commit 128642b28a7de3171541132cf300e33a7a8e5f21
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Mon Aug 6 16:18:22 2018 +0200

    Linux 4.17.13

commit bced7cbdcc36743e357480f067cea89d97c10e3d
Author: Tony Battersby <tonyb@cybernetics.com>
Date:   Thu Jul 12 16:30:45 2018 -0400

    scsi: sg: fix minor memory leak in error path
    
    commit c170e5a8d222537e98aa8d4fddb667ff7a2ee114 upstream.
    
    Fix a minor memory leak when there is an error opening a /dev/sg device.
    
    Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling")
    Cc: <stable@vger.kernel.org>
    Reviewed-by: Ewan D. Milne <emilne@redhat.com>
    Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
    Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9d61d4bdf223006219b182c8e473ae7dc127b74b
Author: Boris Brezillon <boris.brezillon@bootlin.com>
Date:   Tue Jul 24 15:33:00 2018 +0200

    drm/atomic: Initialize variables in drm_atomic_helper_async_check() to make gcc happy
    
    commit de2d8db395c32d121d02871819444b631f73e0b6 upstream.
    
    drm_atomic_helper_async_check() declares the plane, old_plane_state and
    new_plane_state variables to iterate over all planes of the atomic
    state and make sure only one plane is enabled.
    
    Unfortunately gcc is not smart enough to figure out that the check on
    n_planes is enough to guarantee that plane, new_plane_state and
    old_plane_state are initialized.
    
    Explicitly initialize those variables to NULL to make gcc happy.
    
    Fixes: fef9df8b5945 ("drm/atomic: initial support for asynchronous plane update")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
    Reviewed-by: Sean Paul <seanpaul@chromium.org>
    Link: https://patchwork.freedesktop.org/patch/msgid/20180724133300.32023-1-boris.brezillon@bootlin.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3859ebae85c7263a438a8d836e5934d3f31aae93
Author: Boris Brezillon <boris.brezillon@bootlin.com>
Date:   Tue Jul 24 15:32:15 2018 +0200

    drm/atomic: Check old_plane_state->crtc in drm_atomic_helper_async_check()
    
    commit 603ba2dfb338b307aebe95fe344c479a59b3a175 upstream.
    
    Async plane update is supposed to work only when updating the FB or FB
    position of an already enabled plane. That does not apply to requests
    where the plane was previously disabled or assigned to a different
    CRTC.
    
    Check old_plane_state->crtc value to make sure async plane update is
    allowed.
    
    Fixes: fef9df8b5945 ("drm/atomic: initial support for asynchronous plane update")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
    Reviewed-by: Eric Anholt <eric@anholt.net>
    Link: https://patchwork.freedesktop.org/patch/msgid/20180724133215.31917-1-boris.brezillon@bootlin.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 53a1cb1c35dfc0a2b16acd9f9da3459c5da05c3e
Author: Boris Brezillon <boris.brezillon@bootlin.com>
Date:   Tue Jul 24 15:36:01 2018 +0200

    drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats
    
    commit a6a00918d4ad8718c3ccde38c02cec17f116b2fd upstream.
    
    This is needed to ensure ->is_unity is correct when the plane was
    previously configured to output a multi-planar format with scaling
    enabled, and is then being reconfigured to output a uniplanar format.
    
    Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
    Reviewed-by: Eric Anholt <eric@anholt.net>
    Link: https://patchwork.freedesktop.org/patch/msgid/20180724133601.32114-1-boris.brezillon@bootlin.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3f9bc0411d111469f389c02d5048fb02054df58c
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Fri Jul 13 16:12:32 2018 +0800

    crypto: padlock-aes - Fix Nano workaround data corruption
    
    commit 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 upstream.
    
    This was detected by the self-test thanks to Ard's chunking patch.
    
    I finally got around to testing this out on my ancient Via box.  It
    turns out that the workaround got the assembly wrong and we end up
    doing count + initial cycles of the loop instead of just count.
    
    This obviously causes corruption, either by overwriting the source
    that is yet to be processed, or writing over the end of the buffer.
    
    On CPUs that don't require the workaround only ECB is affected.
    On Nano CPUs both ECB and CBC are affected.
    
    This patch fixes it by doing the subtraction prior to the assembly.
    
    Fixes: a76c1c23d0c3 ("crypto: padlock-aes - work around Nano CPU...")
    Cc: <stable@vger.kernel.org>
    Reported-by: Jamie Heilman <jamie@audible.transient.net>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d432f2f0bf992b5f5c46022c72a1ba6eccb2b86a
Author: Jack Morgenstein <jackm@dev.mellanox.co.il>
Date:   Wed Jul 11 11:23:52 2018 +0300

    RDMA/uverbs: Expand primary and alt AV port checks
    
    commit addb8a6559f0f8b5a37582b7ca698358445a55bf upstream.
    
    The commit cited below checked that the port numbers provided in the
    primary and alt AVs are legal.
    
    That is sufficient to prevent a kernel panic. However, it is not
    sufficient for correct operation.
    
    In Linux, AVs (both primary and alt) must be completely self-described.
    We do not accept an AV from userspace without an embedded port number.
    (This has been the case since kernel 3.14 commit dbf727de7440
    ("IB/core: Use GID table in AH creation and dmac resolution")).
    
    For the primary AV, this embedded port number must match the port number
    specified with IB_QP_PORT.
    
    We also expect the port number embedded in the alt AV to match the
    alt_port_num value passed by the userspace driver in the modify_qp command
    base structure.
    
    Add these checks to modify_qp.
    
    Cc: <stable@vger.kernel.org> # 4.16
    Fixes: 5d4c05c3ee36 ("RDMA/uverbs: Sanitize user entered port numbers prior to access it")
    Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
    Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit afda82507fe24703bfb03a65d7d9a440f0049c5c
Author: Rafał Miłecki <rafal@milecki.pl>
Date:   Sun Jul 22 23:46:25 2018 +0200

    brcmfmac: fix regression in parsing NVRAM for multiple devices
    
    commit 299b6365a3b7cf7f5ea1c945a420e9ee4841d6f7 upstream.
    
    NVRAM is designed to work with Broadcom's SDK Linux kernel which fakes
    PCI domain 0 for all internal MMIO devices. Since official Linux kernel
    uses platform devices for that purpose there is a mismatch in numbering
    PCI domains.
    
    There used to be a fix for that problem but it was accidentally dropped
    during the last firmware loading rework. That resulted in brcmfmac not
    being able to extract device specific NVRAM content and all kind of
    calibration problems.
    
    Reported-by: Aditya Xavier <adityaxavier@gmail.com>
    Fixes: 2baa3aaee27f ("brcmfmac: introduce brcmf_fw_alloc_request() function")
    Cc: stable@vger.kernel.org # v4.17+
    Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
    Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b5c014661a4159f7bbbaf583ce3a224dea216484
Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Date:   Tue Jul 17 13:43:56 2018 +0300

    iwlwifi: add more card IDs for 9000 series
    
    commit 0a5257bc6d89c2ae69b9bf955679cb4f89261874 upstream.
    
    Add new device IDs for the 9000 series.
    
    Cc: stable@vger.kernel.org # 4.14
    Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9559dd910cfa7e01667949b700989a17d6283df1
Author: Mike Rapoport <rppt@linux.vnet.ibm.com>
Date:   Thu Aug 2 15:36:09 2018 -0700

    userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails
    
    commit 31e810aa1033a7db50a2746cd34a2432237f6420 upstream.
    
    The fix in commit 0cbb4b4f4c44 ("userfaultfd: clear the
    vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails") cleared the
    vma->vm_userfaultfd_ctx but kept userfaultfd flags in vma->vm_flags
    that were copied from the parent process VMA.
    
    As a result, there is an inconsistency between the values of
    vma->vm_userfaultfd_ctx.ctx and vma->vm_flags which triggers BUG_ON
    in userfaultfd_release().
    
    Clearing the uffd flags from vma->vm_flags in case of UFFD_EVENT_FORK
    failure resolves the issue.
    
    Link: http://lkml.kernel.org/r/1532931975-25473-1-git-send-email-rppt@linux.vnet.ibm.com
    Fixes: 0cbb4b4f4c44 ("userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails")
    Signed-off-by: Mike Rapoport <rppt@linux.vnet.ibm.com>
    Reported-by: syzbot+121be635a7a35ddb7dcb@syzkaller.appspotmail.com
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Eric Biggers <ebiggers3@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 80755071c18c1cf1155fe533c1d0901f894b43ea
Author: Jane Chu <jane.chu@oracle.com>
Date:   Thu Aug 2 15:36:05 2018 -0700

    ipc/shm.c add ->pagesize function to shm_vm_ops
    
    commit eec3636ad198d4ac61e574cb122cb67e9bef5492 upstream.
    
    Commit 05ea88608d4e ("mm, hugetlbfs: introduce ->pagesize() to
    vm_operations_struct") adds a new ->pagesize() function to
    hugetlb_vm_ops, intended to cover all hugetlbfs backed files.
    
    With System V shared memory model, if "huge page" is specified, the
    "shared memory" is backed by hugetlbfs files, but the mappings initiated
    via shmget/shmat have their original vm_ops overwritten with shm_vm_ops,
    so we need to add a ->pagesize function to shm_vm_ops.  Otherwise,
    vma_kernel_pagesize() returns PAGE_SIZE given a hugetlbfs backed vma,
    resulting in the BUG below:
    
      fs/hugetlbfs/inode.c
            443             if (unlikely(page_mapped(page))) {
            444                     BUG_ON(truncate_op);
    
    resulting in
    
      hugetlbfs: oracle (4592): Using mlock ulimits for SHM_HUGETLB is deprecated
      ------------[ cut here ]------------
      kernel BUG at fs/hugetlbfs/inode.c:444!
      Modules linked in: nfsv3 rpcsec_gss_krb5 nfsv4 ...
      CPU: 35 PID: 5583 Comm: oracle_5583_sbt Not tainted 4.14.35-1829.el7uek.x86_64 #2
      RIP: 0010:remove_inode_hugepages+0x3db/0x3e2
      ....
      Call Trace:
        hugetlbfs_evict_inode+0x1e/0x3e
        evict+0xdb/0x1af
        iput+0x1a2/0x1f7
        dentry_unlink_inode+0xc6/0xf0
        __dentry_kill+0xd8/0x18d
        dput+0x1b5/0x1ed
        __fput+0x18b/0x216
        ____fput+0xe/0x10
        task_work_run+0x90/0xa7
        exit_to_usermode_loop+0xdd/0x116
        do_syscall_64+0x187/0x1ae
        entry_SYSCALL_64_after_hwframe+0x150/0x0
    
    [jane.chu@oracle.com: relocate comment]
      Link: http://lkml.kernel.org/r/20180731044831.26036-1-jane.chu@oracle.com
    Link: http://lkml.kernel.org/r/20180727211727.5020-1-jane.chu@oracle.com
    Fixes: 05ea88608d4e13 ("mm, hugetlbfs: introduce ->pagesize() to vm_operations_struct")
    Signed-off-by: Jane Chu <jane.chu@oracle.com>
    Suggested-by: Mike Kravetz <mike.kravetz@oracle.com>
    Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
    Acked-by: Davidlohr Bueso <dave@stgolabs.net>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Cc: Dan Williams <dan.j.williams@intel.com>
    Cc: Jan Kara <jack@suse.cz>
    Cc: Jérôme Glisse <jglisse@redhat.com>
    Cc: Manfred Spraul <manfred@colorfullife.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cbdef783b1a6fa332b6960a6e4c617c7f8a764f9
Author: Yi Wang <wang.yi59@zte.com.cn>
Date:   Wed Jul 25 10:26:19 2018 +0800

    audit: fix potential null dereference 'context->module.name'
    
    commit b305f7ed0f4f494ad6f3ef5667501535d5a8fa31 upstream.
    
    The variable 'context->module.name' may be a null pointer when
    kmalloc returns null, so it's better to check it before using it
    to avoid a null dereference.
    One more thing this patch does is use kstrdup instead of
    (kmalloc + strcpy), and signal a lost record via audit_log_lost.
    
    Cc: stable@vger.kernel.org # 4.11
    Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
    Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
    Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aa0703c2e330692f922fb0a21a32011ce4a4065a
Author: Roman Kagan <rkagan@virtuozzo.com>
Date:   Thu Jul 19 21:59:07 2018 +0300

    kvm: x86: vmx: fix vpid leak
    
    commit 63aff65573d73eb8dda4732ad4ef222dd35e4862 upstream.
    
    VPID for the nested vcpu is allocated at vmx_create_vcpu whenever nested
    vmx is turned on with the module parameter.
    
    However, it's only freed if the L1 guest has executed VMXON which is not
    a given.
    
    As a result, on a system with nested==on every creation+deletion of an
    L1 vcpu without running an L2 guest results in leaking one vpid.  Since
    the total number of vpids is limited to 64k, they can eventually get
    exhausted, preventing L2 from starting.
    
    Delay allocation of the L2 vpid until VMXON emulation, thus matching its
    freeing.
    
    Fixes: 5c614b3583e7b6dab0c86356fa36c2bcbb8322a0
    Cc: stable@vger.kernel.org
    Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6557adc69262f90b3f1ddf3d4f874e203894a246
Author: Andy Lutomirski <luto@kernel.org>
Date:   Sun Jul 22 11:05:09 2018 -0700

    x86/entry/64: Remove %ebx handling from error_entry/exit
    
    commit b3681dd548d06deb2e1573890829dff4b15abf46 upstream.
    
    error_entry and error_exit communicate the user vs. kernel status of
    the frame using %ebx.  This is unnecessary -- the information is in
    regs->cs.  Just use regs->cs.
    
    This makes error_entry simpler and makes error_exit more robust.
    
    It also fixes a nasty bug.  Before all the Spectre nonsense, the
    xen_failsafe_callback entry point returned like this:
    
            ALLOC_PT_GPREGS_ON_STACK
            SAVE_C_REGS
            SAVE_EXTRA_REGS
            ENCODE_FRAME_POINTER
            jmp     error_exit
    
    And it did not go through error_entry.  This was bogus: RBX
    contained garbage, and error_exit expected a flag in RBX.
    
    Fortunately, it generally contained *nonzero* garbage, so the
    correct code path was used.  As part of the Spectre fixes, code was
    added to clear RBX to mitigate certain speculation attacks.  Now,
    depending on kernel configuration, RBX got zeroed and, when running
    some Wine workloads, the kernel crashes.  This was introduced by:
    
        commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
    
    With this patch applied, RBX is no longer needed as a flag, and the
    problem goes away.
    
    I suspect that malicious userspace could use this bug to crash the
    kernel even without the offending patch applied, though.
    
    [ Historical note: I wrote this patch as a cleanup before I was aware
      of the bug it fixed. ]
    
    [ Note to stable maintainers: this should probably get applied to all
      kernels.  If you're nervous about that, a more conservative fix to
      add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
      also fix the problem. ]
    
    Reported-and-tested-by: M. Vefa Bicakci <m.v.b@runbox.com>
    Signed-off-by: Andy Lutomirski <luto@kernel.org>
    Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: Dominik Brodowski <linux@dominikbrodowski.net>
    Cc: Greg KH <gregkh@linuxfoundation.org>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: Juergen Gross <jgross@suse.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Cc: xen-devel@lists.xenproject.org
    Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
    Link: http://lkml.kernel.org/r/b5010a090d3586b2d6e06c7ad3ec5542d1241c45.1532282627.git.luto@kernel.org
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 15265c81886bfd975c1408dc88aeb01281b5deae
Author: Len Brown <len.brown@intel.com>
Date:   Sat Jul 21 17:19:19 2018 -0400

    x86/apic: Future-proof the TSC_DEADLINE quirk for SKX
    
    commit d9e6dbcf28f383bf08e6a3180972f5722e514a54 upstream.
    
    All SKX with stepping higher than 4 support the TSC_DEADLINE,
    no matter the microcode version.
    
    Without this patch, upcoming SKX steppings will not be able to use
    their TSC_DEADLINE timer.
    
    Signed-off-by: Len Brown <len.brown@intel.com>
    Cc: <stable@kernel.org> # v4.14+
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Fixes: 616dd5872e ("x86/apic: Update TSC_DEADLINE quirk with additional SKX stepping")
    Link: http://lkml.kernel.org/r/d0c7129e509660be9ec6b233284b8d42d90659e8.1532207856.git.len.brown@intel.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d17111f7b41fba6f9cd0e3baef1732cae2ca42aa
Author: Brijesh Singh <brijesh.singh@amd.com>
Date:   Fri Jul 20 10:28:46 2018 +0900

    x86/efi: Access EFI MMIO data as unencrypted when SEV is active
    
    commit 9b788f32bee6b0b293a4bdfca4ad4bb0206407fb upstream.
    
    SEV guest fails to update the UEFI runtime variables stored in the
    flash.
    
    The following commit:
    
      1379edd59673 ("x86/efi: Access EFI data as encrypted when SEV is active")
    
    unconditionally maps all the UEFI runtime data as 'encrypted' (C=1).
    
    When SEV is active the UEFI runtime data marked as EFI_MEMORY_MAPPED_IO
    should be mapped as 'unencrypted' so that both guest and hypervisor can
    access the data.
    
    Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
    Cc: <stable@vger.kernel.org> # 4.15.x
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: linux-efi@vger.kernel.org
    Fixes: 1379edd59673 ("x86/efi: Access EFI data as encrypted ...")
    Link: http://lkml.kernel.org/r/20180720012846.23560-2-ard.biesheuvel@linaro.org
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c301e0b0a0f2bb030e70aca196155f3f52dea89d
Author: Jiang Biao <jiang.biao2@zte.com.cn>
Date:   Wed Jul 18 10:29:28 2018 +0800

    virtio_balloon: fix another race between migration and ballooning
    
    commit 89da619bc18d79bca5304724c11d4ba3b67ce2c6 upstream.
    
    Kernel panic under high memory pressure; the calltrace looks like:
    
    PID: 21439 TASK: ffff881be3afedd0 CPU: 16 COMMAND: "java"
     #0 [ffff881ec7ed7630] machine_kexec at ffffffff81059beb
     #1 [ffff881ec7ed7690] __crash_kexec at ffffffff81105942
     #2 [ffff881ec7ed7760] crash_kexec at ffffffff81105a30
     #3 [ffff881ec7ed7778] oops_end at ffffffff816902c8
     #4 [ffff881ec7ed77a0] no_context at ffffffff8167ff46
     #5 [ffff881ec7ed77f0] __bad_area_nosemaphore at ffffffff8167ffdc
     #6 [ffff881ec7ed7838] __node_set at ffffffff81680300
     #7 [ffff881ec7ed7860] __do_page_fault at ffffffff8169320f
     #8 [ffff881ec7ed78c0] do_page_fault at ffffffff816932b5
     #9 [ffff881ec7ed78f0] page_fault at ffffffff8168f4c8
        [exception RIP: _raw_spin_lock_irqsave+47]
        RIP: ffffffff8168edef RSP: ffff881ec7ed79a8 RFLAGS: 00010046
        RAX: 0000000000000246 RBX: ffffea0019740d00 RCX: ffff881ec7ed7fd8
        RDX: 0000000000020000 RSI: 0000000000000016 RDI: 0000000000000008
        RBP: ffff881ec7ed79a8 R8: 0000000000000246 R9: 000000000001a098
        R10: ffff88107ffda000 R11: 0000000000000000 R12: 0000000000000000
        R13: 0000000000000008 R14: ffff881ec7ed7a80 R15: ffff881be3afedd0
        ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
    
    It happens in the pagefault and results in double pagefault
    during compacting pages when memory allocation fails.
    
    Analysing the vmcore, the page that leads to the second pagefault is
    corrupted with _mapcount=-256, but private=0.
    
    It's caused by the race between migration and ballooning, and a
    missing lock in virtballoon_migratepage() of the virtio_balloon driver.
    This patch fixes the bug.
    
    Fixes: e22504296d4f64f ("virtio_balloon: introduce migration primitives to balloon pages")
    Cc: stable@vger.kernel.org
    Signed-off-by: Jiang Biao <jiang.biao2@zte.com.cn>
    Signed-off-by: Huang Chong <huang.chong@zte.com.cn>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 82d0d07a25ebdfebaa2aa3fe713ea6311f5b8669
Author: Jeremy Cline <jcline@redhat.com>
Date:   Fri Jul 27 22:43:02 2018 +0000

    net: socket: Fix potential spectre v1 gadget in sock_is_registered
    
    commit e978de7a6d382ec378830ca2cf38e902df0b6d84 upstream.
    
    'family' can be a user-controlled value, so sanitize it after the bounds
    check to avoid speculative out-of-bounds access.
    
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Jeremy Cline <jcline@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit baaa0eb84e9a6ffba110a9c9d49c216a9fc66bb1
Author: Jeremy Cline <jcline@redhat.com>
Date:   Fri Jul 27 22:43:01 2018 +0000

    net: socket: fix potential spectre v1 gadget in socketcall
    
    commit c8e8cd579bb4265651df8223730105341e61a2d1 upstream.
    
    'call' is a user-controlled value, so sanitize the array index after the
    bounds check to avoid speculating past the bounds of the 'nargs' array.
    
    Found with the help of Smatch:
    
    net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
    'nargs' [r] (local cap)
    
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Jeremy Cline <jcline@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e8445da5dfe0e8cf9fa426dc30061093e66a61bb
Author: Anton Vasilyev <vasilyev@ispras.ru>
Date:   Fri Jul 27 18:50:42 2018 +0300

    can: ems_usb: Fix memory leak on ems_usb_disconnect()
    
    commit 72c05f32f4a5055c9c8fe889bb6903ec959c0aad upstream.
    
    ems_usb_probe() allocates memory for dev->tx_msg_buffer, but it is
    not deallocated in ems_usb_disconnect().
    
    Found by Linux Driver Verification project (linuxtesting.org).
    
    Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ca774ff89f46d42342c9caaa82e50126e6c4c1c6
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Aug 2 08:43:35 2018 -0700

    squashfs: more metadata hardenings
    
    commit 71755ee5350b63fb1f283de8561cdb61b47f4d1d upstream.
    
    The squashfs fragment reading code doesn't actually verify that the
    fragment is inside the fragment table.  The end result _is_ verified to
    be inside the image when actually reading the fragment data, but before
    that is done, we may end up taking a page fault because the fragment
    table itself might not even exist.
    
    Another report from Anatoly and his endless squashfs image fuzzing.
    
    Reported-by: Анатолий Тросиненко <anatoly.trosinenko@gmail.com>
    Acked-by: Phillip Lougher <phillip.lougher@gmail.com>
    Cc: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c14014186eefb612894797ffced49e6141cc1e30
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Mon Jul 30 14:27:15 2018 -0700

    squashfs: more metadata hardening
    
    commit d512584780d3e6a7cacb2f482834849453d444a1 upstream.
    
    Anatoly reports another squashfs fuzzing issue, where the decompression
    parameters themselves are in a compressed block.
    
    This causes squashfs_read_data() to be called in order to read the
    decompression options before the decompression stream having been set
    up, making squashfs go sideways.
    
    Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
    Acked-by: Phillip Lougher <phillip.lougher@gmail.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1c83fc5eeecc322cb7e1b3c05703a3c0f88cfed6
Author: Feras Daoud <ferasda@mellanox.com>
Date:   Sun Jul 15 13:59:36 2018 +0300

    net/mlx5e: IPoIB, Set the netdevice sw mtu in ipoib enhanced flow
    
    [ Upstream commit 8e1d162d8e81838119de18b4ca1e302ce906f2a6 ]
    
    After introduction of the cited commit, mlx5e_build_nic_params
    receives the netdevice mtu in order to set the sw_mtu of mlx5e_params.
    For enhanced IPoIB, the netdevice mtu is not set in this stage,
    therefore, the initial sw_mtu equals zero. As a result, the hw_mtu
    of the receive queue will be calculated incorrectly causing traffic
    issues.
    
    To fix this issue, query for port mtu before building the nic params.
    
    Fixes: 472a1e44b349 ("net/mlx5e: Save MTU in channels params")
    Signed-off-by: Feras Daoud <ferasda@mellanox.com>
    Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
    Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e4cecd1c061143d090ad39cdf06784c36bafd69d
Author: Or Gerlitz <ogerlitz@mellanox.com>
Date:   Thu Jul 19 16:17:00 2018 +0000

    net/mlx5e: Set port trust mode to PCP as default
    
    [ Upstream commit 2e8e70d249e8c5c79bf88bbb36bb68154ab15471 ]
    
    The hairpin offload code has dependency on the trust mode being PCP.
    
    Hence we should set PCP as the default for handling cases where we are
    not allowed to read the trust mode from the FW, or failed to initialize it.
    
    Fixes: 106be53b6b0a ('net/mlx5e: Set per priority hairpin pairs')
    Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
    Reviewed-by: Parav Pandit <parav@mellanox.com>
    Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 60406fbeb48d38b967191e954e368b40de79a00c
Author: Eli Cohen <eli@mellanox.com>
Date:   Mon Jul 16 11:49:27 2018 +0300

    net/mlx5e: E-Switch, Initialize eswitch only if eswitch manager
    
    [ Upstream commit 5f5991f36dce1e69dd8bd7495763eec2e28f08e7 ]
    
    Execute mlx5_eswitch_init() only if we have MLX5_ESWITCH_MANAGER
    capabilities.
    Do the same for mlx5_eswitch_cleanup().
    
    Fixes: a9f7705ffd66 ("net/mlx5: Unify vport manager capability check")
    Signed-off-by: Eli Cohen <eli@mellanox.com>
    Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 528e9fa8184b6f4b0552859eb98f276758c4456f
Author: YueHaibing <yuehaibing@huawei.com>
Date:   Wed Aug 1 13:27:23 2018 +0100

    rxrpc: Fix user call ID check in rxrpc_service_prealloc_one
    
    [ Upstream commit c01f6c9b3207e52fc9973a066a856ddf7a0538d8 ]
    
    This just checks that the user call ID isn't already in use, hence it
    should compare user_call_ID with xcall->user_call_ID, which is the
    current node's user_call_ID.
    
    Fixes: 540b1c48c37a ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
    Suggested-by: David Howells <dhowells@redhat.com>
    Signed-off-by: YueHaibing <yuehaibing@huawei.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6ee47da71bf77d101f3f99a82555098a54d1faf7
Author: Jose Abreu <Jose.Abreu@synopsys.com>
Date:   Tue Jul 31 15:08:20 2018 +0100

    net: stmmac: Fix WoL for PCI-based setups
    
    [ Upstream commit b7d0f08e9129c45ed41bc0cfa8e77067881e45fd ]
    
    WoL won't work in PCI-based setups because we are not saving the PCI EP
    state before entering suspend state and not allowing D3 wake.
    
    Fix this by using a wrapper around stmmac_{suspend/resume} which
    correctly sets the PCI EP state.
    
    Signed-off-by: Jose Abreu <joabreu@synopsys.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: Joao Pinto <jpinto@synopsys.com>
    Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
    Cc: Alexandre Torgue <alexandre.torgue@st.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a927731692c7642767c5cb4f92a5c2e4d7090960
Author: Jeremy Cline <jcline@redhat.com>
Date:   Tue Jul 31 21:13:16 2018 +0000

    netlink: Fix spectre v1 gadget in netlink_create()
    
    [ Upstream commit bc5b6c0b62b932626a135f516a41838c510c6eba ]
    
    'protocol' is a user-controlled value, so sanitize it after the bounds
    check to avoid using it for speculative out-of-bounds access to arrays
    indexed by it.
    
    This addresses the following accesses detected with the help of smatch:
    
    * net/netlink/af_netlink.c:654 __netlink_create() warn: potential
      spectre issue 'nlk_cb_mutex_keys' [w]
    
    * net/netlink/af_netlink.c:654 __netlink_create() warn: potential
      spectre issue 'nlk_cb_mutex_key_strings' [w]
    
    * net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre
      issue 'nl_table' [w] (local cap)
    
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: Jeremy Cline <jcline@redhat.com>
    Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
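
    The three Spectre v1 fixes above (sock_is_registered, socketcall and
    netlink_create) share one pattern: a user-controlled index is bounds
    checked, then clamped so that a mispredicted branch cannot speculatively
    load past the end of the array. The userspace C below is an added
    illustration of that pattern; it is not part of this changelog or of the
    kernel patches. It reproduces the branch-free mask construction of the
    kernel's generic array_index_mask_nospec() under the example's own name
    index_mask_nospec(), and the 'nargs' table, lookup_nargs_unsanitized()
    and lookup_nargs() are constructed stand-ins, not the kernel's code.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Same construction as the kernel's generic array_index_mask_nospec():
 * returns all-ones when index < size and zero otherwise, computed without
 * a branch so the result also holds on a mis-speculated path.
 * (size - 1 - index) wraps to a large value exactly when index >= size,
 * which sets the top bit; ~ and an arithmetic shift turn that into a mask. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Constructed stand-in for a per-call argument-count table, in the spirit
 * of the 'nargs' array the socketcall fix refers to. Values are made up. */
static const unsigned char nargs[] = {
    0, 3, 3, 3, 2, 3, 3, 3, 4, 4, 4, 6, 6, 2, 5, 5, 3, 3, 4, 5, 4
};
#define NARGS_LEN (sizeof(nargs) / sizeof(nargs[0]))

/* Shape before the fix: the bounds check alone. Architecturally correct,
 * but the load can still execute speculatively with an out-of-range index. */
int lookup_nargs_unsanitized(unsigned long call)
{
    if (call >= NARGS_LEN)
        return -1;
    return nargs[call];
}

/* Hardened shape: clamp the index after the bounds check. On the real
 * (architectural) path the mask is all-ones and call is unchanged; on a
 * mispredicted path the mask is zero and the load hits index 0 instead. */
int lookup_nargs(unsigned long call)
{
    if (call >= NARGS_LEN)
        return -1;
    call &= index_mask_nospec(call, NARGS_LEN);
    return nargs[call];
}

int main(void)
{
    unsigned long probes[] = { 0, 1, 20, 21, 1000 };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        unsigned long c = probes[i];
        printf("call=%lu mask=%#lx unsanitized=%d sanitized=%d\n",
               c, index_mask_nospec(c, NARGS_LEN),
               lookup_nargs_unsanitized(c), lookup_nargs(c));
    }
    return 0;
}
```

    The mask relies on the right shift of a negative long being arithmetic,
    which is what gcc and clang do and what the kernel's generic version
    depends on; on x86 the kernel substitutes an inline-asm variant that
    avoids the question entirely.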

commit bfa48dc9a9f95ed2a26e53a06faf06bc1ba8d598
Author: Florian Fainelli <f.fainelli@gmail.com>
Date:   Tue Jul 31 17:12:52 2018 -0700

    net: dsa: Do not suspend/resume closed slave_dev
    
    [ Upstream commit a94c689e6c9e72e722f28339e12dff191ee5a265 ]
    
    If a DSA slave network device was previously disabled, there is no need
    to suspend or resume it.
    
    Fixes: 2446254915a7 ("net: dsa: allow switch drivers to implement suspend/resume hooks")
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 868d277f414298ef7e36281828a189f572d1be6e
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Jul 30 21:50:29 2018 -0700

    ipv4: frags: handle possible skb truesize change
    
    [ Upstream commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 ]
    
    ip_frag_queue() might call pskb_pull() on one skb that
    is already in the fragment queue.
    
    We need to take care of possible truesize change, or we
    might have an imbalance of the netns frags memory usage.
    
    IPv6 is immune to this bug, because RFC5722, Section 4,
    amended by Errata ID 3089 states:
    
      When reassembling an IPv6 datagram, if
      one or more its constituent fragments is determined to be an
      overlapping fragment, the entire datagram (and any constituent
      fragments) MUST be silently discarded.
    
    Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e874d4ea8d2409c3ab94df4c5916579aa29fe7a3
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Jul 30 20:09:11 2018 -0700

    inet: frag: enforce memory limits earlier
    
    [ Upstream commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 ]
    
    We currently check current frags memory usage only when
    a new frag queue is created. This allows attackers to first
    consume the memory budget (default: 4 MB) creating thousands
    of frag queues, then sending tiny skbs to exceed high_thresh
    limit by 2 to 3 orders of magnitude.
    
    Note that before commit 648700f76b03 ("inet: frags: use rhashtables
    for reassembly units"), work queue could be starved under DOS,
    getting no cpu cycles.
    After commit 648700f76b03, only the per frag queue timer can eventually
    remove an incomplete frag queue and its skbs.
    
    Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Jann Horn <jannh@google.com>
    Cc: Florian Westphal <fw@strlen.de>
    Cc: Peter Oskolkov <posk@google.com>
    Cc: Paolo Abeni <pabeni@redhat.com>
    Acked-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
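
Added example, a toy model and not kernel code, covering the two fragment commits above: "ipv4: frags: handle possible skb truesize change" and "inet: frag: enforce memory limits earlier". It keeps a single memory account the way the reassembly code charges skb truesize against high_thresh, then reproduces (a) the imbalance left behind when a queued skb's truesize grows and the difference is not charged, and (b) the budget bypass an attacker gets when the limit is consulted only at queue creation. Only the 4 MB default budget comes from the commit message; the per-queue overhead, the skb truesize, the growth amount and all _demo names are this example's own assumptions.

```c
/* Added example (model, not kernel code) for the two fragment commits
 * above. The 4 MB budget is from the commit message; every other constant
 * and every name ending in _demo is this example's own assumption. */
#include <stdbool.h>
#include <stdio.h>

#define HIGH_THRESH_DEMO    (4UL * 1024 * 1024) /* default high_thresh */
#define QUEUE_OVERHEAD_DEMO 200UL               /* assumed per-queue cost */
#define TINY_TRUESIZE_DEMO  768UL               /* assumed minimal skb truesize */

struct frag_account_demo {
    unsigned long mem;       /* bytes charged, cf. frag_mem_limit() */
    unsigned long nqueues;
    bool check_every_frag;   /* false: pre-fix, limit checked only on queue creation */
};

/* (b) Charge one fragment. Pre-fix the budget is consulted only when a new
 * queue is opened; the fixed policy consults it for every fragment. */
static bool frag_add_demo(struct frag_account_demo *a, bool new_queue,
                          unsigned long truesize)
{
    if (a->mem > HIGH_THRESH_DEMO && (new_queue || a->check_every_frag))
        return false;
    if (new_queue) {
        a->nqueues++;
        a->mem += QUEUE_OVERHEAD_DEMO;
    }
    a->mem += truesize;
    return true;
}

/* The attack from the commit message: open queues until one is refused,
 * then keep feeding tiny fragments to the queues already open.
 * Returns the bytes charged when the attacker stops or is first refused. */
static unsigned long frag_flood_demo(bool fixed, unsigned long extra_per_queue)
{
    struct frag_account_demo a = { .check_every_frag = fixed };
    unsigned long opened = 0;

    while (frag_add_demo(&a, true, TINY_TRUESIZE_DEMO))
        opened++;
    for (unsigned long i = 0; i < extra_per_queue; i++)
        for (unsigned long q = 0; q < opened; q++)
            if (!frag_add_demo(&a, false, TINY_TRUESIZE_DEMO))
                return a.mem;
    return a.mem;
}

/* (a) An skb already charged to a queue is pulled and its head reallocated,
 * so its truesize grows (512 bytes is an assumed figure). Teardown releases
 * each skb at its current truesize, so the balance must come back to 0;
 * without charging the delta the account is left 512 bytes short, which in
 * the kernel is a permanently skewed per-netns counter. */
static long truesize_change_demo(bool charge_delta)
{
    struct frag_account_demo a = { 0 };
    unsigned long truesize = TINY_TRUESIZE_DEMO;
    unsigned long grown = truesize + 512;

    frag_add_demo(&a, true, truesize);      /* enqueued and charged at 768 */
    if (charge_delta)
        a.mem += grown - truesize;          /* charge the difference */
    truesize = grown;
    return (long)a.mem - (long)truesize - (long)QUEUE_OVERHEAD_DEMO;
}

int main(void)
{
    printf("budget %lu bytes\n", HIGH_THRESH_DEMO);
    printf("pre-fix flood charges %lu bytes\n", frag_flood_demo(false, 100));
    printf("fixed flood charges   %lu bytes\n", frag_flood_demo(true, 100));
    printf("truesize growth, delta charged: balance %ld\n", truesize_change_demo(true));
    printf("truesize growth, delta ignored: balance %ld\n", truesize_change_demo(false));
    return 0;
}
```

With these constants the pre-fix flood opens 4333 queues and then charges roughly 80 times the budget with only 100 extra tiny fragments per queue, while the fixed policy stops at the first fragment over the limit; the exact multiplier depends on the assumed sizes, not on the policy.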

commit e611b8fdde06b343b7573a292a4f297c2bf30fe7
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Jul 31 06:30:54 2018 -0700

    bonding: avoid lockdep confusion in bond_get_stats()
    
    [ Upstream commit 7e2556e40026a1b0c16f37446ab398d5a5a892e4 ]
    
    syzbot found that the following sequence produces a LOCKDEP splat [1]
    
    ip link add bond10 type bond
    ip link add bond11 type bond
    ip link set bond11 master bond10
    
    To fix this, we can use the already provided nest_level.
    
    This patch also provides correct nesting for dev->addr_list_lock
    
    [1]
    WARNING: possible recursive locking detected
    4.18.0-rc6+ #167 Not tainted
    --------------------------------------------
    syz-executor751/4439 is trying to acquire lock:
    (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
    (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
    
    but task is already holding lock:
    (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
    (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
    
    other info that might help us debug this:
     Possible unsafe locking scenario:
    
           CPU0
           ----
      lock(&(&bond->stats_lock)->rlock);
      lock(&(&bond->stats_lock)->rlock);
    
     *** DEADLOCK ***
    
     May be due to missing lock nesting notation
    
    3 locks held by syz-executor751/4439:
     #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:77
     #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
     #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
     #2: (____ptrval____) (rcu_read_lock){....}, at: bond_get_stats+0x0/0x560 include/linux/compiler.h:215
    
    stack backtrace:
    CPU: 0 PID: 4439 Comm: syz-executor751 Not tainted 4.18.0-rc6+ #167
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
     print_deadlock_bug kernel/locking/lockdep.c:1765 [inline]
     check_deadlock kernel/locking/lockdep.c:1809 [inline]
     validate_chain kernel/locking/lockdep.c:2405 [inline]
     __lock_acquire.cold.64+0x1fb/0x486 kernel/locking/lockdep.c:3435
     lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
     __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
     _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
     spin_lock include/linux/spinlock.h:310 [inline]
     bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
     dev_get_stats+0x10f/0x470 net/core/dev.c:8316
     bond_get_stats+0x232/0x560 drivers/net/bonding/bond_main.c:3432
     dev_get_stats+0x10f/0x470 net/core/dev.c:8316
     rtnl_fill_stats+0x4d/0xac0 net/core/rtnetlink.c:1169
     rtnl_fill_ifinfo+0x1aa6/0x3fb0 net/core/rtnetlink.c:1611
     rtmsg_ifinfo_build_skb+0xc8/0x190 net/core/rtnetlink.c:3268
     rtmsg_ifinfo_event.part.30+0x45/0xe0 net/core/rtnetlink.c:3300
     rtmsg_ifinfo_event net/core/rtnetlink.c:3297 [inline]
     rtnetlink_event+0x144/0x170 net/core/rtnetlink.c:4716
     notifier_call_chain+0x180/0x390 kernel/notifier.c:93
     __raw_notifier_call_chain kernel/notifier.c:394 [inline]
     raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
     call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735
     call_netdevice_notifiers net/core/dev.c:1753 [inline]
     netdev_features_change net/core/dev.c:1321 [inline]
     netdev_change_features+0xb3/0x110 net/core/dev.c:7759
     bond_compute_features.isra.47+0x585/0xa50 drivers/net/bonding/bond_main.c:1120
     bond_enslave+0x1b25/0x5da0 drivers/net/bonding/bond_main.c:1755
     bond_do_ioctl+0x7cb/0xae0 drivers/net/bonding/bond_main.c:3528
     dev_ifsioc+0x43c/0xb30 net/core/dev_ioctl.c:327
     dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:493
     sock_do_ioctl+0x1d3/0x3e0 net/socket.c:992
     sock_ioctl+0x30d/0x680 net/socket.c:1093
     vfs_ioctl fs/ioctl.c:46 [inline]
     file_ioctl fs/ioctl.c:500 [inline]
     do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
     ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
     __do_sys_ioctl fs/ioctl.c:708 [inline]
     __se_sys_ioctl fs/ioctl.c:706 [inline]
     __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
     do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
     entry_SYSCALL_64_after_hwframe+0x49/0xbe
    RIP: 0033:0x440859
    Code: e8 2c af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007ffc51a92878 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440859
    RDX: 0000000020000040 RSI: 0000000000008990 RDI: 0000000000000003
    RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
    R10: 00000000022d5880 R11: 0000000000000213 R12: 0000000000007390
    R13: 0000000000401db0 R14: 0000000000000000 R15: 0000000000000000
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Jay Vosburgh <j.vosburgh@gmail.com>
    Cc: Veaceslav Falico <vfalico@gmail.com>
    Cc: Andy Gospodarek <andy@greyhouse.net>
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>