# git rev-parse -q --verify 958f338e96f874a0d29442396d6adf9c1e17aa2d^{commit} 958f338e96f874a0d29442396d6adf9c1e17aa2d already have revision, skipping fetch # git checkout -q -f -B kisskb 958f338e96f874a0d29442396d6adf9c1e17aa2d # git clean -qxdf # < git log -1 # commit 958f338e96f874a0d29442396d6adf9c1e17aa2d # Merge: 781fca5 07d981a # Author: Linus Torvalds # Date: Tue Aug 14 09:46:06 2018 -0700 # # Merge branch 'l1tf-final' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip # # Merge L1 Terminal Fault fixes from Thomas Gleixner: # "L1TF, aka L1 Terminal Fault, is yet another speculative hardware # engineering trainwreck. It's a hardware vulnerability which allows # unprivileged speculative access to data which is available in the # Level 1 Data Cache when the page table entry controlling the virtual # address, which is used for the access, has the Present bit cleared or # other reserved bits set. # # If an instruction accesses a virtual address for which the relevant # page table entry (PTE) has the Present bit cleared or other reserved # bits set, then speculative execution ignores the invalid PTE and loads # the referenced data if it is present in the Level 1 Data Cache, as if # the page referenced by the address bits in the PTE was still present # and accessible. # # While this is a purely speculative mechanism and the instruction will # raise a page fault when it is retired eventually, the pure act of # loading the data and making it available to other speculative # instructions opens up the opportunity for side channel attacks to # unprivileged malicious code, similar to the Meltdown attack. # # While Meltdown breaks the user space to kernel space protection, L1TF # allows to attack any physical memory address in the system and the # attack works across all protection domains. It allows an attack of SGX # and also works from inside virtual machines because the speculation # bypasses the extended page table (EPT) protection mechanism. # # The assoicated CVEs are: CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 # # The mitigations provided by this pull request include: # # - Host side protection by inverting the upper address bits of a non # present page table entry so the entry points to uncacheable memory. # # - Hypervisor protection by flushing L1 Data Cache on VMENTER. # # - SMT (HyperThreading) control knobs, which allow to 'turn off' SMT # by offlining the sibling CPU threads. The knobs are available on # the kernel command line and at runtime via sysfs # # - Control knobs for the hypervisor mitigation, related to L1D flush # and SMT control. The knobs are available on the kernel command line # and at runtime via sysfs # # - Extensive documentation about L1TF including various degrees of # mitigations. # # Thanks to all people who have contributed to this in various ways - # patches, review, testing, backporting - and the fruitful, sometimes # heated, but at the end constructive discussions. # # There is work in progress to provide other forms of mitigations, which # might be less horrible performance wise for a particular kind of # workloads, but this is not yet ready for consumption due to their # complexity and limitations" # # * 'l1tf-final' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (75 commits) # x86/microcode: Allow late microcode loading with SMT disabled # tools headers: Synchronise x86 cpufeatures.h for L1TF additions # x86/mm/kmmio: Make the tracer robust against L1TF # x86/mm/pat: Make set_memory_np() L1TF safe # x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert # x86/speculation/l1tf: Invert all not present mappings # cpu/hotplug: Fix SMT supported evaluation # KVM: VMX: Tell the nested hypervisor to skip L1D flush on vmentry # x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry # x86/speculation: Simplify sysfs report of VMX L1TF vulnerability # Documentation/l1tf: Remove Yonah processors from not vulnerable list # x86/KVM/VMX: Don't set l1tf_flush_l1d from vmx_handle_external_intr() # x86/irq: Let interrupt handlers set kvm_cpu_l1tf_flush_l1d # x86: Don't include linux/irq.h from asm/hardirq.h # x86/KVM/VMX: Introduce per-host-cpu analogue of l1tf_flush_l1d # x86/irq: Demote irq_cpustat_t::__softirq_pending to u16 # x86/KVM/VMX: Move the l1tf_flush_l1d test to vmx_l1d_flush() # x86/KVM/VMX: Replace 'vmx_l1d_flush_always' with 'vmx_l1d_flush_cond' # x86/KVM/VMX: Don't set l1tf_flush_l1d to true from vmx_l1d_flush() # cpu/hotplug: detect SMT disabled by BIOS # ... # < /opt/cross/kisskb/korg/gcc-8.1.0-nolibc/aarch64-linux/bin/aarch64-linux-gcc --version # < git log --format=%s --max-count=1 958f338e96f874a0d29442396d6adf9c1e17aa2d # < make -s -j 48 ARCH=arm64 O=/kisskb/build/linus_arm64-defconfig_arm64-gcc8 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-8.1.0-nolibc/aarch64-linux/bin/aarch64-linux- defconfig # make -s -j 48 ARCH=arm64 O=/kisskb/build/linus_arm64-defconfig_arm64-gcc8 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-8.1.0-nolibc/aarch64-linux/bin/aarch64-linux- :1335:2: warning: #warning syscall rseq not implemented [-Wcpp] In function 'fill_item_path', inlined from 'configfs_get_target_path' at /kisskb/src/fs/configfs/symlink.c:250:2, inlined from 'configfs_getlink' at /kisskb/src/fs/configfs/symlink.c:272:10, inlined from 'configfs_get_link.part.1' at /kisskb/src/fs/configfs/symlink.c:295:10, inlined from 'configfs_get_link': /kisskb/src/fs/configfs/symlink.c:67:3: warning: 'strncpy' output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation] strncpy(buffer + length,config_item_name(p),cur); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/fs/configfs/symlink.c: In function 'configfs_get_link': /kisskb/src/fs/configfs/symlink.c:63:13: note: length computed here int cur = strlen(config_item_name(p)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/crypto/ablkcipher.c: In function 'crypto_ablkcipher_report': /kisskb/src/crypto/ablkcipher.c:374:2: warning: 'strncpy' specified bound 64 equals destination size [-Wstringop-truncation] strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ sizeof(rblkcipher.geniv)); ~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/crypto/ablkcipher.c: In function 'crypto_givcipher_report': /kisskb/src/crypto/ablkcipher.c:448:2: warning: 'strncpy' specified bound 64 equals destination size [-Wstringop-truncation] strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ sizeof(rblkcipher.geniv)); ~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/crypto/blkcipher.c: In function 'crypto_blkcipher_report': /kisskb/src/crypto/blkcipher.c:513:2: warning: 'strncpy' specified bound 64 equals destination size [-Wstringop-truncation] strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ sizeof(rblkcipher.geniv)); ~~~~~~~~~~~~~~~~~~~~~~~~~ In function 'hidp_setup_hid', inlined from 'hidp_session_dev_init' at /kisskb/src/net/bluetooth/hidp/core.c:815:9, inlined from 'hidp_session_new' at /kisskb/src/net/bluetooth/hidp/core.c:953:8, inlined from 'hidp_connection_add' at /kisskb/src/net/bluetooth/hidp/core.c:1366:8: /kisskb/src/net/bluetooth/hidp/core.c:778:2: warning: 'strncpy' output may be truncated copying 127 bytes from a string of length 127 [-Wstringop-truncation] strncpy(hid->name, req->name, sizeof(req->name) - 1); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function 'kernfs_get_target_path', inlined from 'kernfs_getlink.isra.0' at /kisskb/src/fs/kernfs/symlink.c:109:10, inlined from 'kernfs_iop_get_link.part.1' at /kisskb/src/fs/kernfs/symlink.c:127:10, inlined from 'kernfs_iop_get_link': /kisskb/src/fs/kernfs/symlink.c:91:3: warning: 'strncpy' output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation] strncpy(s + len, kn->name, slen); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/fs/kernfs/symlink.c: In function 'kernfs_iop_get_link': /kisskb/src/fs/kernfs/symlink.c:88:14: note: length computed here int slen = strlen(kn->name); ^~~~~~~~~~~~~~~~ /kisskb/src/fs/ext4/super.c: In function '__save_error_info.isra.8': /kisskb/src/fs/ext4/super.c:344:2: warning: 'strncpy' specified bound 32 equals destination size [-Wstringop-truncation] strncpy(es->s_last_error_func, func, sizeof(es->s_last_error_func)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/fs/ext4/super.c:349:3: warning: 'strncpy' specified bound 32 equals destination size [-Wstringop-truncation] strncpy(es->s_first_error_func, func, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ sizeof(es->s_first_error_func)); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function 'fill_kobj_path', inlined from 'kobject_get_path' at /kisskb/src/lib/kobject.c:155:2: /kisskb/src/lib/kobject.c:128:3: warning: 'strncpy' output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation] strncpy(path + length, kobject_name(parent), cur); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/lib/kobject.c: In function 'kobject_get_path': /kisskb/src/lib/kobject.c:125:13: note: length computed here int cur = strlen(kobject_name(parent)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function 'devfreq_add_device.part.7', inlined from 'devfreq_add_device': /kisskb/src/drivers/devfreq/devfreq.c:593:2: warning: 'strncpy' specified bound 16 equals destination size [-Wstringop-truncation] strncpy(devfreq->governor_name, governor_name, DEVFREQ_NAME_LEN); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/drivers/gpu/drm/nouveau/nvif/client.c: In function 'nvif_client_init': /kisskb/src/drivers/gpu/drm/nouveau/nvif/client.c:72:2: warning: 'strncpy' specified bound 32 equals destination size [-Wstringop-truncation] strncpy(args.name, name, sizeof(args.name)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function 'nvme_init_subnqn.isra.19', inlined from 'nvme_init_subsystem' at /kisskb/src/drivers/nvme/host/core.c:2207:2, inlined from 'nvme_init_identify' at /kisskb/src/drivers/nvme/host/core.c:2365:9: /kisskb/src/drivers/nvme/host/core.c:2061:3: warning: 'strncpy' output may be truncated copying 223 bytes from a string of length 255 [-Wstringop-truncation] strncpy(subsys->subnqn, id->subnqn, NVMF_NQN_SIZE); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/drivers/gpu/drm/msm/msm_fence.c: In function 'msm_fence_context_alloc': /kisskb/src/drivers/gpu/drm/msm/msm_fence.c:34:2: warning: 'strncpy' specified bound 32 equals destination size [-Wstringop-truncation] strncpy(fctx->name, name, sizeof(fctx->name)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function 'qcom_glink_rx_close', inlined from 'qcom_glink_work' at /kisskb/src/drivers/rpmsg/qcom_glink_native.c:1528:4: /kisskb/src/drivers/rpmsg/qcom_glink_native.c:1454:3: warning: 'strncpy' specified bound 32 equals destination size [-Wstringop-truncation] strncpy(chinfo.name, channel->name, sizeof(chinfo.name)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function 'qcom_glink_rx_open', inlined from 'qcom_glink_work' at /kisskb/src/drivers/rpmsg/qcom_glink_native.c:1525:4: /kisskb/src/drivers/rpmsg/qcom_glink_native.c:1404:3: warning: 'strncpy' specified bound 32 equals destination size [-Wstringop-truncation] strncpy(rpdev->id.name, name, RPMSG_NAME_SIZE); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function 'qcom_smd_create_device.isra.2', inlined from 'qcom_channel_state_worker' at /kisskb/src/drivers/rpmsg/qcom_smd.c:1273:3: /kisskb/src/drivers/rpmsg/qcom_smd.c:1068:2: warning: 'strncpy' specified bound 32 equals destination size [-Wstringop-truncation] strncpy(rpdev->id.name, channel->name, RPMSG_NAME_SIZE); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/drivers/rpmsg/qcom_smd.c: In function 'qcom_channel_state_worker': /kisskb/src/drivers/rpmsg/qcom_smd.c:1296:3: warning: 'strncpy' specified bound 32 equals destination size [-Wstringop-truncation] strncpy(chinfo.name, channel->name, sizeof(chinfo.name)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/drivers/video/hdmi.c: In function 'hdmi_spd_infoframe_init': /kisskb/src/drivers/video/hdmi.c:174:2: warning: 'strncpy' specified bound 8 equals destination size [-Wstringop-truncation] strncpy(frame->vendor, vendor, sizeof(frame->vendor)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/drivers/video/hdmi.c:175:2: warning: 'strncpy' specified bound 16 equals destination size [-Wstringop-truncation] strncpy(frame->product, product, sizeof(frame->product)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function 'nvkm_udevice_info', inlined from 'nvkm_udevice_mthd' at /kisskb/src/drivers/gpu/drm/nouveau/nvkm/engine/device/user.c:223:10: /kisskb/src/drivers/gpu/drm/nouveau/nvkm/engine/device/user.c:192:2: warning: 'strncpy' specified bound 16 equals destination size [-Wstringop-truncation] strncpy(args->v0.chip, device->chip->name, sizeof(args->v0.chip)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function 'brcmf_vndr_ie', inlined from 'brcmf_vif_set_mgmt_ie' at /kisskb/src/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:4278:25: /kisskb/src/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:4167:2: warning: 'strncpy' output truncated before terminating nul copying 3 bytes from a string of the same length [-Wstringop-truncation] strncpy(iebuf, add_del_cmd, VNDR_IE_CMD_LEN - 1); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function 'brcmf_vndr_ie', inlined from 'brcmf_vif_set_mgmt_ie' at /kisskb/src/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:4315:25: /kisskb/src/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:4167:2: warning: 'strncpy' output truncated before terminating nul copying 3 bytes from a string of the same length [-Wstringop-truncation] strncpy(iebuf, add_del_cmd, VNDR_IE_CMD_LEN - 1); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Completed OK # rm -rf /kisskb/build/linus_arm64-defconfig_arm64-gcc8 # Build took: 0:04:00.053449