authorTakashi Iwai <tiwai@suse.de>2018-06-18 15:48:42 +0200
committerTakashi Iwai <tiwai@suse.de>2018-06-18 15:48:42 +0200
commitf0b8f6ba5bc34878a9cd53e5f4a30e0c86a6c072 (patch)
tree56c1e9eca8576007dfa37acf5ca508cdf546f660
parent5a895c7954d0015560dfb7f5e36b1870a4e740d4 (diff)
parentbaa07f9df91b6684c4581228137bcabdcc4dc66c (diff)
Merge branch 'SLE12-SP3' into openSUSE-42.3rpm-4.4.138-59
-rw-r--r--patches.fixes/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch56
-rw-r--r--patches.suse/ibrs-avoid-lfence-when-runtime-disabled.patch171
-rw-r--r--patches.suse/jfs-Fix-buffer-overrun-in-ea_get.patch45
-rw-r--r--patches.suse/nospec-fix-forced-cpucaps-ordering.patch6
-rw-r--r--series.conf4
5 files changed, 106 insertions, 176 deletions
diff --git a/patches.fixes/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch b/patches.fixes/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch
new file mode 100644
index 0000000000..afdf67d992
--- /dev/null
+++ b/patches.fixes/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch
@@ -0,0 +1,56 @@
+From: Juergen Gross <jgross@suse.com>
+Date: Tue, 12 Jun 2018 08:57:53 +0200
+Patch-mainline: v4.18-rc1
+Git-commit: 57f230ab04d2910a06d17d988f1c4d7586a59113
+References: bnc#1076049
+Subject: xen/netfront: raise max number of slots in xennet_get_responses()
+
+The max number of slots used in xennet_get_responses() is set to
+MAX_SKB_FRAGS + (rx->status <= RX_COPY_THRESHOLD).
+
+In old kernel-xen MAX_SKB_FRAGS was 18, while nowadays it is 17. This
+difference is resulting in frequent messages "too many slots" and a
+reduced network throughput for some workloads (factor 10 below that of
+a kernel-xen based guest).
+
+Replacing MAX_SKB_FRAGS by XEN_NETIF_NR_SLOTS_MIN for calculation of
+the max number of slots to use solves that problem (tests showed no
+more messages "too many slots" and throughput was as high as with the
+kernel-xen based guest system).
+
+Replace MAX_SKB_FRAGS-2 by XEN_NETIF_NR_SLOTS_MIN-1 in
+netfront_tx_slot_available() for making it clearer what is really being
+tested without actually modifying the tested value.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/xen-netfront.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 679da1a..922ce0a 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -239,7 +239,7 @@ static void rx_refill_timeout(struct timer_list *t)
+ static int netfront_tx_slot_available(struct netfront_queue *queue)
+ {
+ return (queue->tx.req_prod_pvt - queue->tx.rsp_cons) <
+- (NET_TX_RING_SIZE - MAX_SKB_FRAGS - 2);
++ (NET_TX_RING_SIZE - XEN_NETIF_NR_SLOTS_MIN - 1);
+ }
+
+ static void xennet_maybe_wake_tx(struct netfront_queue *queue)
+@@ -790,7 +790,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
+ RING_IDX cons = queue->rx.rsp_cons;
+ struct sk_buff *skb = xennet_get_rx_skb(queue, cons);
+ grant_ref_t ref = xennet_get_rx_ref(queue, cons);
+- int max = MAX_SKB_FRAGS + (rx->status <= RX_COPY_THRESHOLD);
++ int max = XEN_NETIF_NR_SLOTS_MIN + (rx->status <= RX_COPY_THRESHOLD);
+ int slots = 1;
+ int err = 0;
+ unsigned long ret;
+--
+cgit v1.1
+
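Review bot: In the xennet_get_responses() hunk of the embedded patch, `max` is no longer tied to MAX_SKB_FRAGS, so one packet may now span one slot more than the fragment limit the description quotes (18 against 17). The code that turns accepted slots into skb frags lies outside the hunk, and the slot count comes from the backend, so it should be confirmed that this path handles an skb already holding MAX_SKB_FRAGS frags without hitting an assertion. In netfront_tx_slot_available() the "tested value is unchanged" claim holds only while MAX_SKB_FRAGS is 17, which is worth recording next to the expression, e.g. `/* equals the old MAX_SKB_FRAGS + 2 only while MAX_SKB_FRAGS == 17 */`. xennet_get_responses() continues past the end of the hunk.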
diff --git a/patches.suse/ibrs-avoid-lfence-when-runtime-disabled.patch b/patches.suse/ibrs-avoid-lfence-when-runtime-disabled.patch
deleted file mode 100644
index 0fb76cb1e4..0000000000
--- a/patches.suse/ibrs-avoid-lfence-when-runtime-disabled.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-From: Jiri Kosina <jkosina@suse.cz>
-Subject: x86/bugs: IBRS: make runtime disabling fully dynamic
-References: bsc#1068032
-Patch-mainline: Never, SUSE-specific
-
-Currently, if IBRS MSR is provided by ucode in SPEC_CTRL, we still call
-x86_ibrs_enabled() in ENABLE_IBRS (therefore on every kernel entry) to
-check whether IBRS has been runtime disabled (either by cmdline, or by
-detecting pre-SKL architecture).
-
-This means, that every kernel entry still contains lfence, which is there
-to prevent speculative execution of any subsequent kernel code which is
-already in the pipeline, before ibrs_enabled gets evaluated and tested in
-in-line execution.
-
-This is of course far from optimal wrt. performance.
-
-Introduce X86_FEATURE_IBRS_OFF, and make sure it's set in cases when IBRS
-is being forced-off on kernel entry (and let ALTERNATIVE patch-out the
-complete enabling codepath in case it's turned off, removing the need for
-the lfence).
-
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
----
- arch/x86/include/asm/cpufeature.h | 1
- arch/x86/include/asm/spec_ctrl.h | 44 +++-----------------------------------
- arch/x86/kernel/cpu/bugs.c | 2 -
- arch/x86/kernel/cpu/spec_ctrl.c | 16 ++++++++++++-
- 4 files changed, 20 insertions(+), 43 deletions(-)
-
---- a/arch/x86/include/asm/cpufeature.h
-+++ b/arch/x86/include/asm/cpufeature.h
-@@ -77,6 +77,7 @@
- * word 7 und we not even attempting to do a nasty kABI breakage.
- */
- #define X86_FEATURE_ZEN ( 2*32+ 4) /* "" CPU is AMD family 0x17 (Zen) */
-+#define X86_FEATURE_IBRS_OFF ( 2*32+ 5) /* "" Force-disabled IBRS usage on kernel entry */
-
- /* Other features, Linux-defined mapping, word 3 */
- /* This range is used for feature bits which conflict or are synthesized */
---- a/arch/x86/include/asm/spec_ctrl.h
-+++ b/arch/x86/include/asm/spec_ctrl.h
-@@ -16,55 +16,27 @@
- .endm
-
- .macro ENABLE_IBRS_CLOBBER
-- ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_SPEC_CTRL
-- call x86_ibrs_enabled
-- test %eax, %eax
-- jz .Llfence_\@
-+ ALTERNATIVE "", "jmp .Lend_\@", X86_FEATURE_IBRS_OFF
-
- __ENABLE_IBRS_CLOBBER
-- jmp .Lend_\@
--
--.Llfence_\@:
-- lfence
- .Lend_\@:
- .endm
-
-
- .macro ENABLE_IBRS
-- ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_SPEC_CTRL
--
-- pushq %rax
--
-- call x86_ibrs_enabled
-- test %eax, %eax
-- jz .Llfence_\@
-+ ALTERNATIVE "", "jmp .Lend_\@", X86_FEATURE_IBRS_OFF
-
- pushq %rcx
- pushq %rdx
- __ENABLE_IBRS_CLOBBER
- popq %rdx
- popq %rcx
--
-- jmp .Lpop_\@
--
--.Llfence_\@:
-- lfence
--
--.Lpop_\@:
-- popq %rax
--
- .Lend_\@:
- .endm
-
-
- .macro DISABLE_IBRS
-- ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_SPEC_CTRL
--
-- pushq %rax
--
-- call x86_ibrs_enabled
-- test %eax, %eax
-- jz .Llfence_\@
-+ ALTERNATIVE "", "jmp .Lend_\@", X86_FEATURE_IBRS_OFF
-
- pushq %rcx
- pushq %rdx
-@@ -74,15 +46,6 @@
- wrmsr
- popq %rdx
- popq %rcx
--
-- jmp .Lpop_\@
--
--.Llfence_\@:
-- lfence
--
--.Lpop_\@:
-- popq %rax
--
- .Lend_\@:
- .endm
-
-@@ -95,6 +58,7 @@ void x86_disable_ibrs(void);
- unsigned int x86_ibrs_enabled(void);
- unsigned int x86_ibpb_enabled(void);
- void x86_spec_check(void);
-+void noibrs(void);
- int nospec(char *str);
-
- static inline void x86_ibp_barrier(void)
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -423,7 +423,7 @@ retpoline_auto:
-
- if (!is_skylake_era()) {
- pr_info("Retpolines enabled, force-disabling IBRS due to !SKL-era core\n");
-- ibrs_state = 0;
-+ noibrs();
- }
- }
-
---- a/arch/x86/kernel/cpu/spec_ctrl.c
-+++ b/arch/x86/kernel/cpu/spec_ctrl.c
-@@ -59,6 +59,7 @@ void x86_spec_check(void)
- if (ibrs_state == -1) {
- /* noone force-disabled IBRS */
- ibrs_state = 1;
-+ setup_clear_cpu_cap(X86_FEATURE_IBRS_OFF);
- printk_once(KERN_INFO "IBRS: initialized\n");
- }
- printk_once(KERN_INFO "IBPB: initialized\n");
-@@ -78,11 +79,22 @@ void x86_spec_check(void)
- }
- EXPORT_SYMBOL_GPL(x86_spec_check);
-
--int nospec(char *str)
-+void noibrs(void)
- {
-- setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL);
-+ setup_force_cpu_cap(X86_FEATURE_IBRS_OFF);
- ibrs_state = 0;
-+}
-+
-+static void noibpb(void)
-+{
-+ setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL);
- ibpb_state = 0;
-+}
-+
-+int nospec(char *str)
-+{
-+ noibrs();
-+ noibpb();
-
- return 0;
- }
diff --git a/patches.suse/jfs-Fix-buffer-overrun-in-ea_get.patch b/patches.suse/jfs-Fix-buffer-overrun-in-ea_get.patch
new file mode 100644
index 0000000000..46d2077761
--- /dev/null
+++ b/patches.suse/jfs-Fix-buffer-overrun-in-ea_get.patch
@@ -0,0 +1,45 @@
+From d1ea2f287f28d1aeaa2da8b615a26a591f156483 Mon Sep 17 00:00:00 2001
+From: Nikolay Borisov <nborisov@suse.com>
+Date: Mon, 18 Jun 2018 11:24:52 +0300
+Subject: [PATCH] jfs: Fix buffer overrun in ea_get
+References: bsc#1097234, CVE-2018-12233
+Patch-mainline: Submitted, 18.06.2018 lkml
+
+Currently ea_buf->xattr buffer is allocated with min(min_size, ea_size).
+This is wrong since after the xattr buffer is allocated the ->max_size
+variable is actually rounded up to th next ->s_blocksize size. Fix this
+by using the rounded up max_size as input to the malloc.
+
+Suggested-by: Shankara Pailoor <shankarapailoor@gmail.com>
+Reported-by: Shankara Pailoor <shankarapailoor@gmail.com>
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+---
+ fs/jfs/xattr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
+index c60f3d32ee91..96b9355ff69a 100644
+--- a/fs/jfs/xattr.c
++++ b/fs/jfs/xattr.c
+@@ -493,14 +493,14 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
+ * To keep the rest of the code simple. Allocate a
+ * contiguous buffer to work with
+ */
+- ea_buf->xattr = kmalloc(size, GFP_KERNEL);
+- if (ea_buf->xattr == NULL)
+- return -ENOMEM;
+-
+ ea_buf->flag = EA_MALLOC;
+ ea_buf->max_size = (size + sb->s_blocksize - 1) &
+ ~(sb->s_blocksize - 1);
+
++ ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL);
++ if (ea_buf->xattr == NULL)
++ return -ENOMEM;
++
+ if (ea_size == 0)
+ return 0;
+
+--
+2.7.4
+
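Review bot: With kmalloc() moved below the bookkeeping, the -ENOMEM path in ea_get() now returns with `ea_buf->flag` already set to EA_MALLOC and `ea_buf->max_size` non-zero while `ea_buf->xattr` is NULL; before this change nothing in ea_buf had been written at that point. Whether any caller inspects ea_buf after a failed ea_get() is not visible here, but the safer order is to keep the max_size rounding first and move `ea_buf->flag = EA_MALLOC;` to after the NULL check. ea_get() starts and ends outside the hunk.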
diff --git a/patches.suse/nospec-fix-forced-cpucaps-ordering.patch b/patches.suse/nospec-fix-forced-cpucaps-ordering.patch
index e4e6486f0b..e003cc8b0f 100644
--- a/patches.suse/nospec-fix-forced-cpucaps-ordering.patch
+++ b/patches.suse/nospec-fix-forced-cpucaps-ordering.patch
@@ -18,9 +18,9 @@ Signed-off-by: Jiri Kosina <jkosina@suse.cz>
--- a/arch/x86/kernel/cpu/spec_ctrl.c
+++ b/arch/x86/kernel/cpu/spec_ctrl.c
-@@ -87,7 +87,13 @@ void noibrs(void)
+@@ -80,7 +80,13 @@ EXPORT_SYMBOL_GPL(x86_spec_check);
- static void noibpb(void)
+ int nospec(char *str)
{
+ /*
+ * Due to way how apply_forced_caps() works, we have to
@@ -29,6 +29,6 @@ Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+ */
setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL);
+ clear_bit(X86_FEATURE_SPEC_CTRL, (unsigned long *)cpu_caps_set);
+ ibrs_state = 0;
ibpb_state = 0;
- }
diff --git a/series.conf b/series.conf
index 7701d9caca..c9e75eca42 100644
--- a/series.conf
+++ b/series.conf
@@ -7986,6 +7986,7 @@
patches.fixes/0002-f2fs-clean-up-free-nid-list-operations.patch
patches.fixes/0003-f2fs-cover-more-area-with-nat_tree_lock.patch
patches.fixes/0004-f2fs-fix-race-condition-in-between-free-nid-allocato.patch
+ patches.suse/jfs-Fix-buffer-overrun-in-ea_get.patch
########################################################
# Overlayfs
@@ -10343,6 +10344,7 @@
patches.fixes/xen-fix-booting-ballooned-down-hvm-guest.patch
patches.fixes/xen-events-fifo-dont-use-get-put-cpu.patch
patches.fixes/xen-x86-mark-xen_find_pt_base-as-init.patch
+ patches.fixes/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch
# bsc#1042422
patches.fixes/xen-hold-lock_device_hotplug-throughout-vcpu-hotplug.patch
@@ -23643,8 +23645,6 @@
patches.arch/48-x86-bugs-rename-ssbd_no-to-ssb_no.patch
patches.kabi/fix-kvm-kabi.patch
- patches.suse/ibrs-avoid-lfence-when-runtime-disabled.patch
-
# IBRS disabling fix
patches.suse/nospec-fix-forced-cpucaps-ordering.patch
patches.suse/0001-KVM-x86-Sync-back-MSR_IA32_SPEC_CTRL-to-VCPU-data-st.patch