1 |
commit: 9d152ea4454cd6ccffcb5738f232da5974d6a081 |
2 |
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
3 |
AuthorDate: Fri Aug 24 11:46:20 2018 +0000 |
4 |
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
5 |
CommitDate: Wed Nov 14 13:15:39 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=9d152ea4 |
7 |
|
8 |
Linux patch 4.18.5 |
9 |
|
10 |
Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> |
11 |
|
12 |
0000_README | 4 + |
13 |
1004_linux-4.18.5.patch | 742 ++++++++++++++++++++++++++++++++++++++++++++++++ |
14 |
2 files changed, 746 insertions(+) |
15 |
|
16 |
diff --git a/0000_README b/0000_README |
17 |
index c7d6cc0..8da0979 100644 |
18 |
--- a/0000_README |
19 |
+++ b/0000_README |
20 |
@@ -59,6 +59,10 @@ Patch: 1003_linux-4.18.4.patch |
21 |
From: http://www.kernel.org |
22 |
Desc: Linux 4.18.4 |
23 |
|
24 |
+Patch: 1004_linux-4.18.5.patch |
25 |
+From: http://www.kernel.org |
26 |
+Desc: Linux 4.18.5 |
27 |
+ |
28 |
Patch: 1500_XATTR_USER_PREFIX.patch |
29 |
From: https://bugs.gentoo.org/show_bug.cgi?id=470644 |
30 |
Desc: Support for namespace user.pax.* on tmpfs. |
31 |
|
32 |
diff --git a/1004_linux-4.18.5.patch b/1004_linux-4.18.5.patch |
33 |
new file mode 100644 |
34 |
index 0000000..abf70a2 |
35 |
--- /dev/null |
36 |
+++ b/1004_linux-4.18.5.patch |
37 |
@@ -0,0 +1,742 @@ |
38 |
+diff --git a/Makefile b/Makefile |
39 |
+index ef0dd566c104..a41692c5827a 100644 |
40 |
+--- a/Makefile |
41 |
++++ b/Makefile |
42 |
+@@ -1,7 +1,7 @@ |
43 |
+ # SPDX-License-Identifier: GPL-2.0 |
44 |
+ VERSION = 4 |
45 |
+ PATCHLEVEL = 18 |
46 |
+-SUBLEVEL = 4 |
47 |
++SUBLEVEL = 5 |
48 |
+ EXTRAVERSION = |
49 |
+ NAME = Merciless Moray |
50 |
+ |
51 |
+diff --git a/arch/parisc/include/asm/spinlock.h b/arch/parisc/include/asm/spinlock.h |
52 |
+index 6f84b6acc86e..8a63515f03bf 100644 |
53 |
+--- a/arch/parisc/include/asm/spinlock.h |
54 |
++++ b/arch/parisc/include/asm/spinlock.h |
55 |
+@@ -20,7 +20,6 @@ static inline void arch_spin_lock_flags(arch_spinlock_t *x, |
56 |
+ { |
57 |
+ volatile unsigned int *a; |
58 |
+ |
59 |
+- mb(); |
60 |
+ a = __ldcw_align(x); |
61 |
+ while (__ldcw(a) == 0) |
62 |
+ while (*a == 0) |
63 |
+@@ -30,17 +29,16 @@ static inline void arch_spin_lock_flags(arch_spinlock_t *x, |
64 |
+ local_irq_disable(); |
65 |
+ } else |
66 |
+ cpu_relax(); |
67 |
+- mb(); |
68 |
+ } |
69 |
+ #define arch_spin_lock_flags arch_spin_lock_flags |
70 |
+ |
71 |
+ static inline void arch_spin_unlock(arch_spinlock_t *x) |
72 |
+ { |
73 |
+ volatile unsigned int *a; |
74 |
+- mb(); |
75 |
++ |
76 |
+ a = __ldcw_align(x); |
77 |
+- *a = 1; |
78 |
+ mb(); |
79 |
++ *a = 1; |
80 |
+ } |
81 |
+ |
82 |
+ static inline int arch_spin_trylock(arch_spinlock_t *x) |
83 |
+@@ -48,10 +46,8 @@ static inline int arch_spin_trylock(arch_spinlock_t *x) |
84 |
+ volatile unsigned int *a; |
85 |
+ int ret; |
86 |
+ |
87 |
+- mb(); |
88 |
+ a = __ldcw_align(x); |
89 |
+ ret = __ldcw(a) != 0; |
90 |
+- mb(); |
91 |
+ |
92 |
+ return ret; |
93 |
+ } |
94 |
+diff --git a/arch/parisc/kernel/syscall.S b/arch/parisc/kernel/syscall.S |
95 |
+index 4886a6db42e9..5f7e57fcaeef 100644 |
96 |
+--- a/arch/parisc/kernel/syscall.S |
97 |
++++ b/arch/parisc/kernel/syscall.S |
98 |
+@@ -629,12 +629,12 @@ cas_action: |
99 |
+ stw %r1, 4(%sr2,%r20) |
100 |
+ #endif |
101 |
+ /* The load and store could fail */ |
102 |
+-1: ldw,ma 0(%r26), %r28 |
103 |
++1: ldw 0(%r26), %r28 |
104 |
+ sub,<> %r28, %r25, %r0 |
105 |
+-2: stw,ma %r24, 0(%r26) |
106 |
++2: stw %r24, 0(%r26) |
107 |
+ /* Free lock */ |
108 |
+ sync |
109 |
+- stw,ma %r20, 0(%sr2,%r20) |
110 |
++ stw %r20, 0(%sr2,%r20) |
111 |
+ #if ENABLE_LWS_DEBUG |
112 |
+ /* Clear thread register indicator */ |
113 |
+ stw %r0, 4(%sr2,%r20) |
114 |
+@@ -798,30 +798,30 @@ cas2_action: |
115 |
+ ldo 1(%r0),%r28 |
116 |
+ |
117 |
+ /* 8bit CAS */ |
118 |
+-13: ldb,ma 0(%r26), %r29 |
119 |
++13: ldb 0(%r26), %r29 |
120 |
+ sub,= %r29, %r25, %r0 |
121 |
+ b,n cas2_end |
122 |
+-14: stb,ma %r24, 0(%r26) |
123 |
++14: stb %r24, 0(%r26) |
124 |
+ b cas2_end |
125 |
+ copy %r0, %r28 |
126 |
+ nop |
127 |
+ nop |
128 |
+ |
129 |
+ /* 16bit CAS */ |
130 |
+-15: ldh,ma 0(%r26), %r29 |
131 |
++15: ldh 0(%r26), %r29 |
132 |
+ sub,= %r29, %r25, %r0 |
133 |
+ b,n cas2_end |
134 |
+-16: sth,ma %r24, 0(%r26) |
135 |
++16: sth %r24, 0(%r26) |
136 |
+ b cas2_end |
137 |
+ copy %r0, %r28 |
138 |
+ nop |
139 |
+ nop |
140 |
+ |
141 |
+ /* 32bit CAS */ |
142 |
+-17: ldw,ma 0(%r26), %r29 |
143 |
++17: ldw 0(%r26), %r29 |
144 |
+ sub,= %r29, %r25, %r0 |
145 |
+ b,n cas2_end |
146 |
+-18: stw,ma %r24, 0(%r26) |
147 |
++18: stw %r24, 0(%r26) |
148 |
+ b cas2_end |
149 |
+ copy %r0, %r28 |
150 |
+ nop |
151 |
+@@ -829,10 +829,10 @@ cas2_action: |
152 |
+ |
153 |
+ /* 64bit CAS */ |
154 |
+ #ifdef CONFIG_64BIT |
155 |
+-19: ldd,ma 0(%r26), %r29 |
156 |
++19: ldd 0(%r26), %r29 |
157 |
+ sub,*= %r29, %r25, %r0 |
158 |
+ b,n cas2_end |
159 |
+-20: std,ma %r24, 0(%r26) |
160 |
++20: std %r24, 0(%r26) |
161 |
+ copy %r0, %r28 |
162 |
+ #else |
163 |
+ /* Compare first word */ |
164 |
+@@ -851,7 +851,7 @@ cas2_action: |
165 |
+ cas2_end: |
166 |
+ /* Free lock */ |
167 |
+ sync |
168 |
+- stw,ma %r20, 0(%sr2,%r20) |
169 |
++ stw %r20, 0(%sr2,%r20) |
170 |
+ /* Enable interrupts */ |
171 |
+ ssm PSW_SM_I, %r0 |
172 |
+ /* Return to userspace, set no error */ |
173 |
+diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c |
174 |
+index a8b277362931..4cb8f1f7b593 100644 |
175 |
+--- a/arch/powerpc/kernel/security.c |
176 |
++++ b/arch/powerpc/kernel/security.c |
177 |
+@@ -117,25 +117,35 @@ ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, cha |
178 |
+ |
179 |
+ ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf) |
180 |
+ { |
181 |
+- if (!security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR)) |
182 |
+- return sprintf(buf, "Not affected\n"); |
183 |
++ struct seq_buf s; |
184 |
++ |
185 |
++ seq_buf_init(&s, buf, PAGE_SIZE - 1); |
186 |
+ |
187 |
+- if (barrier_nospec_enabled) |
188 |
+- return sprintf(buf, "Mitigation: __user pointer sanitization\n"); |
189 |
++ if (security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR)) { |
190 |
++ if (barrier_nospec_enabled) |
191 |
++ seq_buf_printf(&s, "Mitigation: __user pointer sanitization"); |
192 |
++ else |
193 |
++ seq_buf_printf(&s, "Vulnerable"); |
194 |
+ |
195 |
+- return sprintf(buf, "Vulnerable\n"); |
196 |
++ if (security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31)) |
197 |
++ seq_buf_printf(&s, ", ori31 speculation barrier enabled"); |
198 |
++ |
199 |
++ seq_buf_printf(&s, "\n"); |
200 |
++ } else |
201 |
++ seq_buf_printf(&s, "Not affected\n"); |
202 |
++ |
203 |
++ return s.len; |
204 |
+ } |
205 |
+ |
206 |
+ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf) |
207 |
+ { |
208 |
+- bool bcs, ccd, ori; |
209 |
+ struct seq_buf s; |
210 |
++ bool bcs, ccd; |
211 |
+ |
212 |
+ seq_buf_init(&s, buf, PAGE_SIZE - 1); |
213 |
+ |
214 |
+ bcs = security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED); |
215 |
+ ccd = security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED); |
216 |
+- ori = security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31); |
217 |
+ |
218 |
+ if (bcs || ccd) { |
219 |
+ seq_buf_printf(&s, "Mitigation: "); |
220 |
+@@ -151,9 +161,6 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, c |
221 |
+ } else |
222 |
+ seq_buf_printf(&s, "Vulnerable"); |
223 |
+ |
224 |
+- if (ori) |
225 |
+- seq_buf_printf(&s, ", ori31 speculation barrier enabled"); |
226 |
+- |
227 |
+ seq_buf_printf(&s, "\n"); |
228 |
+ |
229 |
+ return s.len; |
230 |
+diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h |
231 |
+index 79e409974ccc..682286aca881 100644 |
232 |
+--- a/arch/x86/include/asm/processor.h |
233 |
++++ b/arch/x86/include/asm/processor.h |
234 |
+@@ -971,6 +971,7 @@ static inline uint32_t hypervisor_cpuid_base(const char *sig, uint32_t leaves) |
235 |
+ |
236 |
+ extern unsigned long arch_align_stack(unsigned long sp); |
237 |
+ extern void free_init_pages(char *what, unsigned long begin, unsigned long end); |
238 |
++extern void free_kernel_image_pages(void *begin, void *end); |
239 |
+ |
240 |
+ void default_idle(void); |
241 |
+ #ifdef CONFIG_XEN |
242 |
+diff --git a/arch/x86/include/asm/set_memory.h b/arch/x86/include/asm/set_memory.h |
243 |
+index bd090367236c..34cffcef7375 100644 |
244 |
+--- a/arch/x86/include/asm/set_memory.h |
245 |
++++ b/arch/x86/include/asm/set_memory.h |
246 |
+@@ -46,6 +46,7 @@ int set_memory_np(unsigned long addr, int numpages); |
247 |
+ int set_memory_4k(unsigned long addr, int numpages); |
248 |
+ int set_memory_encrypted(unsigned long addr, int numpages); |
249 |
+ int set_memory_decrypted(unsigned long addr, int numpages); |
250 |
++int set_memory_np_noalias(unsigned long addr, int numpages); |
251 |
+ |
252 |
+ int set_memory_array_uc(unsigned long *addr, int addrinarray); |
253 |
+ int set_memory_array_wc(unsigned long *addr, int addrinarray); |
254 |
+diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c |
255 |
+index 83241eb71cd4..acfab322fbe0 100644 |
256 |
+--- a/arch/x86/mm/init.c |
257 |
++++ b/arch/x86/mm/init.c |
258 |
+@@ -775,13 +775,44 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end) |
259 |
+ } |
260 |
+ } |
261 |
+ |
262 |
++/* |
263 |
++ * begin/end can be in the direct map or the "high kernel mapping" |
264 |
++ * used for the kernel image only. free_init_pages() will do the |
265 |
++ * right thing for either kind of address. |
266 |
++ */ |
267 |
++void free_kernel_image_pages(void *begin, void *end) |
268 |
++{ |
269 |
++ unsigned long begin_ul = (unsigned long)begin; |
270 |
++ unsigned long end_ul = (unsigned long)end; |
271 |
++ unsigned long len_pages = (end_ul - begin_ul) >> PAGE_SHIFT; |
272 |
++ |
273 |
++ |
274 |
++ free_init_pages("unused kernel image", begin_ul, end_ul); |
275 |
++ |
276 |
++ /* |
277 |
++ * PTI maps some of the kernel into userspace. For performance, |
278 |
++ * this includes some kernel areas that do not contain secrets. |
279 |
++ * Those areas might be adjacent to the parts of the kernel image |
280 |
++ * being freed, which may contain secrets. Remove the "high kernel |
281 |
++ * image mapping" for these freed areas, ensuring they are not even |
282 |
++ * potentially vulnerable to Meltdown regardless of the specific |
283 |
++ * optimizations PTI is currently using. |
284 |
++ * |
285 |
++ * The "noalias" prevents unmapping the direct map alias which is |
286 |
++ * needed to access the freed pages. |
287 |
++ * |
288 |
++ * This is only valid for 64bit kernels. 32bit has only one mapping |
289 |
++ * which can't be treated in this way for obvious reasons. |
290 |
++ */ |
291 |
++ if (IS_ENABLED(CONFIG_X86_64) && cpu_feature_enabled(X86_FEATURE_PTI)) |
292 |
++ set_memory_np_noalias(begin_ul, len_pages); |
293 |
++} |
294 |
++ |
295 |
+ void __ref free_initmem(void) |
296 |
+ { |
297 |
+ e820__reallocate_tables(); |
298 |
+ |
299 |
+- free_init_pages("unused kernel", |
300 |
+- (unsigned long)(&__init_begin), |
301 |
+- (unsigned long)(&__init_end)); |
302 |
++ free_kernel_image_pages(&__init_begin, &__init_end); |
303 |
+ } |
304 |
+ |
305 |
+ #ifdef CONFIG_BLK_DEV_INITRD |
306 |
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c |
307 |
+index a688617c727e..68c292cb1ebf 100644 |
308 |
+--- a/arch/x86/mm/init_64.c |
309 |
++++ b/arch/x86/mm/init_64.c |
310 |
+@@ -1283,12 +1283,8 @@ void mark_rodata_ro(void) |
311 |
+ set_memory_ro(start, (end-start) >> PAGE_SHIFT); |
312 |
+ #endif |
313 |
+ |
314 |
+- free_init_pages("unused kernel", |
315 |
+- (unsigned long) __va(__pa_symbol(text_end)), |
316 |
+- (unsigned long) __va(__pa_symbol(rodata_start))); |
317 |
+- free_init_pages("unused kernel", |
318 |
+- (unsigned long) __va(__pa_symbol(rodata_end)), |
319 |
+- (unsigned long) __va(__pa_symbol(_sdata))); |
320 |
++ free_kernel_image_pages((void *)text_end, (void *)rodata_start); |
321 |
++ free_kernel_image_pages((void *)rodata_end, (void *)_sdata); |
322 |
+ |
323 |
+ debug_checkwx(); |
324 |
+ |
325 |
+diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c |
326 |
+index 29505724202a..8d6c34fe49be 100644 |
327 |
+--- a/arch/x86/mm/pageattr.c |
328 |
++++ b/arch/x86/mm/pageattr.c |
329 |
+@@ -53,6 +53,7 @@ static DEFINE_SPINLOCK(cpa_lock); |
330 |
+ #define CPA_FLUSHTLB 1 |
331 |
+ #define CPA_ARRAY 2 |
332 |
+ #define CPA_PAGES_ARRAY 4 |
333 |
++#define CPA_NO_CHECK_ALIAS 8 /* Do not search for aliases */ |
334 |
+ |
335 |
+ #ifdef CONFIG_PROC_FS |
336 |
+ static unsigned long direct_pages_count[PG_LEVEL_NUM]; |
337 |
+@@ -1486,6 +1487,9 @@ static int change_page_attr_set_clr(unsigned long *addr, int numpages, |
338 |
+ |
339 |
+ /* No alias checking for _NX bit modifications */ |
340 |
+ checkalias = (pgprot_val(mask_set) | pgprot_val(mask_clr)) != _PAGE_NX; |
341 |
++ /* Has caller explicitly disabled alias checking? */ |
342 |
++ if (in_flag & CPA_NO_CHECK_ALIAS) |
343 |
++ checkalias = 0; |
344 |
+ |
345 |
+ ret = __change_page_attr_set_clr(&cpa, checkalias); |
346 |
+ |
347 |
+@@ -1772,6 +1776,15 @@ int set_memory_np(unsigned long addr, int numpages) |
348 |
+ return change_page_attr_clear(&addr, numpages, __pgprot(_PAGE_PRESENT), 0); |
349 |
+ } |
350 |
+ |
351 |
++int set_memory_np_noalias(unsigned long addr, int numpages) |
352 |
++{ |
353 |
++ int cpa_flags = CPA_NO_CHECK_ALIAS; |
354 |
++ |
355 |
++ return change_page_attr_set_clr(&addr, numpages, __pgprot(0), |
356 |
++ __pgprot(_PAGE_PRESENT), 0, |
357 |
++ cpa_flags, NULL); |
358 |
++} |
359 |
++ |
360 |
+ int set_memory_4k(unsigned long addr, int numpages) |
361 |
+ { |
362 |
+ return change_page_attr_set_clr(&addr, numpages, __pgprot(0), |
363 |
+diff --git a/drivers/edac/edac_mc.c b/drivers/edac/edac_mc.c |
364 |
+index 3bb82e511eca..7d3edd713932 100644 |
365 |
+--- a/drivers/edac/edac_mc.c |
366 |
++++ b/drivers/edac/edac_mc.c |
367 |
+@@ -215,6 +215,7 @@ const char * const edac_mem_types[] = { |
368 |
+ [MEM_LRDDR3] = "Load-Reduced-DDR3-RAM", |
369 |
+ [MEM_DDR4] = "Unbuffered-DDR4", |
370 |
+ [MEM_RDDR4] = "Registered-DDR4", |
371 |
++ [MEM_LRDDR4] = "Load-Reduced-DDR4-RAM", |
372 |
+ [MEM_NVDIMM] = "Non-volatile-RAM", |
373 |
+ }; |
374 |
+ EXPORT_SYMBOL_GPL(edac_mem_types); |
375 |
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c |
376 |
+index fc818b4d849c..a44c3d58fef4 100644 |
377 |
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c |
378 |
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c |
379 |
+@@ -31,7 +31,7 @@ |
380 |
+ #include <linux/power_supply.h> |
381 |
+ #include <linux/hwmon.h> |
382 |
+ #include <linux/hwmon-sysfs.h> |
383 |
+- |
384 |
++#include <linux/nospec.h> |
385 |
+ |
386 |
+ static int amdgpu_debugfs_pm_init(struct amdgpu_device *adev); |
387 |
+ |
388 |
+@@ -393,6 +393,7 @@ static ssize_t amdgpu_set_pp_force_state(struct device *dev, |
389 |
+ count = -EINVAL; |
390 |
+ goto fail; |
391 |
+ } |
392 |
++ idx = array_index_nospec(idx, ARRAY_SIZE(data.states)); |
393 |
+ |
394 |
+ amdgpu_dpm_get_pp_num_states(adev, &data); |
395 |
+ state = data.states[idx]; |
396 |
+diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c |
397 |
+index df4e4a07db3d..14dce5c201d5 100644 |
398 |
+--- a/drivers/gpu/drm/i915/gvt/kvmgt.c |
399 |
++++ b/drivers/gpu/drm/i915/gvt/kvmgt.c |
400 |
+@@ -43,6 +43,8 @@ |
401 |
+ #include <linux/mdev.h> |
402 |
+ #include <linux/debugfs.h> |
403 |
+ |
404 |
++#include <linux/nospec.h> |
405 |
++ |
406 |
+ #include "i915_drv.h" |
407 |
+ #include "gvt.h" |
408 |
+ |
409 |
+@@ -1084,7 +1086,8 @@ static long intel_vgpu_ioctl(struct mdev_device *mdev, unsigned int cmd, |
410 |
+ } else if (cmd == VFIO_DEVICE_GET_REGION_INFO) { |
411 |
+ struct vfio_region_info info; |
412 |
+ struct vfio_info_cap caps = { .buf = NULL, .size = 0 }; |
413 |
+- int i, ret; |
414 |
++ unsigned int i; |
415 |
++ int ret; |
416 |
+ struct vfio_region_info_cap_sparse_mmap *sparse = NULL; |
417 |
+ size_t size; |
418 |
+ int nr_areas = 1; |
419 |
+@@ -1169,6 +1172,10 @@ static long intel_vgpu_ioctl(struct mdev_device *mdev, unsigned int cmd, |
420 |
+ if (info.index >= VFIO_PCI_NUM_REGIONS + |
421 |
+ vgpu->vdev.num_regions) |
422 |
+ return -EINVAL; |
423 |
++ info.index = |
424 |
++ array_index_nospec(info.index, |
425 |
++ VFIO_PCI_NUM_REGIONS + |
426 |
++ vgpu->vdev.num_regions); |
427 |
+ |
428 |
+ i = info.index - VFIO_PCI_NUM_REGIONS; |
429 |
+ |
430 |
+diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c |
431 |
+index 498c5e891649..ad6adefb64da 100644 |
432 |
+--- a/drivers/i2c/busses/i2c-imx.c |
433 |
++++ b/drivers/i2c/busses/i2c-imx.c |
434 |
+@@ -668,9 +668,6 @@ static int i2c_imx_dma_read(struct imx_i2c_struct *i2c_imx, |
435 |
+ struct imx_i2c_dma *dma = i2c_imx->dma; |
436 |
+ struct device *dev = &i2c_imx->adapter.dev; |
437 |
+ |
438 |
+- temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR); |
439 |
+- temp |= I2CR_DMAEN; |
440 |
+- imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR); |
441 |
+ |
442 |
+ dma->chan_using = dma->chan_rx; |
443 |
+ dma->dma_transfer_dir = DMA_DEV_TO_MEM; |
444 |
+@@ -783,6 +780,7 @@ static int i2c_imx_read(struct imx_i2c_struct *i2c_imx, struct i2c_msg *msgs, bo |
445 |
+ int i, result; |
446 |
+ unsigned int temp; |
447 |
+ int block_data = msgs->flags & I2C_M_RECV_LEN; |
448 |
++ int use_dma = i2c_imx->dma && msgs->len >= DMA_THRESHOLD && !block_data; |
449 |
+ |
450 |
+ dev_dbg(&i2c_imx->adapter.dev, |
451 |
+ "<%s> write slave address: addr=0x%x\n", |
452 |
+@@ -809,12 +807,14 @@ static int i2c_imx_read(struct imx_i2c_struct *i2c_imx, struct i2c_msg *msgs, bo |
453 |
+ */ |
454 |
+ if ((msgs->len - 1) || block_data) |
455 |
+ temp &= ~I2CR_TXAK; |
456 |
++ if (use_dma) |
457 |
++ temp |= I2CR_DMAEN; |
458 |
+ imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR); |
459 |
+ imx_i2c_read_reg(i2c_imx, IMX_I2C_I2DR); /* dummy read */ |
460 |
+ |
461 |
+ dev_dbg(&i2c_imx->adapter.dev, "<%s> read data\n", __func__); |
462 |
+ |
463 |
+- if (i2c_imx->dma && msgs->len >= DMA_THRESHOLD && !block_data) |
464 |
++ if (use_dma) |
465 |
+ return i2c_imx_dma_read(i2c_imx, msgs, is_lastmsg); |
466 |
+ |
467 |
+ /* read data */ |
468 |
+diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c |
469 |
+index 7c3b4740b94b..b8f303dea305 100644 |
470 |
+--- a/drivers/i2c/i2c-core-acpi.c |
471 |
++++ b/drivers/i2c/i2c-core-acpi.c |
472 |
+@@ -482,11 +482,16 @@ static int acpi_gsb_i2c_write_bytes(struct i2c_client *client, |
473 |
+ msgs[0].buf = buffer; |
474 |
+ |
475 |
+ ret = i2c_transfer(client->adapter, msgs, ARRAY_SIZE(msgs)); |
476 |
+- if (ret < 0) |
477 |
+- dev_err(&client->adapter->dev, "i2c write failed\n"); |
478 |
+ |
479 |
+ kfree(buffer); |
480 |
+- return ret; |
481 |
++ |
482 |
++ if (ret < 0) { |
483 |
++ dev_err(&client->adapter->dev, "i2c write failed: %d\n", ret); |
484 |
++ return ret; |
485 |
++ } |
486 |
++ |
487 |
++ /* 1 transfer must have completed successfully */ |
488 |
++ return (ret == 1) ? 0 : -EIO; |
489 |
+ } |
490 |
+ |
491 |
+ static acpi_status |
492 |
+diff --git a/drivers/pci/controller/pci-aardvark.c b/drivers/pci/controller/pci-aardvark.c |
493 |
+index 0fae816fba39..44604af23b3a 100644 |
494 |
+--- a/drivers/pci/controller/pci-aardvark.c |
495 |
++++ b/drivers/pci/controller/pci-aardvark.c |
496 |
+@@ -952,6 +952,7 @@ static int advk_pcie_probe(struct platform_device *pdev) |
497 |
+ |
498 |
+ bus = bridge->bus; |
499 |
+ |
500 |
++ pci_bus_size_bridges(bus); |
501 |
+ pci_bus_assign_resources(bus); |
502 |
+ |
503 |
+ list_for_each_entry(child, &bus->children, node) |
504 |
+diff --git a/drivers/pci/hotplug/pci_hotplug_core.c b/drivers/pci/hotplug/pci_hotplug_core.c |
505 |
+index af92fed46ab7..fd93783a87b0 100644 |
506 |
+--- a/drivers/pci/hotplug/pci_hotplug_core.c |
507 |
++++ b/drivers/pci/hotplug/pci_hotplug_core.c |
508 |
+@@ -438,8 +438,17 @@ int __pci_hp_register(struct hotplug_slot *slot, struct pci_bus *bus, |
509 |
+ list_add(&slot->slot_list, &pci_hotplug_slot_list); |
510 |
+ |
511 |
+ result = fs_add_slot(pci_slot); |
512 |
++ if (result) |
513 |
++ goto err_list_del; |
514 |
++ |
515 |
+ kobject_uevent(&pci_slot->kobj, KOBJ_ADD); |
516 |
+ dbg("Added slot %s to the list\n", name); |
517 |
++ goto out; |
518 |
++ |
519 |
++err_list_del: |
520 |
++ list_del(&slot->slot_list); |
521 |
++ pci_slot->hotplug = NULL; |
522 |
++ pci_destroy_slot(pci_slot); |
523 |
+ out: |
524 |
+ mutex_unlock(&pci_hp_mutex); |
525 |
+ return result; |
526 |
+diff --git a/drivers/pci/hotplug/pciehp.h b/drivers/pci/hotplug/pciehp.h |
527 |
+index 5f892065585e..fca87a1a2b22 100644 |
528 |
+--- a/drivers/pci/hotplug/pciehp.h |
529 |
++++ b/drivers/pci/hotplug/pciehp.h |
530 |
+@@ -119,6 +119,7 @@ int pciehp_unconfigure_device(struct slot *p_slot); |
531 |
+ void pciehp_queue_pushbutton_work(struct work_struct *work); |
532 |
+ struct controller *pcie_init(struct pcie_device *dev); |
533 |
+ int pcie_init_notification(struct controller *ctrl); |
534 |
++void pcie_shutdown_notification(struct controller *ctrl); |
535 |
+ int pciehp_enable_slot(struct slot *p_slot); |
536 |
+ int pciehp_disable_slot(struct slot *p_slot); |
537 |
+ void pcie_reenable_notification(struct controller *ctrl); |
538 |
+diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c |
539 |
+index 44a6a63802d5..2ba59fc94827 100644 |
540 |
+--- a/drivers/pci/hotplug/pciehp_core.c |
541 |
++++ b/drivers/pci/hotplug/pciehp_core.c |
542 |
+@@ -62,6 +62,12 @@ static int reset_slot(struct hotplug_slot *slot, int probe); |
543 |
+ */ |
544 |
+ static void release_slot(struct hotplug_slot *hotplug_slot) |
545 |
+ { |
546 |
++ struct slot *slot = hotplug_slot->private; |
547 |
++ |
548 |
++ /* queued work needs hotplug_slot name */ |
549 |
++ cancel_delayed_work(&slot->work); |
550 |
++ drain_workqueue(slot->wq); |
551 |
++ |
552 |
+ kfree(hotplug_slot->ops); |
553 |
+ kfree(hotplug_slot->info); |
554 |
+ kfree(hotplug_slot); |
555 |
+@@ -264,6 +270,7 @@ static void pciehp_remove(struct pcie_device *dev) |
556 |
+ { |
557 |
+ struct controller *ctrl = get_service_data(dev); |
558 |
+ |
559 |
++ pcie_shutdown_notification(ctrl); |
560 |
+ cleanup_slot(ctrl); |
561 |
+ pciehp_release_ctrl(ctrl); |
562 |
+ } |
563 |
+diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c |
564 |
+index 718b6073afad..aff191b4552c 100644 |
565 |
+--- a/drivers/pci/hotplug/pciehp_hpc.c |
566 |
++++ b/drivers/pci/hotplug/pciehp_hpc.c |
567 |
+@@ -539,8 +539,6 @@ static irqreturn_t pciehp_isr(int irq, void *dev_id) |
568 |
+ { |
569 |
+ struct controller *ctrl = (struct controller *)dev_id; |
570 |
+ struct pci_dev *pdev = ctrl_dev(ctrl); |
571 |
+- struct pci_bus *subordinate = pdev->subordinate; |
572 |
+- struct pci_dev *dev; |
573 |
+ struct slot *slot = ctrl->slot; |
574 |
+ u16 status, events; |
575 |
+ u8 present; |
576 |
+@@ -588,14 +586,9 @@ static irqreturn_t pciehp_isr(int irq, void *dev_id) |
577 |
+ wake_up(&ctrl->queue); |
578 |
+ } |
579 |
+ |
580 |
+- if (subordinate) { |
581 |
+- list_for_each_entry(dev, &subordinate->devices, bus_list) { |
582 |
+- if (dev->ignore_hotplug) { |
583 |
+- ctrl_dbg(ctrl, "ignoring hotplug event %#06x (%s requested no hotplug)\n", |
584 |
+- events, pci_name(dev)); |
585 |
+- return IRQ_HANDLED; |
586 |
+- } |
587 |
+- } |
588 |
++ if (pdev->ignore_hotplug) { |
589 |
++ ctrl_dbg(ctrl, "ignoring hotplug event %#06x\n", events); |
590 |
++ return IRQ_HANDLED; |
591 |
+ } |
592 |
+ |
593 |
+ /* Check Attention Button Pressed */ |
594 |
+@@ -765,7 +758,7 @@ int pcie_init_notification(struct controller *ctrl) |
595 |
+ return 0; |
596 |
+ } |
597 |
+ |
598 |
+-static void pcie_shutdown_notification(struct controller *ctrl) |
599 |
++void pcie_shutdown_notification(struct controller *ctrl) |
600 |
+ { |
601 |
+ if (ctrl->notification_enabled) { |
602 |
+ pcie_disable_notification(ctrl); |
603 |
+@@ -800,7 +793,7 @@ abort: |
604 |
+ static void pcie_cleanup_slot(struct controller *ctrl) |
605 |
+ { |
606 |
+ struct slot *slot = ctrl->slot; |
607 |
+- cancel_delayed_work(&slot->work); |
608 |
++ |
609 |
+ destroy_workqueue(slot->wq); |
610 |
+ kfree(slot); |
611 |
+ } |
612 |
+@@ -893,7 +886,6 @@ abort: |
613 |
+ |
614 |
+ void pciehp_release_ctrl(struct controller *ctrl) |
615 |
+ { |
616 |
+- pcie_shutdown_notification(ctrl); |
617 |
+ pcie_cleanup_slot(ctrl); |
618 |
+ kfree(ctrl); |
619 |
+ } |
620 |
+diff --git a/drivers/pci/pci-acpi.c b/drivers/pci/pci-acpi.c |
621 |
+index 89ee6a2b6eb8..5d1698265da5 100644 |
622 |
+--- a/drivers/pci/pci-acpi.c |
623 |
++++ b/drivers/pci/pci-acpi.c |
624 |
+@@ -632,13 +632,11 @@ static bool acpi_pci_need_resume(struct pci_dev *dev) |
625 |
+ /* |
626 |
+ * In some cases (eg. Samsung 305V4A) leaving a bridge in suspend over |
627 |
+ * system-wide suspend/resume confuses the platform firmware, so avoid |
628 |
+- * doing that, unless the bridge has a driver that should take care of |
629 |
+- * the PM handling. According to Section 16.1.6 of ACPI 6.2, endpoint |
630 |
++ * doing that. According to Section 16.1.6 of ACPI 6.2, endpoint |
631 |
+ * devices are expected to be in D3 before invoking the S3 entry path |
632 |
+ * from the firmware, so they should not be affected by this issue. |
633 |
+ */ |
634 |
+- if (pci_is_bridge(dev) && !dev->driver && |
635 |
+- acpi_target_system_state() != ACPI_STATE_S0) |
636 |
++ if (pci_is_bridge(dev) && acpi_target_system_state() != ACPI_STATE_S0) |
637 |
+ return true; |
638 |
+ |
639 |
+ if (!adev || !acpi_device_power_manageable(adev)) |
640 |
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c |
641 |
+index 316496e99da9..0abe2865a3a5 100644 |
642 |
+--- a/drivers/pci/pci.c |
643 |
++++ b/drivers/pci/pci.c |
644 |
+@@ -1171,6 +1171,33 @@ static void pci_restore_config_space(struct pci_dev *pdev) |
645 |
+ } |
646 |
+ } |
647 |
+ |
648 |
++static void pci_restore_rebar_state(struct pci_dev *pdev) |
649 |
++{ |
650 |
++ unsigned int pos, nbars, i; |
651 |
++ u32 ctrl; |
652 |
++ |
653 |
++ pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_REBAR); |
654 |
++ if (!pos) |
655 |
++ return; |
656 |
++ |
657 |
++ pci_read_config_dword(pdev, pos + PCI_REBAR_CTRL, &ctrl); |
658 |
++ nbars = (ctrl & PCI_REBAR_CTRL_NBAR_MASK) >> |
659 |
++ PCI_REBAR_CTRL_NBAR_SHIFT; |
660 |
++ |
661 |
++ for (i = 0; i < nbars; i++, pos += 8) { |
662 |
++ struct resource *res; |
663 |
++ int bar_idx, size; |
664 |
++ |
665 |
++ pci_read_config_dword(pdev, pos + PCI_REBAR_CTRL, &ctrl); |
666 |
++ bar_idx = ctrl & PCI_REBAR_CTRL_BAR_IDX; |
667 |
++ res = pdev->resource + bar_idx; |
668 |
++ size = order_base_2((resource_size(res) >> 20) | 1) - 1; |
669 |
++ ctrl &= ~PCI_REBAR_CTRL_BAR_SIZE; |
670 |
++ ctrl |= size << 8; |
671 |
++ pci_write_config_dword(pdev, pos + PCI_REBAR_CTRL, ctrl); |
672 |
++ } |
673 |
++} |
674 |
++ |
675 |
+ /** |
676 |
+ * pci_restore_state - Restore the saved state of a PCI device |
677 |
+ * @dev: - PCI device that we're dealing with |
678 |
+@@ -1186,6 +1213,7 @@ void pci_restore_state(struct pci_dev *dev) |
679 |
+ pci_restore_pri_state(dev); |
680 |
+ pci_restore_ats_state(dev); |
681 |
+ pci_restore_vc_state(dev); |
682 |
++ pci_restore_rebar_state(dev); |
683 |
+ |
684 |
+ pci_cleanup_aer_error_status_regs(dev); |
685 |
+ |
686 |
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c |
687 |
+index 611adcd9c169..b2857865c0aa 100644 |
688 |
+--- a/drivers/pci/probe.c |
689 |
++++ b/drivers/pci/probe.c |
690 |
+@@ -1730,6 +1730,10 @@ static void pci_configure_mps(struct pci_dev *dev) |
691 |
+ if (!pci_is_pcie(dev) || !bridge || !pci_is_pcie(bridge)) |
692 |
+ return; |
693 |
+ |
694 |
++ /* MPS and MRRS fields are of type 'RsvdP' for VFs, short-circuit out */ |
695 |
++ if (dev->is_virtfn) |
696 |
++ return; |
697 |
++ |
698 |
+ mps = pcie_get_mps(dev); |
699 |
+ p_mps = pcie_get_mps(bridge); |
700 |
+ |
701 |
+diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c |
702 |
+index b0e2c4847a5d..678406e0948b 100644 |
703 |
+--- a/drivers/tty/pty.c |
704 |
++++ b/drivers/tty/pty.c |
705 |
+@@ -625,7 +625,7 @@ int ptm_open_peer(struct file *master, struct tty_struct *tty, int flags) |
706 |
+ if (tty->driver != ptm_driver) |
707 |
+ return -EIO; |
708 |
+ |
709 |
+- fd = get_unused_fd_flags(0); |
710 |
++ fd = get_unused_fd_flags(flags); |
711 |
+ if (fd < 0) { |
712 |
+ retval = fd; |
713 |
+ goto err; |
714 |
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c |
715 |
+index f7ab34088162..8b24d3d42cb3 100644 |
716 |
+--- a/fs/ext4/mballoc.c |
717 |
++++ b/fs/ext4/mballoc.c |
718 |
+@@ -14,6 +14,7 @@ |
719 |
+ #include <linux/log2.h> |
720 |
+ #include <linux/module.h> |
721 |
+ #include <linux/slab.h> |
722 |
++#include <linux/nospec.h> |
723 |
+ #include <linux/backing-dev.h> |
724 |
+ #include <trace/events/ext4.h> |
725 |
+ |
726 |
+@@ -2140,7 +2141,8 @@ ext4_mb_regular_allocator(struct ext4_allocation_context *ac) |
727 |
+ * This should tell if fe_len is exactly power of 2 |
728 |
+ */ |
729 |
+ if ((ac->ac_g_ex.fe_len & (~(1 << (i - 1)))) == 0) |
730 |
+- ac->ac_2order = i - 1; |
731 |
++ ac->ac_2order = array_index_nospec(i - 1, |
732 |
++ sb->s_blocksize_bits + 2); |
733 |
+ } |
734 |
+ |
735 |
+ /* if stream allocation is enabled, use global goal */ |
736 |
+diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c |
737 |
+index ff94fad477e4..48cdfc81fe10 100644 |
738 |
+--- a/fs/reiserfs/xattr.c |
739 |
++++ b/fs/reiserfs/xattr.c |
740 |
+@@ -792,8 +792,10 @@ static int listxattr_filler(struct dir_context *ctx, const char *name, |
741 |
+ return 0; |
742 |
+ size = namelen + 1; |
743 |
+ if (b->buf) { |
744 |
+- if (size > b->size) |
745 |
++ if (b->pos + size > b->size) { |
746 |
++ b->pos = -ERANGE; |
747 |
+ return -ERANGE; |
748 |
++ } |
749 |
+ memcpy(b->buf + b->pos, name, namelen); |
750 |
+ b->buf[b->pos + namelen] = 0; |
751 |
+ } |
752 |
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c |
753 |
+index a790ef4be74e..3222193c46c6 100644 |
754 |
+--- a/mm/page_alloc.c |
755 |
++++ b/mm/page_alloc.c |
756 |
+@@ -6939,9 +6939,21 @@ unsigned long free_reserved_area(void *start, void *end, int poison, char *s) |
757 |
+ start = (void *)PAGE_ALIGN((unsigned long)start); |
758 |
+ end = (void *)((unsigned long)end & PAGE_MASK); |
759 |
+ for (pos = start; pos < end; pos += PAGE_SIZE, pages++) { |
760 |
++ struct page *page = virt_to_page(pos); |
761 |
++ void *direct_map_addr; |
762 |
++ |
763 |
++ /* |
764 |
++ * 'direct_map_addr' might be different from 'pos' |
765 |
++ * because some architectures' virt_to_page() |
766 |
++ * work with aliases. Getting the direct map |
767 |
++ * address ensures that we get a _writeable_ |
768 |
++ * alias for the memset(). |
769 |
++ */ |
770 |
++ direct_map_addr = page_address(page); |
771 |
+ if ((unsigned int)poison <= 0xFF) |
772 |
+- memset(pos, poison, PAGE_SIZE); |
773 |
+- free_reserved_page(virt_to_page(pos)); |
774 |
++ memset(direct_map_addr, poison, PAGE_SIZE); |
775 |
++ |
776 |
++ free_reserved_page(page); |
777 |
+ } |
778 |
+ |
779 |
+ if (pages && s) |