4.17-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 4 Aug 2018 08:12:08 +0000 (10:12 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 4 Aug 2018 08:12:08 +0000 (10:12 +0200)
added patches:
audit-fix-potential-null-dereference-context-module.name.patch
brcmfmac-fix-regression-in-parsing-nvram-for-multiple-devices.patch
can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch
crypto-padlock-aes-fix-nano-workaround-data-corruption.patch
drm-atomic-check-old_plane_state-crtc-in-drm_atomic_helper_async_check.patch
drm-atomic-initialize-variables-in-drm_atomic_helper_async_check-to-make-gcc-happy.patch
drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch
ipc-shm.c-add-pagesize-function-to-shm_vm_ops.patch
iwlwifi-add-more-card-ids-for-9000-series.patch
kvm-x86-vmx-fix-vpid-leak.patch
net-socket-fix-potential-spectre-v1-gadget-in-sock_is_registered.patch
net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch
rdma-uverbs-expand-primary-and-alt-av-port-checks.patch
scsi-sg-fix-minor-memory-leak-in-error-path.patch
squashfs-more-metadata-hardening.patch
squashfs-more-metadata-hardenings.patch
userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch
virtio_balloon-fix-another-race-between-migration-and-ballooning.patch
x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch
x86-efi-access-efi-mmio-data-as-unencrypted-when-sev-is-active.patch
x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch

22 files changed:
queue-4.17/audit-fix-potential-null-dereference-context-module.name.patch [new file with mode: 0644]
queue-4.17/brcmfmac-fix-regression-in-parsing-nvram-for-multiple-devices.patch [new file with mode: 0644]
queue-4.17/can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch [new file with mode: 0644]
queue-4.17/crypto-padlock-aes-fix-nano-workaround-data-corruption.patch [new file with mode: 0644]
queue-4.17/drm-atomic-check-old_plane_state-crtc-in-drm_atomic_helper_async_check.patch [new file with mode: 0644]
queue-4.17/drm-atomic-initialize-variables-in-drm_atomic_helper_async_check-to-make-gcc-happy.patch [new file with mode: 0644]
queue-4.17/drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch [new file with mode: 0644]
queue-4.17/ipc-shm.c-add-pagesize-function-to-shm_vm_ops.patch [new file with mode: 0644]
queue-4.17/iwlwifi-add-more-card-ids-for-9000-series.patch [new file with mode: 0644]
queue-4.17/kvm-x86-vmx-fix-vpid-leak.patch [new file with mode: 0644]
queue-4.17/net-socket-fix-potential-spectre-v1-gadget-in-sock_is_registered.patch [new file with mode: 0644]
queue-4.17/net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch [new file with mode: 0644]
queue-4.17/rdma-uverbs-expand-primary-and-alt-av-port-checks.patch [new file with mode: 0644]
queue-4.17/scsi-sg-fix-minor-memory-leak-in-error-path.patch [new file with mode: 0644]
queue-4.17/series
queue-4.17/squashfs-more-metadata-hardening.patch [new file with mode: 0644]
queue-4.17/squashfs-more-metadata-hardenings.patch [new file with mode: 0644]
queue-4.17/userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch [new file with mode: 0644]
queue-4.17/virtio_balloon-fix-another-race-between-migration-and-ballooning.patch [new file with mode: 0644]
queue-4.17/x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch [new file with mode: 0644]
queue-4.17/x86-efi-access-efi-mmio-data-as-unencrypted-when-sev-is-active.patch [new file with mode: 0644]
queue-4.17/x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch [new file with mode: 0644]

diff --git a/queue-4.17/audit-fix-potential-null-dereference-context-module.name.patch b/queue-4.17/audit-fix-potential-null-dereference-context-module.name.patch
new file mode 100644 (file)
index 0000000..b2fedf0
--- /dev/null
@@ -0,0 +1,55 @@
+From b305f7ed0f4f494ad6f3ef5667501535d5a8fa31 Mon Sep 17 00:00:00 2001
+From: Yi Wang <wang.yi59@zte.com.cn>
+Date: Wed, 25 Jul 2018 10:26:19 +0800
+Subject: audit: fix potential null dereference 'context->module.name'
+
+From: Yi Wang <wang.yi59@zte.com.cn>
+
+commit b305f7ed0f4f494ad6f3ef5667501535d5a8fa31 upstream.
+
+The variable 'context->module.name' may be null pointer when
+kmalloc return null, so it's better to check it before using
+to avoid null dereference.
+Another one more thing this patch does is using kstrdup instead
+of (kmalloc + strcpy), and signal a lost record via audit_log_lost.
+
+Cc: stable@vger.kernel.org # 4.11
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/auditsc.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -1274,8 +1274,12 @@ static void show_special(struct audit_co
+               break;
+       case AUDIT_KERN_MODULE:
+               audit_log_format(ab, "name=");
+-              audit_log_untrustedstring(ab, context->module.name);
+-              kfree(context->module.name);
++              if (context->module.name) {
++                      audit_log_untrustedstring(ab, context->module.name);
++                      kfree(context->module.name);
++              } else
++                      audit_log_format(ab, "(null)");
++
+               break;
+       }
+       audit_log_end(ab);
+@@ -2408,8 +2412,9 @@ void __audit_log_kern_module(char *name)
+ {
+       struct audit_context *context = current->audit_context;
+-      context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
+-      strcpy(context->module.name, name);
++      context->module.name = kstrdup(name, GFP_KERNEL);
++      if (!context->module.name)
++              audit_log_lost("out of memory in __audit_log_kern_module");
+       context->type = AUDIT_KERN_MODULE;
+ }
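Review bot: The new `else` arm in show_special() at the `} else` line drops its braces while the `if` arm keeps them; the kernel coding style asks for braces on both branches once either needs them, so the lines should read `} else {` / `audit_log_format(ab, "(null)");` / `}`. Separately, `kfree(context->module.name)` leaves the pointer dangling; if the context can reach show_special() again before being reset (the callers are outside this hunk), a `context->module.name = NULL;` after the kfree would turn a potential double free into a harmless "(null)" record — worth confirming against the context lifecycle. In __audit_log_kern_module() the kstrdup-failure path now records the loss via audit_log_lost() and still emits a record with "(null)", which keeps the event auditable rather than silently dropped. Both functions start outside their hunks.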
diff --git a/queue-4.17/brcmfmac-fix-regression-in-parsing-nvram-for-multiple-devices.patch b/queue-4.17/brcmfmac-fix-regression-in-parsing-nvram-for-multiple-devices.patch
new file mode 100644 (file)
index 0000000..11cac2b
--- /dev/null
@@ -0,0 +1,46 @@
+From 299b6365a3b7cf7f5ea1c945a420e9ee4841d6f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sun, 22 Jul 2018 23:46:25 +0200
+Subject: brcmfmac: fix regression in parsing NVRAM for multiple devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+commit 299b6365a3b7cf7f5ea1c945a420e9ee4841d6f7 upstream.
+
+NVRAM is designed to work with Broadcom's SDK Linux kernel which fakes
+PCI domain 0 for all internal MMIO devices. Since official Linux kernel
+uses platform devices for that purpose there is a mismatch in numbering
+PCI domains.
+
+There used to be a fix for that problem but it was accidentally dropped
+during the last firmware loading rework. That resulted in brcmfmac not
+being able to extract device specific NVRAM content and all kind of
+calibration problems.
+
+Reported-by: Aditya Xavier <adityaxavier@gmail.com>
+Fixes: 2baa3aaee27f ("brcmfmac: introduce brcmf_fw_alloc_request() function")
+Cc: stable@vger.kernel.org # v4.17+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1755,7 +1755,8 @@ brcmf_pcie_prepare_fw_request(struct brc
+       fwreq->items[BRCMF_PCIE_FW_CODE].type = BRCMF_FW_TYPE_BINARY;
+       fwreq->items[BRCMF_PCIE_FW_NVRAM].type = BRCMF_FW_TYPE_NVRAM;
+       fwreq->items[BRCMF_PCIE_FW_NVRAM].flags = BRCMF_FW_REQF_OPTIONAL;
+-      fwreq->domain_nr = pci_domain_nr(devinfo->pdev->bus);
++      /* NVRAM reserves PCI domain 0 for Broadcom's SDK faked bus */
++      fwreq->domain_nr = pci_domain_nr(devinfo->pdev->bus) + 1;
+       fwreq->bus_nr = devinfo->pdev->bus->number;
+       return fwreq;
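Review bot: The `+ 1` on `fwreq->domain_nr` encodes a contract between this driver and the device-specific NVRAM naming (domain 0 is reserved for the SDK's faked bus) that lives only in the one-line comment at the assignment, and the commit message says this is exactly the detail that was lost in the previous firmware-loading rework. I would document it where `domain_nr` is declared (outside this hunk) as well, e.g. `/* NVRAM domain numbering is 1-based: domain 0 is the Broadcom SDK's faked bus, so Linux PCI domain N is stored as N + 1 */`, so the next refactor of the request path sees it. If `domain_nr` is a narrow integer type the increment could in principle wrap at the type's maximum; presumably unreachable for real PCI domains, but worth a glance. brcmf_pcie_prepare_fw_request() starts outside the hunk.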
diff --git a/queue-4.17/can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch b/queue-4.17/can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch
new file mode 100644 (file)
index 0000000..11bb5de
--- /dev/null
@@ -0,0 +1,33 @@
+From 72c05f32f4a5055c9c8fe889bb6903ec959c0aad Mon Sep 17 00:00:00 2001
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Fri, 27 Jul 2018 18:50:42 +0300
+Subject: can: ems_usb: Fix memory leak on ems_usb_disconnect()
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+commit 72c05f32f4a5055c9c8fe889bb6903ec959c0aad upstream.
+
+ems_usb_probe() allocates memory for dev->tx_msg_buffer, but there
+is no its deallocation in ems_usb_disconnect().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/ems_usb.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -1072,6 +1072,7 @@ static void ems_usb_disconnect(struct us
+               usb_free_urb(dev->intr_urb);
+               kfree(dev->intr_in_buffer);
++              kfree(dev->tx_msg_buffer);
+       }
+ }
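Review bot: The added `kfree(dev->tx_msg_buffer);` sits inside a conditional block whose condition is above the hunk; if `tx_msg_buffer` can be allocated in ems_usb_probe() on a path where that condition is false at disconnect time, the leak persists on that path — worth confirming against the allocation site. The free also relies on `dev->tx_msg_buffer` being either NULL or a live allocation whenever the block runs, which holds only if the field is zero-initialised at device allocation (not visible here); kfree(NULL) is a no-op, so that is the cheap invariant to verify. The enclosing ems_usb_disconnect() starts outside the hunk.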
diff --git a/queue-4.17/crypto-padlock-aes-fix-nano-workaround-data-corruption.patch b/queue-4.17/crypto-padlock-aes-fix-nano-workaround-data-corruption.patch
new file mode 100644 (file)
index 0000000..acd0eaf
--- /dev/null
@@ -0,0 +1,71 @@
+From 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 13 Jul 2018 16:12:32 +0800
+Subject: crypto: padlock-aes - Fix Nano workaround data corruption
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 upstream.
+
+This was detected by the self-test thanks to Ard's chunking patch.
+
+I finally got around to testing this out on my ancient Via box.  It
+turns out that the workaround got the assembly wrong and we end up
+doing count + initial cycles of the loop instead of just count.
+
+This obviously causes corruption, either by overwriting the source
+that is yet to be processed, or writing over the end of the buffer.
+
+On CPUs that don't require the workaround only ECB is affected.
+On Nano CPUs both ECB and CBC are affected.
+
+This patch fixes it by doing the subtraction prior to the assembly.
+
+Fixes: a76c1c23d0c3 ("crypto: padlock-aes - work around Nano CPU...")
+Cc: <stable@vger.kernel.org>
+Reported-by: Jamie Heilman <jamie@audible.transient.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/padlock-aes.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/padlock-aes.c
++++ b/drivers/crypto/padlock-aes.c
+@@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(co
+               return;
+       }
++      count -= initial;
++
+       if (initial)
+               asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"       /* rep xcryptecb */
+                             : "+S"(input), "+D"(output)
+@@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(co
+       asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"       /* rep xcryptecb */
+                     : "+S"(input), "+D"(output)
+-                    : "d"(control_word), "b"(key), "c"(count - initial));
++                    : "d"(control_word), "b"(key), "c"(count));
+ }
+ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
+@@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(con
+       if (count < cbc_fetch_blocks)
+               return cbc_crypt(input, output, key, iv, control_word, count);
++      count -= initial;
++
+       if (initial)
+               asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"       /* rep xcryptcbc */
+                             : "+S" (input), "+D" (output), "+a" (iv)
+@@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(con
+       asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"       /* rep xcryptcbc */
+                     : "+S" (input), "+D" (output), "+a" (iv)
+-                    : "d" (control_word), "b" (key), "c" (count-initial));
++                    : "d" (control_word), "b" (key), "c" (count));
+       return iv;
+ }
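Review bot: `count -= initial;` now sits several lines above the asm statements that consume it, in both padlock_xcrypt_ecb() and padlock_xcrypt_cbc(), with nothing in the code saying why the subtraction must precede both asm blocks; a one-line comment such as `/* the first 'initial' blocks go through the asm below; 'count' must be the remainder or the rep loop overruns the buffer */` would keep a future cleanup from folding it back into the operand, which is the bug this patch fixes. The subtraction is also unguarded: it assumes `initial <= count`, which presumably holds because `initial` is derived from `count` above the hunk (not visible here) — worth confirming, since an underflow here would reintroduce the out-of-bounds write. Both functions start outside their hunks.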
diff --git a/queue-4.17/drm-atomic-check-old_plane_state-crtc-in-drm_atomic_helper_async_check.patch b/queue-4.17/drm-atomic-check-old_plane_state-crtc-in-drm_atomic_helper_async_check.patch
new file mode 100644 (file)
index 0000000..7bdfa86
--- /dev/null
@@ -0,0 +1,40 @@
+From 603ba2dfb338b307aebe95fe344c479a59b3a175 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@bootlin.com>
+Date: Tue, 24 Jul 2018 15:32:15 +0200
+Subject: drm/atomic: Check old_plane_state->crtc in drm_atomic_helper_async_check()
+
+From: Boris Brezillon <boris.brezillon@bootlin.com>
+
+commit 603ba2dfb338b307aebe95fe344c479a59b3a175 upstream.
+
+Async plane update is supposed to work only when updating the FB or FB
+position of an already enabled plane. That does not apply to requests
+where the plane was previously disabled or assigned to a different
+CTRC.
+
+Check old_plane_state->crtc value to make sure async plane update is
+allowed.
+
+Fixes: fef9df8b5945 ("drm/atomic: initial support for asynchronous plane update")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180724133215.31917-1-boris.brezillon@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_atomic_helper.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_atomic_helper.c
++++ b/drivers/gpu/drm/drm_atomic_helper.c
+@@ -1516,7 +1516,8 @@ int drm_atomic_helper_async_check(struct
+       if (n_planes != 1)
+               return -EINVAL;
+-      if (!new_plane_state->crtc)
++      if (!new_plane_state->crtc ||
++          old_plane_state->crtc != new_plane_state->crtc)
+               return -EINVAL;
+       funcs = plane->helper_private;
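Review bot: The new `old_plane_state->crtc != new_plane_state->crtc` test at the `if (!new_plane_state->crtc ||` line dereferences `old_plane_state`, which is only assigned inside the plane-iteration loop above the hunk; its validity at this point rests on the preceding `n_planes != 1` check guaranteeing exactly one loop iteration. A comment such as `/* n_planes == 1: plane, old_plane_state and new_plane_state were set by the loop above */` would make that dependency explicit next to the check. drm_atomic_helper_async_check() starts and ends outside the hunk.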
diff --git a/queue-4.17/drm-atomic-initialize-variables-in-drm_atomic_helper_async_check-to-make-gcc-happy.patch b/queue-4.17/drm-atomic-initialize-variables-in-drm_atomic_helper_async_check-to-make-gcc-happy.patch
new file mode 100644 (file)
index 0000000..a612353
--- /dev/null
@@ -0,0 +1,44 @@
+From de2d8db395c32d121d02871819444b631f73e0b6 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@bootlin.com>
+Date: Tue, 24 Jul 2018 15:33:00 +0200
+Subject: drm/atomic: Initialize variables in drm_atomic_helper_async_check() to make gcc happy
+
+From: Boris Brezillon <boris.brezillon@bootlin.com>
+
+commit de2d8db395c32d121d02871819444b631f73e0b6 upstream.
+
+drm_atomic_helper_async_check() declares the plane, old_plane_state and
+new_plane_state variables to iterate over all planes of the atomic
+state and make sure only one plane is enabled.
+
+Unfortunately gcc is not smart enough to figure out that the check on
+n_planes is enough to guarantee that plane, new_plane_state and
+old_plane_state are initialized.
+
+Explicitly initialize those variables to NULL to make gcc happy.
+
+Fixes: fef9df8b5945 ("drm/atomic: initial support for asynchronous plane update")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Reviewed-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180724133300.32023-1-boris.brezillon@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_atomic_helper.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/drm_atomic_helper.c
++++ b/drivers/gpu/drm/drm_atomic_helper.c
+@@ -1499,8 +1499,9 @@ int drm_atomic_helper_async_check(struct
+ {
+       struct drm_crtc *crtc;
+       struct drm_crtc_state *crtc_state;
+-      struct drm_plane *plane;
+-      struct drm_plane_state *old_plane_state, *new_plane_state;
++      struct drm_plane *plane = NULL;
++      struct drm_plane_state *old_plane_state = NULL;
++      struct drm_plane_state *new_plane_state = NULL;
+       const struct drm_plane_helper_funcs *funcs;
+       int i, n_planes = 0;
diff --git a/queue-4.17/drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch b/queue-4.17/drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch
new file mode 100644 (file)
index 0000000..3b5c864
--- /dev/null
@@ -0,0 +1,36 @@
+From a6a00918d4ad8718c3ccde38c02cec17f116b2fd Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@bootlin.com>
+Date: Tue, 24 Jul 2018 15:36:01 +0200
+Subject: drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats
+
+From: Boris Brezillon <boris.brezillon@bootlin.com>
+
+commit a6a00918d4ad8718c3ccde38c02cec17f116b2fd upstream.
+
+This is needed to ensure ->is_unity is correct when the plane was
+previously configured to output a multi-planar format with scaling
+enabled, and is then being reconfigured to output a uniplanar format.
+
+Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180724133601.32114-1-boris.brezillon@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vc4/vc4_plane.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/vc4/vc4_plane.c
++++ b/drivers/gpu/drm/vc4/vc4_plane.c
+@@ -319,6 +319,9 @@ static int vc4_plane_setup_clipping_and_
+                       vc4_state->x_scaling[0] = VC4_SCALING_TPZ;
+               if (vc4_state->y_scaling[0] == VC4_SCALING_NONE)
+                       vc4_state->y_scaling[0] = VC4_SCALING_TPZ;
++      } else {
++              vc4_state->x_scaling[1] = VC4_SCALING_NONE;
++              vc4_state->y_scaling[1] = VC4_SCALING_NONE;
+       }
+       vc4_state->is_unity = (vc4_state->x_scaling[0] == VC4_SCALING_NONE &&
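Review bot: The new `else` branch resets `x_scaling[1]` and `y_scaling[1]` without saying why a uniplanar format needs plane-1 state touched at all; the reason is only in the commit message. I would add `/* uniplanar: clear plane-1 scaling left over from an earlier multi-planar config so is_unity below is computed correctly */` above the two assignments, since the `is_unity` computation that depends on them is the very next statement. The enclosing function (its name is truncated in the hunk header) starts and ends outside the hunk.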
diff --git a/queue-4.17/ipc-shm.c-add-pagesize-function-to-shm_vm_ops.patch b/queue-4.17/ipc-shm.c-add-pagesize-function-to-shm_vm_ops.patch
new file mode 100644 (file)
index 0000000..926c22a
--- /dev/null
@@ -0,0 +1,117 @@
+From eec3636ad198d4ac61e574cb122cb67e9bef5492 Mon Sep 17 00:00:00 2001
+From: Jane Chu <jane.chu@oracle.com>
+Date: Thu, 2 Aug 2018 15:36:05 -0700
+Subject: ipc/shm.c add ->pagesize function to shm_vm_ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jane Chu <jane.chu@oracle.com>
+
+commit eec3636ad198d4ac61e574cb122cb67e9bef5492 upstream.
+
+Commit 05ea88608d4e ("mm, hugetlbfs: introduce ->pagesize() to
+vm_operations_struct") adds a new ->pagesize() function to
+hugetlb_vm_ops, intended to cover all hugetlbfs backed files.
+
+With System V shared memory model, if "huge page" is specified, the
+"shared memory" is backed by hugetlbfs files, but the mappings initiated
+via shmget/shmat have their original vm_ops overwritten with shm_vm_ops,
+so we need to add a ->pagesize function to shm_vm_ops.  Otherwise,
+vma_kernel_pagesize() returns PAGE_SIZE given a hugetlbfs backed vma,
+result in below BUG:
+
+  fs/hugetlbfs/inode.c
+        443             if (unlikely(page_mapped(page))) {
+        444                     BUG_ON(truncate_op);
+
+resulting in
+
+  hugetlbfs: oracle (4592): Using mlock ulimits for SHM_HUGETLB is deprecated
+  ------------[ cut here ]------------
+  kernel BUG at fs/hugetlbfs/inode.c:444!
+  Modules linked in: nfsv3 rpcsec_gss_krb5 nfsv4 ...
+  CPU: 35 PID: 5583 Comm: oracle_5583_sbt Not tainted 4.14.35-1829.el7uek.x86_64 #2
+  RIP: 0010:remove_inode_hugepages+0x3db/0x3e2
+  ....
+  Call Trace:
+    hugetlbfs_evict_inode+0x1e/0x3e
+    evict+0xdb/0x1af
+    iput+0x1a2/0x1f7
+    dentry_unlink_inode+0xc6/0xf0
+    __dentry_kill+0xd8/0x18d
+    dput+0x1b5/0x1ed
+    __fput+0x18b/0x216
+    ____fput+0xe/0x10
+    task_work_run+0x90/0xa7
+    exit_to_usermode_loop+0xdd/0x116
+    do_syscall_64+0x187/0x1ae
+    entry_SYSCALL_64_after_hwframe+0x150/0x0
+
+[jane.chu@oracle.com: relocate comment]
+  Link: http://lkml.kernel.org/r/20180731044831.26036-1-jane.chu@oracle.com
+Link: http://lkml.kernel.org/r/20180727211727.5020-1-jane.chu@oracle.com
+Fixes: 05ea88608d4e13 ("mm, hugetlbfs: introduce ->pagesize() to vm_operations_struct")
+Signed-off-by: Jane Chu <jane.chu@oracle.com>
+Suggested-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Acked-by: Davidlohr Bueso <dave@stgolabs.net>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Jérôme Glisse <jglisse@redhat.com>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/shm.c    |   12 ++++++++++++
+ mm/hugetlb.c |    7 +++++++
+ 2 files changed, 19 insertions(+)
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -427,6 +427,17 @@ static int shm_split(struct vm_area_stru
+       return 0;
+ }
++static unsigned long shm_pagesize(struct vm_area_struct *vma)
++{
++      struct file *file = vma->vm_file;
++      struct shm_file_data *sfd = shm_file_data(file);
++
++      if (sfd->vm_ops->pagesize)
++              return sfd->vm_ops->pagesize(vma);
++
++      return PAGE_SIZE;
++}
++
+ #ifdef CONFIG_NUMA
+ static int shm_set_policy(struct vm_area_struct *vma, struct mempolicy *new)
+ {
+@@ -554,6 +565,7 @@ static const struct vm_operations_struct
+       .close  = shm_close,    /* callback for when the vm-area is released */
+       .fault  = shm_fault,
+       .split  = shm_split,
++      .pagesize = shm_pagesize,
+ #if defined(CONFIG_NUMA)
+       .set_policy = shm_set_policy,
+       .get_policy = shm_get_policy,
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3166,6 +3166,13 @@ static int hugetlb_vm_op_fault(struct vm
+       return 0;
+ }
++/*
++ * When a new function is introduced to vm_operations_struct and added
++ * to hugetlb_vm_ops, please consider adding the function to shm_vm_ops.
++ * This is because under System V memory model, mappings created via
++ * shmget/shmat with "huge page" specified are backed by hugetlbfs files,
++ * their original vm_ops are overwritten with shm_vm_ops.
++ */
+ const struct vm_operations_struct hugetlb_vm_ops = {
+       .fault = hugetlb_vm_op_fault,
+       .open = hugetlb_vm_op_open,
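Review bot: shm_pagesize() dereferences `sfd->vm_ops->pagesize` without checking `sfd->vm_ops` itself; that is presumably consistent with the neighbouring shm_vm_ops callbacks (shm_split's own check is not in the hunk), but the assumption deserves a line, e.g. `/* sfd->vm_ops is assumed non-NULL here, as in the other shm_vm_ops callbacks */` — confirm against the sibling helpers before asserting it. The function also lacks a purpose comment; `/* Report the backing file's page size so hugetlbfs-backed SysV segments are not treated as PAGE_SIZE mappings; see the note on hugetlb_vm_ops */` above it would tie the helper to the mm/hugetlb.c comment added in the same patch. The ipc/shm.c hunks start and end at function boundaries, so nothing is cut.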
diff --git a/queue-4.17/iwlwifi-add-more-card-ids-for-9000-series.patch b/queue-4.17/iwlwifi-add-more-card-ids-for-9000-series.patch
new file mode 100644 (file)
index 0000000..75f8180
--- /dev/null
@@ -0,0 +1,240 @@
+From 0a5257bc6d89c2ae69b9bf955679cb4f89261874 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Tue, 17 Jul 2018 13:43:56 +0300
+Subject: iwlwifi: add more card IDs for 9000 series
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 0a5257bc6d89c2ae69b9bf955679cb4f89261874 upstream.
+
+Add new device IDs for the 9000 series.
+
+Cc: stable@vger.kernel.org # 4.14
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/cfg/9000.c   |   69 ++++++++++++++++++++++++
+ drivers/net/wireless/intel/iwlwifi/iwl-config.h |    5 +
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c   |   22 +++++++
+ 3 files changed, 96 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
++++ b/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
+@@ -180,6 +180,17 @@ const struct iwl_cfg iwl9260_2ac_cfg = {
+       .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
+ };
++const struct iwl_cfg iwl9260_killer_2ac_cfg = {
++      .name = "Killer (R) Wireless-AC 1550 Wireless Network Adapter (9260NGW)",
++      .fw_name_pre = IWL9260A_FW_PRE,
++      .fw_name_pre_b_or_c_step = IWL9260B_FW_PRE,
++      IWL_DEVICE_9000,
++      .ht_params = &iwl9000_ht_params,
++      .nvm_ver = IWL9000_NVM_VERSION,
++      .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++      .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++};
++
+ const struct iwl_cfg iwl9270_2ac_cfg = {
+       .name = "Intel(R) Dual Band Wireless AC 9270",
+       .fw_name_pre = IWL9260A_FW_PRE,
+@@ -269,6 +280,34 @@ const struct iwl_cfg iwl9560_2ac_cfg_soc
+       .soc_latency = 5000,
+ };
++const struct iwl_cfg iwl9560_killer_2ac_cfg_soc = {
++      .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter (9560NGW)",
++      .fw_name_pre = IWL9000A_FW_PRE,
++      .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++      .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++      IWL_DEVICE_9000,
++      .ht_params = &iwl9000_ht_params,
++      .nvm_ver = IWL9000_NVM_VERSION,
++      .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++      .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++      .integrated = true,
++      .soc_latency = 5000,
++};
++
++const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc = {
++      .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter (9560NGW)",
++      .fw_name_pre = IWL9000A_FW_PRE,
++      .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++      .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++      IWL_DEVICE_9000,
++      .ht_params = &iwl9000_ht_params,
++      .nvm_ver = IWL9000_NVM_VERSION,
++      .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++      .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++      .integrated = true,
++      .soc_latency = 5000,
++};
++
+ const struct iwl_cfg iwl9460_2ac_cfg_shared_clk = {
+       .name = "Intel(R) Dual Band Wireless AC 9460",
+       .fw_name_pre = IWL9000A_FW_PRE,
+@@ -319,6 +358,36 @@ const struct iwl_cfg iwl9560_2ac_cfg_sha
+       .fw_name_pre = IWL9000A_FW_PRE,
+       .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
+       .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++      IWL_DEVICE_9000,
++      .ht_params = &iwl9000_ht_params,
++      .nvm_ver = IWL9000_NVM_VERSION,
++      .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++      .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++      .integrated = true,
++      .soc_latency = 5000,
++      .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK
++};
++
++const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk = {
++      .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter (9560NGW)",
++      .fw_name_pre = IWL9000A_FW_PRE,
++      .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++      .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++      IWL_DEVICE_9000,
++      .ht_params = &iwl9000_ht_params,
++      .nvm_ver = IWL9000_NVM_VERSION,
++      .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++      .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++      .integrated = true,
++      .soc_latency = 5000,
++      .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK
++};
++
++const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk = {
++      .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter (9560NGW)",
++      .fw_name_pre = IWL9000A_FW_PRE,
++      .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++      .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
+       IWL_DEVICE_9000,
+       .ht_params = &iwl9000_ht_params,
+       .nvm_ver = IWL9000_NVM_VERSION,
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-config.h
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-config.h
+@@ -471,6 +471,7 @@ extern const struct iwl_cfg iwl8275_2ac_
+ extern const struct iwl_cfg iwl4165_2ac_cfg;
+ extern const struct iwl_cfg iwl9160_2ac_cfg;
+ extern const struct iwl_cfg iwl9260_2ac_cfg;
++extern const struct iwl_cfg iwl9260_killer_2ac_cfg;
+ extern const struct iwl_cfg iwl9270_2ac_cfg;
+ extern const struct iwl_cfg iwl9460_2ac_cfg;
+ extern const struct iwl_cfg iwl9560_2ac_cfg;
+@@ -478,10 +479,14 @@ extern const struct iwl_cfg iwl9460_2ac_
+ extern const struct iwl_cfg iwl9461_2ac_cfg_soc;
+ extern const struct iwl_cfg iwl9462_2ac_cfg_soc;
+ extern const struct iwl_cfg iwl9560_2ac_cfg_soc;
++extern const struct iwl_cfg iwl9560_killer_2ac_cfg_soc;
++extern const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc;
+ extern const struct iwl_cfg iwl9460_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwl9461_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwl9462_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwl9560_2ac_cfg_shared_clk;
++extern const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk;
++extern const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwl22000_2ac_cfg_hr;
+ extern const struct iwl_cfg iwl22000_2ac_cfg_hr_cdb;
+ extern const struct iwl_cfg iwl22000_2ac_cfg_jf;
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -545,6 +545,9 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0x2526, 0x1210, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x2526, 0x1410, iwl9270_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x2526, 0x1420, iwl9460_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x2526, 0x1550, iwl9260_killer_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x2526, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x2526, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x2526, 0x1610, iwl9270_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x2526, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x2526, 0x2034, iwl9560_2ac_cfg_soc)},
+@@ -554,6 +557,7 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0x2526, 0x40A4, iwl9460_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x2526, 0x4234, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x2526, 0x42A4, iwl9462_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x2526, 0x8014, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x2526, 0xA014, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x271B, 0x0010, iwl9160_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x271B, 0x0014, iwl9160_2ac_cfg)},
+@@ -578,6 +582,8 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0x2720, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x2720, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x2720, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x2720, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x2720, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x2720, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x2720, 0x2034, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x2720, 0x4030, iwl9560_2ac_cfg)},
+@@ -604,6 +610,8 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0x30DC, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x30DC, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x30DC, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x30DC, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x30DC, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x30DC, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x30DC, 0x2034, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x30DC, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -630,6 +638,8 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0x31DC, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x31DC, 0x1030, iwl9560_2ac_cfg_shared_clk)},
+       {IWL_PCI_DEVICE(0x31DC, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x31DC, 0x1551, iwl9560_killer_s_2ac_cfg_shared_clk)},
++      {IWL_PCI_DEVICE(0x31DC, 0x1552, iwl9560_killer_2ac_cfg_shared_clk)},
+       {IWL_PCI_DEVICE(0x31DC, 0x2030, iwl9560_2ac_cfg_shared_clk)},
+       {IWL_PCI_DEVICE(0x31DC, 0x2034, iwl9560_2ac_cfg_shared_clk)},
+       {IWL_PCI_DEVICE(0x31DC, 0x4030, iwl9560_2ac_cfg_shared_clk)},
+@@ -656,6 +666,8 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0x34F0, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x34F0, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x34F0, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x34F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x34F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x34F0, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x34F0, 0x2034, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x34F0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -682,6 +694,8 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0x3DF0, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x3DF0, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x3DF0, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x3DF0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x3DF0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x3DF0, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x3DF0, 0x2034, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x3DF0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -708,6 +722,8 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0x43F0, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x43F0, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x43F0, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x43F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x43F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x43F0, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x43F0, 0x2034, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x43F0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -743,6 +759,8 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0x9DF0, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x9DF0, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x9DF0, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x9DF0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x9DF0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x9DF0, 0x2010, iwl9460_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x9DF0, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x9DF0, 0x2034, iwl9560_2ac_cfg_soc)},
+@@ -771,6 +789,8 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0xA0F0, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0xA0F0, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA0F0, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0xA0F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0xA0F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA0F0, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA0F0, 0x2034, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA0F0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -797,6 +817,8 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0xA370, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0xA370, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA370, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0xA370, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0xA370, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA370, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA370, 0x2034, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA370, 0x4030, iwl9560_2ac_cfg_soc)},
diff --git a/queue-4.17/kvm-x86-vmx-fix-vpid-leak.patch b/queue-4.17/kvm-x86-vmx-fix-vpid-leak.patch
new file mode 100644 (file)
index 0000000..5911d6e
--- /dev/null
@@ -0,0 +1,65 @@
+From 63aff65573d73eb8dda4732ad4ef222dd35e4862 Mon Sep 17 00:00:00 2001
+From: Roman Kagan <rkagan@virtuozzo.com>
+Date: Thu, 19 Jul 2018 21:59:07 +0300
+Subject: kvm: x86: vmx: fix vpid leak
+
+From: Roman Kagan <rkagan@virtuozzo.com>
+
+commit 63aff65573d73eb8dda4732ad4ef222dd35e4862 upstream.
+
+VPID for the nested vcpu is allocated at vmx_create_vcpu whenever nested
+vmx is turned on with the module parameter.
+
+However, it's only freed if the L1 guest has executed VMXON which is not
+a given.
+
+As a result, on a system with nested==on every creation+deletion of an
+L1 vcpu without running an L2 guest results in leaking one vpid.  Since
+the total number of vpids is limited to 64k, they can eventually get
+exhausted, preventing L2 from starting.
+
+Delay allocation of the L2 vpid until VMXON emulation, thus matching its
+freeing.
+
+Fixes: 5c614b3583e7b6dab0c86356fa36c2bcbb8322a0
+Cc: stable@vger.kernel.org
+Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7660,6 +7660,8 @@ static int enter_vmx_operation(struct kv
+                    HRTIMER_MODE_REL_PINNED);
+       vmx->nested.preemption_timer.function = vmx_preemption_timer_fn;
++      vmx->nested.vpid02 = allocate_vpid();
++
+       vmx->nested.vmxon = true;
+       return 0;
+@@ -10108,11 +10110,9 @@ static struct kvm_vcpu *vmx_create_vcpu(
+                       goto free_vmcs;
+       }
+-      if (nested) {
++      if (nested)
+               nested_vmx_setup_ctls_msrs(&vmx->nested.msrs,
+                                          kvm_vcpu_apicv_active(&vmx->vcpu));
+-              vmx->nested.vpid02 = allocate_vpid();
+-      }
+       vmx->nested.posted_intr_nv = -1;
+       vmx->nested.current_vmptr = -1ull;
+@@ -10129,7 +10129,6 @@ static struct kvm_vcpu *vmx_create_vcpu(
+       return &vmx->vcpu;
+ free_vmcs:
+-      free_vpid(vmx->nested.vpid02);
+       free_loaded_vmcs(vmx->loaded_vmcs);
+ free_msrs:
+       kfree(vmx->guest_msrs);
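Review bot: The new `vmx->nested.vpid02 = allocate_vpid();` in `enter_vmx_operation()` carries no comment on why allocation moved here, and nothing in the hunk shows where `vpid02` is now released; the commit message says it is freed on the VMXON teardown path, which is outside this hunk. A one-line comment would make the pairing visible to the next reader: `/* Allocate vpid02 here rather than in vmx_create_vcpu(): it is released with the rest of the VMXON state, so allocation and release now share a lifetime. */`. The return value is not checked; if `allocate_vpid()` reports exhaustion with an in-band value rather than an error, every consumer of `vpid02` must tolerate that value, which this hunk cannot confirm. `enter_vmx_operation` begins outside the hunk.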
diff --git a/queue-4.17/net-socket-fix-potential-spectre-v1-gadget-in-sock_is_registered.patch b/queue-4.17/net-socket-fix-potential-spectre-v1-gadget-in-sock_is_registered.patch
new file mode 100644 (file)
index 0000000..ad59297
--- /dev/null
@@ -0,0 +1,34 @@
+From e978de7a6d382ec378830ca2cf38e902df0b6d84 Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Fri, 27 Jul 2018 22:43:02 +0000
+Subject: net: socket: Fix potential spectre v1 gadget in sock_is_registered
+
+From: Jeremy Cline <jcline@redhat.com>
+
+commit e978de7a6d382ec378830ca2cf38e902df0b6d84 upstream.
+
+'family' can be a user-controlled value, so sanitize it after the bounds
+check to avoid speculative out-of-bounds access.
+
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/socket.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2694,7 +2694,8 @@ EXPORT_SYMBOL(sock_unregister);
+ bool sock_is_registered(int family)
+ {
+-      return family < NPROTO && rcu_access_pointer(net_families[family]);
++      return family < NPROTO &&
++              rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]);
+ }
+ static int __init sock_init(void)
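Review bot: The bounds check at `return family < NPROTO &&` still has no lower bound for the signed `int family` parameter, so a negative value passes the comparison and `array_index_nospec()` (which treats the index as unsigned) masks it to 0, meaning the lookup silently answers for `net_families[0]` instead of rejecting the input. If every caller already guarantees `family >= 0` this is harmless, but that is not visible here, and a self-contained check costs nothing: `return (unsigned int)family < NPROTO &&`. That also keeps the architectural and speculative paths in agreement on what counts as out of range.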
diff --git a/queue-4.17/net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch b/queue-4.17/net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch
new file mode 100644 (file)
index 0000000..2471d4d
--- /dev/null
@@ -0,0 +1,45 @@
+From c8e8cd579bb4265651df8223730105341e61a2d1 Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Fri, 27 Jul 2018 22:43:01 +0000
+Subject: net: socket: fix potential spectre v1 gadget in socketcall
+
+From: Jeremy Cline <jcline@redhat.com>
+
+commit c8e8cd579bb4265651df8223730105341e61a2d1 upstream.
+
+'call' is a user-controlled value, so sanitize the array index after the
+bounds check to avoid speculating past the bounds of the 'nargs' array.
+
+Found with the help of Smatch:
+
+net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
+'nargs' [r] (local cap)
+
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/socket.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -89,6 +89,7 @@
+ #include <linux/magic.h>
+ #include <linux/slab.h>
+ #include <linux/xattr.h>
++#include <linux/nospec.h>
+ #include <linux/uaccess.h>
+ #include <asm/unistd.h>
+@@ -2526,6 +2527,7 @@ SYSCALL_DEFINE2(socketcall, int, call, u
+       if (call < 1 || call > SYS_SENDMMSG)
+               return -EINVAL;
++      call = array_index_nospec(call, SYS_SENDMMSG + 1);
+       len = nargs[call];
+       if (len > sizeof(a))
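Review bot: The bound in `call = array_index_nospec(call, SYS_SENDMMSG + 1);` restates the size of `nargs[]` implicitly; the range check two lines above uses `SYS_SENDMMSG` and the array declaration is outside the hunk, so the three can drift apart silently when a new socketcall number is added. A comment tying them together would help: `/* nargs[] has SYS_SENDMMSG + 1 entries; keep this bound and the range check above in sync with it. */`. If `nargs` is a true array in this function, passing `ARRAY_SIZE(nargs)` as the bound would remove the duplication outright; its declaration is not visible here.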
diff --git a/queue-4.17/rdma-uverbs-expand-primary-and-alt-av-port-checks.patch b/queue-4.17/rdma-uverbs-expand-primary-and-alt-av-port-checks.patch
new file mode 100644 (file)
index 0000000..8501f99
--- /dev/null
@@ -0,0 +1,112 @@
+From addb8a6559f0f8b5a37582b7ca698358445a55bf Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Wed, 11 Jul 2018 11:23:52 +0300
+Subject: RDMA/uverbs: Expand primary and alt AV port checks
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+commit addb8a6559f0f8b5a37582b7ca698358445a55bf upstream.
+
+The commit cited below checked that the port numbers provided in the
+primary and alt AVs are legal.
+
+That is sufficient to prevent a kernel panic. However, it is not
+sufficient for correct operation.
+
+In Linux, AVs (both primary and alt) must be completely self-described.
+We do not accept an AV from userspace without an embedded port number.
+(This has been the case since kernel 3.14 commit dbf727de7440
+("IB/core: Use GID table in AH creation and dmac resolution")).
+
+For the primary AV, this embedded port number must match the port number
+specified with IB_QP_PORT.
+
+We also expect the port number embedded in the alt AV to match the
+alt_port_num value passed by the userspace driver in the modify_qp command
+base structure.
+
+Add these checks to modify_qp.
+
+Cc: <stable@vger.kernel.org> # 4.16
+Fixes: 5d4c05c3ee36 ("RDMA/uverbs: Sanitize user entered port numbers prior to access it")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/uverbs_cmd.c |   59 ++++++++++++++++++++++++++++++++---
+ 1 file changed, 54 insertions(+), 5 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -1984,15 +1984,64 @@ static int modify_qp(struct ib_uverbs_fi
+               goto release_qp;
+       }
+-      if ((cmd->base.attr_mask & IB_QP_AV) &&
+-          !rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) {
+-              ret = -EINVAL;
+-              goto release_qp;
++      if ((cmd->base.attr_mask & IB_QP_AV)) {
++              if (!rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) {
++                      ret = -EINVAL;
++                      goto release_qp;
++              }
++
++              if (cmd->base.attr_mask & IB_QP_STATE &&
++                  cmd->base.qp_state == IB_QPS_RTR) {
++              /* We are in INIT->RTR TRANSITION (if we are not,
++               * this transition will be rejected in subsequent checks).
++               * In the INIT->RTR transition, we cannot have IB_QP_PORT set,
++               * but the IB_QP_STATE flag is required.
++               *
++               * Since kernel 3.14 (commit dbf727de7440), the uverbs driver,
++               * when IB_QP_AV is set, has required inclusion of a valid
++               * port number in the primary AV. (AVs are created and handled
++               * differently for infiniband and ethernet (RoCE) ports).
++               *
++               * Check the port number included in the primary AV against
++               * the port number in the qp struct, which was set (and saved)
++               * in the RST->INIT transition.
++               */
++                      if (cmd->base.dest.port_num != qp->real_qp->port) {
++                              ret = -EINVAL;
++                              goto release_qp;
++                      }
++              } else {
++              /* We are in SQD->SQD. (If we are not, this transition will
++               * be rejected later in the verbs layer checks).
++               * Check for both IB_QP_PORT and IB_QP_AV, these can be set
++               * together in the SQD->SQD transition.
++               *
++               * If only IP_QP_AV was set, add in IB_QP_PORT as well (the
++               * verbs layer driver does not track primary port changes
++               * resulting from path migration. Thus, in SQD, if the primary
++               * AV is modified, the primary port should also be modified).
++               *
++               * Note that in this transition, the IB_QP_STATE flag
++               * is not allowed.
++               */
++                      if (((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT))
++                           == (IB_QP_AV | IB_QP_PORT)) &&
++                          cmd->base.port_num != cmd->base.dest.port_num) {
++                              ret = -EINVAL;
++                              goto release_qp;
++                      }
++                      if ((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT))
++                          == IB_QP_AV) {
++                              cmd->base.attr_mask |= IB_QP_PORT;
++                              cmd->base.port_num = cmd->base.dest.port_num;
++                      }
++              }
+       }
+       if ((cmd->base.attr_mask & IB_QP_ALT_PATH) &&
+           (!rdma_is_port_valid(qp->device, cmd->base.alt_port_num) ||
+-          !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num))) {
++          !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num) ||
++          cmd->base.alt_port_num != cmd->base.alt_dest.port_num)) {
+               ret = -EINVAL;
+               goto release_qp;
+       }
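Review bot: The comment line `If only IP_QP_AV was set, add in IB_QP_PORT as well` misspells the flag; it should read `IB_QP_AV`, the name used on the lines below it. The two block comments in the new branches are indented one level shallower than the statements they describe, and `if ((cmd->base.attr_mask & IB_QP_AV)) {` keeps a redundant pair of parentheses from the removed condition; aligning the comments with their `if` statements and writing `if (cmd->base.attr_mask & IB_QP_AV) {` would match the surrounding style. The test `cmd->base.attr_mask & IB_QP_STATE && cmd->base.qp_state == IB_QPS_RTR` is correct by precedence but reads more easily as `(cmd->base.attr_mask & IB_QP_STATE) && cmd->base.qp_state == IB_QPS_RTR`. `modify_qp` starts outside the hunk.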
diff --git a/queue-4.17/scsi-sg-fix-minor-memory-leak-in-error-path.patch b/queue-4.17/scsi-sg-fix-minor-memory-leak-in-error-path.patch
new file mode 100644 (file)
index 0000000..4e17d36
--- /dev/null
@@ -0,0 +1,33 @@
+From c170e5a8d222537e98aa8d4fddb667ff7a2ee114 Mon Sep 17 00:00:00 2001
+From: Tony Battersby <tonyb@cybernetics.com>
+Date: Thu, 12 Jul 2018 16:30:45 -0400
+Subject: scsi: sg: fix minor memory leak in error path
+
+From: Tony Battersby <tonyb@cybernetics.com>
+
+commit c170e5a8d222537e98aa8d4fddb667ff7a2ee114 upstream.
+
+Fix a minor memory leak when there is an error opening a /dev/sg device.
+
+Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sg.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2186,6 +2186,7 @@ sg_add_sfp(Sg_device * sdp)
+       write_lock_irqsave(&sdp->sfd_lock, iflags);
+       if (atomic_read(&sdp->detaching)) {
+               write_unlock_irqrestore(&sdp->sfd_lock, iflags);
++              kfree(sfp);
+               return ERR_PTR(-ENODEV);
+       }
+       list_add_tail(&sfp->sfd_siblings, &sdp->sfds);
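Review bot: The added `kfree(sfp);` is correct only because `sfp` has not yet been linked into `sdp->sfds` (that happens at the `list_add_tail` on the next line) and nothing else holds a reference to it; stating that reasoning would stop a later reorder from turning the free into a use-after-free: `/* sfp is not yet on sdp->sfds and has no other users, so plain kfree() is enough here */`. Whether `sfp` owns anything beyond its own allocation at this point is not visible, since the earlier part of `sg_add_sfp` is outside the hunk; if it does, a dedicated teardown helper rather than `kfree()` alone would be needed.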
index 5538d37d9241872272972500ec1a8a6a9e778d9d..5a7e106a3f89a97bbf23b03232d21ea01d8bdb66 100644 (file)
@@ -8,3 +8,24 @@ rxrpc-fix-user-call-id-check-in-rxrpc_service_prealloc_one.patch
 net-mlx5e-e-switch-initialize-eswitch-only-if-eswitch-manager.patch
 net-mlx5e-set-port-trust-mode-to-pcp-as-default.patch
 net-mlx5e-ipoib-set-the-netdevice-sw-mtu-in-ipoib-enhanced-flow.patch
+squashfs-more-metadata-hardening.patch
+squashfs-more-metadata-hardenings.patch
+can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch
+net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch
+net-socket-fix-potential-spectre-v1-gadget-in-sock_is_registered.patch
+virtio_balloon-fix-another-race-between-migration-and-ballooning.patch
+x86-efi-access-efi-mmio-data-as-unencrypted-when-sev-is-active.patch
+x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch
+x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch
+kvm-x86-vmx-fix-vpid-leak.patch
+audit-fix-potential-null-dereference-context-module.name.patch
+ipc-shm.c-add-pagesize-function-to-shm_vm_ops.patch
+userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch
+iwlwifi-add-more-card-ids-for-9000-series.patch
+brcmfmac-fix-regression-in-parsing-nvram-for-multiple-devices.patch
+rdma-uverbs-expand-primary-and-alt-av-port-checks.patch
+crypto-padlock-aes-fix-nano-workaround-data-corruption.patch
+drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch
+drm-atomic-check-old_plane_state-crtc-in-drm_atomic_helper_async_check.patch
+drm-atomic-initialize-variables-in-drm_atomic_helper_async_check-to-make-gcc-happy.patch
+scsi-sg-fix-minor-memory-leak-in-error-path.patch
diff --git a/queue-4.17/squashfs-more-metadata-hardening.patch b/queue-4.17/squashfs-more-metadata-hardening.patch
new file mode 100644 (file)
index 0000000..f06d7a4
--- /dev/null
@@ -0,0 +1,37 @@
+From d512584780d3e6a7cacb2f482834849453d444a1 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 30 Jul 2018 14:27:15 -0700
+Subject: squashfs: more metadata hardening
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d512584780d3e6a7cacb2f482834849453d444a1 upstream.
+
+Anatoly reports another squashfs fuzzing issue, where the decompression
+parameters themselves are in a compressed block.
+
+This causes squashfs_read_data() to be called in order to read the
+decompression options before the decompression stream having been set
+up, making squashfs go sideways.
+
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Acked-by: Phillip Lougher <phillip.lougher@gmail.com>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/squashfs/block.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/squashfs/block.c
++++ b/fs/squashfs/block.c
+@@ -167,6 +167,8 @@ int squashfs_read_data(struct super_bloc
+       }
+       if (compressed) {
++              if (!msblk->stream)
++                      goto read_failure;
+               length = squashfs_decompress(msblk, bh, b, offset, length,
+                       output);
+               if (length < 0)
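Review bot: The new `if (!msblk->stream) goto read_failure;` is the whole fix but gives no hint of how `stream` can be NULL at this point; the commit message explains it (the decompressor options are read through `squashfs_read_data()` before the stream is set up, and a crafted image can mark that block as compressed). A comment on the new line would keep the reasoning with the code: `/* The decompressor options block is read before msblk->stream exists; an image that marks it compressed cannot be decompressed yet, so fail the read rather than pass a NULL stream to squashfs_decompress(). */`. Folding this into the generic `read_failure` path is reasonable for untrusted images, since the caller already has to handle a failed read. `squashfs_read_data` begins outside the hunk.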
diff --git a/queue-4.17/squashfs-more-metadata-hardenings.patch b/queue-4.17/squashfs-more-metadata-hardenings.patch
new file mode 100644 (file)
index 0000000..6d9ff9d
--- /dev/null
@@ -0,0 +1,93 @@
+From 71755ee5350b63fb1f283de8561cdb61b47f4d1d Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 2 Aug 2018 08:43:35 -0700
+Subject: squashfs: more metadata hardening
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 71755ee5350b63fb1f283de8561cdb61b47f4d1d upstream.
+
+The squashfs fragment reading code doesn't actually verify that the
+fragment is inside the fragment table.  The end result _is_ verified to
+be inside the image when actually reading the fragment data, but before
+that is done, we may end up taking a page fault because the fragment
+table itself might not even exist.
+
+Another report from Anatoly and his endless squashfs image fuzzing.
+
+Reported-by: Анатолий Тросиненко <anatoly.trosinenko@gmail.com>
+Acked-by:: Phillip Lougher <phillip.lougher@gmail.com>,
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/squashfs/fragment.c       |   13 +++++++++----
+ fs/squashfs/squashfs_fs_sb.h |    1 +
+ fs/squashfs/super.c          |    5 +++--
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/fs/squashfs/fragment.c
++++ b/fs/squashfs/fragment.c
+@@ -49,11 +49,16 @@ int squashfs_frag_lookup(struct super_bl
+                               u64 *fragment_block)
+ {
+       struct squashfs_sb_info *msblk = sb->s_fs_info;
+-      int block = SQUASHFS_FRAGMENT_INDEX(fragment);
+-      int offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
+-      u64 start_block = le64_to_cpu(msblk->fragment_index[block]);
++      int block, offset, size;
+       struct squashfs_fragment_entry fragment_entry;
+-      int size;
++      u64 start_block;
++
++      if (fragment >= msblk->fragments)
++              return -EIO;
++      block = SQUASHFS_FRAGMENT_INDEX(fragment);
++      offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
++
++      start_block = le64_to_cpu(msblk->fragment_index[block]);
+       size = squashfs_read_metadata(sb, &fragment_entry, &start_block,
+                                       &offset, sizeof(fragment_entry));
+--- a/fs/squashfs/squashfs_fs_sb.h
++++ b/fs/squashfs/squashfs_fs_sb.h
+@@ -75,6 +75,7 @@ struct squashfs_sb_info {
+       unsigned short                          block_log;
+       long long                               bytes_used;
+       unsigned int                            inodes;
++      unsigned int                            fragments;
+       int                                     xattr_ids;
+ };
+ #endif
+--- a/fs/squashfs/super.c
++++ b/fs/squashfs/super.c
+@@ -175,6 +175,7 @@ static int squashfs_fill_super(struct su
+       msblk->inode_table = le64_to_cpu(sblk->inode_table_start);
+       msblk->directory_table = le64_to_cpu(sblk->directory_table_start);
+       msblk->inodes = le32_to_cpu(sblk->inodes);
++      msblk->fragments = le32_to_cpu(sblk->fragments);
+       flags = le16_to_cpu(sblk->flags);
+       TRACE("Found valid superblock on %pg\n", sb->s_bdev);
+@@ -185,7 +186,7 @@ static int squashfs_fill_super(struct su
+       TRACE("Filesystem size %lld bytes\n", msblk->bytes_used);
+       TRACE("Block size %d\n", msblk->block_size);
+       TRACE("Number of inodes %d\n", msblk->inodes);
+-      TRACE("Number of fragments %d\n", le32_to_cpu(sblk->fragments));
++      TRACE("Number of fragments %d\n", msblk->fragments);
+       TRACE("Number of ids %d\n", le16_to_cpu(sblk->no_ids));
+       TRACE("sblk->inode_table_start %llx\n", msblk->inode_table);
+       TRACE("sblk->directory_table_start %llx\n", msblk->directory_table);
+@@ -272,7 +273,7 @@ allocate_id_index_table:
+       sb->s_export_op = &squashfs_export_ops;
+ handle_fragments:
+-      fragments = le32_to_cpu(sblk->fragments);
++      fragments = msblk->fragments;
+       if (fragments == 0)
+               goto check_directory_table;
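Review bot: The new range check `if (fragment >= msblk->fragments) return -EIO;` is only effective if `fragment` has an unsigned type; its declaration is in the parameter list outside the hunk, and a signed `int` would let a negative value through to `SQUASHFS_FRAGMENT_INDEX(fragment)` — worth confirming. The check is sound because `msblk->fragments` is now the same value `squashfs_fill_super()` uses to decide how the fragment index is built (`fragments = msblk->fragments;` in the third hunk), so a comment making that coupling explicit would help: `/* msblk->fragments is what squashfs_fill_super() built fragment_index from; anything at or beyond it would read past the table (or, presumably, a table that was never read when the count is 0). */`. Since `msblk->fragments` comes straight from the superblock it remains untrusted; the bound only guarantees consistency with the index actually set up, not that the index contents are sane, which the later reads presumably still verify.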
diff --git a/queue-4.17/userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch b/queue-4.17/userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch
new file mode 100644 (file)
index 0000000..d9f0cb1
--- /dev/null
@@ -0,0 +1,50 @@
+From 31e810aa1033a7db50a2746cd34a2432237f6420 Mon Sep 17 00:00:00 2001
+From: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Date: Thu, 2 Aug 2018 15:36:09 -0700
+Subject: userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails
+
+From: Mike Rapoport <rppt@linux.vnet.ibm.com>
+
+commit 31e810aa1033a7db50a2746cd34a2432237f6420 upstream.
+
+The fix in commit 0cbb4b4f4c44 ("userfaultfd: clear the
+vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails") cleared the
+vma->vm_userfaultfd_ctx but kept userfaultfd flags in vma->vm_flags
+that were copied from the parent process VMA.
+
+As the result, there is an inconsistency between the values of
+vma->vm_userfaultfd_ctx.ctx and vma->vm_flags which triggers BUG_ON
+in userfaultfd_release().
+
+Clearing the uffd flags from vma->vm_flags in case of UFFD_EVENT_FORK
+failure resolves the issue.
+
+Link: http://lkml.kernel.org/r/1532931975-25473-1-git-send-email-rppt@linux.vnet.ibm.com
+Fixes: 0cbb4b4f4c44 ("userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails")
+Signed-off-by: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Reported-by: syzbot+121be635a7a35ddb7dcb@syzkaller.appspotmail.com
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Eric Biggers <ebiggers3@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/userfaultfd.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -631,8 +631,10 @@ static void userfaultfd_event_wait_compl
+               /* the various vma->vm_userfaultfd_ctx still points to it */
+               down_write(&mm->mmap_sem);
+               for (vma = mm->mmap; vma; vma = vma->vm_next)
+-                      if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx)
++                      if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) {
+                               vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
++                              vma->vm_flags &= ~(VM_UFFD_WP | VM_UFFD_MISSING);
++                      }
+               up_write(&mm->mmap_sem);
+               userfaultfd_ctx_put(release_new_ctx);
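Review bot: The added `vma->vm_flags &= ~(VM_UFFD_WP | VM_UFFD_MISSING);` hard-codes the set of userfaultfd VMA flags at a second site; `userfaultfd_release()`, which the commit message says hits a BUG_ON when ctx and flags disagree, has to clear the same bits, so a shared mask would keep the two from drifting when a flag is added. Until then, a comment tying them together would help: `/* must mirror the flag clearing in userfaultfd_release(): the ctx and the VM_UFFD_* bits are expected to agree */`. The write to `vm_flags` happens under the `down_write(&mm->mmap_sem)` visible just above, which is the expected protection for it. The enclosing function begins outside the hunk.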
diff --git a/queue-4.17/virtio_balloon-fix-another-race-between-migration-and-ballooning.patch b/queue-4.17/virtio_balloon-fix-another-race-between-migration-and-ballooning.patch
new file mode 100644 (file)
index 0000000..11bf714
--- /dev/null
@@ -0,0 +1,64 @@
+From 89da619bc18d79bca5304724c11d4ba3b67ce2c6 Mon Sep 17 00:00:00 2001
+From: Jiang Biao <jiang.biao2@zte.com.cn>
+Date: Wed, 18 Jul 2018 10:29:28 +0800
+Subject: virtio_balloon: fix another race between migration and ballooning
+
+From: Jiang Biao <jiang.biao2@zte.com.cn>
+
+commit 89da619bc18d79bca5304724c11d4ba3b67ce2c6 upstream.
+
+Kernel panic when with high memory pressure, calltrace looks like,
+
+PID: 21439 TASK: ffff881be3afedd0 CPU: 16 COMMAND: "java"
+ #0 [ffff881ec7ed7630] machine_kexec at ffffffff81059beb
+ #1 [ffff881ec7ed7690] __crash_kexec at ffffffff81105942
+ #2 [ffff881ec7ed7760] crash_kexec at ffffffff81105a30
+ #3 [ffff881ec7ed7778] oops_end at ffffffff816902c8
+ #4 [ffff881ec7ed77a0] no_context at ffffffff8167ff46
+ #5 [ffff881ec7ed77f0] __bad_area_nosemaphore at ffffffff8167ffdc
+ #6 [ffff881ec7ed7838] __node_set at ffffffff81680300
+ #7 [ffff881ec7ed7860] __do_page_fault at ffffffff8169320f
+ #8 [ffff881ec7ed78c0] do_page_fault at ffffffff816932b5
+ #9 [ffff881ec7ed78f0] page_fault at ffffffff8168f4c8
+    [exception RIP: _raw_spin_lock_irqsave+47]
+    RIP: ffffffff8168edef RSP: ffff881ec7ed79a8 RFLAGS: 00010046
+    RAX: 0000000000000246 RBX: ffffea0019740d00 RCX: ffff881ec7ed7fd8
+    RDX: 0000000000020000 RSI: 0000000000000016 RDI: 0000000000000008
+    RBP: ffff881ec7ed79a8 R8: 0000000000000246 R9: 000000000001a098
+    R10: ffff88107ffda000 R11: 0000000000000000 R12: 0000000000000000
+    R13: 0000000000000008 R14: ffff881ec7ed7a80 R15: ffff881be3afedd0
+    ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+
+It happens in the pagefault and results in double pagefault
+during compacting pages when memory allocation fails.
+
+Analysed the vmcore, the page leads to second pagefault is corrupted
+with _mapcount=-256, but private=0.
+
+It's caused by the race between migration and ballooning, and lock
+missing in virtballoon_migratepage() of virtio_balloon driver.
+This patch fix the bug.
+
+Fixes: e22504296d4f64f ("virtio_balloon: introduce migration primitives to balloon pages")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiang Biao <jiang.biao2@zte.com.cn>
+Signed-off-by: Huang Chong <huang.chong@zte.com.cn>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio_balloon.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -513,7 +513,9 @@ static int virtballoon_migratepage(struc
+       tell_host(vb, vb->inflate_vq);
+       /* balloon's page migration 2nd step -- deflate "page" */
++      spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
+       balloon_page_delete(page);
++      spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
+       vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
+       set_page_pfns(vb, vb->pfns, page);
+       tell_host(vb, vb->deflate_vq);
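Review bot: The new `spin_lock_irqsave(&vb_dev_info->pages_lock, flags);` relies on a `flags` variable declared earlier in `virtballoon_migratepage()`, outside the hunk; presumably the inflate step above already uses it, but that is not visible here. The lock now brackets only `balloon_page_delete(page)`, and nothing in the hunk says what it protects; a comment would help the next reader keep the critical section both minimal and correct: `/* pages_lock serialises this unlink against the ballooning paths that walk the balloon page list (see the race described in the commit message). */`. Keeping the `tell_host()` calls outside the locked region is what the hunk does and is the conservative choice if `tell_host()` can wait on the host; the hunk does not show whether it can.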
diff --git a/queue-4.17/x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch b/queue-4.17/x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch
new file mode 100644 (file)
index 0000000..c5b15b9
--- /dev/null
@@ -0,0 +1,41 @@
+From d9e6dbcf28f383bf08e6a3180972f5722e514a54 Mon Sep 17 00:00:00 2001
+From: Len Brown <len.brown@intel.com>
+Date: Sat, 21 Jul 2018 17:19:19 -0400
+Subject: x86/apic: Future-proof the TSC_DEADLINE quirk for SKX
+
+From: Len Brown <len.brown@intel.com>
+
+commit d9e6dbcf28f383bf08e6a3180972f5722e514a54 upstream.
+
+All SKX with stepping higher than 4 support the TSC_DEADLINE,
+no matter the microcode version.
+
+Without this patch, upcoming SKX steppings will not be able to use
+their TSC_DEADLINE timer.
+
+Signed-off-by: Len Brown <len.brown@intel.com>
+Cc: <stable@kernel.org> # v4.14+
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 616dd5872e ("x86/apic: Update TSC_DEADLINE quirk with additional SKX stepping")
+Link: http://lkml.kernel.org/r/d0c7129e509660be9ec6b233284b8d42d90659e8.1532207856.git.len.brown@intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/apic.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -573,6 +573,9 @@ static u32 skx_deadline_rev(void)
+       case 0x04: return 0x02000014;
+       }
++      if (boot_cpu_data.x86_stepping > 4)
++              return 0;
++
+       return ~0U;
+ }
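Review bot: The new `if (boot_cpu_data.x86_stepping > 4) return 0;` returns a bare `0` where the neighbouring `case` arm returns a microcode revision and the fallback returns `~0U`; the three values carry three different meanings and none is documented in the hunk. A comment on the new lines would keep the next stepping addition from misreading it: `/* Steppings newer than 4 support TSC_DEADLINE regardless of microcode; 0 presumably means "no minimum revision required". */` (drawn from the commit message). `skx_deadline_rev` starts outside the hunk, so the earlier `case` arms are not visible.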
diff --git a/queue-4.17/x86-efi-access-efi-mmio-data-as-unencrypted-when-sev-is-active.patch b/queue-4.17/x86-efi-access-efi-mmio-data-as-unencrypted-when-sev-is-active.patch
new file mode 100644 (file)
index 0000000..e42a7c1
--- /dev/null
@@ -0,0 +1,50 @@
+From 9b788f32bee6b0b293a4bdfca4ad4bb0206407fb Mon Sep 17 00:00:00 2001
+From: Brijesh Singh <brijesh.singh@amd.com>
+Date: Fri, 20 Jul 2018 10:28:46 +0900
+Subject: x86/efi: Access EFI MMIO data as unencrypted when SEV is active
+
+From: Brijesh Singh <brijesh.singh@amd.com>
+
+commit 9b788f32bee6b0b293a4bdfca4ad4bb0206407fb upstream.
+
+SEV guest fails to update the UEFI runtime variables stored in the
+flash.
+
+The following commit:
+
+  1379edd59673 ("x86/efi: Access EFI data as encrypted when SEV is active")
+
+unconditionally maps all the UEFI runtime data as 'encrypted' (C=1).
+
+When SEV is active the UEFI runtime data marked as EFI_MEMORY_MAPPED_IO
+should be mapped as 'unencrypted' so that both guest and hypervisor can
+access the data.
+
+Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: <stable@vger.kernel.org> # 4.15.x
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Fixes: 1379edd59673 ("x86/efi: Access EFI data as encrypted ...")
+Link: http://lkml.kernel.org/r/20180720012846.23560-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/platform/efi/efi_64.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/platform/efi/efi_64.c
++++ b/arch/x86/platform/efi/efi_64.c
+@@ -417,7 +417,7 @@ static void __init __map_region(efi_memo
+       if (!(md->attribute & EFI_MEMORY_WB))
+               flags |= _PAGE_PCD;
+-      if (sev_active())
++      if (sev_active() && md->type != EFI_MEMORY_MAPPED_IO)
+               flags |= _PAGE_ENC;
+       pfn = md->phys_addr >> PAGE_SHIFT;
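Review bot: The new condition `sev_active() && md->type != EFI_MEMORY_MAPPED_IO` carries no comment, and the reason MMIO must stay unencrypted is not obvious from the code alone; I would add `/* Under SEV, MMIO regions must stay unencrypted so both guest and hypervisor can access them. */` above the `if`, taking the wording from the commit message. It is also worth confirming whether `EFI_MEMORY_MAPPED_IO_PORT_SPACE` descriptors, if any are ever passed here, need the same treatment, since only `EFI_MEMORY_MAPPED_IO` is excluded. The enclosing `__map_region()` starts before this hunk and continues after it, so the surrounding flag setup and the final mapping call are not visible here.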
diff --git a/queue-4.17/x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch b/queue-4.17/x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch
new file mode 100644 (file)
index 0000000..176dc4d
--- /dev/null
@@ -0,0 +1,134 @@
+From b3681dd548d06deb2e1573890829dff4b15abf46 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Sun, 22 Jul 2018 11:05:09 -0700
+Subject: x86/entry/64: Remove %ebx handling from error_entry/exit
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit b3681dd548d06deb2e1573890829dff4b15abf46 upstream.
+
+error_entry and error_exit communicate the user vs. kernel status of
+the frame using %ebx.  This is unnecessary -- the information is in
+regs->cs.  Just use regs->cs.
+
+This makes error_entry simpler and makes error_exit more robust.
+
+It also fixes a nasty bug.  Before all the Spectre nonsense, the
+xen_failsafe_callback entry point returned like this:
+
+        ALLOC_PT_GPREGS_ON_STACK
+        SAVE_C_REGS
+        SAVE_EXTRA_REGS
+        ENCODE_FRAME_POINTER
+        jmp     error_exit
+
+And it did not go through error_entry.  This was bogus: RBX
+contained garbage, and error_exit expected a flag in RBX.
+
+Fortunately, it generally contained *nonzero* garbage, so the
+correct code path was used.  As part of the Spectre fixes, code was
+added to clear RBX to mitigate certain speculation attacks.  Now,
+depending on kernel configuration, RBX got zeroed and, when running
+some Wine workloads, the kernel crashes.  This was introduced by:
+
+    commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+
+With this patch applied, RBX is no longer needed as a flag, and the
+problem goes away.
+
+I suspect that malicious userspace could use this bug to crash the
+kernel even without the offending patch applied, though.
+
+[ Historical note: I wrote this patch as a cleanup before I was aware
+  of the bug it fixed. ]
+
+[ Note to stable maintainers: this should probably get applied to all
+  kernels.  If you're nervous about that, a more conservative fix to
+  add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
+  also fix the problem. ]
+
+Reported-and-tested-by: M. Vefa Bicakci <m.v.b@runbox.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Cc: xen-devel@lists.xenproject.org
+Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+Link: http://lkml.kernel.org/r/b5010a090d3586b2d6e06c7ad3ec5542d1241c45.1532282627.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/entry/entry_64.S |   18 ++++--------------
+ 1 file changed, 4 insertions(+), 14 deletions(-)
+
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -981,7 +981,7 @@ ENTRY(\sym)
+       call    \do_sym
+-      jmp     error_exit                      /* %ebx: no swapgs flag */
++      jmp     error_exit
+       .endif
+ END(\sym)
+ .endm
+@@ -1222,7 +1222,6 @@ END(paranoid_exit)
+ /*
+  * Save all registers in pt_regs, and switch GS if needed.
+- * Return: EBX=0: came from user mode; EBX=1: otherwise
+  */
+ ENTRY(error_entry)
+       UNWIND_HINT_FUNC
+@@ -1269,7 +1268,6 @@ ENTRY(error_entry)
+        * for these here too.
+        */
+ .Lerror_kernelspace:
+-      incl    %ebx
+       leaq    native_irq_return_iret(%rip), %rcx
+       cmpq    %rcx, RIP+8(%rsp)
+       je      .Lerror_bad_iret
+@@ -1303,28 +1301,20 @@ ENTRY(error_entry)
+       /*
+        * Pretend that the exception came from user mode: set up pt_regs
+-       * as if we faulted immediately after IRET and clear EBX so that
+-       * error_exit knows that we will be returning to user mode.
++       * as if we faulted immediately after IRET.
+        */
+       mov     %rsp, %rdi
+       call    fixup_bad_iret
+       mov     %rax, %rsp
+-      decl    %ebx
+       jmp     .Lerror_entry_from_usermode_after_swapgs
+ END(error_entry)
+-
+-/*
+- * On entry, EBX is a "return to kernel mode" flag:
+- *   1: already in kernel mode, don't need SWAPGS
+- *   0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
+- */
+ ENTRY(error_exit)
+       UNWIND_HINT_REGS
+       DISABLE_INTERRUPTS(CLBR_ANY)
+       TRACE_IRQS_OFF
+-      testl   %ebx, %ebx
+-      jnz     retint_kernel
++      testb   $3, CS(%rsp)
++      jz      retint_kernel
+       jmp     retint_user
+ END(error_exit)