--- /dev/null
+From b305f7ed0f4f494ad6f3ef5667501535d5a8fa31 Mon Sep 17 00:00:00 2001
+From: Yi Wang <wang.yi59@zte.com.cn>
+Date: Wed, 25 Jul 2018 10:26:19 +0800
+Subject: audit: fix potential null dereference 'context->module.name'
+
+From: Yi Wang <wang.yi59@zte.com.cn>
+
+commit b305f7ed0f4f494ad6f3ef5667501535d5a8fa31 upstream.
+
+The variable 'context->module.name' may be null pointer when
+kmalloc return null, so it's better to check it before using
+to avoid null dereference.
+Another one more thing this patch does is using kstrdup instead
+of (kmalloc + strcpy), and signal a lost record via audit_log_lost.
+
+Cc: stable@vger.kernel.org # 4.11
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/auditsc.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -1274,8 +1274,12 @@ static void show_special(struct audit_co
+ break;
+ case AUDIT_KERN_MODULE:
+ audit_log_format(ab, "name=");
+- audit_log_untrustedstring(ab, context->module.name);
+- kfree(context->module.name);
++ if (context->module.name) {
++ audit_log_untrustedstring(ab, context->module.name);
++ kfree(context->module.name);
++ } else
++ audit_log_format(ab, "(null)");
++
+ break;
+ }
+ audit_log_end(ab);
+@@ -2387,8 +2391,9 @@ void __audit_log_kern_module(char *name)
+ {
+ struct audit_context *context = current->audit_context;
+
+- context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
+- strcpy(context->module.name, name);
++ context->module.name = kstrdup(name, GFP_KERNEL);
++ if (!context->module.name)
++ audit_log_lost("out of memory in __audit_log_kern_module");
+ context->type = AUDIT_KERN_MODULE;
+ }
+
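Review bot: In the show_special() hunk the new if arm is braced but the else arm is not, which kernel coding style (if one arm needs braces, both get them) would flag; write it as `} else {` / `audit_log_format(ab, "(null)");` / `}`. The empty added line between the else arm and `break;` is stray whitespace and can go. After `kfree(context->module.name)` the pointer is left dangling, so if the context can be shown again or is torn down elsewhere, `context->module.name = NULL;` after the kfree would let the new NULL check cover that path too; the teardown is outside this hunk, so confirm before relying on it. Both show_special() and __audit_log_kern_module() are only partly visible here.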
--- /dev/null
+From 72c05f32f4a5055c9c8fe889bb6903ec959c0aad Mon Sep 17 00:00:00 2001
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Fri, 27 Jul 2018 18:50:42 +0300
+Subject: can: ems_usb: Fix memory leak on ems_usb_disconnect()
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+commit 72c05f32f4a5055c9c8fe889bb6903ec959c0aad upstream.
+
+ems_usb_probe() allocates memory for dev->tx_msg_buffer, but there
+is no its deallocation in ems_usb_disconnect().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/ems_usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -1071,6 +1071,7 @@ static void ems_usb_disconnect(struct us
+ usb_free_urb(dev->intr_urb);
+
+ kfree(dev->intr_in_buffer);
++ kfree(dev->tx_msg_buffer);
+ }
+ }
+
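Review bot: The release is added only to ems_usb_disconnect(), whose body starts outside the hunk; the error path of the probe function that allocates tx_msg_buffer is not shown, so it is worth confirming that it frees the buffer on failure as well, otherwise the same leak remains when probe fails after the allocation. A short comment on the new line would tie it to its allocation site, e.g. `/* allocated in ems_usb_probe() */`.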
--- /dev/null
+From 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 13 Jul 2018 16:12:32 +0800
+Subject: crypto: padlock-aes - Fix Nano workaround data corruption
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 upstream.
+
+This was detected by the self-test thanks to Ard's chunking patch.
+
+I finally got around to testing this out on my ancient Via box. It
+turns out that the workaround got the assembly wrong and we end up
+doing count + initial cycles of the loop instead of just count.
+
+This obviously causes corruption, either by overwriting the source
+that is yet to be processed, or writing over the end of the buffer.
+
+On CPUs that don't require the workaround only ECB is affected.
+On Nano CPUs both ECB and CBC are affected.
+
+This patch fixes it by doing the subtraction prior to the assembly.
+
+Fixes: a76c1c23d0c3 ("crypto: padlock-aes - work around Nano CPU...")
+Cc: <stable@vger.kernel.org>
+Reported-by: Jamie Heilman <jamie@audible.transient.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/padlock-aes.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/padlock-aes.c
++++ b/drivers/crypto/padlock-aes.c
+@@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(co
+ return;
+ }
+
++ count -= initial;
++
+ if (initial)
+ asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */
+ : "+S"(input), "+D"(output)
+@@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(co
+
+ asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */
+ : "+S"(input), "+D"(output)
+- : "d"(control_word), "b"(key), "c"(count - initial));
++ : "d"(control_word), "b"(key), "c"(count));
+ }
+
+ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
+@@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(con
+ if (count < cbc_fetch_blocks)
+ return cbc_crypt(input, output, key, iv, control_word, count);
+
++ count -= initial;
++
+ if (initial)
+ asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */
+ : "+S" (input), "+D" (output), "+a" (iv)
+@@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(con
+
+ asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */
+ : "+S" (input), "+D" (output), "+a" (iv)
+- : "d" (control_word), "b" (key), "c" (count-initial));
++ : "d" (control_word), "b" (key), "c" (count));
+ return iv;
+ }
+
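Review bot: In both padlock_xcrypt_ecb() and padlock_xcrypt_cbc() the new `count -= initial;` relies on `initial` never exceeding `count`; `initial` is computed earlier, outside the hunk, so that invariant is not visible here, and if `count` is unsigned a violation would wrap to a huge rep count instead of failing loudly. A one-line comment above the subtraction would record the intent, e.g. `/* the first rep handles 'initial' blocks; the bulk rep below takes the remainder */`, and the same comment applies in the cbc hunk. Both functions begin before their first hunk line.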
--- /dev/null
+From a6a00918d4ad8718c3ccde38c02cec17f116b2fd Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@bootlin.com>
+Date: Tue, 24 Jul 2018 15:36:01 +0200
+Subject: drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats
+
+From: Boris Brezillon <boris.brezillon@bootlin.com>
+
+commit a6a00918d4ad8718c3ccde38c02cec17f116b2fd upstream.
+
+This is needed to ensure ->is_unity is correct when the plane was
+previously configured to output a multi-planar format with scaling
+enabled, and is then being reconfigured to output a uniplanar format.
+
+Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180724133601.32114-1-boris.brezillon@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vc4/vc4_plane.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/vc4/vc4_plane.c
++++ b/drivers/gpu/drm/vc4/vc4_plane.c
+@@ -352,6 +352,9 @@ static int vc4_plane_setup_clipping_and_
+ vc4_state->x_scaling[0] = VC4_SCALING_TPZ;
+ if (vc4_state->y_scaling[0] == VC4_SCALING_NONE)
+ vc4_state->y_scaling[0] = VC4_SCALING_TPZ;
++ } else {
++ vc4_state->x_scaling[1] = VC4_SCALING_NONE;
++ vc4_state->y_scaling[1] = VC4_SCALING_NONE;
+ }
+
+ vc4_state->is_unity = (vc4_state->x_scaling[0] == VC4_SCALING_NONE &&
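Review bot: The new else arm in vc4_plane.c has no comment saying why it resets the [1] scaling entries, and the reason (stale values from an earlier multi-planar configuration would feed the is_unity computation that follows) lives only in the commit message. Suggest `/* Single-plane formats have no second plane: clear scaling state left over from a previous multi-planar setup so the is_unity check below does not see stale plane-1 scaling. */` above the two assignments. The enclosing function and the is_unity expression both extend beyond the hunk.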
--- /dev/null
+From 0a5257bc6d89c2ae69b9bf955679cb4f89261874 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Tue, 17 Jul 2018 13:43:56 +0300
+Subject: iwlwifi: add more card IDs for 9000 series
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 0a5257bc6d89c2ae69b9bf955679cb4f89261874 upstream.
+
+Add new device IDs for the 9000 series.
+
+Cc: stable@vger.kernel.org # 4.14
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/cfg/9000.c | 69 ++++++++++++++++++++++++
+ drivers/net/wireless/intel/iwlwifi/iwl-config.h | 5 +
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 22 +++++++
+ 3 files changed, 96 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
++++ b/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
+@@ -177,6 +177,17 @@ const struct iwl_cfg iwl9260_2ac_cfg = {
+ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
+ };
+
++const struct iwl_cfg iwl9260_killer_2ac_cfg = {
++ .name = "Killer (R) Wireless-AC 1550 Wireless Network Adapter (9260NGW)",
++ .fw_name_pre = IWL9260A_FW_PRE,
++ .fw_name_pre_b_or_c_step = IWL9260B_FW_PRE,
++ IWL_DEVICE_9000,
++ .ht_params = &iwl9000_ht_params,
++ .nvm_ver = IWL9000_NVM_VERSION,
++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++};
++
+ const struct iwl_cfg iwl9270_2ac_cfg = {
+ .name = "Intel(R) Dual Band Wireless AC 9270",
+ .fw_name_pre = IWL9260A_FW_PRE,
+@@ -266,6 +277,34 @@ const struct iwl_cfg iwl9560_2ac_cfg_soc
+ .soc_latency = 5000,
+ };
+
++const struct iwl_cfg iwl9560_killer_2ac_cfg_soc = {
++ .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter (9560NGW)",
++ .fw_name_pre = IWL9000A_FW_PRE,
++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++ IWL_DEVICE_9000,
++ .ht_params = &iwl9000_ht_params,
++ .nvm_ver = IWL9000_NVM_VERSION,
++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++ .integrated = true,
++ .soc_latency = 5000,
++};
++
++const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc = {
++ .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter (9560NGW)",
++ .fw_name_pre = IWL9000A_FW_PRE,
++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++ IWL_DEVICE_9000,
++ .ht_params = &iwl9000_ht_params,
++ .nvm_ver = IWL9000_NVM_VERSION,
++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++ .integrated = true,
++ .soc_latency = 5000,
++};
++
+ const struct iwl_cfg iwl9460_2ac_cfg_shared_clk = {
+ .name = "Intel(R) Dual Band Wireless AC 9460",
+ .fw_name_pre = IWL9000A_FW_PRE,
+@@ -316,6 +355,36 @@ const struct iwl_cfg iwl9560_2ac_cfg_sha
+ .fw_name_pre = IWL9000A_FW_PRE,
+ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
+ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++ IWL_DEVICE_9000,
++ .ht_params = &iwl9000_ht_params,
++ .nvm_ver = IWL9000_NVM_VERSION,
++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++ .integrated = true,
++ .soc_latency = 5000,
++ .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK
++};
++
++const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk = {
++ .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter (9560NGW)",
++ .fw_name_pre = IWL9000A_FW_PRE,
++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++ IWL_DEVICE_9000,
++ .ht_params = &iwl9000_ht_params,
++ .nvm_ver = IWL9000_NVM_VERSION,
++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++ .integrated = true,
++ .soc_latency = 5000,
++ .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK
++};
++
++const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk = {
++ .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter (9560NGW)",
++ .fw_name_pre = IWL9000A_FW_PRE,
++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
+ IWL_DEVICE_9000,
+ .ht_params = &iwl9000_ht_params,
+ .nvm_ver = IWL9000_NVM_VERSION,
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-config.h
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-config.h
+@@ -470,6 +470,7 @@ extern const struct iwl_cfg iwl8265_2ac_
+ extern const struct iwl_cfg iwl4165_2ac_sdio_cfg;
+ extern const struct iwl_cfg iwl9160_2ac_cfg;
+ extern const struct iwl_cfg iwl9260_2ac_cfg;
++extern const struct iwl_cfg iwl9260_killer_2ac_cfg;
+ extern const struct iwl_cfg iwl9270_2ac_cfg;
+ extern const struct iwl_cfg iwl9460_2ac_cfg;
+ extern const struct iwl_cfg iwl9560_2ac_cfg;
+@@ -477,10 +478,14 @@ extern const struct iwl_cfg iwl9460_2ac_
+ extern const struct iwl_cfg iwl9461_2ac_cfg_soc;
+ extern const struct iwl_cfg iwl9462_2ac_cfg_soc;
+ extern const struct iwl_cfg iwl9560_2ac_cfg_soc;
++extern const struct iwl_cfg iwl9560_killer_2ac_cfg_soc;
++extern const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc;
+ extern const struct iwl_cfg iwl9460_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwl9461_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwl9462_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwl9560_2ac_cfg_shared_clk;
++extern const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk;
++extern const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwla000_2ac_cfg_hr;
+ extern const struct iwl_cfg iwla000_2ac_cfg_hr_cdb;
+ extern const struct iwl_cfg iwla000_2ac_cfg_jf;
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -543,6 +543,9 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0x2526, 0x1210, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x2526, 0x1410, iwl9270_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x2526, 0x1420, iwl9460_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x2526, 0x1550, iwl9260_killer_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x2526, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x2526, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x2526, 0x1610, iwl9270_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x2526, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x2526, 0x2034, iwl9560_2ac_cfg_soc)},
+@@ -552,6 +555,7 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0x2526, 0x40A4, iwl9460_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x2526, 0x4234, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x2526, 0x42A4, iwl9462_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x2526, 0x8014, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x2526, 0xA014, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x271B, 0x0010, iwl9160_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x271B, 0x0014, iwl9160_2ac_cfg)},
+@@ -576,6 +580,8 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0x2720, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x2720, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x2720, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x2720, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x2720, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x2720, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x2720, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x2720, 0x4030, iwl9560_2ac_cfg)},
+@@ -602,6 +608,8 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0x30DC, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x30DC, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x30DC, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x30DC, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x30DC, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x30DC, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x30DC, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x30DC, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -628,6 +636,8 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0x31DC, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x31DC, 0x1030, iwl9560_2ac_cfg_shared_clk)},
+ {IWL_PCI_DEVICE(0x31DC, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x31DC, 0x1551, iwl9560_killer_s_2ac_cfg_shared_clk)},
++ {IWL_PCI_DEVICE(0x31DC, 0x1552, iwl9560_killer_2ac_cfg_shared_clk)},
+ {IWL_PCI_DEVICE(0x31DC, 0x2030, iwl9560_2ac_cfg_shared_clk)},
+ {IWL_PCI_DEVICE(0x31DC, 0x2034, iwl9560_2ac_cfg_shared_clk)},
+ {IWL_PCI_DEVICE(0x31DC, 0x4030, iwl9560_2ac_cfg_shared_clk)},
+@@ -654,6 +664,8 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0x34F0, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x34F0, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x34F0, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x34F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x34F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x34F0, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x34F0, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x34F0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -680,6 +692,8 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0x3DF0, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x3DF0, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x3DF0, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x3DF0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x3DF0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x3DF0, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x3DF0, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x3DF0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -706,6 +720,8 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0x43F0, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x43F0, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x43F0, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x43F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x43F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x43F0, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x43F0, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x43F0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -741,6 +757,8 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0x9DF0, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x9DF0, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x9DF0, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x9DF0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x9DF0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x9DF0, 0x2010, iwl9460_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x9DF0, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x9DF0, 0x2034, iwl9560_2ac_cfg_soc)},
+@@ -769,6 +787,8 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0xA0F0, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0xA0F0, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA0F0, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0xA0F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0xA0F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA0F0, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA0F0, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA0F0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -795,6 +815,8 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0xA370, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0xA370, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA370, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0xA370, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0xA370, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA370, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA370, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA370, 0x4030, iwl9560_2ac_cfg_soc)},
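Review bot: The new iwl9560_killer_2ac_cfg_soc and iwl9560_killer_s_2ac_cfg_soc initializers in cfg/9000.c are identical except for `.name`, and the same holds for the two new _shared_clk variants, so each pair repeats ten lines of field settings that now have to be kept in sync with iwl9560_2ac_cfg_soc and iwl9560_2ac_cfg_shared_clk. This follows the file's existing one-struct-per-name layout, so it is a style observation rather than a defect; a small macro for the shared tail (the file already folds common fields into IWL_DEVICE_9000) would remove the duplication. The third 9000.c hunk ends inside iwl9560_killer_s_2ac_cfg_shared_clk, whose remaining fields are outside the hunk.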
--- /dev/null
+From 63aff65573d73eb8dda4732ad4ef222dd35e4862 Mon Sep 17 00:00:00 2001
+From: Roman Kagan <rkagan@virtuozzo.com>
+Date: Thu, 19 Jul 2018 21:59:07 +0300
+Subject: kvm: x86: vmx: fix vpid leak
+
+From: Roman Kagan <rkagan@virtuozzo.com>
+
+commit 63aff65573d73eb8dda4732ad4ef222dd35e4862 upstream.
+
+VPID for the nested vcpu is allocated at vmx_create_vcpu whenever nested
+vmx is turned on with the module parameter.
+
+However, it's only freed if the L1 guest has executed VMXON which is not
+a given.
+
+As a result, on a system with nested==on every creation+deletion of an
+L1 vcpu without running an L2 guest results in leaking one vpid. Since
+the total number of vpids is limited to 64k, they can eventually get
+exhausted, preventing L2 from starting.
+
+Delay allocation of the L2 vpid until VMXON emulation, thus matching its
+freeing.
+
+Fixes: 5c614b3583e7b6dab0c86356fa36c2bcbb8322a0
+Cc: stable@vger.kernel.org
+Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7354,6 +7354,8 @@ static int enter_vmx_operation(struct kv
+ HRTIMER_MODE_REL_PINNED);
+ vmx->nested.preemption_timer.function = vmx_preemption_timer_fn;
+
++ vmx->nested.vpid02 = allocate_vpid();
++
+ vmx->nested.vmxon = true;
+ return 0;
+
+@@ -9802,10 +9804,8 @@ static struct kvm_vcpu *vmx_create_vcpu(
+ goto free_vmcs;
+ }
+
+- if (nested) {
++ if (nested)
+ nested_vmx_setup_ctls_msrs(vmx);
+- vmx->nested.vpid02 = allocate_vpid();
+- }
+
+ vmx->nested.posted_intr_nv = -1;
+ vmx->nested.current_vmptr = -1ull;
+@@ -9822,7 +9822,6 @@ static struct kvm_vcpu *vmx_create_vcpu(
+ return &vmx->vcpu;
+
+ free_vmcs:
+- free_vpid(vmx->nested.vpid02);
+ free_loaded_vmcs(vmx->loaded_vmcs);
+ free_msrs:
+ kfree(vmx->guest_msrs);
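Review bot: In enter_vmx_operation() the result of `allocate_vpid()` is stored into vmx->nested.vpid02 without being checked; the commit message itself notes the VPID pool can be exhausted, so if allocate_vpid() reports that case through a sentinel value the code proceeds with VMXON regardless. Whether the nested code tolerates such a value is decided outside the hunk; a comment on the new line such as `/* paired with the free_vpid() in the nested teardown path */` would at least record the ownership this move establishes, assuming that is where it is released. enter_vmx_operation() and vmx_create_vcpu() both start before their hunks, so the remaining error labels of enter_vmx_operation() cannot be checked here for whether vpid02 would need releasing on a later failure.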
--- /dev/null
+From c8e8cd579bb4265651df8223730105341e61a2d1 Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Fri, 27 Jul 2018 22:43:01 +0000
+Subject: net: socket: fix potential spectre v1 gadget in socketcall
+
+From: Jeremy Cline <jcline@redhat.com>
+
+commit c8e8cd579bb4265651df8223730105341e61a2d1 upstream.
+
+'call' is a user-controlled value, so sanitize the array index after the
+bounds check to avoid speculating past the bounds of the 'nargs' array.
+
+Found with the help of Smatch:
+
+net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
+'nargs' [r] (local cap)
+
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -89,6 +89,7 @@
+ #include <linux/magic.h>
+ #include <linux/slab.h>
+ #include <linux/xattr.h>
++#include <linux/nospec.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/unistd.h>
+@@ -2443,6 +2444,7 @@ SYSCALL_DEFINE2(socketcall, int, call, u
+
+ if (call < 1 || call > SYS_SENDMMSG)
+ return -EINVAL;
++ call = array_index_nospec(call, SYS_SENDMMSG + 1);
+
+ len = nargs[call];
+ if (len > sizeof(a))
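Review bot: The new `call = array_index_nospec(call, SYS_SENDMMSG + 1);` carries no comment explaining why it must sit after the range check and before `len = nargs[call]`, so a later refactor that reorders or folds the check could silently drop the protection. Suggest `/* clamp after the bounds check: on a mispredicted branch 'call' must not index past nargs[] */` above the new line. The socketcall body continues past the hunk, where `a[]` and `len` are consumed.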
--- /dev/null
+From addb8a6559f0f8b5a37582b7ca698358445a55bf Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Wed, 11 Jul 2018 11:23:52 +0300
+Subject: RDMA/uverbs: Expand primary and alt AV port checks
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+commit addb8a6559f0f8b5a37582b7ca698358445a55bf upstream.
+
+The commit cited below checked that the port numbers provided in the
+primary and alt AVs are legal.
+
+That is sufficient to prevent a kernel panic. However, it is not
+sufficient for correct operation.
+
+In Linux, AVs (both primary and alt) must be completely self-described.
+We do not accept an AV from userspace without an embedded port number.
+(This has been the case since kernel 3.14 commit dbf727de7440
+("IB/core: Use GID table in AH creation and dmac resolution")).
+
+For the primary AV, this embedded port number must match the port number
+specified with IB_QP_PORT.
+
+We also expect the port number embedded in the alt AV to match the
+alt_port_num value passed by the userspace driver in the modify_qp command
+base structure.
+
+Add these checks to modify_qp.
+
+Cc: <stable@vger.kernel.org> # 4.16
+Fixes: 5d4c05c3ee36 ("RDMA/uverbs: Sanitize user entered port numbers prior to access it")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/uverbs_cmd.c | 59 ++++++++++++++++++++++++++++++++---
+ 1 file changed, 54 insertions(+), 5 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -1981,15 +1981,64 @@ static int modify_qp(struct ib_uverbs_fi
+ goto release_qp;
+ }
+
+- if ((cmd->base.attr_mask & IB_QP_AV) &&
+- !rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) {
+- ret = -EINVAL;
+- goto release_qp;
++ if ((cmd->base.attr_mask & IB_QP_AV)) {
++ if (!rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) {
++ ret = -EINVAL;
++ goto release_qp;
++ }
++
++ if (cmd->base.attr_mask & IB_QP_STATE &&
++ cmd->base.qp_state == IB_QPS_RTR) {
++ /* We are in INIT->RTR TRANSITION (if we are not,
++ * this transition will be rejected in subsequent checks).
++ * In the INIT->RTR transition, we cannot have IB_QP_PORT set,
++ * but the IB_QP_STATE flag is required.
++ *
++ * Since kernel 3.14 (commit dbf727de7440), the uverbs driver,
++ * when IB_QP_AV is set, has required inclusion of a valid
++ * port number in the primary AV. (AVs are created and handled
++ * differently for infiniband and ethernet (RoCE) ports).
++ *
++ * Check the port number included in the primary AV against
++ * the port number in the qp struct, which was set (and saved)
++ * in the RST->INIT transition.
++ */
++ if (cmd->base.dest.port_num != qp->real_qp->port) {
++ ret = -EINVAL;
++ goto release_qp;
++ }
++ } else {
++ /* We are in SQD->SQD. (If we are not, this transition will
++ * be rejected later in the verbs layer checks).
++ * Check for both IB_QP_PORT and IB_QP_AV, these can be set
++ * together in the SQD->SQD transition.
++ *
++ * If only IP_QP_AV was set, add in IB_QP_PORT as well (the
++ * verbs layer driver does not track primary port changes
++ * resulting from path migration. Thus, in SQD, if the primary
++ * AV is modified, the primary port should also be modified).
++ *
++ * Note that in this transition, the IB_QP_STATE flag
++ * is not allowed.
++ */
++ if (((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT))
++ == (IB_QP_AV | IB_QP_PORT)) &&
++ cmd->base.port_num != cmd->base.dest.port_num) {
++ ret = -EINVAL;
++ goto release_qp;
++ }
++ if ((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT))
++ == IB_QP_AV) {
++ cmd->base.attr_mask |= IB_QP_PORT;
++ cmd->base.port_num = cmd->base.dest.port_num;
++ }
++ }
+ }
+
+ if ((cmd->base.attr_mask & IB_QP_ALT_PATH) &&
+ (!rdma_is_port_valid(qp->device, cmd->base.alt_port_num) ||
+- !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num))) {
++ !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num) ||
++ cmd->base.alt_port_num != cmd->base.alt_dest.port_num)) {
+ ret = -EINVAL;
+ goto release_qp;
+ }
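Review bot: The comment in the new SQD->SQD branch of modify_qp() says `IP_QP_AV`, which should read `IB_QP_AV`; since that comment explains a silent rewrite of the user's attr_mask, the typo is worth fixing before it is copied elsewhere. Two style nits in the same hunk: `if ((cmd->base.attr_mask & IB_QP_AV)) {` has a redundant pair of parentheses, and `cmd->base.attr_mask & IB_QP_STATE && cmd->base.qp_state == IB_QPS_RTR` mixes `&` and `&&` without the parentheses the later `(cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT))` test uses; `if ((cmd->base.attr_mask & IB_QP_STATE) &&` reads unambiguously. modify_qp() starts and ends outside the hunk, so the later verbs-layer checks the comments rely on cannot be confirmed here.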
--- /dev/null
+From c170e5a8d222537e98aa8d4fddb667ff7a2ee114 Mon Sep 17 00:00:00 2001
+From: Tony Battersby <tonyb@cybernetics.com>
+Date: Thu, 12 Jul 2018 16:30:45 -0400
+Subject: scsi: sg: fix minor memory leak in error path
+
+From: Tony Battersby <tonyb@cybernetics.com>
+
+commit c170e5a8d222537e98aa8d4fddb667ff7a2ee114 upstream.
+
+Fix a minor memory leak when there is an error opening a /dev/sg device.
+
+Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2186,6 +2186,7 @@ sg_add_sfp(Sg_device * sdp)
+ write_lock_irqsave(&sdp->sfd_lock, iflags);
+ if (atomic_read(&sdp->detaching)) {
+ write_unlock_irqrestore(&sdp->sfd_lock, iflags);
++ kfree(sfp);
+ return ERR_PTR(-ENODEV);
+ }
+ list_add_tail(&sfp->sfd_siblings, &sdp->sfds);
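Review bot: The new `kfree(sfp);` closes the leak on the detaching path in sg_add_sfp(), but the allocation of sfp and any initialisation between it and this check are outside the hunk; if anything beyond plain memory is set up there (a reference taken, a list head already registered), it would need its own teardown before this return. A one-line comment would make the ordering explicit, e.g. `/* sfp is not yet on sdp->sfds, so a plain kfree is sufficient */`, which is supported by the list_add_tail() that follows the check.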
net-stmmac-fix-wol-for-pci-based-setups.patch
rxrpc-fix-user-call-id-check-in-rxrpc_service_prealloc_one.patch
net-mlx5e-e-switch-initialize-eswitch-only-if-eswitch-manager.patch
+squashfs-more-metadata-hardening.patch
+squashfs-more-metadata-hardenings.patch
+can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch
+net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch
+virtio_balloon-fix-another-race-between-migration-and-ballooning.patch
+x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch
+x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch
+kvm-x86-vmx-fix-vpid-leak.patch
+audit-fix-potential-null-dereference-context-module.name.patch
+userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch
+iwlwifi-add-more-card-ids-for-9000-series.patch
+rdma-uverbs-expand-primary-and-alt-av-port-checks.patch
+crypto-padlock-aes-fix-nano-workaround-data-corruption.patch
+drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch
+scsi-sg-fix-minor-memory-leak-in-error-path.patch
--- /dev/null
+From d512584780d3e6a7cacb2f482834849453d444a1 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 30 Jul 2018 14:27:15 -0700
+Subject: squashfs: more metadata hardening
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d512584780d3e6a7cacb2f482834849453d444a1 upstream.
+
+Anatoly reports another squashfs fuzzing issue, where the decompression
+parameters themselves are in a compressed block.
+
+This causes squashfs_read_data() to be called in order to read the
+decompression options before the decompression stream having been set
+up, making squashfs go sideways.
+
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Acked-by: Phillip Lougher <phillip.lougher@gmail.com>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/squashfs/block.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/squashfs/block.c
++++ b/fs/squashfs/block.c
+@@ -167,6 +167,8 @@ int squashfs_read_data(struct super_bloc
+ }
+
+ if (compressed) {
++ if (!msblk->stream)
++ goto read_failure;
+ length = squashfs_decompress(msblk, bh, b, offset, length,
+ output);
+ if (length < 0)
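Review bot: The new `if (!msblk->stream) goto read_failure;` in squashfs_read_data() has no comment, and the reason a NULL stream can be reached here (the decompressor options themselves living in a compressed block, read before the stream exists) is stated only in the commit message. Suggest `/* The decompressor is not set up yet: the image asks us to decompress the decompression options themselves. Treat the image as corrupt. */` above the check. The read_failure label and whatever it releases are outside the hunk; assuming it is the function's common error exit the early goto leaves no buffer heads behind, but that cannot be confirmed from here.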
--- /dev/null
+From 71755ee5350b63fb1f283de8561cdb61b47f4d1d Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 2 Aug 2018 08:43:35 -0700
+Subject: squashfs: more metadata hardening
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 71755ee5350b63fb1f283de8561cdb61b47f4d1d upstream.
+
+The squashfs fragment reading code doesn't actually verify that the
+fragment is inside the fragment table. The end result _is_ verified to
+be inside the image when actually reading the fragment data, but before
+that is done, we may end up taking a page fault because the fragment
+table itself might not even exist.
+
+Another report from Anatoly and his endless squashfs image fuzzing.
+
+Reported-by: Анатолий Тросиненко <anatoly.trosinenko@gmail.com>
+Acked-by:: Phillip Lougher <phillip.lougher@gmail.com>,
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/squashfs/fragment.c | 13 +++++++++----
+ fs/squashfs/squashfs_fs_sb.h | 1 +
+ fs/squashfs/super.c | 5 +++--
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/fs/squashfs/fragment.c
++++ b/fs/squashfs/fragment.c
+@@ -49,11 +49,16 @@ int squashfs_frag_lookup(struct super_bl
+ u64 *fragment_block)
+ {
+ struct squashfs_sb_info *msblk = sb->s_fs_info;
+- int block = SQUASHFS_FRAGMENT_INDEX(fragment);
+- int offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
+- u64 start_block = le64_to_cpu(msblk->fragment_index[block]);
++ int block, offset, size;
+ struct squashfs_fragment_entry fragment_entry;
+- int size;
++ u64 start_block;
++
++ if (fragment >= msblk->fragments)
++ return -EIO;
++ block = SQUASHFS_FRAGMENT_INDEX(fragment);
++ offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
++
++ start_block = le64_to_cpu(msblk->fragment_index[block]);
+
+ size = squashfs_read_metadata(sb, &fragment_entry, &start_block,
+ &offset, sizeof(fragment_entry));
+--- a/fs/squashfs/squashfs_fs_sb.h
++++ b/fs/squashfs/squashfs_fs_sb.h
+@@ -75,6 +75,7 @@ struct squashfs_sb_info {
+ unsigned short block_log;
+ long long bytes_used;
+ unsigned int inodes;
++ unsigned int fragments;
+ int xattr_ids;
+ };
+ #endif
+--- a/fs/squashfs/super.c
++++ b/fs/squashfs/super.c
+@@ -175,6 +175,7 @@ static int squashfs_fill_super(struct su
+ msblk->inode_table = le64_to_cpu(sblk->inode_table_start);
+ msblk->directory_table = le64_to_cpu(sblk->directory_table_start);
+ msblk->inodes = le32_to_cpu(sblk->inodes);
++ msblk->fragments = le32_to_cpu(sblk->fragments);
+ flags = le16_to_cpu(sblk->flags);
+
+ TRACE("Found valid superblock on %pg\n", sb->s_bdev);
+@@ -185,7 +186,7 @@ static int squashfs_fill_super(struct su
+ TRACE("Filesystem size %lld bytes\n", msblk->bytes_used);
+ TRACE("Block size %d\n", msblk->block_size);
+ TRACE("Number of inodes %d\n", msblk->inodes);
+- TRACE("Number of fragments %d\n", le32_to_cpu(sblk->fragments));
++ TRACE("Number of fragments %d\n", msblk->fragments);
+ TRACE("Number of ids %d\n", le16_to_cpu(sblk->no_ids));
+ TRACE("sblk->inode_table_start %llx\n", msblk->inode_table);
+ TRACE("sblk->directory_table_start %llx\n", msblk->directory_table);
+@@ -272,7 +273,7 @@ allocate_id_index_table:
+ sb->s_export_op = &squashfs_export_ops;
+
+ handle_fragments:
+- fragments = le32_to_cpu(sblk->fragments);
++ fragments = msblk->fragments;
+ if (fragments == 0)
+ goto check_directory_table;
+
--- /dev/null
+From 31e810aa1033a7db50a2746cd34a2432237f6420 Mon Sep 17 00:00:00 2001
+From: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Date: Thu, 2 Aug 2018 15:36:09 -0700
+Subject: userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails
+
+From: Mike Rapoport <rppt@linux.vnet.ibm.com>
+
+commit 31e810aa1033a7db50a2746cd34a2432237f6420 upstream.
+
+The fix in commit 0cbb4b4f4c44 ("userfaultfd: clear the
+vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails") cleared the
+vma->vm_userfaultfd_ctx but kept userfaultfd flags in vma->vm_flags
+that were copied from the parent process VMA.
+
+As the result, there is an inconsistency between the values of
+vma->vm_userfaultfd_ctx.ctx and vma->vm_flags which triggers BUG_ON
+in userfaultfd_release().
+
+Clearing the uffd flags from vma->vm_flags in case of UFFD_EVENT_FORK
+failure resolves the issue.
+
+Link: http://lkml.kernel.org/r/1532931975-25473-1-git-send-email-rppt@linux.vnet.ibm.com
+Fixes: 0cbb4b4f4c44 ("userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails")
+Signed-off-by: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Reported-by: syzbot+121be635a7a35ddb7dcb@syzkaller.appspotmail.com
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Eric Biggers <ebiggers3@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/userfaultfd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -628,8 +628,10 @@ static void userfaultfd_event_wait_compl
+ /* the various vma->vm_userfaultfd_ctx still points to it */
+ down_write(&mm->mmap_sem);
+ for (vma = mm->mmap; vma; vma = vma->vm_next)
+- if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx)
++ if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) {
+ vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
++ vma->vm_flags &= ~(VM_UFFD_WP | VM_UFFD_MISSING);
++ }
+ up_write(&mm->mmap_sem);
+
+ userfaultfd_ctx_put(release_new_ctx);
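Review bot: The added `vma->vm_flags &= ~(VM_UFFD_WP | VM_UFFD_MISSING);` has no comment tying it to the invariant it restores; since the description says userfaultfd_release() BUG_ONs when vm_flags and vm_userfaultfd_ctx disagree, a note on the new line would make that explicit: `/* keep vm_flags in step with the cleared ctx; userfaultfd_release() BUG_ONs on a mismatch */`. The write happens under the `down_write(&mm->mmap_sem)` visible above it, so ordering against concurrent readers looks covered. Whether other paths clear the same flag pair through a shared helper that this loop should reuse cannot be seen from here; the enclosing function starts and ends outside the hunk.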
--- /dev/null
+From 89da619bc18d79bca5304724c11d4ba3b67ce2c6 Mon Sep 17 00:00:00 2001
+From: Jiang Biao <jiang.biao2@zte.com.cn>
+Date: Wed, 18 Jul 2018 10:29:28 +0800
+Subject: virtio_balloon: fix another race between migration and ballooning
+
+From: Jiang Biao <jiang.biao2@zte.com.cn>
+
+commit 89da619bc18d79bca5304724c11d4ba3b67ce2c6 upstream.
+
+Kernel panic when with high memory pressure, calltrace looks like,
+
+PID: 21439 TASK: ffff881be3afedd0 CPU: 16 COMMAND: "java"
+ #0 [ffff881ec7ed7630] machine_kexec at ffffffff81059beb
+ #1 [ffff881ec7ed7690] __crash_kexec at ffffffff81105942
+ #2 [ffff881ec7ed7760] crash_kexec at ffffffff81105a30
+ #3 [ffff881ec7ed7778] oops_end at ffffffff816902c8
+ #4 [ffff881ec7ed77a0] no_context at ffffffff8167ff46
+ #5 [ffff881ec7ed77f0] __bad_area_nosemaphore at ffffffff8167ffdc
+ #6 [ffff881ec7ed7838] __node_set at ffffffff81680300
+ #7 [ffff881ec7ed7860] __do_page_fault at ffffffff8169320f
+ #8 [ffff881ec7ed78c0] do_page_fault at ffffffff816932b5
+ #9 [ffff881ec7ed78f0] page_fault at ffffffff8168f4c8
+ [exception RIP: _raw_spin_lock_irqsave+47]
+ RIP: ffffffff8168edef RSP: ffff881ec7ed79a8 RFLAGS: 00010046
+ RAX: 0000000000000246 RBX: ffffea0019740d00 RCX: ffff881ec7ed7fd8
+ RDX: 0000000000020000 RSI: 0000000000000016 RDI: 0000000000000008
+ RBP: ffff881ec7ed79a8 R8: 0000000000000246 R9: 000000000001a098
+ R10: ffff88107ffda000 R11: 0000000000000000 R12: 0000000000000000
+ R13: 0000000000000008 R14: ffff881ec7ed7a80 R15: ffff881be3afedd0
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+
+It happens in the pagefault and results in double pagefault
+during compacting pages when memory allocation fails.
+
+Analysis of the vmcore showed that the page which triggers the second
+page fault is corrupted: _mapcount=-256, but private=0.
+
+It is caused by a race between migration and ballooning, due to a
+missing lock in virtballoon_migratepage() of the virtio_balloon driver.
+This patch fixes the bug.
+
+Fixes: e22504296d4f64f ("virtio_balloon: introduce migration primitives to balloon pages")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiang Biao <jiang.biao2@zte.com.cn>
+Signed-off-by: Huang Chong <huang.chong@zte.com.cn>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio_balloon.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -490,7 +490,9 @@ static int virtballoon_migratepage(struc
+ tell_host(vb, vb->inflate_vq);
+
+ /* balloon's page migration 2nd step -- deflate "page" */
++ spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
+ balloon_page_delete(page);
++ spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
+ vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
+ set_page_pfns(vb, vb->pfns, page);
+ tell_host(vb, vb->deflate_vq);
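Review bot: The new `spin_lock_irqsave(&vb_dev_info->pages_lock, flags)` around balloon_page_delete() explains neither what it serialises against nor why the adjacent `set_page_pfns`/`tell_host` calls deliberately stay outside the lock, and the description only says a lock was "missing". I would extend the step comment: `/* balloon_page_delete() must run under pages_lock so the balloon's own dequeue/isolate paths cannot see the page half-removed; tell_host() stays outside the lock */`. The `flags` variable is assumed to be declared earlier in virtballoon_migratepage (its start is outside the hunk), presumably the one used for the inflate step's locking. Whether tell_host() can block, and therefore must remain outside the spinlock, is not visible in these lines and should be confirmed before the comment asserts it.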
--- /dev/null
+From d9e6dbcf28f383bf08e6a3180972f5722e514a54 Mon Sep 17 00:00:00 2001
+From: Len Brown <len.brown@intel.com>
+Date: Sat, 21 Jul 2018 17:19:19 -0400
+Subject: x86/apic: Future-proof the TSC_DEADLINE quirk for SKX
+
+From: Len Brown <len.brown@intel.com>
+
+commit d9e6dbcf28f383bf08e6a3180972f5722e514a54 upstream.
+
+All SKX with stepping higher than 4 support the TSC_DEADLINE,
+no matter the microcode version.
+
+Without this patch, upcoming SKX steppings will not be able to use
+their TSC_DEADLINE timer.
+
+Signed-off-by: Len Brown <len.brown@intel.com>
+Cc: <stable@kernel.org> # v4.14+
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 616dd5872e ("x86/apic: Update TSC_DEADLINE quirk with additional SKX stepping")
+Link: http://lkml.kernel.org/r/d0c7129e509660be9ec6b233284b8d42d90659e8.1532207856.git.len.brown@intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/apic.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -580,6 +580,9 @@ static u32 skx_deadline_rev(void)
+ case 0x04: return 0x02000014;
+ }
+
++ if (boot_cpu_data.x86_stepping > 4)
++ return 0;
++
+ return ~0U;
+ }
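Review bot: The added `return 0` for `x86_stepping > 4` introduces a third return value whose meaning is documented nowhere in the function: the description implies 0 means "no microcode minimum", and the existing `return ~0U` presumably means "never enable", but that convention lives in the caller, which is not visible. A comment on the new branch, `/* steppings after 4 support TSC_DEADLINE regardless of microcode revision */`, and one on the fall-through, `/* unknown or older stepping: never enable */`, would make skx_deadline_rev self-explanatory. Steppings below the lowest case of the switch (partly outside the hunk) still fall through to `~0U`, which looks intended but is worth stating. skx_deadline_rev's opening lines are outside the hunk.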
+
--- /dev/null
+From b3681dd548d06deb2e1573890829dff4b15abf46 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Sun, 22 Jul 2018 11:05:09 -0700
+Subject: x86/entry/64: Remove %ebx handling from error_entry/exit
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit b3681dd548d06deb2e1573890829dff4b15abf46 upstream.
+
+error_entry and error_exit communicate the user vs. kernel status of
+the frame using %ebx. This is unnecessary -- the information is in
+regs->cs. Just use regs->cs.
+
+This makes error_entry simpler and makes error_exit more robust.
+
+It also fixes a nasty bug. Before all the Spectre nonsense, the
+xen_failsafe_callback entry point returned like this:
+
+ ALLOC_PT_GPREGS_ON_STACK
+ SAVE_C_REGS
+ SAVE_EXTRA_REGS
+ ENCODE_FRAME_POINTER
+ jmp error_exit
+
+And it did not go through error_entry. This was bogus: RBX
+contained garbage, and error_exit expected a flag in RBX.
+
+Fortunately, it generally contained *nonzero* garbage, so the
+correct code path was used. As part of the Spectre fixes, code was
+added to clear RBX to mitigate certain speculation attacks. Now,
+depending on kernel configuration, RBX got zeroed and, when running
+some Wine workloads, the kernel crashes. This was introduced by:
+
+ commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+
+With this patch applied, RBX is no longer needed as a flag, and the
+problem goes away.
+
+I suspect that malicious userspace could use this bug to crash the
+kernel even without the offending patch applied, though.
+
+[ Historical note: I wrote this patch as a cleanup before I was aware
+ of the bug it fixed. ]
+
+[ Note to stable maintainers: this should probably get applied to all
+ kernels. If you're nervous about that, a more conservative fix to
+ add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
+ also fix the problem. ]
+
+Reported-and-tested-by: M. Vefa Bicakci <m.v.b@runbox.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Cc: xen-devel@lists.xenproject.org
+Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+Link: http://lkml.kernel.org/r/b5010a090d3586b2d6e06c7ad3ec5542d1241c45.1532282627.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/entry/entry_64.S | 18 ++++--------------
+ 1 file changed, 4 insertions(+), 14 deletions(-)
+
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -933,7 +933,7 @@ ENTRY(\sym)
+
+ call \do_sym
+
+- jmp error_exit /* %ebx: no swapgs flag */
++ jmp error_exit
+ .endif
+ END(\sym)
+ .endm
+@@ -1166,7 +1166,6 @@ END(paranoid_exit)
+
+ /*
+ * Save all registers in pt_regs, and switch GS if needed.
+- * Return: EBX=0: came from user mode; EBX=1: otherwise
+ */
+ ENTRY(error_entry)
+ UNWIND_HINT_FUNC
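Review bot: Dropping the `Return: EBX=0/1` line leaves error_entry's header comment saying nothing about how callers now learn the user-versus-kernel origin, which is the contract this patch changes. A replacement line keeps it documented: `* The user vs. kernel origin is no longer returned in a register; error_exit derives it from the saved CS on the stack.`. error_entry's body continues beyond the hunk.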
+@@ -1213,7 +1212,6 @@ ENTRY(error_entry)
+ * for these here too.
+ */
+ .Lerror_kernelspace:
+- incl %ebx
+ leaq native_irq_return_iret(%rip), %rcx
+ cmpq %rcx, RIP+8(%rsp)
+ je .Lerror_bad_iret
+@@ -1247,28 +1245,20 @@ ENTRY(error_entry)
+
+ /*
+ * Pretend that the exception came from user mode: set up pt_regs
+- * as if we faulted immediately after IRET and clear EBX so that
+- * error_exit knows that we will be returning to user mode.
++ * as if we faulted immediately after IRET.
+ */
+ mov %rsp, %rdi
+ call fixup_bad_iret
+ mov %rax, %rsp
+- decl %ebx
+ jmp .Lerror_entry_from_usermode_after_swapgs
+ END(error_entry)
+
+-
+-/*
+- * On entry, EBX is a "return to kernel mode" flag:
+- * 1: already in kernel mode, don't need SWAPGS
+- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
+- */
+ ENTRY(error_exit)
+ UNWIND_HINT_REGS
+ DISABLE_INTERRUPTS(CLBR_ANY)
+ TRACE_IRQS_OFF
+- testl %ebx, %ebx
+- jnz retint_kernel
++ testb $3, CS(%rsp)
++ jz retint_kernel
+ jmp retint_user
+ END(error_exit)
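Review bot: The new `testb $3, CS(%rsp)` / `jz retint_kernel` pair is correct only because every path into error_exit leaves a pt_regs whose CS reflects the true origin, including the bad-iret path that fixup_bad_iret rewrites to look like a user-mode entry (stated in the preceding hunk's comment); with the old EBX header comment deleted, nothing in error_exit records that contract. I would put it back in the new terms: `/* Return to kernel or user mode based on the saved CS.RPL; entry points that bypass error_entry (e.g. xen_failsafe_callback) are covered since no register flag is needed. */`. The description's claim that userspace could crash earlier kernels through this path is plausible but not demonstrated by these lines and should be checked against the xen_failsafe_callback entry, which the patch does not touch.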
+