--- /dev/null
+From da1b9564e85b1d7baf66cbfabcab27e183a1db63 Mon Sep 17 00:00:00 2001
+From: Minchan Kim <minchan@kernel.org>
+Date: Thu, 23 Aug 2018 14:29:56 +0900
+Subject: android: binder: fix the race mmap and alloc_new_buf_locked
+
+From: Minchan Kim <minchan@kernel.org>
+
+commit da1b9564e85b1d7baf66cbfabcab27e183a1db63 upstream.
+
+There is RaceFuzzer report like below because we have no lock to close
+below the race between binder_mmap and binder_alloc_new_buf_locked.
+To close the race, let's use memory barrier so that if someone see
+alloc->vma is not NULL, alloc->vma_vm_mm should be never NULL.
+
+(I didn't add stable mark intentionallybecause standard android
+userspace libraries that interact with binder (libbinder & libhwbinder)
+prevent the mmap/ioctl race. - from Todd)
+
+"
+Thread interleaving:
+CPU0 (binder_alloc_mmap_handler) CPU1 (binder_alloc_new_buf_locked)
+===== =====
+// drivers/android/binder_alloc.c
+// #L718 (v4.18-rc3)
+alloc->vma = vma;
+ // drivers/android/binder_alloc.c
+ // #L346 (v4.18-rc3)
+ if (alloc->vma == NULL) {
+ ...
+ // alloc->vma is not NULL at this point
+ return ERR_PTR(-ESRCH);
+ }
+ ...
+ // #L438
+ binder_update_page_range(alloc, 0,
+ (void *)PAGE_ALIGN((uintptr_t)buffer->data),
+ end_page_addr);
+
+ // In binder_update_page_range() #L218
+ // But still alloc->vma_vm_mm is NULL here
+ if (need_mm && mmget_not_zero(alloc->vma_vm_mm))
+alloc->vma_vm_mm = vma->vm_mm;
+
+Crash Log:
+==================================================================
+BUG: KASAN: null-ptr-deref in __atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline]
+BUG: KASAN: null-ptr-deref in atomic_add_unless include/linux/atomic.h:533 [inline]
+BUG: KASAN: null-ptr-deref in mmget_not_zero include/linux/sched/mm.h:75 [inline]
+BUG: KASAN: null-ptr-deref in binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218
+Write of size 4 at addr 0000000000000058 by task syz-executor0/11184
+
+CPU: 1 PID: 11184 Comm: syz-executor0 Not tainted 4.18.0-rc3 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x16e/0x22c lib/dump_stack.c:113
+ kasan_report_error mm/kasan/report.c:352 [inline]
+ kasan_report+0x163/0x380 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x140/0x1a0 mm/kasan/kasan.c:267
+ kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
+ __atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline]
+ atomic_add_unless include/linux/atomic.h:533 [inline]
+ mmget_not_zero include/linux/sched/mm.h:75 [inline]
+ binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218
+ binder_alloc_new_buf_locked drivers/android/binder_alloc.c:443 [inline]
+ binder_alloc_new_buf+0x467/0xc30 drivers/android/binder_alloc.c:513
+ binder_transaction+0x125b/0x4fb0 drivers/android/binder.c:2957
+ binder_thread_write+0xc08/0x2770 drivers/android/binder.c:3528
+ binder_ioctl_write_read.isra.39+0x24f/0x8e0 drivers/android/binder.c:4456
+ binder_ioctl+0xa86/0xf34 drivers/android/binder.c:4596
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ do_vfs_ioctl+0x154/0xd40 fs/ioctl.c:686
+ ksys_ioctl+0x94/0xb0 fs/ioctl.c:701
+ __do_sys_ioctl fs/ioctl.c:708 [inline]
+ __se_sys_ioctl fs/ioctl.c:706 [inline]
+ __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:706
+ do_syscall_64+0x167/0x4b0 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+"
+
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Signed-off-by: Minchan Kim <minchan@kernel.org>
+Reviewed-by: Martijn Coenen <maco@android.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder_alloc.c | 43 +++++++++++++++++++++++++++++++++--------
+ 1 file changed, 35 insertions(+), 8 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -327,6 +327,35 @@ err_no_vma:
+ return vma ? -ENOMEM : -ESRCH;
+ }
+
++
++static inline void binder_alloc_set_vma(struct binder_alloc *alloc,
++ struct vm_area_struct *vma)
++{
++ if (vma)
++ alloc->vma_vm_mm = vma->vm_mm;
++ /*
++ * If we see alloc->vma is not NULL, buffer data structures set up
++ * completely. Look at smp_rmb side binder_alloc_get_vma.
++ * We also want to guarantee new alloc->vma_vm_mm is always visible
++ * if alloc->vma is set.
++ */
++ smp_wmb();
++ alloc->vma = vma;
++}
++
++static inline struct vm_area_struct *binder_alloc_get_vma(
++ struct binder_alloc *alloc)
++{
++ struct vm_area_struct *vma = NULL;
++
++ if (alloc->vma) {
++ /* Look at description in binder_alloc_set_vma */
++ smp_rmb();
++ vma = alloc->vma;
++ }
++ return vma;
++}
++
+ static struct binder_buffer *binder_alloc_new_buf_locked(
+ struct binder_alloc *alloc,
+ size_t data_size,
+@@ -343,7 +372,7 @@ static struct binder_buffer *binder_allo
+ size_t size, data_offsets_size;
+ int ret;
+
+- if (alloc->vma == NULL) {
++ if (!binder_alloc_get_vma(alloc)) {
+ pr_err("%d: binder_alloc_buf, no vma\n",
+ alloc->pid);
+ return ERR_PTR(-ESRCH);
+@@ -714,9 +743,7 @@ int binder_alloc_mmap_handler(struct bin
+ buffer->free = 1;
+ binder_insert_free_buffer(alloc, buffer);
+ alloc->free_async_space = alloc->buffer_size / 2;
+- barrier();
+- alloc->vma = vma;
+- alloc->vma_vm_mm = vma->vm_mm;
++ binder_alloc_set_vma(alloc, vma);
+ mmgrab(alloc->vma_vm_mm);
+
+ return 0;
+@@ -743,10 +770,10 @@ void binder_alloc_deferred_release(struc
+ int buffers, page_count;
+ struct binder_buffer *buffer;
+
+- BUG_ON(alloc->vma);
+-
+ buffers = 0;
+ mutex_lock(&alloc->mutex);
++ BUG_ON(alloc->vma);
++
+ while ((n = rb_first(&alloc->allocated_buffers))) {
+ buffer = rb_entry(n, struct binder_buffer, rb_node);
+
+@@ -889,7 +916,7 @@ int binder_alloc_get_allocated_count(str
+ */
+ void binder_alloc_vma_close(struct binder_alloc *alloc)
+ {
+- WRITE_ONCE(alloc->vma, NULL);
++ binder_alloc_set_vma(alloc, NULL);
+ }
+
+ /**
+@@ -924,7 +951,7 @@ enum lru_status binder_alloc_free_page(s
+
+ index = page - alloc->pages;
+ page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE;
+- vma = alloc->vma;
++ vma = binder_alloc_get_vma(alloc);
+ if (vma) {
+ if (!mmget_not_zero(alloc->vma_vm_mm))
+ goto err_mmget;
--- /dev/null
+From 7d14919c0d475a795c0127631ac8ecb2b0f31831 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 23 Aug 2018 11:51:43 +0100
+Subject: arm64: KVM: Only force FPEXC32_EL2.EN if trapping FPSIMD
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 7d14919c0d475a795c0127631ac8ecb2b0f31831 upstream.
+
+If trapping FPSIMD in the context of an AArch32 guest, it is critical
+to set FPEXC32_EL2.EN to 1 so that the trapping is taken to EL2 and
+not EL1.
+
+Conversely, it is just as critical *not* to set FPEXC32_EL2.EN to 1
+if we're not going to trap FPSIMD, as we then corrupt the existing
+VFP state.
+
+Moving the call to __activate_traps_fpsimd32 to the point where we
+know for sure that we are going to trap ensures that we don't set that
+bit spuriously.
+
+Fixes: e6b673b741ea ("KVM: arm64: Optimise FPSIMD handling to reduce guest/host thrashing")
+Cc: stable@vger.kernel.org # v4.18
+Cc: Dave Martin <dave.martin@arm.com>
+Reported-by: Alexander Graf <agraf@suse.de>
+Tested-by: Alexander Graf <agraf@suse.de>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kvm/hyp/switch.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/kvm/hyp/switch.c
++++ b/arch/arm64/kvm/hyp/switch.c
+@@ -98,8 +98,10 @@ static void activate_traps_vhe(struct kv
+ val = read_sysreg(cpacr_el1);
+ val |= CPACR_EL1_TTA;
+ val &= ~CPACR_EL1_ZEN;
+- if (!update_fp_enabled(vcpu))
++ if (!update_fp_enabled(vcpu)) {
+ val &= ~CPACR_EL1_FPEN;
++ __activate_traps_fpsimd32(vcpu);
++ }
+
+ write_sysreg(val, cpacr_el1);
+
+@@ -114,8 +116,10 @@ static void __hyp_text __activate_traps_
+
+ val = CPTR_EL2_DEFAULT;
+ val |= CPTR_EL2_TTA | CPTR_EL2_TZ;
+- if (!update_fp_enabled(vcpu))
++ if (!update_fp_enabled(vcpu)) {
+ val |= CPTR_EL2_TFP;
++ __activate_traps_fpsimd32(vcpu);
++ }
+
+ write_sysreg(val, cptr_el2);
+ }
+@@ -129,7 +133,6 @@ static void __hyp_text __activate_traps(
+ if (cpus_have_const_cap(ARM64_HAS_RAS_EXTN) && (hcr & HCR_VSE))
+ write_sysreg_s(vcpu->arch.vsesr_el2, SYS_VSESR_EL2);
+
+- __activate_traps_fpsimd32(vcpu);
+ if (has_vhe())
+ activate_traps_vhe(vcpu);
+ else
--- /dev/null
+From d5274b3cd6a814ccb2f56d81ee87cbbf51bd4cf7 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Thu, 6 Sep 2018 11:05:44 +0300
+Subject: block: bfq: swap puts in bfqg_and_blkg_put
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+commit d5274b3cd6a814ccb2f56d81ee87cbbf51bd4cf7 upstream.
+
+Fix trivial use-after-free. This could be last reference to bfqg.
+
+Fixes: 8f9bebc33dd7 ("block, bfq: access and cache blkg data only when safe")
+Acked-by: Paolo Valente <paolo.valente@linaro.org>
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/bfq-cgroup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/block/bfq-cgroup.c
++++ b/block/bfq-cgroup.c
+@@ -275,9 +275,9 @@ static void bfqg_and_blkg_get(struct bfq
+
+ void bfqg_and_blkg_put(struct bfq_group *bfqg)
+ {
+- bfqg_put(bfqg);
+-
+ blkg_put(bfqg_to_blkg(bfqg));
++
++ bfqg_put(bfqg);
+ }
+
+ /* @stats = 0 */
--- /dev/null
+From 8b2ded1c94c06f841f8c1612bcfa33c85012a36b Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 5 Sep 2018 16:14:36 -0600
+Subject: block: don't warn when doing fsync on read-only devices
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 8b2ded1c94c06f841f8c1612bcfa33c85012a36b upstream.
+
+It is possible to call fsync on a read-only handle (for example, fsck.ext2
+does it when doing read-only check), and this call results in kernel
+warning.
+
+The patch b089cfd95d32 ("block: don't warn for flush on read-only device")
+attempted to disable the warning, but it is buggy and it doesn't
+(op_is_flush tests flags, but bio_op strips off the flags).
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Fixes: 721c7fc701c7 ("block: fail op_is_write() requests to read-only partitions")
+Cc: stable@vger.kernel.org # 4.18
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -2161,9 +2161,12 @@ static inline bool bio_check_ro(struct b
+ {
+ const int op = bio_op(bio);
+
+- if (part->policy && (op_is_write(op) && !op_is_flush(op))) {
++ if (part->policy && op_is_write(op)) {
+ char b[BDEVNAME_SIZE];
+
++ if (op_is_flush(bio->bi_opf) && !bio_sectors(bio))
++ return false;
++
+ WARN_ONCE(1,
+ "generic_make_request: Trying to write "
+ "to read-only block-device %s (partno %d)\n",
--- /dev/null
+From de02b9f6bb65a6a1848f346f7a3617b7a9b930c0 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 17 Aug 2018 09:38:59 +0100
+Subject: Btrfs: fix data corruption when deduplicating between different files
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit de02b9f6bb65a6a1848f346f7a3617b7a9b930c0 upstream.
+
+If we deduplicate extents between two different files we can end up
+corrupting data if the source range ends at the size of the source file,
+the source file's size is not aligned to the filesystem's block size
+and the destination range does not go past the size of the destination
+file size.
+
+Example:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ $ xfs_io -f -c "pwrite -S 0x6b 0 2518890" /mnt/foo
+ # The first byte with a value of 0xae starts at an offset (2518890)
+ # which is not a multiple of the sector size.
+ $ xfs_io -c "pwrite -S 0xae 2518890 102398" /mnt/foo
+
+ # Confirm the file content is full of bytes with values 0x6b and 0xae.
+ $ od -t x1 /mnt/foo
+ 0000000 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
+ *
+ 11467540 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b ae ae ae ae ae ae
+ 11467560 ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae
+ *
+ 11777540 ae ae ae ae ae ae ae ae
+ 11777550
+
+ # Create a second file with a length not aligned to the sector size,
+ # whose bytes all have the value 0x6b, so that its extent(s) can be
+ # deduplicated with the first file.
+ $ xfs_io -f -c "pwrite -S 0x6b 0 557771" /mnt/bar
+
+ # Now deduplicate the entire second file into a range of the first file
+ # that also has all bytes with the value 0x6b. The destination range's
+ # end offset must not be aligned to the sector size and must be less
+ # then the offset of the first byte with the value 0xae (byte at offset
+ # 2518890).
+ $ xfs_io -c "dedupe /mnt/bar 0 1957888 557771" /mnt/foo
+
+ # The bytes in the range starting at offset 2515659 (end of the
+ # deduplication range) and ending at offset 2519040 (start offset
+ # rounded up to the block size) must all have the value 0xae (and not
+ # replaced with 0x00 values). In other words, we should have exactly
+ # the same data we had before we asked for deduplication.
+ $ od -t x1 /mnt/foo
+ 0000000 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
+ *
+ 11467540 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b ae ae ae ae ae ae
+ 11467560 ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae
+ *
+ 11777540 ae ae ae ae ae ae ae ae
+ 11777550
+
+ # Unmount the filesystem and mount it again. This guarantees any file
+ # data in the page cache is dropped.
+ $ umount /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ $ od -t x1 /mnt/foo
+ 0000000 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
+ *
+ 11461300 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 00
+ 11461320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ *
+ 11470000 ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae
+ *
+ 11777540 ae ae ae ae ae ae ae ae
+ 11777550
+
+ # The bytes in range 2515659 to 2519040 have a value of 0x00 and not a
+ # value of 0xae, data corruption happened due to the deduplication
+ # operation.
+
+So fix this by rounding down, to the sector size, the length used for the
+deduplication when the following conditions are met:
+
+ 1) Source file's range ends at its i_size;
+ 2) Source file's i_size is not aligned to the sector size;
+ 3) Destination range does not cross the i_size of the destination file.
+
+Fixes: e1d227a42ea2 ("btrfs: Handle unaligned length in extent_same")
+CC: stable@vger.kernel.org # 4.2+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/ioctl.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3463,6 +3463,25 @@ static int btrfs_extent_same_range(struc
+
+ same_lock_start = min_t(u64, loff, dst_loff);
+ same_lock_len = max_t(u64, loff, dst_loff) + len - same_lock_start;
++ } else {
++ /*
++ * If the source and destination inodes are different, the
++ * source's range end offset matches the source's i_size, that
++ * i_size is not a multiple of the sector size, and the
++ * destination range does not go past the destination's i_size,
++ * we must round down the length to the nearest sector size
++ * multiple. If we don't do this adjustment we end replacing
++ * with zeroes the bytes in the range that starts at the
++ * deduplication range's end offset and ends at the next sector
++ * size multiple.
++ */
++ if (loff + olen == i_size_read(src) &&
++ dst_loff + len < i_size_read(dst)) {
++ const u64 sz = BTRFS_I(src)->root->fs_info->sectorsize;
++
++ len = round_down(i_size_read(src), sz) - loff;
++ olen = len;
++ }
+ }
+
+ again:
--- /dev/null
+From a5b7f4295eeae8b05ca91f6d145cd8773b08de9e Mon Sep 17 00:00:00 2001
+From: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
+Date: Thu, 9 Aug 2018 09:46:04 +0800
+Subject: btrfs: fix qgroup_free wrong num_bytes in btrfs_subvolume_reserve_metadata
+
+From: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
+
+commit a5b7f4295eeae8b05ca91f6d145cd8773b08de9e upstream.
+
+After btrfs_qgroup_reserve_meta_prealloc(), num_bytes will be assigned
+again by btrfs_calc_trans_metadata_size(). Once block_rsv fails, we
+can't properly free the num_bytes of the previous qgroup_reserve. Use a
+separate variable to store the num_bytes of the qgroup_reserve.
+
+Delete the comment for the qgroup_reserved that does not exist and add a
+comment about use_global_rsv.
+
+Fixes: c4c129db5da8 ("btrfs: drop unused parameter qgroup_reserved")
+CC: stable@vger.kernel.org # 4.18+
+Signed-off-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent-tree.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -5935,7 +5935,7 @@ void btrfs_trans_release_chunk_metadata(
+ * root: the root of the parent directory
+ * rsv: block reservation
+ * items: the number of items that we need do reservation
+- * qgroup_reserved: used to return the reserved size in qgroup
++ * use_global_rsv: allow fallback to the global block reservation
+ *
+ * This function is used to reserve the space for snapshot/subvolume
+ * creation and deletion. Those operations are different with the
+@@ -5945,10 +5945,10 @@ void btrfs_trans_release_chunk_metadata(
+ * the space reservation mechanism in start_transaction().
+ */
+ int btrfs_subvolume_reserve_metadata(struct btrfs_root *root,
+- struct btrfs_block_rsv *rsv,
+- int items,
++ struct btrfs_block_rsv *rsv, int items,
+ bool use_global_rsv)
+ {
++ u64 qgroup_num_bytes = 0;
+ u64 num_bytes;
+ int ret;
+ struct btrfs_fs_info *fs_info = root->fs_info;
+@@ -5956,12 +5956,11 @@ int btrfs_subvolume_reserve_metadata(str
+
+ if (test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags)) {
+ /* One for parent inode, two for dir entries */
+- num_bytes = 3 * fs_info->nodesize;
+- ret = btrfs_qgroup_reserve_meta_prealloc(root, num_bytes, true);
++ qgroup_num_bytes = 3 * fs_info->nodesize;
++ ret = btrfs_qgroup_reserve_meta_prealloc(root,
++ qgroup_num_bytes, true);
+ if (ret)
+ return ret;
+- } else {
+- num_bytes = 0;
+ }
+
+ num_bytes = btrfs_calc_trans_metadata_size(fs_info, items);
+@@ -5973,8 +5972,8 @@ int btrfs_subvolume_reserve_metadata(str
+ if (ret == -ENOSPC && use_global_rsv)
+ ret = btrfs_block_rsv_migrate(global_rsv, rsv, num_bytes, 1);
+
+- if (ret && num_bytes)
+- btrfs_qgroup_free_meta_prealloc(root, num_bytes);
++ if (ret && qgroup_num_bytes)
++ btrfs_qgroup_free_meta_prealloc(root, qgroup_num_bytes);
+
+ return ret;
+ }
--- /dev/null
+From 395a2076b4064f97d3fce03af15210ff2a7bb7f9 Mon Sep 17 00:00:00 2001
+From: Thomas Werschlein <thomas.werschlein@geo.uzh.ch>
+Date: Thu, 30 Aug 2018 18:29:20 +0200
+Subject: cifs: connect to servername instead of IP for IPC$ share
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Werschlein <thomas.werschlein@geo.uzh.ch>
+
+commit 395a2076b4064f97d3fce03af15210ff2a7bb7f9 upstream.
+
+This patch is required allows access to a Microsoft fileserver failover
+cluster behind a 1:1 NAT firewall.
+
+The change also provides stronger context for authentication and share
+connection (see MS-SMB2 3.3.5.7 and MS-SRVS 3.1.6.8) as noted by
+Tom Talpey, and addresses comments about the buffer size for the UNC
+made by Aurélien Aptel.
+
+Signed-off-by: Thomas Werschlein <thomas.werschlein@geo.uzh.ch>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Tom Talpey <ttalpey@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/connect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2523,7 +2523,7 @@ cifs_setup_ipc(struct cifs_ses *ses, str
+ if (tcon == NULL)
+ return -ENOMEM;
+
+- snprintf(unc, sizeof(unc), "\\\\%s\\IPC$", ses->serverName);
++ snprintf(unc, sizeof(unc), "\\\\%s\\IPC$", ses->server->hostname);
+
+ /* cannot fail */
+ nls_codepage = load_nls_default();
--- /dev/null
+From 0d6c3011409135ea84e2a231b013a22017ff999a Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Tue, 4 Sep 2018 15:31:14 +0200
+Subject: HID: core: fix grouping by application
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit 0d6c3011409135ea84e2a231b013a22017ff999a upstream.
+
+commit f07b3c1da92d ("HID: generic: create one input report per
+application type") was effectively the same as MULTI_INPUT:
+hidinput->report was never set, so hidinput_match_application()
+always returned null.
+
+Fix that by testing against the real application.
+
+Note that this breaks some old eGalax touchscreens that expect MULTI_INPUT
+instead of HID_QUIRK_INPUT_PER_APP. Enable this quirk for backward
+compatibility on all non-Win8 touchscreens.
+
+link: https://bugzilla.kernel.org/show_bug.cgi?id=200847
+link: https://bugzilla.kernel.org/show_bug.cgi?id=200849
+link: https://bugs.archlinux.org/task/59699
+link: https://github.com/NixOS/nixpkgs/issues/45165
+
+Cc: stable@vger.kernel.org # v4.18+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-input.c | 4 ++--
+ drivers/hid/hid-multitouch.c | 3 +++
+ include/linux/hid.h | 1 +
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -1579,6 +1579,7 @@ static struct hid_input *hidinput_alloca
+ input_dev->dev.parent = &hid->dev;
+
+ hidinput->input = input_dev;
++ hidinput->application = application;
+ list_add_tail(&hidinput->list, &hid->inputs);
+
+ INIT_LIST_HEAD(&hidinput->reports);
+@@ -1674,8 +1675,7 @@ static struct hid_input *hidinput_match_
+ struct hid_input *hidinput;
+
+ list_for_each_entry(hidinput, &hid->inputs, list) {
+- if (hidinput->report &&
+- hidinput->report->application == report->application)
++ if (hidinput->application == report->application)
+ return hidinput;
+ }
+
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -1488,6 +1488,9 @@ static int mt_probe(struct hid_device *h
+ */
+ hdev->quirks |= HID_QUIRK_INPUT_PER_APP;
+
++ if (id->group != HID_GROUP_MULTITOUCH_WIN_8)
++ hdev->quirks |= HID_QUIRK_MULTI_INPUT;
++
+ timer_setup(&td->release_timer, mt_expired_timeout, 0);
+
+ ret = hid_parse(hdev);
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -520,6 +520,7 @@ struct hid_input {
+ const char *name;
+ bool registered;
+ struct list_head reports; /* the list of reports */
++ unsigned int application; /* application usage for this input */
+ };
+
+ enum hid_type {
--- /dev/null
+From fb6acf76c3fdd97fea6995e64e2c665725f00fc5 Mon Sep 17 00:00:00 2001
+From: AceLan Kao <acelan.kao@canonical.com>
+Date: Tue, 21 Aug 2018 16:55:13 +0800
+Subject: HID: i2c-hid: Fix flooded incomplete report after S3 on Rayd touchscreen
+
+From: AceLan Kao <acelan.kao@canonical.com>
+
+commit fb6acf76c3fdd97fea6995e64e2c665725f00fc5 upstream.
+
+The incomplete report flooded after S3 and touchscreen becomes
+malfunctioned.
+[ 1367.646244] i2c_hid i2c-CUST0000:00: i2c_hid_get_input: incomplete report (58/18785)
+[ 1367.649471] i2c_hid i2c-CUST0000:00: i2c_hid_get_input: incomplete report (58/28743)
+[ 1367.651092] i2c_hid i2c-CUST0000:00: i2c_hid_get_input: incomplete report (58/26757)
+[ 1367.652658] i2c_hid i2c-CUST0000:00: i2c_hid_get_input: incomplete report (58/52280)
+[ 1367.654287] i2c_hid i2c-CUST0000:00: i2c_hid_get_input: incomplete report (58/56059)
+
+Adding device ID, 04F3:30CC, to the quirk to re-send report description
+after resume.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: AceLan Kao <acelan.kao@canonical.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/i2c-hid/i2c-hid.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -528,6 +528,7 @@
+
+ #define I2C_VENDOR_ID_RAYD 0x2386
+ #define I2C_PRODUCT_ID_RAYD_3118 0x3118
++#define I2C_PRODUCT_ID_RAYD_4B33 0x4B33
+
+ #define USB_VENDOR_ID_HANWANG 0x0b57
+ #define USB_DEVICE_ID_HANWANG_TABLET_FIRST 0x5000
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -174,6 +174,8 @@ static const struct i2c_hid_quirks {
+ I2C_HID_QUIRK_RESEND_REPORT_DESCR },
+ { USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS10FB_TOUCH,
+ I2C_HID_QUIRK_RESEND_REPORT_DESCR },
++ { I2C_VENDOR_ID_RAYD, I2C_PRODUCT_ID_RAYD_4B33,
++ I2C_HID_QUIRK_RESEND_REPORT_DESCR },
+ { 0, 0 }
+ };
+
--- /dev/null
+From e38c0ac55ee67cf3626cfbc2283f8873dc44d370 Mon Sep 17 00:00:00 2001
+From: Stefan Agner <stefan@agner.ch>
+Date: Tue, 28 Aug 2018 13:29:55 +0200
+Subject: HID: input: fix leaking custom input node name
+
+From: Stefan Agner <stefan@agner.ch>
+
+commit e38c0ac55ee67cf3626cfbc2283f8873dc44d370 upstream.
+
+Make sure to free the custom input node name on disconnect.
+
+Cc: stable@vger.kernel.org # v4.18+
+Fixes: c554bb045511 ("HID: input: append a suffix matching the application")
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-input.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -1812,6 +1812,7 @@ void hidinput_disconnect(struct hid_devi
+ input_unregister_device(hidinput->input);
+ else
+ input_free_device(hidinput->input);
++ kfree(hidinput->name);
+ kfree(hidinput);
+ }
+
--- /dev/null
+From ec6adef5fbc3f140c70e7499fdad818acb3a46c6 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Tue, 4 Sep 2018 15:31:12 +0200
+Subject: HID: multitouch: fix Elan panels with 2 input modes declaration
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit ec6adef5fbc3f140c70e7499fdad818acb3a46c6 upstream.
+
+When implementing commit 7f81c8db5489 ("HID: multitouch: simplify
+the settings of the various features"), I wrongly removed a test
+that made sure we never try to set the second InputMode feature
+to something else than 0.
+
+This broke badly some recent Elan panels that now forget to send the
+click button in some area of the touchpad.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200899
+Fixes: 7f81c8db5489 ("HID: multitouch: simplify the settings of the various features")
+Cc: stable@vger.kernel.org # v4.18+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-multitouch.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -1167,7 +1167,8 @@ static bool mt_need_to_apply_feature(str
+ struct hid_usage *usage,
+ enum latency_mode latency,
+ bool surface_switch,
+- bool button_switch)
++ bool button_switch,
++ bool *inputmode_found)
+ {
+ struct mt_device *td = hid_get_drvdata(hdev);
+ struct mt_class *cls = &td->mtclass;
+@@ -1179,6 +1180,14 @@ static bool mt_need_to_apply_feature(str
+
+ switch (usage->hid) {
+ case HID_DG_INPUTMODE:
++ /*
++ * Some elan panels wrongly declare 2 input mode features,
++ * and silently ignore when we set the value in the second
++ * field. Skip the second feature and hope for the best.
++ */
++ if (*inputmode_found)
++ return false;
++
+ if (cls->quirks & MT_QUIRK_FORCE_GET_FEATURE) {
+ report_len = hid_report_len(report);
+ buf = hid_alloc_report_buf(report, GFP_KERNEL);
+@@ -1194,6 +1203,7 @@ static bool mt_need_to_apply_feature(str
+ }
+
+ field->value[index] = td->inputmode_value;
++ *inputmode_found = true;
+ return true;
+
+ case HID_DG_CONTACTMAX:
+@@ -1231,6 +1241,7 @@ static void mt_set_modes(struct hid_devi
+ struct hid_usage *usage;
+ int i, j;
+ bool update_report;
++ bool inputmode_found = false;
+
+ rep_enum = &hdev->report_enum[HID_FEATURE_REPORT];
+ list_for_each_entry(rep, &rep_enum->report_list, list) {
+@@ -1249,7 +1260,8 @@ static void mt_set_modes(struct hid_devi
+ usage,
+ latency,
+ surface_switch,
+- button_switch))
++ button_switch,
++ &inputmode_found))
+ update_report = true;
+ }
+ }
--- /dev/null
+From 851a15114895c5bce163a6f2d57e0aa4658a1be4 Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+Date: Mon, 3 Sep 2018 11:24:57 +0300
+Subject: i2c: i801: fix DNV's SMBCTRL register offset
+
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+commit 851a15114895c5bce163a6f2d57e0aa4658a1be4 upstream.
+
+DNV's iTCO is slightly different with SMBCTRL sitting at a different
+offset when compared to all other devices. Let's fix so that we can
+properly use iTCO watchdog.
+
+Fixes: 84d7f2ebd70d ("i2c: i801: Add support for Intel DNV")
+Cc: <stable@vger.kernel.org> # v4.4+
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-i801.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -139,6 +139,7 @@
+
+ #define SBREG_BAR 0x10
+ #define SBREG_SMBCTRL 0xc6000c
++#define SBREG_SMBCTRL_DNV 0xcf000c
+
+ /* Host status bits for SMBPCISTS */
+ #define SMBPCISTS_INTS BIT(3)
+@@ -1396,7 +1397,11 @@ static void i801_add_tco(struct i801_pri
+ spin_unlock(&p2sb_spinlock);
+
+ res = &tco_res[ICH_RES_MEM_OFF];
+- res->start = (resource_size_t)base64_addr + SBREG_SMBCTRL;
++ if (pci_dev->device == PCI_DEVICE_ID_INTEL_DNV_SMBUS)
++ res->start = (resource_size_t)base64_addr + SBREG_SMBCTRL_DNV;
++ else
++ res->start = (resource_size_t)base64_addr + SBREG_SMBCTRL;
++
+ res->end = res->start + 3;
+ res->flags = IORESOURCE_MEM;
+
--- /dev/null
+From ae7304c3ea28a3ba47a7a8312c76c654ef24967e Mon Sep 17 00:00:00 2001
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Date: Mon, 3 Sep 2018 15:11:11 +0530
+Subject: i2c: xiic: Make the start and the byte count write atomic
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+
+commit ae7304c3ea28a3ba47a7a8312c76c654ef24967e upstream.
+
+Disable interrupts while configuring the transfer and enable them back.
+
+We have below as the programming sequence
+1. start and slave address
+2. byte count and stop
+
+In some customer platform there was a lot of interrupts between 1 and 2
+and after slave address (around 7 clock cyles) if 2 is not executed
+then the transaction is nacked.
+
+To fix this case make the 2 writes atomic.
+
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+[wsa: added a newline for better readability]
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-xiic.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-xiic.c
++++ b/drivers/i2c/busses/i2c-xiic.c
+@@ -532,6 +532,7 @@ static void xiic_start_recv(struct xiic_
+ {
+ u8 rx_watermark;
+ struct i2c_msg *msg = i2c->rx_msg = i2c->tx_msg;
++ unsigned long flags;
+
+ /* Clear and enable Rx full interrupt. */
+ xiic_irq_clr_en(i2c, XIIC_INTR_RX_FULL_MASK | XIIC_INTR_TX_ERROR_MASK);
+@@ -547,6 +548,7 @@ static void xiic_start_recv(struct xiic_
+ rx_watermark = IIC_RX_FIFO_DEPTH;
+ xiic_setreg8(i2c, XIIC_RFD_REG_OFFSET, rx_watermark - 1);
+
++ local_irq_save(flags);
+ if (!(msg->flags & I2C_M_NOSTART))
+ /* write the address */
+ xiic_setreg16(i2c, XIIC_DTR_REG_OFFSET,
+@@ -556,6 +558,8 @@ static void xiic_start_recv(struct xiic_
+
+ xiic_setreg16(i2c, XIIC_DTR_REG_OFFSET,
+ msg->len | ((i2c->nmsgs == 1) ? XIIC_TX_DYN_STOP_MASK : 0));
++ local_irq_restore(flags);
++
+ if (i2c->nmsgs == 1)
+ /* very last, enable bus not busy as well */
+ xiic_irq_clr_en(i2c, XIIC_INTR_BNB_MASK);
--- /dev/null
+From 694556d54f354d3fe43bb2e61fd6103cca2638a4 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 23 Aug 2018 09:58:27 +0100
+Subject: KVM: arm/arm64: Clean dcache to PoC when changing PTE due to CoW
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 694556d54f354d3fe43bb2e61fd6103cca2638a4 upstream.
+
+When triggering a CoW, we unmap the RO page via an MMU notifier
+(invalidate_range_start), and then populate the new PTE using another
+one (change_pte). In the meantime, we'll have copied the old page
+into the new one.
+
+The problem is that the data for the new page is sitting in the
+cache, and should the guest have an uncached mapping to that page
+(or its MMU off), following accesses will bypass the cache.
+
+In a way, this is similar to what happens on a translation fault:
+We need to clean the page to the PoC before mapping it. So let's just
+do that.
+
+This fixes a KVM unit test regression observed on a HiSilicon platform,
+and subsequently reproduced on Seattle.
+
+Fixes: a9c0e12ebee5 ("KVM: arm/arm64: Only clean the dcache on translation fault")
+Cc: stable@vger.kernel.org # v4.16+
+Reported-by: Mike Galbraith <efault@gmx.de>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/mmu.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/arm/mmu.c
++++ b/virt/kvm/arm/mmu.c
+@@ -1831,13 +1831,20 @@ static int kvm_set_spte_handler(struct k
+ void kvm_set_spte_hva(struct kvm *kvm, unsigned long hva, pte_t pte)
+ {
+ unsigned long end = hva + PAGE_SIZE;
++ kvm_pfn_t pfn = pte_pfn(pte);
+ pte_t stage2_pte;
+
+ if (!kvm->arch.pgd)
+ return;
+
+ trace_kvm_set_spte_hva(hva);
+- stage2_pte = pfn_pte(pte_pfn(pte), PAGE_S2);
++
++ /*
++ * We've moved a page around, probably through CoW, so let's treat it
++ * just like a translation fault and clean the cache to the PoC.
++ */
++ clean_dcache_guest_page(pfn, PAGE_SIZE);
++ stage2_pte = pfn_pte(pfn, PAGE_S2);
+ handle_hva_to_gpa(kvm, hva, end, &kvm_set_spte_handler, &stage2_pte);
+ }
+
--- /dev/null
+From c066fafc595eef5ae3c83ae3a8305956b8c3ef15 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Tue, 14 Aug 2018 20:37:45 +1000
+Subject: KVM: PPC: Book3S HV: Use correct pagesize in kvm_unmap_radix()
+
+From: Paul Mackerras <paulus@ozlabs.org>
+
+commit c066fafc595eef5ae3c83ae3a8305956b8c3ef15 upstream.
+
+Since commit e641a317830b ("KVM: PPC: Book3S HV: Unify dirty page map
+between HPT and radix", 2017-10-26), kvm_unmap_radix() computes the
+number of PAGE_SIZEd pages being unmapped and passes it to
+kvmppc_update_dirty_map(), which expects to be passed the page size
+instead. Consequently it will only mark one system page dirty even
+when a large page (for example a THP page) is being unmapped. The
+consequence of this is that part of the THP page might not get copied
+during live migration, resulting in memory corruption for the guest.
+
+This fixes it by computing and passing the page size in kvm_unmap_radix().
+
+Cc: stable@vger.kernel.org # v4.15+
+Fixes: e641a317830b (KVM: PPC: Book3S HV: Unify dirty page map between HPT and radix)
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_64_mmu_radix.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_64_mmu_radix.c
++++ b/arch/powerpc/kvm/book3s_64_mmu_radix.c
+@@ -738,10 +738,10 @@ int kvm_unmap_radix(struct kvm *kvm, str
+ gpa, shift);
+ kvmppc_radix_tlbie_page(kvm, gpa, shift);
+ if ((old & _PAGE_DIRTY) && memslot->dirty_bitmap) {
+- unsigned long npages = 1;
++ unsigned long psize = PAGE_SIZE;
+ if (shift)
+- npages = 1ul << (shift - PAGE_SHIFT);
+- kvmppc_update_dirty_map(memslot, gfn, npages);
++ psize = 1ul << shift;
++ kvmppc_update_dirty_map(memslot, gfn, psize);
+ }
+ }
+ return 0;
--- /dev/null
+From 204c97245612b6c255edf4e21e24d417c4a0c008 Mon Sep 17 00:00:00 2001
+From: Pierre Morel <pmorel@linux.ibm.com>
+Date: Thu, 23 Aug 2018 12:25:54 +0200
+Subject: KVM: s390: vsie: copy wrapping keys to right place
+
+From: Pierre Morel <pmorel@linux.ibm.com>
+
+commit 204c97245612b6c255edf4e21e24d417c4a0c008 upstream.
+
+Copy the key mask to the right offset inside the shadow CRYCB
+
+Fixes: bbeaa58b3 ("KVM: s390: vsie: support aes dea wrapping keys")
+Signed-off-by: Pierre Morel <pmorel@linux.ibm.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Cc: stable@vger.kernel.org # v4.8+
+Message-Id: <1535019956-23539-2-git-send-email-pmorel@linux.ibm.com>
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/vsie.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/vsie.c
++++ b/arch/s390/kvm/vsie.c
+@@ -173,7 +173,8 @@ static int shadow_crycb(struct kvm_vcpu
+ return set_validity_icpt(scb_s, 0x0039U);
+
+ /* copy only the wrapping keys */
+- if (read_guest_real(vcpu, crycb_addr + 72, &vsie_page->crycb, 56))
++ if (read_guest_real(vcpu, crycb_addr + 72,
++ vsie_page->crycb.dea_wrapping_key_mask, 56))
+ return set_validity_icpt(scb_s, 0x0035U);
+
+ scb_s->ecb3 |= ecb3_flags;
--- /dev/null
+From c4409905cd6eb42cfd06126e9226b0150e05a715 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Thu, 23 Aug 2018 13:56:46 -0700
+Subject: KVM: VMX: Do not allow reexecute_instruction() when skipping MMIO instr
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit c4409905cd6eb42cfd06126e9226b0150e05a715 upstream.
+
+Re-execution after an emulation decode failure is only intended to
+handle a case where two or vCPUs race to write a shadowed page, i.e.
+we should never re-execute an instruction as part of MMIO emulation.
+As handle_ept_misconfig() is only used for MMIO emulation, it should
+pass EMULTYPE_NO_REEXECUTE when using the emulator to skip an instr
+in the fast-MMIO case where VM_EXIT_INSTRUCTION_LEN is invalid.
+
+And because the cr2 value passed to x86_emulate_instruction() is only
+destined for use when retrying or reexecuting, we can simply call
+emulate_instruction().
+
+Fixes: d391f1207067 ("x86/kvm/vmx: do not use vm-exit instruction length
+ for fast MMIO when running nested")
+Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7539,8 +7539,8 @@ static int handle_ept_misconfig(struct k
+ if (!static_cpu_has(X86_FEATURE_HYPERVISOR))
+ return kvm_skip_emulated_instruction(vcpu);
+ else
+- return x86_emulate_instruction(vcpu, gpa, EMULTYPE_SKIP,
+- NULL, 0) == EMULATE_DONE;
++ return emulate_instruction(vcpu, EMULTYPE_SKIP) ==
++ EMULATE_DONE;
+ }
+
+ return kvm_mmu_page_fault(vcpu, gpa, PFERR_RSVD_MASK, NULL, 0);
--- /dev/null
+From 472faffacd9032164f611f56329d0025ddca55b5 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Thu, 23 Aug 2018 13:56:50 -0700
+Subject: KVM: x86: Default to not allowing emulation retry in kvm_mmu_page_fault
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 472faffacd9032164f611f56329d0025ddca55b5 upstream.
+
+Effectively force kvm_mmu_page_fault() to opt-in to allowing retry to
+make it more obvious when and why it allows emulation to be retried.
+Previously this approach was less convenient due to retry and
+re-execute behavior being controlled by separate flags that were also
+inverted in their implementations (opt-in versus opt-out).
+
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mmu.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -4960,7 +4960,7 @@ static int make_mmu_pages_available(stru
+ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code,
+ void *insn, int insn_len)
+ {
+- int r, emulation_type = EMULTYPE_ALLOW_RETRY;
++ int r, emulation_type = 0;
+ enum emulation_result er;
+ bool direct = vcpu->arch.mmu.direct_map;
+
+@@ -4973,10 +4973,8 @@ int kvm_mmu_page_fault(struct kvm_vcpu *
+ r = RET_PF_INVALID;
+ if (unlikely(error_code & PFERR_RSVD_MASK)) {
+ r = handle_mmio_page_fault(vcpu, cr2, direct);
+- if (r == RET_PF_EMULATE) {
+- emulation_type = 0;
++ if (r == RET_PF_EMULATE)
+ goto emulate;
+- }
+ }
+
+ if (r == RET_PF_INVALID) {
+@@ -5003,8 +5001,16 @@ int kvm_mmu_page_fault(struct kvm_vcpu *
+ return 1;
+ }
+
+- if (mmio_info_in_cache(vcpu, cr2, direct))
+- emulation_type = 0;
++ /*
++ * vcpu->arch.mmu.page_fault returned RET_PF_EMULATE, but we can still
++ * optimistically try to just unprotect the page and let the processor
++ * re-execute the instruction that caused the page fault. Do not allow
++ * retrying MMIO emulation, as it's not only pointless but could also
++ * cause us to enter an infinite loop because the processor will keep
++ * faulting on the non-existent MMIO address.
++ */
++ if (!mmio_info_in_cache(vcpu, cr2, direct))
++ emulation_type = EMULTYPE_ALLOW_RETRY;
+ emulate:
+ /*
+ * On AMD platforms, under certain conditions insn_len may be zero on #NPF.
--- /dev/null
+From 6c3dfeb6a48b1562bd5b8ec5f3317ef34d0134ef Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Thu, 23 Aug 2018 13:56:51 -0700
+Subject: KVM: x86: Do not re-{try,execute} after failed emulation in L2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 6c3dfeb6a48b1562bd5b8ec5f3317ef34d0134ef upstream.
+
+Commit a6f177efaa58 ("KVM: Reenter guest after emulation failure if
+due to access to non-mmio address") added reexecute_instruction() to
+handle the scenario where two (or more) vCPUS race to write a shadowed
+page, i.e. reexecute_instruction() is intended to return true if and
+only if the instruction being emulated was accessing a shadowed page.
+As L0 is only explicitly shadowing L1 tables, an emulation failure of
+a nested VM instruction cannot be due to a race to write a shadowed
+page and so should never be re-executed.
+
+This fixes an issue where an "MMIO" emulation failure[1] in L2 is all
+but guaranteed to result in an infinite loop when TDP is enabled.
+Because "cr2" is actually an L2 GPA when TDP is enabled, calling
+kvm_mmu_gva_to_gpa_write() to translate cr2 in the non-direct mapped
+case (L2 is never direct mapped) will almost always yield UNMAPPED_GVA
+and cause reexecute_instruction() to immediately return true. The
+!mmio_info_in_cache() check in kvm_mmu_page_fault() doesn't catch this
+case because mmio_info_in_cache() returns false for a nested MMU (the
+MMIO caching currently handles L1 only, e.g. to cache nested guests'
+GPAs we'd have to manually flush the cache when switching between
+VMs and when L1 updated its page tables controlling the nested guest).
+
+Way back when, commit 68be0803456b ("KVM: x86: never re-execute
+instruction with enabled tdp") changed reexecute_instruction() to
+always return false when using TDP under the assumption that KVM would
+only get into the emulator for MMIO. Commit 95b3cf69bdf8 ("KVM: x86:
+let reexecute_instruction work for tdp") effectively reverted that
+behavior in order to handle the scenario where emulation failed due to
+an access from L1 to the shadow page tables for L2, but it didn't
+account for the case where emulation failed in L2 with TDP enabled.
+
+All of the above logic also applies to retry_instruction(), added by
+commit 1cb3f3ae5a38 ("KVM: x86: retry non-page-table writing
+instructions"). An indefinite loop in retry_instruction() should be
+impossible as it protects against retrying the same instruction over
+and over, but it's still correct to not retry an L2 instruction in
+the first place.
+
+Fix the immediate issue by adding a check for a nested guest when
+determining whether or not to allow retry in kvm_mmu_page_fault().
+In addition to fixing the immediate bug, add WARN_ON_ONCE in the
+retry functions since they are not designed to handle nested cases,
+i.e. they need to be modified even if there is some scenario in the
+future where we want to allow retrying a nested guest.
+
+[1] This issue was encountered after commit 3a2936dedd20 ("kvm: mmu:
+ Don't expose private memslots to L2") changed the page fault path
+ to return KVM_PFN_NOSLOT when translating an L2 access to a
+ prive memslot. Returning KVM_PFN_NOSLOT is semantically correct
+ when we want to hide a memslot from L2, i.e. there effectively is
+ no defined memory region for L2, but it has the unfortunate side
+ effect of making KVM think the GFN is a MMIO page, thus triggering
+ emulation. The failure occurred with in-development code that
+ deliberately exposed a private memslot to L2, which L2 accessed
+ with an instruction that is not emulated by KVM.
+
+Fixes: 95b3cf69bdf8 ("KVM: x86: let reexecute_instruction work for tdp")
+Fixes: 1cb3f3ae5a38 ("KVM: x86: retry non-page-table writing instructions")
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: Jim Mattson <jmattson@google.com>
+Cc: Krish Sadhukhan <krish.sadhukhan@oracle.com>
+Cc: Xiao Guangrong <xiaoguangrong@tencent.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mmu.c | 7 +++++--
+ arch/x86/kvm/x86.c | 6 ++++++
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -5007,9 +5007,12 @@ int kvm_mmu_page_fault(struct kvm_vcpu *
+ * re-execute the instruction that caused the page fault. Do not allow
+ * retrying MMIO emulation, as it's not only pointless but could also
+ * cause us to enter an infinite loop because the processor will keep
+- * faulting on the non-existent MMIO address.
++ * faulting on the non-existent MMIO address. Retrying an instruction
++ * from a nested guest is also pointless and dangerous as we are only
++ * explicitly shadowing L1's page tables, i.e. unprotecting something
++ * for L1 isn't going to magically fix whatever issue cause L2 to fail.
+ */
+- if (!mmio_info_in_cache(vcpu, cr2, direct))
++ if (!mmio_info_in_cache(vcpu, cr2, direct) && !is_guest_mode(vcpu))
+ emulation_type = EMULTYPE_ALLOW_RETRY;
+ emulate:
+ /*
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5813,6 +5813,9 @@ static bool reexecute_instruction(struct
+ if (!(emulation_type & EMULTYPE_ALLOW_RETRY))
+ return false;
+
++ if (WARN_ON_ONCE(is_guest_mode(vcpu)))
++ return false;
++
+ if (!vcpu->arch.mmu.direct_map) {
+ /*
+ * Write permission should be allowed since only
+@@ -5901,6 +5904,9 @@ static bool retry_instruction(struct x86
+ if (!(emulation_type & EMULTYPE_ALLOW_RETRY))
+ return false;
+
++ if (WARN_ON_ONCE(is_guest_mode(vcpu)))
++ return false;
++
+ if (x86_page_table_writing_insn(ctxt))
+ return false;
+
--- /dev/null
+From 8065dbd1ee0ef04321d80da7999b4f0086e0a407 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Thu, 23 Aug 2018 13:56:48 -0700
+Subject: KVM: x86: Invert emulation re-execute behavior to make it opt-in
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 8065dbd1ee0ef04321d80da7999b4f0086e0a407 upstream.
+
+Re-execution of an instruction after emulation decode failure is
+intended to be used only when emulating shadow page accesses. Invert
+the flag to make allowing re-execution opt-in since that behavior is
+by far in the minority.
+
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_host.h | 8 +++-----
+ arch/x86/kvm/mmu.c | 2 +-
+ arch/x86/kvm/x86.c | 2 +-
+ 3 files changed, 5 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1199,7 +1199,7 @@ enum emulation_result {
+ #define EMULTYPE_TRAP_UD (1 << 1)
+ #define EMULTYPE_SKIP (1 << 2)
+ #define EMULTYPE_RETRY (1 << 3)
+-#define EMULTYPE_NO_REEXECUTE (1 << 4)
++#define EMULTYPE_ALLOW_REEXECUTE (1 << 4)
+ #define EMULTYPE_NO_UD_ON_FAIL (1 << 5)
+ #define EMULTYPE_VMWARE (1 << 6)
+ int x86_emulate_instruction(struct kvm_vcpu *vcpu, unsigned long cr2,
+@@ -1208,15 +1208,13 @@ int x86_emulate_instruction(struct kvm_v
+ static inline int emulate_instruction(struct kvm_vcpu *vcpu,
+ int emulation_type)
+ {
+- return x86_emulate_instruction(vcpu, 0,
+- emulation_type | EMULTYPE_NO_REEXECUTE, NULL, 0);
++ return x86_emulate_instruction(vcpu, 0, emulation_type, NULL, 0);
+ }
+
+ static inline int kvm_emulate_instruction_from_buffer(struct kvm_vcpu *vcpu,
+ void *insn, int insn_len)
+ {
+- return x86_emulate_instruction(vcpu, 0, EMULTYPE_NO_REEXECUTE,
+- insn, insn_len);
++ return x86_emulate_instruction(vcpu, 0, 0, insn, insn_len);
+ }
+
+ void kvm_enable_efer_bits(u64);
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -4960,7 +4960,7 @@ static int make_mmu_pages_available(stru
+ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code,
+ void *insn, int insn_len)
+ {
+- int r, emulation_type = EMULTYPE_RETRY;
++ int r, emulation_type = EMULTYPE_RETRY | EMULTYPE_ALLOW_REEXECUTE;
+ enum emulation_result er;
+ bool direct = vcpu->arch.mmu.direct_map;
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5810,7 +5810,7 @@ static bool reexecute_instruction(struct
+ gpa_t gpa = cr2;
+ kvm_pfn_t pfn;
+
+- if (emulation_type & EMULTYPE_NO_REEXECUTE)
++ if (!(emulation_type & EMULTYPE_ALLOW_REEXECUTE))
+ return false;
+
+ if (!vcpu->arch.mmu.direct_map) {
--- /dev/null
+From 384bf2218e96f57118270945b1841e4dbbe9e352 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Thu, 23 Aug 2018 13:56:49 -0700
+Subject: KVM: x86: Merge EMULTYPE_RETRY and EMULTYPE_ALLOW_REEXECUTE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 384bf2218e96f57118270945b1841e4dbbe9e352 upstream.
+
+retry_instruction() and reexecute_instruction() are a package deal,
+i.e. there is no scenario where one is allowed and the other is not.
+Merge their controlling emulation type flags to enforce this in code.
+Name the combined flag EMULTYPE_ALLOW_RETRY to make it abundantly
+clear that we are allowing re{try,execute} to occur, as opposed to
+explicitly requesting retry of a previously failed instruction.
+
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_host.h | 7 +++----
+ arch/x86/kvm/mmu.c | 2 +-
+ arch/x86/kvm/x86.c | 4 ++--
+ 3 files changed, 6 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1198,10 +1198,9 @@ enum emulation_result {
+ #define EMULTYPE_NO_DECODE (1 << 0)
+ #define EMULTYPE_TRAP_UD (1 << 1)
+ #define EMULTYPE_SKIP (1 << 2)
+-#define EMULTYPE_RETRY (1 << 3)
+-#define EMULTYPE_ALLOW_REEXECUTE (1 << 4)
+-#define EMULTYPE_NO_UD_ON_FAIL (1 << 5)
+-#define EMULTYPE_VMWARE (1 << 6)
++#define EMULTYPE_ALLOW_RETRY (1 << 3)
++#define EMULTYPE_NO_UD_ON_FAIL (1 << 4)
++#define EMULTYPE_VMWARE (1 << 5)
+ int x86_emulate_instruction(struct kvm_vcpu *vcpu, unsigned long cr2,
+ int emulation_type, void *insn, int insn_len);
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -4960,7 +4960,7 @@ static int make_mmu_pages_available(stru
+ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code,
+ void *insn, int insn_len)
+ {
+- int r, emulation_type = EMULTYPE_RETRY | EMULTYPE_ALLOW_REEXECUTE;
++ int r, emulation_type = EMULTYPE_ALLOW_RETRY;
+ enum emulation_result er;
+ bool direct = vcpu->arch.mmu.direct_map;
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5810,7 +5810,7 @@ static bool reexecute_instruction(struct
+ gpa_t gpa = cr2;
+ kvm_pfn_t pfn;
+
+- if (!(emulation_type & EMULTYPE_ALLOW_REEXECUTE))
++ if (!(emulation_type & EMULTYPE_ALLOW_RETRY))
+ return false;
+
+ if (!vcpu->arch.mmu.direct_map) {
+@@ -5898,7 +5898,7 @@ static bool retry_instruction(struct x86
+ */
+ vcpu->arch.last_retry_eip = vcpu->arch.last_retry_addr = 0;
+
+- if (!(emulation_type & EMULTYPE_RETRY))
++ if (!(emulation_type & EMULTYPE_ALLOW_RETRY))
+ return false;
+
+ if (x86_page_table_writing_insn(ctxt))
--- /dev/null
+From 35be0aded76b54a24dc8aa678a71bca22273e8d8 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Thu, 23 Aug 2018 13:56:47 -0700
+Subject: KVM: x86: SVM: Set EMULTYPE_NO_REEXECUTE for RSM emulation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 35be0aded76b54a24dc8aa678a71bca22273e8d8 upstream.
+
+Re-execution after an emulation decode failure is only intended to
+handle a case where two or vCPUs race to write a shadowed page, i.e.
+we should never re-execute an instruction as part of RSM emulation.
+
+Add a new helper, kvm_emulate_instruction_from_buffer(), to support
+emulating from a pre-defined buffer. This eliminates the last direct
+call to x86_emulate_instruction() outside of kvm_mmu_page_fault(),
+which means x86_emulate_instruction() can be unexported in a future
+patch.
+
+Fixes: 7607b7174405 ("KVM: SVM: install RSM intercept")
+Cc: Brijesh Singh <brijesh.singh@amd.com>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_host.h | 7 +++++++
+ arch/x86/kvm/svm.c | 4 ++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1212,6 +1212,13 @@ static inline int emulate_instruction(st
+ emulation_type | EMULTYPE_NO_REEXECUTE, NULL, 0);
+ }
+
++static inline int kvm_emulate_instruction_from_buffer(struct kvm_vcpu *vcpu,
++ void *insn, int insn_len)
++{
++ return x86_emulate_instruction(vcpu, 0, EMULTYPE_NO_REEXECUTE,
++ insn, insn_len);
++}
++
+ void kvm_enable_efer_bits(u64);
+ bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer);
+ int kvm_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr);
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3875,8 +3875,8 @@ static int emulate_on_interception(struc
+
+ static int rsm_interception(struct vcpu_svm *svm)
+ {
+- return x86_emulate_instruction(&svm->vcpu, 0, 0,
+- rsm_ins_bytes, 2) == EMULATE_DONE;
++ return kvm_emulate_instruction_from_buffer(&svm->vcpu,
++ rsm_ins_bytes, 2) == EMULATE_DONE;
+ }
+
+ static int rdpmc_interception(struct vcpu_svm *svm)
--- /dev/null
+From 20932750d9c78d307e4f2f18f9c6a32b82b1e0e8 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 20 Aug 2018 13:56:07 +0300
+Subject: mac80211: don't update the PM state of a peer upon a multicast frame
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 20932750d9c78d307e4f2f18f9c6a32b82b1e0e8 upstream.
+
+I changed the way mac80211 updates the PM state of the peer.
+I forgot that we could also have multicast frames from the
+peer and that those frame should of course not change the
+PM state of the peer: A peer goes to power save when it
+needs to scan, but it won't send the broadcast Probe Request
+with the PM bit set.
+
+This made us mark the peer as awake when it wasn't and then
+Intel's firmware would fail to transmit because the peer is
+asleep according to its database. The driver warned about
+this and it looked like this:
+
+ WARNING: CPU: 0 PID: 184 at /usr/src/linux-4.16.14/drivers/net/wireless/intel/iwlwifi/mvm/tx.c:1369 iwl_mvm_rx_tx_cmd+0x53b/0x860
+ CPU: 0 PID: 184 Comm: irq/124-iwlwifi Not tainted 4.16.14 #1
+ RIP: 0010:iwl_mvm_rx_tx_cmd+0x53b/0x860
+ Call Trace:
+ iwl_pcie_rx_handle+0x220/0x880
+ iwl_pcie_irq_handler+0x6c9/0xa20
+ ? irq_forced_thread_fn+0x60/0x60
+ ? irq_thread_dtor+0x90/0x90
+
+The relevant code that spits the WARNING is:
+
+ case TX_STATUS_FAIL_DEST_PS:
+ /* the FW should have stopped the queue and not
+ * return this status
+ */
+ WARN_ON(1);
+ info->flags |= IEEE80211_TX_STAT_TX_FILTERED;
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199967.
+
+Fixes: 9fef65443388 ("mac80211: always update the PM state of a peer on MGMT / DATA frames")
+Cc: <stable@vger.kernel.org> #4.16+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1612,6 +1612,7 @@ ieee80211_rx_h_sta_process(struct ieee80
+ */
+ if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) &&
+ !ieee80211_has_morefrags(hdr->frame_control) &&
++ !is_multicast_ether_addr(hdr->addr1) &&
+ (ieee80211_is_mgmt(hdr->frame_control) ||
+ ieee80211_is_data(hdr->frame_control)) &&
+ !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
--- /dev/null
+From 4e8346d0be889c7ab5eb2d3deedc18111d741e99 Mon Sep 17 00:00:00 2001
+From: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+Date: Tue, 4 Sep 2018 15:46:09 -0700
+Subject: memory_hotplug: fix kernel_panic on offline page processing
+
+From: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+
+commit 4e8346d0be889c7ab5eb2d3deedc18111d741e99 upstream.
+
+Within show_valid_zones() the function test_pages_in_a_zone() should be
+called for online memory blocks only.
+
+Otherwise it might lead to the VM_BUG_ON due to uninitialized struct
+pages (when CONFIG_DEBUG_VM_PGFLAGS kernel option is set):
+
+ page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
+ ------------[ cut here ]------------
+ Call Trace:
+ ([<000000000038f91e>] test_pages_in_a_zone+0xe6/0x168)
+ [<0000000000923472>] show_valid_zones+0x5a/0x1a8
+ [<0000000000900284>] dev_attr_show+0x3c/0x78
+ [<000000000046f6f0>] sysfs_kf_seq_show+0xd0/0x150
+ [<00000000003ef662>] seq_read+0x212/0x4b8
+ [<00000000003bf202>] __vfs_read+0x3a/0x178
+ [<00000000003bf3ca>] vfs_read+0x8a/0x148
+ [<00000000003bfa3a>] ksys_read+0x62/0xb8
+ [<0000000000bc2220>] system_call+0xdc/0x2d8
+
+That VM_BUG_ON was triggered by the page poisoning introduced in
+mm/sparse.c with the git commit d0dc12e86b31 ("mm/memory_hotplug:
+optimize memory hotplug").
+
+With the same commit the new 'nid' field has been added to the struct
+memory_block in order to store and later on derive the node id for
+offline pages (instead of accessing struct page which might be
+uninitialized). But one reference to nid in show_valid_zones() function
+has been overlooked. Fixed with current commit. Also, nr_pages will
+not be used any more after test_pages_in_a_zone() call, do not update
+it.
+
+Link: http://lkml.kernel.org/r/20180828090539.41491-1-zaslonko@linux.ibm.com
+Fixes: d0dc12e86b31 ("mm/memory_hotplug: optimize memory hotplug")
+Signed-off-by: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Pavel Tatashin <pavel.tatashin@microsoft.com>
+Cc: <stable@vger.kernel.org> [4.17+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/memory.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+--- a/drivers/base/memory.c
++++ b/drivers/base/memory.c
+@@ -417,25 +417,23 @@ static ssize_t show_valid_zones(struct d
+ int nid;
+
+ /*
+- * The block contains more than one zone can not be offlined.
+- * This can happen e.g. for ZONE_DMA and ZONE_DMA32
+- */
+- if (!test_pages_in_a_zone(start_pfn, start_pfn + nr_pages, &valid_start_pfn, &valid_end_pfn))
+- return sprintf(buf, "none\n");
+-
+- start_pfn = valid_start_pfn;
+- nr_pages = valid_end_pfn - start_pfn;
+-
+- /*
+ * Check the existing zone. Make sure that we do that only on the
+ * online nodes otherwise the page_zone is not reliable
+ */
+ if (mem->state == MEM_ONLINE) {
++ /*
++ * The block contains more than one zone can not be offlined.
++ * This can happen e.g. for ZONE_DMA and ZONE_DMA32
++ */
++ if (!test_pages_in_a_zone(start_pfn, start_pfn + nr_pages,
++ &valid_start_pfn, &valid_end_pfn))
++ return sprintf(buf, "none\n");
++ start_pfn = valid_start_pfn;
+ strcat(buf, page_zone(pfn_to_page(start_pfn))->name);
+ goto out;
+ }
+
+- nid = pfn_to_nid(start_pfn);
++ nid = mem->nid;
+ default_zone = zone_for_pfn_range(MMOP_ONLINE_KEEP, nid, start_pfn, nr_pages);
+ strcat(buf, default_zone->name);
+
--- /dev/null
+From 0f02cfbc3d9e413d450d8d0fd660077c23f67eff Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Thu, 30 Aug 2018 11:01:21 -0700
+Subject: MIPS: VDSO: Match data page cache colouring when D$ aliases
+
+From: Paul Burton <paul.burton@mips.com>
+
+commit 0f02cfbc3d9e413d450d8d0fd660077c23f67eff upstream.
+
+When a system suffers from dcache aliasing a user program may observe
+stale VDSO data from an aliased cache line. Notably this can break the
+expectation that clock_gettime(CLOCK_MONOTONIC, ...) is, as its name
+suggests, monotonic.
+
+In order to ensure that users observe updates to the VDSO data page as
+intended, align the user mappings of the VDSO data page such that their
+cache colouring matches that of the virtual address range which the
+kernel will use to update the data page - typically its unmapped address
+within kseg0.
+
+This ensures that we don't introduce aliasing cache lines for the VDSO
+data page, and therefore that userland will observe updates without
+requiring cache invalidation.
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Reported-by: Hauke Mehrtens <hauke@hauke-m.de>
+Reported-by: Rene Nielsen <rene.nielsen@microsemi.com>
+Reported-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO")
+Patchwork: https://patchwork.linux-mips.org/patch/20344/
+Tested-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Tested-by: Hauke Mehrtens <hauke@hauke-m.de>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org # v4.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/vdso.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/arch/mips/kernel/vdso.c
++++ b/arch/mips/kernel/vdso.c
+@@ -13,6 +13,7 @@
+ #include <linux/err.h>
+ #include <linux/init.h>
+ #include <linux/ioport.h>
++#include <linux/kernel.h>
+ #include <linux/mm.h>
+ #include <linux/sched.h>
+ #include <linux/slab.h>
+@@ -20,6 +21,7 @@
+
+ #include <asm/abi.h>
+ #include <asm/mips-cps.h>
++#include <asm/page.h>
+ #include <asm/vdso.h>
+
+ /* Kernel-provided data used by the VDSO. */
+@@ -128,12 +130,30 @@ int arch_setup_additional_pages(struct l
+ vvar_size = gic_size + PAGE_SIZE;
+ size = vvar_size + image->size;
+
++ /*
++ * Find a region that's large enough for us to perform the
++ * colour-matching alignment below.
++ */
++ if (cpu_has_dc_aliases)
++ size += shm_align_mask + 1;
++
+ base = get_unmapped_area(NULL, 0, size, 0, 0);
+ if (IS_ERR_VALUE(base)) {
+ ret = base;
+ goto out;
+ }
+
++ /*
++ * If we suffer from dcache aliasing, ensure that the VDSO data page
++ * mapping is coloured the same as the kernel's mapping of that memory.
++ * This ensures that when the kernel updates the VDSO data userland
++ * will observe it without requiring cache invalidations.
++ */
++ if (cpu_has_dc_aliases) {
++ base = __ALIGN_MASK(base, shm_align_mask);
++ base += ((unsigned long)&vdso_data - gic_size) & shm_align_mask;
++ }
++
+ data_addr = base + gic_size;
+ vdso_addr = data_addr + PAGE_SIZE;
+
--- /dev/null
+From 464c7ffbcb164b2e5cebfa406b7fc6cdb7945344 Mon Sep 17 00:00:00 2001
+From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
+Date: Tue, 4 Sep 2018 15:45:59 -0700
+Subject: mm/hugetlb: filter out hugetlb pages if HUGEPAGE migration is not supported.
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+commit 464c7ffbcb164b2e5cebfa406b7fc6cdb7945344 upstream.
+
+When scanning for movable pages, filter out Hugetlb pages if hugepage
+migration is not supported. Without this we hit infinte loop in
+__offline_pages() where we do
+
+ pfn = scan_movable_pages(start_pfn, end_pfn);
+ if (pfn) { /* We have movable pages */
+ ret = do_migrate_range(pfn, end_pfn);
+ goto repeat;
+ }
+
+Fix this by checking hugepage_migration_supported both in
+has_unmovable_pages which is the primary backoff mechanism for page
+offlining and for consistency reasons also into scan_movable_pages
+because it doesn't make any sense to return a pfn to non-migrateable
+huge page.
+
+This issue was revealed by, but not caused by 72b39cfc4d75 ("mm,
+memory_hotplug: do not fail offlining too early").
+
+Link: http://lkml.kernel.org/r/20180824063314.21981-1-aneesh.kumar@linux.ibm.com
+Fixes: 72b39cfc4d75 ("mm, memory_hotplug: do not fail offlining too early")
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Reported-by: Haren Myneni <haren@linux.vnet.ibm.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory_hotplug.c | 3 ++-
+ mm/page_alloc.c | 4 ++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -1341,7 +1341,8 @@ static unsigned long scan_movable_pages(
+ if (__PageMovable(page))
+ return pfn;
+ if (PageHuge(page)) {
+- if (page_huge_active(page))
++ if (hugepage_migration_supported(page_hstate(page)) &&
++ page_huge_active(page))
+ return pfn;
+ else
+ pfn = round_up(pfn + 1,
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -7649,6 +7649,10 @@ bool has_unmovable_pages(struct zone *zo
+ * handle each tail page individually in migration.
+ */
+ if (PageHuge(page)) {
++
++ if (!hugepage_migration_supported(page_hstate(page)))
++ goto unmovable;
++
+ iter = round_up(iter + 1, 1<<compound_order(page)) - 1;
+ continue;
+ }
--- /dev/null
+From bc811f05d77f47059c197a98b6ad242eb03999cb Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 4 Sep 2018 11:52:34 -0600
+Subject: nbd: don't allow invalid blocksize settings
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit bc811f05d77f47059c197a98b6ad242eb03999cb upstream.
+
+syzbot reports a divide-by-zero off the NBD_SET_BLKSIZE ioctl.
+We need proper validation of the input here. Not just if it's
+zero, but also if the value is a power-of-2 and in a valid
+range. Add that.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot <syzbot+25dbecbec1e62c6b0dd4@syzkaller.appspotmail.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/nbd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1239,6 +1239,9 @@ static int __nbd_ioctl(struct block_devi
+ case NBD_SET_SOCK:
+ return nbd_add_socket(nbd, arg, false);
+ case NBD_SET_BLKSIZE:
++ if (!arg || !is_power_of_2(arg) || arg < 512 ||
++ arg > PAGE_SIZE)
++ return -EINVAL;
+ nbd_size_set(nbd, arg,
+ div_s64(config->bytesize, arg));
+ return 0;
--- /dev/null
+From 53e13ee087a80e8d4fc95436318436e5c2c1f8c2 Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Thu, 16 Aug 2018 16:04:05 -0700
+Subject: scsi: lpfc: Correct MDS diag and nvmet configuration
+
+From: James Smart <jsmart2021@gmail.com>
+
+commit 53e13ee087a80e8d4fc95436318436e5c2c1f8c2 upstream.
+
+A recent change added some MDS processing in the lpfc_drain_txq routine
+that relies on the fcp_wq being allocated. For nvmet operation the fcp_wq
+is not allocated because it can only be an nvme-target. When the original
+MDS support was added LS_MDS_LOOPBACK was defined wrong, (0x16) it should
+have been 0x10 (decimal value used for hex setting). This incorrect value
+allowed MDS_LOOPBACK to be set simultaneously with LS_NPIV_FAB_SUPPORTED,
+causing the driver to crash when it accesses the non-existent fcp_wq.
+
+Correct the bad value setting for LS_MDS_LOOPBACK.
+
+Fixes: ae9e28f36a6c ("lpfc: Add MDS Diagnostic support.")
+Cc: <stable@vger.kernel.org> # v4.12+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Tested-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/lpfc/lpfc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/lpfc/lpfc.h
++++ b/drivers/scsi/lpfc/lpfc.h
+@@ -672,7 +672,7 @@ struct lpfc_hba {
+ #define LS_NPIV_FAB_SUPPORTED 0x2 /* Fabric supports NPIV */
+ #define LS_IGNORE_ERATT 0x4 /* intr handler should ignore ERATT */
+ #define LS_MDS_LINK_DOWN 0x8 /* MDS Diagnostics Link Down */
+-#define LS_MDS_LOOPBACK 0x16 /* MDS Diagnostics Link Up (Loopback) */
++#define LS_MDS_LOOPBACK 0x10 /* MDS Diagnostics Link Up (Loopback) */
+
+ uint32_t hba_flag; /* hba generic flags */
+ #define HBA_ERATT_HANDLED 0x1 /* This flag is set when eratt handled */
cifs-connect-to-servername-instead-of-ip-for-ipc-share.patch
btrfs-fix-qgroup_free-wrong-num_bytes-in-btrfs_subvolume_reserve_metadata.patch
btrfs-fix-data-corruption-when-deduplicating-between-different-files.patch
+arm64-kvm-only-force-fpexc32_el2.en-if-trapping-fpsimd.patch
+kvm-arm-arm64-clean-dcache-to-poc-when-changing-pte-due-to-cow.patch
+kvm-ppc-book3s-hv-use-correct-pagesize-in-kvm_unmap_radix.patch
+kvm-s390-vsie-copy-wrapping-keys-to-right-place.patch
+kvm-x86-svm-set-emultype_no_reexecute-for-rsm-emulation.patch
+kvm-vmx-do-not-allow-reexecute_instruction-when-skipping-mmio-instr.patch
+kvm-x86-invert-emulation-re-execute-behavior-to-make-it-opt-in.patch
+kvm-x86-merge-emultype_retry-and-emultype_allow_reexecute.patch
+kvm-x86-default-to-not-allowing-emulation-retry-in-kvm_mmu_page_fault.patch
+kvm-x86-do-not-re-try-execute-after-failed-emulation-in-l2.patch
--- /dev/null
+From 5e19697b56a64004e2d0ff1bb952ea05493c088f Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Mon, 27 Aug 2018 17:04:13 -0500
+Subject: SMB3: Backup intent flag missing for directory opens with backupuid mounts
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 5e19697b56a64004e2d0ff1bb952ea05493c088f upstream.
+
+When "backup intent" is requested on the mount (e.g. backupuid or
+backupgid mount options), the corresponding flag needs to be set
+on opens of directories (and files) but was missing in some
+places causing access denied trying to enumerate and backup
+servers.
+
+Fixes kernel bugzilla #200953
+https://bugzilla.kernel.org/show_bug.cgi?id=200953
+
+Reported-and-tested-by: <whh@rubrik.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/inode.c | 2 ++
+ fs/cifs/smb2ops.c | 25 ++++++++++++++++++++-----
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -469,6 +469,8 @@ cifs_sfu_type(struct cifs_fattr *fattr,
+ oparms.cifs_sb = cifs_sb;
+ oparms.desired_access = GENERIC_READ;
+ oparms.create_options = CREATE_NOT_DIR;
++ if (backup_cred(cifs_sb))
++ oparms.create_options |= CREATE_OPEN_BACKUP_INTENT;
+ oparms.disposition = FILE_OPEN;
+ oparms.path = path;
+ oparms.fid = &fid;
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -626,7 +626,10 @@ smb2_is_path_accessible(const unsigned i
+ oparms.tcon = tcon;
+ oparms.desired_access = FILE_READ_ATTRIBUTES;
+ oparms.disposition = FILE_OPEN;
+- oparms.create_options = 0;
++ if (backup_cred(cifs_sb))
++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT;
++ else
++ oparms.create_options = 0;
+ oparms.fid = &fid;
+ oparms.reconnect = false;
+
+@@ -775,7 +778,10 @@ smb2_query_eas(const unsigned int xid, s
+ oparms.tcon = tcon;
+ oparms.desired_access = FILE_READ_EA;
+ oparms.disposition = FILE_OPEN;
+- oparms.create_options = 0;
++ if (backup_cred(cifs_sb))
++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT;
++ else
++ oparms.create_options = 0;
+ oparms.fid = &fid;
+ oparms.reconnect = false;
+
+@@ -854,7 +860,10 @@ smb2_set_ea(const unsigned int xid, stru
+ oparms.tcon = tcon;
+ oparms.desired_access = FILE_WRITE_EA;
+ oparms.disposition = FILE_OPEN;
+- oparms.create_options = 0;
++ if (backup_cred(cifs_sb))
++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT;
++ else
++ oparms.create_options = 0;
+ oparms.fid = &fid;
+ oparms.reconnect = false;
+
+@@ -1460,7 +1469,10 @@ smb2_query_dir_first(const unsigned int
+ oparms.tcon = tcon;
+ oparms.desired_access = FILE_READ_ATTRIBUTES | FILE_READ_DATA;
+ oparms.disposition = FILE_OPEN;
+- oparms.create_options = 0;
++ if (backup_cred(cifs_sb))
++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT;
++ else
++ oparms.create_options = 0;
+ oparms.fid = fid;
+ oparms.reconnect = false;
+
+@@ -1735,7 +1747,10 @@ smb2_query_symlink(const unsigned int xi
+ oparms.tcon = tcon;
+ oparms.desired_access = FILE_READ_ATTRIBUTES;
+ oparms.disposition = FILE_OPEN;
+- oparms.create_options = 0;
++ if (backup_cred(cifs_sb))
++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT;
++ else
++ oparms.create_options = 0;
+ oparms.fid = &fid;
+ oparms.reconnect = false;
+
--- /dev/null
+From f801568332321e2b1e7a8bd26c3e4913a312a2ec Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Fri, 31 Aug 2018 15:12:10 -0500
+Subject: smb3: check for and properly advertise directory lease support
+
+From: Steve French <stfrench@microsoft.com>
+
+commit f801568332321e2b1e7a8bd26c3e4913a312a2ec upstream.
+
+Although servers will typically ignore unsupported features,
+we should advertise the support for directory leases (as
+Windows e.g. does) in the negotiate protocol capabilities we
+pass to the server, and should check for the server capability
+(CAP_DIRECTORY_LEASING) before sending a lease request for an
+open of a directory. This will prevent us from accidentally
+sending directory leases to SMB2.1 or SMB2 server for example.
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c | 10 +++++-----
+ fs/cifs/smb2pdu.c | 3 +++
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -3478,7 +3478,7 @@ struct smb_version_values smb21_values =
+ struct smb_version_values smb3any_values = {
+ .version_string = SMB3ANY_VERSION_STRING,
+ .protocol_id = SMB302_PROT_ID, /* doesn't matter, send protocol array */
+- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION,
++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK,
+@@ -3499,7 +3499,7 @@ struct smb_version_values smb3any_values
+ struct smb_version_values smbdefault_values = {
+ .version_string = SMBDEFAULT_VERSION_STRING,
+ .protocol_id = SMB302_PROT_ID, /* doesn't matter, send protocol array */
+- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION,
++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK,
+@@ -3520,7 +3520,7 @@ struct smb_version_values smbdefault_val
+ struct smb_version_values smb30_values = {
+ .version_string = SMB30_VERSION_STRING,
+ .protocol_id = SMB30_PROT_ID,
+- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION,
++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK,
+@@ -3541,7 +3541,7 @@ struct smb_version_values smb30_values =
+ struct smb_version_values smb302_values = {
+ .version_string = SMB302_VERSION_STRING,
+ .protocol_id = SMB302_PROT_ID,
+- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION,
++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK,
+@@ -3563,7 +3563,7 @@ struct smb_version_values smb302_values
+ struct smb_version_values smb311_values = {
+ .version_string = SMB311_VERSION_STRING,
+ .protocol_id = SMB311_PROT_ID,
+- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION,
++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK,
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -2179,6 +2179,9 @@ SMB2_open(const unsigned int xid, struct
+ if (!(server->capabilities & SMB2_GLOBAL_CAP_LEASING) ||
+ *oplock == SMB2_OPLOCK_LEVEL_NONE)
+ req->RequestedOplockLevel = *oplock;
++ else if (!(server->capabilities & SMB2_GLOBAL_CAP_DIRECTORY_LEASING) &&
++ (oparms->create_options & CREATE_NOT_FILE))
++ req->RequestedOplockLevel = *oplock; /* no srv lease support */
+ else {
+ rc = add_lease_context(server, iov, &n_iov,
+ oparms->fid->lease_key, oplock);
projects / thirdparty / kernel / stable-queue.git / commitdiff
