Commit 3c5af882 authored by Salvatore Bonaccorso's avatar Salvatore Bonaccorso Committed by Lorenzo "Palinuro" Faletra
Browse files

Import Debian changes 4.16.12-1

linux (4.16.12-1) unstable; urgency=medium

  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.6
    - Revert "pinctrl: intel: Initialize GPIO properly when used through
      irqchip"
    - [armhf] drm: bridge: dw-hdmi: Fix overflow workaround for Amlogic Meson
      GX SoCs
    - i40e: Fix attach VF to VM issue
    - tpm: cmd_ready command can be issued only after granting locality
    - tpm: tpm-interface: fix tpm_transmit/_cmd kdoc
    - tpm: add retry logic
    - Revert "ath10k: send (re)assoc peer command when NSS changed"
    - bonding: do not set slave_dev npinfo before slave_enable_netpoll in
      bond_enslave
    - docs: ip-sysctl.txt: fix name of some ipv6 variables
    - ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy
    - ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 pkts
    - KEYS: DNS: limit the length of option strings
    - l2tp: check sockaddr length in pppol2tp_connect()
    - llc: delete timers synchronously in llc_sk_free()
    - net: af_packet: fix race in PACKET_{R|T}X_RING
    - net: fix deadlock while clearing neighbor proxy table
    - [arm64,armhf] net: mvpp2: Fix DMA address mask size
    - net: qmi_wwan: add Wistron Neweb D19Q1
    - net/smc: fix shutdown in state SMC_LISTEN
    - net: stmmac: Disable ACS Feature for GMAC >= 4
    - packet: fix bitfield update race
    - pppoe: check sockaddr length in pppoe_connect()
    - Revert "macsec: missing dev_put() on error in macsec_newlink()"
    - sctp: do not check port in sctp_inet6_cmp_addr
    - strparser: Do not call mod_delayed_work with a timeout of LONG_MAX
    - strparser: Fix incorrect strp->need_bytes value.
    - tcp: clear tp->packets_out when purging write queue
    - tcp: don't read out-of-bounds opsize
    - tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets
    - team: avoid adding twice the same option to the event list
    - team: fix netconsole setup over team
    - tipc: add policy for TIPC_NLA_NET_ADDR
    - vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi
    - vmxnet3: fix incorrect dereference when rxvlan is disabled
    - [amd64,arm64] amd-xgbe: Add pre/post auto-negotiation phy hooks
    - [amd64,arm64] amd-xgbe: Improve KR auto-negotiation and training
    - [amd64,arm64] amd-xgbe: Only use the SFP supported transceiver signals
    - net: sched: ife: signal not finding metaid
    - net: sched: ife: handle malformed tlv length
    - net: sched: ife: check on metadata length
    - l2tp: hold reference on tunnels in netlink dumps
    - l2tp: hold reference on tunnels printed in pppol2tp proc file
    - l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file
    - l2tp: fix {pppol2tp, l2tp_dfs}_seq_stop() in case of seq_file overflow
    - llc: hold llc_sap before release_sock()
    - llc: fix NULL pointer deref for SOCK_ZAPPED
    - [s390x] qeth: fix error handling in adapter command callbacks
    - [s390x] qeth: avoid control IO completion stalls
    - [s390x] qeth: handle failure on workqueue creation
    - [armhf] net: ethernet: ti: cpsw: fix tx vlan priority mapping
    - net: validate attribute sizes in neigh_dump_table()
    - bnxt_en: Fix memory fault in bnxt_ethtool_init()
    - virtio-net: add missing virtqueue kick when flushing packets
    - VSOCK: make af_vsock.ko removable again
    - net: aquantia: Regression on reset with 1.x firmware
    - tun: fix vlan packet truncation
    - net: aquantia: oops when shutdown on already stopped device
    - virtio_net: split out ctrl buffer
    - virtio_net: fix adding vids on big-endian
    - Revert "mm/hmm: fix header file if/else/endif maze"
    - commoncap: Handle memory allocation failure.
    - scsi: mptsas: Disable WRITE SAME
    - cdrom: information leak in cdrom_ioctl_media_changed() (CVE-2018-10940)
    - fsnotify: Fix fsnotify_mark_connector race
    - [m68k] mac: Don't remap SWIM MMIO region
    - [m68k] block/swim: Check drive type
    - [m68k] block/swim: Don't log an error message for an invalid ioctl
    - [m68k] block/swim: Remove extra put_disk() call from error path
    - [m68k] block/swim: Rename macros to avoid inconsistent inverted logic
    - [m68k] block/swim: Select appropriate drive on device open
    - [m68k] block/swim: Fix array bounds check
    - [m68k] block/swim: Fix IO error at end of medium
    - tracing: Fix missing tab for hwlat_detector print format
    - hwmon: (k10temp) Add temperature offset for Ryzen 2700X
    - hwmon: (k10temp) Add support for AMD Ryzen w/ Vega graphics
    - [s390x] cio: update chpid descriptor after resource accessibility event
    - [s390x] dasd: fix IO error for newly defined devices
    - [s390x] uprobes: implement arch_uretprobe_is_alive()
    - [s390x] cpum_cf: rename IBM z13/z14 counter names
    - kprobes: Fix random address output of blacklist file
    - ACPI / video: Only default only_lcd to true on Win8-ready _desktops_
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.7
    - ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS
    - ext4: set h_journal if there is a failure starting a reserved handle
    - ext4: add MODULE_SOFTDEP to ensure crc32c is included in the initramfs
    - random: set up the NUMA crng instances after the CRNG is fully
      initialized
    - random: fix possible sleeping allocation from irq context
    - random: rate limit unseeded randomness warnings
    - usbip: usbip_event: fix to not print kernel pointer address
    - usbip: usbip_host: fix to hold parent lock for device_attach() calls
    - usbip: vhci_hcd: Fix usb device and sockfd leaks
    - usbip: vhci_hcd: check rhport before using in vhci_hub_control()
    - Revert "xhci: plat: Register shutdown for xhci_plat"
    - xhci: Fix USB ports for Dell Inspiron 5775
    - USB: serial: simple: add libtransistor console
    - USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster
    - USB: serial: cp210x: add ID for NI USB serial console
    - [arm64] serial: mvebu-uart: Fix local flags handling on termios update
    - usb: typec: ucsi: Increase command completion timeout value
    - usb: core: Add quirk for HP v222w 16GB Mini
    - USB: Increment wakeup count on remote wakeup.
    - ALSA: usb-audio: Skip broken EU on Dell dock USB-audio
    - virtio: add ability to iterate over vqs
    - virtio_console: don't tie bufs to a vq
    - virtio_console: free buffers after reset
    - virtio_console: drop custom control queue cleanup
    - virtio_console: move removal code
    - virtio_console: reset on out of memory
    - drm/virtio: fix vq wait_event condition
    - tty: Don't call panic() at tty_ldisc_init()
    - tty: n_gsm: Fix long delays with control frame timeouts in ADM mode
    - tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set
    - tty: Avoid possible error pointer dereference at tty_ldisc_restore().
    - tty: Use __GFP_NOFAIL for tty_ldisc_get()
    - ALSA: dice: fix OUI for TC group
    - ALSA: dice: fix error path to destroy initialized stream data
    - ALSA: hda - Skip jack and others for non-existing PCM streams
    - ALSA: opl3: Hardening for potential Spectre v1
    - ALSA: asihpi: Hardening for potential Spectre v1
    - ALSA: hdspm: Hardening for potential Spectre v1
    - ALSA: rme9652: Hardening for potential Spectre v1
    - ALSA: control: Hardening for potential Spectre v1
    - ALSA: pcm: Return negative delays from SNDRV_PCM_IOCTL_DELAY.
    - ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr
    - ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device
    - ALSA: seq: oss: Hardening for potential Spectre v1
    - ALSA: hda: Hardening for potential Spectre v1
    - ALSA: hda/realtek - Add some fixes for ALC233
    - ALSA: hda/realtek - Update ALC255 depop optimize
    - ALSA: hda/realtek - change the location for one of two front mics
    - mtd: spi-nor: cadence-quadspi: Fix page fault kernel panic
    - mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.
    - mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.
    - mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.
    - mtd: rawnand: tango: Fix struct clk memory leak
    - mtd: rawnand: marvell: fix the chip-select DT parsing logic
    - kobject: don't use WARN for registration failures
    - scsi: sd_zbc: Avoid that resetting a zone fails sporadically
    - scsi: sd: Defer spinning up drive while SANITIZE is in progress
    - blk-mq: start request gstate with gen 1
    - bfq-iosched: ensure to clear bic/bfqq pointers when preparing request
    - block: do not use interruptible wait anywhere
    - [s390x] vfio: ccw: process ssch with interrupts disabled
    - [arm64] PCI: aardvark: Fix logic in advk_pcie_{rd,wr}_conf()
    - [arm64] PCI: aardvark: Set PIO_ADDR_LS correctly in advk_pcie_rd_conf()
    - [arm64] PCI: aardvark: Use ISR1 instead of ISR0 interrupt in legacy irq
      mode
    - [arm64] PCI: aardvark: Fix PCIe Max Read Request Size setting
    - [armhf,arm64] KVM: Close VMID generation race
    - [powerpc*] mm: Flush cache on memory hot(un)plug
    - [powerpc*] mce: Fix a bug where mce loops on memory UE.
    - [powerpc*] powernv/npu: Do a PID GPU TLB flush when invalidating a large
      address range
    - crypto: drbg - set freed buffers to NULL
    - libceph: un-backoff on tick when we have a authenticated session
    - libceph: reschedule a tick in finish_hunting()
    - libceph: validate con->state at the top of try_write()
    - PCI / PM: Do not clear state_saved in pci_pm_freeze() when smart suspend
      is set
    - module: Fix display of wrong module .text address
    - earlycon: Use a pointer table to fix __earlycon_table stride
    - [powerpc*] cpufreq: powernv: Fix hardlockup due to synchronous smp_call
      in timer interrupt
    - [powerpc*] rtc: opal: Fix OPAL RTC driver OPAL_BUSY loops
    - drm/edid: Reset more of the display info
    - drm/amdgpu: set COMPUTE_PGM_RSRC1 for SGPR/VGPR clearing shaders
    - [x86] drm/i915/fbdev: Enable late fbdev initial configuration
    - [x86] drm/i915/audio: set minimum CD clock to twice the BCLK
    - [x86] drm/i915: Enable display WA#1183 from its correct spot
    - drm/amd/display: Fix deadlock when flushing irq
    - drm/amd/display: Don't read EDID in atomic_check
    - drm/amd/display: Disallow enabling CRTC without primary plane with FB
    - objtool, perf: Fix GCC 8 -Wrestrict error
    - [x86] ipc: Fix x32 version of shmid64_ds and msqid64_ds
    - [x86] smpboot: Don't use mwait_play_dead() on AMD systems
    - [x86] microcode/intel: Save microcode patch unconditionally
    - [x86] microcode: Do not exit early from __reload_late()
    - tick/sched: Do not mess with an enqueued hrtimer
    - [x86] crypto: ccp - add check to get PSP master only when PSP is
      detected
    - [armhf,arm64] KVM: Add PSCI version selection API
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.8
    - ACPI / button: make module loadable when booted in non-ACPI mode
    - [arm64] Add work around for Arm Cortex-A55 Erratum 1024718
    - ALSA: hda - Fix incorrect usage of IS_REACHABLE()
    - ALSA: pcm: Check PCM state at xfern compat ioctl
    - ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
    - ALSA: dice: fix kernel NULL pointer dereference due to invalid
      calculation for array index
    - ALSA: aloop: Mark paused device as inactive
    - ALSA: aloop: Add missing cable lock to ctl API callbacks
    - errseq: Always report a writeback error once
    - tracepoint: Do not warn on ENOMEM
    - scsi: target: Fix fortify_panic kernel exception
    - Input: leds - fix out of bound access
    - Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook
      Pro
    - swiotlb: fix inversed DMA_ATTR_NO_WARN test
    - rtlwifi: cleanup 8723be ant_sel definition
    - xfs: prevent creating negative-sized file via INSERT_RANGE
    - RDMA/cxgb4: release hw resources on device removal
    - RDMA/ucma: Allow resolving address w/o specifying source address
    - RDMA/mlx5: Fix multiple NULL-ptr deref errors in rereg_mr flow
    - RDMA/mlx4: Add missed RSS hash inner header flag
    - RDMA/mlx5: Protect from shift operand overflow
    - NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2
    - IB/mlx5: Use unlimited rate when static rate is not supported
    - infiniband: mlx5: fix build errors when INFINIBAND_USER_ACCESS=m
    - IB/hfi1: Fix handling of FECN marked multicast packet
    - IB/hfi1: Fix loss of BECN with AHG
    - IB/hfi1: Fix NULL pointer dereference when invalid num_vls is used
    - iw_cxgb4: Atomically flush per QP HW CQEs
    - btrfs: Take trans lock before access running trans in check_delayed_ref
    - [arm64,armhf] drm/vc4: Make sure vc4_bo_{inc,dec}_usecnt() calls are
      balanced
    - [x86] drm/vmwgfx: Fix a buffer object leak
    - drm/bridge: vga-dac: Fix edid memory leak
    - xhci: Fix use-after-free in xhci_free_virt_device
    - USB: serial: visor: handle potential invalid device configuration
    - [arm64,armhf] usb: dwc3: gadget: Fix list_del corruption in
      dwc3_ep_dequeue
    - USB: Accept bulk endpoints with 1024-byte maxpacket
    - USB: serial: option: reimplement interface masking
    - USB: serial: option: adding support for ublox R410M
    - [arm64,armhf] usb: musb: host: fix potential NULL pointer dereference
    - [arm64, armhf] usb: musb: trace: fix NULL pointer dereference in
      musb_g_tx()
    - [x86] platform/x86: asus-wireless: Fix NULL pointer dereference
    - [x86] platform/x86: Kconfig: Fix dell-laptop dependency chain.
    - [x86] KVM: remove APIC Timer periodic/oneshot spikes
    - [x86] tsc: Always unregister clocksource_tsc_early
    - [x86] tsc: Fix mark_tsc_unstable()
    - [arm64] irqchip/qcom: Fix check for spurious interrupts
    - clocksource: Allow clocksource_mark_unstable() on unregistered
      clocksources
    - clocksource: Initialize cs->wd_list
    - clocksource: Consistent de-rate when marking unstable
    - tracing: Fix bad use of igrab in trace_uprobe.c
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.9
    - ipvs: fix rtnl_lock lockups caused by start_sync_thread
    - netfilter: ebtables: don't attempt to allocate 0-sized compat array
    - clk: ti: fix flag space conflict with clkctrl clocks
    - rds: tcp: must use spin_lock_irq* and not spin_lock_bh with
      rds_tcp_conn_lock
    - crypto: af_alg - fix possible uninit-value in alg_bind()
    - netlink: fix uninit-value in netlink_sendmsg
    - net: fix rtnh_ok()
    - net: initialize skb->peeked when cloning
    - net: fix uninit-value in __hw_addr_add_ex()
    - dccp: initialize ireq->ir_mark
    - ipv4: fix uninit-value in ip_route_output_key_hash_rcu()
    - soreuseport: initialise timewait reuseport field
    - inetpeer: fix uninit-value in inet_getpeer
    - bpf/tracing: fix a deadlock in perf_event_detach_bpf_prog
    - memcg: fix per_node_info cleanup
    - perf: Remove superfluous allocation error check
    - i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr()
    - tcp: fix TCP_REPAIR_QUEUE bound checking
    - bdi: wake up concurrent wb_shutdown() callers.
    - bdi: Fix use after free bug in debugfs_remove()
    - bdi: Fix oops in wb_workfn()
    - compat: fix 4-byte infoleak via uninitialized struct field
    - gpioib: do not free unrequested descriptors
    - gpio: fix error path in lineevent_create
    - rfkill: gpio: fix memory leak in probe error path
    - libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs
    - dm integrity: use kvfree for kvmalloc'd memory
    - tracing: Fix regex_match_front() to not over compare the test string
    - mm: sections are not offlined during memory hotremove
    - mm, oom: fix concurrent munlock and oom reaper unmap (CVE-2018-1000200)
    - ceph: fix rsize/wsize capping in ceph_direct_read_write()
    - can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg()
    - [armhf,arm64] drm/vc4: Fix scaling of uni-planar formats
    - drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages
    - [x86] drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log
    - [x86] drm/i915: Adjust eDP's logical vco in a reliable place.
    - drm/nouveau: Fix deadlock in nv50_mstm_register_connector()
      (Closes: #898825)
    - drm/nouveau/ttm: don't dereference nvbo::cli, it can outlive client
    - drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear()
    - drm/atomic: Clean private obj old_state/new_state in
      drm_atomic_state_default_clear()
    - net: atm: Fix potential Spectre v1
    - atm: zatm: Fix potential Spectre v1
    - PCI / PM: Always check PME wakeup capability for runtime wakeup support
    - PCI / PM: Check device_may_wakeup() in pci_enable_wake()
    - cpufreq: schedutil: Avoid using invalid next_freq
    - Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174"
    - [x86] Bluetooth: btusb: Add Dell XPS 13 9360 to
      btusb_needs_reset_resume_table
    - Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome
      chipsets
    - [armhf] thermal: exynos: Reading temperature makes sense only when TMU is
      turned on
    - [armhf] thermal: exynos: Propagate error value from tmu_read()
    - nvme: add quirk to force medium priority for SQ creation
    - nvme: Fix sync controller reset return
    - smb3: directory sync should not return an error
    - swiotlb: silent unwanted warning "buffer is full"
    - sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[]
    - sched/autogroup: Fix possible Spectre-v1 indexing for
      sched_prio_to_weight[]
    - tracing/uprobe_event: Fix strncpy corner case
    - [x86] perf: Fix possible Spectre-v1 indexing for hw_perf_event cache_*
    - [x86] perf/cstate: Fix possible Spectre-v1 indexing for pkg_msr
    - [x86] perf/msr: Fix possible Spectre-v1 indexing in the MSR driver
    - perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]
    - [x86] perf: Fix possible Spectre-v1 indexing for x86_pmu::event_map()
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.10
    - 8139too: Use disable_irq_nosync() in rtl8139_poll_controller()
    - bridge: check iface upper dev when setting master via ioctl
    - dccp: fix tasklet usage
    - ipv4: fix fnhe usage by non-cached routes
    - ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
    - llc: better deal with too small mtu
    - net: ethernet: sun: niu set correct packet size in skb
    - [armhf] net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode
    - net/mlx4_en: Fix an error handling path in 'mlx4_en_init_netdev()'
    - net/mlx4_en: Verify coalescing parameters are in range
    - net/mlx5e: Err if asked to offload TC match on frag being first
    - net/mlx5: E-Switch, Include VF RDMA stats in vport statistics
    - net sched actions: fix refcnt leak in skbmod
    - net_sched: fq: take care of throttled flows before reuse
    - net: support compat 64-bit time in {s,g}etsockopt
    - openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is
      found
    - qmi_wwan: do not steal interfaces from class drivers
    - r8169: fix powering up RTL8168h
    - rds: do not leak kernel memory to user land
    - sctp: delay the authentication for the duplicated cookie-echo chunk
    - sctp: fix the issue that the cookie-ack with auth can't get processed
    - sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr
    - sctp: remove sctp_chunk_put from fail_mark err path in
      sctp_ulpevent_make_rcvmsg
    - sctp: use the old asoc when making the cookie-ack chunk in dupcook_d
    - tcp_bbr: fix to zero idle_restart only upon S/ACKed data
    - tcp: ignore Fast Open on repair mode
    - tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent().
    - bonding: do not allow rlb updates to invalid mac
    - bonding: send learning packets for vlans on slave
    - net: sched: fix error path in tcf_proto_create() when modules are not
      configured
    - net/mlx5e: TX, Use correct counter in dma_map error flow
    - net/mlx5: Avoid cleaning flow steering table twice during error flow
    - [x86] hv_netvsc: set master device
    - ipv6: fix uninit-value in ip6_multipath_l3_keys()
    - net/mlx5e: Allow offloading ipv4 header re-write for icmp
    - udp: fix SO_BINDTODEVICE
    - net/mlx5e: DCBNL fix min inline header size for dscp
    - sctp: clear the new asoc's stream outcnt in sctp_stream_update
    - tcp: restore autocorking
    - tipc: fix one byte leak in tipc_sk_set_orig_addr()
    - [x86] hv_netvsc: Fix net device attach on older Windows hosts
    - ipv4: reset fnhe_mtu_locked after cache route flushed
    - net/mlx5: Fix mlx5_get_vector_affinity function
    - net: phy: sfp: fix the BR,min computation
    - net/smc: keep clcsock reference in smc_tcp_listen_work()
    - scsi: aacraid: Correct hba_send to include iu_type
    - proc: do not access cmdline nor environ from file-backed areas
      (CVE-2018-1120)
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.11
    - xhci: Fix USB3 NULL pointer dereference at logical disconnect.
    - usbip: usbip_host: refine probe and disconnect debug msgs to be useful
    - usbip: usbip_host: delete device from busid_table after rebind
    - usbip: usbip_host: run rebind from exit when module is removed
    - usbip: usbip_host: fix NULL-ptr deref and use-after-free errors
    - usbip: usbip_host: fix bad unlock balance during stub_probe()
    - ALSA: usb: mixer: volume quirk for CM102-A+/102S+
    - ALSA: hda/realtek - Clevo P950ER ALC1220 Fixup
    - ALSA: hda: Add Lenovo C50 All in one to the power_save blacklist
    - ALSA: control: fix a redundant-copy issue
    - [amd64] spi: pxa2xx: Allow 64-bit DMA
    - KVM: vmx: update sec exec controls for UMIP iff emulating UMIP
    - [armhf,arm64] KVM: Properly protect VGIC locks from IRQs
    - [armhf,arm64] KVM: VGIC/ITS: Promote irq_lock() in update_affinity
    - [armhf,arm64] KVM: VGIC/ITS save/restore: protect kvm_read_guest() calls
    - [armhf,arm64] KVM: VGIC/ITS: protect kvm_read_guest() calls with SRCU
      lock
    - hwmon: (k10temp) Fix reading critical temperature register
    - hwmon: (k10temp) Use API function to access System Management Network
    - [s390x] vfio: ccw: fix cleanup if cp_prefetch fails
    - tracing/x86/xen: Remove zero data size trace events
      trace_xen_mmu_flush_tlb{_all}
    - vsprintf: Replace memory barrier with static_key for random_ptr_key
      update
    - [x86] amd_nb: Add support for Raven Ridge CPUs
    - [arm64] tee: shm: fix use-after-free via temporarily dropped reference
    - netfilter: nf_tables: free set name in error path
    - netfilter: nf_tables: can't fail after linking rule into active rule
      list
    - netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static
    - [arm64] dts: marvell: armada-cp110: Add clocks for the xmdio node
    - [arm64] dts: marvell: armada-cp110: Add mg_core_clk for ethernet node
    - i2c: designware: fix poll-after-enable regression
    - mtd: rawnand: marvell: Fix read logic for layouts with ->nchunks > 2
    - [powerpc*] powerpc/powernv: Fix NVRAM sleep in invalid context when
      crashing
    - drm: Match sysfs name in link removal to link creation
    - radix tree: fix multi-order iteration race
    - mm: don't allow deferred pages with NEED_PER_CPU_KM
    - [x86] drm/i915/gen9: Add WaClearHIZ_WM_CHICKEN3 for bxt and glk
    - [s390x] qdio: fix access to uninitialized qdio_q fields
    - [s390x] cpum_sf: ensure sample frequency of perf event attributes is
      non-zero
    - [s390x] qdio: don't release memory in qdio_setup_irq()
    - [s390x] remove indirect branch from do_softirq_own_stack
    - bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n
    - [x86] pkeys: Override pkey when moving away from PROT_EXEC
    - [x86] pkeys: Do not special case protection key 0
    - efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32'
      definition for mixed mode
    - [arm*] 8771/1: kprobes: Prohibit kprobes on do_undefinstr
    - [x86] apic/x2apic: Initialize cluster ID properly
    - [x86] mm: Drop TS_COMPAT on 64-bit exec() syscall
    - tick/broadcast: Use for_each_cpu() specially on UP kernels
    - [arm*] 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed
    - [arm*] 8770/1: kprobes: Prohibit probing on optimized_callback
    - [arm*] 8772/1: kprobes: Prohibit kprobes on get_user functions
    - Btrfs: fix xattr loss after power failure
    - Btrfs: send, fix invalid access to commit roots due to concurrent
      snapshotting
    - btrfs: property: Set incompat flag if lzo/zstd compression is set
    - btrfs: fix crash when trying to resume balance without the resume flag
    - btrfs: Split btrfs_del_delalloc_inode into 2 functions
    - btrfs: Fix delalloc inodes invalidation during transaction abort
    - btrfs: fix reading stale metadata blocks after degraded raid1 mounts
    - x86/nospec: Simplify alternative_msr_write()
    - x86/bugs: Concentrate bug detection into a separate function
    - x86/bugs: Concentrate bug reporting into a separate function
    - x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits
    - x86/bugs, KVM: Support the combination of guest and host IBRS
    - x86/bugs: Expose /sys/../spec_store_bypass
    - x86/cpufeatures: Add X86_FEATURE_RDS
    - x86/bugs: Provide boot parameters for the spec_store_bypass_disable
      mitigation
    - x86/bugs/intel: Set proper CPU features and setup RDS
    - x86/bugs: Whitelist allowed SPEC_CTRL MSR values
    - x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if requested
    - x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest
    - x86/speculation: Create spec-ctrl.h to avoid include hell
    - prctl: Add speculation control prctls
    - x86/process: Allow runtime control of Speculative Store Bypass
    - x86/speculation: Add prctl for Speculative Store Bypass mitigation
    - nospec: Allow getting/setting on non-current task
    - proc: Provide details on speculation flaw mitigations
    - seccomp: Enable speculation flaw mitigations
    - x86/bugs: Make boot modes __ro_after_init
    - prctl: Add force disable speculation
    - seccomp: Use PR_SPEC_FORCE_DISABLE
    - seccomp: Add filter flag to opt-out of SSB mitigation
    - seccomp: Move speculation migitation control to arch code
    - x86/speculation: Make "seccomp" the default mode for Speculative Store
      Bypass
    - x86/bugs: Rename _RDS to _SSBD
    - proc: Use underscores for SSBD in 'status'
    - Documentation/spec_ctrl: Do some minor cleanups
    - x86/bugs: Fix __ssb_select_mitigation() return type
    - x86/bugs: Make cpu_show_common() static
    - x86/bugs: Fix the parameters alignment and missing void
    - x86/cpu: Make alternative_msr_write work for 32-bit code
    - KVM: SVM: Move spec control call after restore of GS
    - x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
    - x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS
    - x86/cpufeatures: Disentangle SSBD enumeration
    - x86/cpufeatures: Add FEATURE_ZEN
    - x86/speculation: Handle HT correctly on AMD
    - x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL
    - x86/speculation: Add virtualized speculative store bypass disable
      support
    - x86/speculation: Rework speculative_store_bypass_update()
    - x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host}
    - x86/bugs: Expose x86_spec_ctrl_base directly
    - x86/bugs: Remove x86_spec_ctrl_set()
    - x86/bugs: Rework spec_ctrl base and mask logic
    - x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG
    - KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
    - x86/bugs: Rename SSBD_NO to SSB_NO
    - bpf: Prevent memory disambiguation attack
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.12
    - net/mlx5: Fix build break when CONFIG_SMP=n
    - net: Fix a bug in removing queues from XPS map
    - net/mlx4_core: Fix error handling in mlx4_init_port_info.
    - net/sched: fix refcnt leak in the error path of tcf_vlan_init()
    - net: sched: red: avoid hashing NULL child
    - net/smc: check for missing nlattrs in SMC_PNETID messages
    - net: test tailroom before appending to linear skb
    - packet: in packet_snd start writing at link layer allocation
    - sock_diag: fix use-after-free read in __sk_free
    - tcp: purge write queue in tcp_connect_init()
    - tun: fix use after free for ptr_ring
    - tuntap: fix use after free during release
    - cxgb4: Correct ntuple mask validation for hash filters
    - [armhf] net: dsa: bcm_sf2: Fix RX_CLS_LOC_ANY overwrite for last rule
    - net: dsa: Do not register devlink for unused ports
    - [armhf] net: dsa: bcm_sf2: Fix IPv6 rules and chain ID
    - [armhf] net: dsa: bcm_sf2: Fix IPv6 rule half deletion
    - 3c59x: convert to generic DMA API
    - cxgb4: fix offset in collecting TX rate limit info
    - vmxnet3: set the DMA mask before the first DMA map operation
    - vmxnet3: use DMA memory barriers where required
    - net: ip6_gre: Request headroom in __gre6_xmit()
    - net: ip6_gre: Fix headroom request in ip6erspan_tunnel_xmit()
    - net: ip6_gre: Split up ip6gre_tnl_link_config()
    - net: ip6_gre: Split up ip6gre_tnl_change()
    - net: ip6_gre: Split up ip6gre_newlink()
    - net: ip6_gre: Split up ip6gre_changelink()
    - net: ip6_gre: Fix ip6erspan hlen calculation
    - net: ip6_gre: fix tunnel metadata device sharing.
    - [sparc*]: vio: use put_device() instead of kfree()
    - ext2: fix a block leak
    - [powerpc*] rfi-flush: Always enable fallback flush on pseries
    - [powerpc*] Add security feature flags for Spectre/Meltdown
    - [powerpc*] pseries: Add new H_GET_CPU_CHARACTERISTICS flags
    - [powerpc*] pseries: Set or clear security feature flags
    - [powerpc*] powerpc/powernv: Set or clear security feature flags
    - [powerpc*] powerpc/64s: Move cpu_show_meltdown()
    - [powerpc*] powerpc/64s: Enhance the information in cpu_show_meltdown()
    - [powerpc*] powerpc/powernv: Use the security flags in
      pnv_setup_rfi_flush()
    - [powerpc*] powerpc/pseries: Use the security flags in
      pseries_setup_rfi_flush()
    - [powerpc*] powerpc/64s: Wire up cpu_show_spectre_v1()
    - [powerpc*] powerpc/64s: Wire up cpu_show_spectre_v2()
    - [powerpc*] powerpc/pseries: Fix clearing of security feature flags
    - [powerpc*] powerpc: Move default security feature flags
    - [powerpc*] powerpc/64s: Add support for a store forwarding barrier at
      kernel entry/exit
    - [s390x] move nobp parameter functions to nospec-branch.c
    - [s390x] add automatic detection of the spectre defense
    - [s390x] report spectre mitigation via syslog
    - [s390x] add sysfs attributes for spectre
    - [s390x] add assembler macros for CPU alternatives
    - [s390x] correct nospec auto detection init order
    - [s390x] correct module section names for expoline code revert
    - [s390x] move expoline assembler macros to a header
    - [s390x] crc32-vx: use expoline for indirect branches
    - [s390x] lib: use expoline for indirect branches
    - [s390x] ftrace: use expoline for indirect branches
    - [s390x] kernel: use expoline for indirect branches
    - [s390x] move spectre sysfs attribute code
    - [s390x] extend expoline to BC instructions
    - [s390x] use expoline thunks in the BPF JIT
    - scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
    - [s390x] scsi: zfcp: fix infinite iteration on ERP ready list
    - Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB
    - ALSA: usb-audio: Add native DSD support for Luxman DA-06
    - [arm64,armhf] usb: dwc3: Add SoftReset PHY synchonization delay
    - [arm64,armhf] usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields
    - [arm64,armhf] usb: dwc3: Makefile: fix link error on randconfig
    - xhci: zero usb device slot_id member when disabling and freeing a xhci slot
    - [arm64,armhf] usb: dwc2: Fix interval type issue
    - [arm64,armhf] usb: dwc2: hcd: Fix host channel halt flow
    - [arm64,armhf] usb: dwc2: host: Fix transaction errors in host mode
    - usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS
    - media: em28xx: USB bulk packet size fix
    - Bluetooth: btusb: Add device ID for RTL8822BE
    - Bluetooth: btusb: Add support for Intel Bluetooth device 22560
      [8087:0026]
    - xhci: Show what USB release number the xHC supports from protocol
      capablity
    - loop: don't call into filesystem while holding lo_ctl_mutex
    - loop: fix LOOP_GET_STATUS lock imbalance
    - cfg80211: limit wiphy names to 128 bytes
    - hfsplus: stop workqueue when fill_super() failed
    - [x86] kexec: Avoid double free_page() upon do_kexec_load() failure
    - staging: bcm2835-audio: Release resources on module_exit()
    - staging: lustre: fix bug in osc_enter_cache_try
    - [x86] staging: rtl8192u: return -ENOMEM on failed allocation of
      priv->oldaddr
    - staging: lustre: lmv: correctly iput lmo_root
    - [arm64] crypto: inside-secure - move the digest to the request context
    - [arm64] crypto: inside-secure - wait for the request to complete if in
      the backlog
    - [x86] crypto: ccp - don't disable interrupts while setting up debugfs
    - [arm64] crypto: inside-secure - do not process request if no command was
      issued
    - [arm64] crypto: inside-secure - fix the cache_len computation
    - [arm64] crypto: inside-secure - fix the extra cache computation
    - [arm64] crypto: inside-secure - do not overwrite the threshold value
    - [armhf] crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss
    - [arm64] crypto: inside-secure - fix the invalidation step during
      cra_exit
    - scsi: aacraid: Insure command thread is not recursively stopped
    - scsi: devinfo: add HP DISK-SUBSYSTEM device, for HP XP arrays
    - scsi: lpfc: Fix NVME Initiator FirstBurst
    - scsi: core: Make SCSI Status CONDITION MET equivalent to GOOD
    - scsi: mvsas: fix wrong endianness of sgpio api
    - scsi: lpfc: Fix issue_lip if link is disabled
    - scsi: lpfc: Fix nonrecovery of NVME controller after cable swap.
    - scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing
    - scsi: lpfc: Fix IO failure during hba reset testing with nvme io.
    - scsi: lpfc: Fix frequency of Release WQE CQEs
    - [armhf] clk: rockchip: Fix wrong parent for SDMMC phase clock for rk3228
    - clk: Don't show the incorrect clock phase
    - clk: hisilicon: mark wdt_mux_p[] as const
    - [arm64,armhf] clk: tegra: Fix pll_u rate configuration
    - [armhf] clk: rockchip: Prevent calculating mmc phase if clock rate is
      zero
    - [armhf] clk: samsung: s3c2410: Fix PLL rates
    - [armhf] clk: samsung: exynos7: Fix PLL rates
    - [armhf] clk: samsung: exynos5260: Fix PLL rates
    - [armhf] clk: samsung: exynos5433: Fix PLL rates
    - [armhf] clk: samsung: exynos5250: Fix PLL rates
    - [armhf] clk: samsung: exynos3250: Fix PLL rates
    - clk: meson: axg: fix the od shift of the sys_pll
    - clk: meson: axg: add the fractional part of the fixed_pll
    - media: cx23885: Override 888 ImpactVCBe crystal frequency
    - media: cx23885: Set subdev host data to clk_freq pointer
    - media: em28xx: Add Hauppauge SoloHD/DualHD bulk models
    - media: v4l: vsp1: Fix display stalls when requesting too many inputs
    - media: i2c: adv748x: fix HDMI field heights
    - media: vb2: Fix videobuf2 to map correct area
    - media: vivid: fix incorrect capabilities for radio
    - media: cx25821: prevent out-of-bounds read on array card
    - [arm64] serial: mvebu-uart: fix tx lost characters
    - [sh4] serial: sh-sci: Fix out-of-bounds access through DT alias
    - [armhf] serial: samsung: Fix out-of-bounds access through serial port
      index
    - [armhf] serial: imx: Fix out-of-bounds access through serial port index
    - [armhf] serial: arc_uart: Fix out-of-bounds access through DT alias
    - [arm*] serial: 8250: Don't service RX FIFO if interrupts are disabled
    - [armhf] rtc: snvs: Fix usage of snvs_rtc_enable
    - rtc: hctosys: Ensure system time doesn't overflow time_t
    - [arm64,armhf] rtc: rk808: fix possible race condition
    - [armel/marvell] rtc: m41t80: fix race conditions
    - [m68k] rtc: rp5c01: fix possible race condition

  [ Romain Perier ]
  * [armhf] DRM: Enable DW_HDMI_AHB_AUDIO and DW_HDMI_CEC (Closes: #897204)
  * [armhf] MFD: Enable MFD_TPS65217 (Closes: #897590)

  [ Ben Hutchings ]
  * kbuild: use -fmacro-prefix-map to make __FILE__ a relative path
  * Bump ABI to 2
  * [rt] Update to 4.16.8-rt3
  * [x86] KVM: VMX: Expose SSBD properly to guests.

  [ Salvatore Bonaccorso ]
  * [rt] Update to 4.16.7-rt1 and reenable
  * [rt] certs: Reference certificate for test key used in Debian signing
    service
parents 44a45543 f34edc87
......@@ -176,10 +176,9 @@ void do_softirq_own_stack(void)
new -= STACK_FRAME_OVERHEAD;
((struct stack_frame *) new)->back_chain = old;
asm volatile(" la 15,0(%0)\n"
" basr 14,%2\n"
" brasl 14,__do_softirq\n"
" la 15,0(%1)\n"
: : "a" (new), "a" (old),
"a" (__do_softirq)
: : "a" (new), "a" (old)
: "0", "1", "2", "3", "4", "5", "14",
"cc", "memory" );
} else {
......
......@@ -9,13 +9,17 @@
#include <linux/linkage.h>
#include <asm/asm-offsets.h>
#include <asm/ftrace.h>
#include <asm/nospec-insn.h>
#include <asm/ptrace.h>
#include <asm/export.h>
GEN_BR_THUNK %r1
GEN_BR_THUNK %r14
.section .kprobes.text, "ax"
ENTRY(ftrace_stub)
br %r14
BR_EX %r14
#define STACK_FRAME_SIZE (STACK_FRAME_OVERHEAD + __PT_SIZE)
#define STACK_PTREGS (STACK_FRAME_OVERHEAD)
......@@ -23,7 +27,7 @@ ENTRY(ftrace_stub)
#define STACK_PTREGS_PSW (STACK_PTREGS + __PT_PSW)
ENTRY(_mcount)
br %r14
BR_EX %r14
EXPORT_SYMBOL(_mcount)
......@@ -53,7 +57,7 @@ ENTRY(ftrace_caller)
#endif
lgr %r3,%r14
la %r5,STACK_PTREGS(%r15)
basr %r14,%r1
BASR_EX %r14,%r1
#ifdef CONFIG_FUNCTION_GRAPH_TRACER
# The j instruction gets runtime patched to a nop instruction.
# See ftrace_enable_ftrace_graph_caller.
......@@ -68,7 +72,7 @@ ftrace_graph_caller_end:
#endif
lg %r1,(STACK_PTREGS_PSW+8)(%r15)
lmg %r2,%r15,(STACK_PTREGS_GPRS+2*8)(%r15)
br %r1
BR_EX %r1
#ifdef CONFIG_FUNCTION_GRAPH_TRACER
......@@ -81,6 +85,6 @@ ENTRY(return_to_handler)
aghi %r15,STACK_FRAME_OVERHEAD
lgr %r14,%r2
lmg %r2,%r5,32(%r15)
br %r14
BR_EX %r14
#endif
......@@ -159,7 +159,7 @@ int module_frob_arch_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs,
me->core_layout.size += me->arch.got_size;
me->arch.plt_offset = me->core_layout.size;
if (me->arch.plt_size) {
if (IS_ENABLED(CONFIG_EXPOLINE) && !nospec_call_disable)
if (IS_ENABLED(CONFIG_EXPOLINE) && !nospec_disable)
me->arch.plt_size += PLT_ENTRY_SIZE;
me->core_layout.size += me->arch.plt_size;
}
......@@ -318,8 +318,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
info->plt_offset;
ip[0] = 0x0d10e310; /* basr 1,0 */
ip[1] = 0x100a0004; /* lg 1,10(1) */
if (IS_ENABLED(CONFIG_EXPOLINE) &&
!nospec_call_disable) {
if (IS_ENABLED(CONFIG_EXPOLINE) && !nospec_disable) {
unsigned int *ij;
ij = me->core_layout.base +
me->arch.plt_offset +
......@@ -440,7 +439,7 @@ int module_finalize(const Elf_Ehdr *hdr,
void *aseg;
if (IS_ENABLED(CONFIG_EXPOLINE) &&
!nospec_call_disable && me->arch.plt_size) {
!nospec_disable && me->arch.plt_size) {
unsigned int *ij;
ij = me->core_layout.base + me->arch.plt_offset +
......@@ -466,12 +465,12 @@ int module_finalize(const Elf_Ehdr *hdr,
apply_alternatives(aseg, aseg + s->sh_size);
if (IS_ENABLED(CONFIG_EXPOLINE) &&
(!strcmp(".nospec_call_table", secname)))
nospec_call_revert(aseg, aseg + s->sh_size);
(!strncmp(".s390_indirect", secname, 14)))
nospec_revert(aseg, aseg + s->sh_size);
if (IS_ENABLED(CONFIG_EXPOLINE) &&
(!strcmp(".nospec_return_table", secname)))
nospec_return_revert(aseg, aseg + s->sh_size);
(!strncmp(".s390_return", secname, 12)))
nospec_revert(aseg, aseg + s->sh_size);
}
jump_label_apply_nops(me);
......
// SPDX-License-Identifier: GPL-2.0
#include <linux/module.h>
#include <linux/device.h>
#include <asm/nospec-branch.h>
int nospec_call_disable = IS_ENABLED(CONFIG_EXPOLINE_OFF);
int nospec_return_disable = !IS_ENABLED(CONFIG_EXPOLINE_FULL);
static int __init nobp_setup_early(char *str)
{
bool enabled;
int rc;
rc = kstrtobool(str, &enabled);
if (rc)
return rc;
if (enabled && test_facility(82)) {
/*
* The user explicitely requested nobp=1, enable it and
* disable the expoline support.
*/
__set_facility(82, S390_lowcore.alt_stfle_fac_list);
if (IS_ENABLED(CONFIG_EXPOLINE))
nospec_disable = 1;
} else {
__clear_facility(82, S390_lowcore.alt_stfle_fac_list);
}
return 0;
}
early_param("nobp", nobp_setup_early);
static int __init nospec_setup_early(char *str)
{
__clear_facility(82, S390_lowcore.alt_stfle_fac_list);
return 0;
}
early_param("nospec", nospec_setup_early);
static int __init nospec_report(void)
{
if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable)
pr_info("Spectre V2 mitigation: execute trampolines.\n");
if (__test_facility(82, S390_lowcore.alt_stfle_fac_list))
pr_info("Spectre V2 mitigation: limited branch prediction.\n");
return 0;
}
arch_initcall(nospec_report);
#ifdef CONFIG_EXPOLINE
int nospec_disable = IS_ENABLED(CONFIG_EXPOLINE_OFF);
static int __init nospectre_v2_setup_early(char *str)
{
nospec_call_disable = 1;
nospec_return_disable = 1;
nospec_disable = 1;
return 0;
}
early_param("nospectre_v2", nospectre_v2_setup_early);
void __init nospec_auto_detect(void)
{
if (IS_ENABLED(CC_USING_EXPOLINE)) {
/*
* The kernel has been compiled with expolines.
* Keep expolines enabled and disable nobp.
*/
nospec_disable = 0;
__clear_facility(82, S390_lowcore.alt_stfle_fac_list);
}
/*
* If the kernel has not been compiled with expolines the
* nobp setting decides what is done, this depends on the
* CONFIG_KERNEL_NP option and the nobp/nospec parameters.
*/
}
static int __init spectre_v2_setup_early(char *str)
{
if (str && !strncmp(str, "on", 2)) {
nospec_call_disable = 0;
nospec_return_disable = 0;
}
if (str && !strncmp(str, "off", 3)) {
nospec_call_disable = 1;
nospec_return_disable = 1;
}
if (str && !strncmp(str, "auto", 4)) {
nospec_call_disable = 0;
nospec_return_disable = 1;
nospec_disable = 0;
__clear_facility(82, S390_lowcore.alt_stfle_fac_list);
}
if (str && !strncmp(str, "off", 3))
nospec_disable = 1;
if (str && !strncmp(str, "auto", 4))
nospec_auto_detect();
return 0;
}
early_param("spectre_v2", spectre_v2_setup_early);
......@@ -39,7 +93,6 @@ static void __init_or_module __nospec_revert(s32 *start, s32 *end)
s32 *epo;
/* Second part of the instruction replace is always a nop */
memcpy(insnbuf + 2, (char[]) { 0x47, 0x00, 0x00, 0x00 }, 4);
for (epo = start; epo < end; epo++) {
instr = (u8 *) epo + *epo;
if (instr[0] == 0xc0 && (instr[1] & 0x0f) == 0x04)
......@@ -60,18 +113,34 @@ static void __init_or_module __nospec_revert(s32 *start, s32 *end)
br = thunk + (*(int *)(thunk + 2)) * 2;
else
continue;
if (br[0] != 0x07 || (br[1] & 0xf0) != 0xf0)
/* Check for unconditional branch 0x07f? or 0x47f???? */
if ((br[0] & 0xbf) != 0x07 || (br[1] & 0xf0) != 0xf0)
continue;
memcpy(insnbuf + 2, (char[]) { 0x47, 0x00, 0x07, 0x00 }, 4);
switch (type) {
case BRCL_EXPOLINE:
/* brcl to thunk, replace with br + nop */
insnbuf[0] = br[0];
insnbuf[1] = (instr[1] & 0xf0) | (br[1] & 0x0f);
if (br[0] == 0x47) {
/* brcl to b, replace with bc + nopr */
insnbuf[2] = br[2];
insnbuf[3] = br[3];
} else {
/* brcl to br, replace with bcr + nop */
}
break;
case BRASL_EXPOLINE:
/* brasl to thunk, replace with basr + nop */
insnbuf[0] = 0x0d;
insnbuf[1] = (instr[1] & 0xf0) | (br[1] & 0x0f);
if (br[0] == 0x47) {
/* brasl to b, replace with bas + nopr */
insnbuf[0] = 0x4d;
insnbuf[2] = br[2];
insnbuf[3] = br[3];
} else {
/* brasl to br, replace with basr + nop */
insnbuf[0] = 0x0d;
}
break;
}
......@@ -79,15 +148,9 @@ static void __init_or_module __nospec_revert(s32 *start, s32 *end)
}
}
void __init_or_module nospec_call_revert(s32 *start, s32 *end)
{
if (nospec_call_disable)
__nospec_revert(start, end);
}
void __init_or_module nospec_return_revert(s32 *start, s32 *end)
void __init_or_module nospec_revert(s32 *start, s32 *end)
{
if (nospec_return_disable)
if (nospec_disable)
__nospec_revert(start, end);
}
......@@ -95,6 +158,8 @@ extern s32 __nospec_call_start[], __nospec_call_end[];
extern s32 __nospec_return_start[], __nospec_return_end[];
void __init nospec_init_branches(void)
{
nospec_call_revert(__nospec_call_start, __nospec_call_end);
nospec_return_revert(__nospec_return_start, __nospec_return_end);
nospec_revert(__nospec_call_start, __nospec_call_end);
nospec_revert(__nospec_return_start, __nospec_return_end);
}
#endif /* CONFIG_EXPOLINE */
// SPDX-License-Identifier: GPL-2.0
#include <linux/device.h>
#include <linux/cpu.h>
#include <asm/facility.h>
#include <asm/nospec-branch.h>
ssize_t cpu_show_spectre_v1(struct device *dev,
struct device_attribute *attr, char *buf)
{
return sprintf(buf, "Mitigation: __user pointer sanitization\n");
}
ssize_t cpu_show_spectre_v2(struct device *dev,
struct device_attribute *attr, char *buf)
{
if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable)
return sprintf(buf, "Mitigation: execute trampolines\n");
if (__test_facility(82, S390_lowcore.alt_stfle_fac_list))
return sprintf(buf, "Mitigation: limited branch prediction\n");
return sprintf(buf, "Vulnerable\n");
}
......@@ -123,7 +123,7 @@ CPUMF_EVENT_ATTR(cf_zec12, L1I_OFFBOOK_L3_SOURCED_WRITES_IV, 0x00a1);
CPUMF_EVENT_ATTR(cf_zec12, TX_NC_TABORT, 0x00b1);
CPUMF_EVENT_ATTR(cf_zec12, TX_C_TABORT_NO_SPECIAL, 0x00b2);
CPUMF_EVENT_ATTR(cf_zec12, TX_C_TABORT_SPECIAL, 0x00b3);
CPUMF_EVENT_ATTR(cf_z13, L1D_WRITES_RO_EXCL, 0x0080);
CPUMF_EVENT_ATTR(cf_z13, L1D_RO_EXCL_WRITES, 0x0080);
CPUMF_EVENT_ATTR(cf_z13, DTLB1_WRITES, 0x0081);
CPUMF_EVENT_ATTR(cf_z13, DTLB1_MISSES, 0x0082);
CPUMF_EVENT_ATTR(cf_z13, DTLB1_HPAGE_WRITES, 0x0083);
......@@ -179,7 +179,7 @@ CPUMF_EVENT_ATTR(cf_z13, TX_C_TABORT_NO_SPECIAL, 0x00db);
CPUMF_EVENT_ATTR(cf_z13, TX_C_TABORT_SPECIAL, 0x00dc);
CPUMF_EVENT_ATTR(cf_z13, MT_DIAG_CYCLES_ONE_THR_ACTIVE, 0x01c0);
CPUMF_EVENT_ATTR(cf_z13, MT_DIAG_CYCLES_TWO_THR_ACTIVE, 0x01c1);
CPUMF_EVENT_ATTR(cf_z14, L1D_WRITES_RO_EXCL, 0x0080);
CPUMF_EVENT_ATTR(cf_z14, L1D_RO_EXCL_WRITES, 0x0080);
CPUMF_EVENT_ATTR(cf_z14, DTLB2_WRITES, 0x0081);
CPUMF_EVENT_ATTR(cf_z14, DTLB2_MISSES, 0x0082);
CPUMF_EVENT_ATTR(cf_z14, DTLB2_HPAGE_WRITES, 0x0083);
......@@ -371,7 +371,7 @@ static struct attribute *cpumcf_zec12_pmu_event_attr[] __initdata = {
};
static struct attribute *cpumcf_z13_pmu_event_attr[] __initdata = {
CPUMF_EVENT_PTR(cf_z13, L1D_WRITES_RO_EXCL),
CPUMF_EVENT_PTR(cf_z13, L1D_RO_EXCL_WRITES),
CPUMF_EVENT_PTR(cf_z13, DTLB1_WRITES),
CPUMF_EVENT_PTR(cf_z13, DTLB1_MISSES),
CPUMF_EVENT_PTR(cf_z13, DTLB1_HPAGE_WRITES),
......@@ -431,7 +431,7 @@ static struct attribute *cpumcf_z13_pmu_event_attr[] __initdata = {
};
static struct attribute *cpumcf_z14_pmu_event_attr[] __initdata = {
CPUMF_EVENT_PTR(cf_z14, L1D_WRITES_RO_EXCL),
CPUMF_EVENT_PTR(cf_z14, L1D_RO_EXCL_WRITES),
CPUMF_EVENT_PTR(cf_z14, DTLB2_WRITES),
CPUMF_EVENT_PTR(cf_z14, DTLB2_MISSES),
CPUMF_EVENT_PTR(cf_z14, DTLB2_HPAGE_WRITES),
......
......@@ -753,6 +753,10 @@ static int __hw_perf_event_init(struct perf_event *event)
*/
rate = 0;
if (attr->freq) {
if (!attr->sample_freq) {
err = -EINVAL;
goto out;
}
rate = freq_to_sample_rate(&si, attr->sample_freq);
rate = hw_limit_rate(&si, rate);
attr->freq = 0;
......
......@@ -7,8 +7,11 @@
#include <linux/linkage.h>
#include <asm/asm-offsets.h>
#include <asm/nospec-insn.h>
#include <asm/sigp.h>
GEN_BR_THUNK %r9
#
# Issue "store status" for the current CPU to its prefix page
# and call passed function afterwards
......@@ -67,9 +70,9 @@ ENTRY(store_status)
st %r4,0(%r1)
st %r5,4(%r1)
stg %r2,8(%r1)
lgr %r1,%r2
lgr %r9,%r2
lgr %r2,%r3
br %r1
BR_EX %r9
.section .bss
.align 8
......
......@@ -893,6 +893,9 @@ void __init setup_arch(char **cmdline_p)
init_mm.end_data = (unsigned long) &_edata;
init_mm.brk = (unsigned long) &_end;
if (IS_ENABLED(CONFIG_EXPOLINE_AUTO))
nospec_auto_detect();
parse_early_param();
#ifdef CONFIG_CRASH_DUMP
/* Deactivate elfcorehdr= kernel parameter */
......
......@@ -13,6 +13,7 @@
#include <asm/ptrace.h>
#include <asm/thread_info.h>
#include <asm/asm-offsets.h>
#include <asm/nospec-insn.h>
#include <asm/sigp.h>
/*
......@@ -24,6 +25,8 @@
* (see below) in the resume process.
* This function runs with disabled interrupts.
*/
GEN_BR_THUNK %r14
.section .text
ENTRY(swsusp_arch_suspend)
stmg %r6,%r15,__SF_GPRS(%r15)
......@@ -103,7 +106,7 @@ ENTRY(swsusp_arch_suspend)
spx 0x318(%r1)
lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15)
lghi %r2,0
br %r14
BR_EX %r14
/*
* Restore saved memory image to correct place and restore register context.
......@@ -197,11 +200,10 @@ pgm_check_entry:
larl %r15,init_thread_union
ahi %r15,1<<(PAGE_SHIFT+THREAD_SIZE_ORDER)
larl %r2,.Lpanic_string
larl %r3,sclp_early_printk
lghi %r1,0
sam31
sigp %r1,%r0,SIGP_SET_ARCHITECTURE
basr %r14,%r3
brasl %r14,sclp_early_printk
larl %r3,.Ldisabled_wait_31
lpsw 0(%r3)
4:
......@@ -267,7 +269,7 @@ restore_registers:
/* Return 0 */
lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15)
lghi %r2,0
br %r14
BR_EX %r14
.section .data..nosave,"aw",@progbits
.align 8
......
......@@ -150,6 +150,15 @@ unsigned long arch_uretprobe_hijack_return_addr(unsigned long trampoline,
return orig;
}
bool arch_uretprobe_is_alive(struct return_instance *ret, enum rp_check ctx,
struct pt_regs *regs)
{
if (ctx == RP_CHECK_CHAIN_CALL)
return user_stack_pointer(regs) <= ret->stack;
else
return user_stack_pointer(regs) < ret->stack;
}
/* Instruction Emulation */
static void adjust_psw_addr(psw_t *psw, unsigned long len)
......
......@@ -7,6 +7,9 @@
#include <linux/linkage.h>
#include <asm/export.h>
#include <asm/nospec-insn.h>
GEN_BR_THUNK %r14
/*
* void *memmove(void *dest, const void *src, size_t n)
......@@ -33,14 +36,14 @@ ENTRY(memmove)
.Lmemmove_forward_remainder:
larl %r5,.Lmemmove_mvc
ex %r4,0(%r5)
br %r14
BR_EX %r14
.Lmemmove_reverse:
ic %r0,0(%r4,%r3)
stc %r0,0(%r4,%r1)
brctg %r4,.Lmemmove_reverse
ic %r0,0(%r4,%r3)
stc %r0,0(%r4,%r1)
br %r14
BR_EX %r14
.Lmemmove_mvc:
mvc 0(1,%r1),0(%r3)
EXPORT_SYMBOL(memmove)
......@@ -77,7 +80,7 @@ ENTRY(memset)
.Lmemset_clear_remainder:
larl %r3,.Lmemset_xc
ex %r4,0(%r3)
br %r14
BR_EX %r14
.Lmemset_fill:
cghi %r4,1
lgr %r1,%r2
......@@ -95,10 +98,10 @@ ENTRY(memset)
stc %r3,0(%r1)
larl %r5,.Lmemset_mvc
ex %r4,0(%r5)
br %r14
BR_EX %r14
.Lmemset_fill_exit:
stc %r3,0(%r1)
br %r14
BR_EX %r14
.Lmemset_xc:
xc 0(1,%r1),0(%r1)
.Lmemset_mvc:
......@@ -121,7 +124,7 @@ ENTRY(memcpy)
.Lmemcpy_remainder:
larl %r5,.Lmemcpy_mvc
ex %r4,0(%r5)
br %r14
BR_EX %r14
.Lmemcpy_loop:
mvc 0(256,%r1),0(%r3)
la %r1,256(%r1)
......@@ -159,10 +162,10 @@ ENTRY(__memset\bits)
\insn %r3,0(%r1)
larl %r5,.L__memset_mvc\bits
ex %r4,0(%r5)
br %r14
BR_EX %r14
.L__memset_exit\bits:
\insn %r3,0(%r2)
br %r14
BR_EX %r14
.L__memset_mvc\bits:
mvc \bytes(1,%r1),0(%r1)
.endm
......
......@@ -9,6 +9,7 @@
*/
#include <linux/linkage.h>
#include <asm/nospec-insn.h>
#include "bpf_jit.h"
/*
......@@ -54,7 +55,7 @@ ENTRY(sk_load_##NAME##_pos); \
clg %r3,STK_OFF_HLEN(%r15); /* Offset + SIZE > hlen? */ \
jh sk_load_##NAME##_slow; \
LOAD %r14,-SIZE(%r3,%r12); /* Get data from skb */ \
b OFF_OK(%r6); /* Return */ \
B_EX OFF_OK,%r6; /* Return */ \
\
sk_load_##NAME##_slow:; \
lgr %r2,%r7; /* Arg1 = skb pointer */ \
......@@ -64,11 +65,14 @@ sk_load_##NAME##_slow:; \
brasl %r14,skb_copy_bits; /* Get data from skb */ \
LOAD %r14,STK_OFF_TMP(%r15); /* Load from temp bufffer */ \
ltgr %r2,%r2; /* Set cc to (%r2 != 0) */ \
br %r6; /* Return */
BR_EX %r6; /* Return */
sk_load_common(word, 4, llgf) /* r14 = *(u32 *) (skb->data+offset) */
sk_load_common(half, 2, llgh) /* r14 = *(u16 *) (skb->data+offset) */
GEN_BR_THUNK %r6
GEN_B_THUNK OFF_OK,%r6
/*
* Load 1 byte from SKB (optimized version)
*/
......@@ -80,7 +84,7 @@ ENTRY(sk_load_byte_pos)
clg %r3,STK_OFF_HLEN(%r15) # Offset >= hlen?
jnl sk_load_byte_slow
llgc %r14,0(%r3,%r12) # Get byte from skb
b OFF_OK(%r6) # Return OK
B_EX OFF_OK,%r6 # Return OK
sk_load_byte_slow:
lgr %r2,%r7 # Arg1 = skb pointer
......@@ -90,7 +94,7 @@ sk_load_byte_slow:
brasl %r14,skb_copy_bits # Get data from skb
llgc %r14,STK_OFF_TMP(%r15) # Load result from temp buffer
ltgr %r2,%r2 # Set cc to (%r2 != 0)
br %r6 # Return cc
BR_EX %r6 # Return cc
#define sk_negative_common(NAME, SIZE, LOAD) \
sk_load_##NAME##_slow_neg:; \
......@@ -104,7 +108,7 @@ sk_load_##NAME##_slow_neg:; \
jz bpf_error; \
LOAD %r14,0(%r2); /* Get data from pointer */ \
xr %r3,%r3; /* Set cc to zero */ \
br %r6; /* Return cc */
BR_EX %r6; /* Return cc */
sk_negative_common(word, 4, llgf)
sk_negative_common(half, 2, llgh)
......@@ -113,4 +117,4 @@ sk_negative_common(byte, 1, llgc)
bpf_error:
# force a return 0 from jit handler
ltgr %r15,%r15 # Set condition code
br %r6
BR_EX %r6