Home Home > GIT Browse > SLE15-SP1
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2019-07-30 13:50:10 +0200
committerTakashi Iwai <tiwai@suse.de>2019-07-30 13:50:10 +0200
commit5d42f4382f42c649d0c135842b526d9ccb286a66 (patch)
tree8ca9d3b02e6b775673a2daefe47d0f6b1581bbe2
parent3d141dca3191386e3e99b31c73dba7adbad62bf0 (diff)
parent1773cb431c16cf5c3eaa57cb09b7f30b8288974f (diff)
Merge branch 'SLE15' into users/tiwai/SLE15/bsc1139358
-rw-r--r--patches.arch/s390-jump_label-replace-stop_machine-with-smp_call_f.patch118
-rw-r--r--patches.fixes/IB-mlx5-Fix-leaking-stack-memory-to-userspace.patch30
-rw-r--r--series.conf2
3 files changed, 150 insertions, 0 deletions
diff --git a/patches.arch/s390-jump_label-replace-stop_machine-with-smp_call_f.patch b/patches.arch/s390-jump_label-replace-stop_machine-with-smp_call_f.patch
new file mode 100644
index 0000000000..62069c7797
--- /dev/null
+++ b/patches.arch/s390-jump_label-replace-stop_machine-with-smp_call_f.patch
@@ -0,0 +1,118 @@
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Subject: kernel: jump label transformation performance
+
+References: bsc#1137534 bsc#1137535 LTC#178058 LTC#178059
+Patch-mainline: v5.3-rc1
+Git-commit: a646ef398e72a2ac40bea974808ffcf1bea4e7f4
+
+Description: kernel: jump label transformation performance
+Symptom: Unresponsive systems together with huge amounts of observable
+ diagnose 0x44 calls.
+Problem: Jump label instruction patching is done in the context of
+ stop_machine_run, which synchronizes all CPUs of a system.
+ If this happens concurrently on many virtual systems and the
+ sum of all virtual CPUs is (significantly) higher than the
+ amount of pyhsical CPUs of the underlying hypervisor, this
+ may lead to long delays, when the kernel tries to synchronize
+ CPUs. In worst case scenarios this can lead to systems which
+ are unresponsive for several minutes.
+Solution: For jump label instruction patching it is not necessary to
+ synchronize all CPUs. Instead the mask bits of the used branch
+ instruction can simply be overwritten. To make the patched
+ instruction visible for all other CPUs in the configuration a
+ subsequent signal processor to all other CPUs is sufficient.
+Reproduction: -
+
+Upstream-Description:
+
+ s390/jump_label: replace stop_machine with smp_call_function
+
+ The use of stop_machine to replace the mask bits of the jump label branch
+ is a very heavy-weight operation. This is in fact not necessary, the
+ mask of the branch can simply be updated, followed by a signal processor
+ to all the other CPUs to force them to pick up the modified instruction.
+
+ Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+ [heiko.carstens@de.ibm.com]: Change jump_label_make_nop() so we get
+ brcl 0,offset instead of brcl 0,0. This
+ makes sure that only the mask part of the
+ instruction gets changed when updated.
+ Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/s390/kernel/jump_label.c | 18 +++++-------------
+ arch/s390/mm/maccess.c | 9 +++++----
+ 2 files changed, 10 insertions(+), 17 deletions(-)
+
+--- a/arch/s390/kernel/jump_label.c
++++ b/arch/s390/kernel/jump_label.c
+@@ -23,9 +23,9 @@ struct insn_args {
+
+ static void jump_label_make_nop(struct jump_entry *entry, struct insn *insn)
+ {
+- /* brcl 0,0 */
++ /* brcl 0,offset */
+ insn->opcode = 0xc004;
+- insn->offset = 0;
++ insn->offset = (entry->target - entry->code) >> 1;
+ }
+
+ static void jump_label_make_branch(struct jump_entry *entry, struct insn *insn)
+@@ -77,23 +77,15 @@ static void __jump_label_transform(struc
+ s390_kernel_write((void *)entry->code, &new, sizeof(new));
+ }
+
+-static int __sm_arch_jump_label_transform(void *data)
++static void __jump_label_sync(void *dummy)
+ {
+- struct insn_args *args = data;
+-
+- __jump_label_transform(args->entry, args->type, 0);
+- return 0;
+ }
+
+ void arch_jump_label_transform(struct jump_entry *entry,
+ enum jump_label_type type)
+ {
+- struct insn_args args;
+-
+- args.entry = entry;
+- args.type = type;
+-
+- stop_machine_cpuslocked(__sm_arch_jump_label_transform, &args, NULL);
++ __jump_label_transform(entry, type, 0);
++ smp_call_function(__jump_label_sync, NULL, 1);
+ }
+
+ void arch_jump_label_transform_static(struct jump_entry *entry,
+--- a/arch/s390/mm/maccess.c
++++ b/arch/s390/mm/maccess.c
+@@ -50,21 +50,22 @@ static notrace long s390_kernel_write_od
+ * Therefore we have a read-modify-write sequence: the function reads eight
+ * bytes from destination at an eight byte boundary, modifies the bytes
+ * requested and writes the result back in a loop.
+- *
+- * Note: this means that this function may not be called concurrently on
+- * several cpus with overlapping words, since this may potentially
+- * cause data corruption.
+ */
++static DEFINE_SPINLOCK(s390_kernel_write_lock);
++
+ void notrace s390_kernel_write(void *dst, const void *src, size_t size)
+ {
++ unsigned long flags;
+ long copied;
+
++ spin_lock_irqsave(&s390_kernel_write_lock, flags);
+ while (size) {
+ copied = s390_kernel_write_odd(dst, src, size);
+ dst += copied;
+ src += copied;
+ size -= copied;
+ }
++ spin_unlock_irqrestore(&s390_kernel_write_lock, flags);
+ }
+
+ static int __memcpy_real(void *dest, void *src, size_t count)
diff --git a/patches.fixes/IB-mlx5-Fix-leaking-stack-memory-to-userspace.patch b/patches.fixes/IB-mlx5-Fix-leaking-stack-memory-to-userspace.patch
new file mode 100644
index 0000000000..b9702b9a5b
--- /dev/null
+++ b/patches.fixes/IB-mlx5-Fix-leaking-stack-memory-to-userspace.patch
@@ -0,0 +1,30 @@
+From: Jason Gunthorpe <jgg@mellanox.com>
+Date: Tue, 14 Aug 2018 15:33:52 -0600
+Subject: IB/mlx5: Fix leaking stack memory to userspace
+Patch-mainline: v4.19-rc1
+Git-commit: 0625b4ba1a5d4703c7fb01c497bd6c156908af00
+References: bsc#1143045 CVE-2018-20855
+
+mlx5_ib_create_qp_resp was never initialized and only the first 4 bytes
+were written.
+
+Fixes: 41d902cb7c32 ("RDMA/mlx5: Fix definition of mlx5_ib_create_qp_resp")
+Cc: <stable@vger.kernel.org>
+Acked-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+---
+ drivers/infiniband/hw/mlx5/qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -1524,7 +1524,7 @@ static int create_qp_common(struct mlx5_
+ struct mlx5_ib_resources *devr = &dev->devr;
+ int inlen = MLX5_ST_SZ_BYTES(create_qp_in);
+ struct mlx5_core_dev *mdev = dev->mdev;
+- struct mlx5_ib_create_qp_resp resp;
++ struct mlx5_ib_create_qp_resp resp = {};
+ struct mlx5_ib_cq *send_cq;
+ struct mlx5_ib_cq *recv_cq;
+ unsigned long flags;
diff --git a/series.conf b/series.conf
index 5681ae7b80..ca128c6708 100644
--- a/series.conf
+++ b/series.conf
@@ -18738,6 +18738,7 @@
patches.drivers/rdma-cxgb4-Remove-a-set-but-not-used-variable.patch
patches.drivers/IB-IPoIB-Set-ah-valid-flag-in-multicast-send-flow.patch
patches.drivers/rdma-cxgb4-fix-some-info-leaks.patch
+ patches.fixes/IB-mlx5-Fix-leaking-stack-memory-to-userspace.patch
patches.fixes/dax-remove-VM_MIXEDMAP-for-fsdax-and-device-dax.patch
patches.fixes/fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_.patch
patches.suse/mm-page_alloc-double-zone-s-batchsize.patch
@@ -22863,6 +22864,7 @@
patches.drm/drm-amdgpu-gfx9-use-reset-default-for-PA_SC_FIFO_SIZ.patch
patches.fixes/scsi-target-iblock-fix-overrun-in-write-same-emulation
patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch
+ patches.arch/s390-jump_label-replace-stop_machine-with-smp_call_f.patch
patches.fixes/crypto-ccp-fix-AES-CFB-error-exposed-by-new-test-vec.patch
patches.fixes/crypto-ccp-Fix-3DES-complaint-from-ccp-crypto-module.patch
patches.fixes/crypto-talitos-rename-alternative-AEAD-algos.patch