Changes representative of linux-3.10.0-1160.83.1.el7.tar.xz

Documentation/kernel-parameters.txt

@@ -3529,6 +3529,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 			Specific mitigations can also be selected manually:
 
 			retpoline[,force] - replace indirect branches
+			retpoline,amd     - AMD-specific minimal thunk
 			ibrs		  - Intel: Indirect Branch Restricted Speculation (kernel)
 			ibrs_always	  - Intel: Indirect Branch Restricted Speculation (kernel and user space)
 

Makefile

@@ -5,7 +5,7 @@ EXTRAVERSION =
 NAME = Unicycling Gorilla
 RHEL_MAJOR = 7
 RHEL_MINOR = 9
-RHEL_RELEASE = 1160.81.1
+RHEL_RELEASE = 1160.83.1
 
 #
 # DRM backport version

arch/x86/include/asm/nospec-branch.h

@@ -220,6 +220,7 @@ enum spectre_v2_mitigation {
 	SPECTRE_V2_RETPOLINE_MINIMAL,
 	SPECTRE_V2_RETPOLINE_NO_IBPB,
 	SPECTRE_V2_RETPOLINE_UNSAFE_MODULE,
+	SPECTRE_V2_RETPOLINE_AMD,
 	SPECTRE_V2_RETPOLINE,
 	SPECTRE_V2_RETPOLINE_IBRS_USER,
 	SPECTRE_V2_IBRS,

arch/x86/include/asm/spec_ctrl.h

@@ -204,6 +204,7 @@ void spec_ctrl_enable_ibrs_enhanced(void);
 bool spec_ctrl_force_enable_ibp_disabled(void);
 bool spec_ctrl_cond_enable_ibp_disabled(void);
 void spec_ctrl_enable_retpoline(void);
+void spec_ctrl_enable_retpoline_amd(void);
 bool spec_ctrl_enable_retpoline_ibrs_user(void);
 void spec_ctrl_set_ssbd(bool ssbd_on);
 

arch/x86/kernel/cpu/amd.c

@@ -903,8 +903,6 @@ static void init_amd(struct cpuinfo_x86 *c)
 
 	if (c->x86 == 0x10 || c->x86 == 0x12)
 		set_cpu_cap(c, X86_FEATURE_IBP_DISABLE);
-
-	set_cpu_cap(c, X86_FEATURE_RETPOLINE_AMD);
 }
 
 #ifdef CONFIG_X86_32

arch/x86/kernel/cpu/bugs.c

@@ -149,6 +149,7 @@ enum spectre_v2_mitigation_cmd {
 	SPECTRE_V2_CMD_FORCE,
 	SPECTRE_V2_CMD_AUTO,
 	SPECTRE_V2_CMD_RETPOLINE,
+	SPECTRE_V2_CMD_RETPOLINE_AMD,
 	SPECTRE_V2_CMD_RETPOLINE_FORCE,
 	SPECTRE_V2_CMD_RETPOLINE_IBRS_USER,
 	SPECTRE_V2_CMD_IBRS,
@@ -160,6 +161,7 @@ static const char *spectre_v2_strings[] = {
 	[SPECTRE_V2_RETPOLINE_MINIMAL]		= "Vulnerable: Minimal ASM retpoline",
 	[SPECTRE_V2_RETPOLINE_NO_IBPB]		= "Vulnerable: Retpoline without IBPB",
 	[SPECTRE_V2_RETPOLINE_UNSAFE_MODULE]	= "Vulnerable: Retpoline with unsafe module(s)",
+	[SPECTRE_V2_RETPOLINE_AMD]		= "Vulnerable: AMD retpoline (LFENCE/JMP)",
 	[SPECTRE_V2_RETPOLINE]			= "Mitigation: Full retpoline",
 	[SPECTRE_V2_RETPOLINE_IBRS_USER]	= "Mitigation: Full retpoline and IBRS (user space)",
 	[SPECTRE_V2_IBRS]			= "Mitigation: IBRS (kernel)",
@@ -813,6 +815,8 @@ static void __init retbleed_select_mitigation(void)
 #undef pr_fmt
 #define pr_fmt(fmt)     "Spectre V2 : " fmt
 
+#define SPECTRE_V2_LFENCE_MSG "WARNING: AMD retpoline (LFENCE/JMP) is not a recommended mitigation for this CPU, data leaks possible!\n"
+
 static inline bool match_option(const char *arg, int arglen, const char *opt)
 {
 	int len = strlen(opt);
@@ -828,6 +832,7 @@ static const struct {
 	{ "off",		SPECTRE_V2_CMD_NONE,		   false },
 	{ "on",			SPECTRE_V2_CMD_FORCE,		   true },
 	{ "retpoline",		SPECTRE_V2_CMD_RETPOLINE,	   false },
+	{ "retpoline,amd",	SPECTRE_V2_CMD_RETPOLINE_AMD,	   false },
 	{ "retpoline,force",	SPECTRE_V2_CMD_RETPOLINE_FORCE,	   false },
 	{ "retpoline,ibrs_user",SPECTRE_V2_CMD_RETPOLINE_IBRS_USER,false },
 	{ "ibrs",		SPECTRE_V2_CMD_IBRS,		   false },
@@ -877,13 +882,37 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
 	}
 
 	if ((cmd == SPECTRE_V2_CMD_RETPOLINE ||
+	     cmd == SPECTRE_V2_CMD_RETPOLINE_AMD ||
+	     cmd == SPECTRE_V2_CMD_RETPOLINE_FORCE ||
 	     cmd == SPECTRE_V2_CMD_RETPOLINE_IBRS_USER) &&
 	    !IS_ENABLED(CONFIG_RETPOLINE)) {
 		pr_err("%s selected but not compiled in. Switching to AUTO select\n",
 		       mitigation_options[i].option);
 		return SPECTRE_V2_CMD_AUTO;
 	}
 
+	if (cmd == SPECTRE_V2_CMD_RETPOLINE_AMD) {
+		/*
+		 * Originally, RHEL7 would unconditionally set the capability
+		 * X86_FEATURE_RETPOLINE_AMD in init_amd() to alternatively
+		 * patch over its retpoline code with a single LFENCE call
+		 * before the indirect jump.
+		 *
+		 * With that becoming a command line option now, we need to
+		 * select SPECTRE_V2_CMD_AUTO in case "retpoline,amd" gets
+		 * parsed on non-AMD systems.
+		 */
+		if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD)
+			return SPECTRE_V2_CMD_AUTO;
+
+		if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
+			pr_warn("%s selected, but CPU doesn't have a serializing LFENCE. " \
+				"Switching to AUTO select\n",
+				mitigation_options[i].option);
+			return SPECTRE_V2_CMD_AUTO;
+		}
+	}
+
 	/*
 	 * RETBleed affected CPUs (Intel) depend on IBRS as an effective
 	 * mitigation mechanism. We'll override spectre_v2=retpoline with
@@ -952,6 +981,11 @@ void __spectre_v2_select_mitigation(void)
 		spec_ctrl_enable_retpoline();
 		return;
 
+	case SPECTRE_V2_CMD_RETPOLINE_AMD:
+		pr_warn(SPECTRE_V2_LFENCE_MSG);
+		spec_ctrl_enable_retpoline_amd();
+		return;
+
 	case SPECTRE_V2_CMD_IBRS:
 		if (spec_ctrl_force_enable_ibrs())
 			return;

arch/x86/kernel/spec_ctrl.c

@@ -21,6 +21,7 @@ static DEFINE_MUTEX(spec_ctrl_mutex);
 static bool noibrs_cmdline __read_mostly;
 static bool ibp_disabled __read_mostly;
 static bool unsafe_module __read_mostly;
+static bool retpoline_amd_mode __read_mostly;
 static unsigned int ibrs_mode __read_mostly;
 
 /*
@@ -490,6 +491,13 @@ void spec_ctrl_enable_retpoline(void)
 	set_spec_ctrl_retp(true);
 }
 
+void spec_ctrl_enable_retpoline_amd(void)
+{
+	retpoline_amd_mode = true;
+	setup_force_cpu_cap(X86_FEATURE_RETPOLINE_AMD);
+	set_spec_ctrl_retp(true);
+}
+
 bool spec_ctrl_enable_retpoline_ibrs_user(void)
 {
 	if (!cpu_has_spec_ctrl())
@@ -535,6 +543,8 @@ enum spectre_v2_mitigation spec_ctrl_get_mitigation(void)
 			mode = SPECTRE_V2_RETPOLINE_UNSAFE_MODULE;
 		else if (ibrs_mode == IBRS_ENABLED_USER)
 			mode = SPECTRE_V2_RETPOLINE_IBRS_USER;
+		else if (retpoline_amd_mode)
+			mode = SPECTRE_V2_RETPOLINE_AMD;
 		else
 			mode = SPECTRE_V2_RETPOLINE;
 	}

arch/x86/mm/mem_encrypt_boot.S

@@ -66,7 +66,8 @@ ENTRY(sme_encrypt_execute)
 	movq	%rbp, %rsp		/* Restore original stack pointer */
 	pop	%rbp
 
-	RET
+	ret
+	int3
 ENDPROC(sme_encrypt_execute)
 
 ENTRY(__enc_copy)
@@ -152,6 +153,7 @@ ENTRY(__enc_copy)
 	pop	%r12
 	pop	%r15
 
-	RET
+	ret
+	int3
 .L__enc_copy_end:
 ENDPROC(__enc_copy)

drivers/net/ethernet/intel/i40e/i40e_main.c

@@ -4784,7 +4784,8 @@ static void i40e_clear_interrupt_scheme(struct i40e_pf *pf)
 {
 	int i;
 
-	i40e_free_misc_vector(pf);
+	if (test_bit(__I40E_MISC_IRQ_REQUESTED, pf->state))
+		i40e_free_misc_vector(pf);
 
 	i40e_put_lump(pf->irq_pile, pf->iwarp_base_vector,
 		      I40E_IWARP_IRQ_PILE_ID);

drivers/net/usb/ax88179_178a.c

@@ -1375,58 +1375,119 @@ static int ax88179_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 	u16 hdr_off;
 	u32 *pkt_hdr;
 
-	/* This check is no longer done by usbnet */
-	if (skb->len < dev->net->hard_header_len)
+	/* At the end of the SKB, there's a header telling us how many packets
+	 * are bundled into this buffer and where we can find an array of
+	 * per-packet metadata (which contains elements encoded into u16).
+	 */
+
+	/* SKB contents for current firmware:
+	 *   <packet 1> <padding>
+	 *   ...
+	 *   <packet N> <padding>
+	 *   <per-packet metadata entry 1> <dummy header>
+	 *   ...
+	 *   <per-packet metadata entry N> <dummy header>
+	 *   <padding2> <rx_hdr>
+	 *
+	 * where:
+	 *   <packet N> contains pkt_len bytes:
+	 *		2 bytes of IP alignment pseudo header
+	 *		packet received
+	 *   <per-packet metadata entry N> contains 4 bytes:
+	 *		pkt_len and fields AX_RXHDR_*
+	 *   <padding>	0-7 bytes to terminate at
+	 *		8 bytes boundary (64-bit).
+	 *   <padding2> 4 bytes to make rx_hdr terminate at
+	 *		8 bytes boundary (64-bit)
+	 *   <dummy-header> contains 4 bytes:
+	 *		pkt_len=0 and AX_RXHDR_DROP_ERR
+	 *   <rx-hdr>	contains 4 bytes:
+	 *		pkt_cnt and hdr_off (offset of
+	 *		  <per-packet metadata entry 1>)
+	 *
+	 * pkt_cnt is number of entrys in the per-packet metadata.
+	 * In current firmware there is 2 entrys per packet.
+	 * The first points to the packet and the
+	 *  second is a dummy header.
+	 * This was done probably to align fields in 64-bit and
+	 *  maintain compatibility with old firmware.
+	 * This code assumes that <dummy header> and <padding2> are
+	 *  optional.
+	 */
+
+	if (skb->len < 4)
 		return 0;
-
 	skb_trim(skb, skb->len - 4);
-	memcpy(&rx_hdr, skb_tail_pointer(skb), 4);
-	le32_to_cpus(&rx_hdr);
-
+	rx_hdr = get_unaligned_le32(skb_tail_pointer(skb));
 	pkt_cnt = (u16)rx_hdr;
 	hdr_off = (u16)(rx_hdr >> 16);
+
+	if (pkt_cnt == 0)
+		return 0;
+
+	/* Make sure that the bounds of the metadata array are inside the SKB
+	 * (and in front of the counter at the end).
+	 */
+	if (pkt_cnt * 4 + hdr_off > skb->len)
+		return 0;
 	pkt_hdr = (u32 *)(skb->data + hdr_off);
 
-	while (pkt_cnt--) {
+	/* Packets must not overlap the metadata array */
+	skb_trim(skb, hdr_off);
+
+	for (; pkt_cnt > 0; pkt_cnt--, pkt_hdr++) {
+		u16 pkt_len_plus_padd;
 		u16 pkt_len;
 
 		le32_to_cpus(pkt_hdr);
 		pkt_len = (*pkt_hdr >> 16) & 0x1fff;
+		pkt_len_plus_padd = (pkt_len + 7) & 0xfff8;
+
+		/* Skip dummy header used for alignment
+		 */
+		if (pkt_len == 0)
+			continue;
+
+		if (pkt_len_plus_padd > skb->len)
+			return 0;
 
 		/* Check CRC or runt packet */
-		if ((*pkt_hdr & AX_RXHDR_CRC_ERR) ||
-		    (*pkt_hdr & AX_RXHDR_DROP_ERR)) {
-			skb_pull(skb, (pkt_len + 7) & 0xFFF8);
-			pkt_hdr++;
+		if ((*pkt_hdr & (AX_RXHDR_CRC_ERR | AX_RXHDR_DROP_ERR)) ||
+		    pkt_len < 2 + ETH_HLEN) {
+			dev->net->stats.rx_errors++;
+			skb_pull(skb, pkt_len_plus_padd);
 			continue;
 		}
 
-		if (pkt_cnt == 0) {
-			/* Skip IP alignment psudo header */
+		/* last packet */
+		if (pkt_len_plus_padd == skb->len) {
+			skb_trim(skb, pkt_len);
+
+			/* Skip IP alignment pseudo header */
 			skb_pull(skb, 2);
-			skb->len = pkt_len;
-			skb_set_tail_pointer(skb, pkt_len);
-			skb->truesize = pkt_len + sizeof(struct sk_buff);
+
+			skb->truesize = SKB_TRUESIZE(pkt_len_plus_padd);
 			ax88179_rx_checksum(skb, pkt_hdr);
 			return 1;
 		}
 
 		ax_skb = skb_clone(skb, GFP_ATOMIC);
-		if (ax_skb) {
-			ax_skb->len = pkt_len;
-			ax_skb->data = skb->data + 2;
-			skb_set_tail_pointer(ax_skb, pkt_len);
-			ax_skb->truesize = pkt_len + sizeof(struct sk_buff);
-			ax88179_rx_checksum(ax_skb, pkt_hdr);
-			usbnet_skb_return(dev, ax_skb);
-		} else {
+		if (!ax_skb)
 			return 0;
-		}
+		skb_trim(ax_skb, pkt_len);
 
-		skb_pull(skb, (pkt_len + 7) & 0xFFF8);
-		pkt_hdr++;
+		/* Skip IP alignment pseudo header */
+		skb_pull(ax_skb, 2);
+
+		skb->truesize = pkt_len_plus_padd +
+				SKB_DATA_ALIGN(sizeof(struct sk_buff));
+		ax88179_rx_checksum(ax_skb, pkt_hdr);
+		usbnet_skb_return(dev, ax_skb);
+
+		skb_pull(skb, pkt_len_plus_padd);
 	}
-	return 1;
+
+	return 0;
 }
 
 static struct sk_buff *
@@ -1436,6 +1497,7 @@ ax88179_tx_fixup(struct usbnet *dev, struct sk_buff *skb, gfp_t flags)
 	int frame_size = dev->maxpacket;
 	int mss = skb_shinfo(skb)->gso_size;
 	int headroom;
+	void *ptr;
 
 	tx_hdr1 = skb->len;
 	tx_hdr2 = mss;
@@ -1450,13 +1512,9 @@ ax88179_tx_fixup(struct usbnet *dev, struct sk_buff *skb, gfp_t flags)
 		return NULL;
 	}
 
-	skb_push(skb, 4);
-	cpu_to_le32s(&tx_hdr2);
-	skb_copy_to_linear_data(skb, &tx_hdr2, 4);
-
-	skb_push(skb, 4);
-	cpu_to_le32s(&tx_hdr1);
-	skb_copy_to_linear_data(skb, &tx_hdr1, 4);
+	ptr = skb_push(skb, 8);
+	put_unaligned_le32(tx_hdr1, ptr);
+	put_unaligned_le32(tx_hdr2, ptr + 4);
 
 	return skb;
 }

drivers/scsi/hosts.c

@@ -405,6 +405,7 @@ struct Scsi_Host *scsi_host_alloc(struct scsi_host_template *sht, int privsize)
 	shost->shost_state = SHOST_CREATED;
 	INIT_LIST_HEAD(&shost->__devices);
 	INIT_LIST_HEAD(&shost->__targets);
+	INIT_LIST_HEAD(&shost->eh_abort_list);
 	INIT_LIST_HEAD(&shost->eh_cmd_q);
 	INIT_LIST_HEAD(&shost->starved_list);
 	init_waitqueue_head(&shost->host_wait);

drivers/scsi/scsi.c

@@ -273,6 +273,7 @@ struct scsi_cmnd *scsi_get_command(struct scsi_device *dev, gfp_t gfp_mask)
 
 	cmd->device = dev;
 	INIT_LIST_HEAD(&cmd->list);
+	INIT_LIST_HEAD(&cmd->eh_entry);
 	INIT_DELAYED_WORK(&cmd->abort_work, scmd_eh_abort_handler);
 	spin_lock_irqsave(&dev->list_lock, flags);
 	list_add_tail(&cmd->list, &dev->cmd_list);