Commit 817de622 authored May 21, 2019 by Greg Kroah-Hartman

Merge 4.14.121 into android-4.14-q



Changes in 4.14.121
	net: core: another layer of lists, around PF_MEMALLOC skb handling
	locking/rwsem: Prevent decrement of reader count before increment
	PCI: hv: Fix a memory leak in hv_eject_device_work()
	PCI: hv: Add hv_pci_remove_slots() when we unload the driver
	PCI: hv: Add pci_destroy_slot() in pci_devices_present_work(), if necessary
	x86/speculation/mds: Revert CPU buffer clear on double fault exit
	x86/speculation/mds: Improve CPU buffer clear documentation
	objtool: Fix function fallthrough detection
	ARM: dts: exynos: Fix interrupt for shared EINTs on Exynos5260
	ARM: dts: exynos: Fix audio (microphone) routing on Odroid XU3
	ARM: exynos: Fix a leaked reference by adding missing of_node_put
	power: supply: axp288_charger: Fix unchecked return value
	arm64: compat: Reduce address limit
	arm64: Clear OSDLR_EL1 on CPU boot
	arm64: Save and restore OSDLR_EL1 across suspend/resume
	sched/x86: Save [ER]FLAGS on context switch
	crypto: chacha20poly1305 - set cra_name correctly
	crypto: vmx - fix copy-paste error in CTR mode
	crypto: skcipher - don't WARN on unprocessed data after slow walk step
	crypto: crct10dif-generic - fix use via crypto_shash_digest()
	crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()
	crypto: gcm - fix incompatibility between "gcm" and "gcm_base"
	crypto: rockchip - update IV buffer to contain the next IV
	crypto: arm/aes-neonbs - don't access already-freed walk.iv
	ALSA: usb-audio: Fix a memory leak bug
	ALSA: hda/hdmi - Read the pin sense from register when repolling
	ALSA: hda/hdmi - Consider eld_valid when reporting jack event
	ALSA: hda/realtek - EAPD turn on later
	ASoC: max98090: Fix restore of DAPM Muxes
	ASoC: RT5677-SPI: Disable 16Bit SPI Transfers
	bpf, arm64: remove prefetch insn in xadd mapping
	mm/mincore.c: make mincore() more conservative
	ocfs2: fix ocfs2 read inode data panic in ocfs2_iget
	userfaultfd: use RCU to free the task struct when fork fails
	mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L
	mfd: max77620: Fix swapped FPS_PERIOD_MAX_US values
	mtd: spi-nor: intel-spi: Avoid crossing 4K address boundary on read/write
	tty: vt.c: Fix TIOCL_BLANKSCREEN console blanking if blankinterval == 0
	tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
	jbd2: check superblock mapped prior to committing
	ext4: make sanity check in mballoc more strict
	ext4: ignore e_value_offs for xattrs with value-in-ea-inode
	ext4: avoid drop reference to iloc.bh twice
	Btrfs: do not start a transaction during fiemap
	Btrfs: do not start a transaction at iterate_extent_inodes()
	bcache: fix a race between cache register and cacheset unregister
	bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()
	ext4: fix use-after-free race with debug_want_extra_isize
	ext4: actually request zeroing of inode table after grow
	ext4: fix ext4_show_options for file systems w/o journal
	ipmi:ssif: compare block number correctly for multi-part return messages
	crypto: arm64/aes-neonbs - don't access already-freed walk.iv
	crypto: salsa20 - don't access already-freed walk.iv
	crypto: ccm - fix incompatibility between "ccm" and "ccm_base"
	fib_rules: fix error in backport of e9919a24d302 ("fib_rules: return 0...")
	fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount
	ext4: zero out the unused memory region in the extent tree block
	ext4: fix data corruption caused by overlapping unaligned and aligned IO
	ext4: fix use-after-free in dx_release()
	ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
	KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
	iov_iter: optimize page_copy_sane()
	ext4: fix compile error when using BUFFER_TRACE
	Linux 4.14.121

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

parents f447148d bbcb3c09

Documentation/x86/mds.rst

+6 −38

Original line number	Diff line number	Diff line
		@@ -142,45 +142,13 @@ Mitigation points
		mds_user_clear.

		The mitigation is invoked in prepare_exit_to_usermode() which covers
		most of the kernel to user space transitions. There are a few exceptions
		which are not invoking prepare_exit_to_usermode() on return to user
		space. These exceptions use the paranoid exit code.
		all but one of the kernel to user space transitions. The exception
		is when we return from a Non Maskable Interrupt (NMI), which is
		handled directly in do_nmi().

		- Non Maskable Interrupt (NMI):

		Access to sensible data like keys, credentials in the NMI context is
		mostly theoretical: The CPU can do prefetching or execute a
		misspeculated code path and thereby fetching data which might end up
		leaking through a buffer.

		But for mounting other attacks the kernel stack address of the task is
		already valuable information. So in full mitigation mode, the NMI is
		mitigated on the return from do_nmi() to provide almost complete
		coverage.

		- Double fault (#DF):

		A double fault is usually fatal, but the ESPFIX workaround, which can
		be triggered from user space through modify_ldt(2) is a recoverable
		double fault. #DF uses the paranoid exit path, so explicit mitigation
		in the double fault handler is required.

		- Machine Check Exception (#MC):

		Another corner case is a #MC which hits between the CPU buffer clear
		invocation and the actual return to user. As this still is in kernel
		space it takes the paranoid exit path which does not clear the CPU
		buffers. So the #MC handler repopulates the buffers to some
		extent. Machine checks are not reliably controllable and the window is
		extremly small so mitigation would just tick a checkbox that this
		theoretical corner case is covered. To keep the amount of special
		cases small, ignore #MC.

		- Debug Exception (#DB):

		This takes the paranoid exit path only when the INT1 breakpoint is in
		kernel space. #DB on a user space address takes the regular exit path,
		so no extra mitigation required.
		(The reason that NMI is special is that prepare_exit_to_usermode() can
		enable IRQs. In NMI context, NMIs are blocked, and we don't want to
		enable IRQs with NMIs blocked.)


		2. C-State transition

Makefile

+1 −1

Original line number	Diff line number	Diff line
		# SPDX-License-Identifier: GPL-2.0
		VERSION = 4
		PATCHLEVEL = 14
		SUBLEVEL = 120
		SUBLEVEL = 121
		EXTRAVERSION =
		NAME = Petit Gorille

arch/arm/boot/dts/exynos5260.dtsi

+1 −1

Original line number	Diff line number	Diff line
		@@ -226,7 +226,7 @@
		wakeup-interrupt-controller {
		compatible = "samsung,exynos4210-wakeup-eint";
		interrupt-parent = <&gic>;
		interrupts = <GIC_SPI 32 IRQ_TYPE_LEVEL_HIGH>;
		interrupts = <GIC_SPI 48 IRQ_TYPE_LEVEL_HIGH>;
		};
		};

arch/arm/boot/dts/exynos5422-odroidxu3-audio.dtsi

+1 −1

Original line number	Diff line number	Diff line
		@@ -23,7 +23,7 @@
		"Headphone Jack", "HPL",
		"Headphone Jack", "HPR",
		"Headphone Jack", "MICBIAS",
		"IN1", "Headphone Jack",
		"IN12", "Headphone Jack",
		"Speakers", "SPKL",
		"Speakers", "SPKR";

arch/arm/crypto/aes-neonbs-glue.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -280,6 +280,8 @@ static int __xts_crypt(struct skcipher_request *req,
		int err;

		err = skcipher_walk_virt(&walk, req, true);
		if (err)
		return err;

		crypto_cipher_encrypt_one(ctx->tweak_tfm, walk.iv, walk.iv);