authorKernel Build Daemon <kbuild@suse.de>2019-01-19 07:25:54 +0100
committerKernel Build Daemon <kbuild@suse.de>2019-01-19 07:25:54 +0100
commit6a680e4b07c621e2cea0effeb433a9430e6a07c5 (patch)
treea89beca1ed76696cc090a778a2047b6c374526ab
parentf49368b8e0041dd79c0ed8ad3abc8b08d8f98a9c (diff)
parent769c65df970d2a8c0dbbe5bcd1f560705ce202eb (diff)
Merge branch 'SLE12-SP3' into openSUSE-42.3
-rw-r--r--patches.arch/0010-x86-bugs-kvm-Introduce-boot-time-control-of-L1TF-mit.patch220
-rw-r--r--patches.arch/0011-Documentation-Add-section-about-CPU-vulnerabilities.patch6
-rw-r--r--patches.suse/0001-kvm-Introduce-nopvspin-kernel-parameter.patch32
-rw-r--r--series.conf27
4 files changed, 141 insertions, 144 deletions
diff --git a/patches.arch/0010-x86-bugs-kvm-Introduce-boot-time-control-of-L1TF-mit.patch b/patches.arch/0010-x86-bugs-kvm-Introduce-boot-time-control-of-L1TF-mit.patch
index f82912e6f8..81b6a723a9 100644
--- a/patches.arch/0010-x86-bugs-kvm-Introduce-boot-time-control-of-L1TF-mit.patch
+++ b/patches.arch/0010-x86-bugs-kvm-Introduce-boot-time-control-of-L1TF-mit.patch
@@ -89,113 +89,9 @@ Link: https://lkml.kernel.org/r/20180713142323.202758176@linutronix.de
arch/x86/kvm/vmx.c | 56 +++++++++++++----
5 files changed, 166 insertions(+), 19 deletions(-)
---- a/Documentation/ABI/testing/sysfs-devices-system-cpu
-+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
-@@ -277,6 +277,7 @@ What: /sys/devices/system/cpu/vulnerabi
- /sys/devices/system/cpu/vulnerabilities/spectre_v1
- /sys/devices/system/cpu/vulnerabilities/spectre_v2
- /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
-+ /sys/devices/system/cpu/vulnerabilities/l1tf
- Date: January 2018
- Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org>
- Description: Information about CPU vulnerabilities
-@@ -289,6 +290,9 @@ Description: Information about CPU vulne
- "Vulnerable" CPU is affected and no mitigation in effect
- "Mitigation: $M" CPU is affected and mitigation $M is in effect
-
-+ Details about the l1tf file can be found in
-+ Documentation/l1tf.rst
-+
- What: /sys/devices/system/cpu/smt
- /sys/devices/system/cpu/smt/active
- /sys/devices/system/cpu/smt/control
---- a/Documentation/kernel-parameters.txt
-+++ b/Documentation/kernel-parameters.txt
-@@ -1862,12 +1862,6 @@ bytes respectively. Such letter suffixes
- for all guests.
- Default is 1 (enabled) if in 64-bit or 32-bit PAE mode.
-
-- kvm-intel.nosmt=[KVM,Intel] If the L1TF CPU bug is present (CVE-2018-3620)
-- and the system has SMT (aka Hyper-Threading) enabled then
-- don't allow guests to be created.
--
-- Default is 0 (allow guests to be created).
--
- kvm-intel.ept= [KVM,Intel] Disable extended page tables
- (virtualized MMU) support on capable Intel chips.
- Default is 1 (enabled)
-@@ -1909,6 +1903,68 @@ bytes respectively. Such letter suffixes
- Disables the paravirtualized spinlock slowpath
- optimizations for KVM.
-
-+ l1tf= [X86] Control mitigation of the L1TF vulnerability on
-+ affected CPUs
-+
-+ The kernel PTE inversion protection is unconditionally
-+ enabled and cannot be disabled.
-+
-+ full
-+ Provides all available mitigations for the
-+ L1TF vulnerability. Disables SMT and
-+ enables all mitigations in the
-+ hypervisors, i.e. unconditional L1D flush.
-+
-+ SMT control and L1D flush control via the
-+ sysfs interface is still possible after
-+ boot. Hypervisors will issue a warning
-+ when the first VM is started in a
-+ potentially insecure configuration,
-+ i.e. SMT enabled or L1D flush disabled.
-+
-+ full,force
-+ Same as 'full', but disables SMT and L1D
-+ flush runtime control. Implies the
-+ 'nosmt=force' command line option.
-+ (i.e. sysfs control of SMT is disabled.)
-+
-+ flush
-+ Leaves SMT enabled and enables the default
-+ hypervisor mitigation, i.e. conditional
-+ L1D flush.
-+
-+ SMT control and L1D flush control via the
-+ sysfs interface is still possible after
-+ boot. Hypervisors will issue a warning
-+ when the first VM is started in a
-+ potentially insecure configuration,
-+ i.e. SMT enabled or L1D flush disabled.
-+
-+ flush,nosmt
-+
-+ Disables SMT and enables the default
-+ hypervisor mitigation.
-+
-+ SMT control and L1D flush control via the
-+ sysfs interface is still possible after
-+ boot. Hypervisors will issue a warning
-+ when the first VM is started in a
-+ potentially insecure configuration,
-+ i.e. SMT enabled or L1D flush disabled.
-+
-+ flush,nowarn
-+ Same as 'flush', but hypervisors will not
-+ warn when a VM is started in a potentially
-+ insecure configuration.
-+
-+ off
-+ Disables hypervisor mitigations and doesn't
-+ emit any warnings.
-+
-+ Default is 'flush'.
-+
-+ For details see: Documentation/l1tf.rst
-+
- l2cr= [PPC]
-
- l3cr= [PPC]
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
-@@ -867,4 +867,16 @@ bool xen_set_default_idle(void);
+@@ -859,4 +859,16 @@ bool xen_set_default_idle(void);
void stop_this_cpu(void *dummy);
void df_debug(struct pt_regs *regs, long error_code);
@@ -214,7 +110,7 @@ Link: https://lkml.kernel.org/r/20180713142323.202758176@linutronix.de
#endif /* _ASM_X86_PROCESSOR_H */
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -220,7 +220,11 @@ static void x86_amd_ssb_disable(void)
+@@ -214,7 +214,11 @@ static void x86_amd_ssb_disable(void)
wrmsrl(MSR_AMD64_LS_CFG, msrval);
}
@@ -226,7 +122,7 @@ Link: https://lkml.kernel.org/r/20180713142323.202758176@linutronix.de
enum vmx_l1d_flush_state l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO;
EXPORT_SYMBOL_GPL(l1tf_vmx_mitigation);
#endif
-@@ -733,6 +737,20 @@ static void __init l1tf_select_mitigatio
+@@ -695,6 +699,20 @@ static void __init l1tf_select_mitigatio
override_cache_bits(&boot_cpu_data);
@@ -247,7 +143,7 @@ Link: https://lkml.kernel.org/r/20180713142323.202758176@linutronix.de
#if CONFIG_PGTABLE_LEVELS == 2
pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n");
return;
-@@ -752,6 +770,33 @@ static void __init l1tf_select_mitigatio
+@@ -714,6 +732,33 @@ static void __init l1tf_select_mitigatio
}
#undef pr_fmt
@@ -293,7 +189,7 @@ Link: https://lkml.kernel.org/r/20180713142323.202758176@linutronix.de
static bool __read_mostly enable_vpid = 1;
module_param_named(vpid, enable_vpid, bool, 0444);
-@@ -200,15 +197,31 @@ static int vmx_setup_l1d_flush(enum vmx_
+@@ -208,15 +205,31 @@ static int vmx_setup_l1d_flush(enum vmx_
{
struct page *page;
@@ -329,7 +225,7 @@ Link: https://lkml.kernel.org/r/20180713142323.202758176@linutronix.de
if (l1tf != VMENTER_L1D_FLUSH_NEVER && !vmx_l1d_flush_pages &&
!boot_cpu_has(X86_FEATURE_FLUSH_L1D)) {
page = alloc_pages(GFP_KERNEL, L1D_CACHE_ORDER);
-@@ -9166,16 +9179,33 @@ free_vcpu:
+@@ -9213,16 +9226,33 @@ free_vcpu:
return ERR_PTR(err);
}
@@ -369,3 +265,107 @@ Link: https://lkml.kernel.org/r/20180713142323.202758176@linutronix.de
}
return 0;
}
+--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
++++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
+@@ -277,6 +277,7 @@ What: /sys/devices/system/cpu/vulnerabi
+ /sys/devices/system/cpu/vulnerabilities/spectre_v1
+ /sys/devices/system/cpu/vulnerabilities/spectre_v2
+ /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
++ /sys/devices/system/cpu/vulnerabilities/l1tf
+ Date: January 2018
+ Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org>
+ Description: Information about CPU vulnerabilities
+@@ -289,6 +290,9 @@ Description: Information about CPU vulne
+ "Vulnerable" CPU is affected and no mitigation in effect
+ "Mitigation: $M" CPU is affected and mitigation $M is in effect
+
++ Details about the l1tf file can be found in
++ Documentation/l1tf.rst
++
+ What: /sys/devices/system/cpu/smt
+ /sys/devices/system/cpu/smt/active
+ /sys/devices/system/cpu/smt/control
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -1860,12 +1860,6 @@ bytes respectively. Such letter suffixes
+ for all guests.
+ Default is 1 (enabled) if in 64-bit or 32-bit PAE mode.
+
+- kvm-intel.nosmt=[KVM,Intel] If the L1TF CPU bug is present (CVE-2018-3620)
+- and the system has SMT (aka Hyper-Threading) enabled then
+- don't allow guests to be created.
+-
+- Default is 0 (allow guests to be created).
+-
+ kvm-intel.ept= [KVM,Intel] Disable extended page tables
+ (virtualized MMU) support on capable Intel chips.
+ Default is 1 (enabled)
+@@ -1903,6 +1897,68 @@ bytes respectively. Such letter suffixes
+ feature (tagged TLBs) on capable Intel chips.
+ Default is 1 (enabled)
+
++ l1tf= [X86] Control mitigation of the L1TF vulnerability on
++ affected CPUs
++
++ The kernel PTE inversion protection is unconditionally
++ enabled and cannot be disabled.
++
++ full
++ Provides all available mitigations for the
++ L1TF vulnerability. Disables SMT and
++ enables all mitigations in the
++ hypervisors, i.e. unconditional L1D flush.
++
++ SMT control and L1D flush control via the
++ sysfs interface is still possible after
++ boot. Hypervisors will issue a warning
++ when the first VM is started in a
++ potentially insecure configuration,
++ i.e. SMT enabled or L1D flush disabled.
++
++ full,force
++ Same as 'full', but disables SMT and L1D
++ flush runtime control. Implies the
++ 'nosmt=force' command line option.
++ (i.e. sysfs control of SMT is disabled.)
++
++ flush
++ Leaves SMT enabled and enables the default
++ hypervisor mitigation, i.e. conditional
++ L1D flush.
++
++ SMT control and L1D flush control via the
++ sysfs interface is still possible after
++ boot. Hypervisors will issue a warning
++ when the first VM is started in a
++ potentially insecure configuration,
++ i.e. SMT enabled or L1D flush disabled.
++
++ flush,nosmt
++
++ Disables SMT and enables the default
++ hypervisor mitigation.
++
++ SMT control and L1D flush control via the
++ sysfs interface is still possible after
++ boot. Hypervisors will issue a warning
++ when the first VM is started in a
++ potentially insecure configuration,
++ i.e. SMT enabled or L1D flush disabled.
++
++ flush,nowarn
++ Same as 'flush', but hypervisors will not
++ warn when a VM is started in a potentially
++ insecure configuration.
++
++ off
++ Disables hypervisor mitigations and doesn't
++ emit any warnings.
++
++ Default is 'flush'.
++
++ For details see: Documentation/l1tf.rst
++
+ l2cr= [PPC]
+
+ l3cr= [PPC]
diff --git a/patches.arch/0011-Documentation-Add-section-about-CPU-vulnerabilities.patch b/patches.arch/0011-Documentation-Add-section-about-CPU-vulnerabilities.patch
index 5843bbf2dd..f8d6f05804 100644
--- a/patches.arch/0011-Documentation-Add-section-about-CPU-vulnerabilities.patch
+++ b/patches.arch/0011-Documentation-Add-section-about-CPU-vulnerabilities.patch
@@ -2,12 +2,10 @@ From b4f6a2228077ea61b5944835cc67aba83cc9e82d Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx@linutronix.de>
Date: Fri, 13 Jul 2018 16:23:26 +0200
Subject: [PATCH 11/11] Documentation: Add section about CPU vulnerabilities
-Patch-mainline: not yet, under discussion
+Git-commit: 3ec8ce5d866ec6a08a9cfab82b62acf4a830b35f
+Patch-mainline: v4.19
References: bsc#1089343 CVE-2018-3646
-
-commit 3ec8ce5d866ec6a08a9cfab82b62acf4a830b35f upstream
-
Add documentation for the L1TF vulnerability and the mitigation mechanisms:
- Explain the problem and risks
diff --git a/patches.suse/0001-kvm-Introduce-nopvspin-kernel-parameter.patch b/patches.suse/0001-kvm-Introduce-nopvspin-kernel-parameter.patch
index 04decea2b2..725b9d41fc 100644
--- a/patches.suse/0001-kvm-Introduce-nopvspin-kernel-parameter.patch
+++ b/patches.suse/0001-kvm-Introduce-nopvspin-kernel-parameter.patch
@@ -20,19 +20,6 @@ Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
include/linux/jump_label.h | 6 ++++++
6 files changed, 58 insertions(+), 1 deletion(-)
---- a/Documentation/kernel-parameters.txt
-+++ b/Documentation/kernel-parameters.txt
-@@ -1887,6 +1887,10 @@ bytes respectively. Such letter suffixes
- feature (tagged TLBs) on capable Intel chips.
- Default is 1 (enabled)
-
-+ kvm_nopvspin [X86,KVM]
-+ Disables the paravirtualized spinlock slowpath
-+ optimizations for KVM.
-+
- l2cr= [PPC]
-
- l3cr= [PPC]
--- a/arch/x86/include/asm/qspinlock.h
+++ b/arch/x86/include/asm/qspinlock.h
@@ -1,6 +1,7 @@
@@ -130,7 +117,7 @@ Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
__pv_init_lock_hash();
--- a/arch/x86/kernel/paravirt.c
+++ b/arch/x86/kernel/paravirt.c
-@@ -124,6 +124,14 @@ unsigned paravirt_patch_jmp(void *insnbu
+@@ -130,6 +130,14 @@ unsigned paravirt_patch_jmp(void *insnbu
return 5;
}
@@ -155,7 +142,7 @@ Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
#include <asm/spec-ctrl.h>
#include <asm/intel-family.h>
#include <asm/cpu_device_id.h>
-@@ -1247,6 +1248,7 @@ void __init native_smp_prepare_boot_cpu(
+@@ -1309,6 +1310,7 @@ void __init native_smp_prepare_boot_cpu(
/* already set me in cpu_online_mask in boot_cpu_init() */
cpumask_set_cpu(me, cpu_callout_mask);
cpu_set_state_online(me);
@@ -163,9 +150,22 @@ Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
}
void __init native_smp_cpus_done(unsigned int max_cpus)
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -1899,6 +1899,10 @@ bytes respectively. Such letter suffixes
+ feature (tagged TLBs) on capable Intel chips.
+ Default is 1 (enabled)
+
++ kvm_nopvspin [X86,KVM]
++ Disables the paravirtualized spinlock slowpath
++ optimizations for KVM.
++
+ l1tf= [X86] Control mitigation of the L1TF vulnerability on
+ affected CPUs
+
--- a/include/linux/jump_label.h
+++ b/include/linux/jump_label.h
-@@ -269,9 +269,15 @@ struct static_key_false {
+@@ -277,9 +277,15 @@ struct static_key_false {
#define DEFINE_STATIC_KEY_TRUE(name) \
struct static_key_true name = STATIC_KEY_TRUE_INIT
diff --git a/series.conf b/series.conf
index 7034ab047d..e55b72208d 100644
--- a/series.conf
+++ b/series.conf
@@ -16339,6 +16339,7 @@
patches.drivers/0007-ASoC-hdmi-codec-Fix-hdmi_of_xlate_dai_name-when-soun.patch
patches.suse/SES5-0183-libceph-fix-legacy-layout-decode-with-pool-0.patch
patches.fixes/0003-libceph-initialize-last_linger_id-with-a-large-integer.patch
+ patches.fixes/aio-hold-an-extra-file-reference-over-AIO-read-write.patch
patches.drivers/hfi1-qib-0350-infiniband-shut-up-a-maybe-uninitialized-warning.patch
patches.drivers/0096-Documentation-synopsys-dw-mshc-add-binding-for-reset.patch
patches.drivers/0040-mmc-dw_mmc-add-the-reset-as-name-of-reset-controller.patch
@@ -23604,6 +23605,18 @@
patches.arch/09-x86-KVM-VMX-Extend-add_atomic_switch_msr-to-allow-VM.patch
patches.arch/10-x86-KVM-VMX-Use-MSR-save-list-for-IA32_FLUSH_CMD-if-.patch
patches.arch/16-cpu-hotplug-Online-siblings-when-SMT-control-is-turn.patch
+ patches.arch/0001-x86-litf-Introduce-vmx-status-variable.patch
+ patches.arch/0002-x86-kvm-Drop-L1TF-MSR-list-approach.patch
+ patches.arch/0003-x86-l1tf-Handle-EPT-disabled-state-proper.patch
+ patches.arch/0004-x86-kvm-Move-l1tf-setup-function.patch
+ patches.arch/0005-x86-kvm-Add-static-key-for-flush-always.patch
+ patches.arch/0006-x86-kvm-Serialize-L1D-flush-parameter-setter.patch
+ patches.arch/0007-x86-kvm-Allow-runtime-control-of-L1D-flush.patch
+ patches.arch/0008-cpu-hotplug-Expose-SMT-control-init-function.patch
+ patches.arch/0009-cpu-hotplug-Set-CPU_SMT_NOT_SUPPORTED-early.patch
+ patches.arch/0010-x86-bugs-kvm-Introduce-boot-time-control-of-L1TF-mit.patch
+ patches.arch/0011-Documentation-Add-section-about-CPU-vulnerabilities.patch
+ patches.arch/0012-cpu-hotplug-detect-SMT-disabled-by-BIOS.patch
patches.drivers/nvme-move-init-of-keep_alive-work-item-to-controller.patch
patches.suse/readahead-stricter-check-for-bdi-io_pages.patch
patches.drivers/0082-bcache-simplify-the-calculation-of-the-total-amount-.patch
@@ -25160,18 +25173,6 @@
patches.suse/nospec-fix-forced-cpucaps-ordering.patch
# SMT runtime control
- patches.arch/0001-x86-litf-Introduce-vmx-status-variable.patch
- patches.arch/0002-x86-kvm-Drop-L1TF-MSR-list-approach.patch
- patches.arch/0003-x86-l1tf-Handle-EPT-disabled-state-proper.patch
- patches.arch/0004-x86-kvm-Move-l1tf-setup-function.patch
- patches.arch/0005-x86-kvm-Add-static-key-for-flush-always.patch
- patches.arch/0006-x86-kvm-Serialize-L1D-flush-parameter-setter.patch
- patches.arch/0007-x86-kvm-Allow-runtime-control-of-L1D-flush.patch
- patches.arch/0008-cpu-hotplug-Expose-SMT-control-init-function.patch
- patches.arch/0009-cpu-hotplug-Set-CPU_SMT_NOT_SUPPORTED-early.patch
- patches.arch/0010-x86-bugs-kvm-Introduce-boot-time-control-of-L1TF-mit.patch
- patches.arch/0011-Documentation-Add-section-about-CPU-vulnerabilities.patch
- patches.arch/0012-cpu-hotplug-detect-SMT-disabled-by-BIOS.patch
patches.arch/cpu-hotplug-fix-smt-supported-evaluation.patch
# disable it temporary pending upstream discussion
- patches.arch/x86-speculation-enable-cross-hyperthread-spectre-v2-stibp-mitigation.patch
@@ -25181,7 +25182,6 @@
# fixes
patches.arch/0001-x86-KVM-VMX-Initialize-the-vmx_l1d_flush_pages-conte.patch
-
# bsc#1106369
patches.arch/x86-speculation-use-arch_capabilities-to-skip-l1d-flush-on-vmentry
patches.arch/kvm-vmx-fixes-for-vmentry_l1d_flush-module-parameter
@@ -25269,7 +25269,6 @@
patches.suse/hpwdt-calculate-reload-each-use.patch
patches.suse/hpwdt-add-dynamic-debug.patch
- patches.fixes/aio-hold-an-extra-file-reference-over-AIO-read-write.patch
########################################################
# You'd better have a good reason for adding a patch
# below here.