From 7e902dbcd3e5828c77a6ad8fbee50452d22b9727 Mon Sep 17 00:00:00 2001 From: Romain Perier Date: Thu, 18 Jul 2019 20:50:58 +0200 Subject: [PATCH 01/19] [x86] x86/insn-eval: Fix use-after-free access to LDT entry (CVE-2019-13233) --- debian/changelog | 3 + ...x-use-after-free-access-to-LDT-entry.patch | 176 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 180 insertions(+) create mode 100644 debian/patches/bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch diff --git a/debian/changelog b/debian/changelog index 3b23e77d3..dbdf29032 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,6 +11,9 @@ linux (4.19.37-6) UNRELEASED; urgency=medium and HNS/ROCE Infiniband - Add module:drivers/scsi/hisi_sas/* to the ABI ignore list + [ Romain Perier ] + * [x86] x86/insn-eval: Fix use-after-free access to LDT entry (CVE-2019-13233) + -- Salvatore Bonaccorso Sun, 23 Jun 2019 16:15:17 +0200 linux (4.19.37-5+deb10u1) buster-security; urgency=high diff --git a/debian/patches/bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch b/debian/patches/bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch new file mode 100644 index 000000000..3498171c6 --- /dev/null +++ b/debian/patches/bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch 
@@ -0,0 +1,176 @@ +From de9f869616dd95e95c00bdd6b0fcd3421e8a4323 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Sun, 2 Jun 2019 03:15:58 +0200 +Subject: x86/insn-eval: Fix use-after-free access to LDT entry +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=de9f869616dd95e95c00bdd6b0fcd3421e8a4323 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13233 + +get_desc() computes a pointer into the LDT while holding a lock that +protects the LDT from being freed, but then drops the lock and returns the +(now potentially dangling) pointer to its caller. + +Fix it by giving the caller a copy of the LDT entry instead. + +Fixes: 670f928ba09b ("x86/insn-eval: Add utility function to get segment descriptor") +Cc: stable@vger.kernel.org +Signed-off-by: Jann Horn +Signed-off-by: Linus Torvalds +--- + arch/x86/lib/insn-eval.c | 47 ++++++++++++++++++++++++----------------------- + 1 file changed, 24 insertions(+), 23 deletions(-) + +diff --git a/arch/x86/lib/insn-eval.c b/arch/x86/lib/insn-eval.c +index cf00ab6c6621..306c3a0902ba 100644 +--- a/arch/x86/lib/insn-eval.c ++++ b/arch/x86/lib/insn-eval.c +@@ -557,7 +557,8 @@ static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, + } + + /** +- * get_desc() - Obtain pointer to a segment descriptor ++ * get_desc() - Obtain contents of a segment descriptor ++ * @out: Segment descriptor contents on success + * @sel: Segment selector + * + * Given a segment selector, obtain a pointer to the segment descriptor. +@@ -565,18 +566,18 @@ static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, + * + * Returns: + * +- * Pointer to segment descriptor on success. ++ * True on success, false on failure. + * + * NULL on error. 
+ */ +-static struct desc_struct *get_desc(unsigned short sel) ++static bool get_desc(struct desc_struct *out, unsigned short sel) + { + struct desc_ptr gdt_desc = {0, 0}; + unsigned long desc_base; + + #ifdef CONFIG_MODIFY_LDT_SYSCALL + if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { +- struct desc_struct *desc = NULL; ++ bool success = false; + struct ldt_struct *ldt; + + /* Bits [15:3] contain the index of the desired entry. */ +@@ -584,12 +585,14 @@ static struct desc_struct *get_desc(unsigned short sel) + + mutex_lock(¤t->active_mm->context.lock); + ldt = current->active_mm->context.ldt; +- if (ldt && sel < ldt->nr_entries) +- desc = &ldt->entries[sel]; ++ if (ldt && sel < ldt->nr_entries) { ++ *out = ldt->entries[sel]; ++ success = true; ++ } + + mutex_unlock(¤t->active_mm->context.lock); + +- return desc; ++ return success; + } + #endif + native_store_gdt(&gdt_desc); +@@ -604,9 +607,10 @@ static struct desc_struct *get_desc(unsigned short sel) + desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); + + if (desc_base > gdt_desc.size) +- return NULL; ++ return false; + +- return (struct desc_struct *)(gdt_desc.address + desc_base); ++ *out = *(struct desc_struct *)(gdt_desc.address + desc_base); ++ return true; + } + + /** +@@ -628,7 +632,7 @@ static struct desc_struct *get_desc(unsigned short sel) + */ + unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) + { +- struct desc_struct *desc; ++ struct desc_struct desc; + short sel; + + sel = get_segment_selector(regs, seg_reg_idx); +@@ -666,11 +670,10 @@ unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) + if (!sel) + return -1L; + +- desc = get_desc(sel); +- if (!desc) ++ if (!get_desc(&desc, sel)) + return -1L; + +- return get_desc_base(desc); ++ return get_desc_base(&desc); + } + + /** +@@ -692,7 +695,7 @@ unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) + */ + static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) + { +- struct 
desc_struct *desc; ++ struct desc_struct desc; + unsigned long limit; + short sel; + +@@ -706,8 +709,7 @@ static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) + if (!sel) + return 0; + +- desc = get_desc(sel); +- if (!desc) ++ if (!get_desc(&desc, sel)) + return 0; + + /* +@@ -716,8 +718,8 @@ static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) + * not tested when checking the segment limits. In practice, + * this means that the segment ends in (limit << 12) + 0xfff. + */ +- limit = get_desc_limit(desc); +- if (desc->g) ++ limit = get_desc_limit(&desc); ++ if (desc.g) + limit = (limit << 12) + 0xfff; + + return limit; +@@ -741,7 +743,7 @@ static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) + */ + int insn_get_code_seg_params(struct pt_regs *regs) + { +- struct desc_struct *desc; ++ struct desc_struct desc; + short sel; + + if (v8086_mode(regs)) +@@ -752,8 +754,7 @@ int insn_get_code_seg_params(struct pt_regs *regs) + if (sel < 0) + return sel; + +- desc = get_desc(sel); +- if (!desc) ++ if (!get_desc(&desc, sel)) + return -EINVAL; + + /* +@@ -761,10 +762,10 @@ int insn_get_code_seg_params(struct pt_regs *regs) + * determines whether a segment contains data or code. If this is a data + * segment, return error. + */ +- if (!(desc->type & BIT(3))) ++ if (!(desc.type & BIT(3))) + return -EINVAL; + +- switch ((desc->l << 1) | desc->d) { ++ switch ((desc.l << 1) | desc.d) { + case 0: /* + * Legacy mode. CS.L=0, CS.D=0. Address and operand size are + * both 16-bit. +-- +cgit 1.2-0.3.lf.el7 + diff --git a/debian/patches/series b/debian/patches/series index 637ee8ba7..f1d4fea13 100644 --- a/debian/patches/series +++ b/debian/patches/series 
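Review bot: The kernel-doc for get_desc() in the embedded insn-eval.c patch is left half-updated: the description still reads "obtain a pointer to the segment descriptor", and the Returns section keeps "NULL on error." directly after the new "True on success, false on failure." line, although the function now returns bool and copies the entry into `@out`. I would reword the description to `Given a segment selector, copy the segment descriptor into @out.` and drop the `NULL on error.` line, so the comment states the contract that removes the dangling pointer (callers receive a snapshot, never a pointer into the LDT). Separately, the GDT path now dereferences `gdt_desc.address + desc_base` inside get_desc() after only the unchanged `desc_base > gdt_desc.size` comparison; whether that bound should account for the full descriptor width is worth confirming against upstream rather than changing in this backport.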
@@ -230,6 +230,7 @@ bugfix/all/tcp-add-tcp_min_snd_mss-sysctl.patch bugfix/all/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch bugfix/all/tcp-refine-memory-limit-test-in-tcp_fragment.patch bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch +bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From fbe4322901c84c669f6bd67a91bda3248e87eab5 Mon Sep 17 00:00:00 2001 From: Romain Perier Date: Thu, 18 Jul 2019 21:05:58 +0200 Subject: [PATCH 02/19] [powerpc*] mm/64s/hash: Reallocate context ids on fork (CVE-2019-12817) --- debian/changelog | 1 + ...-hash-Reallocate-context-ids-on-fork.patch | 141 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 143 insertions(+) create mode 100644 debian/patches/bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch diff --git a/debian/changelog b/debian/changelog index dbdf29032..052c71ec9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -13,6 +13,7 @@ linux (4.19.37-6) UNRELEASED; urgency=medium [ Romain Perier ] * [x86] x86/insn-eval: Fix use-after-free access to LDT entry (CVE-2019-13233) + * [powerpc*] mm/64s/hash: Reallocate context ids on fork (CVE-2019-12817) -- Salvatore Bonaccorso Sun, 23 Jun 2019 16:15:17 +0200 diff --git a/debian/patches/bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch b/debian/patches/bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch new file mode 100644 index 000000000..1126878a9 --- /dev/null +++ b/debian/patches/bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch 
@@ -0,0 +1,141 @@ +From e6b3afda1f296e826c07e10db055240a58047956 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Wed, 12 Jun 2019 23:35:07 +1000 +Subject: powerpc/mm/64s/hash: Reallocate context ids on fork +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ca72d88378b2f2444d3ec145dd442d449d3fefbc +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-12817 + +When using the Hash Page Table (HPT) MMU, userspace memory mappings +are managed at two levels. Firstly in the Linux page tables, much like +other architectures, and secondly in the SLB (Segment Lookaside +Buffer) and HPT. It's the SLB and HPT that are actually used by the +hardware to do translations. + +As part of the series adding support for 4PB user virtual address +space using the hash MMU, we added support for allocating multiple +"context ids" per process, one for each 512TB chunk of address space. +These are tracked in an array called extended_id in the mm_context_t +of a process that has done a mapping above 512TB. + +If such a process forks (ie. clone(2) without CLONE_VM set) it's mm is +copied, including the mm_context_t, and then init_new_context() is +called to reinitialise parts of the mm_context_t as appropriate to +separate the address spaces of the two processes. + +The key step in ensuring the two processes have separate address +spaces is to allocate a new context id for the process, this is done +at the beginning of hash__init_new_context(). If we didn't allocate a +new context id then the two processes would share mappings as far as +the SLB and HPT are concerned, even though their Linux page tables +would be separate. + +For mappings above 512TB, which use the extended_id array, we +neglected to allocate new context ids on fork, meaning the parent and +child use the same ids and therefore share those mappings even though +they're supposed to be separate. 
This can lead to the parent seeing +writes done by the child, which is essentially memory corruption. + +There is an additional exposure which is that if the child process +exits, all its context ids are freed, including the context ids that +are still in use by the parent for mappings above 512TB. One or more +of those ids can then be reallocated to a third process, that process +can then read/write to the parent's mappings above 512TB. Additionally +if the freed id is used for the third process's primary context id, +then the parent is able to read/write to the third process's mappings +*below* 512TB. + +All of these are fundamental failures to enforce separation between +processes. The only mitigating factor is that the bug only occurs if a +process creates mappings above 512TB, and most applications still do +not create such mappings. + +Only machines using the hash page table MMU are affected, eg. PowerPC +970 (G5), PA6T, Power5/6/7/8/9. By default Power9 bare metal machines +(powernv) use the Radix MMU and are not affected, unless the machine +has been explicitly booted in HPT mode (using disable_radix on the +kernel command line). KVM guests on Power9 may be affected if the host +or guest is configured to use the HPT MMU. LPARs under PowerVM on +Power9 are affected as they always use the HPT MMU. Kernels built with +PAGE_SIZE=4K are not affected. + +The fix is relatively simple, we need to reallocate context ids for +all extended mappings on fork. 
+ +Fixes: f384796c40dc ("powerpc/mm: Add support for handling > 512TB address in SLB miss") +Cc: stable@vger.kernel.org # v4.17+ +Signed-off-by: Michael Ellerman +--- + arch/powerpc/mm/mmu_context_book3s64.c | 46 +++++++++++++++++++++++--- + 1 file changed, 42 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/mm/mmu_context_book3s64.c b/arch/powerpc/mm/mmu_context_book3s64.c +index dbd8f762140b..68984d85ad6b 100644 +--- a/arch/powerpc/mm/mmu_context_book3s64.c ++++ b/arch/powerpc/mm/mmu_context_book3s64.c +@@ -53,14 +53,48 @@ int hash__alloc_context_id(void) + } + EXPORT_SYMBOL_GPL(hash__alloc_context_id); + ++static int realloc_context_ids(mm_context_t *ctx) ++{ ++ int i, id; ++ ++ /* ++ * id 0 (aka. ctx->id) is special, we always allocate a new one, even if ++ * there wasn't one allocated previously (which happens in the exec ++ * case where ctx is newly allocated). ++ * ++ * We have to be a bit careful here. We must keep the existing ids in ++ * the array, so that we can test if they're non-zero to decide if we ++ * need to allocate a new one. However in case of error we must free the ++ * ids we've allocated but *not* any of the existing ones (or risk a ++ * UAF). That's why we decrement i at the start of the error handling ++ * loop, to skip the id that we just tested but couldn't reallocate. 
++ */ ++ for (i = 0; i < ARRAY_SIZE(ctx->extended_id); i++) { ++ if (i == 0 || ctx->extended_id[i]) { ++ id = hash__alloc_context_id(); ++ if (id < 0) ++ goto error; ++ ++ ctx->extended_id[i] = id; ++ } ++ } ++ ++ /* The caller expects us to return id */ ++ return ctx->id; ++ ++error: ++ for (i--; i >= 0; i--) { ++ if (ctx->extended_id[i]) ++ ida_free(&mmu_context_ida, ctx->extended_id[i]); ++ } ++ ++ return id; ++} ++ + static int hash__init_new_context(struct mm_struct *mm) + { + int index; + +- index = hash__alloc_context_id(); +- if (index < 0) +- return index; +- + /* + * The old code would re-promote on fork, we don't do that when using + * slices as it could cause problem promoting slices that have been +@@ -78,6 +112,10 @@ static int hash__init_new_context(struct mm_struct *mm) + if (mm->context.id == 0) + slice_init_new_context_exec(mm); + ++ index = realloc_context_ids(&mm->context); ++ if (index < 0) ++ return index; ++ + subpage_prot_init_new_context(mm); + + pkey_mm_init(mm); +-- +2.20.1 + diff --git a/debian/patches/series b/debian/patches/series index f1d4fea13..272caa4c2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -231,6 +231,7 @@ bugfix/all/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch bugfix/all/tcp-refine-memory-limit-test-in-tcp_fragment.patch bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch +bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From 091f76e86d3fdcb13008f1e8fb7910f2a69db3e9 Mon Sep 17 00:00:00 2001 
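Review bot: The error path of realloc_context_ids() in the embedded powerpc patch frees the ids it allocated but leaves their values in `ctx->extended_id[]`, and the slots from the failing index upward still hold the ids copied from the parent. That is safe only while no later teardown of this mm walks the array and frees what it finds; the callers' failure handling is outside the hunk, so this is an assumption to confirm rather than a demonstrated bug. Clearing each slot after `ida_free()` in the error loop with `ctx->extended_id[i] = 0;` would remove that reliance for the reallocated slots. For the remaining slots, a line in the existing block comment such as `On failure the array still contains ids owned by the parent; the caller must not destroy this context.` would record the constraint.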
From: Romain Perier Date: Sat, 20 Jul 2019 18:14:43 +0200 Subject: [PATCH 03/19] nfc: Ensure presence of required attributes in the deactivate_target handler (CVE-2019-12984) --- debian/changelog | 2 + ...-attributes-in-the-deactivate_target.patch | 37 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 40 insertions(+) create mode 100644 debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch diff --git a/debian/changelog b/debian/changelog index 052c71ec9..e3e299d8a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,6 +14,8 @@ linux (4.19.37-6) UNRELEASED; urgency=medium [ Romain Perier ] * [x86] x86/insn-eval: Fix use-after-free access to LDT entry (CVE-2019-13233) * [powerpc*] mm/64s/hash: Reallocate context ids on fork (CVE-2019-12817) + * nfc: Ensure presence of required attributes in the deactivate_target handler + (CVE-2019-12984) -- Salvatore Bonaccorso Sun, 23 Jun 2019 16:15:17 +0200 diff --git a/debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch b/debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch new file mode 100644 index 000000000..96d569ace --- /dev/null +++ b/debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch 
@@ -0,0 +1,37 @@ +From 385097a3675749cbc9e97c085c0e5dfe4269ca51 Mon Sep 17 00:00:00 2001 +From: Young Xiao <92siuyang@gmail.com> +Date: Fri, 14 Jun 2019 15:13:02 +0800 +Subject: nfc: Ensure presence of required attributes in the deactivate_target + handler +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=385097a3675749cbc9e97c085c0e5dfe4269ca51 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-12984 + +Check that the NFC_ATTR_TARGET_INDEX attributes (in addition to +NFC_ATTR_DEVICE_INDEX) are provided by the netlink client prior to +accessing them. This prevents potential unhandled NULL pointer dereference +exceptions which can be triggered by malicious user-mode programs, +if they omit one or both of these attributes. + +Signed-off-by: Young Xiao <92siuyang@gmail.com> +Signed-off-by: David S. Miller +--- + net/nfc/netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c +index 1180b3e58a0a..ea64c90b14e8 100644 +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -911,7 +911,8 @@ static int nfc_genl_deactivate_target(struct sk_buff *skb, + u32 device_idx, target_idx; + int rc; + +- if (!info->attrs[NFC_ATTR_DEVICE_INDEX]) ++ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] || ++ !info->attrs[NFC_ATTR_TARGET_INDEX]) + return -EINVAL; + + device_idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]); +-- +cgit 1.2-0.3.lf.el7 + diff --git a/debian/patches/series b/debian/patches/series index 272caa4c2..101206396 100644 --- a/debian/patches/series +++ b/debian/patches/series 
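Review bot: The added guard in nfc_genl_deactivate_target() tests only that NFC_ATTR_TARGET_INDEX is present; the `nla_get_u32()` read on it is safe against a short attribute only if the family's attribute policy declares it as a u32, and that policy is not part of this hunk. It is worth confirming that both NFC_ATTR_DEVICE_INDEX and NFC_ATTR_TARGET_INDEX have policy entries, and adding a one-line comment above the check such as `/* both indices are mandatory; nla_get_u32() below assumes they were supplied */`. The handler body continues outside the hunk, so the read of the target index itself is not visible here.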
@@ -232,6 +232,7 @@ bugfix/all/tcp-refine-memory-limit-test-in-tcp_fragment.patch bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch +bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From 1e1ff4ce9cd70dc34d9ef15f9c054ee4d993beea Mon Sep 17 00:00:00 2001 From: Romain Perier Date: Sat, 20 Jul 2019 18:36:49 +0200 Subject: [PATCH 04/19] binder: fix race between munmap() and direct reclaim (CVE-2019-1999) --- debian/changelog | 1 + ...ce-between-munmap-and-direct-reclaim.patch | 68 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 70 insertions(+) create mode 100644 debian/patches/bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch diff --git a/debian/changelog b/debian/changelog index e3e299d8a..6bb3f9e20 100644 --- a/debian/changelog +++ b/debian/changelog @@ -16,6 +16,7 @@ linux (4.19.37-6) UNRELEASED; urgency=medium * [powerpc*] mm/64s/hash: Reallocate context ids on fork (CVE-2019-12817) * nfc: Ensure presence of required attributes in the deactivate_target handler (CVE-2019-12984) + * binder: fix race between munmap() and direct reclaim (CVE-2019-1999) -- Salvatore Bonaccorso Sun, 23 Jun 2019 16:15:17 +0200 diff --git a/debian/patches/bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch b/debian/patches/bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch new file mode 100644 index 000000000..1143ac8c3 --- /dev/null +++ b/debian/patches/bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch 
@@ -0,0 +1,68 @@ +From 37b68ba30a93ee10b2e0531affdab9665dbe7b80 Mon Sep 17 00:00:00 2001 +From: Todd Kjos +Date: Fri, 1 Mar 2019 15:06:06 -0800 +Subject: [PATCH] binder: fix race between munmap() and direct reclaim +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=5cec2d2e5839f9c0fec319c523a911e0a7fd299f +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-1999 + +An munmap() on a binder device causes binder_vma_close() to be called +which clears the alloc->vma pointer. + +If direct reclaim causes binder_alloc_free_page() to be called, there +is a race where alloc->vma is read into a local vma pointer and then +used later after the mm->mmap_sem is acquired. This can result in +calling zap_page_range() with an invalid vma which manifests as a +use-after-free in zap_page_range(). + +The fix is to check alloc->vma after acquiring the mmap_sem (which we +were acquiring anyway) and skip zap_page_range() if it has changed +to NULL. + +Signed-off-by: Todd Kjos +Reviewed-by: Joel Fernandes (Google) +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder_alloc.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c +index 030c98f35cca..3863ef78e40f 100644 +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -958,14 +958,13 @@ enum lru_status binder_alloc_free_page(struct list_head *item, + + index = page - alloc->pages; + page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE; ++ ++ mm = alloc->vma_vm_mm; ++ if (!mmget_not_zero(mm)) ++ goto err_mmget; ++ if (!down_write_trylock(&mm->mmap_sem)) ++ goto err_down_write_mmap_sem_failed; + vma = binder_alloc_get_vma(alloc); +- if (vma) { +- if (!mmget_not_zero(alloc->vma_vm_mm)) +- goto err_mmget; +- mm = alloc->vma_vm_mm; +- if (!down_write_trylock(&mm->mmap_sem)) +- goto err_down_write_mmap_sem_failed; +- } + + 
list_lru_isolate(lru, item); + spin_unlock(lock); +@@ -979,9 +978,9 @@ enum lru_status binder_alloc_free_page(struct list_head *item, + + trace_binder_unmap_user_end(alloc, index); + +- up_write(&mm->mmap_sem); +- mmput(mm); + } ++ up_write(&mm->mmap_sem); ++ mmput(mm); + + trace_binder_unmap_kernel_start(alloc, index); + +-- +2.20.1 + diff --git a/debian/patches/series b/debian/patches/series index 101206396..81454443d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -233,6 +233,7 @@ bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch +bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From 869c89cb6dde4df098d5c4900823cc858169f7f2 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 20 Jul 2019 21:09:43 +0200 Subject: [PATCH 05/19] Use patch headers as generated by git format-patch-for-debian --- .../binder-fix-race-between-munmap-and-direct-reclaim.patch | 5 ++--- ...nce-of-required-attributes-in-the-deactivate_target.patch | 3 +-- .../powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch | 3 +-- ...86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch | 3 +-- 4 files changed, 5 insertions(+), 9 deletions(-) diff --git a/debian/patches/bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch b/debian/patches/bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch index 1143ac8c3..870262324 100644 --- a/debian/patches/bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch +++ b/debian/patches/bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch @@ -1,8 +1,7 @@ -From 37b68ba30a93ee10b2e0531affdab9665dbe7b80 Mon Sep 17 00:00:00 2001 
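Review bot: In the embedded binder_alloc.c change, binder_alloc_free_page() now loads `alloc->vma_vm_mm` and passes it to `mmget_not_zero()` unconditionally, where the removed code did so only under `if (vma)`. The dereference therefore no longer relies on the vma check but on an invariant that vma_vm_mm is always set for any alloc whose pages can be on this LRU; where it is assigned is outside the hunk, so this should be confirmed for the 4.19 tree being patched. A short comment at the new lines would record both the invariant and the reason for the reordering, for example `/* vma_vm_mm is assumed valid for any alloc with pages on the LRU; alloc->vma must be read only after mmap_sem is held, since munmap() can clear it */`. The function starts and ends outside the hunk.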
From: Todd Kjos Date: Fri, 1 Mar 2019 15:06:06 -0800 -Subject: [PATCH] binder: fix race between munmap() and direct reclaim -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=5cec2d2e5839f9c0fec319c523a911e0a7fd299f +Subject: binder: fix race between munmap() and direct reclaim +Origin: https://git.kernel.org/linus/5cec2d2e5839f9c0fec319c523a911e0a7fd299f Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-1999 An munmap() on a binder device causes binder_vma_close() to be called diff --git a/debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch b/debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch index 96d569ace..f53666cdc 100644 --- a/debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch +++ b/debian/patches/bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch @@ -1,9 +1,8 @@ -From 385097a3675749cbc9e97c085c0e5dfe4269ca51 Mon Sep 17 00:00:00 2001 From: Young Xiao <92siuyang@gmail.com> Date: Fri, 14 Jun 2019 15:13:02 +0800 Subject: nfc: Ensure presence of required attributes in the deactivate_target handler -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=385097a3675749cbc9e97c085c0e5dfe4269ca51 +Origin: https://git.kernel.org/linus/385097a3675749cbc9e97c085c0e5dfe4269ca51 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-12984 Check that the NFC_ATTR_TARGET_INDEX attributes (in addition to diff --git a/debian/patches/bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch b/debian/patches/bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch index 1126878a9..e5dee4adb 100644 --- a/debian/patches/bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch 
+++ b/debian/patches/bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch @@ -1,8 +1,7 @@ -From e6b3afda1f296e826c07e10db055240a58047956 Mon Sep 17 00:00:00 2001 From: Michael Ellerman Date: Wed, 12 Jun 2019 23:35:07 +1000 Subject: powerpc/mm/64s/hash: Reallocate context ids on fork -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ca72d88378b2f2444d3ec145dd442d449d3fefbc +Origin: https://git.kernel.org/linus/ca72d88378b2f2444d3ec145dd442d449d3fefbc Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-12817 When using the Hash Page Table (HPT) MMU, userspace memory mappings diff --git a/debian/patches/bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch b/debian/patches/bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch index 3498171c6..b9a6bf111 100644 --- a/debian/patches/bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch +++ b/debian/patches/bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch @@ -1,8 +1,7 @@ -From de9f869616dd95e95c00bdd6b0fcd3421e8a4323 Mon Sep 17 00:00:00 2001 From: Jann Horn Date: Sun, 2 Jun 2019 03:15:58 +0200 Subject: x86/insn-eval: Fix use-after-free access to LDT entry -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=de9f869616dd95e95c00bdd6b0fcd3421e8a4323 +Origin: https://git.kernel.org/linus/de9f869616dd95e95c00bdd6b0fcd3421e8a4323 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13233 get_desc() computes a pointer into the LDT while holding a lock that From 84b1bd80aa9a32f8ca936a656370ea44c928c8a8 Mon Sep 17 00:00:00 2001 
From: Romain Perier Date: Mon, 22 Jul 2019 10:24:39 +0200 Subject: [PATCH 06/19] Revert unwanted changes for buster-security We need to be based onto 4.19.37-5+deb10u1, and only include security related topics. Things or improvements added to 4.19.37-6 (that is already in sid) should be removed because they should not be uploaded to buster-security accidentaly. --- debian/changelog | 11 - debian/config/arm64/config | 7 - debian/config/defines | 2 - ...ed-back-linkrate-max-min-when-re-att.patch | 40 -- ...ve-evaluation-of-hisi_hba-in-hisi_sa.patch | 50 -- ...x-the-race-between-IO-completion-and.patch | 139 ------ ...ee-slot-later-in-slot_complete_vx_hw.patch | 69 --- ...as-unmask-interrupts-ent72-and-ent74.patch | 32 -- ...Use-block-layer-tag-instead-for-IPTT.patch | 321 ------------- ...date-v3-hw-AIP_LIMIT-and-CFG_AGING_T.patch | 57 --- ...x-spin-lock-management-in-slot_index.patch | 36 -- ...si_sas-use-dma_set_mask_and_coherent.patch | 43 -- ...eate-separate-host-attributes-per-HB.patch | 129 ------ ...d-support-for-interrupt-converge-for.patch | 116 ----- ...d-support-for-interrupt-coalescing-f.patch | 153 ------- ...locate-some-codes-to-avoid-an-unused.patch | 97 ---- ..._sas-Fix-warnings-detected-by-sparse.patch | 432 ------------------ ...locate-some-code-to-reduce-complexit.patch | 190 -------- ...s-Make-sg_tablesize-consistent-value.patch | 85 ---- ...unnecessary-configuration-recapture-.patch | 46 -- ...ns3-remove-1000M-half-support-of-phy.patch | 32 -- ...nize-speed-and-duplex-from-phy-when-.patch | 35 -- ...-tx-and-dv-buffer-size-through-firmw.patch | 160 ------- ...ning-buffer-size-in-SSU-to-256-bytes.patch | 147 ------ ...t-hns3-fix-a-SSU-buffer-checking-bug.patch | 48 -- ...ns3-change-default-tc-state-to-close.patch | 33 -- ...-net-hns3-fix-a-bug-caused-by-udelay.patch | 42 -- ...ve-redundant-variable-initialization.patch | 31 -- ...s3_nic_net_open-while-doing-HNAE3_UP.patch | 49 -- ...-bug-with-updating-rq-head-pointer-w.patch | 52 --- 
...for-the-scene-without-receiver-queue.patch | 32 -- ...straint-on-the-setting-of-local-ACK-.patch | 46 -- ...odify-the-pbl-ba-page-size-for-hip08.patch | 31 -- ...s-Assign-rq-head-pointer-when-enable.patch | 66 --- ...isi_sas-Fix-NULL-pointer-dereference.patch | 63 --- ...x-calls-to-dma_set_mask_and_coherent.patch | 73 --- ...efore-trying-to-handle-a-kprobe-trap.patch | 40 -- debian/patches/series | 36 -- 38 files changed, 3071 deletions(-) delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0001-scsi-hisi_sas-Feed-back-linkrate-max-min-when-re-att.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0002-scsi-hisi_sas-Move-evaluation-of-hisi_hba-in-hisi_sa.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0003-scsi-hisi_sas-Fix-the-race-between-IO-completion-and.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0004-scsi-hisi_sas-Free-slot-later-in-slot_complete_vx_hw.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0005-scsi-hisi_sas-unmask-interrupts-ent72-and-ent74.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0006-scsi-hisi_sas-Use-block-layer-tag-instead-for-IPTT.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0007-scsi-hisi_sas-Update-v3-hw-AIP_LIMIT-and-CFG_AGING_T.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0008-scsi-hisi_sas-Fix-spin-lock-management-in-slot_index.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0009-scsi-hisi_sas-use-dma_set_mask_and_coherent.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0010-scsi-hisi_sas-Create-separate-host-attributes-per-HB.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0011-scsi-hisi_sas-Add-support-for-interrupt-converge-for.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0012-scsi-hisi_sas-Add-support-for-interrupt-coalescing-f.patch delete mode 100644 
debian/patches/bugfix/arm64/huawei-taishan/0013-scsi-hisi_sas-Relocate-some-codes-to-avoid-an-unused.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0014-scsi-hisi_sas-Fix-warnings-detected-by-sparse.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0015-scsi-hisi_sas-Relocate-some-code-to-reduce-complexit.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0016-scsi-hisi_sas-Make-sg_tablesize-consistent-value.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0017-net-hns3-remove-unnecessary-configuration-recapture-.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0018-net-hns3-remove-1000M-half-support-of-phy.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0019-net-hns3-synchronize-speed-and-duplex-from-phy-when-.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0020-net-hns3-getting-tx-and-dv-buffer-size-through-firmw.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0021-net-hns3-aligning-buffer-size-in-SSU-to-256-bytes.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0022-net-hns3-fix-a-SSU-buffer-checking-bug.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0023-net-hns3-change-default-tc-state-to-close.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0024-net-hns3-fix-a-bug-caused-by-udelay.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0025-net-hns3-remove-redundant-variable-initialization.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0026-net-hns3-call-hns3_nic_net_open-while-doing-HNAE3_UP.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0027-RDMA-hns-Fix-the-bug-with-updating-rq-head-pointer-w.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0028-RDMA-hns-Bugfix-for-the-scene-without-receiver-queue.patch delete mode 100644 
debian/patches/bugfix/arm64/huawei-taishan/0029-RDMA-hns-Add-constraint-on-the-setting-of-local-ACK-.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0030-RDMA-hns-Modify-the-pbl-ba-page-size-for-hip08.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0031-RDMA-hns-RDMA-hns-Assign-rq-head-pointer-when-enable.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0032-scsi-hisi_sas-Fix-NULL-pointer-dereference.patch delete mode 100644 debian/patches/bugfix/arm64/huawei-taishan/0033-scsi-hisi_sas-fix-calls-to-dma_set_mask_and_coherent.patch delete mode 100644 debian/patches/bugfix/sh/sh-check-for-kprobe-trap-number-before-trying-to-handle-a-kprobe-trap.patch diff --git a/debian/changelog b/debian/changelog index 6bb3f9e20..9125e7405 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,16 +1,5 @@ linux (4.19.37-6) UNRELEASED; urgency=medium - [ John Paul Adrian Glaubitz ] - * [sh4]: Check for kprobe trap number before trying to handle a kprobe trap - - [ Steve McIntyre ] - * [arm64] Improve support for the Huawei TaiShan server platform - (Closes: #930554): - - Enable the HNS/ROCE Infiniband driver - - Backport fixes from 4.20 and 4.21 for HNS3 networking, hisi_sas SAS - and HNS/ROCE Infiniband - - Add module:drivers/scsi/hisi_sas/* to the ABI ignore list - [ Romain Perier ] * [x86] x86/insn-eval: Fix use-after-free access to LDT entry (CVE-2019-13233) * [powerpc*] mm/64s/hash: Reallocate context ids on fork (CVE-2019-12817) diff --git a/debian/config/arm64/config b/debian/config/arm64/config index b9d806a3c..6aedaa096 100644 --- a/debian/config/arm64/config +++ b/debian/config/arm64/config @@ -433,13 +433,6 @@ CONFIG_IIO_CROS_EC_LIGHT_PROX=m ## CONFIG_IIO_CROS_EC_BARO=m -## -## file: drivers/infiniband/hw/hns/Kconfig -## -CONFIG_INFINIBAND_HNS=m -CONFIG_INFINIBAND_HNS_HIP06=m -CONFIG_INFINIBAND_HNS_HIP08=m - ## ## file: drivers/input/keyboard/Kconfig ## 
diff --git a/debian/config/defines b/debian/config/defines index a72467d52..c9be72986 100644 --- a/debian/config/defines +++ b/debian/config/defines @@ -80,8 +80,6 @@ ignore-changes: # Not OOT nf_nat_masquerade_ipv4_register_notifier nf_nat_masquerade_ipv6_register_notifier -# ignore changes to hisi_sas/* - module:drivers/scsi/hisi_sas/* [base] arches: diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0001-scsi-hisi_sas-Feed-back-linkrate-max-min-when-re-att.patch b/debian/patches/bugfix/arm64/huawei-taishan/0001-scsi-hisi_sas-Feed-back-linkrate-max-min-when-re-att.patch deleted file mode 100644 index 133afd8a3..000000000 --- a/debian/patches/bugfix/arm64/huawei-taishan/0001-scsi-hisi_sas-Feed-back-linkrate-max-min-when-re-att.patch +++ /dev/null 
@@ -1,40 +0,0 @@
-From 97a79982f8b8ddcb129a1be1ecc01cef70ab384d Mon Sep 17 00:00:00 2001
-From: Luo Jiaxing
-Date: Mon, 24 Sep 2018 23:06:28 +0800
-Subject: [PATCH 01/31] scsi: hisi_sas: Feed back linkrate(max/min) when
- re-attached
-Origin: https://git.kernel.org/linus/5a54691f874ab29ec82f08bc6936866a3ccdaa91
-
-At directly attached situation, if the user modifies the sysfs interface
-of maximum_linkrate and minimum_linkrate to renegotiate the linkrate
-between SAS controller and target, the value of both files mentioned
-above should have change to user setting after renegotiate is over, but
-it remains unchanged.
-
-To fix this bug, maximum_linkrate and minimum_linkrate will be directly
-fed back to relevant sas_phy structure.
-
-Signed-off-by: Luo Jiaxing
-Signed-off-by: John Garry
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/hisi_sas/hisi_sas_main.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
-index fd9d82c9033d..e9747379384b 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_main.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
-@@ -906,6 +906,9 @@ static void hisi_sas_phy_set_linkrate(struct hisi_hba *hisi_hba, int phy_no,
- _r.maximum_linkrate = max;
- _r.minimum_linkrate = min;
-
-+ sas_phy->phy->maximum_linkrate = max;
-+ sas_phy->phy->minimum_linkrate = min;
-+
- hisi_hba->hw->phy_disable(hisi_hba, phy_no);
- msleep(100);
- hisi_hba->hw->phy_set_linkrate(hisi_hba, phy_no, &_r);
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0002-scsi-hisi_sas-Move-evaluation-of-hisi_hba-in-hisi_sa.patch b/debian/patches/bugfix/arm64/huawei-taishan/0002-scsi-hisi_sas-Move-evaluation-of-hisi_hba-in-hisi_sa.patch
deleted file mode 100644
index b98a6e203..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0002-scsi-hisi_sas-Move-evaluation-of-hisi_hba-in-hisi_sa.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From bbd24b8bdc501fb5dacb43e847b6eeb9a12829f5 Mon Sep 17 00:00:00 2001
-From: Luo Jiaxing
-Date: Mon, 24 Sep 2018 23:06:29 +0800
-Subject: [PATCH 02/31] scsi: hisi_sas: Move evaluation of hisi_hba in
- hisi_sas_task_prep()
-Origin: https://git.kernel.org/linus/1668e3b6f8f8ed2ce685691c92b90dfadeaa3f2f
-
-In evaluating hisi_hba, the sas_port may be NULL, so for safety relocate
-the the check to value possible NULL deference.
-
-Signed-off-by: Luo Jiaxing
-Signed-off-by: John Garry
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/hisi_sas/hisi_sas_main.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
-index e9747379384b..6a959a927e9d 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_main.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
-@@ -288,13 +288,13 @@ static int hisi_sas_task_prep(struct sas_task *task,
- int *pass)
- {
- struct domain_device *device = task->dev;
-- struct hisi_hba *hisi_hba = dev_to_hisi_hba(device);
-+ struct hisi_hba *hisi_hba;
- struct hisi_sas_device *sas_dev = device->lldd_dev;
- struct hisi_sas_port *port;
- struct hisi_sas_slot *slot;
- struct hisi_sas_cmd_hdr *cmd_hdr_base;
- struct asd_sas_port *sas_port = device->port;
-- struct device *dev = hisi_hba->dev;
-+ struct device *dev;
- int dlvry_queue_slot, dlvry_queue, rc, slot_idx;
- int n_elem = 0, n_elem_req = 0, n_elem_resp = 0;
- struct hisi_sas_dq *dq;
-@@ -315,6 +315,9 @@ static int hisi_sas_task_prep(struct sas_task *task,
- return -ECOMM;
- }
-
-+ hisi_hba = dev_to_hisi_hba(device);
-+ dev = hisi_hba->dev;
-+
- if (DEV_IS_GONE(sas_dev)) {
- if (sas_dev)
- dev_info(dev, "task prep: device %d not ready\n",
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0003-scsi-hisi_sas-Fix-the-race-between-IO-completion-and.patch b/debian/patches/bugfix/arm64/huawei-taishan/0003-scsi-hisi_sas-Fix-the-race-between-IO-completion-and.patch
deleted file mode 100644
index aa561f30b..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0003-scsi-hisi_sas-Fix-the-race-between-IO-completion-and.patch
+++ /dev/null
@@ -1,139 +0,0 @@ -From d754707455238c59350c70ce51123b586fefac52 Mon Sep 17 00:00:00 2001 -From: Xiang Chen -Date: Mon, 24 Sep 2018 23:06:30 +0800 -Subject: [PATCH 03/31] scsi: hisi_sas: Fix the race between IO completion and - timeout for SMP/internal IO -Origin: https://git.kernel.org/linus/584f53fe5f529d877968c711a095923c1ed12307 - -If SMP/internal IO times out, we will possibly free the task immediately. - -However if the IO actually completes at the same time, the IO completion -may refer to task which has been freed. - -So to solve the issue, flush the tasklet to finish IO completion before -free'ing slot/task. - -Signed-off-by: Xiang Chen -Signed-off-by: John Garry -Signed-off-by: Martin K. Petersen ---- - drivers/scsi/hisi_sas/hisi_sas_main.c | 55 ++++++++++++++++++++++----- - 1 file changed, 46 insertions(+), 9 deletions(-) - -diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c -index 6a959a927e9d..2f57a318a71b 100644 ---- a/drivers/scsi/hisi_sas/hisi_sas_main.c -+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c -@@ -958,8 +958,7 @@ static int hisi_sas_control_phy(struct asd_sas_phy *sas_phy, enum phy_func func, - - static void hisi_sas_task_done(struct sas_task *task) - { -- if (!del_timer(&task->slow_task->timer)) -- return; -+ del_timer(&task->slow_task->timer); - complete(&task->slow_task->completion); - } - -@@ -968,13 +967,17 @@ static void hisi_sas_tmf_timedout(struct timer_list *t) - struct sas_task_slow *slow = from_timer(slow, t, timer); - struct sas_task *task = slow->task; - unsigned long flags; -+ bool is_completed = true; - - spin_lock_irqsave(&task->task_state_lock, flags); -- if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) -+ if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { - task->task_state_flags |= SAS_TASK_STATE_ABORTED; -+ is_completed = false; -+ } - spin_unlock_irqrestore(&task->task_state_lock, flags); - -- complete(&task->slow_task->completion); -+ if (!is_completed) -+ 
complete(&task->slow_task->completion); - } - - #define TASK_TIMEOUT 20 -@@ -1025,10 +1028,18 @@ static int hisi_sas_exec_internal_tmf_task(struct domain_device *device, - if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) { - if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { - struct hisi_sas_slot *slot = task->lldd_task; -+ struct hisi_sas_cq *cq = -+ &hisi_hba->cq[slot->dlvry_queue]; - - dev_err(dev, "abort tmf: TMF task timeout and not done\n"); -- if (slot) -+ if (slot) { -+ /* -+ * flush tasklet to avoid free'ing task -+ * before using task in IO completion -+ */ -+ tasklet_kill(&cq->tasklet); - slot->task = NULL; -+ } - - goto ex_err; - } else -@@ -1404,6 +1415,17 @@ static int hisi_sas_abort_task(struct sas_task *task) - - spin_lock_irqsave(&task->task_state_lock, flags); - if (task->task_state_flags & SAS_TASK_STATE_DONE) { -+ struct hisi_sas_slot *slot = task->lldd_task; -+ struct hisi_sas_cq *cq; -+ -+ if (slot) { -+ /* -+ * flush tasklet to avoid free'ing task -+ * before using task in IO completion -+ */ -+ cq = &hisi_hba->cq[slot->dlvry_queue]; -+ tasklet_kill(&cq->tasklet); -+ } - spin_unlock_irqrestore(&task->task_state_lock, flags); - rc = TMF_RESP_FUNC_COMPLETE; - goto out; -@@ -1459,12 +1481,19 @@ static int hisi_sas_abort_task(struct sas_task *task) - /* SMP */ - struct hisi_sas_slot *slot = task->lldd_task; - u32 tag = slot->idx; -+ struct hisi_sas_cq *cq = &hisi_hba->cq[slot->dlvry_queue]; - - rc = hisi_sas_internal_task_abort(hisi_hba, device, - HISI_SAS_INT_ABT_CMD, tag); - if (((rc < 0) || (rc == TMF_RESP_FUNC_FAILED)) && -- task->lldd_task) -- hisi_sas_do_release_task(hisi_hba, task, slot); -+ task->lldd_task) { -+ /* -+ * flush tasklet to avoid free'ing task -+ * before using task in IO completion -+ */ -+ tasklet_kill(&cq->tasklet); -+ slot->task = NULL; -+ } - } - - out: -@@ -1830,9 +1859,17 @@ hisi_sas_internal_task_abort(struct hisi_hba *hisi_hba, - if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) { - if 
(!(task->task_state_flags & SAS_TASK_STATE_DONE)) { - struct hisi_sas_slot *slot = task->lldd_task; -- -- if (slot) -+ struct hisi_sas_cq *cq = -+ &hisi_hba->cq[slot->dlvry_queue]; -+ -+ if (slot) { -+ /* -+ * flush tasklet to avoid free'ing task -+ * before using task in IO completion -+ */ -+ tasklet_kill(&cq->tasklet); - slot->task = NULL; -+ } - dev_err(dev, "internal task abort: timeout and not done.\n"); - res = -EIO; - goto exit; --- -2.20.1 - diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0004-scsi-hisi_sas-Free-slot-later-in-slot_complete_vx_hw.patch b/debian/patches/bugfix/arm64/huawei-taishan/0004-scsi-hisi_sas-Free-slot-later-in-slot_complete_vx_hw.patch deleted file mode 100644 index 05ac1ba27..000000000 --- a/debian/patches/bugfix/arm64/huawei-taishan/0004-scsi-hisi_sas-Free-slot-later-in-slot_complete_vx_hw.patch +++ /dev/null 
@@ -1,69 +0,0 @@
-From 3df1056ee50d09c97e421896a698f74d367282ef Mon Sep 17 00:00:00 2001
-From: Xiang Chen
-Date: Mon, 24 Sep 2018 23:06:31 +0800
-Subject: [PATCH 04/31] scsi: hisi_sas: Free slot later in
- slot_complete_vx_hw()
-Origin: https://git.kernel.org/linus/3e178f3ecfcf91a258e832b0f0843a4cfd9059ac
-
-If an SSP/SMP IO times out, it may be actually in reality be
-simultaneously processing completion of the slot in
-slot_complete_vx_hw().
-
-Then if the slot is freed in slot_complete_vx_hw() (this IPTT is freed
-and it may be re-used by other slot), and we may abort the wrong slot in
-hisi_sas_abort_task().
-
-So to solve the issue, free the slot after the check of
-SAS_TASK_STATE_ABORTED in slot_complete_vx_hw().
-
-Signed-off-by: Xiang Chen
-Signed-off-by: John Garry
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 2 +-
- drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
-index 1c4ea58da1ae..c4774d63d5d0 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
-@@ -2481,7 +2481,6 @@ slot_complete_v2_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
- }
-
- out:
-- hisi_sas_slot_task_free(hisi_hba, task, slot);
- sts = ts->stat;
- spin_lock_irqsave(&task->task_state_lock, flags);
- if (task->task_state_flags & SAS_TASK_STATE_ABORTED) {
-@@ -2491,6 +2490,7 @@ slot_complete_v2_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
- }
- task->task_state_flags |= SAS_TASK_STATE_DONE;
- spin_unlock_irqrestore(&task->task_state_lock, flags);
-+ hisi_sas_slot_task_free(hisi_hba, task, slot);
-
- if (!is_internal && (task->task_proto != SAS_PROTOCOL_SMP)) {
- spin_lock_irqsave(&device->done_lock, flags);
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-index 3922b17e2ea3..fb2a5969181b 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-@@ -1749,7 +1749,6 @@ slot_complete_v3_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
- }
-
- out:
-- hisi_sas_slot_task_free(hisi_hba, task, slot);
- sts = ts->stat;
- spin_lock_irqsave(&task->task_state_lock, flags);
- if (task->task_state_flags & SAS_TASK_STATE_ABORTED) {
-@@ -1759,6 +1758,7 @@ slot_complete_v3_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
- }
- task->task_state_flags |= SAS_TASK_STATE_DONE;
- spin_unlock_irqrestore(&task->task_state_lock, flags);
-+ hisi_sas_slot_task_free(hisi_hba, task, slot);
-
- if (!is_internal && (task->task_proto != SAS_PROTOCOL_SMP)) {
- spin_lock_irqsave(&device->done_lock, flags);
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0005-scsi-hisi_sas-unmask-interrupts-ent72-and-ent74.patch b/debian/patches/bugfix/arm64/huawei-taishan/0005-scsi-hisi_sas-unmask-interrupts-ent72-and-ent74.patch
deleted file mode 100644
index e6a7931c3..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0005-scsi-hisi_sas-unmask-interrupts-ent72-and-ent74.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From de1d5713a20562acdb3f94466232432c9dd1d95c Mon Sep 17 00:00:00 2001
-From: Xiang Chen
-Date: Mon, 24 Sep 2018 23:06:32 +0800
-Subject: [PATCH 05/31] scsi: hisi_sas: unmask interrupts ent72 and ent74
-Origin: https://git.kernel.org/linus/6ecf5ba13cd5959eb75f617ff32c93bb67790e48
-
-The interrupts of ent72 and ent74 are not processed by PCIe AER handling,
-so we need to unmask the interrupts and process them first in the driver.
-
-Signed-off-by: Xiang Chen
-Signed-off-by: John Garry
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-index fb2a5969181b..06824bde9c8d 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-@@ -441,7 +441,7 @@ static void init_reg_v3_hw(struct hisi_hba *hisi_hba)
- hisi_sas_write32(hisi_hba, ENT_INT_SRC_MSK1, 0xfefefefe);
- hisi_sas_write32(hisi_hba, ENT_INT_SRC_MSK2, 0xfefefefe);
- if (pdev->revision >= 0x21)
-- hisi_sas_write32(hisi_hba, ENT_INT_SRC_MSK3, 0xffff7fff);
-+ hisi_sas_write32(hisi_hba, ENT_INT_SRC_MSK3, 0xffff7aff);
- else
- hisi_sas_write32(hisi_hba, ENT_INT_SRC_MSK3, 0xfffe20ff);
- hisi_sas_write32(hisi_hba, CHNL_PHYUPDOWN_INT_MSK, 0x0);
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0006-scsi-hisi_sas-Use-block-layer-tag-instead-for-IPTT.patch b/debian/patches/bugfix/arm64/huawei-taishan/0006-scsi-hisi_sas-Use-block-layer-tag-instead-for-IPTT.patch
deleted file mode 100644
index 8bdd59bd3..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0006-scsi-hisi_sas-Use-block-layer-tag-instead-for-IPTT.patch
+++ /dev/null
@@ -1,321 +0,0 @@ -From d35bf6fccf7d4064065c078d3d369ffeaad6c731 Mon Sep 17 00:00:00 2001 -From: Xiang Chen -Date: Mon, 24 Sep 2018 23:06:33 +0800 -Subject: [PATCH 06/31] scsi: hisi_sas: Use block layer tag instead for IPTT -Origin: https://git.kernel.org/linus/784b46b7cba0ae914dd293f23848c5057c6ba017 - -Currently we use the IPTT defined in LLDD to identify IOs. Actually for -IOs which are from the block layer, they have tags to identify them. So -for those IOs, use tag of the block layer directly, and for IOs which is -not from the block layer (such as internal IOs from libsas/LLDD), reserve -96 IPTTs for them. - -Signed-off-by: Xiang Chen -Signed-off-by: John Garry -Signed-off-by: Martin K. Petersen ---- - drivers/scsi/hisi_sas/hisi_sas.h | 3 +- - drivers/scsi/hisi_sas/hisi_sas_main.c | 89 +++++++++++++++++--------- - drivers/scsi/hisi_sas/hisi_sas_v1_hw.c | 1 - - drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 9 +-- - drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 8 ++- - 5 files changed, 70 insertions(+), 40 deletions(-) - -diff --git a/drivers/scsi/hisi_sas/hisi_sas.h b/drivers/scsi/hisi_sas/hisi_sas.h -index 6c7d2e201abe..0ddb53c8a2e2 100644 ---- a/drivers/scsi/hisi_sas/hisi_sas.h -+++ b/drivers/scsi/hisi_sas/hisi_sas.h -@@ -34,6 +34,7 @@ - #define HISI_SAS_MAX_DEVICES HISI_SAS_MAX_ITCT_ENTRIES - #define HISI_SAS_RESET_BIT 0 - #define HISI_SAS_REJECT_CMD_BIT 1 -+#define HISI_SAS_RESERVED_IPTT_CNT 96 - - #define HISI_SAS_STATUS_BUF_SZ (sizeof(struct hisi_sas_status_buffer)) - #define HISI_SAS_COMMAND_TABLE_SZ (sizeof(union hisi_sas_command_table)) -@@ -217,7 +218,7 @@ struct hisi_sas_hw { - int (*hw_init)(struct hisi_hba *hisi_hba); - void (*setup_itct)(struct hisi_hba *hisi_hba, - struct hisi_sas_device *device); -- int (*slot_index_alloc)(struct hisi_hba *hisi_hba, int *slot_idx, -+ int (*slot_index_alloc)(struct hisi_hba *hisi_hba, - struct domain_device *device); - struct hisi_sas_device *(*alloc_dev)(struct domain_device *device); - void (*sl_notify)(struct hisi_hba 
*hisi_hba, int phy_no); -diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c -index 2f57a318a71b..c2998d3ac37f 100644 ---- a/drivers/scsi/hisi_sas/hisi_sas_main.c -+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c -@@ -184,7 +184,14 @@ static void hisi_sas_slot_index_clear(struct hisi_hba *hisi_hba, int slot_idx) - - static void hisi_sas_slot_index_free(struct hisi_hba *hisi_hba, int slot_idx) - { -- hisi_sas_slot_index_clear(hisi_hba, slot_idx); -+ unsigned long flags; -+ -+ if (hisi_hba->hw->slot_index_alloc || (slot_idx >= -+ hisi_hba->hw->max_command_entries - HISI_SAS_RESERVED_IPTT_CNT)) { -+ spin_lock_irqsave(&hisi_hba->lock, flags); -+ hisi_sas_slot_index_clear(hisi_hba, slot_idx); -+ spin_unlock_irqrestore(&hisi_hba->lock, flags); -+ } - } - - static void hisi_sas_slot_index_set(struct hisi_hba *hisi_hba, int slot_idx) -@@ -194,24 +201,34 @@ static void hisi_sas_slot_index_set(struct hisi_hba *hisi_hba, int slot_idx) - set_bit(slot_idx, bitmap); - } - --static int hisi_sas_slot_index_alloc(struct hisi_hba *hisi_hba, int *slot_idx) -+static int hisi_sas_slot_index_alloc(struct hisi_hba *hisi_hba, -+ struct scsi_cmnd *scsi_cmnd) - { -- unsigned int index; -+ int index; - void *bitmap = hisi_hba->slot_index_tags; -+ unsigned long flags; - -+ if (scsi_cmnd) -+ return scsi_cmnd->request->tag; -+ -+ spin_lock_irqsave(&hisi_hba->lock, flags); - index = find_next_zero_bit(bitmap, hisi_hba->slot_index_count, -- hisi_hba->last_slot_index + 1); -+ hisi_hba->last_slot_index + 1); - if (index >= hisi_hba->slot_index_count) { -- index = find_next_zero_bit(bitmap, hisi_hba->slot_index_count, -- 0); -- if (index >= hisi_hba->slot_index_count) -+ index = find_next_zero_bit(bitmap, -+ hisi_hba->slot_index_count, -+ hisi_hba->hw->max_command_entries - -+ HISI_SAS_RESERVED_IPTT_CNT); -+ if (index >= hisi_hba->slot_index_count) { -+ spin_unlock_irqrestore(&hisi_hba->lock, flags); - return -SAS_QUEUE_FULL; -+ } - } - 
hisi_sas_slot_index_set(hisi_hba, index); -- *slot_idx = index; - hisi_hba->last_slot_index = index; -+ spin_unlock_irqrestore(&hisi_hba->lock, flags); - -- return 0; -+ return index; - } - - static void hisi_sas_slot_index_init(struct hisi_hba *hisi_hba) -@@ -250,9 +267,7 @@ void hisi_sas_slot_task_free(struct hisi_hba *hisi_hba, struct sas_task *task, - - memset(slot, 0, offsetof(struct hisi_sas_slot, buf)); - -- spin_lock_irqsave(&hisi_hba->lock, flags); - hisi_sas_slot_index_free(hisi_hba, slot->idx); -- spin_unlock_irqrestore(&hisi_hba->lock, flags); - } - EXPORT_SYMBOL_GPL(hisi_sas_slot_task_free); - -@@ -385,16 +400,27 @@ static int hisi_sas_task_prep(struct sas_task *task, - goto err_out_dma_unmap; - } - -- spin_lock_irqsave(&hisi_hba->lock, flags); - if (hisi_hba->hw->slot_index_alloc) -- rc = hisi_hba->hw->slot_index_alloc(hisi_hba, &slot_idx, -- device); -- else -- rc = hisi_sas_slot_index_alloc(hisi_hba, &slot_idx); -- spin_unlock_irqrestore(&hisi_hba->lock, flags); -- if (rc) -+ rc = hisi_hba->hw->slot_index_alloc(hisi_hba, device); -+ else { -+ struct scsi_cmnd *scsi_cmnd = NULL; -+ -+ if (task->uldd_task) { -+ struct ata_queued_cmd *qc; -+ -+ if (dev_is_sata(device)) { -+ qc = task->uldd_task; -+ scsi_cmnd = qc->scsicmd; -+ } else { -+ scsi_cmnd = task->uldd_task; -+ } -+ } -+ rc = hisi_sas_slot_index_alloc(hisi_hba, scsi_cmnd); -+ } -+ if (rc < 0) - goto err_out_dma_unmap; - -+ slot_idx = rc; - slot = &hisi_hba->slot_info[slot_idx]; - - spin_lock_irqsave(&dq->lock, flags); -@@ -455,9 +481,7 @@ static int hisi_sas_task_prep(struct sas_task *task, - return 0; - - err_out_tag: -- spin_lock_irqsave(&hisi_hba->lock, flags); - hisi_sas_slot_index_free(hisi_hba, slot_idx); -- spin_unlock_irqrestore(&hisi_hba->lock, flags); - err_out_dma_unmap: - if (!sas_protocol_ata(task->task_proto)) { - if (task->num_scatter) { -@@ -1742,14 +1766,11 @@ hisi_sas_internal_abort_task_exec(struct hisi_hba *hisi_hba, int device_id, - port = to_hisi_sas_port(sas_port); - - /* 
simply get a slot and send abort command */ -- spin_lock_irqsave(&hisi_hba->lock, flags); -- rc = hisi_sas_slot_index_alloc(hisi_hba, &slot_idx); -- if (rc) { -- spin_unlock_irqrestore(&hisi_hba->lock, flags); -+ rc = hisi_sas_slot_index_alloc(hisi_hba, NULL); -+ if (rc < 0) - goto err_out; -- } -- spin_unlock_irqrestore(&hisi_hba->lock, flags); - -+ slot_idx = rc; - slot = &hisi_hba->slot_info[slot_idx]; - - spin_lock_irqsave(&dq->lock, flags_dq); -@@ -1785,7 +1806,6 @@ hisi_sas_internal_abort_task_exec(struct hisi_hba *hisi_hba, int device_id, - spin_lock_irqsave(&task->task_state_lock, flags); - task->task_state_flags |= SAS_TASK_AT_INITIATOR; - spin_unlock_irqrestore(&task->task_state_lock, flags); -- - WRITE_ONCE(slot->ready, 1); - /* send abort command to the chip */ - spin_lock_irqsave(&dq->lock, flags); -@@ -1796,9 +1816,7 @@ hisi_sas_internal_abort_task_exec(struct hisi_hba *hisi_hba, int device_id, - return 0; - - err_out_tag: -- spin_lock_irqsave(&hisi_hba->lock, flags); - hisi_sas_slot_index_free(hisi_hba, slot_idx); -- spin_unlock_irqrestore(&hisi_hba->lock, flags); - err_out: - dev_err(dev, "internal abort task prep: failed[%d]!\n", rc); - -@@ -2174,6 +2192,8 @@ int hisi_sas_alloc(struct hisi_hba *hisi_hba, struct Scsi_Host *shost) - hisi_sas_init_mem(hisi_hba); - - hisi_sas_slot_index_init(hisi_hba); -+ hisi_hba->last_slot_index = hisi_hba->hw->max_command_entries - -+ HISI_SAS_RESERVED_IPTT_CNT; - - hisi_hba->wq = create_singlethread_workqueue(dev_name(dev)); - if (!hisi_hba->wq) { -@@ -2377,8 +2397,15 @@ int hisi_sas_probe(struct platform_device *pdev, - shost->max_channel = 1; - shost->max_cmd_len = 16; - shost->sg_tablesize = min_t(u16, SG_ALL, HISI_SAS_SGE_PAGE_CNT); -- shost->can_queue = hisi_hba->hw->max_command_entries; -- shost->cmd_per_lun = hisi_hba->hw->max_command_entries; -+ if (hisi_hba->hw->slot_index_alloc) { -+ shost->can_queue = hisi_hba->hw->max_command_entries; -+ shost->cmd_per_lun = hisi_hba->hw->max_command_entries; -+ } else 
{ -+ shost->can_queue = hisi_hba->hw->max_command_entries - -+ HISI_SAS_RESERVED_IPTT_CNT; -+ shost->cmd_per_lun = hisi_hba->hw->max_command_entries - -+ HISI_SAS_RESERVED_IPTT_CNT; -+ } - - sha->sas_ha_name = DRV_NAME; - sha->dev = hisi_hba->dev; -diff --git a/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c -index 410eccf0bc5e..8df822a4a1bd 100644 ---- a/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c -+++ b/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c -@@ -1807,7 +1807,6 @@ static struct scsi_host_template sht_v1_hw = { - .scan_start = hisi_sas_scan_start, - .change_queue_depth = sas_change_queue_depth, - .bios_param = sas_bios_param, -- .can_queue = 1, - .this_id = -1, - .sg_tablesize = SG_ALL, - .max_sectors = SCSI_DEFAULT_MAX_SECTORS, -diff --git a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c -index c4774d63d5d0..58a564c75a35 100644 ---- a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c -+++ b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c -@@ -770,7 +770,7 @@ static u32 hisi_sas_phy_read32(struct hisi_hba *hisi_hba, - - /* This function needs to be protected from pre-emption. 
*/ - static int --slot_index_alloc_quirk_v2_hw(struct hisi_hba *hisi_hba, int *slot_idx, -+slot_index_alloc_quirk_v2_hw(struct hisi_hba *hisi_hba, - struct domain_device *device) - { - int sata_dev = dev_is_sata(device); -@@ -778,6 +778,7 @@ slot_index_alloc_quirk_v2_hw(struct hisi_hba *hisi_hba, int *slot_idx, - struct hisi_sas_device *sas_dev = device->lldd_dev; - int sata_idx = sas_dev->sata_idx; - int start, end; -+ unsigned long flags; - - if (!sata_dev) { - /* -@@ -801,6 +802,7 @@ slot_index_alloc_quirk_v2_hw(struct hisi_hba *hisi_hba, int *slot_idx, - end = 64 * (sata_idx + 2); - } - -+ spin_lock_irqsave(&hisi_hba->lock, flags); - while (1) { - start = find_next_zero_bit(bitmap, - hisi_hba->slot_index_count, start); -@@ -815,8 +817,8 @@ slot_index_alloc_quirk_v2_hw(struct hisi_hba *hisi_hba, int *slot_idx, - } - - set_bit(start, bitmap); -- *slot_idx = start; -- return 0; -+ spin_unlock_irqrestore(&hisi_hba->lock, flags); -+ return start; - } - - static bool sata_index_alloc_v2_hw(struct hisi_hba *hisi_hba, int *idx) -@@ -3558,7 +3560,6 @@ static struct scsi_host_template sht_v2_hw = { - .scan_start = hisi_sas_scan_start, - .change_queue_depth = sas_change_queue_depth, - .bios_param = sas_bios_param, -- .can_queue = 1, - .this_id = -1, - .sg_tablesize = SG_ALL, - .max_sectors = SCSI_DEFAULT_MAX_SECTORS, -diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c -index 06824bde9c8d..a0fc2d5de787 100644 ---- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c -+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c -@@ -2096,7 +2096,6 @@ static struct scsi_host_template sht_v3_hw = { - .scan_start = hisi_sas_scan_start, - .change_queue_depth = sas_change_queue_depth, - .bios_param = sas_bios_param, -- .can_queue = 1, - .this_id = -1, - .sg_tablesize = SG_ALL, - .max_sectors = SCSI_DEFAULT_MAX_SECTORS, -@@ -2106,6 +2105,7 @@ static struct scsi_host_template sht_v3_hw = { - .target_destroy = sas_target_destroy, - .ioctl = sas_ioctl, - .shost_attrs = 
host_attrs, -+ .tag_alloc_policy = BLK_TAG_ALLOC_RR, - }; - - static const struct hisi_sas_hw hisi_sas_v3_hw = { -@@ -2243,8 +2243,10 @@ hisi_sas_v3_probe(struct pci_dev *pdev, const struct pci_device_id *id) - shost->max_channel = 1; - shost->max_cmd_len = 16; - shost->sg_tablesize = min_t(u16, SG_ALL, HISI_SAS_SGE_PAGE_CNT); -- shost->can_queue = hisi_hba->hw->max_command_entries; -- shost->cmd_per_lun = hisi_hba->hw->max_command_entries; -+ shost->can_queue = hisi_hba->hw->max_command_entries - -+ HISI_SAS_RESERVED_IPTT_CNT; -+ shost->cmd_per_lun = hisi_hba->hw->max_command_entries - -+ HISI_SAS_RESERVED_IPTT_CNT; - - sha->sas_ha_name = DRV_NAME; - sha->dev = dev; --- -2.20.1 - diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0007-scsi-hisi_sas-Update-v3-hw-AIP_LIMIT-and-CFG_AGING_T.patch b/debian/patches/bugfix/arm64/huawei-taishan/0007-scsi-hisi_sas-Update-v3-hw-AIP_LIMIT-and-CFG_AGING_T.patch deleted file mode 100644 index 8f72f96bb..000000000 --- a/debian/patches/bugfix/arm64/huawei-taishan/0007-scsi-hisi_sas-Update-v3-hw-AIP_LIMIT-and-CFG_AGING_T.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 4fdcfb8a09d75fbabf4454a60001224b89245c82 Mon Sep 17 00:00:00 2001 -From: Xiang Chen -Date: Mon, 24 Sep 2018 23:06:34 +0800 -Subject: [PATCH 07/31] scsi: hisi_sas: Update v3 hw AIP_LIMIT and - CFG_AGING_TIME register values -Origin: https://git.kernel.org/linus/3bccfba8312762becfb05b35d698ba8cffd440f2 - -Update registers as follows: -- Default value of AIP timer is 1ms, and it is easy for some expanders to - cause IO error. Change the value to max value 65ms to avoid IO error for - those expanders. - -- A CQ completion will be reported by HW when 4 CQs have occurred or the - aging timer expires, whichever happens first. Sor serial IO scenario, it - will still wait 8us for every IO before it is reported. So in the - situation, the performance is poor. So to improve it, change the limit - time to the least value. - For other scenario, it does little affect to the performance. - -Signed-off-by: Xiang Chen -Signed-off-by: John Garry -Signed-off-by: Martin K. Petersen ---- - drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c -index a0fc2d5de787..c3e0be90e19f 100644 ---- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c -+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c -@@ -127,6 +127,7 @@ - #define PHY_CTRL_RESET_OFF 0 - #define PHY_CTRL_RESET_MSK (0x1 << PHY_CTRL_RESET_OFF) - #define SL_CFG (PORT_BASE + 0x84) -+#define AIP_LIMIT (PORT_BASE + 0x90) - #define SL_CONTROL (PORT_BASE + 0x94) - #define SL_CONTROL_NOTIFY_EN_OFF 0 - #define SL_CONTROL_NOTIFY_EN_MSK (0x1 << SL_CONTROL_NOTIFY_EN_OFF) -@@ -431,6 +432,7 @@ static void init_reg_v3_hw(struct hisi_hba *hisi_hba) - (u32)((1ULL << hisi_hba->queue_count) - 1)); - hisi_sas_write32(hisi_hba, CFG_MAX_TAG, 0xfff0400); - hisi_sas_write32(hisi_hba, HGC_SAS_TXFAIL_RETRY_CTRL, 0x108); -+ hisi_sas_write32(hisi_hba, CFG_AGING_TIME, 0x1); - hisi_sas_write32(hisi_hba, INT_COAL_EN, 0x1); - 
hisi_sas_write32(hisi_hba, OQ_INT_COAL_TIME, 0x1); - hisi_sas_write32(hisi_hba, OQ_INT_COAL_CNT, 0x1); -@@ -495,6 +497,7 @@ static void init_reg_v3_hw(struct hisi_hba *hisi_hba) - hisi_sas_phy_write32(hisi_hba, i, SAS_SSP_CON_TIMER_CFG, 0x32); - /* used for 12G negotiate */ - hisi_sas_phy_write32(hisi_hba, i, COARSETUNE_TIME, 0x1e); -+ hisi_sas_phy_write32(hisi_hba, i, AIP_LIMIT, 0x2ffff); - } - - for (i = 0; i < hisi_hba->queue_count; i++) { --- -2.20.1 - diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0008-scsi-hisi_sas-Fix-spin-lock-management-in-slot_index.patch b/debian/patches/bugfix/arm64/huawei-taishan/0008-scsi-hisi_sas-Fix-spin-lock-management-in-slot_index.patch deleted file mode 100644 index d0083f64e..000000000 --- a/debian/patches/bugfix/arm64/huawei-taishan/0008-scsi-hisi_sas-Fix-spin-lock-management-in-slot_index.patch +++ /dev/null 
@@ -1,36 +0,0 @@
-From f27f6edaf4983b00a3c0e2f6ab720cfa3150a147 Mon Sep 17 00:00:00 2001
-From: John Garry
-Date: Tue, 16 Oct 2018 23:00:36 +0800
-Subject: [PATCH 08/31] scsi: hisi_sas: Fix spin lock management in
- slot_index_alloc_quirk_v2_hw()
-Origin: https://git.kernel.org/linus/fe5fb42de36227c1c2dbb1e7403329ec8a915c20
-
-Currently a spin_unlock_irqrestore() call is missing on the error path,
-so add it.
-
-Reported-by: Julia Lawall
-Signed-off-by: John Garry
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
-index 58a564c75a35..77a85ead483e 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
-@@ -806,8 +806,10 @@ slot_index_alloc_quirk_v2_hw(struct hisi_hba *hisi_hba,
- while (1) {
- start = find_next_zero_bit(bitmap,
- hisi_hba->slot_index_count, start);
-- if (start >= end)
-+ if (start >= end) {
-+ spin_unlock_irqrestore(&hisi_hba->lock, flags);
- return -SAS_QUEUE_FULL;
-+ }
- /*
- * SAS IPTT bit0 should be 1, and SATA IPTT bit0 should be 0.
- */
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0009-scsi-hisi_sas-use-dma_set_mask_and_coherent.patch b/debian/patches/bugfix/arm64/huawei-taishan/0009-scsi-hisi_sas-use-dma_set_mask_and_coherent.patch
deleted file mode 100644
index 0bad1af78..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0009-scsi-hisi_sas-use-dma_set_mask_and_coherent.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 59bc5f2f2492ef9949cd723fc98bafa7d8a6c287 Mon Sep 17 00:00:00 2001
-From: Christoph Hellwig
-Date: Thu, 18 Oct 2018 15:10:17 +0200
-Subject: [PATCH 09/31] scsi: hisi_sas: use dma_set_mask_and_coherent
-Origin: https://git.kernel.org/linus/e4db40e7a1a2cd6af3b6d5f8f3fba15533872398
-
-The driver currently uses pci_set_dma_mask despite otherwise using the
-generic DMA API. Switch it over to the better generic DMA API.
-
-Signed-off-by: Christoph Hellwig
-Acked-by: John Garry
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 13 +++++--------
- 1 file changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-index c3e0be90e19f..43005d39abe6 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-@@ -2199,14 +2199,11 @@ hisi_sas_v3_probe(struct pci_dev *pdev, const struct pci_device_id *id)
- if (rc)
- goto err_out_disable_device;
-
-- if ((pci_set_dma_mask(pdev, DMA_BIT_MASK(64)) != 0) ||
-- (pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64)) != 0)) {
-- if ((pci_set_dma_mask(pdev, DMA_BIT_MASK(32)) != 0) ||
-- (pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(32)) != 0)) {
-- dev_err(dev, "No usable DMA addressing method\n");
-- rc = -EIO;
-- goto err_out_regions;
-- }
-+ if (dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(64)) ||
-+ dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32))) {
-+ dev_err(dev, "No usable DMA addressing method\n");
-+ rc = -EIO;
-+ goto err_out_regions;
- }
-
- shost = hisi_sas_shost_alloc_pci(pdev);
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0010-scsi-hisi_sas-Create-separate-host-attributes-per-HB.patch b/debian/patches/bugfix/arm64/huawei-taishan/0010-scsi-hisi_sas-Create-separate-host-attributes-per-HB.patch
deleted file mode 100644
index 15e139004..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0010-scsi-hisi_sas-Create-separate-host-attributes-per-HB.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From 4e63bca6e8c3a7fac800ee6c27f9afab13774fde Mon Sep 17 00:00:00 2001
-From: Xiang Chen
-Date: Fri, 9 Nov 2018 22:06:32 +0800
-Subject: [PATCH 10/31] scsi: hisi_sas: Create separate host attributes per HBA
-Origin: https://git.kernel.org/linus/c3566f9a617de3288739fd3b8e7539951bf2b04d
-
-Currently all the three HBA (v1/v2/v3 HW) share the same host attributes.
-
-To support each HBA having separate attributes in future, create per-HBA
-attributes.
-
-Signed-off-by: Xiang Chen
-Signed-off-by: John Garry
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/hisi_sas/hisi_sas.h | 1 -
- drivers/scsi/hisi_sas/hisi_sas_main.c | 6 ------
- drivers/scsi/hisi_sas/hisi_sas_v1_hw.c | 7 ++++++-
- drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 7 ++++++-
- drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 7 ++++++-
- 5 files changed, 18 insertions(+), 10 deletions(-)
-
-diff --git a/drivers/scsi/hisi_sas/hisi_sas.h b/drivers/scsi/hisi_sas/hisi_sas.h
-index 0ddb53c8a2e2..94a9e13c069c 100644
---- a/drivers/scsi/hisi_sas/hisi_sas.h
-+++ b/drivers/scsi/hisi_sas/hisi_sas.h
-@@ -468,7 +468,6 @@ extern int hisi_sas_remove(struct platform_device *pdev);
- extern int hisi_sas_slave_configure(struct scsi_device *sdev);
- extern int hisi_sas_scan_finished(struct Scsi_Host *shost, unsigned long time);
- extern void hisi_sas_scan_start(struct Scsi_Host *shost);
--extern struct device_attribute *host_attrs[];
- extern int hisi_sas_host_reset(struct Scsi_Host *shost, int reset_type);
- extern void hisi_sas_phy_down(struct hisi_hba *hisi_hba, int phy_no, int rdy);
- extern void hisi_sas_slot_task_free(struct hisi_hba *hisi_hba,
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
-index c2998d3ac37f..dc71f8d83551 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_main.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
-@@ -2009,12 +2009,6 @@ EXPORT_SYMBOL_GPL(hisi_sas_kill_tasklets);
- struct scsi_transport_template *hisi_sas_stt;
- EXPORT_SYMBOL_GPL(hisi_sas_stt);
-
--struct device_attribute *host_attrs[] = {
-- &dev_attr_phy_event_threshold,
-- NULL,
--};
--EXPORT_SYMBOL_GPL(host_attrs);
--
- static struct sas_domain_function_template hisi_sas_transport_ops = {
- .lldd_dev_found = hisi_sas_dev_found,
- .lldd_dev_gone = hisi_sas_dev_gone,
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c
-index 8df822a4a1bd..e8e3a876e493 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c
-@@ -1797,6 +1797,11 @@ static int hisi_sas_v1_init(struct hisi_hba *hisi_hba)
- return 0;
- }
-
-+static struct device_attribute *host_attrs_v1_hw[] = {
-+ &dev_attr_phy_event_threshold,
-+ NULL
-+};
-+
- static struct scsi_host_template sht_v1_hw = {
- .name = DRV_NAME,
- .module = THIS_MODULE,
-@@ -1815,7 +1820,7 @@ static struct scsi_host_template sht_v1_hw = {
- .eh_target_reset_handler = sas_eh_target_reset_handler,
- .target_destroy = sas_target_destroy,
- .ioctl = sas_ioctl,
-- .shost_attrs = host_attrs,
-+ .shost_attrs = host_attrs_v1_hw,
- };
-
- static const struct hisi_sas_hw hisi_sas_v1_hw = {
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
-index 77a85ead483e..574a269e2865 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
-@@ -3552,6 +3552,11 @@ static void wait_cmds_complete_timeout_v2_hw(struct hisi_hba *hisi_hba,
- dev_dbg(dev, "wait commands complete %dms\n", time);
- }
-
-+struct device_attribute *host_attrs_v2_hw[] = {
-+ &dev_attr_phy_event_threshold,
-+ NULL
-+};
-+
- static struct scsi_host_template sht_v2_hw = {
- .name = DRV_NAME,
- .module = THIS_MODULE,
-@@ -3570,7 +3575,7 @@ static struct scsi_host_template sht_v2_hw = {
- .eh_target_reset_handler = sas_eh_target_reset_handler,
- .target_destroy = sas_target_destroy,
- .ioctl = sas_ioctl,
-- .shost_attrs = host_attrs,
-+ .shost_attrs = host_attrs_v2_hw,
- };
-
- static const struct hisi_sas_hw hisi_sas_v2_hw = {
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-index 43005d39abe6..1d0896959fbb 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-@@ -2089,6 +2089,11 @@ static void wait_cmds_complete_timeout_v3_hw(struct hisi_hba *hisi_hba,
- dev_dbg(dev, "wait commands complete %dms\n", time);
- }
-
-+struct device_attribute *host_attrs_v3_hw[] = {
-+ &dev_attr_phy_event_threshold,
-+ NULL
-+};
-+
- static struct scsi_host_template sht_v3_hw = {
- .name = DRV_NAME,
- .module = THIS_MODULE,
-@@ -2107,7 +2112,7 @@ static struct scsi_host_template sht_v3_hw = {
- .eh_target_reset_handler = sas_eh_target_reset_handler,
- .target_destroy = sas_target_destroy,
- .ioctl = sas_ioctl,
-- .shost_attrs = host_attrs,
-+ .shost_attrs = host_attrs_v3_hw,
- .tag_alloc_policy = BLK_TAG_ALLOC_RR,
- };
-
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0011-scsi-hisi_sas-Add-support-for-interrupt-converge-for.patch b/debian/patches/bugfix/arm64/huawei-taishan/0011-scsi-hisi_sas-Add-support-for-interrupt-converge-for.patch
deleted file mode 100644
index fab91f300..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0011-scsi-hisi_sas-Add-support-for-interrupt-converge-for.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 7e5e4c2dfd67e156956e46c4d503466726a5359c Mon Sep 17 00:00:00 2001
-From: Xiang Chen
-Date: Fri, 9 Nov 2018 22:06:33 +0800
-Subject: [PATCH 11/31] scsi: hisi_sas: Add support for interrupt converge for
- v3 hw
-Origin: https://git.kernel.org/linus/488cf558e3d7c95daf737d9cae165019ee3f2840
-
-If CQ_INT_CONVERGE_EN is enabled, the interrupts of all the 16 CQ queues
-will be reported by CQ0.
-
-So we need to change the process of CQ tasklet for this situation.
-
-Signed-off-by: Xiang Chen
-Signed-off-by: John Garry
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 29 +++++++++++++++++++++-----
- 1 file changed, 24 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-index 1d0896959fbb..b70190936f1b 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-@@ -42,6 +42,7 @@
- #define MAX_CON_TIME_LIMIT_TIME 0xa4
- #define BUS_INACTIVE_LIMIT_TIME 0xa8
- #define REJECT_TO_OPEN_LIMIT_TIME 0xac
-+#define CQ_INT_CONVERGE_EN 0xb0
- #define CFG_AGING_TIME 0xbc
- #define HGC_DFX_CFG2 0xc0
- #define CFG_ABT_SET_QUERY_IPTT 0xd4
-@@ -371,6 +372,9 @@ struct hisi_sas_err_record_v3 {
- ((fis.command == ATA_CMD_DEV_RESET) && \
- ((fis.control & ATA_SRST) != 0)))
-
-+static bool hisi_sas_intr_conv;
-+MODULE_PARM_DESC(intr_conv, "interrupt converge enable (0-1)");
-+
- static u32 hisi_sas_read32(struct hisi_hba *hisi_hba, u32 off)
- {
- void __iomem *regs = hisi_hba->regs + off;
-@@ -436,6 +440,8 @@ static void init_reg_v3_hw(struct hisi_hba *hisi_hba)
- hisi_sas_write32(hisi_hba, INT_COAL_EN, 0x1);
- hisi_sas_write32(hisi_hba, OQ_INT_COAL_TIME, 0x1);
- hisi_sas_write32(hisi_hba, OQ_INT_COAL_CNT, 0x1);
-+ hisi_sas_write32(hisi_hba, CQ_INT_CONVERGE_EN,
-+ hisi_sas_intr_conv);
- hisi_sas_write32(hisi_hba, OQ_INT_SRC, 0xffff);
- hisi_sas_write32(hisi_hba, ENT_INT_SRC1, 0xffffffff);
- hisi_sas_write32(hisi_hba, ENT_INT_SRC2, 0xffffffff);
-@@ -1878,10 +1884,12 @@ static int interrupt_init_v3_hw(struct hisi_hba *hisi_hba)
- for (i = 0; i < hisi_hba->queue_count; i++) {
- struct hisi_sas_cq *cq = &hisi_hba->cq[i];
- struct tasklet_struct *t = &cq->tasklet;
-+ int nr = hisi_sas_intr_conv ? 16 : 16 + i;
-+ unsigned long irqflags = hisi_sas_intr_conv ? IRQF_SHARED : 0;
-
-- rc = devm_request_irq(dev, pci_irq_vector(pdev, i+16),
-- cq_interrupt_v3_hw, 0,
-- DRV_NAME " cq", cq);
-+ rc = devm_request_irq(dev, pci_irq_vector(pdev, nr),
-+ cq_interrupt_v3_hw, irqflags,
-+ DRV_NAME " cq", cq);
- if (rc) {
- dev_err(dev,
- "could not request cq%d interrupt, rc=%d\n",
-@@ -1898,8 +1906,9 @@ static int interrupt_init_v3_hw(struct hisi_hba *hisi_hba)
- free_cq_irqs:
- for (k = 0; k < i; k++) {
- struct hisi_sas_cq *cq = &hisi_hba->cq[k];
-+ int nr = hisi_sas_intr_conv ? 16 : 16 + k;
-
-- free_irq(pci_irq_vector(pdev, k+16), cq);
-+ free_irq(pci_irq_vector(pdev, nr), cq);
- }
- free_irq(pci_irq_vector(pdev, 11), hisi_hba);
- free_chnl_interrupt:
-@@ -2089,8 +2098,16 @@ static void wait_cmds_complete_timeout_v3_hw(struct hisi_hba *hisi_hba,
- dev_dbg(dev, "wait commands complete %dms\n", time);
- }
-
-+static ssize_t intr_conv_v3_hw_show(struct device *dev,
-+ struct device_attribute *attr, char *buf)
-+{
-+ return scnprintf(buf, PAGE_SIZE, "%u\n", hisi_sas_intr_conv);
-+}
-+static DEVICE_ATTR_RO(intr_conv_v3_hw);
-+
- struct device_attribute *host_attrs_v3_hw[] = {
- &dev_attr_phy_event_threshold,
-+ &dev_attr_intr_conv_v3_hw,
- NULL
- };
-
-@@ -2303,8 +2320,9 @@ hisi_sas_v3_destroy_irqs(struct pci_dev *pdev, struct hisi_hba *hisi_hba)
- free_irq(pci_irq_vector(pdev, 11), hisi_hba);
- for (i = 0; i < hisi_hba->queue_count; i++) {
- struct hisi_sas_cq *cq = &hisi_hba->cq[i];
-+ int nr = hisi_sas_intr_conv ? 16 : 16 + i;
-
-- free_irq(pci_irq_vector(pdev, i+16), cq);
-+ free_irq(pci_irq_vector(pdev, nr), cq);
- }
- pci_free_irq_vectors(pdev);
- }
-@@ -2626,6 +2644,7 @@ static struct pci_driver sas_v3_pci_driver = {
- };
-
- module_pci_driver(sas_v3_pci_driver);
-+module_param_named(intr_conv, hisi_sas_intr_conv, bool, 0444);
-
- MODULE_LICENSE("GPL");
- MODULE_AUTHOR("John Garry ");
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0012-scsi-hisi_sas-Add-support-for-interrupt-coalescing-f.patch b/debian/patches/bugfix/arm64/huawei-taishan/0012-scsi-hisi_sas-Add-support-for-interrupt-coalescing-f.patch
deleted file mode 100644
index fa038117d..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0012-scsi-hisi_sas-Add-support-for-interrupt-coalescing-f.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From 20ca5e4f2c4a2c08340225f074c56f7be1c86f5b Mon Sep 17 00:00:00 2001
-From: Xiang Chen
-Date: Fri, 9 Nov 2018 22:06:34 +0800
-Subject: [PATCH 12/31] scsi: hisi_sas: Add support for interrupt coalescing
- for v3 hw
-Origin: https://git.kernel.org/linus/37359798ec44ae03fab383a9bef3b7c9df819063
-
-If INT_COAL_EN is enabled, configure time and count of interrupt
-coalescing. Then if CQ collects count of CQ entries in time, it will
-report the interrupt. Or if CQ doesn't collect enough CQ entries in time,
-it will report the interrupt at timeout.
-
-As all the registers are not supported to be changed dynamically, we need
-to config those register between disable and enable PHYs.
-
-Signed-off-by: Xiang Chen
-Signed-off-by: John Garry
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/hisi_sas/hisi_sas.h | 2 +
- drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 100 +++++++++++++++++++++++++
- 2 files changed, 102 insertions(+)
-
-diff --git a/drivers/scsi/hisi_sas/hisi_sas.h b/drivers/scsi/hisi_sas/hisi_sas.h
-index 94a9e13c069c..535c61391250 100644
---- a/drivers/scsi/hisi_sas/hisi_sas.h
-+++ b/drivers/scsi/hisi_sas/hisi_sas.h
-@@ -322,6 +322,8 @@ struct hisi_hba {
- unsigned long sata_dev_bitmap[BITS_TO_LONGS(HISI_SAS_MAX_DEVICES)];
- struct work_struct rst_work;
- u32 phy_state;
-+ u32 intr_coal_ticks; /* Time of interrupt coalesce in us */
-+ u32 intr_coal_count; /* Interrupt count to coalesce */
- };
-
- /* Generic HW DMA host memory structures */
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-index b70190936f1b..7d7cb73e4bee 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-@@ -2105,9 +2105,109 @@ static ssize_t intr_conv_v3_hw_show(struct device *dev,
- }
- static DEVICE_ATTR_RO(intr_conv_v3_hw);
-
-+static void config_intr_coal_v3_hw(struct hisi_hba *hisi_hba)
-+{
-+ /* config those registers between enable and disable PHYs */
-+ hisi_sas_stop_phys(hisi_hba);
-+
-+ if (hisi_hba->intr_coal_ticks == 0 ||
-+ hisi_hba->intr_coal_count == 0) {
-+ hisi_sas_write32(hisi_hba, INT_COAL_EN, 0x1);
-+ hisi_sas_write32(hisi_hba, OQ_INT_COAL_TIME, 0x1);
-+ hisi_sas_write32(hisi_hba, OQ_INT_COAL_CNT, 0x1);
-+ } else {
-+ hisi_sas_write32(hisi_hba, INT_COAL_EN, 0x3);
-+ hisi_sas_write32(hisi_hba, OQ_INT_COAL_TIME,
-+ hisi_hba->intr_coal_ticks);
-+ hisi_sas_write32(hisi_hba, OQ_INT_COAL_CNT,
-+ hisi_hba->intr_coal_count);
-+ }
-+ phys_init_v3_hw(hisi_hba);
-+}
-+
-+static ssize_t intr_coal_ticks_v3_hw_show(struct device *dev,
-+ struct device_attribute *attr,
-+ char *buf)
-+{
-+ struct Scsi_Host *shost = class_to_shost(dev);
-+ struct hisi_hba *hisi_hba = shost_priv(shost);
-+
-+ return scnprintf(buf, PAGE_SIZE, "%u\n",
-+ hisi_hba->intr_coal_ticks);
-+}
-+
-+static ssize_t intr_coal_ticks_v3_hw_store(struct device *dev,
-+ struct device_attribute *attr,
-+ const char *buf, size_t count)
-+{
-+ struct Scsi_Host *shost = class_to_shost(dev);
-+ struct hisi_hba *hisi_hba = shost_priv(shost);
-+ u32 intr_coal_ticks;
-+ int ret;
-+
-+ ret = kstrtou32(buf, 10, &intr_coal_ticks);
-+ if (ret) {
-+ dev_err(dev, "Input data of interrupt coalesce unmatch\n");
-+ return -EINVAL;
-+ }
-+
-+ if (intr_coal_ticks >= BIT(24)) {
-+ dev_err(dev, "intr_coal_ticks must be less than 2^24!\n");
-+ return -EINVAL;
-+ }
-+
-+ hisi_hba->intr_coal_ticks = intr_coal_ticks;
-+
-+ config_intr_coal_v3_hw(hisi_hba);
-+
-+ return count;
-+}
-+static DEVICE_ATTR_RW(intr_coal_ticks_v3_hw);
-+
-+static ssize_t intr_coal_count_v3_hw_show(struct device *dev,
-+ struct device_attribute
-+ *attr, char *buf)
-+{
-+ struct Scsi_Host *shost = class_to_shost(dev);
-+ struct hisi_hba *hisi_hba = shost_priv(shost);
-+
-+ return scnprintf(buf, PAGE_SIZE, "%u\n",
-+ hisi_hba->intr_coal_count);
-+}
-+
-+static ssize_t intr_coal_count_v3_hw_store(struct device *dev,
-+ struct device_attribute
-+ *attr, const char *buf, size_t count)
-+{
-+ struct Scsi_Host *shost = class_to_shost(dev);
-+ struct hisi_hba *hisi_hba = shost_priv(shost);
-+ u32 intr_coal_count;
-+ int ret;
-+
-+ ret = kstrtou32(buf, 10, &intr_coal_count);
-+ if (ret) {
-+ dev_err(dev, "Input data of interrupt coalesce unmatch\n");
-+ return -EINVAL;
-+ }
-+
-+ if (intr_coal_count >= BIT(8)) {
-+ dev_err(dev, "intr_coal_count must be less than 2^8!\n");
-+ return -EINVAL;
-+ }
-+
-+ hisi_hba->intr_coal_count = intr_coal_count;
-+
-+ config_intr_coal_v3_hw(hisi_hba);
-+
-+ return count;
-+}
-+static DEVICE_ATTR_RW(intr_coal_count_v3_hw);
-+
- struct device_attribute *host_attrs_v3_hw[] = {
- &dev_attr_phy_event_threshold,
- &dev_attr_intr_conv_v3_hw,
-+ &dev_attr_intr_coal_ticks_v3_hw,
-+ &dev_attr_intr_coal_count_v3_hw,
- NULL
- };
-
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0013-scsi-hisi_sas-Relocate-some-codes-to-avoid-an-unused.patch b/debian/patches/bugfix/arm64/huawei-taishan/0013-scsi-hisi_sas-Relocate-some-codes-to-avoid-an-unused.patch
deleted file mode 100644
index 5e52eb5c0..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0013-scsi-hisi_sas-Relocate-some-codes-to-avoid-an-unused.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 22834ed6cec2690817120e960d43bbf76ddfda17 Mon Sep 17 00:00:00 2001
-From: Xiang Chen
-Date: Fri, 9 Nov 2018 22:06:35 +0800
-Subject: [PATCH 13/31] scsi: hisi_sas: Relocate some codes to avoid an unused
- check
-Origin: https://git.kernel.org/linus/745b6847634c11dda1079d0290781a443eddb4b7
-
-In function hisi_sas_task_prep(), we check asd_sas_port, but in function
-hisi_sas_task_exec(), we already refer to asd_sas_port by using function
-dev_to_hisi_hba() implicitly. So to avoid this possible invalid
-dereference, relocate the check to function hisi_sas_task_prep().
-
-Signed-off-by: Xiang Chen
-Signed-off-by: John Garry
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/hisi_sas/hisi_sas_main.c | 44 ++++++++++++++-------------
- 1 file changed, 23 insertions(+), 21 deletions(-)
-
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
-index dc71f8d83551..15360d797760 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_main.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
-@@ -303,36 +303,19 @@ static int hisi_sas_task_prep(struct sas_task *task,
- int *pass)
- {
- struct domain_device *device = task->dev;
-- struct hisi_hba *hisi_hba;
-+ struct hisi_hba *hisi_hba = dev_to_hisi_hba(device);
- struct hisi_sas_device *sas_dev = device->lldd_dev;
- struct hisi_sas_port *port;
- struct hisi_sas_slot *slot;
- struct hisi_sas_cmd_hdr *cmd_hdr_base;
- struct asd_sas_port *sas_port = device->port;
-- struct device *dev;
-+ struct device *dev = hisi_hba->dev;
- int dlvry_queue_slot, dlvry_queue, rc, slot_idx;
- int n_elem = 0, n_elem_req = 0, n_elem_resp = 0;
- struct hisi_sas_dq *dq;
- unsigned long flags;
- int wr_q_index;
-
-- if (!sas_port) {
-- struct task_status_struct *ts = &task->task_status;
--
-- ts->resp = SAS_TASK_UNDELIVERED;
-- ts->stat = SAS_PHY_DOWN;
-- /*
-- * libsas will use dev->port, should
-- * not call task_done for sata
-- */
-- if (device->dev_type != SAS_SATA_DEV)
-- task->task_done(task);
-- return -ECOMM;
-- }
--
-- hisi_hba = dev_to_hisi_hba(device);
-- dev = hisi_hba->dev;
--
- if (DEV_IS_GONE(sas_dev)) {
- if (sas_dev)
- dev_info(dev, "task prep: device %d not ready\n",
-@@ -507,10 +490,29 @@ static int hisi_sas_task_exec(struct sas_task *task, gfp_t gfp_flags,
- u32 rc;
- u32 pass = 0;
- unsigned long flags;
-- struct hisi_hba *hisi_hba = dev_to_hisi_hba(task->dev);
-- struct device *dev = hisi_hba->dev;
-+ struct hisi_hba *hisi_hba;
-+ struct device *dev;
-+ struct domain_device *device = task->dev;
-+ struct asd_sas_port *sas_port = device->port;
- struct hisi_sas_dq *dq = NULL;
-
-+ if (!sas_port) {
-+ struct task_status_struct *ts = &task->task_status;
-+
-+ ts->resp = SAS_TASK_UNDELIVERED;
-+ ts->stat = SAS_PHY_DOWN;
-+ /*
-+ * libsas will use dev->port, should
-+ * not call task_done for sata
-+ */
-+ if (device->dev_type != SAS_SATA_DEV)
-+ task->task_done(task);
-+ return -ECOMM;
-+ }
-+
-+ hisi_hba = dev_to_hisi_hba(device);
-+ dev = hisi_hba->dev;
-+
- if (unlikely(test_bit(HISI_SAS_REJECT_CMD_BIT, &hisi_hba->flags))) {
- if (in_softirq())
- return -EINVAL;
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0014-scsi-hisi_sas-Fix-warnings-detected-by-sparse.patch b/debian/patches/bugfix/arm64/huawei-taishan/0014-scsi-hisi_sas-Fix-warnings-detected-by-sparse.patch
deleted file mode 100644
index b3746e519..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0014-scsi-hisi_sas-Fix-warnings-detected-by-sparse.patch
+++ /dev/null
@@ -1,432 +0,0 @@
-From 13dda01985003ca1b930b42bb3927f7522f4ce69 Mon Sep 17 00:00:00 2001
-From: John Garry
-Date: Thu, 6 Dec 2018 21:34:40 +0800
-Subject: [PATCH 14/31] scsi: hisi_sas: Fix warnings detected by sparse
-Origin: https://git.kernel.org/linus/735bcc77e6ba83e464665cea9041072190ede37e
-
-This patchset fixes some warnings detected by the sparse tool, like these:
-drivers/scsi/hisi_sas/hisi_sas_main.c:1469:52: warning: incorrect type in assignment (different base types)
-drivers/scsi/hisi_sas/hisi_sas_main.c:1469:52: expected unsigned short [unsigned] [assigned] [usertype] tag_of_task_to_be_managed
-drivers/scsi/hisi_sas/hisi_sas_main.c:1469:52: got restricted __le16 [usertype]
-drivers/scsi/hisi_sas/hisi_sas_main.c:1723:52: warning: incorrect type in assignment (different base types)
-drivers/scsi/hisi_sas/hisi_sas_main.c:1723:52: expected unsigned short [unsigned] [assigned] [usertype] tag_of_task_to_be_managed
-drivers/scsi/hisi_sas/hisi_sas_main.c:1723:52: got restricted __le16 [usertype]
-
-Signed-off-by: John Garry
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/hisi_sas/hisi_sas.h | 2 +-
- drivers/scsi/hisi_sas/hisi_sas_main.c | 6 +--
- drivers/scsi/hisi_sas/hisi_sas_v1_hw.c | 15 +++---
- drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 66 +++++++++++++++-----------
- drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 37 +++++++++------
- 5 files changed, 71 insertions(+), 55 deletions(-)
-
-diff --git a/drivers/scsi/hisi_sas/hisi_sas.h b/drivers/scsi/hisi_sas/hisi_sas.h
-index 535c61391250..912d2342a5fe 100644
---- a/drivers/scsi/hisi_sas/hisi_sas.h
-+++ b/drivers/scsi/hisi_sas/hisi_sas.h
-@@ -211,7 +211,7 @@ struct hisi_sas_slot {
- /* Do not reorder/change members after here */
- void *buf;
- dma_addr_t buf_dma;
-- int idx;
-+ u16 idx;
- };
-
- struct hisi_sas_hw {
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
-index 15360d797760..ab6c7938e172 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_main.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
-@@ -1463,12 +1463,12 @@ static int hisi_sas_abort_task(struct sas_task *task)
- if (task->lldd_task && task->task_proto & SAS_PROTOCOL_SSP) {
- struct scsi_cmnd *cmnd = task->uldd_task;
- struct hisi_sas_slot *slot = task->lldd_task;
-- u32 tag = slot->idx;
-+ u16 tag = slot->idx;
- int rc2;
-
- int_to_scsilun(cmnd->device->lun, &lun);
- tmf_task.tmf = TMF_ABORT_TASK;
-- tmf_task.tag_of_task_to_be_managed = cpu_to_le16(tag);
-+ tmf_task.tag_of_task_to_be_managed = tag;
-
- rc = hisi_sas_debug_issue_ssp_tmf(task->dev, lun.scsi_lun,
- &tmf_task);
-@@ -1722,7 +1722,7 @@ static int hisi_sas_query_task(struct sas_task *task)
-
- int_to_scsilun(cmnd->device->lun, &lun);
- tmf_task.tmf = TMF_QUERY_TASK;
-- tmf_task.tag_of_task_to_be_managed = cpu_to_le16(tag);
-+ tmf_task.tag_of_task_to_be_managed = tag;
-
- rc = hisi_sas_debug_issue_ssp_tmf(device,
- lun.scsi_lun,
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c
-index e8e3a876e493..cb1198f0ddde 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c
-@@ -510,6 +510,7 @@ static void setup_itct_v1_hw(struct hisi_hba *hisi_hba,
- struct hisi_sas_itct *itct = &hisi_hba->itct[device_id];
- struct asd_sas_port *sas_port = device->port;
- struct hisi_sas_port *port = to_hisi_sas_port(sas_port);
-+ u64 sas_addr;
-
- memset(itct, 0, sizeof(*itct));
-
-@@ -534,8 +535,8 @@ static void setup_itct_v1_hw(struct hisi_hba *hisi_hba,
- itct->qw0 = cpu_to_le64(qw0);
-
- /* qw1 */
-- memcpy(&itct->sas_addr, device->sas_addr, SAS_ADDR_SIZE);
-- itct->sas_addr = __swab64(itct->sas_addr);
-+ memcpy(&sas_addr, device->sas_addr, SAS_ADDR_SIZE);
-+ itct->sas_addr = cpu_to_le64(__swab64(sas_addr));
-
- /* qw2 */
- itct->qw2 = cpu_to_le64((500ULL << ITCT_HDR_IT_NEXUS_LOSS_TL_OFF) |
-@@ -561,7 +562,7 @@ static void clear_itct_v1_hw(struct hisi_hba *hisi_hba,
- reg_val &= ~CFG_AGING_TIME_ITCT_REL_MSK;
- hisi_sas_write32(hisi_hba, CFG_AGING_TIME, reg_val);
-
-- qw0 = cpu_to_le64(itct->qw0);
-+ qw0 = le64_to_cpu(itct->qw0);
- qw0 &= ~ITCT_HDR_VALID_MSK;
- itct->qw0 = cpu_to_le64(qw0);
- }
-@@ -1100,7 +1101,7 @@ static void slot_err_v1_hw(struct hisi_hba *hisi_hba,
- case SAS_PROTOCOL_SSP:
- {
- int error = -1;
-- u32 dma_err_type = cpu_to_le32(err_record->dma_err_type);
-+ u32 dma_err_type = le32_to_cpu(err_record->dma_err_type);
- u32 dma_tx_err_type = ((dma_err_type &
- ERR_HDR_DMA_TX_ERR_TYPE_MSK)) >>
- ERR_HDR_DMA_TX_ERR_TYPE_OFF;
-@@ -1108,9 +1109,9 @@ static void slot_err_v1_hw(struct hisi_hba *hisi_hba,
- ERR_HDR_DMA_RX_ERR_TYPE_MSK)) >>
- ERR_HDR_DMA_RX_ERR_TYPE_OFF;
- u32 trans_tx_fail_type =
-- cpu_to_le32(err_record->trans_tx_fail_type);
-+ le32_to_cpu(err_record->trans_tx_fail_type);
- u32 trans_rx_fail_type =
-- cpu_to_le32(err_record->trans_rx_fail_type);
-+ le32_to_cpu(err_record->trans_rx_fail_type);
-
- if (dma_tx_err_type) {
- /* dma tx err */
-@@ -1558,7 +1559,7 @@ static irqreturn_t cq_interrupt_v1_hw(int irq, void *p)
- u32 cmplt_hdr_data;
-
- complete_hdr = &complete_queue[rd_point];
-- cmplt_hdr_data = cpu_to_le32(complete_hdr->data);
-+ cmplt_hdr_data = le32_to_cpu(complete_hdr->data);
- idx = (cmplt_hdr_data & CMPLT_HDR_IPTT_MSK) >>
- CMPLT_HDR_IPTT_OFF;
- slot = &hisi_hba->slot_info[idx];
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
-index 574a269e2865..c17dd500fba1 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
-@@ -934,6 +934,7 @@ static void setup_itct_v2_hw(struct hisi_hba *hisi_hba,
- struct domain_device *parent_dev = device->parent;
- struct asd_sas_port *sas_port = device->port;
- struct hisi_sas_port *port = to_hisi_sas_port(sas_port);
-+ u64 sas_addr;
-
- memset(itct, 0, sizeof(*itct));
-
-@@ -966,8 +967,8 @@ static void setup_itct_v2_hw(struct hisi_hba *hisi_hba,
- itct->qw0 = cpu_to_le64(qw0);
-
- /* qw1 */
-- memcpy(&itct->sas_addr, device->sas_addr, SAS_ADDR_SIZE);
-- itct->sas_addr = __swab64(itct->sas_addr);
-+ memcpy(&sas_addr, device->sas_addr, SAS_ADDR_SIZE);
-+ itct->sas_addr = cpu_to_le64(__swab64(sas_addr));
-
- /* qw2 */
- if (!dev_is_sata(device))
-@@ -2044,11 +2045,11 @@ static void slot_err_v2_hw(struct hisi_hba *hisi_hba,
- struct task_status_struct *ts = &task->task_status;
- struct hisi_sas_err_record_v2 *err_record =
- hisi_sas_status_buf_addr_mem(slot);
-- u32 trans_tx_fail_type = cpu_to_le32(err_record->trans_tx_fail_type);
-- u32 trans_rx_fail_type = cpu_to_le32(err_record->trans_rx_fail_type);
-- u16 dma_tx_err_type = cpu_to_le16(err_record->dma_tx_err_type);
-- u16 sipc_rx_err_type = cpu_to_le16(err_record->sipc_rx_err_type);
-- u32 dma_rx_err_type = cpu_to_le32(err_record->dma_rx_err_type);
-+ u32 trans_tx_fail_type = le32_to_cpu(err_record->trans_tx_fail_type);
-+ u32 trans_rx_fail_type = le32_to_cpu(err_record->trans_rx_fail_type);
-+ u16 dma_tx_err_type = le16_to_cpu(err_record->dma_tx_err_type);
-+ u16 sipc_rx_err_type = le16_to_cpu(err_record->sipc_rx_err_type);
-+ u32 dma_rx_err_type = le32_to_cpu(err_record->dma_rx_err_type);
- int error = -1;
-
- if (err_phase == 1) {
-@@ -2059,8 +2060,7 @@ static void slot_err_v2_hw(struct hisi_hba *hisi_hba,
- trans_tx_fail_type);
- } else if (err_phase == 2) {
- /* error in RX phase, the priority is: DW1 > DW3 > DW2 */
-- error = parse_trans_rx_err_code_v2_hw(
-- trans_rx_fail_type);
-+ error = parse_trans_rx_err_code_v2_hw(trans_rx_fail_type);
- if (error == -1) {
- error = parse_dma_rx_err_code_v2_hw(
- dma_rx_err_type);
-@@ -2358,6 +2358,7 @@ slot_complete_v2_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
- &complete_queue[slot->cmplt_queue_slot];
- unsigned long flags;
- bool is_internal = slot->is_internal;
-+ u32 dw0;
-
- if (unlikely(!task || !task->lldd_task || !task->dev))
- return -EINVAL;
-@@ -2382,8 +2383,9 @@ slot_complete_v2_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
- }
-
- /* Use SAS+TMF status codes */
-- switch ((complete_hdr->dw0 & CMPLT_HDR_ABORT_STAT_MSK)
-- >> CMPLT_HDR_ABORT_STAT_OFF) {
-+ dw0 = le32_to_cpu(complete_hdr->dw0);
-+ switch ((dw0 & CMPLT_HDR_ABORT_STAT_MSK) >>
-+ CMPLT_HDR_ABORT_STAT_OFF) {
- case STAT_IO_ABORTED:
- /* this io has been aborted by abort command */
- ts->stat = SAS_ABORTED_TASK;
-@@ -2408,9 +2410,8 @@ slot_complete_v2_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
- break;
- }
-
-- if ((complete_hdr->dw0 & CMPLT_HDR_ERX_MSK) &&
-- (!(complete_hdr->dw0 & CMPLT_HDR_RSPNS_XFRD_MSK))) {
-- u32 err_phase = (complete_hdr->dw0 & CMPLT_HDR_ERR_PHASE_MSK)
-+ if ((dw0 & CMPLT_HDR_ERX_MSK) && (!(dw0 & CMPLT_HDR_RSPNS_XFRD_MSK))) {
-+ u32 err_phase = (dw0 & CMPLT_HDR_ERR_PHASE_MSK)
- >> CMPLT_HDR_ERR_PHASE_OFF;
- u32 *error_info = hisi_sas_status_buf_addr_mem(slot);
-
-@@ -2526,22 +2527,23 @@ static void prep_ata_v2_hw(struct hisi_hba *hisi_hba,
- struct hisi_sas_tmf_task *tmf = slot->tmf;
- u8 *buf_cmd;
- int has_data = 0, hdr_tag = 0;
-- u32 dw1 = 0, dw2 = 0;
-+ u32 dw0, dw1 = 0, dw2 = 0;
-
- /* create header */
- /* dw0 */
-- hdr->dw0 = cpu_to_le32(port->id << CMD_HDR_PORT_OFF);
-+ dw0 = port->id << CMD_HDR_PORT_OFF;
- if (parent_dev && DEV_IS_EXPANDER(parent_dev->dev_type))
-- hdr->dw0 |= cpu_to_le32(3 << CMD_HDR_CMD_OFF);
-+ dw0 |= 3 << CMD_HDR_CMD_OFF;
- else
-- hdr->dw0 |= cpu_to_le32(4 << CMD_HDR_CMD_OFF);
-+ dw0 |= 4 << CMD_HDR_CMD_OFF;
-
- if (tmf && tmf->force_phy) {
-- hdr->dw0 |= CMD_HDR_FORCE_PHY_MSK;
-- hdr->dw0 |= cpu_to_le32((1 << tmf->phy_id)
-- << CMD_HDR_PHY_ID_OFF);
-+ dw0 |= CMD_HDR_FORCE_PHY_MSK;
-+ dw0 |= (1 << tmf->phy_id) << CMD_HDR_PHY_ID_OFF;
- }
-
-+ hdr->dw0 = cpu_to_le32(dw0);
-+
- /* dw1 */
- switch (task->data_dir) {
- case DMA_TO_DEVICE:
-@@ -3152,20 +3154,24 @@ static void cq_tasklet_v2_hw(unsigned long val)
-
- /* Check for NCQ completion */
- if (complete_hdr->act) {
-- u32 act_tmp = complete_hdr->act;
-+ u32 act_tmp = le32_to_cpu(complete_hdr->act);
- int ncq_tag_count = ffs(act_tmp);
-+ u32 dw1 = le32_to_cpu(complete_hdr->dw1);
-
-- dev_id = (complete_hdr->dw1 & CMPLT_HDR_DEV_ID_MSK) >>
-+ dev_id = (dw1 & CMPLT_HDR_DEV_ID_MSK) >>
- CMPLT_HDR_DEV_ID_OFF;
- itct = &hisi_hba->itct[dev_id];
-
- /* The NCQ tags are held in the itct header */
- while (ncq_tag_count) {
-- __le64 *ncq_tag = &itct->qw4_15[0];
-+ __le64 *_ncq_tag = &itct->qw4_15[0], __ncq_tag;
-+ u64 ncq_tag;
-
-- ncq_tag_count -= 1;
-- iptt = (ncq_tag[ncq_tag_count / 5]
-- >> (ncq_tag_count % 5) * 12) & 0xfff;
-+ ncq_tag_count--;
-+ __ncq_tag = _ncq_tag[ncq_tag_count / 5];
-+ ncq_tag = le64_to_cpu(__ncq_tag);
-+ iptt = (ncq_tag >> (ncq_tag_count % 5) * 12) &
-+ 0xfff;
-
- slot = &hisi_hba->slot_info[iptt];
- slot->cmplt_queue_slot = rd_point;
-@@ -3176,7 +3182,9 @@ static void cq_tasklet_v2_hw(unsigned long val)
- ncq_tag_count = ffs(act_tmp);
- }
- } else {
-- iptt = (complete_hdr->dw1) & CMPLT_HDR_IPTT_MSK;
-+ u32 dw1 = le32_to_cpu(complete_hdr->dw1);
-+
-+ iptt = dw1 & CMPLT_HDR_IPTT_MSK;
- slot = &hisi_hba->slot_info[iptt];
- slot->cmplt_queue_slot = rd_point;
- slot->cmplt_queue = queue;
-@@ -3552,7 +3560,7 @@ static void wait_cmds_complete_timeout_v2_hw(struct hisi_hba *hisi_hba,
- dev_dbg(dev, "wait commands complete %dms\n", time);
- }
-
--struct device_attribute *host_attrs_v2_hw[] = {
-+static struct device_attribute *host_attrs_v2_hw[] = {
- &dev_attr_phy_event_threshold,
- NULL
- };
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-index 7d7cb73e4bee..23f40b57b298 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-@@ -628,6 +628,7 @@ static void setup_itct_v3_hw(struct hisi_hba *hisi_hba,
- struct domain_device *parent_dev = device->parent;
- struct asd_sas_port *sas_port = device->port;
- struct hisi_sas_port *port = to_hisi_sas_port(sas_port);
-+ u64 sas_addr;
-
- memset(itct, 0, sizeof(*itct));
-
-@@ -660,8 +661,8 @@ static void setup_itct_v3_hw(struct hisi_hba *hisi_hba,
- itct->qw0 = cpu_to_le64(qw0);
-
- /* qw1 */
-- memcpy(&itct->sas_addr, device->sas_addr, SAS_ADDR_SIZE);
-- itct->sas_addr = __swab64(itct->sas_addr);
-+ memcpy(&sas_addr, device->sas_addr, SAS_ADDR_SIZE);
-+ itct->sas_addr = cpu_to_le64(__swab64(sas_addr));
-
- /* qw2 */
- if (!dev_is_sata(device))
-@@ -1590,15 +1591,16 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task,
- &complete_queue[slot->cmplt_queue_slot];
- struct hisi_sas_err_record_v3 *record =
- hisi_sas_status_buf_addr_mem(slot);
-- u32 dma_rx_err_type = record->dma_rx_err_type;
-- u32 trans_tx_fail_type = record->trans_tx_fail_type;
-+ u32 dma_rx_err_type = le32_to_cpu(record->dma_rx_err_type);
-+ u32 trans_tx_fail_type = le32_to_cpu(record->trans_tx_fail_type);
-+ u32 dw3 = le32_to_cpu(complete_hdr->dw3);
-
- switch (task->task_proto) {
- case SAS_PROTOCOL_SSP:
- if (dma_rx_err_type & RX_DATA_LEN_UNDERFLOW_MSK) {
- ts->residual = trans_tx_fail_type;
- ts->stat = SAS_DATA_UNDERRUN;
-- } else if (complete_hdr->dw3 & CMPLT_HDR_IO_IN_TARGET_MSK) {
-+ } else if (dw3 & CMPLT_HDR_IO_IN_TARGET_MSK) {
- ts->stat = SAS_QUEUE_FULL;
- slot->abort = 1;
- } else {
-@@ -1612,7 +1614,7 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task,
- if (dma_rx_err_type & RX_DATA_LEN_UNDERFLOW_MSK) {
- ts->residual = trans_tx_fail_type;
- ts->stat = SAS_DATA_UNDERRUN;
-- } else if (complete_hdr->dw3 & CMPLT_HDR_IO_IN_TARGET_MSK) {
-+ } else if (dw3 & CMPLT_HDR_IO_IN_TARGET_MSK) {
- ts->stat = SAS_PHY_DOWN;
- slot->abort = 1;
- } else {
-@@ -1645,6 +1647,7 @@ slot_complete_v3_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
- &complete_queue[slot->cmplt_queue_slot];
- unsigned long flags;
- bool is_internal = slot->is_internal;
-+ u32 dw0, dw1, dw3;
-
- if (unlikely(!task || !task->lldd_task || !task->dev))
- return -EINVAL;
-@@ -1668,11 +1671,14 @@ slot_complete_v3_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
- goto out;
- }
-
-+ dw0 = le32_to_cpu(complete_hdr->dw0);
-+ dw1 = le32_to_cpu(complete_hdr->dw1);
-+ dw3 = le32_to_cpu(complete_hdr->dw3);
-+
- /*
- * Use SAS+TMF status codes
- */
-- switch ((complete_hdr->dw0 & CMPLT_HDR_ABORT_STAT_MSK)
-- >> CMPLT_HDR_ABORT_STAT_OFF) {
-+ switch ((dw0 & CMPLT_HDR_ABORT_STAT_MSK) >> CMPLT_HDR_ABORT_STAT_OFF) {
- case STAT_IO_ABORTED:
- /* this IO has been aborted by abort command */
- ts->stat = SAS_ABORTED_TASK;
-@@ -1695,7 +1701,7 @@ slot_complete_v3_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
- }
-
- /* check for erroneous completion */
-- if ((complete_hdr->dw0 & CMPLT_HDR_CMPLT_MSK) == 0x3) {
-+ if ((dw0 & CMPLT_HDR_CMPLT_MSK) == 0x3) {
- u32 *error_info = hisi_sas_status_buf_addr_mem(slot);
-
- slot_err_v3_hw(hisi_hba, task, slot);
-@@ -1704,8 +1710,7 @@ slot_complete_v3_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
- "CQ hdr: 0x%x 0x%x 0x%x 0x%x "
- "Error info: 0x%x 0x%x 0x%x 0x%x\n",
- slot->idx, task, sas_dev->device_id,
-- complete_hdr->dw0, complete_hdr->dw1,
-- complete_hdr->act, complete_hdr->dw3,
-+ dw0, dw1, complete_hdr->act, dw3,
- error_info[0], error_info[1],
- error_info[2], error_info[3]);
- if (unlikely(slot->abort))
-@@ -1803,11 +1808,13 @@ static void cq_tasklet_v3_hw(unsigned long val)
- while (rd_point != wr_point) {
- struct hisi_sas_complete_v3_hdr *complete_hdr;
- struct device *dev = hisi_hba->dev;
-+ u32 dw1;
- int iptt;
-
- complete_hdr = &complete_queue[rd_point];
-+ dw1 = le32_to_cpu(complete_hdr->dw1);
-
-- iptt = (complete_hdr->dw1) & CMPLT_HDR_IPTT_MSK;
-+ iptt = dw1 & CMPLT_HDR_IPTT_MSK;
- if (likely(iptt < HISI_SAS_COMMAND_ENTRIES_V3_HW)) {
- slot = &hisi_hba->slot_info[iptt];
- slot->cmplt_queue_slot = rd_point;
-@@ -2203,7 +2210,7 @@ static ssize_t intr_coal_count_v3_hw_store(struct device *dev,
- }
- static DEVICE_ATTR_RW(intr_coal_count_v3_hw);
-
--struct device_attribute *host_attrs_v3_hw[] = {
-+static struct device_attribute *host_attrs_v3_hw[] = {
- &dev_attr_phy_event_threshold,
- &dev_attr_intr_conv_v3_hw,
- &dev_attr_intr_coal_ticks_v3_hw,
-@@ -2649,7 +2656,7 @@ static int hisi_sas_v3_suspend(struct pci_dev *pdev, pm_message_t state)
- struct hisi_hba *hisi_hba = sha->lldd_ha;
- struct device *dev = hisi_hba->dev;
- struct Scsi_Host *shost = hisi_hba->shost;
-- u32 device_state;
-+ pci_power_t device_state;
- int rc;
-
- if (!pdev->pm_cap) {
-@@ -2695,7 +2702,7 @@ static int hisi_sas_v3_resume(struct pci_dev *pdev)
- struct Scsi_Host *shost = hisi_hba->shost;
- struct device *dev = hisi_hba->dev;
- unsigned int rc;
-- u32 device_state = pdev->current_state;
-+ pci_power_t device_state = pdev->current_state;
-
- dev_warn(dev, "resuming from operating state [D%d]\n",
- device_state);
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0015-scsi-hisi_sas-Relocate-some-code-to-reduce-complexit.patch b/debian/patches/bugfix/arm64/huawei-taishan/0015-scsi-hisi_sas-Relocate-some-code-to-reduce-complexit.patch
deleted file mode 100644
index 37cbfb23b..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0015-scsi-hisi_sas-Relocate-some-code-to-reduce-complexit.patch
+++ /dev/null
@@ -1,190 +0,0 @@
-From 9e9903e8e143c32498565cb49a7aab6081734782 Mon Sep 17 00:00:00 2001
-From: Xiang Chen
-Date: Thu, 6 Dec 2018 21:34:41 +0800
-Subject: [PATCH 15/31] scsi: hisi_sas: Relocate some code to reduce complexity
-Origin: https://git.kernel.org/linus/6e1b731b535231e199c7810451c851398afccd33
-
-Relocate the codes related to dma_map/unmap in hisi_sas_task_prep() to
-reduce complexity, with a view to add DIF/DIX support.
-
-Signed-off-by: Xiang Chen
-Signed-off-by: John Garry
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/hisi_sas/hisi_sas_main.c | 146 ++++++++++++++++----------
- 1 file changed, 90 insertions(+), 56 deletions(-)
-
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
-index ab6c7938e172..18062e4ab9a5 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_main.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
-@@ -297,6 +297,90 @@ static void hisi_sas_task_prep_abort(struct hisi_hba *hisi_hba,
- device_id, abort_flag, tag_to_abort);
- }
-
-+static void hisi_sas_dma_unmap(struct hisi_hba *hisi_hba,
-+ struct sas_task *task, int n_elem,
-+ int n_elem_req, int n_elem_resp)
-+{
-+ struct device *dev = hisi_hba->dev;
-+
-+ if (!sas_protocol_ata(task->task_proto)) {
-+ if (task->num_scatter) {
-+ if (n_elem)
-+ dma_unmap_sg(dev, task->scatter,
-+ task->num_scatter,
-+ task->data_dir);
-+ } else if (task->task_proto & SAS_PROTOCOL_SMP) {
-+ if (n_elem_req)
-+ dma_unmap_sg(dev, &task->smp_task.smp_req,
-+ 1, DMA_TO_DEVICE);
-+ if (n_elem_resp)
-+ dma_unmap_sg(dev, &task->smp_task.smp_resp,
-+ 1, DMA_FROM_DEVICE);
-+ }
-+ }
-+}
-+
-+static int hisi_sas_dma_map(struct hisi_hba *hisi_hba,
-+ struct sas_task *task, int *n_elem,
-+ int *n_elem_req, int *n_elem_resp)
-+{
-+ struct device *dev = hisi_hba->dev;
-+ int rc;
-+
-+ if (sas_protocol_ata(task->task_proto)) {
-+ *n_elem = task->num_scatter;
-+ } else {
-+ unsigned int req_len, resp_len;
-+
-+ if (task->num_scatter) {
-+ *n_elem = dma_map_sg(dev, task->scatter,
-+ task->num_scatter, task->data_dir);
-+ if (!*n_elem) {
-+ rc = -ENOMEM;
-+ goto prep_out;
-+ }
-+ } else if (task->task_proto & SAS_PROTOCOL_SMP) {
-+ *n_elem_req = dma_map_sg(dev, &task->smp_task.smp_req,
-+ 1, DMA_TO_DEVICE);
-+ if (!*n_elem_req) {
-+ rc = -ENOMEM;
-+ goto prep_out;
-+ }
-+ req_len = sg_dma_len(&task->smp_task.smp_req);
-+ if (req_len & 0x3) {
-+ rc = -EINVAL;
-+ goto err_out_dma_unmap;
-+ }
-+ *n_elem_resp = dma_map_sg(dev, &task->smp_task.smp_resp,
-+ 1, DMA_FROM_DEVICE);
-+ if (!*n_elem_resp) {
-+ rc = -ENOMEM;
-+ goto err_out_dma_unmap;
-+ }
-+ resp_len = sg_dma_len(&task->smp_task.smp_resp);
-+ if (resp_len & 0x3) {
-+ rc = -EINVAL;
-+ goto err_out_dma_unmap;
-+ }
-+ }
-+ }
-+
-+ if (*n_elem > HISI_SAS_SGE_PAGE_CNT) {
-+ dev_err(dev, "task prep: n_elem(%d) > HISI_SAS_SGE_PAGE_CNT",
-+ *n_elem);
-+ rc = -EINVAL;
-+ goto err_out_dma_unmap;
-+ }
-+ return 0;
-+
-+err_out_dma_unmap:
-+ /* It would be better to call dma_unmap_sg() here, but it's messy */
-+ hisi_sas_dma_unmap(hisi_hba, task, *n_elem,
-+ *n_elem_req, *n_elem_resp);
-+prep_out:
-+ return rc;
-+}
-+
- static int hisi_sas_task_prep(struct sas_task *task,
- struct hisi_sas_dq **dq_pointer,
- bool is_tmf, struct hisi_sas_tmf_task *tmf,
-@@ -339,49 +423,10 @@ static int hisi_sas_task_prep(struct sas_task *task,
- return -ECOMM;
- }
-
-- if (!sas_protocol_ata(task->task_proto)) {
-- unsigned int req_len, resp_len;
--
-- if (task->num_scatter) {
-- n_elem = dma_map_sg(dev, task->scatter,
-- task->num_scatter, task->data_dir);
-- if (!n_elem) {
-- rc = -ENOMEM;
-- goto prep_out;
-- }
-- } else if (task->task_proto & SAS_PROTOCOL_SMP) {
-- n_elem_req = dma_map_sg(dev, &task->smp_task.smp_req,
-- 1, DMA_TO_DEVICE);
-- if (!n_elem_req) {
-- rc = -ENOMEM;
-- goto prep_out;
-- }
-- req_len = sg_dma_len(&task->smp_task.smp_req);
-- if (req_len & 0x3) {
-- rc = -EINVAL;
-- goto err_out_dma_unmap;
-- }
-- n_elem_resp = dma_map_sg(dev, &task->smp_task.smp_resp,
-- 1, DMA_FROM_DEVICE);
-- if (!n_elem_resp) {
-- rc = -ENOMEM;
-- goto err_out_dma_unmap;
-- }
-- resp_len = sg_dma_len(&task->smp_task.smp_resp);
-- if (resp_len & 0x3) {
-- rc = -EINVAL;
-- goto err_out_dma_unmap;
-- }
-- }
-- } else
-- n_elem = task->num_scatter;
--
-- if (n_elem > HISI_SAS_SGE_PAGE_CNT) {
-- dev_err(dev, "task prep: n_elem(%d) > HISI_SAS_SGE_PAGE_CNT",
-- n_elem);
-- rc = -EINVAL;
-- goto err_out_dma_unmap;
-- }
-+ rc = hisi_sas_dma_map(hisi_hba, task, &n_elem,
-+ &n_elem_req, &n_elem_resp);
-+ if (rc < 0)
-+ goto prep_out;
-
- if (hisi_hba->hw->slot_index_alloc)
- rc = hisi_hba->hw->slot_index_alloc(hisi_hba, device);
-@@ -466,19 +511,8 @@ static int hisi_sas_task_prep(struct sas_task *task,
- err_out_tag:
- hisi_sas_slot_index_free(hisi_hba, slot_idx);
- err_out_dma_unmap:
-- if (!sas_protocol_ata(task->task_proto)) {
-- if (task->num_scatter) {
-- dma_unmap_sg(dev, task->scatter, task->num_scatter,
-- task->data_dir);
-- } else if (task->task_proto & SAS_PROTOCOL_SMP) {
-- if (n_elem_req)
-- dma_unmap_sg(dev, &task->smp_task.smp_req,
-- 1, DMA_TO_DEVICE);
-- if (n_elem_resp)
-- dma_unmap_sg(dev, &task->smp_task.smp_resp,
-- 1, DMA_FROM_DEVICE);
-- }
-- }
-+ hisi_sas_dma_unmap(hisi_hba, task, n_elem,
-+ n_elem_req, n_elem_resp);
- prep_out:
- dev_err(dev, "task prep: failed[%d]!\n", rc);
- return rc;
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0016-scsi-hisi_sas-Make-sg_tablesize-consistent-value.patch b/debian/patches/bugfix/arm64/huawei-taishan/0016-scsi-hisi_sas-Make-sg_tablesize-consistent-value.patch
deleted file mode 100644
index b9411ffcc..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0016-scsi-hisi_sas-Make-sg_tablesize-consistent-value.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 8baf75dd36d8e311434162c6a2c74a45262dc0d4 Mon Sep 17 00:00:00 2001
-From: Xiang Chen
-Date: Thu, 6 Dec 2018 21:34:42 +0800
-Subject: [PATCH 16/31] scsi: hisi_sas: Make sg_tablesize consistent value
-Origin: https://git.kernel.org/linus/6db831f4ef764ca19d7300d56ab9455af3cb930d
-
-Sht->sg_tablesize is set in the driver, and it will be assigned to
-shost->sg_tablesize in SCSI mid-layer. So it is not necessary to assign
-shost->sg_table one more time in the driver.
-
-In addition to the change, change each scsi_host_template.sg_tablesize
-to HISI_SAS_SGE_PAGE_CNT instead of SG_ALL.
-
-Signed-off-by: Xiang Chen
-Signed-off-by: John Garry
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/hisi_sas/hisi_sas_main.c | 1 -
- drivers/scsi/hisi_sas/hisi_sas_v1_hw.c | 2 +-
- drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 2 +-
- drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 3 +--
- 4 files changed, 3 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
-index 18062e4ab9a5..764d651879cf 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_main.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
-@@ -2426,7 +2426,6 @@ int hisi_sas_probe(struct platform_device *pdev,
- shost->max_lun = ~0;
- shost->max_channel = 1;
- shost->max_cmd_len = 16;
-- shost->sg_tablesize = min_t(u16, SG_ALL, HISI_SAS_SGE_PAGE_CNT);
- if (hisi_hba->hw->slot_index_alloc) {
- shost->can_queue = hisi_hba->hw->max_command_entries;
- shost->cmd_per_lun = hisi_hba->hw->max_command_entries;
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c
-index cb1198f0ddde..ef23d26b2271 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c
-@@ -1814,7 +1814,7 @@ static struct scsi_host_template sht_v1_hw = {
- .change_queue_depth = sas_change_queue_depth,
- .bios_param = sas_bios_param,
- .this_id = -1,
-- .sg_tablesize = SG_ALL,
-+ .sg_tablesize = HISI_SAS_SGE_PAGE_CNT,
- .max_sectors = SCSI_DEFAULT_MAX_SECTORS,
- .use_clustering = ENABLE_CLUSTERING,
- .eh_device_reset_handler = sas_eh_device_reset_handler,
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
-index c17dd500fba1..0341fa72d97e 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
-@@ -3576,7 +3576,7 @@ static struct scsi_host_template sht_v2_hw = {
- .change_queue_depth = sas_change_queue_depth,
- .bios_param = sas_bios_param,
- .this_id = -1,
-- .sg_tablesize = SG_ALL,
-+ .sg_tablesize = HISI_SAS_SGE_PAGE_CNT,
- .max_sectors = SCSI_DEFAULT_MAX_SECTORS,
- .use_clustering = ENABLE_CLUSTERING,
- .eh_device_reset_handler = sas_eh_device_reset_handler,
-diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-index 23f40b57b298..6d584f232204 100644
---- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
-@@ -2229,7 +2229,7 @@ static struct scsi_host_template sht_v3_hw = {
- .change_queue_depth = sas_change_queue_depth,
- .bios_param = sas_bios_param,
- .this_id = -1,
-- .sg_tablesize = SG_ALL,
-+ .sg_tablesize = HISI_SAS_SGE_PAGE_CNT,
- .max_sectors = SCSI_DEFAULT_MAX_SECTORS,
- .use_clustering = ENABLE_CLUSTERING,
- .eh_device_reset_handler = sas_eh_device_reset_handler,
-@@ -2371,7 +2371,6 @@ hisi_sas_v3_probe(struct pci_dev *pdev, const struct pci_device_id *id)
- shost->max_lun = ~0;
- shost->max_channel = 1;
- shost->max_cmd_len = 16;
-- shost->sg_tablesize = min_t(u16, SG_ALL, HISI_SAS_SGE_PAGE_CNT);
- shost->can_queue = hisi_hba->hw->max_command_entries -
- HISI_SAS_RESERVED_IPTT_CNT;
- shost->cmd_per_lun = hisi_hba->hw->max_command_entries -
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0017-net-hns3-remove-unnecessary-configuration-recapture-.patch b/debian/patches/bugfix/arm64/huawei-taishan/0017-net-hns3-remove-unnecessary-configuration-recapture-.patch
deleted file mode 100644
index 10fa425d9..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0017-net-hns3-remove-unnecessary-configuration-recapture-.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 341487a9b370af5c2566fb0c3fe5384c96bdbda7 Mon Sep 17 00:00:00 2001
-From: Huazhong Tan
-Date: Tue, 18 Dec 2018 19:37:52 +0800
-Subject: [PATCH 17/31] net: hns3: remove unnecessary configuration recapture
- while resetting
-Origin: https://git.kernel.org/linus/b51c366df70da0100193d13975980f1990a2d47b
-
-When doing reset, it is unnecessary to get the hardware's default
-configuration again, otherwise, the user's configuration will be
-overwritten.
-
-Fixes: 4ed340ab8f49 ("net: hns3: Add reset process in hclge_main")
-Signed-off-by: Huazhong Tan
-Signed-off-by: Peng Li
-Signed-off-by: David S. Miller
----
- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 13 -------------
- 1 file changed, 13 deletions(-)
-
-diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
-index 340baf6a470c..1dada183456c 100644
---- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
-+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
-@@ -5812,19 +5812,6 @@ static int hclge_reset_ae_dev(struct hnae3_ae_dev *ae_dev)
- return ret;
- }
-
-- ret = hclge_get_cap(hdev);
-- if (ret) {
-- dev_err(&pdev->dev, "get hw capability error, ret = %d.\n",
-- ret);
-- return ret;
-- }
--
-- ret = hclge_configure(hdev);
-- if (ret) {
-- dev_err(&pdev->dev, "Configure dev error, ret = %d.\n", ret);
-- return ret;
-- }
--
- ret = hclge_map_tqp(hdev);
- if (ret) {
- dev_err(&pdev->dev, "Map tqp error, ret = %d.\n", ret);
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0018-net-hns3-remove-1000M-half-support-of-phy.patch b/debian/patches/bugfix/arm64/huawei-taishan/0018-net-hns3-remove-1000M-half-support-of-phy.patch
deleted file mode 100644
index 4704d1327..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0018-net-hns3-remove-1000M-half-support-of-phy.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 7740fe91e657e23f25e750d9e34da059a6f607ac Mon Sep 17 00:00:00 2001
-From: Fuyun Liang
-Date: Tue, 18 Dec 2018 19:37:55 +0800
-Subject: [PATCH 18/31] net: hns3: remove 1000M/half support of phy
-Origin: https://git.kernel.org/linus/8362089d787724bb252f13f942921051943369c7
-
-Our phy does not support 1000M/half, this patch removes 1000M/half from
-PHY_SUPPORTED_FEATURES.
-
-Signed-off-by: Fuyun Liang
-Signed-off-by: Peng Li
-Signed-off-by: David S. Miller
----
- drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
-index 398971a062f4..a75b70ce41f8 100644
---- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
-+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
-@@ -14,7 +14,7 @@
- SUPPORTED_Asym_Pause | \
- PHY_10BT_FEATURES | \
- PHY_100BT_FEATURES | \
-- PHY_1000BT_FEATURES)
-+ SUPPORTED_1000baseT_Full)
-
- enum hclge_mdio_c22_op_seq {
- HCLGE_MDIO_C22_WRITE = 1,
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0019-net-hns3-synchronize-speed-and-duplex-from-phy-when-.patch b/debian/patches/bugfix/arm64/huawei-taishan/0019-net-hns3-synchronize-speed-and-duplex-from-phy-when-.patch
deleted file mode 100644
index 48cf8519d..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0019-net-hns3-synchronize-speed-and-duplex-from-phy-when-.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 4f28c6b52ffb62eb5a0a5a85af4fa10658fecee5 Mon Sep 17 00:00:00 2001
-From: Peng Li
-Date: Tue, 18 Dec 2018 19:37:56 +0800
-Subject: [PATCH 19/31] net: hns3: synchronize speed and duplex from phy when
- phy link up
-Origin: https://git.kernel.org/linus/0ad5ea5dbd6cb1e62bac547db5e61bab15af4f44
-
-Driver calls phy_connect_direct and registers hclge_mac_adjust_link
-to synchronize mac speed and duplex from phy. It is better to
-synchronize mac speed and duplex from phy when phy link up.
-
-Signed-off-by: Peng Li
-Signed-off-by: David S. Miller
----
- drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
-index a75b70ce41f8..bdbec85265f4 100644
---- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
-+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
-@@ -181,6 +181,10 @@ static void hclge_mac_adjust_link(struct net_device *netdev)
- int duplex, speed;
- int ret;
-
-+ /* When phy link down, do nothing */
-+ if (netdev->phydev->link == 0)
-+ return;
-+
- speed = netdev->phydev->speed;
- duplex = netdev->phydev->duplex;
-
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0020-net-hns3-getting-tx-and-dv-buffer-size-through-firmw.patch b/debian/patches/bugfix/arm64/huawei-taishan/0020-net-hns3-getting-tx-and-dv-buffer-size-through-firmw.patch
deleted file mode 100644
index d9f68ee2b..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0020-net-hns3-getting-tx-and-dv-buffer-size-through-firmw.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-From caeef6247aa6f5250d14108b33cef5458ba6c58e Mon Sep 17 00:00:00 2001
-From: Yunsheng Lin
-Date: Tue, 18 Dec 2018 19:37:57 +0800
-Subject: [PATCH 20/31] net: hns3: getting tx and dv buffer size through
- firmware
-Origin: https://git.kernel.org/linus/368686be234daf365ef184a6ee1c4a6c18ede3b1
-
-This patch adds support of getting tx and dv buffer size through
-firmware, because different version of hardware requires different
-size of tx and dv buffer.
-
-This patch also add dv_buf_size to tc' private buffer size even if
-pfc is not enable for the tc.
-
-Signed-off-by: Yunsheng Lin
-Signed-off-by: Peng Li
-Signed-off-by: David S. Miller
----
- .../hisilicon/hns3/hns3pf/hclge_cmd.h | 5 ++-
- .../hisilicon/hns3/hns3pf/hclge_main.c | 41 ++++++++++++++-----
- .../hisilicon/hns3/hns3pf/hclge_main.h | 3 ++
- 3 files changed, 38 insertions(+), 11 deletions(-)
-
-diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h
-index 821d4c2f84bd..827e8b13b545 100644
---- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h
-+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h
-@@ -365,7 +365,9 @@ struct hclge_pf_res_cmd {
- #define HCLGE_PF_VEC_NUM_M GENMASK(7, 0)
- __le16 pf_intr_vector_number;
- __le16 pf_own_fun_number;
-- __le32 rsv[3];
-+ __le16 tx_buf_size;
-+ __le16 dv_buf_size;
-+ __le32 rsv[2];
- };
-
- #define HCLGE_CFG_OFFSET_S 0
-@@ -791,6 +793,7 @@ struct hclge_serdes_lb_cmd {
- #define HCLGE_TOTAL_PKT_BUF 0x108000 /* 1.03125M bytes */
- #define HCLGE_DEFAULT_DV 0xA000 /* 40k byte */
- #define HCLGE_DEFAULT_NON_DCB_DV 0x7800 /* 30K byte */
-+#define HCLGE_NON_DCB_ADDITIONAL_BUF 0x200 /* 512 byte */
-
- #define HCLGE_TYPE_CRQ 0
- #define HCLGE_TYPE_CSQ 1
-diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
-index 1dada183456c..47cbf06ea405 100644
---- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
-+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
-@@ -932,6 +932,18 @@ static int hclge_query_pf_resource(struct hclge_dev *hdev)
- hdev->num_tqps = __le16_to_cpu(req->tqp_num);
- hdev->pkt_buf_size = __le16_to_cpu(req->buf_size) << HCLGE_BUF_UNIT_S;
-
-+ if (req->tx_buf_size)
-+ hdev->tx_buf_size =
-+ __le16_to_cpu(req->tx_buf_size) << HCLGE_BUF_UNIT_S;
-+ else
-+ hdev->tx_buf_size = HCLGE_DEFAULT_TX_BUF;
-+
-+ if (req->dv_buf_size)
-+ hdev->dv_buf_size =
-+ __le16_to_cpu(req->dv_buf_size) << HCLGE_BUF_UNIT_S;
-+ else
-+ hdev->dv_buf_size = HCLGE_DEFAULT_DV;
-+
- if (hnae3_dev_roce_supported(hdev)) {
- hdev->roce_base_msix_offset =
- hnae3_get_field(__le16_to_cpu(req->msixcap_localid_ba_rocee),
-@@ -1592,9 +1604,10 @@ static bool hclge_is_rx_buf_ok(struct hclge_dev *hdev,
- pfc_enable_num = hclge_get_pfc_enalbe_num(hdev);
-
- if (hnae3_dev_dcb_supported(hdev))
-- shared_buf_min = 2 * hdev->mps + HCLGE_DEFAULT_DV;
-+ shared_buf_min = 2 * hdev->mps + hdev->dv_buf_size;
- else
-- shared_buf_min = 2 * hdev->mps + HCLGE_DEFAULT_NON_DCB_DV;
-+ shared_buf_min = hdev->mps + HCLGE_NON_DCB_ADDITIONAL_BUF
-+ + hdev->dv_buf_size;
-
- shared_buf_tc = pfc_enable_num * hdev->mps +
- (tc_num - pfc_enable_num) * hdev->mps / 2 +
-@@ -1607,8 +1620,15 @@ static bool hclge_is_rx_buf_ok(struct hclge_dev *hdev,
-
- shared_buf = rx_all - rx_priv;
- buf_alloc->s_buf.buf_size = shared_buf;
-- buf_alloc->s_buf.self.high = shared_buf;
-- buf_alloc->s_buf.self.low = 2 * hdev->mps;
-+ if (hnae3_dev_dcb_supported(hdev)) {
-+ buf_alloc->s_buf.self.high = shared_buf - hdev->dv_buf_size;
-+ buf_alloc->s_buf.self.low = buf_alloc->s_buf.self.high
-+ - hdev->mps / 2;
-+ } else {
-+ buf_alloc->s_buf.self.high = hdev->mps +
-+ HCLGE_NON_DCB_ADDITIONAL_BUF;
-+ buf_alloc->s_buf.self.low = hdev->mps / 2;
-+ }
-
- for (i = 0; i < HCLGE_MAX_TC_NUM; i++) {
- if ((hdev->hw_tc_map & BIT(i)) &&
-@@ -1635,11 +1655,11 @@ static int hclge_tx_buffer_calc(struct hclge_dev *hdev,
- for (i = 0; i < HCLGE_MAX_TC_NUM; i++) {
- struct hclge_priv_buf *priv = &buf_alloc->priv_buf[i];
-
-- if (total_size < HCLGE_DEFAULT_TX_BUF)
-+ if (total_size < hdev->tx_buf_size)
- return -ENOMEM;
-
- if (hdev->hw_tc_map & BIT(i))
-- priv->tx_buf_size = HCLGE_DEFAULT_TX_BUF;
-+ priv->tx_buf_size = hdev->tx_buf_size;
- else
- priv->tx_buf_size = 0;
-
-@@ -1685,11 +1705,12 @@ static int hclge_rx_buffer_calc(struct hclge_dev *hdev,
- priv->wl.low = aligned_mps;
- priv->wl.high = priv->wl.low + aligned_mps;
- priv->buf_size = priv->wl.high +
-- HCLGE_DEFAULT_DV;
-+ hdev->dv_buf_size;
- } else {
- priv->wl.low = 0;
- priv->wl.high = 2 * aligned_mps;
-- priv->buf_size = priv->wl.high;
-+ priv->buf_size = priv->wl.high +
-+ hdev->dv_buf_size;
- }
- } else {
- priv->enable = 0;
-@@ -1721,11 +1742,11 @@ static int hclge_rx_buffer_calc(struct hclge_dev *hdev,
- if (hdev->tm_info.hw_pfc_map & BIT(i)) {
- priv->wl.low = 128;
- priv->wl.high = priv->wl.low + aligned_mps;
-- priv->buf_size = priv->wl.high + HCLGE_DEFAULT_DV;
-+ priv->buf_size = priv->wl.high + hdev->dv_buf_size;
- } else {
- priv->wl.low = 0;
- priv->wl.high = aligned_mps;
-- priv->buf_size = priv->wl.high;
-+ priv->buf_size = priv->wl.high + hdev->dv_buf_size;
- }
- }
-
-diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h
-index 1528fb3fa6be..629ee0148d4e 100644
---- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h
-+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h
-@@ -545,6 +545,9 @@ struct hclge_dev {
- u32 flag;
-
- u32 pkt_buf_size; /* Total pf buf size for tx/rx */
-+ u32 tx_buf_size; /* Tx buffer size for each TC */
-+ u32 dv_buf_size; /* Dv buffer size for each TC */
-+
- u32 mps; /* Max packet size */
-
- enum hclge_mta_dmac_sel_type mta_mac_sel_type;
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0021-net-hns3-aligning-buffer-size-in-SSU-to-256-bytes.patch b/debian/patches/bugfix/arm64/huawei-taishan/0021-net-hns3-aligning-buffer-size-in-SSU-to-256-bytes.patch
deleted file mode 100644
index 5c2e01244..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0021-net-hns3-aligning-buffer-size-in-SSU-to-256-bytes.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From 234c314e892d40daa37e97e9057e04d3e3a0c285 Mon Sep 17 00:00:00 2001
-From: Yunsheng Lin
-Date: Tue, 18 Dec 2018 19:37:58 +0800
-Subject: [PATCH 21/31] net: hns3: aligning buffer size in SSU to 256 bytes
-Origin: https://git.kernel.org/linus/b9a400ac295728b2d47445e09814e1880409b311
-
-The hardware expects the buffer size set to SSU is aligned to
-256 bytes, this patch aligns the buffer size to 256 byte using
-roundup or rounddown function.
-
-Signed-off-by: Yunsheng Lin
-Signed-off-by: Peng Li
-Signed-off-by: David S. Miller
----
- .../hisilicon/hns3/hns3pf/hclge_main.c | 45 ++++++++++++-------
- 1 file changed, 28 insertions(+), 17 deletions(-)
-
-diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
-index 47cbf06ea405..42a38ca966d1 100644
---- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
-+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
-@@ -31,6 +31,10 @@ static int hclge_set_mta_filter_mode(struct hclge_dev *hdev,
- enum hclge_mta_dmac_sel_type mta_mac_sel,
- bool enable);
- static int hclge_set_mtu(struct hnae3_handle *handle, int new_mtu);
-+
-+#define HCLGE_BUF_SIZE_UNIT 256
-+
-+static int hclge_set_mac_mtu(struct hclge_dev *hdev, int new_mps);
- static int hclge_init_vlan_config(struct hclge_dev *hdev);
- static int hclge_reset_ae_dev(struct hnae3_ae_dev *ae_dev);
-
-@@ -938,12 +942,16 @@ static int hclge_query_pf_resource(struct hclge_dev *hdev)
- else
- hdev->tx_buf_size = HCLGE_DEFAULT_TX_BUF;
-
-+ hdev->tx_buf_size = roundup(hdev->tx_buf_size, HCLGE_BUF_SIZE_UNIT);
-+
- if (req->dv_buf_size)
- hdev->dv_buf_size =
- __le16_to_cpu(req->dv_buf_size) << HCLGE_BUF_UNIT_S;
- else
- hdev->dv_buf_size = HCLGE_DEFAULT_DV;
-
-+ hdev->dv_buf_size = roundup(hdev->dv_buf_size, HCLGE_BUF_SIZE_UNIT);
-+
- if (hnae3_dev_roce_supported(hdev)) {
- hdev->roce_base_msix_offset =
- hnae3_get_field(__le16_to_cpu(req->msixcap_localid_ba_rocee),
-@@ -1596,48 +1604,50 @@ static bool hclge_is_rx_buf_ok(struct hclge_dev *hdev,
- {
- u32 shared_buf_min, shared_buf_tc, shared_std;
- int tc_num, pfc_enable_num;
-- u32 shared_buf;
-+ u32 shared_buf, aligned_mps;
- u32 rx_priv;
- int i;
-
- tc_num = hclge_get_tc_num(hdev);
- pfc_enable_num = hclge_get_pfc_enalbe_num(hdev);
-+ aligned_mps = roundup(hdev->mps, HCLGE_BUF_SIZE_UNIT);
-
- if (hnae3_dev_dcb_supported(hdev))
-- shared_buf_min = 2 * hdev->mps + hdev->dv_buf_size;
-+ shared_buf_min = 2 * aligned_mps + hdev->dv_buf_size;
- else
-- shared_buf_min = hdev->mps + HCLGE_NON_DCB_ADDITIONAL_BUF
-+ shared_buf_min = aligned_mps + HCLGE_NON_DCB_ADDITIONAL_BUF
- + hdev->dv_buf_size;
-
-- shared_buf_tc = pfc_enable_num * hdev->mps +
-- (tc_num - pfc_enable_num) * hdev->mps / 2 +
-- hdev->mps;
-+ shared_buf_tc = pfc_enable_num * aligned_mps +
-+ (tc_num - pfc_enable_num) * aligned_mps / 2 +
-+ aligned_mps;
- shared_std = max_t(u32, shared_buf_min, shared_buf_tc);
-
- rx_priv = hclge_get_rx_priv_buff_alloced(buf_alloc);
- if (rx_all <= rx_priv + shared_std)
- return false;
-
-- shared_buf = rx_all - rx_priv;
-+ shared_buf = rounddown(rx_all - rx_priv, HCLGE_BUF_SIZE_UNIT);
- buf_alloc->s_buf.buf_size = shared_buf;
- if (hnae3_dev_dcb_supported(hdev)) {
- buf_alloc->s_buf.self.high = shared_buf - hdev->dv_buf_size;
- buf_alloc->s_buf.self.low = buf_alloc->s_buf.self.high
-- - hdev->mps / 2;
-+ - roundup(aligned_mps / 2, HCLGE_BUF_SIZE_UNIT);
- } else {
-- buf_alloc->s_buf.self.high = hdev->mps +
-+ buf_alloc->s_buf.self.high = aligned_mps +
- HCLGE_NON_DCB_ADDITIONAL_BUF;
-- buf_alloc->s_buf.self.low = hdev->mps / 2;
-+ buf_alloc->s_buf.self.low =
-+ roundup(aligned_mps / 2, HCLGE_BUF_SIZE_UNIT);
- }
-
- for (i = 0; i < HCLGE_MAX_TC_NUM; i++) {
- if ((hdev->hw_tc_map & BIT(i)) &&
- (hdev->tm_info.hw_pfc_map & BIT(i))) {
-- buf_alloc->s_buf.tc_thrd[i].low = hdev->mps;
-- buf_alloc->s_buf.tc_thrd[i].high = 2 * hdev->mps;
-+ buf_alloc->s_buf.tc_thrd[i].low = aligned_mps;
-+ buf_alloc->s_buf.tc_thrd[i].high = 2 * aligned_mps;
- } else {
- buf_alloc->s_buf.tc_thrd[i].low = 0;
-- buf_alloc->s_buf.tc_thrd[i].high = hdev->mps;
-+ buf_alloc->s_buf.tc_thrd[i].high = aligned_mps;
- }
- }
-
-@@ -1677,7 +1687,6 @@ static int hclge_tx_buffer_calc(struct hclge_dev *hdev,
- static int hclge_rx_buffer_calc(struct hclge_dev *hdev,
- struct hclge_pkt_buf_alloc *buf_alloc)
- {
--#define HCLGE_BUF_SIZE_UNIT 128
- u32 rx_all = hdev->pkt_buf_size, aligned_mps;
- int no_pfc_priv_num, pfc_priv_num;
- struct hclge_priv_buf *priv;
-@@ -1703,9 +1712,11 @@ static int hclge_rx_buffer_calc(struct hclge_dev *hdev,
- priv->enable = 1;
- if (hdev->tm_info.hw_pfc_map & BIT(i)) {
- priv->wl.low = aligned_mps;
-- priv->wl.high = priv->wl.low + aligned_mps;
-+ priv->wl.high =
-+ roundup(priv->wl.low + aligned_mps,
-+ HCLGE_BUF_SIZE_UNIT);
- priv->buf_size = priv->wl.high +
-- hdev->dv_buf_size;
-+ hdev->dv_buf_size;
- } else {
- priv->wl.low = 0;
- priv->wl.high = 2 * aligned_mps;
-@@ -1740,7 +1751,7 @@ static int hclge_rx_buffer_calc(struct hclge_dev *hdev,
- priv->enable = 1;
-
- if (hdev->tm_info.hw_pfc_map & BIT(i)) {
-- priv->wl.low = 128;
-+ priv->wl.low = 256;
- priv->wl.high = priv->wl.low + aligned_mps;
- priv->buf_size = priv->wl.high + hdev->dv_buf_size;
- } else {
---
-2.20.1
-
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0022-net-hns3-fix-a-SSU-buffer-checking-bug.patch b/debian/patches/bugfix/arm64/huawei-taishan/0022-net-hns3-fix-a-SSU-buffer-checking-bug.patch
deleted file mode 100644
index a5278d652..000000000
--- a/debian/patches/bugfix/arm64/huawei-taishan/0022-net-hns3-fix-a-SSU-buffer-checking-bug.patch
+++ /dev/null
@@ -1,48 +0,0 @@ -From 4d887b7901d59b472df97bd8a2f8bdeb43be7ced Mon Sep 17 00:00:00 2001 -From: Yunsheng Lin -Date: Tue, 18 Dec 2018 19:37:59 +0800 -Subject: [PATCH 22/31] net: hns3: fix a SSU buffer checking bug -Origin: https://git.kernel.org/linus/af854724e51e4047f534ac6d19b3ef9fb3c35c49 - -When caculating the SSU buffer, it first allocate tx and -rx private buffer, then the remaining buffer is for rx -shared buffer. The remaining buffer size should be at -least bigger than or equal to the shared_std, which is the -minimum shared buffer size required by the driver, but -currently if the remaining buffer size is equal to the -shared_std, it returns failure, which causes SSU buffer -allocation failure problem. - -This patch fixes this problem by rounding up shared_std before -checking the the remaining buffer size bigger than or equal to -the shared_std. - -Fixes: 46a3df9f9718 ("net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support") -Signed-off-by: Yunsheng Lin -Signed-off-by: Peng Li -Signed-off-by: David S. 
Miller ---- - drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c -index 42a38ca966d1..79232f584531 100644 ---- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c -+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c -@@ -1621,10 +1621,11 @@ static bool hclge_is_rx_buf_ok(struct hclge_dev *hdev, - shared_buf_tc = pfc_enable_num * aligned_mps + - (tc_num - pfc_enable_num) * aligned_mps / 2 + - aligned_mps; -- shared_std = max_t(u32, shared_buf_min, shared_buf_tc); -+ shared_std = roundup(max_t(u32, shared_buf_min, shared_buf_tc), -+ HCLGE_BUF_SIZE_UNIT); - - rx_priv = hclge_get_rx_priv_buff_alloced(buf_alloc); -- if (rx_all <= rx_priv + shared_std) -+ if (rx_all < rx_priv + shared_std) - return false; - - shared_buf = rounddown(rx_all - rx_priv, HCLGE_BUF_SIZE_UNIT); --- -2.20.1 - diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0023-net-hns3-change-default-tc-state-to-close.patch b/debian/patches/bugfix/arm64/huawei-taishan/0023-net-hns3-change-default-tc-state-to-close.patch deleted file mode 100644 index adfa4b935..000000000 --- a/debian/patches/bugfix/arm64/huawei-taishan/0023-net-hns3-change-default-tc-state-to-close.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From ea3eff7a2ef69730c8e48715fbf965cb9da8b0bc Mon Sep 17 00:00:00 2001 -From: Jian Shen -Date: Thu, 20 Dec 2018 11:51:59 +0800 -Subject: [PATCH 23/31] net: hns3: change default tc state to close -Origin: https://git.kernel.org/linus/a298797532d9dc244abf349d7c2ed063732c6ba3 - -In original codes, default tc value is set to the max tc. It's more -reasonable to close tc by changing default tc value to 1. Users can -enable it with lldp tool when they want to use tc. - -Signed-off-by: Jian Shen -Signed-off-by: Peng Li -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c -index 79232f584531..8cc08ffee76f 100644 ---- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c -+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c -@@ -1201,7 +1201,7 @@ static int hclge_configure(struct hclge_dev *hdev) - hdev->pfc_max = hdev->tc_max; - } - -- hdev->tm_info.num_tc = hdev->tc_max; -+ hdev->tm_info.num_tc = 1; - - /* Currently not support uncontiuous tc */ - for (i = 0; i < hdev->tm_info.num_tc; i++) --- -2.20.1 - diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0024-net-hns3-fix-a-bug-caused-by-udelay.patch b/debian/patches/bugfix/arm64/huawei-taishan/0024-net-hns3-fix-a-bug-caused-by-udelay.patch deleted file mode 100644 index a038a9ccf..000000000 --- a/debian/patches/bugfix/arm64/huawei-taishan/0024-net-hns3-fix-a-bug-caused-by-udelay.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 0f27af14383edac1efaf140d7cbe2d7dfdab7318 Mon Sep 17 00:00:00 2001 -From: Peng Li -Date: Thu, 20 Dec 2018 11:52:00 +0800 -Subject: [PATCH 24/31] net: hns3: fix a bug caused by udelay -Origin: https://git.kernel.org/linus/1b7d7b0581173219b82abbd81c88cf8aa7d402c2 - -udelay() in driver may always occupancy processor. If there is only -one cpu in system, the VF driver may initialize fail when insmod -PF and VF driver in the same system. This patch use msleep() to free -cpu when VF wait PF message. - -Signed-off-by: Peng Li -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c -index e9d5a4f96304..499131840041 100644 ---- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c -+++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c -@@ -26,7 +26,7 @@ static int hclgevf_get_mbx_resp(struct hclgevf_dev *hdev, u16 code0, u16 code1, - u8 *resp_data, u16 resp_len) - { - #define HCLGEVF_MAX_TRY_TIMES 500 --#define HCLGEVF_SLEEP_USCOEND 1000 -+#define HCLGEVF_SLEEP_USECOND 1000 - struct hclgevf_mbx_resp_status *mbx_resp; - u16 r_code0, r_code1; - int i = 0; -@@ -40,7 +40,7 @@ static int hclgevf_get_mbx_resp(struct hclgevf_dev *hdev, u16 code0, u16 code1, - } - - while ((!hdev->mbx_resp.received_resp) && (i < HCLGEVF_MAX_TRY_TIMES)) { -- udelay(HCLGEVF_SLEEP_USCOEND); -+ usleep_range(HCLGEVF_SLEEP_USECOND, HCLGEVF_SLEEP_USECOND * 2); - i++; - } - --- -2.20.1 - diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0025-net-hns3-remove-redundant-variable-initialization.patch b/debian/patches/bugfix/arm64/huawei-taishan/0025-net-hns3-remove-redundant-variable-initialization.patch deleted file mode 100644 index b724c37cc..000000000 
--- a/debian/patches/bugfix/arm64/huawei-taishan/0025-net-hns3-remove-redundant-variable-initialization.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 883a7a53d7f6a6494e3a0df73fb02f76ecc42bc1 Mon Sep 17 00:00:00 2001 -From: Peng Li -Date: Thu, 20 Dec 2018 11:52:06 +0800 -Subject: [PATCH 25/31] net: hns3: remove redundant variable initialization -Origin: https://git.kernel.org/linus/1154bb26c879fea51c20aee167ddce4345caa255 - -This patch removes the redundant variable initialization, -as driver will devm_kzalloc to set value to hdev soon. - -Signed-off-by: Peng Li -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c -index 5570fb5dc2eb..dca51d9cfa4f 100644 ---- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c -+++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c -@@ -1360,7 +1360,7 @@ static int hclgevf_configure(struct hclgevf_dev *hdev) - static int hclgevf_alloc_hdev(struct hnae3_ae_dev *ae_dev) - { - struct pci_dev *pdev = ae_dev->pdev; -- struct hclgevf_dev *hdev = ae_dev->priv; -+ struct hclgevf_dev *hdev; - - hdev = devm_kzalloc(&pdev->dev, sizeof(*hdev), GFP_KERNEL); - if (!hdev) --- -2.20.1 - diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0026-net-hns3-call-hns3_nic_net_open-while-doing-HNAE3_UP.patch b/debian/patches/bugfix/arm64/huawei-taishan/0026-net-hns3-call-hns3_nic_net_open-while-doing-HNAE3_UP.patch deleted file mode 100644 index fcf93fd11..000000000 --- a/debian/patches/bugfix/arm64/huawei-taishan/0026-net-hns3-call-hns3_nic_net_open-while-doing-HNAE3_UP.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From a4e5945057386872cb9add271aea76ca2413f481 Mon Sep 17 00:00:00 2001 -From: Huazhong Tan -Date: Mon, 31 Dec 2018 10:58:29 +0800 -Subject: [PATCH 26/31] net: hns3: call hns3_nic_net_open() while doing - HNAE3_UP_CLIENT -Origin: https://git.kernel.org/linus/e888402789b9db5de4fcda361331d66dbf0cd9fd - -For HNAE3_DOWN_CLIENT calling hns3_nic_net_stop(), HNAE3_UP_CLIENT -should call hns3_nic_net_open(), since if the number of queue or -the map of TC has is changed before HHAE3_UP_CLIENT is called, -it will cause problem. - -Also the HNS3_NIC_STATE_RESETTING flag needs to be cleared before -hns3_nic_net_open() called, and set it back while hns3_nic_net_open() -failed. - -Fixes: bb6b94a896d4 ("net: hns3: Add reset interface implementation in client") -Signed-off-by: Huazhong Tan -Signed-off-by: Yunsheng Lin -Signed-off-by: Peng Li -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c -index 0ccfa6a84535..895c43fd1d81 100644 ---- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c -+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c -@@ -3439,11 +3439,15 @@ static int hns3_reset_notify_down_enet(struct hnae3_handle *handle) - static int hns3_reset_notify_up_enet(struct hnae3_handle *handle) - { - struct hnae3_knic_private_info *kinfo = &handle->kinfo; -+ struct hns3_nic_priv *priv = netdev_priv(kinfo->netdev); - int ret = 0; - -+ clear_bit(HNS3_NIC_STATE_RESETTING, &priv->state); -+ - if (netif_running(kinfo->netdev)) { -- ret = hns3_nic_net_up(kinfo->netdev); -+ ret = hns3_nic_net_open(kinfo->netdev); - if (ret) { -+ set_bit(HNS3_NIC_STATE_RESETTING, &priv->state); - netdev_err(kinfo->netdev, - "hns net up fail, ret=%d!\n", ret); - return ret; --- -2.20.1 - 
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0027-RDMA-hns-Fix-the-bug-with-updating-rq-head-pointer-w.patch b/debian/patches/bugfix/arm64/huawei-taishan/0027-RDMA-hns-Fix-the-bug-with-updating-rq-head-pointer-w.patch deleted file mode 100644 index b897d9320..000000000 --- a/debian/patches/bugfix/arm64/huawei-taishan/0027-RDMA-hns-Fix-the-bug-with-updating-rq-head-pointer-w.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 42472e368c1bbe74d7316d549ae4f83097f54c87 Mon Sep 17 00:00:00 2001 -From: Lijun Ou -Date: Wed, 12 Dec 2018 17:49:06 +0800 -Subject: [PATCH 27/31] RDMA/hns: Fix the bug with updating rq head pointer - when flush cqe -Origin: https://git.kernel.org/linus/9c6ccc035c209dda07685e8dba829a203ba17499 - -When flush cqe with srq, the driver disable to update the rq head pointer -into the hardware. - -Signed-off-by: Lijun Ou -Signed-off-by: Jason Gunthorpe ---- - drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c -index a442b29e7611..c7843d9817de 100644 ---- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c -+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c -@@ -3499,13 +3499,16 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp, - roce_set_field(qpc_mask->byte_160_sq_ci_pi, - V2_QPC_BYTE_160_SQ_PRODUCER_IDX_M, - V2_QPC_BYTE_160_SQ_PRODUCER_IDX_S, 0); -- roce_set_field(context->byte_84_rq_ci_pi, -+ -+ if (!ibqp->srq) { -+ roce_set_field(context->byte_84_rq_ci_pi, - V2_QPC_BYTE_84_RQ_PRODUCER_IDX_M, - V2_QPC_BYTE_84_RQ_PRODUCER_IDX_S, - hr_qp->rq.head); -- roce_set_field(qpc_mask->byte_84_rq_ci_pi, -+ roce_set_field(qpc_mask->byte_84_rq_ci_pi, - V2_QPC_BYTE_84_RQ_PRODUCER_IDX_M, - V2_QPC_BYTE_84_RQ_PRODUCER_IDX_S, 0); -+ } - } - - if (attr_mask & IB_QP_AV) { -@@ -3967,7 +3970,8 @@ static void hns_roce_set_qps_to_err(struct hns_roce_dev *hr_dev, u32 qpn) - if (hr_qp->ibqp.uobject) { - if (hr_qp->sdb_en == 1) { - hr_qp->sq.head = *(int *)(hr_qp->sdb.virt_addr); -- hr_qp->rq.head = *(int *)(hr_qp->rdb.virt_addr); -+ if (hr_qp->rdb_en == 1) -+ hr_qp->rq.head = *(int *)(hr_qp->rdb.virt_addr); - } else { - dev_warn(hr_dev->dev, "flush cqe is unsupported in userspace!\n"); - return; --- -2.20.1 - 
diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0028-RDMA-hns-Bugfix-for-the-scene-without-receiver-queue.patch b/debian/patches/bugfix/arm64/huawei-taishan/0028-RDMA-hns-Bugfix-for-the-scene-without-receiver-queue.patch deleted file mode 100644 index a597b9a47..000000000 --- a/debian/patches/bugfix/arm64/huawei-taishan/0028-RDMA-hns-Bugfix-for-the-scene-without-receiver-queue.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 0adf3f4bef9346c9cd3d1ecb7af4ee8f27d3b48a Mon Sep 17 00:00:00 2001 -From: Lijun Ou -Date: Wed, 12 Dec 2018 17:49:07 +0800 -Subject: [PATCH 28/31] RDMA/hns: Bugfix for the scene without receiver queue -Origin: https://git.kernel.org/linus/4d103905eb1e4f14cb62fcf962c9d35da7005dea - -In some application scenario, the user could not have receive queue when -run rdma write or read operation. - -Signed-off-by: Lijun Ou -Signed-off-by: Jason Gunthorpe ---- - drivers/infiniband/hw/hns/hns_roce_qp.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c -index efb7e961ca65..de1676e25828 100644 ---- a/drivers/infiniband/hw/hns/hns_roce_qp.c -+++ b/drivers/infiniband/hw/hns/hns_roce_qp.c -@@ -503,7 +503,8 @@ static int hns_roce_qp_has_sq(struct ib_qp_init_attr *attr) - static int hns_roce_qp_has_rq(struct ib_qp_init_attr *attr) - { - if (attr->qp_type == IB_QPT_XRC_INI || -- attr->qp_type == IB_QPT_XRC_TGT || attr->srq) -+ attr->qp_type == IB_QPT_XRC_TGT || attr->srq || -+ !attr->cap.max_recv_wr) - return 0; - - return 1; --- -2.20.1 - diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0029-RDMA-hns-Add-constraint-on-the-setting-of-local-ACK-.patch b/debian/patches/bugfix/arm64/huawei-taishan/0029-RDMA-hns-Add-constraint-on-the-setting-of-local-ACK-.patch deleted file mode 100644 index aa69c2ef4..000000000 --- a/debian/patches/bugfix/arm64/huawei-taishan/0029-RDMA-hns-Add-constraint-on-the-setting-of-local-ACK-.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 84193e72c505286e4681b3c566c64eea3e25f7fd Mon Sep 17 00:00:00 2001 -From: Lijun Ou -Date: Wed, 12 Dec 2018 17:49:08 +0800 -Subject: [PATCH 29/31] RDMA/hns: Add constraint on the setting of local ACK - timeout -Origin: https://git.kernel.org/linus/44754b95dd35ee07c462b5425ae9c4cde8c7e7c8 - -According to IB protocol, local ACK timeout shall be a 5 bit -value. Currently, hip08 could not support the possible max value 31. Fail -the request in this case. - -Signed-off-by: Yixian Liu -Signed-off-by: Lijun Ou -Signed-off-by: Jason Gunthorpe ---- - drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c -index c7843d9817de..627f77a6e0a9 100644 ---- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c -+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c -@@ -3398,10 +3398,16 @@ static int modify_qp_rtr_to_rts(struct ib_qp *ibqp, - V2_QPC_BYTE_212_LSN_S, 0); - - if (attr_mask & IB_QP_TIMEOUT) { -- roce_set_field(context->byte_28_at_fl, V2_QPC_BYTE_28_AT_M, -- V2_QPC_BYTE_28_AT_S, attr->timeout); -- roce_set_field(qpc_mask->byte_28_at_fl, V2_QPC_BYTE_28_AT_M, -- V2_QPC_BYTE_28_AT_S, 0); -+ if (attr->timeout < 31) { -+ roce_set_field(context->byte_28_at_fl, -+ V2_QPC_BYTE_28_AT_M, V2_QPC_BYTE_28_AT_S, -+ attr->timeout); -+ roce_set_field(qpc_mask->byte_28_at_fl, -+ V2_QPC_BYTE_28_AT_M, V2_QPC_BYTE_28_AT_S, -+ 0); -+ } else { -+ dev_warn(dev, "Local ACK timeout shall be 0 to 30.\n"); -+ } - } - - roce_set_field(context->byte_172_sq_psn, V2_QPC_BYTE_172_SQ_CUR_PSN_M, --- -2.20.1 - diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0030-RDMA-hns-Modify-the-pbl-ba-page-size-for-hip08.patch b/debian/patches/bugfix/arm64/huawei-taishan/0030-RDMA-hns-Modify-the-pbl-ba-page-size-for-hip08.patch deleted file mode 100644 index 138d7f9f9..000000000 
--- a/debian/patches/bugfix/arm64/huawei-taishan/0030-RDMA-hns-Modify-the-pbl-ba-page-size-for-hip08.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 454bc02382f8ed2eb3ebc7db4867ed419e3f0241 Mon Sep 17 00:00:00 2001 -From: Lijun Ou -Date: Wed, 12 Dec 2018 17:49:09 +0800 -Subject: [PATCH 30/31] RDMA/hns: Modify the pbl ba page size for hip08 -Origin: https://git.kernel.org/linus/91fb4d83b88a7b544ce564c44167aad29d4154f0 - -Modify the pbl ba page size to 16K for in order to support 4G MR size. - -Signed-off-by: Wei Hu (Xavier) -Signed-off-by: Lijun Ou -Signed-off-by: Jason Gunthorpe ---- - drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c -index 627f77a6e0a9..e521cc740120 100644 ---- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c -+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c -@@ -1235,7 +1235,7 @@ static int hns_roce_v2_profile(struct hns_roce_dev *hr_dev) - caps->mpt_ba_pg_sz = 0; - caps->mpt_buf_pg_sz = 0; - caps->mpt_hop_num = HNS_ROCE_CONTEXT_HOP_NUM; -- caps->pbl_ba_pg_sz = 0; -+ caps->pbl_ba_pg_sz = 2; - caps->pbl_buf_pg_sz = 0; - caps->pbl_hop_num = HNS_ROCE_PBL_HOP_NUM; - caps->mtt_ba_pg_sz = 0; --- -2.20.1 - diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0031-RDMA-hns-RDMA-hns-Assign-rq-head-pointer-when-enable.patch b/debian/patches/bugfix/arm64/huawei-taishan/0031-RDMA-hns-RDMA-hns-Assign-rq-head-pointer-when-enable.patch deleted file mode 100644 index ec1312b8e..000000000 --- a/debian/patches/bugfix/arm64/huawei-taishan/0031-RDMA-hns-RDMA-hns-Assign-rq-head-pointer-when-enable.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 07a7830061e657ce352e690dbe0a794ffb10d22e Mon Sep 17 00:00:00 2001 -From: Lijun Ou -Date: Sat, 12 Jan 2019 18:36:29 +0800 -Subject: [PATCH 31/31] RDMA/hns: RDMA/hns: Assign rq head pointer when enable - rq record db -Origin: https://git.kernel.org/linus/de77503a59403e7045c18c6bb0a10c245a99b648 - -When flush cqe, it needs to get the pointer of rq and sq from db address -space of user and update it into qp context by modified qp. if rq does not -exist, it will not get the value from db address space of user. - -Signed-off-by: Lijun Ou -Signed-off-by: Jason Gunthorpe ---- - drivers/infiniband/hw/hns/hns_roce_qp.c | 19 ++++++++++--------- - 1 file changed, 10 insertions(+), 9 deletions(-) - -diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c -index de1676e25828..b3ad35310925 100644 ---- a/drivers/infiniband/hw/hns/hns_roce_qp.c -+++ b/drivers/infiniband/hw/hns/hns_roce_qp.c -@@ -652,6 +652,10 @@ static int hns_roce_create_qp_common(struct hns_roce_dev *hr_dev, - dev_err(dev, "rq record doorbell map failed!\n"); - goto err_sq_dbmap; - } -+ -+ /* indicate kernel supports rq record db */ -+ resp.cap_flags |= HNS_ROCE_SUPPORT_RQ_RECORD_DB; -+ hr_qp->rdb_en = 1; - } - } else { - if (init_attr->create_flags & -@@ -760,16 +764,11 @@ static int hns_roce_create_qp_common(struct hns_roce_dev *hr_dev, - else - hr_qp->doorbell_qpn = cpu_to_le64(hr_qp->qpn); - -- if (ib_pd->uobject && (udata->outlen >= sizeof(resp)) && -- (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_RECORD_DB)) { -- -- /* indicate kernel supports rq record db */ -- resp.cap_flags |= HNS_ROCE_SUPPORT_RQ_RECORD_DB; -- ret = ib_copy_to_udata(udata, &resp, sizeof(resp)); -+ if (udata) { -+ ret = ib_copy_to_udata(udata, &resp, -+ min(udata->outlen, sizeof(resp))); - if (ret) - goto err_qp; -- -- hr_qp->rdb_en = 1; - } - hr_qp->event = hns_roce_ib_qp_event; - -@@ -946,7 +945,9 @@ int hns_roce_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, - (attr_mask & 
IB_QP_STATE) && new_state == IB_QPS_ERR) { - if (hr_qp->sdb_en == 1) { - hr_qp->sq.head = *(int *)(hr_qp->sdb.virt_addr); -- hr_qp->rq.head = *(int *)(hr_qp->rdb.virt_addr); -+ -+ if (hr_qp->rdb_en == 1) -+ hr_qp->rq.head = *(int *)(hr_qp->rdb.virt_addr); - } else { - dev_warn(dev, "flush cqe is not supported in userspace!\n"); - goto out; --- -2.20.1 - diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0032-scsi-hisi_sas-Fix-NULL-pointer-dereference.patch b/debian/patches/bugfix/arm64/huawei-taishan/0032-scsi-hisi_sas-Fix-NULL-pointer-dereference.patch deleted file mode 100644 index 0e9e9cd44..000000000 --- a/debian/patches/bugfix/arm64/huawei-taishan/0032-scsi-hisi_sas-Fix-NULL-pointer-dereference.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 19c36e6a73724c2ec33980b9ab88145428b68412 Mon Sep 17 00:00:00 2001 -From: "Gustavo A. R. Silva" -Date: Thu, 18 Oct 2018 18:59:39 +0200 -Subject: [PATCH] scsi: hisi_sas: Fix NULL pointer dereference -Origin: https://git.kernel.org/linus/f4445bb93d82a984657b469e63118c2794a4c3d3 - -There is a NULL pointer dereference in case *slot* happens to be NULL at -lines 1053 and 1878: - -struct hisi_sas_cq *cq = - &hisi_hba->cq[slot->dlvry_queue]; - -Notice that *slot* is being NULL checked at lines 1057 and 1881: -if (slot), which implies it may be NULL. - -Fix this by placing the declaration and definition of variable cq, which -contains the pointer dereference slot->dlvry_queue, after slot has been -properly NULL checked. - -Addresses-Coverity-ID: 1474515 ("Dereference before null check") -Addresses-Coverity-ID: 1474520 ("Dereference before null check") -Fixes: 584f53fe5f52 ("scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO") -Signed-off-by: Gustavo A. R. Silva -Reviewed-by: Xiang Chen -Signed-off-by: Martin K. 
Petersen ---- - drivers/scsi/hisi_sas/hisi_sas_main.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c -index 764d651879cf..3c03de9d18dd 100644 ---- a/drivers/scsi/hisi_sas/hisi_sas_main.c -+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c -@@ -1088,11 +1088,11 @@ static int hisi_sas_exec_internal_tmf_task(struct domain_device *device, - if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) { - if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { - struct hisi_sas_slot *slot = task->lldd_task; -- struct hisi_sas_cq *cq = -- &hisi_hba->cq[slot->dlvry_queue]; - - dev_err(dev, "abort tmf: TMF task timeout and not done\n"); - if (slot) { -+ struct hisi_sas_cq *cq = -+ &hisi_hba->cq[slot->dlvry_queue]; - /* - * flush tasklet to avoid free'ing task - * before using task in IO completion -@@ -1913,10 +1913,10 @@ hisi_sas_internal_task_abort(struct hisi_hba *hisi_hba, - if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) { - if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { - struct hisi_sas_slot *slot = task->lldd_task; -- struct hisi_sas_cq *cq = -- &hisi_hba->cq[slot->dlvry_queue]; - - if (slot) { -+ struct hisi_sas_cq *cq = -+ &hisi_hba->cq[slot->dlvry_queue]; - /* - * flush tasklet to avoid free'ing task - * before using task in IO completion --- -2.20.1 - diff --git a/debian/patches/bugfix/arm64/huawei-taishan/0033-scsi-hisi_sas-fix-calls-to-dma_set_mask_and_coherent.patch b/debian/patches/bugfix/arm64/huawei-taishan/0033-scsi-hisi_sas-fix-calls-to-dma_set_mask_and_coherent.patch deleted file mode 100644 index cefc0d202..000000000 --- a/debian/patches/bugfix/arm64/huawei-taishan/0033-scsi-hisi_sas-fix-calls-to-dma_set_mask_and_coherent.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From badecc38102204f5297ad6ce1d7c7875e514c6f7 Mon Sep 17 00:00:00 2001 -From: Hannes Reinecke -Date: Mon, 18 Feb 2019 08:34:25 +0100 -Subject: [PATCH] scsi: hisi_sas: fix calls to dma_set_mask_and_coherent() -Origin: https://git.kernel.org/linus/d9a00459effc30f6de2cdd887b64f15c6c54ae71 - -The change to use dma_set_mask_and_coherent() incorrectly made a second -call with the 32 bit DMA mask value when the call with the 64 bit DMA -mask value succeeded. - -[mkp: fixed commit message] - -Fixes: e4db40e7a1a2 ("scsi: hisi_sas: use dma_set_mask_and_coherent") -Cc: -Suggested-by: Ewan D. Milne -Signed-off-by: Hannes Reinecke -Reviewed-by: Christoph Hellwig -Signed-off-by: Hannes Reinecke -Signed-off-by: Martin K. Petersen ---- - drivers/scsi/hisi_sas/hisi_sas_main.c | 8 ++++++-- - drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 8 +++++--- - 2 files changed, 11 insertions(+), 5 deletions(-) - -diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c -index 3c03de9d18dd..8aeb92d9144e 100644 ---- a/drivers/scsi/hisi_sas/hisi_sas_main.c -+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c -@@ -2339,6 +2339,7 @@ static struct Scsi_Host *hisi_sas_shost_alloc(struct platform_device *pdev, - struct Scsi_Host *shost; - struct hisi_hba *hisi_hba; - struct device *dev = &pdev->dev; -+ int error; - - shost = scsi_host_alloc(hw->sht, sizeof(*hisi_hba)); - if (!shost) { -@@ -2359,8 +2360,11 @@ static struct Scsi_Host *hisi_sas_shost_alloc(struct platform_device *pdev, - if (hisi_sas_get_fw_info(hisi_hba) < 0) - goto err_out; - -- if (dma_set_mask_and_coherent(dev, DMA_BIT_MASK(64)) && -- dma_set_mask_and_coherent(dev, DMA_BIT_MASK(32))) { -+ error = dma_set_mask_and_coherent(dev, DMA_BIT_MASK(64)); -+ if (error) -+ error = dma_set_mask_and_coherent(dev, DMA_BIT_MASK(32)); -+ -+ if (error) { - dev_err(dev, "No usable DMA addressing method\n"); - goto err_out; - } -diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c 
b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c -index 6d584f232204..434f017afadc 100644 ---- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c -+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c -@@ -2328,10 +2328,12 @@ hisi_sas_v3_probe(struct pci_dev *pdev, const struct pci_device_id *id) - if (rc) - goto err_out_disable_device; - -- if (dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(64)) || -- dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32))) { -+ rc = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(64)); -+ if (rc) -+ rc = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32)); -+ if (rc) { - dev_err(dev, "No usable DMA addressing method\n"); -- rc = -EIO; -+ rc = -ENODEV; - goto err_out_regions; - } - --- -2.20.1 - diff --git a/debian/patches/bugfix/sh/sh-check-for-kprobe-trap-number-before-trying-to-handle-a-kprobe-trap.patch b/debian/patches/bugfix/sh/sh-check-for-kprobe-trap-number-before-trying-to-handle-a-kprobe-trap.patch deleted file mode 100644 index 4814e59cc..000000000 --- a/debian/patches/bugfix/sh/sh-check-for-kprobe-trap-number-before-trying-to-handle-a-kprobe-trap.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 6d7cc74d8aad33589c6cc6f38e33c4284abc07b8 Mon Sep 17 00:00:00 2001 -From: Michael Karcher -Date: Wed, 12 Jun 2019 15:08:37 +0200 -Subject: [PATCH 1/1] arch/sh: Check for kprobe trap number before trying to - handle a kprobe trap -Origin: https://marc.info/?l=linux-sh&m=156034655921917&w=2 - -The DIE_TRAP notifier chain is run both for kprobe traps and for BUG/WARN -traps. The kprobe code assumes to be only called for -BREAKPOINT_INSTRUCTION, and concludes to have hit a concurrently removed -kprobe if it finds anything else at the faulting locations. This includes -TRAPA_BUG_OPCODE used for BUG and WARN. - -The consequence is that kprobe_handler returns 1. This makes -kprobe_exceptions_notify return NOTIFY_STOP, and prevents handling the BUG -statement. This also prevents moving $pc away from the trap instruction, -so the system locks up in an endless loop - -Signed-off-by: Michael Karcher ---- - arch/sh/kernel/kprobes.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/arch/sh/kernel/kprobes.c b/arch/sh/kernel/kprobes.c -index 1f8c0d30567f..318296f48f1a 100644 ---- a/arch/sh/kernel/kprobes.c -+++ b/arch/sh/kernel/kprobes.c -@@ -485,7 +485,8 @@ int __kprobes kprobe_exceptions_notify(struct notifier_block *self, - struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); - - addr = (kprobe_opcode_t *) (args->regs->pc); -- if (val == DIE_TRAP) { -+ if (val == DIE_TRAP && -+ args->trapnr == (BREAKPOINT_INSTRUCTION & 0xff)) { - if (!kprobe_running()) { - if (kprobe_handler(args->regs)) { - ret = NOTIFY_STOP; --- -2.11.0 - diff --git a/debian/patches/series b/debian/patches/series index 81454443d..716a8b69e 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -69,7 +69,6 @@ bugfix/x86/platform-x86-ideapad-laptop-add-ideapad-v510-15ikb-t.patch bugfix/x86/platform-x86-ideapad-laptop-add-several-models-to-no.patch bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch -bugfix/sh/sh-check-for-kprobe-trap-number-before-trying-to-handle-a-kprobe-trap.patch bugfix/powerpc/powerpc-lib-sstep-fix-building-for-powerpcspe.patch bugfix/powerpc/powerpc-lib-makefile-don-t-pull-in-quad.o-for-32-bit.patch bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch 
@@ -286,40 +285,5 @@ features/all/ena/0016-net-ena-fix-compilation-error-in-xtensa-architecture.patch features/all/ena/0017-net-ena-fix-crash-during-ena_remove.patch features/all/ena/0018-net-ena-update-driver-version-from-2.0.1-to-2.0.2.patch -# Backported bugfixes from 4.20/4.21 for the Huawei TaiShan server platform (aka D06) -bugfix/arm64/huawei-taishan/0001-scsi-hisi_sas-Feed-back-linkrate-max-min-when-re-att.patch -bugfix/arm64/huawei-taishan/0002-scsi-hisi_sas-Move-evaluation-of-hisi_hba-in-hisi_sa.patch -bugfix/arm64/huawei-taishan/0003-scsi-hisi_sas-Fix-the-race-between-IO-completion-and.patch -bugfix/arm64/huawei-taishan/0004-scsi-hisi_sas-Free-slot-later-in-slot_complete_vx_hw.patch -bugfix/arm64/huawei-taishan/0005-scsi-hisi_sas-unmask-interrupts-ent72-and-ent74.patch -bugfix/arm64/huawei-taishan/0006-scsi-hisi_sas-Use-block-layer-tag-instead-for-IPTT.patch -bugfix/arm64/huawei-taishan/0007-scsi-hisi_sas-Update-v3-hw-AIP_LIMIT-and-CFG_AGING_T.patch -bugfix/arm64/huawei-taishan/0008-scsi-hisi_sas-Fix-spin-lock-management-in-slot_index.patch -bugfix/arm64/huawei-taishan/0009-scsi-hisi_sas-use-dma_set_mask_and_coherent.patch -bugfix/arm64/huawei-taishan/0010-scsi-hisi_sas-Create-separate-host-attributes-per-HB.patch -bugfix/arm64/huawei-taishan/0011-scsi-hisi_sas-Add-support-for-interrupt-converge-for.patch -bugfix/arm64/huawei-taishan/0012-scsi-hisi_sas-Add-support-for-interrupt-coalescing-f.patch -bugfix/arm64/huawei-taishan/0013-scsi-hisi_sas-Relocate-some-codes-to-avoid-an-unused.patch -bugfix/arm64/huawei-taishan/0014-scsi-hisi_sas-Fix-warnings-detected-by-sparse.patch -bugfix/arm64/huawei-taishan/0015-scsi-hisi_sas-Relocate-some-code-to-reduce-complexit.patch -bugfix/arm64/huawei-taishan/0016-scsi-hisi_sas-Make-sg_tablesize-consistent-value.patch -bugfix/arm64/huawei-taishan/0017-net-hns3-remove-unnecessary-configuration-recapture-.patch -bugfix/arm64/huawei-taishan/0018-net-hns3-remove-1000M-half-support-of-phy.patch 
-bugfix/arm64/huawei-taishan/0019-net-hns3-synchronize-speed-and-duplex-from-phy-when-.patch -bugfix/arm64/huawei-taishan/0020-net-hns3-getting-tx-and-dv-buffer-size-through-firmw.patch -bugfix/arm64/huawei-taishan/0021-net-hns3-aligning-buffer-size-in-SSU-to-256-bytes.patch -bugfix/arm64/huawei-taishan/0022-net-hns3-fix-a-SSU-buffer-checking-bug.patch -bugfix/arm64/huawei-taishan/0023-net-hns3-change-default-tc-state-to-close.patch -bugfix/arm64/huawei-taishan/0024-net-hns3-fix-a-bug-caused-by-udelay.patch -bugfix/arm64/huawei-taishan/0025-net-hns3-remove-redundant-variable-initialization.patch -bugfix/arm64/huawei-taishan/0026-net-hns3-call-hns3_nic_net_open-while-doing-HNAE3_UP.patch -bugfix/arm64/huawei-taishan/0027-RDMA-hns-Fix-the-bug-with-updating-rq-head-pointer-w.patch -bugfix/arm64/huawei-taishan/0028-RDMA-hns-Bugfix-for-the-scene-without-receiver-queue.patch -bugfix/arm64/huawei-taishan/0029-RDMA-hns-Add-constraint-on-the-setting-of-local-ACK-.patch -bugfix/arm64/huawei-taishan/0030-RDMA-hns-Modify-the-pbl-ba-page-size-for-hip08.patch -bugfix/arm64/huawei-taishan/0031-RDMA-hns-RDMA-hns-Assign-rq-head-pointer-when-enable.patch -bugfix/arm64/huawei-taishan/0032-scsi-hisi_sas-Fix-NULL-pointer-dereference.patch -bugfix/arm64/huawei-taishan/0033-scsi-hisi_sas-fix-calls-to-dma_set_mask_and_coherent.patch - # ABI maintenance debian/abi/tcp-avoid-abi-change-for-dos-fixes.patch From 167ecd4ada4a14614b61da4fdde82c2b15fca8b7 Mon Sep 17 00:00:00 2001 From: Romain Perier Date: Mon, 22 Jul 2019 14:01:45 +0200 Subject: [PATCH 07/19] scsi: libsas: fix a race condition when smp task timeout (CVE-2018-20836) --- debian/changelog | 5 +- ...race-condition-when-smp-task-timeout.patch | 65 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 69 insertions(+), 2 deletions(-) create mode 100644 debian/patches/bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch diff --git a/debian/changelog b/debian/changelog index 9125e7405..b289ac870 100644 
--- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.19.37-6) UNRELEASED; urgency=medium +linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium [ Romain Perier ] * [x86] x86/insn-eval: Fix use-after-free access to LDT entry (CVE-2019-13233) @@ -6,8 +6,9 @@ linux (4.19.37-6) UNRELEASED; urgency=medium * nfc: Ensure presence of required attributes in the deactivate_target handler (CVE-2019-12984) * binder: fix race between munmap() and direct reclaim (CVE-2019-1999) + * scsi: libsas: fix a race condition when smp task timeout (CVE-2018-20836) - -- Salvatore Bonaccorso Sun, 23 Jun 2019 16:15:17 +0200 + -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200 linux (4.19.37-5+deb10u1) buster-security; urgency=high diff --git a/debian/patches/bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch b/debian/patches/bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch new file mode 100644 index 000000000..0a9b1dd72 --- /dev/null +++ b/debian/patches/bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch 
@@ -0,0 +1,65 @@ +From b90cd6f2b905905fb42671009dc0e27c310a16ae Mon Sep 17 00:00:00 2001 +From: Jason Yan +Date: Tue, 25 Sep 2018 10:56:54 +0800 +Subject: scsi: libsas: fix a race condition when smp task timeout +Origin: https://git.kernel.org/linus/b90cd6f2b905905fb42671009dc0e27c310a16ae +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20836 + +When the lldd is processing the complete sas task in interrupt and set the +task stat as SAS_TASK_STATE_DONE, the smp timeout timer is able to be +triggered at the same time. And smp_task_timedout() will complete the task +wheter the SAS_TASK_STATE_DONE is set or not. Then the sas task may freed +before lldd end the interrupt process. Thus a use-after-free will happen. + +Fix this by calling the complete() only when SAS_TASK_STATE_DONE is not +set. And remove the check of the return value of the del_timer(). Once the +LLDD sets DONE, it must call task->done(), which will call +smp_task_done()->complete() and the task will be completed and freed +correctly. + +Reported-by: chenxiang +Signed-off-by: Jason Yan +CC: John Garry +CC: Johannes Thumshirn +CC: Ewan Milne +CC: Christoph Hellwig +CC: Tomas Henzl +CC: Dan Williams +CC: Hannes Reinecke +Reviewed-by: Hannes Reinecke +Reviewed-by: John Garry +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. 
Petersen +--- + drivers/scsi/libsas/sas_expander.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index 52222940d398..0d1f72752ca2 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -48,17 +48,16 @@ static void smp_task_timedout(struct timer_list *t) + unsigned long flags; + + spin_lock_irqsave(&task->task_state_lock, flags); +- if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) ++ if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { + task->task_state_flags |= SAS_TASK_STATE_ABORTED; ++ complete(&task->slow_task->completion); ++ } + spin_unlock_irqrestore(&task->task_state_lock, flags); +- +- complete(&task->slow_task->completion); + } + + static void smp_task_done(struct sas_task *task) + { +- if (!del_timer(&task->slow_task->timer)) +- return; ++ del_timer(&task->slow_task->timer); + complete(&task->slow_task->completion); + } + +-- +cgit 1.2-0.3.lf.el7 + diff --git a/debian/patches/series b/debian/patches/series index 716a8b69e..f904bd1f3 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -233,6 +233,7 @@ bugfix/x86/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch +bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From 8cb769111fb2e083302d61f6973a9e06cf3d6bab Mon Sep 17 00:00:00 2001 
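Review bot: In `smp_task_done()` the now unconditional `del_timer(&task->slow_task->timer);` does not wait for a timeout handler that is already running, so `smp_task_timedout()` may still be about to take `task->task_state_lock` when `complete()` wakes the waiter. Whether the waiter can free the task in that window depends on code outside this hunk, so it should be confirmed rather than assumed. `del_timer_sync()` is probably not a drop-in replacement if `->done()` can be reached from interrupt context. At minimum I would add a comment above the call, such as `/* handler may still be running; the task must stay valid until it drops task_state_lock */`.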
From: Romain Perier Date: Sat, 27 Jul 2019 13:15:59 +0200 Subject: [PATCH 08/19] Input: gtco - bounds check collection indent level (CVE-2019-13631) --- debian/changelog | 3 +- ...bounds-check-collection-indent-level.patch | 82 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch diff --git a/debian/changelog b/debian/changelog index b289ac870..66dc514de 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,8 +7,9 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium (CVE-2019-12984) * binder: fix race between munmap() and direct reclaim (CVE-2019-1999) * scsi: libsas: fix a race condition when smp task timeout (CVE-2018-20836) + * Input: gtco - bounds check collection indent level (CVE-2019-13631) - -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200 + -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200 linux (4.19.37-5+deb10u1) buster-security; urgency=high diff --git a/debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch b/debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch new file mode 100644 index 000000000..e44fcff9d --- /dev/null +++ b/debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch 
@@ -0,0 +1,82 @@ +From: Grant Hernandez +Date: Sat, 13 Jul 2019 01:00:12 -0700 +Subject: Input: gtco - bounds check collection indent level +Origin: https://git.kernel.org/linus/kernel/git/stable/linux.git/patch/?id=d657077eda7b5572d86f2f618391bb016b5d9a64 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13631 + +commit 2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1 upstream. + +The GTCO tablet input driver configures itself from an HID report sent +via USB during the initial enumeration process. Some debugging messages +are generated during the parsing. A debugging message indentation +counter is not bounds checked, leading to the ability for a specially +crafted HID report to cause '-' and null bytes be written past the end +of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG +enabled, this code will not be optimized out. This was discovered +during code review after a previous syzkaller bug was found in this +driver. + +Signed-off-by: Grant Hernandez +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/tablet/gtco.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c +index 4b8b9d7aa75e..35031228a6d0 100644 +--- a/drivers/input/tablet/gtco.c ++++ b/drivers/input/tablet/gtco.c +@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com + + /* Max size of a single report */ + #define REPORT_MAX_SIZE 10 ++#define MAX_COLLECTION_LEVELS 10 + + + /* Bitmask whether pen is in range */ +@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, + char maintype = 'x'; + char globtype[12]; + int indent = 0; +- char indentstr[10] = ""; +- ++ char indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 }; + + dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n"); + +@@ -350,6 +350,13 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, + 
case TAG_MAIN_COL_START: + maintype = 'S'; + ++ if (indent == MAX_COLLECTION_LEVELS) { ++ dev_err(ddev, "Collection level %d would exceed limit of %d\n", ++ indent + 1, ++ MAX_COLLECTION_LEVELS); ++ break; ++ } ++ + if (data == 0) { + dev_dbg(ddev, "======>>>>>> Physical\n"); + strcpy(globtype, "Physical"); +@@ -369,8 +376,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, + break; + + case TAG_MAIN_COL_END: +- dev_dbg(ddev, "<<<<<<======\n"); + maintype = 'E'; ++ ++ if (indent == 0) { ++ dev_err(ddev, "Collection level already at zero\n"); ++ break; ++ } ++ ++ dev_dbg(ddev, "<<<<<<======\n"); ++ + indent--; + for (x = 0; x < indent; x++) + indentstr[x] = '-'; +-- +cgit 1.2-0.3.lf.el7 + diff --git a/debian/patches/series b/debian/patches/series index f904bd1f3..f2a416b16 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -234,6 +234,7 @@ bugfix/powerpc/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.patch bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch +bugfix/all/input-gtco-bounds-check-collection-indent-level.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From e890639fa782efcd802ba0a4a5b6b16a519f1c9a Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 27 Jul 2019 14:24:32 +0200 Subject: [PATCH 09/19] Replace Origin reference with reachable reference Gbp-Dch: Ignore --- .../all/input-gtco-bounds-check-collection-indent-level.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch b/debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch index e44fcff9d..0355e956a 100644 --- a/debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch 
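Review bot: The two new guards in `parse_hid_report_descriptor()` use equality, `if (indent == MAX_COLLECTION_LEVELS)` under `TAG_MAIN_COL_START` and `if (indent == 0)` under `TAG_MAIN_COL_END`, which is only sufficient while `indent` can never step past either bound. Because the counter is driven by a device-supplied report descriptor, range comparisons are the more defensive form: `if (indent >= MAX_COLLECTION_LEVELS) {` and `if (indent <= 0) {`. The increment of `indent` and the rest of the function lie outside the hunk, so this is hardening rather than a demonstrated gap.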
+++ b/debian/patches/bugfix/all/input-gtco-bounds-check-collection-indent-level.patch @@ -1,7 +1,7 @@ From: Grant Hernandez Date: Sat, 13 Jul 2019 01:00:12 -0700 Subject: Input: gtco - bounds check collection indent level -Origin: https://git.kernel.org/linus/kernel/git/stable/linux.git/patch/?id=d657077eda7b5572d86f2f618391bb016b5d9a64 +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d657077eda7b5572d86f2f618391bb016b5d9a64 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13631 commit 2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1 upstream. From 4962cdb5845104d4bb15b5b9ae67c1fbad4d34ca Mon Sep 17 00:00:00 2001 From: Romain Perier Date: Tue, 30 Jul 2019 11:13:37 +0200 Subject: [PATCH 10/19] floppy: fix out-of-bounds read in copy_buffer (CVE-2019-14283) --- debian/changelog | 1 + ...ix-out-of-bounds-read-in-copy_buffer.patch | 53 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 55 insertions(+) create mode 100644 debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch diff --git a/debian/changelog b/debian/changelog index 66dc514de..53583a9f8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -8,6 +8,7 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium * binder: fix race between munmap() and direct reclaim (CVE-2019-1999) * scsi: libsas: fix a race condition when smp task timeout (CVE-2018-20836) * Input: gtco - bounds check collection indent level (CVE-2019-13631) + * floppy: fix out-of-bounds read in copy_buffer (CVE-2019-14283) -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200 diff --git a/debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch b/debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch new file mode 100644 index 000000000..3eb5630d6 --- /dev/null +++ b/debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch 
@@ -0,0 +1,53 @@ +From: Denis Efremov +Date: Fri, 12 Jul 2019 21:55:23 +0300 +Subject: floppy: fix out-of-bounds read in copy_buffer +Origin: https://git.kernel.org/linus/da99466ac243f15fbba65bd261bfc75ffa1532b6 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14283 + +[ Upstream commit da99466ac243f15fbba65bd261bfc75ffa1532b6 ] + +This fixes a global out-of-bounds read access in the copy_buffer +function of the floppy driver. + +The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect +and head fields (unsigned int) of the floppy_drive structure are used to +compute the max_sector (int) in the make_raw_rw_request function. It is +possible to overflow the max_sector. Next, max_sector is passed to the +copy_buffer function and used in one of the memcpy calls. + +An unprivileged user could trigger the bug if the device is accessible, +but requires a floppy disk to be inserted. + +The patch adds the check for the .sect * .head multiplication for not +overflowing in the set_geometry function. + +The bug was found by syzkaller. + +Signed-off-by: Denis Efremov +Tested-by: Willy Tarreau +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index a8de56f1936d..43e96f821aff 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3241,8 +3241,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g, + int cnt; + + /* sanity checking for parameters. */ +- if (g->sect <= 0 || +- g->head <= 0 || ++ if ((int)g->sect <= 0 || ++ (int)g->head <= 0 || ++ /* check for overflow in max_sector */ ++ (int)(g->sect * g->head) <= 0 || + g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) || + /* check if reserved bits are set */ + (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0) +-- +2.20.1 + 
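Review bot: The added test `(int)(g->sect * g->head) <= 0` in `set_geometry()` rejects only products whose truncated 32-bit value is zero or has the sign bit set. Two fields that each pass the `(int)` checks can still wrap to a positive number and be accepted. If the intent is that the true product fits in the `int` `max_sector`, a division-based bound states that exactly, for example `g->sect > INT_MAX / g->head ||` placed after the `g->head` check. How a wrapped but positive value behaves in `make_raw_rw_request()` is not visible here, so the impact is unconfirmed.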
diff --git a/debian/patches/series b/debian/patches/series index f2a416b16..0c4ab8d97 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -235,6 +235,7 @@ bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.p bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch bugfix/all/input-gtco-bounds-check-collection-indent-level.patch +bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From 24c58d8c208fe6fabb2ab5accf30252b28e42380 Mon Sep 17 00:00:00 2001 From: Romain Perier Date: Tue, 30 Jul 2019 11:20:15 +0200 Subject: [PATCH 11/19] inet: switch IP ID generator to siphash (CVE-2019-10638) --- debian/changelog | 1 + ...et-switch-IP-ID-generator-to-siphash.patch | 162 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 164 insertions(+) create mode 100644 debian/patches/bugfix/all/net-switch-IP-ID-generator-to-siphash.patch diff --git a/debian/changelog b/debian/changelog index 53583a9f8..f3f3b389e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,7 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium * scsi: libsas: fix a race condition when smp task timeout (CVE-2018-20836) * Input: gtco - bounds check collection indent level (CVE-2019-13631) * floppy: fix out-of-bounds read in copy_buffer (CVE-2019-14283) + * inet: switch IP ID generator to siphash (CVE-2019-10638) -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200 diff --git a/debian/patches/bugfix/all/net-switch-IP-ID-generator-to-siphash.patch b/debian/patches/bugfix/all/net-switch-IP-ID-generator-to-siphash.patch new file mode 100644 index 000000000..263786943 --- /dev/null +++ b/debian/patches/bugfix/all/net-switch-IP-ID-generator-to-siphash.patch 
@@ -0,0 +1,162 @@ +From: Eric Dumazet +Date: Wed, 27 Mar 2019 12:40:33 -0700 +Subject: inet: switch IP ID generator to siphash +Origin: https://git.kernel.org/linus/df453700e8d81b1bdafdf684365ee2b9431fb702 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-10638 + +[ Upstream commit df453700e8d81b1bdafdf684365ee2b9431fb702 ] + +According to Amit Klein and Benny Pinkas, IP ID generation is too weak +and might be used by attackers. + +Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix()) +having 64bit key and Jenkins hash is risky. + +It is time to switch to siphash and its 128bit keys. + +Signed-off-by: Eric Dumazet +Reported-by: Amit Klein +Reported-by: Benny Pinkas +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/siphash.h | 5 +++++ + include/net/netns/ipv4.h | 2 ++ + net/ipv4/route.c | 12 +++++++----- + net/ipv6/output_core.c | 30 ++++++++++++++++-------------- + 4 files changed, 30 insertions(+), 19 deletions(-) + +diff --git a/include/linux/siphash.h b/include/linux/siphash.h +index fa7a6b9cedbf..bf21591a9e5e 100644 +--- a/include/linux/siphash.h ++++ b/include/linux/siphash.h +@@ -21,6 +21,11 @@ typedef struct { + u64 key[2]; + } siphash_key_t; + ++static inline bool siphash_key_is_zero(const siphash_key_t *key) ++{ ++ return !(key->key[0] | key->key[1]); ++} ++ + u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key); + #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS + u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key); +diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h +index e47503b4e4d1..622db6bc2f02 100644 +--- a/include/net/netns/ipv4.h ++++ b/include/net/netns/ipv4.h +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + + struct tcpm_hash_bucket; + struct ctl_table_header; +@@ -214,5 +215,6 @@ struct netns_ipv4 { + unsigned int ipmr_seq; /* protected by rtnl_mutex */ + + atomic_t 
rt_genid; ++ siphash_key_t ip_id_key; + }; + #endif +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 8bacbcd2db90..40bf19f7ae1a 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -500,15 +500,17 @@ EXPORT_SYMBOL(ip_idents_reserve); + + void __ip_select_ident(struct net *net, struct iphdr *iph, int segs) + { +- static u32 ip_idents_hashrnd __read_mostly; + u32 hash, id; + +- net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd)); ++ /* Note the following code is not safe, but this is okay. */ ++ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key))) ++ get_random_bytes(&net->ipv4.ip_id_key, ++ sizeof(net->ipv4.ip_id_key)); + +- hash = jhash_3words((__force u32)iph->daddr, ++ hash = siphash_3u32((__force u32)iph->daddr, + (__force u32)iph->saddr, +- iph->protocol ^ net_hash_mix(net), +- ip_idents_hashrnd); ++ iph->protocol, ++ &net->ipv4.ip_id_key); + id = ip_idents_reserve(hash, segs); + iph->id = htons(id); + } +diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c +index 4fe7c90962dd..868ae23dbae1 100644 +--- a/net/ipv6/output_core.c ++++ b/net/ipv6/output_core.c +@@ -10,15 +10,25 @@ + #include + #include + +-static u32 __ipv6_select_ident(struct net *net, u32 hashrnd, ++static u32 __ipv6_select_ident(struct net *net, + const struct in6_addr *dst, + const struct in6_addr *src) + { ++ const struct { ++ struct in6_addr dst; ++ struct in6_addr src; ++ } __aligned(SIPHASH_ALIGNMENT) combined = { ++ .dst = *dst, ++ .src = *src, ++ }; + u32 hash, id; + +- hash = __ipv6_addr_jhash(dst, hashrnd); +- hash = __ipv6_addr_jhash(src, hash); +- hash ^= net_hash_mix(net); ++ /* Note the following code is not safe, but this is okay. 
*/ ++ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key))) ++ get_random_bytes(&net->ipv4.ip_id_key, ++ sizeof(net->ipv4.ip_id_key)); ++ ++ hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key); + + /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve, + * set the hight order instead thus minimizing possible future +@@ -41,7 +51,6 @@ static u32 __ipv6_select_ident(struct net *net, u32 hashrnd, + */ + __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb) + { +- static u32 ip6_proxy_idents_hashrnd __read_mostly; + struct in6_addr buf[2]; + struct in6_addr *addrs; + u32 id; +@@ -53,11 +62,7 @@ __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb) + if (!addrs) + return 0; + +- net_get_random_once(&ip6_proxy_idents_hashrnd, +- sizeof(ip6_proxy_idents_hashrnd)); +- +- id = __ipv6_select_ident(net, ip6_proxy_idents_hashrnd, +- &addrs[1], &addrs[0]); ++ id = __ipv6_select_ident(net, &addrs[1], &addrs[0]); + return htonl(id); + } + EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident); +@@ -66,12 +71,9 @@ __be32 ipv6_select_ident(struct net *net, + const struct in6_addr *daddr, + const struct in6_addr *saddr) + { +- static u32 ip6_idents_hashrnd __read_mostly; + u32 id; + +- net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd)); +- +- id = __ipv6_select_ident(net, ip6_idents_hashrnd, daddr, saddr); ++ id = __ipv6_select_ident(net, daddr, saddr); + return htonl(id); + } + EXPORT_SYMBOL(ipv6_select_ident); +-- +cgit 1.2-0.3.lf.el7 + diff --git a/debian/patches/series b/debian/patches/series index 0c4ab8d97..2687b28f0 100644 --- a/debian/patches/series +++ b/debian/patches/series 
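Review bot: The comment `/* Note the following code is not safe, but this is okay. */`, added in both `__ip_select_ident()` and `__ipv6_select_ident()`, does not say what is unsafe or why that is acceptable. From the code, the lazy initialisation of `net->ipv4.ip_id_key` is unlocked, so two CPUs can both see a zero key and both call `get_random_bytes()`, and a concurrent caller may hash with a partly written key. I would spell that out in both places, e.g. `/* Unlocked lazy init: racing callers may each fill the key; presumably this only perturbs a few early IDs. */`. The claimed harmlessness should be confirmed with the author rather than left implicit.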
@@ -236,6 +236,7 @@ bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch bugfix/all/input-gtco-bounds-check-collection-indent-level.patch bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch +bugfix/all/net-switch-IP-ID-generator-to-siphash.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From ec64cb4c87c6bab01550ba7dc241f3e8252ecc88 Mon Sep 17 00:00:00 2001 From: Romain Perier Date: Mon, 5 Aug 2019 17:50:40 +0200 Subject: [PATCH 12/19] floppy: fix div-by-zero in setup_format_params (CVE-2019-14284) This retrieves the patch from the linux-4.19.y branch and refreshes the previous one "floppy: fix out-of-bounds read in copy_buffer", because this is firstly "floppy: fix div-by-zero in setup_format_params" that is applied upstream, then the one regarding out-of-bounds read in copy_buffer. The one for CVE-2019-14283 was previously refreshed because it was not applicable directly. Now both patches are synchronized with upstream and applied in the same order. --- debian/changelog | 1 + ...x-div-by-zero-in-setup_format_params.patch | 64 +++++++++++++++++++ ...ix-out-of-bounds-read-in-copy_buffer.patch | 12 ++-- debian/patches/series | 3 +- 4 files changed, 74 insertions(+), 6 deletions(-) create mode 100644 debian/patches/bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch diff --git a/debian/changelog b/debian/changelog index f3f3b389e..1a3cda3be 100644 --- a/debian/changelog +++ b/debian/changelog @@ -10,6 +10,7 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium * Input: gtco - bounds check collection indent level (CVE-2019-13631) * floppy: fix out-of-bounds read in copy_buffer (CVE-2019-14283) * inet: switch IP ID generator to siphash (CVE-2019-10638) + * floppy: fix div-by-zero in setup_format_params (CVE-2019-14284) -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200 
diff --git a/debian/patches/bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch b/debian/patches/bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch new file mode 100644 index 000000000..cb8b8bae0 --- /dev/null +++ b/debian/patches/bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch 
@@ -0,0 +1,64 @@ +From: Denis Efremov +Date: Fri, 12 Jul 2019 21:55:20 +0300 +Subject: floppy: fix div-by-zero in setup_format_params +Origin: https://git.kernel.org/linus/f3554aeb991214cbfafd17d55e2bfddb50282e32 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14284 + +[ Upstream commit f3554aeb991214cbfafd17d55e2bfddb50282e32 ] + +This fixes a divide by zero error in the setup_format_params function of +the floppy driver. + +Two consecutive ioctls can trigger the bug: The first one should set the +drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK +to become zero. Next, the floppy format operation should be called. + +A floppy disk is not required to be inserted. An unprivileged user +could trigger the bug if the device is accessible. + +The patch checks F_SECT_PER_TRACK for a non-zero value in the +set_geometry function. The proper check should involve a reasonable +upper limit for the .sect and .rate fields, but it could change the +UAPI. + +The patch also checks F_SECT_PER_TRACK in the setup_format_params, and +cancels the formatting operation in case of zero. + +The bug was found by syzkaller. + +Signed-off-by: Denis Efremov +Tested-by: Willy Tarreau +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 5 +++++ + 1 file changed, 5 insertions(+) + +(limited to 'drivers/block/floppy.c') + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index a8de56f1936d..b1425b218606 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -2119,6 +2119,9 @@ static void setup_format_params(int track) + raw_cmd->kernel_data = floppy_track_buffer; + raw_cmd->length = 4 * F_SECT_PER_TRACK; + ++ if (!F_SECT_PER_TRACK) ++ return; ++ + /* allow for about 30ms for data transport per track */ + head_shift = (F_SECT_PER_TRACK + 5) / 6; + +@@ -3243,6 +3246,8 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g, + /* sanity checking for parameters. 
*/ + if (g->sect <= 0 || + g->head <= 0 || ++ /* check for zero in F_SECT_PER_TRACK */ ++ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 || + g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) || + /* check if reserved bits are set */ + (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0) +-- +cgit 1.2-0.3.lf.el7 + diff --git a/debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch b/debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch index 3eb5630d6..5df95a35d 100644 --- a/debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch +++ b/debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch @@ -31,11 +31,13 @@ Signed-off-by: Sasha Levin drivers/block/floppy.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) +(limited to 'drivers/block/floppy.c') + diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c -index a8de56f1936d..43e96f821aff 100644 +index 8d69a8af8b78..4a9a4d12721a 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c -@@ -3241,8 +3241,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g, +@@ -3244,8 +3244,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g, int cnt; /* sanity checking for parameters. */ @@ -45,9 +47,9 @@ index a8de56f1936d..43e96f821aff 100644 + (int)g->head <= 0 || + /* check for overflow in max_sector */ + (int)(g->sect * g->head) <= 0 || + /* check for zero in F_SECT_PER_TRACK */ + (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 || g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) || - /* check if reserved bits are set */ - (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0) -- -2.20.1 +cgit 1.2-0.3.lf.el7 diff --git a/debian/patches/series b/debian/patches/series index 2687b28f0..178ae62e2 100644 --- a/debian/patches/series +++ b/debian/patches/series 
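Review bot: In `setup_format_params()` the new `if (!F_SECT_PER_TRACK) return;` sits after `raw_cmd->length = 4 * F_SECT_PER_TRACK;` and the function returns `void`, so the caller gets no indication that the format parameters were left unfinished. The caller is outside the hunk, so whether it still issues the command with a zero length cannot be confirmed from here. Since `set_geometry()` now rejects such geometries, a comment would make the intent clear, for example `/* not expected once set_geometry() has validated sect; avoid the divide by zero further down */`. The hand-written `(unsigned char)((g->sect << 2) >> FD_SIZECODE(g))` in `set_geometry()` also has to stay in step with however `F_SECT_PER_TRACK` is computed, which is worth noting next to it.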
@@ -235,8 +235,9 @@ bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.p bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch bugfix/all/input-gtco-bounds-check-collection-indent-level.patch -bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch bugfix/all/net-switch-IP-ID-generator-to-siphash.patch +bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch +bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From 3b76691d2495d86d2a63cf9386295e69ec8f3bb3 Mon Sep 17 00:00:00 2001 From: Romain Perier Date: Mon, 5 Aug 2019 18:57:05 +0200 Subject: [PATCH 13/19] Bluetooth: hci_uart: check for missing tty operations (CVE-2019-10207) --- debian/changelog | 1 + ...art-check-for-missing-tty-operations.patch | 152 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 154 insertions(+) create mode 100644 debian/patches/bugfix/all/Bluetooth-hci_uart-check-for-missing-tty-operations.patch diff --git a/debian/changelog b/debian/changelog index 1a3cda3be..41406ed27 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,6 +11,7 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium * floppy: fix out-of-bounds read in copy_buffer (CVE-2019-14283) * inet: switch IP ID generator to siphash (CVE-2019-10638) * floppy: fix div-by-zero in setup_format_params (CVE-2019-14284) + * Bluetooth: hci_uart: check for missing tty operations (CVE-2019-10207) -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200 diff --git a/debian/patches/bugfix/all/Bluetooth-hci_uart-check-for-missing-tty-operations.patch b/debian/patches/bugfix/all/Bluetooth-hci_uart-check-for-missing-tty-operations.patch new file mode 100644 index 000000000..d8a8452d3 --- /dev/null +++ b/debian/patches/bugfix/all/Bluetooth-hci_uart-check-for-missing-tty-operations.patch 
@@ -0,0 +1,152 @@ +From: Vladis Dronov +Date: Tue, 30 Jul 2019 11:33:45 +0200 +Subject: Bluetooth: hci_uart: check for missing tty operations +Origin: https://git.kernel.org/linus/b36a1552d7319bbfd5cf7f08726c23c5c66d4f73 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-10207 + +commit b36a1552d7319bbfd5cf7f08726c23c5c66d4f73 upstream. + +Certain ttys operations (pty_unix98_ops) lack tiocmget() and tiocmset() +functions which are called by the certain HCI UART protocols (hci_ath, +hci_bcm, hci_intel, hci_mrvl, hci_qca) via hci_uart_set_flow_control() +or directly. This leads to an execution at NULL and can be triggered by +an unprivileged user. Fix this by adding a helper function and a check +for the missing tty operations in the protocols code. + +This fixes CVE-2019-10207. The Fixes: lines list commits where calls to +tiocm[gs]et() or hci_uart_set_flow_control() were added to the HCI UART +protocols. + +Link: https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50 +Reported-by: syzbot+79337b501d6aa974d0f6@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org # v2.6.36+ +Fixes: b3190df62861 ("Bluetooth: Support for Atheros AR300x serial chip") +Fixes: 118612fb9165 ("Bluetooth: hci_bcm: Add suspend/resume PM functions") +Fixes: ff2895592f0f ("Bluetooth: hci_intel: Add Intel baudrate configuration support") +Fixes: 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support") +Fixes: fa9ad876b8e0 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990") +Signed-off-by: Vladis Dronov +Signed-off-by: Marcel Holtmann +Reviewed-by: Yu-Chen, Cho +Tested-by: Yu-Chen, Cho +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/hci_ath.c | 3 +++ + drivers/bluetooth/hci_bcm.c | 3 +++ + drivers/bluetooth/hci_intel.c | 3 +++ + drivers/bluetooth/hci_ldisc.c | 13 +++++++++++++ + drivers/bluetooth/hci_mrvl.c | 3 +++ + drivers/bluetooth/hci_qca.c | 3 +++ + drivers/bluetooth/hci_uart.h | 1 
+ + 7 files changed, 29 insertions(+) + +diff --git a/drivers/bluetooth/hci_ath.c b/drivers/bluetooth/hci_ath.c +index d568fbd94d6c..20235925344d 100644 +--- a/drivers/bluetooth/hci_ath.c ++++ b/drivers/bluetooth/hci_ath.c +@@ -112,6 +112,9 @@ static int ath_open(struct hci_uart *hu) + + BT_DBG("hu %p", hu); + ++ if (!hci_uart_has_flow_control(hu)) ++ return -EOPNOTSUPP; ++ + ath = kzalloc(sizeof(*ath), GFP_KERNEL); + if (!ath) + return -ENOMEM; +diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c +index 800132369134..aa6b7ed9fdf1 100644 +--- a/drivers/bluetooth/hci_bcm.c ++++ b/drivers/bluetooth/hci_bcm.c +@@ -369,6 +369,9 @@ static int bcm_open(struct hci_uart *hu) + + bt_dev_dbg(hu->hdev, "hu %p", hu); + ++ if (!hci_uart_has_flow_control(hu)) ++ return -EOPNOTSUPP; ++ + bcm = kzalloc(sizeof(*bcm), GFP_KERNEL); + if (!bcm) + return -ENOMEM; +diff --git a/drivers/bluetooth/hci_intel.c b/drivers/bluetooth/hci_intel.c +index 46ace321bf60..e9228520e4c7 100644 +--- a/drivers/bluetooth/hci_intel.c ++++ b/drivers/bluetooth/hci_intel.c +@@ -406,6 +406,9 @@ static int intel_open(struct hci_uart *hu) + + BT_DBG("hu %p", hu); + ++ if (!hci_uart_has_flow_control(hu)) ++ return -EOPNOTSUPP; ++ + intel = kzalloc(sizeof(*intel), GFP_KERNEL); + if (!intel) + return -ENOMEM; +diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c +index c915daf01a89..efeb8137ec67 100644 +--- a/drivers/bluetooth/hci_ldisc.c ++++ b/drivers/bluetooth/hci_ldisc.c +@@ -299,6 +299,19 @@ static int hci_uart_send_frame(struct hci_dev *hdev, struct sk_buff *skb) + return 0; + } + ++/* Check the underlying device or tty has flow control support */ ++bool hci_uart_has_flow_control(struct hci_uart *hu) ++{ ++ /* serdev nodes check if the needed operations are present */ ++ if (hu->serdev) ++ return true; ++ ++ if (hu->tty->driver->ops->tiocmget && hu->tty->driver->ops->tiocmset) ++ return true; ++ ++ return false; ++} ++ + /* Flow control or un-flow control the device 
*/ + void hci_uart_set_flow_control(struct hci_uart *hu, bool enable) + { +diff --git a/drivers/bluetooth/hci_mrvl.c b/drivers/bluetooth/hci_mrvl.c +index ffb00669346f..23791df081ba 100644 +--- a/drivers/bluetooth/hci_mrvl.c ++++ b/drivers/bluetooth/hci_mrvl.c +@@ -66,6 +66,9 @@ static int mrvl_open(struct hci_uart *hu) + + BT_DBG("hu %p", hu); + ++ if (!hci_uart_has_flow_control(hu)) ++ return -EOPNOTSUPP; ++ + mrvl = kzalloc(sizeof(*mrvl), GFP_KERNEL); + if (!mrvl) + return -ENOMEM; +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index 77004c29da08..f96e58de049b 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -450,6 +450,9 @@ static int qca_open(struct hci_uart *hu) + + BT_DBG("hu %p qca_open", hu); + ++ if (!hci_uart_has_flow_control(hu)) ++ return -EOPNOTSUPP; ++ + qca = kzalloc(sizeof(struct qca_data), GFP_KERNEL); + if (!qca) + return -ENOMEM; +diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h +index 00cab2fd7a1b..067a610f1372 100644 +--- a/drivers/bluetooth/hci_uart.h ++++ b/drivers/bluetooth/hci_uart.h +@@ -118,6 +118,7 @@ int hci_uart_tx_wakeup(struct hci_uart *hu); + int hci_uart_init_ready(struct hci_uart *hu); + void hci_uart_init_work(struct work_struct *work); + void hci_uart_set_baudrate(struct hci_uart *hu, unsigned int speed); ++bool hci_uart_has_flow_control(struct hci_uart *hu); + void hci_uart_set_flow_control(struct hci_uart *hu, bool enable); + void hci_uart_set_speeds(struct hci_uart *hu, unsigned int init_speed, + unsigned int oper_speed); +-- +cgit 1.2-0.3.lf.el7 + diff --git a/debian/patches/series b/debian/patches/series index 178ae62e2..103c4f6e5 100644 --- a/debian/patches/series +++ b/debian/patches/series 
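Review bot: The missing-operation check is added to each protocol's open routine (`ath_open`, `bcm_open`, `intel_open`, `mrvl_open`, `qca_open`), while `hci_uart_set_flow_control()` appears to stay unguarded. That function is only a context line in this hunk, and the commit message names it as a path to `tiocmget()`/`tiocmset()`. A protocol added later that omits the open-time check would bring back the call through a NULL operation. Consider guarding the callee as well, e.g. `if (!hci_uart_has_flow_control(hu)) return;` at the top of `hci_uart_set_flow_control()`, whose body is outside the hunk. The helper also reads `hu->tty->driver->ops` without checking `hu->tty`, which presumably is always set when `hu->serdev` is NULL, but that should be confirmed.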
@@ -238,6 +238,7 @@ bugfix/all/input-gtco-bounds-check-collection-indent-level.patch bugfix/all/net-switch-IP-ID-generator-to-siphash.patch bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch +bugfix/all/Bluetooth-hci_uart-check-for-missing-tty-operations.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From 65c2005956cbbab555cb25aecd8880b1477006ba Mon Sep 17 00:00:00 2001 From: Romain Perier Date: Mon, 5 Aug 2019 19:04:21 +0200 Subject: [PATCH 14/19] [powerpc/tm] Fix oops on sigreturn on systems without TM (CVE-2019-13648) --- debian/changelog | 1 + ...s-on-sigreturn-on-systems-without-TM.patch | 96 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 98 insertions(+) create mode 100644 debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch diff --git a/debian/changelog b/debian/changelog index 41406ed27..e779672d2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,6 +12,7 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium * inet: switch IP ID generator to siphash (CVE-2019-10638) * floppy: fix div-by-zero in setup_format_params (CVE-2019-14284) * Bluetooth: hci_uart: check for missing tty operations (CVE-2019-10207) + * [powerpc/tm] Fix oops on sigreturn on systems without TM (CVE-2019-13648) -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200 diff --git a/debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch b/debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch new file mode 100644 index 000000000..18911ac94 --- /dev/null +++ b/debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch 
@@ -0,0 +1,96 @@
+From: Michael Neuling
+Date: Fri, 19 Jul 2019 15:05:02 +1000
+Subject: powerpc/tm: Fix oops on sigreturn on systems without TM
+Origin: ttps://git.kernel.org/torvalds/c/f16d80b75a096c52354c6e0a574993f3b0dfbdfe
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13648
+
+commit f16d80b75a096c52354c6e0a574993f3b0dfbdfe upstream.
+
+On systems like P9 powernv where we have no TM (or P8 booted with
+ppc_tm=off), userspace can construct a signal context which still has
+the MSR TS bits set. The kernel tries to restore this context which
+results in the following crash:
+
+ Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033
+ Oops: Unrecoverable exception, sig: 6 [#1]
+ LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+ Modules linked in:
+ CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69
+ NIP: c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000
+ REGS: c00000003fffbd70 TRAP: 0700 Not tainted (5.2.0-11045-g7142b497d8)
+ MSR: 8000000102a03031 CR: 42004242 XER: 00000000
+ CFAR: c0000000000022e0 IRQMASK: 0
+ GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669
+ GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8
+ GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+ GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000
+ GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420
+ GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000
+ GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000
+ GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728
+ NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80
+ LR [00007fffb2d67e48] 0x7fffb2d67e48
+ Call Trace:
+ Instruction dump:
+ e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00
+ e94d0c08 e96d0c10 e82d0c18
7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18
+
+The problem is the signal code assumes TM is enabled when
+CONFIG_PPC_TRANSACTIONAL_MEM is enabled. This may not be the case as
+with P9 powernv or if `ppc_tm=off` is used on P8.
+
+This means any local user can crash the system.
+
+Fix the problem by returning a bad stack frame to the user if they try
+to set the MSR TS bits with sigreturn() on systems where TM is not
+supported.
+
+Found with sigfuz kernel selftest on P9.
+
+This fixes CVE-2019-13648.
+
+Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
+Cc: stable@vger.kernel.org # v3.9
+Reported-by: Praveen Pandey
+Signed-off-by: Michael Neuling
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20190719050502.405-1-mikey@neuling.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/signal_32.c | 3 +++
+ arch/powerpc/kernel/signal_64.c | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
+index fd59fef9931b..906b05c2adae 100644
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -1202,6 +1202,9 @@ SYSCALL_DEFINE0(rt_sigreturn)
+ goto bad;
+
+ if (MSR_TM_ACTIVE(msr_hi<<32)) {
++ /* Trying to start TM on non TM system */
++ if (!cpu_has_feature(CPU_FTR_TM))
++ goto bad;
+ /* We only recheckpoint on return if we're
+ * transaction.
+ */
+diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
+index 14b0f5b6a373..b5933d7219db 100644
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -750,6 +750,11 @@ SYSCALL_DEFINE0(rt_sigreturn)
+ if (MSR_TM_ACTIVE(msr)) {
+ /* We recheckpoint on return.
*/ + struct ucontext __user *uc_transact; ++ ++ /* Trying to start TM on non TM system */ ++ if (!cpu_has_feature(CPU_FTR_TM)) ++ goto badframe; ++ + if (__get_user(uc_transact, &uc->uc_link)) + goto badframe; + if (restore_tm_sigcontexts(current, &uc->uc_mcontext, +-- +cgit 1.2-0.3.lf.el7 + diff --git a/debian/patches/series b/debian/patches/series index 103c4f6e5..f4e381744 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -239,6 +239,7 @@ bugfix/all/net-switch-IP-ID-generator-to-siphash.patch bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch bugfix/all/Bluetooth-hci_uart-check-for-missing-tty-operations.patch +bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From fc21f10317d80b8cac6976ffcff02c93d1d79870 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Mon, 5 Aug 2019 19:17:17 +0200 Subject: [PATCH 15/19] Adjust Origin header in CVE-2019-13648 patch Gbp-Dch: Ignore --- ...powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch b/debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch index 18911ac94..cfabc9244 100644 --- a/debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch +++ b/debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch @@ -1,7 +1,7 @@ 
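Review bot: The comment added with both new checks, `/* Trying to start TM on non TM system */`, does not say that the MSR value under test is read from the user-supplied signal frame, which is what makes the check a trust boundary; this applies to the rt_sigreturn hunks in both signal_32.c and signal_64.c of the imported patch. I would word it `/* MSR TS bits come from the user's frame; reject the frame when the CPU has no TM */`, so a later reader does not treat the test as redundant with CONFIG_PPC_TRANSACTIONAL_MEM and drop it. Both rt_sigreturn bodies start and end outside the hunks, so whether any other frame-restore path in these files needs the same guard cannot be judged from here and is worth confirming against the full source.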
From: Michael Neuling Date: Fri, 19 Jul 2019 15:05:02 +1000 Subject: powerpc/tm: Fix oops on sigreturn on systems without TM -Origin: ttps://git.kernel.org/torvalds/c/f16d80b75a096c52354c6e0a574993f3b0dfbdfe +Origin: https://git.kernel.org/torvalds/c/f16d80b75a096c52354c6e0a574993f3b0dfbdfe Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13648 commit f16d80b75a096c52354c6e0a574993f3b0dfbdfe upstream. From 07a6d578317a06cef03b86aa0af12e32b0d06569 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 7 Aug 2019 07:21:02 +0200 Subject: [PATCH 16/19] Add patchset for CVE-2019-1125 --- debian/changelog | 11 + ...d-section-about-CPU-vulnerabilities-.patch | 760 ++++++++++++++++++ ...d-swapgs-description-to-the-Spectre-.patch | 170 ++++ ...res-Carve-out-CQM-features-retrieval.patch | 110 +++ ...Combine-word-11-and-12-into-a-new-sc.patch | 211 +++++ ...x86-entry-64-Use-JMP-instead-of-JMPQ.patch | 40 + ...Enable-Spectre-v1-swapgs-mitigations.patch | 261 ++++++ ...Prepare-entry-code-for-Spectre-v1-sw.patch | 200 +++++ ...swapgs-Exclude-ATOMs-from-speculatio.patch | 159 ++++ debian/patches/series | 8 + 10 files changed, 1930 insertions(+) create mode 100644 debian/patches/bugfix/all/Documentation-Add-section-about-CPU-vulnerabilities-.patch create mode 100644 debian/patches/bugfix/all/Documentation-Add-swapgs-description-to-the-Spectre-.patch create mode 100644 debian/patches/bugfix/x86/x86-cpufeatures-Carve-out-CQM-features-retrieval.patch create mode 100644 debian/patches/bugfix/x86/x86-cpufeatures-Combine-word-11-and-12-into-a-new-sc.patch create mode 100644 debian/patches/bugfix/x86/x86-entry-64-Use-JMP-instead-of-JMPQ.patch create mode 100644 debian/patches/bugfix/x86/x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch create mode 100644 debian/patches/bugfix/x86/x86-speculation-Prepare-entry-code-for-Spectre-v1-sw.patch create mode 100644 debian/patches/bugfix/x86/x86-speculation-swapgs-Exclude-ATOMs-from-speculatio.patch 
diff --git a/debian/changelog b/debian/changelog index e779672d2..44f396424 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,6 +14,17 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium * Bluetooth: hci_uart: check for missing tty operations (CVE-2019-10207) * [powerpc/tm] Fix oops on sigreturn on systems without TM (CVE-2019-13648) + [ Salvatore Bonaccorso ] + * [x86] cpufeatures: Carve out CQM features retrieval + * [x86] cpufeatures: Combine word 11 and 12 into a new scattered features + word + * [x86] speculation: Prepare entry code for Spectre v1 swapgs mitigations + * [x86] speculation: Enable Spectre v1 swapgs mitigations (CVE-2019-1125) + * [amd64] entry: Use JMP instead of JMPQ + * [x86] speculation/swapgs: Exclude ATOMs from speculation through SWAPGS + * Documentation: Add section about CPU vulnerabilities for Spectre + * Documentation: Add swapgs description to the Spectre v1 documentation + -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200 linux (4.19.37-5+deb10u1) buster-security; urgency=high diff --git a/debian/patches/bugfix/all/Documentation-Add-section-about-CPU-vulnerabilities-.patch b/debian/patches/bugfix/all/Documentation-Add-section-about-CPU-vulnerabilities-.patch new file mode 100644 index 000000000..9fe5341ef --- /dev/null +++ b/debian/patches/bugfix/all/Documentation-Add-section-about-CPU-vulnerabilities-.patch 
@@ -0,0 +1,760 @@ +From: Tim Chen +Date: Thu, 20 Jun 2019 16:10:50 -0700 +Subject: Documentation: Add section about CPU vulnerabilities for Spectre +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8a815007f5fe292fa8ef082663e1259b9ae0571b + +commit 6e88559470f581741bcd0f2794f9054814ac9740 upstream. + +Add documentation for Spectre vulnerability and the mitigation mechanisms: + +- Explain the problem and risks +- Document the mitigation mechanisms +- Document the command line controls +- Document the sysfs files + +Co-developed-by: Andi Kleen +Signed-off-by: Andi Kleen +Co-developed-by: Tim Chen +Signed-off-by: Tim Chen +Reviewed-by: Randy Dunlap +Reviewed-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/hw-vuln/index.rst | 1 + + Documentation/admin-guide/hw-vuln/spectre.rst | 697 ++++++++++++++++++ + Documentation/userspace-api/spec_ctrl.rst | 2 + + 3 files changed, 700 insertions(+) + create mode 100644 Documentation/admin-guide/hw-vuln/spectre.rst + +diff --git a/Documentation/admin-guide/hw-vuln/index.rst b/Documentation/admin-guide/hw-vuln/index.rst +index ffc064c1ec68..49311f3da6f2 100644 +--- a/Documentation/admin-guide/hw-vuln/index.rst ++++ b/Documentation/admin-guide/hw-vuln/index.rst +@@ -9,5 +9,6 @@ are configurable at compile, boot or run time. + .. toctree:: + :maxdepth: 1 + ++ spectre + l1tf + mds +diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst +new file mode 100644 +index 000000000000..25f3b2532198 +--- /dev/null ++++ b/Documentation/admin-guide/hw-vuln/spectre.rst +@@ -0,0 +1,697 @@ ++.. SPDX-License-Identifier: GPL-2.0 ++ ++Spectre Side Channels ++===================== ++ ++Spectre is a class of side channel attacks that exploit branch prediction ++and speculative execution on modern CPUs to read memory, possibly ++bypassing access controls. 
Speculative execution side channel exploits ++do not modify memory but attempt to infer privileged data in the memory. ++ ++This document covers Spectre variant 1 and Spectre variant 2. ++ ++Affected processors ++------------------- ++ ++Speculative execution side channel methods affect a wide range of modern ++high performance processors, since most modern high speed processors ++use branch prediction and speculative execution. ++ ++The following CPUs are vulnerable: ++ ++ - Intel Core, Atom, Pentium, and Xeon processors ++ ++ - AMD Phenom, EPYC, and Zen processors ++ ++ - IBM POWER and zSeries processors ++ ++ - Higher end ARM processors ++ ++ - Apple CPUs ++ ++ - Higher end MIPS CPUs ++ ++ - Likely most other high performance CPUs. Contact your CPU vendor for details. ++ ++Whether a processor is affected or not can be read out from the Spectre ++vulnerability files in sysfs. See :ref:`spectre_sys_info`. ++ ++Related CVEs ++------------ ++ ++The following CVE entries describe Spectre variants: ++ ++ ============= ======================= ================= ++ CVE-2017-5753 Bounds check bypass Spectre variant 1 ++ CVE-2017-5715 Branch target injection Spectre variant 2 ++ ============= ======================= ================= ++ ++Problem ++------- ++ ++CPUs use speculative operations to improve performance. That may leave ++traces of memory accesses or computations in the processor's caches, ++buffers, and branch predictors. Malicious software may be able to ++influence the speculative execution paths, and then use the side effects ++of the speculative execution in the CPUs' caches and buffers to infer ++privileged data touched during the speculative execution. ++ ++Spectre variant 1 attacks take advantage of speculative execution of ++conditional branches, while Spectre variant 2 attacks use speculative ++execution of indirect branches to leak privileged memory. ++See :ref:`[1] ` :ref:`[5] ` :ref:`[7] ` ++:ref:`[10] ` :ref:`[11] `. 
++ ++Spectre variant 1 (Bounds Check Bypass) ++--------------------------------------- ++ ++The bounds check bypass attack :ref:`[2] ` takes advantage ++of speculative execution that bypasses conditional branch instructions ++used for memory access bounds check (e.g. checking if the index of an ++array results in memory access within a valid range). This results in ++memory accesses to invalid memory (with out-of-bound index) that are ++done speculatively before validation checks resolve. Such speculative ++memory accesses can leave side effects, creating side channels which ++leak information to the attacker. ++ ++There are some extensions of Spectre variant 1 attacks for reading data ++over the network, see :ref:`[12] `. However such attacks ++are difficult, low bandwidth, fragile, and are considered low risk. ++ ++Spectre variant 2 (Branch Target Injection) ++------------------------------------------- ++ ++The branch target injection attack takes advantage of speculative ++execution of indirect branches :ref:`[3] `. The indirect ++branch predictors inside the processor used to guess the target of ++indirect branches can be influenced by an attacker, causing gadget code ++to be speculatively executed, thus exposing sensitive data touched by ++the victim. The side effects left in the CPU's caches during speculative ++execution can be measured to infer data values. ++ ++.. _poison_btb: ++ ++In Spectre variant 2 attacks, the attacker can steer speculative indirect ++branches in the victim to gadget code by poisoning the branch target ++buffer of a CPU used for predicting indirect branch addresses. Such ++poisoning could be done by indirect branching into existing code, ++with the address offset of the indirect branch under the attacker's ++control. 
Since the branch prediction on impacted hardware does not ++fully disambiguate branch address and uses the offset for prediction, ++this could cause privileged code's indirect branch to jump to a gadget ++code with the same offset. ++ ++The most useful gadgets take an attacker-controlled input parameter (such ++as a register value) so that the memory read can be controlled. Gadgets ++without input parameters might be possible, but the attacker would have ++very little control over what memory can be read, reducing the risk of ++the attack revealing useful data. ++ ++One other variant 2 attack vector is for the attacker to poison the ++return stack buffer (RSB) :ref:`[13] ` to cause speculative ++subroutine return instruction execution to go to a gadget. An attacker's ++imbalanced subroutine call instructions might "poison" entries in the ++return stack buffer which are later consumed by a victim's subroutine ++return instructions. This attack can be mitigated by flushing the return ++stack buffer on context switch, or virtual machine (VM) exit. ++ ++On systems with simultaneous multi-threading (SMT), attacks are possible ++from the sibling thread, as level 1 cache and branch target buffer ++(BTB) may be shared between hardware threads in a CPU core. A malicious ++program running on the sibling thread may influence its peer's BTB to ++steer its indirect branch speculations to gadget code, and measure the ++speculative execution's side effects left in level 1 cache to infer the ++victim's data. ++ ++Attack scenarios ++---------------- ++ ++The following list of attack scenarios have been anticipated, but may ++not cover all possible attack vectors. ++ ++1. A user process attacking the kernel ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ The attacker passes a parameter to the kernel via a register or ++ via a known address in memory during a syscall. 
Such parameter may ++ be used later by the kernel as an index to an array or to derive ++ a pointer for a Spectre variant 1 attack. The index or pointer ++ is invalid, but bound checks are bypassed in the code branch taken ++ for speculative execution. This could cause privileged memory to be ++ accessed and leaked. ++ ++ For kernel code that has been identified where data pointers could ++ potentially be influenced for Spectre attacks, new "nospec" accessor ++ macros are used to prevent speculative loading of data. ++ ++ Spectre variant 2 attacker can :ref:`poison ` the branch ++ target buffer (BTB) before issuing syscall to launch an attack. ++ After entering the kernel, the kernel could use the poisoned branch ++ target buffer on indirect jump and jump to gadget code in speculative ++ execution. ++ ++ If an attacker tries to control the memory addresses leaked during ++ speculative execution, he would also need to pass a parameter to the ++ gadget, either through a register or a known address in memory. After ++ the gadget has executed, he can measure the side effect. ++ ++ The kernel can protect itself against consuming poisoned branch ++ target buffer entries by using return trampolines (also known as ++ "retpoline") :ref:`[3] ` :ref:`[9] ` for all ++ indirect branches. Return trampolines trap speculative execution paths ++ to prevent jumping to gadget code during speculative execution. ++ x86 CPUs with Enhanced Indirect Branch Restricted Speculation ++ (Enhanced IBRS) available in hardware should use the feature to ++ mitigate Spectre variant 2 instead of retpoline. Enhanced IBRS is ++ more efficient than retpoline. ++ ++ There may be gadget code in firmware which could be exploited with ++ Spectre variant 2 attack by a rogue user process. To mitigate such ++ attacks on x86, Indirect Branch Restricted Speculation (IBRS) feature ++ is turned on before the kernel invokes any firmware code. ++ ++2. 
A user process attacking another user process ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ A malicious user process can try to attack another user process, ++ either via a context switch on the same hardware thread, or from the ++ sibling hyperthread sharing a physical processor core on simultaneous ++ multi-threading (SMT) system. ++ ++ Spectre variant 1 attacks generally require passing parameters ++ between the processes, which needs a data passing relationship, such ++ as remote procedure calls (RPC). Those parameters are used in gadget ++ code to derive invalid data pointers accessing privileged memory in ++ the attacked process. ++ ++ Spectre variant 2 attacks can be launched from a rogue process by ++ :ref:`poisoning ` the branch target buffer. This can ++ influence the indirect branch targets for a victim process that either ++ runs later on the same hardware thread, or running concurrently on ++ a sibling hardware thread sharing the same physical core. ++ ++ A user process can protect itself against Spectre variant 2 attacks ++ by using the prctl() syscall to disable indirect branch speculation ++ for itself. An administrator can also cordon off an unsafe process ++ from polluting the branch target buffer by disabling the process's ++ indirect branch speculation. This comes with a performance cost ++ from not using indirect branch speculation and clearing the branch ++ target buffer. When SMT is enabled on x86, for a process that has ++ indirect branch speculation disabled, Single Threaded Indirect Branch ++ Predictors (STIBP) :ref:`[4] ` are turned on to prevent the ++ sibling thread from controlling branch target buffer. In addition, ++ the Indirect Branch Prediction Barrier (IBPB) is issued to clear the ++ branch target buffer when context switching to and from such process. ++ ++ On x86, the return stack buffer is stuffed on context switch. 
++ This prevents the branch target buffer from being used for branch ++ prediction when the return stack buffer underflows while switching to ++ a deeper call stack. Any poisoned entries in the return stack buffer ++ left by the previous process will also be cleared. ++ ++ User programs should use address space randomization to make attacks ++ more difficult (Set /proc/sys/kernel/randomize_va_space = 1 or 2). ++ ++3. A virtualized guest attacking the host ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ The attack mechanism is similar to how user processes attack the ++ kernel. The kernel is entered via hyper-calls or other virtualization ++ exit paths. ++ ++ For Spectre variant 1 attacks, rogue guests can pass parameters ++ (e.g. in registers) via hyper-calls to derive invalid pointers to ++ speculate into privileged memory after entering the kernel. For places ++ where such kernel code has been identified, nospec accessor macros ++ are used to stop speculative memory access. ++ ++ For Spectre variant 2 attacks, rogue guests can :ref:`poison ++ ` the branch target buffer or return stack buffer, causing ++ the kernel to jump to gadget code in the speculative execution paths. ++ ++ To mitigate variant 2, the host kernel can use return trampolines ++ for indirect branches to bypass the poisoned branch target buffer, ++ and flushing the return stack buffer on VM exit. This prevents rogue ++ guests from affecting indirect branching in the host kernel. ++ ++ To protect host processes from rogue guests, host processes can have ++ indirect branch speculation disabled via prctl(). The branch target ++ buffer is cleared before context switching to such processes. ++ ++4. A virtualized guest attacking other guest ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ A rogue guest may attack another guest to get data accessible by the ++ other guest. ++ ++ Spectre variant 1 attacks are possible if parameters can be passed ++ between guests. 
This may be done via mechanisms such as shared memory ++ or message passing. Such parameters could be used to derive data ++ pointers to privileged data in guest. The privileged data could be ++ accessed by gadget code in the victim's speculation paths. ++ ++ Spectre variant 2 attacks can be launched from a rogue guest by ++ :ref:`poisoning ` the branch target buffer or the return ++ stack buffer. Such poisoned entries could be used to influence ++ speculation execution paths in the victim guest. ++ ++ Linux kernel mitigates attacks to other guests running in the same ++ CPU hardware thread by flushing the return stack buffer on VM exit, ++ and clearing the branch target buffer before switching to a new guest. ++ ++ If SMT is used, Spectre variant 2 attacks from an untrusted guest ++ in the sibling hyperthread can be mitigated by the administrator, ++ by turning off the unsafe guest's indirect branch speculation via ++ prctl(). A guest can also protect itself by turning on microcode ++ based mitigations (such as IBPB or STIBP on x86) within the guest. ++ ++.. _spectre_sys_info: ++ ++Spectre system information ++-------------------------- ++ ++The Linux kernel provides a sysfs interface to enumerate the current ++mitigation status of the system for Spectre: whether the system is ++vulnerable, and which mitigations are active. ++ ++The sysfs file showing Spectre variant 1 mitigation status is: ++ ++ /sys/devices/system/cpu/vulnerabilities/spectre_v1 ++ ++The possible values in this file are: ++ ++ ======================================= ================================= ++ 'Mitigation: __user pointer sanitation' Protection in kernel on a case by ++ case base with explicit pointer ++ sanitation. ++ ======================================= ================================= ++ ++However, the protections are put in place on a case by case basis, ++and there is no guarantee that all possible attack vectors for Spectre ++variant 1 are covered. 
++ ++The spectre_v2 kernel file reports if the kernel has been compiled with ++retpoline mitigation or if the CPU has hardware mitigation, and if the ++CPU has support for additional process-specific mitigation. ++ ++This file also reports CPU features enabled by microcode to mitigate ++attack between user processes: ++ ++1. Indirect Branch Prediction Barrier (IBPB) to add additional ++ isolation between processes of different users. ++2. Single Thread Indirect Branch Predictors (STIBP) to add additional ++ isolation between CPU threads running on the same core. ++ ++These CPU features may impact performance when used and can be enabled ++per process on a case-by-case base. ++ ++The sysfs file showing Spectre variant 2 mitigation status is: ++ ++ /sys/devices/system/cpu/vulnerabilities/spectre_v2 ++ ++The possible values in this file are: ++ ++ - Kernel status: ++ ++ ==================================== ================================= ++ 'Not affected' The processor is not vulnerable ++ 'Vulnerable' Vulnerable, no mitigation ++ 'Mitigation: Full generic retpoline' Software-focused mitigation ++ 'Mitigation: Full AMD retpoline' AMD-specific software mitigation ++ 'Mitigation: Enhanced IBRS' Hardware-focused mitigation ++ ==================================== ================================= ++ ++ - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is ++ used to protect against Spectre variant 2 attacks when calling firmware (x86 only). ++ ++ ========== ============================================================= ++ 'IBRS_FW' Protection against user program attacks when calling firmware ++ ========== ============================================================= ++ ++ - Indirect branch prediction barrier (IBPB) status for protection between ++ processes of different users. This feature can be controlled through ++ prctl() per process, or through kernel command line options. This is ++ an x86 only feature. For more details see below. 
++ ++ =================== ======================================================== ++ 'IBPB: disabled' IBPB unused ++ 'IBPB: always-on' Use IBPB on all tasks ++ 'IBPB: conditional' Use IBPB on SECCOMP or indirect branch restricted tasks ++ =================== ======================================================== ++ ++ - Single threaded indirect branch prediction (STIBP) status for protection ++ between different hyper threads. This feature can be controlled through ++ prctl per process, or through kernel command line options. This is x86 ++ only feature. For more details see below. ++ ++ ==================== ======================================================== ++ 'STIBP: disabled' STIBP unused ++ 'STIBP: forced' Use STIBP on all tasks ++ 'STIBP: conditional' Use STIBP on SECCOMP or indirect branch restricted tasks ++ ==================== ======================================================== ++ ++ - Return stack buffer (RSB) protection status: ++ ++ ============= =========================================== ++ 'RSB filling' Protection of RSB on context switch enabled ++ ============= =========================================== ++ ++Full mitigation might require a microcode update from the CPU ++vendor. When the necessary microcode is not available, the kernel will ++report vulnerability. ++ ++Turning on mitigation for Spectre variant 1 and Spectre variant 2 ++----------------------------------------------------------------- ++ ++1. Kernel mitigation ++^^^^^^^^^^^^^^^^^^^^ ++ ++ For the Spectre variant 1, vulnerable kernel code (as determined ++ by code audit or scanning tools) is annotated on a case by case ++ basis to use nospec accessor macros for bounds clipping :ref:`[2] ++ ` to avoid any usable disclosure gadgets. However, it may ++ not cover all attack vectors for Spectre variant 1. 
++ ++ For Spectre variant 2 mitigation, the compiler turns indirect calls or ++ jumps in the kernel into equivalent return trampolines (retpolines) ++ :ref:`[3] ` :ref:`[9] ` to go to the target ++ addresses. Speculative execution paths under retpolines are trapped ++ in an infinite loop to prevent any speculative execution jumping to ++ a gadget. ++ ++ To turn on retpoline mitigation on a vulnerable CPU, the kernel ++ needs to be compiled with a gcc compiler that supports the ++ -mindirect-branch=thunk-extern -mindirect-branch-register options. ++ If the kernel is compiled with a Clang compiler, the compiler needs ++ to support -mretpoline-external-thunk option. The kernel config ++ CONFIG_RETPOLINE needs to be turned on, and the CPU needs to run with ++ the latest updated microcode. ++ ++ On Intel Skylake-era systems the mitigation covers most, but not all, ++ cases. See :ref:`[3] ` for more details. ++ ++ On CPUs with hardware mitigation for Spectre variant 2 (e.g. Enhanced ++ IBRS on x86), retpoline is automatically disabled at run time. ++ ++ The retpoline mitigation is turned on by default on vulnerable ++ CPUs. It can be forced on or off by the administrator ++ via the kernel command line and sysfs control files. See ++ :ref:`spectre_mitigation_control_command_line`. ++ ++ On x86, indirect branch restricted speculation is turned on by default ++ before invoking any firmware code to prevent Spectre variant 2 exploits ++ using the firmware. ++ ++ Using kernel address space randomization (CONFIG_RANDOMIZE_SLAB=y ++ and CONFIG_SLAB_FREELIST_RANDOM=y in the kernel configuration) makes ++ attacks on the kernel generally more difficult. ++ ++2. User program mitigation ++^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ User programs can mitigate Spectre variant 1 using LFENCE or "bounds ++ clipping". For more details see :ref:`[2] `. ++ ++ For Spectre variant 2 mitigation, individual user programs ++ can be compiled with return trampolines for indirect branches. 
++ This protects them from consuming poisoned entries in the branch ++ target buffer left by malicious software. Alternatively, the ++ programs can disable their indirect branch speculation via prctl() ++ (See :ref:`Documentation/userspace-api/spec_ctrl.rst `). ++ On x86, this will turn on STIBP to guard against attacks from the ++ sibling thread when the user program is running, and use IBPB to ++ flush the branch target buffer when switching to/from the program. ++ ++ Restricting indirect branch speculation on a user program will ++ also prevent the program from launching a variant 2 attack ++ on x86. All sand-boxed SECCOMP programs have indirect branch ++ speculation restricted by default. Administrators can change ++ that behavior via the kernel command line and sysfs control files. ++ See :ref:`spectre_mitigation_control_command_line`. ++ ++ Programs that disable their indirect branch speculation will have ++ more overhead and run slower. ++ ++ User programs should use address space randomization ++ (/proc/sys/kernel/randomize_va_space = 1 or 2) to make attacks more ++ difficult. ++ ++3. VM mitigation ++^^^^^^^^^^^^^^^^ ++ ++ Within the kernel, Spectre variant 1 attacks from rogue guests are ++ mitigated on a case by case basis in VM exit paths. Vulnerable code ++ uses nospec accessor macros for "bounds clipping", to avoid any ++ usable disclosure gadgets. However, this may not cover all variant ++ 1 attack vectors. ++ ++ For Spectre variant 2 attacks from rogue guests to the kernel, the ++ Linux kernel uses retpoline or Enhanced IBRS to prevent consumption of ++ poisoned entries in branch target buffer left by rogue guests. It also ++ flushes the return stack buffer on every VM exit to prevent a return ++ stack buffer underflow so poisoned branch target buffer could be used, ++ or attacker guests leaving poisoned entries in the return stack buffer. 
++ ++ To mitigate guest-to-guest attacks in the same CPU hardware thread, ++ the branch target buffer is sanitized by flushing before switching ++ to a new guest on a CPU. ++ ++ The above mitigations are turned on by default on vulnerable CPUs. ++ ++ To mitigate guest-to-guest attacks from sibling thread when SMT is ++ in use, an untrusted guest running in the sibling thread can have ++ its indirect branch speculation disabled by administrator via prctl(). ++ ++ The kernel also allows guests to use any microcode based mitigation ++ they choose to use (such as IBPB or STIBP on x86) to protect themselves. ++ ++.. _spectre_mitigation_control_command_line: ++ ++Mitigation control on the kernel command line ++--------------------------------------------- ++ ++Spectre variant 2 mitigation can be disabled or force enabled at the ++kernel command line. ++ ++ nospectre_v2 ++ ++ [X86] Disable all mitigations for the Spectre variant 2 ++ (indirect branch prediction) vulnerability. System may ++ allow data leaks with this option, which is equivalent ++ to spectre_v2=off. ++ ++ ++ spectre_v2= ++ ++ [X86] Control mitigation of Spectre variant 2 ++ (indirect branch speculation) vulnerability. ++ The default operation protects the kernel from ++ user space attacks. ++ ++ on ++ unconditionally enable, implies ++ spectre_v2_user=on ++ off ++ unconditionally disable, implies ++ spectre_v2_user=off ++ auto ++ kernel detects whether your CPU model is ++ vulnerable ++ ++ Selecting 'on' will, and 'auto' may, choose a ++ mitigation method at run time according to the ++ CPU, the available microcode, the setting of the ++ CONFIG_RETPOLINE configuration option, and the ++ compiler with which the kernel was built. ++ ++ Selecting 'on' will also enable the mitigation ++ against user space to user space task attacks. ++ ++ Selecting 'off' will disable both the kernel and ++ the user space protections. 
++ ++ Specific mitigations can also be selected manually: ++ ++ retpoline ++ replace indirect branches ++ retpoline,generic ++ google's original retpoline ++ retpoline,amd ++ AMD-specific minimal thunk ++ ++ Not specifying this option is equivalent to ++ spectre_v2=auto. ++ ++For user space mitigation: ++ ++ spectre_v2_user= ++ ++ [X86] Control mitigation of Spectre variant 2 ++ (indirect branch speculation) vulnerability between ++ user space tasks ++ ++ on ++ Unconditionally enable mitigations. Is ++ enforced by spectre_v2=on ++ ++ off ++ Unconditionally disable mitigations. Is ++ enforced by spectre_v2=off ++ ++ prctl ++ Indirect branch speculation is enabled, ++ but mitigation can be enabled via prctl ++ per thread. The mitigation control state ++ is inherited on fork. ++ ++ prctl,ibpb ++ Like "prctl" above, but only STIBP is ++ controlled per thread. IBPB is issued ++ always when switching between different user ++ space processes. ++ ++ seccomp ++ Same as "prctl" above, but all seccomp ++ threads will enable the mitigation unless ++ they explicitly opt out. ++ ++ seccomp,ibpb ++ Like "seccomp" above, but only STIBP is ++ controlled per thread. IBPB is issued ++ always when switching between different ++ user space processes. ++ ++ auto ++ Kernel selects the mitigation depending on ++ the available CPU features and vulnerability. ++ ++ Default mitigation: ++ If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl" ++ ++ Not specifying this option is equivalent to ++ spectre_v2_user=auto. ++ ++ In general the kernel by default selects ++ reasonable mitigations for the current CPU. To ++ disable Spectre variant 2 mitigations, boot with ++ spectre_v2=off. Spectre variant 1 mitigations ++ cannot be disabled. ++ ++Mitigation selection guide ++-------------------------- ++ ++1. 
Trusted userspace ++^^^^^^^^^^^^^^^^^^^^ ++ ++ If all userspace applications are from trusted sources and do not ++ execute externally supplied untrusted code, then the mitigations can ++ be disabled. ++ ++2. Protect sensitive programs ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ For security-sensitive programs that have secrets (e.g. crypto ++ keys), protection against Spectre variant 2 can be put in place by ++ disabling indirect branch speculation when the program is running ++ (See :ref:`Documentation/userspace-api/spec_ctrl.rst `). ++ ++3. Sandbox untrusted programs ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ Untrusted programs that could be a source of attacks can be cordoned ++ off by disabling their indirect branch speculation when they are run ++ (See :ref:`Documentation/userspace-api/spec_ctrl.rst `). ++ This prevents untrusted programs from polluting the branch target ++ buffer. All programs running in SECCOMP sandboxes have indirect ++ branch speculation restricted by default. This behavior can be ++ changed via the kernel command line and sysfs control files. See ++ :ref:`spectre_mitigation_control_command_line`. ++ ++3. High security mode ++^^^^^^^^^^^^^^^^^^^^^ ++ ++ All Spectre variant 2 mitigations can be forced on ++ at boot time for all programs (See the "on" option in ++ :ref:`spectre_mitigation_control_command_line`). This will add ++ overhead as indirect branch speculations for all programs will be ++ restricted. ++ ++ On x86, branch target buffer will be flushed with IBPB when switching ++ to a new program. STIBP is left on all the time to protect programs ++ against variant 2 attacks originating from programs running on ++ sibling threads. ++ ++ Alternatively, STIBP can be used only when running programs ++ whose indirect branch speculation is explicitly disabled, ++ while IBPB is still used all the time when switching to a new ++ program to clear the branch target buffer (See "ibpb" option in ++ :ref:`spectre_mitigation_control_command_line`). 
This "ibpb" option ++ has less performance cost than the "on" option, which leaves STIBP ++ on all the time. ++ ++References on Spectre ++--------------------- ++ ++Intel white papers: ++ ++.. _spec_ref1: ++ ++[1] `Intel analysis of speculative execution side channels `_. ++ ++.. _spec_ref2: ++ ++[2] `Bounds check bypass `_. ++ ++.. _spec_ref3: ++ ++[3] `Deep dive: Retpoline: A branch target injection mitigation `_. ++ ++.. _spec_ref4: ++ ++[4] `Deep Dive: Single Thread Indirect Branch Predictors `_. ++ ++AMD white papers: ++ ++.. _spec_ref5: ++ ++[5] `AMD64 technology indirect branch control extension `_. ++ ++.. _spec_ref6: ++ ++[6] `Software techniques for managing speculation on AMD processors `_. ++ ++ARM white papers: ++ ++.. _spec_ref7: ++ ++[7] `Cache speculation side-channels `_. ++ ++.. _spec_ref8: ++ ++[8] `Cache speculation issues update `_. ++ ++Google white paper: ++ ++.. _spec_ref9: ++ ++[9] `Retpoline: a software construct for preventing branch-target-injection `_. ++ ++MIPS white paper: ++ ++.. _spec_ref10: ++ ++[10] `MIPS: response on speculative execution and side channel vulnerabilities `_. ++ ++Academic papers: ++ ++.. _spec_ref11: ++ ++[11] `Spectre Attacks: Exploiting Speculative Execution `_. ++ ++.. _spec_ref12: ++ ++[12] `NetSpectre: Read Arbitrary Memory over Network `_. ++ ++.. _spec_ref13: ++ ++[13] `Spectre Returns! Speculation Attacks using the Return Stack Buffer `_. +diff --git a/Documentation/userspace-api/spec_ctrl.rst b/Documentation/userspace-api/spec_ctrl.rst +index c4dbe6f7cdae..0fda8f614110 100644 +--- a/Documentation/userspace-api/spec_ctrl.rst ++++ b/Documentation/userspace-api/spec_ctrl.rst +@@ -47,6 +47,8 @@ If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is + available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation + misfeature will fail. + ++.. _set_spec_ctrl: ++ + PR_SET_SPECULATION_CTRL + ----------------------- + +-- +2.20.1 + 
diff --git a/debian/patches/bugfix/all/Documentation-Add-swapgs-description-to-the-Spectre-.patch b/debian/patches/bugfix/all/Documentation-Add-swapgs-description-to-the-Spectre-.patch
new file mode 100644
index 000000000..4513a1dca
--- /dev/null
+++ b/debian/patches/bugfix/all/Documentation-Add-swapgs-description-to-the-Spectre-.patch
@@ -0,0 +1,170 @@ +From: Josh Poimboeuf +Date: Sat, 3 Aug 2019 21:21:54 +0200 +Subject: Documentation: Add swapgs description to the Spectre v1 documentation +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7634b9cd27e8f867dd3438d262c78d4b9262497f +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-1125 + +commit 4c92057661a3412f547ede95715641d7ee16ddac upstream + +Add documentation to the Spectre document about the new swapgs variant of +Spectre v1. + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/hw-vuln/spectre.rst | 88 +++++++++++++++++-- + 1 file changed, 80 insertions(+), 8 deletions(-) + +diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst +index 25f3b2532198..e05e581af5cf 100644 +--- a/Documentation/admin-guide/hw-vuln/spectre.rst ++++ b/Documentation/admin-guide/hw-vuln/spectre.rst +@@ -41,10 +41,11 @@ Related CVEs + + The following CVE entries describe Spectre variants: + +- ============= ======================= ================= ++ ============= ======================= ========================== + CVE-2017-5753 Bounds check bypass Spectre variant 1 + CVE-2017-5715 Branch target injection Spectre variant 2 +- ============= ======================= ================= ++ CVE-2019-1125 Spectre v1 swapgs Spectre variant 1 (swapgs) ++ ============= ======================= ========================== + + Problem + ------- +@@ -78,6 +79,13 @@ There are some extensions of Spectre variant 1 attacks for reading data + over the network, see :ref:`[12] `. However such attacks + are difficult, low bandwidth, fragile, and are considered low risk. + ++Note that, despite "Bounds Check Bypass" name, Spectre variant 1 is not ++only about user-controlled array bounds checks. It can affect any ++conditional checks. 
The kernel entry code interrupt, exception, and NMI ++handlers all have conditional swapgs checks. Those may be problematic ++in the context of Spectre v1, as kernel code can speculatively run with ++a user GS. ++ + Spectre variant 2 (Branch Target Injection) + ------------------------------------------- + +@@ -132,6 +140,9 @@ not cover all possible attack vectors. + 1. A user process attacking the kernel + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ++Spectre variant 1 ++~~~~~~~~~~~~~~~~~ ++ + The attacker passes a parameter to the kernel via a register or + via a known address in memory during a syscall. Such parameter may + be used later by the kernel as an index to an array or to derive +@@ -144,7 +155,40 @@ not cover all possible attack vectors. + potentially be influenced for Spectre attacks, new "nospec" accessor + macros are used to prevent speculative loading of data. + +- Spectre variant 2 attacker can :ref:`poison ` the branch ++Spectre variant 1 (swapgs) ++~~~~~~~~~~~~~~~~~~~~~~~~~~ ++ ++ An attacker can train the branch predictor to speculatively skip the ++ swapgs path for an interrupt or exception. If they initialize ++ the GS register to a user-space value, if the swapgs is speculatively ++ skipped, subsequent GS-related percpu accesses in the speculation ++ window will be done with the attacker-controlled GS value. This ++ could cause privileged memory to be accessed and leaked. ++ ++ For example: ++ ++ :: ++ ++ if (coming from user space) ++ swapgs ++ mov %gs:, %reg ++ mov (%reg), %reg1 ++ ++ When coming from user space, the CPU can speculatively skip the ++ swapgs, and then do a speculative percpu load using the user GS ++ value. So the user can speculatively force a read of any kernel ++ value. If a gadget exists which uses the percpu value as an address ++ in another load/store, then the contents of the kernel value may ++ become visible via an L1 side channel attack. ++ ++ A similar attack exists when coming from kernel space. 
The CPU can ++ speculatively do the swapgs, causing the user GS to get used for the ++ rest of the speculative window. ++ ++Spectre variant 2 ++~~~~~~~~~~~~~~~~~ ++ ++ A spectre variant 2 attacker can :ref:`poison ` the branch + target buffer (BTB) before issuing syscall to launch an attack. + After entering the kernel, the kernel could use the poisoned branch + target buffer on indirect jump and jump to gadget code in speculative +@@ -280,11 +324,18 @@ The sysfs file showing Spectre variant 1 mitigation status is: + + The possible values in this file are: + +- ======================================= ================================= +- 'Mitigation: __user pointer sanitation' Protection in kernel on a case by +- case base with explicit pointer +- sanitation. +- ======================================= ================================= ++ .. list-table:: ++ ++ * - 'Not affected' ++ - The processor is not vulnerable. ++ * - 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers' ++ - The swapgs protections are disabled; otherwise it has ++ protection in the kernel on a case by case base with explicit ++ pointer sanitation and usercopy LFENCE barriers. ++ * - 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization' ++ - Protection in the kernel on a case by case base with explicit ++ pointer sanitation, usercopy LFENCE barriers, and swapgs LFENCE ++ barriers. + + However, the protections are put in place on a case by case basis, + and there is no guarantee that all possible attack vectors for Spectre +@@ -366,12 +417,27 @@ Turning on mitigation for Spectre variant 1 and Spectre variant 2 + 1. Kernel mitigation + ^^^^^^^^^^^^^^^^^^^^ + ++Spectre variant 1 ++~~~~~~~~~~~~~~~~~ ++ + For the Spectre variant 1, vulnerable kernel code (as determined + by code audit or scanning tools) is annotated on a case by case + basis to use nospec accessor macros for bounds clipping :ref:`[2] + ` to avoid any usable disclosure gadgets. 
However, it may + not cover all attack vectors for Spectre variant 1. + ++ Copy-from-user code has an LFENCE barrier to prevent the access_ok() ++ check from being mis-speculated. The barrier is done by the ++ barrier_nospec() macro. ++ ++ For the swapgs variant of Spectre variant 1, LFENCE barriers are ++ added to interrupt, exception and NMI entry where needed. These ++ barriers are done by the FENCE_SWAPGS_KERNEL_ENTRY and ++ FENCE_SWAPGS_USER_ENTRY macros. ++ ++Spectre variant 2 ++~~~~~~~~~~~~~~~~~ ++ + For Spectre variant 2 mitigation, the compiler turns indirect calls or + jumps in the kernel into equivalent return trampolines (retpolines) + :ref:`[3] ` :ref:`[9] ` to go to the target +@@ -473,6 +539,12 @@ Mitigation control on the kernel command line + Spectre variant 2 mitigation can be disabled or force enabled at the + kernel command line. + ++ nospectre_v1 ++ ++ [X86,PPC] Disable mitigations for Spectre Variant 1 ++ (bounds check bypass). With this option data leaks are ++ possible in the system. ++ + nospectre_v2 + + [X86] Disable all mitigations for the Spectre variant 2 +-- +2.20.1 + diff --git a/debian/patches/bugfix/x86/x86-cpufeatures-Carve-out-CQM-features-retrieval.patch b/debian/patches/bugfix/x86/x86-cpufeatures-Carve-out-CQM-features-retrieval.patch new file mode 100644 index 000000000..68958e089 --- /dev/null +++ b/debian/patches/bugfix/x86/x86-cpufeatures-Carve-out-CQM-features-retrieval.patch 
@@ -0,0 +1,110 @@ +From: Borislav Petkov +Date: Wed, 19 Jun 2019 17:24:34 +0200 +Subject: x86/cpufeatures: Carve out CQM features retrieval +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=16ad0b63f382a16454cb927f2eb45b32dbb71b94 + +commit 45fc56e629caa451467e7664fbd4c797c434a6c4 upstream + +... into a separate function for better readability. Split out from a +patch from Fenghua Yu to keep the mechanical, +sole code movement separate for easy review. + +No functional changes. + +Signed-off-by: Borislav Petkov +Signed-off-by: Thomas Gleixner +Cc: Fenghua Yu +Cc: x86@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/common.c | 60 ++++++++++++++++++++---------------- + 1 file changed, 33 insertions(+), 27 deletions(-) + +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 1073118b9bf0..a315e475e484 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -808,6 +808,38 @@ static void init_speculation_control(struct cpuinfo_x86 *c) + } + } + ++static void init_cqm(struct cpuinfo_x86 *c) ++{ ++ u32 eax, ebx, ecx, edx; ++ ++ /* Additional Intel-defined flags: level 0x0000000F */ ++ if (c->cpuid_level >= 0x0000000F) { ++ ++ /* QoS sub-leaf, EAX=0Fh, ECX=0 */ ++ cpuid_count(0x0000000F, 0, &eax, &ebx, &ecx, &edx); ++ c->x86_capability[CPUID_F_0_EDX] = edx; ++ ++ if (cpu_has(c, X86_FEATURE_CQM_LLC)) { ++ /* will be overridden if occupancy monitoring exists */ ++ c->x86_cache_max_rmid = ebx; ++ ++ /* QoS sub-leaf, EAX=0Fh, ECX=1 */ ++ cpuid_count(0x0000000F, 1, &eax, &ebx, &ecx, &edx); ++ c->x86_capability[CPUID_F_1_EDX] = edx; ++ ++ if ((cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC)) || ++ ((cpu_has(c, X86_FEATURE_CQM_MBM_TOTAL)) || ++ (cpu_has(c, X86_FEATURE_CQM_MBM_LOCAL)))) { ++ c->x86_cache_max_rmid = ecx; ++ c->x86_cache_occ_scale = ebx; ++ } ++ } else { ++ c->x86_cache_max_rmid = -1; ++ c->x86_cache_occ_scale = -1; ++ } ++ } ++} ++ + void get_cpu_cap(struct 
cpuinfo_x86 *c) + { + u32 eax, ebx, ecx, edx; +@@ -839,33 +871,6 @@ void get_cpu_cap(struct cpuinfo_x86 *c) + c->x86_capability[CPUID_D_1_EAX] = eax; + } + +- /* Additional Intel-defined flags: level 0x0000000F */ +- if (c->cpuid_level >= 0x0000000F) { +- +- /* QoS sub-leaf, EAX=0Fh, ECX=0 */ +- cpuid_count(0x0000000F, 0, &eax, &ebx, &ecx, &edx); +- c->x86_capability[CPUID_F_0_EDX] = edx; +- +- if (cpu_has(c, X86_FEATURE_CQM_LLC)) { +- /* will be overridden if occupancy monitoring exists */ +- c->x86_cache_max_rmid = ebx; +- +- /* QoS sub-leaf, EAX=0Fh, ECX=1 */ +- cpuid_count(0x0000000F, 1, &eax, &ebx, &ecx, &edx); +- c->x86_capability[CPUID_F_1_EDX] = edx; +- +- if ((cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC)) || +- ((cpu_has(c, X86_FEATURE_CQM_MBM_TOTAL)) || +- (cpu_has(c, X86_FEATURE_CQM_MBM_LOCAL)))) { +- c->x86_cache_max_rmid = ecx; +- c->x86_cache_occ_scale = ebx; +- } +- } else { +- c->x86_cache_max_rmid = -1; +- c->x86_cache_occ_scale = -1; +- } +- } +- + /* AMD-defined flags: level 0x80000001 */ + eax = cpuid_eax(0x80000000); + c->extended_cpuid_level = eax; +@@ -896,6 +901,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c) + + init_scattered_cpuid_features(c); + init_speculation_control(c); ++ init_cqm(c); + + /* + * Clear/Set all flags overridden by options, after probe. +-- +2.20.1 + diff --git a/debian/patches/bugfix/x86/x86-cpufeatures-Combine-word-11-and-12-into-a-new-sc.patch b/debian/patches/bugfix/x86/x86-cpufeatures-Combine-word-11-and-12-into-a-new-sc.patch new file mode 100644 index 000000000..3d78de3ef --- /dev/null +++ b/debian/patches/bugfix/x86/x86-cpufeatures-Combine-word-11-and-12-into-a-new-sc.patch 
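Review bot: init_cqm() in arch/x86/kernel/cpu/common.c writes x86_cache_max_rmid and x86_cache_occ_scale only inside the `c->cpuid_level >= 0x0000000F` branch, so on a CPU below that level both fields keep whatever value they had on entry; the `-1` sentinel is assigned only in the inner else. This is inherited from the block removed from get_cpu_cap(), but the call now sits after init_speculation_control() instead of before the 0x80000001 probing, so "no functional changes" holds only if nothing in between reads those fields or the two CPUID_F_* capability words; get_cpu_cap() continues outside the hunk, so that cannot be confirmed from here. I would document the contract on the new helper, e.g. `/* Fill max RMID and occupancy scale from CPUID leaf 0xF; both fields are left untouched when cpuid_level < 0xF. */`.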
@@ -0,0 +1,211 @@ +From: Fenghua Yu +Date: Wed, 19 Jun 2019 18:51:09 +0200 +Subject: x86/cpufeatures: Combine word 11 and 12 into a new scattered features + word +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b5dd7f61fce44a1d5df5c63ce7bcb9e0a05ce2f7 + +commit acec0ce081de0c36459eea91647faf99296445a3 upstream + +It's a waste for the four X86_FEATURE_CQM_* feature bits to occupy two +whole feature bits words. To better utilize feature words, re-define +word 11 to host scattered features and move the four X86_FEATURE_CQM_* +features into Linux defined word 11. More scattered features can be +added in word 11 in the future. + +Rename leaf 11 in cpuid_leafs to CPUID_LNX_4 to reflect it's a +Linux-defined leaf. + +Rename leaf 12 as CPUID_DUMMY which will be replaced by a meaningful +name in the next patch when CPUID.7.1:EAX occupies world 12. + +Maximum number of RMID and cache occupancy scale are retrieved from +CPUID.0xf.1 after scattered CQM features are enumerated. Carve out the +code into a separate function. + +KVM doesn't support resctrl now. So it's safe to move the +X86_FEATURE_CQM_* features to scattered features word 11 for KVM. + +Signed-off-by: Fenghua Yu +Signed-off-by: Borislav Petkov +Signed-off-by: Thomas Gleixner +Cc: Aaron Lewis +Cc: Andy Lutomirski +Cc: Babu Moger +Cc: "Chang S. Bae" +Cc: "Sean J Christopherson" +Cc: Frederic Weisbecker +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Jann Horn +Cc: Juergen Gross +Cc: Konrad Rzeszutek Wilk +Cc: kvm ML +Cc: Masahiro Yamada +Cc: Masami Hiramatsu +Cc: Nadav Amit +Cc: Paolo Bonzini +Cc: Pavel Tatashin +Cc: Peter Feiner +Cc: "Peter Zijlstra (Intel)" +Cc: "Radim Krčmář" +Cc: "Rafael J. 
Wysocki" +Cc: Ravi V Shankar +Cc: Sherry Hurwitz +Cc: Thomas Gleixner +Cc: Thomas Lendacky +Cc: x86 +Link: https://lkml.kernel.org/r/1560794416-217638-2-git-send-email-fenghua.yu@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/cpufeature.h | 4 ++-- + arch/x86/include/asm/cpufeatures.h | 17 +++++++------ + arch/x86/kernel/cpu/common.c | 38 ++++++++++++------------------ + arch/x86/kernel/cpu/cpuid-deps.c | 3 +++ + arch/x86/kernel/cpu/scattered.c | 4 ++++ + arch/x86/kvm/cpuid.h | 2 -- + 6 files changed, 34 insertions(+), 34 deletions(-) + +diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h +index ce95b8cbd229..68889ace9c4c 100644 +--- a/arch/x86/include/asm/cpufeature.h ++++ b/arch/x86/include/asm/cpufeature.h +@@ -22,8 +22,8 @@ enum cpuid_leafs + CPUID_LNX_3, + CPUID_7_0_EBX, + CPUID_D_1_EAX, +- CPUID_F_0_EDX, +- CPUID_F_1_EDX, ++ CPUID_LNX_4, ++ CPUID_DUMMY, + CPUID_8000_0008_EBX, + CPUID_6_EAX, + CPUID_8000_000A_EDX, +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h +index 0cf704933f23..5041f19918f2 100644 +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -271,13 +271,16 @@ + #define X86_FEATURE_XGETBV1 (10*32+ 2) /* XGETBV with ECX = 1 instruction */ + #define X86_FEATURE_XSAVES (10*32+ 3) /* XSAVES/XRSTORS instructions */ + +-/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:0 (EDX), word 11 */ +-#define X86_FEATURE_CQM_LLC (11*32+ 1) /* LLC QoS if 1 */ +- +-/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:1 (EDX), word 12 */ +-#define X86_FEATURE_CQM_OCCUP_LLC (12*32+ 0) /* LLC occupancy monitoring */ +-#define X86_FEATURE_CQM_MBM_TOTAL (12*32+ 1) /* LLC Total MBM monitoring */ +-#define X86_FEATURE_CQM_MBM_LOCAL (12*32+ 2) /* LLC Local MBM monitoring */ ++/* ++ * Extended auxiliary flags: Linux defined - for features scattered in various ++ * CPUID levels like 0xf, etc. 
++ * ++ * Reuse free bits when adding new feature flags! ++ */ ++#define X86_FEATURE_CQM_LLC (11*32+ 0) /* LLC QoS if 1 */ ++#define X86_FEATURE_CQM_OCCUP_LLC (11*32+ 1) /* LLC occupancy monitoring */ ++#define X86_FEATURE_CQM_MBM_TOTAL (11*32+ 2) /* LLC Total MBM monitoring */ ++#define X86_FEATURE_CQM_MBM_LOCAL (11*32+ 3) /* LLC Local MBM monitoring */ + + /* AMD-defined CPU features, CPUID level 0x80000008 (EBX), word 13 */ + #define X86_FEATURE_CLZERO (13*32+ 0) /* CLZERO instruction */ +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index a315e475e484..417d09f2bcaf 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -810,33 +810,25 @@ static void init_speculation_control(struct cpuinfo_x86 *c) + + static void init_cqm(struct cpuinfo_x86 *c) + { +- u32 eax, ebx, ecx, edx; +- +- /* Additional Intel-defined flags: level 0x0000000F */ +- if (c->cpuid_level >= 0x0000000F) { ++ if (!cpu_has(c, X86_FEATURE_CQM_LLC)) { ++ c->x86_cache_max_rmid = -1; ++ c->x86_cache_occ_scale = -1; ++ return; ++ } + +- /* QoS sub-leaf, EAX=0Fh, ECX=0 */ +- cpuid_count(0x0000000F, 0, &eax, &ebx, &ecx, &edx); +- c->x86_capability[CPUID_F_0_EDX] = edx; ++ /* will be overridden if occupancy monitoring exists */ ++ c->x86_cache_max_rmid = cpuid_ebx(0xf); + +- if (cpu_has(c, X86_FEATURE_CQM_LLC)) { +- /* will be overridden if occupancy monitoring exists */ +- c->x86_cache_max_rmid = ebx; ++ if (cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC) || ++ cpu_has(c, X86_FEATURE_CQM_MBM_TOTAL) || ++ cpu_has(c, X86_FEATURE_CQM_MBM_LOCAL)) { ++ u32 eax, ebx, ecx, edx; + +- /* QoS sub-leaf, EAX=0Fh, ECX=1 */ +- cpuid_count(0x0000000F, 1, &eax, &ebx, &ecx, &edx); +- c->x86_capability[CPUID_F_1_EDX] = edx; ++ /* QoS sub-leaf, EAX=0Fh, ECX=1 */ ++ cpuid_count(0xf, 1, &eax, &ebx, &ecx, &edx); + +- if ((cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC)) || +- ((cpu_has(c, X86_FEATURE_CQM_MBM_TOTAL)) || +- (cpu_has(c, X86_FEATURE_CQM_MBM_LOCAL)))) { +- c->x86_cache_max_rmid 
= ecx; +- c->x86_cache_occ_scale = ebx; +- } +- } else { +- c->x86_cache_max_rmid = -1; +- c->x86_cache_occ_scale = -1; +- } ++ c->x86_cache_max_rmid = ecx; ++ c->x86_cache_occ_scale = ebx; + } + } + +diff --git a/arch/x86/kernel/cpu/cpuid-deps.c b/arch/x86/kernel/cpu/cpuid-deps.c +index 2c0bd38a44ab..fa07a224e7b9 100644 +--- a/arch/x86/kernel/cpu/cpuid-deps.c ++++ b/arch/x86/kernel/cpu/cpuid-deps.c +@@ -59,6 +59,9 @@ static const struct cpuid_dep cpuid_deps[] = { + { X86_FEATURE_AVX512_4VNNIW, X86_FEATURE_AVX512F }, + { X86_FEATURE_AVX512_4FMAPS, X86_FEATURE_AVX512F }, + { X86_FEATURE_AVX512_VPOPCNTDQ, X86_FEATURE_AVX512F }, ++ { X86_FEATURE_CQM_OCCUP_LLC, X86_FEATURE_CQM_LLC }, ++ { X86_FEATURE_CQM_MBM_TOTAL, X86_FEATURE_CQM_LLC }, ++ { X86_FEATURE_CQM_MBM_LOCAL, X86_FEATURE_CQM_LLC }, + {} + }; + +diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c +index 772c219b6889..5a52672e3f8b 100644 +--- a/arch/x86/kernel/cpu/scattered.c ++++ b/arch/x86/kernel/cpu/scattered.c +@@ -21,6 +21,10 @@ struct cpuid_bit { + static const struct cpuid_bit cpuid_bits[] = { + { X86_FEATURE_APERFMPERF, CPUID_ECX, 0, 0x00000006, 0 }, + { X86_FEATURE_EPB, CPUID_ECX, 3, 0x00000006, 0 }, ++ { X86_FEATURE_CQM_LLC, CPUID_EDX, 1, 0x0000000f, 0 }, ++ { X86_FEATURE_CQM_OCCUP_LLC, CPUID_EDX, 0, 0x0000000f, 1 }, ++ { X86_FEATURE_CQM_MBM_TOTAL, CPUID_EDX, 1, 0x0000000f, 1 }, ++ { X86_FEATURE_CQM_MBM_LOCAL, CPUID_EDX, 2, 0x0000000f, 1 }, + { X86_FEATURE_CAT_L3, CPUID_EBX, 1, 0x00000010, 0 }, + { X86_FEATURE_CAT_L2, CPUID_EBX, 2, 0x00000010, 0 }, + { X86_FEATURE_CDP_L3, CPUID_ECX, 2, 0x00000010, 1 }, +diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h +index 9a327d5b6d1f..d78a61408243 100644 +--- a/arch/x86/kvm/cpuid.h ++++ b/arch/x86/kvm/cpuid.h +@@ -47,8 +47,6 @@ static const struct cpuid_reg reverse_cpuid[] = { + [CPUID_8000_0001_ECX] = {0x80000001, 0, CPUID_ECX}, + [CPUID_7_0_EBX] = { 7, 0, CPUID_EBX}, + [CPUID_D_1_EAX] = { 0xd, 1, CPUID_EAX}, +- [CPUID_F_0_EDX] 
= { 0xf, 0, CPUID_EDX}, +- [CPUID_F_1_EDX] = { 0xf, 1, CPUID_EDX}, + [CPUID_8000_0008_EBX] = {0x80000008, 0, CPUID_EBX}, + [CPUID_6_EAX] = { 6, 0, CPUID_EAX}, + [CPUID_8000_000A_EDX] = {0x8000000a, 0, CPUID_EDX}, +-- +2.20.1 + diff --git a/debian/patches/bugfix/x86/x86-entry-64-Use-JMP-instead-of-JMPQ.patch b/debian/patches/bugfix/x86/x86-entry-64-Use-JMP-instead-of-JMPQ.patch new file mode 100644 index 000000000..8a65f2aee --- /dev/null +++ b/debian/patches/bugfix/x86/x86-entry-64-Use-JMP-instead-of-JMPQ.patch @@ -0,0 +1,40 @@ +From: Josh Poimboeuf +Date: Mon, 15 Jul 2019 11:51:39 -0500 +Subject: x86/entry/64: Use JMP instead of JMPQ +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=931b6bfe8af1069fd1a494ef6ab14509ffeacdc3 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-1125 + +commit 64dbc122b20f75183d8822618c24f85144a5a94d upstream + +Somehow the swapgs mitigation entry code patch ended up with a JMPQ +instruction instead of JMP, where only the short jump is needed. Some +assembler versions apparently fail to optimize JMPQ into a two-byte JMP +when possible, instead always using a 7-byte JMP with relocation. For +some reason that makes the entry code explode with a #GP during boot. + +Change it back to "JMP" as originally intended. + +Fixes: 18ec54fdd6d1 ("x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations") +Signed-off-by: Josh Poimboeuf +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/entry/entry_64.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S +index 7d8da285e185..ccb5e3486aee 100644 +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -612,7 +612,7 @@ ENTRY(interrupt_entry) + UNWIND_HINT_FUNC + + movq (%rdi), %rdi +- jmpq 2f ++ jmp 2f + 1: + FENCE_SWAPGS_KERNEL_ENTRY + 2: +-- +2.20.1 + 
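Review bot: In the cpufeatures.h hunk of the "Combine word 11 and 12" patch, X86_FEATURE_CQM_LLC moves from `(11*32+ 1)` to `(11*32+ 0)` and the three CQM_OCCUP/MBM bits move from word 12 to word 11, so any code compiled against the previous header tests a different bit once this update is installed. In-tree users are rebuilt with the package, but for a stable-series upload this is presumably a concern for externally built modules, and nothing in the visible hunks records the renumbering. I would note it next to the new block, e.g. `/* CQM bits were renumbered: CQM_LLC was 11*32+1, CQM_OCCUP_LLC/MBM_TOTAL/MBM_LOCAL were 12*32+0..2 */`. Separately, the rewritten init_cqm() no longer checks `c->cpuid_level` before calling `cpuid_ebx(0xf)` and relies on the new cpuid_bits[] entries in scattered.c to gate X86_FEATURE_CQM_LLC; the code that applies that table is outside the hunk.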
diff --git a/debian/patches/bugfix/x86/x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch b/debian/patches/bugfix/x86/x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch
new file mode 100644
index 000000000..919586a4f
--- /dev/null
+++ b/debian/patches/bugfix/x86/x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch
@@ -0,0 +1,261 @@ +From: Josh Poimboeuf +Date: Mon, 8 Jul 2019 11:52:26 -0500 +Subject: x86/speculation: Enable Spectre v1 swapgs mitigations +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=23e7a7b3a75f6dd24c161bf7d1399f251bf5c109 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-1125 + +commit a2059825986a1c8143fd6698774fa9d83733bb11 upstream + +The previous commit added macro calls in the entry code which mitigate the +Spectre v1 swapgs issue if the X86_FEATURE_FENCE_SWAPGS_* features are +enabled. Enable those features where applicable. + +The mitigations may be disabled with "nospectre_v1" or "mitigations=off". + +There are different features which can affect the risk of attack: + +- When FSGSBASE is enabled, unprivileged users are able to place any + value in GS, using the wrgsbase instruction. This means they can + write a GS value which points to any value in kernel space, which can + be useful with the following gadget in an interrupt/exception/NMI + handler: + + if (coming from user space) + swapgs + mov %gs:, %reg1 + // dependent load or store based on the value of %reg + // for example: mov %(reg1), %reg2 + + If an interrupt is coming from user space, and the entry code + speculatively skips the swapgs (due to user branch mistraining), it + may speculatively execute the GS-based load and a subsequent dependent + load or store, exposing the kernel data to an L1 side channel leak. + + Note that, on Intel, a similar attack exists in the above gadget when + coming from kernel space, if the swapgs gets speculatively executed to + switch back to the user GS. On AMD, this variant isn't possible + because swapgs is serializing with respect to future GS-based + accesses. + + NOTE: The FSGSBASE patch set hasn't been merged yet, so the above case + doesn't exist quite yet. 
+ +- When FSGSBASE is disabled, the issue is mitigated somewhat because + unprivileged users must use prctl(ARCH_SET_GS) to set GS, which + restricts GS values to user space addresses only. That means the + gadget would need an additional step, since the target kernel address + needs to be read from user space first. Something like: + + if (coming from user space) + swapgs + mov %gs:, %reg1 + mov (%reg1), %reg2 + // dependent load or store based on the value of %reg2 + // for example: mov %(reg2), %reg3 + + It's difficult to audit for this gadget in all the handlers, so while + there are no known instances of it, it's entirely possible that it + exists somewhere (or could be introduced in the future). Without + tooling to analyze all such code paths, consider it vulnerable. + + Effects of SMAP on the !FSGSBASE case: + + - If SMAP is enabled, and the CPU reports RDCL_NO (i.e., not + susceptible to Meltdown), the kernel is prevented from speculatively + reading user space memory, even L1 cached values. This effectively + disables the !FSGSBASE attack vector. + + - If SMAP is enabled, but the CPU *is* susceptible to Meltdown, SMAP + still prevents the kernel from speculatively reading user space + memory. But it does *not* prevent the kernel from reading the + user value from L1, if it has already been cached. This is probably + only a small hurdle for an attacker to overcome. + +Thanks to Dave Hansen for contributing the speculative_smap() function. + +Thanks to Andrew Cooper for providing the inside scoop on whether swapgs +is serializing on AMD. 
+ +[ tglx: Fixed the USER fence decision and polished the comment as suggested + by Dave Hansen ] + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Thomas Gleixner +Reviewed-by: Dave Hansen +Signed-off-by: Greg Kroah-Hartman +--- + .../admin-guide/kernel-parameters.txt | 7 +- + arch/x86/kernel/cpu/bugs.c | 115 ++++++++++++++++-- + 2 files changed, 110 insertions(+), 12 deletions(-) + +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -2515,6 +2515,7 @@ + Equivalent to: nopti [X86,PPC] + nospectre_v1 [PPC] + nobp=0 [S390] ++ nospectre_v1 [X86] + nospectre_v2 [X86,PPC,S390] + spectre_v2_user=off [X86] + spec_store_bypass_disable=off [X86,PPC] +@@ -2861,9 +2862,9 @@ + nosmt=force: Force disable SMT, cannot be undone + via the sysfs control file. + +- nospectre_v1 [PPC] Disable mitigations for Spectre Variant 1 (bounds +- check bypass). With this option data leaks are possible +- in the system. ++ nospectre_v1 [X66, PPC] Disable mitigations for Spectre Variant 1 ++ (bounds check bypass). With this option data leaks ++ are possible in the system. + + nospectre_v2 [X86] Disable all mitigations for the Spectre variant 2 + (indirect branch prediction) vulnerability. 
System may +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -32,6 +32,7 @@ + #include + #include + ++static void __init spectre_v1_select_mitigation(void); + static void __init spectre_v2_select_mitigation(void); + static void __init ssb_select_mitigation(void); + static void __init l1tf_select_mitigation(void); +@@ -96,17 +97,11 @@ void __init check_bugs(void) + if (boot_cpu_has(X86_FEATURE_STIBP)) + x86_spec_ctrl_mask |= SPEC_CTRL_STIBP; + +- /* Select the proper spectre mitigation before patching alternatives */ ++ /* Select the proper CPU mitigations before patching alternatives: */ ++ spectre_v1_select_mitigation(); + spectre_v2_select_mitigation(); +- +- /* +- * Select proper mitigation for any exposure to the Speculative Store +- * Bypass vulnerability. +- */ + ssb_select_mitigation(); +- + l1tf_select_mitigation(); +- + mds_select_mitigation(); + + arch_smt_update(); +@@ -272,6 +267,108 @@ static int __init mds_cmdline(char *str) + early_param("mds", mds_cmdline); + + #undef pr_fmt ++#define pr_fmt(fmt) "Spectre V1 : " fmt ++ ++enum spectre_v1_mitigation { ++ SPECTRE_V1_MITIGATION_NONE, ++ SPECTRE_V1_MITIGATION_AUTO, ++}; ++ ++static enum spectre_v1_mitigation spectre_v1_mitigation __ro_after_init = ++ SPECTRE_V1_MITIGATION_AUTO; ++ ++static const char * const spectre_v1_strings[] = { ++ [SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers", ++ [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization", ++}; ++ ++static bool is_swapgs_serializing(void) ++{ ++ /* ++ * Technically, swapgs isn't serializing on AMD (despite it previously ++ * being documented as such in the APM). But according to AMD, %gs is ++ * updated non-speculatively, and the issuing of %gs-relative memory ++ * operands will be blocked until the %gs update completes, which is ++ * good enough for our purposes. 
++ */ ++ return boot_cpu_data.x86_vendor == X86_VENDOR_AMD; ++} ++ ++/* ++ * Does SMAP provide full mitigation against speculative kernel access to ++ * userspace? ++ */ ++static bool smap_works_speculatively(void) ++{ ++ if (!boot_cpu_has(X86_FEATURE_SMAP)) ++ return false; ++ ++ /* ++ * On CPUs which are vulnerable to Meltdown, SMAP does not ++ * prevent speculative access to user data in the L1 cache. ++ * Consider SMAP to be non-functional as a mitigation on these ++ * CPUs. ++ */ ++ if (boot_cpu_has(X86_BUG_CPU_MELTDOWN)) ++ return false; ++ ++ return true; ++} ++ ++static void __init spectre_v1_select_mitigation(void) ++{ ++ if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) { ++ spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE; ++ return; ++ } ++ ++ if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) { ++ /* ++ * With Spectre v1, a user can speculatively control either ++ * path of a conditional swapgs with a user-controlled GS ++ * value. The mitigation is to add lfences to both code paths. ++ * ++ * If FSGSBASE is enabled, the user can put a kernel address in ++ * GS, in which case SMAP provides no protection. ++ * ++ * [ NOTE: Don't check for X86_FEATURE_FSGSBASE until the ++ * FSGSBASE enablement patches have been merged. ] ++ * ++ * If FSGSBASE is disabled, the user can only put a user space ++ * address in GS. That makes an attack harder, but still ++ * possible if there's no SMAP protection. ++ */ ++ if (!smap_works_speculatively()) { ++ /* ++ * Mitigation can be provided from SWAPGS itself or ++ * PTI as the CR3 write in the Meltdown mitigation ++ * is serializing. ++ * ++ * If neither is there, mitigate with an LFENCE. ++ */ ++ if (!is_swapgs_serializing() && !boot_cpu_has(X86_FEATURE_PTI)) ++ setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER); ++ ++ /* ++ * Enable lfences in the kernel entry (non-swapgs) ++ * paths, to prevent user entry from speculatively ++ * skipping swapgs. 
++ */ ++ setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL); ++ } ++ } ++ ++ pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]); ++} ++ ++static int __init nospectre_v1_cmdline(char *str) ++{ ++ spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE; ++ return 0; ++} ++early_param("nospectre_v1", nospectre_v1_cmdline); ++ ++#undef pr_fmt + #define pr_fmt(fmt) "Spectre V2 : " fmt + + static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = +@@ -1249,7 +1346,7 @@ static ssize_t cpu_show_common(struct de + break; + + case X86_BUG_SPECTRE_V1: +- return sprintf(buf, "Mitigation: __user pointer sanitization\n"); ++ return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]); + + case X86_BUG_SPECTRE_V2: + return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], diff --git a/debian/patches/bugfix/x86/x86-speculation-Prepare-entry-code-for-Spectre-v1-sw.patch b/debian/patches/bugfix/x86/x86-speculation-Prepare-entry-code-for-Spectre-v1-sw.patch new file mode 100644 index 000000000..f47559b40 --- /dev/null +++ b/debian/patches/bugfix/x86/x86-speculation-Prepare-entry-code-for-Spectre-v1-sw.patch 
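Review bot: The kernel-parameters.txt entry added by this patch tags the option as `nospectre_v1 [X66, PPC]`, which looks like a typo for `[X86,PPC]`; the "mitigations=off" list a few lines earlier in the same patch spells it `nospectre_v1 [X86]`. The architecture tag is what an administrator scans for when auditing which boot parameters can switch off a mitigation on a given platform, so the line should read `nospectre_v1 [X86,PPC] Disable mitigations for Spectre Variant 1`. As this file is an imported upstream patch, the correction is probably best carried as a small follow-up patch in the series rather than by editing the import.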
@@ -0,0 +1,200 @@ +From: Josh Poimboeuf +Date: Mon, 8 Jul 2019 11:52:25 -0500 +Subject: x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=befb822c062b4c3d93380a58d5fd479395e8b267 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-1125 + +commit 18ec54fdd6d18d92025af097cd042a75cf0ea24c upstream + +Spectre v1 isn't only about array bounds checks. It can affect any +conditional checks. The kernel entry code interrupt, exception, and NMI +handlers all have conditional swapgs checks. Those may be problematic in +the context of Spectre v1, as kernel code can speculatively run with a user +GS. + +For example: + + if (coming from user space) + swapgs + mov %gs:, %reg + mov (%reg), %reg1 + +When coming from user space, the CPU can speculatively skip the swapgs, and +then do a speculative percpu load using the user GS value. So the user can +speculatively force a read of any kernel value. If a gadget exists which +uses the percpu value as an address in another load/store, then the +contents of the kernel value may become visible via an L1 side channel +attack. + +A similar attack exists when coming from kernel space. The CPU can +speculatively do the swapgs, causing the user GS to get used for the rest +of the speculative window. + +The mitigation is similar to a traditional Spectre v1 mitigation, except: + + a) index masking isn't possible; because the index (percpu offset) + isn't user-controlled; and + + b) an lfence is needed in both the "from user" swapgs path and the + "from kernel" non-swapgs path (because of the two attacks described + above). + +The user entry swapgs paths already have SWITCH_TO_KERNEL_CR3, which has a +CR3 write when PTI is enabled. Since CR3 writes are serializing, the +lfences can be skipped in those cases. + +On the other hand, the kernel entry swapgs paths don't depend on PTI. 
+ +To avoid unnecessary lfences for the user entry case, create two separate +features for alternative patching: + + X86_FEATURE_FENCE_SWAPGS_USER + X86_FEATURE_FENCE_SWAPGS_KERNEL + +Use these features in entry code to patch in lfences where needed. + +The features aren't enabled yet, so there's no functional change. + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Thomas Gleixner +Reviewed-by: Dave Hansen +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/entry/calling.h | 17 +++++++++++++++++ + arch/x86/entry/entry_64.S | 21 ++++++++++++++++++--- + arch/x86/include/asm/cpufeatures.h | 2 ++ + 3 files changed, 37 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h +index e699b2041665..578b5455334f 100644 +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -329,6 +329,23 @@ For 32-bit we have the following conventions - kernel is built with + + #endif + ++/* ++ * Mitigate Spectre v1 for conditional swapgs code paths. ++ * ++ * FENCE_SWAPGS_USER_ENTRY is used in the user entry swapgs code path, to ++ * prevent a speculative swapgs when coming from kernel space. ++ * ++ * FENCE_SWAPGS_KERNEL_ENTRY is used in the kernel entry non-swapgs code path, ++ * to prevent the swapgs from getting speculatively skipped when coming from ++ * user space. ++ */ ++.macro FENCE_SWAPGS_USER_ENTRY ++ ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_USER ++.endm ++.macro FENCE_SWAPGS_KERNEL_ENTRY ++ ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_KERNEL ++.endm ++ + #endif /* CONFIG_X86_64 */ + + /* +diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S +index e7572a209fbe..7d8da285e185 100644 +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -582,7 +582,7 @@ ENTRY(interrupt_entry) + testb $3, CS-ORIG_RAX+8(%rsp) + jz 1f + SWAPGS +- ++ FENCE_SWAPGS_USER_ENTRY + /* + * Switch to the thread stack. The IRET frame and orig_ax are + * on the stack, as well as the return address. 
RDI..R12 are +@@ -612,8 +612,10 @@ ENTRY(interrupt_entry) + UNWIND_HINT_FUNC + + movq (%rdi), %rdi ++ jmpq 2f + 1: +- ++ FENCE_SWAPGS_KERNEL_ENTRY ++2: + PUSH_AND_CLEAR_REGS save_ret=1 + ENCODE_FRAME_POINTER 8 + +@@ -1240,6 +1242,13 @@ ENTRY(paranoid_entry) + */ + SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14 + ++ /* ++ * The above SAVE_AND_SWITCH_TO_KERNEL_CR3 macro doesn't do an ++ * unconditional CR3 write, even in the PTI case. So do an lfence ++ * to prevent GS speculation, regardless of whether PTI is enabled. ++ */ ++ FENCE_SWAPGS_KERNEL_ENTRY ++ + ret + END(paranoid_entry) + +@@ -1290,6 +1299,7 @@ ENTRY(error_entry) + * from user mode due to an IRET fault. + */ + SWAPGS ++ FENCE_SWAPGS_USER_ENTRY + /* We have user CR3. Change to kernel CR3. */ + SWITCH_TO_KERNEL_CR3 scratch_reg=%rax + +@@ -1311,6 +1321,8 @@ ENTRY(error_entry) + CALL_enter_from_user_mode + ret + ++.Lerror_entry_done_lfence: ++ FENCE_SWAPGS_KERNEL_ENTRY + .Lerror_entry_done: + TRACE_IRQS_OFF + ret +@@ -1329,7 +1341,7 @@ ENTRY(error_entry) + cmpq %rax, RIP+8(%rsp) + je .Lbstep_iret + cmpq $.Lgs_change, RIP+8(%rsp) +- jne .Lerror_entry_done ++ jne .Lerror_entry_done_lfence + + /* + * hack: .Lgs_change can fail with user gsbase. If this happens, fix up +@@ -1337,6 +1349,7 @@ ENTRY(error_entry) + * .Lgs_change's error handler with kernel gsbase. + */ + SWAPGS ++ FENCE_SWAPGS_USER_ENTRY + SWITCH_TO_KERNEL_CR3 scratch_reg=%rax + jmp .Lerror_entry_done + +@@ -1351,6 +1364,7 @@ ENTRY(error_entry) + * gsbase and CR3. 
Switch to kernel gsbase and CR3: + */ + SWAPGS ++ FENCE_SWAPGS_USER_ENTRY + SWITCH_TO_KERNEL_CR3 scratch_reg=%rax + + /* +@@ -1442,6 +1456,7 @@ ENTRY(nmi) + + swapgs + cld ++ FENCE_SWAPGS_USER_ENTRY + SWITCH_TO_KERNEL_CR3 scratch_reg=%rdx + movq %rsp, %rdx + movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h +index 5041f19918f2..e0f47f6a1017 100644 +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -281,6 +281,8 @@ + #define X86_FEATURE_CQM_OCCUP_LLC (11*32+ 1) /* LLC occupancy monitoring */ + #define X86_FEATURE_CQM_MBM_TOTAL (11*32+ 2) /* LLC Total MBM monitoring */ + #define X86_FEATURE_CQM_MBM_LOCAL (11*32+ 3) /* LLC Local MBM monitoring */ ++#define X86_FEATURE_FENCE_SWAPGS_USER (11*32+ 4) /* "" LFENCE in user entry SWAPGS path */ ++#define X86_FEATURE_FENCE_SWAPGS_KERNEL (11*32+ 5) /* "" LFENCE in kernel entry SWAPGS path */ + + /* AMD-defined CPU features, CPUID level 0x80000008 (EBX), word 13 */ + #define X86_FEATURE_CLZERO (13*32+ 0) /* CLZERO instruction */ +-- +2.20.1 + diff --git a/debian/patches/bugfix/x86/x86-speculation-swapgs-Exclude-ATOMs-from-speculatio.patch b/debian/patches/bugfix/x86/x86-speculation-swapgs-Exclude-ATOMs-from-speculatio.patch new file mode 100644 index 000000000..d466887ba --- /dev/null +++ b/debian/patches/bugfix/x86/x86-speculation-swapgs-Exclude-ATOMs-from-speculatio.patch 
@@ -0,0 +1,159 @@ +From: Thomas Gleixner +Date: Wed, 17 Jul 2019 21:18:59 +0200 +Subject: x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b88241aef6f1654417bb281546da316ffab57807 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-1125 + +commit f36cf386e3fec258a341d446915862eded3e13d8 upstream + +Intel provided the following information: + + On all current Atom processors, instructions that use a segment register + value (e.g. a load or store) will not speculatively execute before the + last writer of that segment retires. Thus they will not use a + speculatively written segment value. + +That means on ATOMs there is no speculation through SWAPGS, so the SWAPGS +entry paths can be excluded from the extra LFENCE if PTI is disabled. + +Create a separate bug flag for the through SWAPGS speculation and mark all +out-of-order ATOMs and AMD/HYGON CPUs as not affected. The in-order ATOMs +are excluded from the whole mitigation mess anyway. 
+ +Reported-by: Andrew Cooper +Signed-off-by: Thomas Gleixner +Reviewed-by: Tyler Hicks +Reviewed-by: Josh Poimboeuf +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/cpufeatures.h | 1 + + arch/x86/kernel/cpu/bugs.c | 18 +++---------- + arch/x86/kernel/cpu/common.c | 42 +++++++++++++++++++----------- + 3 files changed, 32 insertions(+), 29 deletions(-) + +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h +index e0f47f6a1017..759f0a176612 100644 +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -388,5 +388,6 @@ + #define X86_BUG_L1TF X86_BUG(18) /* CPU is affected by L1 Terminal Fault */ + #define X86_BUG_MDS X86_BUG(19) /* CPU is affected by Microarchitectural data sampling */ + #define X86_BUG_MSBDS_ONLY X86_BUG(20) /* CPU is only affected by the MSDBS variant of BUG_MDS */ ++#define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */ + + #endif /* _ASM_X86_CPUFEATURES_H */ +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 844ad5d3ef51..ee7d17611ead 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -282,18 +282,6 @@ static const char * const spectre_v1_strings[] = { + [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization", + }; + +-static bool is_swapgs_serializing(void) +-{ +- /* +- * Technically, swapgs isn't serializing on AMD (despite it previously +- * being documented as such in the APM). But according to AMD, %gs is +- * updated non-speculatively, and the issuing of %gs-relative memory +- * operands will be blocked until the %gs update completes, which is +- * good enough for our purposes. +- */ +- return boot_cpu_data.x86_vendor == X86_VENDOR_AMD; +-} +- + /* + * Does SMAP provide full mitigation against speculative kernel access to + * userspace? 
+@@ -344,9 +332,11 @@ static void __init spectre_v1_select_mitigation(void) + * PTI as the CR3 write in the Meltdown mitigation + * is serializing. + * +- * If neither is there, mitigate with an LFENCE. ++ * If neither is there, mitigate with an LFENCE to ++ * stop speculation through swapgs. + */ +- if (!is_swapgs_serializing() && !boot_cpu_has(X86_FEATURE_PTI)) ++ if (boot_cpu_has_bug(X86_BUG_SWAPGS) && ++ !boot_cpu_has(X86_FEATURE_PTI)) + setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER); + + /* +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 417d09f2bcaf..b33fdfa0ff49 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -952,6 +952,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c) + #define NO_L1TF BIT(3) + #define NO_MDS BIT(4) + #define MSBDS_ONLY BIT(5) ++#define NO_SWAPGS BIT(6) + + #define VULNWL(_vendor, _family, _model, _whitelist) \ + { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist } +@@ -975,29 +976,37 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = { + VULNWL_INTEL(ATOM_BONNELL, NO_SPECULATION), + VULNWL_INTEL(ATOM_BONNELL_MID, NO_SPECULATION), + +- VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY), +- VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY), +- VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY), +- VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY), +- VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY), +- VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY), ++ VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), ++ VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), ++ VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), ++ VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), ++ VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), ++ 
VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), + + VULNWL_INTEL(CORE_YONAH, NO_SSB), + +- VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY), ++ VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY | NO_SWAPGS), + +- VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF), +- VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF), +- VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF), ++ VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS), ++ VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS), ++ VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS), ++ ++ /* ++ * Technically, swapgs isn't serializing on AMD (despite it previously ++ * being documented as such in the APM). But according to AMD, %gs is ++ * updated non-speculatively, and the issuing of %gs-relative memory ++ * operands will be blocked until the %gs update completes, which is ++ * good enough for our purposes. ++ */ + + /* AMD Family 0xf - 0x12 */ +- VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), +- VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), +- VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), +- VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), ++ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), ++ VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), ++ VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), ++ VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), + + /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */ +- VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS), ++ VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS), + {} + }; + +@@ -1034,6 +1043,9 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) + setup_force_cpu_bug(X86_BUG_MSBDS_ONLY); + } + ++ if (!cpu_matches(NO_SWAPGS)) ++ setup_force_cpu_bug(X86_BUG_SWAPGS); ++ + if (cpu_matches(NO_MELTDOWN)) + return; + +-- +2.20.1 + 
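Review bot: The description says AMD/HYGON CPUs are marked as not affected, but the `cpu_vuln_whitelist` lines visible in this hunk add `NO_SWAPGS` only to `VULNWL_INTEL` and `VULNWL_AMD` entries, and the table ends directly after `VULNWL_AMD(X86_FAMILY_ANY, ...)`. Because `cpu_set_bug_bits()` sets `X86_BUG_SWAPGS` for every CPU that does not match `NO_SWAPGS`, an unlisted vendor is treated as affected, which fails safe; presumably this tree simply has no Hygon whitelist entry, but that cannot be confirmed from the hunk. I would state the default next to the table with a comment such as `/* CPUs not listed here are treated as affected by speculation through SWAPGS */`. Both the table and `cpu_set_bug_bits()` continue outside the inner hunks.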
diff --git a/debian/patches/series b/debian/patches/series index f4e381744..37da9881b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -240,6 +240,14 @@ bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch bugfix/all/Bluetooth-hci_uart-check-for-missing-tty-operations.patch bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch +bugfix/x86/x86-cpufeatures-Carve-out-CQM-features-retrieval.patch +bugfix/x86/x86-cpufeatures-Combine-word-11-and-12-into-a-new-sc.patch +bugfix/x86/x86-speculation-Prepare-entry-code-for-Spectre-v1-sw.patch +bugfix/x86/x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch +bugfix/x86/x86-entry-64-Use-JMP-instead-of-JMPQ.patch +bugfix/x86/x86-speculation-swapgs-Exclude-ATOMs-from-speculatio.patch +bugfix/all/Documentation-Add-section-about-CPU-vulnerabilities-.patch +bugfix/all/Documentation-Add-swapgs-description-to-the-Spectre-.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From f02f2890aaee17cb8167e084895c292caa023f27 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 8 Aug 2019 02:49:04 +0100 Subject: [PATCH 17/19] [x86] cpufeatures: Avoid ABI change for swapgs mitigations - Move swapgs feature bits to existing scattered words - Revert "x86/cpufeatures: Combine word 11 and 12 into a new scattered features word" --- debian/changelog | 6 + ...combine-word-11-and-12-into-a-new-sc.patch | 138 ++++++++++++++++++ ...move-swapgs-feature-bits-to-existing.patch | 37 +++++ debian/patches/series | 2 + 4 files changed, 183 insertions(+) create mode 100644 debian/patches/debian/abi/revert-x86-cpufeatures-combine-word-11-and-12-into-a-new-sc.patch create mode 100644 debian/patches/debian/abi/x86-cpufeatures-move-swapgs-feature-bits-to-existing.patch diff --git a/debian/changelog b/debian/changelog index 44f396424..7809e5081 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -25,6 +25,12 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium * Documentation: Add section about CPU vulnerabilities for Spectre * Documentation: Add swapgs description to the Spectre v1 documentation + [ Ben Hutchings ] + * [x86] cpufeatures: Avoid ABI change for swapgs mitigations: + - Move swapgs feature bits to existing scattered words + - Revert "x86/cpufeatures: Combine word 11 and 12 into a new scattered + features word" + -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200 linux (4.19.37-5+deb10u1) buster-security; urgency=high diff --git a/debian/patches/debian/abi/revert-x86-cpufeatures-combine-word-11-and-12-into-a-new-sc.patch b/debian/patches/debian/abi/revert-x86-cpufeatures-combine-word-11-and-12-into-a-new-sc.patch new file mode 100644 index 000000000..b29b97512 --- /dev/null +++ b/debian/patches/debian/abi/revert-x86-cpufeatures-combine-word-11-and-12-into-a-new-sc.patch 
@@ -0,0 +1,138 @@ +From: Ben Hutchings +Date: Thu, 08 Aug 2019 02:42:32 +0100 +Subject: Revert "x86/cpufeatures: Combine word 11 and 12 into a new scattered features word" +Forwarded: not-needed + +Renumbering CPU feature bits is a kABI change (even if genksyms +doesn't notice it). And we actually had just enough spare bits in the +existing scattered features words. + +--- +--- a/arch/x86/include/asm/cpufeature.h ++++ b/arch/x86/include/asm/cpufeature.h +@@ -22,8 +22,8 @@ enum cpuid_leafs + CPUID_LNX_3, + CPUID_7_0_EBX, + CPUID_D_1_EAX, +- CPUID_LNX_4, +- CPUID_DUMMY, ++ CPUID_F_0_EDX, ++ CPUID_F_1_EDX, + CPUID_8000_0008_EBX, + CPUID_6_EAX, + CPUID_8000_000A_EDX, +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -271,16 +271,13 @@ + #define X86_FEATURE_XGETBV1 (10*32+ 2) /* XGETBV with ECX = 1 instruction */ + #define X86_FEATURE_XSAVES (10*32+ 3) /* XSAVES/XRSTORS instructions */ + +-/* +- * Extended auxiliary flags: Linux defined - for features scattered in various +- * CPUID levels like 0xf, etc. +- * +- * Reuse free bits when adding new feature flags! 
+- */ +-#define X86_FEATURE_CQM_LLC (11*32+ 0) /* LLC QoS if 1 */ +-#define X86_FEATURE_CQM_OCCUP_LLC (11*32+ 1) /* LLC occupancy monitoring */ +-#define X86_FEATURE_CQM_MBM_TOTAL (11*32+ 2) /* LLC Total MBM monitoring */ +-#define X86_FEATURE_CQM_MBM_LOCAL (11*32+ 3) /* LLC Local MBM monitoring */ ++/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:0 (EDX), word 11 */ ++#define X86_FEATURE_CQM_LLC (11*32+ 1) /* LLC QoS if 1 */ ++ ++/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:1 (EDX), word 12 */ ++#define X86_FEATURE_CQM_OCCUP_LLC (12*32+ 0) /* LLC occupancy monitoring */ ++#define X86_FEATURE_CQM_MBM_TOTAL (12*32+ 1) /* LLC Total MBM monitoring */ ++#define X86_FEATURE_CQM_MBM_LOCAL (12*32+ 2) /* LLC Local MBM monitoring */ + + /* AMD-defined CPU features, CPUID level 0x80000008 (EBX), word 13 */ + #define X86_FEATURE_CLZERO (13*32+ 0) /* CLZERO instruction */ +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -810,25 +810,33 @@ static void init_speculation_control(str + + static void init_cqm(struct cpuinfo_x86 *c) + { +- if (!cpu_has(c, X86_FEATURE_CQM_LLC)) { +- c->x86_cache_max_rmid = -1; +- c->x86_cache_occ_scale = -1; +- return; +- } +- +- /* will be overridden if occupancy monitoring exists */ +- c->x86_cache_max_rmid = cpuid_ebx(0xf); +- +- if (cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC) || +- cpu_has(c, X86_FEATURE_CQM_MBM_TOTAL) || +- cpu_has(c, X86_FEATURE_CQM_MBM_LOCAL)) { +- u32 eax, ebx, ecx, edx; ++ u32 eax, ebx, ecx, edx; + +- /* QoS sub-leaf, EAX=0Fh, ECX=1 */ +- cpuid_count(0xf, 1, &eax, &ebx, &ecx, &edx); ++ /* Additional Intel-defined flags: level 0x0000000F */ ++ if (c->cpuid_level >= 0x0000000F) { + +- c->x86_cache_max_rmid = ecx; +- c->x86_cache_occ_scale = ebx; ++ /* QoS sub-leaf, EAX=0Fh, ECX=0 */ ++ cpuid_count(0x0000000F, 0, &eax, &ebx, &ecx, &edx); ++ c->x86_capability[CPUID_F_0_EDX] = edx; ++ ++ if (cpu_has(c, X86_FEATURE_CQM_LLC)) { ++ /* will be overridden if occupancy monitoring exists */ ++ 
c->x86_cache_max_rmid = ebx; ++ ++ /* QoS sub-leaf, EAX=0Fh, ECX=1 */ ++ cpuid_count(0x0000000F, 1, &eax, &ebx, &ecx, &edx); ++ c->x86_capability[CPUID_F_1_EDX] = edx; ++ ++ if ((cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC)) || ++ ((cpu_has(c, X86_FEATURE_CQM_MBM_TOTAL)) || ++ (cpu_has(c, X86_FEATURE_CQM_MBM_LOCAL)))) { ++ c->x86_cache_max_rmid = ecx; ++ c->x86_cache_occ_scale = ebx; ++ } ++ } else { ++ c->x86_cache_max_rmid = -1; ++ c->x86_cache_occ_scale = -1; ++ } + } + } + +--- a/arch/x86/kernel/cpu/cpuid-deps.c ++++ b/arch/x86/kernel/cpu/cpuid-deps.c +@@ -59,9 +59,6 @@ static const struct cpuid_dep cpuid_deps + { X86_FEATURE_AVX512_4VNNIW, X86_FEATURE_AVX512F }, + { X86_FEATURE_AVX512_4FMAPS, X86_FEATURE_AVX512F }, + { X86_FEATURE_AVX512_VPOPCNTDQ, X86_FEATURE_AVX512F }, +- { X86_FEATURE_CQM_OCCUP_LLC, X86_FEATURE_CQM_LLC }, +- { X86_FEATURE_CQM_MBM_TOTAL, X86_FEATURE_CQM_LLC }, +- { X86_FEATURE_CQM_MBM_LOCAL, X86_FEATURE_CQM_LLC }, + {} + }; + +--- a/arch/x86/kernel/cpu/scattered.c ++++ b/arch/x86/kernel/cpu/scattered.c +@@ -21,10 +21,6 @@ struct cpuid_bit { + static const struct cpuid_bit cpuid_bits[] = { + { X86_FEATURE_APERFMPERF, CPUID_ECX, 0, 0x00000006, 0 }, + { X86_FEATURE_EPB, CPUID_ECX, 3, 0x00000006, 0 }, +- { X86_FEATURE_CQM_LLC, CPUID_EDX, 1, 0x0000000f, 0 }, +- { X86_FEATURE_CQM_OCCUP_LLC, CPUID_EDX, 0, 0x0000000f, 1 }, +- { X86_FEATURE_CQM_MBM_TOTAL, CPUID_EDX, 1, 0x0000000f, 1 }, +- { X86_FEATURE_CQM_MBM_LOCAL, CPUID_EDX, 2, 0x0000000f, 1 }, + { X86_FEATURE_CAT_L3, CPUID_EBX, 1, 0x00000010, 0 }, + { X86_FEATURE_CAT_L2, CPUID_EBX, 2, 0x00000010, 0 }, + { X86_FEATURE_CDP_L3, CPUID_ECX, 2, 0x00000010, 1 }, +--- a/arch/x86/kvm/cpuid.h ++++ b/arch/x86/kvm/cpuid.h +@@ -47,6 +47,8 @@ static const struct cpuid_reg reverse_cp + [CPUID_8000_0001_ECX] = {0x80000001, 0, CPUID_ECX}, + [CPUID_7_0_EBX] = { 7, 0, CPUID_EBX}, + [CPUID_D_1_EAX] = { 0xd, 1, CPUID_EAX}, ++ [CPUID_F_0_EDX] = { 0xf, 0, CPUID_EDX}, ++ [CPUID_F_1_EDX] = { 0xf, 1, CPUID_EDX}, + 
[CPUID_8000_0008_EBX] = {0x80000008, 0, CPUID_EBX}, + [CPUID_6_EAX] = { 6, 0, CPUID_EAX}, + [CPUID_8000_000A_EDX] = {0x8000000a, 0, CPUID_EDX}, diff --git a/debian/patches/debian/abi/x86-cpufeatures-move-swapgs-feature-bits-to-existing.patch b/debian/patches/debian/abi/x86-cpufeatures-move-swapgs-feature-bits-to-existing.patch new file mode 100644 index 000000000..df6f58e76 --- /dev/null +++ b/debian/patches/debian/abi/x86-cpufeatures-move-swapgs-feature-bits-to-existing.patch 
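Review bot: The restored `init_cqm()` assigns `c->x86_cache_max_rmid` and `c->x86_cache_occ_scale` only inside `if (c->cpuid_level >= 0x0000000F)`, so on a CPU below that CPUID level neither field is set to -1 here, whereas the version being removed set both to -1 whenever `X86_FEATURE_CQM_LLC` was absent. In the restored code `x86_cache_occ_scale` is also left untouched when `X86_FEATURE_CQM_LLC` is set but none of the three occupancy/MBM bits are. Whether the fields are initialised elsewhere is not visible in this hunk; if they are not, placing `c->x86_cache_max_rmid = -1;` and `c->x86_cache_occ_scale = -1;` ahead of the `cpuid_level` check would keep the defaults of the reverted version without changing any feature-bit numbering. If the pre-existing behaviour is intended for ABI stability, a one-line comment saying so in the patch description would settle it.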
@@ -0,0 +1,37 @@
+From: Ben Hutchings
+Date: Thu, 08 Aug 2019 02:40:23 +0100
+Subject: x86/cpufeatures: Move swapgs feature bits to existing scattered words
+Forwarded: not-needed
+
+Renumbering CPU feature bits is a kABI change (even if genksyms
+doesn't notice it). Move the new feature bits for the mitigations to
+spare bits in the existing "scattered" feature words.
+
+---
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -108,6 +108,7 @@
+ #define X86_FEATURE_EXTD_APICID ( 3*32+26) /* Extended APICID (8 bits) */
+ #define X86_FEATURE_AMD_DCM ( 3*32+27) /* AMD multi-node processor */
+ #define X86_FEATURE_APERFMPERF ( 3*32+28) /* P-State hardware coordination feedback capability (APERF/MPERF MSRs) */
++#define X86_FEATURE_FENCE_SWAPGS_USER ( 3*32+29) /* "" LFENCE in user entry SWAPGS path */
+ #define X86_FEATURE_NONSTOP_TSC_S3 ( 3*32+30) /* TSC doesn't stop in S3 state */
+ #define X86_FEATURE_TSC_KNOWN_FREQ ( 3*32+31) /* TSC has known frequency */
+
+@@ -221,6 +222,7 @@
+ #define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
+ #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
+ #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
++#define X86_FEATURE_FENCE_SWAPGS_KERNEL ( 7*32+31) /* "" LFENCE in kernel entry SWAPGS path */
+
+ /* Virtualization flags: Linux defined, word 8 */
+ #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
+@@ -279,8 +281,6 @@
+ #define X86_FEATURE_CQM_OCCUP_LLC (11*32+ 1) /* LLC occupancy monitoring */
+ #define X86_FEATURE_CQM_MBM_TOTAL (11*32+ 2) /* LLC Total MBM monitoring */
+ #define X86_FEATURE_CQM_MBM_LOCAL (11*32+ 3) /* LLC Local MBM monitoring */
+-#define X86_FEATURE_FENCE_SWAPGS_USER (11*32+ 4) /* "" LFENCE in user entry SWAPGS path */
+-#define X86_FEATURE_FENCE_SWAPGS_KERNEL (11*32+ 5) /* "" LFENCE in kernel entry SWAPGS path */
+
+ /* AMD-defined CPU features, CPUID level 0x80000008 (EBX), word 13 */
+ #define X86_FEATURE_CLZERO (13*32+ 0) /* CLZERO instruction */
diff --git a/debian/patches/series b/debian/patches/series
index 37da9881b..d1c1e941a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -302,3 +302,5 @@ features/all/ena/0018-net-ena-update-driver-version-from-2.0.1-to-2.0.2.patch
 # ABI maintenance
 debian/abi/tcp-avoid-abi-change-for-dos-fixes.patch
+debian/abi/x86-cpufeatures-move-swapgs-feature-bits-to-existing.patch
+debian/abi/revert-x86-cpufeatures-combine-word-11-and-12-into-a-new-sc.patch
From 95a59b0c5d0545107b56a340d3f148d8e2c9d3ad Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Thu, 8 Aug 2019 03:01:19 +0100
Subject: [PATCH 18/19] inet: Avoid ABI change for IP ID hash change
---
 debian/changelog | 1 +
 ...oid-abi-change-for-ip-id-hash-change.patch | 75 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 77 insertions(+)
 create mode 100644 debian/patches/debian/abi/inet-avoid-abi-change-for-ip-id-hash-change.patch
diff --git a/debian/changelog b/debian/changelog
index 7809e5081..67f992795 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -30,6 +30,7 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium
 - Move swapgs feature bits to existing scattered words
 - Revert "x86/cpufeatures: Combine word 11 and 12 into a new scattered
 features word"
+ * inet: Avoid ABI change for IP ID hash change
 -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200
diff --git a/debian/patches/debian/abi/inet-avoid-abi-change-for-ip-id-hash-change.patch b/debian/patches/debian/abi/inet-avoid-abi-change-for-ip-id-hash-change.patch
new file mode 100644
index 000000000..6b872b9d6
--- /dev/null
+++ b/debian/patches/debian/abi/inet-avoid-abi-change-for-ip-id-hash-change.patch
@@ -0,0 +1,75 @@
+From: Ben Hutchings
+Date: Thu, 08 Aug 2019 02:59:40 +0100
+Subject: inet: Avoid ABI change for IP ID hash change
+Forwarded: not-needed
+
+"inet: switch IP ID generator to siphash" adds a new member to struct
+netns_ipv4. Since this is embedded in struct net, it changes the
+offsets of all the following members. However struct net itself is
+not embedded in anything, and is always allocated by built-in code.
+So move the new member to the end of struct net, and hide it from
+genksyms.
+
+Also hide the added element and member from modules, as they won't be
+able to rely on their being present until we bump ABI.
+
+---
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -163,6 +163,7 @@ struct net {
+ atomic_t fnhe_genid;
+ #if !defined(__GENKSYMS__) && !defined(MODULE)
+ int ipv4_sysctl_tcp_min_snd_mss;
++ siphash_key_t ipv4_ip_id_key;
+ #endif
+ } __randomize_layout;
+
+--- a/include/net/netns/ipv4.h
++++ b/include/net/netns/ipv4.h
+@@ -216,6 +216,6 @@ struct netns_ipv4 {
+ unsigned int ipmr_seq; /* protected by rtnl_mutex */
+
+ atomic_t rt_genid;
+- siphash_key_t ip_id_key;
++ /* siphash_key_t ip_id_key; - bwh: moved to end of struct net */
+ };
+ #endif
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -503,14 +503,14 @@ void __ip_select_ident(struct net *net,
+ u32 hash, id;
+
+ /* Note the following code is not safe, but this is okay. */
+- if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
+- get_random_bytes(&net->ipv4.ip_id_key,
+- sizeof(net->ipv4.ip_id_key));
++ if (unlikely(siphash_key_is_zero(&net->ipv4_ip_id_key)))
++ get_random_bytes(&net->ipv4_ip_id_key,
++ sizeof(net->ipv4_ip_id_key));
+
+ hash = siphash_3u32((__force u32)iph->daddr,
+ (__force u32)iph->saddr,
+ iph->protocol,
+- &net->ipv4.ip_id_key);
++ &net->ipv4_ip_id_key);
+ id = ip_idents_reserve(hash, segs);
+ iph->id = htons(id);
+ }
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -24,11 +24,11 @@ static u32 __ipv6_select_ident(struct ne
+ u32 hash, id;
+
+ /* Note the following code is not safe, but this is okay. */
+- if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
+- get_random_bytes(&net->ipv4.ip_id_key,
+- sizeof(net->ipv4.ip_id_key));
++ if (unlikely(siphash_key_is_zero(&net->ipv4_ip_id_key)))
++ get_random_bytes(&net->ipv4_ip_id_key,
++ sizeof(net->ipv4_ip_id_key));
+
+- hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
++ hash = siphash(&combined, sizeof(combined), &net->ipv4_ip_id_key);
+
+ /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
+ * set the hight order instead thus minimizing possible future
diff --git a/debian/patches/series b/debian/patches/series
index d1c1e941a..f3c125d8f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -304,3 +304,4 @@ features/all/ena/0018-net-ena-update-driver-version-from-2.0.1-to-2.0.2.patch
 debian/abi/tcp-avoid-abi-change-for-dos-fixes.patch
 debian/abi/x86-cpufeatures-move-swapgs-feature-bits-to-existing.patch
 debian/abi/revert-x86-cpufeatures-combine-word-11-and-12-into-a-new-sc.patch
+debian/abi/inet-avoid-abi-change-for-ip-id-hash-change.patch
From 92fee68e1521171d5bc70e3fecb1ed88178c60e8 Mon Sep 17 00:00:00 2001
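Review bot: Hiding `ipv4_ip_id_key` behind `#if !defined(__GENKSYMS__) && !defined(MODULE)` in the net_namespace.h hunk is only safe while the hidden members sit after everything a module can see, and `struct net` is tagged `__randomize_layout`. If a build enabled CONFIG_GCC_PLUGIN_RANDSTRUCT (nothing in this patch shows whether it does), built-in code and modules would see different member lists and would likely get different shuffled layouts, so module accesses to `struct net` could land on the wrong offsets. I would record that assumption next to the new member, for example `/* bwh: kABI - must stay last; assumes struct layout randomization is off */`. The definition of `struct net` starts outside the hunk, so the members above the `#if` block are not visible here.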
From: Ben Hutchings
Date: Thu, 8 Aug 2019 03:02:38 +0100
Subject: [PATCH 19/19] Prepare to release linux (4.19.37-5+deb10u2).
---
 debian/changelog | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 67f992795..d9f09a974 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium
+linux (4.19.37-5+deb10u2) buster-security; urgency=high
 [ Romain Perier ]
 * [x86] x86/insn-eval: Fix use-after-free access to LDT entry (CVE-2019-13233)
@@ -32,7 +32,7 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium
 features word"
 * inet: Avoid ABI change for IP ID hash change
- -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200
+ -- Ben Hutchings Thu, 08 Aug 2019 03:02:38 +0100
 linux (4.19.37-5+deb10u1) buster-security; urgency=high