - struct mpc_intsrc mp_irq; |
1238 | - |
1239 | /* |
1240 | * Check bus_irq boundary. |
1241 | */ |
1242 | @@ -350,14 +349,6 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger, |
1243 | return; |
1244 | } |
1245 | |
1246 | - /* |
1247 | - * Convert 'gsi' to 'ioapic.pin'. |
1248 | - */ |
1249 | - ioapic = mp_find_ioapic(gsi); |
1250 | - if (ioapic < 0) |
1251 | - return; |
1252 | - pin = mp_find_ioapic_pin(ioapic, gsi); |
1253 | - |
1254 | /* |
1255 | * TBD: This check is for faulty timer entries, where the override |
1256 | * erroneously sets the trigger to level, resulting in a HUGE |
1257 | @@ -366,16 +357,8 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger, |
1258 | if ((bus_irq == 0) && (trigger == 3)) |
1259 | trigger = 1; |
1260 | |
1261 | - mp_irq.type = MP_INTSRC; |
1262 | - mp_irq.irqtype = mp_INT; |
1263 | - mp_irq.irqflag = (trigger << 2) | polarity; |
1264 | - mp_irq.srcbus = MP_ISA_BUS; |
1265 | - mp_irq.srcbusirq = bus_irq; /* IRQ */ |
1266 | - mp_irq.dstapic = mpc_ioapic_id(ioapic); /* APIC ID */ |
1267 | - mp_irq.dstirq = pin; /* INTIN# */ |
1268 | - |
1269 | - mp_save_irq(&mp_irq); |
1270 | - |
1271 | + if (mp_register_ioapic_irq(bus_irq, polarity, trigger, gsi) < 0) |
1272 | + return; |
1273 | /* |
1274 | * Reset default identity mapping if gsi is also an legacy IRQ, |
1275 | * otherwise there will be more than one entry with the same GSI |
1276 | @@ -422,6 +405,34 @@ static int mp_config_acpi_gsi(struct device *dev, u32 gsi, int trigger, |
1277 | return 0; |
1278 | } |
1279 | |
1280 | +static int __init mp_register_ioapic_irq(u8 bus_irq, u8 polarity, |
1281 | + u8 trigger, u32 gsi) |
1282 | +{ |
1283 | + struct mpc_intsrc mp_irq; |
1284 | + int ioapic, pin; |
1285 | + |
1286 | + /* Convert 'gsi' to 'ioapic.pin'(INTIN#) */ |
1287 | + ioapic = mp_find_ioapic(gsi); |
1288 | + if (ioapic < 0) { |
1289 | + pr_warn("Failed to find ioapic for gsi : %u\n", gsi); |
1290 | + return ioapic; |
1291 | + } |
1292 | + |
1293 | + pin = mp_find_ioapic_pin(ioapic, gsi); |
1294 | + |
1295 | + mp_irq.type = MP_INTSRC; |
1296 | + mp_irq.irqtype = mp_INT; |
1297 | + mp_irq.irqflag = (trigger << 2) | polarity; |
1298 | + mp_irq.srcbus = MP_ISA_BUS; |
1299 | + mp_irq.srcbusirq = bus_irq; |
1300 | + mp_irq.dstapic = mpc_ioapic_id(ioapic); |
1301 | + mp_irq.dstirq = pin; |
1302 | + |
1303 | + mp_save_irq(&mp_irq); |
1304 | + |
1305 | + return 0; |
1306 | +} |
1307 | + |
1308 | static int __init |
1309 | acpi_parse_ioapic(struct acpi_subtable_header * header, const unsigned long end) |
1310 | { |
1311 | @@ -466,7 +477,11 @@ static void __init acpi_sci_ioapic_setup(u8 bus_irq, u16 polarity, u16 trigger, |
1312 | if (acpi_sci_flags & ACPI_MADT_POLARITY_MASK) |
1313 | polarity = acpi_sci_flags & ACPI_MADT_POLARITY_MASK; |
1314 | |
1315 | - mp_override_legacy_irq(bus_irq, polarity, trigger, gsi); |
1316 | + if (bus_irq < NR_IRQS_LEGACY) |
1317 | + mp_override_legacy_irq(bus_irq, polarity, trigger, gsi); |
1318 | + else |
1319 | + mp_register_ioapic_irq(bus_irq, polarity, trigger, gsi); |
1320 | + |
1321 | acpi_penalize_sci_irq(bus_irq, trigger, polarity); |
1322 | |
1323 | /* |
1324 | diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c |
1325 | index 5cb272a7a5a3..10d5a3d6affc 100644 |
1326 | --- a/arch/x86/kernel/alternative.c |
1327 | +++ b/arch/x86/kernel/alternative.c |
1328 | @@ -340,9 +340,12 @@ recompute_jump(struct alt_instr *a, u8 *orig_insn, u8 *repl_insn, u8 *insnbuf) |
1329 | static void __init_or_module optimize_nops(struct alt_instr *a, u8 *instr) |
1330 | { |
1331 | unsigned long flags; |
1332 | + int i; |
1333 | |
1334 | - if (instr[0] != 0x90) |
1335 | - return; |
1336 | + for (i = 0; i < a->padlen; i++) { |
1337 | + if (instr[i] != 0x90) |
1338 | + return; |
1339 | + } |
1340 | |
1341 | local_irq_save(flags); |
1342 | add_nops(instr + (a->instrlen - a->padlen), a->padlen); |
1343 | diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile |
1344 | index 4a8697f7d4ef..33b63670bf09 100644 |
1345 | --- a/arch/x86/kernel/cpu/Makefile |
1346 | +++ b/arch/x86/kernel/cpu/Makefile |
1347 | @@ -20,13 +20,11 @@ obj-y := intel_cacheinfo.o scattered.o topology.o |
1348 | obj-y += common.o |
1349 | obj-y += rdrand.o |
1350 | obj-y += match.o |
1351 | +obj-y += bugs.o |
1352 | |
1353 | obj-$(CONFIG_PROC_FS) += proc.o |
1354 | obj-$(CONFIG_X86_FEATURE_NAMES) += capflags.o powerflags.o |
1355 | |
1356 | -obj-$(CONFIG_X86_32) += bugs.o |
1357 | -obj-$(CONFIG_X86_64) += bugs_64.o |
1358 | - |
1359 | obj-$(CONFIG_CPU_SUP_INTEL) += intel.o |
1360 | obj-$(CONFIG_CPU_SUP_AMD) += amd.o |
1361 | obj-$(CONFIG_CPU_SUP_CYRIX_32) += cyrix.o |
1362 | diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c |
1363 | index 2b4cf04239b6..1b89f0c4251e 100644 |
1364 | --- a/arch/x86/kernel/cpu/amd.c |
1365 | +++ b/arch/x86/kernel/cpu/amd.c |
1366 | @@ -782,8 +782,32 @@ static void init_amd(struct cpuinfo_x86 *c) |
1367 | set_cpu_cap(c, X86_FEATURE_K8); |
1368 | |
1369 | if (cpu_has(c, X86_FEATURE_XMM2)) { |
1370 | - /* MFENCE stops RDTSC speculation */ |
1371 | - set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC); |
1372 | + unsigned long long val; |
1373 | + int ret; |
1374 | + |
1375 | + /* |
1376 | + * A serializing LFENCE has less overhead than MFENCE, so |
1377 | + * use it for execution serialization. On families which |
1378 | + * don't have that MSR, LFENCE is already serializing. |
1379 | + * msr_set_bit() uses the safe accessors, too, even if the MSR |
1380 | + * is not present. |
1381 | + */ |
1382 | + msr_set_bit(MSR_F10H_DECFG, |
1383 | + MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT); |
1384 | + |
1385 | + /* |
1386 | + * Verify that the MSR write was successful (could be running |
1387 | + * under a hypervisor) and only then assume that LFENCE is |
1388 | + * serializing. |
1389 | + */ |
1390 | + ret = rdmsrl_safe(MSR_F10H_DECFG, &val); |
1391 | + if (!ret && (val & MSR_F10H_DECFG_LFENCE_SERIALIZE)) { |
1392 | + /* A serializing LFENCE stops RDTSC speculation */ |
1393 | + set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC); |
1394 | + } else { |
1395 | + /* MFENCE stops RDTSC speculation */ |
1396 | + set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC); |
1397 | + } |
1398 | } |
1399 | |
1400 | /* |
1401 | diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
1402 | index 0b6124315441..49d25ddf0e9f 100644 |
1403 | --- a/arch/x86/kernel/cpu/bugs.c |
1404 | +++ b/arch/x86/kernel/cpu/bugs.c |
1405 | @@ -9,6 +9,10 @@ |
1406 | */ |
1407 | #include <linux/init.h> |
1408 | #include <linux/utsname.h> |
1409 | +#include <linux/cpu.h> |
1410 | + |
1411 | +#include <asm/nospec-branch.h> |
1412 | +#include <asm/cmdline.h> |
1413 | #include <asm/bugs.h> |
1414 | #include <asm/processor.h> |
1415 | #include <asm/processor-flags.h> |
1416 | @@ -16,23 +20,24 @@ |
1417 | #include <asm/msr.h> |
1418 | #include <asm/paravirt.h> |
1419 | #include <asm/alternative.h> |
1420 | +#include <asm/pgtable.h> |
1421 | +#include <asm/cacheflush.h> |
1422 | + |
1423 | +static void __init spectre_v2_select_mitigation(void); |
1424 | |
1425 | void __init check_bugs(void) |
1426 | { |
1427 | -#ifdef CONFIG_X86_32 |
1428 | - /* |
1429 | - * Regardless of whether PCID is enumerated, the SDM says |
1430 | - * that it can't be enabled in 32-bit mode. |
1431 | - */ |
1432 | - setup_clear_cpu_cap(X86_FEATURE_PCID); |
1433 | -#endif |
1434 | - |
1435 | identify_boot_cpu(); |
1436 | -#ifndef CONFIG_SMP |
1437 | - pr_info("CPU: "); |
1438 | - print_cpu_info(&boot_cpu_data); |
1439 | -#endif |
1440 | |
1441 | + if (!IS_ENABLED(CONFIG_SMP)) { |
1442 | + pr_info("CPU: "); |
1443 | + print_cpu_info(&boot_cpu_data); |
1444 | + } |
1445 | + |
1446 | + /* Select the proper spectre mitigation before patching alternatives */ |
1447 | + spectre_v2_select_mitigation(); |
1448 | + |
1449 | +#ifdef CONFIG_X86_32 |
1450 | /* |
1451 | * Check whether we are able to run this kernel safely on SMP. |
1452 | * |
1453 | @@ -48,4 +53,194 @@ void __init check_bugs(void) |
1454 | alternative_instructions(); |
1455 | |
1456 | fpu__init_check_bugs(); |
1457 | +#else /* CONFIG_X86_64 */ |
1458 | + alternative_instructions(); |
1459 | + |
1460 | + /* |
1461 | + * Make sure the first 2MB area is not mapped by huge pages |
1462 | + * There are typically fixed size MTRRs in there and overlapping |
1463 | + * MTRRs into large pages causes slow downs. |
1464 | + * |
1465 | + * Right now we don't do that with gbpages because there seems |
1466 | + * very little benefit for that case. |
1467 | + */ |
1468 | + if (!direct_gbpages) |
1469 | + set_memory_4k((unsigned long)__va(0), 1); |
1470 | +#endif |
1471 | +} |
1472 | + |
1473 | +/* The kernel command line selection */ |
1474 | +enum spectre_v2_mitigation_cmd { |
1475 | + SPECTRE_V2_CMD_NONE, |
1476 | + SPECTRE_V2_CMD_AUTO, |
1477 | + SPECTRE_V2_CMD_FORCE, |
1478 | + SPECTRE_V2_CMD_RETPOLINE, |
1479 | + SPECTRE_V2_CMD_RETPOLINE_GENERIC, |
1480 | + SPECTRE_V2_CMD_RETPOLINE_AMD, |
1481 | +}; |
1482 | + |
1483 | +static const char *spectre_v2_strings[] = { |
1484 | + [SPECTRE_V2_NONE] = "Vulnerable", |
1485 | + [SPECTRE_V2_RETPOLINE_MINIMAL] = "Vulnerable: Minimal generic ASM retpoline", |
1486 | + [SPECTRE_V2_RETPOLINE_MINIMAL_AMD] = "Vulnerable: Minimal AMD ASM retpoline", |
1487 | + [SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline", |
1488 | + [SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline", |
1489 | +}; |
1490 | + |
1491 | +#undef pr_fmt |
1492 | +#define pr_fmt(fmt) "Spectre V2 mitigation: " fmt |
1493 | + |
1494 | +static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE; |
1495 | + |
1496 | +static void __init spec2_print_if_insecure(const char *reason) |
1497 | +{ |
1498 | + if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) |
1499 | + pr_info("%s\n", reason); |
1500 | +} |
1501 | + |
1502 | +static void __init spec2_print_if_secure(const char *reason) |
1503 | +{ |
1504 | + if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) |
1505 | + pr_info("%s\n", reason); |
1506 | +} |
1507 | + |
1508 | +static inline bool retp_compiler(void) |
1509 | +{ |
1510 | + return __is_defined(RETPOLINE); |
1511 | +} |
1512 | + |
1513 | +static inline bool match_option(const char *arg, int arglen, const char *opt) |
1514 | +{ |
1515 | + int len = strlen(opt); |
1516 | + |
1517 | + return len == arglen && !strncmp(arg, opt, len); |
1518 | +} |
1519 | + |
1520 | +static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) |
1521 | +{ |
1522 | + char arg[20]; |
1523 | + int ret; |
1524 | + |
1525 | + ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, |
1526 | + sizeof(arg)); |
1527 | + if (ret > 0) { |
1528 | + if (match_option(arg, ret, "off")) { |
1529 | + goto disable; |
1530 | + } else if (match_option(arg, ret, "on")) { |
1531 | + spec2_print_if_secure("force enabled on command line."); |
1532 | + return SPECTRE_V2_CMD_FORCE; |
1533 | + } else if (match_option(arg, ret, "retpoline")) { |
1534 | + spec2_print_if_insecure("retpoline selected on command line."); |
1535 | + return SPECTRE_V2_CMD_RETPOLINE; |
1536 | + } else if (match_option(arg, ret, "retpoline,amd")) { |
1537 | + if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD) { |
1538 | + pr_err("retpoline,amd selected but CPU is not AMD. Switching to AUTO select\n"); |
1539 | + return SPECTRE_V2_CMD_AUTO; |
1540 | + } |
1541 | + spec2_print_if_insecure("AMD retpoline selected on command line."); |
1542 | + return SPECTRE_V2_CMD_RETPOLINE_AMD; |
1543 | + } else if (match_option(arg, ret, "retpoline,generic")) { |
1544 | + spec2_print_if_insecure("generic retpoline selected on command line."); |
1545 | + return SPECTRE_V2_CMD_RETPOLINE_GENERIC; |
1546 | + } else if (match_option(arg, ret, "auto")) { |
1547 | + return SPECTRE_V2_CMD_AUTO; |
1548 | + } |
1549 | + } |
1550 | + |
1551 | + if (!cmdline_find_option_bool(boot_command_line, "nospectre_v2")) |
1552 | + return SPECTRE_V2_CMD_AUTO; |
1553 | +disable: |
1554 | + spec2_print_if_insecure("disabled on command line."); |
1555 | + return SPECTRE_V2_CMD_NONE; |
1556 | } |
1557 | + |
1558 | +static void __init spectre_v2_select_mitigation(void) |
1559 | +{ |
1560 | + enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); |
1561 | + enum spectre_v2_mitigation mode = SPECTRE_V2_NONE; |
1562 | + |
1563 | + /* |
1564 | + * If the CPU is not affected and the command line mode is NONE or AUTO |
1565 | + * then nothing to do. |
1566 | + */ |
1567 | + if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) && |
1568 | + (cmd == SPECTRE_V2_CMD_NONE || cmd == SPECTRE_V2_CMD_AUTO)) |
1569 | + return; |
1570 | + |
1571 | + switch (cmd) { |
1572 | + case SPECTRE_V2_CMD_NONE: |
1573 | + return; |
1574 | + |
1575 | + case SPECTRE_V2_CMD_FORCE: |
1576 | + /* FALLTRHU */ |
1577 | + case SPECTRE_V2_CMD_AUTO: |
1578 | + goto retpoline_auto; |
1579 | + |
1580 | + case SPECTRE_V2_CMD_RETPOLINE_AMD: |
1581 | + if (IS_ENABLED(CONFIG_RETPOLINE)) |
1582 | + goto retpoline_amd; |
1583 | + break; |
1584 | + case SPECTRE_V2_CMD_RETPOLINE_GENERIC: |
1585 | + if (IS_ENABLED(CONFIG_RETPOLINE)) |
1586 | + goto retpoline_generic; |
1587 | + break; |
1588 | + case SPECTRE_V2_CMD_RETPOLINE: |
1589 | + if (IS_ENABLED(CONFIG_RETPOLINE)) |
1590 | + goto retpoline_auto; |
1591 | + break; |
1592 | + } |
1593 | + pr_err("kernel not compiled with retpoline; no mitigation available!"); |
1594 | + return; |
1595 | + |
1596 | +retpoline_auto: |
1597 | + if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) { |
1598 | + retpoline_amd: |
1599 | + if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { |
1600 | + pr_err("LFENCE not serializing. Switching to generic retpoline\n"); |
1601 | + goto retpoline_generic; |
1602 | + } |
1603 | + mode = retp_compiler() ? SPECTRE_V2_RETPOLINE_AMD : |
1604 | + SPECTRE_V2_RETPOLINE_MINIMAL_AMD; |
1605 | + setup_force_cpu_cap(X86_FEATURE_RETPOLINE_AMD); |
1606 | + setup_force_cpu_cap(X86_FEATURE_RETPOLINE); |
1607 | + } else { |
1608 | + retpoline_generic: |
1609 | + mode = retp_compiler() ? SPECTRE_V2_RETPOLINE_GENERIC : |
1610 | + SPECTRE_V2_RETPOLINE_MINIMAL; |
1611 | + setup_force_cpu_cap(X86_FEATURE_RETPOLINE); |
1612 | + } |
1613 | + |
1614 | + spectre_v2_enabled = mode; |
1615 | + pr_info("%s\n", spectre_v2_strings[mode]); |
1616 | +} |
1617 | + |
1618 | +#undef pr_fmt |
1619 | + |
1620 | +#ifdef CONFIG_SYSFS |
1621 | +ssize_t cpu_show_meltdown(struct device *dev, |
1622 | + struct device_attribute *attr, char *buf) |
1623 | +{ |
1624 | + if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN)) |
1625 | + return sprintf(buf, "Not affected\n"); |
1626 | + if (boot_cpu_has(X86_FEATURE_KAISER)) |
1627 | + return sprintf(buf, "Mitigation: PTI\n"); |
1628 | + return sprintf(buf, "Vulnerable\n"); |
1629 | +} |
1630 | + |
1631 | +ssize_t cpu_show_spectre_v1(struct device *dev, |
1632 | + struct device_attribute *attr, char *buf) |
1633 | +{ |
1634 | + if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1)) |
1635 | + return sprintf(buf, "Not affected\n"); |
1636 | + return sprintf(buf, "Vulnerable\n"); |
1637 | +} |
1638 | + |
1639 | +ssize_t cpu_show_spectre_v2(struct device *dev, |
1640 | + struct device_attribute *attr, char *buf) |
1641 | +{ |
1642 | + if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) |
1643 | + return sprintf(buf, "Not affected\n"); |
1644 | + |
1645 | + return sprintf(buf, "%s\n", spectre_v2_strings[spectre_v2_enabled]); |
1646 | +} |
1647 | +#endif |
1648 | diff --git a/arch/x86/kernel/cpu/bugs_64.c b/arch/x86/kernel/cpu/bugs_64.c |
1649 | deleted file mode 100644 |
1650 | index a972ac4c7e7d..000000000000 |
1651 | --- a/arch/x86/kernel/cpu/bugs_64.c |
1652 | +++ /dev/null |
1653 | @@ -1,33 +0,0 @@ |
1654 | -/* |
1655 | - * Copyright (C) 1994 Linus Torvalds |
1656 | - * Copyright (C) 2000 SuSE |
1657 | - */ |
1658 | - |
1659 | -#include <linux/kernel.h> |
1660 | -#include <linux/init.h> |
1661 | -#include <asm/alternative.h> |
1662 | -#include <asm/bugs.h> |
1663 | -#include <asm/processor.h> |
1664 | -#include <asm/mtrr.h> |
1665 | -#include <asm/cacheflush.h> |
1666 | - |
1667 | -void __init check_bugs(void) |
1668 | -{ |
1669 | - identify_boot_cpu(); |
1670 | -#if !defined(CONFIG_SMP) |
1671 | - pr_info("CPU: "); |
1672 | - print_cpu_info(&boot_cpu_data); |
1673 | -#endif |
1674 | - alternative_instructions(); |
1675 | - |
1676 | - /* |
1677 | - * Make sure the first 2MB area is not mapped by huge pages |
1678 | - * There are typically fixed size MTRRs in there and overlapping |
1679 | - * MTRRs into large pages causes slow downs. |
1680 | - * |
1681 | - * Right now we don't do that with gbpages because there seems |
1682 | - * very little benefit for that case. |
1683 | - */ |
1684 | - if (!direct_gbpages) |
1685 | - set_memory_4k((unsigned long)__va(0), 1); |
1686 | -} |
1687 | diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c |
1688 | index 918e44772b04..7b9ae04ddf5d 100644 |
1689 | --- a/arch/x86/kernel/cpu/common.c |
1690 | +++ b/arch/x86/kernel/cpu/common.c |
1691 | @@ -480,8 +480,8 @@ static const char *table_lookup_model(struct cpuinfo_x86 *c) |
1692 | return NULL; /* Not found */ |
1693 | } |
1694 | |
1695 | -__u32 cpu_caps_cleared[NCAPINTS]; |
1696 | -__u32 cpu_caps_set[NCAPINTS]; |
1697 | +__u32 cpu_caps_cleared[NCAPINTS + NBUGINTS]; |
1698 | +__u32 cpu_caps_set[NCAPINTS + NBUGINTS]; |
1699 | |
1700 | void load_percpu_segment(int cpu) |
1701 | { |
1702 | @@ -706,6 +706,16 @@ void cpu_detect(struct cpuinfo_x86 *c) |
1703 | } |
1704 | } |
1705 | |
1706 | +static void apply_forced_caps(struct cpuinfo_x86 *c) |
1707 | +{ |
1708 | + int i; |
1709 | + |
1710 | + for (i = 0; i < NCAPINTS + NBUGINTS; i++) { |
1711 | + c->x86_capability[i] &= ~cpu_caps_cleared[i]; |
1712 | + c->x86_capability[i] |= cpu_caps_set[i]; |
1713 | + } |
1714 | +} |
1715 | + |
1716 | void get_cpu_cap(struct cpuinfo_x86 *c) |
1717 | { |
1718 | u32 eax, ebx, ecx, edx; |
1719 | @@ -872,7 +882,22 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c) |
1720 | } |
1721 | |
1722 | setup_force_cpu_cap(X86_FEATURE_ALWAYS); |
1723 | + |
1724 | + /* Assume for now that ALL x86 CPUs are insecure */ |
1725 | + setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN); |
1726 | + |
1727 | + setup_force_cpu_bug(X86_BUG_SPECTRE_V1); |
1728 | + setup_force_cpu_bug(X86_BUG_SPECTRE_V2); |
1729 | + |
1730 | fpu__init_system(c); |
1731 | + |
1732 | +#ifdef CONFIG_X86_32 |
1733 | + /* |
1734 | + * Regardless of whether PCID is enumerated, the SDM says |
1735 | + * that it can't be enabled in 32-bit mode. |
1736 | + */ |
1737 | + setup_clear_cpu_cap(X86_FEATURE_PCID); |
1738 | +#endif |
1739 | } |
1740 | |
1741 | void __init early_cpu_init(void) |
1742 | @@ -1086,10 +1111,7 @@ static void identify_cpu(struct cpuinfo_x86 *c) |
1743 | this_cpu->c_identify(c); |
1744 | |
1745 | /* Clear/Set all flags overridden by options, after probe */ |
1746 | - for (i = 0; i < NCAPINTS; i++) { |
1747 | - c->x86_capability[i] &= ~cpu_caps_cleared[i]; |
1748 | - c->x86_capability[i] |= cpu_caps_set[i]; |
1749 | - } |
1750 | + apply_forced_caps(c); |
1751 | |
1752 | #ifdef CONFIG_X86_64 |
1753 | c->apicid = apic->phys_pkg_id(c->initial_apicid, 0); |
1754 | @@ -1151,10 +1173,7 @@ static void identify_cpu(struct cpuinfo_x86 *c) |
1755 | * Clear/Set all flags overridden by options, need do it |
1756 | * before following smp all cpus cap AND. |
1757 | */ |
1758 | - for (i = 0; i < NCAPINTS; i++) { |
1759 | - c->x86_capability[i] &= ~cpu_caps_cleared[i]; |
1760 | - c->x86_capability[i] |= cpu_caps_set[i]; |
1761 | - } |
1762 | + apply_forced_caps(c); |
1763 | |
1764 | /* |
1765 | * On SMP, boot_cpu_data holds the common feature set between |
1766 | diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c |
1767 | index 13dbcc0f9d03..ac3e636ad586 100644 |
1768 | --- a/arch/x86/kernel/cpu/microcode/intel.c |
1769 | +++ b/arch/x86/kernel/cpu/microcode/intel.c |
1770 | @@ -1051,8 +1051,17 @@ static bool is_blacklisted(unsigned int cpu) |
1771 | { |
1772 | struct cpuinfo_x86 *c = &cpu_data(cpu); |
1773 | |
1774 | - if (c->x86 == 6 && c->x86_model == INTEL_FAM6_BROADWELL_X) { |
1775 | - pr_err_once("late loading on model 79 is disabled.\n"); |
1776 | + /* |
1777 | + * Late loading on model 79 with microcode revision less than 0x0b000021 |
1778 | + * may result in a system hang. This behavior is documented in item |
1779 | + * BDF90, #334165 (Intel Xeon Processor E7-8800/4800 v4 Product Family). |
1780 | + */ |
1781 | + if (c->x86 == 6 && |
1782 | + c->x86_model == INTEL_FAM6_BROADWELL_X && |
1783 | + c->x86_mask == 0x01 && |
1784 | + c->microcode < 0x0b000021) { |
1785 | + pr_err_once("Erratum BDF90: late loading with revision < 0x0b000021 (0x%x) disabled.\n", c->microcode); |
1786 | + pr_err_once("Please consider either early loading through initrd/built-in or a potential BIOS update.\n"); |
1787 | return true; |
1788 | } |
1789 | |
1790 | diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c |
1791 | index 1f38d9a4d9de..2763573ee1d2 100644 |
1792 | --- a/arch/x86/kernel/irq_32.c |
1793 | +++ b/arch/x86/kernel/irq_32.c |
1794 | @@ -19,6 +19,7 @@ |
1795 | #include <linux/mm.h> |
1796 | |
1797 | #include <asm/apic.h> |
1798 | +#include <asm/nospec-branch.h> |
1799 | |
1800 | #ifdef CONFIG_DEBUG_STACKOVERFLOW |
1801 | |
1802 | @@ -54,17 +55,17 @@ DEFINE_PER_CPU(struct irq_stack *, softirq_stack); |
1803 | static void call_on_stack(void *func, void *stack) |
1804 | { |
1805 | asm volatile("xchgl %%ebx,%%esp \n" |
1806 | - "call *%%edi \n" |
1807 | + CALL_NOSPEC |
1808 | "movl %%ebx,%%esp \n" |
1809 | : "=b" (stack) |
1810 | : "0" (stack), |
1811 | - "D"(func) |
1812 | + [thunk_target] "D"(func) |
1813 | : "memory", "cc", "edx", "ecx", "eax"); |
1814 | } |
1815 | |
1816 | static inline void *current_stack(void) |
1817 | { |
1818 | - return (void *)(current_stack_pointer() & ~(THREAD_SIZE - 1)); |
1819 | + return (void *)(current_stack_pointer & ~(THREAD_SIZE - 1)); |
1820 | } |
1821 | |
1822 | static inline int execute_on_irq_stack(int overflow, struct irq_desc *desc) |
1823 | @@ -88,17 +89,17 @@ static inline int execute_on_irq_stack(int overflow, struct irq_desc *desc) |
1824 | |
1825 | /* Save the next esp at the bottom of the stack */ |
1826 | prev_esp = (u32 *)irqstk; |
1827 | - *prev_esp = current_stack_pointer(); |
1828 | + *prev_esp = current_stack_pointer; |
1829 | |
1830 | if (unlikely(overflow)) |
1831 | call_on_stack(print_stack_overflow, isp); |
1832 | |
1833 | asm volatile("xchgl %%ebx,%%esp \n" |
1834 | - "call *%%edi \n" |
1835 | + CALL_NOSPEC |
1836 | "movl %%ebx,%%esp \n" |
1837 | : "=a" (arg1), "=b" (isp) |
1838 | : "0" (desc), "1" (isp), |
1839 | - "D" (desc->handle_irq) |
1840 | + [thunk_target] "D" (desc->handle_irq) |
1841 | : "memory", "cc", "ecx"); |
1842 | return 1; |
1843 | } |
1844 | @@ -139,7 +140,7 @@ void do_softirq_own_stack(void) |
1845 | |
1846 | /* Push the previous esp onto the stack */ |
1847 | prev_esp = (u32 *)irqstk; |
1848 | - *prev_esp = current_stack_pointer(); |
1849 | + *prev_esp = current_stack_pointer; |
1850 | |
1851 | call_on_stack(__do_softirq, isp); |
1852 | } |
1853 | diff --git a/arch/x86/kernel/mcount_64.S b/arch/x86/kernel/mcount_64.S |
1854 | index 7b0d3da52fb4..287ec3bc141f 100644 |
1855 | --- a/arch/x86/kernel/mcount_64.S |
1856 | +++ b/arch/x86/kernel/mcount_64.S |
1857 | @@ -8,7 +8,7 @@ |
1858 | #include <asm/ptrace.h> |
1859 | #include <asm/ftrace.h> |
1860 | #include <asm/export.h> |
1861 | - |
1862 | +#include <asm/nospec-branch.h> |
1863 | |
1864 | .code64 |
1865 | .section .entry.text, "ax" |
1866 | @@ -290,8 +290,9 @@ trace: |
1867 | * ip and parent ip are used and the list function is called when |
1868 | * function tracing is enabled. |
1869 | */ |
1870 | - call *ftrace_trace_function |
1871 | |
1872 | + movq ftrace_trace_function, %r8 |
1873 | + CALL_NOSPEC %r8 |
1874 | restore_mcount_regs |
1875 | |
1876 | jmp fgraph_trace |
1877 | @@ -334,5 +335,5 @@ GLOBAL(return_to_handler) |
1878 | movq 8(%rsp), %rdx |
1879 | movq (%rsp), %rax |
1880 | addq $24, %rsp |
1881 | - jmp *%rdi |
1882 | + JMP_NOSPEC %rdi |
1883 | #endif |
1884 | diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c |
1885 | index bd4e3d4d3625..322f433fbc76 100644 |
1886 | --- a/arch/x86/kernel/traps.c |
1887 | +++ b/arch/x86/kernel/traps.c |
1888 | @@ -153,7 +153,7 @@ void ist_begin_non_atomic(struct pt_regs *regs) |
1889 | * from double_fault. |
1890 | */ |
1891 | BUG_ON((unsigned long)(current_top_of_stack() - |
1892 | - current_stack_pointer()) >= THREAD_SIZE); |
1893 | + current_stack_pointer) >= THREAD_SIZE); |
1894 | |
1895 | preempt_enable_no_resched(); |
1896 | } |
1897 | diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c |
1898 | index 8148d8ca7930..24af898fb3a6 100644 |
1899 | --- a/arch/x86/kvm/svm.c |
1900 | +++ b/arch/x86/kvm/svm.c |
1901 | @@ -44,6 +44,7 @@ |
1902 | #include <asm/debugreg.h> |
1903 | #include <asm/kvm_para.h> |
1904 | #include <asm/irq_remapping.h> |
1905 | +#include <asm/nospec-branch.h> |
1906 | |
1907 | #include <asm/virtext.h> |
1908 | #include "trace.h" |
1909 | @@ -4868,6 +4869,25 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) |
1910 | "mov %%r13, %c[r13](%[svm]) \n\t" |
1911 | "mov %%r14, %c[r14](%[svm]) \n\t" |
1912 | "mov %%r15, %c[r15](%[svm]) \n\t" |
1913 | +#endif |
1914 | + /* |
1915 | + * Clear host registers marked as clobbered to prevent |
1916 | + * speculative use. |
1917 | + */ |
1918 | + "xor %%" _ASM_BX ", %%" _ASM_BX " \n\t" |
1919 | + "xor %%" _ASM_CX ", %%" _ASM_CX " \n\t" |
1920 | + "xor %%" _ASM_DX ", %%" _ASM_DX " \n\t" |
1921 | + "xor %%" _ASM_SI ", %%" _ASM_SI " \n\t" |
1922 | + "xor %%" _ASM_DI ", %%" _ASM_DI " \n\t" |
1923 | +#ifdef CONFIG_X86_64 |
1924 | + "xor %%r8, %%r8 \n\t" |
1925 | + "xor %%r9, %%r9 \n\t" |
1926 | + "xor %%r10, %%r10 \n\t" |
1927 | + "xor %%r11, %%r11 \n\t" |
1928 | + "xor %%r12, %%r12 \n\t" |
1929 | + "xor %%r13, %%r13 \n\t" |
1930 | + "xor %%r14, %%r14 \n\t" |
1931 | + "xor %%r15, %%r15 \n\t" |
1932 | #endif |
1933 | "pop %%" _ASM_BP |
1934 | : |
1935 | @@ -4898,6 +4918,9 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) |
1936 | #endif |
1937 | ); |
1938 | |
1939 | + /* Eliminate branch target predictions from guest mode */ |
1940 | + vmexit_fill_RSB(); |
1941 | + |
1942 | #ifdef CONFIG_X86_64 |
1943 | wrmsrl(MSR_GS_BASE, svm->host.gs_base); |
1944 | #else |
1945 | diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c |
1946 | index 263e56059fd5..3ca6d15994e4 100644 |
1947 | --- a/arch/x86/kvm/vmx.c |
1948 | +++ b/arch/x86/kvm/vmx.c |
1949 | @@ -48,6 +48,7 @@ |
1950 | #include <asm/kexec.h> |
1951 | #include <asm/apic.h> |
1952 | #include <asm/irq_remapping.h> |
1953 | +#include <asm/nospec-branch.h> |
1954 | |
1955 | #include "trace.h" |
1956 | #include "pmu.h" |
1957 | @@ -857,8 +858,16 @@ static inline short vmcs_field_to_offset(unsigned long field) |
1958 | { |
1959 | BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX); |
1960 | |
1961 | - if (field >= ARRAY_SIZE(vmcs_field_to_offset_table) || |
1962 | - vmcs_field_to_offset_table[field] == 0) |
1963 | + if (field >= ARRAY_SIZE(vmcs_field_to_offset_table)) |
1964 | + return -ENOENT; |
1965 | + |
1966 | + /* |
1967 | + * FIXME: Mitigation for CVE-2017-5753. To be replaced with a |
1968 | + * generic mechanism. |
1969 | + */ |
1970 | + asm("lfence"); |
1971 | + |
1972 | + if (vmcs_field_to_offset_table[field] == 0) |
1973 | return -ENOENT; |
1974 | |
1975 | return vmcs_field_to_offset_table[field]; |
1976 | @@ -8948,6 +8957,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) |
1977 | /* Save guest registers, load host registers, keep flags */ |
1978 | "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t" |
1979 | "pop %0 \n\t" |
1980 | + "setbe %c[fail](%0)\n\t" |
1981 | "mov %%" _ASM_AX ", %c[rax](%0) \n\t" |
1982 | "mov %%" _ASM_BX ", %c[rbx](%0) \n\t" |
1983 | __ASM_SIZE(pop) " %c[rcx](%0) \n\t" |
1984 | @@ -8964,12 +8974,23 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) |
1985 | "mov %%r13, %c[r13](%0) \n\t" |
1986 | "mov %%r14, %c[r14](%0) \n\t" |
1987 | "mov %%r15, %c[r15](%0) \n\t" |
1988 | + "xor %%r8d, %%r8d \n\t" |
1989 | + "xor %%r9d, %%r9d \n\t" |
1990 | + "xor %%r10d, %%r10d \n\t" |
1991 | + "xor %%r11d, %%r11d \n\t" |
1992 | + "xor %%r12d, %%r12d \n\t" |
1993 | + "xor %%r13d, %%r13d \n\t" |
1994 | + "xor %%r14d, %%r14d \n\t" |
1995 | + "xor %%r15d, %%r15d \n\t" |
1996 | #endif |
1997 | "mov %%cr2, %%" _ASM_AX " \n\t" |
1998 | "mov %%" _ASM_AX ", %c[cr2](%0) \n\t" |
1999 | |
2000 | + "xor %%eax, %%eax \n\t" |
2001 | + "xor %%ebx, %%ebx \n\t" |
2002 | + "xor %%esi, %%esi \n\t" |
2003 | + "xor %%edi, %%edi \n\t" |
2004 | "pop %%" _ASM_BP "; pop %%" _ASM_DX " \n\t" |
2005 | - "setbe %c[fail](%0) \n\t" |
2006 | ".pushsection .rodata \n\t" |
2007 | ".global vmx_return \n\t" |
2008 | "vmx_return: " _ASM_PTR " 2b \n\t" |
2009 | @@ -9006,6 +9027,9 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) |
2010 | #endif |
2011 | ); |
2012 | |
2013 | + /* Eliminate branch target predictions from guest mode */ |
2014 | + vmexit_fill_RSB(); |
2015 | + |
2016 | /* MSR_IA32_DEBUGCTLMSR is zeroed on vmexit. Restore it if needed */ |
2017 | if (debugctlmsr) |
2018 | update_debugctlmsr(debugctlmsr); |
2019 | diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c |
2020 | index 73304b1a03cc..d3f80cccb9aa 100644 |
2021 | --- a/arch/x86/kvm/x86.c |
2022 | +++ b/arch/x86/kvm/x86.c |
2023 | @@ -4264,7 +4264,7 @@ static int vcpu_mmio_read(struct kvm_vcpu *vcpu, gpa_t addr, int len, void *v) |
2024 | addr, n, v)) |
2025 | && kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v)) |
2026 | break; |
2027 | - trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v); |
2028 | + trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v); |
2029 | handled += n; |
2030 | addr += n; |
2031 | len -= n; |
2032 | @@ -4517,7 +4517,7 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes) |
2033 | { |
2034 | if (vcpu->mmio_read_completed) { |
2035 | trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes, |
2036 | - vcpu->mmio_fragments[0].gpa, *(u64 *)val); |
2037 | + vcpu->mmio_fragments[0].gpa, val); |
2038 | vcpu->mmio_read_completed = 0; |
2039 | return 1; |
2040 | } |
2041 | @@ -4539,14 +4539,14 @@ static int write_emulate(struct kvm_vcpu *vcpu, gpa_t gpa, |
2042 | |
2043 | static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val) |
2044 | { |
2045 | - trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val); |
2046 | + trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val); |
2047 | return vcpu_mmio_write(vcpu, gpa, bytes, val); |
2048 | } |
2049 | |
2050 | static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, |
2051 | void *val, int bytes) |
2052 | { |
2053 | - trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0); |
2054 | + trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL); |
2055 | return X86EMUL_IO_NEEDED; |
2056 | } |
2057 | |
2058 | diff --git a/arch/x86/lib/Makefile b/arch/x86/lib/Makefile |
2059 | index 34a74131a12c..6bf1898ddf49 100644 |
2060 | --- a/arch/x86/lib/Makefile |
2061 | +++ b/arch/x86/lib/Makefile |
2062 | @@ -25,6 +25,7 @@ lib-y += memcpy_$(BITS).o |
2063 | lib-$(CONFIG_RWSEM_XCHGADD_ALGORITHM) += rwsem.o |
2064 | lib-$(CONFIG_INSTRUCTION_DECODER) += insn.o inat.o |
2065 | lib-$(CONFIG_RANDOMIZE_BASE) += kaslr.o |
2066 | +lib-$(CONFIG_RETPOLINE) += retpoline.o |
2067 | |
2068 | obj-y += msr.o msr-reg.o msr-reg-export.o hweight.o |
2069 | |
2070 | diff --git a/arch/x86/lib/checksum_32.S b/arch/x86/lib/checksum_32.S |
2071 | index 4d34bb548b41..46e71a74e612 100644 |
2072 | --- a/arch/x86/lib/checksum_32.S |
2073 | +++ b/arch/x86/lib/checksum_32.S |
2074 | @@ -29,7 +29,8 @@ |
2075 | #include <asm/errno.h> |
2076 | #include <asm/asm.h> |
2077 | #include <asm/export.h> |
2078 | - |
2079 | +#include <asm/nospec-branch.h> |
2080 | + |
2081 | /* |
2082 | * computes a partial checksum, e.g. for TCP/UDP fragments |
2083 | */ |
2084 | @@ -156,7 +157,7 @@ ENTRY(csum_partial) |
2085 | negl %ebx |
2086 | lea 45f(%ebx,%ebx,2), %ebx |
2087 | testl %esi, %esi |
2088 | - jmp *%ebx |
2089 | + JMP_NOSPEC %ebx |
2090 | |
2091 | # Handle 2-byte-aligned regions |
2092 | 20: addw (%esi), %ax |
2093 | @@ -439,7 +440,7 @@ ENTRY(csum_partial_copy_generic) |
2094 | andl $-32,%edx |
2095 | lea 3f(%ebx,%ebx), %ebx |
2096 | testl %esi, %esi |
2097 | - jmp *%ebx |
2098 | + JMP_NOSPEC %ebx |
2099 | 1: addl $64,%esi |
2100 | addl $64,%edi |
2101 | SRC(movb -32(%edx),%bl) ; SRC(movb (%edx),%bl) |
2102 | diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S |
2103 | new file mode 100644 |
2104 | index 000000000000..cb45c6cb465f |
2105 | --- /dev/null |
2106 | +++ b/arch/x86/lib/retpoline.S |
2107 | @@ -0,0 +1,48 @@ |
2108 | +/* SPDX-License-Identifier: GPL-2.0 */ |
2109 | + |
2110 | +#include <linux/stringify.h> |
2111 | +#include <linux/linkage.h> |
2112 | +#include <asm/dwarf2.h> |
2113 | +#include <asm/cpufeatures.h> |
2114 | +#include <asm/alternative-asm.h> |
2115 | +#include <asm/export.h> |
2116 | +#include <asm/nospec-branch.h> |
2117 | + |
2118 | +.macro THUNK reg |
2119 | + .section .text.__x86.indirect_thunk.\reg |
2120 | + |
2121 | +ENTRY(__x86_indirect_thunk_\reg) |
2122 | + CFI_STARTPROC |
2123 | + JMP_NOSPEC %\reg |
2124 | + CFI_ENDPROC |
2125 | +ENDPROC(__x86_indirect_thunk_\reg) |
2126 | +.endm |
2127 | + |
2128 | +/* |
2129 | + * Despite being an assembler file we can't just use .irp here |
2130 | + * because __KSYM_DEPS__ only uses the C preprocessor and would |
2131 | + * only see one instance of "__x86_indirect_thunk_\reg" rather |
2132 | + * than one per register with the correct names. So we do it |
2133 | + * the simple and nasty way... |
2134 | + */ |
2135 | +#define EXPORT_THUNK(reg) EXPORT_SYMBOL(__x86_indirect_thunk_ ## reg) |
2136 | +#define GENERATE_THUNK(reg) THUNK reg ; EXPORT_THUNK(reg) |
2137 | + |
2138 | +GENERATE_THUNK(_ASM_AX) |
2139 | +GENERATE_THUNK(_ASM_BX) |
2140 | +GENERATE_THUNK(_ASM_CX) |
2141 | +GENERATE_THUNK(_ASM_DX) |
2142 | +GENERATE_THUNK(_ASM_SI) |
2143 | +GENERATE_THUNK(_ASM_DI) |
2144 | +GENERATE_THUNK(_ASM_BP) |
2145 | +GENERATE_THUNK(_ASM_SP) |
2146 | +#ifdef CONFIG_64BIT |
2147 | +GENERATE_THUNK(r8) |
2148 | +GENERATE_THUNK(r9) |
2149 | +GENERATE_THUNK(r10) |
2150 | +GENERATE_THUNK(r11) |
2151 | +GENERATE_THUNK(r12) |
2152 | +GENERATE_THUNK(r13) |
2153 | +GENERATE_THUNK(r14) |
2154 | +GENERATE_THUNK(r15) |
2155 | +#endif |
2156 | diff --git a/arch/x86/mm/kaiser.c b/arch/x86/mm/kaiser.c |
2157 | index 8f8e5e03d083..a8ade08a9bf5 100644 |
2158 | --- a/arch/x86/mm/kaiser.c |
2159 | +++ b/arch/x86/mm/kaiser.c |
2160 | @@ -197,6 +197,8 @@ static int kaiser_add_user_map(const void *__start_addr, unsigned long size, |
2161 | * requires that not to be #defined to 0): so mask it off here. |
2162 | */ |
2163 | flags &= ~_PAGE_GLOBAL; |
2164 | + if (!(__supported_pte_mask & _PAGE_NX)) |
2165 | + flags &= ~_PAGE_NX; |
2166 | |
2167 | for (; address < end_addr; address += PAGE_SIZE) { |
2168 | target_address = get_pa_from_mapping(address); |
2169 | diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c |
2170 | index 5aaec8effc5f..209b9465e97a 100644 |
2171 | --- a/arch/x86/mm/pgtable.c |
2172 | +++ b/arch/x86/mm/pgtable.c |
2173 | @@ -345,13 +345,6 @@ static inline void _pgd_free(pgd_t *pgd) |
2174 | } |
2175 | #else |
2176 | |
2177 | -/* |
2178 | - * Instead of one pgd, Kaiser acquires two pgds. Being order-1, it is |
2179 | - * both 8k in size and 8k-aligned. That lets us just flip bit 12 |
2180 | - * in a pointer to swap between the two 4k halves. |
2181 | - */ |
2182 | -#define PGD_ALLOCATION_ORDER kaiser_enabled |
2183 | - |
2184 | static inline pgd_t *_pgd_alloc(void) |
2185 | { |
2186 | return (pgd_t *)__get_free_pages(PGALLOC_GFP, PGD_ALLOCATION_ORDER); |
2187 | diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c |
2188 | index 41205de487e7..578973ade71b 100644 |
2189 | --- a/arch/x86/mm/tlb.c |
2190 | +++ b/arch/x86/mm/tlb.c |
2191 | @@ -110,7 +110,7 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, |
2192 | * mapped in the new pgd, we'll double-fault. Forcibly |
2193 | * map it. |
2194 | */ |
2195 | - unsigned int stack_pgd_index = pgd_index(current_stack_pointer()); |
2196 | + unsigned int stack_pgd_index = pgd_index(current_stack_pointer); |
2197 | |
2198 | pgd_t *pgd = next->pgd + stack_pgd_index; |
2199 | |
2200 | diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c |
2201 | index 2f25a363068c..dcb2d9d185a2 100644 |
2202 | --- a/arch/x86/platform/efi/efi_64.c |
2203 | +++ b/arch/x86/platform/efi/efi_64.c |
2204 | @@ -142,7 +142,7 @@ int __init efi_alloc_page_tables(void) |
2205 | return 0; |
2206 | |
2207 | gfp_mask = GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO; |
2208 | - efi_pgd = (pgd_t *)__get_free_page(gfp_mask); |
2209 | + efi_pgd = (pgd_t *)__get_free_pages(gfp_mask, PGD_ALLOCATION_ORDER); |
2210 | if (!efi_pgd) |
2211 | return -ENOMEM; |
2212 | |
2213 | diff --git a/crypto/algapi.c b/crypto/algapi.c |
2214 | index 1fad2a6b3bbb..5c098ffa7d3d 100644 |
2215 | --- a/crypto/algapi.c |
2216 | +++ b/crypto/algapi.c |
2217 | @@ -167,6 +167,18 @@ void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list, |
2218 | |
2219 | spawn->alg = NULL; |
2220 | spawns = &inst->alg.cra_users; |
2221 | + |
2222 | + /* |
2223 | + * We may encounter an unregistered instance here, since |
2224 | + * an instance's spawns are set up prior to the instance |
2225 | + * being registered. An unregistered instance will have |
2226 | + * NULL ->cra_users.next, since ->cra_users isn't |
2227 | + * properly initialized until registration. But an |
2228 | + * unregistered instance cannot have any users, so treat |
2229 | + * it the same as ->cra_users being empty. |
2230 | + */ |
2231 | + if (spawns->next == NULL) |
2232 | + break; |
2233 | } |
2234 | } while ((spawns = crypto_more_spawns(alg, &stack, &top, |
2235 | &secondary_spawns))); |
2236 | diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig |
2237 | index d02e7c0f5bfd..0651010bba21 100644 |
2238 | --- a/drivers/base/Kconfig |
2239 | +++ b/drivers/base/Kconfig |
2240 | @@ -235,6 +235,9 @@ config GENERIC_CPU_DEVICES |
2241 | config GENERIC_CPU_AUTOPROBE |
2242 | bool |
2243 | |
2244 | +config GENERIC_CPU_VULNERABILITIES |
2245 | + bool |
2246 | + |
2247 | config SOC_BUS |
2248 | bool |
2249 | |
2250 | diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c |
2251 | index 4c28e1a09786..56b6c8508a89 100644 |
2252 | --- a/drivers/base/cpu.c |
2253 | +++ b/drivers/base/cpu.c |
2254 | @@ -499,10 +499,58 @@ static void __init cpu_dev_register_generic(void) |
2255 | #endif |
2256 | } |
2257 | |
2258 | +#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES |
2259 | + |
2260 | +ssize_t __weak cpu_show_meltdown(struct device *dev, |
2261 | + struct device_attribute *attr, char *buf) |
2262 | +{ |
2263 | + return sprintf(buf, "Not affected\n"); |
2264 | +} |
2265 | + |
2266 | +ssize_t __weak cpu_show_spectre_v1(struct device *dev, |
2267 | + struct device_attribute *attr, char *buf) |
2268 | +{ |
2269 | + return sprintf(buf, "Not affected\n"); |
2270 | +} |
2271 | + |
2272 | +ssize_t __weak cpu_show_spectre_v2(struct device *dev, |
2273 | + struct device_attribute *attr, char *buf) |
2274 | +{ |
2275 | + return sprintf(buf, "Not affected\n"); |
2276 | +} |
2277 | + |
2278 | +static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); |
2279 | +static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); |
2280 | +static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL); |
2281 | + |
2282 | +static struct attribute *cpu_root_vulnerabilities_attrs[] = { |
2283 | + &dev_attr_meltdown.attr, |
2284 | + &dev_attr_spectre_v1.attr, |
2285 | + &dev_attr_spectre_v2.attr, |
2286 | + NULL |
2287 | +}; |
2288 | + |
2289 | +static const struct attribute_group cpu_root_vulnerabilities_group = { |
2290 | + .name = "vulnerabilities", |
2291 | + .attrs = cpu_root_vulnerabilities_attrs, |
2292 | +}; |
2293 | + |
2294 | +static void __init cpu_register_vulnerabilities(void) |
2295 | +{ |
2296 | + if (sysfs_create_group(&cpu_subsys.dev_root->kobj, |
2297 | + &cpu_root_vulnerabilities_group)) |
2298 | + pr_err("Unable to register CPU vulnerabilities\n"); |
2299 | +} |
2300 | + |
2301 | +#else |
2302 | +static inline void cpu_register_vulnerabilities(void) { } |
2303 | +#endif |
2304 | + |
2305 | void __init cpu_dev_init(void) |
2306 | { |
2307 | if (subsys_system_register(&cpu_subsys, cpu_root_attr_groups)) |
2308 | panic("Failed to register CPU subsystem"); |
2309 | |
2310 | cpu_dev_register_generic(); |
2311 | + cpu_register_vulnerabilities(); |
2312 | } |
2313 | diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c |
2314 | index 24f4b544d270..e32badd26c8a 100644 |
2315 | --- a/drivers/block/rbd.c |
2316 | +++ b/drivers/block/rbd.c |
2317 | @@ -4511,7 +4511,7 @@ static int rbd_init_disk(struct rbd_device *rbd_dev) |
2318 | segment_size = rbd_obj_bytes(&rbd_dev->header); |
2319 | blk_queue_max_hw_sectors(q, segment_size / SECTOR_SIZE); |
2320 | q->limits.max_sectors = queue_max_hw_sectors(q); |
2321 | - blk_queue_max_segments(q, segment_size / SECTOR_SIZE); |
2322 | + blk_queue_max_segments(q, USHRT_MAX); |
2323 | blk_queue_max_segment_size(q, segment_size); |
2324 | blk_queue_io_min(q, segment_size); |
2325 | blk_queue_io_opt(q, segment_size); |
2326 | diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c |
2327 | index fefb9d995d2c..81f5a552e32f 100644 |
2328 | --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c |
2329 | +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c |
2330 | @@ -2729,6 +2729,8 @@ static int vmw_cmd_dx_view_define(struct vmw_private *dev_priv, |
2331 | } |
2332 | |
2333 | view_type = vmw_view_cmd_to_type(header->id); |
2334 | + if (view_type == vmw_view_max) |
2335 | + return -EINVAL; |
2336 | cmd = container_of(header, typeof(*cmd), header); |
2337 | ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface, |
2338 | user_surface_converter, |
2339 | diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c |
2340 | index e0a8216ecf2b..13c32eb40738 100644 |
2341 | --- a/drivers/hv/hv.c |
2342 | +++ b/drivers/hv/hv.c |
2343 | @@ -31,6 +31,7 @@ |
2344 | #include <linux/clockchips.h> |
2345 | #include <asm/hyperv.h> |
2346 | #include <asm/mshyperv.h> |
2347 | +#include <asm/nospec-branch.h> |
2348 | #include "hyperv_vmbus.h" |
2349 | |
2350 | /* The one and only */ |
2351 | @@ -103,9 +104,10 @@ u64 hv_do_hypercall(u64 control, void *input, void *output) |
2352 | return (u64)ULLONG_MAX; |
2353 | |
2354 | __asm__ __volatile__("mov %0, %%r8" : : "r" (output_address) : "r8"); |
2355 | - __asm__ __volatile__("call *%3" : "=a" (hv_status) : |
2356 | + __asm__ __volatile__(CALL_NOSPEC : |
2357 | + "=a" (hv_status) : |
2358 | "c" (control), "d" (input_address), |
2359 | - "m" (hypercall_page)); |
2360 | + THUNK_TARGET(hypercall_page)); |
2361 | |
2362 | return hv_status; |
2363 | |
2364 | @@ -123,11 +125,12 @@ u64 hv_do_hypercall(u64 control, void *input, void *output) |
2365 | if (!hypercall_page) |
2366 | return (u64)ULLONG_MAX; |
2367 | |
2368 | - __asm__ __volatile__ ("call *%8" : "=d"(hv_status_hi), |
2369 | + __asm__ __volatile__ (CALL_NOSPEC : "=d"(hv_status_hi), |
2370 | "=a"(hv_status_lo) : "d" (control_hi), |
2371 | "a" (control_lo), "b" (input_address_hi), |
2372 | "c" (input_address_lo), "D"(output_address_hi), |
2373 | - "S"(output_address_lo), "m" (hypercall_page)); |
2374 | + "S"(output_address_lo), |
2375 | + THUNK_TARGET(hypercall_page)); |
2376 | |
2377 | return hv_status_lo | ((u64)hv_status_hi << 32); |
2378 | #endif /* !x86_64 */ |
2379 | diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c |
2380 | index b9748970df4a..29ab814693fc 100644 |
2381 | --- a/drivers/infiniband/ulp/srpt/ib_srpt.c |
2382 | +++ b/drivers/infiniband/ulp/srpt/ib_srpt.c |
2383 | @@ -992,8 +992,7 @@ static int srpt_init_ch_qp(struct srpt_rdma_ch *ch, struct ib_qp *qp) |
2384 | return -ENOMEM; |
2385 | |
2386 | attr->qp_state = IB_QPS_INIT; |
2387 | - attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_READ | |
2388 | - IB_ACCESS_REMOTE_WRITE; |
2389 | + attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE; |
2390 | attr->port_num = ch->sport->port; |
2391 | attr->pkey_index = 0; |
2392 | |
2393 | diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c |
2394 | index 7643f72adb1c..3ec647e8b9c6 100644 |
2395 | --- a/drivers/md/dm-bufio.c |
2396 | +++ b/drivers/md/dm-bufio.c |
2397 | @@ -1554,7 +1554,8 @@ static unsigned long __scan(struct dm_bufio_client *c, unsigned long nr_to_scan, |
2398 | int l; |
2399 | struct dm_buffer *b, *tmp; |
2400 | unsigned long freed = 0; |
2401 | - unsigned long count = nr_to_scan; |
2402 | + unsigned long count = c->n_buffers[LIST_CLEAN] + |
2403 | + c->n_buffers[LIST_DIRTY]; |
2404 | unsigned long retain_target = get_retain_buffers(c); |
2405 | |
2406 | for (l = 0; l < LIST_SIZE; l++) { |
2407 | @@ -1591,6 +1592,7 @@ dm_bufio_shrink_count(struct shrinker *shrink, struct shrink_control *sc) |
2408 | { |
2409 | struct dm_bufio_client *c; |
2410 | unsigned long count; |
2411 | + unsigned long retain_target; |
2412 | |
2413 | c = container_of(shrink, struct dm_bufio_client, shrinker); |
2414 | if (sc->gfp_mask & __GFP_FS) |
2415 | @@ -1599,8 +1601,9 @@ dm_bufio_shrink_count(struct shrinker *shrink, struct shrink_control *sc) |
2416 | return 0; |
2417 | |
2418 | count = c->n_buffers[LIST_CLEAN] + c->n_buffers[LIST_DIRTY]; |
2419 | + retain_target = get_retain_buffers(c); |
2420 | dm_bufio_unlock(c); |
2421 | - return count; |
2422 | + return (count < retain_target) ? 0 : (count - retain_target); |
2423 | } |
2424 | |
2425 | /* |
2426 | diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c |
2427 | index eea9aea14b00..5d5012337d9e 100644 |
2428 | --- a/drivers/net/can/usb/gs_usb.c |
2429 | +++ b/drivers/net/can/usb/gs_usb.c |
2430 | @@ -449,7 +449,7 @@ static int gs_usb_set_bittiming(struct net_device *netdev) |
2431 | dev_err(netdev->dev.parent, "Couldn't set bittimings (err=%d)", |
2432 | rc); |
2433 | |
2434 | - return rc; |
2435 | + return (rc > 0) ? 0 : rc; |
2436 | } |
2437 | |
2438 | static void gs_usb_xmit_callback(struct urb *urb) |
2439 | diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c |
2440 | index f3aaca743ea3..8a48656a376b 100644 |
2441 | --- a/drivers/net/ethernet/intel/e1000e/ich8lan.c |
2442 | +++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c |
2443 | @@ -1364,6 +1364,9 @@ static s32 e1000_disable_ulp_lpt_lp(struct e1000_hw *hw, bool force) |
2444 | * Checks to see of the link status of the hardware has changed. If a |
2445 | * change in link status has been detected, then we read the PHY registers |
2446 | * to get the current speed/duplex if link exists. |
2447 | + * |
2448 | + * Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link |
2449 | + * up). |
2450 | **/ |
2451 | static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw) |
2452 | { |
2453 | @@ -1379,7 +1382,7 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw) |
2454 | * Change or Rx Sequence Error interrupt. |
2455 | */ |
2456 | if (!mac->get_link_status) |
2457 | - return 0; |
2458 | + return 1; |
2459 | |
2460 | /* First we want to see if the MII Status Register reports |
2461 | * link. If so, then we want to get the current speed/duplex |
2462 | @@ -1611,10 +1614,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw) |
2463 | * different link partner. |
2464 | */ |
2465 | ret_val = e1000e_config_fc_after_link_up(hw); |
2466 | - if (ret_val) |
2467 | + if (ret_val) { |
2468 | e_dbg("Error configuring flow control\n"); |
2469 | + return ret_val; |
2470 | + } |
2471 | |
2472 | - return ret_val; |
2473 | + return 1; |
2474 | } |
2475 | |
2476 | static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter) |
2477 | diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c |
2478 | index 9e31a3390154..8aa91ddff287 100644 |
2479 | --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c |
2480 | +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c |
2481 | @@ -1328,9 +1328,9 @@ mlxsw_sp_nexthop_group_refresh(struct mlxsw_sp *mlxsw_sp, |
2482 | static void __mlxsw_sp_nexthop_neigh_update(struct mlxsw_sp_nexthop *nh, |
2483 | bool removing) |
2484 | { |
2485 | - if (!removing && !nh->should_offload) |
2486 | + if (!removing) |
2487 | nh->should_offload = 1; |
2488 | - else if (removing && nh->offloaded) |
2489 | + else |
2490 | nh->should_offload = 0; |
2491 | nh->update = 1; |
2492 | } |
2493 | diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c |
2494 | index 2140dedab712..b6816ae00b7a 100644 |
2495 | --- a/drivers/net/ethernet/renesas/sh_eth.c |
2496 | +++ b/drivers/net/ethernet/renesas/sh_eth.c |
2497 | @@ -3087,18 +3087,37 @@ static int sh_eth_drv_probe(struct platform_device *pdev) |
2498 | /* ioremap the TSU registers */ |
2499 | if (mdp->cd->tsu) { |
2500 | struct resource *rtsu; |
2501 | + |
2502 | rtsu = platform_get_resource(pdev, IORESOURCE_MEM, 1); |
2503 | - mdp->tsu_addr = devm_ioremap_resource(&pdev->dev, rtsu); |
2504 | - if (IS_ERR(mdp->tsu_addr)) { |
2505 | - ret = PTR_ERR(mdp->tsu_addr); |
2506 | + if (!rtsu) { |
2507 | + dev_err(&pdev->dev, "no TSU resource\n"); |
2508 | + ret = -ENODEV; |
2509 | + goto out_release; |
2510 | + } |
2511 | + /* We can only request the TSU region for the first port |
2512 | + * of the two sharing this TSU for the probe to succeed... |
2513 | + */ |
2514 | + if (devno % 2 == 0 && |
2515 | + !devm_request_mem_region(&pdev->dev, rtsu->start, |
2516 | + resource_size(rtsu), |
2517 | + dev_name(&pdev->dev))) { |
2518 | + dev_err(&pdev->dev, "can't request TSU resource.\n"); |
2519 | + ret = -EBUSY; |
2520 | + goto out_release; |
2521 | + } |
2522 | + mdp->tsu_addr = devm_ioremap(&pdev->dev, rtsu->start, |
2523 | + resource_size(rtsu)); |
2524 | + if (!mdp->tsu_addr) { |
2525 | + dev_err(&pdev->dev, "TSU region ioremap() failed.\n"); |
2526 | + ret = -ENOMEM; |
2527 | goto out_release; |
2528 | } |
2529 | mdp->port = devno % 2; |
2530 | ndev->features = NETIF_F_HW_VLAN_CTAG_FILTER; |
2531 | } |
2532 | |
2533 | - /* initialize first or needed device */ |
2534 | - if (!devno || pd->needs_init) { |
2535 | + /* Need to init only the first port of the two sharing a TSU */ |
2536 | + if (devno % 2 == 0) { |
2537 | if (mdp->cd->chip_reset) |
2538 | mdp->cd->chip_reset(ndev); |
2539 | |
2540 | diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |
2541 | index adf61a7b1b01..98bbb91336e4 100644 |
2542 | --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |
2543 | +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |
2544 | @@ -280,8 +280,14 @@ static void stmmac_eee_ctrl_timer(unsigned long arg) |
2545 | bool stmmac_eee_init(struct stmmac_priv *priv) |
2546 | { |
2547 | unsigned long flags; |
2548 | + int interface = priv->plat->interface; |
2549 | bool ret = false; |
2550 | |
2551 | + if ((interface != PHY_INTERFACE_MODE_MII) && |
2552 | + (interface != PHY_INTERFACE_MODE_GMII) && |
2553 | + !phy_interface_mode_is_rgmii(interface)) |
2554 | + goto out; |
2555 | + |
2556 | /* Using PCS we cannot dial with the phy registers at this stage |
2557 | * so we do not support extra feature like EEE. |
2558 | */ |
2559 | diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c |
2560 | index e221bfcee76b..947bea81d924 100644 |
2561 | --- a/drivers/net/usb/cx82310_eth.c |
2562 | +++ b/drivers/net/usb/cx82310_eth.c |
2563 | @@ -293,12 +293,9 @@ static struct sk_buff *cx82310_tx_fixup(struct usbnet *dev, struct sk_buff *skb, |
2564 | { |
2565 | int len = skb->len; |
2566 | |
2567 | - if (skb_headroom(skb) < 2) { |
2568 | - struct sk_buff *skb2 = skb_copy_expand(skb, 2, 0, flags); |
2569 | + if (skb_cow_head(skb, 2)) { |
2570 | dev_kfree_skb_any(skb); |
2571 | - skb = skb2; |
2572 | - if (!skb) |
2573 | - return NULL; |
2574 | + return NULL; |
2575 | } |
2576 | skb_push(skb, 2); |
2577 | |
2578 | diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c |
2579 | index f33460cec79f..9c257ffedb15 100644 |
2580 | --- a/drivers/net/usb/lan78xx.c |
2581 | +++ b/drivers/net/usb/lan78xx.c |
2582 | @@ -2419,14 +2419,9 @@ static struct sk_buff *lan78xx_tx_prep(struct lan78xx_net *dev, |
2583 | { |
2584 | u32 tx_cmd_a, tx_cmd_b; |
2585 | |
2586 | - if (skb_headroom(skb) < TX_OVERHEAD) { |
2587 | - struct sk_buff *skb2; |
2588 | - |
2589 | - skb2 = skb_copy_expand(skb, TX_OVERHEAD, 0, flags); |
2590 | + if (skb_cow_head(skb, TX_OVERHEAD)) { |
2591 | dev_kfree_skb_any(skb); |
2592 | - skb = skb2; |
2593 | - if (!skb) |
2594 | - return NULL; |
2595 | + return NULL; |
2596 | } |
2597 | |
2598 | if (lan78xx_linearize(skb) < 0) |
2599 | diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c |
2600 | index 9af9799935db..4cb9b11a545a 100644 |
2601 | --- a/drivers/net/usb/smsc75xx.c |
2602 | +++ b/drivers/net/usb/smsc75xx.c |
2603 | @@ -2205,13 +2205,9 @@ static struct sk_buff *smsc75xx_tx_fixup(struct usbnet *dev, |
2604 | { |
2605 | u32 tx_cmd_a, tx_cmd_b; |
2606 | |
2607 | - if (skb_headroom(skb) < SMSC75XX_TX_OVERHEAD) { |
2608 | - struct sk_buff *skb2 = |
2609 | - skb_copy_expand(skb, SMSC75XX_TX_OVERHEAD, 0, flags); |
2610 | + if (skb_cow_head(skb, SMSC75XX_TX_OVERHEAD)) { |
2611 | dev_kfree_skb_any(skb); |
2612 | - skb = skb2; |
2613 | - if (!skb) |
2614 | - return NULL; |
2615 | + return NULL; |
2616 | } |
2617 | |
2618 | tx_cmd_a = (u32)(skb->len & TX_CMD_A_LEN) | TX_CMD_A_FCS; |
2619 | diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c |
2620 | index 4a1e9c489f1f..aadfe1d1c37e 100644 |
2621 | --- a/drivers/net/usb/sr9700.c |
2622 | +++ b/drivers/net/usb/sr9700.c |
2623 | @@ -456,14 +456,9 @@ static struct sk_buff *sr9700_tx_fixup(struct usbnet *dev, struct sk_buff *skb, |
2624 | |
2625 | len = skb->len; |
2626 | |
2627 | - if (skb_headroom(skb) < SR_TX_OVERHEAD) { |
2628 | - struct sk_buff *skb2; |
2629 | - |
2630 | - skb2 = skb_copy_expand(skb, SR_TX_OVERHEAD, 0, flags); |
2631 | + if (skb_cow_head(skb, SR_TX_OVERHEAD)) { |
2632 | dev_kfree_skb_any(skb); |
2633 | - skb = skb2; |
2634 | - if (!skb) |
2635 | - return NULL; |
2636 | + return NULL; |
2637 | } |
2638 | |
2639 | __skb_push(skb, SR_TX_OVERHEAD); |
2640 | diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c |
2641 | index 0b4c1562420f..ba1fe61e6ea6 100644 |
2642 | --- a/drivers/net/wireless/ath/ath10k/htt_rx.c |
2643 | +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c |
2644 | @@ -548,6 +548,11 @@ static int ath10k_htt_rx_crypto_param_len(struct ath10k *ar, |
2645 | return IEEE80211_TKIP_IV_LEN; |
2646 | case HTT_RX_MPDU_ENCRYPT_AES_CCM_WPA2: |
2647 | return IEEE80211_CCMP_HDR_LEN; |
2648 | + case HTT_RX_MPDU_ENCRYPT_AES_CCM256_WPA2: |
2649 | + return IEEE80211_CCMP_256_HDR_LEN; |
2650 | + case HTT_RX_MPDU_ENCRYPT_AES_GCMP_WPA2: |
2651 | + case HTT_RX_MPDU_ENCRYPT_AES_GCMP256_WPA2: |
2652 | + return IEEE80211_GCMP_HDR_LEN; |
2653 | case HTT_RX_MPDU_ENCRYPT_WEP128: |
2654 | case HTT_RX_MPDU_ENCRYPT_WAPI: |
2655 | break; |
2656 | @@ -573,6 +578,11 @@ static int ath10k_htt_rx_crypto_tail_len(struct ath10k *ar, |
2657 | return IEEE80211_TKIP_ICV_LEN; |
2658 | case HTT_RX_MPDU_ENCRYPT_AES_CCM_WPA2: |
2659 | return IEEE80211_CCMP_MIC_LEN; |
2660 | + case HTT_RX_MPDU_ENCRYPT_AES_CCM256_WPA2: |
2661 | + return IEEE80211_CCMP_256_MIC_LEN; |
2662 | + case HTT_RX_MPDU_ENCRYPT_AES_GCMP_WPA2: |
2663 | + case HTT_RX_MPDU_ENCRYPT_AES_GCMP256_WPA2: |
2664 | + return IEEE80211_GCMP_MIC_LEN; |
2665 | case HTT_RX_MPDU_ENCRYPT_WEP128: |
2666 | case HTT_RX_MPDU_ENCRYPT_WAPI: |
2667 | break; |
2668 | @@ -1024,9 +1034,21 @@ static void ath10k_htt_rx_h_undecap_raw(struct ath10k *ar, |
2669 | hdr = (void *)msdu->data; |
2670 | |
2671 | /* Tail */ |
2672 | - if (status->flag & RX_FLAG_IV_STRIPPED) |
2673 | + if (status->flag & RX_FLAG_IV_STRIPPED) { |
2674 | skb_trim(msdu, msdu->len - |
2675 | ath10k_htt_rx_crypto_tail_len(ar, enctype)); |
2676 | + } else { |
2677 | + /* MIC */ |
2678 | + if ((status->flag & RX_FLAG_MIC_STRIPPED) && |
2679 | + enctype == HTT_RX_MPDU_ENCRYPT_AES_CCM_WPA2) |
2680 | + skb_trim(msdu, msdu->len - 8); |
2681 | + |
2682 | + /* ICV */ |
2683 | + if (status->flag & RX_FLAG_ICV_STRIPPED && |
2684 | + enctype != HTT_RX_MPDU_ENCRYPT_AES_CCM_WPA2) |
2685 | + skb_trim(msdu, msdu->len - |
2686 | + ath10k_htt_rx_crypto_tail_len(ar, enctype)); |
2687 | + } |
2688 | |
2689 | /* MMIC */ |
2690 | if ((status->flag & RX_FLAG_MMIC_STRIPPED) && |
2691 | @@ -1048,7 +1070,8 @@ static void ath10k_htt_rx_h_undecap_raw(struct ath10k *ar, |
2692 | static void ath10k_htt_rx_h_undecap_nwifi(struct ath10k *ar, |
2693 | struct sk_buff *msdu, |
2694 | struct ieee80211_rx_status *status, |
2695 | - const u8 first_hdr[64]) |
2696 | + const u8 first_hdr[64], |
2697 | + enum htt_rx_mpdu_encrypt_type enctype) |
2698 | { |
2699 | struct ieee80211_hdr *hdr; |
2700 | struct htt_rx_desc *rxd; |
2701 | @@ -1056,6 +1079,7 @@ static void ath10k_htt_rx_h_undecap_nwifi(struct ath10k *ar, |
2702 | u8 da[ETH_ALEN]; |
2703 | u8 sa[ETH_ALEN]; |
2704 | int l3_pad_bytes; |
2705 | + int bytes_aligned = ar->hw_params.decap_align_bytes; |
2706 | |
2707 | /* Delivered decapped frame: |
2708 | * [nwifi 802.11 header] <-- replaced with 802.11 hdr |
2709 | @@ -1084,6 +1108,14 @@ static void ath10k_htt_rx_h_undecap_nwifi(struct ath10k *ar, |
2710 | /* push original 802.11 header */ |
2711 | hdr = (struct ieee80211_hdr *)first_hdr; |
2712 | hdr_len = ieee80211_hdrlen(hdr->frame_control); |
2713 | + |
2714 | + if (!(status->flag & RX_FLAG_IV_STRIPPED)) { |
2715 | + memcpy(skb_push(msdu, |
2716 | + ath10k_htt_rx_crypto_param_len(ar, enctype)), |
2717 | + (void *)hdr + round_up(hdr_len, bytes_aligned), |
2718 | + ath10k_htt_rx_crypto_param_len(ar, enctype)); |
2719 | + } |
2720 | + |
2721 | memcpy(skb_push(msdu, hdr_len), hdr, hdr_len); |
2722 | |
2723 | /* original 802.11 header has a different DA and in |
2724 | @@ -1144,6 +1176,7 @@ static void ath10k_htt_rx_h_undecap_eth(struct ath10k *ar, |
2725 | u8 sa[ETH_ALEN]; |
2726 | int l3_pad_bytes; |
2727 | struct htt_rx_desc *rxd; |
2728 | + int bytes_aligned = ar->hw_params.decap_align_bytes; |
2729 | |
2730 | /* Delivered decapped frame: |
2731 | * [eth header] <-- replaced with 802.11 hdr & rfc1042/llc |
2732 | @@ -1172,6 +1205,14 @@ static void ath10k_htt_rx_h_undecap_eth(struct ath10k *ar, |
2733 | /* push original 802.11 header */ |
2734 | hdr = (struct ieee80211_hdr *)first_hdr; |
2735 | hdr_len = ieee80211_hdrlen(hdr->frame_control); |
2736 | + |
2737 | + if (!(status->flag & RX_FLAG_IV_STRIPPED)) { |
2738 | + memcpy(skb_push(msdu, |
2739 | + ath10k_htt_rx_crypto_param_len(ar, enctype)), |
2740 | + (void *)hdr + round_up(hdr_len, bytes_aligned), |
2741 | + ath10k_htt_rx_crypto_param_len(ar, enctype)); |
2742 | + } |
2743 | + |
2744 | memcpy(skb_push(msdu, hdr_len), hdr, hdr_len); |
2745 | |
2746 | /* original 802.11 header has a different DA and in |
2747 | @@ -1185,12 +1226,14 @@ static void ath10k_htt_rx_h_undecap_eth(struct ath10k *ar, |
2748 | static void ath10k_htt_rx_h_undecap_snap(struct ath10k *ar, |
2749 | struct sk_buff *msdu, |
2750 | struct ieee80211_rx_status *status, |
2751 | - const u8 first_hdr[64]) |
2752 | + const u8 first_hdr[64], |
2753 | + enum htt_rx_mpdu_encrypt_type enctype) |
2754 | { |
2755 | struct ieee80211_hdr *hdr; |
2756 | size_t hdr_len; |
2757 | int l3_pad_bytes; |
2758 | struct htt_rx_desc *rxd; |
2759 | + int bytes_aligned = ar->hw_params.decap_align_bytes; |
2760 | |
2761 | /* Delivered decapped frame: |
2762 | * [amsdu header] <-- replaced with 802.11 hdr |
2763 | @@ -1206,6 +1249,14 @@ static void ath10k_htt_rx_h_undecap_snap(struct ath10k *ar, |
2764 | |
2765 | hdr = (struct ieee80211_hdr *)first_hdr; |
2766 | hdr_len = ieee80211_hdrlen(hdr->frame_control); |
2767 | + |
2768 | + if (!(status->flag & RX_FLAG_IV_STRIPPED)) { |
2769 | + memcpy(skb_push(msdu, |
2770 | + ath10k_htt_rx_crypto_param_len(ar, enctype)), |
2771 | + (void *)hdr + round_up(hdr_len, bytes_aligned), |
2772 | + ath10k_htt_rx_crypto_param_len(ar, enctype)); |
2773 | + } |
2774 | + |
2775 | memcpy(skb_push(msdu, hdr_len), hdr, hdr_len); |
2776 | } |
2777 | |
2778 | @@ -1240,13 +1291,15 @@ static void ath10k_htt_rx_h_undecap(struct ath10k *ar, |
2779 | is_decrypted); |
2780 | break; |
2781 | case RX_MSDU_DECAP_NATIVE_WIFI: |
2782 | - ath10k_htt_rx_h_undecap_nwifi(ar, msdu, status, first_hdr); |
2783 | + ath10k_htt_rx_h_undecap_nwifi(ar, msdu, status, first_hdr, |
2784 | + enctype); |
2785 | break; |
2786 | case RX_MSDU_DECAP_ETHERNET2_DIX: |
2787 | ath10k_htt_rx_h_undecap_eth(ar, msdu, status, first_hdr, enctype); |
2788 | break; |
2789 | case RX_MSDU_DECAP_8023_SNAP_LLC: |
2790 | - ath10k_htt_rx_h_undecap_snap(ar, msdu, status, first_hdr); |
2791 | + ath10k_htt_rx_h_undecap_snap(ar, msdu, status, first_hdr, |
2792 | + enctype); |
2793 | break; |
2794 | } |
2795 | } |
2796 | @@ -1289,7 +1342,8 @@ static void ath10k_htt_rx_h_csum_offload(struct sk_buff *msdu) |
2797 | |
2798 | static void ath10k_htt_rx_h_mpdu(struct ath10k *ar, |
2799 | struct sk_buff_head *amsdu, |
2800 | - struct ieee80211_rx_status *status) |
2801 | + struct ieee80211_rx_status *status, |
2802 | + bool fill_crypt_header) |
2803 | { |
2804 | struct sk_buff *first; |
2805 | struct sk_buff *last; |
2806 | @@ -1299,7 +1353,6 @@ static void ath10k_htt_rx_h_mpdu(struct ath10k *ar, |
2807 | enum htt_rx_mpdu_encrypt_type enctype; |
2808 | u8 first_hdr[64]; |
2809 | u8 *qos; |
2810 | - size_t hdr_len; |
2811 | bool has_fcs_err; |
2812 | bool has_crypto_err; |
2813 | bool has_tkip_err; |
2814 | @@ -1324,15 +1377,17 @@ static void ath10k_htt_rx_h_mpdu(struct ath10k *ar, |
2815 | * decapped header. It'll be used for undecapping of each MSDU. |
2816 | */ |
2817 | hdr = (void *)rxd->rx_hdr_status; |
2818 | - hdr_len = ieee80211_hdrlen(hdr->frame_control); |
2819 | - memcpy(first_hdr, hdr, hdr_len); |
2820 | + memcpy(first_hdr, hdr, RX_HTT_HDR_STATUS_LEN); |
2821 | |
2822 | /* Each A-MSDU subframe will use the original header as the base and be |
2823 | * reported as a separate MSDU so strip the A-MSDU bit from QoS Ctl. |
2824 | */ |
2825 | hdr = (void *)first_hdr; |
2826 | - qos = ieee80211_get_qos_ctl(hdr); |
2827 | - qos[0] &= ~IEEE80211_QOS_CTL_A_MSDU_PRESENT; |
2828 | + |
2829 | + if (ieee80211_is_data_qos(hdr->frame_control)) { |
2830 | + qos = ieee80211_get_qos_ctl(hdr); |
2831 | + qos[0] &= ~IEEE80211_QOS_CTL_A_MSDU_PRESENT; |
2832 | + } |
2833 | |
2834 | /* Some attention flags are valid only in the last MSDU. */ |
2835 | last = skb_peek_tail(amsdu); |
2836 | @@ -1379,9 +1434,14 @@ static void ath10k_htt_rx_h_mpdu(struct ath10k *ar, |
2837 | status->flag |= RX_FLAG_DECRYPTED; |
2838 | |
2839 | if (likely(!is_mgmt)) |
2840 | - status->flag |= RX_FLAG_IV_STRIPPED | |
2841 | - RX_FLAG_MMIC_STRIPPED; |
2842 | -} |
2843 | + status->flag |= RX_FLAG_MMIC_STRIPPED; |
2844 | + |
2845 | + if (fill_crypt_header) |
2846 | + status->flag |= RX_FLAG_MIC_STRIPPED | |
2847 | + RX_FLAG_ICV_STRIPPED; |
2848 | + else |
2849 | + status->flag |= RX_FLAG_IV_STRIPPED; |
2850 | + } |
2851 | |
2852 | skb_queue_walk(amsdu, msdu) { |
2853 | ath10k_htt_rx_h_csum_offload(msdu); |
2854 | @@ -1397,6 +1457,9 @@ static void ath10k_htt_rx_h_mpdu(struct ath10k *ar, |
2855 | if (is_mgmt) |
2856 | continue; |
2857 | |
2858 | + if (fill_crypt_header) |
2859 | + continue; |
2860 | + |
2861 | hdr = (void *)msdu->data; |
2862 | hdr->frame_control &= ~__cpu_to_le16(IEEE80211_FCTL_PROTECTED); |
2863 | } |
2864 | @@ -1407,6 +1470,9 @@ static void ath10k_htt_rx_h_deliver(struct ath10k *ar, |
2865 | struct ieee80211_rx_status *status) |
2866 | { |
2867 | struct sk_buff *msdu; |
2868 | + struct sk_buff *first_subframe; |
2869 | + |
2870 | + first_subframe = skb_peek(amsdu); |
2871 | |
2872 | while ((msdu = __skb_dequeue(amsdu))) { |
2873 | /* Setup per-MSDU flags */ |
2874 | @@ -1415,6 +1481,13 @@ static void ath10k_htt_rx_h_deliver(struct ath10k *ar, |
2875 | else |
2876 | status->flag |= RX_FLAG_AMSDU_MORE; |
2877 | |
2878 | + if (msdu == first_subframe) { |
2879 | + first_subframe = NULL; |
2880 | + status->flag &= ~RX_FLAG_ALLOW_SAME_PN; |
2881 | + } else { |
2882 | + status->flag |= RX_FLAG_ALLOW_SAME_PN; |
2883 | + } |
2884 | + |
2885 | ath10k_process_rx(ar, status, msdu); |
2886 | } |
2887 | } |
2888 | @@ -1557,7 +1630,7 @@ static int ath10k_htt_rx_handle_amsdu(struct ath10k_htt *htt) |
2889 | ath10k_htt_rx_h_ppdu(ar, &amsdu, rx_status, 0xffff); |
2890 | ath10k_htt_rx_h_unchain(ar, &amsdu, ret > 0); |
2891 | ath10k_htt_rx_h_filter(ar, &amsdu, rx_status); |
2892 | - ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status); |
2893 | + ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status, true); |
2894 | ath10k_htt_rx_h_deliver(ar, &amsdu, rx_status); |
2895 | |
2896 | return num_msdus; |
2897 | @@ -1892,7 +1965,7 @@ static int ath10k_htt_rx_in_ord_ind(struct ath10k *ar, struct sk_buff *skb) |
2898 | num_msdus += skb_queue_len(&amsdu); |
2899 | ath10k_htt_rx_h_ppdu(ar, &amsdu, status, vdev_id); |
2900 | ath10k_htt_rx_h_filter(ar, &amsdu, status); |
2901 | - ath10k_htt_rx_h_mpdu(ar, &amsdu, status); |
2902 | + ath10k_htt_rx_h_mpdu(ar, &amsdu, status, false); |
2903 | ath10k_htt_rx_h_deliver(ar, &amsdu, status); |
2904 | break; |
2905 | case -EAGAIN: |
2906 | diff --git a/drivers/net/wireless/ath/ath10k/rx_desc.h b/drivers/net/wireless/ath/ath10k/rx_desc.h |
2907 | index 034e7a54c5b2..e4878d0044bf 100644 |
2908 | --- a/drivers/net/wireless/ath/ath10k/rx_desc.h |
2909 | +++ b/drivers/net/wireless/ath/ath10k/rx_desc.h |
2910 | @@ -239,6 +239,9 @@ enum htt_rx_mpdu_encrypt_type { |
2911 | HTT_RX_MPDU_ENCRYPT_WAPI = 5, |
2912 | HTT_RX_MPDU_ENCRYPT_AES_CCM_WPA2 = 6, |
2913 | HTT_RX_MPDU_ENCRYPT_NONE = 7, |
2914 | + HTT_RX_MPDU_ENCRYPT_AES_CCM256_WPA2 = 8, |
2915 | + HTT_RX_MPDU_ENCRYPT_AES_GCMP_WPA2 = 9, |
2916 | + HTT_RX_MPDU_ENCRYPT_AES_GCMP256_WPA2 = 10, |
2917 | }; |
2918 | |
2919 | #define RX_MPDU_START_INFO0_PEER_IDX_MASK 0x000007ff |
2920 | diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c |
2921 | index ceeb8c188ef3..00d82e8443bd 100644 |
2922 | --- a/drivers/platform/x86/wmi.c |
2923 | +++ b/drivers/platform/x86/wmi.c |
2924 | @@ -848,5 +848,5 @@ static void __exit acpi_wmi_exit(void) |
2925 | pr_info("Mapper unloaded\n"); |
2926 | } |
2927 | |
2928 | -subsys_initcall(acpi_wmi_init); |
2929 | +subsys_initcall_sync(acpi_wmi_init); |
2930 | module_exit(acpi_wmi_exit); |
2931 | diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c |
2932 | index 2b770cb0c488..558a66b459fa 100644 |
2933 | --- a/drivers/staging/android/ashmem.c |
2934 | +++ b/drivers/staging/android/ashmem.c |
2935 | @@ -774,10 +774,12 @@ static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg) |
2936 | break; |
2937 | case ASHMEM_SET_SIZE: |
2938 | ret = -EINVAL; |
2939 | + mutex_lock(&ashmem_mutex); |
2940 | if (!asma->file) { |
2941 | ret = 0; |
2942 | asma->size = (size_t)arg; |
2943 | } |
2944 | + mutex_unlock(&ashmem_mutex); |
2945 | break; |
2946 | case ASHMEM_GET_SIZE: |
2947 | ret = asma->size; |
2948 | diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c |
2949 | index 72e926d9868f..04d2b6e25503 100644 |
2950 | --- a/drivers/target/iscsi/iscsi_target.c |
2951 | +++ b/drivers/target/iscsi/iscsi_target.c |
2952 | @@ -1940,7 +1940,6 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, |
2953 | struct iscsi_tmr_req *tmr_req; |
2954 | struct iscsi_tm *hdr; |
2955 | int out_of_order_cmdsn = 0, ret; |
2956 | - bool sess_ref = false; |
2957 | u8 function, tcm_function = TMR_UNKNOWN; |
2958 | |
2959 | hdr = (struct iscsi_tm *) buf; |
2960 | @@ -1982,18 +1981,17 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, |
2961 | buf); |
2962 | } |
2963 | |
2964 | + transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops, |
2965 | + conn->sess->se_sess, 0, DMA_NONE, |
2966 | + TCM_SIMPLE_TAG, cmd->sense_buffer + 2); |
2967 | + |
2968 | + target_get_sess_cmd(&cmd->se_cmd, true); |
2969 | + |
2970 | /* |
2971 | * TASK_REASSIGN for ERL=2 / connection stays inside of |
2972 | * LIO-Target $FABRIC_MOD |
2973 | */ |
2974 | if (function != ISCSI_TM_FUNC_TASK_REASSIGN) { |
2975 | - transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops, |
2976 | - conn->sess->se_sess, 0, DMA_NONE, |
2977 | - TCM_SIMPLE_TAG, cmd->sense_buffer + 2); |
2978 | - |
2979 | - target_get_sess_cmd(&cmd->se_cmd, true); |
2980 | - sess_ref = true; |
2981 | - |
2982 | switch (function) { |
2983 | case ISCSI_TM_FUNC_ABORT_TASK: |
2984 | tcm_function = TMR_ABORT_TASK; |
2985 | @@ -2132,12 +2130,8 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, |
2986 | * For connection recovery, this is also the default action for |
2987 | * TMR TASK_REASSIGN. |
2988 | */ |
2989 | - if (sess_ref) { |
2990 | - pr_debug("Handle TMR, using sess_ref=true check\n"); |
2991 | - target_put_sess_cmd(&cmd->se_cmd); |
2992 | - } |
2993 | - |
2994 | iscsit_add_cmd_to_response_queue(cmd, conn, cmd->i_state); |
2995 | + target_put_sess_cmd(&cmd->se_cmd); |
2996 | return 0; |
2997 | } |
2998 | EXPORT_SYMBOL(iscsit_handle_task_mgt_cmd); |
2999 | diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c |
3000 | index 27dd1e12f246..14bb2db5273c 100644 |
3001 | --- a/drivers/target/target_core_tmr.c |
3002 | +++ b/drivers/target/target_core_tmr.c |
3003 | @@ -133,6 +133,15 @@ static bool __target_check_io_state(struct se_cmd *se_cmd, |
3004 | spin_unlock(&se_cmd->t_state_lock); |
3005 | return false; |
3006 | } |
3007 | + if (se_cmd->transport_state & CMD_T_PRE_EXECUTE) { |
3008 | + if (se_cmd->scsi_status) { |
3009 | + pr_debug("Attempted to abort io tag: %llu early failure" |
3010 | + " status: 0x%02x\n", se_cmd->tag, |
3011 | + se_cmd->scsi_status); |
3012 | + spin_unlock(&se_cmd->t_state_lock); |
3013 | + return false; |
3014 | + } |
3015 | + } |
3016 | if (sess->sess_tearing_down || se_cmd->cmd_wait_set) { |
3017 | pr_debug("Attempted to abort io tag: %llu already shutdown," |
3018 | " skipping\n", se_cmd->tag); |
3019 | diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c |
3020 | index 4c0782cb1e94..6f3eccf986c7 100644 |
3021 | --- a/drivers/target/target_core_transport.c |
3022 | +++ b/drivers/target/target_core_transport.c |
3023 | @@ -1939,6 +1939,7 @@ void target_execute_cmd(struct se_cmd *cmd) |
3024 | } |
3025 | |
3026 | cmd->t_state = TRANSPORT_PROCESSING; |
3027 | + cmd->transport_state &= ~CMD_T_PRE_EXECUTE; |
3028 | cmd->transport_state |= CMD_T_ACTIVE|CMD_T_BUSY|CMD_T_SENT; |
3029 | spin_unlock_irq(&cmd->t_state_lock); |
3030 | |
3031 | @@ -2592,6 +2593,7 @@ int target_get_sess_cmd(struct se_cmd *se_cmd, bool ack_kref) |
3032 | ret = -ESHUTDOWN; |
3033 | goto out; |
3034 | } |
3035 | + se_cmd->transport_state |= CMD_T_PRE_EXECUTE; |
3036 | list_add_tail(&se_cmd->se_cmd_list, &se_sess->sess_cmd_list); |
3037 | out: |
3038 | spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); |
3039 | diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c |
3040 | index 82eea55a7b5c..3b7d69ca83be 100644 |
3041 | --- a/drivers/usb/host/xhci-mem.c |
3042 | +++ b/drivers/usb/host/xhci-mem.c |
3043 | @@ -1086,7 +1086,8 @@ int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id, |
3044 | |
3045 | return 1; |
3046 | fail: |
3047 | - |
3048 | + if (dev->eps[0].ring) |
3049 | + xhci_ring_free(xhci, dev->eps[0].ring); |
3050 | if (dev->in_ctx) |
3051 | xhci_free_container_ctx(xhci, dev->in_ctx); |
3052 | if (dev->out_ctx) |
3053 | diff --git a/drivers/usb/misc/usb3503.c b/drivers/usb/misc/usb3503.c |
3054 | index 8e7737d7ac0a..03be5d574f23 100644 |
3055 | --- a/drivers/usb/misc/usb3503.c |
3056 | +++ b/drivers/usb/misc/usb3503.c |
3057 | @@ -292,6 +292,8 @@ static int usb3503_probe(struct usb3503 *hub) |
3058 | if (gpio_is_valid(hub->gpio_reset)) { |
3059 | err = devm_gpio_request_one(dev, hub->gpio_reset, |
3060 | GPIOF_OUT_INIT_LOW, "usb3503 reset"); |
3061 | + /* Datasheet defines a hardware reset to be at least 100us */ |
3062 | + usleep_range(100, 10000); |
3063 | if (err) { |
3064 | dev_err(dev, |
3065 | "unable to request GPIO %d as reset pin (%d)\n", |
3066 | diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c |
3067 | index 1a874a1f3890..80b37d214beb 100644 |
3068 | --- a/drivers/usb/mon/mon_bin.c |
3069 | +++ b/drivers/usb/mon/mon_bin.c |
3070 | @@ -1002,7 +1002,9 @@ static long mon_bin_ioctl(struct file *file, unsigned int cmd, unsigned long arg |
3071 | break; |
3072 | |
3073 | case MON_IOCQ_RING_SIZE: |
3074 | + mutex_lock(&rp->fetch_lock); |
3075 | ret = rp->b_size; |
3076 | + mutex_unlock(&rp->fetch_lock); |
3077 | break; |
3078 | |
3079 | case MON_IOCT_RING_SIZE: |
3080 | @@ -1229,12 +1231,16 @@ static int mon_bin_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf) |
3081 | unsigned long offset, chunk_idx; |
3082 | struct page *pageptr; |
3083 | |
3084 | + mutex_lock(&rp->fetch_lock); |
3085 | offset = vmf->pgoff << PAGE_SHIFT; |
3086 | - if (offset >= rp->b_size) |
3087 | + if (offset >= rp->b_size) { |
3088 | + mutex_unlock(&rp->fetch_lock); |
3089 | return VM_FAULT_SIGBUS; |
3090 | + } |
3091 | chunk_idx = offset / CHUNK_SIZE; |
3092 | pageptr = rp->b_vec[chunk_idx].pg; |
3093 | get_page(pageptr); |
3094 | + mutex_unlock(&rp->fetch_lock); |
3095 | vmf->page = pageptr; |
3096 | return 0; |
3097 | } |
3098 | diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c |
3099 | index 11ee55e080e5..3178d8afb3e6 100644 |
3100 | --- a/drivers/usb/serial/cp210x.c |
3101 | +++ b/drivers/usb/serial/cp210x.c |
3102 | @@ -121,6 +121,7 @@ static const struct usb_device_id id_table[] = { |
3103 | { USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */ |
3104 | { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */ |
3105 | { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */ |
3106 | + { USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */ |
3107 | { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */ |
3108 | { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */ |
3109 | { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */ |
3110 | @@ -171,6 +172,7 @@ static const struct usb_device_id id_table[] = { |
3111 | { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */ |
3112 | { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */ |
3113 | { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */ |
3114 | + { USB_DEVICE(0x18EF, 0xE030) }, /* ELV ALC 8xxx Battery Charger */ |
3115 | { USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */ |
3116 | { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ |
3117 | { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ |
3118 | diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h |
3119 | index 9f356f7cf7d5..719ec68ae309 100644 |
3120 | --- a/drivers/usb/storage/unusual_uas.h |
3121 | +++ b/drivers/usb/storage/unusual_uas.h |
3122 | @@ -156,6 +156,13 @@ UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999, |
3123 | USB_SC_DEVICE, USB_PR_DEVICE, NULL, |
3124 | US_FL_NO_ATA_1X), |
3125 | |
3126 | +/* Reported-by: Icenowy Zheng <icenowy@aosc.io> */ |
3127 | +UNUSUAL_DEV(0x2537, 0x1068, 0x0000, 0x9999, |
3128 | + "Norelsys", |
3129 | + "NS1068X", |
3130 | + USB_SC_DEVICE, USB_PR_DEVICE, NULL, |
3131 | + US_FL_IGNORE_UAS), |
3132 | + |
3133 | /* Reported-by: Takeo Nakayama <javhera@gmx.com> */ |
3134 | UNUSUAL_DEV(0x357d, 0x7788, 0x0000, 0x9999, |
3135 | "JMicron", |
3136 | diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c |
3137 | index e24b24fa0f16..2a5d3180777d 100644 |
3138 | --- a/drivers/usb/usbip/usbip_common.c |
3139 | +++ b/drivers/usb/usbip/usbip_common.c |
3140 | @@ -105,7 +105,7 @@ static void usbip_dump_usb_device(struct usb_device *udev) |
3141 | dev_dbg(dev, " devnum(%d) devpath(%s) usb speed(%s)", |
3142 | udev->devnum, udev->devpath, usb_speed_string(udev->speed)); |
3143 | |
3144 | - pr_debug("tt %p, ttport %d\n", udev->tt, udev->ttport); |
3145 | + pr_debug("tt hub ttport %d\n", udev->ttport); |
3146 | |
3147 | dev_dbg(dev, " "); |
3148 | for (i = 0; i < 16; i++) |
3149 | @@ -138,12 +138,8 @@ static void usbip_dump_usb_device(struct usb_device *udev) |
3150 | } |
3151 | pr_debug("\n"); |
3152 | |
3153 | - dev_dbg(dev, "parent %p, bus %p\n", udev->parent, udev->bus); |
3154 | - |
3155 | - dev_dbg(dev, |
3156 | - "descriptor %p, config %p, actconfig %p, rawdescriptors %p\n", |
3157 | - &udev->descriptor, udev->config, |
3158 | - udev->actconfig, udev->rawdescriptors); |
3159 | + dev_dbg(dev, "parent %s, bus %s\n", dev_name(&udev->parent->dev), |
3160 | + udev->bus->bus_name); |
3161 | |
3162 | dev_dbg(dev, "have_langid %d, string_langid %d\n", |
3163 | udev->have_langid, udev->string_langid); |
3164 | @@ -251,9 +247,6 @@ void usbip_dump_urb(struct urb *urb) |
3165 | |
3166 | dev = &urb->dev->dev; |
3167 | |
3168 | - dev_dbg(dev, " urb :%p\n", urb); |
3169 | - dev_dbg(dev, " dev :%p\n", urb->dev); |
3170 | - |
3171 | usbip_dump_usb_device(urb->dev); |
3172 | |
3173 | dev_dbg(dev, " pipe :%08x ", urb->pipe); |
3174 | @@ -262,11 +255,9 @@ void usbip_dump_urb(struct urb *urb) |
3175 | |
3176 | dev_dbg(dev, " status :%d\n", urb->status); |
3177 | dev_dbg(dev, " transfer_flags :%08X\n", urb->transfer_flags); |
3178 | - dev_dbg(dev, " transfer_buffer :%p\n", urb->transfer_buffer); |
3179 | dev_dbg(dev, " transfer_buffer_length:%d\n", |
3180 | urb->transfer_buffer_length); |
3181 | dev_dbg(dev, " actual_length :%d\n", urb->actual_length); |
3182 | - dev_dbg(dev, " setup_packet :%p\n", urb->setup_packet); |
3183 | |
3184 | if (urb->setup_packet && usb_pipetype(urb->pipe) == PIPE_CONTROL) |
3185 | usbip_dump_usb_ctrlrequest( |
3186 | @@ -276,8 +267,6 @@ void usbip_dump_urb(struct urb *urb) |
3187 | dev_dbg(dev, " number_of_packets :%d\n", urb->number_of_packets); |
3188 | dev_dbg(dev, " interval :%d\n", urb->interval); |
3189 | dev_dbg(dev, " error_count :%d\n", urb->error_count); |
3190 | - dev_dbg(dev, " context :%p\n", urb->context); |
3191 | - dev_dbg(dev, " complete :%p\n", urb->complete); |
3192 | } |
3193 | EXPORT_SYMBOL_GPL(usbip_dump_urb); |
3194 | |
3195 | diff --git a/drivers/usb/usbip/vudc_rx.c b/drivers/usb/usbip/vudc_rx.c |
3196 | index e429b59f6f8a..d020e72b3122 100644 |
3197 | --- a/drivers/usb/usbip/vudc_rx.c |
3198 | +++ b/drivers/usb/usbip/vudc_rx.c |
3199 | @@ -132,6 +132,25 @@ static int v_recv_cmd_submit(struct vudc *udc, |
3200 | urb_p->new = 1; |
3201 | urb_p->seqnum = pdu->base.seqnum; |
3202 | |
3203 | + if (urb_p->ep->type == USB_ENDPOINT_XFER_ISOC) { |
3204 | + /* validate packet size and number of packets */ |
3205 | + unsigned int maxp, packets, bytes; |
3206 | + |
3207 | + maxp = usb_endpoint_maxp(urb_p->ep->desc); |
3208 | + maxp *= usb_endpoint_maxp_mult(urb_p->ep->desc); |
3209 | + bytes = pdu->u.cmd_submit.transfer_buffer_length; |
3210 | + packets = DIV_ROUND_UP(bytes, maxp); |
3211 | + |
3212 | + if (pdu->u.cmd_submit.number_of_packets < 0 || |
3213 | + pdu->u.cmd_submit.number_of_packets > packets) { |
3214 | + dev_err(&udc->gadget.dev, |
3215 | + "CMD_SUBMIT: isoc invalid num packets %d\n", |
3216 | + pdu->u.cmd_submit.number_of_packets); |
3217 | + ret = -EMSGSIZE; |
3218 | + goto free_urbp; |
3219 | + } |
3220 | + } |
3221 | + |
3222 | ret = alloc_urb_from_cmd(&urb_p->urb, pdu, urb_p->ep->type); |
3223 | if (ret) { |
3224 | usbip_event_add(&udc->ud, VUDC_EVENT_ERROR_MALLOC); |
3225 | diff --git a/drivers/usb/usbip/vudc_tx.c b/drivers/usb/usbip/vudc_tx.c |
3226 | index 234661782fa0..3ab4c86486a7 100644 |
3227 | --- a/drivers/usb/usbip/vudc_tx.c |
3228 | +++ b/drivers/usb/usbip/vudc_tx.c |
3229 | @@ -97,6 +97,13 @@ static int v_send_ret_submit(struct vudc *udc, struct urbp *urb_p) |
3230 | memset(&pdu_header, 0, sizeof(pdu_header)); |
3231 | memset(&msg, 0, sizeof(msg)); |
3232 | |
3233 | + if (urb->actual_length > 0 && !urb->transfer_buffer) { |
3234 | + dev_err(&udc->gadget.dev, |
3235 | + "urb: actual_length %d transfer_buffer null\n", |
3236 | + urb->actual_length); |
3237 | + return -1; |
3238 | + } |
3239 | + |
3240 | if (urb_p->type == USB_ENDPOINT_XFER_ISOC) |
3241 | iovnum = 2 + urb->number_of_packets; |
3242 | else |
3243 | @@ -112,8 +119,8 @@ static int v_send_ret_submit(struct vudc *udc, struct urbp *urb_p) |
3244 | |
3245 | /* 1. setup usbip_header */ |
3246 | setup_ret_submit_pdu(&pdu_header, urb_p); |
3247 | - usbip_dbg_stub_tx("setup txdata seqnum: %d urb: %p\n", |
3248 | - pdu_header.base.seqnum, urb); |
3249 | + usbip_dbg_stub_tx("setup txdata seqnum: %d\n", |
3250 | + pdu_header.base.seqnum); |
3251 | usbip_header_correct_endian(&pdu_header, 1); |
3252 | |
3253 | iov[iovnum].iov_base = &pdu_header; |
3254 | diff --git a/include/linux/bpf.h b/include/linux/bpf.h |
3255 | index 97498be2ca2e..75ffd3b2149e 100644 |
3256 | --- a/include/linux/bpf.h |
3257 | +++ b/include/linux/bpf.h |
3258 | @@ -43,6 +43,7 @@ struct bpf_map { |
3259 | u32 max_entries; |
3260 | u32 map_flags; |
3261 | u32 pages; |
3262 | + bool unpriv_array; |
3263 | struct user_struct *user; |
3264 | const struct bpf_map_ops *ops; |
3265 | struct work_struct work; |
3266 | @@ -189,6 +190,7 @@ struct bpf_prog_aux { |
3267 | struct bpf_array { |
3268 | struct bpf_map map; |
3269 | u32 elem_size; |
3270 | + u32 index_mask; |
3271 | /* 'ownership' of prog_array is claimed by the first program that |
3272 | * is going to use this map or by the first program which FD is stored |
3273 | * in the map to make sure that all callers and callees have the same |
3274 | diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h |
3275 | index 4c4e9358c146..070fc49e39e2 100644 |
3276 | --- a/include/linux/bpf_verifier.h |
3277 | +++ b/include/linux/bpf_verifier.h |
3278 | @@ -67,7 +67,10 @@ struct bpf_verifier_state_list { |
3279 | }; |
3280 | |
3281 | struct bpf_insn_aux_data { |
3282 | - enum bpf_reg_type ptr_type; /* pointer type for load/store insns */ |
3283 | + union { |
3284 | + enum bpf_reg_type ptr_type; /* pointer type for load/store insns */ |
3285 | + struct bpf_map *map_ptr; /* pointer for call insn into lookup_elem */ |
3286 | + }; |
3287 | bool seen; /* this insn was processed by the verifier */ |
3288 | }; |
3289 | |
3290 | diff --git a/include/linux/cpu.h b/include/linux/cpu.h |
3291 | index e571128ad99a..2f475ad89a0d 100644 |
3292 | --- a/include/linux/cpu.h |
3293 | +++ b/include/linux/cpu.h |
3294 | @@ -44,6 +44,13 @@ extern void cpu_remove_dev_attr(struct device_attribute *attr); |
3295 | extern int cpu_add_dev_attr_group(struct attribute_group *attrs); |
3296 | extern void cpu_remove_dev_attr_group(struct attribute_group *attrs); |
3297 | |
3298 | +extern ssize_t cpu_show_meltdown(struct device *dev, |
3299 | + struct device_attribute *attr, char *buf); |
3300 | +extern ssize_t cpu_show_spectre_v1(struct device *dev, |
3301 | + struct device_attribute *attr, char *buf); |
3302 | +extern ssize_t cpu_show_spectre_v2(struct device *dev, |
3303 | + struct device_attribute *attr, char *buf); |
3304 | + |
3305 | extern __printf(4, 5) |
3306 | struct device *cpu_device_create(struct device *parent, void *drvdata, |
3307 | const struct attribute_group **groups, |
3308 | diff --git a/include/linux/frame.h b/include/linux/frame.h |
3309 | index e6baaba3f1ae..d772c61c31da 100644 |
3310 | --- a/include/linux/frame.h |
3311 | +++ b/include/linux/frame.h |
3312 | @@ -11,7 +11,7 @@ |
3313 | * For more information, see tools/objtool/Documentation/stack-validation.txt. |
3314 | */ |
3315 | #define STACK_FRAME_NON_STANDARD(func) \ |
3316 | - static void __used __section(__func_stack_frame_non_standard) \ |
3317 | + static void __used __section(.discard.func_stack_frame_non_standard) \ |
3318 | *__func_stack_frame_non_standard_##func = func |
3319 | |
3320 | #else /* !CONFIG_STACK_VALIDATION */ |
3321 | diff --git a/include/linux/phy.h b/include/linux/phy.h |
3322 | index a04d69ab7c34..867110c9d707 100644 |
3323 | --- a/include/linux/phy.h |
3324 | +++ b/include/linux/phy.h |
3325 | @@ -683,6 +683,17 @@ static inline bool phy_is_internal(struct phy_device *phydev) |
3326 | return phydev->is_internal; |
3327 | } |
3328 | |
3329 | +/** |
3330 | + * phy_interface_mode_is_rgmii - Convenience function for testing if a |
3331 | + * PHY interface mode is RGMII (all variants) |
3332 | + * @mode: the phy_interface_t enum |
3333 | + */ |
3334 | +static inline bool phy_interface_mode_is_rgmii(phy_interface_t mode) |
3335 | +{ |
3336 | + return mode >= PHY_INTERFACE_MODE_RGMII && |
3337 | + mode <= PHY_INTERFACE_MODE_RGMII_TXID; |
3338 | +}; |
3339 | + |
3340 | /** |
3341 | * phy_interface_is_rgmii - Convenience function for testing if a PHY interface |
3342 | * is RGMII (all variants) |
3343 | diff --git a/include/linux/sh_eth.h b/include/linux/sh_eth.h |
3344 | index f2e27e078362..01b3778ba6da 100644 |
3345 | --- a/include/linux/sh_eth.h |
3346 | +++ b/include/linux/sh_eth.h |
3347 | @@ -16,7 +16,6 @@ struct sh_eth_plat_data { |
3348 | unsigned char mac_addr[ETH_ALEN]; |
3349 | unsigned no_ether_link:1; |
3350 | unsigned ether_link_active_low:1; |
3351 | - unsigned needs_init:1; |
3352 | }; |
3353 | |
3354 | #endif |
3355 | diff --git a/include/net/mac80211.h b/include/net/mac80211.h |
3356 | index 2c7d876e2a1a..8fd61bc50383 100644 |
3357 | --- a/include/net/mac80211.h |
3358 | +++ b/include/net/mac80211.h |
3359 | @@ -1007,7 +1007,7 @@ ieee80211_tx_info_clear_status(struct ieee80211_tx_info *info) |
3360 | * @RX_FLAG_DECRYPTED: This frame was decrypted in hardware. |
3361 | * @RX_FLAG_MMIC_STRIPPED: the Michael MIC is stripped off this frame, |
3362 | * verification has been done by the hardware. |
3363 | - * @RX_FLAG_IV_STRIPPED: The IV/ICV are stripped from this frame. |
3364 | + * @RX_FLAG_IV_STRIPPED: The IV and ICV are stripped from this frame. |
3365 | * If this flag is set, the stack cannot do any replay detection |
3366 | * hence the driver or hardware will have to do that. |
3367 | * @RX_FLAG_PN_VALIDATED: Currently only valid for CCMP/GCMP frames, this |
3368 | @@ -1078,6 +1078,8 @@ ieee80211_tx_info_clear_status(struct ieee80211_tx_info *info) |
3369 | * @RX_FLAG_ALLOW_SAME_PN: Allow the same PN as same packet before. |
3370 | * This is used for AMSDU subframes which can have the same PN as |
3371 | * the first subframe. |
3372 | + * @RX_FLAG_ICV_STRIPPED: The ICV is stripped from this frame. CRC checking must |
3373 | + * be done in the hardware. |
3374 | */ |
3375 | enum mac80211_rx_flags { |
3376 | RX_FLAG_MMIC_ERROR = BIT(0), |
3377 | @@ -1113,6 +1115,7 @@ enum mac80211_rx_flags { |
3378 | RX_FLAG_RADIOTAP_VENDOR_DATA = BIT(31), |
3379 | RX_FLAG_MIC_STRIPPED = BIT_ULL(32), |
3380 | RX_FLAG_ALLOW_SAME_PN = BIT_ULL(33), |
3381 | + RX_FLAG_ICV_STRIPPED = BIT_ULL(34), |
3382 | }; |
3383 | |
3384 | #define RX_FLAG_STBC_SHIFT 26 |
3385 | diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h |
3386 | index eb3b23b6ec54..30f99ce4c6ce 100644 |
3387 | --- a/include/target/target_core_base.h |
3388 | +++ b/include/target/target_core_base.h |
3389 | @@ -493,6 +493,7 @@ struct se_cmd { |
3390 | #define CMD_T_BUSY (1 << 9) |
3391 | #define CMD_T_TAS (1 << 10) |
3392 | #define CMD_T_FABRIC_STOP (1 << 11) |
3393 | +#define CMD_T_PRE_EXECUTE (1 << 12) |
3394 | spinlock_t t_state_lock; |
3395 | struct kref cmd_kref; |
3396 | struct completion t_transport_stop_comp; |
3397 | diff --git a/include/trace/events/kvm.h b/include/trace/events/kvm.h |
3398 | index 8ade3eb6c640..90fce4d6956a 100644 |
3399 | --- a/include/trace/events/kvm.h |
3400 | +++ b/include/trace/events/kvm.h |
3401 | @@ -208,7 +208,7 @@ TRACE_EVENT(kvm_ack_irq, |
3402 | { KVM_TRACE_MMIO_WRITE, "write" } |
3403 | |
3404 | TRACE_EVENT(kvm_mmio, |
3405 | - TP_PROTO(int type, int len, u64 gpa, u64 val), |
3406 | + TP_PROTO(int type, int len, u64 gpa, void *val), |
3407 | TP_ARGS(type, len, gpa, val), |
3408 | |
3409 | TP_STRUCT__entry( |
3410 | @@ -222,7 +222,10 @@ TRACE_EVENT(kvm_mmio, |
3411 | __entry->type = type; |
3412 | __entry->len = len; |
3413 | __entry->gpa = gpa; |
3414 | - __entry->val = val; |
3415 | + __entry->val = 0; |
3416 | + if (val) |
3417 | + memcpy(&__entry->val, val, |
3418 | + min_t(u32, sizeof(__entry->val), len)); |
3419 | ), |
3420 | |
3421 | TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx", |
3422 | diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c |
3423 | index f3721e150d94..9a1e6ed7babc 100644 |
3424 | --- a/kernel/bpf/arraymap.c |
3425 | +++ b/kernel/bpf/arraymap.c |
3426 | @@ -46,9 +46,10 @@ static int bpf_array_alloc_percpu(struct bpf_array *array) |
3427 | static struct bpf_map *array_map_alloc(union bpf_attr *attr) |
3428 | { |
3429 | bool percpu = attr->map_type == BPF_MAP_TYPE_PERCPU_ARRAY; |
3430 | + u32 elem_size, index_mask, max_entries; |
3431 | + bool unpriv = !capable(CAP_SYS_ADMIN); |
3432 | struct bpf_array *array; |
3433 | - u64 array_size; |
3434 | - u32 elem_size; |
3435 | + u64 array_size, mask64; |
3436 | |
3437 | /* check sanity of attributes */ |
3438 | if (attr->max_entries == 0 || attr->key_size != 4 || |
3439 | @@ -63,11 +64,32 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) |
3440 | |
3441 | elem_size = round_up(attr->value_size, 8); |
3442 | |
3443 | + max_entries = attr->max_entries; |
3444 | + |
3445 | + /* On 32 bit archs roundup_pow_of_two() with max_entries that has |
3446 | + * upper most bit set in u32 space is undefined behavior due to |
3447 | + * resulting 1U << 32, so do it manually here in u64 space. |
3448 | + */ |
3449 | + mask64 = fls_long(max_entries - 1); |
3450 | + mask64 = 1ULL << mask64; |
3451 | + mask64 -= 1; |
3452 | + |
3453 | + index_mask = mask64; |
3454 | + if (unpriv) { |
3455 | + /* round up array size to nearest power of 2, |
3456 | + * since cpu will speculate within index_mask limits |
3457 | + */ |
3458 | + max_entries = index_mask + 1; |
3459 | + /* Check for overflows. */ |
3460 | + if (max_entries < attr->max_entries) |
3461 | + return ERR_PTR(-E2BIG); |
3462 | + } |
3463 | + |
3464 | array_size = sizeof(*array); |
3465 | if (percpu) |
3466 | - array_size += (u64) attr->max_entries * sizeof(void *); |
3467 | + array_size += (u64) max_entries * sizeof(void *); |
3468 | else |
3469 | - array_size += (u64) attr->max_entries * elem_size; |
3470 | + array_size += (u64) max_entries * elem_size; |
3471 | |
3472 | /* make sure there is no u32 overflow later in round_up() */ |
3473 | if (array_size >= U32_MAX - PAGE_SIZE) |
3474 | @@ -77,6 +99,8 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) |
3475 | array = bpf_map_area_alloc(array_size); |
3476 | if (!array) |
3477 | return ERR_PTR(-ENOMEM); |
3478 | + array->index_mask = index_mask; |
3479 | + array->map.unpriv_array = unpriv; |
3480 | |
3481 | /* copy mandatory map attributes */ |
3482 | array->map.map_type = attr->map_type; |
3483 | @@ -110,7 +134,7 @@ static void *array_map_lookup_elem(struct bpf_map *map, void *key) |
3484 | if (unlikely(index >= array->map.max_entries)) |
3485 | return NULL; |
3486 | |
3487 | - return array->value + array->elem_size * index; |
3488 | + return array->value + array->elem_size * (index & array->index_mask); |
3489 | } |
3490 | |
3491 | /* Called from eBPF program */ |
3492 | @@ -122,7 +146,7 @@ static void *percpu_array_map_lookup_elem(struct bpf_map *map, void *key) |
3493 | if (unlikely(index >= array->map.max_entries)) |
3494 | return NULL; |
3495 | |
3496 | - return this_cpu_ptr(array->pptrs[index]); |
3497 | + return this_cpu_ptr(array->pptrs[index & array->index_mask]); |
3498 | } |
3499 | |
3500 | int bpf_percpu_array_copy(struct bpf_map *map, void *key, void *value) |
3501 | @@ -142,7 +166,7 @@ int bpf_percpu_array_copy(struct bpf_map *map, void *key, void *value) |
3502 | */ |
3503 | size = round_up(map->value_size, 8); |
3504 | rcu_read_lock(); |
3505 | - pptr = array->pptrs[index]; |
3506 | + pptr = array->pptrs[index & array->index_mask]; |
3507 | for_each_possible_cpu(cpu) { |
3508 | bpf_long_memcpy(value + off, per_cpu_ptr(pptr, cpu), size); |
3509 | off += size; |
3510 | @@ -190,10 +214,11 @@ static int array_map_update_elem(struct bpf_map *map, void *key, void *value, |
3511 | return -EEXIST; |
3512 | |
3513 | if (array->map.map_type == BPF_MAP_TYPE_PERCPU_ARRAY) |
3514 | - memcpy(this_cpu_ptr(array->pptrs[index]), |
3515 | + memcpy(this_cpu_ptr(array->pptrs[index & array->index_mask]), |
3516 | value, map->value_size); |
3517 | else |
3518 | - memcpy(array->value + array->elem_size * index, |
3519 | + memcpy(array->value + |
3520 | + array->elem_size * (index & array->index_mask), |
3521 | value, map->value_size); |
3522 | return 0; |
3523 | } |
3524 | @@ -227,7 +252,7 @@ int bpf_percpu_array_update(struct bpf_map *map, void *key, void *value, |
3525 | */ |
3526 | size = round_up(map->value_size, 8); |
3527 | rcu_read_lock(); |
3528 | - pptr = array->pptrs[index]; |
3529 | + pptr = array->pptrs[index & array->index_mask]; |
3530 | for_each_possible_cpu(cpu) { |
3531 | bpf_long_memcpy(per_cpu_ptr(pptr, cpu), value + off, size); |
3532 | off += size; |
3533 | diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c |
3534 | index 72ea91df71c9..91a2d3752007 100644 |
3535 | --- a/kernel/bpf/syscall.c |
3536 | +++ b/kernel/bpf/syscall.c |
3537 | @@ -565,57 +565,6 @@ void bpf_register_prog_type(struct bpf_prog_type_list *tl) |
3538 | list_add(&tl->list_node, &bpf_prog_types); |
3539 | } |
3540 | |
3541 | -/* fixup insn->imm field of bpf_call instructions: |
3542 | - * if (insn->imm == BPF_FUNC_map_lookup_elem) |
3543 | - * insn->imm = bpf_map_lookup_elem - __bpf_call_base; |
3544 | - * else if (insn->imm == BPF_FUNC_map_update_elem) |
3545 | - * insn->imm = bpf_map_update_elem - __bpf_call_base; |
3546 | - * else ... |
3547 | - * |
3548 | - * this function is called after eBPF program passed verification |
3549 | - */ |
3550 | -static void fixup_bpf_calls(struct bpf_prog *prog) |
3551 | -{ |
3552 | - const struct bpf_func_proto *fn; |
3553 | - int i; |
3554 | - |
3555 | - for (i = 0; i < prog->len; i++) { |
3556 | - struct bpf_insn *insn = &prog->insnsi[i]; |
3557 | - |
3558 | - if (insn->code == (BPF_JMP | BPF_CALL)) { |
3559 | - /* we reach here when program has bpf_call instructions |
3560 | - * and it passed bpf_check(), means that |
3561 | - * ops->get_func_proto must have been supplied, check it |
3562 | - */ |
3563 | - BUG_ON(!prog->aux->ops->get_func_proto); |
3564 | - |
3565 | - if (insn->imm == BPF_FUNC_get_route_realm) |
3566 | - prog->dst_needed = 1; |
3567 | - if (insn->imm == BPF_FUNC_get_prandom_u32) |
3568 | - bpf_user_rnd_init_once(); |
3569 | - if (insn->imm == BPF_FUNC_tail_call) { |
3570 | - /* mark bpf_tail_call as different opcode |
3571 | - * to avoid conditional branch in |
3572 | - * interpeter for every normal call |
3573 | - * and to prevent accidental JITing by |
3574 | - * JIT compiler that doesn't support |
3575 | - * bpf_tail_call yet |
3576 | - */ |
3577 | - insn->imm = 0; |
3578 | - insn->code |= BPF_X; |
3579 | - continue; |
3580 | - } |
3581 | - |
3582 | - fn = prog->aux->ops->get_func_proto(insn->imm); |
3583 | - /* all functions that have prototype and verifier allowed |
3584 | - * programs to call them, must be real in-kernel functions |
3585 | - */ |
3586 | - BUG_ON(!fn->func); |
3587 | - insn->imm = fn->func - __bpf_call_base; |
3588 | - } |
3589 | - } |
3590 | -} |
3591 | - |
3592 | /* drop refcnt on maps used by eBPF program and free auxilary data */ |
3593 | static void free_used_maps(struct bpf_prog_aux *aux) |
3594 | { |
3595 | @@ -808,9 +757,6 @@ static int bpf_prog_load(union bpf_attr *attr) |
3596 | if (err < 0) |
3597 | goto free_used_maps; |
3598 | |
3599 | - /* fixup BPF_CALL->imm field */ |
3600 | - fixup_bpf_calls(prog); |
3601 | - |
3602 | /* eBPF program is ready to be JITed */ |
3603 | prog = bpf_prog_select_runtime(prog, &err); |
3604 | if (err < 0) |
3605 | diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c |
3606 | index d7eeebfafe8d..19c44cf59bb2 100644 |
3607 | --- a/kernel/bpf/verifier.c |
3608 | +++ b/kernel/bpf/verifier.c |
3609 | @@ -1187,7 +1187,7 @@ static void clear_all_pkt_pointers(struct bpf_verifier_env *env) |
3610 | } |
3611 | } |
3612 | |
3613 | -static int check_call(struct bpf_verifier_env *env, int func_id) |
3614 | +static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx) |
3615 | { |
3616 | struct bpf_verifier_state *state = &env->cur_state; |
3617 | const struct bpf_func_proto *fn = NULL; |
3618 | @@ -1238,6 +1238,13 @@ static int check_call(struct bpf_verifier_env *env, int func_id) |
3619 | err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &meta); |
3620 | if (err) |
3621 | return err; |
3622 | + if (func_id == BPF_FUNC_tail_call) { |
3623 | + if (meta.map_ptr == NULL) { |
3624 | + verbose("verifier bug\n"); |
3625 | + return -EINVAL; |
3626 | + } |
3627 | + env->insn_aux_data[insn_idx].map_ptr = meta.map_ptr; |
3628 | + } |
3629 | err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &meta); |
3630 | if (err) |
3631 | return err; |
3632 | @@ -3019,7 +3026,7 @@ static int do_check(struct bpf_verifier_env *env) |
3633 | return -EINVAL; |
3634 | } |
3635 | |
3636 | - err = check_call(env, insn->imm); |
3637 | + err = check_call(env, insn->imm, insn_idx); |
3638 | if (err) |
3639 | return err; |
3640 | |
3641 | @@ -3362,6 +3369,81 @@ static int convert_ctx_accesses(struct bpf_verifier_env *env) |
3642 | return 0; |
3643 | } |
3644 | |
3645 | +/* fixup insn->imm field of bpf_call instructions |
3646 | + * |
3647 | + * this function is called after eBPF program passed verification |
3648 | + */ |
3649 | +static int fixup_bpf_calls(struct bpf_verifier_env *env) |
3650 | +{ |
3651 | + struct bpf_prog *prog = env->prog; |
3652 | + struct bpf_insn *insn = prog->insnsi; |
3653 | + const struct bpf_func_proto *fn; |
3654 | + const int insn_cnt = prog->len; |
3655 | + struct bpf_insn insn_buf[16]; |
3656 | + struct bpf_prog *new_prog; |
3657 | + struct bpf_map *map_ptr; |
3658 | + int i, cnt, delta = 0; |
3659 | + |
3660 | + |
3661 | + for (i = 0; i < insn_cnt; i++, insn++) { |
3662 | + if (insn->code != (BPF_JMP | BPF_CALL)) |
3663 | + continue; |
3664 | + |
3665 | + if (insn->imm == BPF_FUNC_get_route_realm) |
3666 | + prog->dst_needed = 1; |
3667 | + if (insn->imm == BPF_FUNC_get_prandom_u32) |
3668 | + bpf_user_rnd_init_once(); |
3669 | + if (insn->imm == BPF_FUNC_tail_call) { |
3670 | + /* mark bpf_tail_call as different opcode to avoid |
3671 | + * conditional branch in the interpeter for every normal |
3672 | + * call and to prevent accidental JITing by JIT compiler |
3673 | + * that doesn't support bpf_tail_call yet |
3674 | + */ |
3675 | + insn->imm = 0; |
3676 | + insn->code |= BPF_X; |
3677 | + |
3678 | + /* instead of changing every JIT dealing with tail_call |
3679 | + * emit two extra insns: |
3680 | + * if (index >= max_entries) goto out; |
3681 | + * index &= array->index_mask; |
3682 | + * to avoid out-of-bounds cpu speculation |
3683 | + */ |
3684 | + map_ptr = env->insn_aux_data[i + delta].map_ptr; |
3685 | + if (!map_ptr->unpriv_array) |
3686 | + continue; |
3687 | + insn_buf[0] = BPF_JMP_IMM(BPF_JGE, BPF_REG_3, |
3688 | + map_ptr->max_entries, 2); |
3689 | + insn_buf[1] = BPF_ALU32_IMM(BPF_AND, BPF_REG_3, |
3690 | + container_of(map_ptr, |
3691 | + struct bpf_array, |
3692 | + map)->index_mask); |
3693 | + insn_buf[2] = *insn; |
3694 | + cnt = 3; |
3695 | + new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); |
3696 | + if (!new_prog) |
3697 | + return -ENOMEM; |
3698 | + |
3699 | + delta += cnt - 1; |
3700 | + env->prog = prog = new_prog; |
3701 | + insn = new_prog->insnsi + i + delta; |
3702 | + continue; |
3703 | + } |
3704 | + |
3705 | + fn = prog->aux->ops->get_func_proto(insn->imm); |
3706 | + /* all functions that have prototype and verifier allowed |
3707 | + * programs to call them, must be real in-kernel functions |
3708 | + */ |
3709 | + if (!fn->func) { |
3710 | + verbose("kernel subsystem misconfigured func %d\n", |
3711 | + insn->imm); |
3712 | + return -EFAULT; |
3713 | + } |
3714 | + insn->imm = fn->func - __bpf_call_base; |
3715 | + } |
3716 | + |
3717 | + return 0; |
3718 | +} |
3719 | + |
3720 | static void free_states(struct bpf_verifier_env *env) |
3721 | { |
3722 | struct bpf_verifier_state_list *sl, *sln; |
3723 | @@ -3463,6 +3545,9 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr) |
3724 | /* program is valid, convert *(u32*)(ctx + off) accesses */ |
3725 | ret = convert_ctx_accesses(env); |
3726 | |
3727 | + if (ret == 0) |
3728 | + ret = fixup_bpf_calls(env); |
3729 | + |
3730 | if (log_level && log_len >= log_size - 1) { |
3731 | BUG_ON(log_len >= log_size); |
3732 | /* verifier log exceeded user supplied buffer */ |
3733 | diff --git a/mm/zswap.c b/mm/zswap.c |
3734 | index dbef27822a98..ded051e3433d 100644 |
3735 | --- a/mm/zswap.c |
3736 | +++ b/mm/zswap.c |
3737 | @@ -752,18 +752,22 @@ static int __zswap_param_set(const char *val, const struct kernel_param *kp, |
3738 | pool = zswap_pool_find_get(type, compressor); |
3739 | if (pool) { |
3740 | zswap_pool_debug("using existing", pool); |
3741 | + WARN_ON(pool == zswap_pool_current()); |
3742 | list_del_rcu(&pool->list); |
3743 | - } else { |
3744 | - spin_unlock(&zswap_pools_lock); |
3745 | - pool = zswap_pool_create(type, compressor); |
3746 | - spin_lock(&zswap_pools_lock); |
3747 | } |
3748 | |
3749 | + spin_unlock(&zswap_pools_lock); |
3750 | + |
3751 | + if (!pool) |
3752 | + pool = zswap_pool_create(type, compressor); |
3753 | + |
3754 | if (pool) |
3755 | ret = param_set_charp(s, kp); |
3756 | else |
3757 | ret = -EINVAL; |
3758 | |
3759 | + spin_lock(&zswap_pools_lock); |
3760 | + |
3761 | if (!ret) { |
3762 | put_pool = zswap_pool_current(); |
3763 | list_add_rcu(&pool->list, &zswap_pools); |
3764 | diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c |
3765 | index 4a47074d1d7f..c8ea3cf9db85 100644 |
3766 | --- a/net/8021q/vlan.c |
3767 | +++ b/net/8021q/vlan.c |
3768 | @@ -111,12 +111,7 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head) |
3769 | vlan_gvrp_uninit_applicant(real_dev); |
3770 | } |
3771 | |
3772 | - /* Take it out of our own structures, but be sure to interlock with |
3773 | - * HW accelerating devices or SW vlan input packet processing if |
3774 | - * VLAN is not 0 (leave it there for 802.1p). |
3775 | - */ |
3776 | - if (vlan_id) |
3777 | - vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id); |
3778 | + vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id); |
3779 | |
3780 | /* Get rid of the vlan's reference to real_dev */ |
3781 | dev_put(real_dev); |
3782 | diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c |
3783 | index ffd09c1675d4..2bbca23a9d05 100644 |
3784 | --- a/net/bluetooth/l2cap_core.c |
3785 | +++ b/net/bluetooth/l2cap_core.c |
3786 | @@ -3353,9 +3353,10 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data |
3787 | break; |
3788 | |
3789 | case L2CAP_CONF_EFS: |
3790 | - remote_efs = 1; |
3791 | - if (olen == sizeof(efs)) |
3792 | + if (olen == sizeof(efs)) { |
3793 | + remote_efs = 1; |
3794 | memcpy(&efs, (void *) val, olen); |
3795 | + } |
3796 | break; |
3797 | |
3798 | case L2CAP_CONF_EWS: |
3799 | @@ -3574,16 +3575,17 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, |
3800 | break; |
3801 | |
3802 | case L2CAP_CONF_EFS: |
3803 | - if (olen == sizeof(efs)) |
3804 | + if (olen == sizeof(efs)) { |
3805 | memcpy(&efs, (void *)val, olen); |
3806 | |
3807 | - if (chan->local_stype != L2CAP_SERV_NOTRAFIC && |
3808 | - efs.stype != L2CAP_SERV_NOTRAFIC && |
3809 | - efs.stype != chan->local_stype) |
3810 | - return -ECONNREFUSED; |
3811 | + if (chan->local_stype != L2CAP_SERV_NOTRAFIC && |
3812 | + efs.stype != L2CAP_SERV_NOTRAFIC && |
3813 | + efs.stype != chan->local_stype) |
3814 | + return -ECONNREFUSED; |
3815 | |
3816 | - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), |
3817 | - (unsigned long) &efs, endptr - ptr); |
3818 | + l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), |
3819 | + (unsigned long) &efs, endptr - ptr); |
3820 | + } |
3821 | break; |
3822 | |
3823 | case L2CAP_CONF_FCS: |
3824 | diff --git a/net/core/ethtool.c b/net/core/ethtool.c |
3825 | index e9989b835a66..7913771ec474 100644 |
3826 | --- a/net/core/ethtool.c |
3827 | +++ b/net/core/ethtool.c |
3828 | @@ -742,15 +742,6 @@ static int ethtool_set_link_ksettings(struct net_device *dev, |
3829 | return dev->ethtool_ops->set_link_ksettings(dev, &link_ksettings); |
3830 | } |
3831 | |
3832 | -static void |
3833 | -warn_incomplete_ethtool_legacy_settings_conversion(const char *details) |
3834 | -{ |
3835 | - char name[sizeof(current->comm)]; |
3836 | - |
3837 | - pr_info_once("warning: `%s' uses legacy ethtool link settings API, %s\n", |
3838 | - get_task_comm(name, current), details); |
3839 | -} |
3840 | - |
3841 | /* Query device for its ethtool_cmd settings. |
3842 | * |
3843 | * Backward compatibility note: for compatibility with legacy ethtool, |
3844 | @@ -777,10 +768,8 @@ static int ethtool_get_settings(struct net_device *dev, void __user *useraddr) |
3845 | &link_ksettings); |
3846 | if (err < 0) |
3847 | return err; |
3848 | - if (!convert_link_ksettings_to_legacy_settings(&cmd, |
3849 | - &link_ksettings)) |
3850 | - warn_incomplete_ethtool_legacy_settings_conversion( |
3851 | - "link modes are only partially reported"); |
3852 | + convert_link_ksettings_to_legacy_settings(&cmd, |
3853 | + &link_ksettings); |
3854 | |
3855 | /* send a sensible cmd tag back to user */ |
3856 | cmd.cmd = ETHTOOL_GSET; |
3857 | diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c |
3858 | index 6b10573cc9fa..d1d9faf3046b 100644 |
3859 | --- a/net/core/sock_diag.c |
3860 | +++ b/net/core/sock_diag.c |
3861 | @@ -295,7 +295,7 @@ static int sock_diag_bind(struct net *net, int group) |
3862 | case SKNLGRP_INET6_UDP_DESTROY: |
3863 | if (!sock_diag_handlers[AF_INET6]) |
3864 | request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK, |
3865 | - NETLINK_SOCK_DIAG, AF_INET); |
3866 | + NETLINK_SOCK_DIAG, AF_INET6); |
3867 | break; |
3868 | } |
3869 | return 0; |
3870 | diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c |
3871 | index 506efba33a89..388584b8ff31 100644 |
3872 | --- a/net/ipv6/ip6_output.c |
3873 | +++ b/net/ipv6/ip6_output.c |
3874 | @@ -1800,9 +1800,10 @@ struct sk_buff *ip6_make_skb(struct sock *sk, |
3875 | cork.base.opt = NULL; |
3876 | v6_cork.opt = NULL; |
3877 | err = ip6_setup_cork(sk, &cork, &v6_cork, ipc6, rt, fl6); |
3878 | - if (err) |
3879 | + if (err) { |
3880 | + ip6_cork_release(&cork, &v6_cork); |
3881 | return ERR_PTR(err); |
3882 | - |
3883 | + } |
3884 | if (ipc6->dontfrag < 0) |
3885 | ipc6->dontfrag = inet6_sk(sk)->dontfrag; |
3886 | |
3887 | diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c |
3888 | index 11d22d642488..131e6aa954bc 100644 |
3889 | --- a/net/ipv6/ip6_tunnel.c |
3890 | +++ b/net/ipv6/ip6_tunnel.c |
3891 | @@ -1080,10 +1080,11 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield, |
3892 | memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr)); |
3893 | neigh_release(neigh); |
3894 | } |
3895 | - } else if (!(t->parms.flags & |
3896 | - (IP6_TNL_F_USE_ORIG_TCLASS | IP6_TNL_F_USE_ORIG_FWMARK))) { |
3897 | - /* enable the cache only only if the routing decision does |
3898 | - * not depend on the current inner header value |
3899 | + } else if (t->parms.proto != 0 && !(t->parms.flags & |
3900 | + (IP6_TNL_F_USE_ORIG_TCLASS | |
3901 | + IP6_TNL_F_USE_ORIG_FWMARK))) { |
3902 | + /* enable the cache only if neither the outer protocol nor the |
3903 | + * routing decision depends on the current inner header value |
3904 | */ |
3905 | use_cache = true; |
3906 | } |
3907 | diff --git a/net/mac80211/wep.c b/net/mac80211/wep.c |
3908 | index efa3f48f1ec5..73e8f347802e 100644 |
3909 | --- a/net/mac80211/wep.c |
3910 | +++ b/net/mac80211/wep.c |
3911 | @@ -293,7 +293,8 @@ ieee80211_crypto_wep_decrypt(struct ieee80211_rx_data *rx) |
3912 | return RX_DROP_UNUSABLE; |
3913 | ieee80211_wep_remove_iv(rx->local, rx->skb, rx->key); |
3914 | /* remove ICV */ |
3915 | - if (pskb_trim(rx->skb, rx->skb->len - IEEE80211_WEP_ICV_LEN)) |
3916 | + if (!(status->flag & RX_FLAG_ICV_STRIPPED) && |
3917 | + pskb_trim(rx->skb, rx->skb->len - IEEE80211_WEP_ICV_LEN)) |
3918 | return RX_DROP_UNUSABLE; |
3919 | } |
3920 | |
3921 | diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c |
3922 | index 5c71d60f3a64..caa5986cb2e4 100644 |
3923 | --- a/net/mac80211/wpa.c |
3924 | +++ b/net/mac80211/wpa.c |
3925 | @@ -295,7 +295,8 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx) |
3926 | return RX_DROP_UNUSABLE; |
3927 | |
3928 | /* Trim ICV */ |
3929 | - skb_trim(skb, skb->len - IEEE80211_TKIP_ICV_LEN); |
3930 | + if (!(status->flag & RX_FLAG_ICV_STRIPPED)) |
3931 | + skb_trim(skb, skb->len - IEEE80211_TKIP_ICV_LEN); |
3932 | |
3933 | /* Remove IV */ |
3934 | memmove(skb->data + IEEE80211_TKIP_IV_LEN, skb->data, hdrlen); |
3935 | diff --git a/net/rds/rdma.c b/net/rds/rdma.c |
3936 | index de8496e60735..f6027f41cd34 100644 |
3937 | --- a/net/rds/rdma.c |
3938 | +++ b/net/rds/rdma.c |
3939 | @@ -524,6 +524,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args) |
3940 | |
3941 | local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr; |
3942 | |
3943 | + if (args->nr_local == 0) |
3944 | + return -EINVAL; |
3945 | + |
3946 | /* figure out the number of pages in the vector */ |
3947 | for (i = 0; i < args->nr_local; i++) { |
3948 | if (copy_from_user(&vec, &local_vec[i], |
3949 | @@ -873,6 +876,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm, |
3950 | err: |
3951 | if (page) |
3952 | put_page(page); |
3953 | + rm->atomic.op_active = 0; |
3954 | kfree(rm->atomic.op_notifier); |
3955 | |
3956 | return ret; |
3957 | diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c |
3958 | index e0aa30f83c6c..9617b42aaf20 100644 |
3959 | --- a/net/sched/act_gact.c |
3960 | +++ b/net/sched/act_gact.c |
3961 | @@ -161,7 +161,7 @@ static void tcf_gact_stats_update(struct tc_action *a, u64 bytes, u32 packets, |
3962 | if (action == TC_ACT_SHOT) |
3963 | this_cpu_ptr(gact->common.cpu_qstats)->drops += packets; |
3964 | |
3965 | - tm->lastuse = lastuse; |
3966 | + tm->lastuse = max_t(u64, tm->lastuse, lastuse); |
3967 | } |
3968 | |
3969 | static int tcf_gact_dump(struct sk_buff *skb, struct tc_action *a, |
3970 | diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c |
3971 | index 6b07fba5770b..fc3650b06192 100644 |
3972 | --- a/net/sched/act_mirred.c |
3973 | +++ b/net/sched/act_mirred.c |
3974 | @@ -211,7 +211,7 @@ static void tcf_stats_update(struct tc_action *a, u64 bytes, u32 packets, |
3975 | struct tcf_t *tm = &m->tcf_tm; |
3976 | |
3977 | _bstats_cpu_update(this_cpu_ptr(a->cpu_bstats), bytes, packets); |
3978 | - tm->lastuse = lastuse; |
3979 | + tm->lastuse = max_t(u64, tm->lastuse, lastuse); |
3980 | } |
3981 | |
3982 | static int tcf_mirred_dump(struct sk_buff *skb, struct tc_action *a, int bind, |
3983 | diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c |
3984 | index bd8349759095..845eb9b800f3 100644 |
3985 | --- a/scripts/mod/modpost.c |
3986 | +++ b/scripts/mod/modpost.c |
3987 | @@ -838,6 +838,7 @@ static const char *const section_white_list[] = |
3988 | ".cmem*", /* EZchip */ |
3989 | ".fmt_slot*", /* EZchip */ |
3990 | ".gnu.lto*", |
3991 | + ".discard.*", |
3992 | NULL |
3993 | }; |
3994 | |
3995 | diff --git a/scripts/module-common.lds b/scripts/module-common.lds |
3996 | index 53234e85192a..9b6e246a45d0 100644 |
3997 | --- a/scripts/module-common.lds |
3998 | +++ b/scripts/module-common.lds |
3999 | @@ -4,7 +4,10 @@ |
4000 | * combine them automatically. |
4001 | */ |
4002 | SECTIONS { |
4003 | - /DISCARD/ : { *(.discard) } |
4004 | + /DISCARD/ : { |
4005 | + *(.discard) |
4006 | + *(.discard.*) |
4007 | + } |
4008 | |
4009 | __ksymtab 0 : { *(SORT(___ksymtab+*)) } |
4010 | __ksymtab_gpl 0 : { *(SORT(___ksymtab_gpl+*)) } |
4011 | diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c |
4012 | index ebc9fdfe64df..3321348fd86b 100644 |
4013 | --- a/sound/core/oss/pcm_oss.c |
4014 | +++ b/sound/core/oss/pcm_oss.c |
4015 | @@ -466,7 +466,6 @@ static int snd_pcm_hw_param_near(struct snd_pcm_substream *pcm, |
4016 | v = snd_pcm_hw_param_last(pcm, params, var, dir); |
4017 | else |
4018 | v = snd_pcm_hw_param_first(pcm, params, var, dir); |
4019 | - snd_BUG_ON(v < 0); |
4020 | return v; |
4021 | } |
4022 | |
4023 | @@ -1370,8 +1369,11 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha |
4024 | |
4025 | if ((tmp = snd_pcm_oss_make_ready(substream)) < 0) |
4026 | return tmp; |
4027 | - mutex_lock(&runtime->oss.params_lock); |
4028 | while (bytes > 0) { |
4029 | + if (mutex_lock_interruptible(&runtime->oss.params_lock)) { |
4030 | + tmp = -ERESTARTSYS; |
4031 | + break; |
4032 | + } |
4033 | if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) { |
4034 | tmp = bytes; |
4035 | if (tmp + runtime->oss.buffer_used > runtime->oss.period_bytes) |
4036 | @@ -1415,14 +1417,18 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha |
4037 | xfer += tmp; |
4038 | if ((substream->f_flags & O_NONBLOCK) != 0 && |
4039 | tmp != runtime->oss.period_bytes) |
4040 | - break; |
4041 | + tmp = -EAGAIN; |
4042 | } |
4043 | - } |
4044 | - mutex_unlock(&runtime->oss.params_lock); |
4045 | - return xfer; |
4046 | - |
4047 | err: |
4048 | - mutex_unlock(&runtime->oss.params_lock); |
4049 | + mutex_unlock(&runtime->oss.params_lock); |
4050 | + if (tmp < 0) |
4051 | + break; |
4052 | + if (signal_pending(current)) { |
4053 | + tmp = -ERESTARTSYS; |
4054 | + break; |
4055 | + } |
4056 | + tmp = 0; |
4057 | + } |
4058 | return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp; |
4059 | } |
4060 | |
4061 | @@ -1470,8 +1476,11 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use |
4062 | |
4063 | if ((tmp = snd_pcm_oss_make_ready(substream)) < 0) |
4064 | return tmp; |
4065 | - mutex_lock(&runtime->oss.params_lock); |
4066 | while (bytes > 0) { |
4067 | + if (mutex_lock_interruptible(&runtime->oss.params_lock)) { |
4068 | + tmp = -ERESTARTSYS; |
4069 | + break; |
4070 | + } |
4071 | if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) { |
4072 | if (runtime->oss.buffer_used == 0) { |
4073 | tmp = snd_pcm_oss_read2(substream, runtime->oss.buffer, runtime->oss.period_bytes, 1); |
4074 | @@ -1502,12 +1511,16 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use |
4075 | bytes -= tmp; |
4076 | xfer += tmp; |
4077 | } |
4078 | - } |
4079 | - mutex_unlock(&runtime->oss.params_lock); |
4080 | - return xfer; |
4081 | - |
4082 | err: |
4083 | - mutex_unlock(&runtime->oss.params_lock); |
4084 | + mutex_unlock(&runtime->oss.params_lock); |
4085 | + if (tmp < 0) |
4086 | + break; |
4087 | + if (signal_pending(current)) { |
4088 | + tmp = -ERESTARTSYS; |
4089 | + break; |
4090 | + } |
4091 | + tmp = 0; |
4092 | + } |
4093 | return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp; |
4094 | } |
4095 | |
4096 | diff --git a/sound/core/oss/pcm_plugin.c b/sound/core/oss/pcm_plugin.c |
4097 | index 727ac44d39f4..a84a1d3d23e5 100644 |
4098 | --- a/sound/core/oss/pcm_plugin.c |
4099 | +++ b/sound/core/oss/pcm_plugin.c |
4100 | @@ -591,18 +591,26 @@ snd_pcm_sframes_t snd_pcm_plug_write_transfer(struct snd_pcm_substream *plug, st |
4101 | snd_pcm_sframes_t frames = size; |
4102 | |
4103 | plugin = snd_pcm_plug_first(plug); |
4104 | - while (plugin && frames > 0) { |
4105 | + while (plugin) { |
4106 | + if (frames <= 0) |
4107 | + return frames; |
4108 | if ((next = plugin->next) != NULL) { |
4109 | snd_pcm_sframes_t frames1 = frames; |
4110 | - if (plugin->dst_frames) |
4111 | + if (plugin->dst_frames) { |
4112 | frames1 = plugin->dst_frames(plugin, frames); |
4113 | + if (frames1 <= 0) |
4114 | + return frames1; |
4115 | + } |
4116 | if ((err = next->client_channels(next, frames1, &dst_channels)) < 0) { |
4117 | return err; |
4118 | } |
4119 | if (err != frames1) { |
4120 | frames = err; |
4121 | - if (plugin->src_frames) |
4122 | + if (plugin->src_frames) { |
4123 | frames = plugin->src_frames(plugin, frames1); |
4124 | + if (frames <= 0) |
4125 | + return frames; |
4126 | + } |
4127 | } |
4128 | } else |
4129 | dst_channels = NULL; |
4130 | diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c |
4131 | index c80d80e312e3..e685e779a4b8 100644 |
4132 | --- a/sound/core/pcm_lib.c |
4133 | +++ b/sound/core/pcm_lib.c |
4134 | @@ -1664,7 +1664,7 @@ int snd_pcm_hw_param_first(struct snd_pcm_substream *pcm, |
4135 | return changed; |
4136 | if (params->rmask) { |
4137 | int err = snd_pcm_hw_refine(pcm, params); |
4138 | - if (snd_BUG_ON(err < 0)) |
4139 | + if (err < 0) |
4140 | return err; |
4141 | } |
4142 | return snd_pcm_hw_param_value(params, var, dir); |
4143 | @@ -1711,7 +1711,7 @@ int snd_pcm_hw_param_last(struct snd_pcm_substream *pcm, |
4144 | return changed; |
4145 | if (params->rmask) { |
4146 | int err = snd_pcm_hw_refine(pcm, params); |
4147 | - if (snd_BUG_ON(err < 0)) |
4148 | + if (err < 0) |
4149 | return err; |
4150 | } |
4151 | return snd_pcm_hw_param_value(params, var, dir); |
4152 | diff --git a/sound/drivers/aloop.c b/sound/drivers/aloop.c |
4153 | index 54f348a4fb78..cbd20cb8ca11 100644 |
4154 | --- a/sound/drivers/aloop.c |
4155 | +++ b/sound/drivers/aloop.c |
4156 | @@ -39,6 +39,7 @@ |
4157 | #include <sound/core.h> |
4158 | #include <sound/control.h> |
4159 | #include <sound/pcm.h> |
4160 | +#include <sound/pcm_params.h> |
4161 | #include <sound/info.h> |
4162 | #include <sound/initval.h> |
4163 | |
4164 | @@ -305,19 +306,6 @@ static int loopback_trigger(struct snd_pcm_substream *substream, int cmd) |
4165 | return 0; |
4166 | } |
4167 | |
4168 | -static void params_change_substream(struct loopback_pcm *dpcm, |
4169 | - struct snd_pcm_runtime *runtime) |
4170 | -{ |
4171 | - struct snd_pcm_runtime *dst_runtime; |
4172 | - |
4173 | - if (dpcm == NULL || dpcm->substream == NULL) |
4174 | - return; |
4175 | - dst_runtime = dpcm->substream->runtime; |
4176 | - if (dst_runtime == NULL) |
4177 | - return; |
4178 | - dst_runtime->hw = dpcm->cable->hw; |
4179 | -} |
4180 | - |
4181 | static void params_change(struct snd_pcm_substream *substream) |
4182 | { |
4183 | struct snd_pcm_runtime *runtime = substream->runtime; |
4184 | @@ -329,10 +317,6 @@ static void params_change(struct snd_pcm_substream *substream) |
4185 | cable->hw.rate_max = runtime->rate; |
4186 | cable->hw.channels_min = runtime->channels; |
4187 | cable->hw.channels_max = runtime->channels; |
4188 | - params_change_substream(cable->streams[SNDRV_PCM_STREAM_PLAYBACK], |
4189 | - runtime); |
4190 | - params_change_substream(cable->streams[SNDRV_PCM_STREAM_CAPTURE], |
4191 | - runtime); |
4192 | } |
4193 | |
4194 | static int loopback_prepare(struct snd_pcm_substream *substream) |
4195 | @@ -620,26 +604,29 @@ static unsigned int get_cable_index(struct snd_pcm_substream *substream) |
4196 | static int rule_format(struct snd_pcm_hw_params *params, |
4197 | struct snd_pcm_hw_rule *rule) |
4198 | { |
4199 | + struct loopback_pcm *dpcm = rule->private; |
4200 | + struct loopback_cable *cable = dpcm->cable; |
4201 | + struct snd_mask m; |
4202 | |
4203 | - struct snd_pcm_hardware *hw = rule->private; |
4204 | - struct snd_mask *maskp = hw_param_mask(params, rule->var); |
4205 | - |
4206 | - maskp->bits[0] &= (u_int32_t)hw->formats; |
4207 | - maskp->bits[1] &= (u_int32_t)(hw->formats >> 32); |
4208 | - memset(maskp->bits + 2, 0, (SNDRV_MASK_MAX-64) / 8); /* clear rest */ |
4209 | - if (! maskp->bits[0] && ! maskp->bits[1]) |
4210 | - return -EINVAL; |
4211 | - return 0; |
4212 | + snd_mask_none(&m); |
4213 | + mutex_lock(&dpcm->loopback->cable_lock); |
4214 | + m.bits[0] = (u_int32_t)cable->hw.formats; |
4215 | + m.bits[1] = (u_int32_t)(cable->hw.formats >> 32); |
4216 | + mutex_unlock(&dpcm->loopback->cable_lock); |
4217 | + return snd_mask_refine(hw_param_mask(params, rule->var), &m); |
4218 | } |
4219 | |
4220 | static int rule_rate(struct snd_pcm_hw_params *params, |
4221 | struct snd_pcm_hw_rule *rule) |
4222 | { |
4223 | - struct snd_pcm_hardware *hw = rule->private; |
4224 | + struct loopback_pcm *dpcm = rule->private; |
4225 | + struct loopback_cable *cable = dpcm->cable; |
4226 | struct snd_interval t; |
4227 | |
4228 | - t.min = hw->rate_min; |
4229 | - t.max = hw->rate_max; |
4230 | + mutex_lock(&dpcm->loopback->cable_lock); |
4231 | + t.min = cable->hw.rate_min; |
4232 | + t.max = cable->hw.rate_max; |
4233 | + mutex_unlock(&dpcm->loopback->cable_lock); |
4234 | t.openmin = t.openmax = 0; |
4235 | t.integer = 0; |
4236 | return snd_interval_refine(hw_param_interval(params, rule->var), &t); |
4237 | @@ -648,22 +635,44 @@ static int rule_rate(struct snd_pcm_hw_params *params, |
4238 | static int rule_channels(struct snd_pcm_hw_params *params, |
4239 | struct snd_pcm_hw_rule *rule) |
4240 | { |
4241 | - struct snd_pcm_hardware *hw = rule->private; |
4242 | + struct loopback_pcm *dpcm = rule->private; |
4243 | + struct loopback_cable *cable = dpcm->cable; |
4244 | struct snd_interval t; |
4245 | |
4246 | - t.min = hw->channels_min; |
4247 | - t.max = hw->channels_max; |
4248 | + mutex_lock(&dpcm->loopback->cable_lock); |
4249 | + t.min = cable->hw.channels_min; |
4250 | + t.max = cable->hw.channels_max; |
4251 | + mutex_unlock(&dpcm->loopback->cable_lock); |
4252 | t.openmin = t.openmax = 0; |
4253 | t.integer = 0; |
4254 | return snd_interval_refine(hw_param_interval(params, rule->var), &t); |
4255 | } |
4256 | |
4257 | +static void free_cable(struct snd_pcm_substream *substream) |
4258 | +{ |
4259 | + struct loopback *loopback = substream->private_data; |
4260 | + int dev = get_cable_index(substream); |
4261 | + struct loopback_cable *cable; |
4262 | + |
4263 | + cable = loopback->cables[substream->number][dev]; |
4264 | + if (!cable) |
4265 | + return; |
4266 | + if (cable->streams[!substream->stream]) { |
4267 | + /* other stream is still alive */ |
4268 | + cable->streams[substream->stream] = NULL; |
4269 | + } else { |
4270 | + /* free the cable */ |
4271 | + loopback->cables[substream->number][dev] = NULL; |
4272 | + kfree(cable); |
4273 | + } |
4274 | +} |
4275 | + |
4276 | static int loopback_open(struct snd_pcm_substream *substream) |
4277 | { |
4278 | struct snd_pcm_runtime *runtime = substream->runtime; |
4279 | struct loopback *loopback = substream->private_data; |
4280 | struct loopback_pcm *dpcm; |
4281 | - struct loopback_cable *cable; |
4282 | + struct loopback_cable *cable = NULL; |
4283 | int err = 0; |
4284 | int dev = get_cable_index(substream); |
4285 | |
4286 | @@ -682,7 +691,6 @@ static int loopback_open(struct snd_pcm_substream *substream) |
4287 | if (!cable) { |
4288 | cable = kzalloc(sizeof(*cable), GFP_KERNEL); |
4289 | if (!cable) { |
4290 | - kfree(dpcm); |
4291 | err = -ENOMEM; |
4292 | goto unlock; |
4293 | } |
4294 | @@ -700,19 +708,19 @@ static int loopback_open(struct snd_pcm_substream *substream) |
4295 | /* are cached -> they do not reflect the actual state */ |
4296 | err = snd_pcm_hw_rule_add(runtime, 0, |
4297 | SNDRV_PCM_HW_PARAM_FORMAT, |
4298 | - rule_format, &runtime->hw, |
4299 | + rule_format, dpcm, |
4300 | SNDRV_PCM_HW_PARAM_FORMAT, -1); |
4301 | if (err < 0) |
4302 | goto unlock; |
4303 | err = snd_pcm_hw_rule_add(runtime, 0, |
4304 | SNDRV_PCM_HW_PARAM_RATE, |
4305 | - rule_rate, &runtime->hw, |
4306 | + rule_rate, dpcm, |
4307 | SNDRV_PCM_HW_PARAM_RATE, -1); |
4308 | if (err < 0) |
4309 | goto unlock; |
4310 | err = snd_pcm_hw_rule_add(runtime, 0, |
4311 | SNDRV_PCM_HW_PARAM_CHANNELS, |
4312 | - rule_channels, &runtime->hw, |
4313 | + rule_channels, dpcm, |
4314 | SNDRV_PCM_HW_PARAM_CHANNELS, -1); |
4315 | if (err < 0) |
4316 | goto unlock; |
4317 | @@ -724,6 +732,10 @@ static int loopback_open(struct snd_pcm_substream *substream) |
4318 | else |
4319 | runtime->hw = cable->hw; |
4320 | unlock: |
4321 | + if (err < 0) { |
4322 | + free_cable(substream); |
4323 | + kfree(dpcm); |
4324 | + } |
4325 | mutex_unlock(&loopback->cable_lock); |
4326 | return err; |
4327 | } |
4328 | @@ -732,20 +744,10 @@ static int loopback_close(struct snd_pcm_substream *substream) |
4329 | { |
4330 | struct loopback *loopback = substream->private_data; |
4331 | struct loopback_pcm *dpcm = substream->runtime->private_data; |
4332 | - struct loopback_cable *cable; |
4333 | - int dev = get_cable_index(substream); |
4334 | |
4335 | loopback_timer_stop(dpcm); |
4336 | mutex_lock(&loopback->cable_lock); |
4337 | - cable = loopback->cables[substream->number][dev]; |
4338 | - if (cable->streams[!substream->stream]) { |
4339 | - /* other stream is still alive */ |
4340 | - cable->streams[substream->stream] = NULL; |
4341 | - } else { |
4342 | - /* free the cable */ |
4343 | - loopback->cables[substream->number][dev] = NULL; |
4344 | - kfree(cable); |
4345 | - } |
4346 | + free_cable(substream); |
4347 | mutex_unlock(&loopback->cable_lock); |
4348 | return 0; |
4349 | } |
4350 | diff --git a/tools/objtool/builtin-check.c b/tools/objtool/builtin-check.c |
4351 | index b8dadb050d2b..a688a857a7ae 100644 |
4352 | --- a/tools/objtool/builtin-check.c |
4353 | +++ b/tools/objtool/builtin-check.c |
4354 | @@ -51,7 +51,7 @@ struct instruction { |
4355 | unsigned int len, state; |
4356 | unsigned char type; |
4357 | unsigned long immediate; |
4358 | - bool alt_group, visited; |
4359 | + bool alt_group, visited, ignore_alts; |
4360 | struct symbol *call_dest; |
4361 | struct instruction *jump_dest; |
4362 | struct list_head alts; |
4363 | @@ -352,6 +352,40 @@ static void add_ignores(struct objtool_file *file) |
4364 | } |
4365 | } |
4366 | |
4367 | +/* |
4368 | + * FIXME: For now, just ignore any alternatives which add retpolines. This is |
4369 | + * a temporary hack, as it doesn't allow ORC to unwind from inside a retpoline. |
4370 | + * But it at least allows objtool to understand the control flow *around* the |
4371 | + * retpoline. |
4372 | + */ |
4373 | +static int add_nospec_ignores(struct objtool_file *file) |
4374 | +{ |
4375 | + struct section *sec; |
4376 | + struct rela *rela; |
4377 | + struct instruction *insn; |
4378 | + |
4379 | + sec = find_section_by_name(file->elf, ".rela.discard.nospec"); |
4380 | + if (!sec) |
4381 | + return 0; |
4382 | + |
4383 | + list_for_each_entry(rela, &sec->rela_list, list) { |
4384 | + if (rela->sym->type != STT_SECTION) { |
4385 | + WARN("unexpected relocation symbol type in %s", sec->name); |
4386 | + return -1; |
4387 | + } |
4388 | + |
4389 | + insn = find_insn(file, rela->sym->sec, rela->addend); |
4390 | + if (!insn) { |
4391 | + WARN("bad .discard.nospec entry"); |
4392 | + return -1; |
4393 | + } |
4394 | + |
4395 | + insn->ignore_alts = true; |
4396 | + } |
4397 | + |
4398 | + return 0; |
4399 | +} |
4400 | + |
4401 | /* |
4402 | * Find the destination instructions for all jumps. |
4403 | */ |
4404 | @@ -382,6 +416,13 @@ static int add_jump_destinations(struct objtool_file *file) |
4405 | } else if (rela->sym->sec->idx) { |
4406 | dest_sec = rela->sym->sec; |
4407 | dest_off = rela->sym->sym.st_value + rela->addend + 4; |
4408 | + } else if (strstr(rela->sym->name, "_indirect_thunk_")) { |
4409 | + /* |
4410 | + * Retpoline jumps are really dynamic jumps in |
4411 | + * disguise, so convert them accordingly. |
4412 | + */ |
4413 | + insn->type = INSN_JUMP_DYNAMIC; |
4414 | + continue; |
4415 | } else { |
4416 | /* sibling call */ |
4417 | insn->jump_dest = 0; |
4418 | @@ -428,11 +469,18 @@ static int add_call_destinations(struct objtool_file *file) |
4419 | dest_off = insn->offset + insn->len + insn->immediate; |
4420 | insn->call_dest = find_symbol_by_offset(insn->sec, |
4421 | dest_off); |
4422 | + /* |
4423 | + * FIXME: Thanks to retpolines, it's now considered |
4424 | + * normal for a function to call within itself. So |
4425 | + * disable this warning for now. |
4426 | + */ |
4427 | +#if 0 |
4428 | if (!insn->call_dest) { |
4429 | WARN_FUNC("can't find call dest symbol at offset 0x%lx", |
4430 | insn->sec, insn->offset, dest_off); |
4431 | return -1; |
4432 | } |
4433 | +#endif |
4434 | } else if (rela->sym->type == STT_SECTION) { |
4435 | insn->call_dest = find_symbol_by_offset(rela->sym->sec, |
4436 | rela->addend+4); |
4437 | @@ -594,12 +642,6 @@ static int add_special_section_alts(struct objtool_file *file) |
4438 | return ret; |
4439 | |
4440 | list_for_each_entry_safe(special_alt, tmp, &special_alts, list) { |
4441 | - alt = malloc(sizeof(*alt)); |
4442 | - if (!alt) { |
4443 | - WARN("malloc failed"); |
4444 | - ret = -1; |
4445 | - goto out; |
4446 | - } |
4447 | |
4448 | orig_insn = find_insn(file, special_alt->orig_sec, |
4449 | special_alt->orig_off); |
4450 | @@ -610,6 +652,10 @@ static int add_special_section_alts(struct objtool_file *file) |
4451 | goto out; |
4452 | } |
4453 | |
4454 | + /* Ignore retpoline alternatives. */ |
4455 | + if (orig_insn->ignore_alts) |
4456 | + continue; |
4457 | + |
4458 | new_insn = NULL; |
4459 | if (!special_alt->group || special_alt->new_len) { |
4460 | new_insn = find_insn(file, special_alt->new_sec, |
4461 | @@ -635,6 +681,13 @@ static int add_special_section_alts(struct objtool_file *file) |
4462 | goto out; |
4463 | } |
4464 | |
4465 | + alt = malloc(sizeof(*alt)); |
4466 | + if (!alt) { |
4467 | + WARN("malloc failed"); |
4468 | + ret = -1; |
4469 | + goto out; |
4470 | + } |
4471 | + |
4472 | alt->insn = new_insn; |
4473 | list_add_tail(&alt->list, &orig_insn->alts); |
4474 | |
4475 | @@ -854,6 +907,10 @@ static int decode_sections(struct objtool_file *file) |
4476 | |
4477 | add_ignores(file); |
4478 | |
4479 | + ret = add_nospec_ignores(file); |
4480 | + if (ret) |
4481 | + return ret; |
4482 | + |
4483 | ret = add_jump_destinations(file); |
4484 | if (ret) |
4485 | return ret; |
4486 | @@ -1173,6 +1230,14 @@ static int validate_uncallable_instructions(struct objtool_file *file) |
4487 | |
4488 | for_each_insn(file, insn) { |
4489 | if (!insn->visited && insn->type == INSN_RETURN) { |
4490 | + |
4491 | + /* |
4492 | + * Don't warn about call instructions in unvisited |
4493 | + * retpoline alternatives. |
4494 | + */ |
4495 | + if (!strcmp(insn->sec->name, ".altinstr_replacement")) |
4496 | + continue; |
4497 | + |
4498 | WARN_FUNC("return instruction outside of a callable function", |
4499 | insn->sec, insn->offset); |
4500 | warnings++; |
4501 | @@ -1229,7 +1294,7 @@ int cmd_check(int argc, const char **argv) |
4502 | |
4503 | INIT_LIST_HEAD(&file.insn_list); |
4504 | hash_init(file.insn_hash); |
4505 | - file.whitelist = find_section_by_name(file.elf, "__func_stack_frame_non_standard"); |
4506 | + file.whitelist = find_section_by_name(file.elf, ".discard.func_stack_frame_non_standard"); |
4507 | file.rodata = find_section_by_name(file.elf, ".rodata"); |
4508 | file.ignore_unreachables = false; |
4509 | file.c_file = find_section_by_name(file.elf, ".comment"); |
4510 | diff --git a/tools/testing/selftests/x86/Makefile b/tools/testing/selftests/x86/Makefile |
4511 | index 6300c1a41ff6..4af37bfe4aea 100644 |
4512 | --- a/tools/testing/selftests/x86/Makefile |
4513 | +++ b/tools/testing/selftests/x86/Makefile |
4514 | @@ -6,7 +6,7 @@ include ../lib.mk |
4515 | |
4516 | TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt ptrace_syscall test_mremap_vdso \ |
4517 | check_initial_reg_state sigreturn ldt_gdt iopl mpx-mini-test \ |
4518 | - protection_keys |
4519 | + protection_keys test_vsyscall |
4520 | TARGETS_C_32BIT_ONLY := entry_from_vm86 syscall_arg_fault test_syscall_vdso unwind_vdso \ |
4521 | test_FCMOV test_FCOMI test_FISTTP \ |
4522 | vdso_restorer |
4523 | diff --git a/tools/testing/selftests/x86/test_vsyscall.c b/tools/testing/selftests/x86/test_vsyscall.c |
4524 | new file mode 100644 |
4525 | index 000000000000..6e0bd52ad53d |
4526 | --- /dev/null |
4527 | +++ b/tools/testing/selftests/x86/test_vsyscall.c |
4528 | @@ -0,0 +1,500 @@ |
4529 | +/* SPDX-License-Identifier: GPL-2.0 */ |
4530 | + |
4531 | +#define _GNU_SOURCE |
4532 | + |
4533 | +#include <stdio.h> |
4534 | +#include <sys/time.h> |
4535 | +#include <time.h> |
4536 | +#include <stdlib.h> |
4537 | +#include <sys/syscall.h> |
4538 | +#include <unistd.h> |
4539 | +#include <dlfcn.h> |
4540 | +#include <string.h> |
4541 | +#include <inttypes.h> |
4542 | +#include <signal.h> |
4543 | +#include <sys/ucontext.h> |
4544 | +#include <errno.h> |
4545 | +#include <err.h> |
4546 | +#include <sched.h> |
4547 | +#include <stdbool.h> |
4548 | +#include <setjmp.h> |
4549 | + |
4550 | +#ifdef __x86_64__ |
4551 | +# define VSYS(x) (x) |
4552 | +#else |
4553 | +# define VSYS(x) 0 |
4554 | +#endif |
4555 | + |
4556 | +#ifndef SYS_getcpu |
4557 | +# ifdef __x86_64__ |
4558 | +# define SYS_getcpu 309 |
4559 | +# else |
4560 | +# define SYS_getcpu 318 |
4561 | +# endif |
4562 | +#endif |
4563 | + |
4564 | +static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *), |
4565 | + int flags) |
4566 | +{ |
4567 | + struct sigaction sa; |
4568 | + memset(&sa, 0, sizeof(sa)); |
4569 | + sa.sa_sigaction = handler; |
4570 | + sa.sa_flags = SA_SIGINFO | flags; |
4571 | + sigemptyset(&sa.sa_mask); |
4572 | + if (sigaction(sig, &sa, 0)) |
4573 | + err(1, "sigaction"); |
4574 | +} |
4575 | + |
4576 | +/* vsyscalls and vDSO */ |
4577 | +bool should_read_vsyscall = false; |
4578 | + |
4579 | +typedef long (*gtod_t)(struct timeval *tv, struct timezone *tz); |
4580 | +gtod_t vgtod = (gtod_t)VSYS(0xffffffffff600000); |
4581 | +gtod_t vdso_gtod; |
4582 | + |
4583 | +typedef int (*vgettime_t)(clockid_t, struct timespec *); |
4584 | +vgettime_t vdso_gettime; |
4585 | + |
4586 | +typedef long (*time_func_t)(time_t *t); |
4587 | +time_func_t vtime = (time_func_t)VSYS(0xffffffffff600400); |
4588 | +time_func_t vdso_time; |
4589 | + |
4590 | +typedef long (*getcpu_t)(unsigned *, unsigned *, void *); |
4591 | +getcpu_t vgetcpu = (getcpu_t)VSYS(0xffffffffff600800); |
4592 | +getcpu_t vdso_getcpu; |
4593 | + |
4594 | +static void init_vdso(void) |
4595 | +{ |
4596 | + void *vdso = dlopen("linux-vdso.so.1", RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD); |
4597 | + if (!vdso) |
4598 | + vdso = dlopen("linux-gate.so.1", RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD); |
4599 | + if (!vdso) { |
4600 | + printf("[WARN]\tfailed to find vDSO\n"); |
4601 | + return; |
4602 | + } |
4603 | + |
4604 | + vdso_gtod = (gtod_t)dlsym(vdso, "__vdso_gettimeofday"); |
4605 | + if (!vdso_gtod) |
4606 | + printf("[WARN]\tfailed to find gettimeofday in vDSO\n"); |
4607 | + |
4608 | + vdso_gettime = (vgettime_t)dlsym(vdso, "__vdso_clock_gettime"); |
4609 | + if (!vdso_gettime) |
4610 | + printf("[WARN]\tfailed to find clock_gettime in vDSO\n"); |
4611 | + |
4612 | + vdso_time = (time_func_t)dlsym(vdso, "__vdso_time"); |
4613 | + if (!vdso_time) |
4614 | + printf("[WARN]\tfailed to find time in vDSO\n"); |
4615 | + |
4616 | + vdso_getcpu = (getcpu_t)dlsym(vdso, "__vdso_getcpu"); |
4617 | + if (!vdso_getcpu) { |
4618 | + /* getcpu() was never wired up in the 32-bit vDSO. */ |
4619 | + printf("[%s]\tfailed to find getcpu in vDSO\n", |
4620 | + sizeof(long) == 8 ? "WARN" : "NOTE"); |
4621 | + } |
4622 | +} |
4623 | + |
4624 | +static int init_vsys(void) |
4625 | +{ |
4626 | +#ifdef __x86_64__ |
4627 | + int nerrs = 0; |
4628 | + FILE *maps; |
4629 | + char line[128]; |
4630 | + bool found = false; |
4631 | + |
4632 | + maps = fopen("/proc/self/maps", "r"); |
4633 | + if (!maps) { |
4634 | + printf("[WARN]\tCould not open /proc/self/maps -- assuming vsyscall is r-x\n"); |
4635 | + should_read_vsyscall = true; |
4636 | + return 0; |
4637 | + } |
4638 | + |
4639 | + while (fgets(line, sizeof(line), maps)) { |
4640 | + char r, x; |
4641 | + void *start, *end; |
4642 | + char name[128]; |
4643 | + if (sscanf(line, "%p-%p %c-%cp %*x %*x:%*x %*u %s", |
4644 | + &start, &end, &r, &x, name) != 5) |
4645 | + continue; |
4646 | + |
4647 | + if (strcmp(name, "[vsyscall]")) |
4648 | + continue; |
4649 | + |
4650 | + printf("\tvsyscall map: %s", line); |
4651 | + |
4652 | + if (start != (void *)0xffffffffff600000 || |
4653 | + end != (void *)0xffffffffff601000) { |
4654 | + printf("[FAIL]\taddress range is nonsense\n"); |
4655 | + nerrs++; |
4656 | + } |
4657 | + |
4658 | + printf("\tvsyscall permissions are %c-%c\n", r, x); |
4659 | + should_read_vsyscall = (r == 'r'); |
4660 | + if (x != 'x') { |
4661 | + vgtod = NULL; |
4662 | + vtime = NULL; |
4663 | + vgetcpu = NULL; |
4664 | + } |
4665 | + |
4666 | + found = true; |
4667 | + break; |
4668 | + } |
4669 | + |
4670 | + fclose(maps); |
4671 | + |
4672 | + if (!found) { |
4673 | + printf("\tno vsyscall map in /proc/self/maps\n"); |
4674 | + should_read_vsyscall = false; |
4675 | + vgtod = NULL; |
4676 | + vtime = NULL; |
4677 | + vgetcpu = NULL; |
4678 | + } |
4679 | + |
4680 | + return nerrs; |
4681 | +#else |
4682 | + return 0; |
4683 | +#endif |
4684 | +} |
4685 | + |
4686 | +/* syscalls */ |
4687 | +static inline long sys_gtod(struct timeval *tv, struct timezone *tz) |
4688 | +{ |
4689 | + return syscall(SYS_gettimeofday, tv, tz); |
4690 | +} |
4691 | + |
4692 | +static inline int sys_clock_gettime(clockid_t id, struct timespec *ts) |
4693 | +{ |
4694 | + return syscall(SYS_clock_gettime, id, ts); |
4695 | +} |
4696 | + |
4697 | +static inline long sys_time(time_t *t) |
4698 | +{ |
4699 | + return syscall(SYS_time, t); |
4700 | +} |
4701 | + |
4702 | +static inline long sys_getcpu(unsigned * cpu, unsigned * node, |
4703 | + void* cache) |
4704 | +{ |
4705 | + return syscall(SYS_getcpu, cpu, node, cache); |
4706 | +} |
4707 | + |
4708 | +static jmp_buf jmpbuf; |
4709 | + |
4710 | +static void sigsegv(int sig, siginfo_t *info, void *ctx_void) |
4711 | +{ |
4712 | + siglongjmp(jmpbuf, 1); |
4713 | +} |
4714 | + |
4715 | +static double tv_diff(const struct timeval *a, const struct timeval *b) |
4716 | +{ |
4717 | + return (double)(a->tv_sec - b->tv_sec) + |
4718 | + (double)((int)a->tv_usec - (int)b->tv_usec) * 1e-6; |
4719 | +} |
4720 | + |
4721 | +static int check_gtod(const struct timeval *tv_sys1, |
4722 | + const struct timeval *tv_sys2, |
4723 | + const struct timezone *tz_sys, |
4724 | + const char *which, |
4725 | + const struct timeval *tv_other, |
4726 | + const struct timezone *tz_other) |
4727 | +{ |
4728 | + int nerrs = 0; |
4729 | + double d1, d2; |
4730 | + |
4731 | + if (tz_other && (tz_sys->tz_minuteswest != tz_other->tz_minuteswest || tz_sys->tz_dsttime != tz_other->tz_dsttime)) { |
4732 | + printf("[FAIL] %s tz mismatch\n", which); |
4733 | + nerrs++; |
4734 | + } |
4735 | + |
4736 | + d1 = tv_diff(tv_other, tv_sys1); |
4737 | + d2 = tv_diff(tv_sys2, tv_other); |
4738 | + printf("\t%s time offsets: %lf %lf\n", which, d1, d2); |
4739 | + |
4740 | + if (d1 < 0 || d2 < 0) { |
4741 | + printf("[FAIL]\t%s time was inconsistent with the syscall\n", which); |
4742 | + nerrs++; |
4743 | + } else { |
4744 | + printf("[OK]\t%s gettimeofday()'s timeval was okay\n", which); |
4745 | + } |
4746 | + |
4747 | + return nerrs; |
4748 | +} |
4749 | + |
4750 | +static int test_gtod(void) |
4751 | +{ |
4752 | + struct timeval tv_sys1, tv_sys2, tv_vdso, tv_vsys; |
4753 | + struct timezone tz_sys, tz_vdso, tz_vsys; |
4754 | + long ret_vdso = -1; |
4755 | + long ret_vsys = -1; |
4756 | + int nerrs = 0; |
4757 | + |
4758 | + printf("[RUN]\ttest gettimeofday()\n"); |
4759 | + |
4760 | + if (sys_gtod(&tv_sys1, &tz_sys) != 0) |
4761 | + err(1, "syscall gettimeofday"); |
4762 | + if (vdso_gtod) |
4763 | + ret_vdso = vdso_gtod(&tv_vdso, &tz_vdso); |
4764 | + if (vgtod) |
4765 | + ret_vsys = vgtod(&tv_vsys, &tz_vsys); |
4766 | + if (sys_gtod(&tv_sys2, &tz_sys) != 0) |
4767 | + err(1, "syscall gettimeofday"); |
4768 | + |
4769 | + if (vdso_gtod) { |
4770 | + if (ret_vdso == 0) { |
4771 | + nerrs += check_gtod(&tv_sys1, &tv_sys2, &tz_sys, "vDSO", &tv_vdso, &tz_vdso); |
4772 | + } else { |
4773 | + printf("[FAIL]\tvDSO gettimeofday() failed: %ld\n", ret_vdso); |
4774 | + nerrs++; |
4775 | + } |
4776 | + } |
4777 | + |
4778 | + if (vgtod) { |
4779 | + if (ret_vsys == 0) { |
4780 | + nerrs += check_gtod(&tv_sys1, &tv_sys2, &tz_sys, "vsyscall", &tv_vsys, &tz_vsys); |
4781 | + } else { |
4782 | + printf("[FAIL]\tvsys gettimeofday() failed: %ld\n", ret_vsys); |
4783 | + nerrs++; |
4784 | + } |
4785 | + } |
4786 | + |
4787 | + return nerrs; |
4788 | +} |
4789 | + |
4790 | +static int test_time(void) { |
4791 | + int nerrs = 0; |
4792 | + |
4793 | + printf("[RUN]\ttest time()\n"); |
4794 | + long t_sys1, t_sys2, t_vdso = 0, t_vsys = 0; |
4795 | + long t2_sys1 = -1, t2_sys2 = -1, t2_vdso = -1, t2_vsys = -1; |
4796 | + t_sys1 = sys_time(&t2_sys1); |
4797 | + if (vdso_time) |
4798 | + t_vdso = vdso_time(&t2_vdso); |
4799 | + if (vtime) |
4800 | + t_vsys = vtime(&t2_vsys); |
4801 | + t_sys2 = sys_time(&t2_sys2); |
4802 | + if (t_sys1 < 0 || t_sys1 != t2_sys1 || t_sys2 < 0 || t_sys2 != t2_sys2) { |
4803 | + printf("[FAIL]\tsyscall failed (ret1:%ld output1:%ld ret2:%ld output2:%ld)\n", t_sys1, t2_sys1, t_sys2, t2_sys2); |
4804 | + nerrs++; |
4805 | + return nerrs; |
4806 | + } |
4807 | + |
4808 | + if (vdso_time) { |
4809 | + if (t_vdso < 0 || t_vdso != t2_vdso) { |
4810 | + printf("[FAIL]\tvDSO failed (ret:%ld output:%ld)\n", t_vdso, t2_vdso); |
4811 | + nerrs++; |
4812 | + } else if (t_vdso < t_sys1 || t_vdso > t_sys2) { |
4813 | + printf("[FAIL]\tvDSO returned the wrong time (%ld %ld %ld)\n", t_sys1, t_vdso, t_sys2); |
4814 | + nerrs++; |
4815 | + } else { |
4816 | + printf("[OK]\tvDSO time() is okay\n"); |
4817 | + } |
4818 | + } |
4819 | + |
4820 | + if (vtime) { |
4821 | + if (t_vsys < 0 || t_vsys != t2_vsys) { |
4822 | + printf("[FAIL]\tvsyscall failed (ret:%ld output:%ld)\n", t_vsys, t2_vsys); |
4823 | + nerrs++; |
4824 | + } else if (t_vsys < t_sys1 || t_vsys > t_sys2) { |
4825 | + printf("[FAIL]\tvsyscall returned the wrong time (%ld %ld %ld)\n", t_sys1, t_vsys, t_sys2); |
4826 | + nerrs++; |
4827 | + } else { |
4828 | + printf("[OK]\tvsyscall time() is okay\n"); |
4829 | + } |
4830 | + } |
4831 | + |
4832 | + return nerrs; |
4833 | +} |
4834 | + |
4835 | +static int test_getcpu(int cpu) |
4836 | +{ |
4837 | + int nerrs = 0; |
4838 | + long ret_sys, ret_vdso = -1, ret_vsys = -1; |
4839 | + |
4840 | + printf("[RUN]\tgetcpu() on CPU %d\n", cpu); |
4841 | + |
4842 | + cpu_set_t cpuset; |
4843 | + CPU_ZERO(&cpuset); |
4844 | + CPU_SET(cpu, &cpuset); |
4845 | + if (sched_setaffinity(0, sizeof(cpuset), &cpuset) != 0) { |
4846 | + printf("[SKIP]\tfailed to force CPU %d\n", cpu); |
4847 | + return nerrs; |
4848 | + } |
4849 | + |
4850 | + unsigned cpu_sys, cpu_vdso, cpu_vsys, node_sys, node_vdso, node_vsys; |
4851 | + unsigned node = 0; |
4852 | + bool have_node = false; |
4853 | + ret_sys = sys_getcpu(&cpu_sys, &node_sys, 0); |
4854 | + if (vdso_getcpu) |
4855 | + ret_vdso = vdso_getcpu(&cpu_vdso, &node_vdso, 0); |
4856 | + if (vgetcpu) |
4857 | + ret_vsys = vgetcpu(&cpu_vsys, &node_vsys, 0); |
4858 | + |
4859 | + if (ret_sys == 0) { |
4860 | + if (cpu_sys != cpu) { |
4861 | + printf("[FAIL]\tsyscall reported CPU %hu but should be %d\n", cpu_sys, cpu); |
4862 | + nerrs++; |
4863 | + } |
4864 | + |
4865 | + have_node = true; |
4866 | + node = node_sys; |
4867 | + } |
4868 | + |
4869 | + if (vdso_getcpu) { |
4870 | + if (ret_vdso) { |
4871 | + printf("[FAIL]\tvDSO getcpu() failed\n"); |
4872 | + nerrs++; |
4873 | + } else { |
4874 | + if (!have_node) { |
4875 | + have_node = true; |
4876 | + node = node_vdso; |
4877 | + } |
4878 | + |
4879 | + if (cpu_vdso != cpu) { |
4880 | + printf("[FAIL]\tvDSO reported CPU %hu but should be %d\n", cpu_vdso, cpu); |
4881 | + nerrs++; |
4882 | + } else { |
4883 | + printf("[OK]\tvDSO reported correct CPU\n"); |
4884 | + } |
4885 | + |
4886 | + if (node_vdso != node) { |
4887 | + printf("[FAIL]\tvDSO reported node %hu but should be %hu\n", node_vdso, node); |
4888 | + nerrs++; |
4889 | + } else { |
4890 | + printf("[OK]\tvDSO reported correct node\n"); |
4891 | + } |
4892 | + } |
4893 | + } |
4894 | + |
4895 | + if (vgetcpu) { |
4896 | + if (ret_vsys) { |
4897 | + printf("[FAIL]\tvsyscall getcpu() failed\n"); |
4898 | + nerrs++; |
4899 | + } else { |
4900 | + if (!have_node) { |
4901 | + have_node = true; |
4902 | + node = node_vsys; |
4903 | + } |
4904 | + |
4905 | + if (cpu_vsys != cpu) { |
4906 | + printf("[FAIL]\tvsyscall reported CPU %hu but should be %d\n", cpu_vsys, cpu); |
4907 | + nerrs++; |
4908 | + } else { |
4909 | + printf("[OK]\tvsyscall reported correct CPU\n"); |
4910 | + } |
4911 | + |
4912 | + if (node_vsys != node) { |
4913 | + printf("[FAIL]\tvsyscall reported node %hu but should be %hu\n", node_vsys, node); |
4914 | + nerrs++; |
4915 | + } else { |
4916 | + printf("[OK]\tvsyscall reported correct node\n"); |
4917 | + } |
4918 | + } |
4919 | + } |
4920 | + |
4921 | + return nerrs; |
4922 | +} |
4923 | + |
4924 | +static int test_vsys_r(void) |
4925 | +{ |
4926 | +#ifdef __x86_64__ |
4927 | + printf("[RUN]\tChecking read access to the vsyscall page\n"); |
4928 | + bool can_read; |
4929 | + if (sigsetjmp(jmpbuf, 1) == 0) { |
4930 | + *(volatile int *)0xffffffffff600000; |
4931 | + can_read = true; |
4932 | + } else { |
4933 | + can_read = false; |
4934 | + } |
4935 | + |
4936 | + if (can_read && !should_read_vsyscall) { |
4937 | + printf("[FAIL]\tWe have read access, but we shouldn't\n"); |
4938 | + return 1; |
4939 | + } else if (!can_read && should_read_vsyscall) { |
4940 | + printf("[FAIL]\tWe don't have read access, but we should\n"); |
4941 | + return 1; |
4942 | + } else { |
4943 | + printf("[OK]\tgot expected result\n"); |
4944 | + } |
4945 | +#endif |
4946 | + |
4947 | + return 0; |
4948 | +} |
4949 | + |
4950 | + |
4951 | +#ifdef __x86_64__ |
4952 | +#define X86_EFLAGS_TF (1UL << 8) |
4953 | +static volatile sig_atomic_t num_vsyscall_traps; |
4954 | + |
4955 | +static unsigned long get_eflags(void) |
4956 | +{ |
4957 | + unsigned long eflags; |
4958 | + asm volatile ("pushfq\n\tpopq %0" : "=rm" (eflags)); |
4959 | + return eflags; |
4960 | +} |
4961 | + |
4962 | +static void set_eflags(unsigned long eflags) |
4963 | +{ |
4964 | + asm volatile ("pushq %0\n\tpopfq" : : "rm" (eflags) : "flags"); |
4965 | +} |
4966 | + |
4967 | +static void sigtrap(int sig, siginfo_t *info, void *ctx_void) |
4968 | +{ |
4969 | + ucontext_t *ctx = (ucontext_t *)ctx_void; |
4970 | + unsigned long ip = ctx->uc_mcontext.gregs[REG_RIP]; |
4971 | + |
4972 | + if (((ip ^ 0xffffffffff600000UL) & ~0xfffUL) == 0) |
4973 | + num_vsyscall_traps++; |
4974 | +} |
4975 | + |
4976 | +static int test_native_vsyscall(void) |
4977 | +{ |
4978 | + time_t tmp; |
4979 | + bool is_native; |
4980 | + |
4981 | + if (!vtime) |
4982 | + return 0; |
4983 | + |
4984 | + printf("[RUN]\tchecking for native vsyscall\n"); |
4985 | + sethandler(SIGTRAP, sigtrap, 0); |
4986 | + set_eflags(get_eflags() | X86_EFLAGS_TF); |
4987 | + vtime(&tmp); |
4988 | + set_eflags(get_eflags() & ~X86_EFLAGS_TF); |
4989 | + |
4990 | + /* |
4991 | + * If vsyscalls are emulated, we expect a single trap in the |
4992 | + * vsyscall page -- the call instruction will trap with RIP |
4993 | + * pointing to the entry point before emulation takes over. |
4994 | + * In native mode, we expect two traps, since whatever code |
4995 | + * the vsyscall page contains will be more than just a ret |
4996 | + * instruction. |
4997 | + */ |
4998 | + is_native = (num_vsyscall_traps > 1); |
4999 | + |
5000 | + printf("\tvsyscalls are %s (%d instructions in vsyscall page)\n", |
5001 | + (is_native ? "native" : "emulated"), |
5002 | + (int)num_vsyscall_traps); |
5003 | + |
5004 | + return 0; |
5005 | +} |
5006 | +#endif |
5007 | + |
5008 | +int main(int argc, char **argv) |
5009 | +{ |
5010 | + int nerrs = 0; |
5011 | + |
5012 | + init_vdso(); |
5013 | + nerrs += init_vsys(); |
5014 | + |
5015 | + nerrs += test_gtod(); |
5016 | + nerrs += test_time(); |
5017 | + nerrs += test_getcpu(0); |
5018 | + nerrs += test_getcpu(1); |
5019 | + |
5020 | + sethandler(SIGSEGV, sigsegv, 0); |
5021 | + nerrs += test_vsys_r(); |
5022 | + |
5023 | +#ifdef __x86_64__ |
5024 | + nerrs += test_native_vsyscall(); |
5025 | +#endif |
5026 | + |
5027 | + return nerrs ? 1 : 0; |
5028 | +} |