Commit 3c5af882 authored by Salvatore Bonaccorso's avatar Salvatore Bonaccorso Committed by Lorenzo "Palinuro" Faletra
Browse files

Import Debian changes 4.16.12-1

linux (4.16.12-1) unstable; urgency=medium

  * New upstream stable update:
    - Revert "pinctrl: intel: Initialize GPIO properly when used through
    - [armhf] drm: bridge: dw-hdmi: Fix overflow workaround for Amlogic Meson
      GX SoCs
    - i40e: Fix attach VF to VM issue
    - tpm: cmd_ready command can be issued only after granting locality
    - tpm: tpm-interface: fix tpm_transmit/_cmd kdoc
    - tpm: add retry logic
    - Revert "ath10k: send (re)assoc peer command when NSS changed"
    - bonding: do not set slave_dev npinfo before slave_enable_netpoll in
    - docs: ip-sysctl.txt: fix name of some ipv6 variables
    - ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy
    - ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 pkts
    - KEYS: DNS: limit the length of option strings
    - l2tp: check sockaddr length in pppol2tp_connect()
    - llc: delete timers synchronously in llc_sk_free()
    - net: af_packet: fix race in PACKET_{R|T}X_RING
    - net: fix deadlock while clearing neighbor proxy table
    - [arm64,armhf] net: mvpp2: Fix DMA address mask size
    - net: qmi_wwan: add Wistron Neweb D19Q1
    - net/smc: fix shutdown in state SMC_LISTEN
    - net: stmmac: Disable ACS Feature for GMAC >= 4
    - packet: fix bitfield update race
    - pppoe: check sockaddr length in pppoe_connect()
    - Revert "macsec: missing dev_put() on error in macsec_newlink()"
    - sctp: do not check port in sctp_inet6_cmp_addr
    - strparser: Do not call mod_delayed_work with a timeout of LONG_MAX
    - strparser: Fix incorrect strp->need_bytes value.
    - tcp: clear tp->packets_out when purging write queue
    - tcp: don't read out-of-bounds opsize
    - tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets
    - team: avoid adding twice the same option to the event list
    - team: fix netconsole setup over team
    - tipc: add policy for TIPC_NLA_NET_ADDR
    - vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi
    - vmxnet3: fix incorrect dereference when rxvlan is disabled
    - [amd64,arm64] amd-xgbe: Add pre/post auto-negotiation phy hooks
    - [amd64,arm64] amd-xgbe: Improve KR auto-negotiation and training
    - [amd64,arm64] amd-xgbe: Only use the SFP supported transceiver signals
    - net: sched: ife: signal not finding metaid
    - net: sched: ife: handle malformed tlv length
    - net: sched: ife: check on metadata length
    - l2tp: hold reference on tunnels in netlink dumps
    - l2tp: hold reference on tunnels printed in pppol2tp proc file
    - l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file
    - l2tp: fix {pppol2tp, l2tp_dfs}_seq_stop() in case of seq_file overflow
    - llc: hold llc_sap before release_sock()
    - llc: fix NULL pointer deref for SOCK_ZAPPED
    - [s390x] qeth: fix error handling in adapter command callbacks
    - [s390x] qeth: avoid control IO completion stalls
    - [s390x] qeth: handle failure on workqueue creation
    - [armhf] net: ethernet: ti: cpsw: fix tx vlan priority mapping
    - net: validate attribute sizes in neigh_dump_table()
    - bnxt_en: Fix memory fault in bnxt_ethtool_init()
    - virtio-net: add missing virtqueue kick when flushing packets
    - VSOCK: make af_vsock.ko removable again
    - net: aquantia: Regression on reset with 1.x firmware
    - tun: fix vlan packet truncation
    - net: aquantia: oops when shutdown on already stopped device
    - virtio_net: split out ctrl buffer
    - virtio_net: fix adding vids on big-endian
    - Revert "mm/hmm: fix header file if/else/endif maze"
    - commoncap: Handle memory allocation failure.
    - scsi: mptsas: Disable WRITE SAME
    - cdrom: information leak in cdrom_ioctl_media_changed() (CVE-2018-10940)
    - fsnotify: Fix fsnotify_mark_connector race
    - [m68k] mac: Don't remap SWIM MMIO region
    - [m68k] block/swim: Check drive type
    - [m68k] block/swim: Don't log an error message for an invalid ioctl
    - [m68k] block/swim: Remove extra put_disk() call from error path
    - [m68k] block/swim: Rename macros to avoid inconsistent inverted logic
    - [m68k] block/swim: Select appropriate drive on device open
    - [m68k] block/swim: Fix array bounds check
    - [m68k] block/swim: Fix IO error at end of medium
    - tracing: Fix missing tab for hwlat_detector print format
    - hwmon: (k10temp) Add temperature offset for Ryzen 2700X
    - hwmon: (k10temp) Add support for AMD Ryzen w/ Vega graphics
    - [s390x] cio: update chpid descriptor after resource accessibility event
    - [s390x] dasd: fix IO error for newly defined devices
    - [s390x] uprobes: implement arch_uretprobe_is_alive()
    - [s390x] cpum_cf: rename IBM z13/z14 counter names
    - kprobes: Fix random address output of blacklist file
    - ACPI / video: Only default only_lcd to true on Win8-ready _desktops_
    - ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS
    - ext4: set h_journal if there is a failure starting a reserved handle
    - ext4: add MODULE_SOFTDEP to ensure crc32c is included in the initramfs
    - random: set up the NUMA crng instances after the CRNG is fully
    - random: fix possible sleeping allocation from irq context
    - random: rate limit unseeded randomness warnings
    - usbip: usbip_event: fix to not print kernel pointer address
    - usbip: usbip_host: fix to hold parent lock for device_attach() calls
    - usbip: vhci_hcd: Fix usb device and sockfd leaks
    - usbip: vhci_hcd: check rhport before using in vhci_hub_control()
    - Revert "xhci: plat: Register shutdown for xhci_plat"
    - xhci: Fix USB ports for Dell Inspiron 5775
    - USB: serial: simple: add libtransistor console
    - USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster
    - USB: serial: cp210x: add ID for NI USB serial console
    - [arm64] serial: mvebu-uart: Fix local flags handling on termios update
    - usb: typec: ucsi: Increase command completion timeout value
    - usb: core: Add quirk for HP v222w 16GB Mini
    - USB: Increment wakeup count on remote wakeup.
    - ALSA: usb-audio: Skip broken EU on Dell dock USB-audio
    - virtio: add ability to iterate over vqs
    - virtio_console: don't tie bufs to a vq
    - virtio_console: free buffers after reset
    - virtio_console: drop custom control queue cleanup
    - virtio_console: move removal code
    - virtio_console: reset on out of memory
    - drm/virtio: fix vq wait_event condition
    - tty: Don't call panic() at tty_ldisc_init()
    - tty: n_gsm: Fix long delays with control frame timeouts in ADM mode
    - tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set
    - tty: Avoid possible error pointer dereference at tty_ldisc_restore().
    - tty: Use __GFP_NOFAIL for tty_ldisc_get()
    - ALSA: dice: fix OUI for TC group
    - ALSA: dice: fix error path to destroy initialized stream data
    - ALSA: hda - Skip jack and others for non-existing PCM streams
    - ALSA: opl3: Hardening for potential Spectre v1
    - ALSA: asihpi: Hardening for potential Spectre v1
    - ALSA: hdspm: Hardening for potential Spectre v1
    - ALSA: rme9652: Hardening for potential Spectre v1
    - ALSA: control: Hardening for potential Spectre v1
    - ALSA: pcm: Return negative delays from SNDRV_PCM_IOCTL_DELAY.
    - ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr
    - ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device
    - ALSA: seq: oss: Hardening for potential Spectre v1
    - ALSA: hda: Hardening for potential Spectre v1
    - ALSA: hda/realtek - Add some fixes for ALC233
    - ALSA: hda/realtek - Update ALC255 depop optimize
    - ALSA: hda/realtek - change the location for one of two front mics
    - mtd: spi-nor: cadence-quadspi: Fix page fault kernel panic
    - mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.
    - mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.
    - mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.
    - mtd: rawnand: tango: Fix struct clk memory leak
    - mtd: rawnand: marvell: fix the chip-select DT parsing logic
    - kobject: don't use WARN for registration failures
    - scsi: sd_zbc: Avoid that resetting a zone fails sporadically
    - scsi: sd: Defer spinning up drive while SANITIZE is in progress
    - blk-mq: start request gstate with gen 1
    - bfq-iosched: ensure to clear bic/bfqq pointers when preparing request
    - block: do not use interruptible wait anywhere
    - [s390x] vfio: ccw: process ssch with interrupts disabled
    - [arm64] PCI: aardvark: Fix logic in advk_pcie_{rd,wr}_conf()
    - [arm64] PCI: aardvark: Set PIO_ADDR_LS correctly in advk_pcie_rd_conf()
    - [arm64] PCI: aardvark: Use ISR1 instead of ISR0 interrupt in legacy irq
    - [arm64] PCI: aardvark: Fix PCIe Max Read Request Size setting
    - [armhf,arm64] KVM: Close VMID generation race
    - [powerpc*] mm: Flush cache on memory hot(un)plug
    - [powerpc*] mce: Fix a bug where mce loops on memory UE.
    - [powerpc*] powernv/npu: Do a PID GPU TLB flush when invalidating a large
      address range
    - crypto: drbg - set freed buffers to NULL
    - libceph: un-backoff on tick when we have a authenticated session
    - libceph: reschedule a tick in finish_hunting()
    - libceph: validate con->state at the top of try_write()
    - PCI / PM: Do not clear state_saved in pci_pm_freeze() when smart suspend
      is set
    - module: Fix display of wrong module .text address
    - earlycon: Use a pointer table to fix __earlycon_table stride
    - [powerpc*] cpufreq: powernv: Fix hardlockup due to synchronous smp_call
      in timer interrupt
    - [powerpc*] rtc: opal: Fix OPAL RTC driver OPAL_BUSY loops
    - drm/edid: Reset more of the display info
    - drm/amdgpu: set COMPUTE_PGM_RSRC1 for SGPR/VGPR clearing shaders
    - [x86] drm/i915/fbdev: Enable late fbdev initial configuration
    - [x86] drm/i915/audio: set minimum CD clock to twice the BCLK
    - [x86] drm/i915: Enable display WA#1183 from its correct spot
    - drm/amd/display: Fix deadlock when flushing irq
    - drm/amd/display: Don't read EDID in atomic_check
    - drm/amd/display: Disallow enabling CRTC without primary plane with FB
    - objtool, perf: Fix GCC 8 -Wrestrict error
    - [x86] ipc: Fix x32 version of shmid64_ds and msqid64_ds
    - [x86] smpboot: Don't use mwait_play_dead() on AMD systems
    - [x86] microcode/intel: Save microcode patch unconditionally
    - [x86] microcode: Do not exit early from __reload_late()
    - tick/sched: Do not mess with an enqueued hrtimer
    - [x86] crypto: ccp - add check to get PSP master only when PSP is
    - [armhf,arm64] KVM: Add PSCI version selection API
    - ACPI / button: make module loadable when booted in non-ACPI mode
    - [arm64] Add work around for Arm Cortex-A55 Erratum 1024718
    - ALSA: hda - Fix incorrect usage of IS_REACHABLE()
    - ALSA: pcm: Check PCM state at xfern compat ioctl
    - ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
    - ALSA: dice: fix kernel NULL pointer dereference due to invalid
      calculation for array index
    - ALSA: aloop: Mark paused device as inactive
    - ALSA: aloop: Add missing cable lock to ctl API callbacks
    - errseq: Always report a writeback error once
    - tracepoint: Do not warn on ENOMEM
    - scsi: target: Fix fortify_panic kernel exception
    - Input: leds - fix out of bound access
    - Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook
    - swiotlb: fix inversed DMA_ATTR_NO_WARN test
    - rtlwifi: cleanup 8723be ant_sel definition
    - xfs: prevent creating negative-sized file via INSERT_RANGE
    - RDMA/cxgb4: release hw resources on device removal
    - RDMA/ucma: Allow resolving address w/o specifying source address
    - RDMA/mlx5: Fix multiple NULL-ptr deref errors in rereg_mr flow
    - RDMA/mlx4: Add missed RSS hash inner header flag
    - RDMA/mlx5: Protect from shift operand overflow
    - NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2
    - IB/mlx5: Use unlimited rate when static rate is not supported
    - infiniband: mlx5: fix build errors when INFINIBAND_USER_ACCESS=m
    - IB/hfi1: Fix handling of FECN marked multicast packet
    - IB/hfi1: Fix loss of BECN with AHG
    - IB/hfi1: Fix NULL pointer dereference when invalid num_vls is used
    - iw_cxgb4: Atomically flush per QP HW CQEs
    - btrfs: Take trans lock before access running trans in check_delayed_ref
    - [arm64,armhf] drm/vc4: Make sure vc4_bo_{inc,dec}_usecnt() calls are
    - [x86] drm/vmwgfx: Fix a buffer object leak
    - drm/bridge: vga-dac: Fix edid memory leak
    - xhci: Fix use-after-free in xhci_free_virt_device
    - USB: serial: visor: handle potential invalid device configuration
    - [arm64,armhf] usb: dwc3: gadget: Fix list_del corruption in
    - USB: Accept bulk endpoints with 1024-byte maxpacket
    - USB: serial: option: reimplement interface masking
    - USB: serial: option: adding support for ublox R410M
    - [arm64,armhf] usb: musb: host: fix potential NULL pointer dereference
    - [arm64, armhf] usb: musb: trace: fix NULL pointer dereference in
    - [x86] platform/x86: asus-wireless: Fix NULL pointer dereference
    - [x86] platform/x86: Kconfig: Fix dell-laptop dependency chain.
    - [x86] KVM: remove APIC Timer periodic/oneshot spikes
    - [x86] tsc: Always unregister clocksource_tsc_early
    - [x86] tsc: Fix mark_tsc_unstable()
    - [arm64] irqchip/qcom: Fix check for spurious interrupts
    - clocksource: Allow clocksource_mark_unstable() on unregistered
    - clocksource: Initialize cs->wd_list
    - clocksource: Consistent de-rate when marking unstable
    - tracing: Fix bad use of igrab in trace_uprobe.c
    - ipvs: fix rtnl_lock lockups caused by start_sync_thread
    - netfilter: ebtables: don't attempt to allocate 0-sized compat array
    - clk: ti: fix flag space conflict with clkctrl clocks
    - rds: tcp: must use spin_lock_irq* and not spin_lock_bh with
    - crypto: af_alg - fix possible uninit-value in alg_bind()
    - netlink: fix uninit-value in netlink_sendmsg
    - net: fix rtnh_ok()
    - net: initialize skb->peeked when cloning
    - net: fix uninit-value in __hw_addr_add_ex()
    - dccp: initialize ireq->ir_mark
    - ipv4: fix uninit-value in ip_route_output_key_hash_rcu()
    - soreuseport: initialise timewait reuseport field
    - inetpeer: fix uninit-value in inet_getpeer
    - bpf/tracing: fix a deadlock in perf_event_detach_bpf_prog
    - memcg: fix per_node_info cleanup
    - perf: Remove superfluous allocation error check
    - i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr()
    - tcp: fix TCP_REPAIR_QUEUE bound checking
    - bdi: wake up concurrent wb_shutdown() callers.
    - bdi: Fix use after free bug in debugfs_remove()
    - bdi: Fix oops in wb_workfn()
    - compat: fix 4-byte infoleak via uninitialized struct field
    - gpioib: do not free unrequested descriptors
    - gpio: fix error path in lineevent_create
    - rfkill: gpio: fix memory leak in probe error path
    - libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs
    - dm integrity: use kvfree for kvmalloc'd memory
    - tracing: Fix regex_match_front() to not over compare the test string
    - mm: sections are not offlined during memory hotremove
    - mm, oom: fix concurrent munlock and oom reaper unmap (CVE-2018-1000200)
    - ceph: fix rsize/wsize capping in ceph_direct_read_write()
    - can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg()
    - [armhf,arm64] drm/vc4: Fix scaling of uni-planar formats
    - drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages
    - [x86] drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log
    - [x86] drm/i915: Adjust eDP's logical vco in a reliable place.
    - drm/nouveau: Fix deadlock in nv50_mstm_register_connector()
      (Closes: #898825)
    - drm/nouveau/ttm: don't dereference nvbo::cli, it can outlive client
    - drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear()
    - drm/atomic: Clean private obj old_state/new_state in
    - net: atm: Fix potential Spectre v1
    - atm: zatm: Fix potential Spectre v1
    - PCI / PM: Always check PME wakeup capability for runtime wakeup support
    - PCI / PM: Check device_may_wakeup() in pci_enable_wake()
    - cpufreq: schedutil: Avoid using invalid next_freq
    - Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174"
    - [x86] Bluetooth: btusb: Add Dell XPS 13 9360 to
    - Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome
    - [armhf] thermal: exynos: Reading temperature makes sense only when TMU is
      turned on
    - [armhf] thermal: exynos: Propagate error value from tmu_read()
    - nvme: add quirk to force medium priority for SQ creation
    - nvme: Fix sync controller reset return
    - smb3: directory sync should not return an error
    - swiotlb: silent unwanted warning "buffer is full"
    - sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[]
    - sched/autogroup: Fix possible Spectre-v1 indexing for
    - tracing/uprobe_event: Fix strncpy corner case
    - [x86] perf: Fix possible Spectre-v1 indexing for hw_perf_event cache_*
    - [x86] perf/cstate: Fix possible Spectre-v1 indexing for pkg_msr
    - [x86] perf/msr: Fix possible Spectre-v1 indexing in the MSR driver
    - perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]
    - [x86] perf: Fix possible Spectre-v1 indexing for x86_pmu::event_map()
    - 8139too: Use disable_irq_nosync() in rtl8139_poll_controller()
    - bridge: check iface upper dev when setting master via ioctl
    - dccp: fix tasklet usage
    - ipv4: fix fnhe usage by non-cached routes
    - ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
    - llc: better deal with too small mtu
    - net: ethernet: sun: niu set correct packet size in skb
    - [armhf] net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode
    - net/mlx4_en: Fix an error handling path in 'mlx4_en_init_netdev()'
    - net/mlx4_en: Verify coalescing parameters are in range
    - net/mlx5e: Err if asked to offload TC match on frag being first
    - net/mlx5: E-Switch, Include VF RDMA stats in vport statistics
    - net sched actions: fix refcnt leak in skbmod
    - net_sched: fq: take care of throttled flows before reuse
    - net: support compat 64-bit time in {s,g}etsockopt
    - openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is
    - qmi_wwan: do not steal interfaces from class drivers
    - r8169: fix powering up RTL8168h
    - rds: do not leak kernel memory to user land
    - sctp: delay the authentication for the duplicated cookie-echo chunk
    - sctp: fix the issue that the cookie-ack with auth can't get processed
    - sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr
    - sctp: remove sctp_chunk_put from fail_mark err path in
    - sctp: use the old asoc when making the cookie-ack chunk in dupcook_d
    - tcp_bbr: fix to zero idle_restart only upon S/ACKed data
    - tcp: ignore Fast Open on repair mode
    - tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent().
    - bonding: do not allow rlb updates to invalid mac
    - bonding: send learning packets for vlans on slave
    - net: sched: fix error path in tcf_proto_create() when modules are not
    - net/mlx5e: TX, Use correct counter in dma_map error flow
    - net/mlx5: Avoid cleaning flow steering table twice during error flow
    - [x86] hv_netvsc: set master device
    - ipv6: fix uninit-value in ip6_multipath_l3_keys()
    - net/mlx5e: Allow offloading ipv4 header re-write for icmp
    - udp: fix SO_BINDTODEVICE
    - net/mlx5e: DCBNL fix min inline header size for dscp
    - sctp: clear the new asoc's stream outcnt in sctp_stream_update
    - tcp: restore autocorking
    - tipc: fix one byte leak in tipc_sk_set_orig_addr()
    - [x86] hv_netvsc: Fix net device attach on older Windows hosts
    - ipv4: reset fnhe_mtu_locked after cache route flushed
    - net/mlx5: Fix mlx5_get_vector_affinity function
    - net: phy: sfp: fix the BR,min computation
    - net/smc: keep clcsock reference in smc_tcp_listen_work()
    - scsi: aacraid: Correct hba_send to include iu_type
    - proc: do not access cmdline nor environ from file-backed areas
    - xhci: Fix USB3 NULL pointer dereference at logical disconnect.
    - usbip: usbip_host: refine probe and disconnect debug msgs to be useful
    - usbip: usbip_host: delete device from busid_table after rebind
    - usbip: usbip_host: run rebind from exit when module is removed
    - usbip: usbip_host: fix NULL-ptr deref and use-after-free errors
    - usbip: usbip_host: fix bad unlock balance during stub_probe()
    - ALSA: usb: mixer: volume quirk for CM102-A+/102S+
    - ALSA: hda/realtek - Clevo P950ER ALC1220 Fixup
    - ALSA: hda: Add Lenovo C50 All in one to the power_save blacklist
    - ALSA: control: fix a redundant-copy issue
    - [amd64] spi: pxa2xx: Allow 64-bit DMA
    - KVM: vmx: update sec exec controls for UMIP iff emulating UMIP
    - [armhf,arm64] KVM: Properly protect VGIC locks from IRQs
    - [armhf,arm64] KVM: VGIC/ITS: Promote irq_lock() in update_affinity
    - [armhf,arm64] KVM: VGIC/ITS save/restore: protect kvm_read_guest() calls
    - [armhf,arm64] KVM: VGIC/ITS: protect kvm_read_guest() calls with SRCU
    - hwmon: (k10temp) Fix reading critical temperature register
    - hwmon: (k10temp) Use API function to access System Management Network
    - [s390x] vfio: ccw: fix cleanup if cp_prefetch fails
    - tracing/x86/xen: Remove zero data size trace events
    - vsprintf: Replace memory barrier with static_key for random_ptr_key
    - [x86] amd_nb: Add support for Raven Ridge CPUs
    - [arm64] tee: shm: fix use-after-free via temporarily dropped reference
    - netfilter: nf_tables: free set name in error path
    - netfilter: nf_tables: can't fail after linking rule into active rule
    - netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static
    - [arm64] dts: marvell: armada-cp110: Add clocks for the xmdio node
    - [arm64] dts: marvell: armada-cp110: Add mg_core_clk for ethernet node
    - i2c: designware: fix poll-after-enable regression
    - mtd: rawnand: marvell: Fix read logic for layouts with ->nchunks > 2
    - [powerpc*] powerpc/powernv: Fix NVRAM sleep in invalid context when
    - drm: Match sysfs name in link removal to link creation
    - radix tree: fix multi-order iteration race
    - mm: don't allow deferred pages with NEED_PER_CPU_KM
    - [x86] drm/i915/gen9: Add WaClearHIZ_WM_CHICKEN3 for bxt and glk
    - [s390x] qdio: fix access to uninitialized qdio_q fields
    - [s390x] cpum_sf: ensure sample frequency of perf event attributes is
    - [s390x] qdio: don't release memory in qdio_setup_irq()
    - [s390x] remove indirect branch from do_softirq_own_stack
    - bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n
    - [x86] pkeys: Override pkey when moving away from PROT_EXEC
    - [x86] pkeys: Do not special case protection key 0
    - efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32'
      definition for mixed mode
    - [arm*] 8771/1: kprobes: Prohibit kprobes on do_undefinstr
    - [x86] apic/x2apic: Initialize cluster ID properly
    - [x86] mm: Drop TS_COMPAT on 64-bit exec() syscall
    - tick/broadcast: Use for_each_cpu() specially on UP kernels
    - [arm*] 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed
    - [arm*] 8770/1: kprobes: Prohibit probing on optimized_callback
    - [arm*] 8772/1: kprobes: Prohibit kprobes on get_user functions
    - Btrfs: fix xattr loss after power failure
    - Btrfs: send, fix invalid access to commit roots due to concurrent
    - btrfs: property: Set incompat flag if lzo/zstd compression is set
    - btrfs: fix crash when trying to resume balance without the resume flag
    - btrfs: Split btrfs_del_delalloc_inode into 2 functions
    - btrfs: Fix delalloc inodes invalidation during transaction abort
    - btrfs: fix reading stale metadata blocks after degraded raid1 mounts
    - x86/nospec: Simplify alternative_msr_write()
    - x86/bugs: Concentrate bug detection into a separate function
    - x86/bugs: Concentrate bug reporting into a separate function
    - x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits
    - x86/bugs, KVM: Support the combination of guest and host IBRS
    - x86/bugs: Expose /sys/../spec_store_bypass
    - x86/cpufeatures: Add X86_FEATURE_RDS
    - x86/bugs: Provide boot parameters for the spec_store_bypass_disable
    - x86/bugs/intel: Set proper CPU features and setup RDS
    - x86/bugs: Whitelist allowed SPEC_CTRL MSR values
    - x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if requested
    - x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest
    - x86/speculation: Create spec-ctrl.h to avoid include hell
    - prctl: Add speculation control prctls
    - x86/process: Allow runtime control of Speculative Store Bypass
    - x86/speculation: Add prctl for Speculative Store Bypass mitigation
    - nospec: Allow getting/setting on non-current task
    - proc: Provide details on speculation flaw mitigations
    - seccomp: Enable speculation flaw mitigations
    - x86/bugs: Make boot modes __ro_after_init
    - prctl: Add force disable speculation
    - seccomp: Use PR_SPEC_FORCE_DISABLE
    - seccomp: Add filter flag to opt-out of SSB mitigation
    - seccomp: Move speculation migitation control to arch code
    - x86/speculation: Make "seccomp" the default mode for Speculative Store
    - x86/bugs: Rename _RDS to _SSBD
    - proc: Use underscores for SSBD in 'status'
    - Documentation/spec_ctrl: Do some minor cleanups
    - x86/bugs: Fix __ssb_select_mitigation() return type
    - x86/bugs: Make cpu_show_common() static
    - x86/bugs: Fix the parameters alignment and missing void
    - x86/cpu: Make alternative_msr_write work for 32-bit code
    - KVM: SVM: Move spec control call after restore of GS
    - x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
    - x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS
    - x86/cpufeatures: Disentangle SSBD enumeration
    - x86/cpufeatures: Add FEATURE_ZEN
    - x86/speculation: Handle HT correctly on AMD
    - x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL
    - x86/speculation: Add virtualized speculative store bypass disable
    - x86/speculation: Rework speculative_store_bypass_update()
    - x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host}
    - x86/bugs: Expose x86_spec_ctrl_base directly
    - x86/bugs: Remove x86_spec_ctrl_set()
    - x86/bugs: Rework spec_ctrl base and mask logic
    - x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG
    - KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
    - x86/bugs: Rename SSBD_NO to SSB_NO
    - bpf: Prevent memory disambiguation attack
    - net/mlx5: Fix build break when CONFIG_SMP=n
    - net: Fix a bug in removing queues from XPS map
    - net/mlx4_core: Fix error handling in mlx4_init_port_info.
    - net/sched: fix refcnt leak in the error path of tcf_vlan_init()
    - net: sched: red: avoid hashing NULL child
    - net/smc: check for missing nlattrs in SMC_PNETID messages
    - net: test tailroom before appending to linear skb
    - packet: in packet_snd start writing at link layer allocation
    - sock_diag: fix use-after-free read in __sk_free
    - tcp: purge write queue in tcp_connect_init()
    - tun: fix use after free for ptr_ring
    - tuntap: fix use after free during release
    - cxgb4: Correct ntuple mask validation for hash filters
    - [armhf] net: dsa: bcm_sf2: Fix RX_CLS_LOC_ANY overwrite for last rule
    - net: dsa: Do not register devlink for unused ports
    - [armhf] net: dsa: bcm_sf2: Fix IPv6 rules and chain ID
    - [armhf] net: dsa: bcm_sf2: Fix IPv6 rule half deletion
    - 3c59x: convert to generic DMA API
    - cxgb4: fix offset in collecting TX rate limit info
    - vmxnet3: set the DMA mask before the first DMA map operation
    - vmxnet3: use DMA memory barriers where required
    - net: ip6_gre: Request headroom in __gre6_xmit()
    - net: ip6_gre: Fix headroom request in ip6erspan_tunnel_xmit()
    - net: ip6_gre: Split up ip6gre_tnl_link_config()
    - net: ip6_gre: Split up ip6gre_tnl_change()
    - net: ip6_gre: Split up ip6gre_newlink()
    - net: ip6_gre: Split up ip6gre_changelink()
    - net: ip6_gre: Fix ip6erspan hlen calculation
    - net: ip6_gre: fix tunnel metadata device sharing.
    - [sparc*]: vio: use put_device() instead of kfree()
    - ext2: fix a block leak
    - [powerpc*] rfi-flush: Always enable fallback flush on pseries
    - [powerpc*] Add security feature flags for Spectre/Meltdown
    - [powerpc*] pseries: Add new H_GET_CPU_CHARACTERISTICS flags
    - [powerpc*] pseries: Set or clear security feature flags
    - [powerpc*] powerpc/powernv: Set or clear security feature flags
    - [powerpc*] powerpc/64s: Move cpu_show_meltdown()
    - [powerpc*] powerpc/64s: Enhance the information in cpu_show_meltdown()
    - [powerpc*] powerpc/powernv: Use the security flags in
    - [powerpc*] powerpc/pseries: Use the security flags in
    - [powerpc*] powerpc/64s: Wire up cpu_show_spectre_v1()
    - [powerpc*] powerpc/64s: Wire up cpu_show_spectre_v2()
    - [powerpc*] powerpc/pseries: Fix clearing of security feature flags
    - [powerpc*] powerpc: Move default security feature flags
    - [powerpc*] powerpc/64s: Add support for a store forwarding barrier at
      kernel entry/exit
    - [s390x] move nobp parameter functions to nospec-branch.c
    - [s390x] add automatic detection of the spectre defense
    - [s390x] report spectre mitigation via syslog
    - [s390x] add sysfs attributes for spectre
    - [s390x] add assembler macros for CPU alternatives
    - [s390x] correct nospec auto detection init order
    - [s390x] correct module section names for expoline code revert
    - [s390x] move expoline assembler macros to a header
    - [s390x] crc32-vx: use expoline for indirect branches
    - [s390x] lib: use expoline for indirect branches
    - [s390x] ftrace: use expoline for indirect branches
    - [s390x] kernel: use expoline for indirect branches
    - [s390x] move spectre sysfs attribute code
    - [s390x] extend expoline to BC instructions
    - [s390x] use expoline thunks in the BPF JIT
    - scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
    - [s390x] scsi: zfcp: fix infinite iteration on ERP ready list
    - Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB
    - ALSA: usb-audio: Add native DSD support for Luxman DA-06
    - [arm64,armhf] usb: dwc3: Add SoftReset PHY synchonization delay
    - [arm64,armhf] usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields
    - [arm64,armhf] usb: dwc3: Makefile: fix link error on randconfig
    - xhci: zero usb device slot_id member when disabling and freeing a xhci slot
    - [arm64,armhf] usb: dwc2: Fix interval type issue
    - [arm64,armhf] usb: dwc2: hcd: Fix host channel halt flow
    - [arm64,armhf] usb: dwc2: host: Fix transaction errors in host mode
    - usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS
    - media: em28xx: USB bulk packet size fix
    - Bluetooth: btusb: Add device ID for RTL8822BE
    - Bluetooth: btusb: Add support for Intel Bluetooth device 22560
    - xhci: Show what USB release number the xHC supports from protocol
    - loop: don't call into filesystem while holding lo_ctl_mutex
    - loop: fix LOOP_GET_STATUS lock imbalance
    - cfg80211: limit wiphy names to 128 bytes
    - hfsplus: stop workqueue when fill_super() failed
    - [x86] kexec: Avoid double free_page() upon do_kexec_load() failure
    - staging: bcm2835-audio: Release resources on module_exit()
    - staging: lustre: fix bug in osc_enter_cache_try
    - [x86] staging: rtl8192u: return -ENOMEM on failed allocation of
    - staging: lustre: lmv: correctly iput lmo_root
    - [arm64] crypto: inside-secure - move the digest to the request context
    - [arm64] crypto: inside-secure - wait for the request to complete if in
      the backlog
    - [x86] crypto: ccp - don't disable interrupts while setting up debugfs
    - [arm64] crypto: inside-secure - do not process request if no command was
    - [arm64] crypto: inside-secure - fix the cache_len computation
    - [arm64] crypto: inside-secure - fix the extra cache computation
    - [arm64] crypto: inside-secure - do not overwrite the threshold value
    - [armhf] crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss
    - [arm64] crypto: inside-secure - fix the invalidation step during
    - scsi: aacraid: Insure command thread is not recursively stopped
    - scsi: devinfo: add HP DISK-SUBSYSTEM device, for HP XP arrays
    - scsi: lpfc: Fix NVME Initiator FirstBurst
    - scsi: core: Make SCSI Status CONDITION MET equivalent to GOOD
    - scsi: mvsas: fix wrong endianness of sgpio api
    - scsi: lpfc: Fix issue_lip if link is disabled
    - scsi: lpfc: Fix nonrecovery of NVME controller after cable swap.
    - scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing
    - scsi: lpfc: Fix IO failure during hba reset testing with nvme io.
    - scsi: lpfc: Fix frequency of Release WQE CQEs
    - [armhf] clk: rockchip: Fix wrong parent for SDMMC phase clock for rk3228
    - clk: Don't show the incorrect clock phase
    - clk: hisilicon: mark wdt_mux_p[] as const
    - [arm64,armhf] clk: tegra: Fix pll_u rate configuration
    - [armhf] clk: rockchip: Prevent calculating mmc phase if clock rate is
    - [armhf] clk: samsung: s3c2410: Fix PLL rates
    - [armhf] clk: samsung: exynos7: Fix PLL rates
    - [armhf] clk: samsung: exynos5260: Fix PLL rates
    - [armhf] clk: samsung: exynos5433: Fix PLL rates
    - [armhf] clk: samsung: exynos5250: Fix PLL rates
    - [armhf] clk: samsung: exynos3250: Fix PLL rates
    - clk: meson: axg: fix the od shift of the sys_pll
    - clk: meson: axg: add the fractional part of the fixed_pll
    - media: cx23885: Override 888 ImpactVCBe crystal frequency
    - media: cx23885: Set subdev host data to clk_freq pointer
    - media: em28xx: Add Hauppauge SoloHD/DualHD bulk models
    - media: v4l: vsp1: Fix display stalls when requesting too many inputs
    - media: i2c: adv748x: fix HDMI field heights
    - media: vb2: Fix videobuf2 to map correct area
    - media: vivid: fix incorrect capabilities for radio
    - media: cx25821: prevent out-of-bounds read on array card
    - [arm64] serial: mvebu-uart: fix tx lost characters
    - [sh4] serial: sh-sci: Fix out-of-bounds access through DT alias
    - [armhf] serial: samsung: Fix out-of-bounds access through serial port
    - [armhf] serial: imx: Fix out-of-bounds access through serial port index
    - [armhf] serial: arc_uart: Fix out-of-bounds access through DT alias
    - [arm*] serial: 8250: Don't service RX FIFO if interrupts are disabled
    - [armhf] rtc: snvs: Fix usage of snvs_rtc_enable
    - rtc: hctosys: Ensure system time doesn't overflow time_t
    - [arm64,armhf] rtc: rk808: fix possible race condition
    - [armel/marvell] rtc: m41t80: fix race conditions
    - [m68k] rtc: rp5c01: fix possible race condition

  [ Romain Perier ]
  * [armhf] DRM: Enable DW_HDMI_AHB_AUDIO and DW_HDMI_CEC (Closes: #897204)
  * [armhf] MFD: Enable MFD_TPS65217 (Closes: #897590)

  [ Ben Hutchings ]
  * kbuild: use -fmacro-prefix-map to make __FILE__ a relative path
  * Bump ABI to 2
  * [rt] Update to 4.16.8-rt3
  * [x86] KVM: VMX: Expose SSBD properly to guests.

  [ Salvatore Bonaccorso ]
  * [rt] Update to 4.16.7-rt1 and reenable
  * [rt] certs: Reference certificate for test key used in Debian signing
parents 44a45543 f34edc87
......@@ -198,7 +198,6 @@
#define X86_FEATURE_CAT_L2 ( 7*32+ 5) /* Cache Allocation Technology L2 */
#define X86_FEATURE_CDP_L3 ( 7*32+ 6) /* Code and Data Prioritization L3 */
#define X86_FEATURE_INVPCID_SINGLE ( 7*32+ 7) /* Effectively INVPCID && CR4.PCIDE=1 */
#define X86_FEATURE_HW_PSTATE ( 7*32+ 8) /* AMD HW-PState */
#define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
#define X86_FEATURE_SME ( 7*32+10) /* AMD Secure Memory Encryption */
......@@ -207,13 +206,19 @@
#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */
#define X86_FEATURE_INTEL_PPIN ( 7*32+14) /* Intel Processor Inventory Number */
#define X86_FEATURE_CDP_L2 ( 7*32+15) /* Code and Data Prioritization L2 */
#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */
#define X86_FEATURE_SSBD ( 7*32+17) /* Speculative Store Bypass Disable */
#define X86_FEATURE_MBA ( 7*32+18) /* Memory Bandwidth Allocation */
#define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* "" Fill RSB on context switches */
#define X86_FEATURE_SEV ( 7*32+20) /* AMD Secure Encrypted Virtualization */
#define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */
#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */
#define X86_FEATURE_LS_CFG_SSBD ( 7*32+24) /* "" AMD SSBD implementation via LS_CFG MSR */
#define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
#define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */
#define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
/* Virtualization flags: Linux defined, word 8 */
#define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
......@@ -274,9 +279,10 @@
#define X86_FEATURE_CLZERO (13*32+ 0) /* CLZERO instruction */
#define X86_FEATURE_IRPERF (13*32+ 1) /* Instructions Retired Count */
#define X86_FEATURE_XSAVEERPTR (13*32+ 2) /* Always save/restore FP error pointers */
#define X86_FEATURE_IBPB (13*32+12) /* Indirect Branch Prediction Barrier */
#define X86_FEATURE_IBRS (13*32+14) /* Indirect Branch Restricted Speculation */
#define X86_FEATURE_STIBP (13*32+15) /* Single Thread Indirect Branch Predictors */
#define X86_FEATURE_AMD_IBPB (13*32+12) /* "" Indirect Branch Prediction Barrier */
#define X86_FEATURE_AMD_IBRS (13*32+14) /* "" Indirect Branch Restricted Speculation */
#define X86_FEATURE_AMD_STIBP (13*32+15) /* "" Single Thread Indirect Branch Predictors */
#define X86_FEATURE_VIRT_SSBD (13*32+25) /* Virtualized Speculative Store Bypass Disable */
/* Thermal and Power Management Leaf, CPUID level 0x00000006 (EAX), word 14 */
#define X86_FEATURE_DTHERM (14*32+ 0) /* Digital Thermal Sensor */
......@@ -333,6 +339,7 @@
#define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */
#define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */
#define X86_FEATURE_SPEC_CTRL_SSBD (18*32+31) /* "" Speculative Store Bypass Disable */
* BUG word(s)
......@@ -362,5 +369,6 @@
#define X86_BUG_CPU_MELTDOWN X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */
#define X86_BUG_SPECTRE_V1 X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */
#define X86_BUG_SPECTRE_V2 X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */
#define X86_BUG_SPEC_STORE_BYPASS X86_BUG(17) /* CPU is affected by speculative store bypass attack */
#endif /* _ASM_X86_CPUFEATURES_H */
......@@ -933,7 +933,7 @@ struct kvm_x86_ops {
int (*hardware_setup)(void); /* __init */
void (*hardware_unsetup)(void); /* __exit */
bool (*cpu_has_accelerated_tpr)(void);
bool (*cpu_has_high_real_mode_segbase)(void);
bool (*has_emulated_msr)(int index);
void (*cpuid_update)(struct kvm_vcpu *vcpu);
int (*vm_init)(struct kvm *kvm);
......@@ -192,7 +192,7 @@ static inline int init_new_context(struct task_struct *tsk,
if (cpu_feature_enabled(X86_FEATURE_OSPKE)) {
/* pkey 0 is the default and always allocated */
/* pkey 0 is the default and allocated implicitly */
mm->context.pkey_allocation_map = 0x1;
/* -1 means unallocated or invalid */
mm->context.execute_only_pkey = -1;
......@@ -42,6 +42,8 @@
#define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */
#define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */
#define SPEC_CTRL_STIBP (1 << 1) /* Single Thread Indirect Branch Predictors */
#define SPEC_CTRL_SSBD_SHIFT 2 /* Speculative Store Bypass Disable bit */
#define SPEC_CTRL_SSBD (1 << SPEC_CTRL_SSBD_SHIFT) /* Speculative Store Bypass Disable */
#define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */
#define PRED_CMD_IBPB (1 << 0) /* Indirect Branch Prediction Barrier */
......@@ -68,6 +70,11 @@
#define MSR_IA32_ARCH_CAPABILITIES 0x0000010a
#define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */
#define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */
#define ARCH_CAP_SSB_NO (1 << 4) /*
* Not susceptible to Speculative Store Bypass
* attack, so no Speculative Store Bypass
* control required.
#define MSR_IA32_BBL_CR_CTL 0x00000119
#define MSR_IA32_BBL_CR_CTL3 0x0000011e
......@@ -340,6 +347,8 @@
#define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f
/* Fam 17h MSRs */
#define MSR_F17H_IRPERF 0xc00000e9
......@@ -217,6 +217,14 @@ enum spectre_v2_mitigation {
/* The Speculative Store Bypass disable variants */
enum ssb_mitigation {
extern char __indirect_thunk_start[];
extern char __indirect_thunk_end[];
......@@ -241,22 +249,27 @@ static inline void vmexit_fill_RSB(void)
#define alternative_msr_write(_msr, _val, _feature) \
asm volatile(ALTERNATIVE("", \
"movl %[msr], %%ecx\n\t" \
"movl %[val], %%eax\n\t" \
"movl $0, %%edx\n\t" \
"wrmsr", \
_feature) \
: : [msr] "i" (_msr), [val] "i" (_val) \
: "eax", "ecx", "edx", "memory")
static __always_inline
void alternative_msr_write(unsigned int msr, u64 val, unsigned int feature)
asm volatile(ALTERNATIVE("", "wrmsr", %c[feature])
: : "c" (msr),
"a" ((u32)val),
"d" ((u32)(val >> 32)),
[feature] "i" (feature)
: "memory");
static inline void indirect_branch_prediction_barrier(void)
alternative_msr_write(MSR_IA32_PRED_CMD, PRED_CMD_IBPB,
u64 val = PRED_CMD_IBPB;
alternative_msr_write(MSR_IA32_PRED_CMD, val, X86_FEATURE_USE_IBPB);
/* The Intel SPEC CTRL MSR base value cache */
extern u64 x86_spec_ctrl_base;
* With retpoline, we must use IBRS to restrict branch prediction
* before calling into firmware.
......@@ -265,14 +278,18 @@ static inline void indirect_branch_prediction_barrier(void)
#define firmware_restrict_branch_speculation_start() \
do { \
u64 val = x86_spec_ctrl_base | SPEC_CTRL_IBRS; \
preempt_disable(); \
alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS, \
alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \
} while (0)
#define firmware_restrict_branch_speculation_end() \
do { \
alternative_msr_write(MSR_IA32_SPEC_CTRL, 0, \
u64 val = x86_spec_ctrl_base; \
alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \
preempt_enable(); \
} while (0)
......@@ -2,6 +2,8 @@
#ifndef _ASM_X86_PKEYS_H
#define _ASM_X86_PKEYS_H
#define arch_max_pkey() (boot_cpu_has(X86_FEATURE_OSPKE) ? 16 : 1)
extern int arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
......@@ -15,7 +17,7 @@ extern int __execute_only_pkey(struct mm_struct *mm);
static inline int execute_only_pkey(struct mm_struct *mm)
if (!boot_cpu_has(X86_FEATURE_OSPKE))
return 0;
return __execute_only_pkey(mm);
......@@ -49,13 +51,21 @@ bool mm_pkey_is_allocated(struct mm_struct *mm, int pkey)
* "Allocated" pkeys are those that have been returned
* from pkey_alloc(). pkey 0 is special, and never
* returned from pkey_alloc().
* from pkey_alloc() or pkey 0 which is allocated
* implicitly when the mm is created.
if (pkey <= 0)
if (pkey < 0)
return false;
if (pkey >= arch_max_pkey())
return false;
* The exec-only pkey is set in the allocation map, but
* is not available to any of the user interfaces like
* mprotect_pkey().
if (pkey == mm->context.execute_only_pkey)
return false;
return mm_pkey_allocation_map(mm) & (1U << pkey);
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _ASM_X86_SPECCTRL_H_
#define _ASM_X86_SPECCTRL_H_
#include <linux/thread_info.h>
#include <asm/nospec-branch.h>
* On VMENTER we must preserve whatever view of the SPEC_CTRL MSR
* the guest has, while on VMEXIT we restore the host view. This
* would be easier if SPEC_CTRL were architecturally maskable or
* shadowable for guests but this is not (currently) the case.
* Takes the guest view of SPEC_CTRL MSR as a parameter and also
* the guest's version of VIRT_SPEC_CTRL, if emulated.
extern void x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool guest);
* x86_spec_ctrl_set_guest - Set speculation control registers for the guest
* @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL
* @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL
* (may get translated to MSR_AMD64_LS_CFG bits)
* Avoids writing to the MSR if the content/bits are the same
static inline
void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, true);
* x86_spec_ctrl_restore_host - Restore host speculation control registers
* @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL
* @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL
* (may get translated to MSR_AMD64_LS_CFG bits)
* Avoids writing to the MSR if the content/bits are the same
static inline
void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, false);
/* AMD specific Speculative Store Bypass MSR data */
extern u64 x86_amd_ls_cfg_base;
extern u64 x86_amd_ls_cfg_ssbd_mask;
static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn)
return (tifn & _TIF_SSBD) >> (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
static inline unsigned long ssbd_spec_ctrl_to_tif(u64 spec_ctrl)
return (spec_ctrl & SPEC_CTRL_SSBD) << (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn)
return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL;
extern void speculative_store_bypass_ht_init(void);
static inline void speculative_store_bypass_ht_init(void) { }
extern void speculative_store_bypass_update(unsigned long tif);
static inline void speculative_store_bypass_update_current(void)
......@@ -79,6 +79,7 @@ struct thread_info {
#define TIF_SIGPENDING 2 /* signal pending */
#define TIF_NEED_RESCHED 3 /* rescheduling necessary */
#define TIF_SINGLESTEP 4 /* reenable singlestep on user return*/
#define TIF_SSBD 5 /* Reduced data speculation */
#define TIF_SYSCALL_EMU 6 /* syscall emulation active */
#define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */
#define TIF_SECCOMP 8 /* secure computing */
......@@ -105,6 +106,7 @@ struct thread_info {
#define _TIF_SSBD (1 << TIF_SSBD)
......@@ -144,7 +146,7 @@ struct thread_info {
/* flags to check in __switch_to() */
#define _TIF_WORK_CTXSW \
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef __ASM_X64_MSGBUF_H
#define __ASM_X64_MSGBUF_H
#if !defined(__x86_64__) || !defined(__ILP32__)
#include <asm-generic/msgbuf.h>
* The msqid64_ds structure for x86 architecture with x32 ABI.
* On x86-32 and x86-64 we can just use the generic definition, but
* x32 uses the same binary layout as x86_64, which is differnet
* from other 32-bit architectures.
struct msqid64_ds {
struct ipc64_perm msg_perm;
__kernel_time_t msg_stime; /* last msgsnd time */
__kernel_time_t msg_rtime; /* last msgrcv time */
__kernel_time_t msg_ctime; /* last change time */
__kernel_ulong_t msg_cbytes; /* current number of bytes on queue */
__kernel_ulong_t msg_qnum; /* number of messages in queue */
__kernel_ulong_t msg_qbytes; /* max number of bytes on queue */
__kernel_pid_t msg_lspid; /* pid of last msgsnd */
__kernel_pid_t msg_lrpid; /* last receive pid */
__kernel_ulong_t __unused4;
__kernel_ulong_t __unused5;
#endif /* __ASM_GENERIC_MSGBUF_H */
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef __ASM_X86_SHMBUF_H
#define __ASM_X86_SHMBUF_H
#if !defined(__x86_64__) || !defined(__ILP32__)
#include <asm-generic/shmbuf.h>
* The shmid64_ds structure for x86 architecture with x32 ABI.
* On x86-32 and x86-64 we can just use the generic definition, but
* x32 uses the same binary layout as x86_64, which is differnet
* from other 32-bit architectures.
struct shmid64_ds {
struct ipc64_perm shm_perm; /* operation perms */
size_t shm_segsz; /* size of segment (bytes) */
__kernel_time_t shm_atime; /* last attach time */
__kernel_time_t shm_dtime; /* last detach time */
__kernel_time_t shm_ctime; /* last change time */
__kernel_pid_t shm_cpid; /* pid of creator */
__kernel_pid_t shm_lpid; /* pid of last operator */
__kernel_ulong_t shm_nattch; /* no. of current attaches */
__kernel_ulong_t __unused4;
__kernel_ulong_t __unused5;
struct shminfo64 {
__kernel_ulong_t shmmax;
__kernel_ulong_t shmmin;
__kernel_ulong_t shmmni;
__kernel_ulong_t shmseg;
__kernel_ulong_t shmall;
__kernel_ulong_t __unused1;
__kernel_ulong_t __unused2;
__kernel_ulong_t __unused3;
__kernel_ulong_t __unused4;
#endif /* __ASM_X86_SHMBUF_H */
......@@ -14,8 +14,11 @@
#include <asm/amd_nb.h>
#define PCI_DEVICE_ID_AMD_17H_ROOT 0x1450
#define PCI_DEVICE_ID_AMD_17H_M10H_ROOT 0x15d0
#define PCI_DEVICE_ID_AMD_17H_DF_F3 0x1463
#define PCI_DEVICE_ID_AMD_17H_DF_F4 0x1464
#define PCI_DEVICE_ID_AMD_17H_M10H_DF_F3 0x15eb
#define PCI_DEVICE_ID_AMD_17H_M10H_DF_F4 0x15ec
/* Protect the PCI config register pairs used for SMN and DF indirect access. */
static DEFINE_MUTEX(smn_mutex);
......@@ -24,6 +27,7 @@ static u32 *flush_words;
static const struct pci_device_id amd_root_ids[] = {
......@@ -39,6 +43,7 @@ const struct pci_device_id amd_nb_misc_ids[] = {
......@@ -51,6 +56,7 @@ static const struct pci_device_id amd_nb_link_ids[] = {
......@@ -116,6 +116,7 @@ static void init_x2apic_ldr(void)
goto update;
cmsk = cluster_hotplug_mask;
cmsk->clusterid = cluster;
cluster_hotplug_mask = NULL;
this_cpu_write(cluster_masks, cmsk);
......@@ -10,6 +10,7 @@
#include <asm/processor.h>
#include <asm/apic.h>
#include <asm/cpu.h>
#include <asm/spec-ctrl.h>
#include <asm/smp.h>
#include <asm/pci-direct.h>
#include <asm/delay.h>
......@@ -554,6 +555,26 @@ static void bsp_init_amd(struct cpuinfo_x86 *c)
rdmsrl(MSR_FAM10H_NODE_ID, value);
nodes_per_socket = ((value >> 3) & 7) + 1;
if (c->x86 >= 0x15 && c->x86 <= 0x17) {
unsigned int bit;
switch (c->x86) {
case 0x15: bit = 54; break;
case 0x16: bit = 33; break;
case 0x17: bit = 10; break;
default: return;
* Try to cache the base value so further operations can
* avoid RMW. If that faults, do not enable SSBD.
if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) {
x86_amd_ls_cfg_ssbd_mask = 1ULL << bit;
static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
......@@ -791,6 +812,7 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
static void init_amd_zn(struct cpuinfo_x86 *c)
set_cpu_cap(c, X86_FEATURE_ZEN);
* Fix erratum 1076: CPB feature bit not being set in CPUID. It affects
* all up to and including B1.
......@@ -12,8 +12,10 @@
#include <linux/utsname.h>
#include <linux/cpu.h>
#include <linux/module.h>
#include <linux/nospec.h>
#include <linux/prctl.h>
#include <asm/nospec-branch.h>
#include <asm/spec-ctrl.h>
#include <asm/cmdline.h>
#include <asm/bugs.h>
#include <asm/processor.h>
......@@ -27,6 +29,27 @@
#include <asm/intel-family.h>
static void __init spectre_v2_select_mitigation(void);
static void __init ssb_select_mitigation(void);
* Our boot-time value of the SPEC_CTRL MSR. We read it once so that any
* writes to SPEC_CTRL contain whatever reserved bits have been set.
u64 __ro_after_init x86_spec_ctrl_base;
* The vendor and possibly platform specific bits which can be modified in
* x86_spec_ctrl_base.
static u64 __ro_after_init x86_spec_ctrl_mask = SPEC_CTRL_IBRS;
* AMD specific MSR info for Speculative Store Bypass control.
* x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu().
u64 __ro_after_init x86_amd_ls_cfg_base;
u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask;
void __init check_bugs(void)
......@@ -37,9 +60,27 @@ void __init check_bugs(void)
* Read the SPEC_CTRL MSR to account for reserved bits which may
* have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
* init code as it is not enumerated and depends on the family.
if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
/* Allow STIBP in MSR_SPEC_CTRL if supported */
if (boot_cpu_has(X86_FEATURE_STIBP))
x86_spec_ctrl_mask |= SPEC_CTRL_STIBP;
/* Select the proper spectre mitigation before patching alternatives */
* Select proper mitigation for any exposure to the Speculative Store
* Bypass vulnerability.
#ifdef CONFIG_X86_32
* Check whether we are able to run this kernel safely on SMP.
......@@ -93,7 +134,76 @@ static const char *spectre_v2_strings[] = {
#undef pr_fmt
#define pr_fmt(fmt) "Spectre V2 : " fmt
static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
u64 msrval, guestval, hostval = x86_spec_ctrl_base;
struct thread_info *ti = current_thread_info();
/* Is MSR_SPEC_CTRL implemented ? */
if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
* Restrict guest_spec_ctrl to supported values. Clear the
* modifiable bits in the host base value and or the
* modifiable bits from the guest value.
guestval = hostval & ~x86_spec_ctrl_mask;
guestval |= guest_spec_ctrl & x86_spec_ctrl_mask;
/* SSBD controlled in MSR_SPEC_CTRL */
if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
hostval |= ssbd_tif_to_spec_ctrl(ti->flags);
if (hostval != guestval) {
msrval = setguest ? guestval : hostval;
wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
* If SSBD is not handled in MSR_SPEC_CTRL on AMD, update
* MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported.