From 29b1d10dc3bdc8d04b306d294b9b393b30c40ece Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 17 Jan 2017 14:05:06 +0100
Subject: [PATCH] 4.9-stable patches
added patches:
bridge-netfilter-fix-dropping-packets-that-moving-through-bridge-interface.patch
usb-musb-fix-runtime-pm-in-debugfs.patch
usb-serial-ch341-fix-control-message-error-handling.patch
usb-serial-ch341-fix-initial-modem-control-state.patch
usb-serial-ch341-fix-open-and-resume-after-b0.patch
usb-serial-ch341-fix-open-error-handling.patch
usb-serial-ch341-fix-resume-after-reset.patch
usb-serial-kl5kusb105-fix-line-state-error-handling.patch
wusbcore-fix-one-more-crypto-on-the-stack-bug.patch
x86-bugs-separate-amd-e400-erratum-and-c1e-bug.patch
x86-cpu-amd-clean-up-cpu_llc_id-assignment-per-topology-feature.patch
x86-cpu-amd-fix-bulldozer-topology.patch
---
...that-moving-through-bridge-interface.patch | 39 ++++++
queue-4.9/series | 12 ++
.../usb-musb-fix-runtime-pm-in-debugfs.patch | 106 ++++++++++++++++
...1-fix-control-message-error-handling.patch | 98 +++++++++++++++
...h341-fix-initial-modem-control-state.patch | 31 +++++
...l-ch341-fix-open-and-resume-after-b0.patch | 38 ++++++
...serial-ch341-fix-open-error-handling.patch | 53 ++++++++
...-serial-ch341-fix-resume-after-reset.patch | 52 ++++++++
...usb105-fix-line-state-error-handling.patch | 41 ++++++
...fix-one-more-crypto-on-the-stack-bug.patch | 40 ++++++
...eparate-amd-e400-erratum-and-c1e-bug.patch | 116 +++++++++++++++++
...c_id-assignment-per-topology-feature.patch | 117 ++++++++++++++++++
.../x86-cpu-amd-fix-bulldozer-topology.patch | 61 +++++++++
13 files changed, 804 insertions(+)
create mode 100644 queue-4.9/bridge-netfilter-fix-dropping-packets-that-moving-through-bridge-interface.patch
create mode 100644 queue-4.9/usb-musb-fix-runtime-pm-in-debugfs.patch
create mode 100644 queue-4.9/usb-serial-ch341-fix-control-message-error-handling.patch
create mode 100644 queue-4.9/usb-serial-ch341-fix-initial-modem-control-state.patch
create mode 100644 queue-4.9/usb-serial-ch341-fix-open-and-resume-after-b0.patch
create mode 100644 queue-4.9/usb-serial-ch341-fix-open-error-handling.patch
create mode 100644 queue-4.9/usb-serial-ch341-fix-resume-after-reset.patch
create mode 100644 queue-4.9/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
create mode 100644 queue-4.9/wusbcore-fix-one-more-crypto-on-the-stack-bug.patch
create mode 100644 queue-4.9/x86-bugs-separate-amd-e400-erratum-and-c1e-bug.patch
create mode 100644 queue-4.9/x86-cpu-amd-clean-up-cpu_llc_id-assignment-per-topology-feature.patch
create mode 100644 queue-4.9/x86-cpu-amd-fix-bulldozer-topology.patch
diff --git a/queue-4.9/bridge-netfilter-fix-dropping-packets-that-moving-through-bridge-interface.patch b/queue-4.9/bridge-netfilter-fix-dropping-packets-that-moving-through-bridge-interface.patch
new file mode 100644
index 00000000000..ffa439d5c70
--- /dev/null
+++ b/queue-4.9/bridge-netfilter-fix-dropping-packets-that-moving-through-bridge-interface.patch
@@ -0,0 +1,39 @@
+From 14221cc45caad2fcab3a8543234bb7eda9b540d5 Mon Sep 17 00:00:00 2001
+From: Artur Molchanov
+Date: Fri, 30 Dec 2016 19:46:36 +0300
+Subject: bridge: netfilter: Fix dropping packets that moving through bridge interface
+
+From: Artur Molchanov
+
+commit 14221cc45caad2fcab3a8543234bb7eda9b540d5 upstream.
+
+Problem:
+br_nf_pre_routing_finish() calls itself instead of
+br_nf_pre_routing_finish_bridge(). Due to this bug reverse path filter drops
+packets that go through bridge interface.
+
+User impact:
+Local docker containers with bridge network can not communicate with each
+other.
+
+Fixes: c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh")
+Signed-off-by: Artur Molchanov
+Acked-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bridge/br_netfilter_hooks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -399,7 +399,7 @@ bridged_dnat:
+ br_nf_hook_thresh(NF_BR_PRE_ROUTING,
+ net, sk, skb, skb->dev,
+ NULL,
+- br_nf_pre_routing_finish);
++ br_nf_pre_routing_finish_bridge);
+ return 0;
+ }
+ ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr);
diff --git a/queue-4.9/series b/queue-4.9/series
index c9545d18d18..64b1d60282f 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -35,3 +35,15 @@ x86-efi-don-t-allocate-memmap-through-memblock-after-mm_init.patch
 nl80211-fix-sched-scan-netlink-socket-owner-destruction.patch
 gpio-move-freeing-of-gpio-hogs-before-numbing-of-the-device.patch
 xfs-timely-free-truncated-dirty-pages.patch
+bridge-netfilter-fix-dropping-packets-that-moving-through-bridge-interface.patch
+x86-cpu-amd-clean-up-cpu_llc_id-assignment-per-topology-feature.patch
+x86-bugs-separate-amd-e400-erratum-and-c1e-bug.patch
+x86-cpu-amd-fix-bulldozer-topology.patch
+wusbcore-fix-one-more-crypto-on-the-stack-bug.patch
+usb-musb-fix-runtime-pm-in-debugfs.patch
+usb-serial-kl5kusb105-fix-line-state-error-handling.patch
+usb-serial-ch341-fix-initial-modem-control-state.patch
+usb-serial-ch341-fix-resume-after-reset.patch
+usb-serial-ch341-fix-open-error-handling.patch
+usb-serial-ch341-fix-control-message-error-handling.patch
+usb-serial-ch341-fix-open-and-resume-after-b0.patch
diff --git a/queue-4.9/usb-musb-fix-runtime-pm-in-debugfs.patch b/queue-4.9/usb-musb-fix-runtime-pm-in-debugfs.patch
new file mode 100644
index 00000000000..560c05ad2fd
--- /dev/null
+++ b/queue-4.9/usb-musb-fix-runtime-pm-in-debugfs.patch
@@ -0,0 +1,106 @@
+From 7b6c1b4c0e1e44544aa18161dba6a741c080a7ef Mon Sep 17 00:00:00 2001
+From: Bin Liu
+Date: Tue, 10 Jan 2017 10:46:00 -0600
+Subject: usb: musb: fix runtime PM in debugfs
+
+From: Bin Liu
+
+commit 7b6c1b4c0e1e44544aa18161dba6a741c080a7ef upstream.
+
+MUSB driver now has runtime PM support, but the debugfs driver misses
+the PM _get/_put() calls, which could cause MUSB register access
+failure.
+
+Acked-by: Tony Lindgren
+Signed-off-by: Bin Liu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/musb/musb_debugfs.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/musb/musb_debugfs.c
++++ b/drivers/usb/musb/musb_debugfs.c
+@@ -114,6 +114,7 @@ static int musb_regdump_show(struct seq_
+ unsigned i;
+
+ seq_printf(s, "MUSB (M)HDRC Register Dump\n");
++ pm_runtime_get_sync(musb->controller);
+
+ for (i = 0; i < ARRAY_SIZE(musb_regmap); i++) {
+ switch (musb_regmap[i].size) {
+@@ -132,6 +133,8 @@ static int musb_regdump_show(struct seq_
+ }
+ }
+
++ pm_runtime_mark_last_busy(musb->controller);
++ pm_runtime_put_autosuspend(musb->controller);
+ return 0;
+ }
+
+@@ -145,7 +148,10 @@ static int musb_test_mode_show(struct se
+ struct musb *musb = s->private;
+ unsigned test;
+
++ pm_runtime_get_sync(musb->controller);
+ test = musb_readb(musb->mregs, MUSB_TESTMODE);
++ pm_runtime_mark_last_busy(musb->controller);
++ pm_runtime_put_autosuspend(musb->controller);
+
+ if (test & MUSB_TEST_FORCE_HOST)
+ seq_printf(s, "force host\n");
+@@ -194,11 +200,12 @@ static ssize_t musb_test_mode_write(stru
+ u8 test;
+ char buf[18];
+
++ pm_runtime_get_sync(musb->controller);
+ test = musb_readb(musb->mregs, MUSB_TESTMODE);
+ if (test) {
+ dev_err(musb->controller, "Error: test mode is already set. "
+ "Please do USB Bus Reset to start a new test.\n");
+- return count;
++ goto ret;
+ }
+
+ memset(buf, 0x00, sizeof(buf));
+@@ -234,6 +241,9 @@ static ssize_t musb_test_mode_write(stru
+
+ musb_writeb(musb->mregs, MUSB_TESTMODE, test);
+
++ret:
++ pm_runtime_mark_last_busy(musb->controller);
++ pm_runtime_put_autosuspend(musb->controller);
+ return count;
+ }
+
+@@ -254,8 +264,13 @@ static int musb_softconnect_show(struct
+ switch (musb->xceiv->otg->state) {
+ case OTG_STATE_A_HOST:
+ case OTG_STATE_A_WAIT_BCON:
++ pm_runtime_get_sync(musb->controller);
++
+ reg = musb_readb(musb->mregs, MUSB_DEVCTL);
+ connect = reg & MUSB_DEVCTL_SESSION ? 1 : 0;
++
++ pm_runtime_mark_last_busy(musb->controller);
++ pm_runtime_put_autosuspend(musb->controller);
+ break;
+ default:
+ connect = -1;
+@@ -284,6 +299,7 @@ static ssize_t musb_softconnect_write(st
+ if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
+ return -EFAULT;
+
++ pm_runtime_get_sync(musb->controller);
+ if (!strncmp(buf, "0", 1)) {
+ switch (musb->xceiv->otg->state) {
+ case OTG_STATE_A_HOST:
+@@ -314,6 +330,8 @@ static ssize_t musb_softconnect_write(st
+ }
+ }
+
++ pm_runtime_mark_last_busy(musb->controller);
++ pm_runtime_put_autosuspend(musb->controller);
+ return count;
+ }
+
diff --git a/queue-4.9/usb-serial-ch341-fix-control-message-error-handling.patch b/queue-4.9/usb-serial-ch341-fix-control-message-error-handling.patch
new file mode 100644
index 00000000000..c9a25aab763
--- /dev/null
+++ b/queue-4.9/usb-serial-ch341-fix-control-message-error-handling.patch
@@ -0,0 +1,98 @@
+From 2d5a9c72d0c4ac73cf97f4b7814ed6c44b1e49ae Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 6 Jan 2017 19:15:18 +0100
+Subject: USB: serial: ch341: fix control-message error handling
+
+From: Johan Hovold
+
+commit 2d5a9c72d0c4ac73cf97f4b7814ed6c44b1e49ae upstream.
+
+A short control transfer would currently fail to be detected, something
+which could lead to stale buffer data being used as valid input.
+
+Check for short transfers, and make sure to log any transfer errors.
+
+Note that this also avoids leaking heap data to user space (TIOCMGET)
+and the remote device (break control).
+
+Fixes: 6ce76104781a ("USB: Driver for CH341 USB-serial adaptor")
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ch341.c | 32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/serial/ch341.c
++++ b/drivers/usb/serial/ch341.c
+@@ -99,6 +99,8 @@ static int ch341_control_out(struct usb_
+ r = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), request,
+ USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+ value, index, NULL, 0, DEFAULT_TIMEOUT);
++ if (r < 0)
++ dev_err(&dev->dev, "failed to send control message: %d\n", r);
+
+ return r;
+ }
+@@ -116,7 +118,20 @@ static int ch341_control_in(struct usb_d
+ r = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), request,
+ USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
+ value, index, buf, bufsize, DEFAULT_TIMEOUT);
+- return r;
++ if (r < bufsize) {
++ if (r >= 0) {
++ dev_err(&dev->dev,
++ "short control message received (%d < %u)\n",
++ r, bufsize);
++ r = -EIO;
++ }
++
++ dev_err(&dev->dev, "failed to receive control message: %d\n",
++ r);
++ return r;
++ }
++
++ return 0;
+ }
+
+ static int ch341_set_baudrate(struct usb_device *dev,
+@@ -158,9 +173,9 @@ static int ch341_set_handshake(struct us
+
+ static int ch341_get_status(struct usb_device *dev, struct ch341_private *priv)
+ {
++ const unsigned int size = 2;
+ char *buffer;
+ int r;
+- const unsigned size = 8;
+ unsigned long flags;
+
+ buffer = kmalloc(size, GFP_KERNEL);
+@@ -171,14 +186,9 @@ static int ch341_get_status(struct usb_d
+ if (r < 0)
+ goto out;
+
+- /* setup the private status if available */
+- if (r == 2) {
+- r = 0;
+- spin_lock_irqsave(&priv->lock, flags);
+- priv->line_status = (~(*buffer)) & CH341_BITS_MODEM_STAT;
+- spin_unlock_irqrestore(&priv->lock, flags);
+- } else
+- r = -EPROTO;
++ spin_lock_irqsave(&priv->lock, flags);
++ priv->line_status = (~(*buffer)) & CH341_BITS_MODEM_STAT;
++ spin_unlock_irqrestore(&priv->lock, flags);
+
+ out: kfree(buffer);
+ return r;
+@@ -188,9 +198,9 @@ out: kfree(buffer);
+
+ static int ch341_configure(struct usb_device *dev, struct ch341_private *priv)
+ {
++ const unsigned int size = 2;
+ char *buffer;
+ int r;
+- const unsigned size = 8;
+
+ buffer = kmalloc(size, GFP_KERNEL);
+ if (!buffer)
diff --git a/queue-4.9/usb-serial-ch341-fix-initial-modem-control-state.patch b/queue-4.9/usb-serial-ch341-fix-initial-modem-control-state.patch
new file mode 100644
index 00000000000..923deae7a55
--- /dev/null
+++ b/queue-4.9/usb-serial-ch341-fix-initial-modem-control-state.patch
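Review bot: In ch341_control_in() the new test `if (r < bufsize)` looks like a signed/unsigned comparison: `r` is printed with `%d` and returned as the function's int result, while `bufsize` is printed with `%u` (its declaration is outside the hunk, so this is inferred). If that is right, a negative error from usb_control_msg() is converted to a large unsigned value, the branch is skipped and the function returns 0. Callers such as ch341_get_status() would then read the kmalloc'ed buffer that was never filled, which is the stale-heap-data condition the commit message sets out to remove. Doing the comparison in the signed domain avoids it: `if (r < (int)bufsize) {`.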
@@ -0,0 +1,31 @@
+From 4e2da44691cffbfffb1535f478d19bc2dca3e62b Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 6 Jan 2017 19:15:10 +0100
+Subject: USB: serial: ch341: fix initial modem-control state
+
+From: Johan Hovold
+
+commit 4e2da44691cffbfffb1535f478d19bc2dca3e62b upstream.
+
+DTR and RTS will be asserted by the tty-layer when the port is opened
+and deasserted on close (if HUPCL is set). Make sure the initial state
+is not-asserted before the port is first opened as well.
+
+Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ch341.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/serial/ch341.c
++++ b/drivers/usb/serial/ch341.c
+@@ -253,7 +253,6 @@ static int ch341_port_probe(struct usb_s
+
+ spin_lock_init(&priv->lock);
+ priv->baud_rate = DEFAULT_BAUD_RATE;
+- priv->line_control = CH341_BIT_RTS | CH341_BIT_DTR;
+
+ r = ch341_configure(port->serial->dev, priv);
+ if (r < 0)
diff --git a/queue-4.9/usb-serial-ch341-fix-open-and-resume-after-b0.patch b/queue-4.9/usb-serial-ch341-fix-open-and-resume-after-b0.patch
new file mode 100644
index 00000000000..1b0d0fea722
--- /dev/null
+++ b/queue-4.9/usb-serial-ch341-fix-open-and-resume-after-b0.patch
@@ -0,0 +1,38 @@
+From a20047f36e2f6a1eea4f1fd261aaa55882369868 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 6 Jan 2017 19:15:11 +0100
+Subject: USB: serial: ch341: fix open and resume after B0
+
+From: Johan Hovold
+
+commit a20047f36e2f6a1eea4f1fd261aaa55882369868 upstream.
+
+The private baud_rate variable is used to configure the port at open and
+reset-resume and must never be set to (and left at) zero or reset-resume
+and all further open attempts will fail.
+
+Fixes: aa91def41a7b ("USB: ch341: set tty baud speed according to tty struct")
+Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ch341.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/ch341.c
++++ b/drivers/usb/serial/ch341.c
+@@ -361,12 +361,11 @@ static void ch341_set_termios(struct tty
+
+ baud_rate = tty_get_baud_rate(tty);
+
+- priv->baud_rate = baud_rate;
+-
+ if (baud_rate) {
+ spin_lock_irqsave(&priv->lock, flags);
+ priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS);
+ spin_unlock_irqrestore(&priv->lock, flags);
++ priv->baud_rate = baud_rate;
+ ch341_set_baudrate(port->serial->dev, priv);
+ } else {
+ spin_lock_irqsave(&priv->lock, flags);
diff --git a/queue-4.9/usb-serial-ch341-fix-open-error-handling.patch b/queue-4.9/usb-serial-ch341-fix-open-error-handling.patch
new file mode 100644
index 00000000000..1c75ed522e4
--- /dev/null
+++ b/queue-4.9/usb-serial-ch341-fix-open-error-handling.patch
@@ -0,0 +1,53 @@
+From f2950b78547ffb8475297ada6b92bc2d774d5461 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 6 Jan 2017 19:15:13 +0100
+Subject: USB: serial: ch341: fix open error handling
+
+From: Johan Hovold
+
+commit f2950b78547ffb8475297ada6b92bc2d774d5461 upstream.
+
+Make sure to stop the interrupt URB before returning on errors during
+open.
+
+Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ch341.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/serial/ch341.c
++++ b/drivers/usb/serial/ch341.c
+@@ -314,7 +314,7 @@ static int ch341_open(struct tty_struct
+
+ r = ch341_configure(serial->dev, priv);
+ if (r)
+- goto out;
++ return r;
+
+ if (tty)
+ ch341_set_termios(tty, port, NULL);
+@@ -324,12 +324,19 @@ static int ch341_open(struct tty_struct
+ if (r) {
+ dev_err(&port->dev, "%s - failed to submit interrupt urb: %d\n",
+ __func__, r);
+- goto out;
++ return r;
+ }
+
+ r = usb_serial_generic_open(tty, port);
++ if (r)
++ goto err_kill_interrupt_urb;
++
++ return 0;
++
++err_kill_interrupt_urb:
++ usb_kill_urb(port->interrupt_in_urb);
+
+-out: return r;
++ return r;
+ }
+
+ /* Old_termios contains the original termios settings and
diff --git a/queue-4.9/usb-serial-ch341-fix-resume-after-reset.patch b/queue-4.9/usb-serial-ch341-fix-resume-after-reset.patch
new file mode 100644
index 00000000000..b68542a4eab
--- /dev/null
+++ b/queue-4.9/usb-serial-ch341-fix-resume-after-reset.patch
@@ -0,0 +1,52 @@
+From ce5e292828117d1b71cbd3edf9e9137cf31acd30 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 6 Jan 2017 19:15:14 +0100
+Subject: USB: serial: ch341: fix resume after reset
+
+From: Johan Hovold
+
+commit ce5e292828117d1b71cbd3edf9e9137cf31acd30 upstream.
+
+Fix reset-resume handling which failed to resubmit the read and
+interrupt URBs, thereby leaving a port that was open before suspend in a
+broken state until closed and reopened.
+
+Fixes: 1ded7ea47b88 ("USB: ch341 serial: fix port number changed after resume")
+Fixes: 2bfd1c96a9fb ("USB: serial: ch341: remove reset_resume callback")
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ch341.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/ch341.c
++++ b/drivers/usb/serial/ch341.c
+@@ -538,14 +538,23 @@ static int ch341_tiocmget(struct tty_str
+
+ static int ch341_reset_resume(struct usb_serial *serial)
+ {
+- struct ch341_private *priv;
+-
+- priv = usb_get_serial_port_data(serial->port[0]);
++ struct usb_serial_port *port = serial->port[0];
++ struct ch341_private *priv = usb_get_serial_port_data(port);
++ int ret;
+
+ /* reconfigure ch341 serial port after bus-reset */
+ ch341_configure(serial->dev, priv);
+
+- return 0;
++ if (tty_port_initialized(&port->port)) {
++ ret = usb_submit_urb(port->interrupt_in_urb, GFP_NOIO);
++ if (ret) {
++ dev_err(&port->dev, "failed to submit interrupt urb: %d\n",
++ ret);
++ return ret;
++ }
++ }
++
++ return usb_serial_generic_resume(serial);
+ }
+
+ static struct usb_serial_driver ch341_device = {
diff --git a/queue-4.9/usb-serial-kl5kusb105-fix-line-state-error-handling.patch b/queue-4.9/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
new file mode 100644
index 00000000000..b0969ef91b2
--- /dev/null
+++ b/queue-4.9/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
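Review bot: ch341_reset_resume() still discards the result of `ch341_configure(serial->dev, priv)`, so after a failed reconfigure the new code goes on to resubmit the interrupt URB and call usb_serial_generic_resume() on a device whose settings were not restored. The function now propagates its other errors, so it would be consistent to do the same here: `ret = ch341_configure(serial->dev, priv);` followed by `if (ret < 0) return ret;`. Separately, when usb_serial_generic_resume() fails, the interrupt URB submitted just above is left in flight; the open-error-handling patch in this same queue adds `usb_kill_urb(port->interrupt_in_urb)` for the equivalent case in ch341_open().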
@@ -0,0 +1,41 @@
+From 146cc8a17a3b4996f6805ee5c080e7101277c410 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 10 Jan 2017 12:05:37 +0100
+Subject: USB: serial: kl5kusb105: fix line-state error handling
+
+From: Johan Hovold
+
+commit 146cc8a17a3b4996f6805ee5c080e7101277c410 upstream.
+
+The current implementation failed to detect short transfers when
+attempting to read the line state, and also, to make things worse,
+logged the content of the uninitialised heap transfer buffer.
+
+Fixes: abf492e7b3ae ("USB: kl5kusb105: fix DMA buffers on stack")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/kl5kusb105.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/kl5kusb105.c
++++ b/drivers/usb/serial/kl5kusb105.c
+@@ -192,10 +192,11 @@ static int klsi_105_get_line_state(struc
+ status_buf, KLSI_STATUSBUF_LEN,
+ 10000
+ );
+- if (rc < 0)
+- dev_err(&port->dev, "Reading line status failed (error = %d)\n",
+- rc);
+- else {
++ if (rc != KLSI_STATUSBUF_LEN) {
++ dev_err(&port->dev, "reading line status failed: %d\n", rc);
++ if (rc >= 0)
++ rc = -EIO;
++ } else {
+ status = get_unaligned_le16(status_buf);
+
+ dev_info(&port->serial->dev->dev, "read status %x %x\n",
diff --git a/queue-4.9/wusbcore-fix-one-more-crypto-on-the-stack-bug.patch b/queue-4.9/wusbcore-fix-one-more-crypto-on-the-stack-bug.patch
new file mode 100644
index 00000000000..e79336c8d64
--- /dev/null
+++ b/queue-4.9/wusbcore-fix-one-more-crypto-on-the-stack-bug.patch
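Review bot: The new `dev_err(&port->dev, "reading line status failed: %d\n", rc);` in klsi_105_get_line_state() runs before `rc` is mapped to -EIO, so on a short transfer it prints a non-negative byte count in the position where a log reader expects an errno. Someone triaging a misbehaving or hostile device cannot tell "returned 1 byte" from an error code. I would word the short-read case separately, in the style the ch341 patch in this queue uses (`"short control message received (%d < %u)\n"`), and keep the plain message for negative values. The function continues past the end of the hunk.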
@@ -0,0 +1,40 @@
+From 620f1a632ebcc9811c2f8009ba52297c7006f805 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Tue, 13 Dec 2016 18:50:13 -0800
+Subject: wusbcore: Fix one more crypto-on-the-stack bug
+
+From: Andy Lutomirski
+
+commit 620f1a632ebcc9811c2f8009ba52297c7006f805 upstream.
+
+The driver put a constant buffer of all zeros on the stack and
+pointed a scatterlist entry at it. This doesn't work with virtual
+stacks. Use ZERO_PAGE instead.
+
+Reported-by: Eric Biggers
+Signed-off-by: Andy Lutomirski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/wusbcore/crypto.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/usb/wusbcore/crypto.c
++++ b/drivers/usb/wusbcore/crypto.c
+@@ -216,7 +216,6 @@ static int wusb_ccm_mac(struct crypto_sk
+ struct scatterlist sg[4], sg_dst;
+ void *dst_buf;
+ size_t dst_size;
+- const u8 bzero[16] = { 0 };
+ u8 iv[crypto_skcipher_ivsize(tfm_cbc)];
+ size_t zero_padding;
+
+@@ -261,7 +260,7 @@ static int wusb_ccm_mac(struct crypto_sk
+ sg_set_buf(&sg[1], &scratch->b1, sizeof(scratch->b1));
+ sg_set_buf(&sg[2], b, blen);
+ /* 0 if well behaved :) */
+- sg_set_buf(&sg[3], bzero, zero_padding);
++ sg_set_page(&sg[3], ZERO_PAGE(0), zero_padding, 0);
+ sg_init_one(&sg_dst, dst_buf, dst_size);
+
+ skcipher_request_set_tfm(req, tfm_cbc);
diff --git a/queue-4.9/x86-bugs-separate-amd-e400-erratum-and-c1e-bug.patch b/queue-4.9/x86-bugs-separate-amd-e400-erratum-and-c1e-bug.patch
new file mode 100644
index 00000000000..af43a56e6c9
--- /dev/null
+++ b/queue-4.9/x86-bugs-separate-amd-e400-erratum-and-c1e-bug.patch
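Review bot: `sg_set_page(&sg[3], ZERO_PAGE(0), zero_padding, 0)` in wusb_ccm_mac() is only valid while zero_padding does not exceed one page, a bound the removed `bzero[16]` used to make visible at the declaration. The code that computes zero_padding is outside both hunks, so the bound cannot be confirmed from here. I would replace the `/* 0 if well behaved :) */` comment with one that states the limit, for example `/* zero_padding is less than one CCM block, so a single ZERO_PAGE covers it */`, after checking it against the code that sets the variable.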
@@ -0,0 +1,116 @@
+From 3344ed30791af66dbbad5f375008f3d1863b6c99 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Fri, 9 Dec 2016 19:29:09 +0100
+Subject: x86/bugs: Separate AMD E400 erratum and C1E bug
+
+From: Thomas Gleixner
+
+commit 3344ed30791af66dbbad5f375008f3d1863b6c99 upstream.
+
+The workaround for the AMD Erratum E400 (Local APIC timer stops in C1E
+state) is a two step process:
+
+ - Selection of the E400 aware idle routine
+
+ - Detection whether the platform is affected
+
+The idle routine selection happens for possibly affected CPUs depending on
+family/model/stepping information. These range of CPUs is not necessarily
+affected as the decision whether to enable the C1E feature is made by the
+firmware. Unfortunately there is no way to query this at early boot.
+
+The current implementation polls a MSR in the E400 aware idle routine to
+detect whether the CPU is affected. This is inefficient on non affected
+CPUs because every idle entry has to do the MSR read.
+
+There is a better way to detect this before going idle for the first time
+which requires to seperate the bug flags:
+
+ X86_BUG_AMD_E400 - Selects the E400 aware idle routine and
+ enables the detection
+
+ X86_BUG_AMD_APIC_C1E - Set when the platform is affected by E400
+
+Replace the current X86_BUG_AMD_APIC_C1E usage by the new X86_BUG_AMD_E400
+bug bit to select the idle routine which currently does an unconditional
+detection poll. X86_BUG_AMD_APIC_C1E is going to be used in later patches
+to remove the MSR polling and simplify the handling of this misfeature.
+
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Borislav Petkov
+Cc: Jiri Olsa
+Link: http://lkml.kernel.org/r/20161209182912.2726-3-bp@alien8.de
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/cpufeatures.h | 2 ++
+ arch/x86/kernel/cpu/amd.c | 20 +++++++++++++-------
+ arch/x86/kernel/process.c | 3 +--
+ 3 files changed, 16 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -311,4 +311,6 @@
+ #define X86_BUG_NULL_SEG X86_BUG(10) /* Nulling a selector preserves the base */
+ #define X86_BUG_SWAPGS_FENCE X86_BUG(11) /* SWAPGS without input dep on GS */
+ #define X86_BUG_MONITOR X86_BUG(12) /* IPI required to wake up remote CPU */
++#define X86_BUG_AMD_E400 X86_BUG(13) /* CPU is among the affected by Erratum 400 */
++
+ #endif /* _ASM_X86_CPUFEATURES_H */
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -20,6 +20,10 @@
+
+ #include "cpu.h"
+
++static const int amd_erratum_383[];
++static const int amd_erratum_400[];
++static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum);
++
+ /*
+ * nodes_per_socket: Stores the number of nodes per socket.
+ * Refer to Fam15h Models 00-0fh BKDG - CPUID Fn8000_001E_ECX
+@@ -592,11 +596,16 @@ static void early_init_amd(struct cpuinf
+ /* F16h erratum 793, CVE-2013-6885 */
+ if (c->x86 == 0x16 && c->x86_model <= 0xf)
+ msr_set_bit(MSR_AMD64_LS_CFG, 15);
+-}
+
+-static const int amd_erratum_383[];
+-static const int amd_erratum_400[];
+-static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum);
++ /*
++ * Check whether the machine is affected by erratum 400. This is
++ * used to select the proper idle routine and to enable the check
++ * whether the machine is affected in arch_post_acpi_init(), which
++ * sets the X86_BUG_AMD_APIC_C1E bug depending on the MSR check.
++ */
++ if (cpu_has_amd_erratum(c, amd_erratum_400))
++ set_cpu_bug(c, X86_BUG_AMD_E400);
++}
+
+ static void init_amd_k8(struct cpuinfo_x86 *c)
+ {
+@@ -777,9 +786,6 @@ static void init_amd(struct cpuinfo_x86
+ if (c->x86 > 0x11)
+ set_cpu_cap(c, X86_FEATURE_ARAT);
+
+- if (cpu_has_amd_erratum(c, amd_erratum_400))
+- set_cpu_bug(c, X86_BUG_AMD_APIC_C1E);
+-
+ rdmsr_safe(MSR_AMD64_PATCH_LEVEL, &c->microcode, &dummy);
+
+ /* 3DNow or LM implies PREFETCHW */
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -448,8 +448,7 @@ void select_idle_routine(const struct cp
+ if (x86_idle || boot_option_idle_override == IDLE_POLL)
+ return;
+
+- if (cpu_has_bug(c, X86_BUG_AMD_APIC_C1E)) {
+- /* E400: APIC timer interrupt does not wake up CPU from C1e */
++ if (boot_cpu_has_bug(X86_BUG_AMD_E400)) {
+ pr_info("using AMD E400 aware idle routine\n");
+ x86_idle = amd_e400_idle;
+ } else if (prefer_mwait_c1_over_halt(c)) {
diff --git a/queue-4.9/x86-cpu-amd-clean-up-cpu_llc_id-assignment-per-topology-feature.patch b/queue-4.9/x86-cpu-amd-clean-up-cpu_llc_id-assignment-per-topology-feature.patch
new file mode 100644
index 00000000000..ed327baa9de
--- /dev/null
+++ b/queue-4.9/x86-cpu-amd-clean-up-cpu_llc_id-assignment-per-topology-feature.patch
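Review bot: The comment added to early_init_amd() says arch_post_acpi_init() sets X86_BUG_AMD_APIC_C1E after an MSR check, but nothing in this diff adds that function, and the only code that set the bit (the two lines removed from init_amd()) is gone. The commit message defers that work to "later patches", and the series hunk on this page does not list them, so unless they are queued separately the 4.9 tree would carry a comment describing code that is not there and a bug bit that is never set. I would trim the comment to what this patch does, for example `/* Erratum 400 candidates use the E400 aware idle routine, see select_idle_routine() */`. Any remaining reader of X86_BUG_AMD_APIC_C1E outside this diff should be checked too.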
@@ -0,0 +1,117 @@
+From b6a50cddbcbda7105355898ead18f1a647c22520 Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam
+Date: Tue, 8 Nov 2016 16:30:54 +0100
+Subject: x86/cpu/AMD: Clean up cpu_llc_id assignment per topology feature
+
+From: Yazen Ghannam
+
+commit b6a50cddbcbda7105355898ead18f1a647c22520 upstream.
+
+These changes do not affect current hw - just a cleanup:
+
+Currently, we assume that a system has a single Last Level Cache (LLC)
+per node, and that the cpu_llc_id is thus equal to the node_id. This no
+longer applies since Fam17h can have multiple last level caches within a
+node.
+
+So group the cpu_llc_id assignment by topology feature and family in
+order to make the computation of cpu_llc_id on the different families
+more clear.
+
+Here is how the LLC ID is being computed on the different families:
+
+The NODEID_MSR feature only applies to Fam10h in which case the LLC is
+at the node level.
+
+The TOPOEXT feature is used on families 15h, 16h and 17h. So far we only
+see multiple last level caches if L3 caches are available. Otherwise,
+the cpu_llc_id will default to be the phys_proc_id.
+
+We have L3 caches only on families 15h and 17h:
+
+ - on Fam15h, the LLC is at the node level.
+
+ - on Fam17h, the LLC is at the core complex level and can be found by
+ right shifting the APIC ID. Also, keep the family checks explicit so that
+ new families will fall back to the default, which will be node_id for
+ TOPOEXT systems.
+
+Single node systems in families 10h and 15h will have a Node ID of 0
+which will be the same as the phys_proc_id, so we don't need to check
+for multiple nodes before using the node_id.
+
+Tested-by: Borislav Petkov
+Signed-off-by: Yazen Ghannam
+[ Rewrote the commit message. ]
+Signed-off-by: Borislav Petkov
+Acked-by: Thomas Gleixner
+Cc: Aravind Gopalakrishnan
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Link: http://lkml.kernel.org/r/20161108153054.bs3sajbyevq6a6uu@pd.tnic
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/amd.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -314,11 +314,30 @@ static void amd_get_topology(struct cpui
+ smp_num_siblings = ((ebx >> 8) & 3) + 1;
+ c->x86_max_cores /= smp_num_siblings;
+ c->cpu_core_id = ebx & 0xff;
++
++ /*
++ * We may have multiple LLCs if L3 caches exist, so check if we
++ * have an L3 cache by looking at the L3 cache CPUID leaf.
++ */
++ if (cpuid_edx(0x80000006)) {
++ if (c->x86 == 0x17) {
++ /*
++ * LLC is at the core complex level.
++ * Core complex id is ApicId[3].
++ */
++ per_cpu(cpu_llc_id, cpu) = c->apicid >> 3;
++ } else {
++ /* LLC is at the node level. */
++ per_cpu(cpu_llc_id, cpu) = node_id;
++ }
++ }
+ } else if (cpu_has(c, X86_FEATURE_NODEID_MSR)) {
+ u64 value;
+
+ rdmsrl(MSR_FAM10H_NODE_ID, value);
+ node_id = value & 7;
++
++ per_cpu(cpu_llc_id, cpu) = node_id;
+ } else
+ return;
+
+@@ -329,9 +348,6 @@ static void amd_get_topology(struct cpui
+ set_cpu_cap(c, X86_FEATURE_AMD_DCM);
+ cus_per_node = c->x86_max_cores / nodes_per_socket;
+
+- /* store NodeID, use llc_shared_map to store sibling info */
+- per_cpu(cpu_llc_id, cpu) = node_id;
+-
+ /* core id has to be in the [0 .. cores_per_node - 1] range */
+ c->cpu_core_id %= cus_per_node;
+ }
+@@ -356,15 +372,6 @@ static void amd_detect_cmp(struct cpuinf
+ /* use socket ID also for last level cache */
+ per_cpu(cpu_llc_id, cpu) = c->phys_proc_id;
+ amd_get_topology(c);
+-
+- /*
+- * Fix percpu cpu_llc_id here as LLC topology is different
+- * for Fam17h systems.
+- */
+- if (c->x86 != 0x17 || !cpuid_edx(0x80000006))
+- return;
+-
+- per_cpu(cpu_llc_id, cpu) = c->apicid >> 3;
+ #endif
+ }
+
diff --git a/queue-4.9/x86-cpu-amd-fix-bulldozer-topology.patch b/queue-4.9/x86-cpu-amd-fix-bulldozer-topology.patch
new file mode 100644
index 00000000000..d62eb16815a
--- /dev/null
+++ b/queue-4.9/x86-cpu-amd-fix-bulldozer-topology.patch
@@ -0,0 +1,61 @@
+From a33d331761bc5dd330499ca5ceceb67f0640a8e6 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov
+Date: Thu, 5 Jan 2017 10:26:38 +0100
+Subject: x86/CPU/AMD: Fix Bulldozer topology
+
+From: Borislav Petkov
+
+commit a33d331761bc5dd330499ca5ceceb67f0640a8e6 upstream.
+
+The following commit:
+
+ 8196dab4fc15 ("x86/cpu: Get rid of compute_unit_id")
+
+... broke the initial strategy for Bulldozer-based cores' topology,
+where we consider each thread of a compute unit a standalone core
+and not a HT or SMT thread.
+
+Revert to the firmware-supplied core_id numbering and do not make
+them thread siblings as we don't consider them for such even if they
+technically are, more or less.
+
+Reported-and-tested-by: Brice Goglin
+Tested-by: Yazen Ghannam
+Signed-off-by: Borislav Petkov
+Cc: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: Brian Gerst
+Cc: Denys Vlasenko
+Cc: H. Peter Anvin
+Cc: Josh Poimboeuf
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Fixes: 8196dab4fc15 ("x86/cpu: Get rid of compute_unit_id")
+Link: http://lkml.kernel.org/r/20170105092638.5247-1-bp@alien8.de
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/amd.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -309,15 +309,8 @@ static void amd_get_topology(struct cpui
+
+ /* get information required for multi-node processors */
+ if (boot_cpu_has(X86_FEATURE_TOPOEXT)) {
+- u32 eax, ebx, ecx, edx;
+
+- cpuid(0x8000001e, &eax, &ebx, &ecx, &edx);
+- node_id = ecx & 7;
+-
+- /* get compute unit information */
+- smp_num_siblings = ((ebx >> 8) & 3) + 1;
+- c->x86_max_cores /= smp_num_siblings;
+- c->cpu_core_id = ebx & 0xff;
++ node_id = cpuid_ecx(0x8000001e) & 7;
+
+ /*
+ * We may have multiple LLCs if L3 caches exist, so check if we
--
2.47.3