--- /dev/null
+From da1b9564e85b1d7baf66cbfabcab27e183a1db63 Mon Sep 17 00:00:00 2001
+From: Minchan Kim <minchan@kernel.org>
+Date: Thu, 23 Aug 2018 14:29:56 +0900
+Subject: android: binder: fix the race mmap and alloc_new_buf_locked
+
+From: Minchan Kim <minchan@kernel.org>
+
+commit da1b9564e85b1d7baf66cbfabcab27e183a1db63 upstream.
+
+There is RaceFuzzer report like below because we have no lock to close
+below the race between binder_mmap and binder_alloc_new_buf_locked.
+To close the race, let's use memory barrier so that if someone see
+alloc->vma is not NULL, alloc->vma_vm_mm should be never NULL.
+
+(I didn't add stable mark intentionally because standard android
+userspace libraries that interact with binder (libbinder & libhwbinder)
+prevent the mmap/ioctl race. - from Todd)
+
+"
+Thread interleaving:
+CPU0 (binder_alloc_mmap_handler) CPU1 (binder_alloc_new_buf_locked)
+===== =====
+// drivers/android/binder_alloc.c
+// #L718 (v4.18-rc3)
+alloc->vma = vma;
+ // drivers/android/binder_alloc.c
+ // #L346 (v4.18-rc3)
+ if (alloc->vma == NULL) {
+ ...
+ // alloc->vma is not NULL at this point
+ return ERR_PTR(-ESRCH);
+ }
+ ...
+ // #L438
+ binder_update_page_range(alloc, 0,
+ (void *)PAGE_ALIGN((uintptr_t)buffer->data),
+ end_page_addr);
+
+ // In binder_update_page_range() #L218
+ // But still alloc->vma_vm_mm is NULL here
+ if (need_mm && mmget_not_zero(alloc->vma_vm_mm))
+alloc->vma_vm_mm = vma->vm_mm;
+
+Crash Log:
+==================================================================
+BUG: KASAN: null-ptr-deref in __atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline]
+BUG: KASAN: null-ptr-deref in atomic_add_unless include/linux/atomic.h:533 [inline]
+BUG: KASAN: null-ptr-deref in mmget_not_zero include/linux/sched/mm.h:75 [inline]
+BUG: KASAN: null-ptr-deref in binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218
+Write of size 4 at addr 0000000000000058 by task syz-executor0/11184
+
+CPU: 1 PID: 11184 Comm: syz-executor0 Not tainted 4.18.0-rc3 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x16e/0x22c lib/dump_stack.c:113
+ kasan_report_error mm/kasan/report.c:352 [inline]
+ kasan_report+0x163/0x380 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x140/0x1a0 mm/kasan/kasan.c:267
+ kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
+ __atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline]
+ atomic_add_unless include/linux/atomic.h:533 [inline]
+ mmget_not_zero include/linux/sched/mm.h:75 [inline]
+ binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218
+ binder_alloc_new_buf_locked drivers/android/binder_alloc.c:443 [inline]
+ binder_alloc_new_buf+0x467/0xc30 drivers/android/binder_alloc.c:513
+ binder_transaction+0x125b/0x4fb0 drivers/android/binder.c:2957
+ binder_thread_write+0xc08/0x2770 drivers/android/binder.c:3528
+ binder_ioctl_write_read.isra.39+0x24f/0x8e0 drivers/android/binder.c:4456
+ binder_ioctl+0xa86/0xf34 drivers/android/binder.c:4596
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ do_vfs_ioctl+0x154/0xd40 fs/ioctl.c:686
+ ksys_ioctl+0x94/0xb0 fs/ioctl.c:701
+ __do_sys_ioctl fs/ioctl.c:708 [inline]
+ __se_sys_ioctl fs/ioctl.c:706 [inline]
+ __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:706
+ do_syscall_64+0x167/0x4b0 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+"
+
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Signed-off-by: Minchan Kim <minchan@kernel.org>
+Reviewed-by: Martijn Coenen <maco@android.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder_alloc.c | 42 +++++++++++++++++++++++++++++++++--------
+ 1 file changed, 34 insertions(+), 8 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -324,6 +324,34 @@ err_no_vma:
+ return vma ? -ENOMEM : -ESRCH;
+ }
+
++static inline void binder_alloc_set_vma(struct binder_alloc *alloc,
++ struct vm_area_struct *vma)
++{
++ if (vma)
++ alloc->vma_vm_mm = vma->vm_mm;
++ /*
++ * If we see alloc->vma is not NULL, buffer data structures set up
++ * completely. Look at smp_rmb side binder_alloc_get_vma.
++ * We also want to guarantee new alloc->vma_vm_mm is always visible
++ * if alloc->vma is set.
++ */
++ smp_wmb();
++ alloc->vma = vma;
++}
++
++static inline struct vm_area_struct *binder_alloc_get_vma(
++ struct binder_alloc *alloc)
++{
++ struct vm_area_struct *vma = NULL;
++
++ if (alloc->vma) {
++ /* Look at description in binder_alloc_set_vma */
++ smp_rmb();
++ vma = alloc->vma;
++ }
++ return vma;
++}
++
+ struct binder_buffer *binder_alloc_new_buf_locked(struct binder_alloc *alloc,
+ size_t data_size,
+ size_t offsets_size,
+@@ -339,7 +367,7 @@ struct binder_buffer *binder_alloc_new_b
+ size_t size, data_offsets_size;
+ int ret;
+
+- if (alloc->vma == NULL) {
++ if (!binder_alloc_get_vma(alloc)) {
+ pr_err("%d: binder_alloc_buf, no vma\n",
+ alloc->pid);
+ return ERR_PTR(-ESRCH);
+@@ -712,9 +740,7 @@ int binder_alloc_mmap_handler(struct bin
+ buffer->free = 1;
+ binder_insert_free_buffer(alloc, buffer);
+ alloc->free_async_space = alloc->buffer_size / 2;
+- barrier();
+- alloc->vma = vma;
+- alloc->vma_vm_mm = vma->vm_mm;
++ binder_alloc_set_vma(alloc, vma);
+ mmgrab(alloc->vma_vm_mm);
+
+ return 0;
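Review bot: `mmgrab(alloc->vma_vm_mm)` runs after binder_alloc_set_vma has already published alloc->vma, so for a moment another CPU can observe vma != NULL before this function holds its mm reference. That is presumably benign because the caller is executing mmap on that same mm, but taking the reference first, `mmgrab(vma->vm_mm);` ahead of `binder_alloc_set_vma(alloc, vma);`, makes the "vma set implies mm grabbed" invariant hold unconditionally rather than by accident of the caller. binder_alloc_mmap_handler starts outside the hunk.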
+@@ -741,10 +767,10 @@ void binder_alloc_deferred_release(struc
+ int buffers, page_count;
+ struct binder_buffer *buffer;
+
+- BUG_ON(alloc->vma);
+-
+ buffers = 0;
+ mutex_lock(&alloc->mutex);
++ BUG_ON(alloc->vma);
++
+ while ((n = rb_first(&alloc->allocated_buffers))) {
+ buffer = rb_entry(n, struct binder_buffer, rb_node);
+
+@@ -886,7 +912,7 @@ int binder_alloc_get_allocated_count(str
+ */
+ void binder_alloc_vma_close(struct binder_alloc *alloc)
+ {
+- WRITE_ONCE(alloc->vma, NULL);
++ binder_alloc_set_vma(alloc, NULL);
+ }
+
+ /**
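Review bot: this drops the WRITE_ONCE() that used to mark the NULL store as a lockless write, and binder_alloc_set_vma replaces it with a plain `alloc->vma = vma` behind smp_wmb(); readers in binder_alloc_get_vma and binder_alloc_free_page observe that store concurrently, so it should stay annotated, e.g. `WRITE_ONCE(alloc->vma, vma);` inside the helper. It is also worth a one-line comment here that alloc->vma_vm_mm deliberately stays set after close (presumably until the mm reference is dropped at release), since passing NULL to binder_alloc_set_vma leaves it untouched and the shrinker still reads it.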
+@@ -921,7 +947,7 @@ enum lru_status binder_alloc_free_page(s
+
+ index = page - alloc->pages;
+ page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE;
+- vma = alloc->vma;
++ vma = binder_alloc_get_vma(alloc);
+ if (vma) {
+ if (!mmget_not_zero(alloc->vma_vm_mm))
+ goto err_mmget;
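Review bot: the vma pointer returned by binder_alloc_get_vma on this line is not protected by any lock, so if binder_alloc_vma_close runs right after it the VMA can be torn down while this shrinker callback still holds a pointer to it. The mmget_not_zero() on the following line keeps the mm alive, not the vma. binder_alloc_free_page continues outside the hunk, so I cannot see whether mmap_sem is taken and the vma re-validated before it is dereferenced; if it is not, re-looking the vma up by address under mmap_sem instead of caching the pointer would close that window.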
--- /dev/null
+From d5274b3cd6a814ccb2f56d81ee87cbbf51bd4cf7 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Thu, 6 Sep 2018 11:05:44 +0300
+Subject: block: bfq: swap puts in bfqg_and_blkg_put
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+commit d5274b3cd6a814ccb2f56d81ee87cbbf51bd4cf7 upstream.
+
+Fix trivial use-after-free. This could be last reference to bfqg.
+
+Fixes: 8f9bebc33dd7 ("block, bfq: access and cache blkg data only when safe")
+Acked-by: Paolo Valente <paolo.valente@linaro.org>
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/bfq-cgroup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/block/bfq-cgroup.c
++++ b/block/bfq-cgroup.c
+@@ -224,9 +224,9 @@ static void bfqg_and_blkg_get(struct bfq
+
+ void bfqg_and_blkg_put(struct bfq_group *bfqg)
+ {
+- bfqg_put(bfqg);
+-
+ blkg_put(bfqg_to_blkg(bfqg));
++
++ bfqg_put(bfqg);
+ }
+
+ void bfqg_stats_update_io_add(struct bfq_group *bfqg, struct bfq_queue *bfqq,
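Review bot: the ordering is the entire fix here and nothing in the code records why, so the next tidy-up can swap the two calls back. Add `/* bfqg_to_blkg() dereferences bfqg, so the bfqg reference must be dropped last. */` above the blkg_put() call.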
--- /dev/null
+From de02b9f6bb65a6a1848f346f7a3617b7a9b930c0 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 17 Aug 2018 09:38:59 +0100
+Subject: Btrfs: fix data corruption when deduplicating between different files
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit de02b9f6bb65a6a1848f346f7a3617b7a9b930c0 upstream.
+
+If we deduplicate extents between two different files we can end up
+corrupting data if the source range ends at the size of the source file,
+the source file's size is not aligned to the filesystem's block size
+and the destination range does not go past the size of the destination
+file size.
+
+Example:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ $ xfs_io -f -c "pwrite -S 0x6b 0 2518890" /mnt/foo
+ # The first byte with a value of 0xae starts at an offset (2518890)
+ # which is not a multiple of the sector size.
+ $ xfs_io -c "pwrite -S 0xae 2518890 102398" /mnt/foo
+
+ # Confirm the file content is full of bytes with values 0x6b and 0xae.
+ $ od -t x1 /mnt/foo
+ 0000000 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
+ *
+ 11467540 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b ae ae ae ae ae ae
+ 11467560 ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae
+ *
+ 11777540 ae ae ae ae ae ae ae ae
+ 11777550
+
+ # Create a second file with a length not aligned to the sector size,
+ # whose bytes all have the value 0x6b, so that its extent(s) can be
+ # deduplicated with the first file.
+ $ xfs_io -f -c "pwrite -S 0x6b 0 557771" /mnt/bar
+
+ # Now deduplicate the entire second file into a range of the first file
+ # that also has all bytes with the value 0x6b. The destination range's
+ # end offset must not be aligned to the sector size and must be less
+# than the offset of the first byte with the value 0xae (byte at offset
+ # 2518890).
+ $ xfs_io -c "dedupe /mnt/bar 0 1957888 557771" /mnt/foo
+
+ # The bytes in the range starting at offset 2515659 (end of the
+ # deduplication range) and ending at offset 2519040 (start offset
+ # rounded up to the block size) must all have the value 0xae (and not
+ # replaced with 0x00 values). In other words, we should have exactly
+ # the same data we had before we asked for deduplication.
+ $ od -t x1 /mnt/foo
+ 0000000 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
+ *
+ 11467540 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b ae ae ae ae ae ae
+ 11467560 ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae
+ *
+ 11777540 ae ae ae ae ae ae ae ae
+ 11777550
+
+ # Unmount the filesystem and mount it again. This guarantees any file
+ # data in the page cache is dropped.
+ $ umount /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ $ od -t x1 /mnt/foo
+ 0000000 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
+ *
+ 11461300 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 00
+ 11461320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ *
+ 11470000 ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae
+ *
+ 11777540 ae ae ae ae ae ae ae ae
+ 11777550
+
+ # The bytes in range 2515659 to 2519040 have a value of 0x00 and not a
+ # value of 0xae, data corruption happened due to the deduplication
+ # operation.
+
+So fix this by rounding down, to the sector size, the length used for the
+deduplication when the following conditions are met:
+
+ 1) Source file's range ends at its i_size;
+ 2) Source file's i_size is not aligned to the sector size;
+ 3) Destination range does not cross the i_size of the destination file.
+
+Fixes: e1d227a42ea2 ("btrfs: Handle unaligned length in extent_same")
+CC: stable@vger.kernel.org # 4.2+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/ioctl.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3158,6 +3158,25 @@ static int btrfs_extent_same(struct inod
+
+ same_lock_start = min_t(u64, loff, dst_loff);
+ same_lock_len = max_t(u64, loff, dst_loff) + len - same_lock_start;
++ } else {
++ /*
++ * If the source and destination inodes are different, the
++ * source's range end offset matches the source's i_size, that
++ * i_size is not a multiple of the sector size, and the
++ * destination range does not go past the destination's i_size,
++ * we must round down the length to the nearest sector size
++ * multiple. If we don't do this adjustment we end replacing
++ * with zeroes the bytes in the range that starts at the
++ * deduplication range's end offset and ends at the next sector
++ * size multiple.
++ */
++ if (loff + olen == i_size_read(src) &&
++ dst_loff + len < i_size_read(dst)) {
++ const u64 sz = BTRFS_I(src)->root->fs_info->sectorsize;
++
++ len = round_down(i_size_read(src), sz) - loff;
++ olen = len;
++ }
+ }
+
+ /* don't make the dst file partly checksummed */
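Review bot: `round_down(i_size_read(src), sz) - loff` wraps to a huge u64 if loff lies inside the final partial block (loff > round_down(i_size)), which the `loff + olen == i_size_read(src)` test alone does not exclude. Whether loff is already known to be block-aligned at this point is not visible in the hunk (my recollection is that extent_same_check_offsets runs later in this function), so a local guard keeps the adjustment self-contained: `if (round_down(i_size_read(src), sz) <= loff) return -EINVAL;` before computing len, or move the adjustment after the alignment checks. The dst bound `dst_loff + len < i_size_read(dst)` looks right: when both ranges end exactly at their files' i_size the two tails are equally partial and need no rounding. btrfs_extent_same begins and ends outside the hunk.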
--- /dev/null
+From 851a15114895c5bce163a6f2d57e0aa4658a1be4 Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+Date: Mon, 3 Sep 2018 11:24:57 +0300
+Subject: i2c: i801: fix DNV's SMBCTRL register offset
+
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+commit 851a15114895c5bce163a6f2d57e0aa4658a1be4 upstream.
+
+DNV's iTCO is slightly different with SMBCTRL sitting at a different
+offset when compared to all other devices. Let's fix so that we can
+properly use iTCO watchdog.
+
+Fixes: 84d7f2ebd70d ("i2c: i801: Add support for Intel DNV")
+Cc: <stable@vger.kernel.org> # v4.4+
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-i801.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -138,6 +138,7 @@
+
+ #define SBREG_BAR 0x10
+ #define SBREG_SMBCTRL 0xc6000c
++#define SBREG_SMBCTRL_DNV 0xcf000c
+
+ /* Host status bits for SMBPCISTS */
+ #define SMBPCISTS_INTS BIT(3)
+@@ -1395,7 +1396,11 @@ static void i801_add_tco(struct i801_pri
+ spin_unlock(&p2sb_spinlock);
+
+ res = &tco_res[ICH_RES_MEM_OFF];
+- res->start = (resource_size_t)base64_addr + SBREG_SMBCTRL;
++ if (pci_dev->device == PCI_DEVICE_ID_INTEL_DNV_SMBUS)
++ res->start = (resource_size_t)base64_addr + SBREG_SMBCTRL_DNV;
++ else
++ res->start = (resource_size_t)base64_addr + SBREG_SMBCTRL;
++
+ res->end = res->start + 3;
+ res->flags = IORESOURCE_MEM;
+
--- /dev/null
+From ae7304c3ea28a3ba47a7a8312c76c654ef24967e Mon Sep 17 00:00:00 2001
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Date: Mon, 3 Sep 2018 15:11:11 +0530
+Subject: i2c: xiic: Make the start and the byte count write atomic
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+
+commit ae7304c3ea28a3ba47a7a8312c76c654ef24967e upstream.
+
+Disable interrupts while configuring the transfer and enable them back.
+
+We have below as the programming sequence
+1. start and slave address
+2. byte count and stop
+
+In some customer platform there was a lot of interrupts between 1 and 2
+and after slave address (around 7 clock cycles) if 2 is not executed
+then the transaction is nacked.
+
+To fix this case make the 2 writes atomic.
+
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+[wsa: added a newline for better readability]
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-xiic.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-xiic.c
++++ b/drivers/i2c/busses/i2c-xiic.c
+@@ -538,6 +538,7 @@ static void xiic_start_recv(struct xiic_
+ {
+ u8 rx_watermark;
+ struct i2c_msg *msg = i2c->rx_msg = i2c->tx_msg;
++ unsigned long flags;
+
+ /* Clear and enable Rx full interrupt. */
+ xiic_irq_clr_en(i2c, XIIC_INTR_RX_FULL_MASK | XIIC_INTR_TX_ERROR_MASK);
+@@ -553,6 +554,7 @@ static void xiic_start_recv(struct xiic_
+ rx_watermark = IIC_RX_FIFO_DEPTH;
+ xiic_setreg8(i2c, XIIC_RFD_REG_OFFSET, rx_watermark - 1);
+
++ local_irq_save(flags);
+ if (!(msg->flags & I2C_M_NOSTART))
+ /* write the address */
+ xiic_setreg16(i2c, XIIC_DTR_REG_OFFSET,
+@@ -563,6 +565,8 @@ static void xiic_start_recv(struct xiic_
+
+ xiic_setreg16(i2c, XIIC_DTR_REG_OFFSET,
+ msg->len | ((i2c->nmsgs == 1) ? XIIC_TX_DYN_STOP_MASK : 0));
++ local_irq_restore(flags);
++
+ if (i2c->nmsgs == 1)
+ /* very last, enable bus not busy as well */
+ xiic_irq_clr_en(i2c, XIIC_INTR_BNB_MASK);
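Review bot: the local_irq_save()/local_irq_restore() pair around the two DTR writes carries no comment, and the reason is a hardware timing requirement rather than a data race, which a later cleanup could easily mistake for unnecessary locking. A comment at local_irq_save(), `/* The address and byte-count/stop writes must be back-to-back: an interrupt between them lets the controller NACK the transfer. */`, would record it. Note that disabling local interrupts only removes this CPU's interrupt latency; it cannot help against other sources such as SMIs or a hypervisor, so the ~7-cycle window described in the commit message may still be missed in those environments. xiic_start_recv continues outside the hunk.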
--- /dev/null
+From 204c97245612b6c255edf4e21e24d417c4a0c008 Mon Sep 17 00:00:00 2001
+From: Pierre Morel <pmorel@linux.ibm.com>
+Date: Thu, 23 Aug 2018 12:25:54 +0200
+Subject: KVM: s390: vsie: copy wrapping keys to right place
+
+From: Pierre Morel <pmorel@linux.ibm.com>
+
+commit 204c97245612b6c255edf4e21e24d417c4a0c008 upstream.
+
+Copy the key mask to the right offset inside the shadow CRYCB
+
+Fixes: bbeaa58b3 ("KVM: s390: vsie: support aes dea wrapping keys")
+Signed-off-by: Pierre Morel <pmorel@linux.ibm.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Cc: stable@vger.kernel.org # v4.8+
+Message-Id: <1535019956-23539-2-git-send-email-pmorel@linux.ibm.com>
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/vsie.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/vsie.c
++++ b/arch/s390/kvm/vsie.c
+@@ -170,7 +170,8 @@ static int shadow_crycb(struct kvm_vcpu
+ return set_validity_icpt(scb_s, 0x0039U);
+
+ /* copy only the wrapping keys */
+- if (read_guest_real(vcpu, crycb_addr + 72, &vsie_page->crycb, 56))
++ if (read_guest_real(vcpu, crycb_addr + 72,
++ vsie_page->crycb.dea_wrapping_key_mask, 56))
+ return set_validity_icpt(scb_s, 0x0035U);
+
+ scb_s->ecb3 |= ecb3_flags;
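Review bot: the guest offset and length (72, 56) remain magic numbers that must agree with the layout of vsie_page->crycb, which is exactly the kind of mismatch the original commit got wrong. If crycb is a struct kvm_s390_crypto_cb whose dea_wrapping_key_mask and aes_wrapping_key_mask are adjacent, deriving them from the type — `crycb_addr + offsetof(struct kvm_s390_crypto_cb, dea_wrapping_key_mask)` and `sizeof(vsie_page->crycb.dea_wrapping_key_mask) + sizeof(vsie_page->crycb.aes_wrapping_key_mask)` — ties source offset, destination and length together by construction; at minimum a `BUILD_BUG_ON()` asserting that offset is 72 would catch future drift. shadow_crycb continues outside the hunk.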
--- /dev/null
+From c4409905cd6eb42cfd06126e9226b0150e05a715 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Thu, 23 Aug 2018 13:56:46 -0700
+Subject: KVM: VMX: Do not allow reexecute_instruction() when skipping MMIO instr
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit c4409905cd6eb42cfd06126e9226b0150e05a715 upstream.
+
+Re-execution after an emulation decode failure is only intended to
+handle a case where two or more vCPUs race to write a shadowed page, i.e.
+we should never re-execute an instruction as part of MMIO emulation.
+As handle_ept_misconfig() is only used for MMIO emulation, it should
+pass EMULTYPE_NO_REEXECUTE when using the emulator to skip an instr
+in the fast-MMIO case where VM_EXIT_INSTRUCTION_LEN is invalid.
+
+And because the cr2 value passed to x86_emulate_instruction() is only
+destined for use when retrying or reexecuting, we can simply call
+emulate_instruction().
+
+Fixes: d391f1207067 ("x86/kvm/vmx: do not use vm-exit instruction length
+ for fast MMIO when running nested")
+Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6965,8 +6965,8 @@ static int handle_ept_misconfig(struct k
+ if (!static_cpu_has(X86_FEATURE_HYPERVISOR))
+ return kvm_skip_emulated_instruction(vcpu);
+ else
+- return x86_emulate_instruction(vcpu, gpa, EMULTYPE_SKIP,
+- NULL, 0) == EMULATE_DONE;
++ return emulate_instruction(vcpu, EMULTYPE_SKIP) ==
++ EMULATE_DONE;
+ }
+
+ ret = kvm_mmu_page_fault(vcpu, gpa, PFERR_RSVD_MASK, NULL, 0);
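Review bot: the commit message says this path must pass EMULTYPE_NO_REEXECUTE, but the new call passes only EMULTYPE_SKIP and relies on emulate_instruction() adding the flag internally, which nothing in the hunk shows. A comment on the call makes that dependency explicit for the next reader: `/* emulate_instruction() implies EMULTYPE_NO_REEXECUTE: MMIO must never be re-executed. */`. handle_ept_misconfig begins before and continues after the hunk.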
--- /dev/null
+From 0f02cfbc3d9e413d450d8d0fd660077c23f67eff Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Thu, 30 Aug 2018 11:01:21 -0700
+Subject: MIPS: VDSO: Match data page cache colouring when D$ aliases
+
+From: Paul Burton <paul.burton@mips.com>
+
+commit 0f02cfbc3d9e413d450d8d0fd660077c23f67eff upstream.
+
+When a system suffers from dcache aliasing a user program may observe
+stale VDSO data from an aliased cache line. Notably this can break the
+expectation that clock_gettime(CLOCK_MONOTONIC, ...) is, as its name
+suggests, monotonic.
+
+In order to ensure that users observe updates to the VDSO data page as
+intended, align the user mappings of the VDSO data page such that their
+cache colouring matches that of the virtual address range which the
+kernel will use to update the data page - typically its unmapped address
+within kseg0.
+
+This ensures that we don't introduce aliasing cache lines for the VDSO
+data page, and therefore that userland will observe updates without
+requiring cache invalidation.
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Reported-by: Hauke Mehrtens <hauke@hauke-m.de>
+Reported-by: Rene Nielsen <rene.nielsen@microsemi.com>
+Reported-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO")
+Patchwork: https://patchwork.linux-mips.org/patch/20344/
+Tested-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Tested-by: Hauke Mehrtens <hauke@hauke-m.de>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org # v4.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/vdso.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/arch/mips/kernel/vdso.c
++++ b/arch/mips/kernel/vdso.c
+@@ -13,6 +13,7 @@
+ #include <linux/err.h>
+ #include <linux/init.h>
+ #include <linux/ioport.h>
++#include <linux/kernel.h>
+ #include <linux/mm.h>
+ #include <linux/sched.h>
+ #include <linux/slab.h>
+@@ -20,6 +21,7 @@
+
+ #include <asm/abi.h>
+ #include <asm/mips-cps.h>
++#include <asm/page.h>
+ #include <asm/vdso.h>
+
+ /* Kernel-provided data used by the VDSO. */
+@@ -128,12 +130,30 @@ int arch_setup_additional_pages(struct l
+ vvar_size = gic_size + PAGE_SIZE;
+ size = vvar_size + image->size;
+
++ /*
++ * Find a region that's large enough for us to perform the
++ * colour-matching alignment below.
++ */
++ if (cpu_has_dc_aliases)
++ size += shm_align_mask + 1;
++
+ base = get_unmapped_area(NULL, 0, size, 0, 0);
+ if (IS_ERR_VALUE(base)) {
+ ret = base;
+ goto out;
+ }
+
++ /*
++ * If we suffer from dcache aliasing, ensure that the VDSO data page
++ * mapping is coloured the same as the kernel's mapping of that memory.
++ * This ensures that when the kernel updates the VDSO data userland
++ * will observe it without requiring cache invalidations.
++ */
++ if (cpu_has_dc_aliases) {
++ base = __ALIGN_MASK(base, shm_align_mask);
++ base += ((unsigned long)&vdso_data - gic_size) & shm_align_mask;
++ }
++
+ data_addr = base + gic_size;
+ vdso_addr = data_addr + PAGE_SIZE;
+
--- /dev/null
+From bc811f05d77f47059c197a98b6ad242eb03999cb Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 4 Sep 2018 11:52:34 -0600
+Subject: nbd: don't allow invalid blocksize settings
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit bc811f05d77f47059c197a98b6ad242eb03999cb upstream.
+
+syzbot reports a divide-by-zero off the NBD_SET_BLKSIZE ioctl.
+We need proper validation of the input here. Not just if it's
+zero, but also if the value is a power-of-2 and in a valid
+range. Add that.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot <syzbot+25dbecbec1e62c6b0dd4@syzkaller.appspotmail.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/nbd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1228,6 +1228,9 @@ static int __nbd_ioctl(struct block_devi
+ case NBD_SET_SOCK:
+ return nbd_add_socket(nbd, arg, false);
+ case NBD_SET_BLKSIZE:
++ if (!arg || !is_power_of_2(arg) || arg < 512 ||
++ arg > PAGE_SIZE)
++ return -EINVAL;
+ nbd_size_set(nbd, arg,
+ div_s64(config->bytesize, arg));
+ return 0;
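Review bot: the `!arg` test is redundant once `arg < 512` is checked, and more importantly the same limits are not applied on the netlink configure path (NBD_ATTR_BLOCK_SIZE_BYTES), which is not in this diff but feeds the same nbd_size_set(); if that path is left as is, the divide-by-zero remains reachable from there. A predicate both callers share, `static bool nbd_is_valid_blksize(unsigned long blksize) { return is_power_of_2(blksize) && blksize >= 512 && blksize <= PAGE_SIZE; }`, keeps the two in sync. __nbd_ioctl starts before and continues after the hunk.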
--- /dev/null
+From 53e13ee087a80e8d4fc95436318436e5c2c1f8c2 Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Thu, 16 Aug 2018 16:04:05 -0700
+Subject: scsi: lpfc: Correct MDS diag and nvmet configuration
+
+From: James Smart <jsmart2021@gmail.com>
+
+commit 53e13ee087a80e8d4fc95436318436e5c2c1f8c2 upstream.
+
+A recent change added some MDS processing in the lpfc_drain_txq routine
+that relies on the fcp_wq being allocated. For nvmet operation the fcp_wq
+is not allocated because it can only be an nvme-target. When the original
+MDS support was added LS_MDS_LOOPBACK was defined wrong, (0x16) it should
+have been 0x10 (decimal value used for hex setting). This incorrect value
+allowed MDS_LOOPBACK to be set simultaneously with LS_NPIV_FAB_SUPPORTED,
+causing the driver to crash when it accesses the non-existent fcp_wq.
+
+Correct the bad value setting for LS_MDS_LOOPBACK.
+
+Fixes: ae9e28f36a6c ("lpfc: Add MDS Diagnostic support.")
+Cc: <stable@vger.kernel.org> # v4.12+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Tested-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/lpfc/lpfc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/lpfc/lpfc.h
++++ b/drivers/scsi/lpfc/lpfc.h
+@@ -676,7 +676,7 @@ struct lpfc_hba {
+ #define LS_NPIV_FAB_SUPPORTED 0x2 /* Fabric supports NPIV */
+ #define LS_IGNORE_ERATT 0x4 /* intr handler should ignore ERATT */
+ #define LS_MDS_LINK_DOWN 0x8 /* MDS Diagnostics Link Down */
+-#define LS_MDS_LOOPBACK 0x16 /* MDS Diagnostics Link Up (Loopback) */
++#define LS_MDS_LOOPBACK 0x10 /* MDS Diagnostics Link Up (Loopback) */
+
+ uint32_t hba_flag; /* hba generic flags */
+ #define HBA_ERATT_HANDLED 0x1 /* This flag is set when eratt handled */
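Review bot: the root cause was a decimal/hex mix-up in a hand-written bitmask, and the corrected line still depends on the author computing the hex value by hand; `BIT()` makes the intent unmistakable and this class of typo unrepresentable, e.g. `#define LS_MDS_LOOPBACK BIT(4) /* MDS Diagnostics Link Up (Loopback) */` with LS_MDS_LINK_DOWN as `BIT(3)` alongside it. Converting the whole flag group is a separate cleanup; struct lpfc_hba continues outside the hunk.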
smb3-backup-intent-flag-missing-for-directory-opens-with-backupuid-mounts.patch
smb3-check-for-and-properly-advertise-directory-lease-support.patch
btrfs-fix-data-corruption-when-deduplicating-between-different-files.patch
+kvm-s390-vsie-copy-wrapping-keys-to-right-place.patch
+kvm-vmx-do-not-allow-reexecute_instruction-when-skipping-mmio-instr.patch
--- /dev/null
+From 5e19697b56a64004e2d0ff1bb952ea05493c088f Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Mon, 27 Aug 2018 17:04:13 -0500
+Subject: SMB3: Backup intent flag missing for directory opens with backupuid mounts
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 5e19697b56a64004e2d0ff1bb952ea05493c088f upstream.
+
+When "backup intent" is requested on the mount (e.g. backupuid or
+backupgid mount options), the corresponding flag needs to be set
+on opens of directories (and files) but was missing in some
+places causing access denied trying to enumerate and backup
+servers.
+
+Fixes kernel bugzilla #200953
+https://bugzilla.kernel.org/show_bug.cgi?id=200953
+
+Reported-and-tested-by: <whh@rubrik.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/inode.c | 2 ++
+ fs/cifs/smb2ops.c | 25 ++++++++++++++++++++-----
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -467,6 +467,8 @@ cifs_sfu_type(struct cifs_fattr *fattr,
+ oparms.cifs_sb = cifs_sb;
+ oparms.desired_access = GENERIC_READ;
+ oparms.create_options = CREATE_NOT_DIR;
++ if (backup_cred(cifs_sb))
++ oparms.create_options |= CREATE_OPEN_BACKUP_INTENT;
+ oparms.disposition = FILE_OPEN;
+ oparms.path = path;
+ oparms.fid = &fid;
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -385,7 +385,10 @@ smb2_is_path_accessible(const unsigned i
+ oparms.tcon = tcon;
+ oparms.desired_access = FILE_READ_ATTRIBUTES;
+ oparms.disposition = FILE_OPEN;
+- oparms.create_options = 0;
++ if (backup_cred(cifs_sb))
++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT;
++ else
++ oparms.create_options = 0;
+ oparms.fid = &fid;
+ oparms.reconnect = false;
+
+@@ -534,7 +537,10 @@ smb2_query_eas(const unsigned int xid, s
+ oparms.tcon = tcon;
+ oparms.desired_access = FILE_READ_EA;
+ oparms.disposition = FILE_OPEN;
+- oparms.create_options = 0;
++ if (backup_cred(cifs_sb))
++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT;
++ else
++ oparms.create_options = 0;
+ oparms.fid = &fid;
+ oparms.reconnect = false;
+
+@@ -613,7 +619,10 @@ smb2_set_ea(const unsigned int xid, stru
+ oparms.tcon = tcon;
+ oparms.desired_access = FILE_WRITE_EA;
+ oparms.disposition = FILE_OPEN;
+- oparms.create_options = 0;
++ if (backup_cred(cifs_sb))
++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT;
++ else
++ oparms.create_options = 0;
+ oparms.fid = &fid;
+ oparms.reconnect = false;
+
+@@ -1215,7 +1224,10 @@ smb2_query_dir_first(const unsigned int
+ oparms.tcon = tcon;
+ oparms.desired_access = FILE_READ_ATTRIBUTES | FILE_READ_DATA;
+ oparms.disposition = FILE_OPEN;
+- oparms.create_options = 0;
++ if (backup_cred(cifs_sb))
++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT;
++ else
++ oparms.create_options = 0;
+ oparms.fid = fid;
+ oparms.reconnect = false;
+
+@@ -1491,7 +1503,10 @@ smb2_query_symlink(const unsigned int xi
+ oparms.tcon = tcon;
+ oparms.desired_access = FILE_READ_ATTRIBUTES;
+ oparms.disposition = FILE_OPEN;
+- oparms.create_options = 0;
++ if (backup_cred(cifs_sb))
++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT;
++ else
++ oparms.create_options = 0;
+ oparms.fid = &fid;
+ oparms.reconnect = false;
+
--- /dev/null
+From f801568332321e2b1e7a8bd26c3e4913a312a2ec Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Fri, 31 Aug 2018 15:12:10 -0500
+Subject: smb3: check for and properly advertise directory lease support
+
+From: Steve French <stfrench@microsoft.com>
+
+commit f801568332321e2b1e7a8bd26c3e4913a312a2ec upstream.
+
+Although servers will typically ignore unsupported features,
+we should advertise the support for directory leases (as
+Windows e.g. does) in the negotiate protocol capabilities we
+pass to the server, and should check for the server capability
+(CAP_DIRECTORY_LEASING) before sending a lease request for an
+open of a directory. This will prevent us from accidentally
+sending directory leases to SMB2.1 or SMB2 server for example.
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c | 10 +++++-----
+ fs/cifs/smb2pdu.c | 3 +++
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -3215,7 +3215,7 @@ struct smb_version_values smb21_values =
+ struct smb_version_values smb3any_values = {
+ .version_string = SMB3ANY_VERSION_STRING,
+ .protocol_id = SMB302_PROT_ID, /* doesn't matter, send protocol array */
+- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION,
++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK,
+@@ -3235,7 +3235,7 @@ struct smb_version_values smb3any_values
+ struct smb_version_values smbdefault_values = {
+ .version_string = SMBDEFAULT_VERSION_STRING,
+ .protocol_id = SMB302_PROT_ID, /* doesn't matter, send protocol array */
+- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION,
++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK,
+@@ -3255,7 +3255,7 @@ struct smb_version_values smbdefault_val
+ struct smb_version_values smb30_values = {
+ .version_string = SMB30_VERSION_STRING,
+ .protocol_id = SMB30_PROT_ID,
+- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION,
++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK,
+@@ -3275,7 +3275,7 @@ struct smb_version_values smb30_values =
+ struct smb_version_values smb302_values = {
+ .version_string = SMB302_VERSION_STRING,
+ .protocol_id = SMB302_PROT_ID,
+- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION,
++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK,
+@@ -3296,7 +3296,7 @@ struct smb_version_values smb302_values
+ struct smb_version_values smb311_values = {
+ .version_string = SMB311_VERSION_STRING,
+ .protocol_id = SMB311_PROT_ID,
+- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION,
++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK,
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1816,6 +1816,9 @@ SMB2_open(const unsigned int xid, struct
+ if (!(server->capabilities & SMB2_GLOBAL_CAP_LEASING) ||
+ *oplock == SMB2_OPLOCK_LEVEL_NONE)
+ req->RequestedOplockLevel = *oplock;
++ else if (!(server->capabilities & SMB2_GLOBAL_CAP_DIRECTORY_LEASING) &&
++ (oparms->create_options & CREATE_NOT_FILE))
++ req->RequestedOplockLevel = *oplock; /* no srv lease support */
+ else {
+ rc = add_lease_context(server, iov, &n_iov, oplock);
+ if (rc) {
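Review bot: the new branch echoes `*oplock` into RequestedOplockLevel for a directory open against a server without directory-lease support, but in this else-chain *oplock is by construction not SMB2_OPLOCK_LEVEL_NONE and may be a level the caller expected to be turned into a lease context; sending it as a legacy oplock level with no lease context is the very thing the patch wants to avoid. Unless every directory caller passes NONE (not visible here), forcing it is safer: `req->RequestedOplockLevel = SMB2_OPLOCK_LEVEL_NONE; *oplock = SMB2_OPLOCK_LEVEL_NONE; /* no srv lease support */` so the caller's view matches what was actually requested. SMB2_open begins before and continues after the hunk.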