1 |
commit: c2f777431f1ea3ef9542c59135755ed220881237 |
2 |
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
3 |
AuthorDate: Tue Aug 6 19:16:44 2019 +0000 |
4 |
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
5 |
CommitDate: Tue Oct 29 13:59:02 2019 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=c2f77743 |
7 |
|
8 |
Linuxpatch 4.14.137 |
9 |
|
10 |
Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> |
11 |
|
12 |
0000_README | 4 + |
13 |
1136_linux-4.14.137.patch | 1988 +++++++++++++++++++++++++++++++++++++++++++++ |
14 |
2 files changed, 1992 insertions(+) |
15 |
|
16 |
diff --git a/0000_README b/0000_README |
17 |
index 45bebaa..5aa7458 100644 |
18 |
--- a/0000_README |
19 |
+++ b/0000_README |
20 |
@@ -587,6 +587,10 @@ Patch: 1135_linux-4.14.136.patch |
21 |
From: https://www.kernel.org |
22 |
Desc: Linux 4.14.136 |
23 |
|
24 |
+Patch: 1136_linux-4.14.137.patch |
25 |
+From: https://www.kernel.org |
26 |
+Desc: Linux 4.14.137 |
27 |
+ |
28 |
Patch: 1500_XATTR_USER_PREFIX.patch |
29 |
From: https://bugs.gentoo.org/show_bug.cgi?id=470644 |
30 |
Desc: Support for namespace user.pax.* on tmpfs. |
31 |
|
32 |
diff --git a/1136_linux-4.14.137.patch b/1136_linux-4.14.137.patch |
33 |
new file mode 100644 |
34 |
index 0000000..eea0bc4 |
35 |
--- /dev/null |
36 |
+++ b/1136_linux-4.14.137.patch |
37 |
@@ -0,0 +1,1988 @@ |
38 |
+diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst |
39 |
+index 25f3b2532198..e05e581af5cf 100644 |
40 |
+--- a/Documentation/admin-guide/hw-vuln/spectre.rst |
41 |
++++ b/Documentation/admin-guide/hw-vuln/spectre.rst |
42 |
+@@ -41,10 +41,11 @@ Related CVEs |
43 |
+ |
44 |
+ The following CVE entries describe Spectre variants: |
45 |
+ |
46 |
+- ============= ======================= ================= |
47 |
++ ============= ======================= ========================== |
48 |
+ CVE-2017-5753 Bounds check bypass Spectre variant 1 |
49 |
+ CVE-2017-5715 Branch target injection Spectre variant 2 |
50 |
+- ============= ======================= ================= |
51 |
++ CVE-2019-1125 Spectre v1 swapgs Spectre variant 1 (swapgs) |
52 |
++ ============= ======================= ========================== |
53 |
+ |
54 |
+ Problem |
55 |
+ ------- |
56 |
+@@ -78,6 +79,13 @@ There are some extensions of Spectre variant 1 attacks for reading data |
57 |
+ over the network, see :ref:`[12] <spec_ref12>`. However such attacks |
58 |
+ are difficult, low bandwidth, fragile, and are considered low risk. |
59 |
+ |
60 |
++Note that, despite "Bounds Check Bypass" name, Spectre variant 1 is not |
61 |
++only about user-controlled array bounds checks. It can affect any |
62 |
++conditional checks. The kernel entry code interrupt, exception, and NMI |
63 |
++handlers all have conditional swapgs checks. Those may be problematic |
64 |
++in the context of Spectre v1, as kernel code can speculatively run with |
65 |
++a user GS. |
66 |
++ |
67 |
+ Spectre variant 2 (Branch Target Injection) |
68 |
+ ------------------------------------------- |
69 |
+ |
70 |
+@@ -132,6 +140,9 @@ not cover all possible attack vectors. |
71 |
+ 1. A user process attacking the kernel |
72 |
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
73 |
+ |
74 |
++Spectre variant 1 |
75 |
++~~~~~~~~~~~~~~~~~ |
76 |
++ |
77 |
+ The attacker passes a parameter to the kernel via a register or |
78 |
+ via a known address in memory during a syscall. Such parameter may |
79 |
+ be used later by the kernel as an index to an array or to derive |
80 |
+@@ -144,7 +155,40 @@ not cover all possible attack vectors. |
81 |
+ potentially be influenced for Spectre attacks, new "nospec" accessor |
82 |
+ macros are used to prevent speculative loading of data. |
83 |
+ |
84 |
+- Spectre variant 2 attacker can :ref:`poison <poison_btb>` the branch |
85 |
++Spectre variant 1 (swapgs) |
86 |
++~~~~~~~~~~~~~~~~~~~~~~~~~~ |
87 |
++ |
88 |
++ An attacker can train the branch predictor to speculatively skip the |
89 |
++ swapgs path for an interrupt or exception. If they initialize |
90 |
++ the GS register to a user-space value, if the swapgs is speculatively |
91 |
++ skipped, subsequent GS-related percpu accesses in the speculation |
92 |
++ window will be done with the attacker-controlled GS value. This |
93 |
++ could cause privileged memory to be accessed and leaked. |
94 |
++ |
95 |
++ For example: |
96 |
++ |
97 |
++ :: |
98 |
++ |
99 |
++ if (coming from user space) |
100 |
++ swapgs |
101 |
++ mov %gs:<percpu_offset>, %reg |
102 |
++ mov (%reg), %reg1 |
103 |
++ |
104 |
++ When coming from user space, the CPU can speculatively skip the |
105 |
++ swapgs, and then do a speculative percpu load using the user GS |
106 |
++ value. So the user can speculatively force a read of any kernel |
107 |
++ value. If a gadget exists which uses the percpu value as an address |
108 |
++ in another load/store, then the contents of the kernel value may |
109 |
++ become visible via an L1 side channel attack. |
110 |
++ |
111 |
++ A similar attack exists when coming from kernel space. The CPU can |
112 |
++ speculatively do the swapgs, causing the user GS to get used for the |
113 |
++ rest of the speculative window. |
114 |
++ |
115 |
++Spectre variant 2 |
116 |
++~~~~~~~~~~~~~~~~~ |
117 |
++ |
118 |
++ A spectre variant 2 attacker can :ref:`poison <poison_btb>` the branch |
119 |
+ target buffer (BTB) before issuing syscall to launch an attack. |
120 |
+ After entering the kernel, the kernel could use the poisoned branch |
121 |
+ target buffer on indirect jump and jump to gadget code in speculative |
122 |
+@@ -280,11 +324,18 @@ The sysfs file showing Spectre variant 1 mitigation status is: |
123 |
+ |
124 |
+ The possible values in this file are: |
125 |
+ |
126 |
+- ======================================= ================================= |
127 |
+- 'Mitigation: __user pointer sanitation' Protection in kernel on a case by |
128 |
+- case base with explicit pointer |
129 |
+- sanitation. |
130 |
+- ======================================= ================================= |
131 |
++ .. list-table:: |
132 |
++ |
133 |
++ * - 'Not affected' |
134 |
++ - The processor is not vulnerable. |
135 |
++ * - 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers' |
136 |
++ - The swapgs protections are disabled; otherwise it has |
137 |
++ protection in the kernel on a case by case base with explicit |
138 |
++ pointer sanitation and usercopy LFENCE barriers. |
139 |
++ * - 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization' |
140 |
++ - Protection in the kernel on a case by case base with explicit |
141 |
++ pointer sanitation, usercopy LFENCE barriers, and swapgs LFENCE |
142 |
++ barriers. |
143 |
+ |
144 |
+ However, the protections are put in place on a case by case basis, |
145 |
+ and there is no guarantee that all possible attack vectors for Spectre |
146 |
+@@ -366,12 +417,27 @@ Turning on mitigation for Spectre variant 1 and Spectre variant 2 |
147 |
+ 1. Kernel mitigation |
148 |
+ ^^^^^^^^^^^^^^^^^^^^ |
149 |
+ |
150 |
++Spectre variant 1 |
151 |
++~~~~~~~~~~~~~~~~~ |
152 |
++ |
153 |
+ For the Spectre variant 1, vulnerable kernel code (as determined |
154 |
+ by code audit or scanning tools) is annotated on a case by case |
155 |
+ basis to use nospec accessor macros for bounds clipping :ref:`[2] |
156 |
+ <spec_ref2>` to avoid any usable disclosure gadgets. However, it may |
157 |
+ not cover all attack vectors for Spectre variant 1. |
158 |
+ |
159 |
++ Copy-from-user code has an LFENCE barrier to prevent the access_ok() |
160 |
++ check from being mis-speculated. The barrier is done by the |
161 |
++ barrier_nospec() macro. |
162 |
++ |
163 |
++ For the swapgs variant of Spectre variant 1, LFENCE barriers are |
164 |
++ added to interrupt, exception and NMI entry where needed. These |
165 |
++ barriers are done by the FENCE_SWAPGS_KERNEL_ENTRY and |
166 |
++ FENCE_SWAPGS_USER_ENTRY macros. |
167 |
++ |
168 |
++Spectre variant 2 |
169 |
++~~~~~~~~~~~~~~~~~ |
170 |
++ |
171 |
+ For Spectre variant 2 mitigation, the compiler turns indirect calls or |
172 |
+ jumps in the kernel into equivalent return trampolines (retpolines) |
173 |
+ :ref:`[3] <spec_ref3>` :ref:`[9] <spec_ref9>` to go to the target |
174 |
+@@ -473,6 +539,12 @@ Mitigation control on the kernel command line |
175 |
+ Spectre variant 2 mitigation can be disabled or force enabled at the |
176 |
+ kernel command line. |
177 |
+ |
178 |
++ nospectre_v1 |
179 |
++ |
180 |
++ [X86,PPC] Disable mitigations for Spectre Variant 1 |
181 |
++ (bounds check bypass). With this option data leaks are |
182 |
++ possible in the system. |
183 |
++ |
184 |
+ nospectre_v2 |
185 |
+ |
186 |
+ [X86] Disable all mitigations for the Spectre variant 2 |
187 |
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt |
188 |
+index 9240b2caa0b1..13d80111bc1f 100644 |
189 |
+--- a/Documentation/admin-guide/kernel-parameters.txt |
190 |
++++ b/Documentation/admin-guide/kernel-parameters.txt |
191 |
+@@ -2401,6 +2401,7 @@ |
192 |
+ Equivalent to: nopti [X86,PPC] |
193 |
+ nospectre_v1 [PPC] |
194 |
+ nobp=0 [S390] |
195 |
++ nospectre_v1 [X86] |
196 |
+ nospectre_v2 [X86,PPC,S390] |
197 |
+ spectre_v2_user=off [X86] |
198 |
+ spec_store_bypass_disable=off [X86,PPC] |
199 |
+@@ -2740,9 +2741,9 @@ |
200 |
+ nosmt=force: Force disable SMT, cannot be undone |
201 |
+ via the sysfs control file. |
202 |
+ |
203 |
+- nospectre_v1 [PPC] Disable mitigations for Spectre Variant 1 (bounds |
204 |
+- check bypass). With this option data leaks are possible |
205 |
+- in the system. |
206 |
++ nospectre_v1 [X66, PPC] Disable mitigations for Spectre Variant 1 |
207 |
++ (bounds check bypass). With this option data leaks |
208 |
++ are possible in the system. |
209 |
+ |
210 |
+ nospectre_v2 [X86,PPC_FSL_BOOK3E] Disable all mitigations for the Spectre variant 2 |
211 |
+ (indirect branch prediction) vulnerability. System may |
212 |
+diff --git a/Makefile b/Makefile |
213 |
+index a798f4777ae2..ff604059b6a8 100644 |
214 |
+--- a/Makefile |
215 |
++++ b/Makefile |
216 |
+@@ -1,7 +1,7 @@ |
217 |
+ # SPDX-License-Identifier: GPL-2.0 |
218 |
+ VERSION = 4 |
219 |
+ PATCHLEVEL = 14 |
220 |
+-SUBLEVEL = 136 |
221 |
++SUBLEVEL = 137 |
222 |
+ EXTRAVERSION = |
223 |
+ NAME = Petit Gorille |
224 |
+ |
225 |
+@@ -427,6 +427,7 @@ KBUILD_AFLAGS_MODULE := -DMODULE |
226 |
+ KBUILD_CFLAGS_MODULE := -DMODULE |
227 |
+ KBUILD_LDFLAGS_MODULE := -T $(srctree)/scripts/module-common.lds |
228 |
+ GCC_PLUGINS_CFLAGS := |
229 |
++CLANG_FLAGS := |
230 |
+ |
231 |
+ export ARCH SRCARCH CONFIG_SHELL HOSTCC HOSTCFLAGS CROSS_COMPILE AS LD CC |
232 |
+ export CPP AR NM STRIP OBJCOPY OBJDUMP HOSTLDFLAGS HOST_LOADLIBES |
233 |
+@@ -479,7 +480,7 @@ endif |
234 |
+ |
235 |
+ ifeq ($(cc-name),clang) |
236 |
+ ifneq ($(CROSS_COMPILE),) |
237 |
+-CLANG_FLAGS := --target=$(notdir $(CROSS_COMPILE:%-=%)) |
238 |
++CLANG_FLAGS += --target=$(notdir $(CROSS_COMPILE:%-=%)) |
239 |
+ GCC_TOOLCHAIN_DIR := $(dir $(shell which $(CROSS_COMPILE)elfedit)) |
240 |
+ CLANG_FLAGS += --prefix=$(GCC_TOOLCHAIN_DIR) |
241 |
+ GCC_TOOLCHAIN := $(realpath $(GCC_TOOLCHAIN_DIR)/..) |
242 |
+diff --git a/arch/arm/boot/dts/rk3288-veyron-mickey.dts b/arch/arm/boot/dts/rk3288-veyron-mickey.dts |
243 |
+index f0994f0e5774..d6ca67866bc0 100644 |
244 |
+--- a/arch/arm/boot/dts/rk3288-veyron-mickey.dts |
245 |
++++ b/arch/arm/boot/dts/rk3288-veyron-mickey.dts |
246 |
+@@ -161,10 +161,6 @@ |
247 |
+ }; |
248 |
+ }; |
249 |
+ |
250 |
+-&emmc { |
251 |
+- /delete-property/mmc-hs200-1_8v; |
252 |
+-}; |
253 |
+- |
254 |
+ &i2c2 { |
255 |
+ status = "disabled"; |
256 |
+ }; |
257 |
+diff --git a/arch/arm/boot/dts/rk3288-veyron-minnie.dts b/arch/arm/boot/dts/rk3288-veyron-minnie.dts |
258 |
+index 544de6027aaa..6000dca1cf05 100644 |
259 |
+--- a/arch/arm/boot/dts/rk3288-veyron-minnie.dts |
260 |
++++ b/arch/arm/boot/dts/rk3288-veyron-minnie.dts |
261 |
+@@ -125,10 +125,6 @@ |
262 |
+ power-supply = <&backlight_regulator>; |
263 |
+ }; |
264 |
+ |
265 |
+-&emmc { |
266 |
+- /delete-property/mmc-hs200-1_8v; |
267 |
+-}; |
268 |
+- |
269 |
+ &gpio_keys { |
270 |
+ pinctrl-0 = <&pwr_key_l &ap_lid_int_l &volum_down_l &volum_up_l>; |
271 |
+ |
272 |
+diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi |
273 |
+index 5a7888581eea..23907d9ce89a 100644 |
274 |
+--- a/arch/arm/boot/dts/rk3288.dtsi |
275 |
++++ b/arch/arm/boot/dts/rk3288.dtsi |
276 |
+@@ -213,6 +213,7 @@ |
277 |
+ <GIC_PPI 11 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_LEVEL_HIGH)>, |
278 |
+ <GIC_PPI 10 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_LEVEL_HIGH)>; |
279 |
+ clock-frequency = <24000000>; |
280 |
++ arm,no-tick-in-suspend; |
281 |
+ }; |
282 |
+ |
283 |
+ timer: timer@ff810000 { |
284 |
+diff --git a/arch/arm/mach-rpc/dma.c b/arch/arm/mach-rpc/dma.c |
285 |
+index fb48f3141fb4..c4c96661eb89 100644 |
286 |
+--- a/arch/arm/mach-rpc/dma.c |
287 |
++++ b/arch/arm/mach-rpc/dma.c |
288 |
+@@ -131,7 +131,7 @@ static irqreturn_t iomd_dma_handle(int irq, void *dev_id) |
289 |
+ } while (1); |
290 |
+ |
291 |
+ idma->state = ~DMA_ST_AB; |
292 |
+- disable_irq(irq); |
293 |
++ disable_irq_nosync(irq); |
294 |
+ |
295 |
+ return IRQ_HANDLED; |
296 |
+ } |
297 |
+@@ -174,6 +174,9 @@ static void iomd_enable_dma(unsigned int chan, dma_t *dma) |
298 |
+ DMA_FROM_DEVICE : DMA_TO_DEVICE); |
299 |
+ } |
300 |
+ |
301 |
++ idma->dma_addr = idma->dma.sg->dma_address; |
302 |
++ idma->dma_len = idma->dma.sg->length; |
303 |
++ |
304 |
+ iomd_writeb(DMA_CR_C, dma_base + CR); |
305 |
+ idma->state = DMA_ST_AB; |
306 |
+ } |
307 |
+diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c |
308 |
+index c4ef1c31e0c4..37caeadb2964 100644 |
309 |
+--- a/arch/mips/lantiq/irq.c |
310 |
++++ b/arch/mips/lantiq/irq.c |
311 |
+@@ -156,8 +156,9 @@ static int ltq_eiu_settype(struct irq_data *d, unsigned int type) |
312 |
+ if (edge) |
313 |
+ irq_set_handler(d->hwirq, handle_edge_irq); |
314 |
+ |
315 |
+- ltq_eiu_w32(ltq_eiu_r32(LTQ_EIU_EXIN_C) | |
316 |
+- (val << (i * 4)), LTQ_EIU_EXIN_C); |
317 |
++ ltq_eiu_w32((ltq_eiu_r32(LTQ_EIU_EXIN_C) & |
318 |
++ (~(7 << (i * 4)))) | (val << (i * 4)), |
319 |
++ LTQ_EIU_EXIN_C); |
320 |
+ } |
321 |
+ } |
322 |
+ |
323 |
+diff --git a/arch/parisc/boot/compressed/vmlinux.lds.S b/arch/parisc/boot/compressed/vmlinux.lds.S |
324 |
+index a4ce3314e78e..b658f77d6369 100644 |
325 |
+--- a/arch/parisc/boot/compressed/vmlinux.lds.S |
326 |
++++ b/arch/parisc/boot/compressed/vmlinux.lds.S |
327 |
+@@ -40,8 +40,8 @@ SECTIONS |
328 |
+ #endif |
329 |
+ _startcode_end = .; |
330 |
+ |
331 |
+- /* bootloader code and data starts behind area of extracted kernel */ |
332 |
+- . = (SZ_end - SZparisc_kernel_start + KERNEL_BINARY_TEXT_START); |
333 |
++ /* bootloader code and data starts at least behind area of extracted kernel */ |
334 |
++ . = MAX(ABSOLUTE(.), (SZ_end - SZparisc_kernel_start + KERNEL_BINARY_TEXT_START)); |
335 |
+ |
336 |
+ /* align on next page boundary */ |
337 |
+ . = ALIGN(4096); |
338 |
+diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c |
339 |
+index 252fee320816..fb07cfa3f2f9 100644 |
340 |
+--- a/arch/x86/boot/compressed/misc.c |
341 |
++++ b/arch/x86/boot/compressed/misc.c |
342 |
+@@ -16,6 +16,7 @@ |
343 |
+ #include "error.h" |
344 |
+ #include "../string.h" |
345 |
+ #include "../voffset.h" |
346 |
++#include <asm/bootparam_utils.h> |
347 |
+ |
348 |
+ /* |
349 |
+ * WARNING!! |
350 |
+diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h |
351 |
+index 32d4ec2e0243..5380d45b1c6e 100644 |
352 |
+--- a/arch/x86/boot/compressed/misc.h |
353 |
++++ b/arch/x86/boot/compressed/misc.h |
354 |
+@@ -19,7 +19,6 @@ |
355 |
+ #include <asm/page.h> |
356 |
+ #include <asm/boot.h> |
357 |
+ #include <asm/bootparam.h> |
358 |
+-#include <asm/bootparam_utils.h> |
359 |
+ |
360 |
+ #define BOOT_BOOT_H |
361 |
+ #include "../ctype.h" |
362 |
+diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h |
363 |
+index 5d10b7a85cad..557c1bdda311 100644 |
364 |
+--- a/arch/x86/entry/calling.h |
365 |
++++ b/arch/x86/entry/calling.h |
366 |
+@@ -332,6 +332,23 @@ For 32-bit we have the following conventions - kernel is built with |
367 |
+ |
368 |
+ #endif |
369 |
+ |
370 |
++/* |
371 |
++ * Mitigate Spectre v1 for conditional swapgs code paths. |
372 |
++ * |
373 |
++ * FENCE_SWAPGS_USER_ENTRY is used in the user entry swapgs code path, to |
374 |
++ * prevent a speculative swapgs when coming from kernel space. |
375 |
++ * |
376 |
++ * FENCE_SWAPGS_KERNEL_ENTRY is used in the kernel entry non-swapgs code path, |
377 |
++ * to prevent the swapgs from getting speculatively skipped when coming from |
378 |
++ * user space. |
379 |
++ */ |
380 |
++.macro FENCE_SWAPGS_USER_ENTRY |
381 |
++ ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_USER |
382 |
++.endm |
383 |
++.macro FENCE_SWAPGS_KERNEL_ENTRY |
384 |
++ ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_KERNEL |
385 |
++.endm |
386 |
++ |
387 |
+ #endif /* CONFIG_X86_64 */ |
388 |
+ |
389 |
+ /* |
390 |
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S |
391 |
+index e09ba4bc8b98..5ec66fafde4e 100644 |
392 |
+--- a/arch/x86/entry/entry_64.S |
393 |
++++ b/arch/x86/entry/entry_64.S |
394 |
+@@ -531,9 +531,12 @@ END(irq_entries_start) |
395 |
+ testb $3, CS-ORIG_RAX(%rsp) |
396 |
+ jz 1f |
397 |
+ SWAPGS |
398 |
++ FENCE_SWAPGS_USER_ENTRY |
399 |
+ call switch_to_thread_stack |
400 |
++ jmp 2f |
401 |
+ 1: |
402 |
+- |
403 |
++ FENCE_SWAPGS_KERNEL_ENTRY |
404 |
++2: |
405 |
+ PUSH_AND_CLEAR_REGS |
406 |
+ ENCODE_FRAME_POINTER |
407 |
+ |
408 |
+@@ -1113,7 +1116,6 @@ idtentry stack_segment do_stack_segment has_error_code=1 |
409 |
+ #ifdef CONFIG_XEN |
410 |
+ idtentry xennmi do_nmi has_error_code=0 |
411 |
+ idtentry xendebug do_debug has_error_code=0 |
412 |
+-idtentry xenint3 do_int3 has_error_code=0 |
413 |
+ #endif |
414 |
+ |
415 |
+ idtentry general_protection do_general_protection has_error_code=1 |
416 |
+@@ -1147,6 +1149,12 @@ ENTRY(paranoid_entry) |
417 |
+ |
418 |
+ 1: |
419 |
+ SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14 |
420 |
++ /* |
421 |
++ * The above SAVE_AND_SWITCH_TO_KERNEL_CR3 macro doesn't do an |
422 |
++ * unconditional CR3 write, even in the PTI case. So do an lfence |
423 |
++ * to prevent GS speculation, regardless of whether PTI is enabled. |
424 |
++ */ |
425 |
++ FENCE_SWAPGS_KERNEL_ENTRY |
426 |
+ |
427 |
+ ret |
428 |
+ END(paranoid_entry) |
429 |
+@@ -1196,6 +1204,7 @@ ENTRY(error_entry) |
430 |
+ * from user mode due to an IRET fault. |
431 |
+ */ |
432 |
+ SWAPGS |
433 |
++ FENCE_SWAPGS_USER_ENTRY |
434 |
+ /* We have user CR3. Change to kernel CR3. */ |
435 |
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%rax |
436 |
+ |
437 |
+@@ -1217,6 +1226,8 @@ ENTRY(error_entry) |
438 |
+ CALL_enter_from_user_mode |
439 |
+ ret |
440 |
+ |
441 |
++.Lerror_entry_done_lfence: |
442 |
++ FENCE_SWAPGS_KERNEL_ENTRY |
443 |
+ .Lerror_entry_done: |
444 |
+ TRACE_IRQS_OFF |
445 |
+ ret |
446 |
+@@ -1235,7 +1246,7 @@ ENTRY(error_entry) |
447 |
+ cmpq %rax, RIP+8(%rsp) |
448 |
+ je .Lbstep_iret |
449 |
+ cmpq $.Lgs_change, RIP+8(%rsp) |
450 |
+- jne .Lerror_entry_done |
451 |
++ jne .Lerror_entry_done_lfence |
452 |
+ |
453 |
+ /* |
454 |
+ * hack: .Lgs_change can fail with user gsbase. If this happens, fix up |
455 |
+@@ -1243,6 +1254,7 @@ ENTRY(error_entry) |
456 |
+ * .Lgs_change's error handler with kernel gsbase. |
457 |
+ */ |
458 |
+ SWAPGS |
459 |
++ FENCE_SWAPGS_USER_ENTRY |
460 |
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%rax |
461 |
+ jmp .Lerror_entry_done |
462 |
+ |
463 |
+@@ -1257,6 +1269,7 @@ ENTRY(error_entry) |
464 |
+ * gsbase and CR3. Switch to kernel gsbase and CR3: |
465 |
+ */ |
466 |
+ SWAPGS |
467 |
++ FENCE_SWAPGS_USER_ENTRY |
468 |
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%rax |
469 |
+ |
470 |
+ /* |
471 |
+@@ -1348,6 +1361,7 @@ ENTRY(nmi) |
472 |
+ |
473 |
+ swapgs |
474 |
+ cld |
475 |
++ FENCE_SWAPGS_USER_ENTRY |
476 |
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%rdx |
477 |
+ movq %rsp, %rdx |
478 |
+ movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp |
479 |
+diff --git a/arch/x86/entry/vdso/vclock_gettime.c b/arch/x86/entry/vdso/vclock_gettime.c |
480 |
+index 9c35dc0a9d64..9f4b1081dee0 100644 |
481 |
+--- a/arch/x86/entry/vdso/vclock_gettime.c |
482 |
++++ b/arch/x86/entry/vdso/vclock_gettime.c |
483 |
+@@ -29,12 +29,12 @@ extern int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz); |
484 |
+ extern time_t __vdso_time(time_t *t); |
485 |
+ |
486 |
+ #ifdef CONFIG_PARAVIRT_CLOCK |
487 |
+-extern u8 pvclock_page |
488 |
++extern u8 pvclock_page[PAGE_SIZE] |
489 |
+ __attribute__((visibility("hidden"))); |
490 |
+ #endif |
491 |
+ |
492 |
+ #ifdef CONFIG_HYPERV_TSCPAGE |
493 |
+-extern u8 hvclock_page |
494 |
++extern u8 hvclock_page[PAGE_SIZE] |
495 |
+ __attribute__((visibility("hidden"))); |
496 |
+ #endif |
497 |
+ |
498 |
+@@ -191,13 +191,24 @@ notrace static inline u64 vgetsns(int *mode) |
499 |
+ |
500 |
+ if (gtod->vclock_mode == VCLOCK_TSC) |
501 |
+ cycles = vread_tsc(); |
502 |
++ |
503 |
++ /* |
504 |
++ * For any memory-mapped vclock type, we need to make sure that gcc |
505 |
++ * doesn't cleverly hoist a load before the mode check. Otherwise we |
506 |
++ * might end up touching the memory-mapped page even if the vclock in |
507 |
++ * question isn't enabled, which will segfault. Hence the barriers. |
508 |
++ */ |
509 |
+ #ifdef CONFIG_PARAVIRT_CLOCK |
510 |
+- else if (gtod->vclock_mode == VCLOCK_PVCLOCK) |
511 |
++ else if (gtod->vclock_mode == VCLOCK_PVCLOCK) { |
512 |
++ barrier(); |
513 |
+ cycles = vread_pvclock(mode); |
514 |
++ } |
515 |
+ #endif |
516 |
+ #ifdef CONFIG_HYPERV_TSCPAGE |
517 |
+- else if (gtod->vclock_mode == VCLOCK_HVCLOCK) |
518 |
++ else if (gtod->vclock_mode == VCLOCK_HVCLOCK) { |
519 |
++ barrier(); |
520 |
+ cycles = vread_hvclock(mode); |
521 |
++ } |
522 |
+ #endif |
523 |
+ else |
524 |
+ return 0; |
525 |
+diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h |
526 |
+index a1ed92aae12a..25a5a5c6ae90 100644 |
527 |
+--- a/arch/x86/include/asm/apic.h |
528 |
++++ b/arch/x86/include/asm/apic.h |
529 |
+@@ -48,7 +48,7 @@ static inline void generic_apic_probe(void) |
530 |
+ |
531 |
+ #ifdef CONFIG_X86_LOCAL_APIC |
532 |
+ |
533 |
+-extern unsigned int apic_verbosity; |
534 |
++extern int apic_verbosity; |
535 |
+ extern int local_apic_timer_c2_ok; |
536 |
+ |
537 |
+ extern int disable_apic; |
538 |
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h |
539 |
+index 70eddb3922ff..4e2d03135854 100644 |
540 |
+--- a/arch/x86/include/asm/cpufeature.h |
541 |
++++ b/arch/x86/include/asm/cpufeature.h |
542 |
+@@ -22,8 +22,8 @@ enum cpuid_leafs |
543 |
+ CPUID_LNX_3, |
544 |
+ CPUID_7_0_EBX, |
545 |
+ CPUID_D_1_EAX, |
546 |
+- CPUID_F_0_EDX, |
547 |
+- CPUID_F_1_EDX, |
548 |
++ CPUID_LNX_4, |
549 |
++ CPUID_DUMMY, |
550 |
+ CPUID_8000_0008_EBX, |
551 |
+ CPUID_6_EAX, |
552 |
+ CPUID_8000_000A_EDX, |
553 |
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h |
554 |
+index 4cb8315c521f..14357354cd28 100644 |
555 |
+--- a/arch/x86/include/asm/cpufeatures.h |
556 |
++++ b/arch/x86/include/asm/cpufeatures.h |
557 |
+@@ -271,13 +271,18 @@ |
558 |
+ #define X86_FEATURE_XGETBV1 (10*32+ 2) /* XGETBV with ECX = 1 instruction */ |
559 |
+ #define X86_FEATURE_XSAVES (10*32+ 3) /* XSAVES/XRSTORS instructions */ |
560 |
+ |
561 |
+-/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:0 (EDX), word 11 */ |
562 |
+-#define X86_FEATURE_CQM_LLC (11*32+ 1) /* LLC QoS if 1 */ |
563 |
+- |
564 |
+-/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:1 (EDX), word 12 */ |
565 |
+-#define X86_FEATURE_CQM_OCCUP_LLC (12*32+ 0) /* LLC occupancy monitoring */ |
566 |
+-#define X86_FEATURE_CQM_MBM_TOTAL (12*32+ 1) /* LLC Total MBM monitoring */ |
567 |
+-#define X86_FEATURE_CQM_MBM_LOCAL (12*32+ 2) /* LLC Local MBM monitoring */ |
568 |
++/* |
569 |
++ * Extended auxiliary flags: Linux defined - for features scattered in various |
570 |
++ * CPUID levels like 0xf, etc. |
571 |
++ * |
572 |
++ * Reuse free bits when adding new feature flags! |
573 |
++ */ |
574 |
++#define X86_FEATURE_CQM_LLC (11*32+ 0) /* LLC QoS if 1 */ |
575 |
++#define X86_FEATURE_CQM_OCCUP_LLC (11*32+ 1) /* LLC occupancy monitoring */ |
576 |
++#define X86_FEATURE_CQM_MBM_TOTAL (11*32+ 2) /* LLC Total MBM monitoring */ |
577 |
++#define X86_FEATURE_CQM_MBM_LOCAL (11*32+ 3) /* LLC Local MBM monitoring */ |
578 |
++#define X86_FEATURE_FENCE_SWAPGS_USER (11*32+ 4) /* "" LFENCE in user entry SWAPGS path */ |
579 |
++#define X86_FEATURE_FENCE_SWAPGS_KERNEL (11*32+ 5) /* "" LFENCE in kernel entry SWAPGS path */ |
580 |
+ |
581 |
+ /* AMD-defined CPU features, CPUID level 0x80000008 (EBX), word 13 */ |
582 |
+ #define X86_FEATURE_CLZERO (13*32+ 0) /* CLZERO instruction */ |
583 |
+@@ -382,5 +387,6 @@ |
584 |
+ #define X86_BUG_L1TF X86_BUG(18) /* CPU is affected by L1 Terminal Fault */ |
585 |
+ #define X86_BUG_MDS X86_BUG(19) /* CPU is affected by Microarchitectural data sampling */ |
586 |
+ #define X86_BUG_MSBDS_ONLY X86_BUG(20) /* CPU is only affected by the MSDBS variant of BUG_MDS */ |
587 |
++#define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */ |
588 |
+ |
589 |
+ #endif /* _ASM_X86_CPUFEATURES_H */ |
590 |
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h |
591 |
+index f9a4b85d7309..9f3eb334c818 100644 |
592 |
+--- a/arch/x86/include/asm/kvm_host.h |
593 |
++++ b/arch/x86/include/asm/kvm_host.h |
594 |
+@@ -1353,25 +1353,29 @@ enum { |
595 |
+ #define kvm_arch_vcpu_memslots_id(vcpu) ((vcpu)->arch.hflags & HF_SMM_MASK ? 1 : 0) |
596 |
+ #define kvm_memslots_for_spte_role(kvm, role) __kvm_memslots(kvm, (role).smm) |
597 |
+ |
598 |
++asmlinkage void __noreturn kvm_spurious_fault(void); |
599 |
++ |
600 |
+ /* |
601 |
+ * Hardware virtualization extension instructions may fault if a |
602 |
+ * reboot turns off virtualization while processes are running. |
603 |
+- * Trap the fault and ignore the instruction if that happens. |
604 |
++ * Usually after catching the fault we just panic; during reboot |
605 |
++ * instead the instruction is ignored. |
606 |
+ */ |
607 |
+-asmlinkage void kvm_spurious_fault(void); |
608 |
+- |
609 |
+-#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \ |
610 |
+- "666: " insn "\n\t" \ |
611 |
+- "668: \n\t" \ |
612 |
+- ".pushsection .fixup, \"ax\" \n" \ |
613 |
+- "667: \n\t" \ |
614 |
+- cleanup_insn "\n\t" \ |
615 |
+- "cmpb $0, kvm_rebooting \n\t" \ |
616 |
+- "jne 668b \n\t" \ |
617 |
+- __ASM_SIZE(push) " $666b \n\t" \ |
618 |
+- "jmp kvm_spurious_fault \n\t" \ |
619 |
+- ".popsection \n\t" \ |
620 |
+- _ASM_EXTABLE(666b, 667b) |
621 |
++#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \ |
622 |
++ "666: \n\t" \ |
623 |
++ insn "\n\t" \ |
624 |
++ "jmp 668f \n\t" \ |
625 |
++ "667: \n\t" \ |
626 |
++ "call kvm_spurious_fault \n\t" \ |
627 |
++ "668: \n\t" \ |
628 |
++ ".pushsection .fixup, \"ax\" \n\t" \ |
629 |
++ "700: \n\t" \ |
630 |
++ cleanup_insn "\n\t" \ |
631 |
++ "cmpb $0, kvm_rebooting\n\t" \ |
632 |
++ "je 667b \n\t" \ |
633 |
++ "jmp 668b \n\t" \ |
634 |
++ ".popsection \n\t" \ |
635 |
++ _ASM_EXTABLE(666b, 700b) |
636 |
+ |
637 |
+ #define __kvm_handle_fault_on_reboot(insn) \ |
638 |
+ ____kvm_handle_fault_on_reboot(insn, "") |
639 |
+diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h |
640 |
+index c83a2f418cea..4471f0da6ed7 100644 |
641 |
+--- a/arch/x86/include/asm/paravirt.h |
642 |
++++ b/arch/x86/include/asm/paravirt.h |
643 |
+@@ -758,6 +758,7 @@ static __always_inline bool pv_vcpu_is_preempted(long cpu) |
644 |
+ PV_RESTORE_ALL_CALLER_REGS \ |
645 |
+ FRAME_END \ |
646 |
+ "ret;" \ |
647 |
++ ".size " PV_THUNK_NAME(func) ", .-" PV_THUNK_NAME(func) ";" \ |
648 |
+ ".popsection") |
649 |
+ |
650 |
+ /* Get a reference to a callee-save function */ |
651 |
+diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h |
652 |
+index afbc87206886..b771bb3d159b 100644 |
653 |
+--- a/arch/x86/include/asm/traps.h |
654 |
++++ b/arch/x86/include/asm/traps.h |
655 |
+@@ -40,7 +40,7 @@ asmlinkage void simd_coprocessor_error(void); |
656 |
+ asmlinkage void xen_divide_error(void); |
657 |
+ asmlinkage void xen_xennmi(void); |
658 |
+ asmlinkage void xen_xendebug(void); |
659 |
+-asmlinkage void xen_xenint3(void); |
660 |
++asmlinkage void xen_int3(void); |
661 |
+ asmlinkage void xen_overflow(void); |
662 |
+ asmlinkage void xen_bounds(void); |
663 |
+ asmlinkage void xen_invalid_op(void); |
664 |
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c |
665 |
+index 2e64178f284d..ae410f7585f1 100644 |
666 |
+--- a/arch/x86/kernel/apic/apic.c |
667 |
++++ b/arch/x86/kernel/apic/apic.c |
668 |
+@@ -182,7 +182,7 @@ EXPORT_SYMBOL_GPL(local_apic_timer_c2_ok); |
669 |
+ /* |
670 |
+ * Debug level, exported for io_apic.c |
671 |
+ */ |
672 |
+-unsigned int apic_verbosity; |
673 |
++int apic_verbosity; |
674 |
+ |
675 |
+ int pic_mode; |
676 |
+ |
677 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
678 |
+index 64b6180ce162..8bf21bc7a190 100644 |
679 |
+--- a/arch/x86/kernel/cpu/bugs.c |
680 |
++++ b/arch/x86/kernel/cpu/bugs.c |
681 |
+@@ -32,6 +32,7 @@ |
682 |
+ #include <asm/intel-family.h> |
683 |
+ #include <asm/e820/api.h> |
684 |
+ |
685 |
++static void __init spectre_v1_select_mitigation(void); |
686 |
+ static void __init spectre_v2_select_mitigation(void); |
687 |
+ static void __init ssb_select_mitigation(void); |
688 |
+ static void __init l1tf_select_mitigation(void); |
689 |
+@@ -96,17 +97,11 @@ void __init check_bugs(void) |
690 |
+ if (boot_cpu_has(X86_FEATURE_STIBP)) |
691 |
+ x86_spec_ctrl_mask |= SPEC_CTRL_STIBP; |
692 |
+ |
693 |
+- /* Select the proper spectre mitigation before patching alternatives */ |
694 |
++ /* Select the proper CPU mitigations before patching alternatives: */ |
695 |
++ spectre_v1_select_mitigation(); |
696 |
+ spectre_v2_select_mitigation(); |
697 |
+- |
698 |
+- /* |
699 |
+- * Select proper mitigation for any exposure to the Speculative Store |
700 |
+- * Bypass vulnerability. |
701 |
+- */ |
702 |
+ ssb_select_mitigation(); |
703 |
+- |
704 |
+ l1tf_select_mitigation(); |
705 |
+- |
706 |
+ mds_select_mitigation(); |
707 |
+ |
708 |
+ arch_smt_update(); |
709 |
+@@ -271,6 +266,98 @@ static int __init mds_cmdline(char *str) |
710 |
+ } |
711 |
+ early_param("mds", mds_cmdline); |
712 |
+ |
713 |
++#undef pr_fmt |
714 |
++#define pr_fmt(fmt) "Spectre V1 : " fmt |
715 |
++ |
716 |
++enum spectre_v1_mitigation { |
717 |
++ SPECTRE_V1_MITIGATION_NONE, |
718 |
++ SPECTRE_V1_MITIGATION_AUTO, |
719 |
++}; |
720 |
++ |
721 |
++static enum spectre_v1_mitigation spectre_v1_mitigation __ro_after_init = |
722 |
++ SPECTRE_V1_MITIGATION_AUTO; |
723 |
++ |
724 |
++static const char * const spectre_v1_strings[] = { |
725 |
++ [SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers", |
726 |
++ [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization", |
727 |
++}; |
728 |
++ |
729 |
++/* |
730 |
++ * Does SMAP provide full mitigation against speculative kernel access to |
731 |
++ * userspace? |
732 |
++ */ |
733 |
++static bool smap_works_speculatively(void) |
734 |
++{ |
735 |
++ if (!boot_cpu_has(X86_FEATURE_SMAP)) |
736 |
++ return false; |
737 |
++ |
738 |
++ /* |
739 |
++ * On CPUs which are vulnerable to Meltdown, SMAP does not |
740 |
++ * prevent speculative access to user data in the L1 cache. |
741 |
++ * Consider SMAP to be non-functional as a mitigation on these |
742 |
++ * CPUs. |
743 |
++ */ |
744 |
++ if (boot_cpu_has(X86_BUG_CPU_MELTDOWN)) |
745 |
++ return false; |
746 |
++ |
747 |
++ return true; |
748 |
++} |
749 |
++ |
750 |
++static void __init spectre_v1_select_mitigation(void) |
751 |
++{ |
752 |
++ if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) { |
753 |
++ spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE; |
754 |
++ return; |
755 |
++ } |
756 |
++ |
757 |
++ if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) { |
758 |
++ /* |
759 |
++ * With Spectre v1, a user can speculatively control either |
760 |
++ * path of a conditional swapgs with a user-controlled GS |
761 |
++ * value. The mitigation is to add lfences to both code paths. |
762 |
++ * |
763 |
++ * If FSGSBASE is enabled, the user can put a kernel address in |
764 |
++ * GS, in which case SMAP provides no protection. |
765 |
++ * |
766 |
++ * [ NOTE: Don't check for X86_FEATURE_FSGSBASE until the |
767 |
++ * FSGSBASE enablement patches have been merged. ] |
768 |
++ * |
769 |
++ * If FSGSBASE is disabled, the user can only put a user space |
770 |
++ * address in GS. That makes an attack harder, but still |
771 |
++ * possible if there's no SMAP protection. |
772 |
++ */ |
773 |
++ if (!smap_works_speculatively()) { |
774 |
++ /* |
775 |
++ * Mitigation can be provided from SWAPGS itself or |
776 |
++ * PTI as the CR3 write in the Meltdown mitigation |
777 |
++ * is serializing. |
778 |
++ * |
779 |
++ * If neither is there, mitigate with an LFENCE to |
780 |
++ * stop speculation through swapgs. |
781 |
++ */ |
782 |
++ if (boot_cpu_has_bug(X86_BUG_SWAPGS) && |
783 |
++ !boot_cpu_has(X86_FEATURE_PTI)) |
784 |
++ setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER); |
785 |
++ |
786 |
++ /* |
787 |
++ * Enable lfences in the kernel entry (non-swapgs) |
788 |
++ * paths, to prevent user entry from speculatively |
789 |
++ * skipping swapgs. |
790 |
++ */ |
791 |
++ setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL); |
792 |
++ } |
793 |
++ } |
794 |
++ |
795 |
++ pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]); |
796 |
++} |
797 |
++ |
798 |
++static int __init nospectre_v1_cmdline(char *str) |
799 |
++{ |
800 |
++ spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE; |
801 |
++ return 0; |
802 |
++} |
803 |
++early_param("nospectre_v1", nospectre_v1_cmdline); |
804 |
++ |
805 |
+ #undef pr_fmt |
806 |
+ #define pr_fmt(fmt) "Spectre V2 : " fmt |
807 |
+ |
808 |
+@@ -1255,7 +1342,7 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr |
809 |
+ break; |
810 |
+ |
811 |
+ case X86_BUG_SPECTRE_V1: |
812 |
+- return sprintf(buf, "Mitigation: __user pointer sanitization\n"); |
813 |
++ return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]); |
814 |
+ |
815 |
+ case X86_BUG_SPECTRE_V2: |
816 |
+ return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], |
817 |
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c |
818 |
+index ebe547b1ffce..551c6bed7c8c 100644 |
819 |
+--- a/arch/x86/kernel/cpu/common.c |
820 |
++++ b/arch/x86/kernel/cpu/common.c |
821 |
+@@ -768,6 +768,30 @@ static void init_speculation_control(struct cpuinfo_x86 *c) |
822 |
+ } |
823 |
+ } |
824 |
+ |
825 |
++static void init_cqm(struct cpuinfo_x86 *c) |
826 |
++{ |
827 |
++ if (!cpu_has(c, X86_FEATURE_CQM_LLC)) { |
828 |
++ c->x86_cache_max_rmid = -1; |
829 |
++ c->x86_cache_occ_scale = -1; |
830 |
++ return; |
831 |
++ } |
832 |
++ |
833 |
++ /* will be overridden if occupancy monitoring exists */ |
834 |
++ c->x86_cache_max_rmid = cpuid_ebx(0xf); |
835 |
++ |
836 |
++ if (cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC) || |
837 |
++ cpu_has(c, X86_FEATURE_CQM_MBM_TOTAL) || |
838 |
++ cpu_has(c, X86_FEATURE_CQM_MBM_LOCAL)) { |
839 |
++ u32 eax, ebx, ecx, edx; |
840 |
++ |
841 |
++ /* QoS sub-leaf, EAX=0Fh, ECX=1 */ |
842 |
++ cpuid_count(0xf, 1, &eax, &ebx, &ecx, &edx); |
843 |
++ |
844 |
++ c->x86_cache_max_rmid = ecx; |
845 |
++ c->x86_cache_occ_scale = ebx; |
846 |
++ } |
847 |
++} |
848 |
++ |
849 |
+ void get_cpu_cap(struct cpuinfo_x86 *c) |
850 |
+ { |
851 |
+ u32 eax, ebx, ecx, edx; |
852 |
+@@ -799,33 +823,6 @@ void get_cpu_cap(struct cpuinfo_x86 *c) |
853 |
+ c->x86_capability[CPUID_D_1_EAX] = eax; |
854 |
+ } |
855 |
+ |
856 |
+- /* Additional Intel-defined flags: level 0x0000000F */ |
857 |
+- if (c->cpuid_level >= 0x0000000F) { |
858 |
+- |
859 |
+- /* QoS sub-leaf, EAX=0Fh, ECX=0 */ |
860 |
+- cpuid_count(0x0000000F, 0, &eax, &ebx, &ecx, &edx); |
861 |
+- c->x86_capability[CPUID_F_0_EDX] = edx; |
862 |
+- |
863 |
+- if (cpu_has(c, X86_FEATURE_CQM_LLC)) { |
864 |
+- /* will be overridden if occupancy monitoring exists */ |
865 |
+- c->x86_cache_max_rmid = ebx; |
866 |
+- |
867 |
+- /* QoS sub-leaf, EAX=0Fh, ECX=1 */ |
868 |
+- cpuid_count(0x0000000F, 1, &eax, &ebx, &ecx, &edx); |
869 |
+- c->x86_capability[CPUID_F_1_EDX] = edx; |
870 |
+- |
871 |
+- if ((cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC)) || |
872 |
+- ((cpu_has(c, X86_FEATURE_CQM_MBM_TOTAL)) || |
873 |
+- (cpu_has(c, X86_FEATURE_CQM_MBM_LOCAL)))) { |
874 |
+- c->x86_cache_max_rmid = ecx; |
875 |
+- c->x86_cache_occ_scale = ebx; |
876 |
+- } |
877 |
+- } else { |
878 |
+- c->x86_cache_max_rmid = -1; |
879 |
+- c->x86_cache_occ_scale = -1; |
880 |
+- } |
881 |
+- } |
882 |
+- |
883 |
+ /* AMD-defined flags: level 0x80000001 */ |
884 |
+ eax = cpuid_eax(0x80000000); |
885 |
+ c->extended_cpuid_level = eax; |
886 |
+@@ -863,6 +860,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c) |
887 |
+ |
888 |
+ init_scattered_cpuid_features(c); |
889 |
+ init_speculation_control(c); |
890 |
++ init_cqm(c); |
891 |
+ |
892 |
+ /* |
893 |
+ * Clear/Set all flags overridden by options, after probe. |
894 |
+@@ -905,6 +903,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c) |
895 |
+ #define NO_L1TF BIT(3) |
896 |
+ #define NO_MDS BIT(4) |
897 |
+ #define MSBDS_ONLY BIT(5) |
898 |
++#define NO_SWAPGS BIT(6) |
899 |
+ |
900 |
+ #define VULNWL(_vendor, _family, _model, _whitelist) \ |
901 |
+ { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist } |
902 |
+@@ -928,29 +927,37 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = { |
903 |
+ VULNWL_INTEL(ATOM_BONNELL, NO_SPECULATION), |
904 |
+ VULNWL_INTEL(ATOM_BONNELL_MID, NO_SPECULATION), |
905 |
+ |
906 |
+- VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY), |
907 |
+- VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY), |
908 |
+- VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY), |
909 |
+- VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY), |
910 |
+- VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY), |
911 |
+- VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY), |
912 |
++ VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), |
913 |
++ VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), |
914 |
++ VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), |
915 |
++ VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), |
916 |
++ VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), |
917 |
++ VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), |
918 |
+ |
919 |
+ VULNWL_INTEL(CORE_YONAH, NO_SSB), |
920 |
+ |
921 |
+- VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY), |
922 |
++ VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY | NO_SWAPGS), |
923 |
+ |
924 |
+- VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF), |
925 |
+- VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF), |
926 |
+- VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF), |
927 |
++ VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS), |
928 |
++ VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS), |
929 |
++ VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS), |
930 |
++ |
931 |
++ /* |
932 |
++ * Technically, swapgs isn't serializing on AMD (despite it previously |
933 |
++ * being documented as such in the APM). But according to AMD, %gs is |
934 |
++ * updated non-speculatively, and the issuing of %gs-relative memory |
935 |
++ * operands will be blocked until the %gs update completes, which is |
936 |
++ * good enough for our purposes. |
937 |
++ */ |
938 |
+ |
939 |
+ /* AMD Family 0xf - 0x12 */ |
940 |
+- VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), |
941 |
+- VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), |
942 |
+- VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), |
943 |
+- VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), |
944 |
++ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), |
945 |
++ VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), |
946 |
++ VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), |
947 |
++ VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), |
948 |
+ |
949 |
+ /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */ |
950 |
+- VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS), |
951 |
++ VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS), |
952 |
+ {} |
953 |
+ }; |
954 |
+ |
955 |
+@@ -987,6 +994,9 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) |
956 |
+ setup_force_cpu_bug(X86_BUG_MSBDS_ONLY); |
957 |
+ } |
958 |
+ |
959 |
++ if (!cpu_matches(NO_SWAPGS)) |
960 |
++ setup_force_cpu_bug(X86_BUG_SWAPGS); |
961 |
++ |
962 |
+ if (cpu_matches(NO_MELTDOWN)) |
963 |
+ return; |
964 |
+ |
965 |
+diff --git a/arch/x86/kernel/cpu/cpuid-deps.c b/arch/x86/kernel/cpu/cpuid-deps.c |
966 |
+index 904b0a3c4e53..4c9fc6a4d1ea 100644 |
967 |
+--- a/arch/x86/kernel/cpu/cpuid-deps.c |
968 |
++++ b/arch/x86/kernel/cpu/cpuid-deps.c |
969 |
+@@ -59,6 +59,9 @@ const static struct cpuid_dep cpuid_deps[] = { |
970 |
+ { X86_FEATURE_AVX512_4VNNIW, X86_FEATURE_AVX512F }, |
971 |
+ { X86_FEATURE_AVX512_4FMAPS, X86_FEATURE_AVX512F }, |
972 |
+ { X86_FEATURE_AVX512_VPOPCNTDQ, X86_FEATURE_AVX512F }, |
973 |
++ { X86_FEATURE_CQM_OCCUP_LLC, X86_FEATURE_CQM_LLC }, |
974 |
++ { X86_FEATURE_CQM_MBM_TOTAL, X86_FEATURE_CQM_LLC }, |
975 |
++ { X86_FEATURE_CQM_MBM_LOCAL, X86_FEATURE_CQM_LLC }, |
976 |
+ {} |
977 |
+ }; |
978 |
+ |
979 |
+diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c |
980 |
+index df11f5d604be..ed7ce5184a77 100644 |
981 |
+--- a/arch/x86/kernel/cpu/scattered.c |
982 |
++++ b/arch/x86/kernel/cpu/scattered.c |
983 |
+@@ -21,6 +21,10 @@ struct cpuid_bit { |
984 |
+ static const struct cpuid_bit cpuid_bits[] = { |
985 |
+ { X86_FEATURE_APERFMPERF, CPUID_ECX, 0, 0x00000006, 0 }, |
986 |
+ { X86_FEATURE_EPB, CPUID_ECX, 3, 0x00000006, 0 }, |
987 |
++ { X86_FEATURE_CQM_LLC, CPUID_EDX, 1, 0x0000000f, 0 }, |
988 |
++ { X86_FEATURE_CQM_OCCUP_LLC, CPUID_EDX, 0, 0x0000000f, 1 }, |
989 |
++ { X86_FEATURE_CQM_MBM_TOTAL, CPUID_EDX, 1, 0x0000000f, 1 }, |
990 |
++ { X86_FEATURE_CQM_MBM_LOCAL, CPUID_EDX, 2, 0x0000000f, 1 }, |
991 |
+ { X86_FEATURE_CAT_L3, CPUID_EBX, 1, 0x00000010, 0 }, |
992 |
+ { X86_FEATURE_CAT_L2, CPUID_EBX, 2, 0x00000010, 0 }, |
993 |
+ { X86_FEATURE_CDP_L3, CPUID_ECX, 2, 0x00000010, 1 }, |
994 |
+diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c |
995 |
+index 652bdd867782..5853eb50138e 100644 |
996 |
+--- a/arch/x86/kernel/kvm.c |
997 |
++++ b/arch/x86/kernel/kvm.c |
998 |
+@@ -631,6 +631,7 @@ asm( |
999 |
+ "cmpb $0, " __stringify(KVM_STEAL_TIME_preempted) "+steal_time(%rax);" |
1000 |
+ "setne %al;" |
1001 |
+ "ret;" |
1002 |
++".size __raw_callee_save___kvm_vcpu_is_preempted, .-__raw_callee_save___kvm_vcpu_is_preempted;" |
1003 |
+ ".popsection"); |
1004 |
+ |
1005 |
+ #endif |
1006 |
+diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h |
1007 |
+index 9a327d5b6d1f..d78a61408243 100644 |
1008 |
+--- a/arch/x86/kvm/cpuid.h |
1009 |
++++ b/arch/x86/kvm/cpuid.h |
1010 |
+@@ -47,8 +47,6 @@ static const struct cpuid_reg reverse_cpuid[] = { |
1011 |
+ [CPUID_8000_0001_ECX] = {0x80000001, 0, CPUID_ECX}, |
1012 |
+ [CPUID_7_0_EBX] = { 7, 0, CPUID_EBX}, |
1013 |
+ [CPUID_D_1_EAX] = { 0xd, 1, CPUID_EAX}, |
1014 |
+- [CPUID_F_0_EDX] = { 0xf, 0, CPUID_EDX}, |
1015 |
+- [CPUID_F_1_EDX] = { 0xf, 1, CPUID_EDX}, |
1016 |
+ [CPUID_8000_0008_EBX] = {0x80000008, 0, CPUID_EBX}, |
1017 |
+ [CPUID_6_EAX] = { 6, 0, CPUID_EAX}, |
1018 |
+ [CPUID_8000_000A_EDX] = {0x8000000a, 0, CPUID_EDX}, |
1019 |
+diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c |
1020 |
+index f97b533bc6e6..87a0601b1c20 100644 |
1021 |
+--- a/arch/x86/kvm/mmu.c |
1022 |
++++ b/arch/x86/kvm/mmu.c |
1023 |
+@@ -4313,11 +4313,11 @@ static void update_permission_bitmask(struct kvm_vcpu *vcpu, |
1024 |
+ */ |
1025 |
+ |
1026 |
+ /* Faults from writes to non-writable pages */ |
1027 |
+- u8 wf = (pfec & PFERR_WRITE_MASK) ? ~w : 0; |
1028 |
++ u8 wf = (pfec & PFERR_WRITE_MASK) ? (u8)~w : 0; |
1029 |
+ /* Faults from user mode accesses to supervisor pages */ |
1030 |
+- u8 uf = (pfec & PFERR_USER_MASK) ? ~u : 0; |
1031 |
++ u8 uf = (pfec & PFERR_USER_MASK) ? (u8)~u : 0; |
1032 |
+ /* Faults from fetches of non-executable pages*/ |
1033 |
+- u8 ff = (pfec & PFERR_FETCH_MASK) ? ~x : 0; |
1034 |
++ u8 ff = (pfec & PFERR_FETCH_MASK) ? (u8)~x : 0; |
1035 |
+ /* Faults from kernel mode fetches of user pages */ |
1036 |
+ u8 smepf = 0; |
1037 |
+ /* Faults from kernel mode accesses of user pages */ |
1038 |
+diff --git a/arch/x86/math-emu/fpu_emu.h b/arch/x86/math-emu/fpu_emu.h |
1039 |
+index a5a41ec58072..0c122226ca56 100644 |
1040 |
+--- a/arch/x86/math-emu/fpu_emu.h |
1041 |
++++ b/arch/x86/math-emu/fpu_emu.h |
1042 |
+@@ -177,7 +177,7 @@ static inline void reg_copy(FPU_REG const *x, FPU_REG *y) |
1043 |
+ #define setexponentpos(x,y) { (*(short *)&((x)->exp)) = \ |
1044 |
+ ((y) + EXTENDED_Ebias) & 0x7fff; } |
1045 |
+ #define exponent16(x) (*(short *)&((x)->exp)) |
1046 |
+-#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (y); } |
1047 |
++#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (u16)(y); } |
1048 |
+ #define addexponent(x,y) { (*(short *)&((x)->exp)) += (y); } |
1049 |
+ #define stdexp(x) { (*(short *)&((x)->exp)) += EXTENDED_Ebias; } |
1050 |
+ |
1051 |
+diff --git a/arch/x86/math-emu/reg_constant.c b/arch/x86/math-emu/reg_constant.c |
1052 |
+index 8dc9095bab22..742619e94bdf 100644 |
1053 |
+--- a/arch/x86/math-emu/reg_constant.c |
1054 |
++++ b/arch/x86/math-emu/reg_constant.c |
1055 |
+@@ -18,7 +18,7 @@ |
1056 |
+ #include "control_w.h" |
1057 |
+ |
1058 |
+ #define MAKE_REG(s, e, l, h) { l, h, \ |
1059 |
+- ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) } |
1060 |
++ (u16)((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) } |
1061 |
+ |
1062 |
+ FPU_REG const CONST_1 = MAKE_REG(POS, 0, 0x00000000, 0x80000000); |
1063 |
+ #if 0 |
1064 |
+diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c |
1065 |
+index 481d7920ea24..f79a0cdc6b4e 100644 |
1066 |
+--- a/arch/x86/xen/enlighten_pv.c |
1067 |
++++ b/arch/x86/xen/enlighten_pv.c |
1068 |
+@@ -598,12 +598,12 @@ struct trap_array_entry { |
1069 |
+ |
1070 |
+ static struct trap_array_entry trap_array[] = { |
1071 |
+ { debug, xen_xendebug, true }, |
1072 |
+- { int3, xen_xenint3, true }, |
1073 |
+ { double_fault, xen_double_fault, true }, |
1074 |
+ #ifdef CONFIG_X86_MCE |
1075 |
+ { machine_check, xen_machine_check, true }, |
1076 |
+ #endif |
1077 |
+ { nmi, xen_xennmi, true }, |
1078 |
++ { int3, xen_int3, false }, |
1079 |
+ { overflow, xen_overflow, false }, |
1080 |
+ #ifdef CONFIG_IA32_EMULATION |
1081 |
+ { entry_INT80_compat, xen_entry_INT80_compat, false }, |
1082 |
+diff --git a/arch/x86/xen/xen-asm_64.S b/arch/x86/xen/xen-asm_64.S |
1083 |
+index 417b339e5c8e..3a6feed76dfc 100644 |
1084 |
+--- a/arch/x86/xen/xen-asm_64.S |
1085 |
++++ b/arch/x86/xen/xen-asm_64.S |
1086 |
+@@ -30,7 +30,6 @@ xen_pv_trap divide_error |
1087 |
+ xen_pv_trap debug |
1088 |
+ xen_pv_trap xendebug |
1089 |
+ xen_pv_trap int3 |
1090 |
+-xen_pv_trap xenint3 |
1091 |
+ xen_pv_trap xennmi |
1092 |
+ xen_pv_trap overflow |
1093 |
+ xen_pv_trap bounds |
1094 |
+diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c |
1095 |
+index 995c4d8922b1..761f0c19a451 100644 |
1096 |
+--- a/drivers/acpi/blacklist.c |
1097 |
++++ b/drivers/acpi/blacklist.c |
1098 |
+@@ -30,7 +30,9 @@ |
1099 |
+ |
1100 |
+ #include "internal.h" |
1101 |
+ |
1102 |
++#ifdef CONFIG_DMI |
1103 |
+ static const struct dmi_system_id acpi_rev_dmi_table[] __initconst; |
1104 |
++#endif |
1105 |
+ |
1106 |
+ /* |
1107 |
+ * POLICY: If *anything* doesn't work, put it on the blacklist. |
1108 |
+@@ -74,7 +76,9 @@ int __init acpi_blacklisted(void) |
1109 |
+ } |
1110 |
+ |
1111 |
+ (void)early_acpi_osi_init(); |
1112 |
++#ifdef CONFIG_DMI |
1113 |
+ dmi_check_system(acpi_rev_dmi_table); |
1114 |
++#endif |
1115 |
+ |
1116 |
+ return blacklisted; |
1117 |
+ } |
1118 |
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c |
1119 |
+index d32cd943dff2..b77e9281c039 100644 |
1120 |
+--- a/drivers/block/nbd.c |
1121 |
++++ b/drivers/block/nbd.c |
1122 |
+@@ -1207,7 +1207,7 @@ static void nbd_clear_sock_ioctl(struct nbd_device *nbd, |
1123 |
+ struct block_device *bdev) |
1124 |
+ { |
1125 |
+ sock_shutdown(nbd); |
1126 |
+- kill_bdev(bdev); |
1127 |
++ __invalidate_device(bdev, true); |
1128 |
+ nbd_bdev_reset(bdev); |
1129 |
+ if (test_and_clear_bit(NBD_HAS_CONFIG_REF, |
1130 |
+ &nbd->config->runtime_flags)) |
1131 |
+diff --git a/drivers/clk/tegra/clk-tegra210.c b/drivers/clk/tegra/clk-tegra210.c |
1132 |
+index b92867814e2d..cb2be154db3b 100644 |
1133 |
+--- a/drivers/clk/tegra/clk-tegra210.c |
1134 |
++++ b/drivers/clk/tegra/clk-tegra210.c |
1135 |
+@@ -2057,9 +2057,9 @@ static struct div_nmp pllu_nmp = { |
1136 |
+ }; |
1137 |
+ |
1138 |
+ static struct tegra_clk_pll_freq_table pll_u_freq_table[] = { |
1139 |
+- { 12000000, 480000000, 40, 1, 0, 0 }, |
1140 |
+- { 13000000, 480000000, 36, 1, 0, 0 }, /* actual: 468.0 MHz */ |
1141 |
+- { 38400000, 480000000, 25, 2, 0, 0 }, |
1142 |
++ { 12000000, 480000000, 40, 1, 1, 0 }, |
1143 |
++ { 13000000, 480000000, 36, 1, 1, 0 }, /* actual: 468.0 MHz */ |
1144 |
++ { 38400000, 480000000, 25, 2, 1, 0 }, |
1145 |
+ { 0, 0, 0, 0, 0, 0 }, |
1146 |
+ }; |
1147 |
+ |
1148 |
+@@ -2983,6 +2983,7 @@ static struct tegra_clk_init_table init_table[] __initdata = { |
1149 |
+ { TEGRA210_CLK_DFLL_REF, TEGRA210_CLK_PLL_P, 51000000, 1 }, |
1150 |
+ { TEGRA210_CLK_SBC4, TEGRA210_CLK_PLL_P, 12000000, 1 }, |
1151 |
+ { TEGRA210_CLK_PLL_RE_VCO, TEGRA210_CLK_CLK_MAX, 672000000, 1 }, |
1152 |
++ { TEGRA210_CLK_PLL_U_OUT1, TEGRA210_CLK_CLK_MAX, 48000000, 1 }, |
1153 |
+ { TEGRA210_CLK_XUSB_GATE, TEGRA210_CLK_CLK_MAX, 0, 1 }, |
1154 |
+ { TEGRA210_CLK_XUSB_SS_SRC, TEGRA210_CLK_PLL_U_480M, 120000000, 0 }, |
1155 |
+ { TEGRA210_CLK_XUSB_FS_SRC, TEGRA210_CLK_PLL_U_48M, 48000000, 0 }, |
1156 |
+@@ -3008,7 +3009,6 @@ static struct tegra_clk_init_table init_table[] __initdata = { |
1157 |
+ { TEGRA210_CLK_PLL_DP, TEGRA210_CLK_CLK_MAX, 270000000, 0 }, |
1158 |
+ { TEGRA210_CLK_SOC_THERM, TEGRA210_CLK_PLL_P, 51000000, 0 }, |
1159 |
+ { TEGRA210_CLK_CCLK_G, TEGRA210_CLK_CLK_MAX, 0, 1 }, |
1160 |
+- { TEGRA210_CLK_PLL_U_OUT1, TEGRA210_CLK_CLK_MAX, 48000000, 1 }, |
1161 |
+ { TEGRA210_CLK_PLL_U_OUT2, TEGRA210_CLK_CLK_MAX, 60000000, 1 }, |
1162 |
+ /* This MUST be the last entry. */ |
1163 |
+ { TEGRA210_CLK_CLK_MAX, TEGRA210_CLK_CLK_MAX, 0, 0 }, |
1164 |
+diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c |
1165 |
+index 77b126525dac..19c7433e8309 100644 |
1166 |
+--- a/drivers/dma/sh/rcar-dmac.c |
1167 |
++++ b/drivers/dma/sh/rcar-dmac.c |
1168 |
+@@ -1129,7 +1129,7 @@ rcar_dmac_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl, |
1169 |
+ struct rcar_dmac_chan *rchan = to_rcar_dmac_chan(chan); |
1170 |
+ |
1171 |
+ /* Someone calling slave DMA on a generic channel? */ |
1172 |
+- if (rchan->mid_rid < 0 || !sg_len) { |
1173 |
++ if (rchan->mid_rid < 0 || !sg_len || !sg_dma_len(sgl)) { |
1174 |
+ dev_warn(chan->device->dev, |
1175 |
+ "%s: bad parameter: len=%d, id=%d\n", |
1176 |
+ __func__, sg_len, rchan->mid_rid); |
1177 |
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c |
1178 |
+index 3db0a9b0d259..25351b6b1e34 100644 |
1179 |
+--- a/drivers/gpio/gpiolib.c |
1180 |
++++ b/drivers/gpio/gpiolib.c |
1181 |
+@@ -835,9 +835,11 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip) |
1182 |
+ } |
1183 |
+ |
1184 |
+ if (eflags & GPIOEVENT_REQUEST_RISING_EDGE) |
1185 |
+- irqflags |= IRQF_TRIGGER_RISING; |
1186 |
++ irqflags |= test_bit(FLAG_ACTIVE_LOW, &desc->flags) ? |
1187 |
++ IRQF_TRIGGER_FALLING : IRQF_TRIGGER_RISING; |
1188 |
+ if (eflags & GPIOEVENT_REQUEST_FALLING_EDGE) |
1189 |
+- irqflags |= IRQF_TRIGGER_FALLING; |
1190 |
++ irqflags |= test_bit(FLAG_ACTIVE_LOW, &desc->flags) ? |
1191 |
++ IRQF_TRIGGER_RISING : IRQF_TRIGGER_FALLING; |
1192 |
+ irqflags |= IRQF_ONESHOT; |
1193 |
+ irqflags |= IRQF_SHARED; |
1194 |
+ |
1195 |
+diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c |
1196 |
+index 2c6d19683688..4a7d50a96d36 100644 |
1197 |
+--- a/drivers/gpu/drm/nouveau/nouveau_connector.c |
1198 |
++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c |
1199 |
+@@ -251,7 +251,7 @@ nouveau_conn_reset(struct drm_connector *connector) |
1200 |
+ return; |
1201 |
+ |
1202 |
+ if (connector->state) |
1203 |
+- __drm_atomic_helper_connector_destroy_state(connector->state); |
1204 |
++ nouveau_conn_atomic_destroy_state(connector, connector->state); |
1205 |
+ __drm_atomic_helper_connector_reset(connector, &asyc->state); |
1206 |
+ asyc->dither.mode = DITHERING_MODE_AUTO; |
1207 |
+ asyc->dither.depth = DITHERING_DEPTH_AUTO; |
1208 |
+diff --git a/drivers/infiniband/hw/hfi1/chip.c b/drivers/infiniband/hw/hfi1/chip.c |
1209 |
+index 69a79fdfa23e..9dcdc0a8685e 100644 |
1210 |
+--- a/drivers/infiniband/hw/hfi1/chip.c |
1211 |
++++ b/drivers/infiniband/hw/hfi1/chip.c |
1212 |
+@@ -14566,7 +14566,7 @@ void hfi1_deinit_vnic_rsm(struct hfi1_devdata *dd) |
1213 |
+ clear_rcvctrl(dd, RCV_CTRL_RCV_RSM_ENABLE_SMASK); |
1214 |
+ } |
1215 |
+ |
1216 |
+-static void init_rxe(struct hfi1_devdata *dd) |
1217 |
++static int init_rxe(struct hfi1_devdata *dd) |
1218 |
+ { |
1219 |
+ struct rsm_map_table *rmt; |
1220 |
+ u64 val; |
1221 |
+@@ -14575,6 +14575,9 @@ static void init_rxe(struct hfi1_devdata *dd) |
1222 |
+ write_csr(dd, RCV_ERR_MASK, ~0ull); |
1223 |
+ |
1224 |
+ rmt = alloc_rsm_map_table(dd); |
1225 |
++ if (!rmt) |
1226 |
++ return -ENOMEM; |
1227 |
++ |
1228 |
+ /* set up QOS, including the QPN map table */ |
1229 |
+ init_qos(dd, rmt); |
1230 |
+ init_user_fecn_handling(dd, rmt); |
1231 |
+@@ -14599,6 +14602,7 @@ static void init_rxe(struct hfi1_devdata *dd) |
1232 |
+ val = read_csr(dd, RCV_BYPASS); |
1233 |
+ val |= (4ull << 16); |
1234 |
+ write_csr(dd, RCV_BYPASS, val); |
1235 |
++ return 0; |
1236 |
+ } |
1237 |
+ |
1238 |
+ static void init_other(struct hfi1_devdata *dd) |
1239 |
+@@ -15154,7 +15158,10 @@ struct hfi1_devdata *hfi1_init_dd(struct pci_dev *pdev, |
1240 |
+ goto bail_cleanup; |
1241 |
+ |
1242 |
+ /* set initial RXE CSRs */ |
1243 |
+- init_rxe(dd); |
1244 |
++ ret = init_rxe(dd); |
1245 |
++ if (ret) |
1246 |
++ goto bail_cleanup; |
1247 |
++ |
1248 |
+ /* set initial TXE CSRs */ |
1249 |
+ init_txe(dd); |
1250 |
+ /* set initial non-RXE, non-TXE CSRs */ |
1251 |
+diff --git a/drivers/infiniband/hw/hfi1/verbs.c b/drivers/infiniband/hw/hfi1/verbs.c |
1252 |
+index f4372afa0e81..ad78b471c112 100644 |
1253 |
+--- a/drivers/infiniband/hw/hfi1/verbs.c |
1254 |
++++ b/drivers/infiniband/hw/hfi1/verbs.c |
1255 |
+@@ -54,6 +54,7 @@ |
1256 |
+ #include <linux/mm.h> |
1257 |
+ #include <linux/vmalloc.h> |
1258 |
+ #include <rdma/opa_addr.h> |
1259 |
++#include <linux/nospec.h> |
1260 |
+ |
1261 |
+ #include "hfi.h" |
1262 |
+ #include "common.h" |
1263 |
+@@ -1587,6 +1588,7 @@ static int hfi1_check_ah(struct ib_device *ibdev, struct rdma_ah_attr *ah_attr) |
1264 |
+ sl = rdma_ah_get_sl(ah_attr); |
1265 |
+ if (sl >= ARRAY_SIZE(ibp->sl_to_sc)) |
1266 |
+ return -EINVAL; |
1267 |
++ sl = array_index_nospec(sl, ARRAY_SIZE(ibp->sl_to_sc)); |
1268 |
+ |
1269 |
+ sc5 = ibp->sl_to_sc[sl]; |
1270 |
+ if (sc_to_vlt(dd, sc5) > num_vls && sc_to_vlt(dd, sc5) != 0xf) |
1271 |
+diff --git a/drivers/infiniband/hw/mlx5/mlx5_ib.h b/drivers/infiniband/hw/mlx5/mlx5_ib.h |
1272 |
+index 754103372faa..89c7e391a834 100644 |
1273 |
+--- a/drivers/infiniband/hw/mlx5/mlx5_ib.h |
1274 |
++++ b/drivers/infiniband/hw/mlx5/mlx5_ib.h |
1275 |
+@@ -427,6 +427,7 @@ struct mlx5_umr_wr { |
1276 |
+ u64 length; |
1277 |
+ int access_flags; |
1278 |
+ u32 mkey; |
1279 |
++ u8 ignore_free_state:1; |
1280 |
+ }; |
1281 |
+ |
1282 |
+ static inline struct mlx5_umr_wr *umr_wr(struct ib_send_wr *wr) |
1283 |
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c |
1284 |
+index e88bb71056cd..cfddca850cb4 100644 |
1285 |
+--- a/drivers/infiniband/hw/mlx5/mr.c |
1286 |
++++ b/drivers/infiniband/hw/mlx5/mr.c |
1287 |
+@@ -538,14 +538,17 @@ void mlx5_mr_cache_free(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr) |
1288 |
+ int c; |
1289 |
+ |
1290 |
+ c = order2idx(dev, mr->order); |
1291 |
+- if (c < 0 || c >= MAX_MR_CACHE_ENTRIES) { |
1292 |
+- mlx5_ib_warn(dev, "order %d, cache index %d\n", mr->order, c); |
1293 |
++ WARN_ON(c < 0 || c >= MAX_MR_CACHE_ENTRIES); |
1294 |
++ |
1295 |
++ if (unreg_umr(dev, mr)) { |
1296 |
++ mr->allocated_from_cache = false; |
1297 |
++ destroy_mkey(dev, mr); |
1298 |
++ ent = &cache->ent[c]; |
1299 |
++ if (ent->cur < ent->limit) |
1300 |
++ queue_work(cache->wq, &ent->work); |
1301 |
+ return; |
1302 |
+ } |
1303 |
+ |
1304 |
+- if (unreg_umr(dev, mr)) |
1305 |
+- return; |
1306 |
+- |
1307 |
+ ent = &cache->ent[c]; |
1308 |
+ spin_lock_irq(&ent->lock); |
1309 |
+ list_add_tail(&mr->list, &ent->head); |
1310 |
+@@ -1303,9 +1306,11 @@ static int unreg_umr(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr) |
1311 |
+ return 0; |
1312 |
+ |
1313 |
+ umrwr.wr.send_flags = MLX5_IB_SEND_UMR_DISABLE_MR | |
1314 |
+- MLX5_IB_SEND_UMR_FAIL_IF_FREE; |
1315 |
++ MLX5_IB_SEND_UMR_UPDATE_PD_ACCESS; |
1316 |
+ umrwr.wr.opcode = MLX5_IB_WR_UMR; |
1317 |
++ umrwr.pd = dev->umrc.pd; |
1318 |
+ umrwr.mkey = mr->mmkey.key; |
1319 |
++ umrwr.ignore_free_state = 1; |
1320 |
+ |
1321 |
+ return mlx5_ib_post_send_wait(dev, &umrwr); |
1322 |
+ } |
1323 |
+diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c |
1324 |
+index 964c3a0bbf16..5a7dcb5afe6e 100644 |
1325 |
+--- a/drivers/infiniband/hw/mlx5/qp.c |
1326 |
++++ b/drivers/infiniband/hw/mlx5/qp.c |
1327 |
+@@ -1425,7 +1425,6 @@ static int create_rss_raw_qp_tir(struct mlx5_ib_dev *dev, struct mlx5_ib_qp *qp, |
1328 |
+ } |
1329 |
+ |
1330 |
+ MLX5_SET(tirc, tirc, rx_hash_fn, MLX5_RX_HASH_FN_TOEPLITZ); |
1331 |
+- MLX5_SET(tirc, tirc, rx_hash_symmetric, 1); |
1332 |
+ memcpy(rss_key, ucmd.rx_hash_key, len); |
1333 |
+ break; |
1334 |
+ } |
1335 |
+@@ -3265,10 +3264,14 @@ static void set_reg_umr_segment(struct mlx5_wqe_umr_ctrl_seg *umr, |
1336 |
+ |
1337 |
+ memset(umr, 0, sizeof(*umr)); |
1338 |
+ |
1339 |
+- if (wr->send_flags & MLX5_IB_SEND_UMR_FAIL_IF_FREE) |
1340 |
+- umr->flags = MLX5_UMR_CHECK_FREE; /* fail if free */ |
1341 |
+- else |
1342 |
+- umr->flags = MLX5_UMR_CHECK_NOT_FREE; /* fail if not free */ |
1343 |
++ if (!umrwr->ignore_free_state) { |
1344 |
++ if (wr->send_flags & MLX5_IB_SEND_UMR_FAIL_IF_FREE) |
1345 |
++ /* fail if free */ |
1346 |
++ umr->flags = MLX5_UMR_CHECK_FREE; |
1347 |
++ else |
1348 |
++ /* fail if not free */ |
1349 |
++ umr->flags = MLX5_UMR_CHECK_NOT_FREE; |
1350 |
++ } |
1351 |
+ |
1352 |
+ umr->xlt_octowords = cpu_to_be16(get_xlt_octo(umrwr->xlt_size)); |
1353 |
+ if (wr->send_flags & MLX5_IB_SEND_UMR_UPDATE_XLT) { |
1354 |
+diff --git a/drivers/misc/eeprom/at24.c b/drivers/misc/eeprom/at24.c |
1355 |
+index 6b58ee2e2a25..f8cfcd063649 100644 |
1356 |
+--- a/drivers/misc/eeprom/at24.c |
1357 |
++++ b/drivers/misc/eeprom/at24.c |
1358 |
+@@ -834,7 +834,7 @@ static int at24_probe(struct i2c_client *client, const struct i2c_device_id *id) |
1359 |
+ at24->nvmem_config.name = dev_name(&client->dev); |
1360 |
+ at24->nvmem_config.dev = &client->dev; |
1361 |
+ at24->nvmem_config.read_only = !writable; |
1362 |
+- at24->nvmem_config.root_only = true; |
1363 |
++ at24->nvmem_config.root_only = !(chip.flags & AT24_FLAG_IRUGO); |
1364 |
+ at24->nvmem_config.owner = THIS_MODULE; |
1365 |
+ at24->nvmem_config.compat = true; |
1366 |
+ at24->nvmem_config.base_dev = &client->dev; |
1367 |
+diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c |
1368 |
+index 5252885e5cda..32001d43e453 100644 |
1369 |
+--- a/drivers/mmc/host/dw_mmc.c |
1370 |
++++ b/drivers/mmc/host/dw_mmc.c |
1371 |
+@@ -2046,8 +2046,7 @@ static void dw_mci_tasklet_func(unsigned long priv) |
1372 |
+ * delayed. Allowing the transfer to take place |
1373 |
+ * avoids races and keeps things simple. |
1374 |
+ */ |
1375 |
+- if ((err != -ETIMEDOUT) && |
1376 |
+- (cmd->opcode == MMC_SEND_TUNING_BLOCK)) { |
1377 |
++ if (err != -ETIMEDOUT) { |
1378 |
+ state = STATE_SENDING_DATA; |
1379 |
+ continue; |
1380 |
+ } |
1381 |
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c |
1382 |
+index 39f399741647..cabeb1790db7 100644 |
1383 |
+--- a/drivers/net/ethernet/emulex/benet/be_main.c |
1384 |
++++ b/drivers/net/ethernet/emulex/benet/be_main.c |
1385 |
+@@ -4600,8 +4600,12 @@ int be_update_queues(struct be_adapter *adapter) |
1386 |
+ struct net_device *netdev = adapter->netdev; |
1387 |
+ int status; |
1388 |
+ |
1389 |
+- if (netif_running(netdev)) |
1390 |
++ if (netif_running(netdev)) { |
1391 |
++ /* device cannot transmit now, avoid dev_watchdog timeouts */ |
1392 |
++ netif_carrier_off(netdev); |
1393 |
++ |
1394 |
+ be_close(netdev); |
1395 |
++ } |
1396 |
+ |
1397 |
+ be_cancel_worker(adapter); |
1398 |
+ |
1399 |
+diff --git a/drivers/perf/arm_pmu.c b/drivers/perf/arm_pmu.c |
1400 |
+index 5e06917b4cef..22e365fa440c 100644 |
1401 |
+--- a/drivers/perf/arm_pmu.c |
1402 |
++++ b/drivers/perf/arm_pmu.c |
1403 |
+@@ -751,8 +751,8 @@ static int cpu_pm_pmu_notify(struct notifier_block *b, unsigned long cmd, |
1404 |
+ cpu_pm_pmu_setup(armpmu, cmd); |
1405 |
+ break; |
1406 |
+ case CPU_PM_EXIT: |
1407 |
+- cpu_pm_pmu_setup(armpmu, cmd); |
1408 |
+ case CPU_PM_ENTER_FAILED: |
1409 |
++ cpu_pm_pmu_setup(armpmu, cmd); |
1410 |
+ armpmu->start(armpmu); |
1411 |
+ break; |
1412 |
+ default: |
1413 |
+diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c |
1414 |
+index 76afe1449cab..ecd71efe8ea0 100644 |
1415 |
+--- a/drivers/rapidio/devices/rio_mport_cdev.c |
1416 |
++++ b/drivers/rapidio/devices/rio_mport_cdev.c |
1417 |
+@@ -1742,6 +1742,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv, |
1418 |
+ |
1419 |
+ if (copy_from_user(&dev_info, arg, sizeof(dev_info))) |
1420 |
+ return -EFAULT; |
1421 |
++ dev_info.name[sizeof(dev_info.name) - 1] = '\0'; |
1422 |
+ |
1423 |
+ rmcd_debug(RDEV, "name:%s ct:0x%x did:0x%x hc:0x%x", dev_info.name, |
1424 |
+ dev_info.comptag, dev_info.destid, dev_info.hopcount); |
1425 |
+@@ -1873,6 +1874,7 @@ static int rio_mport_del_riodev(struct mport_cdev_priv *priv, void __user *arg) |
1426 |
+ |
1427 |
+ if (copy_from_user(&dev_info, arg, sizeof(dev_info))) |
1428 |
+ return -EFAULT; |
1429 |
++ dev_info.name[sizeof(dev_info.name) - 1] = '\0'; |
1430 |
+ |
1431 |
+ mport = priv->md->mport; |
1432 |
+ |
1433 |
+diff --git a/drivers/s390/block/dasd_alias.c b/drivers/s390/block/dasd_alias.c |
1434 |
+index 5e963fe0e38d..fd1dff2bed21 100644 |
1435 |
+--- a/drivers/s390/block/dasd_alias.c |
1436 |
++++ b/drivers/s390/block/dasd_alias.c |
1437 |
+@@ -383,6 +383,20 @@ suborder_not_supported(struct dasd_ccw_req *cqr) |
1438 |
+ char msg_format; |
1439 |
+ char msg_no; |
1440 |
+ |
1441 |
++ /* |
1442 |
++ * intrc values ENODEV, ENOLINK and EPERM |
1443 |
++ * will be optained from sleep_on to indicate that no |
1444 |
++ * IO operation can be started |
1445 |
++ */ |
1446 |
++ if (cqr->intrc == -ENODEV) |
1447 |
++ return 1; |
1448 |
++ |
1449 |
++ if (cqr->intrc == -ENOLINK) |
1450 |
++ return 1; |
1451 |
++ |
1452 |
++ if (cqr->intrc == -EPERM) |
1453 |
++ return 1; |
1454 |
++ |
1455 |
+ sense = dasd_get_sense(&cqr->irb); |
1456 |
+ if (!sense) |
1457 |
+ return 0; |
1458 |
+@@ -447,12 +461,8 @@ static int read_unit_address_configuration(struct dasd_device *device, |
1459 |
+ lcu->flags &= ~NEED_UAC_UPDATE; |
1460 |
+ spin_unlock_irqrestore(&lcu->lock, flags); |
1461 |
+ |
1462 |
+- do { |
1463 |
+- rc = dasd_sleep_on(cqr); |
1464 |
+- if (rc && suborder_not_supported(cqr)) |
1465 |
+- return -EOPNOTSUPP; |
1466 |
+- } while (rc && (cqr->retries > 0)); |
1467 |
+- if (rc) { |
1468 |
++ rc = dasd_sleep_on(cqr); |
1469 |
++ if (rc && !suborder_not_supported(cqr)) { |
1470 |
+ spin_lock_irqsave(&lcu->lock, flags); |
1471 |
+ lcu->flags |= NEED_UAC_UPDATE; |
1472 |
+ spin_unlock_irqrestore(&lcu->lock, flags); |
1473 |
+diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c |
1474 |
+index 6d5065f679ac..64d70de98cdb 100644 |
1475 |
+--- a/drivers/s390/scsi/zfcp_erp.c |
1476 |
++++ b/drivers/s390/scsi/zfcp_erp.c |
1477 |
+@@ -11,6 +11,7 @@ |
1478 |
+ #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt |
1479 |
+ |
1480 |
+ #include <linux/kthread.h> |
1481 |
++#include <linux/bug.h> |
1482 |
+ #include "zfcp_ext.h" |
1483 |
+ #include "zfcp_reqlist.h" |
1484 |
+ |
1485 |
+@@ -245,6 +246,12 @@ static struct zfcp_erp_action *zfcp_erp_setup_act(int need, u32 act_status, |
1486 |
+ struct zfcp_erp_action *erp_action; |
1487 |
+ struct zfcp_scsi_dev *zfcp_sdev; |
1488 |
+ |
1489 |
++ if (WARN_ON_ONCE(need != ZFCP_ERP_ACTION_REOPEN_LUN && |
1490 |
++ need != ZFCP_ERP_ACTION_REOPEN_PORT && |
1491 |
++ need != ZFCP_ERP_ACTION_REOPEN_PORT_FORCED && |
1492 |
++ need != ZFCP_ERP_ACTION_REOPEN_ADAPTER)) |
1493 |
++ return NULL; |
1494 |
++ |
1495 |
+ switch (need) { |
1496 |
+ case ZFCP_ERP_ACTION_REOPEN_LUN: |
1497 |
+ zfcp_sdev = sdev_to_zfcp(sdev); |
1498 |
+diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c |
1499 |
+index 95dbee89b758..021b5e7f4b7a 100644 |
1500 |
+--- a/drivers/xen/swiotlb-xen.c |
1501 |
++++ b/drivers/xen/swiotlb-xen.c |
1502 |
+@@ -371,8 +371,8 @@ xen_swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr, |
1503 |
+ /* Convert the size to actually allocated. */ |
1504 |
+ size = 1UL << (order + XEN_PAGE_SHIFT); |
1505 |
+ |
1506 |
+- if (((dev_addr + size - 1 <= dma_mask)) || |
1507 |
+- range_straddles_page_boundary(phys, size)) |
1508 |
++ if (!WARN_ON((dev_addr + size - 1 > dma_mask) || |
1509 |
++ range_straddles_page_boundary(phys, size))) |
1510 |
+ xen_destroy_contiguous_region(phys, order); |
1511 |
+ |
1512 |
+ xen_free_coherent_pages(hwdev, size, vaddr, (dma_addr_t)phys, attrs); |
1513 |
+diff --git a/fs/adfs/super.c b/fs/adfs/super.c |
1514 |
+index c9fdfb112933..e42c30001509 100644 |
1515 |
+--- a/fs/adfs/super.c |
1516 |
++++ b/fs/adfs/super.c |
1517 |
+@@ -368,6 +368,7 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent) |
1518 |
+ struct buffer_head *bh; |
1519 |
+ struct object_info root_obj; |
1520 |
+ unsigned char *b_data; |
1521 |
++ unsigned int blocksize; |
1522 |
+ struct adfs_sb_info *asb; |
1523 |
+ struct inode *root; |
1524 |
+ int ret = -EINVAL; |
1525 |
+@@ -419,8 +420,10 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent) |
1526 |
+ goto error_free_bh; |
1527 |
+ } |
1528 |
+ |
1529 |
++ blocksize = 1 << dr->log2secsize; |
1530 |
+ brelse(bh); |
1531 |
+- if (sb_set_blocksize(sb, 1 << dr->log2secsize)) { |
1532 |
++ |
1533 |
++ if (sb_set_blocksize(sb, blocksize)) { |
1534 |
+ bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize); |
1535 |
+ if (!bh) { |
1536 |
+ adfs_error(sb, "couldn't read superblock on " |
1537 |
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c |
1538 |
+index 14c4062a6e58..a5905f97b3db 100644 |
1539 |
+--- a/fs/btrfs/send.c |
1540 |
++++ b/fs/btrfs/send.c |
1541 |
+@@ -6130,68 +6130,21 @@ static int changed_extent(struct send_ctx *sctx, |
1542 |
+ { |
1543 |
+ int ret = 0; |
1544 |
+ |
1545 |
+- if (sctx->cur_ino != sctx->cmp_key->objectid) { |
1546 |
+- |
1547 |
+- if (result == BTRFS_COMPARE_TREE_CHANGED) { |
1548 |
+- struct extent_buffer *leaf_l; |
1549 |
+- struct extent_buffer *leaf_r; |
1550 |
+- struct btrfs_file_extent_item *ei_l; |
1551 |
+- struct btrfs_file_extent_item *ei_r; |
1552 |
+- |
1553 |
+- leaf_l = sctx->left_path->nodes[0]; |
1554 |
+- leaf_r = sctx->right_path->nodes[0]; |
1555 |
+- ei_l = btrfs_item_ptr(leaf_l, |
1556 |
+- sctx->left_path->slots[0], |
1557 |
+- struct btrfs_file_extent_item); |
1558 |
+- ei_r = btrfs_item_ptr(leaf_r, |
1559 |
+- sctx->right_path->slots[0], |
1560 |
+- struct btrfs_file_extent_item); |
1561 |
+- |
1562 |
+- /* |
1563 |
+- * We may have found an extent item that has changed |
1564 |
+- * only its disk_bytenr field and the corresponding |
1565 |
+- * inode item was not updated. This case happens due to |
1566 |
+- * very specific timings during relocation when a leaf |
1567 |
+- * that contains file extent items is COWed while |
1568 |
+- * relocation is ongoing and its in the stage where it |
1569 |
+- * updates data pointers. So when this happens we can |
1570 |
+- * safely ignore it since we know it's the same extent, |
1571 |
+- * but just at different logical and physical locations |
1572 |
+- * (when an extent is fully replaced with a new one, we |
1573 |
+- * know the generation number must have changed too, |
1574 |
+- * since snapshot creation implies committing the current |
1575 |
+- * transaction, and the inode item must have been updated |
1576 |
+- * as well). |
1577 |
+- * This replacement of the disk_bytenr happens at |
1578 |
+- * relocation.c:replace_file_extents() through |
1579 |
+- * relocation.c:btrfs_reloc_cow_block(). |
1580 |
+- */ |
1581 |
+- if (btrfs_file_extent_generation(leaf_l, ei_l) == |
1582 |
+- btrfs_file_extent_generation(leaf_r, ei_r) && |
1583 |
+- btrfs_file_extent_ram_bytes(leaf_l, ei_l) == |
1584 |
+- btrfs_file_extent_ram_bytes(leaf_r, ei_r) && |
1585 |
+- btrfs_file_extent_compression(leaf_l, ei_l) == |
1586 |
+- btrfs_file_extent_compression(leaf_r, ei_r) && |
1587 |
+- btrfs_file_extent_encryption(leaf_l, ei_l) == |
1588 |
+- btrfs_file_extent_encryption(leaf_r, ei_r) && |
1589 |
+- btrfs_file_extent_other_encoding(leaf_l, ei_l) == |
1590 |
+- btrfs_file_extent_other_encoding(leaf_r, ei_r) && |
1591 |
+- btrfs_file_extent_type(leaf_l, ei_l) == |
1592 |
+- btrfs_file_extent_type(leaf_r, ei_r) && |
1593 |
+- btrfs_file_extent_disk_bytenr(leaf_l, ei_l) != |
1594 |
+- btrfs_file_extent_disk_bytenr(leaf_r, ei_r) && |
1595 |
+- btrfs_file_extent_disk_num_bytes(leaf_l, ei_l) == |
1596 |
+- btrfs_file_extent_disk_num_bytes(leaf_r, ei_r) && |
1597 |
+- btrfs_file_extent_offset(leaf_l, ei_l) == |
1598 |
+- btrfs_file_extent_offset(leaf_r, ei_r) && |
1599 |
+- btrfs_file_extent_num_bytes(leaf_l, ei_l) == |
1600 |
+- btrfs_file_extent_num_bytes(leaf_r, ei_r)) |
1601 |
+- return 0; |
1602 |
+- } |
1603 |
+- |
1604 |
+- inconsistent_snapshot_error(sctx, result, "extent"); |
1605 |
+- return -EIO; |
1606 |
+- } |
1607 |
++ /* |
1608 |
++ * We have found an extent item that changed without the inode item |
1609 |
++ * having changed. This can happen either after relocation (where the |
1610 |
++ * disk_bytenr of an extent item is replaced at |
1611 |
++ * relocation.c:replace_file_extents()) or after deduplication into a |
1612 |
++ * file in both the parent and send snapshots (where an extent item can |
1613 |
++ * get modified or replaced with a new one). Note that deduplication |
1614 |
++ * updates the inode item, but it only changes the iversion (sequence |
1615 |
++ * field in the inode item) of the inode, so if a file is deduplicated |
1616 |
++ * the same amount of times in both the parent and send snapshots, its |
1617 |
++ * iversion becames the same in both snapshots, whence the inode item is |
1618 |
++ * the same on both snapshots. |
1619 |
++ */ |
1620 |
++ if (sctx->cur_ino != sctx->cmp_key->objectid) |
1621 |
++ return 0; |
1622 |
+ |
1623 |
+ if (!sctx->cur_inode_new_gen && !sctx->cur_inode_deleted) { |
1624 |
+ if (result != BTRFS_COMPARE_TREE_DELETED) |
1625 |
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c |
1626 |
+index 73c1fbca0c35..fa8f56e6f665 100644 |
1627 |
+--- a/fs/btrfs/transaction.c |
1628 |
++++ b/fs/btrfs/transaction.c |
1629 |
+@@ -2052,6 +2052,16 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) |
1630 |
+ } |
1631 |
+ } else { |
1632 |
+ spin_unlock(&fs_info->trans_lock); |
1633 |
++ /* |
1634 |
++ * The previous transaction was aborted and was already removed |
1635 |
++ * from the list of transactions at fs_info->trans_list. So we |
1636 |
++ * abort to prevent writing a new superblock that reflects a |
1637 |
++ * corrupt state (pointing to trees with unwritten nodes/leafs). |
1638 |
++ */ |
1639 |
++ if (test_bit(BTRFS_FS_STATE_TRANS_ABORTED, &fs_info->fs_state)) { |
1640 |
++ ret = -EROFS; |
1641 |
++ goto cleanup_transaction; |
1642 |
++ } |
1643 |
+ } |
1644 |
+ |
1645 |
+ extwriter_counter_dec(cur_trans, trans->type); |
1646 |
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c |
1647 |
+index 85294fef1051..358e930df4ac 100644 |
1648 |
+--- a/fs/btrfs/volumes.c |
1649 |
++++ b/fs/btrfs/volumes.c |
1650 |
+@@ -5019,8 +5019,7 @@ static inline int btrfs_chunk_max_errors(struct map_lookup *map) |
1651 |
+ |
1652 |
+ if (map->type & (BTRFS_BLOCK_GROUP_RAID1 | |
1653 |
+ BTRFS_BLOCK_GROUP_RAID10 | |
1654 |
+- BTRFS_BLOCK_GROUP_RAID5 | |
1655 |
+- BTRFS_BLOCK_GROUP_DUP)) { |
1656 |
++ BTRFS_BLOCK_GROUP_RAID5)) { |
1657 |
+ max_errors = 1; |
1658 |
+ } else if (map->type & BTRFS_BLOCK_GROUP_RAID6) { |
1659 |
+ max_errors = 2; |
1660 |
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h |
1661 |
+index 3e27a28aa44a..60b70f0985f6 100644 |
1662 |
+--- a/fs/ceph/super.h |
1663 |
++++ b/fs/ceph/super.h |
1664 |
+@@ -517,7 +517,12 @@ static inline void __ceph_dir_set_complete(struct ceph_inode_info *ci, |
1665 |
+ long long release_count, |
1666 |
+ long long ordered_count) |
1667 |
+ { |
1668 |
+- smp_mb__before_atomic(); |
1669 |
++ /* |
1670 |
++ * Makes sure operations that setup readdir cache (update page |
1671 |
++ * cache and i_size) are strongly ordered w.r.t. the following |
1672 |
++ * atomic64_set() operations. |
1673 |
++ */ |
1674 |
++ smp_mb(); |
1675 |
+ atomic64_set(&ci->i_complete_seq[0], release_count); |
1676 |
+ atomic64_set(&ci->i_complete_seq[1], ordered_count); |
1677 |
+ } |
1678 |
+diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c |
1679 |
+index e1c4e0b12b4c..0376db8a74f8 100644 |
1680 |
+--- a/fs/ceph/xattr.c |
1681 |
++++ b/fs/ceph/xattr.c |
1682 |
+@@ -75,7 +75,7 @@ static size_t ceph_vxattrcb_layout(struct ceph_inode_info *ci, char *val, |
1683 |
+ const char *ns_field = " pool_namespace="; |
1684 |
+ char buf[128]; |
1685 |
+ size_t len, total_len = 0; |
1686 |
+- int ret; |
1687 |
++ ssize_t ret; |
1688 |
+ |
1689 |
+ pool_ns = ceph_try_get_string(ci->i_layout.pool_ns); |
1690 |
+ |
1691 |
+@@ -99,11 +99,8 @@ static size_t ceph_vxattrcb_layout(struct ceph_inode_info *ci, char *val, |
1692 |
+ if (pool_ns) |
1693 |
+ total_len += strlen(ns_field) + pool_ns->len; |
1694 |
+ |
1695 |
+- if (!size) { |
1696 |
+- ret = total_len; |
1697 |
+- } else if (total_len > size) { |
1698 |
+- ret = -ERANGE; |
1699 |
+- } else { |
1700 |
++ ret = total_len; |
1701 |
++ if (size >= total_len) { |
1702 |
+ memcpy(val, buf, len); |
1703 |
+ ret = len; |
1704 |
+ if (pool_name) { |
1705 |
+@@ -761,8 +758,11 @@ ssize_t __ceph_getxattr(struct inode *inode, const char *name, void *value, |
1706 |
+ if (err) |
1707 |
+ return err; |
1708 |
+ err = -ENODATA; |
1709 |
+- if (!(vxattr->exists_cb && !vxattr->exists_cb(ci))) |
1710 |
++ if (!(vxattr->exists_cb && !vxattr->exists_cb(ci))) { |
1711 |
+ err = vxattr->getxattr_cb(ci, value, size); |
1712 |
++ if (size && size < err) |
1713 |
++ err = -ERANGE; |
1714 |
++ } |
1715 |
+ return err; |
1716 |
+ } |
1717 |
+ |
1718 |
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c |
1719 |
+index 33cd844579ae..57c62ff4e8d6 100644 |
1720 |
+--- a/fs/cifs/connect.c |
1721 |
++++ b/fs/cifs/connect.c |
1722 |
+@@ -554,10 +554,10 @@ static bool |
1723 |
+ server_unresponsive(struct TCP_Server_Info *server) |
1724 |
+ { |
1725 |
+ /* |
1726 |
+- * We need to wait 2 echo intervals to make sure we handle such |
1727 |
++ * We need to wait 3 echo intervals to make sure we handle such |
1728 |
+ * situations right: |
1729 |
+ * 1s client sends a normal SMB request |
1730 |
+- * 2s client gets a response |
1731 |
++ * 3s client gets a response |
1732 |
+ * 30s echo workqueue job pops, and decides we got a response recently |
1733 |
+ * and don't need to send another |
1734 |
+ * ... |
1735 |
+@@ -566,9 +566,9 @@ server_unresponsive(struct TCP_Server_Info *server) |
1736 |
+ */ |
1737 |
+ if ((server->tcpStatus == CifsGood || |
1738 |
+ server->tcpStatus == CifsNeedNegotiate) && |
1739 |
+- time_after(jiffies, server->lstrp + 2 * server->echo_interval)) { |
1740 |
++ time_after(jiffies, server->lstrp + 3 * server->echo_interval)) { |
1741 |
+ cifs_dbg(VFS, "Server %s has not responded in %lu seconds. Reconnecting...\n", |
1742 |
+- server->hostname, (2 * server->echo_interval) / HZ); |
1743 |
++ server->hostname, (3 * server->echo_interval) / HZ); |
1744 |
+ cifs_reconnect(server); |
1745 |
+ wake_up(&server->response_q); |
1746 |
+ return true; |
1747 |
+diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c |
1748 |
+index f40e3953e7fe..a6d9e841a375 100644 |
1749 |
+--- a/fs/coda/psdev.c |
1750 |
++++ b/fs/coda/psdev.c |
1751 |
+@@ -187,8 +187,11 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf, |
1752 |
+ if (req->uc_opcode == CODA_OPEN_BY_FD) { |
1753 |
+ struct coda_open_by_fd_out *outp = |
1754 |
+ (struct coda_open_by_fd_out *)req->uc_data; |
1755 |
+- if (!outp->oh.result) |
1756 |
++ if (!outp->oh.result) { |
1757 |
+ outp->fh = fget(outp->fd); |
1758 |
++ if (!outp->fh) |
1759 |
++ return -EBADF; |
1760 |
++ } |
1761 |
+ } |
1762 |
+ |
1763 |
+ wake_up(&req->uc_sleep); |
1764 |
+diff --git a/include/linux/acpi.h b/include/linux/acpi.h |
1765 |
+index 13c105121a18..d7a9700b9333 100644 |
1766 |
+--- a/include/linux/acpi.h |
1767 |
++++ b/include/linux/acpi.h |
1768 |
+@@ -324,7 +324,10 @@ void acpi_set_irq_model(enum acpi_irq_model_id model, |
1769 |
+ #ifdef CONFIG_X86_IO_APIC |
1770 |
+ extern int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity); |
1771 |
+ #else |
1772 |
+-#define acpi_get_override_irq(gsi, trigger, polarity) (-1) |
1773 |
++static inline int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity) |
1774 |
++{ |
1775 |
++ return -1; |
1776 |
++} |
1777 |
+ #endif |
1778 |
+ /* |
1779 |
+ * This function undoes the effect of one call to acpi_register_gsi(). |
1780 |
+diff --git a/include/linux/coda.h b/include/linux/coda.h |
1781 |
+index d30209b9cef8..0ca0c83fdb1c 100644 |
1782 |
+--- a/include/linux/coda.h |
1783 |
++++ b/include/linux/coda.h |
1784 |
+@@ -58,8 +58,7 @@ Mellon the rights to redistribute these changes without encumbrance. |
1785 |
+ #ifndef _CODA_HEADER_ |
1786 |
+ #define _CODA_HEADER_ |
1787 |
+ |
1788 |
+-#if defined(__linux__) |
1789 |
+ typedef unsigned long long u_quad_t; |
1790 |
+-#endif |
1791 |
++ |
1792 |
+ #include <uapi/linux/coda.h> |
1793 |
+ #endif |
1794 |
+diff --git a/include/linux/coda_psdev.h b/include/linux/coda_psdev.h |
1795 |
+index 15170954aa2b..57d2b2faf6a3 100644 |
1796 |
+--- a/include/linux/coda_psdev.h |
1797 |
++++ b/include/linux/coda_psdev.h |
1798 |
+@@ -19,6 +19,17 @@ struct venus_comm { |
1799 |
+ struct mutex vc_mutex; |
1800 |
+ }; |
1801 |
+ |
1802 |
++/* messages between coda filesystem in kernel and Venus */ |
1803 |
++struct upc_req { |
1804 |
++ struct list_head uc_chain; |
1805 |
++ caddr_t uc_data; |
1806 |
++ u_short uc_flags; |
1807 |
++ u_short uc_inSize; /* Size is at most 5000 bytes */ |
1808 |
++ u_short uc_outSize; |
1809 |
++ u_short uc_opcode; /* copied from data to save lookup */ |
1810 |
++ int uc_unique; |
1811 |
++ wait_queue_head_t uc_sleep; /* process' wait queue */ |
1812 |
++}; |
1813 |
+ |
1814 |
+ static inline struct venus_comm *coda_vcp(struct super_block *sb) |
1815 |
+ { |
1816 |
+diff --git a/include/uapi/linux/coda_psdev.h b/include/uapi/linux/coda_psdev.h |
1817 |
+index aa6623efd2dd..d50d51a57fe4 100644 |
1818 |
+--- a/include/uapi/linux/coda_psdev.h |
1819 |
++++ b/include/uapi/linux/coda_psdev.h |
1820 |
+@@ -7,19 +7,6 @@ |
1821 |
+ #define CODA_PSDEV_MAJOR 67 |
1822 |
+ #define MAX_CODADEVS 5 /* how many do we allow */ |
1823 |
+ |
1824 |
+- |
1825 |
+-/* messages between coda filesystem in kernel and Venus */ |
1826 |
+-struct upc_req { |
1827 |
+- struct list_head uc_chain; |
1828 |
+- caddr_t uc_data; |
1829 |
+- u_short uc_flags; |
1830 |
+- u_short uc_inSize; /* Size is at most 5000 bytes */ |
1831 |
+- u_short uc_outSize; |
1832 |
+- u_short uc_opcode; /* copied from data to save lookup */ |
1833 |
+- int uc_unique; |
1834 |
+- wait_queue_head_t uc_sleep; /* process' wait queue */ |
1835 |
+-}; |
1836 |
+- |
1837 |
+ #define CODA_REQ_ASYNC 0x1 |
1838 |
+ #define CODA_REQ_READ 0x2 |
1839 |
+ #define CODA_REQ_WRITE 0x4 |
1840 |
+diff --git a/ipc/mqueue.c b/ipc/mqueue.c |
1841 |
+index 5c0ae912f2f2..dccd4ecb786a 100644 |
1842 |
+--- a/ipc/mqueue.c |
1843 |
++++ b/ipc/mqueue.c |
1844 |
+@@ -372,7 +372,6 @@ static void mqueue_evict_inode(struct inode *inode) |
1845 |
+ { |
1846 |
+ struct mqueue_inode_info *info; |
1847 |
+ struct user_struct *user; |
1848 |
+- unsigned long mq_bytes, mq_treesize; |
1849 |
+ struct ipc_namespace *ipc_ns; |
1850 |
+ struct msg_msg *msg, *nmsg; |
1851 |
+ LIST_HEAD(tmp_msg); |
1852 |
+@@ -395,16 +394,18 @@ static void mqueue_evict_inode(struct inode *inode) |
1853 |
+ free_msg(msg); |
1854 |
+ } |
1855 |
+ |
1856 |
+- /* Total amount of bytes accounted for the mqueue */ |
1857 |
+- mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) + |
1858 |
+- min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) * |
1859 |
+- sizeof(struct posix_msg_tree_node); |
1860 |
+- |
1861 |
+- mq_bytes = mq_treesize + (info->attr.mq_maxmsg * |
1862 |
+- info->attr.mq_msgsize); |
1863 |
+- |
1864 |
+ user = info->user; |
1865 |
+ if (user) { |
1866 |
++ unsigned long mq_bytes, mq_treesize; |
1867 |
++ |
1868 |
++ /* Total amount of bytes accounted for the mqueue */ |
1869 |
++ mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) + |
1870 |
++ min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) * |
1871 |
++ sizeof(struct posix_msg_tree_node); |
1872 |
++ |
1873 |
++ mq_bytes = mq_treesize + (info->attr.mq_maxmsg * |
1874 |
++ info->attr.mq_msgsize); |
1875 |
++ |
1876 |
+ spin_lock(&mq_lock); |
1877 |
+ user->mq_bytes -= mq_bytes; |
1878 |
+ /* |
1879 |
+diff --git a/kernel/module.c b/kernel/module.c |
1880 |
+index 94528b891027..4b372c14d9a1 100644 |
1881 |
+--- a/kernel/module.c |
1882 |
++++ b/kernel/module.c |
1883 |
+@@ -3391,8 +3391,7 @@ static bool finished_loading(const char *name) |
1884 |
+ sched_annotate_sleep(); |
1885 |
+ mutex_lock(&module_mutex); |
1886 |
+ mod = find_module_all(name, strlen(name), true); |
1887 |
+- ret = !mod || mod->state == MODULE_STATE_LIVE |
1888 |
+- || mod->state == MODULE_STATE_GOING; |
1889 |
++ ret = !mod || mod->state == MODULE_STATE_LIVE; |
1890 |
+ mutex_unlock(&module_mutex); |
1891 |
+ |
1892 |
+ return ret; |
1893 |
+@@ -3560,8 +3559,7 @@ again: |
1894 |
+ mutex_lock(&module_mutex); |
1895 |
+ old = find_module_all(mod->name, strlen(mod->name), true); |
1896 |
+ if (old != NULL) { |
1897 |
+- if (old->state == MODULE_STATE_COMING |
1898 |
+- || old->state == MODULE_STATE_UNFORMED) { |
1899 |
++ if (old->state != MODULE_STATE_LIVE) { |
1900 |
+ /* Wait in case it fails to load. */ |
1901 |
+ mutex_unlock(&module_mutex); |
1902 |
+ err = wait_event_interruptible(module_wq, |
1903 |
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c |
1904 |
+index c4a0ad18c859..7420f5f36094 100644 |
1905 |
+--- a/kernel/trace/ftrace.c |
1906 |
++++ b/kernel/trace/ftrace.c |
1907 |
+@@ -1712,6 +1712,11 @@ static bool test_rec_ops_needs_regs(struct dyn_ftrace *rec) |
1908 |
+ return keep_regs; |
1909 |
+ } |
1910 |
+ |
1911 |
++static struct ftrace_ops * |
1912 |
++ftrace_find_tramp_ops_any(struct dyn_ftrace *rec); |
1913 |
++static struct ftrace_ops * |
1914 |
++ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops); |
1915 |
++ |
1916 |
+ static bool __ftrace_hash_rec_update(struct ftrace_ops *ops, |
1917 |
+ int filter_hash, |
1918 |
+ bool inc) |
1919 |
+@@ -1840,15 +1845,17 @@ static bool __ftrace_hash_rec_update(struct ftrace_ops *ops, |
1920 |
+ } |
1921 |
+ |
1922 |
+ /* |
1923 |
+- * If the rec had TRAMP enabled, then it needs to |
1924 |
+- * be cleared. As TRAMP can only be enabled iff |
1925 |
+- * there is only a single ops attached to it. |
1926 |
+- * In otherwords, always disable it on decrementing. |
1927 |
+- * In the future, we may set it if rec count is |
1928 |
+- * decremented to one, and the ops that is left |
1929 |
+- * has a trampoline. |
1930 |
++ * The TRAMP needs to be set only if rec count |
1931 |
++ * is decremented to one, and the ops that is |
1932 |
++ * left has a trampoline. As TRAMP can only be |
1933 |
++ * enabled if there is only a single ops attached |
1934 |
++ * to it. |
1935 |
+ */ |
1936 |
+- rec->flags &= ~FTRACE_FL_TRAMP; |
1937 |
++ if (ftrace_rec_count(rec) == 1 && |
1938 |
++ ftrace_find_tramp_ops_any(rec)) |
1939 |
++ rec->flags |= FTRACE_FL_TRAMP; |
1940 |
++ else |
1941 |
++ rec->flags &= ~FTRACE_FL_TRAMP; |
1942 |
+ |
1943 |
+ /* |
1944 |
+ * flags will be cleared in ftrace_check_record() |
1945 |
+@@ -2041,11 +2048,6 @@ static void print_ip_ins(const char *fmt, const unsigned char *p) |
1946 |
+ printk(KERN_CONT "%s%02x", i ? ":" : "", p[i]); |
1947 |
+ } |
1948 |
+ |
1949 |
+-static struct ftrace_ops * |
1950 |
+-ftrace_find_tramp_ops_any(struct dyn_ftrace *rec); |
1951 |
+-static struct ftrace_ops * |
1952 |
+-ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops); |
1953 |
+- |
1954 |
+ enum ftrace_bug_type ftrace_bug_type; |
1955 |
+ const void *ftrace_expected; |
1956 |
+ |
1957 |
+diff --git a/mm/cma.c b/mm/cma.c |
1958 |
+index 56761e40d191..c4a34c813d47 100644 |
1959 |
+--- a/mm/cma.c |
1960 |
++++ b/mm/cma.c |
1961 |
+@@ -277,6 +277,12 @@ int __init cma_declare_contiguous(phys_addr_t base, |
1962 |
+ */ |
1963 |
+ alignment = max(alignment, (phys_addr_t)PAGE_SIZE << |
1964 |
+ max_t(unsigned long, MAX_ORDER - 1, pageblock_order)); |
1965 |
++ if (fixed && base & (alignment - 1)) { |
1966 |
++ ret = -EINVAL; |
1967 |
++ pr_err("Region at %pa must be aligned to %pa bytes\n", |
1968 |
++ &base, &alignment); |
1969 |
++ goto err; |
1970 |
++ } |
1971 |
+ base = ALIGN(base, alignment); |
1972 |
+ size = ALIGN(size, alignment); |
1973 |
+ limit &= ~(alignment - 1); |
1974 |
+@@ -307,6 +313,13 @@ int __init cma_declare_contiguous(phys_addr_t base, |
1975 |
+ if (limit == 0 || limit > memblock_end) |
1976 |
+ limit = memblock_end; |
1977 |
+ |
1978 |
++ if (base + size > limit) { |
1979 |
++ ret = -EINVAL; |
1980 |
++ pr_err("Size (%pa) of region at %pa exceeds limit (%pa)\n", |
1981 |
++ &size, &base, &limit); |
1982 |
++ goto err; |
1983 |
++ } |
1984 |
++ |
1985 |
+ /* Reserve memory */ |
1986 |
+ if (fixed) { |
1987 |
+ if (memblock_is_region_reserved(base, size) || |
1988 |
+diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c |
1989 |
+index 524068d71bc1..9d9f6bb1e56e 100644 |
1990 |
+--- a/security/selinux/ss/policydb.c |
1991 |
++++ b/security/selinux/ss/policydb.c |
1992 |
+@@ -275,6 +275,8 @@ static int rangetr_cmp(struct hashtab *h, const void *k1, const void *k2) |
1993 |
+ return v; |
1994 |
+ } |
1995 |
+ |
1996 |
++static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap); |
1997 |
++ |
1998 |
+ /* |
1999 |
+ * Initialize a policy database structure. |
2000 |
+ */ |
2001 |
+@@ -322,8 +324,10 @@ static int policydb_init(struct policydb *p) |
2002 |
+ out: |
2003 |
+ hashtab_destroy(p->filename_trans); |
2004 |
+ hashtab_destroy(p->range_tr); |
2005 |
+- for (i = 0; i < SYM_NUM; i++) |
2006 |
++ for (i = 0; i < SYM_NUM; i++) { |
2007 |
++ hashtab_map(p->symtab[i].table, destroy_f[i], NULL); |
2008 |
+ hashtab_destroy(p->symtab[i].table); |
2009 |
++ } |
2010 |
+ return rc; |
2011 |
+ } |
2012 |
+ |
2013 |
+diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c |
2014 |
+index e6cef5a160e7..d089c711355a 100644 |
2015 |
+--- a/tools/objtool/elf.c |
2016 |
++++ b/tools/objtool/elf.c |
2017 |
+@@ -305,7 +305,7 @@ static int read_symbols(struct elf *elf) |
2018 |
+ if (sym->type != STT_FUNC) |
2019 |
+ continue; |
2020 |
+ sym->pfunc = sym->cfunc = sym; |
2021 |
+- coldstr = strstr(sym->name, ".cold."); |
2022 |
++ coldstr = strstr(sym->name, ".cold"); |
2023 |
+ if (!coldstr) |
2024 |
+ continue; |
2025 |
+ |