Commit 8d33d083 authored Feb 14, 2018 by Blagovest Kolenichev

Merge android-4.9-o.81 (1b9d719b) into msm-4.9



* refs/heads/tmp-1b9d719b:
  Linux 4.9.81
  x86/microcode: Do the family check first
  drm: rcar-du: Fix race condition when disabling planes at CRTC stop
  drm: rcar-du: Use the VBK interrupt for vblank events
  ASoC: rsnd: avoid duplicate free_irq()
  ASoC: rsnd: don't call free_irq() on Parent SSI
  ASoC: simple-card: Fix misleading error message
  crypto: tcrypt - fix S/G table for test_aead_speed()
  KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
  KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL
  KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES
  KVM/x86: Add IBPB support
  KVM: VMX: make MSR bitmaps per-VCPU
  KVM: VMX: introduce alloc_loaded_vmcs
  KVM: nVMX: Eliminate vmcs02 pool
  KVM: nVMX: mark vmcs12 pages dirty on L2 exit
  KVM: nVMX: vmx_complete_nested_posted_interrupt() can't fail
  KVM: nVMX: kmap() can't fail
  x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL
  x86/pti: Mark constant arrays as __initconst
  x86/spectre: Simplify spectre_v2 command line parsing
  x86/retpoline: Avoid retpolines for built-in __init functions
  x86/kvm: Update spectre-v1 mitigation
  x86/paravirt: Remove 'noreplace-paravirt' cmdline option
  x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel
  x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable"
  x86/spectre: Report get_user mitigation for spectre_v1
  nl80211: Sanitize array index in parse_txq_params
  vfs, fdtable: Prevent bounds-check bypass via speculative execution
  x86/syscall: Sanitize syscall table de-references under speculation
  x86/get_user: Use pointer masking to limit speculation
  x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
  x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
  x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
  x86: Introduce barrier_nospec
  x86: Implement array_index_mask_nospec
  array_index_nospec: Sanitize speculative array de-references
  Documentation: Document array_index_nospec
  x86/asm: Move 'status' from thread_struct to thread_info
  x86/entry/64: Push extra regs right away
  x86/entry/64: Remove the SYSCALL64 fast path
  x86/spectre: Check CONFIG_RETPOLINE in command line parser
  x86/retpoline: Simplify vmexit_fill_RSB()
  x86/cpufeatures: Clean up Spectre v2 related CPUID flags
  x86/cpu/bugs: Make retpoline module warning conditional
  x86/bugs: Drop one "mitigation" from dmesg
  x86/nospec: Fix header guards names
  x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support
  x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes
  x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown
  x86/msr: Add definitions for new speculation control MSRs
  x86/cpufeatures: Add AMD feature bits for Speculation Control
  x86/cpufeatures: Add Intel feature bits for Speculation Control
  x86/cpufeatures: Add CPUID_7_EDX CPUID leaf
  module/retpoline: Warn about missing retpoline in module
  KVM: VMX: Make indirect call speculation safe
  KVM: x86: Make indirect calls in emulator speculation safe
  x86/retpoline: Remove the esp/rsp thunk
  KEYS: encrypted: fix buffer overread in valid_master_desc()
  b43: Add missing MODULE_FIRMWARE()
  media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
  x86/microcode/AMD: Do not load when running on a hypervisor
  x86/asm: Fix inline asm call constraints for GCC 4.4
  soreuseport: fix mem leak in reuseport_add_sock()
  ipv6: Fix SO_REUSEPORT UDP socket with implicit sk_ipv6only
  cls_u32: add missing RCU annotation.
  tcp_bbr: fix pacing_gain to always be unity when using lt_bw
  vhost_net: stop device during reset owner
  tcp: release sk_frag.page in tcp_disconnect
  r8169: fix RTL8168EP take too long to complete driver initialization.
  qmi_wwan: Add support for Quectel EP06
  qlcnic: fix deadlock bug
  net: igmp: add a missing rcu locking section
  ip6mr: fix stale iterator
  serial: core: mark port as initialized after successful IRQ change
  kaiser: allocate pgd with order 0 when pti=off
  x86/pti: Make unpoison of pgd for trusted boot work for real
  kaiser: fix intel_bts perf crashes
  ASoC: pcm512x: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
  pinctrl: pxa: pxa2xx: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
  auxdisplay: img-ascii-lcd: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
  powerpc/64s: Allow control of RFI flush via debugfs
  powerpc/64s: Wire up cpu_show_meltdown()
  powerpc/powernv: Check device-tree for RFI flush settings
  powerpc/pseries: Query hypervisor for RFI flush settings
  powerpc/64s: Support disabling RFI flush with no_rfi_flush and nopti
  powerpc/64s: Add support for RFI flush of L1-D cache
  powerpc/64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL
  powerpc/64: Convert the syscall exit path to use RFI_TO_USER/KERNEL
  powerpc/64: Convert fast_exception_return to use RFI_TO_USER/KERNEL
  powerpc/64: Add macros for annotating the destination of rfid/hrfid
  powerpc/pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper
  sched/fair: prevent possible infinite loop in sched_group_energy
  ANDROID: qtaguid: Fix the UAF probelm with tag_ref_tree

Conflicts:
	kernel/sched/fair.c

Change-Id: I32559a9e5fee34df4f6e50e54032189afe4db613
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>

parents 4b19ee48 1b9d719b

Documentation/kernel-parameters.txt

+0 −2

Original line number	Diff line number	Diff line
		@@ -2821,8 +2821,6 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
		norandmaps Don't use address space randomization. Equivalent to
		echo 0 > /proc/sys/kernel/randomize_va_space

		noreplace-paravirt [X86,IA-64,PV_OPS] Don't patch paravirt_ops

		noreplace-smp [X86-32,SMP] Don't replace SMP instructions
		with UP alternatives

Documentation/speculation.txt

0 → 100644

+90 −0

Original line number	Diff line number	Diff line
		This document explains potential effects of speculation, and how undesirable
		effects can be mitigated portably using common APIs.

		===========
		Speculation
		===========

		To improve performance and minimize average latencies, many contemporary CPUs
		employ speculative execution techniques such as branch prediction, performing
		work which may be discarded at a later stage.

		Typically speculative execution cannot be observed from architectural state,
		such as the contents of registers. However, in some cases it is possible to
		observe its impact on microarchitectural state, such as the presence or
		absence of data in caches. Such state may form side-channels which can be
		observed to extract secret information.

		For example, in the presence of branch prediction, it is possible for bounds
		checks to be ignored by code which is speculatively executed. Consider the
		following code:

		int load_array(int *array, unsigned int index)
		{
		if (index >= MAX_ARRAY_ELEMS)
		return 0;
		else
		return array[index];
		}

		Which, on arm64, may be compiled to an assembly sequence such as:

		CMP <index>, #MAX_ARRAY_ELEMS
		B.LT less
		MOV <returnval>, #0
		RET
		less:
		LDR <returnval>, [<array>, <index>]
		RET

		It is possible that a CPU mis-predicts the conditional branch, and
		speculatively loads array[index], even if index >= MAX_ARRAY_ELEMS. This
		value will subsequently be discarded, but the speculated load may affect
		microarchitectural state which can be subsequently measured.

		More complex sequences involving multiple dependent memory accesses may
		result in sensitive information being leaked. Consider the following
		code, building on the prior example:

		int load_dependent_arrays(int arr1, int arr2, int index)
		{
		int val1, val2,

		val1 = load_array(arr1, index);
		val2 = load_array(arr2, val1);

		return val2;
		}

		Under speculation, the first call to load_array() may return the value
		of an out-of-bounds address, while the second call will influence
		microarchitectural state dependent on this value. This may provide an
		arbitrary read primitive.

		====================================
		Mitigating speculation side-channels
		====================================

		The kernel provides a generic API to ensure that bounds checks are
		respected even under speculation. Architectures which are affected by
		speculation-based side-channels are expected to implement these
		primitives.

		The array_index_nospec() helper in <linux/nospec.h> can be used to
		prevent information from being leaked via side-channels.

		A call to array_index_nospec(index, size) returns a sanitized index
		value that is bounded to [0, size) even under cpu speculation
		conditions.

		This can be used to protect the earlier load_array() example:

		int load_array(int *array, unsigned int index)
		{
		if (index >= MAX_ARRAY_ELEMS)
		return 0;
		else {
		index = array_index_nospec(index, MAX_ARRAY_ELEMS);
		return array[index];
		}
		}

Makefile

+1 −1

Original line number	Diff line number	Diff line
		VERSION = 4
		PATCHLEVEL = 9
		SUBLEVEL = 80
		SUBLEVEL = 81
		EXTRAVERSION =
		NAME = Roaring Lionus

arch/powerpc/Kconfig

+1 −0

Original line number	Diff line number	Diff line
		@@ -129,6 +129,7 @@ config PPC
		select ARCH_HAS_GCOV_PROFILE_ALL
		select GENERIC_SMP_IDLE_THREAD
		select GENERIC_CMOS_UPDATE
		select GENERIC_CPU_VULNERABILITIES if PPC_BOOK3S_64
		select GENERIC_TIME_VSYSCALL_OLD
		select GENERIC_CLOCKEVENTS
		select GENERIC_CLOCKEVENTS_BROADCAST if SMP

arch/powerpc/include/asm/exception-64e.h

+6 −0

Original line number	Diff line number	Diff line
		@@ -209,5 +209,11 @@ exc_##label##_book3e:
		ori r3,r3,vector_offset@l; \
		mtspr SPRN_IVOR##vector_number,r3;

		#define RFI_TO_KERNEL \
		rfi

		#define RFI_TO_USER \
		rfi

		#endif /* _ASM_POWERPC_EXCEPTION_64E_H */