dgit.raspbian.org Git - linux.git/log

scsi: hisi_sas: Fix NULL pointer dereference

There is a NULL pointer dereference in case *slot* happens to be NULL at
lines 1053 and 1878:

struct hisi_sas_cq *cq =
&hisi_hba->cq[slot->dlvry_queue];

Notice that *slot* is being NULL checked at lines 1057 and 1881:
if (slot), which implies it may be NULL.

Fix this by placing the declaration and definition of variable cq, which
contains the pointer dereference slot->dlvry_queue, after slot has been
properly NULL checked.

Addresses-Coverity-ID: 1474515 ("Dereference before null check")
Addresses-Coverity-ID: 1474520 ("Dereference before null check")
Fixes: 584f53fe5f52 ("scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Reviewed-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0032-scsi-hisi_sas-Fix-NULL-pointer-dereference.patch

RDMA/hns: RDMA/hns: Assign rq head pointer when enable rq record db

When flush cqe, it needs to get the pointer of rq and sq from db address
space of user and update it into qp context by modified qp. if rq does not
exist, it will not get the value from db address space of user.

Signed-off-by: Lijun Ou <oulijun@huawei.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0031-RDMA-hns-RDMA-hns-Assign-rq-head-pointer-when-enable.patch

RDMA/hns: Modify the pbl ba page size for hip08

Modify the pbl ba page size to 16K for in order to support 4G MR size.

Signed-off-by: Wei Hu (Xavier) <xavier.huwei@huawei.com>
Signed-off-by: Lijun Ou <oulijun@huawei.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0030-RDMA-hns-Modify-the-pbl-ba-page-size-for-hip08.patch

RDMA/hns: Add constraint on the setting of local ACK timeout

According to IB protocol, local ACK timeout shall be a 5 bit
value. Currently, hip08 could not support the possible max value 31. Fail
the request in this case.

Signed-off-by: Yixian Liu <liuyixian@huawei.com>
Signed-off-by: Lijun Ou <oulijun@huawei.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0029-RDMA-hns-Add-constraint-on-the-setting-of-local-ACK-.patch

RDMA/hns: Bugfix for the scene without receiver queue

In some application scenario, the user could not have receive queue when
run rdma write or read operation.

Signed-off-by: Lijun Ou <oulijun@huawei.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0028-RDMA-hns-Bugfix-for-the-scene-without-receiver-queue.patch

RDMA/hns: Fix the bug with updating rq head pointer when flush cqe

When flush cqe with srq, the driver disable to update the rq head pointer
into the hardware.

Signed-off-by: Lijun Ou <oulijun@huawei.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0027-RDMA-hns-Fix-the-bug-with-updating-rq-head-pointer-w.patch

net: hns3: call hns3_nic_net_open() while doing HNAE3_UP_CLIENT

For HNAE3_DOWN_CLIENT calling hns3_nic_net_stop(), HNAE3_UP_CLIENT
should call hns3_nic_net_open(), since if the number of queue or
the map of TC has is changed before HHAE3_UP_CLIENT is called,
it will cause problem.

Also the HNS3_NIC_STATE_RESETTING flag needs to be cleared before
hns3_nic_net_open() called, and set it back while hns3_nic_net_open()
failed.

Fixes: bb6b94a896d4 ("net: hns3: Add reset interface implementation in client")
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: Peng Li <lipeng321@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0026-net-hns3-call-hns3_nic_net_open-while-doing-HNAE3_UP.patch

net: hns3: remove redundant variable initialization

This patch removes the redundant variable initialization,
as driver will devm_kzalloc to set value to hdev soon.

Signed-off-by: Peng Li <lipeng321@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0025-net-hns3-remove-redundant-variable-initialization.patch

net: hns3: fix a bug caused by udelay

udelay() in driver may always occupancy processor. If there is only
one cpu in system, the VF driver may initialize fail when insmod
PF and VF driver in the same system. This patch use msleep() to free
cpu when VF wait PF message.

Signed-off-by: Peng Li <lipeng321@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0024-net-hns3-fix-a-bug-caused-by-udelay.patch

net: hns3: change default tc state to close

In original codes, default tc value is set to the max tc. It's more
reasonable to close tc by changing default tc value to 1. Users can
enable it with lldp tool when they want to use tc.

Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Peng Li <lipeng321@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0023-net-hns3-change-default-tc-state-to-close.patch

net: hns3: fix a SSU buffer checking bug

When caculating the SSU buffer, it first allocate tx and
rx private buffer, then the remaining buffer is for rx
shared buffer. The remaining buffer size should be at
least bigger than or equal to the shared_std, which is the
minimum shared buffer size required by the driver, but
currently if the remaining buffer size is equal to the
shared_std, it returns failure, which causes SSU buffer
allocation failure problem.

This patch fixes this problem by rounding up shared_std before
checking the the remaining buffer size bigger than or equal to
the shared_std.

Fixes: 46a3df9f9718 ("net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: Peng Li <lipeng321@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0022-net-hns3-fix-a-SSU-buffer-checking-bug.patch

net: hns3: aligning buffer size in SSU to 256 bytes

The hardware expects the buffer size set to SSU is aligned to
256 bytes, this patch aligns the buffer size to 256 byte using
roundup or rounddown function.

Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: Peng Li <lipeng321@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0021-net-hns3-aligning-buffer-size-in-SSU-to-256-bytes.patch

net: hns3: getting tx and dv buffer size through firmware

This patch adds support of getting tx and dv buffer size through
firmware, because different version of hardware requires different
size of tx and dv buffer.

This patch also add dv_buf_size to tc' private buffer size even if
pfc is not enable for the tc.

Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: Peng Li <lipeng321@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0020-net-hns3-getting-tx-and-dv-buffer-size-through-firmw.patch

net: hns3: synchronize speed and duplex from phy when phy link up

Driver calls phy_connect_direct and registers hclge_mac_adjust_link
to synchronize mac speed and duplex from phy. It is better to
synchronize mac speed and duplex from phy when phy link up.

Signed-off-by: Peng Li <lipeng321@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0019-net-hns3-synchronize-speed-and-duplex-from-phy-when-.patch

net: hns3: remove 1000M/half support of phy

Our phy does not support 1000M/half, this patch removes 1000M/half from
PHY_SUPPORTED_FEATURES.

Signed-off-by: Fuyun Liang <liangfuyun1@huawei.com>
Signed-off-by: Peng Li <lipeng321@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0018-net-hns3-remove-1000M-half-support-of-phy.patch

net: hns3: remove unnecessary configuration recapture while resetting

When doing reset, it is unnecessary to get the hardware's default
configuration again, otherwise, the user's configuration will be
overwritten.

Fixes: 4ed340ab8f49 ("net: hns3: Add reset process in hclge_main")
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: Peng Li <lipeng321@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0017-net-hns3-remove-unnecessary-configuration-recapture-.patch

scsi: hisi_sas: Make sg_tablesize consistent value

Sht->sg_tablesize is set in the driver, and it will be assigned to
shost->sg_tablesize in SCSI mid-layer. So it is not necessary to assign
shost->sg_table one more time in the driver.

In addition to the change, change each scsi_host_template.sg_tablesize
to HISI_SAS_SGE_PAGE_CNT instead of SG_ALL.

Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0016-scsi-hisi_sas-Make-sg_tablesize-consistent-value.patch

scsi: hisi_sas: Relocate some code to reduce complexity

Relocate the codes related to dma_map/unmap in hisi_sas_task_prep() to
reduce complexity, with a view to add DIF/DIX support.

Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0015-scsi-hisi_sas-Relocate-some-code-to-reduce-complexit.patch

scsi: hisi_sas: Fix warnings detected by sparse

This patchset fixes some warnings detected by the sparse tool, like these:
drivers/scsi/hisi_sas/hisi_sas_main.c:1469:52: warning: incorrect type in assignment (different base types)
drivers/scsi/hisi_sas/hisi_sas_main.c:1469:52:    expected unsigned short [unsigned] [assigned] [usertype] tag_of_task_to_be_managed
drivers/scsi/hisi_sas/hisi_sas_main.c:1469:52:    got restricted __le16 [usertype] <noident>
drivers/scsi/hisi_sas/hisi_sas_main.c:1723:52: warning: incorrect type in assignment (different base types)
drivers/scsi/hisi_sas/hisi_sas_main.c:1723:52:    expected unsigned short [unsigned] [assigned] [usertype] tag_of_task_to_be_managed
drivers/scsi/hisi_sas/hisi_sas_main.c:1723:52:    got restricted __le16 [usertype] <noident>

Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0014-scsi-hisi_sas-Fix-warnings-detected-by-sparse.patch

scsi: hisi_sas: Relocate some codes to avoid an unused check

In function hisi_sas_task_prep(), we check asd_sas_port, but in function
hisi_sas_task_exec(), we already refer to asd_sas_port by using function
dev_to_hisi_hba() implicitly. So to avoid this possible invalid
dereference, relocate the check to function hisi_sas_task_prep().

Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0013-scsi-hisi_sas-Relocate-some-codes-to-avoid-an-unused.patch

scsi: hisi_sas: Add support for interrupt coalescing for v3 hw

If INT_COAL_EN is enabled, configure time and count of interrupt
coalescing. Then if CQ collects count of CQ entries in time, it will
report the interrupt. Or if CQ doesn't collect enough CQ entries in time,
it will report the interrupt at timeout.

As all the registers are not supported to be changed dynamically, we need
to config those register between disable and enable PHYs.

Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0012-scsi-hisi_sas-Add-support-for-interrupt-coalescing-f.patch

scsi: hisi_sas: Add support for interrupt converge for v3 hw

If CQ_INT_CONVERGE_EN is enabled, the interrupts of all the 16 CQ queues
will be reported by CQ0.

So we need to change the process of CQ tasklet for this situation.

Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0011-scsi-hisi_sas-Add-support-for-interrupt-converge-for.patch

scsi: hisi_sas: Create separate host attributes per HBA

Currently all the three HBA (v1/v2/v3 HW) share the same host attributes.

To support each HBA having separate attributes in future, create per-HBA
attributes.

Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0010-scsi-hisi_sas-Create-separate-host-attributes-per-HB.patch

scsi: hisi_sas: use dma_set_mask_and_coherent

The driver currently uses pci_set_dma_mask despite otherwise using the
generic DMA API. Switch it over to the better generic DMA API.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Acked-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0009-scsi-hisi_sas-use-dma_set_mask_and_coherent.patch

scsi: hisi_sas: Fix spin lock management in slot_index_alloc_quirk_v2_hw()

Currently a spin_unlock_irqrestore() call is missing on the error path,
so add it.

Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0008-scsi-hisi_sas-Fix-spin-lock-management-in-slot_index.patch

scsi: hisi_sas: Update v3 hw AIP_LIMIT and CFG_AGING_TIME register values

Update registers as follows:
- Default value of AIP timer is 1ms, and it is easy for some expanders to
  cause IO error. Change the value to max value 65ms to avoid IO error for
  those expanders.

- A CQ completion will be reported by HW when 4 CQs have occurred or the
  aging timer expires, whichever happens first. Sor serial IO scenario, it
  will still wait 8us for every IO before it is reported. So in the
  situation, the performance is poor. So to improve it, change the limit
  time to the least value.
  For other scenario, it does little affect to the performance.

Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0007-scsi-hisi_sas-Update-v3-hw-AIP_LIMIT-and-CFG_AGING_T.patch

scsi: hisi_sas: Use block layer tag instead for IPTT

Currently we use the IPTT defined in LLDD to identify IOs. Actually for
IOs which are from the block layer, they have tags to identify them. So
for those IOs, use tag of the block layer directly, and for IOs which is
not from the block layer (such as internal IOs from libsas/LLDD), reserve
96 IPTTs for them.

Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0006-scsi-hisi_sas-Use-block-layer-tag-instead-for-IPTT.patch

scsi: hisi_sas: unmask interrupts ent72 and ent74

The interrupts of ent72 and ent74 are not processed by PCIe AER handling,
so we need to unmask the interrupts and process them first in the driver.

Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0005-scsi-hisi_sas-unmask-interrupts-ent72-and-ent74.patch

scsi: hisi_sas: Free slot later in slot_complete_vx_hw()

If an SSP/SMP IO times out, it may be actually in reality be
simultaneously processing completion of the slot in
slot_complete_vx_hw().

Then if the slot is freed in slot_complete_vx_hw() (this IPTT is freed
and it may be re-used by other slot), and we may abort the wrong slot in
hisi_sas_abort_task().

So to solve the issue, free the slot after the check of
SAS_TASK_STATE_ABORTED in slot_complete_vx_hw().

Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0004-scsi-hisi_sas-Free-slot-later-in-slot_complete_vx_hw.patch

scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO

If SMP/internal IO times out, we will possibly free the task immediately.

However if the IO actually completes at the same time, the IO completion
may refer to task which has been freed.

So to solve the issue, flush the tasklet to finish IO completion before
free'ing slot/task.

Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0003-scsi-hisi_sas-Fix-the-race-between-IO-completion-and.patch

scsi: hisi_sas: Move evaluation of hisi_hba in hisi_sas_task_prep()

In evaluating hisi_hba, the sas_port may be NULL, so for safety relocate
the the check to value possible NULL deference.

Signed-off-by: Luo Jiaxing <luojiaxing@huawei.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0002-scsi-hisi_sas-Move-evaluation-of-hisi_hba-in-hisi_sa.patch

scsi: hisi_sas: Feed back linkrate(max/min) when re-attached

At directly attached situation, if the user modifies the sysfs interface
of maximum_linkrate and minimum_linkrate to renegotiate the linkrate
between SAS controller and target, the value of both files mentioned
above should have change to user setting after renegotiate is over, but
it remains unchanged.

To fix this bug, maximum_linkrate and minimum_linkrate will be directly
fed back to relevant sas_phy structure.

Signed-off-by: Luo Jiaxing <luojiaxing@huawei.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Gbp-Pq: Topic bugfix/arm64/huawei-taishan
Gbp-Pq: Name 0001-scsi-hisi_sas-Feed-back-linkrate-max-min-when-re-att.patch

net: ena: update driver version from 2.0.1 to 2.0.2

Update driver version due to critical bug fixes.

Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0018-net-ena-update-driver-version-from-2.0.1-to-2.0.2.patch

net: ena: fix crash during ena_remove()

In ena_remove() we have the following stack call:
ena_remove()
  unregister_netdev()
  ena_destroy_device()
    netif_carrier_off()

Calling netif_carrier_off() causes linkwatch to try to handle the
link change event on the already unregistered netdev, which leads
to a read from an unreadable memory address.

This patch switches the order of the two functions, so that
netif_carrier_off() is called on a regiestered netdev.

To accomplish this fix we also had to:
1. Remove the set bit ENA_FLAG_TRIGGER_RESET
2. Add a sanitiy check in ena_close()
both to prevent double device reset (when calling unregister_netdev()
ena_close is called, but the device was already deleted in
ena_destroy_device()).
3. Set the admin_queue running state to false to avoid using it after
device was reset (for example when calling ena_destroy_all_io_queues()
right after ena_com_dev_reset() in ena_down)

Fixes: 944b28aa2982 ("net: ena: fix missing lock during device destruction")
Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0017-net-ena-fix-crash-during-ena_remove.patch

net: ena: fix compilation error in xtensa architecture

linux/prefetch.h is never explicitly included in ena_com, although
functions from it, such as prefetchw(), are used throughout ena_com.
This is an inclusion bug, and we fix it here by explicitly including
linux/prefetch.h. The bug was exposed when the driver was compiled
for the xtensa architecture.

Fixes: 689b2bdaaa14 ("net: ena: add functions for handling Low Latency Queues in ena_com")
Fixes: 8c590f977638 ("ena: Fix Kconfig dependency on X86")
Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0016-net-ena-fix-compilation-error-in-xtensa-architecture.patch

net: ena: enable Low Latency Queues

Use the new API to enable usage of LLQ.

Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0015-net-ena-enable-Low-Latency-Queues.patch

net: ena: Fix Kconfig dependency on X86

The Kconfig limitation of X86 is to too wide.
The ENA driver only requires a little endian dependency.

Change the dependency to be on little endian CPU.

Signed-off-by: Netanel Belgazal <netanel@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0014-net-ena-Fix-Kconfig-dependency-on-X86.patch

net: ena: fix indentations in ena_defs for better readability

Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0013-net-ena-fix-indentations-in-ena_defs-for-better-read.patch

net: ena: update driver version to 2.0.1

Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0012-net-ena-update-driver-version-to-2.0.1.patch

net: ena: remove redundant parameter in ena_com_admin_init()

Remove redundant spinlock acquire parameter from ena_com_admin_init()

Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0011-net-ena-remove-redundant-parameter-in-ena_com_admin_.patch

net: ena: change rx copybreak default to reduce kernel memory pressure

Improves socket memory utilization when receiving packets larger
than 128 bytes (the previous rx copybreak) and smaller than 256 bytes.

Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0010-net-ena-change-rx-copybreak-default-to-reduce-kernel.patch

net: ena: limit refill Rx threshold to 256 to avoid latency issues

Currently Rx refill is done when the number of required descriptors is
above 1/8 queue size. With a default of 1024 entries per queue the
threshold is 128 descriptors.
There is intention to increase the queue size to 8196 entries.
In this case threshold of 1024 descriptors is too large and can hurt
latency.
Add another limitation to Rx threshold to be at most 256 descriptors.

Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0009-net-ena-limit-refill-Rx-threshold-to-256-to-avoid-la.patch

net: ena: explicit casting and initialization, and clearer error handling

Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0008-net-ena-explicit-casting-and-initialization-and-clea.patch

net: ena: use CSUM_CHECKED device indication to report skb's checksum status

Set skb->ip_summed to the correct value as reported by the device.
Add counter for the case where rx csum offload is enabled but
device didn't check it.

Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0007-net-ena-use-CSUM_CHECKED-device-indication-to-report.patch

net: ena: add functions for handling Low Latency Queues in ena_netdev

This patch includes all code changes necessary in ena_netdev to enable
packet sending via the LLQ placemnt mode.

Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0006-net-ena-add-functions-for-handling-Low-Latency-Queue.patch

net: ena: add functions for handling Low Latency Queues in ena_com

This patch introduces APIs for detection, initialization, configuration
and actual usage of low latency queues(LLQ). It extends transmit API with
creation of LLQ descriptors in device memory (which include host buffers
descriptors as well as packet header)

Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0005-net-ena-add-functions-for-handling-Low-Latency-Queue.patch

net: ena: introduce Low Latency Queues data structures according to ENA spec

Low Latency Queues(LLQ) allow usage of device's memory for descriptors
and headers. Such queues decrease processing time since data is already
located on the device when driver rings the doorbell.

Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0004-net-ena-introduce-Low-Latency-Queues-data-structures.patch

net: ena: complete host info to match latest ENA spec

Add new fields and definitions to host info and fill them
according to the latest ENA spec version.

Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0003-net-ena-complete-host-info-to-match-latest-ENA-spec.patch

net: ena: minor performance improvement

Reduce fastpath overhead by making ena_com_tx_comp_req_id_get() inline.
Also move it to ena_eth_com.h file with its dependency function
ena_com_cq_inc_head().

Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0002-net-ena-minor-performance-improvement.patch

net: ethernet: remove redundant include

Manual cherry-pick from e641e99f261f5203a911a9e0db54a214460d2cc4:

    module.h already contained moduleparam.h,  so it is safe to remove
    the redundant include.

    The issue is detected with the help of Coccinelle.

Signed-off-by: zhong jiang <zhongjiang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
limited only to the amazon/ena driver

Signed-off-by: Noah Meyerhans <noahm@debian.org>
Gbp-Pq: Topic features/all/ena
Gbp-Pq: Name 0001-net-ethernet-remove-redundant-include.patch

ovl: permit overlayfs mounts in user namespaces (taints kernel)

Permit overlayfs mounts within user namespaces to allow utilisation of e.g.
unprivileged LXC overlay snapshots.

Except by the Ubuntu community [1], overlayfs mounts in user namespaces are
expected to be a security risk [2] and thus are not enabled on upstream
Linux kernels.  For the non-Ubuntu users that have to stick to unprivileged
overlay-based LXCs, this meant to patch and compile the kernel manually.
Instead, adding the kernel tainting 'permit_mounts_in_userns' module
parameter allows a kind of a user-friendly way to enable the feature.

Testable with:

    sudo modprobe overlay permit_mounts_in_userns=1
    sudo sysctl -w kernel.unprivileged_userns_clone=1
    mkdir -p lower upper work mnt
    unshare --map-root-user --mount \
        mount -t overlay none mnt \
              -o lowerdir=lower,upperdir=upper,workdir=work

[1]: Ubuntu allows unprivileged mounting of overlay filesystem
https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html

[2]: User namespaces + overlayfs = root privileges
https://lwn.net/Articles/671641/

Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
Gbp-Pq: Topic debian
Gbp-Pq: Name overlayfs-permit-mounts-in-userns.patch

media: Documentation/media: uapi: Explicitly say there are no Invariant Sections

The GNU Free Documentation License allows for a work to specify
Invariant Sections that are not allowed to be modified. (Debian
considers that this makes such works non-free.)

The Linux Media Infrastructure userspace API documentation does not
specify any such sections, but it also doesn't say there are none (as
is recommended by the license text). Make it explicit that there are
none.

Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Johannes Stezenbach <js@linuxtv.org>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Marcus Metzler <mocm@metzlerbros.de>
Signed-off-by: Michael Ira Krufky <mkrufky@gmail.com>
Signed-off-by: Ralph Metzler <rjkm@metzlerbros.de>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Sylwester Nawrocki <snawrocki@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name documentation-media-uapi-explicitly-say-there-are-no-invariant-sections.patch

wireless: Disable regulatory.db direct loading

Don't complain about being unable to load regulatory.db directly.
This is expected until we generate a signing key and update
wireless-regdb to be signed with it.

Gbp-Pq: Topic debian
Gbp-Pq: Name wireless-disable-regulatory.db-direct-loading.patch

libbpf-generate-pkg-config

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name libbpf-generate-pkg-config.patch

libbpf: link shared object with libelf

libbpf.so needs to be linked against libelf to avoid missing symbols.

Signed-off-by: Hilko Bengen <bengen@debian.org>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name libbpf-link-shared-object-with-libelf.patch

libbpf: add SONAME to shared object

tools/lib/bpf/libbpf: Add proper version to the shared object.

Add versioning to the shared object to make it easier on distros to
distribute the library without having to watch for API/ABI versioning.

This is similar to the change made to tools/lib/lockdep/Makefile in
be227b45fb228adff4371b8de9e3989904209ff4.

Signed-off-by: Hilko Bengen <bengen@debian.org>
[bwh: Drop unnecessary changes]

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name libbpf-add-soname-to-shared-object.patch

tools: turbostat: Add checks for failure of fgets() and fscanf()

Most calls to fgets() and fscanf() are followed by error checks.
Add an exit-on-error in the remaining cases.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/x86
Gbp-Pq: Name tools-turbostat-Add-checks-for-failure-of-fgets-and-.patch

tools: x86_energy_perf_policy: Fix "uninitialized variable" warnings at -O2

x86_energy_perf_policy first uses __get_cpuid() to check the maximum
CPUID level and exits if it is too low.  It then assumes that later
calls will succeed (which I think is architecturally guaranteed).  It
also assumes that CPUID works at all (which is not guaranteed on
x86_32).

If optimisations are enabled, gcc warns about potentially
uninitialized variables.  Fix this by adding an exit-on-error after
every call to __get_cpuid() instead of just checking the maximum
level.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/x86
Gbp-Pq: Name tools-x86_energy_perf_policy-fix-uninitialized-varia.patch

usbip: Fix misuse of strncpy()

gcc 8 reports:

usbip_device_driver.c: In function ‘read_usb_vudc_device’:
usbip_device_driver.c:106:2: error: ‘strncpy’ specified bound 256 equals destination size [-Werror=stringop-truncation]
  strncpy(dev->path, path, SYSFS_PATH_MAX);
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
usbip_device_driver.c:125:2: error: ‘strncpy’ specified bound 32 equals destination size [-Werror=stringop-truncation]
  strncpy(dev->busid, name, SYSFS_BUS_ID_SIZE);
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'm not convinced it makes sense to truncate the copied strings here,
but since we're already doing so let's ensure they're still null-
terminated.  We can't easily use strlcpy() here, so use snprintf().

usbip_common.c has the same problem.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name usbip-fix-misuse-of-strncpy.patch

tools/lib/api/fs/fs.c: Fix misuse of strncpy()

gcc 8 reports:

In function 'fs__env_override',
    inlined from 'fs__get_mountpoint' at fs/fs.c:228:6:
fs/fs.c:222:2: error: 'strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation]
  strncpy(fs->path, override_path, sizeof(fs->path));
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'm not convinced it makes sense to truncate the copied string here,
but since we're already doing so let's ensure it's still null-
terminated.  Use strlcpy() instead.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name tools-lib-api-fs-fs.c-fix-misuse-of-strncpy.patch

cpupower: Fix checks for CPU existence

Calls to cpufreq_cpu_exists(cpu) were converted to
cpupower_is_cpu_online(cpu) when libcpupower was introduced and the
former function was deleted. However, cpupower_is_cpu_online() does
not distinguish physically absent and offline CPUs, and does not set
errno.

cpufreq-set has already been fixed (commit c25badc9ceb6).

In cpufreq-bench, which prints an error message for offline CPUs,
properly distinguish and report the zero and negative cases.

Fixes: ac5a181d065d ("cpupower: Add cpuidle parts into library")
Fixes: 53d1cd6b125f ("cpupowerutils: bench - Fix cpu online check")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[carnil: Update/Refresh patch for 4.14.17: The issue with the
incorrect check has been fixed with upstream commit 53d1cd6b125f.
Keep in the patch the distinction and report for the zero and
negative cases.]

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name cpupower-fix-checks-for-cpu-existence.patch

libcpupower: Hide private function

cpupower_read_sysfs() (previously known as sysfs_read_file()) is an
internal function in libcpupower and should not be exported when
libcpupower is a shared library. Change its visibility to "hidden".

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name libcpupower-hide-private-function.patch

cpupower: Bump soname version

Several functions in the libcpupower API are renamed or removed in
Linux 4.7. This is an backward-incompatible ABI change, so the
library soname should change from libcpupower.so.0 to
libcpupower.so.1.

Fixes: ac5a181d065d ("cpupower: Add cpuidle parts into library")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name cpupower-bump-soname-version.patch

tools/build: Remove bpf() run-time check at build time

It is not correct to test that a syscall works on the build system's
kernel. We might be building on an earlier kernel version or with
security restrictions that block bpf().

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name tools-build-remove-bpf-run-time-check-at-build-time.patch

Revert "perf build: Fix libunwind feature detection on 32-bit x86"

This reverts commit 05b41775e2edd69a83f592e3534930c934d4038e.
It broke feature detection that was working just fine for us.

Gbp-Pq: Topic bugfix/x86
Gbp-Pq: Name revert-perf-build-fix-libunwind-feature-detection-on.patch

tools/lib/traceevent: Use LDFLAGS

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name tools-lib-traceevent-use-ldflags.patch

tools/perf: Remove shebang lines from perf scripts

perf scripts need to be invoked through perf, not directly through
perl (or other language interpreter). So including shebang lines in
them is useless and possibly misleading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name tools-perf-remove-shebangs.patch

perf tools: Use $KBUILD_BUILD_TIMESTAMP as man page date

This allows man pages to be built reproducibly.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name tools-perf-man-date.patch

kbuild: Fix recordmcount dependency for OOT modules

We never rebuild anything in-tree when building an out-of-tree
modules, so external modules should not depend on the recordmcount
sources.

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name kbuild-fix-recordmcount-dependency.patch

usbip: Document TCP wrappers

Add references to TCP wrappers configuration in the manual page.

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name usbip-document-tcp-wrappers.patch

module: Disable matching missing version CRC

This partly reverts commit cd3caefb4663e3811d37cc2afad3cce642d60061.
We want to fail closed if a symbol version CRC is missing, as the
alternative may allow subverting module signing.

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name module-disable-matching-missing-version-crc.patch

ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME

Fix two issues:

When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
reference to the parent's objective credentials, then give that pointer
to get_cred(). However, the object lifetime rules for things like
struct cred do not permit unconditionally turning an RCU reference into
a stable reference.

PTRACE_TRACEME records the parent's credentials as if the parent was
acting as the subject, but that's not the case. If a malicious
unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
at a later point, the parent process becomes attacker-controlled
(because it drops privileges and calls execve()), the attacker ends up
with control over two processes with a privileged ptrace relationship,
which can be abused to ptrace a suid binary and obtain root privileges.

Fix both of these by always recording the credentials of the process
that is requesting the creation of the ptrace relationship:
current_cred() can't change under us, and current is the proper subject
for access control.

This change is theoretically userspace-visible, but I am not aware of
any code that it will actually break.

Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch

tcp: refine memory limit test in tcp_fragment()

tcp_fragment() might be called for skbs in the write queue.

Memory limits might have been exceeded because tcp_sendmsg() only
checks limits at full skb (64KB) boundaries.

Therefore, we need to make sure tcp_fragment() wont punish applications
that might have setup very low SO_SNDBUF values.

Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Christoph Paasch <cpaasch@apple.com>
Tested-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name tcp-refine-memory-limit-test-in-tcp_fragment.patch

tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()

If mtu probing is enabled tcp_mtu_probing() could very well end up
with a too small MSS.

Use the new sysctl tcp_min_snd_mss to make sure MSS search
is performed in an acceptable range.

CVE-2019-11479 -- tcp mss hardcoded to 48

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Cc: Jonathan Looney <jtl@netflix.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: Bruce Curtis <brucec@netflix.com>
Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch

tcp: add tcp_min_snd_mss sysctl

Some TCP peers announce a very small MSS option in their SYN and/or
SYN/ACK messages.

This forces the stack to send packets with a very high network/cpu
overhead.

Linux has enforced a minimal value of 48. Since this value includes
the size of TCP options, and that the options can consume up to 40
bytes, this means that each segment can include only 8 bytes of payload.

In some cases, it can be useful to increase the minimal value
to a saner value.

We still let the default to 48 (TCP_MIN_SND_MSS), for compatibility
reasons.

Note that TCP_MAXSEG socket option enforces a minimal value
of (TCP_MIN_MSS). David Miller increased this minimal value
in commit c39508d6f118 ("tcp: Make TCP_MAXSEG minimum more correct.")
from 64 to 88.

We might in the future merge TCP_MIN_SND_MSS and TCP_MIN_MSS.

CVE-2019-11479 -- tcp mss hardcoded to 48

Signed-off-by: Eric Dumazet <edumazet@google.com>
Suggested-by: Jonathan Looney <jtl@netflix.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: Bruce Curtis <brucec@netflix.com>
Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name tcp-add-tcp_min_snd_mss-sysctl.patch

tcp: tcp_fragment() should apply sane memory limits

Jonathan Looney reported that a malicious peer can force a sender
to fragment its retransmit queue into tiny skbs, inflating memory
usage and/or overflow 32bit counters.

TCP allows an application to queue up to sk_sndbuf bytes,
so we need to give some allowance for non malicious splitting
of retransmit queue.

A new SNMP counter is added to monitor how many times TCP
did not allow to split an skb if the allowance was exceeded.

Note that this counter might increase in the case applications
use SO_SNDBUF socket option to lower sk_sndbuf.

CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the
socket is already using more than half the allowed space

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jonathan Looney <jtl@netflix.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Cc: Bruce Curtis <brucec@netflix.com>
Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name tcp-tcp_fragment-should-apply-sane-memory-limits.patch

tcp: limit payload size of sacked skbs

Jonathan Looney reported that TCP can trigger the following crash
in tcp_shifted_skb() :

BUG_ON(tcp_skb_pcount(skb) < pcount);

This can happen if the remote peer has advertized the smallest
MSS that linux TCP accepts : 48

An skb can hold 17 fragments, and each fragment can hold 32KB
on x86, or 64KB on PowerPC.

This means that the 16bit witdh of TCP_SKB_CB(skb)->tcp_gso_segs
can overflow.

Note that tcp_sendmsg() builds skbs with less than 64KB
of payload, so this problem needs SACK to be enabled.
SACK blocks allow TCP to coalesce multiple skbs in the retransmit
queue, thus filling the 17 fragments to maximal capacity.

CVE-2019-11477 -- u16 overflow of TCP_SKB_CB(skb)->tcp_gso_segs

Fixes: 832d11c5cd07 ("tcp: Try to restore large SKBs while SACK processing")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jonathan Looney <jtl@netflix.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Bruce Curtis <brucec@netflix.com>
Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name tcp-limit-payload-size-of-sacked-skbs.patch

mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()

A few places in mwifiex_uap_parse_tail_ies() perform memcpy()
unconditionally, which may lead to either buffer overflow or read over
boundary.

This patch addresses the issues by checking the read size and the
destination size at each place more properly. Along with the fixes,
the patch cleans up the code slightly by introducing a temporary
variable for the token size, and unifies the error path with the
standard goto statement.

Reported-by: huangwen <huangwen@venustech.com.cn>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 4.19: adjust context]

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch

mm/mincore.c: make mincore() more conservative

commit 134fca9063ad4851de767d1768180e5dede9a881 upstream.

The semantics of what mincore() considers to be resident is not
completely clear, but Linux has always (since 2.3.52, which is when
mincore() was initially done) treated it as "page is available in page
cache".

That's potentially a problem, as that [in]directly exposes
meta-information about pagecache / memory mapping state even about
memory not strictly belonging to the process executing the syscall,
opening possibilities for sidechannel attacks.

Change the semantics of mincore() so that it only reveals pagecache
information for non-anonymous mappings that belog to files that the
calling process could (if it tried to) successfully open for writing;
otherwise we'd be including shared non-exclusive mappings, which

- is the sidechannel

- is not the usecase for mincore(), as that's primarily used for data,
not (shared) text

[jkosina@suse.cz: v2]
Link: http://lkml.kernel.org/r/20190312141708.6652-2-vbabka@suse.cz
[mhocko@suse.com: restructure can_do_mincore() conditions]
Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1903062342020.19912@cbobk.fhfr.pm
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Josh Snyder <joshs@netflix.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Originally-by: Linus Torvalds <torvalds@linux-foundation.org>
Originally-by: Dominique Martinet <asmadeus@codewreck.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Kevin Easton <kevin@guarana.org>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Cyril Hrubis <chrubis@suse.cz>
Cc: Tejun Heo <tj@kernel.org>
Cc: Kirill A. Shutemov <kirill@shutemov.name>
Cc: Daniel Gruss <daniel@gruss.cc>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name mm-mincore.c-make-mincore-more-conservative.patch

mwifiex: Don't abort on small, spec-compliant vendor IEs

Per the 802.11 specification, vendor IEs are (at minimum) only required
to contain an OUI. A type field is also included in ieee80211.h (struct
ieee80211_vendor_ie) but doesn't appear in the specification. The
remaining fields (subtype, version) are a convention used in WMM
headers.

Thus, we should not reject vendor-specific IEs that have only the
minimum length (3 bytes) -- we should skip over them (since we only want
to match longer IEs, that match either WMM or WPA formats). We can
reject elements that don't have the minimum-required 3 byte OUI.

While we're at it, move the non-standard subtype and version fields into
the WMM structs, to avoid this confusion in the future about generic
"vendor header" attributes.

Fixes: 685c9b7750bf ("mwifiex: Abort at too short BSS descriptor element")
Cc: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Brian Norris <briannorris@chromium.org>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name mwifiex-don-t-abort-on-small-spec-compliant-vendor-ies.patch

mwifiex: Abort at too short BSS descriptor element

Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
the source descriptor entries contain the enough size for each type
and performs copying without checking the source size. This may lead
to read over boundary.

Fix this by putting the source size check in appropriate places.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name mwifiex-abort-at-too-short-bss-descriptor-element.patch

mwifiex: Fix possible buffer overflows at parsing bss descriptor

mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
a couple places without checking the destination size. Since the
source is given from user-space, this may trigger a heap buffer
overflow.

Fix it by putting the length check before performing memcpy().

This fix addresses CVE-2019-3846.

Reported-by: huangwen <huangwen@venustech.com.cn>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch

Bluetooth: hidp: fix buffer overflow

Struct ca is copied from userspace. It is not checked whether the "name"
field is NULL terminated, which allows local users to obtain potentially
sensitive information from kernel stack memory, via a HIDPCONNADD command.

This vulnerability is similar to CVE-2011-1079.

Signed-off-by: Young Xiao <YangX92@hotmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name Bluetooth-hidp-fix-buffer-overflow.patch

ext4: zero out the unused memory region in the extent tree block

This commit zeroes out the unused memory region in the buffer_head
corresponding to the extent metablock after writing the extent header
and the corresponding extent node entries.

This is done to prevent random uninitialized data from getting into
the filesystem when the extent block is synced.

This fixes CVE-2019-11833.

Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name ext4-zero-out-the-unused-memory-region-in-the-extent.patch

brcmfmac: add subtype check for event handling in data path

For USB there is no separate channel being used to pass events
from firmware to the host driver and as such are passed over the
data path. In order to detect mock event messages an additional
check is needed on event subtype. This check is added conditionally
using unlikely() keyword.

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name brcmfmac-add-subtype-check-for-event-handling-in-dat.patch

brcmfmac: assure SSID length from firmware is limited

The SSID length as received from firmware should not exceed
IEEE80211_MAX_SSID_LEN as that would result in heap overflow.

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name brcmfmac-assure-SSID-length-from-firmware-is-limited.patch

powerpc/64s: Include cpu header

Current powerpc security.c file is defining functions, as
cpu_show_meltdown(), cpu_show_spectre_v{1,2} and others, that are being
declared at linux/cpu.h header without including the header file that
contains these declarations.

This is being reported by sparse, which thinks that these functions are
static, due to the lack of declaration:

arch/powerpc/kernel/security.c:105:9: warning: symbol 'cpu_show_meltdown' was not declared. Should it be static?
arch/powerpc/kernel/security.c:139:9: warning: symbol 'cpu_show_spectre_v1' was not declared. Should it be static?
arch/powerpc/kernel/security.c:161:9: warning: symbol 'cpu_show_spectre_v2' was not declared. Should it be static?
arch/powerpc/kernel/security.c:209:6: warning: symbol 'stf_barrier' was not declared. Should it be static?
arch/powerpc/kernel/security.c:289:9: warning: symbol 'cpu_show_spec_store_bypass' was not declared. Should it be static?

This patch simply includes the proper header (linux/cpu.h) to match
function definition and declaration.

Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Gbp-Pq: Topic bugfix/all/spec
Gbp-Pq: Name powerpc-64s-include-cpu-header.patch

x86/speculation/mds: Fix documentation typo

commit 95310e348a321b45fb746c176961d4da72344282 upstream

Fix a minor typo in the MDS documentation: "eanbled" -> "enabled".

Reported-by: Jeff Bastian <jbastian@redhat.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Gbp-Pq: Topic bugfix/all/spec
Gbp-Pq: Name 0030-x86-speculation-mds-Fix-documentation-typo.patch

Documentation: Correct the possible MDS sysfs values

commit ea01668f9f43021b28b3f4d5ffad50106a1e1301 upstream

Adjust the last two rows in the table that display possible values when
MDS mitigation is enabled. They both were slightly innacurate.

In addition, convert the table of possible values and their descriptions
to a list-table. The simple table format uses the top border of equals
signs to determine cell width which resulted in the first column being
far too wide in comparison to the second column that contained the
majority of the text.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Gbp-Pq: Topic bugfix/all/spec
Gbp-Pq: Name 0029-Documentation-Correct-the-possible-MDS-sysfs-values.patch

x86/mds: Add MDSUM variant to the MDS documentation

commit e672f8bf71c66253197e503f75c771dd28ada4a0 upstream

Updated the documentation for a new CVE-2019-11091 Microarchitectural Data
Sampling Uncacheable Memory (MDSUM) which is a variant of
Microarchitectural Data Sampling (MDS). MDS is a family of side channel
attacks on internal buffers in Intel CPUs.

MDSUM is a special case of MSBDS, MFBDS and MLPDS. An uncacheable load from
memory that takes a fault or assist can leave data in a microarchitectural
structure that may later be observed using one of the same methods used by
MSBDS, MFBDS or MLPDS. There are no new code changes expected for MDSUM.
The existing mitigation for MDS applies to MDSUM as well.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Jon Masters <jcm@redhat.com>
Gbp-Pq: Topic bugfix/all/spec
Gbp-Pq: Name 0028-x86-mds-Add-MDSUM-variant-to-the-MDS-documentation.patch

x86/speculation/mds: Add 'mitigations=' support for MDS

commit 5c14068f87d04adc73ba3f41c2a303d3c3d1fa12 upstream

Add MDS to the new 'mitigations=' cmdline option.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Gbp-Pq: Topic bugfix/all/spec
Gbp-Pq: Name 0027-x86-speculation-mds-Add-mitigations-support-for-MDS.patch

s390/speculation: Support 'mitigations=' cmdline option

commit 0336e04a6520bdaefdb0769d2a70084fa52e81ed upstream

Configure s390 runtime CPU speculation bug mitigations in accordance
with the 'mitigations=' cmdline option. This affects Spectre v1 and
Spectre v2.

The default behavior is unchanged.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Jiri Kosina <jkosina@suse.cz> (on x86)
Reviewed-by: Jiri Kosina <jkosina@suse.cz>
Cc: Borislav Petkov <bp@alien8.de>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Waiman Long <longman@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Jon Masters <jcm@redhat.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: linux-s390@vger.kernel.org
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-arch@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Steven Price <steven.price@arm.com>
Cc: Phil Auld <pauld@redhat.com>
Link: https://lkml.kernel.org/r/e4a161805458a5ec88812aac0307ae3908a030fc.1555085500.git.jpoimboe@redhat.com
Gbp-Pq: Topic bugfix/all/spec
Gbp-Pq: Name 0026-s390-speculation-Support-mitigations-cmdline-option.patch

powerpc/speculation: Support 'mitigations=' cmdline option

commit 782e69efb3dfed6e8360bc612e8c7827a901a8f9 upstream

Configure powerpc CPU runtime speculation bug mitigations in accordance
with the 'mitigations=' cmdline option. This affects Meltdown, Spectre
v1, Spectre v2, and Speculative Store Bypass.

The default behavior is unchanged.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Jiri Kosina <jkosina@suse.cz> (on x86)
Reviewed-by: Jiri Kosina <jkosina@suse.cz>
Cc: Borislav Petkov <bp@alien8.de>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Waiman Long <longman@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Jon Masters <jcm@redhat.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: linux-s390@vger.kernel.org
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-arch@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Steven Price <steven.price@arm.com>
Cc: Phil Auld <pauld@redhat.com>
Link: https://lkml.kernel.org/r/245a606e1a42a558a310220312d9b6adb9159df6.1555085500.git.jpoimboe@redhat.com
Gbp-Pq: Topic bugfix/all/spec
Gbp-Pq: Name 0025-powerpc-speculation-Support-mitigations-cmdline-opti.patch

x86/speculation: Support 'mitigations=' cmdline option

commit d68be4c4d31295ff6ae34a8ddfaa4c1a8ff42812 upstream

Configure x86 runtime CPU speculation bug mitigations in accordance with
the 'mitigations=' cmdline option. This affects Meltdown, Spectre v2,
Speculative Store Bypass, and L1TF.

The default behavior is unchanged.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Jiri Kosina <jkosina@suse.cz> (on x86)
Reviewed-by: Jiri Kosina <jkosina@suse.cz>
Cc: Borislav Petkov <bp@alien8.de>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Waiman Long <longman@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Jon Masters <jcm@redhat.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: linux-s390@vger.kernel.org
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-arch@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Steven Price <steven.price@arm.com>
Cc: Phil Auld <pauld@redhat.com>
Link: https://lkml.kernel.org/r/6616d0ae169308516cfdf5216bedd169f8a8291b.1555085500.git.jpoimboe@redhat.com
Gbp-Pq: Topic bugfix/all/spec
Gbp-Pq: Name 0024-x86-speculation-Support-mitigations-cmdline-option.patch

cpu/speculation: Add 'mitigations=' cmdline option

commit 98af8452945c55652de68536afdde3b520fec429 upstream

Keeping track of the number of mitigations for all the CPU speculation
bugs has become overwhelming for many users.  It's getting more and more
complicated to decide which mitigations are needed for a given
architecture.  Complicating matters is the fact that each arch tends to
have its own custom way to mitigate the same vulnerability.

Most users fall into a few basic categories:

a) they want all mitigations off;

b) they want all reasonable mitigations on, with SMT enabled even if
   it's vulnerable; or

c) they want all reasonable mitigations on, with SMT disabled if
   vulnerable.

Define a set of curated, arch-independent options, each of which is an
aggregation of existing options:

- mitigations=off: Disable all mitigations.

- mitigations=auto: [default] Enable all the default mitigations, but
  leave SMT enabled, even if it's vulnerable.

- mitigations=auto,nosmt: Enable all the default mitigations, disabling
  SMT if needed by a mitigation.

Currently, these options are placeholders which don't actually do
anything.  They will be fleshed out in upcoming patches.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Jiri Kosina <jkosina@suse.cz> (on x86)
Reviewed-by: Jiri Kosina <jkosina@suse.cz>
Cc: Borislav Petkov <bp@alien8.de>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Waiman Long <longman@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Jon Masters <jcm@redhat.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: linux-s390@vger.kernel.org
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-arch@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Steven Price <steven.price@arm.com>
Cc: Phil Auld <pauld@redhat.com>
Link: https://lkml.kernel.org/r/b07a8ef9b7c5055c3a4637c87d07c296d5016fe0.1555085500.git.jpoimboe@redhat.com
Gbp-Pq: Topic bugfix/all/spec
Gbp-Pq: Name 0023-cpu-speculation-Add-mitigations-cmdline-option.patch

x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off

commit e2c3c94788b08891dcf3dbe608f9880523ecd71b upstream

This code is only for CPUs which are affected by MSBDS, but are *not*
affected by the other two MDS issues.

For such CPUs, enabling the mds_idle_clear mitigation is enough to
mitigate SMT.

However if user boots with 'mds=off' and still has SMT enabled, we should
not report that SMT is mitigated:

$cat /sys//devices/system/cpu/vulnerabilities/mds
Vulnerable; SMT mitigated

But rather:
Vulnerable; SMT vulnerable

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Link: https://lkml.kernel.org/r/20190412215118.294906495@localhost.localdomain
Gbp-Pq: Topic bugfix/all/spec
Gbp-Pq: Name 0022-x86-speculation-mds-Print-SMT-vulnerable-on-MSBDS-wi.patch

x86/speculation/mds: Fix comment

commit cae5ec342645746d617dd420d206e1588d47768a upstream

s/L1TF/MDS/

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Gbp-Pq: Topic bugfix/all/spec
Gbp-Pq: Name 0021-x86-speculation-mds-Fix-comment.patch

x86/speculation/mds: Add SMT warning message

commit 39226ef02bfb43248b7db12a4fdccb39d95318e3 upstream

MDS is vulnerable with SMT. Make that clear with a one-time printk
whenever SMT first gets enabled.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Jiri Kosina <jkosina@suse.cz>
Gbp-Pq: Topic bugfix/all/spec
Gbp-Pq: Name 0020-x86-speculation-mds-Add-SMT-warning-message.patch

x86/speculation: Move arch_smt_update() call to after mitigation decisions

commit 7c3658b20194a5b3209a143f63bc9c643c6a3ae2 upstream

arch_smt_update() now has a dependency on both Spectre v2 and MDS
mitigations. Move its initial call to after all the mitigation decisions
have been made.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Jiri Kosina <jkosina@suse.cz>
Gbp-Pq: Topic bugfix/all/spec
Gbp-Pq: Name 0019-x86-speculation-Move-arch_smt_update-call-to-after-m.patch

x86/speculation/mds: Add mds=full,nosmt cmdline option

commit d71eb0ce109a124b0fa714832823b9452f2762cf upstream

Add the mds=full,nosmt cmdline option. This is like mds=full, but with
SMT disabled if the CPU is vulnerable.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Jiri Kosina <jkosina@suse.cz>
Gbp-Pq: Topic bugfix/all/spec
Gbp-Pq: Name 0018-x86-speculation-mds-Add-mds-full-nosmt-cmdline-optio.patch