From 0899b0f554788a62b531fb94135046a9b029a8eb Mon Sep 17 00:00:00 2001 
From: Ben Hutchings Date: Sun, 18 Aug 2019 20:12:38 +0100 Subject: [PATCH] Update to 4.19.67 * Drop patches which have been applied to 4.19-stable * Drop "Revert "net: stmmac: Send TSO packets always from Queue 0"" in favour of upstream fix "net: stmmac: Re-work the queue selection for TSO packets" * Refresh patches that became fuzzy --- debian/changelog | 2146 ++++++++++++++++- .../all/0001-aio-clear-IOCB_HIPRI.patch | 52 - ...-count-overflow-check-tighter-and-mo.patch | 52 - ...-aio-use-assigned-completion-handler.patch | 32 - ...-mm-add-try_get_page-helper-function.patch | 56 - ...-ring-reservation-from-req-allocatio.patch | 101 - ...ser_pages-from-overflowing-page-refc.patch | 155 -- ...-t-zero-entire-aio_kiocb-aio_get_req.patch | 52 - ...ge-refcount-overflow-in-pipe_buf_get.patch | 162 -- ...e-iocb_put-instead-of-open-coding-it.patch | 34 - ...lit-out-iocb-copy-from-io_submit_one.patch | 194 -- ...-abstract-out-io_event-filler-helper.patch | 47 - ...iocb-private-in-case-any-filesystems.patch | 32 - ...lify-and-fix-fget-fput-for-io_submit.patch | 312 --- .../all/0010-pin-iocb-through-aio.patch | 112 - ...ld-lookup_kiocb-into-its-sole-caller.patch | 61 - .../0012-aio-keep-io_event-in-aio_kiocb.patch | 105 - ...13-aio-store-event-at-final-iocb_put.patch | 101 - .../bugfix/all/0014-Fix-aio_poll-races.patch | 225 -- ...art-check-for-missing-tty-operations.patch | 152 -- .../Bluetooth-hidp-fix-buffer-overflow.patch | 34 - ...d-section-about-CPU-vulnerabilities-.patch | 760 ------ ...d-swapgs-description-to-the-Spectre-.patch | 170 -- ...ce-between-munmap-and-direct-reclaim.patch | 67 - ...type-check-for-event-handling-in-dat.patch | 106 - ...SSID-length-from-firmware-is-limited.patch | 34 - ...e-unused-memory-region-in-the-extent.patch | 82 - ...-redundant-log-messages-from-drivers.patch | 78 +- ...x-div-by-zero-in-setup_format_params.patch | 64 - ...ix-out-of-bounds-read-in-copy_buffer.patch | 55 - ...bounds-check-collection-indent-level.patch | 82 - 
...ore.c-make-mincore-more-conservative.patch | 95 - ...-at-too-short-bss-descriptor-element.patch | 83 - ...t-on-small-spec-compliant-vendor-ies.patch | 135 -- ...-overflow-in-mwifiex_uap_parse_tail_.patch | 118 - ...ible-buffer-overflows-at-parsing-bss.patch | 44 - ...et-switch-IP-ID-generator-to-siphash.patch | 162 -- ...-attributes-in-the-deactivate_target.patch | 36 - ...cer_cred-handling-for-PTRACE_TRACEME.patch | 57 - ...c-send-tso-packets-always-from-queue.patch | 35 - ...race-condition-when-smp-task-timeout.patch | 65 - ...ntation-l1tf-Fix-small-spelling-typo.patch | 40 - ...02-x86-cpu-Sanitize-FAM6_ATOM-naming.patch | 782 ------ ...-Report-STIBP-on-GET_SUPPORTED_CPUID.patch | 48 - ...04-x86-msr-index-Cleanup-bit-defines.patch | 119 - ...eculation-Consolidate-CPU-whitelists.patch | 169 -- ...mds-Add-basic-bug-infrastructure-for.patch | 154 -- ...6-speculation-mds-Add-BUG_MSBDS_ONLY.patch | 90 - ...xpose-X86_FEATURE_MD_CLEAR-to-guests.patch | 43 - ...lation-mds-Add-mds_clear_cpu_buffers.patch | 231 -- ...mds-Clear-CPU-buffers-on-exit-to-use.patch | 203 -- ...MDS-protection-when-L1D-Flush-is-not.patch | 56 - ...mds-Conditionally-clear-CPU-buffers-.patch | 223 -- ...n-mds-Add-mitigation-control-for-MDS.patch | 191 -- ...tion-mds-Add-sysfs-reporting-for-MDS.patch | 127 - ...ation-mds-Add-mitigation-mode-VMWERV.patch | 129 - ...tion-Move-L1TF-to-separate-directory.patch | 123 - ...-Add-MDS-vulnerability-documentation.patch | 381 --- ...mds-Add-mds-full-nosmt-cmdline-optio.patch | 88 - ...Move-arch_smt_update-call-to-after-m.patch | 43 - ...culation-mds-Add-SMT-warning-message.patch | 58 - ...0021-x86-speculation-mds-Fix-comment.patch | 31 - ...mds-Print-SMT-vulnerable-on-MSBDS-wi.patch | 46 - ...ation-Add-mitigations-cmdline-option.patch | 164 -- ...n-Support-mitigations-cmdline-option.patch | 151 -- ...ion-Support-mitigations-cmdline-opti.patch | 122 - ...n-Support-mitigations-cmdline-option.patch | 92 - ...-mds-Add-mitigations-support-for-MDS.patch | 59 - 
...SUM-variant-to-the-MDS-documentation.patch | 69 - ...orrect-the-possible-MDS-sysfs-values.patch | 62 - ...eculation-mds-Fix-documentation-typo.patch | 29 - .../spec/powerpc-64s-include-cpu-header.patch | 40 - .../all/tcp-add-tcp_min_snd_mss-sysctl.patch | 123 - ...e-tcp_min_snd_mss-in-tcp_mtu_probing.patch | 36 - ...cp-limit-payload-size-of-sacked-skbs.patch | 154 -- ...ne-memory-limit-test-in-tcp_fragment.patch | 40 - ...ment-should-apply-sane-memory-limits.patch | 70 - .../all/tracing-fix-buffer_ref-pipe-ops.patch | 137 -- ...pe1-Limit-DMA-mappings-per-container.patch | 94 - ...t-disable-PCI_COMMAND-on-PCI-device-.patch | 56 - ...vide-definition-for-COMPAT_SIGMINSTK.patch | 38 - .../MIPS-Bounds-check-virt_addr_valid.patch | 75 - ...o32-Fix-indirect-syscall-number-load.patch | 52 - ...-hash-Reallocate-context-ids-on-fork.patch | 140 -- ...s-on-sigreturn-on-systems-without-TM.patch | 96 - ...-between-sunhv_console-and-sunhv_reg.patch | 63 - ...res-Carve-out-CQM-features-retrieval.patch | 110 - ...Combine-word-11-and-12-into-a-new-sc.patch | 211 -- ...x86-entry-64-Use-JMP-instead-of-JMPQ.patch | 40 - ...x-use-after-free-access-to-LDT-entry.patch | 175 -- ...Enable-Spectre-v1-swapgs-mitigations.patch | 261 -- ...Prepare-entry-code-for-Spectre-v1-sw.patch | 200 -- ...swapgs-Exclude-ATOMs-from-speculatio.patch | 159 -- .../features/all/aufs4/aufs4-mmap.patch | 67 +- ...e-host-info-to-match-latest-ENA-spec.patch | 27 +- ...ECURE_BOOT-flag-to-indicate-secure-b.patch | 23 +- debian/patches/series | 91 - 97 files changed, 2216 insertions(+), 11030 deletions(-) delete mode 100644 debian/patches/bugfix/all/0001-aio-clear-IOCB_HIPRI.patch delete mode 100644 debian/patches/bugfix/all/0001-mm-make-page-ref-count-overflow-check-tighter-and-mo.patch delete mode 100644 debian/patches/bugfix/all/0002-aio-use-assigned-completion-handler.patch delete mode 100644 debian/patches/bugfix/all/0002-mm-add-try_get_page-helper-function.patch delete mode 100644 
debian/patches/bugfix/all/0003-aio-separate-out-ring-reservation-from-req-allocatio.patch
delete mode 100644 debian/patches/bugfix/all/0003-mm-prevent-get_user_pages-from-overflowing-page-refc.patch
delete mode 100644 debian/patches/bugfix/all/0004-aio-don-t-zero-entire-aio_kiocb-aio_get_req.patch
delete mode 100644 debian/patches/bugfix/all/0004-fs-prevent-page-refcount-overflow-in-pipe_buf_get.patch
delete mode 100644 debian/patches/bugfix/all/0005-aio-use-iocb_put-instead-of-open-coding-it.patch
delete mode 100644 debian/patches/bugfix/all/0006-aio-split-out-iocb-copy-from-io_submit_one.patch
delete mode 100644 debian/patches/bugfix/all/0007-aio-abstract-out-io_event-filler-helper.patch
delete mode 100644 debian/patches/bugfix/all/0008-aio-initialize-kiocb-private-in-case-any-filesystems.patch
delete mode 100644 debian/patches/bugfix/all/0009-aio-simplify-and-fix-fget-fput-for-io_submit.patch
delete mode 100644 debian/patches/bugfix/all/0010-pin-iocb-through-aio.patch
delete mode 100644 debian/patches/bugfix/all/0011-aio-fold-lookup_kiocb-into-its-sole-caller.patch
delete mode 100644 debian/patches/bugfix/all/0012-aio-keep-io_event-in-aio_kiocb.patch
delete mode 100644 debian/patches/bugfix/all/0013-aio-store-event-at-final-iocb_put.patch
delete mode 100644 debian/patches/bugfix/all/0014-Fix-aio_poll-races.patch
delete mode 100644 debian/patches/bugfix/all/Bluetooth-hci_uart-check-for-missing-tty-operations.patch
delete mode 100644 debian/patches/bugfix/all/Bluetooth-hidp-fix-buffer-overflow.patch
delete mode 100644 debian/patches/bugfix/all/Documentation-Add-section-about-CPU-vulnerabilities-.patch
delete mode 100644 debian/patches/bugfix/all/Documentation-Add-swapgs-description-to-the-Spectre-.patch
delete mode 100644 debian/patches/bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch
delete mode 100644 debian/patches/bugfix/all/brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
delete mode 100644 debian/patches/bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
delete mode 100644 debian/patches/bugfix/all/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
delete mode 100644 debian/patches/bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch
delete mode 100644 debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
delete mode 100644 debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch
delete mode 100644 debian/patches/bugfix/all/mm-mincore.c-make-mincore-more-conservative.patch
delete mode 100644 debian/patches/bugfix/all/mwifiex-abort-at-too-short-bss-descriptor-element.patch
delete mode 100644 debian/patches/bugfix/all/mwifiex-don-t-abort-on-small-spec-compliant-vendor-ies.patch
delete mode 100644 debian/patches/bugfix/all/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch
delete mode 100644 debian/patches/bugfix/all/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch
delete mode 100644 debian/patches/bugfix/all/net-switch-IP-ID-generator-to-siphash.patch
delete mode 100644 debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch
delete mode 100644 debian/patches/bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch
delete mode 100644 debian/patches/bugfix/all/revert-net-stmmac-send-tso-packets-always-from-queue.patch
delete mode 100644 debian/patches/bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch
delete mode 100644 debian/patches/bugfix/all/spec/0001-Documentation-l1tf-Fix-small-spelling-typo.patch
delete mode 100644 debian/patches/bugfix/all/spec/0002-x86-cpu-Sanitize-FAM6_ATOM-naming.patch
delete mode 100644 debian/patches/bugfix/all/spec/0003-kvm-x86-Report-STIBP-on-GET_SUPPORTED_CPUID.patch
delete mode 100644 debian/patches/bugfix/all/spec/0004-x86-msr-index-Cleanup-bit-defines.patch
delete mode 100644 debian/patches/bugfix/all/spec/0005-x86-speculation-Consolidate-CPU-whitelists.patch
delete mode 100644 debian/patches/bugfix/all/spec/0006-x86-speculation-mds-Add-basic-bug-infrastructure-for.patch
delete mode 100644 debian/patches/bugfix/all/spec/0007-x86-speculation-mds-Add-BUG_MSBDS_ONLY.patch
delete mode 100644 debian/patches/bugfix/all/spec/0008-x86-kvm-Expose-X86_FEATURE_MD_CLEAR-to-guests.patch
delete mode 100644 debian/patches/bugfix/all/spec/0009-x86-speculation-mds-Add-mds_clear_cpu_buffers.patch
delete mode 100644 debian/patches/bugfix/all/spec/0010-x86-speculation-mds-Clear-CPU-buffers-on-exit-to-use.patch
delete mode 100644 debian/patches/bugfix/all/spec/0011-x86-kvm-vmx-Add-MDS-protection-when-L1D-Flush-is-not.patch
delete mode 100644 debian/patches/bugfix/all/spec/0012-x86-speculation-mds-Conditionally-clear-CPU-buffers-.patch
delete mode 100644 debian/patches/bugfix/all/spec/0013-x86-speculation-mds-Add-mitigation-control-for-MDS.patch
delete mode 100644 debian/patches/bugfix/all/spec/0014-x86-speculation-mds-Add-sysfs-reporting-for-MDS.patch
delete mode 100644 debian/patches/bugfix/all/spec/0015-x86-speculation-mds-Add-mitigation-mode-VMWERV.patch
delete mode 100644 debian/patches/bugfix/all/spec/0016-Documentation-Move-L1TF-to-separate-directory.patch
delete mode 100644 debian/patches/bugfix/all/spec/0017-Documentation-Add-MDS-vulnerability-documentation.patch
delete mode 100644 debian/patches/bugfix/all/spec/0018-x86-speculation-mds-Add-mds-full-nosmt-cmdline-optio.patch
delete mode 100644 debian/patches/bugfix/all/spec/0019-x86-speculation-Move-arch_smt_update-call-to-after-m.patch
delete mode 100644 debian/patches/bugfix/all/spec/0020-x86-speculation-mds-Add-SMT-warning-message.patch
delete mode 100644 debian/patches/bugfix/all/spec/0021-x86-speculation-mds-Fix-comment.patch
delete mode 100644 debian/patches/bugfix/all/spec/0022-x86-speculation-mds-Print-SMT-vulnerable-on-MSBDS-wi.patch
delete mode 100644 debian/patches/bugfix/all/spec/0023-cpu-speculation-Add-mitigations-cmdline-option.patch
delete mode 100644 debian/patches/bugfix/all/spec/0024-x86-speculation-Support-mitigations-cmdline-option.patch
delete mode 100644 debian/patches/bugfix/all/spec/0025-powerpc-speculation-Support-mitigations-cmdline-opti.patch
delete mode 100644 debian/patches/bugfix/all/spec/0026-s390-speculation-Support-mitigations-cmdline-option.patch
delete mode 100644 debian/patches/bugfix/all/spec/0027-x86-speculation-mds-Add-mitigations-support-for-MDS.patch
delete mode 100644 debian/patches/bugfix/all/spec/0028-x86-mds-Add-MDSUM-variant-to-the-MDS-documentation.patch
delete mode 100644 debian/patches/bugfix/all/spec/0029-Documentation-Correct-the-possible-MDS-sysfs-values.patch
delete mode 100644 debian/patches/bugfix/all/spec/0030-x86-speculation-mds-Fix-documentation-typo.patch
delete mode 100644 debian/patches/bugfix/all/spec/powerpc-64s-include-cpu-header.patch
delete mode 100644 debian/patches/bugfix/all/tcp-add-tcp_min_snd_mss-sysctl.patch
delete mode 100644 debian/patches/bugfix/all/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
delete mode 100644 debian/patches/bugfix/all/tcp-limit-payload-size-of-sacked-skbs.patch
delete mode 100644 debian/patches/bugfix/all/tcp-refine-memory-limit-test-in-tcp_fragment.patch
delete mode 100644 debian/patches/bugfix/all/tcp-tcp_fragment-should-apply-sane-memory-limits.patch
delete mode 100644 debian/patches/bugfix/all/tracing-fix-buffer_ref-pipe-ops.patch
delete mode 100644 debian/patches/bugfix/all/vfio-type1-Limit-DMA-mappings-per-container.patch
delete mode 100644 debian/patches/bugfix/all/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
delete mode 100644 debian/patches/bugfix/arm64/arm64-compat-Provide-definition-for-COMPAT_SIGMINSTK.patch
delete mode 100644 debian/patches/bugfix/mips/MIPS-Bounds-check-virt_addr_valid.patch
delete mode 100644 debian/patches/bugfix/mips/MIPS-scall64-o32-Fix-indirect-syscall-number-load.patch
delete mode 100644 debian/patches/bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch
delete mode 100644 debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch
delete mode 100644 debian/patches/bugfix/sparc64/sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch
delete mode 100644 debian/patches/bugfix/x86/x86-cpufeatures-Carve-out-CQM-features-retrieval.patch
delete mode 100644 debian/patches/bugfix/x86/x86-cpufeatures-Combine-word-11-and-12-into-a-new-sc.patch
delete mode 100644 debian/patches/bugfix/x86/x86-entry-64-Use-JMP-instead-of-JMPQ.patch
delete mode 100644 debian/patches/bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch
delete mode 100644 debian/patches/bugfix/x86/x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch
delete mode 100644 debian/patches/bugfix/x86/x86-speculation-Prepare-entry-code-for-Spectre-v1-sw.patch
delete mode 100644 debian/patches/bugfix/x86/x86-speculation-swapgs-Exclude-ATOMs-from-speculatio.patch
diff --git a/debian/changelog b/debian/changelog
index faee86d05..ccef56c93 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,2144 @@
-linux (4.19.37-6) UNRELEASED; urgency=medium
+linux (4.19.67-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.38
+ - netfilter: nft_compat: use refcnt_t type for nft_xt reference count
+ - netfilter: nft_compat: make lists per netns
+ - netfilter: nf_tables: split set destruction in deactivate and destroy
+ phase
+ - netfilter: nft_compat: destroy function must not have side effects
+ - netfilter: nf_tables: warn when expr implements only one of
+ activate/deactivate
+ - netfilter: nf_tables: unbind set in rule from commit path
+ - netfilter: nft_compat: don't use refcount_inc on newly allocated entry
+ - netfilter: nft_compat: use .release_ops and remove list of extension
+ - netfilter: nf_tables: fix set double-free in abort path
+ - netfilter: nf_tables: bogus EBUSY when deleting set after flush
+ - netfilter: nf_tables: bogus EBUSY in helper removal from transaction
+ - net/ibmvnic: Fix RTNL deadlock during device reset
+ - net: mvpp2: fix validate for PPv2.1
+ - ext4: fix some error pointer dereferences
+ - tipc: handle the err returned from cmd header function
+ - loop: do not print warn message if partition scan is successful
+ - [armhf,arm64] drm/rockchip: fix for mailbox read validation.
+ - vsock/virtio: fix kernel panic from virtio_transport_reset_no_sock
+ - ipvs: fix warning on unused variable
+ - [ppc64el] vdso32: fix CLOCK_MONOTONIC on PPC64
+ - [armhf,arm64] net: dsa: mv88e6xxx: add call to mv88e6xxx_ports_cmode_init
+ to probe for new DSA framework
+ - cifs: fix memory leak in SMB2_read
+ - cifs: do not attempt cifs operation on smb2+ rename error
+ - tracing: Fix a memory leak by early error exit in trace_pid_write()
+ - zram: pass down the bvec we need to read into in the work struct
+ - trace: Fix preempt_enable_no_resched() abuse
+ - IB/rdmavt: Fix frwr memory registration
+ - RDMA/mlx5: Do not allow the user to write to the clock page
+ - sched/numa: Fix a possible divide-by-zero
+ - ceph: only use d_name directly when parent is locked
+ - ceph: ensure d_name stability in ceph_dentry_hash()
+ - ceph: fix ci->i_head_snapc leak
+ - nfsd: Don't release the callback slot unless it was actually held
+ - sunrpc: don't mark uninitialised items as VALID.
+ - [x86] perf/intel: Update KBL Package C-state events to also include
+ PC8/PC9/PC10 counters
+ - Input: synaptics-rmi4 - write config register values to the right offset
+ - [armhf] 8857/1: efi: enable CP15 DMB instructions before cleaning the
+ cache
+ - [ppc64el] mm/radix: Make Radix require HUGETLB_PAGE
+ - [arm*] drm/vc4: Fix memory leak during gpu reset.
+ - [x86] Revert "drm/i915/fbdev: Actually configure untiled displays"
+ - USB: Add new USB LPM helpers
+ - USB: Consolidate LPM checks to avoid enabling LPM twice
+ - slip: make slhc_free() silently accept an error pointer
+ - [x86] intel_th: gth: Fix an off-by-one in output unassigning
+ - fs/proc/proc_sysctl.c: Fix a NULL pointer dereference
+ - workqueue: Try to catch flush_work() without INIT_WORK().
+ - sched/deadline: Correctly handle active 0-lag timers
+ - NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family.
+ - netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
+ - fm10k: Fix a potential NULL pointer dereference
+ - tipc: check bearer name with right length in tipc_nl_compat_bearer_enable
+ - tipc: check link name with right length in tipc_nl_compat_link_set
+ - net: netrom: Fix error cleanup path of nr_proto_init
+ - net/rds: Check address length before reading address family
+ - rxrpc: fix race condition in rxrpc_input_packet()
+ - [x86] retpolines: Raise limit for generating indirect calls from
+ switch-case
+ - [x86] retpolines: Disable switch jump tables when retpolines are enabled
+ - mm: Fix warning in insert_pfn()
+ - [x86] fpu: Don't export __kernel_fpu_{begin,end}()
+ - ipv4: add sanity checks in ipv4_link_failure()
+ - ipv4: set the tcp_min_rtt_wlen range from 0 to one day
+ - net/mlx5e: ethtool, Remove unsupported SFP EEPROM high pages query
+ - net: rds: exchange of 8K and 1M pool
+ - net/rose: fix unbound loop in rose_loopback_timer()
+ - [armhf,arm64] net: stmmac: move stmmac_check_ether_addr() to driver probe
+ - team: fix possible recursive locking when add slaves
+ - [arm64] net: hns: Fix WARNING when hns modules installed
+ - net/mlx5e: Fix the max MTU check in case of XDP
+ - net/mlx5e: Fix use-after-free after xdp_return_frame
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.39
+ - selinux: use kernel linux/socket.h for genheaders and mdp
+ - Revert "ACPICA: Clear status of GPEs before enabling them"
+ - [arm*] dts: bcm283x: Fix hdmi hpd gpio pull
+ - [s390x] limit brk randomization to 32MB
+ - net: ieee802154: fix a potential NULL pointer dereference
+ - ieee802154: hwsim: propagate genlmsg_reply return code
+ - [armhf,arm64] net: stmmac: don't set own bit too early for jumbo frames
+ - qlcnic: Avoid potential NULL pointer dereference
+ - xsk: fix umem memory leak on cleanup
+ - netfilter: nft_set_rbtree: check for inactive element after flag mismatch
+ - netfilter: bridge: set skb transport_header before entering
+ NF_INET_PRE_ROUTING
+ - netfilter: fix NETFILTER_XT_TARGET_TEE dependencies
+ - netfilter: ip6t_srh: fix NULL pointer dereferences
+ - [s390x] qeth: fix race when initializing the IP address table
+ - [armhf] imx51: fix a leaked reference by adding missing of_node_put
+ - [arm64] KVM: Reset the PMU in preemptible context
+ - [armhf,arm64] KVM: vgic-its: Take the srcu lock when writing to guest
+ memory
+ - [armhf,arm64] KVM: vgic-its: Take the srcu lock when parsing the memslots
+ - [x86] usb: dwc3: pci: add support for Comet Lake PCH ID
+ - usb: gadget: net2280: Fix overrun of OUT messages
+ - usb: gadget: net2280: Fix net2280_dequeue()
+ - [x86] i2c: i801: Add support for Intel Comet Lake
+ - staging: rtl8188eu: Fix potential NULL pointer dereference of kcalloc
+ - staging: rtlwifi: rtl8822b: fix to avoid potential NULL pointer
+ dereference
+ - staging: rtl8712: uninitialized memory in read_bbreg_hdl()
+ - staging: rtlwifi: Fix potential NULL pointer dereference of kzalloc
+ - [arm64] net: macb: Add null check for PCLK and HCLK
+ - net/sched: don't dereference a->goto_chain to read the chain index
+ - [armhf] dts: imx6qdl: Fix typo in imx6qdl-icore-rqs.dtsi
+ - [armhf,arm64] drm/tegra: hub: Fix dereference before check
+ - NFS: Fix a typo in nfs_init_timeout_values()
+ - drm: Fix drm_release() and device unplug
+ - [arm64] drm/meson: Fix invalid pointer in meson_drv_unbind()
+ - [arm64] drm/meson: Uninstall IRQ handler
+ - scsi: mpt3sas: Fix kernel panic during expander reset
+ - scsi: aacraid: Insure we don't access PCIe space during AER/EEH
+ - scsi: qla4xxx: fix a potential NULL pointer dereference
+ - leds: trigger: netdev: fix refcnt leak on interface rename
+ - [x86] realmode: Don't leak the trampoline kernel address
+ - usb: u132-hcd: fix resource leak
+ - ceph: fix use-after-free on symlink traversal
+ - [s390x] scsi: zfcp: reduce flood of fcrscn1 trace records on multi-
+ element RSCN
+ - [x86] mm: Don't exceed the valid physical address space
+ - libata: fix using DMA buffers on stack
+ - gpio: of: Fix of_gpiochip_add() error path
+ - nvme-multipath: relax ANA state check
+ - perf machine: Update kernel map address and re-order properly
+ - [x86] iommu/amd: Reserve exclusion range in iova-domain
+ - ptrace: take into account saved_sigmask in PTRACE{GET,SET}SIGMASK
+ - leds: trigger: netdev: use memcpy in device_name_store
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.40
+ - ipv4: ip_do_fragment: Preserve skb_iif during fragmentation
+ - ipv6: A few fixes on dereferencing rt->from
+ - ipv6: fix races in ip6_dst_destroy()
+ - ipv6/flowlabel: wait rcu grace period before put_pid()
+ - ipv6: invert flowlabel sharing check in process and user mode
+ - l2ip: fix possible use-after-free
+ - l2tp: use rcu_dereference_sk_user_data() in l2tp_udp_encap_recv()
+ - [armhf] net: dsa: bcm_sf2: fix buffer overflow doing set_rxnfc
+ - net: phy: marvell: Fix buffer overrun with stats counters
+ - rxrpc: Fix net namespace cleanup
+ - sctp: avoid running the sctp state machine recursively
+ - packet: validate msg_namelen in send directly
+ - bnxt_en: Improve multicast address setup logic.
+ - bnxt_en: Free short FW command HWRM memory in error path in
+ bnxt_init_one()
+ - bnxt_en: Fix uninitialized variable usage in bnxt_rx_pkt().
+ - [x86] KVM: Whitelist port 0x7e for pre-incrementing %rip
+ - [x86] KVM: nVMX: Fix size checks in vmx_set_nested_state
+ - ALSA: line6: use dynamic buffers
+ - ath10k: Drop WARN_ON()s that always trigger during system resume
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.41
+ - iwlwifi: fix driver operation for 5350
+ - mwifiex: Make resume actually do something useful again on SDIO cards
+ - mac80211: don't attempt to rename ERR_PTR() debugfs dirs
+ - [armhf] i2c: imx: correct the method of getting private data in
+ notifier_call
+ - i2c: Remove unnecessary call to irq_find_mapping
+ - i2c: Clear client->irq in i2c_device_remove
+ - i2c: Allow recovery of the initial IRQ by an I2C client device.
+ - i2c: Prevent runtime suspend of adapter when Host Notify is required
+ - [x86] ALSA: hda/realtek - Add new Dell platform for headset mode
+ - [x86] ALSA: hda/realtek - Fixed Dell AIO speaker noise
+ - [x86] ALSA: hda/realtek - Apply the fixup for ASUS Q325UAR
+ - USB: yurex: Fix protection fault after device removal
+ - USB: w1 ds2490: Fix bug caused by improper use of altsetting array
+ - USB: dummy-hcd: Fix failure to give back unlinked URBs
+ - usb: usbip: fix isoc packet num validation in get_pipe
+ - USB: core: Fix unterminated string returned by usb_string()
+ - USB: core: Fix bug caused by duplicate interface PM usage counter
+ - nvme-loop: init nvmet_ctrl fatal_err_work when allocate
+ - [arm64] dts: rockchip: fix rk3328-roc-cc gmac2io tx/rx_delay
+ - HID: logitech: check the return value of create_singlethread_workqueue
+ - HID: debug: fix race condition with between rdesc_show() and device
+ removal
+ - rtc: cros-ec: Fail suspend/resume if wake IRQ can't be configured
+ - batman-adv: Reduce claim hash refcnt only for removed entry
+ - batman-adv: Reduce tt_local hash refcnt only for removed entry
+ - batman-adv: Reduce tt_global hash refcnt only for removed entry
+ - batman-adv: fix warning in function batadv_v_elp_get_throughput
+ - [armhf]
dts: rockchip: Fix gpu opp node names for rk3288 + - [arm64] reset: meson-audio-arb: Fix missing .owner setting of + reset_controller_dev + - igb: Fix WARN_ONCE on runtime suspend + - HID: quirks: Fix keyboard + touchpad on Lenovo Miix 630 + - net/mlx5: E-Switch, Fix esw manager vport indication for more vport + commands + - bonding: show full hw address in sysfs for slave entries + - [armhf,arm64] net: stmmac: use correct DMA buffer size in the RX + descriptor + - [armhf,arm64] net: stmmac: ratelimit RX error logs + - [armhf,arm64] net: stmmac: don't stop NAPI processing when dropping a + packet + - [armhf,arm64] net: stmmac: don't overwrite discard_frame status + - [armhf,arm64] net: stmmac: fix dropping of multi-descriptor RX frames + - [armhf,arm64] net: stmmac: don't log oversized frames + - jffs2: fix use-after-free on symlink traversal + - debugfs: fix use-after-free on symlink traversal + - [armhf] mfd: twl-core: Disable IRQ while suspended + - block: use blk_free_flush_queue() to free hctx->fq in blk_mq_init_hctx + - HID: input: add mapping for Assistant key + - vfio/pci: use correct format characters + - scsi: core: add new RDAC LENOVO/DE_Series device + - [x86] scsi: storvsc: Fix calculation of sub-channel count + - [arm64] fix wrong check of on_sdei_stack in nmi context + - [arm64] net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw() + - [arm64] net: hns: Use NAPI_POLL_WEIGHT for hns driver + - [arm64] net: hns: Fix probabilistic memory overwrite when HNS driver + initialized + - [arm64] net: hns: fix ICMP6 neighbor solicitation messages discard + problem + - [arm64] net: hns: Fix WARNING when remove HNS driver with SMMU enabled + - libcxgb: fix incorrect ppmax calculation + - [x86] KVM: SVM: prevent DBG_DECRYPT and DBG_ENCRYPT overflow + - hugetlbfs: fix memory leak for resv_map + - fs: stream_open - opener for stream-like files so that read and write can + run simultaneously without deadlock + - [armel] orion: don't use using 64-bit DMA masks 
+ - block: pass no-op callback to INIT_WORK(). + - [x86] perf/amd: Update generic hardware cache events for Family 17h + - Bluetooth: btusb: request wake pin with NOAUTOEN + - Bluetooth: mediatek: fix up an error path to restore bdev->tx_state + - [arm64] clk: qcom: Add missing freq for usb30_master_clk on 8998 + - scsi: RDMA/srpt: Fix a credit leak for aborted commands + - [x86] ASoC: Intel: bytcr_rt5651: Revert "Fix DMIC map headsetmic mapping" + - [x86] platform: intel_pmc_core: Fix PCH IP name + - [x86] platform: intel_pmc_core: Handle CFL regmap properly + - IB/core: Unregister notifier before freeing MAD security + - IB/core: Fix potential memory leak while creating MAD agents + - IB/core: Destroy QP if XRC QP fails + - selinux: avoid silent denials in permissive mode under RCU walk + - selinux: never allow relabeling on context mounts + - mac80211: Honor SW_CRYPTO_CONTROL for unicast keys in AP VLAN mode + - [ppc64el] mm/hash: Handle mmap_min_addr correctly in get_unmapped_area + topdown search + - [x86] mce: Improve error message when kernel cannot recover, p2 + - [x86] clk: Add system specific quirk to mark clocks as critical + - [x86] mm/KASLR: Fix the size of the direct mapping section + - [x86] mm: Fix a crash with kmemleak_scan() + - [x86] mm/tlb: Revert "x86/mm: Align TLB invalidation info" + - media: v4l2: i2c: ov7670: Fix PLL bypass register values + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.42 + - [armhf,arm64] net: stmmac: Use bfsize1 in ndesc_init_rx_desc + - [x86] Drivers: hv: vmbus: Remove the undesired put_cpu_ptr() in + hv_synic_cleanup() + - ASoC: hdmi-codec: fix S/PDIF DAI + - ASoC:soc-pcm:fix a codec fixup issue in TDM case + - [x86] ASoC:intel:skl:fix a simultaneous playback & capture issue on hda + platform + - [arm64] clk: meson-gxbb: round the vdec dividers to closest + - ASoC: dapm: Fix NULL pointer dereference in snd_soc_dapm_free_kcontrol + - [armhf] drm/omap: hdmi4_cec: Fix CEC clock handling for PM + - IB/hfi1: 
Eliminate opcode tests on mr deref + - IB/hfi1: Fix the allocation of RSM table + - [x86] perf/intel: Fix handling of wakeup_events for multi-entry PEBS + - [x86] perf/intel: Initialize TFA MSR + - linux/kernel.h: Use parentheses around argument in u64_to_user_ptr() + - drm/amd/display: fix cursor black issue + - objtool: Add rewind_stack_do_exit() to the noreturn list + - slab: fix a crash by reading /proc/slab_allocators + - [armhf,arm64] drm/sun4i: tcon top: Fix NULL/invalid pointer dereference + in sun8i_tcon_top_un/bind + - virtio_pci: fix a NULL pointer reference in vp_del_vqs + - [x86] RDMA/vmw_pvrdma: Fix memory leak on pvrdma_pci_remove + - [arm64] RDMA/hns: Fix bug that caused srq creation to fail + - scsi: csiostor: fix missing data copy in csio_scsi_err_handler() + - [x86] ASoC: Intel: kbl: fix wrong number of channels + - virtio-blk: limit number of hw queues by nr_cpu_ids + - nvme-fc: correct csn initialization and increments on error + - [x86] platform: pmc_atom: Drop __initconst on dmi table + - perf/core: Fix perf_event_disable_inatomic() race + - [x86] iommu/amd: Set exclusion range correctly + - genirq: Prevent use-after-free and work list corruption + - usb: dwc3: Fix default lpm_nyet_threshold value + - USB: serial: f81232: fix interrupt worker not stop + - USB: cdc-acm: fix unthrottle races + - usb-storage: Set virt_boundary_mask to avoid SG overflows + - [x86] intel_th: pci: Add Comet Lake support + - [arm64] cpufreq: armada-37xx: fix frequency calculation for opp + - scsi: lpfc: change snprintf to scnprintf for possible overflow + - scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines + - scsi: qla2xxx: Fix device staying in blocked state + - UAS: fix alignment of scatter/gather segments + - [x86] ASoC: Intel: avoid Oops if DMA setup fails + - locking/futex: Allow low-level atomic operations to return -EAGAIN + - [arm64] futex: Bound number of LDXR/STXR loops in FUTEX_WAKE_OP + 
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.43 + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.44 + - bfq: update internal depth state when queue depth changes + - [x86] platform: sony-laptop: Fix unintentional fall-through + - [x86] platform: thinkpad_acpi: Disable Bluetooth for some machines + - [x86] platform: dell-laptop: fix rfkill functionality + - hwmon: (pwm-fan) Disable PWM if fetching cooling data fails + - kernfs: fix barrier usage in __kernfs_new_node() + - [x86] virt: vbox: Sanity-check parameter types for hgcm-calls coming from + userspace + - USB: serial: fix unthrottle races + - acpi/nfit: Always dump _DSM output payload + - libnvdimm/namespace: Fix a potential NULL pointer dereference + - HID: input: add mapping for Expose/Overview key + - HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys + - HID: input: add mapping for "Toggle Display" key + - libnvdimm/btt: Fix a kmemdup failure check + - [s390x] dasd: Fix capacity calculation for large volumes + - mac80211: fix unaligned access in mesh table hash function + - mac80211: Increase MAX_MSG_LEN + - cfg80211: Handle WMM rules in regulatory domain intersection + - mac80211: fix memory accounting with A-MSDU aggregation + - nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands + - libnvdimm/pmem: fix a possible OOB access when read and write pmem + - [s390x] 3270: fix lockdep false positive on view->lock + - drm/amd/display: extending AUX SW Timeout + - mISDN: Check address length before reading address family + - vxge: fix return of a free'd memblock on a failed dma mapping + - qede: fix write to free'd pointer error and double free of ptp + - afs: Unlock pages for __pagevec_release() + - drm/amd/display: If one stream full updates, full update all planes + - [s390x] pkey: add one more argument space for debug feature entry + - [x86] reboot, efi: Use EFI reboot for Acer TravelMate X514-51T + - [x86] KVM: fix spectrev1 gadgets + - [x86] KVM: avoid 
misreporting level-triggered irqs as edge-triggered in
+ tracing
+ - tools lib traceevent: Fix missing equality check for strcmp
+ - ipmi: ipmi_si_hardcode.c: init si_type array to fix a crash
+ - scsi: aic7xxx: fix EISA support
+ - mm: fix inactive list balancing between NUMA nodes and cgroups
+ - init: initialize jump labels before command line option parsing
+ - ipvs: do not schedule icmp errors from tunnels
+ - netfilter: ctnetlink: don't use conntrack/expect object addresses as id
+ - netfilter: nf_tables: prevent shift wrap in nft_chain_parse_hook()
+ - [s390x] ctcm: fix ctcm_new_device error return code
+ - [armhf,arm64] drm/sun4i: Set device driver data at bind time for use in
+ unbind
+ - [armhf,arm64] drm/sun4i: Fix component unbinding and component master
+ deletion
+ - netfilter: fix nf_l4proto_log_invalid to log invalid packets
+ - [armhf] gpu: ipu-v3: dp: fix CSC handling
+ - [armhf] drm/imx: don't skip DP channel disable for background plane
+ - [armhf,arm64] drm/sun4i: Unbind components before releasing DRM and
+ memory
+ - Input: synaptics-rmi4 - fix possible double free
+ - [arm64] RDMA/hns: Bugfix for mapping user db
+ - mm/memory_hotplug.c: drop memory device reference after
+ find_memory_block()
+ - [ppc64el] smp: Fix NMI IPI timeout
+ - [ppc64el] smp: Fix NMI IPI xmon timeout
+ - [armhf,arm64] net: dsa: mv88e6xxx: fix few issues in
+ mv88e6390x_port_set_cmode
+ - mm/memory.c: fix modifying of page protection by insert_pfn()
+ - usb: typec: Fix unchecked return value
+ - netfilter: nf_tables: use-after-free in dynamic operations
+ - netfilter: nf_tables: add missing ->release_ops() in error path of
+ newrule() (Closes: #934168)
+ - net: fec: manage ahb clock in runtime pm
+ - net: strparser: partially revert "strparser: Call skb_unclone
+ conditionally"
+ - NFC: nci: Add some bounds checking in nci_hci_cmd_received()
+ - nfc: nci: Potential off by one in ->pipes[] array
+ - [x86] kprobes: Avoid kretprobe recursion bug
+ - mwl8k: Fix rate_idx 
underflow
+ - rtlwifi: rtl8723ae: Fix missing break in switch statement
+ - bonding: fix arp_validate toggling in active-backup mode
+ - bridge: Fix error path for kobject_init_and_add()
+ - ipv4: Fix raw socket lookup for local traffic
+ - net: dsa: Fix error cleanup path in dsa_init_module
+ - [armhf] net: ethernet: stmmac: dwmac-sun8i: enable support of unicast
+ filtering
+ - [arm64] net: macb: Change interrupt and napi enable order in open
+ - packet: Fix error path in packet_init
+ - selinux: do not report error on connect(AF_UNSPEC)
+ - vlan: disable SIOCSHWTSTAMP in container
+ - vrf: sit mtu should not be updated when vrf netdev is the link
+ - tuntap: fix dividing by zero in ebpf queue selection
+ - tuntap: synchronize through tfiles array instead of tun->numqueues
+ - isdn: bas_gigaset: use usb_fill_int_urb() properly
+ - tipc: fix hanging clients using poll with EPOLLOUT flag
+ - [ppc64el] book3s/64: check for NULL pointer in pgd_alloc()
+ - [ppc64el] powernv/idle: Restore IAMR after idle
+ - [x86] PCI: hv: Fix a memory leak in hv_eject_device_work()
+ - [x86] PCI: hv: Add hv_pci_remove_slots() when we unload the driver
+ - [x86] PCI: hv: Add pci_destroy_slot() in pci_devices_present_work(), if
+ necessary
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.45
+ - locking/rwsem: Prevent decrement of reader count before increment
+ - [x86] speculation/mds: Revert CPU buffer clear on double fault exit
+ - [x86] speculation/mds: Improve CPU buffer clear documentation
+ - objtool: Fix function fallthrough detection
+ - [arm64] dts: rockchip: Disable DCMDs on RK3399's eMMC controller.
+ - [armhf] dts: exynos: Fix interrupt for shared EINTs on Exynos5260
+ - [armhf] dts: exynos: Fix audio (microphone) routing on Odroid XU3
+ - [arm64] mmc: sdhci-of-arasan: Add DTS property to disable DCMDs. 
+ - [armhf] exynos: Fix a leaked reference by adding missing of_node_put
+ - [armhf] power: supply: axp288_charger: Fix unchecked return value
+ - [armhf,arm64] power: supply: axp288_fuel_gauge: Add ACEPC T8 and T11 mini
+ PCs to the blacklist
+ - [arm64] mmap: Ensure file offset is treated as unsigned
+ - [arm64] arch_timer: Ensure counter register reads occur with seqlock held
+ - [arm64] compat: Reduce address limit
+ - [arm64] Clear OSDLR_EL1 on CPU boot
+ - [arm64] Save and restore OSDLR_EL1 across suspend/resume
+ - [x96] sched: Save [ER]FLAGS on context switch
+ - crypto: salsa20 - don't access already-freed walk.iv
+ - crypto: chacha20poly1305 - set cra_name correctly
+ - [x86] crypto: ccp - Do not free psp_master when PLATFORM_INIT fails
+ - [ppc64el] crypto: vmx - fix copy-paste error in CTR mode
+ - crypto: skcipher - don't WARN on unprocessed data after slow walk step
+ - crypto: crct10dif-generic - fix use via crypto_shash_digest()
+ - [x86] crypto: crct10dif-pcl - fix use via crypto_shash_digest()
+ - [arm64] crypto: gcm-aes-ce - fix no-NEON fallback code
+ - crypto: gcm - fix incompatibility between "gcm" and "gcm_base"
+ - [armhf,arm64] crypto: aes-neonbs - don't access already-freed walk.iv
+ - mmc: core: Fix tag set memory leak
+ - ALSA: line6: toneport: Fix broken usage of timer for delayed execution
+ - ALSA: usb-audio: Fix a memory leak bug
+ - ALSA: hda/hdmi - Read the pin sense from register when repolling
+ - ALSA: hda/hdmi - Consider eld_valid when reporting jack event
+ - ALSA: hda/realtek - EAPD turn on later
+ - ALSA: hdea/realtek - Headset fixup for System76 Gazelle (gaze14)
+ - [armhf,arm64] ASoC: max98090: Fix restore of DAPM Muxes
+ - ASoC: codec: hdac_hdmi add device_link to card device
+ - [arm64] bpf: remove prefetch insn in xadd mapping
+ - mm/huge_memory: fix vmf_insert_pfn_{pmd, pud}() crash, handle unaligned
+ addresses
+ - mm/hugetlb.c: don't put_page in lock of hugetlb_lock
+ - hugetlb: use same fault hash key for shared and 
private mappings
+ - ocfs2: fix ocfs2 read inode data panic in ocfs2_iget
+ - userfaultfd: use RCU to free the task struct when fork fails
+ - ACPI: PM: Set enable_for_wake for wakeup GPEs during suspend-to-idle
+ - [arm64] mfd: max77620: Fix swapped FPS_PERIOD_MAX_US values
+ - mtd: spi-nor: intel-spi: Avoid crossing 4K address boundary on read/write
+ - tty: vt.c: Fix TIOCL_BLANKSCREEN console blanking if blankinterval == 0
+ - tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
+ - jbd2: check superblock mapped prior to committing
+ - ext4: make sanity check in mballoc more strict
+ - ext4: ignore e_value_offs for xattrs with value-in-ea-inode
+ - ext4: avoid drop reference to iloc.bh twice
+ - ext4: fix use-after-free race with debug_want_extra_isize
+ - ext4: actually request zeroing of inode table after grow
+ - ext4: fix ext4_show_options for file systems w/o journal
+ - btrfs: Check the first key and level for cached extent buffer
+ - btrfs: Correctly free extent buffer in case
+ btree_read_extent_buffer_pages fails
+ - Btrfs: send, flush dellaloc in order to avoid data loss
+ - Btrfs: do not start a transaction during fiemap
+ - Btrfs: do not start a transaction at iterate_extent_inodes()
+ - bcache: fix a race between cache register and cacheset unregister
+ - bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()
+ - ipmi:ssif: compare block number correctly for multi-part return messages
+ - crypto: ccm - fix incompatibility between "ccm" and "ccm_base"
+ - fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going
+ into workqueue when umount
+ - ext4: fix data corruption caused by overlapping unaligned and aligned IO
+ - ext4: fix use-after-free in dx_release()
+ - ext4: avoid panic during forced reboot due to aborted journal
+ - [x86] ALSA: hda/realtek - Corrected fixup for System76 Gazelle (gaze14)
+ - ALSA: hda/realtek - Fixup headphone noise via runtime suspend
+ - [x86] ALSA: hda/realtek - Fix for Lenovo B50-70 
inverted internal
+ microphone bug
+ - jbd2: fix potential double free
+ - [x86] KVM: Skip EFER vs. guest CPUID checks for host-initiated writes
+ - [x86] KVM: lapic: Busy wait for timer to expire when using hv_timer
+ - xen/pvh: set xen_domain_type to HVM in xen_pvh_init
+ - libnvdimm/namespace: Fix label tracking error
+ - iov_iter: optimize page_copy_sane()
+ - pstore: Centralize init/exit routines
+ - pstore: Allocate compression during late_initcall()
+ - pstore: Refactor compression initialization
+ - ext4: don't update s_rev_level if not required
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.46
+ - ipv6: fix src addr routing with the exception table
+ - ipv6: prevent possible fib6 leaks
+ - net: Always descend into dsa/
+ - net: avoid weird emergency message
+ - net/mlx4_core: Change the error print to info print
+ - net: test nouarg before dereferencing zerocopy pointers
+ - net: usb: qmi_wwan: add Telit 0x1260 and 0x1261 compositions
+ - nfp: flower: add rcu locks when accessing netdev for tunnels
+ - ppp: deflate: Fix possible crash in deflate_init
+ - rtnetlink: always put IFLA_LINK for links with a link-netnsid
+ - tipc: switch order of device registration to fix a crash
+ - vsock/virtio: free packets during the socket release
+ - vsock/virtio: Initialize core virtio vsock before registering the driver
+ - net/mlx5: Imply MLXFW in mlx5_core
+ - net/mlx5e: Fix ethtool rxfh commands when CONFIG_MLX5_EN_RXNFC is disabled
+ - stm class: Fix channel free in stm output free path
+ - stm class: Fix channel bitmap on 32-bit systems
+ - brd: re-enable __GFP_HIGHMEM in brd_insert_page()
+ - proc: prevent changes to overridden credentials
+ - Revert "MD: fix lock contention for flush bios"
+ - md: batch flush requests.
+ - md: add mddev->pers to avoid potential NULL pointer dereference
+ - dcache: sort the freeing-without-RCU-delay mess for good. 
+ - [x86] intel_th: msu: Fix single mode with IOMMU
+ - p54: drop device reference count if fails to enable device
+ - of: fix clang -Wunsequenced for be32_to_cpu()
+ - cifs: fix strcat buffer overflow and reduce raciness in
+ smb21_set_oplock_level()
+ - [armhf] phy: ti-pipe3: fix missing bit-wise or operator when assigning
+ val
+ - NFS4: Fix v4.0 client state corruption when mount
+ - PNFS fallback to MDS if no deviceid found
+ - [arm64] clk: hi3660: Mark clk_gate_ufs_subsys as critical
+ - [armhf,arm64] clk: tegra: Fix PLLM programming on Tegra124+ when PMC
+ overrides divider
+ - [arm64] clk: rockchip: fix wrong clock definitions for rk3328
+ - udlfb: delete the unused parameter for dlfb_handle_damage
+ - udlfb: fix sleeping inside spinlock
+ - udlfb: introduce a rendering mutex
+ - fuse: fix writepages on 32bit
+ - fuse: honor RLIMIT_FSIZE in fuse_file_fallocate
+ - ovl: fix missing upper fs freeze protection on copy up for ioctl
+ - [armhf] iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114
+ - ceph: flush dirty inodes before proceeding with remount
+ - [amd64] Add gap to int3 to allow for call emulation
+ - [amd64] Allow breakpoints to emulate call instructions
+ - [amd64] ftrace: Emulate call function while updating in breakpoint
+ handler
+ - tracing: Fix partial reading of trace event's id file
+ - [armhf,arm64] memory: tegra: Fix integer overflow on tick value
+ calculation
+ - [x86] perf intel-pt: Fix instructions sampling rate
+ - [x86] perf intel-pt: Fix improved sample timestamp
+ - [x86] perf intel-pt: Fix sample timestamp wrt non-taken branches
+ - fbdev/efifb: Ignore framebuffer memmap entries that lack any memory types
+ - PCI: Mark AMD Stoney Radeon R7 GPU ATS as broken
+ - PCI: Mark Atheros AR9462 to avoid bus reset
+ - PCI: Init PCIe feature bits for managed host bridge alloc
+ - PCI/AER: Change pci_aer_init() stub to return void
+ - PCI: Factor out pcie_retrain_link() function
+ - PCI: Work around Pericom PCIe-to-PCI bridge Retrain Link 
erratum
+ - dm cache metadata: Fix loading discard bitset
+ - dm zoned: Fix zone report handling
+ - dm delay: fix a crash when invalid device is specified
+ - dm integrity: correctly calculate the size of metadata area
+ - dm mpath: always free attached_handler_name in parse_path()
+ - fuse: Add FOPEN_STREAM to use stream_open()
+ - xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
+ - xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
+ - vti4: ipip tunnel deregistration fixes.
+ - xfrm: clean up xfrm protocol checks
+ - esp4: add length check for UDP encapsulation
+ - xfrm: Honor original L3 slave device in xfrmi policy lookup
+ - xfrm4: Fix uninitialized memory read in _decode_session4
+ - [armhf,arm64] clk: sunxi-ng: nkmp: Avoid GENMASK(-1, 0)
+ - securityfs: fix use-after-free on symlink traversal
+ - apparmorfs: fix use-after-free on symlink traversal
+ - PCI: Fix issue with "pci=disable_acs_redir" parameter being ignored
+ - [x86] kvm: hyper-v: deal with buggy TLB flush requests from WS2012
+ - mac80211: Fix kernel panic due to use of txq after free
+ - net: ieee802154: fix missing checks for regmap_update_bits
+ - [armhf,arm64] KVM: Ensure vcpu target is unset on reset failure
+ - bpf: Fix preempt_enable_no_resched() abuse
+ - qmi_wwan: new Wistron, ZTE and D-Link devices
+ - iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb()
+ - sched/cpufreq: Fix kobject memleak
+ - [x86] mm/mem_encrypt: Disable all instrumentation for early SME setup
+ - ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
+ - perf bench numa: Add define for RUSAGE_THREAD if not present
+ - [x86] perf/intel: Fix race in intel_pmu_disable_event()
+ - md/raid: raid5 preserve the writeback action after the parity check
+ - driver core: Postpone DMA tear-down until after devres release for probe
+ failure
+ - bpf: relax inode permission check for retrieving bpf program
+ - bpf: add map_lookup_elem_sys_only for lookups from 
syscall side
+ - bpf, lru: avoid messing with eviction heuristics upon syscall lookup
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.47
+ - [x86] Hide the int3_emulate_call/jmp functions from UML
+ - ext4: do not delete unlinked inode from orphan list on failed truncate
+ - ext4: wait for outstanding dio during truncate in nojournal mode
+ - f2fs: Fix use of number of devices
+ - [x86] KVM: fix return value for reserved EFER
+ - bio: fix improper use of smp_mb__before_atomic()
+ - sbitmap: fix improper use of smp_mb__before_atomic()
+ - Revert "scsi: sd: Keep disk read-only when re-reading partition"
+ - [ppc64el] crypto: vmx - CTR: always increment IV as quadword
+ - [arm*] mmc: sdhci-iproc: cygnus: Set NO_HISPD bit to fix HS50 data hold
+ time problem
+ - [arm*] mmc: sdhci-iproc: Set NO_HISPD bit to fix HS50 data hold time
+ problem
+ - [x86] kvm: svm/avic: fix off-by-one in checking host APIC ID
+ - libnvdimm/pmem: Bypass CONFIG_HARDENED_USERCOPY overhead
+ - [arm64] kernel: kaslr: reduce module randomization range to 2 GB
+ - [arm64] iommu: handle non-remapped addresses in ->mmap and ->get_sgtable
+ - gfs2: Fix sign extension bug in gfs2_update_stats
+ - btrfs: don't double unlock on error in btrfs_punch_hole
+ - Btrfs: do not abort transaction at btrfs_update_root() after failure to
+ COW path
+ - Btrfs: avoid fallback to transaction commit during fsync of files with
+ holes
+ - Btrfs: fix race between ranged fsync and writeback of adjacent ranges
+ - btrfs: sysfs: Fix error path kobject memory leak
+ - btrfs: sysfs: don't leak memory when failing add fsid
+ - udlfb: fix some inconsistent NULL checking
+ - fbdev: fix divide error in fb_var_to_videomode
+ - NFSv4.2 fix unnecessary retry in nfs4_copy_file_range
+ - NFSv4.1 fix incorrect return value in copy_file_range
+ - bpf: add bpf_jit_limit knob to restrict unpriv allocations
+ - [arm64] errata: Add workaround for Cortex-A76 erratum #1463225
+ - btrfs: honor path->skip_locking in backref code 
+ - ovl: relax WARN_ON() for overlapping layers use case
+ - fbdev: fix WARNING in __alloc_pages_nodemask bug
+ - media: cpia2: Fix use-after-free in cpia2_exit
+ - media: serial_ir: Fix use-after-free in serial_ir_init_module
+ - media: vb2: add waiting_in_dqbuf flag
+ - media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
+ - ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
+ - bpf: devmap: fix use-after-free Read in __dev_map_entry_free
+ - batman-adv: mcast: fix multicast tt/tvlv worker locking
+ - at76c50x-usb: Don't register led_trigger if usb_register_driver failed
+ - acct_on(): don't mess with freeze protection
+ - gfs2: Fix lru_count going negative
+ - cxgb4: Fix error path in cxgb4_init_module
+ - NFS: make nfs_match_client killable
+ - IB/hfi1: Fix WQ_MEM_RECLAIM warning
+ - gfs2: Fix occasional glock use-after-free
+ - mmc: core: Verify SD bus width
+ - [arm64] dmaengine: tegra210-dma: free dma controller in remove()
+ - net: ena: gcc 8: fix compilation warning
+ - [x86] hv_netvsc: fix race that may miss tx queue wakeup
+ - Bluetooth: Ignore CC events not matching the last HCI command
+ - [x86] ASoC: Intel: kbl_da7219_max98357a: Map BTN_0 to KEY_PLAYPAUSE
+ - [armhf,arm64] usb: dwc2: gadget: Increase descriptors count for ISOC's
+ - [armhf,arm64] usb: dwc3: move synchronize_irq() out of the spinlock
+ protected block
+ - ASoC: hdmi-codec: unlock the device on startup errors
+ - [ppc64el] perf: Return accordingly on invalid chip-id in
+ - [ppc64el] boot: Fix missing check of lseek() return value
+ - [ppc64el] perf: Fix loop exit condition in nest_imc_event_init
+ - [armhf] ASoC: imx: fix fiq dependencies
+ - [amd64] spi: pxa2xx: fix SCR (divisor) calculation
+ - brcm80211: potential NULL dereference in
+ brcmf_cfg80211_vndr_cmds_dcmd_handler()
+ - ACPI / property: fix handling of data_nodes in acpi_get_next_subnode()
+ - drm/nouveau/bar/nv50: ensure BAR is mapped
+ - [armel,armhf] vdso: Remove dependency with the arch_timer 
driver
+ internals
+ - [ppc64el] watchdog: Use hrtimers for per-CPU heartbeat
+ - sched/cpufreq: Fix kobject memleak
+ - scsi: qla2xxx: Fix a qla24xx_enable_msix() error path
+ - scsi: qla2xxx: Fix abort handling in tcm_qla2xxx_write_pending()
+ - scsi: qla2xxx: Avoid that lockdep complains about unsafe locking in
+ tcm_qla2xxx_close_session()
+ - scsi: qla2xxx: Fix hardirq-unsafe locking
+ - [x86] modules: Avoid breaking W^X while loading modules
+ - Btrfs: fix data bytes_may_use underflow with fallocate due to failed
+ quota reserve
+ - btrfs: fix panic during relocation after ENOSPC before writeback happens
+ - btrfs: Don't panic when we can't find a root key
+ - iwlwifi: pcie: don't crash on invalid RX interrupt
+ - scsi: qedi: Abort ep termination if offload not scheduled
+ - [s390x] kexec_file: Fix detection of text segment in ELF loader
+ - sched/nohz: Run NOHZ idle load balancer on HK_FLAG_MISC CPUs
+ - w1: fix the resume command API
+ - [s390x] qeth: address type mismatch warning
+ - [armhf,arm64] dmaengine: pl330: _stop: clear interrupt status
+ - mac80211/cfg80211: update bss channel on channel switch
+ - mwifiex: prevent an array overflow
+ - rsi: Fix NULL pointer dereference in kmalloc
+ - nvme: set 0 capacity if namespace block size exceeds PAGE_SIZE
+ - nvme-rdma: fix a NULL deref when an admin connect times out
+ - [armhf,arm64] crypto: sun4i-ss - Fix invalid calculation of hash end
+ - bcache: avoid potential memleak of list of journal_replay(s) in the
+ CACHE_SYNC branch of run_cache_set
+ - bcache: return error immediately in bch_journal_replay()
+ - bcache: fix failure in journal relplay
+ - bcache: add failure check to run_cache_set() for journal replay
+ - bcache: avoid clang -Wunintialized warning
+ - RDMA/cma: Consider scope_id while binding to ipv6 ll address
+ - vfio-ccw: Do not call flush_workqueue while holding the spinlock
+ - vfio-ccw: Release any channel program when releasing/removing vfio-ccw
+ mdev
+ - [x86] mm: Remove in_nmi() 
warning from 64-bit implementation of
+ vmalloc_fault()
+ - mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC
+ versions
+ - Bluetooth: hci_qca: Give enough time to ROME controller to bootup.
+ - HID: logitech-hidpp: use RAP instead of FAP to get the protocol version
+ - [armhf] pinctrl: samsung: fix leaked of_node references
+ - [armhf] clk: rockchip: undo several noc and special clocks as critical on
+ rk3288
+ - [arm64] perf/arm-cci: Remove broken race mitigation
+ - media: au0828: stop video streaming only when last user stops
+ - audit: fix a memory leak bug
+ - media: au0828: Fix NULL pointer dereference in
+ au0828_analog_stream_enable()
+ - media: pvrusb2: Prevent a buffer overflow
+ - block: fix use-after-free on gendisk
+ - [ppc64el] numa: improve control of topology updates
+ - [ppc64el] Fix booting large kernels with STRICT_KERNEL_RWX
+ - random: fix CRNG initialization when random.trust_cpu=1
+ - random: add a spinlock_t to struct batched_entropy
+ - cgroup: protect cgroup->nr_(dying_)descendants by css_set_lock
+ - sched/core: Check quota and period overflow at usec to nsec conversion
+ - sched/rt: Check integer overflow at usec to nsec conversion
+ - sched/core: Handle overflow in cpu_shares_write_u64
+ - [arm*] staging: vc04_services: handle kzalloc failure
+ - [arm64] drm/msm: a5xx: fix possible object reference leak
+ - irq_work: Do not raise an IPI when queueing work on the local CPU
+ - [x86] thunderbolt: Take domain lock in switch sysfs attribute callbacks
+ - [s390x] qeth: handle error from qeth_update_from_chp_desc()
+ - USB: core: Don't unbind interfaces following device reset failure
+ - [amd64] irq: Limit IST stack overflow check to #DB stack
+ - [armhf] drm: etnaviv: avoid DMA API warning when importing buffers
+ - [armhf,arm64] phy: sun4i-usb: Make sure to disable PHY0 passby for
+ peripheral mode
+ - i40e: Able to add up to 16 MAC filters on an untrusted VF
+ - i40e: don't allow changes to HW VLAN stripping on 
active port VLANs
+ - ACPI/IORT: Reject platform device creation on NUMA node mapping failure
+ - [arm64] vdso: Fix clock_getres() for CLOCK_REALTIME
+ - RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure
+ - [x86] perf/msr: Add Icelake support
+ - [x86] perf/intel/rapl: Add Icelake support
+ - [x86] perf/intel/cstate: Add Icelake support
+ - hwmon: (vt1211) Use request_muxed_region for Super-IO accesses
+ - hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses
+ - hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses
+ - hwmon: (pc87427) Use request_muxed_region for Super-IO accesses
+ - hwmon: (f71805f) Use request_muxed_region for Super-IO accesses
+ - scsi: libsas: Do discovery on empty PHY to update PHY info
+ - mmc: core: make pwrseq_emmc (partially) support sleepy GPIO controllers
+ - [armhf,arm64] mmc_spi: add a status check for spi_sync_locked
+ - drm/amdgpu: fix old fence check in amdgpu_fence_emit
+ - PM / core: Propagate dev->power.wakeup_path when no callbacks
+ - [armhf] clk: rockchip: Fix video codec clocks on rk3288
+ - [armhf] clk: rockchip: Make rkpwm a critical clock on rk3288
+ - [s390x] zcrypt: initialize variables before_use
+ - [x86] microcode: Fix the ancient deprecated microcode loading method
+ - [s390x] mm: silence compiler warning when compiling without CONFIG_PGSTE
+ - [s390x] cio: fix cio_irb declaration
+ - qmi_wwan: Add quirk for Quectel dynamic config
+ - block: sed-opal: fix IOC_OPAL_ENABLE_DISABLE_MBR
+ - rtlwifi: fix a potential NULL pointer dereference
+ - mwifiex: Fix mem leak in mwifiex_tm_cmd
+ - brcmfmac: fix missing checks for kmemdup
+ - b43: shut up clang -Wuninitialized variable warning
+ - brcmfmac: convert dev_init_lock mutex to completion
+ - brcmfmac: fix WARNING during USB disconnect in case of unempty psq
+ - brcmfmac: fix race during disconnect when USB completion is in progress
+ - brcmfmac: fix Oops when bringing up interface during USB disconnect
+ - [arm64] rtc: xgene: fix 
possible race condition
+ - rtlwifi: fix potential NULL pointer dereference
+ - scsi: ufs: Fix regulator load and icc-level configuration
+ - scsi: ufs: Avoid configuring regulator with undefined voltage range
+ - [arm64] cpu_ops: fix a leaked reference by adding missing of_node_put
+ - wil6210: fix return code of wmi_mgmt_tx and wmi_mgmt_tx_ext
+ - [x86] uaccess, signal: Fix AC=1 bloat
+ - [amd64] ia32: Fix ia32_restore_sigcontext() AC leak
+ - [x86] uaccess: Fix up the fixup
+ - chardev: add additional check for minor range overlap
+ - [arm64] RDMA/hns: Fix bad endianess of port_pd variable
+ - HID: core: move Usage Page concatenation to Main item
+ - [armhf] ASoC: eukrea-tlv320: fix a leaked reference by adding missing
+ of_node_put
+ - cxgb3/l2t: Fix undefined behaviour
+ - HID: logitech-hidpp: change low battery level threshold from 31 to 30
+ percent
+ - [armhf] spi: tegra114: reset controller on probe
+ - kobject: Don't trigger kobject_uevent(KOBJ_REMOVE) twice.
+ - [armhf] media: wl128x: prevent two potential buffer overflows
+ - media: gspca: Kill URBs on USB device disconnect
+ - efifb: Omit memory map check on legacy boot
+ - [x86] thunderbolt: property: Fix a missing check of kzalloc
+ - [x86] thunderbolt: Fix to check the return value of kmemdup
+ - timekeeping: Force upper bound for setting CLOCK_REALTIME
+ - scsi: qedf: Add missing return in qedf_post_io_req() in the fcport
+ offload check
+ - virtio_console: initialize vtermno value for ports
+ - tty: ipwireless: fix missing checks for ioremap
+ - overflow: Fix -Wtype-limits compilation warnings
+ - [x86] mce: Fix machine_check_poll() tests for error types
+ - rcutorture: Fix cleanup path for invalid torture_type strings
+ - [x86] mce: Handle varying MCA bank counts
+ - rcuperf: Fix cleanup path for invalid perf_type strings
+ - usb: core: Add PM runtime calls to usb_hcd_platform_shutdown
+ - scsi: qla4xxx: avoid freeing unallocated dma memory
+ - scsi: lpfc: avoid uninitialized variable warning
+ - 
selinux: avoid uninitialized variable warning
+ - batman-adv: allow updating DAT entry timeouts on incoming ARP Replies
+ - dmaengine: tegra210-adma: use devm_clk_*() helpers
+ - [armhf] hwrng: omap - Set default quality
+ - [x86] thunderbolt: Fix to check return value of ida_simple_get
+ - [x86] thunderbolt: Fix to check for kmemdup failure
+ - drm/amd/display: fix releasing planes when exiting odm
+ - [x86] thunderbolt: property: Fix a NULL pointer dereference
+ - e1000e: Disable runtime PM on CNP+
+ - igb: Exclude device from suspend direct complete optimization
+ - media: dvbsky: Avoid leaking dvb frontend
+ - drm/amd/display: Fix Divide by 0 in memory calculations
+ - drm/amd/display: Set stream->mode_changed when connectors change
+ - scsi: ufs: fix a missing check of devm_reset_control_get
+ - media: gspca: do not resubmit URBs when streaming has stopped
+ - media: go7007: avoid clang frame overflow warning with KASAN
+ - scsi: lpfc: Fix FDMI manufacturer attribute value
+ - scsi: lpfc: Fix fc4type information for FDMI
+ - media: saa7146: avoid high stack usage with clang
+ - scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices
+ - [i386] spi : spi-topcliff-pch: Fix to handle empty DMA buffers
+ - [armhf] drm/omap: dsi: Fix PM for display blank with paired dss_pll calls
+ - [armhf] spi: imx: stop buffer overflow in RX FIFO flush
+ - spi: Fix zero length xfer bug
+ - [armhf] ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM
+ - drm/drv: Hold ref on parent device during drm_device lifetime
+ - drm: Wake up next in drm_read() chain if we are forced to putback the
+ event
+ - [s390x] vfio-ccw: Prevent quiesce function going into an infinite loop
+ - NFS: Fix a double unlock from nfs_match,get_client
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.48
+ - bonding/802.3ad: fix slave link initialization transition states
+ - cxgb4: offload VLAN flows regardless of VLAN ethtype
+ - ipv4/igmp: fix another memory leak in igmpv3_del_delrec()
+ 
- ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST
+ - ipv6: Consider sk_bound_dev_if when binding a raw socket to an address
+ - ipv6: Fix redirect with VRF
+ - llc: fix skb leak in llc_build_and_send_ui_pkt()
+ - [armhf,arm64] net: dsa: mv88e6xxx: fix handling of upper half of
+ STATS_TYPE_PORT
+ - net-gro: fix use-after-free read in napi_gro_frags()
+ - [armhf,arm64] net: mvneta: Fix err code path of probe
+ - [armhf,arm64] net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue
+ value
+ - net: phy: marvell10g: report if the PHY fails to boot firmware
+ - net: sched: don't use tc_action->order during action dump
+ - [armhf,arm64] net: stmmac: fix reset gpio free missing
+ - usbnet: fix kernel crash after disconnect
+ - net/mlx5: Avoid double free in fs init error unwinding path
+ - tipc: Avoid copying bytes beyond the supplied data
+ - net/mlx5: Allocate root ns memory using kzalloc to match kfree
+ - net/mlx5e: Disable rxhash when CQE compress is enabled
+ - [armhf,arm64] net: stmmac: dma channel control register need to be init
+ first
+ - bnxt_en: Fix aggregation buffer leak under OOM condition. 
+ - [ppc64el] crypto: vmx - ghash: do nosimd fallback manually
+ - include/linux/compiler*.h: define asm_volatile_goto
+ - compiler.h: give up __compiletime_assert_fallback()
+ - jump_label: move 'asm goto' support test to Kconfig
+ - tipc: fix modprobe tipc failed after switch order of device registration
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.49
+ - include/linux/bitops.h: sanitize rotate primitives
+ - xhci: update bounce buffer with correct sg num
+ - xhci: Use %zu for printing size_t type
+ - xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()
+ - usb: xhci: avoid null pointer deref when bos field is NULL
+ - usbip: usbip_host: fix BUG: sleeping function called from invalid context
+ - usbip: usbip_host: fix stub_dev lock context imbalance regression
+ - USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
+ - USB: sisusbvga: fix oops in error path of sisusb_probe
+ - USB: Add LPM quirk for Surface Dock GigE adapter
+ - USB: rio500: refuse more than one device at a time
+ - USB: rio500: fix memory leak in close after disconnect
+ - media: usb: siano: Fix general protection fault in smsusb
+ - media: usb: siano: Fix false-positive "uninitialized variable" warning
+ - media: smsusb: better handle optional alignment
+ - brcmfmac: fix NULL pointer derefence during USB disconnect
+ - [s390x] scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from
+ port_remove
+ - [s390x] scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs
+ (only sdevs)
+ - tracing: Avoid memory leak in predicate_parse()
+ - Btrfs: fix wrong ctime and mtime of a directory after log replay
+ - Btrfs: fix race updating log root item during fsync
+ - Btrfs: fix fsync not persisting changed attributes of a directory
+ - Btrfs: incremental send, fix file corruption when no-holes feature is
+ enabled
+ - [s390x] crypto: fix gcm-aes-s390 selftest failures
+ - [s390x] crypto: fix possible sleep during spinlock aquired
+ - [ppc64el] KVM: Book3S 
HV: XIVE: Do not clear IRQ data of passthrough
+ interrupts
+ - [ppc64el] perf: Fix MMCRA corruption by bhrb_filter
+ - ALSA: line6: Assure canceling delayed work at disconnection
+ - ALSA: hda/realtek - Set default power save node to 0
+ - [s390x] KVM: Do not report unusabled IDs via KVM_CAP_MAX_VCPU_ID
+ - drm/nouveau/i2c: Disable i2c bus access after ->fini()
+ - [arm64] tty: serial: msm_serial: Fix XON/XOFF
+ - memcg: make it work on sparse non-0-node systems
+ - kernel/signal.c: trace_signal_deliver when signal_group_exit
+ - [arm64] Fix the arm64_personality() syscall wrapper redirection
+ - vt/fbcon: deinitialize resources in visual_init() after failed memory
+ allocation
+ - [arm*] staging: vc04_services: prevent integer overflow in
+ create_pagelist()
+ - [x86] staging: wlan-ng: fix adapter initialization failure
+ - cifs: fix memory leak of pneg_inbuf on -EOPNOTSUPP ioctl case
+ - CIFS: cifs_read_allocate_pages: don't iterate through whole page array on
+ ENOMEM
+ - Revert "lockd: Show pid of lockd for remote locks"
+ - [armhf,arm64] drm/tegra: gem: Fix CPU-cache maintenance for BO's
+ allocated using get_pages()
+ - [x86] drm/vmwgfx: Don't send drm sysfs hotplug events on initial master
+ set
+ - [armhf,arm64] drm/sun4i: Fix sun8i HDMI PHY clock initialization
+ - [armhf,arm64] drm/sun4i: Fix sun8i HDMI PHY configuration for > 148.5 MHz
+ - [armhf,arm64] drm/rockchip: shutdown drm subsystem on shutdown
+ - drm/lease: Make sure implicit planes are leased
+ - [x86] ftrace: Do not call function graph from dynamic trampolines
+ - [x86] ftrace: Set trampoline pages as executable
+ - [x86] kprobes: Set instruction page as executable
+ - scsi: lpfc: Fix backport of faf5a744f4f8 ("scsi: lpfc: avoid
+ uninitialized variable warning")
+ - media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.50
+ - ethtool: fix potential userspace buffer overflow
+ - Fix memory leak in sctp_process_init
+ - ipv4: 
not do cache for local delivery if bc_forwarding is enabled
+ - ipv6: fix the check before getting the cookie in rt6_get_cookie
+ - neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit
+ - [armhf] net: ethernet: ti: cpsw_ethtool: fix ethtool ring param set
+ - net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query
+ - [armhf,arm64] net: mvpp2: Use strscpy to handle stat strings
+ - net: rds: fix memory leak in rds_ib_flush_mr_pool
+ - net: sfp: read eeprom in maximum 16 byte increments
+ - packet: unconditionally free po->rollover
+ - pktgen: do not sleep with the thread lock held.
+ - ipv6: use READ_ONCE() for inet->hdrincl as in ipv4
+ - ipv6: fix EFAULT on sendto with icmpv6 and hdrincl
+ - rcu: locking and unlocking need to always be at least barriers
+ - NFSv4.1: Again fix a race where CB_NOTIFY_LOCK fails to wake a waiter
+ - NFSv4.1: Fix bug only first CB_NOTIFY_LOCK is handled
+ - fuse: fallocate: fix return with locked inode
+ - pstore: Remove needless lock during console writes
+ - pstore: Convert buf_lock to semaphore
+ - pstore: Set tfm to NULL on free_buf_for_compression
+ - pstore/ram: Run without kernel crash dump region
+ - [x86] power: Fix 'nosmt' vs hibernation triple fault during resume
+ - [s390x] mm: fix address space detection in exception handling
+ - xen-blkfront: switch kcalloc to kvcalloc for large array allocation
+ - [ppc64el] genwqe: Prevent an integer overflow in the ioctl
+ - test_firmware: Use correct snprintf() limit
+ - [x86] drm/gma500/cdv: Check vbt config bits when detecting lvds panels
+ - [arm64] drm/msm: fix fb references in async update
+ - drm: add non-desktop quirk for Valve HMDs
+ - drm: add non-desktop quirks to Sensics and OSVR headsets.
+ - drm/amdgpu/psp: move psp version specific function pointers to early_init
+ - drm/radeon: prefer lower reference dividers
+ - drm/amdgpu: remove ATPX_DGPU_REQ_POWER_FOR_DISPLAYS check when hotplug-in
+ - [x86] drm/i915: Fix I915_EXEC_RING_MASK
+ - [x86] drm/i915/fbc: disable framebuffer compression on GeminiLake
+ - [x86] drm/i915: Maintain consistent documentation subsection ordering
+ - drm: don't block fb changes for async plane updates
+ - [x86] drm/i915/gvt: Initialize intel_gvt_gtt_entry in stack
+ - TTY: serial_core, add ->install
+ - ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled
+ - ethtool: check the return value of get_regs_len
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.51
+ - fs/fat/file.c: issue flush after the writeback of FAT
+ - sysctl: return -EINVAL if val violates minmax
+ - ipc: prevent lockup on alloc_msg and free_msg
+ - [armhf] prevent tracing IPI_CPU_BACKTRACE
+ - hugetlbfs: on restore reserve error path retain subpool reservation
+ - mem-hotplug: fix node spanned pages when we have a node with only
+ ZONE_MOVABLE
+ - mm/cma.c: fix crash on CMA allocation if bitmap allocation fails
+ - initramfs: free initrd memory if opening /initrd.image fails
+ - mm/cma.c: fix the bitmap status to show failed allocation reason
+ - mm: page_mkclean vs MADV_DONTNEED race
+ - mm/cma_debug.c: fix the break condition in cma_maxchunk_get()
+ - mm/slab.c: fix an infinite loop in leaks_show()
+ - kernel/sys.c: prctl: fix false positive in validate_prctl_map()
+ - drivers: thermal: tsens: Don't print error message on -EPROBE_DEFER
+ - [x86] mfd: intel-lpss: Set the device in reset state when init
+ - drm/nouveau/disp/dp: respect sink limits when selecting failsafe link
+ configuration
+ - [armhf] mfd: twl6040: Fix device init errors for ACCCTL register
+ - [x86] perf/intel: Allow PEBS multi-entry in watermark mode
+ - drm/nouveau/kms/gf119-gp10x: push HeadSetControlOutputResource() mthd
+ when encoders change
+ - [arm64]
drm/bridge: adv7511: Fix low refresh rate selection
+ - objtool: Don't use ignore flag for fake jumps
+ - drm/nouveau/kms/gv100-: fix spurious window immediate interlocks
+ - bpf: fix undefined behavior in narrow load handling
+ - [arm64] pwm: meson: Use the spin-lock only to protect register
+ modifications
+ - ntp: Allow TAI-UTC offset to be set to zero
+ - f2fs: fix to avoid panic in do_recover_data()
+ - f2fs: fix to avoid panic in f2fs_inplace_write_data()
+ - f2fs: fix to avoid panic in f2fs_remove_inode_page()
+ - f2fs: fix to do sanity check on free nid
+ - f2fs: fix to clear dirty inode in error path of f2fs_iget()
+ - f2fs: fix to avoid panic in dec_valid_block_count()
+ - f2fs: fix to use inline space only if inline_xattr is enable
+ - f2fs: fix to do sanity check on valid block count of segment
+ - f2fs: fix to do checksum even if inode page is uptodate
+ - percpu: remove spurious lock dependency between percpu and sched
+ - configfs: fix possible use-after-free in configfs_register_group
+ - [armhf,arm64] PCI: dwc: Free MSI in dw_pcie_host_init() error path
+ - [armhf,arm64] PCI: dwc: Free MSI IRQ page in dw_pcie_free_msi()
+ - ovl: do not generate duplicate fsnotify events for "fake" path
+ - mmc: mmci: Prevent polling for busy detection in IRQ context
+ - netfilter: nf_flow_table: fix missing error check for
+ rhashtable_insert_fast
+ - netfilter: nf_conntrack_h323: restore boundary check correctness
+ - [mips*] Make sure dt memory regions are valid
+ - netfilter: nf_tables: fix base chain stat rcu_dereference usage
+ - [armhf] watchdog: imx2_wdt: Fix set_timeout for big timeout values
+ - watchdog: fix compile time error of pretimeout governors
+ - blk-mq: move cancel of requeue_work into blk_mq_release
+ - [x86] iommu/vt-d: Set intel_iommu_gfx_mapped correctly
+ - nvme-pci: unquiesce admin queue on shutdown
+ - nvme-pci: shutdown on timeout during deletion
+ - netfilter: nf_flow_table: check ttl value in flow offload data path
+ - netfilter:
nf_flow_table: fix netdev refcnt leak
+ - ALSA: hda - Register irq handler after the chip initialization
+ - nvmem: core: fix read buffer in place
+ - [armhf,arm64] nvmem: sunxi_sid: Support SID on A83T and H5
+ - fuse: retrieve: cap requested size to negotiated max_write
+ - nfsd: allow fh_want_write to be called twice
+ - nfsd: avoid uninitialized variable warning
+ - vfio: Fix WARNING "do not call blocking ops when !TASK_RUNNING"
+ - [armhf,arm64] iommu/arm-smmu-v3: Don't disable SMMU in kdump kernel
+ - [x86] net: thunderbolt: Unregister ThunderboltIP protocol handler when
+ suspending
+ - [x86] PCI: Fix PCI IRQ routing table memory leak
+ - i40e: Queues are reserved despite "Invalid argument" error
+ - platform/chrome: cros_ec_proto: check for NULL transfer function
+ - [armhf] clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288
+ - [armhf] soc: rockchip: Set the proper PWM for rk3288
+ - [armhf] dts: imx51: Specify IMX5_CLK_IPG as "ahb" clock to SDMA
+ - [armhf] dts: imx50: Specify IMX5_CLK_IPG as "ahb" clock to SDMA
+ - [armhf] dts: imx53: Specify IMX5_CLK_IPG as "ahb" clock to SDMA
+ - [armhf] dts: imx6sx: Specify IMX6SX_CLK_IPG as "ahb" clock to SDMA
+ - [armhf] dts: imx6sll: Specify IMX6SLL_CLK_IPG as "ipg" clock to SDMA
+ - [armhf] dts: imx6ul: Specify IMX6UL_CLK_IPG as "ipg" clock to SDMA
+ - [armhf] dts: imx6sx: Specify IMX6SX_CLK_IPG as "ipg" clock to SDMA
+ - [armhf] dts: imx6qdl: Specify IMX6QDL_CLK_IPG as "ipg" clock to SDMA
+ - [ppc64el] PCI: rpadlpar: Fix leaked device_node references in add/remove
+ paths
+ - drm/amd/display: Use plane->color_space for dpp if specified
+ - [armhf] OMAP2+: pm33xx-core: Do not Turn OFF CEFUSE as PPA may be using
+ it
+ - [x86] platform: intel_pmc_ipc: adding error handling
+ - [arm64] net: hns3: return 0 and print warning when hit duplicate MAC
+ - scsi: qla2xxx: Reset the FCF_ASYNC_{SENT|ACTIVE} flags
+ - [x86] video: hgafb: fix potential NULL pointer dereference
+ - block, bfq: increase idling for
weight-raised queues
+ - [arm64] PCI: xilinx: Check for __get_free_pages() failure
+ - ice: Add missing case in print_link_msg for printing flow control
+ - [x86] dmaengine: idma64: Use actual device for DMA transfers
+ - [armhf] pwm: tiehrpwm: Update shadow register for disabling PWMs
+ - [armhf] dts: exynos: Always enable necessary APIO_1V8 and ABB_1V8
+ regulators on Arndale Octa
+ - pwm: Fix deadlock warning when removing PWM device
+ - [armhf] exynos: Fix undefined instruction during Exynos5422 resume
+ - [x86] usb: typec: fusb302: Check vconn is off when we start toggling
+ - soc: renesas: Identify R-Car M3-W ES1.3
+ - percpu: do not search past bitmap when allocating an area
+ - ovl: check the capability before cred overridden
+ - ovl: support stacked SEEK_HOLE/SEEK_DATA
+ - [arm*] drm/vc4: fix fb references in async update
+ - ALSA: seq: Cover unsubscribe_port() in list_mutex
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.52
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.53
+ - drm/nouveau: add kconfig option to turn off nouveau legacy contexts.
(v3)
+ - nouveau: Fix build with CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT disabled
+ - HID: multitouch: handle faulty Elo touch device
+ - HID: wacom: Don't set tool type until we're in range
+ - HID: wacom: Don't report anything prior to the tool entering range
+ - HID: wacom: Send BTN_TOUCH in response to INTUOSP2_BT eraser contact
+ - HID: wacom: Correct button numbering 2nd-gen Intuos Pro over Bluetooth
+ - HID: wacom: Sync INTUOSP2_BT touch state after each frame if necessary
+ - ALSA: oxfw: allow PCM capture for Stanton SCS.1m
+ - ALSA: hda/realtek - Update headset mode for ALC256
+ - ALSA: firewire-motu: fix destruction of data for isochronous resources
+ - libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk
+ - mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node
+ - fs/ocfs2: fix race in ocfs2_dentry_attach_lock()
+ - mm/vmscan.c: fix trying to reclaim unevictable LRU page
+ - signal/ptrace: Don't leak unitialized kernel memory with
+ PTRACE_PEEK_SIGINFO
+ - ptrace: restore smp_rmb() in __ptrace_may_access()
+ - [armhf,arm64] iommu/arm-smmu: Avoid constant zero in TLBI writes
+ - bcache: fix stack corruption by PRECEDING_KEY()
+ - bcache: only set BCACHE_DEV_WB_RUNNING when cached device attached
+ - cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css()
+ - [x86] drm/i915/sdvo: Implement proper HDMI audio support for SDVO
+ - ALSA: seq: Fix race of get-subscription call vs port-delete ioctls
+ - Drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var
+ - f2fs: fix to avoid accessing xattr across the boundary
+ - scsi: qedi: remove memset/memcpy to nfunc and use func instead
+ (CVE-2019-15090)
+ - scsi: qedi: remove set but not used variables 'cdev' and 'udev'
+ - scsi: lpfc: correct rcu unlock issue in lpfc_nvme_info_show
+ - scsi: lpfc: add check for loss of ndlp when sending RRQ
+ - [arm64] mm: Inhibit huge-vmap with ptdump
+ - nvme: fix srcu locking on error return in nvme_get_ns_from_disk
+ - nvme:
remove the ifdef around nvme_nvm_ioctl
+ - nvme: merge nvme_ns_ioctl into nvme_ioctl
+ - nvme: release namespace SRCU protection before performing controller
+ ioctls
+ - nvme: fix memory leak for power latency tolerance
+ - [x86] platform: pmc_atom: Add Lex 3I380D industrial PC to critclk_systems
+ DMI table
+ - [x86] platform: pmc_atom: Add several Beckhoff Automation boards to
+ critclk_systems DMI table
+ - scsi: bnx2fc: fix incorrect cast to u64 on shift operation
+ - libnvdimm: Fix compilation warnings with W=1
+ - tracing: Prevent hist_field_var_ref() from accessing NULL tracing_map_elts
+ - usbnet: ipheth: fix racing condition
+ - [armhf,arm64] KVM: Move cc/it checks under hyp's Makefile to avoid
+ instrumentation
+ - [x86] KVM: pmu: mask the result of rdpmc according to the width of the
+ counters
+ - [x86] KVM: pmu: do not mask the value that is written to fixed PMUs
+ - [s390x] KVM: fix memory slot handling for KVM_SET_USER_MEMORY_REGION
+ - [x86] drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to
+ an invalid read
+ - [x86] drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()
+ - [armhf,arm64] usb: dwc2: Fix DMA cache alignment issues
+ - [armhf,arm64] usb: dwc2: host: Fix wMaxPacketSize handling (fix webcam
+ regression)
+ - USB: Fix chipmunk-like voice when using Logitech C270 for recording
+ audio.
+ - USB: usb-storage: Add new ID to ums-realtek
+ - USB: serial: pl2303: add Allied Telesis VT-Kit3
+ - USB: serial: option: add support for Simcom SIM7500/SIM7600 RNDIS mode
+ - USB: serial: option: add Telit 0x1260 and 0x1261 compositions
+ - timekeeping: Repair ktime_get_coarse*() granularity
+ - [x86] microcode, cpuhotplug: Add a microcode loader CPU hotplug callback
+ - [x86] mm/KASLR: Compute the size of the vmemmap section properly
+ - [x86] resctrl: Prevent NULL pointer dereference when local MBM is disabled
+ - drm/edid: abstract override/firmware EDID retrieval
+ - drm: add fallback override/firmware EDID modes workaround
+ - [armhf] rtc: pcf8523: don't return invalid date when battery is low
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.54
+ - ax25: fix inconsistent lock state in ax25_destroy_timer
+ - be2net: Fix number of Rx queues used for flow hashing
+ - [x86] hv_netvsc: Set probe mode to sync
+ - ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero
+ - lapb: fixed leak of control-blocks.
+ - neigh: fix use-after-free read in pneigh_get_next
+ - net: openvswitch: do not free vport if register_netdevice() is failed.
+ - sctp: Free cookie before we memdup a new one
+ - tipc: purge deferredq list for each grp member in tipc_group_delete
+ - vsock/virtio: set SOCK_DONE on peer shutdown
+ - net/mlx5: Avoid reloading already removed devices
+ - [armhf,arm64] net: mvpp2: prs: Fix parser range for VID filtering
+ - [armhf,arm64] net: mvpp2: prs: Use the correct helpers when removing all
+ VID filters
+ - [arm*] Staging: vc04_services: Fix a couple error codes
+ - [x86] perf/intel/ds: Fix EVENT vs.
UEVENT PEBS constraints
+ - netfilter: nf_queue: fix reinject verdict handling
+ - ipvs: Fix use-after-free in ip_vs_in
+ - [armhf] clk: ti: clkctrl: Fix clkdm_clk handling
+ - [ppc64el] powernv: Return for invalid IMC domain
+ - usb: xhci: Fix a potential null pointer dereference in
+ xhci_debugfs_create_endpoint()
+ - mISDN: make sure device name is NUL terminated
+ - [x86] CPU/AMD: Don't force the CPB cap when running under a hypervisor
+ - perf/ring_buffer: Fix exposing a temporarily decreased data_head
+ - perf/ring_buffer: Add ordering to rb->nest increment
+ - perf/ring-buffer: Always use {READ,WRITE}_ONCE() for rb->user_page data
+ - [armhf,arm64] net: stmmac: update rx tail pointer register to fix rx dma
+ hang issue.
+ - ACPI/PCI: PM: Add missing wakeup.flags.valid checks
+ - [armhf] drm/etnaviv: lock MMU while dumping core
+ - net: aquantia: tx clean budget logic error
+ - net: aquantia: fix LRO with FCS error
+ - i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr
+ - ALSA: hda - Force polling mode on CNL for fixing codec communication
+ - configfs: Fix use-after-free when accessing sd->s_dentry
+ - perf data: Fix 'strncat may truncate' build failure with recent gcc
+ - perf namespace: Protect reading thread's namespace
+ - [s390x] perf record: Fix s390 missing module symbol and warning for
+ non-root users
+ - xenbus: Avoid deadlock during suspend due to open transactions
+ - [ppc64el] KVM: Book3S: Use new mutex to synchronize access to rtas token
+ list
+ - [ppc64el] KVM: Book3S HV: Don't take kvm->lock around kvm_for_each_vcpu
+ - [arm64] fix syscall_fn_t type
+ - [arm64] use the correct function type in SYSCALL_DEFINE0
+ - [arm64] use the correct function type for __arm64_sys_ni_syscall
+ - net: phylink: ensure consistent phy interface mode
+ - net: phy: dp83867: Set up RGMII TX delay
+ - scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route()
+ - scsi: smartpqi: properly set both the DMA mask and the coherent DMA mask
+ - scsi:
scsi_dh_alua: Fix possible null-ptr-deref
+ - scsi: libsas: delete sas port if expander discover failed
+ - ocfs2: fix error path kobject memory leak
+ - coredump: fix race condition between collapse_huge_page() and core dumping
+ - Abort file_remove_privs() for non-reg. files
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.55
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.56
+ - tracing: Silence GCC 9 array bounds warning
+ - objtool: Support per-function rodata sections
+ - ovl: support the FS_IOC_FS[SG]ETXATTR ioctls
+ - ovl: fix wrong flags check in FS_IOC_FS[SG]ETXATTR ioctls
+ - ovl: make i_ino consistent with st_ino in more cases
+ - ovl: detect overlapping layers
+ - ovl: don't fail with disconnected lower NFS
+ - ovl: fix bogus -Wmaybe-unitialized warning
+ - [s390x] jump_label: Use "jdd" constraint on gcc9
+ - [s390x] ap: rework assembler functions to use unions for in/out register
+ variables
+ - mmc: sdhci: sdhci-pci-o2micro: Correctly set bus width when tuning
+ - mmc: core: API to temporarily disable retuning for SDIO CRC errors
+ - mmc: core: Add sdio_retune_hold_now() and sdio_retune_release()
+ - mmc: core: Prevent processing SDIO IRQs when the card is suspended
+ - scsi: ufs: Avoid runtime suspend possibly being blocked forever
+ - [armhf,arm64] usb: chipidea: udc: workaround for endpoint conflict issue
+ - xhci: detect USB 3.2 capable host controllers correctly
+ - usb: xhci: Don't try to recover an endpoint if port is in error state.
+ - IB/hfi1: Validate fault injection opcode user input
+ - IB/hfi1: Silence txreq allocation warnings
+ - [x86] Input: synaptics - enable SMBus on ThinkPad E480 and E580
+ - Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
+ - [x86] Input: silead - add MSSL0017 to acpi_device_id
+ - apparmor: fix PROFILE_MEDIATES for untrusted input
+ - apparmor: enforce nullbyte at end of tag string
+ - brcmfmac: sdio: Disable auto-tuning around commands expected to fail
+ - brcmfmac: sdio: Don't tune while the card is off
+ - parport: Fix mem leak in parport_register_dev_model
+ - IB/rdmavt: Fix alloc_qpn() WARN_ON()
+ - IB/hfi1: Insure freeze_work work_struct is canceled on shutdown
+ - IB/{qib, hfi1, rdmavt}: Correct ibv_devinfo max_mr value
+ - IB/hfi1: Validate page aligned for a given virtual address
+ - [mips*] uprobes: remove set but not used variable 'epc'
+ - [armhf,arm64] net: dsa: mv88e6xxx: avoid error message on remove from
+ VLAN 0
+ - [arm64] net: hns: Fix loopback test failed at copper ports
+ - mdesc: fix a missing-check bug in get_vdev_port_node_info()
+ - [arm64] drm/arm/mali-dp: Add a loop around the second set CVAL and try 5
+ times
+ - [arm64] drm/arm/hdlcd: Actually validate CRTC modes
+ - [arm64] drm/arm/hdlcd: Allow a bit of clock tolerance
+ - nvmet: fix data_len to 0 for bdev-backed write_zeroes
+ - scsi: ufs: Check that space was properly alloced in copy_query_response
+ - scsi: smartpqi: unlock on error in pqi_submit_raid_request_synchronous()
+ - net: ipvlan: Fix ipvlan device tso disabled while NETIF_F_IP_CSUM is set
+ - [s390x] qeth: fix VLAN attribute in bridge_hostnotify udev event
+ - hwmon: (core) add thermal sensors only if dev->of_node is present
+ - hwmon: (pmbus/core) Treat parameters as paged if on multiple pages
+ - nvme: Fix u32 overflow in the number of namespace list calculation
+ - btrfs: start readahead also in seed devices
+ - [armhf] can: flexcan: fix timeout when set small bitrate
+ - can: purge socket error
queue on sock destruct
+ - [ppc64el] bpf: use unsigned division instruction for 64-bit operations
+ - [armhf] imx: cpuidle-imx6sx: Restrict the SW2ISO increase to i.MX6SX
+ - [armhf] dts: dra76x: Update MMC2_HS200_MANUAL1 iodelay values
+ - [armhf] dts: am57xx-idk: Remove support for voltage switching for SD card
+ - [arm64] sve: should not depend on
+
+ - [arm64] ssbd: explicitly depend on
+ - [x86] drm/vmwgfx: Use the backdoor port if the HB port is not available
+ - Bluetooth: Align minimum encryption key size for LE and BR/EDR
+ connections (CVE-2019-9506)
+ - Bluetooth: Fix regression with minimum encryption key size alignment
+ - SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write
+ - cfg80211: fix memory leak of wiphy device name
+ - mac80211: drop robust management frames from unknown TA
+ - {nl,mac}80211: allow 4addr AP operation on crypto controlled devices
+ - mac80211: handle deauthentication/disassociation from TDLS peer
+ - nl80211: fix station_info pertid memory leak
+ - mac80211: Do not use stack memory with scatterlist for GMAC
+ - [x86] resctrl: Don't stop walking closids when a locksetup group is found
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.57
+ - perf ui helpline: Use strlcpy() as a shorter form of strncpy() + explicit
+ set nul
+ - perf help: Remove needless use of strncpy()
+ - perf header: Fix unchecked usage of strncpy()
+ - [arm64] Don't unconditionally add -Wno-psabi to KBUILD_CFLAGS
+ - IB/hfi1: Close PSM sdma_progress sleep window
+ - 9p/xen: fix check for xenbus_read error in front_probe
+ - 9p: Use a slab for allocating requests
+ - 9p: embed fcall in req to round down buffer allocs
+ - 9p: add a per-client fcall kmem_cache
+ - 9p: rename p9_free_req() function
+ - 9p: Add refcount to p9_req_t
+ - 9p/rdma: do not disconnect on down_interruptible EAGAIN
+ - 9p: Rename req to rreq in trans_fd
+ - 9p: acl: fix uninitialized iattr access
+ - 9p/rdma: remove useless check in cm_event_handler
+ - 9p:
p9dirent_read: check network-provided name length
+ - 9p: potential NULL dereference
+ - 9p/trans_fd: abort p9_read_work if req status changed
+ - 9p/trans_fd: put worker reqs on destroy
+ - net/9p: include trans_common.h to fix missing prototype warning.
+ - qmi_wwan: Fix out-of-bounds read
+ - [armhf,arm64] Revert "usb: dwc3: gadget: Clear req->needs_extra_trb flag
+ on cleanup"
+ - [armhf,arm64] usb: dwc3: gadget: combine unaligned and zero flags
+ - [armhf,arm64] usb: dwc3: gadget: track number of TRBs per request
+ - [armhf,arm64] usb: dwc3: gadget: use num_trbs when skipping TRBs on
+ ->dequeue()
+ - [armhf,arm64] usb: dwc3: gadget: extract dwc3_gadget_ep_skip_trbs()
+ - [armhf,arm64] usb: dwc3: gadget: introduce cancelled_list
+ - [armhf,arm64] usb: dwc3: gadget: move requests to cancelled_list
+ - [armhf,arm64] usb: dwc3: gadget: remove wait_end_transfer
+ - [armhf,arm64] usb: dwc3: gadget: Clear req->needs_extra_trb flag on
+ cleanup
+ - fs/proc/array.c: allow reporting eip/esp for all coredumping threads
+ - mm/mempolicy.c: fix an incorrect rebind node in mpol_rebind_nodemask
+ - fs/binfmt_flat.c: make load_flat_shared_library() work
+ - [armhf] clk: socfpga: stratix10: fix divider entry for the emac clocks
+ - mm: soft-offline: return -EBUSY if set_hwpoison_free_buddy_page() fails
+ - mm: hugetlb: soft-offline: dissolve_free_huge_page() return zero on
+ !PageHuge
+ - mm/page_idle.c: fix oops because end_pfn is larger than max_pfn
+ - dm log writes: make sure super sector log updates are written in order
+ - [x86] scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck()
+ - [x86] speculation: Allow guests to use SSBD even if host does not
+ - [x86] microcode: Fix the microcode load on CPU hotplug for real
+ - [x86] resctrl: Prevent possible overrun during bitmap operations
+ - [x86] KVM: mmu: Allocate PAE root array when using SVM's 32-bit NPT
+ - NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O
+ - cpu/speculation: Warn on unsupported
mitigations= parameter
+ - SUNRPC: Clean up initialisation of the struct rpc_rqst
+ - [mips*] irqchip/mips-gic: Use the correct local interrupt map registers
+ - eeprom: at24: fix unexpected timeout under high load
+ - af_packet: Block execution of tasks waiting for transmit to complete in
+ AF_PACKET
+ - bonding: Always enable vlan tx offload
+ - ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while
+ loop
+ - net/packet: fix memory leak in packet_set_ring()
+ - net: remove duplicate fetch in sock_getsockopt
+ - [armhf,arm64] net: stmmac: fixed new system time seconds value
+ calculation
+ - [armhf,arm64] net: stmmac: set IC bit when transmitting frames with HW
+ timestamp
+ - sctp: change to hold sk after auth shkey is created successfully
+ - team: Always enable vlan tx offload
+ - tipc: change to use register_pernet_device
+ - tipc: check msg->req data len in tipc_nl_compat_bearer_disable
+ - tun: wake up waitqueues after IFF_UP is set
+ - bpf: simplify definition of BPF_FIB_LOOKUP related flags
+ - bpf: lpm_trie: check left child of last leftmost node for NULL
+ - bpf: fix nested bpf tracepoints with per-cpu data
+ - bpf: fix unconnected udp hooks
+ - bpf: udp: Avoid calling reuseport's bpf_prog from udp_gro
+ - bpf: udp: ipv6: Avoid running reuseport's bpf_prog from __udp6_lib_err
+ - [arm64] futex: Avoid copying out uninitialised stack in failed cmpxchg()
+ - [arm64] bpf: use more scalable stadd over ldxr / stxr loop in xadd
+ - futex: Update comments and docs about return values of arch futex code
+ - RDMA: Directly cast the sockaddr union to sockaddr
+ - tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb
+ - [armhf,arm64] usb: dwc3: Reset num_trbs after skipping
+ - [arm64] insn: Fix ldadd instruction encoding
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.58
+ - Bluetooth: Fix faulty expression for minimum encryption key size check
+ - block: Fix a NULL pointer dereference in generic_make_request()
+ - md/raid0: Do not
bypass blocking queue entered for raid0 bios
+ - netfilter: nf_flow_table: ignore DF bit setting
+ - netfilter: nft_flow_offload: set liberal tracking mode for tcp
+ - netfilter: nft_flow_offload: don't offload when sequence numbers need
+ adjustment
+ - netfilter: nft_flow_offload: IPCB is only valid for ipv4 family
+ - ASoC: soc-pcm: BE dai needs prepare when pause release after resume
+ - spi: bitbang: Fix NULL pointer dereference in spi_unregister_master
+ - [armhf,arm64] ASoC: max98090: remove 24-bit format support if RJ is 0
+ - [x86] CPU: Add more Icelake model numbers
+ - ALSA: hdac: fix memory release for SST and SOF drivers
+ - scsi: hpsa: correct ioaccel2 chaining
+ - [x86] drm: panel-orientation-quirks: Add quirk for GPD pocket2
+ - [x86] drm: panel-orientation-quirks: Add quirk for GPD MicroPC
+ - [x86] platform: asus-wmi: Only Tell EC the OS will handle display hotkeys
+ from asus_nb_wmi
+ - [x86] platform: intel-vbtn: Report switch events when event wakes device
+ - [x86] platform: mlx-platform: Fix parent device in i2c-mux-reg device
+ registration
+ - i2c: pca-platform: Fix GPIO lookup code
+ - cpuset: restore sanity to cpuset_cpus_allowed_fallback()
+ - mm/mlock.c: change count_mm_mlocked_page_nr return type
+ - tracing: avoid build warning with HAVE_NOP_MCOUNT
+ - module: Fix livepatch/ftrace module text permissions race
+ - ftrace: Fix NULL pointer dereference in free_ftrace_func_mapper()
+ - [x86] drm/i915/dmc: protect against reading random memory
+ - crypto: user - prevent operating on larval algorithms
+ - crypto: cryptd - Fix skcipher instance memory leak
+ - ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
+ - ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages
+ - ALSA: line6: Fix write on zero-sized buffer
+ - ALSA: usb-audio: fix sign unintended sign extension on left shifts
+ - [x86] ALSA: hda/realtek: Add quirks for several Clevo notebook barebones
+ - [x86] ALSA: hda/realtek - Change front mic
location for Lenovo M710q
+ - lib/mpi: Fix karactx leak in mpi_powm
+ - fs/userfaultfd.c: disable irqs for fault_pending and event locks
+ - tracing/snapshot: Resize spare buffer if size changed
+ - [armhf] dts: armada-xp-98dx3236: Switch to armada-38x-uart serial node
+ - drm/amd/powerplay: use hardware fan control if no powerplay fan table
+ - drm/amdgpu/gfx9: use reset default for PA_SC_FIFO_SIZE
+ - [armhf] drm/etnaviv: add missing failure path to destroy suballoc
+ - [armhf] drm/imx: notify drm core before sending event during crtc disable
+ - drm/imx: only send event on crtc disable if kept disabled
+ - [x86] ftrace: Remove possible deadlock between register_kprobe() and
+ ftrace_run_update_code()
+ - mm/vmscan.c: prevent useless kswapd loops
+ - btrfs: Ensure replaced device doesn't have pending chunk allocation
+ - tty: rocket: fix incorrect forward declaration of 'rp_init()'
+ - net/smc: move unhash before release of clcsock
+ - drm/fb-helper: generic: Don't take module ref for fbcon
+ - f2fs: don't access node/meta inode mapping after iput
+ - mac80211: mesh: fix missing unlock on error in table_path_del()
+ - scsi: tcmu: fix use after free
+ - [amd64] boot/compressed: Do not corrupt EDX on EFER.LME=1 setting
+ - [arm64] net: hns: Fixes the missing put_device in positive leg for roce
+ reset
+ - ALSA: hda: Initialize power_state field properly
+ - rds: Fix warning.
+ - ip6: fix skb leak in ip6frag_expire_frag_queue()
+ - netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
+ - [arm64] net: hns: fix unsigned comparison to less than zero
+ - bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K
+ - netfilter: ipv6: nf_defrag: accept duplicate fragments again
+ - [x86] KVM: degrade WARN to pr_warn_ratelimited
+ - [x86] KVM: LAPIC: Fix pending interrupt in IRR blocked by software
+ disable LAPIC
+ - nfsd: Fix overflow causing non-working mounts on 1 TB machines
+ - svcrdma: Ignore source port when computing DRC hash
+ - [mips*] Fix bounds check virt_addr_valid
+ - [mips*] Add missing EHB in mtc0 -> mfc0 sequence.
+ - [arm64] dmaengine: qcom: bam_dma: Fix completed descriptors count
+ - [armhf] dmaengine: imx-sdma: remove BD_INTR for channel0
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.59
+ - [x86] Input: elantech - enable middle button support on 2 ThinkPads
+ - mac80211: fix rate reporting inside cfg80211_calculate_bitrate_he()
+ - bpf: sockmap, fix use after free from sleep in psock backlog workqueue
+ - mac80211: mesh: fix RCU warning
+ - mac80211: free peer keys before vif down in mesh
+ - iwlwifi: Fix double-free problems in iwl_req_fw_callback()
+ - can: af_can: Fix error path of can_init()
+ - net: phy: rename Asix Electronics PHY driver
+ - [armhf] dts: am335x phytec boards: Fix cd-gpios active level
+ - [s390x] boot: disable address-of-packed-member warning
+ - [x86] drm/vmwgfx: Honor the sg list segment size limitation
+ - [x86] drm/vmwgfx: fix a warning due to missing dma_parms
+ - [armhf] Input: imx_keypad - make sure keyboard can always wake up system
+ - [armhf,arm64] KVM: vgic: Fix kvm_device leak in vgic_its_destroy
+ - mac80211: only warn once on chanctx_conf being NULL
+ - mac80211: do not start any work during reconfigure flow
+ - bpf, devmap: Fix premature entry free on destroying map
+ - bpf, devmap: Add missing bulk queue free
+ - bpf, devmap: Add missing RCU read lock on flush
+ -
[amd64] bpf: fix stack layout of JITed bpf code
+ - qmi_wwan: add support for QMAP padding in the RX path
+ - qmi_wwan: avoid RCU stalls on device disconnect when in QMAP mode
+ - qmi_wwan: extend permitted QMAP mux_id value range
+ - mmc: core: complete HS400 before checking status
+ - md: fix for divide error in status_resync
+ - bnx2x: Check if transceiver implements DDM before access
+ - drm: return -EFAULT if copy_to_user() fails
+ - ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL
+ - net: lio_core: fix potential sign-extension overflow on large shift
+ - scsi: qedi: Check targetname while finding boot target information
+ - quota: fix a problem about transfer quota
+ - [armhf,arm64] net: dsa: mv88e6xxx: fix shift of FID bits in
+ mv88e6185_g1_vtu_loadpurge()
+ - NFS4: Only set creation opendata if O_CREAT
+ - net :sunrpc :clnt :Fix xps refcount imbalance on the error path
+ - fscrypt: don't set policy for a dead directory
+ - udf: Fix incorrect final NOT_ALLOCATED (hole) extent length
+ - media: stv0297: fix frequency range limit
+ - ALSA: usb-audio: Fix parse of UAC2 Extension Units
+ - ALSA: hda/realtek - Headphone Mic can't record after S3
+ - block, bfq: NULL out the bic when it's no longer valid
+ - [arm64] perf pmu: Fix uncore PMU alias list for ARM64
+ - [x86] ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()
+ - [x86] tls: Fix possible spectre-v1 in do_get_thread_area()
+ - USB: serial: ftdi_sio: add ID for isodebug v1
+ - USB: serial: option: add support for GosunCn ME3630 RNDIS mode
+ - Revert "serial: 8250: Don't service RX FIFO if interrupts are disabled"
+ - p54usb: Fix race between disconnect and firmware loading
+ - usb: gadget: ether: Fix race between gether_disconnect and rx_submit
+ - [armhf,arm64] usb: dwc2: use a longer AHB idle timeout in
+ dwc2_core_reset()
+ - [x86] drivers/usb/typec/tps6598x.c: fix portinfo width
+ - [x86] drivers/usb/typec/tps6598x.c: fix 4CC cmd write
+ - [i386] staging: comedi: dt282x:
fix a null pointer deref on interrupt + - [x86] staging: comedi: amplc_pci230: fix null pointer deref on interrupt + - HID: Add another Primax PIXART OEM mouse quirk + - binder: fix memory leak in error path + - carl9170: fix misuse of device driver API + - [x86] VMCI: Fix integer overflow in VMCI handle arrays + - staging: rtl8712: reduce stack usage, again + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.60 + - Revert "e1000e: fix cyclic resets at link up with active tx" + - e1000e: start network tx queue only when link is up + - [x86] Input: synaptics - enable SMBUS on T480 thinkpad trackpad + - nilfs2: do not use unexported cpu_to_le32()/le32_to_cpu() in uapi header + - drivers: base: cacheinfo: Ensure cpu hotplug work is done before Intel + RDT + - firmware: improve LSM/IMA security behaviour + - [armhf,arm64] irqchip/gic-v3-its: Fix command queue pointer comparison + bug + - [armhf] clk: ti: clkctrl: Fix returning uninitialized data + - [amd64,arm64] efi/bgrt: Drop BGRT status field reserved bits check + - perf/core: Fix perf_sample_regs_user() mm check + - [armhf] omap2: remove incorrect __init annotation + - afs: Fix uninitialised spinlock afs_volume::cb_break_lock + - [x86] apic: Fix integer overflow on 10 bit left shift of cpu_khz + - be2net: fix link failure after ethtool offline test + - ppp: mppe: Add softdep to arc4 + - sis900: fix TX completion + - [armhf] dts: imx6ul: fix PWM[1-4] interrupts + - [armhf] pinctrl: mcp23s08: Fix add_data and irqchip_add_nested call order + - dm table: don't copy from a NULL pointer in realloc_argv() + - dm verity: use message limit for data block corruption message + - [amd64] boot: Fix crash if kernel image crosses page table boundary + - [amd64] boot: Add missing fixup_pointer() for next_early_pgt access + - HID: chicony: add another quirk for PixArt mouse + - HID: multitouch: Add pointstick support for ALPS Touchpad + - cpu/hotplug: Fix out-of-bounds read when setting fail state + - linux/kernel.h: fix 
overflow for DIV_ROUND_UP_ULL + - genirq: Delay deactivation in free_irq() + - genirq: Fix misleading synchronize_irq() documentation + - genirq: Add optional hardware synchronization for shutdown + - [x86] ioapic: Implement irq_get_irqchip_state() callback + - [x86] irq: Handle spurious interrupt after shutdown gracefully + - [x86] irq: Seperate unused system vectors from spurious entry again + - [s390x] fix stfle zero padding + - [s390x] qdio: (re-)initialize tiqdio list entries + - [s390x] qdio: don't touch the dsci in tiqdio_add_input_queues() + - regmap-irq: do not write mask register if mask_base is zero + - drm/udl: introduce a macro to convert dev to udl. + - drm/udl: Replace drm_dev_unref with drm_dev_put + - drm/udl: move to embedding drm device inside udl device. + - [i386] entry: Fix ENDPROC of common_spurious + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.61 + - [arm64] efi: Mark __efistub_stext_offset as an absolute symbol explicitly + - scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not + supported + - [armhf] dmaengine: imx-sdma: fix use-after-free on probe error path + - wil6210: fix potential out-of-bounds read + - ath10k: Do not send probe response template for mesh + - ath9k: Check for errors when reading SREV register + - ath6kl: add some bounds checking + - ath10k: add peer id check in ath10k_peer_find_by_id + - wil6210: fix spurious interrupts in 3-msi + - ath: DFS JP domain W56 fixed pulse type 3 RADAR detection + - regmap: debugfs: Fix memory leak in regmap_debugfs_init + - batman-adv: fix for leaked TVLV handler. 
+ - media: dvb: usb: fix use after free in dvb_usb_device_exit + - media: marvell-ccic: fix DMA s/g desc number calculation + - media: media_device_enum_links32: clean a reserved field + - [armhf,arm64] net: stmmac: dwmac1000: Clear unused address entries + - [armhf,arm64] net: stmmac: dwmac4/5: Clear unused address entries + - qed: Set the doorbell address correctly + - signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig + - af_key: fix leaks in key_pol_get_resp and dump_sp. + - xfrm: Fix xfrm sel prefix length validation + - fscrypt: clean up some BUG_ON()s in block encryption/decryption + - perf annotate TUI browser: Do not use member from variable within its own + initialization + - media: mc-device.c: don't memset __user pointer contents + - media: saa7164: fix remove_proc_entry warning + - net: phy: Check against net_device being NULL + - tua6100: Avoid build warnings. + - batman-adv: Fix duplicated OGMs on NETDEV_UP + - [armhf] media: wl128x: Fix some error handling in + fm_v4l2_init_video_device() + - [arm64] net: hns3: set ops to null when unregister ad_dev + - cpupower : frequency-set -r option misses the last cpu in related cpu + list + - [armhf,arm64] net: stmmac: dwmac4: fix flow control issue + - [armhf,arm64] net: stmmac: modify default value of tx-frames + - [arm64] crypto: inside-secure - do not rely on the hardware last bit for + result descriptors + - [s390x] qdio: handle PENDING state for QEBSM devices + - net: sfp: add mutex to prevent concurrent state checks + - ipset: Fix memory accounting for hash types on resize + - perf cs-etm: Properly set the value of 'old' and 'head' in snapshot mode + - [s390x] perf report: Fix OOM error in TUI mode on s390 + - [arm64] irqchip/meson-gpio: Add support for Meson-G12A SoC + - media: uvcvideo: Fix access to uninitialized fields on probe error + - iommu: Fix a leak in iommu_insert_resv_region + - [armhf] gpio: omap: fix lack of irqstatus_raw0 for OMAP4 + - [armhf] gpio: omap: ensure irq is 
enabled before wakeup + - regmap: fix bulk writes on paged registers + - bpf: silence warning messages in core + - selinux: fix empty write to keycreate file + - [x86] cpu: Add Ice Lake NNPI to Intel family + - [arm64] ASoC: meson: axg-tdm: fix sample clock inversion + - rcu: Force inlining of rcu_read_lock() + - [x86] cpufeatures: Add FDP_EXCPTN_ONLY and ZERO_FCS_FDS + - qed: iWARP - Fix tc for MPA ll2 connection + - [arm64] net: hns3: fix for skb leak when doing selftest + - block: null_blk: fix race condition for null_del_dev + - blkcg, writeback: dead memcgs shouldn't contribute to writeback ownership + arbitration + - xfrm: fix sa selector validation + - sched/core: Add __sched tag for io_schedule() + - sched/fair: Fix "runnable_avg_yN_inv" not used warnings + - [x86] perf/intel/uncore: Handle invalid event coding for free-running + counter + - [x86] atomic: Fix smp_mb__{before,after}_atomic() + - perf evsel: Make perf_evsel__name() accept a NULL argument + - vhost_net: disable zerocopy by default + - ipoib: correcly show a VF hardware address + - [x86] cacheinfo: Fix a -Wtype-limits warning + - blk-iolatency: only account submitted bios + - ACPICA: Clear status of GPEs on first direct enable + - EDAC/sysfs: Fix memory leak when creating a csrow object + - nvme: fix possible io failures when removing multipathed ns + - nvme-pci: properly report state change failure in nvme_reset_work + - nvme-pci: set the errno on ctrl state change error + - lightnvm: pblk: fix freeing of merged pages + - [arm64] Do not enable IRQs for ct_user_exit + - ipsec: select crypto ciphers for xfrm_algo + - ipvs: defer hook registration to avoid leaks + - media: i2c: fix warning same module names + - ntp: Limit TAI-UTC offset + - timer_list: Guard procfs specific code + - [arm64] acpi: ignore 5.1 FADTs that are reported as 5.0 + - media: hdpvr: fix locking and a missing msleep + - [armhf] net: stmmac: sun8i: force select external PHY when no internal + one + - rtlwifi: rtl8192cu: fix 
error handle when usb probe failed + - mt7601u: do not schedule rx_tasklet when the device has been disconnected + - mt7601u: fix possible memory leak when the device is disconnected + - ipvs: fix tinfo memory leak in start_sync_thread + - ath10k: add missing error handling + - ath10k: fix PCIE device wake up failed + - perf tools: Increase MAX_NR_CPUS and MAX_CACHES + - [x86] ASoC: Intel: hdac_hdmi: Set ops to NULL on remove + - libata: don't request sense data on !ZAC ATA devices + - [armhf] clocksource/drivers/exynos_mct: Increase priority over ARM arch + timer + - xsk: Properly terminate assignment in xskq_produce_flush_desc + - rslib: Fix decoding of shortened codes + - rslib: Fix handling of of caller provided syndrome + - ixgbe: Check DDM existence in transceiver before access + - crypto: serpent - mark __serpent_setkey_sbox noinline + - wil6210: drop old event after wmi_call timeout + - EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec + - bcache: check CACHE_SET_IO_DISABLE in allocator code + - bcache: check CACHE_SET_IO_DISABLE bit in bch_journal() + - bcache: acquire bch_register_lock later in cached_dev_free() + - bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush() + - bcache: fix potential deadlock in cached_def_free() + - [arm64] net: hns3: fix a -Wformat-nonliteral compile warning + - [arm64] net: hns3: add some error checking in hclge_tm module + - ath10k: destroy sdio workqueue while remove sdio module + - [armhf,arm64] net: mvpp2: prs: Don't override the sign bit in SRAM parser + shift + - igb: clear out skb->tstamp after reading the txtime + - iwlwifi: mvm: Drop large non sta frames + - perf stat: Make metric event lookup more robust + - perf stat: Fix group lookup for metric group + - bnx2x: Prevent ptp_task to be rescheduled indefinitely + - net: usb: asix: init MAC address buffers + - rxrpc: Fix oops in tracepoint + - bpf, libbpf, smatch: Fix potential NULL pointer dereference + - bonding: validate ip header 
before check IPPROTO_IGMP + - gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants + - [ppc64el] tools: bpftool: Fix json dump crash on powerpc + - Bluetooth: hci_bcsp: Fix memory leak in rx_skb + - Bluetooth: Add new 13d3:3491 QCA_ROME device + - Bluetooth: Add new 13d3:3501 QCA_ROME device + - Bluetooth: 6lowpan: search for destination address in all peers + - [ppc64el] perf tests: Fix record+probe_libc_inet_pton.sh for powerpc64 + - Bluetooth: Check state in l2cap_disconnect_rsp + - gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable() + - Bluetooth: validate BLE connection interval updates + - gtp: fix suspicious RCU usage + - gtp: fix Illegal context switch in RCU read-side critical section. + - gtp: fix use-after-free in gtp_encap_destroy() + - gtp: fix use-after-free in gtp_newlink() + - [armel/marvell,armhf] net: mvmdio: defer probe of orion-mdio if a clock + is not ready + - iavf: fix dereference of null rx_buffer pointer + - floppy: fix out-of-bounds read in next_valid_format + - floppy: fix invalid pointer dereference in drive_name + - xen: let alloc_xenballooned_pages() fail if not enough memory free + - scsi: core: Fix race on creating sense cache + - scsi: megaraid_sas: Fix calculation of target ID + - crypto: ghash - fix unaligned memory access in ghash_setkey() + - [x86] crypto: ccp - Validate the the error value used to index error + messages + - [arm64] crypto: sha1-ce - correct digest for empty data in finup + - [arm64] crypto: sha2-ce - correct digest for empty data in finup + - crypto: chacha20poly1305 - fix atomic sleep when using async algorithm + - [x86] crypto: ccp - memset structure fields to zero before reuse + - [x86] crypto: ccp/gcm - use const time tag comparison. 
+ - Revert "bcache: set CACHE_SET_IO_DISABLE in bch_cached_dev_error()" + - bcache: Revert "bcache: fix high CPU occupancy during journal" + - bcache: Revert "bcache: free heap cache_set->flush_btree in + bch_journal_free" + - bcache: ignore read-ahead request failure on backing device + - bcache: fix mistaken sysfs entry for io_error counter + - bcache: destroy dc->writeback_write_wq if failed to create + dc->writeback_thread + - Input: alps - don't handle ALPS cs19 trackpoint-only device + - [x86] Input: synaptics - whitelist Lenovo T580 SMBus intertouch + - Input: alps - fix a mismatch between a condition check and its comment + - [armhf] regulator: s2mps11: Fix buck7 and buck8 wrong voltages + - [arm64] tegra: Update Jetson TX1 GPU regulator timings + - iwlwifi: pcie: don't service an interrupt that was masked + - iwlwifi: pcie: fix ALIVE interrupt handling for gen2 devices w/o MSI-X + - iwlwifi: don't WARN when calling iwl_get_shared_mem_conf with RF-Kill + - iwlwifi: fix RF-Kill interrupt while FW load for gen2 devices + - NFSv4: Handle the special Linux file open access mode + - pnfs/flexfiles: Fix PTR_ERR() dereferences in ff_layout_track_ds_error + - pNFS: Fix a typo in pnfs_update_layout + - pnfs: Fix a problem where we gratuitously start doing I/O through the MDS + - lib/scatterlist: Fix mapping iterator when sg->offset is greater than + PAGE_SIZE + - ASoC: dapm: Adapt for debugfs API change + - raid5-cache: Need to do start() part job after adding journal device + - ALSA: seq: Break too long mutex context in the write loop + - [x86] ALSA: hda/realtek - Fixed Headphone Mic can't record on Dell + platform + - [x86] ALSA: hda/realtek: apply ALC891 headset fixup to one Dell machine + - media: v4l2: Test type instead of cfg->type in v4l2_ctrl_new_custom() + - media: videobuf2-core: Prevent size alignment wrapping buffer size to 0 + - media: videobuf2-dma-sg: Prevent size from overflowing + - [x86] KVM: vPMU: refine kvm_pmu err msg when event creation failed 
+ - [arm64] tegra: Fix AGIC register range + - fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys + inodes. + - kconfig: fix missing choice values in auto.conf + - drm/nouveau/i2c: Enable i2c pads & busses during preinit + - padata: use smp_mb in padata_reorder to avoid orphaned padata jobs + - dm zoned: fix zone state management race + - xen/events: fix binding user event channels to cpus + - 9p/xen: Add cleanup path in p9_trans_xen_init + - 9p/virtio: Add cleanup path in p9_virtio_init + - [x86] boot: Fix memory leak in default_get_smp_config() + - [x86] perf/intel: Fix spurious NMI on fixed counter + - [x86] perf/amd/uncore: Do not set 'ThreadMask' and 'SliceMask' for non-L3 + PMCs + - [x86] perf/amd/uncore: Set the thread mask for F17h L3 PMCs + - drm/edid: parse CEA blocks embedded in DisplayID + - [x86] intel_th: pci: Add Ice Lake NNPI support + - [x86] PCI: hv: Fix a use-after-free bug in hv_eject_device_work() + - PCI: Do not poll for PME if the device is in D3cold + - [arm64] PCI: qcom: Ensure that PERST is asserted for at least 100 ms + - Btrfs: fix data loss after inode eviction, renaming it, and fsync it + - Btrfs: fix fsync not persisting dentry deletions due to inode evictions + - Btrfs: add missing inode version, ctime and mtime updates when punching + hole + - IB/mlx5: Report correctly tag matching rendezvous capability + - HID: wacom: generic: only switch the mode on devices with LEDs + - HID: wacom: generic: Correct pad syncing + - HID: wacom: correct touch resolution x/y typo + - libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields + - coda: pass the host file in vma->vm_file on mmap + - include/asm-generic/bug.h: fix "cut here" for WARN_ON for __WARN_TAINT + architectures + - xfs: fix pagecache truncation prior to reflink + - xfs: flush removing page cache in xfs_reflink_remap_prep + - xfs: don't overflow xattr listent buffer + - xfs: rename m_inotbt_nores to m_finobt_nores + - xfs: don't ever put nlink > 0 
inodes on the unlinked list + - xfs: reserve blocks for ifree transaction during log recovery + - xfs: fix reporting supported extra file attributes for statx() + - xfs: serialize unaligned dio writes against all other dio writes + - xfs: abort unaligned nowait directio early + - [ppc64el] watchpoint: Restore NV GPRs while returning from exception + - [ppc64el] powernv/npu: Fix reference leak + - [ppc64el] pseries: Fix oops in hotplug memory notifier + - [arm64] mmc: sdhci-msm: fix mutex while in spinlock + - eCryptfs: fix a couple type promotion bugs + - [x86] intel_th: msu: Fix single mode with disabled IOMMU + - Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug + - usb: Handle USB3 remote wakeup for LPM enabled devices correctly + - blk-throttle: fix zero wait time for iops throttled group + - blk-iolatency: clear use_delay when io.latency is set to zero + - blkcg: update blkcg_print_stat() to handle larger outputs + - [armel/marvell,armhf] net: mvmdio: allow up to four clocks to be + specified for orion-mdio + - dm bufio: fix deadlock with loop device + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.62 + - bnx2x: Prevent load reordering in tx completion processing + - [x86] hv_netvsc: Fix extra rcu_read_unlock in netvsc_recv_callback() + - igmp: fix memory leak in igmpv3_del_delrec() + - ipv4: don't set IPv6 only flags to IPv4 addresses + - ipv6: rt6_check should return NULL if 'from' is NULL + - ipv6: Unlink sibling route in case of failure + - [armhf,arm64] net: dsa: mv88e6xxx: wait after reset deactivation + - net: make skb_dst_force return true when dst is refcounted + - net: neigh: fix multiple neigh timer scheduling + - net: openvswitch: fix csum updates for MPLS actions + - net: phy: sfp: hwmon: Fix scaling of RX power + - [armhf,arm64] net: stmmac: Re-work the queue selection for TSO packets + - nfc: fix potential illegal memory access + - r8169: fix issue with confused RX unit after PHY power-down on RTL8411b + - rxrpc: 
Fix send on a connected, but unbound socket + - sctp: fix error handling on stream scheduler initialization + - [x86] sky2: Disable MSI on ASUS P6T + - tcp: be more careful in tcp_fragment() + - tcp: fix tcp_set_congestion_control() use from bpf hook + - tcp: Reset bytes_acked and bytes_received when disconnecting + - vrf: make sure skb->data contains ip header to make routing + - net/mlx5e: IPoIB, Add error path in mlx5_rdma_setup_rn + - macsec: fix use-after-free of skb during RX + - macsec: fix checksumming after decryption + - netrom: fix a memory leak in nr_rx_frame() + - netrom: hold sock when setting skb->destructor + - net_sched: unset TCQ_F_CAN_BYPASS when adding filters + - sctp: not bind the socket in sctp_connect + - net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling + - net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query + - net: bridge: don't cache ether dest pointer on input + - net: bridge: stp: don't cache eth dest pointer before skb pull + - dma-buf: balance refcount inbalance + - dma-buf: Discard old fence_excl on retrying get_fences_rcu for realloc + - perf/core: Fix exclusive events' grouping + - perf/core: Fix race between close() and fork() + - ext4: don't allow any modifications to an immutable file + - ext4: enforce the immutable flag on open files + - mm: add filemap_fdatawait_range_keep_errors() + - jbd2: introduce jbd2_inode dirty range scoping + - ext4: use jbd2_inode dirty range scoping + - ext4: allow directory holes + - [x86] KVM: nVMX: do not use dangling shadow VMCS after guest reset + - [x86] KVM: nVMX: Clear pending KVM_REQ_GET_VMCS12_PAGES when leaving + nested + - mm: vmscan: scan anonymous pages on file refaults + - net: sched: verify that q!=NULL before setting q->flags + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.63 + - [x86] hvsock: fix epollout hang from race condition + - [armhf,arm64] drm/panel: simple: Fix panel_simple_dsi_probe + - [x86] staging: vt6656: use 
meaningful error code during buffer allocation + - usb: core: hub: Disable hub-initiated U1/U2 + - [armhf,arm64] pinctrl: rockchip: fix leaked of_node references + - drm/amd/display: Fill prescale_params->scale for RGB565 + - drm/amdgpu/sriov: Need to initialize the HDP_NONSURFACE_BAStE + - drm/amd/display: Disable ABM before destroy ABM struct + - drm/amdkfd: Fix a potential memory leak + - drm/amdkfd: Fix sdma queue map issue + - drm/edid: Fix a missing-check bug in drm_load_edid_firmware() + - PCI: Return error if cannot probe VF + - [armhf,arm64] gpu: host1x: Increase maximum DMA segment size + - drm/crc-debugfs: User irqsafe spinlock in drm_crtc_add_crc_entry + - drm/crc-debugfs: Also sprinkle irqrestore over early exits + - memstick: Fix error cleanup path of memstick_init + - [arm64] tty: serial: msm_serial: avoid system lockup condition + - serial: 8250: Fix TX interrupt handling condition + - drm/amd/display: Always allocate initial connector state state + - drm/virtio: Add memory barriers for capset cache. 
+ - drm/amd/display: fix compilation error + - [ppc64el] pseries/mobility: prevent cpu hotplug during DT update + - [armhf,arm64] drm/rockchip: Properly adjust to a true clock in + adjusted_mode + - [armhf] serial: imx: fix locking in set_termios() + - tty: serial_core: Set port active bit in uart_port_activate + - usb: gadget: Zero ffs_io_data + - mmc: sdhci: sdhci-pci-o2micro: Check if controller supports 8-bit width + - [ppc64el] pci/of: Fix OF flags parsing for 64bit BARs + - [arm64] drm/msm: Depopulate platform on probe failure + - [arm64] PCI: xilinx-nwl: Fix Multi MSI data programming + - iio: iio-utils: Fix possible incorrect mask calculation + - [ppc64el] cacheflush: fix variable set but not used + - [ppc64el] xmon: Fix disabling tracing while in xmon + - [ppc64el] recordmcount: Fix spurious mcount entries on powerpc + - mfd: core: Set fwnode for created devices + - [arm64] mfd: hi655x-pmic: Fix missing return value check for + devm_regmap_init_mmio_clk + - mm/swap: fix release_pages() when releasing devmap pages + - RDMA/i40iw: Set queue pair state when being queried + - IB/mlx5: Fixed reporting counters on 2nd port for Dual port RoCE + - [ppc64el] mm: Handle page table allocation failures + - IB/ipoib: Add child to parent list only if device initialized + - [arm64] assembler: Switch ESB-instruction with a vanilla nop if + !ARM64_HAS_RAS + - perf stat: Fix use-after-freed pointer detected by the smatch tool + - perf top: Fix potential NULL pointer dereference detected by the smatch + tool + - perf session: Fix potential NULL pointer dereference found by the smatch + tool + - perf annotate: Fix dereferencing freed memory found by the smatch tool + - perf hists browser: Fix potential NULL pointer dereference found by the + smatch tool + - RDMA/rxe: Fill in wc byte_len with IB_WC_RECV_RDMA_WITH_IMM + - [armhf] PCI: dwc: pci-dra7xx: Fix compilation when !CONFIG_GPIOLIB + - [ppc64el] boot: add {get, put}_unaligned_be32 to xz_config.h + - block: init flush rq 
ref count to 1 + - f2fs: avoid out-of-range memory access + - mailbox: handle failed named mailbox channel request + - dlm: check if workqueues are NULL before flushing/destroying + - [ppc64el] eeh: Handle hugepages in ioremap space + - block/bio-integrity: fix a memory leak bug + - 9p: pass the correct prototype to read_cache_page + - mm/gup.c: mark undo_dev_pagemap as __maybe_unused + - mm/gup.c: remove some BUG_ONs from get_gate_page() + - memcg, fsnotify: no oom-kill for remote memcg charging + - mm/mmu_notifier: use hlist_add_head_rcu() + - proc: use down_read_killable mmap_sem for /proc/pid/smaps_rollup + - proc: use down_read_killable mmap_sem for /proc/pid/pagemap + - proc: use down_read_killable mmap_sem for /proc/pid/clear_refs + - proc: use down_read_killable mmap_sem for /proc/pid/map_files + - cxgb4: reduce kernel stack usage in cudbg_collect_mem_region() + - proc: use down_read_killable mmap_sem for /proc/pid/maps + - locking/lockdep: Fix lock used or unused stats error + - mm: use down_read_killable for locking mmap_sem in access_remote_vm + - locking/lockdep: Hide unused 'class' variable + - usb: wusbcore: fix unbalanced get/put cluster_id + - [x86] usb: pci-quirks: Correct AMD PLL quirk detection + - btrfs: inode: Don't compress if NODATASUM or NODATACOW set + - [x86] sysfb_efi: Add quirks for some devices with swapped width and + height + - [x86] speculation/mds: Apply more accurate check on hypervisor platform + - binder: prevent transactions to context manager from its own process. 
+ - fpga-manager: altera-ps-spi: Fix build error + - [x86] mei: me: add mule creek canyon (EHL) device ids + - [x86] hpet: Fix division by zero in hpet_time_div() + - ALSA: ac97: Fix double free of ac97_codec_device + - ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1 + - ALSA: hda - Add a conexant codec entry to let mute led work + - [ppc64el] xive: Fix loop exit-condition in xive_find_target_in_mask() + - libnvdimm/bus: Stop holding nvdimm_bus_list_mutex over __nd_ioctl() + - access: avoid the RCU grace period for the temporary subjective + credentials + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.64 + - [x86] hv_sock: Add support for delayed close + - vsock: correct removal of socket from the list + - NFS: Fix dentry revalidation on NFSv4 lookup + - NFS: Refactor nfs_lookup_revalidate() + - NFSv4: Fix lookup revalidate of regular files + - [armhf,arm64] usb: dwc2: Disable all EP's on disconnect + - [armhf,arm64] usb: dwc2: Fix disable all EP's on disconnect + - [arm64] compat: Provide definition for COMPAT_SIGMINSTKSZ + (Closes: #904385). 
+ - binder: fix possible UAF when freeing buffer + - ISDN: hfcsusb: checking idx of ep configuration + - media: au0828: fix null dereference in error path + - ath10k: Change the warning message string + - media: cpia2_usb: first wake up, then free in disconnect + - media: pvrusb2: use a different format for warnings + - NFS: Cleanup if nfs_match_client is interrupted + - media: radio-raremono: change devm_k*alloc to k*alloc + - [x86] iommu/vt-d: Don't queue_iova() if there is no flush queue + - vhost: introduce vhost_exceeds_weight() + - vhost_net: fix possible infinite loop (CVE-2019-3900) + - vhost: vsock: add weight support + - vhost: scsi: add weight support (CVE-2019-3900) + - sched/fair: Don't free p->numa_faults with concurrent readers + - sched/fair: Use RCU accessors consistently for ->numa_group + - /proc//cmdline: remove all the special cases + - /proc//cmdline: add back the setproctitle() special case + - drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl + - Fix allyesconfig output. 
+ - ceph: hold i_ceph_lock when removing caps for freeing inode + - block, scsi: Change the preempt-only flag into a counter + - scsi: core: Avoid that a kernel warning appears during system resume + - ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.65 + - [armhf] dts: rockchip: Make rk3288-veyron-minnie run at hs200 + - [armhf] dts: rockchip: Make rk3288-veyron-mickey's emmc work again + - [armhf] dts: rockchip: Mark that the rk3288 timer might stop in suspend + - ftrace: Enable trampoline when rec count returns back to one + - [armhf,arm64] dmaengine: tegra-apb: Error out if DMA_PREP_INTERRUPT flag + is unset + - [arm64] dts: rockchip: fix isp iommu clocks and power domain + - kernel/module.c: Only return -EEXIST for modules that have finished + loading + - [arm64] clk: tegra210: fix PLLU and PLLU_OUT1 + - fs/adfs: super: fix use-after-free bug + - btrfs: fix minimum number of chunk errors for DUP + - btrfs: qgroup: Don't hold qgroup_ioctl_lock in btrfs_qgroup_inherit() + - cifs: Fix a race condition with cifs_echo_request + - ceph: fix improper use of smp_mb__before_atomic() + - ceph: return -ERANGE if virtual xattr value didn't fit in buffer + - ACPI: blacklist: fix clang warning for unused DMI table + - [s390x] scsi: zfcp: fix GCC compiler warning emitted with + -Wmaybe-uninitialized + - perf version: Fix segfault due to missing OPT_END() + - [x86] kvm: avoid constant-conversion warning + - ACPI: fix false-positive -Wuninitialized warning + - be2net: Signal that the device cannot transmit during reconfiguration + - [x86] apic: Silence -Wtype-limits compiler warnings + - mm/cma.c: fail if fixed declaration can't be honored + - lib/test_overflow.c: avoid tainting the kernel and fix wrap size + - lib/test_string.c: avoid masking memset16/32/64 failures + - coda: add error handling for fget + - coda: fix build using bare-metal toolchain + - uapi linux/coda_psdev.h: move upc_req 
definition from uapi to kernel side + headers + - drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings + - ipc/mqueue.c: only perform resource calculation if user valid + - [x86] xen/pv: Fix a boot up hang revealed by int3 self test + - [x86] kvm: Don't call kvm_spurious_fault() from .fixup + - [x86] paravirt: Fix callee-saved function ELF sizes + - [x86] boot: Remove multiple copy of static function sanitize_boot_params() + - drm/nouveau: fix memory leak in nouveau_conn_reset() + - kconfig: Clear "written" flag to avoid data loss + - Btrfs: fix incremental send failure after deduplication + - Btrfs: fix race leading to fs corruption after transaction abort + - [armhf,arm64] mmc: dw_mmc: Fix occasional hang after tuning on eMMC + - [arm64] mmc: meson-mx-sdio: Fix misuse of GENMASK macro + - gpiolib: fix incorrect IRQ requesting of an active-low lineevent + - IB/hfi1: Fix Spectre v1 vulnerability + - mtd: rawnand: micron: handle on-die "ECC-off" devices correctly + - selinux: fix memory leak in policydb_init() + - ALSA: hda: Fix 1-minute detection delay when i915 module is not available + (Closes: #931507) + - mm: vmscan: check if mem cgroup is disabled or not before calling memcg + slab shrinker + - [s390x] dasd: fix endless loop after read unit address configuration + - [arm*] drivers/perf: arm_pmu: Fix failure path in PM notifier + - [arm64] compat: Allow single-byte watchpoints on all addresses + - [arm64] cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG} + - nbd: replace kill_bdev() with __invalidate_device() again + - xen/swiotlb: fix condition for calling xen_destroy_contiguous_region() + - IB/mlx5: Fix unreg_umr to ignore the mkey state + - IB/mlx5: Use direct mkey destroy command upon UMR unreg failure + - IB/mlx5: Move MRs to a kernel PD when freeing them to the MR cache + - IB/mlx5: Fix clean_mr() to work in the expected order + - IB/mlx5: Fix RSS Toeplitz setup to be aligned with the HW specification + - IB/hfi1: Check for error on 
call to alloc_rsm_map_table + - [x86] drm/i915/gvt: fix incorrect cache entry for guest page mapping + - eeprom: at24: make spd world-readable again + - objtool: Support GCC 9 cold subfunction naming scheme + - gcc-9: properly declare the {pv,hv}clock_page storage + - [x86] vdso: Prevent segfaults due to hoisted vclock reads + - scsi: mpt3sas: Use 63-bit DMA addressing on SAS35 HBA + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.66 + - scsi: fcoe: Embed fc_rport_priv in fcoe_rport structure + - gcc-9: don't warn about uninitialized variable + - driver core: Establish order of operations for device_add and device_del + via bitflag + - drivers/base: Introduce kill_device() + - libnvdimm/bus: Prevent duplicate device_unregister() calls + - libnvdimm/region: Register badblocks before namespaces + - libnvdimm/bus: Prepare the nd_ioctl() path to be re-entrant + - libnvdimm/bus: Fix wait_nvdimm_bus_probe_idle() ABBA deadlock + - HID: wacom: fix bit shift for Cintiq Companion 2 + - HID: Add quirk for HP X1200 PIXART OEM mouse + - IB: directly cast the sockaddr union to aockaddr + - atm: iphase: Fix Spectre v1 vulnerability + - bnx2x: Disable multi-cos feature. 
+ - ife: error out when nla attributes are empty + - ip6_gre: reload ipv6h in prepare_ip6gre_xmit_ipv6 + - ip6_tunnel: fix possible use-after-free on xmit + - ipip: validate header length in ipip_tunnel_xmit + - [armhf,arm64] mvpp2: fix panic on module removal + - [armhf,arm64] mvpp2: refactor MTU change code + - net: bridge: delete local fdb on device init failure + - net: bridge: mcast: don't delete permanent entries when fast leave is + enabled + - net: fix ifindex collision during namespace removal + - net/mlx5e: always initialize frag->last_in_page + - net/mlx5: Use reversed order when unregister devices + - net: phylink: Fix flow control for fixed-link + - net: sched: Fix a possible null-pointer dereference in dequeue_func() + - net sched: update vlan action for batched events operations + - net: sched: use temporary variable for actions indexes + - net/smc: do not schedule tx_work in SMC_CLOSED state + - tipc: compat: allow tipc commands without arguments + - tun: mark small packets as owned by the tap sock + - net/mlx5: Fix modify_cq_in alignment + - net/mlx5e: Prevent encap flow counter update async to user query + - r8169: don't use MSI before RTL8168d + - compat_ioctl: pppoe: fix PPPOEIOCSFWD handling + - cgroup: Call cgroup_release() before __exit_signal() + - cgroup: Implement css_task_iter_skip() + - cgroup: Include dying leaders with live threads in PROCS iterations + - cgroup: css_task_iter_skip()'d iterators must be advanced before accessed + - cgroup: Fix css_task_iter_advance_css_set() cset skip condition + - [arm*] spi: bcm2835: Fix 3-wire mode if DMA is enabled + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.67 + - [x86] crypto: ccp - Fix oops by properly managing allocated structures + - [x86] crypto: ccp - Add support for valid authsize values less than 16 + - [x86] crypto: ccp - Ignore tag length when decrypting GCM ciphertext + - usb: usbfs: fix double-free of usb memory upon submiturb error + - usb: iowarrior: fix deadlock on 
disconnect + - sound: fix a memory leak bug + - [arm64,mips*/octeon] mmc: cavium: Set the correct dma max segment size + for mmc_host + - [arm64,mips*/octeon] mmc: cavium: Add the missing dma unmap when the dma + has finished. + - loop: set PF_MEMALLOC_NOIO for the worker thread + - Input: usbtouchscreen - initialize PM mutex before using it + - [x86] Input: elantech - enable SMBus on new (2018+) systems + - [x86] Input: synaptics - enable RMI mode for HP Spectre X360 + - [x86] mm: Check for pfn instead of page in vmalloc_sync_one() + - [x86] mm: Sync also unmappings in vmalloc_sync_all() + - mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy() + - [s390x] perf annotate: Fix s390 gap between kernel end and module start + - perf db-export: Fix thread__exec_comm() + - [s390x] perf record: Fix module size on s390 + - [x86] purgatory: Use CFLAGS_REMOVE rather than reset KBUILD_CFLAGS + - gfs2: gfs2_walk_metadata fix + - usb: yurex: Fix use-after-free in yurex_delete + - [x86] usb: typec: tcpm: free log buf memory when remove debug file + - [x86] usb: typec: tcpm: remove tcpm dir if no children + - [x86] usb: typec: tcpm: Add NULL check before dereferencing config + - [x86] usb: typec: tcpm: Ignore unsupported/unknown alternate mode requests + - can: peak_usb: fix potential double kfree_skb() + - netfilter: nfnetlink: avoid deadlock due to synchronous request_module + - [s390x] vfio-ccw: Set pa_nr to 0 if memory allocation fails for + pa_iova_pfn + - netfilter: Fix rpfilter dropping vrf packets by mistake + - netfilter: conntrack: always store window size un-scaled + - netfilter: nft_hash: fix symhash with modulus one + - drm/amd/display: Wait for backlight programming completion in set + backlight level + - drm/amd/display: use encoder's engine id to find matched free audio + device + - drm/amd/display: Fix dc_create failure handling and 666 color depths + - drm/amd/display: Only enable audio if speaker allocation exists + - drm/amd/display: Increase size of audios 
array + - [x86] iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of + ISCSI_IBFT_FIND + - nl80211: fix NL80211_HE_MAX_CAPABILITY_LEN + - mac80211: don't warn about CW params when not using them + - allocate_flower_entry: should check for null deref + - hwmon: (nct6775) Fix register address and added missed tolerance for + nct6106 + - drm: silence variable 'conn' set but not used + - [s390x] qdio: add sanity checks to the fast-requeue path + - ALSA: compress: Fix regression on compressed capture streams + - ALSA: compress: Prevent bypasses of set_params + - ALSA: compress: Don't allow paritial drain operations on capture streams + - ALSA: compress: Be more restrictive about when a drain is allowed + - perf tools: Fix proper buffer size for feature processing + - perf probe: Avoid calling freeing routine multiple times for same pointer + - drbd: dynamically allocate shash descriptor + - ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id() + - nvme: fix multipath crash when ANA is deactivated + - scsi: megaraid_sas: fix panic on loading firmware crashdump + - [ppc64el] scsi: ibmvfc: fix WARN_ON during event pool release + - scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG + - test_firmware: fix a memory leak bug + - tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop + - perf/core: Fix creating kernel counters for PMUs that override event->cpu + - [s390x] dma: provide proper ARCH_ZONE_DMA_BITS value + - HID: sony: Fix race condition between rumble and device remove. 
+ - [x86] purgatory: Do not use __builtin_memcpy and __builtin_memset + - ALSA: usb-audio: fix a memory leak bug + - can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices + - can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices + - hwmon: (nct7802) Fix wrong detection of in4 presence + - [x86] drm/i915: Fix wrong escape clock divisor init for GLK + - ALSA: firewire: fix a memory leak bug + - ALSA: hiface: fix multiple memory leak bugs + - ALSA: hda - Don't override global PCM hw info flag + - [x86] ALSA: hda - Workaround for crackled sound on AMD controller + (1022:1457) + - mac80211: don't WARN on short WMM parameters from AP + - dax: dax_layout_busy_page() should not unmap cow pages + - SMB3: Fix deadlock in validate negotiate hits reconnect + - smb3: send CAP_DFS capability during session setup + - NFSv4: Fix an Oops in nfs4_do_setattr + - [x86] KVM: Fix leak vCPU's VMCS value into other pCPU + - mwifiex: fix 802.11n/WPA detection + - iwlwifi: don't unmap as page memory that was mapped as single + - iwlwifi: mvm: fix an out-of-bound access + - iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT on version < 41 + - iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support [ Steve McIntyre ] * [arm64] Improve support for the Huawei TaiShan server platform @@ -13,10 +2153,6 @@ linux (4.19.37-6) UNRELEASED; urgency=medium * rtc-s35390a: backport fix to make hwclock able to read the time (Closes: #932845) - [ Aurelien Jarno ] - * [arm64] compat: Provide definition for COMPAT_SIGMINSTKSZ (Closes: - #904385). - -- Salvatore Bonaccorso Sun, 23 Jun 2019 16:15:17 +0200 linux (4.19.37-5+deb10u2) buster-security; urgency=high diff --git a/debian/patches/bugfix/all/0001-aio-clear-IOCB_HIPRI.patch b/debian/patches/bugfix/all/0001-aio-clear-IOCB_HIPRI.patch deleted file mode 100644 index a54e5d098..000000000 --- a/debian/patches/bugfix/all/0001-aio-clear-IOCB_HIPRI.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From: Christoph Hellwig -Date: Thu, 22 Nov 2018 16:44:07 +0100 -Subject: [01/14] aio: clear IOCB_HIPRI -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=9101cbe70ef64c7f35fb75552005a3a696cc288e - -commit 154989e45fd8de9bfb52bbd6e5ea763e437e54c5 upstream. - -No one is going to poll for aio (yet), so we must clear the HIPRI -flag, as we would otherwise send it down the poll queues, where no -one will be polling for completions. - -Signed-off-by: Christoph Hellwig - -IOCB_HIPRI, not RWF_HIPRI. - -Reviewed-by: Johannes Thumshirn -Signed-off-by: Jens Axboe -Cc: Guenter Roeck -Signed-off-by: Greg Kroah-Hartman ---- - fs/aio.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/fs/aio.c b/fs/aio.c -index 45d5ef8dd0a8..78aa249070b1 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -1438,8 +1438,7 @@ static int aio_prep_rw(struct kiocb *req, struct iocb *iocb) - ret = ioprio_check_cap(iocb->aio_reqprio); - if (ret) { - pr_debug("aio ioprio check cap error: %d\n", ret); -- fput(req->ki_filp); -- return ret; -+ goto out_fput; - } - - req->ki_ioprio = iocb->aio_reqprio; -@@ -1448,7 +1447,13 @@ static int aio_prep_rw(struct kiocb *req, struct iocb *iocb) - - ret = kiocb_set_rw_flags(req, iocb->aio_rw_flags); - if (unlikely(ret)) -- fput(req->ki_filp); -+ goto out_fput; -+ -+ req->ki_flags &= ~IOCB_HIPRI; /* no one is going to poll for this I/O */ -+ return 0; -+ -+out_fput: -+ fput(req->ki_filp); - return ret; - } - diff --git a/debian/patches/bugfix/all/0001-mm-make-page-ref-count-overflow-check-tighter-and-mo.patch b/debian/patches/bugfix/all/0001-mm-make-page-ref-count-overflow-check-tighter-and-mo.patch deleted file mode 100644 index 1c4231f19..000000000 --- a/debian/patches/bugfix/all/0001-mm-make-page-ref-count-overflow-check-tighter-and-mo.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From: Linus Torvalds -Date: Thu, 11 Apr 2019 10:06:20 -0700 -Subject: mm: make page ref count overflow check tighter and more explicit -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=9f6da5fd05577ef4a05c1744cc7098d0173823af -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11487 - -commit f958d7b528b1b40c44cfda5eabe2d82760d868c3 upstream. - -We have a VM_BUG_ON() to check that the page reference count doesn't -underflow (or get close to overflow) by checking the sign of the count. - -That's all fine, but we actually want to allow people to use a "get page -ref unless it's already very high" helper function, and we want that one -to use the sign of the page ref (without triggering this VM_BUG_ON). - -Change the VM_BUG_ON to only check for small underflows (or _very_ close -to overflowing), and ignore overflows which have strayed into negative -territory. - -Acked-by: Matthew Wilcox -Cc: Jann Horn -Cc: stable@kernel.org -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/mm.h | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/include/linux/mm.h b/include/linux/mm.h -index e899460f1bc5..9965704813dc 100644 ---- a/include/linux/mm.h -+++ b/include/linux/mm.h -@@ -915,6 +915,10 @@ static inline bool is_device_public_page(const struct page *page) - } - #endif /* CONFIG_DEV_PAGEMAP_OPS */ - -+/* 127: arbitrary random number, small enough to assemble well */ -+#define page_ref_zero_or_close_to_overflow(page) \ -+ ((unsigned int) page_ref_count(page) + 127u <= 127u) -+ - static inline void get_page(struct page *page) - { - page = compound_head(page); -@@ -922,7 +926,7 @@ static inline void get_page(struct page *page) - * Getting a normal page or the head of a compound page - * requires to already have an elevated page->_refcount. 
- */ -- VM_BUG_ON_PAGE(page_ref_count(page) <= 0, page); -+ VM_BUG_ON_PAGE(page_ref_zero_or_close_to_overflow(page), page); - page_ref_inc(page); - } - diff --git a/debian/patches/bugfix/all/0002-aio-use-assigned-completion-handler.patch b/debian/patches/bugfix/all/0002-aio-use-assigned-completion-handler.patch deleted file mode 100644 index 7aa6b0fd5..000000000 --- a/debian/patches/bugfix/all/0002-aio-use-assigned-completion-handler.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Jens Axboe -Date: Tue, 6 Nov 2018 14:27:13 -0700 -Subject: [02/14] aio: use assigned completion handler -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=b3373253f0bab538a7521537dfcb73e731b3d732 - -commit bc9bff61624ac33b7c95861abea1af24ee7a94fc upstream. - -We know this is a read/write request, but in preparation for -having different kinds of those, ensure that we call the assigned -handler instead of assuming it's aio_complete_rq(). - -Reviewed-by: Christoph Hellwig -Signed-off-by: Jens Axboe -Cc: Guenter Roeck -Signed-off-by: Greg Kroah-Hartman ---- - fs/aio.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/aio.c b/fs/aio.c -index 78aa249070b1..3df3fb0678e5 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -1492,7 +1492,7 @@ static inline void aio_rw_done(struct kiocb *req, ssize_t ret) - ret = -EINTR; - /*FALLTHRU*/ - default: -- aio_complete_rw(req, ret, 0); -+ req->ki_complete(req, ret, 0); - } - } - diff --git a/debian/patches/bugfix/all/0002-mm-add-try_get_page-helper-function.patch b/debian/patches/bugfix/all/0002-mm-add-try_get_page-helper-function.patch deleted file mode 100644 index 97adc1823..000000000 --- a/debian/patches/bugfix/all/0002-mm-add-try_get_page-helper-function.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From: Linus Torvalds -Date: Thu, 11 Apr 2019 10:14:59 -0700 -Subject: mm: add 'try_get_page()' helper function -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=0612cae7ec6b79d2ff1b34562bab79d5bf96327a -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11487 - -commit 88b1a17dfc3ed7728316478fae0f5ad508f50397 upstream. - -This is the same as the traditional 'get_page()' function, but instead -of unconditionally incrementing the reference count of the page, it only -does so if the count was "safe". It returns whether the reference count -was incremented (and is marked __must_check, since the caller obviously -has to be aware of it). - -Also like 'get_page()', you can't use this function unless you already -had a reference to the page. The intent is that you can use this -exactly like get_page(), but in situations where you want to limit the -maximum reference count. - -The code currently does an unconditional WARN_ON_ONCE() if we ever hit -the reference count issues (either zero or negative), as a notification -that the conditional non-increment actually happened. - -NOTE! The count access for the "safety" check is inherently racy, but -that doesn't matter since the buffer we use is basically half the range -of the reference count (ie we look at the sign of the count). 
- -Acked-by: Matthew Wilcox -Cc: Jann Horn -Cc: stable@kernel.org -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/mm.h | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/include/linux/mm.h b/include/linux/mm.h -index 9965704813dc..bdec425c8e14 100644 ---- a/include/linux/mm.h -+++ b/include/linux/mm.h -@@ -930,6 +930,15 @@ static inline void get_page(struct page *page) - page_ref_inc(page); - } - -+static inline __must_check bool try_get_page(struct page *page) -+{ -+ page = compound_head(page); -+ if (WARN_ON_ONCE(page_ref_count(page) <= 0)) -+ return false; -+ page_ref_inc(page); -+ return true; -+} -+ - static inline void put_page(struct page *page) - { - page = compound_head(page); diff --git a/debian/patches/bugfix/all/0003-aio-separate-out-ring-reservation-from-req-allocatio.patch b/debian/patches/bugfix/all/0003-aio-separate-out-ring-reservation-from-req-allocatio.patch deleted file mode 100644 index cf5aad9fe..000000000 --- a/debian/patches/bugfix/all/0003-aio-separate-out-ring-reservation-from-req-allocatio.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From: Christoph Hellwig -Date: Mon, 19 Nov 2018 15:57:42 -0700 -Subject: [03/14] aio: separate out ring reservation from req allocation -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=730198c889d85db78058cfb57c1b41c65f55c94e - -commit 432c79978c33ecef91b1b04cea6936c20810da29 upstream. - -This is in preparation for certain types of IO not needing a ring -reserveration. - -Signed-off-by: Christoph Hellwig -Signed-off-by: Jens Axboe -Cc: Guenter Roeck -Signed-off-by: Greg Kroah-Hartman ---- - fs/aio.c | 30 +++++++++++++++++------------- - 1 file changed, 17 insertions(+), 13 deletions(-) - -diff --git a/fs/aio.c b/fs/aio.c -index 3df3fb0678e5..b9e0df08277b 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -902,7 +902,7 @@ static void put_reqs_available(struct kioctx *ctx, unsigned nr) - local_irq_restore(flags); - } - --static bool get_reqs_available(struct kioctx *ctx) -+static bool __get_reqs_available(struct kioctx *ctx) - { - struct kioctx_cpu *kcpu; - bool ret = false; -@@ -994,6 +994,14 @@ static void user_refill_reqs_available(struct kioctx *ctx) - spin_unlock_irq(&ctx->completion_lock); - } - -+static bool get_reqs_available(struct kioctx *ctx) -+{ -+ if (__get_reqs_available(ctx)) -+ return true; -+ user_refill_reqs_available(ctx); -+ return __get_reqs_available(ctx); -+} -+ - /* aio_get_req - * Allocate a slot for an aio request. - * Returns NULL if no requests are free. 
-@@ -1002,24 +1010,15 @@ static inline struct aio_kiocb *aio_get_req(struct kioctx *ctx) - { - struct aio_kiocb *req; - -- if (!get_reqs_available(ctx)) { -- user_refill_reqs_available(ctx); -- if (!get_reqs_available(ctx)) -- return NULL; -- } -- - req = kmem_cache_alloc(kiocb_cachep, GFP_KERNEL|__GFP_ZERO); - if (unlikely(!req)) -- goto out_put; -+ return NULL; - - percpu_ref_get(&ctx->reqs); - INIT_LIST_HEAD(&req->ki_list); - refcount_set(&req->ki_refcnt, 0); - req->ki_ctx = ctx; - return req; --out_put: -- put_reqs_available(ctx, 1); -- return NULL; - } - - static struct kioctx *lookup_ioctx(unsigned long ctx_id) -@@ -1813,9 +1812,13 @@ static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb, - return -EINVAL; - } - -+ if (!get_reqs_available(ctx)) -+ return -EAGAIN; -+ -+ ret = -EAGAIN; - req = aio_get_req(ctx); - if (unlikely(!req)) -- return -EAGAIN; -+ goto out_put_reqs_available; - - if (iocb.aio_flags & IOCB_FLAG_RESFD) { - /* -@@ -1878,11 +1881,12 @@ static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb, - goto out_put_req; - return 0; - out_put_req: -- put_reqs_available(ctx, 1); - percpu_ref_put(&ctx->reqs); - if (req->ki_eventfd) - eventfd_ctx_put(req->ki_eventfd); - kmem_cache_free(kiocb_cachep, req); -+out_put_reqs_available: -+ put_reqs_available(ctx, 1); - return ret; - } - diff --git a/debian/patches/bugfix/all/0003-mm-prevent-get_user_pages-from-overflowing-page-refc.patch b/debian/patches/bugfix/all/0003-mm-prevent-get_user_pages-from-overflowing-page-refc.patch deleted file mode 100644 index 0b248a14f..000000000 --- a/debian/patches/bugfix/all/0003-mm-prevent-get_user_pages-from-overflowing-page-refc.patch +++ /dev/null 
@@ -1,155 +0,0 @@ -From: Linus Torvalds -Date: Thu, 11 Apr 2019 10:49:19 -0700 -Subject: mm: prevent get_user_pages() from overflowing page refcount -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=d972ebbf42ba6712460308ae57c222a0706f2af3 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11487 - -commit 8fde12ca79aff9b5ba951fce1a2641901b8d8e64 upstream. - -If the page refcount wraps around past zero, it will be freed while -there are still four billion references to it. One of the possible -avenues for an attacker to try to make this happen is by doing direct IO -on a page multiple times. This patch makes get_user_pages() refuse to -take a new page reference if there are already more than two billion -references to the page. - -Reported-by: Jann Horn -Acked-by: Matthew Wilcox -Cc: stable@kernel.org -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - mm/gup.c | 45 ++++++++++++++++++++++++++++++++++----------- - mm/hugetlb.c | 13 +++++++++++++ - 2 files changed, 47 insertions(+), 11 deletions(-) - -diff --git a/mm/gup.c b/mm/gup.c -index 0a5374e6e82d..caadd31714a5 100644 ---- a/mm/gup.c -+++ b/mm/gup.c -@@ -153,7 +153,10 @@ static struct page *follow_page_pte(struct vm_area_struct *vma, - } - - if (flags & FOLL_GET) { -- get_page(page); -+ if (unlikely(!try_get_page(page))) { -+ page = ERR_PTR(-ENOMEM); -+ goto out; -+ } - - /* drop the pgmap reference now that we hold the page */ - if (pgmap) { -@@ -296,7 +299,10 @@ static struct page *follow_pmd_mask(struct vm_area_struct *vma, - if (pmd_trans_unstable(pmd)) - ret = -EBUSY; - } else { -- get_page(page); -+ if (unlikely(!try_get_page(page))) { -+ spin_unlock(ptl); -+ return ERR_PTR(-ENOMEM); -+ } - spin_unlock(ptl); - lock_page(page); - ret = split_huge_page(page); -@@ -480,7 +486,10 @@ static int get_gate_page(struct mm_struct *mm, unsigned long address, - if (is_device_public_page(*page)) - goto unmap; - } -- get_page(*page); 
-+ if (unlikely(!try_get_page(*page))) { -+ ret = -ENOMEM; -+ goto unmap; -+ } - out: - ret = 0; - unmap: -@@ -1368,6 +1377,20 @@ static void undo_dev_pagemap(int *nr, int nr_start, struct page **pages) - } - } - -+/* -+ * Return the compund head page with ref appropriately incremented, -+ * or NULL if that failed. -+ */ -+static inline struct page *try_get_compound_head(struct page *page, int refs) -+{ -+ struct page *head = compound_head(page); -+ if (WARN_ON_ONCE(page_ref_count(head) < 0)) -+ return NULL; -+ if (unlikely(!page_cache_add_speculative(head, refs))) -+ return NULL; -+ return head; -+} -+ - #ifdef CONFIG_ARCH_HAS_PTE_SPECIAL - static int gup_pte_range(pmd_t pmd, unsigned long addr, unsigned long end, - int write, struct page **pages, int *nr) -@@ -1402,9 +1425,9 @@ static int gup_pte_range(pmd_t pmd, unsigned long addr, unsigned long end, - - VM_BUG_ON(!pfn_valid(pte_pfn(pte))); - page = pte_page(pte); -- head = compound_head(page); - -- if (!page_cache_get_speculative(head)) -+ head = try_get_compound_head(page, 1); -+ if (!head) - goto pte_unmap; - - if (unlikely(pte_val(pte) != pte_val(*ptep))) { -@@ -1543,8 +1566,8 @@ static int gup_huge_pmd(pmd_t orig, pmd_t *pmdp, unsigned long addr, - refs++; - } while (addr += PAGE_SIZE, addr != end); - -- head = compound_head(pmd_page(orig)); -- if (!page_cache_add_speculative(head, refs)) { -+ head = try_get_compound_head(pmd_page(orig), refs); -+ if (!head) { - *nr -= refs; - return 0; - } -@@ -1581,8 +1604,8 @@ static int gup_huge_pud(pud_t orig, pud_t *pudp, unsigned long addr, - refs++; - } while (addr += PAGE_SIZE, addr != end); - -- head = compound_head(pud_page(orig)); -- if (!page_cache_add_speculative(head, refs)) { -+ head = try_get_compound_head(pud_page(orig), refs); -+ if (!head) { - *nr -= refs; - return 0; - } -@@ -1618,8 +1641,8 @@ static int gup_huge_pgd(pgd_t orig, pgd_t *pgdp, unsigned long addr, - refs++; - } while (addr += PAGE_SIZE, addr != end); - -- head = 
compound_head(pgd_page(orig)); -- if (!page_cache_add_speculative(head, refs)) { -+ head = try_get_compound_head(pgd_page(orig), refs); -+ if (!head) { - *nr -= refs; - return 0; - } -diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index 9e5f66cbf711..5fb779cda972 100644 ---- a/mm/hugetlb.c -+++ b/mm/hugetlb.c -@@ -4299,6 +4299,19 @@ long follow_hugetlb_page(struct mm_struct *mm, struct vm_area_struct *vma, - - pfn_offset = (vaddr & ~huge_page_mask(h)) >> PAGE_SHIFT; - page = pte_page(huge_ptep_get(pte)); -+ -+ /* -+ * Instead of doing 'try_get_page()' below in the same_page -+ * loop, just check the count once here. -+ */ -+ if (unlikely(page_count(page) <= 0)) { -+ if (pages) { -+ spin_unlock(ptl); -+ remainder = 0; -+ err = -ENOMEM; -+ break; -+ } -+ } - same_page: - if (pages) { - pages[i] = mem_map_offset(page, pfn_offset); diff --git a/debian/patches/bugfix/all/0004-aio-don-t-zero-entire-aio_kiocb-aio_get_req.patch b/debian/patches/bugfix/all/0004-aio-don-t-zero-entire-aio_kiocb-aio_get_req.patch deleted file mode 100644 index fd67573e3..000000000 --- a/debian/patches/bugfix/all/0004-aio-don-t-zero-entire-aio_kiocb-aio_get_req.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From: Jens Axboe -Date: Tue, 4 Dec 2018 09:44:49 -0700 -Subject: [04/14] aio: don't zero entire aio_kiocb aio_get_req() -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=ef529eead8cfc11c051b90d239e7137f7141ea94 - -commit 2bc4ca9bb600cbe36941da2b2a67189fc4302a04 upstream. - -It's 192 bytes, fairly substantial. Most items don't need to be cleared, -especially not upfront. Clear the ones we do need to clear, and leave -the other ones for setup when the iocb is prepared and submitted. - -Reviewed-by: Christoph Hellwig -Signed-off-by: Jens Axboe -Cc: Guenter Roeck -Signed-off-by: Greg Kroah-Hartman ---- - fs/aio.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/fs/aio.c b/fs/aio.c -index b9e0df08277b..2547f17b4fef 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -1010,14 +1010,15 @@ static inline struct aio_kiocb *aio_get_req(struct kioctx *ctx) - { - struct aio_kiocb *req; - -- req = kmem_cache_alloc(kiocb_cachep, GFP_KERNEL|__GFP_ZERO); -+ req = kmem_cache_alloc(kiocb_cachep, GFP_KERNEL); - if (unlikely(!req)) - return NULL; - - percpu_ref_get(&ctx->reqs); -+ req->ki_ctx = ctx; - INIT_LIST_HEAD(&req->ki_list); - refcount_set(&req->ki_refcnt, 0); -- req->ki_ctx = ctx; -+ req->ki_eventfd = NULL; - return req; - } - -@@ -1738,6 +1739,10 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, struct iocb *iocb) - if (unlikely(!req->file)) - return -EBADF; - -+ req->head = NULL; -+ req->woken = false; -+ req->cancelled = false; -+ - apt.pt._qproc = aio_poll_queue_proc; - apt.pt._key = req->events; - apt.iocb = aiocb; diff --git a/debian/patches/bugfix/all/0004-fs-prevent-page-refcount-overflow-in-pipe_buf_get.patch b/debian/patches/bugfix/all/0004-fs-prevent-page-refcount-overflow-in-pipe_buf_get.patch deleted file mode 100644 index 4ff0c4f7d..000000000 --- a/debian/patches/bugfix/all/0004-fs-prevent-page-refcount-overflow-in-pipe_buf_get.patch +++ /dev/null 
@@ -1,162 +0,0 @@ -From: Matthew Wilcox -Date: Fri, 5 Apr 2019 14:02:10 -0700 -Subject: fs: prevent page refcount overflow in pipe_buf_get -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=0311ff82b70fa12e80d188635bff24029ec06ae1 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11487 - -commit 15fab63e1e57be9fdb5eec1bbc5916e9825e9acb upstream. - -Change pipe_buf_get() to return a bool indicating whether it succeeded -in raising the refcount of the page (if the thing in the pipe is a page). -This removes another mechanism for overflowing the page refcount. All -callers converted to handle a failure. - -Reported-by: Jann Horn -Signed-off-by: Matthew Wilcox -Cc: stable@kernel.org -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - fs/fuse/dev.c | 12 ++++++------ - fs/pipe.c | 4 ++-- - fs/splice.c | 12 ++++++++++-- - include/linux/pipe_fs_i.h | 10 ++++++---- - kernel/trace/trace.c | 6 +++++- - 5 files changed, 29 insertions(+), 15 deletions(-) - ---- a/fs/fuse/dev.c -+++ b/fs/fuse/dev.c -@@ -1989,10 +1989,8 @@ static ssize_t fuse_dev_splice_write(str - rem += pipe->bufs[(pipe->curbuf + idx) & (pipe->buffers - 1)].len; - - ret = -EINVAL; -- if (rem < len) { -- pipe_unlock(pipe); -- goto out; -- } -+ if (rem < len) -+ goto out_free; - - rem = len; - while (rem) { -@@ -2010,7 +2008,9 @@ static ssize_t fuse_dev_splice_write(str - pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1); - pipe->nrbufs--; - } else { -- pipe_buf_get(pipe, ibuf); -+ if (!pipe_buf_get(pipe, ibuf)) -+ goto out_free; -+ - *obuf = *ibuf; - obuf->flags &= ~PIPE_BUF_FLAG_GIFT; - obuf->len = rem; -@@ -2033,11 +2033,11 @@ static ssize_t fuse_dev_splice_write(str - ret = fuse_dev_do_write(fud, &cs, len); - - pipe_lock(pipe); -+out_free: - for (idx = 0; idx < nbuf; idx++) - pipe_buf_release(pipe, &bufs[idx]); - pipe_unlock(pipe); - --out: - kvfree(bufs); - return ret; - } ---- a/fs/pipe.c -+++ b/fs/pipe.c -@@ -189,9 
+189,9 @@ EXPORT_SYMBOL(generic_pipe_buf_steal); - * in the tee() system call, when we duplicate the buffers in one - * pipe into another. - */ --void generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf) -+bool generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf) - { -- get_page(buf->page); -+ return try_get_page(buf->page); - } - EXPORT_SYMBOL(generic_pipe_buf_get); - ---- a/fs/splice.c -+++ b/fs/splice.c -@@ -1586,7 +1586,11 @@ retry: - * Get a reference to this pipe buffer, - * so we can copy the contents over. - */ -- pipe_buf_get(ipipe, ibuf); -+ if (!pipe_buf_get(ipipe, ibuf)) { -+ if (ret == 0) -+ ret = -EFAULT; -+ break; -+ } - *obuf = *ibuf; - - /* -@@ -1660,7 +1664,11 @@ static int link_pipe(struct pipe_inode_i - * Get a reference to this pipe buffer, - * so we can copy the contents over. - */ -- pipe_buf_get(ipipe, ibuf); -+ if (!pipe_buf_get(ipipe, ibuf)) { -+ if (ret == 0) -+ ret = -EFAULT; -+ break; -+ } - - obuf = opipe->bufs + nbuf; - *obuf = *ibuf; ---- a/include/linux/pipe_fs_i.h -+++ b/include/linux/pipe_fs_i.h -@@ -108,18 +108,20 @@ struct pipe_buf_operations { - /* - * Get a reference to the pipe buffer. - */ -- void (*get)(struct pipe_inode_info *, struct pipe_buffer *); -+ bool (*get)(struct pipe_inode_info *, struct pipe_buffer *); - }; - - /** - * pipe_buf_get - get a reference to a pipe_buffer - * @pipe: the pipe that the buffer belongs to - * @buf: the buffer to get a reference to -+ * -+ * Return: %true if the reference was successfully obtained. 
- */ --static inline void pipe_buf_get(struct pipe_inode_info *pipe, -+static inline __must_check bool pipe_buf_get(struct pipe_inode_info *pipe, - struct pipe_buffer *buf) - { -- buf->ops->get(pipe, buf); -+ return buf->ops->get(pipe, buf); - } - - /** -@@ -178,7 +180,7 @@ struct pipe_inode_info *alloc_pipe_info( - void free_pipe_info(struct pipe_inode_info *); - - /* Generic pipe buffer ops functions */ --void generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *); -+bool generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *); - int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *); - int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *); - int generic_pipe_buf_nosteal(struct pipe_inode_info *, struct pipe_buffer *); ---- a/kernel/trace/trace.c -+++ b/kernel/trace/trace.c -@@ -6820,12 +6820,16 @@ static void buffer_pipe_buf_release(stru - buf->private = 0; - } - --static void buffer_pipe_buf_get(struct pipe_inode_info *pipe, -+static bool buffer_pipe_buf_get(struct pipe_inode_info *pipe, - struct pipe_buffer *buf) - { - struct buffer_ref *ref = (struct buffer_ref *)buf->private; - -+ if (refcount_read(&ref->refcount) > INT_MAX/2) -+ return false; -+ - refcount_inc(&ref->refcount); -+ return true; - } - - /* Pipe buffer operations for a buffer. */ diff --git a/debian/patches/bugfix/all/0005-aio-use-iocb_put-instead-of-open-coding-it.patch b/debian/patches/bugfix/all/0005-aio-use-iocb_put-instead-of-open-coding-it.patch deleted file mode 100644 index 50564dd0b..000000000 --- a/debian/patches/bugfix/all/0005-aio-use-iocb_put-instead-of-open-coding-it.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From: Jens Axboe -Date: Sat, 24 Nov 2018 21:33:09 -0700 -Subject: [05/14] aio: use iocb_put() instead of open coding it -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=4d677689742ab60d5be46e20708276368564427a - -commit 71ebc6fef0f53459f37fb39e1466792232fa52ee upstream. - -Replace the percpu_ref_put() + kmem_cache_free() with a call to -iocb_put() instead. - -Reviewed-by: Christoph Hellwig -Signed-off-by: Jens Axboe -Cc: Guenter Roeck -Signed-off-by: Greg Kroah-Hartman ---- - fs/aio.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/fs/aio.c b/fs/aio.c -index 2547f17b4fef..e2b63ab28ecc 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -1886,10 +1886,9 @@ static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb, - goto out_put_req; - return 0; - out_put_req: -- percpu_ref_put(&ctx->reqs); - if (req->ki_eventfd) - eventfd_ctx_put(req->ki_eventfd); -- kmem_cache_free(kiocb_cachep, req); -+ iocb_put(req); - out_put_reqs_available: - put_reqs_available(ctx, 1); - return ret; diff --git a/debian/patches/bugfix/all/0006-aio-split-out-iocb-copy-from-io_submit_one.patch b/debian/patches/bugfix/all/0006-aio-split-out-iocb-copy-from-io_submit_one.patch deleted file mode 100644 index 8ea8bdc29..000000000 --- a/debian/patches/bugfix/all/0006-aio-split-out-iocb-copy-from-io_submit_one.patch +++ /dev/null 
@@ -1,194 +0,0 @@
-From: Jens Axboe
-Date: Sat, 24 Nov 2018 14:46:14 -0700
-Subject: [06/14] aio: split out iocb copy from io_submit_one()
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=d384f8b855a573ea301fd7f5558cc64cb22107e6
-
-commit 88a6f18b950e2e4dce57d31daa151105f4f3dcff upstream.
-
-In preparation of handing in iocbs in a different fashion as well. Also
-make it clear that the iocb being passed in isn't modified, by marking
-it const throughout.
-
-Reviewed-by: Christoph Hellwig
-Signed-off-by: Jens Axboe
-Cc: Guenter Roeck
-Signed-off-by: Greg Kroah-Hartman
----
- fs/aio.c | 68 +++++++++++++++++++++++++++++++-------------------------
- 1 file changed, 38 insertions(+), 30 deletions(-)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index e2b63ab28ecc..6e1da220f04b 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -1416,7 +1416,7 @@ static void aio_complete_rw(struct kiocb *kiocb, long res, long res2)
- aio_complete(iocb, res, res2);
- }
-
--static int aio_prep_rw(struct kiocb *req, struct iocb *iocb)
-+static int aio_prep_rw(struct kiocb *req, const struct iocb *iocb)
- {
- int ret;
-
-@@ -1457,7 +1457,7 @@ static int aio_prep_rw(struct kiocb *req, struct iocb *iocb)
- return ret;
- }
-
--static int aio_setup_rw(int rw, struct iocb *iocb, struct iovec **iovec,
-+static int aio_setup_rw(int rw, const struct iocb *iocb, struct iovec **iovec,
- bool vectored, bool compat, struct iov_iter *iter)
- {
- void __user *buf = (void __user *)(uintptr_t)iocb->aio_buf;
-@@ -1496,8 +1496,8 @@ static inline void aio_rw_done(struct kiocb *req, ssize_t ret)
- }
- }
-
--static ssize_t aio_read(struct kiocb *req, struct iocb *iocb, bool vectored,
-- bool compat)
-+static ssize_t aio_read(struct kiocb *req, const struct iocb *iocb,
-+ bool vectored, bool compat)
- {
- struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
- struct iov_iter iter;
-@@ -1529,8 +1529,8 @@ static ssize_t aio_read(struct kiocb *req, struct iocb *iocb, bool vectored,
- 
return ret;
- }
-
--static ssize_t aio_write(struct kiocb *req, struct iocb *iocb, bool vectored,
-- bool compat)
-+static ssize_t aio_write(struct kiocb *req, const struct iocb *iocb,
-+ bool vectored, bool compat)
- {
- struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
- struct iov_iter iter;
-@@ -1585,7 +1585,8 @@ static void aio_fsync_work(struct work_struct *work)
- aio_complete(container_of(req, struct aio_kiocb, fsync), ret, 0);
- }
-
--static int aio_fsync(struct fsync_iocb *req, struct iocb *iocb, bool datasync)
-+static int aio_fsync(struct fsync_iocb *req, const struct iocb *iocb,
-+ bool datasync)
- {
- if (unlikely(iocb->aio_buf || iocb->aio_offset || iocb->aio_nbytes ||
- iocb->aio_rw_flags))
-@@ -1719,7 +1720,7 @@ aio_poll_queue_proc(struct file *file, struct wait_queue_head *head,
- add_wait_queue(head, &pt->iocb->poll.wait);
- }
-
--static ssize_t aio_poll(struct aio_kiocb *aiocb, struct iocb *iocb)
-+static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb)
- {
- struct kioctx *ctx = aiocb->ki_ctx;
- struct poll_iocb *req = &aiocb->poll;
-@@ -1791,27 +1792,23 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, struct iocb *iocb)
- return 0;
- }
-
--static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
-- bool compat)
-+static int __io_submit_one(struct kioctx *ctx, const struct iocb *iocb,
-+ struct iocb __user *user_iocb, bool compat)
- {
- struct aio_kiocb *req;
-- struct iocb iocb;
- ssize_t ret;
-
-- if (unlikely(copy_from_user(&iocb, user_iocb, sizeof(iocb))))
-- return -EFAULT;
--
- /* enforce forwards compatibility on users */
-- if (unlikely(iocb.aio_reserved2)) {
-+ if (unlikely(iocb->aio_reserved2)) {
- pr_debug("EINVAL: reserve field set\n");
- return -EINVAL;
- }
-
- /* prevent overflows */
- if (unlikely(
-- (iocb.aio_buf != (unsigned long)iocb.aio_buf) ||
-- (iocb.aio_nbytes != (size_t)iocb.aio_nbytes) ||
-- ((ssize_t)iocb.aio_nbytes < 0)
-+ (iocb->aio_buf != (unsigned 
long)iocb->aio_buf) ||
-+ (iocb->aio_nbytes != (size_t)iocb->aio_nbytes) ||
-+ ((ssize_t)iocb->aio_nbytes < 0)
- )) {
- pr_debug("EINVAL: overflow check\n");
- return -EINVAL;
-@@ -1825,14 +1822,14 @@ static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
- if (unlikely(!req))
- goto out_put_reqs_available;
-
-- if (iocb.aio_flags & IOCB_FLAG_RESFD) {
-+ if (iocb->aio_flags & IOCB_FLAG_RESFD) {
- /*
- * If the IOCB_FLAG_RESFD flag of aio_flags is set, get an
- * instance of the file* now. The file descriptor must be
- * an eventfd() fd, and will be signaled for each completed
- * event using the eventfd_signal() function.
- */
-- req->ki_eventfd = eventfd_ctx_fdget((int) iocb.aio_resfd);
-+ req->ki_eventfd = eventfd_ctx_fdget((int) iocb->aio_resfd);
- if (IS_ERR(req->ki_eventfd)) {
- ret = PTR_ERR(req->ki_eventfd);
- req->ki_eventfd = NULL;
-@@ -1847,32 +1844,32 @@ static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
- }
-
- req->ki_user_iocb = user_iocb;
-- req->ki_user_data = iocb.aio_data;
-+ req->ki_user_data = iocb->aio_data;
-
-- switch (iocb.aio_lio_opcode) {
-+ switch (iocb->aio_lio_opcode) {
- case IOCB_CMD_PREAD:
-- ret = aio_read(&req->rw, &iocb, false, compat);
-+ ret = aio_read(&req->rw, iocb, false, compat);
- break;
- case IOCB_CMD_PWRITE:
-- ret = aio_write(&req->rw, &iocb, false, compat);
-+ ret = aio_write(&req->rw, iocb, false, compat);
- break;
- case IOCB_CMD_PREADV:
-- ret = aio_read(&req->rw, &iocb, true, compat);
-+ ret = aio_read(&req->rw, iocb, true, compat);
- break;
- case IOCB_CMD_PWRITEV:
-- ret = aio_write(&req->rw, &iocb, true, compat);
-+ ret = aio_write(&req->rw, iocb, true, compat);
- break;
- case IOCB_CMD_FSYNC:
-- ret = aio_fsync(&req->fsync, &iocb, false);
-+ ret = aio_fsync(&req->fsync, iocb, false);
- break;
- case IOCB_CMD_FDSYNC:
-- ret = aio_fsync(&req->fsync, &iocb, true);
-+ ret = aio_fsync(&req->fsync, iocb, true);
- break;
- case IOCB_CMD_POLL:
-- ret = aio_poll(req, &iocb);
-+ ret = aio_poll(req, iocb);
- break;
- default:
-- pr_debug("invalid aio operation %d\n", iocb.aio_lio_opcode);
-+ pr_debug("invalid aio operation %d\n", iocb->aio_lio_opcode);
- ret = -EINVAL;
- break;
- }
-@@ -1894,6 +1891,17 @@ static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
- return ret;
- }
-
-+static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
-+ bool compat)
-+{
-+ struct iocb iocb;
-+
-+ if (unlikely(copy_from_user(&iocb, user_iocb, sizeof(iocb))))
-+ return -EFAULT;
-+
-+ return __io_submit_one(ctx, &iocb, user_iocb, compat);
-+}
-+
- /* sys_io_submit:
- * Queue the nr iocbs pointed to by iocbpp for processing. Returns
- * the number of iocbs queued. May return -EINVAL if the aio_context
diff --git a/debian/patches/bugfix/all/0007-aio-abstract-out-io_event-filler-helper.patch b/debian/patches/bugfix/all/0007-aio-abstract-out-io_event-filler-helper.patch
deleted file mode 100644
index 13bf1e962..000000000
--- a/debian/patches/bugfix/all/0007-aio-abstract-out-io_event-filler-helper.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Jens Axboe
-Date: Tue, 20 Nov 2018 20:06:23 -0700
-Subject: [07/14] aio: abstract out io_event filler helper
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=a812f7b68a3940e0369fd0fb24febec794a67623
-
-commit 875736bb3f3ded168469f6a14df7a938416a99d5 upstream.
-
-Reviewed-by: Christoph Hellwig
-Signed-off-by: Jens Axboe
-Cc: Guenter Roeck
-Signed-off-by: Greg Kroah-Hartman
----
- fs/aio.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index 6e1da220f04b..f6ce01ca6903 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -1059,6 +1059,15 @@ static inline void iocb_put(struct aio_kiocb *iocb)
- }
- }
-
-+static void aio_fill_event(struct io_event *ev, struct aio_kiocb *iocb,
-+ long res, long res2)
-+{
-+ ev->obj = (u64)(unsigned long)iocb->ki_user_iocb;
-+ ev->data = iocb->ki_user_data;
-+ ev->res = res;
-+ ev->res2 = res2;
-+}
-+
- /* aio_complete
- * Called when the io request on the given iocb is complete.
- */
-@@ -1086,10 +1095,7 @@ static void aio_complete(struct aio_kiocb *iocb, long res, long res2)
- ev_page = kmap_atomic(ctx->ring_pages[pos / AIO_EVENTS_PER_PAGE]);
- event = ev_page + pos % AIO_EVENTS_PER_PAGE;
-
-- event->obj = (u64)(unsigned long)iocb->ki_user_iocb;
-- event->data = iocb->ki_user_data;
-- event->res = res;
-- event->res2 = res2;
-+ aio_fill_event(event, iocb, res, res2);
-
- kunmap_atomic(ev_page);
- flush_dcache_page(ctx->ring_pages[pos / AIO_EVENTS_PER_PAGE]);
diff --git a/debian/patches/bugfix/all/0008-aio-initialize-kiocb-private-in-case-any-filesystems.patch b/debian/patches/bugfix/all/0008-aio-initialize-kiocb-private-in-case-any-filesystems.patch
deleted file mode 100644
index 8276851ee..000000000
--- a/debian/patches/bugfix/all/0008-aio-initialize-kiocb-private-in-case-any-filesystems.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Mike Marshall
-Date: Tue, 5 Feb 2019 14:13:35 -0500
-Subject: [08/14] aio: initialize kiocb private in case any filesystems expect
- it.
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=2afa01cd9186974051b38b7d1f31bb2407e41e3a
-
-commit ec51f8ee1e63498e9f521ec0e5a6d04622bb2c67 upstream.
-
-A recent optimization had left private uninitialized.
-
-Fixes: 2bc4ca9bb600 ("aio: don't zero entire aio_kiocb aio_get_req()")
-Reviewed-by: Christoph Hellwig
-Signed-off-by: Mike Marshall
-Signed-off-by: Jens Axboe
-Cc: Guenter Roeck
-Signed-off-by: Greg Kroah-Hartman
----
- fs/aio.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index f6ce01ca6903..d74fc9e112ac 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -1430,6 +1430,7 @@ static int aio_prep_rw(struct kiocb *req, const struct iocb *iocb)
- if (unlikely(!req->ki_filp))
- return -EBADF;
- req->ki_complete = aio_complete_rw;
-+ req->private = NULL;
- req->ki_pos = iocb->aio_offset;
- req->ki_flags = iocb_flags(req->ki_filp);
- if (iocb->aio_flags & IOCB_FLAG_RESFD)
diff --git a/debian/patches/bugfix/all/0009-aio-simplify-and-fix-fget-fput-for-io_submit.patch b/debian/patches/bugfix/all/0009-aio-simplify-and-fix-fget-fput-for-io_submit.patch
deleted file mode 100644
index e7e2d8d4a..000000000
--- a/debian/patches/bugfix/all/0009-aio-simplify-and-fix-fget-fput-for-io_submit.patch
+++ /dev/null
@@ -1,312 +0,0 @@ -From: Linus Torvalds -Date: Sun, 3 Mar 2019 14:23:33 -0800 -Subject: [09/14] aio: simplify - and fix - fget/fput for io_submit() -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=d6b2615f7d31d8e58b685d42dbafcc7dc1204bbd -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-10125 - -commit 84c4e1f89fefe70554da0ab33be72c9be7994379 upstream. - -Al Viro root-caused a race where the IOCB_CMD_POLL handling of -fget/fput() could cause us to access the file pointer after it had -already been freed: - - "In more details - normally IOCB_CMD_POLL handling looks so: - - 1) io_submit(2) allocates aio_kiocb instance and passes it to - aio_poll() - - 2) aio_poll() resolves the descriptor to struct file by req->file = - fget(iocb->aio_fildes) - - 3) aio_poll() sets ->woken to false and raises ->ki_refcnt of that - aio_kiocb to 2 (bumps by 1, that is). - - 4) aio_poll() calls vfs_poll(). After sanity checks (basically, - "poll_wait() had been called and only once") it locks the queue. - That's what the extra reference to iocb had been for - we know we - can safely access it. - - 5) With queue locked, we check if ->woken has already been set to - true (by aio_poll_wake()) and, if it had been, we unlock the - queue, drop a reference to aio_kiocb and bugger off - at that - point it's a responsibility to aio_poll_wake() and the stuff - called/scheduled by it. That code will drop the reference to file - in req->file, along with the other reference to our aio_kiocb. - - 6) otherwise, we see whether we need to wait. If we do, we unlock the - queue, drop one reference to aio_kiocb and go away - eventual - wakeup (or cancel) will deal with the reference to file and with - the other reference to aio_kiocb - - 7) otherwise we remove ourselves from waitqueue (still under the - queue lock), so that wakeup won't get us. No async activity will - be happening, so we can safely drop req->file and iocb ourselves. 
- - If wakeup happens while we are in vfs_poll(), we are fine - aio_kiocb - won't get freed under us, so we can do all the checks and locking - safely. And we don't touch ->file if we detect that case. - - However, vfs_poll() most certainly *does* touch the file it had been - given. So wakeup coming while we are still in ->poll() might end up - doing fput() on that file. That case is not too rare, and usually we - are saved by the still present reference from descriptor table - that - fput() is not the final one. - - But if another thread closes that descriptor right after our fget() - and wakeup does happen before ->poll() returns, we are in trouble - - final fput() done while we are in the middle of a method: - -Al also wrote a patch to take an extra reference to the file descriptor -to fix this, but I instead suggested we just streamline the whole file -pointer handling by submit_io() so that the generic aio submission code -simply keeps the file pointer around until the aio has completed. - -Fixes: bfe4037e722e ("aio: implement IOCB_CMD_POLL") -Acked-by: Al Viro -Reported-by: syzbot+503d4cc169fcec1cb18c@syzkaller.appspotmail.com -Signed-off-by: Linus Torvalds -Cc: Guenter Roeck -Signed-off-by: Greg Kroah-Hartman ---- - fs/aio.c | 72 +++++++++++++++++++--------------------------- - include/linux/fs.h | 8 +++++- - 2 files changed, 36 insertions(+), 44 deletions(-) - -diff --git a/fs/aio.c b/fs/aio.c -index d74fc9e112ac..46229e663b57 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -161,9 +161,13 @@ struct kioctx { - unsigned id; - }; - -+/* -+ * First field must be the file pointer in all the -+ * iocb unions! See also 'struct kiocb' in -+ */ - struct fsync_iocb { -- struct work_struct work; - struct file *file; -+ struct work_struct work; - bool datasync; - }; - -@@ -177,8 +181,15 @@ struct poll_iocb { - struct work_struct work; - }; - -+/* -+ * NOTE! Each of the iocb union members has the file pointer -+ * as the first entry in their struct definition. 
So you can
-+ * access the file pointer through any of the sub-structs,
-+ * or directly as just 'ki_filp' in this struct.
-+ */
- struct aio_kiocb {
- union {
-+ struct file *ki_filp;
- struct kiocb rw;
- struct fsync_iocb fsync;
- struct poll_iocb poll;
-@@ -1054,6 +1065,8 @@ static inline void iocb_put(struct aio_kiocb *iocb)
- {
- if (refcount_read(&iocb->ki_refcnt) == 0 ||
- refcount_dec_and_test(&iocb->ki_refcnt)) {
-+ if (iocb->ki_filp)
-+ fput(iocb->ki_filp);
- percpu_ref_put(&iocb->ki_ctx->reqs);
- kmem_cache_free(kiocb_cachep, iocb);
- }
-@@ -1418,7 +1431,6 @@ static void aio_complete_rw(struct kiocb *kiocb, long res, long res2)
- file_end_write(kiocb->ki_filp);
- }
-
-- fput(kiocb->ki_filp);
- aio_complete(iocb, res, res2);
- }
-
-@@ -1426,9 +1438,6 @@ static int aio_prep_rw(struct kiocb *req, const struct iocb *iocb)
- {
- int ret;
-
-- req->ki_filp = fget(iocb->aio_fildes);
-- if (unlikely(!req->ki_filp))
-- return -EBADF;
- req->ki_complete = aio_complete_rw;
- req->private = NULL;
- req->ki_pos = iocb->aio_offset;
-@@ -1445,7 +1454,7 @@ static int aio_prep_rw(struct kiocb *req, const struct iocb *iocb)
- ret = ioprio_check_cap(iocb->aio_reqprio);
- if (ret) {
- pr_debug("aio ioprio check cap error: %d\n", ret);
-- goto out_fput;
-+ return ret;
- }
-
- req->ki_ioprio = iocb->aio_reqprio;
-@@ -1454,14 +1463,10 @@ static int aio_prep_rw(struct kiocb *req, const struct iocb *iocb)
-
- ret = kiocb_set_rw_flags(req, iocb->aio_rw_flags);
- if (unlikely(ret))
-- goto out_fput;
-+ return ret;
-
- req->ki_flags &= ~IOCB_HIPRI; /* no one is going to poll for this I/O */
- return 0;
--
--out_fput:
-- fput(req->ki_filp);
-- return ret;
- }
-
- static int aio_setup_rw(int rw, const struct iocb *iocb, struct iovec **iovec,
-@@ -1515,24 +1520,19 @@ static ssize_t aio_read(struct kiocb *req, const struct iocb *iocb,
- if (ret)
- return ret;
- file = req->ki_filp;
--
-- ret = -EBADF;
- if (unlikely(!(file->f_mode & FMODE_READ)))
-- goto out_fput;
-+ return -EBADF;
- 
ret = -EINVAL;
- if (unlikely(!file->f_op->read_iter))
-- goto out_fput;
-+ return -EINVAL;
-
- ret = aio_setup_rw(READ, iocb, &iovec, vectored, compat, &iter);
- if (ret)
-- goto out_fput;
-+ return ret;
- ret = rw_verify_area(READ, file, &req->ki_pos, iov_iter_count(&iter));
- if (!ret)
- aio_rw_done(req, call_read_iter(file, req, &iter));
- kfree(iovec);
--out_fput:
-- if (unlikely(ret))
-- fput(file);
- return ret;
- }
-
-@@ -1549,16 +1549,14 @@ static ssize_t aio_write(struct kiocb *req, const struct iocb *iocb,
- return ret;
- file = req->ki_filp;
-
-- ret = -EBADF;
- if (unlikely(!(file->f_mode & FMODE_WRITE)))
-- goto out_fput;
-- ret = -EINVAL;
-+ return -EBADF;
- if (unlikely(!file->f_op->write_iter))
-- goto out_fput;
-+ return -EINVAL;
-
- ret = aio_setup_rw(WRITE, iocb, &iovec, vectored, compat, &iter);
- if (ret)
-- goto out_fput;
-+ return ret;
- ret = rw_verify_area(WRITE, file, &req->ki_pos, iov_iter_count(&iter));
- if (!ret) {
- /*
-@@ -1576,9 +1574,6 @@ static ssize_t aio_write(struct kiocb *req, const struct iocb *iocb,
- aio_rw_done(req, call_write_iter(file, req, &iter));
- }
- kfree(iovec);
--out_fput:
-- if (unlikely(ret))
-- fput(file);
- return ret;
- }
-
-@@ -1588,7 +1583,6 @@ static void aio_fsync_work(struct work_struct *work)
- int ret;
-
- ret = vfs_fsync(req->file, req->datasync);
-- fput(req->file);
- aio_complete(container_of(req, struct aio_kiocb, fsync), ret, 0);
- }
-
-@@ -1599,13 +1593,8 @@ static int aio_fsync(struct fsync_iocb *req, const struct iocb *iocb,
- iocb->aio_rw_flags))
- return -EINVAL;
-
-- req->file = fget(iocb->aio_fildes);
-- if (unlikely(!req->file))
-- return -EBADF;
-- if (unlikely(!req->file->f_op->fsync)) {
-- fput(req->file);
-+ if (unlikely(!req->file->f_op->fsync))
- return -EINVAL;
-- }
-
- req->datasync = datasync;
- INIT_WORK(&req->work, aio_fsync_work);
-@@ -1615,10 +1604,7 @@ static int aio_fsync(struct fsync_iocb *req, const struct iocb *iocb,
-
- static inline void aio_poll_complete(struct 
aio_kiocb *iocb, __poll_t mask)
- {
-- struct file *file = iocb->poll.file;
--
- aio_complete(iocb, mangle_poll(mask), 0);
-- fput(file);
- }
-
- static void aio_poll_complete_work(struct work_struct *work)
-@@ -1743,9 +1729,6 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb)
-
- INIT_WORK(&req->work, aio_poll_complete_work);
- req->events = demangle_poll(iocb->aio_buf) | EPOLLERR | EPOLLHUP;
-- req->file = fget(iocb->aio_fildes);
-- if (unlikely(!req->file))
-- return -EBADF;
-
- req->head = NULL;
- req->woken = false;
-@@ -1788,10 +1771,8 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb)
- spin_unlock_irq(&ctx->ctx_lock);
-
- out:
-- if (unlikely(apt.error)) {
-- fput(req->file);
-+ if (unlikely(apt.error))
- return apt.error;
-- }
-
- if (mask)
- aio_poll_complete(aiocb, mask);
-@@ -1829,6 +1810,11 @@ static int __io_submit_one(struct kioctx *ctx, const struct iocb *iocb,
- if (unlikely(!req))
- goto out_put_reqs_available;
-
-+ req->ki_filp = fget(iocb->aio_fildes);
-+ ret = -EBADF;
-+ if (unlikely(!req->ki_filp))
-+ goto out_put_req;
-+
- if (iocb->aio_flags & IOCB_FLAG_RESFD) {
- /*
- * If the IOCB_FLAG_RESFD flag of aio_flags is set, get an
-diff --git a/include/linux/fs.h b/include/linux/fs.h
-index 7b6084854bfe..111c94c4baa1 100644
---- a/include/linux/fs.h
-+++ b/include/linux/fs.h
-@@ -304,13 +304,19 @@ enum rw_hint {
-
- struct kiocb {
- struct file *ki_filp;
-+
-+ /* The 'ki_filp' pointer is shared in a union for aio */
-+ randomized_struct_fields_start
-+
- loff_t ki_pos;
- void (*ki_complete)(struct kiocb *iocb, long ret, long ret2);
- void *private;
- int ki_flags;
- u16 ki_hint;
- u16 ki_ioprio; /* See linux/ioprio.h */
--} __randomize_layout;
-+
-+ randomized_struct_fields_end
-+};
-
- static inline bool is_sync_kiocb(struct kiocb *kiocb)
- {
diff --git a/debian/patches/bugfix/all/0010-pin-iocb-through-aio.patch b/debian/patches/bugfix/all/0010-pin-iocb-through-aio.patch
deleted file mode 100644
index 210086fcc..000000000
--- a/debian/patches/bugfix/all/0010-pin-iocb-through-aio.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From: Linus Torvalds
-Date: Wed, 6 Mar 2019 20:22:54 -0500
-Subject: [10/14] pin iocb through aio.
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=c7f2525abfecf8a57a1417837b6a809df79b299e
-
-commit b53119f13a04879c3bf502828d99d13726639ead upstream.
-
-aio_poll() is not the only case that needs file pinned; worse, while
-aio_read()/aio_write() can live without pinning iocb itself, the
-proof is rather brittle and can easily break on later changes.
-
-Signed-off-by: Linus Torvalds
-Signed-off-by: Al Viro
-Cc: Guenter Roeck
-Signed-off-by: Greg Kroah-Hartman
----
- fs/aio.c | 37 +++++++++++++++++++++----------------
- 1 file changed, 21 insertions(+), 16 deletions(-)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index 46229e663b57..10e5a8f52dce 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -1016,6 +1016,9 @@ static bool get_reqs_available(struct kioctx *ctx)
- /* aio_get_req
- * Allocate a slot for an aio request.
- * Returns NULL if no requests are free.
-+ *
-+ * The refcount is initialized to 2 - one for the async op completion,
-+ * one for the synchronous code that does this.
- */
- static inline struct aio_kiocb *aio_get_req(struct kioctx *ctx)
- {
-@@ -1028,7 +1031,7 @@ static inline struct aio_kiocb *aio_get_req(struct kioctx *ctx)
- percpu_ref_get(&ctx->reqs);
- req->ki_ctx = ctx;
- INIT_LIST_HEAD(&req->ki_list);
-- refcount_set(&req->ki_refcnt, 0);
-+ refcount_set(&req->ki_refcnt, 2);
- req->ki_eventfd = NULL;
- return req;
- }
-@@ -1061,15 +1064,18 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id)
- return ret;
- }
-
-+static inline void iocb_destroy(struct aio_kiocb *iocb)
-+{
-+ if (iocb->ki_filp)
-+ fput(iocb->ki_filp);
-+ percpu_ref_put(&iocb->ki_ctx->reqs);
-+ kmem_cache_free(kiocb_cachep, iocb);
-+}
-+
- static inline void iocb_put(struct aio_kiocb *iocb)
- {
-- if (refcount_read(&iocb->ki_refcnt) == 0 ||
-- refcount_dec_and_test(&iocb->ki_refcnt)) {
-- if (iocb->ki_filp)
-- fput(iocb->ki_filp);
-- percpu_ref_put(&iocb->ki_ctx->reqs);
-- kmem_cache_free(kiocb_cachep, iocb);
-- }
-+ if (refcount_dec_and_test(&iocb->ki_refcnt))
-+ iocb_destroy(iocb);
- }
-
- static void aio_fill_event(struct io_event *ev, struct aio_kiocb *iocb,
-@@ -1743,9 +1749,6 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb)
- INIT_LIST_HEAD(&req->wait.entry);
- init_waitqueue_func_entry(&req->wait, aio_poll_wake);
-
-- /* one for removal from waitqueue, one for this function */
-- refcount_set(&aiocb->ki_refcnt, 2);
--
- mask = vfs_poll(req->file, &apt.pt) & req->events;
- if (unlikely(!req->head)) {
- /* we did not manage to set up a waitqueue, done */
-@@ -1776,7 +1779,6 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb)
-
- if (mask)
- aio_poll_complete(aiocb, mask);
-- iocb_put(aiocb);
- return 0;
- }
-
-@@ -1867,18 +1869,21 @@ static int __io_submit_one(struct kioctx *ctx, const struct iocb *iocb,
- break;
- }
-
-+ /* Done with the synchronous reference */
-+ iocb_put(req);
-+
- /*
- * If ret is 0, we'd either done aio_complete() ourselves or have
- * arranged for that to be done 
asynchronously. Anything non-zero
- * means that we need to destroy req ourselves.
- */
-- if (ret)
-- goto out_put_req;
-- return 0;
-+ if (!ret)
-+ return 0;
-+
- out_put_req:
- if (req->ki_eventfd)
- eventfd_ctx_put(req->ki_eventfd);
-- iocb_put(req);
-+ iocb_destroy(req);
- out_put_reqs_available:
- put_reqs_available(ctx, 1);
- return ret;
diff --git a/debian/patches/bugfix/all/0011-aio-fold-lookup_kiocb-into-its-sole-caller.patch b/debian/patches/bugfix/all/0011-aio-fold-lookup_kiocb-into-its-sole-caller.patch
deleted file mode 100644
index c287368ca..000000000
--- a/debian/patches/bugfix/all/0011-aio-fold-lookup_kiocb-into-its-sole-caller.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From: Al Viro
-Date: Mon, 11 Mar 2019 19:00:36 -0400
-Subject: [11/14] aio: fold lookup_kiocb() into its sole caller
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=592ea630b081a6c97ec56499b0e12f68fd2da2d8
-
-commit 833f4154ed560232120bc475935ee1d6a20e159f upstream.
-
-Signed-off-by: Al Viro
-Cc: Guenter Roeck
-Signed-off-by: Greg Kroah-Hartman
----
- fs/aio.c | 29 +++++++----------------------
- 1 file changed, 7 insertions(+), 22 deletions(-)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index 10e5a8f52dce..cda193f6de76 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -1992,24 +1992,6 @@ COMPAT_SYSCALL_DEFINE3(io_submit, compat_aio_context_t, ctx_id,
- }
- #endif
-
--/* lookup_kiocb
-- * Finds a given iocb for cancellation.
-- */
--static struct aio_kiocb *
--lookup_kiocb(struct kioctx *ctx, struct iocb __user *iocb)
--{
-- struct aio_kiocb *kiocb;
--
-- assert_spin_locked(&ctx->ctx_lock);
--
-- /* TODO: use a hash or array, this sucks. */
-- list_for_each_entry(kiocb, &ctx->active_reqs, ki_list) {
-- if (kiocb->ki_user_iocb == iocb)
-- return kiocb;
-- }
-- return NULL;
--}
--
- /* sys_io_cancel:
- * Attempts to cancel an iocb previously passed to io_submit. If
- * the operation is successfully cancelled, the resulting event is
-@@ -2038,10 +2020,13 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb,
- return -EINVAL;
-
- spin_lock_irq(&ctx->ctx_lock);
-- kiocb = lookup_kiocb(ctx, iocb);
-- if (kiocb) {
-- ret = kiocb->ki_cancel(&kiocb->rw);
-- list_del_init(&kiocb->ki_list);
-+ /* TODO: use a hash or array, this sucks. */
-+ list_for_each_entry(kiocb, &ctx->active_reqs, ki_list) {
-+ if (kiocb->ki_user_iocb == iocb) {
-+ ret = kiocb->ki_cancel(&kiocb->rw);
-+ list_del_init(&kiocb->ki_list);
-+ break;
-+ }
- }
- spin_unlock_irq(&ctx->ctx_lock);
- 
diff --git a/debian/patches/bugfix/all/0012-aio-keep-io_event-in-aio_kiocb.patch b/debian/patches/bugfix/all/0012-aio-keep-io_event-in-aio_kiocb.patch
deleted file mode 100644
index ede326d17..000000000
--- a/debian/patches/bugfix/all/0012-aio-keep-io_event-in-aio_kiocb.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From: Al Viro
-Date: Thu, 7 Mar 2019 19:43:45 -0500
-Subject: [12/14] aio: keep io_event in aio_kiocb
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=c20202c51d2b6703a4e539235f892f34daabd791
-
-commit a9339b7855094ba11a97e8822ae038135e879e79 upstream.
-
-We want to separate forming the resulting io_event from putting it
-into the ring buffer.
-
-Signed-off-by: Al Viro
-Cc: Guenter Roeck
-Signed-off-by: Greg Kroah-Hartman
----
- fs/aio.c | 31 +++++++++++++------------------
- 1 file changed, 13 insertions(+), 18 deletions(-)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index cda193f6de76..ec30f1bdac0c 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -198,8 +198,7 @@ struct aio_kiocb {
- struct kioctx *ki_ctx;
- kiocb_cancel_fn *ki_cancel;
-
-- struct iocb __user *ki_user_iocb; /* user's aiocb */
-- __u64 ki_user_data; /* user's data for completion */
-+ struct io_event ki_res;
-
- struct list_head ki_list; /* the aio core uses this
- * for cancellation */
-@@ -1078,15 +1077,6 @@ static inline void iocb_put(struct aio_kiocb *iocb)
- iocb_destroy(iocb);
- }
-
--static void aio_fill_event(struct io_event *ev, struct aio_kiocb *iocb,
-- long res, long res2)
--{
-- ev->obj = (u64)(unsigned long)iocb->ki_user_iocb;
-- ev->data = iocb->ki_user_data;
-- ev->res = res;
-- ev->res2 = res2;
--}
--
- /* aio_complete
- * Called when the io request on the given iocb is complete.
- */
-@@ -1098,6 +1088,8 @@ static void aio_complete(struct aio_kiocb *iocb, long res, long res2)
- unsigned tail, pos, head;
- unsigned long flags;
-
-+ iocb->ki_res.res = res;
-+ iocb->ki_res.res2 = res2;
- /*
- * Add a completion event to the ring buffer. 
Must be done holding
- * ctx->completion_lock to prevent other code from messing with the tail
-@@ -1114,14 +1106,14 @@ static void aio_complete(struct aio_kiocb *iocb, long res, long res2)
- ev_page = kmap_atomic(ctx->ring_pages[pos / AIO_EVENTS_PER_PAGE]);
- event = ev_page + pos % AIO_EVENTS_PER_PAGE;
-
-- aio_fill_event(event, iocb, res, res2);
-+ *event = iocb->ki_res;
-
- kunmap_atomic(ev_page);
- flush_dcache_page(ctx->ring_pages[pos / AIO_EVENTS_PER_PAGE]);
-
-- pr_debug("%p[%u]: %p: %p %Lx %lx %lx\n",
-- ctx, tail, iocb, iocb->ki_user_iocb, iocb->ki_user_data,
-- res, res2);
-+ pr_debug("%p[%u]: %p: %p %Lx %Lx %Lx\n", ctx, tail, iocb,
-+ (void __user *)(unsigned long)iocb->ki_res.obj,
-+ iocb->ki_res.data, iocb->ki_res.res, iocb->ki_res.res2);
-
- /* after flagging the request as done, we
- * must never even look at it again
-@@ -1838,8 +1830,10 @@ static int __io_submit_one(struct kioctx *ctx, const struct iocb *iocb,
- goto out_put_req;
- }
-
-- req->ki_user_iocb = user_iocb;
-- req->ki_user_data = iocb->aio_data;
-+ req->ki_res.obj = (u64)(unsigned long)user_iocb;
-+ req->ki_res.data = iocb->aio_data;
-+ req->ki_res.res = 0;
-+ req->ki_res.res2 = 0;
-
- switch (iocb->aio_lio_opcode) {
- case IOCB_CMD_PREAD:
-@@ -2009,6 +2003,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb,
- struct aio_kiocb *kiocb;
- int ret = -EINVAL;
- u32 key;
-+ u64 obj = (u64)(unsigned long)iocb;
-
- if (unlikely(get_user(key, &iocb->aio_key)))
- return -EFAULT;
-@@ -2022,7 +2017,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb,
- spin_lock_irq(&ctx->ctx_lock);
- /* TODO: use a hash or array, this sucks. */
- list_for_each_entry(kiocb, &ctx->active_reqs, ki_list) {
-- if (kiocb->ki_user_iocb == iocb) {
-+ if (kiocb->ki_res.obj == obj) {
- ret = kiocb->ki_cancel(&kiocb->rw);
- list_del_init(&kiocb->ki_list);
- break;
diff --git a/debian/patches/bugfix/all/0013-aio-store-event-at-final-iocb_put.patch b/debian/patches/bugfix/all/0013-aio-store-event-at-final-iocb_put.patch
deleted file mode 100644
index b418252a4..000000000
--- a/debian/patches/bugfix/all/0013-aio-store-event-at-final-iocb_put.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From: Al Viro
-Date: Thu, 7 Mar 2019 19:49:55 -0500
-Subject: [13/14] aio: store event at final iocb_put()
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=aab66dfb757aa5b211ec6b0c322b42f4ef5ab34f
-
-commit 2bb874c0d873d13bd9b9b9c6d7b7c4edab18c8b4 upstream.
-
-Instead of having aio_complete() set ->ki_res.{res,res2}, do that
-explicitly in its callers, drop the reference (as aio_complete()
-used to do) and delay the rest until the final iocb_put().
-
-Signed-off-by: Al Viro
-Cc: Guenter Roeck
-Signed-off-by: Greg Kroah-Hartman
----
- fs/aio.c | 33 +++++++++++++++++----------------
- 1 file changed, 17 insertions(+), 16 deletions(-)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index ec30f1bdac0c..556ee620038f 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -1071,16 +1071,10 @@ static inline void iocb_destroy(struct aio_kiocb *iocb)
- kmem_cache_free(kiocb_cachep, iocb);
- }
-
--static inline void iocb_put(struct aio_kiocb *iocb)
--{
-- if (refcount_dec_and_test(&iocb->ki_refcnt))
-- iocb_destroy(iocb);
--}
--
- /* aio_complete
- * Called when the io request on the given iocb is complete.
- */
--static void aio_complete(struct aio_kiocb *iocb, long res, long res2)
-+static void aio_complete(struct aio_kiocb *iocb)
- {
- struct kioctx *ctx = iocb->ki_ctx;
- struct aio_ring *ring;
-@@ -1088,8 +1082,6 @@ static void aio_complete(struct aio_kiocb *iocb, long res, long res2)
- unsigned tail, pos, head;
- unsigned long flags;
-
-- iocb->ki_res.res = res;
-- iocb->ki_res.res2 = res2;
- /*
- * Add a completion event to the ring buffer. 
Must be done holding
- * ctx->completion_lock to prevent other code from messing with the tail
-@@ -1155,7 +1147,14 @@ static void aio_complete(struct aio_kiocb *iocb, long res, long res2)
-
- if (waitqueue_active(&ctx->wait))
- wake_up(&ctx->wait);
-- iocb_put(iocb);
-+}
-+
-+static inline void iocb_put(struct aio_kiocb *iocb)
-+{
-+ if (refcount_dec_and_test(&iocb->ki_refcnt)) {
-+ aio_complete(iocb);
-+ iocb_destroy(iocb);
-+ }
- }
-
- /* aio_read_events_ring
-@@ -1429,7 +1428,9 @@ static void aio_complete_rw(struct kiocb *kiocb, long res, long res2)
- file_end_write(kiocb->ki_filp);
- }
-
-- aio_complete(iocb, res, res2);
-+ iocb->ki_res.res = res;
-+ iocb->ki_res.res2 = res2;
-+ iocb_put(iocb);
- }
-
- static int aio_prep_rw(struct kiocb *req, const struct iocb *iocb)
-@@ -1577,11 +1578,10 @@ static ssize_t aio_write(struct kiocb *req, const struct iocb *iocb,
-
- static void aio_fsync_work(struct work_struct *work)
- {
-- struct fsync_iocb *req = container_of(work, struct fsync_iocb, work);
-- int ret;
-+ struct aio_kiocb *iocb = container_of(work, struct aio_kiocb, fsync.work);
-
-- ret = vfs_fsync(req->file, req->datasync);
-- aio_complete(container_of(req, struct aio_kiocb, fsync), ret, 0);
-+ iocb->ki_res.res = vfs_fsync(iocb->fsync.file, iocb->fsync.datasync);
-+ iocb_put(iocb);
- }
-
- static int aio_fsync(struct fsync_iocb *req, const struct iocb *iocb,
-@@ -1602,7 +1602,8 @@ static int aio_fsync(struct fsync_iocb *req, const struct iocb *iocb,
-
- static inline void aio_poll_complete(struct aio_kiocb *iocb, __poll_t mask)
- {
-- aio_complete(iocb, mangle_poll(mask), 0);
-+ iocb->ki_res.res = mangle_poll(mask);
-+ iocb_put(iocb);
- }
-
- static void aio_poll_complete_work(struct work_struct *work)
diff --git a/debian/patches/bugfix/all/0014-Fix-aio_poll-races.patch b/debian/patches/bugfix/all/0014-Fix-aio_poll-races.patch
deleted file mode 100644
index c507e6812..000000000
--- a/debian/patches/bugfix/all/0014-Fix-aio_poll-races.patch
+++ /dev/null
@@ -1,225 +0,0 @@ -From: Al Viro -Date: Thu, 7 Mar 2019 21:45:41 -0500 -Subject: [14/14] Fix aio_poll() races -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=e9e47779aaa7212ccb75f8d8d4d16ab188efb313 - -commit af5c72b1fc7a00aa484e90b0c4e0eeb582545634 upstream. - -aio_poll() has to cope with several unpleasant problems: - * requests that might stay around indefinitely need to -be made visible for io_cancel(2); that must not be done to -a request already completed, though. - * in cases when ->poll() has placed us on a waitqueue, -wakeup might have happened (and request completed) before ->poll() -returns. - * worse, in some early wakeup cases request might end -up re-added into the queue later - we can't treat "woken up and -currently not in the queue" as "it's not going to stick around -indefinitely" - * ... moreover, ->poll() might have decided not to -put it on any queues to start with, and that needs to be distinguished -from the previous case - * ->poll() might have tried to put us on more than one queue. -Only the first will succeed for aio poll, so we might end up missing -wakeups. OTOH, we might very well notice that only after the -wakeup hits and request gets completed (all before ->poll() gets -around to the second poll_wait()). In that case it's too late to -decide that we have an error. - -req->woken was an attempt to deal with that. Unfortunately, it was -broken. What we need to keep track of is not that wakeup has happened - -the thing might come back after that. It's that async reference is -already gone and won't come back, so we can't (and needn't) put the -request on the list of cancellables. - -The easiest case is "request hadn't been put on any waitqueues"; we -can tell by seeing NULL apt.head, and in that case there won't be -anything async. We should either complete the request ourselves -(if vfs_poll() reports anything of interest) or return an error. 
- -In all other cases we get exclusion with wakeups by grabbing the -queue lock. - -If request is currently on queue and we have something interesting -from vfs_poll(), we can steal it and complete the request ourselves. - -If it's on queue and vfs_poll() has not reported anything interesting, -we either put it on the cancellable list, or, if we know that it -hadn't been put on all queues ->poll() wanted it on, we steal it and -return an error. - -If it's _not_ on queue, it's either been already dealt with (in which -case we do nothing), or there's aio_poll_complete_work() about to be -executed. In that case we either put it on the cancellable list, -or, if we know it hadn't been put on all queues ->poll() wanted it on, -simulate what cancel would've done. - -It's a lot more convoluted than I'd like it to be. Single-consumer APIs -suck, and unfortunately aio is not an exception... - -Signed-off-by: Al Viro -Cc: Guenter Roeck -Signed-off-by: Greg Kroah-Hartman ---- - fs/aio.c | 90 +++++++++++++++++++++++++------------------------------- - 1 file changed, 40 insertions(+), 50 deletions(-) - -diff --git a/fs/aio.c b/fs/aio.c -index 556ee620038f..911e23087dfb 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -175,7 +175,7 @@ struct poll_iocb { - struct file *file; - struct wait_queue_head *head; - __poll_t events; -- bool woken; -+ bool done; - bool cancelled; - struct wait_queue_entry wait; - struct work_struct work; -@@ -1600,12 +1600,6 @@ static int aio_fsync(struct fsync_iocb *req, const struct iocb *iocb, - return 0; - } - --static inline void aio_poll_complete(struct aio_kiocb *iocb, __poll_t mask) --{ -- iocb->ki_res.res = mangle_poll(mask); -- iocb_put(iocb); --} -- - static void aio_poll_complete_work(struct work_struct *work) - { - struct poll_iocb *req = container_of(work, struct poll_iocb, work); -@@ -1631,9 +1625,11 @@ static void aio_poll_complete_work(struct work_struct *work) - return; - } - list_del_init(&iocb->ki_list); -+ iocb->ki_res.res = 
mangle_poll(mask); -+ req->done = true; - spin_unlock_irq(&ctx->ctx_lock); - -- aio_poll_complete(iocb, mask); -+ iocb_put(iocb); - } - - /* assumes we are called with irqs disabled */ -@@ -1661,31 +1657,27 @@ static int aio_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync, - __poll_t mask = key_to_poll(key); - unsigned long flags; - -- req->woken = true; -- - /* for instances that support it check for an event match first: */ -- if (mask) { -- if (!(mask & req->events)) -- return 0; -+ if (mask && !(mask & req->events)) -+ return 0; - -+ list_del_init(&req->wait.entry); -+ -+ if (mask && spin_trylock_irqsave(&iocb->ki_ctx->ctx_lock, flags)) { - /* - * Try to complete the iocb inline if we can. Use - * irqsave/irqrestore because not all filesystems (e.g. fuse) - * call this function with IRQs disabled and because IRQs - * have to be disabled before ctx_lock is obtained. - */ -- if (spin_trylock_irqsave(&iocb->ki_ctx->ctx_lock, flags)) { -- list_del(&iocb->ki_list); -- spin_unlock_irqrestore(&iocb->ki_ctx->ctx_lock, flags); -- -- list_del_init(&req->wait.entry); -- aio_poll_complete(iocb, mask); -- return 1; -- } -+ list_del(&iocb->ki_list); -+ iocb->ki_res.res = mangle_poll(mask); -+ req->done = true; -+ spin_unlock_irqrestore(&iocb->ki_ctx->ctx_lock, flags); -+ iocb_put(iocb); -+ } else { -+ schedule_work(&req->work); - } -- -- list_del_init(&req->wait.entry); -- schedule_work(&req->work); - return 1; - } - -@@ -1717,6 +1709,7 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb) - struct kioctx *ctx = aiocb->ki_ctx; - struct poll_iocb *req = &aiocb->poll; - struct aio_poll_table apt; -+ bool cancel = false; - __poll_t mask; - - /* reject any unknown events outside the normal event mask. 
*/ -@@ -1730,7 +1723,7 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb) - req->events = demangle_poll(iocb->aio_buf) | EPOLLERR | EPOLLHUP; - - req->head = NULL; -- req->woken = false; -+ req->done = false; - req->cancelled = false; - - apt.pt._qproc = aio_poll_queue_proc; -@@ -1743,36 +1736,33 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb) - init_waitqueue_func_entry(&req->wait, aio_poll_wake); - - mask = vfs_poll(req->file, &apt.pt) & req->events; -- if (unlikely(!req->head)) { -- /* we did not manage to set up a waitqueue, done */ -- goto out; -- } -- - spin_lock_irq(&ctx->ctx_lock); -- spin_lock(&req->head->lock); -- if (req->woken) { -- /* wake_up context handles the rest */ -- mask = 0; -+ if (likely(req->head)) { -+ spin_lock(&req->head->lock); -+ if (unlikely(list_empty(&req->wait.entry))) { -+ if (apt.error) -+ cancel = true; -+ apt.error = 0; -+ mask = 0; -+ } -+ if (mask || apt.error) { -+ list_del_init(&req->wait.entry); -+ } else if (cancel) { -+ WRITE_ONCE(req->cancelled, true); -+ } else if (!req->done) { /* actually waiting for an event */ -+ list_add_tail(&aiocb->ki_list, &ctx->active_reqs); -+ aiocb->ki_cancel = aio_poll_cancel; -+ } -+ spin_unlock(&req->head->lock); -+ } -+ if (mask) { /* no async, we'd stolen it */ -+ aiocb->ki_res.res = mangle_poll(mask); - apt.error = 0; -- } else if (mask || apt.error) { -- /* if we get an error or a mask we are done */ -- WARN_ON_ONCE(list_empty(&req->wait.entry)); -- list_del_init(&req->wait.entry); -- } else { -- /* actually waiting for an event */ -- list_add_tail(&aiocb->ki_list, &ctx->active_reqs); -- aiocb->ki_cancel = aio_poll_cancel; - } -- spin_unlock(&req->head->lock); - spin_unlock_irq(&ctx->ctx_lock); -- --out: -- if (unlikely(apt.error)) -- return apt.error; -- - if (mask) -- aio_poll_complete(aiocb, mask); -- return 0; -+ iocb_put(aiocb); -+ return apt.error; - } - - static int __io_submit_one(struct kioctx *ctx, const struct iocb *iocb, 
diff --git a/debian/patches/bugfix/all/Bluetooth-hci_uart-check-for-missing-tty-operations.patch b/debian/patches/bugfix/all/Bluetooth-hci_uart-check-for-missing-tty-operations.patch
deleted file mode 100644
index d8a8452d3..000000000
--- a/debian/patches/bugfix/all/Bluetooth-hci_uart-check-for-missing-tty-operations.patch
+++ /dev/null
@@ -1,152 +0,0 @@ -From: Vladis Dronov -Date: Tue, 30 Jul 2019 11:33:45 +0200 -Subject: Bluetooth: hci_uart: check for missing tty operations -Origin: https://git.kernel.org/linus/b36a1552d7319bbfd5cf7f08726c23c5c66d4f73 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-10207 - -commit b36a1552d7319bbfd5cf7f08726c23c5c66d4f73 upstream. - -Certain ttys operations (pty_unix98_ops) lack tiocmget() and tiocmset() -functions which are called by the certain HCI UART protocols (hci_ath, -hci_bcm, hci_intel, hci_mrvl, hci_qca) via hci_uart_set_flow_control() -or directly. This leads to an execution at NULL and can be triggered by -an unprivileged user. Fix this by adding a helper function and a check -for the missing tty operations in the protocols code. - -This fixes CVE-2019-10207. The Fixes: lines list commits where calls to -tiocm[gs]et() or hci_uart_set_flow_control() were added to the HCI UART -protocols. - -Link: https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50 -Reported-by: syzbot+79337b501d6aa974d0f6@syzkaller.appspotmail.com -Cc: stable@vger.kernel.org # v2.6.36+ -Fixes: b3190df62861 ("Bluetooth: Support for Atheros AR300x serial chip") -Fixes: 118612fb9165 ("Bluetooth: hci_bcm: Add suspend/resume PM functions") -Fixes: ff2895592f0f ("Bluetooth: hci_intel: Add Intel baudrate configuration support") -Fixes: 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support") -Fixes: fa9ad876b8e0 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990") -Signed-off-by: Vladis Dronov -Signed-off-by: Marcel Holtmann -Reviewed-by: Yu-Chen, Cho -Tested-by: Yu-Chen, Cho -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - drivers/bluetooth/hci_ath.c | 3 +++ - drivers/bluetooth/hci_bcm.c | 3 +++ - drivers/bluetooth/hci_intel.c | 3 +++ - drivers/bluetooth/hci_ldisc.c | 13 +++++++++++++ - drivers/bluetooth/hci_mrvl.c | 3 +++ - drivers/bluetooth/hci_qca.c | 3 +++ - drivers/bluetooth/hci_uart.h | 1 
+ - 7 files changed, 29 insertions(+) - -diff --git a/drivers/bluetooth/hci_ath.c b/drivers/bluetooth/hci_ath.c -index d568fbd94d6c..20235925344d 100644 ---- a/drivers/bluetooth/hci_ath.c -+++ b/drivers/bluetooth/hci_ath.c -@@ -112,6 +112,9 @@ static int ath_open(struct hci_uart *hu) - - BT_DBG("hu %p", hu); - -+ if (!hci_uart_has_flow_control(hu)) -+ return -EOPNOTSUPP; -+ - ath = kzalloc(sizeof(*ath), GFP_KERNEL); - if (!ath) - return -ENOMEM; -diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c -index 800132369134..aa6b7ed9fdf1 100644 ---- a/drivers/bluetooth/hci_bcm.c -+++ b/drivers/bluetooth/hci_bcm.c -@@ -369,6 +369,9 @@ static int bcm_open(struct hci_uart *hu) - - bt_dev_dbg(hu->hdev, "hu %p", hu); - -+ if (!hci_uart_has_flow_control(hu)) -+ return -EOPNOTSUPP; -+ - bcm = kzalloc(sizeof(*bcm), GFP_KERNEL); - if (!bcm) - return -ENOMEM; -diff --git a/drivers/bluetooth/hci_intel.c b/drivers/bluetooth/hci_intel.c -index 46ace321bf60..e9228520e4c7 100644 ---- a/drivers/bluetooth/hci_intel.c -+++ b/drivers/bluetooth/hci_intel.c -@@ -406,6 +406,9 @@ static int intel_open(struct hci_uart *hu) - - BT_DBG("hu %p", hu); - -+ if (!hci_uart_has_flow_control(hu)) -+ return -EOPNOTSUPP; -+ - intel = kzalloc(sizeof(*intel), GFP_KERNEL); - if (!intel) - return -ENOMEM; -diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c -index c915daf01a89..efeb8137ec67 100644 ---- a/drivers/bluetooth/hci_ldisc.c -+++ b/drivers/bluetooth/hci_ldisc.c -@@ -299,6 +299,19 @@ static int hci_uart_send_frame(struct hci_dev *hdev, struct sk_buff *skb) - return 0; - } - -+/* Check the underlying device or tty has flow control support */ -+bool hci_uart_has_flow_control(struct hci_uart *hu) -+{ -+ /* serdev nodes check if the needed operations are present */ -+ if (hu->serdev) -+ return true; -+ -+ if (hu->tty->driver->ops->tiocmget && hu->tty->driver->ops->tiocmset) -+ return true; -+ -+ return false; -+} -+ - /* Flow control or un-flow control the device 
*/ - void hci_uart_set_flow_control(struct hci_uart *hu, bool enable) - { -diff --git a/drivers/bluetooth/hci_mrvl.c b/drivers/bluetooth/hci_mrvl.c -index ffb00669346f..23791df081ba 100644 ---- a/drivers/bluetooth/hci_mrvl.c -+++ b/drivers/bluetooth/hci_mrvl.c -@@ -66,6 +66,9 @@ static int mrvl_open(struct hci_uart *hu) - - BT_DBG("hu %p", hu); - -+ if (!hci_uart_has_flow_control(hu)) -+ return -EOPNOTSUPP; -+ - mrvl = kzalloc(sizeof(*mrvl), GFP_KERNEL); - if (!mrvl) - return -ENOMEM; -diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c -index 77004c29da08..f96e58de049b 100644 ---- a/drivers/bluetooth/hci_qca.c -+++ b/drivers/bluetooth/hci_qca.c -@@ -450,6 +450,9 @@ static int qca_open(struct hci_uart *hu) - - BT_DBG("hu %p qca_open", hu); - -+ if (!hci_uart_has_flow_control(hu)) -+ return -EOPNOTSUPP; -+ - qca = kzalloc(sizeof(struct qca_data), GFP_KERNEL); - if (!qca) - return -ENOMEM; -diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h -index 00cab2fd7a1b..067a610f1372 100644 ---- a/drivers/bluetooth/hci_uart.h -+++ b/drivers/bluetooth/hci_uart.h -@@ -118,6 +118,7 @@ int hci_uart_tx_wakeup(struct hci_uart *hu); - int hci_uart_init_ready(struct hci_uart *hu); - void hci_uart_init_work(struct work_struct *work); - void hci_uart_set_baudrate(struct hci_uart *hu, unsigned int speed); -+bool hci_uart_has_flow_control(struct hci_uart *hu); - void hci_uart_set_flow_control(struct hci_uart *hu, bool enable); - void hci_uart_set_speeds(struct hci_uart *hu, unsigned int init_speed, - unsigned int oper_speed); --- -cgit 1.2-0.3.lf.el7 - diff --git a/debian/patches/bugfix/all/Bluetooth-hidp-fix-buffer-overflow.patch b/debian/patches/bugfix/all/Bluetooth-hidp-fix-buffer-overflow.patch deleted file mode 100644 index 3a15ec19f..000000000 --- a/debian/patches/bugfix/all/Bluetooth-hidp-fix-buffer-overflow.patch +++ /dev/null 
@@ -1,34 +0,0 @@
-From: Young Xiao
-Date: Fri, 12 Apr 2019 15:24:30 +0800
-Subject: Bluetooth: hidp: fix buffer overflow
-Origin: https://git.kernel.org/linus/a1616a5ac99ede5d605047a9012481ce7ff18b16
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11884
-
-Struct ca is copied from userspace. It is not checked whether the "name"
-field is NULL terminated, which allows local users to obtain potentially
-sensitive information from kernel stack memory, via a HIDPCONNADD command.
-
-This vulnerability is similar to CVE-2011-1079.
-
-Signed-off-by: Young Xiao
-Signed-off-by: Marcel Holtmann
-Cc: stable@vger.kernel.org
----
- net/bluetooth/hidp/sock.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
-index 9f85a1943be9..2151913892ce 100644
---- a/net/bluetooth/hidp/sock.c
-+++ b/net/bluetooth/hidp/sock.c
-@@ -75,6 +75,7 @@ static int do_hidp_sock_ioctl(struct socket *sock, unsigned int cmd, void __user
- sockfd_put(csock);
- return err;
- }
-+ ca.name[sizeof(ca.name)-1] = 0;
- 
- err = hidp_connection_add(&ca, csock, isock);
- if (!err && copy_to_user(argp, &ca, sizeof(ca)))
---
-2.20.1
-
diff --git a/debian/patches/bugfix/all/Documentation-Add-section-about-CPU-vulnerabilities-.patch b/debian/patches/bugfix/all/Documentation-Add-section-about-CPU-vulnerabilities-.patch
deleted file mode 100644
index 3a15ec19f..000000000
--- a/debian/patches/bugfix/all/Documentation-Add-section-about-CPU-vulnerabilities-.patch
+++ /dev/null
@@ -1,760 +0,0 @@ -From: Tim Chen -Date: Thu, 20 Jun 2019 16:10:50 -0700 -Subject: Documentation: Add section about CPU vulnerabilities for Spectre -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8a815007f5fe292fa8ef082663e1259b9ae0571b - -commit 6e88559470f581741bcd0f2794f9054814ac9740 upstream. - -Add documentation for Spectre vulnerability and the mitigation mechanisms: - -- Explain the problem and risks -- Document the mitigation mechanisms -- Document the command line controls -- Document the sysfs files - -Co-developed-by: Andi Kleen -Signed-off-by: Andi Kleen -Co-developed-by: Tim Chen -Signed-off-by: Tim Chen -Reviewed-by: Randy Dunlap -Reviewed-by: Thomas Gleixner -Cc: stable@vger.kernel.org -Signed-off-by: Jonathan Corbet -Signed-off-by: Greg Kroah-Hartman ---- - Documentation/admin-guide/hw-vuln/index.rst | 1 + - Documentation/admin-guide/hw-vuln/spectre.rst | 697 ++++++++++++++++++ - Documentation/userspace-api/spec_ctrl.rst | 2 + - 3 files changed, 700 insertions(+) - create mode 100644 Documentation/admin-guide/hw-vuln/spectre.rst - -diff --git a/Documentation/admin-guide/hw-vuln/index.rst b/Documentation/admin-guide/hw-vuln/index.rst -index ffc064c1ec68..49311f3da6f2 100644 ---- a/Documentation/admin-guide/hw-vuln/index.rst -+++ b/Documentation/admin-guide/hw-vuln/index.rst -@@ -9,5 +9,6 @@ are configurable at compile, boot or run time. - .. toctree:: - :maxdepth: 1 - -+ spectre - l1tf - mds -diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst -new file mode 100644 -index 000000000000..25f3b2532198 ---- /dev/null -+++ b/Documentation/admin-guide/hw-vuln/spectre.rst -@@ -0,0 +1,697 @@ -+.. SPDX-License-Identifier: GPL-2.0 -+ -+Spectre Side Channels -+===================== -+ -+Spectre is a class of side channel attacks that exploit branch prediction -+and speculative execution on modern CPUs to read memory, possibly -+bypassing access controls. 
Speculative execution side channel exploits -+do not modify memory but attempt to infer privileged data in the memory. -+ -+This document covers Spectre variant 1 and Spectre variant 2. -+ -+Affected processors -+------------------- -+ -+Speculative execution side channel methods affect a wide range of modern -+high performance processors, since most modern high speed processors -+use branch prediction and speculative execution. -+ -+The following CPUs are vulnerable: -+ -+ - Intel Core, Atom, Pentium, and Xeon processors -+ -+ - AMD Phenom, EPYC, and Zen processors -+ -+ - IBM POWER and zSeries processors -+ -+ - Higher end ARM processors -+ -+ - Apple CPUs -+ -+ - Higher end MIPS CPUs -+ -+ - Likely most other high performance CPUs. Contact your CPU vendor for details. -+ -+Whether a processor is affected or not can be read out from the Spectre -+vulnerability files in sysfs. See :ref:`spectre_sys_info`. -+ -+Related CVEs -+------------ -+ -+The following CVE entries describe Spectre variants: -+ -+ ============= ======================= ================= -+ CVE-2017-5753 Bounds check bypass Spectre variant 1 -+ CVE-2017-5715 Branch target injection Spectre variant 2 -+ ============= ======================= ================= -+ -+Problem -+------- -+ -+CPUs use speculative operations to improve performance. That may leave -+traces of memory accesses or computations in the processor's caches, -+buffers, and branch predictors. Malicious software may be able to -+influence the speculative execution paths, and then use the side effects -+of the speculative execution in the CPUs' caches and buffers to infer -+privileged data touched during the speculative execution. -+ -+Spectre variant 1 attacks take advantage of speculative execution of -+conditional branches, while Spectre variant 2 attacks use speculative -+execution of indirect branches to leak privileged memory. -+See :ref:`[1] ` :ref:`[5] ` :ref:`[7] ` -+:ref:`[10] ` :ref:`[11] `. 
-+ -+Spectre variant 1 (Bounds Check Bypass) -+--------------------------------------- -+ -+The bounds check bypass attack :ref:`[2] ` takes advantage -+of speculative execution that bypasses conditional branch instructions -+used for memory access bounds check (e.g. checking if the index of an -+array results in memory access within a valid range). This results in -+memory accesses to invalid memory (with out-of-bound index) that are -+done speculatively before validation checks resolve. Such speculative -+memory accesses can leave side effects, creating side channels which -+leak information to the attacker. -+ -+There are some extensions of Spectre variant 1 attacks for reading data -+over the network, see :ref:`[12] `. However such attacks -+are difficult, low bandwidth, fragile, and are considered low risk. -+ -+Spectre variant 2 (Branch Target Injection) -+------------------------------------------- -+ -+The branch target injection attack takes advantage of speculative -+execution of indirect branches :ref:`[3] `. The indirect -+branch predictors inside the processor used to guess the target of -+indirect branches can be influenced by an attacker, causing gadget code -+to be speculatively executed, thus exposing sensitive data touched by -+the victim. The side effects left in the CPU's caches during speculative -+execution can be measured to infer data values. -+ -+.. _poison_btb: -+ -+In Spectre variant 2 attacks, the attacker can steer speculative indirect -+branches in the victim to gadget code by poisoning the branch target -+buffer of a CPU used for predicting indirect branch addresses. Such -+poisoning could be done by indirect branching into existing code, -+with the address offset of the indirect branch under the attacker's -+control. 
Since the branch prediction on impacted hardware does not -+fully disambiguate branch address and uses the offset for prediction, -+this could cause privileged code's indirect branch to jump to a gadget -+code with the same offset. -+ -+The most useful gadgets take an attacker-controlled input parameter (such -+as a register value) so that the memory read can be controlled. Gadgets -+without input parameters might be possible, but the attacker would have -+very little control over what memory can be read, reducing the risk of -+the attack revealing useful data. -+ -+One other variant 2 attack vector is for the attacker to poison the -+return stack buffer (RSB) :ref:`[13] ` to cause speculative -+subroutine return instruction execution to go to a gadget. An attacker's -+imbalanced subroutine call instructions might "poison" entries in the -+return stack buffer which are later consumed by a victim's subroutine -+return instructions. This attack can be mitigated by flushing the return -+stack buffer on context switch, or virtual machine (VM) exit. -+ -+On systems with simultaneous multi-threading (SMT), attacks are possible -+from the sibling thread, as level 1 cache and branch target buffer -+(BTB) may be shared between hardware threads in a CPU core. A malicious -+program running on the sibling thread may influence its peer's BTB to -+steer its indirect branch speculations to gadget code, and measure the -+speculative execution's side effects left in level 1 cache to infer the -+victim's data. -+ -+Attack scenarios -+---------------- -+ -+The following list of attack scenarios have been anticipated, but may -+not cover all possible attack vectors. -+ -+1. A user process attacking the kernel -+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -+ -+ The attacker passes a parameter to the kernel via a register or -+ via a known address in memory during a syscall. 
Such parameter may -+ be used later by the kernel as an index to an array or to derive -+ a pointer for a Spectre variant 1 attack. The index or pointer -+ is invalid, but bound checks are bypassed in the code branch taken -+ for speculative execution. This could cause privileged memory to be -+ accessed and leaked. -+ -+ For kernel code that has been identified where data pointers could -+ potentially be influenced for Spectre attacks, new "nospec" accessor -+ macros are used to prevent speculative loading of data. -+ -+ Spectre variant 2 attacker can :ref:`poison ` the branch -+ target buffer (BTB) before issuing syscall to launch an attack. -+ After entering the kernel, the kernel could use the poisoned branch -+ target buffer on indirect jump and jump to gadget code in speculative -+ execution. -+ -+ If an attacker tries to control the memory addresses leaked during -+ speculative execution, he would also need to pass a parameter to the -+ gadget, either through a register or a known address in memory. After -+ the gadget has executed, he can measure the side effect. -+ -+ The kernel can protect itself against consuming poisoned branch -+ target buffer entries by using return trampolines (also known as -+ "retpoline") :ref:`[3] ` :ref:`[9] ` for all -+ indirect branches. Return trampolines trap speculative execution paths -+ to prevent jumping to gadget code during speculative execution. -+ x86 CPUs with Enhanced Indirect Branch Restricted Speculation -+ (Enhanced IBRS) available in hardware should use the feature to -+ mitigate Spectre variant 2 instead of retpoline. Enhanced IBRS is -+ more efficient than retpoline. -+ -+ There may be gadget code in firmware which could be exploited with -+ Spectre variant 2 attack by a rogue user process. To mitigate such -+ attacks on x86, Indirect Branch Restricted Speculation (IBRS) feature -+ is turned on before the kernel invokes any firmware code. -+ -+2. 
A user process attacking another user process -+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -+ -+ A malicious user process can try to attack another user process, -+ either via a context switch on the same hardware thread, or from the -+ sibling hyperthread sharing a physical processor core on simultaneous -+ multi-threading (SMT) system. -+ -+ Spectre variant 1 attacks generally require passing parameters -+ between the processes, which needs a data passing relationship, such -+ as remote procedure calls (RPC). Those parameters are used in gadget -+ code to derive invalid data pointers accessing privileged memory in -+ the attacked process. -+ -+ Spectre variant 2 attacks can be launched from a rogue process by -+ :ref:`poisoning ` the branch target buffer. This can -+ influence the indirect branch targets for a victim process that either -+ runs later on the same hardware thread, or running concurrently on -+ a sibling hardware thread sharing the same physical core. -+ -+ A user process can protect itself against Spectre variant 2 attacks -+ by using the prctl() syscall to disable indirect branch speculation -+ for itself. An administrator can also cordon off an unsafe process -+ from polluting the branch target buffer by disabling the process's -+ indirect branch speculation. This comes with a performance cost -+ from not using indirect branch speculation and clearing the branch -+ target buffer. When SMT is enabled on x86, for a process that has -+ indirect branch speculation disabled, Single Threaded Indirect Branch -+ Predictors (STIBP) :ref:`[4] ` are turned on to prevent the -+ sibling thread from controlling branch target buffer. In addition, -+ the Indirect Branch Prediction Barrier (IBPB) is issued to clear the -+ branch target buffer when context switching to and from such process. -+ -+ On x86, the return stack buffer is stuffed on context switch. 
-+ This prevents the branch target buffer from being used for branch -+ prediction when the return stack buffer underflows while switching to -+ a deeper call stack. Any poisoned entries in the return stack buffer -+ left by the previous process will also be cleared. -+ -+ User programs should use address space randomization to make attacks -+ more difficult (Set /proc/sys/kernel/randomize_va_space = 1 or 2). -+ -+3. A virtualized guest attacking the host -+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -+ -+ The attack mechanism is similar to how user processes attack the -+ kernel. The kernel is entered via hyper-calls or other virtualization -+ exit paths. -+ -+ For Spectre variant 1 attacks, rogue guests can pass parameters -+ (e.g. in registers) via hyper-calls to derive invalid pointers to -+ speculate into privileged memory after entering the kernel. For places -+ where such kernel code has been identified, nospec accessor macros -+ are used to stop speculative memory access. -+ -+ For Spectre variant 2 attacks, rogue guests can :ref:`poison -+ ` the branch target buffer or return stack buffer, causing -+ the kernel to jump to gadget code in the speculative execution paths. -+ -+ To mitigate variant 2, the host kernel can use return trampolines -+ for indirect branches to bypass the poisoned branch target buffer, -+ and flushing the return stack buffer on VM exit. This prevents rogue -+ guests from affecting indirect branching in the host kernel. -+ -+ To protect host processes from rogue guests, host processes can have -+ indirect branch speculation disabled via prctl(). The branch target -+ buffer is cleared before context switching to such processes. -+ -+4. A virtualized guest attacking other guest -+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -+ -+ A rogue guest may attack another guest to get data accessible by the -+ other guest. -+ -+ Spectre variant 1 attacks are possible if parameters can be passed -+ between guests. 
This may be done via mechanisms such as shared memory -+ or message passing. Such parameters could be used to derive data -+ pointers to privileged data in guest. The privileged data could be -+ accessed by gadget code in the victim's speculation paths. -+ -+ Spectre variant 2 attacks can be launched from a rogue guest by -+ :ref:`poisoning ` the branch target buffer or the return -+ stack buffer. Such poisoned entries could be used to influence -+ speculation execution paths in the victim guest. -+ -+ Linux kernel mitigates attacks to other guests running in the same -+ CPU hardware thread by flushing the return stack buffer on VM exit, -+ and clearing the branch target buffer before switching to a new guest. -+ -+ If SMT is used, Spectre variant 2 attacks from an untrusted guest -+ in the sibling hyperthread can be mitigated by the administrator, -+ by turning off the unsafe guest's indirect branch speculation via -+ prctl(). A guest can also protect itself by turning on microcode -+ based mitigations (such as IBPB or STIBP on x86) within the guest. -+ -+.. _spectre_sys_info: -+ -+Spectre system information -+-------------------------- -+ -+The Linux kernel provides a sysfs interface to enumerate the current -+mitigation status of the system for Spectre: whether the system is -+vulnerable, and which mitigations are active. -+ -+The sysfs file showing Spectre variant 1 mitigation status is: -+ -+ /sys/devices/system/cpu/vulnerabilities/spectre_v1 -+ -+The possible values in this file are: -+ -+ ======================================= ================================= -+ 'Mitigation: __user pointer sanitation' Protection in kernel on a case by -+ case base with explicit pointer -+ sanitation. -+ ======================================= ================================= -+ -+However, the protections are put in place on a case by case basis, -+and there is no guarantee that all possible attack vectors for Spectre -+variant 1 are covered. 
-+ -+The spectre_v2 kernel file reports if the kernel has been compiled with -+retpoline mitigation or if the CPU has hardware mitigation, and if the -+CPU has support for additional process-specific mitigation. -+ -+This file also reports CPU features enabled by microcode to mitigate -+attack between user processes: -+ -+1. Indirect Branch Prediction Barrier (IBPB) to add additional -+ isolation between processes of different users. -+2. Single Thread Indirect Branch Predictors (STIBP) to add additional -+ isolation between CPU threads running on the same core. -+ -+These CPU features may impact performance when used and can be enabled -+per process on a case-by-case base. -+ -+The sysfs file showing Spectre variant 2 mitigation status is: -+ -+ /sys/devices/system/cpu/vulnerabilities/spectre_v2 -+ -+The possible values in this file are: -+ -+ - Kernel status: -+ -+ ==================================== ================================= -+ 'Not affected' The processor is not vulnerable -+ 'Vulnerable' Vulnerable, no mitigation -+ 'Mitigation: Full generic retpoline' Software-focused mitigation -+ 'Mitigation: Full AMD retpoline' AMD-specific software mitigation -+ 'Mitigation: Enhanced IBRS' Hardware-focused mitigation -+ ==================================== ================================= -+ -+ - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is -+ used to protect against Spectre variant 2 attacks when calling firmware (x86 only). -+ -+ ========== ============================================================= -+ 'IBRS_FW' Protection against user program attacks when calling firmware -+ ========== ============================================================= -+ -+ - Indirect branch prediction barrier (IBPB) status for protection between -+ processes of different users. This feature can be controlled through -+ prctl() per process, or through kernel command line options. This is -+ an x86 only feature. For more details see below. 
-+ -+ =================== ======================================================== -+ 'IBPB: disabled' IBPB unused -+ 'IBPB: always-on' Use IBPB on all tasks -+ 'IBPB: conditional' Use IBPB on SECCOMP or indirect branch restricted tasks -+ =================== ======================================================== -+ -+ - Single threaded indirect branch prediction (STIBP) status for protection -+ between different hyper threads. This feature can be controlled through -+ prctl per process, or through kernel command line options. This is x86 -+ only feature. For more details see below. -+ -+ ==================== ======================================================== -+ 'STIBP: disabled' STIBP unused -+ 'STIBP: forced' Use STIBP on all tasks -+ 'STIBP: conditional' Use STIBP on SECCOMP or indirect branch restricted tasks -+ ==================== ======================================================== -+ -+ - Return stack buffer (RSB) protection status: -+ -+ ============= =========================================== -+ 'RSB filling' Protection of RSB on context switch enabled -+ ============= =========================================== -+ -+Full mitigation might require a microcode update from the CPU -+vendor. When the necessary microcode is not available, the kernel will -+report vulnerability. -+ -+Turning on mitigation for Spectre variant 1 and Spectre variant 2 -+----------------------------------------------------------------- -+ -+1. Kernel mitigation -+^^^^^^^^^^^^^^^^^^^^ -+ -+ For the Spectre variant 1, vulnerable kernel code (as determined -+ by code audit or scanning tools) is annotated on a case by case -+ basis to use nospec accessor macros for bounds clipping :ref:`[2] -+ ` to avoid any usable disclosure gadgets. However, it may -+ not cover all attack vectors for Spectre variant 1. 
-+ -+ For Spectre variant 2 mitigation, the compiler turns indirect calls or -+ jumps in the kernel into equivalent return trampolines (retpolines) -+ :ref:`[3] ` :ref:`[9] ` to go to the target -+ addresses. Speculative execution paths under retpolines are trapped -+ in an infinite loop to prevent any speculative execution jumping to -+ a gadget. -+ -+ To turn on retpoline mitigation on a vulnerable CPU, the kernel -+ needs to be compiled with a gcc compiler that supports the -+ -mindirect-branch=thunk-extern -mindirect-branch-register options. -+ If the kernel is compiled with a Clang compiler, the compiler needs -+ to support -mretpoline-external-thunk option. The kernel config -+ CONFIG_RETPOLINE needs to be turned on, and the CPU needs to run with -+ the latest updated microcode. -+ -+ On Intel Skylake-era systems the mitigation covers most, but not all, -+ cases. See :ref:`[3] ` for more details. -+ -+ On CPUs with hardware mitigation for Spectre variant 2 (e.g. Enhanced -+ IBRS on x86), retpoline is automatically disabled at run time. -+ -+ The retpoline mitigation is turned on by default on vulnerable -+ CPUs. It can be forced on or off by the administrator -+ via the kernel command line and sysfs control files. See -+ :ref:`spectre_mitigation_control_command_line`. -+ -+ On x86, indirect branch restricted speculation is turned on by default -+ before invoking any firmware code to prevent Spectre variant 2 exploits -+ using the firmware. -+ -+ Using kernel address space randomization (CONFIG_RANDOMIZE_SLAB=y -+ and CONFIG_SLAB_FREELIST_RANDOM=y in the kernel configuration) makes -+ attacks on the kernel generally more difficult. -+ -+2. User program mitigation -+^^^^^^^^^^^^^^^^^^^^^^^^^^ -+ -+ User programs can mitigate Spectre variant 1 using LFENCE or "bounds -+ clipping". For more details see :ref:`[2] `. -+ -+ For Spectre variant 2 mitigation, individual user programs -+ can be compiled with return trampolines for indirect branches. 
-+ This protects them from consuming poisoned entries in the branch -+ target buffer left by malicious software. Alternatively, the -+ programs can disable their indirect branch speculation via prctl() -+ (See :ref:`Documentation/userspace-api/spec_ctrl.rst `). -+ On x86, this will turn on STIBP to guard against attacks from the -+ sibling thread when the user program is running, and use IBPB to -+ flush the branch target buffer when switching to/from the program. -+ -+ Restricting indirect branch speculation on a user program will -+ also prevent the program from launching a variant 2 attack -+ on x86. All sand-boxed SECCOMP programs have indirect branch -+ speculation restricted by default. Administrators can change -+ that behavior via the kernel command line and sysfs control files. -+ See :ref:`spectre_mitigation_control_command_line`. -+ -+ Programs that disable their indirect branch speculation will have -+ more overhead and run slower. -+ -+ User programs should use address space randomization -+ (/proc/sys/kernel/randomize_va_space = 1 or 2) to make attacks more -+ difficult. -+ -+3. VM mitigation -+^^^^^^^^^^^^^^^^ -+ -+ Within the kernel, Spectre variant 1 attacks from rogue guests are -+ mitigated on a case by case basis in VM exit paths. Vulnerable code -+ uses nospec accessor macros for "bounds clipping", to avoid any -+ usable disclosure gadgets. However, this may not cover all variant -+ 1 attack vectors. -+ -+ For Spectre variant 2 attacks from rogue guests to the kernel, the -+ Linux kernel uses retpoline or Enhanced IBRS to prevent consumption of -+ poisoned entries in branch target buffer left by rogue guests. It also -+ flushes the return stack buffer on every VM exit to prevent a return -+ stack buffer underflow so poisoned branch target buffer could be used, -+ or attacker guests leaving poisoned entries in the return stack buffer. 
-+ -+ To mitigate guest-to-guest attacks in the same CPU hardware thread, -+ the branch target buffer is sanitized by flushing before switching -+ to a new guest on a CPU. -+ -+ The above mitigations are turned on by default on vulnerable CPUs. -+ -+ To mitigate guest-to-guest attacks from sibling thread when SMT is -+ in use, an untrusted guest running in the sibling thread can have -+ its indirect branch speculation disabled by administrator via prctl(). -+ -+ The kernel also allows guests to use any microcode based mitigation -+ they choose to use (such as IBPB or STIBP on x86) to protect themselves. -+ -+.. _spectre_mitigation_control_command_line: -+ -+Mitigation control on the kernel command line -+--------------------------------------------- -+ -+Spectre variant 2 mitigation can be disabled or force enabled at the -+kernel command line. -+ -+ nospectre_v2 -+ -+ [X86] Disable all mitigations for the Spectre variant 2 -+ (indirect branch prediction) vulnerability. System may -+ allow data leaks with this option, which is equivalent -+ to spectre_v2=off. -+ -+ -+ spectre_v2= -+ -+ [X86] Control mitigation of Spectre variant 2 -+ (indirect branch speculation) vulnerability. -+ The default operation protects the kernel from -+ user space attacks. -+ -+ on -+ unconditionally enable, implies -+ spectre_v2_user=on -+ off -+ unconditionally disable, implies -+ spectre_v2_user=off -+ auto -+ kernel detects whether your CPU model is -+ vulnerable -+ -+ Selecting 'on' will, and 'auto' may, choose a -+ mitigation method at run time according to the -+ CPU, the available microcode, the setting of the -+ CONFIG_RETPOLINE configuration option, and the -+ compiler with which the kernel was built. -+ -+ Selecting 'on' will also enable the mitigation -+ against user space to user space task attacks. -+ -+ Selecting 'off' will disable both the kernel and -+ the user space protections. 
-+ -+ Specific mitigations can also be selected manually: -+ -+ retpoline -+ replace indirect branches -+ retpoline,generic -+ google's original retpoline -+ retpoline,amd -+ AMD-specific minimal thunk -+ -+ Not specifying this option is equivalent to -+ spectre_v2=auto. -+ -+For user space mitigation: -+ -+ spectre_v2_user= -+ -+ [X86] Control mitigation of Spectre variant 2 -+ (indirect branch speculation) vulnerability between -+ user space tasks -+ -+ on -+ Unconditionally enable mitigations. Is -+ enforced by spectre_v2=on -+ -+ off -+ Unconditionally disable mitigations. Is -+ enforced by spectre_v2=off -+ -+ prctl -+ Indirect branch speculation is enabled, -+ but mitigation can be enabled via prctl -+ per thread. The mitigation control state -+ is inherited on fork. -+ -+ prctl,ibpb -+ Like "prctl" above, but only STIBP is -+ controlled per thread. IBPB is issued -+ always when switching between different user -+ space processes. -+ -+ seccomp -+ Same as "prctl" above, but all seccomp -+ threads will enable the mitigation unless -+ they explicitly opt out. -+ -+ seccomp,ibpb -+ Like "seccomp" above, but only STIBP is -+ controlled per thread. IBPB is issued -+ always when switching between different -+ user space processes. -+ -+ auto -+ Kernel selects the mitigation depending on -+ the available CPU features and vulnerability. -+ -+ Default mitigation: -+ If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl" -+ -+ Not specifying this option is equivalent to -+ spectre_v2_user=auto. -+ -+ In general the kernel by default selects -+ reasonable mitigations for the current CPU. To -+ disable Spectre variant 2 mitigations, boot with -+ spectre_v2=off. Spectre variant 1 mitigations -+ cannot be disabled. -+ -+Mitigation selection guide -+-------------------------- -+ -+1. 
Trusted userspace -+^^^^^^^^^^^^^^^^^^^^ -+ -+ If all userspace applications are from trusted sources and do not -+ execute externally supplied untrusted code, then the mitigations can -+ be disabled. -+ -+2. Protect sensitive programs -+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -+ -+ For security-sensitive programs that have secrets (e.g. crypto -+ keys), protection against Spectre variant 2 can be put in place by -+ disabling indirect branch speculation when the program is running -+ (See :ref:`Documentation/userspace-api/spec_ctrl.rst `). -+ -+3. Sandbox untrusted programs -+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -+ -+ Untrusted programs that could be a source of attacks can be cordoned -+ off by disabling their indirect branch speculation when they are run -+ (See :ref:`Documentation/userspace-api/spec_ctrl.rst `). -+ This prevents untrusted programs from polluting the branch target -+ buffer. All programs running in SECCOMP sandboxes have indirect -+ branch speculation restricted by default. This behavior can be -+ changed via the kernel command line and sysfs control files. See -+ :ref:`spectre_mitigation_control_command_line`. -+ -+3. High security mode -+^^^^^^^^^^^^^^^^^^^^^ -+ -+ All Spectre variant 2 mitigations can be forced on -+ at boot time for all programs (See the "on" option in -+ :ref:`spectre_mitigation_control_command_line`). This will add -+ overhead as indirect branch speculations for all programs will be -+ restricted. -+ -+ On x86, branch target buffer will be flushed with IBPB when switching -+ to a new program. STIBP is left on all the time to protect programs -+ against variant 2 attacks originating from programs running on -+ sibling threads. -+ -+ Alternatively, STIBP can be used only when running programs -+ whose indirect branch speculation is explicitly disabled, -+ while IBPB is still used all the time when switching to a new -+ program to clear the branch target buffer (See "ibpb" option in -+ :ref:`spectre_mitigation_control_command_line`). 
This "ibpb" option -+ has less performance cost than the "on" option, which leaves STIBP -+ on all the time. -+ -+References on Spectre -+--------------------- -+ -+Intel white papers: -+ -+.. _spec_ref1: -+ -+[1] `Intel analysis of speculative execution side channels `_. -+ -+.. _spec_ref2: -+ -+[2] `Bounds check bypass `_. -+ -+.. _spec_ref3: -+ -+[3] `Deep dive: Retpoline: A branch target injection mitigation `_. -+ -+.. _spec_ref4: -+ -+[4] `Deep Dive: Single Thread Indirect Branch Predictors `_. -+ -+AMD white papers: -+ -+.. _spec_ref5: -+ -+[5] `AMD64 technology indirect branch control extension `_. -+ -+.. _spec_ref6: -+ -+[6] `Software techniques for managing speculation on AMD processors `_. -+ -+ARM white papers: -+ -+.. _spec_ref7: -+ -+[7] `Cache speculation side-channels `_. -+ -+.. _spec_ref8: -+ -+[8] `Cache speculation issues update `_. -+ -+Google white paper: -+ -+.. _spec_ref9: -+ -+[9] `Retpoline: a software construct for preventing branch-target-injection `_. -+ -+MIPS white paper: -+ -+.. _spec_ref10: -+ -+[10] `MIPS: response on speculative execution and side channel vulnerabilities `_. -+ -+Academic papers: -+ -+.. _spec_ref11: -+ -+[11] `Spectre Attacks: Exploiting Speculative Execution `_. -+ -+.. _spec_ref12: -+ -+[12] `NetSpectre: Read Arbitrary Memory over Network `_. -+ -+.. _spec_ref13: -+ -+[13] `Spectre Returns! Speculation Attacks using the Return Stack Buffer `_. -diff --git a/Documentation/userspace-api/spec_ctrl.rst b/Documentation/userspace-api/spec_ctrl.rst -index c4dbe6f7cdae..0fda8f614110 100644 ---- a/Documentation/userspace-api/spec_ctrl.rst -+++ b/Documentation/userspace-api/spec_ctrl.rst -@@ -47,6 +47,8 @@ If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is - available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation - misfeature will fail. - -+.. _set_spec_ctrl: -+ - PR_SET_SPECULATION_CTRL - ----------------------- - --- -2.20.1 - 
diff --git a/debian/patches/bugfix/all/Documentation-Add-swapgs-description-to-the-Spectre-.patch b/debian/patches/bugfix/all/Documentation-Add-swapgs-description-to-the-Spectre-.patch
deleted file mode 100644
index 4513a1dca..000000000
--- a/debian/patches/bugfix/all/Documentation-Add-swapgs-description-to-the-Spectre-.patch
+++ /dev/null
@@ -1,170 +0,0 @@ -From: Josh Poimboeuf -Date: Sat, 3 Aug 2019 21:21:54 +0200 -Subject: Documentation: Add swapgs description to the Spectre v1 documentation -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7634b9cd27e8f867dd3438d262c78d4b9262497f -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-1125 - -commit 4c92057661a3412f547ede95715641d7ee16ddac upstream - -Add documentation to the Spectre document about the new swapgs variant of -Spectre v1. - -Signed-off-by: Josh Poimboeuf -Signed-off-by: Thomas Gleixner -Signed-off-by: Greg Kroah-Hartman ---- - Documentation/admin-guide/hw-vuln/spectre.rst | 88 +++++++++++++++++-- - 1 file changed, 80 insertions(+), 8 deletions(-) - -diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst -index 25f3b2532198..e05e581af5cf 100644 ---- a/Documentation/admin-guide/hw-vuln/spectre.rst -+++ b/Documentation/admin-guide/hw-vuln/spectre.rst -@@ -41,10 +41,11 @@ Related CVEs - - The following CVE entries describe Spectre variants: - -- ============= ======================= ================= -+ ============= ======================= ========================== - CVE-2017-5753 Bounds check bypass Spectre variant 1 - CVE-2017-5715 Branch target injection Spectre variant 2 -- ============= ======================= ================= -+ CVE-2019-1125 Spectre v1 swapgs Spectre variant 1 (swapgs) -+ ============= ======================= ========================== - - Problem - ------- -@@ -78,6 +79,13 @@ There are some extensions of Spectre variant 1 attacks for reading data - over the network, see :ref:`[12] `. However such attacks - are difficult, low bandwidth, fragile, and are considered low risk. - -+Note that, despite "Bounds Check Bypass" name, Spectre variant 1 is not -+only about user-controlled array bounds checks. It can affect any -+conditional checks. 
The kernel entry code interrupt, exception, and NMI -+handlers all have conditional swapgs checks. Those may be problematic -+in the context of Spectre v1, as kernel code can speculatively run with -+a user GS. -+ - Spectre variant 2 (Branch Target Injection) - ------------------------------------------- - -@@ -132,6 +140,9 @@ not cover all possible attack vectors. - 1. A user process attacking the kernel - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -+Spectre variant 1 -+~~~~~~~~~~~~~~~~~ -+ - The attacker passes a parameter to the kernel via a register or - via a known address in memory during a syscall. Such parameter may - be used later by the kernel as an index to an array or to derive -@@ -144,7 +155,40 @@ not cover all possible attack vectors. - potentially be influenced for Spectre attacks, new "nospec" accessor - macros are used to prevent speculative loading of data. - -- Spectre variant 2 attacker can :ref:`poison ` the branch -+Spectre variant 1 (swapgs) -+~~~~~~~~~~~~~~~~~~~~~~~~~~ -+ -+ An attacker can train the branch predictor to speculatively skip the -+ swapgs path for an interrupt or exception. If they initialize -+ the GS register to a user-space value, if the swapgs is speculatively -+ skipped, subsequent GS-related percpu accesses in the speculation -+ window will be done with the attacker-controlled GS value. This -+ could cause privileged memory to be accessed and leaked. -+ -+ For example: -+ -+ :: -+ -+ if (coming from user space) -+ swapgs -+ mov %gs:, %reg -+ mov (%reg), %reg1 -+ -+ When coming from user space, the CPU can speculatively skip the -+ swapgs, and then do a speculative percpu load using the user GS -+ value. So the user can speculatively force a read of any kernel -+ value. If a gadget exists which uses the percpu value as an address -+ in another load/store, then the contents of the kernel value may -+ become visible via an L1 side channel attack. -+ -+ A similar attack exists when coming from kernel space. 
The CPU can -+ speculatively do the swapgs, causing the user GS to get used for the -+ rest of the speculative window. -+ -+Spectre variant 2 -+~~~~~~~~~~~~~~~~~ -+ -+ A spectre variant 2 attacker can :ref:`poison ` the branch - target buffer (BTB) before issuing syscall to launch an attack. - After entering the kernel, the kernel could use the poisoned branch - target buffer on indirect jump and jump to gadget code in speculative -@@ -280,11 +324,18 @@ The sysfs file showing Spectre variant 1 mitigation status is: - - The possible values in this file are: - -- ======================================= ================================= -- 'Mitigation: __user pointer sanitation' Protection in kernel on a case by -- case base with explicit pointer -- sanitation. -- ======================================= ================================= -+ .. list-table:: -+ -+ * - 'Not affected' -+ - The processor is not vulnerable. -+ * - 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers' -+ - The swapgs protections are disabled; otherwise it has -+ protection in the kernel on a case by case base with explicit -+ pointer sanitation and usercopy LFENCE barriers. -+ * - 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization' -+ - Protection in the kernel on a case by case base with explicit -+ pointer sanitation, usercopy LFENCE barriers, and swapgs LFENCE -+ barriers. - - However, the protections are put in place on a case by case basis, - and there is no guarantee that all possible attack vectors for Spectre -@@ -366,12 +417,27 @@ Turning on mitigation for Spectre variant 1 and Spectre variant 2 - 1. Kernel mitigation - ^^^^^^^^^^^^^^^^^^^^ - -+Spectre variant 1 -+~~~~~~~~~~~~~~~~~ -+ - For the Spectre variant 1, vulnerable kernel code (as determined - by code audit or scanning tools) is annotated on a case by case - basis to use nospec accessor macros for bounds clipping :ref:`[2] - ` to avoid any usable disclosure gadgets. 
However, it may - not cover all attack vectors for Spectre variant 1. - -+ Copy-from-user code has an LFENCE barrier to prevent the access_ok() -+ check from being mis-speculated. The barrier is done by the -+ barrier_nospec() macro. -+ -+ For the swapgs variant of Spectre variant 1, LFENCE barriers are -+ added to interrupt, exception and NMI entry where needed. These -+ barriers are done by the FENCE_SWAPGS_KERNEL_ENTRY and -+ FENCE_SWAPGS_USER_ENTRY macros. -+ -+Spectre variant 2 -+~~~~~~~~~~~~~~~~~ -+ - For Spectre variant 2 mitigation, the compiler turns indirect calls or - jumps in the kernel into equivalent return trampolines (retpolines) - :ref:`[3] ` :ref:`[9] ` to go to the target -@@ -473,6 +539,12 @@ Mitigation control on the kernel command line - Spectre variant 2 mitigation can be disabled or force enabled at the - kernel command line. - -+ nospectre_v1 -+ -+ [X86,PPC] Disable mitigations for Spectre Variant 1 -+ (bounds check bypass). With this option data leaks are -+ possible in the system. -+ - nospectre_v2 - - [X86] Disable all mitigations for the Spectre variant 2 --- -2.20.1 - diff --git a/debian/patches/bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch b/debian/patches/bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch deleted file mode 100644 index 870262324..000000000 --- a/debian/patches/bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From: Todd Kjos -Date: Fri, 1 Mar 2019 15:06:06 -0800 -Subject: binder: fix race between munmap() and direct reclaim -Origin: https://git.kernel.org/linus/5cec2d2e5839f9c0fec319c523a911e0a7fd299f -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-1999 - -An munmap() on a binder device causes binder_vma_close() to be called -which clears the alloc->vma pointer. - -If direct reclaim causes binder_alloc_free_page() to be called, there -is a race where alloc->vma is read into a local vma pointer and then -used later after the mm->mmap_sem is acquired. This can result in -calling zap_page_range() with an invalid vma which manifests as a -use-after-free in zap_page_range(). - -The fix is to check alloc->vma after acquiring the mmap_sem (which we -were acquiring anyway) and skip zap_page_range() if it has changed -to NULL. - -Signed-off-by: Todd Kjos -Reviewed-by: Joel Fernandes (Google) -Cc: stable -Signed-off-by: Greg Kroah-Hartman ---- - drivers/android/binder_alloc.c | 17 ++++++++--------- - 1 file changed, 8 insertions(+), 9 deletions(-) - -diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c -index 030c98f35cca..3863ef78e40f 100644 ---- a/drivers/android/binder_alloc.c -+++ b/drivers/android/binder_alloc.c -@@ -958,14 +958,13 @@ enum lru_status binder_alloc_free_page(struct list_head *item, - - index = page - alloc->pages; - page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE; -+ -+ mm = alloc->vma_vm_mm; -+ if (!mmget_not_zero(mm)) -+ goto err_mmget; -+ if (!down_write_trylock(&mm->mmap_sem)) -+ goto err_down_write_mmap_sem_failed; - vma = binder_alloc_get_vma(alloc); -- if (vma) { -- if (!mmget_not_zero(alloc->vma_vm_mm)) -- goto err_mmget; -- mm = alloc->vma_vm_mm; -- if (!down_write_trylock(&mm->mmap_sem)) -- goto err_down_write_mmap_sem_failed; -- } - - list_lru_isolate(lru, item); - spin_unlock(lock); -@@ -979,9 +978,9 @@ enum lru_status binder_alloc_free_page(struct list_head *item, - - 
trace_binder_unmap_user_end(alloc, index); - -- up_write(&mm->mmap_sem); -- mmput(mm); - } -+ up_write(&mm->mmap_sem); -+ mmput(mm); - - trace_binder_unmap_kernel_start(alloc, index); - --- -2.20.1 - diff --git a/debian/patches/bugfix/all/brcmfmac-add-subtype-check-for-event-handling-in-dat.patch b/debian/patches/bugfix/all/brcmfmac-add-subtype-check-for-event-handling-in-dat.patch deleted file mode 100644 index 0c4910f5e..000000000 --- a/debian/patches/bugfix/all/brcmfmac-add-subtype-check-for-event-handling-in-dat.patch +++ /dev/null 
@@ -1,106 +0,0 @@ -From: Arend van Spriel -Date: Thu, 14 Feb 2019 13:43:48 +0100 -Subject: brcmfmac: add subtype check for event handling in data path -Origin: https://git.kernel.org/linus/a4176ec356c73a46c07c181c6d04039fafa34a9f -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-9503 - -For USB there is no separate channel being used to pass events -from firmware to the host driver and as such are passed over the -data path. In order to detect mock event messages an additional -check is needed on event subtype. This check is added conditionally -using unlikely() keyword. - -Reviewed-by: Hante Meuleman -Reviewed-by: Pieter-Paul Giesberts -Reviewed-by: Franky Lin -Signed-off-by: Arend van Spriel -Signed-off-by: Kalle Valo ---- - .../wireless/broadcom/brcm80211/brcmfmac/core.c | 5 +++-- - .../wireless/broadcom/brcm80211/brcmfmac/fweh.h | 16 ++++++++++++---- - .../broadcom/brcm80211/brcmfmac/msgbuf.c | 2 +- - 3 files changed, 16 insertions(+), 7 deletions(-) - -diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -index e772c0845638..a368ba6e7344 100644 ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -@@ -519,7 +519,8 @@ void brcmf_rx_frame(struct device *dev, struct sk_buff *skb, bool handle_event) - } else { - /* Process special event packets */ - if (handle_event) -- brcmf_fweh_process_skb(ifp->drvr, skb); -+ brcmf_fweh_process_skb(ifp->drvr, skb, -+ BCMILCP_SUBTYPE_VENDOR_LONG); - - brcmf_netif_rx(ifp, skb); - } -@@ -536,7 +537,7 @@ void brcmf_rx_event(struct device *dev, struct sk_buff *skb) - if (brcmf_rx_hdrpull(drvr, skb, &ifp)) - return; - -- brcmf_fweh_process_skb(ifp->drvr, skb); -+ brcmf_fweh_process_skb(ifp->drvr, skb, 0); - brcmu_pkt_buf_free_skb(skb); - } - -diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h 
b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h -index 31f3e8e83a21..7027243db17e 100644 ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h -@@ -211,7 +211,7 @@ enum brcmf_fweh_event_code { - */ - #define BRCM_OUI "\x00\x10\x18" - #define BCMILCP_BCM_SUBTYPE_EVENT 1 -- -+#define BCMILCP_SUBTYPE_VENDOR_LONG 32769 - - /** - * struct brcm_ethhdr - broadcom specific ether header. -@@ -334,10 +334,10 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, - void brcmf_fweh_p2pdev_setup(struct brcmf_if *ifp, bool ongoing); - - static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr, -- struct sk_buff *skb) -+ struct sk_buff *skb, u16 stype) - { - struct brcmf_event *event_packet; -- u16 usr_stype; -+ u16 subtype, usr_stype; - - /* only process events when protocol matches */ - if (skb->protocol != cpu_to_be16(ETH_P_LINK_CTL)) -@@ -346,8 +346,16 @@ static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr, - if ((skb->len + ETH_HLEN) < sizeof(*event_packet)) - return; - -- /* check for BRCM oui match */ - event_packet = (struct brcmf_event *)skb_mac_header(skb); -+ -+ /* check subtype if needed */ -+ if (unlikely(stype)) { -+ subtype = get_unaligned_be16(&event_packet->hdr.subtype); -+ if (subtype != stype) -+ return; -+ } -+ -+ /* check for BRCM oui match */ - if (memcmp(BRCM_OUI, &event_packet->hdr.oui[0], - sizeof(event_packet->hdr.oui))) - return; -diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c -index 4e8397a0cbc8..ee922b052561 100644 ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c -@@ -1116,7 +1116,7 @@ static void brcmf_msgbuf_process_event(struct brcmf_msgbuf *msgbuf, void *buf) - - skb->protocol = eth_type_trans(skb, ifp->ndev); - -- brcmf_fweh_process_skb(ifp->drvr, skb); -+ 
brcmf_fweh_process_skb(ifp->drvr, skb, 0); - - exit: - brcmu_pkt_buf_free_skb(skb); --- -2.20.1 - diff --git a/debian/patches/bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch b/debian/patches/bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch deleted file mode 100644 index 421a7dcfe..000000000 --- a/debian/patches/bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Arend van Spriel -Date: Thu, 14 Feb 2019 13:43:47 +0100 -Subject: brcmfmac: assure SSID length from firmware is limited -Origin: https://git.kernel.org/linus/1b5e2423164b3670e8bc9174e4762d297990deff -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-9500 - -The SSID length as received from firmware should not exceed -IEEE80211_MAX_SSID_LEN as that would result in heap overflow. - -Reviewed-by: Hante Meuleman -Reviewed-by: Pieter-Paul Giesberts -Reviewed-by: Franky Lin -Signed-off-by: Arend van Spriel -Signed-off-by: Kalle Valo ---- - drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -index b5e291ed9496..012275fc3bf7 100644 ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -@@ -3507,6 +3507,8 @@ brcmf_wowl_nd_results(struct brcmf_if *ifp, const struct brcmf_event_msg *e, - } - - netinfo = brcmf_get_netinfo_array(pfn_result); -+ if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN) -+ netinfo->SSID_len = IEEE80211_MAX_SSID_LEN; - memcpy(cfg->wowl.nd->ssid.ssid, netinfo->SSID, netinfo->SSID_len); - cfg->wowl.nd->ssid.ssid_len = netinfo->SSID_len; - cfg->wowl.nd->n_channels = 1; --- -2.20.1 - 
diff --git a/debian/patches/bugfix/all/ext4-zero-out-the-unused-memory-region-in-the-extent.patch b/debian/patches/bugfix/all/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
deleted file mode 100644
index 05266fb89..000000000
--- a/debian/patches/bugfix/all/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
+++ /dev/null
@@ -1,82 +0,0 @@ -From: Sriram Rajagopalan -Date: Fri, 10 May 2019 19:28:06 -0400 -Subject: ext4: zero out the unused memory region in the extent tree block -Origin: https://git.kernel.org/linus/592acbf16821288ecdc4192c47e3774a4c48bb64 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11833 - -This commit zeroes out the unused memory region in the buffer_head -corresponding to the extent metablock after writing the extent header -and the corresponding extent node entries. - -This is done to prevent random uninitialized data from getting into -the filesystem when the extent block is synced. - -This fixes CVE-2019-11833. - -Signed-off-by: Sriram Rajagopalan -Signed-off-by: Theodore Ts'o -Cc: stable@kernel.org ---- - fs/ext4/extents.c | 17 +++++++++++++++-- - 1 file changed, 15 insertions(+), 2 deletions(-) - -diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c -index 0f89f5190cd7..f2c62e2a0c98 100644 ---- a/fs/ext4/extents.c -+++ b/fs/ext4/extents.c -@@ -1035,6 +1035,7 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode, - __le32 border; - ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */ - int err = 0; -+ size_t ext_size = 0; - - /* make decision: where to split? 
*/ - /* FIXME: now decision is simplest: at current extent */ -@@ -1126,6 +1127,10 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode, - le16_add_cpu(&neh->eh_entries, m); - } - -+ /* zero out unused area in the extent block */ -+ ext_size = sizeof(struct ext4_extent_header) + -+ sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries); -+ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); - ext4_extent_block_csum_set(inode, neh); - set_buffer_uptodate(bh); - unlock_buffer(bh); -@@ -1205,6 +1210,11 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode, - sizeof(struct ext4_extent_idx) * m); - le16_add_cpu(&neh->eh_entries, m); - } -+ /* zero out unused area in the extent block */ -+ ext_size = sizeof(struct ext4_extent_header) + -+ (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries)); -+ memset(bh->b_data + ext_size, 0, -+ inode->i_sb->s_blocksize - ext_size); - ext4_extent_block_csum_set(inode, neh); - set_buffer_uptodate(bh); - unlock_buffer(bh); -@@ -1270,6 +1280,7 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode, - ext4_fsblk_t newblock, goal = 0; - struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es; - int err = 0; -+ size_t ext_size = 0; - - /* Try to prepend new index to old one */ - if (ext_depth(inode)) -@@ -1295,9 +1306,11 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode, - goto out; - } - -+ ext_size = sizeof(EXT4_I(inode)->i_data); - /* move top-level index/leaf into new block */ -- memmove(bh->b_data, EXT4_I(inode)->i_data, -- sizeof(EXT4_I(inode)->i_data)); -+ memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size); -+ /* zero out unused area in the extent block */ -+ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); - - /* set size of new block */ - neh = ext_block_hdr(bh); --- -2.20.1 - 
diff --git a/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch b/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch index 5d58925eb..f87f5434a 100644 --- a/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch +++ b/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch @@ -25,7 +25,7 @@ upstream submission. if (head->magic != 0x4e657458) { --- a/arch/x86/kernel/cpu/microcode/amd.c +++ b/arch/x86/kernel/cpu/microcode/amd.c -@@ -747,10 +747,8 @@ static enum ucode_state request_microcod +@@ -755,10 +755,8 @@ static enum ucode_state request_microcod if (c->x86 >= 0x15) snprintf(fw_name, sizeof(fw_name), "amd-ucode/microcode_amd_fam%.2xh.bin", c->x86); @@ -175,7 +175,7 @@ upstream submission. fw->size, fw_name); --- a/drivers/dma/imx-sdma.c +++ b/drivers/dma/imx-sdma.c -@@ -1475,11 +1475,8 @@ static void sdma_load_firmware(const str +@@ -1674,11 +1674,8 @@ static void sdma_load_firmware(const str const struct sdma_script_start_addrs *addr; unsigned short *ram_code; @@ -285,7 +285,7 @@ upstream submission. ret = qib_ibsd_ucode_loaded(dd->pport, fw); --- a/drivers/input/touchscreen/atmel_mxt_ts.c +++ b/drivers/input/touchscreen/atmel_mxt_ts.c -@@ -2760,10 +2760,8 @@ static int mxt_load_fw(struct device *de +@@ -2783,10 +2783,8 @@ static int mxt_load_fw(struct device *de int ret; ret = request_firmware(&fw, fn, dev); @@ -314,7 +314,7 @@ upstream submission. card->name, firmware->size); --- a/drivers/media/tuners/tuner-xc2028.c +++ b/drivers/media/tuners/tuner-xc2028.c -@@ -1368,7 +1368,6 @@ static void load_firmware_cb(const struc +@@ -1367,7 +1367,6 @@ static void load_firmware_cb(const struc tuner_dbg("request_firmware_nowait(): %s\n", fw ? "OK" : "error"); if (!fw) { @@ -324,7 +324,7 @@ upstream submission. } --- a/drivers/media/usb/dvb-usb/dib0700_devices.c 
+++ b/drivers/media/usb/dvb-usb/dib0700_devices.c -@@ -2415,12 +2415,9 @@ static int stk9090m_frontend_attach(stru +@@ -2416,12 +2416,9 @@ static int stk9090m_frontend_attach(stru dib9000_i2c_enumeration(&adap->dev->i2c_adap, 1, 0x10, 0x80); @@ -339,7 +339,7 @@ upstream submission. stk9090m_config.microcode_B_fe_size = state->frontend_firmware->size; stk9090m_config.microcode_B_fe_buffer = state->frontend_firmware->data; -@@ -2481,12 +2478,9 @@ static int nim9090md_frontend_attach(str +@@ -2482,12 +2479,9 @@ static int nim9090md_frontend_attach(str msleep(20); dib0700_set_gpio(adap->dev, GPIO0, GPIO_OUT, 1); @@ -472,7 +472,7 @@ upstream submission. if (!state->microcode) { --- a/drivers/media/dvb-frontends/drxk_hard.c +++ b/drivers/media/dvb-frontends/drxk_hard.c -@@ -6287,10 +6287,6 @@ static void load_firmware_cb(const struc +@@ -6281,10 +6281,6 @@ static void load_firmware_cb(const struc dprintk(1, ": %s\n", fw ? "firmware loaded" : "firmware not loaded"); if (!fw) { @@ -751,7 +751,7 @@ upstream submission. packet_num = ptr[0]; --- a/drivers/media/radio/wl128x/fmdrv_common.c +++ b/drivers/media/radio/wl128x/fmdrv_common.c -@@ -1242,10 +1242,8 @@ static int fm_download_firmware(struct f +@@ -1245,10 +1245,8 @@ static int fm_download_firmware(struct f ret = request_firmware(&fw_entry, fw_name, &fmdev->radio_dev->dev); @@ -944,7 +944,7 @@ upstream submission. --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c -@@ -1377,25 +1377,6 @@ static int pvr2_locate_firmware(struct p +@@ -1379,25 +1379,6 @@ static int pvr2_locate_firmware(struct p "request_firmware fatal error with code=%d",ret); return ret; } @@ -1015,7 +1015,7 @@ upstream submission. __func__, fw->size); --- a/drivers/misc/ti-st/st_kim.c 
+++ b/drivers/misc/ti-st/st_kim.c -@@ -302,11 +302,8 @@ static long download_firmware(struct kim +@@ -301,11 +301,8 @@ static long download_firmware(struct kim request_firmware(&kim_gdata->fw_entry, bts_scr_name, &kim_gdata->kim_pdev->dev); if (unlikely((err != 0) || (kim_gdata->fw_entry->data == NULL) || @@ -1088,7 +1088,7 @@ upstream submission. fw_tx->size, FIRMWARE_TX); --- a/drivers/net/ethernet/alteon/acenic.c +++ b/drivers/net/ethernet/alteon/acenic.c -@@ -2892,11 +2892,8 @@ static int ace_load_firmware(struct net_ +@@ -2890,11 +2890,8 @@ static int ace_load_firmware(struct net_ fw_name = "acenic/tg1.bin"; ret = request_firmware(&fw, fw_name, &ap->pdev->dev); @@ -1125,7 +1125,7 @@ upstream submission. if (bp->mips_firmware->size < sizeof(*mips_fw) || --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c -@@ -13524,11 +13524,8 @@ static int bnx2x_init_firmware(struct bn +@@ -13550,11 +13550,8 @@ static int bnx2x_init_firmware(struct bn BNX2X_DEV_INFO("Loading %s\n", fw_file_name); rc = request_firmware(&bp->firmware, fw_file_name, &bp->pdev->dev); @@ -1140,7 +1140,7 @@ upstream submission. if (rc) { --- a/drivers/net/ethernet/broadcom/tg3.c +++ b/drivers/net/ethernet/broadcom/tg3.c -@@ -11380,11 +11380,8 @@ static int tg3_request_firmware(struct t +@@ -11408,11 +11408,8 @@ static int tg3_request_firmware(struct t { const struct tg3_firmware_hdr *fw_hdr; @@ -1169,7 +1169,7 @@ upstream submission. *bfi_image_size = fw->size/sizeof(u32); --- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c -@@ -1037,12 +1037,8 @@ int t3_get_edc_fw(struct cphy *phy, int +@@ -1038,12 +1038,8 @@ int t3_get_edc_fw(struct cphy *phy, int fw_name = get_edc_fw_name(edc_idx); if (fw_name) ret = request_firmware(&fw, fw_name, &adapter->pdev->dev); 
@@ -1183,7 +1183,7 @@ upstream submission. /* check size, take checksum in account */ if (fw->size > size + 4) { -@@ -1079,11 +1075,8 @@ static int upgrade_fw(struct adapter *ad +@@ -1080,11 +1076,8 @@ static int upgrade_fw(struct adapter *ad struct device *dev = &adap->pdev->dev; ret = request_firmware(&fw, FW_FNAME, dev); @@ -1196,7 +1196,7 @@ upstream submission. ret = t3_load_fw(adap, fw->data, fw->size); release_firmware(fw); -@@ -1128,11 +1121,8 @@ static int update_tpsram(struct adapter +@@ -1129,11 +1122,8 @@ static int update_tpsram(struct adapter snprintf(buf, sizeof(buf), TPSRAM_NAME, rev); ret = request_firmware(&tpsram, buf, dev); @@ -1248,7 +1248,7 @@ upstream submission. for (i = 0; i < fw->size; i++) { --- a/drivers/net/ethernet/sun/cassini.c +++ b/drivers/net/ethernet/sun/cassini.c -@@ -818,11 +818,8 @@ static void cas_saturn_firmware_init(str +@@ -805,11 +805,8 @@ static void cas_saturn_firmware_init(str return; err = request_firmware(&fw, fw_name, &cp->pdev->dev); @@ -1292,7 +1292,7 @@ upstream submission. dev_err(&kaweth->intf->dev, "Firmware too big: %zu\n", --- a/drivers/net/wimax/i2400m/fw.c +++ b/drivers/net/wimax/i2400m/fw.c -@@ -1582,11 +1582,8 @@ int i2400m_dev_bootstrap(struct i2400m * +@@ -1581,11 +1581,8 @@ int i2400m_dev_bootstrap(struct i2400m * } d_printf(1, dev, "trying firmware %s (%d)\n", fw_name, itr); ret = request_firmware(&fw, fw_name, dev); @@ -1305,7 +1305,7 @@ upstream submission. i2400m->fw_name = fw_name; ret = i2400m_fw_bootstrap(i2400m, fw, flags); release_firmware(fw); -@@ -1629,8 +1626,6 @@ void i2400m_fw_cache(struct i2400m *i240 +@@ -1628,8 +1625,6 @@ void i2400m_fw_cache(struct i2400m *i240 kref_init(&i2400m_fw->kref); result = request_firmware(&i2400m_fw->fw, i2400m->fw_name, dev); if (result < 0) { @@ -1333,7 +1333,7 @@ upstream submission. fwh = (struct at76_fw_header *)(fwe->fw->data); --- a/drivers/net/wireless/ath/ath9k/hif_usb.c 
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c -@@ -1163,9 +1163,6 @@ static void ath9k_hif_usb_firmware_cb(co +@@ -1164,9 +1164,6 @@ static void ath9k_hif_usb_firmware_cb(co if (!ret) return; @@ -1345,7 +1345,7 @@ upstream submission. --- a/drivers/net/wireless/ath/carl9170/usb.c +++ b/drivers/net/wireless/ath/carl9170/usb.c -@@ -1031,7 +1031,6 @@ static void carl9170_usb_firmware_step2( +@@ -1029,7 +1029,6 @@ static void carl9170_usb_firmware_step2( return; } @@ -1355,7 +1355,7 @@ upstream submission. --- a/drivers/net/wireless/atmel/atmel.c +++ b/drivers/net/wireless/atmel/atmel.c -@@ -3897,12 +3897,8 @@ static int reset_atmel_card(struct net_d +@@ -3893,12 +3893,8 @@ static int reset_atmel_card(struct net_d strcpy(priv->firmware_id, "atmel_at76c502.bin"); } err = request_firmware(&fw_entry, priv->firmware_id, priv->sys_dev); @@ -1433,7 +1433,7 @@ upstream submission. } --- a/drivers/net/wireless/intel/ipw2x00/ipw2100.c +++ b/drivers/net/wireless/intel/ipw2x00/ipw2100.c -@@ -8417,12 +8417,8 @@ static int ipw2100_get_firmware(struct i +@@ -8410,12 +8410,8 @@ static int ipw2100_get_firmware(struct i rc = request_firmware(&fw->fw_entry, fw_name, &priv->pci_dev->dev); @@ -1463,7 +1463,7 @@ upstream submission. IPW_ERROR("%s is too small (%zd)\n", name, (*raw)->size); --- a/drivers/net/wireless/intel/iwlegacy/3945-mac.c +++ b/drivers/net/wireless/intel/iwlegacy/3945-mac.c -@@ -1861,7 +1861,6 @@ il3945_read_ucode(struct il_priv *il) +@@ -1854,7 +1854,6 @@ il3945_read_ucode(struct il_priv *il) sprintf(buf, "%s%u%s", name_pre, idx, ".ucode"); ret = request_firmware(&ucode_raw, buf, &il->pci_dev->dev); if (ret < 0) { @@ -1484,7 +1484,7 @@ upstream submission. cfg->ucode_api_max); --- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c 
+++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c -@@ -818,8 +818,6 @@ static int if_usb_prog_firmware(struct i +@@ -817,8 +817,6 @@ static int if_usb_prog_firmware(struct i kernel_param_lock(THIS_MODULE); ret = request_firmware(&cardp->fw, lbtf_fw_name, &cardp->udev->dev); if (ret < 0) { @@ -1495,7 +1495,7 @@ upstream submission. } --- a/drivers/net/wireless/marvell/mwifiex/main.c +++ b/drivers/net/wireless/marvell/mwifiex/main.c -@@ -525,11 +525,8 @@ static int _mwifiex_fw_dpc(const struct +@@ -528,11 +528,8 @@ static int _mwifiex_fw_dpc(const struct struct wireless_dev *wdev; struct completion *fw_done = adapter->fw_done; @@ -1510,7 +1510,7 @@ upstream submission. adapter->firmware = firmware; --- a/drivers/net/wireless/marvell/mwl8k.c +++ b/drivers/net/wireless/marvell/mwl8k.c -@@ -5719,16 +5719,12 @@ static int mwl8k_firmware_load_success(s +@@ -5724,16 +5724,12 @@ static int mwl8k_firmware_load_success(s static void mwl8k_fw_state_machine(const struct firmware *fw, void *context) { struct mwl8k_priv *priv = context; @@ -1528,7 +1528,7 @@ upstream submission. priv->fw_helper = fw; rc = mwl8k_request_fw(priv, priv->fw_pref, &priv->fw_ucode, true); -@@ -5763,11 +5759,8 @@ static void mwl8k_fw_state_machine(const +@@ -5768,11 +5764,8 @@ static void mwl8k_fw_state_machine(const break; case FW_STATE_LOADING_ALT: @@ -1541,7 +1541,7 @@ upstream submission. priv->fw_ucode = fw; rc = mwl8k_firmware_load_success(priv); if (rc) -@@ -5805,10 +5798,8 @@ retry: +@@ -5810,10 +5803,8 @@ retry: /* Ask userland hotplug daemon for the device firmware */ rc = mwl8k_request_firmware(priv, fw_image, nowait); @@ -1623,14 +1623,14 @@ upstream submission. if (ret) { --- a/drivers/net/wireless/intersil/p54/p54usb.c 
+++ b/drivers/net/wireless/intersil/p54/p54usb.c -@@ -929,7 +929,6 @@ static void p54u_load_firmware_cb(const +@@ -931,7 +931,6 @@ static void p54u_load_firmware_cb(const err = p54u_start_ops(priv); } else { err = -ENOENT; - dev_err(&udev->dev, "Firmware not found.\n"); } - if (err) { + complete(&priv->fw_wait_load); --- a/drivers/net/wireless/intersil/prism54/islpci_dev.c +++ b/drivers/net/wireless/intersil/prism54/islpci_dev.c @@ -92,12 +92,9 @@ isl_upload_firmware(islpci_private *priv @@ -1716,7 +1716,7 @@ upstream submission. wl1251_error("nvs size is not multiple of 32 bits: %zu", --- a/drivers/net/wireless/ti/wlcore/main.c +++ b/drivers/net/wireless/ti/wlcore/main.c -@@ -755,10 +755,8 @@ static int wl12xx_fetch_firmware(struct +@@ -768,10 +768,8 @@ static int wl12xx_fetch_firmware(struct ret = request_firmware(&fw, fw_name, wl->dev); @@ -1835,7 +1835,7 @@ upstream submission. } --- a/drivers/scsi/ipr.c +++ b/drivers/scsi/ipr.c -@@ -4063,10 +4063,8 @@ static ssize_t ipr_store_update_fw(struc +@@ -4102,10 +4102,8 @@ static ssize_t ipr_store_update_fw(struc if (endline) *endline = '\0'; @@ -1873,7 +1873,7 @@ upstream submission. } --- a/drivers/scsi/qla2xxx/qla_init.c +++ b/drivers/scsi/qla2xxx/qla_init.c -@@ -7275,8 +7275,6 @@ qla2x00_load_risc(scsi_qla_host_t *vha, +@@ -7454,8 +7454,6 @@ qla2x00_load_risc(scsi_qla_host_t *vha, /* Load firmware blob. */ blob = qla2x00_request_firmware(vha); if (!blob) { @@ -1882,7 +1882,7 @@ upstream submission. ql_log(ql_log_info, vha, 0x0084, "Firmware images can be retrieved from: "QLA_FW_URL ".\n"); return QLA_FUNCTION_FAILED; -@@ -7378,8 +7376,6 @@ qla24xx_load_risc_blob(scsi_qla_host_t * +@@ -7557,8 +7555,6 @@ qla24xx_load_risc_blob(scsi_qla_host_t * /* Load firmware blob. */ blob = qla2x00_request_firmware(vha); if (!blob) { @@ -1908,7 +1908,7 @@ upstream submission. if (qla82xx_validate_firmware_blob(vha, --- a/drivers/scsi/qla2xxx/qla_os.c 
+++ b/drivers/scsi/qla2xxx/qla_os.c -@@ -6517,8 +6517,6 @@ qla2x00_request_firmware(scsi_qla_host_t +@@ -6533,8 +6533,6 @@ qla2x00_request_firmware(scsi_qla_host_t goto out; if (request_firmware(&blob->fw, blob->name, &ha->pdev->dev)) { @@ -2297,7 +2297,7 @@ upstream submission. --- a/drivers/usb/serial/ti_usb_3410_5052.c +++ b/drivers/usb/serial/ti_usb_3410_5052.c -@@ -1692,10 +1692,8 @@ static int ti_download_firmware(struct t +@@ -1693,10 +1693,8 @@ static int ti_download_firmware(struct t } check_firmware: @@ -2454,7 +2454,7 @@ upstream submission. snd_emu1010_fpga_read(emu, EMU_HANA_ID, ®); --- a/sound/pci/hda/hda_intel.c +++ b/sound/pci/hda/hda_intel.c -@@ -1971,10 +1971,8 @@ static void azx_firmware_cb(const struct +@@ -2077,10 +2077,8 @@ static void azx_firmware_cb(const struct struct azx *chip = card->private_data; struct pci_dev *pci = chip->pci; @@ -2524,7 +2524,7 @@ upstream submission. if (err) { --- a/sound/pci/rme9652/hdsp.c +++ b/sound/pci/rme9652/hdsp.c -@@ -5132,11 +5132,8 @@ static int hdsp_request_fw_loader(struct +@@ -5134,11 +5134,8 @@ static int hdsp_request_fw_loader(struct return -EINVAL; } diff --git a/debian/patches/bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch b/debian/patches/bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch deleted file mode 100644 index cb8b8bae0..000000000 --- a/debian/patches/bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From: Denis Efremov -Date: Fri, 12 Jul 2019 21:55:20 +0300 -Subject: floppy: fix div-by-zero in setup_format_params -Origin: https://git.kernel.org/linus/f3554aeb991214cbfafd17d55e2bfddb50282e32 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14284 - -[ Upstream commit f3554aeb991214cbfafd17d55e2bfddb50282e32 ] - -This fixes a divide by zero error in the setup_format_params function of -the floppy driver. - -Two consecutive ioctls can trigger the bug: The first one should set the -drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK -to become zero. Next, the floppy format operation should be called. - -A floppy disk is not required to be inserted. An unprivileged user -could trigger the bug if the device is accessible. - -The patch checks F_SECT_PER_TRACK for a non-zero value in the -set_geometry function. The proper check should involve a reasonable -upper limit for the .sect and .rate fields, but it could change the -UAPI. - -The patch also checks F_SECT_PER_TRACK in the setup_format_params, and -cancels the formatting operation in case of zero. - -The bug was found by syzkaller. - -Signed-off-by: Denis Efremov -Tested-by: Willy Tarreau -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin ---- - drivers/block/floppy.c | 5 +++++ - 1 file changed, 5 insertions(+) - -(limited to 'drivers/block/floppy.c') - -diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c -index a8de56f1936d..b1425b218606 100644 ---- a/drivers/block/floppy.c -+++ b/drivers/block/floppy.c -@@ -2119,6 +2119,9 @@ static void setup_format_params(int track) - raw_cmd->kernel_data = floppy_track_buffer; - raw_cmd->length = 4 * F_SECT_PER_TRACK; - -+ if (!F_SECT_PER_TRACK) -+ return; -+ - /* allow for about 30ms for data transport per track */ - head_shift = (F_SECT_PER_TRACK + 5) / 6; - -@@ -3243,6 +3246,8 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g, - /* sanity checking for parameters. 
*/ - if (g->sect <= 0 || - g->head <= 0 || -+ /* check for zero in F_SECT_PER_TRACK */ -+ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 || - g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) || - /* check if reserved bits are set */ - (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0) --- -cgit 1.2-0.3.lf.el7 - diff --git a/debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch b/debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch deleted file mode 100644 index 5df95a35d..000000000 --- a/debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From: Denis Efremov -Date: Fri, 12 Jul 2019 21:55:23 +0300 -Subject: floppy: fix out-of-bounds read in copy_buffer -Origin: https://git.kernel.org/linus/da99466ac243f15fbba65bd261bfc75ffa1532b6 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14283 - -[ Upstream commit da99466ac243f15fbba65bd261bfc75ffa1532b6 ] - -This fixes a global out-of-bounds read access in the copy_buffer -function of the floppy driver. - -The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect -and head fields (unsigned int) of the floppy_drive structure are used to -compute the max_sector (int) in the make_raw_rw_request function. It is -possible to overflow the max_sector. Next, max_sector is passed to the -copy_buffer function and used in one of the memcpy calls. - -An unprivileged user could trigger the bug if the device is accessible, -but requires a floppy disk to be inserted. - -The patch adds the check for the .sect * .head multiplication for not -overflowing in the set_geometry function. - -The bug was found by syzkaller. - -Signed-off-by: Denis Efremov -Tested-by: Willy Tarreau -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin ---- - drivers/block/floppy.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -(limited to 'drivers/block/floppy.c') - -diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c -index 8d69a8af8b78..4a9a4d12721a 100644 ---- a/drivers/block/floppy.c -+++ b/drivers/block/floppy.c -@@ -3244,8 +3244,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g, - int cnt; - - /* sanity checking for parameters. */ -- if (g->sect <= 0 || -- g->head <= 0 || -+ if ((int)g->sect <= 0 || -+ (int)g->head <= 0 || -+ /* check for overflow in max_sector */ -+ (int)(g->sect * g->head) <= 0 || - /* check for zero in F_SECT_PER_TRACK */ - (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 || - g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) || --- -cgit 1.2-0.3.lf.el7 - 
diff --git a/debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch b/debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch
deleted file mode 100644
index 0355e956a..000000000
--- a/debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch
+++ /dev/null
@@ -1,82 +0,0 @@ -From: Grant Hernandez -Date: Sat, 13 Jul 2019 01:00:12 -0700 -Subject: Input: gtco - bounds check collection indent level -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d657077eda7b5572d86f2f618391bb016b5d9a64 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13631 - -commit 2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1 upstream. - -The GTCO tablet input driver configures itself from an HID report sent -via USB during the initial enumeration process. Some debugging messages -are generated during the parsing. A debugging message indentation -counter is not bounds checked, leading to the ability for a specially -crafted HID report to cause '-' and null bytes be written past the end -of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG -enabled, this code will not be optimized out. This was discovered -during code review after a previous syzkaller bug was found in this -driver. - -Signed-off-by: Grant Hernandez -Cc: stable@vger.kernel.org -Signed-off-by: Dmitry Torokhov -Signed-off-by: Greg Kroah-Hartman ---- - drivers/input/tablet/gtco.c | 20 +++++++++++++++++--- - 1 file changed, 17 insertions(+), 3 deletions(-) - -diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c -index 4b8b9d7aa75e..35031228a6d0 100644 ---- a/drivers/input/tablet/gtco.c -+++ b/drivers/input/tablet/gtco.c -@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com - - /* Max size of a single report */ - #define REPORT_MAX_SIZE 10 -+#define MAX_COLLECTION_LEVELS 10 - - - /* Bitmask whether pen is in range */ -@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, - char maintype = 'x'; - char globtype[12]; - int indent = 0; -- char indentstr[10] = ""; -- -+ char indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 }; - - dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n"); - -@@ -350,6 +350,13 @@ static void parse_hid_report_descriptor(struct gtco *device, char * 
report, - case TAG_MAIN_COL_START: - maintype = 'S'; - -+ if (indent == MAX_COLLECTION_LEVELS) { -+ dev_err(ddev, "Collection level %d would exceed limit of %d\n", -+ indent + 1, -+ MAX_COLLECTION_LEVELS); -+ break; -+ } -+ - if (data == 0) { - dev_dbg(ddev, "======>>>>>> Physical\n"); - strcpy(globtype, "Physical"); -@@ -369,8 +376,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, - break; - - case TAG_MAIN_COL_END: -- dev_dbg(ddev, "<<<<<<======\n"); - maintype = 'E'; -+ -+ if (indent == 0) { -+ dev_err(ddev, "Collection level already at zero\n"); -+ break; -+ } -+ -+ dev_dbg(ddev, "<<<<<<======\n"); -+ - indent--; - for (x = 0; x < indent; x++) - indentstr[x] = '-'; --- -cgit 1.2-0.3.lf.el7 - diff --git a/debian/patches/bugfix/all/mm-mincore.c-make-mincore-more-conservative.patch b/debian/patches/bugfix/all/mm-mincore.c-make-mincore-more-conservative.patch deleted file mode 100644 index d502d26f6..000000000 --- a/debian/patches/bugfix/all/mm-mincore.c-make-mincore-more-conservative.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From: Jiri Kosina -Date: Tue, 14 May 2019 15:41:38 -0700 -Subject: mm/mincore.c: make mincore() more conservative -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit?id=f580a54bbd522f2518fd642f7d4d73ad728e5d58 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-5489 - -commit 134fca9063ad4851de767d1768180e5dede9a881 upstream. - -The semantics of what mincore() considers to be resident is not -completely clear, but Linux has always (since 2.3.52, which is when -mincore() was initially done) treated it as "page is available in page -cache". - -That's potentially a problem, as that [in]directly exposes -meta-information about pagecache / memory mapping state even about -memory not strictly belonging to the process executing the syscall, -opening possibilities for sidechannel attacks. - -Change the semantics of mincore() so that it only reveals pagecache -information for non-anonymous mappings that belog to files that the -calling process could (if it tried to) successfully open for writing; -otherwise we'd be including shared non-exclusive mappings, which - - - is the sidechannel - - - is not the usecase for mincore(), as that's primarily used for data, - not (shared) text - -[jkosina@suse.cz: v2] - Link: http://lkml.kernel.org/r/20190312141708.6652-2-vbabka@suse.cz -[mhocko@suse.com: restructure can_do_mincore() conditions] -Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1903062342020.19912@cbobk.fhfr.pm -Signed-off-by: Jiri Kosina -Signed-off-by: Vlastimil Babka -Acked-by: Josh Snyder -Acked-by: Michal Hocko -Originally-by: Linus Torvalds -Originally-by: Dominique Martinet -Cc: Andy Lutomirski -Cc: Dave Chinner -Cc: Kevin Easton -Cc: Matthew Wilcox -Cc: Cyril Hrubis -Cc: Tejun Heo -Cc: Kirill A. 
Shutemov -Cc: Daniel Gruss -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - mm/mincore.c | 23 ++++++++++++++++++++++- - 1 file changed, 22 insertions(+), 1 deletion(-) - -diff --git a/mm/mincore.c b/mm/mincore.c -index fc37afe226e6..2732c8c0764c 100644 ---- a/mm/mincore.c -+++ b/mm/mincore.c -@@ -169,6 +169,22 @@ static int mincore_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, - return 0; - } - -+static inline bool can_do_mincore(struct vm_area_struct *vma) -+{ -+ if (vma_is_anonymous(vma)) -+ return true; -+ if (!vma->vm_file) -+ return false; -+ /* -+ * Reveal pagecache information only for non-anonymous mappings that -+ * correspond to the files the calling process could (if tried) open -+ * for writing; otherwise we'd be including shared non-exclusive -+ * mappings, which opens a side channel. -+ */ -+ return inode_owner_or_capable(file_inode(vma->vm_file)) || -+ inode_permission(file_inode(vma->vm_file), MAY_WRITE) == 0; -+} -+ - /* - * Do a chunk of "sys_mincore()". We've already checked - * all the arguments, we hold the mmap semaphore: we should -@@ -189,8 +205,13 @@ static long do_mincore(unsigned long addr, unsigned long pages, unsigned char *v - vma = find_vma(current->mm, addr); - if (!vma || addr < vma->vm_start) - return -ENOMEM; -- mincore_walk.mm = vma->vm_mm; - end = min(vma->vm_end, addr + (pages << PAGE_SHIFT)); -+ if (!can_do_mincore(vma)) { -+ unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE); -+ memset(vec, 1, pages); -+ return pages; -+ } -+ mincore_walk.mm = vma->vm_mm; - err = walk_page_range(addr, end, &mincore_walk); - if (err < 0) - return err; diff --git a/debian/patches/bugfix/all/mwifiex-abort-at-too-short-bss-descriptor-element.patch b/debian/patches/bugfix/all/mwifiex-abort-at-too-short-bss-descriptor-element.patch deleted file mode 100644 index b0ac33338..000000000 
--- a/debian/patches/bugfix/all/mwifiex-abort-at-too-short-bss-descriptor-element.patch
+++ /dev/null
@@ -1,83 +0,0 @@ -From: Takashi Iwai -Date: Wed, 29 May 2019 14:52:20 +0200 -Subject: mwifiex: Abort at too short BSS descriptor element -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git/commit?id=685c9b7750bfacd6fc1db50d86579980593b7869 - -Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that -the source descriptor entries contain the enough size for each type -and performs copying without checking the source size. This may lead -to read over boundary. - -Fix this by putting the source size check in appropriate places. - -Signed-off-by: Takashi Iwai -Signed-off-by: Kalle Valo ---- - drivers/net/wireless/marvell/mwifiex/scan.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c -index 64ab6fe78c0d..c269a0de9413 100644 ---- a/drivers/net/wireless/marvell/mwifiex/scan.c -+++ b/drivers/net/wireless/marvell/mwifiex/scan.c -@@ -1269,6 +1269,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - break; - - case WLAN_EID_FH_PARAMS: -+ if (element_len + 2 < sizeof(*fh_param_set)) -+ return -EINVAL; - fh_param_set = - (struct ieee_types_fh_param_set *) current_ptr; - memcpy(&bss_entry->phy_param_set.fh_param_set, -@@ -1277,6 +1279,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - break; - - case WLAN_EID_DS_PARAMS: -+ if (element_len + 2 < sizeof(*ds_param_set)) -+ return -EINVAL; - ds_param_set = - (struct ieee_types_ds_param_set *) current_ptr; - -@@ -1288,6 +1292,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - break; - - case WLAN_EID_CF_PARAMS: -+ if (element_len + 2 < sizeof(*cf_param_set)) -+ return -EINVAL; - cf_param_set = - (struct ieee_types_cf_param_set *) current_ptr; - memcpy(&bss_entry->ss_param_set.cf_param_set, -@@ -1296,6 +1302,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - break; - - case 
WLAN_EID_IBSS_PARAMS: -+ if (element_len + 2 < sizeof(*ibss_param_set)) -+ return -EINVAL; - ibss_param_set = - (struct ieee_types_ibss_param_set *) - current_ptr; -@@ -1305,10 +1313,14 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - break; - - case WLAN_EID_ERP_INFO: -+ if (!element_len) -+ return -EINVAL; - bss_entry->erp_flags = *(current_ptr + 2); - break; - - case WLAN_EID_PWR_CONSTRAINT: -+ if (!element_len) -+ return -EINVAL; - bss_entry->local_constraint = *(current_ptr + 2); - bss_entry->sensed_11h = true; - break; -@@ -1349,6 +1361,9 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - break; - - case WLAN_EID_VENDOR_SPECIFIC: -+ if (element_len + 2 < sizeof(vendor_ie->vend_hdr)) -+ return -EINVAL; -+ - vendor_ie = (struct ieee_types_vendor_specific *) - current_ptr; - diff --git a/debian/patches/bugfix/all/mwifiex-don-t-abort-on-small-spec-compliant-vendor-ies.patch b/debian/patches/bugfix/all/mwifiex-don-t-abort-on-small-spec-compliant-vendor-ies.patch deleted file mode 100644 index a71f61653..000000000 --- a/debian/patches/bugfix/all/mwifiex-don-t-abort-on-small-spec-compliant-vendor-ies.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -From: Brian Norris -Subject: [PATCH 5.2 1/2] mwifiex: Don't abort on small, - spec-compliant vendor IEs -Date: Fri, 14 Jun 2019 17:13:20 -0700 -Origin: https://patchwork.kernel.org/patch/10996895/ - -Per the 802.11 specification, vendor IEs are (at minimum) only required -to contain an OUI. A type field is also included in ieee80211.h (struct -ieee80211_vendor_ie) but doesn't appear in the specification. The -remaining fields (subtype, version) are a convention used in WMM -headers. - -Thus, we should not reject vendor-specific IEs that have only the -minimum length (3 bytes) -- we should skip over them (since we only want -to match longer IEs, that match either WMM or WPA formats). We can -reject elements that don't have the minimum-required 3 byte OUI. - -While we're at it, move the non-standard subtype and version fields into -the WMM structs, to avoid this confusion in the future about generic -"vendor header" attributes. - -Fixes: 685c9b7750bf ("mwifiex: Abort at too short BSS descriptor element") -Cc: Takashi Iwai -Signed-off-by: Brian Norris ---- -It appears that commit 685c9b7750bf is on its way to 5.2, so I labeled -this bugfix for 5.2 as well. 
- - drivers/net/wireless/marvell/mwifiex/fw.h | 12 +++++++++--- - drivers/net/wireless/marvell/mwifiex/scan.c | 18 +++++++++++------- - .../net/wireless/marvell/mwifiex/sta_ioctl.c | 4 ++-- - drivers/net/wireless/marvell/mwifiex/wmm.c | 2 +- - 4 files changed, 23 insertions(+), 13 deletions(-) - ---- a/drivers/net/wireless/marvell/mwifiex/fw.h -+++ b/drivers/net/wireless/marvell/mwifiex/fw.h -@@ -1759,9 +1759,10 @@ struct mwifiex_ie_types_wmm_queue_status - struct ieee_types_vendor_header { - u8 element_id; - u8 len; -- u8 oui[4]; /* 0~2: oui, 3: oui_type */ -- u8 oui_subtype; -- u8 version; -+ struct { -+ u8 oui[3]; -+ u8 oui_type; -+ } __packed oui; - } __packed; - - struct ieee_types_wmm_parameter { -@@ -1775,6 +1776,9 @@ struct ieee_types_wmm_parameter { - * Version [1] - */ - struct ieee_types_vendor_header vend_hdr; -+ u8 oui_subtype; -+ u8 version; -+ - u8 qos_info_bitmap; - u8 reserved; - struct ieee_types_wmm_ac_parameters ac_params[IEEE80211_NUM_ACS]; -@@ -1792,6 +1796,8 @@ struct ieee_types_wmm_info { - * Version [1] - */ - struct ieee_types_vendor_header vend_hdr; -+ u8 oui_subtype; -+ u8 version; - - u8 qos_info_bitmap; - } __packed; ---- a/drivers/net/wireless/marvell/mwifiex/scan.c -+++ b/drivers/net/wireless/marvell/mwifiex/scan.c -@@ -1361,21 +1361,25 @@ int mwifiex_update_bss_desc_with_ie(stru - break; - - case WLAN_EID_VENDOR_SPECIFIC: -- if (element_len + 2 < sizeof(vendor_ie->vend_hdr)) -- return -EINVAL; -- - vendor_ie = (struct ieee_types_vendor_specific *) - current_ptr; - -- if (!memcmp -- (vendor_ie->vend_hdr.oui, wpa_oui, -- sizeof(wpa_oui))) { -+ /* 802.11 requires at least 3-byte OUI. */ -+ if (element_len < sizeof(vendor_ie->vend_hdr.oui.oui)) -+ return -EINVAL; -+ -+ /* Not long enough for a match? Skip it. 
*/ -+ if (element_len < sizeof(wpa_oui)) -+ break; -+ -+ if (!memcmp(&vendor_ie->vend_hdr.oui, wpa_oui, -+ sizeof(wpa_oui))) { - bss_entry->bcn_wpa_ie = - (struct ieee_types_vendor_specific *) - current_ptr; - bss_entry->wpa_offset = (u16) - (current_ptr - bss_entry->beacon_buf); -- } else if (!memcmp(vendor_ie->vend_hdr.oui, wmm_oui, -+ } else if (!memcmp(&vendor_ie->vend_hdr.oui, wmm_oui, - sizeof(wmm_oui))) { - if (total_ie_len == - sizeof(struct ieee_types_wmm_parameter) || ---- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c -+++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c -@@ -1348,7 +1348,7 @@ mwifiex_set_gen_ie_helper(struct mwifiex - /* Test to see if it is a WPA IE, if not, then - * it is a gen IE - */ -- if (!memcmp(pvendor_ie->oui, wpa_oui, -+ if (!memcmp(&pvendor_ie->oui, wpa_oui, - sizeof(wpa_oui))) { - /* IE is a WPA/WPA2 IE so call set_wpa function - */ -@@ -1358,7 +1358,7 @@ mwifiex_set_gen_ie_helper(struct mwifiex - goto next_ie; - } - -- if (!memcmp(pvendor_ie->oui, wps_oui, -+ if (!memcmp(&pvendor_ie->oui, wps_oui, - sizeof(wps_oui))) { - /* Test to see if it is a WPS IE, - * if so, enable wps session flag ---- a/drivers/net/wireless/marvell/mwifiex/wmm.c -+++ b/drivers/net/wireless/marvell/mwifiex/wmm.c -@@ -240,7 +240,7 @@ mwifiex_wmm_setup_queue_priorities(struc - mwifiex_dbg(priv->adapter, INFO, - "info: WMM Parameter IE: version=%d,\t" - "qos_info Parameter Set Count=%d, Reserved=%#x\n", -- wmm_ie->vend_hdr.version, wmm_ie->qos_info_bitmap & -+ wmm_ie->version, wmm_ie->qos_info_bitmap & - IEEE80211_WMM_IE_AP_QOSINFO_PARAM_SET_CNT_MASK, - wmm_ie->reserved); - diff --git a/debian/patches/bugfix/all/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch b/debian/patches/bugfix/all/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch deleted file mode 100644 index 1456e36bc..000000000 --- a/debian/patches/bugfix/all/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch +++ /dev/null 
@@ -1,118 +0,0 @@ -From: Takashi Iwai -Date: Fri, 31 May 2019 15:18:41 +0200 -Subject: mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git/commit?id=69ae4f6aac1578575126319d3f55550e7e440449 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-10126 - -A few places in mwifiex_uap_parse_tail_ies() perform memcpy() -unconditionally, which may lead to either buffer overflow or read over -boundary. - -This patch addresses the issues by checking the read size and the -destination size at each place more properly. Along with the fixes, -the patch cleans up the code slightly by introducing a temporary -variable for the token size, and unifies the error path with the -standard goto statement. - -Reported-by: huangwen -Signed-off-by: Takashi Iwai -Signed-off-by: Kalle Valo -[bwh: Backported to 4.19: adjust context] ---- - drivers/net/wireless/marvell/mwifiex/ie.c | 47 +++++++++++++++-------- - 1 file changed, 31 insertions(+), 16 deletions(-) - ---- a/drivers/net/wireless/marvell/mwifiex/ie.c -+++ b/drivers/net/wireless/marvell/mwifiex/ie.c -@@ -329,6 +329,8 @@ static int mwifiex_uap_parse_tail_ies(st - struct ieee80211_vendor_ie *vendorhdr; - u16 gen_idx = MWIFIEX_AUTO_IDX_MASK, ie_len = 0; - int left_len, parsed_len = 0; -+ unsigned int token_len; -+ int err = 0; - - if (!info->tail || !info->tail_len) - return 0; -@@ -344,6 +346,12 @@ static int mwifiex_uap_parse_tail_ies(st - */ - while (left_len > sizeof(struct ieee_types_header)) { - hdr = (void *)(info->tail + parsed_len); -+ token_len = hdr->len + sizeof(struct ieee_types_header); -+ if (token_len > left_len) { -+ err = -EINVAL; -+ goto out; -+ } -+ - switch (hdr->element_id) { - case WLAN_EID_SSID: - case WLAN_EID_SUPP_RATES: -@@ -361,16 +369,19 @@ static int mwifiex_uap_parse_tail_ies(st - if (cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT, - WLAN_OUI_TYPE_MICROSOFT_WMM, - (const u8 *)hdr, -- hdr->len + 
sizeof(struct ieee_types_header))) -+ token_len)) - break; - default: -- memcpy(gen_ie->ie_buffer + ie_len, hdr, -- hdr->len + sizeof(struct ieee_types_header)); -- ie_len += hdr->len + sizeof(struct ieee_types_header); -+ if (ie_len + token_len > IEEE_MAX_IE_SIZE) { -+ err = -EINVAL; -+ goto out; -+ } -+ memcpy(gen_ie->ie_buffer + ie_len, hdr, token_len); -+ ie_len += token_len; - break; - } -- left_len -= hdr->len + sizeof(struct ieee_types_header); -- parsed_len += hdr->len + sizeof(struct ieee_types_header); -+ left_len -= token_len; -+ parsed_len += token_len; - } - - /* parse only WPA vendor IE from tail, WMM IE is configured by -@@ -380,15 +391,17 @@ static int mwifiex_uap_parse_tail_ies(st - WLAN_OUI_TYPE_MICROSOFT_WPA, - info->tail, info->tail_len); - if (vendorhdr) { -- memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, -- vendorhdr->len + sizeof(struct ieee_types_header)); -- ie_len += vendorhdr->len + sizeof(struct ieee_types_header); -+ token_len = vendorhdr->len + sizeof(struct ieee_types_header); -+ if (ie_len + token_len > IEEE_MAX_IE_SIZE) { -+ err = -EINVAL; -+ goto out; -+ } -+ memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, token_len); -+ ie_len += token_len; - } - -- if (!ie_len) { -- kfree(gen_ie); -- return 0; -- } -+ if (!ie_len) -+ goto out; - - gen_ie->ie_index = cpu_to_le16(gen_idx); - gen_ie->mgmt_subtype_mask = cpu_to_le16(MGMT_MASK_BEACON | -@@ -398,13 +411,15 @@ static int mwifiex_uap_parse_tail_ies(st - - if (mwifiex_update_uap_custom_ie(priv, gen_ie, &gen_idx, NULL, NULL, - NULL, NULL)) { -- kfree(gen_ie); -- return -1; -+ err = -EINVAL; -+ goto out; - } - - priv->gen_idx = gen_idx; -+ -+ out: - kfree(gen_ie); -- return 0; -+ return err; - } - - /* This function parses different IEs-head & tail IEs, beacon IEs, 
diff --git a/debian/patches/bugfix/all/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch b/debian/patches/bugfix/all/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch
deleted file mode 100644
index 0c099d9ac..000000000
--- a/debian/patches/bugfix/all/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch
+++ /dev/null
@@ -1,44 +0,0 @@ -From: Takashi Iwai -Date: Wed, 29 May 2019 14:52:19 +0200 -Subject: mwifiex: Fix possible buffer overflows at parsing bss descriptor -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git/commit?id=13ec7f10b87f5fc04c4ccbd491c94c7980236a74 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3846 - -mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in -a couple places without checking the destination size. Since the -source is given from user-space, this may trigger a heap buffer -overflow. - -Fix it by putting the length check before performing memcpy(). - -This fix addresses CVE-2019-3846. - -Reported-by: huangwen -Signed-off-by: Takashi Iwai -Signed-off-by: Kalle Valo ---- - drivers/net/wireless/marvell/mwifiex/scan.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c -index 935778ec9a1b..64ab6fe78c0d 100644 ---- a/drivers/net/wireless/marvell/mwifiex/scan.c -+++ b/drivers/net/wireless/marvell/mwifiex/scan.c -@@ -1247,6 +1247,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - } - switch (element_id) { - case WLAN_EID_SSID: -+ if (element_len > IEEE80211_MAX_SSID_LEN) -+ return -EINVAL; - bss_entry->ssid.ssid_len = element_len; - memcpy(bss_entry->ssid.ssid, (current_ptr + 2), - element_len); -@@ -1256,6 +1258,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - break; - - case WLAN_EID_SUPP_RATES: -+ if (element_len > MWIFIEX_SUPPORTED_RATES) -+ return -EINVAL; - memcpy(bss_entry->data_rates, current_ptr + 2, - element_len); - memcpy(bss_entry->supported_rates, current_ptr + 2, diff --git a/debian/patches/bugfix/all/net-switch-IP-ID-generator-to-siphash.patch b/debian/patches/bugfix/all/net-switch-IP-ID-generator-to-siphash.patch deleted file mode 100644 index 263786943..000000000 
--- a/debian/patches/bugfix/all/net-switch-IP-ID-generator-to-siphash.patch
+++ /dev/null
@@ -1,162 +0,0 @@ -From: Eric Dumazet -Date: Wed, 27 Mar 2019 12:40:33 -0700 -Subject: inet: switch IP ID generator to siphash -Origin: https://git.kernel.org/linus/df453700e8d81b1bdafdf684365ee2b9431fb702 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-10638 - -[ Upstream commit df453700e8d81b1bdafdf684365ee2b9431fb702 ] - -According to Amit Klein and Benny Pinkas, IP ID generation is too weak -and might be used by attackers. - -Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix()) -having 64bit key and Jenkins hash is risky. - -It is time to switch to siphash and its 128bit keys. - -Signed-off-by: Eric Dumazet -Reported-by: Amit Klein -Reported-by: Benny Pinkas -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/siphash.h | 5 +++++ - include/net/netns/ipv4.h | 2 ++ - net/ipv4/route.c | 12 +++++++----- - net/ipv6/output_core.c | 30 ++++++++++++++++-------------- - 4 files changed, 30 insertions(+), 19 deletions(-) - -diff --git a/include/linux/siphash.h b/include/linux/siphash.h -index fa7a6b9cedbf..bf21591a9e5e 100644 ---- a/include/linux/siphash.h -+++ b/include/linux/siphash.h -@@ -21,6 +21,11 @@ typedef struct { - u64 key[2]; - } siphash_key_t; - -+static inline bool siphash_key_is_zero(const siphash_key_t *key) -+{ -+ return !(key->key[0] | key->key[1]); -+} -+ - u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key); - #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS - u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key); -diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h -index e47503b4e4d1..622db6bc2f02 100644 ---- a/include/net/netns/ipv4.h -+++ b/include/net/netns/ipv4.h -@@ -9,6 +9,7 @@ - #include - #include - #include -+#include - - struct tcpm_hash_bucket; - struct ctl_table_header; -@@ -214,5 +215,6 @@ struct netns_ipv4 { - unsigned int ipmr_seq; /* protected by rtnl_mutex */ - - atomic_t 
rt_genid; -+ siphash_key_t ip_id_key; - }; - #endif -diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index 8bacbcd2db90..40bf19f7ae1a 100644 ---- a/net/ipv4/route.c -+++ b/net/ipv4/route.c -@@ -500,15 +500,17 @@ EXPORT_SYMBOL(ip_idents_reserve); - - void __ip_select_ident(struct net *net, struct iphdr *iph, int segs) - { -- static u32 ip_idents_hashrnd __read_mostly; - u32 hash, id; - -- net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd)); -+ /* Note the following code is not safe, but this is okay. */ -+ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key))) -+ get_random_bytes(&net->ipv4.ip_id_key, -+ sizeof(net->ipv4.ip_id_key)); - -- hash = jhash_3words((__force u32)iph->daddr, -+ hash = siphash_3u32((__force u32)iph->daddr, - (__force u32)iph->saddr, -- iph->protocol ^ net_hash_mix(net), -- ip_idents_hashrnd); -+ iph->protocol, -+ &net->ipv4.ip_id_key); - id = ip_idents_reserve(hash, segs); - iph->id = htons(id); - } -diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c -index 4fe7c90962dd..868ae23dbae1 100644 ---- a/net/ipv6/output_core.c -+++ b/net/ipv6/output_core.c -@@ -10,15 +10,25 @@ - #include - #include - --static u32 __ipv6_select_ident(struct net *net, u32 hashrnd, -+static u32 __ipv6_select_ident(struct net *net, - const struct in6_addr *dst, - const struct in6_addr *src) - { -+ const struct { -+ struct in6_addr dst; -+ struct in6_addr src; -+ } __aligned(SIPHASH_ALIGNMENT) combined = { -+ .dst = *dst, -+ .src = *src, -+ }; - u32 hash, id; - -- hash = __ipv6_addr_jhash(dst, hashrnd); -- hash = __ipv6_addr_jhash(src, hash); -- hash ^= net_hash_mix(net); -+ /* Note the following code is not safe, but this is okay. 
*/ -+ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key))) -+ get_random_bytes(&net->ipv4.ip_id_key, -+ sizeof(net->ipv4.ip_id_key)); -+ -+ hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key); - - /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve, - * set the hight order instead thus minimizing possible future -@@ -41,7 +51,6 @@ static u32 __ipv6_select_ident(struct net *net, u32 hashrnd, - */ - __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb) - { -- static u32 ip6_proxy_idents_hashrnd __read_mostly; - struct in6_addr buf[2]; - struct in6_addr *addrs; - u32 id; -@@ -53,11 +62,7 @@ __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb) - if (!addrs) - return 0; - -- net_get_random_once(&ip6_proxy_idents_hashrnd, -- sizeof(ip6_proxy_idents_hashrnd)); -- -- id = __ipv6_select_ident(net, ip6_proxy_idents_hashrnd, -- &addrs[1], &addrs[0]); -+ id = __ipv6_select_ident(net, &addrs[1], &addrs[0]); - return htonl(id); - } - EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident); -@@ -66,12 +71,9 @@ __be32 ipv6_select_ident(struct net *net, - const struct in6_addr *daddr, - const struct in6_addr *saddr) - { -- static u32 ip6_idents_hashrnd __read_mostly; - u32 id; - -- net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd)); -- -- id = __ipv6_select_ident(net, ip6_idents_hashrnd, daddr, saddr); -+ id = __ipv6_select_ident(net, daddr, saddr); - return htonl(id); - } - EXPORT_SYMBOL(ipv6_select_ident); --- -cgit 1.2-0.3.lf.el7 - diff --git a/debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch b/debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch deleted file mode 100644 index f53666cdc..000000000 --- a/debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From: Young Xiao <92siuyang@gmail.com> -Date: Fri, 14 Jun 2019 15:13:02 +0800 -Subject: nfc: Ensure presence of required attributes in the deactivate_target - handler -Origin: https://git.kernel.org/linus/385097a3675749cbc9e97c085c0e5dfe4269ca51 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-12984 - -Check that the NFC_ATTR_TARGET_INDEX attributes (in addition to -NFC_ATTR_DEVICE_INDEX) are provided by the netlink client prior to -accessing them. This prevents potential unhandled NULL pointer dereference -exceptions which can be triggered by malicious user-mode programs, -if they omit one or both of these attributes. - -Signed-off-by: Young Xiao <92siuyang@gmail.com> -Signed-off-by: David S. Miller ---- - net/nfc/netlink.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c -index 1180b3e58a0a..ea64c90b14e8 100644 ---- a/net/nfc/netlink.c -+++ b/net/nfc/netlink.c -@@ -911,7 +911,8 @@ static int nfc_genl_deactivate_target(struct sk_buff *skb, - u32 device_idx, target_idx; - int rc; - -- if (!info->attrs[NFC_ATTR_DEVICE_INDEX]) -+ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] || -+ !info->attrs[NFC_ATTR_TARGET_INDEX]) - return -EINVAL; - - device_idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]); --- -cgit 1.2-0.3.lf.el7 - diff --git a/debian/patches/bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch b/debian/patches/bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch deleted file mode 100644 index 68f942e40..000000000 --- a/debian/patches/bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From: Jann Horn -Date: Thu, 4 Jul 2019 17:32:23 +0200 -Subject: ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME -Origin: https://git.kernel.org/linus/6994eefb0053799d2e07cd140df6c2ea106c41ee -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13272 - -Fix two issues: - -When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU -reference to the parent's objective credentials, then give that pointer -to get_cred(). However, the object lifetime rules for things like -struct cred do not permit unconditionally turning an RCU reference into -a stable reference. - -PTRACE_TRACEME records the parent's credentials as if the parent was -acting as the subject, but that's not the case. If a malicious -unprivileged child uses PTRACE_TRACEME and the parent is privileged, and -at a later point, the parent process becomes attacker-controlled -(because it drops privileges and calls execve()), the attacker ends up -with control over two processes with a privileged ptrace relationship, -which can be abused to ptrace a suid binary and obtain root privileges. - -Fix both of these by always recording the credentials of the process -that is requesting the creation of the ptrace relationship: -current_cred() can't change under us, and current is the proper subject -for access control. - -This change is theoretically userspace-visible, but I am not aware of -any code that it will actually break. 
- -Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP") -Signed-off-by: Jann Horn -Acked-by: Oleg Nesterov -Cc: stable@vger.kernel.org -Signed-off-by: Linus Torvalds ---- - kernel/ptrace.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index 8456b6e2205f..705887f63288 100644 ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -@@ -79,9 +79,7 @@ void __ptrace_link(struct task_struct *child, struct task_struct *new_parent, - */ - static void ptrace_link(struct task_struct *child, struct task_struct *new_parent) - { -- rcu_read_lock(); -- __ptrace_link(child, new_parent, __task_cred(new_parent)); -- rcu_read_unlock(); -+ __ptrace_link(child, new_parent, current_cred()); - } - - /** --- -2.20.1 - diff --git a/debian/patches/bugfix/all/revert-net-stmmac-send-tso-packets-always-from-queue.patch b/debian/patches/bugfix/all/revert-net-stmmac-send-tso-packets-always-from-queue.patch deleted file mode 100644 index b69863966..000000000 --- a/debian/patches/bugfix/all/revert-net-stmmac-send-tso-packets-always-from-queue.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From: Ben Hutchings -Date: Tue, 9 Apr 2019 01:01:56 +0100 -Subject: Revert "net: stmmac: Send TSO packets always from Queue 0" -Forwarded: https://lore.kernel.org/lkml/a5f9b02fbb5ca830e598f1c601cdbecc6c86b789.camel@decadent.org.uk/T/#u - -This reverts commit 496eaed7fe94df7202d7cbe37873f96bcdda375e, which -was commit c5acdbee22a1b200dde07effd26fd1f649e9ab8a upstream. This -introduces data races. ---- - drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 11 +---------- - 1 file changed, 1 insertion(+), 10 deletions(-) - -diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c -index 886176be818e..8c3e228b1da6 100644 ---- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c -+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c -@@ -3033,17 +3033,8 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev) - - /* Manage oversized TCP frames for GMAC4 device */ - if (skb_is_gso(skb) && priv->tso) { -- if (skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)) { -- /* -- * There is no way to determine the number of TSO -- * capable Queues. Let's use always the Queue 0 -- * because if TSO is supported then at least this -- * one will be capable. -- */ -- skb_set_queue_mapping(skb, 0); -- -+ if (skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)) - return stmmac_tso_xmit(skb, dev); -- } - } - - if (unlikely(stmmac_tx_avail(priv, queue) < nfrags + 1)) { diff --git a/debian/patches/bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch b/debian/patches/bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch deleted file mode 100644 index 0a9b1dd72..000000000 --- a/debian/patches/bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From b90cd6f2b905905fb42671009dc0e27c310a16ae Mon Sep 17 00:00:00 2001 -From: Jason Yan -Date: Tue, 25 Sep 2018 10:56:54 +0800 -Subject: scsi: libsas: fix a race condition when smp task timeout -Origin: https://git.kernel.org/linus/b90cd6f2b905905fb42671009dc0e27c310a16ae -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20836 - -When the lldd is processing the complete sas task in interrupt and set the -task stat as SAS_TASK_STATE_DONE, the smp timeout timer is able to be -triggered at the same time. And smp_task_timedout() will complete the task -wheter the SAS_TASK_STATE_DONE is set or not. Then the sas task may freed -before lldd end the interrupt process. Thus a use-after-free will happen. - -Fix this by calling the complete() only when SAS_TASK_STATE_DONE is not -set. And remove the check of the return value of the del_timer(). Once the -LLDD sets DONE, it must call task->done(), which will call -smp_task_done()->complete() and the task will be completed and freed -correctly. - -Reported-by: chenxiang -Signed-off-by: Jason Yan -CC: John Garry -CC: Johannes Thumshirn -CC: Ewan Milne -CC: Christoph Hellwig -CC: Tomas Henzl -CC: Dan Williams -CC: Hannes Reinecke -Reviewed-by: Hannes Reinecke -Reviewed-by: John Garry -Reviewed-by: Johannes Thumshirn -Signed-off-by: Martin K. 
Petersen ---- - drivers/scsi/libsas/sas_expander.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c -index 52222940d398..0d1f72752ca2 100644 ---- a/drivers/scsi/libsas/sas_expander.c -+++ b/drivers/scsi/libsas/sas_expander.c -@@ -48,17 +48,16 @@ static void smp_task_timedout(struct timer_list *t) - unsigned long flags; - - spin_lock_irqsave(&task->task_state_lock, flags); -- if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) -+ if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { - task->task_state_flags |= SAS_TASK_STATE_ABORTED; -+ complete(&task->slow_task->completion); -+ } - spin_unlock_irqrestore(&task->task_state_lock, flags); -- -- complete(&task->slow_task->completion); - } - - static void smp_task_done(struct sas_task *task) - { -- if (!del_timer(&task->slow_task->timer)) -- return; -+ del_timer(&task->slow_task->timer); - complete(&task->slow_task->completion); - } - --- -cgit 1.2-0.3.lf.el7 - diff --git a/debian/patches/bugfix/all/spec/0001-Documentation-l1tf-Fix-small-spelling-typo.patch b/debian/patches/bugfix/all/spec/0001-Documentation-l1tf-Fix-small-spelling-typo.patch deleted file mode 100644 index 7bd16b1ed..000000000 --- a/debian/patches/bugfix/all/spec/0001-Documentation-l1tf-Fix-small-spelling-typo.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 5a3e9a68c76f16a4d3d95b5703f8c0cbf1ce526c Mon Sep 17 00:00:00 2001 -From: Salvatore Bonaccorso -Date: Wed, 15 Aug 2018 07:46:04 +0200 -Subject: [PATCH 01/30] Documentation/l1tf: Fix small spelling typo - -commit 60ca05c3b44566b70d64fbb8e87a6e0c67725468 upstream - -Fix small typo (wiil -> will) in the "3.4. Nested virtual machines" -section. - -Fixes: 5b76a3cff011 ("KVM: VMX: Tell the nested hypervisor to skip L1D flush on vmentry") -Cc: linux-kernel@vger.kernel.org -Cc: Jonathan Corbet -Cc: Josh Poimboeuf -Cc: Paolo Bonzini -Cc: Greg Kroah-Hartman -Cc: Tony Luck -Cc: linux-doc@vger.kernel.org -Cc: trivial@kernel.org - -Signed-off-by: Salvatore Bonaccorso -Signed-off-by: Jonathan Corbet -Signed-off-by: Thomas Gleixner ---- - Documentation/admin-guide/l1tf.rst | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Documentation/admin-guide/l1tf.rst b/Documentation/admin-guide/l1tf.rst -index 9f5924f81f89..9af977384168 100644 ---- a/Documentation/admin-guide/l1tf.rst -+++ b/Documentation/admin-guide/l1tf.rst -@@ -556,7 +556,7 @@ carefully analyzed. For full protection the following methods are - the bare metal hypervisor, the nested hypervisor and the nested virtual - machine. VMENTER operations from the nested hypervisor into the nested - guest will always be processed by the bare metal hypervisor. If KVM is the --bare metal hypervisor it wiil: -+bare metal hypervisor it will: - - - Flush the L1D cache on every switch from the nested hypervisor to the - nested virtual machine, so that the nested hypervisor's secrets are not diff --git a/debian/patches/bugfix/all/spec/0002-x86-cpu-Sanitize-FAM6_ATOM-naming.patch b/debian/patches/bugfix/all/spec/0002-x86-cpu-Sanitize-FAM6_ATOM-naming.patch deleted file mode 100644 index c80a4d5dc..000000000 --- a/debian/patches/bugfix/all/spec/0002-x86-cpu-Sanitize-FAM6_ATOM-naming.patch +++ /dev/null 
@@ -1,782 +0,0 @@ -From fae627376bb7cb519a54a1ac372623653a170317 Mon Sep 17 00:00:00 2001 -From: Peter Zijlstra -Date: Tue, 7 Aug 2018 10:17:27 -0700 -Subject: [PATCH 02/30] x86/cpu: Sanitize FAM6_ATOM naming - -commit f2c4db1bd80720cd8cb2a5aa220d9bc9f374f04e upstream - -Going primarily by: - - https://en.wikipedia.org/wiki/List_of_Intel_Atom_microprocessors - -with additional information gleaned from other related pages; notably: - - - Bonnell shrink was called Saltwell - - Moorefield is the Merriefield refresh which makes it Airmont - -The general naming scheme is: FAM6_ATOM_UARCH_SOCTYPE - - for i in `git grep -l FAM6_ATOM` ; do - sed -i -e 's/ATOM_PINEVIEW/ATOM_BONNELL/g' \ - -e 's/ATOM_LINCROFT/ATOM_BONNELL_MID/' \ - -e 's/ATOM_PENWELL/ATOM_SALTWELL_MID/g' \ - -e 's/ATOM_CLOVERVIEW/ATOM_SALTWELL_TABLET/g' \ - -e 's/ATOM_CEDARVIEW/ATOM_SALTWELL/g' \ - -e 's/ATOM_SILVERMONT1/ATOM_SILVERMONT/g' \ - -e 's/ATOM_SILVERMONT2/ATOM_SILVERMONT_X/g' \ - -e 's/ATOM_MERRIFIELD/ATOM_SILVERMONT_MID/g' \ - -e 's/ATOM_MOOREFIELD/ATOM_AIRMONT_MID/g' \ - -e 's/ATOM_DENVERTON/ATOM_GOLDMONT_X/g' \ - -e 's/ATOM_GEMINI_LAKE/ATOM_GOLDMONT_PLUS/g' ${i} - done - -Signed-off-by: Peter Zijlstra (Intel) -Cc: Alexander Shishkin -Cc: Arnaldo Carvalho de Melo -Cc: Jiri Olsa -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Stephane Eranian -Cc: Thomas Gleixner -Cc: Vince Weaver -Cc: dave.hansen@linux.intel.com -Cc: len.brown@intel.com -Signed-off-by: Ingo Molnar -Signed-off-by: Thomas Gleixner ---- - arch/x86/events/intel/core.c | 20 ++++---- - arch/x86/events/intel/cstate.c | 8 ++-- - arch/x86/events/intel/rapl.c | 4 +- - arch/x86/events/msr.c | 8 ++-- - arch/x86/include/asm/intel-family.h | 33 ++++++------- - arch/x86/kernel/cpu/common.c | 28 +++++------ - arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c | 4 +- - arch/x86/kernel/tsc.c | 2 +- - arch/x86/kernel/tsc_msr.c | 10 ++-- - arch/x86/platform/atom/punit_atom_debug.c | 4 +- - .../intel-mid/device_libs/platform_bt.c | 2 +- - 
drivers/acpi/acpi_lpss.c | 2 +- - drivers/acpi/x86/utils.c | 2 +- - drivers/cpufreq/intel_pstate.c | 4 +- - drivers/edac/pnd2_edac.c | 2 +- - drivers/idle/intel_idle.c | 18 ++++---- - drivers/mmc/host/sdhci-acpi.c | 2 +- - drivers/pci/pci-mid.c | 4 +- - drivers/platform/x86/intel_int0002_vgpio.c | 2 +- - drivers/platform/x86/intel_mid_powerbtn.c | 4 +- - .../platform/x86/intel_telemetry_debugfs.c | 2 +- - drivers/platform/x86/intel_telemetry_pltdrv.c | 2 +- - drivers/powercap/intel_rapl.c | 10 ++-- - drivers/thermal/intel_soc_dts_thermal.c | 2 +- - sound/soc/intel/boards/bytcr_rt5651.c | 2 +- - tools/power/x86/turbostat/turbostat.c | 46 +++++++++---------- - 26 files changed, 115 insertions(+), 112 deletions(-) - -diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c -index 3dd204d1dd19..a82c7b655d77 100644 ---- a/arch/x86/events/intel/core.c -+++ b/arch/x86/events/intel/core.c -@@ -4126,11 +4126,11 @@ __init int intel_pmu_init(void) - name = "nehalem"; - break; - -- case INTEL_FAM6_ATOM_PINEVIEW: -- case INTEL_FAM6_ATOM_LINCROFT: -- case INTEL_FAM6_ATOM_PENWELL: -- case INTEL_FAM6_ATOM_CLOVERVIEW: -- case INTEL_FAM6_ATOM_CEDARVIEW: -+ case INTEL_FAM6_ATOM_BONNELL: -+ case INTEL_FAM6_ATOM_BONNELL_MID: -+ case INTEL_FAM6_ATOM_SALTWELL: -+ case INTEL_FAM6_ATOM_SALTWELL_MID: -+ case INTEL_FAM6_ATOM_SALTWELL_TABLET: - memcpy(hw_cache_event_ids, atom_hw_cache_event_ids, - sizeof(hw_cache_event_ids)); - -@@ -4143,9 +4143,11 @@ __init int intel_pmu_init(void) - name = "bonnell"; - break; - -- case INTEL_FAM6_ATOM_SILVERMONT1: -- case INTEL_FAM6_ATOM_SILVERMONT2: -+ case INTEL_FAM6_ATOM_SILVERMONT: -+ case INTEL_FAM6_ATOM_SILVERMONT_X: -+ case INTEL_FAM6_ATOM_SILVERMONT_MID: - case INTEL_FAM6_ATOM_AIRMONT: -+ case INTEL_FAM6_ATOM_AIRMONT_MID: - memcpy(hw_cache_event_ids, slm_hw_cache_event_ids, - sizeof(hw_cache_event_ids)); - memcpy(hw_cache_extra_regs, slm_hw_cache_extra_regs, -@@ -4164,7 +4166,7 @@ __init int intel_pmu_init(void) - break; - - case 
INTEL_FAM6_ATOM_GOLDMONT: -- case INTEL_FAM6_ATOM_DENVERTON: -+ case INTEL_FAM6_ATOM_GOLDMONT_X: - memcpy(hw_cache_event_ids, glm_hw_cache_event_ids, - sizeof(hw_cache_event_ids)); - memcpy(hw_cache_extra_regs, glm_hw_cache_extra_regs, -@@ -4190,7 +4192,7 @@ __init int intel_pmu_init(void) - name = "goldmont"; - break; - -- case INTEL_FAM6_ATOM_GEMINI_LAKE: -+ case INTEL_FAM6_ATOM_GOLDMONT_PLUS: - memcpy(hw_cache_event_ids, glp_hw_cache_event_ids, - sizeof(hw_cache_event_ids)); - memcpy(hw_cache_extra_regs, glp_hw_cache_extra_regs, -diff --git a/arch/x86/events/intel/cstate.c b/arch/x86/events/intel/cstate.c -index 6eb76106c469..56194c571299 100644 ---- a/arch/x86/events/intel/cstate.c -+++ b/arch/x86/events/intel/cstate.c -@@ -559,8 +559,8 @@ static const struct x86_cpu_id intel_cstates_match[] __initconst = { - - X86_CSTATES_MODEL(INTEL_FAM6_HASWELL_ULT, hswult_cstates), - -- X86_CSTATES_MODEL(INTEL_FAM6_ATOM_SILVERMONT1, slm_cstates), -- X86_CSTATES_MODEL(INTEL_FAM6_ATOM_SILVERMONT2, slm_cstates), -+ X86_CSTATES_MODEL(INTEL_FAM6_ATOM_SILVERMONT, slm_cstates), -+ X86_CSTATES_MODEL(INTEL_FAM6_ATOM_SILVERMONT_X, slm_cstates), - X86_CSTATES_MODEL(INTEL_FAM6_ATOM_AIRMONT, slm_cstates), - - X86_CSTATES_MODEL(INTEL_FAM6_BROADWELL_CORE, snb_cstates), -@@ -581,9 +581,9 @@ static const struct x86_cpu_id intel_cstates_match[] __initconst = { - X86_CSTATES_MODEL(INTEL_FAM6_XEON_PHI_KNM, knl_cstates), - - X86_CSTATES_MODEL(INTEL_FAM6_ATOM_GOLDMONT, glm_cstates), -- X86_CSTATES_MODEL(INTEL_FAM6_ATOM_DENVERTON, glm_cstates), -+ X86_CSTATES_MODEL(INTEL_FAM6_ATOM_GOLDMONT_X, glm_cstates), - -- X86_CSTATES_MODEL(INTEL_FAM6_ATOM_GEMINI_LAKE, glm_cstates), -+ X86_CSTATES_MODEL(INTEL_FAM6_ATOM_GOLDMONT_PLUS, glm_cstates), - { }, - }; - MODULE_DEVICE_TABLE(x86cpu, intel_cstates_match); -diff --git a/arch/x86/events/intel/rapl.c b/arch/x86/events/intel/rapl.c -index 32f3e9423e99..91039ffed633 100644 ---- a/arch/x86/events/intel/rapl.c -+++ b/arch/x86/events/intel/rapl.c -@@ -777,9 
+777,9 @@ static const struct x86_cpu_id rapl_cpu_match[] __initconst = { - X86_RAPL_MODEL_MATCH(INTEL_FAM6_CANNONLAKE_MOBILE, skl_rapl_init), - - X86_RAPL_MODEL_MATCH(INTEL_FAM6_ATOM_GOLDMONT, hsw_rapl_init), -- X86_RAPL_MODEL_MATCH(INTEL_FAM6_ATOM_DENVERTON, hsw_rapl_init), -+ X86_RAPL_MODEL_MATCH(INTEL_FAM6_ATOM_GOLDMONT_X, hsw_rapl_init), - -- X86_RAPL_MODEL_MATCH(INTEL_FAM6_ATOM_GEMINI_LAKE, hsw_rapl_init), -+ X86_RAPL_MODEL_MATCH(INTEL_FAM6_ATOM_GOLDMONT_PLUS, hsw_rapl_init), - {}, - }; - -diff --git a/arch/x86/events/msr.c b/arch/x86/events/msr.c -index b4771a6ddbc1..1b9f85abf9bc 100644 ---- a/arch/x86/events/msr.c -+++ b/arch/x86/events/msr.c -@@ -69,14 +69,14 @@ static bool test_intel(int idx) - case INTEL_FAM6_BROADWELL_GT3E: - case INTEL_FAM6_BROADWELL_X: - -- case INTEL_FAM6_ATOM_SILVERMONT1: -- case INTEL_FAM6_ATOM_SILVERMONT2: -+ case INTEL_FAM6_ATOM_SILVERMONT: -+ case INTEL_FAM6_ATOM_SILVERMONT_X: - case INTEL_FAM6_ATOM_AIRMONT: - - case INTEL_FAM6_ATOM_GOLDMONT: -- case INTEL_FAM6_ATOM_DENVERTON: -+ case INTEL_FAM6_ATOM_GOLDMONT_X: - -- case INTEL_FAM6_ATOM_GEMINI_LAKE: -+ case INTEL_FAM6_ATOM_GOLDMONT_PLUS: - - case INTEL_FAM6_XEON_PHI_KNL: - case INTEL_FAM6_XEON_PHI_KNM: -diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h -index 0ad25cc895ae..058b1a1994c4 100644 ---- a/arch/x86/include/asm/intel-family.h -+++ b/arch/x86/include/asm/intel-family.h -@@ -8,9 +8,6 @@ - * The "_X" parts are generally the EP and EX Xeons, or the - * "Extreme" ones, like Broadwell-E. - * -- * Things ending in "2" are usually because we have no better -- * name for them. There's no processor called "SILVERMONT2". -- * - * While adding a new CPUID for a new microarchitecture, add a new - * group to keep logically sorted out in chronological order. Within - * that group keep the CPUID for the variants sorted by model number. 
-@@ -59,19 +56,23 @@ - - /* "Small Core" Processors (Atom) */ - --#define INTEL_FAM6_ATOM_PINEVIEW 0x1C --#define INTEL_FAM6_ATOM_LINCROFT 0x26 --#define INTEL_FAM6_ATOM_PENWELL 0x27 --#define INTEL_FAM6_ATOM_CLOVERVIEW 0x35 --#define INTEL_FAM6_ATOM_CEDARVIEW 0x36 --#define INTEL_FAM6_ATOM_SILVERMONT1 0x37 /* BayTrail/BYT / Valleyview */ --#define INTEL_FAM6_ATOM_SILVERMONT2 0x4D /* Avaton/Rangely */ --#define INTEL_FAM6_ATOM_AIRMONT 0x4C /* CherryTrail / Braswell */ --#define INTEL_FAM6_ATOM_MERRIFIELD 0x4A /* Tangier */ --#define INTEL_FAM6_ATOM_MOOREFIELD 0x5A /* Anniedale */ --#define INTEL_FAM6_ATOM_GOLDMONT 0x5C --#define INTEL_FAM6_ATOM_DENVERTON 0x5F /* Goldmont Microserver */ --#define INTEL_FAM6_ATOM_GEMINI_LAKE 0x7A -+#define INTEL_FAM6_ATOM_BONNELL 0x1C /* Diamondville, Pineview */ -+#define INTEL_FAM6_ATOM_BONNELL_MID 0x26 /* Silverthorne, Lincroft */ -+ -+#define INTEL_FAM6_ATOM_SALTWELL 0x36 /* Cedarview */ -+#define INTEL_FAM6_ATOM_SALTWELL_MID 0x27 /* Penwell */ -+#define INTEL_FAM6_ATOM_SALTWELL_TABLET 0x35 /* Cloverview */ -+ -+#define INTEL_FAM6_ATOM_SILVERMONT 0x37 /* Bay Trail, Valleyview */ -+#define INTEL_FAM6_ATOM_SILVERMONT_X 0x4D /* Avaton, Rangely */ -+#define INTEL_FAM6_ATOM_SILVERMONT_MID 0x4A /* Merriefield */ -+ -+#define INTEL_FAM6_ATOM_AIRMONT 0x4C /* Cherry Trail, Braswell */ -+#define INTEL_FAM6_ATOM_AIRMONT_MID 0x5A /* Moorefield */ -+ -+#define INTEL_FAM6_ATOM_GOLDMONT 0x5C /* Apollo Lake */ -+#define INTEL_FAM6_ATOM_GOLDMONT_X 0x5F /* Denverton */ -+#define INTEL_FAM6_ATOM_GOLDMONT_PLUS 0x7A /* Gemini Lake */ - - /* Xeon Phi */ - -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index 44c4ef3d989b..10e5ccfa9278 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -949,11 +949,11 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c) - } - - static const __initconst struct x86_cpu_id cpu_no_speculation[] = { -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CEDARVIEW, 
X86_FEATURE_ANY }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CLOVERVIEW, X86_FEATURE_ANY }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_LINCROFT, X86_FEATURE_ANY }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PENWELL, X86_FEATURE_ANY }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PINEVIEW, X86_FEATURE_ANY }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SALTWELL, X86_FEATURE_ANY }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SALTWELL_TABLET, X86_FEATURE_ANY }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_BONNELL_MID, X86_FEATURE_ANY }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SALTWELL_MID, X86_FEATURE_ANY }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_BONNELL, X86_FEATURE_ANY }, - { X86_VENDOR_CENTAUR, 5 }, - { X86_VENDOR_INTEL, 5 }, - { X86_VENDOR_NSC, 5 }, -@@ -968,10 +968,10 @@ static const __initconst struct x86_cpu_id cpu_no_meltdown[] = { - - /* Only list CPUs which speculate but are non susceptible to SSB */ - static const __initconst struct x86_cpu_id cpu_no_spec_store_bypass[] = { -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT1 }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT }, - { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_AIRMONT }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT2 }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_MERRIFIELD }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT_X }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT_MID }, - { X86_VENDOR_INTEL, 6, INTEL_FAM6_CORE_YONAH }, - { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNL }, - { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNM }, -@@ -984,14 +984,14 @@ static const __initconst struct x86_cpu_id cpu_no_spec_store_bypass[] = { - - static const __initconst struct x86_cpu_id cpu_no_l1tf[] = { - /* in addition to cpu_no_speculation */ -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT1 }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT2 }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT_X }, - { X86_VENDOR_INTEL, 6, 
INTEL_FAM6_ATOM_AIRMONT }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_MERRIFIELD }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_MOOREFIELD }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT_MID }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_AIRMONT_MID }, - { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_GOLDMONT }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_DENVERTON }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_GEMINI_LAKE }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_GOLDMONT_X }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_GOLDMONT_PLUS }, - { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNL }, - { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNM }, - {} -diff --git a/arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c b/arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c -index f8c260d522ca..912d53939f4f 100644 ---- a/arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c -+++ b/arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c -@@ -91,7 +91,7 @@ static u64 get_prefetch_disable_bits(void) - */ - return 0xF; - case INTEL_FAM6_ATOM_GOLDMONT: -- case INTEL_FAM6_ATOM_GEMINI_LAKE: -+ case INTEL_FAM6_ATOM_GOLDMONT_PLUS: - /* - * SDM defines bits of MSR_MISC_FEATURE_CONTROL register - * as: -@@ -995,7 +995,7 @@ static int measure_cycles_perf_fn(void *_plr) - - switch (boot_cpu_data.x86_model) { - case INTEL_FAM6_ATOM_GOLDMONT: -- case INTEL_FAM6_ATOM_GEMINI_LAKE: -+ case INTEL_FAM6_ATOM_GOLDMONT_PLUS: - l2_hit_bits = (0x52ULL << 16) | (0x2 << 8) | 0xd1; - l2_miss_bits = (0x52ULL << 16) | (0x10 << 8) | 0xd1; - break; -diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c -index 6d5dc5dabfd7..03b7529333a6 100644 ---- a/arch/x86/kernel/tsc.c -+++ b/arch/x86/kernel/tsc.c -@@ -636,7 +636,7 @@ unsigned long native_calibrate_tsc(void) - case INTEL_FAM6_KABYLAKE_DESKTOP: - crystal_khz = 24000; /* 24.0 MHz */ - break; -- case INTEL_FAM6_ATOM_DENVERTON: -+ case INTEL_FAM6_ATOM_GOLDMONT_X: - crystal_khz = 25000; /* 25.0 MHz */ - break; - case INTEL_FAM6_ATOM_GOLDMONT: -diff --git a/arch/x86/kernel/tsc_msr.c 
b/arch/x86/kernel/tsc_msr.c -index 27ef714d886c..3d0e9aeea7c8 100644 ---- a/arch/x86/kernel/tsc_msr.c -+++ b/arch/x86/kernel/tsc_msr.c -@@ -59,12 +59,12 @@ static const struct freq_desc freq_desc_ann = { - }; - - static const struct x86_cpu_id tsc_msr_cpu_ids[] = { -- INTEL_CPU_FAM6(ATOM_PENWELL, freq_desc_pnw), -- INTEL_CPU_FAM6(ATOM_CLOVERVIEW, freq_desc_clv), -- INTEL_CPU_FAM6(ATOM_SILVERMONT1, freq_desc_byt), -+ INTEL_CPU_FAM6(ATOM_SALTWELL_MID, freq_desc_pnw), -+ INTEL_CPU_FAM6(ATOM_SALTWELL_TABLET, freq_desc_clv), -+ INTEL_CPU_FAM6(ATOM_SILVERMONT, freq_desc_byt), -+ INTEL_CPU_FAM6(ATOM_SILVERMONT_MID, freq_desc_tng), - INTEL_CPU_FAM6(ATOM_AIRMONT, freq_desc_cht), -- INTEL_CPU_FAM6(ATOM_MERRIFIELD, freq_desc_tng), -- INTEL_CPU_FAM6(ATOM_MOOREFIELD, freq_desc_ann), -+ INTEL_CPU_FAM6(ATOM_AIRMONT_MID, freq_desc_ann), - {} - }; - -diff --git a/arch/x86/platform/atom/punit_atom_debug.c b/arch/x86/platform/atom/punit_atom_debug.c -index 034813d4ab1e..41dae0f0d898 100644 ---- a/arch/x86/platform/atom/punit_atom_debug.c -+++ b/arch/x86/platform/atom/punit_atom_debug.c -@@ -143,8 +143,8 @@ static void punit_dbgfs_unregister(void) - (kernel_ulong_t)&drv_data } - - static const struct x86_cpu_id intel_punit_cpu_ids[] = { -- ICPU(INTEL_FAM6_ATOM_SILVERMONT1, punit_device_byt), -- ICPU(INTEL_FAM6_ATOM_MERRIFIELD, punit_device_tng), -+ ICPU(INTEL_FAM6_ATOM_SILVERMONT, punit_device_byt), -+ ICPU(INTEL_FAM6_ATOM_SILVERMONT_MID, punit_device_tng), - ICPU(INTEL_FAM6_ATOM_AIRMONT, punit_device_cht), - {} - }; -diff --git a/arch/x86/platform/intel-mid/device_libs/platform_bt.c b/arch/x86/platform/intel-mid/device_libs/platform_bt.c -index 5a0483e7bf66..31dce781364c 100644 ---- a/arch/x86/platform/intel-mid/device_libs/platform_bt.c -+++ b/arch/x86/platform/intel-mid/device_libs/platform_bt.c -@@ -68,7 +68,7 @@ static struct bt_sfi_data tng_bt_sfi_data __initdata = { - { X86_VENDOR_INTEL, 6, model, X86_FEATURE_ANY, (kernel_ulong_t)&ddata } - - static const struct x86_cpu_id 
bt_sfi_cpu_ids[] = { -- ICPU(INTEL_FAM6_ATOM_MERRIFIELD, tng_bt_sfi_data), -+ ICPU(INTEL_FAM6_ATOM_SILVERMONT_MID, tng_bt_sfi_data), - {} - }; - -diff --git a/drivers/acpi/acpi_lpss.c b/drivers/acpi/acpi_lpss.c -index 969bf8d515c0..c651e206d796 100644 ---- a/drivers/acpi/acpi_lpss.c -+++ b/drivers/acpi/acpi_lpss.c -@@ -292,7 +292,7 @@ static const struct lpss_device_desc bsw_spi_dev_desc = { - #define ICPU(model) { X86_VENDOR_INTEL, 6, model, X86_FEATURE_ANY, } - - static const struct x86_cpu_id lpss_cpu_ids[] = { -- ICPU(INTEL_FAM6_ATOM_SILVERMONT1), /* Valleyview, Bay Trail */ -+ ICPU(INTEL_FAM6_ATOM_SILVERMONT), /* Valleyview, Bay Trail */ - ICPU(INTEL_FAM6_ATOM_AIRMONT), /* Braswell, Cherry Trail */ - {} - }; -diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c -index 06c31ec3cc70..9a8e286dd86f 100644 ---- a/drivers/acpi/x86/utils.c -+++ b/drivers/acpi/x86/utils.c -@@ -54,7 +54,7 @@ static const struct always_present_id always_present_ids[] = { - * Bay / Cherry Trail PWM directly poked by GPU driver in win10, - * but Linux uses a separate PWM driver, harmless if not used. 
- */ -- ENTRY("80860F09", "1", ICPU(INTEL_FAM6_ATOM_SILVERMONT1), {}), -+ ENTRY("80860F09", "1", ICPU(INTEL_FAM6_ATOM_SILVERMONT), {}), - ENTRY("80862288", "1", ICPU(INTEL_FAM6_ATOM_AIRMONT), {}), - /* - * The INT0002 device is necessary to clear wakeup interrupt sources -diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c -index a005711f909e..29f25d5d65e0 100644 ---- a/drivers/cpufreq/intel_pstate.c -+++ b/drivers/cpufreq/intel_pstate.c -@@ -1779,7 +1779,7 @@ static const struct pstate_funcs knl_funcs = { - static const struct x86_cpu_id intel_pstate_cpu_ids[] = { - ICPU(INTEL_FAM6_SANDYBRIDGE, core_funcs), - ICPU(INTEL_FAM6_SANDYBRIDGE_X, core_funcs), -- ICPU(INTEL_FAM6_ATOM_SILVERMONT1, silvermont_funcs), -+ ICPU(INTEL_FAM6_ATOM_SILVERMONT, silvermont_funcs), - ICPU(INTEL_FAM6_IVYBRIDGE, core_funcs), - ICPU(INTEL_FAM6_HASWELL_CORE, core_funcs), - ICPU(INTEL_FAM6_BROADWELL_CORE, core_funcs), -@@ -1796,7 +1796,7 @@ static const struct x86_cpu_id intel_pstate_cpu_ids[] = { - ICPU(INTEL_FAM6_XEON_PHI_KNL, knl_funcs), - ICPU(INTEL_FAM6_XEON_PHI_KNM, knl_funcs), - ICPU(INTEL_FAM6_ATOM_GOLDMONT, core_funcs), -- ICPU(INTEL_FAM6_ATOM_GEMINI_LAKE, core_funcs), -+ ICPU(INTEL_FAM6_ATOM_GOLDMONT_PLUS, core_funcs), - ICPU(INTEL_FAM6_SKYLAKE_X, core_funcs), - {} - }; -diff --git a/drivers/edac/pnd2_edac.c b/drivers/edac/pnd2_edac.c -index df28b65358d2..903a4f1fadcc 100644 ---- a/drivers/edac/pnd2_edac.c -+++ b/drivers/edac/pnd2_edac.c -@@ -1541,7 +1541,7 @@ static struct dunit_ops dnv_ops = { - - static const struct x86_cpu_id pnd2_cpuids[] = { - { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_GOLDMONT, 0, (kernel_ulong_t)&apl_ops }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_DENVERTON, 0, (kernel_ulong_t)&dnv_ops }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_GOLDMONT_X, 0, (kernel_ulong_t)&dnv_ops }, - { } - }; - MODULE_DEVICE_TABLE(x86cpu, pnd2_cpuids); -diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c -index b2ccce5fb071..c4bb67ed8da3 100644 
---- a/drivers/idle/intel_idle.c -+++ b/drivers/idle/intel_idle.c -@@ -1076,14 +1076,14 @@ static const struct x86_cpu_id intel_idle_ids[] __initconst = { - ICPU(INTEL_FAM6_WESTMERE, idle_cpu_nehalem), - ICPU(INTEL_FAM6_WESTMERE_EP, idle_cpu_nehalem), - ICPU(INTEL_FAM6_NEHALEM_EX, idle_cpu_nehalem), -- ICPU(INTEL_FAM6_ATOM_PINEVIEW, idle_cpu_atom), -- ICPU(INTEL_FAM6_ATOM_LINCROFT, idle_cpu_lincroft), -+ ICPU(INTEL_FAM6_ATOM_BONNELL, idle_cpu_atom), -+ ICPU(INTEL_FAM6_ATOM_BONNELL_MID, idle_cpu_lincroft), - ICPU(INTEL_FAM6_WESTMERE_EX, idle_cpu_nehalem), - ICPU(INTEL_FAM6_SANDYBRIDGE, idle_cpu_snb), - ICPU(INTEL_FAM6_SANDYBRIDGE_X, idle_cpu_snb), -- ICPU(INTEL_FAM6_ATOM_CEDARVIEW, idle_cpu_atom), -- ICPU(INTEL_FAM6_ATOM_SILVERMONT1, idle_cpu_byt), -- ICPU(INTEL_FAM6_ATOM_MERRIFIELD, idle_cpu_tangier), -+ ICPU(INTEL_FAM6_ATOM_SALTWELL, idle_cpu_atom), -+ ICPU(INTEL_FAM6_ATOM_SILVERMONT, idle_cpu_byt), -+ ICPU(INTEL_FAM6_ATOM_SILVERMONT_MID, idle_cpu_tangier), - ICPU(INTEL_FAM6_ATOM_AIRMONT, idle_cpu_cht), - ICPU(INTEL_FAM6_IVYBRIDGE, idle_cpu_ivb), - ICPU(INTEL_FAM6_IVYBRIDGE_X, idle_cpu_ivt), -@@ -1091,7 +1091,7 @@ static const struct x86_cpu_id intel_idle_ids[] __initconst = { - ICPU(INTEL_FAM6_HASWELL_X, idle_cpu_hsw), - ICPU(INTEL_FAM6_HASWELL_ULT, idle_cpu_hsw), - ICPU(INTEL_FAM6_HASWELL_GT3E, idle_cpu_hsw), -- ICPU(INTEL_FAM6_ATOM_SILVERMONT2, idle_cpu_avn), -+ ICPU(INTEL_FAM6_ATOM_SILVERMONT_X, idle_cpu_avn), - ICPU(INTEL_FAM6_BROADWELL_CORE, idle_cpu_bdw), - ICPU(INTEL_FAM6_BROADWELL_GT3E, idle_cpu_bdw), - ICPU(INTEL_FAM6_BROADWELL_X, idle_cpu_bdw), -@@ -1104,8 +1104,8 @@ static const struct x86_cpu_id intel_idle_ids[] __initconst = { - ICPU(INTEL_FAM6_XEON_PHI_KNL, idle_cpu_knl), - ICPU(INTEL_FAM6_XEON_PHI_KNM, idle_cpu_knl), - ICPU(INTEL_FAM6_ATOM_GOLDMONT, idle_cpu_bxt), -- ICPU(INTEL_FAM6_ATOM_GEMINI_LAKE, idle_cpu_bxt), -- ICPU(INTEL_FAM6_ATOM_DENVERTON, idle_cpu_dnv), -+ ICPU(INTEL_FAM6_ATOM_GOLDMONT_PLUS, idle_cpu_bxt), -+ 
ICPU(INTEL_FAM6_ATOM_GOLDMONT_X, idle_cpu_dnv), - {} - }; - -@@ -1322,7 +1322,7 @@ static void intel_idle_state_table_update(void) - ivt_idle_state_table_update(); - break; - case INTEL_FAM6_ATOM_GOLDMONT: -- case INTEL_FAM6_ATOM_GEMINI_LAKE: -+ case INTEL_FAM6_ATOM_GOLDMONT_PLUS: - bxt_idle_state_table_update(); - break; - case INTEL_FAM6_SKYLAKE_DESKTOP: -diff --git a/drivers/mmc/host/sdhci-acpi.c b/drivers/mmc/host/sdhci-acpi.c -index c61109f7b793..57c1ec322e42 100644 ---- a/drivers/mmc/host/sdhci-acpi.c -+++ b/drivers/mmc/host/sdhci-acpi.c -@@ -247,7 +247,7 @@ static const struct sdhci_acpi_chip sdhci_acpi_chip_int = { - static bool sdhci_acpi_byt(void) - { - static const struct x86_cpu_id byt[] = { -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT1 }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT }, - {} - }; - -diff --git a/drivers/pci/pci-mid.c b/drivers/pci/pci-mid.c -index 314e135014dc..30fbe2ea6eab 100644 ---- a/drivers/pci/pci-mid.c -+++ b/drivers/pci/pci-mid.c -@@ -62,8 +62,8 @@ static const struct pci_platform_pm_ops mid_pci_platform_pm = { - * arch/x86/platform/intel-mid/pwr.c. - */ - static const struct x86_cpu_id lpss_cpu_ids[] = { -- ICPU(INTEL_FAM6_ATOM_PENWELL), -- ICPU(INTEL_FAM6_ATOM_MERRIFIELD), -+ ICPU(INTEL_FAM6_ATOM_SALTWELL_MID), -+ ICPU(INTEL_FAM6_ATOM_SILVERMONT_MID), - {} - }; - -diff --git a/drivers/platform/x86/intel_int0002_vgpio.c b/drivers/platform/x86/intel_int0002_vgpio.c -index a473dc51b18d..e89ad4964dc1 100644 ---- a/drivers/platform/x86/intel_int0002_vgpio.c -+++ b/drivers/platform/x86/intel_int0002_vgpio.c -@@ -60,7 +60,7 @@ static const struct x86_cpu_id int0002_cpu_ids[] = { - /* - * Limit ourselves to Cherry Trail for now, until testing shows we - * need to handle the INT0002 device on Baytrail too. 
-- * ICPU(INTEL_FAM6_ATOM_SILVERMONT1), * Valleyview, Bay Trail * -+ * ICPU(INTEL_FAM6_ATOM_SILVERMONT), * Valleyview, Bay Trail * - */ - ICPU(INTEL_FAM6_ATOM_AIRMONT), /* Braswell, Cherry Trail */ - {} -diff --git a/drivers/platform/x86/intel_mid_powerbtn.c b/drivers/platform/x86/intel_mid_powerbtn.c -index d79fbf924b13..5ad44204a9c3 100644 ---- a/drivers/platform/x86/intel_mid_powerbtn.c -+++ b/drivers/platform/x86/intel_mid_powerbtn.c -@@ -125,8 +125,8 @@ static const struct mid_pb_ddata mrfld_ddata = { - { X86_VENDOR_INTEL, 6, model, X86_FEATURE_ANY, (kernel_ulong_t)&ddata } - - static const struct x86_cpu_id mid_pb_cpu_ids[] = { -- ICPU(INTEL_FAM6_ATOM_PENWELL, mfld_ddata), -- ICPU(INTEL_FAM6_ATOM_MERRIFIELD, mrfld_ddata), -+ ICPU(INTEL_FAM6_ATOM_SALTWELL_MID, mfld_ddata), -+ ICPU(INTEL_FAM6_ATOM_SILVERMONT_MID, mrfld_ddata), - {} - }; - -diff --git a/drivers/platform/x86/intel_telemetry_debugfs.c b/drivers/platform/x86/intel_telemetry_debugfs.c -index 1423fa8710fd..b998d7da97fb 100644 ---- a/drivers/platform/x86/intel_telemetry_debugfs.c -+++ b/drivers/platform/x86/intel_telemetry_debugfs.c -@@ -320,7 +320,7 @@ static struct telemetry_debugfs_conf telem_apl_debugfs_conf = { - - static const struct x86_cpu_id telemetry_debugfs_cpu_ids[] = { - TELEM_DEBUGFS_CPU(INTEL_FAM6_ATOM_GOLDMONT, telem_apl_debugfs_conf), -- TELEM_DEBUGFS_CPU(INTEL_FAM6_ATOM_GEMINI_LAKE, telem_apl_debugfs_conf), -+ TELEM_DEBUGFS_CPU(INTEL_FAM6_ATOM_GOLDMONT_PLUS, telem_apl_debugfs_conf), - {} - }; - -diff --git a/drivers/platform/x86/intel_telemetry_pltdrv.c b/drivers/platform/x86/intel_telemetry_pltdrv.c -index 2f889d6c270e..fcc6bee51a42 100644 ---- a/drivers/platform/x86/intel_telemetry_pltdrv.c -+++ b/drivers/platform/x86/intel_telemetry_pltdrv.c -@@ -192,7 +192,7 @@ static struct telemetry_plt_config telem_glk_config = { - - static const struct x86_cpu_id telemetry_cpu_ids[] = { - TELEM_CPU(INTEL_FAM6_ATOM_GOLDMONT, telem_apl_config), -- TELEM_CPU(INTEL_FAM6_ATOM_GEMINI_LAKE, 
telem_glk_config), -+ TELEM_CPU(INTEL_FAM6_ATOM_GOLDMONT_PLUS, telem_glk_config), - {} - }; - -diff --git a/drivers/powercap/intel_rapl.c b/drivers/powercap/intel_rapl.c -index 295d8dcba48c..8cbfcce57a06 100644 ---- a/drivers/powercap/intel_rapl.c -+++ b/drivers/powercap/intel_rapl.c -@@ -1164,13 +1164,13 @@ static const struct x86_cpu_id rapl_ids[] __initconst = { - RAPL_CPU(INTEL_FAM6_KABYLAKE_DESKTOP, rapl_defaults_core), - RAPL_CPU(INTEL_FAM6_CANNONLAKE_MOBILE, rapl_defaults_core), - -- RAPL_CPU(INTEL_FAM6_ATOM_SILVERMONT1, rapl_defaults_byt), -+ RAPL_CPU(INTEL_FAM6_ATOM_SILVERMONT, rapl_defaults_byt), - RAPL_CPU(INTEL_FAM6_ATOM_AIRMONT, rapl_defaults_cht), -- RAPL_CPU(INTEL_FAM6_ATOM_MERRIFIELD, rapl_defaults_tng), -- RAPL_CPU(INTEL_FAM6_ATOM_MOOREFIELD, rapl_defaults_ann), -+ RAPL_CPU(INTEL_FAM6_ATOM_SILVERMONT_MID, rapl_defaults_tng), -+ RAPL_CPU(INTEL_FAM6_ATOM_AIRMONT_MID, rapl_defaults_ann), - RAPL_CPU(INTEL_FAM6_ATOM_GOLDMONT, rapl_defaults_core), -- RAPL_CPU(INTEL_FAM6_ATOM_GEMINI_LAKE, rapl_defaults_core), -- RAPL_CPU(INTEL_FAM6_ATOM_DENVERTON, rapl_defaults_core), -+ RAPL_CPU(INTEL_FAM6_ATOM_GOLDMONT_PLUS, rapl_defaults_core), -+ RAPL_CPU(INTEL_FAM6_ATOM_GOLDMONT_X, rapl_defaults_core), - - RAPL_CPU(INTEL_FAM6_XEON_PHI_KNL, rapl_defaults_hsw_server), - RAPL_CPU(INTEL_FAM6_XEON_PHI_KNM, rapl_defaults_hsw_server), -diff --git a/drivers/thermal/intel_soc_dts_thermal.c b/drivers/thermal/intel_soc_dts_thermal.c -index 1e47511a6bd5..d748527d7a38 100644 ---- a/drivers/thermal/intel_soc_dts_thermal.c -+++ b/drivers/thermal/intel_soc_dts_thermal.c -@@ -45,7 +45,7 @@ static irqreturn_t soc_irq_thread_fn(int irq, void *dev_data) - } - - static const struct x86_cpu_id soc_thermal_ids[] = { -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT1, 0, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT, 0, - BYT_SOC_DTS_APIC_IRQ}, - {} - }; -diff --git a/sound/soc/intel/boards/bytcr_rt5651.c b/sound/soc/intel/boards/bytcr_rt5651.c -index b74bbee111c6..c6c8d20be1d2 
100644 ---- a/sound/soc/intel/boards/bytcr_rt5651.c -+++ b/sound/soc/intel/boards/bytcr_rt5651.c -@@ -787,7 +787,7 @@ static struct snd_soc_card byt_rt5651_card = { - }; - - static const struct x86_cpu_id baytrail_cpu_ids[] = { -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT1 }, /* Valleyview */ -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT }, /* Valleyview */ - {} - }; - -diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c -index 83964f796edb..fbb53c952b73 100644 ---- a/tools/power/x86/turbostat/turbostat.c -+++ b/tools/power/x86/turbostat/turbostat.c -@@ -2082,7 +2082,7 @@ int has_turbo_ratio_group_limits(int family, int model) - switch (model) { - case INTEL_FAM6_ATOM_GOLDMONT: - case INTEL_FAM6_SKYLAKE_X: -- case INTEL_FAM6_ATOM_DENVERTON: -+ case INTEL_FAM6_ATOM_GOLDMONT_X: - return 1; - } - return 0; -@@ -3149,9 +3149,9 @@ int probe_nhm_msrs(unsigned int family, unsigned int model) - pkg_cstate_limits = skx_pkg_cstate_limits; - has_misc_feature_control = 1; - break; -- case INTEL_FAM6_ATOM_SILVERMONT1: /* BYT */ -+ case INTEL_FAM6_ATOM_SILVERMONT: /* BYT */ - no_MSR_MISC_PWR_MGMT = 1; -- case INTEL_FAM6_ATOM_SILVERMONT2: /* AVN */ -+ case INTEL_FAM6_ATOM_SILVERMONT_X: /* AVN */ - pkg_cstate_limits = slv_pkg_cstate_limits; - break; - case INTEL_FAM6_ATOM_AIRMONT: /* AMT */ -@@ -3163,8 +3163,8 @@ int probe_nhm_msrs(unsigned int family, unsigned int model) - pkg_cstate_limits = phi_pkg_cstate_limits; - break; - case INTEL_FAM6_ATOM_GOLDMONT: /* BXT */ -- case INTEL_FAM6_ATOM_GEMINI_LAKE: -- case INTEL_FAM6_ATOM_DENVERTON: /* DNV */ -+ case INTEL_FAM6_ATOM_GOLDMONT_PLUS: -+ case INTEL_FAM6_ATOM_GOLDMONT_X: /* DNV */ - pkg_cstate_limits = bxt_pkg_cstate_limits; - break; - default: -@@ -3193,9 +3193,9 @@ int has_slv_msrs(unsigned int family, unsigned int model) - return 0; - - switch (model) { -- case INTEL_FAM6_ATOM_SILVERMONT1: -- case INTEL_FAM6_ATOM_MERRIFIELD: -- case INTEL_FAM6_ATOM_MOOREFIELD: -+ case 
INTEL_FAM6_ATOM_SILVERMONT: -+ case INTEL_FAM6_ATOM_SILVERMONT_MID: -+ case INTEL_FAM6_ATOM_AIRMONT_MID: - return 1; - } - return 0; -@@ -3207,7 +3207,7 @@ int is_dnv(unsigned int family, unsigned int model) - return 0; - - switch (model) { -- case INTEL_FAM6_ATOM_DENVERTON: -+ case INTEL_FAM6_ATOM_GOLDMONT_X: - return 1; - } - return 0; -@@ -3724,8 +3724,8 @@ double get_tdp(unsigned int model) - return ((msr >> 0) & RAPL_POWER_GRANULARITY) * rapl_power_units; - - switch (model) { -- case INTEL_FAM6_ATOM_SILVERMONT1: -- case INTEL_FAM6_ATOM_SILVERMONT2: -+ case INTEL_FAM6_ATOM_SILVERMONT: -+ case INTEL_FAM6_ATOM_SILVERMONT_X: - return 30.0; - default: - return 135.0; -@@ -3791,7 +3791,7 @@ void rapl_probe(unsigned int family, unsigned int model) - } - break; - case INTEL_FAM6_ATOM_GOLDMONT: /* BXT */ -- case INTEL_FAM6_ATOM_GEMINI_LAKE: -+ case INTEL_FAM6_ATOM_GOLDMONT_PLUS: - do_rapl = RAPL_PKG | RAPL_PKG_POWER_INFO; - if (rapl_joules) - BIC_PRESENT(BIC_Pkg_J); -@@ -3850,8 +3850,8 @@ void rapl_probe(unsigned int family, unsigned int model) - BIC_PRESENT(BIC_RAMWatt); - } - break; -- case INTEL_FAM6_ATOM_SILVERMONT1: /* BYT */ -- case INTEL_FAM6_ATOM_SILVERMONT2: /* AVN */ -+ case INTEL_FAM6_ATOM_SILVERMONT: /* BYT */ -+ case INTEL_FAM6_ATOM_SILVERMONT_X: /* AVN */ - do_rapl = RAPL_PKG | RAPL_CORES; - if (rapl_joules) { - BIC_PRESENT(BIC_Pkg_J); -@@ -3861,7 +3861,7 @@ void rapl_probe(unsigned int family, unsigned int model) - BIC_PRESENT(BIC_CorWatt); - } - break; -- case INTEL_FAM6_ATOM_DENVERTON: /* DNV */ -+ case INTEL_FAM6_ATOM_GOLDMONT_X: /* DNV */ - do_rapl = RAPL_PKG | RAPL_DRAM | RAPL_DRAM_POWER_INFO | RAPL_DRAM_PERF_STATUS | RAPL_PKG_PERF_STATUS | RAPL_PKG_POWER_INFO | RAPL_CORES_ENERGY_STATUS; - BIC_PRESENT(BIC_PKG__); - BIC_PRESENT(BIC_RAM__); -@@ -3884,7 +3884,7 @@ void rapl_probe(unsigned int family, unsigned int model) - return; - - rapl_power_units = 1.0 / (1 << (msr & 0xF)); -- if (model == INTEL_FAM6_ATOM_SILVERMONT1) -+ if (model == 
INTEL_FAM6_ATOM_SILVERMONT) - rapl_energy_units = 1.0 * (1 << (msr >> 8 & 0x1F)) / 1000000; - else - rapl_energy_units = 1.0 / (1 << (msr >> 8 & 0x1F)); -@@ -4141,8 +4141,8 @@ int has_snb_msrs(unsigned int family, unsigned int model) - case INTEL_FAM6_CANNONLAKE_MOBILE: /* CNL */ - case INTEL_FAM6_SKYLAKE_X: /* SKX */ - case INTEL_FAM6_ATOM_GOLDMONT: /* BXT */ -- case INTEL_FAM6_ATOM_GEMINI_LAKE: -- case INTEL_FAM6_ATOM_DENVERTON: /* DNV */ -+ case INTEL_FAM6_ATOM_GOLDMONT_PLUS: -+ case INTEL_FAM6_ATOM_GOLDMONT_X: /* DNV */ - return 1; - } - return 0; -@@ -4174,7 +4174,7 @@ int has_hsw_msrs(unsigned int family, unsigned int model) - case INTEL_FAM6_KABYLAKE_DESKTOP: /* KBL */ - case INTEL_FAM6_CANNONLAKE_MOBILE: /* CNL */ - case INTEL_FAM6_ATOM_GOLDMONT: /* BXT */ -- case INTEL_FAM6_ATOM_GEMINI_LAKE: -+ case INTEL_FAM6_ATOM_GOLDMONT_PLUS: - return 1; - } - return 0; -@@ -4209,8 +4209,8 @@ int is_slm(unsigned int family, unsigned int model) - if (!genuine_intel) - return 0; - switch (model) { -- case INTEL_FAM6_ATOM_SILVERMONT1: /* BYT */ -- case INTEL_FAM6_ATOM_SILVERMONT2: /* AVN */ -+ case INTEL_FAM6_ATOM_SILVERMONT: /* BYT */ -+ case INTEL_FAM6_ATOM_SILVERMONT_X: /* AVN */ - return 1; - } - return 0; -@@ -4581,11 +4581,11 @@ void process_cpuid() - case INTEL_FAM6_KABYLAKE_DESKTOP: /* KBL */ - crystal_hz = 24000000; /* 24.0 MHz */ - break; -- case INTEL_FAM6_ATOM_DENVERTON: /* DNV */ -+ case INTEL_FAM6_ATOM_GOLDMONT_X: /* DNV */ - crystal_hz = 25000000; /* 25.0 MHz */ - break; - case INTEL_FAM6_ATOM_GOLDMONT: /* BXT */ -- case INTEL_FAM6_ATOM_GEMINI_LAKE: -+ case INTEL_FAM6_ATOM_GOLDMONT_PLUS: - crystal_hz = 19200000; /* 19.2 MHz */ - break; - default: diff --git a/debian/patches/bugfix/all/spec/0003-kvm-x86-Report-STIBP-on-GET_SUPPORTED_CPUID.patch b/debian/patches/bugfix/all/spec/0003-kvm-x86-Report-STIBP-on-GET_SUPPORTED_CPUID.patch deleted file mode 100644 index bc37b20ab..000000000 
--- a/debian/patches/bugfix/all/spec/0003-kvm-x86-Report-STIBP-on-GET_SUPPORTED_CPUID.patch
+++ /dev/null
@@ -1,48 +0,0 @@ -From e75df51aa9a06da683ae47809b52e1987d2824f8 Mon Sep 17 00:00:00 2001 -From: Eduardo Habkost -Date: Wed, 5 Dec 2018 17:19:56 -0200 -Subject: [PATCH 03/30] kvm: x86: Report STIBP on GET_SUPPORTED_CPUID - -commit d7b09c827a6cf291f66637a36f46928dd1423184 upstream - -Months ago, we have added code to allow direct access to MSR_IA32_SPEC_CTRL -to the guest, which makes STIBP available to guests. This was implemented -by commits d28b387fb74d ("KVM/VMX: Allow direct access to -MSR_IA32_SPEC_CTRL") and b2ac58f90540 ("KVM/SVM: Allow direct access to -MSR_IA32_SPEC_CTRL"). - -However, we never updated GET_SUPPORTED_CPUID to let userspace know that -STIBP can be enabled in CPUID. Fix that by updating -kvm_cpuid_8000_0008_ebx_x86_features and kvm_cpuid_7_0_edx_x86_features. - -Signed-off-by: Eduardo Habkost -Reviewed-by: Jim Mattson -Reviewed-by: Konrad Rzeszutek Wilk -Signed-off-by: Paolo Bonzini -Signed-off-by: Thomas Gleixner ---- - arch/x86/kvm/cpuid.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c -index 98d13c6a64be..fe9907517fb4 100644 ---- a/arch/x86/kvm/cpuid.c -+++ b/arch/x86/kvm/cpuid.c -@@ -382,7 +382,7 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function, - /* cpuid 0x80000008.ebx */ - const u32 kvm_cpuid_8000_0008_ebx_x86_features = - F(AMD_IBPB) | F(AMD_IBRS) | F(AMD_SSBD) | F(VIRT_SSBD) | -- F(AMD_SSB_NO); -+ F(AMD_SSB_NO) | F(AMD_STIBP); - - /* cpuid 0xC0000001.edx */ - const u32 kvm_cpuid_C000_0001_edx_x86_features = -@@ -412,7 +412,7 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function, - /* cpuid 7.0.edx*/ - const u32 kvm_cpuid_7_0_edx_x86_features = - F(AVX512_4VNNIW) | F(AVX512_4FMAPS) | F(SPEC_CTRL) | -- F(SPEC_CTRL_SSBD) | F(ARCH_CAPABILITIES); -+ F(SPEC_CTRL_SSBD) | F(ARCH_CAPABILITIES) | F(INTEL_STIBP); - - /* all calls to cpuid_count() should be made on the same cpu */ - get_cpu(); 
diff --git a/debian/patches/bugfix/all/spec/0004-x86-msr-index-Cleanup-bit-defines.patch b/debian/patches/bugfix/all/spec/0004-x86-msr-index-Cleanup-bit-defines.patch deleted file mode 100644 index a9a87c845..000000000 --- a/debian/patches/bugfix/all/spec/0004-x86-msr-index-Cleanup-bit-defines.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -From de787f2bb763b7b5516f5c43df2e9c63be6ef279 Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Thu, 21 Feb 2019 12:36:50 +0100 -Subject: [PATCH 04/30] x86/msr-index: Cleanup bit defines - -commit d8eabc37310a92df40d07c5a8afc53cebf996716 upstream - -Greg pointed out that speculation related bit defines are using (1 << N) -format instead of BIT(N). Aside of that (1 << N) is wrong as it should use -1UL at least. - -Clean it up. - -[ Josh Poimboeuf: Fix tools build ] - -Reported-by: Greg Kroah-Hartman -Signed-off-by: Thomas Gleixner -Reviewed-by: Greg Kroah-Hartman -Reviewed-by: Borislav Petkov -Reviewed-by: Frederic Weisbecker -Reviewed-by: Jon Masters -Tested-by: Jon Masters ---- - arch/x86/include/asm/msr-index.h | 34 ++++++++++--------- - tools/power/x86/turbostat/Makefile | 2 +- - .../power/x86/x86_energy_perf_policy/Makefile | 2 +- - 3 files changed, 20 insertions(+), 18 deletions(-) - -diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h -index f14ca0be1e3f..308b7c94df00 100644 ---- a/arch/x86/include/asm/msr-index.h -+++ b/arch/x86/include/asm/msr-index.h -@@ -2,6 +2,8 @@ - #ifndef _ASM_X86_MSR_INDEX_H - #define _ASM_X86_MSR_INDEX_H - -+#include -+ - /* - * CPU model specific register (MSR) numbers. - * -@@ -40,14 +42,14 @@ - /* Intel MSRs. 
Some also available on other CPUs */ - - #define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */ --#define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */ -+#define SPEC_CTRL_IBRS BIT(0) /* Indirect Branch Restricted Speculation */ - #define SPEC_CTRL_STIBP_SHIFT 1 /* Single Thread Indirect Branch Predictor (STIBP) bit */ --#define SPEC_CTRL_STIBP (1 << SPEC_CTRL_STIBP_SHIFT) /* STIBP mask */ -+#define SPEC_CTRL_STIBP BIT(SPEC_CTRL_STIBP_SHIFT) /* STIBP mask */ - #define SPEC_CTRL_SSBD_SHIFT 2 /* Speculative Store Bypass Disable bit */ --#define SPEC_CTRL_SSBD (1 << SPEC_CTRL_SSBD_SHIFT) /* Speculative Store Bypass Disable */ -+#define SPEC_CTRL_SSBD BIT(SPEC_CTRL_SSBD_SHIFT) /* Speculative Store Bypass Disable */ - - #define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */ --#define PRED_CMD_IBPB (1 << 0) /* Indirect Branch Prediction Barrier */ -+#define PRED_CMD_IBPB BIT(0) /* Indirect Branch Prediction Barrier */ - - #define MSR_PPIN_CTL 0x0000004e - #define MSR_PPIN 0x0000004f -@@ -69,20 +71,20 @@ - #define MSR_MTRRcap 0x000000fe - - #define MSR_IA32_ARCH_CAPABILITIES 0x0000010a --#define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */ --#define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */ --#define ARCH_CAP_SKIP_VMENTRY_L1DFLUSH (1 << 3) /* Skip L1D flush on vmentry */ --#define ARCH_CAP_SSB_NO (1 << 4) /* -- * Not susceptible to Speculative Store Bypass -- * attack, so no Speculative Store Bypass -- * control required. -- */ -+#define ARCH_CAP_RDCL_NO BIT(0) /* Not susceptible to Meltdown */ -+#define ARCH_CAP_IBRS_ALL BIT(1) /* Enhanced IBRS support */ -+#define ARCH_CAP_SKIP_VMENTRY_L1DFLUSH BIT(3) /* Skip L1D flush on vmentry */ -+#define ARCH_CAP_SSB_NO BIT(4) /* -+ * Not susceptible to Speculative Store Bypass -+ * attack, so no Speculative Store Bypass -+ * control required. 
-+ */ - - #define MSR_IA32_FLUSH_CMD 0x0000010b --#define L1D_FLUSH (1 << 0) /* -- * Writeback and invalidate the -- * L1 data cache. -- */ -+#define L1D_FLUSH BIT(0) /* -+ * Writeback and invalidate the -+ * L1 data cache. -+ */ - - #define MSR_IA32_BBL_CR_CTL 0x00000119 - #define MSR_IA32_BBL_CR_CTL3 0x0000011e -diff --git a/tools/power/x86/turbostat/Makefile b/tools/power/x86/turbostat/Makefile -index 2ab25aa38263..ff058bfbca3e 100644 ---- a/tools/power/x86/turbostat/Makefile -+++ b/tools/power/x86/turbostat/Makefile -@@ -9,7 +9,7 @@ ifeq ("$(origin O)", "command line") - endif - - turbostat : turbostat.c --CFLAGS += -Wall -+CFLAGS += -Wall -I../../../include - CFLAGS += -DMSRHEADER='"../../../../arch/x86/include/asm/msr-index.h"' - CFLAGS += -DINTEL_FAMILY_HEADER='"../../../../arch/x86/include/asm/intel-family.h"' - -diff --git a/tools/power/x86/x86_energy_perf_policy/Makefile b/tools/power/x86/x86_energy_perf_policy/Makefile -index f4534fb8b951..da781b430937 100644 ---- a/tools/power/x86/x86_energy_perf_policy/Makefile -+++ b/tools/power/x86/x86_energy_perf_policy/Makefile -@@ -9,7 +9,7 @@ ifeq ("$(origin O)", "command line") - endif - - x86_energy_perf_policy : x86_energy_perf_policy.c --CFLAGS += -Wall -+CFLAGS += -Wall -I../../../include - CFLAGS += -DMSRHEADER='"../../../../arch/x86/include/asm/msr-index.h"' - - %: %.c diff --git a/debian/patches/bugfix/all/spec/0005-x86-speculation-Consolidate-CPU-whitelists.patch b/debian/patches/bugfix/all/spec/0005-x86-speculation-Consolidate-CPU-whitelists.patch deleted file mode 100644 index b63593fe4..000000000 --- a/debian/patches/bugfix/all/spec/0005-x86-speculation-Consolidate-CPU-whitelists.patch +++ /dev/null 
@@ -1,169 +0,0 @@ -From bb9d4a24ba55d1487a34d287c6b940ce00b85822 Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Wed, 27 Feb 2019 10:10:23 +0100 -Subject: [PATCH 05/30] x86/speculation: Consolidate CPU whitelists - -commit 36ad35131adacc29b328b9c8b6277a8bf0d6fd5d upstream - -The CPU vulnerability whitelists have some overlap and there are more -whitelists coming along. - -Use the driver_data field in the x86_cpu_id struct to denote the -whitelisted vulnerabilities and combine all whitelists into one. - -Suggested-by: Linus Torvalds -Signed-off-by: Thomas Gleixner -Reviewed-by: Frederic Weisbecker -Reviewed-by: Greg Kroah-Hartman -Reviewed-by: Borislav Petkov -Reviewed-by: Jon Masters -Tested-by: Jon Masters ---- - arch/x86/kernel/cpu/common.c | 105 +++++++++++++++++++---------------- - 1 file changed, 56 insertions(+), 49 deletions(-) - -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index 10e5ccfa9278..fd16b4cc991f 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -948,60 +948,68 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c) - #endif - } - --static const __initconst struct x86_cpu_id cpu_no_speculation[] = { -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SALTWELL, X86_FEATURE_ANY }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SALTWELL_TABLET, X86_FEATURE_ANY }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_BONNELL_MID, X86_FEATURE_ANY }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SALTWELL_MID, X86_FEATURE_ANY }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_BONNELL, X86_FEATURE_ANY }, -- { X86_VENDOR_CENTAUR, 5 }, -- { X86_VENDOR_INTEL, 5 }, -- { X86_VENDOR_NSC, 5 }, -- { X86_VENDOR_ANY, 4 }, -+#define NO_SPECULATION BIT(0) -+#define NO_MELTDOWN BIT(1) -+#define NO_SSB BIT(2) -+#define NO_L1TF BIT(3) -+ -+#define VULNWL(_vendor, _family, _model, _whitelist) \ -+ { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist } -+ -+#define VULNWL_INTEL(model, whitelist) \ -+ VULNWL(INTEL, 
6, INTEL_FAM6_##model, whitelist) -+ -+#define VULNWL_AMD(family, whitelist) \ -+ VULNWL(AMD, family, X86_MODEL_ANY, whitelist) -+ -+static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = { -+ VULNWL(ANY, 4, X86_MODEL_ANY, NO_SPECULATION), -+ VULNWL(CENTAUR, 5, X86_MODEL_ANY, NO_SPECULATION), -+ VULNWL(INTEL, 5, X86_MODEL_ANY, NO_SPECULATION), -+ VULNWL(NSC, 5, X86_MODEL_ANY, NO_SPECULATION), -+ -+ VULNWL_INTEL(ATOM_SALTWELL, NO_SPECULATION), -+ VULNWL_INTEL(ATOM_SALTWELL_TABLET, NO_SPECULATION), -+ VULNWL_INTEL(ATOM_SALTWELL_MID, NO_SPECULATION), -+ VULNWL_INTEL(ATOM_BONNELL, NO_SPECULATION), -+ VULNWL_INTEL(ATOM_BONNELL_MID, NO_SPECULATION), -+ -+ VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF), -+ VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF), -+ VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF), -+ VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF), -+ VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF), -+ VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF), -+ -+ VULNWL_INTEL(CORE_YONAH, NO_SSB), -+ -+ VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF), -+ VULNWL_INTEL(ATOM_GOLDMONT, NO_L1TF), -+ VULNWL_INTEL(ATOM_GOLDMONT_X, NO_L1TF), -+ VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_L1TF), -+ -+ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF), -+ VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF), -+ VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF), -+ VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF), -+ -+ /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */ -+ VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF), - {} - }; - --static const __initconst struct x86_cpu_id cpu_no_meltdown[] = { -- { X86_VENDOR_AMD }, -- {} --}; -- --/* Only list CPUs which speculate but are non susceptible to SSB */ --static const __initconst struct x86_cpu_id cpu_no_spec_store_bypass[] = { -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_AIRMONT }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT_X }, -- { X86_VENDOR_INTEL, 6, 
INTEL_FAM6_ATOM_SILVERMONT_MID }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_CORE_YONAH }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNL }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNM }, -- { X86_VENDOR_AMD, 0x12, }, -- { X86_VENDOR_AMD, 0x11, }, -- { X86_VENDOR_AMD, 0x10, }, -- { X86_VENDOR_AMD, 0xf, }, -- {} --}; -+static bool __init cpu_matches(unsigned long which) -+{ -+ const struct x86_cpu_id *m = x86_match_cpu(cpu_vuln_whitelist); - --static const __initconst struct x86_cpu_id cpu_no_l1tf[] = { -- /* in addition to cpu_no_speculation */ -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT_X }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_AIRMONT }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT_MID }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_AIRMONT_MID }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_GOLDMONT }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_GOLDMONT_X }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_GOLDMONT_PLUS }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNL }, -- { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNM }, -- {} --}; -+ return m && !!(m->driver_data & which); -+} - - static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) - { - u64 ia32_cap = 0; - -- if (x86_match_cpu(cpu_no_speculation)) -+ if (cpu_matches(NO_SPECULATION)) - return; - - setup_force_cpu_bug(X86_BUG_SPECTRE_V1); -@@ -1010,15 +1018,14 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) - if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES)) - rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); - -- if (!x86_match_cpu(cpu_no_spec_store_bypass) && -- !(ia32_cap & ARCH_CAP_SSB_NO) && -+ if (!cpu_matches(NO_SSB) && !(ia32_cap & ARCH_CAP_SSB_NO) && - !cpu_has(c, X86_FEATURE_AMD_SSB_NO)) - setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS); - - if (ia32_cap & ARCH_CAP_IBRS_ALL) - setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED); - -- if (x86_match_cpu(cpu_no_meltdown)) -+ if (cpu_matches(NO_MELTDOWN)) - return; - - /* 
Rogue Data Cache Load? No! */ -@@ -1027,7 +1034,7 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) - - setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN); - -- if (x86_match_cpu(cpu_no_l1tf)) -+ if (cpu_matches(NO_L1TF)) - return; - - setup_force_cpu_bug(X86_BUG_L1TF); diff --git a/debian/patches/bugfix/all/spec/0006-x86-speculation-mds-Add-basic-bug-infrastructure-for.patch b/debian/patches/bugfix/all/spec/0006-x86-speculation-mds-Add-basic-bug-infrastructure-for.patch deleted file mode 100644 index ec8d29d7e..000000000 --- a/debian/patches/bugfix/all/spec/0006-x86-speculation-mds-Add-basic-bug-infrastructure-for.patch +++ /dev/null 
@@ -1,154 +0,0 @@ -From e082f3653d17755854a3538e5658061ac92e2ab3 Mon Sep 17 00:00:00 2001 -From: Andi Kleen -Date: Fri, 18 Jan 2019 16:50:16 -0800 -Subject: [PATCH 06/30] x86/speculation/mds: Add basic bug infrastructure for - MDS - -commit ed5194c2732c8084af9fd159c146ea92bf137128 upstream - -Microarchitectural Data Sampling (MDS), is a class of side channel attacks -on internal buffers in Intel CPUs. The variants are: - - - Microarchitectural Store Buffer Data Sampling (MSBDS) (CVE-2018-12126) - - Microarchitectural Fill Buffer Data Sampling (MFBDS) (CVE-2018-12130) - - Microarchitectural Load Port Data Sampling (MLPDS) (CVE-2018-12127) - -MSBDS leaks Store Buffer Entries which can be speculatively forwarded to a -dependent load (store-to-load forwarding) as an optimization. The forward -can also happen to a faulting or assisting load operation for a different -memory address, which can be exploited under certain conditions. Store -buffers are partitioned between Hyper-Threads so cross thread forwarding is -not possible. But if a thread enters or exits a sleep state the store -buffer is repartitioned which can expose data from one thread to the other. - -MFBDS leaks Fill Buffer Entries. Fill buffers are used internally to manage -L1 miss situations and to hold data which is returned or sent in response -to a memory or I/O operation. Fill buffers can forward data to a load -operation and also write data to the cache. When the fill buffer is -deallocated it can retain the stale data of the preceding operations which -can then be forwarded to a faulting or assisting load operation, which can -be exploited under certain conditions. Fill buffers are shared between -Hyper-Threads so cross thread leakage is possible. - -MLDPS leaks Load Port Data. Load ports are used to perform load operations -from memory or I/O. The received data is then forwarded to the register -file or a subsequent operation. 
In some implementations the Load Port can -contain stale data from a previous operation which can be forwarded to -faulting or assisting loads under certain conditions, which again can be -exploited eventually. Load ports are shared between Hyper-Threads so cross -thread leakage is possible. - -All variants have the same mitigation for single CPU thread case (SMT off), -so the kernel can treat them as one MDS issue. - -Add the basic infrastructure to detect if the current CPU is affected by -MDS. - -[ tglx: Rewrote changelog ] - -Signed-off-by: Andi Kleen -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Greg Kroah-Hartman -Reviewed-by: Frederic Weisbecker -Reviewed-by: Jon Masters -Tested-by: Jon Masters ---- - arch/x86/include/asm/cpufeatures.h | 2 ++ - arch/x86/include/asm/msr-index.h | 5 +++++ - arch/x86/kernel/cpu/common.c | 23 +++++++++++++++-------- - 3 files changed, 22 insertions(+), 8 deletions(-) - -diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h -index 7b31ee5223fc..1dc7b8129b55 100644 ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -341,6 +341,7 @@ - #define X86_FEATURE_AVX512_4VNNIW (18*32+ 2) /* AVX-512 Neural Network Instructions */ - #define X86_FEATURE_AVX512_4FMAPS (18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */ - #define X86_FEATURE_TSX_FORCE_ABORT (18*32+13) /* "" TSX_FORCE_ABORT */ -+#define X86_FEATURE_MD_CLEAR (18*32+10) /* VERW clears CPU buffers */ - #define X86_FEATURE_PCONFIG (18*32+18) /* Intel PCONFIG */ - #define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */ - #define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */ -@@ -378,5 +379,6 @@ - #define X86_BUG_SPECTRE_V2 X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */ - #define X86_BUG_SPEC_STORE_BYPASS X86_BUG(17) /* CPU is affected by speculative store bypass attack */ - 
#define X86_BUG_L1TF X86_BUG(18) /* CPU is affected by L1 Terminal Fault */ -+#define X86_BUG_MDS X86_BUG(19) /* CPU is affected by Microarchitectural data sampling */ - - #endif /* _ASM_X86_CPUFEATURES_H */ -diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h -index 308b7c94df00..f85f43db9225 100644 ---- a/arch/x86/include/asm/msr-index.h -+++ b/arch/x86/include/asm/msr-index.h -@@ -79,6 +79,11 @@ - * attack, so no Speculative Store Bypass - * control required. - */ -+#define ARCH_CAP_MDS_NO BIT(5) /* -+ * Not susceptible to -+ * Microarchitectural Data -+ * Sampling (MDS) vulnerabilities. -+ */ - - #define MSR_IA32_FLUSH_CMD 0x0000010b - #define L1D_FLUSH BIT(0) /* -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index fd16b4cc991f..0ea1e4bc3e20 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -952,6 +952,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c) - #define NO_MELTDOWN BIT(1) - #define NO_SSB BIT(2) - #define NO_L1TF BIT(3) -+#define NO_MDS BIT(4) - - #define VULNWL(_vendor, _family, _model, _whitelist) \ - { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist } -@@ -968,6 +969,7 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = { - VULNWL(INTEL, 5, X86_MODEL_ANY, NO_SPECULATION), - VULNWL(NSC, 5, X86_MODEL_ANY, NO_SPECULATION), - -+ /* Intel Family 6 */ - VULNWL_INTEL(ATOM_SALTWELL, NO_SPECULATION), - VULNWL_INTEL(ATOM_SALTWELL_TABLET, NO_SPECULATION), - VULNWL_INTEL(ATOM_SALTWELL_MID, NO_SPECULATION), -@@ -984,17 +986,19 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = { - VULNWL_INTEL(CORE_YONAH, NO_SSB), - - VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF), -- VULNWL_INTEL(ATOM_GOLDMONT, NO_L1TF), -- VULNWL_INTEL(ATOM_GOLDMONT_X, NO_L1TF), -- VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_L1TF), - -- VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF), -- VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF), -- 
VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF), -- VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF), -+ VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF), -+ VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF), -+ VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF), -+ -+ /* AMD Family 0xf - 0x12 */ -+ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), -+ VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), -+ VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), -+ VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), - - /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */ -- VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF), -+ VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS), - {} - }; - -@@ -1025,6 +1029,9 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) - if (ia32_cap & ARCH_CAP_IBRS_ALL) - setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED); - -+ if (!cpu_matches(NO_MDS) && !(ia32_cap & ARCH_CAP_MDS_NO)) -+ setup_force_cpu_bug(X86_BUG_MDS); -+ - if (cpu_matches(NO_MELTDOWN)) - return; - diff --git a/debian/patches/bugfix/all/spec/0007-x86-speculation-mds-Add-BUG_MSBDS_ONLY.patch b/debian/patches/bugfix/all/spec/0007-x86-speculation-mds-Add-BUG_MSBDS_ONLY.patch deleted file mode 100644 index 26f166edb..000000000 --- a/debian/patches/bugfix/all/spec/0007-x86-speculation-mds-Add-BUG_MSBDS_ONLY.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From 91439bd017c726a81577dd2bee789580f5bfdf35 Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Fri, 1 Mar 2019 20:21:08 +0100 -Subject: [PATCH 07/30] x86/speculation/mds: Add BUG_MSBDS_ONLY - -commit e261f209c3666e842fd645a1e31f001c3a26def9 upstream - -This bug bit is set on CPUs which are only affected by Microarchitectural -Store Buffer Data Sampling (MSBDS) and not by any other MDS variant. - -This is important because the Store Buffers are partitioned between -Hyper-Threads so cross thread forwarding is not possible. But if a thread -enters or exits a sleep state the store buffer is repartitioned which can -expose data from one thread to the other. This transition can be mitigated. - -That means that for CPUs which are only affected by MSBDS SMT can be -enabled, if the CPU is not affected by other SMT sensitive vulnerabilities, -e.g. L1TF. The XEON PHI variants fall into that category. Also the -Silvermont/Airmont ATOMs, but for them it's not really relevant as they do -not support SMT, but mark them for completeness sake. 
- -Signed-off-by: Thomas Gleixner -Reviewed-by: Frederic Weisbecker -Reviewed-by: Jon Masters -Tested-by: Jon Masters ---- - arch/x86/include/asm/cpufeatures.h | 1 + - arch/x86/kernel/cpu/common.c | 20 ++++++++++++-------- - 2 files changed, 13 insertions(+), 8 deletions(-) - -diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h -index 1dc7b8129b55..69037da75ea0 100644 ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -380,5 +380,6 @@ - #define X86_BUG_SPEC_STORE_BYPASS X86_BUG(17) /* CPU is affected by speculative store bypass attack */ - #define X86_BUG_L1TF X86_BUG(18) /* CPU is affected by L1 Terminal Fault */ - #define X86_BUG_MDS X86_BUG(19) /* CPU is affected by Microarchitectural data sampling */ -+#define X86_BUG_MSBDS_ONLY X86_BUG(20) /* CPU is only affected by the MSDBS variant of BUG_MDS */ - - #endif /* _ASM_X86_CPUFEATURES_H */ -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index 0ea1e4bc3e20..1073118b9bf0 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -953,6 +953,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c) - #define NO_SSB BIT(2) - #define NO_L1TF BIT(3) - #define NO_MDS BIT(4) -+#define MSBDS_ONLY BIT(5) - - #define VULNWL(_vendor, _family, _model, _whitelist) \ - { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist } -@@ -976,16 +977,16 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = { - VULNWL_INTEL(ATOM_BONNELL, NO_SPECULATION), - VULNWL_INTEL(ATOM_BONNELL_MID, NO_SPECULATION), - -- VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF), -- VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF), -- VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF), -- VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF), -- VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF), -- VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF), -+ VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY), -+ 
VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY), -+ VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY), -+ VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY), -+ VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY), -+ VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY), - - VULNWL_INTEL(CORE_YONAH, NO_SSB), - -- VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF), -+ VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY), - - VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF), - VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF), -@@ -1029,8 +1030,11 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) - if (ia32_cap & ARCH_CAP_IBRS_ALL) - setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED); - -- if (!cpu_matches(NO_MDS) && !(ia32_cap & ARCH_CAP_MDS_NO)) -+ if (!cpu_matches(NO_MDS) && !(ia32_cap & ARCH_CAP_MDS_NO)) { - setup_force_cpu_bug(X86_BUG_MDS); -+ if (cpu_matches(MSBDS_ONLY)) -+ setup_force_cpu_bug(X86_BUG_MSBDS_ONLY); -+ } - - if (cpu_matches(NO_MELTDOWN)) - return; diff --git a/debian/patches/bugfix/all/spec/0008-x86-kvm-Expose-X86_FEATURE_MD_CLEAR-to-guests.patch b/debian/patches/bugfix/all/spec/0008-x86-kvm-Expose-X86_FEATURE_MD_CLEAR-to-guests.patch deleted file mode 100644 index 840968e4e..000000000 --- a/debian/patches/bugfix/all/spec/0008-x86-kvm-Expose-X86_FEATURE_MD_CLEAR-to-guests.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 10c46ffb2f76b9a73f070877b3e83b9096bf0ed8 Mon Sep 17 00:00:00 2001 -From: Andi Kleen -Date: Fri, 18 Jan 2019 16:50:23 -0800 -Subject: [PATCH 08/30] x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests - -commit 6c4dbbd14730c43f4ed808a9c42ca41625925c22 upstream - -X86_FEATURE_MD_CLEAR is a new CPUID bit which is set when microcode -provides the mechanism to invoke a flush of various exploitable CPU buffers -by invoking the VERW instruction. - -Hand it through to guests so they can adjust their mitigations. - -This also requires corresponding qemu changes, which are available -separately. - -[ tglx: Massaged changelog ] - -Signed-off-by: Andi Kleen -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Greg Kroah-Hartman -Reviewed-by: Frederic Weisbecker -Reviewed-by: Jon Masters -Tested-by: Jon Masters ---- - arch/x86/kvm/cpuid.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c -index fe9907517fb4..b810102a9cfa 100644 ---- a/arch/x86/kvm/cpuid.c -+++ b/arch/x86/kvm/cpuid.c -@@ -412,7 +412,8 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function, - /* cpuid 7.0.edx*/ - const u32 kvm_cpuid_7_0_edx_x86_features = - F(AVX512_4VNNIW) | F(AVX512_4FMAPS) | F(SPEC_CTRL) | -- F(SPEC_CTRL_SSBD) | F(ARCH_CAPABILITIES) | F(INTEL_STIBP); -+ F(SPEC_CTRL_SSBD) | F(ARCH_CAPABILITIES) | F(INTEL_STIBP) | -+ F(MD_CLEAR); - - /* all calls to cpuid_count() should be made on the same cpu */ - get_cpu(); diff --git a/debian/patches/bugfix/all/spec/0009-x86-speculation-mds-Add-mds_clear_cpu_buffers.patch b/debian/patches/bugfix/all/spec/0009-x86-speculation-mds-Add-mds_clear_cpu_buffers.patch deleted file mode 100644 index 82e823509..000000000 --- a/debian/patches/bugfix/all/spec/0009-x86-speculation-mds-Add-mds_clear_cpu_buffers.patch +++ /dev/null 
@@ -1,231 +0,0 @@ -From 370fbb129df726c669be7f89403d7b2053f035bc Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Mon, 18 Feb 2019 23:13:06 +0100 -Subject: [PATCH 09/30] x86/speculation/mds: Add mds_clear_cpu_buffers() - -commit 6a9e529272517755904b7afa639f6db59ddb793e upstream - -The Microarchitectural Data Sampling (MDS) vulernabilities are mitigated by -clearing the affected CPU buffers. The mechanism for clearing the buffers -uses the unused and obsolete VERW instruction in combination with a -microcode update which triggers a CPU buffer clear when VERW is executed. - -Provide a inline function with the assembly magic. The argument of the VERW -instruction must be a memory operand as documented: - - "MD_CLEAR enumerates that the memory-operand variant of VERW (for - example, VERW m16) has been extended to also overwrite buffers affected - by MDS. This buffer overwriting functionality is not guaranteed for the - register operand variant of VERW." - -Documentation also recommends to use a writable data segment selector: - - "The buffer overwriting occurs regardless of the result of the VERW - permission check, as well as when the selector is null or causes a - descriptor load segment violation. However, for lowest latency we - recommend using a selector that indicates a valid writable data - segment." - -Add x86 specific documentation about MDS and the internal workings of the -mitigation. 
- -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Greg Kroah-Hartman -Reviewed-by: Frederic Weisbecker -Reviewed-by: Jon Masters -Tested-by: Jon Masters ---- - Documentation/index.rst | 1 + - Documentation/x86/conf.py | 10 +++ - Documentation/x86/index.rst | 8 +++ - Documentation/x86/mds.rst | 99 ++++++++++++++++++++++++++++ - arch/x86/include/asm/nospec-branch.h | 25 +++++++ - 5 files changed, 143 insertions(+) - create mode 100644 Documentation/x86/conf.py - create mode 100644 Documentation/x86/index.rst - create mode 100644 Documentation/x86/mds.rst - -diff --git a/Documentation/index.rst b/Documentation/index.rst -index 5db7e87c7cb1..1cdc139adb40 100644 ---- a/Documentation/index.rst -+++ b/Documentation/index.rst -@@ -104,6 +104,7 @@ implementation. - :maxdepth: 2 - - sh/index -+ x86/index - - Filesystem Documentation - ------------------------ -diff --git a/Documentation/x86/conf.py b/Documentation/x86/conf.py -new file mode 100644 -index 000000000000..33c5c3142e20 ---- /dev/null -+++ b/Documentation/x86/conf.py -@@ -0,0 +1,10 @@ -+# -*- coding: utf-8; mode: python -*- -+ -+project = "X86 architecture specific documentation" -+ -+tags.add("subproject") -+ -+latex_documents = [ -+ ('index', 'x86.tex', project, -+ 'The kernel development community', 'manual'), -+] -diff --git a/Documentation/x86/index.rst b/Documentation/x86/index.rst -new file mode 100644 -index 000000000000..ef389dcf1b1d ---- /dev/null -+++ b/Documentation/x86/index.rst -@@ -0,0 +1,8 @@ -+========================== -+x86 architecture specifics -+========================== -+ -+.. toctree:: -+ :maxdepth: 1 -+ -+ mds -diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst -new file mode 100644 -index 000000000000..1096738d50f2 ---- /dev/null -+++ b/Documentation/x86/mds.rst -@@ -0,0 +1,99 @@ -+Microarchitectural Data Sampling (MDS) mitigation -+================================================= -+ -+.. 
_mds: -+ -+Overview -+-------- -+ -+Microarchitectural Data Sampling (MDS) is a family of side channel attacks -+on internal buffers in Intel CPUs. The variants are: -+ -+ - Microarchitectural Store Buffer Data Sampling (MSBDS) (CVE-2018-12126) -+ - Microarchitectural Fill Buffer Data Sampling (MFBDS) (CVE-2018-12130) -+ - Microarchitectural Load Port Data Sampling (MLPDS) (CVE-2018-12127) -+ -+MSBDS leaks Store Buffer Entries which can be speculatively forwarded to a -+dependent load (store-to-load forwarding) as an optimization. The forward -+can also happen to a faulting or assisting load operation for a different -+memory address, which can be exploited under certain conditions. Store -+buffers are partitioned between Hyper-Threads so cross thread forwarding is -+not possible. But if a thread enters or exits a sleep state the store -+buffer is repartitioned which can expose data from one thread to the other. -+ -+MFBDS leaks Fill Buffer Entries. Fill buffers are used internally to manage -+L1 miss situations and to hold data which is returned or sent in response -+to a memory or I/O operation. Fill buffers can forward data to a load -+operation and also write data to the cache. When the fill buffer is -+deallocated it can retain the stale data of the preceding operations which -+can then be forwarded to a faulting or assisting load operation, which can -+be exploited under certain conditions. Fill buffers are shared between -+Hyper-Threads so cross thread leakage is possible. -+ -+MLPDS leaks Load Port Data. Load ports are used to perform load operations -+from memory or I/O. The received data is then forwarded to the register -+file or a subsequent operation. In some implementations the Load Port can -+contain stale data from a previous operation which can be forwarded to -+faulting or assisting loads under certain conditions, which again can be -+exploited eventually. Load ports are shared between Hyper-Threads so cross -+thread leakage is possible. 
-+ -+ -+Exposure assumptions -+-------------------- -+ -+It is assumed that attack code resides in user space or in a guest with one -+exception. The rationale behind this assumption is that the code construct -+needed for exploiting MDS requires: -+ -+ - to control the load to trigger a fault or assist -+ -+ - to have a disclosure gadget which exposes the speculatively accessed -+ data for consumption through a side channel. -+ -+ - to control the pointer through which the disclosure gadget exposes the -+ data -+ -+The existence of such a construct in the kernel cannot be excluded with -+100% certainty, but the complexity involved makes it extremly unlikely. -+ -+There is one exception, which is untrusted BPF. The functionality of -+untrusted BPF is limited, but it needs to be thoroughly investigated -+whether it can be used to create such a construct. -+ -+ -+Mitigation strategy -+------------------- -+ -+All variants have the same mitigation strategy at least for the single CPU -+thread case (SMT off): Force the CPU to clear the affected buffers. -+ -+This is achieved by using the otherwise unused and obsolete VERW -+instruction in combination with a microcode update. The microcode clears -+the affected CPU buffers when the VERW instruction is executed. -+ -+For virtualization there are two ways to achieve CPU buffer -+clearing. Either the modified VERW instruction or via the L1D Flush -+command. The latter is issued when L1TF mitigation is enabled so the extra -+VERW can be avoided. If the CPU is not affected by L1TF then VERW needs to -+be issued. -+ -+If the VERW instruction with the supplied segment selector argument is -+executed on a CPU without the microcode update there is no side effect -+other than a small number of pointlessly wasted CPU cycles. -+ -+This does not protect against cross Hyper-Thread attacks except for MSBDS -+which is only exploitable cross Hyper-thread when one of the Hyper-Threads -+enters a C-state. 
-+ -+The kernel provides a function to invoke the buffer clearing: -+ -+ mds_clear_cpu_buffers() -+ -+The mitigation is invoked on kernel/userspace, hypervisor/guest and C-state -+(idle) transitions. -+ -+According to current knowledge additional mitigations inside the kernel -+itself are not required because the necessary gadgets to expose the leaked -+data cannot be controlled in a way which allows exploitation from malicious -+user space or VM guests. -diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h -index 032b6009baab..c022732e2cf9 100644 ---- a/arch/x86/include/asm/nospec-branch.h -+++ b/arch/x86/include/asm/nospec-branch.h -@@ -317,6 +317,31 @@ DECLARE_STATIC_KEY_FALSE(switch_to_cond_stibp); - DECLARE_STATIC_KEY_FALSE(switch_mm_cond_ibpb); - DECLARE_STATIC_KEY_FALSE(switch_mm_always_ibpb); - -+#include -+ -+/** -+ * mds_clear_cpu_buffers - Mitigation for MDS vulnerability -+ * -+ * This uses the otherwise unused and obsolete VERW instruction in -+ * combination with microcode which triggers a CPU buffer flush when the -+ * instruction is executed. -+ */ -+static inline void mds_clear_cpu_buffers(void) -+{ -+ static const u16 ds = __KERNEL_DS; -+ -+ /* -+ * Has to be the memory-operand variant because only that -+ * guarantees the CPU buffer flush functionality according to -+ * documentation. The register-operand variant does not. -+ * Works with any segment selector, but a valid writable -+ * data segment is the fastest variant. -+ * -+ * "cc" clobber is required because VERW modifies ZF. -+ */ -+ asm volatile("verw %[ds]" : : [ds] "m" (ds) : "cc"); -+} -+ - #endif /* __ASSEMBLY__ */ - - /* diff --git a/debian/patches/bugfix/all/spec/0010-x86-speculation-mds-Clear-CPU-buffers-on-exit-to-use.patch b/debian/patches/bugfix/all/spec/0010-x86-speculation-mds-Clear-CPU-buffers-on-exit-to-use.patch deleted file mode 100644 index 2941b0dcd..000000000 
--- a/debian/patches/bugfix/all/spec/0010-x86-speculation-mds-Clear-CPU-buffers-on-exit-to-use.patch +++ /dev/null 
@@ -1,203 +0,0 @@ -From d526a5f8b2e39468b2c2e88ae2ff01b4fb86a945 Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Mon, 18 Feb 2019 23:42:51 +0100 -Subject: [PATCH 10/30] x86/speculation/mds: Clear CPU buffers on exit to user - -commit 04dcbdb8057827b043b3c71aa397c4c63e67d086 upstream - -Add a static key which controls the invocation of the CPU buffer clear -mechanism on exit to user space and add the call into -prepare_exit_to_usermode() and do_nmi() right before actually returning. - -Add documentation which kernel to user space transition this covers and -explain why some corner cases are not mitigated. - -Signed-off-by: Thomas Gleixner -Reviewed-by: Greg Kroah-Hartman -Reviewed-by: Borislav Petkov -Reviewed-by: Frederic Weisbecker -Reviewed-by: Jon Masters -Tested-by: Jon Masters ---- - Documentation/x86/mds.rst | 52 ++++++++++++++++++++++++++++ - arch/x86/entry/common.c | 3 ++ - arch/x86/include/asm/nospec-branch.h | 13 +++++++ - arch/x86/kernel/cpu/bugs.c | 3 ++ - arch/x86/kernel/nmi.c | 4 +++ - arch/x86/kernel/traps.c | 8 +++++ - 6 files changed, 83 insertions(+) - -diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst -index 1096738d50f2..54d935bf283b 100644 ---- a/Documentation/x86/mds.rst -+++ b/Documentation/x86/mds.rst -@@ -97,3 +97,55 @@ According to current knowledge additional mitigations inside the kernel - itself are not required because the necessary gadgets to expose the leaked - data cannot be controlled in a way which allows exploitation from malicious - user space or VM guests. -+ -+Mitigation points -+----------------- -+ -+1. Return to user space -+^^^^^^^^^^^^^^^^^^^^^^^ -+ -+ When transitioning from kernel to user space the CPU buffers are flushed -+ on affected CPUs when the mitigation is not disabled on the kernel -+ command line. The migitation is enabled through the static key -+ mds_user_clear. -+ -+ The mitigation is invoked in prepare_exit_to_usermode() which covers -+ most of the kernel to user space transitions. 
There are a few exceptions -+ which are not invoking prepare_exit_to_usermode() on return to user -+ space. These exceptions use the paranoid exit code. -+ -+ - Non Maskable Interrupt (NMI): -+ -+ Access to sensible data like keys, credentials in the NMI context is -+ mostly theoretical: The CPU can do prefetching or execute a -+ misspeculated code path and thereby fetching data which might end up -+ leaking through a buffer. -+ -+ But for mounting other attacks the kernel stack address of the task is -+ already valuable information. So in full mitigation mode, the NMI is -+ mitigated on the return from do_nmi() to provide almost complete -+ coverage. -+ -+ - Double fault (#DF): -+ -+ A double fault is usually fatal, but the ESPFIX workaround, which can -+ be triggered from user space through modify_ldt(2) is a recoverable -+ double fault. #DF uses the paranoid exit path, so explicit mitigation -+ in the double fault handler is required. -+ -+ - Machine Check Exception (#MC): -+ -+ Another corner case is a #MC which hits between the CPU buffer clear -+ invocation and the actual return to user. As this still is in kernel -+ space it takes the paranoid exit path which does not clear the CPU -+ buffers. So the #MC handler repopulates the buffers to some -+ extent. Machine checks are not reliably controllable and the window is -+ extremly small so mitigation would just tick a checkbox that this -+ theoretical corner case is covered. To keep the amount of special -+ cases small, ignore #MC. -+ -+ - Debug Exception (#DB): -+ -+ This takes the paranoid exit path only when the INT1 breakpoint is in -+ kernel space. #DB on a user space address takes the regular exit path, -+ so no extra mitigation required. 
-diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c -index 3b2490b81918..8353348ddeaf 100644 ---- a/arch/x86/entry/common.c -+++ b/arch/x86/entry/common.c -@@ -31,6 +31,7 @@ - #include - #include - #include -+#include - - #define CREATE_TRACE_POINTS - #include -@@ -212,6 +213,8 @@ __visible inline void prepare_exit_to_usermode(struct pt_regs *regs) - #endif - - user_enter_irqoff(); -+ -+ mds_user_clear_cpu_buffers(); - } - - #define SYSCALL_EXIT_WORK_FLAGS \ -diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h -index c022732e2cf9..912d509d34fc 100644 ---- a/arch/x86/include/asm/nospec-branch.h -+++ b/arch/x86/include/asm/nospec-branch.h -@@ -317,6 +317,8 @@ DECLARE_STATIC_KEY_FALSE(switch_to_cond_stibp); - DECLARE_STATIC_KEY_FALSE(switch_mm_cond_ibpb); - DECLARE_STATIC_KEY_FALSE(switch_mm_always_ibpb); - -+DECLARE_STATIC_KEY_FALSE(mds_user_clear); -+ - #include - - /** -@@ -342,6 +344,17 @@ static inline void mds_clear_cpu_buffers(void) - asm volatile("verw %[ds]" : : [ds] "m" (ds) : "cc"); - } - -+/** -+ * mds_user_clear_cpu_buffers - Mitigation for MDS vulnerability -+ * -+ * Clear CPU buffers if the corresponding static key is enabled -+ */ -+static inline void mds_user_clear_cpu_buffers(void) -+{ -+ if (static_branch_likely(&mds_user_clear)) -+ mds_clear_cpu_buffers(); -+} -+ - #endif /* __ASSEMBLY__ */ - - /* -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index e5258bd64200..2a69046cc38c 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -61,6 +61,9 @@ DEFINE_STATIC_KEY_FALSE(switch_mm_cond_ibpb); - /* Control unconditional IBPB in switch_mm() */ - DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb); - -+/* Control MDS CPU buffer clear before returning to user space */ -+DEFINE_STATIC_KEY_FALSE(mds_user_clear); -+ - void __init check_bugs(void) - { - identify_boot_cpu(); -diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c -index 18bc9b51ac9b..086cf1d1d71d 
100644 ---- a/arch/x86/kernel/nmi.c -+++ b/arch/x86/kernel/nmi.c -@@ -34,6 +34,7 @@ - #include - #include - #include -+#include - - #define CREATE_TRACE_POINTS - #include -@@ -533,6 +534,9 @@ do_nmi(struct pt_regs *regs, long error_code) - write_cr2(this_cpu_read(nmi_cr2)); - if (this_cpu_dec_return(nmi_state)) - goto nmi_restart; -+ -+ if (user_mode(regs)) -+ mds_user_clear_cpu_buffers(); - } - NOKPROBE_SYMBOL(do_nmi); - -diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c -index e6db475164ed..0a5efd764914 100644 ---- a/arch/x86/kernel/traps.c -+++ b/arch/x86/kernel/traps.c -@@ -58,6 +58,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -387,6 +388,13 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code) - regs->ip = (unsigned long)general_protection; - regs->sp = (unsigned long)&gpregs->orig_ax; - -+ /* -+ * This situation can be triggered by userspace via -+ * modify_ldt(2) and the return does not take the regular -+ * user space exit, so a CPU buffer clear is required when -+ * MDS mitigation is enabled. -+ */ -+ mds_user_clear_cpu_buffers(); - return; - } - #endif diff --git a/debian/patches/bugfix/all/spec/0011-x86-kvm-vmx-Add-MDS-protection-when-L1D-Flush-is-not.patch b/debian/patches/bugfix/all/spec/0011-x86-kvm-vmx-Add-MDS-protection-when-L1D-Flush-is-not.patch deleted file mode 100644 index 4e2e14d41..000000000 --- a/debian/patches/bugfix/all/spec/0011-x86-kvm-vmx-Add-MDS-protection-when-L1D-Flush-is-not.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From d04d9bffb07223cb687be8f5fbb059e6fa84b25a Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Wed, 27 Feb 2019 12:48:14 +0100 -Subject: [PATCH 11/30] x86/kvm/vmx: Add MDS protection when L1D Flush is not - active - -commit 650b68a0622f933444a6d66936abb3103029413b upstream - -CPUs which are affected by L1TF and MDS mitigate MDS with the L1D Flush on -VMENTER when updated microcode is installed. - -If a CPU is not affected by L1TF or if the L1D Flush is not in use, then -MDS mitigation needs to be invoked explicitly. - -For these cases, follow the host mitigation state and invoke the MDS -mitigation before VMENTER. - -Signed-off-by: Thomas Gleixner -Reviewed-by: Greg Kroah-Hartman -Reviewed-by: Frederic Weisbecker -Reviewed-by: Borislav Petkov -Reviewed-by: Jon Masters -Tested-by: Jon Masters ---- - arch/x86/kernel/cpu/bugs.c | 1 + - arch/x86/kvm/vmx.c | 3 +++ - 2 files changed, 4 insertions(+) - -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index 2a69046cc38c..c01468ccefc1 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -63,6 +63,7 @@ DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb); - - /* Control MDS CPU buffer clear before returning to user space */ - DEFINE_STATIC_KEY_FALSE(mds_user_clear); -+EXPORT_SYMBOL_GPL(mds_user_clear); - - void __init check_bugs(void) - { -diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index 215339c7d161..e9bf477209dc 100644 ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -10765,8 +10765,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) - evmcs_rsp = static_branch_unlikely(&enable_evmcs) ? - (unsigned long)¤t_evmcs->host_rsp : 0; - -+ /* L1D Flush includes CPU buffer clear to mitigate MDS */ - if (static_branch_unlikely(&vmx_l1d_should_flush)) - vmx_l1d_flush(vcpu); -+ else if (static_branch_unlikely(&mds_user_clear)) -+ mds_clear_cpu_buffers(); - - asm( - /* Store host registers */ 
diff --git a/debian/patches/bugfix/all/spec/0012-x86-speculation-mds-Conditionally-clear-CPU-buffers-.patch b/debian/patches/bugfix/all/spec/0012-x86-speculation-mds-Conditionally-clear-CPU-buffers-.patch deleted file mode 100644 index bd9f9985d..000000000 --- a/debian/patches/bugfix/all/spec/0012-x86-speculation-mds-Conditionally-clear-CPU-buffers-.patch +++ /dev/null 
@@ -1,223 +0,0 @@ -From e7505a450c34e89009ba48c459c08397ee3fc227 Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Mon, 18 Feb 2019 23:04:01 +0100 -Subject: [PATCH 12/30] x86/speculation/mds: Conditionally clear CPU buffers on - idle entry - -commit 07f07f55a29cb705e221eda7894dd67ab81ef343 upstream - -Add a static key which controls the invocation of the CPU buffer clear -mechanism on idle entry. This is independent of other MDS mitigations -because the idle entry invocation to mitigate the potential leakage due to -store buffer repartitioning is only necessary on SMT systems. - -Add the actual invocations to the different halt/mwait variants which -covers all usage sites. mwaitx is not patched as it's not available on -Intel CPUs. - -The buffer clear is only invoked before entering the C-State to prevent -that stale data from the idling CPU is spilled to the Hyper-Thread sibling -after the Store buffer got repartitioned and all entries are available to -the non idle sibling. - -When coming out of idle the store buffer is partitioned again so each -sibling has half of it available. Now CPU which returned from idle could be -speculatively exposed to contents of the sibling, but the buffers are -flushed either on exit to user space or on VMENTER. - -When later on conditional buffer clearing is implemented on top of this, -then there is no action required either because before returning to user -space the context switch will set the condition flag which causes a flush -on the return to user path. - -Note, that the buffer clearing on idle is only sensible on CPUs which are -solely affected by MSBDS and not any other variant of MDS because the other -MDS variants cannot be mitigated when SMT is enabled, so the buffer -clearing on idle would be a window dressing exercise. 
- -This intentionally does not handle the case in the acpi/processor_idle -driver which uses the legacy IO port interface for C-State transitions for -two reasons: - - - The acpi/processor_idle driver was replaced by the intel_idle driver - almost a decade ago. Anything Nehalem upwards supports it and defaults - to that new driver. - - - The legacy IO port interface is likely to be used on older and therefore - unaffected CPUs or on systems which do not receive microcode updates - anymore, so there is no point in adding that. - -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Greg Kroah-Hartman -Reviewed-by: Frederic Weisbecker -Reviewed-by: Jon Masters -Tested-by: Jon Masters ---- - Documentation/x86/mds.rst | 42 ++++++++++++++++++++++++++++ - arch/x86/include/asm/irqflags.h | 4 +++ - arch/x86/include/asm/mwait.h | 7 +++++ - arch/x86/include/asm/nospec-branch.h | 12 ++++++++ - arch/x86/kernel/cpu/bugs.c | 3 ++ - 5 files changed, 68 insertions(+) - -diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst -index 54d935bf283b..87ce8ac9f36e 100644 ---- a/Documentation/x86/mds.rst -+++ b/Documentation/x86/mds.rst -@@ -149,3 +149,45 @@ Mitigation points - This takes the paranoid exit path only when the INT1 breakpoint is in - kernel space. #DB on a user space address takes the regular exit path, - so no extra mitigation required. -+ -+ -+2. C-State transition -+^^^^^^^^^^^^^^^^^^^^^ -+ -+ When a CPU goes idle and enters a C-State the CPU buffers need to be -+ cleared on affected CPUs when SMT is active. This addresses the -+ repartitioning of the store buffer when one of the Hyper-Threads enters -+ a C-State. -+ -+ When SMT is inactive, i.e. either the CPU does not support it or all -+ sibling threads are offline CPU buffer clearing is not required. -+ -+ The idle clearing is enabled on CPUs which are only affected by MSBDS -+ and not by any other MDS variant. 
The other MDS variants cannot be -+ protected against cross Hyper-Thread attacks because the Fill Buffer and -+ the Load Ports are shared. So on CPUs affected by other variants, the -+ idle clearing would be a window dressing exercise and is therefore not -+ activated. -+ -+ The invocation is controlled by the static key mds_idle_clear which is -+ switched depending on the chosen mitigation mode and the SMT state of -+ the system. -+ -+ The buffer clear is only invoked before entering the C-State to prevent -+ that stale data from the idling CPU from spilling to the Hyper-Thread -+ sibling after the store buffer got repartitioned and all entries are -+ available to the non idle sibling. -+ -+ When coming out of idle the store buffer is partitioned again so each -+ sibling has half of it available. The back from idle CPU could be then -+ speculatively exposed to contents of the sibling. The buffers are -+ flushed either on exit to user space or on VMENTER so malicious code -+ in user space or the guest cannot speculatively access them. -+ -+ The mitigation is hooked into all variants of halt()/mwait(), but does -+ not cover the legacy ACPI IO-Port mechanism because the ACPI idle driver -+ has been superseded by the intel_idle driver around 2010 and is -+ preferred on all affected CPUs which are expected to gain the MD_CLEAR -+ functionality in microcode. Aside of that the IO-Port mechanism is a -+ legacy interface which is only used on older systems which are either -+ not affected or do not receive microcode updates anymore. 
-diff --git a/arch/x86/include/asm/irqflags.h b/arch/x86/include/asm/irqflags.h -index 15450a675031..c99c66b41e53 100644 ---- a/arch/x86/include/asm/irqflags.h -+++ b/arch/x86/include/asm/irqflags.h -@@ -6,6 +6,8 @@ - - #ifndef __ASSEMBLY__ - -+#include -+ - /* Provide __cpuidle; we can't safely include */ - #define __cpuidle __attribute__((__section__(".cpuidle.text"))) - -@@ -54,11 +56,13 @@ static inline void native_irq_enable(void) - - static inline __cpuidle void native_safe_halt(void) - { -+ mds_idle_clear_cpu_buffers(); - asm volatile("sti; hlt": : :"memory"); - } - - static inline __cpuidle void native_halt(void) - { -+ mds_idle_clear_cpu_buffers(); - asm volatile("hlt": : :"memory"); - } - -diff --git a/arch/x86/include/asm/mwait.h b/arch/x86/include/asm/mwait.h -index 39a2fb29378a..eb0f80ce8524 100644 ---- a/arch/x86/include/asm/mwait.h -+++ b/arch/x86/include/asm/mwait.h -@@ -6,6 +6,7 @@ - #include - - #include -+#include - - #define MWAIT_SUBSTATE_MASK 0xf - #define MWAIT_CSTATE_MASK 0xf -@@ -40,6 +41,8 @@ static inline void __monitorx(const void *eax, unsigned long ecx, - - static inline void __mwait(unsigned long eax, unsigned long ecx) - { -+ mds_idle_clear_cpu_buffers(); -+ - /* "mwait %eax, %ecx;" */ - asm volatile(".byte 0x0f, 0x01, 0xc9;" - :: "a" (eax), "c" (ecx)); -@@ -74,6 +77,8 @@ static inline void __mwait(unsigned long eax, unsigned long ecx) - static inline void __mwaitx(unsigned long eax, unsigned long ebx, - unsigned long ecx) - { -+ /* No MDS buffer clear as this is AMD/HYGON only */ -+ - /* "mwaitx %eax, %ebx, %ecx;" */ - asm volatile(".byte 0x0f, 0x01, 0xfb;" - :: "a" (eax), "b" (ebx), "c" (ecx)); -@@ -81,6 +86,8 @@ static inline void __mwaitx(unsigned long eax, unsigned long ebx, - - static inline void __sti_mwait(unsigned long eax, unsigned long ecx) - { -+ mds_idle_clear_cpu_buffers(); -+ - trace_hardirqs_on(); - /* "mwait %eax, %ecx;" */ - asm volatile("sti; .byte 0x0f, 0x01, 0xc9;" -diff --git 
a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h -index 912d509d34fc..599c273f5d00 100644 ---- a/arch/x86/include/asm/nospec-branch.h -+++ b/arch/x86/include/asm/nospec-branch.h -@@ -318,6 +318,7 @@ DECLARE_STATIC_KEY_FALSE(switch_mm_cond_ibpb); - DECLARE_STATIC_KEY_FALSE(switch_mm_always_ibpb); - - DECLARE_STATIC_KEY_FALSE(mds_user_clear); -+DECLARE_STATIC_KEY_FALSE(mds_idle_clear); - - #include - -@@ -355,6 +356,17 @@ static inline void mds_user_clear_cpu_buffers(void) - mds_clear_cpu_buffers(); - } - -+/** -+ * mds_idle_clear_cpu_buffers - Mitigation for MDS vulnerability -+ * -+ * Clear CPU buffers if the corresponding static key is enabled -+ */ -+static inline void mds_idle_clear_cpu_buffers(void) -+{ -+ if (static_branch_likely(&mds_idle_clear)) -+ mds_clear_cpu_buffers(); -+} -+ - #endif /* __ASSEMBLY__ */ - - /* -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index c01468ccefc1..428fe6590360 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -64,6 +64,9 @@ DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb); - /* Control MDS CPU buffer clear before returning to user space */ - DEFINE_STATIC_KEY_FALSE(mds_user_clear); - EXPORT_SYMBOL_GPL(mds_user_clear); -+/* Control MDS CPU buffer clear before idling (halt, mwait) */ -+DEFINE_STATIC_KEY_FALSE(mds_idle_clear); -+EXPORT_SYMBOL_GPL(mds_idle_clear); - - void __init check_bugs(void) - { diff --git a/debian/patches/bugfix/all/spec/0013-x86-speculation-mds-Add-mitigation-control-for-MDS.patch b/debian/patches/bugfix/all/spec/0013-x86-speculation-mds-Add-mitigation-control-for-MDS.patch deleted file mode 100644 index 608ba82e9..000000000 --- a/debian/patches/bugfix/all/spec/0013-x86-speculation-mds-Add-mitigation-control-for-MDS.patch +++ /dev/null 
@@ -1,191 +0,0 @@ -From 892ec2b2472857d93fb2b3d125a13d9df4400ce0 Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Mon, 18 Feb 2019 22:04:08 +0100 -Subject: [PATCH 13/30] x86/speculation/mds: Add mitigation control for MDS - -commit bc1241700acd82ec69fde98c5763ce51086269f8 upstream - -Now that the mitigations are in place, add a command line parameter to -control the mitigation, a mitigation selector function and a SMT update -mechanism. - -This is the minimal straight forward initial implementation which just -provides an always on/off mode. The command line parameter is: - - mds=[full|off] - -This is consistent with the existing mitigations for other speculative -hardware vulnerabilities. - -The idle invocation is dynamically updated according to the SMT state of -the system similar to the dynamic update of the STIBP mitigation. The idle -mitigation is limited to CPUs which are only affected by MSBDS and not any -other variant, because the other variants cannot be mitigated on SMT -enabled systems. - -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Jon Masters -Tested-by: Jon Masters ---- - .../admin-guide/kernel-parameters.txt | 22 ++++++ - arch/x86/include/asm/processor.h | 5 ++ - arch/x86/kernel/cpu/bugs.c | 70 +++++++++++++++++++ - 3 files changed, 97 insertions(+) - -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index 8b6567f7cb9b..a0ab4521d7c5 100644 ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -2319,6 +2319,28 @@ - Format: , - Specifies range of consoles to be captured by the MDA. - -+ mds= [X86,INTEL] -+ Control mitigation for the Micro-architectural Data -+ Sampling (MDS) vulnerability. -+ -+ Certain CPUs are vulnerable to an exploit against CPU -+ internal buffers which can forward information to a -+ disclosure gadget under certain conditions. 
-+ -+ In vulnerable processors, the speculatively -+ forwarded data can be used in a cache side channel -+ attack, to access data to which the attacker does -+ not have direct access. -+ -+ This parameter controls the MDS mitigation. The -+ options are: -+ -+ full - Enable MDS mitigation on vulnerable CPUs -+ off - Unconditionally disable MDS mitigation -+ -+ Not specifying this option is equivalent to -+ mds=full. -+ - mem=nn[KMG] [KNL,BOOT] Force usage of a specific amount of memory - Amount of memory to be used when the kernel is not able - to see the whole system memory or for test. -diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h -index d53c54b842da..5e9f953face0 100644 ---- a/arch/x86/include/asm/processor.h -+++ b/arch/x86/include/asm/processor.h -@@ -997,4 +997,9 @@ enum l1tf_mitigations { - - extern enum l1tf_mitigations l1tf_mitigation; - -+enum mds_mitigations { -+ MDS_MITIGATION_OFF, -+ MDS_MITIGATION_FULL, -+}; -+ - #endif /* _ASM_X86_PROCESSOR_H */ -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index 428fe6590360..413a672f03a3 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -35,6 +35,7 @@ - static void __init spectre_v2_select_mitigation(void); - static void __init ssb_select_mitigation(void); - static void __init l1tf_select_mitigation(void); -+static void __init mds_select_mitigation(void); - - /* The base value of the SPEC_CTRL MSR that always has to be preserved. */ - u64 x86_spec_ctrl_base; -@@ -106,6 +107,8 @@ void __init check_bugs(void) - - l1tf_select_mitigation(); - -+ mds_select_mitigation(); -+ - #ifdef CONFIG_X86_32 - /* - * Check whether we are able to run this kernel safely on SMP. 
-@@ -211,6 +214,50 @@ static void x86_amd_ssb_disable(void) - wrmsrl(MSR_AMD64_LS_CFG, msrval); - } - -+#undef pr_fmt -+#define pr_fmt(fmt) "MDS: " fmt -+ -+/* Default mitigation for L1TF-affected CPUs */ -+static enum mds_mitigations mds_mitigation __ro_after_init = MDS_MITIGATION_FULL; -+ -+static const char * const mds_strings[] = { -+ [MDS_MITIGATION_OFF] = "Vulnerable", -+ [MDS_MITIGATION_FULL] = "Mitigation: Clear CPU buffers" -+}; -+ -+static void __init mds_select_mitigation(void) -+{ -+ if (!boot_cpu_has_bug(X86_BUG_MDS)) { -+ mds_mitigation = MDS_MITIGATION_OFF; -+ return; -+ } -+ -+ if (mds_mitigation == MDS_MITIGATION_FULL) { -+ if (boot_cpu_has(X86_FEATURE_MD_CLEAR)) -+ static_branch_enable(&mds_user_clear); -+ else -+ mds_mitigation = MDS_MITIGATION_OFF; -+ } -+ pr_info("%s\n", mds_strings[mds_mitigation]); -+} -+ -+static int __init mds_cmdline(char *str) -+{ -+ if (!boot_cpu_has_bug(X86_BUG_MDS)) -+ return 0; -+ -+ if (!str) -+ return -EINVAL; -+ -+ if (!strcmp(str, "off")) -+ mds_mitigation = MDS_MITIGATION_OFF; -+ else if (!strcmp(str, "full")) -+ mds_mitigation = MDS_MITIGATION_FULL; -+ -+ return 0; -+} -+early_param("mds", mds_cmdline); -+ - #undef pr_fmt - #define pr_fmt(fmt) "Spectre V2 : " fmt - -@@ -603,6 +650,26 @@ static void update_indir_branch_cond(void) - static_branch_disable(&switch_to_cond_stibp); - } - -+/* Update the static key controlling the MDS CPU buffer clear in idle */ -+static void update_mds_branch_idle(void) -+{ -+ /* -+ * Enable the idle clearing if SMT is active on CPUs which are -+ * affected only by MSBDS and not any other MDS variant. -+ * -+ * The other variants cannot be mitigated when SMT is enabled, so -+ * clearing the buffers on idle just to prevent the Store Buffer -+ * repartitioning leak would be a window dressing exercise. 
-+ */ -+ if (!boot_cpu_has_bug(X86_BUG_MSBDS_ONLY)) -+ return; -+ -+ if (sched_smt_active()) -+ static_branch_enable(&mds_idle_clear); -+ else -+ static_branch_disable(&mds_idle_clear); -+} -+ - void arch_smt_update(void) - { - /* Enhanced IBRS implies STIBP. No update required. */ -@@ -623,6 +690,9 @@ void arch_smt_update(void) - break; - } - -+ if (mds_mitigation == MDS_MITIGATION_FULL) -+ update_mds_branch_idle(); -+ - mutex_unlock(&spec_ctrl_mutex); - } - diff --git a/debian/patches/bugfix/all/spec/0014-x86-speculation-mds-Add-sysfs-reporting-for-MDS.patch b/debian/patches/bugfix/all/spec/0014-x86-speculation-mds-Add-sysfs-reporting-for-MDS.patch deleted file mode 100644 index ff4eebf1e..000000000 --- a/debian/patches/bugfix/all/spec/0014-x86-speculation-mds-Add-sysfs-reporting-for-MDS.patch +++ /dev/null 
@@ -1,127 +0,0 @@ -From dc5e8f6e2934df2c4a459c932d123843d0c2375d Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Mon, 18 Feb 2019 22:51:43 +0100 -Subject: [PATCH 14/30] x86/speculation/mds: Add sysfs reporting for MDS - -commit 8a4b06d391b0a42a373808979b5028f5c84d9c6a upstream - -Add the sysfs reporting file for MDS. It exposes the vulnerability and -mitigation state similar to the existing files for the other speculative -hardware vulnerabilities. - -Signed-off-by: Thomas Gleixner -Reviewed-by: Greg Kroah-Hartman -Reviewed-by: Borislav Petkov -Reviewed-by: Jon Masters -Tested-by: Jon Masters ---- - .../ABI/testing/sysfs-devices-system-cpu | 1 + - arch/x86/kernel/cpu/bugs.c | 25 +++++++++++++++++++ - drivers/base/cpu.c | 8 ++++++ - include/linux/cpu.h | 2 ++ - 4 files changed, 36 insertions(+) - -diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu -index 73318225a368..02b7bb711214 100644 ---- a/Documentation/ABI/testing/sysfs-devices-system-cpu -+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu -@@ -477,6 +477,7 @@ What: /sys/devices/system/cpu/vulnerabilities - /sys/devices/system/cpu/vulnerabilities/spectre_v2 - /sys/devices/system/cpu/vulnerabilities/spec_store_bypass - /sys/devices/system/cpu/vulnerabilities/l1tf -+ /sys/devices/system/cpu/vulnerabilities/mds - Date: January 2018 - Contact: Linux kernel mailing list - Description: Information about CPU vulnerabilities -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index 413a672f03a3..50b7d2a980e8 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -1154,6 +1154,22 @@ static ssize_t l1tf_show_state(char *buf) - } - #endif - -+static ssize_t mds_show_state(char *buf) -+{ -+ if (!hypervisor_is_type(X86_HYPER_NATIVE)) { -+ return sprintf(buf, "%s; SMT Host state unknown\n", -+ mds_strings[mds_mitigation]); -+ } -+ -+ if (boot_cpu_has(X86_BUG_MSBDS_ONLY)) { -+ return sprintf(buf, "%s; SMT 
%s\n", mds_strings[mds_mitigation], -+ sched_smt_active() ? "mitigated" : "disabled"); -+ } -+ -+ return sprintf(buf, "%s; SMT %s\n", mds_strings[mds_mitigation], -+ sched_smt_active() ? "vulnerable" : "disabled"); -+} -+ - static char *stibp_state(void) - { - if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) -@@ -1218,6 +1234,10 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr - if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV)) - return l1tf_show_state(buf); - break; -+ -+ case X86_BUG_MDS: -+ return mds_show_state(buf); -+ - default: - break; - } -@@ -1249,4 +1269,9 @@ ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *b - { - return cpu_show_common(dev, attr, buf, X86_BUG_L1TF); - } -+ -+ssize_t cpu_show_mds(struct device *dev, struct device_attribute *attr, char *buf) -+{ -+ return cpu_show_common(dev, attr, buf, X86_BUG_MDS); -+} - #endif -diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c -index eb9443d5bae1..2fd6ca1021c2 100644 ---- a/drivers/base/cpu.c -+++ b/drivers/base/cpu.c -@@ -546,11 +546,18 @@ ssize_t __weak cpu_show_l1tf(struct device *dev, - return sprintf(buf, "Not affected\n"); - } - -+ssize_t __weak cpu_show_mds(struct device *dev, -+ struct device_attribute *attr, char *buf) -+{ -+ return sprintf(buf, "Not affected\n"); -+} -+ - static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); - static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); - static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL); - static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL); - static DEVICE_ATTR(l1tf, 0444, cpu_show_l1tf, NULL); -+static DEVICE_ATTR(mds, 0444, cpu_show_mds, NULL); - - static struct attribute *cpu_root_vulnerabilities_attrs[] = { - &dev_attr_meltdown.attr, -@@ -558,6 +565,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = { - &dev_attr_spectre_v2.attr, - &dev_attr_spec_store_bypass.attr, - &dev_attr_l1tf.attr, -+ 
&dev_attr_mds.attr, - NULL - }; - -diff --git a/include/linux/cpu.h b/include/linux/cpu.h -index 5041357d0297..3c87ad888ed3 100644 ---- a/include/linux/cpu.h -+++ b/include/linux/cpu.h -@@ -57,6 +57,8 @@ extern ssize_t cpu_show_spec_store_bypass(struct device *dev, - struct device_attribute *attr, char *buf); - extern ssize_t cpu_show_l1tf(struct device *dev, - struct device_attribute *attr, char *buf); -+extern ssize_t cpu_show_mds(struct device *dev, -+ struct device_attribute *attr, char *buf); - - extern __printf(4, 5) - struct device *cpu_device_create(struct device *parent, void *drvdata, diff --git a/debian/patches/bugfix/all/spec/0015-x86-speculation-mds-Add-mitigation-mode-VMWERV.patch b/debian/patches/bugfix/all/spec/0015-x86-speculation-mds-Add-mitigation-mode-VMWERV.patch deleted file mode 100644 index 7a3fce010..000000000 --- a/debian/patches/bugfix/all/spec/0015-x86-speculation-mds-Add-mitigation-mode-VMWERV.patch +++ /dev/null 
@@ -1,129 +0,0 @@ -From 66260821438fb5c3e8b4b662c1ebd6ba0b077c09 Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Wed, 20 Feb 2019 09:40:40 +0100 -Subject: [PATCH 15/30] x86/speculation/mds: Add mitigation mode VMWERV - -commit 22dd8365088b6403630b82423cf906491859b65e upstream - -In virtualized environments it can happen that the host has the microcode -update which utilizes the VERW instruction to clear CPU buffers, but the -hypervisor is not yet updated to expose the X86_FEATURE_MD_CLEAR CPUID bit -to guests. - -Introduce an internal mitigation mode VMWERV which enables the invocation -of the CPU buffer clearing even if X86_FEATURE_MD_CLEAR is not set. If the -system has no updated microcode this results in a pointless execution of -the VERW instruction wasting a few CPU cycles. If the microcode is updated, -but not exposed to a guest then the CPU buffers will be cleared. - -That said: Virtual Machines Will Eventually Receive Vaccine - -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Jon Masters -Tested-by: Jon Masters ---- - Documentation/x86/mds.rst | 27 +++++++++++++++++++++++++++ - arch/x86/include/asm/processor.h | 1 + - arch/x86/kernel/cpu/bugs.c | 18 ++++++++++++------ - 3 files changed, 40 insertions(+), 6 deletions(-) - -diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst -index 87ce8ac9f36e..3d6f943f1afb 100644 ---- a/Documentation/x86/mds.rst -+++ b/Documentation/x86/mds.rst -@@ -93,11 +93,38 @@ enters a C-state. - The mitigation is invoked on kernel/userspace, hypervisor/guest and C-state - (idle) transitions. - -+As a special quirk to address virtualization scenarios where the host has -+the microcode updated, but the hypervisor does not (yet) expose the -+MD_CLEAR CPUID bit to guests, the kernel issues the VERW instruction in the -+hope that it might actually clear the buffers. The state is reflected -+accordingly. 
-+ - According to current knowledge additional mitigations inside the kernel - itself are not required because the necessary gadgets to expose the leaked - data cannot be controlled in a way which allows exploitation from malicious - user space or VM guests. - -+Kernel internal mitigation modes -+-------------------------------- -+ -+ ======= ============================================================ -+ off Mitigation is disabled. Either the CPU is not affected or -+ mds=off is supplied on the kernel command line -+ -+ full Mitigation is eanbled. CPU is affected and MD_CLEAR is -+ advertised in CPUID. -+ -+ vmwerv Mitigation is enabled. CPU is affected and MD_CLEAR is not -+ advertised in CPUID. That is mainly for virtualization -+ scenarios where the host has the updated microcode but the -+ hypervisor does not expose MD_CLEAR in CPUID. It's a best -+ effort approach without guarantee. -+ ======= ============================================================ -+ -+If the CPU is affected and mds=off is not supplied on the kernel command -+line then the kernel selects the appropriate mitigation mode depending on -+the availability of the MD_CLEAR CPUID bit. 
-+ - Mitigation points - ----------------- - -diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h -index 5e9f953face0..b54f25697beb 100644 ---- a/arch/x86/include/asm/processor.h -+++ b/arch/x86/include/asm/processor.h -@@ -1000,6 +1000,7 @@ extern enum l1tf_mitigations l1tf_mitigation; - enum mds_mitigations { - MDS_MITIGATION_OFF, - MDS_MITIGATION_FULL, -+ MDS_MITIGATION_VMWERV, - }; - - #endif /* _ASM_X86_PROCESSOR_H */ -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index 50b7d2a980e8..053d71a3b9cc 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -222,7 +222,8 @@ static enum mds_mitigations mds_mitigation __ro_after_init = MDS_MITIGATION_FULL - - static const char * const mds_strings[] = { - [MDS_MITIGATION_OFF] = "Vulnerable", -- [MDS_MITIGATION_FULL] = "Mitigation: Clear CPU buffers" -+ [MDS_MITIGATION_FULL] = "Mitigation: Clear CPU buffers", -+ [MDS_MITIGATION_VMWERV] = "Vulnerable: Clear CPU buffers attempted, no microcode", - }; - - static void __init mds_select_mitigation(void) -@@ -233,10 +234,9 @@ static void __init mds_select_mitigation(void) - } - - if (mds_mitigation == MDS_MITIGATION_FULL) { -- if (boot_cpu_has(X86_FEATURE_MD_CLEAR)) -- static_branch_enable(&mds_user_clear); -- else -- mds_mitigation = MDS_MITIGATION_OFF; -+ if (!boot_cpu_has(X86_FEATURE_MD_CLEAR)) -+ mds_mitigation = MDS_MITIGATION_VMWERV; -+ static_branch_enable(&mds_user_clear); - } - pr_info("%s\n", mds_strings[mds_mitigation]); - } -@@ -690,8 +690,14 @@ void arch_smt_update(void) - break; - } - -- if (mds_mitigation == MDS_MITIGATION_FULL) -+ switch (mds_mitigation) { -+ case MDS_MITIGATION_FULL: -+ case MDS_MITIGATION_VMWERV: - update_mds_branch_idle(); -+ break; -+ case MDS_MITIGATION_OFF: -+ break; -+ } - - mutex_unlock(&spec_ctrl_mutex); - } 
diff --git a/debian/patches/bugfix/all/spec/0016-Documentation-Move-L1TF-to-separate-directory.patch b/debian/patches/bugfix/all/spec/0016-Documentation-Move-L1TF-to-separate-directory.patch deleted file mode 100644 index 350b8ff77..000000000 --- a/debian/patches/bugfix/all/spec/0016-Documentation-Move-L1TF-to-separate-directory.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From 83852a8b0064f1360980a690792c3f438aec06b9 Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Tue, 19 Feb 2019 11:10:49 +0100 -Subject: [PATCH 16/30] Documentation: Move L1TF to separate directory - -commit 65fd4cb65b2dad97feb8330b6690445910b56d6a upstream - -Move L!TF to a separate directory so the MDS stuff can be added at the -side. Otherwise the all hardware vulnerabilites have their own top level -entry. Should have done that right away. - -Signed-off-by: Thomas Gleixner -Reviewed-by: Greg Kroah-Hartman -Reviewed-by: Jon Masters ---- - Documentation/ABI/testing/sysfs-devices-system-cpu | 2 +- - Documentation/admin-guide/hw-vuln/index.rst | 12 ++++++++++++ - Documentation/admin-guide/{ => hw-vuln}/l1tf.rst | 0 - Documentation/admin-guide/index.rst | 6 ++---- - Documentation/admin-guide/kernel-parameters.txt | 2 +- - arch/x86/kernel/cpu/bugs.c | 2 +- - arch/x86/kvm/vmx.c | 4 ++-- - 7 files changed, 19 insertions(+), 9 deletions(-) - create mode 100644 Documentation/admin-guide/hw-vuln/index.rst - rename Documentation/admin-guide/{ => hw-vuln}/l1tf.rst (100%) - -diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu -index 02b7bb711214..f397c2382171 100644 ---- a/Documentation/ABI/testing/sysfs-devices-system-cpu -+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu -@@ -491,7 +491,7 @@ Description: Information about CPU vulnerabilities - "Mitigation: $M" CPU is affected and mitigation $M is in effect - - Details about the l1tf file can be found in -- Documentation/admin-guide/l1tf.rst -+ Documentation/admin-guide/hw-vuln/l1tf.rst - - What: /sys/devices/system/cpu/smt - /sys/devices/system/cpu/smt/active -diff --git a/Documentation/admin-guide/hw-vuln/index.rst b/Documentation/admin-guide/hw-vuln/index.rst -new file mode 100644 -index 000000000000..8ce2009f1981 ---- /dev/null -+++ b/Documentation/admin-guide/hw-vuln/index.rst -@@ -0,0 +1,12 @@ -+======================== 
-+Hardware vulnerabilities -+======================== -+ -+This section describes CPU vulnerabilities and provides an overview of the -+possible mitigations along with guidance for selecting mitigations if they -+are configurable at compile, boot or run time. -+ -+.. toctree:: -+ :maxdepth: 1 -+ -+ l1tf -diff --git a/Documentation/admin-guide/l1tf.rst b/Documentation/admin-guide/hw-vuln/l1tf.rst -similarity index 100% -rename from Documentation/admin-guide/l1tf.rst -rename to Documentation/admin-guide/hw-vuln/l1tf.rst -diff --git a/Documentation/admin-guide/index.rst b/Documentation/admin-guide/index.rst -index 0873685bab0f..89abc5057349 100644 ---- a/Documentation/admin-guide/index.rst -+++ b/Documentation/admin-guide/index.rst -@@ -17,14 +17,12 @@ etc. - kernel-parameters - devices - --This section describes CPU vulnerabilities and provides an overview of the --possible mitigations along with guidance for selecting mitigations if they --are configurable at compile, boot or run time. -+This section describes CPU vulnerabilities and their mitigations. - - .. toctree:: - :maxdepth: 1 - -- l1tf -+ hw-vuln/index - - Here is a set of documents aimed at users who are trying to track down - problems and bugs in particular. -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index a0ab4521d7c5..b2c9e47c4167 100644 ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -2079,7 +2079,7 @@ - - Default is 'flush'. 
- -- For details see: Documentation/admin-guide/l1tf.rst -+ For details see: Documentation/admin-guide/hw-vuln/l1tf.rst - - l2cr= [PPC] - -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index 053d71a3b9cc..a7e54a91abc4 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -1089,7 +1089,7 @@ static void __init l1tf_select_mitigation(void) - pr_info("You may make it effective by booting the kernel with mem=%llu parameter.\n", - half_pa); - pr_info("However, doing so will make a part of your RAM unusable.\n"); -- pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html might help you decide.\n"); -+ pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html might help you decide.\n"); - return; - } - -diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index e9bf477209dc..73d6d585dd66 100644 ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -11130,8 +11130,8 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id) - return ERR_PTR(err); - } - --#define L1TF_MSG_SMT "L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.\n" --#define L1TF_MSG_L1D "L1TF CPU bug present and virtualization mitigation disabled, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.\n" -+#define L1TF_MSG_SMT "L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.\n" -+#define L1TF_MSG_L1D "L1TF CPU bug present and virtualization mitigation disabled, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.\n" - - static int vmx_vm_init(struct kvm *kvm) - { 
diff --git a/debian/patches/bugfix/all/spec/0017-Documentation-Add-MDS-vulnerability-documentation.patch b/debian/patches/bugfix/all/spec/0017-Documentation-Add-MDS-vulnerability-documentation.patch deleted file mode 100644 index 9870ca67c..000000000 --- a/debian/patches/bugfix/all/spec/0017-Documentation-Add-MDS-vulnerability-documentation.patch +++ /dev/null 
@@ -1,381 +0,0 @@ -From 4fb7f5dc689d79884f4e6e33f5d2704f44edd42a Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Tue, 19 Feb 2019 00:02:31 +0100 -Subject: [PATCH 17/30] Documentation: Add MDS vulnerability documentation - -commit 5999bbe7a6ea3c62029532ec84dc06003a1fa258 upstream - -Add the initial MDS vulnerability documentation. - -Signed-off-by: Thomas Gleixner -Reviewed-by: Jon Masters ---- - .../ABI/testing/sysfs-devices-system-cpu | 3 +- - Documentation/admin-guide/hw-vuln/index.rst | 1 + - Documentation/admin-guide/hw-vuln/l1tf.rst | 1 + - Documentation/admin-guide/hw-vuln/mds.rst | 307 ++++++++++++++++++ - .../admin-guide/kernel-parameters.txt | 2 + - 5 files changed, 312 insertions(+), 2 deletions(-) - create mode 100644 Documentation/admin-guide/hw-vuln/mds.rst - -diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu -index f397c2382171..8718d4ad227b 100644 ---- a/Documentation/ABI/testing/sysfs-devices-system-cpu -+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu -@@ -490,8 +490,7 @@ Description: Information about CPU vulnerabilities - "Vulnerable" CPU is affected and no mitigation in effect - "Mitigation: $M" CPU is affected and mitigation $M is in effect - -- Details about the l1tf file can be found in -- Documentation/admin-guide/hw-vuln/l1tf.rst -+ See also: Documentation/admin-guide/hw-vuln/index.rst - - What: /sys/devices/system/cpu/smt - /sys/devices/system/cpu/smt/active -diff --git a/Documentation/admin-guide/hw-vuln/index.rst b/Documentation/admin-guide/hw-vuln/index.rst -index 8ce2009f1981..ffc064c1ec68 100644 ---- a/Documentation/admin-guide/hw-vuln/index.rst -+++ b/Documentation/admin-guide/hw-vuln/index.rst -@@ -10,3 +10,4 @@ are configurable at compile, boot or run time. 
- :maxdepth: 1 - - l1tf -+ mds -diff --git a/Documentation/admin-guide/hw-vuln/l1tf.rst b/Documentation/admin-guide/hw-vuln/l1tf.rst -index 9af977384168..31653a9f0e1b 100644 ---- a/Documentation/admin-guide/hw-vuln/l1tf.rst -+++ b/Documentation/admin-guide/hw-vuln/l1tf.rst -@@ -445,6 +445,7 @@ The default is 'cond'. If 'l1tf=full,force' is given on the kernel command - line, then 'always' is enforced and the kvm-intel.vmentry_l1d_flush - module parameter is ignored and writes to the sysfs file are rejected. - -+.. _mitigation_selection: - - Mitigation selection guide - -------------------------- -diff --git a/Documentation/admin-guide/hw-vuln/mds.rst b/Documentation/admin-guide/hw-vuln/mds.rst -new file mode 100644 -index 000000000000..1de29d28903d ---- /dev/null -+++ b/Documentation/admin-guide/hw-vuln/mds.rst -@@ -0,0 +1,307 @@ -+MDS - Microarchitectural Data Sampling -+====================================== -+ -+Microarchitectural Data Sampling is a hardware vulnerability which allows -+unprivileged speculative access to data which is available in various CPU -+internal buffers. -+ -+Affected processors -+------------------- -+ -+This vulnerability affects a wide range of Intel processors. The -+vulnerability is not present on: -+ -+ - Processors from AMD, Centaur and other non Intel vendors -+ -+ - Older processor models, where the CPU family is < 6 -+ -+ - Some Atoms (Bonnell, Saltwell, Goldmont, GoldmontPlus) -+ -+ - Intel processors which have the ARCH_CAP_MDS_NO bit set in the -+ IA32_ARCH_CAPABILITIES MSR. -+ -+Whether a processor is affected or not can be read out from the MDS -+vulnerability file in sysfs. See :ref:`mds_sys_info`. -+ -+Not all processors are affected by all variants of MDS, but the mitigation -+is identical for all of them so the kernel treats them as a single -+vulnerability. 
-+ -+Related CVEs -+------------ -+ -+The following CVE entries are related to the MDS vulnerability: -+ -+ ============== ===== ============================================== -+ CVE-2018-12126 MSBDS Microarchitectural Store Buffer Data Sampling -+ CVE-2018-12130 MFBDS Microarchitectural Fill Buffer Data Sampling -+ CVE-2018-12127 MLPDS Microarchitectural Load Port Data Sampling -+ ============== ===== ============================================== -+ -+Problem -+------- -+ -+When performing store, load, L1 refill operations, processors write data -+into temporary microarchitectural structures (buffers). The data in the -+buffer can be forwarded to load operations as an optimization. -+ -+Under certain conditions, usually a fault/assist caused by a load -+operation, data unrelated to the load memory address can be speculatively -+forwarded from the buffers. Because the load operation causes a fault or -+assist and its result will be discarded, the forwarded data will not cause -+incorrect program execution or state changes. But a malicious operation -+may be able to forward this speculative data to a disclosure gadget which -+allows in turn to infer the value via a cache side channel attack. -+ -+Because the buffers are potentially shared between Hyper-Threads cross -+Hyper-Thread attacks are possible. -+ -+Deeper technical information is available in the MDS specific x86 -+architecture section: :ref:`Documentation/x86/mds.rst `. -+ -+ -+Attack scenarios -+---------------- -+ -+Attacks against the MDS vulnerabilities can be mounted from malicious non -+priviledged user space applications running on hosts or guest. Malicious -+guest OSes can obviously mount attacks as well. -+ -+Contrary to other speculation based vulnerabilities the MDS vulnerability -+does not allow the attacker to control the memory target address. As a -+consequence the attacks are purely sampling based, but as demonstrated with -+the TLBleed attack samples can be postprocessed successfully. 
-+ -+Web-Browsers -+^^^^^^^^^^^^ -+ -+ It's unclear whether attacks through Web-Browsers are possible at -+ all. The exploitation through Java-Script is considered very unlikely, -+ but other widely used web technologies like Webassembly could possibly be -+ abused. -+ -+ -+.. _mds_sys_info: -+ -+MDS system information -+----------------------- -+ -+The Linux kernel provides a sysfs interface to enumerate the current MDS -+status of the system: whether the system is vulnerable, and which -+mitigations are active. The relevant sysfs file is: -+ -+/sys/devices/system/cpu/vulnerabilities/mds -+ -+The possible values in this file are: -+ -+ ========================================= ================================= -+ 'Not affected' The processor is not vulnerable -+ -+ 'Vulnerable' The processor is vulnerable, -+ but no mitigation enabled -+ -+ 'Vulnerable: Clear CPU buffers attempted' The processor is vulnerable but -+ microcode is not updated. -+ The mitigation is enabled on a -+ best effort basis. -+ See :ref:`vmwerv` -+ -+ 'Mitigation: CPU buffer clear' The processor is vulnerable and the -+ CPU buffer clearing mitigation is -+ enabled. -+ ========================================= ================================= -+ -+If the processor is vulnerable then the following information is appended -+to the above information: -+ -+ ======================== ============================================ -+ 'SMT vulnerable' SMT is enabled -+ 'SMT mitigated' SMT is enabled and mitigated -+ 'SMT disabled' SMT is disabled -+ 'SMT Host state unknown' Kernel runs in a VM, Host SMT state unknown -+ ======================== ============================================ -+ -+.. _vmwerv: -+ -+Best effort mitigation mode -+^^^^^^^^^^^^^^^^^^^^^^^^^^^ -+ -+ If the processor is vulnerable, but the availability of the microcode based -+ mitigation mechanism is not advertised via CPUID the kernel selects a best -+ effort mitigation mode. 
This mode invokes the mitigation instructions -+ without a guarantee that they clear the CPU buffers. -+ -+ This is done to address virtualization scenarios where the host has the -+ microcode update applied, but the hypervisor is not yet updated to expose -+ the CPUID to the guest. If the host has updated microcode the protection -+ takes effect otherwise a few cpu cycles are wasted pointlessly. -+ -+ The state in the mds sysfs file reflects this situation accordingly. -+ -+ -+Mitigation mechanism -+------------------------- -+ -+The kernel detects the affected CPUs and the presence of the microcode -+which is required. -+ -+If a CPU is affected and the microcode is available, then the kernel -+enables the mitigation by default. The mitigation can be controlled at boot -+time via a kernel command line option. See -+:ref:`mds_mitigation_control_command_line`. -+ -+.. _cpu_buffer_clear: -+ -+CPU buffer clearing -+^^^^^^^^^^^^^^^^^^^ -+ -+ The mitigation for MDS clears the affected CPU buffers on return to user -+ space and when entering a guest. -+ -+ If SMT is enabled it also clears the buffers on idle entry when the CPU -+ is only affected by MSBDS and not any other MDS variant, because the -+ other variants cannot be protected against cross Hyper-Thread attacks. -+ -+ For CPUs which are only affected by MSBDS the user space, guest and idle -+ transition mitigations are sufficient and SMT is not affected. -+ -+.. _virt_mechanism: -+ -+Virtualization mitigation -+^^^^^^^^^^^^^^^^^^^^^^^^^ -+ -+ The protection for host to guest transition depends on the L1TF -+ vulnerability of the CPU: -+ -+ - CPU is affected by L1TF: -+ -+ If the L1D flush mitigation is enabled and up to date microcode is -+ available, the L1D flush mitigation is automatically protecting the -+ guest transition. -+ -+ If the L1D flush mitigation is disabled then the MDS mitigation is -+ invoked explicit when the host MDS mitigation is enabled. 
-+ -+ For details on L1TF and virtualization see: -+ :ref:`Documentation/admin-guide/hw-vuln//l1tf.rst `. -+ -+ - CPU is not affected by L1TF: -+ -+ CPU buffers are flushed before entering the guest when the host MDS -+ mitigation is enabled. -+ -+ The resulting MDS protection matrix for the host to guest transition: -+ -+ ============ ===== ============= ============ ================= -+ L1TF MDS VMX-L1FLUSH Host MDS MDS-State -+ -+ Don't care No Don't care N/A Not affected -+ -+ Yes Yes Disabled Off Vulnerable -+ -+ Yes Yes Disabled Full Mitigated -+ -+ Yes Yes Enabled Don't care Mitigated -+ -+ No Yes N/A Off Vulnerable -+ -+ No Yes N/A Full Mitigated -+ ============ ===== ============= ============ ================= -+ -+ This only covers the host to guest transition, i.e. prevents leakage from -+ host to guest, but does not protect the guest internally. Guests need to -+ have their own protections. -+ -+.. _xeon_phi: -+ -+XEON PHI specific considerations -+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -+ -+ The XEON PHI processor family is affected by MSBDS which can be exploited -+ cross Hyper-Threads when entering idle states. Some XEON PHI variants allow -+ to use MWAIT in user space (Ring 3) which opens an potential attack vector -+ for malicious user space. The exposure can be disabled on the kernel -+ command line with the 'ring3mwait=disable' command line option. -+ -+ XEON PHI is not affected by the other MDS variants and MSBDS is mitigated -+ before the CPU enters a idle state. As XEON PHI is not affected by L1TF -+ either disabling SMT is not required for full protection. -+ -+.. _mds_smt_control: -+ -+SMT control -+^^^^^^^^^^^ -+ -+ All MDS variants except MSBDS can be attacked cross Hyper-Threads. That -+ means on CPUs which are affected by MFBDS or MLPDS it is necessary to -+ disable SMT for full protection. These are most of the affected CPUs; the -+ exception is XEON PHI, see :ref:`xeon_phi`. 
-+ -+ Disabling SMT can have a significant performance impact, but the impact -+ depends on the type of workloads. -+ -+ See the relevant chapter in the L1TF mitigation documentation for details: -+ :ref:`Documentation/admin-guide/hw-vuln/l1tf.rst `. -+ -+ -+.. _mds_mitigation_control_command_line: -+ -+Mitigation control on the kernel command line -+--------------------------------------------- -+ -+The kernel command line allows to control the MDS mitigations at boot -+time with the option "mds=". The valid arguments for this option are: -+ -+ ============ ============================================================= -+ full If the CPU is vulnerable, enable all available mitigations -+ for the MDS vulnerability, CPU buffer clearing on exit to -+ userspace and when entering a VM. Idle transitions are -+ protected as well if SMT is enabled. -+ -+ It does not automatically disable SMT. -+ -+ off Disables MDS mitigations completely. -+ -+ ============ ============================================================= -+ -+Not specifying this option is equivalent to "mds=full". -+ -+ -+Mitigation selection guide -+-------------------------- -+ -+1. Trusted userspace -+^^^^^^^^^^^^^^^^^^^^ -+ -+ If all userspace applications are from a trusted source and do not -+ execute untrusted code which is supplied externally, then the mitigation -+ can be disabled. -+ -+ -+2. Virtualization with trusted guests -+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -+ -+ The same considerations as above versus trusted user space apply. -+ -+3. Virtualization with untrusted guests -+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -+ -+ The protection depends on the state of the L1TF mitigations. -+ See :ref:`virt_mechanism`. -+ -+ If the MDS mitigation is enabled and SMT is disabled, guest to host and -+ guest to guest attacks are prevented. -+ -+.. 
_mds_default_mitigations: -+ -+Default mitigations -+------------------- -+ -+ The kernel default mitigations for vulnerable processors are: -+ -+ - Enable CPU buffer clearing -+ -+ The kernel does not by default enforce the disabling of SMT, which leaves -+ SMT systems vulnerable when running untrusted code. The same rationale as -+ for L1TF applies. -+ See :ref:`Documentation/admin-guide/hw-vuln//l1tf.rst `. -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index b2c9e47c4167..290f0946f2ef 100644 ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -2341,6 +2341,8 @@ - Not specifying this option is equivalent to - mds=full. - -+ For details see: Documentation/admin-guide/hw-vuln/mds.rst -+ - mem=nn[KMG] [KNL,BOOT] Force usage of a specific amount of memory - Amount of memory to be used when the kernel is not able - to see the whole system memory or for test. diff --git a/debian/patches/bugfix/all/spec/0018-x86-speculation-mds-Add-mds-full-nosmt-cmdline-optio.patch b/debian/patches/bugfix/all/spec/0018-x86-speculation-mds-Add-mds-full-nosmt-cmdline-optio.patch deleted file mode 100644 index d5aeee4c7..000000000 --- a/debian/patches/bugfix/all/spec/0018-x86-speculation-mds-Add-mds-full-nosmt-cmdline-optio.patch +++ /dev/null 
@@ -1,88 +0,0 @@
-From 71cd118bd3491d54b45c8185bb0d8c3a2466424f Mon Sep 17 00:00:00 2001
-From: Josh Poimboeuf
-Date: Tue, 2 Apr 2019 09:59:33 -0500
-Subject: [PATCH 18/30] x86/speculation/mds: Add mds=full,nosmt cmdline option
-
-commit d71eb0ce109a124b0fa714832823b9452f2762cf upstream
-
-Add the mds=full,nosmt cmdline option. This is like mds=full, but with
-SMT disabled if the CPU is vulnerable.
-
-Signed-off-by: Josh Poimboeuf
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Tyler Hicks
-Acked-by: Jiri Kosina
----
- Documentation/admin-guide/hw-vuln/mds.rst | 3 +++
- Documentation/admin-guide/kernel-parameters.txt | 6 ++++--
- arch/x86/kernel/cpu/bugs.c | 10 ++++++++++
- 3 files changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/Documentation/admin-guide/hw-vuln/mds.rst b/Documentation/admin-guide/hw-vuln/mds.rst
-index 1de29d28903d..244ab47d1fb3 100644
---- a/Documentation/admin-guide/hw-vuln/mds.rst
-+++ b/Documentation/admin-guide/hw-vuln/mds.rst
-@@ -260,6 +260,9 @@ The kernel command line allows to control the MDS mitigations at boot
- 
- It does not automatically disable SMT.
- 
-+ full,nosmt The same as mds=full, with SMT disabled on vulnerable
-+ CPUs. This is the complete mitigation.
-+
- off Disables MDS mitigations completely.
- 
- ============ =============================================================
-diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index 290f0946f2ef..df8d10668b11 100644
---- a/Documentation/admin-guide/kernel-parameters.txt
-+++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -2335,8 +2335,10 @@
- This parameter controls the MDS mitigation. The
- options are:
- 
-- full - Enable MDS mitigation on vulnerable CPUs
-- off - Unconditionally disable MDS mitigation
-+ full - Enable MDS mitigation on vulnerable CPUs
-+ full,nosmt - Enable MDS mitigation and disable
-+ SMT on vulnerable CPUs
-+ off - Unconditionally disable MDS mitigation
- 
- Not specifying this option is equivalent to
- mds=full.
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index a7e54a91abc4..3f70da3a4e58 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -219,6 +219,7 @@ static void x86_amd_ssb_disable(void)
- 
- /* Default mitigation for L1TF-affected CPUs */
- static enum mds_mitigations mds_mitigation __ro_after_init = MDS_MITIGATION_FULL;
-+static bool mds_nosmt __ro_after_init = false;
- 
- static const char * const mds_strings[] = {
- [MDS_MITIGATION_OFF] = "Vulnerable",
-@@ -236,8 +237,13 @@ static void __init mds_select_mitigation(void)
- if (mds_mitigation == MDS_MITIGATION_FULL) {
- if (!boot_cpu_has(X86_FEATURE_MD_CLEAR))
- mds_mitigation = MDS_MITIGATION_VMWERV;
-+
- static_branch_enable(&mds_user_clear);
-+
-+ if (mds_nosmt && !boot_cpu_has(X86_BUG_MSBDS_ONLY))
-+ cpu_smt_disable(false);
- }
-+
- pr_info("%s\n", mds_strings[mds_mitigation]);
- }
- 
-@@ -253,6 +259,10 @@ static int __init mds_cmdline(char *str)
- mds_mitigation = MDS_MITIGATION_OFF;
- else if (!strcmp(str, "full"))
- mds_mitigation = MDS_MITIGATION_FULL;
-+ else if (!strcmp(str, "full,nosmt")) {
-+ mds_mitigation = MDS_MITIGATION_FULL;
-+ mds_nosmt = true;
-+ }
- 
- return 0;
- }
diff --git a/debian/patches/bugfix/all/spec/0019-x86-speculation-Move-arch_smt_update-call-to-after-m.patch b/debian/patches/bugfix/all/spec/0019-x86-speculation-Move-arch_smt_update-call-to-after-m.patch
deleted file mode 100644
index 6a3878a21..000000000
--- a/debian/patches/bugfix/all/spec/0019-x86-speculation-Move-arch_smt_update-call-to-after-m.patch
+++ /dev/null
@@ -1,43 +0,0 @@ -From 39a5de311379c9c80f0886522296d08121582cad Mon Sep 17 00:00:00 2001 -From: Josh Poimboeuf -Date: Tue, 2 Apr 2019 10:00:14 -0500 -Subject: [PATCH 19/30] x86/speculation: Move arch_smt_update() call to after - mitigation decisions - -commit 7c3658b20194a5b3209a143f63bc9c643c6a3ae2 upstream - -arch_smt_update() now has a dependency on both Spectre v2 and MDS -mitigations. Move its initial call to after all the mitigation decisions -have been made. - -Signed-off-by: Josh Poimboeuf -Signed-off-by: Thomas Gleixner -Reviewed-by: Tyler Hicks -Acked-by: Jiri Kosina ---- - arch/x86/kernel/cpu/bugs.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index 3f70da3a4e58..6ccbcac2cb1d 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -109,6 +109,8 @@ void __init check_bugs(void) - - mds_select_mitigation(); - -+ arch_smt_update(); -+ - #ifdef CONFIG_X86_32 - /* - * Check whether we are able to run this kernel safely on SMP. -@@ -624,9 +626,6 @@ static void __init spectre_v2_select_mitigation(void) - - /* Set up IBPB and STIBP depending on the general spectre V2 command */ - spectre_v2_user_select_mitigation(cmd); -- -- /* Enable STIBP if appropriate */ -- arch_smt_update(); - } - - static void update_stibp_msr(void * __unused) diff --git a/debian/patches/bugfix/all/spec/0020-x86-speculation-mds-Add-SMT-warning-message.patch b/debian/patches/bugfix/all/spec/0020-x86-speculation-mds-Add-SMT-warning-message.patch deleted file mode 100644 index 3ec362492..000000000 --- a/debian/patches/bugfix/all/spec/0020-x86-speculation-mds-Add-SMT-warning-message.patch +++ /dev/null 
@@ -1,58 +0,0 @@
-From 7b41a615bd0f13959d9236abd341879c80379069 Mon Sep 17 00:00:00 2001
-From: Josh Poimboeuf
-Date: Tue, 2 Apr 2019 10:00:51 -0500
-Subject: [PATCH 20/30] x86/speculation/mds: Add SMT warning message
-
-commit 39226ef02bfb43248b7db12a4fdccb39d95318e3 upstream
-
-MDS is vulnerable with SMT. Make that clear with a one-time printk
-whenever SMT first gets enabled.
-
-Signed-off-by: Josh Poimboeuf
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Tyler Hicks
-Acked-by: Jiri Kosina
----
- arch/x86/kernel/cpu/bugs.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 6ccbcac2cb1d..8e74282da80e 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -659,6 +659,9 @@ static void update_indir_branch_cond(void)
- static_branch_disable(&switch_to_cond_stibp);
- }
- 
-+#undef pr_fmt
-+#define pr_fmt(fmt) fmt
-+
- /* Update the static key controlling the MDS CPU buffer clear in idle */
- static void update_mds_branch_idle(void)
- {
-@@ -679,6 +682,8 @@ static void update_mds_branch_idle(void)
- static_branch_disable(&mds_idle_clear);
- }
- 
-+#define MDS_MSG_SMT "MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.\n"
-+
- void arch_smt_update(void)
- {
- /* Enhanced IBRS implies STIBP. No update required. */
-@@ -702,6 +707,8 @@ void arch_smt_update(void)
- switch (mds_mitigation) {
- case MDS_MITIGATION_FULL:
- case MDS_MITIGATION_VMWERV:
-+ if (sched_smt_active() && !boot_cpu_has(X86_BUG_MSBDS_ONLY))
-+ pr_warn_once(MDS_MSG_SMT);
- update_mds_branch_idle();
- break;
- case MDS_MITIGATION_OFF:
-@@ -1131,6 +1138,7 @@ static int __init l1tf_cmdline(char *str)
- early_param("l1tf", l1tf_cmdline);
- 
- #undef pr_fmt
-+#define pr_fmt(fmt) fmt
- 
- #ifdef CONFIG_SYSFS
- 
diff --git a/debian/patches/bugfix/all/spec/0021-x86-speculation-mds-Fix-comment.patch b/debian/patches/bugfix/all/spec/0021-x86-speculation-mds-Fix-comment.patch
deleted file mode 100644
index 6cc7fcc4e..000000000
--- a/debian/patches/bugfix/all/spec/0021-x86-speculation-mds-Fix-comment.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 7a4591bd67b72f2f6c3e0520f7a670eb3085ccdb Mon Sep 17 00:00:00 2001
-From: Boris Ostrovsky
-Date: Fri, 12 Apr 2019 17:50:57 -0400
-Subject: [PATCH 21/30] x86/speculation/mds: Fix comment
-
-commit cae5ec342645746d617dd420d206e1588d47768a upstream
-
-s/L1TF/MDS/
-
-Signed-off-by: Boris Ostrovsky
-Signed-off-by: Konrad Rzeszutek Wilk
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Tyler Hicks
-Reviewed-by: Josh Poimboeuf
----
- arch/x86/kernel/cpu/bugs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 8e74282da80e..1726f43853ca 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -219,7 +219,7 @@ static void x86_amd_ssb_disable(void)
- #undef pr_fmt
- #define pr_fmt(fmt) "MDS: " fmt
- 
--/* Default mitigation for L1TF-affected CPUs */
-+/* Default mitigation for MDS-affected CPUs */
- static enum mds_mitigations mds_mitigation __ro_after_init = MDS_MITIGATION_FULL;
- static bool mds_nosmt __ro_after_init = false;
- 
diff --git a/debian/patches/bugfix/all/spec/0022-x86-speculation-mds-Print-SMT-vulnerable-on-MSBDS-wi.patch b/debian/patches/bugfix/all/spec/0022-x86-speculation-mds-Print-SMT-vulnerable-on-MSBDS-wi.patch
deleted file mode 100644
index ab07d2441..000000000
--- a/debian/patches/bugfix/all/spec/0022-x86-speculation-mds-Print-SMT-vulnerable-on-MSBDS-wi.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 902c28c3ffa6271ab3f6f1104b03683eff7c2ac9 Mon Sep 17 00:00:00 2001
-From: Konrad Rzeszutek Wilk
-Date: Fri, 12 Apr 2019 17:50:58 -0400
-Subject: [PATCH 22/30] x86/speculation/mds: Print SMT vulnerable on MSBDS with
- mitigations off
-
-commit e2c3c94788b08891dcf3dbe608f9880523ecd71b upstream
-
-This code is only for CPUs which are affected by MSBDS, but are *not*
-affected by the other two MDS issues.
-
-For such CPUs, enabling the mds_idle_clear mitigation is enough to
-mitigate SMT.
-
-However if user boots with 'mds=off' and still has SMT enabled, we should
-not report that SMT is mitigated:
-
-$cat /sys//devices/system/cpu/vulnerabilities/mds
-Vulnerable; SMT mitigated
-
-But rather:
-Vulnerable; SMT vulnerable
-
-Signed-off-by: Konrad Rzeszutek Wilk
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Tyler Hicks
-Reviewed-by: Josh Poimboeuf
-Link: https://lkml.kernel.org/r/20190412215118.294906495@localhost.localdomain
----
- arch/x86/kernel/cpu/bugs.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 1726f43853ca..8d432a3d38a3 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -1186,7 +1186,8 @@ static ssize_t mds_show_state(char *buf)
- 
- if (boot_cpu_has(X86_BUG_MSBDS_ONLY)) {
- return sprintf(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
-- sched_smt_active() ? "mitigated" : "disabled");
-+ (mds_mitigation == MDS_MITIGATION_OFF ? "vulnerable" :
-+ sched_smt_active() ? "mitigated" : "disabled"));
- }
- 
- return sprintf(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
diff --git a/debian/patches/bugfix/all/spec/0023-cpu-speculation-Add-mitigations-cmdline-option.patch b/debian/patches/bugfix/all/spec/0023-cpu-speculation-Add-mitigations-cmdline-option.patch
deleted file mode 100644
index 09962c80a..000000000
--- a/debian/patches/bugfix/all/spec/0023-cpu-speculation-Add-mitigations-cmdline-option.patch
+++ /dev/null
@@ -1,164 +0,0 @@ -From 0e44e1761b78d31665fbce073ce58f42a0ffd4de Mon Sep 17 00:00:00 2001 -From: Josh Poimboeuf -Date: Fri, 12 Apr 2019 15:39:28 -0500 -Subject: [PATCH 23/30] cpu/speculation: Add 'mitigations=' cmdline option - -commit 98af8452945c55652de68536afdde3b520fec429 upstream - -Keeping track of the number of mitigations for all the CPU speculation -bugs has become overwhelming for many users. It's getting more and more -complicated to decide which mitigations are needed for a given -architecture. Complicating matters is the fact that each arch tends to -have its own custom way to mitigate the same vulnerability. - -Most users fall into a few basic categories: - -a) they want all mitigations off; - -b) they want all reasonable mitigations on, with SMT enabled even if - it's vulnerable; or - -c) they want all reasonable mitigations on, with SMT disabled if - vulnerable. - -Define a set of curated, arch-independent options, each of which is an -aggregation of existing options: - -- mitigations=off: Disable all mitigations. - -- mitigations=auto: [default] Enable all the default mitigations, but - leave SMT enabled, even if it's vulnerable. - -- mitigations=auto,nosmt: Enable all the default mitigations, disabling - SMT if needed by a mitigation. - -Currently, these options are placeholders which don't actually do -anything. They will be fleshed out in upcoming patches. - -Signed-off-by: Josh Poimboeuf -Signed-off-by: Thomas Gleixner -Tested-by: Jiri Kosina (on x86) -Reviewed-by: Jiri Kosina -Cc: Borislav Petkov -Cc: "H . 
Peter Anvin" -Cc: Andy Lutomirski -Cc: Peter Zijlstra -Cc: Jiri Kosina -Cc: Waiman Long -Cc: Andrea Arcangeli -Cc: Jon Masters -Cc: Benjamin Herrenschmidt -Cc: Paul Mackerras -Cc: Michael Ellerman -Cc: linuxppc-dev@lists.ozlabs.org -Cc: Martin Schwidefsky -Cc: Heiko Carstens -Cc: linux-s390@vger.kernel.org -Cc: Catalin Marinas -Cc: Will Deacon -Cc: linux-arm-kernel@lists.infradead.org -Cc: linux-arch@vger.kernel.org -Cc: Greg Kroah-Hartman -Cc: Tyler Hicks -Cc: Linus Torvalds -Cc: Randy Dunlap -Cc: Steven Price -Cc: Phil Auld -Link: https://lkml.kernel.org/r/b07a8ef9b7c5055c3a4637c87d07c296d5016fe0.1555085500.git.jpoimboe@redhat.com ---- - .../admin-guide/kernel-parameters.txt | 24 +++++++++++++++++++ - include/linux/cpu.h | 24 +++++++++++++++++++ - kernel/cpu.c | 15 ++++++++++++ - 3 files changed, 63 insertions(+) - -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index df8d10668b11..6a1b94afb005 100644 ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -2502,6 +2502,30 @@ - in the "bleeding edge" mini2440 support kernel at - http://repo.or.cz/w/linux-2.6/mini2440.git - -+ mitigations= -+ Control optional mitigations for CPU vulnerabilities. -+ This is a set of curated, arch-independent options, each -+ of which is an aggregation of existing arch-specific -+ options. -+ -+ off -+ Disable all optional CPU mitigations. This -+ improves system performance, but it may also -+ expose users to several CPU vulnerabilities. -+ -+ auto (default) -+ Mitigate all CPU vulnerabilities, but leave SMT -+ enabled, even if it's vulnerable. This is for -+ users who don't want to be surprised by SMT -+ getting disabled across kernel upgrades, or who -+ have other ways of avoiding SMT-based attacks. -+ This is the default behavior. -+ -+ auto,nosmt -+ Mitigate all CPU vulnerabilities, disabling SMT -+ if needed. 
This is for users who always want to -+ be fully mitigated, even if it means losing SMT. -+ - mminit_loglevel= - [KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this - parameter allows control of the logging verbosity for -diff --git a/include/linux/cpu.h b/include/linux/cpu.h -index 3c87ad888ed3..57ae83c4d5f4 100644 ---- a/include/linux/cpu.h -+++ b/include/linux/cpu.h -@@ -189,4 +189,28 @@ static inline void cpu_smt_disable(bool force) { } - static inline void cpu_smt_check_topology(void) { } - #endif - -+/* -+ * These are used for a global "mitigations=" cmdline option for toggling -+ * optional CPU mitigations. -+ */ -+enum cpu_mitigations { -+ CPU_MITIGATIONS_OFF, -+ CPU_MITIGATIONS_AUTO, -+ CPU_MITIGATIONS_AUTO_NOSMT, -+}; -+ -+extern enum cpu_mitigations cpu_mitigations; -+ -+/* mitigations=off */ -+static inline bool cpu_mitigations_off(void) -+{ -+ return cpu_mitigations == CPU_MITIGATIONS_OFF; -+} -+ -+/* mitigations=auto,nosmt */ -+static inline bool cpu_mitigations_auto_nosmt(void) -+{ -+ return cpu_mitigations == CPU_MITIGATIONS_AUTO_NOSMT; -+} -+ - #endif /* _LINUX_CPU_H_ */ -diff --git a/kernel/cpu.c b/kernel/cpu.c -index dc250ec2c096..bc6c880a093f 100644 ---- a/kernel/cpu.c -+++ b/kernel/cpu.c -@@ -2278,3 +2278,18 @@ void __init boot_cpu_hotplug_init(void) - #endif - this_cpu_write(cpuhp_state.state, CPUHP_ONLINE); - } -+ -+enum cpu_mitigations cpu_mitigations __ro_after_init = CPU_MITIGATIONS_AUTO; -+ -+static int __init mitigations_parse_cmdline(char *arg) -+{ -+ if (!strcmp(arg, "off")) -+ cpu_mitigations = CPU_MITIGATIONS_OFF; -+ else if (!strcmp(arg, "auto")) -+ cpu_mitigations = CPU_MITIGATIONS_AUTO; -+ else if (!strcmp(arg, "auto,nosmt")) -+ cpu_mitigations = CPU_MITIGATIONS_AUTO_NOSMT; -+ -+ return 0; -+} -+early_param("mitigations", mitigations_parse_cmdline); 
diff --git a/debian/patches/bugfix/all/spec/0024-x86-speculation-Support-mitigations-cmdline-option.patch b/debian/patches/bugfix/all/spec/0024-x86-speculation-Support-mitigations-cmdline-option.patch deleted file mode 100644 index f0876b582..000000000 --- a/debian/patches/bugfix/all/spec/0024-x86-speculation-Support-mitigations-cmdline-option.patch +++ /dev/null 
@@ -1,151 +0,0 @@ -From d0bf64abd7f837c5faf16e0550d678aed630e520 Mon Sep 17 00:00:00 2001 -From: Josh Poimboeuf -Date: Fri, 12 Apr 2019 15:39:29 -0500 -Subject: [PATCH 24/30] x86/speculation: Support 'mitigations=' cmdline option - -commit d68be4c4d31295ff6ae34a8ddfaa4c1a8ff42812 upstream - -Configure x86 runtime CPU speculation bug mitigations in accordance with -the 'mitigations=' cmdline option. This affects Meltdown, Spectre v2, -Speculative Store Bypass, and L1TF. - -The default behavior is unchanged. - -Signed-off-by: Josh Poimboeuf -Signed-off-by: Thomas Gleixner -Tested-by: Jiri Kosina (on x86) -Reviewed-by: Jiri Kosina -Cc: Borislav Petkov -Cc: "H . Peter Anvin" -Cc: Andy Lutomirski -Cc: Peter Zijlstra -Cc: Jiri Kosina -Cc: Waiman Long -Cc: Andrea Arcangeli -Cc: Jon Masters -Cc: Benjamin Herrenschmidt -Cc: Paul Mackerras -Cc: Michael Ellerman -Cc: linuxppc-dev@lists.ozlabs.org -Cc: Martin Schwidefsky -Cc: Heiko Carstens -Cc: linux-s390@vger.kernel.org -Cc: Catalin Marinas -Cc: Will Deacon -Cc: linux-arm-kernel@lists.infradead.org -Cc: linux-arch@vger.kernel.org -Cc: Greg Kroah-Hartman -Cc: Tyler Hicks -Cc: Linus Torvalds -Cc: Randy Dunlap -Cc: Steven Price -Cc: Phil Auld -Link: https://lkml.kernel.org/r/6616d0ae169308516cfdf5216bedd169f8a8291b.1555085500.git.jpoimboe@redhat.com ---- - Documentation/admin-guide/kernel-parameters.txt | 16 +++++++++++----- - arch/x86/kernel/cpu/bugs.c | 11 +++++++++-- - arch/x86/mm/pti.c | 4 +++- - 3 files changed, 23 insertions(+), 8 deletions(-) - -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index 6a1b94afb005..31c17532c219 100644 ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -2503,15 +2503,20 @@ - http://repo.or.cz/w/linux-2.6/mini2440.git - - mitigations= -- Control optional mitigations for CPU vulnerabilities. 
-- This is a set of curated, arch-independent options, each -- of which is an aggregation of existing arch-specific -- options. -+ [X86] Control optional mitigations for CPU -+ vulnerabilities. This is a set of curated, -+ arch-independent options, each of which is an -+ aggregation of existing arch-specific options. - - off - Disable all optional CPU mitigations. This - improves system performance, but it may also - expose users to several CPU vulnerabilities. -+ Equivalent to: nopti [X86] -+ nospectre_v2 [X86] -+ spectre_v2_user=off [X86] -+ spec_store_bypass_disable=off [X86] -+ l1tf=off [X86] - - auto (default) - Mitigate all CPU vulnerabilities, but leave SMT -@@ -2519,12 +2524,13 @@ - users who don't want to be surprised by SMT - getting disabled across kernel upgrades, or who - have other ways of avoiding SMT-based attacks. -- This is the default behavior. -+ Equivalent to: (default behavior) - - auto,nosmt - Mitigate all CPU vulnerabilities, disabling SMT - if needed. This is for users who always want to - be fully mitigated, even if it means losing SMT. 
-+ Equivalent to: l1tf=flush,nosmt [X86] - - mminit_loglevel= - [KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index 8d432a3d38a3..904d55cf80a2 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -494,7 +494,8 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) - char arg[20]; - int ret, i; - -- if (cmdline_find_option_bool(boot_command_line, "nospectre_v2")) -+ if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") || -+ cpu_mitigations_off()) - return SPECTRE_V2_CMD_NONE; - - ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg)); -@@ -756,7 +757,8 @@ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void) - char arg[20]; - int ret, i; - -- if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable")) { -+ if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") || -+ cpu_mitigations_off()) { - return SPEC_STORE_BYPASS_CMD_NONE; - } else { - ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable", -@@ -1077,6 +1079,11 @@ static void __init l1tf_select_mitigation(void) - if (!boot_cpu_has_bug(X86_BUG_L1TF)) - return; - -+ if (cpu_mitigations_off()) -+ l1tf_mitigation = L1TF_MITIGATION_OFF; -+ else if (cpu_mitigations_auto_nosmt()) -+ l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT; -+ - override_cache_bits(&boot_cpu_data); - - switch (l1tf_mitigation) { -diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c -index c1fc1ae6b429..4df3e5c89d57 100644 ---- a/arch/x86/mm/pti.c -+++ b/arch/x86/mm/pti.c -@@ -35,6 +35,7 @@ - #include - #include - #include -+#include - - #include - #include -@@ -115,7 +116,8 @@ void __init pti_check_boottime_disable(void) - } - } - -- if (cmdline_find_option_bool(boot_command_line, "nopti")) { -+ if (cmdline_find_option_bool(boot_command_line, "nopti") || -+ cpu_mitigations_off()) { - pti_mode = PTI_FORCE_OFF; - 
pti_print_if_insecure("disabled on command line."); - return; diff --git a/debian/patches/bugfix/all/spec/0025-powerpc-speculation-Support-mitigations-cmdline-opti.patch b/debian/patches/bugfix/all/spec/0025-powerpc-speculation-Support-mitigations-cmdline-opti.patch deleted file mode 100644 index 962fc57d9..000000000 --- a/debian/patches/bugfix/all/spec/0025-powerpc-speculation-Support-mitigations-cmdline-opti.patch +++ /dev/null 
@@ -1,122 +0,0 @@ -From 7cd777a49624b9e186919a5e1b7fec49dafdb8eb Mon Sep 17 00:00:00 2001 -From: Josh Poimboeuf -Date: Fri, 12 Apr 2019 15:39:30 -0500 -Subject: [PATCH 25/30] powerpc/speculation: Support 'mitigations=' cmdline - option - -commit 782e69efb3dfed6e8360bc612e8c7827a901a8f9 upstream - -Configure powerpc CPU runtime speculation bug mitigations in accordance -with the 'mitigations=' cmdline option. This affects Meltdown, Spectre -v1, Spectre v2, and Speculative Store Bypass. - -The default behavior is unchanged. - -Signed-off-by: Josh Poimboeuf -Signed-off-by: Thomas Gleixner -Tested-by: Jiri Kosina (on x86) -Reviewed-by: Jiri Kosina -Cc: Borislav Petkov -Cc: "H . Peter Anvin" -Cc: Andy Lutomirski -Cc: Peter Zijlstra -Cc: Jiri Kosina -Cc: Waiman Long -Cc: Andrea Arcangeli -Cc: Jon Masters -Cc: Benjamin Herrenschmidt -Cc: Paul Mackerras -Cc: Michael Ellerman -Cc: linuxppc-dev@lists.ozlabs.org -Cc: Martin Schwidefsky -Cc: Heiko Carstens -Cc: linux-s390@vger.kernel.org -Cc: Catalin Marinas -Cc: Will Deacon -Cc: linux-arm-kernel@lists.infradead.org -Cc: linux-arch@vger.kernel.org -Cc: Greg Kroah-Hartman -Cc: Tyler Hicks -Cc: Linus Torvalds -Cc: Randy Dunlap -Cc: Steven Price -Cc: Phil Auld -Link: https://lkml.kernel.org/r/245a606e1a42a558a310220312d9b6adb9159df6.1555085500.git.jpoimboe@redhat.com ---- - Documentation/admin-guide/kernel-parameters.txt | 9 +++++---- - arch/powerpc/kernel/security.c | 6 +++--- - arch/powerpc/kernel/setup_64.c | 2 +- - 3 files changed, 9 insertions(+), 8 deletions(-) - -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index 31c17532c219..49aa191979c1 100644 ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -2503,7 +2503,7 @@ - http://repo.or.cz/w/linux-2.6/mini2440.git - - mitigations= -- [X86] Control optional mitigations for CPU -+ [X86,PPC] Control optional mitigations for CPU - vulnerabilities. 
This is a set of curated, - arch-independent options, each of which is an - aggregation of existing arch-specific options. -@@ -2512,10 +2512,11 @@ - Disable all optional CPU mitigations. This - improves system performance, but it may also - expose users to several CPU vulnerabilities. -- Equivalent to: nopti [X86] -- nospectre_v2 [X86] -+ Equivalent to: nopti [X86,PPC] -+ nospectre_v1 [PPC] -+ nospectre_v2 [X86,PPC] - spectre_v2_user=off [X86] -- spec_store_bypass_disable=off [X86] -+ spec_store_bypass_disable=off [X86,PPC] - l1tf=off [X86] - - auto (default) -diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c -index 1341325599a7..4ccbf611a3c5 100644 ---- a/arch/powerpc/kernel/security.c -+++ b/arch/powerpc/kernel/security.c -@@ -56,7 +56,7 @@ void setup_barrier_nospec(void) - enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) && - security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR); - -- if (!no_nospec) -+ if (!no_nospec && !cpu_mitigations_off()) - enable_barrier_nospec(enable); - } - -@@ -115,7 +115,7 @@ static int __init handle_nospectre_v2(char *p) - early_param("nospectre_v2", handle_nospectre_v2); - void setup_spectre_v2(void) - { -- if (no_spectrev2) -+ if (no_spectrev2 || cpu_mitigations_off()) - do_btb_flush_fixups(); - else - btb_flush_enabled = true; -@@ -299,7 +299,7 @@ void setup_stf_barrier(void) - - stf_enabled_flush_types = type; - -- if (!no_stf_barrier) -+ if (!no_stf_barrier && !cpu_mitigations_off()) - stf_barrier_enable(enable); - } - -diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c -index faf00222b324..eaf7300be5ab 100644 ---- a/arch/powerpc/kernel/setup_64.c -+++ b/arch/powerpc/kernel/setup_64.c -@@ -955,7 +955,7 @@ void setup_rfi_flush(enum l1d_flush_type types, bool enable) - - enabled_flush_types = types; - -- if (!no_rfi_flush) -+ if (!no_rfi_flush && !cpu_mitigations_off()) - rfi_flush_enable(enable); - } - 
diff --git a/debian/patches/bugfix/all/spec/0026-s390-speculation-Support-mitigations-cmdline-option.patch b/debian/patches/bugfix/all/spec/0026-s390-speculation-Support-mitigations-cmdline-option.patch deleted file mode 100644 index 5c572fcc8..000000000 --- a/debian/patches/bugfix/all/spec/0026-s390-speculation-Support-mitigations-cmdline-option.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -From cf0b4c8e4d70fe1d282b4e910834f3982ca10eb4 Mon Sep 17 00:00:00 2001 -From: Josh Poimboeuf -Date: Fri, 12 Apr 2019 15:39:31 -0500 -Subject: [PATCH 26/30] s390/speculation: Support 'mitigations=' cmdline option - -commit 0336e04a6520bdaefdb0769d2a70084fa52e81ed upstream - -Configure s390 runtime CPU speculation bug mitigations in accordance -with the 'mitigations=' cmdline option. This affects Spectre v1 and -Spectre v2. - -The default behavior is unchanged. - -Signed-off-by: Josh Poimboeuf -Signed-off-by: Thomas Gleixner -Tested-by: Jiri Kosina (on x86) -Reviewed-by: Jiri Kosina -Cc: Borislav Petkov -Cc: "H . Peter Anvin" -Cc: Andy Lutomirski -Cc: Peter Zijlstra -Cc: Jiri Kosina -Cc: Waiman Long -Cc: Andrea Arcangeli -Cc: Jon Masters -Cc: Benjamin Herrenschmidt -Cc: Paul Mackerras -Cc: Michael Ellerman -Cc: linuxppc-dev@lists.ozlabs.org -Cc: Martin Schwidefsky -Cc: Heiko Carstens -Cc: linux-s390@vger.kernel.org -Cc: Catalin Marinas -Cc: Will Deacon -Cc: linux-arm-kernel@lists.infradead.org -Cc: linux-arch@vger.kernel.org -Cc: Greg Kroah-Hartman -Cc: Tyler Hicks -Cc: Linus Torvalds -Cc: Randy Dunlap -Cc: Steven Price -Cc: Phil Auld -Link: https://lkml.kernel.org/r/e4a161805458a5ec88812aac0307ae3908a030fc.1555085500.git.jpoimboe@redhat.com ---- - Documentation/admin-guide/kernel-parameters.txt | 5 +++-- - arch/s390/kernel/nospec-branch.c | 3 ++- - 2 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index 49aa191979c1..4f3efaaa46bd 100644 ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -2503,7 +2503,7 @@ - http://repo.or.cz/w/linux-2.6/mini2440.git - - mitigations= -- [X86,PPC] Control optional mitigations for CPU -+ [X86,PPC,S390] Control optional mitigations for CPU - vulnerabilities. 
This is a set of curated, - arch-independent options, each of which is an - aggregation of existing arch-specific options. -@@ -2514,7 +2514,8 @@ - expose users to several CPU vulnerabilities. - Equivalent to: nopti [X86,PPC] - nospectre_v1 [PPC] -- nospectre_v2 [X86,PPC] -+ nobp=0 [S390] -+ nospectre_v2 [X86,PPC,S390] - spectre_v2_user=off [X86] - spec_store_bypass_disable=off [X86,PPC] - l1tf=off [X86] -diff --git a/arch/s390/kernel/nospec-branch.c b/arch/s390/kernel/nospec-branch.c -index bdddaae96559..649135cbedd5 100644 ---- a/arch/s390/kernel/nospec-branch.c -+++ b/arch/s390/kernel/nospec-branch.c -@@ -1,6 +1,7 @@ - // SPDX-License-Identifier: GPL-2.0 - #include - #include -+#include - #include - - static int __init nobp_setup_early(char *str) -@@ -58,7 +59,7 @@ early_param("nospectre_v2", nospectre_v2_setup_early); - - void __init nospec_auto_detect(void) - { -- if (test_facility(156)) { -+ if (test_facility(156) || cpu_mitigations_off()) { - /* - * The machine supports etokens. - * Disable expolines and disable nobp. diff --git a/debian/patches/bugfix/all/spec/0027-x86-speculation-mds-Add-mitigations-support-for-MDS.patch b/debian/patches/bugfix/all/spec/0027-x86-speculation-mds-Add-mitigations-support-for-MDS.patch deleted file mode 100644 index b9282fd65..000000000 --- a/debian/patches/bugfix/all/spec/0027-x86-speculation-mds-Add-mitigations-support-for-MDS.patch +++ /dev/null 
@@ -1,59 +0,0 @@
-From d15a5678215ac4702f48d739ca3653ad1e568b52 Mon Sep 17 00:00:00 2001
-From: Josh Poimboeuf
-Date: Wed, 17 Apr 2019 16:39:02 -0500
-Subject: [PATCH 27/30] x86/speculation/mds: Add 'mitigations=' support for MDS
-
-commit 5c14068f87d04adc73ba3f41c2a303d3c3d1fa12 upstream
-
-Add MDS to the new 'mitigations=' cmdline option.
-
-Signed-off-by: Josh Poimboeuf
-Signed-off-by: Thomas Gleixner
----
- Documentation/admin-guide/kernel-parameters.txt | 2 ++
- arch/x86/kernel/cpu/bugs.c | 5 +++--
- 2 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index 4f3efaaa46bd..a29301d6e6c6 100644
---- a/Documentation/admin-guide/kernel-parameters.txt
-+++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -2519,6 +2519,7 @@
- spectre_v2_user=off [X86]
- spec_store_bypass_disable=off [X86,PPC]
- l1tf=off [X86]
-+ mds=off [X86]
- 
- auto (default)
- Mitigate all CPU vulnerabilities, but leave SMT
-@@ -2533,6 +2534,7 @@
- if needed. This is for users who always want to
- be fully mitigated, even if it means losing SMT.
- Equivalent to: l1tf=flush,nosmt [X86]
-+ mds=full,nosmt [X86]
- 
- mminit_loglevel=
- [KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 904d55cf80a2..9b096f26d1c8 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -231,7 +231,7 @@ static const char * const mds_strings[] = {
- 
- static void __init mds_select_mitigation(void)
- {
-- if (!boot_cpu_has_bug(X86_BUG_MDS)) {
-+ if (!boot_cpu_has_bug(X86_BUG_MDS) || cpu_mitigations_off()) {
- mds_mitigation = MDS_MITIGATION_OFF;
- return;
- }
-@@ -242,7 +242,8 @@ static void __init mds_select_mitigation(void)
- 
- static_branch_enable(&mds_user_clear);
- 
-- if (mds_nosmt && !boot_cpu_has(X86_BUG_MSBDS_ONLY))
-+ if (!boot_cpu_has(X86_BUG_MSBDS_ONLY) &&
-+ (mds_nosmt || cpu_mitigations_auto_nosmt()))
- cpu_smt_disable(false);
- }
- 
diff --git a/debian/patches/bugfix/all/spec/0028-x86-mds-Add-MDSUM-variant-to-the-MDS-documentation.patch b/debian/patches/bugfix/all/spec/0028-x86-mds-Add-MDSUM-variant-to-the-MDS-documentation.patch
deleted file mode 100644
index c0de92c34..000000000
--- a/debian/patches/bugfix/all/spec/0028-x86-mds-Add-MDSUM-variant-to-the-MDS-documentation.patch
+++ /dev/null
@@ -1,69 +0,0 @@ -From ce4dbfe6007776bac14b2435bcf7c17976daeafe Mon Sep 17 00:00:00 2001 -From: speck for Pawan Gupta -Date: Mon, 6 May 2019 12:23:50 -0700 -Subject: [PATCH 28/30] x86/mds: Add MDSUM variant to the MDS documentation - -commit e672f8bf71c66253197e503f75c771dd28ada4a0 upstream - -Updated the documentation for a new CVE-2019-11091 Microarchitectural Data -Sampling Uncacheable Memory (MDSUM) which is a variant of -Microarchitectural Data Sampling (MDS). MDS is a family of side channel -attacks on internal buffers in Intel CPUs. - -MDSUM is a special case of MSBDS, MFBDS and MLPDS. An uncacheable load from -memory that takes a fault or assist can leave data in a microarchitectural -structure that may later be observed using one of the same methods used by -MSBDS, MFBDS or MLPDS. There are no new code changes expected for MDSUM. -The existing mitigation for MDS applies to MDSUM as well. - -Signed-off-by: Pawan Gupta -Signed-off-by: Thomas Gleixner -Reviewed-by: Tyler Hicks -Reviewed-by: Jon Masters ---- - Documentation/admin-guide/hw-vuln/mds.rst | 5 +++-- - Documentation/x86/mds.rst | 5 +++++ - 2 files changed, 8 insertions(+), 2 deletions(-) - -diff --git a/Documentation/admin-guide/hw-vuln/mds.rst b/Documentation/admin-guide/hw-vuln/mds.rst -index 244ab47d1fb3..e0dccf414eca 100644 ---- a/Documentation/admin-guide/hw-vuln/mds.rst -+++ b/Documentation/admin-guide/hw-vuln/mds.rst -@@ -32,11 +32,12 @@ Related CVEs - - The following CVE entries are related to the MDS vulnerability: - -- ============== ===== ============================================== -+ ============== ===== =================================================== - CVE-2018-12126 MSBDS Microarchitectural Store Buffer Data Sampling - CVE-2018-12130 MFBDS Microarchitectural Fill Buffer Data Sampling - CVE-2018-12127 MLPDS Microarchitectural Load Port Data Sampling -- ============== ===== ============================================== -+ CVE-2019-11091 MDSUM Microarchitectural Data Sampling 
Uncacheable Memory -+ ============== ===== =================================================== - - Problem - ------- -diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst -index 3d6f943f1afb..979945be257a 100644 ---- a/Documentation/x86/mds.rst -+++ b/Documentation/x86/mds.rst -@@ -12,6 +12,7 @@ Microarchitectural Data Sampling (MDS) is a family of side channel attacks - - Microarchitectural Store Buffer Data Sampling (MSBDS) (CVE-2018-12126) - - Microarchitectural Fill Buffer Data Sampling (MFBDS) (CVE-2018-12130) - - Microarchitectural Load Port Data Sampling (MLPDS) (CVE-2018-12127) -+ - Microarchitectural Data Sampling Uncacheable Memory (MDSUM) (CVE-2019-11091) - - MSBDS leaks Store Buffer Entries which can be speculatively forwarded to a - dependent load (store-to-load forwarding) as an optimization. The forward -@@ -38,6 +39,10 @@ faulting or assisting loads under certain conditions, which again can be - exploited eventually. Load ports are shared between Hyper-Threads so cross - thread leakage is possible. - -+MDSUM is a special case of MSBDS, MFBDS and MLPDS. An uncacheable load from -+memory that takes a fault or assist can leave data in a microarchitectural -+structure that may later be observed using one of the same methods used by -+MSBDS, MFBDS or MLPDS. - - Exposure assumptions - -------------------- diff --git a/debian/patches/bugfix/all/spec/0029-Documentation-Correct-the-possible-MDS-sysfs-values.patch b/debian/patches/bugfix/all/spec/0029-Documentation-Correct-the-possible-MDS-sysfs-values.patch deleted file mode 100644 index 4a843dd5f..000000000 --- a/debian/patches/bugfix/all/spec/0029-Documentation-Correct-the-possible-MDS-sysfs-values.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 9cd0e06f7739f9e1a15379e971b3e6c64816d36f Mon Sep 17 00:00:00 2001 -From: Tyler Hicks -Date: Mon, 6 May 2019 23:52:58 +0000 -Subject: [PATCH 29/30] Documentation: Correct the possible MDS sysfs values - -commit ea01668f9f43021b28b3f4d5ffad50106a1e1301 upstream - -Adjust the last two rows in the table that display possible values when -MDS mitigation is enabled. They both were slightly innacurate. - -In addition, convert the table of possible values and their descriptions -to a list-table. The simple table format uses the top border of equals -signs to determine cell width which resulted in the first column being -far too wide in comparison to the second column that contained the -majority of the text. - -Signed-off-by: Tyler Hicks -Signed-off-by: Thomas Gleixner ---- - Documentation/admin-guide/hw-vuln/mds.rst | 29 ++++++++++------------- - 1 file changed, 13 insertions(+), 16 deletions(-) - -diff --git a/Documentation/admin-guide/hw-vuln/mds.rst b/Documentation/admin-guide/hw-vuln/mds.rst -index e0dccf414eca..e3a796c0d3a2 100644 ---- a/Documentation/admin-guide/hw-vuln/mds.rst -+++ b/Documentation/admin-guide/hw-vuln/mds.rst -@@ -95,22 +95,19 @@ status of the system: whether the system is vulnerable, and which - - The possible values in this file are: - -- ========================================= ================================= -- 'Not affected' The processor is not vulnerable -- -- 'Vulnerable' The processor is vulnerable, -- but no mitigation enabled -- -- 'Vulnerable: Clear CPU buffers attempted' The processor is vulnerable but -- microcode is not updated. -- The mitigation is enabled on a -- best effort basis. -- See :ref:`vmwerv` -- -- 'Mitigation: CPU buffer clear' The processor is vulnerable and the -- CPU buffer clearing mitigation is -- enabled. -- ========================================= ================================= -+ .. 
list-table:: -+ -+ * - 'Not affected' -+ - The processor is not vulnerable -+ * - 'Vulnerable' -+ - The processor is vulnerable, but no mitigation enabled -+ * - 'Vulnerable: Clear CPU buffers attempted, no microcode' -+ - The processor is vulnerable but microcode is not updated. -+ -+ The mitigation is enabled on a best effort basis. See :ref:`vmwerv` -+ * - 'Mitigation: Clear CPU buffers' -+ - The processor is vulnerable and the CPU buffer clearing mitigation is -+ enabled. - - If the processor is vulnerable then the following information is appended - to the above information: diff --git a/debian/patches/bugfix/all/spec/0030-x86-speculation-mds-Fix-documentation-typo.patch b/debian/patches/bugfix/all/spec/0030-x86-speculation-mds-Fix-documentation-typo.patch deleted file mode 100644 index 685a342e7..000000000 --- a/debian/patches/bugfix/all/spec/0030-x86-speculation-mds-Fix-documentation-typo.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 011c5b50bb2e545174b2bcd1452b4f1a099e79b0 Mon Sep 17 00:00:00 2001 -From: Josh Poimboeuf -Date: Tue, 7 May 2019 15:05:22 -0500 -Subject: [PATCH 30/30] x86/speculation/mds: Fix documentation typo - -commit 95310e348a321b45fb746c176961d4da72344282 upstream - -Fix a minor typo in the MDS documentation: "eanbled" -> "enabled". - -Reported-by: Jeff Bastian -Signed-off-by: Josh Poimboeuf -Signed-off-by: Thomas Gleixner ---- - Documentation/x86/mds.rst | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst -index 979945be257a..534e9baa4e1d 100644 ---- a/Documentation/x86/mds.rst -+++ b/Documentation/x86/mds.rst -@@ -116,7 +116,7 @@ Kernel internal mitigation modes - off Mitigation is disabled. Either the CPU is not affected or - mds=off is supplied on the kernel command line - -- full Mitigation is eanbled. CPU is affected and MD_CLEAR is -+ full Mitigation is enabled. CPU is affected and MD_CLEAR is - advertised in CPUID. - - vmwerv Mitigation is enabled. CPU is affected and MD_CLEAR is not diff --git a/debian/patches/bugfix/all/spec/powerpc-64s-include-cpu-header.patch b/debian/patches/bugfix/all/spec/powerpc-64s-include-cpu-header.patch deleted file mode 100644 index 564e6d1b8..000000000 --- a/debian/patches/bugfix/all/spec/powerpc-64s-include-cpu-header.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From: Breno Leitao -Date: Mon, 22 Oct 2018 11:54:12 -0300 -Subject: powerpc/64s: Include cpu header -Origin: https://git.kernel.org/linus/42e2acde1237878462b028f5a27d9cc5bea7502c - -Current powerpc security.c file is defining functions, as -cpu_show_meltdown(), cpu_show_spectre_v{1,2} and others, that are being -declared at linux/cpu.h header without including the header file that -contains these declarations. - -This is being reported by sparse, which thinks that these functions are -static, due to the lack of declaration: - - arch/powerpc/kernel/security.c:105:9: warning: symbol 'cpu_show_meltdown' was not declared. Should it be static? - arch/powerpc/kernel/security.c:139:9: warning: symbol 'cpu_show_spectre_v1' was not declared. Should it be static? - arch/powerpc/kernel/security.c:161:9: warning: symbol 'cpu_show_spectre_v2' was not declared. Should it be static? - arch/powerpc/kernel/security.c:209:6: warning: symbol 'stf_barrier' was not declared. Should it be static? - arch/powerpc/kernel/security.c:289:9: warning: symbol 'cpu_show_spec_store_bypass' was not declared. Should it be static? - -This patch simply includes the proper header (linux/cpu.h) to match -function definition and declaration. - -Signed-off-by: Breno Leitao -Signed-off-by: Michael Ellerman ---- - arch/powerpc/kernel/security.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c -index f6f469fc4073..9703dce36307 100644 ---- a/arch/powerpc/kernel/security.c -+++ b/arch/powerpc/kernel/security.c -@@ -4,6 +4,7 @@ - // - // Copyright 2018, Michael Ellerman, IBM Corporation. - -+#include - #include - #include - #include diff --git a/debian/patches/bugfix/all/tcp-add-tcp_min_snd_mss-sysctl.patch b/debian/patches/bugfix/all/tcp-add-tcp_min_snd_mss-sysctl.patch deleted file mode 100644 index 18985b044..000000000 --- a/debian/patches/bugfix/all/tcp-add-tcp_min_snd_mss-sysctl.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From: Eric Dumazet -Date: Mon, 17 Jun 2019 10:03:53 -0700 -Subject: [PATCH net 3/4] tcp: add tcp_min_snd_mss sysctl -Origin: https://patchwork.ozlabs.org/patch/1117157/ - -Some TCP peers announce a very small MSS option in their SYN and/or -SYN/ACK messages. - -This forces the stack to send packets with a very high network/cpu -overhead. - -Linux has enforced a minimal value of 48. Since this value includes -the size of TCP options, and that the options can consume up to 40 -bytes, this means that each segment can include only 8 bytes of payload. - -In some cases, it can be useful to increase the minimal value -to a saner value. - -We still let the default to 48 (TCP_MIN_SND_MSS), for compatibility -reasons. - -Note that TCP_MAXSEG socket option enforces a minimal value -of (TCP_MIN_MSS). David Miller increased this minimal value -in commit c39508d6f118 ("tcp: Make TCP_MAXSEG minimum more correct.") -from 64 to 88. - -We might in the future merge TCP_MIN_SND_MSS and TCP_MIN_MSS. - -CVE-2019-11479 -- tcp mss hardcoded to 48 - -Signed-off-by: Eric Dumazet -Suggested-by: Jonathan Looney -Acked-by: Neal Cardwell -Cc: Yuchung Cheng -Cc: Tyler Hicks -Cc: Bruce Curtis -Cc: Jonathan Lemon -Acked-by: Jonathan Lemon -Acked-by: Tyler Hicks ---- - Documentation/networking/ip-sysctl.txt | 8 ++++++++ - include/net/netns/ipv4.h | 1 + - net/ipv4/sysctl_net_ipv4.c | 11 +++++++++++ - net/ipv4/tcp_ipv4.c | 1 + - net/ipv4/tcp_output.c | 3 +-- - 5 files changed, 22 insertions(+), 2 deletions(-) - ---- a/Documentation/networking/ip-sysctl.txt -+++ b/Documentation/networking/ip-sysctl.txt -@@ -250,6 +250,14 @@ tcp_base_mss - INTEGER - Path MTU discovery (MTU probing). If MTU probing is enabled, - this is the initial MSS used by the connection. - -+tcp_min_snd_mss - INTEGER -+ TCP SYN and SYNACK messages usually advertise an ADVMSS option, -+ as described in RFC 1122 and RFC 6691. 
-+ If this ADVMSS option is smaller than tcp_min_snd_mss, -+ it is silently capped to tcp_min_snd_mss. -+ -+ Default : 48 (at least 8 bytes of payload per segment) -+ - tcp_congestion_control - STRING - Set the congestion control algorithm to be used for new - connections. The algorithm "reno" is always available, but ---- a/include/net/netns/ipv4.h -+++ b/include/net/netns/ipv4.h -@@ -113,6 +113,7 @@ struct netns_ipv4 { - #endif - int sysctl_tcp_mtu_probing; - int sysctl_tcp_base_mss; -+ int sysctl_tcp_min_snd_mss; - int sysctl_tcp_probe_threshold; - u32 sysctl_tcp_probe_interval; - ---- a/net/ipv4/sysctl_net_ipv4.c -+++ b/net/ipv4/sysctl_net_ipv4.c -@@ -39,6 +39,8 @@ static int ip_local_port_range_min[] = { - static int ip_local_port_range_max[] = { 65535, 65535 }; - static int tcp_adv_win_scale_min = -31; - static int tcp_adv_win_scale_max = 31; -+static int tcp_min_snd_mss_min = TCP_MIN_SND_MSS; -+static int tcp_min_snd_mss_max = 65535; - static int ip_privileged_port_min; - static int ip_privileged_port_max = 65535; - static int ip_ttl_min = 1; -@@ -737,6 +739,15 @@ static struct ctl_table ipv4_net_table[] - .proc_handler = proc_dointvec, - }, - { -+ .procname = "tcp_min_snd_mss", -+ .data = &init_net.ipv4.sysctl_tcp_min_snd_mss, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec_minmax, -+ .extra1 = &tcp_min_snd_mss_min, -+ .extra2 = &tcp_min_snd_mss_max, -+ }, -+ { - .procname = "tcp_probe_threshold", - .data = &init_net.ipv4.sysctl_tcp_probe_threshold, - .maxlen = sizeof(int), ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -2527,6 +2527,7 @@ static int __net_init tcp_sk_init(struct - net->ipv4.sysctl_tcp_ecn_fallback = 1; - - net->ipv4.sysctl_tcp_base_mss = TCP_BASE_MSS; -+ net->ipv4.sysctl_tcp_min_snd_mss = TCP_MIN_SND_MSS; - net->ipv4.sysctl_tcp_probe_threshold = TCP_PROBE_THRESHOLD; - net->ipv4.sysctl_tcp_probe_interval = TCP_PROBE_INTERVAL; - ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -1462,8 
+1462,7 @@ static inline int __tcp_mtu_to_mss(struc - mss_now -= icsk->icsk_ext_hdr_len; - - /* Then reserve room for full set of TCP options and 8 bytes of data */ -- if (mss_now < TCP_MIN_SND_MSS) -- mss_now = TCP_MIN_SND_MSS; -+ mss_now = max(mss_now, sock_net(sk)->ipv4.sysctl_tcp_min_snd_mss); - return mss_now; - } - diff --git a/debian/patches/bugfix/all/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch b/debian/patches/bugfix/all/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch deleted file mode 100644 index 17104536e..000000000 --- a/debian/patches/bugfix/all/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Eric Dumazet -Date: Mon, 17 Jun 2019 10:03:54 -0700 -Subject: [PATCH net 4/4] tcp: enforce tcp_min_snd_mss in tcp_mtu_probing() -Origin: https://patchwork.ozlabs.org/patch/1117158/ - -If mtu probing is enabled tcp_mtu_probing() could very well end up -with a too small MSS. - -Use the new sysctl tcp_min_snd_mss to make sure MSS search -is performed in an acceptable range. - -CVE-2019-11479 -- tcp mss hardcoded to 48 - -Signed-off-by: Eric Dumazet -Reported-by: Jonathan Lemon -Cc: Jonathan Looney -Acked-by: Neal Cardwell -Cc: Yuchung Cheng -Cc: Tyler Hicks -Cc: Bruce Curtis -Acked-by: Jonathan Lemon -Acked-by: Tyler Hicks ---- - net/ipv4/tcp_timer.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/net/ipv4/tcp_timer.c -+++ b/net/ipv4/tcp_timer.c -@@ -166,6 +166,7 @@ static void tcp_mtu_probing(struct inet_ - mss = tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_low) >> 1; - mss = min(net->ipv4.sysctl_tcp_base_mss, mss); - mss = max(mss, 68 - tcp_sk(sk)->tcp_header_len); -+ mss = max(mss, net->ipv4.sysctl_tcp_min_snd_mss); - icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, mss); - } - tcp_sync_mss(sk, icsk->icsk_pmtu_cookie); 
diff --git a/debian/patches/bugfix/all/tcp-limit-payload-size-of-sacked-skbs.patch b/debian/patches/bugfix/all/tcp-limit-payload-size-of-sacked-skbs.patch deleted file mode 100644 index fc5f6af1d..000000000 --- a/debian/patches/bugfix/all/tcp-limit-payload-size-of-sacked-skbs.patch +++ /dev/null 
@@ -1,154 +0,0 @@ -From: Eric Dumazet -Date: Mon, 17 Jun 2019 10:03:51 -0700 -Subject: [PATCH net 1/4] tcp: limit payload size of sacked skbs -Origin: https://patchwork.ozlabs.org/patch/1117155/ - -Jonathan Looney reported that TCP can trigger the following crash -in tcp_shifted_skb() : - - BUG_ON(tcp_skb_pcount(skb) < pcount); - -This can happen if the remote peer has advertized the smallest -MSS that linux TCP accepts : 48 - -An skb can hold 17 fragments, and each fragment can hold 32KB -on x86, or 64KB on PowerPC. - -This means that the 16bit witdh of TCP_SKB_CB(skb)->tcp_gso_segs -can overflow. - -Note that tcp_sendmsg() builds skbs with less than 64KB -of payload, so this problem needs SACK to be enabled. -SACK blocks allow TCP to coalesce multiple skbs in the retransmit -queue, thus filling the 17 fragments to maximal capacity. - -CVE-2019-11477 -- u16 overflow of TCP_SKB_CB(skb)->tcp_gso_segs - -Fixes: 832d11c5cd07 ("tcp: Try to restore large SKBs while SACK processing") -Signed-off-by: Eric Dumazet -Reported-by: Jonathan Looney -Acked-by: Neal Cardwell -Reviewed-by: Tyler Hicks -Cc: Yuchung Cheng -Cc: Bruce Curtis -Cc: Jonathan Lemon -Acked-by: Jonathan Lemon ---- - include/linux/tcp.h | 4 ++++ - include/net/tcp.h | 2 ++ - net/ipv4/tcp.c | 1 + - net/ipv4/tcp_input.c | 26 ++++++++++++++++++++------ - net/ipv4/tcp_output.c | 6 +++--- - 5 files changed, 30 insertions(+), 9 deletions(-) - ---- a/include/linux/tcp.h -+++ b/include/linux/tcp.h -@@ -485,4 +485,8 @@ static inline u16 tcp_mss_clamp(const st - - return (user_mss && user_mss < mss) ? 
user_mss : mss; - } -+ -+int tcp_skb_shift(struct sk_buff *to, struct sk_buff *from, int pcount, -+ int shiftlen); -+ - #endif /* _LINUX_TCP_H */ ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -55,6 +55,8 @@ void tcp_time_wait(struct sock *sk, int - - #define MAX_TCP_HEADER (128 + MAX_HEADER) - #define MAX_TCP_OPTION_SPACE 40 -+#define TCP_MIN_SND_MSS 48 -+#define TCP_MIN_GSO_SIZE (TCP_MIN_SND_MSS - MAX_TCP_OPTION_SPACE) - - /* - * Never offer a window over 32767 without using window scaling. Some ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3829,6 +3829,7 @@ void __init tcp_init(void) - unsigned long limit; - unsigned int i; - -+ BUILD_BUG_ON(TCP_MIN_SND_MSS <= MAX_TCP_OPTION_SPACE); - BUILD_BUG_ON(sizeof(struct tcp_skb_cb) > - FIELD_SIZEOF(struct sk_buff, cb)); - ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -1315,7 +1315,7 @@ static bool tcp_shifted_skb(struct sock - TCP_SKB_CB(skb)->seq += shifted; - - tcp_skb_pcount_add(prev, pcount); -- BUG_ON(tcp_skb_pcount(skb) < pcount); -+ WARN_ON_ONCE(tcp_skb_pcount(skb) < pcount); - tcp_skb_pcount_add(skb, -pcount); - - /* When we're adding to gso_segs == 1, gso_size will be zero, -@@ -1381,6 +1381,21 @@ static int skb_can_shift(const struct sk - return !skb_headlen(skb) && skb_is_nonlinear(skb); - } - -+int tcp_skb_shift(struct sk_buff *to, struct sk_buff *from, -+ int pcount, int shiftlen) -+{ -+ /* TCP min gso_size is 8 bytes (TCP_MIN_GSO_SIZE) -+ * Since TCP_SKB_CB(skb)->tcp_gso_segs is 16 bits, we need -+ * to make sure not storing more than 65535 * 8 bytes per skb, -+ * even if current MSS is bigger. -+ */ -+ if (unlikely(to->len + shiftlen >= 65535 * TCP_MIN_GSO_SIZE)) -+ return 0; -+ if (unlikely(tcp_skb_pcount(to) + pcount > 65535)) -+ return 0; -+ return skb_shift(to, from, shiftlen); -+} -+ - /* Try collapsing SACK blocks spanning across multiple skbs to a single - * skb. 
- */ -@@ -1486,7 +1501,7 @@ static struct sk_buff *tcp_shift_skb_dat - if (!after(TCP_SKB_CB(skb)->seq + len, tp->snd_una)) - goto fallback; - -- if (!skb_shift(prev, skb, len)) -+ if (!tcp_skb_shift(prev, skb, pcount, len)) - goto fallback; - if (!tcp_shifted_skb(sk, prev, skb, state, pcount, len, mss, dup_sack)) - goto out; -@@ -1504,11 +1519,10 @@ static struct sk_buff *tcp_shift_skb_dat - goto out; - - len = skb->len; -- if (skb_shift(prev, skb, len)) { -- pcount += tcp_skb_pcount(skb); -- tcp_shifted_skb(sk, prev, skb, state, tcp_skb_pcount(skb), -+ pcount = tcp_skb_pcount(skb); -+ if (tcp_skb_shift(prev, skb, pcount, len)) -+ tcp_shifted_skb(sk, prev, skb, state, pcount, - len, mss, 0); -- } - - out: - return prev; ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -1457,8 +1457,8 @@ static inline int __tcp_mtu_to_mss(struc - mss_now -= icsk->icsk_ext_hdr_len; - - /* Then reserve room for full set of TCP options and 8 bytes of data */ -- if (mss_now < 48) -- mss_now = 48; -+ if (mss_now < TCP_MIN_SND_MSS) -+ mss_now = TCP_MIN_SND_MSS; - return mss_now; - } - -@@ -2727,7 +2727,7 @@ static bool tcp_collapse_retrans(struct - if (next_skb_size <= skb_availroom(skb)) - skb_copy_bits(next_skb, 0, skb_put(skb, next_skb_size), - next_skb_size); -- else if (!skb_shift(skb, next_skb, next_skb_size)) -+ else if (!tcp_skb_shift(skb, next_skb, 1, next_skb_size)) - return false; - } - tcp_highest_sack_replace(sk, next_skb, skb); diff --git a/debian/patches/bugfix/all/tcp-refine-memory-limit-test-in-tcp_fragment.patch b/debian/patches/bugfix/all/tcp-refine-memory-limit-test-in-tcp_fragment.patch deleted file mode 100644 index 2e5887e9d..000000000 --- a/debian/patches/bugfix/all/tcp-refine-memory-limit-test-in-tcp_fragment.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From: Eric Dumazet -Date: Fri, 21 Jun 2019 06:09:55 -0700 -Subject: tcp: refine memory limit test in tcp_fragment() -Origin: https://git.kernel.org/linus/b6653b3629e5b88202be3c9abc44713973f5c4b4 -Bug-Debian: https://bugs.debian.org/930904 - -tcp_fragment() might be called for skbs in the write queue. - -Memory limits might have been exceeded because tcp_sendmsg() only -checks limits at full skb (64KB) boundaries. - -Therefore, we need to make sure tcp_fragment() wont punish applications -that might have setup very low SO_SNDBUF values. - -Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits") -Signed-off-by: Eric Dumazet -Reported-by: Christoph Paasch -Tested-by: Christoph Paasch -Signed-off-by: David S. Miller ---- - net/ipv4/tcp_output.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index 00c01a01b547..0ebc33d1c9e5 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -1296,7 +1296,8 @@ int tcp_fragment(struct sock *sk, enum tcp_queue tcp_queue, - if (nsize < 0) - nsize = 0; - -- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) { -+ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf && -+ tcp_queue != TCP_FRAG_IN_WRITE_QUEUE)) { - NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG); - return -ENOMEM; - } --- -2.20.1 - diff --git a/debian/patches/bugfix/all/tcp-tcp_fragment-should-apply-sane-memory-limits.patch b/debian/patches/bugfix/all/tcp-tcp_fragment-should-apply-sane-memory-limits.patch deleted file mode 100644 index e7f46130e..000000000 --- a/debian/patches/bugfix/all/tcp-tcp_fragment-should-apply-sane-memory-limits.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From: Eric Dumazet -Date: Mon, 17 Jun 2019 10:03:52 -0700 -Subject: [PATCH net 2/4] tcp: tcp_fragment() should apply sane memory limits -Origin: https://patchwork.ozlabs.org/patch/1117156/ - -Jonathan Looney reported that a malicious peer can force a sender -to fragment its retransmit queue into tiny skbs, inflating memory -usage and/or overflow 32bit counters. - -TCP allows an application to queue up to sk_sndbuf bytes, -so we need to give some allowance for non malicious splitting -of retransmit queue. - -A new SNMP counter is added to monitor how many times TCP -did not allow to split an skb if the allowance was exceeded. - -Note that this counter might increase in the case applications -use SO_SNDBUF socket option to lower sk_sndbuf. - -CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the - socket is already using more than half the allowed space - -Signed-off-by: Eric Dumazet -Reported-by: Jonathan Looney -Acked-by: Neal Cardwell -Acked-by: Yuchung Cheng -Reviewed-by: Tyler Hicks -Cc: Bruce Curtis -Cc: Jonathan Lemon -Acked-by: Jonathan Lemon ---- - include/uapi/linux/snmp.h | 1 + - net/ipv4/proc.c | 1 + - net/ipv4/tcp_output.c | 5 +++++ - 3 files changed, 7 insertions(+) - ---- a/include/uapi/linux/snmp.h -+++ b/include/uapi/linux/snmp.h -@@ -282,6 +282,7 @@ enum - LINUX_MIB_TCPACKCOMPRESSED, /* TCPAckCompressed */ - LINUX_MIB_TCPZEROWINDOWDROP, /* TCPZeroWindowDrop */ - LINUX_MIB_TCPRCVQDROP, /* TCPRcvQDrop */ -+ LINUX_MIB_TCPWQUEUETOOBIG, /* TCPWqueueTooBig */ - __LINUX_MIB_MAX - }; - ---- a/net/ipv4/proc.c -+++ b/net/ipv4/proc.c -@@ -290,6 +290,7 @@ static const struct snmp_mib snmp4_net_l - SNMP_MIB_ITEM("TCPAckCompressed", LINUX_MIB_TCPACKCOMPRESSED), - SNMP_MIB_ITEM("TCPZeroWindowDrop", LINUX_MIB_TCPZEROWINDOWDROP), - SNMP_MIB_ITEM("TCPRcvQDrop", LINUX_MIB_TCPRCVQDROP), -+ SNMP_MIB_ITEM("TCPWqueueTooBig", LINUX_MIB_TCPWQUEUETOOBIG), - SNMP_MIB_SENTINEL - }; - ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ 
-1299,6 +1299,11 @@ int tcp_fragment(struct sock *sk, enum t - if (nsize < 0) - nsize = 0; - -+ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) { -+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG); -+ return -ENOMEM; -+ } -+ - if (skb_unclone(skb, gfp)) - return -ENOMEM; - diff --git a/debian/patches/bugfix/all/tracing-fix-buffer_ref-pipe-ops.patch b/debian/patches/bugfix/all/tracing-fix-buffer_ref-pipe-ops.patch deleted file mode 100644 index 23f6bda0a..000000000 --- a/debian/patches/bugfix/all/tracing-fix-buffer_ref-pipe-ops.patch +++ /dev/null 
@@ -1,137 +0,0 @@ -From: Jann Horn -Date: Thu, 4 Apr 2019 23:59:25 +0200 -Subject: tracing: Fix buffer_ref pipe ops -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=cffeb9c84d20816a2173e3cfeca210c8bfa8e357 - -commit b987222654f84f7b4ca95b3a55eca784cb30235b upstream. - -This fixes multiple issues in buffer_pipe_buf_ops: - - - The ->steal() handler must not return zero unless the pipe buffer has - the only reference to the page. But generic_pipe_buf_steal() assumes - that every reference to the pipe is tracked by the page's refcount, - which isn't true for these buffers - buffer_pipe_buf_get(), which - duplicates a buffer, doesn't touch the page's refcount. - Fix it by using generic_pipe_buf_nosteal(), which refuses every - attempted theft. It should be easy to actually support ->steal, but the - only current users of pipe_buf_steal() are the virtio console and FUSE, - and they also only use it as an optimization. So it's probably not worth - the effort. - - The ->get() and ->release() handlers can be invoked concurrently on pipe - buffers backed by the same struct buffer_ref. Make them safe against - concurrency by using refcount_t. - - The pointers stored in ->private were only zeroed out when the last - reference to the buffer_ref was dropped. As far as I know, this - shouldn't be necessary anyway, but if we do it, let's always do it. 
- -Link: http://lkml.kernel.org/r/20190404215925.253531-1-jannh@google.com - -Cc: Ingo Molnar -Cc: Masami Hiramatsu -Cc: Al Viro -Cc: stable@vger.kernel.org -Fixes: 73a757e63114d ("ring-buffer: Return reader page back into existing ring buffer") -Signed-off-by: Jann Horn -Signed-off-by: Steven Rostedt (VMware) -Signed-off-by: Greg Kroah-Hartman ---- - fs/splice.c | 4 ++-- - include/linux/pipe_fs_i.h | 1 + - kernel/trace/trace.c | 28 ++++++++++++++-------------- - 3 files changed, 17 insertions(+), 16 deletions(-) - ---- a/fs/splice.c -+++ b/fs/splice.c -@@ -333,8 +333,8 @@ const struct pipe_buf_operations default - .get = generic_pipe_buf_get, - }; - --static int generic_pipe_buf_nosteal(struct pipe_inode_info *pipe, -- struct pipe_buffer *buf) -+int generic_pipe_buf_nosteal(struct pipe_inode_info *pipe, -+ struct pipe_buffer *buf) - { - return 1; - } ---- a/include/linux/pipe_fs_i.h -+++ b/include/linux/pipe_fs_i.h -@@ -181,6 +181,7 @@ void free_pipe_info(struct pipe_inode_in - void generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *); - int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *); - int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *); -+int generic_pipe_buf_nosteal(struct pipe_inode_info *, struct pipe_buffer *); - void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *); - void pipe_buf_mark_unmergeable(struct pipe_buffer *buf); - ---- a/kernel/trace/trace.c -+++ b/kernel/trace/trace.c -@@ -6800,19 +6800,23 @@ struct buffer_ref { - struct ring_buffer *buffer; - void *page; - int cpu; -- int ref; -+ refcount_t refcount; - }; - -+static void buffer_ref_release(struct buffer_ref *ref) -+{ -+ if (!refcount_dec_and_test(&ref->refcount)) -+ return; -+ ring_buffer_free_read_page(ref->buffer, ref->cpu, ref->page); -+ kfree(ref); -+} -+ - static void buffer_pipe_buf_release(struct pipe_inode_info *pipe, - struct pipe_buffer *buf) - { - struct buffer_ref *ref = (struct buffer_ref 
*)buf->private; - -- if (--ref->ref) -- return; -- -- ring_buffer_free_read_page(ref->buffer, ref->cpu, ref->page); -- kfree(ref); -+ buffer_ref_release(ref); - buf->private = 0; - } - -@@ -6821,7 +6825,7 @@ static void buffer_pipe_buf_get(struct p - { - struct buffer_ref *ref = (struct buffer_ref *)buf->private; - -- ref->ref++; -+ refcount_inc(&ref->refcount); - } - - /* Pipe buffer operations for a buffer. */ -@@ -6829,7 +6833,7 @@ static const struct pipe_buf_operations - .can_merge = 0, - .confirm = generic_pipe_buf_confirm, - .release = buffer_pipe_buf_release, -- .steal = generic_pipe_buf_steal, -+ .steal = generic_pipe_buf_nosteal, - .get = buffer_pipe_buf_get, - }; - -@@ -6842,11 +6846,7 @@ static void buffer_spd_release(struct sp - struct buffer_ref *ref = - (struct buffer_ref *)spd->partial[i].private; - -- if (--ref->ref) -- return; -- -- ring_buffer_free_read_page(ref->buffer, ref->cpu, ref->page); -- kfree(ref); -+ buffer_ref_release(ref); - spd->partial[i].private = 0; - } - -@@ -6901,7 +6901,7 @@ tracing_buffers_splice_read(struct file - break; - } - -- ref->ref = 1; -+ refcount_set(&ref->refcount, 1); - ref->buffer = iter->trace_buffer->buffer; - ref->page = ring_buffer_alloc_read_page(ref->buffer, iter->cpu_file); - if (IS_ERR(ref->page)) { diff --git a/debian/patches/bugfix/all/vfio-type1-Limit-DMA-mappings-per-container.patch b/debian/patches/bugfix/all/vfio-type1-Limit-DMA-mappings-per-container.patch deleted file mode 100644 index 6046e5e64..000000000 --- a/debian/patches/bugfix/all/vfio-type1-Limit-DMA-mappings-per-container.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From: Alex Williamson -Date: Wed, 3 Apr 2019 12:36:21 -0600 -Subject: vfio/type1: Limit DMA mappings per container -Origin: https://git.kernel.org/linus/492855939bdb59c6f947b0b5b44af9ad82b7e38c -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3882 - -Memory backed DMA mappings are accounted against a user's locked -memory limit, including multiple mappings of the same memory. This -accounting bounds the number of such mappings that a user can create. -However, DMA mappings that are not backed by memory, such as DMA -mappings of device MMIO via mmaps, do not make use of page pinning -and therefore do not count against the user's locked memory limit. -These mappings still consume memory, but the memory is not well -associated to the process for the purpose of oom killing a task. - -To add bounding on this use case, we introduce a limit to the total -number of concurrent DMA mappings that a user is allowed to create. -This limit is exposed as a tunable module option where the default -value of 64K is expected to be well in excess of any reasonable use -case (a large virtual machine configuration would typically only make -use of tens of concurrent mappings). - -This fixes CVE-2019-3882. 
- -Reviewed-by: Eric Auger -Tested-by: Eric Auger -Reviewed-by: Peter Xu -Reviewed-by: Cornelia Huck -Signed-off-by: Alex Williamson ---- - drivers/vfio/vfio_iommu_type1.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c -index 73652e21efec..d0f731c9920a 100644 ---- a/drivers/vfio/vfio_iommu_type1.c -+++ b/drivers/vfio/vfio_iommu_type1.c -@@ -58,12 +58,18 @@ module_param_named(disable_hugepages, - MODULE_PARM_DESC(disable_hugepages, - "Disable VFIO IOMMU support for IOMMU hugepages."); - -+static unsigned int dma_entry_limit __read_mostly = U16_MAX; -+module_param_named(dma_entry_limit, dma_entry_limit, uint, 0644); -+MODULE_PARM_DESC(dma_entry_limit, -+ "Maximum number of user DMA mappings per container (65535)."); -+ - struct vfio_iommu { - struct list_head domain_list; - struct vfio_domain *external_domain; /* domain for external user */ - struct mutex lock; - struct rb_root dma_list; - struct blocking_notifier_head notifier; -+ unsigned int dma_avail; - bool v2; - bool nesting; - }; -@@ -836,6 +842,7 @@ static void vfio_remove_dma(struct vfio_iommu *iommu, struct vfio_dma *dma) - vfio_unlink_dma(iommu, dma); - put_task_struct(dma->task); - kfree(dma); -+ iommu->dma_avail++; - } - - static unsigned long vfio_pgsize_bitmap(struct vfio_iommu *iommu) -@@ -1081,12 +1088,18 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu, - goto out_unlock; - } - -+ if (!iommu->dma_avail) { -+ ret = -ENOSPC; -+ goto out_unlock; -+ } -+ - dma = kzalloc(sizeof(*dma), GFP_KERNEL); - if (!dma) { - ret = -ENOMEM; - goto out_unlock; - } - -+ iommu->dma_avail--; - dma->iova = iova; - dma->vaddr = vaddr; - dma->prot = prot; -@@ -1583,6 +1596,7 @@ static void *vfio_iommu_type1_open(unsigned long arg) - - INIT_LIST_HEAD(&iommu->domain_list); - iommu->dma_list = RB_ROOT; -+ iommu->dma_avail = dma_entry_limit; - mutex_init(&iommu->lock); - BLOCKING_INIT_NOTIFIER_HEAD(&iommu->notifier); - --- -2.11.0 - 
diff --git a/debian/patches/bugfix/all/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch b/debian/patches/bugfix/all/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch deleted file mode 100644 index e9ef64a5a..000000000 --- a/debian/patches/bugfix/all/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch +++ /dev/null 
@@ -1,56 +0,0 @@
-From: Konrad Rzeszutek Wilk
-Date: Wed, 13 Feb 2019 18:21:31 -0500
-Subject: xen/pciback: Don't disable PCI_COMMAND on PCI device reset.
-Origin: https://git.kernel.org/linus/7681f31ec9cdacab4fd10570be924f2cef6669ba
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2015-8553
-Bug: http://xenbits.xen.org/xsa/advisory-120.html
-
-There is no need for this at all. Worst it means that if
-the guest tries to write to BARs it could lead (on certain
-platforms) to PCI SERR errors.
-
-Please note that with af6fc858a35b90e89ea7a7ee58e66628c55c776b
-"xen-pciback: limit guest control of command register"
-a guest is still allowed to enable those control bits (safely), but
-is not allowed to disable them and that therefore a well behaved
-frontend which enables things before using them will still
-function correctly.
-
-This is done via an write to the configuration register 0x4 which
-triggers on the backend side:
-command_write
- \- pci_enable_device
- \- pci_enable_device_flags
- \- do_pci_enable_device
- \- pcibios_enable_device
- \-pci_enable_resourcess
- [which enables the PCI_COMMAND_MEMORY|PCI_COMMAND_IO]
-
-However guests (and drivers) which don't do this could cause
-problems, including the security issues which XSA-120 sought
-to address.
-
-Reported-by: Jan Beulich
-Signed-off-by: Konrad Rzeszutek Wilk
-Reviewed-by: Prarit Bhargava
-Signed-off-by: Juergen Gross
----
- drivers/xen/xen-pciback/pciback_ops.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
-index ea4a08b83fa0..787966f44589 100644
---- a/drivers/xen/xen-pciback/pciback_ops.c
-+++ b/drivers/xen/xen-pciback/pciback_ops.c
-@@ -127,8 +127,6 @@ void xen_pcibk_reset_device(struct pci_dev *dev)
- if (pci_is_enabled(dev))
- pci_disable_device(dev);
-
-- pci_write_config_word(dev, PCI_COMMAND, 0);
--
- dev->is_busmaster = 0;
- } else {
- pci_read_config_word(dev, PCI_COMMAND, &cmd);
---
-2.11.0
-
diff --git a/debian/patches/bugfix/arm64/arm64-compat-Provide-definition-for-COMPAT_SIGMINSTK.patch b/debian/patches/bugfix/arm64/arm64-compat-Provide-definition-for-COMPAT_SIGMINSTK.patch
deleted file mode 100644
index bf6ffcf09..000000000
--- a/debian/patches/bugfix/arm64/arm64-compat-Provide-definition-for-COMPAT_SIGMINSTK.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Will Deacon
-Date: Wed, 5 Sep 2018 15:34:43 +0100
-Subject: arm64: compat: Provide definition for COMPAT_SIGMINSTKSZ
-Origin: https://git.kernel.org/linus/24951465cbd279f60b1fdc2421b3694405bcff42
-
-arch/arm/ defines a SIGMINSTKSZ of 2k, so we should use the same value
-for compat tasks.
-
-Cc: Arnd Bergmann
-Cc: Dominik Brodowski
-Cc: "Eric W. Biederman"
-Cc: Andrew Morton
-Cc: Al Viro
-Cc: Oleg Nesterov
-Reviewed-by: Dave Martin
-Reported-by: Steve McIntyre
-Tested-by: Steve McIntyre <93sam@debian.org>
-Signed-off-by: Will Deacon
-Signed-off-by: Catalin Marinas
----
- arch/arm64/include/asm/compat.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/arm64/include/asm/compat.h b/arch/arm64/include/asm/compat.h
-index 1a037b94eba1..cee28a05ee98 100644
---- a/arch/arm64/include/asm/compat.h
-+++ b/arch/arm64/include/asm/compat.h
-@@ -159,6 +159,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
- }
-
- #define compat_user_stack_pointer() (user_stack_pointer(task_pt_regs(current)))
-+#define COMPAT_MINSIGSTKSZ 2048
-
- static inline void __user *arch_compat_alloc_user_space(long len)
- {
---
-2.20.1
-
diff --git a/debian/patches/bugfix/mips/MIPS-Bounds-check-virt_addr_valid.patch b/debian/patches/bugfix/mips/MIPS-Bounds-check-virt_addr_valid.patch
deleted file mode 100644
index e7386b843..000000000
--- a/debian/patches/bugfix/mips/MIPS-Bounds-check-virt_addr_valid.patch
+++ /dev/null
@@ -1,75 +0,0 @@ -From: Paul Burton -Date: Tue, 28 May 2019 17:05:03 +0000 -Subject: MIPS: Bounds check virt_addr_valid -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/074a1e1167afd82c26f6d03a9a8b997d564bb241 - -The virt_addr_valid() function is meant to return true iff -virt_to_page() will return a valid struct page reference. This is true -iff the address provided is found within the unmapped address range -between PAGE_OFFSET & MAP_BASE, but we don't currently check for that -condition. Instead we simply mask the address to obtain what will be a -physical address if the virtual address is indeed in the desired range, -shift it to form a PFN & then call pfn_valid(). This can incorrectly -return true if called with a virtual address which, after masking, -happens to form a physical address corresponding to a valid PFN. - -For example we may vmalloc an address in the kernel mapped region -starting a MAP_BASE & obtain the virtual address: - - addr = 0xc000000000002000 - -When masked by virt_to_phys(), which uses __pa() & in turn CPHYSADDR(), -we obtain the following (bogus) physical address: - - addr = 0x2000 - -In a common system with PHYS_OFFSET=0 this will correspond to a valid -struct page which should really be accessed by virtual address -PAGE_OFFSET+0x2000, causing virt_addr_valid() to incorrectly return 1 -indicating that the original address corresponds to a struct page. - -This is equivalent to the ARM64 change made in commit ca219452c6b8 -("arm64: Correctly bounds check virt_addr_valid"). - -This fixes fallout when hardened usercopy is enabled caused by the -related commit 517e1fbeb65f ("mm/usercopy: Drop extra -is_vmalloc_or_module() check") which removed a check for the vmalloc -range that was present from the introduction of the hardened usercopy -feature. 
-
-Signed-off-by: Paul Burton
-References: ca219452c6b8 ("arm64: Correctly bounds check virt_addr_valid")
-References: 517e1fbeb65f ("mm/usercopy: Drop extra is_vmalloc_or_module() check")
-Reported-by: Julien Cristau
-Reviewed-by: Philippe Mathieu-Daudé
-Tested-by: YunQiang Su
-URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929366
-Cc: stable@vger.kernel.org # v4.12+
-Cc: linux-mips@vger.kernel.org
-Cc: Yunqiang Su
----
- arch/mips/mm/mmap.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c
-index 2f616ebeb7e0..7755a1fad05a 100644
---- a/arch/mips/mm/mmap.c
-+++ b/arch/mips/mm/mmap.c
-@@ -203,6 +203,11 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
-
- int __virt_addr_valid(const volatile void *kaddr)
- {
-+ unsigned long vaddr = (unsigned long)vaddr;
-+
-+ if ((vaddr < PAGE_OFFSET) || (vaddr >= MAP_BASE))
-+ return 0;
-+
- return pfn_valid(PFN_DOWN(virt_to_phys(kaddr)));
- }
- EXPORT_SYMBOL_GPL(__virt_addr_valid);
---
-2.20.1
-
diff --git a/debian/patches/bugfix/mips/MIPS-scall64-o32-Fix-indirect-syscall-number-load.patch b/debian/patches/bugfix/mips/MIPS-scall64-o32-Fix-indirect-syscall-number-load.patch
deleted file mode 100644
index f9502d050..000000000
--- a/debian/patches/bugfix/mips/MIPS-scall64-o32-Fix-indirect-syscall-number-load.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: Aurelien Jarno
-Date: Tue, 9 Apr 2019 16:53:55 +0200
-Subject: MIPS: scall64-o32: Fix indirect syscall number load
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/79b4a9cf0e2ea8203ce777c8d5cfa86c71eae86e
-
-Commit 4c21b8fd8f14 (MIPS: seccomp: Handle indirect system calls (o32))
-added indirect syscall detection for O32 processes running on MIPS64,
-but it did not work correctly for big endian kernel/processes. The
-reason is that the syscall number is loaded from ARG1 using the lw
-instruction while this is a 64-bit value, so zero is loaded instead of
-the syscall number.
-
-Fix the code by using the ld instruction instead. When running a 32-bit
-processes on a 64 bit CPU, the values are properly sign-extended, so it
-ensures the value passed to syscall_trace_enter is correct.
-
-Recent systemd versions with seccomp enabled whitelist the getpid
-syscall for their internal processes (e.g. systemd-journald), but call
-it through syscall(SYS_getpid). This fix therefore allows O32 big endian
-systems with a 64-bit kernel to run recent systemd versions.
-
-Signed-off-by: Aurelien Jarno
-Cc: # v3.15+
-Reviewed-by: Philippe Mathieu-Daudé
-Signed-off-by: Paul Burton
-Cc: Ralf Baechle
-Cc: James Hogan
-Cc: linux-mips@vger.kernel.org
-Cc: linux-kernel@vger.kernel.org
----
- arch/mips/kernel/scall64-o32.S | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
-index f158c5894a9a..feb2653490df 100644
---- a/arch/mips/kernel/scall64-o32.S
-+++ b/arch/mips/kernel/scall64-o32.S
-@@ -125,7 +125,7 @@ trace_a_syscall:
- subu t1, v0, __NR_O32_Linux
- move a1, v0
- bnez t1, 1f /* __NR_syscall at offset 0 */
-- lw a1, PT_R4(sp) /* Arg1 for __NR_syscall case */
-+ ld a1, PT_R4(sp) /* Arg1 for __NR_syscall case */
- .set pop
-
- 1: jal syscall_trace_enter
---
-2.20.1
-
diff --git a/debian/patches/bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch b/debian/patches/bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch
deleted file mode 100644
index e5dee4adb..000000000
--- a/debian/patches/bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch
+++ /dev/null
@@ -1,140 +0,0 @@ -From: Michael Ellerman -Date: Wed, 12 Jun 2019 23:35:07 +1000 -Subject: powerpc/mm/64s/hash: Reallocate context ids on fork -Origin: https://git.kernel.org/linus/ca72d88378b2f2444d3ec145dd442d449d3fefbc -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-12817 - -When using the Hash Page Table (HPT) MMU, userspace memory mappings -are managed at two levels. Firstly in the Linux page tables, much like -other architectures, and secondly in the SLB (Segment Lookaside -Buffer) and HPT. It's the SLB and HPT that are actually used by the -hardware to do translations. - -As part of the series adding support for 4PB user virtual address -space using the hash MMU, we added support for allocating multiple -"context ids" per process, one for each 512TB chunk of address space. -These are tracked in an array called extended_id in the mm_context_t -of a process that has done a mapping above 512TB. - -If such a process forks (ie. clone(2) without CLONE_VM set) it's mm is -copied, including the mm_context_t, and then init_new_context() is -called to reinitialise parts of the mm_context_t as appropriate to -separate the address spaces of the two processes. - -The key step in ensuring the two processes have separate address -spaces is to allocate a new context id for the process, this is done -at the beginning of hash__init_new_context(). If we didn't allocate a -new context id then the two processes would share mappings as far as -the SLB and HPT are concerned, even though their Linux page tables -would be separate. - -For mappings above 512TB, which use the extended_id array, we -neglected to allocate new context ids on fork, meaning the parent and -child use the same ids and therefore share those mappings even though -they're supposed to be separate. This can lead to the parent seeing -writes done by the child, which is essentially memory corruption. 
- -There is an additional exposure which is that if the child process -exits, all its context ids are freed, including the context ids that -are still in use by the parent for mappings above 512TB. One or more -of those ids can then be reallocated to a third process, that process -can then read/write to the parent's mappings above 512TB. Additionally -if the freed id is used for the third process's primary context id, -then the parent is able to read/write to the third process's mappings -*below* 512TB. - -All of these are fundamental failures to enforce separation between -processes. The only mitigating factor is that the bug only occurs if a -process creates mappings above 512TB, and most applications still do -not create such mappings. - -Only machines using the hash page table MMU are affected, eg. PowerPC -970 (G5), PA6T, Power5/6/7/8/9. By default Power9 bare metal machines -(powernv) use the Radix MMU and are not affected, unless the machine -has been explicitly booted in HPT mode (using disable_radix on the -kernel command line). KVM guests on Power9 may be affected if the host -or guest is configured to use the HPT MMU. LPARs under PowerVM on -Power9 are affected as they always use the HPT MMU. Kernels built with -PAGE_SIZE=4K are not affected. - -The fix is relatively simple, we need to reallocate context ids for -all extended mappings on fork. 
- -Fixes: f384796c40dc ("powerpc/mm: Add support for handling > 512TB address in SLB miss") -Cc: stable@vger.kernel.org # v4.17+ -Signed-off-by: Michael Ellerman ---- - arch/powerpc/mm/mmu_context_book3s64.c | 46 +++++++++++++++++++++++--- - 1 file changed, 42 insertions(+), 4 deletions(-) - -diff --git a/arch/powerpc/mm/mmu_context_book3s64.c b/arch/powerpc/mm/mmu_context_book3s64.c -index dbd8f762140b..68984d85ad6b 100644 ---- a/arch/powerpc/mm/mmu_context_book3s64.c -+++ b/arch/powerpc/mm/mmu_context_book3s64.c -@@ -53,14 +53,48 @@ int hash__alloc_context_id(void) - } - EXPORT_SYMBOL_GPL(hash__alloc_context_id); - -+static int realloc_context_ids(mm_context_t *ctx) -+{ -+ int i, id; -+ -+ /* -+ * id 0 (aka. ctx->id) is special, we always allocate a new one, even if -+ * there wasn't one allocated previously (which happens in the exec -+ * case where ctx is newly allocated). -+ * -+ * We have to be a bit careful here. We must keep the existing ids in -+ * the array, so that we can test if they're non-zero to decide if we -+ * need to allocate a new one. However in case of error we must free the -+ * ids we've allocated but *not* any of the existing ones (or risk a -+ * UAF). That's why we decrement i at the start of the error handling -+ * loop, to skip the id that we just tested but couldn't reallocate. 
-+ */
-+ for (i = 0; i < ARRAY_SIZE(ctx->extended_id); i++) {
-+ if (i == 0 || ctx->extended_id[i]) {
-+ id = hash__alloc_context_id();
-+ if (id < 0)
-+ goto error;
-+
-+ ctx->extended_id[i] = id;
-+ }
-+ }
-+
-+ /* The caller expects us to return id */
-+ return ctx->id;
-+
-+error:
-+ for (i--; i >= 0; i--) {
-+ if (ctx->extended_id[i])
-+ ida_free(&mmu_context_ida, ctx->extended_id[i]);
-+ }
-+
-+ return id;
-+}
-+
- static int hash__init_new_context(struct mm_struct *mm)
- {
- int index;
-
-- index = hash__alloc_context_id();
-- if (index < 0)
-- return index;
--
- /*
- * The old code would re-promote on fork, we don't do that when using
- * slices as it could cause problem promoting slices that have been
-@@ -78,6 +112,10 @@ static int hash__init_new_context(struct mm_struct *mm)
- if (mm->context.id == 0)
- slice_init_new_context_exec(mm);
-
-+ index = realloc_context_ids(&mm->context);
-+ if (index < 0)
-+ return index;
-+
- subpage_prot_init_new_context(mm);
-
- pkey_mm_init(mm);
---
-2.20.1
-
diff --git a/debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch b/debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch
deleted file mode 100644
index cfabc9244..000000000
--- a/debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch
+++ /dev/null
@@ -1,96 +0,0 @@ -From: Michael Neuling -Date: Fri, 19 Jul 2019 15:05:02 +1000 -Subject: powerpc/tm: Fix oops on sigreturn on systems without TM -Origin: https://git.kernel.org/torvalds/c/f16d80b75a096c52354c6e0a574993f3b0dfbdfe -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13648 - -commit f16d80b75a096c52354c6e0a574993f3b0dfbdfe upstream. - -On systems like P9 powernv where we have no TM (or P8 booted with -ppc_tm=off), userspace can construct a signal context which still has -the MSR TS bits set. The kernel tries to restore this context which -results in the following crash: - - Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033 - Oops: Unrecoverable exception, sig: 6 [#1] - LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries - Modules linked in: - CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69 - NIP: c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000 - REGS: c00000003fffbd70 TRAP: 0700 Not tainted (5.2.0-11045-g7142b497d8) - MSR: 8000000102a03031 CR: 42004242 XER: 00000000 - CFAR: c0000000000022e0 IRQMASK: 0 - GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669 - GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8 - GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 - GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000 - GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420 - GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000 - GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000 - GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728 - NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80 - LR [00007fffb2d67e48] 0x7fffb2d67e48 - Call Trace: - Instruction dump: - e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00 - e94d0c08 e96d0c10 e82d0c18 
7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18 - -The problem is the signal code assumes TM is enabled when -CONFIG_PPC_TRANSACTIONAL_MEM is enabled. This may not be the case as -with P9 powernv or if `ppc_tm=off` is used on P8. - -This means any local user can crash the system. - -Fix the problem by returning a bad stack frame to the user if they try -to set the MSR TS bits with sigreturn() on systems where TM is not -supported. - -Found with sigfuz kernel selftest on P9. - -This fixes CVE-2019-13648. - -Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context") -Cc: stable@vger.kernel.org # v3.9 -Reported-by: Praveen Pandey -Signed-off-by: Michael Neuling -Signed-off-by: Michael Ellerman -Link: https://lore.kernel.org/r/20190719050502.405-1-mikey@neuling.org -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/kernel/signal_32.c | 3 +++ - arch/powerpc/kernel/signal_64.c | 5 +++++ - 2 files changed, 8 insertions(+) - -diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c -index fd59fef9931b..906b05c2adae 100644 ---- a/arch/powerpc/kernel/signal_32.c -+++ b/arch/powerpc/kernel/signal_32.c -@@ -1202,6 +1202,9 @@ SYSCALL_DEFINE0(rt_sigreturn) - goto bad; - - if (MSR_TM_ACTIVE(msr_hi<<32)) { -+ /* Trying to start TM on non TM system */ -+ if (!cpu_has_feature(CPU_FTR_TM)) -+ goto bad; - /* We only recheckpoint on return if we're - * transaction. - */ -diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c -index 14b0f5b6a373..b5933d7219db 100644 ---- a/arch/powerpc/kernel/signal_64.c -+++ b/arch/powerpc/kernel/signal_64.c -@@ -750,6 +750,11 @@ SYSCALL_DEFINE0(rt_sigreturn) - if (MSR_TM_ACTIVE(msr)) { - /* We recheckpoint on return. 
*/
- struct ucontext __user *uc_transact;
-+
-+ /* Trying to start TM on non TM system */
-+ if (!cpu_has_feature(CPU_FTR_TM))
-+ goto badframe;
-+
- if (__get_user(uc_transact, &uc->uc_link))
- goto badframe;
- if (restore_tm_sigcontexts(current, &uc->uc_mcontext,
---
-cgit 1.2-0.3.lf.el7
-
diff --git a/debian/patches/bugfix/sparc64/sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch b/debian/patches/bugfix/sparc64/sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch
deleted file mode 100644
index 33261ea66..000000000
--- a/debian/patches/bugfix/sparc64/sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST -From: John Paul Adrian Glaubitz -Date: Tue, 11 Jun 2019 17:38:37 +0200 -Subject: sunhv: Fix device naming inconsistency between sunhv_console and sunhv_reg -Bug-Debian: https://bugs.debian.org/926539 -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc.git/commit/?id=07a6d63eb1b54b5fb38092780fe618dfe1d96e23 - -From: John Paul Adrian Glaubitz - -[ Upstream commit 07a6d63eb1b54b5fb38092780fe618dfe1d96e23 ] - -In d5a2aa24, the name in struct console sunhv_console was changed from "ttyS" -to "ttyHV" while the name in struct uart_ops sunhv_pops remained unchanged. - -This results in the hypervisor console device to be listed as "ttyHV0" under -/proc/consoles while the device node is still named "ttyS0": - -root@osaka:~# cat /proc/consoles -ttyHV0 -W- (EC p ) 4:64 -tty0 -WU (E ) 4:1 -root@osaka:~# readlink /sys/dev/char/4:64 -../../devices/root/f02836f0/f0285690/tty/ttyS0 -root@osaka:~# - -This means that any userland code which tries to determine the name of the -device file of the hypervisor console device can not rely on the information -provided by /proc/consoles. In particular, booting current versions of debian- -installer inside a SPARC LDOM will fail with the installer unable to determine -the console device. - -After renaming the device in struct uart_ops sunhv_pops to "ttyHV" as well, -the inconsistency is fixed and it is possible again to determine the name -of the device file of the hypervisor console device by reading the contents -of /proc/console: - -root@osaka:~# cat /proc/consoles -ttyHV0 -W- (EC p ) 4:64 -tty0 -WU (E ) 4:1 -root@osaka:~# readlink /sys/dev/char/4:64 -../../devices/root/f02836f0/f0285690/tty/ttyHV0 -root@osaka:~# - -With this change, debian-installer works correctly when installing inside -a SPARC LDOM. - -Signed-off-by: John Paul Adrian Glaubitz -Signed-off-by: David S. 
Miller
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/tty/serial/sunhv.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/tty/serial/sunhv.c
-+++ b/drivers/tty/serial/sunhv.c
-@@ -397,7 +397,7 @@ static const struct uart_ops sunhv_pops
- static struct uart_driver sunhv_reg = {
- .owner = THIS_MODULE,
- .driver_name = "sunhv",
-- .dev_name = "ttyS",
-+ .dev_name = "ttyHV",
- .major = TTY_MAJOR,
- };
-
diff --git a/debian/patches/bugfix/x86/x86-cpufeatures-Carve-out-CQM-features-retrieval.patch b/debian/patches/bugfix/x86/x86-cpufeatures-Carve-out-CQM-features-retrieval.patch
deleted file mode 100644
index 68958e089..000000000
--- a/debian/patches/bugfix/x86/x86-cpufeatures-Carve-out-CQM-features-retrieval.patch
+++ /dev/null
@@ -1,110 +0,0 @@ -From: Borislav Petkov -Date: Wed, 19 Jun 2019 17:24:34 +0200 -Subject: x86/cpufeatures: Carve out CQM features retrieval -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=16ad0b63f382a16454cb927f2eb45b32dbb71b94 - -commit 45fc56e629caa451467e7664fbd4c797c434a6c4 upstream - -... into a separate function for better readability. Split out from a -patch from Fenghua Yu to keep the mechanical, -sole code movement separate for easy review. - -No functional changes. - -Signed-off-by: Borislav Petkov -Signed-off-by: Thomas Gleixner -Cc: Fenghua Yu -Cc: x86@kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/cpu/common.c | 60 ++++++++++++++++++++---------------- - 1 file changed, 33 insertions(+), 27 deletions(-) - -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index 1073118b9bf0..a315e475e484 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -808,6 +808,38 @@ static void init_speculation_control(struct cpuinfo_x86 *c) - } - } - -+static void init_cqm(struct cpuinfo_x86 *c) -+{ -+ u32 eax, ebx, ecx, edx; -+ -+ /* Additional Intel-defined flags: level 0x0000000F */ -+ if (c->cpuid_level >= 0x0000000F) { -+ -+ /* QoS sub-leaf, EAX=0Fh, ECX=0 */ -+ cpuid_count(0x0000000F, 0, &eax, &ebx, &ecx, &edx); -+ c->x86_capability[CPUID_F_0_EDX] = edx; -+ -+ if (cpu_has(c, X86_FEATURE_CQM_LLC)) { -+ /* will be overridden if occupancy monitoring exists */ -+ c->x86_cache_max_rmid = ebx; -+ -+ /* QoS sub-leaf, EAX=0Fh, ECX=1 */ -+ cpuid_count(0x0000000F, 1, &eax, &ebx, &ecx, &edx); -+ c->x86_capability[CPUID_F_1_EDX] = edx; -+ -+ if ((cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC)) || -+ ((cpu_has(c, X86_FEATURE_CQM_MBM_TOTAL)) || -+ (cpu_has(c, X86_FEATURE_CQM_MBM_LOCAL)))) { -+ c->x86_cache_max_rmid = ecx; -+ c->x86_cache_occ_scale = ebx; -+ } -+ } else { -+ c->x86_cache_max_rmid = -1; -+ c->x86_cache_occ_scale = -1; -+ } -+ } -+} -+ - void get_cpu_cap(struct 
cpuinfo_x86 *c) - { - u32 eax, ebx, ecx, edx; -@@ -839,33 +871,6 @@ void get_cpu_cap(struct cpuinfo_x86 *c) - c->x86_capability[CPUID_D_1_EAX] = eax; - } - -- /* Additional Intel-defined flags: level 0x0000000F */ -- if (c->cpuid_level >= 0x0000000F) { -- -- /* QoS sub-leaf, EAX=0Fh, ECX=0 */ -- cpuid_count(0x0000000F, 0, &eax, &ebx, &ecx, &edx); -- c->x86_capability[CPUID_F_0_EDX] = edx; -- -- if (cpu_has(c, X86_FEATURE_CQM_LLC)) { -- /* will be overridden if occupancy monitoring exists */ -- c->x86_cache_max_rmid = ebx; -- -- /* QoS sub-leaf, EAX=0Fh, ECX=1 */ -- cpuid_count(0x0000000F, 1, &eax, &ebx, &ecx, &edx); -- c->x86_capability[CPUID_F_1_EDX] = edx; -- -- if ((cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC)) || -- ((cpu_has(c, X86_FEATURE_CQM_MBM_TOTAL)) || -- (cpu_has(c, X86_FEATURE_CQM_MBM_LOCAL)))) { -- c->x86_cache_max_rmid = ecx; -- c->x86_cache_occ_scale = ebx; -- } -- } else { -- c->x86_cache_max_rmid = -1; -- c->x86_cache_occ_scale = -1; -- } -- } -- - /* AMD-defined flags: level 0x80000001 */ - eax = cpuid_eax(0x80000000); - c->extended_cpuid_level = eax; -@@ -896,6 +901,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c) - - init_scattered_cpuid_features(c); - init_speculation_control(c); -+ init_cqm(c); - - /* - * Clear/Set all flags overridden by options, after probe. --- -2.20.1 - diff --git a/debian/patches/bugfix/x86/x86-cpufeatures-Combine-word-11-and-12-into-a-new-sc.patch b/debian/patches/bugfix/x86/x86-cpufeatures-Combine-word-11-and-12-into-a-new-sc.patch deleted file mode 100644 index 3d78de3ef..000000000 --- a/debian/patches/bugfix/x86/x86-cpufeatures-Combine-word-11-and-12-into-a-new-sc.patch +++ /dev/null 
@@ -1,211 +0,0 @@ -From: Fenghua Yu -Date: Wed, 19 Jun 2019 18:51:09 +0200 -Subject: x86/cpufeatures: Combine word 11 and 12 into a new scattered features - word -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b5dd7f61fce44a1d5df5c63ce7bcb9e0a05ce2f7 - -commit acec0ce081de0c36459eea91647faf99296445a3 upstream - -It's a waste for the four X86_FEATURE_CQM_* feature bits to occupy two -whole feature bits words. To better utilize feature words, re-define -word 11 to host scattered features and move the four X86_FEATURE_CQM_* -features into Linux defined word 11. More scattered features can be -added in word 11 in the future. - -Rename leaf 11 in cpuid_leafs to CPUID_LNX_4 to reflect it's a -Linux-defined leaf. - -Rename leaf 12 as CPUID_DUMMY which will be replaced by a meaningful -name in the next patch when CPUID.7.1:EAX occupies world 12. - -Maximum number of RMID and cache occupancy scale are retrieved from -CPUID.0xf.1 after scattered CQM features are enumerated. Carve out the -code into a separate function. - -KVM doesn't support resctrl now. So it's safe to move the -X86_FEATURE_CQM_* features to scattered features word 11 for KVM. - -Signed-off-by: Fenghua Yu -Signed-off-by: Borislav Petkov -Signed-off-by: Thomas Gleixner -Cc: Aaron Lewis -Cc: Andy Lutomirski -Cc: Babu Moger -Cc: "Chang S. Bae" -Cc: "Sean J Christopherson" -Cc: Frederic Weisbecker -Cc: "H. Peter Anvin" -Cc: Ingo Molnar -Cc: Jann Horn -Cc: Juergen Gross -Cc: Konrad Rzeszutek Wilk -Cc: kvm ML -Cc: Masahiro Yamada -Cc: Masami Hiramatsu -Cc: Nadav Amit -Cc: Paolo Bonzini -Cc: Pavel Tatashin -Cc: Peter Feiner -Cc: "Peter Zijlstra (Intel)" -Cc: "Radim Krčmář" -Cc: "Rafael J. 
Wysocki" -Cc: Ravi V Shankar -Cc: Sherry Hurwitz -Cc: Thomas Gleixner -Cc: Thomas Lendacky -Cc: x86 -Link: https://lkml.kernel.org/r/1560794416-217638-2-git-send-email-fenghua.yu@intel.com -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/cpufeature.h | 4 ++-- - arch/x86/include/asm/cpufeatures.h | 17 +++++++------ - arch/x86/kernel/cpu/common.c | 38 ++++++++++++------------------ - arch/x86/kernel/cpu/cpuid-deps.c | 3 +++ - arch/x86/kernel/cpu/scattered.c | 4 ++++ - arch/x86/kvm/cpuid.h | 2 -- - 6 files changed, 34 insertions(+), 34 deletions(-) - -diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h -index ce95b8cbd229..68889ace9c4c 100644 ---- a/arch/x86/include/asm/cpufeature.h -+++ b/arch/x86/include/asm/cpufeature.h -@@ -22,8 +22,8 @@ enum cpuid_leafs - CPUID_LNX_3, - CPUID_7_0_EBX, - CPUID_D_1_EAX, -- CPUID_F_0_EDX, -- CPUID_F_1_EDX, -+ CPUID_LNX_4, -+ CPUID_DUMMY, - CPUID_8000_0008_EBX, - CPUID_6_EAX, - CPUID_8000_000A_EDX, -diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h -index 0cf704933f23..5041f19918f2 100644 ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -271,13 +271,16 @@ - #define X86_FEATURE_XGETBV1 (10*32+ 2) /* XGETBV with ECX = 1 instruction */ - #define X86_FEATURE_XSAVES (10*32+ 3) /* XSAVES/XRSTORS instructions */ - --/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:0 (EDX), word 11 */ --#define X86_FEATURE_CQM_LLC (11*32+ 1) /* LLC QoS if 1 */ -- --/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:1 (EDX), word 12 */ --#define X86_FEATURE_CQM_OCCUP_LLC (12*32+ 0) /* LLC occupancy monitoring */ --#define X86_FEATURE_CQM_MBM_TOTAL (12*32+ 1) /* LLC Total MBM monitoring */ --#define X86_FEATURE_CQM_MBM_LOCAL (12*32+ 2) /* LLC Local MBM monitoring */ -+/* -+ * Extended auxiliary flags: Linux defined - for features scattered in various -+ * CPUID levels like 0xf, etc. 
-+ * -+ * Reuse free bits when adding new feature flags! -+ */ -+#define X86_FEATURE_CQM_LLC (11*32+ 0) /* LLC QoS if 1 */ -+#define X86_FEATURE_CQM_OCCUP_LLC (11*32+ 1) /* LLC occupancy monitoring */ -+#define X86_FEATURE_CQM_MBM_TOTAL (11*32+ 2) /* LLC Total MBM monitoring */ -+#define X86_FEATURE_CQM_MBM_LOCAL (11*32+ 3) /* LLC Local MBM monitoring */ - - /* AMD-defined CPU features, CPUID level 0x80000008 (EBX), word 13 */ - #define X86_FEATURE_CLZERO (13*32+ 0) /* CLZERO instruction */ -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index a315e475e484..417d09f2bcaf 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -810,33 +810,25 @@ static void init_speculation_control(struct cpuinfo_x86 *c) - - static void init_cqm(struct cpuinfo_x86 *c) - { -- u32 eax, ebx, ecx, edx; -- -- /* Additional Intel-defined flags: level 0x0000000F */ -- if (c->cpuid_level >= 0x0000000F) { -+ if (!cpu_has(c, X86_FEATURE_CQM_LLC)) { -+ c->x86_cache_max_rmid = -1; -+ c->x86_cache_occ_scale = -1; -+ return; -+ } - -- /* QoS sub-leaf, EAX=0Fh, ECX=0 */ -- cpuid_count(0x0000000F, 0, &eax, &ebx, &ecx, &edx); -- c->x86_capability[CPUID_F_0_EDX] = edx; -+ /* will be overridden if occupancy monitoring exists */ -+ c->x86_cache_max_rmid = cpuid_ebx(0xf); - -- if (cpu_has(c, X86_FEATURE_CQM_LLC)) { -- /* will be overridden if occupancy monitoring exists */ -- c->x86_cache_max_rmid = ebx; -+ if (cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC) || -+ cpu_has(c, X86_FEATURE_CQM_MBM_TOTAL) || -+ cpu_has(c, X86_FEATURE_CQM_MBM_LOCAL)) { -+ u32 eax, ebx, ecx, edx; - -- /* QoS sub-leaf, EAX=0Fh, ECX=1 */ -- cpuid_count(0x0000000F, 1, &eax, &ebx, &ecx, &edx); -- c->x86_capability[CPUID_F_1_EDX] = edx; -+ /* QoS sub-leaf, EAX=0Fh, ECX=1 */ -+ cpuid_count(0xf, 1, &eax, &ebx, &ecx, &edx); - -- if ((cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC)) || -- ((cpu_has(c, X86_FEATURE_CQM_MBM_TOTAL)) || -- (cpu_has(c, X86_FEATURE_CQM_MBM_LOCAL)))) { -- c->x86_cache_max_rmid 
= ecx; -- c->x86_cache_occ_scale = ebx; -- } -- } else { -- c->x86_cache_max_rmid = -1; -- c->x86_cache_occ_scale = -1; -- } -+ c->x86_cache_max_rmid = ecx; -+ c->x86_cache_occ_scale = ebx; - } - } - -diff --git a/arch/x86/kernel/cpu/cpuid-deps.c b/arch/x86/kernel/cpu/cpuid-deps.c -index 2c0bd38a44ab..fa07a224e7b9 100644 ---- a/arch/x86/kernel/cpu/cpuid-deps.c -+++ b/arch/x86/kernel/cpu/cpuid-deps.c -@@ -59,6 +59,9 @@ static const struct cpuid_dep cpuid_deps[] = { - { X86_FEATURE_AVX512_4VNNIW, X86_FEATURE_AVX512F }, - { X86_FEATURE_AVX512_4FMAPS, X86_FEATURE_AVX512F }, - { X86_FEATURE_AVX512_VPOPCNTDQ, X86_FEATURE_AVX512F }, -+ { X86_FEATURE_CQM_OCCUP_LLC, X86_FEATURE_CQM_LLC }, -+ { X86_FEATURE_CQM_MBM_TOTAL, X86_FEATURE_CQM_LLC }, -+ { X86_FEATURE_CQM_MBM_LOCAL, X86_FEATURE_CQM_LLC }, - {} - }; - -diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c -index 772c219b6889..5a52672e3f8b 100644 ---- a/arch/x86/kernel/cpu/scattered.c -+++ b/arch/x86/kernel/cpu/scattered.c -@@ -21,6 +21,10 @@ struct cpuid_bit { - static const struct cpuid_bit cpuid_bits[] = { - { X86_FEATURE_APERFMPERF, CPUID_ECX, 0, 0x00000006, 0 }, - { X86_FEATURE_EPB, CPUID_ECX, 3, 0x00000006, 0 }, -+ { X86_FEATURE_CQM_LLC, CPUID_EDX, 1, 0x0000000f, 0 }, -+ { X86_FEATURE_CQM_OCCUP_LLC, CPUID_EDX, 0, 0x0000000f, 1 }, -+ { X86_FEATURE_CQM_MBM_TOTAL, CPUID_EDX, 1, 0x0000000f, 1 }, -+ { X86_FEATURE_CQM_MBM_LOCAL, CPUID_EDX, 2, 0x0000000f, 1 }, - { X86_FEATURE_CAT_L3, CPUID_EBX, 1, 0x00000010, 0 }, - { X86_FEATURE_CAT_L2, CPUID_EBX, 2, 0x00000010, 0 }, - { X86_FEATURE_CDP_L3, CPUID_ECX, 2, 0x00000010, 1 }, -diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h -index 9a327d5b6d1f..d78a61408243 100644 ---- a/arch/x86/kvm/cpuid.h -+++ b/arch/x86/kvm/cpuid.h -@@ -47,8 +47,6 @@ static const struct cpuid_reg reverse_cpuid[] = { - [CPUID_8000_0001_ECX] = {0x80000001, 0, CPUID_ECX}, - [CPUID_7_0_EBX] = { 7, 0, CPUID_EBX}, - [CPUID_D_1_EAX] = { 0xd, 1, CPUID_EAX}, -- [CPUID_F_0_EDX] 
= { 0xf, 0, CPUID_EDX}, -- [CPUID_F_1_EDX] = { 0xf, 1, CPUID_EDX}, - [CPUID_8000_0008_EBX] = {0x80000008, 0, CPUID_EBX}, - [CPUID_6_EAX] = { 6, 0, CPUID_EAX}, - [CPUID_8000_000A_EDX] = {0x8000000a, 0, CPUID_EDX}, --- -2.20.1 - diff --git a/debian/patches/bugfix/x86/x86-entry-64-Use-JMP-instead-of-JMPQ.patch b/debian/patches/bugfix/x86/x86-entry-64-Use-JMP-instead-of-JMPQ.patch deleted file mode 100644 index 8a65f2aee..000000000 --- a/debian/patches/bugfix/x86/x86-entry-64-Use-JMP-instead-of-JMPQ.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Josh Poimboeuf -Date: Mon, 15 Jul 2019 11:51:39 -0500 -Subject: x86/entry/64: Use JMP instead of JMPQ -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=931b6bfe8af1069fd1a494ef6ab14509ffeacdc3 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-1125 - -commit 64dbc122b20f75183d8822618c24f85144a5a94d upstream - -Somehow the swapgs mitigation entry code patch ended up with a JMPQ -instruction instead of JMP, where only the short jump is needed. Some -assembler versions apparently fail to optimize JMPQ into a two-byte JMP -when possible, instead always using a 7-byte JMP with relocation. For -some reason that makes the entry code explode with a #GP during boot. - -Change it back to "JMP" as originally intended. - -Fixes: 18ec54fdd6d1 ("x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations") -Signed-off-by: Josh Poimboeuf -Signed-off-by: Thomas Gleixner -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/entry/entry_64.S | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S -index 7d8da285e185..ccb5e3486aee 100644 ---- a/arch/x86/entry/entry_64.S -+++ b/arch/x86/entry/entry_64.S -@@ -612,7 +612,7 @@ ENTRY(interrupt_entry) - UNWIND_HINT_FUNC - - movq (%rdi), %rdi -- jmpq 2f -+ jmp 2f - 1: - FENCE_SWAPGS_KERNEL_ENTRY - 2: --- -2.20.1 - 
diff --git a/debian/patches/bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch b/debian/patches/bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch
deleted file mode 100644
index b9a6bf111..000000000
--- a/debian/patches/bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch
+++ /dev/null
@@ -1,175 +0,0 @@ -From: Jann Horn -Date: Sun, 2 Jun 2019 03:15:58 +0200 -Subject: x86/insn-eval: Fix use-after-free access to LDT entry -Origin: https://git.kernel.org/linus/de9f869616dd95e95c00bdd6b0fcd3421e8a4323 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13233 - -get_desc() computes a pointer into the LDT while holding a lock that -protects the LDT from being freed, but then drops the lock and returns the -(now potentially dangling) pointer to its caller. - -Fix it by giving the caller a copy of the LDT entry instead. - -Fixes: 670f928ba09b ("x86/insn-eval: Add utility function to get segment descriptor") -Cc: stable@vger.kernel.org -Signed-off-by: Jann Horn -Signed-off-by: Linus Torvalds ---- - arch/x86/lib/insn-eval.c | 47 ++++++++++++++++++++++++----------------------- - 1 file changed, 24 insertions(+), 23 deletions(-) - -diff --git a/arch/x86/lib/insn-eval.c b/arch/x86/lib/insn-eval.c -index cf00ab6c6621..306c3a0902ba 100644 ---- a/arch/x86/lib/insn-eval.c -+++ b/arch/x86/lib/insn-eval.c -@@ -557,7 +557,8 @@ static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, - } - - /** -- * get_desc() - Obtain pointer to a segment descriptor -+ * get_desc() - Obtain contents of a segment descriptor -+ * @out: Segment descriptor contents on success - * @sel: Segment selector - * - * Given a segment selector, obtain a pointer to the segment descriptor. -@@ -565,18 +566,18 @@ static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, - * - * Returns: - * -- * Pointer to segment descriptor on success. -+ * True on success, false on failure. - * - * NULL on error. 
- */ --static struct desc_struct *get_desc(unsigned short sel) -+static bool get_desc(struct desc_struct *out, unsigned short sel) - { - struct desc_ptr gdt_desc = {0, 0}; - unsigned long desc_base; - - #ifdef CONFIG_MODIFY_LDT_SYSCALL - if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { -- struct desc_struct *desc = NULL; -+ bool success = false; - struct ldt_struct *ldt; - - /* Bits [15:3] contain the index of the desired entry. */ -@@ -584,12 +585,14 @@ static struct desc_struct *get_desc(unsigned short sel) - - mutex_lock(¤t->active_mm->context.lock); - ldt = current->active_mm->context.ldt; -- if (ldt && sel < ldt->nr_entries) -- desc = &ldt->entries[sel]; -+ if (ldt && sel < ldt->nr_entries) { -+ *out = ldt->entries[sel]; -+ success = true; -+ } - - mutex_unlock(¤t->active_mm->context.lock); - -- return desc; -+ return success; - } - #endif - native_store_gdt(&gdt_desc); -@@ -604,9 +607,10 @@ static struct desc_struct *get_desc(unsigned short sel) - desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); - - if (desc_base > gdt_desc.size) -- return NULL; -+ return false; - -- return (struct desc_struct *)(gdt_desc.address + desc_base); -+ *out = *(struct desc_struct *)(gdt_desc.address + desc_base); -+ return true; - } - - /** -@@ -628,7 +632,7 @@ static struct desc_struct *get_desc(unsigned short sel) - */ - unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) - { -- struct desc_struct *desc; -+ struct desc_struct desc; - short sel; - - sel = get_segment_selector(regs, seg_reg_idx); -@@ -666,11 +670,10 @@ unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) - if (!sel) - return -1L; - -- desc = get_desc(sel); -- if (!desc) -+ if (!get_desc(&desc, sel)) - return -1L; - -- return get_desc_base(desc); -+ return get_desc_base(&desc); - } - - /** -@@ -692,7 +695,7 @@ unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) - */ - static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) - { -- struct 
desc_struct *desc; -+ struct desc_struct desc; - unsigned long limit; - short sel; - -@@ -706,8 +709,7 @@ static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) - if (!sel) - return 0; - -- desc = get_desc(sel); -- if (!desc) -+ if (!get_desc(&desc, sel)) - return 0; - - /* -@@ -716,8 +718,8 @@ static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) - * not tested when checking the segment limits. In practice, - * this means that the segment ends in (limit << 12) + 0xfff. - */ -- limit = get_desc_limit(desc); -- if (desc->g) -+ limit = get_desc_limit(&desc); -+ if (desc.g) - limit = (limit << 12) + 0xfff; - - return limit; -@@ -741,7 +743,7 @@ static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) - */ - int insn_get_code_seg_params(struct pt_regs *regs) - { -- struct desc_struct *desc; -+ struct desc_struct desc; - short sel; - - if (v8086_mode(regs)) -@@ -752,8 +754,7 @@ int insn_get_code_seg_params(struct pt_regs *regs) - if (sel < 0) - return sel; - -- desc = get_desc(sel); -- if (!desc) -+ if (!get_desc(&desc, sel)) - return -EINVAL; - - /* -@@ -761,10 +762,10 @@ int insn_get_code_seg_params(struct pt_regs *regs) - * determines whether a segment contains data or code. If this is a data - * segment, return error. - */ -- if (!(desc->type & BIT(3))) -+ if (!(desc.type & BIT(3))) - return -EINVAL; - -- switch ((desc->l << 1) | desc->d) { -+ switch ((desc.l << 1) | desc.d) { - case 0: /* - * Legacy mode. CS.L=0, CS.D=0. Address and operand size are - * both 16-bit. --- -cgit 1.2-0.3.lf.el7 - diff --git a/debian/patches/bugfix/x86/x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch b/debian/patches/bugfix/x86/x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch deleted file mode 100644 index 919586a4f..000000000 --- a/debian/patches/bugfix/x86/x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch +++ /dev/null 
@@ -1,261 +0,0 @@ -From: Josh Poimboeuf -Date: Mon, 8 Jul 2019 11:52:26 -0500 -Subject: x86/speculation: Enable Spectre v1 swapgs mitigations -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=23e7a7b3a75f6dd24c161bf7d1399f251bf5c109 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-1125 - -commit a2059825986a1c8143fd6698774fa9d83733bb11 upstream - -The previous commit added macro calls in the entry code which mitigate the -Spectre v1 swapgs issue if the X86_FEATURE_FENCE_SWAPGS_* features are -enabled. Enable those features where applicable. - -The mitigations may be disabled with "nospectre_v1" or "mitigations=off". - -There are different features which can affect the risk of attack: - -- When FSGSBASE is enabled, unprivileged users are able to place any - value in GS, using the wrgsbase instruction. This means they can - write a GS value which points to any value in kernel space, which can - be useful with the following gadget in an interrupt/exception/NMI - handler: - - if (coming from user space) - swapgs - mov %gs:, %reg1 - // dependent load or store based on the value of %reg - // for example: mov %(reg1), %reg2 - - If an interrupt is coming from user space, and the entry code - speculatively skips the swapgs (due to user branch mistraining), it - may speculatively execute the GS-based load and a subsequent dependent - load or store, exposing the kernel data to an L1 side channel leak. - - Note that, on Intel, a similar attack exists in the above gadget when - coming from kernel space, if the swapgs gets speculatively executed to - switch back to the user GS. On AMD, this variant isn't possible - because swapgs is serializing with respect to future GS-based - accesses. - - NOTE: The FSGSBASE patch set hasn't been merged yet, so the above case - doesn't exist quite yet. 
- -- When FSGSBASE is disabled, the issue is mitigated somewhat because - unprivileged users must use prctl(ARCH_SET_GS) to set GS, which - restricts GS values to user space addresses only. That means the - gadget would need an additional step, since the target kernel address - needs to be read from user space first. Something like: - - if (coming from user space) - swapgs - mov %gs:, %reg1 - mov (%reg1), %reg2 - // dependent load or store based on the value of %reg2 - // for example: mov %(reg2), %reg3 - - It's difficult to audit for this gadget in all the handlers, so while - there are no known instances of it, it's entirely possible that it - exists somewhere (or could be introduced in the future). Without - tooling to analyze all such code paths, consider it vulnerable. - - Effects of SMAP on the !FSGSBASE case: - - - If SMAP is enabled, and the CPU reports RDCL_NO (i.e., not - susceptible to Meltdown), the kernel is prevented from speculatively - reading user space memory, even L1 cached values. This effectively - disables the !FSGSBASE attack vector. - - - If SMAP is enabled, but the CPU *is* susceptible to Meltdown, SMAP - still prevents the kernel from speculatively reading user space - memory. But it does *not* prevent the kernel from reading the - user value from L1, if it has already been cached. This is probably - only a small hurdle for an attacker to overcome. - -Thanks to Dave Hansen for contributing the speculative_smap() function. - -Thanks to Andrew Cooper for providing the inside scoop on whether swapgs -is serializing on AMD. 
- -[ tglx: Fixed the USER fence decision and polished the comment as suggested - by Dave Hansen ] - -Signed-off-by: Josh Poimboeuf -Signed-off-by: Thomas Gleixner -Reviewed-by: Dave Hansen -Signed-off-by: Greg Kroah-Hartman ---- - .../admin-guide/kernel-parameters.txt | 7 +- - arch/x86/kernel/cpu/bugs.c | 115 ++++++++++++++++-- - 2 files changed, 110 insertions(+), 12 deletions(-) - ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -2515,6 +2515,7 @@ - Equivalent to: nopti [X86,PPC] - nospectre_v1 [PPC] - nobp=0 [S390] -+ nospectre_v1 [X86] - nospectre_v2 [X86,PPC,S390] - spectre_v2_user=off [X86] - spec_store_bypass_disable=off [X86,PPC] -@@ -2861,9 +2862,9 @@ - nosmt=force: Force disable SMT, cannot be undone - via the sysfs control file. - -- nospectre_v1 [PPC] Disable mitigations for Spectre Variant 1 (bounds -- check bypass). With this option data leaks are possible -- in the system. -+ nospectre_v1 [X66, PPC] Disable mitigations for Spectre Variant 1 -+ (bounds check bypass). With this option data leaks -+ are possible in the system. - - nospectre_v2 [X86] Disable all mitigations for the Spectre variant 2 - (indirect branch prediction) vulnerability. 
System may ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -32,6 +32,7 @@ - #include - #include - -+static void __init spectre_v1_select_mitigation(void); - static void __init spectre_v2_select_mitigation(void); - static void __init ssb_select_mitigation(void); - static void __init l1tf_select_mitigation(void); -@@ -96,17 +97,11 @@ void __init check_bugs(void) - if (boot_cpu_has(X86_FEATURE_STIBP)) - x86_spec_ctrl_mask |= SPEC_CTRL_STIBP; - -- /* Select the proper spectre mitigation before patching alternatives */ -+ /* Select the proper CPU mitigations before patching alternatives: */ -+ spectre_v1_select_mitigation(); - spectre_v2_select_mitigation(); -- -- /* -- * Select proper mitigation for any exposure to the Speculative Store -- * Bypass vulnerability. -- */ - ssb_select_mitigation(); -- - l1tf_select_mitigation(); -- - mds_select_mitigation(); - - arch_smt_update(); -@@ -272,6 +267,108 @@ static int __init mds_cmdline(char *str) - early_param("mds", mds_cmdline); - - #undef pr_fmt -+#define pr_fmt(fmt) "Spectre V1 : " fmt -+ -+enum spectre_v1_mitigation { -+ SPECTRE_V1_MITIGATION_NONE, -+ SPECTRE_V1_MITIGATION_AUTO, -+}; -+ -+static enum spectre_v1_mitigation spectre_v1_mitigation __ro_after_init = -+ SPECTRE_V1_MITIGATION_AUTO; -+ -+static const char * const spectre_v1_strings[] = { -+ [SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers", -+ [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization", -+}; -+ -+static bool is_swapgs_serializing(void) -+{ -+ /* -+ * Technically, swapgs isn't serializing on AMD (despite it previously -+ * being documented as such in the APM). But according to AMD, %gs is -+ * updated non-speculatively, and the issuing of %gs-relative memory -+ * operands will be blocked until the %gs update completes, which is -+ * good enough for our purposes. 
-+ */ -+ return boot_cpu_data.x86_vendor == X86_VENDOR_AMD; -+} -+ -+/* -+ * Does SMAP provide full mitigation against speculative kernel access to -+ * userspace? -+ */ -+static bool smap_works_speculatively(void) -+{ -+ if (!boot_cpu_has(X86_FEATURE_SMAP)) -+ return false; -+ -+ /* -+ * On CPUs which are vulnerable to Meltdown, SMAP does not -+ * prevent speculative access to user data in the L1 cache. -+ * Consider SMAP to be non-functional as a mitigation on these -+ * CPUs. -+ */ -+ if (boot_cpu_has(X86_BUG_CPU_MELTDOWN)) -+ return false; -+ -+ return true; -+} -+ -+static void __init spectre_v1_select_mitigation(void) -+{ -+ if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) { -+ spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE; -+ return; -+ } -+ -+ if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) { -+ /* -+ * With Spectre v1, a user can speculatively control either -+ * path of a conditional swapgs with a user-controlled GS -+ * value. The mitigation is to add lfences to both code paths. -+ * -+ * If FSGSBASE is enabled, the user can put a kernel address in -+ * GS, in which case SMAP provides no protection. -+ * -+ * [ NOTE: Don't check for X86_FEATURE_FSGSBASE until the -+ * FSGSBASE enablement patches have been merged. ] -+ * -+ * If FSGSBASE is disabled, the user can only put a user space -+ * address in GS. That makes an attack harder, but still -+ * possible if there's no SMAP protection. -+ */ -+ if (!smap_works_speculatively()) { -+ /* -+ * Mitigation can be provided from SWAPGS itself or -+ * PTI as the CR3 write in the Meltdown mitigation -+ * is serializing. -+ * -+ * If neither is there, mitigate with an LFENCE. -+ */ -+ if (!is_swapgs_serializing() && !boot_cpu_has(X86_FEATURE_PTI)) -+ setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER); -+ -+ /* -+ * Enable lfences in the kernel entry (non-swapgs) -+ * paths, to prevent user entry from speculatively -+ * skipping swapgs. 
-+ */ -+ setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL); -+ } -+ } -+ -+ pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]); -+} -+ -+static int __init nospectre_v1_cmdline(char *str) -+{ -+ spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE; -+ return 0; -+} -+early_param("nospectre_v1", nospectre_v1_cmdline); -+ -+#undef pr_fmt - #define pr_fmt(fmt) "Spectre V2 : " fmt - - static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = -@@ -1249,7 +1346,7 @@ static ssize_t cpu_show_common(struct de - break; - - case X86_BUG_SPECTRE_V1: -- return sprintf(buf, "Mitigation: __user pointer sanitization\n"); -+ return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]); - - case X86_BUG_SPECTRE_V2: - return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], diff --git a/debian/patches/bugfix/x86/x86-speculation-Prepare-entry-code-for-Spectre-v1-sw.patch b/debian/patches/bugfix/x86/x86-speculation-Prepare-entry-code-for-Spectre-v1-sw.patch deleted file mode 100644 index f47559b40..000000000 --- a/debian/patches/bugfix/x86/x86-speculation-Prepare-entry-code-for-Spectre-v1-sw.patch +++ /dev/null 
@@ -1,200 +0,0 @@ -From: Josh Poimboeuf -Date: Mon, 8 Jul 2019 11:52:25 -0500 -Subject: x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=befb822c062b4c3d93380a58d5fd479395e8b267 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-1125 - -commit 18ec54fdd6d18d92025af097cd042a75cf0ea24c upstream - -Spectre v1 isn't only about array bounds checks. It can affect any -conditional checks. The kernel entry code interrupt, exception, and NMI -handlers all have conditional swapgs checks. Those may be problematic in -the context of Spectre v1, as kernel code can speculatively run with a user -GS. - -For example: - - if (coming from user space) - swapgs - mov %gs:, %reg - mov (%reg), %reg1 - -When coming from user space, the CPU can speculatively skip the swapgs, and -then do a speculative percpu load using the user GS value. So the user can -speculatively force a read of any kernel value. If a gadget exists which -uses the percpu value as an address in another load/store, then the -contents of the kernel value may become visible via an L1 side channel -attack. - -A similar attack exists when coming from kernel space. The CPU can -speculatively do the swapgs, causing the user GS to get used for the rest -of the speculative window. - -The mitigation is similar to a traditional Spectre v1 mitigation, except: - - a) index masking isn't possible; because the index (percpu offset) - isn't user-controlled; and - - b) an lfence is needed in both the "from user" swapgs path and the - "from kernel" non-swapgs path (because of the two attacks described - above). - -The user entry swapgs paths already have SWITCH_TO_KERNEL_CR3, which has a -CR3 write when PTI is enabled. Since CR3 writes are serializing, the -lfences can be skipped in those cases. - -On the other hand, the kernel entry swapgs paths don't depend on PTI. 
- -To avoid unnecessary lfences for the user entry case, create two separate -features for alternative patching: - - X86_FEATURE_FENCE_SWAPGS_USER - X86_FEATURE_FENCE_SWAPGS_KERNEL - -Use these features in entry code to patch in lfences where needed. - -The features aren't enabled yet, so there's no functional change. - -Signed-off-by: Josh Poimboeuf -Signed-off-by: Thomas Gleixner -Reviewed-by: Dave Hansen -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/entry/calling.h | 17 +++++++++++++++++ - arch/x86/entry/entry_64.S | 21 ++++++++++++++++++--- - arch/x86/include/asm/cpufeatures.h | 2 ++ - 3 files changed, 37 insertions(+), 3 deletions(-) - -diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h -index e699b2041665..578b5455334f 100644 ---- a/arch/x86/entry/calling.h -+++ b/arch/x86/entry/calling.h -@@ -329,6 +329,23 @@ For 32-bit we have the following conventions - kernel is built with - - #endif - -+/* -+ * Mitigate Spectre v1 for conditional swapgs code paths. -+ * -+ * FENCE_SWAPGS_USER_ENTRY is used in the user entry swapgs code path, to -+ * prevent a speculative swapgs when coming from kernel space. -+ * -+ * FENCE_SWAPGS_KERNEL_ENTRY is used in the kernel entry non-swapgs code path, -+ * to prevent the swapgs from getting speculatively skipped when coming from -+ * user space. -+ */ -+.macro FENCE_SWAPGS_USER_ENTRY -+ ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_USER -+.endm -+.macro FENCE_SWAPGS_KERNEL_ENTRY -+ ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_KERNEL -+.endm -+ - #endif /* CONFIG_X86_64 */ - - /* -diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S -index e7572a209fbe..7d8da285e185 100644 ---- a/arch/x86/entry/entry_64.S -+++ b/arch/x86/entry/entry_64.S -@@ -582,7 +582,7 @@ ENTRY(interrupt_entry) - testb $3, CS-ORIG_RAX+8(%rsp) - jz 1f - SWAPGS -- -+ FENCE_SWAPGS_USER_ENTRY - /* - * Switch to the thread stack. The IRET frame and orig_ax are - * on the stack, as well as the return address. 
RDI..R12 are -@@ -612,8 +612,10 @@ ENTRY(interrupt_entry) - UNWIND_HINT_FUNC - - movq (%rdi), %rdi -+ jmpq 2f - 1: -- -+ FENCE_SWAPGS_KERNEL_ENTRY -+2: - PUSH_AND_CLEAR_REGS save_ret=1 - ENCODE_FRAME_POINTER 8 - -@@ -1240,6 +1242,13 @@ ENTRY(paranoid_entry) - */ - SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14 - -+ /* -+ * The above SAVE_AND_SWITCH_TO_KERNEL_CR3 macro doesn't do an -+ * unconditional CR3 write, even in the PTI case. So do an lfence -+ * to prevent GS speculation, regardless of whether PTI is enabled. -+ */ -+ FENCE_SWAPGS_KERNEL_ENTRY -+ - ret - END(paranoid_entry) - -@@ -1290,6 +1299,7 @@ ENTRY(error_entry) - * from user mode due to an IRET fault. - */ - SWAPGS -+ FENCE_SWAPGS_USER_ENTRY - /* We have user CR3. Change to kernel CR3. */ - SWITCH_TO_KERNEL_CR3 scratch_reg=%rax - -@@ -1311,6 +1321,8 @@ ENTRY(error_entry) - CALL_enter_from_user_mode - ret - -+.Lerror_entry_done_lfence: -+ FENCE_SWAPGS_KERNEL_ENTRY - .Lerror_entry_done: - TRACE_IRQS_OFF - ret -@@ -1329,7 +1341,7 @@ ENTRY(error_entry) - cmpq %rax, RIP+8(%rsp) - je .Lbstep_iret - cmpq $.Lgs_change, RIP+8(%rsp) -- jne .Lerror_entry_done -+ jne .Lerror_entry_done_lfence - - /* - * hack: .Lgs_change can fail with user gsbase. If this happens, fix up -@@ -1337,6 +1349,7 @@ ENTRY(error_entry) - * .Lgs_change's error handler with kernel gsbase. - */ - SWAPGS -+ FENCE_SWAPGS_USER_ENTRY - SWITCH_TO_KERNEL_CR3 scratch_reg=%rax - jmp .Lerror_entry_done - -@@ -1351,6 +1364,7 @@ ENTRY(error_entry) - * gsbase and CR3. 
Switch to kernel gsbase and CR3: - */ - SWAPGS -+ FENCE_SWAPGS_USER_ENTRY - SWITCH_TO_KERNEL_CR3 scratch_reg=%rax - - /* -@@ -1442,6 +1456,7 @@ ENTRY(nmi) - - swapgs - cld -+ FENCE_SWAPGS_USER_ENTRY - SWITCH_TO_KERNEL_CR3 scratch_reg=%rdx - movq %rsp, %rdx - movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp -diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h -index 5041f19918f2..e0f47f6a1017 100644 ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -281,6 +281,8 @@ - #define X86_FEATURE_CQM_OCCUP_LLC (11*32+ 1) /* LLC occupancy monitoring */ - #define X86_FEATURE_CQM_MBM_TOTAL (11*32+ 2) /* LLC Total MBM monitoring */ - #define X86_FEATURE_CQM_MBM_LOCAL (11*32+ 3) /* LLC Local MBM monitoring */ -+#define X86_FEATURE_FENCE_SWAPGS_USER (11*32+ 4) /* "" LFENCE in user entry SWAPGS path */ -+#define X86_FEATURE_FENCE_SWAPGS_KERNEL (11*32+ 5) /* "" LFENCE in kernel entry SWAPGS path */ - - /* AMD-defined CPU features, CPUID level 0x80000008 (EBX), word 13 */ - #define X86_FEATURE_CLZERO (13*32+ 0) /* CLZERO instruction */ --- -2.20.1 - diff --git a/debian/patches/bugfix/x86/x86-speculation-swapgs-Exclude-ATOMs-from-speculatio.patch b/debian/patches/bugfix/x86/x86-speculation-swapgs-Exclude-ATOMs-from-speculatio.patch deleted file mode 100644 index d466887ba..000000000 --- a/debian/patches/bugfix/x86/x86-speculation-swapgs-Exclude-ATOMs-from-speculatio.patch +++ /dev/null 
@@ -1,159 +0,0 @@ -From: Thomas Gleixner -Date: Wed, 17 Jul 2019 21:18:59 +0200 -Subject: x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b88241aef6f1654417bb281546da316ffab57807 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-1125 - -commit f36cf386e3fec258a341d446915862eded3e13d8 upstream - -Intel provided the following information: - - On all current Atom processors, instructions that use a segment register - value (e.g. a load or store) will not speculatively execute before the - last writer of that segment retires. Thus they will not use a - speculatively written segment value. - -That means on ATOMs there is no speculation through SWAPGS, so the SWAPGS -entry paths can be excluded from the extra LFENCE if PTI is disabled. - -Create a separate bug flag for the through SWAPGS speculation and mark all -out-of-order ATOMs and AMD/HYGON CPUs as not affected. The in-order ATOMs -are excluded from the whole mitigation mess anyway. 
- -Reported-by: Andrew Cooper -Signed-off-by: Thomas Gleixner -Reviewed-by: Tyler Hicks -Reviewed-by: Josh Poimboeuf -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/cpufeatures.h | 1 + - arch/x86/kernel/cpu/bugs.c | 18 +++---------- - arch/x86/kernel/cpu/common.c | 42 +++++++++++++++++++----------- - 3 files changed, 32 insertions(+), 29 deletions(-) - -diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h -index e0f47f6a1017..759f0a176612 100644 ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -388,5 +388,6 @@ - #define X86_BUG_L1TF X86_BUG(18) /* CPU is affected by L1 Terminal Fault */ - #define X86_BUG_MDS X86_BUG(19) /* CPU is affected by Microarchitectural data sampling */ - #define X86_BUG_MSBDS_ONLY X86_BUG(20) /* CPU is only affected by the MSDBS variant of BUG_MDS */ -+#define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */ - - #endif /* _ASM_X86_CPUFEATURES_H */ -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index 844ad5d3ef51..ee7d17611ead 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -282,18 +282,6 @@ static const char * const spectre_v1_strings[] = { - [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization", - }; - --static bool is_swapgs_serializing(void) --{ -- /* -- * Technically, swapgs isn't serializing on AMD (despite it previously -- * being documented as such in the APM). But according to AMD, %gs is -- * updated non-speculatively, and the issuing of %gs-relative memory -- * operands will be blocked until the %gs update completes, which is -- * good enough for our purposes. -- */ -- return boot_cpu_data.x86_vendor == X86_VENDOR_AMD; --} -- - /* - * Does SMAP provide full mitigation against speculative kernel access to - * userspace? 
-@@ -344,9 +332,11 @@ static void __init spectre_v1_select_mitigation(void) - * PTI as the CR3 write in the Meltdown mitigation - * is serializing. - * -- * If neither is there, mitigate with an LFENCE. -+ * If neither is there, mitigate with an LFENCE to -+ * stop speculation through swapgs. - */ -- if (!is_swapgs_serializing() && !boot_cpu_has(X86_FEATURE_PTI)) -+ if (boot_cpu_has_bug(X86_BUG_SWAPGS) && -+ !boot_cpu_has(X86_FEATURE_PTI)) - setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER); - - /* -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index 417d09f2bcaf..b33fdfa0ff49 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -952,6 +952,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c) - #define NO_L1TF BIT(3) - #define NO_MDS BIT(4) - #define MSBDS_ONLY BIT(5) -+#define NO_SWAPGS BIT(6) - - #define VULNWL(_vendor, _family, _model, _whitelist) \ - { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist } -@@ -975,29 +976,37 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = { - VULNWL_INTEL(ATOM_BONNELL, NO_SPECULATION), - VULNWL_INTEL(ATOM_BONNELL_MID, NO_SPECULATION), - -- VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY), -- VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY), -- VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY), -- VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY), -- VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY), -- VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY), -+ VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), -+ VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), -+ VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), -+ VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), -+ VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), -+ 
VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), - - VULNWL_INTEL(CORE_YONAH, NO_SSB), - -- VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY), -+ VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY | NO_SWAPGS), - -- VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF), -- VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF), -- VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF), -+ VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS), -+ VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS), -+ VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS), -+ -+ /* -+ * Technically, swapgs isn't serializing on AMD (despite it previously -+ * being documented as such in the APM). But according to AMD, %gs is -+ * updated non-speculatively, and the issuing of %gs-relative memory -+ * operands will be blocked until the %gs update completes, which is -+ * good enough for our purposes. -+ */ - - /* AMD Family 0xf - 0x12 */ -- VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), -- VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), -- VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), -- VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), -+ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), -+ VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), -+ VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), -+ VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), - - /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */ -- VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS), -+ VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS), - {} - }; - -@@ -1034,6 +1043,9 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) - setup_force_cpu_bug(X86_BUG_MSBDS_ONLY); - } - -+ if (!cpu_matches(NO_SWAPGS)) -+ setup_force_cpu_bug(X86_BUG_SWAPGS); -+ - if (cpu_matches(NO_MELTDOWN)) - return; - --- -2.20.1 - 
diff --git a/debian/patches/features/all/aufs4/aufs4-mmap.patch b/debian/patches/features/all/aufs4/aufs4-mmap.patch index fe5f1c12d..795419f67 100644 --- a/debian/patches/features/all/aufs4/aufs4-mmap.patch +++ b/debian/patches/features/all/aufs4/aufs4-mmap.patch @@ -9,12 +9,10 @@ Patch headers added by debian/patches/features/all/aufs4/gen-patch SPDX-License-Identifier: GPL-2.0 aufs4.x-rcN mmap patch -diff --git a/fs/proc/base.c b/fs/proc/base.c -index ccf86f1..a44e9d9 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c -@@ -2002,7 +2002,7 @@ static int map_files_get_link(struct dentry *dentry, struct path *path) - down_read(&mm->mmap_sem); +@@ -2036,7 +2036,7 @@ static int map_files_get_link(struct den + rc = -ENOENT; vma = find_exact_vma(mm, vm_start, vm_end); if (vma && vma->vm_file) { - *path = vma->vm_file->f_path; @@ -22,11 +20,9 @@ index ccf86f1..a44e9d9 100644 path_get(path); rc = 0; } -diff --git a/fs/proc/nommu.c b/fs/proc/nommu.c -index 3b63be6..fb9913b 100644 --- a/fs/proc/nommu.c +++ b/fs/proc/nommu.c -@@ -45,7 +45,10 @@ static int nommu_region_show(struct seq_file *m, struct vm_region *region) +@@ -45,7 +45,10 @@ static int nommu_region_show(struct seq_ file = region->vm_file; if (file) { @@ -38,11 +34,9 @@ index 3b63be6..fb9913b 100644 dev = inode->i_sb->s_dev; ino = inode->i_ino; } -diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index 5ea1d64..7865a470 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c -@@ -305,7 +305,10 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -309,7 +309,10 @@ show_map_vma(struct seq_file *m, struct const char *name = NULL; if (file) { 
@@ -54,7 +48,7 @@ index 5ea1d64..7865a470 100644 dev = inode->i_sb->s_dev; ino = inode->i_ino; pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT; -@@ -1727,7 +1730,7 @@ static int show_numa_map(struct seq_file *m, void *v) +@@ -1766,7 +1769,7 @@ static int show_numa_map(struct seq_file struct proc_maps_private *proc_priv = &numa_priv->proc_maps; struct vm_area_struct *vma = v; struct numa_maps *md = &numa_priv->md; @@ -63,11 +57,9 @@ index 5ea1d64..7865a470 100644 struct mm_struct *mm = vma->vm_mm; struct mm_walk walk = { .hugetlb_entry = gather_hugetlb_stats, -diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c -index 0b63d68..400d1c5 100644 --- a/fs/proc/task_nommu.c +++ b/fs/proc/task_nommu.c -@@ -155,7 +155,10 @@ static int nommu_vma_show(struct seq_file *m, struct vm_area_struct *vma) +@@ -155,7 +155,10 @@ static int nommu_vma_show(struct seq_fil file = vma->vm_file; if (file) { @@ -79,11 +71,9 @@ index 0b63d68..400d1c5 100644 dev = inode->i_sb->s_dev; ino = inode->i_ino; pgoff = (loff_t)vma->vm_pgoff << PAGE_SHIFT; -diff --git a/include/linux/mm.h b/include/linux/mm.h -index a61ebe8..111f031 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h -@@ -1440,6 +1440,28 @@ static inline void unmap_shared_mapping_range(struct address_space *mapping, +@@ -1453,6 +1453,28 @@ static inline void unmap_shared_mapping_ unmap_mapping_range(mapping, holebegin, holelen, 0); } @@ -112,8 +102,6 @@ index a61ebe8..111f031 100644 extern int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, unsigned int gup_flags); extern int access_remote_vm(struct mm_struct *mm, unsigned long addr, -diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h -index cd2bc93..e499e57 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -239,6 +239,7 @@ struct vm_region { 
@@ -132,11 +120,9 @@ index cd2bc93..e499e57 100644 void * vm_private_data; /* was vm_pte (shared mem) */ atomic_long_t swap_readahead_info; -diff --git a/kernel/fork.c b/kernel/fork.c -index d896e9c..ea800e9 100644 --- a/kernel/fork.c +++ b/kernel/fork.c -@@ -505,7 +505,7 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm, +@@ -505,7 +505,7 @@ static __latent_entropy int dup_mmap(str struct inode *inode = file_inode(file); struct address_space *mapping = file->f_mapping; @@ -145,11 +131,9 @@ index d896e9c..ea800e9 100644 if (tmp->vm_flags & VM_DENYWRITE) atomic_dec(&inode->i_writecount); i_mmap_lock_write(mapping); -diff --git a/mm/Makefile b/mm/Makefile -index 8716bda..68afd6d 100644 --- a/mm/Makefile +++ b/mm/Makefile -@@ -39,7 +39,7 @@ obj-y := filemap.o mempool.o oom_kill.o \ +@@ -39,7 +39,7 @@ obj-y := filemap.o mempool.o oom_kill. mm_init.o mmu_context.o percpu.o slab_common.o \ compaction.o vmacache.o \ interval_tree.o list_lru.o workingset.o \ @@ -158,11 +142,9 @@ index 8716bda..68afd6d 100644 obj-y += init-mm.o -diff --git a/mm/filemap.c b/mm/filemap.c -index 52517f2..250f675 100644 --- a/mm/filemap.c +++ b/mm/filemap.c -@@ -2700,7 +2700,7 @@ vm_fault_t filemap_page_mkwrite(struct vm_fault *vmf) +@@ -2722,7 +2722,7 @@ vm_fault_t filemap_page_mkwrite(struct v vm_fault_t ret = VM_FAULT_LOCKED; sb_start_pagefault(inode->i_sb); @@ -171,11 +153,9 @@ index 52517f2..250f675 100644 lock_page(page); if (page->mapping != inode->i_mapping) { unlock_page(page); -diff --git a/mm/mmap.c b/mm/mmap.c -index 5f2b2b1..d71330c 100644 --- a/mm/mmap.c +++ b/mm/mmap.c -@@ -180,7 +180,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) +@@ -181,7 +181,7 @@ static struct vm_area_struct *remove_vma if (vma->vm_ops && vma->vm_ops->close) vma->vm_ops->close(vma); if (vma->vm_file) 
@@ -184,7 +164,7 @@ index 5f2b2b1..d71330c 100644 mpol_put(vma_policy(vma)); vm_area_free(vma); return next; -@@ -905,7 +905,7 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start, +@@ -906,7 +906,7 @@ again: if (remove_next) { if (file) { uprobe_munmap(next, next->vm_start, next->vm_end); @@ -193,7 +173,7 @@ index 5f2b2b1..d71330c 100644 } if (next->anon_vma) anon_vma_merge(vma, next); -@@ -1821,8 +1821,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1822,8 +1822,8 @@ out: return addr; unmap_and_free_vma: @@ -203,7 +183,7 @@ index 5f2b2b1..d71330c 100644 /* Undo any partial mapping done by a device driver. */ unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); -@@ -2641,7 +2641,7 @@ int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2645,7 +2645,7 @@ int __split_vma(struct mm_struct *mm, st goto out_free_mpol; if (new->vm_file) @@ -212,7 +192,7 @@ index 5f2b2b1..d71330c 100644 if (new->vm_ops && new->vm_ops->open) new->vm_ops->open(new); -@@ -2660,7 +2660,7 @@ int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2664,7 +2664,7 @@ int __split_vma(struct mm_struct *mm, st if (new->vm_ops && new->vm_ops->close) new->vm_ops->close(new); if (new->vm_file) @@ -221,7 +201,7 @@ index 5f2b2b1..d71330c 100644 unlink_anon_vmas(new); out_free_mpol: mpol_put(vma_policy(new)); -@@ -2822,7 +2822,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, +@@ -2826,7 +2826,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign struct vm_area_struct *vma; unsigned long populate = 0; unsigned long ret = -EINVAL; @@ -230,7 +210,7 @@ index 5f2b2b1..d71330c 100644 pr_warn_once("%s (%d) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.rst.\n", current->comm, current->pid); -@@ -2897,10 +2897,27 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, +@@ -2901,10 +2901,27 @@ SYSCALL_DEFINE5(remap_file_pages, unsign } } 
@@ -259,7 +239,7 @@ index 5f2b2b1..d71330c 100644 out: up_write(&mm->mmap_sem); if (populate)
-@@ -3206,7 +3223,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -3210,7 +3227,7 @@ struct vm_area_struct *copy_vma(struct v if (anon_vma_clone(new_vma, vma)) goto out_free_mempol; if (new_vma->vm_file)
@@ -268,11 +248,9 @@ index 5f2b2b1..d71330c 100644 if (new_vma->vm_ops && new_vma->vm_ops->open) new_vma->vm_ops->open(new_vma); vma_link(mm, new_vma, prev, rb_link, rb_parent);
-diff --git a/mm/nommu.c b/mm/nommu.c
-index e4aac33..b27b200 100644
 --- a/mm/nommu.c
 +++ b/mm/nommu.c
-@@ -625,7 +625,7 @@ static void __put_nommu_region(struct vm_region *region)
+@@ -625,7 +625,7 @@ static void __put_nommu_region(struct vm up_write(&nommu_region_sem); if (region->vm_file)
@@ -281,7 +259,7 @@ index e4aac33..b27b200 100644 /* IO memory and memory shared directly out of the pagecache * from ramfs/tmpfs mustn't be released here */
-@@ -763,7 +763,7 @@ static void delete_vma(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -763,7 +763,7 @@ static void delete_vma(struct mm_struct if (vma->vm_ops && vma->vm_ops->close) vma->vm_ops->close(vma); if (vma->vm_file)
@@ -299,7 +277,7 @@ index e4aac33..b27b200 100644 kmem_cache_free(vm_region_jar, region); region = pregion; result = start;
-@@ -1361,7 +1361,7 @@ unsigned long do_mmap(struct file *file,
+@@ -1361,7 +1361,7 @@ error_just_free: up_write(&nommu_region_sem); error: if (region->vm_file)
@@ -308,9 +286,6 @@ index e4aac33..b27b200 100644 kmem_cache_free(vm_region_jar, region); if (vma->vm_file) fput(vma->vm_file);
-diff --git a/mm/prfile.c b/mm/prfile.c
-new file mode 100644
-index 0000000..a27ac36
 --- /dev/null
 +++ b/mm/prfile.c
 @@ -0,0 +1,86 @@
diff --git a/debian/patches/features/all/ena/0003-net-ena-complete-host-info-to-match-latest-ENA-spec.patch b/debian/patches/features/all/ena/0003-net-ena-complete-host-info-to-match-latest-ENA-spec.patch
index 381544ab4..398028799 100644
--- a/debian/patches/features/all/ena/0003-net-ena-complete-host-info-to-match-latest-ENA-spec.patch +++ b/debian/patches/features/all/ena/0003-net-ena-complete-host-info-to-match-latest-ENA-spec.patch @@ -15,8 +15,6 @@ Signed-off-by: David S. Miller drivers/net/ethernet/amazon/ena/ena_netdev.c | 10 ++++-- 4 files changed, 43 insertions(+), 14 deletions(-) -diff --git a/drivers/net/ethernet/amazon/ena/ena_admin_defs.h b/drivers/net/ethernet/amazon/ena/ena_admin_defs.h -index 4532e574ebcd..d735164efea3 100644 --- a/drivers/net/ethernet/amazon/ena/ena_admin_defs.h +++ b/drivers/net/ethernet/amazon/ena/ena_admin_defs.h @@ -63,6 +63,8 @@ enum ena_admin_aq_completion_status { @@ -68,7 +66,7 @@ index 4532e574ebcd..d735164efea3 100644 }; struct ena_admin_rss_ind_table_entry { -@@ -1008,6 +1030,13 @@ struct ena_admin_ena_mmio_req_read_less_resp { +@@ -1008,6 +1030,13 @@ struct ena_admin_ena_mmio_req_read_less_ #define ENA_ADMIN_HOST_INFO_MINOR_MASK GENMASK(15, 8) #define ENA_ADMIN_HOST_INFO_SUB_MINOR_SHIFT 16 #define ENA_ADMIN_HOST_INFO_SUB_MINOR_MASK GENMASK(23, 16) @@ -82,8 +80,6 @@ index 4532e574ebcd..d735164efea3 100644 /* aenq_common_desc */ #define ENA_ADMIN_AENQ_COMMON_DESC_PHASE_MASK BIT(0) -diff --git a/drivers/net/ethernet/amazon/ena/ena_com.c b/drivers/net/ethernet/amazon/ena/ena_com.c -index 7635c38e77dd..b6e6a4721931 100644 --- a/drivers/net/ethernet/amazon/ena/ena_com.c +++ b/drivers/net/ethernet/amazon/ena/ena_com.c @@ -41,9 +41,6 @@ @@ -96,7 +92,7 @@ index 7635c38e77dd..b6e6a4721931 100644 #define ENA_CTRL_MAJOR 0 #define ENA_CTRL_MINOR 0 -@@ -1400,11 +1397,6 @@ int ena_com_validate_version(struct ena_com_dev *ena_dev) +@@ -1400,11 +1397,6 @@ int ena_com_validate_version(struct ena_ ENA_REGS_VERSION_MAJOR_VERSION_SHIFT, ver & ENA_REGS_VERSION_MINOR_VERSION_MASK); 
@@ -108,7 +104,7 @@ index 7635c38e77dd..b6e6a4721931 100644 pr_info("ena controller version: %d.%d.%d implementation version %d\n", (ctrl_ver & ENA_REGS_CONTROLLER_VERSION_MAJOR_VERSION_MASK) >> ENA_REGS_CONTROLLER_VERSION_MAJOR_VERSION_SHIFT, -@@ -2441,6 +2433,10 @@ int ena_com_allocate_host_info(struct ena_com_dev *ena_dev) +@@ -2441,6 +2433,10 @@ int ena_com_allocate_host_info(struct en if (unlikely(!host_attr->host_info)) return -ENOMEM; @@ -119,8 +115,6 @@ index 7635c38e77dd..b6e6a4721931 100644 return 0; } -diff --git a/drivers/net/ethernet/amazon/ena/ena_common_defs.h b/drivers/net/ethernet/amazon/ena/ena_common_defs.h -index bb8d73676eab..23beb7e7ed7b 100644 --- a/drivers/net/ethernet/amazon/ena/ena_common_defs.h +++ b/drivers/net/ethernet/amazon/ena/ena_common_defs.h @@ -32,8 +32,8 @@ @@ -134,11 +128,9 @@ index bb8d73676eab..23beb7e7ed7b 100644 /* ENA operates with 48-bit memory addresses. ena_mem_addr_t */ struct ena_common_mem_addr { -diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c -index 69a49784b204..0c9c0d3ce856 100644 --- a/drivers/net/ethernet/amazon/ena/ena_netdev.c +++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c -@@ -2206,7 +2206,8 @@ static u16 ena_select_queue(struct net_device *dev, struct sk_buff *skb, +@@ -2206,7 +2206,8 @@ static u16 ena_select_queue(struct net_d return qid; } 
@@ -148,15 +140,15 @@ index 69a49784b204..0c9c0d3ce856 100644 { struct ena_admin_host_info *host_info; int rc;
-@@ -2220,6 +2221,7 @@ static void ena_config_host_info(struct ena_com_dev *ena_dev)
+@@ -2220,6 +2221,7 @@ static void ena_config_host_info(struct host_info = ena_dev->host_attr.host_info; + host_info->bdf = (pdev->bus->number << 8) | pdev->devfn; host_info->os_type = ENA_ADMIN_OS_LINUX; host_info->kernel_ver = LINUX_VERSION_CODE; - strncpy(host_info->kernel_ver_str, utsname()->version, + strlcpy(host_info->kernel_ver_str, utsname()->version,
-@@ -2230,7 +2232,9 @@ static void ena_config_host_info(struct ena_com_dev *ena_dev)
+@@ -2230,7 +2232,9 @@ static void ena_config_host_info(struct host_info->driver_version = (DRV_MODULE_VER_MAJOR) | (DRV_MODULE_VER_MINOR << ENA_ADMIN_HOST_INFO_MINOR_SHIFT) |
@@ -167,7 +159,7 @@ index 69a49784b204..0c9c0d3ce856 100644 rc = ena_com_set_host_attributes(ena_dev); if (rc) {
-@@ -2454,7 +2458,7 @@ static int ena_device_init(struct ena_com_dev *ena_dev, struct pci_dev *pdev,
+@@ -2454,7 +2458,7 @@ static int ena_device_init(struct ena_co */ ena_com_set_admin_polling_mode(ena_dev, true);
@@ -176,6 +168,3 @@ index 69a49784b204..0c9c0d3ce856 100644 /* Get Device Attributes*/ rc = ena_com_get_dev_attr_feat(ena_dev, get_feat_ctx); --- -2.19.2 -
diff --git a/debian/patches/features/all/lockdown/0028-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch b/debian/patches/features/all/lockdown/0028-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch
index ff6dbcb05..04099fd75 100644
--- a/debian/patches/features/all/lockdown/0028-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch
+++ b/debian/patches/features/all/lockdown/0028-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch
@@ -22,11 +22,9 @@ cc: linux-efi@vger.kernel.org 4 files changed, 50 insertions(+), 19 deletions(-) create mode 100644 drivers/firmware/efi/secureboot.c -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 0957dd73d127..7c2162f9e769 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1197,19 +1197,7 @@ void __init setup_arch(char **cmdline_p) +@@ -1159,19 +1159,7 @@ void __init setup_arch(char **cmdline_p) /* Allocate bigger log buffer */ setup_log_buf(1); @@ -47,11 +45,9 @@ index 0957dd73d127..7c2162f9e769 100644 reserve_initrd(); -diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile -index 0329d319d89a..883f9f7eefc6 100644 --- a/drivers/firmware/efi/Makefile +++ b/drivers/firmware/efi/Makefile -@@ -23,6 +23,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_mem.o +@@ -24,6 +24,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_m obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o obj-$(CONFIG_EFI_TEST) += test/ obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o @@ -59,9 +55,6 @@ index 0329d319d89a..883f9f7eefc6 100644 obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o arm-obj-$(CONFIG_EFI) := arm-init.o arm-runtime.o -diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c -new file mode 100644 -index 000000000000..9070055de0a1 --- /dev/null +++ b/drivers/firmware/efi/secureboot.c @@ -0,0 +1,38 @@ @@ -103,11 +96,9 @@ index 000000000000..9070055de0a1 + } + } +} -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 66f4a4e79f4b..7c7a7e33e4d1 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -1103,6 +1103,14 @@ extern int __init efi_setup_pcdp_console(char *); +@@ -1152,6 +1152,14 @@ extern int __init efi_setup_pcdp_console #define EFI_DBG 8 /* Print additional debug info at runtime */ #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */ 
@@ -122,7 +113,7 @@ index 66f4a4e79f4b..7c7a7e33e4d1 100644 #ifdef CONFIG_EFI /*
-@@ -1115,6 +1123,7 @@ static inline bool efi_enabled(int feature)
+@@ -1164,6 +1172,7 @@ static inline bool efi_enabled(int featu extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused); extern bool efi_is_table_address(unsigned long phys_addr);
@@ -130,7 +121,7 @@ index 66f4a4e79f4b..7c7a7e33e4d1 100644 #else static inline bool efi_enabled(int feature) {
-@@ -1133,6 +1142,7 @@ static inline bool efi_is_table_address(unsigned long phys_addr)
+@@ -1182,6 +1191,7 @@ static inline bool efi_is_table_address( { return false; }
@@ -138,8 +129,8 @@ index 66f4a4e79f4b..7c7a7e33e4d1 100644 #endif extern int efi_status_to_err(efi_status_t status);
-@@ -1518,12 +1528,6 @@ efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg, - bool efi_runtime_disabled(void);
+@@ -1572,12 +1582,6 @@ static inline bool efi_runtime_disabled( + extern void efi_call_virt_check_flags(unsigned long flags, const char *call); -enum efi_secureboot_mode {
diff --git a/debian/patches/series b/debian/patches/series
index 577400b1f..87196a6ce 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -81,10 +81,6 @@ bugfix/arm/ARM-dts-sun8i-h3-add-sy8106a-to-orange-pi-plus.patch
 bugfix/arm64/arm64-dts-allwinner-a64-Enable-A64-timer-workaround.patch
 bugfix/mips/MIPS-Loongson-Introduce-and-use-loongson_llsc_mb.patch
 bugfix/powerpc/powerpc-vdso-make-vdso32-installation-conditional-in.patch
-bugfix/mips/MIPS-scall64-o32-Fix-indirect-syscall-number-load.patch
-bugfix/mips/MIPS-Bounds-check-virt_addr_valid.patch
-bugfix/sparc64/sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch
-bugfix/arm64/arm64-compat-Provide-definition-for-COMPAT_SIGMINSTK.patch
 # Arch features
 features/mips/MIPS-increase-MAX-PHYSMEM-BITS-on-Loongson-3-only.patch
@@ -106,7 +102,6 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
 bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
 debian/revert-objtool-fix-config_stack_validation-y-warning.patch
 bugfix/all/mt76-use-the-correct-hweight8-function.patch
-bugfix/all/revert-net-stmmac-send-tso-packets-always-from-queue.patch
 bugfix/all/rtc-s35390a-set-uie_unsupported.patch
 # Miscellaneous features
@@ -163,93 +158,7 @@ features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
 debian/ntfs-mark-it-as-broken.patch
-bugfix/all/vfio-type1-Limit-DMA-mappings-per-container.patch
-bugfix/all/0001-aio-clear-IOCB_HIPRI.patch
-bugfix/all/0002-aio-use-assigned-completion-handler.patch
-bugfix/all/0003-aio-separate-out-ring-reservation-from-req-allocatio.patch
-bugfix/all/0004-aio-don-t-zero-entire-aio_kiocb-aio_get_req.patch
-bugfix/all/0005-aio-use-iocb_put-instead-of-open-coding-it.patch
-bugfix/all/0006-aio-split-out-iocb-copy-from-io_submit_one.patch
-bugfix/all/0007-aio-abstract-out-io_event-filler-helper.patch
-bugfix/all/0008-aio-initialize-kiocb-private-in-case-any-filesystems.patch
-bugfix/all/0009-aio-simplify-and-fix-fget-fput-for-io_submit.patch
-bugfix/all/0010-pin-iocb-through-aio.patch
-bugfix/all/0011-aio-fold-lookup_kiocb-into-its-sole-caller.patch
-bugfix/all/0012-aio-keep-io_event-in-aio_kiocb.patch
-bugfix/all/0013-aio-store-event-at-final-iocb_put.patch
-bugfix/all/0014-Fix-aio_poll-races.patch
-bugfix/all/tracing-fix-buffer_ref-pipe-ops.patch
-bugfix/all/0001-mm-make-page-ref-count-overflow-check-tighter-and-mo.patch
-bugfix/all/0002-mm-add-try_get_page-helper-function.patch
-bugfix/all/0003-mm-prevent-get_user_pages-from-overflowing-page-refc.patch
-bugfix/all/0004-fs-prevent-page-refcount-overflow-in-pipe_buf_get.patch
-bugfix/all/spec/0001-Documentation-l1tf-Fix-small-spelling-typo.patch
-bugfix/all/spec/0002-x86-cpu-Sanitize-FAM6_ATOM-naming.patch
-bugfix/all/spec/0003-kvm-x86-Report-STIBP-on-GET_SUPPORTED_CPUID.patch
-bugfix/all/spec/0004-x86-msr-index-Cleanup-bit-defines.patch
-bugfix/all/spec/0005-x86-speculation-Consolidate-CPU-whitelists.patch
-bugfix/all/spec/0006-x86-speculation-mds-Add-basic-bug-infrastructure-for.patch
-bugfix/all/spec/0007-x86-speculation-mds-Add-BUG_MSBDS_ONLY.patch
-bugfix/all/spec/0008-x86-kvm-Expose-X86_FEATURE_MD_CLEAR-to-guests.patch
-bugfix/all/spec/0009-x86-speculation-mds-Add-mds_clear_cpu_buffers.patch
-bugfix/all/spec/0010-x86-speculation-mds-Clear-CPU-buffers-on-exit-to-use.patch
-bugfix/all/spec/0011-x86-kvm-vmx-Add-MDS-protection-when-L1D-Flush-is-not.patch
-bugfix/all/spec/0012-x86-speculation-mds-Conditionally-clear-CPU-buffers-.patch
-bugfix/all/spec/0013-x86-speculation-mds-Add-mitigation-control-for-MDS.patch
-bugfix/all/spec/0014-x86-speculation-mds-Add-sysfs-reporting-for-MDS.patch
-bugfix/all/spec/0015-x86-speculation-mds-Add-mitigation-mode-VMWERV.patch
-bugfix/all/spec/0016-Documentation-Move-L1TF-to-separate-directory.patch
-bugfix/all/spec/0017-Documentation-Add-MDS-vulnerability-documentation.patch
-bugfix/all/spec/0018-x86-speculation-mds-Add-mds-full-nosmt-cmdline-optio.patch
-bugfix/all/spec/0019-x86-speculation-Move-arch_smt_update-call-to-after-m.patch
-bugfix/all/spec/0020-x86-speculation-mds-Add-SMT-warning-message.patch
-bugfix/all/spec/0021-x86-speculation-mds-Fix-comment.patch
-bugfix/all/spec/0022-x86-speculation-mds-Print-SMT-vulnerable-on-MSBDS-wi.patch
-bugfix/all/spec/0023-cpu-speculation-Add-mitigations-cmdline-option.patch
-bugfix/all/spec/0024-x86-speculation-Support-mitigations-cmdline-option.patch
-bugfix/all/spec/0025-powerpc-speculation-Support-mitigations-cmdline-opti.patch
-bugfix/all/spec/0026-s390-speculation-Support-mitigations-cmdline-option.patch
-bugfix/all/spec/0027-x86-speculation-mds-Add-mitigations-support-for-MDS.patch
-bugfix/all/spec/0028-x86-mds-Add-MDSUM-variant-to-the-MDS-documentation.patch
-bugfix/all/spec/0029-Documentation-Correct-the-possible-MDS-sysfs-values.patch
-bugfix/all/spec/0030-x86-speculation-mds-Fix-documentation-typo.patch
-bugfix/all/spec/powerpc-64s-include-cpu-header.patch
-bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
-bugfix/all/brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
-bugfix/all/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
-bugfix/all/Bluetooth-hidp-fix-buffer-overflow.patch
-bugfix/all/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch
-bugfix/all/mwifiex-abort-at-too-short-bss-descriptor-element.patch
-bugfix/all/mwifiex-don-t-abort-on-small-spec-compliant-vendor-ies.patch
-bugfix/all/mm-mincore.c-make-mincore-more-conservative.patch
-bugfix/all/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch
-bugfix/all/tcp-limit-payload-size-of-sacked-skbs.patch
-bugfix/all/tcp-tcp_fragment-should-apply-sane-memory-limits.patch
-bugfix/all/tcp-add-tcp_min_snd_mss-sysctl.patch
-bugfix/all/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
-bugfix/all/tcp-refine-memory-limit-test-in-tcp_fragment.patch
-bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch
-bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch
-bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch
-bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch
-bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch
-bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch
-bugfix/all/input-gtco-bounds-check-collection-indent-level.patch
-bugfix/all/net-switch-IP-ID-generator-to-siphash.patch
-bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch
-bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
-bugfix/all/Bluetooth-hci_uart-check-for-missing-tty-operations.patch
-bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch
-bugfix/x86/x86-cpufeatures-Carve-out-CQM-features-retrieval.patch
-bugfix/x86/x86-cpufeatures-Combine-word-11-and-12-into-a-new-sc.patch
-bugfix/x86/x86-speculation-Prepare-entry-code-for-Spectre-v1-sw.patch
-bugfix/x86/x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch
-bugfix/x86/x86-entry-64-Use-JMP-instead-of-JMPQ.patch
-bugfix/x86/x86-speculation-swapgs-Exclude-ATOMs-from-speculatio.patch
-bugfix/all/Documentation-Add-section-about-CPU-vulnerabilities-.patch
-bugfix/all/Documentation-Add-swapgs-description-to-the-Spectre-.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch