diff --git a/blacklist.conf b/blacklist.conf
index 9d0058a..df691de 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -2169,3 +2169,17 @@ e583b5c472bd23d450e06f148dc1f37be74f7666 # Theoretical problem on non-existent H
 623af4f538b5df9b416e1b82f720af7371b4c771 # Lockdep annotation fix
 14362a2541797cf9df0e86fb12dcd7950baf566e # Prerequisite for e730558adffb
 e730558adffb88a52e562db089e969ee9510184a # Intrusive fix for obscure cornercase
+54f0bad6686cdc50a3f4c5f7c4252c5018511459 # net: sungem_phy: fix code indentation
+ea8146c6845799142aa4ee2660741c215e340cdf # cxgb4: Fix the -Wmisleading-indentation warning
+af8f3fb7fb077c9df9fed97113a031e792163def # net: stmmac: no such code
+1c93fb45761e79b3c00080e71523886cefaf351c # no phy driver
+e0fce6f945a26d4e953a147fe7ca11410322c9fe # there is no icmp_ndo_send helper
+67c9a7e1e3ac491b5df018803639addc36f154ba # there is no icmp_ndo_send helper
+349bff48ae0f5f8aa2075d0bdc2091a30bd634f6 # relevant only if CONFIG_ACPI=n
+c8994b30d71d64d5dcc9bc0edbfdf367171aa96f # SPARC is not supported in SLE12
+3b83b6c2e024d85b770ddb1e19a513b5d7587f6f # no such functions
+4caae58406f8ceb741603eee460d79bacca9b1b5 # dm target version doesn't match
+1e1b6d63d6340764e00356873e5794225a2a03ea # It's for LLVM, and breaks kABI
+6fb9e1d94789e8ee5a258a23bc588693f743fd6c # this adds an uevent the udev of SLE12 is not prepared to handle, hence pointless
+6071a6c0fba2d747742cadcbb3ba26ed756ed73b # cosmetic fix to comments not in kernel-doc
+6a2d90ba027adba528509ffa27097cffd3879257 # rectifies behavior of a deprecated operation
diff --git a/config/x86_64/rt b/config/x86_64/rt
index 8972d8e..a86e9ff 100644
--- a/config/x86_64/rt
+++ b/config/x86_64/rt
@@ -465,6 +465,8 @@ CONFIG_X86_X2APIC=y
 CONFIG_X86_MPPARSE=y
 # CONFIG_GOLDFISH is not set
 CONFIG_RETPOLINE=y
+CONFIG_SLS=y
+CONFIG_CC_HAS_RETURN_THUNK=y
 CONFIG_X86_CPU_RESCTRL=y
 CONFIG_X86_EXTENDED_PLATFORM=y
 # CONFIG_X86_NUMACHIP is not set
diff --git a/config/x86_64/rt_debug b/config/x86_64/rt_debug
index 570173c..fb178e0 100644
--- a/config/x86_64/rt_debug
+++ b/config/x86_64/rt_debug
@@ -466,6 +466,8 @@ CONFIG_X86_X2APIC=y
 CONFIG_X86_MPPARSE=y
 # CONFIG_GOLDFISH is not set
 CONFIG_RETPOLINE=y
+CONFIG_SLS=y
+CONFIG_CC_HAS_RETURN_THUNK=y
 CONFIG_X86_CPU_RESCTRL=y
 CONFIG_X86_EXTENDED_PLATFORM=y
 # CONFIG_X86_NUMACHIP is not set
diff --git a/patches.suse/0001-lib-hexdump.c-return-EINVAL-in-case-of-error-in-hex2.patch b/patches.suse/0001-lib-hexdump.c-return-EINVAL-in-case-of-error-in-hex2.patch
new file mode 100644
index 0000000..7fcbd2b
--- /dev/null
+++ b/patches.suse/0001-lib-hexdump.c-return-EINVAL-in-case-of-error-in-hex2.patch
@@ -0,0 +1,57 @@
+From 9888a588ea96ba2804f955bbc2667346719da887 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Fri, 8 Sep 2017 16:15:28 -0700
+Subject: [PATCH] lib/hexdump.c: return -EINVAL in case of error in hex2bin()
+Git-commit: 9888a588ea96ba2804f955bbc2667346719da887
+Patch-mainline: v4.14-rc1
+References: git-fixes
+
+In some cases caller would like to use error code directly without
+shadowing.
+
+-EINVAL feels a rightful code to return in case of error in hex2bin().
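+
+As a minimal illustration (hypothetical caller, not part of this patch;
+"key" and "key_str" are made-up names), the error code can now be
+propagated directly:
+
+	u8 key[16];
+	int ret;
+
+	ret = hex2bin(key, key_str, sizeof(key));
+	if (ret)
+		return ret;	/* -EINVAL instead of an opaque -1 */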
+
+Link: http://lkml.kernel.org/r/20170731135510.68023-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Andy Shevchenko
+Cc: Arnd Bergmann
+Cc: Rasmus Villemoes
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Coly Li
+---
+ lib/hexdump.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/hexdump.c b/lib/hexdump.c
+index 992457b1284c..81b70ed37209 100644
+--- a/lib/hexdump.c
++++ b/lib/hexdump.c
+@@ -9,6 +9,7 @@
+ 
+ #include <linux/ctype.h>
+ #include <linux/types.h>
++#include <linux/errno.h>
+ #include <linux/kernel.h>
+ #include <linux/export.h>
+ #include <asm/unaligned.h>
+@@ -42,7 +43,7 @@ EXPORT_SYMBOL(hex_to_bin);
+  * @src: ascii hexadecimal string
+  * @count: result length
+  *
+- * Return 0 on success, -1 in case of bad input.
++ * Return 0 on success, -EINVAL in case of bad input.
+  */
+ int hex2bin(u8 *dst, const char *src, size_t count)
+ {
+@@ -51,7 +52,7 @@ int hex2bin(u8 *dst, const char *src, size_t count)
+ 		int lo = hex_to_bin(*src++);
+ 
+ 		if ((hi < 0) || (lo < 0))
+-			return -1;
++			return -EINVAL;
+ 
+ 		*dst++ = (hi << 4) | lo;
+ 	}
+-- 
+2.35.3
+
diff --git a/patches.suse/0002-blk-zoned-allow-zone-management-send-operations-with.patch b/patches.suse/0002-blk-zoned-allow-zone-management-send-operations-with.patch
new file mode 100644
index 0000000..b5d70ec
--- /dev/null
+++ b/patches.suse/0002-blk-zoned-allow-zone-management-send-operations-with.patch
@@ -0,0 +1,57 @@
+From ead3b768bb51259e3a5f2287ff5fc9041eb6f450 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel
+Date: Wed, 11 Aug 2021 11:05:18 +0000
+Subject: [PATCH] blk-zoned: allow zone management send operations without
+ CAP_SYS_ADMIN
+Git-commit: ead3b768bb51259e3a5f2287ff5fc9041eb6f450
+Patch-mainline: v5.15-rc1
+References: git-fixes
+
+Zone management send operations (BLKRESETZONE, BLKOPENZONE, BLKCLOSEZONE
+and BLKFINISHZONE) should be allowed under the same permissions as write().
+(write() does not require CAP_SYS_ADMIN).
+
+Additionally, other ioctls like BLKSECDISCARD and BLKZEROOUT only check if
+the fd was successfully opened with FMODE_WRITE.
+(They do not require CAP_SYS_ADMIN).
+
+Currently, zone management send operations require both CAP_SYS_ADMIN
+and that the fd was successfully opened with FMODE_WRITE.
+
+Remove the CAP_SYS_ADMIN requirement, so that zone management send
+operations match the access control requirement of write(), BLKSECDISCARD
+and BLKZEROOUT.
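+
+As an illustration (not part of this patch; the device path and zone
+range are made up), a process holding only a writable fd can now reset
+a zone without CAP_SYS_ADMIN:
+
+	/* needs <linux/blkzoned.h>, <sys/ioctl.h>, <fcntl.h> */
+	struct blk_zone_range zrange = { .sector = 0, .nr_sectors = 1 << 19 };
+	int fd = open("/dev/sdX", O_WRONLY);	/* unprivileged user */
+
+	if (ioctl(fd, BLKRESETZONE, &zrange))
+		perror("BLKRESETZONE");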
+ +Fixes: 3ed05a987e0f ("blk-zoned: implement ioctls") +Signed-off-by: Niklas Cassel +Reviewed-by: Damien Le Moal +Reviewed-by: Aravind Ramesh +Reviewed-by: Adam Manzanares +Reviewed-by: Himanshu Madhani +Reviewed-by: Johannes Thumshirn +Cc: stable@vger.kernel.org # v4.10+ +Link: https://lore.kernel.org/r/20210811110505.29649-2-Niklas.Cassel@wdc.com +Signed-off-by: Jens Axboe +Signed-off-by: Coly Li + +--- + block/blk-zoned.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/block/blk-zoned.c b/block/blk-zoned.c +index 86fce751bb17..8a60dbeb44be 100644 +--- a/block/blk-zoned.c ++++ b/block/blk-zoned.c +@@ -421,9 +421,6 @@ int blkdev_zone_mgmt_ioctl(struct block_device *bdev, fmode_t mode, + if (!blk_queue_is_zoned(q)) + return -ENOTTY; + +- if (!capable(CAP_SYS_ADMIN)) +- return -EACCES; +- + if (!(mode & FMODE_WRITE)) + return -EBADF; + +-- +2.35.3 + diff --git a/patches.suse/0003-blk-zoned-allow-BLKREPORTZONE-without-CAP_SYS_ADMIN.patch b/patches.suse/0003-blk-zoned-allow-BLKREPORTZONE-without-CAP_SYS_ADMIN.patch new file mode 100644 index 0000000..f61c834 --- /dev/null +++ b/patches.suse/0003-blk-zoned-allow-BLKREPORTZONE-without-CAP_SYS_ADMIN.patch @@ -0,0 +1,50 @@ +From 4d643b66089591b4769bcdb6fd1bfeff2fe301b8 Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Wed, 11 Aug 2021 11:05:19 +0000 +Subject: [PATCH] blk-zoned: allow BLKREPORTZONE without CAP_SYS_ADMIN +Git-commit: 4d643b66089591b4769bcdb6fd1bfeff2fe301b8 +Patch-mainline: v5.15-rc1 +References: git-fixes + +A user space process should not need the CAP_SYS_ADMIN capability set +in order to perform a BLKREPORTZONE ioctl. + +Getting the zone report is required in order to get the write pointer. +Neither read() nor write() requires CAP_SYS_ADMIN, so it is reasonable +that a user space process that can read/write from/to the device, also +can get the write pointer. (Since e.g. writes have to be at the write +pointer.) + +Fixes: 3ed05a987e0f ("blk-zoned: implement ioctls") +Signed-off-by: Niklas Cassel +Reviewed-by: Damien Le Moal +Reviewed-by: Aravind Ramesh +Reviewed-by: Adam Manzanares +Reviewed-by: Himanshu Madhani +Reviewed-by: Johannes Thumshirn +Cc: stable@vger.kernel.org # v4.10+ +Link: https://lore.kernel.org/r/20210811110505.29649-3-Niklas.Cassel@wdc.com +Signed-off-by: Jens Axboe +Signed-off-by: Coly Li + +--- + block/blk-zoned.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/block/blk-zoned.c b/block/blk-zoned.c +index 8a60dbeb44be..1d0c76c18fc5 100644 +--- a/block/blk-zoned.c ++++ b/block/blk-zoned.c +@@ -360,9 +360,6 @@ int blkdev_report_zones_ioctl(struct block_device *bdev, fmode_t mode, + if (!blk_queue_is_zoned(q)) + return -ENOTTY; + +- if (!capable(CAP_SYS_ADMIN)) +- return -EACCES; +- + if (copy_from_user(&rep, argp, sizeof(struct blk_zone_report))) + return -EFAULT; + +-- +2.35.3 + diff --git a/patches.suse/0004-dm-fix-mempool-NULL-pointer-race-when-completing-IO.patch b/patches.suse/0004-dm-fix-mempool-NULL-pointer-race-when-completing-IO.patch new file mode 100644 index 0000000..e7853b4 --- /dev/null +++ b/patches.suse/0004-dm-fix-mempool-NULL-pointer-race-when-completing-IO.patch @@ -0,0 +1,145 @@ +From d208b89401e073de986dc891037c5a668f5d5d95 Mon Sep 17 00:00:00 2001 +From: Jiazi Li +Date: Wed, 29 Sep 2021 19:59:28 +0800 +Subject: [PATCH] dm: fix mempool NULL pointer race when completing IO +Git-commit: d208b89401e073de986dc891037c5a668f5d5d95 +Patch-mainline: v5.15-rc6 +References: git-fixes + +dm_io_dec_pending() calls end_io_acct() first and will then dec md +in-flight pending count. 
But if a task is swapping DM table at same +time this can result in a crash due to mempool->elements being NULL: + +task1 task2 +do_resume + ->do_suspend + ->dm_wait_for_completion + bio_endio + ->clone_endio + ->dm_io_dec_pending + ->end_io_acct + ->wakeup task1 + ->dm_swap_table + ->__bind + ->__bind_mempools + ->bioset_exit + ->mempool_exit + ->free_io + +[ 67.330330] Unable to handle kernel NULL pointer dereference at +virtual address 0000000000000000 +...... +[ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO) +[ 67.330510] pc : mempool_free+0x70/0xa0 +[ 67.330515] lr : mempool_free+0x4c/0xa0 +[ 67.330520] sp : ffffff8008013b20 +[ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004 +[ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8 +[ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800 +[ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800 +[ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80 +[ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c +[ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd +[ 67.330563] x15: 000000000093b41e x14: 0000000000000010 +[ 67.330569] x13: 0000000000007f7a x12: 0000000034155555 +[ 67.330574] x11: 0000000000000001 x10: 0000000000000001 +[ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000 +[ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a +[ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001 +[ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8 +[ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970 +[ 67.330609] Call trace: +[ 67.330616] mempool_free+0x70/0xa0 +[ 67.330627] bio_put+0xf8/0x110 +[ 67.330638] dec_pending+0x13c/0x230 +[ 67.330644] clone_endio+0x90/0x180 +[ 67.330649] bio_endio+0x198/0x1b8 +[ 67.330655] dec_pending+0x190/0x230 +[ 67.330660] clone_endio+0x90/0x180 +[ 67.330665] bio_endio+0x198/0x1b8 +[ 67.330673] blk_update_request+0x214/0x428 +[ 67.330683] scsi_end_request+0x2c/0x300 +[ 67.330688] scsi_io_completion+0xa0/0x710 +[ 67.330695] scsi_finish_command+0xd8/0x110 +[ 67.330700] scsi_softirq_done+0x114/0x148 +[ 67.330708] blk_done_softirq+0x74/0xd0 +[ 67.330716] __do_softirq+0x18c/0x374 +[ 67.330724] irq_exit+0xb4/0xb8 +[ 67.330732] __handle_domain_irq+0x84/0xc0 +[ 67.330737] gic_handle_irq+0x148/0x1b0 +[ 67.330744] el1_irq+0xe8/0x190 +[ 67.330753] lpm_cpuidle_enter+0x4f8/0x538 +[ 67.330759] cpuidle_enter_state+0x1fc/0x398 +[ 67.330764] cpuidle_enter+0x18/0x20 +[ 67.330772] do_idle+0x1b4/0x290 +[ 67.330778] cpu_startup_entry+0x20/0x28 +[ 67.330786] secondary_start_kernel+0x160/0x170 + +Fix this by: +1) Establishing pointers to 'struct dm_io' members in +dm_io_dec_pending() so that they may be passed into end_io_acct() +_after_ free_io() is called. +2) Moving end_io_acct() after free_io(). 
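+
+In pattern form (a condensed sketch of the change below, not the
+literal diff; variable declarations omitted):
+
+	/* before: the wakeup inside end_io_acct() can let the table
+	 * swapper destroy md's mempools before free_io() runs */
+	end_io_acct(io);
+	free_io(md, io);		/* may touch a freed mempool */
+
+	/* after: snapshot what accounting needs, free first, account last */
+	start_time = io->start_time;
+	stats_aux = io->stats_aux;
+	bio = io->orig_bio;
+	free_io(md, io);
+	end_io_acct(md, bio, start_time, &stats_aux);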
+ +(Coly Li: rebased for Linux 4.12 based SUSE kernel) + +Cc: stable@vger.kernel.org +Signed-off-by: Jiazi Li +Signed-off-by: Mike Snitzer +Signed-off-by: Coly Li + +--- + drivers/md/dm.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -630,21 +630,19 @@ static void start_io_acct(struct dm_io * + false, 0, &io->stats_aux); + } + +-static void end_io_acct(struct dm_io *io) ++static void end_io_acct(struct mapped_device *md, struct bio *bio, ++ unsigned long start_time, struct dm_stats_aux *stats_aux) + { +- struct mapped_device *md = io->md; +- struct bio *bio = io->orig_bio; +- unsigned long duration = jiffies - io->start_time; ++ unsigned long duration = jiffies - start_time; + int pending; + int rw = bio_data_dir(bio); + +- generic_end_io_acct(md->queue, rw, &dm_disk(md)->part0, io->start_time); ++ generic_end_io_acct(md->queue, rw, &dm_disk(md)->part0, start_time); + + if (unlikely(dm_stats_used(&md->stats))) + dm_stats_account_io(&md->stats, bio_data_dir(bio), + bio->bi_iter.bi_sector, bio_sectors(bio), +- true, duration, &io->stats_aux); +- ++ true, duration, stats_aux); + /* + * After this is decremented the bio must not be touched if it is + * a flush. +@@ -870,6 +868,8 @@ static void dec_pending(struct dm_io *io + blk_status_t io_error; + struct bio *bio; + struct mapped_device *md = io->md; ++ unsigned long start_time = 0; ++ struct dm_stats_aux stats_aux; + + /* Push-back supersedes any I/O errors */ + if (unlikely(error)) { +@@ -895,9 +895,11 @@ static void dec_pending(struct dm_io *io + } + + io_error = io->status; ++ start_time = io->start_time; ++ stats_aux = io->stats_aux; + bio = io->orig_bio; +- end_io_acct(io); + free_io(md, io); ++ end_io_acct(md, bio, start_time, &stats_aux); + + if (io_error == BLK_STS_DM_REQUEUE) + return; diff --git a/patches.suse/0005-blk-cgroup-synchronize-blkg-creation-against-policy-.patch b/patches.suse/0005-blk-cgroup-synchronize-blkg-creation-against-policy-.patch new file mode 100644 index 0000000..a751d93 --- /dev/null +++ b/patches.suse/0005-blk-cgroup-synchronize-blkg-creation-against-policy-.patch @@ -0,0 +1,158 @@ +From 0c9d338c8443b06da8e8d3bfce824c5ea6d3488f Mon Sep 17 00:00:00 2001 +From: Yu Kuai +Date: Wed, 20 Oct 2021 09:40:36 +0800 +Subject: [PATCH] blk-cgroup: synchronize blkg creation against policy + deactivation +Git-commit: 0c9d338c8443b06da8e8d3bfce824c5ea6d3488f +Patch-mainline: v5.16-rc1 +References: git-fixes + +Our test reports a null pointer dereference: + +[ 168.534653] ================================================================== +[ 168.535614] Disabling lock debugging due to kernel taint +[ 168.536346] BUG: kernel NULL pointer dereference, address: 0000000000000008 +[ 168.537274] #PF: supervisor read access in kernel mode +[ 168.537964] #PF: error_code(0x0000) - not-present page +[ 168.538667] PGD 0 P4D 0 +[ 168.539025] Oops: 0000 [#1] PREEMPT SMP KASAN +[ 168.539656] CPU: 13 PID: 759 Comm: bash Tainted: G B 5.15.0-rc2-next-202100 +[ 168.540954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_0738364 +[ 168.542736] RIP: 0010:bfq_pd_init+0x88/0x1e0 +[ 168.543318] Code: 98 00 00 00 e8 c9 e4 5b ff 4c 8b 65 00 49 8d 7c 24 08 e8 bb e4 5b ff 4d0 +[ 168.545803] RSP: 0018:ffff88817095f9c0 EFLAGS: 00010002 +[ 168.546497] RAX: 0000000000000001 RBX: ffff888101a1c000 RCX: 0000000000000000 +[ 168.547438] RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff888106553428 +[ 168.548402] RBP: ffff888106553400 R08: 
ffffffff961bcaf4 R09: 0000000000000001 +[ 168.549365] R10: ffffffffa2e16c27 R11: fffffbfff45c2d84 R12: 0000000000000000 +[ 168.550291] R13: ffff888101a1c098 R14: ffff88810c7a08c8 R15: ffffffffa55541a0 +[ 168.551221] FS: 00007fac75227700(0000) GS:ffff88839ba80000(0000) knlGS:0000000000000000 +[ 168.552278] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 168.553040] CR2: 0000000000000008 CR3: 0000000165ce7000 CR4: 00000000000006e0 +[ 168.554000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 168.554929] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 168.555888] Call Trace: +[ 168.556221] +[ 168.556510] blkg_create+0x1c0/0x8c0 +[ 168.556989] blkg_conf_prep+0x574/0x650 +[ 168.557502] ? stack_trace_save+0x99/0xd0 +[ 168.558033] ? blkcg_conf_open_bdev+0x1b0/0x1b0 +[ 168.558629] tg_set_conf.constprop.0+0xb9/0x280 +[ 168.559231] ? kasan_set_track+0x29/0x40 +[ 168.559758] ? kasan_set_free_info+0x30/0x60 +[ 168.560344] ? tg_set_limit+0xae0/0xae0 +[ 168.560853] ? do_sys_openat2+0x33b/0x640 +[ 168.561383] ? do_sys_open+0xa2/0x100 +[ 168.561877] ? __x64_sys_open+0x4e/0x60 +[ 168.562383] ? __kasan_check_write+0x20/0x30 +[ 168.562951] ? copyin+0x48/0x70 +[ 168.563390] ? _copy_from_iter+0x234/0x9e0 +[ 168.563948] tg_set_conf_u64+0x17/0x20 +[ 168.564467] cgroup_file_write+0x1ad/0x380 +[ 168.565014] ? cgroup_file_poll+0x80/0x80 +[ 168.565568] ? __mutex_lock_slowpath+0x30/0x30 +[ 168.566165] ? pgd_free+0x100/0x160 +[ 168.566649] kernfs_fop_write_iter+0x21d/0x340 +[ 168.567246] ? cgroup_file_poll+0x80/0x80 +[ 168.567796] new_sync_write+0x29f/0x3c0 +[ 168.568314] ? new_sync_read+0x410/0x410 +[ 168.568840] ? __handle_mm_fault+0x1c97/0x2d80 +[ 168.569425] ? copy_page_range+0x2b10/0x2b10 +[ 168.570007] ? _raw_read_lock_bh+0xa0/0xa0 +[ 168.570622] vfs_write+0x46e/0x630 +[ 168.571091] ksys_write+0xcd/0x1e0 +[ 168.571563] ? __x64_sys_read+0x60/0x60 +[ 168.572081] ? __kasan_check_write+0x20/0x30 +[ 168.572659] ? 
do_user_addr_fault+0x446/0xff0 +[ 168.573264] __x64_sys_write+0x46/0x60 +[ 168.573774] do_syscall_64+0x35/0x80 +[ 168.574264] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 168.574960] RIP: 0033:0x7fac74915130 +[ 168.575456] Code: 73 01 c3 48 8b 0d 58 ed 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 444 +[ 168.577969] RSP: 002b:00007ffc3080e288 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 168.578986] RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007fac74915130 +[ 168.579937] RDX: 0000000000000009 RSI: 000056007669f080 RDI: 0000000000000001 +[ 168.580884] RBP: 000056007669f080 R08: 000000000000000a R09: 00007fac75227700 +[ 168.581841] R10: 000056007655c8f0 R11: 0000000000000246 R12: 0000000000000009 +[ 168.582796] R13: 0000000000000001 R14: 00007fac74be55e0 R15: 00007fac74be08c0 +[ 168.583757] +[ 168.584063] Modules linked in: +[ 168.584494] CR2: 0000000000000008 +[ 168.584964] ---[ end trace 2475611ad0f77a1a ]--- + +This is because blkg_alloc() is called from blkg_conf_prep() without +holding 'q->queue_lock', and elevator is exited before blkg_create(): + +thread 1 thread 2 +blkg_conf_prep + spin_lock_irq(&q->queue_lock); + blkg_lookup_check -> return NULL + spin_unlock_irq(&q->queue_lock); + + blkg_alloc + blkcg_policy_enabled -> true + pd = ->pd_alloc_fn + blkg->pd[i] = pd + blk_mq_exit_sched + bfq_exit_queue + blkcg_deactivate_policy + spin_lock_irq(&q->queue_lock); + __clear_bit(pol->plid, q->blkcg_pols); + spin_unlock_irq(&q->queue_lock); + q->elevator = NULL; + spin_lock_irq(&q->queue_lock); + blkg_create + if (blkg->pd[i]) + ->pd_init_fn -> q->elevator is NULL + spin_unlock_irq(&q->queue_lock); + +Because blkcg_deactivate_policy() requires queue to be frozen, we can +grab q_usage_counter to synchoronize blkg_conf_prep() against +blkcg_deactivate_policy(). + +(Coly Li: rebased for Linux 4.12 based SUSE kernel) + +Fixes: e21b7a0b9887 ("block, bfq: add full hierarchical scheduling and cgroups support") +Signed-off-by: Yu Kuai +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20211020014036.2141723-1-yukuai3@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Coly Li + +--- + block/blk-cgroup.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -835,6 +835,14 @@ int blkg_conf_prep(struct blkcg *blkcg, + + q = disk->queue; + ++ /* ++ * blkcg_deactivate_policy() requires queue to be frozen, we can grab ++ * q_usage_counter to prevent concurrent with blkcg_deactivate_policy(). ++ */ ++ ret = blk_queue_enter(q, 0); ++ if (ret) ++ return ret; ++ + rcu_read_lock(); + spin_lock_irq(q->queue_lock); + +@@ -895,6 +903,7 @@ int blkg_conf_prep(struct blkcg *blkcg, + goto success; + } + success: ++ blk_queue_exit(q); + ctx->disk = disk; + ctx->blkg = blkg; + ctx->body = body; +@@ -905,6 +914,7 @@ fail_unlock: + rcu_read_unlock(); + fail: + put_disk_and_module(disk); ++ blk_queue_exit(q); + /* + * If queue was bypassing, we should retry. Do so after a + * short msleep(). 
It isn't strictly necessary but queue diff --git a/patches.suse/0006-dm-btree-remove-fix-use-after-free-in-rebalance_chil.patch b/patches.suse/0006-dm-btree-remove-fix-use-after-free-in-rebalance_chil.patch new file mode 100644 index 0000000..7cd3cf7 --- /dev/null +++ b/patches.suse/0006-dm-btree-remove-fix-use-after-free-in-rebalance_chil.patch @@ -0,0 +1,37 @@ +From 1b8d2789dad0005fd5e7d35dab26a8e1203fb6da Mon Sep 17 00:00:00 2001 +From: Joe Thornber +Date: Wed, 24 Nov 2021 12:07:39 -0500 +Subject: [PATCH] dm btree remove: fix use after free in rebalance_children() +Git-commit: 1b8d2789dad0005fd5e7d35dab26a8e1203fb6da +Patch-mainline: v5.16-rc6 +References: git-fixes + +Move dm_tm_unlock() after dm_tm_dec(). + +Cc: stable@vger.kernel.org +Signed-off-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Coly Li + +--- + drivers/md/persistent-data/dm-btree-remove.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/persistent-data/dm-btree-remove.c b/drivers/md/persistent-data/dm-btree-remove.c +index 70532335c7c7..cb670f16e98e 100644 +--- a/drivers/md/persistent-data/dm-btree-remove.c ++++ b/drivers/md/persistent-data/dm-btree-remove.c +@@ -423,9 +423,9 @@ static int rebalance_children(struct shadow_spine *s, + + memcpy(n, dm_block_data(child), + dm_bm_block_size(dm_tm_get_bm(info->tm))); +- dm_tm_unlock(info->tm, child); + + dm_tm_dec(info->tm, dm_block_location(child)); ++ dm_tm_unlock(info->tm, child); + return 0; + } + +-- +2.35.3 + diff --git a/patches.suse/0007-dm-crypt-fix-get_key_size-compiler-warning-if-CONFIG.patch b/patches.suse/0007-dm-crypt-fix-get_key_size-compiler-warning-if-CONFIG.patch new file mode 100644 index 0000000..1f51676 --- /dev/null +++ b/patches.suse/0007-dm-crypt-fix-get_key_size-compiler-warning-if-CONFIG.patch @@ -0,0 +1,35 @@ +From 6fc51504388c1a1a53db8faafe9fff78fccc7c87 Mon Sep 17 00:00:00 2001 +From: Aashish Sharma +Date: Fri, 11 Feb 2022 12:15:38 +0000 +Subject: [PATCH] dm crypt: fix get_key_size compiler warning if !CONFIG_KEYS +Git-commit: 6fc51504388c1a1a53db8faafe9fff78fccc7c87 +Patch-mainline: v5.18-rc1 +References: git-fixes + +Explicitly convert unsigned int in the right of the conditional +expression to int to match the left side operand and the return type, +fixing the following compiler warning: + +drivers/md/dm-crypt.c:2593:43: warning: signed and unsigned +type in conditional expression [-Wsign-compare] + +Fixes: c538f6ec9f56 ("dm crypt: add ability to use keys from the kernel key retention service") +Signed-off-by: Aashish Sharma +Signed-off-by: Mike Snitzer +Signed-off-by: Coly Li + +--- + drivers/md/dm-crypt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -2105,7 +2105,7 @@ static int crypt_set_keyring_key(struct + + static int get_key_size(char **key_string) + { +- return (*key_string[0] == ':') ? -EINVAL : strlen(*key_string) >> 1; ++ return (*key_string[0] == ':') ? 
-EINVAL : (int)(strlen(*key_string) >> 1); + } + + #endif diff --git a/patches.suse/0008-hex2bin-make-the-function-hex_to_bin-constant-time.patch b/patches.suse/0008-hex2bin-make-the-function-hex_to_bin-constant-time.patch new file mode 100644 index 0000000..1fd17d1 --- /dev/null +++ b/patches.suse/0008-hex2bin-make-the-function-hex_to_bin-constant-time.patch @@ -0,0 +1,86 @@ +From d2a2757cc38adeedec829b7d88d13b57b839ed6a Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 25 Apr 2022 08:07:48 -0400 +Subject: [PATCH] hex2bin: make the function hex_to_bin constant-time +Git-commit: e5be15767e7e284351853cbaba80cde8620341fb +Patch-mainline: v5.18-rc5 +References: git-fixes + +The function hex2bin is used to load cryptographic keys into device +mapper targets dm-crypt and dm-integrity. It should take constant time +independent on the processed data, so that concurrently running +unprivileged code can't infer any information about the keys via +microarchitectural convert channels. + +This patch changes the function hex_to_bin so that it contains no +branches and no memory accesses. + +Note that this shouldn't cause performance degradation because the size +of the new function is the same as the size of the old function (on +x86-64) - and the new function causes no branch misprediction penalties. + +I compile-tested this function with gcc on aarch64 alpha arm hppa hppa64 +i386 ia64 m68k mips32 mips64 powerpc powerpc64 riscv sh4 s390x sparc32 +sparc64 x86_64 and with clang on aarch64 arm hexagon i386 mips32 mips64 +powerpc powerpc64 s390x sparc32 sparc64 x86_64 to verify that there are +no branches in the generated code. + +(Coly Li: rebased for 4.12 based SUSE kernel) + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Coly Li +--- + lib/hexdump.c | 33 ++++++++++++++++++++++++++------- + 1 file changed, 26 insertions(+), 7 deletions(-) + +diff --git a/lib/hexdump.c b/lib/hexdump.c +index 992457b1284c..cb0bac4f9c01 100644 +--- a/lib/hexdump.c ++++ b/lib/hexdump.c +@@ -24,15 +24,34 @@ EXPORT_SYMBOL(hex_asc_upper); + * + * hex_to_bin() converts one hex digit to its actual value or -1 in case of bad + * input. ++ * ++ * This function is used to load cryptographic keys, so it is coded in such a ++ * way that there are no conditions or memory accesses that depend on data. ++ * ++ * Explanation of the logic: ++ * (ch - '9' - 1) is negative if ch <= '9' ++ * ('0' - 1 - ch) is negative if ch >= '0' ++ * we "and" these two values, so the result is negative if ch is in the range ++ * '0' ... '9' ++ * we are only interested in the sign, so we do a shift ">> 8"; note that right ++ * shift of a negative value is implementation-defined, so we cast the ++ * value to (unsigned) before the shift --- we have 0xffffff if ch is in ++ * the range '0' ... '9', 0 otherwise ++ * we "and" this value with (ch - '0' + 1) --- we have a value 1 ... 10 if ch is ++ * in the range '0' ... '9', 0 otherwise ++ * we add this value to -1 --- we have a value 0 ... 9 if ch is in the range '0' ++ * ... 
'9', -1 otherwise ++ * the next line is similar to the previous one, but we need to decode both ++ * uppercase and lowercase letters, so we use (ch & 0xdf), which converts ++ * lowercase to uppercase + */ +-int hex_to_bin(char ch) ++int hex_to_bin(char _ch) + { +- if ((ch >= '0') && (ch <= '9')) +- return ch - '0'; +- ch = tolower(ch); +- if ((ch >= 'a') && (ch <= 'f')) +- return ch - 'a' + 10; +- return -1; ++ unsigned char ch = (unsigned char)_ch; ++ unsigned char cu = ch & 0xdf; ++ return -1 + ++ ((ch - '0' + 1) & (unsigned)((ch - '9' - 1) & ('0' - 1 - ch)) >> 8) + ++ ((cu - 'A' + 11) & (unsigned)((cu - 'F' - 1) & ('A' - 1 - cu)) >> 8); + } + EXPORT_SYMBOL(hex_to_bin); + +-- +2.35.3 + diff --git a/patches.suse/0009-hex2bin-fix-access-beyond-string-end.patch b/patches.suse/0009-hex2bin-fix-access-beyond-string-end.patch new file mode 100644 index 0000000..a432236 --- /dev/null +++ b/patches.suse/0009-hex2bin-fix-access-beyond-string-end.patch @@ -0,0 +1,48 @@ +From e4d8a29997731b3bb14059024b24df9f784288d0 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 27 Apr 2022 11:26:40 -0400 +Subject: [PATCH] hex2bin: fix access beyond string end +Git-commit: e4d8a29997731b3bb14059024b24df9f784288d0 +Patch-mainline: v5.18-rc5 +References: git-fixes + +If we pass too short string to "hex2bin" (and the string size without +the terminating NUL character is even), "hex2bin" reads one byte after +the terminating NUL character. This patch fixes it. + +Note that hex_to_bin returns -1 on error and hex2bin return -EINVAL on +error - so we can't just return the variable "hi" or "lo" on error. +This inconsistency may be fixed in the next merge window, but for the +purpose of fixing this bug, we just preserve the existing behavior and +return -1 and -EINVAL. + +Signed-off-by: Mikulas Patocka +Reviewed-by: Andy Shevchenko +Fixes: b78049831ffe ("lib: add error checking to hex2bin") +Cc: stable@vger.kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Coly Li + +--- + lib/hexdump.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/lib/hexdump.c ++++ b/lib/hexdump.c +@@ -66,10 +66,13 @@ EXPORT_SYMBOL(hex_to_bin); + int hex2bin(u8 *dst, const char *src, size_t count) + { + while (count--) { +- int hi = hex_to_bin(*src++); +- int lo = hex_to_bin(*src++); ++ int hi, lo; + +- if ((hi < 0) || (lo < 0)) ++ hi = hex_to_bin(*src++); ++ if (unlikely(hi < 0)) ++ return -EINVAL; ++ lo = hex_to_bin(*src++); ++ if (unlikely(lo < 0)) + return -EINVAL; + + *dst++ = (hi << 4) | lo; diff --git a/patches.suse/0010-dm-stats-add-cond_resched-when-looping-over-entries.patch b/patches.suse/0010-dm-stats-add-cond_resched-when-looping-over-entries.patch new file mode 100644 index 0000000..29123d3 --- /dev/null +++ b/patches.suse/0010-dm-stats-add-cond_resched-when-looping-over-entries.patch @@ -0,0 +1,85 @@ +From bfe2b0146c4d0230b68f5c71a64380ff8d361f8b Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 24 Apr 2022 16:43:00 -0400 +Subject: [PATCH] dm stats: add cond_resched when looping over entries +Git-commit: bfe2b0146c4d0230b68f5c71a64380ff8d361f8b +Patch-mainline: v5.19-rc1 +References: git-fixes + +dm-stats can be used with a very large number of entries (it is only +limited by 1/4 of total system memory), so add rescheduling points to +the loops that iterate over the entries. 
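+
+The pattern applied below is simply (sketch):
+
+	for (ni = 0; ni < n_entries; ni++) {
+		/* per-entry work ... */
+		cond_resched();	/* yield on non-preemptible kernels */
+	}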
+ +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Coly Li + +--- + drivers/md/dm-stats.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/md/dm-stats.c b/drivers/md/dm-stats.c +index 86e0697330e8..8326f9fe0e91 100644 +--- a/drivers/md/dm-stats.c ++++ b/drivers/md/dm-stats.c +@@ -225,6 +225,7 @@ void dm_stats_cleanup(struct dm_stats *stats) + atomic_read(&shared->in_flight[READ]), + atomic_read(&shared->in_flight[WRITE])); + } ++ cond_resched(); + } + dm_stat_free(&s->rcu_head); + } +@@ -330,6 +331,7 @@ static int dm_stats_create(struct dm_stats *stats, sector_t start, sector_t end, + for (ni = 0; ni < n_entries; ni++) { + atomic_set(&s->stat_shared[ni].in_flight[READ], 0); + atomic_set(&s->stat_shared[ni].in_flight[WRITE], 0); ++ cond_resched(); + } + + if (s->n_histogram_entries) { +@@ -342,6 +344,7 @@ static int dm_stats_create(struct dm_stats *stats, sector_t start, sector_t end, + for (ni = 0; ni < n_entries; ni++) { + s->stat_shared[ni].tmp.histogram = hi; + hi += s->n_histogram_entries + 1; ++ cond_resched(); + } + } + +@@ -362,6 +365,7 @@ static int dm_stats_create(struct dm_stats *stats, sector_t start, sector_t end, + for (ni = 0; ni < n_entries; ni++) { + p[ni].histogram = hi; + hi += s->n_histogram_entries + 1; ++ cond_resched(); + } + } + } +@@ -500,6 +504,7 @@ static int dm_stats_list(struct dm_stats *stats, const char *program, + } + DMEMIT("\n"); + } ++ cond_resched(); + } + mutex_unlock(&stats->mutex); + +@@ -777,6 +782,7 @@ static void __dm_stat_clear(struct dm_stat *s, size_t idx_start, size_t idx_end, + local_irq_enable(); + } + } ++ cond_resched(); + } + } + +@@ -892,6 +898,8 @@ static int dm_stats_print(struct dm_stats *stats, int id, + + if (unlikely(sz + 1 >= maxlen)) + goto buffer_overflow; ++ ++ cond_resched(); + } + + if (clear) +-- +2.35.3 + diff --git a/patches.suse/0011-dm-integrity-fix-error-code-in-dm_integrity_ctr.patch b/patches.suse/0011-dm-integrity-fix-error-code-in-dm_integrity_ctr.patch new file mode 100644 index 0000000..d94d16d --- /dev/null +++ b/patches.suse/0011-dm-integrity-fix-error-code-in-dm_integrity_ctr.patch @@ -0,0 +1,42 @@ +From d3f2a14b8906df913cb04a706367b012db94a6e8 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 25 Apr 2022 14:56:48 +0300 +Subject: [PATCH] dm integrity: fix error code in dm_integrity_ctr() +Git-commit: d3f2a14b8906df913cb04a706367b012db94a6e8 +Patch-mainline: v5.19-rc1 +References: git-fixes + +The "r" variable shadows an earlier "r" that has function scope. It +means that we accidentally return success instead of an error code. 
+Smatch has a warning for this: + + drivers/md/dm-integrity.c:4503 dm_integrity_ctr() + warn: missing error code 'r' + +Fixes: 7eada909bfd7 ("dm: add integrity target") +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Reviewed-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Coly Li + +--- + drivers/md/dm-integrity.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c +index 36ae30b73a6e..3d5a0ce123c9 100644 +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -4494,8 +4494,6 @@ static int dm_integrity_ctr(struct dm_target *ti, unsigned argc, char **argv) + } + + if (should_write_sb) { +- int r; +- + init_journal(ic, 0, ic->journal_sections, 0); + r = dm_integrity_failed(ic); + if (unlikely(r)) { +-- +2.35.3 + diff --git a/patches.suse/0012-dm-crypt-make-printing-of-the-key-constant-time.patch b/patches.suse/0012-dm-crypt-make-printing-of-the-key-constant-time.patch new file mode 100644 index 0000000..4e07a09 --- /dev/null +++ b/patches.suse/0012-dm-crypt-make-printing-of-the-key-constant-time.patch @@ -0,0 +1,63 @@ +From 567dd8f34560fa221a6343729474536aa7ede4fd Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 25 Apr 2022 08:53:29 -0400 +Subject: [PATCH] dm crypt: make printing of the key constant-time +Git-commit: 567dd8f34560fa221a6343729474536aa7ede4fd +Patch-mainline: v5.19-rc1 +References: git-fixes + +The device mapper dm-crypt target is using scnprintf("%02x", cc->key[i]) to +report the current key to userspace. However, this is not a constant-time +operation and it may leak information about the key via timing, via cache +access patterns or via the branch predictor. + +Change dm-crypt's key printing to use "%c" instead of "%02x". Also +introduce hex2asc() that carefully avoids any branching or memory +accesses when converting a number in the range 0 ... 15 to an ascii +character. 
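+
+Tracing the two cases by hand may help (editorial walkthrough, not part
+of the original message):
+
+	/* hex2asc(c) = c + '0' + ((unsigned)(9 - c) >> 4 & 0x27) */
+	c = 7:  (unsigned)(9 - 7) >> 4 = 0, so 7 + '0' + 0 = '7'
+	c = 12: 9 - 12 wraps to a huge unsigned value, >> 4 keeps the
+	        low bits all-ones, & 0x27 = 0x27 (39), so
+	        12 + '0' + 39 = 'c'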
+ +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Tested-by: Milan Broz +Signed-off-by: Mike Snitzer +Signed-off-by: Coly Li + +--- + drivers/md/dm-crypt.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c +index fb80539865d7..159c6806c19b 100644 +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -3439,6 +3439,11 @@ static int crypt_map(struct dm_target *ti, struct bio *bio) + return DM_MAPIO_SUBMITTED; + } + ++static char hex2asc(unsigned char c) ++{ ++ return c + '0' + ((unsigned)(9 - c) >> 4 & 0x27); ++} ++ + static void crypt_status(struct dm_target *ti, status_type_t type, + unsigned status_flags, char *result, unsigned maxlen) + { +@@ -3457,9 +3462,12 @@ static void crypt_status(struct dm_target *ti, status_type_t type, + if (cc->key_size > 0) { + if (cc->key_string) + DMEMIT(":%u:%s", cc->key_size, cc->key_string); +- else +- for (i = 0; i < cc->key_size; i++) +- DMEMIT("%02x", cc->key[i]); ++ else { ++ for (i = 0; i < cc->key_size; i++) { ++ DMEMIT("%c%c", hex2asc(cc->key[i] >> 4), ++ hex2asc(cc->key[i] & 0xf)); ++ } ++ } + } else + DMEMIT("-"); + +-- +2.35.3 + diff --git a/patches.suse/0013-dm-mirror-log-round-up-region-bitmap-size-to-BITS_PE.patch b/patches.suse/0013-dm-mirror-log-round-up-region-bitmap-size-to-BITS_PE.patch new file mode 100644 index 0000000..8f6d2cb --- /dev/null +++ b/patches.suse/0013-dm-mirror-log-round-up-region-bitmap-size-to-BITS_PE.patch @@ -0,0 +1,44 @@ +From 85e123c27d5cbc22cfdc01de1e2ca1d9003a02d0 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Thu, 16 Jun 2022 13:28:57 -0400 +Subject: [PATCH] dm mirror log: round up region bitmap size to BITS_PER_LONG +Git-commit: 85e123c27d5cbc22cfdc01de1e2ca1d9003a02d0 +Patch-mainline: v5.19-rc3 +References: git-fixes + +The code in dm-log rounds up bitset_size to 32 bits. It then uses +find_next_zero_bit_le on the allocated region. find_next_zero_bit_le +accesses the bitmap using unsigned long pointers. So, on 64-bit +architectures, it may access 4 bytes beyond the allocated size. + +Fix this bug by rounding up bitset_size to BITS_PER_LONG. + +This bug was found by running the lvm2 testsuite with kasan. + +Fixes: 29121bd0b00e ("[PATCH] dm mirror log: bitset_size fix") +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Coly Li + +--- + drivers/md/dm-log.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/md/dm-log.c b/drivers/md/dm-log.c +index 06f328928a7f..2dda05aada23 100644 +--- a/drivers/md/dm-log.c ++++ b/drivers/md/dm-log.c +@@ -415,8 +415,7 @@ static int create_log_context(struct dm_dirty_log *log, struct dm_target *ti, + /* + * Work out how many "unsigned long"s we need to hold the bitset. 
+ */ +- bitset_size = dm_round_up(region_count, +- sizeof(*lc->clean_bits) << BYTE_SHIFT); ++ bitset_size = dm_round_up(region_count, BITS_PER_LONG); + bitset_size >>= BYTE_SHIFT; + + lc->bitset_uint32_count = bitset_size / sizeof(*lc->clean_bits); +-- +2.35.3 + diff --git a/patches.suse/CVE-Mitigation-for-CVE-2022-29900-and-CVE-2022-29901.patch b/patches.suse/CVE-Mitigation-for-CVE-2022-29900-and-CVE-2022-29901.patch new file mode 100644 index 0000000..348abf6 --- /dev/null +++ b/patches.suse/CVE-Mitigation-for-CVE-2022-29900-and-CVE-2022-29901.patch @@ -0,0 +1,164 @@ +From: Joerg Roedel +Date: Fri, 8 Jul 2022 16:15:16 +0200 +Subject: [PATCH] CVE Mitigation for CVE-2022-29900 and CVE-2022-29901 +Patch-mainline: Never, downstream CVE mitigation +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Necessary changes to implement changes from upstream patches: + + KVM: VMX: Prevent RSB underflow before vmenter + x86/speculation: Fill RSB on vmexit for IBRS + KVM: VMX: Fix IBRS handling after vmexit + KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS + KVM: VMX: Convert launched argument to flags + KVM: VMX: Flatten __vmx_vcpu_run() + +Into the SLE12-SP5 code base. + +Signed-off-by: Joerg Roedel +--- + arch/x86/include/asm/spec-ctrl.h | 20 ++++++++++++++++++++ + arch/x86/kernel/cpu/bugs.c | 9 +-------- + arch/x86/kvm/vmx.c | 22 +++++++++++----------- + tools/lib/subcmd/subcmd-util.h | 11 ++--------- + 4 files changed, 34 insertions(+), 28 deletions(-) + +diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h +index 5393babc0598..87bd2dd863e9 100644 +--- a/arch/x86/include/asm/spec-ctrl.h ++++ b/arch/x86/include/asm/spec-ctrl.h +@@ -27,6 +27,17 @@ static inline + void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl) + { + x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, true); ++ ++ if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) { ++ u64 guestval = guest_spec_ctrl, hostval = spec_ctrl_current(); ++ if (hostval != guestval) { ++ u32 low = (u32)guest_spec_ctrl, high = (u32)(guest_spec_ctrl >> 32); ++ ++ asm volatile("wrmsr\n" : ++ : "c" (MSR_IA32_SPEC_CTRL), "a"(low), "d"(high) ++ : "memory"); ++ } ++ } + } + + /** +@@ -40,6 +51,15 @@ void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl) + static inline + void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl) + { ++ if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) { ++ u64 hostval = spec_ctrl_current(); ++ u32 low = (u32)hostval, high = (u32)(hostval >> 32); ++ ++ asm volatile("wrmsr\n" : ++ : "c" (MSR_IA32_SPEC_CTRL), "a"(low), "d"(high) ++ : "memory"); ++ } ++ + x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, false); + } + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 8997b466d803..323253e44c19 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -187,16 +187,9 @@ void __init check_bugs(void) + void + x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest) + { +- u64 msrval, guestval = guest_spec_ctrl, hostval = spec_ctrl_current(); ++ u64 guestval = guest_spec_ctrl, hostval; + struct thread_info *ti = current_thread_info(); + +- if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) { +- if (hostval != guestval) { +- msrval = setguest ? guestval : hostval; +- wrmsrl(MSR_IA32_SPEC_CTRL, msrval); +- } +- } +- + /* + * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update + * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported. 
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 2352a6534a35..f03f15f72797 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -9910,14 +9910,6 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) + + vmx_arm_hv_timer(vcpu); + +- /* +- * If this vCPU has touched SPEC_CTRL, restore the guest's value if +- * it's non-zero. Since vmentry is serialising on affected CPUs, there +- * is no need to worry about the conditional branch over the wrmsr +- * being speculatively taken. +- */ +- x86_spec_ctrl_set_guest(vmx->spec_ctrl, 0); +- + vmx->__launched = vmx->loaded_vmcs->launched; + + /* L1D Flush includes CPU buffer clear to mitigate MDS */ +@@ -9931,6 +9923,14 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) + + vmx_disable_fb_clear(vmx); + ++ /* ++ * If this vCPU has touched SPEC_CTRL, restore the guest's value if ++ * it's non-zero. Since vmentry is serialising on affected CPUs, there ++ * is no need to worry about the conditional branch over the wrmsr ++ * being speculatively taken. ++ */ ++ x86_spec_ctrl_set_guest(vmx->spec_ctrl, 0); ++ + asm( + /* Store host registers */ + "push %%" _ASM_DX "; push %%" _ASM_BP ";" +@@ -10060,7 +10060,8 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) + #endif + ); + +- vmx_enable_fb_clear(vmx); ++ /* Eliminate branch target predictions from guest mode */ ++ vmexit_fill_RSB(); + + /* + * We do not use IBRS in the kernel. If this vCPU has used the +@@ -10082,8 +10083,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) + + x86_spec_ctrl_restore_host(vmx->spec_ctrl, 0); + +- /* Eliminate branch target predictions from guest mode */ +- vmexit_fill_RSB(); ++ vmx_enable_fb_clear(vmx); + + /* MSR_IA32_DEBUGCTLMSR is zeroed on vmexit. Restore it if needed */ + if (debugctlmsr) +diff --git a/tools/lib/subcmd/subcmd-util.h b/tools/lib/subcmd/subcmd-util.h +index 8fa5f036eff0..8a34305448d0 100644 +--- a/tools/lib/subcmd/subcmd-util.h ++++ b/tools/lib/subcmd/subcmd-util.h +@@ -49,15 +49,8 @@ static NORETURN inline void die(const char *err, ...) + static inline void *xrealloc(void *ptr, size_t size) + { + void *ret = realloc(ptr, size); +- if (!ret && !size) +- ret = realloc(ptr, 1); +- if (!ret) { +- ret = realloc(ptr, size); +- if (!ret && !size) +- ret = realloc(ptr, 1); +- if (!ret) +- die("Out of memory, realloc failed"); +- } ++ if (!ret) ++ die("Out of memory, realloc failed"); + return ret; + } + +-- +2.36.1 + diff --git a/patches.suse/Input-bcm5974-set-missing-URB_NO_TRANSFER_DMA_MAP-ur.patch b/patches.suse/Input-bcm5974-set-missing-URB_NO_TRANSFER_DMA_MAP-ur.patch new file mode 100644 index 0000000..e6d644d --- /dev/null +++ b/patches.suse/Input-bcm5974-set-missing-URB_NO_TRANSFER_DMA_MAP-ur.patch @@ -0,0 +1,59 @@ +From c42e65664390be7c1ef3838cd84956d3a2739d60 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Tue, 7 Jun 2022 12:11:33 -0700 +Subject: [PATCH] Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag +Git-commit: c42e65664390be7c1ef3838cd84956d3a2739d60 +References: git-fixes +Patch-mainline: v5.19-rc2 + +The bcm5974 driver does the allocation and dma mapping of the usb urb +data buffer, but driver does not set the URB_NO_TRANSFER_DMA_MAP flag +to let usb core know the buffer is already mapped. 
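+
+In outline, the probe path already does the allocation and mapping
+itself (condensed sketch; "len" and "pipe" stand in for the real
+values):
+
+	dev->bt_data = usb_alloc_coherent(udev, len, GFP_KERNEL,
+					  &dev->bt_urb->transfer_dma);
+	usb_fill_int_urb(dev->bt_urb, udev, pipe, dev->bt_data, len,
+			 bcm5974_irq_button, dev, 1);
+	/* ... but URB_NO_TRANSFER_DMA_MAP was never set on the urb */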
+ +usb core tries to map the already mapped buffer, causing a warning: +"xhci_hcd 0000:00:14.0: rejecting DMA map of vmalloc memory" + +Fix this by setting the URB_NO_TRANSFER_DMA_MAP, letting usb core +know buffer is already mapped by bcm5974 driver + +Signed-off-by: Mathias Nyman +Cc: stable@vger.kernel.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215890 +Link: https://lore.kernel.org/r/20220606113636.588955-1-mathias.nyman@linux.intel.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Oliver Neukum +--- + drivers/input/mouse/bcm5974.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/mouse/bcm5974.c b/drivers/input/mouse/bcm5974.c +index 59a14505b9cd..ca150618d32f 100644 +--- a/drivers/input/mouse/bcm5974.c ++++ b/drivers/input/mouse/bcm5974.c +@@ -942,17 +942,22 @@ static int bcm5974_probe(struct usb_interface *iface, + if (!dev->tp_data) + goto err_free_bt_buffer; + +- if (dev->bt_urb) ++ if (dev->bt_urb) { + usb_fill_int_urb(dev->bt_urb, udev, + usb_rcvintpipe(udev, cfg->bt_ep), + dev->bt_data, dev->cfg.bt_datalen, + bcm5974_irq_button, dev, 1); + ++ dev->bt_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; ++ } ++ + usb_fill_int_urb(dev->tp_urb, udev, + usb_rcvintpipe(udev, cfg->tp_ep), + dev->tp_data, dev->cfg.tp_datalen, + bcm5974_irq_trackpad, dev, 1); + ++ dev->tp_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; ++ + /* create bcm5974 device */ + usb_make_path(udev, dev->phys, sizeof(dev->phys)); + strlcat(dev->phys, "/input0", sizeof(dev->phys)); +-- +2.35.3 + diff --git a/patches.suse/Input-elan_i2c-fix-regulator-enable-count-imbalance-.patch b/patches.suse/Input-elan_i2c-fix-regulator-enable-count-imbalance-.patch new file mode 100644 index 0000000..507695e --- /dev/null +++ b/patches.suse/Input-elan_i2c-fix-regulator-enable-count-imbalance-.patch @@ -0,0 +1,61 @@ +From 04b7762e37c95d9b965d16bb0e18dbd1fa2e2861 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 28 Feb 2022 23:39:50 -0800 +Subject: [PATCH] Input: elan_i2c - fix regulator enable count imbalance after + suspend/resume +Git-commit: 04b7762e37c95d9b965d16bb0e18dbd1fa2e2861 +References: git-fixes +Patch-mainline: v5.17-rc7 + +Before these changes elan_suspend() would only disable the regulator +when device_may_wakeup() returns false; whereas elan_resume() would +unconditionally enable it, leading to an enable count imbalance when +device_may_wakeup() returns true. + +This triggers the "WARN_ON(regulator->enable_count)" in regulator_put() +when the elan_i2c driver gets unbound, this happens e.g. with the +hot-plugable dock with Elan I2C touchpad for the Asus TF103C 2-in-1. + +Fix this by making the regulator_enable() call also be conditional +on device_may_wakeup() returning false. 
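+
+The invariant after this change, in condensed form (sketch; error
+handling omitted): both paths gate the regulator call on the same
+condition, so the enable count stays balanced:
+
+	/* elan_suspend() */
+	if (!device_may_wakeup(dev))
+		regulator_disable(data->vcc);
+
+	/* elan_resume() */
+	if (!device_may_wakeup(dev))
+		error = regulator_enable(data->vcc);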
+ +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20220131135436.29638-2-hdegoede@redhat.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Oliver Neukum +--- + drivers/input/mouse/elan_i2c_core.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c +index 185191b86fad..e1758d5ffe42 100644 +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1388,17 +1388,17 @@ static int __maybe_unused elan_resume(struct device *dev) + struct elan_tp_data *data = i2c_get_clientdata(client); + int error; + +- if (device_may_wakeup(dev) && data->irq_wake) { ++ if (!device_may_wakeup(dev)) { ++ error = regulator_enable(data->vcc); ++ if (error) { ++ dev_err(dev, "error %d enabling regulator\n", error); ++ goto err; ++ } ++ } else if (data->irq_wake) { + disable_irq_wake(client->irq); + data->irq_wake = false; + } + +- error = regulator_enable(data->vcc); +- if (error) { +- dev_err(dev, "error %d enabling regulator\n", error); +- goto err; +- } +- + error = elan_set_power(data, true); + if (error) { + dev_err(dev, "power up when resuming failed: %d\n", error); +-- +2.35.3 + diff --git a/patches.suse/Input-elan_i2c-move-regulator_-en-dis-able-out-of-el.patch b/patches.suse/Input-elan_i2c-move-regulator_-en-dis-able-out-of-el.patch new file mode 100644 index 0000000..9ab4261 --- /dev/null +++ b/patches.suse/Input-elan_i2c-move-regulator_-en-dis-able-out-of-el.patch @@ -0,0 +1,130 @@ +From 81a36d8ce554b82b0a08e2b95d0bd44fcbff339b Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 28 Feb 2022 23:39:38 -0800 +Subject: [PATCH] Input: elan_i2c - move regulator_[en|dis]able() out of + elan_[en|dis]able_power() +Git-commit: 81a36d8ce554b82b0a08e2b95d0bd44fcbff339b +References: git-fixes +Patch-mainline: v5.17-rc7 + +elan_disable_power() is called conditionally on suspend, where as +elan_enable_power() is always called on resume. This leads to +an imbalance in the regulator's enable count. + +Move the regulator_[en|dis]able() calls out of elan_[en|dis]able_power() +in preparation of fixing this. + +No functional changes intended. 
+ +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20220131135436.29638-1-hdegoede@redhat.com +[dtor: consolidate elan_[en|dis]able() into elan_set_power()] +Signed-off-by: Dmitry Torokhov +Signed-off-by: Oliver Neukum +--- + drivers/input/mouse/elan_i2c_core.c | 62 ++++++++++------------------- + 1 file changed, 22 insertions(+), 40 deletions(-) + +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c +index 47af62c12267..185191b86fad 100644 +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -186,55 +186,21 @@ static int elan_get_fwinfo(u16 ic_type, u8 iap_version, u16 *validpage_count, + return 0; + } + +-static int elan_enable_power(struct elan_tp_data *data) ++static int elan_set_power(struct elan_tp_data *data, bool on) + { + int repeat = ETP_RETRY_COUNT; + int error; + +- error = regulator_enable(data->vcc); +- if (error) { +- dev_err(&data->client->dev, +- "failed to enable regulator: %d\n", error); +- return error; +- } +- + do { +- error = data->ops->power_control(data->client, true); ++ error = data->ops->power_control(data->client, on); + if (error >= 0) + return 0; + + msleep(30); + } while (--repeat > 0); + +- dev_err(&data->client->dev, "failed to enable power: %d\n", error); +- return error; +-} +- +-static int elan_disable_power(struct elan_tp_data *data) +-{ +- int repeat = ETP_RETRY_COUNT; +- int error; +- +- do { +- error = data->ops->power_control(data->client, false); +- if (!error) { +- error = regulator_disable(data->vcc); +- if (error) { +- dev_err(&data->client->dev, +- "failed to disable regulator: %d\n", +- error); +- /* Attempt to power the chip back up */ +- data->ops->power_control(data->client, true); +- break; +- } +- +- return 0; +- } +- +- msleep(30); +- } while (--repeat > 0); +- +- dev_err(&data->client->dev, "failed to disable power: %d\n", error); ++ dev_err(&data->client->dev, "failed to set power %s: %d\n", ++ on ? 
"on" : "off", error); + return error; + } + +@@ -1399,9 +1365,19 @@ static int __maybe_unused elan_suspend(struct device *dev) + /* Enable wake from IRQ */ + data->irq_wake = (enable_irq_wake(client->irq) == 0); + } else { +- ret = elan_disable_power(data); ++ ret = elan_set_power(data, false); ++ if (ret) ++ goto err; ++ ++ ret = regulator_disable(data->vcc); ++ if (ret) { ++ dev_err(dev, "error %d disabling regulator\n", ret); ++ /* Attempt to power the chip back up */ ++ elan_set_power(data, true); ++ } + } + ++err: + mutex_unlock(&data->sysfs_mutex); + return ret; + } +@@ -1417,7 +1393,13 @@ static int __maybe_unused elan_resume(struct device *dev) + data->irq_wake = false; + } + +- error = elan_enable_power(data); ++ error = regulator_enable(data->vcc); ++ if (error) { ++ dev_err(dev, "error %d enabling regulator\n", error); ++ goto err; ++ } ++ ++ error = elan_set_power(data, true); + if (error) { + dev_err(dev, "power up when resuming failed: %d\n", error); + goto err; +-- +2.35.3 + diff --git a/patches.suse/Input-omap4-keypad-fix-pm_runtime_get_sync-error-che.patch b/patches.suse/Input-omap4-keypad-fix-pm_runtime_get_sync-error-che.patch new file mode 100644 index 0000000..af0db7c --- /dev/null +++ b/patches.suse/Input-omap4-keypad-fix-pm_runtime_get_sync-error-che.patch @@ -0,0 +1,33 @@ +From 81022a170462d38ea10612cb67e8e2c529d58abe Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Sun, 17 Apr 2022 13:03:31 -0700 +Subject: [PATCH] Input: omap4-keypad - fix pm_runtime_get_sync() error + checking +Git-commit: 81022a170462d38ea10612cb67e8e2c529d58abe +References: git-fixes +Patch-mainline: v5.18-rc4 + +If the device is already in a runtime PM enabled state +pm_runtime_get_sync() will return 1, so a test for negative +value should be used to check for errors. + +Fixes: f77621cc640a ("Input: omap-keypad - dynamically handle register offsets") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220412070131.19848-1-linmq006@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Oliver Neukum +--- + drivers/input/keyboard/omap4-keypad.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/keyboard/omap4-keypad.c ++++ b/drivers/input/keyboard/omap4-keypad.c +@@ -317,7 +317,7 @@ static int omap4_keypad_probe(struct pla + * revision register. + */ + error = pm_runtime_get_sync(&pdev->dev); +- if (error) { ++ if (error < 0) { + dev_err(&pdev->dev, "pm_runtime_get_sync() failed\n"); + pm_runtime_put_noidle(&pdev->dev); + } else { diff --git a/patches.suse/KVM-x86-Trace-the-original-requested-CPUID-function-.patch b/patches.suse/KVM-x86-Trace-the-original-requested-CPUID-function-.patch new file mode 100644 index 0000000..624819c --- /dev/null +++ b/patches.suse/KVM-x86-Trace-the-original-requested-CPUID-function-.patch @@ -0,0 +1,51 @@ +Patch-mainline: v5.7-rc1 +Git-commit: b7fb8488c85f2b5304e90d954a54d980adde60a4 +References: git-fixes +From: Jan Kiszka +Date: Wed, 4 Mar 2020 17:34:31 -0800 +Subject: [PATCH] KVM: x86: Trace the original requested CPUID function in + kvm_cpuid() + +Trace the requested CPUID function instead of the effective function, +e.g. if the requested function is out-of-range and KVM is emulating an +Intel CPU, as the intent of the tracepoint is to show if the output came +from the actual leaf as opposed to the max basic leaf via redirection. + +Similarly, leave "found" as is, i.e. report that an entry was found if +and only if the requested entry was found. 
+ +Fixes: 43561123ab37 ("kvm: x86: Improve emulation of CPUID leaves 0BH and 1FH") +Signed-off-by: Jan Kiszka +[Sean: Drop "found" semantic change, reword changelong accordingly ] +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Juergen Gross +--- + arch/x86/kvm/cpuid.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c +index 78d461be2102..a25b520d26c9 100644 +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -933,7 +933,7 @@ static bool cpuid_function_in_range(struct kvm_vcpu *vcpu, u32 function) + bool kvm_cpuid(struct kvm_vcpu *vcpu, u32 *eax, u32 *ebx, + u32 *ecx, u32 *edx, bool check_limit) + { +- u32 function = *eax, index = *ecx; ++ u32 orig_function = *eax, function = *eax, index = *ecx; + struct kvm_cpuid_entry2 *entry; + struct kvm_cpuid_entry2 *max; + bool found; +@@ -982,7 +982,7 @@ bool kvm_cpuid(struct kvm_vcpu *vcpu, u32 *eax, u32 *ebx, + } + } + } +- trace_kvm_cpuid(function, *eax, *ebx, *ecx, *edx, found); ++ trace_kvm_cpuid(orig_function, *eax, *ebx, *ecx, *edx, found); + return found; + } + EXPORT_SYMBOL_GPL(kvm_cpuid); +-- +2.35.3 + diff --git a/patches.suse/NFS-flush-dirty-data-on-fput-fix.patch b/patches.suse/NFS-flush-dirty-data-on-fput-fix.patch new file mode 100644 index 0000000..e3809f7 --- /dev/null +++ b/patches.suse/NFS-flush-dirty-data-on-fput-fix.patch @@ -0,0 +1,37 @@ +From: NeilBrown +Subject: don't call utsname() after ->nsproxy is NULL. +References: bsc#1201196 +Patch-mainline: Never, not needed + +Our patch 0001-NFS-flush-out-dirty-data-on-file-fput.patch calls fsync() +from nfs_file_release(). This can be called late in do_exit() +when the final delayed fput() is called. +At this point ->nsproxy is already NULL, so utsname() cannot safely +be used. + +The string constucted with utsname() calls is optional - it is present +in the protocol for debugging only. It is perfectly safe not to include +it. + +So if current->nsproxy is NULL, skip generation of this string. + +Signed-off-by: NeilBrown + +--- + fs/nfs/nfs4xdr.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/nfs/nfs4xdr.c ++++ b/fs/nfs/nfs4xdr.c +@@ -1785,7 +1785,10 @@ static void encode_exchange_id(struct xd + break; + } + +- if (send_implementation_id && ++ /* ->nsproxy is null during final fput() in do_exit(), ++ * in which case utsname() is not usable. ++ */ ++ if (send_implementation_id && current->nsproxy && + sizeof(CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN) > 1 && + sizeof(CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN) + <= sizeof(impl_name) + 1) diff --git a/patches.suse/PCI-ACPI-Allow-D3-only-if-Root-Port-can-signal-and-w.patch b/patches.suse/PCI-ACPI-Allow-D3-only-if-Root-Port-can-signal-and-w.patch new file mode 100644 index 0000000..e48c15e --- /dev/null +++ b/patches.suse/PCI-ACPI-Allow-D3-only-if-Root-Port-can-signal-and-w.patch @@ -0,0 +1,101 @@ +From dff6139015dc68e93be3822a7bd406a1d138628b Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Thu, 31 Mar 2022 22:40:03 -0500 +Subject: [PATCH] PCI/ACPI: Allow D3 only if Root Port can signal and wake from + D3 +Git-commit: dff6139015dc68e93be3822a7bd406a1d138628b +References: git-fixes +Patch-mainline: v5.19-rc1 + +acpi_pci_bridge_d3(dev) returns "true" if "dev" is a hotplug bridge that +can handle hotplug events while in D3. 
Previously this meant either: + + - "dev" has a _PS0 or _PR0 method (acpi_pci_power_manageable()), or + + - The Root Port above "dev" has a _DSD with a "HotPlugSupportInD3" + property with value 1. + +This did not consider _PRW, which tells us about wakeup GPEs (ACPI v6.4, +sec 7.3.13). Without a wakeup GPE, from an ACPI perspective the Root Port +has no way of generating wakeup signals, so hotplug events will be lost if +we use D3. + +Similarly, it did not consider _S0W, which tells us the deepest D-state +from which a device can wake itself (sec 7.3.20). If _S0W tells us the +device cannot wake from D3, hotplug events will again be lost if we use D3. + +Some platforms, e.g., AMD Yellow Carp, supply "HotPlugSupportInD3" without +_PRW or with an _S0W that says the Root Port cannot wake from D3. On those +platforms, we previously put bridges in D3hot, hotplug events were lost, +and hotplugged devices would not be recognized without manually rescanning. + +Allow bridges to be put in D3 only if the Root Port can generate wakeup +GPEs (wakeup.flags.valid), it can wake from D3 (_S0W), AND it has the +"HotPlugSupportInD3" property. + +Neither Windows 10 nor Windows 11 puts the bridge in D3 when the firmware +is configured this way, and this change aligns the handling of the +situation to be the same. + +[bhelgaas: commit log, tidy "HotPlugSupportInD3" check and comment] +Link: https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/07_Power_and_Performance_Mgmt/device-power-management-objects.html?highlight=s0w#s0w-s0-device-wake-state +Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/pci/dsd-for-pcie-root-ports#identifying-pcie-root-ports-supporting-hot-plug-in-d3 +Link: https://lore.kernel.org/r/20220401034003.3166-1-mario.limonciello@amd.com +Fixes: 26ad34d510a87 ("PCI / ACPI: Whitelist D3 for more PCIe hotplug ports") +Signed-off-by: Mario Limonciello +Signed-off-by: Bjorn Helgaas +Reviewed-by: Rafael J. Wysocki +Signed-off-by: Oliver Neukum +--- + drivers/pci/pci-acpi.c | 31 +++++++++++++++++++++++++++++-- + 1 file changed, 29 insertions(+), 2 deletions(-) + +--- a/drivers/pci/pci-acpi.c ++++ b/drivers/pci/pci-acpi.c +@@ -542,6 +542,9 @@ static bool acpi_pci_bridge_d3(struct pc + { + const struct fwnode_handle *fwnode; + struct acpi_device *adev; ++ acpi_status status; ++ unsigned long long state; ++ const union acpi_object *obj; + struct pci_dev *root; + u8 val; + +@@ -570,10 +573,34 @@ static bool acpi_pci_bridge_d3(struct pc + return false; + + fwnode = acpi_fwnode_handle(adev); +- if (fwnode_property_read_u8(fwnode, "HotPlugSupportInD3", &val)) ++ /* ++ * If the Root Port cannot signal wakeup signals at all, i.e., it ++ * doesn't supply a wakeup GPE via _PRW, it cannot signal hotplug ++ * events from low-power states including D3hot and D3cold. ++ */ ++ if (!adev->wakeup.flags.valid) + return false; + +- return val == 1; ++ /* ++ * If the Root Port cannot wake itself from D3hot or D3cold, we ++ * can't use D3. ++ */ ++ status = acpi_evaluate_integer(adev->handle, "_S0W", NULL, &state); ++ if (ACPI_SUCCESS(status) && state < ACPI_STATE_D3_HOT) ++ return false; ++ ++ /* ++ * The "HotPlugSupportInD3" property in a Root Port _DSD indicates ++ * the Port can signal hotplug events while in D3. We assume any ++ * bridges *below* that Root Port can also signal hotplug events ++ * while in D3. 
++ */ ++ if (!acpi_dev_get_property(adev, "HotPlugSupportInD3", ++ ACPI_TYPE_INTEGER, &obj) && ++ obj->integer.value == 1) ++ return true; ++ ++ return false; + } + + static bool acpi_pci_power_manageable(struct pci_dev *dev) diff --git a/patches.suse/USB-serial-option-add-Quectel-BG95-modem.patch b/patches.suse/USB-serial-option-add-Quectel-BG95-modem.patch new file mode 100644 index 0000000..688c4b4 --- /dev/null +++ b/patches.suse/USB-serial-option-add-Quectel-BG95-modem.patch @@ -0,0 +1,119 @@ +From 33b7af2f459df453feb0d44628d820c47fefe7a8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Carl=20Yin=28=E6=AE=B7=E5=BC=A0=E6=88=90=29?= + +Date: Thu, 19 May 2022 02:34:43 +0000 +Subject: [PATCH] USB: serial: option: add Quectel BG95 modem +Git-commit: 33b7af2f459df453feb0d44628d820c47fefe7a8 +References: git-fixes +Patch-mainline: v5.19-rc1 + +The BG95 modem has 3 USB configurations that are configurable via the AT +command AT+QCFGEXT="usbnet",["ecm"|"modem"|"rmnet"] which make the modem +enumerate with the following interfaces, respectively: + +"modem": Diag + GNSS + Modem + Modem +"ecm" : Diag + GNSS + Modem + ECM +"rmnet": Diag + GNSS + Modem + QMI + Don't support Full QMI messages (e.g WDS_START_NETWORK_INTERFACE) + +A detailed description of the USB configuration for each mode follows: + ++QCFGEXT: "usbnet","modem" +-------------------------- +T: Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=0700 Rev= 0.00 +S: Manufacturer=Quectel, Incorporated +S: Product=Quectel LPWA Module +S: SerialNumber=884328a2 +C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 64 Ivl=2ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fe Prot=ff Driver=option +E: Ad=85(I) Atr=03(Int.) MxPS= 64 Ivl=2ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + ++QCFGEXT: "usbnet","ecm" +------------------------ +T: Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#= 4 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=0700 Rev= 0.00 +S: Manufacturer=Quectel, Incorporated +S: Product=Quectel LPWA Module +S: SerialNumber=884328a2 +C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +A: FirstIf#= 3 IfCount= 2 Cls=02(comm.) Sub=00 Prot=00 +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 64 Ivl=2ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=06 Prot=00 Driver=cdc_ether +E: Ad=85(I) Atr=03(Int.) 
MxPS= 64 Ivl=2ms +I: If#= 4 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +I:* If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + ++QCFGEXT: "usbnet","rmnet" +-------------------------- +T: Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#= 4 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=0700 Rev= 0.00 +S: Manufacturer=Quectel, Incorporated +S: Product=Quectel LPWA Module +S: SerialNumber=884328a2 +C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 64 Ivl=2ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=85(I) Atr=03(Int.) MxPS= 64 Ivl=2ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Carl Yin +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Oliver Neukum +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 1364ce7f0abf..ac444a66e781 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1137,6 +1137,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM12, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, 0x0620, 0xff, 0xff, 0x30) }, /* EM160R-GL */ + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, 0x0620, 0xff, 0, 0) }, ++ { USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, 0x0700, 0xff), /* BG95 */ ++ .driver_info = RSVD(3) | ZLP }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0xff, 0x30) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0xff, 0x10), +-- +2.35.3 + diff --git a/patches.suse/audit-fix-a-race-condition-with-the-auditd-tracking-code.patch b/patches.suse/audit-fix-a-race-condition-with-the-auditd-tracking-code.patch new file mode 100644 index 0000000..2ff25eb --- /dev/null +++ b/patches.suse/audit-fix-a-race-condition-with-the-auditd-tracking-code.patch @@ -0,0 +1,148 @@ +From: Paul Moore +Date: Mon, 12 Jun 2017 09:35:24 -0400 +Subject: [PATCH] audit: fix a race condition with the auditd tracking code +Git-commit: c81be52a3ac0267aa830a2c4cb769030ea3483c9 +References: bsc#1197170 +Patch-mainline: v4.12-rc6 + +Originally reported by Adam and Dusty, it appears we have a small +race window in kauditd_thread(), as documented in the Fedora BZ: + + * https://bugzilla.redhat.com/show_bug.cgi?id=1459326#c35 + + "This issue is partly due to the read-copy nature of RCU, and + partly due to how we sync the auditd_connection state across + kauditd_thread and the audit control channel. 
The kauditd_thread + thread is always running so it can service the record queues and + emit the multicast messages, if it happens to be just past the + "main_queue" label, but before the "if (sk == NULL || ...)" + if-statement which calls auditd_reset() when the new auditd + connection is registered it could end up resetting the auditd + connection, regardless of if it is valid or not. This is a rather + small window and the variable nature of multi-core scheduling + explains why this is proving rather difficult to reproduce." + +The fix is to have functions only call auditd_reset() when they +believe that the kernel/auditd connection is still valid, e.g. +non-NULL, and to have these callers pass their local copy of the +auditd_connection pointer to auditd_reset() where it can be compared +with the current connection state before resetting. If the caller +has a stale state tracking pointer then the reset is ignored. + +We also make a small change to kauditd_thread() so that if the +kernel/auditd connection is dead we skip the retry queue and send the +records straight to the hold queue. This is necessary as we used to +rely on auditd_reset() to occasionally purge the retry queue but we +are going to be calling the reset function much less now and we want +to make sure the retry queue doesn't grow unbounded. + +Reported-by: Adam Williamson +Reported-by: Dusty Mabe +Reviewed-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Acked-by: Enzo Matsumiya +--- + kernel/audit.c | 36 +++++++++++++++++++++++------------- + 1 file changed, 23 insertions(+), 13 deletions(-) + +diff --git a/kernel/audit.c b/kernel/audit.c +index b2e877100242..e1e2b3abfb93 100644 +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -575,12 +575,16 @@ static void kauditd_retry_skb(struct sk_buff *skb) + + /** + * auditd_reset - Disconnect the auditd connection ++ * @ac: auditd connection state + * + * Description: + * Break the auditd/kauditd connection and move all the queued records into the +- * hold queue in case auditd reconnects. ++ * hold queue in case auditd reconnects. It is important to note that the @ac ++ * pointer should never be dereferenced inside this function as it may be NULL ++ * or invalid, you can only compare the memory address! If @ac is NULL then ++ * the connection will always be reset. 
+ */ +-static void auditd_reset(void) ++static void auditd_reset(const struct auditd_connection *ac) + { + unsigned long flags; + struct sk_buff *skb; +@@ -590,6 +594,11 @@ static void auditd_reset(void) + spin_lock_irqsave(&auditd_conn_lock, flags); + ac_old = rcu_dereference_protected(auditd_conn, + lockdep_is_held(&auditd_conn_lock)); ++ if (ac && ac != ac_old) { ++ /* someone already registered a new auditd connection */ ++ spin_unlock_irqrestore(&auditd_conn_lock, flags); ++ return; ++ } + rcu_assign_pointer(auditd_conn, NULL); + spin_unlock_irqrestore(&auditd_conn_lock, flags); + +@@ -649,8 +658,8 @@ static int auditd_send_unicast_skb(struct sk_buff *skb) + return rc; + + err: +- if (rc == -ECONNREFUSED) +- auditd_reset(); ++ if (ac && rc == -ECONNREFUSED) ++ auditd_reset(ac); + return rc; + } + +@@ -795,9 +804,9 @@ static int kauditd_thread(void *dummy) + rc = kauditd_send_queue(sk, portid, + &audit_hold_queue, UNICAST_RETRIES, + NULL, kauditd_rehold_skb); +- if (rc < 0) { ++ if (ac && rc < 0) { + sk = NULL; +- auditd_reset(); ++ auditd_reset(ac); + goto main_queue; + } + +@@ -805,9 +814,9 @@ static int kauditd_thread(void *dummy) + rc = kauditd_send_queue(sk, portid, + &audit_retry_queue, UNICAST_RETRIES, + NULL, kauditd_hold_skb); +- if (rc < 0) { ++ if (ac && rc < 0) { + sk = NULL; +- auditd_reset(); ++ auditd_reset(ac); + goto main_queue; + } + +@@ -815,12 +824,13 @@ static int kauditd_thread(void *dummy) + /* process the main queue - do the multicast send and attempt + * unicast, dump failed record sends to the retry queue; if + * sk == NULL due to previous failures we will just do the +- * multicast send and move the record to the retry queue */ ++ * multicast send and move the record to the hold queue */ + rc = kauditd_send_queue(sk, portid, &audit_queue, 1, + kauditd_send_multicast_skb, +- kauditd_retry_skb); +- if (sk == NULL || rc < 0) +- auditd_reset(); ++ (sk ? ++ kauditd_retry_skb : kauditd_hold_skb)); ++ if (ac && rc < 0) ++ auditd_reset(ac); + sk = NULL; + + /* drop our netns reference, no auditd sends past this line */ +@@ -1230,7 +1240,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + auditd_pid, 1); + + /* unregister the auditd connection */ +- auditd_reset(); ++ auditd_reset(NULL); + } + } + if (s.mask & AUDIT_STATUS_RATE_LIMIT) { +-- +2.35.3 + + diff --git a/patches.suse/bnxt_en-Remove-the-setting-of-dev_port.patch b/patches.suse/bnxt_en-Remove-the-setting-of-dev_port.patch new file mode 100644 index 0000000..5f0e5cd --- /dev/null +++ b/patches.suse/bnxt_en-Remove-the-setting-of-dev_port.patch @@ -0,0 +1,35 @@ +From 8691809d9390c3cdb94785e18488e6315075e0ba Mon Sep 17 00:00:00 2001 +From: Michael Chan +Date: Mon, 27 Jan 2020 04:56:15 -0500 +Subject: [PATCH 1/2] bnxt_en: Remove the setting of dev_port. +References: git-fixes +Git-commit: 1d86859fdf31a0d50cc82b5d0d6bfb5fe98f6c00 +Patch-mainline: v5.6-rc1 + +The dev_port is meant to distinguish the network ports belonging to +the same PCI function. Our devices only have one network port +associated with each PCI function and so we should not set it for +correctness. + +Signed-off-by: Michael Chan +Signed-off-by: David S. 
Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 0f6ba7b412a0..b1dbacc8d6d5 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -6581,7 +6581,6 @@ static int __bnxt_hwrm_func_qcaps(struct bnxt *bp) + + pf->fw_fid = le16_to_cpu(resp->fid); + pf->port_id = le16_to_cpu(resp->port_id); +- bp->dev->dev_port = pf->port_id; + memcpy(pf->mac_addr, resp->mac_address, ETH_ALEN); + pf->first_vf_id = le16_to_cpu(resp->first_vf_id); + pf->max_vfs = le16_to_cpu(resp->max_vfs); +-- +2.16.4 + diff --git a/patches.suse/bonding-fix-bond_neigh_init.patch b/patches.suse/bonding-fix-bond_neigh_init.patch new file mode 100644 index 0000000..41ac810 --- /dev/null +++ b/patches.suse/bonding-fix-bond_neigh_init.patch @@ -0,0 +1,180 @@ +From 858367675a2cfdfebdf644c288f5f12d27b894e0 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Sat, 7 Dec 2019 14:10:34 -0800 +Subject: [PATCH] bonding: fix bond_neigh_init() +Git-commit: 9e99bfefdbce2e23ef37487a3bcb4adf90a791d1 +References: git-fixes +Patch-mainline: v5.5-rc3 + +1) syzbot reported an uninit-value in bond_neigh_setup() [1] + + bond_neigh_setup() uses a temporary on-stack 'struct neigh_parms parms', + but only clears parms.neigh_setup field. + + A stacked bonding device would then enter bond_neigh_setup() + and read garbage from parms->dev. + + If we get really unlucky and garbage is matching @dev, then we + could recurse and eventually crash. + + Let's make sure the whole structure is cleared to avoid surprises. + +2) bond_neigh_setup() can be called while another cpu manipulates + the master device, removing or adding a slave. + We need at least rcu protection to prevent use-after-free. + +Note: Prior code does not support a stack of bonding devices, + this patch does not attempt to fix this, and leave a comment instead. 
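Reduced to its essentials (a sketch only, with the other struct members elided), the fragile partial initialization versus the fix reads:

    struct neigh_parms parms;

    /* before: only two fields cleared, the rest is stack garbage */
    parms.neigh_setup = NULL;
    parms.neigh_cleanup = NULL;

    /* after: clear the whole structure so no field reads as garbage */
    memset(&parms, 0, sizeof(parms));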
+ +[1] + +BUG: KMSAN: uninit-value in bond_neigh_setup+0xa4/0x110 drivers/net/bonding/bond_main.c:3655 +CPU: 0 PID: 11256 Comm: syz-executor.0 Not tainted 5.4.0-rc8-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108 + __msan_warning+0x57/0xa0 mm/kmsan/kmsan_instr.c:245 + bond_neigh_setup+0xa4/0x110 drivers/net/bonding/bond_main.c:3655 + bond_neigh_init+0x216/0x4b0 drivers/net/bonding/bond_main.c:3626 + ___neigh_create+0x169e/0x2c40 net/core/neighbour.c:613 + __neigh_create+0xbd/0xd0 net/core/neighbour.c:674 + ip6_finish_output2+0x149a/0x2670 net/ipv6/ip6_output.c:113 + __ip6_finish_output+0x83d/0x8f0 net/ipv6/ip6_output.c:142 + ip6_finish_output+0x2db/0x420 net/ipv6/ip6_output.c:152 + NF_HOOK_COND include/linux/netfilter.h:294 [inline] + ip6_output+0x5d3/0x720 net/ipv6/ip6_output.c:175 + dst_output include/net/dst.h:436 [inline] + NF_HOOK include/linux/netfilter.h:305 [inline] + mld_sendpack+0xebd/0x13d0 net/ipv6/mcast.c:1682 + mld_send_cr net/ipv6/mcast.c:1978 [inline] + mld_ifc_timer_expire+0x116b/0x1680 net/ipv6/mcast.c:2477 + call_timer_fn+0x232/0x530 kernel/time/timer.c:1404 + expire_timers kernel/time/timer.c:1449 [inline] + __run_timers+0xd60/0x1270 kernel/time/timer.c:1773 + run_timer_softirq+0x2d/0x50 kernel/time/timer.c:1786 + __do_softirq+0x4a1/0x83a kernel/softirq.c:293 + invoke_softirq kernel/softirq.c:375 [inline] + irq_exit+0x230/0x280 kernel/softirq.c:416 + exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:536 + smp_apic_timer_interrupt+0x48/0x70 arch/x86/kernel/apic/apic.c:1138 + apic_timer_interrupt+0x2e/0x40 arch/x86/entry/entry_64.S:835 + +RIP: 0010:kmsan_free_page+0x18d/0x1c0 mm/kmsan/kmsan_shadow.c:439 +Code: 4c 89 ff 44 89 f6 e8 82 0d ee ff 65 ff 0d 9f 26 3b 60 65 8b 05 98 26 3b 60 85 c0 75 24 e8 5b f6 35 ff 4c 89 6d d0 ff 75 d0 9d <48> 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 0f 0b 0f 0b 0f +RSP: 0018:ffffb328034af818 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 +RAX: 0000000000000000 RBX: ffffe2d7471f8360 RCX: 0000000000000000 +RDX: ffffffffadea7000 RSI: 0000000000000004 RDI: ffff93496fcda104 +RBP: ffffb328034af850 R08: ffff934a47e86d00 R09: ffff93496fc41900 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 +R13: 0000000000000246 R14: 0000000000000000 R15: ffffe2d7472225c0 + free_pages_prepare mm/page_alloc.c:1138 [inline] + free_pcp_prepare mm/page_alloc.c:1230 [inline] + free_unref_page_prepare+0x1d9/0x770 mm/page_alloc.c:3025 + free_unref_page mm/page_alloc.c:3074 [inline] + free_the_page mm/page_alloc.c:4832 [inline] + __free_pages+0x154/0x230 mm/page_alloc.c:4840 + __vunmap+0xdac/0xf20 mm/vmalloc.c:2277 + __vfree mm/vmalloc.c:2325 [inline] + vfree+0x7c/0x170 mm/vmalloc.c:2355 + copy_entries_to_user net/ipv6/netfilter/ip6_tables.c:883 [inline] + get_entries net/ipv6/netfilter/ip6_tables.c:1041 [inline] + do_ip6t_get_ctl+0xfa4/0x1030 net/ipv6/netfilter/ip6_tables.c:1709 + nf_sockopt net/netfilter/nf_sockopt.c:104 [inline] + nf_getsockopt+0x481/0x4e0 net/netfilter/nf_sockopt.c:122 + ipv6_getsockopt+0x264/0x510 net/ipv6/ipv6_sockglue.c:1400 + tcp_getsockopt+0x1c6/0x1f0 net/ipv4/tcp.c:3688 + sock_common_getsockopt+0x13f/0x180 net/core/sock.c:3110 + __sys_getsockopt+0x533/0x7b0 net/socket.c:2129 + __do_sys_getsockopt net/socket.c:2144 [inline] + __se_sys_getsockopt+0xe1/0x100 net/socket.c:2141 + __x64_sys_getsockopt+0x62/0x80 
net/socket.c:2141 + do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45d20a +Code: b8 34 01 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 8d 8b fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 6a 8b fb ff c3 66 0f 1f 84 00 00 00 00 00 +RSP: 002b:0000000000a6f618 EFLAGS: 00000212 ORIG_RAX: 0000000000000037 +RAX: ffffffffffffffda RBX: 0000000000a6f640 RCX: 000000000045d20a +RDX: 0000000000000041 RSI: 0000000000000029 RDI: 0000000000000003 +RBP: 0000000000717cc0 R08: 0000000000a6f63c R09: 0000000000004000 +R10: 0000000000a6f740 R11: 0000000000000212 R12: 0000000000000003 +R13: 0000000000000000 R14: 0000000000000029 R15: 0000000000715b00 + +Local variable description: ----parms@bond_neigh_init +Variable was created at: + bond_neigh_init+0x8c/0x4b0 drivers/net/bonding/bond_main.c:3617 + bond_neigh_init+0x8c/0x4b0 drivers/net/bonding/bond_main.c:3617 + +Fixes: 9918d5bf329d ("bonding: modify only neigh_parms owned by us") +Fixes: 234bcf8a499e ("net/bonding: correctly proxy slave neigh param setup ndo function") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Jay Vosburgh +Cc: Veaceslav Falico +Cc: Andy Gospodarek +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/bonding/bond_main.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index a40d4d035777..023f15b4b205 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3654,20 +3654,26 @@ static int bond_neigh_init(struct neighbour *n) + const struct net_device_ops *slave_ops; + struct neigh_parms parms; + struct slave *slave; +- int ret; ++ int ret = 0; + +- slave = bond_first_slave(bond); ++ rcu_read_lock(); ++ slave = bond_first_slave_rcu(bond); + if (!slave) +- return 0; ++ goto out; + slave_ops = slave->dev->netdev_ops; + if (!slave_ops->ndo_neigh_setup) +- return 0; ++ goto out; + +- parms.neigh_setup = NULL; +- parms.neigh_cleanup = NULL; ++ /* TODO: find another way [1] to implement this. ++ * Passing a zeroed structure is fragile, ++ * but at least we do not pass garbage. ++ * ++ * [1] One way would be that ndo_neigh_setup() never touch ++ * struct neigh_parms, but propagate the new neigh_setup() ++ * back to ___neigh_create() / neigh_parms_alloc() ++ */ ++ memset(&parms, 0, sizeof(parms)); + ret = slave_ops->ndo_neigh_setup(slave->dev, &parms); +- if (ret) +- return ret; + + /* Assign slave's neigh_cleanup to neighbour in case cleanup is called + * after the last slave has been detached. 
Assumes that all slaves +@@ -3678,8 +3684,14 @@ static int bond_neigh_init(struct neighbour *n) + + if (!parms.neigh_setup) + return 0; ++ if (ret) ++ goto out; + +- return parms.neigh_setup(n); ++ if (parms.neigh_setup) ++ ret = parms.neigh_setup(n); ++out: ++ rcu_read_unlock(); ++ return ret; + } + + /* The bonding ndo_neigh_setup is called at init time beofre any +-- +2.16.4 + diff --git a/patches.suse/crypto-qat-disable-registration-of-algorithms.patch b/patches.suse/crypto-qat-disable-registration-of-algorithms.patch new file mode 100644 index 0000000..59fa196 --- /dev/null +++ b/patches.suse/crypto-qat-disable-registration-of-algorithms.patch @@ -0,0 +1,44 @@ +From 8893d27ffcaf6ec6267038a177cb87bcde4dd3de Mon Sep 17 00:00:00 2001 +From: Giovanni Cabiddu +Date: Fri, 4 Mar 2022 17:54:47 +0000 +Subject: [PATCH] crypto: qat - disable registration of algorithms +Git-commit: 8893d27ffcaf6ec6267038a177cb87bcde4dd3de +Patch-mainline: v5.18-rc1 +References: git-fixes + +The implementations of aead and skcipher in the QAT driver do not +support properly requests with the CRYPTO_TFM_REQ_MAY_BACKLOG flag set. +If the HW queue is full, the driver returns -EBUSY but does not enqueue +the request. +This can result in applications like dm-crypt waiting indefinitely for a +completion of a request that was never submitted to the hardware. + +To avoid this problem, disable the registration of all crypto algorithms +in the QAT driver by setting the number of crypto instances to 0 at +configuration time. + +Cc: stable@vger.kernel.org +Signed-off-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Torsten Duwe + +--- + drivers/crypto/qat/qat_common/qat_crypto.c | 7 +++++++ + 2 files changed, 14 insertions(+) + +--- a/drivers/crypto/qat/qat_common/qat_crypto.c ++++ b/drivers/crypto/qat/qat_common/qat_crypto.c +@@ -170,6 +170,13 @@ int qat_crypto_dev_config(struct adf_acc + goto err; + if (adf_cfg_section_add(accel_dev, "Accelerator0")) + goto err; ++ /* Temporarily set the number of crypto instances to zero to avoid ++ * registering the crypto algorithms. ++ * This will be removed when the algorithms will support the ++ * CRYPTO_TFM_REQ_MAY_BACKLOG flag ++ */ ++ instances = 0; ++ + for (i = 0; i < instances; i++) { + val = i; + snprintf(key, sizeof(key), ADF_CY "%d" ADF_RING_BANK_NUM, i); diff --git a/patches.suse/crypto-qat-fix-memory-leak-in-RSA.patch b/patches.suse/crypto-qat-fix-memory-leak-in-RSA.patch new file mode 100644 index 0000000..95d97f3 --- /dev/null +++ b/patches.suse/crypto-qat-fix-memory-leak-in-RSA.patch @@ -0,0 +1,49 @@ +From 80a52e1ee7757b742f96bfb0d58f0c14eb6583d0 Mon Sep 17 00:00:00 2001 +From: Giovanni Cabiddu +Date: Mon, 9 May 2022 14:34:11 +0100 +Subject: [PATCH] crypto: qat - fix memory leak in RSA +Git-commit: 80a52e1ee7757b742f96bfb0d58f0c14eb6583d0 +Patch-mainline: v5.19-rc1 +References: git-fixes + +When an RSA key represented in form 2 (as defined in PKCS #1 V2.1) is +used, some components of the private key persist even after the TFM is +released. +Replace the explicit calls to free the buffers in qat_rsa_exit_tfm() +with a call to qat_rsa_clear_ctx() which frees all buffers referenced in +the TFM context. 
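In outline (a hedged sketch with the context abbreviated), the change trades a hand-maintained list of frees for one helper that owns the complete cleanup:

    /* before: n, e and d are freed individually; the CRT components of
     * a form-2 key are never on this list, so they leak
     */
    if (ctx->n)
        dma_free_coherent(dev, ctx->key_sz, ctx->n, ctx->dma_n);
    /* ... likewise for ctx->e and ctx->d ... */

    /* after: one helper frees every key buffer referenced by the ctx */
    qat_rsa_clear_ctx(dev, ctx);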
+ +Cc: stable@vger.kernel.org +Fixes: 879f77e9071f ("crypto: qat - Add RSA CRT mode") +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Adam Guerin +Reviewed-by: Wojciech Ziemba +Signed-off-by: Herbert Xu +Signed-off-by: Torsten Duwe + +--- + drivers/crypto/qat/qat_common/qat_asym_algs.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +--- a/drivers/crypto/qat/qat_common/qat_asym_algs.c ++++ b/drivers/crypto/qat/qat_common/qat_asym_algs.c +@@ -1286,18 +1286,8 @@ static void qat_rsa_exit_tfm(struct cryp + struct qat_rsa_ctx *ctx = akcipher_tfm_ctx(tfm); + struct device *dev = &GET_DEV(ctx->inst->accel_dev); + +- if (ctx->n) +- dma_free_coherent(dev, ctx->key_sz, ctx->n, ctx->dma_n); +- if (ctx->e) +- dma_free_coherent(dev, ctx->key_sz, ctx->e, ctx->dma_e); +- if (ctx->d) { +- memset(ctx->d, '\0', ctx->key_sz); +- dma_free_coherent(dev, ctx->key_sz, ctx->d, ctx->dma_d); +- } ++ qat_rsa_clear_ctx(dev, ctx); + qat_crypto_put_instance(ctx->inst); +- ctx->n = NULL; +- ctx->e = NULL; +- ctx->d = NULL; + } + + static struct akcipher_alg rsa = { diff --git a/patches.suse/crypto-qat-remove-dma_free_coherent-for-DH.patch b/patches.suse/crypto-qat-remove-dma_free_coherent-for-DH.patch new file mode 100644 index 0000000..e0d3e34 --- /dev/null +++ b/patches.suse/crypto-qat-remove-dma_free_coherent-for-DH.patch @@ -0,0 +1,176 @@ +From 029aa4624a7fe35233bdd3d1354dc7be260380bf Mon Sep 17 00:00:00 2001 +From: Giovanni Cabiddu +Date: Mon, 9 May 2022 14:34:13 +0100 +Subject: [PATCH] crypto: qat - remove dma_free_coherent() for DH +Git-commit: 029aa4624a7fe35233bdd3d1354dc7be260380bf +Patch-mainline: v5.19-rc1 +References: git-fixes + +The function qat_dh_compute_value() allocates memory with +dma_alloc_coherent() if the source or the destination buffers are made +of multiple flat buffers or of a size that is not compatible with the +hardware. +This memory is then freed with dma_free_coherent() in the context of a +tasklet invoked to handle the response for the corresponding request. + +According to Documentation/core-api/dma-api-howto.rst, the function +dma_free_coherent() cannot be called in an interrupt context. + +Replace the allocations done with dma_alloc_coherent() in the function +qat_dh_compute_value() with kmalloc() + dma_map_single(). + +Cc: stable@vger.kernel.org +Fixes: c9839143ebbf ("crypto: qat - Add DH support") +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Adam Guerin +Reviewed-by: Wojciech Ziemba +Signed-off-by: Herbert Xu +Signed-off-by: Torsten Duwe + +--- + drivers/crypto/qat/qat_common/qat_asym_algs.c | 83 ++++++++----------- + 1 file changed, 34 insertions(+), 49 deletions(-) + +--- a/drivers/crypto/qat/qat_common/qat_asym_algs.c ++++ b/drivers/crypto/qat/qat_common/qat_asym_algs.c +@@ -193,26 +193,21 @@ static void qat_dh_cb(struct icp_qat_fw_ + err = (err == ICP_QAT_FW_COMN_STATUS_FLAG_OK) ?
0 : -EINVAL; + + if (areq->src) { +- if (req->src_align) +- dma_free_coherent(dev, req->ctx.dh->p_size, +- req->src_align, req->in.dh.in.b); +- else +- dma_unmap_single(dev, req->in.dh.in.b, +- req->ctx.dh->p_size, DMA_TO_DEVICE); ++ dma_unmap_single(dev, req->in.dh.in.b, req->ctx.dh->p_size, ++ DMA_TO_DEVICE); ++ kzfree(req->src_align); + } + + areq->dst_len = req->ctx.dh->p_size; + if (req->dst_align) { + scatterwalk_map_and_copy(req->dst_align, areq->dst, 0, + areq->dst_len, 1); +- +- dma_free_coherent(dev, req->ctx.dh->p_size, req->dst_align, +- req->out.dh.r); +- } else { +- dma_unmap_single(dev, req->out.dh.r, req->ctx.dh->p_size, +- DMA_FROM_DEVICE); ++ kzfree(req->dst_align); + } + ++ dma_unmap_single(dev, req->out.dh.r, req->ctx.dh->p_size, ++ DMA_FROM_DEVICE); ++ + dma_unmap_single(dev, req->phy_in, sizeof(struct qat_dh_input_params), + DMA_TO_DEVICE); + dma_unmap_single(dev, req->phy_out, +@@ -265,6 +260,7 @@ static int qat_dh_compute_value(struct k + struct icp_qat_fw_pke_request *msg = &qat_req->req; + int ret, ctr = 0; + int n_input_params = 0; ++ u8 *vaddr; + + if (unlikely(!ctx->xa)) + return -EINVAL; +@@ -321,27 +317,24 @@ static int qat_dh_compute_value(struct k + */ + if (sg_is_last(req->src) && req->src_len == ctx->p_size) { + qat_req->src_align = NULL; +- qat_req->in.dh.in.b = dma_map_single(dev, +- sg_virt(req->src), +- req->src_len, +- DMA_TO_DEVICE); +- if (unlikely(dma_mapping_error(dev, +- qat_req->in.dh.in.b))) +- return ret; +- ++ vaddr = sg_virt(req->src); + } else { + int shift = ctx->p_size - req->src_len; + +- qat_req->src_align = dma_zalloc_coherent(dev, +- ctx->p_size, +- &qat_req->in.dh.in.b, +- GFP_KERNEL); ++ qat_req->src_align = kzalloc(ctx->p_size, GFP_KERNEL); + if (unlikely(!qat_req->src_align)) + return ret; + + scatterwalk_map_and_copy(qat_req->src_align + shift, + req->src, 0, req->src_len, 0); ++ ++ vaddr = qat_req->src_align; + } ++ ++ qat_req->in.dh.in.b = dma_map_single(dev, vaddr, ctx->p_size, ++ DMA_TO_DEVICE); ++ if (unlikely(dma_mapping_error(dev, qat_req->in.dh.in.b))) ++ goto unmap_src; + } + /* + * dst can be of any size in valid range, but HW expects it to be the +@@ -352,20 +345,18 @@ static int qat_dh_compute_value(struct k + */ + if (sg_is_last(req->dst) && req->dst_len == ctx->p_size) { + qat_req->dst_align = NULL; +- qat_req->out.dh.r = dma_map_single(dev, sg_virt(req->dst), +- req->dst_len, +- DMA_FROM_DEVICE); +- +- if (unlikely(dma_mapping_error(dev, qat_req->out.dh.r))) +- goto unmap_src; +- ++ vaddr = sg_virt(req->dst); + } else { +- qat_req->dst_align = dma_zalloc_coherent(dev, ctx->p_size, +- &qat_req->out.dh.r, +- GFP_KERNEL); ++ qat_req->dst_align = kzalloc(ctx->p_size, GFP_KERNEL); + if (unlikely(!qat_req->dst_align)) + goto unmap_src; ++ ++ vaddr = qat_req->dst_align; + } ++ qat_req->out.dh.r = dma_map_single(dev, vaddr, ctx->p_size, ++ DMA_FROM_DEVICE); ++ if (unlikely(dma_mapping_error(dev, qat_req->out.dh.r))) ++ goto unmap_dst; + + qat_req->in.dh.in_tab[n_input_params] = 0; + qat_req->out.dh.out_tab[1] = 0; +@@ -405,23 +396,17 @@ unmap_in_params: + sizeof(struct qat_dh_input_params), + DMA_TO_DEVICE); + unmap_dst: +- if (qat_req->dst_align) +- dma_free_coherent(dev, ctx->p_size, qat_req->dst_align, +- qat_req->out.dh.r); +- else +- if (!dma_mapping_error(dev, qat_req->out.dh.r)) +- dma_unmap_single(dev, qat_req->out.dh.r, ctx->p_size, +- DMA_FROM_DEVICE); ++ if (!dma_mapping_error(dev, qat_req->out.dh.r)) ++ dma_unmap_single(dev, qat_req->out.dh.r, ctx->p_size, ++ DMA_FROM_DEVICE); ++ kzfree(qat_req->dst_align); + 
unmap_src: + if (req->src) { +- if (qat_req->src_align) +- dma_free_coherent(dev, ctx->p_size, qat_req->src_align, +- qat_req->in.dh.in.b); +- else +- if (!dma_mapping_error(dev, qat_req->in.dh.in.b)) +- dma_unmap_single(dev, qat_req->in.dh.in.b, +- ctx->p_size, +- DMA_TO_DEVICE); ++ if (!dma_mapping_error(dev, qat_req->in.dh.in.b)) ++ dma_unmap_single(dev, qat_req->in.dh.in.b, ++ ctx->p_size, ++ DMA_TO_DEVICE); ++ kzfree(qat_req->src_align); + } + return ret; + } diff --git a/patches.suse/crypto-qat-remove-dma_free_coherent-for-RSA.patch b/patches.suse/crypto-qat-remove-dma_free_coherent-for-RSA.patch new file mode 100644 index 0000000..0f47cc4 --- /dev/null +++ b/patches.suse/crypto-qat-remove-dma_free_coherent-for-RSA.patch @@ -0,0 +1,264 @@ +From 3dfaf0071ed74d7a9c6b3c9ea4df7a6f8e423c2a Mon Sep 17 00:00:00 2001 +From: Giovanni Cabiddu +Date: Mon, 9 May 2022 14:34:12 +0100 +Subject: [PATCH] crypto: qat - remove dma_free_coherent() for RSA +Git-commit: 3dfaf0071ed74d7a9c6b3c9ea4df7a6f8e423c2a +Patch-mainline: v5.19-rc1 +References: git-fixes + +After commit f5ff79fddf0e ("dma-mapping: remove CONFIG_DMA_REMAP"), if +the algorithms are enabled, the driver crashes with a BUG_ON while +executing vunmap() in the context of a tasklet. This is due to the fact +that the function dma_free_coherent() cannot be called in an interrupt +context (see Documentation/core-api/dma-api-howto.rst). + +The functions qat_rsa_enc() and qat_rsa_dec() allocate memory with +dma_alloc_coherent() if the source or the destination buffers are made +of multiple flat buffers or of a size that is not compatible with the +hardware. +This memory is then freed with dma_free_coherent() in the context of a +tasklet invoked to handle the response for the corresponding request. + +Replace allocations with dma_alloc_coherent() in the functions +qat_rsa_enc() and qat_rsa_dec() with kmalloc() + dma_map_single(). + +Cc: stable@vger.kernel.org +Fixes: a990532023b9 ("crypto: qat - Add support for RSA algorithm") +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Adam Guerin +Reviewed-by: Wojciech Ziemba +Signed-off-by: Herbert Xu +Signed-off-by: Torsten Duwe + +--- + drivers/crypto/qat/qat_common/qat_asym_algs.c | 137 ++++++++---------- + 1 file changed, 60 insertions(+), 77 deletions(-) + +--- a/drivers/crypto/qat/qat_common/qat_asym_algs.c ++++ b/drivers/crypto/qat/qat_common/qat_asym_algs.c +@@ -563,25 +563,22 @@ static void qat_rsa_cb(struct icp_qat_fw + + err = (err == ICP_QAT_FW_COMN_STATUS_FLAG_OK) ? 
0 : -EINVAL; + +- if (req->src_align) +- dma_free_coherent(dev, req->ctx.rsa->key_sz, req->src_align, +- req->in.rsa.enc.m); +- else +- dma_unmap_single(dev, req->in.rsa.enc.m, req->ctx.rsa->key_sz, +- DMA_TO_DEVICE); ++ kzfree(req->src_align); ++ ++ dma_unmap_single(dev, req->in.rsa.enc.m, req->ctx.rsa->key_sz, ++ DMA_TO_DEVICE); + + areq->dst_len = req->ctx.rsa->key_sz; + if (req->dst_align) { + scatterwalk_map_and_copy(req->dst_align, areq->dst, 0, + areq->dst_len, 1); + +- dma_free_coherent(dev, req->ctx.rsa->key_sz, req->dst_align, +- req->out.rsa.enc.c); +- } else { +- dma_unmap_single(dev, req->out.rsa.enc.c, req->ctx.rsa->key_sz, +- DMA_FROM_DEVICE); ++ kzfree(req->dst_align); + } + ++ dma_unmap_single(dev, req->out.rsa.enc.c, req->ctx.rsa->key_sz, ++ DMA_FROM_DEVICE); ++ + dma_unmap_single(dev, req->phy_in, sizeof(struct qat_rsa_input_params), + DMA_TO_DEVICE); + dma_unmap_single(dev, req->phy_out, +@@ -695,6 +692,7 @@ static int qat_rsa_enc(struct akcipher_r + struct qat_asym_request *qat_req = + PTR_ALIGN(akcipher_request_ctx(req), 64); + struct icp_qat_fw_pke_request *msg = &qat_req->req; ++ u8 *vaddr; + int ret, ctr = 0; + + if (unlikely(!ctx->n || !ctx->e)) +@@ -732,40 +730,39 @@ static int qat_rsa_enc(struct akcipher_r + */ + if (sg_is_last(req->src) && req->src_len == ctx->key_sz) { + qat_req->src_align = NULL; +- qat_req->in.rsa.enc.m = dma_map_single(dev, sg_virt(req->src), +- req->src_len, DMA_TO_DEVICE); +- if (unlikely(dma_mapping_error(dev, qat_req->in.rsa.enc.m))) +- return ret; +- ++ vaddr = sg_virt(req->src); + } else { + int shift = ctx->key_sz - req->src_len; + +- qat_req->src_align = dma_zalloc_coherent(dev, ctx->key_sz, +- &qat_req->in.rsa.enc.m, +- GFP_KERNEL); ++ qat_req->src_align = kzalloc(ctx->key_sz, GFP_KERNEL); + if (unlikely(!qat_req->src_align)) + return ret; + + scatterwalk_map_and_copy(qat_req->src_align + shift, req->src, + 0, req->src_len, 0); ++ vaddr = qat_req->src_align; + } +- if (sg_is_last(req->dst) && req->dst_len == ctx->key_sz) { +- qat_req->dst_align = NULL; +- qat_req->out.rsa.enc.c = dma_map_single(dev, sg_virt(req->dst), +- req->dst_len, +- DMA_FROM_DEVICE); + +- if (unlikely(dma_mapping_error(dev, qat_req->out.rsa.enc.c))) +- goto unmap_src; ++ qat_req->in.rsa.enc.m = dma_map_single(dev, vaddr, ctx->key_sz, ++ DMA_TO_DEVICE); ++ if (unlikely(dma_mapping_error(dev, qat_req->in.rsa.enc.m))) ++ goto unmap_src; + ++ if (sg_is_last(req->dst) && req->dst_len == ctx->key_sz) { ++ qat_req->dst_align = NULL; ++ vaddr = sg_virt(req->dst); + } else { +- qat_req->dst_align = dma_zalloc_coherent(dev, ctx->key_sz, +- &qat_req->out.rsa.enc.c, +- GFP_KERNEL); ++ qat_req->dst_align = kzalloc(ctx->key_sz, GFP_KERNEL); + if (unlikely(!qat_req->dst_align)) + goto unmap_src; +- ++ vaddr = qat_req->dst_align; + } ++ ++ qat_req->out.rsa.enc.c = dma_map_single(dev, vaddr, ctx->key_sz, ++ DMA_FROM_DEVICE); ++ if (unlikely(dma_mapping_error(dev, qat_req->out.rsa.enc.c))) ++ goto unmap_dst; ++ + qat_req->in.rsa.in_tab[3] = 0; + qat_req->out.rsa.out_tab[1] = 0; + qat_req->phy_in = dma_map_single(dev, &qat_req->in.rsa.enc.m, +@@ -802,21 +799,15 @@ unmap_in_params: + sizeof(struct qat_rsa_input_params), + DMA_TO_DEVICE); + unmap_dst: +- if (qat_req->dst_align) +- dma_free_coherent(dev, ctx->key_sz, qat_req->dst_align, +- qat_req->out.rsa.enc.c); +- else +- if (!dma_mapping_error(dev, qat_req->out.rsa.enc.c)) +- dma_unmap_single(dev, qat_req->out.rsa.enc.c, +- ctx->key_sz, DMA_FROM_DEVICE); ++ if (!dma_mapping_error(dev, qat_req->out.rsa.enc.c)) ++ 
dma_unmap_single(dev, qat_req->out.rsa.enc.c, ++ ctx->key_sz, DMA_FROM_DEVICE); ++ kzfree(qat_req->dst_align); + unmap_src: +- if (qat_req->src_align) +- dma_free_coherent(dev, ctx->key_sz, qat_req->src_align, +- qat_req->in.rsa.enc.m); +- else +- if (!dma_mapping_error(dev, qat_req->in.rsa.enc.m)) +- dma_unmap_single(dev, qat_req->in.rsa.enc.m, +- ctx->key_sz, DMA_TO_DEVICE); ++ if (!dma_mapping_error(dev, qat_req->in.rsa.enc.m)) ++ dma_unmap_single(dev, qat_req->in.rsa.enc.m, ctx->key_sz, ++ DMA_TO_DEVICE); ++ kzfree(qat_req->src_align); + return ret; + } + +@@ -829,6 +820,7 @@ static int qat_rsa_dec(struct akcipher_r + struct qat_asym_request *qat_req = + PTR_ALIGN(akcipher_request_ctx(req), 64); + struct icp_qat_fw_pke_request *msg = &qat_req->req; ++ u8 *vaddr; + int ret, ctr = 0; + + if (unlikely(!ctx->n || !ctx->d)) +@@ -876,40 +868,37 @@ static int qat_rsa_dec(struct akcipher_r + */ + if (sg_is_last(req->src) && req->src_len == ctx->key_sz) { + qat_req->src_align = NULL; +- qat_req->in.rsa.dec.c = dma_map_single(dev, sg_virt(req->src), +- req->dst_len, DMA_TO_DEVICE); +- if (unlikely(dma_mapping_error(dev, qat_req->in.rsa.dec.c))) +- return ret; +- ++ vaddr = sg_virt(req->src); + } else { + int shift = ctx->key_sz - req->src_len; + +- qat_req->src_align = dma_zalloc_coherent(dev, ctx->key_sz, +- &qat_req->in.rsa.dec.c, +- GFP_KERNEL); ++ qat_req->src_align = kzalloc(ctx->key_sz, GFP_KERNEL); + if (unlikely(!qat_req->src_align)) + return ret; + + scatterwalk_map_and_copy(qat_req->src_align + shift, req->src, + 0, req->src_len, 0); ++ vaddr = qat_req->src_align; + } +- if (sg_is_last(req->dst) && req->dst_len == ctx->key_sz) { +- qat_req->dst_align = NULL; +- qat_req->out.rsa.dec.m = dma_map_single(dev, sg_virt(req->dst), +- req->dst_len, +- DMA_FROM_DEVICE); + +- if (unlikely(dma_mapping_error(dev, qat_req->out.rsa.dec.m))) +- goto unmap_src; ++ qat_req->in.rsa.dec.c = dma_map_single(dev, vaddr, ctx->key_sz, ++ DMA_TO_DEVICE); ++ if (unlikely(dma_mapping_error(dev, qat_req->in.rsa.dec.c))) ++ goto unmap_src; + ++ if (sg_is_last(req->dst) && req->dst_len == ctx->key_sz) { ++ qat_req->dst_align = NULL; ++ vaddr = sg_virt(req->dst); + } else { +- qat_req->dst_align = dma_zalloc_coherent(dev, ctx->key_sz, +- &qat_req->out.rsa.dec.m, +- GFP_KERNEL); ++ qat_req->dst_align = kzalloc(ctx->key_sz, GFP_KERNEL); + if (unlikely(!qat_req->dst_align)) + goto unmap_src; +- ++ vaddr = qat_req->dst_align; + } ++ qat_req->out.rsa.dec.m = dma_map_single(dev, vaddr, ctx->key_sz, ++ DMA_FROM_DEVICE); ++ if (unlikely(dma_mapping_error(dev, qat_req->out.rsa.dec.m))) ++ goto unmap_dst; + + if (ctx->crt_mode) + qat_req->in.rsa.in_tab[6] = 0; +@@ -954,21 +943,15 @@ unmap_in_params: + sizeof(struct qat_rsa_input_params), + DMA_TO_DEVICE); + unmap_dst: +- if (qat_req->dst_align) +- dma_free_coherent(dev, ctx->key_sz, qat_req->dst_align, +- qat_req->out.rsa.dec.m); +- else +- if (!dma_mapping_error(dev, qat_req->out.rsa.dec.m)) +- dma_unmap_single(dev, qat_req->out.rsa.dec.m, +- ctx->key_sz, DMA_FROM_DEVICE); ++ if (!dma_mapping_error(dev, qat_req->out.rsa.dec.m)) ++ dma_unmap_single(dev, qat_req->out.rsa.dec.m, ++ ctx->key_sz, DMA_FROM_DEVICE); ++ kzfree(qat_req->dst_align); + unmap_src: +- if (qat_req->src_align) +- dma_free_coherent(dev, ctx->key_sz, qat_req->src_align, +- qat_req->in.rsa.dec.c); +- else +- if (!dma_mapping_error(dev, qat_req->in.rsa.dec.c)) +- dma_unmap_single(dev, qat_req->in.rsa.dec.c, +- ctx->key_sz, DMA_TO_DEVICE); ++ if (!dma_mapping_error(dev, qat_req->in.rsa.dec.c)) ++ 
dma_unmap_single(dev, qat_req->in.rsa.dec.c, ctx->key_sz, ++ DMA_TO_DEVICE); ++ kzfree(qat_req->src_align); + return ret; + } + diff --git a/patches.suse/crypto-qat-set-to-zero-DH-parameters-before-free.patch b/patches.suse/crypto-qat-set-to-zero-DH-parameters-before-free.patch new file mode 100644 index 0000000..98c90ff --- /dev/null +++ b/patches.suse/crypto-qat-set-to-zero-DH-parameters-before-free.patch @@ -0,0 +1,46 @@ +From 1731160ff7c7bbb11bb1aacb14dd25e18d522779 Mon Sep 17 00:00:00 2001 +From: Giovanni Cabiddu +Date: Mon, 9 May 2022 14:19:27 +0100 +Subject: [PATCH] crypto: qat - set to zero DH parameters before free +Git-commit: 1731160ff7c7bbb11bb1aacb14dd25e18d522779 +Patch-mainline: v5.19-rc1 +References: git-fixes + +Set to zero the context buffers containing the DH key before they are +freed. +This is a defense in depth measure that avoids keys to be recovered from +memory in case the system is compromised between the free of the buffer +and when that area of memory (containing keys) gets overwritten. + +Cc: stable@vger.kernel.org +Fixes: c9839143ebbf ("crypto: qat - Add DH support") +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Adam Guerin +Reviewed-by: Wojciech Ziemba +Signed-off-by: Herbert Xu +Signed-off-by: Torsten Duwe + +--- + drivers/crypto/qat/qat_common/qat_asym_algs.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/crypto/qat/qat_common/qat_asym_algs.c ++++ b/drivers/crypto/qat/qat_common/qat_asym_algs.c +@@ -470,14 +470,17 @@ static int qat_dh_set_params(struct qat_ + static void qat_dh_clear_ctx(struct device *dev, struct qat_dh_ctx *ctx) + { + if (ctx->g) { ++ memset(ctx->g, 0, ctx->p_size); + dma_free_coherent(dev, ctx->p_size, ctx->g, ctx->dma_g); + ctx->g = NULL; + } + if (ctx->xa) { ++ memset(ctx->xa, 0, ctx->p_size); + dma_free_coherent(dev, ctx->p_size, ctx->xa, ctx->dma_xa); + ctx->xa = NULL; + } + if (ctx->p) { ++ memset(ctx->p, 0, ctx->p_size); + dma_free_coherent(dev, ctx->p_size, ctx->p, ctx->dma_p); + ctx->p = NULL; + } diff --git a/patches.suse/ibmvnic-Properly-dispose-of-all-skbs-during-a-failov.patch b/patches.suse/ibmvnic-Properly-dispose-of-all-skbs-during-a-failov.patch new file mode 100644 index 0000000..bd49f52 --- /dev/null +++ b/patches.suse/ibmvnic-Properly-dispose-of-all-skbs-during-a-failov.patch @@ -0,0 +1,45 @@ +From 1b18f09d31cfa7148df15a7d5c5e0e86f105f7d1 Mon Sep 17 00:00:00 2001 +From: Rick Lindsley +Date: Sat, 2 Jul 2022 03:37:12 -0700 +Subject: [PATCH] ibmvnic: Properly dispose of all skbs during a failover. +References: bsc#1200925 +Git-commit: 1b18f09d31cfa7148df15a7d5c5e0e86f105f7d1 +Patch-mainline: v5.19-rc1 + +During a reset, there may have been transmits in flight that are no +longer valid and cannot be fulfilled. Resetting and clearing the +queues is insufficient; each skb also needs to be explicitly freed +so that upper levels are not left waiting for confirmation of a +transmit that will never happen. If this happens frequently enough, +the apparent backlog will cause TCP to begin "congestion control" +unnecessarily, culminating in permanently decreased throughput. + +Fixes: d7c0ef36bde03 ("ibmvnic: Free and re-allocate scrqs when tx/rx scrqs change") +Tested-by: Nick Child +Reviewed-by: Brian King +Signed-off-by: Rick Lindsley +Signed-off-by: David S. 
Miller +Acked-by: Ali Abdallah +Acked-by: Michal Suchanek +--- + drivers/net/ethernet/ibm/ibmvnic.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -5772,6 +5772,15 @@ static int ibmvnic_reset_init(struct ibm + release_sub_crqs(adapter, 0); + rc = init_sub_crqs(adapter); + } else { ++ /* no need to reinitialize completely, but we do ++ * need to clean up transmits that were in flight ++ * when we processed the reset. Failure to do so ++ * will confound the upper layer, usually TCP, by ++ * creating the illusion of transmits that are ++ * awaiting completion. ++ */ ++ clean_tx_pools(adapter); ++ + rc = reset_sub_crq_queues(adapter); + } + } else { diff --git a/patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch b/patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch new file mode 100644 index 0000000..13433c2 --- /dev/null +++ b/patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch @@ -0,0 +1,199 @@ +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:15:58 +0200 +Subject: intel_idle: Disable IBRS during long idle +Git-commit: bf5835bcdb9635c97f85120dba9bfa21e111130f +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Having IBRS enabled while the SMT sibling is idle unnecessarily slows +down the running sibling. OTOH, disabling IBRS around idle takes two +MSR writes, which will increase the idle latency. + +Therefore, only disable IBRS around deeper idle states. Shallow idle +states are bounded by the tick in duration, since NOHZ is not allowed +for them by virtue of their short target residency. + +Only do this for mwait-driven idle, since that keeps interrupts disabled +across idle, which makes disabling IBRS vs IRQ-entry a non-issue. + +Note: C6 is a random threshold, most importantly C1 probably shouldn't +disable IBRS, benchmarking needed. + +Suggested-by: Tim Chen +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/include/asm/nospec-branch.h | 1 + arch/x86/kernel/cpu/bugs.c | 6 +++ + drivers/idle/intel_idle.c | 64 +++++++++++++++++++++++++++++++---- + 3 files changed, 65 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -345,6 +345,7 @@ static inline void unrestrict_branch_spe + /* The Intel SPEC CTRL MSR base value cache */ + extern u64 x86_spec_ctrl_base; + extern void write_spec_ctrl_current(u64 val, bool force); ++extern u64 spec_ctrl_current(void); + + /* + * With retpoline, we must use IBRS to restrict branch prediction +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -76,6 +76,12 @@ void write_spec_ctrl_current(u64 val, bo + wrmsrl(MSR_IA32_SPEC_CTRL, val); + } + ++u64 spec_ctrl_current(void) ++{ ++ return this_cpu_read(x86_spec_ctrl_current); ++} ++EXPORT_SYMBOL_GPL(spec_ctrl_current); ++ + /* + * The vendor and possibly platform specific bits which can be modified in + * x86_spec_ctrl_base. 
+--- a/drivers/idle/intel_idle.c ++++ b/drivers/idle/intel_idle.c +@@ -56,11 +56,13 @@ + #include + #include + #include ++#include + #include + #include + #include + #include + #include ++#include + #include + #include + +@@ -101,6 +103,12 @@ static void intel_idle_freeze(struct cpu + static struct cpuidle_state *cpuidle_state_table; + + /* ++ * Disable IBRS across idle (when KERNEL_IBRS), is exclusive vs IRQ_ENABLE ++ * above. ++ */ ++#define CPUIDLE_FLAG_IBRS BIT(16) ++ ++/* + * Set this flag for states where the HW flushes the TLB for us + * and so we don't need cross-calls to keep it consistent. + * If this flag is set, SW flushes the TLB, so even if the +@@ -616,7 +624,7 @@ static struct cpuidle_state skl_cstates[ + { + .name = "C6", + .desc = "MWAIT 0x20", +- .flags = MWAIT2flg(0x20) | CPUIDLE_FLAG_TLB_FLUSHED, ++ .flags = MWAIT2flg(0x20) | CPUIDLE_FLAG_TLB_FLUSHED | CPUIDLE_FLAG_IBRS, + .exit_latency = 85, + .target_residency = 200, + .enter = &intel_idle, +@@ -624,7 +632,7 @@ static struct cpuidle_state skl_cstates[ + { + .name = "C7s", + .desc = "MWAIT 0x33", +- .flags = MWAIT2flg(0x33) | CPUIDLE_FLAG_TLB_FLUSHED, ++ .flags = MWAIT2flg(0x33) | CPUIDLE_FLAG_TLB_FLUSHED | CPUIDLE_FLAG_IBRS, + .exit_latency = 124, + .target_residency = 800, + .enter = &intel_idle, +@@ -632,7 +640,7 @@ static struct cpuidle_state skl_cstates[ + { + .name = "C8", + .desc = "MWAIT 0x40", +- .flags = MWAIT2flg(0x40) | CPUIDLE_FLAG_TLB_FLUSHED, ++ .flags = MWAIT2flg(0x40) | CPUIDLE_FLAG_TLB_FLUSHED | CPUIDLE_FLAG_IBRS, + .exit_latency = 200, + .target_residency = 800, + .enter = &intel_idle, +@@ -640,7 +648,7 @@ static struct cpuidle_state skl_cstates[ + { + .name = "C9", + .desc = "MWAIT 0x50", +- .flags = MWAIT2flg(0x50) | CPUIDLE_FLAG_TLB_FLUSHED, ++ .flags = MWAIT2flg(0x50) | CPUIDLE_FLAG_TLB_FLUSHED | CPUIDLE_FLAG_IBRS, + .exit_latency = 480, + .target_residency = 5000, + .enter = &intel_idle, +@@ -648,7 +656,7 @@ static struct cpuidle_state skl_cstates[ + { + .name = "C10", + .desc = "MWAIT 0x60", +- .flags = MWAIT2flg(0x60) | CPUIDLE_FLAG_TLB_FLUSHED, ++ .flags = MWAIT2flg(0x60) | CPUIDLE_FLAG_TLB_FLUSHED | CPUIDLE_FLAG_IBRS, + .exit_latency = 890, + .target_residency = 5000, + .enter = &intel_idle, +@@ -677,7 +685,7 @@ static struct cpuidle_state skx_cstates[ + { + .name = "C6", + .desc = "MWAIT 0x20", +- .flags = MWAIT2flg(0x20) | CPUIDLE_FLAG_TLB_FLUSHED, ++ .flags = MWAIT2flg(0x20) | CPUIDLE_FLAG_TLB_FLUSHED | CPUIDLE_FLAG_IBRS, + .exit_latency = 133, + .target_residency = 600, + .enter = &intel_idle, +@@ -934,6 +942,46 @@ static __cpuidle int intel_idle(struct c + return index; + } + ++/* ++ * MWAIT takes an 8-bit "hint" in EAX "suggesting" ++ * the C-state (top nibble) and sub-state (bottom nibble) ++ * 0x00 means "MWAIT(C1)", 0x10 means "MWAIT(C2)" etc. ++ * ++ * We store the hint at the top of our "flags" for each state. 
++ */ ++#define flg2MWAIT(flags) (((flags) >> 24) & 0xFF) ++#define MWAIT2flg(eax) ((eax & 0xFF) << 24) ++ ++static __always_inline int __intel_idle(struct cpuidle_device *dev, ++ struct cpuidle_driver *drv, int index) ++{ ++ struct cpuidle_state *state = &drv->states[index]; ++ unsigned long eax = flg2MWAIT(state->flags); ++ unsigned long ecx = 1; /* break on interrupt flag */ ++ ++ mwait_idle_with_hints(eax, ecx); ++ ++ return index; ++} ++ ++static __cpuidle int intel_idle_ibrs(struct cpuidle_device *dev, ++ struct cpuidle_driver *drv, int index) ++{ ++ bool smt_active = sched_smt_active(); ++ u64 spec_ctrl = spec_ctrl_current(); ++ int ret; ++ ++ if (smt_active) ++ wrmsrl(MSR_IA32_SPEC_CTRL, 0); ++ ++ ret = __intel_idle(dev, drv, index); ++ ++ if (smt_active) ++ wrmsrl(MSR_IA32_SPEC_CTRL, spec_ctrl); ++ ++ return ret; ++} ++ + /** + * intel_idle_freeze - simplified "enter" callback routine for suspend-to-idle + * @dev: cpuidle_device +@@ -1366,6 +1414,10 @@ static void __init intel_idle_cpuidle_dr + continue; + } + ++ if (cpu_feature_enabled(X86_FEATURE_USE_IBRS) && ++ cpuidle_state_table[cstate].flags & CPUIDLE_FLAG_IBRS) { ++ drv->states[drv->state_count].enter = intel_idle_ibrs; ++ } + + if (((mwait_cstate + 1) > 2) && + !boot_cpu_has(X86_FEATURE_NONSTOP_TSC)) diff --git a/patches.suse/net-Rename-and-export-copy_skb_header.patch b/patches.suse/net-Rename-and-export-copy_skb_header.patch index 4f1d720..69f29e0 100644 --- a/patches.suse/net-Rename-and-export-copy_skb_header.patch +++ b/patches.suse/net-Rename-and-export-copy_skb_header.patch @@ -3,7 +3,7 @@ Date: Mon, 30 Apr 2018 10:16:11 +0300 Subject: net: Rename and export copy_skb_header Patch-mainline: v4.18-rc1 Git-commit: 08303c189581c985e60f588ad92a041e46b6e307 -References: bsc#1109837 +References: bsc#1200762, CVE-2022-33741, XSA-403 copy_skb_header is renamed to skb_copy_header and exported. Exposing this function give more flexibility diff --git a/patches.suse/net-ll_temac-Fix-TX-BD-buffer-overwrite.patch b/patches.suse/net-ll_temac-Fix-TX-BD-buffer-overwrite.patch new file mode 100644 index 0000000..9358519 --- /dev/null +++ b/patches.suse/net-ll_temac-Fix-TX-BD-buffer-overwrite.patch @@ -0,0 +1,40 @@ +From b17e852f839620fb4d7e45f5f16688d01b5d3dc0 Mon Sep 17 00:00:00 2001 +From: Esben Haabendal +Date: Fri, 18 Jun 2021 12:52:33 +0200 +Subject: [PATCH 3/3] net: ll_temac: Fix TX BD buffer overwrite +References: git-fixes +Git-commit: c364df2489b8ef2f5e3159b1dff1ff1fdb16040d +Patch-mainline: v5.13-rc7 + +Just as the initial check, we need to ensure num_frag+1 buffers available, +as that is the number of buffers we are going to use. + +This fixes a buffer overflow, which might be seen during heavy network +load. Complete lockup of TEMAC was reproducible within about 10 minutes of +a particular load. + +Fixes: 84823ff80f74 ("net: ll_temac: Fix race condition causing TX hang") +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Esben Haabendal +Signed-off-by: David S. 
Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c +index 1fbebdeb513f..37ad5a58ee07 100644 +--- a/drivers/net/ethernet/xilinx/ll_temac_main.c ++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c +@@ -701,7 +701,7 @@ static int temac_start_xmit(struct sk_buff *skb, struct net_device *ndev) + smp_mb(); + + /* Space might have just been freed - check again */ +- if (temac_check_tx_bd_space(lp, num_frag)) ++ if (temac_check_tx_bd_space(lp, num_frag + 1)) + return NETDEV_TX_BUSY; + + netif_wake_queue(ndev); +-- +2.16.4 + diff --git a/patches.suse/net-ll_temac-Fix-bug-causing-buffer-descriptor-overr.patch b/patches.suse/net-ll_temac-Fix-bug-causing-buffer-descriptor-overr.patch new file mode 100644 index 0000000..346422a --- /dev/null +++ b/patches.suse/net-ll_temac-Fix-bug-causing-buffer-descriptor-overr.patch @@ -0,0 +1,35 @@ +From a0a4f75c7da0fb5894de92947a632a18966922a1 Mon Sep 17 00:00:00 2001 +From: Esben Haabendal +Date: Tue, 30 Apr 2019 09:17:56 +0200 +Subject: [PATCH 1/3] net: ll_temac: Fix bug causing buffer descriptor overrun +References: git-fixes +Git-commit: 2c9938e738a273ba315679781a9990c7d3b1831b +Patch-mainline: v5.2-rc1 + +As we are actually using a BD for both the skb and each frag contained in +it, the oldest TX BD would be overwritten when there was exactly one BD +less than needed. + +Signed-off-by: Esben Haabendal +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c +index d73da8afe08e..83a1b46bafb7 100644 +--- a/drivers/net/ethernet/xilinx/ll_temac_main.c ++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c +@@ -688,7 +688,7 @@ static int temac_start_xmit(struct sk_buff *skb, struct net_device *ndev) + start_p = lp->tx_bd_p + sizeof(*lp->tx_bd_v) * lp->tx_bd_tail; + cur_p = &lp->tx_bd_v[lp->tx_bd_tail]; + +- if (temac_check_tx_bd_space(lp, num_frag)) { ++ if (temac_check_tx_bd_space(lp, num_frag + 1)) { + if (!netif_queue_stopped(ndev)) + netif_stop_queue(ndev); + return NETDEV_TX_BUSY; +-- +2.16.4 + diff --git a/patches.suse/net-ll_temac-Fix-race-condition-causing-TX-hang.patch b/patches.suse/net-ll_temac-Fix-race-condition-causing-TX-hang.patch new file mode 100644 index 0000000..547ec8f --- /dev/null +++ b/patches.suse/net-ll_temac-Fix-race-condition-causing-TX-hang.patch @@ -0,0 +1,68 @@ +From ab4e577ee31a052ec2a95c00cdc14fa18b4a214d Mon Sep 17 00:00:00 2001 +From: Esben Haabendal +Date: Fri, 21 Feb 2020 07:47:21 +0100 +Subject: [PATCH 2/3] net: ll_temac: Fix race condition causing TX hang +References: git-fixes +Git-commit: 84823ff80f7403752b59e00bb198724100dc611c +Patch-mainline: v5.6-rc4 + +It is possible that the interrupt handler fires and frees up space in +the TX ring in between checking for sufficient TX ring space and +stopping the TX queue in temac_start_xmit. If this happens, the +queue wake from the interrupt handler will occur before the queue is +stopped, causing a lost wakeup and the adapter's transmit hanging. + +To avoid this, after stopping the queue, check again whether there is +sufficient space in the TX ring. If so, wake up the queue again. 
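The resulting shape is the classic stop/barrier/re-check idiom, sketched here with a made-up ring_has_room() predicate (the driver's real check is temac_check_tx_bd_space(), which has the inverted sense):

    if (!ring_has_room(lp, num_frag + 1)) {
        netif_stop_queue(ndev);
        /* pairs with the barrier in the TX completion handler */
        smp_mb();
        /* a completion may have freed space between check and stop */
        if (!ring_has_room(lp, num_frag + 1))
            return NETDEV_TX_BUSY;
        netif_wake_queue(ndev);  /* space appeared after all: undo the stop */
    }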
+ +This is a port of the similar fix in axienet driver, +commit 7de44285c1f6 ("net: axienet: Fix race condition causing TX hang"). + +Fixes: 23ecc4bde21f ("net: ll_temac: fix checksum offload logic") +Signed-off-by: Esben Haabendal +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + drivers/net/ethernet/xilinx/ll_temac_main.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c +index 83a1b46bafb7..1fbebdeb513f 100644 +--- a/drivers/net/ethernet/xilinx/ll_temac_main.c ++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c +@@ -648,6 +648,9 @@ static void temac_start_xmit_done(struct net_device *ndev) + stat = cur_p->app0; + } + ++ /* Matches barrier in temac_start_xmit */ ++ smp_mb(); ++ + netif_wake_queue(ndev); + } + +@@ -689,9 +692,19 @@ static int temac_start_xmit(struct sk_buff *skb, struct net_device *ndev) + cur_p = &lp->tx_bd_v[lp->tx_bd_tail]; + + if (temac_check_tx_bd_space(lp, num_frag + 1)) { +- if (!netif_queue_stopped(ndev)) +- netif_stop_queue(ndev); +- return NETDEV_TX_BUSY; ++ if (netif_queue_stopped(ndev)) ++ return NETDEV_TX_BUSY; ++ ++ netif_stop_queue(ndev); ++ ++ /* Matches barrier in temac_start_xmit_done */ ++ smp_mb(); ++ ++ /* Space might have just been freed - check again */ ++ if (temac_check_tx_bd_space(lp, num_frag)) ++ return NETDEV_TX_BUSY; ++ ++ netif_wake_queue(ndev); + } + + cur_p->app0 = 0; +-- +2.16.4 + diff --git a/patches.suse/net-mlx5-Avoid-double-free-of-root-ns-in-the-error-f.patch b/patches.suse/net-mlx5-Avoid-double-free-of-root-ns-in-the-error-f.patch new file mode 100644 index 0000000..768c569 --- /dev/null +++ b/patches.suse/net-mlx5-Avoid-double-free-of-root-ns-in-the-error-f.patch @@ -0,0 +1,64 @@ +From 0e48dad5d222ded06b83c3cb25d2421eeaf7a997 Mon Sep 17 00:00:00 2001 +From: Parav Pandit +Date: Thu, 9 May 2019 17:23:24 -0500 +Subject: [PATCH] net/mlx5: Avoid double free of root ns in the error flow path +Git-commit: 905f6bd30bb6c244f97cdf5fb5d55cf263844490 +References: git-fixes +Patch-mainline: v5.2-rc3 + +When root ns setup for rdma, sniffer tx and sniffer rx fails, +such root ns cleanup is done by the error unwinding path of +mlx5_cleanup_fs(). +Below call graph shows an example for sniffer_rx_root_ns. + +mlx5_init_fs() + init_sniffer_rx_root_ns() + cleanup_root_ns(steering->sniffer_rx_root_ns); +mlx5_cleanup_fs() + cleanup_root_ns(steering->sniffer_rx_root_ns); + /* double free of sniffer_rx_root_ns */ + +Hence, use the existing cleanup_fs to cleanup. 
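+
+The resulting init helpers (a sketch of the shape; the exact hunks are
+below) return the early-error status without freeing anything, leaving
+all root-ns teardown to the single cleanup path in mlx5_cleanup_fs():
+
+	static int init_sniffer_rx_root_ns(struct mlx5_flow_steering *steering)
+	{
+		struct fs_prio *prio;
+
+		/* ... create sniffer_rx_root_ns ... */
+
+		prio = fs_create_prio(&steering->sniffer_rx_root_ns->ns, 0, 1);
+		/* No cleanup_root_ns() here; mlx5_cleanup_fs() frees it once. */
+		return PTR_ERR_OR_ZERO(prio);
+	}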
+
+Fixes: d83eb50e29de3 ("net/mlx5: Add support in RDMA RX steering")
+Fixes: 87d22483ce68e ("net/mlx5: Add sniffer namespaces")
+Signed-off-by: Parav Pandit
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+index c617e800e113..a91b0f1bfd69 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -2447,11 +2447,7 @@ static int init_sniffer_tx_root_ns(struct mlx5_flow_steering *steering)
+ 
+ 	/* Create single prio */
+ 	prio = fs_create_prio(&steering->sniffer_tx_root_ns->ns, 0, 1);
+-	if (IS_ERR(prio)) {
+-		cleanup_root_ns(steering->sniffer_tx_root_ns);
+-		return PTR_ERR(prio);
+-	}
+-	return 0;
++	return PTR_ERR_OR_ZERO(prio);
+ }
+ 
+ static int init_sniffer_rx_root_ns(struct mlx5_flow_steering *steering)
+@@ -2464,11 +2460,7 @@ static int init_sniffer_rx_root_ns(struct mlx5_flow_steering *steering)
+ 
+ 	/* Create single prio */
+ 	prio = fs_create_prio(&steering->sniffer_rx_root_ns->ns, 0, 1);
+-	if (IS_ERR(prio)) {
+-		cleanup_root_ns(steering->sniffer_rx_root_ns);
+-		return PTR_ERR(prio);
+-	}
+-	return 0;
++	return PTR_ERR_OR_ZERO(prio);
+ }
+ 
+ static int init_fdb_root_ns(struct mlx5_flow_steering *steering)
+-- 
+2.16.4
+
diff --git a/patches.suse/net-mlx5e-Switch-to-Toeplitz-RSS-hash-by-default.patch b/patches.suse/net-mlx5e-Switch-to-Toeplitz-RSS-hash-by-default.patch
new file mode 100644
index 0000000..7c99f60
--- /dev/null
+++ b/patches.suse/net-mlx5e-Switch-to-Toeplitz-RSS-hash-by-default.patch
@@ -0,0 +1,45 @@
+From 207628d844e94af4d0434b470dd0ecac0d412c78 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov
+Date: Fri, 31 Aug 2018 14:29:16 +0300
+Subject: [PATCH] net/mlx5e: Switch to Toeplitz RSS hash by default
+Git-commit: 7ee2ace9c544a0886e02b54b625e521df8692d20
+References: git-fixes
+Patch-mainline: v5.1-rc6
+
+Although the XOR hash function can perform very well in some special use
+cases, to align with all drivers the mlx5 driver should use Toeplitz hash
+by default.
+Toeplitz is more stable for the general use case and it is more standard
+and reliable.
+
+On top of that, XOR (MLX5_RX_HASH_FN_INVERTED_XOR8) yields only a
+repeated 8-bit pattern. When used for UDP tunneling RSS source port
+manipulation it results in a fixed source port, which will cause bad RSS
+spread.
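+
+A toy model of the behaviour described above (illustrative only, not
+the device's actual hash function):
+
+	/* Folding the flow tuple with XOR collapses it to 8 bits, so the
+	 * 32-bit "hash" is one byte repeated - far too little entropy to
+	 * derive a well-spread tunnel source port from.
+	 */
+	static u32 xor8_hash(const u8 *tuple, size_t len)
+	{
+		u8 h = 0;
+		size_t i;
+
+		for (i = 0; i < len; i++)
+			h ^= tuple[i];
+
+		return h | (u32)h << 8 | (u32)h << 16 | (u32)h << 24;
+	}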
+
+Fixes: 2be6967cdbc9 ("net/mlx5e: Support ETH_RSS_HASH_XOR")
+Signed-off-by: Konstantin Khlebnikov
+Reviewed-by: Tariq Toukan
+Signed-off-by: Moshe Shemesh
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 6a2fd035d943..ed862fa63c57 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -4558,7 +4558,7 @@ void mlx5e_build_rq_params(struct mlx5_core_dev *mdev,
+ 
+ void mlx5e_build_rss_params(struct mlx5e_params *params)
+ {
+-	params->rss_hfunc = ETH_RSS_HASH_XOR;
++	params->rss_hfunc = ETH_RSS_HASH_TOP;
+ 	netdev_rss_key_fill(params->toeplitz_hash_key, sizeof(params->toeplitz_hash_key));
+ 	mlx5e_build_default_indir_rqt(params->indirection_rqt,
+ 				      MLX5E_INDIR_RQT_SIZE, params->num_channels);
+-- 
+2.16.4
+
diff --git a/patches.suse/net-rose-fix-UAF-bugs-caused-by-timer-handler.patch b/patches.suse/net-rose-fix-UAF-bugs-caused-by-timer-handler.patch
new file mode 100644
index 0000000..93752fe
--- /dev/null
+++ b/patches.suse/net-rose-fix-UAF-bugs-caused-by-timer-handler.patch
@@ -0,0 +1,257 @@
+From 9cc02ede696272c5271a401e4f27c262359bc2f6 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou
+Date: Wed, 29 Jun 2022 08:26:40 +0800
+Subject: [PATCH] net: rose: fix UAF bugs caused by timer handler
+Git-commit: 9cc02ede696272c5271a401e4f27c262359bc2f6
+Patch-mainline: v5.19-rc5
+References: CVE-2022-2318 bsc#1201251
+
+There are UAF bugs in rose_heartbeat_expiry(), rose_timer_expiry()
+and rose_idletimer_expiry(). The root cause is that del_timer()
+cannot stop a timer handler that is already running, and the refcount
+of sock is not managed properly.
+
+One of the UAF bugs is shown below:
+
+   (thread 1)             |        (thread 2)
+                          |  rose_bind
+                          |  rose_connect
+                          |    rose_start_heartbeat
+rose_release              |  (wait a time)
+  case ROSE_STATE_0       |
+  rose_destroy_socket     |  rose_heartbeat_expiry
+    rose_stop_heartbeat   |
+    sock_put(sk)          |    ...
+    sock_put(sk) // FREE  |
+                          |    bh_lock_sock(sk) // USE
+
+The sock is deallocated by sock_put() in rose_release() and
+then used by bh_lock_sock() in rose_heartbeat_expiry().
+
+Although rose_destroy_socket() calls rose_stop_heartbeat(),
+it cannot stop a timer that is already running.
+
+The KASAN report triggered by POC is shown below:
+
+BUG: KASAN: use-after-free in _raw_spin_lock+0x5a/0x110
+Write of size 4 at addr ffff88800ae59098 by task swapper/3/0
+...
+Call Trace:
+ <IRQ>
+ dump_stack_lvl+0xbf/0xee
+ print_address_description+0x7b/0x440
+ print_report+0x101/0x230
+ ? irq_work_single+0xbb/0x140
+ ? _raw_spin_lock+0x5a/0x110
+ kasan_report+0xed/0x120
+ ? _raw_spin_lock+0x5a/0x110
+ kasan_check_range+0x2bd/0x2e0
+ _raw_spin_lock+0x5a/0x110
+ rose_heartbeat_expiry+0x39/0x370
+ ? rose_start_heartbeat+0xb0/0xb0
+ call_timer_fn+0x2d/0x1c0
+ ? rose_start_heartbeat+0xb0/0xb0
+ expire_timers+0x1f3/0x320
+ __run_timers+0x3ff/0x4d0
+ run_timer_softirq+0x41/0x80
+ __do_softirq+0x233/0x544
+ irq_exit_rcu+0x41/0xa0
+ sysvec_apic_timer_interrupt+0x8c/0xb0
+ </IRQ>
+ <TASK>
+ asm_sysvec_apic_timer_interrupt+0x1b/0x20
+RIP: 0010:default_idle+0xb/0x10
+RSP: 0018:ffffc9000012fea0 EFLAGS: 00000202
+RAX: 000000000000bcae RBX: ffff888006660f00 RCX: 000000000000bcae
+RDX: 0000000000000001 RSI: ffffffff843a11c0 RDI: ffffffff843a1180
+RBP: dffffc0000000000 R08: dffffc0000000000 R09: ffffed100da36d46
+R10: dfffe9100da36d47 R11: ffffffff83cf0950 R12: 0000000000000000
+R13: 1ffff11000ccc1e0 R14: ffffffff8542af28 R15: dffffc0000000000
+...
+Allocated by task 146:
+ __kasan_kmalloc+0xc4/0xf0
+ sk_prot_alloc+0xdd/0x1a0
+ sk_alloc+0x2d/0x4e0
+ rose_create+0x7b/0x330
+ __sock_create+0x2dd/0x640
+ __sys_socket+0xc7/0x270
+ __x64_sys_socket+0x71/0x80
+ do_syscall_64+0x43/0x90
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Freed by task 152:
+ kasan_set_track+0x4c/0x70
+ kasan_set_free_info+0x1f/0x40
+ ____kasan_slab_free+0x124/0x190
+ kfree+0xd3/0x270
+ __sk_destruct+0x314/0x460
+ rose_release+0x2fa/0x3b0
+ sock_close+0xcb/0x230
+ __fput+0x2d9/0x650
+ task_work_run+0xd6/0x160
+ exit_to_user_mode_loop+0xc7/0xd0
+ exit_to_user_mode_prepare+0x4e/0x80
+ syscall_exit_to_user_mode+0x20/0x40
+ do_syscall_64+0x4f/0x90
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+This patch adds refcount of sock when we use functions
+such as rose_start_heartbeat() and so on to start timer,
+and decreases the refcount of sock when timer is finished
+or deleted by functions such as rose_stop_heartbeat()
+and so on. As a result, the UAF bugs could be mitigated.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Duoming Zhou
+Tested-by: Duoming Zhou
+Link: https://lore.kernel.org/r/20220629002640.5693-1-duoming@zju.edu.cn
+Signed-off-by: Paolo Abeni
+Acked-by: Takashi Iwai
+
+---
+ net/rose/rose_timer.c | 34 +++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+--- a/net/rose/rose_timer.c
++++ b/net/rose/rose_timer.c
+@@ -34,95 +34,95 @@ static void rose_idletimer_expiry(unsign
+ 
+ void rose_start_heartbeat(struct sock *sk)
+ {
+-	del_timer(&sk->sk_timer);
++	sk_stop_timer(sk, &sk->sk_timer);
+ 
+ 	sk->sk_timer.data     = (unsigned long)sk;
+ 	sk->sk_timer.function = &rose_heartbeat_expiry;
+ 	sk->sk_timer.expires  = jiffies + 5 * HZ;
+ 
+-	add_timer(&sk->sk_timer);
++	sk_reset_timer(sk, &sk->sk_timer, sk->sk_timer.expires);
+ }
+ 
+ void rose_start_t1timer(struct sock *sk)
+ {
+ 	struct rose_sock *rose = rose_sk(sk);
+ 
+-	del_timer(&rose->timer);
++	sk_stop_timer(sk, &rose->timer);
+ 
+ 	rose->timer.data     = (unsigned long)sk;
+ 	rose->timer.function = &rose_timer_expiry;
+ 	rose->timer.expires  = jiffies + rose->t1;
+ 
+-	add_timer(&rose->timer);
++	sk_reset_timer(sk, &rose->timer, rose->timer.expires);
+ }
+ 
+ void rose_start_t2timer(struct sock *sk)
+ {
+ 	struct rose_sock *rose = rose_sk(sk);
+ 
+-	del_timer(&rose->timer);
++	sk_stop_timer(sk, &rose->timer);
+ 
+ 	rose->timer.data     = (unsigned long)sk;
+ 	rose->timer.function = &rose_timer_expiry;
+ 	rose->timer.expires  = jiffies + rose->t2;
+ 
+-	add_timer(&rose->timer);
++	sk_reset_timer(sk, &rose->timer, rose->timer.expires);
+ }
+ 
+ void rose_start_t3timer(struct sock *sk)
+ {
+ 	struct rose_sock *rose = rose_sk(sk);
+ 
+-	del_timer(&rose->timer);
++	sk_stop_timer(sk, &rose->timer);
+ 
+ 	rose->timer.data     = (unsigned long)sk;
+ 	rose->timer.function = &rose_timer_expiry;
+ 	rose->timer.expires  = jiffies + rose->t3;
+ 
+-	
add_timer(&rose->timer); ++ sk_reset_timer(sk, &rose->timer, rose->timer.expires); + } + + void rose_start_hbtimer(struct sock *sk) + { + struct rose_sock *rose = rose_sk(sk); + +- del_timer(&rose->timer); ++ sk_stop_timer(sk, &rose->timer); + + rose->timer.data = (unsigned long)sk; + rose->timer.function = &rose_timer_expiry; + rose->timer.expires = jiffies + rose->hb; + +- add_timer(&rose->timer); ++ sk_reset_timer(sk, &rose->timer, rose->timer.expires); + } + + void rose_start_idletimer(struct sock *sk) + { + struct rose_sock *rose = rose_sk(sk); + +- del_timer(&rose->idletimer); ++ sk_stop_timer(sk, &rose->idletimer); + + if (rose->idle > 0) { + rose->idletimer.data = (unsigned long)sk; + rose->idletimer.function = &rose_idletimer_expiry; + rose->idletimer.expires = jiffies + rose->idle; + +- add_timer(&rose->idletimer); ++ sk_reset_timer(sk, &rose->idletimer, rose->idletimer.expires); + } + } + + void rose_stop_heartbeat(struct sock *sk) + { +- del_timer(&sk->sk_timer); ++ sk_stop_timer(sk, &sk->sk_timer); + } + + void rose_stop_timer(struct sock *sk) + { +- del_timer(&rose_sk(sk)->timer); ++ sk_stop_timer(sk, &rose_sk(sk)->timer); + } + + void rose_stop_idletimer(struct sock *sk) + { +- del_timer(&rose_sk(sk)->idletimer); ++ sk_stop_timer(sk, &rose_sk(sk)->idletimer); + } + + static void rose_heartbeat_expiry(unsigned long param) +@@ -139,6 +139,7 @@ static void rose_heartbeat_expiry(unsign + (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) { + bh_unlock_sock(sk); + rose_destroy_socket(sk); ++ sock_put(sk); + return; + } + break; +@@ -161,6 +162,7 @@ static void rose_heartbeat_expiry(unsign + + rose_start_heartbeat(sk); + bh_unlock_sock(sk); ++ sock_put(sk); + } + + static void rose_timer_expiry(unsigned long param) +@@ -190,6 +192,7 @@ static void rose_timer_expiry(unsigned l + break; + } + bh_unlock_sock(sk); ++ sock_put(sk); + } + + static void rose_idletimer_expiry(unsigned long param) +@@ -213,4 +216,5 @@ static void rose_idletimer_expiry(unsign + sock_set_flag(sk, SOCK_DEAD); + } + bh_unlock_sock(sk); ++ sock_put(sk); + } diff --git a/patches.suse/net-stmmac-fix-missing-IFF_MULTICAST-check-in-dwmac4.patch b/patches.suse/net-stmmac-fix-missing-IFF_MULTICAST-check-in-dwmac4.patch new file mode 100644 index 0000000..923cc8b --- /dev/null +++ b/patches.suse/net-stmmac-fix-missing-IFF_MULTICAST-check-in-dwmac4.patch @@ -0,0 +1,41 @@ +From eb3b7d9ed388c0057cfd877d4e4dd86dfb733070 Mon Sep 17 00:00:00 2001 +From: "Verma, Aashish" +Date: Fri, 7 Feb 2020 15:33:54 +0800 +Subject: [PATCH 2/2] net: stmmac: fix missing IFF_MULTICAST check in + dwmac4_set_filter +References: git-fixes +Git-commit: 2ba31cd93784b61813226d259fd94a221ecd9d61 +Patch-mainline: v5.6-rc1 + +Without checking for IFF_MULTICAST flag, it is wrong to assume multicast +filtering is always enabled. By checking against IFF_MULTICAST, now +the driver behaves correctly when the multicast support is toggled by below +command:- + ip link set multicast off|on + +Fixes: 477286b53f55 ("stmmac: add GMAC4 core support") +Signed-off-by: Verma, Aashish +Tested-by: Tan, Tee Min +Signed-off-by: Ong Boon Leong +Signed-off-by: David S. 
Miller
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index f4c60a98fc48..899c9c0b17ae 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -410,7 +410,7 @@ static void dwmac4_set_filter(struct mac_device_info *hw,
+ 		 */
+ 		writel(0xffffffff, ioaddr + GMAC_HASH_TAB_0_31);
+ 		writel(0xffffffff, ioaddr + GMAC_HASH_TAB_32_63);
+-	} else if (!netdev_mc_empty(dev)) {
++	} else if (!netdev_mc_empty(dev) && (dev->flags & IFF_MULTICAST)) {
+ 		u32 mc_filter[2];
+ 		struct netdev_hw_addr *ha;
+ 
+-- 
+2.16.4
+
diff --git a/patches.suse/net-stmmac-update-rx-tail-pointer-register-to-fix-rx.patch b/patches.suse/net-stmmac-update-rx-tail-pointer-register-to-fix-rx.patch
new file mode 100644
index 0000000..19e9825
--- /dev/null
+++ b/patches.suse/net-stmmac-update-rx-tail-pointer-register-to-fix-rx.patch
@@ -0,0 +1,39 @@
+From c2e6acb44c6a85de10544a6d6be3237bb3e87c98 Mon Sep 17 00:00:00 2001
+From: Denis Kirjanov
+Date: Fri, 1 Jul 2022 17:28:33 +0300
+Subject: [PATCH] net: stmmac: update rx tail pointer register to fix rx dma
+ hang issue.
+Git-commit: 4523a5611526709ec9b4e2574f1bb7818212651e
+References: git-fixes
+Patch-mainline: v5.2-rc3
+
+Currently we do not update the receive descriptor tail pointer in
+stmmac_rx_refill. The RX DMA will think there are no available
+descriptors and stop once the received packets exceed DMA_RX_SIZE,
+so the rx-only test will fail.
+
+Update the receive tail pointer in stmmac_rx_refill to add more
+descriptors to the rx channel, so packets can be received continually.
+
+Fixes: 54139cf3bb33 ("net: stmmac: adding multiple buffers for rx")
+Signed-off-by: Biao Huang
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Kirjanov
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 23fd6c22778c..b2a313ef33ec 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3334,6 +3334,7 @@ static inline void stmmac_rx_refill(struct stmmac_priv *priv, u32 queue)
+ 		entry = STMMAC_GET_ENTRY(entry, DMA_RX_SIZE);
+ 	}
+ 	rx_q->dirty_rx = entry;
++	priv->hw->dma->set_rx_tail_ptr(priv->ioaddr, rx_q->rx_tail_addr, queue);
+ }
+ 
+ /**
+-- 
+2.16.4
+
diff --git a/patches.suse/net-usb-ax88179_178a-Fix-packet-receiving.patch b/patches.suse/net-usb-ax88179_178a-Fix-packet-receiving.patch
new file mode 100644
index 0000000..2205bad
--- /dev/null
+++ b/patches.suse/net-usb-ax88179_178a-Fix-packet-receiving.patch
@@ -0,0 +1,234 @@
+From f8ebb3ac881b17712e1d5967c97ab1806b16d3d6 Mon Sep 17 00:00:00 2001
+From: Jose Alonso
+Date: Tue, 28 Jun 2022 12:13:02 -0300
+Subject: [PATCH] net: usb: ax88179_178a: Fix packet receiving
+Git-commit: f8ebb3ac881b17712e1d5967c97ab1806b16d3d6
+References: git-fixes
+Patch-mainline: v5.19-rc5
+
+This patch corrects packet receiving in ax88179_rx_fixup.
+
+- problem observed:
+  ifconfig always shows a lot of 'RX Errors' while packets
+  are received normally.
+
+  This occurs because ax88179_rx_fixup does not properly recognise
+  the USB URB it received.
+  The packets are normally processed and at the end, the code exits
+  with 'return 0', generating RX Errors.
+  (pkt_cnt==-2 and pkt_hdr over field rx_hdr trying to identify
+  another packet there)
+
+  This is a USB URB received by "tcpdump -i usbmon2 -X" on a
+  little-endian CPU:
+  0x0000: eeee f8e3 3b19 87a0 94de 80e3 daac 0800
+          ^ packet 1 start (pkt_len = 0x05ec)
+          ^^^^ IP alignment pseudo header
+               ^ ethernet packet start
+                       last byte ethernet packet  v
+                       padding (8-bytes aligned)     vvvv vvvv
+  0x05e0: c92d d444 1420 8a69 83dd 272f e82b 9811
+  0x05f0: eeee f8e3 3b19 87a0 94de 80e3 daac 0800
+  ...     ^ packet 2
+  0x0be0: eeee f8e3 3b19 87a0 94de 80e3 daac 0800
+  ...
+  0x1130: 9d41 9171 8a38 0ec5 eeee f8e3 3b19 87a0
+  ...
+  0x1720: 8cfc 15ff 5e4c e85c eeee f8e3 3b19 87a0
+  ...
+  0x1d10: ecfa 2a3a 19ab c78c eeee f8e3 3b19 87a0
+  ...
+  0x2070: eeee f8e3 3b19 87a0 94de 80e3 daac 0800
+  ...     ^ packet 7
+  0x2120: 7c88 4ca5 5c57 7dcc 0d34 7577 f778 7e0a
+  0x2130: f032 e093 7489 0740 3008 ec05 0000 0080
+                              ====1==== ====2====
+                              hdr_off ^
+                              pkt_len = 0x05ec    ^^^^
+                              AX_RXHDR_*=0x00830  ^^^^ ^
+                              pkt_len = 0                  ^^^^
+                              AX_RXHDR_DROP_ERR=0x80000000 ^^^^ ^
+  0x2140: 3008 ec05 0000 0080 3008 5805 0000 0080
+  0x2150: 3008 ec05 0000 0080 3008 ec05 0000 0080
+  0x2160: 3008 5803 0000 0080 3008 c800 0000 0080
+          ===11==== ===12==== ===13==== ===14====
+  0x2170: 0000 0000 0e00 3821
+                    ^^^^ ^^^^ rx_hdr
+                    ^^^^ pkt_cnt=14
+                         ^^^^ hdr_off=0x2138
+          ^^^^ ^^^^ padding
+
+  The dump shows that pkt_cnt is the number of entries in the
+  per-packet metadata. It is "2 * packet count".
+  Each packet has two entries. The first has a valid
+  value (pkt_len and AX_RXHDR_*) and the second has a
+  dummy-header 0x80000000 (pkt_len=0 with AX_RXHDR_DROP_ERR).
+  Why does a dummy-header exist for each packet?!?
+  My guess is that this was done probably to align the
+  entry for each packet to 64-bits and maintain compatibility
+  with old firmware.
+  There is also a padding (0x00000000) before the rx_hdr to
+  align the end of rx_hdr to 64-bit.
+  Note that packets have an alignment of 64-bits (8-bytes).
+
+  This patch assumes that the dummy-header and the last
+  padding are optional. So it preserves semantics and
+  recognises the same valid packets as the current code.
+
+  This patch was made using only the dumpfile information and
+  tested with only one device:
+  0b95:1790 ASIX Electronics Corp. AX88179 Gigabit Ethernet
+
+Fixes: 57bc3d3ae8c1 ("net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup")
+Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver")
+Signed-off-by: Jose Alonso
+Acked-by: Paolo Abeni
+Link: https://lore.kernel.org/r/d6970bb04bf67598af4d316eaeb1792040b18cfd.camel@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Oliver Neukum
+---
+ drivers/net/usb/ax88179_178a.c | 101 +++++++++++++++++++++++++--------
+ 1 file changed, 76 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
+index 4704ed6f00ef..ac2d400d1d6c 100644
+--- a/drivers/net/usb/ax88179_178a.c
++++ b/drivers/net/usb/ax88179_178a.c
+@@ -1472,6 +1472,42 @@ static int ax88179_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ 	 * are bundled into this buffer and where we can find an array of
+ 	 * per-packet metadata (which contains elements encoded into u16).
+ 	 */
++
++	/* SKB contents for current firmware:
++	 *
++	 * <packet 1> <padding>
++	 * ...
++	 * <packet N> <padding>
++	 * <per-packet metadata entry 1> <dummy header>
++	 * ...
++	 * <per-packet metadata entry N> <dummy header>
++	 * <padding2> <rx_hdr>
++	 *
++	 * where:
++	 * <packet N> contains pkt_len bytes:
++	 *		2 bytes of IP alignment pseudo header
++	 *		packet received
++	 * <per-packet metadata entry N> contains 4 bytes:
++	 *		pkt_len and fields AX_RXHDR_*
++	 * <padding> 0-7 bytes to terminate at
++	 *		8 bytes boundary (64-bit).
++	 * <padding2> 4 bytes to make rx_hdr terminate at
++	 *		8 bytes boundary (64-bit)
++	 * <dummy header> contains 4 bytes:
++	 *		pkt_len=0 and AX_RXHDR_DROP_ERR
++	 * <rx_hdr> contains 4 bytes:
++	 *		pkt_cnt and hdr_off (offset of
++	 *		<per-packet metadata entry 1>)
++	 *
++	 * pkt_cnt is the number of entries in the per-packet metadata.
++	 * In current firmware there are 2 entries per packet.
++	 * The first points to the packet and the
++	 * second is a dummy header.
++	 * This was done probably to align fields in 64-bit and
++	 * maintain compatibility with old firmware.
++	 * This code assumes that <dummy header> and <padding2>
++	 * are optional.
++	 */
++
+ 	if (skb->len < 4)
+ 		return 0;
+ 	skb_trim(skb, skb->len - 4);
+@@ -1485,51 +1521,66 @@ static int ax88179_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ 	/* Make sure that the bounds of the metadata array are inside the SKB
+ 	 * (and in front of the counter at the end).
+ 	 */
+-	if (pkt_cnt * 2 + hdr_off > skb->len)
++	if (pkt_cnt * 4 + hdr_off > skb->len)
+ 		return 0;
+ 	pkt_hdr = (u32 *)(skb->data + hdr_off);
+ 
+ 	/* Packets must not overlap the metadata array */
+ 	skb_trim(skb, hdr_off);
+ 
+-	for (; ; pkt_cnt--, pkt_hdr++) {
++	for (; pkt_cnt > 0; pkt_cnt--, pkt_hdr++) {
++		u16 pkt_len_plus_padd;
+ 		u16 pkt_len;
+ 
+ 		le32_to_cpus(pkt_hdr);
+ 		pkt_len = (*pkt_hdr >> 16) & 0x1fff;
++		pkt_len_plus_padd = (pkt_len + 7) & 0xfff8;
+ 
+-		if (pkt_len > skb->len)
++		/* Skip dummy header used for alignment
++		 */
++		if (pkt_len == 0)
++			continue;
++
++		if (pkt_len_plus_padd > skb->len)
+ 			return 0;
+ 
+ 		/* Check CRC or runt packet */
+-		if (((*pkt_hdr & (AX_RXHDR_CRC_ERR | AX_RXHDR_DROP_ERR)) == 0) &&
+-		    pkt_len >= 2 + ETH_HLEN) {
+-			bool last = (pkt_cnt == 0);
+-
+-			if (last) {
+-				ax_skb = skb;
+-			} else {
+-				ax_skb = skb_clone(skb, GFP_ATOMIC);
+-				if (!ax_skb)
+-					return 0;
+-			}
+-			ax_skb->len = pkt_len;
+-			/* Skip IP alignment pseudo header */
+-			skb_pull(ax_skb, 2);
+-			skb_set_tail_pointer(ax_skb, ax_skb->len);
+-			ax_skb->truesize = pkt_len + sizeof(struct sk_buff);
+-			ax88179_rx_checksum(ax_skb, pkt_hdr);
++		if ((*pkt_hdr & (AX_RXHDR_CRC_ERR | AX_RXHDR_DROP_ERR)) ||
++		    pkt_len < 2 + ETH_HLEN) {
++			dev->net->stats.rx_errors++;
++			skb_pull(skb, pkt_len_plus_padd);
++			continue;
++		}
+ 
+-			if (last)
+-				return 1;
++		/* last packet */
++		if (pkt_len_plus_padd == skb->len) {
++			skb_trim(skb, pkt_len);
+ 
+-			usbnet_skb_return(dev, ax_skb);
++			/* Skip IP alignment pseudo header */
++			skb_pull(skb, 2);
++
++			skb->truesize = SKB_TRUESIZE(pkt_len_plus_padd);
++			ax88179_rx_checksum(skb, pkt_hdr);
++			return 1;
+ 		}
+ 
+-		/* Trim this packet away from the SKB */
+-		if (!skb_pull(skb, (pkt_len + 7) & 0xFFF8))
++		ax_skb = skb_clone(skb, GFP_ATOMIC);
++		if (!ax_skb)
+ 			return 0;
++		skb_trim(ax_skb, pkt_len);
++
++		/* Skip IP alignment pseudo header */
++		skb_pull(ax_skb, 2);
++
++		skb->truesize = pkt_len_plus_padd +
++				SKB_DATA_ALIGN(sizeof(struct sk_buff));
++		ax88179_rx_checksum(ax_skb, pkt_hdr);
++		usbnet_skb_return(dev, ax_skb);
++
++		skb_pull(skb, pkt_len_plus_padd);
+ 	}
++
++	return 0;
+ }
+ 
+ static struct sk_buff *
+-- 
+2.35.3
+
diff --git a/patches.suse/net-usb-qmi_wwan-add-Telit-0x1060-composition.patch b/patches.suse/net-usb-qmi_wwan-add-Telit-0x1060-composition.patch
new file mode 100644
index 0000000..7c31467
--- /dev/null
+++ b/patches.suse/net-usb-qmi_wwan-add-Telit-0x1060-composition.patch
@@ -0,0 +1,34 @@
+From 
8d17a33b076d24aa4861f336a125c888fb918605 Mon Sep 17 00:00:00 2001 +From: Carlo Lobrano +Date: Fri, 3 Sep 2021 14:09:53 +0200 +Subject: [PATCH] net: usb: qmi_wwan: add Telit 0x1060 composition +Git-commit: 8d17a33b076d24aa4861f336a125c888fb918605 +References: git-fixes +Patch-mainline: v5.15-rc1 + +This patch adds support for Telit LN920 0x1060 composition + +0x1060: tty, adb, rmnet, tty, tty, tty, tty + +Signed-off-by: Carlo Lobrano +Signed-off-by: David S. Miller +Signed-off-by: Oliver Neukum +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 6a2e4f884b12..33ada2c59952 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1354,6 +1354,7 @@ static const struct usb_device_id products[] = { + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1031, 3)}, /* Telit LE910C1-EUX */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1040, 2)}, /* Telit LE922A */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1050, 2)}, /* Telit FN980 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */ + {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */ + {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ +-- +2.35.3 + diff --git a/patches.suse/net-usb-qmi_wwan-add-Telit-0x1070-composition.patch b/patches.suse/net-usb-qmi_wwan-add-Telit-0x1070-composition.patch new file mode 100644 index 0000000..8752204 --- /dev/null +++ b/patches.suse/net-usb-qmi_wwan-add-Telit-0x1070-composition.patch @@ -0,0 +1,39 @@ +From 94f2a444f28a649926c410eb9a38afb13a83ebe0 Mon Sep 17 00:00:00 2001 +From: Daniele Palmas +Date: Fri, 10 Dec 2021 10:57:22 +0100 +Subject: [PATCH] net: usb: qmi_wwan: add Telit 0x1070 composition +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Git-commit: 94f2a444f28a649926c410eb9a38afb13a83ebe0 +References: git-fixes +Patch-mainline: v5.16-rc6 + +Add the following Telit FN990 composition: + +0x1070: tty, adb, rmnet, tty, tty, tty, tty + +Signed-off-by: Daniele Palmas +Acked-by: Bjørn Mork +Link: https://lore.kernel.org/r/20211210095722.22269-1-dnlplm@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Oliver Neukum +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 86b814e99224..f510e8219470 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1358,6 +1358,7 @@ static const struct usb_device_id products[] = { + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1040, 2)}, /* Telit LE922A */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1050, 2)}, /* Telit FN980 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1070, 2)}, /* Telit FN990 */ + {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */ + {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ +-- +2.35.3 + diff --git a/patches.suse/powerpc-64-Move-paca-allocation-later-in-boot.patch b/patches.suse/powerpc-64-Move-paca-allocation-later-in-boot.patch new file mode 100644 index 0000000..833af60 --- /dev/null +++ b/patches.suse/powerpc-64-Move-paca-allocation-later-in-boot.patch @@ -0,0 +1,131 @@ +From 2e7f1e2b30b5b8aa5de6547407c68670fd227ad8 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Thu, 20 Jan 2022 12:33:20 +1100 +Subject: [PATCH] powerpc/64: Move paca allocation later in boot + +References: bsc#1190812 +Patch-mainline: v5.18-rc1 
+Git-commit: 2e7f1e2b30b5b8aa5de6547407c68670fd227ad8 + +Mahesh & Sourabh identified two problems[1][2] with ppc64_bolted_size() +and paca allocation. + +The first is that on a Radix capable machine but with "disable_radix" on +the command line, there is a window during early boot where +early_radix_enabled() is true, even though it will later become false. + + early_init_devtree: <- early_radix_enabled() = false + early_init_dt_scan_cpus: <- early_radix_enabled() = false + ... + check_cpu_pa_features: <- early_radix_enabled() = false + ... ^ <- early_radix_enabled() = TRUE + allocate_paca: | <- early_radix_enabled() = TRUE + ... | + ppc64_bolted_size: | <- early_radix_enabled() = TRUE + if (early_radix_enabled())| <- early_radix_enabled() = TRUE + return ULONG_MAX; | + ... | + ... | <- early_radix_enabled() = TRUE + ... | <- early_radix_enabled() = TRUE + mmu_early_init_devtree() V + ... <- early_radix_enabled() = false + +This causes ppc64_bolted_size() to return ULONG_MAX for the boot CPU's +paca allocation, even though later it will return a different value. +This is not currently a bug because the paca allocation is also limited +by the RMA size, but that is very fragile. + +The second issue is that when using the Hash MMU, when we call +ppc64_bolted_size() for the boot CPU's paca allocation, we have not yet +detected whether 1T segments are available. That causes +ppc64_bolted_size() to return 256MB, even if the machine can actually +support up to 1T. This is usually OK, we generally have space below +256MB for one paca, but for a kdump kernel placed above 256MB it causes +the boot to fail. + +At boot we cannot discover all the features of the machine +instantaneously, so there will always be some periods where we have +incomplete knowledge of the system. However both the above problems stem +from the fact that we allocate the boot CPU's paca (and paca pointers +array) before we decide which MMU we are using, or discover its exact +features. + +Moving the paca allocation slightly later still can solve both the +issues described above, and means for a normal boot we don't do any +permanent allocations until after we've discovered the MMU. + +Note that although we move the boot CPU's paca allocation later, we +still have a temporary paca (boot_paca) accessible via r13, so code that +does read only access to paca fields is safe. The only risk is that some +code writes to the boot_paca, and that write will then be lost when we +switch away from the boot_paca later in early_setup(). + +The additional code that runs before the paca allocation is primarily +mmu_early_init_devtree(), which is scanning the device tree and +populating globals and cur_cpu_spec with MMU related flags. I do not see +any additional code that writes to paca fields. 
+
+[1]: https://lore.kernel.org/r/20211018084434.217772-2-sourabhjain@linux.ibm.com
+[2]: https://lore.kernel.org/r/20211018084434.217772-3-sourabhjain@linux.ibm.com
+
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220124130544.408675-1-mpe@ellerman.id.au
+[Backport adjusted for missing commit 59f577743d71 ("powerpc/64: Defer
+paca allocation until memory topology is discovered") provided by IBM]
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/kernel/prom.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c
+index ed3b17dd01a1..3bcb28e37b06 100644
+--- a/arch/powerpc/kernel/prom.c
++++ b/arch/powerpc/kernel/prom.c
+@@ -365,7 +365,9 @@ static int __init early_init_dt_scan_cpus(unsigned long node,
+ 	DBG("boot cpu: logical %d physical %d\n", found,
+ 	    be32_to_cpu(intserv[found_thread]));
+ 	boot_cpuid = found;
+-	set_hard_smp_processor_id(found, be32_to_cpu(intserv[found_thread]));
++
++	// Pass the boot CPU's hard CPU id back to our caller
++	*((u32 *)data) = be32_to_cpu(intserv[found_thread]);
+ 
+ 	/*
+ 	 * PAPR defines "logical" PVR values for cpus that
+@@ -727,6 +729,7 @@ static inline void save_fscr_to_task(void) {};
+ 
+ void __init early_init_devtree(void *params)
+ {
++	u32 boot_cpu_hwid;
+ 	phys_addr_t limit;
+ 
+ 	DBG(" -> early_init_devtree(%p)\n", params);
+@@ -795,8 +798,6 @@ void __init early_init_devtree(void *params)
+ 	 * FIXME .. and the initrd too? */
+ 	move_device_tree();
+ 
+-	allocate_pacas();
+-
+ 	DBG("Scanning CPUs ...\n");
+ 
+ 	dt_cpu_ftrs_scan();
+@@ -804,7 +805,7 @@ void __init early_init_devtree(void *params)
+ 	/* Retrieve CPU related informations from the flat tree
+ 	 * (altivec support, boot CPU ID, ...)
+ 	 */
+-	of_scan_flat_dt(early_init_dt_scan_cpus, NULL);
++	of_scan_flat_dt(early_init_dt_scan_cpus, &boot_cpu_hwid);
+ 	if (boot_cpuid < 0) {
+ 		printk("Failed to identify boot CPU !\n");
+ 		BUG();
+@@ -821,6 +822,10 @@ void __init early_init_devtree(void *params)
+ 
+ 	mmu_early_init_devtree();
+ 
++	// NB. paca is not installed until later in early_setup()
++	allocate_pacas();
++	set_hard_smp_processor_id(boot_cpuid, boot_cpu_hwid);
++
+ #ifdef CONFIG_PPC_POWERNV
+ 	/* Scan and build the list of machine check recoverable ranges */
+ 	of_scan_flat_dt(early_init_dt_scan_recoverable_ranges, NULL);
diff --git a/patches.suse/powerpc-Set-crashkernel-offset-to-mid-of-RMA-region.patch b/patches.suse/powerpc-Set-crashkernel-offset-to-mid-of-RMA-region.patch
new file mode 100644
index 0000000..c22f470
--- /dev/null
+++ b/patches.suse/powerpc-Set-crashkernel-offset-to-mid-of-RMA-region.patch
@@ -0,0 +1,90 @@
+From 7c5ed82b800d8615cdda00729e7b62e5899f0b13 Mon Sep 17 00:00:00 2001
+From: Sourabh Jain
+Date: Fri, 4 Feb 2022 14:26:01 +0530
+Subject: [PATCH] powerpc: Set crashkernel offset to mid of RMA region
+
+References: bsc#1190812
+Patch-mainline: v5.18-rc1
+Git-commit: 7c5ed82b800d8615cdda00729e7b62e5899f0b13
+
+On large config LPARs (having 192 and more cores), Linux fails to boot
+due to insufficient memory in the first memblock. It is due to the
+memory reservation for the crash kernel which starts at 128MB offset of
+the first memblock. This memory reservation for the crash kernel doesn't
+leave enough space in the first memblock to accommodate other essential
+system resources.
+
+The crash kernel start address was set to 128MB offset by default to
+ensure that the crash kernel gets some memory below the RMA region,
+which used to be 256MB in size. But given that the RMA region size can
+be 512MB or more, setting the crash kernel offset to the middle of the
+RMA region will leave enough space for the kernel to allocate memory
+for other system resources.
+
+Since the above crash kernel offset change is only applicable to the LPAR
+platform, the LPAR feature detection is pushed before the crash kernel
+reservation. The rest of the LPAR-specific initialization will still
+be done during pseries_probe_fw_features as usual.
+
+This patch is dependent on changes to paca allocation for the boot CPU.
+It expects the boot CPU to discover 1T segment support, which is
+introduced by the patch posted here:
+https://lists.ozlabs.org/pipermail/linuxppc-dev/2022-January/239175.html
+
+Reported-by: Abdul haleem
+Signed-off-by: Sourabh Jain
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220204085601.107257-1-sourabhjain@linux.ibm.com
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/kernel/rtas.c | 6 ++++++
+ arch/powerpc/kexec/core.c  | 15 +++++++++++----
+ 2 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
+index 733e6ef36758..1f42aabbbab3 100644
+--- a/arch/powerpc/kernel/rtas.c
++++ b/arch/powerpc/kernel/rtas.c
+@@ -1313,6 +1313,12 @@ int __init early_init_dt_scan_rtas(unsigned long node,
+ 	entryp = of_get_flat_dt_prop(node, "linux,rtas-entry", NULL);
+ 	sizep  = of_get_flat_dt_prop(node, "rtas-size", NULL);
+ 
++#ifdef CONFIG_PPC64
++	/* need this feature to decide the crashkernel offset */
++	if (of_get_flat_dt_prop(node, "ibm,hypertas-functions", NULL))
++		powerpc_firmware_features |= FW_FEATURE_LPAR;
++#endif
++
+ 	if (basep && entryp && sizep) {
+ 		rtas.base = *basep;
+ 		rtas.entry = *entryp;
+diff --git a/arch/powerpc/kexec/core.c b/arch/powerpc/kexec/core.c
+index 8b68d9f91a03..abf5897ae88c 100644
+--- a/arch/powerpc/kernel/machine_kexec.c
++++ b/arch/powerpc/kernel/machine_kexec.c
+@@ -134,11 +134,18 @@ void __init reserve_crashkernel(void)
+ 	if (!crashk_res.start) {
+ #ifdef CONFIG_PPC64
+ 		/*
+-		 * On 64bit we split the RMO in half but cap it at half of
+-		 * a small SLB (128MB) since the crash kernel needs to place
+-		 * itself and some stacks to be in the first segment.
++		 * On the LPAR platform, place the crash kernel at the middle
++		 * of the RMA (512MB or more) to ensure that the crash kernel
++		 * gets enough space to place itself and some stack in the
++		 * first segment. At the same time the normal kernel also
++		 * gets enough space to allocate memory for essential system
++		 * resources in the first segment. Keep the crash kernel
++		 * start at the 128MB offset on other platforms.
+ 		 */
+-		crashk_res.start = min(0x8000000ULL, (ppc64_rma_size / 2));
++		if (firmware_has_feature(FW_FEATURE_LPAR))
++			crashk_res.start = ppc64_rma_size / 2;
++		else
++			crashk_res.start = min(0x8000000ULL, (ppc64_rma_size / 2));
+ #else
+ 		crashk_res.start = KDUMP_KERNELBASE;
+ #endif
+-- 
+2.31.1
+
diff --git a/patches.suse/qed-Enable-automatic-recovery-on-error-condition.patch b/patches.suse/qed-Enable-automatic-recovery-on-error-condition.patch
new file mode 100644
index 0000000..2c30b31
--- /dev/null
+++ b/patches.suse/qed-Enable-automatic-recovery-on-error-condition.patch
@@ -0,0 +1,55 @@
+From 755f905340802e2efb1ea96b9ce0f442916c2645 Mon Sep 17 00:00:00 2001
+From: Alok Prasad
+Date: Tue, 24 Aug 2021 04:02:46 +0000
+Subject: [PATCH] qed: Enable automatic recovery on error condition.
+Git-commit: 755f905340802e2efb1ea96b9ce0f442916c2645
+Patch-mainline: v5.15-rc1
+References: bsc#1196964
+
+This patch enables automatic recovery by default in case of various
+error conditions such as FW assert, hardware error, etc.
+This also ensures that the driver can handle multiple iterations of
+assertion conditions.
+
+IMPORTANT: backported to SLE12-SP5 (partial patch)
+
+Signed-off-by: Ariel Elior
+Signed-off-by: Shai Malin
+Signed-off-by: Igor Russkikh
+Signed-off-by: Alok Prasad
+Signed-off-by: David S. Miller
+Signed-off-by: Luis Galdos
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c
+index d400e9b235bf..4877cb88c31a 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_main.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c
+@@ -1898,6 +1898,12 @@ static int qede_req_msix_irqs(struct qede_dev *edev)
+ 					 &edev->fp_array[i]);
+ 		if (rc) {
+ 			DP_ERR(edev, "Request fp %d irq failed\n", i);
++#ifdef CONFIG_RFS_ACCEL
++			if (edev->ndev->rx_cpu_rmap)
++				free_irq_cpu_rmap(edev->ndev->rx_cpu_rmap);
++
++			edev->ndev->rx_cpu_rmap = NULL;
++#endif
+ 			qede_sync_free_irqs(edev);
+ 			return rc;
+ 		}
+@@ -2290,6 +2296,15 @@ static void qede_unload(struct qede_dev *edev, enum qede_unload_mode mode,
+ 
+ 	rc = qede_stop_queues(edev);
+ 	if (rc) {
++#ifdef CONFIG_RFS_ACCEL
++		if (!IS_VF(edev) && edev->dev_info.common.num_hwfns == 1) {
++			qede_poll_for_freeing_arfs_filters(edev);
++			if (edev->ndev->rx_cpu_rmap)
++				free_irq_cpu_rmap(edev->ndev->rx_cpu_rmap);
++
++			edev->ndev->rx_cpu_rmap = NULL;
++		}
++#endif
+ 		qede_sync_free_irqs(edev);
+ 		goto out;
+ 	}
diff --git a/patches.suse/usbnet-fix-memory-allocation-in-helpers.patch b/patches.suse/usbnet-fix-memory-allocation-in-helpers.patch
new file mode 100644
index 0000000..4e670d2
--- /dev/null
+++ b/patches.suse/usbnet-fix-memory-allocation-in-helpers.patch
@@ -0,0 +1,48 @@
+From e65af5403e462ccd7dff6a045a886c64da598c2e Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Tue, 28 Jun 2022 11:35:17 +0200
+Subject: [PATCH] usbnet: fix memory allocation in helpers
+Git-commit: e65af5403e462ccd7dff6a045a886c64da598c2e
+References: git-fixes
+Patch-mainline: v5.19-rc5
+
+usbnet provides some helper functions that are also used in
+the context of reset() operations. During a reset the other
+drivers on a device are unable to operate. As that can be block
+drivers, a driver for another interface cannot use paging
+in its memory allocations without risking a deadlock.
+Use GFP_NOIO in the helpers.
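+
+Sketch of the intent (a hypothetical wrapper, not the exact helper;
+the real hunks follow):
+
+	static void *usbnet_ctrl_alloc(const void *data, u16 size)
+	{
+		/* May run inside another interface's reset(); paging in
+		 * memory could require I/O through this very device, so
+		 * GFP_KERNEL risks a deadlock here.
+		 */
+		return data ? kmemdup(data, size, GFP_NOIO)
+			    : kmalloc(size, GFP_NOIO);
+	}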
+ +Fixes: 877bd862f32b8 ("usbnet: introduce usbnet 3 command helpers") +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20220628093517.7469-1-oneukum@suse.com +Signed-off-by: Jakub Kicinski +--- + drivers/net/usb/usbnet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 1cb6dab3e2d0..e2135ab87a6e 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -2004,7 +2004,7 @@ static int __usbnet_read_cmd(struct usbnet *dev, u8 cmd, u8 reqtype, + cmd, reqtype, value, index, size); + + if (size) { +- buf = kmalloc(size, GFP_KERNEL); ++ buf = kmalloc(size, GFP_NOIO); + if (!buf) + goto out; + } +@@ -2036,7 +2036,7 @@ static int __usbnet_write_cmd(struct usbnet *dev, u8 cmd, u8 reqtype, + cmd, reqtype, value, index, size); + + if (data) { +- buf = kmemdup(data, size, GFP_KERNEL); ++ buf = kmemdup(data, size, GFP_NOIO); + if (!buf) + goto out; + } else { +-- +2.35.3 + diff --git a/patches.suse/usbnet-fix-memory-leak-in-error-case.patch b/patches.suse/usbnet-fix-memory-leak-in-error-case.patch new file mode 100644 index 0000000..b4e70f6 --- /dev/null +++ b/patches.suse/usbnet-fix-memory-leak-in-error-case.patch @@ -0,0 +1,72 @@ +From b55a21b764c1e182014630fa5486d717484ac58f Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 5 Jul 2022 14:53:51 +0200 +Subject: [PATCH] usbnet: fix memory leak in error case +Git-commit: b55a21b764c1e182014630fa5486d717484ac58f +References: git-fixes +Patch-mainline: v5.19-rc6 + +usbnet_write_cmd_async() mixed up which buffers +need to be freed in which error case. + +v2: add Fixes tag +v3: fix uninitialized buf pointer + +Fixes: 877bd862f32b8 ("usbnet: introduce usbnet 3 command helpers") +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20220705125351.17309-1-oneukum@suse.com +Signed-off-by: Jakub Kicinski +--- + drivers/net/usb/usbnet.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index e2135ab87a6e..78a92751ce4c 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -2137,7 +2137,7 @@ static void usbnet_async_cmd_cb(struct urb *urb) + int usbnet_write_cmd_async(struct usbnet *dev, u8 cmd, u8 reqtype, + u16 value, u16 index, const void *data, u16 size) + { +- struct usb_ctrlrequest *req = NULL; ++ struct usb_ctrlrequest *req; + struct urb *urb; + int err = -ENOMEM; + void *buf = NULL; +@@ -2155,7 +2155,7 @@ int usbnet_write_cmd_async(struct usbnet *dev, u8 cmd, u8 reqtype, + if (!buf) { + netdev_err(dev->net, "Error allocating buffer" + " in %s!\n", __func__); +- goto fail_free; ++ goto fail_free_urb; + } + } + +@@ -2179,14 +2179,21 @@ int usbnet_write_cmd_async(struct usbnet *dev, u8 cmd, u8 reqtype, + if (err < 0) { + netdev_err(dev->net, "Error submitting the control" + " message: status=%d\n", err); +- goto fail_free; ++ goto fail_free_all; + } + return 0; + ++fail_free_all: ++ kfree(req); + fail_free_buf: + kfree(buf); +-fail_free: +- kfree(req); ++ /* ++ * avoid a double free ++ * needed because the flag can be set only ++ * after filling the URB ++ */ ++ urb->transfer_flags = 0; ++fail_free_urb: + usb_free_urb(urb); + fail: + return err; +-- +2.35.3 + diff --git a/patches.suse/v5-0001-crypto-DRBG-add-FIPS-140-2-CTRNG-for-noise-source.patch b/patches.suse/v5-0001-crypto-DRBG-add-FIPS-140-2-CTRNG-for-noise-source.patch index 3328ae9..6fe6fb1 100644 --- 
a/patches.suse/v5-0001-crypto-DRBG-add-FIPS-140-2-CTRNG-for-noise-source.patch +++ b/patches.suse/v5-0001-crypto-DRBG-add-FIPS-140-2-CTRNG-for-noise-source.patch @@ -2,7 +2,8 @@ From cfd04a840941a4aa59174ad14f04a37b53eeb16a Mon Sep 17 00:00:00 2001 From: Stephan Mueller Date: Fri, 3 May 2019 21:54:46 +0200 Subject: [PATCH v5] crypto: DRBG - add FIPS 140-2 CTRNG for noise source -Patch-mainline: Never, handled differently +Git-commit: db07cd26ac6a418dc2823187958edcfdb415fa83 +Patch-mainline: v5.3-rc1 References: bsc#1155334 FIPS 140-2 section 4.9.2 requires a continuous self test of the noise diff --git a/patches.suse/x86-Add-magic-AMD-return-thunk.patch b/patches.suse/x86-Add-magic-AMD-return-thunk.patch new file mode 100644 index 0000000..63642de --- /dev/null +++ b/patches.suse/x86-Add-magic-AMD-return-thunk.patch @@ -0,0 +1,289 @@ +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:15:48 +0200 +Subject: x86: Add magic AMD return-thunk +Git-commit: a149180fbcf336e97ce4eb2cdc13672727feb94d +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Note: needs to be in a section distinct from Retpolines such that the +Retpoline RET substitution cannot possibly use immediate jumps. + +ORC unwinding for zen_untrain_ret() and __x86_return_thunk() is a +little tricky but works due to the fact that zen_untrain_ret() doesn't +have any stack ops and as such will emit a single ORC entry at the +start (+0x3f). + +Meanwhile, unwinding an IP, including the __x86_return_thunk() one +(+0x40) will search for the largest ORC entry smaller or equal to the +IP, these will find the one ORC entry (+0x3f) and all works. + + [ Alexandre: SVM part. ] + [ bp: Build fix, massages. ] + +Suggested-by: Andrew Cooper +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/entry/entry_64.S | 11 ++++++ + arch/x86/entry/entry_64_compat.S | 7 +++ + arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/nospec-branch.h | 17 +++++++++ + arch/x86/kernel/vmlinux.lds.S | 2 - + arch/x86/kvm/svm.c | 4 ++ + arch/x86/lib/retpoline.S | 64 +++++++++++++++++++++++++++++++++-- + 7 files changed, 103 insertions(+), 3 deletions(-) + +--- a/arch/x86/entry/entry_64_compat.S ++++ b/arch/x86/entry/entry_64_compat.S +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -107,6 +108,8 @@ ENTRY(entry_SYSENTER_compat) + xorl %r15d, %r15d /* nospec r15 */ + cld + ++ UNTRAIN_RET ++ + /* + * SYSENTER doesn't filter flags, so we need to clear NT and AC + * ourselves. To save a few cycles, we can check whether +@@ -248,6 +251,8 @@ GLOBAL(entry_SYSCALL_compat_after_hwfram + /* Restrict Indirect Branch Speculation. All registers are saved already */ + RESTRICT_IB_SPEC_CLOBBER + ++ UNTRAIN_RET ++ + /* User mode is traced as though IRQs are on, and SYSENTER + * turned them off. + */ +@@ -433,6 +438,8 @@ ENTRY(entry_INT80_compat) + */ + TRACE_IRQS_OFF + ++ UNTRAIN_RET ++ + movq %rsp, %rdi + call do_int80_syscall_32 + .Lsyscall_32_done: +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -233,6 +233,9 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) + + /* IRQs are off. 
*/ + movq %rsp, %rdi ++ ++ UNTRAIN_RET ++ + call do_syscall_64 /* returns with IRQs disabled */ + + TRACE_IRQS_IRETQ /* we're about to change IF */ +@@ -716,6 +719,7 @@ native_irq_return_ldt: + pushq %rdi /* Stash user RDI */ + SWAPGS /* to kernel GS */ + SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi /* to kernel CR3 */ ++ UNTRAIN_RET + + /* + * There is no point in disabling Indirect Branch Speculation +@@ -870,8 +874,11 @@ ENTRY(switch_to_thread_stack) + SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi + movq %rsp, %rdi + movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp ++ + /* Restrict Indirect Branch Speculation */ + RESTRICT_IB_SPEC ++ UNTRAIN_RET ++ + UNWIND_HINT sp_offset=16 sp_reg=ORC_REG_DI + + pushq 7*8(%rdi) /* regs->ss */ +@@ -1250,6 +1257,7 @@ ENTRY(error_entry) + SWITCH_TO_KERNEL_CR3 scratch_reg=%rax + /* Restrict Indirect Branch Speculation */ + RESTRICT_IB_SPEC_CLOBBER ++ UNTRAIN_RET + + .Lerror_entry_from_usermode_after_swapgs: + /* Put us onto the real thread stack. */ +@@ -1301,6 +1309,7 @@ ENTRY(error_entry) + SWITCH_TO_KERNEL_CR3 scratch_reg=%rax + /* Restrict Indirect Branch Speculation */ + RESTRICT_IB_SPEC_CLOBBER ++ UNTRAIN_RET + jmp .Lerror_entry_done + + .Lbstep_iret: +@@ -1318,6 +1327,7 @@ ENTRY(error_entry) + SWITCH_TO_KERNEL_CR3 scratch_reg=%rax + /* Restrict Indirect Branch Speculation */ + RESTRICT_IB_SPEC ++ UNTRAIN_RET + + /* + * Pretend that the exception came from user mode: set up pt_regs +@@ -1415,6 +1425,7 @@ ENTRY(nmi) + + /* Restrict Indirect Branch Speculation */ + RESTRICT_IB_SPEC ++ UNTRAIN_RET + + UNWIND_HINT_IRET_REGS base=%rdx offset=8 + pushq 5*8(%rdx) /* pt_regs->ss */ +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -288,6 +288,7 @@ + #define X86_FEATURE_RETPOLINE (11*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */ + #define X86_FEATURE_RETPOLINE_LFENCE (11*32+13) /* "" Use LFENCE for Spectre variant 2 */ + #define X86_FEATURE_RETHUNK (11*32+14) /* "" Use REturn THUNK */ ++#define X86_FEATURE_UNRET (11*32+15) /* "" AMD BTB untrain return */ + + /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ + #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */ +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -150,6 +150,22 @@ + #endif + .endm + ++/* ++ * Mitigate RETBleed for AMD/Hygon Zen uarch. Requires KERNEL CR3 because the ++ * return thunk isn't mapped into the userspace tables (then again, AMD ++ * typically has NO_MELTDOWN). ++ * ++ * Doesn't clobber any registers but does require a stable stack. ++ * ++ * As such, this must be placed after every *SWITCH_TO_KERNEL_CR3 at a point ++ * where we have a stack but before any RET instruction. 
++ */
++.macro UNTRAIN_RET
++#ifdef CONFIG_RETPOLINE
++	ALTERNATIVE "", "call zen_untrain_ret", X86_FEATURE_UNRET
++#endif
++.endm
++
+ #else /* __ASSEMBLY__ */
+ 
+ #define ANNOTATE_NOSPEC_ALTERNATIVE \
+@@ -168,6 +184,7 @@
+ #ifdef CONFIG_X86_64
+ 
+ extern void __x86_return_thunk(void);
++extern void zen_untrain_ret(void);
+ 
+ /*
+  * Inline asm uses the %V modifier which is only in newer GCC
+--- a/arch/x86/kernel/vmlinux.lds.S
++++ b/arch/x86/kernel/vmlinux.lds.S
+@@ -127,7 +127,7 @@ SECTIONS
+ 
+ #ifdef CONFIG_RETPOLINE
+ 		__indirect_thunk_start = .;
+-		*(.text.__x86.indirect_thunk)
++		*(.text.__x86.*)
+ 		__indirect_thunk_end = .;
+ #endif
+ 
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -52,6 +52,7 @@
+ #include
+ #include
+ #include
++#include <asm/nospec-branch.h>
+ 
+ #include
+ #include "trace.h"
+@@ -5682,6 +5683,9 @@ static void svm_vcpu_run(struct kvm_vcpu
+ 		"mov %%r14, %c[r14](%[svm]) \n\t"
+ 		"mov %%r15, %c[r15](%[svm]) \n\t"
+ #endif
++
++		ALTERNATIVE("", "call zen_untrain_ret", X86_FEATURE_UNRET)
++
+ 		/*
+ 		 * Clear host registers marked as clobbered to prevent
+ 		 * speculative use.
+--- a/arch/x86/lib/retpoline.S
++++ b/arch/x86/lib/retpoline.S
+@@ -53,11 +53,71 @@ GENERATE_THUNK(r15)
+  * This function name is magical and is used by -mfunction-return=thunk-extern
+  * for the compiler to generate JMPs to it.
+  */
++
++	.section .text.__x86.return_thunk
++
++/*
++ * Safety details here pertain to the AMD Zen{1,2} microarchitecture:
++ * 1) The RET at __x86_return_thunk must be on a 64 byte boundary, for
++ *    alignment within the BTB.
++ * 2) The instruction at zen_untrain_ret must contain, and not
++ *    end with, the 0xc3 byte of the RET.
++ * 3) STIBP must be enabled, or SMT disabled, to prevent the sibling thread
++ *    from re-poisoning the BTB prediction.
++ */
++	.align 64
++	.skip 63, 0xcc
++.globl zen_untrain_ret;
++zen_untrain_ret:
++
++	/*
++	 * As executed from zen_untrain_ret, this is:
++	 *
++	 *   TEST $0xcc, %bl
++	 *   LFENCE
++	 *   JMP __x86_return_thunk
++	 *
++	 * Executing the TEST instruction has a side effect of evicting any BTB
++	 * prediction (potentially attacker controlled) attached to the RET, as
++	 * __x86_return_thunk + 1 isn't an instruction boundary at the moment.
++	 */
++	.byte 0xf6
++
++	/*
++	 * As executed from __x86_return_thunk, this is a plain RET.
++	 *
++	 * As part of the TEST above, RET is the ModRM byte, and INT3 the imm8.
++	 *
++	 * We subsequently jump backwards and architecturally execute the RET.
++	 * This creates a correct BTB prediction (type=ret), but in the
++	 * meantime we suffer Straight Line Speculation (because the type was
++	 * no branch) which is halted by the INT3.
++	 *
++	 * With SMT enabled and STIBP active, a sibling thread cannot poison
++	 * RET's prediction to a type of its choice, but can evict the
++	 * prediction due to competitive sharing. If the prediction is
++	 * evicted, __x86_return_thunk will suffer Straight Line Speculation
++	 * which will be contained safely by the INT3.
++	 */
++
+ ENTRY(__x86_return_thunk)
+ 	ret
+ 	int3
+-ENDPROC(__x86_return_thunk)
+ 
+-__EXPORT_THUNK(__x86_return_thunk)
++	/*
++	 * Ensure the TEST decoding / BTB invalidation is complete.
++	 */
++	lfence
++
++	/*
++	 * Jump back and execute the RET in the middle of the TEST instruction.
++	 * INT3 is for SLS protection.
++ */ ++ jmp __x86_return_thunk ++ int3 ++ENDPROC(zen_untrain_ret) ++__EXPORT_THUNK(zen_untrain_ret) ++ ++EXPORT_SYMBOL(__x86_return_thunk) + #endif /* CONFIG_RETPOLINE */ + diff --git a/patches.suse/x86-Undo-return-thunk-damage.patch b/patches.suse/x86-Undo-return-thunk-damage.patch new file mode 100644 index 0000000..b81a31a --- /dev/null +++ b/patches.suse/x86-Undo-return-thunk-damage.patch @@ -0,0 +1,30 @@ +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:15:37 +0200 +Subject: x86: Undo return-thunk damage +Git-commit: 15e67227c49a57837108acfe1c80570e1bd9f962 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Introduce X86_FEATURE_RETHUNK for those afflicted with needing this. + + [ bp: Do only INT3 padding - simpler. ] + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/include/asm/cpufeatures.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -293,6 +293,7 @@ + /* FREE! (11*32+11) */ + #define X86_FEATURE_RETPOLINE (11*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */ + #define X86_FEATURE_RETPOLINE_LFENCE (11*32+13) /* "" Use LFENCE for Spectre variant 2 */ ++#define X86_FEATURE_RETHUNK (11*32+14) /* "" Use REturn THUNK */ + + /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ + #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */ diff --git a/patches.suse/x86-Use-return-thunk-in-asm-code.patch b/patches.suse/x86-Use-return-thunk-in-asm-code.patch new file mode 100644 index 0000000..0e55b79 --- /dev/null +++ b/patches.suse/x86-Use-return-thunk-in-asm-code.patch @@ -0,0 +1,120 @@ +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:15:45 +0200 +Subject: x86: Use return-thunk in asm code +Git-commit: aa3d480315ba6c3025a60958e1981072ea37c3df +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Use the return thunk in asm code. If the thunk isn't needed, it will +get patched into a RET instruction during boot by apply_returns(). + +Since alternatives can't handle relocations outside of the first +instruction, putting a 'jmp __x86_return_thunk' in one is not valid, +therefore carve out the memmove ERMS path into a separate label and jump +to it. + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf + + [ Add the -D__DISABLE_EXPORTS guard from + + 156ff4a544ae ("x86/ibt: Base IBT bits") + + so that the realmode/ trampoline doesn't see __x86_return_thunk and the linker + fails the build. 
] + +Signed-off-by: Borislav Petkov +--- + arch/x86/Makefile | 2 +- + arch/x86/boot/compressed/Makefile | 1 + + arch/x86/entry/vdso/Makefile | 1 + + arch/x86/include/asm/linkage.h | 8 ++++++++ + arch/x86/lib/memmove_64.S | 7 ++++++- + 5 files changed, 17 insertions(+), 2 deletions(-) + +--- a/arch/x86/boot/compressed/Makefile ++++ b/arch/x86/boot/compressed/Makefile +@@ -34,6 +34,7 @@ KBUILD_CFLAGS += $(cflags-y) + KBUILD_CFLAGS += -mno-mmx -mno-sse + KBUILD_CFLAGS += $(call cc-option,-ffreestanding) + KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector) ++KBUILD_CFLAGS += -D__DISABLE_EXPORTS + + KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__ + GCOV_PROFILE := n +--- a/arch/x86/entry/vdso/Makefile ++++ b/arch/x86/entry/vdso/Makefile +@@ -77,6 +77,7 @@ CFL := $(PROFILING) -mcmodel=small -fPIC + -DDISABLE_BRANCH_PROFILING -DBUILD_VDSO $(RETPOLINE_VDSO_CFLAGS) + + $(vobjs): KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS)) $(CFL) ++$(vobjs): KBUILD_AFLAGS += -DBUILD_VDSO + + # + # vDSO code runs in userspace and -pg doesn't help with profiling anyway. +--- a/arch/x86/include/asm/linkage.h ++++ b/arch/x86/include/asm/linkage.h +@@ -21,19 +21,27 @@ + #define __ALIGN_STR __stringify(__ALIGN) + #endif + ++#if defined(CONFIG_RETPOLINE) && !defined(__DISABLE_EXPORTS) && !defined(BUILD_VDSO) ++#define RET jmp __x86_return_thunk ++#else /* CONFIG_RETPOLINE */ + #ifdef CONFIG_SLS + #define RET ret; int3 + #else + #define RET ret + #endif ++#endif /* CONFIG_RETPOLINE */ + + #else /* __ASSEMBLY__ */ + ++#if defined(CONFIG_RETPOLINE) && !defined(__DISABLE_EXPORTS) && !defined(BUILD_VDSO) ++#define ASM_RET "jmp __x86_return_thunk\n\t" ++#else /* CONFIG_RETPOLINE */ + #ifdef CONFIG_SLS + #define ASM_RET "ret; int3\n\t" + #else + #define ASM_RET "ret\n\t" + #endif ++#endif /* CONFIG_RETPOLINE */ + + #endif /* __ASSEMBLY__ */ + +--- a/arch/x86/lib/memmove_64.S ++++ b/arch/x86/lib/memmove_64.S +@@ -42,7 +42,7 @@ ENTRY(__memmove) + jg 2f + + .Lmemmove_begin_forward: +- ALTERNATIVE "", __stringify(movq %rdx, %rcx; rep movsb; RET), X86_FEATURE_ERMS ++ ALTERNATIVE "", "jmp .Lmemmove_erms", X86_FEATURE_ERMS + + /* + * movsq instruction have many startup latency +@@ -206,6 +206,11 @@ ENTRY(__memmove) + movb %r11b, (%rdi) + 13: + RET ++ ++.Lmemmove_erms: ++ movq %rdx, %rcx ++ rep movsb ++ RET + ENDPROC(__memmove) + ENDPROC(memmove) + EXPORT_SYMBOL(__memmove) +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -21,7 +21,7 @@ CODE16GCC_CFLAGS := -m32 -Wa,$(srctree)/ + M16_CFLAGS := $(call cc-option, -m16, $(CODE16GCC_CFLAGS)) + + REALMODE_CFLAGS := $(M16_CFLAGS) -g -Os -D__KERNEL__ \ +- -DDISABLE_BRANCH_PROFILING \ ++ -DDISABLE_BRANCH_PROFILING -D__DISABLE_EXPORTS \ + -Wall -Wstrict-prototypes -march=i386 -mregparm=3 \ + -fno-strict-aliasing -fomit-frame-pointer -fno-pic \ + -mno-mmx -mno-sse \ diff --git a/patches.suse/x86-add-straight-line-speculation-mitigation.patch b/patches.suse/x86-add-straight-line-speculation-mitigation.patch new file mode 100644 index 0000000..867f28e --- /dev/null +++ b/patches.suse/x86-add-straight-line-speculation-mitigation.patch @@ -0,0 +1,113 @@ +From: Peter Zijlstra +Date: Sat, 4 Dec 2021 14:43:44 +0100 +Subject: x86: Add straight-line-speculation mitigation +Git-commit: e463a09af2f0677b9485a7e8e4e70b396b2ffb6f +Patch-mainline: v5.17-rc1 +References: bsc#1201050 CVE-2021-26341 + +Make use of an upcoming GCC feature to mitigate +straight-line-speculation for x86: + + https://gcc.gnu.org/g:53a643f8568067d7700a9f2facc8ba39974973d3 + 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102952 + https://bugs.llvm.org/show_bug.cgi?id=52323 + +It's built tested on x86_64-allyesconfig using GCC-12 and GCC-11. + +Maintenance overhead of this should be fairly low due to objtool +validation. + +Size overhead of all these additional int3 instructions comes to: + + text data bss dec hex filename + 22267751 6933356 2011368 31212475 1dc43bb defconfig-build/vmlinux + 22804126 6933356 1470696 31208178 1dc32f2 defconfig-build/vmlinux.sls + +Or roughly 2.4% additional text. + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20211204134908.140103474@infradead.org +--- + arch/x86/Kconfig | 9 +++++++++ + arch/x86/Makefile | 4 ++++ + arch/x86/include/asm/linkage.h | 10 ++++++++++ + arch/x86/include/asm/nospec-branch.h | 2 +- + arch/x86/lib/memmove_64.S | 2 +- + 5 files changed, 25 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/linkage.h ++++ b/arch/x86/include/asm/linkage.h +@@ -21,9 +21,19 @@ + #define __ALIGN_STR __stringify(__ALIGN) + #endif + ++#ifdef CONFIG_SLS ++#define RET ret; int3 ++#else ++#define RET ret ++#endif ++ + #else /* __ASSEMBLY__ */ + ++#ifdef CONFIG_SLS ++#define ASM_RET "ret; int3\n\t" ++#else + #define ASM_RET "ret\n\t" ++#endif + + #endif /* __ASSEMBLY__ */ + +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -119,7 +119,7 @@ + ANNOTATE_NOSPEC_ALTERNATIVE + ALTERNATIVE_2 __stringify(ANNOTATE_RETPOLINE_SAFE; jmp *\reg), \ + __stringify(RETPOLINE_JMP \reg), X86_FEATURE_RETPOLINE, \ +- __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *\reg), X86_FEATURE_RETPOLINE_AMD ++ __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *\reg; int3), X86_FEATURE_RETPOLINE_AMD + #else + jmp *\reg + #endif +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -433,6 +433,15 @@ config RETPOLINE + branches. Requires a compiler with -mindirect-branch=thunk-extern + support for full protection. The kernel may run slower. + ++config SLS ++ bool "Mitigate Straight-Line-Speculation" ++ depends on X86_64 ++ default n ++ help ++ Compile the kernel with straight-line-speculation options to guard ++ against straight line speculation. The kernel image might be slightly ++ larger. 
++ + config X86_CPU_RESCTRL + bool "x86 CPU resource control support" + depends on X86 && (CPU_SUP_INTEL || CPU_SUP_AMD) +--- a/arch/x86/lib/memmove_64.S ++++ b/arch/x86/lib/memmove_64.S +@@ -42,7 +42,7 @@ ENTRY(__memmove) + jg 2f + + .Lmemmove_begin_forward: +- ALTERNATIVE "", "movq %rdx, %rcx; rep movsb; RET", X86_FEATURE_ERMS ++ ALTERNATIVE "", __stringify(movq %rdx, %rcx; rep movsb; RET), X86_FEATURE_ERMS + + /* + * movsq instruction have many startup latency +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -233,6 +233,10 @@ ifdef CONFIG_RETPOLINE + KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE + endif + ++ifdef CONFIG_SLS ++ KBUILD_CFLAGS += $(call cc-option,-mharden-sls=all) ++endif ++ + archscripts: scripts_basic + $(Q)$(MAKE) $(build)=arch/x86/tools relocs + diff --git a/patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch b/patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch new file mode 100644 index 0000000..576310f --- /dev/null +++ b/patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch @@ -0,0 +1,217 @@ +From: Alexandre Chartre +Date: Tue, 14 Jun 2022 23:15:50 +0200 +Subject: x86/bugs: Add AMD retbleed= boot parameter +Git-commit: 7fbf47c7ce50b38a64576b150e7011ae73d54669 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Add the "retbleed=" boot parameter to select a mitigation for +RETBleed. Possible values are "off", "auto" and "unret" +(JMP2RET mitigation). The default value is "auto". + +Currently, "retbleed=auto" will select the unret mitigation on +AMD and Hygon and no mitigation on Intel (JMP2RET is not effective on +Intel). + + [peterz: rebase; add hygon] + [jpoimboe: cleanups] + +Signed-off-by: Alexandre Chartre +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +[ Enable CC_HAS_RETURN_THUNK unconditionally as our compilers support it. ] +Signed-off-by: Borislav Petkov +--- + Documentation/admin-guide/kernel-parameters.txt | 14 +++ + arch/x86/Kconfig | 3 + arch/x86/Makefile | 3 + arch/x86/kernel/cpu/bugs.c | 108 +++++++++++++++++++++++- + 4 files changed, 127 insertions(+), 1 deletion(-) + +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -442,6 +442,9 @@ config SLS + against straight line speculation. The kernel image might be slightly + larger. + ++config CC_HAS_RETURN_THUNK ++ def_bool y ++ + config X86_CPU_RESCTRL + bool "x86 CPU resource control support" + depends on X86 && (CPU_SUP_INTEL || CPU_SUP_AMD) +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -35,6 +35,7 @@ + #include "cpu.h" + + static void __init spectre_v1_select_mitigation(void); ++static void __init retbleed_select_mitigation(void); + static void __init spectre_v2_select_mitigation(void); + static void __init ssb_select_mitigation(void); + static void __init l1tf_select_mitigation(void); +@@ -110,6 +111,12 @@ void __init check_bugs(void) + + /* Select the proper CPU mitigations before patching alternatives: */ + spectre_v1_select_mitigation(); ++ retbleed_select_mitigation(); ++ /* ++ * spectre_v2_select_mitigation() relies on the state set by ++ * retbleed_select_mitigation(); specifically the STIBP selection is ++ * forced for UNRET. 
++ */ + spectre_v2_select_mitigation(); + ssb_select_mitigation(); + l1tf_select_mitigation(); +@@ -826,6 +833,100 @@ static int __init nospectre_v1_cmdline(c + early_param("nospectre_v1", nospectre_v1_cmdline); + + #undef pr_fmt ++#define pr_fmt(fmt) "RETBleed: " fmt ++ ++enum retbleed_mitigation { ++ RETBLEED_MITIGATION_NONE, ++ RETBLEED_MITIGATION_UNRET, ++}; ++ ++enum retbleed_mitigation_cmd { ++ RETBLEED_CMD_OFF, ++ RETBLEED_CMD_AUTO, ++ RETBLEED_CMD_UNRET, ++}; ++ ++const char * const retbleed_strings[] = { ++ [RETBLEED_MITIGATION_NONE] = "Vulnerable", ++ [RETBLEED_MITIGATION_UNRET] = "Mitigation: untrained return thunk", ++}; ++ ++static enum retbleed_mitigation retbleed_mitigation __ro_after_init = ++ RETBLEED_MITIGATION_NONE; ++static enum retbleed_mitigation_cmd retbleed_cmd __ro_after_init = ++ RETBLEED_CMD_AUTO; ++ ++static int __init retbleed_parse_cmdline(char *str) ++{ ++ if (!str) ++ return -EINVAL; ++ ++ if (!strcmp(str, "off")) ++ ; ++ else if (!strcmp(str, "auto")) ++ retbleed_cmd = RETBLEED_CMD_AUTO; ++ else if (!strcmp(str, "unret")) ++ retbleed_cmd = RETBLEED_CMD_UNRET; ++ else ++ pr_err("Unknown retbleed option (%s). Defaulting to 'auto'\n", str); ++ ++ return 0; ++} ++early_param("retbleed", retbleed_parse_cmdline); ++ ++#define RETBLEED_UNTRAIN_MSG "WARNING: BTB untrained return thunk mitigation is only effective on AMD/Hygon!\n" ++#define RETBLEED_COMPILER_MSG "WARNING: kernel not compiled with RETPOLINE or -mfunction-return capable compiler!\n" ++ ++static void __init retbleed_select_mitigation(void) ++{ ++ if (!boot_cpu_has_bug(X86_BUG_RETBLEED)) ++ return; ++ ++ switch (retbleed_cmd) { ++ case RETBLEED_CMD_OFF: ++ return; ++ ++ case RETBLEED_CMD_UNRET: ++ retbleed_mitigation = RETBLEED_MITIGATION_UNRET; ++ break; ++ ++ case RETBLEED_CMD_AUTO: ++ default: ++ if (!boot_cpu_has_bug(X86_BUG_RETBLEED)) ++ break; ++ ++ if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || ++ boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) ++ retbleed_mitigation = RETBLEED_MITIGATION_UNRET; ++ break; ++ } ++ ++ switch (retbleed_mitigation) { ++ case RETBLEED_MITIGATION_UNRET: ++ ++ if (!IS_ENABLED(CONFIG_RETPOLINE) || ++ !IS_ENABLED(CONFIG_CC_HAS_RETURN_THUNK)) { ++ pr_err(RETBLEED_COMPILER_MSG); ++ retbleed_mitigation = RETBLEED_MITIGATION_NONE; ++ break; ++ } ++ ++ setup_force_cpu_cap(X86_FEATURE_RETHUNK); ++ setup_force_cpu_cap(X86_FEATURE_UNRET); ++ ++ if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD && ++ boot_cpu_data.x86_vendor != X86_VENDOR_HYGON) ++ pr_err(RETBLEED_UNTRAIN_MSG); ++ break; ++ ++ default: ++ break; ++ } ++ ++ pr_info("%s\n", retbleed_strings[retbleed_mitigation]); ++} ++ ++#undef pr_fmt + #define pr_fmt(fmt) "Spectre V2 : " fmt + + static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = +@@ -1884,7 +1985,12 @@ static ssize_t srbds_show_state(char *bu + + static ssize_t retbleed_show_state(char *buf) + { +- return sprintf(buf, "Vulnerable\n"); ++ if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET && ++ (boot_cpu_data.x86_vendor != X86_VENDOR_AMD && ++ boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)) ++ return sprintf(buf, "Vulnerable: untrained return thunk on non-Zen uarch\n"); ++ ++ return sprintf(buf, "%s\n", retbleed_strings[retbleed_mitigation]); + } + + static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -241,6 +241,9 @@ ifdef CONFIG_SLS + KBUILD_CFLAGS += $(call cc-option,-mharden-sls=all) + endif + ++# RETHUNK ++KBUILD_CFLAGS += $(call 
cc-option,-mfunction-return=thunk-extern) ++ + archscripts: scripts_basic + $(Q)$(MAKE) $(build)=arch/x86/tools relocs + +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -3977,6 +3977,20 @@ + + retain_initrd [RAM] Keep initrd memory after extraction + ++ retbleed= [X86] Control mitigation of RETBleed (Arbitrary ++ Speculative Code Execution with Return Instructions) ++ vulnerability. ++ ++ auto - automatically select a migitation ++ unret - force enable untrained return thunks, ++ only effective on AMD Zen {1,2} ++ based systems. ++ ++ Selecting 'auto' will choose a mitigation method at run ++ time according to the CPU. ++ ++ Not specifying this option is equivalent to retbleed=auto. ++ + rfkill.default_state= + 0 "airplane mode". All wifi, bluetooth, wimax, gps, fm, + etc. communication is blocked by default. diff --git a/patches.suse/x86-bugs-Add-retbleed-ibpb.patch b/patches.suse/x86-bugs-Add-retbleed-ibpb.patch new file mode 100644 index 0000000..4dd3300 --- /dev/null +++ b/patches.suse/x86-bugs-Add-retbleed-ibpb.patch @@ -0,0 +1,259 @@ +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:16:02 +0200 +Subject: x86/bugs: Add retbleed=ibpb +Git-commit: 3ebc170068885b6fc7bedda6c667bb2c4d533159 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +jmp2ret mitigates the easy-to-attack case at relatively low overhead. +It mitigates the long speculation windows after a mispredicted RET, but +it does not mitigate the short speculation window from arbitrary +instruction boundaries. + +On Zen2, there is a chicken bit which needs setting, which mitigates +"arbitrary instruction boundaries" down to just "basic block boundaries". + +But there is no fix for the short speculation window on basic block +boundaries, other than to flush the entire BTB to evict all attacker +predictions. + +On the spectrum of "fast & blurry" -> "safe", there is (on top of STIBP +or no-SMT): + + 1) Nothing System wide open + 2) jmp2ret May stop a script kiddy + 3) jmp2ret+chickenbit Raises the bar rather further + 4) IBPB Only thing which can count as "safe". + +Tentative numbers put IBPB-on-entry at a 2.5x hit on Zen2, and a 10x hit +on Zen1 according to lmbench. + + [ bp: Fixup feature bit comments, document option, 32-bit build fix. ] + +Suggested-by: Andrew Cooper +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + Documentation/admin-guide/kernel-parameters.txt | 3 + + arch/x86/entry/Makefile | 2 - + arch/x86/entry/entry.S | 32 +++++++++++++++++ + arch/x86/include/asm/cpufeatures.h | 2 - + arch/x86/include/asm/nospec-branch.h | 8 +++- + arch/x86/kernel/cpu/bugs.c | 43 ++++++++++++++++++------ + 6 files changed, 77 insertions(+), 13 deletions(-) + +--- /dev/null ++++ b/arch/x86/entry/entry.S +@@ -0,0 +1,32 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++/* ++ * Common place for both 32- and 64-bit entry routines. 
++ */ ++ ++#include ++#include ++#include ++ ++.pushsection .noinstr.text, "ax" ++ ++ENTRY(entry_ibpb) ++ ++ push %rax ++ push %rcx ++ push %rdx ++ ++ movl $MSR_IA32_PRED_CMD, %ecx ++ movl $PRED_CMD_IBPB, %eax ++ xorl %edx, %edx ++ wrmsr ++ ++ pop %rdx ++ pop %rcx ++ pop %rax ++ ++ RET ++END(entry_ibpb) ++/* For KVM */ ++EXPORT_SYMBOL_GPL(entry_ibpb); ++ ++.popsection +--- a/arch/x86/entry/Makefile ++++ b/arch/x86/entry/Makefile +@@ -6,7 +6,7 @@ OBJECT_FILES_NON_STANDARD_entry_64_compa + + CFLAGS_syscall_64.o += $(call cc-option,-Wno-override-init,) + CFLAGS_syscall_32.o += $(call cc-option,-Wno-override-init,) +-obj-y := entry_$(BITS).o thunk_$(BITS).o syscall_$(BITS).o ++obj-y := entry.o entry_$(BITS).o thunk_$(BITS).o syscall_$(BITS).o + obj-y += common.o + + obj-y += vdso/ +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -283,7 +283,7 @@ + #define X86_FEATURE_CQM_MBM_LOCAL (11*32+ 3) /* LLC Local MBM monitoring */ + #define X86_FEATURE_FENCE_SWAPGS_USER (11*32+ 4) /* "" LFENCE in user entry SWAPGS path */ + #define X86_FEATURE_FENCE_SWAPGS_KERNEL (11*32+ 5) /* "" LFENCE in kernel entry SWAPGS path */ +-/* FREE! (11*32+10) */ ++#define X86_FEATURE_ENTRY_IBPB (11*32+10) /* "" Issue an IBPB on kernel entry */ + /* FREE! (11*32+11) */ + #define X86_FEATURE_RETPOLINE (11*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */ + #define X86_FEATURE_RETPOLINE_LFENCE (11*32+13) /* "" Use LFENCE for Spectre variant 2 */ +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -155,14 +155,17 @@ + * return thunk isn't mapped into the userspace tables (then again, AMD + * typically has NO_MELTDOWN). + * +- * Doesn't clobber any registers but does require a stable stack. ++ * While zen_untrain_ret() doesn't clobber anything but requires stack, ++ * entry_ibpb() will clobber AX, CX, DX. + * + * As such, this must be placed after every *SWITCH_TO_KERNEL_CR3 at a point + * where we have a stack but before any RET instruction. 
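+ *
+ * (Illustrative call-site shape only, not part of this hunk:
+ *
+ *	...SWITCH_TO_KERNEL_CR3 variant...
+ *	UNTRAIN_RET
+ *	...
+ *	RET
+ * )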
+ */ + .macro UNTRAIN_RET + #ifdef CONFIG_RETPOLINE +- ALTERNATIVE "", "call zen_untrain_ret", X86_FEATURE_UNRET ++ ALTERNATIVE_2 "", \ ++ "call zen_untrain_ret", X86_FEATURE_UNRET, \ ++ "call entry_ibpb", X86_FEATURE_ENTRY_IBPB + #endif + .endm + +@@ -185,6 +188,7 @@ + + extern void __x86_return_thunk(void); + extern void zen_untrain_ret(void); ++extern void entry_ibpb(void); + + /* + * Inline asm uses the %V modifier which is only in newer GCC +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -878,6 +878,7 @@ static enum spectre_v2_mitigation spectr + enum retbleed_mitigation { + RETBLEED_MITIGATION_NONE, + RETBLEED_MITIGATION_UNRET, ++ RETBLEED_MITIGATION_IBPB, + RETBLEED_MITIGATION_IBRS, + RETBLEED_MITIGATION_EIBRS, + }; +@@ -886,11 +887,13 @@ enum retbleed_mitigation_cmd { + RETBLEED_CMD_OFF, + RETBLEED_CMD_AUTO, + RETBLEED_CMD_UNRET, ++ RETBLEED_CMD_IBPB, + }; + + const char * const retbleed_strings[] = { + [RETBLEED_MITIGATION_NONE] = "Vulnerable", + [RETBLEED_MITIGATION_UNRET] = "Mitigation: untrained return thunk", ++ [RETBLEED_MITIGATION_IBPB] = "Mitigation: IBPB", + [RETBLEED_MITIGATION_IBRS] = "Mitigation: IBRS", + [RETBLEED_MITIGATION_EIBRS] = "Mitigation: Enhanced IBRS", + }; +@@ -920,6 +923,8 @@ static int __init retbleed_parse_cmdline + retbleed_cmd = RETBLEED_CMD_AUTO; + } else if (!strcmp(str, "unret")) { + retbleed_cmd = RETBLEED_CMD_UNRET; ++ } else if (!strcmp(str, "ibpb")) { ++ retbleed_cmd = RETBLEED_CMD_IBPB; + } else if (!strcmp(str, "nosmt")) { + retbleed_nosmt = true; + } else { +@@ -934,11 +939,13 @@ static int __init retbleed_parse_cmdline + early_param("retbleed", retbleed_parse_cmdline); + + #define RETBLEED_UNTRAIN_MSG "WARNING: BTB untrained return thunk mitigation is only effective on AMD/Hygon!\n" +-#define RETBLEED_COMPILER_MSG "WARNING: kernel not compiled with RETPOLINE or -mfunction-return capable compiler!\n" ++#define RETBLEED_COMPILER_MSG "WARNING: kernel not compiled with RETPOLINE or -mfunction-return capable compiler; falling back to IBPB!\n" + #define RETBLEED_INTEL_MSG "WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!\n" + + static void __init retbleed_select_mitigation(void) + { ++ bool mitigate_smt = false; ++ + if (!boot_cpu_has_bug(X86_BUG_RETBLEED)) + return; + +@@ -950,11 +957,21 @@ static void __init retbleed_select_mitig + retbleed_mitigation = RETBLEED_MITIGATION_UNRET; + break; + ++ case RETBLEED_CMD_IBPB: ++ retbleed_mitigation = RETBLEED_MITIGATION_IBPB; ++ break; ++ + case RETBLEED_CMD_AUTO: + default: + if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || +- boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) +- retbleed_mitigation = RETBLEED_MITIGATION_UNRET; ++ boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) { ++ ++ if (IS_ENABLED(CONFIG_RETPOLINE) && ++ IS_ENABLED(CONFIG_CC_HAS_RETURN_THUNK)) ++ retbleed_mitigation = RETBLEED_MITIGATION_UNRET; ++ else ++ retbleed_mitigation = RETBLEED_MITIGATION_IBPB; ++ } + + /* + * The Intel mitigation (IBRS) was already selected in +@@ -970,26 +987,34 @@ static void __init retbleed_select_mitig + if (!IS_ENABLED(CONFIG_RETPOLINE) || + !IS_ENABLED(CONFIG_CC_HAS_RETURN_THUNK)) { + pr_err(RETBLEED_COMPILER_MSG); +- retbleed_mitigation = RETBLEED_MITIGATION_NONE; +- break; ++ retbleed_mitigation = RETBLEED_MITIGATION_IBPB; ++ goto retbleed_force_ibpb; + } + + setup_force_cpu_cap(X86_FEATURE_RETHUNK); + setup_force_cpu_cap(X86_FEATURE_UNRET); + +- if (!boot_cpu_has(X86_FEATURE_STIBP) && +- (retbleed_nosmt || cpu_mitigations_auto_nosmt())) 
+- cpu_smt_disable(false); +- + if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD && + boot_cpu_data.x86_vendor != X86_VENDOR_HYGON) + pr_err(RETBLEED_UNTRAIN_MSG); ++ ++ mitigate_smt = true; ++ break; ++ ++ case RETBLEED_MITIGATION_IBPB: ++retbleed_force_ibpb: ++ setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB); ++ mitigate_smt = true; + break; + + default: + break; + } + ++ if (mitigate_smt && !boot_cpu_has(X86_FEATURE_STIBP) && ++ (retbleed_nosmt || cpu_mitigations_auto_nosmt())) ++ cpu_smt_disable(false); ++ + /* + * Let IBRS trump all on Intel without affecting the effects of the + * retbleed= cmdline option. +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -3986,6 +3986,9 @@ + disabling SMT if necessary for + the full mitigation (only on Zen1 + and older without STIBP). ++ ibpb - mitigate short speculation windows on ++ basic block boundaries too. Safe, highest ++ perf impact. + unret - force enable untrained return thunks, + only effective on AMD f15h-f17h + based systems. diff --git a/patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch b/patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch new file mode 100644 index 0000000..5191fac --- /dev/null +++ b/patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch @@ -0,0 +1,48 @@ +From: Josh Poimboeuf +Date: Tue, 14 Jun 2022 15:07:19 -0700 +Subject: x86/bugs: Do IBPB fallback check only once +Git-commit: 0fe4aeea9c01baabecc8c3afc7889c809d939bc2 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +When booting with retbleed=auto, if the kernel wasn't built with +CONFIG_CC_HAS_RETURN_THUNK, the mitigation falls back to IBPB. Make +sure a warning is printed in that case. The IBPB fallback check is done +twice, but it really only needs to be done once. + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/cpu/bugs.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 04077d13b3ae..108bd74289c5 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -891,18 +891,13 @@ static void __init retbleed_select_mitigation(void) + case RETBLEED_CMD_AUTO: + default: + if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || +- boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) { +- +- if (IS_ENABLED(CONFIG_RETPOLINE) && +- IS_ENABLED(CONFIG_CC_HAS_RETURN_THUNK)) +- retbleed_mitigation = RETBLEED_MITIGATION_UNRET; +- else +- retbleed_mitigation = RETBLEED_MITIGATION_IBPB; +- } ++ boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) ++ retbleed_mitigation = RETBLEED_MITIGATION_UNRET; + + /* +- * The Intel mitigation (IBRS) was already selected in +- * spectre_v2_select_mitigation(). ++ * The Intel mitigation (IBRS or eIBRS) was already selected in ++ * spectre_v2_select_mitigation(). 'retbleed_mitigation' will ++ * be set accordingly below. 
+ */ + + break; + diff --git a/patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch b/patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch new file mode 100644 index 0000000..ac19510 --- /dev/null +++ b/patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch @@ -0,0 +1,46 @@ +From: Thadeu Lima de Souza Cascardo +Date: Thu, 7 Jul 2022 13:41:52 -0300 +Subject: [PATCH] x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported +Patch-mainline: Queued in tip for 5.19 +Git-commit: 31b74c1dfb6cb530920fdcd047614e2b5eb72f74 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +There are some VM configurations which have Skylake model but do not +support IBPB. In those cases, when using retbleed=ibpb, userspace is going +to be killed and kernel is going to panic. + +If the CPU does not support IBPB, warn and proceed with the auto option. Also, +do not fallback to IBPB on AMD/Hygon systems if it is not supported. + +Fixes: 3ebc17006888 ("x86/bugs: Add retbleed=ibpb") +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/cpu/bugs.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -930,14 +930,21 @@ static void __init retbleed_select_mitig + break; + + case RETBLEED_CMD_IBPB: ++ if (!boot_cpu_has(X86_FEATURE_IBPB)) { ++ pr_err("WARNING: CPU does not support IBPB.\n"); ++ goto do_cmd_auto; ++ } + retbleed_mitigation = RETBLEED_MITIGATION_IBPB; + break; + ++do_cmd_auto: + case RETBLEED_CMD_AUTO: + default: + if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || + boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) + retbleed_mitigation = RETBLEED_MITIGATION_UNRET; ++ else if (boot_cpu_has(X86_FEATURE_IBPB)) ++ retbleed_mitigation = RETBLEED_MITIGATION_IBPB; + + /* + * The Intel mitigation (IBRS or eIBRS) was already selected in diff --git a/patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch b/patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch new file mode 100644 index 0000000..652f968 --- /dev/null +++ b/patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch @@ -0,0 +1,125 @@ +From: Kim Phillips +Date: Tue, 14 Jun 2022 23:15:51 +0200 +Subject: x86/bugs: Enable STIBP for JMP2RET +Git-commit: e8ec1b6e08a2102d8755ccb06fa26d540f26a2fa +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +For untrained return thunks to be fully effective, STIBP must be enabled +or SMT disabled. 
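+
+As a usage sketch (the comma-separated option parsing is added below),
+booting with:
+
+  retbleed=unret,nosmt
+
+selects the untrained return thunk and additionally disables SMT when
+STIBP is not available.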
+ +Co-developed-by: Josh Poimboeuf +Signed-off-by: Josh Poimboeuf +Signed-off-by: Kim Phillips +Signed-off-by: Peter Zijlstra (Intel) + + [ bp: No SPECTRE_V2_USER_STRICT_PREFERRED ] + +Signed-off-by: Borislav Petkov +--- + Documentation/admin-guide/kernel-parameters.txt | 14 ++++-- + arch/x86/kernel/cpu/bugs.c | 50 ++++++++++++++++++------ + 2 files changed, 48 insertions(+), 16 deletions(-) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -856,19 +856,34 @@ static enum retbleed_mitigation retbleed + static enum retbleed_mitigation_cmd retbleed_cmd __ro_after_init = + RETBLEED_CMD_AUTO; + ++static int __ro_after_init retbleed_nosmt = false; ++ + static int __init retbleed_parse_cmdline(char *str) + { + if (!str) + return -EINVAL; + +- if (!strcmp(str, "off")) +- ; +- else if (!strcmp(str, "auto")) +- retbleed_cmd = RETBLEED_CMD_AUTO; +- else if (!strcmp(str, "unret")) +- retbleed_cmd = RETBLEED_CMD_UNRET; +- else +- pr_err("Unknown retbleed option (%s). Defaulting to 'auto'\n", str); ++ while (str) { ++ char *next = strchr(str, ','); ++ if (next) { ++ *next = 0; ++ next++; ++ } ++ ++ if (!strcmp(str, "off")) { ++ return -EINVAL; ++ } else if (!strcmp(str, "auto")) { ++ retbleed_cmd = RETBLEED_CMD_AUTO; ++ } else if (!strcmp(str, "unret")) { ++ retbleed_cmd = RETBLEED_CMD_UNRET; ++ } else if (!strcmp(str, "nosmt")) { ++ retbleed_nosmt = true; ++ } else { ++ pr_err("Ignoring unknown retbleed option (%s).", str); ++ } ++ ++ str = next; ++ } + + return 0; + } +@@ -914,6 +929,10 @@ static void __init retbleed_select_mitig + setup_force_cpu_cap(X86_FEATURE_RETHUNK); + setup_force_cpu_cap(X86_FEATURE_UNRET); + ++ if (!boot_cpu_has(X86_FEATURE_STIBP) && ++ (retbleed_nosmt || cpu_mitigations_auto_nosmt())) ++ cpu_smt_disable(false); ++ + if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD && + boot_cpu_data.x86_vendor != X86_VENDOR_HYGON) + pr_err(RETBLEED_UNTRAIN_MSG); +@@ -1985,10 +2004,17 @@ static ssize_t srbds_show_state(char *bu + + static ssize_t retbleed_show_state(char *buf) + { +- if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET && +- (boot_cpu_data.x86_vendor != X86_VENDOR_AMD && +- boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)) +- return sprintf(buf, "Vulnerable: untrained return thunk on non-Zen uarch\n"); ++ if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET) { ++ if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD && ++ boot_cpu_data.x86_vendor != X86_VENDOR_HYGON) ++ return sprintf(buf, "Vulnerable: untrained return thunk on non-Zen uarch\n"); ++ ++ return sprintf(buf, "%s; SMT %s\n", ++ retbleed_strings[retbleed_mitigation], ++ !sched_smt_active() ? "disabled" : ++ spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ? ++ "enabled with STIBP protection" : "vulnerable"); ++ } + + return sprintf(buf, "%s\n", retbleed_strings[retbleed_mitigation]); + } +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -3981,10 +3981,16 @@ + Speculative Code Execution with Return Instructions) + vulnerability. + +- auto - automatically select a migitation +- unret - force enable untrained return thunks, +- only effective on AMD Zen {1,2} +- based systems. ++ auto - automatically select a migitation ++ auto,nosmt - automatically select a mitigation, ++ disabling SMT if necessary for ++ the full mitigation (only on Zen1 ++ and older without STIBP). ++ unret - force enable untrained return thunks, ++ only effective on AMD f15h-f17h ++ based systems. ++ unret,nosmt - like unret, will disable SMT when STIBP ++ is not available. 
+ + Selecting 'auto' will choose a mitigation method at run + time according to the CPU. diff --git a/patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch b/patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch new file mode 100644 index 0000000..304217c --- /dev/null +++ b/patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch @@ -0,0 +1,115 @@ +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:15:52 +0200 +Subject: x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value +Git-commit: caa0ff24d5d0e02abce5e65c3d2b7f20a6617be5 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Due to TIF_SSBD and TIF_SPEC_IB the actual IA32_SPEC_CTRL value can +differ from x86_spec_ctrl_base. As such, keep a per-CPU value +reflecting the current task's MSR content. + + [jpoimboe: rename] + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/include/asm/nospec-branch.h | 1 + + arch/x86/kernel/cpu/bugs.c | 28 +++++++++++++++++++++++----- + arch/x86/kernel/process.c | 2 +- + 3 files changed, 25 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -253,6 +253,7 @@ static inline void indirect_branch_predi + + /* The Intel SPEC CTRL MSR base value cache */ + extern u64 x86_spec_ctrl_base; ++extern void write_spec_ctrl_current(u64 val); + + /* + * With retpoline, we must use IBRS to restrict branch prediction +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -48,12 +48,30 @@ static void __init taa_select_mitigation + static void __init mmio_select_mitigation(void); + static void __init srbds_select_mitigation(void); + +-/* The base value of the SPEC_CTRL MSR that always has to be preserved. */ ++/* The base value of the SPEC_CTRL MSR without task-specific bits set */ + u64 x86_spec_ctrl_base; + EXPORT_SYMBOL_GPL(x86_spec_ctrl_base); ++ ++/* The current value of the SPEC_CTRL MSR with task-specific bits set */ ++DEFINE_PER_CPU(u64, x86_spec_ctrl_current); ++EXPORT_SYMBOL_GPL(x86_spec_ctrl_current); ++ + static DEFINE_MUTEX(spec_ctrl_mutex); + + /* ++ * Keep track of the SPEC_CTRL MSR value for the current task, which may differ ++ * from x86_spec_ctrl_base due to STIBP/SSB in __speculation_ctrl_update(). ++ */ ++void write_spec_ctrl_current(u64 val) ++{ ++ if (this_cpu_read(x86_spec_ctrl_current) == val) ++ return; ++ ++ this_cpu_write(x86_spec_ctrl_current, val); ++ wrmsrl(MSR_IA32_SPEC_CTRL, val); ++} ++ ++/* + * The vendor and possibly platform specific bits which can be modified in + * x86_spec_ctrl_base. + */ +@@ -1235,7 +1253,7 @@ static void __init spectre_v2_select_mit + if (spectre_v2_in_eibrs_mode(mode)) { + /* Force it so VMEXIT will restore correctly */ + x86_spec_ctrl_base |= SPEC_CTRL_IBRS; +- wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); ++ write_spec_ctrl_current(x86_spec_ctrl_base); + } + + switch (mode) { +@@ -1290,7 +1308,7 @@ static void __init spectre_v2_select_mit + + static void update_stibp_msr(void * __unused) + { +- wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); ++ write_spec_ctrl_current(x86_spec_ctrl_base); + } + + /* Update x86_spec_ctrl_base in case SMT state changed. 
*/ +@@ -1522,7 +1540,7 @@ static enum ssb_mitigation __init __ssb_ + x86_amd_ssb_disable(); + } else { + x86_spec_ctrl_base |= SPEC_CTRL_SSBD; +- wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); ++ write_spec_ctrl_current(x86_spec_ctrl_base); + } + } + +@@ -1740,7 +1758,7 @@ int arch_prctl_spec_ctrl_get(struct task + void x86_spec_ctrl_setup_ap(void) + { + if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) +- wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); ++ write_spec_ctrl_current(x86_spec_ctrl_base); + + if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) + x86_amd_ssb_disable(); +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -599,7 +599,7 @@ static __always_inline void __speculatio + } + + if (updmsr) +- wrmsrl(MSR_IA32_SPEC_CTRL, msr); ++ write_spec_ctrl_current(msr); + } + + static unsigned long speculation_ctrl_update_tif(struct task_struct *tsk) diff --git a/patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch b/patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch new file mode 100644 index 0000000..5de05a8 --- /dev/null +++ b/patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch @@ -0,0 +1,105 @@ +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:15:54 +0200 +Subject: x86/bugs: Optimize SPEC_CTRL MSR writes +Git-commit: c779bc1a9002fa474175b80e72b85c9bf628abb0 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +When changing SPEC_CTRL for user control, the WRMSR can be delayed +until return-to-user when KERNEL_IBRS has been enabled. + +This avoids an MSR write during context switch. + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/include/asm/nospec-branch.h | 2 +- + arch/x86/kernel/cpu/bugs.c | 18 ++++++++++++------ + arch/x86/kernel/process.c | 2 +- + 3 files changed, 14 insertions(+), 8 deletions(-) + +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -344,7 +344,7 @@ static inline void unrestrict_branch_spe + + /* The Intel SPEC CTRL MSR base value cache */ + extern u64 x86_spec_ctrl_base; +-extern void write_spec_ctrl_current(u64 val); ++extern void write_spec_ctrl_current(u64 val, bool force); + + /* + * With retpoline, we must use IBRS to restrict branch prediction +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -60,13 +60,19 @@ static DEFINE_MUTEX(spec_ctrl_mutex); + * Keep track of the SPEC_CTRL MSR value for the current task, which may differ + * from x86_spec_ctrl_base due to STIBP/SSB in __speculation_ctrl_update(). + */ +-void write_spec_ctrl_current(u64 val) ++void write_spec_ctrl_current(u64 val, bool force) + { + if (this_cpu_read(x86_spec_ctrl_current) == val) + return; + + this_cpu_write(x86_spec_ctrl_current, val); +- wrmsrl(MSR_IA32_SPEC_CTRL, val); ++ ++ /* ++ * When KERNEL_IBRS this MSR is written on return-to-user, unless ++ * forced the update can be delayed until that time. 
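++ *
++ * (E.g. __speculation_ctrl_update() passes force=false on context
++ * switch, while the mitigation setup paths pass force=true.)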
++ */ ++ if (force || !cpu_feature_enabled(X86_FEATURE_USE_IBRS)) ++ wrmsrl(MSR_IA32_SPEC_CTRL, val); + } + + /* +@@ -1364,7 +1370,7 @@ static void __init spectre_v2_select_mit + if (spectre_v2_in_eibrs_mode(mode)) { + /* Force it so VMEXIT will restore correctly */ + x86_spec_ctrl_base |= SPEC_CTRL_IBRS; +- write_spec_ctrl_current(x86_spec_ctrl_base); ++ write_spec_ctrl_current(x86_spec_ctrl_base, true); + } + + switch (mode) { +@@ -1423,7 +1429,7 @@ specv2_set_mode: + + static void update_stibp_msr(void * __unused) + { +- write_spec_ctrl_current(x86_spec_ctrl_base); ++ write_spec_ctrl_current(x86_spec_ctrl_base, true); + } + + /* Update x86_spec_ctrl_base in case SMT state changed. */ +@@ -1654,7 +1660,7 @@ static enum ssb_mitigation __init __ssb_ + x86_amd_ssb_disable(); + } else { + x86_spec_ctrl_base |= SPEC_CTRL_SSBD; +- write_spec_ctrl_current(x86_spec_ctrl_base); ++ write_spec_ctrl_current(x86_spec_ctrl_base, true); + } + } + +@@ -1862,7 +1868,7 @@ int arch_prctl_spec_ctrl_get(struct task + void x86_spec_ctrl_setup_ap(void) + { + if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) +- write_spec_ctrl_current(x86_spec_ctrl_base); ++ write_spec_ctrl_current(x86_spec_ctrl_base, true); + + if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) + x86_amd_ssb_disable(); +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -436,7 +436,7 @@ static __always_inline void __speculatio + } + + if (updmsr) +- write_spec_ctrl_current(msr); ++ write_spec_ctrl_current(msr, false); + } + + static unsigned long speculation_ctrl_update_tif(struct task_struct *tsk) diff --git a/patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch b/patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch new file mode 100644 index 0000000..1360e26 --- /dev/null +++ b/patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch @@ -0,0 +1,166 @@ +From: Alexandre Chartre +Date: Tue, 14 Jun 2022 23:15:49 +0200 +Subject: x86/bugs: Report AMD retbleed vulnerability +Git-commit: 6b80b59b3555706508008f1f127b5412c89c7fd8 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Report that AMD x86 CPUs are vulnerable to the RETBleed (Arbitrary +Speculative Code Execution with Return Instructions) attack. 
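+
+The state becomes visible through the new sysfs attribute added below;
+illustrative output on an affected part, with no mitigation implemented
+yet:
+
+  $ cat /sys/devices/system/cpu/vulnerabilities/retbleed
+  Vulnerable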
+ + [peterz: add hygon] + [kim: invert parity; fam15h] + +Co-developed-by: Kim Phillips +Signed-off-by: Kim Phillips +Signed-off-by: Alexandre Chartre +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/include/asm/cpufeatures.h | 1 + + arch/x86/kernel/cpu/bugs.c | 13 +++++++++++++ + arch/x86/kernel/cpu/common.c | 19 +++++++++++++++++++ + drivers/base/cpu.c | 8 ++++++++ + include/linux/cpu.h | 2 ++ + 5 files changed, 43 insertions(+) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -407,5 +407,6 @@ + #define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */ + #define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */ + #define X86_BUG_MMIO_STALE_DATA X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */ ++#define X86_BUG_RETBLEED X86_BUG(26) /* CPU is affected by RETBleed */ + + #endif /* _ASM_X86_CPUFEATURES_H */ +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1882,6 +1882,11 @@ static ssize_t srbds_show_state(char *bu + return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]); + } + ++static ssize_t retbleed_show_state(char *buf) ++{ ++ return sprintf(buf, "Vulnerable\n"); ++} ++ + static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, + char *buf, unsigned int bug) + { +@@ -1929,6 +1934,9 @@ static ssize_t cpu_show_common(struct de + case X86_BUG_MMIO_STALE_DATA: + return mmio_stale_data_show_state(buf); + ++ case X86_BUG_RETBLEED: ++ return retbleed_show_state(buf); ++ + default: + break; + } +@@ -1985,4 +1993,9 @@ ssize_t cpu_show_mmio_stale_data(struct + { + return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA); + } ++ ++ssize_t cpu_show_retbleed(struct device *dev, struct device_attribute *attr, char *buf) ++{ ++ return cpu_show_common(dev, attr, buf, X86_BUG_RETBLEED); ++} + #endif +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -997,16 +997,27 @@ static const __initconst struct x86_cpu_ + {} + }; + ++#define VULNBL(vendor, family, model, blacklist) \ ++ X86_MATCH_VENDOR_FAM_MODEL(vendor, family, model, blacklist) ++ + #define VULNBL_INTEL_STEPPINGS(model, steppings, issues) \ + X86_MATCH_VENDOR_FAM_MODEL_STEPPINGS_FEATURE(INTEL, 6, \ + INTEL_FAM6_##model, steppings, \ + X86_FEATURE_ANY, issues) + ++#define VULNBL_AMD(family, blacklist) \ ++ VULNBL(AMD, family, X86_MODEL_ANY, blacklist) ++ ++#define VULNBL_HYGON(family, blacklist) \ ++ VULNBL(HYGON, family, X86_MODEL_ANY, blacklist) ++ + #define SRBDS BIT(0) + /* CPU is affected by X86_BUG_MMIO_STALE_DATA */ + #define MMIO BIT(1) + /* CPU is affected by Shared Buffers Data Sampling (SBDS), a variant of X86_BUG_MMIO_STALE_DATA */ + #define MMIO_SBDS BIT(2) ++/* CPU is affected by RETbleed, speculating where you would not expect it */ ++#define RETBLEED BIT(3) + + static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = { + VULNBL_INTEL_STEPPINGS(IVYBRIDGE, X86_STEPPING_ANY, SRBDS), +@@ -1032,6 +1043,11 @@ static const struct x86_cpu_id cpu_vuln_ + VULNBL_INTEL_STEPPINGS(ICELAKE_XEON_D, X86_STEPPINGS(0x1, 0x1), MMIO), + VULNBL_INTEL_STEPPINGS(ICELAKE_X, X86_STEPPINGS(0x4, 0x6), MMIO), + VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_D, X86_STEPPING_ANY, MMIO), ++ ++ VULNBL_AMD(0x15, RETBLEED), ++ VULNBL_AMD(0x16, RETBLEED), ++ VULNBL_AMD(0x17, RETBLEED), ++ VULNBL_HYGON(0x18, RETBLEED), + {} + }; + +@@ -1131,6 +1147,9 
@@ static void __init cpu_set_bug_bits(stru + !arch_cap_mmio_immune(ia32_cap)) + setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA); + ++ if (cpu_matches(cpu_vuln_blacklist, RETBLEED)) ++ setup_force_cpu_bug(X86_BUG_RETBLEED); ++ + if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN)) + return; + +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -564,6 +564,12 @@ ssize_t __weak cpu_show_mmio_stale_data( + return sprintf(buf, "Not affected\n"); + } + ++ssize_t __weak cpu_show_retbleed(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ return sprintf(buf, "Not affected\n"); ++} ++ + static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); + static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); + static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL); +@@ -574,6 +580,7 @@ static DEVICE_ATTR(tsx_async_abort, 0444 + static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL); + static DEVICE_ATTR(srbds, 0444, cpu_show_srbds, NULL); + static DEVICE_ATTR(mmio_stale_data, 0444, cpu_show_mmio_stale_data, NULL); ++static DEVICE_ATTR(retbleed, 0444, cpu_show_retbleed, NULL); + + static struct attribute *cpu_root_vulnerabilities_attrs[] = { + &dev_attr_meltdown.attr, +@@ -586,6 +593,7 @@ static struct attribute *cpu_root_vulner + &dev_attr_itlb_multihit.attr, + &dev_attr_srbds.attr, + &dev_attr_mmio_stale_data.attr, ++ &dev_attr_retbleed.attr, + NULL + }; + +--- a/include/linux/cpu.h ++++ b/include/linux/cpu.h +@@ -66,6 +66,8 @@ extern ssize_t cpu_show_itlb_multihit(st + extern ssize_t cpu_show_mmio_stale_data(struct device *dev, + struct device_attribute *attr, + char *buf); ++extern ssize_t cpu_show_retbleed(struct device *dev, ++ struct device_attribute *attr, char *buf); + + extern __printf(4, 5) + struct device *cpu_device_create(struct device *parent, void *drvdata, diff --git a/patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch b/patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch new file mode 100644 index 0000000..f004843 --- /dev/null +++ b/patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch @@ -0,0 +1,159 @@ +From: Peter Zijlstra +Date: Fri, 24 Jun 2022 13:48:58 +0200 +Subject: x86/bugs: Report Intel retbleed vulnerability +Git-commit: 6ad0ad2bf8a67e27d1f9d006a1dabb0e1c360cc3 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Skylake suffers from RSB underflow speculation issues; report this +vulnerability and it's mitigation (spectre_v2=ibrs). 
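+
+E.g., when spectre_v2=ibrs has been selected, the sysfs attribute is
+expected to report (illustrative):
+
+  $ cat /sys/devices/system/cpu/vulnerabilities/retbleed
+  Mitigation: IBRS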
+ + [jpoimboe: cleanups, eibrs] + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/include/asm/msr-index.h | 1 + + arch/x86/kernel/cpu/bugs.c | 39 +++++++++++++++++++++++++++++++++------ + arch/x86/kernel/cpu/common.c | 14 +++++++------- + 3 files changed, 41 insertions(+), 13 deletions(-) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -81,6 +81,7 @@ + #define MSR_IA32_ARCH_CAPABILITIES 0x0000010a + #define ARCH_CAP_RDCL_NO BIT(0) /* Not susceptible to Meltdown */ + #define ARCH_CAP_IBRS_ALL BIT(1) /* Enhanced IBRS support */ ++#define ARCH_CAP_RSBA BIT(2) /* RET may use alternative branch predictors */ + #define ARCH_CAP_SKIP_VMENTRY_L1DFLUSH BIT(3) /* Skip L1D flush on vmentry */ + #define ARCH_CAP_SSB_NO BIT(4) /* + * Not susceptible to Speculative Store Bypass +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -863,12 +863,17 @@ static int __init nospectre_v1_cmdline(c + } + early_param("nospectre_v1", nospectre_v1_cmdline); + ++static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = ++ SPECTRE_V2_NONE; ++ + #undef pr_fmt + #define pr_fmt(fmt) "RETBleed: " fmt + + enum retbleed_mitigation { + RETBLEED_MITIGATION_NONE, + RETBLEED_MITIGATION_UNRET, ++ RETBLEED_MITIGATION_IBRS, ++ RETBLEED_MITIGATION_EIBRS, + }; + + enum retbleed_mitigation_cmd { +@@ -880,6 +885,8 @@ enum retbleed_mitigation_cmd { + const char * const retbleed_strings[] = { + [RETBLEED_MITIGATION_NONE] = "Vulnerable", + [RETBLEED_MITIGATION_UNRET] = "Mitigation: untrained return thunk", ++ [RETBLEED_MITIGATION_IBRS] = "Mitigation: IBRS", ++ [RETBLEED_MITIGATION_EIBRS] = "Mitigation: Enhanced IBRS", + }; + + static enum retbleed_mitigation retbleed_mitigation __ro_after_init = +@@ -922,6 +929,7 @@ early_param("retbleed", retbleed_parse_c + + #define RETBLEED_UNTRAIN_MSG "WARNING: BTB untrained return thunk mitigation is only effective on AMD/Hygon!\n" + #define RETBLEED_COMPILER_MSG "WARNING: kernel not compiled with RETPOLINE or -mfunction-return capable compiler!\n" ++#define RETBLEED_INTEL_MSG "WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!\n" + + static void __init retbleed_select_mitigation(void) + { +@@ -938,12 +946,15 @@ static void __init retbleed_select_mitig + + case RETBLEED_CMD_AUTO: + default: +- if (!boot_cpu_has_bug(X86_BUG_RETBLEED)) +- break; +- + if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || + boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) + retbleed_mitigation = RETBLEED_MITIGATION_UNRET; ++ ++ /* ++ * The Intel mitigation (IBRS) was already selected in ++ * spectre_v2_select_mitigation(). ++ */ ++ + break; + } + +@@ -973,15 +984,31 @@ static void __init retbleed_select_mitig + break; + } + ++ /* ++ * Let IBRS trump all on Intel without affecting the effects of the ++ * retbleed= cmdline option. 
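++ *
++ * (retbleed=off returns early above and is therefore not overridden
++ * here.)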
++ */ ++ if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) { ++ switch (spectre_v2_enabled) { ++ case SPECTRE_V2_IBRS: ++ retbleed_mitigation = RETBLEED_MITIGATION_IBRS; ++ break; ++ case SPECTRE_V2_EIBRS: ++ case SPECTRE_V2_EIBRS_RETPOLINE: ++ case SPECTRE_V2_EIBRS_LFENCE: ++ retbleed_mitigation = RETBLEED_MITIGATION_EIBRS; ++ break; ++ default: ++ pr_err(RETBLEED_INTEL_MSG); ++ } ++ } ++ + pr_info("%s\n", retbleed_strings[retbleed_mitigation]); + } + + #undef pr_fmt + #define pr_fmt(fmt) "Spectre V2 : " fmt + +-static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = +- SPECTRE_V2_NONE; +- + static enum spectre_v2_user_mitigation spectre_v2_user_stibp __ro_after_init = + SPECTRE_V2_USER_NONE; + static enum spectre_v2_user_mitigation spectre_v2_user_ibpb __ro_after_init = +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -1029,17 +1029,17 @@ static const struct x86_cpu_id cpu_vuln_ + VULNBL_INTEL_STEPPINGS(BROADWELL_G, X86_STEPPING_ANY, SRBDS), + VULNBL_INTEL_STEPPINGS(BROADWELL_X, X86_STEPPING_ANY, MMIO), + VULNBL_INTEL_STEPPINGS(BROADWELL, X86_STEPPING_ANY, SRBDS), +- VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPINGS(0x3, 0x3), SRBDS | MMIO), ++ VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPINGS(0x3, 0x3), SRBDS | MMIO | RETBLEED), + VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPING_ANY, SRBDS), + VULNBL_INTEL_STEPPINGS(SKYLAKE_X, BIT(3) | BIT(4) | BIT(6) | +- BIT(7) | BIT(0xB), MMIO), +- VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPINGS(0x3, 0x3), SRBDS | MMIO), ++ BIT(7) | BIT(0xB), MMIO | RETBLEED), ++ VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPINGS(0x3, 0x3), SRBDS | MMIO | RETBLEED), + VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPING_ANY, SRBDS), +- VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPINGS(0x9, 0xC), SRBDS | MMIO), ++ VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPINGS(0x9, 0xC), SRBDS | MMIO | RETBLEED), + VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPINGS(0x0, 0x8), SRBDS), +- VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPINGS(0x9, 0xD), SRBDS | MMIO), ++ VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPINGS(0x9, 0xD), SRBDS | MMIO | RETBLEED), + VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPINGS(0x0, 0x8), SRBDS), +- VULNBL_INTEL_STEPPINGS(ICELAKE_L, X86_STEPPINGS(0x5, 0x5), MMIO | MMIO_SBDS), ++ VULNBL_INTEL_STEPPINGS(ICELAKE_L, X86_STEPPINGS(0x5, 0x5), MMIO | MMIO_SBDS | RETBLEED), + VULNBL_INTEL_STEPPINGS(ICELAKE_XEON_D, X86_STEPPINGS(0x1, 0x1), MMIO), + VULNBL_INTEL_STEPPINGS(ICELAKE_X, X86_STEPPINGS(0x4, 0x6), MMIO), + VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_D, X86_STEPPING_ANY, MMIO), +@@ -1147,7 +1147,7 @@ static void __init cpu_set_bug_bits(stru + !arch_cap_mmio_immune(ia32_cap)) + setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA); + +- if (cpu_matches(cpu_vuln_blacklist, RETBLEED)) ++ if ((cpu_matches(cpu_vuln_blacklist, RETBLEED) || (ia32_cap & ARCH_CAP_RSBA))) + setup_force_cpu_bug(X86_BUG_RETBLEED); + + if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN)) diff --git a/patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch b/patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch new file mode 100644 index 0000000..c204225 --- /dev/null +++ b/patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch @@ -0,0 +1,103 @@ +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:15:56 +0200 +Subject: x86/bugs: Split spectre_v2_select_mitigation() and + spectre_v2_user_select_mitigation() +Git-commit: 166115c08a9b0b846b783088808a27d739be6e8d +Patch-mainline: Queued in tip for 5.19 +Git-repo: 
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +retbleed will depend on spectre_v2, while spectre_v2_user depends on +retbleed. Break this cycle. + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/cpu/bugs.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 2d7896493220..c546a9e4ed17 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -37,8 +37,9 @@ + #include "cpu.h" + + static void __init spectre_v1_select_mitigation(void); +-static void __init retbleed_select_mitigation(void); + static void __init spectre_v2_select_mitigation(void); ++static void __init retbleed_select_mitigation(void); ++static void __init spectre_v2_user_select_mitigation(void); + static void __init ssb_select_mitigation(void); + static void __init l1tf_select_mitigation(void); + static void __init mds_select_mitigation(void); +@@ -145,13 +146,19 @@ void __init check_bugs(void) + + /* Select the proper CPU mitigations before patching alternatives: */ + spectre_v1_select_mitigation(); ++ spectre_v2_select_mitigation(); ++ /* ++ * retbleed_select_mitigation() relies on the state set by ++ * spectre_v2_select_mitigation(); specifically it wants to know about ++ * spectre_v2=ibrs. ++ */ + retbleed_select_mitigation(); + /* +- * spectre_v2_select_mitigation() relies on the state set by ++ * spectre_v2_user_select_mitigation() relies on the state set by + * retbleed_select_mitigation(); specifically the STIBP selection is + * forced for UNRET. + */ +- spectre_v2_select_mitigation(); ++ spectre_v2_user_select_mitigation(); + ssb_select_mitigation(); + l1tf_select_mitigation(); + md_clear_select_mitigation(); +@@ -1013,13 +1020,15 @@ static void __init spec_v2_user_print_cond(const char *reason, bool secure) + pr_info("spectre_v2_user=%s forced on command line.\n", reason); + } + ++static __ro_after_init enum spectre_v2_mitigation_cmd spectre_v2_cmd; ++ + static enum spectre_v2_user_cmd __init +-spectre_v2_parse_user_cmdline(enum spectre_v2_mitigation_cmd v2_cmd) ++spectre_v2_parse_user_cmdline(void) + { + char arg[20]; + int ret, i; + +- switch (v2_cmd) { ++ switch (spectre_v2_cmd) { + case SPECTRE_V2_CMD_NONE: + return SPECTRE_V2_USER_CMD_NONE; + case SPECTRE_V2_CMD_FORCE: +@@ -1054,7 +1063,7 @@ static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode) + } + + static void __init +-spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd) ++spectre_v2_user_select_mitigation(void) + { + enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE; + bool smt_possible = IS_ENABLED(CONFIG_SMP); +@@ -1067,7 +1076,7 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd) + cpu_smt_control == CPU_SMT_NOT_SUPPORTED) + smt_possible = false; + +- cmd = spectre_v2_parse_user_cmdline(v2_cmd); ++ cmd = spectre_v2_parse_user_cmdline(); + switch (cmd) { + case SPECTRE_V2_USER_CMD_NONE: + goto set_mode; +@@ -1391,7 +1400,7 @@ static void __init spectre_v2_select_mitigation(void) + } + + /* Set up IBPB and STIBP depending on the general spectre V2 command */ +- spectre_v2_user_select_mitigation(cmd); ++ spectre_v2_cmd = cmd; + } + + static void update_stibp_msr(void * __unused) + diff --git a/patches.suse/x86-common-Stamp-out-the-stepping-madness.patch 
b/patches.suse/x86-common-Stamp-out-the-stepping-madness.patch new file mode 100644 index 0000000..cfe5893 --- /dev/null +++ b/patches.suse/x86-common-Stamp-out-the-stepping-madness.patch @@ -0,0 +1,60 @@ +From: Peter Zijlstra +Date: Fri, 24 Jun 2022 14:03:25 +0200 +Subject: x86/common: Stamp out the stepping madness +Git-commit: 7a05bc95ed1c5a59e47aaade9fb4083c27de9e62 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +The whole MMIO/RETBLEED enumeration went overboard on steppings. Get +rid of all that and simply use ANY. + +If a future stepping of these models would not be affected, it had +better set the relevant ARCH_CAP_$FOO_NO bit in +IA32_ARCH_CAPABILITIES. + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Acked-by: Dave Hansen +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/cpu/common.c | 25 ++++++++++--------------- + 1 file changed, 10 insertions(+), 15 deletions(-) + +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -1024,24 +1024,19 @@ static const struct x86_cpu_id cpu_vuln_ + VULNBL_INTEL_STEPPINGS(HASWELL, X86_STEPPING_ANY, SRBDS), + VULNBL_INTEL_STEPPINGS(HASWELL_L, X86_STEPPING_ANY, SRBDS), + VULNBL_INTEL_STEPPINGS(HASWELL_G, X86_STEPPING_ANY, SRBDS), +- VULNBL_INTEL_STEPPINGS(HASWELL_X, BIT(2) | BIT(4), MMIO), +- VULNBL_INTEL_STEPPINGS(BROADWELL_D, X86_STEPPINGS(0x3, 0x5), MMIO), ++ VULNBL_INTEL_STEPPINGS(HASWELL_X, X86_STEPPING_ANY, MMIO), ++ VULNBL_INTEL_STEPPINGS(BROADWELL_D, X86_STEPPING_ANY, MMIO), + VULNBL_INTEL_STEPPINGS(BROADWELL_G, X86_STEPPING_ANY, SRBDS), + VULNBL_INTEL_STEPPINGS(BROADWELL_X, X86_STEPPING_ANY, MMIO), + VULNBL_INTEL_STEPPINGS(BROADWELL, X86_STEPPING_ANY, SRBDS), +- VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPINGS(0x3, 0x3), SRBDS | MMIO | RETBLEED), +- VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPING_ANY, SRBDS), +- VULNBL_INTEL_STEPPINGS(SKYLAKE_X, BIT(3) | BIT(4) | BIT(6) | +- BIT(7) | BIT(0xB), MMIO | RETBLEED), +- VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPINGS(0x3, 0x3), SRBDS | MMIO | RETBLEED), +- VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPING_ANY, SRBDS), +- VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPINGS(0x9, 0xC), SRBDS | MMIO | RETBLEED), +- VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPINGS(0x0, 0x8), SRBDS), +- VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPINGS(0x9, 0xD), SRBDS | MMIO | RETBLEED), +- VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPINGS(0x0, 0x8), SRBDS), +- VULNBL_INTEL_STEPPINGS(ICELAKE_L, X86_STEPPINGS(0x5, 0x5), MMIO | MMIO_SBDS | RETBLEED), +- VULNBL_INTEL_STEPPINGS(ICELAKE_XEON_D, X86_STEPPINGS(0x1, 0x1), MMIO), +- VULNBL_INTEL_STEPPINGS(ICELAKE_X, X86_STEPPINGS(0x4, 0x6), MMIO), ++ VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED), ++ VULNBL_INTEL_STEPPINGS(SKYLAKE_X, X86_STEPPING_ANY, MMIO | RETBLEED), ++ VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED), ++ VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED), ++ VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED), ++ VULNBL_INTEL_STEPPINGS(ICELAKE_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED), ++ VULNBL_INTEL_STEPPINGS(ICELAKE_XEON_D, X86_STEPPING_ANY, MMIO), ++ VULNBL_INTEL_STEPPINGS(ICELAKE_X, X86_STEPPING_ANY, MMIO), + VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_D, X86_STEPPING_ANY, MMIO), + + VULNBL_AMD(0x15, RETBLEED), diff --git a/patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch 
b/patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch new file mode 100644 index 0000000..65561a2 --- /dev/null +++ b/patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch @@ -0,0 +1,107 @@ +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:16:04 +0200 +Subject: x86/cpu/amd: Add Spectral Chicken +Git-commit: d7caac991feeef1b871ee6988fd2c9725df09039 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Zen2 uarchs have an undocumented, unnamed, MSR that contains a chicken +bit for some speculation behaviour. It needs setting. + +Note: very belatedly AMD released naming; it's now officially called + MSR_AMD64_DE_CFG2 and MSR_AMD64_DE_CFG2_SUPPRESS_NOBR_PRED_BIT + but shall remain the SPECTRAL CHICKEN. + +Suggested-by: Andrew Cooper +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/include/asm/msr-index.h | 3 +++ + arch/x86/kernel/cpu/amd.c | 26 +++++++++++++++++++++++++- + arch/x86/kernel/cpu/cpu.h | 2 ++ + arch/x86/kernel/cpu/hygon.c | 6 ++++++ + 4 files changed, 36 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -425,6 +425,9 @@ + /* Fam 17h MSRs */ + #define MSR_F17H_IRPERF 0xc00000e9 + ++#define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3 ++#define MSR_ZEN2_SPECTRAL_CHICKEN_BIT BIT_ULL(1) ++ + /* Fam 16h MSRs */ + #define MSR_F16H_L2I_PERF_CTL 0xc0010230 + #define MSR_F16H_L2I_PERF_CTR 0xc0010231 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -875,6 +875,26 @@ static void init_amd_bd(struct cpuinfo_x + clear_rdrand_cpuid_bit(c); + } + ++void init_spectral_chicken(struct cpuinfo_x86 *c) ++{ ++ u64 value; ++ ++ /* ++ * On Zen2 we offer this chicken (bit) on the altar of Speculation. ++ * ++ * This suppresses speculation from the middle of a basic block, i.e. it ++ * suppresses non-branch predictions. 
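++ *
++ * (Illustrative intent: the rdmsrl_safe()/wrmsrl_safe() pair below
++ * makes the poke a no-op on parts that lack the MSR.)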
++ * ++ * We use STIBP as a heuristic to filter out Zen2 from the rest of F17H ++ */ ++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_AMD_STIBP)) { ++ if (!rdmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, &value)) { ++ value |= MSR_ZEN2_SPECTRAL_CHICKEN_BIT; ++ wrmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, value); ++ } ++ } ++} ++ + static void init_amd_zn(struct cpuinfo_x86 *c) + { + set_cpu_cap(c, X86_FEATURE_ZEN); +@@ -920,7 +940,11 @@ static void init_amd(struct cpuinfo_x86 + case 0x12: init_amd_ln(c); break; + case 0x15: init_amd_bd(c); break; + case 0x16: init_amd_jg(c); break; +- case 0x17: init_amd_zn(c); break; ++ case 0x17: ++ init_spectral_chicken(c); ++ init_amd_zn(c); ++ break; ++ + } + + /* +--- a/arch/x86/kernel/cpu/cpu.h ++++ b/arch/x86/kernel/cpu/cpu.h +@@ -60,6 +60,8 @@ extern void tsx_disable(void); + static inline void tsx_init(void) { } + #endif /* CONFIG_CPU_SUP_INTEL */ + ++extern void init_spectral_chicken(struct cpuinfo_x86 *c); ++ + extern void get_cpu_cap(struct cpuinfo_x86 *c); + extern void cpu_detect_cache_sizes(struct cpuinfo_x86 *c); + extern void x86_spec_ctrl_setup_ap(void); +--- a/arch/x86/kernel/cpu/hygon.c ++++ b/arch/x86/kernel/cpu/hygon.c +@@ -318,6 +318,12 @@ static void init_hygon(struct cpuinfo_x8 + /* get apicid instead of initial apic id from cpuid */ + c->apicid = hard_smp_processor_id(); + ++ /* ++ * XXX someone from Hygon needs to confirm this DTRT ++ * ++ init_spectral_chicken(c); ++ */ ++ + set_cpu_cap(c, X86_FEATURE_ZEN); + set_cpu_cap(c, X86_FEATURE_CPB); + diff --git a/patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch b/patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch new file mode 100644 index 0000000..3bef428 --- /dev/null +++ b/patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch @@ -0,0 +1,80 @@ +From: Andrew Cooper +Date: Fri, 24 Jun 2022 14:41:21 +0100 +Subject: x86/cpu/amd: Enumerate BTC_NO +Git-commit: 26aae8ccbc1972233afd08fb3f368947c0314265 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +BTC_NO indicates that hardware is not susceptible to Branch Type Confusion. + +Zen3 CPUs don't suffer BTC. + +Hypervisors are expected to synthesise BTC_NO when it is appropriate +given the migration pool, to prevent kernels using heuristics. + + [ bp: Massage. ] + +Signed-off-by: Andrew Cooper +Signed-off-by: Borislav Petkov +--- + arch/x86/include/asm/cpufeatures.h | 1 + + arch/x86/kernel/cpu/amd.c | 21 +++++++++++++++------ + arch/x86/kernel/cpu/common.c | 6 ++++-- + 3 files changed, 20 insertions(+), 8 deletions(-) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -304,6 +304,7 @@ + #define X86_FEATURE_AMD_SSBD (13*32+24) /* "" Speculative Store Bypass Disable */ + #define X86_FEATURE_VIRT_SSBD (13*32+25) /* Virtualized Speculative Store Bypass Disable */ + #define X86_FEATURE_AMD_SSB_NO (13*32+26) /* "" Speculative Store Bypass is fixed in hardware. */ ++#define X86_FEATURE_BTC_NO (13*32+29) /* "" Not vulnerable to Branch Type Confusion */ + + /* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */ + #define X86_FEATURE_DTHERM (14*32+ 0) /* Digital Thermal Sensor */ +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -903,12 +903,21 @@ static void init_amd_zn(struct cpuinfo_x + node_reclaim_distance = 32; + #endif + +- /* +- * Fix erratum 1076: CPB feature bit not being set in CPUID. +- * Always set it, except when running under a hypervisor. 
+- */ +- if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && !cpu_has(c, X86_FEATURE_CPB)) +- set_cpu_cap(c, X86_FEATURE_CPB); ++ /* Fix up CPUID bits, but only if not virtualised. */ ++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) { ++ ++ /* Erratum 1076: CPB feature bit not being set in CPUID. */ ++ if (!cpu_has(c, X86_FEATURE_CPB)) ++ set_cpu_cap(c, X86_FEATURE_CPB); ++ ++ /* ++ * Zen3 (Fam19 model < 0x10) parts are not susceptible to ++ * Branch Type Confusion, but predate the allocation of the ++ * BTC_NO bit. ++ */ ++ if (c->x86 == 0x19 && !cpu_has(c, X86_FEATURE_BTC_NO)) ++ set_cpu_cap(c, X86_FEATURE_BTC_NO); ++ } + } + + static void init_amd(struct cpuinfo_x86 *c) +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -1142,8 +1142,10 @@ static void __init cpu_set_bug_bits(stru + !arch_cap_mmio_immune(ia32_cap)) + setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA); + +- if ((cpu_matches(cpu_vuln_blacklist, RETBLEED) || (ia32_cap & ARCH_CAP_RSBA))) +- setup_force_cpu_bug(X86_BUG_RETBLEED); ++ if (!cpu_has(c, X86_FEATURE_BTC_NO)) { ++ if (cpu_matches(cpu_vuln_blacklist, RETBLEED) || (ia32_cap & ARCH_CAP_RSBA)) ++ setup_force_cpu_bug(X86_BUG_RETBLEED); ++ } + + if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN)) + return; diff --git a/patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch b/patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch new file mode 100644 index 0000000..967fc39 --- /dev/null +++ b/patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch @@ -0,0 +1,44 @@ +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:15:33 +0200 +Subject: x86/cpufeatures: Move RETPOLINE flags to word 11 +Git-commit: a883d624aed463c84c22596006e5a96f5b44db31 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in tip for v5.19 +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +In order to extend the RETPOLINE features to 4, move them to word 11 +where there is still room. This mostly keeps DISABLE_RETPOLINE +simple. + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/include/asm/cpufeatures.h | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -203,8 +203,8 @@ + #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */ + #define X86_FEATURE_SME ( 7*32+10) /* AMD Secure Memory Encryption */ + #define X86_FEATURE_PTI ( 7*32+11) /* Kernel Page Table Isolation enabled */ +-#define X86_FEATURE_RETPOLINE ( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */ +-#define X86_FEATURE_RETPOLINE_LFENCE ( 7*32+13) /* "" Use LFENCE for Spectre variant 2 */ ++/* FREE! ( 7*32+12) */ ++/* FREE! ( 7*32+13) */ + #define X86_FEATURE_INTEL_PPIN ( 7*32+14) /* Intel Processor Inventory Number */ + #define X86_FEATURE_CDP_L2 ( 7*32+15) /* Code and Data Prioritization L2 */ + #define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */ +@@ -282,6 +282,10 @@ + #define X86_FEATURE_CQM_MBM_LOCAL (11*32+ 3) /* LLC Local MBM monitoring */ + #define X86_FEATURE_FENCE_SWAPGS_USER (11*32+ 4) /* "" LFENCE in user entry SWAPGS path */ + #define X86_FEATURE_FENCE_SWAPGS_KERNEL (11*32+ 5) /* "" LFENCE in kernel entry SWAPGS path */ ++/* FREE! (11*32+10) */ ++/* FREE! 
(11*32+11) */ ++#define X86_FEATURE_RETPOLINE (11*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */ ++#define X86_FEATURE_RETPOLINE_LFENCE (11*32+13) /* "" Use LFENCE for Spectre variant 2 */ + + /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ + #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */ diff --git a/patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch b/patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch new file mode 100644 index 0000000..b7ed0fc --- /dev/null +++ b/patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch @@ -0,0 +1,126 @@ +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:15:53 +0200 +Subject: x86/entry: Add kernel IBRS implementation +Git-commit: 2dbb887e875b1de3ca8f40ddf26bcfe55798c609 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Implement Kernel IBRS - currently the only known option to mitigate RSB +underflow speculation issues on Skylake hardware. + +Note: since IBRS_ENTER requires fuller context established than +UNTRAIN_RET, it must be placed after it. However, since UNTRAIN_RET +itself implies a RET, it must come after IBRS_ENTER. This means +IBRS_ENTER needs to also move UNTRAIN_RET. + +Note 2: KERNEL_IBRS is sub-optimal for XenPV. + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf + + [ bp: Use the IBRS implementation which is already present in the SLE kernel ] + +Signed-off-by: Borislav Petkov +--- + arch/x86/entry/entry_64.S | 14 ++++++++------ + arch/x86/entry/entry_64_compat.S | 8 ++++---- + 2 files changed, 12 insertions(+), 10 deletions(-) + +--- a/arch/x86/entry/entry_64_compat.S ++++ b/arch/x86/entry/entry_64_compat.S +@@ -3,7 +3,6 @@ + * + * Copyright 2000-2002 Andi Kleen, SuSE Labs. + */ +-#include "calling.h" + #include + #include + #include +@@ -17,6 +16,8 @@ + #include + #include + ++#include "calling.h" ++ + .section .entry.text, "ax" + + /* +@@ -54,8 +55,6 @@ ENTRY(entry_SYSENTER_compat) + SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp + + movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp +- /* Restrict Indirect Branch Speculation */ +- RESTRICT_IB_SPEC + + /* + * User tracing code (ptrace or signal handlers) might assume that +@@ -108,6 +107,8 @@ ENTRY(entry_SYSENTER_compat) + xorl %r15d, %r15d /* nospec r15 */ + cld + ++ ++ RESTRICT_IB_SPEC + UNTRAIN_RET + + /* +@@ -250,7 +251,6 @@ GLOBAL(entry_SYSCALL_compat_after_hwfram + + /* Restrict Indirect Branch Speculation. All registers are saved already */ + RESTRICT_IB_SPEC_CLOBBER +- + UNTRAIN_RET + + /* User mode is traced as though IRQs are on, and SYSENTER +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -215,8 +215,6 @@ ENTRY(entry_SYSCALL_64) + */ + movq %rsp, PER_CPU_VAR(rsp_scratch) + movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp +- /* Restrict Indirect Branch Speculation */ +- RESTRICT_IB_SPEC + + /* Construct struct pt_regs on stack */ + pushq $__USER_DS /* pt_regs->ss */ +@@ -234,6 +232,9 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) + /* IRQs are off. 
*/ + movq %rsp, %rdi + ++ /* Restrict Indirect Branch Speculation */ ++ RESTRICT_IB_SPEC ++ + UNTRAIN_RET + + call do_syscall_64 /* returns with IRQs disabled */ +@@ -1192,6 +1193,7 @@ ENTRY(paranoid_entry) + SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14 + /* Restrict Indirect Branch speculation */ + RESTRICT_IB_SPEC_SAVE_AND_CLOBBER save_reg=%r13d ++ UNTRAIN_RET + /* + * The above SAVE_AND_SWITCH_TO_KERNEL_CR3 macro doesn't do an + * unconditional CR3 write, even in the PTI case. So do an lfence +@@ -1420,10 +1422,6 @@ ENTRY(nmi) + movq %rsp, %rdx + movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp + +- /* Restrict Indirect Branch Speculation */ +- RESTRICT_IB_SPEC +- UNTRAIN_RET +- + UNWIND_HINT_IRET_REGS base=%rdx offset=8 + pushq 5*8(%rdx) /* pt_regs->ss */ + pushq 4*8(%rdx) /* pt_regs->rsp */ +@@ -1435,6 +1433,10 @@ ENTRY(nmi) + PUSH_AND_CLEAR_REGS rdx=(%rdx) + ENCODE_FRAME_POINTER + ++ /* Restrict Indirect Branch Speculation */ ++ RESTRICT_IB_SPEC ++ UNTRAIN_RET ++ + /* + * At this point we no longer need to worry about stack damage + * due to nesting -- we're on the normal thread stack and we're diff --git a/patches.suse/x86-idle-Control-Indirect-Branch-Speculation-in-idle.patch b/patches.suse/x86-idle-Control-Indirect-Branch-Speculation-in-idle.patch deleted file mode 100644 index 14fc7da..0000000 --- a/patches.suse/x86-idle-Control-Indirect-Branch-Speculation-in-idle.patch +++ /dev/null @@ -1,72 +0,0 @@ -From: Thomas Gleixner -Date: Mon, 15 Jan 2018 14:07:23 +0100 -Subject: x86/idle: Control Indirect Branch Speculation in idle -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux.git -Git-commit: ec3bf60dd38f67dace74986b31177892884bb787 -Patch-mainline: Queued in subsystem maintainer repository -References: bsc#1068032 CVE-2017-5753 - -Indirect Branch Speculation (IBS) is controlled per physical core. If one -thread disables it then it's disabled for the core. If a thread enters idle -it makes sense to reenable IBS so the sibling thread can run with full -speculation enabled in user space. - -This makes only sense in mwait_idle_with_hints() because mwait_idle() can -serve an interrupt immediately before speculation can be stopped again. SKL -which requires IBRS should use mwait_idle_with_hints() so this is a non -issue and in the worst case a missed optimization. - -Originally-by: Tim Chen -Signed-off-by: Thomas Gleixner -Signed-off-by: Jiri Slaby ---- - arch/x86/include/asm/mwait.h | 13 +++++++++++++ - arch/x86/kernel/process.c | 14 ++++++++++++++ - 2 files changed, 27 insertions(+) - ---- a/arch/x86/include/asm/mwait.h -+++ b/arch/x86/include/asm/mwait.h -@@ -112,7 +112,20 @@ static inline void mwait_idle_with_hints - mb(); - } - -+ /* -+ * Indirect Branch Speculation (IBS) is controlled per -+ * physical core. If one thread disables it, then it's -+ * disabled on all threads of the core. The kernel disables -+ * it on entry from user space. Reenable it on the thread -+ * which goes idle so the other thread has a chance to run -+ * with full speculation enabled in userspace. -+ */ -+ unrestrict_branch_speculation(); - __monitor((void *)¤t_thread_info()->flags, 0, 0); -+ /* -+ * Restrict IBS again to protect kernel execution. -+ */ -+ restrict_branch_speculation(); - if (!need_resched()) - __mwait(eax, ecx); - } ---- a/arch/x86/kernel/process.c -+++ b/arch/x86/kernel/process.c -@@ -674,6 +674,20 @@ static __cpuidle void mwait_idle(void) - mb(); /* quirk */ - } - -+ /* -+ * Indirect Branch Speculation (IBS) is controlled per -+ * physical core. 
If one thread disables it, then it's -+ * disabled on all threads of the core. The kernel disables -+ * it on entry from user space. For __sti_mwait() it's -+ * wrong to reenable it because an interrupt can be served -+ * before speculation can be stopped again. -+ * -+ * To plug that hole the interrupt entry code would need to -+ * save current state and restore. Not worth the trouble as -+ * SKL should not use mwait_idle(). It should use -+ * mwait_idle_with_hints() which can do speculation control -+ * safely. -+ */ - __monitor((void *)¤t_thread_info()->flags, 0, 0); - if (!need_resched()) - __sti_mwait(0, 0); diff --git a/patches.suse/x86-kexec-Disable-RET-on-kexec.patch b/patches.suse/x86-kexec-Disable-RET-on-kexec.patch new file mode 100644 index 0000000..f4455be --- /dev/null +++ b/patches.suse/x86-kexec-Disable-RET-on-kexec.patch @@ -0,0 +1,144 @@ +From: Konrad Rzeszutek Wilk +Date: Fri, 8 Jul 2022 19:10:11 +0200 +Subject: [PATCH] x86/kexec: Disable RET on kexec +Git-commit: 4c5d5e03fbcc1ebfee05498edc7b47915921c76c +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +All the invocations unroll to __x86_return_thunk and this file +must be PIC independent. + +This fixes kexec on 64-bit AMD boxes. + +Reported-by: Edward Tran +Reported-by: Awais Tanveer +Suggested-by: Ankur Arora +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Alexandre Chartre +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/relocate_kernel_32.S | 16 +++++++++++----- + arch/x86/kernel/relocate_kernel_64.S | 18 ++++++++++++------ + 2 files changed, 23 insertions(+), 11 deletions(-) + +--- a/arch/x86/kernel/relocate_kernel_32.S ++++ b/arch/x86/kernel/relocate_kernel_32.S +@@ -12,7 +12,8 @@ + #include + + /* +- * Must be relocatable PIC code callable as a C function ++ * Must be relocatable PIC code callable as a C function, in particular ++ * there must be a plain RET and not jump to return thunk. + */ + + #define PTR(x) (x << 2) +@@ -94,7 +95,8 @@ relocate_kernel: + movl %edi, %eax + addl $(identity_mapped - relocate_kernel), %eax + pushl %eax +- RET ++ ret ++ int3 + + identity_mapped: + /* set return address to 0 if not preserving context */ +@@ -161,12 +163,14 @@ identity_mapped: + xorl %edx, %edx + xorl %esi, %esi + xorl %ebp, %ebp +- RET ++ ret ++ int3 + 1: + popl %edx + movl CP_PA_SWAP_PAGE(%edi), %esp + addl $PAGE_SIZE, %esp + 2: ++ ANNOTATE_RETPOLINE_SAFE + call *%edx + + /* get the re-entry point of the peer system */ +@@ -209,7 +213,8 @@ virtual_mapped: + popl %edi + popl %esi + popl %ebx +- RET ++ ret ++ int3 + + /* Do the copies */ + swap_pages: +@@ -271,7 +276,8 @@ swap_pages: + popl %edi + popl %ebx + popl %ebp +- RET ++ ret ++ int3 + + .globl kexec_control_code_size + .set kexec_control_code_size, . - relocate_kernel +--- a/arch/x86/kernel/relocate_kernel_64.S ++++ b/arch/x86/kernel/relocate_kernel_64.S +@@ -13,7 +13,8 @@ + #include + + /* +- * Must be relocatable PIC code callable as a C function ++ * Must be relocatable PIC code callable as a C function, in particular ++ * there must be a plain RET and not jump to return thunk. 
+ */ + + #define PTR(x) (x << 3) +@@ -104,7 +105,8 @@ relocate_kernel: + /* jump to identity mapped page */ + addq $(identity_mapped - relocate_kernel), %r8 + pushq %r8 +- RET ++ ret ++ int3 + + identity_mapped: + /* set return address to 0 if not preserving context */ +@@ -189,7 +191,8 @@ identity_mapped: + xorl %r14d, %r14d + xorl %r15d, %r15d + +- RET ++ ret ++ int3 + + 1: + popq %rdx +@@ -210,7 +213,8 @@ identity_mapped: + call swap_pages + movq $virtual_mapped, %rax + pushq %rax +- RET ++ ret ++ int3 + + virtual_mapped: + movq RSP(%r8), %rsp +@@ -229,7 +233,8 @@ virtual_mapped: + popq %r12 + popq %rbp + popq %rbx +- RET ++ ret ++ int3 + + /* Do the copies */ + swap_pages: +@@ -284,7 +289,8 @@ swap_pages: + lea PAGE_SIZE(%rax), %rsi + jmp 0b + 3: +- RET ++ ret ++ int3 + + .globl kexec_control_code_size + .set kexec_control_code_size, . - relocate_kernel diff --git a/patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch b/patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch new file mode 100644 index 0000000..ab5d1ba --- /dev/null +++ b/patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch @@ -0,0 +1,93 @@ +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:15:42 +0200 +Subject: x86/kvm: Fix SETcc emulation for return thunks +Git-commit: af2e140f34208a5dfb6b7a8ad2d56bda88f0524d +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Prepare the SETcc fastop stuff for when RET can be larger still. + +The tricky bit here is that the expressions should not only be +constant C expressions, but also absolute GAS expressions. This means +no ?: and 'true' is ~0. + +Also ensure em_setcc() has the same alignment as the actual FOP_SETCC() +ops, this ensures there cannot be an alignment hole between em_setcc() +and the first op. + +Additionally, add a .skip directive to the FOP_SETCC() macro to fill +any remaining space with INT3 traps; however the primary purpose of +this directive is to generate AS warnings when the remaining space +goes negative. Which is a very good indication the alignment magic +went side-ways. 
+
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Borislav Petkov
+Reviewed-by: Josh Poimboeuf
+Signed-off-by: Borislav Petkov
+---
+ arch/x86/kvm/emulate.c | 31 ++++++++++++++++++++++++++-----
+ 1 file changed, 26 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -321,11 +321,18 @@ static int fastop(struct x86_emulate_ctx
+
+ #define FOP_RET "ret \n\t"
+
+-#define FOP_START(op) \
++#define __FOP_RET(name) \
++ "11: " ASM_RET \
++ ".size " name ", .-" name "\n\t"
++
++#define __FOP_START(op, align) \
+ extern void em_##op(struct fastop *fake); \
+ asm(".pushsection .text, \"ax\" \n\t" \
+ ".global em_" #op " \n\t" \
+- FOP_FUNC("em_" #op)
++ ".align " __stringify(align) " \n\t" \
++ "em_" #op ":\n\t"
++
++#define FOP_START(op) __FOP_START(op, FASTOP_SIZE)
+
+ #define FOP_END \
+ ".popsection")
+@@ -419,20 +426,34 @@ static int fastop(struct x86_emulate_ctx
+ ON64(FOP3E(op##q, rax, rdx, cl)) \
+ FOP_END
+
++/*
++ * Depending on .config the SETcc functions look like:
++ *
++ * ENDBR [4 bytes; CONFIG_X86_KERNEL_IBT]
++ * SETcc %al [3 bytes]
++ * RET | JMP __x86_return_thunk [1,5 bytes; CONFIG_RETPOLINE]
++ * INT3 [1 byte; CONFIG_SLS]
++ */
++#define RET_LENGTH (1 + (4 * IS_ENABLED(CONFIG_RETPOLINE)) + \
++ IS_ENABLED(CONFIG_SLS))
++#define SETCC_LENGTH (3 + RET_LENGTH)
++#define SETCC_ALIGN (4 << ((SETCC_LENGTH > 4) & 1) << ((SETCC_LENGTH > 8) & 1))
++
+ /* Special case for SETcc - 1 instruction per cc */
+ #define FOP_SETCC(op) \
+- ".align 4 \n\t" \
++ ".align " __stringify(SETCC_ALIGN) " \n\t" \
+ ".type " #op ", @function \n\t" \
+ #op ": \n\t" \
+ #op " %al \n\t" \
+- FOP_RET
++ __FOP_RET(#op) \
++ ".skip " __stringify(SETCC_ALIGN) " - (.-" #op "), 0xcc \n\t"
+
+ asm(".pushsection .fixup, \"ax\"\n"
+ ".global kvm_fastop_exception \n"
+ "kvm_fastop_exception: xor %esi, %esi; " ASM_RET
+ ".popsection");
+
+-FOP_START(setcc)
++__FOP_START(setcc, SETCC_ALIGN)
+ FOP_SETCC(seto)
+ FOP_SETCC(setno)
+ FOP_SETCC(setc)
diff --git a/patches.suse/x86-lib-atomic64_386_32-rename-things.patch b/patches.suse/x86-lib-atomic64_386_32-rename-things.patch
new file mode 100644
index 0000000..4782bf6
--- /dev/null
+++ b/patches.suse/x86-lib-atomic64_386_32-rename-things.patch
@@ -0,0 +1,242 @@
+From: Peter Zijlstra
+Date: Sat, 4 Dec 2021 14:43:39 +0100
+Subject: x86/lib/atomic64_386_32: Rename things
+Git-commit: 22da5a07c75e1104caf6a42f189c97b83d070073
+Patch-mainline: v5.17-rc1
+References: bsc#1201050 CVE-2021-26341
+
+Principally, in order to get rid of #define RET in this code to make
+place for a new RET, but also to clarify the code, rename a bunch of
+things:
+
+ s/UNLOCK/IRQ_RESTORE/
+ s/LOCK/IRQ_SAVE/
+ s/BEGIN/BEGIN_IRQ_SAVE/
+ s/\<RET\>/RET_IRQ_RESTORE/
+ s/RET_ENDP/\tRET_IRQ_RESTORE\rENDP/
+
+which then leaves RET unused so it can be removed.
+ +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20211204134907.841623970@infradead.org +--- + arch/x86/lib/atomic64_386_32.S | 84 ++++++++++++++++++++++------------------- + 1 file changed, 46 insertions(+), 38 deletions(-) + +--- a/arch/x86/lib/atomic64_386_32.S ++++ b/arch/x86/lib/atomic64_386_32.S +@@ -9,81 +9,83 @@ + #include + + /* if you want SMP support, implement these with real spinlocks */ +-.macro LOCK reg ++.macro IRQ_SAVE reg + pushfl + cli + .endm + +-.macro UNLOCK reg ++.macro IRQ_RESTORE reg + popfl + .endm + +-#define BEGIN(op) \ ++#define BEGIN_IRQ_SAVE(op) \ + .macro endp; \ + ENDPROC(atomic64_##op##_386); \ + .purgem endp; \ + .endm; \ + ENTRY(atomic64_##op##_386); \ +- LOCK v; ++ IRQ_SAVE v; + + #define ENDP endp + +-#define RET \ +- UNLOCK v; \ ++#define RET_IRQ_RESTORE \ ++ IRQ_RESTORE v; \ + ret + +-#define RET_ENDP \ +- RET; \ +- ENDP +- + #define v %ecx +-BEGIN(read) ++BEGIN_IRQ_SAVE(read) + movl (v), %eax + movl 4(v), %edx +-RET_ENDP ++ RET_IRQ_RESTORE ++ENDP + #undef v + + #define v %esi +-BEGIN(set) ++BEGIN_IRQ_SAVE(set) + movl %ebx, (v) + movl %ecx, 4(v) +-RET_ENDP ++ RET_IRQ_RESTORE ++ENDP + #undef v + + #define v %esi +-BEGIN(xchg) ++BEGIN_IRQ_SAVE(xchg) + movl (v), %eax + movl 4(v), %edx + movl %ebx, (v) + movl %ecx, 4(v) +-RET_ENDP ++ RET_IRQ_RESTORE ++ENDP + #undef v + + #define v %ecx +-BEGIN(add) ++BEGIN_IRQ_SAVE(add) + addl %eax, (v) + adcl %edx, 4(v) +-RET_ENDP ++ RET_IRQ_RESTORE ++ENDP + #undef v + + #define v %ecx +-BEGIN(add_return) ++BEGIN_IRQ_SAVE(add_return) + addl (v), %eax + adcl 4(v), %edx + movl %eax, (v) + movl %edx, 4(v) +-RET_ENDP ++ RET_IRQ_RESTORE ++ENDP + #undef v + + #define v %ecx +-BEGIN(sub) ++BEGIN_IRQ_SAVE(sub) + subl %eax, (v) + sbbl %edx, 4(v) +-RET_ENDP ++ RET_IRQ_RESTORE ++ENDP + #undef v + + #define v %ecx +-BEGIN(sub_return) ++BEGIN_IRQ_SAVE(sub_return) + negl %edx + negl %eax + sbbl $0, %edx +@@ -91,47 +93,52 @@ BEGIN(sub_return) + adcl 4(v), %edx + movl %eax, (v) + movl %edx, 4(v) +-RET_ENDP ++ RET_IRQ_RESTORE ++ENDP + #undef v + + #define v %esi +-BEGIN(inc) ++BEGIN_IRQ_SAVE(inc) + addl $1, (v) + adcl $0, 4(v) +-RET_ENDP ++ RET_IRQ_RESTORE ++ENDP + #undef v + + #define v %esi +-BEGIN(inc_return) ++BEGIN_IRQ_SAVE(inc_return) + movl (v), %eax + movl 4(v), %edx + addl $1, %eax + adcl $0, %edx + movl %eax, (v) + movl %edx, 4(v) +-RET_ENDP ++ RET_IRQ_RESTORE ++ENDP + #undef v + + #define v %esi +-BEGIN(dec) ++BEGIN_IRQ_SAVE(dec) + subl $1, (v) + sbbl $0, 4(v) +-RET_ENDP ++ RET_IRQ_RESTORE ++ENDP + #undef v + + #define v %esi +-BEGIN(dec_return) ++BEGIN_IRQ_SAVE(dec_return) + movl (v), %eax + movl 4(v), %edx + subl $1, %eax + sbbl $0, %edx + movl %eax, (v) + movl %edx, 4(v) +-RET_ENDP ++ RET_IRQ_RESTORE ++ENDP + #undef v + + #define v %esi +-BEGIN(add_unless) ++BEGIN_IRQ_SAVE(add_unless) + addl %eax, %ecx + adcl %edx, %edi + addl (v), %eax +@@ -143,7 +150,7 @@ BEGIN(add_unless) + movl %edx, 4(v) + movl $1, %eax + 2: +- RET ++ RET_IRQ_RESTORE + 3: + cmpl %edx, %edi + jne 1b +@@ -153,7 +160,7 @@ ENDP + #undef v + + #define v %esi +-BEGIN(inc_not_zero) ++BEGIN_IRQ_SAVE(inc_not_zero) + movl (v), %eax + movl 4(v), %edx + testl %eax, %eax +@@ -165,7 +172,7 @@ BEGIN(inc_not_zero) + movl %edx, 4(v) + movl $1, %eax + 2: +- RET ++ RET_IRQ_RESTORE + 3: + testl %edx, %edx + jne 1b +@@ -174,7 +181,7 @@ ENDP + #undef v + + #define v %esi +-BEGIN(dec_if_positive) ++BEGIN_IRQ_SAVE(dec_if_positive) + movl (v), %eax + movl 4(v), %edx + subl $1, %eax +@@ -183,5 +190,6 @@ 
BEGIN(dec_if_positive)
+ movl %eax, (v)
+ movl %edx, 4(v)
+ 1:
+-RET_ENDP
++ RET_IRQ_RESTORE
++ENDP
+ #undef v
diff --git a/patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch b/patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch
new file mode 100644
index 0000000..85d8d2c
--- /dev/null
+++ b/patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch
@@ -0,0 +1,1881 @@
+From: Peter Zijlstra
+Date: Sat, 4 Dec 2021 14:43:40 +0100
+Subject: x86: Prepare asm files for straight-line-speculation
+Git-commit: f94909ceb1ed4bfdb2ada72f93236305e6d6951f
+Patch-mainline: v5.17-rc1
+References: bsc#1201050 CVE-2021-26341
+
+Replace all ret/retq instructions with RET in preparation of making
+RET a macro. Since AS is case insensitive it's a big no-op without
+RET defined.
+
+ find arch/x86/ -name \*.S | while read file
+ do
+ sed -i 's/\<ret[q]*\>/RET/' $file
+ done
+
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Borislav Petkov
+Link: https://lore.kernel.org/r/20211204134907.905503893@infradead.org
+---
+ arch/x86/boot/compressed/efi_thunk_64.S | 2 -
+ arch/x86/boot/compressed/mem_encrypt.S | 4 +-
+ arch/x86/crypto/aes_ctrby8_avx-x86_64.S | 2 -
+ arch/x86/crypto/aesni-intel_asm.S | 42 +++++++++++++--------------
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 12 +++----
+ arch/x86/crypto/camellia-aesni-avx-asm_64.S | 14 ++++-----
+ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 14 ++++-----
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 12 +++----
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 10 +++---
+ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 -
+ arch/x86/crypto/crct10dif-pcl-asm_64.S | 2 -
+ arch/x86/crypto/des3_ede-asm_64.S | 4 +-
+ arch/x86/crypto/ghash-clmulni-intel_asm.S | 6 +--
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 10 +++---
+ arch/x86/crypto/serpent-avx2-asm_64.S | 10 +++---
+ arch/x86/crypto/sha512-avx-asm.S | 2 -
+ arch/x86/crypto/sha512-avx2-asm.S | 2 -
+ arch/x86/crypto/sha512-ssse3-asm.S | 2 -
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 10 +++---
+ arch/x86/crypto/twofish-i586-asm_32.S | 4 +-
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 6 +--
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 4 +-
+ arch/x86/entry/entry_32.S | 2 -
+ arch/x86/entry/entry_64.S | 8 ++---
+ arch/x86/entry/thunk_64.S | 2 -
+ arch/x86/entry/vdso/vdso32/system_call.S | 2 -
+ arch/x86/entry/vsyscall/vsyscall_emu_64.S | 6 +--
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +--
+ arch/x86/kernel/relocate_kernel_32.S | 10 +++---
+ arch/x86/kernel/relocate_kernel_64.S | 10 +++---
+ arch/x86/kernel/verify_cpu.S | 4 +-
+ arch/x86/lib/atomic64_386_32.S | 2 -
+ arch/x86/lib/atomic64_cx8_32.S | 16 +++++-----
+ arch/x86/lib/cmpxchg8b_emu.S | 4 +-
+ arch/x86/lib/copy_page_64.S | 4 +-
+ arch/x86/lib/copy_user_64.S | 8 ++---
+ arch/x86/lib/getuser.S | 14 ++++-----
+ arch/x86/lib/hweight.S | 6 +--
+ arch/x86/lib/memcpy_64.S | 12 +++----
+ arch/x86/lib/memmove_64.S | 4 +-
+ arch/x86/lib/memset_64.S | 6 +--
+ arch/x86/lib/msr-reg.S | 4 +-
+ arch/x86/math-emu/div_Xsig.S | 2 -
+ arch/x86/math-emu/mul_Xsig.S | 6 +--
+ arch/x86/math-emu/polynom_Xsig.S | 2 -
+ arch/x86/math-emu/reg_norm.S | 6 +--
+ arch/x86/math-emu/reg_round.S | 2 -
+ arch/x86/math-emu/reg_u_div.S | 2 -
+ arch/x86/math-emu/reg_u_mul.S | 2 -
+ arch/x86/math-emu/reg_u_sub.S | 2 -
+ arch/x86/math-emu/round_Xsig.S | 4 +-
+ arch/x86/math-emu/shr_Xsig.S | 8 ++---
+ arch/x86/math-emu/wm_shrx.S | 16 +++++-----
+ arch/x86/mm/mem_encrypt_boot.S | 4 +-
+ arch/x86/platform/efi/efi_stub_32.S | 2 -
+ 
arch/x86/platform/efi/efi_stub_64.S | 2 - + arch/x86/platform/efi/efi_thunk_64.S | 2 - + arch/x86/platform/olpc/xo1-wakeup.S | 6 +-- + arch/x86/power/hibernate_asm_64.S | 4 +- + arch/x86/um/checksum_32.S | 4 +- + arch/x86/um/setjmp_32.S | 2 - + arch/x86/um/setjmp_64.S | 2 - + 62 files changed, 193 insertions(+), 193 deletions(-) + +--- a/arch/x86/boot/compressed/efi_thunk_64.S ++++ b/arch/x86/boot/compressed/efi_thunk_64.S +@@ -95,7 +95,7 @@ ENTRY(efi64_thunk) + addq $8, %rsp + pop %rbx + pop %rbp +- ret ++ RET + ENDPROC(efi64_thunk) + + ENTRY(efi_exit32) +--- a/arch/x86/boot/compressed/mem_encrypt.S ++++ b/arch/x86/boot/compressed/mem_encrypt.S +@@ -67,7 +67,7 @@ ENTRY(get_sev_encryption_bit) + + #endif /* CONFIG_AMD_MEM_ENCRYPT */ + +- ret ++ RET + ENDPROC(get_sev_encryption_bit) + + .code64 +@@ -95,7 +95,7 @@ ENTRY(get_sev_encryption_mask) + pop %rbp + #endif + +- ret ++ RET + ENDPROC(get_sev_encryption_mask) + + .data +--- a/arch/x86/crypto/aes_ctrby8_avx-x86_64.S ++++ b/arch/x86/crypto/aes_ctrby8_avx-x86_64.S +@@ -534,7 +534,7 @@ ddq_add_8: + /* return updated IV */ + vpshufb xbyteswap, xcounter, xcounter + vmovdqu xcounter, (p_iv) +- ret ++ RET + .endm + + /* +--- a/arch/x86/crypto/aesni-intel_asm.S ++++ b/arch/x86/crypto/aesni-intel_asm.S +@@ -1475,7 +1475,7 @@ _return_T_done_decrypt: + pop %r14 + pop %r13 + pop %r12 +- ret ++ RET + ENDPROC(aesni_gcm_dec) + + +@@ -1739,7 +1739,7 @@ _return_T_done_encrypt: + pop %r14 + pop %r13 + pop %r12 +- ret ++ RET + ENDPROC(aesni_gcm_enc) + + #endif +@@ -1756,7 +1756,7 @@ _key_expansion_256a: + pxor %xmm1, %xmm0 + movaps %xmm0, (TKEYP) + add $0x10, TKEYP +- ret ++ RET + ENDPROC(_key_expansion_128) + ENDPROC(_key_expansion_256a) + +@@ -1782,7 +1782,7 @@ _key_expansion_192a: + shufps $0b01001110, %xmm2, %xmm1 + movaps %xmm1, 0x10(TKEYP) + add $0x20, TKEYP +- ret ++ RET + ENDPROC(_key_expansion_192a) + + .align 4 +@@ -1802,7 +1802,7 @@ _key_expansion_192b: + + movaps %xmm0, (TKEYP) + add $0x10, TKEYP +- ret ++ RET + ENDPROC(_key_expansion_192b) + + .align 4 +@@ -1815,7 +1815,7 @@ _key_expansion_256b: + pxor %xmm1, %xmm2 + movaps %xmm2, (TKEYP) + add $0x10, TKEYP +- ret ++ RET + ENDPROC(_key_expansion_256b) + + /* +@@ -1930,7 +1930,7 @@ ENTRY(aesni_set_key) + popl KEYP + #endif + FRAME_END +- ret ++ RET + ENDPROC(aesni_set_key) + + /* +@@ -1954,7 +1954,7 @@ ENTRY(aesni_enc) + popl KEYP + #endif + FRAME_END +- ret ++ RET + ENDPROC(aesni_enc) + + /* +@@ -2012,7 +2012,7 @@ _aesni_enc1: + AESENC KEY STATE + movaps 0x70(TKEYP), KEY + AESENCLAST KEY STATE +- ret ++ RET + ENDPROC(_aesni_enc1) + + /* +@@ -2121,7 +2121,7 @@ _aesni_enc4: + AESENCLAST KEY STATE2 + AESENCLAST KEY STATE3 + AESENCLAST KEY STATE4 +- ret ++ RET + ENDPROC(_aesni_enc4) + + /* +@@ -2146,7 +2146,7 @@ ENTRY(aesni_dec) + popl KEYP + #endif + FRAME_END +- ret ++ RET + ENDPROC(aesni_dec) + + /* +@@ -2204,7 +2204,7 @@ _aesni_dec1: + AESDEC KEY STATE + movaps 0x70(TKEYP), KEY + AESDECLAST KEY STATE +- ret ++ RET + ENDPROC(_aesni_dec1) + + /* +@@ -2313,7 +2313,7 @@ _aesni_dec4: + AESDECLAST KEY STATE2 + AESDECLAST KEY STATE3 + AESDECLAST KEY STATE4 +- ret ++ RET + ENDPROC(_aesni_dec4) + + /* +@@ -2373,7 +2373,7 @@ ENTRY(aesni_ecb_enc) + popl LEN + #endif + FRAME_END +- ret ++ RET + ENDPROC(aesni_ecb_enc) + + /* +@@ -2434,7 +2434,7 @@ ENTRY(aesni_ecb_dec) + popl LEN + #endif + FRAME_END +- ret ++ RET + ENDPROC(aesni_ecb_dec) + + /* +@@ -2478,7 +2478,7 @@ ENTRY(aesni_cbc_enc) + popl IVP + #endif + FRAME_END +- ret ++ RET + ENDPROC(aesni_cbc_enc) + + /* +@@ -2571,7 +2571,7 @@ 
ENTRY(aesni_cbc_dec) + popl IVP + #endif + FRAME_END +- ret ++ RET + ENDPROC(aesni_cbc_dec) + + #ifdef __x86_64__ +@@ -2600,7 +2600,7 @@ _aesni_inc_init: + mov $1, TCTR_LOW + MOVQ_R64_XMM TCTR_LOW INC + MOVQ_R64_XMM CTR TCTR_LOW +- ret ++ RET + ENDPROC(_aesni_inc_init) + + /* +@@ -2629,7 +2629,7 @@ _aesni_inc: + .Linc_low: + movaps CTR, IV + PSHUFB_XMM BSWAP_MASK IV +- ret ++ RET + ENDPROC(_aesni_inc) + + /* +@@ -2692,7 +2692,7 @@ ENTRY(aesni_ctr_enc) + movups IV, (IVP) + .Lctr_enc_just_ret: + FRAME_END +- ret ++ RET + ENDPROC(aesni_ctr_enc) + + /* +@@ -2845,7 +2845,7 @@ ENTRY(aesni_xts_decrypt) + movups IV, (IVP) + + FRAME_END +- ret ++ RET + ENDPROC(aesni_xts_decrypt) + + #endif +--- a/arch/x86/crypto/blowfish-x86_64-asm_64.S ++++ b/arch/x86/crypto/blowfish-x86_64-asm_64.S +@@ -150,10 +150,10 @@ ENTRY(__blowfish_enc_blk) + jnz .L__enc_xor; + + write_block(); +- ret; ++ RET; + .L__enc_xor: + xor_block(); +- ret; ++ RET; + ENDPROC(__blowfish_enc_blk) + + ENTRY(blowfish_dec_blk) +@@ -185,7 +185,7 @@ ENTRY(blowfish_dec_blk) + + movq %r11, %r12; + +- ret; ++ RET; + ENDPROC(blowfish_dec_blk) + + /********************************************************************** +@@ -337,14 +337,14 @@ ENTRY(__blowfish_enc_blk_4way) + + popq %rbx; + popq %r12; +- ret; ++ RET; + + .L__enc_xor4: + xor_block4(); + + popq %rbx; + popq %r12; +- ret; ++ RET; + ENDPROC(__blowfish_enc_blk_4way) + + ENTRY(blowfish_dec_blk_4way) +@@ -379,5 +379,5 @@ ENTRY(blowfish_dec_blk_4way) + popq %rbx; + popq %r12; + +- ret; ++ RET; + ENDPROC(blowfish_dec_blk_4way) +--- a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S ++++ b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S +@@ -232,7 +232,7 @@ roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_ + roundsm32(%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7, + %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, %ymm15, + %rcx, (%r9)); +- ret; ++ RET; + ENDPROC(roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd) + + .align 8 +@@ -240,7 +240,7 @@ roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_ + roundsm32(%ymm4, %ymm5, %ymm6, %ymm7, %ymm0, %ymm1, %ymm2, %ymm3, + %ymm12, %ymm13, %ymm14, %ymm15, %ymm8, %ymm9, %ymm10, %ymm11, + %rax, (%r9)); +- ret; ++ RET; + ENDPROC(roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab) + + /* +@@ -830,7 +830,7 @@ __camellia_enc_blk32: + %ymm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 32(%rax)); + + FRAME_END +- ret; ++ RET; + + .align 8 + .Lenc_max32: +@@ -917,7 +917,7 @@ __camellia_dec_blk32: + %ymm15, (key_table)(CTX), (%rax), 1 * 32(%rax)); + + FRAME_END +- ret; ++ RET; + + .align 8 + .Ldec_max32: +@@ -962,7 +962,7 @@ ENTRY(camellia_ecb_enc_32way) + vzeroupper; + + FRAME_END +- ret; ++ RET; + ENDPROC(camellia_ecb_enc_32way) + + ENTRY(camellia_ecb_dec_32way) +@@ -996,7 +996,7 @@ ENTRY(camellia_ecb_dec_32way) + vzeroupper; + + FRAME_END +- ret; ++ RET; + ENDPROC(camellia_ecb_dec_32way) + + ENTRY(camellia_cbc_dec_32way) +@@ -1064,7 +1064,7 @@ ENTRY(camellia_cbc_dec_32way) + vzeroupper; + + FRAME_END +- ret; ++ RET; + ENDPROC(camellia_cbc_dec_32way) + + #define inc_le128(x, minus_one, tmp) \ +--- a/arch/x86/crypto/camellia-aesni-avx-asm_64.S ++++ b/arch/x86/crypto/camellia-aesni-avx-asm_64.S +@@ -193,7 +193,7 @@ roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_ + roundsm16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, + %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm15, + %rcx, (%r9)); +- ret; ++ RET; + ENDPROC(roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd) + + .align 8 +@@ -201,7 +201,7 @@ 
roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_ + roundsm16(%xmm4, %xmm5, %xmm6, %xmm7, %xmm0, %xmm1, %xmm2, %xmm3, + %xmm12, %xmm13, %xmm14, %xmm15, %xmm8, %xmm9, %xmm10, %xmm11, + %rax, (%r9)); +- ret; ++ RET; + ENDPROC(roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab) + + /* +@@ -787,7 +787,7 @@ __camellia_enc_blk16: + %xmm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 16(%rax)); + + FRAME_END +- ret; ++ RET; + + .align 8 + .Lenc_max32: +@@ -874,7 +874,7 @@ __camellia_dec_blk16: + %xmm15, (key_table)(CTX), (%rax), 1 * 16(%rax)); + + FRAME_END +- ret; ++ RET; + + .align 8 + .Ldec_max32: +@@ -915,7 +915,7 @@ ENTRY(camellia_ecb_enc_16way) + %xmm8, %rsi); + + FRAME_END +- ret; ++ RET; + ENDPROC(camellia_ecb_enc_16way) + + ENTRY(camellia_ecb_dec_16way) +@@ -945,7 +945,7 @@ ENTRY(camellia_ecb_dec_16way) + %xmm8, %rsi); + + FRAME_END +- ret; ++ RET; + ENDPROC(camellia_ecb_dec_16way) + + ENTRY(camellia_cbc_dec_16way) +@@ -996,7 +996,7 @@ ENTRY(camellia_cbc_dec_16way) + %xmm8, %rsi); + + FRAME_END +- ret; ++ RET; + ENDPROC(camellia_cbc_dec_16way) + + #define inc_le128(x, minus_one, tmp) \ +--- a/arch/x86/crypto/cast5-avx-x86_64-asm_64.S ++++ b/arch/x86/crypto/cast5-avx-x86_64-asm_64.S +@@ -294,7 +294,7 @@ __cast5_enc_blk16: + outunpack_blocks(RR3, RL3, RTMP, RX, RKM); + outunpack_blocks(RR4, RL4, RTMP, RX, RKM); + +- ret; ++ RET; + ENDPROC(__cast5_enc_blk16) + + .align 16 +@@ -367,7 +367,7 @@ __cast5_dec_blk16: + outunpack_blocks(RR3, RL3, RTMP, RX, RKM); + outunpack_blocks(RR4, RL4, RTMP, RX, RKM); + +- ret; ++ RET; + + .L__skip_dec: + vpsrldq $4, RKR, RKR; +@@ -408,7 +408,7 @@ ENTRY(cast5_ecb_enc_16way) + + popq %r15; + FRAME_END +- ret; ++ RET; + ENDPROC(cast5_ecb_enc_16way) + + ENTRY(cast5_ecb_dec_16way) +@@ -446,7 +446,7 @@ ENTRY(cast5_ecb_dec_16way) + + popq %r15; + FRAME_END +- ret; ++ RET; + ENDPROC(cast5_ecb_dec_16way) + + ENTRY(cast5_cbc_dec_16way) +@@ -498,7 +498,7 @@ ENTRY(cast5_cbc_dec_16way) + popq %r15; + popq %r12; + FRAME_END +- ret; ++ RET; + ENDPROC(cast5_cbc_dec_16way) + + ENTRY(cast5_ctr_16way) +@@ -574,5 +574,5 @@ ENTRY(cast5_ctr_16way) + popq %r15; + popq %r12; + FRAME_END +- ret; ++ RET; + ENDPROC(cast5_ctr_16way) +--- a/arch/x86/crypto/cast6-avx-x86_64-asm_64.S ++++ b/arch/x86/crypto/cast6-avx-x86_64-asm_64.S +@@ -306,7 +306,7 @@ __cast6_enc_blk8: + outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM); + outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM); + +- ret; ++ RET; + ENDPROC(__cast6_enc_blk8) + + .align 8 +@@ -353,7 +353,7 @@ __cast6_dec_blk8: + outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM); + outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM); + +- ret; ++ RET; + ENDPROC(__cast6_dec_blk8) + + ENTRY(cast6_ecb_enc_8way) +@@ -376,7 +376,7 @@ ENTRY(cast6_ecb_enc_8way) + + popq %r15; + FRAME_END +- ret; ++ RET; + ENDPROC(cast6_ecb_enc_8way) + + ENTRY(cast6_ecb_dec_8way) +@@ -399,7 +399,7 @@ ENTRY(cast6_ecb_dec_8way) + + popq %r15; + FRAME_END +- ret; ++ RET; + ENDPROC(cast6_ecb_dec_8way) + + ENTRY(cast6_cbc_dec_8way) +@@ -425,7 +425,7 @@ ENTRY(cast6_cbc_dec_8way) + popq %r15; + popq %r12; + FRAME_END +- ret; ++ RET; + ENDPROC(cast6_cbc_dec_8way) + + ENTRY(cast6_ctr_8way) +--- a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S ++++ b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S +@@ -310,7 +310,7 @@ do_return: + popq %rsi + popq %rdi + popq %rbx +- ret ++ RET + ENDPROC(crc_pcl) + + .section .rodata, "a", @progbits +--- a/arch/x86/crypto/crct10dif-pcl-asm_64.S ++++ b/arch/x86/crypto/crct10dif-pcl-asm_64.S +@@ -367,7 +367,7 @@ _cleanup: + # scale the 
result back to 16 bits + shr $16, %eax + mov %rcx, %rsp +- ret ++ RET + + ######################################################################## + +--- a/arch/x86/crypto/des3_ede-asm_64.S ++++ b/arch/x86/crypto/des3_ede-asm_64.S +@@ -252,7 +252,7 @@ ENTRY(des3_ede_x86_64_crypt_blk) + popq %r12; + popq %rbx; + +- ret; ++ RET; + ENDPROC(des3_ede_x86_64_crypt_blk) + + /*********************************************************************** +@@ -537,7 +537,7 @@ ENTRY(des3_ede_x86_64_crypt_blk_3way) + popq %r12; + popq %rbx; + +- ret; ++ RET; + ENDPROC(des3_ede_x86_64_crypt_blk_3way) + + .section .rodata, "a", @progbits +--- a/arch/x86/crypto/ghash-clmulni-intel_asm.S ++++ b/arch/x86/crypto/ghash-clmulni-intel_asm.S +@@ -89,7 +89,7 @@ __clmul_gf128mul_ble: + psrlq $1, T2 + pxor T2, T1 + pxor T1, DATA +- ret ++ RET + ENDPROC(__clmul_gf128mul_ble) + + /* void clmul_ghash_mul(char *dst, const u128 *shash) */ +@@ -103,7 +103,7 @@ ENTRY(clmul_ghash_mul) + PSHUFB_XMM BSWAP DATA + movups DATA, (%rdi) + FRAME_END +- ret ++ RET + ENDPROC(clmul_ghash_mul) + + /* +@@ -132,5 +132,5 @@ ENTRY(clmul_ghash_update) + movups DATA, (%rdi) + .Lupdate_just_ret: + FRAME_END +- ret ++ RET + ENDPROC(clmul_ghash_update) +--- a/arch/x86/crypto/serpent-avx2-asm_64.S ++++ b/arch/x86/crypto/serpent-avx2-asm_64.S +@@ -616,7 +616,7 @@ __serpent_enc_blk16: + write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2); + write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2); + +- ret; ++ RET; + ENDPROC(__serpent_enc_blk16) + + .align 8 +@@ -670,7 +670,7 @@ __serpent_dec_blk16: + write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2); + write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2); + +- ret; ++ RET; + ENDPROC(__serpent_dec_blk16) + + ENTRY(serpent_ecb_enc_16way) +@@ -692,7 +692,7 @@ ENTRY(serpent_ecb_enc_16way) + vzeroupper; + + FRAME_END +- ret; ++ RET; + ENDPROC(serpent_ecb_enc_16way) + + ENTRY(serpent_ecb_dec_16way) +@@ -714,7 +714,7 @@ ENTRY(serpent_ecb_dec_16way) + vzeroupper; + + FRAME_END +- ret; ++ RET; + ENDPROC(serpent_ecb_dec_16way) + + ENTRY(serpent_cbc_dec_16way) +@@ -737,7 +737,7 @@ ENTRY(serpent_cbc_dec_16way) + vzeroupper; + + FRAME_END +- ret; ++ RET; + ENDPROC(serpent_cbc_dec_16way) + + ENTRY(serpent_ctr_16way) +--- a/arch/x86/crypto/serpent-avx-x86_64-asm_64.S ++++ b/arch/x86/crypto/serpent-avx-x86_64-asm_64.S +@@ -620,7 +620,7 @@ __serpent_enc_blk8_avx: + write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2); + write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2); + +- ret; ++ RET; + ENDPROC(__serpent_enc_blk8_avx) + + .align 8 +@@ -674,7 +674,7 @@ __serpent_dec_blk8_avx: + write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2); + write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2); + +- ret; ++ RET; + ENDPROC(__serpent_dec_blk8_avx) + + ENTRY(serpent_ecb_enc_8way_avx) +@@ -692,7 +692,7 @@ ENTRY(serpent_ecb_enc_8way_avx) + store_8way(%rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + + FRAME_END +- ret; ++ RET; + ENDPROC(serpent_ecb_enc_8way_avx) + + ENTRY(serpent_ecb_dec_8way_avx) +@@ -710,7 +710,7 @@ ENTRY(serpent_ecb_dec_8way_avx) + store_8way(%rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2); + + FRAME_END +- ret; ++ RET; + ENDPROC(serpent_ecb_dec_8way_avx) + + ENTRY(serpent_cbc_dec_8way_avx) +@@ -728,7 +728,7 @@ ENTRY(serpent_cbc_dec_8way_avx) + store_cbc_8way(%rdx, %rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2); + + FRAME_END +- ret; ++ RET; + ENDPROC(serpent_cbc_dec_8way_avx) + + ENTRY(serpent_ctr_8way_avx) +--- a/arch/x86/crypto/sha512-avx2-asm.S ++++ b/arch/x86/crypto/sha512-avx2-asm.S +@@ -681,7 +681,7 @@ done_hash: + + # Restore Stack Pointer + 
mov frame_RSPSAVE(%rsp), %rsp +- ret ++ RET + ENDPROC(sha512_transform_rorx) + + ######################################################################## +--- a/arch/x86/crypto/sha512-avx-asm.S ++++ b/arch/x86/crypto/sha512-avx-asm.S +@@ -364,7 +364,7 @@ updateblock: + mov frame_RSPSAVE(%rsp), %rsp + + nowork: +- ret ++ RET + ENDPROC(sha512_transform_avx) + + ######################################################################## +--- a/arch/x86/crypto/sha512-ssse3-asm.S ++++ b/arch/x86/crypto/sha512-ssse3-asm.S +@@ -363,7 +363,7 @@ updateblock: + mov frame_RSPSAVE(%rsp), %rsp + + nowork: +- ret ++ RET + ENDPROC(sha512_transform_ssse3) + + ######################################################################## +--- a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S ++++ b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S +@@ -287,7 +287,7 @@ __twofish_enc_blk8: + outunpack_blocks(RC1, RD1, RA1, RB1, RK1, RX0, RY0, RK2); + outunpack_blocks(RC2, RD2, RA2, RB2, RK1, RX0, RY0, RK2); + +- ret; ++ RET; + ENDPROC(__twofish_enc_blk8) + + .align 8 +@@ -327,7 +327,7 @@ __twofish_dec_blk8: + outunpack_blocks(RA1, RB1, RC1, RD1, RK1, RX0, RY0, RK2); + outunpack_blocks(RA2, RB2, RC2, RD2, RK1, RX0, RY0, RK2); + +- ret; ++ RET; + ENDPROC(__twofish_dec_blk8) + + ENTRY(twofish_ecb_enc_8way) +@@ -347,7 +347,7 @@ ENTRY(twofish_ecb_enc_8way) + store_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2); + + FRAME_END +- ret; ++ RET; + ENDPROC(twofish_ecb_enc_8way) + + ENTRY(twofish_ecb_dec_8way) +@@ -367,7 +367,7 @@ ENTRY(twofish_ecb_dec_8way) + store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + + FRAME_END +- ret; ++ RET; + ENDPROC(twofish_ecb_dec_8way) + + ENTRY(twofish_cbc_dec_8way) +@@ -392,7 +392,7 @@ ENTRY(twofish_cbc_dec_8way) + popq %r12; + + FRAME_END +- ret; ++ RET; + ENDPROC(twofish_cbc_dec_8way) + + ENTRY(twofish_ctr_8way) +--- a/arch/x86/crypto/twofish-i586-asm_32.S ++++ b/arch/x86/crypto/twofish-i586-asm_32.S +@@ -273,7 +273,7 @@ ENTRY(twofish_enc_blk) + pop %ebx + pop %ebp + mov $1, %eax +- ret ++ RET + ENDPROC(twofish_enc_blk) + + ENTRY(twofish_dec_blk) +@@ -330,5 +330,5 @@ ENTRY(twofish_dec_blk) + pop %ebx + pop %ebp + mov $1, %eax +- ret ++ RET + ENDPROC(twofish_dec_blk) +--- a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S ++++ b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S +@@ -273,7 +273,7 @@ ENTRY(__twofish_enc_blk_3way) + popq %rbx; + popq %r12; + popq %r13; +- ret; ++ RET; + + .L__enc_xor3: + outunpack_enc3(xor); +@@ -281,7 +281,7 @@ ENTRY(__twofish_enc_blk_3way) + popq %rbx; + popq %r12; + popq %r13; +- ret; ++ RET; + ENDPROC(__twofish_enc_blk_3way) + + ENTRY(twofish_dec_blk_3way) +@@ -316,5 +316,5 @@ ENTRY(twofish_dec_blk_3way) + popq %rbx; + popq %r12; + popq %r13; +- ret; ++ RET; + ENDPROC(twofish_dec_blk_3way) +--- a/arch/x86/crypto/twofish-x86_64-asm_64.S ++++ b/arch/x86/crypto/twofish-x86_64-asm_64.S +@@ -265,7 +265,7 @@ ENTRY(twofish_enc_blk) + + popq R1 + movl $1,%eax +- ret ++ RET + ENDPROC(twofish_enc_blk) + + ENTRY(twofish_dec_blk) +@@ -317,5 +317,5 @@ ENTRY(twofish_dec_blk) + + popq R1 + movl $1,%eax +- ret ++ RET + ENDPROC(twofish_dec_blk) +--- a/arch/x86/entry/entry_32.S ++++ b/arch/x86/entry/entry_32.S +@@ -280,7 +280,7 @@ ENTRY(schedule_tail_wrapper) + popl %eax + + FRAME_END +- ret ++ RET + ENDPROC(schedule_tail_wrapper) + /* + * A newly forked process directly context switches into this address. 
+--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -868,7 +868,7 @@ ENTRY(switch_to_thread_stack) + UNWIND_HINT_FUNC + + movq (%rdi), %rdi +- ret ++ RET + END(switch_to_thread_stack) + + .macro idtentry sym do_sym has_error_code:req paranoid=0 shift_ist=-1 create_gap=0 +@@ -1002,7 +1002,7 @@ ENTRY(native_load_gs_index) + SWAPGS + popfq + FRAME_END +- ret ++ RET + ENDPROC(native_load_gs_index) + EXPORT_SYMBOL(native_load_gs_index) + +@@ -1245,13 +1245,13 @@ ENTRY(error_entry) + */ + TRACE_IRQS_OFF + CALL_enter_from_user_mode +- ret ++ RET + + .Lerror_entry_done_lfence: + FENCE_SWAPGS_KERNEL_ENTRY + .Lerror_entry_done: + TRACE_IRQS_OFF +- ret ++ RET + + /* + * There are two places in the kernel that can potentially fault with +--- a/arch/x86/entry/thunk_64.S ++++ b/arch/x86/entry/thunk_64.S +@@ -68,6 +68,6 @@ + popq %rsi + popq %rdi + popq %rbp +- ret ++ RET + _ASM_NOKPROBE(.L_restore) + #endif +--- a/arch/x86/entry/vdso/vdso32/system_call.S ++++ b/arch/x86/entry/vdso/vdso32/system_call.S +@@ -77,7 +77,7 @@ GLOBAL(int80_landing_pad) + popl %ecx + CFI_RESTORE ecx + CFI_ADJUST_CFA_OFFSET -4 +- ret ++ RET + CFI_ENDPROC + + .size __kernel_vsyscall,.-__kernel_vsyscall +--- a/arch/x86/entry/vsyscall/vsyscall_emu_64.S ++++ b/arch/x86/entry/vsyscall/vsyscall_emu_64.S +@@ -20,17 +20,17 @@ __vsyscall_page: + + mov $__NR_gettimeofday, %rax + syscall +- ret ++ RET + + .balign 1024, 0xcc + mov $__NR_time, %rax + syscall +- ret ++ RET + + .balign 1024, 0xcc + mov $__NR_getcpu, %rax + syscall +- ret ++ RET + + .balign 4096, 0xcc + +--- a/arch/x86/kernel/acpi/wakeup_32.S ++++ b/arch/x86/kernel/acpi/wakeup_32.S +@@ -59,7 +59,7 @@ save_registers: + popl saved_context_eflags + + movl $ret_point, saved_eip +- ret ++ RET + + + restore_registers: +@@ -69,7 +69,7 @@ restore_registers: + movl saved_context_edi, %edi + pushl saved_context_eflags + popfl +- ret ++ RET + + ENTRY(do_suspend_lowlevel) + call save_processor_state +@@ -85,7 +85,7 @@ ENTRY(do_suspend_lowlevel) + ret_point: + call restore_registers + call restore_processor_state +- ret ++ RET + + .data + ALIGN +--- a/arch/x86/kernel/relocate_kernel_32.S ++++ b/arch/x86/kernel/relocate_kernel_32.S +@@ -94,7 +94,7 @@ relocate_kernel: + movl %edi, %eax + addl $(identity_mapped - relocate_kernel), %eax + pushl %eax +- ret ++ RET + + identity_mapped: + /* set return address to 0 if not preserving context */ +@@ -161,7 +161,7 @@ identity_mapped: + xorl %edx, %edx + xorl %esi, %esi + xorl %ebp, %ebp +- ret ++ RET + 1: + popl %edx + movl CP_PA_SWAP_PAGE(%edi), %esp +@@ -192,7 +192,7 @@ identity_mapped: + movl %edi, %eax + addl $(virtual_mapped - relocate_kernel), %eax + pushl %eax +- ret ++ RET + + virtual_mapped: + movl CR4(%edi), %eax +@@ -209,7 +209,7 @@ virtual_mapped: + popl %edi + popl %esi + popl %ebx +- ret ++ RET + + /* Do the copies */ + swap_pages: +@@ -271,7 +271,7 @@ swap_pages: + popl %edi + popl %ebx + popl %ebp +- ret ++ RET + + .globl kexec_control_code_size + .set kexec_control_code_size, . 
- relocate_kernel +--- a/arch/x86/kernel/relocate_kernel_64.S ++++ b/arch/x86/kernel/relocate_kernel_64.S +@@ -104,7 +104,7 @@ relocate_kernel: + /* jump to identity mapped page */ + addq $(identity_mapped - relocate_kernel), %r8 + pushq %r8 +- ret ++ RET + + identity_mapped: + /* set return address to 0 if not preserving context */ +@@ -189,7 +189,7 @@ identity_mapped: + xorl %r14d, %r14d + xorl %r15d, %r15d + +- ret ++ RET + + 1: + popq %rdx +@@ -210,7 +210,7 @@ identity_mapped: + call swap_pages + movq $virtual_mapped, %rax + pushq %rax +- ret ++ RET + + virtual_mapped: + movq RSP(%r8), %rsp +@@ -229,7 +229,7 @@ virtual_mapped: + popq %r12 + popq %rbp + popq %rbx +- ret ++ RET + + /* Do the copies */ + swap_pages: +@@ -284,7 +284,7 @@ swap_pages: + lea PAGE_SIZE(%rax), %rsi + jmp 0b + 3: +- ret ++ RET + + .globl kexec_control_code_size + .set kexec_control_code_size, . - relocate_kernel +--- a/arch/x86/kernel/verify_cpu.S ++++ b/arch/x86/kernel/verify_cpu.S +@@ -134,9 +134,9 @@ ENTRY(verify_cpu) + .Lverify_cpu_no_longmode: + popf # Restore caller passed flags + movl $1,%eax +- ret ++ RET + .Lverify_cpu_sse_ok: + popf # Restore caller passed flags + xorl %eax, %eax +- ret ++ RET + ENDPROC(verify_cpu) +--- a/arch/x86/lib/atomic64_386_32.S ++++ b/arch/x86/lib/atomic64_386_32.S +@@ -34,7 +34,7 @@ ENTRY(atomic64_##op##_386); \ + + #define RET_IRQ_RESTORE \ + IRQ_RESTORE v; \ +- ret ++ RET + + #define v %ecx + BEGIN_IRQ_SAVE(read) +--- a/arch/x86/lib/atomic64_cx8_32.S ++++ b/arch/x86/lib/atomic64_cx8_32.S +@@ -22,7 +22,7 @@ + + ENTRY(atomic64_read_cx8) + read64 %ecx +- ret ++ RET + ENDPROC(atomic64_read_cx8) + + ENTRY(atomic64_set_cx8) +@@ -32,7 +32,7 @@ ENTRY(atomic64_set_cx8) + cmpxchg8b (%esi) + jne 1b + +- ret ++ RET + ENDPROC(atomic64_set_cx8) + + ENTRY(atomic64_xchg_cx8) +@@ -41,7 +41,7 @@ ENTRY(atomic64_xchg_cx8) + cmpxchg8b (%esi) + jne 1b + +- ret ++ RET + ENDPROC(atomic64_xchg_cx8) + + .macro addsub_return func ins insc +@@ -72,7 +72,7 @@ ENTRY(atomic64_\func\()_return_cx8) + popl %esi + popl %ebx + popl %ebp +- ret ++ RET + ENDPROC(atomic64_\func\()_return_cx8) + .endm + +@@ -97,7 +97,7 @@ ENTRY(atomic64_\func\()_return_cx8) + movl %ebx, %eax + movl %ecx, %edx + popl %ebx +- ret ++ RET + ENDPROC(atomic64_\func\()_return_cx8) + .endm + +@@ -122,7 +122,7 @@ ENTRY(atomic64_dec_if_positive_cx8) + movl %ebx, %eax + movl %ecx, %edx + popl %ebx +- ret ++ RET + ENDPROC(atomic64_dec_if_positive_cx8) + + ENTRY(atomic64_add_unless_cx8) +@@ -153,7 +153,7 @@ ENTRY(atomic64_add_unless_cx8) + addl $8, %esp + popl %ebx + popl %ebp +- ret ++ RET + 4: + cmpl %edx, 4(%esp) + jne 2b +@@ -180,5 +180,5 @@ ENTRY(atomic64_inc_not_zero_cx8) + movl $1, %eax + 3: + popl %ebx +- ret ++ RET + ENDPROC(atomic64_inc_not_zero_cx8) +--- a/arch/x86/lib/cmpxchg8b_emu.S ++++ b/arch/x86/lib/cmpxchg8b_emu.S +@@ -38,7 +38,7 @@ ENTRY(cmpxchg8b_emu) + movl %ecx, 4(%esi) + + popfl +- ret ++ RET + + .Lnot_same: + movl (%esi), %eax +@@ -46,7 +46,7 @@ ENTRY(cmpxchg8b_emu) + movl 4(%esi), %edx + + popfl +- ret ++ RET + + ENDPROC(cmpxchg8b_emu) + EXPORT_SYMBOL(cmpxchg8b_emu) +--- a/arch/x86/lib/copy_page_64.S ++++ b/arch/x86/lib/copy_page_64.S +@@ -16,7 +16,7 @@ ENTRY(copy_page) + ALTERNATIVE "jmp copy_page_regs", "", X86_FEATURE_REP_GOOD + movl $4096/8, %ecx + rep movsq +- ret ++ RET + ENDPROC(copy_page) + EXPORT_SYMBOL(copy_page) + +@@ -84,5 +84,5 @@ ENTRY(copy_page_regs) + movq (%rsp), %rbx + movq 1*8(%rsp), %r12 + addq $2*8, %rsp +- ret ++ RET + ENDPROC(copy_page_regs) +--- a/arch/x86/lib/copy_user_64.S ++++ 
b/arch/x86/lib/copy_user_64.S +@@ -80,7 +80,7 @@ ENTRY(copy_user_generic_unrolled) + jnz 21b + 23: xor %eax,%eax + ASM_CLAC +- ret ++ RET + + .section .fixup,"ax" + 30: shll $6,%ecx +@@ -148,7 +148,7 @@ ENTRY(copy_user_generic_string) + movsb + xorl %eax,%eax + ASM_CLAC +- ret ++ RET + + .section .fixup,"ax" + 11: leal (%rdx,%rcx,8),%ecx +@@ -182,7 +182,7 @@ ENTRY(copy_user_enhanced_fast_string) + movsb + xorl %eax,%eax + ASM_CLAC +- ret ++ RET + + .section .fixup,"ax" + 12: movl %ecx,%edx /* ecx is zerorest also */ +@@ -299,7 +299,7 @@ ENTRY(__copy_user_nocache) + xorl %eax,%eax + ASM_CLAC + sfence +- ret ++ RET + + .section .fixup,"ax" + .L_fixup_4x8b_copy: +--- a/arch/x86/lib/getuser.S ++++ b/arch/x86/lib/getuser.S +@@ -45,7 +45,7 @@ ENTRY(__get_user_1) + 1: movzbl (%_ASM_AX),%edx + xor %eax,%eax + ASM_CLAC +- ret ++ RET + ENDPROC(__get_user_1) + EXPORT_SYMBOL(__get_user_1) + +@@ -61,7 +61,7 @@ ENTRY(__get_user_2) + 2: movzwl -1(%_ASM_AX),%edx + xor %eax,%eax + ASM_CLAC +- ret ++ RET + ENDPROC(__get_user_2) + EXPORT_SYMBOL(__get_user_2) + +@@ -77,7 +77,7 @@ ENTRY(__get_user_4) + 3: movl -3(%_ASM_AX),%edx + xor %eax,%eax + ASM_CLAC +- ret ++ RET + ENDPROC(__get_user_4) + EXPORT_SYMBOL(__get_user_4) + +@@ -94,7 +94,7 @@ ENTRY(__get_user_8) + 4: movq -7(%_ASM_AX),%rdx + xor %eax,%eax + ASM_CLAC +- ret ++ RET + #else + add $7,%_ASM_AX + jc bad_get_user_8 +@@ -108,7 +108,7 @@ ENTRY(__get_user_8) + 5: movl -3(%_ASM_AX),%ecx + xor %eax,%eax + ASM_CLAC +- ret ++ RET + #endif + ENDPROC(__get_user_8) + EXPORT_SYMBOL(__get_user_8) +@@ -118,7 +118,7 @@ bad_get_user: + xor %edx,%edx + mov $(-EFAULT),%_ASM_AX + ASM_CLAC +- ret ++ RET + END(bad_get_user) + + #ifdef CONFIG_X86_32 +@@ -127,7 +127,7 @@ bad_get_user_8: + xor %ecx,%ecx + mov $(-EFAULT),%_ASM_AX + ASM_CLAC +- ret ++ RET + END(bad_get_user_8) + #endif + +--- a/arch/x86/lib/hweight.S ++++ b/arch/x86/lib/hweight.S +@@ -31,7 +31,7 @@ ENTRY(__sw_hweight32) + imull $0x01010101, %eax, %eax # w_tmp *= 0x01010101 + shrl $24, %eax # w = w_tmp >> 24 + __ASM_SIZE(pop,) %__ASM_REG(dx) +- ret ++ RET + ENDPROC(__sw_hweight32) + EXPORT_SYMBOL(__sw_hweight32) + +@@ -64,7 +64,7 @@ ENTRY(__sw_hweight64) + + popq %rdx + popq %rdi +- ret ++ RET + #else /* CONFIG_X86_32 */ + /* We're getting an u64 arg in (%eax,%edx): unsigned long hweight64(__u64 w) */ + pushl %ecx +@@ -76,7 +76,7 @@ ENTRY(__sw_hweight64) + addl %ecx, %eax # result + + popl %ecx +- ret ++ RET + #endif + ENDPROC(__sw_hweight64) + EXPORT_SYMBOL(__sw_hweight64) +--- a/arch/x86/lib/memcpy_64.S ++++ b/arch/x86/lib/memcpy_64.S +@@ -39,7 +39,7 @@ ENTRY(memcpy) + rep movsq + movl %edx, %ecx + rep movsb +- ret ++ RET + ENDPROC(memcpy) + ENDPROC(__memcpy) + EXPORT_SYMBOL(memcpy) +@@ -53,7 +53,7 @@ ENTRY(memcpy_erms) + movq %rdi, %rax + movq %rdx, %rcx + rep movsb +- ret ++ RET + ENDPROC(memcpy_erms) + + ENTRY(memcpy_orig) +@@ -137,7 +137,7 @@ ENTRY(memcpy_orig) + movq %r9, 1*8(%rdi) + movq %r10, -2*8(%rdi, %rdx) + movq %r11, -1*8(%rdi, %rdx) +- retq ++ RET + .p2align 4 + .Lless_16bytes: + cmpl $8, %edx +@@ -149,7 +149,7 @@ ENTRY(memcpy_orig) + movq -1*8(%rsi, %rdx), %r9 + movq %r8, 0*8(%rdi) + movq %r9, -1*8(%rdi, %rdx) +- retq ++ RET + .p2align 4 + .Lless_8bytes: + cmpl $4, %edx +@@ -162,7 +162,7 @@ ENTRY(memcpy_orig) + movl -4(%rsi, %rdx), %r8d + movl %ecx, (%rdi) + movl %r8d, -4(%rdi, %rdx) +- retq ++ RET + .p2align 4 + .Lless_3bytes: + subl $1, %edx +@@ -180,7 +180,7 @@ ENTRY(memcpy_orig) + movb %cl, (%rdi) + + .Lend: +- retq ++ RET + ENDPROC(memcpy_orig) + + #ifndef CONFIG_UML +--- 
a/arch/x86/lib/memmove_64.S ++++ b/arch/x86/lib/memmove_64.S +@@ -42,7 +42,7 @@ ENTRY(__memmove) + jg 2f + + .Lmemmove_begin_forward: +- ALTERNATIVE "", "movq %rdx, %rcx; rep movsb; retq", X86_FEATURE_ERMS ++ ALTERNATIVE "", "movq %rdx, %rcx; rep movsb; RET", X86_FEATURE_ERMS + + /* + * movsq instruction have many startup latency +@@ -205,7 +205,7 @@ ENTRY(__memmove) + movb (%rsi), %r11b + movb %r11b, (%rdi) + 13: +- retq ++ RET + ENDPROC(__memmove) + ENDPROC(memmove) + EXPORT_SYMBOL(__memmove) +--- a/arch/x86/lib/memset_64.S ++++ b/arch/x86/lib/memset_64.S +@@ -41,7 +41,7 @@ ENTRY(__memset) + movl %edx,%ecx + rep stosb + movq %r9,%rax +- ret ++ RET + ENDPROC(memset) + ENDPROC(__memset) + EXPORT_SYMBOL(memset) +@@ -64,7 +64,7 @@ ENTRY(memset_erms) + movq %rdx,%rcx + rep stosb + movq %r9,%rax +- ret ++ RET + ENDPROC(memset_erms) + + ENTRY(memset_orig) +@@ -126,7 +126,7 @@ ENTRY(memset_orig) + + .Lende: + movq %r10,%rax +- ret ++ RET + + .Lbad_alignment: + cmpq $7,%rdx +--- a/arch/x86/lib/msr-reg.S ++++ b/arch/x86/lib/msr-reg.S +@@ -34,7 +34,7 @@ ENTRY(\op\()_safe_regs) + movl %edi, 28(%r10) + popq %r12 + popq %rbx +- ret ++ RET + 3: + movl $-EIO, %r11d + jmp 2b +@@ -76,7 +76,7 @@ ENTRY(\op\()_safe_regs) + popl %esi + popl %ebp + popl %ebx +- ret ++ RET + 3: + movl $-EIO, 4(%esp) + jmp 2b +--- a/arch/x86/math-emu/div_Xsig.S ++++ b/arch/x86/math-emu/div_Xsig.S +@@ -340,7 +340,7 @@ L_exit: + popl %esi + + leave +- ret ++ RET + + + #ifdef PARANOID +--- a/arch/x86/math-emu/mul_Xsig.S ++++ b/arch/x86/math-emu/mul_Xsig.S +@@ -61,7 +61,7 @@ ENTRY(mul32_Xsig) + + popl %esi + leave +- ret ++ RET + + + ENTRY(mul64_Xsig) +@@ -113,7 +113,7 @@ ENTRY(mul64_Xsig) + + popl %esi + leave +- ret ++ RET + + + +@@ -172,5 +172,5 @@ ENTRY(mul_Xsig_Xsig) + + popl %esi + leave +- ret ++ RET + +--- a/arch/x86/math-emu/polynom_Xsig.S ++++ b/arch/x86/math-emu/polynom_Xsig.S +@@ -132,4 +132,4 @@ L_accum_done: + popl %edi + popl %esi + leave +- ret ++ RET +--- a/arch/x86/math-emu/reg_norm.S ++++ b/arch/x86/math-emu/reg_norm.S +@@ -71,7 +71,7 @@ L_exit_valid: + L_exit: + popl %ebx + leave +- ret ++ RET + + + L_zero: +@@ -136,7 +136,7 @@ L_exit_nuo_valid: + + popl %ebx + leave +- ret ++ RET + + L_exit_nuo_zero: + movl TAG_Zero,%eax +@@ -144,4 +144,4 @@ L_exit_nuo_zero: + + popl %ebx + leave +- ret ++ RET +--- a/arch/x86/math-emu/reg_round.S ++++ b/arch/x86/math-emu/reg_round.S +@@ -436,7 +436,7 @@ fpu_Arith_exit: + popl %edi + popl %esi + leave +- ret ++ RET + + + /* +--- a/arch/x86/math-emu/reg_u_div.S ++++ b/arch/x86/math-emu/reg_u_div.S +@@ -467,5 +467,5 @@ L_exit: + popl %esi + + leave +- ret ++ RET + #endif /* PARANOID */ +--- a/arch/x86/math-emu/reg_u_mul.S ++++ b/arch/x86/math-emu/reg_u_mul.S +@@ -143,6 +143,6 @@ L_exit: + popl %edi + popl %esi + leave +- ret ++ RET + #endif /* PARANOID */ + +--- a/arch/x86/math-emu/reg_u_sub.S ++++ b/arch/x86/math-emu/reg_u_sub.S +@@ -269,4 +269,4 @@ L_exit: + popl %edi + popl %esi + leave +- ret ++ RET +--- a/arch/x86/math-emu/round_Xsig.S ++++ b/arch/x86/math-emu/round_Xsig.S +@@ -77,7 +77,7 @@ L_exit: + popl %esi + popl %ebx + leave +- ret ++ RET + + + +@@ -137,5 +137,5 @@ L_n_exit: + popl %esi + popl %ebx + leave +- ret ++ RET + +--- a/arch/x86/math-emu/shr_Xsig.S ++++ b/arch/x86/math-emu/shr_Xsig.S +@@ -44,7 +44,7 @@ ENTRY(shr_Xsig) + popl %ebx + popl %esi + leave +- ret ++ RET + + L_more_than_31: + cmpl $64,%ecx +@@ -60,7 +60,7 @@ L_more_than_31: + movl $0,8(%esi) + popl %esi + leave +- ret ++ RET + + L_more_than_63: + cmpl $96,%ecx +@@ -75,7 +75,7 @@ L_more_than_63: + movl 
%edx,8(%esi) + popl %esi + leave +- ret ++ RET + + L_more_than_95: + xorl %eax,%eax +@@ -84,4 +84,4 @@ L_more_than_95: + movl %eax,8(%esi) + popl %esi + leave +- ret ++ RET +--- a/arch/x86/math-emu/wm_shrx.S ++++ b/arch/x86/math-emu/wm_shrx.S +@@ -54,7 +54,7 @@ ENTRY(FPU_shrx) + popl %ebx + popl %esi + leave +- ret ++ RET + + L_more_than_31: + cmpl $64,%ecx +@@ -69,7 +69,7 @@ L_more_than_31: + movl $0,4(%esi) + popl %esi + leave +- ret ++ RET + + L_more_than_63: + cmpl $96,%ecx +@@ -83,7 +83,7 @@ L_more_than_63: + movl %edx,4(%esi) + popl %esi + leave +- ret ++ RET + + L_more_than_95: + xorl %eax,%eax +@@ -91,7 +91,7 @@ L_more_than_95: + movl %eax,4(%esi) + popl %esi + leave +- ret ++ RET + + + /*---------------------------------------------------------------------------+ +@@ -144,7 +144,7 @@ ENTRY(FPU_shrxs) + popl %ebx + popl %esi + leave +- ret ++ RET + + /* Shift by [0..31] bits */ + Ls_less_than_32: +@@ -161,7 +161,7 @@ Ls_less_than_32: + popl %ebx + popl %esi + leave +- ret ++ RET + + /* Shift by [64..95] bits */ + Ls_more_than_63: +@@ -187,7 +187,7 @@ Ls_more_than_63: + popl %ebx + popl %esi + leave +- ret ++ RET + + Ls_more_than_95: + /* Shift by [96..inf) bits */ +@@ -201,4 +201,4 @@ Ls_more_than_95: + popl %ebx + popl %esi + leave +- ret ++ RET +--- a/arch/x86/mm/mem_encrypt_boot.S ++++ b/arch/x86/mm/mem_encrypt_boot.S +@@ -68,7 +68,7 @@ ENTRY(sme_encrypt_execute) + movq %rbp, %rsp /* Restore original stack pointer */ + pop %rbp + +- ret ++ RET + ENDPROC(sme_encrypt_execute) + + ENTRY(__enc_copy) +@@ -154,6 +154,6 @@ ENTRY(__enc_copy) + pop %r12 + pop %r15 + +- ret ++ RET + .L__enc_copy_end: + ENDPROC(__enc_copy) +--- a/arch/x86/platform/efi/efi_stub_32.S ++++ b/arch/x86/platform/efi/efi_stub_32.S +@@ -112,7 +112,7 @@ ENTRY(efi_call_phys) + leal saved_return_addr, %edx + movl (%edx), %ecx + pushl %ecx +- ret ++ RET + ENDPROC(efi_call_phys) + .previous + +--- a/arch/x86/platform/efi/efi_stub_64.S ++++ b/arch/x86/platform/efi/efi_stub_64.S +@@ -53,5 +53,5 @@ ENTRY(efi_call) + addq $48, %rsp + RESTORE_XMM + popq %rbp +- ret ++ RET + ENDPROC(efi_call) +--- a/arch/x86/platform/efi/efi_thunk_64.S ++++ b/arch/x86/platform/efi/efi_thunk_64.S +@@ -58,7 +58,7 @@ ENTRY(efi64_thunk) + movq efi_saved_sp(%rip), %rsp + pop %rbx + pop %rbp +- retq ++ RET + ENDPROC(efi64_thunk) + + /* +--- a/arch/x86/platform/olpc/xo1-wakeup.S ++++ b/arch/x86/platform/olpc/xo1-wakeup.S +@@ -76,7 +76,7 @@ save_registers: + pushfl + popl saved_context_eflags + +- ret ++ RET + + restore_registers: + movl saved_context_ebp, %ebp +@@ -87,7 +87,7 @@ restore_registers: + pushl saved_context_eflags + popfl + +- ret ++ RET + + ENTRY(do_olpc_suspend_lowlevel) + call save_processor_state +@@ -108,7 +108,7 @@ ret_point: + + call restore_registers + call restore_processor_state +- ret ++ RET + + .data + saved_gdt: .long 0,0 +--- a/arch/x86/power/hibernate_asm_64.S ++++ b/arch/x86/power/hibernate_asm_64.S +@@ -50,7 +50,7 @@ ENTRY(swsusp_arch_suspend) + FRAME_BEGIN + call swsusp_save + FRAME_END +- ret ++ RET + ENDPROC(swsusp_arch_suspend) + + ENTRY(restore_image) +@@ -142,5 +142,5 @@ ENTRY(restore_registers) + /* tell the hibernation core that we've just restored the memory */ + movq %rax, in_suspend(%rip) + +- ret ++ RET + ENDPROC(restore_registers) +--- a/arch/x86/um/checksum_32.S ++++ b/arch/x86/um/checksum_32.S +@@ -114,7 +114,7 @@ csum_partial: + 7: + popl %ebx + popl %esi +- ret ++ RET + + #else + +@@ -212,7 +212,7 @@ csum_partial: + 80: + popl %ebx + popl %esi +- ret ++ RET + + #endif + EXPORT_SYMBOL(csum_partial) +--- 
a/arch/x86/um/setjmp_32.S ++++ b/arch/x86/um/setjmp_32.S +@@ -33,7 +33,7 @@ setjmp: + movl %esi,12(%edx) + movl %edi,16(%edx) + movl %ecx,20(%edx) # Return address +- ret ++ RET + + .size setjmp,.-setjmp + +--- a/arch/x86/um/setjmp_64.S ++++ b/arch/x86/um/setjmp_64.S +@@ -32,7 +32,7 @@ setjmp: + movq %r14,40(%rdi) + movq %r15,48(%rdi) + movq %rsi,56(%rdi) # Return address +- ret ++ RET + + .size setjmp,.-setjmp + diff --git a/patches.suse/x86-prepare-inline-asm-for-straight-line-speculation.patch b/patches.suse/x86-prepare-inline-asm-for-straight-line-speculation.patch new file mode 100644 index 0000000..04ede02 --- /dev/null +++ b/patches.suse/x86-prepare-inline-asm-for-straight-line-speculation.patch @@ -0,0 +1,111 @@ +From: Peter Zijlstra +Date: Sat, 4 Dec 2021 14:43:41 +0100 +Subject: x86: Prepare inline-asm for straight-line-speculation +Git-commit: b17c2baa305cccbd16bafa289fd743cc2db77966 +Patch-mainline: v5.17-rc1 +References: bsc#1201050 CVE-2021-26341 + +Replace all ret/retq instructions with ASM_RET in preparation of +making it more than a single instruction. + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20211204134907.964635458@infradead.org +--- + arch/x86/include/asm/linkage.h | 4 ++++ + arch/x86/include/asm/paravirt.h | 2 +- + arch/x86/include/asm/qspinlock_paravirt.h | 4 ++-- + arch/x86/kernel/alternative.c | 2 +- + arch/x86/kernel/kprobes/core.c | 2 +- + arch/x86/kernel/paravirt.c | 2 +- + arch/x86/kvm/emulate.c | 2 +- + 7 files changed, 11 insertions(+), 7 deletions(-) + +--- a/arch/x86/include/asm/linkage.h ++++ b/arch/x86/include/asm/linkage.h +@@ -21,6 +21,10 @@ + #define __ALIGN_STR __stringify(__ALIGN) + #endif + ++#else /* __ASSEMBLY__ */ ++ ++#define ASM_RET "ret\n\t" ++ + #endif /* __ASSEMBLY__ */ + + #endif /* _ASM_X86_LINKAGE_H */ +--- a/arch/x86/include/asm/paravirt.h ++++ b/arch/x86/include/asm/paravirt.h +@@ -793,7 +793,7 @@ static __always_inline bool pv_vcpu_is_p + "call " #func ";" \ + PV_RESTORE_ALL_CALLER_REGS \ + FRAME_END \ +- "ret;" \ ++ ASM_RET \ + ".popsection") + + /* Get a reference to a callee-save function */ +--- a/arch/x86/include/asm/qspinlock_paravirt.h ++++ b/arch/x86/include/asm/qspinlock_paravirt.h +@@ -47,7 +47,7 @@ asm (".pushsection .text;" + "jne .slowpath;" + "pop %rdx;" + FRAME_END +- "ret;" ++ ASM_RET + ".slowpath: " + "push %rsi;" + "movzbl %al,%esi;" +@@ -55,7 +55,7 @@ asm (".pushsection .text;" + "pop %rsi;" + "pop %rdx;" + FRAME_END +- "ret;" ++ ASM_RET + ".size " PV_UNLOCK ", .-" PV_UNLOCK ";" + ".popsection"); + +--- a/arch/x86/kernel/alternative.c ++++ b/arch/x86/kernel/alternative.c +@@ -635,7 +635,7 @@ asm ( + " .type int3_magic, @function\n" + "int3_magic:\n" + " movl $1, (%" _ASM_ARG1 ")\n" +-" ret\n" ++ ASM_RET + " .size int3_magic, .-int3_magic\n" + " .popsection\n" + ); +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -736,7 +736,7 @@ asm( + RESTORE_REGS_STRING + " popf\n" + #endif +- " ret\n" ++ ASM_RET + ".size kretprobe_trampoline, .-kretprobe_trampoline\n" + ); + NOKPROBE_SYMBOL(kretprobe_trampoline); +--- a/arch/x86/kernel/paravirt.c ++++ b/arch/x86/kernel/paravirt.c +@@ -50,7 +50,7 @@ extern void _paravirt_nop(void); + asm (".pushsection .entry.text, \"ax\"\n" + ".global _paravirt_nop\n" + "_paravirt_nop:\n\t" +- "ret\n\t" ++ ASM_RET + ".size _paravirt_nop, . 
- _paravirt_nop\n\t" + ".type _paravirt_nop, @function\n\t" + ".popsection"); +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -429,7 +429,7 @@ static int fastop(struct x86_emulate_ctx + + asm(".pushsection .fixup, \"ax\"\n" + ".global kvm_fastop_exception \n" +- "kvm_fastop_exception: xor %esi, %esi; ret\n" ++ "kvm_fastop_exception: xor %esi, %esi; " ASM_RET + ".popsection"); + + FOP_START(setcc) diff --git a/patches.suse/x86-retpoline-Use-mfunction-return.patch b/patches.suse/x86-retpoline-Use-mfunction-return.patch new file mode 100644 index 0000000..33c5451 --- /dev/null +++ b/patches.suse/x86-retpoline-Use-mfunction-return.patch @@ -0,0 +1,85 @@ +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:15:36 +0200 +Subject: x86/retpoline: Use -mfunction-return +Git-commit: 0b53c374b9eff2255a386f1f1cfb9a928e52a5ae +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in tip for v5.19 +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Utilize -mfunction-return=thunk-extern when available to have the +compiler replace RET instructions with direct JMPs to the symbol +__x86_return_thunk. This does not affect assembler (.S) sources, only C +sources. + +-mfunction-return=thunk-extern has been available since gcc 7.3 and +clang 15. + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Nick Desaulniers +Reviewed-by: Josh Poimboeuf +Tested-by: Nick Desaulniers +Signed-off-by: Borislav Petkov +--- + arch/x86/Makefile | 6 +++++- + arch/x86/entry/vdso/Makefile | 1 + + arch/x86/include/asm/nospec-branch.h | 2 ++ + arch/x86/lib/retpoline.S | 10 ++++++++++ + 4 files changed, 18 insertions(+), 1 deletion(-) + +--- a/arch/x86/entry/vdso/Makefile ++++ b/arch/x86/entry/vdso/Makefile +@@ -66,6 +66,7 @@ endef + $(obj)/vdso-image-%.c: $(obj)/vdso%.so.dbg $(obj)/vdso%.so $(obj)/vdso2c FORCE + $(call if_changed,vdso2c) + ++RETPOLINE_VDSO_CFLAGS := $(call cc-option,-mindirect-branch=thunk-inline -mindirect-branch-register) + # + # Don't omit frame pointers for ease of userspace debugging, but do + # optimize sibling calls. +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -167,6 +167,8 @@ + #ifdef CONFIG_RETPOLINE + #ifdef CONFIG_X86_64 + ++extern void __x86_return_thunk(void); ++ + /* + * Inline asm uses the %V modifier which is only in newer GCC + * which is ensured when CONFIG_RETPOLINE is defined. +--- a/arch/x86/lib/retpoline.S ++++ b/arch/x86/lib/retpoline.S +@@ -49,5 +49,15 @@ GENERATE_THUNK(r14) + GENERATE_THUNK(r15) + #endif + ++/* ++ * This function name is magical and is used by -mfunction-return=thunk-extern ++ * for the compiler to generate JMPs to it. 
++ */ ++ENTRY(__x86_return_thunk) ++ ret ++ int3 ++ENDPROC(__x86_return_thunk) ++ ++__EXPORT_THUNK(__x86_return_thunk) + #endif /* CONFIG_RETPOLINE */ + +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -230,9 +230,13 @@ KBUILD_AFLAGS += $(mflags-y) + # Avoid indirect branches in kernel to deal with Spectre + ifdef CONFIG_RETPOLINE + RETPOLINE_CFLAGS += $(call cc-option,-mindirect-branch=thunk-extern -mindirect-branch-register) +- KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE ++ RETPOLINE_CFLAGS += $(call cc-option,-mfunction-return=thunk-extern) ++ KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE + endif + ++# for vdso Makefile to exclude ++export RETPOLINE_CFLAGS ++ + ifdef CONFIG_SLS + KBUILD_CFLAGS += $(call cc-option,-mharden-sls=all) + endif diff --git a/patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch b/patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch new file mode 100644 index 0000000..eac41e7 --- /dev/null +++ b/patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch @@ -0,0 +1,44 @@ +From: Kim Phillips +Date: Tue, 14 Jun 2022 23:15:44 +0200 +Subject: x86/sev: Avoid using __x86_return_thunk +Git-commit: 0ee9073000e8791f8b134a8ded31bcc767f7f232 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Specifically, it's because __enc_copy() encrypts the kernel after +being relocated outside the kernel in sme_encrypt_execute(), and the +RET macro's jmp offset isn't amended prior to execution. + +Signed-off-by: Kim Phillips +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/mm/mem_encrypt_boot.S | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/mm/mem_encrypt_boot.S ++++ b/arch/x86/mm/mem_encrypt_boot.S +@@ -65,7 +65,9 @@ ENTRY(sme_encrypt_execute) + movq %rbp, %rsp /* Restore original stack pointer */ + pop %rbp + +- RET ++ /* Offset to __x86_return_thunk would be wrong here */ ++ ret ++ int3 + ENDPROC(sme_encrypt_execute) + + ENTRY(__enc_copy) +@@ -151,6 +153,8 @@ ENTRY(__enc_copy) + pop %r12 + pop %r15 + +- RET ++ /* Offset to __x86_return_thunk would be wrong here */ ++ ret ++ int3 + .L__enc_copy_end: + ENDPROC(__enc_copy) diff --git a/patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch b/patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch new file mode 100644 index 0000000..60152fa --- /dev/null +++ b/patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch @@ -0,0 +1,148 @@ +From: Pawan Gupta +Date: Tue, 14 Jun 2022 23:15:55 +0200 +Subject: x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS +Git-commit: 7c693f54c873691a4b7da05c7e0f74e67745d144 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +Extend spectre_v2= boot option with Kernel IBRS. 
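The new keyword is selected at boot via spectre_v2=ibrs. As a rough sketch of how such a keyword is typically wired into the parser in bugs.c — the table below is trimmed and its exact fields are assumptions for illustration, not the SLE12 source:

    /*
     * Illustrative only: the command-line string is matched against a
     * table and mapped to a mitigation command that the selection
     * logic consumes later in boot.
     */
    enum spectre_v2_mitigation_cmd {
            SPECTRE_V2_CMD_AUTO,
            SPECTRE_V2_CMD_RETPOLINE,
            SPECTRE_V2_CMD_IBRS,            /* added by this patch */
    };

    static const struct {
            const char *option;
            enum spectre_v2_mitigation_cmd cmd;
    } mitigation_options[] = {
            { "auto",      SPECTRE_V2_CMD_AUTO      },
            { "retpoline", SPECTRE_V2_CMD_RETPOLINE },
            { "ibrs",      SPECTRE_V2_CMD_IBRS      },
    };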
+ + [jpoimboe: no STIBP with IBRS] + +Signed-off-by: Pawan Gupta +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/cpu/bugs.c | 59 ++++++++++++++++++++++++++++++++++----------- + 1 file changed, 45 insertions(+), 14 deletions(-) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1117,11 +1117,12 @@ spectre_v2_parse_user_cmdline(enum spect + return SPECTRE_V2_USER_CMD_AUTO; + } + +-static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode) ++static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode) + { +- return (mode == SPECTRE_V2_EIBRS || +- mode == SPECTRE_V2_EIBRS_RETPOLINE || +- mode == SPECTRE_V2_EIBRS_LFENCE); ++ return mode == SPECTRE_V2_IBRS || ++ mode == SPECTRE_V2_EIBRS || ++ mode == SPECTRE_V2_EIBRS_RETPOLINE || ++ mode == SPECTRE_V2_EIBRS_LFENCE; + } + + static void __init +@@ -1186,12 +1187,12 @@ spectre_v2_user_select_mitigation(enum s + } + + /* +- * If no STIBP, enhanced IBRS is enabled or SMT impossible, STIBP is not +- * required. ++ * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible, ++ * STIBP is not required. + */ + if (!boot_cpu_has(X86_FEATURE_STIBP) || + !smt_possible || +- spectre_v2_in_eibrs_mode(spectre_v2_enabled)) ++ spectre_v2_in_ibrs_mode(spectre_v2_enabled)) + return; + + spectre_v2_user_stibp = mode; +@@ -1288,6 +1289,24 @@ static enum spectre_v2_mitigation_cmd __ + return SPECTRE_V2_CMD_AUTO; + } + ++ if (cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) { ++ pr_err("%s selected but not Intel CPU. Switching to AUTO select\n", ++ mitigation_options[i].option); ++ return SPECTRE_V2_CMD_AUTO; ++ } ++ ++ if (cmd == SPECTRE_V2_CMD_IBRS && !boot_cpu_has(X86_FEATURE_IBRS)) { ++ pr_err("%s selected but CPU doesn't have IBRS. Switching to AUTO select\n", ++ mitigation_options[i].option); ++ return SPECTRE_V2_CMD_AUTO; ++ } ++ ++ if (cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_has(X86_FEATURE_XENPV)) { ++ pr_err("%s selected but running as XenPV guest. 
Switching to AUTO select\n", ++ mitigation_options[i].option); ++ return SPECTRE_V2_CMD_AUTO; ++ } ++ + spec_v2_print_cond(mitigation_options[i].option, + mitigation_options[i].secure); + return cmd; +@@ -1335,6 +1354,14 @@ static void __init spectre_v2_select_mit + break; + } + ++ if (boot_cpu_has_bug(X86_BUG_RETBLEED) && ++ retbleed_cmd != RETBLEED_CMD_OFF && ++ boot_cpu_has(X86_FEATURE_IBRS) && ++ boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) { ++ mode = SPECTRE_V2_IBRS; ++ break; ++ } ++ + mode = spectre_v2_select_retpoline(); + break; + +@@ -1367,7 +1394,7 @@ static void __init spectre_v2_select_mit + if (mode == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled()) + pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); + +- if (spectre_v2_in_eibrs_mode(mode)) { ++ if (spectre_v2_in_ibrs_mode(mode)) { + /* Force it so VMEXIT will restore correctly */ + x86_spec_ctrl_base |= SPEC_CTRL_IBRS; + write_spec_ctrl_current(x86_spec_ctrl_base, true); +@@ -1378,6 +1405,10 @@ static void __init spectre_v2_select_mit + case SPECTRE_V2_EIBRS: + break; + ++ case SPECTRE_V2_IBRS: ++ setup_force_cpu_cap(X86_FEATURE_USE_IBRS); ++ break; ++ + case SPECTRE_V2_LFENCE: + case SPECTRE_V2_EIBRS_LFENCE: + setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE); +@@ -1408,17 +1439,17 @@ specv2_set_mode: + pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); + + /* +- * Retpoline means the kernel is safe because it has no indirect +- * branches. Enhanced IBRS protects firmware too, so, enable restricted +- * speculation around firmware calls only when Enhanced IBRS isn't +- * supported. ++ * Retpoline protects the kernel, but doesn't protect firmware. IBRS ++ * and Enhanced IBRS protect firmware too, so enable IBRS around ++ * firmware calls only when IBRS / Enhanced IBRS aren't otherwise ++ * enabled. + * + * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because + * the user might select retpoline on the kernel command line and if + * the CPU supports Enhanced IBRS, kernel might un-intentionally not + * enable IBRS around firmware calls. + */ +- if (boot_cpu_has(X86_FEATURE_IBRS) && !spectre_v2_in_eibrs_mode(mode)) { ++ if (boot_cpu_has(X86_FEATURE_IBRS) && !spectre_v2_in_ibrs_mode(mode)) { + setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW); + pr_info("Enabling Restricted Speculation for firmware calls\n"); + } +@@ -1972,7 +2003,7 @@ static ssize_t mmio_stale_data_show_stat + + static char *stibp_state(void) + { +- if (spectre_v2_in_eibrs_mode(spectre_v2_enabled)) ++ if (spectre_v2_in_ibrs_mode(spectre_v2_enabled)) + return ""; + + switch (spectre_v2_user_stibp) { diff --git a/patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch b/patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch new file mode 100644 index 0000000..5ea97f5 --- /dev/null +++ b/patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch @@ -0,0 +1,33 @@ +From: Josh Poimboeuf +Date: Tue, 14 Jun 2022 23:16:07 +0200 +Subject: x86/speculation: Fix SPEC_CTRL write on SMT state change +Git-commit: 56aa4d221f1ee2c3a49b45b800778ec6e0ab73c5 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +If the SMT state changes, SSBD might get accidentally disabled. Fix +that. 
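The shape of the bug, as a hedged sketch (the bit positions are the architected MSR_IA32_SPEC_CTRL layout; the helper name is illustrative): writing back the boot-time base value alone drops per-task bits such as SSBD that only live in the currently programmed value.

    #define SPEC_CTRL_STIBP (1ULL << 1)     /* architected bit positions */
    #define SPEC_CTRL_SSBD  (1ULL << 2)

    /*
     * 'cur' is what is programmed right now (it may carry the task's
     * SSBD bit); 'base' holds the boot-time defaults.  The buggy update
     * wrote 'base' verbatim, losing SSBD; the fix keeps the live value
     * and refreshes only STIBP from the base.
     */
    static unsigned long long stibp_update_value(unsigned long long base,
                                                 unsigned long long cur)
    {
            return cur | (base & SPEC_CTRL_STIBP);
    }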
+ +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/cpu/bugs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 108bd74289c5..9b80059c4e02 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1458,7 +1458,8 @@ static void __init spectre_v2_select_mitigation(void) + + static void update_stibp_msr(void * __unused) + { +- write_spec_ctrl_current(x86_spec_ctrl_base, true); ++ u64 val = spec_ctrl_current() | (x86_spec_ctrl_base & SPEC_CTRL_STIBP); ++ write_spec_ctrl_current(val, true); + } + + /* Update x86_spec_ctrl_base in case SMT state changed. */ + diff --git a/patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch b/patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch new file mode 100644 index 0000000..c1b5e65 --- /dev/null +++ b/patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch @@ -0,0 +1,45 @@ +From: Josh Poimboeuf +Date: Tue, 14 Jun 2022 23:16:06 +0200 +Subject: x86/speculation: Fix firmware entry SPEC_CTRL handling +Git-commit: e6aa13622ea8283cc699cac5d018cc40a2ba2010 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +The firmware entry code may accidentally clear STIBP or SSBD. Fix that. + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +--- + arch/x86/include/asm/nospec-branch.h | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h +index 08b03c12e6c2..dee9ef77af13 100644 +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -285,18 +285,16 @@ extern u64 spec_ctrl_current(void); + */ + #define firmware_restrict_branch_speculation_start() \ + do { \ +- u64 val = x86_spec_ctrl_base | SPEC_CTRL_IBRS; \ +- \ + preempt_disable(); \ +- alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \ ++ alternative_msr_write(MSR_IA32_SPEC_CTRL, \ ++ spec_ctrl_current() | SPEC_CTRL_IBRS, \ + X86_FEATURE_USE_IBRS_FW); \ + } while (0) + + #define firmware_restrict_branch_speculation_end() \ + do { \ +- u64 val = x86_spec_ctrl_base; \ +- \ +- alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \ ++ alternative_msr_write(MSR_IA32_SPEC_CTRL, \ ++ spec_ctrl_current(), \ + X86_FEATURE_USE_IBRS_FW); \ + preempt_enable(); \ + } while (0) + diff --git a/patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch b/patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch new file mode 100644 index 0000000..e3aad1e --- /dev/null +++ b/patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch @@ -0,0 +1,87 @@ +From: Josh Poimboeuf +Date: Fri, 17 Jun 2022 12:12:48 -0700 +Subject: x86/speculation: Remove x86_spec_ctrl_mask +Git-commit: acac5e98ef8d638a411cfa2ee676c87e1973f126 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +This mask has been made redundant by kvm_spec_ctrl_test_value(). And it +doesn't even work when MSR interception is disabled, as the guest can +just write to SPEC_CTRL directly. 
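The probing approach that supersedes the mask can be sketched as below. This is a simplification — the real kvm_spec_ctrl_test_value() also saves and restores the MSR around the probe — and relies only on wrmsrl_safe()'s usual kernel semantics of returning 0 on success:

    /*
     * Sketch: a SPEC_CTRL bit pattern is supported iff the CPU accepts
     * the write, so support can be probed at setup instead of being
     * enumerated in a hand-maintained mask.
     */
    static bool spec_ctrl_value_ok(u64 val)
    {
            return wrmsrl_safe(MSR_IA32_SPEC_CTRL, val) == 0;
    }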
+ +Signed-off-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +Reviewed-by: Paolo Bonzini +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/cpu/bugs.c | 31 +------------------------------ + 1 file changed, 1 insertion(+), 30 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index f884f9497666..efff8b9f1bbd 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -85,12 +85,6 @@ u64 spec_ctrl_current(void) + } + EXPORT_SYMBOL_GPL(spec_ctrl_current); + +-/* +- * The vendor and possibly platform specific bits which can be modified in +- * x86_spec_ctrl_base. +- */ +-static u64 __ro_after_init x86_spec_ctrl_mask = SPEC_CTRL_IBRS; +- + /* + * AMD specific MSR info for Speculative Store Bypass control. + * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu(). +@@ -146,10 +140,6 @@ void __init check_bugs(void) + if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) + rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); + +- /* Allow STIBP in MSR_SPEC_CTRL if supported */ +- if (boot_cpu_has(X86_FEATURE_STIBP)) +- x86_spec_ctrl_mask |= SPEC_CTRL_STIBP; +- + /* Select the proper CPU mitigations before patching alternatives: */ + spectre_v1_select_mitigation(); + spectre_v2_select_mitigation(); +@@ -208,19 +198,10 @@ void __init check_bugs(void) + void + x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest) + { +- u64 msrval, guestval, hostval = spec_ctrl_current(); ++ u64 msrval, guestval = guest_spec_ctrl, hostval = spec_ctrl_current(); + struct thread_info *ti = current_thread_info(); + +- /* Is MSR_SPEC_CTRL implemented ? */ + if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) { +- /* +- * Restrict guest_spec_ctrl to supported values. Clear the +- * modifiable bits in the host base value and or the +- * modifiable bits from the guest value. +- */ +- guestval = hostval & ~x86_spec_ctrl_mask; +- guestval |= guest_spec_ctrl & x86_spec_ctrl_mask; +- + if (hostval != guestval) { + msrval = setguest ? guestval : hostval; + wrmsrl(MSR_IA32_SPEC_CTRL, msrval); +@@ -1665,16 +1646,6 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void) + break; + } + +- /* +- * If SSBD is controlled by the SPEC_CTRL MSR, then set the proper +- * bit in the mask to allow guests to use the mitigation even in the +- * case where the host does not enable it. +- */ +- if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) || +- static_cpu_has(X86_FEATURE_AMD_SSBD)) { +- x86_spec_ctrl_mask |= SPEC_CTRL_SSBD; +- } +- + /* + * We have three CPU feature flags that are in play here: + * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible. + diff --git a/patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch b/patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch new file mode 100644 index 0000000..986cc12 --- /dev/null +++ b/patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch @@ -0,0 +1,56 @@ +From: Josh Poimboeuf +Date: Tue, 14 Jun 2022 23:16:08 +0200 +Subject: x86/speculation: Use cached host SPEC_CTRL value for guest entry/exit +Git-commit: bbb69e8bee1bd882784947095ffb2bfe0f7c9470 +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +There's no need to recalculate the host value for every entry/exit. +Just use the cached value in spec_ctrl_current(). 
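The pattern, loosely sketched (per-CPU handling and serialization elided; the names are illustrative stand-ins for the helpers this series adds):

    /* Cache the last value written to MSR_IA32_SPEC_CTRL so hot paths
     * such as VM entry/exit can read it back without recomputing it
     * from scattered mitigation state. */
    static u64 spec_ctrl_cached;

    static u64 spec_ctrl_current_sketch(void)
    {
            return spec_ctrl_cached;                /* no recalculation */
    }

    static void write_spec_ctrl_sketch(u64 val)
    {
            spec_ctrl_cached = val;                 /* cache first ...  */
            wrmsrl(MSR_IA32_SPEC_CTRL, val);        /* ... then the MSR */
    }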
+ +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/cpu/bugs.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 9b80059c4e02..f884f9497666 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -208,7 +208,7 @@ void __init check_bugs(void) + void + x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest) + { +- u64 msrval, guestval, hostval = x86_spec_ctrl_base; ++ u64 msrval, guestval, hostval = spec_ctrl_current(); + struct thread_info *ti = current_thread_info(); + + /* Is MSR_SPEC_CTRL implemented ? */ +@@ -221,15 +221,6 @@ x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest) + guestval = hostval & ~x86_spec_ctrl_mask; + guestval |= guest_spec_ctrl & x86_spec_ctrl_mask; + +- /* SSBD controlled in MSR_SPEC_CTRL */ +- if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) || +- static_cpu_has(X86_FEATURE_AMD_SSBD)) +- hostval |= ssbd_tif_to_spec_ctrl(ti->flags); +- +- /* Conditional STIBP enabled? */ +- if (static_branch_unlikely(&switch_to_cond_stibp)) +- hostval |= stibp_tif_to_spec_ctrl(ti->flags); +- + if (hostval != guestval) { + msrval = setguest ? guestval : hostval; + wrmsrl(MSR_IA32_SPEC_CTRL, msrval); +@@ -1397,7 +1388,6 @@ static void __init spectre_v2_select_mitigation(void) + pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); + + if (spectre_v2_in_ibrs_mode(mode)) { +- /* Force it so VMEXIT will restore correctly */ + x86_spec_ctrl_base |= SPEC_CTRL_IBRS; + write_spec_ctrl_current(x86_spec_ctrl_base, true); + } + diff --git a/patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch b/patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch index c89c13b..4c9187a 100644 --- a/patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch +++ b/patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch @@ -44,8 +44,8 @@ Reviewed-by: Thomas Gleixner ANNOTATE_NOSPEC_ALTERNATIVE ALTERNATIVE_2 __stringify(ANNOTATE_RETPOLINE_SAFE; jmp *\reg), \ __stringify(RETPOLINE_JMP \reg), X86_FEATURE_RETPOLINE, \ -- __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *\reg), X86_FEATURE_RETPOLINE_AMD -+ __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *\reg), X86_FEATURE_RETPOLINE_LFENCE +- __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *\reg; int3), X86_FEATURE_RETPOLINE_AMD ++ __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *\reg; int3), X86_FEATURE_RETPOLINE_LFENCE #else jmp *\reg #endif diff --git a/patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch b/patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch new file mode 100644 index 0000000..11ef0b5 --- /dev/null +++ b/patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch @@ -0,0 +1,47 @@ +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:15:43 +0200 +Subject: x86/vsyscall_emu/64: Don't use RET in vsyscall emulation +Git-commit: 15583e514eb16744b80be85dea0774ece153177d +Patch-mainline: Queued in tip for 5.19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +References: bsc#1199657 CVE-2022-29900 CVE-2022-29901 + +This is userspace code and doesn't play by the normal kernel rules. 
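The vsyscall page is executed through userspace mappings, so jumping to the kernel's __x86_return_thunk is not an option there; the series instead open-codes the straight-line-speculation-safe return. A minimal sketch of that pattern, in the toplevel-asm style used elsewhere in these patches (the symbol name is illustrative):

    /*
     * 'ret; int3': the int3 is never reached architecturally.  It stops
     * the CPU from speculating straight past the ret and traps any
     * stray jump that lands behind it.
     */
    asm(".pushsection .text\n"
        ".global demo_sls_return\n"
        "demo_sls_return:\n"
        "\tret\n"
        "\tint3\n"
        ".popsection\n");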
+ +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/entry/vsyscall/vsyscall_emu_64.S | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/entry/vsyscall/vsyscall_emu_64.S b/arch/x86/entry/vsyscall/vsyscall_emu_64.S +index 15e35159ebb6..ef2dd1827243 100644 +--- a/arch/x86/entry/vsyscall/vsyscall_emu_64.S ++++ b/arch/x86/entry/vsyscall/vsyscall_emu_64.S +@@ -19,17 +19,20 @@ __vsyscall_page: + + mov $__NR_gettimeofday, %rax + syscall +- RET ++ ret ++ int3 + + .balign 1024, 0xcc + mov $__NR_time, %rax + syscall +- RET ++ ret ++ int3 + + .balign 1024, 0xcc + mov $__NR_getcpu, %rax + syscall +- RET ++ ret ++ int3 + + .balign 4096, 0xcc + + diff --git a/patches.suse/xen-blkfront-fix-leaking-data-in-shared-pages.patch b/patches.suse/xen-blkfront-fix-leaking-data-in-shared-pages.patch new file mode 100644 index 0000000..99ac247 --- /dev/null +++ b/patches.suse/xen-blkfront-fix-leaking-data-in-shared-pages.patch @@ -0,0 +1,49 @@ +Patch-mainline: 5.19-rc6 +Git-commit: 2f446ffe9d737e9a844b97887919c4fda18246e7 +References: bsc#1200762, CVE-2022-26365, XSA-403 +From: Roger Pau Monne +Date: Fri, 1 Jul 2022 08:23:54 +0200 +Subject: [PATCH] xen/blkfront: fix leaking data in shared pages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When allocating pages to be used for shared communication with the +backend always zero them, this avoids leaking unintended data present +on the pages. + +This is CVE-2022-26365, part of XSA-403. + +Signed-off-by: Roger Pau Monné +Reviewed-by: Jan Beulich +Reviewed-by: Juergen Gross +--- + drivers/block/xen-blkfront.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c +index 33f04ef78984..4b3bef6ace68 100644 +--- a/drivers/block/xen-blkfront.c ++++ b/drivers/block/xen-blkfront.c +@@ -311,7 +311,7 @@ static int fill_grant_buffer(struct blkfront_ring_info *rinfo, int num) + goto out_of_memory; + + if (info->feature_persistent) { +- granted_page = alloc_page(GFP_NOIO); ++ granted_page = alloc_page(GFP_NOIO | __GFP_ZERO); + if (!granted_page) { + kfree(gnt_list_entry); + goto out_of_memory; +@@ -2286,7 +2286,8 @@ static int blkfront_setup_indirect(struc + + BUG_ON(!list_empty(&rinfo->indirect_pages)); + for (i = 0; i < num; i++) { +- struct page *indirect_page = alloc_page(GFP_KERNEL); ++ struct page *indirect_page = alloc_page(GFP_NOIO | ++ __GFP_ZERO); + if (!indirect_page) + goto out_of_memory; + list_add(&indirect_page->lru, &rinfo->indirect_pages); +-- +2.35.3 + diff --git a/patches.suse/xen-blkfront-force-data-bouncing-when-backend-is-unt.patch b/patches.suse/xen-blkfront-force-data-bouncing-when-backend-is-unt.patch new file mode 100644 index 0000000..286d0fa --- /dev/null +++ b/patches.suse/xen-blkfront-force-data-bouncing-when-backend-is-unt.patch @@ -0,0 +1,207 @@ +Patch-mainline: 5.19-rc6 +Git-commit: 2400617da7eebf9167d71a46122828bc479d64c9 +References: bsc#1200762, CVE-2022-33742, XSA-403 +From: Roger Pau Monne +Date: Thu, 7 Apr 2022 13:04:24 +0200 +Subject: [PATCH] xen/blkfront: force data bouncing when backend is untrusted +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Split the current bounce buffering logic used with persistent grants +into it's own option, and allow enabling it independently of +persistent grants. 
This allows to reuse the same code paths to +perform the bounce buffering required to avoid leaking contiguous data +in shared pages not part of the request fragments. + +Reporting whether the backend is to be trusted can be done using a +module parameter, or from the xenstore frontend path as set by the +toolstack when adding the device. + +This is CVE-2022-33742, part of XSA-403. + +Signed-off-by: Roger Pau Monné +Reviewed-by: Juergen Gross +--- + drivers/block/xen-blkfront.c | 49 +++++++++++++++++++++++++----------- + 1 file changed, 34 insertions(+), 15 deletions(-) + +diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c +index 4b3bef6ace68..3646c0cae672 100644 +--- a/drivers/block/xen-blkfront.c ++++ b/drivers/block/xen-blkfront.c +@@ -151,6 +151,10 @@ static unsigned int xen_blkif_max_ring_o + module_param_named(max_ring_page_order, xen_blkif_max_ring_order, int, 0444); + MODULE_PARM_DESC(max_ring_page_order, "Maximum order of pages to be used for the shared ring"); + ++static bool __read_mostly xen_blkif_trusted = true; ++module_param_named(trusted, xen_blkif_trusted, bool, 0644); ++MODULE_PARM_DESC(trusted, "Is the backend trusted"); ++ + #define BLK_RING_SIZE(info) \ + __CONST_RING_SIZE(blkif, XEN_PAGE_SIZE * (info)->nr_ring_pages) + +@@ -210,6 +214,7 @@ struct blkfront_info + unsigned int feature_discard:1; + unsigned int feature_secdiscard:1; + unsigned int feature_persistent:1; ++ unsigned int bounce:1; + unsigned int discard_granularity; + unsigned int discard_alignment; + /* Number of 4KB segments handled */ +@@ -310,7 +315,7 @@ static int fill_grant_buffer(struct blkfront_ring_info *rinfo, int num) + if (!gnt_list_entry) + goto out_of_memory; + +- if (info->feature_persistent) { ++ if (info->bounce) { + granted_page = alloc_page(GFP_NOIO | __GFP_ZERO); + if (!granted_page) { + kfree(gnt_list_entry); +@@ -330,7 +335,7 @@ static int fill_grant_buffer(struct blkfront_ring_info *rinfo, int num) + list_for_each_entry_safe(gnt_list_entry, n, + &rinfo->grants, node) { + list_del(&gnt_list_entry->node); +- if (info->feature_persistent) ++ if (info->bounce) + __free_page(gnt_list_entry->page); + kfree(gnt_list_entry); + i--; +@@ -376,7 +381,7 @@ static struct grant *get_grant(grant_ref_t *gref_head, + /* Assign a gref to this page */ + gnt_list_entry->gref = gnttab_claim_grant_reference(gref_head); + BUG_ON(gnt_list_entry->gref == -ENOSPC); +- if (info->feature_persistent) ++ if (info->bounce) + grant_foreign_access(gnt_list_entry, info); + else { + /* Grant access to the GFN passed by the caller */ +@@ -400,7 +405,7 @@ static struct grant *get_indirect_grant(grant_ref_t *gref_head, + /* Assign a gref to this page */ + gnt_list_entry->gref = gnttab_claim_grant_reference(gref_head); + BUG_ON(gnt_list_entry->gref == -ENOSPC); +- if (!info->feature_persistent) { ++ if (!info->bounce) { + struct page *indirect_page; + + /* Fetch a pre-allocated page to use for indirect grefs */ +@@ -703,7 +708,7 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri + .grant_idx = 0, + .segments = NULL, + .rinfo = rinfo, +- .need_copy = rq_data_dir(req) && info->feature_persistent, ++ .need_copy = rq_data_dir(req) && info->bounce, + }; + + /* +@@ -981,11 +986,12 @@ static void xlvbd_flush(struct blkfront_info *info) + { + blk_queue_write_cache(info->rq, info->feature_flush ? true : false, + info->feature_fua ? 
true : false); +- pr_info("blkfront: %s: %s %s %s %s %s\n", ++ pr_info("blkfront: %s: %s %s %s %s %s %s %s\n", + info->gd->disk_name, flush_info(info), + "persistent grants:", info->feature_persistent ? + "enabled;" : "disabled;", "indirect descriptors:", +- info->max_indirect_segments ? "enabled;" : "disabled;"); ++ info->max_indirect_segments ? "enabled;" : "disabled;", ++ "bounce buffer:", info->bounce ? "enabled" : "disabled;"); + } + + static int xen_translate_vdev(int vdevice, int *minor, unsigned int *offset) +@@ -1207,7 +1213,7 @@ static void blkif_free_ring(struct blkfront_ring_info *rinfo) + if (!list_empty(&rinfo->indirect_pages)) { + struct page *indirect_page, *n; + +- BUG_ON(info->feature_persistent); ++ BUG_ON(info->bounce); + list_for_each_entry_safe(indirect_page, n, &rinfo->indirect_pages, lru) { + list_del(&indirect_page->lru); + __free_page(indirect_page); +@@ -1224,7 +1230,7 @@ static void blkif_free_ring(struct blkfront_ring_info *rinfo) + 0, 0UL); + rinfo->persistent_gnts_c--; + } +- if (info->feature_persistent) ++ if (info->bounce) + __free_page(persistent_gnt->page); + kfree(persistent_gnt); + } +@@ -1245,7 +1251,7 @@ static void blkif_free_ring(struct blkfront_ring_info *rinfo) + for (j = 0; j < segs; j++) { + persistent_gnt = rinfo->shadow[i].grants_used[j]; + gnttab_end_foreign_access(persistent_gnt->gref, 0, 0UL); +- if (info->feature_persistent) ++ if (info->bounce) + __free_page(persistent_gnt->page); + kfree(persistent_gnt); + } +@@ -1428,7 +1434,7 @@ static int blkif_completion(unsigned long *id, + data.s = s; + num_sg = s->num_sg; + +- if (bret->operation == BLKIF_OP_READ && info->feature_persistent) { ++ if (bret->operation == BLKIF_OP_READ && info->bounce) { + for_each_sg(s->sg, sg, num_sg, i) { + BUG_ON(sg->offset + sg->length > PAGE_SIZE); + +@@ -1487,7 +1493,7 @@ static int blkif_completion(unsigned long *id, + * Add the used indirect page back to the list of + * available pages for indirect grefs. + */ +- if (!info->feature_persistent) { ++ if (!info->bounce) { + indirect_page = s->indirect_grants[i]->page; + list_add(&indirect_page->lru, &rinfo->indirect_pages); + } +@@ -1852,6 +1852,10 @@ static int talk_to_blkback(struct xenbus + if (!info) + return -ENODEV; + ++ /* Check if backend is trusted. 
*/ ++ info->bounce = !xen_blkif_trusted || ++ !xenbus_read_unsigned(dev->nodename, "trusted", 1); ++ + max_page_order = xenbus_read_unsigned(info->xbdev->otherend, + "max-ring-page-order", 0); + ring_page_order = min(xen_blkif_max_ring_order, max_page_order); +@@ -2173,10 +2183,10 @@ static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo) + if (err) + goto out_of_memory; + +- if (!info->feature_persistent && info->max_indirect_segments) { ++ if (!info->bounce && info->max_indirect_segments) { + /* +- * We are using indirect descriptors but not persistent +- * grants, we need to allocate a set of pages that can be ++ * We are using indirect descriptors but don't have a bounce ++ * buffer, we need to allocate a set of pages that can be + * used for mapping indirect grefs + */ + int num = INDIRECT_GREFS(grants) * BLK_RING_SIZE(info); +@@ -2277,6 +2287,8 @@ static void blkfront_gather_backend_features(struct blkfront_info *info) + info->feature_persistent = + !!xenbus_read_unsigned(info->xbdev->otherend, + "feature-persistent", 0); ++ if (info->feature_persistent) ++ info->bounce = true; + + indirect_segments = xenbus_read_unsigned(info->xbdev->otherend, + "feature-max-indirect-segments", 0); +@@ -2548,6 +2560,13 @@ static void blkfront_delay_work(struct work_struct *work) + struct blkfront_info *info; + bool need_schedule_work = false; + ++ /* ++ * Note that when using bounce buffers but not persistent grants ++ * there's no need to run blkfront_delay_work because grants are ++ * revoked in blkif_completion or else an error is reported and the ++ * connection is closed. ++ */ ++ + mutex_lock(&blkfront_mutex); + + list_for_each_entry(info, &info_list, info_list) { +-- +2.35.3 + diff --git a/patches.suse/xen-netback-avoid-entering-xenvif_rx_next_skb-with-a.patch b/patches.suse/xen-netback-avoid-entering-xenvif_rx_next_skb-with-a.patch new file mode 100644 index 0000000..cea6cb2 --- /dev/null +++ b/patches.suse/xen-netback-avoid-entering-xenvif_rx_next_skb-with-a.patch @@ -0,0 +1,63 @@ +Patch-mainline: 5.19-rc7 +Git-commit: 94e8100678889ab428e68acadf042de723f094b9 +References: bsc#1201381 +From: Juergen Gross +Date: Wed, 13 Jul 2022 15:53:22 +0200 +Subject: [PATCH] xen/netback: avoid entering xenvif_rx_next_skb() with an + empty rx queue + +xenvif_rx_next_skb() is expecting the rx queue not being empty, but +in case the loop in xenvif_rx_action() is doing multiple iterations, +the availability of another skb in the rx queue is not being checked. 
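Abstractly, this is the classic batched-consumer bug. A hedged sketch follows, where rx_queue_empty() and process_one() stand in for the driver's skb_queue_empty() check and for xenvif_rx_skb(), which assumes a non-empty queue:

    #include <stdbool.h>

    #define RX_BATCH_SIZE 64

    struct rx_queue;                                /* opaque here */
    extern bool rx_queue_empty(struct rx_queue *q);
    extern void process_one(struct rx_queue *q);    /* NULL-derefs if empty */

    static void rx_action_fixed(struct rx_queue *q)
    {
            unsigned int work_done = 0;

            /* The buggy loop bounded only the batch size, so once the
             * queue drained mid-batch, process_one() touched a NULL
             * head skb.  Re-testing emptiness each iteration fixes it. */
            while (!rx_queue_empty(q) && work_done < RX_BATCH_SIZE) {
                    process_one(q);
                    work_done++;
            }
    }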
+ +This can lead to crashes: + +[40072.537261] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080 +[40072.537407] IP: xenvif_rx_skb+0x23/0x590 [xen_netback] +[40072.537534] PGD 0 P4D 0 +[40072.537644] Oops: 0000 [#1] SMP NOPTI +[40072.537749] CPU: 0 PID: 12505 Comm: v1-c40247-q2-gu Not tainted 4.12.14-122.121-default #1 SLE12-SP5 +[40072.537867] Hardware name: HP ProLiant DL580 Gen9/ProLiant DL580 Gen9, BIOS U17 11/23/2021 +[40072.537999] task: ffff880433b38100 task.stack: ffffc90043d40000 +[40072.538112] RIP: e030:xenvif_rx_skb+0x23/0x590 [xen_netback] +[40072.538217] RSP: e02b:ffffc90043d43de0 EFLAGS: 00010246 +[40072.538319] RAX: 0000000000000000 RBX: ffffc90043cd7cd0 RCX: 00000000000000f7 +[40072.538430] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffc90043d43df8 +[40072.538531] RBP: 000000000000003f R08: 000077ff80000000 R09: 0000000000000008 +[40072.538644] R10: 0000000000007ff0 R11: 00000000000008f6 R12: ffffc90043ce2708 +[40072.538745] R13: 0000000000000000 R14: ffffc90043d43ed0 R15: ffff88043ea748c0 +[40072.538861] FS: 0000000000000000(0000) GS:ffff880484600000(0000) knlGS:0000000000000000 +[40072.538988] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 +[40072.539088] CR2: 0000000000000080 CR3: 0000000407ac8000 CR4: 0000000000040660 +[40072.539211] Call Trace: +[40072.539319] xenvif_rx_action+0x71/0x90 [xen_netback] +[40072.539429] xenvif_kthread_guest_rx+0x14a/0x29c [xen_netback] + +Fix that by stopping the loop in case the rx queue becomes empty. + +Cc: stable@vger.kernel.org +Fixes: 98f6d57ced73 ("xen-netback: process guest rx packets in batches") +Signed-off-by: Juergen Gross +Reviewed-by: Jan Beulich +Reviewed-by: Paul Durrant +Link: https://lore.kernel.org/r/20220713135322.19616-1-jgross@suse.com +Signed-off-by: Jakub Kicinski +--- + drivers/net/xen-netback/rx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/xen-netback/rx.c b/drivers/net/xen-netback/rx.c +index dbac4c03d21a..a0335407be42 100644 +--- a/drivers/net/xen-netback/rx.c ++++ b/drivers/net/xen-netback/rx.c +@@ -495,6 +495,7 @@ void xenvif_rx_action(struct xenvif_queue *queue) + queue->rx_copy.completed = &completed_skbs; + + while (xenvif_rx_ring_slots_available(queue) && ++ !skb_queue_empty(&queue->rx_queue) && + work_done < RX_BATCH_SIZE) { + xenvif_rx_skb(queue); + work_done++; +-- +2.35.3 + diff --git a/patches.suse/xen-netfront-fix-leaking-data-in-shared-pages.patch b/patches.suse/xen-netfront-fix-leaking-data-in-shared-pages.patch new file mode 100644 index 0000000..cc12318 --- /dev/null +++ b/patches.suse/xen-netfront-fix-leaking-data-in-shared-pages.patch @@ -0,0 +1,39 @@ +Patch-mainline: 5.19-rc6 +Git-commit: 307c8de2b02344805ebead3440d8feed28f2f010 +References: bsc#1200762, CVE-2022-33740, XSA-403 +From: Roger Pau Monne +Date: Wed, 6 Apr 2022 17:38:04 +0200 +Subject: [PATCH] xen/netfront: fix leaking data in shared pages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When allocating pages to be used for shared communication with the +backend always zero them, this avoids leaking unintended data present +on the pages. + +This is CVE-2022-33740, part of XSA-403. 
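The one-flag fix is easiest to see in isolation; the sketch below restates the allocation the patch changes (the wrapper name is illustrative, not from the driver):

    static struct page *rx_buffer_page(void)
    {
            /*
             * Before: only part of the page carries packet data, yet
             * the grant exposes all of it to a possibly untrusted
             * backend:
             *
             *      return alloc_page(GFP_ATOMIC | __GFP_NOWARN);
             *
             * After: whatever the skb does not use is guaranteed zeros.
             */
            return alloc_page(GFP_ATOMIC | __GFP_NOWARN | __GFP_ZERO);
    }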
+ +Signed-off-by: Roger Pau Monné +Reviewed-by: Jan Beulich +Reviewed-by: Juergen Gross +--- + drivers/net/xen-netfront.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 8c0b9546d5a2..e3165139629d 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -271,7 +271,7 @@ static struct sk_buff *xennet_alloc_one_rx_buffer(struct netfront_queue *queue) + if (unlikely(!skb)) + return NULL; + +- page = alloc_page(GFP_ATOMIC | __GFP_NOWARN); ++ page = alloc_page(GFP_ATOMIC | __GFP_NOWARN | __GFP_ZERO); + if (!page) { + kfree_skb(skb); + return NULL; +-- +2.35.3 + diff --git a/patches.suse/xen-netfront-force-data-bouncing-when-backend-is-unt.patch b/patches.suse/xen-netfront-force-data-bouncing-when-backend-is-unt.patch new file mode 100644 index 0000000..710fde7 --- /dev/null +++ b/patches.suse/xen-netfront-force-data-bouncing-when-backend-is-unt.patch @@ -0,0 +1,129 @@ +Patch-mainline: 5.19-rc6 +Git-commit: 4491001c2e0fa69efbb748c96ec96b100a5cdb7e +References: bsc#1200762, CVE-2022-33741, XSA-403 +From: Roger Pau Monne +Date: Thu, 7 Apr 2022 12:20:06 +0200 +Subject: [PATCH] xen/netfront: force data bouncing when backend is untrusted +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bounce all data on the skbs to be transmitted into zeroed pages if the +backend is untrusted. This avoids leaking data present in the pages +shared with the backend but not part of the skb fragments. This +requires introducing a new helper in order to allocate skbs with a +size multiple of XEN_PAGE_SIZE so we don't leak contiguous data on the +granted pages. + +Reporting whether the backend is to be trusted can be done using a +module parameter, or from the xenstore frontend path as set by the +toolstack when adding the device. + +This is CVE-2022-33741, part of XSA-403. + +Signed-off-by: Roger Pau Monné +Reviewed-by: Juergen Gross +--- + drivers/net/xen-netfront.c | 49 ++++++++++++++++++++++++++++++++++++-- + 1 file changed, 47 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index e3165139629d..87f6df77bfbf 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -66,6 +66,10 @@ module_param_named(max_queues, xennet_max_queues, uint, 0644); + MODULE_PARM_DESC(max_queues, + "Maximum number of queues per virtual interface"); + ++static bool __read_mostly xennet_trusted = true; ++module_param_named(trusted, xennet_trusted, bool, 0644); ++MODULE_PARM_DESC(trusted, "Is the backend trusted"); ++ + static const struct ethtool_ops xennet_ethtool_ops; + + struct netfront_cb { +@@ -173,6 +177,9 @@ struct netfront_info { + /* Is device behaving sane? */ + bool broken; + ++ /* Should skbs be bounced into a zeroed buffer? 
*/ ++ bool bounce; ++ + atomic_t rx_gso_checksum_fixup; + }; + +@@ -666,6 +673,34 @@ static int xennet_xdp_xmit(struct net_device *dev, int n, + queue->tx_link[i] = TX_PENDING; + } + ++struct sk_buff *bounce_skb(const struct sk_buff *skb) ++{ ++ unsigned int headerlen = skb_headroom(skb); ++ /* Align size to allocate full pages and avoid contiguous data leaks */ ++ unsigned int size = ALIGN(skb_end_offset(skb) + skb->data_len, ++ XEN_PAGE_SIZE); ++ struct sk_buff *n = alloc_skb(size, GFP_ATOMIC | __GFP_ZERO); ++ ++ if (!n) ++ return NULL; ++ ++ if (!IS_ALIGNED((uintptr_t)n->head, XEN_PAGE_SIZE)) { ++ WARN_ONCE(1, "misaligned skb allocated\n"); ++ kfree_skb(n); ++ return NULL; ++ } ++ ++ /* Set the data pointer */ ++ skb_reserve(n, headerlen); ++ /* Set the tail pointer and length */ ++ skb_put(n, skb->len); ++ ++ BUG_ON(skb_copy_bits(skb, -headerlen, n->head, headerlen + skb->len)); ++ ++ skb_copy_header(n, skb); ++ return n; ++} ++ + #define MAX_XEN_SKB_FRAGS (65536 / XEN_PAGE_SIZE + 1) + + static int xennet_start_xmit(struct sk_buff *skb, struct net_device *dev) +@@ -719,9 +753,13 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev + + /* The first req should be at least ETH_HLEN size or the packet will be + * dropped by netback. ++ * ++ * If the backend is not trusted bounce all data to zeroed pages to ++ * avoid exposing contiguous data on the granted page not belonging to ++ * the skb. + */ +- if (unlikely(PAGE_SIZE - offset < ETH_HLEN)) { +- nskb = skb_copy(skb, GFP_ATOMIC); ++ if (np->bounce || unlikely(PAGE_SIZE - offset < ETH_HLEN)) { ++ nskb = bounce_skb(skb); + if (!nskb) + goto drop; + dev_kfree_skb_any(skb); +@@ -2215,6 +2253,10 @@ static int talk_to_netback(struct xenbus_device *dev, + + info->netdev->irq = 0; + ++ /* Check if backend is trusted. 
*/ ++ info->bounce = !xennet_trusted || ++ !xenbus_read_unsigned(dev->nodename, "trusted", 1); ++ + /* Check if backend supports multiple queues */ + max_queues = xenbus_read_unsigned(info->xbdev->otherend, + "multi-queue-max-queues", 1); +@@ -2382,6 +2424,9 @@ static int xennet_connect(struct net_device *dev) + err = talk_to_netback(np->xbdev, np); + if (err) + return err; ++ if (np->bounce) ++ dev_info(&np->xbdev->dev, ++ "bouncing transmitted data to zeroed pages\n"); + + /* talk_to_netback() sets the correct number of queues */ + num_queues = dev->real_num_tx_queues; +-- +2.35.3 + diff --git a/series.conf b/series.conf index c05d1a4..c7d6024 100644 --- a/series.conf +++ b/series.conf @@ -1630,6 +1630,7 @@ patches.suse/firmware-tegra-Fix-locking-bugs-in-BPMP patches.suse/0019-arm64-marvell-enable-the-Armada-7K-8K-pinctrl-driver.patch patches.suse/0020-arm64-marvell-enable-ICU-and-GICP-drivers.patch + patches.suse/audit-fix-a-race-condition-with-the-auditd-tracking-code.patch patches.suse/tpm-move-endianness-conversion-of-TPM_TAG_RQU_COMMAN.patch patches.suse/tpm-move-endianness-conversion-of-ordinals-to-tpm_in.patch patches.suse/tpm-177-tis-Fix-IRQ-autoprobing-when-using-platform_devi.patch @@ -10247,6 +10248,7 @@ patches.suse/0014-fs-epoll-use-faster-rb_first_cached.patch patches.suse/0015-mem-memcg-cache-rightmost-node.patch patches.suse/0016-block-cfq-cache-rightmost-rb_node.patch + patches.suse/0001-lib-hexdump.c-return-EINVAL-in-case-of-error-in-hex2.patch patches.suse/lib-bitmap.c-make-bitmap_parselist-thread-safe-and-m.patch patches.suse/0050-lib-test_bitmap.c-add-test-for-bitmap_parselist.patch patches.suse/bitmap-introduce-BITMAP_FROM_U64.patch @@ -48574,6 +48576,7 @@ patches.suse/net-mlx5e-Rx-Fixup-skb-checksum-for-packets-with-tai.patch patches.suse/net-mlx5e-Rx-Check-ip-headers-sanity.patch patches.suse/Revert-net-mlx5e-Enable-reporting-checksum-unnecessa.patch + patches.suse/net-mlx5e-Switch-to-Toeplitz-RSS-hash-by-default.patch patches.suse/rt2x00-do-not-increment-sequence-number-while-re-tra.patch patches.suse/bonding-fix-event-handling-for-stacked-bonds.patch patches.suse/bnx2x-fix-spelling-mistake-dicline-decline.patch @@ -49262,6 +49265,7 @@ patches.suse/ibmvnic-Add-device-identification-to-requested-IRQs.patch patches.suse/cxgb4-Delete-all-hash-and-TCAM-filters-before-resour.patch patches.suse/0006-net-phy-micrel-make-sure-the-factory-test-bit-is-cle.patch + patches.suse/net-ll_temac-Fix-bug-causing-buffer-descriptor-overr.patch patches.suse/i40e-Fix-for-allowing-too-many-MDD-events-on-VF.patch patches.suse/i40e-change-behavior-on-PF-in-response-to-MDD-event.patch patches.suse/i40e-remove-error-msg-when-vf-with-port-vlan-tries-t.patch @@ -50124,6 +50128,7 @@ patches.suse/cxgb4-offload-VLAN-flows-regardless-of-VLAN-ethtype.patch patches.suse/net-fec-fix-the-clk-mismatch-in-failed_reset-path.patch patches.suse/cxgb4-Revert-cxgb4-Remove-SGE_HOST_PAGE_SIZE-depende.patch + patches.suse/net-stmmac-update-rx-tail-pointer-register-to-fix-rx.patch patches.suse/0007-net-stmmac-fix-csr_clk-can-t-be-zero-issue.patch patches.suse/bonding-802.3ad-fix-slave-link-initialization-transi.patch patches.suse/net-tulip-de4x5-Drop-redundant-MODULE_DEVICE_TABLE.patch @@ -50135,6 +50140,7 @@ patches.suse/msft-hv-1880-netvsc-unshare-skb-in-VF-rx-handler.patch patches.suse/net-core-support-XDP-generic-on-stacked-devices.patch patches.suse/net-mlx5-Fix-error-handling-in-mlx5_load.patch + patches.suse/net-mlx5-Avoid-double-free-of-root-ns-in-the-error-f.patch 
patches.suse/net-mlx5-Avoid-double-free-in-fs-init-error-unwindin.patch patches.suse/net-mlx5-Allocate-root-ns-memory-using-kzalloc-to-ma.patch patches.suse/net-mlx5e-Disable-rxhash-when-CQE-compress-is-enable.patch @@ -54043,6 +54049,7 @@ patches.suse/s390-unwind-stop-gracefully-at-user-mode-pt_regs-in-irq-stack.patch patches.suse/s390-ftrace-save-traced-function-caller.patch patches.suse/tracing-have-the-histogram-compare-functions-convert-to-u64-first.patch + patches.suse/bonding-fix-bond_neigh_init.patch patches.suse/sctp-fully-initialize-v4-addr-in-some-functions.patch patches.suse/netfilter-ctnetlink-netns-exit-must-wait-for-callbac.patch patches.suse/netfilter-nf_queue-enqueue-skbs-with-NULL-dst.patch @@ -54433,6 +54440,7 @@ patches.suse/Revert-ath10k-fix-DMA-related-firmware-crashes-on-mu.patch patches.suse/ath10k-Correct-the-DMA-direction-for-management-tx-b.patch patches.suse/ar5523-Add-USB-ID-of-SMCWUSBT-G2-wireless-adapter.patch + patches.suse/bnxt_en-Remove-the-setting-of-dev_port.patch patches.suse/ALSA-control-remove-useless-assignment-in-.info-call.patch patches.suse/ALSA-usx2y-Adjust-indentation-in-snd_usX2Y_hwdep_dsp.patch patches.suse/ALSA-ctl-allow-TLV-read-operation-for-callback-type-.patch @@ -54739,6 +54747,7 @@ patches.suse/net-mlx5-IPsec-fix-memory-leak-at-mlx5_fpga_ipsec_de.patch patches.suse/0001-net-dsa-b53-Always-use-dev-vlan_enabled-in-b53_confi.patch patches.suse/msft-hv-2023-hv_netvsc-Fix-XDP-refcnt-for-synthetic-and-VF-NICs.patch + patches.suse/net-stmmac-fix-missing-IFF_MULTICAST-check-in-dwmac4.patch patches.suse/mlxsw-spectrum_dpipe-Add-missing-error-path.patch patches.suse/mwifiex-fix-unbalanced-locking-in-mwifiex_process_co.patch patches.suse/mwifiex-Fix-possible-buffer-overflows-in-mwifiex_ret.patch @@ -54921,6 +54930,7 @@ patches.suse/ipv4-ensure-rcu_read_lock-in-cipso_v4_error.patch patches.suse/msft-hv-2027-hv_netvsc-Fix-unwanted-wakeup-in-netvsc_attach.patch patches.suse/net-phy-Avoid-multiple-suspends.patch + patches.suse/net-ll_temac-Fix-race-condition-causing-TX-hang.patch patches.suse/cfg80211-check-reg_rule-for-NULL-in-handle_channel_c.patch patches.suse/mac80211-rx-avoid-RCU-list-traversal-under-mutex.patch patches.suse/net-Fix-Tx-hash-bound-checking.patch @@ -55373,6 +55383,7 @@ patches.suse/xfs-clear-PF_MEMALLOC-before-exiting-xfsaild-thread.patch patches.suse/xfs-don-t-ever-return-a-stale-pointer-from-__xfs_dir.patch patches.suse/KVM-x86-Allocate-new-rmap-and-large-page-tracking-wh.patch + patches.suse/KVM-x86-Trace-the-original-requested-CPUID-function-.patch patches.suse/kvm-x86-extend-amd-specific-guest-behavior-to-hygon-virtual-cpus.patch patches.suse/s390-kernel-uv-handle-length-extension-properly patches.suse/s390-gmap-return-proper-error-code-on-ksm-unsharing @@ -59946,6 +59957,7 @@ patches.suse/be2net-Fix-an-error-handling-path-in-be_probe.patch patches.suse/net-cdc_eem-fix-tx-fixup-skb-leak.patch patches.suse/cxgb4-fix-wrong-shift.patch + patches.suse/net-ll_temac-Fix-TX-BD-buffer-overwrite.patch patches.suse/s390-sles12sp5-zcrypt-fix-hanging-ioctl-caused-by-wrong-msg-counter.patch patches.suse/powerpc-perf-Fix-crash-in-perf_instruction_pointer-w.patch patches.suse/x86-fpu-Reset-state-for-all-signal-restore-failures.patch @@ -60427,6 +60439,8 @@ patches.suse/edac-i10nm-fix-nvdimm-detection.patch patches.suse/x86-reboot-limit-dell-optiplex-990-quirk-to-early-bios-versions.patch patches.suse/block-bfq-fix-bfq_set_next_ioprio_data.patch + patches.suse/0002-blk-zoned-allow-zone-management-send-operations-with.patch + 
patches.suse/0003-blk-zoned-allow-BLKREPORTZONE-without-CAP_SYS_ADMIN.patch patches.suse/CIFS-Fix-a-potencially-linear-read-overflow.patch patches.suse/cifs-fix-wrong-release-in-sess_alloc_buffer-failed-path.patch patches.suse/cifs-Do-not-leak-EDEADLK-to-dgetents64-for-STATUS_USER_SESSION_DELE.patch @@ -60451,6 +60465,7 @@ patches.suse/Bluetooth-Move-shutdown-callback-before-flushing-tx-.patch patches.suse/Bluetooth-add-timeout-sanity-check-to-hci_inquiry.patch patches.suse/mac80211-Fix-insufficient-headroom-issue-for-AMSDU.patch + patches.suse/qed-Enable-automatic-recovery-on-error-condition.patch patches.suse/xen-netfront-read-response-from-backend-only-once.patch patches.suse/xen-netfront-don-t-read-data-from-request-on-the-rin.patch patches.suse/xen-netfront-disentangle-tx_skb_freelist.patch @@ -60611,6 +60626,7 @@ patches.suse/KVM-s390-index-kvm-arch.idle_mask-by-vcpu_idx patches.suse/KVM-x86-Update-vCPU-s-hv_clock-before-back-to-guest-.patch patches.suse/net-hso-add-failure-handler-for-add_net_device.patch + patches.suse/net-usb-qmi_wwan-add-Telit-0x1060-composition.patch patches.suse/qlcnic-Remove-redundant-unlock-in-qlcnic_pinit_from_.patch patches.suse/profiling-fix-shift-out-of-bounds-bugs.patch patches.suse/prctl-allow-to-setup-brk-for-et_dyn-executables.patch @@ -60699,6 +60715,7 @@ patches.suse/msft-hv-2444-net-mana-Fix-error-handling-in-mana_create_rxq.patch patches.suse/sctp-account-stream-padding-length-for-reconf-chunk.patch patches.suse/s390-fix-strrchr-implementation + patches.suse/0004-dm-fix-mempool-NULL-pointer-race-when-completing-IO.patch patches.suse/Input-xpad-add-support-for-another-USB-ID-of-Nacon-G.patch patches.suse/USB-xhci-dbc-fix-tty-registration-race.patch patches.suse/xhci-Enable-trust-tx-length-quirk-for-Fresco-FL11-US.patch @@ -60732,6 +60749,7 @@ patches.suse/bpf-Fix-potential-race-in-tail-call-compatibility-ch.patch patches.suse/usbnet-fix-error-return-code-in-usbnet_probe.patch patches.suse/tpm-Check-for-integer-overflow-in-tpm2_map_response_.patch + patches.suse/0005-blk-cgroup-synchronize-blkg-creation-against-policy-.patch patches.suse/powerpc-perf-Fix-data-source-encodings-for-L2.1-and-.patch patches.suse/x86-xen-Mark-cpu_bringup_and_idle-as-dead_end_functi.patch patches.suse/x86-bugs-unconditionally-allow-spectre_v2-retpoline-amd.patch @@ -60959,7 +60977,9 @@ patches.suse/usb-core-config-fix-validation-of-wMaxPacketValue-en.patch patches.suse/fget-clarify-and-improve-__fget_files-implementation.patch patches.suse/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch + patches.suse/0006-dm-btree-remove-fix-use-after-free-in-rebalance_chil.patch patches.suse/phonet-refcount-leak-in-pep_sock_accep.patch + patches.suse/net-usb-qmi_wwan-add-Telit-0x1070-composition.patch patches.suse/netdevsim-Zero-initialize-memory-for-new-map-s-value.patch patches.suse/net-usb-lan78xx-add-Allied-Telesis-AT29M2-AF.patch patches.suse/igb-Fix-removal-of-unicast-MAC-filters-of-VFs.patch @@ -61053,6 +61073,10 @@ patches.suse/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch patches.suse/USB-Fix-slab-out-of-bounds-Write-bug-in-usb_hcd_poll.patch patches.suse/USB-core-Fix-bug-in-resuming-hub-s-handling-of-wakeu.patch + patches.suse/x86-lib-atomic64_386_32-rename-things.patch + patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch + patches.suse/x86-prepare-inline-asm-for-straight-line-speculation.patch + patches.suse/x86-add-straight-line-speculation-mitigation.patch 
 	patches.suse/RDMA-bnxt_re-Scan-the-whole-bitmap-when-checking-if-.patch
 	patches.suse/RDMA-hns-Validate-the-pkey-index.patch
 	patches.suse/RDMA-core-Let-ib_find_gid-continue-search-even-after.patch
@@ -61161,6 +61185,8 @@
 	patches.suse/ibmvnic-init-init_done_rc-earlier.patch
 	patches.suse/ibmvnic-clear-fop-when-retrying-probe.patch
 	patches.suse/ibmvnic-Allow-queueing-resets-during-probe.patch
+	patches.suse/Input-elan_i2c-move-regulator_-en-dis-able-out-of-el.patch
+	patches.suse/Input-elan_i2c-fix-regulator-enable-count-imbalance-.patch
 	patches.suse/tracing-Fix-return-value-of-__setup-handlers.patch
 	patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch
 	patches.suse/x86-speculation-add-eibrs-retpoline-options.patch
@@ -61192,6 +61218,7 @@
 	patches.suse/crypto-rsa-pkcs1pad-fix-buffer-overread-in-pkcs1pad_.patch
 	patches.suse/crypto-qat-don-t-cast-parameter-in-bit-operations.patch
 	patches.suse/hwrng-atmel-disable-trng-on-failure-path.patch
+	patches.suse/crypto-qat-disable-registration-of-algorithms.patch
 	patches.suse/exec-Force-single-empty-string-when-argv-is-empty.patch
 	patches.suse/NFSD-prevent-underflow-in-nfssvc_decode_writeargs.patch
 	patches.suse/sched-debug-Remove-mpol_get-put-and-task_lock-unlock.patch
@@ -61226,6 +61253,7 @@
 	patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch
 	patches.suse/netfilter-nf_tables-initialize-registers-in-nft_do_c.patch
 	patches.suse/0006-drm-fb-helper-Mark-screen-buffers-in-system-memory-w.patch
+	patches.suse/0007-dm-crypt-fix-get_key_size-compiler-warning-if-CONFIG.patch
 	patches.suse/scsi-qla2xxx-Refactor-asynchronous-command-initializ.patch
 	patches.suse/scsi-qla2xxx-Implement-ref-count-for-SRB.patch
 	patches.suse/scsi-qla2xxx-Fix-stuck-session-in-gpdb.patch
@@ -61286,8 +61314,10 @@
 	patches.suse/scsi-lpfc-Use-kcalloc.patch
 	patches.suse/powerpc-add-link-stack-flush-mitigation-status-in-de.patch
 	patches.suse/powerpc-pseries-read-the-lpar-name-from-the-firmware.patch
+	patches.suse/powerpc-64-Move-paca-allocation-later-in-boot.patch
 	patches.suse/rpadlpar_io-Add-MODULE_DESCRIPTION-entries-to-kernel.patch
 	patches.suse/powerpc-xive-Add-some-error-handling-code-to-xive_sp.patch
+	patches.suse/powerpc-Set-crashkernel-offset-to-mid-of-RMA-region.patch
 	patches.suse/powerpc-sysdev-fix-incorrect-use-to-determine-if-lis.patch
 	patches.suse/powerpc-xive-fix-return-value-of-__setup-handler.patch
 	patches.suse/powerpc-tm-Fix-more-userspace-r13-corruption.patch
@@ -61329,11 +61359,14 @@
 	patches.suse/ext4-limit-length-to-bitmap_maxbytes-blocksize-in-pu.patch
 	patches.suse/ext4-fix-overhead-calculation-to-account-for-the-res.patch
 	patches.suse/ext4-force-overhead-calculation-if-the-s_overhead_cl.patch
+	patches.suse/Input-omap4-keypad-fix-pm_runtime_get_sync-error-che.patch
 	patches.suse/scsi-sr-Do-not-leak-information-in-ioctl
 	patches.suse/KVM-PPC-Fix-TCE-handling-for-VFIO.patch
 	patches.suse/powerpc-perf-Fix-power9-event-alternatives.patch
 	patches.suse/0014-video-fbdev-udlfb-properly-check-endpoint-type.patch
 	patches.suse/0001-floppy-disable-FDRAWCMD-by-default.patch
+	patches.suse/0008-hex2bin-make-the-function-hex_to_bin-constant-time.patch
+	patches.suse/0009-hex2bin-fix-access-beyond-string-end.patch
 	patches.suse/bnx2x-fix-napi-API-usage-sequence.patch
 	patches.suse/Revert-ibmvnic-Add-ethtool-private-flag-for-driver-d.patch
 	patches.suse/netfilter-nf_conntrack_tcp-re-init-for-syn-packets-o.patch
@@ -61402,6 +61435,14 @@
 	patches.suse/scsi-fnic-Replace-DMA-mask-of-64-bits-with-47-bits
 	patches.suse/inotify-show-inotify-mask-flags-in-proc-fdinfo.patch
 	patches.suse/NFSD-Fix-possible-sleep-during-nfsd4_release_lockown.patch
+	patches.suse/0010-dm-stats-add-cond_resched-when-looping-over-entries.patch
+	patches.suse/0011-dm-integrity-fix-error-code-in-dm_integrity_ctr.patch
+	patches.suse/0012-dm-crypt-make-printing-of-the-key-constant-time.patch
+	patches.suse/PCI-ACPI-Allow-D3-only-if-Root-Port-can-signal-and-w.patch
+	patches.suse/crypto-qat-set-to-zero-DH-parameters-before-free.patch
+	patches.suse/crypto-qat-fix-memory-leak-in-RSA.patch
+	patches.suse/crypto-qat-remove-dma_free_coherent-for-RSA.patch
+	patches.suse/crypto-qat-remove-dma_free_coherent-for-DH.patch
 	patches.suse/powerpc-idle-Fix-return-value-of-__setup-handler.patch
 	patches.suse/powerpc-perf-Fix-the-threshold-compare-group-constra.patch
 	patches.suse/powerpc-xive-Fix-refcount-leak-in-xive_spapr_init.patch
@@ -61418,12 +61459,25 @@
 	patches.suse/usb-usbip-add-missing-device-lock-on-tweak-configura.patch
 	patches.suse/USB-storage-karma-fix-rio_karma_init-return.patch
 	patches.suse/usb-musb-Fix-missing-of_node_put-in-omap2430_probe.patch
+	patches.suse/USB-serial-option-add-Quectel-BG95-modem.patch
+	patches.suse/Input-bcm5974-set-missing-URB_NO_TRANSFER_DMA_MAP-ur.patch
 	patches.suse/writeback-Fix-inode-i_io_list-not-be-protected-by-in.patch
 	patches.suse/SUNRPC-Fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch
+	patches.suse/0013-dm-mirror-log-round-up-region-bitmap-size-to-BITS_PE.patch
 	patches.suse/init-Initialize-noop_backing_dev_info-early.patch
 	patches.suse/ext4-fix-bug_on-ext4_mb_use_inode_pa.patch
 	patches.suse/ext4-make-variable-count-signed.patch
 	patches.suse/powerpc-rtas-Allow-ibm-platform-dump-RTAS-call-with-.patch
+	patches.suse/usbnet-fix-memory-allocation-in-helpers.patch
+	patches.suse/net-usb-ax88179_178a-Fix-packet-receiving.patch
+	patches.suse/net-rose-fix-UAF-bugs-caused-by-timer-handler.patch
+	patches.suse/xen-blkfront-fix-leaking-data-in-shared-pages.patch
+	patches.suse/xen-netfront-fix-leaking-data-in-shared-pages.patch
+	patches.suse/xen-netfront-force-data-bouncing-when-backend-is-unt.patch
+	patches.suse/xen-blkfront-force-data-bouncing-when-backend-is-unt.patch
+	patches.suse/ibmvnic-Properly-dispose-of-all-skbs-during-a-failov.patch
+	patches.suse/usbnet-fix-memory-leak-in-error-case.patch
+	patches.suse/xen-netback-avoid-entering-xenvif_rx_next_skb-with-a.patch

 	# dhowells/linux-fs keys-uefi
 	patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
@@ -61534,7 +61588,6 @@
 	patches.suse/x86-speculation-Add-basic-IBRS-support-infrastructur.patch
 	patches.suse/x86-speculation-Add-inlines-to-control-Indirect-Bran.patch
-	patches.suse/x86-idle-Control-Indirect-Branch-Speculation-in-idle.patch
 	patches.suse/x86-enter-Create-macros-to-restrict-unrestrict-Indir.patch
 	patches.suse/x86-enter-Use-IBRS-on-syscall-and-interrupts.patch
 	patches.suse/IBRS-forbid-shooting-in-foot.patch
@@ -61584,6 +61637,38 @@
 	patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch
 	patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch
+	# tip
+	patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch
+	patches.suse/x86-retpoline-Use-mfunction-return.patch
+	patches.suse/x86-Undo-return-thunk-damage.patch
+	patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch
+	patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch
+	patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch
+	patches.suse/x86-Use-return-thunk-in-asm-code.patch
+	patches.suse/x86-Add-magic-AMD-return-thunk.patch
+	patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch
+	patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch
+	patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch
+	patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch
+	patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch
+	patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch
+	patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch
+	patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch
+	patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch
+	patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch
+	patches.suse/x86-bugs-Add-retbleed-ibpb.patch
+	patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch
+	patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch
+	patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch
+	patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch
+	patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch
+	patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch
+	patches.suse/x86-common-Stamp-out-the-stepping-madness.patch
+	patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch
+	patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch
+	patches.suse/CVE-Mitigation-for-CVE-2022-29900-and-CVE-2022-29901.patch
+	patches.suse/x86-kexec-Disable-RET-on-kexec.patch
+
 	########################################################
 	# S/390
 	########################################################
@@ -61848,6 +61933,7 @@
 	########################################################
 	patches.suse/nfs-set-acl-perm.patch
 	patches.suse/0001-NFS-flush-out-dirty-data-on-file-fput.patch
+	patches.suse/NFS-flush-dirty-data-on-fput-fix.patch
 	patches.suse/mvfs-workaround.patch
 	patches.suse/0001-SUNRPC-Allow-creation-of-RPC-clients-with-multiple-c.patch
 	patches.suse/0002-NFS-Add-a-mount-option-to-specify-number-of-TCP-conn.patch