Commit 3c5af882 authored by Salvatore Bonaccorso's avatar Salvatore Bonaccorso Committed by Lorenzo "Palinuro" Faletra
Browse files

Import Debian changes 4.16.12-1

linux (4.16.12-1) unstable; urgency=medium

  * New upstream stable update:
    - Revert "pinctrl: intel: Initialize GPIO properly when used through
    - [armhf] drm: bridge: dw-hdmi: Fix overflow workaround for Amlogic Meson
      GX SoCs
    - i40e: Fix attach VF to VM issue
    - tpm: cmd_ready command can be issued only after granting locality
    - tpm: tpm-interface: fix tpm_transmit/_cmd kdoc
    - tpm: add retry logic
    - Revert "ath10k: send (re)assoc peer command when NSS changed"
    - bonding: do not set slave_dev npinfo before slave_enable_netpoll in
    - docs: ip-sysctl.txt: fix name of some ipv6 variables
    - ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy
    - ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 pkts
    - KEYS: DNS: limit the length of option strings
    - l2tp: check sockaddr length in pppol2tp_connect()
    - llc: delete timers synchronously in llc_sk_free()
    - net: af_packet: fix race in PACKET_{R|T}X_RING
    - net: fix deadlock while clearing neighbor proxy table
    - [arm64,armhf] net: mvpp2: Fix DMA address mask size
    - net: qmi_wwan: add Wistron Neweb D19Q1
    - net/smc: fix shutdown in state SMC_LISTEN
    - net: stmmac: Disable ACS Feature for GMAC >= 4
    - packet: fix bitfield update race
    - pppoe: check sockaddr length in pppoe_connect()
    - Revert "macsec: missing dev_put() on error in macsec_newlink()"
    - sctp: do not check port in sctp_inet6_cmp_addr
    - strparser: Do not call mod_delayed_work with a timeout of LONG_MAX
    - strparser: Fix incorrect strp->need_bytes value.
    - tcp: clear tp->packets_out when purging write queue
    - tcp: don't read out-of-bounds opsize
    - tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets
    - team: avoid adding twice the same option to the event list
    - team: fix netconsole setup over team
    - tipc: add policy for TIPC_NLA_NET_ADDR
    - vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi
    - vmxnet3: fix incorrect dereference when rxvlan is disabled
    - [amd64,arm64] amd-xgbe: Add pre/post auto-negotiation phy hooks
    - [amd64,arm64] amd-xgbe: Improve KR auto-negotiation and training
    - [amd64,arm64] amd-xgbe: Only use the SFP supported transceiver signals
    - net: sched: ife: signal not finding metaid
    - net: sched: ife: handle malformed tlv length
    - net: sched: ife: check on metadata length
    - l2tp: hold reference on tunnels in netlink dumps
    - l2tp: hold reference on tunnels printed in pppol2tp proc file
    - l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file
    - l2tp: fix {pppol2tp, l2tp_dfs}_seq_stop() in case of seq_file overflow
    - llc: hold llc_sap before release_sock()
    - llc: fix NULL pointer deref for SOCK_ZAPPED
    - [s390x] qeth: fix error handling in adapter command callbacks
    - [s390x] qeth: avoid control IO completion stalls
    - [s390x] qeth: handle failure on workqueue creation
    - [armhf] net: ethernet: ti: cpsw: fix tx vlan priority mapping
    - net: validate attribute sizes in neigh_dump_table()
    - bnxt_en: Fix memory fault in bnxt_ethtool_init()
    - virtio-net: add missing virtqueue kick when flushing packets
    - VSOCK: make af_vsock.ko removable again
    - net: aquantia: Regression on reset with 1.x firmware
    - tun: fix vlan packet truncation
    - net: aquantia: oops when shutdown on already stopped device
    - virtio_net: split out ctrl buffer
    - virtio_net: fix adding vids on big-endian
    - Revert "mm/hmm: fix header file if/else/endif maze"
    - commoncap: Handle memory allocation failure.
    - scsi: mptsas: Disable WRITE SAME
    - cdrom: information leak in cdrom_ioctl_media_changed() (CVE-2018-10940)
    - fsnotify: Fix fsnotify_mark_connector race
    - [m68k] mac: Don't remap SWIM MMIO region
    - [m68k] block/swim: Check drive type
    - [m68k] block/swim: Don't log an error message for an invalid ioctl
    - [m68k] block/swim: Remove extra put_disk() call from error path
    - [m68k] block/swim: Rename macros to avoid inconsistent inverted logic
    - [m68k] block/swim: Select appropriate drive on device open
    - [m68k] block/swim: Fix array bounds check
    - [m68k] block/swim: Fix IO error at end of medium
    - tracing: Fix missing tab for hwlat_detector print format
    - hwmon: (k10temp) Add temperature offset for Ryzen 2700X
    - hwmon: (k10temp) Add support for AMD Ryzen w/ Vega graphics
    - [s390x] cio: update chpid descriptor after resource accessibility event
    - [s390x] dasd: fix IO error for newly defined devices
    - [s390x] uprobes: implement arch_uretprobe_is_alive()
    - [s390x] cpum_cf: rename IBM z13/z14 counter names
    - kprobes: Fix random address output of blacklist file
    - ACPI / video: Only default only_lcd to true on Win8-ready _desktops_
    - ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS
    - ext4: set h_journal if there is a failure starting a reserved handle
    - ext4: add MODULE_SOFTDEP to ensure crc32c is included in the initramfs
    - random: set up the NUMA crng instances after the CRNG is fully
    - random: fix possible sleeping allocation from irq context
    - random: rate limit unseeded randomness warnings
    - usbip: usbip_event: fix to not print kernel pointer address
    - usbip: usbip_host: fix to hold parent lock for device_attach() calls
    - usbip: vhci_hcd: Fix usb device and sockfd leaks
    - usbip: vhci_hcd: check rhport before using in vhci_hub_control()
    - Revert "xhci: plat: Register shutdown for xhci_plat"
    - xhci: Fix USB ports for Dell Inspiron 5775
    - USB: serial: simple: add libtransistor console
    - USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster
    - USB: serial: cp210x: add ID for NI USB serial console
    - [arm64] serial: mvebu-uart: Fix local flags handling on termios update
    - usb: typec: ucsi: Increase command completion timeout value
    - usb: core: Add quirk for HP v222w 16GB Mini
    - USB: Increment wakeup count on remote wakeup.
    - ALSA: usb-audio: Skip broken EU on Dell dock USB-audio
    - virtio: add ability to iterate over vqs
    - virtio_console: don't tie bufs to a vq
    - virtio_console: free buffers after reset
    - virtio_console: drop custom control queue cleanup
    - virtio_console: move removal code
    - virtio_console: reset on out of memory
    - drm/virtio: fix vq wait_event condition
    - tty: Don't call panic() at tty_ldisc_init()
    - tty: n_gsm: Fix long delays with control frame timeouts in ADM mode
    - tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set
    - tty: Avoid possible error pointer dereference at tty_ldisc_restore().
    - tty: Use __GFP_NOFAIL for tty_ldisc_get()
    - ALSA: dice: fix OUI for TC group
    - ALSA: dice: fix error path to destroy initialized stream data
    - ALSA: hda - Skip jack and others for non-existing PCM streams
    - ALSA: opl3: Hardening for potential Spectre v1
    - ALSA: asihpi: Hardening for potential Spectre v1
    - ALSA: hdspm: Hardening for potential Spectre v1
    - ALSA: rme9652: Hardening for potential Spectre v1
    - ALSA: control: Hardening for potential Spectre v1
    - ALSA: pcm: Return negative delays from SNDRV_PCM_IOCTL_DELAY.
    - ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr
    - ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device
    - ALSA: seq: oss: Hardening for potential Spectre v1
    - ALSA: hda: Hardening for potential Spectre v1
    - ALSA: hda/realtek - Add some fixes for ALC233
    - ALSA: hda/realtek - Update ALC255 depop optimize
    - ALSA: hda/realtek - change the location for one of two front mics
    - mtd: spi-nor: cadence-quadspi: Fix page fault kernel panic
    - mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.
    - mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.
    - mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.
    - mtd: rawnand: tango: Fix struct clk memory leak
    - mtd: rawnand: marvell: fix the chip-select DT parsing logic
    - kobject: don't use WARN for registration failures
    - scsi: sd_zbc: Avoid that resetting a zone fails sporadically
    - scsi: sd: Defer spinning up drive while SANITIZE is in progress
    - blk-mq: start request gstate with gen 1
    - bfq-iosched: ensure to clear bic/bfqq pointers when preparing request
    - block: do not use interruptible wait anywhere
    - [s390x] vfio: ccw: process ssch with interrupts disabled
    - [arm64] PCI: aardvark: Fix logic in advk_pcie_{rd,wr}_conf()
    - [arm64] PCI: aardvark: Set PIO_ADDR_LS correctly in advk_pcie_rd_conf()
    - [arm64] PCI: aardvark: Use ISR1 instead of ISR0 interrupt in legacy irq
    - [arm64] PCI: aardvark: Fix PCIe Max Read Request Size setting
    - [armhf,arm64] KVM: Close VMID generation race
    - [powerpc*] mm: Flush cache on memory hot(un)plug
    - [powerpc*] mce: Fix a bug where mce loops on memory UE.
    - [powerpc*] powernv/npu: Do a PID GPU TLB flush when invalidating a large
      address range
    - crypto: drbg - set freed buffers to NULL
    - libceph: un-backoff on tick when we have a authenticated session
    - libceph: reschedule a tick in finish_hunting()
    - libceph: validate con->state at the top of try_write()
    - PCI / PM: Do not clear state_saved in pci_pm_freeze() when smart suspend
      is set
    - module: Fix display of wrong module .text address
    - earlycon: Use a pointer table to fix __earlycon_table stride
    - [powerpc*] cpufreq: powernv: Fix hardlockup due to synchronous smp_call
      in timer interrupt
    - [powerpc*] rtc: opal: Fix OPAL RTC driver OPAL_BUSY loops
    - drm/edid: Reset more of the display info
    - drm/amdgpu: set COMPUTE_PGM_RSRC1 for SGPR/VGPR clearing shaders
    - [x86] drm/i915/fbdev: Enable late fbdev initial configuration
    - [x86] drm/i915/audio: set minimum CD clock to twice the BCLK
    - [x86] drm/i915: Enable display WA#1183 from its correct spot
    - drm/amd/display: Fix deadlock when flushing irq
    - drm/amd/display: Don't read EDID in atomic_check
    - drm/amd/display: Disallow enabling CRTC without primary plane with FB
    - objtool, perf: Fix GCC 8 -Wrestrict error
    - [x86] ipc: Fix x32 version of shmid64_ds and msqid64_ds
    - [x86] smpboot: Don't use mwait_play_dead() on AMD systems
    - [x86] microcode/intel: Save microcode patch unconditionally
    - [x86] microcode: Do not exit early from __reload_late()
    - tick/sched: Do not mess with an enqueued hrtimer
    - [x86] crypto: ccp - add check to get PSP master only when PSP is
    - [armhf,arm64] KVM: Add PSCI version selection API
    - ACPI / button: make module loadable when booted in non-ACPI mode
    - [arm64] Add work around for Arm Cortex-A55 Erratum 1024718
    - ALSA: hda - Fix incorrect usage of IS_REACHABLE()
    - ALSA: pcm: Check PCM state at xfern compat ioctl
    - ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
    - ALSA: dice: fix kernel NULL pointer dereference due to invalid
      calculation for array index
    - ALSA: aloop: Mark paused device as inactive
    - ALSA: aloop: Add missing cable lock to ctl API callbacks
    - errseq: Always report a writeback error once
    - tracepoint: Do not warn on ENOMEM
    - scsi: target: Fix fortify_panic kernel exception
    - Input: leds - fix out of bound access
    - Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook
    - swiotlb: fix inversed DMA_ATTR_NO_WARN test
    - rtlwifi: cleanup 8723be ant_sel definition
    - xfs: prevent creating negative-sized file via INSERT_RANGE
    - RDMA/cxgb4: release hw resources on device removal
    - RDMA/ucma: Allow resolving address w/o specifying source address
    - RDMA/mlx5: Fix multiple NULL-ptr deref errors in rereg_mr flow
    - RDMA/mlx4: Add missed RSS hash inner header flag
    - RDMA/mlx5: Protect from shift operand overflow
    - NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2
    - IB/mlx5: Use unlimited rate when static rate is not supported
    - infiniband: mlx5: fix build errors when INFINIBAND_USER_ACCESS=m
    - IB/hfi1: Fix handling of FECN marked multicast packet
    - IB/hfi1: Fix loss of BECN with AHG
    - IB/hfi1: Fix NULL pointer dereference when invalid num_vls is used
    - iw_cxgb4: Atomically flush per QP HW CQEs
    - btrfs: Take trans lock before access running trans in check_delayed_ref
    - [arm64,armhf] drm/vc4: Make sure vc4_bo_{inc,dec}_usecnt() calls are
    - [x86] drm/vmwgfx: Fix a buffer object leak
    - drm/bridge: vga-dac: Fix edid memory leak
    - xhci: Fix use-after-free in xhci_free_virt_device
    - USB: serial: visor: handle potential invalid device configuration
    - [arm64,armhf] usb: dwc3: gadget: Fix list_del corruption in
    - USB: Accept bulk endpoints with 1024-byte maxpacket
    - USB: serial: option: reimplement interface masking
    - USB: serial: option: adding support for ublox R410M
    - [arm64,armhf] usb: musb: host: fix potential NULL pointer dereference
    - [arm64, armhf] usb: musb: trace: fix NULL pointer dereference in
    - [x86] platform/x86: asus-wireless: Fix NULL pointer dereference
    - [x86] platform/x86: Kconfig: Fix dell-laptop dependency chain.
    - [x86] KVM: remove APIC Timer periodic/oneshot spikes
    - [x86] tsc: Always unregister clocksource_tsc_early
    - [x86] tsc: Fix mark_tsc_unstable()
    - [arm64] irqchip/qcom: Fix check for spurious interrupts
    - clocksource: Allow clocksource_mark_unstable() on unregistered
    - clocksource: Initialize cs->wd_list
    - clocksource: Consistent de-rate when marking unstable
    - tracing: Fix bad use of igrab in trace_uprobe.c
    - ipvs: fix rtnl_lock lockups caused by start_sync_thread
    - netfilter: ebtables: don't attempt to allocate 0-sized compat array
    - clk: ti: fix flag space conflict with clkctrl clocks
    - rds: tcp: must use spin_lock_irq* and not spin_lock_bh with
    - crypto: af_alg - fix possible uninit-value in alg_bind()
    - netlink: fix uninit-value in netlink_sendmsg
    - net: fix rtnh_ok()
    - net: initialize skb->peeked when cloning
    - net: fix uninit-value in __hw_addr_add_ex()
    - dccp: initialize ireq->ir_mark
    - ipv4: fix uninit-value in ip_route_output_key_hash_rcu()
    - soreuseport: initialise timewait reuseport field
    - inetpeer: fix uninit-value in inet_getpeer
    - bpf/tracing: fix a deadlock in perf_event_detach_bpf_prog
    - memcg: fix per_node_info cleanup
    - perf: Remove superfluous allocation error check
    - i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr()
    - tcp: fix TCP_REPAIR_QUEUE bound checking
    - bdi: wake up concurrent wb_shutdown() callers.
    - bdi: Fix use after free bug in debugfs_remove()
    - bdi: Fix oops in wb_workfn()
    - compat: fix 4-byte infoleak via uninitialized struct field
    - gpioib: do not free unrequested descriptors
    - gpio: fix error path in lineevent_create
    - rfkill: gpio: fix memory leak in probe error path
    - libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs
    - dm integrity: use kvfree for kvmalloc'd memory
    - tracing: Fix regex_match_front() to not over compare the test string
    - mm: sections are not offlined during memory hotremove
    - mm, oom: fix concurrent munlock and oom reaper unmap (CVE-2018-1000200)
    - ceph: fix rsize/wsize capping in ceph_direct_read_write()
    - can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg()
    - [armhf,arm64] drm/vc4: Fix scaling of uni-planar formats
    - drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages
    - [x86] drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log
    - [x86] drm/i915: Adjust eDP's logical vco in a reliable place.
    - drm/nouveau: Fix deadlock in nv50_mstm_register_connector()
      (Closes: #898825)
    - drm/nouveau/ttm: don't dereference nvbo::cli, it can outlive client
    - drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear()
    - drm/atomic: Clean private obj old_state/new_state in
    - net: atm: Fix potential Spectre v1
    - atm: zatm: Fix potential Spectre v1
    - PCI / PM: Always check PME wakeup capability for runtime wakeup support
    - PCI / PM: Check device_may_wakeup() in pci_enable_wake()
    - cpufreq: schedutil: Avoid using invalid next_freq
    - Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174"
    - [x86] Bluetooth: btusb: Add Dell XPS 13 9360 to
    - Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome
    - [armhf] thermal: exynos: Reading temperature makes sense only when TMU is
      turned on
    - [armhf] thermal: exynos: Propagate error value from tmu_read()
    - nvme: add quirk to force medium priority for SQ creation
    - nvme: Fix sync controller reset return
    - smb3: directory sync should not return an error
    - swiotlb: silent unwanted warning "buffer is full"
    - sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[]
    - sched/autogroup: Fix possible Spectre-v1 indexing for
    - tracing/uprobe_event: Fix strncpy corner case
    - [x86] perf: Fix possible Spectre-v1 indexing for hw_perf_event cache_*
    - [x86] perf/cstate: Fix possible Spectre-v1 indexing for pkg_msr
    - [x86] perf/msr: Fix possible Spectre-v1 indexing in the MSR driver
    - perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]
    - [x86] perf: Fix possible Spectre-v1 indexing for x86_pmu::event_map()
    - 8139too: Use disable_irq_nosync() in rtl8139_poll_controller()
    - bridge: check iface upper dev when setting master via ioctl
    - dccp: fix tasklet usage
    - ipv4: fix fnhe usage by non-cached routes
    - ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
    - llc: better deal with too small mtu
    - net: ethernet: sun: niu set correct packet size in skb
    - [armhf] net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode
    - net/mlx4_en: Fix an error handling path in 'mlx4_en_init_netdev()'
    - net/mlx4_en: Verify coalescing parameters are in range
    - net/mlx5e: Err if asked to offload TC match on frag being first
    - net/mlx5: E-Switch, Include VF RDMA stats in vport statistics
    - net sched actions: fix refcnt leak in skbmod
    - net_sched: fq: take care of throttled flows before reuse
    - net: support compat 64-bit time in {s,g}etsockopt
    - openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is
    - qmi_wwan: do not steal interfaces from class drivers
    - r8169: fix powering up RTL8168h
    - rds: do not leak kernel memory to user land
    - sctp: delay the authentication for the duplicated cookie-echo chunk
    - sctp: fix the issue that the cookie-ack with auth can't get processed
    - sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr
    - sctp: remove sctp_chunk_put from fail_mark err path in
    - sctp: use the old asoc when making the cookie-ack chunk in dupcook_d
    - tcp_bbr: fix to zero idle_restart only upon S/ACKed data
    - tcp: ignore Fast Open on repair mode
    - tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent().
    - bonding: do not allow rlb updates to invalid mac
    - bonding: send learning packets for vlans on slave
    - net: sched: fix error path in tcf_proto_create() when modules are not
    - net/mlx5e: TX, Use correct counter in dma_map error flow
    - net/mlx5: Avoid cleaning flow steering table twice during error flow
    - [x86] hv_netvsc: set master device
    - ipv6: fix uninit-value in ip6_multipath_l3_keys()
    - net/mlx5e: Allow offloading ipv4 header re-write for icmp
    - udp: fix SO_BINDTODEVICE
    - net/mlx5e: DCBNL fix min inline header size for dscp
    - sctp: clear the new asoc's stream outcnt in sctp_stream_update
    - tcp: restore autocorking
    - tipc: fix one byte leak in tipc_sk_set_orig_addr()
    - [x86] hv_netvsc: Fix net device attach on older Windows hosts
    - ipv4: reset fnhe_mtu_locked after cache route flushed
    - net/mlx5: Fix mlx5_get_vector_affinity function
    - net: phy: sfp: fix the BR,min computation
    - net/smc: keep clcsock reference in smc_tcp_listen_work()
    - scsi: aacraid: Correct hba_send to include iu_type
    - proc: do not access cmdline nor environ from file-backed areas
    - xhci: Fix USB3 NULL pointer dereference at logical disconnect.
    - usbip: usbip_host: refine probe and disconnect debug msgs to be useful
    - usbip: usbip_host: delete device from busid_table after rebind
    - usbip: usbip_host: run rebind from exit when module is removed
    - usbip: usbip_host: fix NULL-ptr deref and use-after-free errors
    - usbip: usbip_host: fix bad unlock balance during stub_probe()
    - ALSA: usb: mixer: volume quirk for CM102-A+/102S+
    - ALSA: hda/realtek - Clevo P950ER ALC1220 Fixup
    - ALSA: hda: Add Lenovo C50 All in one to the power_save blacklist
    - ALSA: control: fix a redundant-copy issue
    - [amd64] spi: pxa2xx: Allow 64-bit DMA
    - KVM: vmx: update sec exec controls for UMIP iff emulating UMIP
    - [armhf,arm64] KVM: Properly protect VGIC locks from IRQs
    - [armhf,arm64] KVM: VGIC/ITS: Promote irq_lock() in update_affinity
    - [armhf,arm64] KVM: VGIC/ITS save/restore: protect kvm_read_guest() calls
    - [armhf,arm64] KVM: VGIC/ITS: protect kvm_read_guest() calls with SRCU
    - hwmon: (k10temp) Fix reading critical temperature register
    - hwmon: (k10temp) Use API function to access System Management Network
    - [s390x] vfio: ccw: fix cleanup if cp_prefetch fails
    - tracing/x86/xen: Remove zero data size trace events
    - vsprintf: Replace memory barrier with static_key for random_ptr_key
    - [x86] amd_nb: Add support for Raven Ridge CPUs
    - [arm64] tee: shm: fix use-after-free via temporarily dropped reference
    - netfilter: nf_tables: free set name in error path
    - netfilter: nf_tables: can't fail after linking rule into active rule
    - netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static
    - [arm64] dts: marvell: armada-cp110: Add clocks for the xmdio node
    - [arm64] dts: marvell: armada-cp110: Add mg_core_clk for ethernet node
    - i2c: designware: fix poll-after-enable regression
    - mtd: rawnand: marvell: Fix read logic for layouts with ->nchunks > 2
    - [powerpc*] powerpc/powernv: Fix NVRAM sleep in invalid context when
    - drm: Match sysfs name in link removal to link creation
    - radix tree: fix multi-order iteration race
    - mm: don't allow deferred pages with NEED_PER_CPU_KM
    - [x86] drm/i915/gen9: Add WaClearHIZ_WM_CHICKEN3 for bxt and glk
    - [s390x] qdio: fix access to uninitialized qdio_q fields
    - [s390x] cpum_sf: ensure sample frequency of perf event attributes is
    - [s390x] qdio: don't release memory in qdio_setup_irq()
    - [s390x] remove indirect branch from do_softirq_own_stack
    - bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n
    - [x86] pkeys: Override pkey when moving away from PROT_EXEC
    - [x86] pkeys: Do not special case protection key 0
    - efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32'
      definition for mixed mode
    - [arm*] 8771/1: kprobes: Prohibit kprobes on do_undefinstr
    - [x86] apic/x2apic: Initialize cluster ID properly
    - [x86] mm: Drop TS_COMPAT on 64-bit exec() syscall
    - tick/broadcast: Use for_each_cpu() specially on UP kernels
    - [arm*] 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed
    - [arm*] 8770/1: kprobes: Prohibit probing on optimized_callback
    - [arm*] 8772/1: kprobes: Prohibit kprobes on get_user functions
    - Btrfs: fix xattr loss after power failure
    - Btrfs: send, fix invalid access to commit roots due to concurrent
    - btrfs: property: Set incompat flag if lzo/zstd compression is set
    - btrfs: fix crash when trying to resume balance without the resume flag
    - btrfs: Split btrfs_del_delalloc_inode into 2 functions
    - btrfs: Fix delalloc inodes invalidation during transaction abort
    - btrfs: fix reading stale metadata blocks after degraded raid1 mounts
    - x86/nospec: Simplify alternative_msr_write()
    - x86/bugs: Concentrate bug detection into a separate function
    - x86/bugs: Concentrate bug reporting into a separate function
    - x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits
    - x86/bugs, KVM: Support the combination of guest and host IBRS
    - x86/bugs: Expose /sys/../spec_store_bypass
    - x86/cpufeatures: Add X86_FEATURE_RDS
    - x86/bugs: Provide boot parameters for the spec_store_bypass_disable
    - x86/bugs/intel: Set proper CPU features and setup RDS
    - x86/bugs: Whitelist allowed SPEC_CTRL MSR values
    - x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if requested
    - x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest
    - x86/speculation: Create spec-ctrl.h to avoid include hell
    - prctl: Add speculation control prctls
    - x86/process: Allow runtime control of Speculative Store Bypass
    - x86/speculation: Add prctl for Speculative Store Bypass mitigation
    - nospec: Allow getting/setting on non-current task
    - proc: Provide details on speculation flaw mitigations
    - seccomp: Enable speculation flaw mitigations
    - x86/bugs: Make boot modes __ro_after_init
    - prctl: Add force disable speculation
    - seccomp: Use PR_SPEC_FORCE_DISABLE
    - seccomp: Add filter flag to opt-out of SSB mitigation
    - seccomp: Move speculation migitation control to arch code
    - x86/speculation: Make "seccomp" the default mode for Speculative Store
    - x86/bugs: Rename _RDS to _SSBD
    - proc: Use underscores for SSBD in 'status'
    - Documentation/spec_ctrl: Do some minor cleanups
    - x86/bugs: Fix __ssb_select_mitigation() return type
    - x86/bugs: Make cpu_show_common() static
    - x86/bugs: Fix the parameters alignment and missing void
    - x86/cpu: Make alternative_msr_write work for 32-bit code
    - KVM: SVM: Move spec control call after restore of GS
    - x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
    - x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS
    - x86/cpufeatures: Disentangle SSBD enumeration
    - x86/cpufeatures: Add FEATURE_ZEN
    - x86/speculation: Handle HT correctly on AMD
    - x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL
    - x86/speculation: Add virtualized speculative store bypass disable
    - x86/speculation: Rework speculative_store_bypass_update()
    - x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host}
    - x86/bugs: Expose x86_spec_ctrl_base directly
    - x86/bugs: Remove x86_spec_ctrl_set()
    - x86/bugs: Rework spec_ctrl base and mask logic
    - x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG
    - KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
    - x86/bugs: Rename SSBD_NO to SSB_NO
    - bpf: Prevent memory disambiguation attack
    - net/mlx5: Fix build break when CONFIG_SMP=n
    - net: Fix a bug in removing queues from XPS map
    - net/mlx4_core: Fix error handling in mlx4_init_port_info.
    - net/sched: fix refcnt leak in the error path of tcf_vlan_init()
    - net: sched: red: avoid hashing NULL child
    - net/smc: check for missing nlattrs in SMC_PNETID messages
    - net: test tailroom before appending to linear skb
    - packet: in packet_snd start writing at link layer allocation
    - sock_diag: fix use-after-free read in __sk_free
    - tcp: purge write queue in tcp_connect_init()
    - tun: fix use after free for ptr_ring
    - tuntap: fix use after free during release
    - cxgb4: Correct ntuple mask validation for hash filters
    - [armhf] net: dsa: bcm_sf2: Fix RX_CLS_LOC_ANY overwrite for last rule
    - net: dsa: Do not register devlink for unused ports
    - [armhf] net: dsa: bcm_sf2: Fix IPv6 rules and chain ID
    - [armhf] net: dsa: bcm_sf2: Fix IPv6 rule half deletion
    - 3c59x: convert to generic DMA API
    - cxgb4: fix offset in collecting TX rate limit info
    - vmxnet3: set the DMA mask before the first DMA map operation
    - vmxnet3: use DMA memory barriers where required
    - net: ip6_gre: Request headroom in __gre6_xmit()
    - net: ip6_gre: Fix headroom request in ip6erspan_tunnel_xmit()
    - net: ip6_gre: Split up ip6gre_tnl_link_config()
    - net: ip6_gre: Split up ip6gre_tnl_change()
    - net: ip6_gre: Split up ip6gre_newlink()
    - net: ip6_gre: Split up ip6gre_changelink()
    - net: ip6_gre: Fix ip6erspan hlen calculation
    - net: ip6_gre: fix tunnel metadata device sharing.
    - [sparc*]: vio: use put_device() instead of kfree()
    - ext2: fix a block leak
    - [powerpc*] rfi-flush: Always enable fallback flush on pseries
    - [powerpc*] Add security feature flags for Spectre/Meltdown
    - [powerpc*] pseries: Add new H_GET_CPU_CHARACTERISTICS flags
    - [powerpc*] pseries: Set or clear security feature flags
    - [powerpc*] powerpc/powernv: Set or clear security feature flags
    - [powerpc*] powerpc/64s: Move cpu_show_meltdown()
    - [powerpc*] powerpc/64s: Enhance the information in cpu_show_meltdown()
    - [powerpc*] powerpc/powernv: Use the security flags in
    - [powerpc*] powerpc/pseries: Use the security flags in
    - [powerpc*] powerpc/64s: Wire up cpu_show_spectre_v1()
    - [powerpc*] powerpc/64s: Wire up cpu_show_spectre_v2()
    - [powerpc*] powerpc/pseries: Fix clearing of security feature flags
    - [powerpc*] powerpc: Move default security feature flags
    - [powerpc*] powerpc/64s: Add support for a store forwarding barrier at
      kernel entry/exit
    - [s390x] move nobp parameter functions to nospec-branch.c
    - [s390x] add automatic detection of the spectre defense
    - [s390x] report spectre mitigation via syslog
    - [s390x] add sysfs attributes for spectre
    - [s390x] add assembler macros for CPU alternatives
    - [s390x] correct nospec auto detection init order
    - [s390x] correct module section names for expoline code revert
    - [s390x] move expoline assembler macros to a header
    - [s390x] crc32-vx: use expoline for indirect branches
    - [s390x] lib: use expoline for indirect branches
    - [s390x] ftrace: use expoline for indirect branches
    - [s390x] kernel: use expoline for indirect branches
    - [s390x] move spectre sysfs attribute code
    - [s390x] extend expoline to BC instructions
    - [s390x] use expoline thunks in the BPF JIT
    - scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
    - [s390x] scsi: zfcp: fix infinite iteration on ERP ready list
    - Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB
    - ALSA: usb-audio: Add native DSD support for Luxman DA-06
    - [arm64,armhf] usb: dwc3: Add SoftReset PHY synchonization delay
    - [arm64,armhf] usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields
    - [arm64,armhf] usb: dwc3: Makefile: fix link error on randconfig
    - xhci: zero usb device slot_id member when disabling and freeing a xhci slot
    - [arm64,armhf] usb: dwc2: Fix interval type issue
    - [arm64,armhf] usb: dwc2: hcd: Fix host channel halt flow
    - [arm64,armhf] usb: dwc2: host: Fix transaction errors in host mode
    - usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS
    - media: em28xx: USB bulk packet size fix
    - Bluetooth: btusb: Add device ID for RTL8822BE
    - Bluetooth: btusb: Add support for Intel Bluetooth device 22560
    - xhci: Show what USB release number the xHC supports from protocol
    - loop: don't call into filesystem while holding lo_ctl_mutex
    - loop: fix LOOP_GET_STATUS lock imbalance
    - cfg80211: limit wiphy names to 128 bytes
    - hfsplus: stop workqueue when fill_super() failed
    - [x86] kexec: Avoid double free_page() upon do_kexec_load() failure
    - staging: bcm2835-audio: Release resources on module_exit()
    - staging: lustre: fix bug in osc_enter_cache_try
    - [x86] staging: rtl8192u: return -ENOMEM on failed allocation of
    - staging: lustre: lmv: correctly iput lmo_root
    - [arm64] crypto: inside-secure - move the digest to the request context
    - [arm64] crypto: inside-secure - wait for the request to complete if in
      the backlog
    - [x86] crypto: ccp - don't disable interrupts while setting up debugfs
    - [arm64] crypto: inside-secure - do not process request if no command was
    - [arm64] crypto: inside-secure - fix the cache_len computation
    - [arm64] crypto: inside-secure - fix the extra cache computation
    - [arm64] crypto: inside-secure - do not overwrite the threshold value
    - [armhf] crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss
    - [arm64] crypto: inside-secure - fix the invalidation step during
    - scsi: aacraid: Insure command thread is not recursively stopped
    - scsi: devinfo: add HP DISK-SUBSYSTEM device, for HP XP arrays
    - scsi: lpfc: Fix NVME Initiator FirstBurst
    - scsi: core: Make SCSI Status CONDITION MET equivalent to GOOD
    - scsi: mvsas: fix wrong endianness of sgpio api
    - scsi: lpfc: Fix issue_lip if link is disabled
    - scsi: lpfc: Fix nonrecovery of NVME controller after cable swap.
    - scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing
    - scsi: lpfc: Fix IO failure during hba reset testing with nvme io.
    - scsi: lpfc: Fix frequency of Release WQE CQEs
    - [armhf] clk: rockchip: Fix wrong parent for SDMMC phase clock for rk3228
    - clk: Don't show the incorrect clock phase
    - clk: hisilicon: mark wdt_mux_p[] as const
    - [arm64,armhf] clk: tegra: Fix pll_u rate configuration
    - [armhf] clk: rockchip: Prevent calculating mmc phase if clock rate is
    - [armhf] clk: samsung: s3c2410: Fix PLL rates
    - [armhf] clk: samsung: exynos7: Fix PLL rates
    - [armhf] clk: samsung: exynos5260: Fix PLL rates
    - [armhf] clk: samsung: exynos5433: Fix PLL rates
    - [armhf] clk: samsung: exynos5250: Fix PLL rates
    - [armhf] clk: samsung: exynos3250: Fix PLL rates
    - clk: meson: axg: fix the od shift of the sys_pll
    - clk: meson: axg: add the fractional part of the fixed_pll
    - media: cx23885: Override 888 ImpactVCBe crystal frequency
    - media: cx23885: Set subdev host data to clk_freq pointer
    - media: em28xx: Add Hauppauge SoloHD/DualHD bulk models
    - media: v4l: vsp1: Fix display stalls when requesting too many inputs
    - media: i2c: adv748x: fix HDMI field heights
    - media: vb2: Fix videobuf2 to map correct area
    - media: vivid: fix incorrect capabilities for radio
    - media: cx25821: prevent out-of-bounds read on array card
    - [arm64] serial: mvebu-uart: fix tx lost characters
    - [sh4] serial: sh-sci: Fix out-of-bounds access through DT alias
    - [armhf] serial: samsung: Fix out-of-bounds access through serial port
    - [armhf] serial: imx: Fix out-of-bounds access through serial port index
    - [armhf] serial: arc_uart: Fix out-of-bounds access through DT alias
    - [arm*] serial: 8250: Don't service RX FIFO if interrupts are disabled
    - [armhf] rtc: snvs: Fix usage of snvs_rtc_enable
    - rtc: hctosys: Ensure system time doesn't overflow time_t
    - [arm64,armhf] rtc: rk808: fix possible race condition
    - [armel/marvell] rtc: m41t80: fix race conditions
    - [m68k] rtc: rp5c01: fix possible race condition

  [ Romain Perier ]
  * [armhf] DRM: Enable DW_HDMI_AHB_AUDIO and DW_HDMI_CEC (Closes: #897204)
  * [armhf] MFD: Enable MFD_TPS65217 (Closes: #897590)

  [ Ben Hutchings ]
  * kbuild: use -fmacro-prefix-map to make __FILE__ a relative path
  * Bump ABI to 2
  * [rt] Update to 4.16.8-rt3
  * [x86] KVM: VMX: Expose SSBD properly to guests.

  [ Salvatore Bonaccorso ]
  * [rt] Update to 4.16.7-rt1 and reenable
  * [rt] certs: Reference certificate for test key used in Debian signing
parents 44a45543 f34edc87
......@@ -38,6 +38,7 @@ ENTRY(__get_user_1)
mov r0, #0
ret lr
check_uaccess r0, 2, r1, r2, __get_user_bad
......@@ -58,6 +59,7 @@ rb .req r0
mov r0, #0
ret lr
check_uaccess r0, 4, r1, r2, __get_user_bad
......@@ -65,6 +67,7 @@ ENTRY(__get_user_4)
mov r0, #0
ret lr
check_uaccess r0, 8, r1, r2, __get_user_bad8
......@@ -78,6 +81,7 @@ ENTRY(__get_user_8)
mov r0, #0
ret lr
#ifdef __ARMEB__
......@@ -91,6 +95,7 @@ ENTRY(__get_user_32t_8)
mov r0, #0
ret lr
check_uaccess r0, 1, r1, r2, __get_user_bad8
......@@ -98,6 +103,7 @@ ENTRY(__get_user_64t_1)
mov r0, #0
ret lr
check_uaccess r0, 2, r1, r2, __get_user_bad8
......@@ -114,6 +120,7 @@ rb .req r0
mov r0, #0
ret lr
check_uaccess r0, 4, r1, r2, __get_user_bad8
......@@ -121,6 +128,7 @@ ENTRY(__get_user_64t_4)
mov r0, #0
ret lr
......@@ -131,6 +139,8 @@ __get_user_bad:
ret lr
.pushsection __ex_table, "a"
.long 1b, __get_user_bad
......@@ -165,13 +165,14 @@ optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs)
unsigned long flags;
struct kprobe *p = &op->kp;
struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
struct kprobe_ctlblk *kcb;
/* Save skipped registers */
regs->ARM_pc = (unsigned long)op->kp.addr;
regs->ARM_ORIG_r0 = ~0UL;
kcb = get_kprobe_ctlblk();
if (kprobe_running()) {
......@@ -191,6 +192,7 @@ optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs)
int arch_prepare_optimized_kprobe(struct optimized_kprobe *op, struct kprobe *orig)
......@@ -464,6 +464,20 @@ config ARM64_ERRATUM_843419
If unsure, say Y.
config ARM64_ERRATUM_1024718
bool "Cortex-A55: 1024718: Update of DBM/AP bits without break before make might result in incorrect update"
default y
This option adds work around for Arm Cortex-A55 Erratum 1024718.
Affected Cortex-A55 cores (r0p0, r0p1, r1p0) could cause incorrect
update of the hardware dirty bit when the DBM/AP bits are updated
without a break-before-make. The work around is to disable the usage
of hardware DBM locally on the affected cores. CPUs not affected by
erratum will continue to use the feature.
If unsure, say Y.
config CAVIUM_ERRATUM_22375
bool "Cavium erratum 22375, 24313"
default y
......@@ -40,9 +40,10 @@ CP110_LABEL(ethernet): ethernet@0 {
compatible = "marvell,armada-7k-pp22";
reg = <0x0 0x100000>, <0x129000 0xb000>;
clocks = <&CP110_LABEL(clk) 1 3>, <&CP110_LABEL(clk) 1 9>,
<&CP110_LABEL(clk) 1 5>, <&CP110_LABEL(clk) 1 18>;
<&CP110_LABEL(clk) 1 5>, <&CP110_LABEL(clk) 1 6>,
<&CP110_LABEL(clk) 1 18>;
clock-names = "pp_clk", "gop_clk",
"mg_clk", "axi_clk";
"mg_clk", "mg_core_clk", "axi_clk";
marvell,system-controller = <&CP110_LABEL(syscon0)>;
status = "disabled";
......@@ -143,6 +144,8 @@ CP110_LABEL(xmdio): mdio@12a600 {
#size-cells = <0>;
compatible = "marvell,xmdio";
reg = <0x12a600 0x10>;
clocks = <&CP110_LABEL(clk) 1 5>,
<&CP110_LABEL(clk) 1 6>, <&CP110_LABEL(clk) 1 18>;
status = "disabled";
......@@ -25,6 +25,7 @@
#include <asm/asm-offsets.h>
#include <asm/cpufeature.h>
#include <asm/cputype.h>
#include <asm/debug-monitors.h>
#include <asm/page.h>
#include <asm/pgtable-hwdef.h>
......@@ -595,4 +596,43 @@ USER(\label, ic ivau, \tmp2) // invalidate I line PoU
* Check the MIDR_EL1 of the current CPU for a given model and a range of
* variant/revision. See asm/cputype.h for the macros used below.
* model: MIDR_CPU_MODEL of CPU
* rv_min: Minimum of MIDR_CPU_VAR_REV()
* rv_max: Maximum of MIDR_CPU_VAR_REV()
* res: Result register.
* tmp1, tmp2, tmp3: Temporary registers
* Corrupts: res, tmp1, tmp2, tmp3
* Returns: 0, if the CPU id doesn't match. Non-zero otherwise
.macro cpu_midr_match model, rv_min, rv_max, res, tmp1, tmp2, tmp3
mrs \res, midr_el1
mov_q \tmp2, MIDR_CPU_MODEL_MASK
and \tmp3, \res, \tmp2 // Extract model
and \tmp1, \res, \tmp1 // rev & variant
mov_q \tmp2, \model
cmp \tmp3, \tmp2
cset \res, eq
cbz \res, .Ldone\@ // Model matches ?
.if (\rv_min != 0) // Skip min check if rv_min == 0
mov_q \tmp3, \rv_min
cmp \tmp1, \tmp3
cset \res, ge
.endif // \rv_min != 0
/* Skip rv_max check if rv_min == rv_max && rv_min != 0 */
.if ((\rv_min != \rv_max) || \rv_min == 0)
mov_q \tmp2, \rv_max
cmp \tmp1, \tmp2
cset \tmp2, le
and \res, \res, \tmp2
#endif /* __ASM_ASSEMBLER_H */
......@@ -83,6 +83,7 @@
#define ARM_CPU_PART_CORTEX_A53 0xD03
#define ARM_CPU_PART_CORTEX_A73 0xD09
#define ARM_CPU_PART_CORTEX_A55 0xD05
#define APM_CPU_PART_POTENZA 0x000
......@@ -102,6 +103,7 @@
......@@ -75,6 +75,9 @@ struct kvm_arch {
/* Interrupt controller */
struct vgic_dist vgic;
/* Mandated version of PSCI */
u32 psci_version;
#define KVM_NR_MEM_OBJS 40
......@@ -348,6 +348,22 @@ static inline unsigned int kvm_get_vmid_bits(void)
return (cpuid_feature_extract_unsigned_field(reg, ID_AA64MMFR1_VMIDBITS_SHIFT) == 2) ? 16 : 8;
* We are not in the kvm->srcu critical section most of the time, so we take
* the SRCU read lock here. Since we copy the data from the user page, we
* can immediately drop the lock again.
static inline int kvm_read_guest_lock(struct kvm *kvm,
gpa_t gpa, void *data, unsigned long len)
int srcu_idx = srcu_read_lock(&kvm->srcu);
int ret = kvm_read_guest(kvm, gpa, data, len);
srcu_read_unlock(&kvm->srcu, srcu_idx);
return ret;
#include <asm/mmu.h>
......@@ -206,6 +206,12 @@ struct kvm_arch_memory_slot {
#define KVM_REG_ARM_TIMER_CNT ARM64_SYS_REG(3, 3, 14, 3, 2)
#define KVM_REG_ARM_TIMER_CVAL ARM64_SYS_REG(3, 3, 14, 0, 2)
/* KVM-as-firmware specific pseudo-registers */
KVM_REG_ARM_FW | ((r) & 0xffff))
/* Device Control API: ARM VGIC */
......@@ -25,6 +25,7 @@
#include <linux/module.h>
#include <linux/vmalloc.h>
#include <linux/fs.h>
#include <kvm/arm_psci.h>
#include <asm/cputype.h>
#include <linux/uaccess.h>
#include <asm/kvm.h>
......@@ -205,7 +206,7 @@ static int get_timer_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
unsigned long kvm_arm_num_regs(struct kvm_vcpu *vcpu)
return num_core_regs() + kvm_arm_num_sys_reg_descs(vcpu)
+ kvm_arm_get_fw_num_regs(vcpu) + NUM_TIMER_REGS;
......@@ -225,6 +226,11 @@ int kvm_arm_copy_reg_indices(struct kvm_vcpu *vcpu, u64 __user *uindices)
ret = kvm_arm_copy_fw_reg_indices(vcpu, uindices);
if (ret)
return ret;
uindices += kvm_arm_get_fw_num_regs(vcpu);
ret = copy_timer_indices(vcpu, uindices);
if (ret)
return ret;
......@@ -243,6 +249,9 @@ int kvm_arm_get_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
return get_core_reg(vcpu, reg);
return kvm_arm_get_fw_reg(vcpu, reg);
if (is_timer_reg(reg->id))
return get_timer_reg(vcpu, reg);
......@@ -259,6 +268,9 @@ int kvm_arm_set_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
return set_core_reg(vcpu, reg);
return kvm_arm_set_fw_reg(vcpu, reg);
if (is_timer_reg(reg->id))
return set_timer_reg(vcpu, reg);
......@@ -448,6 +448,11 @@ ENTRY(__cpu_setup)
cbz x9, 2f
cmp x9, #2 1f
#ifdef CONFIG_ARM64_ERRATUM_1024718
/* Disable hardware DBM on Cortex-A55 r0p0, r0p1 & r1p0 */
cpu_midr_match MIDR_CORTEX_A55, MIDR_CPU_VAR_REV(0, 0), MIDR_CPU_VAR_REV(1, 0), x1, x2, x3, x4
cbnz x1, 1f
orr x10, x10, #TCR_HD // hardware Dirty flag update
1: orr x10, x10, #TCR_HA // hardware Access flag update
......@@ -74,6 +74,27 @@
#define EX_R3 EX_DAR
nop; \
nop; \
nop; \
nop; \
nop; \
nop; \
nop; \
* r10 must be free to use, r13 must be paca
* Macros for annotating the expected destination of (h)rfid
......@@ -90,16 +111,19 @@
#define RFI_TO_USER \
rfid; \
b rfi_flush_fallback
rfid; \
b rfi_flush_fallback
#define RFI_TO_GUEST \
rfid; \
b rfi_flush_fallback
......@@ -108,21 +132,25 @@
#define HRFI_TO_USER \
hrfid; \
b hrfi_flush_fallback
hrfid; \
b hrfi_flush_fallback
#define HRFI_TO_GUEST \
hrfid; \
b hrfi_flush_fallback
hrfid; \
b hrfi_flush_fallback
......@@ -254,6 +282,7 @@ END_FTR_SECTION_NESTED(ftr,ftr,943)
#define __EXCEPTION_PROLOG_1_PRE(area) \
SAVE_CTR(r10, area); \
mfcr r9;
......@@ -187,6 +187,22 @@ label##3: \
FTR_ENTRY_OFFSET label##1b-label##3b; \
953: \
.pushsection __stf_entry_barrier_fixup,"a"; \
.align 2; \
954: \
FTR_ENTRY_OFFSET 953b-954b; \
955: \
.pushsection __stf_exit_barrier_fixup,"a"; \
.align 2; \
956: \
FTR_ENTRY_OFFSET 955b-956b; \
951: \
.pushsection __rfi_flush_fixup,"a"; \
......@@ -199,6 +215,9 @@ label##3: \
#ifndef __ASSEMBLY__
#include <linux/types.h>
extern long stf_barrier_fallback;
extern long __start___stf_entry_barrier_fixup, __stop___stf_entry_barrier_fixup;
extern long __start___stf_exit_barrier_fixup, __stop___stf_exit_barrier_fixup;
extern long __start___rfi_flush_fixup, __stop___rfi_flush_fixup;
void apply_feature_fixups(void);
......@@ -337,6 +337,9 @@
#define H_CPU_CHAR_L1D_FLUSH_ORI30 (1ull << 61) // IBM bit 2
#define H_CPU_CHAR_L1D_FLUSH_TRIG2 (1ull << 60) // IBM bit 3
#define H_CPU_CHAR_L1D_THREAD_PRIV (1ull << 59) // IBM bit 4
#define H_CPU_CHAR_BRANCH_HINTS_HONORED (1ull << 58) // IBM bit 5
#define H_CPU_CHAR_THREAD_RECONFIG_CTRL (1ull << 57) // IBM bit 6
#define H_CPU_CHAR_COUNT_CACHE_DISABLED (1ull << 56) // IBM bit 7
#define H_CPU_BEHAV_FAVOUR_SECURITY (1ull << 63) // IBM bit 0
#define H_CPU_BEHAV_L1D_FLUSH_PR (1ull << 62) // IBM bit 1
/* SPDX-License-Identifier: GPL-2.0+ */
* Security related feature bit definitions.
* Copyright 2018, Michael Ellerman, IBM Corporation.
extern unsigned long powerpc_security_features;
extern bool rfi_flush;
/* These are bit flags */
enum stf_barrier_type {
void setup_stf_barrier(void);
void do_stf_barrier_fixups(enum stf_barrier_type types);
static inline void security_ftr_set(unsigned long feature)
powerpc_security_features |= feature;
static inline void security_ftr_clear(unsigned long feature)
powerpc_security_features &= ~feature;
static inline bool security_ftr_enabled(unsigned long feature)
return !!(powerpc_security_features & feature);
// Features indicating support for Spectre/Meltdown mitigations
// The L1-D cache can be flushed with ori r30,r30,0
#define SEC_FTR_L1D_FLUSH_ORI30 0x0000000000000001ull
// The L1-D cache can be flushed with mtspr 882,r0 (aka SPRN_TRIG2)
#define SEC_FTR_L1D_FLUSH_TRIG2 0x0000000000000002ull
// ori r31,r31,0 acts as a speculation barrier
#define SEC_FTR_SPEC_BAR_ORI31 0x0000000000000004ull
// Speculation past bctr is disabled
#define SEC_FTR_BCCTRL_SERIALISED 0x0000000000000008ull
// Entries in L1-D are private to a SMT thread
#define SEC_FTR_L1D_THREAD_PRIV 0x0000000000000010ull
// Indirect branch prediction cache disabled
#define SEC_FTR_COUNT_CACHE_DISABLED 0x0000000000000020ull
// Features indicating need for Spectre/Meltdown mitigations
// The L1-D cache should be flushed on MSR[HV] 1->0 transition (hypervisor to guest)
#define SEC_FTR_L1D_FLUSH_HV 0x0000000000000040ull
// The L1-D cache should be flushed on MSR[PR] 0->1 transition (kernel to userspace)
#define SEC_FTR_L1D_FLUSH_PR 0x0000000000000080ull
// A speculation barrier should be used for bounds checks (Spectre variant 1)
#define SEC_FTR_BNDS_CHK_SPEC_BAR 0x0000000000000100ull
// Firmware configuration indicates user favours security over performance
#define SEC_FTR_FAVOUR_SECURITY 0x0000000000000200ull
// Features enabled by default
......@@ -42,7 +42,7 @@ obj-$(CONFIG_VDSO32) += vdso32/
obj-$(CONFIG_PPC_WATCHDOG) += watchdog.o
obj-$(CONFIG_HAVE_HW_BREAKPOINT) += hw_breakpoint.o
obj-$(CONFIG_PPC_BOOK3S_64) += cpu_setup_ppc970.o cpu_setup_pa6t.o
obj-$(CONFIG_PPC_BOOK3S_64) += cpu_setup_power.o
obj-$(CONFIG_PPC_BOOK3S_64) += cpu_setup_power.o security.o
obj-$(CONFIG_PPC_BOOK3S_64) += mce.o mce_power.o
obj-$(CONFIG_PPC_BOOK3E_64) += exceptions-64e.o idle_book3e.o
obj-$(CONFIG_PPC64) += vdso64/
......@@ -833,7 +833,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_TM)
EXC_REAL_MASKABLE(decrementer, 0x900, 0x80, IRQS_DISABLED)
EXC_REAL_OOL_MASKABLE(decrementer, 0x900, 0x80, IRQS_DISABLED)
EXC_VIRT_MASKABLE(decrementer, 0x4900, 0x80, 0x900, IRQS_DISABLED)
EXC_COMMON_ASYNC(decrementer_common, 0x900, timer_interrupt)
......@@ -909,6 +909,7 @@ EXC_COMMON(trap_0b_common, 0xb00, unknown_exception)
mtctr r13; \
GET_PACA(r13); \
std r10,PACA_EXGEN+EX_R10(r13); \
KVMTEST_PR(0xc00); /* uses r10, branch to do_kvm_0xc00_system_call */ \
mfctr r9;
......@@ -917,7 +918,8 @@ EXC_COMMON(trap_0b_common, 0xb00, unknown_exception)
mr r9,r13; \
GET_PACA(r13); \
......@@ -1455,6 +1457,19 @@ masked_##_H##interrupt: \
b .; \
std r9,PACA_EXRFI+EX_R9(r13)
std r10,PACA_EXRFI+EX_R10(r13)
ld r9,PACA_EXRFI+EX_R9(r13)
ld r10,PACA_EXRFI+EX_R10(r13)
ori 31,31,0
.rept 14
b 1f
......@@ -441,7 +441,6 @@ static int mce_handle_ierror(struct pt_regs *regs,
if (pfn != ULONG_MAX) {
*phys_addr =
(pfn << PAGE_SHIFT);
handled = 1;
......@@ -532,9 +531,7 @@ static int mce_handle_derror(struct pt_regs *regs,
* kernel/exception-64s.h
if (get_paca()->in_mce < MAX_MCE_DEPTH)
if (!mce_find_instr_ea_and_pfn(regs, addr,
handled = 1;