authorKernel Build Daemon <kbuild@suse.de>2019-04-23 07:06:22 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-04-23 07:06:22 +0200
commit6afbf917f6c4ad43ec0a942ca4b0cf621abcee9f (patch)
treea0003a35604fc488e9b7bb5c00d2bd24e1d5c072
parent79784a08aaa0d6463b4f8e212d8f93f8459bc75d (diff)
parent6e198cc5c9641077fd4007ef8327052d8f675474 (diff)
Merge branch 'SLE15' into SLE15-AZURE
-rw-r--r--blacklist.conf1
-rw-r--r--patches.arch/cpu-speculation-add-mitigations-cmdline-option.patch161
-rw-r--r--patches.arch/powerpc-speculation-support-mitigations-cmdline-option.patch117
-rw-r--r--patches.arch/s390-speculation-support-mitigations-cmdline-option.patch91
-rw-r--r--patches.arch/x86-speculation-support-mitigations-cmdline-option.patch148
-rw-r--r--patches.fixes/0001-gre6-use-log_ecn_error-module-parameter-in-ip6_tnl_r.patch34
-rw-r--r--patches.fixes/0001-net-bridge-add-vlan_tunnel-to-bridge-port-policies.patch34
-rw-r--r--patches.fixes/0001-netfilter-ip6t_MASQUERADE-add-dependency-on-conntrac.patch47
-rw-r--r--patches.fixes/0001-rxrpc-Don-t-release-call-mutex-on-error-pointer.patch39
-rw-r--r--patches.kabi/KABI-cpu-hotplug-provide-the-old-get-put_online_cpus.patch9
-rw-r--r--series.conf10
11 files changed, 688 insertions, 3 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 7ef56ae834..c0d1fc1bd4 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1070,3 +1070,4 @@ ea145aacf4ae8485cf179a4d0dc502e9f75044f4 # No bugfix, just cleanup
83cdb56864bcb1466b454f17fff47348ca7925a2 # No bugfix, just cleanup
bebd024e4815b1a170fcd21ead9c2222b23ce9e6 # SLE kernels already enable this
23ff6ba8feec5c4bdf993af3fba3937d57883dc8 # applied with rdma/cxgb4: Add support for kernel mode SRQ's
+bbbe211c295ffb309247adb7b871dda60d92d2d5 # there is no do_xdp_generic() function, doesn't apply
diff --git a/patches.arch/cpu-speculation-add-mitigations-cmdline-option.patch b/patches.arch/cpu-speculation-add-mitigations-cmdline-option.patch
new file mode 100644
index 0000000000..58fd60fc29
--- /dev/null
+++ b/patches.arch/cpu-speculation-add-mitigations-cmdline-option.patch
@@ -0,0 +1,161 @@
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Fri, 12 Apr 2019 15:39:28 -0500
+Subject: cpu/speculation: Add 'mitigations=' cmdline option
+Git-commit: 98af8452945c55652de68536afdde3b520fec429
+Patch-mainline: queued in subsystem tree
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
+References: bsc#1112178
+
+Keeping track of the number of mitigations for all the CPU speculation
+bugs has become overwhelming for many users. It's getting more and more
+complicated to decide which mitigations are needed for a given
+architecture. Complicating matters is the fact that each arch tends to
+have its own custom way to mitigate the same vulnerability.
+
+Most users fall into a few basic categories:
+
+a) they want all mitigations off;
+
+b) they want all reasonable mitigations on, with SMT enabled even if
+ it's vulnerable; or
+
+c) they want all reasonable mitigations on, with SMT disabled if
+ vulnerable.
+
+Define a set of curated, arch-independent options, each of which is an
+aggregation of existing options:
+
+- mitigations=off: Disable all mitigations.
+
+- mitigations=auto: [default] Enable all the default mitigations, but
+ leave SMT enabled, even if it's vulnerable.
+
+- mitigations=auto,nosmt: Enable all the default mitigations, disabling
+ SMT if needed by a mitigation.
+
+Currently, these options are placeholders which don't actually do
+anything. They will be fleshed out in upcoming patches.
+
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Jiri Kosina <jkosina@suse.cz> (on x86)
+Reviewed-by: Jiri Kosina <jkosina@suse.cz>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Jiri Kosina <jikos@kernel.org>
+Cc: Waiman Long <longman@redhat.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Jon Masters <jcm@redhat.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: linux-s390@vger.kernel.org
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-arch@vger.kernel.org
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Tyler Hicks <tyhicks@canonical.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: Steven Price <steven.price@arm.com>
+Cc: Phil Auld <pauld@redhat.com>
+Link: https://lkml.kernel.org/r/b07a8ef9b7c5055c3a4637c87d07c296d5016fe0.1555085500.git.jpoimboe@redhat.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ Documentation/admin-guide/kernel-parameters.txt | 24 ++++++++++++++++++++++++
+ include/linux/cpu.h | 24 ++++++++++++++++++++++++
+ kernel/cpu.c | 15 +++++++++++++++
+ 3 files changed, 63 insertions(+)
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -2374,6 +2374,30 @@
+ in the "bleeding edge" mini2440 support kernel at
+ http://repo.or.cz/w/linux-2.6/mini2440.git
+
++ mitigations=
++ Control optional mitigations for CPU vulnerabilities.
++ This is a set of curated, arch-independent options, each
++ of which is an aggregation of existing arch-specific
++ options.
++
++ off
++ Disable all optional CPU mitigations. This
++ improves system performance, but it may also
++ expose users to several CPU vulnerabilities.
++
++ auto (default)
++ Mitigate all CPU vulnerabilities, but leave SMT
++ enabled, even if it's vulnerable. This is for
++ users who don't want to be surprised by SMT
++ getting disabled across kernel upgrades, or who
++ have other ways of avoiding SMT-based attacks.
++ This is the default behavior.
++
++ auto,nosmt
++ Mitigate all CPU vulnerabilities, disabling SMT
++ if needed. This is for users who always want to
++ be fully mitigated, even if it means losing SMT.
++
+ mminit_loglevel=
+ [KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
+ parameter allows control of the logging verbosity for
+--- a/include/linux/cpu.h
++++ b/include/linux/cpu.h
+@@ -196,4 +196,28 @@ static inline void cpu_smt_check_topolog
+ static inline void cpu_smt_check_topology(void) { }
+ #endif
+
++/*
++ * These are used for a global "mitigations=" cmdline option for toggling
++ * optional CPU mitigations.
++ */
++enum cpu_mitigations {
++ CPU_MITIGATIONS_OFF,
++ CPU_MITIGATIONS_AUTO,
++ CPU_MITIGATIONS_AUTO_NOSMT,
++};
++
++extern enum cpu_mitigations cpu_mitigations;
++
++/* mitigations=off */
++static inline bool cpu_mitigations_off(void)
++{
++ return cpu_mitigations == CPU_MITIGATIONS_OFF;
++}
++
++/* mitigations=auto,nosmt */
++static inline bool cpu_mitigations_auto_nosmt(void)
++{
++ return cpu_mitigations == CPU_MITIGATIONS_AUTO_NOSMT;
++}
++
+ #endif /* _LINUX_CPU_H_ */
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -2082,3 +2082,18 @@ void __init boot_cpu_hotplug_init(void)
+ this_cpu_write(cpuhp_state.booted_once, true);
+ this_cpu_write(cpuhp_state.state, CPUHP_ONLINE);
+ }
++
++enum cpu_mitigations cpu_mitigations __ro_after_init = CPU_MITIGATIONS_AUTO;
++
++static int __init mitigations_parse_cmdline(char *arg)
++{
++ if (!strcmp(arg, "off"))
++ cpu_mitigations = CPU_MITIGATIONS_OFF;
++ else if (!strcmp(arg, "auto"))
++ cpu_mitigations = CPU_MITIGATIONS_AUTO;
++ else if (!strcmp(arg, "auto,nosmt"))
++ cpu_mitigations = CPU_MITIGATIONS_AUTO_NOSMT;
++
++ return 0;
++}
++early_param("mitigations", mitigations_parse_cmdline);
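Review bot: mitigations_parse_cmdline in the kernel/cpu.c hunk silently ignores any value other than `off`, `auto` or `auto,nosmt`, so a mistyped option leaves cpu_mitigations at its CPU_MITIGATIONS_AUTO initializer with nothing in the log, and a machine the operator meant to boot with `auto,nosmt` quietly keeps SMT enabled. A final branch that reports the rejected value, e.g. `else pr_warn("mitigations: unknown option '%s', using auto\n", arg);`, makes the misconfiguration visible in dmesg while keeping the `return 0` and the default behaviour unchanged. Because the comparison is an exact strcmp, `mitigations=nosmt,auto` is likewise not accepted, which the kernel-parameters.txt text in this hunk does not say; a short "the option string must match exactly" sentence there would close that gap.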
diff --git a/patches.arch/powerpc-speculation-support-mitigations-cmdline-option.patch b/patches.arch/powerpc-speculation-support-mitigations-cmdline-option.patch
new file mode 100644
index 0000000000..f9072b1237
--- /dev/null
+++ b/patches.arch/powerpc-speculation-support-mitigations-cmdline-option.patch
@@ -0,0 +1,117 @@
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Fri, 12 Apr 2019 15:39:30 -0500
+Subject: powerpc/speculation: Support 'mitigations=' cmdline option
+Git-commit: 782e69efb3dfed6e8360bc612e8c7827a901a8f9
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
+Patch-mainline: queued in subsystem tree
+References: bsc#1112178
+
+Configure powerpc CPU runtime speculation bug mitigations in accordance
+with the 'mitigations=' cmdline option. This affects Meltdown, Spectre
+v1, Spectre v2, and Speculative Store Bypass.
+
+The default behavior is unchanged.
+
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Jiri Kosina <jkosina@suse.cz> (on x86)
+Reviewed-by: Jiri Kosina <jkosina@suse.cz>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Jiri Kosina <jikos@kernel.org>
+Cc: Waiman Long <longman@redhat.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Jon Masters <jcm@redhat.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: linux-s390@vger.kernel.org
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-arch@vger.kernel.org
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Tyler Hicks <tyhicks@canonical.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: Steven Price <steven.price@arm.com>
+Cc: Phil Auld <pauld@redhat.com>
+Link: https://lkml.kernel.org/r/245a606e1a42a558a310220312d9b6adb9159df6.1555085500.git.jpoimboe@redhat.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ Documentation/admin-guide/kernel-parameters.txt | 9 +++++----
+ arch/powerpc/kernel/security.c | 5 +++--
+ arch/powerpc/kernel/setup_64.c | 2 +-
+ 3 files changed, 9 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/kernel/security.c
++++ b/arch/powerpc/kernel/security.c
+@@ -7,6 +7,7 @@
+ #include <linux/kernel.h>
+ #include <linux/device.h>
+ #include <linux/seq_buf.h>
++#include <linux/cpu.h>
+
+ #include <asm/asm-prototypes.h>
+ #include <asm/code-patching.h>
+@@ -52,7 +53,7 @@ void setup_barrier_nospec(void)
+ enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
+ security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR);
+
+- if (!no_nospec)
++ if (!no_nospec && !cpu_mitigations_off())
+ enable_barrier_nospec(enable);
+ }
+
+@@ -274,7 +275,7 @@ void setup_stf_barrier(void)
+
+ stf_enabled_flush_types = type;
+
+- if (!no_stf_barrier)
++ if (!no_stf_barrier && !cpu_mitigations_off())
+ stf_barrier_enable(enable);
+ }
+
+--- a/arch/powerpc/kernel/setup_64.c
++++ b/arch/powerpc/kernel/setup_64.c
+@@ -893,7 +893,7 @@ void setup_rfi_flush(enum l1d_flush_type
+
+ enabled_flush_types = types;
+
+- if (!no_rfi_flush)
++ if (!no_rfi_flush && !cpu_mitigations_off())
+ rfi_flush_enable(enable);
+ }
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -2375,7 +2375,7 @@
+ http://repo.or.cz/w/linux-2.6/mini2440.git
+
+ mitigations=
+- [X86] Control optional mitigations for CPU
++ [X86,PPC] Control optional mitigations for CPU
+ vulnerabilities. This is a set of curated,
+ arch-independent options, each of which is an
+ aggregation of existing arch-specific options.
+@@ -2384,10 +2384,11 @@
+ Disable all optional CPU mitigations. This
+ improves system performance, but it may also
+ expose users to several CPU vulnerabilities.
+- Equivalent to: nopti [X86]
+- nospectre_v2 [X86]
++ Equivalent to: nopti [X86,PPC]
++ nospectre_v1 [PPC]
++ nospectre_v2 [X86,PPC]
+ spectre_v2_user=off [X86]
+- spec_store_bypass_disable=off [X86]
++ spec_store_bypass_disable=off [X86,PPC]
+ l1tf=off [X86]
+
+ auto (default)
diff --git a/patches.arch/s390-speculation-support-mitigations-cmdline-option.patch b/patches.arch/s390-speculation-support-mitigations-cmdline-option.patch
new file mode 100644
index 0000000000..232c182f03
--- /dev/null
+++ b/patches.arch/s390-speculation-support-mitigations-cmdline-option.patch
@@ -0,0 +1,91 @@
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Fri, 12 Apr 2019 15:39:31 -0500
+Subject: s390/speculation: Support 'mitigations=' cmdline option
+Git-commit: 0336e04a6520bdaefdb0769d2a70084fa52e81ed
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
+Patch-mainline: queued in subsystem tree
+References: bsc#1112178
+
+Configure s390 runtime CPU speculation bug mitigations in accordance
+with the 'mitigations=' cmdline option. This affects Spectre v1 and
+Spectre v2.
+
+The default behavior is unchanged.
+
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Jiri Kosina <jkosina@suse.cz> (on x86)
+Reviewed-by: Jiri Kosina <jkosina@suse.cz>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Jiri Kosina <jikos@kernel.org>
+Cc: Waiman Long <longman@redhat.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Jon Masters <jcm@redhat.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: linux-s390@vger.kernel.org
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-arch@vger.kernel.org
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Tyler Hicks <tyhicks@canonical.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: Steven Price <steven.price@arm.com>
+Cc: Phil Auld <pauld@redhat.com>
+Link: https://lkml.kernel.org/r/e4a161805458a5ec88812aac0307ae3908a030fc.1555085500.git.jpoimboe@redhat.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ Documentation/admin-guide/kernel-parameters.txt | 5 +++--
+ arch/s390/kernel/nospec-branch.c | 3 ++-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/kernel/nospec-branch.c
++++ b/arch/s390/kernel/nospec-branch.c
+@@ -2,6 +2,7 @@
+ #include <linux/module.h>
+ #include <linux/device.h>
+ #include <asm/facility.h>
++#include <linux/cpu.h>
+ #include <asm/nospec-branch.h>
+
+ static int __init nobp_setup_early(char *str)
+@@ -59,7 +60,7 @@ early_param("nospectre_v2", nospectre_v2
+
+ void __init nospec_auto_detect(void)
+ {
+- if (test_facility(156)) {
++ if (test_facility(156) || cpu_mitigations_off()) {
+ /*
+ * The machine supports etokens.
+ * Disable expolines and disable nobp.
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -2375,7 +2375,7 @@
+ http://repo.or.cz/w/linux-2.6/mini2440.git
+
+ mitigations=
+- [X86,PPC] Control optional mitigations for CPU
++ [X86,PPC,S390] Control optional mitigations for CPU
+ vulnerabilities. This is a set of curated,
+ arch-independent options, each of which is an
+ aggregation of existing arch-specific options.
+@@ -2386,7 +2386,8 @@
+ expose users to several CPU vulnerabilities.
+ Equivalent to: nopti [X86,PPC]
+ nospectre_v1 [PPC]
+- nospectre_v2 [X86,PPC]
++ nobp=0 [S390]
++ nospectre_v2 [X86,PPC,S390]
+ spectre_v2_user=off [X86]
+ spec_store_bypass_disable=off [X86,PPC]
+ l1tf=off [X86]
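Review bot: The comment inside the branch changed in the nospec-branch.c hunk still reads `The machine supports etokens.`, but after the change the same branch is also entered when cpu_mitigations_off() is true on a machine without facility 156, so the comment now describes only one of the two ways in. Suggest rewording it to `The machine supports etokens, or mitigations were disabled on the command line: disable expolines and disable nobp.` so a reader does not assume etokens are present inside that block. The body of nospec_auto_detect continues past the hunk, so whatever else happens on this path is not visible here. Separately, the new `#include <linux/cpu.h>` is placed between two `<asm/...>` includes instead of with the `<linux/...>` headers directly above it, a minor ordering nit.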
diff --git a/patches.arch/x86-speculation-support-mitigations-cmdline-option.patch b/patches.arch/x86-speculation-support-mitigations-cmdline-option.patch
new file mode 100644
index 0000000000..8fda421f64
--- /dev/null
+++ b/patches.arch/x86-speculation-support-mitigations-cmdline-option.patch
@@ -0,0 +1,148 @@
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Fri, 12 Apr 2019 15:39:29 -0500
+Subject: x86/speculation: Support 'mitigations=' cmdline option
+Git-commit: d68be4c4d31295ff6ae34a8ddfaa4c1a8ff42812
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
+Patch-mainline: queued in subsystem tree
+References: bsc#1112178
+
+Configure x86 runtime CPU speculation bug mitigations in accordance with
+the 'mitigations=' cmdline option. This affects Meltdown, Spectre v2,
+Speculative Store Bypass, and L1TF.
+
+The default behavior is unchanged.
+
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Jiri Kosina <jkosina@suse.cz> (on x86)
+Reviewed-by: Jiri Kosina <jkosina@suse.cz>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Jiri Kosina <jikos@kernel.org>
+Cc: Waiman Long <longman@redhat.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Jon Masters <jcm@redhat.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: linux-s390@vger.kernel.org
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-arch@vger.kernel.org
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Tyler Hicks <tyhicks@canonical.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: Steven Price <steven.price@arm.com>
+Cc: Phil Auld <pauld@redhat.com>
+Link: https://lkml.kernel.org/r/6616d0ae169308516cfdf5216bedd169f8a8291b.1555085500.git.jpoimboe@redhat.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ Documentation/admin-guide/kernel-parameters.txt | 16 +++++++++++-----
+ arch/x86/kernel/cpu/bugs.c | 11 +++++++++--
+ arch/x86/mm/pti.c | 4 +++-
+ 3 files changed, 23 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -260,6 +260,11 @@ static void __init l1tf_select_mitigatio
+ if (!boot_cpu_has_bug(X86_BUG_L1TF))
+ return;
+
++ if (cpu_mitigations_off())
++ l1tf_mitigation = L1TF_MITIGATION_OFF;
++ else if (cpu_mitigations_auto_nosmt())
++ l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
++
+ override_cache_bits(&boot_cpu_data);
+
+ switch (l1tf_mitigation) {
+@@ -546,7 +551,8 @@ static enum spectre_v2_mitigation_cmd __
+ char arg[20];
+ int ret, i;
+
+- if (cmdline_find_option_bool(boot_command_line, "nospectre_v2"))
++ if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") ||
++ cpu_mitigations_off())
+ return SPECTRE_V2_CMD_NONE;
+
+ ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
+@@ -792,7 +798,8 @@ static enum ssb_mitigation_cmd __init ss
+ char arg[20];
+ int ret, i;
+
+- if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable")) {
++ if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") ||
++ cpu_mitigations_off()) {
+ return SPEC_STORE_BYPASS_CMD_NONE;
+ } else {
+ ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
+--- a/arch/x86/mm/pti.c
++++ b/arch/x86/mm/pti.c
+@@ -35,6 +35,7 @@
+ #include <linux/spinlock.h>
+ #include <linux/mm.h>
+ #include <linux/uaccess.h>
++#include <linux/cpu.h>
+
+ #include <asm/cpufeature.h>
+ #include <asm/hypervisor.h>
+@@ -90,7 +91,8 @@ void __init pti_check_boottime_disable(v
+ goto autosel;
+ }
+
+- if (cmdline_find_option_bool(boot_command_line, "nopti")) {
++ if (cmdline_find_option_bool(boot_command_line, "nopti") ||
++ cpu_mitigations_off()) {
+ pti_print_if_insecure("disabled on command line.");
+ return;
+ }
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -2375,15 +2375,20 @@
+ http://repo.or.cz/w/linux-2.6/mini2440.git
+
+ mitigations=
+- Control optional mitigations for CPU vulnerabilities.
+- This is a set of curated, arch-independent options, each
+- of which is an aggregation of existing arch-specific
+- options.
++ [X86] Control optional mitigations for CPU
++ vulnerabilities. This is a set of curated,
++ arch-independent options, each of which is an
++ aggregation of existing arch-specific options.
+
+ off
+ Disable all optional CPU mitigations. This
+ improves system performance, but it may also
+ expose users to several CPU vulnerabilities.
++ Equivalent to: nopti [X86]
++ nospectre_v2 [X86]
++ spectre_v2_user=off [X86]
++ spec_store_bypass_disable=off [X86]
++ l1tf=off [X86]
+
+ auto (default)
+ Mitigate all CPU vulnerabilities, but leave SMT
+@@ -2391,12 +2396,13 @@
+ users who don't want to be surprised by SMT
+ getting disabled across kernel upgrades, or who
+ have other ways of avoiding SMT-based attacks.
+- This is the default behavior.
++ Equivalent to: (default behavior)
+
+ auto,nosmt
+ Mitigate all CPU vulnerabilities, disabling SMT
+ if needed. This is for users who always want to
+ be fully mitigated, even if it means losing SMT.
++ Equivalent to: l1tf=flush,nosmt [X86]
+
+ mminit_loglevel=
+ [KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
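Review bot: In the bugs.c hunk for l1tf_select_mitigation, the two added assignments overwrite l1tf_mitigation unconditionally, so if that variable was already set from an explicit `l1tf=` option earlier in boot (presumably the case, given the `l1tf=off` and `l1tf=flush,nosmt` equivalences documented in the same patch) then `mitigations=off` discards an explicit `l1tf=full` and `mitigations=auto,nosmt` discards an explicit `l1tf=off`. The spectre_v2, ssb and pti hunks only OR cpu_mitigations_off() into the "disabled on command line" test, so the precedence between `mitigations=` and the per-mitigation options differs for L1TF and is stated nowhere in the kernel-parameters.txt text added here. A comment above the new assignments, `/* mitigations= overrides any earlier l1tf= setting */`, plus one sentence in the `mitigations=` documentation saying that when both are given `mitigations=` takes precedence over the listed per-mitigation options, would record the intended behaviour. l1tf_select_mitigation and the documentation section both extend beyond the hunk.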
diff --git a/patches.fixes/0001-gre6-use-log_ecn_error-module-parameter-in-ip6_tnl_r.patch b/patches.fixes/0001-gre6-use-log_ecn_error-module-parameter-in-ip6_tnl_r.patch
new file mode 100644
index 0000000000..4e4dc94d00
--- /dev/null
+++ b/patches.fixes/0001-gre6-use-log_ecn_error-module-parameter-in-ip6_tnl_r.patch
@@ -0,0 +1,34 @@
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Subject: gre6: use log_ecn_error module parameter in ip6_tnl_rcv()
+Patch-mainline: v4.15-rc1
+Git-commit: 981542c526ecd846920bc500e9989da906ee9fb9
+References: git-fixes
+
+After commit 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call
+common GRE functions") it's not used anywhere in the module, but
+previously was used in ip6gre_rcv().
+
+Fixes: 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call common GRE functions")
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/ip6_gre.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index b90bad7a4e56..4cfd8e0696fe 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -460,7 +460,7 @@ static int ip6gre_rcv(struct sk_buff *skb, const struct tnl_ptk_info *tpi)
+ &ipv6h->saddr, &ipv6h->daddr, tpi->key,
+ tpi->proto);
+ if (tunnel) {
+- ip6_tnl_rcv(tunnel, skb, tpi, NULL, false);
++ ip6_tnl_rcv(tunnel, skb, tpi, NULL, log_ecn_error);
+
+ return PACKET_RCVD;
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0001-net-bridge-add-vlan_tunnel-to-bridge-port-policies.patch b/patches.fixes/0001-net-bridge-add-vlan_tunnel-to-bridge-port-policies.patch
new file mode 100644
index 0000000000..fd18252494
--- /dev/null
+++ b/patches.fixes/0001-net-bridge-add-vlan_tunnel-to-bridge-port-policies.patch
@@ -0,0 +1,34 @@
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Subject: net: bridge: add vlan_tunnel to bridge port policies
+Patch-mainline: v5.1-rc1
+Git-commit: fbec443bfe44f58a40e00962e969b5a9cafde457
+References: git-fixes
+
+Found another missing port flag policy entry for IFLA_BRPORT_VLAN_TUNNEL
+so add it now.
+
+CC: Roopa Prabhu <roopa@cumulusnetworks.com>
+Fixes: efa5356b0d97 ("bridge: per vlan dst_metadata netlink support")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/bridge/br_netlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
+index fbbb5a34702b..54fdcfe8eee2 100644
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -637,6 +637,7 @@ static const struct nla_policy br_port_policy[IFLA_BRPORT_MAX + 1] = {
+ [IFLA_BRPORT_MCAST_TO_UCAST] = { .type = NLA_U8 },
+ [IFLA_BRPORT_MCAST_FLOOD] = { .type = NLA_U8 },
+ [IFLA_BRPORT_BCAST_FLOOD] = { .type = NLA_U8 },
++ [IFLA_BRPORT_VLAN_TUNNEL] = { .type = NLA_U8 },
+ };
+
+ /* Change the state of the port and notify spanning tree */
+--
+2.12.3
+
diff --git a/patches.fixes/0001-netfilter-ip6t_MASQUERADE-add-dependency-on-conntrac.patch b/patches.fixes/0001-netfilter-ip6t_MASQUERADE-add-dependency-on-conntrac.patch
new file mode 100644
index 0000000000..8c78df7a97
--- /dev/null
+++ b/patches.fixes/0001-netfilter-ip6t_MASQUERADE-add-dependency-on-conntrac.patch
@@ -0,0 +1,47 @@
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Subject: netfilter: ip6t_MASQUERADE: add dependency on conntrack
+ module
+Patch-mainline: v4.15-rc4
+Git-commit: 23715275e4fb6f64358a499d20928a9e93819f2f
+References: git-fixes
+
+After commit 4d3a57f23dec ("netfilter: conntrack: do not enable connection
+tracking unless needed") conntrack is disabled by default unless some
+module explicitly declares dependency in particular network namespace.
+
+Fixes: a357b3f80bc8 ("netfilter: nat: add dependencies on conntrack module")
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/netfilter/ip6t_MASQUERADE.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/netfilter/ip6t_MASQUERADE.c b/net/ipv6/netfilter/ip6t_MASQUERADE.c
+index 2b1a15846f9a..92c0047e7e33 100644
+--- a/net/ipv6/netfilter/ip6t_MASQUERADE.c
++++ b/net/ipv6/netfilter/ip6t_MASQUERADE.c
+@@ -33,13 +33,19 @@ static int masquerade_tg6_checkentry(const struct xt_tgchk_param *par)
+
+ if (range->flags & NF_NAT_RANGE_MAP_IPS)
+ return -EINVAL;
+- return 0;
++ return nf_ct_netns_get(par->net, par->family);
++}
++
++static void masquerade_tg6_destroy(const struct xt_tgdtor_param *par)
++{
++ nf_ct_netns_put(par->net, par->family);
+ }
+
+ static struct xt_target masquerade_tg6_reg __read_mostly = {
+ .name = "MASQUERADE",
+ .family = NFPROTO_IPV6,
+ .checkentry = masquerade_tg6_checkentry,
++ .destroy = masquerade_tg6_destroy,
+ .target = masquerade_tg6,
+ .targetsize = sizeof(struct nf_nat_range),
+ .table = "nat",
+--
+2.12.3
+
diff --git a/patches.fixes/0001-rxrpc-Don-t-release-call-mutex-on-error-pointer.patch b/patches.fixes/0001-rxrpc-Don-t-release-call-mutex-on-error-pointer.patch
new file mode 100644
index 0000000000..513e720753
--- /dev/null
+++ b/patches.fixes/0001-rxrpc-Don-t-release-call-mutex-on-error-pointer.patch
@@ -0,0 +1,39 @@
+From: David Howells <dhowells@redhat.com>
+Subject: rxrpc: Don't release call mutex on error pointer
+Patch-mainline: v5.1-rc1
+Git-commit: 6cb3ece9685f78f9b288dd2afea58c35784e40b8
+References: git-fixes
+
+Don't release call mutex at the end of rxrpc_kernel_begin_call() if the
+call pointer actually holds an error value.
+
+Fixes: 540b1c48c37a ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
+Reported-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/rxrpc/af_rxrpc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
+index 7fb59c3f1542..38dd20096efa 100644
+--- a/net/rxrpc/af_rxrpc.c
++++ b/net/rxrpc/af_rxrpc.c
+@@ -291,10 +291,11 @@ struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
+ cp.service_id = srx->srx_service;
+ call = rxrpc_new_client_call(rx, &cp, srx, user_call_ID, gfp);
+ /* The socket has been unlocked. */
+- if (!IS_ERR(call))
++ if (!IS_ERR(call)) {
+ call->notify_rx = notify_rx;
++ mutex_unlock(&call->user_mutex);
++ }
+
+- mutex_unlock(&call->user_mutex);
+ _leave(" = %p", call);
+ return call;
+ }
+--
+2.12.3
+
diff --git a/patches.kabi/KABI-cpu-hotplug-provide-the-old-get-put_online_cpus.patch b/patches.kabi/KABI-cpu-hotplug-provide-the-old-get-put_online_cpus.patch
index fe0edcecfa..67fa6505bd 100644
--- a/patches.kabi/KABI-cpu-hotplug-provide-the-old-get-put_online_cpus.patch
+++ b/patches.kabi/KABI-cpu-hotplug-provide-the-old-get-put_online_cpus.patch
@@ -31,11 +31,10 @@ Signed-off-by: Michal Suchanek <msuchanek@suse.de>
extern int freeze_secondary_cpus(int primary);
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
-@@ -2074,3 +2074,11 @@ void __init boot_cpu_hotplug_init(void)
- this_cpu_write(cpuhp_state.booted_once, true);
+@@ -2083,6 +2083,14 @@ void __init boot_cpu_hotplug_init(void)
this_cpu_write(cpuhp_state.state, CPUHP_ONLINE);
}
-+
+
+/* kabi */
+#undef get_online_cpus
+#undef put_online_cpus
@@ -43,3 +42,7 @@ Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+static void put_online_cpus(void) { cpus_read_unlock(); }
+EXPORT_SYMBOL_GPL(get_online_cpus);
+EXPORT_SYMBOL_GPL(put_online_cpus);
++
+ enum cpu_mitigations cpu_mitigations __ro_after_init = CPU_MITIGATIONS_AUTO;
+
+ static int __init mitigations_parse_cmdline(char *arg)
diff --git a/series.conf b/series.conf
index 3553348934..4173bd5938 100644
--- a/series.conf
+++ b/series.conf
@@ -7670,6 +7670,7 @@
patches.suse/net-bridge-fix-returning-of-vlan-range-op-errors.patch
patches.drivers/soreuseport-fix-initialization-race.patch
patches.drivers/net-ethtool-remove-error-check-for-legacy-setting-tr.patch
+ patches.fixes/0001-rxrpc-Don-t-release-call-mutex-on-error-pointer.patch
patches.suse/ipv6-flowlabel-do-not-leave-opt-tot_len-with-garbage.patch
patches.suse/objtool-Fix-memory-leak-in-decode_instructions.patch
patches.suse/irqchip-gic-v3-its-Fix-the-incorrect-BUG_ON-in-its_i.patch
@@ -9241,6 +9242,7 @@
patches.fixes/bpf-fix-and-add-test-cases-for-ARG_CONST_SIZE_OR_ZER.patch
patches.drivers/net-hns3-Updates-MSI-MSI-X-alloc-free-APIs-depricate.patch
patches.drivers/net-mvneta-fix-handling-of-the-Tx-descriptor-counter.patch
+ patches.fixes/0001-net-bridge-add-vlan_tunnel-to-bridge-port-policies.patch
patches.drivers/ibmvnic-121-Feature-implementation-of-Vital-Product-Data.patch
patches.fixes/atm-horizon-Fix-irq-release-error.patch
patches.fixes/ipv6-set-all.accept_dad-to-0-by-default.patch
@@ -10337,6 +10339,7 @@
patches.fixes/rbd-set-discard_alignment-to-zero.patch
patches.suse/0018-libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch
patches.fixes/orangefs-remove-initialization-of-i_version.patch
+ patches.fixes/0001-gre6-use-log_ecn_error-module-parameter-in-ip6_tnl_r.patch
patches.fixes/tcp-when-scheduling-TLP-time-of-RTO-should-account-f.patch
patches.drivers/net-ena-fix-race-condition-between-device-reset-and-.patch
patches.fixes/0001-net-qmi_wwan-add-Quectel-BG96-2c7c-0296.patch
@@ -10902,6 +10905,7 @@
patches.fixes/netfilter-nfnetlink_cthelper-Add-missing-permission-.patch
patches.fixes/netfilter-xt_bpf-add-overflow-checks.patch
patches.fixes/netfilter-xt_osf-Add-missing-permission-checks.patch
+ patches.fixes/0001-netfilter-ip6t_MASQUERADE-add-dependency-on-conntrac.patch
patches.drivers/hippi-Fix-a-Fix-a-possible-sleep-in-atomic-bug-in-rr
patches.fixes/tcp-fix-potential-underestimation-on-rcv_rtt.patch
patches.fixes/tcp-refresh-tcp_mstamp-from-timers-callbacks.patch
@@ -21540,6 +21544,12 @@
patches.suse/msft-hv-1766-hv_netvsc-fix-vf-serial-matching-with-pci-slot-info.patch
patches.drivers/ibmvnic-Report-actual-backing-device-speed-and-duple.patch
+ # tip/tip
+ patches.arch/cpu-speculation-add-mitigations-cmdline-option.patch
+ patches.arch/x86-speculation-support-mitigations-cmdline-option.patch
+ patches.arch/powerpc-speculation-support-mitigations-cmdline-option.patch
+ patches.arch/s390-speculation-support-mitigations-cmdline-option.patch
+
# dhowells/linux-fs keys-uefi
patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
patches.suse/0002-efi-Add-EFI-signature-data-types.patch