The rtime compressor assumes that at least two bytes are
compressed.
If we try to compress just one byte, the loop condition will
wrap around and an out-of-bounds write happens.
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Richard Weinberger <richard(a)nod.at>
---
fs/jffs2/compr_rtime.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/jffs2/compr_rtime.c b/fs/jffs2/compr_rtime.c
index 406d9cc84ba8..cbf700001fc9 100644
--- a/fs/jffs2/compr_rtime.c
+++ b/fs/jffs2/compr_rtime.c
@@ -39,6 +39,9 @@ static int jffs2_rtime_compress(unsigned char *data_in,
memset(positions,0,sizeof(positions));
+ if (*dstlen < 2)
+ return -1;
+
while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
int backpos, runlen=0;
unsigned char value;
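Review bot: The new guard at the top of this hunk tests *dstlen, while the changelog describes the failure as compressing a single byte, and nothing in the code ties the two together. A one-line comment above "if (*dstlen < 2)" should say that "(*dstlen)-2" in the loop condition below wraps around for a destination shorter than two bytes. The check could also move above the memset(positions, ...) line so the early return does no work, and the changelog should state that callers treat the -1 return as "could not compress".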
--
2.20.0
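The wrap-around described in the commit message above, as an added example that is not part of the original patch or of the kernel source. It is a simplified user-space model of the quoted loop bound, assuming *dstlen is a 32-bit unsigned value and that each iteration stores two output bytes; model_rtime() and its scratch buffer are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model (assumption, not fs/jffs2/compr_rtime.c): every loop
 * iteration stores a (value, runlen) pair, and runlen is always 0 here.
 * Stores go into a local scratch buffer so the demo itself stays in bounds;
 * the return value counts stores whose offset is >= dstlen, i.e. stores
 * that would land past the end of the caller's destination buffer.
 * Returns -1 when the guard from the patch rejects the request.
 */
static long model_rtime(const unsigned char *in, uint32_t sourcelen,
                        uint32_t dstlen, int guarded)
{
    unsigned char scratch[64];
    uint32_t pos = 0, outpos = 0;
    long oob = 0;

    if (guarded && dstlen < 2)      /* the check added by the patch */
        return -1;

    /* Same bound as the patch context: dstlen - 2 wraps for dstlen < 2. */
    while (pos < sourcelen && outpos <= dstlen - 2) {
        unsigned char pair[2] = { in[pos], 0 };

        for (int i = 0; i < 2; i++) {
            if (outpos >= dstlen)
                oob++;                      /* would be out of bounds */
            if (outpos < sizeof(scratch))
                scratch[outpos] = pair[i];  /* keep the demo itself safe */
            outpos++;
        }
        pos++;
    }
    (void)scratch;
    return oob;
}

int main(void)
{
    const unsigned char in[] = "ABCD";   /* constructed sample input */

    printf("bound for dstlen=1: %u\n", (unsigned)((uint32_t)1 - 2));
    printf("dstlen=8 unguarded: %ld\n", model_rtime(in, 4, 8, 0));
    printf("dstlen=1 unguarded: %ld\n", model_rtime(in, 4, 1, 0));
    printf("dstlen=1 guarded:   %ld\n", model_rtime(in, 4, 1, 1));
    return 0;
}
```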
Hello,
I'm requesting this commit to be back-ported to v4.14:
---
commit 5b18f1289808fee5d04a7e6ecf200189f41a4db6
Author: Stephen Suryaputra <ssuryaextr(a)gmail.com>
Date: Wed Jun 26 02:21:16 2019 -0400
ipv4: reset rt_iif for recirculated mcast/bcast out pkts
Multicast or broadcast egress packets have rt_iif set to the oif. These
packets might be recirculated back as input and lookup to the raw
sockets may fail because they are bound to the incoming interface
(skb_iif). If rt_iif is not zero, during the lookup, inet_iif() function
returns rt_iif instead of skb_iif. Hence, the lookup fails.
v2: Make it non vrf specific (David Ahern). Reword the changelog to
reflect it.
Signed-off-by: Stephen Suryaputra <ssuryaextr(a)gmail.com>
Reviewed-by: David Ahern <dsahern(a)gmail.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
---
We found the issue in that release and the above commit is on
linux-stable. On the discussion behind this commit, please see:
https://www.spinics.net/lists/netdev/msg581045.html
I think the following diff is needed on top of the above commit
for v4.14:
---
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 4d85a4fdfdb0..ad2718c1624e 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1623,11 +1623,8 @@ struct rtable *rt_dst_clone(struct net_device *dev, struct rtable *rt)
new_rt->rt_iif = rt->rt_iif;
new_rt->rt_pmtu = rt->rt_pmtu;
new_rt->rt_mtu_locked = rt->rt_mtu_locked;
- new_rt->rt_gw_family = rt->rt_gw_family;
- if (rt->rt_gw_family == AF_INET)
- new_rt->rt_gw4 = rt->rt_gw4;
- else if (rt->rt_gw_family == AF_INET6)
- new_rt->rt_gw6 = rt->rt_gw6;
+ new_rt->rt_gateway = rt->rt_gateway;
+ new_rt->rt_table_id = rt->rt_table_id;
INIT_LIST_HEAD(&new_rt->rt_uncached);
new_rt->dst.flags |= DST_HOST;
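Review bot: The added line "new_rt->rt_table_id = rt->rt_table_id;" has no counterpart among the removed lines, and the request does not say why it is needed. The other added line, "new_rt->rt_gateway = rt->rt_gateway;", visibly stands in for the removed rt_gw_family/rt_gw4/rt_gw6 block, so only the table id copy is unexplained. Please give the reason for v4.14, and send the diff as a proper patch with its own changelog and Signed-off-by so the deviation from commit 5b18f1289808 is recorded.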
---
Thank you,
Stephen.
This is the start of the stable review cycle for the 4.9.188 release.
There are 42 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed 07 Aug 2019 12:47:58 PM UTC.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.188-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.9.188-rc1
Vlastimil Babka <vbabka(a)suse.cz>
x86, mm, gup: prevent get_page() race with munmap in paravirt guest
Josh Poimboeuf <jpoimboe(a)redhat.com>
objtool: Support GCC 9 cold subfunction naming scheme
Miguel Ojeda <miguel.ojeda.sandonis(a)gmail.com>
include/linux/module.h: copy __init/__exit attrs to init/cleanup_module
Miguel Ojeda <miguel.ojeda.sandonis(a)gmail.com>
Backport minimal compiler_attributes.h to support GCC 9
Jean Delvare <jdelvare(a)suse.de>
eeprom: at24: make spd world-readable again
Andrea Arcangeli <aarcange(a)redhat.com>
coredump: fix race condition between collapse_huge_page() and core dumping
Ajay Kaher <akaher(a)vmware.com>
infiniband: fix race condition between infiniband mlx4, mlx5 driver and core dumping
Andrea Arcangeli <aarcange(a)redhat.com>
coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
Yishai Hadas <yishaih(a)mellanox.com>
IB/mlx5: Fix RSS Toeplitz setup to be aligned with the HW specification
Juergen Gross <jgross(a)suse.com>
xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
Will Deacon <will(a)kernel.org>
drivers/perf: arm_pmu: Fix failure path in PM notifier
Stefan Haberland <sth(a)linux.ibm.com>
s390/dasd: fix endless loop after read unit address configuration
Ondrej Mosnacek <omosnace(a)redhat.com>
selinux: fix memory leak in policydb_init()
Michael Wu <michael.wu(a)vatics.com>
gpiolib: fix incorrect IRQ requesting of an active-low lineevent
Douglas Anderson <dianders(a)chromium.org>
mmc: dw_mmc: Fix occasional hang after tuning on eMMC
Filipe Manana <fdmanana(a)suse.com>
Btrfs: fix incremental send failure after deduplication
Masahiro Yamada <yamada.masahiro(a)socionext.com>
kbuild: initialize CLANG_FLAGS correctly in the top Makefile
Zhenzhong Duan <zhenzhong.duan(a)oracle.com>
x86, boot: Remove multiple copy of static function sanitize_boot_params()
Josh Poimboeuf <jpoimboe(a)redhat.com>
x86/kvm: Don't call kvm_spurious_fault() from .fixup
Kees Cook <keescook(a)chromium.org>
ipc/mqueue.c: only perform resource calculation if user valid
Dan Carpenter <dan.carpenter(a)oracle.com>
drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings
Mikko Rapeli <mikko.rapeli(a)iki.fi>
uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side headers
Sam Protsenko <semen.protsenko(a)linaro.org>
coda: fix build using bare-metal toolchain
Zhouyang Jia <jiazhouyang09(a)gmail.com>
coda: add error handling for fget
Doug Berger <opendmb(a)gmail.com>
mm/cma.c: fail if fixed declaration can't be honored
Arnd Bergmann <arnd(a)arndb.de>
x86: math-emu: Hide clang warnings for 16-bit overflow
Qian Cai <cai(a)lca.pw>
x86/apic: Silence -Wtype-limits compiler warnings
Benjamin Poirier <bpoirier(a)suse.com>
be2net: Signal that the device cannot transmit during reconfiguration
Arnd Bergmann <arnd(a)arndb.de>
ACPI: fix false-positive -Wuninitialized warning
Benjamin Block <bblock(a)linux.ibm.com>
scsi: zfcp: fix GCC compiler warning emitted with -Wmaybe-uninitialized
Jeff Layton <jlayton(a)kernel.org>
ceph: return -ERANGE if virtual xattr value didn't fit in buffer
Andrea Parri <andrea.parri(a)amarulasolutions.com>
ceph: fix improper use of smp_mb__before_atomic()
David Sterba <dsterba(a)suse.com>
btrfs: fix minimum number of chunk errors for DUP
Russell King <rmk+kernel(a)armlinux.org.uk>
fs/adfs: super: fix use-after-free bug
Geert Uytterhoeven <geert+renesas(a)glider.be>
dmaengine: rcar-dmac: Reject zero-length slave DMA requests
Petr Cvek <petrcvekcz(a)gmail.com>
MIPS: lantiq: Fix bitfield masking
Prarit Bhargava <prarit(a)redhat.com>
kernel/module.c: Only return -EEXIST for modules that have finished loading
Cheng Jian <cj.chengjian(a)huawei.com>
ftrace: Enable trampoline when rec count returns back to one
Douglas Anderson <dianders(a)chromium.org>
ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend
Douglas Anderson <dianders(a)chromium.org>
ARM: dts: rockchip: Make rk3288-veyron-mickey's emmc work again
Douglas Anderson <dianders(a)chromium.org>
ARM: dts: rockchip: Make rk3288-veyron-minnie run at hs200
Russell King <rmk+kernel(a)armlinux.org.uk>
ARM: riscpc: fix DMA
-------------
Diffstat:
Makefile | 7 +--
arch/arm/boot/dts/rk3288-veyron-mickey.dts | 4 --
arch/arm/boot/dts/rk3288-veyron-minnie.dts | 4 --
arch/arm/boot/dts/rk3288.dtsi | 1 +
arch/arm/mach-rpc/dma.c | 5 +-
arch/mips/lantiq/irq.c | 5 +-
arch/x86/boot/compressed/misc.c | 1 +
arch/x86/boot/compressed/misc.h | 1 -
arch/x86/include/asm/apic.h | 2 +-
arch/x86/include/asm/kvm_host.h | 34 +++++++------
arch/x86/kernel/apic/apic.c | 2 +-
arch/x86/math-emu/fpu_emu.h | 2 +-
arch/x86/math-emu/reg_constant.c | 2 +-
arch/x86/mm/gup.c | 32 +++++++++++-
drivers/android/binder.c | 6 +++
drivers/dma/sh/rcar-dmac.c | 2 +-
drivers/gpio/gpiolib.c | 6 ++-
drivers/infiniband/hw/mlx4/main.c | 4 +-
drivers/infiniband/hw/mlx5/main.c | 3 ++
drivers/infiniband/hw/mlx5/qp.c | 1 -
drivers/misc/eeprom/at24.c | 2 +-
drivers/mmc/host/dw_mmc.c | 3 +-
drivers/net/ethernet/emulex/benet/be_main.c | 6 ++-
drivers/perf/arm_pmu.c | 2 +-
drivers/rapidio/devices/rio_mport_cdev.c | 2 +
drivers/s390/block/dasd_alias.c | 22 ++++++---
drivers/s390/scsi/zfcp_erp.c | 7 +++
drivers/xen/swiotlb-xen.c | 4 +-
fs/adfs/super.c | 5 +-
fs/btrfs/send.c | 77 ++++++-----------------------
fs/btrfs/volumes.c | 3 +-
fs/ceph/super.h | 7 ++-
fs/ceph/xattr.c | 14 +++---
fs/coda/psdev.c | 5 +-
fs/proc/task_mmu.c | 18 +++++++
fs/userfaultfd.c | 9 ++++
include/linux/acpi.h | 5 +-
include/linux/coda.h | 3 +-
include/linux/coda_psdev.h | 11 +++++
include/linux/compiler.h | 16 ++++++
include/linux/mm.h | 24 +++++++++
include/linux/module.h | 4 +-
include/uapi/linux/coda_psdev.h | 13 -----
ipc/mqueue.c | 19 +++----
kernel/module.c | 6 +--
kernel/trace/ftrace.c | 28 ++++++-----
mm/cma.c | 13 +++++
mm/khugepaged.c | 3 ++
mm/mmap.c | 6 ++-
security/selinux/ss/policydb.c | 6 ++-
tools/objtool/elf.c | 2 +-
51 files changed, 294 insertions(+), 175 deletions(-)
Hi,
As reported by Thorsten Knabe <linux(a)thorsten-knabe.de>.
commit 4f4fd7c5798b ("Don't jump to compute_result state from check_result state")
was back ported to v3.16+. However, this fix was wrong.
Please back port the following two commits to fix this issue.
commit a25d8c327bb4 ("Revert "Don't jump to compute_result state from check_result state"")
commit b2176a1dfb51 ("md/raid: raid5 preserve the writeback action after the parity check")
Thanks,
Song
Ensure that we flush any cache dirt out to main memory before the user
changes the cache-level as they may elect to bypass the cache (even after
declaring their access cache-coherent) via use of unprivileged MOCS.
Signed-off-by: Chris Wilson <chris(a)chris-wilson.co.uk>
Cc: Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com>
Cc: stable(a)vger.kernel.org
---
drivers/gpu/drm/i915/gem/i915_gem_domain.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_domain.c b/drivers/gpu/drm/i915/gem/i915_gem_domain.c
index 2e3ce2a69653..5d41e769a428 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_domain.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_domain.c
@@ -277,6 +277,11 @@ int i915_gem_object_set_cache_level(struct drm_i915_gem_object *obj,
list_for_each_entry(vma, &obj->vma.list, obj_link)
vma->node.color = cache_level;
+
+ /* Flush any previous cache dirt in case of cache bypass */
+ if (obj->cache_dirty & ~obj->cache_coherent)
+ i915_gem_clflush_object(obj, I915_CLFLUSH_SYNC);
+
i915_gem_object_set_cache_coherency(obj, cache_level);
obj->cache_dirty = true; /* Always invalidate stale cachelines */
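Review bot: The condition "obj->cache_dirty & ~obj->cache_coherent" applies bitwise operators to a field that is assigned true two lines further down, so it is not obvious which coherency bits are meant to suppress the flush. Spell the test out, or extend the comment to name the case in which a dirty object is skipped. The comment should also mention the unprivileged MOCS bypass from the changelog, since "cache bypass" alone does not tell a reader where the bypass comes from.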
--
2.22.0
The x86 version of get_user_pages_fast() relies on disabled interrupts to
synchronize gup_pte_range() between gup_get_pte(ptep); and get_page() against
a parallel munmap. The munmap side nulls the pte, then flushes TLBs, then
releases the page. As TLB flush is done synchronously via IPI, disabling
interrupts blocks the page release, and get_page(), which assumes existing
reference on page, is thus safe.
However when TLB flush is done by a hypercall, e.g. in a Xen PV guest, there is
no blocking thanks to disabled interrupts, and get_page() can succeed on a page
that was already freed or even reused.
We have recently seen this happen with our 4.4 and 4.12 based kernels, with
userspace (java) that exits a thread, where mm_release() performs a futex_wake()
on tsk->clear_child_tid, and another thread in parallel unmaps the page where
tsk->clear_child_tid points to. The spurious get_page() succeeds, but futex code
immediately releases the page again, while it's already on a freelist. Symptoms
include a bad page state warning, general protection faults accessing a poisoned
list prev/next pointer in the freelist, or free page pcplists of two cpus joined
together in a single list. Oscar has also reproduced this scenario, with a
patch inserting delays before the get_page() to make the race window larger.
Fix this by removing the dependency on TLB flush interrupts the same way as the
generic get_user_pages_fast() code by using page_cache_add_speculative() and
revalidating the PTE contents after pinning the page. Mainline is safe since
4.13 where the x86 gup code was removed in favor of the common code. Accessing
the page table itself safely also relies on disabled interrupts and TLB flush
IPIs that don't happen with hypercalls, which was acknowledged in commit
9e52fc2b50de ("x86/mm: Enable RCU based page table freeing
(CONFIG_HAVE_RCU_TABLE_FREE=y)"). That commit with followups should also be
backported for full safety, although our reproducer didn't hit a problem
without that backport.
Reproduced-by: Oscar Salvador <osalvador(a)suse.de>
Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz>
Cc: Thomas Gleixner <tglx(a)linutronix.de>
Cc: Ingo Molnar <mingo(a)redhat.com>
Cc: Peter Zijlstra <peterz(a)infradead.org>
Cc: Juergen Gross <jgross(a)suse.com>
Cc: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com>
Cc: Vitaly Kuznetsov <vkuznets(a)redhat.com>
Cc: Linus Torvalds <torvalds(a)linux-foundation.org>
Cc: Borislav Petkov <bp(a)alien8.de>
Cc: Dave Hansen <dave.hansen(a)linux.intel.com>
Cc: Andy Lutomirski <luto(a)kernel.org>
---
Hi, I'm sending this stable-only patch for consideration because it's probably
unrealistic to backport the 4.13 switch to generic GUP. I can look at 4.4 and
3.16 if accepted. The RCU page table freeing could be also considered.
Note the patch also includes page refcount protection. I found out that
8fde12ca79af ("mm: prevent get_user_pages() from overflowing page refcount")
backport to 4.9 missed the arch-specific gup implementations:
https://lore.kernel.org/lkml/6650323f-dbc9-f069-000b-f6b0f941a065@suse.cz/
arch/x86/mm/gup.c | 32 ++++++++++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c
index 1680768d392c..d7db45bdfb3b 100644
--- a/arch/x86/mm/gup.c
+++ b/arch/x86/mm/gup.c
@@ -97,6 +97,20 @@ static inline int pte_allows_gup(unsigned long pteval, int write)
return 1;
}
+/*
+ * Return the compund head page with ref appropriately incremented,
+ * or NULL if that failed.
+ */
+static inline struct page *try_get_compound_head(struct page *page, int refs)
+{
+ struct page *head = compound_head(page);
+ if (WARN_ON_ONCE(page_ref_count(head) < 0))
+ return NULL;
+ if (unlikely(!page_cache_add_speculative(head, refs)))
+ return NULL;
+ return head;
+}
+
/*
* The performance critical leaf functions are made noinline otherwise gcc
* inlines everything into a single function which results in too much
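Review bot: The comment above try_get_compound_head() does not say what the "WARN_ON_ONCE(page_ref_count(head) < 0)" check is for. The note under the changelog says the patch also carries the page refcount protection missed by the 4.9 backport of 8fde12ca79af; if this check is that protection, the comment should say so, since the changelog body only covers the munmap race. While there, fix "compund" in the comment and add a blank line after the "struct page *head" declaration.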
@@ -112,7 +126,7 @@ static noinline int gup_pte_range(pmd_t pmd, unsigned long addr,
ptep = pte_offset_map(&pmd, addr);
do {
pte_t pte = gup_get_pte(ptep);
- struct page *page;
+ struct page *head, *page;
/* Similar to the PMD case, NUMA hinting must take slow path */
if (pte_protnone(pte)) {
@@ -138,7 +152,21 @@ static noinline int gup_pte_range(pmd_t pmd, unsigned long addr,
}
VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
page = pte_page(pte);
- get_page(page);
+
+ head = try_get_compound_head(page, 1);
+ if (!head) {
+ put_dev_pagemap(pgmap);
+ pte_unmap(ptep);
+ return 0;
+ }
+
+ if (unlikely(pte_val(pte) != pte_val(*ptep))) {
+ put_page(head);
+ put_dev_pagemap(pgmap);
+ pte_unmap(ptep);
+ return 0;
+ }
+
put_dev_pagemap(pgmap);
SetPageReferenced(page);
pages[*nr] = page;
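Review bot: The revalidation reads the entry as "pte_val(*ptep)", but the value it is compared against was read with gup_get_pte(ptep) at the top of the loop. If that helper exists to obtain a consistent read of the entry, the recheck should use it too, or a comment should say why a plain dereference is enough here. The two failure branches also repeat put_dev_pagemap(pgmap); pte_unmap(ptep); return 0; and could share one exit path. A one-line comment before the comparison, saying that it catches a PTE changed by a parallel munmap, would help.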
--
2.22.0
Following a try_to_unmap() we may want to remove the userptr and so call
put_pages(). However, try_to_unmap() acquires the page lock and so we
must avoid recursively locking the pages ourselves -- which means that
we cannot safely acquire the lock around set_page_dirty(). Since we
can't be sure of the lock, we have to risk skipping dirtying the page, or
else risk calling set_page_dirty() without a lock and so risk fs
corruption.
Reported-by: Lionel Landwerlin <lionel.g.landwerlin(a)intel.com>
Fixes: cb6d7c7dc7ff ("drm/i915/userptr: Acquire the page lock around set_page_dirty()")
Signed-off-by: Chris Wilson <chris(a)chris-wilson.co.uk>
Cc: Lionel Landwerlin <lionel.g.landwerlin(a)intel.com>
Cc: Tvrtko Ursulin <tvrtko.ursulin(a)intel.com>
Cc: stable(a)vger.kernel.org
---
drivers/gpu/drm/i915/gem/i915_gem_userptr.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_userptr.c b/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
index b9d2bb15e4a6..1ad2047a6dbd 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
@@ -672,7 +672,7 @@ i915_gem_userptr_put_pages(struct drm_i915_gem_object *obj,
obj->mm.dirty = false;
for_each_sgt_page(page, sgt_iter, pages) {
- if (obj->mm.dirty)
+ if (obj->mm.dirty && trylock_page(page)) {
/*
* As this may not be anonymous memory (e.g. shmem)
* but exist on a real mapping, we have to lock
@@ -680,8 +680,20 @@ i915_gem_userptr_put_pages(struct drm_i915_gem_object *obj,
* the page reference is not sufficient to
* prevent the inode from being truncated.
* Play safe and take the lock.
+ *
+ * However...!
+ *
+ * The mmu-notifier can be invalidated for a
+ * migrate_page, that is alreadying holding the lock
+ * on the page. Such a try_to_unmap() will result
+ * in us calling put_pages() and so recursively try
+ * to lock the page. We avoid that deadlock with
+ * a trylock_page() and in exchange we risk missing
+ * some page dirtying.
*/
- set_page_dirty_lock(page);
+ set_page_dirty(page);
+ unlock_page(page);
+ }
mark_page_accessed(page);
put_page(page);
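Review bot: The trylock_page(page) introduced in the condition of the previous hunk fails whenever anyone holds the page lock, not only in the recursive migrate_page case that the comment added here describes. A page that is merely contended is therefore also left clean, with no trace that the dirtying was skipped. The comment should say that, and it would be worth counting or otherwise flagging the skipped pages so the "risk missing some page dirtying" case is observable. Also, "alreadying" in the new comment should read "already".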
--
2.22.0
Hello,
This series backports arm64 spectre patches to v4.4 stable kernel. I
have started this backport with Mark Rutland's backport of Spectre to
4.9 [1] and tried applying the upstream version of them over 4.4 and
resolved conflicts by checking how they have been resolved in 4.9.
The KVM changes are mostly dropped as the KVM code in v4.4 is quite
different and it makes backport more complex. This was suggested by the
ARM team.
I had to pick few extra upstream patches to avoid conflicts and to make
things work:
mm/kasan: add API to check memory regions
arm64: kasan: instrument user memory access API
arm64: cpufeature: Add scope for capability check
arm64: cputype info for Broadcom Vulcan
arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs
ARM: 8478/2: arm/arm64: add arm-smccc
arm64: cpufeature: Test 'matches' pointer to find the end of the list
arm64: Introduce cpu_die_early
arm64: Move cpu_die_early to smp.c
arm64: Verify CPU errata work arounds on hotplugged CPU
arm64: errata: Calling enable functions for CPU errata too
arm64: Rearrange CPU errata workaround checks
arm64: Add a helper for parking CPUs in a loop
I also had to drop few patches as they weren't getting applied properly
due to missing files/features or they were KVM related:
arm64: cpufeature: __this_cpu_has_cap() shouldn't stop early
arm64: KVM: Use per-CPU vector when BP hardening is enabled
arm64: KVM: Make PSCI_VERSION a fast path
mm: Introduce lm_alias
arm64: KVM: Increment PC after handling an SMC trap
arm/arm64: KVM: Consolidate the PSCI include files
arm/arm64: KVM: Add PSCI_VERSION helper
arm/arm64: KVM: Add smccc accessors to PSCI code
arm/arm64: KVM: Implement PSCI 1.0 support
arm/arm64: KVM: Turn kvm_psci_version into a static inline
arm64: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling
The patches in this series are pushed here [2].
This is tested on Hikey board (octa A53) and I verified that BP
hardening code is getting hit for CPUs (had to hack a bit and enable
BP hardening support for A53 for this).
V2->V3:
- Included an extra patch and used the helper introduced by it:
arm64: Add a helper for parking CPUs in a loop
- Dropped few extra blank lines added by mistake
- Avoid overlapping with SVE2 bits
V1->V2:
- Rebased over 4.4.184 (was 4.4.180 earlier).
- Fixed a build issue with CONFIG_KASAN (Julien).
- Dropped few patches, mostly KVM stuff (Julien):
arm64: remove duplicate macro __KERNEL__ check
mm: Introduce lm_alias
arm64: KVM: Increment PC after handling an SMC trap
arm/arm64: KVM: Consolidate the PSCI include files
arm/arm64: KVM: Add PSCI_VERSION helper
arm/arm64: KVM: Add smccc accessors to PSCI code
arm/arm64: KVM: Implement PSCI 1.0 support
arm/arm64: KVM: Turn kvm_psci_version into a static inline
arm64: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling
- Added few patches to fix issues reported by Julien:
arm64: cpufeature: Test 'matches' pointer to find the end of the list
arm64: Introduce cpu_die_early
arm64: Move cpu_die_early to smp.c
arm64: Verify CPU errata work arounds on hotplugged CPU
arm64: errata: Calling enable functions for CPU errata too
arm64: Rearrange CPU errata workaround checks
--
viresh
[1] https://patches.linaro.org/cover/133195/ with top commit in 4.9 stable tree:
a3b292fe0560 arm64: futex: Mask __user pointers prior to dereference
[2] https://git.kernel.org/pub/scm/linux/kernel/git/vireshk/linux.git stable/arm64/v4.4.y/spectre
-------------------------8<-------------------------
Andre Przywara (1):
arm64: errata: Calling enable functions for CPU errata too
Andrey Ryabinin (1):
mm/kasan: add API to check memory regions
Catalin Marinas (1):
arm64: Factor out TTBR0_EL1 post-update workaround into a specific asm
macro
James Morse (1):
arm64: cpufeature: Test 'matches' pointer to find the end of the list
Jayachandran C (3):
arm64: cputype info for Broadcom Vulcan
arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs
arm64: Branch predictor hardening for Cavium ThunderX2
Jens Wiklander (1):
ARM: 8478/2: arm/arm64: add arm-smccc
Marc Zyngier (11):
arm64: Move post_ttbr_update_workaround to C code
arm64: Move BP hardening to check_and_switch_context
arm64: cpu_errata: Allow an erratum to be match for all revisions of a
core
arm/arm64: KVM: Advertise SMCCC v1.1
arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support
firmware/psci: Expose PSCI conduit
firmware/psci: Expose SMCCC version through psci_ops
arm/arm64: smccc: Make function identifiers an unsigned quantity
arm/arm64: smccc: Implement SMCCC v1.1 inline primitive
arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support
arm64: Kill PSCI_GET_VERSION as a variant-2 workaround
Robin Murphy (3):
arm64: Implement array_index_mask_nospec()
arm64: Make USER_DS an inclusive limit
arm64: Use pointer masking to limit uaccess speculation
Suzuki K Poulose (7):
arm64: cpufeature: Add scope for capability check
arm64: Introduce cpu_die_early
arm64: Add a helper for parking CPUs in a loop
arm64: Move cpu_die_early to smp.c
arm64: Verify CPU errata work arounds on hotplugged CPU
arm64: Rearrange CPU errata workaround checks
arm64: Run enable method for errata work arounds on late CPUs
Will Deacon (13):
arm64: barrier: Add CSDB macros to control data-value prediction
arm64: entry: Ensure branch through syscall table is bounded under
speculation
arm64: uaccess: Prevent speculative use of the current addr_limit
arm64: uaccess: Don't bother eliding access_ok checks in __{get,
put}_user
arm64: uaccess: Mask __user pointers for __arch_{clear, copy_*}_user
arm64: cpufeature: Pass capability structure to ->enable callback
drivers/firmware: Expose psci_get_version through psci_ops structure
arm64: Add skeleton to harden the branch predictor against aliasing
attacks
arm64: entry: Apply BP hardening for high-priority synchronous
exceptions
arm64: entry: Apply BP hardening for suspicious interrupts from EL0
arm64: cputype: Add missing MIDR values for Cortex-A72 and Cortex-A75
arm64: Implement branch predictor hardening for affected Cortex-A CPUs
arm64: futex: Mask __user pointers prior to dereference
Yang Shi (1):
arm64: kasan: instrument user memory access API
Yury Norov (1):
arm64: move TASK_* definitions to <asm/processor.h>
MAINTAINERS | 14 ++
arch/arm64/Kconfig | 17 ++
arch/arm64/include/asm/assembler.h | 18 ++
arch/arm64/include/asm/barrier.h | 23 +++
arch/arm64/include/asm/cpufeature.h | 24 ++-
arch/arm64/include/asm/cputype.h | 12 ++
arch/arm64/include/asm/futex.h | 9 +-
arch/arm64/include/asm/memory.h | 15 --
arch/arm64/include/asm/mmu.h | 39 ++++
arch/arm64/include/asm/processor.h | 24 +++
arch/arm64/include/asm/smp.h | 9 +
arch/arm64/include/asm/sysreg.h | 2 +
arch/arm64/include/asm/uaccess.h | 173 ++++++++++++------
arch/arm64/kernel/Makefile | 5 +
arch/arm64/kernel/arm64ksyms.c | 8 +-
arch/arm64/kernel/bpi.S | 75 ++++++++
arch/arm64/kernel/cpu_errata.c | 213 +++++++++++++++++++++-
arch/arm64/kernel/cpufeature.c | 186 +++++++++----------
arch/arm64/kernel/cpuinfo.c | 2 -
arch/arm64/kernel/entry.S | 26 ++-
arch/arm64/kernel/smp.c | 30 +++-
arch/arm64/lib/clear_user.S | 6 +-
arch/arm64/lib/copy_from_user.S | 4 +-
arch/arm64/lib/copy_in_user.S | 4 +-
arch/arm64/lib/copy_to_user.S | 4 +-
arch/arm64/mm/context.c | 12 ++
arch/arm64/mm/fault.c | 31 ++++
arch/arm64/mm/proc.S | 12 +-
drivers/firmware/Kconfig | 3 +
drivers/firmware/psci.c | 58 +++++-
include/linux/arm-smccc.h | 267 ++++++++++++++++++++++++++++
include/linux/kasan-checks.h | 12 ++
include/linux/psci.h | 14 ++
mm/kasan/kasan.c | 12 ++
34 files changed, 1150 insertions(+), 213 deletions(-)
create mode 100644 arch/arm64/kernel/bpi.S
create mode 100644 include/linux/arm-smccc.h
create mode 100644 include/linux/kasan-checks.h
--
2.21.0.rc0.269.g1a574e7a288b