From: Greg Kroah-Hartman Date: Sat, 10 Nov 2018 18:44:59 +0000 (-0800) Subject: 4.9-stable patches X-Git-Tag: v4.19.2~73 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7ce849778915a2c05cff59f5b14c62faafc8bd85;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-ca0106-disable-izd-on-sb0570-dac-to-fix-audio-pops.patch alsa-hda-add-mic-quirk-for-the-lenovo-g50-30-17aa-3905.patch alsa-hda-add-quirk-for-asus-g751-laptop.patch alsa-hda-fix-headphone-pin-config-for-asus-g751.patch parisc-fix-address-in-hpmc-iva.patch parisc-fix-map_pages-to-not-overwrite-existing-pte-entries.patch x86-corruption-check-fix-panic-in-memory_corruption_check-when-boot-option-without-value-is-provided.patch x86-speculation-enable-cross-hyperthread-spectre-v2-stibp-mitigation.patch x86-speculation-support-enhanced-ibrs-on-future-cpus.patch
---
diff --git a/queue-4.9/alsa-ca0106-disable-izd-on-sb0570-dac-to-fix-audio-pops.patch b/queue-4.9/alsa-ca0106-disable-izd-on-sb0570-dac-to-fix-audio-pops.patch
new file mode 100644
index 00000000000..84ec205a382
--- /dev/null
+++ b/queue-4.9/alsa-ca0106-disable-izd-on-sb0570-dac-to-fix-audio-pops.patch
@@ -0,0 +1,51 @@
+From ac237c28d5ac1b241d58b1b7b4b9fa10efb22fb5 Mon Sep 17 00:00:00 2001
+From: Alex Stanoev
+Date: Sun, 28 Oct 2018 16:55:12 +0000
+Subject: ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops
+
+From: Alex Stanoev
+
+commit ac237c28d5ac1b241d58b1b7b4b9fa10efb22fb5 upstream.
+
+The Creative Audigy SE (SB0570) card currently exhibits an audible pop
+whenever playback is stopped or resumed, or during silent periods of an
+audio stream. Initialise the IZD bit to the 0 to eliminate these pops.
+
+The Infinite Zero Detection (IZD) feature on the DAC causes the output
+to be shunted to Vcap after 2048 samples of silence. This discharges the
+AC coupling capacitor through the output and causes the aforementioned
+pop/click noise.
+
+The behaviour of the IZD bit is described on page 15 of the WM8768GEDS
+datasheet: "With IZD=1, applying MUTE for 1024 consecutive input samples
+will cause all outputs to be connected directly to VCAP. This also
+happens if 2048 consecutive zero input samples are applied to all 6
+channels, and IZD=0. It will be removed as soon as any channel receives
+a non-zero input". I believe the second sentence might be referring to
+IZD=1 instead of IZD=0 given the observed behaviour of the card.
+
+This change should make the DAC initialisation consistent with
+Creative's Windows driver, as this popping persists when initialising
+the card in Linux and soft rebooting into Windows, but is not present on
+a cold boot to Windows.
+
+Signed-off-by: Alex Stanoev
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/ca0106/ca0106.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/ca0106/ca0106.h
++++ b/sound/pci/ca0106/ca0106.h
+@@ -582,7 +582,7 @@
+ #define SPI_PL_BIT_R_R (2<<7) /* right channel = right */
+ #define SPI_PL_BIT_R_C (3<<7) /* right channel = (L+R)/2 */
+ #define SPI_IZD_REG 2
+-#define SPI_IZD_BIT (1<<4) /* infinite zero detect */
++#define SPI_IZD_BIT (0<<4) /* infinite zero detect */
+
+ #define SPI_FMT_REG 3
+ #define SPI_FMT_BIT_RJ (0<<0) /* right justified mode */
diff --git a/queue-4.9/alsa-hda-add-mic-quirk-for-the-lenovo-g50-30-17aa-3905.patch b/queue-4.9/alsa-hda-add-mic-quirk-for-the-lenovo-g50-30-17aa-3905.patch
new file mode 100644
index 00000000000..e8d57f94cb2
--- /dev/null
+++ b/queue-4.9/alsa-hda-add-mic-quirk-for-the-lenovo-g50-30-17aa-3905.patch
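Review bot: In sound/pci/ca0106/ca0106.h the new `#define SPI_IZD_BIT (0<<4)` changes the value for every user of the macro, while the commit title scopes the fix to the SB0570 DAC; the use sites are outside this hunk, so it is worth confirming that no other card's initialisation picks up the same constant. The trailing comment still reads `/* infinite zero detect */`, which no longer tells a reader that the value now means "disabled". Something like `/* infinite zero detect: off, IZD=1 causes output pops (see WM8768 datasheet) */` would record the reason next to the value.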
@@ -0,0 +1,34 @@
+From e7bb6ad5685f05685dd8a6a5eda7bfcd14d5f95b Mon Sep 17 00:00:00 2001
+From: Jeremy Cline
+Date: Thu, 11 Oct 2018 15:49:17 -0400
+Subject: ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905)
+
+From: Jeremy Cline
+
+commit e7bb6ad5685f05685dd8a6a5eda7bfcd14d5f95b upstream.
+
+The Lenovo G50-30, like other G50 models, has a Conexant codec that
+requires a quirk for its inverted stereo dmic.
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1249364
+Reported-by: Alexander Ploumistos
+Tested-by: Alexander Ploumistos
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -867,6 +867,7 @@ static const struct snd_pci_quirk cxt506
+ SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT_PINCFG_LENOVO_TP410),
+ SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT_PINCFG_LENOVO_TP410),
+ SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo IdeaPad Z560", CXT_FIXUP_MUTE_LED_EAPD),
++ SND_PCI_QUIRK(0x17aa, 0x3905, "Lenovo G50-30", CXT_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC),
diff --git a/queue-4.9/alsa-hda-add-quirk-for-asus-g751-laptop.patch b/queue-4.9/alsa-hda-add-quirk-for-asus-g751-laptop.patch
new file mode 100644
index 00000000000..515b99597bf
--- /dev/null
+++ b/queue-4.9/alsa-hda-add-quirk-for-asus-g751-laptop.patch
@@ -0,0 +1,57 @@
+From 11ba6111160290ccd35562f4e05cec08942a6c4c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Sun, 7 Oct 2018 09:44:17 +0200
+Subject: ALSA: hda - Add quirk for ASUS G751 laptop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai
+
+commit 11ba6111160290ccd35562f4e05cec08942a6c4c upstream.
+
+ASUS G751 requires the extra COEF initialization to make it microphone
+working properly.
+
+Reported-and-tested-by: HÃ¥vard
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6811,6 +6811,7 @@ enum {
+ ALC662_FIXUP_ASUS_Nx50,
+ ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
+ ALC668_FIXUP_ASUS_Nx51,
++ ALC668_FIXUP_ASUS_G751,
+ ALC891_FIXUP_HEADSET_MODE,
+ ALC891_FIXUP_DELL_MIC_NO_PRESENCE,
+ ALC662_FIXUP_ACER_VERITON,
+@@ -7077,6 +7078,14 @@ static const struct hda_fixup alc662_fix
+ .chained = true,
+ .chain_id = ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
+ },
++ [ALC668_FIXUP_ASUS_G751] = {
++ .type = HDA_FIXUP_VERBS,
++ .v.verbs = (const struct hda_verb[]) {
++ { 0x20, AC_VERB_SET_COEF_INDEX, 0xc3 },
++ { 0x20, AC_VERB_SET_PROC_COEF, 0x4000 },
++ {}
++ },
++ },
+ [ALC891_FIXUP_HEADSET_MODE] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc_fixup_headset_mode,
+@@ -7132,6 +7141,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_ASUS_Nx50),
+ SND_PCI_QUIRK(0x1043, 0x13df, "Asus N550JX", ALC662_FIXUP_BASS_1A),
+ SND_PCI_QUIRK(0x1043, 0x129d, "Asus N750", ALC662_FIXUP_ASUS_Nx50),
++ SND_PCI_QUIRK(0x1043, 0x12ff, "ASUS G751", ALC668_FIXUP_ASUS_G751),
+ SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_BASS_MODE4_CHMAP),
+ SND_PCI_QUIRK(0x1043, 0x15a7, "ASUS UX51VZH", ALC662_FIXUP_BASS_16),
+ SND_PCI_QUIRK(0x1043, 0x177d, "ASUS N551", ALC668_FIXUP_ASUS_Nx51),
diff --git a/queue-4.9/alsa-hda-fix-headphone-pin-config-for-asus-g751.patch b/queue-4.9/alsa-hda-fix-headphone-pin-config-for-asus-g751.patch
new file mode 100644
index 00000000000..56bc1553405
--- /dev/null
+++ b/queue-4.9/alsa-hda-fix-headphone-pin-config-for-asus-g751.patch
@@ -0,0 +1,60 @@
+From 5b7c5e1f4c36b99d0f694f38b9ad910f520cb7ef Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 9 Oct 2018 14:20:17 +0200
+Subject: ALSA: hda - Fix headphone pin config for ASUS G751
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai
+
+commit 5b7c5e1f4c36b99d0f694f38b9ad910f520cb7ef upstream.
+
+BIOS on ASUS G751 doesn't seem to map the headphone pin (NID 0x16)
+correctly. Add a quirk to address it, as well as chaining to the
+previous fix for the microphone.
+
+Reported-by: HÃ¥vard
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6811,6 +6811,7 @@ enum {
+ ALC662_FIXUP_ASUS_Nx50,
+ ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
+ ALC668_FIXUP_ASUS_Nx51,
++ ALC668_FIXUP_MIC_COEF,
+ ALC668_FIXUP_ASUS_G751,
+ ALC891_FIXUP_HEADSET_MODE,
+ ALC891_FIXUP_DELL_MIC_NO_PRESENCE,
+@@ -7078,7 +7079,7 @@ static const struct hda_fixup alc662_fix
+ .chained = true,
+ .chain_id = ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
+ },
+- [ALC668_FIXUP_ASUS_G751] = {
++ [ALC668_FIXUP_MIC_COEF] = {
+ .type = HDA_FIXUP_VERBS,
+ .v.verbs = (const struct hda_verb[]) {
+ { 0x20, AC_VERB_SET_COEF_INDEX, 0xc3 },
+@@ -7086,6 +7087,15 @@ static const struct hda_fixup alc662_fix
+ {}
+ },
+ },
++ [ALC668_FIXUP_ASUS_G751] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x16, 0x0421101f }, /* HP */
++ {}
++ },
++ .chained = true,
++ .chain_id = ALC668_FIXUP_MIC_COEF
++ },
+ [ALC891_FIXUP_HEADSET_MODE] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc_fixup_headset_mode,
diff --git a/queue-4.9/parisc-fix-address-in-hpmc-iva.patch b/queue-4.9/parisc-fix-address-in-hpmc-iva.patch
new file mode 100644
index 00000000000..da525a12dd1
--- /dev/null
+++ b/queue-4.9/parisc-fix-address-in-hpmc-iva.patch
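Review bot: In the new `[ALC668_FIXUP_ASUS_G751]` entry of sound/pci/hda/patch_realtek.c the last initializer, `.chain_id = ALC668_FIXUP_MIC_COEF`, has no trailing comma, while the neighbouring entry in the same table writes `.chain_id = ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,`. Adding the comma keeps the table uniform and keeps a later change to this entry to a one-line diff. The pin override `{ 0x16, 0x0421101f }` is annotated only with `/* HP */`; a few words saying that the BIOS mapping of NID 0x16 is being replaced would carry the reason from the commit message into the code.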
@@ -0,0 +1,93 @@
+From 1138b6718ff74d2a934459643e3754423d23b5e2 Mon Sep 17 00:00:00 2001
+From: John David Anglin
+Date: Sat, 6 Oct 2018 13:11:30 -0400
+Subject: parisc: Fix address in HPMC IVA
+
+From: John David Anglin
+
+commit 1138b6718ff74d2a934459643e3754423d23b5e2 upstream.
+
+Helge noticed that the address of the os_hpmc handler was not being
+correctly calculated in the hpmc macro. As a result, PDCE_CHECK would
+fail to call os_hpmc:
+
+ e800009802e00000 0000000000000000 CC_ERR_CHECK_HPMC
+ 37000f7302e00000 8040004000000000 CC_ERR_CPU_CHECK_SUMMARY
+ f600105e02e00000 fffffff0f0c00000 CC_MC_HPMC_MONARCH_SELECTED
+ 140003b202e00000 000000000000000b CC_ERR_HPMC_STATE_ENTRY
+ 5600100b02e00000 00000000000001a0 CC_MC_OS_HPMC_LEN_ERR
+ 5600106402e00000 fffffff0f0438e70 CC_MC_BR_TO_OS_HPMC_FAILED
+ e800009802e00000 0000000000000000 CC_ERR_CHECK_HPMC
+ 37000f7302e00000 8040004000000000 CC_ERR_CPU_CHECK_SUMMARY
+ 4000109f02e00000 0000000000000000 CC_MC_HPMC_INITIATED
+ 4000101902e00000 0000000000000000 CC_MC_MULTIPLE_HPMCS
+ 030010d502e00000 0000000000000000 CC_CPU_STOP
+
+The address problem can be seen by dumping the fault vector:
+
+0000000040159000 :
+ 40159000: 63 6f 77 73 stb r15,-2447(dp)
+ 40159004: 20 63 61 6e ldil L%b747000,r3
+ 40159008: 20 66 6c 79 ldil L%-1c3b3000,r3
+ ...
+ 40159020: 08 00 02 40 nop
+ 40159024: 20 6e 60 02 ldil L%15d000,r3
+ 40159028: 34 63 00 00 ldo 0(r3),r3
+ 4015902c: e8 60 c0 02 bv,n r0(r3)
+ 40159030: 08 00 02 40 nop
+ 40159034: 00 00 00 00 break 0,0
+ 40159038: c0 00 70 00 bb,*< r0,sar,40159840
+ 4015903c: 00 00 00 00 break 0,0
+
+Location 40159038 should contain the physical address of os_hpmc:
+
+000000004015d000 :
+ 4015d000: 08 1a 02 43 copy r26,r3
+ 4015d004: 01 c0 08 a4 mfctl iva,r4
+ 4015d008: 48 85 00 68 ldw 34(r4),r5
+
+This patch moves the address setup into initialize_ivt to resolve the
+above problem. I tested the change by dumping the HPMC entry after setup:
+
+0000000040209020: 8000240
+0000000040209024: 206a2004
+0000000040209028: 34630ac0
+000000004020902c: e860c002
+0000000040209030: 8000240
+0000000040209034: 1bdddce6
+0000000040209038: 15d000
+000000004020903c: 1a0
+
+Signed-off-by: John David Anglin
+Cc:
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/kernel/entry.S | 2 +-
+ arch/parisc/kernel/traps.c | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/kernel/entry.S
++++ b/arch/parisc/kernel/entry.S
+@@ -185,7 +185,7 @@
+ bv,n 0(%r3)
+ nop
+ .word 0 /* checksum (will be patched) */
+- .word PA(os_hpmc) /* address of handler */
++ .word 0 /* address of handler */
+ .word 0 /* length of handler */
+ .endm
+
+--- a/arch/parisc/kernel/traps.c
++++ b/arch/parisc/kernel/traps.c
+@@ -826,7 +826,8 @@ void __init initialize_ivt(const void *i
+ for (i = 0; i < 8; i++)
+ *ivap++ = 0;
+
+- /* Compute Checksum for HPMC handler */
++ /* Setup IVA and compute checksum for HPMC handler */
++ ivap[6] = (u32)__pa(os_hpmc);
+ length = os_hpmc_size;
+ ivap[7] = length;
+
diff --git a/queue-4.9/parisc-fix-map_pages-to-not-overwrite-existing-pte-entries.patch b/queue-4.9/parisc-fix-map_pages-to-not-overwrite-existing-pte-entries.patch
new file mode 100644
index 00000000000..3b5a5dec46b
--- /dev/null
+++ b/queue-4.9/parisc-fix-map_pages-to-not-overwrite-existing-pte-entries.patch
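Review bot: In arch/parisc/kernel/entry.S the handler-address slot is now filled in at run time, yet its comment still reads `/* address of handler */` while the checksum slot one line above says `(will be patched)`; `.word 0 /* address of handler (will be patched) */` would tell the reader where the value comes from. In traps.c, `ivap[6] = (u32)__pa(os_hpmc);` relies on the preceding loop having advanced `ivap` by eight words, and the indices 6 and 7 are unexplained, so a short comment naming the two slots (handler address, handler length) would make that dependency visible. The `(u32)` cast would silently drop high bits if the handler's physical address ever needed more than 32 bits; whether that can happen is not visible from the hunk. initialize_ivt() starts and ends outside the hunk.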
@@ -0,0 +1,41 @@
+From 3c229b3f2dd8133f61bb81d3cb018be92f4bba39 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Fri, 12 Oct 2018 22:37:46 +0200
+Subject: parisc: Fix map_pages() to not overwrite existing pte entries
+
+From: Helge Deller
+
+commit 3c229b3f2dd8133f61bb81d3cb018be92f4bba39 upstream.
+
+Fix a long-existing small nasty bug in the map_pages() implementation which
+leads to overwriting already written pte entries with zero, *if* map_pages() is
+called a second time with an end address which isn't aligned on a pmd boundry.
+This happens for example if we want to remap only the text segment read/write
+in order to run alternative patching on the code. Exiting the loop when we
+reach the end address fixes this.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/mm/init.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/arch/parisc/mm/init.c
++++ b/arch/parisc/mm/init.c
+@@ -491,12 +491,8 @@ static void __init map_pages(unsigned lo
+ pte = pte_mkhuge(pte);
+ }
+
+- if (address >= end_paddr) {
+- if (force)
+- break;
+- else
+- pte_val(pte) = 0;
+- }
++ if (address >= end_paddr)
++ break;
+
+ set_pte(pg_table, pte);
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 7a754e5644e..fdcbd66d3ed 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -4,3 +4,12 @@ jffs2-free-jffs2_sb_info-through-jffs2_kill_sb.patch
 pcmcia-implement-clkrun-protocol-disabling-for-ricoh-bridges.patch
 acpica-aml-interpreter-add-region-addresses-in-global-list-during-initialization.patch
 ipmi-fix-timer-race-with-module-unload.patch
+parisc-fix-address-in-hpmc-iva.patch
+parisc-fix-map_pages-to-not-overwrite-existing-pte-entries.patch
+alsa-hda-add-quirk-for-asus-g751-laptop.patch
+alsa-hda-fix-headphone-pin-config-for-asus-g751.patch
+alsa-hda-add-mic-quirk-for-the-lenovo-g50-30-17aa-3905.patch
+alsa-ca0106-disable-izd-on-sb0570-dac-to-fix-audio-pops.patch
+x86-speculation-enable-cross-hyperthread-spectre-v2-stibp-mitigation.patch
+x86-corruption-check-fix-panic-in-memory_corruption_check-when-boot-option-without-value-is-provided.patch
+x86-speculation-support-enhanced-ibrs-on-future-cpus.patch
diff --git a/queue-4.9/x86-corruption-check-fix-panic-in-memory_corruption_check-when-boot-option-without-value-is-provided.patch b/queue-4.9/x86-corruption-check-fix-panic-in-memory_corruption_check-when-boot-option-without-value-is-provided.patch
new file mode 100644
index 00000000000..a64239f4fcb
--- /dev/null
+++ b/queue-4.9/x86-corruption-check-fix-panic-in-memory_corruption_check-when-boot-option-without-value-is-provided.patch
@@ -0,0 +1,87 @@
+From ccde460b9ae5c2bd5e4742af0a7f623c2daad566 Mon Sep 17 00:00:00 2001
+From: He Zhe
+Date: Tue, 14 Aug 2018 23:33:42 +0800
+Subject: x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided
+
+From: He Zhe
+
+commit ccde460b9ae5c2bd5e4742af0a7f623c2daad566 upstream.
+
+memory_corruption_check[{_period|_size}]()'s handlers do not check input
+argument before passing it to kstrtoul() or simple_strtoull(). The argument
+would be a NULL pointer if each of the kernel parameters, without its
+value, is set in command line and thus cause the following panic.
+
+PANIC: early exception 0xe3 IP 10:ffffffff73587c22 error 0 cr2 0x0
+[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.18-rc8+ #2
+[ 0.000000] RIP: 0010:kstrtoull+0x2/0x10
+...
+[ 0.000000] Call Trace
+[ 0.000000] ? set_corruption_check+0x21/0x49
+[ 0.000000] ? do_early_param+0x4d/0x82
+[ 0.000000] ? parse_args+0x212/0x330
+[ 0.000000] ? rdinit_setup+0x26/0x26
+[ 0.000000] ? parse_early_options+0x20/0x23
+[ 0.000000] ? rdinit_setup+0x26/0x26
+[ 0.000000] ? parse_early_param+0x2d/0x39
+[ 0.000000] ? setup_arch+0x2f7/0xbf4
+[ 0.000000] ? start_kernel+0x5e/0x4c2
+[ 0.000000] ? load_ucode_bsp+0x113/0x12f
+[ 0.000000] ? secondary_startup_64+0xa5/0xb0
+
+This patch adds checks to prevent the panic.
+
+Signed-off-by: He Zhe
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: gregkh@linuxfoundation.org
+Cc: kstewart@linuxfoundation.org
+Cc: pombredanne@nexb.com
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1534260823-87917-1-git-send-email-zhe.he@windriver.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/check.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/arch/x86/kernel/check.c
++++ b/arch/x86/kernel/check.c
+@@ -30,6 +30,11 @@ static __init int set_corruption_check(c
+ ssize_t ret;
+ unsigned long val;
+
++ if (!arg) {
++ pr_err("memory_corruption_check config string not provided\n");
++ return -EINVAL;
++ }
++
+ ret = kstrtoul(arg, 10, &val);
+ if (ret)
+ return ret;
+@@ -44,6 +49,11 @@ static __init int set_corruption_check_p
+ ssize_t ret;
+ unsigned long val;
+
++ if (!arg) {
++ pr_err("memory_corruption_check_period config string not provided\n");
++ return -EINVAL;
++ }
++
+ ret = kstrtoul(arg, 10, &val);
+ if (ret)
+ return ret;
+@@ -58,6 +68,11 @@ static __init int set_corruption_check_s
+ char *end;
+ unsigned size;
+
++ if (!arg) {
++ pr_err("memory_corruption_check_size config string not provided\n");
++ return -EINVAL;
++ }
++
+ size = memparse(arg, &end);
+
+ if (*end == '\0')
diff --git a/queue-4.9/x86-speculation-enable-cross-hyperthread-spectre-v2-stibp-mitigation.patch b/queue-4.9/x86-speculation-enable-cross-hyperthread-spectre-v2-stibp-mitigation.patch
new file mode 100644
index 00000000000..a36c560c5ed
--- /dev/null
+++ b/queue-4.9/x86-speculation-enable-cross-hyperthread-spectre-v2-stibp-mitigation.patch
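Review bot: In set_corruption_check_size() (arch/x86/kernel/check.c) the value is still parsed with `size = memparse(arg, &end);` into `unsigned size`, so a boot argument larger than `unsigned` can hold is truncated without any diagnostic, and the new NULL guard does not cover that case. memparse() returns a 64-bit value; parsing into a wider local and rejecting out-of-range input, for example `unsigned long long val = memparse(arg, &end);` followed by `if (val > UINT_MAX) return -EINVAL;`, would make the handler reject what it cannot represent. The same `if (!arg)` guard is added three times with only the parameter name differing, so a small shared helper would keep the three handlers in step. All three function bodies continue outside their hunks.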
@@ -0,0 +1,180 @@
+From 53c613fe6349994f023245519265999eed75957f Mon Sep 17 00:00:00 2001
+From: Jiri Kosina
+Date: Tue, 25 Sep 2018 14:38:55 +0200
+Subject: x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation
+
+From: Jiri Kosina
+
+commit 53c613fe6349994f023245519265999eed75957f upstream.
+
+STIBP is a feature provided by certain Intel ucodes / CPUs. This feature
+(once enabled) prevents cross-hyperthread control of decisions made by
+indirect branch predictors.
+
+Enable this feature if
+
+- the CPU is vulnerable to spectre v2
+- the CPU supports SMT and has SMT siblings online
+- spectre_v2 mitigation autoselection is enabled (default)
+
+After some previous discussion, this leaves STIBP on all the time, as wrmsr
+on crossing kernel boundary is a no-no. This could perhaps later be a bit
+more optimized (like disabling it in NOHZ, experiment with disabling it in
+idle, etc) if needed.
+
+Note that the synchronization of the mask manipulation via newly added
+spec_ctrl_mutex is currently not strictly needed, as the only updater is
+already being serialized by cpu_add_remove_lock, but let's make this a
+little bit more future-proof.
+
+Signed-off-by: Jiri Kosina
+Signed-off-by: Thomas Gleixner
+Cc: Peter Zijlstra
+Cc: Josh Poimboeuf
+Cc: Andrea Arcangeli
+Cc: "WoodhouseDavid"
+Cc: Andi Kleen
+Cc: Tim Chen
+Cc: "SchauflerCasey"
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1809251438240.15880@cbobk.fhfr.pm
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/bugs.c | 57 ++++++++++++++++++++++++++++++++++++++++-----
+ kernel/cpu.c | 11 +++++++-
+ 2 files changed, 61 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -33,12 +33,10 @@ static void __init spectre_v2_select_mit
+ static void __init ssb_select_mitigation(void);
+ static void __init l1tf_select_mitigation(void);
+
+-/*
+- * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any
+- * writes to SPEC_CTRL contain whatever reserved bits have been set.
+- */
+-u64 __ro_after_init x86_spec_ctrl_base;
++/* The base value of the SPEC_CTRL MSR that always has to be preserved. */
++u64 x86_spec_ctrl_base;
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
++static DEFINE_MUTEX(spec_ctrl_mutex);
+
+ /*
+ * The vendor and possibly platform specific bits which can be modified in
+@@ -321,6 +319,46 @@ static enum spectre_v2_mitigation_cmd __
+ return cmd;
+ }
+
++static bool stibp_needed(void)
++{
++ if (spectre_v2_enabled == SPECTRE_V2_NONE)
++ return false;
++
++ if (!boot_cpu_has(X86_FEATURE_STIBP))
++ return false;
++
++ return true;
++}
++
++static void update_stibp_msr(void *info)
++{
++ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
++}
++
++void arch_smt_update(void)
++{
++ u64 mask;
++
++ if (!stibp_needed())
++ return;
++
++ mutex_lock(&spec_ctrl_mutex);
++ mask = x86_spec_ctrl_base;
++ if (cpu_smt_control == CPU_SMT_ENABLED)
++ mask |= SPEC_CTRL_STIBP;
++ else
++ mask &= ~SPEC_CTRL_STIBP;
++
++ if (mask != x86_spec_ctrl_base) {
++ pr_info("Spectre v2 cross-process SMT mitigation: %s STIBP\n",
++ cpu_smt_control == CPU_SMT_ENABLED ?
++ "Enabling" : "Disabling");
++ x86_spec_ctrl_base = mask;
++ on_each_cpu(update_stibp_msr, NULL, 1);
++ }
++ mutex_unlock(&spec_ctrl_mutex);
++}
++
+ static void __init spectre_v2_select_mitigation(void)
+ {
+ enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
+@@ -405,6 +443,9 @@ retpoline_auto:
+ setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
+ pr_info("Enabling Restricted Speculation for firmware calls\n");
+ }
++
++ /* Enable STIBP if appropriate */
++ arch_smt_update();
+ }
+
+ #undef pr_fmt
+@@ -797,6 +838,8 @@ static ssize_t l1tf_show_state(char *buf
+ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
+ char *buf, unsigned int bug)
+ {
++ int ret;
++
+ if (!boot_cpu_has_bug(bug))
+ return sprintf(buf, "Not affected\n");
+
+@@ -811,10 +854,12 @@ static ssize_t cpu_show_common(struct de
+ return sprintf(buf, "Mitigation: __user pointer sanitization\n");
+
+ case X86_BUG_SPECTRE_V2:
+- return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
++ ret = sprintf(buf, "%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
+ boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
+ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
++ (x86_spec_ctrl_base & SPEC_CTRL_STIBP) ? ", STIBP" : "",
+ spectre_v2_module_string());
++ return ret;
+
+ case X86_BUG_SPEC_STORE_BYPASS:
+ return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -1970,6 +1970,12 @@ static void cpuhp_online_cpu_device(unsi
+ kobject_uevent(&dev->kobj, KOBJ_ONLINE);
+ }
+
++/*
++ * Architectures that need SMT-specific errata handling during SMT hotplug
++ * should override this.
++ */
++void __weak arch_smt_update(void) { };
++
+ static int cpuhp_smt_disable(enum cpuhp_smt_control ctrlval)
+ {
+ int cpu, ret = 0;
+@@ -1996,8 +2002,10 @@ static int cpuhp_smt_disable(enum cpuhp_
+ */
+ cpuhp_offline_cpu_device(cpu);
+ }
+- if (!ret)
++ if (!ret) {
+ cpu_smt_control = ctrlval;
++ arch_smt_update();
++ }
+ cpu_maps_update_done();
+ return ret;
+ }
+@@ -2008,6 +2016,7 @@ static int cpuhp_smt_enable(void)
+
+ cpu_maps_update_begin();
+ cpu_smt_control = CPU_SMT_ENABLED;
++ arch_smt_update();
+ for_each_present_cpu(cpu) {
+ /* Skip online CPUs and CPUs on offline nodes */
+ if (cpu_online(cpu) || !node_online(cpu_to_node(cpu)))
diff --git a/queue-4.9/x86-speculation-support-enhanced-ibrs-on-future-cpus.patch b/queue-4.9/x86-speculation-support-enhanced-ibrs-on-future-cpus.patch
new file mode 100644
index 00000000000..7f6b1304572
--- /dev/null
+++ b/queue-4.9/x86-speculation-support-enhanced-ibrs-on-future-cpus.patch
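Review bot: In arch/x86/kernel/cpu/bugs.c (STIBP patch) the declaration goes from `u64 __ro_after_init x86_spec_ctrl_base;` to `u64 x86_spec_ctrl_base;` while the symbol stays exported through `EXPORT_SYMBOL_GPL`, so the value that ends up in the SPEC_CTRL MSR on every CPU becomes ordinary writable data after boot, and the replacement comment does not say who is allowed to write it. arch_smt_update() needs the write, so the annotation cannot simply stay, but the comment should carry the rule, e.g. `/* Base value of SPEC_CTRL; after init it is changed only by arch_smt_update() under spec_ctrl_mutex. */`. The readers visible in this patch, update_stibp_msr() and cpu_show_common(), read the variable without the mutex, which looks intentional but deserves a sentence as well. Separately, in kernel/cpu.c `void __weak arch_smt_update(void) { };` has a stray semicolon after the function body; `void __weak arch_smt_update(void) { }` is enough.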
@@ -0,0 +1,152 @@
+From 706d51681d636a0c4a5ef53395ec3b803e45ed4d Mon Sep 17 00:00:00 2001
+From: Sai Praneeth
+Date: Wed, 1 Aug 2018 11:42:25 -0700
+Subject: x86/speculation: Support Enhanced IBRS on future CPUs
+
+From: Sai Praneeth
+
+commit 706d51681d636a0c4a5ef53395ec3b803e45ed4d upstream.
+
+Future Intel processors will support "Enhanced IBRS" which is an "always
+on" mode i.e. IBRS bit in SPEC_CTRL MSR is enabled once and never
+disabled.
+
+From the specification [1]:
+
+ "With enhanced IBRS, the predicted targets of indirect branches
+ executed cannot be controlled by software that was executed in a less
+ privileged predictor mode or on another logical processor. As a
+ result, software operating on a processor with enhanced IBRS need not
+ use WRMSR to set IA32_SPEC_CTRL.IBRS after every transition to a more
+ privileged predictor mode. Software can isolate predictor modes
+ effectively simply by setting the bit once. Software need not disable
+ enhanced IBRS prior to entering a sleep state such as MWAIT or HLT."
+
+If Enhanced IBRS is supported by the processor then use it as the
+preferred spectre v2 mitigation mechanism instead of Retpoline. Intel's
+Retpoline white paper [2] states:
+
+ "Retpoline is known to be an effective branch target injection (Spectre
+ variant 2) mitigation on Intel processors belonging to family 6
+ (enumerated by the CPUID instruction) that do not have support for
+ enhanced IBRS. On processors that support enhanced IBRS, it should be
+ used for mitigation instead of retpoline."
+
+The reason why Enhanced IBRS is the recommended mitigation on processors
+which support it is that these processors also support CET which
+provides a defense against ROP attacks. Retpoline is very similar to ROP
+techniques and might trigger false positives in the CET defense.
+
+If Enhanced IBRS is selected as the mitigation technique for spectre v2,
+the IBRS bit in SPEC_CTRL MSR is set once at boot time and never
+cleared. Kernel also has to make sure that IBRS bit remains set after
+VMEXIT because the guest might have cleared the bit. This is already
+covered by the existing x86_spec_ctrl_set_guest() and
+x86_spec_ctrl_restore_host() speculation control functions.
+
+Enhanced IBRS still requires IBPB for full mitigation.
+
+[1] Speculative-Execution-Side-Channel-Mitigations.pdf
+[2] Retpoline-A-Branch-Target-Injection-Mitigation.pdf
+Both documents are available at:
+https://bugzilla.kernel.org/show_bug.cgi?id=199511
+
+Originally-by: David Woodhouse
+Signed-off-by: Sai Praneeth Prakhya
+Signed-off-by: Thomas Gleixner
+Cc: Tim C Chen
+Cc: Dave Hansen
+Cc: Ravi Shankar
+Link: https://lkml.kernel.org/r/1533148945-24095-1-git-send-email-sai.praneeth.prakhya@intel.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/cpufeatures.h | 1 +
+ arch/x86/include/asm/nospec-branch.h | 1 +
+ arch/x86/kernel/cpu/bugs.c | 20 ++++++++++++++++++--
+ arch/x86/kernel/cpu/common.c | 3 +++
+ 4 files changed, 23 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -213,6 +213,7 @@
+ #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
+ #define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
+ #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
++#define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
+
+ /* Virtualization flags: Linux defined, word 8 */
+ #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -215,6 +215,7 @@ enum spectre_v2_mitigation {
+ SPECTRE_V2_RETPOLINE_GENERIC,
+ SPECTRE_V2_RETPOLINE_AMD,
+ SPECTRE_V2_IBRS,
++ SPECTRE_V2_IBRS_ENHANCED,
+ };
+
+ /* The Speculative Store Bypass disable variants */
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -137,6 +137,7 @@ static const char *spectre_v2_strings[]
+ [SPECTRE_V2_RETPOLINE_MINIMAL_AMD] = "Vulnerable: Minimal AMD ASM retpoline",
+ [SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline",
+ [SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline",
++ [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS",
+ };
+
+ #undef pr_fmt
+@@ -378,6 +379,13 @@ static void __init spectre_v2_select_mit
+
+ case SPECTRE_V2_CMD_FORCE:
+ case SPECTRE_V2_CMD_AUTO:
++ if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
++ mode = SPECTRE_V2_IBRS_ENHANCED;
++ /* Force it so VMEXIT will restore correctly */
++ x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
++ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
++ goto specv2_set_mode;
++ }
+ if (IS_ENABLED(CONFIG_RETPOLINE))
+ goto retpoline_auto;
+ break;
+@@ -415,6 +423,7 @@ retpoline_auto:
+ setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
+ }
+
++specv2_set_mode:
+ spectre_v2_enabled = mode;
+ pr_info("%s\n", spectre_v2_strings[mode]);
+
+@@ -437,9 +446,16 @@ retpoline_auto:
+
+ /*
+ * Retpoline means the kernel is safe because it has no indirect
+- * branches. But firmware isn't, so use IBRS to protect that.
++ * branches. Enhanced IBRS protects firmware too, so, enable restricted
++ * speculation around firmware calls only when Enhanced IBRS isn't
++ * supported.
++ *
++ * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because
++ * the user might select retpoline on the kernel command line and if
++ * the CPU supports Enhanced IBRS, kernel might un-intentionally not
++ * enable IBRS around firmware calls.
+ */
+- if (boot_cpu_has(X86_FEATURE_IBRS)) {
++ if (boot_cpu_has(X86_FEATURE_IBRS) && mode != SPECTRE_V2_IBRS_ENHANCED) {
+ setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
+ pr_info("Enabling Restricted Speculation for firmware calls\n");
+ }
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -959,6 +959,9 @@ static void __init cpu_set_bug_bits(stru
+ setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
+ setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
+
++ if (ia32_cap & ARCH_CAP_IBRS_ALL)
++ setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED);
++
+ if (x86_match_cpu(cpu_no_meltdown))
+ return;
+
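Review bot: In the `SPECTRE_V2_CMD_AUTO` branch of spectre_v2_select_mitigation() (Enhanced IBRS patch), `wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);` runs whenever `X86_FEATURE_IBRS_ENHANCED` is set, and cpu_set_bug_bits() forces that flag from `ia32_cap & ARCH_CAP_IBRS_ALL` alone. wrmsrl() is the unchecked write, so if a platform (a hypervisor, for instance) reported the capability bit without exposing the MSR, this would fault during early boot; whether that combination can occur is not visible from the patch. If `X86_FEATURE_IBRS` is the flag that tracks the MSR's presence, testing it too, `if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED) && boot_cpu_has(X86_FEATURE_IBRS)) {`, would close the gap. The write also happens only on the CPU running this `__init` code, so a comment saying where the other CPUs pick up the IBRS bit from `x86_spec_ctrl_base` would help. Both functions continue outside their hunks.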