Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit df08e347 authored by Greg Kroah-Hartman's avatar Greg Kroah-Hartman
Browse files

Merge 4.9.178 into android-4.9 



Changes in 4.9.178
	net: core: another layer of lists, around PF_MEMALLOC skb handling
	locking/rwsem: Prevent decrement of reader count before increment
	PCI: hv: Fix a memory leak in hv_eject_device_work()
	x86/speculation/mds: Revert CPU buffer clear on double fault exit
	x86/speculation/mds: Improve CPU buffer clear documentation
	objtool: Fix function fallthrough detection
	ARM: exynos: Fix a leaked reference by adding missing of_node_put
	power: supply: axp288_charger: Fix unchecked return value
	arm64: compat: Reduce address limit
	arm64: Clear OSDLR_EL1 on CPU boot
	sched/x86: Save [ER]FLAGS on context switch
	crypto: chacha20poly1305 - set cra_name correctly
	crypto: vmx - fix copy-paste error in CTR mode
	crypto: crct10dif-generic - fix use via crypto_shash_digest()
	crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()
	ALSA: usb-audio: Fix a memory leak bug
	ALSA: hda/hdmi - Read the pin sense from register when repolling
	ALSA: hda/hdmi - Consider eld_valid when reporting jack event
	ALSA: hda/realtek - EAPD turn on later
	ASoC: max98090: Fix restore of DAPM Muxes
	ASoC: RT5677-SPI: Disable 16Bit SPI Transfers
	mm/mincore.c: make mincore() more conservative
	ocfs2: fix ocfs2 read inode data panic in ocfs2_iget
	mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L
	mfd: max77620: Fix swapped FPS_PERIOD_MAX_US values
	tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
	jbd2: check superblock mapped prior to committing
	ext4: actually request zeroing of inode table after grow
	ext4: fix ext4_show_options for file systems w/o journal
	Btrfs: do not start a transaction at iterate_extent_inodes()
	bcache: fix a race between cache register and cacheset unregister
	bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()
	ipmi:ssif: compare block number correctly for multi-part return messages
	crypto: gcm - Fix error return code in crypto_gcm_create_common()
	crypto: gcm - fix incompatibility between "gcm" and "gcm_base"
	crypto: salsa20 - don't access already-freed walk.iv
	crypto: arm/aes-neonbs - don't access already-freed walk.iv
	fib_rules: fix error in backport of e9919a24d302 ("fib_rules: return 0...")
	writeback: synchronize sync(2) against cgroup writeback membership switches
	fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount
	ext4: zero out the unused memory region in the extent tree block
	ext4: fix data corruption caused by overlapping unaligned and aligned IO
	ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
	KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
	Linux 4.9.178

Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@google.com>
parents b2fc3516 a5f56b52

Documentation/x86/mds.rst

+6 −38
Original line number Diff line number Diff line
@@ -142,45 +142,13 @@ Mitigation points 
   mds_user_clear.



   The mitigation is invoked in prepare_exit_to_usermode() which covers

   most of the kernel to user space transitions. There are a few exceptions

   which are not invoking prepare_exit_to_usermode() on return to user

   space. These exceptions use the paranoid exit code.

   all but one of the kernel to user space transitions.  The exception

   is when we return from a Non Maskable Interrupt (NMI), which is

   handled directly in do_nmi().



   - Non Maskable Interrupt (NMI):



     Access to sensible data like keys, credentials in the NMI context is

     mostly theoretical: The CPU can do prefetching or execute a

     misspeculated code path and thereby fetching data which might end up

     leaking through a buffer.



     But for mounting other attacks the kernel stack address of the task is

     already valuable information. So in full mitigation mode, the NMI is

     mitigated on the return from do_nmi() to provide almost complete

     coverage.



   - Double fault (#DF):



     A double fault is usually fatal, but the ESPFIX workaround, which can

     be triggered from user space through modify_ldt(2) is a recoverable

     double fault. #DF uses the paranoid exit path, so explicit mitigation

     in the double fault handler is required.



   - Machine Check Exception (#MC):



     Another corner case is a #MC which hits between the CPU buffer clear

     invocation and the actual return to user. As this still is in kernel

     space it takes the paranoid exit path which does not clear the CPU

     buffers. So the #MC handler repopulates the buffers to some

     extent. Machine checks are not reliably controllable and the window is

     extremly small so mitigation would just tick a checkbox that this

     theoretical corner case is covered. To keep the amount of special

     cases small, ignore #MC.



   - Debug Exception (#DB):



     This takes the paranoid exit path only when the INT1 breakpoint is in

     kernel space. #DB on a user space address takes the regular exit path,

     so no extra mitigation required.

   (The reason that NMI is special is that prepare_exit_to_usermode() can

    enable IRQs.  In NMI context, NMIs are blocked, and we don't want to

    enable IRQs with NMIs blocked.)





2. C-State transition

Makefile

+1 −1
Original line number Diff line number Diff line 
VERSION = 4

PATCHLEVEL = 9

SUBLEVEL = 177

SUBLEVEL = 178

EXTRAVERSION =

NAME = Roaring Lionus

arch/arm/crypto/aesbs-glue.c

+4 −0
Original line number Diff line number Diff line
@@ -265,6 +265,8 @@ static int aesbs_xts_encrypt(struct blkcipher_desc *desc, 


	blkcipher_walk_init(&walk, dst, src, nbytes);

	err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE);

	if (err)

		return err;



	/* generate the initial tweak */

	AES_encrypt(walk.iv, walk.iv, &ctx->twkey);
@@ -289,6 +291,8 @@ static int aesbs_xts_decrypt(struct blkcipher_desc *desc, 


	blkcipher_walk_init(&walk, dst, src, nbytes);

	err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE);

	if (err)

		return err;



	/* generate the initial tweak */

	AES_encrypt(walk.iv, walk.iv, &ctx->twkey);

arch/arm/mach-exynos/firmware.c

+1 −0
Original line number Diff line number Diff line
@@ -205,6 +205,7 @@ void __init exynos_firmware_init(void) 
		return;



	addr = of_get_address(nd, 0, NULL, NULL);

	of_node_put(nd);

	if (!addr) {

		pr_err("%s: No address specified.\n", __func__);

		return;

arch/arm/mach-exynos/suspend.c

+2 −0
Original line number Diff line number Diff line
@@ -715,8 +715,10 @@ void __init exynos_pm_init(void) 


	if (WARN_ON(!of_find_property(np, "interrupt-controller", NULL))) {

		pr_warn("Outdated DT detected, suspend/resume will NOT work\n");

		of_node_put(np);

		return;

	}

	of_node_put(np);



	pm_data = (const struct exynos_pm_data *) match->data;