Hello,
This series backports arm64 spectre patches to v4.4 stable kernel. I
have started this backport with Mark Rutland's backport of Spectre to
4.9 [1] and tried applying the upstream version of them over 4.4 and
resolved conflicts by checking how they have been resolved in 4.9.
The KVM changes are mostly dropped as the KVM code in v4.4 is quite
different and it makes backport more complex. This was suggested by the
ARM team.
I had to pick a few extra upstream patches to avoid conflicts and to make
things work:
  mm/kasan: add API to check memory regions
  arm64: kasan: instrument user memory access API
  arm64: cpufeature: Add scope for capability check
  arm64: cputype info for Broadcom Vulcan
  arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs
  ARM: 8478/2: arm/arm64: add arm-smccc
  arm64: cpufeature: Test 'matches' pointer to find the end of the list
  arm64: Introduce cpu_die_early
  arm64: Move cpu_die_early to smp.c
  arm64: Verify CPU errata work arounds on hotplugged CPU
  arm64: errata: Calling enable functions for CPU errata too
  arm64: Rearrange CPU errata workaround checks
  arm64: Add a helper for parking CPUs in a loop
I also had to drop a few patches as they weren't getting applied properly
due to missing files/features or they were KVM related:
  arm64: cpufeature: __this_cpu_has_cap() shouldn't stop early
  arm64: KVM: Use per-CPU vector when BP hardening is enabled
  arm64: KVM: Make PSCI_VERSION a fast path
  mm: Introduce lm_alias
  arm64: KVM: Increment PC after handling an SMC trap
  arm/arm64: KVM: Consolidate the PSCI include files
  arm/arm64: KVM: Add PSCI_VERSION helper
  arm/arm64: KVM: Add smccc accessors to PSCI code
  arm/arm64: KVM: Implement PSCI 1.0 support
  arm/arm64: KVM: Turn kvm_psci_version into a static inline
  arm64: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling
The patches in this series are pushed here [2].
This is tested on Hikey board (octa A53) and I verified that BP
hardening code is getting hit for CPUs (had to hack a bit and enable
BP hardening support for A53 for this).
V2->V3:
- Included an extra patch and used the helper introduced by it:
    arm64: Add a helper for parking CPUs in a loop
- Dropped a few extra blank lines added by mistake
- Avoid overlapping with SVE2 bits
V1->V2:
- Rebased over 4.4.184 (was 4.4.180 earlier).
- Fixed a build issue with CONFIG_KASAN (Julien).
- Dropped a few patches, mostly KVM stuff (Julien):
    arm64: remove duplicate macro __KERNEL__ check
    mm: Introduce lm_alias
    arm64: KVM: Increment PC after handling an SMC trap
    arm/arm64: KVM: Consolidate the PSCI include files
    arm/arm64: KVM: Add PSCI_VERSION helper
    arm/arm64: KVM: Add smccc accessors to PSCI code
    arm/arm64: KVM: Implement PSCI 1.0 support
    arm/arm64: KVM: Turn kvm_psci_version into a static inline
    arm64: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling
- Added a few patches to fix issues reported by Julien:
    arm64: cpufeature: Test 'matches' pointer to find the end of the list
    arm64: Introduce cpu_die_early
    arm64: Move cpu_die_early to smp.c
    arm64: Verify CPU errata work arounds on hotplugged CPU
    arm64: errata: Calling enable functions for CPU errata too
    arm64: Rearrange CPU errata workaround checks
--
viresh
[1] https://patches.linaro.org/cover/133195/ with top commit in 4.9 stable tree:
a3b292fe0560 arm64: futex: Mask __user pointers prior to dereference
[2] https://git.kernel.org/pub/scm/linux/kernel/git/vireshk/linux.git stable/arm64/v4.4.y/spectre
-------------------------8<-------------------------
Andre Przywara (1):
arm64: errata: Calling enable functions for CPU errata too
Andrey Ryabinin (1):
mm/kasan: add API to check memory regions
Catalin Marinas (1):
arm64: Factor out TTBR0_EL1 post-update workaround into a specific asm
macro
James Morse (1):
arm64: cpufeature: Test 'matches' pointer to find the end of the list
Jayachandran C (3):
arm64: cputype info for Broadcom Vulcan
arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs
arm64: Branch predictor hardening for Cavium ThunderX2
Jens Wiklander (1):
ARM: 8478/2: arm/arm64: add arm-smccc
Marc Zyngier (11):
arm64: Move post_ttbr_update_workaround to C code
arm64: Move BP hardening to check_and_switch_context
arm64: cpu_errata: Allow an erratum to be match for all revisions of a
core
arm/arm64: KVM: Advertise SMCCC v1.1
arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support
firmware/psci: Expose PSCI conduit
firmware/psci: Expose SMCCC version through psci_ops
arm/arm64: smccc: Make function identifiers an unsigned quantity
arm/arm64: smccc: Implement SMCCC v1.1 inline primitive
arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support
arm64: Kill PSCI_GET_VERSION as a variant-2 workaround
Robin Murphy (3):
arm64: Implement array_index_mask_nospec()
arm64: Make USER_DS an inclusive limit
arm64: Use pointer masking to limit uaccess speculation
Suzuki K Poulose (7):
arm64: cpufeature: Add scope for capability check
arm64: Introduce cpu_die_early
arm64: Add a helper for parking CPUs in a loop
arm64: Move cpu_die_early to smp.c
arm64: Verify CPU errata work arounds on hotplugged CPU
arm64: Rearrange CPU errata workaround checks
arm64: Run enable method for errata work arounds on late CPUs
Will Deacon (13):
arm64: barrier: Add CSDB macros to control data-value prediction
arm64: entry: Ensure branch through syscall table is bounded under
speculation
arm64: uaccess: Prevent speculative use of the current addr_limit
arm64: uaccess: Don't bother eliding access_ok checks in __{get,
put}_user
arm64: uaccess: Mask __user pointers for __arch_{clear, copy_*}_user
arm64: cpufeature: Pass capability structure to ->enable callback
drivers/firmware: Expose psci_get_version through psci_ops structure
arm64: Add skeleton to harden the branch predictor against aliasing
attacks
arm64: entry: Apply BP hardening for high-priority synchronous
exceptions
arm64: entry: Apply BP hardening for suspicious interrupts from EL0
arm64: cputype: Add missing MIDR values for Cortex-A72 and Cortex-A75
arm64: Implement branch predictor hardening for affected Cortex-A CPUs
arm64: futex: Mask __user pointers prior to dereference
Yang Shi (1):
arm64: kasan: instrument user memory access API
Yury Norov (1):
arm64: move TASK_* definitions to <asm/processor.h>
MAINTAINERS | 14 ++
arch/arm64/Kconfig | 17 ++
arch/arm64/include/asm/assembler.h | 18 ++
arch/arm64/include/asm/barrier.h | 23 +++
arch/arm64/include/asm/cpufeature.h | 24 ++-
arch/arm64/include/asm/cputype.h | 12 ++
arch/arm64/include/asm/futex.h | 9 +-
arch/arm64/include/asm/memory.h | 15 --
arch/arm64/include/asm/mmu.h | 39 ++++
arch/arm64/include/asm/processor.h | 24 +++
arch/arm64/include/asm/smp.h | 9 +
arch/arm64/include/asm/sysreg.h | 2 +
arch/arm64/include/asm/uaccess.h | 173 ++++++++++++------
arch/arm64/kernel/Makefile | 5 +
arch/arm64/kernel/arm64ksyms.c | 8 +-
arch/arm64/kernel/bpi.S | 75 ++++++++
arch/arm64/kernel/cpu_errata.c | 213 +++++++++++++++++++++-
arch/arm64/kernel/cpufeature.c | 186 +++++++++----------
arch/arm64/kernel/cpuinfo.c | 2 -
arch/arm64/kernel/entry.S | 26 ++-
arch/arm64/kernel/smp.c | 30 +++-
arch/arm64/lib/clear_user.S | 6 +-
arch/arm64/lib/copy_from_user.S | 4 +-
arch/arm64/lib/copy_in_user.S | 4 +-
arch/arm64/lib/copy_to_user.S | 4 +-
arch/arm64/mm/context.c | 12 ++
arch/arm64/mm/fault.c | 31 ++++
arch/arm64/mm/proc.S | 12 +-
drivers/firmware/Kconfig | 3 +
drivers/firmware/psci.c | 58 +++++-
include/linux/arm-smccc.h | 267 ++++++++++++++++++++++++++++
include/linux/kasan-checks.h | 12 ++
include/linux/psci.h | 14 ++
mm/kasan/kasan.c | 12 ++
34 files changed, 1150 insertions(+), 213 deletions(-)
create mode 100644 arch/arm64/kernel/bpi.S
create mode 100644 include/linux/arm-smccc.h
create mode 100644 include/linux/kasan-checks.h
--
2.21.0.rc0.269.g1a574e7a288b
Hello,
Here is an attempt to backport arm32 spectre patches to v4.4 stable
tree. This was last tried around a year back by David Long [1]. He was
backporting only a subset (18) of patches and this series includes a lot
of other patches present in Russell's spectre branch.
Just like arm64 backport [2], KVM patches are dropped and they can be
backported separately if required.
Dropped patches (compared to Russell's spectre branch):
KVM related:
  3f7e8e2e1ebd ARM: KVM: invalidate BTB on guest exit for Cortex-A12/A17
  0c47ac8cd157 ARM: KVM: invalidate icache on guest exit for Cortex-A15
  3c908e16396d ARM: spectre-v2: KVM: invalidate icache on guest exit for Brahma B15
  b800acfc70d9 ARM: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling
  add5609877c6 ARM: KVM: report support for SMCCC_ARCH_WORKAROUND_1
Dropped in 4.9 backport as well:
  73839798af7e ARM: 8790/1: signal: always use __copy_to_user to save iwmmxt context
Additional patches picked to avoid rebase conflicts and build issues:
  9f73bd8bb445 ARM: uaccess: remove put_user() code duplication
  122e022eebb3 arch: Introduce post-init read-only memory
  7b90ba3eb4af ARM: 8595/2: apply more __ro_after_init
SMCCC related patches are part of arm64 backport [2] as well and all
KVM related changes are dropped from them:
  56b35dfda10c ARM: 8478/2: arm/arm64: add arm-smccc
  e6e9cc47cea9 arm/arm64: KVM: Advertise SMCCC v1.1
  91958fe7a4eb arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support
  1b232ad7ca05 drivers/firmware: Expose psci_get_version through psci_ops structure
  df2030616c6f firmware/psci: Expose PSCI conduit
  30f8c32765fd firmware/psci: Expose SMCCC version through psci_ops
  17f6f98d5069 arm/arm64: smccc: Make function identifiers an unsigned quantity
  e6d9b2fef81e arm/arm64: smccc: Implement SMCCC v1.1 inline primitive
All the patches are pushed here [3].
This is tested in Linaro Lava on Qemu_arm and X15 platforms and the
results are here [4]. Lava also checks for some Spectre tests and one of
the tests fails on x15 with this message:
  CVE-2018-3640: VULN (an up-to-date CPU microcode is needed to mitigate
  this vulnerability).
Perhaps this is an issue with x15 setup and not the patches themselves?
I have also pushed this to be tested by kernel-ci, looks like my branch
isn't getting tested there currently. I am co-ordinating with them to
get it tested soon, we can start the review process until that time
though.
--
Viresh
[1] https://lore.kernel.org/stable/20181031140436.2964-1-dave.long@linaro.org/
[2] https://lore.kernel.org/stable/cover.1562908074.git.viresh.kumar@linaro.org/
[3] https://git.kernel.org/pub/scm/linux/kernel/git/vireshk/linux.git stable/arm32/v4.4.y/spectre
[4] https://staging-qa-reports.linaro.org/lkft/vishal.bhoj-stable-arm32-v4.4.y-…
Ard Biesheuvel (1):
ARM: 8809/1: proc-v7: fix Thumb annotation of cpu_v7_hvc_switch_mm
Jens Wiklander (1):
ARM: 8478/2: arm/arm64: add arm-smccc
Julien Thierry (9):
ARM: 8789/1: signal: copy registers using __copy_to_user()
ARM: 8791/1: vfp: use __copy_to_user() when saving VFP state
ARM: 8792/1: oabi-compat: copy oabi events using __copy_to_user()
ARM: 8793/1: signal: replace __put_user_error with __put_user
ARM: 8794/1: uaccess: Prevent speculative use of the current
addr_limit
ARM: 8795/1: spectre-v1.1: use put_user() for __put_user()
ARM: 8796/1: spectre-v1,v1.1: provide helpers for address sanitization
ARM: 8797/1: spectre-v1.1: harden __copy_to_user
ARM: 8810/1: vfp: Fix wrong assignement to ufp_exc
Kees Cook (2):
arch: Introduce post-init read-only memory
ARM: 8595/2: apply more __ro_after_init
Marc Zyngier (6):
arm/arm64: KVM: Advertise SMCCC v1.1
arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support
firmware/psci: Expose PSCI conduit
firmware/psci: Expose SMCCC version through psci_ops
arm/arm64: smccc: Make function identifiers an unsigned quantity
arm/arm64: smccc: Implement SMCCC v1.1 inline primitive
Russell King (27):
ARM: add more CPU part numbers for Cortex and Brahma B15 CPUs
ARM: bugs: prepare processor bug infrastructure
ARM: bugs: hook processor bug checking into SMP and suspend paths
ARM: bugs: add support for per-processor bug checking
ARM: spectre: add Kconfig symbol for CPUs vulnerable to Spectre
ARM: spectre-v2: harden branch predictor on context switches
ARM: spectre-v2: add Cortex A8 and A15 validation of the IBE bit
ARM: spectre-v2: harden user aborts in kernel space
ARM: spectre-v2: add firmware based hardening
ARM: spectre-v2: warn about incorrect context switching functions
ARM: spectre-v1: add speculation barrier (csdb) macros
ARM: spectre-v1: add array_index_mask_nospec() implementation
ARM: spectre-v1: fix syscall entry
ARM: signal: copy registers using __copy_from_user()
ARM: vfp: use __copy_from_user() when restoring VFP state
ARM: oabi-compat: copy semops using __copy_from_user()
ARM: use __inttype() in get_user()
ARM: spectre-v1: use get_user() for __get_user()
ARM: spectre-v1: mitigate user accesses
ARM: uaccess: remove put_user() code duplication
ARM: make lookup_processor_type() non-__init
ARM: split out processor lookup
ARM: clean up per-processor check_bugs method call
ARM: add PROC_VTABLE and PROC_TABLE macros
ARM: spectre-v2: per-CPU vtables to work around big.Little systems
ARM: ensure that processor vtables is not lost after boot
ARM: fix the cockup in the previous patch
Will Deacon (1):
drivers/firmware: Expose psci_get_version through psci_ops structure
arch/arm/include/asm/assembler.h | 23 +++
arch/arm/include/asm/barrier.h | 32 ++++
arch/arm/include/asm/bugs.h | 6 +-
arch/arm/include/asm/cp15.h | 18 ++
arch/arm/include/asm/cputype.h | 9 +
arch/arm/include/asm/proc-fns.h | 65 +++++--
arch/arm/include/asm/system_misc.h | 15 ++
arch/arm/include/asm/thread_info.h | 8 +-
arch/arm/include/asm/uaccess.h | 176 +++++++++++--------
arch/arm/kernel/Makefile | 1 +
arch/arm/kernel/bugs.c | 18 ++
arch/arm/kernel/cpuidle.c | 2 +-
arch/arm/kernel/entry-common.S | 18 +-
arch/arm/kernel/entry-header.S | 25 +++
arch/arm/kernel/head-common.S | 6 +-
arch/arm/kernel/setup.c | 50 +++---
arch/arm/kernel/signal.c | 126 +++++++-------
arch/arm/kernel/smp.c | 38 +++-
arch/arm/kernel/suspend.c | 2 +
arch/arm/kernel/sys_oabi-compat.c | 16 +-
arch/arm/lib/copy_from_user.S | 5 +
arch/arm/lib/copy_to_user.S | 6 +-
arch/arm/lib/delay.c | 2 +-
arch/arm/lib/uaccess_with_memcpy.c | 3 +-
arch/arm/mm/Kconfig | 23 +++
arch/arm/mm/Makefile | 2 +-
arch/arm/mm/fault.c | 3 +
arch/arm/mm/mmu.c | 2 +-
arch/arm/mm/proc-macros.S | 13 +-
arch/arm/mm/proc-v7-2level.S | 6 -
arch/arm/mm/proc-v7-bugs.c | 161 +++++++++++++++++
arch/arm/mm/proc-v7.S | 154 +++++++++++++----
arch/arm/vfp/vfpmodule.c | 37 ++--
arch/parisc/include/asm/cache.h | 3 +
drivers/firmware/Kconfig | 3 +
drivers/firmware/psci.c | 58 ++++++-
include/asm-generic/vmlinux.lds.h | 1 +
include/linux/arm-smccc.h | 267 +++++++++++++++++++++++++++++
include/linux/cache.h | 14 ++
include/linux/psci.h | 14 ++
40 files changed, 1174 insertions(+), 257 deletions(-)
create mode 100644 arch/arm/kernel/bugs.c
create mode 100644 arch/arm/mm/proc-v7-bugs.c
create mode 100644 include/linux/arm-smccc.h
--
2.21.0.rc0.269.g1a574e7a288b
We got a null pointer dereference BUG_ON in blk_mq_rq_timed_out()
as follows:
[ 108.825472] BUG: kernel NULL pointer dereference, address: 0000000000000040
[ 108.827059] PGD 0 P4D 0
[ 108.827313] Oops: 0000 [#1] SMP PTI
[ 108.827657] CPU: 6 PID: 198 Comm: kworker/6:1H Not tainted 5.3.0-rc8+ #431
[ 108.829503] Workqueue: kblockd blk_mq_timeout_work
[ 108.829913] RIP: 0010:blk_mq_check_expired+0x258/0x330
[ 108.838191] Call Trace:
[ 108.838406] bt_iter+0x74/0x80
[ 108.838665] blk_mq_queue_tag_busy_iter+0x204/0x450
[ 108.839074] ? __switch_to_asm+0x34/0x70
[ 108.839405] ? blk_mq_stop_hw_queue+0x40/0x40
[ 108.839823] ? blk_mq_stop_hw_queue+0x40/0x40
[ 108.840273] ? syscall_return_via_sysret+0xf/0x7f
[ 108.840732] blk_mq_timeout_work+0x74/0x200
[ 108.841151] process_one_work+0x297/0x680
[ 108.841550] worker_thread+0x29c/0x6f0
[ 108.841926] ? rescuer_thread+0x580/0x580
[ 108.842344] kthread+0x16a/0x1a0
[ 108.842666] ? kthread_flush_work+0x170/0x170
[ 108.843100] ret_from_fork+0x35/0x40
The bug is caused by the race between timeout handle and completion for
flush request.
When timeout handle function blk_mq_rq_timed_out() tries to read
'req->q->mq_ops', the 'req' has completed and been reinitiated by the next
flush request, which would call blk_rq_init() to clear 'req' as 0.
After commit 12f5b93145 ("blk-mq: Remove generation seqeunce"),
normal requests' lifetime is protected by refcount. Until 'rq->ref'
drops to zero, the request can really be free. Thus, these requests
cannot be reused before timeout handle finishes.
However, flush request has defined .end_io and rq->end_io() is still
called even if 'rq->ref' doesn't drop to zero. After that, the 'flush_rq'
can be reused by the next flush request handle, resulting in a null
pointer dereference BUG ON.
We fix this problem by covering flush request with 'rq->ref'.
If the refcount is not zero, flush_end_io() returns and waits for the
last holder to recall it. To record the request status, we add a new
entry 'rq_status', which will be used in flush_end_io().
Cc: Ming Lei <ming.lei(a)redhat.com>
Cc: Christoph Hellwig <hch(a)infradead.org>
Cc: Keith Busch <keith.busch(a)intel.com>
Cc: Bart Van Assche <bvanassche(a)acm.org>
Cc: stable(a)vger.kernel.org # v4.18+
Signed-off-by: Yufen Yu <yuyufen(a)huawei.com>
-------
v2:
- move rq_status from struct request to struct blk_flush_queue
v3:
- remove unnecessary '{}' pair.
v4:
- let spinlock to protect 'fq->rq_status'
---
block/blk-flush.c | 10 ++++++++++
block/blk-mq.c | 5 ++++-
block/blk.h | 7 +++++++
3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/block/blk-flush.c b/block/blk-flush.c
index aedd9320e605..1eec9cbe5a0a 100644
--- a/block/blk-flush.c
+++ b/block/blk-flush.c
@@ -214,6 +214,16 @@ static void flush_end_io(struct request *flush_rq, blk_status_t error)
/* release the tag's ownership to the req cloned from */
spin_lock_irqsave(&fq->mq_flush_lock, flags);
+
+ if (!refcount_dec_and_test(&flush_rq->ref)) {
+ fq->rq_status = error;
+ spin_unlock_irqrestore(&fq->mq_flush_lock, flags);
+ return;
+ }
+
+ if (fq->rq_status != BLK_STS_OK)
+ error = fq->rq_status;
+
hctx = flush_rq->mq_hctx;
if (!q->elevator) {
blk_mq_tag_set_rq(hctx, flush_rq->tag, fq->orig_rq);
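Review bot: fq->rq_status is written in the early-return branch of flush_end_io() and read just below it, but nothing in this patch sets it back to BLK_STS_OK once the stored value has been folded into error. A status saved for one flush would then still be present when the next flush on the same flush queue completes and would override that flush's own result. Suggest clearing it where it is consumed, i.e. after `error = fq->rq_status;` add `fq->rq_status = BLK_STS_OK;`, still under mq_flush_lock.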
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 20a49be536b5..e04fa9ab5574 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -912,7 +912,10 @@ static bool blk_mq_check_expired(struct blk_mq_hw_ctx *hctx,
*/
if (blk_mq_req_expired(rq, next))
blk_mq_rq_timed_out(rq, reserved);
- if (refcount_dec_and_test(&rq->ref))
+
+ if (is_flush_rq(rq, hctx))
+ rq->end_io(rq, 0);
+ else if (refcount_dec_and_test(&rq->ref))
__blk_mq_free_request(rq);
return true;
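Review bot: the new `is_flush_rq()` branch in blk_mq_check_expired() has no comment explaining why a flush request is finished through `rq->end_io()` while every other request goes through `refcount_dec_and_test()`, and it passes a bare `0` as the status. A short comment saying that flush_end_io() drops the reference itself and only completes the flush when it is the last holder, plus `BLK_STS_OK` in place of `0`, would make the asymmetry with the else branch readable without the commit message.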
diff --git a/block/blk.h b/block/blk.h
index ed347f7a97b1..de258e7b9db8 100644
--- a/block/blk.h
+++ b/block/blk.h
@@ -30,6 +30,7 @@ struct blk_flush_queue {
*/
struct request *orig_rq;
spinlock_t mq_flush_lock;
+ blk_status_t rq_status;
};
extern struct kmem_cache *blk_requestq_cachep;
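Review bot: the new `rq_status` member of struct blk_flush_queue is undocumented. The v4 changelog says the spinlock protects it, so a one-line comment on the field naming mq_flush_lock as its lock, and stating that it carries the status from an end_io call that was not the last reference holder, would record that rule next to the data.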
@@ -47,6 +48,12 @@ static inline void __blk_get_queue(struct request_queue *q)
kobject_get(&q->kobj);
}
+static inline bool
+is_flush_rq(struct request *req, struct blk_mq_hw_ctx *hctx)
+{
+ return hctx->fq->flush_rq == req;
+}
+
struct blk_flush_queue *blk_alloc_flush_queue(struct request_queue *q,
int node, int cmd_size, gfp_t flags);
void blk_free_flush_queue(struct blk_flush_queue *q);
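Review bot: is_flush_rq() dereferences `hctx->fq` unconditionally, and the caller added in blk-mq.c runs it for every request the timeout iterator visits. If every hardware context that can reach blk_mq_check_expired() is guaranteed to have a flush queue allocated, state that in a comment above the helper; otherwise test `hctx->fq` before comparing `flush_rq`.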
--
2.17.2
memcpy() in phy_ConfigBBWithParaFile() and PHY_ConfigRFWithParaFile() is
called with "src == NULL && len == 0". This is undefined behavior.
Moreover, this if pre-condition "pBufLen && (*pBufLen == 0) && !pBuf"
is constantly false because it is a nested if in the else branch, i.e.,
"if (cond) { ... } else { if (cond) {...} }". This patch alters the
if condition to check "pBufLen && pBuf" pointers are not NULL.
Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Cc: Hans de Goede <hdegoede(a)redhat.com>
Cc: Bastien Nocera <hadess(a)hadess.net>
Cc: Larry Finger <Larry.Finger(a)lwfinger.net>
Cc: Jes Sorensen <jes.sorensen(a)gmail.com>
Cc: stable(a)vger.kernel.org
Signed-off-by: Denis Efremov <efremov(a)linux.com>
---
Not tested. I don't have the hardware. The fix is based on my guess.
drivers/staging/rtl8723bs/hal/hal_com_phycfg.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8723bs/hal/hal_com_phycfg.c b/drivers/staging/rtl8723bs/hal/hal_com_phycfg.c
index 6539bee9b5ba..0902dc3c1825 100644
--- a/drivers/staging/rtl8723bs/hal/hal_com_phycfg.c
+++ b/drivers/staging/rtl8723bs/hal/hal_com_phycfg.c
@@ -2320,7 +2320,7 @@ int phy_ConfigBBWithParaFile(
}
}
} else {
- if (pBufLen && (*pBufLen == 0) && !pBuf) {
+ if (pBufLen && pBuf) {
memcpy(pHalData->para_file_buf, pBuf, *pBufLen);
rtStatus = _SUCCESS;
} else
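Review bot: with the condition in phy_ConfigBBWithParaFile() relaxed to `pBufLen && pBuf`, the memcpy() into pHalData->para_file_buf now runs with a caller-supplied `*pBufLen`, and nothing in this hunk bounds that length by the size of the destination. The old condition only admitted a zero length, so this is the first time the copy can move real data; add a check of `*pBufLen` against the capacity of para_file_buf before copying, and decide whether a zero length should take the success path at all. The patch is marked as untested, so the intended meaning of this branch should be confirmed by someone who has the hardware.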
@@ -2752,7 +2752,7 @@ int PHY_ConfigRFWithParaFile(
}
}
} else {
- if (pBufLen && (*pBufLen == 0) && !pBuf) {
+ if (pBufLen && pBuf) {
memcpy(pHalData->para_file_buf, pBuf, *pBufLen);
rtStatus = _SUCCESS;
} else
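Review bot: the condition and copy changed in PHY_ConfigRFWithParaFile() are line for line the same as the ones in phy_ConfigBBWithParaFile(), so whatever length validation is settled on there has to be repeated here. Consider moving the `pBufLen && pBuf` test and the memcpy() into one small helper so the two call sites cannot drift apart; the braced `if` followed by an unbraced `else` could get matching braces in the same pass.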
--
2.21.0
The following commit has been merged into the x86/urgent branch of tip:
Commit-ID: c49a0a80137c7ca7d6ced4c812c9e07a949f6f24
Gitweb: https://git.kernel.org/tip/c49a0a80137c7ca7d6ced4c812c9e07a949f6f24
Author: Tom Lendacky <thomas.lendacky(a)amd.com>
AuthorDate: Mon, 19 Aug 2019 15:52:35
Committer: Borislav Petkov <bp(a)suse.de>
CommitterDate: Mon, 19 Aug 2019 19:42:52 +02:00
x86/CPU/AMD: Clear RDRAND CPUID bit on AMD family 15h/16h
There have been reports of RDRAND issues after resuming from suspend on
some AMD family 15h and family 16h systems. This issue stems from a BIOS
not performing the proper steps during resume to ensure RDRAND continues
to function properly.
RDRAND support is indicated by CPUID Fn00000001_ECX[30]. This bit can be
reset by clearing MSR C001_1004[62]. Any software that checks for RDRAND
support using CPUID, including the kernel, will believe that RDRAND is
not supported.
Update the CPU initialization to clear the RDRAND CPUID bit for any family
15h and 16h processor that supports RDRAND. If it is known that the family
15h or family 16h system does not have an RDRAND resume issue or that the
system will not be placed in suspend, the "rdrand=force" kernel parameter
can be used to stop the clearing of the RDRAND CPUID bit.
Additionally, update the suspend and resume path to save and restore the
MSR C001_1004 value to ensure that the RDRAND CPUID setting remains in
place after resuming from suspend.
Note, that clearing the RDRAND CPUID bit does not prevent a processor
that normally supports the RDRAND instruction from executing it. So any
code that determined the support based on family and model won't #UD.
Signed-off-by: Tom Lendacky <thomas.lendacky(a)amd.com>
Signed-off-by: Borislav Petkov <bp(a)suse.de>
Cc: Andrew Cooper <andrew.cooper3(a)citrix.com>
Cc: Andrew Morton <akpm(a)linux-foundation.org>
Cc: Chen Yu <yu.c.chen(a)intel.com>
Cc: "H. Peter Anvin" <hpa(a)zytor.com>
Cc: Ingo Molnar <mingo(a)redhat.com>
Cc: Jonathan Corbet <corbet(a)lwn.net>
Cc: Josh Poimboeuf <jpoimboe(a)redhat.com>
Cc: Juergen Gross <jgross(a)suse.com>
Cc: Kees Cook <keescook(a)chromium.org>
Cc: "linux-doc(a)vger.kernel.org" <linux-doc(a)vger.kernel.org>
Cc: "linux-pm(a)vger.kernel.org" <linux-pm(a)vger.kernel.org>
Cc: Nathan Chancellor <natechancellor(a)gmail.com>
Cc: Paolo Bonzini <pbonzini(a)redhat.com>
Cc: Pavel Machek <pavel(a)ucw.cz>
Cc: "Rafael J. Wysocki" <rjw(a)rjwysocki.net>
Cc: <stable(a)vger.kernel.org>
Cc: Thomas Gleixner <tglx(a)linutronix.de>
Cc: "x86(a)kernel.org" <x86(a)kernel.org>
Link: https://lkml.kernel.org/r/7543af91666f491547bd86cebb1e17c66824ab9f.15662299…
---
Documentation/admin-guide/kernel-parameters.txt | 7 +-
arch/x86/include/asm/msr-index.h | 1 +-
arch/x86/kernel/cpu/amd.c | 66 +------------
arch/x86/power/cpu.c | 86 ++--------------
4 files changed, 13 insertions(+), 147 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 4c19719..47d981a 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -4090,13 +4090,6 @@
Run specified binary instead of /init from the ramdisk,
used for early userspace startup. See initrd.
- rdrand= [X86]
- force - Override the decision by the kernel to hide the
- advertisement of RDRAND support (this affects
- certain AMD processors because of buggy BIOS
- support, specifically around the suspend/resume
- path).
-
rdt= [HW,X86,RDT]
Turn on/off individual RDT features. List is:
cmt, mbmtotal, mbmlocal, l3cat, l3cdp, l2cat, l2cdp,
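Review bot: this hunk deletes the `rdrand=` entry from kernel-parameters.txt, while the commit message above says the "rdrand=force" kernel parameter can be used to stop the clearing of the RDRAND CPUID bit. The rest of the diff goes the same way (it removes MSR_AMD64_CPUID_FN_1, clear_rdrand_cpuid_bit() and the family 15h/16h MSR save table), so the diff as shown is the inverse of the change the message describes. Check that it was not generated with the two trees swapped before applying anything from this mail.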
diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
index 271d837..6b4fc27 100644
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -381,7 +381,6 @@
#define MSR_AMD64_PATCH_LEVEL 0x0000008b
#define MSR_AMD64_TSC_RATIO 0xc0000104
#define MSR_AMD64_NB_CFG 0xc001001f
-#define MSR_AMD64_CPUID_FN_1 0xc0011004
#define MSR_AMD64_PATCH_LOADER 0xc0010020
#define MSR_AMD64_OSVW_ID_LENGTH 0xc0010140
#define MSR_AMD64_OSVW_STATUS 0xc0010141
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index 68c363c..8d4e504 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -804,64 +804,6 @@ static void init_amd_ln(struct cpuinfo_x86 *c)
msr_set_bit(MSR_AMD64_DE_CFG, 31);
}
-static bool rdrand_force;
-
-static int __init rdrand_cmdline(char *str)
-{
- if (!str)
- return -EINVAL;
-
- if (!strcmp(str, "force"))
- rdrand_force = true;
- else
- return -EINVAL;
-
- return 0;
-}
-early_param("rdrand", rdrand_cmdline);
-
-static void clear_rdrand_cpuid_bit(struct cpuinfo_x86 *c)
-{
- /*
- * Saving of the MSR used to hide the RDRAND support during
- * suspend/resume is done by arch/x86/power/cpu.c, which is
- * dependent on CONFIG_PM_SLEEP.
- */
- if (!IS_ENABLED(CONFIG_PM_SLEEP))
- return;
-
- /*
- * The nordrand option can clear X86_FEATURE_RDRAND, so check for
- * RDRAND support using the CPUID function directly.
- */
- if (!(cpuid_ecx(1) & BIT(30)) || rdrand_force)
- return;
-
- msr_clear_bit(MSR_AMD64_CPUID_FN_1, 62);
-
- /*
- * Verify that the CPUID change has occurred in case the kernel is
- * running virtualized and the hypervisor doesn't support the MSR.
- */
- if (cpuid_ecx(1) & BIT(30)) {
- pr_info_once("BIOS may not properly restore RDRAND after suspend, but hypervisor does not support hiding RDRAND via CPUID.\n");
- return;
- }
-
- clear_cpu_cap(c, X86_FEATURE_RDRAND);
- pr_info_once("BIOS may not properly restore RDRAND after suspend, hiding RDRAND via CPUID. Use rdrand=force to reenable.\n");
-}
-
-static void init_amd_jg(struct cpuinfo_x86 *c)
-{
- /*
- * Some BIOS implementations do not restore proper RDRAND support
- * across suspend and resume. Check on whether to hide the RDRAND
- * instruction support via CPUID.
- */
- clear_rdrand_cpuid_bit(c);
-}
-
static void init_amd_bd(struct cpuinfo_x86 *c)
{
u64 value;
@@ -876,13 +818,6 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
wrmsrl_safe(MSR_F15H_IC_CFG, value);
}
}
-
- /*
- * Some BIOS implementations do not restore proper RDRAND support
- * across suspend and resume. Check on whether to hide the RDRAND
- * instruction support via CPUID.
- */
- clear_rdrand_cpuid_bit(c);
}
static void init_amd_zn(struct cpuinfo_x86 *c)
@@ -925,7 +860,6 @@ static void init_amd(struct cpuinfo_x86 *c)
case 0x10: init_amd_gh(c); break;
case 0x12: init_amd_ln(c); break;
case 0x15: init_amd_bd(c); break;
- case 0x16: init_amd_jg(c); break;
case 0x17: init_amd_zn(c); break;
}
diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
index c9ef6a7..24b079e 100644
--- a/arch/x86/power/cpu.c
+++ b/arch/x86/power/cpu.c
@@ -12,7 +12,6 @@
#include <linux/smp.h>
#include <linux/perf_event.h>
#include <linux/tboot.h>
-#include <linux/dmi.h>
#include <asm/pgtable.h>
#include <asm/proto.h>
@@ -24,7 +23,7 @@
#include <asm/debugreg.h>
#include <asm/cpu.h>
#include <asm/mmu_context.h>
-#include <asm/cpu_device_id.h>
+#include <linux/dmi.h>
#ifdef CONFIG_X86_32
__visible unsigned long saved_context_ebx;
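Review bot: `#include <linux/dmi.h>` ends up after the `<asm/...>` includes in this hunk, having been taken out of the `<linux/...>` group in the previous one. Keeping it with the other linux headers avoids the mixed ordering; only the `<asm/cpu_device_id.h>` line needs to change here.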
@@ -398,14 +397,15 @@ static int __init bsp_pm_check_init(void)
core_initcall(bsp_pm_check_init);
-static int msr_build_context(const u32 *msr_id, const int num)
+static int msr_init_context(const u32 *msr_id, const int total_num)
{
- struct saved_msrs *saved_msrs = &saved_context.saved_msrs;
+ int i = 0;
struct saved_msr *msr_array;
- int total_num;
- int i, j;
- total_num = saved_msrs->num + num;
+ if (saved_context.saved_msrs.array || saved_context.saved_msrs.num > 0) {
+ pr_err("x86/pm: MSR quirk already applied, please check your DMI match table.\n");
+ return -EINVAL;
+ }
msr_array = kmalloc_array(total_num, sizeof(struct saved_msr), GFP_KERNEL);
if (!msr_array) {
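Review bot: msr_init_context() fails with -EINVAL as soon as saved_msrs is already populated, where msr_build_context() appended to the existing array, so only a single caller can ever register MSRs for save and restore. If that restriction is intended, document it in a comment above the function so a second quirk is not added on the assumption that requests accumulate. The `int i = 0;` initialiser is also redundant, since the `for` loop in the next hunk assigns `i` before it is used.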
@@ -413,30 +413,19 @@ static int msr_build_context(const u32 *msr_id, const int num)
return -ENOMEM;
}
- if (saved_msrs->array) {
- /*
- * Multiple callbacks can invoke this function, so copy any
- * MSR save requests from previous invocations.
- */
- memcpy(msr_array, saved_msrs->array,
- sizeof(struct saved_msr) * saved_msrs->num);
-
- kfree(saved_msrs->array);
- }
-
- for (i = saved_msrs->num, j = 0; i < total_num; i++, j++) {
- msr_array[i].info.msr_no = msr_id[j];
+ for (i = 0; i < total_num; i++) {
+ msr_array[i].info.msr_no = msr_id[i];
msr_array[i].valid = false;
msr_array[i].info.reg.q = 0;
}
- saved_msrs->num = total_num;
- saved_msrs->array = msr_array;
+ saved_context.saved_msrs.num = total_num;
+ saved_context.saved_msrs.array = msr_array;
return 0;
}
/*
- * The following sections are a quirk framework for problematic BIOSen:
+ * The following section is a quirk framework for problematic BIOSen:
* Sometimes MSRs are modified by the BIOSen after suspended to
* RAM, this might cause unexpected behavior after wakeup.
* Thus we save/restore these specified MSRs across suspend/resume
@@ -451,7 +440,7 @@ static int msr_initialize_bdw(const struct dmi_system_id *d)
u32 bdw_msr_id[] = { MSR_IA32_THERM_CONTROL };
pr_info("x86/pm: %s detected, MSR saving is needed during suspending.\n", d->ident);
- return msr_build_context(bdw_msr_id, ARRAY_SIZE(bdw_msr_id));
+ return msr_init_context(bdw_msr_id, ARRAY_SIZE(bdw_msr_id));
}
static const struct dmi_system_id msr_save_dmi_table[] = {
@@ -466,58 +455,9 @@ static const struct dmi_system_id msr_save_dmi_table[] = {
{}
};
-static int msr_save_cpuid_features(const struct x86_cpu_id *c)
-{
- u32 cpuid_msr_id[] = {
- MSR_AMD64_CPUID_FN_1,
- };
-
- pr_info("x86/pm: family %#hx cpu detected, MSR saving is needed during suspending.\n",
- c->family);
-
- return msr_build_context(cpuid_msr_id, ARRAY_SIZE(cpuid_msr_id));
-}
-
-static const struct x86_cpu_id msr_save_cpu_table[] = {
- {
- .vendor = X86_VENDOR_AMD,
- .family = 0x15,
- .model = X86_MODEL_ANY,
- .feature = X86_FEATURE_ANY,
- .driver_data = (kernel_ulong_t)msr_save_cpuid_features,
- },
- {
- .vendor = X86_VENDOR_AMD,
- .family = 0x16,
- .model = X86_MODEL_ANY,
- .feature = X86_FEATURE_ANY,
- .driver_data = (kernel_ulong_t)msr_save_cpuid_features,
- },
- {}
-};
-
-typedef int (*pm_cpu_match_t)(const struct x86_cpu_id *);
-static int pm_cpu_check(const struct x86_cpu_id *c)
-{
- const struct x86_cpu_id *m;
- int ret = 0;
-
- m = x86_match_cpu(msr_save_cpu_table);
- if (m) {
- pm_cpu_match_t fn;
-
- fn = (pm_cpu_match_t)m->driver_data;
- ret = fn(m);
- }
-
- return ret;
-}
-
static int pm_check_save_msr(void)
{
dmi_check_system(msr_save_dmi_table);
- pm_cpu_check(msr_save_cpu_table);
-
return 0;
}
From: Sean Paul <seanpaul(a)chromium.org>
Since the dirtyfb ioctl doesn't give us any hints as to which plane is
scanning out the fb it's marking as damaged, we need to loop through
planes to find it.
Currently we just reach into plane state and check, but that can race
with another commit changing the fb out from under us. This patch locks
the plane before checking the fb and will release the lock if the plane
is not displaying the dirty fb.
Fixes: b9fc5e01d1ce ("drm: Add helper to implement legacy dirtyfb")
Cc: Rob Clark <robdclark(a)gmail.com>
Cc: Deepak Rawat <drawat(a)vmware.com>
Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch>
Cc: Thomas Hellstrom <thellstrom(a)vmware.com>
Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com>
Cc: Maxime Ripard <maxime.ripard(a)bootlin.com>
Cc: Sean Paul <sean(a)poorly.run>
Cc: David Airlie <airlied(a)linux.ie>
Cc: Daniel Vetter <daniel(a)ffwll.ch>
Cc: dri-devel(a)lists.freedesktop.org
Cc: <stable(a)vger.kernel.org> # v5.0+
Reported-by: Daniel Vetter <daniel(a)ffwll.ch>
Signed-off-by: Sean Paul <seanpaul(a)chromium.org>
---
drivers/gpu/drm/drm_damage_helper.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_damage_helper.c b/drivers/gpu/drm/drm_damage_helper.c
index 8230dac01a89..3a4126dc2520 100644
--- a/drivers/gpu/drm/drm_damage_helper.c
+++ b/drivers/gpu/drm/drm_damage_helper.c
@@ -212,8 +212,14 @@ int drm_atomic_helper_dirtyfb(struct drm_framebuffer *fb,
drm_for_each_plane(plane, fb->dev) {
struct drm_plane_state *plane_state;
- if (plane->state->fb != fb)
+ ret = drm_modeset_lock(&plane->mutex, state->acquire_ctx);
+ if (ret)
+ goto out;
+
+ if (plane->state->fb != fb) {
+ drm_modeset_unlock(&plane->mutex);
continue;
+ }
plane_state = drm_atomic_get_plane_state(state, plane);
if (IS_ERR(plane_state)) {
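Review bot: the new `drm_modeset_lock(&plane->mutex, state->acquire_ctx)` call jumps to `out` on any non-zero return, and with an acquire context that return can be -EDEADLK, which calls for a backoff and retry rather than being handed back as a failure of the dirtyfb call. The `out` path is not visible in this hunk, so please confirm it handles -EDEADLK for a lock taken at this point in the loop. A one-line comment on the `drm_modeset_unlock()` before `continue`, saying the lock is dropped because this plane is not scanning out the dirty fb, would also help the next reader.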
--
Sean Paul, Software Engineer, Google / Chromium OS