4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 17 Sep 2018 12:06:20 +0000 (14:06 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 17 Sep 2018 12:06:20 +0000 (14:06 +0200)
added patches:
autofs-fix-autofs_sbi-does-not-check-super-block-type.patch
crypto-vmx-fix-sleep-in-atomic-bugs.patch
drivers-net-cpsw-fix-parsing-of-phy-handle-dt-property-in-dual_emac-config.patch
ethernet-ti-davinci_emac-add-missing-of_node_put-after-calling-of_parse_phandle.patch
mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch
net-ethernet-ti-cpsw-fix-mdio-device-reference-leak.patch
netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
vmw_balloon-include-asm-io.h.patch
x86-speculation-l1tf-increase-l1tf-memory-limit-for-nehalem.patch
xhci-fix-use-after-free-in-xhci_free_virt_device.patch

queue-4.4/autofs-fix-autofs_sbi-does-not-check-super-block-type.patch [new file with mode: 0644]
queue-4.4/crypto-vmx-fix-sleep-in-atomic-bugs.patch [new file with mode: 0644]
queue-4.4/drivers-net-cpsw-fix-parsing-of-phy-handle-dt-property-in-dual_emac-config.patch [new file with mode: 0644]
queue-4.4/ethernet-ti-davinci_emac-add-missing-of_node_put-after-calling-of_parse_phandle.patch [new file with mode: 0644]
queue-4.4/mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch [new file with mode: 0644]
queue-4.4/net-ethernet-ti-cpsw-fix-mdio-device-reference-leak.patch [new file with mode: 0644]
queue-4.4/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/vmw_balloon-include-asm-io.h.patch [new file with mode: 0644]
queue-4.4/x86-speculation-l1tf-increase-l1tf-memory-limit-for-nehalem.patch [new file with mode: 0644]
queue-4.4/xhci-fix-use-after-free-in-xhci_free_virt_device.patch [new file with mode: 0644]

diff --git a/queue-4.4/autofs-fix-autofs_sbi-does-not-check-super-block-type.patch b/queue-4.4/autofs-fix-autofs_sbi-does-not-check-super-block-type.patch
new file mode 100644 (file)
index 0000000..41345c4
--- /dev/null
@@ -0,0 +1,58 @@
+From 0633da48f0793aeba27f82d30605624416723a91 Mon Sep 17 00:00:00 2001
+From: Ian Kent <raven@themaw.net>
+Date: Tue, 21 Aug 2018 21:51:45 -0700
+Subject: autofs: fix autofs_sbi() does not check super block type
+
+From: Ian Kent <raven@themaw.net>
+
+commit 0633da48f0793aeba27f82d30605624416723a91 upstream.
+
+autofs_sbi() does not check the superblock magic number to verify it has
+been given an autofs super block.
+
+Backport Note: autofs4 has been renamed to autofs upstream. As a result
+the upstream patch does not apply cleanly onto 4.14.y.
+
+Link: http://lkml.kernel.org/r/153475422934.17131.7563724552005298277.stgit@pluto.themaw.net
+Reported-by: <syzbot+87c3c541582e56943277@syzkaller.appspotmail.com>
+Signed-off-by: Ian Kent <raven@themaw.net>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Zubin Mithra <zsm@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/autofs4/autofs_i.h |    4 +++-
+ fs/autofs4/inode.c    |    1 -
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/autofs4/autofs_i.h
++++ b/fs/autofs4/autofs_i.h
+@@ -18,6 +18,7 @@
+ #include <linux/mutex.h>
+ #include <linux/spinlock.h>
+ #include <linux/list.h>
++#include <linux/magic.h>
+ /* This is the range of ioctl() numbers we claim as ours */
+ #define AUTOFS_IOC_FIRST     AUTOFS_IOC_READY
+@@ -135,7 +136,8 @@ struct autofs_sb_info {
+ static inline struct autofs_sb_info *autofs4_sbi(struct super_block *sb)
+ {
+-      return (struct autofs_sb_info *)(sb->s_fs_info);
++      return sb->s_magic != AUTOFS_SUPER_MAGIC ?
++              NULL : (struct autofs_sb_info *)(sb->s_fs_info);
+ }
+ static inline struct autofs_info *autofs4_dentry_ino(struct dentry *dentry)
+--- a/fs/autofs4/inode.c
++++ b/fs/autofs4/inode.c
+@@ -18,7 +18,6 @@
+ #include <linux/pagemap.h>
+ #include <linux/parser.h>
+ #include <linux/bitops.h>
+-#include <linux/magic.h>
+ #include "autofs_i.h"
+ #include <linux/module.h>
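Review bot: autofs4_sbi() in the autofs_i.h hunk can now return NULL for a super block whose s_magic is not AUTOFS_SUPER_MAGIC, so any caller in the 4.4 tree that dereferences the result without a NULL check turns a type confusion into a NULL-pointer dereference on a foreign super block; the callers are not in the hunks, so each one (in particular any lookup handed a user-supplied path) should be confirmed to test the result. A one-line comment above the function, `/* Returns NULL if sb is not an autofs super block; callers must check. */`, would make the new contract explicit. The Backport Note in the header still says the upstream patch does not apply cleanly onto 4.14.y although this file is queued for 4.4; presumably it was carried over from the 4.14 backport and could be adjusted.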
diff --git a/queue-4.4/crypto-vmx-fix-sleep-in-atomic-bugs.patch b/queue-4.4/crypto-vmx-fix-sleep-in-atomic-bugs.patch
new file mode 100644 (file)
index 0000000..b07fcd2
--- /dev/null
@@ -0,0 +1,111 @@
+From 0522236d4f9c5ab2e79889cb020d1acbe5da416e Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 22 Aug 2018 08:26:31 +0200
+Subject: crypto: vmx - Fix sleep-in-atomic bugs
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit 0522236d4f9c5ab2e79889cb020d1acbe5da416e upstream.
+
+This patch fixes sleep-in-atomic bugs in AES-CBC and AES-XTS VMX
+implementations. The problem is that the blkcipher_* functions should
+not be called in atomic context.
+
+The bugs can be reproduced via the AF_ALG interface by trying to
+encrypt/decrypt sufficiently large buffers (at least 64 KiB) using the
+VMX implementations of 'cbc(aes)' or 'xts(aes)'. Such operations then
+trigger BUG in crypto_yield():
+
+[  891.863680] BUG: sleeping function called from invalid context at include/crypto/algapi.h:424
+[  891.864622] in_atomic(): 1, irqs_disabled(): 0, pid: 12347, name: kcapi-enc
+[  891.864739] 1 lock held by kcapi-enc/12347:
+[  891.864811]  #0: 00000000f5d42c46 (sk_lock-AF_ALG){+.+.}, at: skcipher_recvmsg+0x50/0x530
+[  891.865076] CPU: 5 PID: 12347 Comm: kcapi-enc Not tainted 4.19.0-0.rc0.git3.1.fc30.ppc64le #1
+[  891.865251] Call Trace:
+[  891.865340] [c0000003387578c0] [c000000000d67ea4] dump_stack+0xe8/0x164 (unreliable)
+[  891.865511] [c000000338757910] [c000000000172a58] ___might_sleep+0x2f8/0x310
+[  891.865679] [c000000338757990] [c0000000006bff74] blkcipher_walk_done+0x374/0x4a0
+[  891.865825] [c0000003387579e0] [d000000007e73e70] p8_aes_cbc_encrypt+0x1c8/0x260 [vmx_crypto]
+[  891.865993] [c000000338757ad0] [c0000000006c0ee0] skcipher_encrypt_blkcipher+0x60/0x80
+[  891.866128] [c000000338757b10] [c0000000006ec504] skcipher_recvmsg+0x424/0x530
+[  891.866283] [c000000338757bd0] [c000000000b00654] sock_recvmsg+0x74/0xa0
+[  891.866403] [c000000338757c10] [c000000000b00f64] ___sys_recvmsg+0xf4/0x2f0
+[  891.866515] [c000000338757d90] [c000000000b02bb8] __sys_recvmsg+0x68/0xe0
+[  891.866631] [c000000338757e30] [c00000000000bbe4] system_call+0x5c/0x70
+
+Fixes: 8c755ace357c ("crypto: vmx - Adding CBC routines for VMX module")
+Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/vmx/aes_cbc.c |   30 ++++++++++++++----------------
+ 1 file changed, 14 insertions(+), 16 deletions(-)
+
+--- a/drivers/crypto/vmx/aes_cbc.c
++++ b/drivers/crypto/vmx/aes_cbc.c
+@@ -111,24 +111,23 @@ static int p8_aes_cbc_encrypt(struct blk
+               ret = crypto_blkcipher_encrypt(&fallback_desc, dst, src,
+                                              nbytes);
+       } else {
+-              preempt_disable();
+-              pagefault_disable();
+-              enable_kernel_altivec();
+-              enable_kernel_vsx();
+-
+               blkcipher_walk_init(&walk, dst, src, nbytes);
+               ret = blkcipher_walk_virt(desc, &walk);
+               while ((nbytes = walk.nbytes)) {
++                      preempt_disable();
++                      pagefault_disable();
++                      enable_kernel_vsx();
++                      enable_kernel_altivec();
+                       aes_p8_cbc_encrypt(walk.src.virt.addr,
+                                          walk.dst.virt.addr,
+                                          nbytes & AES_BLOCK_MASK,
+                                          &ctx->enc_key, walk.iv, 1);
++                      pagefault_enable();
++                      preempt_enable();
++
+                       nbytes &= AES_BLOCK_SIZE - 1;
+                       ret = blkcipher_walk_done(desc, &walk, nbytes);
+               }
+-
+-              pagefault_enable();
+-              preempt_enable();
+       }
+       return ret;
+@@ -152,24 +151,23 @@ static int p8_aes_cbc_decrypt(struct blk
+               ret = crypto_blkcipher_decrypt(&fallback_desc, dst, src,
+                                              nbytes);
+       } else {
+-              preempt_disable();
+-              pagefault_disable();
+-              enable_kernel_altivec();
+-              enable_kernel_vsx();
+-
+               blkcipher_walk_init(&walk, dst, src, nbytes);
+               ret = blkcipher_walk_virt(desc, &walk);
+               while ((nbytes = walk.nbytes)) {
++                      preempt_disable();
++                      pagefault_disable();
++                      enable_kernel_vsx();
++                      enable_kernel_altivec();
+                       aes_p8_cbc_encrypt(walk.src.virt.addr,
+                                          walk.dst.virt.addr,
+                                          nbytes & AES_BLOCK_MASK,
+                                          &ctx->dec_key, walk.iv, 0);
++                      pagefault_enable();
++                      preempt_enable();
++
+                       nbytes &= AES_BLOCK_SIZE - 1;
+                       ret = blkcipher_walk_done(desc, &walk, nbytes);
+               }
+-
+-              pagefault_enable();
+-              preempt_enable();
+       }
+       return ret;
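Review bot: The commit description says the fix covers both the AES-CBC and AES-XTS VMX implementations, but the diffstat and the hunks touch only drivers/crypto/vmx/aes_cbc.c; if 4.4 has no aes_xts.c (the second Fixes tag points at a later feature), one line in the backport header saying so would save the next reader a search, and if the file does exist the same fix is still missing there. In both loops the preempt/pagefault-disabled window now covers only the aes_p8_cbc_encrypt() call and blkcipher_walk_done(), which can sleep, runs outside it, which is the right shape. The order of enable_kernel_vsx() and enable_kernel_altivec() is also swapped relative to the removed lines; if that is intentional it deserves a word in the description.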
diff --git a/queue-4.4/drivers-net-cpsw-fix-parsing-of-phy-handle-dt-property-in-dual_emac-config.patch b/queue-4.4/drivers-net-cpsw-fix-parsing-of-phy-handle-dt-property-in-dual_emac-config.patch
new file mode 100644 (file)
index 0000000..53eca6d
--- /dev/null
@@ -0,0 +1,97 @@
+From 552165bcf7060b998b4a9b5b86110b6a5e04dfd9 Mon Sep 17 00:00:00 2001
+From: David Rivshin <drivshin@allworx.com>
+Date: Wed, 27 Apr 2016 21:25:25 -0400
+Subject: drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config
+
+From: David Rivshin <drivshin@allworx.com>
+
+commit 552165bcf7060b998b4a9b5b86110b6a5e04dfd9 upstream.
+
+Commit 9e42f715264ff158478fa30eaed847f6e131366b ("drivers: net: cpsw: add
+phy-handle parsing") saved the "phy-handle" phandle into a new cpsw_priv
+field. However, phy connections are per-slave, so the phy_node field should
+be in cpsw_slave_data rather than cpsw_priv.
+
+This would go unnoticed in a single emac configuration. But in dual_emac
+mode, the last "phy-handle" property parsed for either slave would be used
+by both of them, causing them both to refer to the same phy_device.
+
+Fixes: 9e42f715264f ("drivers: net: cpsw: add phy-handle parsing")
+Signed-off-by: David Rivshin <drivshin@allworx.com>
+Tested-by: Nicolas Chauvet <kwizart@gmail.com>
+Tested-by: Andrew Goodbody <andrew.goodbody@cambrionix.com>
+Reviewed-by: Mugunthan V N <mugunthanvnm@ti.com>
+Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/ti/cpsw.c |   13 ++++++-------
+ drivers/net/ethernet/ti/cpsw.h |    1 +
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -371,7 +371,6 @@ struct cpsw_priv {
+       spinlock_t                      lock;
+       struct platform_device          *pdev;
+       struct net_device               *ndev;
+-      struct device_node              *phy_node;
+       struct napi_struct              napi_rx;
+       struct napi_struct              napi_tx;
+       struct device                   *dev;
+@@ -1165,8 +1164,8 @@ static void cpsw_slave_open(struct cpsw_
+               cpsw_ale_add_mcast(priv->ale, priv->ndev->broadcast,
+                                  1 << slave_port, 0, 0, ALE_MCAST_FWD_2);
+-      if (priv->phy_node)
+-              slave->phy = of_phy_connect(priv->ndev, priv->phy_node,
++      if (slave->data->phy_node)
++              slave->phy = of_phy_connect(priv->ndev, slave->data->phy_node,
+                                &cpsw_adjust_link, 0, slave->data->phy_if);
+       else
+               slave->phy = phy_connect(priv->ndev, slave->data->phy_id,
+@@ -1957,12 +1956,11 @@ static void cpsw_slave_init(struct cpsw_
+       slave->port_vlan = data->dual_emac_res_vlan;
+ }
+-static int cpsw_probe_dt(struct cpsw_priv *priv,
++static int cpsw_probe_dt(struct cpsw_platform_data *data,
+                        struct platform_device *pdev)
+ {
+       struct device_node *node = pdev->dev.of_node;
+       struct device_node *slave_node;
+-      struct cpsw_platform_data *data = &priv->data;
+       int i = 0, ret;
+       u32 prop;
+@@ -2050,7 +2048,8 @@ static int cpsw_probe_dt(struct cpsw_pri
+               if (strcmp(slave_node->name, "slave"))
+                       continue;
+-              priv->phy_node = of_parse_phandle(slave_node, "phy-handle", 0);
++              slave_data->phy_node = of_parse_phandle(slave_node,
++                                                      "phy-handle", 0);
+               parp = of_get_property(slave_node, "phy_id", &lenp);
+               if (of_phy_is_fixed_link(slave_node)) {
+                       struct device_node *phy_node;
+@@ -2291,7 +2290,7 @@ static int cpsw_probe(struct platform_de
+       /* Select default pin state */
+       pinctrl_pm_select_default_state(&pdev->dev);
+-      if (cpsw_probe_dt(priv, pdev)) {
++      if (cpsw_probe_dt(&priv->data, pdev)) {
+               dev_err(&pdev->dev, "cpsw: platform data missing\n");
+               ret = -ENODEV;
+               goto clean_runtime_disable_ret;
+--- a/drivers/net/ethernet/ti/cpsw.h
++++ b/drivers/net/ethernet/ti/cpsw.h
+@@ -18,6 +18,7 @@
+ #include <linux/phy.h>
+ struct cpsw_slave_data {
++      struct device_node *phy_node;
+       char            phy_id[MII_BUS_ID_SIZE];
+       int             phy_if;
+       u8              mac_addr[ETH_ALEN];
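Review bot: `slave_data->phy_node = of_parse_phandle(slave_node, "phy-handle", 0);` in the cpsw_probe_dt hunk takes a reference on the device node, and none of the hunks drops it: neither cpsw_remove nor the probe error paths (not visible here) show an of_node_put() for slave_data->phy_node, so the reference leaks once per slave, the same class of leak the davinci_emac patch in this series fixes. Because the field is now per slave, a matching `of_node_put(slave_data->phy_node);` needs to run for each slave on remove and on the probe failure path after parsing. cpsw_probe_dt and cpsw_slave_open both start and end outside the hunks.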
diff --git a/queue-4.4/ethernet-ti-davinci_emac-add-missing-of_node_put-after-calling-of_parse_phandle.patch b/queue-4.4/ethernet-ti-davinci_emac-add-missing-of_node_put-after-calling-of_parse_phandle.patch
new file mode 100644 (file)
index 0000000..8a56f6a
--- /dev/null
@@ -0,0 +1,30 @@
+From 5817f977527e5cdbea9ca56d2b95824f59c8747d Mon Sep 17 00:00:00 2001
+From: Peter Chen <peter.chen@nxp.com>
+Date: Mon, 1 Aug 2016 15:02:43 +0800
+Subject: ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle
+
+From: Peter Chen <peter.chen@nxp.com>
+
+commit 5817f977527e5cdbea9ca56d2b95824f59c8747d upstream.
+
+of_node_put needs to be called when the device node which is got
+from of_parse_phandle has finished using.
+
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/davinci_emac.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/ti/davinci_emac.c
++++ b/drivers/net/ethernet/ti/davinci_emac.c
+@@ -2108,6 +2108,7 @@ static int davinci_emac_remove(struct pl
+       cpdma_ctlr_destroy(priv->dma);
+       unregister_netdev(ndev);
++      of_node_put(priv->phy_node);
+       free_netdev(ndev);
+       return 0;
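Review bot: The added `of_node_put(priv->phy_node);` covers the normal remove path only; if davinci_emac_probe can fail after priv->phy_node has been filled by of_parse_phandle (the probe function is not in the hunk), the same put is needed on that error path or the reference still leaks there. of_node_put() tolerates a NULL argument, so the call is correct when no phy-handle property was present. davinci_emac_remove starts outside the hunk.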
diff --git a/queue-4.4/mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch b/queue-4.4/mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch
new file mode 100644 (file)
index 0000000..65663e8
--- /dev/null
@@ -0,0 +1,50 @@
+From 7233982ade15eeac05c6f351e8d347406e6bcd2f Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Thu, 18 Jan 2018 14:05:05 +0000
+Subject: mtd: ubi: wl: Fix error return code in ubi_wl_init()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+commit 7233982ade15eeac05c6f351e8d347406e6bcd2f upstream.
+
+Fix to return error code -ENOMEM from the kmem_cache_alloc() error
+handling case instead of 0, as done elsewhere in this function.
+
+Fixes: f78e5623f45b ("ubi: fastmap: Erase outdated anchor PEBs during
+attach")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Reviewed-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/wl.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -1597,8 +1597,10 @@ int ubi_wl_init(struct ubi_device *ubi,
+               cond_resched();
+               e = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL);
+-              if (!e)
++              if (!e) {
++                      err = -ENOMEM;
+                       goto out_free;
++              }
+               e->pnum = aeb->pnum;
+               e->ec = aeb->ec;
+@@ -1617,8 +1619,10 @@ int ubi_wl_init(struct ubi_device *ubi,
+                       cond_resched();
+                       e = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL);
+-                      if (!e)
++                      if (!e) {
++                              err = -ENOMEM;
+                               goto out_free;
++                      }
+                       e->pnum = aeb->pnum;
+                       e->ec = aeb->ec;
diff --git a/queue-4.4/net-ethernet-ti-cpsw-fix-mdio-device-reference-leak.patch b/queue-4.4/net-ethernet-ti-cpsw-fix-mdio-device-reference-leak.patch
new file mode 100644 (file)
index 0000000..7a57ce8
--- /dev/null
@@ -0,0 +1,33 @@
+From 86e1d5adcef961eb383ce4eacbe0ef22f06e2045 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 17 Nov 2016 17:39:59 +0100
+Subject: net: ethernet: ti: cpsw: fix mdio device reference leak
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 86e1d5adcef961eb383ce4eacbe0ef22f06e2045 upstream.
+
+Make sure to drop the reference taken by of_find_device_by_node() when
+looking up an mdio device from a phy_id property during probe.
+
+Fixes: 549985ee9c72 ("cpsw: simplify the setup of the register
+pointers")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/ti/cpsw.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -2086,6 +2086,7 @@ static int cpsw_probe_dt(struct cpsw_pla
+                       }
+                       snprintf(slave_data->phy_id, sizeof(slave_data->phy_id),
+                                PHY_ID_FMT, mdio->name, phyid);
++                      put_device(&mdio->dev);
+               } else {
+                       dev_err(&pdev->dev, "No slave[%d] phy_id or fixed-link property\n", i);
+                       goto no_phy_slave;
diff --git a/queue-4.4/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch b/queue-4.4/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
new file mode 100644 (file)
index 0000000..7196f76
--- /dev/null
@@ -0,0 +1,49 @@
+From e466af75c074e76107ae1cd5a2823e9c61894ffb Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Oct 2017 02:50:07 -0700
+Subject: netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit e466af75c074e76107ae1cd5a2823e9c61894ffb upstream.
+
+syzkaller reports an out of bound read in strlcpy(), triggered
+by xt_copy_counters_from_user()
+
+Fix this by using memcpy(), then forcing a zero byte at the last position
+of the destination, as Florian did for the non COMPAT code.
+
+Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use xt_copy_counters_from_user")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: Greg Hackmann <ghackmann@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/x_tables.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -876,7 +876,7 @@ void *xt_copy_counters_from_user(const v
+               if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
+                       return ERR_PTR(-EFAULT);
+-              strlcpy(info->name, compat_tmp.name, sizeof(info->name));
++              memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);
+               info->num_counters = compat_tmp.num_counters;
+               user += sizeof(compat_tmp);
+       } else
+@@ -889,9 +889,9 @@ void *xt_copy_counters_from_user(const v
+               if (copy_from_user(info, user, sizeof(*info)) != 0)
+                       return ERR_PTR(-EFAULT);
+-              info->name[sizeof(info->name) - 1] = '\0';
+               user += sizeof(*info);
+       }
++      info->name[sizeof(info->name) - 1] = '\0';
+       size = sizeof(struct xt_counters);
+       size *= info->num_counters;
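Review bot: `memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);` in the first x_tables.c hunk silently relies on compat_tmp.name being at least sizeof(info->name) - 1 bytes; the two arrays are presumably the same length today, but the assumption should be pinned with `BUILD_BUG_ON(sizeof(compat_tmp.name) < sizeof(info->name) - 1);` so a future change to either struct becomes a build error rather than a new over-read. Moving the terminating `info->name[sizeof(info->name) - 1] = '\0';` below both branches is what removes the dependence on user-supplied termination, and a comment on that line, `/* user-supplied name may not be NUL-terminated; force it */`, would keep the next reader from hoisting it back into one branch. xt_copy_counters_from_user starts and ends outside the hunks.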
index 41211e70a13c1c8f54d08d6226db3b1ca0182f9d..20fa89a4dd598a61e6d9416e487f202c8cf59985 100644 (file)
@@ -44,3 +44,13 @@ mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch
 f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch
 mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch
 rdma-cma-do-not-ignore-net-namespace-for-unbound-cm_id.patch
+xhci-fix-use-after-free-in-xhci_free_virt_device.patch
+vmw_balloon-include-asm-io.h.patch
+netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
+drivers-net-cpsw-fix-parsing-of-phy-handle-dt-property-in-dual_emac-config.patch
+net-ethernet-ti-cpsw-fix-mdio-device-reference-leak.patch
+ethernet-ti-davinci_emac-add-missing-of_node_put-after-calling-of_parse_phandle.patch
+crypto-vmx-fix-sleep-in-atomic-bugs.patch
+mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch
+autofs-fix-autofs_sbi-does-not-check-super-block-type.patch
+x86-speculation-l1tf-increase-l1tf-memory-limit-for-nehalem.patch
diff --git a/queue-4.4/vmw_balloon-include-asm-io.h.patch b/queue-4.4/vmw_balloon-include-asm-io.h.patch
new file mode 100644 (file)
index 0000000..207d2ce
--- /dev/null
@@ -0,0 +1,32 @@
+From namit@vmware.com  Mon Sep 17 13:42:18 2018
+From: Nadav Amit <namit@vmware.com>
+Date: Thu, 13 Sep 2018 13:18:52 -0700
+Subject: vmw_balloon: include asm/io.h
+To: <stable@vger.kernel.org>
+Cc: Nadav Amit <namit@vmware.com>, Xavier Deguillard <xdeguillard@vmware.com>
+Message-ID: <20180913201852.24631-1-namit@vmware.com>
+
+From: Nadav Amit <namit@vmware.com>
+
+Fix a build error due to missing virt_to_phys()
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Fixes: f0a1bf29d821b ("vmw_balloon: fix inflation with batching")
+Cc: stable@vger.kernel.org
+Cc: Xavier Deguillard <xdeguillard@vmware.com>
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/vmw_balloon.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/misc/vmw_balloon.c
++++ b/drivers/misc/vmw_balloon.c
+@@ -45,6 +45,7 @@
+ #include <linux/seq_file.h>
+ #include <linux/vmw_vmci_defs.h>
+ #include <linux/vmw_vmci_api.h>
++#include <linux/io.h>
+ #include <asm/hypervisor.h>
+ MODULE_AUTHOR("VMware, Inc.");
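Review bot: The subject line says `include asm/io.h` while the hunk adds `#include <linux/io.h>`; the linux/ wrapper is the right header to include, so only the subject (and the patch file name) is stale, but a reader grepping the queue for the asm header will not find what the patch actually does. Retitling, or adding one sentence to the header noting that linux/io.h is used deliberately, would avoid the confusion.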
diff --git a/queue-4.4/x86-speculation-l1tf-increase-l1tf-memory-limit-for-nehalem.patch b/queue-4.4/x86-speculation-l1tf-increase-l1tf-memory-limit-for-nehalem.patch
new file mode 100644 (file)
index 0000000..a984d49
--- /dev/null
@@ -0,0 +1,162 @@
+From andi@firstfloor.org  Mon Sep 17 14:00:08 2018
+From: Andi Kleen <andi@firstfloor.org>
+Date: Mon,  3 Sep 2018 10:19:13 -0700
+Subject: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
+To: stable@vger.kernel.org
+Cc: Andi Kleen <ak@linux.intel.com>, Thomas Gleixner <tglx@linutronix.de>, x86@kernel.org, linux-kernel@vger.kernel.org, Michael Hocko <mhocko@suse.com>, vbabka@suse.cz
+Message-ID: <20180903171913.36570-1-andi@firstfloor.org>
+
+
+From: Andi Kleen <ak@linux.intel.com>
+
+[upstream cc51e5428ea54f575d49cfcede1d4cb3a72b4ec4 for 4.4.
+Note there might be still a trivial conflict with the backport
+for b0a182f875689647b014bc01d36b340217792852, but should
+be easy to resolve]
+
+On Nehalem and newer core CPUs the CPU cache internally uses 44 bits
+physical address space. The L1TF workaround is limited by this internal
+cache address width, and needs to have one bit free there for the
+mitigation to work.
+
+Older client systems report only 36bit physical address space so the range
+check decides that L1TF is not mitigated for a 36bit phys/32GB system with
+some memory holes.
+
+But since these actually have the larger internal cache width this warning
+is bogus because it would only really be needed if the system had more than
+43bits of memory.
+
+Add a new internal x86_cache_bits field. Normally it is the same as the
+physical bits field reported by CPUID, but for Nehalem and newerforce it to
+be at least 44bits.
+
+Change the L1TF memory size warning to use the new cache_bits field to
+avoid bogus warnings and remove the bogus comment about memory size.
+
+Fixes: 17dbca119312 ("x86/speculation/l1tf: Add sysfs reporting for l1tf")
+Reported-by: George Anchev <studio@anchev.net>
+Reported-by: Christopher Snowhill <kode54@gmail.com>
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86@kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Michael Hocko <mhocko@suse.com>
+Cc: vbabka@suse.cz
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180824170351.34874-1-andi@firstfloor.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/processor.h |  4 ++-
+ arch/x86/kernel/cpu/bugs.c       | 47 ++++++++++++++++++++++++++++----
+ arch/x86/kernel/cpu/common.c     |  2 ++
+ 3 files changed, 47 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
+index a3a53955f01c..cb07d3f618ca 100644
+--- a/arch/x86/include/asm/processor.h
++++ b/arch/x86/include/asm/processor.h
+@@ -104,6 +104,8 @@ struct cpuinfo_x86 {
+       __u8                    x86_phys_bits;
+       /* CPUID returned core id bits: */
+       __u8                    x86_coreid_bits;
++
++      __u8                    x86_cache_bits;
+       /* Max extended CPUID function supported: */
+       __u32                   extended_cpuid_level;
+       /* Maximum supported CPUID level, -1=no CPUID: */
+@@ -174,7 +176,7 @@ extern void cpu_detect(struct cpuinfo_x86 *c);
+ static inline unsigned long l1tf_pfn_limit(void)
+ {
+-      return BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1;
++      return BIT_ULL(boot_cpu_data.x86_cache_bits - 1 - PAGE_SHIFT);
+ }
+ extern void early_cpu_init(void);
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 34e4aaaf03d2..2a41a86aa5c2 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -634,6 +634,46 @@ void x86_spec_ctrl_setup_ap(void)
+ #undef pr_fmt
+ #define pr_fmt(fmt)   "L1TF: " fmt
++
++/*
++ * These CPUs all support 44bits physical address space internally in the
++ * cache but CPUID can report a smaller number of physical address bits.
++ *
++ * The L1TF mitigation uses the top most address bit for the inversion of
++ * non present PTEs. When the installed memory reaches into the top most
++ * address bit due to memory holes, which has been observed on machines
++ * which report 36bits physical address bits and have 32G RAM installed,
++ * then the mitigation range check in l1tf_select_mitigation() triggers.
++ * This is a false positive because the mitigation is still possible due to
++ * the fact that the cache uses 44bit internally. Use the cache bits
++ * instead of the reported physical bits and adjust them on the affected
++ * machines to 44bit if the reported bits are less than 44.
++ */
++static void override_cache_bits(struct cpuinfo_x86 *c)
++{
++      if (c->x86 != 6)
++              return;
++
++      switch (c->x86_model) {
++      case INTEL_FAM6_NEHALEM:
++      case INTEL_FAM6_WESTMERE:
++      case INTEL_FAM6_SANDYBRIDGE:
++      case INTEL_FAM6_IVYBRIDGE:
++      case INTEL_FAM6_HASWELL_CORE:
++      case INTEL_FAM6_HASWELL_ULT:
++      case INTEL_FAM6_HASWELL_GT3E:
++      case INTEL_FAM6_BROADWELL_CORE:
++      case INTEL_FAM6_BROADWELL_GT3E:
++      case INTEL_FAM6_SKYLAKE_MOBILE:
++      case INTEL_FAM6_SKYLAKE_DESKTOP:
++      case INTEL_FAM6_KABYLAKE_MOBILE:
++      case INTEL_FAM6_KABYLAKE_DESKTOP:
++              if (c->x86_cache_bits < 44)
++                      c->x86_cache_bits = 44;
++              break;
++      }
++}
++
+ static void __init l1tf_select_mitigation(void)
+ {
+       u64 half_pa;
+@@ -641,16 +681,13 @@ static void __init l1tf_select_mitigation(void)
+       if (!boot_cpu_has_bug(X86_BUG_L1TF))
+               return;
++      override_cache_bits(&boot_cpu_data);
++
+ #if CONFIG_PGTABLE_LEVELS == 2
+       pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n");
+       return;
+ #endif
+-      /*
+-       * This is extremely unlikely to happen because almost all
+-       * systems have far more MAX_PA/2 than RAM can be fit into
+-       * DIMM slots.
+-       */
+       half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT;
+       if (e820_any_mapped(half_pa, ULLONG_MAX - half_pa, E820_RAM)) {
+               pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n");
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 4d3fa79c0f09..b12c0287d6cf 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -798,6 +798,8 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
+               c->x86_phys_bits = 36;
+ #endif
++      c->x86_cache_bits = c->x86_phys_bits;
++
+       if (c->extended_cpuid_level >= 0x8000000a)
+               c->x86_capability[CPUID_8000_000A_EDX] = cpuid_edx(0x8000000a);
+-- 
+2.17.1
+
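Review bot: override_cache_bits() in the bugs.c hunk keys only on `c->x86 != 6` and an Intel family-6 model list; it is correct only because its sole visible caller, l1tf_select_mitigation(), has already returned unless `boot_cpu_has_bug(X86_BUG_L1TF)` is set, which implicitly restricts it to Intel parts. That precondition should be stated above the function, e.g. `/* Caller must have checked X86_BUG_L1TF; the model numbers below are Intel-only. */`, or made explicit with a `c->x86_vendor != X86_VENDOR_INTEL` early return, so a later caller cannot misapply the 44-bit override to another vendor's family 6. The switch also has no `default:` case; an empty `default: break;` would document that other models keep the CPUID-reported width. The override runs before the `CONFIG_PGTABLE_LEVELS == 2` early return, so x86_cache_bits is adjusted on non-PAE kernels too, which looks intentional since l1tf_pfn_limit() in processor.h reads the field.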
diff --git a/queue-4.4/xhci-fix-use-after-free-in-xhci_free_virt_device.patch b/queue-4.4/xhci-fix-use-after-free-in-xhci_free_virt_device.patch
new file mode 100644 (file)
index 0000000..ef067bc
--- /dev/null
@@ -0,0 +1,47 @@
+From 44a182b9d17765514fa2b1cc911e4e65134eef93 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Thu, 3 May 2018 17:30:07 +0300
+Subject: xhci: Fix use-after-free in xhci_free_virt_device
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 44a182b9d17765514fa2b1cc911e4e65134eef93 upstream.
+
+KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e
+where xhci_free_virt_device() sets slot id to 0 if udev exists:
+if (dev->udev && dev->udev->slot_id)
+       dev->udev->slot_id = 0;
+
+dev->udev will be true even if udev is freed because dev->udev is
+not set to NULL.
+
+set dev->udev pointer to NULL in xhci_free_dev()
+
+The original patch went to stable so this fix needs to be applied
+there as well.
+
+Fixes: a400efe455f7 ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot")
+Cc: <stable@vger.kernel.org>
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -3675,6 +3675,9 @@ void xhci_free_dev(struct usb_hcd *hcd,
+       }
+       spin_lock_irqsave(&xhci->lock, flags);
++
++      virt_dev->udev = NULL;
++
+       /* Don't disable the slot if the host controller is dead. */
+       state = readl(&xhci->op_regs->status);
+       if (state == 0xffffffff || (xhci->xhc_state & XHCI_STATE_DYING) ||