Randomly cannot start Containers with "Clean up Error! Cannot destroy container" "mkdir ...-init/merged/dev/shm: invalid argument" #22937

Open
KekSfabrik opened this Issue May 24, 2016 · 21 comments

KekSfabrik commented May 24, 2016

Output of docker version:

# docker version
Client:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Tue Apr 26 23:30:23 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Tue Apr 26 23:30:23 2016
 OS/Arch:      linux/amd64

Output of docker info:

# docker info
Containers: 4
 Running: 3
 Paused: 0
 Stopped: 1
Images: 20
Server Version: 1.11.1
Storage Driver: overlay
 Backing Filesystem: xfs
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: null host bridge
Kernel Version: 3.19.0-39-generic
Operating System: Ubuntu 14.04.4 LTS
OSType: linux
Architecture: x86_64
CPUs: 24
Total Memory: 94.29 GiB
Name: srv-0
ID: IDQ4:CJPJ:HFBJ:FGEP:XDNE:N5I6:VTZQ:O7LB:7EGT:MSAT:RAZK:74FH
Docker Root Dir: /data/docker/mnt
Debug mode (client): false
Debug mode (server): false
Username: keks
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Labels:
 my.company.environment=prod
 my.company.storage=hdd
 my.company.gateway=true
 my.company.name=srv-0
Cluster store: consul://192.168.10.1:8500
Cluster advertise: 192.168.10.1:2375

The running images are consul, gliderlabs/registrator and swarm:1.2.2

Additional environment details (AWS, VirtualBox, physical, etc.):
physical (hardware -> ubuntu 14.04.4 -> docker)

Steps to reproduce the issue:

  1. docker run ubuntu:precise

Describe the results you received:
I set up the daemon on new machines to use a non-default graph directory (--graph option) among other things (only bound to local network etc):

DOCKER_OPTS="\
-H                  unix:///var/run/docker.sock \
-H                  tcp://192.168.10.1:2375 \
--storage-driver    overlay \
--cluster-store     consul://192.168.10.1:8500 \
--cluster-advertise 192.168.10.1:2375 \
--dns               192.168.10.1 \
--dns               127.0.0.1 \
--dns-search        service.consul \
--graph             /data/docker/mnt \
--ip                192.168.10.1 \
--label             my.company.environment=prod \
--label             my.company.storage=hdd \
--label             my.company.gateway=true \
--label             my.company.name=srv-0 \
--log-driver        json-file \
--log-opt           max-size=10m \
--log-opt           max-file=9 \
"

Apparently some Images "randomly" work and then don't - in this example I tried (re-)running an ubuntu image (which worked about 30min ago):

root@srv-0:/data/docker/bootstrap# docker run --rm -it alpine sh # there, alpine works
/ # ^C
root@srv-0:/data/docker/bootstrap# docker run --rm -it ubuntu # yet ubuntu somehow doesn't
docker: Error response from daemon: mkdir /data/docker/mnt/overlay/646f16d12c8b5060f8a9e65a5fdabcf3604a108dc6a1d8c0497f7f2689e47e4a-init/merged/dev/shm: invalid argument.
See 'docker run --help'.
root@srv-0:/data/docker/bootstrap# tail -n 2 /var/log/upstart/docker.log
time="2016-05-24T11:40:06.625413479+02:00" level=error msg="Clean up Error! Cannot destroy container ffbcc96da1d9611a8d200e094bac3f12319360fa439f5105953160e5be64cb36: No such container: ffbcc96da1d9611a8d200e094bac3f12319360fa439f5105953160e5be64cb36" 
time="2016-05-24T11:40:06.625465100+02:00" level=error msg="Handler for POST /v1.23/containers/create returned error: mkdir /data/docker/mnt/overlay/646f16d12c8b5060f8a9e65a5fdabcf3604a108dc6a1d8c0497f7f2689e47e4a-init/merged/dev/shm: invalid argument" 
root@srv-0:/data/docker/bootstrap# ll -h /data/docker/mnt/
total 28K
drwx--x--x   9 root root  131 May 23 08:30 ./
drwxr-xr-x  11 root root 4.0K May 23 08:12 ../
drwx------   5 root root 4.0K May 24 11:49 containers/
drwx------   3 root root   28 May 23 08:30 image/
drwxr-x---   3 root root   26 May 23 08:30 network/
drwx------ 133 root root  12K May 24 11:49 overlay/
drwx------   2 root root   10 May 24 11:22 tmp/
drwx------   2 root root   10 May 23 08:30 trust/
drwx------   4 root root 4.0K May 23 12:32 volumes/

The configuration is about the same on all 3 boxes (IPs are different obviously) and they all show the same symptoms (one of the boxes has no internet access and is only on the 192.168.10.0/24 network with the other 2 - I put the images on there using docker save <images> | ssh docker load). Like this on another machine:

root@srv-2:/data/docker/bootstrap# docker run --rm -it ubuntu:latest
root@b031c7a80b8d:/# exit
root@srv-2:/data/docker/bootstrap# docker run --rm -it ubuntu:trusty
docker: Error response from daemon: mkdir /data/docker/mnt/overlay/e37098a0043c2bd200b919c4cd466a1cfe98a03865b08be82efa215e32e92196-init/merged/dev/shm: invalid argument.
See 'docker run --help'.

Describe the results you expected:
A Container starting..

Additional information you deem important (e.g. issue happens only occasionally):
I have a big chain of images all based on my (modification/addon FROM ubuntu:trusty) ubuntu image - I re-built the entire chain yesterday so all images (ntp, squid, java-base and its descendants tomcat & karaf, postgresql, rabbitmq, redis, mongodb, ...) share the layers of my ubuntu base - I pushed that to my private registry (registry:2.3). My first instinct when I failed to run anything earlier today was to think I cocked up somewhere along that path but a docker run ubuntu:trusty (layers "Already exists") failed while a newly pulled ubuntu:latest didn't - so my next thought was that maybe the official trusty image was b0rked?
However I can run either image on any other daemon (including one with the same 14.04.4 ubuntu, the same 3.19.0-39-generic kernel and overlay settings but in the default graph directory) so I'm guessing there's either some bug in the graph dir change (however there's still a single subfolder with a socket in /var/lib/docker/network/files/.sock that was apparently generated (either by compose or the daemon))
df -h and df -i report there's plenty of space (1% in use on everything but /boot), the host fs is ext4 (ubuntu) and the partition used for graphdir is xfs and is an LVM partition.

Contributor

HackToday commented May 26, 2016

I can confirm it can be reproduced, and I also mentioned it on #22771, but it seems not to have gotten any attention.

Member

thaJeztah commented May 26, 2016

Error looks similar to #20640

@HackToday your comment on #22771 didn't get attention, because it was not related to the actual issue reported there.

aGGre55or commented Jun 16, 2016

Everything is completely the same

# docker version

Client:
 Version:      1.11.2
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   b9f10c9
 Built:        Wed Jun  1 21:23:11 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.2
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   b9f10c9
 Built:        Wed Jun  1 21:23:11 2016
 OS/Arch:      linux/amd64

# docker info

Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 1
Server Version: 1.11.2
Storage Driver: overlay
 Backing Filesystem: xfs
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge null host
Kernel Version: 4.6.2-1.el7.elrepo.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 23.55 GiB
Name: srv-docker
ID: L7PV:MJZR:MWAB:COXJ:IOEW:NH3O:RS4Y:GH72:SK4K:5QYS:NH2H:PRVE
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): false
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

docker build -t bld/java .

Sending build context to Docker daemon  5.12 kB
Step 1 : FROM alpine:3.3
 ---> 184352182c50
Step 2 : MAINTAINER offer4job@outlook.com
error creating overlay mount to /var/lib/docker/overlay/0b5d2d3fd7de6109403f0984fd65b5eb67b5b2ed9132e3a99799bbe49a682d94-init/merged: invalid argument

docker 1.11.2 with overlay storage doesn't work in CentOS 7.2.1511 :(((((((((((

Member

thaJeztah commented Jun 16, 2016

@aGGre55or if you have a system to test on; Docker 1.12 will add a new "overlay2" driver, that fixes some of the limitations of the current overlay driver (but requires Kernel 4.0); #22126

The first release candidate for docker 1.12 is now available (see https://github.com/docker/docker/releases, or https://test.docker.com); interested to hear if the new driver resolves this issue

Contributor

HackToday commented Jun 17, 2016

@thaJeztah I suggest, if possible, to debug the root issue here. I agree overlay2 is better, but overlay failing here seems not a good idea. 🚶

buster commented Jun 20, 2016

I have the same issue here:

Server Version: 1.12.0-rc2
Storage Driver: overlay2

Also not working with overlay driver.
Kernel is 4.6.0-1-amd64 #1 SMP Debian 4.6.1-1 (2016-06-06) x86_64 GNU/Linux.

tj13 commented Jun 29, 2016

Met the same issue on docker 1.10.3.

#docker version

Client:
 Version:      1.10.3
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   20f81dd
 Built:        Thu Mar 10 15:39:25 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.10.3
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   20f81dd
 Built:        Thu Mar 10 15:39:25 2016
 OS/Arch:      linux/amd64
# docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 2
Server Version: 1.10.3
Storage Driver: overlay
 Backing Filesystem: xfs
Execution Driver: native-0.2
Logging Driver: json-file
Plugins: 
 Volume: local
 Network: null host bridge
Kernel Version: 4.6.2-1.el7.elrepo.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.858 GiB
Name: centosdev04.sit.caijj.net
ID: QINT:J7RX:ZZBH:VBSY:DVU3:LQFD:JLW7:GGHG:2G4S:GMXW:MFLL:WPXG
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
#uname -a
Linux centosdev04.sit.caijj.net 4.6.2-1.el7.elrepo.x86_64 #1 SMP Wed Jun 8 14:49:20 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
# docker run -m 100m --restart=always --volume=/:/rootfs:ro --volume=/var/run:/var/run:rw --volume=/sys:/sys:ro --volume=/var/lib/docker/:/var/lib/docker:ro --publish=9014:8080 --detach=true --name=cadvisor --privileged=true google/cadvisor
docker: Error response from daemon: error creating overlay mount to /var/lib/docker/overlay/2a02eefe4a9a4f3a5a05b2a246781a0b391b8108e41de899bd7e3206c4725e75-init/merged: invalid argument.
See 'docker run --help'.

Member

thaJeztah commented Jun 29, 2016

@dmcgowan perhaps you have ideas?

Member

dmcgowan commented Jun 29, 2016

I will try and set up an environment and test it out. The initial issue just appeared to be an xfs support issue since it was using 3.19.0-39-generic. The later issues are also xfs but getting a different message on a newer centos kernel; I will see if I can track down what is going on since we pointed to the rhel instructions to only use xfs in #10294.

buster commented Jun 30, 2016

I have had this problem for a few days, and I think it is related to this: http://www.gossamer-threads.com/lists/linux/kernel/2439708

Unfortunately, I have XFS and the ftype is 0 by default.
And changing this would require reformatting all machines running docker.

Any idea how to solve this?

My system is running Debian with Kernel 4.6.0-1-amd64

Member

thaJeztah commented Jun 30, 2016

ping @rhvgoyal I see you were on that discussion that @buster linked above

Contributor

rhvgoyal commented Jun 30, 2016

If your xfs was built with d_type=0, one will have to rebuild it. Don't know of any workaround. Having said that, this issue does not seem to be d_type related to me.

Member

dmcgowan commented Jun 30, 2016

Thanks @rhvgoyal and @buster for the extra information. Adding the kernel flag.

I was able to test and confirm this works with 4.5 and not with 4.6 with ftype=0 on xfs.
See my test script here https://gist.github.com/dmcgowan/f01445186e59d19381d3bc7ca0c5324c.

Results

4.6.3-1-ARCH

  • mkfs -t xfs -m crc=0 -n ftype=0 -f /dev/loop0

    docker: Error response from daemon: error creating overlay mount to /tmp/tmp.8MfbWfl0lN/overlay/5b597886628faa4323251a510a571036ebafaa23e39775ac1965dbe7b01bd529-init/merged: invalid argument.

    and in dmesg

    overlayfs: upper fs needs to support d_type.
  • mkfs -t xfs -f /dev/loop0

    Run works fine

4.5.3-1-ARCH

  • mkfs -t xfs -m crc=0 -n ftype=0 -f /dev/loop0

    Run works fine

buster commented Jul 1, 2016

I am confused since I was using docker just fine for months (with XFS) and suddenly it stops working and the only fix is to reformat the whole system? Especially since this is the default setting when creating XFS.
Are there other alternatives than overlayfs for Debian+XFS?

Member

thaJeztah commented Jul 1, 2016

@buster have you always run on the same kernel version?

buster commented Jul 1, 2016

@thaJeztah nope, Debian updated the Kernel version a few days ago

The question is:
Will every server which used ftype=0 with XFS (which apparently is default) have a broken docker installation with Linux 4.16 and no way to fix it?

Contributor

rhvgoyal commented Jul 1, 2016

overlay is not supported with ftype=0. Thing is that we did not detect this and allowed this configuration and now we are detecting this and failing mounting.

But that has this side effect of breaking existing users. Though existing configuration itself is bad and whiteouts can become visible.

Contributor

rhvgoyal commented Jul 1, 2016

Maybe we should detect this bad configuration during mount and warn about it instead of failing mounting and that should allow existing configurations to work after upgrade.

Contributor

rhvgoyal commented Jul 1, 2016

Ok, proposed a patch upstream to warn instead of error out if d_type is not supported.

http://marc.info/?l=linux-fsdevel&m=146738177911913&w=2

torvalds pushed a commit to torvalds/linux that referenced this issue Jul 3, 2016

ovl: warn instead of error if d_type is not supported
overlay needs underlying fs to support d_type. Recently I put in a
patch in to detect this condition and started failing mount if
underlying fs did not support d_type.

But this breaks existing configurations over kernel upgrade. Those who
are running docker (partially broken configuration) with xfs not
supporting d_type, are surprised that after kernel upgrade docker does
not run anymore.

moby/moby#22937 (comment)

So instead of erroring out, detect broken configuration and warn
about it. This should allow existing docker setups to continue
working after kernel upgrade.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 45aebea ("ovl: Ensure upper filesystem supports d_type")
Cc: <stable@vger.kernel.org> 4.6

scrapenbump pushed a commit to linux-scraping/linux-grsecurity that referenced this issue Jul 7, 2016

grsec: Apply grsecurity-3.1-4.6.3-201607062159.patch
commit c94fbc6f47fdae9a2dcf29d3048c8da8752dbbdf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 6 21:11:33 2016 -0400

    compile fix

 arch/x86/mm/init_32.c | 1 -
 1 file changed, 1 deletion(-)

commit ee4f4cdd26864ac40ac22b4a3b88f284a6d057d0
Author: Miklos Szeredi <mszeredi@redhat.com>
Date:   Wed Jun 29 16:03:55 2016 +0200

    ovl: get_write_access() in truncate

    When truncating a file we should check write access on the underlying
    inode.  And we should do so on the lower file as well (before copy-up) for
    consistency.

    Original patch and test case by Aihua Zhang.

     - - >o >o - - test.c - - >o >o - -
    #include <stdio.h>
    #include <errno.h>
    #include <unistd.h>

    int main(int argc, char *argv[])
    {
    	int ret;

    	ret = truncate(argv[0], 4096);
    	if (ret != -1) {
    		fprintf(stderr, "truncate(argv[0]) should have failed\n");
    		return 1;
    	}
    	if (errno != ETXTBSY) {
    		perror("truncate(argv[0])");
    		return 1;
    	}

    	return 0;
    }
     - - >o >o - - >o >o - - >o >o - -

    Reported-by: Aihua Zhang <zhangaihua1@huawei.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Cc: <stable@vger.kernel.org>

 fs/overlayfs/inode.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

commit 4585d082282707fbe91025c987bd8cef4152196d
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Fri Jul 1 10:02:44 2016 -0400

    ovl: warn instead of error if d_type is not supported

    overlay needs underlying fs to support d_type. Recently I put in a
    patch in to detect this condition and started failing mount if
    underlying fs did not support d_type.

    But this breaks existing configurations over kernel upgrade. Those who
    are running docker (partially broken configuration) with xfs not
    supporting d_type, are surprised that after kernel upgrade docker does
    not run anymore.

    moby/moby#22937 (comment)

    So instead of erroring out, detect broken configuration and warn
    about it. This should allow existing docker setups to continue
    working after kernel upgrade.

    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Fixes: 45aebea ("ovl: Ensure upper filesystem supports d_type")
    Cc: <stable@vger.kernel.org> 4.6

 fs/overlayfs/super.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

commit 97bb95801d1ce86dafd1a59483803aba5b93e7c0
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Wed Jul 6 16:06:53 2016 -0700

    init/Kconfig: keep Expert users menu together

    The "expert" menu was broken (split) such that all entries in it after
    KALLSYMS were displayed in the "General setup" area instead of in the
    "Expert users" area.  Fix this by adding one kconfig dependency.

    Yes, the Expert users menu is fragile.  Problems like this have happened
    several times in the past.  I will attempt to isolate the Expert users
    menu if there is interest in that.

    Fixes: 4d5d566 ("x86: kallsyms: disable absolute percpu symbols on !SMP")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Cc: stable@vger.kernel.org  # 4.6
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 init/Kconfig | 1 +
 1 file changed, 1 insertion(+)

commit 616a19ea32197667494240e8afc0de98d28fdd47
Merge: 769cc1b 98d6186
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 6 20:41:51 2016 -0400

    Merge branch 'pax-test' into grsec-test

commit 98d61867ac6a18500bbd9771678138154869cec3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 6 20:29:35 2016 -0400

    Update to pax-linux-4.6.3-test10.patch:
    - fixed a size overflow false positive in xfrm4_beet_output and xfrm6_beet_output, by Mathias Krause <minipli@ld-linux.so>
    - fixed UEFI boot regression under KERNEXEC, reported by Yves-Alexis Perez <corsac@corsac.net> and x14sg1 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4502)
    - fixed a few constification related compile errors on arm/mips, by spender
    - updated the size overflow hash table from grsecurity
    - fixed an integer truncation bug in __ioremap_caller caught by the size overflow plugin

 arch/arm/mach-mmp/mmp2.c                           |   4 +-
 arch/arm/mach-mmp/pxa910.c                         |   4 +-
 arch/arm/mach-s3c64xx/mach-smdk6410.c              |   2 +-
 arch/arm/mm/fault.c                                |   2 +-
 arch/x86/include/asm/efi.h                         |   5 +
 arch/x86/include/asm/pgtable.h                     |   2 +-
 arch/x86/mm/dump_pagetables.c                      |  32 +++-
 arch/x86/mm/init_32.c                              |  55 +++---
 arch/x86/mm/init_64.c                              |  12 +-
 arch/x86/mm/ioremap.c                              |   2 +-
 arch/x86/mm/pageattr.c                             |   2 +-
 drivers/gpu/drm/sti/sti_cursor.c                   |   4 +-
 drivers/gpu/drm/sti/sti_dvo.c                      |   4 +-
 drivers/gpu/drm/sti/sti_gdp.c                      |  12 +-
 drivers/gpu/drm/sti/sti_hdmi.c                     |   4 +-
 drivers/gpu/drm/sti/sti_mixer.c                    |   8 +-
 drivers/gpu/drm/sti/sti_vid.c                      |   4 +-
 drivers/irqchip/irq-mmp.c                          |   2 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c          |   2 +-
 include/linux/irqchip/mmp.h                        |   2 +-
 net/ipv4/xfrm4_mode_beet.c                         |   2 +-
 net/ipv6/xfrm6_mode_beet.c                         |   2 +-
 .../size_overflow_plugin/size_overflow_hash.data   | 203 +++++++++++++++++----
 23 files changed, 280 insertions(+), 91 deletions(-)

commit 769cc1b850f164d9fd9284898295eb616896d66b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 6 20:08:29 2016 -0400

    Fix bug in RBAC learning reported by Andrew Flannery
    Nolog/noaudit-type capability checks were handled in a separate
    function which did not check if the requestor had the capability in
    their effective set.  This would cause privileged processes to be
    denied use of their capabilities in the small number of instances
    these kinds of checks were used (for ptrace_may_access() etc, which
    get used in deciding if privileged processes can bypass /proc
    restrictions) only when RBAC learning was enabled on the process.

    Remove some code duplication in the process of fixing the bug.

 grsecurity/gracl_cap.c      | 49 +++++++++------------------------------------
 grsecurity/grsec_disabled.c |  2 +-
 grsecurity/grsec_exec.c     |  9 ++++-----
 include/linux/grsecurity.h  |  4 ++--
 kernel/capability.c         |  2 +-
 kernel/sys.c                |  4 ++--
 6 files changed, 19 insertions(+), 51 deletions(-)

Signature-tree: e1cd148d0ba4f5ea8eb33c5048f7cb085ea528de

Whissi pushed a commit to Whissi/linux-stable that referenced this issue Jul 27, 2016

ovl: warn instead of error if d_type is not supported
commit e7c0b59 upstream.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 45aebea ("ovl: Ensure upper filesystem supports d_type")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

kongzizaixian pushed a commit to kongzizaixian/kernel that referenced this issue Aug 27, 2016

ovl: warn instead of error if d_type is not supported

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 45aebea ("ovl: Ensure upper filesystem supports d_type")
Cc: <stable@vger.kernel.org> 4.6

fatg1988 commented Nov 1, 2017

docker version
Client:
Version: 17.04.0-ce
API version: 1.28
Go version: go1.7.5
Git commit: 4845c56
Built: Wed Apr 5 23:33:17 2017
OS/Arch: linux/amd64

Server:
Version: 17.04.0-ce
API version: 1.28 (minimum version 1.12)
Go version: go1.7.5
Git commit: 4845c56
Built: Wed Apr 5 23:33:17 2017
OS/Arch: linux/amd64
Experimental: false

docker info
Containers: 33
Running: 26
Paused: 0
Stopped: 7
Images: 30
Server Version: 17.04.0-ce
Storage Driver: overlay
Backing Filesystem: extfs
Supports d_type: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary:
containerd version: 422e31ce907fd9c3833a38d7b8fdd023e5a76e73
runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
init version: 949e6fa
Security Options:
seccomp
Profile: default
Kernel Version: 3.10.0-229.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 31.11GiB
Name: xxx
ID: xxx
Docker Root Dir: /da/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

docker run -d --privileged=true --name gitlab-runner --restart always gitlab/gitlab-runner
docker: Error response from daemon: mkdir /da/docker/overlay/10bca507f5a9eeb31dd438b4afb44eddcefbd8b6c14fd72be21959c610ba4ea0-init/merged/dev/shm: invalid argument.

Member

thaJeztah commented Nov 1, 2017

@fatg1988 you are running an outdated version of Docker (17.04 has reached end-of-life), and based on the kernel version, a version of CentOS that's no longer supported as well (CentOS uses a rolling release model, and CentOS 7.4 is the current release, and the only version that's supported).

For RHEL and CentOS, only XFS as a backing system is supported;

The RHEL release notes mention this; https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html

Only XFS is currently supported for use as a lower layer file system.
...
Note that XFS file systems must be created with the -n ftype=1 option enabled for use as an overlay. With the rootfs and any file systems created during system installation, set the --mkfsoptions=-n ftype=1 parameters in the Anaconda kickstart. When creating a new file system after the installation, run the # mkfs -t xfs -n ftype=1 /PATH/TO/DEVICE command. To determine whether an existing file system is eligible for use as an overlay, run the # xfs_info /PATH/TO/DEVICE | grep ftype command to see if the ftype=1 option is enabled.
..
Note that OverlayFS provides a restricted set of the POSIX standards. Test your application thoroughly before deploying it with OverlayFS.

If you cannot update your system or switch to another backing filesystem, you may want to use device mapper as an alternative; see the documentation about using device mapper as a storage driver.
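
The xfs_info check quoted above only covers XFS. As an added example (not code from this thread, from Docker or from the kernel), the following C program probes any directory for the d_type support that overlay needs, by creating a scratch entry and reading it back with readdir(). The function name probe_d_type, the scratch directory name and the default path taken from the Docker Root Dir shown earlier are assumptions made for the example.

```c
/* Added example: userspace probe for directory-entry type (d_type) support. */
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Returns  1 if the filesystem holding `dir` fills in d_type,
 *          0 if readdir() reports DT_UNKNOWN for a real entry
 *            (the behaviour discussed above for xfs with ftype=0),
 *         -1 on error, with errno set.
 * `dir` must be writable: a scratch directory is created and removed in it.
 */
int probe_d_type(const char *dir)
{
    char scratch[PATH_MAX];
    char child[PATH_MAX + 8];
    struct dirent *e;
    DIR *d = NULL;
    int verdict = -1;
    int saved_errno;
    int n;

    n = snprintf(scratch, sizeof scratch, "%s/.dtype-probe-XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof scratch) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdtemp(scratch) == NULL)
        return -1;

    /* One known entry whose type (directory) the filesystem should report. */
    snprintf(child, sizeof child, "%s/entry", scratch);
    if (mkdir(child, 0700) != 0)
        goto remove_scratch;

    d = opendir(scratch);
    if (d == NULL)
        goto remove_child;

    errno = 0;
    while ((e = readdir(d)) != NULL) {
        /* "." and ".." are skipped: they may be reported as DT_DIR even
         * on a filesystem that leaves d_type unset for real entries. */
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        verdict = (e->d_type != DT_UNKNOWN) ? 1 : 0;
        break;
    }
    if (verdict == -1 && errno == 0)
        errno = EIO; /* the entry we created was not listed */

    saved_errno = errno;
    closedir(d);
    errno = saved_errno;

remove_child:
    saved_errno = errno;
    rmdir(child);
    errno = saved_errno;

remove_scratch:
    saved_errno = errno;
    rmdir(scratch);
    errno = saved_errno;
    return verdict;
}

int main(int argc, char *argv[])
{
    /* Default path is an assumption: the stock Docker root directory. */
    const char *dir = (argc > 1) ? argv[1] : "/var/lib/docker";
    int v = probe_d_type(dir);

    if (v < 0) {
        perror(dir);
        return 2;
    }
    printf("%s: d_type %s\n", dir,
           v ? "supported" : "NOT supported (unsuitable as an overlay upper/lower dir)");
    return v ? 0 : 1;
}
```

Run it as root against the graph directory before a kernel upgrade; exit status 1 means the backing filesystem needs to be recreated (for XFS, with -n ftype=1) or a different storage driver chosen.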

woodsts pushed a commit to woodsts/linux-stable that referenced this issue Aug 28, 2018

ovl: warn instead of error if d_type is not supported
commit e7c0b59 upstream.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 45aebea ("ovl: Ensure upper filesystem supports d_type")
Cc: <stable@vger.kernel.org> 4.6
Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

freeza-inc added a commit to freeza-inc/beastmode-honor-view-10 that referenced this issue Aug 28, 2018

ovl: warn instead of error if d_type is not supported
commit e7c0b5991dd1be7b6f6dc2b54a15a0f47b64b007 upstream.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 45aebeaf4f67 ("ovl: Ensure upper filesystem supports d_type")
Cc: <stable@vger.kernel.org> 4.6
Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

moepda added a commit to moepda/android_kernel_huawei_berkeley that referenced this issue Aug 28, 2018

ovl: warn instead of error if d_type is not supported
commit e7c0b5991dd1be7b6f6dc2b54a15a0f47b64b007 upstream.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 45aebeaf4f67 ("ovl: Ensure upper filesystem supports d_type")
Cc: <stable@vger.kernel.org> 4.6
Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Alucard24 added a commit to Alucard24/Alucard-Kernel-cheeseburger that referenced this issue Aug 29, 2018

ovl: warn instead of error if d_type is not supported
commit e7c0b5991dd1be7b6f6dc2b54a15a0f47b64b007 upstream.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 45aebeaf4f67 ("ovl: Ensure upper filesystem supports d_type")
Cc: <stable@vger.kernel.org> 4.6
Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Panchajanya1999 added a commit to Panchajanya1999/kernel_asus_x00t that referenced this issue Aug 31, 2018

Linux 4.4.153
commit c16ef725a0c7050d2a3c5da67c6c05823aa288f7
Merge: 652328badee4 fac62a66d1e5
Author: Panchajanya1999 <rsk52959@gmail.com>
Date:   Fri Aug 31 22:19:07 2018 +0530

    LA.UM.6.2.r2-05400-sdm660.0

    "LA.UM.6.2.r2-05400-sdm660.0"

    Signed-off-by: Panchajanya1999 <rsk52959@gmail.com>

commit 652328badee4547a26892f418d9dfdfd70ba20f0
Merge: d2984282d176 577189c37a84
Author: Panchajanya1999 <rsk52959@gmail.com>
Date:   Fri Aug 31 22:07:44 2018 +0530

    Merge tag 'v4.4.153' of https://kernel.googlesource.com/pub/scm/linux/kernel/git/stable/linux-stable into kernel.lnx.4.4.r27-rel

    This is the 4.4.153 stable release

commit fac62a66d1e5161c97e9011a0c04620597146131
Merge: e93ece5130b8 0dd9616f840f
Author: Linux Build Service Account <lnxbuild@localhost>
Date:   Tue Aug 28 05:05:10 2018 -0700

    Merge 0dd9616f840f8a1141d27dcfdd3327ac92beb43c on remote branch

    Change-Id: I2b93dc60e67e24f1dec1de10380cf70b595ef788

commit 577189c37a844243359afce1c3c94418259fe696
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Aug 28 07:23:44 2018 +0200

    Linux 4.4.153

commit 7eaa995c75bd23b57163541c3285a2c984018b7e
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Fri Jul 1 10:02:44 2016 -0400

    ovl: warn instead of error if d_type is not supported

    commit e7c0b5991dd1be7b6f6dc2b54a15a0f47b64b007 upstream.

    overlay needs underlying fs to support d_type. Recently I put in a
    patch in to detect this condition and started failing mount if
    underlying fs did not support d_type.

    But this breaks existing configurations over kernel upgrade. Those who
    are running docker (partially broken configuration) with xfs not
    supporting d_type, are surprised that after kernel upgrade docker does
    not run anymore.

    https://github.com/docker/docker/issues/22937#issuecomment-229881315

    So instead of erroring out, detect broken configuration and warn
    about it. This should allow existing docker setups to continue
    working after kernel upgrade.

    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Fixes: 45aebeaf4f67 ("ovl: Ensure upper filesystem supports d_type")
    Cc: <stable@vger.kernel.org> 4.6
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0f9a6d88cd9f3b16a86639bd652202fe27096b18
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Fri May 20 09:04:26 2016 -0400

    ovl: Do d_type check only if work dir creation was successful

    commit 21765194cecf2e4514ad75244df459f188140a0f upstream.

    d_type check requires successful creation of workdir as iterates
    through work dir and expects work dir to be present in it. If that's
    not the case, this check will always return d_type not supported even
    if underlying filesystem might be supporting it.

    So don't do this check if work dir creation failed in previous step.

    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d5e678942de33a5d8545a8b7c825eb93b57be1a9
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Mon Feb 22 09:28:34 2016 -0500

    ovl: Ensure upper filesystem supports d_type

    commit 45aebeaf4f67468f76bedf62923a576a519a9b68 upstream.

    In some instances xfs has been created with ftype=0 and there if a file
    on lower fs is removed, overlay leaves a whiteout in upper fs but that
    whiteout does not get filtered out and is visible to overlayfs users.

    And reason it does not get filtered out because upper filesystem does
    not report file type of whiteout as DT_CHR during iterate_dir().

    So it seems to be a requirement that upper filesystem support d_type for
    overlayfs to work properly. Do this check during mount and fail if d_type
    is not supported.

    Suggested-by: Dave Chinner <dchinner@redhat.com>
    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f9866720724db8a163cf305fc907cdab0b38fa09
Author: Eric Biggers <ebiggers@google.com>
Date:   Thu Aug 24 10:50:29 2017 -0700

    x86/mm: Fix use-after-free of ldt_struct

    commit ccd5b3235180eef3cfec337df1c8554ab151b5cc upstream.

    The following commit:

      39a0526fb3f7 ("x86/mm: Factor out LDT init from context init")

    renamed init_new_context() to init_new_context_ldt() and added a new
    init_new_context() which calls init_new_context_ldt().  However, the
    error code of init_new_context_ldt() was ignored.  Consequently, if a
    memory allocation in alloc_ldt_struct() failed during a fork(), the
    ->context.ldt of the new task remained the same as that of the old task
    (due to the memcpy() in dup_mm()).  ldt_struct's are not intended to be
    shared, so a use-after-free occurred after one task exited.

    Fix the bug by making init_new_context() pass through the error code of
    init_new_context_ldt().

    This bug was found by syzkaller, which encountered the following splat:

        BUG: KASAN: use-after-free in free_ldt_struct.part.2+0x10a/0x150 arch/x86/kernel/ldt.c:116
        Read of size 4 at addr ffff88006d2cb7c8 by task kworker/u9:0/3710

        CPU: 1 PID: 3710 Comm: kworker/u9:0 Not tainted 4.13.0-rc4-next-20170811 #2
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Call Trace:
         __dump_stack lib/dump_stack.c:16 [inline]
         dump_stack+0x194/0x257 lib/dump_stack.c:52
         print_address_description+0x73/0x250 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351 [inline]
         kasan_report+0x24e/0x340 mm/kasan/report.c:409
         __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
         free_ldt_struct.part.2+0x10a/0x150 arch/x86/kernel/ldt.c:116
         free_ldt_struct arch/x86/kernel/ldt.c:173 [inline]
         destroy_context_ldt+0x60/0x80 arch/x86/kernel/ldt.c:171
         destroy_context arch/x86/include/asm/mmu_context.h:157 [inline]
         __mmdrop+0xe9/0x530 kernel/fork.c:889
         mmdrop include/linux/sched/mm.h:42 [inline]
         exec_mmap fs/exec.c:1061 [inline]
         flush_old_exec+0x173c/0x1ff0 fs/exec.c:1291
         load_elf_binary+0x81f/0x4ba0 fs/binfmt_elf.c:855
         search_binary_handler+0x142/0x6b0 fs/exec.c:1652
         exec_binprm fs/exec.c:1694 [inline]
         do_execveat_common.isra.33+0x1746/0x22e0 fs/exec.c:1816
         do_execve+0x31/0x40 fs/exec.c:1860
         call_usermodehelper_exec_async+0x457/0x8f0 kernel/umh.c:100
         ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

        Allocated by task 3700:
         save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459 [inline]
         kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
         kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3627
         kmalloc include/linux/slab.h:493 [inline]
         alloc_ldt_struct+0x52/0x140 arch/x86/kernel/ldt.c:67
         write_ldt+0x7b7/0xab0 arch/x86/kernel/ldt.c:277
         sys_modify_ldt+0x1ef/0x240 arch/x86/kernel/ldt.c:307
         entry_SYSCALL_64_fastpath+0x1f/0xbe

        Freed by task 3700:
         save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459 [inline]
         kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
         __cache_free mm/slab.c:3503 [inline]
         kfree+0xca/0x250 mm/slab.c:3820
         free_ldt_struct.part.2+0xdd/0x150 arch/x86/kernel/ldt.c:121
         free_ldt_struct arch/x86/kernel/ldt.c:173 [inline]
         destroy_context_ldt+0x60/0x80 arch/x86/kernel/ldt.c:171
         destroy_context arch/x86/include/asm/mmu_context.h:157 [inline]
         __mmdrop+0xe9/0x530 kernel/fork.c:889
         mmdrop include/linux/sched/mm.h:42 [inline]
         __mmput kernel/fork.c:916 [inline]
         mmput+0x541/0x6e0 kernel/fork.c:927
         copy_process.part.36+0x22e1/0x4af0 kernel/fork.c:1931
         copy_process kernel/fork.c:1546 [inline]
         _do_fork+0x1ef/0xfb0 kernel/fork.c:2025
         SYSC_clone kernel/fork.c:2135 [inline]
         SyS_clone+0x37/0x50 kernel/fork.c:2129
         do_syscall_64+0x26c/0x8c0 arch/x86/entry/common.c:287
         return_from_SYSCALL_64+0x0/0x7a

    Here is a C reproducer:

        #include <asm/ldt.h>
        #include <pthread.h>
        #include <signal.h>
        #include <stdlib.h>
        #include <sys/syscall.h>
        #include <sys/wait.h>
        #include <unistd.h>

        static void *fork_thread(void *_arg)
        {
            fork();
        }

        int main(void)
        {
            struct user_desc desc = { .entry_number = 8191 };

            syscall(__NR_modify_ldt, 1, &desc, sizeof(desc));

            for (;;) {
                if (fork() == 0) {
                    pthread_t t;

                    srand(getpid());
                    pthread_create(&t, NULL, fork_thread, NULL);
                    usleep(rand() % 10000);
                    syscall(__NR_exit_group, 0);
                }
                wait(NULL);
            }
        }

    Note: the reproducer takes advantage of the fact that alloc_ldt_struct()
    may use vmalloc() to allocate a large ->entries array, and after
    commit:

      5d17a73a2ebe ("vmalloc: back off when the current task is killed")

    it is possible for userspace to fail a task's vmalloc() by
    sending a fatal signal, e.g. via exit_group().  It would be more
    difficult to reproduce this bug on kernels without that commit.

    This bug only affected kernels with CONFIG_MODIFY_LDT_SYSCALL=y.

    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: <stable@vger.kernel.org> [v4.6+]
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Michal Hocko <mhocko@suse.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: linux-mm@kvack.org
    Fixes: 39a0526fb3f7 ("x86/mm: Factor out LDT init from context init")
    Link: http://lkml.kernel.org/r/20170824175029.76040-1-ebiggers3@gmail.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit adaba23ccd7d1625942f2c27612d2b416c87e011
Author: Andi Kleen <ak@linux.intel.com>
Date:   Sat Aug 25 06:50:15 2018 -0700

    x86/mm/pat: Fix L1TF stable backport for CPA

    Patch for stable only to fix boot resets caused by the L1TF patches.

    Stable trees reverted the following patch

    Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers"

        This reverts commit 87e2bd898d3a79a8c609f183180adac47879a2a4 which is
        commit edc3b9129cecd0f0857112136f5b8b1bc1d45918 upstream.

    but the L1TF patch backported here

       x86/mm/pat: Make set_memory_np() L1TF safe

        commit 958f79b9ee55dfaf00c8106ed1c22a2919e0028b upstream

        set_memory_np() is used to mark kernel mappings not present, but it has
        its own open coded mechanism which does not have the L1TF protection of
        inverting the address bits.

    assumed that cpa->pfn contains a PFN. With the above patch reverted
    it does not, which causes the PMD to be set to an incorrect address
    shifted by 12 bits, which can cause early boot reset on some
    systems, like an Apollo Lake embedded system.

    Convert the address to a PFN before passing it to pmd_pfn()

    Thanks to Bernhard for bisecting and testing.

    Cc: stable@vger.kernel.org # 4.4 and 4.9
    Reported-by: Bernhard Kaindl <bernhard.kaindl@thalesgroup.com>
    Tested-by: Bernhard Kaindl <bernhard.kaindl@thalesgroup.com>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0dd9616f840f8a1141d27dcfdd3327ac92beb43c
Merge: 8246047d7e10 4ec0fb834b8a
Author: Linux Build Service Account <lnxbuild@localhost>
Date:   Fri Aug 24 11:58:27 2018 -0700

    Merge "nsfs: mark dentry with DCACHE_RCUACCESS"

commit 8246047d7e10b48f1a9ba2e36cf3c9a50e1ed203
Merge: 9086ce1f9b91 14c5f82252fa
Author: Linux Build Service Account <lnxbuild@localhost>
Date:   Fri Aug 24 11:58:26 2018 -0700

    Merge "drivers: qcom: lpm-stats: Fix undefined access error"

commit 9086ce1f9b919321188d81c101641845038ed121
Merge: 65723387463e bbe4e2fcc658
Author: Gerrit - the friendly Code Review server <code-review@localhost>
Date:   Fri Aug 24 11:23:31 2018 -0700

    Merge changes  into msm-4.4.c7

commit d2984282d176a6aaaee1257441955e438a18bf70
Merge: 806df71ee347 0c73169690eb
Author: Panchajanya1999 <rsk52959@gmail.com>
Date:   Fri Aug 24 23:20:31 2018 +0530

    Merge tag 'v4.4.152' of https://kernel.googlesource.com/pub/scm/linux/kernel/git/stable/linux-stable into kernel.lnx.4.4.r27-rel

    This is the 4.4.152 stable release

    Signed-off-by: Panchajanya1999 <rsk52959@gmail.com>

commit 0c73169690eb1d7d6f72a128a010bd84343e503a
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Aug 24 13:27:02 2018 +0200

    Linux 4.4.152

commit 712254045c02edf3dc21714337a23bf361d0c5ee
Author: Jann Horn <jannh@google.com>
Date:   Tue Aug 21 21:59:37 2018 -0700

    reiserfs: fix broken xattr handling (heap corruption, bad retval)

    commit a13f085d111e90469faf2d9965eb39b11c114d7e upstream.

    This fixes the following issues:

    - When a buffer size is supplied to reiserfs_listxattr() such that each
      individual name fits, but the concatenation of all names doesn't fit,
      reiserfs_listxattr() overflows the supplied buffer.  This leads to a
      kernel heap overflow (verified using KASAN) followed by an out-of-bounds
      usercopy and is therefore a security bug.

    - When a buffer size is supplied to reiserfs_listxattr() such that a
      name doesn't fit, -ERANGE should be returned.  But reiserfs instead just
      truncates the list of names; I have verified that if the only xattr on a
      file has a longer name than the supplied buffer length, listxattr()
      incorrectly returns zero.

    With my patch applied, -ERANGE is returned in both cases and the memory
    corruption doesn't happen anymore.

    Credit for making me clean this code up a bit goes to Al Viro, who pointed
    out that the ->actor calling convention is suboptimal and should be
    changed.

    Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
    Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers")
    Signed-off-by: Jann Horn <jannh@google.com>
    Acked-by: Jeff Mahoney <jeffm@suse.com>
    Cc: Eric Biggers <ebiggers@google.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6e57e6c67fd4b568b180fdbd5c14043d39fe6cda
Author: Esben Haabendal <eha@deif.com>
Date:   Thu Aug 16 10:43:12 2018 +0200

    i2c: imx: Fix race condition in dma read

    commit bed4ff1ed4d8f2ef5007c5c6ae1b29c5677a3632 upstream.

    This fixes a race condition, where the DMAEN bit ends up being set after
    I2C slave has transmitted a byte following the dummy read.  When that
    happens, an interrupt is generated instead, and no DMA request is generated
    to kickstart the DMA read, and a timeout happens after DMA_TIMEOUT (1 sec).

    Fixed by setting the DMAEN bit before the dummy read.

    Signed-off-by: Esben Haabendal <eha@deif.com>
    Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Cc: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 131412f4f6f52b72c3a099c9cdac5d9c6034c76c
Author: Lukas Wunner <lukas@wunner.de>
Date:   Thu Jul 19 17:27:32 2018 -0500

    PCI: pciehp: Fix use-after-free on unplug

    commit 281e878eab191cce4259abbbf1a0322e3adae02c upstream.

    When pciehp is unbound (e.g. on unplug of a Thunderbolt device), the
    hotplug_slot struct is deregistered and thus freed before freeing the
    IRQ.  The IRQ handler and the work items it schedules print the slot
    name referenced from the freed structure in various informational and
    debug log messages, each time resulting in a quadruple dereference of
    freed pointers (hotplug_slot -> pci_slot -> kobject -> name).

    At best the slot name is logged as "(null)", at worst kernel memory is
    exposed in logs or the driver crashes:

      pciehp 0000:10:00.0:pcie204: Slot((null)): Card not present

    An attacker may provoke the bug by unplugging multiple devices on a
    Thunderbolt daisy chain at once.  Unplugging can also be simulated by
    powering down slots via sysfs.  The bug is particularly easy to trigger
    in poll mode.

    It has been present since the driver's introduction in 2004:
    https://git.kernel.org/tglx/history/c/c16b4b14d980

    Fix by rearranging teardown such that the IRQ is freed first.  Run the
    work items queued by the IRQ handler to completion before freeing the
    hotplug_slot struct by draining the work queue from the ->release_slot
    callback which is invoked by pci_hp_deregister().

    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # v2.6.4
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cc7614a5e8ec4514aa27ee3874ad05a1057e644d
Author: Myron Stowe <myron.stowe@redhat.com>
Date:   Mon Aug 13 12:19:39 2018 -0600

    PCI: Skip MPS logic for Virtual Functions (VFs)

    commit 3dbe97efe8bf450b183d6dee2305cbc032e6b8a4 upstream.

    PCIe r4.0, sec 9.3.5.4, "Device Control Register", shows both
    Max_Payload_Size (MPS) and Max_Read_request_Size (MRRS) to be 'RsvdP' for
    VFs.  Just prior to the table it states:

      "PF and VF functionality is defined in Section 7.5.3.4 except where
       noted in Table 9-16.  For VF fields marked 'RsvdP', the PF setting
       applies to the VF."

    All of which implies that with respect to Max_Payload_Size Supported
    (MPSS), MPS, and MRRS values, we should not be paying any attention to the
    VF's fields, but rather only to the PF's.  Only looking at the PF's fields
    also logically makes sense as it's the sole physical interface to the PCIe
    bus.

    Link: https://bugzilla.kernel.org/show_bug.cgi?id=200527
    Fixes: 27d868b5e6cf ("PCI: Set MPS to match upstream bridge")
    Signed-off-by: Myron Stowe <myron.stowe@redhat.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # 4.3+
    Cc: Keith Busch <keith.busch@intel.com>
    Cc: Sinan Kaya <okaya@kernel.org>
    Cc: Dongdong Liu <liudongdong3@huawei.com>
    Cc: Jon Mason <jdmason@kudzu.us>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8837163ebeba0ab5cd82d8eb284060e0e3cb4a35
Author: Lukas Wunner <lukas@wunner.de>
Date:   Thu Jul 19 17:27:31 2018 -0500

    PCI: hotplug: Don't leak pci_slot on registration failure

    commit 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 upstream.

    If addition of sysfs files fails on registration of a hotplug slot, the
    struct pci_slot as well as the entry in the slot_list is leaked.  The
    issue has been present since the hotplug core was introduced in 2002:
    https://git.kernel.org/tglx/history/c/a8a2069f432c

    Perhaps the idea was that even though sysfs addition fails, the slot
    should still be usable.  But that's not how drivers use the interface,
    they abort probe if a non-zero value is returned.

    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # v2.4.15+
    Cc: Greg Kroah-Hartman <greg@kroah.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 400db6fe74317d64c920025ed4de2de7b3522230
Author: John David Anglin <dave.anglin@bell.net>
Date:   Sun Aug 12 16:31:17 2018 -0400

    parisc: Remove unnecessary barriers from spinlock.h

    commit 3b885ac1dc35b87a39ee176a6c7e2af9c789d8b8 upstream.

    Now that mb() is an instruction barrier, it will slow performance if we issue
    unnecessary barriers.

    The spinlock defines have a number of unnecessary barriers.  The __ldcw()
    define is both a hardware and compiler barrier.  The mb() barriers in the
    routines using __ldcw() serve no purpose.

    The only barrier needed is the one in arch_spin_unlock().  We need to ensure
    all accesses are complete prior to releasing the lock.

    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: stable@vger.kernel.org # 4.0+
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6d124ea608ac800f46100741f7ccd79791c061c8
Author: Elad Raz <eladr@mellanox.com>
Date:   Wed Jan 6 13:01:04 2016 +0100

    bridge: Propagate vlan add failure to user

    commit 08474cc1e6ea71237cab7e4a651a623c9dea1084 upstream.

    Disallow adding interfaces to a bridge when vlan filtering operation
    failed. Send the failure code to the user.

    Signed-off-by: Elad Raz <eladr@mellanox.com>
    Signed-off-by: Jiri Pirko <jiri@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 62c4e369c9b98480a4b75b3a74a962a6b298120b
Author: Willem de Bruijn <willemb@google.com>
Date:   Mon Aug 6 10:38:34 2018 -0400

    packet: refine ring v3 block size test to hold one frame

    commit 4576cd469d980317c4edd9173f8b694aa71ea3a3 upstream.

    TPACKET_V3 stores variable length frames in fixed length blocks.
    Blocks must be able to store a block header, optional private space
    and at least one minimum sized frame.

    Frames, even for a zero snaplen packet, store metadata headers and
    optional reserved space.

    In the block size bounds check, ensure that the frame of the
    chosen configuration fits. This includes sockaddr_ll and optional
    tp_reserve.

    Syzbot was able to construct a ring with insufficient room for the
    sockaddr_ll in the header of a zero-length frame, triggering an
    out-of-bounds write in dev_parse_header.

    Convert the comparison to less than, as zero is a valid snap len.
    This matches the test for minimum tp_frame_size immediately below.

    Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
    Fixes: eb73190f4fbe ("net/packet: refine check for priv area size")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 76cb5cc66114d2758796198fca7f3387a6f24b75
Author: Florian Westphal <fw@strlen.de>
Date:   Tue Jul 17 21:03:15 2018 +0200

    netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state

    commit 6613b6173dee098997229caf1f3b961c49da75e6 upstream.

    When first DCCP packet is SYNC or SYNCACK, we insert a new conntrack
    that has an un-initialized timeout value, i.e. such entry could be
    reaped at any time.

    Mark them as INVALID and only ignore SYNC/SYNCACK when connection had
    an old state.

    Reported-by: syzbot+6f18401420df260e37ed@syzkaller.appspotmail.com
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3e6170d014af6d3e9608987a0dee6e7f01c074b3
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Jun 18 21:35:07 2018 -0700

    xfrm_user: prevent leaking 2 bytes of kernel memory

    commit 45c180bc29babbedd6b8c01b975780ef44d9d09c upstream.

    struct xfrm_userpolicy_type has two holes, so we should not
    use C99 style initializer.

    KMSAN report:

    BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
    BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
    CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x185/0x1d0 lib/dump_stack.c:113
     kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
     kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
     kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
     copyout lib/iov_iter.c:140 [inline]
     _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
     copy_to_iter include/linux/uio.h:106 [inline]
     skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
     skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
     netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
     sock_recvmsg_nosec net/socket.c:802 [inline]
     sock_recvmsg+0x1d6/0x230 net/socket.c:809
     ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
     __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
     do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
     __do_sys_recvmmsg net/socket.c:2485 [inline]
     __se_sys_recvmmsg net/socket.c:2481 [inline]
     __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
     do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x446ce9
    RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
    RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
    RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
    RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
    R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
    R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001

    Uninit was stored to memory at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
     kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
     kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
     kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
     __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
     __nla_put lib/nlattr.c:569 [inline]
     nla_put+0x276/0x340 lib/nlattr.c:627
     copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
     dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
     xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
     xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
     netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
     __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
     netlink_dump_start include/linux/netlink.h:214 [inline]
     xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
     netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
     xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
     netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
     netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
     netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
     sock_sendmsg_nosec net/socket.c:629 [inline]
     sock_sendmsg net/socket.c:639 [inline]
     ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
     __sys_sendmsg net/socket.c:2155 [inline]
     __do_sys_sendmsg net/socket.c:2164 [inline]
     __se_sys_sendmsg net/socket.c:2162 [inline]
     __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
     do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    Local variable description: ----upt.i@dump_one_policy
    Variable was created at:
     dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
     xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013

    Byte 130 of 137 is uninitialized
    Memory access starts at ffff88019550407f

    Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 49b3acf7ed1997af70ab95d95995eb2a1a6fdf93
Author: John David Anglin <dave.anglin@bell.net>
Date:   Sun Aug 12 16:38:03 2018 -0400

    parisc: Remove ordered stores from syscall.S

    commit 7797167ffde1f00446301cb22b37b7c03194cfaf upstream.

    Now that we use a sync prior to releasing the locks in syscall.S, we don't need
    the PA 2.0 ordered stores used to release some locks.  Using an ordered store,
    potentially slows the release and subsequent code.

    There are a number of other ordered stores and loads that serve no purpose.  I
    have converted these to normal stores.

    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: stable@vger.kernel.org # 4.0+
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a89f83823b97b6da1ecf7a51184b28822e78cc07
Author: Jeremy Cline <jcline@redhat.com>
Date:   Thu Aug 2 00:03:40 2018 -0400

    ext4: fix spectre gadget in ext4_mb_regular_allocator()

    commit 1a5d5e5d51e75a5bca67dadbcea8c841934b7b85 upstream.

    'ac->ac_g_ex.fe_len' is a user-controlled value which is used in the
    derivation of 'ac->ac_2order'. 'ac->ac_2order', in turn, is used to
    index arrays which makes it a potential spectre gadget. Fix this by
    sanitizing the value assigned to 'ac->ac2_order'.  This covers the
    following accesses found with the help of smatch:

    * fs/ext4/mballoc.c:1896 ext4_mb_simple_scan_group() warn: potential
      spectre issue 'grp->bb_counters' [w] (local cap)

    * fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue
      'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap)

    * fs/ext4/mballoc.c:446 mb_find_buddy() warn: potential spectre issue
      'EXT4_SB(e4b->bd_sb)->s_mb_maxs' [r] (local cap)

    Suggested-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: Jeremy Cline <jcline@redhat.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1186a6ea75df00ec27b9cf2c5d0a5e4298739301
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Mon May 28 13:31:13 2018 +0200

    KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer

    commit 9432a3175770e06cb83eada2d91fac90c977cb99 upstream.

    A comment warning against this bug is there, but the code is not doing what
    the comment says.  Therefore it is possible that an EPOLLHUP races against
    irq_bypass_register_consumer.  The EPOLLHUP handler schedules irqfd_shutdown,
    and if that runs soon enough, you get a use-after-free.

    Reported-by: syzbot <syzkaller@googlegroups.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Reviewed-by: David Hildenbrand <david@redhat.com>
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b84ec04bae905901f5226a67968dabc52ab0c3a6
Author: Daniel Rosenberg <drosen@google.com>
Date:   Tue Aug 21 13:31:50 2018 -0700

    staging: android: ion: check for kref overflow

    This patch is against 4.4. It does not apply to master due to a large
    rework of ion in 4.12 which removed the affected functions altogether.
    4c23cbff073f3b9b ("staging: android: ion: Remove import interface")

    Userspace can cause the kref to handles to increment
    arbitrarily high. Ensure it does not overflow.

    Signed-off-by: Daniel Rosenberg <drosen@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 81970da69122fe4bf2af5bb1bb4c7f62d4744e79
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Tue Jul 17 18:27:45 2018 -0700

    tcp: identify cryptic messages as TCP seq # bugs

    [ Upstream commit e56b8ce363a36fb7b74b80aaa5cc9084f2c908b4 ]

    Attempt to make cryptic TCP seq number error messages clearer by
    (1) identifying the source of the message as "TCP", (2) identifying the
    errors as "seq # bug", and (3) grouping the field identifiers and values
    by separating them with commas.

    E.g., the following message is changed from:

    recvmsg bug 2: copied 73BCB6CD seq 70F17CBE rcvnxt 73BCB9AA fl 0
    WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:1881 tcp_recvmsg+0x649/0xb90

    to:

    TCP recvmsg seq # bug 2: copied 73BCB6CD, seq 70F17CBE, rcvnxt 73BCB9AA, fl 0
    WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:2011 tcp_recvmsg+0x694/0xba0

    Suggested-by: 積丹尼 Dan Jacobson <jidanni@jidanni.org>
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 780e559aaa6ae4b184d9af4acd0754f8608b3715
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Wed Jul 18 08:31:45 2018 +0200

    net: qca_spi: Fix log level if probe fails

    [ Upstream commit 50973993260a6934f0a00da53d9b746cfbea89ab ]

    In cases the probing fails the log level of the messages should
    be an error.

    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e77b1523b93cbc8863cfe656ca0c9e82f7ba43c9
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Wed Jul 18 08:31:44 2018 +0200

    net: qca_spi: Make sure the QCA7000 reset is triggered

    [ Upstream commit 711c62dfa6bdb4326ca6c587f295ea5c4f7269de ]

    In case the SPI thread is not running, a simple reset of sync
    state won't fix the transmit timeout. We also need to wake up the kernel
    thread.

    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Fixes: ed7d42e24eff ("net: qca_spi: fix transmit queue timeout handling")
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8621e69878ba41ed24987a487eaf01a6505223c6
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Wed Jul 18 08:31:43 2018 +0200

    net: qca_spi: Avoid packet drop during initial sync

    [ Upstream commit b2bab426dc715de147f8039a3fccff27d795f4eb ]

    As long as the synchronization with the QCA7000 isn't finished, we
    cannot accept packets from the upper layers. So let the SPI thread
    enable the TX queue after sync and avoid unwanted packet drop.

    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8cfe6f3afe83a2768563f718bb57c99ca249cf4c
Author: David Lechner <david@lechnology.com>
Date:   Mon Jul 16 17:58:10 2018 -0500

    net: usb: rtl8150: demote allmulti message to dev_dbg()

    [ Upstream commit 3a9b0455062ffb9d2f6cd4473a76e3456f318c9f ]

    This driver can spam the kernel log with multiple messages of:

        net eth0: eth0: allmulti set

    Usually 4 or 8 at a time (probably because of using ConnMan).

    This message doesn't seem useful, so let's demote it from dev_info()
    to dev_dbg().

    Signed-off-by: David Lechner <david@lechnology.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0821ddad494b97f0980db1877c4417e7d45c4925
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Fri Jul 13 21:25:19 2018 -0700

    net/ethernet/freescale/fman: fix cross-build error

    [ Upstream commit c133459765fae249ba482f62e12f987aec4376f0 ]

      CC [M]  drivers/net/ethernet/freescale/fman/fman.o
    In file included from ../drivers/net/ethernet/freescale/fman/fman.c:35:
    ../include/linux/fsl/guts.h: In function 'guts_set_dmacr':
    ../include/linux/fsl/guts.h:165:2: error: implicit declaration of function 'clrsetbits_be32' [-Werror=implicit-function-declaration]
      clrsetbits_be32(&guts->dmacr, 3 << shift, device << shift);
      ^~~~~~~~~~~~~~~

    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Cc: Madalin Bucur <madalin.bucur@nxp.com>
    Cc: netdev@vger.kernel.org
    Cc: linuxppc-dev@lists.ozlabs.org
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9c8f268dcdd5d3dacf504873861b9f18c70021b0
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jul 3 15:30:56 2018 +0300

    drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()

    [ Upstream commit 7f073d011f93e92d4d225526b9ab6b8b0bbd6613 ]

    The bo array has req->nr_buffers elements so the > should be >= so we
    don't read beyond the end of the array.

    Fixes: a1606a9596e5 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 43707aa8c55fb165a1a56f590e0defb198ebdde9
Author: Yuchung Cheng <ycheng@google.com>
Date:   Thu Jul 12 06:04:53 2018 -0700

    tcp: remove DELAYED ACK events in DCTCP

    [ Upstream commit a69258f7aa2623e0930212f09c586fd06674ad79 ]

    After fixing the way DCTCP tracking delayed ACKs, the delayed-ACK
    related callbacks are no longer needed

    Signed-off-by: Yuchung Cheng <ycheng@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Acked-by: Lawrence Brakmo <brakmo@fb.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7795ce1182d5317688750126958954e5d32e3eac
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Jul 12 15:23:45 2018 +0300

    qlogic: check kstrtoul() for errors

    [ Upstream commit 5fc853cc01c68f84984ecc2d5fd777ecad78240f ]

    We accidentally left out the error handling for kstrtoul().

    Fixes: a520030e326a ("qlcnic: Implement flash sysfs callback for 83xx adapter")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 01a8ef2f327a6fe5075ee5027c9fa02df42c1c4e
Author: Willem de Bruijn <willemb@google.com>
Date:   Wed Jul 11 12:00:45 2018 -0400

    packet: reset network header if packet shorter than ll reserved space

    [ Upstream commit 993675a3100b16a4c80dfd70cbcde8ea7127b31d ]

    If variable length link layer headers result in a packet shorter
    than dev->hard_header_len, reset the network header offset. Else
    skb->mac_len may exceed skb->len after skb_mac_reset_len.

    packet_sendmsg_spkt already has similar logic.

    Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation")
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8ab85f3dc1b45f9189b62c97c82c7e6e1a3de569
Author: Alexander Duyck <alexander.h.duyck@intel.com>
Date:   Mon Jun 18 12:02:00 2018 -0400

    ixgbe: Be more careful when modifying MAC filters

    [ Upstream commit d14c780c11fbc10f66c43e7b64eefe87ca442bd3 ]

    This change makes it so that we are much more explicit about the ordering
    of updates to the receive address register (RAR) table. Prior to this patch
    I believe we may have been updating the table while entries were still
    active, or possibly allowing for reordering of things since we weren't
    explicitly flushing writes to either the lower or upper portion of the
    register prior to accessing the other half.

    Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
    Reviewed-by: Shannon Nelson <shannon.nelson@oracle.com>
    Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bcfa7262bbc0cf7b39ac112ae2ece9f9310ae4d9
Author: Adam Ford <aford173@gmail.com>
Date:   Wed Jul 11 12:54:54 2018 -0500

    ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller

    [ Upstream commit 923847413f7316b5ced3491769b3fefa6c56a79a ]

    The AM3517 has a different OTG controller location than the OMAP3,
    which is included from omap3.dtsi.  This results in a hwmod error.
    Since the AM3517 has a different OTG controller address, this patch
    disables one that isn't available.

    Signed-off-by: Adam Ford <aford173@gmail.com>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 97d53c81980eaba74690868efd3160fb635b8d42
Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
Date:   Tue Jul 10 08:22:40 2018 +0100

    ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot

    [ Upstream commit b4c7e2bd2eb4764afe3af9409ff3b1b87116fa30 ]

    Dynamic ftrace requires modifying the code segments that are usually
    set to read-only. To do this, a per arch function is called both before
    and after the ftrace modifications are performed. The "before" function
    will set kernel code text to read-write to allow for ftrace to make the
    modifications, and the "after" function will set the kernel code text
    back to "read-only" to keep the kernel code text protected.

    The issue happens when dynamic ftrace is tested at boot up. The test is
    done before the kernel code text has been set to read-only. But the
    "before" and "after" calls are still performed. The "after" call will
    change the kernel code text to read-only prematurely, and other boot
    code that expects this code to be read-write will fail.

    The solution is to add a variable that is set when the kernel code text
    is expected to be converted to read-only, and make the ftrace "before"
    and "after" calls do nothing if that variable is not yet set. This is
    similar to the x86 solution from commit 162396309745 ("ftrace, x86:
    make kernel text writable only for conversions").

    Link: http://lkml.kernel.org/r/20180620212906.24b7b66e@vmware.local.home

    Reported-by: Stefan Agner <stefan@agner.ch>
    Tested-by: Stefan Agner <stefan@agner.ch>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c0cd6f4de95a8fee74131bac79c444f8120c93e9
Author: Kim Phillips <kim.phillips@arm.com>
Date:   Fri Jun 29 12:46:52 2018 -0500

    perf llvm-utils: Remove bashism from kernel include fetch script

    [ Upstream commit f6432b9f65001651412dbc3589d251534822d4ab ]

    Like system(), popen() calls /bin/sh, which may/may not be bash.

    Script when run on dash and encounters the line, yields:

     exit: Illegal number: -1

    checkbashisms report on script content:

     possible bashism (exit|return with negative status code):
     exit -1

    Remove the bashism and use the more portable non-zero failure
    status code 1.

    Signed-off-by: Kim Phillips <kim.phillips@arm.com>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Michael Petlan <mpetlan@redhat.com>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Sandipan Das <sandipan@linux.vnet.ibm.com>
    Cc: Thomas Richter <tmricht@linux.vnet.ibm.com>
    Link: http://lkml.kernel.org/r/20180629124652.8d0af7e2281fd3fd8262cacc@arm.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 149751b516c07eb15f9378bbed175d23589b6215
Author: Vikas Gupta <vikas.gupta@broadcom.com>
Date:   Mon Jul 9 02:24:52 2018 -0400

    bnxt_en: Fix for system hang if request_irq fails

    [ Upstream commit c58387ab1614f6d7fb9e244f214b61e7631421fc ]

    Fix bug in the error code path when bnxt_request_irq() returns failure.
    bnxt_disable_napi() should not be called in this error path because
    NAPI has not been enabled yet.

    Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
    Signed-off-by: Vikas Gupta <vikas.gupta@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2cb585f9c5d6b70bfcd12beb314d9ba060c3208a
Author: Russell King <rmk+kernel@armlinux.org.uk>
Date:   Sun Jun 24 14:35:10 2018 +0100

    drm/armada: fix colorkey mode property

    [ Upstream commit d378859a667edc99e3473704847698cae97ca2b1 ]

    The colorkey mode property was not correctly disabling the colorkeying
    when "disabled" mode was selected.  Arrange for this to work as one
    would expect.

    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fe9ee61f5a1b9413ad3862bfa5a63c633d84f38a
Author: Stefan Schmidt <stefan@datenfreihafen.org>
Date:   Fri Sep 22 14:14:05 2017 +0200

    ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem

    [ Upstream commit 8f2fbc6c60ff213369e06a73610fc882a42fdf20 ]

    The check is valid but it does not warrant to crash the kernel. A
    WARN_ON() is good enough here.
    Found by checkpatch.

    Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 24e3a53c0d2c6be3385c5676056124b44f7c06c2
Author: Stefan Schmidt <stefan@datenfreihafen.org>
Date:   Fri Sep 22 14:13:54 2017 +0200

    ieee802154: at86rf230: use __func__ macro for debug messages

    [ Upstream commit 8a81388ec27c4c0adbdecd20e67bb5f411ab46b2 ]

    Instead of having the function name hard-coded (it might change and we
    forgot to update them in the debug output) we can use __func__ instead
    and also shorten the line so we do not need to break it. Also fix an
    extra blank line while being here.
    Found by checkpatch.

    Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 691a13ac70e31e3004310bf56360ee69c62514cb
Author: Stefan Schmidt <stefan@datenfreihafen.org>
Date:   Fri Sep 22 14:13:53 2017 +0200

    ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem

    [ Upstream commit 20f330452ad8814f2289a589baf65e21270879a7 ]

    The check is valid but it does not warrant to crash the kernel. A
    WARN_ON() is good enough here.
    Found by checkpatch.

    Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit be4691a7c58b40ddcdad5f82fb652475afc3440e
Author: Daniel Mack <daniel@zonque.org>
Date:   Fri Jul 6 22:15:00 2018 +0200

    ARM: pxa: irq: fix handling of ICMR registers in suspend/resume

    [ Upstream commit 0c1049dcb4ceec640d8bd797335bcbebdcab44d2 ]

    PXA3xx platforms have 56 interrupts that are stored in two ICMR
    registers. The code in pxa_irq_suspend() and pxa_irq_resume() however
    does a simple division by 32 which only leads to one register being
    saved at suspend and restored at resume time. The NAND interrupt
    setting, for instance, is lost.

    Fix this by using DIV_ROUND_UP() instead.

    Signed-off-by: Daniel Mack <daniel@zonque.org>
    Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7e8f97b07a3be3493072f1cabe888f2d770b8077
Author: Florian Westphal <fw@strlen.de>
Date:   Wed Jul 4 20:25:32 2018 +0200

    netfilter: x_tables: set module owner for icmp(6) matches

    [ Upstream commit d376bef9c29b3c65aeee4e785fffcd97ef0a9a81 ]

    nft_compat relies on xt_request_find_match to increment
    refcount of the module that provides the match/target.

    The (builtin) icmp matches didn't set the module owner so it
    was possible to rmmod ip(6)tables while icmp extensions were still in use.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c7fda06308d6d1ed5d094a5f22b3e1e33852edbf
Author: Yuiko Oshino <yuiko.oshino@microchip.com>
Date:   Tue Jul 3 11:21:46 2018 -0400

    smsc75xx: Add workaround for gigabit link up hardware errata.

    [ Upstream commit d461e3da905332189aad546b2ad9adbe6071c7cc ]

    In certain conditions, the device may not be able to link in gigabit mode. This software workaround ensures that the device will not enter the failure state.

    Fixes: d0cad871703b898a442e4049c532ec39168e5b57 ("SMSC75XX USB 2.0 Gigabit Ethernet Devices")
    Signed-off-by: Yuiko Oshino <yuiko.oshino@microchip.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1acb2ad5d9d0fc66f18c74e22af3c07e41a5dbca
Author: Zhen Lei <thunder.leizhen@huawei.com>
Date:   Tue Jul 3 17:02:46 2018 -0700

    kasan: fix shadow_size calculation error in kasan_module_alloc

    [ Upstream commit 1e8e18f694a52d703665012ca486826f64bac29d ]

    There is a special case that the size is "(N << KASAN_SHADOW_SCALE_SHIFT)
    Pages plus X", the value of X is [1, KASAN_SHADOW_SCALE_SIZE-1].  The
    operation "size >> KASAN_SHADOW_SCALE_SHIFT" will drop X, and the
    roundup operation can not retrieve the missed one page.  For example:
    size=0x28006, PAGE_SIZE=0x1000, KASAN_SHADOW_SCALE_SHIFT=3, we will get
    shadow_size=0x5000, but actually we need 6 pages.

      shadow_size = round_up(size >> KASAN_SHADOW_SCALE_SHIFT, PAGE_SIZE);

    This can lead to a kernel crash when kasan is enabled and the value of
    mod->core_layout.size or mod->init_layout.size is like above.  Because
    the shadow memory of X has not been allocated and mapped.

    move_module:
      ptr = module_alloc(mod->core_layout.size);
      ...
      memset(ptr, 0, mod->core_layout.size);		//crashed

      Unable to handle kernel paging request at virtual address ffff0fffff97b000
      ......
      Call trace:
        __asan_storeN+0x174/0x1a8
        memset+0x24/0x48
        layout_and_allocate+0xcd8/0x1800
        load_module+0x190/0x23e8
        SyS_finit_module+0x148/0x180

    Link: http://lkml.kernel.org/r/1529659626-12660-1-git-send-email-thunder.leizhen@huawei.com
    Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
    Reviewed-by: Dmitriy Vyukov <dvyukov@google.com>
    Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
    Cc: Alexander Potapenko <glider@google.com>
    Cc: Hanjun Guo <guohanjun@huawei.com>
    Cc: Libin <huawei.libin@huawei.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bfb1c3470bcb05537fca601a0101d759d054b822
Author: Mathieu Malaterre <malat@debian.org>
Date:   Thu Mar 8 21:58:43 2018 +0100

    tracing: Use __printf markup to silence compiler

    [ Upstream commit 26b68dd2f48fe7699a89f0cfbb9f4a650dc1c837 ]

    Silence warnings (triggered at W=1) by adding relevant __printf attributes.

      CC      kernel/trace/trace.o
    kernel/trace/trace.c: In function ‘__trace_array_vprintk’:
    kernel/trace/trace.c:2979:2: warning: function might be possible candidate for ‘gnu_printf’ format attribute [-Wsuggest-attribute=format]
      len = vscnprintf(tbuffer, TRACE_BUF_SIZE, fmt, args);
      ^~~
      AR      kernel/trace/built-in.o

    Link: http://lkml.kernel.org/r/20180308205843.27447-1-malat@debian.org

    Signed-off-by: Mathieu Malaterre <malat@debian.org>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit be38b9556d9ba051adae074367acb3ee362180b2
Author: Fabio Estevam <fabio.estevam@nxp.com>
Date:   Tue Jun 26 08:37:09 2018 -0300

    ARM: imx_v4_v5_defconfig: Select ULPI support

    [ Upstream commit 2ceb2780b790b74bc408a949f6aedbad8afa693e ]

    Select CONFIG_USB_CHIPIDEA_ULPI and CONFIG_USB_ULPI_BUS so that
    USB ULPI can be functional on some boards like that use ULPI
    interface.

    Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0d0af17ae83d6feb29d676c72423461419df5110
Author: Fabio Estevam <fabio.estevam@nxp.com>
Date:   Mon Jun 25 09:34:03 2018 -0300

    ARM: imx_v6_v7_defconfig: Select ULPI support

    [ Upstream commit 157bcc06094c3c5800d3f4676527047b79b618e7 ]

    Select CONFIG_USB_CHIPIDEA_ULPI and CONFIG_USB_ULPI_BUS so that
    USB ULPI can be functional on some boards like imx51-babbage.

    This fixes a kernel hang in 4.18-rc1 on i.mx51-babbage, caused by commit
    03e6275ae381 ("usb: chipidea: Fix ULPI on imx51").

    Suggested-by: Andrey Smirnov <andrew.smirnov@gmail.com>
    Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1bdab67ddfa7b4e9e7a90637a22f9abc6ca88cf4
Author: Jason Gerecke <killertofu@gmail.com>
Date:   Tue Jun 26 09:58:02 2018 -0700

    HID: wacom: Correct touch maximum XY of 2nd-gen Intuos

    [ Upstream commit 3b8d573586d1b9dee33edf6cb6f2ca05f4bca568 ]

    The touch sensors on the 2nd-gen Intuos tablets don't use a 4096x4096
    sensor like other similar tablets (3rd-gen Bamboo, Intuos5, etc.).
    The incorrect maximum XY values don't normally affect userspace since
    touch input from these devices is typically relative rather than
    absolute. It does, however, cause problems when absolute distances
    need to be measured, e.g. for gesture recognition. Since the resolution
    of the touch sensor on these devices is 10 units / mm (versus 100 for
    the pen sensor), the proper maximum values can be calculated by simply
    dividing by 10.

    Fixes: b5fd2a3e92 ("Input: wacom - add support for three new Intuos devices")
    Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8f2f46791e28b7058a32fb7eab32e498ff838627
Author: Greg Ungerer <gerg@linux-m68k.org>
Date:   Mon Jun 18 15:34:14 2018 +1000

    m68k: fix "bad page state" oops on ColdFire boot

    [ Upstream commit ecd60532e060e45c63c57ecf1c8549b1d656d34d ]

    Booting a ColdFire m68k core with MMU enabled causes a "bad page state"
    oops since commit 1d40a5ea01d5 ("mm: mark pages in use for page tables"):

     BUG: Bad page state in process sh  pfn:01ce2
     page:004fefc8 count:0 mapcount:-1024 mapping:00000000 index:0x0
     flags: 0x0()
     raw: 00000000 00000000 00000000 fffffbff 00000000 00000100 00000200 00000000
     raw: 039c4000
     page dumped because: nonzero mapcount
     Modules linked in:
     CPU: 0 PID: 22 Comm: sh Not tainted 4.17.0-07461-g1d40a5ea01d5 #13

    Fix by calling pgtable_page_dtor() in our __pte_free_tlb() code path,
    so that the PG_table flag is cleared before we free the pte page.

    Note that I had to change the type of pte_free() to be static from
    extern. Otherwise you get a lot of warnings like this:

    ./arch/m68k/include/asm/mcf_pgalloc.h:80:2: warning: ‘pgtable_page_dtor’ is static but used in inline function ‘pte_free’ which is not static
      pgtable_page_dtor(page);
      ^

    And making it static is consistent with our use of this in the other
    m68k pgalloc definitions of pte_free().

    Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
    CC: Matthew Wilcox <willy@infradead.org>
    Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aba71e6a936a62126d0c084d4add455db697ee24
Author: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
Date:   Thu Jun 28 04:52:15 2018 -0700

    bnx2x: Fix receiving tx-timeout in error or recovery state.

    [ Upstream commit 484c016d9392786ce5c74017c206c706f29f823d ]

    Driver performs the internal reload when it receives tx-timeout event from
    the OS. Internal reload might fail in some scenarios e.g., fatal HW issues.
    In such cases OS still see the link, which would result in undesirable
    functionalities such as re-generation of tx-timeouts.
    The patch addresses this issue by indicating the link-down to OS when
    tx-timeout is detected, and keeping the link in down state till the
    internal reload is successful.

    Please consider applying it to 'net' branch.

    Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
    Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit acc83070ba75b3ab93bf46f711246e9b97ed46c0
Author: Marek Szyprowski <m.szyprowski@samsung.com>
Date:   Thu Jun 7 13:07:49 2018 +0200

    drm/exynos: decon5433: Fix WINCONx reset value

    [ Upstream commit 7b7aa62c05eac9789c208b946f515983a9255d8d ]

    The only bits that should be preserved in decon_win_set_fmt() is
    WINCONx_ENWIN_F. All other bits depends on the selected pixel formats and
    are set by the mentioned function.

    Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Signed-off-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c46030269f686fc3ca92d93140c9f2957aefee3b
Author: Marek Szyprowski <m.szyprowski@samsung.com>
Date:   Thu Jun 7 13:07:40 2018 +0200

    drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes

    [ Upstream commit ab337fc274a1957ff0771f19e826c736253f7c39 ]

    Set per-plane global alpha to maximum value to get proper blending of
    XRGB and ARGB planes. This fixes the strange order of overlapping planes.

    Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Signed-off-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 048115cfba050e34667d7e3d05ce5f09fd54524f
Author: Marek Szyprowski <m.szyprowski@samsung.com>
Date:   Thu Jun 7 13:06:13 2018 +0200

    drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes

    [ Upstream commit dd209ef809080ced903e7747ee3ef640c923a1d2 ]

    Fix following issues related to planar YUV pixel format configuration:
    - NV16/61 modes were incorrectly programmed as NV12/21,
    - YVU420 was programmed as YUV420 on source,
    - YVU420 and YUV422 were programmed as YUV420 on output.

    Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Signed-off-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 66de11067753fbc562b7d2dba550d563c02449ec
Author: BingJing Chang <bingjingc@synology.com>
Date:   Thu Jun 28 18:40:11 2018 +0800

    md/raid10: fix that replacement cannot complete recovery after reassemble

    [ Upstream commit bda3153998f3eb2cafa4a6311971143628eacdbc ]

    During assemble, the spare marked for replacement is not checked.
    conf->fullsync cannot be updated to be 1. As a result, recovery will
    treat it as a clean array. All recovering sectors are skipped. Original
    device is replaced with the not-recovered spare.

    mdadm -C /dev/md0 -l10 -n4 -pn2 /dev/loop[0123]
    mdadm /dev/md0 -a /dev/loop4
    mdadm /dev/md0 --replace /dev/loop0
    mdadm -S /dev/md0 # stop array during recovery

    mdadm -A /dev/md0 /dev/loop[01234]

    After reassemble, you can see recovery go on, but it completes
    immediately. In fact, recovery is not actually processed.

    To solve this problem, we just add the missing logic for replacement
    spares. (In raid1.c or raid5.c, they have already been checked.)

    Reported-by: Alex Chen <alexchen@synology.com>
    Reviewed-by: Alex Wu <alexwu@synology.com>
    Reviewed-by: Chung-Chiang Cheng <cccheng@synology.com>
    Signed-off-by: BingJing Chang <bingjingc@synology.com>
    Signed-off-by: Shaohua Li <shli@fb.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0430caf5ccc880dfacba544accbddc839d70ded1
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Jun 22 14:15:47 2018 +0300

    dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()

    [ Upstream commit c4c2b7644cc9a41f17a8cc8904efe3f66ae4c7ed ]

    The d->chans[] array has d->dma_requests elements so the > should be
    >= here.

    Fixes: 8e6152bc660e ("dmaengine: Add hisilicon k3 DMA engine driver")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d238b2e06f390de4a3a15058a9e0c538fb6e35e8
Author: Keerthy <j-keerthy@ti.com>
Date:   Tue Jun 5 15:37:51 2018 +0530

    ARM: dts: da850: Fix interrups property for gpio

    [ Upstream commit 3eb1b955cd7ed1e621ace856710006c2a8a7f231 ]

    The intc #interrupt-cells is equal to 1. Currently gpio
    node has 2 cells per IRQ which is wrong. Remove the additional
    cell for each of the interrupts.

    Signed-off-by: Keerthy <j-keerthy@ti.com>
    Fixes: 2e38b946dc54 ("ARM: davinci: da850: add GPIO DT node")
    Signed-off-by: Sekhar Nori <nsekhar@ti.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9a406f22b050bd41e803ede3ced9750d6eeaf61f
Author: Andy Lutomirski <luto@kernel.org>
Date:   Tue Jun 26 22:17:17 2018 -0700

    selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs

    [ Upstream commit ec348020566009d3da9b99f07c05814d13969c78 ]

    When I wrote the sigreturn test, I didn't realize that AMD's busted
    IRET behavior was different from Intel's busted IRET behavior:

    On AMD CPUs, the CPU leaks the high 32 bits of the…

Panchajanya1999 added a commit to Panchajanya1999/kernel_asus_x00t that referenced this issue Sep 1, 2018

Merge ASUS 323 Changes
commit 1153c838bcd7fd93b3599047c548ae5a10e47d82
Author: SagarMakhar <sagarmakhar@gmail.com>
Date:   Thu Aug 30 16:53:41 2018 +0000

    Revert "icnss: Remove sending uevent after FW ready"

    This reverts commit dabc56ff4434cac9b64a0d6dbbf9f2f2bb12e9d1.

commit 6dc7b5e491c44135f14c14946a1873df4ebd74e8
Merge: 2e3cb1cde573 6bc76c807ae7
Author: SagarMakhar <sagarmakhar@gmail.com>
Date:   Thu Aug 30 16:13:44 2018 +0000

    Merge https://github.com/android-linux-stable/msm-4.4 into lineage-15.1_S323

commit 6bc76c807ae760576837b0719a995835196ff668
Merge: c1208ec20032 577189c37a84
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Mon Aug 27 22:48:36 2018 -0700

    Merge 4.4.153 into kernel.lnx.4.4.r27-rel

    Changes in 4.4.153: (6 commits)
            x86/mm/pat: Fix L1TF stable backport for CPA
            x86/mm: Fix use-after-free of ldt_struct
            ovl: Ensure upper filesystem supports d_type
            ovl: Do d_type check only if work dir creation was successful
            ovl: warn instead of error if d_type is not supported
            Linux 4.4.153

    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>

commit 577189c37a844243359afce1c3c94418259fe696
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Aug 28 07:23:44 2018 +0200

    Linux 4.4.153

commit 7eaa995c75bd23b57163541c3285a2c984018b7e
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Fri Jul 1 10:02:44 2016 -0400

    ovl: warn instead of error if d_type is not supported

    commit e7c0b5991dd1be7b6f6dc2b54a15a0f47b64b007 upstream.

    overlay needs underlying fs to support d_type. Recently I put in a
    patch to detect this condition and started failing mount if
    underlying fs did not support d_type.

    But this breaks existing configurations over kernel upgrade. Those who
    are running docker (partially broken configuration) with xfs not
    supporting d_type, are surprised that after kernel upgrade docker does
    not run anymore.

    https://github.com/docker/docker/issues/22937#issuecomment-229881315

    So instead of erroring out, detect broken configuration and warn
    about it. This should allow existing docker setups to continue
    working after kernel upgrade.

    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Fixes: 45aebeaf4f67 ("ovl: Ensure upper filesystem supports d_type")
    Cc: <stable@vger.kernel.org> 4.6
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0f9a6d88cd9f3b16a86639bd652202fe27096b18
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Fri May 20 09:04:26 2016 -0400

    ovl: Do d_type check only if work dir creation was successful

    commit 21765194cecf2e4514ad75244df459f188140a0f upstream.

    d_type check requires successful creation of workdir as it iterates
    through work dir and expects work dir to be present in it. If that's
    not the case, this check will always return d_type not supported even
    if underlying filesystem might be supporting it.

    So don't do this check if work dir creation failed in previous step.

    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d5e678942de33a5d8545a8b7c825eb93b57be1a9
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Mon Feb 22 09:28:34 2016 -0500

    ovl: Ensure upper filesystem supports d_type

    commit 45aebeaf4f67468f76bedf62923a576a519a9b68 upstream.

    In some instances xfs has been created with ftype=0 and there if a file
    on lower fs is removed, overlay leaves a whiteout in upper fs but that
    whiteout does not get filtered out and is visible to overlayfs users.

    And reason it does not get filtered out because upper filesystem does
    not report file type of whiteout as DT_CHR during iterate_dir().

    So it seems to be a requirement that upper filesystem support d_type for
    overlayfs to work properly. Do this check during mount and fail if d_type
    is not supported.

    Suggested-by: Dave Chinner <dchinner@redhat.com>
    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
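
The d_type requirement described in the three ovl commit messages above can be checked from userspace before pointing Docker's overlay driver at a filesystem. The following is an added example, not code from these commits or from the kernel: the function names and the `.dtype-probe-<pid>` directory name are assumptions, and the whiteout handling is a simplified model of the readdir filtering the messages describe.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes DT_* and d_type on glibc */
#endif
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* One directory entry as readdir() reports it. */
struct entry {
    const char *name;
    unsigned char d_type;
};

static int is_dot(const char *name)
{
    return strcmp(name, ".") == 0 || strcmp(name, "..") == 0;
}

/* 1 if any real entry carries a file type, else 0. "." and ".." are ignored
 * because they may be reported as DT_DIR even when nothing else is typed.
 * With no real entry at all the answer is 0, which is why the probe below
 * gives no verdict unless it managed to create an entry first. */
int entries_show_d_type(const struct entry *e, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!is_dot(e[i].name) && e[i].d_type != DT_UNKNOWN)
            return 1;
    return 0;
}

/* Simplified merge view: an upper entry typed DT_CHR is treated as a whiteout
 * candidate and hidden (confirming the candidate is left out of this model).
 * Returns how many upper entries stay visible to the overlay user. */
size_t visible_upper_entries(const struct entry *e, size_t n)
{
    size_t visible = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_dot(e[i].name) && e[i].d_type != DT_CHR)
            visible++;
    return visible;
}

/* Probe a directory on the real filesystem.
 * Returns 1 (d_type reported), 0 (not reported), -1 (probe could not run). */
int probe_d_type(const char *dir)
{
    char probe[4096];
    int len = snprintf(probe, sizeof probe, "%s/.dtype-probe-%ld",
                       dir, (long)getpid());
    if (len < 0 || (size_t)len >= sizeof probe)
        return -1;
    if (mkdir(probe, 0700) != 0)
        return -1;              /* no entry to inspect: do not guess */

    int verdict = -1;
    DIR *d = opendir(dir);
    if (d != NULL) {
        struct dirent *de;
        verdict = 0;
        while ((de = readdir(d)) != NULL) {
            struct entry e = { de->d_name, de->d_type };
            if (entries_show_d_type(&e, 1)) {
                verdict = 1;
                break;
            }
        }
        closedir(d);
    }
    rmdir(probe);
    return verdict;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : ".";
    int v = probe_d_type(dir);
    printf("%s: %s\n", dir,
           v == 1 ? "d_type supported" :
           v == 0 ? "d_type NOT supported" : "probe failed");
    return v == 1 ? 0 : 1;
}
```

Run it against the directory that will hold the overlay upper layer; a result of 0 corresponds to the xfs ftype=0 case in which whiteouts stay visible.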

commit f9866720724db8a163cf305fc907cdab0b38fa09
Author: Eric Biggers <ebiggers@google.com>
Date:   Thu Aug 24 10:50:29 2017 -0700

    x86/mm: Fix use-after-free of ldt_struct

    commit ccd5b3235180eef3cfec337df1c8554ab151b5cc upstream.

    The following commit:

      39a0526fb3f7 ("x86/mm: Factor out LDT init from context init")

    renamed init_new_context() to init_new_context_ldt() and added a new
    init_new_context() which calls init_new_context_ldt().  However, the
    error code of init_new_context_ldt() was ignored.  Consequently, if a
    memory allocation in alloc_ldt_struct() failed during a fork(), the
    ->context.ldt of the new task remained the same as that of the old task
    (due to the memcpy() in dup_mm()).  ldt_struct's are not intended to be
    shared, so a use-after-free occurred after one task exited.

    Fix the bug by making init_new_context() pass through the error code of
    init_new_context_ldt().

    This bug was found by syzkaller, which encountered the following splat:

        BUG: KASAN: use-after-free in free_ldt_struct.part.2+0x10a/0x150 arch/x86/kernel/ldt.c:116
        Read of size 4 at addr ffff88006d2cb7c8 by task kworker/u9:0/3710

        CPU: 1 PID: 3710 Comm: kworker/u9:0 Not tainted 4.13.0-rc4-next-20170811 #2
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Call Trace:
         __dump_stack lib/dump_stack.c:16 [inline]
         dump_stack+0x194/0x257 lib/dump_stack.c:52
         print_address_description+0x73/0x250 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351 [inline]
         kasan_report+0x24e/0x340 mm/kasan/report.c:409
         __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
         free_ldt_struct.part.2+0x10a/0x150 arch/x86/kernel/ldt.c:116
         free_ldt_struct arch/x86/kernel/ldt.c:173 [inline]
         destroy_context_ldt+0x60/0x80 arch/x86/kernel/ldt.c:171
         destroy_context arch/x86/include/asm/mmu_context.h:157 [inline]
         __mmdrop+0xe9/0x530 kernel/fork.c:889
         mmdrop include/linux/sched/mm.h:42 [inline]
         exec_mmap fs/exec.c:1061 [inline]
         flush_old_exec+0x173c/0x1ff0 fs/exec.c:1291
         load_elf_binary+0x81f/0x4ba0 fs/binfmt_elf.c:855
         search_binary_handler+0x142/0x6b0 fs/exec.c:1652
         exec_binprm fs/exec.c:1694 [inline]
         do_execveat_common.isra.33+0x1746/0x22e0 fs/exec.c:1816
         do_execve+0x31/0x40 fs/exec.c:1860
         call_usermodehelper_exec_async+0x457/0x8f0 kernel/umh.c:100
         ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

        Allocated by task 3700:
         save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459 [inline]
         kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
         kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3627
         kmalloc include/linux/slab.h:493 [inline]
         alloc_ldt_struct+0x52/0x140 arch/x86/kernel/ldt.c:67
         write_ldt+0x7b7/0xab0 arch/x86/kernel/ldt.c:277
         sys_modify_ldt+0x1ef/0x240 arch/x86/kernel/ldt.c:307
         entry_SYSCALL_64_fastpath+0x1f/0xbe

        Freed by task 3700:
         save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459 [inline]
         kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
         __cache_free mm/slab.c:3503 [inline]
         kfree+0xca/0x250 mm/slab.c:3820
         free_ldt_struct.part.2+0xdd/0x150 arch/x86/kernel/ldt.c:121
         free_ldt_struct arch/x86/kernel/ldt.c:173 [inline]
         destroy_context_ldt+0x60/0x80 arch/x86/kernel/ldt.c:171
         destroy_context arch/x86/include/asm/mmu_context.h:157 [inline]
         __mmdrop+0xe9/0x530 kernel/fork.c:889
         mmdrop include/linux/sched/mm.h:42 [inline]
         __mmput kernel/fork.c:916 [inline]
         mmput+0x541/0x6e0 kernel/fork.c:927
         copy_process.part.36+0x22e1/0x4af0 kernel/fork.c:1931
         copy_process kernel/fork.c:1546 [inline]
         _do_fork+0x1ef/0xfb0 kernel/fork.c:2025
         SYSC_clone kernel/fork.c:2135 [inline]
         SyS_clone+0x37/0x50 kernel/fork.c:2129
         do_syscall_64+0x26c/0x8c0 arch/x86/entry/common.c:287
         return_from_SYSCALL_64+0x0/0x7a

    Here is a C reproducer:

        #include <asm/ldt.h>
        #include <pthread.h>
        #include <signal.h>
        #include <stdlib.h>
        #include <sys/syscall.h>
        #include <sys/wait.h>
        #include <unistd.h>

        static void *fork_thread(void *_arg)
        {
            fork();
        }

        int main(void)
        {
            struct user_desc desc = { .entry_number = 8191 };

            syscall(__NR_modify_ldt, 1, &desc, sizeof(desc));

            for (;;) {
                if (fork() == 0) {
                    pthread_t t;

                    srand(getpid());
                    pthread_create(&t, NULL, fork_thread, NULL);
                    usleep(rand() % 10000);
                    syscall(__NR_exit_group, 0);
                }
                wait(NULL);
            }
        }

    Note: the reproducer takes advantage of the fact that alloc_ldt_struct()
    may use vmalloc() to allocate a large ->entries array, and after
    commit:

      5d17a73a2ebe ("vmalloc: back off when the current task is killed")

    it is possible for userspace to fail a task's vmalloc() by
    sending a fatal signal, e.g. via exit_group().  It would be more
    difficult to reproduce this bug on kernels without that commit.

    This bug only affected kernels with CONFIG_MODIFY_LDT_SYSCALL=y.

    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: <stable@vger.kernel.org> [v4.6+]
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Michal Hocko <mhocko@suse.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: linux-mm@kvack.org
    Fixes: 39a0526fb3f7 ("x86/mm: Factor out LDT init from context init")
    Link: http://lkml.kernel.org/r/20170824175029.76040-1-ebiggers3@gmail.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit adaba23ccd7d1625942f2c27612d2b416c87e011
Author: Andi Kleen <ak@linux.intel.com>
Date:   Sat Aug 25 06:50:15 2018 -0700

    x86/mm/pat: Fix L1TF stable backport for CPA

    Patch for stable only to fix boot resets caused by the L1TF patches.

    Stable trees reverted the following patch

    Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers"

        This reverts commit 87e2bd898d3a79a8c609f183180adac47879a2a4 which is
        commit edc3b9129cecd0f0857112136f5b8b1bc1d45918 upstream.

    but the L1TF patch backported here

       x86/mm/pat: Make set_memory_np() L1TF safe

        commit 958f79b9ee55dfaf00c8106ed1c22a2919e0028b upstream

        set_memory_np() is used to mark kernel mappings not present, but it has
        its own open coded mechanism which does not have the L1TF protection of
        inverting the address bits.

    assumed that cpa->pfn contains a PFN. With the above patch reverted
    it does not, which causes the PMD to be set to an incorrect address
    shifted by 12 bits, which can cause early boot reset on some
    systems, like an Apollo Lake embedded system.

    Convert the address to a PFN before passing it to pmd_pfn()

    Thanks to Bernhard for bisecting and testing.

    Cc: stable@vger.kernel.org # 4.4 and 4.9
    Reported-by: Bernhard Kaindl <bernhard.kaindl@thalesgroup.com>
    Tested-by: Bernhard Kaindl <bernhard.kaindl@thalesgroup.com>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c1208ec20032cc152136c0098fb02bb63f0f4abd
Merge: 341dfcca5199 0c73169690eb
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Fri Aug 24 07:50:04 2018 -0700

    Merge 4.4.152 into kernel.lnx.4.4.r27-rel

    Changes in 4.4.152: (79 commits)
            ARC: Explicitly add -mmedium-calls to CFLAGS
            netfilter: ipv6: nf_defrag: reduce struct net memory waste
            selftests: pstore: return Kselftest Skip code for skipped tests
            selftests: static_keys: return Kselftest Skip code for skipped tests
            selftests: user: return Kselftest Skip code for skipped tests
            selftests: zram: return Kselftest Skip code for skipped tests
            selftests: sync: add config fragment for testing sync framework
            ARM: dts: Cygnus: Fix I2C controller interrupt type
            usb: dwc2: fix isoc split in transfer with no data
            usb: gadget: composite: fix delayed_status race condition when set_interface
            usb: gadget: dwc2: fix memory leak in gadget_init()
            scsi: xen-scsifront: add error handling for xenbus_printf
            arm64: make secondary_start_kernel() notrace
            qed: Add sanity check for SIMD fastpath handler.
            enic: initialize enic->rfs_h.lock in enic_probe
            net: hamradio: use eth_broadcast_addr
            net: propagate dev_get_valid_name return code
            ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP
            net: davinci_emac: match the mdio device against its compatible if possible
            locking/lockdep: Do not record IRQ state within lockdep code
            ipv6: mcast: fix unsolicited report interval after receiving querys
            Smack: Mark inode instant in smack_task_to_inode
            cxgb4: when disabling dcb set txq dcb priority to 0
            brcmfmac: stop watchdog before detach and free everything
            ARM: dts: am437x: make edt-ft5x06 a wakeup source
            usb: xhci: increase CRS timeout value
            perf test session topology: Fix test on s390
            perf report powerpc: Fix crash if callchain is empty
            selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs
            ARM: dts: da850: Fix interrups property for gpio
            dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()
            md/raid10: fix that replacement cannot complete recovery after reassemble
            drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes
            drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes
            drm/exynos: decon5433: Fix WINCONx reset value
            bnx2x: Fix receiving tx-timeout in error or recovery state.
            m68k: fix "bad page state" oops on ColdFire boot
            HID: wacom: Correct touch maximum XY of 2nd-gen Intuos
            ARM: imx_v6_v7_defconfig: Select ULPI support
            ARM: imx_v4_v5_defconfig: Select ULPI support
            tracing: Use __printf markup to silence compiler
            kasan: fix shadow_size calculation error in kasan_module_alloc
            smsc75xx: Add workaround for gigabit link up hardware errata.
            netfilter: x_tables: set module owner for icmp(6) matches
            ARM: pxa: irq: fix handling of ICMR registers in suspend/resume
            ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem
            ieee802154: at86rf230: use __func__ macro for debug messages
            ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem
            drm/armada: fix colorkey mode property
            bnxt_en: Fix for system hang if request_irq fails
            perf llvm-utils: Remove bashism from kernel include fetch script
            ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot
            ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller
            ixgbe: Be more careful when modifying MAC filters
            packet: reset network header if packet shorter than ll reserved space
            qlogic: check kstrtoul() for errors
            tcp: remove DELAYED ACK events in DCTCP
            drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()
            net/ethernet/freescale/fman: fix cross-build error
            net: usb: rtl8150: demote allmulti message to dev_dbg()
            net: qca_spi: Avoid packet drop during initial sync
            net: qca_spi: Make sure the QCA7000 reset is triggered
            net: qca_spi: Fix log level if probe fails
            tcp: identify cryptic messages as TCP seq # bugs
            staging: android: ion: check for kref overflow
            KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer
            ext4: fix spectre gadget in ext4_mb_regular_allocator()
            parisc: Remove ordered stores from syscall.S
            xfrm_user: prevent leaking 2 bytes of kernel memory
            netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state
            packet: refine ring v3 block size test to hold one frame
            bridge: Propagate vlan add failure to user
            parisc: Remove unnecessary barriers from spinlock.h
            PCI: hotplug: Don't leak pci_slot on registration failure
            PCI: Skip MPS logic for Virtual Functions (VFs)
            PCI: pciehp: Fix use-after-free on unplug
            i2c: imx: Fix race condition in dma read
            reiserfs: fix broken xattr handling (heap corruption, bad retval)
            Linux 4.4.152

    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>

    Conflicts:
    	drivers/staging/android/ion/ion.c

commit 0c73169690eb1d7d6f72a128a010bd84343e503a
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Aug 24 13:27:02 2018 +0200

    Linux 4.4.152

commit 712254045c02edf3dc21714337a23bf361d0c5ee
Author: Jann Horn <jannh@google.com>
Date:   Tue Aug 21 21:59:37 2018 -0700

    reiserfs: fix broken xattr handling (heap corruption, bad retval)

    commit a13f085d111e90469faf2d9965eb39b11c114d7e upstream.

    This fixes the following issues:

    - When a buffer size is supplied to reiserfs_listxattr() such that each
      individual name fits, but the concatenation of all names doesn't fit,
      reiserfs_listxattr() overflows the supplied buffer.  This leads to a
      kernel heap overflow (verified using KASAN) followed by an out-of-bounds
      usercopy and is therefore a security bug.

    - When a buffer size is supplied to reiserfs_listxattr() such that a
      name doesn't fit, -ERANGE should be returned.  But reiserfs instead just
      truncates the list of names; I have verified that if the only xattr on a
      file has a longer name than the supplied buffer length, listxattr()
      incorrectly returns zero.

    With my patch applied, -ERANGE is returned in both cases and the memory
    corruption doesn't happen anymore.

    Credit for making me clean this code up a bit goes to Al Viro, who pointed
    out that the ->actor calling convention is suboptimal and should be
    changed.

    Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
    Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers")
    Signed-off-by: Jann Horn <jannh@google.com>
    Acked-by: Jeff Mahoney <jeffm@suse.com>
    Cc: Eric Biggers <ebiggers@google.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
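
The two listxattr failure modes in the reiserfs commit message above come down to which quantity a name's length is compared against. The following is an added example, not the reiserfs source or the patch: it is a simplified model with hypothetical names (`listbuf`, `add_name_flawed`, `add_name_checked`, `list_names`), and it writes into a 64-byte demo arena so that the flawed path can be measured without corrupting memory.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA 64   /* demo backing store, larger than any size used below */

struct listbuf {
    char  *buf;    /* where names are written */
    size_t size;   /* size the caller passed to listxattr() */
    size_t cap;    /* real size of the demo arena (safety guard only) */
    size_t pos;    /* bytes written so far */
};

typedef int (*filler_fn)(struct listbuf *, const char *);

/* Flawed model: each name is compared with the whole buffer size instead of
 * the space that is left, and a name that is too long is silently skipped. */
int add_name_flawed(struct listbuf *b, const char *name)
{
    size_t len = strlen(name) + 1;        /* names are NUL-terminated */
    if (len > b->size)
        return 0;                         /* list truncated, no error */
    if (len > b->cap - b->pos)
        return -EFAULT;                   /* demo guard, keeps the model safe */
    memcpy(b->buf + b->pos, name, len);   /* may run past b->size */
    b->pos += len;
    return 0;
}

/* Checked model: compare with the remaining space and report -ERANGE. */
int add_name_checked(struct listbuf *b, const char *name)
{
    size_t len = strlen(name) + 1;
    if (len > b->size - b->pos)           /* pos <= size always holds here */
        return -ERANGE;
    memcpy(b->buf + b->pos, name, len);
    b->pos += len;
    return 0;
}

/* Feed names through a filler. Returns bytes emitted or a negative errno;
 * *past_end receives how many bytes landed beyond the caller's size. */
long list_names(filler_fn add, const char *const *names, size_t n,
                size_t size, size_t *past_end)
{
    char arena[ARENA];
    struct listbuf b = { arena, size, sizeof arena, 0 };

    if (past_end)
        *past_end = 0;
    if (size > sizeof arena)
        return -EINVAL;
    for (size_t i = 0; i < n; i++) {
        int r = add(&b, names[i]);
        if (r < 0)
            return r;
    }
    if (past_end && b.pos > b.size)
        *past_end = b.pos - b.size;
    return (long)b.pos;
}

int main(void)
{
    /* Constructed inputs: two 7-byte names against an 8-byte buffer,
     * then a single 14-byte name against the same buffer. */
    const char *const pair[] = { "user.a", "user.b" };
    const char *const longname[] = { "user.longname" };
    size_t past;

    long r = list_names(add_name_flawed, pair, 2, 8, &past);
    printf("flawed,  two names: ret=%ld, bytes past end=%zu\n", r, past);
    r = list_names(add_name_checked, pair, 2, 8, &past);
    printf("checked, two names: ret=%ld\n", r);
    r = list_names(add_name_flawed, longname, 1, 8, &past);
    printf("flawed,  long name: ret=%ld\n", r);
    r = list_names(add_name_checked, longname, 1, 8, &past);
    printf("checked, long name: ret=%ld\n", r);
    return 0;
}
```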

commit 6e57e6c67fd4b568b180fdbd5c14043d39fe6cda
Author: Esben Haabendal <eha@deif.com>
Date:   Thu Aug 16 10:43:12 2018 +0200

    i2c: imx: Fix race condition in dma read

    commit bed4ff1ed4d8f2ef5007c5c6ae1b29c5677a3632 upstream.

    This fixes a race condition, where the DMAEN bit ends up being set after
    I2C slave has transmitted a byte following the dummy read.  When that
    happens, an interrupt is generated instead, and no DMA request is generated
    to kickstart the DMA read, and a timeout happens after DMA_TIMEOUT (1 sec).

    Fixed by setting the DMAEN bit before the dummy read.

    Signed-off-by: Esben Haabendal <eha@deif.com>
    Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Cc: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 131412f4f6f52b72c3a099c9cdac5d9c6034c76c
Author: Lukas Wunner <lukas@wunner.de>
Date:   Thu Jul 19 17:27:32 2018 -0500

    PCI: pciehp: Fix use-after-free on unplug

    commit 281e878eab191cce4259abbbf1a0322e3adae02c upstream.

    When pciehp is unbound (e.g. on unplug of a Thunderbolt device), the
    hotplug_slot struct is deregistered and thus freed before freeing the
    IRQ.  The IRQ handler and the work items it schedules print the slot
    name referenced from the freed structure in various informational and
    debug log messages, each time resulting in a quadruple dereference of
    freed pointers (hotplug_slot -> pci_slot -> kobject -> name).

    At best the slot name is logged as "(null)", at worst kernel memory is
    exposed in logs or the driver crashes:

      pciehp 0000:10:00.0:pcie204: Slot((null)): Card not present

    An attacker may provoke the bug by unplugging multiple devices on a
    Thunderbolt daisy chain at once.  Unplugging can also be simulated by
    powering down slots via sysfs.  The bug is particularly easy to trigger
    in poll mode.

    It has been present since the driver's introduction in 2004:
    https://git.kernel.org/tglx/history/c/c16b4b14d980

    Fix by rearranging teardown such that the IRQ is freed first.  Run the
    work items queued by the IRQ handler to completion before freeing the
    hotplug_slot struct by draining the work queue from the ->release_slot
    callback which is invoked by pci_hp_deregister().

    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # v2.6.4
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cc7614a5e8ec4514aa27ee3874ad05a1057e644d
Author: Myron Stowe <myron.stowe@redhat.com>
Date:   Mon Aug 13 12:19:39 2018 -0600

    PCI: Skip MPS logic for Virtual Functions (VFs)

    commit 3dbe97efe8bf450b183d6dee2305cbc032e6b8a4 upstream.

    PCIe r4.0, sec 9.3.5.4, "Device Control Register", shows both
    Max_Payload_Size (MPS) and Max_Read_request_Size (MRRS) to be 'RsvdP' for
    VFs.  Just prior to the table it states:

      "PF and VF functionality is defined in Section 7.5.3.4 except where
       noted in Table 9-16.  For VF fields marked 'RsvdP', the PF setting
       applies to the VF."

    All of which implies that with respect to Max_Payload_Size Supported
    (MPSS), MPS, and MRRS values, we should not be paying any attention to the
    VF's fields, but rather only to the PF's.  Only looking at the PF's fields
    also logically makes sense as it's the sole physical interface to the PCIe
    bus.

    Link: https://bugzilla.kernel.org/show_bug.cgi?id=200527
    Fixes: 27d868b5e6cf ("PCI: Set MPS to match upstream bridge")
    Signed-off-by: Myron Stowe <myron.stowe@redhat.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # 4.3+
    Cc: Keith Busch <keith.busch@intel.com>
    Cc: Sinan Kaya <okaya@kernel.org>
    Cc: Dongdong Liu <liudongdong3@huawei.com>
    Cc: Jon Mason <jdmason@kudzu.us>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8837163ebeba0ab5cd82d8eb284060e0e3cb4a35
Author: Lukas Wunner <lukas@wunner.de>
Date:   Thu Jul 19 17:27:31 2018 -0500

    PCI: hotplug: Don't leak pci_slot on registration failure

    commit 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 upstream.

    If addition of sysfs files fails on registration of a hotplug slot, the
    struct pci_slot as well as the entry in the slot_list is leaked.  The
    issue has been present since the hotplug core was introduced in 2002:
    https://git.kernel.org/tglx/history/c/a8a2069f432c

    Perhaps the idea was that even though sysfs addition fails, the slot
    should still be usable.  But that's not how drivers use the interface,
    they abort probe if a non-zero value is returned.

    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # v2.4.15+
    Cc: Greg Kroah-Hartman <greg@kroah.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 400db6fe74317d64c920025ed4de2de7b3522230
Author: John David Anglin <dave.anglin@bell.net>
Date:   Sun Aug 12 16:31:17 2018 -0400

    parisc: Remove unnecessary barriers from spinlock.h

    commit 3b885ac1dc35b87a39ee176a6c7e2af9c789d8b8 upstream.

    Now that mb() is an instruction barrier, it will slow performance if we issue
    unnecessary barriers.

    The spinlock defines have a number of unnecessary barriers.  The __ldcw()
    define is both a hardware and compiler barrier.  The mb() barriers in the
    routines using __ldcw() serve no purpose.

    The only barrier needed is the one in arch_spin_unlock().  We need to ensure
    all accesses are complete prior to releasing the lock.

    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: stable@vger.kernel.org # 4.0+
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6d124ea608ac800f46100741f7ccd79791c061c8
Author: Elad Raz <eladr@mellanox.com>
Date:   Wed Jan 6 13:01:04 2016 +0100

    bridge: Propagate vlan add failure to user

    commit 08474cc1e6ea71237cab7e4a651a623c9dea1084 upstream.

    Disallow adding interfaces to a bridge when vlan filtering operation
    failed. Send the failure code to the user.

    Signed-off-by: Elad Raz <eladr@mellanox.com>
    Signed-off-by: Jiri Pirko <jiri@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 62c4e369c9b98480a4b75b3a74a962a6b298120b
Author: Willem de Bruijn <willemb@google.com>
Date:   Mon Aug 6 10:38:34 2018 -0400

    packet: refine ring v3 block size test to hold one frame

    commit 4576cd469d980317c4edd9173f8b694aa71ea3a3 upstream.

    TPACKET_V3 stores variable length frames in fixed length blocks.
    Blocks must be able to store a block header, optional private space
    and at least one minimum sized frame.

    Frames, even for a zero snaplen packet, store metadata headers and
    optional reserved space.

    In the block size bounds check, ensure that the frame of the
    chosen configuration fits. This includes sockaddr_ll and optional
    tp_reserve.

    Syzbot was able to construct a ring with insufficient room for the
    sockaddr_ll in the header of a zero-length frame, triggering an
    out-of-bounds write in dev_parse_header.

    Convert the comparison to less than, as zero is a valid snap len.
    This matches the test for minimum tp_frame_size immediately below.

    Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
    Fixes: eb73190f4fbe ("net/packet: refine check for priv area size")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 76cb5cc66114d2758796198fca7f3387a6f24b75
Author: Florian Westphal <fw@strlen.de>
Date:   Tue Jul 17 21:03:15 2018 +0200

    netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state

    commit 6613b6173dee098997229caf1f3b961c49da75e6 upstream.

    When first DCCP packet is SYNC or SYNCACK, we insert a new conntrack
    that has an un-initialized timeout value, i.e. such entry could be
    reaped at any time.

    Mark them as INVALID and only ignore SYNC/SYNCACK when connection had
    an old state.

    Reported-by: syzbot+6f18401420df260e37ed@syzkaller.appspotmail.com
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3e6170d014af6d3e9608987a0dee6e7f01c074b3
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Jun 18 21:35:07 2018 -0700

    xfrm_user: prevent leaking 2 bytes of kernel memory

    commit 45c180bc29babbedd6b8c01b975780ef44d9d09c upstream.

    struct xfrm_userpolicy_type has two holes, so we should not
    use C99 style initializer.

    KMSAN report:

    BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
    BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
    CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x185/0x1d0 lib/dump_stack.c:113
     kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
     kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
     kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
     copyout lib/iov_iter.c:140 [inline]
     _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
     copy_to_iter include/linux/uio.h:106 [inline]
     skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
     skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
     netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
     sock_recvmsg_nosec net/socket.c:802 [inline]
     sock_recvmsg+0x1d6/0x230 net/socket.c:809
     ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
     __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
     do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
     __do_sys_recvmmsg net/socket.c:2485 [inline]
     __se_sys_recvmmsg net/socket.c:2481 [inline]
     __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
     do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x446ce9
    RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
    RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
    RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
    RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
    R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
    R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001

    Uninit was stored to memory at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
     kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
     kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
     kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
     __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
     __nla_put lib/nlattr.c:569 [inline]
     nla_put+0x276/0x340 lib/nlattr.c:627
     copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
     dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
     xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
     xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
     netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
     __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
     netlink_dump_start include/linux/netlink.h:214 [inline]
     xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
     netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
     xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
     netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
     netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
     netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
     sock_sendmsg_nosec net/socket.c:629 [inline]
     sock_sendmsg net/socket.c:639 [inline]
     ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
     __sys_sendmsg net/socket.c:2155 [inline]
     __do_sys_sendmsg net/socket.c:2164 [inline]
     __se_sys_sendmsg net/socket.c:2162 [inline]
     __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
     do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    Local variable description: ----upt.i@dump_one_policy
    Variable was created at:
     dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
     xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013

    Byte 130 of 137 is uninitialized
    Memory access starts at ffff88019550407f

    Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 49b3acf7ed1997af70ab95d95995eb2a1a6fdf93
Author: John David Anglin <dave.anglin@bell.net>
Date:   Sun Aug 12 16:38:03 2018 -0400

    parisc: Remove ordered stores from syscall.S

    commit 7797167ffde1f00446301cb22b37b7c03194cfaf upstream.

    Now that we use a sync prior to releasing the locks in syscall.S, we don't need
    the PA 2.0 ordered stores used to release some locks.  Using an ordered store,
    potentially slows the release and subsequent code.

    There are a number of other ordered stores and loads that serve no purpose.  I
    have converted these to normal stores.

    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: stable@vger.kernel.org # 4.0+
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a89f83823b97b6da1ecf7a51184b28822e78cc07
Author: Jeremy Cline <jcline@redhat.com>
Date:   Thu Aug 2 00:03:40 2018 -0400

    ext4: fix spectre gadget in ext4_mb_regular_allocator()

    commit 1a5d5e5d51e75a5bca67dadbcea8c841934b7b85 upstream.

    'ac->ac_g_ex.fe_len' is a user-controlled value which is used in the
    derivation of 'ac->ac_2order'. 'ac->ac_2order', in turn, is used to
    index arrays which makes it a potential spectre gadget. Fix this by
    sanitizing the value assigned to 'ac->ac2_order'.  This covers the
    following accesses found with the help of smatch:

    * fs/ext4/mballoc.c:1896 ext4_mb_simple_scan_group() warn: potential
      spectre issue 'grp->bb_counters' [w] (local cap)

    * fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue
      'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap)

    * fs/ext4/mballoc.c:446 mb_find_buddy() warn: potential spectre issue
      'EXT4_SB(e4b->bd_sb)->s_mb_maxs' [r] (local cap)

    Suggested-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: Jeremy Cline <jcline@redhat.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1186a6ea75df00ec27b9cf2c5d0a5e4298739301
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Mon May 28 13:31:13 2018 +0200

    KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer

    commit 9432a3175770e06cb83eada2d91fac90c977cb99 upstream.

    A comment warning against this bug is there, but the code is not doing what
    the comment says.  Therefore it is possible that an EPOLLHUP races against
    irq_bypass_register_consumer.  The EPOLLHUP handler schedules irqfd_shutdown,
    and if that runs soon enough, you get a use-after-free.

    Reported-by: syzbot <syzkaller@googlegroups.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Reviewed-by: David Hildenbrand <david@redhat.com>
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b84ec04bae905901f5226a67968dabc52ab0c3a6
Author: Daniel Rosenberg <drosen@google.com>
Date:   Tue Aug 21 13:31:50 2018 -0700

    staging: android: ion: check for kref overflow

    This patch is against 4.4. It does not apply to master due to a large
    rework of ion in 4.12 which removed the affected functions altogether.
    4c23cbff073f3b9b ("staging: android: ion: Remove import interface")

    Userspace can cause the kref to handles to increment
    arbitrarily high. Ensure it does not overflow.

    Signed-off-by: Daniel Rosenberg <drosen@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 81970da69122fe4bf2af5bb1bb4c7f62d4744e79
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Tue Jul 17 18:27:45 2018 -0700

    tcp: identify cryptic messages as TCP seq # bugs

    [ Upstream commit e56b8ce363a36fb7b74b80aaa5cc9084f2c908b4 ]

    Attempt to make cryptic TCP seq number error messages clearer by
    (1) identifying the source of the message as "TCP", (2) identifying the
    errors as "seq # bug", and (3) grouping the field identifiers and values
    by separating them with commas.

    E.g., the following message is changed from:

    recvmsg bug 2: copied 73BCB6CD seq 70F17CBE rcvnxt 73BCB9AA fl 0
    WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:1881 tcp_recvmsg+0x649/0xb90

    to:

    TCP recvmsg seq # bug 2: copied 73BCB6CD, seq 70F17CBE, rcvnxt 73BCB9AA, fl 0
    WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:2011 tcp_recvmsg+0x694/0xba0

    Suggested-by: 積丹尼 Dan Jacobson <jidanni@jidanni.org>
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 780e559aaa6ae4b184d9af4acd0754f8608b3715
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Wed Jul 18 08:31:45 2018 +0200

    net: qca_spi: Fix log level if probe fails

    [ Upstream commit 50973993260a6934f0a00da53d9b746cfbea89ab ]

    In cases the probing fails the log level of the messages should
    be an error.

    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e77b1523b93cbc8863cfe656ca0c9e82f7ba43c9
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Wed Jul 18 08:31:44 2018 +0200

    net: qca_spi: Make sure the QCA7000 reset is triggered

    [ Upstream commit 711c62dfa6bdb4326ca6c587f295ea5c4f7269de ]

    In case the SPI thread is not running, a simple reset of sync
    state won't fix the transmit timeout. We also need to wake up the kernel
    thread.

    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Fixes: ed7d42e24eff ("net: qca_spi: fix transmit queue timeout handling")
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8621e69878ba41ed24987a487eaf01a6505223c6
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Wed Jul 18 08:31:43 2018 +0200

    net: qca_spi: Avoid packet drop during initial sync

    [ Upstream commit b2bab426dc715de147f8039a3fccff27d795f4eb ]

    As long as the synchronization with the QCA7000 isn't finished, we
    cannot accept packets from the upper layers. So let the SPI thread
    enable the TX queue after sync and avoid unwanted packet drop.

    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8cfe6f3afe83a2768563f718bb57c99ca249cf4c
Author: David Lechner <david@lechnology.com>
Date:   Mon Jul 16 17:58:10 2018 -0500

    net: usb: rtl8150: demote allmulti message to dev_dbg()

    [ Upstream commit 3a9b0455062ffb9d2f6cd4473a76e3456f318c9f ]

    This driver can spam the kernel log with multiple messages of:

        net eth0: eth0: allmulti set

    Usually 4 or 8 at a time (probably because of using ConnMan).

    This message doesn't seem useful, so let's demote it from dev_info()
    to dev_dbg().

    Signed-off-by: David Lechner <david@lechnology.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0821ddad494b97f0980db1877c4417e7d45c4925
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Fri Jul 13 21:25:19 2018 -0700

    net/ethernet/freescale/fman: fix cross-build error

    [ Upstream commit c133459765fae249ba482f62e12f987aec4376f0 ]

      CC [M]  drivers/net/ethernet/freescale/fman/fman.o
    In file included from ../drivers/net/ethernet/freescale/fman/fman.c:35:
    ../include/linux/fsl/guts.h: In function 'guts_set_dmacr':
    ../include/linux/fsl/guts.h:165:2: error: implicit declaration of function 'clrsetbits_be32' [-Werror=implicit-function-declaration]
      clrsetbits_be32(&guts->dmacr, 3 << shift, device << shift);
      ^~~~~~~~~~~~~~~

    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Cc: Madalin Bucur <madalin.bucur@nxp.com>
    Cc: netdev@vger.kernel.org
    Cc: linuxppc-dev@lists.ozlabs.org
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9c8f268dcdd5d3dacf504873861b9f18c70021b0
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jul 3 15:30:56 2018 +0300

    drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()

    [ Upstream commit 7f073d011f93e92d4d225526b9ab6b8b0bbd6613 ]

    The bo array has req->nr_buffers elements so the > should be >= so we
    don't read beyond the end of the array.

    Fixes: a1606a9596e5 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 43707aa8c55fb165a1a56f590e0defb198ebdde9
Author: Yuchung Cheng <ycheng@google.com>
Date:   Thu Jul 12 06:04:53 2018 -0700

    tcp: remove DELAYED ACK events in DCTCP

    [ Upstream commit a69258f7aa2623e0930212f09c586fd06674ad79 ]

    After fixing the way DCTCP tracking delayed ACKs, the delayed-ACK
    related callbacks are no longer needed

    Signed-off-by: Yuchung Cheng <ycheng@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Acked-by: Lawrence Brakmo <brakmo@fb.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7795ce1182d5317688750126958954e5d32e3eac
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Jul 12 15:23:45 2018 +0300

    qlogic: check kstrtoul() for errors

    [ Upstream commit 5fc853cc01c68f84984ecc2d5fd777ecad78240f ]

    We accidentally left out the error handling for kstrtoul().

    Fixes: a520030e326a ("qlcnic: Implement flash sysfs callback for 83xx adapter")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 01a8ef2f327a6fe5075ee5027c9fa02df42c1c4e
Author: Willem de Bruijn <willemb@google.com>
Date:   Wed Jul 11 12:00:45 2018 -0400

    packet: reset network header if packet shorter than ll reserved space

    [ Upstream commit 993675a3100b16a4c80dfd70cbcde8ea7127b31d ]

    If variable length link layer headers result in a packet shorter
    than dev->hard_header_len, reset the network header offset. Else
    skb->mac_len may exceed skb->len after skb_mac_reset_len.

    packet_sendmsg_spkt already has similar logic.

    Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation")
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8ab85f3dc1b45f9189b62c97c82c7e6e1a3de569
Author: Alexander Duyck <alexander.h.duyck@intel.com>
Date:   Mon Jun 18 12:02:00 2018 -0400

    ixgbe: Be more careful when modifying MAC filters

    [ Upstream commit d14c780c11fbc10f66c43e7b64eefe87ca442bd3 ]

    This change makes it so that we are much more explicit about the ordering
    of updates to the receive address register (RAR) table. Prior to this patch
    I believe we may have been updating the table while entries were still
    active, or possibly allowing for reordering of things since we weren't
    explicitly flushing writes to either the lower or upper portion of the
    register prior to accessing the other half.

    Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
    Reviewed-by: Shannon Nelson <shannon.nelson@oracle.com>
    Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bcfa7262bbc0cf7b39ac112ae2ece9f9310ae4d9
Author: Adam Ford <aford173@gmail.com>
Date:   Wed Jul 11 12:54:54 2018 -0500

    ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller

    [ Upstream commit 923847413f7316b5ced3491769b3fefa6c56a79a ]

    The AM3517 has a different OTG controller location than the OMAP3,
    which is included from omap3.dtsi.  This results in a hwmod error.
    Since the AM3517 has a different OTG controller address, this patch
    disables one that isn't available.

    Signed-off-by: Adam Ford <aford173@gmail.com>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 97d53c81980eaba74690868efd3160fb635b8d42
Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
Date:   Tue Jul 10 08:22:40 2018 +0100

    ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot

    [ Upstream commit b4c7e2bd2eb4764afe3af9409ff3b1b87116fa30 ]

    Dynamic ftrace requires modifying the code segments that are usually
    set to read-only. To do this, a per arch function is called both before
    and after the ftrace modifications are performed. The "before" function
    will set kernel code text to read-write to allow for ftrace to make the
    modifications, and the "after" function will set the kernel code text
    back to "read-only" to keep the kernel code text protected.

    The issue happens when dynamic ftrace is tested at boot up. The test is
    done before the kernel code text has been set to read-only. But the
    "before" and "after" calls are still performed. The "after" call will
    change the kernel code text to read-only prematurely, and other boot
    code that expects this code to be read-write will fail.

    The solution is to add a variable that is set when the kernel code text
    is expected to be converted to read-only, and make the ftrace "before"
    and "after" calls do nothing if that variable is not yet set. This is
    similar to the x86 solution from commit 162396309745 ("ftrace, x86:
    make kernel text writable only for conversions").

    Link: http://lkml.kernel.org/r/20180620212906.24b7b66e@vmware.local.home

    Reported-by: Stefan Agner <stefan@agner.ch>
    Tested-by: Stefan Agner <stefan@agner.ch>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c0cd6f4de95a8fee74131bac79c444f8120c93e9
Author: Kim Phillips <kim.phillips@arm.com>
Date:   Fri Jun 29 12:46:52 2018 -0500

    perf llvm-utils: Remove bashism from kernel include fetch script

    [ Upstream commit f6432b9f65001651412dbc3589d251534822d4ab ]

    Like system(), popen() calls /bin/sh, which may/may not be bash.

    Script when run on dash and encounters the line, yields:

     exit: Illegal number: -1

    checkbashisms report on script content:

     possible bashism (exit|return with negative status code):
     exit -1

    Remove the bashism and use the more portable non-zero failure
    status code 1.

    Signed-off-by: Kim Phillips <kim.phillips@arm.com>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Michael Petlan <mpetlan@redhat.com>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Sandipan Das <sandipan@linux.vnet.ibm.com>
    Cc: Thomas Richter <tmricht@linux.vnet.ibm.com>
    Link: http://lkml.kernel.org/r/20180629124652.8d0af7e2281fd3fd8262cacc@arm.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 149751b516c07eb15f9378bbed175d23589b6215
Author: Vikas Gupta <vikas.gupta@broadcom.com>
Date:   Mon Jul 9 02:24:52 2018 -0400

    bnxt_en: Fix for system hang if request_irq fails

    [ Upstream commit c58387ab1614f6d7fb9e244f214b61e7631421fc ]

    Fix bug in the error code path when bnxt_request_irq() returns failure.
    bnxt_disable_napi() should not be called in this error path because
    NAPI has not been enabled yet.

    Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
    Signed-off-by: Vikas Gupta <vikas.gupta@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2cb585f9c5d6b70bfcd12beb314d9ba060c3208a
Author: Russell King <rmk+kernel@armlinux.org.uk>
Date:   Sun Jun 24 14:35:10 2018 +0100

    drm/armada: fix colorkey mode property

    [ Upstream commit d378859a667edc99e3473704847698cae97ca2b1 ]

    The colorkey mode property was not correctly disabling the colorkeying
    when "disabled" mode was selected.  Arrange for this to work as one
    would expect.

    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fe9ee61f5a1b9413ad3862bfa5a63c633d84f38a
Author: Stefan Schmidt <stefan@datenfreihafen.org>
Date:   Fri Sep 22 14:14:05 2017 +0200

    ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem

    [ Upstream commit 8f2fbc6c60ff213369e06a73610fc882a42fdf20 ]

    The check is valid but it does not warrant to crash the kernel. A
    WARN_ON() is good enough here.
    Found by checkpatch.

    Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 24e3a53c0d2c6be3385c5676056124b44f7c06c2
Author: Stefan Schmidt <stefan@datenfreihafen.org>
Date:   Fri Sep 22 14:13:54 2017 +0200

    ieee802154: at86rf230: use __func__ macro for debug messages

    [ Upstream commit 8a81388ec27c4c0adbdecd20e67bb5f411ab46b2 ]

    Instead of having the function name hard-coded (it might change and we
    forgot to update them in the debug output) we can use __func__ instead
    and also shorten the line so we do not need to break it. Also fix an
    extra blank line while being here.
    Found by checkpatch.

    Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 691a13ac70e31e3004310bf56360ee69c62514cb
Author: Stefan Schmidt <stefan@datenfreihafen.org>
Date:   Fri Sep 22 14:13:53 2017 +0200

    ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem

    [ Upstream commit 20f330452ad8814f2289a589baf65e21270879a7 ]

    The check is valid but it does not warrant to crash the kernel. A
    WARN_ON() is good enough here.
    Found by checkpatch.

    Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit be4691a7c58b40ddcdad5f82fb652475afc3440e
Author: Daniel Mack <daniel@zonque.org>
Date:   Fri Jul 6 22:15:00 2018 +0200

    ARM: pxa: irq: fix handling of ICMR registers in suspend/resume

    [ Upstream commit 0c1049dcb4ceec640d8bd797335bcbebdcab44d2 ]

    PXA3xx platforms have 56 interrupts that are stored in two ICMR
    registers. The code in pxa_irq_suspend() and pxa_irq_resume() however
    does a simple division by 32 which only leads to one register being
    saved at suspend and restored at resume time. The NAND interrupt
    setting, for instance, is lost.

    Fix this by using DIV_ROUND_UP() instead.

    Signed-off-by: Daniel Mack <daniel@zonque.org>
    Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7e8f97b07a3be3493072f1cabe888f2d770b8077
Author: Florian Westphal <fw@strlen.de>
Date:   Wed Jul 4 20:25:32 2018 +0200

    netfilter: x_tables: set module owner for icmp(6) matches

    [ Upstream commit d376bef9c29b3c65aeee4e785fffcd97ef0a9a81 ]

    nft_compat relies on xt_request_find_match to increment
    refcount of the module that provides the match/target.

    The (builtin) icmp matches didn't set the module owner so it
    was possible to rmmod ip(6)tables while icmp extensions were still in use.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c7fda06308d6d1ed5d094a5f22b3e1e33852edbf
Author: Yuiko Oshino <yuiko.oshino@microchip.com>
Date:   Tue Jul 3 11:21:46 2018 -0400

    smsc75xx: Add workaround for gigabit link up hardware errata.

    [ Upstream commit d461e3da905332189aad546b2ad9adbe6071c7cc ]

    In certain conditions, the device may not be able to link in gigabit mode. This software workaround ensures that the device will not enter the failure state.

    Fixes: d0cad871703b898a442e4049c532ec39168e5b57 ("SMSC75XX USB 2.0 Gigabit Ethernet Devices")
    Signed-off-by: Yuiko Oshino <yuiko.oshino@microchip.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1acb2ad5d9d0fc66f18c74e22af3c07e41a5dbca
Author: Zhen Lei <thunder.leizhen@huawei.com>
Date:   Tue Jul 3 17:02:46 2018 -0700

    kasan: fix shadow_size calculation error in kasan_module_alloc

    [ Upstream commit 1e8e18f694a52d703665012ca486826f64bac29d ]

    There is a special case that the size is "(N << KASAN_SHADOW_SCALE_SHIFT)
    Pages plus X", the value of X is [1, KASAN_SHADOW_SCALE_SIZE-1].  The
    operation "size >> KASAN_SHADOW_SCALE_SHIFT" will drop X, and the
    roundup operation can not retrieve the missed one page.  For example:
    size=0x28006, PAGE_SIZE=0x1000, KASAN_SHADOW_SCALE_SHIFT=3, we will get
    shadow_size=0x5000, but actually we need 6 pages.

      shadow_size = round_up(size >> KASAN_SHADOW_SCALE_SHIFT, PAGE_SIZE);

    This can lead to a kernel crash when kasan is enabled and the value of
    mod->core_layout.size or mod->init_layout.size is like above.  Because
    the shadow memory of X has not been allocated and mapped.

    move_module:
      ptr = module_alloc(mod->core_layout.size);
      ...
      memset(ptr, 0, mod->core_layout.size);		//crashed

      Unable to handle kernel paging request at virtual address ffff0fffff97b000
      ......
      Call trace:
        __asan_storeN+0x174/0x1a8
        memset+0x24/0x48
        layout_and_allocate+0xcd8/0x1800
        load_module+0x190/0x23e8
        SyS_finit_module+0x148/0x180

    Link: http://lkml.kernel.org/r/1529659626-12660-1-git-send-email-thunder.leizhen@huawei.com
    Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
    Reviewed-by: Dmitriy Vyukov <dvyukov@google.com>
    Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
    Cc: Alexander Potapenko <glider@google.com>
    Cc: Hanjun Guo <guohanjun@huawei.com>
    Cc: Libin <huawei.libin@huawei.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bfb1c3470bcb05537fca601a0101d759d054b822
Author: Mathieu Malaterre <malat@debian.org>
Date:   Thu Mar 8 21:58:43 2018 +0100

    tracing: Use __printf markup to silence compiler

    [ Upstream commit 26b68dd2f48fe7699a89f0cfbb9f4a650dc1c837 ]

    Silence warnings (triggered at W=1) by adding relevant __printf attributes.

      CC      kernel/trace/trace.o
    kernel/trace/trace.c: In function ‘__trace_array_vprintk’:
    kernel/trace/trace.c:2979:2: warning: function might be possible candidate for ‘gnu_printf’ format attribute [-Wsuggest-attribute=format]
      len = vscnprintf(tbuffer, TRACE_BUF_SIZE, fmt, args);
      ^~~
      AR      kernel/trace/built-in.o

    Link: http://lkml.kernel.org/r/20180308205843.27447-1-malat@debian.org

    Signed-off-by: Mathieu Malaterre <malat@debian.org>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit be38b9556d9ba051adae074367acb3ee362180b2
Author: Fabio Estevam <fabio.estevam@nxp.com>
Date:   Tue Jun 26 08:37:09 2018 -0300

    ARM: imx_v4_v5_defconfig: Select ULPI support

    [ Upstream commit 2ceb2780b790b74bc408a949f6aedbad8afa693e ]

    Select CONFIG_USB_CHIPIDEA_ULPI and CONFIG_USB_ULPI_BUS so that
    USB ULPI can be functional on some boards like that use ULPI
    interface.

    Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0d0af17ae83d6feb29d676c72423461419df5110
Author: Fabio Estevam <fabio.estevam@nxp.com>
Date:   Mon Jun 25 09:34:03 2018 -0300

    ARM: imx_v6_v7_defconfig: Select ULPI support

    [ Upstream commit 157bcc06094c3c5800d3f4676527047b79b618e7 ]

    Select CONFIG_USB_CHIPIDEA_ULPI and CONFIG_USB_ULPI_BUS so that
    USB ULPI can be functional on some boards like imx51-babbage.

    This fixes a kernel hang in 4.18-rc1 on i.mx51-babbage, caused by commit
    03e6275ae381 ("usb: chipidea: Fix ULPI on imx51").

    Suggested-by: Andrey Smirnov <andrew.smirnov@gmail.com>
    Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1bdab67ddfa7b4e9e7a90637a22f9abc6ca88cf4
Author: Jason Gerecke <killertofu@gmail.com>
Date:   Tue Jun 26 09:58:02 2018 -0700

    HID: wacom: Correct touch maximum XY of 2nd-gen Intuos

    [ Upstream commit 3b8d573586d1b9dee33edf6cb6f2ca05f4bca568 ]

    The touch sensors on the 2nd-gen Intuos tablets don't use a 4096x4096
    sensor like other similar tablets (3rd-gen Bamboo, Intuos5, etc.).
    The incorrect maximum XY values don't normally affect userspace since
    touch input from these devices is typically relative rather than
    absolute. It does, however, cause problems when absolute distances
    need to be measured, e.g. for gesture recognition. Since the resolution
    of the touch sensor on these devices is 10 units / mm (versus 100 for
    the pen sensor), the proper maximum values can be calculated by simply
    dividing by 10.

    Fixes: b5fd2a3e92 ("Input: wacom - add support for three new Intuos devices")
    Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8f2f46791e28b7058a32fb7eab32e498ff838627
Author: Greg Ungerer <gerg@linux-m68k.org>
Date:   Mon Jun 18 15:34:14 2018 +1000

    m68k: fix "bad page state" oops on ColdFire boot

    [ Upstream commit ecd60532e060e45c63c57ecf1c8549b1d656d34d ]

    Booting a ColdFire m68k core with MMU enabled causes a "bad page state"
    oops since commit 1d40a5ea01d5 ("mm: mark pages in use for page tables"):

     BUG: Bad page state in process sh  pfn:01ce2
     page:004fefc8 count:0 mapcount:-1024 mapping:00000000 index:0x0
     flags: 0x0()
     raw: 00000000 00000000 00000000 fffffbff 00000000 00000100 00000200 00000000
     raw: 039c4000
     page dumped because: nonzero mapcount
     Modules linked in:
     CPU: 0 PID: 22 Comm: sh Not tainted 4.17.0-07461-g1d40a5ea01d5 #13

    Fix by calling pgtable_page_dtor() in our __pte_free_tlb() code path,
    so that the PG_table flag is cleared before we free the pte page.

    Note that I had to change the type of pte_free() to be static from
    extern. Otherwise you get a lot of warnings like this:

    ./arch/m68k/include/asm/mcf_pgalloc.h:80:2: warning: ‘pgtable_page_dtor’ is static but used in inline function ‘pte_free’ which is not static
      pgtable_page_dtor(page);
      ^

    And making it static is consistent with our use of this in the other
    m68k pgalloc definitions of pte_free().

    Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
    CC: Matthew Wilcox <willy@infradead.org>
    Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aba71e6a936a62126d0c084d4add455db697ee24
Author: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
Date:   Thu Jun 28 04:52:15 2018 -0700

    bnx2x: Fix receiving tx-timeout in error or recovery state.

    [ Upstream commit 484c016d9392786ce5c74017c206c706f29f823d ]

    Driver performs the internal reload when it receives tx-timeout event from
    the OS. Internal reload might fail in some scenarios e.g., fatal HW issues.
    In such cases the OS still sees the link, which would result in undesirable
    functionalities such as re-generation of tx-timeouts.
    The patch addresses this issue by indicating the link-down to OS when
    tx-timeout is detected, and keeping the link in down state till the
    internal reload is successful.

    Please consider applying it to 'net' branch.

    Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
    Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit acc83070ba75b3ab93bf46f711246e9b97ed46c0
Author: Marek Szyprowski <m.szyprowski@samsung.com>
Date:   Thu Jun 7 13:07:49 2018 +0200

    drm/exynos: decon5433: Fix WINCONx reset value

    [ Upstream commit 7b7aa62c05eac9789c208b946f515983a9255d8d ]

    The only bits that should be preserved in decon_win_set_fmt() is
    WINCONx_ENWIN_F. All other bits depend on the selected pixel formats and
    are set by the mentioned function.

    Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Signed-off-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Sasha …

chandr1000 added a commit to chandr1000/op5-oreo-kernel that referenced this issue Sep 1, 2018

Squashed commit of the following:
commit af8d3b400b7ea0684a2fdd665726ab7d57ee321b
Author: chandr1000 <chandrananda10@gmail.com>
Date:   Sun Sep 2 06:01:01 2018 +0800

    build script changes

commit c7d2ce5a9dd7246d932d7cd8276ed5546e21758e
Merge: 59477c6 d896c89
Author: Irina Shinakawa <chandrananda10@gmail.com>
Date:   Sun Sep 2 04:35:27 2018 +0800

    Merge pull request #4 from EAS-Project/master

    Update

commit d896c89866de7b8aa03185812c24c295c5287daf
Merge: b596cc8 72e186d
Author: joshuous <joshuous@gmail.com>
Date:   Sat Sep 1 16:22:07 2018 +0000

    Merge branch 'release-3.6.0'

    * release-3.6.0:
      Fix audio issue for gsi
      Fix icon issue for gsi
      drivers: qcom: lpm-stats: Fix undefined access error
      Quote from Documentation/filesystems/sysfs.txt:
      defconfig: Align qcacld-3.0 configs with stock CAF Kbuild
      UPSTREAM: binder: replace "%p" with "%pK"
      UPSTREAM: binder: free memory on error
      UPSTREAM: binder: fix proc->files use-after-free
      UPSTREAM: Revert "FROMLIST: binder: fix proc->files use-after-free"
      UPSTREAM: ANDROID: binder: change down_write to down_read
      UPSTREAM: ANDROID: binder: correct the cmd print for BINDER_WORK_RETURN_ERROR
      UPSTREAM: ANDROID: binder: remove 32-bit binder interface.
      UPSTREAM: ANDROID: binder: re-order some conditions
      UPSTREAM: android: binder: use VM_ALLOC to get vm area
      UPSTREAM: android: binder: Use true and false for boolean values
      UPSTREAM: android: binder: Use octal permissions
      UPSTREAM: android: binder: Prefer __func__ to using hardcoded function name
      UPSTREAM: ANDROID: binder: make binder_alloc_new_buf_locked static and indent its arguments
      UPSTREAM: android: binder: Check for errors in binder_alloc_shrinker_init().
      Revert "msm: kgsl: Offload mementry destroy work to separate thread"
      build.config: Move modules to /renderzenith/modules
      build.config: Add build configurations
      softirq, sched: reduce softirq conflicts with RT
      ANDROID: sched/rt: rt cpu selection integration with EAS.
      Improve stability
      Improve power consumption
      Improve usb stability
      Improve power consumption
      Improve dash charging
      Fix usb issue
      Improve NFC power consumption
      Linux 4.4.153
      ovl: warn instead of error if d_type is not supported
      ovl: Do d_type check only if work dir creation was successful
      ovl: Ensure upper filesystem supports d_type
      x86/mm: Fix use-after-free of ldt_struct
      x86/mm/pat: Fix L1TF stable backport for CPA
      Linux 4.4.152
      reiserfs: fix broken xattr handling (heap corruption, bad retval)
      i2c: imx: Fix race condition in dma read
      PCI: pciehp: Fix use-after-free on unplug
      PCI: Skip MPS logic for Virtual Functions (VFs)
      PCI: hotplug: Don't leak pci_slot on registration failure
      parisc: Remove unnecessary barriers from spinlock.h
      bridge: Propagate vlan add failure to user
      packet: refine ring v3 block size test to hold one frame
      netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state
      xfrm_user: prevent leaking 2 bytes of kernel memory
      parisc: Remove ordered stores from syscall.S
      ext4: fix spectre gadget in ext4_mb_regular_allocator()
      KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer
      staging: android: ion: check for kref overflow
      tcp: identify cryptic messages as TCP seq # bugs
      net: qca_spi: Fix log level if probe fails
      net: qca_spi: Make sure the QCA7000 reset is triggered
      net: qca_spi: Avoid packet drop during initial sync
      net: usb: rtl8150: demote allmulti message to dev_dbg()
      net/ethernet/freescale/fman: fix cross-build error
      drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()
      tcp: remove DELAYED ACK events in DCTCP
      qlogic: check kstrtoul() for errors
      packet: reset network header if packet shorter than ll reserved space
      ixgbe: Be more careful when modifying MAC filters
      ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller
      ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot
      perf llvm-utils: Remove bashism from kernel include fetch script
      bnxt_en: Fix for system hang if request_irq fails
      drm/armada: fix colorkey mode property
      ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem
      ieee802154: at86rf230: use __func__ macro for debug messages
      ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem
      ARM: pxa: irq: fix handling of ICMR registers in suspend/resume
      netfilter: x_tables: set module owner for icmp(6) matches
      smsc75xx: Add workaround for gigabit link up hardware errata.
      kasan: fix shadow_size calculation error in kasan_module_alloc
      tracing: Use __printf markup to silence compiler
      ARM: imx_v4_v5_defconfig: Select ULPI support
      ARM: imx_v6_v7_defconfig: Select ULPI support
      HID: wacom: Correct touch maximum XY of 2nd-gen Intuos
      m68k: fix "bad page state" oops on ColdFire boot
      bnx2x: Fix receiving tx-timeout in error or recovery state.
      drm/exynos: decon5433: Fix WINCONx reset value
      drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes
      drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes
      md/raid10: fix that replacement cannot complete recovery after reassemble
      dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()
      ARM: dts: da850: Fix interrups property for gpio
      selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs
      perf report powerpc: Fix crash if callchain is empty
      perf test session topology: Fix test on s390
      usb: xhci: increase CRS timeout value
      ARM: dts: am437x: make edt-ft5x06 a wakeup source
      brcmfmac: stop watchdog before detach and free everything
      cxgb4: when disabling dcb set txq dcb priority to 0
      Smack: Mark inode instant in smack_task_to_inode
      ipv6: mcast: fix unsolicited report interval after receiving querys
      locking/lockdep: Do not record IRQ state within lockdep code
      net: davinci_emac: match the mdio device against its compatible if possible
      ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP
      net: propagate dev_get_valid_name return code
      net: hamradio: use eth_broadcast_addr
      enic: initialize enic->rfs_h.lock in enic_probe
      qed: Add sanity check for SIMD fastpath handler.
      arm64: make secondary_start_kernel() notrace
      scsi: xen-scsifront: add error handling for xenbus_printf
      usb: gadget: dwc2: fix memory leak in gadget_init()
      usb: gadget: composite: fix delayed_status race condition when set_interface
      usb: dwc2: fix isoc split in transfer with no data
      ARM: dts: Cygnus: Fix I2C controller interrupt type
      selftests: sync: add config fragment for testing sync framework
      selftests: zram: return Kselftest Skip code for skipped tests
      selftests: user: return Kselftest Skip code for skipped tests
      selftests: static_keys: return Kselftest Skip code for skipped tests
      selftests: pstore: return Kselftest Skip code for skipped tests
      netfilter: ipv6: nf_defrag: reduce struct net memory waste
      ARC: Explicitly add -mmedium-calls to CFLAGS
      Linux 4.4.151
      isdn: Disable IIOCDBGVAR
      Bluetooth: avoid killing an already killed socket
      x86/mm: Simplify p[g4um]d_page() macros
      serial: 8250_dw: always set baud rate in dw8250_set_termios
      ACPI / PM: save NVS memory for ASUS 1025C laptop
      ACPI: save NVS memory for Lenovo G50-45
      USB: option: add support for DW5821e
      USB: serial: sierra: fix potential deadlock at close
      ALSA: vxpocket: Fix invalid endian conversions
      ALSA: memalloc: Don't exceed over the requested size
      ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry
      ALSA: cs5535audio: Fix invalid endian conversion
      ALSA: virmidi: Fix too long output trigger loop
      ALSA: vx222: Fix invalid endian conversions
      ALSA: hda - Turn CX8200 into D3 as well upon reboot
      ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs
      net_sched: fix NULL pointer dereference when delete tcindex filter
      vsock: split dwork to avoid reinitializations
      net_sched: Fix missing res info when create new tc_index filter
      llc: use refcount_inc_not_zero() for llc_sap_find()
      l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache
      dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart()
      Linux 4.4.150
      x86/speculation/l1tf: Exempt zeroed PTEs from inversion

commit 72e186d747f7383db0978bd780a3821e48078b22
Author: wangdongdong <arthur.wang@oneplus.net>
Date:   Wed Aug 15 20:04:44 2018 +0800

    Fix audio issue for gsi

    Add a new directory

    Change-Id: I1c828c99a00e5d397e19884bb2960a87d898e127
    Signed-off-by: wangdongdong <arthur.wang@oneplus.net>

commit 1797e928e95d4b8dac1ad28130951acb012440f9
Author: youchih.wang <youchih.wang@oneplus.com>
Date:   Thu Aug 16 20:25:31 2018 +0800

    Fix icon issue for gsi

    Report DCP charger type to system.

    Change-Id: Ia5b9b2eb28debed3235790e6e9096ad59da2ee1d

commit 5aeaf5a17a127f55e48aa4ecc636a8eb27758854
Author: Mahesh Sivasubramanian <msivasub@codeaurora.org>
Date:   Wed Mar 7 16:00:07 2018 -0700

    drivers: qcom: lpm-stats: Fix undefined access error

    In cleanup_stats(), a freed memory pointer pos might be accessed for
    list traversal. Switch to using _safe() variant of the list API to
    prevent undefined accesses.

    Change-Id: I7d068cb7813ccb9bfdbcab4646b4ec890145828a
    Signed-off-by: Mahesh Sivasubramanian <msivasub@codeaurora.org>
    (cherry picked from commit b9c2bbbac5d4374a9508e399d94d9c5ca25dc471)
    (cherry picked from commit 9b6d46b83679e9cb1ac7dcbfc8def1890057e605)

commit 53a2df1828f7b4fb884e7d576c983b2407ae058a
Author: davidliu <“david.liu@oneplus.net”>
Date:   Thu Jun 7 19:45:06 2018 +0800

    Quote from Documentation/filesystems/sysfs.txt:

      show() must not use snprintf() when formatting the value to be
      returned to user space. If you can guarantee that an overflow
      will never happen you can use sprintf() otherwise you must use
      scnprintf().

    Commit 4efe874aace5 ("PCI: Don't read past the end of sysfs
    "driver_override" buffer") introduced such a snprintf() usage from
    driver_override_show() while at the same time tweaking
    driver_override_store() such that the write buffer can't ever get
    overflowed.

    Reasoning:
    Since aforementioned commit, driver_override_store() only accepts to be
    written buffers less than PAGE_SIZE - 1 in size.

    The then kstrndup()'ed driver_override string will be at most PAGE_SIZE - 1
    in length, including the trailing '\0'.

    After the addition of a '\n' in driver_override_show(), the result won't
    exceed PAGE_SIZE characters in length, again including the trailing '\0'.

    Hence, snprintf(buf, PAGE_SIZE, ...) and sprintf(buf, ...) are equivalent
    at this point.

    Replace the former by the latter in order to adhere to the rules in
    Documentation/filesystems/sysfs.txt.

    This is a style fix only and there's no change in functionality.

    Signed-off-by: Nicolai Stange <nstange@suse.de>
    Change-Id: I22463aad4524c195b3066641fb92aa899c9cb212
    (cherry picked from commit b4bdb05de732307e3b8cba7a063826d23a36a968)
    (cherry picked from commit 83ecc5acbf5f1f9b2ff44cd753dca7d257b594b0)

commit d9430c2348c9b15390f5c839ceb32dc267a45b57
Author: joshuous <joshuous@gmail.com>
Date:   Mon Aug 13 05:25:15 2018 -0400

    defconfig: Align qcacld-3.0 configs with stock CAF Kbuild

    Based on Kbuild file.

    Signed-off-by: joshuous <joshuous@gmail.com>

commit 417a18e1a5f21f475741f1d879b061696aa406c6
Author: Todd Kjos <tkjos@android.com>
Date:   Wed Feb 7 13:57:37 2018 -0800

    UPSTREAM: binder: replace "%p" with "%pK"

    The format specifier "%p" can leak kernel addresses. Use
    "%pK" instead. There were 4 remaining cases in binder.c.

    Signed-off-by: Todd Kjos <tkjos@google.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit 8ca86f1639ec5890d400fff9211aca22d0a392eb)

    Change-Id: I309241853c53bcdfa65c17cb05876e786597afdd

commit c0b2f20dd0c89a71b41ffa8cb76f6694186c09bd
Author: Christian Brauner <christian.brauner@ubuntu.com>
Date:   Mon Aug 21 16:13:28 2017 +0200

    UPSTREAM: binder: free memory on error

    On binder_init() the devices string is duplicated and smashed into individual
    device names which are passed along. However, the original duplicated string
    wasn't freed in case binder_init() failed. Let's free it on error.

    Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit 22eb9476b5d80a393ac0ba235c42bccc90b82c76)

    Change-Id: I78fdeecf70c31ba4248b3de17130f97546288f84

commit d7d43b29ab5d059339ac61540e91553386ca5316
Author: Todd Kjos <tkjos@android.com>
Date:   Mon Nov 27 09:32:33 2017 -0800

    UPSTREAM: binder: fix proc->files use-after-free

    proc->files cleanup is initiated by binder_vma_close. Therefore
    a reference on the binder_proc is not enough to prevent the
    files_struct from being released while the binder_proc still has
    a reference. This can lead to an attempt to dereference the
    stale pointer obtained from proc->files prior to proc->files
    cleanup. This has been seen once in task_get_unused_fd_flags()
    when __alloc_fd() is called with a stale "files".

    The fix is to protect proc->files with a mutex to prevent cleanup
    while in use.

    Signed-off-by: Todd Kjos <tkjos@google.com>
    Cc: stable <stable@vger.kernel.org> # 4.14
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit 7f3dc0088b98533f17128058fac73cd8b2752ef1)

    Change-Id: I40982bb0b4615bda5459538c20eb2a913964042c

commit 91c73284dee5cc30dd22e57a0ec536ec9f76107c
Author: Martijn Coenen <maco@android.com>
Date:   Fri Jun 15 11:53:36 2018 +0200

    UPSTREAM: Revert "FROMLIST: binder: fix proc->files use-after-free"

    This reverts commit f09daf140e6e6d3b34e34382bc47a06b854b774e.

    Change-Id: I6d340f75e57e1badc5fe3f41e0aa8f148047c7bd

commit af9caf7ada3c74eca6d33a9ed3225441fee2aa2b
Author: Minchan Kim <minchan@kernel.org>
Date:   Mon May 7 23:15:37 2018 +0900

    UPSTREAM: ANDROID: binder: change down_write to down_read

    binder_update_page_range needs down_write of mmap_sem because
    vm_insert_page need to change vma->vm_flags to VM_MIXEDMAP unless
    it is set. However, when I profile binder working, it seems
    every binder buffers should be mapped in advance by binder_mmap.
    It means we could set VM_MIXEDMAP in binder_mmap time which is
    already hold a mmap_sem as down_write so binder_update_page_range
    doesn't need to hold a mmap_sem as down_write.
    Please use proper API down_read. It would help mmap_sem contention
    problem as well as fixing down_write abuse.

    Ganesh Mahendran tested app launching and binder throughput test
    and he said he couldn't find any problem and I did binder latency
    test per Greg KH request(Thanks Martijn to teach me how I can do)
    I cannot find any problem, too.

    Cc: Ganesh Mahendran <opensource.ganesh@gmail.com>
    Cc: Joe Perches <joe@perches.com>
    Cc: Arve Hjønnevåg <arve@android.com>
    Cc: Todd Kjos <tkjos@google.com>
    Reviewed-by: Martijn Coenen <maco@android.com>
    Signed-off-by: Minchan Kim <minchan@kernel.org>
    Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit 720c241924046aff83f5f2323232f34a30a4c281)

    Change-Id: I8358ceaaab4030f7122c95308dcad59557cad411

commit a163deaa9145f4106659b0001e3211dcf9f41783
Author: 宋金时 <songjinshi@xiaomi.com>
Date:   Thu May 10 02:05:03 2018 +0000

    UPSTREAM: ANDROID: binder: correct the cmd print for BINDER_WORK_RETURN_ERROR

    When to execute binder_stat_br the e->cmd has been modifying as BR_OK
    instead of the original return error cmd, in fact we want to know the
    original return error, such as BR_DEAD_REPLY or BR_FAILED_REPLY, etc.
    instead of always BR_OK, in order to avoid the value of the e->cmd is
    always BR_OK, so we need assign the value of the e->cmd to cmd before
    e->cmd = BR_OK.

    Signed-off-by: songjinshi <songjinshi@xiaomi.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit 838d5565669aa5bb7deb605684a5970d51d5eaf6)

    Change-Id: I425b32c5419a491c6b9ceee7c00dde6513e0421d

commit ce024e06b44c69656549d5f1b42237fe8e279c8e
Author: Martijn Coenen <maco@google.com>
Date:   Fri May 11 01:45:24 2018 -0700

    UPSTREAM: ANDROID: binder: remove 32-bit binder interface.

    New devices launching with Android P need to use the 64-bit
    binder interface, even on 32-bit SoCs [0].

    This change removes the Kconfig option to select the 32-bit
    binder interface. We don't think this will affect existing
    userspace for the following reasons:
    1) The latest Android common tree is 4.14, so we don't
       believe any Android devices are on kernels >4.14.
    2) Android devices launch on an LTS release and stick with
       it, so we wouldn't expect devices running on <= 4.14 now
       to upgrade to 4.17 or later. But even if they did, they'd
       rebuild the world (kernel + userspace) anyway.
    3) Other userspaces like 'anbox' are already using the
       64-bit interface.

    Note that this change doesn't remove the 32-bit UAPI
    itself; the reason for that is that Android userspace
    always uses the latest UAPI headers from upstream, and
    userspace retains 32-bit support for devices that are
    upgrading. This will be removed as well in 2-3 years,
    at which point we can remove the code from the UAPI
    as well.

    Finally, this change introduces build errors on archs where
    64-bit get_user/put_user is not supported, so make binder
    unavailable on m68k (which wouldn't want it anyway).

    [0]: https://android-review.googlesource.com/c/platform/build/+/595193

    Signed-off-by: Martijn Coenen <maco@android.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit 1190b4e38f97023154e6b3bef61b251aa5f970d0)

    Change-Id: I73dadf1d7b45a42bb18be5d5d3f5c090e61866de

commit c34a3b5a5ca970ef84a992dde6423d70eb4c104d
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Mar 29 12:14:40 2018 +0300

    UPSTREAM: ANDROID: binder: re-order some conditions

    It doesn't make any difference to runtime but I've switched these two
    checks to make my static checker happy.

    The problem is that "buffer->data_size" is user controlled and if it's
    less than "sizeof(*hdr)" then that means "offset" can be more than
    "buffer->data_size".  It's just cleaner to check it in the other order.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Martijn Coenen <maco@android.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit 361f2ddbb0c9f9b4f336025a7bd0212cea4a34f0)

    Change-Id: I098d525ba63d125caa9840e6e1d5004bf70edc3c

commit e40870cfc27ece3f5790e07227c6b39156c8757c
Author: Ganesh Mahendran <opensource.ganesh@gmail.com>
Date:   Wed Jan 10 10:49:05 2018 +0800

    UPSTREAM: android: binder: use VM_ALLOC to get vm area

    VM_IOREMAP is used to access hardware through a mechanism called
    I/O mapped memory. Android binder is an IPC mechanism which will
    not access I/O memory.

    And VM_IOREMAP has an alignment requirement which may not be needed in
    binder.
        __get_vm_area_node()
        {
        ...
            if (flags & VM_IOREMAP)
                align = 1ul << clamp_t(int, fls_long(size),
                   PAGE_SHIFT, IOREMAP_MAX_ORDER);
        ...
        }

    This patch will save some kernel vm area, especially for 32bit os.

    In a 32bit OS, the kernel vm area is only 240MB. We may get the
    error below when launching an app:

    <3>[ 4482.440053] binder_alloc: binder_alloc_mmap_handler: 15728 8ce67000-8cf65000 get_vm_area failed -12
    <3>[ 4483.218817] binder_alloc: binder_alloc_mmap_handler: 15745 8ce67000-8cf65000 get_vm_area failed -12

    Signed-off-by: Ganesh Mahendran <opensource.ganesh@gmail.com>
    Acked-by: Martijn Coenen <maco@android.com>
    Acked-by: Todd Kjos <tkjos@google.com>
    Cc: stable <stable@vger.kernel.org>

    ----
    V3: update comments
    V2: update comments
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit aac6830ec1cb681544212838911cdc57f2638216)

    Change-Id: Ide458abc6a4d3ec07973733aa223c4247eef20e6

commit f938445813c532324d001371330f55e436d0f43a
Author: Gustavo A. R. Silva <gustavo@embeddedor.com>
Date:   Tue Jan 23 12:04:27 2018 -0600

    UPSTREAM: android: binder: Use true and false for boolean values

    Assign true or false to boolean variables instead of an integer value.

    This issue was detected with the help of Coccinelle.

    Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
    Cc: Todd Kjos <tkjos@android.com>
    Cc: Martijn Coenen <maco@android.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit 197410ad884eb18b31d48e9d8e64cb5a9e326f2f)

    Change-Id: I30bed831d6b6ff2e9e3e521ccc5d6836f0b30944

commit 3473e58df6023f5b4226ee02aaad9161e5089e6f
Author: Harsh Shandilya <harsh@prjkt.io>
Date:   Fri Dec 22 19:37:02 2017 +0530

    UPSTREAM: android: binder: Use octal permissions

    checkpatch warns against the use of symbolic permissions,
    this patch migrates all symbolic permissions in the binder
    driver to octal permissions.

    Test: debugfs nodes created by binder have the same unix
    permissions prior to and after this patch was applied.

    Signed-off-by: Harsh Shandilya <harsh@prjkt.io>
    Cc: "Arve Hjønnevåg" <arve@android.com>
    Cc: Todd Kjos <tkjos@android.com>
    Cc: Martijn Coenen <maco@android.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit 21d02ddf716669e182a13b69b4dd928cf8ef5e0f)

    Change-Id: I8152fe280ead1d04d89593e813a722f9eb5def27

commit eb28af6167b87d3e2b0fbd4a7be4d16dea0faa27
Author: Elad Wexler <elad.wexler@gmail.com>
Date:   Fri Dec 29 11:03:37 2017 +0200

    UPSTREAM: android: binder: Prefer __func__ to using hardcoded function name

    Coding style fixup

    Signed-off-by: Elad Wexler <elad.wexler@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit 00c41cddebde8d1a635bf81a7b255b7e56fd0d15)

    Change-Id: I795e2a9f525c4a8df5cd0a81842a88529ba54f21

commit c13670fcd830697f02967ac4e4ab7028498a3a99
Author: Xiongwei Song <sxwjean@gmail.com>
Date:   Thu Dec 14 12:15:42 2017 +0800

    UPSTREAM: ANDROID: binder: make binder_alloc_new_buf_locked static and indent its arguments

    The function binder_alloc_new_buf_locked() is only used in this file, so
    make it static. Also clean up sparse warning:

    drivers/android/binder_alloc.c:330:23: warning: no previous prototype
    for ‘binder_alloc_new_buf_locked’ [-Wmissing-prototypes]

    In addition, the line of the function name exceeds 80 characters when
    add static for this function, hence indent its arguments anew.

    Signed-off-by: Xiongwei Song <sxwjean@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit 3f827245463a57f5ef64a665e1ca64eed0da00a5)

    Change-Id: I6b379df815d30f9b3e9f1dd50334375123b25bbc

commit 6c60d2d9c9fea4c81e9e5af8c1100f53453b1503
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date:   Wed Nov 29 22:29:47 2017 +0900

    UPSTREAM: android: binder: Check for errors in binder_alloc_shrinker_init().

    Both list_lru_init() and register_shrinker() might return an error.

    Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Cc: Sherry Yang <sherryy@android.com>
    Cc: Michal Hocko <mhocko@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit 533dfb250d1c8d2bb8c9b65252f7b296b29913d4)

    Change-Id: I5325ccaf34a04179ef3dae73dd8f3abfd6e21565

commit 9502aad47de2ffab7d8f635114429cb0174307d5
Author: Hareesh Gundu <hareeshg@codeaurora.org>
Date:   Fri Jun 16 17:06:57 2017 +0530

    Revert "msm: kgsl: Offload mementry destroy work to separate thread"

    This reverts commit 281fcb5e184b9d1074dd404016cebacce12a8664.

    To address the issue with the OOMkiller causing to kill the
    foreground application.

    Change-Id: Ie4c078d706fdf1c13ad45840f72b414ddc37c1d0
    Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
    Signed-off-by: Venkateswara Rao Tadikonda <vtadik@codeaurora.org>
    Signed-off-by: joshuous <joshuous@gmail.com>

commit 41f8077e54f32083f8043de1c6846b183bf1512e
Author: joshuous <joshuous@gmail.com>
Date:   Thu Jul 5 03:53:47 2018 +0200

    build.config: Move modules to /renderzenith/modules

    Signed-off-by: joshuous <joshuous@gmail.com>

commit 02987ffdf7e4c73e05e1256f52d19aaefa597cda
Author: joshuous <joshuous@gmail.com>
Date:   Thu Jul 5 03:21:45 2018 +0200

    build.config: Add build configurations

    Signed-off-by: joshuous <joshuous@gmail.com>

commit 59477c618b8bcf9d62818811470af0b5ea319ed5
Author: wangdongdong <arthur.wang@oneplus.net>
Date:   Wed Aug 15 20:04:44 2018 +0800

    Fix audio issue for gsi

    Add a new directory

    Change-Id: I1c828c99a00e5d397e19884bb2960a87d898e127
    Signed-off-by: wangdongdong <arthur.wang@oneplus.net>

commit fb36f04594764d9bd8d25861a07cdf8cf7d046c9
Author: youchih.wang <youchih.wang@oneplus.com>
Date:   Thu Aug 16 20:25:31 2018 +0800

    Fix icon issue for gsi

    Report DCP charger type to system.

    Change-Id: Ia5b9b2eb28debed3235790e6e9096ad59da2ee1d

commit a124f89e4fa3bb3f24473eae1a0e74a0acdac441
Author: John Dias <joaodias@google.com>
Date:   Mon Aug 21 16:21:47 2017 -0700

    softirq, sched: reduce softirq conflicts with RT

    joshuous: Adapted to work with CAF's "softirq: defer softirq processing
    to ksoftirqd if CPU is busy with RT" commit.

    We're finding audio glitches caused by audio-producing RT tasks
    that are either interrupted to handle softirq's or that are
    scheduled onto cpu's that are handling softirq's.
    In a previous patch, we attempted to catch many cases of the
    latter problem, but it's clear that we are still losing
    significant numbers of races in some apps.

    This patch attempts to address both problems:
    1. It prohibits handling softirq's when interrupting
       an RT task, by delaying the softirq to the ksoftirqd
       thread.
    2. It attempts to reduce the most common windows in which
       we lose the race between scheduling an RT task on a remote
       core and starting to handle softirq's on that core.
       We still lose some races, but we lose significantly fewer.
       (And we don't want to introduce any heavyweight forms
       of synchronization on these paths.)

    Bug: 64912585
    Change-Id: Ida89a903be0f1965552dd0e84e67ef1d3158c7d8
    Signed-off-by: John Dias <joaodias@google.com>
    Signed-off-by: joshuous <joshuous@gmail.com>

commit 9315e319a7c4b9fc609ec3ece2a86d6a91b0d6e5
Author: Srinath Sridharan <srinathsr@google.com>
Date:   Thu Sep 8 13:47:02 2016 -0700

    ANDROID: sched/rt: rt cpu selection integration with EAS.

    joshuous:
    * Adapted for kernel/common
    * "ANDORID: sched/rt: fix schedtune accouting on prio change" not needed

    For effective interplay between RT and fair tasks. Enables sched_fifo
    for UI and Render tasks. Critical for improving user experience.

    bug: 24503801
    bug: 30377696
    Change-Id: I2a210c567c3f5c7edbdd7674244822f848e6d0cf
    Signed-off-by: Srinath Sridharan <srinathsr@google.com>
    (cherry picked from commit dfe0f16b6fd3a694173c5c62cf825643eef184a3)
    Signed-off-by: joshuous <joshuous@gmail.com>

    Conflicts:
    	kernel/sched/rt.c

commit c9d37f930ced5d026ebb2b870d032cfd9c6ab6b5
Author: liwei <liwei@oneplus.net>
Date:   Mon Oct 2 16:17:39 2017 +0800

    Improve stability

    Use create_workqueue instead of alloc_workqueue.

    Change-Id: Ice6aaa9b4b64f340cad53b4915dc22887895e33b

commit c02514b016e539998ef8ac872af4ff97a34b5337
Author: liuhaituo <tony.liu@oneplus.net>
Date:   Fri Jun 22 14:36:16 2018 +0800

    Improve power consumption

    Forbid ELECT_REM irq and don't use it.

    Change-Id: Ifefc90b45c2773c0a793159fa71b89f4a9a80673

commit 01492abe7c6c3c205f54abc7104ab086abde1b16
Author: hecaiqiang <hecaiqiang@oneplus.com>
Date:   Fri Jun 22 21:53:01 2018 +0800

    Improve usb stability

    enable and disable endpoints in interrupt context.

    Change-Id: Ib6e390af88d7a34ca74a29f267a7ff14e1e649c4

commit 633cc0458a8dbca64bb05614ca69cbf2714acef2
Author: liuhaituo <tony.liu@oneplus.net>
Date:   Fri Jun 8 18:51:23 2018 +0800

    Improve power consumption

    Keep micbias on when headset is inserted.

    Change-Id: I2c3f5e975a60542f5e02b770904de6f5485e00fe

commit 2473af7c12ab7801e0bc2a773ad0cdeadd3cb78d
Author: yangfangbiao <yangfangbiao@oneplus.com>
Date:   Fri Jun 15 12:28:59 2018 +0800

    Improve dash charging

    Check dash when charger type is FLOAT.

    Change-Id: I9eb0b711581ae4006b02e22838c47edb36724b2a

commit 349ec4c5ec3fca5873ac423588fa64bfef10511d
Author: yangfangbiao <yangfangbiao@oneplus.com>
Date:   Mon May 28 10:34:55 2018 +0800

    Fix usb issue

    Adjust apsd result.

    Change-Id: Ia6f8323d60c210913a2a00353c22d6a306fee645

commit e603d7127c5eefebeb01fde6143d3be97fc3230a
Author: guoling <lynn.guo@oneplus.com>
Date:   Mon May 21 23:06:20 2018 +0800

    Improve NFC power consumption

    Modify CLK_REQ and adjust suspend strategy.

    Change-Id: Icc196c58a963012ff7316d1f9c69e0e19cbea4ca

commit 0fd963ceacab93b9403088665d2656b0d536d8fe
Merge: 21e5c49 577189c
Author: joshuous <joshuous@gmail.com>
Date:   Thu Aug 30 10:31:18 2018 +0000

    Merge Linux stable release 4.4.153

    This is the 4.4.153 stable release

    * tag 'v4.4.153':
      Linux 4.4.153
      ovl: warn instead of error if d_type is not supported
      ovl: Do d_type check only if work dir creation was successful
      ovl: Ensure upper filesystem supports d_type
      x86/mm: Fix use-after-free of ldt_struct
      x86/mm/pat: Fix L1TF stable backport for CPA

commit 21e5c495794513fde1ba923e52cbb92c62c02c65
Merge: 814322f 0c73169
Author: joshuous <joshuous@gmail.com>
Date:   Thu Aug 30 10:30:49 2018 +0000

    Merge Linux stable release 4.4.152

    This is the 4.4.152 stable release

    * tag 'v4.4.152':
      Linux 4.4.152
      reiserfs: fix broken xattr handling (heap corruption, bad retval)
      i2c: imx: Fix race condition in dma read
      PCI: pciehp: Fix use-after-free on unplug
      PCI: Skip MPS logic for Virtual Functions (VFs)
      PCI: hotplug: Don't leak pci_slot on registration failure
      parisc: Remove unnecessary barriers from spinlock.h
      bridge: Propagate vlan add failure to user
      packet: refine ring v3 block size test to hold one frame
      netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state
      xfrm_user: prevent leaking 2 bytes of kernel memory
      parisc: Remove ordered stores from syscall.S
      ext4: fix spectre gadget in ext4_mb_regular_allocator()
      KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer
      staging: android: ion: check for kref overflow
      tcp: identify cryptic messages as TCP seq # bugs
      net: qca_spi: Fix log level if probe fails
      net: qca_spi: Make sure the QCA7000 reset is triggered
      net: qca_spi: Avoid packet drop during initial sync
      net: usb: rtl8150: demote allmulti message to dev_dbg()
      net/ethernet/freescale/fman: fix cross-build error
      drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()
      tcp: remove DELAYED ACK events in DCTCP
      qlogic: check kstrtoul() for errors
      packet: reset network header if packet shorter than ll reserved space
      ixgbe: Be more careful when modifying MAC filters
      ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller
      ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot
      perf llvm-utils: Remove bashism from kernel include fetch script
      bnxt_en: Fix for system hang if request_irq fails
      drm/armada: fix colorkey mode property
      ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem
      ieee802154: at86rf230: use __func__ macro for debug messages
      ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem
      ARM: pxa: irq: fix handling of ICMR registers in suspend/resume
      netfilter: x_tables: set module owner for icmp(6) matches
      smsc75xx: Add workaround for gigabit link up hardware errata.
      kasan: fix shadow_size calculation error in kasan_module_alloc
      tracing: Use __printf markup to silence compiler
      ARM: imx_v4_v5_defconfig: Select ULPI support
      ARM: imx_v6_v7_defconfig: Select ULPI support
      HID: wacom: Correct touch maximum XY of 2nd-gen Intuos
      m68k: fix "bad page state" oops on ColdFire boot
      bnx2x: Fix receiving tx-timeout in error or recovery state.
      drm/exynos: decon5433: Fix WINCONx reset value
      drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes
      drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes
      md/raid10: fix that replacement cannot complete recovery after reassemble
      dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()
      ARM: dts: da850: Fix interrups property for gpio
      selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs
      perf report powerpc: Fix crash if callchain is empty
      perf test session topology: Fix test on s390
      usb: xhci: increase CRS timeout value
      ARM: dts: am437x: make edt-ft5x06 a wakeup source
      brcmfmac: stop watchdog before detach and free everything
      cxgb4: when disabling dcb set txq dcb priority to 0
      Smack: Mark inode instant in smack_task_to_inode
      ipv6: mcast: fix unsolicited report interval after receiving querys
      locking/lockdep: Do not record IRQ state within lockdep code
      net: davinci_emac: match the mdio device against its compatible if possible
      ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP
      net: propagate dev_get_valid_name return code
      net: hamradio: use eth_broadcast_addr
      enic: initialize enic->rfs_h.lock in enic_probe
      qed: Add sanity check for SIMD fastpath handler.
      arm64: make secondary_start_kernel() notrace
      scsi: xen-scsifront: add error handling for xenbus_printf
      usb: gadget: dwc2: fix memory leak in gadget_init()
      usb: gadget: composite: fix delayed_status race condition when set_interface
      usb: dwc2: fix isoc split in transfer with no data
      ARM: dts: Cygnus: Fix I2C controller interrupt type
      selftests: sync: add config fragment for testing sync framework
      selftests: zram: return Kselftest Skip code for skipped tests
      selftests: user: return Kselftest Skip code for skipped tests
      selftests: static_keys: return Kselftest Skip code for skipped tests
      selftests: pstore: return Kselftest Skip code for skipped tests
      netfilter: ipv6: nf_defrag: reduce struct net memory waste
      ARC: Explicitly add -mmedium-calls to CFLAGS

    Signed-off-by: joshuous <joshuous@gmail.com>

commit 814322f9d555217777985eaed6c9975d14cd757f
Merge: ff19aa57 78f654f
Author: joshuous <joshuous@gmail.com>
Date:   Thu Aug 30 10:29:59 2018 +0000

    Merge Linux stable release 4.4.151

    This is the 4.4.151 stable release

    * tag 'v4.4.151':
      Linux 4.4.151
      isdn: Disable IIOCDBGVAR
      Bluetooth: avoid killing an already killed socket
      x86/mm: Simplify p[g4um]d_page() macros
      serial: 8250_dw: always set baud rate in dw8250_set_termios
      ACPI / PM: save NVS memory for ASUS 1025C laptop
      ACPI: save NVS memory for Lenovo G50-45
      USB: option: add support for DW5821e
      USB: serial: sierra: fix potential deadlock at close
      ALSA: vxpocket: Fix invalid endian conversions
      ALSA: memalloc: Don't exceed over the requested size
      ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry
      ALSA: cs5535audio: Fix invalid endian conversion
      ALSA: virmidi: Fix too long output trigger loop
      ALSA: vx222: Fix invalid endian conversions
      ALSA: hda - Turn CX8200 into D3 as well upon reboot
      ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs
      net_sched: fix NULL pointer dereference when delete tcindex filter
      vsock: split dwork to avoid reinitializations
      net_sched: Fix missing res info when create new tc_index filter
      llc: use refcount_inc_not_zero() for llc_sap_find()
      l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache
      dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart()

commit ff19aa57d78c62878837f5c58d7940a6fe9269ef
Merge: 7b53529 7dc18eb
Author: joshuous <joshuous@gmail.com>
Date:   Thu Aug 30 10:29:39 2018 +0000

    Merge Linux stable release 4.4.150

    This is the 4.4.150 stable release

    * tag 'v4.4.150':
      Linux 4.4.150
      x86/speculation/l1tf: Exempt zeroed PTEs from inversion

commit 17bf13268663df2266519bebe55f42b32abe2171
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Mon Aug 27 22:51:15 2018 -0700

    Merge 4.4.153 into oneplus/QC8998_O_8.1_Beta

    Changes in 4.4.153: (6 commits)
            x86/mm/pat: Fix L1TF stable backport for CPA
            x86/mm: Fix use-after-free of ldt_struct
            ovl: Ensure upper filesystem supports d_type
            ovl: Do d_type check only if work dir creation was successful
            ovl: warn instead of error if d_type is not supported
            Linux 4.4.153

    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>

commit 577189c37a844243359afce1c3c94418259fe696
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Aug 28 07:23:44 2018 +0200

    Linux 4.4.153

commit 7eaa995c75bd23b57163541c3285a2c984018b7e
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Fri Jul 1 10:02:44 2016 -0400

    ovl: warn instead of error if d_type is not supported

    commit e7c0b5991dd1be7b6f6dc2b54a15a0f47b64b007 upstream.

    overlay needs underlying fs to support d_type. Recently I put in a
    patch in to detect this condition and started failing mount if
    underlying fs did not support d_type.

    But this breaks existing configurations over kernel upgrade. Those who
    are running docker (partially broken configuration) with xfs not
    supporting d_type, are surprised that after kernel upgrade docker does
    not run anymore.

    https://github.com/docker/docker/issues/22937#issuecomment-229881315

    So instead of erroring out, detect broken configuration and warn
    about it. This should allow existing docker setups to continue
    working after kernel upgrade.

    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Fixes: 45aebeaf4f67 ("ovl: Ensure upper filesystem supports d_type")
    Cc: <stable@vger.kernel.org> 4.6
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0f9a6d88cd9f3b16a86639bd652202fe27096b18
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Fri May 20 09:04:26 2016 -0400

    ovl: Do d_type check only if work dir creation was successful

    commit 21765194cecf2e4514ad75244df459f188140a0f upstream.

    d_type check requires successful creation of workdir as it iterates
    through work dir and expects work dir to be present in it. If that's
    not the case, this check will always return d_type not supported even
    if underlying filesystem might be supporting it.

    So don't do this check if work dir creation failed in previous step.

    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d5e678942de33a5d8545a8b7c825eb93b57be1a9
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Mon Feb 22 09:28:34 2016 -0500

    ovl: Ensure upper filesystem supports d_type

    commit 45aebeaf4f67468f76bedf62923a576a519a9b68 upstream.

    In some instances xfs has been created with ftype=0 and there if a file
    on lower fs is removed, overlay leaves a whiteout in upper fs but that
    whiteout does not get filtered out and is visible to overlayfs users.

    And the reason it does not get filtered out is because upper filesystem does
    not report file type of whiteout as DT_CHR during iterate_dir().

    So it seems to be a requirement that upper filesystem support d_type for
    overlayfs to work properly. Do this check during mount and fail if d_type
    is not supported.

    Suggested-by: Dave Chinner <dchinner@redhat.com>
    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
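A userspace analogue of the d_type check that the three ovl commits above describe, added here as an example (it is not kernel code and not part of the commit log): it creates a probe directory and reports whether readdir() returns a real file type for it or DT_UNKNOWN. The function name `dtype_supported` and the probe directory name are assumptions of this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* d_type, DT_UNKNOWN, mkdtemp() */
#endif
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Check whether the filesystem backing `dir` fills in d_type.
 * Returns 1 if a freshly created probe directory is reported with a
 * real type, 0 if it is reported as DT_UNKNOWN (the situation the
 * commits describe for xfs created with ftype=0), -1 on error.
 */
int dtype_supported(const char *dir)
{
    char probe[4096];
    int n = snprintf(probe, sizeof(probe), "%s/.dtype-probe-XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof(probe)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* Like the kernel check, we need an entry we know exists. */
    if (!mkdtemp(probe))
        return -1;
    const char *name = strrchr(probe, '/') + 1;

    int result = -1;
    DIR *d = opendir(dir);
    if (d) {
        struct dirent *e;
        while ((e = readdir(d)) != NULL) {
            if (strcmp(e->d_name, name) == 0) {
                /* A supporting filesystem reports DT_DIR here. */
                result = (e->d_type != DT_UNKNOWN);
                break;
            }
        }
        closedir(d);
    }

    int saved = errno;
    rmdir(probe);           /* always remove the probe entry */
    errno = saved;
    return result;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : ".";
    int r = dtype_supported(dir);
    if (r < 0) {
        perror(dir);
        return 2;
    }
    printf("%s: d_type %s\n", dir,
           r ? "reported" : "NOT reported (DT_UNKNOWN)");
    return r ? 0 : 1;
}
```

Run it against the directory that would hold the overlay upper and work dirs; exit status 1 means entries come back as DT_UNKNOWN.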

commit f9866720724db8a163cf305fc907cdab0b38fa09
Author: Eric Biggers <ebiggers@google.com>
Date:   Thu Aug 24 10:50:29 2017 -0700

    x86/mm: Fix use-after-free of ldt_struct

    commit ccd5b3235180eef3cfec337df1c8554ab151b5cc upstream.

    The following commit:

      39a0526fb3f7 ("x86/mm: Factor out LDT init from context init")

    renamed init_new_context() to init_new_context_ldt() and added a new
    init_new_context() which calls init_new_context_ldt().  However, the
    error code of init_new_context_ldt() was ignored.  Consequently, if a
    memory allocation in alloc_ldt_struct() failed during a fork(), the
    ->context.ldt of the new task remained the same as that of the old task
    (due to the memcpy() in dup_mm()).  ldt_struct's are not intended to be
    shared, so a use-after-free occurred after one task exited.

    Fix the bug by making init_new_context() pass through the error code of
    init_new_context_ldt().

    This bug was found by syzkaller, which encountered the following splat:

        BUG: KASAN: use-after-free in free_ldt_struct.part.2+0x10a/0x150 arch/x86/kernel/ldt.c:116
        Read of size 4 at addr ffff88006d2cb7c8 by task kworker/u9:0/3710

        CPU: 1 PID: 3710 Comm: kworker/u9:0 Not tainted 4.13.0-rc4-next-20170811 #2
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Call Trace:
         __dump_stack lib/dump_stack.c:16 [inline]
         dump_stack+0x194/0x257 lib/dump_stack.c:52
         print_address_description+0x73/0x250 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351 [inline]
         kasan_report+0x24e/0x340 mm/kasan/report.c:409
         __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
         free_ldt_struct.part.2+0x10a/0x150 arch/x86/kernel/ldt.c:116
         free_ldt_struct arch/x86/kernel/ldt.c:173 [inline]
         destroy_context_ldt+0x60/0x80 arch/x86/kernel/ldt.c:171
         destroy_context arch/x86/include/asm/mmu_context.h:157 [inline]
         __mmdrop+0xe9/0x530 kernel/fork.c:889
         mmdrop include/linux/sched/mm.h:42 [inline]
         exec_mmap fs/exec.c:1061 [inline]
         flush_old_exec+0x173c/0x1ff0 fs/exec.c:1291
         load_elf_binary+0x81f/0x4ba0 fs/binfmt_elf.c:855
         search_binary_handler+0x142/0x6b0 fs/exec.c:1652
         exec_binprm fs/exec.c:1694 [inline]
         do_execveat_common.isra.33+0x1746/0x22e0 fs/exec.c:1816
         do_execve+0x31/0x40 fs/exec.c:1860
         call_usermodehelper_exec_async+0x457/0x8f0 kernel/umh.c:100
         ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

        Allocated by task 3700:
         save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459 [inline]
         kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
         kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3627
         kmalloc include/linux/slab.h:493 [inline]
         alloc_ldt_struct+0x52/0x140 arch/x86/kernel/ldt.c:67
         write_ldt+0x7b7/0xab0 arch/x86/kernel/ldt.c:277
         sys_modify_ldt+0x1ef/0x240 arch/x86/kernel/ldt.c:307
         entry_SYSCALL_64_fastpath+0x1f/0xbe

        Freed by task 3700:
         save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459 [inline]
         kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
         __cache_free mm/slab.c:3503 [inline]
         kfree+0xca/0x250 mm/slab.c:3820
         free_ldt_struct.part.2+0xdd/0x150 arch/x86/kernel/ldt.c:121
         free_ldt_struct arch/x86/kernel/ldt.c:173 [inline]
         destroy_context_ldt+0x60/0x80 arch/x86/kernel/ldt.c:171
         destroy_context arch/x86/include/asm/mmu_context.h:157 [inline]
         __mmdrop+0xe9/0x530 kernel/fork.c:889
         mmdrop include/linux/sched/mm.h:42 [inline]
         __mmput kernel/fork.c:916 [inline]
         mmput+0x541/0x6e0 kernel/fork.c:927
         copy_process.part.36+0x22e1/0x4af0 kernel/fork.c:1931
         copy_process kernel/fork.c:1546 [inline]
         _do_fork+0x1ef/0xfb0 kernel/fork.c:2025
         SYSC_clone kernel/fork.c:2135 [inline]
         SyS_clone+0x37/0x50 kernel/fork.c:2129
         do_syscall_64+0x26c/0x8c0 arch/x86/entry/common.c:287
         return_from_SYSCALL_64+0x0/0x7a

    Here is a C reproducer:

        #include <asm/ldt.h>
        #include <pthread.h>
        #include <signal.h>
        #include <stdlib.h>
        #include <sys/syscall.h>
        #include <sys/wait.h>
        #include <unistd.h>

        static void *fork_thread(void *_arg)
        {
            fork();
        }

        int main(void)
        {
            struct user_desc desc = { .entry_number = 8191 };

            syscall(__NR_modify_ldt, 1, &desc, sizeof(desc));

            for (;;) {
                if (fork() == 0) {
                    pthread_t t;

                    srand(getpid());
                    pthread_create(&t, NULL, fork_thread, NULL);
                    usleep(rand() % 10000);
                    syscall(__NR_exit_group, 0);
                }
                wait(NULL);
            }
        }

    Note: the reproducer takes advantage of the fact that alloc_ldt_struct()
    may use vmalloc() to allocate a large ->entries array, and after
    commit:

      5d17a73a2ebe ("vmalloc: back off when the current task is killed")

    it is possible for userspace to fail a task's vmalloc() by
    sending a fatal signal, e.g. via exit_group().  It would be more
    difficult to reproduce this bug on kernels without that commit.

    This bug only affected kernels with CONFIG_MODIFY_LDT_SYSCALL=y.

    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: <stable@vger.kernel.org> [v4.6+]
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Michal Hocko <mhocko@suse.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: linux-mm@kvack.org
    Fixes: 39a0526fb3f7 ("x86/mm: Factor out LDT init from context init")
    Link: http://lkml.kernel.org/r/20170824175029.76040-1-ebiggers3@gmail.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit adaba23ccd7d1625942f2c27612d2b416c87e011
Author: Andi Kleen <ak@linux.intel.com>
Date:   Sat Aug 25 06:50:15 2018 -0700

    x86/mm/pat: Fix L1TF stable backport for CPA

    Patch for stable only to fix boot resets caused by the L1TF patches.

    Stable trees reverted the following patch

    Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers"

        This reverts commit 87e2bd898d3a79a8c609f183180adac47879a2a4 which is
        commit edc3b9129cecd0f0857112136f5b8b1bc1d45918 upstream.

    but the L1TF patch backported here

       x86/mm/pat: Make set_memory_np() L1TF safe

        commit 958f79b9ee55dfaf00c8106ed1c22a2919e0028b upstream

        set_memory_np() is used to mark kernel mappings not present, but it has
        its own open coded mechanism which does not have the L1TF protection of
        inverting the address bits.

    assumed that cpa->pfn contains a PFN. With the above patch reverted
    it does not, which causes the PMD to be set to an incorrect address
    shifted by 12 bits, which can cause early boot reset on some
    systems, like an Apollo Lake embedded system.

    Convert the address to a PFN before passing it to pmd_pfn()

    Thanks to Bernhard for bisecting and testing.

    Cc: stable@vger.kernel.org # 4.4 and 4.9
    Reported-by: Bernhard Kaindl <bernhard.kaindl@thalesgroup.com>
    Tested-by: Bernhard Kaindl <bernhard.kaindl@thalesgroup.com>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0c73169690eb1d7d6f72a128a010bd84343e503a
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Aug 24 13:27:02 2018 +0200

    Linux 4.4.152

commit 712254045c02edf3dc21714337a23bf361d0c5ee
Author: Jann Horn <jannh@google.com>
Date:   Tue Aug 21 21:59:37 2018 -0700

    reiserfs: fix broken xattr handling (heap corruption, bad retval)

    commit a13f085d111e90469faf2d9965eb39b11c114d7e upstream.

    This fixes the following issues:

    - When a buffer size is supplied to reiserfs_listxattr() such that each
      individual name fits, but the concatenation of all names doesn't fit,
      reiserfs_listxattr() overflows the supplied buffer.  This leads to a
      kernel heap overflow (verified using KASAN) followed by an out-of-bounds
      usercopy and is therefore a security bug.

    - When a buffer size is supplied to reiserfs_listxattr() such that a
      name doesn't fit, -ERANGE should be returned.  But reiserfs instead just
      truncates the list of names; I have verified that if the only xattr on a
      file has a longer name than the supplied buffer length, listxattr()
      incorrectly returns zero.

    With my patch applied, -ERANGE is returned in both cases and the memory
    corruption doesn't happen anymore.

    Credit for making me clean this code up a bit goes to Al Viro, who pointed
    out that the ->actor calling convention is suboptimal and should be
    changed.

    Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
    Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers")
    Signed-off-by: Jann Horn <jannh@google.com>
    Acked-by: Jeff Mahoney <jeffm@suse.com>
    Cc: Eric Biggers <ebiggers@google.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
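The two listxattr behaviours described in the reiserfs commit above, as an added example (this is a model written for this page, not the reiserfs code or the patch): `list_names` checks each name against the space remaining and returns -ERANGE, while `flawed_overrun` only computes, without writing anything, what a per-name check against the whole buffer size would have allowed. All function names and the attribute names are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Corrected semantics: concatenate NUL-terminated names into buf.
 * buf == NULL or size == 0 is a size probe and returns the bytes needed.
 * Otherwise a name that does not fit in the REMAINING space yields
 * -ERANGE, and nothing is ever written past buf + size.
 */
ssize_t list_names(const char *const *names, size_t count,
                   char *buf, size_t size)
{
    int probe = (buf == NULL || size == 0);
    size_t pos = 0;

    for (size_t i = 0; i < count; i++) {
        size_t len = strlen(names[i]) + 1;      /* include the NUL */
        if (!probe) {
            if (len > size - pos)               /* pos <= size holds here */
                return -ERANGE;
            memcpy(buf + pos, names[i], len);
        }
        pos += len;
    }
    return (ssize_t)pos;
}

/*
 * Model of the flawed check: each name is compared with the whole
 * buffer size, ignoring bytes already used, and a name that is too
 * long is silently dropped. Arithmetic only, no buffer is touched.
 * Returns how many bytes past `size` would have been written and
 * stores the value such a routine would return in *ret.
 */
size_t flawed_overrun(const char *const *names, size_t count,
                      size_t size, ssize_t *ret)
{
    size_t pos = 0;

    for (size_t i = 0; i < count; i++) {
        size_t len = strlen(names[i]) + 1;
        if (len > size)
            continue;       /* list truncated instead of -ERANGE */
        pos += len;         /* no check against size - pos */
    }
    *ret = (ssize_t)pos;
    return pos > size ? pos - size : 0;
}

int main(void)
{
    /* Constructed sample attribute names: 11 + 10 + 11 = 32 bytes. */
    const char *names[] = { "user.alpha", "user.beta", "user.gamma" };
    const char *one[] = { "user.a_long_attribute_name" };
    char buf[64];
    ssize_t ret;

    printf("probe: %zd bytes needed\n", list_names(names, 3, NULL, 0));

    /* Case 1: each name fits in 16 bytes, the concatenation does not. */
    size_t over = flawed_overrun(names, 3, 16, &ret);
    printf("size 16, flawed: returns %zd, %zu bytes out of bounds\n",
           ret, over);
    printf("size 16, fixed:  returns %zd (-ERANGE is %d)\n",
           list_names(names, 3, buf, 16), -ERANGE);

    /* Case 2: the only name is longer than the buffer. */
    flawed_overrun(one, 1, 8, &ret);
    printf("size 8,  flawed: returns %zd (empty list)\n", ret);
    printf("size 8,  fixed:  returns %zd\n", list_names(one, 1, buf, 8));
    return 0;
}
```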

commit 6e57e6c67fd4b568b180fdbd5c14043d39fe6cda
Author: Esben Haabendal <eha@deif.com>
Date:   Thu Aug 16 10:43:12 2018 +0200

    i2c: imx: Fix race condition in dma read

    commit bed4ff1ed4d8f2ef5007c5c6ae1b29c5677a3632 upstream.

    This fixes a race condition, where the DMAEN bit ends up being set after
    I2C slave has transmitted a byte following the dummy read.  When that
    happens, an interrupt is generated instead, and no DMA request is generated
    to kickstart the DMA read, and a timeout happens after DMA_TIMEOUT (1 sec).

    Fixed by setting the DMAEN bit before the dummy read.

    Signed-off-by: Esben Haabendal <eha@deif.com>
    Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Cc: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 131412f4f6f52b72c3a099c9cdac5d9c6034c76c
Author: Lukas Wunner <lukas@wunner.de>
Date:   Thu Jul 19 17:27:32 2018 -0500

    PCI: pciehp: Fix use-after-free on unplug

    commit 281e878eab191cce4259abbbf1a0322e3adae02c upstream.

    When pciehp is unbound (e.g. on unplug of a Thunderbolt device), the
    hotplug_slot struct is deregistered and thus freed before freeing the
    IRQ.  The IRQ handler and the work items it schedules print the slot
    name referenced from the freed structure in various informational and
    debug log messages, each time resulting in a quadruple dereference of
    freed pointers (hotplug_slot -> pci_slot -> kobject -> name).

    At best the slot name is logged as "(null)", at worst kernel memory is
    exposed in logs or the driver crashes:

      pciehp 0000:10:00.0:pcie204: Slot((null)): Card not present

    An attacker may provoke the bug by unplugging multiple devices on a
    Thunderbolt daisy chain at once.  Unplugging can also be simulated by
    powering down slots via sysfs.  The bug is particularly easy to trigger
    in poll mode.

    It has been present since the driver's introduction in 2004:
    https://git.kernel.org/tglx/history/c/c16b4b14d980

    Fix by rearranging teardown such that the IRQ is freed first.  Run the
    work items queued by the IRQ handler to completion before freeing the
    hotplug_slot struct by draining the work queue from the ->release_slot
    callback which is invoked by pci_hp_deregister().

    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # v2.6.4
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cc7614a5e8ec4514aa27ee3874ad05a1057e644d
Author: Myron Stowe <myron.stowe@redhat.com>
Date:   Mon Aug 13 12:19:39 2018 -0600

    PCI: Skip MPS logic for Virtual Functions (VFs)

    commit 3dbe97efe8bf450b183d6dee2305cbc032e6b8a4 upstream.

    PCIe r4.0, sec 9.3.5.4, "Device Control Register", shows both
    Max_Payload_Size (MPS) and Max_Read_request_Size (MRRS) to be 'RsvdP' for
    VFs.  Just prior to the table it states:

      "PF and VF functionality is defined in Section 7.5.3.4 except where
       noted in Table 9-16.  For VF fields marked 'RsvdP', the PF setting
       applies to the VF."

    All of which implies that with respect to Max_Payload_Size Supported
    (MPSS), MPS, and MRRS values, we should not be paying any attention to the
    VF's fields, but rather only to the PF's.  Only looking at the PF's fields
    also logically makes sense as it's the sole physical interface to the PCIe
    bus.

    Link: https://bugzilla.kernel.org/show_bug.cgi?id=200527
    Fixes: 27d868b5e6cf ("PCI: Set MPS to match upstream bridge")
    Signed-off-by: Myron Stowe <myron.stowe@redhat.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # 4.3+
    Cc: Keith Busch <keith.busch@intel.com>
    Cc: Sinan Kaya <okaya@kernel.org>
    Cc: Dongdong Liu <liudongdong3@huawei.com>
    Cc: Jon Mason <jdmason@kudzu.us>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8837163ebeba0ab5cd82d8eb284060e0e3cb4a35
Author: Lukas Wunner <lukas@wunner.de>
Date:   Thu Jul 19 17:27:31 2018 -0500

    PCI: hotplug: Don't leak pci_slot on registration failure

    commit 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 upstream.

    If addition of sysfs files fails on registration of a hotplug slot, the
    struct pci_slot as well as the entry in the slot_list is leaked.  The
    issue has been present since the hotplug core was introduced in 2002:
    https://git.kernel.org/tglx/history/c/a8a2069f432c

    Perhaps the idea was that even though sysfs addition fails, the slot
    should still be usable.  But that's not how drivers use the interface,
    they abort probe if a non-zero value is returned.

    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # v2.4.15+
    Cc: Greg Kroah-Hartman <greg@kroah.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 400db6fe74317d64c920025ed4de2de7b3522230
Author: John David Anglin <dave.anglin@bell.net>
Date:   Sun Aug 12 16:31:17 2018 -0400

    parisc: Remove unnecessary barriers from spinlock.h

    commit 3b885ac1dc35b87a39ee176a6c7e2af9c789d8b8 upstream.

    Now that mb() is an instruction barrier, it will slow performance if we issue
    unnecessary barriers.

    The spinlock defines have a number of unnecessary barriers.  The __ldcw()
    define is both a hardware and compiler barrier.  The mb() barriers in the
    routines using __ldcw() serve no purpose.

    The only barrier needed is the one in arch_spin_unlock().  We need to ensure
    all accesses are complete prior to releasing the lock.

    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: stable@vger.kernel.org # 4.0+
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6d124ea608ac800f46100741f7ccd79791c061c8
Author: Elad Raz <eladr@mellanox.com>
Date:   Wed Jan 6 13:01:04 2016 +0100

    bridge: Propagate vlan add failure to user

    commit 08474cc1e6ea71237cab7e4a651a623c9dea1084 upstream.

    Disallow adding interfaces to a bridge when vlan filtering operation
    failed. Send the failure code to the user.

    Signed-off-by: Elad Raz <eladr@mellanox.com>
    Signed-off-by: Jiri Pirko <jiri@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 62c4e369c9b98480a4b75b3a74a962a6b298120b
Author: Willem de Bruijn <willemb@google.com>
Date:   Mon Aug 6 10:38:34 2018 -0400

    packet: refine ring v3 block size test to hold one frame

    commit 4576cd469d980317c4edd9173f8b694aa71ea3a3 upstream.

    TPACKET_V3 stores variable length frames in fixed length blocks.
    Blocks must be able to store a block header, optional private space
    and at least one minimum sized frame.

    Frames, even for a zero snaplen packet, store metadata headers and
    optional reserved space.

    In the block size bounds check, ensure that the frame of the
    chosen configuration fits. This includes sockaddr_ll and optional
    tp_reserve.

    Syzbot was able to construct a ring with insufficient room for the
    sockaddr_ll in the header of a zero-length frame, triggering an
    out-of-bounds write in dev_parse_header.

    Convert the comparison to less than, as zero is a valid snap len.
    This matches the test for minimum tp_frame_size immediately below.

    Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
    Fixes: eb73190f4fbe ("net/packet: refine check for priv area size")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 76cb5cc66114d2758796198fca7f3387a6f24b75
Author: Florian Westphal <fw@strlen.de>
Date:   Tue Jul 17 21:03:15 2018 +0200

    netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state

    commit 6613b6173dee098997229caf1f3b961c49da75e6 upstream.

    When first DCCP packet is SYNC or SYNCACK, we insert a new conntrack
    that has an un-initialized timeout value, i.e. such entry could be
    reaped at any time.

    Mark them as INVALID and only ignore SYNC/SYNCACK when connection had
    an old state.

    Reported-by: syzbot+6f18401420df260e37ed@syzkaller.appspotmail.com
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3e6170d014af6d3e9608987a0dee6e7f01c074b3
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Jun 18 21:35:07 2018 -0700

    xfrm_user: prevent leaking 2 bytes of kernel memory

    commit 45c180bc29babbedd6b8c01b975780ef44d9d09c upstream.

    struct xfrm_userpolicy_type has two holes, so we should not
    use C99 style initializer.

    KMSAN report:

    BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
    BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
    CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x185/0x1d0 lib/dump_stack.c:113
     kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
     kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
     kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
     copyout lib/iov_iter.c:140 [inline]
     _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
     copy_to_iter include/linux/uio.h:106 [inline]
     skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
     skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
     netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
     sock_recvmsg_nosec net/socket.c:802 [inline]
     sock_recvmsg+0x1d6/0x230 net/socket.c:809
     ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
     __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
     do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
     __do_sys_recvmmsg net/socket.c:2485 [inline]
     __se_sys_recvmmsg net/socket.c:2481 [inline]
     __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
     do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x446ce9
    RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
    RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
    RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
    RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
    R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
    R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001

    Uninit was stored to memory at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
     kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
     kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
     kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
     __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
     __nla_put lib/nlattr.c:569 [inline]
     nla_put+0x276/0x340 lib/nlattr.c:627
     copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
     dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
     xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
     xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
     netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
     __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
     netlink_dump_start include/linux/netlink.h:214 [inline]
     xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
     netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
     xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
     netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
     netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
     netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
     sock_sendmsg_nosec net/socket.c:629 [inline]
     sock_sendmsg net/socket.c:639 [inline]
     ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
     __sys_sendmsg net/socket.c:2155 [inline]
     __do_sys_sendmsg net/socket.c:2164 [inline]
     __se_sys_sendmsg net/socket.c:2162 [inline]
     __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
     do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    Local variable description: ----upt.i@dump_one_policy
    Variable was created at:
     dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
     xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013

    Byte 130 of 137 is uninitialized
    Memory access starts at ffff88019550407f

    Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 49b3acf…
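
The two holes named in the xfrm_user commit message above, shown as an added example (not code from the kernel or from any of the referenced commits): it maps the padding bytes of the structure and compares member-only initialisation against clearing the whole object first. The struct name `userpolicy_type`, its stdint-typed field layout (assumed to mirror `struct xfrm_userpolicy_type`), the poison value and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, modelled on struct xfrm_userpolicy_type and re-declared
 * with stdint types so the example builds without kernel headers. */
struct userpolicy_type {
    uint8_t  type;       /* offset 0 */
                         /* 1-byte hole: reserved1 needs 2-byte alignment */
    uint16_t reserved1;  /* offset 2 */
    uint8_t  reserved2;  /* offset 4 */
                         /* 1-byte tail hole, sizeof is 6 */
};

#define OBJ_SIZE sizeof(struct userpolicy_type)
#define POISON   0xAA    /* constructed stand-in for stale stack contents */

typedef void (*init_fn)(unsigned char *obj, uint8_t type);

/* Mark each byte of the object as member (1) or padding (0). */
void member_map(unsigned char *map)
{
    memset(map, 0, OBJ_SIZE);
    memset(map + offsetof(struct userpolicy_type, type), 1, sizeof(uint8_t));
    memset(map + offsetof(struct userpolicy_type, reserved1), 1, sizeof(uint16_t));
    memset(map + offsetof(struct userpolicy_type, reserved2), 1, sizeof(uint8_t));
}

/* Number of bytes in the object that belong to no member. */
size_t padding_bytes(void)
{
    unsigned char map[OBJ_SIZE];
    size_t i, holes = 0;

    member_map(map);
    for (i = 0; i < OBJ_SIZE; i++)
        holes += (map[i] == 0);
    return holes;
}

/* Worst case of initialising the members only: every member is written,
 * the holes keep whatever was in the storage before. A designated
 * initialiser guarantees the members; the holes are up to the compiler. */
void init_members_only(unsigned char *obj, uint8_t type)
{
    const uint16_t r1 = 0;
    const uint8_t r2 = 0;

    memcpy(obj + offsetof(struct userpolicy_type, type), &type, sizeof(type));
    memcpy(obj + offsetof(struct userpolicy_type, reserved1), &r1, sizeof(r1));
    memcpy(obj + offsetof(struct userpolicy_type, reserved2), &r2, sizeof(r2));
}

/* Hardened pattern: clear the whole object, holes included, then assign. */
void init_memset_first(unsigned char *obj, uint8_t type)
{
    memset(obj, 0, OBJ_SIZE);
    memcpy(obj + offsetof(struct userpolicy_type, type), &type, sizeof(type));
}

/* Poison a slot, initialise it with the given routine, copy the whole
 * object out (a sizeof-based copy takes the holes along) and count how
 * many stale bytes reached the reader. */
size_t stale_bytes_copied_out(init_fn init, uint8_t type)
{
    unsigned char obj[OBJ_SIZE];
    unsigned char out[OBJ_SIZE];
    size_t i, stale = 0;

    memset(obj, POISON, OBJ_SIZE);
    init(obj, type);
    memcpy(out, obj, OBJ_SIZE);
    for (i = 0; i < OBJ_SIZE; i++)
        stale += (out[i] == POISON);
    return stale;
}

int main(void)
{
    printf("sizeof=%zu padding=%zu\n", OBJ_SIZE, padding_bytes());
    printf("members only: %zu stale bytes copied out\n",
           stale_bytes_copied_out(init_members_only, 1));
    printf("memset first: %zu stale bytes copied out\n",
           stale_bytes_copied_out(init_memset_first, 1));
    return 0;
}
```

The same audit applies to any structure copied to a less privileged reader with a `sizeof`-based length: if `padding_bytes()` is non-zero for its layout, the object needs a full clear before the members are assigned.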

Panchajanya1999 added a commit to Panchajanya1999/kernel_asus_x00t that referenced this issue Sep 1, 2018

Merge ASUS 323 Changes
* Revert "icnss: Remove sending uevent after FW ready"

This reverts commit dabc56ff4434cac9b64a0d6dbbf9f2f2bb12e9d1.

* Merge ASUS 323 Changes

commit 1153c838bcd7fd93b3599047c548ae5a10e47d82
Author: SagarMakhar <sagarmakhar@gmail.com>
Date:   Thu Aug 30 16:53:41 2018 +0000

    Revert "icnss: Remove sending uevent after FW ready"

    This reverts commit dabc56ff4434cac9b64a0d6dbbf9f2f2bb12e9d1.

commit 6dc7b5e491c44135f14c14946a1873df4ebd74e8
Merge: 2e3cb1cde573 6bc76c807ae7
Author: SagarMakhar <sagarmakhar@gmail.com>
Date:   Thu Aug 30 16:13:44 2018 +0000

    Merge https://github.com/android-linux-stable/msm-4.4 into lineage-15.1_S323

commit 6bc76c807ae760576837b0719a995835196ff668
Merge: c1208ec20032 577189c37a84
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Mon Aug 27 22:48:36 2018 -0700

    Merge 4.4.153 into kernel.lnx.4.4.r27-rel

    Changes in 4.4.153: (6 commits)
            x86/mm/pat: Fix L1TF stable backport for CPA
            x86/mm: Fix use-after-free of ldt_struct
            ovl: Ensure upper filesystem supports d_type
            ovl: Do d_type check only if work dir creation was successful
            ovl: warn instead of error if d_type is not supported
            Linux 4.4.153

    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>

commit 577189c37a844243359afce1c3c94418259fe696
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Aug 28 07:23:44 2018 +0200

    Linux 4.4.153

commit 7eaa995c75bd23b57163541c3285a2c984018b7e
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Fri Jul 1 10:02:44 2016 -0400

    ovl: warn instead of error if d_type is not supported

    commit e7c0b5991dd1be7b6f6dc2b54a15a0f47b64b007 upstream.

    overlay needs underlying fs to support d_type. Recently I put in a
    patch in to detect this condition and started failing mount if
    underlying fs did not support d_type.

    But this breaks existing configurations over kernel upgrade. Those who
    are running docker (partially broken configuration) with xfs not
    supporting d_type, are surprised that after kernel upgrade docker does
    not run anymore.

    https://github.com/docker/docker/issues/22937#issuecomment-229881315

    So instead of erroring out, detect broken configuration and warn
    about it. This should allow existing docker setups to continue
    working after kernel upgrade.

    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Fixes: 45aebeaf4f67 ("ovl: Ensure upper filesystem supports d_type")
    Cc: <stable@vger.kernel.org> 4.6
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0f9a6d88cd9f3b16a86639bd652202fe27096b18
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Fri May 20 09:04:26 2016 -0400

    ovl: Do d_type check only if work dir creation was successful

    commit 21765194cecf2e4514ad75244df459f188140a0f upstream.

    d_type check requires successful creation of workdir as it iterates
    through work dir and expects work dir to be present in it. If that's
    not the case, this check will always return d_type not supported even
    if underlying filesystem might be supporting it.

    So don't do this check if work dir creation failed in previous step.

    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d5e678942de33a5d8545a8b7c825eb93b57be1a9
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Mon Feb 22 09:28:34 2016 -0500

    ovl: Ensure upper filesystem supports d_type

    commit 45aebeaf4f67468f76bedf62923a576a519a9b68 upstream.

    In some instances xfs has been created with ftype=0 and there if a file
    on lower fs is removed, overlay leaves a whiteout in upper fs but that
    whiteout does not get filtered out and is visible to overlayfs users.

    And reason it does not get filtered out because upper filesystem does
    not report file type of whiteout as DT_CHR during iterate_dir().

    So it seems to be a requirement that upper filesystem support d_type for
    overlayfs to work properly. Do this check during mount and fail if d_type
    is not supported.

    Suggested-by: Dave Chinner <dchinner@redhat.com>
    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f9866720724db8a163cf305fc907cdab0b38fa09
Author: Eric Biggers <ebiggers@google.com>
Date:   Thu Aug 24 10:50:29 2017 -0700

    x86/mm: Fix use-after-free of ldt_struct

    commit ccd5b3235180eef3cfec337df1c8554ab151b5cc upstream.

    The following commit:

      39a0526fb3f7 ("x86/mm: Factor out LDT init from context init")

    renamed init_new_context() to init_new_context_ldt() and added a new
    init_new_context() which calls init_new_context_ldt().  However, the
    error code of init_new_context_ldt() was ignored.  Consequently, if a
    memory allocation in alloc_ldt_struct() failed during a fork(), the
    ->context.ldt of the new task remained the same as that of the old task
    (due to the memcpy() in dup_mm()).  ldt_struct's are not intended to be
    shared, so a use-after-free occurred after one task exited.

    Fix the bug by making init_new_context() pass through the error code of
    init_new_context_ldt().

    This bug was found by syzkaller, which encountered the following splat:

        BUG: KASAN: use-after-free in free_ldt_struct.part.2+0x10a/0x150 arch/x86/kernel/ldt.c:116
        Read of size 4 at addr ffff88006d2cb7c8 by task kworker/u9:0/3710

        CPU: 1 PID: 3710 Comm: kworker/u9:0 Not tainted 4.13.0-rc4-next-20170811 #2
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Call Trace:
         __dump_stack lib/dump_stack.c:16 [inline]
         dump_stack+0x194/0x257 lib/dump_stack.c:52
         print_address_description+0x73/0x250 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351 [inline]
         kasan_report+0x24e/0x340 mm/kasan/report.c:409
         __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
         free_ldt_struct.part.2+0x10a/0x150 arch/x86/kernel/ldt.c:116
         free_ldt_struct arch/x86/kernel/ldt.c:173 [inline]
         destroy_context_ldt+0x60/0x80 arch/x86/kernel/ldt.c:171
         destroy_context arch/x86/include/asm/mmu_context.h:157 [inline]
         __mmdrop+0xe9/0x530 kernel/fork.c:889
         mmdrop include/linux/sched/mm.h:42 [inline]
         exec_mmap fs/exec.c:1061 [inline]
         flush_old_exec+0x173c/0x1ff0 fs/exec.c:1291
         load_elf_binary+0x81f/0x4ba0 fs/binfmt_elf.c:855
         search_binary_handler+0x142/0x6b0 fs/exec.c:1652
         exec_binprm fs/exec.c:1694 [inline]
         do_execveat_common.isra.33+0x1746/0x22e0 fs/exec.c:1816
         do_execve+0x31/0x40 fs/exec.c:1860
         call_usermodehelper_exec_async+0x457/0x8f0 kernel/umh.c:100
         ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

        Allocated by task 3700:
         save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459 [inline]
         kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
         kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3627
         kmalloc include/linux/slab.h:493 [inline]
         alloc_ldt_struct+0x52/0x140 arch/x86/kernel/ldt.c:67
         write_ldt+0x7b7/0xab0 arch/x86/kernel/ldt.c:277
         sys_modify_ldt+0x1ef/0x240 arch/x86/kernel/ldt.c:307
         entry_SYSCALL_64_fastpath+0x1f/0xbe

        Freed by task 3700:
         save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459 [inline]
         kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
         __cache_free mm/slab.c:3503 [inline]
         kfree+0xca/0x250 mm/slab.c:3820
         free_ldt_struct.part.2+0xdd/0x150 arch/x86/kernel/ldt.c:121
         free_ldt_struct arch/x86/kernel/ldt.c:173 [inline]
         destroy_context_ldt+0x60/0x80 arch/x86/kernel/ldt.c:171
         destroy_context arch/x86/include/asm/mmu_context.h:157 [inline]
         __mmdrop+0xe9/0x530 kernel/fork.c:889
         mmdrop include/linux/sched/mm.h:42 [inline]
         __mmput kernel/fork.c:916 [inline]
         mmput+0x541/0x6e0 kernel/fork.c:927
         copy_process.part.36+0x22e1/0x4af0 kernel/fork.c:1931
         copy_process kernel/fork.c:1546 [inline]
         _do_fork+0x1ef/0xfb0 kernel/fork.c:2025
         SYSC_clone kernel/fork.c:2135 [inline]
         SyS_clone+0x37/0x50 kernel/fork.c:2129
         do_syscall_64+0x26c/0x8c0 arch/x86/entry/common.c:287
         return_from_SYSCALL_64+0x0/0x7a

    Here is a C reproducer:

        #include <asm/ldt.h>
        #include <pthread.h>
        #include <signal.h>
        #include <stdlib.h>
        #include <sys/syscall.h>
        #include <sys/wait.h>
        #include <unistd.h>

        static void *fork_thread(void *_arg)
        {
            fork();
        }

        int main(void)
        {
            struct user_desc desc = { .entry_number = 8191 };

            syscall(__NR_modify_ldt, 1, &desc, sizeof(desc));

            for (;;) {
                if (fork() == 0) {
                    pthread_t t;

                    srand(getpid());
                    pthread_create(&t, NULL, fork_thread, NULL);
                    usleep(rand() % 10000);
                    syscall(__NR_exit_group, 0);
                }
                wait(NULL);
            }
        }

    Note: the reproducer takes advantage of the fact that alloc_ldt_struct()
    may use vmalloc() to allocate a large ->entries array, and after
    commit:

      5d17a73a2ebe ("vmalloc: back off when the current task is killed")

    it is possible for userspace to fail a task's vmalloc() by
    sending a fatal signal, e.g. via exit_group().  It would be more
    difficult to reproduce this bug on kernels without that commit.

    This bug only affected kernels with CONFIG_MODIFY_LDT_SYSCALL=y.

    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: <stable@vger.kernel.org> [v4.6+]
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Michal Hocko <mhocko@suse.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: linux-mm@kvack.org
    Fixes: 39a0526fb3f7 ("x86/mm: Factor out LDT init from context init")
    Link: http://lkml.kernel.org/r/20170824175029.76040-1-ebiggers3@gmail.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit adaba23ccd7d1625942f2c27612d2b416c87e011
Author: Andi Kleen <ak@linux.intel.com>
Date:   Sat Aug 25 06:50:15 2018 -0700

    x86/mm/pat: Fix L1TF stable backport for CPA

    Patch for stable only to fix boot resets caused by the L1TF patches.

    Stable trees reverted the following patch

    Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers"

        This reverts commit 87e2bd898d3a79a8c609f183180adac47879a2a4 which is
        commit edc3b9129cecd0f0857112136f5b8b1bc1d45918 upstream.

    but the L1TF patch backported here

       x86/mm/pat: Make set_memory_np() L1TF safe

        commit 958f79b9ee55dfaf00c8106ed1c22a2919e0028b upstream

        set_memory_np() is used to mark kernel mappings not present, but it has
        its own open coded mechanism which does not have the L1TF protection of
        inverting the address bits.

    assumed that cpa->pfn contains a PFN. With the above patch reverted
    it does not, which causes the PMD to be set to an incorrect address
    shifted by 12 bits, which can cause early boot reset on some
    systems, like an Apollo Lake embedded system.

    Convert the address to a PFN before passing it to pmd_pfn()

    Thanks to Bernhard for bisecting and testing.

    Cc: stable@vger.kernel.org # 4.4 and 4.9
    Reported-by: Bernhard Kaindl <bernhard.kaindl@thalesgroup.com>
    Tested-by: Bernhard Kaindl <bernhard.kaindl@thalesgroup.com>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c1208ec20032cc152136c0098fb02bb63f0f4abd
Merge: 341dfcca5199 0c73169690eb
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Fri Aug 24 07:50:04 2018 -0700

    Merge 4.4.152 into kernel.lnx.4.4.r27-rel

    Changes in 4.4.152: (79 commits)
            ARC: Explicitly add -mmedium-calls to CFLAGS
            netfilter: ipv6: nf_defrag: reduce struct net memory waste
            selftests: pstore: return Kselftest Skip code for skipped tests
            selftests: static_keys: return Kselftest Skip code for skipped tests
            selftests: user: return Kselftest Skip code for skipped tests
            selftests: zram: return Kselftest Skip code for skipped tests
            selftests: sync: add config fragment for testing sync framework
            ARM: dts: Cygnus: Fix I2C controller interrupt type
            usb: dwc2: fix isoc split in transfer with no data
            usb: gadget: composite: fix delayed_status race condition when set_interface
            usb: gadget: dwc2: fix memory leak in gadget_init()
            scsi: xen-scsifront: add error handling for xenbus_printf
            arm64: make secondary_start_kernel() notrace
            qed: Add sanity check for SIMD fastpath handler.
            enic: initialize enic->rfs_h.lock in enic_probe
            net: hamradio: use eth_broadcast_addr
            net: propagate dev_get_valid_name return code
            ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP
            net: davinci_emac: match the mdio device against its compatible if possible
            locking/lockdep: Do not record IRQ state within lockdep code
            ipv6: mcast: fix unsolicited report interval after receiving querys
            Smack: Mark inode instant in smack_task_to_inode
            cxgb4: when disabling dcb set txq dcb priority to 0
            brcmfmac: stop watchdog before detach and free everything
            ARM: dts: am437x: make edt-ft5x06 a wakeup source
            usb: xhci: increase CRS timeout value
            perf test session topology: Fix test on s390
            perf report powerpc: Fix crash if callchain is empty
            selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs
            ARM: dts: da850: Fix interrups property for gpio
            dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()
            md/raid10: fix that replacement cannot complete recovery after reassemble
            drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes
            drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes
            drm/exynos: decon5433: Fix WINCONx reset value
            bnx2x: Fix receiving tx-timeout in error or recovery state.
            m68k: fix "bad page state" oops on ColdFire boot
            HID: wacom: Correct touch maximum XY of 2nd-gen Intuos
            ARM: imx_v6_v7_defconfig: Select ULPI support
            ARM: imx_v4_v5_defconfig: Select ULPI support
            tracing: Use __printf markup to silence compiler
            kasan: fix shadow_size calculation error in kasan_module_alloc
            smsc75xx: Add workaround for gigabit link up hardware errata.
            netfilter: x_tables: set module owner for icmp(6) matches
            ARM: pxa: irq: fix handling of ICMR registers in suspend/resume
            ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem
            ieee802154: at86rf230: use __func__ macro for debug messages
            ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem
            drm/armada: fix colorkey mode property
            bnxt_en: Fix for system hang if request_irq fails
            perf llvm-utils: Remove bashism from kernel include fetch script
            ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot
            ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller
            ixgbe: Be more careful when modifying MAC filters
            packet: reset network header if packet shorter than ll reserved space
            qlogic: check kstrtoul() for errors
            tcp: remove DELAYED ACK events in DCTCP
            drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()
            net/ethernet/freescale/fman: fix cross-build error
            net: usb: rtl8150: demote allmulti message to dev_dbg()
            net: qca_spi: Avoid packet drop during initial sync
            net: qca_spi: Make sure the QCA7000 reset is triggered
            net: qca_spi: Fix log level if probe fails
            tcp: identify cryptic messages as TCP seq # bugs
            staging: android: ion: check for kref overflow
            KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer
            ext4: fix spectre gadget in ext4_mb_regular_allocator()
            parisc: Remove ordered stores from syscall.S
            xfrm_user: prevent leaking 2 bytes of kernel memory
            netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state
            packet: refine ring v3 block size test to hold one frame
            bridge: Propagate vlan add failure to user
            parisc: Remove unnecessary barriers from spinlock.h
            PCI: hotplug: Don't leak pci_slot on registration failure
            PCI: Skip MPS logic for Virtual Functions (VFs)
            PCI: pciehp: Fix use-after-free on unplug
            i2c: imx: Fix race condition in dma read
            reiserfs: fix broken xattr handling (heap corruption, bad retval)
            Linux 4.4.152

    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>

    Conflicts:
    	drivers/staging/android/ion/ion.c

commit 0c73169690eb1d7d6f72a128a010bd84343e503a
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Aug 24 13:27:02 2018 +0200

    Linux 4.4.152

commit 712254045c02edf3dc21714337a23bf361d0c5ee
Author: Jann Horn <jannh@google.com>
Date:   Tue Aug 21 21:59:37 2018 -0700

    reiserfs: fix broken xattr handling (heap corruption, bad retval)

    commit a13f085d111e90469faf2d9965eb39b11c114d7e upstream.

    This fixes the following issues:

    - When a buffer size is supplied to reiserfs_listxattr() such that each
      individual name fits, but the concatenation of all names doesn't fit,
      reiserfs_listxattr() overflows the supplied buffer.  This leads to a
      kernel heap overflow (verified using KASAN) followed by an out-of-bounds
      usercopy and is therefore a security bug.

    - When a buffer size is supplied to reiserfs_listxattr() such that a
      name doesn't fit, -ERANGE should be returned.  But reiserfs instead just
      truncates the list of names; I have verified that if the only xattr on a
      file has a longer name than the supplied buffer length, listxattr()
      incorrectly returns zero.

    With my patch applied, -ERANGE is returned in both cases and the memory
    corruption doesn't happen anymore.

    Credit for making me clean this code up a bit goes to Al Viro, who pointed
    out that the ->actor calling convention is suboptimal and should be
    changed.

    Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
    Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers")
    Signed-off-by: Jann Horn <jannh@google.com>
    Acked-by: Jeff Mahoney <jeffm@suse.com>
    Cc: Eric Biggers <ebiggers@google.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6e57e6c67fd4b568b180fdbd5c14043d39fe6cda
Author: Esben Haabendal <eha@deif.com>
Date:   Thu Aug 16 10:43:12 2018 +0200

    i2c: imx: Fix race condition in dma read

    commit bed4ff1ed4d8f2ef5007c5c6ae1b29c5677a3632 upstream.

    This fixes a race condition, where the DMAEN bit ends up being set after
    I2C slave has transmitted a byte following the dummy read.  When that
    happens, an interrupt is generated instead, and no DMA request is generated
    to kickstart the DMA read, and a timeout happens after DMA_TIMEOUT (1 sec).

    Fixed by setting the DMAEN bit before the dummy read.

    Signed-off-by: Esben Haabendal <eha@deif.com>
    Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Cc: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 131412f4f6f52b72c3a099c9cdac5d9c6034c76c
Author: Lukas Wunner <lukas@wunner.de>
Date:   Thu Jul 19 17:27:32 2018 -0500

    PCI: pciehp: Fix use-after-free on unplug

    commit 281e878eab191cce4259abbbf1a0322e3adae02c upstream.

    When pciehp is unbound (e.g. on unplug of a Thunderbolt device), the
    hotplug_slot struct is deregistered and thus freed before freeing the
    IRQ.  The IRQ handler and the work items it schedules print the slot
    name referenced from the freed structure in various informational and
    debug log messages, each time resulting in a quadruple dereference of
    freed pointers (hotplug_slot -> pci_slot -> kobject -> name).

    At best the slot name is logged as "(null)", at worst kernel memory is
    exposed in logs or the driver crashes:

      pciehp 0000:10:00.0:pcie204: Slot((null)): Card not present

    An attacker may provoke the bug by unplugging multiple devices on a
    Thunderbolt daisy chain at once.  Unplugging can also be simulated by
    powering down slots via sysfs.  The bug is particularly easy to trigger
    in poll mode.

    It has been present since the driver's introduction in 2004:
    https://git.kernel.org/tglx/history/c/c16b4b14d980

    Fix by rearranging teardown such that the IRQ is freed first.  Run the
    work items queued by the IRQ handler to completion before freeing the
    hotplug_slot struct by draining the work queue from the ->release_slot
    callback which is invoked by pci_hp_deregister().

    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # v2.6.4
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cc7614a5e8ec4514aa27ee3874ad05a1057e644d
Author: Myron Stowe <myron.stowe@redhat.com>
Date:   Mon Aug 13 12:19:39 2018 -0600

    PCI: Skip MPS logic for Virtual Functions (VFs)

    commit 3dbe97efe8bf450b183d6dee2305cbc032e6b8a4 upstream.

    PCIe r4.0, sec 9.3.5.4, "Device Control Register", shows both
    Max_Payload_Size (MPS) and Max_Read_request_Size (MRRS) to be 'RsvdP' for
    VFs.  Just prior to the table it states:

      "PF and VF functionality is defined in Section 7.5.3.4 except where
       noted in Table 9-16.  For VF fields marked 'RsvdP', the PF setting
       applies to the VF."

    All of which implies that with respect to Max_Payload_Size Supported
    (MPSS), MPS, and MRRS values, we should not be paying any attention to the
    VF's fields, but rather only to the PF's.  Only looking at the PF's fields
    also logically makes sense as it's the sole physical interface to the PCIe
    bus.

    Link: https://bugzilla.kernel.org/show_bug.cgi?id=200527
    Fixes: 27d868b5e6cf ("PCI: Set MPS to match upstream bridge")
    Signed-off-by: Myron Stowe <myron.stowe@redhat.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # 4.3+
    Cc: Keith Busch <keith.busch@intel.com>
    Cc: Sinan Kaya <okaya@kernel.org>
    Cc: Dongdong Liu <liudongdong3@huawei.com>
    Cc: Jon Mason <jdmason@kudzu.us>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8837163ebeba0ab5cd82d8eb284060e0e3cb4a35
Author: Lukas Wunner <lukas@wunner.de>
Date:   Thu Jul 19 17:27:31 2018 -0500

    PCI: hotplug: Don't leak pci_slot on registration failure

    commit 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 upstream.

    If addition of sysfs files fails on registration of a hotplug slot, the
    struct pci_slot as well as the entry in the slot_list is leaked.  The
    issue has been present since the hotplug core was introduced in 2002:
    https://git.kernel.org/tglx/history/c/a8a2069f432c

    Perhaps the idea was that even though sysfs addition fails, the slot
    should still be usable.  But that's not how drivers use the interface,
    they abort probe if a non-zero value is returned.

    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # v2.4.15+
    Cc: Greg Kroah-Hartman <greg@kroah.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 400db6fe74317d64c920025ed4de2de7b3522230
Author: John David Anglin <dave.anglin@bell.net>
Date:   Sun Aug 12 16:31:17 2018 -0400

    parisc: Remove unnecessary barriers from spinlock.h

    commit 3b885ac1dc35b87a39ee176a6c7e2af9c789d8b8 upstream.

    Now that mb() is an instruction barrier, it will slow performance if we issue
    unnecessary barriers.

    The spinlock defines have a number of unnecessary barriers.  The __ldcw()
    define is both a hardware and compiler barrier.  The mb() barriers in the
    routines using __ldcw() serve no purpose.

    The only barrier needed is the one in arch_spin_unlock().  We need to ensure
    all accesses are complete prior to releasing the lock.

    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: stable@vger.kernel.org # 4.0+
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6d124ea608ac800f46100741f7ccd79791c061c8
Author: Elad Raz <eladr@mellanox.com>
Date:   Wed Jan 6 13:01:04 2016 +0100

    bridge: Propagate vlan add failure to user

    commit 08474cc1e6ea71237cab7e4a651a623c9dea1084 upstream.

    Disallow adding interfaces to a bridge when vlan filtering operation
    failed. Send the failure code to the user.

    Signed-off-by: Elad Raz <eladr@mellanox.com>
    Signed-off-by: Jiri Pirko <jiri@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 62c4e369c9b98480a4b75b3a74a962a6b298120b
Author: Willem de Bruijn <willemb@google.com>
Date:   Mon Aug 6 10:38:34 2018 -0400

    packet: refine ring v3 block size test to hold one frame

    commit 4576cd469d980317c4edd9173f8b694aa71ea3a3 upstream.

    TPACKET_V3 stores variable length frames in fixed length blocks.
    Blocks must be able to store a block header, optional private space
    and at least one minimum sized frame.

    Frames, even for a zero snaplen packet, store metadata headers and
    optional reserved space.

    In the block size bounds check, ensure that the frame of the
    chosen configuration fits. This includes sockaddr_ll and optional
    tp_reserve.

    Syzbot was able to construct a ring with insufficient room for the
    sockaddr_ll in the header of a zero-length frame, triggering an
    out-of-bounds write in dev_parse_header.

    Convert the comparison to less than, as zero is a valid snap len.
    This matches the test for minimum tp_frame_size immediately below.

    Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
    Fixes: eb73190f4fbe ("net/packet: refine check for priv area size")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 76cb5cc66114d2758796198fca7f3387a6f24b75
Author: Florian Westphal <fw@strlen.de>
Date:   Tue Jul 17 21:03:15 2018 +0200

    netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state

    commit 6613b6173dee098997229caf1f3b961c49da75e6 upstream.

    When first DCCP packet is SYNC or SYNCACK, we insert a new conntrack
    that has an un-initialized timeout value, i.e. such entry could be
    reaped at any time.

    Mark them as INVALID and only ignore SYNC/SYNCACK when connection had
    an old state.

    Reported-by: syzbot+6f18401420df260e37ed@syzkaller.appspotmail.com
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3e6170d014af6d3e9608987a0dee6e7f01c074b3
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Jun 18 21:35:07 2018 -0700

    xfrm_user: prevent leaking 2 bytes of kernel memory

    commit 45c180bc29babbedd6b8c01b975780ef44d9d09c upstream.

    struct xfrm_userpolicy_type has two holes, so we should not
    use C99 style initializer.

    KMSAN report:

    BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
    BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
    CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x185/0x1d0 lib/dump_stack.c:113
     kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
     kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
     kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
     copyout lib/iov_iter.c:140 [inline]
     _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
     copy_to_iter include/linux/uio.h:106 [inline]
     skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
     skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
     netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
     sock_recvmsg_nosec net/socket.c:802 [inline]
     sock_recvmsg+0x1d6/0x230 net/socket.c:809
     ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
     __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
     do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
     __do_sys_recvmmsg net/socket.c:2485 [inline]
     __se_sys_recvmmsg net/socket.c:2481 [inline]
     __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
     do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x446ce9
    RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
    RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
    RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
    RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
    R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
    R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001

    Uninit was stored to memory at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
     kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
     kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
     kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
     __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
     __nla_put lib/nlattr.c:569 [inline]
     nla_put+0x276/0x340 lib/nlattr.c:627
     copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
     dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
     xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
     xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
     netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
     __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
     netlink_dump_start include/linux/netlink.h:214 [inline]
     xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
     netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
     xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
     netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
     netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
     netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
     sock_sendmsg_nosec net/socket.c:629 [inline]
     sock_sendmsg net/socket.c:639 [inline]
     ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
     __sys_sendmsg net/socket.c:2155 [inline]
     __do_sys_sendmsg net/socket.c:2164 [inline]
     __se_sys_sendmsg net/socket.c:2162 [inline]
     __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
     do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    Local variable description: ----upt.i@dump_one_policy
    Variable was created at:
     dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
     xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013

    Byte 130 of 137 is uninitialized
    Memory access starts at ffff88019550407f

    Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 49b3acf7ed1997af70ab95d95995eb2a1a6fdf93
Author: John David Anglin <dave.anglin@bell.net>
Date:   Sun Aug 12 16:38:03 2018 -0400

    parisc: Remove ordered stores from syscall.S

    commit 7797167ffde1f00446301cb22b37b7c03194cfaf upstream.

    Now that we use a sync prior to releasing the locks in syscall.S, we don't need
    the PA 2.0 ordered stores used to release some locks.  Using an ordered store
    potentially slows the release and subsequent code.

    There are a number of other ordered stores and loads that serve no purpose.  I
    have converted these to normal stores.

    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: stable@vger.kernel.org # 4.0+
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a89f83823b97b6da1ecf7a51184b28822e78cc07
Author: Jeremy Cline <jcline@redhat.com>
Date:   Thu Aug 2 00:03:40 2018 -0400

    ext4: fix spectre gadget in ext4_mb_regular_allocator()

    commit 1a5d5e5d51e75a5bca67dadbcea8c841934b7b85 upstream.

    'ac->ac_g_ex.fe_len' is a user-controlled value which is used in the
    derivation of 'ac->ac_2order'. 'ac->ac_2order', in turn, is used to
    index arrays which makes it a potential spectre gadget. Fix this by
    sanitizing the value assigned to 'ac->ac_2order'.  This covers the
    following accesses found with the help of smatch:

    * fs/ext4/mballoc.c:1896 ext4_mb_simple_scan_group() warn: potential
      spectre issue 'grp->bb_counters' [w] (local cap)

    * fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue
      'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap)

    * fs/ext4/mballoc.c:446 mb_find_buddy() warn: potential spectre issue
      'EXT4_SB(e4b->bd_sb)->s_mb_maxs' [r] (local cap)

    Suggested-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: Jeremy Cline <jcline@redhat.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1186a6ea75df00ec27b9cf2c5d0a5e4298739301
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Mon May 28 13:31:13 2018 +0200

    KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer

    commit 9432a3175770e06cb83eada2d91fac90c977cb99 upstream.

    A comment warning against this bug is there, but the code is not doing what
    the comment says.  Therefore it is possible that an EPOLLHUP races against
    irq_bypass_register_consumer.  The EPOLLHUP handler schedules irqfd_shutdown,
    and if that runs soon enough, you get a use-after-free.

    Reported-by: syzbot <syzkaller@googlegroups.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Reviewed-by: David Hildenbrand <david@redhat.com>
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b84ec04bae905901f5226a67968dabc52ab0c3a6
Author: Daniel Rosenberg <drosen@google.com>
Date:   Tue Aug 21 13:31:50 2018 -0700

    staging: android: ion: check for kref overflow

    This patch is against 4.4. It does not apply to master due to a large
    rework of ion in 4.12 which removed the affected functions altogether.
    4c23cbff073f3b9b ("staging: android: ion: Remove import interface")

    Userspace can cause the kref to handles to increment
    arbitrarily high. Ensure it does not overflow.

    Signed-off-by: Daniel Rosenberg <drosen@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 81970da69122fe4bf2af5bb1bb4c7f62d4744e79
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Tue Jul 17 18:27:45 2018 -0700

    tcp: identify cryptic messages as TCP seq # bugs

    [ Upstream commit e56b8ce363a36fb7b74b80aaa5cc9084f2c908b4 ]

    Attempt to make cryptic TCP seq number error messages clearer by
    (1) identifying the source of the message as "TCP", (2) identifying the
    errors as "seq # bug", and (3) grouping the field identifiers and values
    by separating them with commas.

    E.g., the following message is changed from:

    recvmsg bug 2: copied 73BCB6CD seq 70F17CBE rcvnxt 73BCB9AA fl 0
    WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:1881 tcp_recvmsg+0x649/0xb90

    to:

    TCP recvmsg seq # bug 2: copied 73BCB6CD, seq 70F17CBE, rcvnxt 73BCB9AA, fl 0
    WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:2011 tcp_recvmsg+0x694/0xba0

    Suggested-by: 積丹尼 Dan Jacobson <jidanni@jidanni.org>
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 780e559aaa6ae4b184d9af4acd0754f8608b3715
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Wed Jul 18 08:31:45 2018 +0200

    net: qca_spi: Fix log level if probe fails

    [ Upstream commit 50973993260a6934f0a00da53d9b746cfbea89ab ]

    In case the probing fails, the log level of the messages should
    be an error.

    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e77b1523b93cbc8863cfe656ca0c9e82f7ba43c9
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Wed Jul 18 08:31:44 2018 +0200

    net: qca_spi: Make sure the QCA7000 reset is triggered

    [ Upstream commit 711c62dfa6bdb4326ca6c587f295ea5c4f7269de ]

    In case the SPI thread is not running, a simple reset of sync
    state won't fix the transmit timeout. We also need to wake up the kernel
    thread.

    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Fixes: ed7d42e24eff ("net: qca_spi: fix transmit queue timeout handling")
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8621e69878ba41ed24987a487eaf01a6505223c6
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Wed Jul 18 08:31:43 2018 +0200

    net: qca_spi: Avoid packet drop during initial sync

    [ Upstream commit b2bab426dc715de147f8039a3fccff27d795f4eb ]

    As long as the synchronization with the QCA7000 isn't finished, we
    cannot accept packets from the upper layers. So let the SPI thread
    enable the TX queue after sync and avoid unwanted packet drop.

    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8cfe6f3afe83a2768563f718bb57c99ca249cf4c
Author: David Lechner <david@lechnology.com>
Date:   Mon Jul 16 17:58:10 2018 -0500

    net: usb: rtl8150: demote allmulti message to dev_dbg()

    [ Upstream commit 3a9b0455062ffb9d2f6cd4473a76e3456f318c9f ]

    This driver can spam the kernel log with multiple messages of:

        net eth0: eth0: allmulti set

    Usually 4 or 8 at a time (probably because of using ConnMan).

    This message doesn't seem useful, so let's demote it from dev_info()
    to dev_dbg().

    Signed-off-by: David Lechner <david@lechnology.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0821ddad494b97f0980db1877c4417e7d45c4925
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Fri Jul 13 21:25:19 2018 -0700

    net/ethernet/freescale/fman: fix cross-build error

    [ Upstream commit c133459765fae249ba482f62e12f987aec4376f0 ]

      CC [M]  drivers/net/ethernet/freescale/fman/fman.o
    In file included from ../drivers/net/ethernet/freescale/fman/fman.c:35:
    ../include/linux/fsl/guts.h: In function 'guts_set_dmacr':
    ../include/linux/fsl/guts.h:165:2: error: implicit declaration of function 'clrsetbits_be32' [-Werror=implicit-function-declaration]
      clrsetbits_be32(&guts->dmacr, 3 << shift, device << shift);
      ^~~~~~~~~~~~~~~

    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Cc: Madalin Bucur <madalin.bucur@nxp.com>
    Cc: netdev@vger.kernel.org
    Cc: linuxppc-dev@lists.ozlabs.org
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9c8f268dcdd5d3dacf504873861b9f18c70021b0
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jul 3 15:30:56 2018 +0300

    drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()

    [ Upstream commit 7f073d011f93e92d4d225526b9ab6b8b0bbd6613 ]

    The bo array has req->nr_buffers elements so the > should be >= so we
    don't read beyond the end of the array.

    Fixes: a1606a9596e5 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 43707aa8c55fb165a1a56f590e0defb198ebdde9
Author: Yuchung Cheng <ycheng@google.com>
Date:   Thu Jul 12 06:04:53 2018 -0700

    tcp: remove DELAYED ACK events in DCTCP

    [ Upstream commit a69258f7aa2623e0930212f09c586fd06674ad79 ]

    After fixing the way DCTCP tracks delayed ACKs, the delayed-ACK
    related callbacks are no longer needed.

    Signed-off-by: Yuchung Cheng <ycheng@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Acked-by: Lawrence Brakmo <brakmo@fb.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7795ce1182d5317688750126958954e5d32e3eac
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Jul 12 15:23:45 2018 +0300

    qlogic: check kstrtoul() for errors

    [ Upstream commit 5fc853cc01c68f84984ecc2d5fd777ecad78240f ]

    We accidentally left out the error handling for kstrtoul().

    Fixes: a520030e326a ("qlcnic: Implement flash sysfs callback for 83xx adapter")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 01a8ef2f327a6fe5075ee5027c9fa02df42c1c4e
Author: Willem de Bruijn <willemb@google.com>
Date:   Wed Jul 11 12:00:45 2018 -0400

    packet: reset network header if packet shorter than ll reserved space

    [ Upstream commit 993675a3100b16a4c80dfd70cbcde8ea7127b31d ]

    If variable length link layer headers result in a packet shorter
    than dev->hard_header_len, reset the network header offset. Else
    skb->mac_len may exceed skb->len after skb_mac_reset_len.

    packet_sendmsg_spkt already has similar logic.

    Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation")
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8ab85f3dc1b45f9189b62c97c82c7e6e1a3de569
Author: Alexander Duyck <alexander.h.duyck@intel.com>
Date:   Mon Jun 18 12:02:00 2018 -0400

    ixgbe: Be more careful when modifying MAC filters

    [ Upstream commit d14c780c11fbc10f66c43e7b64eefe87ca442bd3 ]

    This change makes it so that we are much more explicit about the ordering
    of updates to the receive address register (RAR) table. Prior to this patch
    I believe we may have been updating the table while entries were still
    active, or possibly allowing for reordering of things since we weren't
    explicitly flushing writes to either the lower or upper portion of the
    register prior to accessing the other half.

    Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
    Reviewed-by: Shannon Nelson <shannon.nelson@oracle.com>
    Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bcfa7262bbc0cf7b39ac112ae2ece9f9310ae4d9
Author: Adam Ford <aford173@gmail.com>
Date:   Wed Jul 11 12:54:54 2018 -0500

    ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller

    [ Upstream commit 923847413f7316b5ced3491769b3fefa6c56a79a ]

    The AM3517 has a different OTG controller location than the OMAP3,
    which is included from omap3.dtsi.  This results in a hwmod error.
    Since the AM3517 has a different OTG controller address, this patch
    disables one that isn't available.

    Signed-off-by: Adam Ford <aford173@gmail.com>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 97d53c81980eaba74690868efd3160fb635b8d42
Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
Date:   Tue Jul 10 08:22:40 2018 +0100

    ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot

    [ Upstream commit b4c7e2bd2eb4764afe3af9409ff3b1b87116fa30 ]

    Dynamic ftrace requires modifying the code segments that are usually
    set to read-only. To do this, a per arch function is called both before
    and after the ftrace modifications are performed. The "before" function
    will set kernel code text to read-write to allow for ftrace to make the
    modifications, and the "after" function will set the kernel code text
    back to "read-only" to keep the kernel code text protected.

    The issue happens when dynamic ftrace is tested at boot up. The test is
    done before the kernel code text has been set to read-only. But the
    "before" and "after" calls are still performed. The "after" call will
    change the kernel code text to read-only prematurely, and other boot
    code that expects this code to be read-write will fail.

    The solution is to add a variable that is set when the kernel code text
    is expected to be converted to read-only, and make the ftrace "before"
    and "after" calls do nothing if that variable is not yet set. This is
    similar to the x86 solution from commit 162396309745 ("ftrace, x86:
    make kernel text writable only for conversions").

    Link: http://lkml.kernel.org/r/20180620212906.24b7b66e@vmware.local.home

    Reported-by: Stefan Agner <stefan@agner.ch>
    Tested-by: Stefan Agner <stefan@agner.ch>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c0cd6f4de95a8fee74131bac79c444f8120c93e9
Author: Kim Phillips <kim.phillips@arm.com>
Date:   Fri Jun 29 12:46:52 2018 -0500

    perf llvm-utils: Remove bashism from kernel include fetch script

    [ Upstream commit f6432b9f65001651412dbc3589d251534822d4ab ]

    Like system(), popen() calls /bin/sh, which may/may not be bash.

    When the script is run on dash and encounters the line, it yields:

     exit: Illegal number: -1

    checkbashisms report on script content:

     possible bashism (exit|return with negative status code):
     exit -1

    Remove the bashism and use the more portable non-zero failure
    status code 1.

    Signed-off-by: Kim Phillips <kim.phillips@arm.com>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Michael Petlan <mpetlan@redhat.com>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Sandipan Das <sandipan@linux.vnet.ibm.com>
    Cc: Thomas Richter <tmricht@linux.vnet.ibm.com>
    Link: http://lkml.kernel.org/r/20180629124652.8d0af7e2281fd3fd8262cacc@arm.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 149751b516c07eb15f9378bbed175d23589b6215
Author: Vikas Gupta <vikas.gupta@broadcom.com>
Date:   Mon Jul 9 02:24:52 2018 -0400

    bnxt_en: Fix for system hang if request_irq fails

    [ Upstream commit c58387ab1614f6d7fb9e244f214b61e7631421fc ]

    Fix bug in the error code path when bnxt_request_irq() returns failure.
    bnxt_disable_napi() should not be called in this error path because
    NAPI has not been enabled yet.

    Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
    Signed-off-by: Vikas Gupta <vikas.gupta@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2cb585f9c5d6b70bfcd12beb314d9ba060c3208a
Author: Russell King <rmk+kernel@armlinux.org.uk>
Date:   Sun Jun 24 14:35:10 2018 +0100

    drm/armada: fix colorkey mode property

    [ Upstream commit d378859a667edc99e3473704847698cae97ca2b1 ]

    The colorkey mode property was not correctly disabling the colorkeying
    when "disabled" mode was selected.  Arrange for this to work as one
    would expect.

    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fe9ee61f5a1b9413ad3862bfa5a63c633d84f38a
Author: Stefan Schmidt <stefan@datenfreihafen.org>
Date:   Fri Sep 22 14:14:05 2017 +0200

    ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem

    [ Upstream commit 8f2fbc6c60ff213369e06a73610fc882a42fdf20 ]

    The check is valid but it does not warrant crashing the kernel. A
    WARN_ON() is good enough here.
    Found by checkpatch.

    Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 24e3a53c0d2c6be3385c5676056124b44f7c06c2
Author: Stefan Schmidt <stefan@datenfreihafen.org>
Date:   Fri Sep 22 14:13:54 2017 +0200

    ieee802154: at86rf230: use __func__ macro for debug messages

    [ Upstream commit 8a81388ec27c4c0adbdecd20e67bb5f411ab46b2 ]

    Instead of having the function name hard-coded (it might change and we
    forget to update them in the debug output) we can use __func__ instead
    and also shorten the line so we do not need to break it. Also fix an
    extra blank line while being here.
    Found by checkpatch.

    Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 691a13ac70e31e3004310bf56360ee69c62514cb
Author: Stefan Schmidt <stefan@datenfreihafen.org>
Date:   Fri Sep 22 14:13:53 2017 +0200

    ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem

    [ Upstream commit 20f330452ad8814f2289a589baf65e21270879a7 ]

    The check is valid but it does not warrant crashing the kernel. A
    WARN_ON() is good enough here.
    Found by checkpatch.

    Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit be4691a7c58b40ddcdad5f82fb652475afc3440e
Author: Daniel Mack <daniel@zonque.org>
Date:   Fri Jul 6 22:15:00 2018 +0200

    ARM: pxa: irq: fix handling of ICMR registers in suspend/resume

    [ Upstream commit 0c1049dcb4ceec640d8bd797335bcbebdcab44d2 ]

    PXA3xx platforms have 56 interrupts that are stored in two ICMR
    registers. The code in pxa_irq_suspend() and pxa_irq_resume() however
    does a simple division by 32 which only leads to one register being
    saved at suspend and restored at resume time. The NAND interrupt
    setting, for instance, is lost.

    Fix this by using DIV_ROUND_UP() instead.

    Signed-off-by: Daniel Mack <daniel@zonque.org>
    Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7e8f97b07a3be3493072f1cabe888f2d770b8077
Author: Florian Westphal <fw@strlen.de>
Date:   Wed Jul 4 20:25:32 2018 +0200

    netfilter: x_tables: set module owner for icmp(6) matches

    [ Upstream commit d376bef9c29b3c65aeee4e785fffcd97ef0a9a81 ]

    nft_compat relies on xt_request_find_match to increment
    refcount of the module that provides the match/target.

    The (builtin) icmp matches didn't set the module owner so it
    was possible to rmmod ip(6)tables while icmp extensions were still in use.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c7fda06308d6d1ed5d094a5f22b3e1e33852edbf
Author: Yuiko Oshino <yuiko.oshino@microchip.com>
Date:   Tue Jul 3 11:21:46 2018 -0400

    smsc75xx: Add workaround for gigabit link up hardware errata.

    [ Upstream commit d461e3da905332189aad546b2ad9adbe6071c7cc ]

    In certain conditions, the device may not be able to link in gigabit mode. This software workaround ensures that the device will not enter the failure state.

    Fixes: d0cad871703b898a442e4049c532ec39168e5b57 ("SMSC75XX USB 2.0 Gigabit Ethernet Devices")
    Signed-off-by: Yuiko Oshino <yuiko.oshino@microchip.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1acb2ad5d9d0fc66f18c74e22af3c07e41a5dbca
Author: Zhen Lei <thunder.leizhen@huawei.com>
Date:   Tue Jul 3 17:02:46 2018 -0700

    kasan: fix shadow_size calculation error in kasan_module_alloc

    [ Upstream commit 1e8e18f694a52d703665012ca486826f64bac29d ]

    There is a special case that the size is "(N << KASAN_SHADOW_SCALE_SHIFT)
    Pages plus X", the value of X is [1, KASAN_SHADOW_SCALE_SIZE-1].  The
    operation "size >> KASAN_SHADOW_SCALE_SHIFT" will drop X, and the
    roundup operation can not retrieve the missed one page.  For example:
    size=0x28006, PAGE_SIZE=0x1000, KASAN_SHADOW_SCALE_SHIFT=3, we will get
    shadow_size=0x5000, but actually we need 6 pages.

      shadow_size = round_up(size >> KASAN_SHADOW_SCALE_SHIFT, PAGE_SIZE);

    This can lead to a kernel crash when kasan is enabled and the value of
    mod->core_layout.size or mod->init_layout.size is like above.  Because
    the shadow memory of X has not been allocated and mapped.

    move_module:
      ptr = module_alloc(mod->core_layout.size);
      ...
      memset(ptr, 0, mod->core_layout.size);		//crashed

      Unable to handle kernel paging request at virtual address ffff0fffff97b000
      ......
      Call trace:
        __asan_storeN+0x174/0x1a8
        memset+0x24/0x48
        layout_and_allocate+0xcd8/0x1800
        load_module+0x190/0x23e8
        SyS_finit_module+0x148/0x180

    Link: http://lkml.kernel.org/r/1529659626-12660-1-git-send-email-thunder.leizhen@huawei.com
    Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
    Reviewed-by: Dmitriy Vyukov <dvyukov@google.com>
    Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
    Cc: Alexander Potapenko <glider@google.com>
    Cc: Hanjun Guo <guohanjun@huawei.com>
    Cc: Libin <huawei.libin@huawei.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bfb1c3470bcb05537fca601a0101d759d054b822
Author: Mathieu Malaterre <malat@debian.org>
Date:   Thu Mar 8 21:58:43 2018 +0100

    tracing: Use __printf markup to silence compiler

    [ Upstream commit 26b68dd2f48fe7699a89f0cfbb9f4a650dc1c837 ]

    Silence warnings (triggered at W=1) by adding relevant __printf attributes.

      CC      kernel/trace/trace.o
    kernel/trace/trace.c: In function ‘__trace_array_vprintk’:
    kernel/trace/trace.c:2979:2: warning: function might be possible candidate for ‘gnu_printf’ format attribute [-Wsuggest-attribute=format]
      len = vscnprintf(tbuffer, TRACE_BUF_SIZE, fmt, args);
      ^~~
      AR      kernel/trace/built-in.o

    Link: http://lkml.kernel.org/r/20180308205843.27447-1-malat@debian.org

    Signed-off-by: Mathieu Malaterre <malat@debian.org>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit be38b9556d9ba051adae074367acb3ee362180b2
Author: Fabio Estevam <fabio.estevam@nxp.com>
Date:   Tue Jun 26 08:37:09 2018 -0300

    ARM: imx_v4_v5_defconfig: Select ULPI support

    [ Upstream commit 2ceb2780b790b74bc408a949f6aedbad8afa693e ]

    Select CONFIG_USB_CHIPIDEA_ULPI and CONFIG_USB_ULPI_BUS so that
    USB ULPI can be functional on some boards that use the ULPI
    interface.

    Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0d0af17ae83d6feb29d676c72423461419df5110
Author: Fabio Estevam <fabio.estevam@nxp.com>
Date:   Mon Jun 25 09:34:03 2018 -0300

    ARM: imx_v6_v7_defconfig: Select ULPI support

    [ Upstream commit 157bcc06094c3c5800d3f4676527047b79b618e7 ]

    Select CONFIG_USB_CHIPIDEA_ULPI and CONFIG_USB_ULPI_BUS so that
    USB ULPI can be functional on some boards like imx51-babbage.

    This fixes a kernel hang in 4.18-rc1 on i.mx51-babbage, caused by commit
    03e6275ae381 ("usb: chipidea: Fix ULPI on imx51").

    Suggested-by: Andrey Smirnov <andrew.smirnov@gmail.com>
    Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1bdab67ddfa7b4e9e7a90637a22f9abc6ca88cf4
Author: Jason Gerecke <killertofu@gmail.com>
Date:   Tue Jun 26 09:58:02 2018 -0700

    HID: wacom: Correct touch maximum XY of 2nd-gen Intuos

    [ Upstream commit 3b8d573586d1b9dee33edf6cb6f2ca05f4bca568 ]

    The touch sensors on the 2nd-gen Intuos tablets don't use a 4096x4096
    sensor like other similar tablets (3rd-gen Bamboo, Intuos5, etc.).
    The incorrect maximum XY values don't normally affect userspace since
    touch input from these devices is typically relative rather than
    absolute. It does, however, cause problems when absolute distances
    need to be measured, e.g. for gesture recognition. Since the resolution
    of the touch sensor on these devices is 10 units / mm (versus 100 for
    the pen sensor), the proper maximum values can be calculated by simply
    dividing by 10.

    Fixes: b5fd2a3e92 ("Input: wacom - add support for three new Intuos devices")
    Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8f2f46791e28b7058a32fb7eab32e498ff838627
Author: Greg Ungerer <gerg@linux-m68k.org>
Date:   Mon Jun 18 15:34:14 2018 +1000

    m68k: fix "bad page state" oops on ColdFire boot

    [ Upstream commit ecd60532e060e45c63c57ecf1c8549b1d656d34d ]

    Booting a ColdFire m68k core with MMU enabled causes a "bad page state"
    oops since commit 1d40a5ea01d5 ("mm: mark pages in use for page tables"):

     BUG: Bad page state in process sh  pfn:01ce2
     page:004fefc8 count:0 mapcount:-1024 mapping:00000000 index:0x0
     flags: 0x0()
     raw: 00000000 00000000 00000000 fffffbff 00000000 00000100 00000200 00000000
     raw: 039c4000
     page dumped because: nonzero mapcount
     Modules linked in:
     CPU: 0 PID: 22 Comm: sh Not tainted 4.17.0-07461-g1d40a5ea01d5 #13

    Fix by calling pgtable_page_dtor() in our __pte_free_tlb() code path,
    so that the PG_table flag is cleared before we free the pte page.

    Note that I had to change the type of pte_free() to be static from
    extern. Otherwise you get a lot of warnings like this:

    ./arch/m68k/include/asm/mcf_pgalloc.h:80:2: warning: ‘pgtable_page_dtor’ is static but used in inline function ‘pte_free’ which is not static
      pgtable_page_dtor(page);
      ^

    And making it static is consistent with our use of this in the other
    m68k pgalloc definitions of pte_free().

    Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
    CC: Matthew Wilcox <willy@infradead.org>
    Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aba71e6a936a62126d0c084d4add455db697ee24
Author: Sudarsana Reddy Kalluru <sudarsana.kallur…
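
The shadow_size arithmetic from the "kasan: fix shadow_size calculation error in kasan_module_alloc" commit quoted above, worked through as an added example (not code from the commit or the kernel tree). The constants are the ones in the commit message; the rounding variant is an assumption about one way to avoid the truncation, since the page does not show the patch itself.

```c
#include <stddef.h>
#include <stdio.h>

/* Values taken from the commit message's worked example. */
#ifndef PAGE_SIZE
#define PAGE_SIZE                0x1000UL
#endif
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_SCALE_SIZE  (1UL << KASAN_SHADOW_SCALE_SHIFT)
#define KASAN_SHADOW_MASK        (KASAN_SHADOW_SCALE_SIZE - 1)

/* Round v up to a multiple of align (align must be a power of two). */
static unsigned long round_up_to(unsigned long v, unsigned long align)
{
    return (v + align - 1) & ~(align - 1);
}

/* The calculation quoted in the commit message: the shift drops the
 * low bits of size before the page round-up happens. */
unsigned long shadow_size_truncating(unsigned long size)
{
    return round_up_to(size >> KASAN_SHADOW_SCALE_SHIFT, PAGE_SIZE);
}

/* Assumed correction: round size up to a whole shadow granule first,
 * so a partial last granule still gets its shadow byte. */
unsigned long shadow_size_rounding(unsigned long size)
{
    unsigned long scaled = (size + KASAN_SHADOW_MASK) >> KASAN_SHADOW_SCALE_SHIFT;

    return round_up_to(scaled, PAGE_SIZE);
}

/* Shadow bytes touched when every byte of the region is accessed. */
unsigned long shadow_bytes_needed(unsigned long size)
{
    return (size + KASAN_SHADOW_MASK) >> KASAN_SHADOW_SCALE_SHIFT;
}

/* Count sizes in [lo, hi) for which calc() maps less shadow than needed. */
size_t count_short_allocations(unsigned long lo, unsigned long hi,
                               unsigned long (*calc)(unsigned long))
{
    size_t shortfalls = 0;

    for (unsigned long size = lo; size < hi; size++)
        if (calc(size) < shadow_bytes_needed(size))
            shortfalls++;
    return shortfalls;
}

int main(void)
{
    unsigned long size = 0x28006UL; /* the size used in the commit message */

    printf("size=%#lx needs %#lx shadow bytes\n", size, shadow_bytes_needed(size));
    printf("truncating: %#lx  rounding: %#lx\n",
           shadow_size_truncating(size), shadow_size_rounding(size));
    printf("short allocations in [0x28000, 0x30000): %zu\n",
           count_short_allocations(0x28000UL, 0x30000UL, shadow_size_truncating));
    return 0;
}
```

The sizes that come up short are exactly the "N << KASAN_SHADOW_SCALE_SHIFT pages plus X" cases with X in [1, KASAN_SHADOW_SCALE_SIZE-1] that the commit message describes.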

NeonDragon1909 added a commit to Dil3mm4/labyrinth_kernel_prague that referenced this issue Sep 2, 2018

ovl: warn instead of error if d_type is not supported
commit e7c0b5991dd1be7b6f6dc2b54a15a0f47b64b007 upstream.

overlay needs underlying fs to support d_type. Recently I put in a
patch to detect this condition and started failing mount if
underlying fs did not support d_type.

But this breaks existing configurations over kernel upgrade. Those who
are running docker (partially broken configuration) with xfs not
supporting d_type, are surprised that after kernel upgrade docker does
not run anymore.

moby/moby#22937 (comment)

So instead of erroring out, detect broken configuration and warn
about it. This should allow existing docker setups to continue
working after kernel upgrade.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 45aebeaf4f67 ("ovl: Ensure upper filesystem supports d_type")
Cc: <stable@vger.kernel.org> 4.6
Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
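
A userspace check for the condition this commit message describes, added here as an example (it is not code from the kernel, Docker, or the commit): it lists a scratch directory on the filesystem in question and reports whether readdir() fills in d_type. The function names, result codes, and the `.dtype-probe-XXXXXX` scratch name are assumptions made for this example.

```c
#define _DEFAULT_SOURCE /* DT_* constants and mkdtemp() on glibc */
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { DTYPE_ERROR = -1, DTYPE_MISSING = 0, DTYPE_OK = 1 };

/* One directory entry as readdir() reported it. */
struct seen_entry { const char *name; unsigned char d_type; };

/* "." and ".." are ignored: they can come back as DT_DIR even on a
 * filesystem that reports DT_UNKNOWN for every real entry. */
static int is_dot_entry(const char *name)
{
    return strcmp(name, ".") == 0 || strcmp(name, "..") == 0;
}

/* Decide from a listing whether the filesystem fills in d_type. */
int listing_reports_d_type(const struct seen_entry *e, size_t n)
{
    size_t real = 0;

    for (size_t i = 0; i < n; i++) {
        if (is_dot_entry(e[i].name))
            continue;
        real++;
        if (e[i].d_type != DT_UNKNOWN)
            return DTYPE_OK;
    }
    /* With no real entries there is nothing to judge by. */
    return real ? DTYPE_MISSING : DTYPE_ERROR;
}

/* Probe the filesystem holding dir: create a scratch directory with one
 * subdirectory in it, list it, then remove both again. */
int probe_d_type(const char *dir)
{
    char scratch[PATH_MAX], child[PATH_MAX + 4];
    char names[8][NAME_MAX + 1];
    struct seen_entry seen[8];
    size_t n = 0;
    int result = DTYPE_ERROR;

    if (snprintf(scratch, sizeof scratch, "%s/.dtype-probe-XXXXXX", dir)
            >= (int)sizeof scratch)
        return DTYPE_ERROR;
    if (!mkdtemp(scratch))
        return DTYPE_ERROR;

    snprintf(child, sizeof child, "%s/d", scratch);
    if (mkdir(child, 0700) == 0) {
        DIR *dp = opendir(scratch);

        if (dp) {
            struct dirent *de;

            while (n < 8 && (de = readdir(dp)) != NULL) {
                snprintf(names[n], sizeof names[n], "%s", de->d_name);
                seen[n].name = names[n];
                seen[n].d_type = de->d_type;
                n++;
            }
            closedir(dp);
            result = listing_reports_d_type(seen, n);
        }
        rmdir(child);
    }
    rmdir(scratch);
    return result;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : ".";
    int r = probe_d_type(dir);

    if (r == DTYPE_ERROR) {
        fprintf(stderr, "%s: could not probe\n", dir);
        return 2;
    }
    printf("%s: d_type %s\n", dir, r == DTYPE_OK ? "supported" : "NOT supported");
    return r == DTYPE_OK ? 0 : 1;
}
```

Run it against the directory that backs the overlay upper layer (on this page's host that would be somewhere under the Docker root dir); exit status 1 corresponds to the "partially broken configuration" the commit message warns about.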

freak07 added a commit to freak07/Kirisakura_Taimen_8.1.0 that referenced this issue Sep 3, 2018

ovl: warn instead of error if d_type is not supported

(cherry picked from commit 7eaa995c75bd23b57163541c3285a2c984018b7e)

freak07 added a commit to freak07/OCEAN_OREO_EAS that referenced this issue Sep 6, 2018

ovl: warn instead of error if d_type is not supported

Panchajanya1999 added a commit to Panchajanya1999/kernel_asus_x00t that referenced this issue Sep 15, 2018

ASUS 323 Changes
commit b2a9962cff1e917f70ff3ed542212ede6c38f17f
Author: Panchajanya1999 <rsk52959@gmail.com>
Date:   Sun Sep 16 00:24:15 2018 +0530

    Symlinked Qcom

    Symlinked [ln -sr arch/arm/boot/dts/qcom arch/arm64/boot/dts/qcom]

    Signed-off-by: Panchajanya1999 <rsk52959@gmail.com>

commit 35003a3c3843d6883f097f10f385d3bf6db69736
Merge: f701058c8a40 1153c838bcd7
Author: Panchajanya1999 <rsk52959@gmail.com>
Date:   Sat Sep 15 23:57:43 2018 +0530

    Merge remote-tracking branch 'lineage-15.1_S323' into asus

    Signed-off-by: Panchajanya1999 <rsk52959@gmail.com>

commit 1153c838bcd7fd93b3599047c548ae5a10e47d82
Author: SagarMakhar <sagarmakhar@gmail.com>
Date:   Thu Aug 30 16:53:41 2018 +0000

    Revert "icnss: Remove sending uevent after FW ready"

    This reverts commit dabc56ff4434cac9b64a0d6dbbf9f2f2bb12e9d1.

commit 6dc7b5e491c44135f14c14946a1873df4ebd74e8
Merge: 2e3cb1cde573 6bc76c807ae7
Author: SagarMakhar <sagarmakhar@gmail.com>
Date:   Thu Aug 30 16:13:44 2018 +0000

    Merge https://github.com/android-linux-stable/msm-4.4 into lineage-15.1_S323

commit 6bc76c807ae760576837b0719a995835196ff668
Merge: c1208ec20032 577189c37a84
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Mon Aug 27 22:48:36 2018 -0700

    Merge 4.4.153 into kernel.lnx.4.4.r27-rel

    Changes in 4.4.153: (6 commits)
            x86/mm/pat: Fix L1TF stable backport for CPA
            x86/mm: Fix use-after-free of ldt_struct
            ovl: Ensure upper filesystem supports d_type
            ovl: Do d_type check only if work dir creation was successful
            ovl: warn instead of error if d_type is not supported
            Linux 4.4.153

    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>

commit 577189c37a844243359afce1c3c94418259fe696
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Aug 28 07:23:44 2018 +0200

    Linux 4.4.153

commit 7eaa995c75bd23b57163541c3285a2c984018b7e
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Fri Jul 1 10:02:44 2016 -0400

    ovl: warn instead of error if d_type is not supported

    commit e7c0b5991dd1be7b6f6dc2b54a15a0f47b64b007 upstream.

    overlay needs underlying fs to support d_type. Recently I put in a
    patch to detect this condition and started failing mount if
    underlying fs did not support d_type.

    But this breaks existing configurations over kernel upgrade. Those who
    are running docker (partially broken configuration) with xfs not
    supporting d_type, are surprised that after kernel upgrade docker does
    not run anymore.

    https://github.com/docker/docker/issues/22937#issuecomment-229881315

    So instead of erroring out, detect broken configuration and warn
    about it. This should allow existing docker setups to continue
    working after kernel upgrade.

    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Fixes: 45aebeaf4f67 ("ovl: Ensure upper filesystem supports d_type")
    Cc: <stable@vger.kernel.org> 4.6
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0f9a6d88cd9f3b16a86639bd652202fe27096b18
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Fri May 20 09:04:26 2016 -0400

    ovl: Do d_type check only if work dir creation was successful

    commit 21765194cecf2e4514ad75244df459f188140a0f upstream.

    d_type check requires successful creation of workdir as it iterates
    through work dir and expects work dir to be present in it. If that's
    not the case, this check will always return d_type not supported even
    if underlying filesystem might be supporting it.

    So don't do this check if work dir creation failed in previous step.

    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d5e678942de33a5d8545a8b7c825eb93b57be1a9
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Mon Feb 22 09:28:34 2016 -0500

    ovl: Ensure upper filesystem supports d_type

    commit 45aebeaf4f67468f76bedf62923a576a519a9b68 upstream.

    In some instances xfs has been created with ftype=0 and there if a file
    on lower fs is removed, overlay leaves a whiteout in upper fs but that
    whiteout does not get filtered out and is visible to overlayfs users.

    And the reason it does not get filtered out is because upper filesystem does
    not report file type of whiteout as DT_CHR during iterate_dir().

    So it seems to be a requirement that upper filesystem support d_type for
    overlayfs to work properly. Do this check during mount and fail if d_type
    is not supported.

    Suggested-by: Dave Chinner <dchinner@redhat.com>
    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f9866720724db8a163cf305fc907cdab0b38fa09
Author: Eric Biggers <ebiggers@google.com>
Date:   Thu Aug 24 10:50:29 2017 -0700

    x86/mm: Fix use-after-free of ldt_struct

    commit ccd5b3235180eef3cfec337df1c8554ab151b5cc upstream.

    The following commit:

      39a0526fb3f7 ("x86/mm: Factor out LDT init from context init")

    renamed init_new_context() to init_new_context_ldt() and added a new
    init_new_context() which calls init_new_context_ldt().  However, the
    error code of init_new_context_ldt() was ignored.  Consequently, if a
    memory allocation in alloc_ldt_struct() failed during a fork(), the
    ->context.ldt of the new task remained the same as that of the old task
    (due to the memcpy() in dup_mm()).  ldt_struct's are not intended to be
    shared, so a use-after-free occurred after one task exited.

    Fix the bug by making init_new_context() pass through the error code of
    init_new_context_ldt().

    This bug was found by syzkaller, which encountered the following splat:

        BUG: KASAN: use-after-free in free_ldt_struct.part.2+0x10a/0x150 arch/x86/kernel/ldt.c:116
        Read of size 4 at addr ffff88006d2cb7c8 by task kworker/u9:0/3710

        CPU: 1 PID: 3710 Comm: kworker/u9:0 Not tainted 4.13.0-rc4-next-20170811 #2
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Call Trace:
         __dump_stack lib/dump_stack.c:16 [inline]
         dump_stack+0x194/0x257 lib/dump_stack.c:52
         print_address_description+0x73/0x250 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351 [inline]
         kasan_report+0x24e/0x340 mm/kasan/report.c:409
         __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
         free_ldt_struct.part.2+0x10a/0x150 arch/x86/kernel/ldt.c:116
         free_ldt_struct arch/x86/kernel/ldt.c:173 [inline]
         destroy_context_ldt+0x60/0x80 arch/x86/kernel/ldt.c:171
         destroy_context arch/x86/include/asm/mmu_context.h:157 [inline]
         __mmdrop+0xe9/0x530 kernel/fork.c:889
         mmdrop include/linux/sched/mm.h:42 [inline]
         exec_mmap fs/exec.c:1061 [inline]
         flush_old_exec+0x173c/0x1ff0 fs/exec.c:1291
         load_elf_binary+0x81f/0x4ba0 fs/binfmt_elf.c:855
         search_binary_handler+0x142/0x6b0 fs/exec.c:1652
         exec_binprm fs/exec.c:1694 [inline]
         do_execveat_common.isra.33+0x1746/0x22e0 fs/exec.c:1816
         do_execve+0x31/0x40 fs/exec.c:1860
         call_usermodehelper_exec_async+0x457/0x8f0 kernel/umh.c:100
         ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

        Allocated by task 3700:
         save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459 [inline]
         kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
         kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3627
         kmalloc include/linux/slab.h:493 [inline]
         alloc_ldt_struct+0x52/0x140 arch/x86/kernel/ldt.c:67
         write_ldt+0x7b7/0xab0 arch/x86/kernel/ldt.c:277
         sys_modify_ldt+0x1ef/0x240 arch/x86/kernel/ldt.c:307
         entry_SYSCALL_64_fastpath+0x1f/0xbe

        Freed by task 3700:
         save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459 [inline]
         kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
         __cache_free mm/slab.c:3503 [inline]
         kfree+0xca/0x250 mm/slab.c:3820
         free_ldt_struct.part.2+0xdd/0x150 arch/x86/kernel/ldt.c:121
         free_ldt_struct arch/x86/kernel/ldt.c:173 [inline]
         destroy_context_ldt+0x60/0x80 arch/x86/kernel/ldt.c:171
         destroy_context arch/x86/include/asm/mmu_context.h:157 [inline]
         __mmdrop+0xe9/0x530 kernel/fork.c:889
         mmdrop include/linux/sched/mm.h:42 [inline]
         __mmput kernel/fork.c:916 [inline]
         mmput+0x541/0x6e0 kernel/fork.c:927
         copy_process.part.36+0x22e1/0x4af0 kernel/fork.c:1931
         copy_process kernel/fork.c:1546 [inline]
         _do_fork+0x1ef/0xfb0 kernel/fork.c:2025
         SYSC_clone kernel/fork.c:2135 [inline]
         SyS_clone+0x37/0x50 kernel/fork.c:2129
         do_syscall_64+0x26c/0x8c0 arch/x86/entry/common.c:287
         return_from_SYSCALL_64+0x0/0x7a

    Here is a C reproducer:

        #include <asm/ldt.h>
        #include <pthread.h>
        #include <signal.h>
        #include <stdlib.h>
        #include <sys/syscall.h>
        #include <sys/wait.h>
        #include <unistd.h>

        static void *fork_thread(void *_arg)
        {
            fork();
        }

        int main(void)
        {
            struct user_desc desc = { .entry_number = 8191 };

            syscall(__NR_modify_ldt, 1, &desc, sizeof(desc));

            for (;;) {
                if (fork() == 0) {
                    pthread_t t;

                    srand(getpid());
                    pthread_create(&t, NULL, fork_thread, NULL);
                    usleep(rand() % 10000);
                    syscall(__NR_exit_group, 0);
                }
                wait(NULL);
            }
        }

    Note: the reproducer takes advantage of the fact that alloc_ldt_struct()
    may use vmalloc() to allocate a large ->entries array, and after
    commit:

      5d17a73a2ebe ("vmalloc: back off when the current task is killed")

    it is possible for userspace to fail a task's vmalloc() by
    sending a fatal signal, e.g. via exit_group().  It would be more
    difficult to reproduce this bug on kernels without that commit.

    This bug only affected kernels with CONFIG_MODIFY_LDT_SYSCALL=y.

    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: <stable@vger.kernel.org> [v4.6+]
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Michal Hocko <mhocko@suse.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: linux-mm@kvack.org
    Fixes: 39a0526fb3f7 ("x86/mm: Factor out LDT init from context init")
    Link: http://lkml.kernel.org/r/20170824175029.76040-1-ebiggers3@gmail.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit adaba23ccd7d1625942f2c27612d2b416c87e011
Author: Andi Kleen <ak@linux.intel.com>
Date:   Sat Aug 25 06:50:15 2018 -0700

    x86/mm/pat: Fix L1TF stable backport for CPA

    Patch for stable only to fix boot resets caused by the L1TF patches.

    Stable trees reverted the following patch

    Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers"

        This reverts commit 87e2bd898d3a79a8c609f183180adac47879a2a4 which is
        commit edc3b9129cecd0f0857112136f5b8b1bc1d45918 upstream.

    but the L1TF patch backported here

       x86/mm/pat: Make set_memory_np() L1TF safe

        commit 958f79b9ee55dfaf00c8106ed1c22a2919e0028b upstream

        set_memory_np() is used to mark kernel mappings not present, but it has
        its own open coded mechanism which does not have the L1TF protection of
        inverting the address bits.

    assumed that cpa->pfn contains a PFN. With the above patch reverted
    it does not, which causes the PMD to be set to an incorrect address
    shifted by 12 bits, which can cause early boot reset on some
    systems, like an Apollo Lake embedded system.

    Convert the address to a PFN before passing it to pmd_pfn()

    Thanks to Bernhard for bisecting and testing.

    Cc: stable@vger.kernel.org # 4.4 and 4.9
    Reported-by: Bernhard Kaindl <bernhard.kaindl@thalesgroup.com>
    Tested-by: Bernhard Kaindl <bernhard.kaindl@thalesgroup.com>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c1208ec20032cc152136c0098fb02bb63f0f4abd
Merge: 341dfcca5199 0c73169690eb
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Fri Aug 24 07:50:04 2018 -0700

    Merge 4.4.152 into kernel.lnx.4.4.r27-rel

    Changes in 4.4.152: (79 commits)
            ARC: Explicitly add -mmedium-calls to CFLAGS
            netfilter: ipv6: nf_defrag: reduce struct net memory waste
            selftests: pstore: return Kselftest Skip code for skipped tests
            selftests: static_keys: return Kselftest Skip code for skipped tests
            selftests: user: return Kselftest Skip code for skipped tests
            selftests: zram: return Kselftest Skip code for skipped tests
            selftests: sync: add config fragment for testing sync framework
            ARM: dts: Cygnus: Fix I2C controller interrupt type
            usb: dwc2: fix isoc split in transfer with no data
            usb: gadget: composite: fix delayed_status race condition when set_interface
            usb: gadget: dwc2: fix memory leak in gadget_init()
            scsi: xen-scsifront: add error handling for xenbus_printf
            arm64: make secondary_start_kernel() notrace
            qed: Add sanity check for SIMD fastpath handler.
            enic: initialize enic->rfs_h.lock in enic_probe
            net: hamradio: use eth_broadcast_addr
            net: propagate dev_get_valid_name return code
            ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP
            net: davinci_emac: match the mdio device against its compatible if possible
            locking/lockdep: Do not record IRQ state within lockdep code
            ipv6: mcast: fix unsolicited report interval after receiving querys
            Smack: Mark inode instant in smack_task_to_inode
            cxgb4: when disabling dcb set txq dcb priority to 0
            brcmfmac: stop watchdog before detach and free everything
            ARM: dts: am437x: make edt-ft5x06 a wakeup source
            usb: xhci: increase CRS timeout value
            perf test session topology: Fix test on s390
            perf report powerpc: Fix crash if callchain is empty
            selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs
            ARM: dts: da850: Fix interrups property for gpio
            dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()
            md/raid10: fix that replacement cannot complete recovery after reassemble
            drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes
            drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes
            drm/exynos: decon5433: Fix WINCONx reset value
            bnx2x: Fix receiving tx-timeout in error or recovery state.
            m68k: fix "bad page state" oops on ColdFire boot
            HID: wacom: Correct touch maximum XY of 2nd-gen Intuos
            ARM: imx_v6_v7_defconfig: Select ULPI support
            ARM: imx_v4_v5_defconfig: Select ULPI support
            tracing: Use __printf markup to silence compiler
            kasan: fix shadow_size calculation error in kasan_module_alloc
            smsc75xx: Add workaround for gigabit link up hardware errata.
            netfilter: x_tables: set module owner for icmp(6) matches
            ARM: pxa: irq: fix handling of ICMR registers in suspend/resume
            ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem
            ieee802154: at86rf230: use __func__ macro for debug messages
            ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem
            drm/armada: fix colorkey mode property
            bnxt_en: Fix for system hang if request_irq fails
            perf llvm-utils: Remove bashism from kernel include fetch script
            ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot
            ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller
            ixgbe: Be more careful when modifying MAC filters
            packet: reset network header if packet shorter than ll reserved space
            qlogic: check kstrtoul() for errors
            tcp: remove DELAYED ACK events in DCTCP
            drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()
            net/ethernet/freescale/fman: fix cross-build error
            net: usb: rtl8150: demote allmulti message to dev_dbg()
            net: qca_spi: Avoid packet drop during initial sync
            net: qca_spi: Make sure the QCA7000 reset is triggered
            net: qca_spi: Fix log level if probe fails
            tcp: identify cryptic messages as TCP seq # bugs
            staging: android: ion: check for kref overflow
            KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer
            ext4: fix spectre gadget in ext4_mb_regular_allocator()
            parisc: Remove ordered stores from syscall.S
            xfrm_user: prevent leaking 2 bytes of kernel memory
            netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state
            packet: refine ring v3 block size test to hold one frame
            bridge: Propagate vlan add failure to user
            parisc: Remove unnecessary barriers from spinlock.h
            PCI: hotplug: Don't leak pci_slot on registration failure
            PCI: Skip MPS logic for Virtual Functions (VFs)
            PCI: pciehp: Fix use-after-free on unplug
            i2c: imx: Fix race condition in dma read
            reiserfs: fix broken xattr handling (heap corruption, bad retval)
            Linux 4.4.152

    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>

    Conflicts:
    	drivers/staging/android/ion/ion.c

commit 0c73169690eb1d7d6f72a128a010bd84343e503a
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Aug 24 13:27:02 2018 +0200

    Linux 4.4.152

commit 712254045c02edf3dc21714337a23bf361d0c5ee
Author: Jann Horn <jannh@google.com>
Date:   Tue Aug 21 21:59:37 2018 -0700

    reiserfs: fix broken xattr handling (heap corruption, bad retval)

    commit a13f085d111e90469faf2d9965eb39b11c114d7e upstream.

    This fixes the following issues:

    - When a buffer size is supplied to reiserfs_listxattr() such that each
      individual name fits, but the concatenation of all names doesn't fit,
      reiserfs_listxattr() overflows the supplied buffer.  This leads to a
      kernel heap overflow (verified using KASAN) followed by an out-of-bounds
      usercopy and is therefore a security bug.

    - When a buffer size is supplied to reiserfs_listxattr() such that a
      name doesn't fit, -ERANGE should be returned.  But reiserfs instead just
      truncates the list of names; I have verified that if the only xattr on a
      file has a longer name than the supplied buffer length, listxattr()
      incorrectly returns zero.

    With my patch applied, -ERANGE is returned in both cases and the memory
    corruption doesn't happen anymore.

    Credit for making me clean this code up a bit goes to Al Viro, who pointed
    out that the ->actor calling convention is suboptimal and should be
    changed.

    Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
    Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers")
    Signed-off-by: Jann Horn <jannh@google.com>
    Acked-by: Jeff Mahoney <jeffm@suse.com>
    Cc: Eric Biggers <ebiggers@google.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6e57e6c67fd4b568b180fdbd5c14043d39fe6cda
Author: Esben Haabendal <eha@deif.com>
Date:   Thu Aug 16 10:43:12 2018 +0200

    i2c: imx: Fix race condition in dma read

    commit bed4ff1ed4d8f2ef5007c5c6ae1b29c5677a3632 upstream.

    This fixes a race condition, where the DMAEN bit ends up being set after
    I2C slave has transmitted a byte following the dummy read.  When that
    happens, an interrupt is generated instead, and no DMA request is generated
    to kickstart the DMA read, and a timeout happens after DMA_TIMEOUT (1 sec).

    Fixed by setting the DMAEN bit before the dummy read.

    Signed-off-by: Esben Haabendal <eha@deif.com>
    Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Cc: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 131412f4f6f52b72c3a099c9cdac5d9c6034c76c
Author: Lukas Wunner <lukas@wunner.de>
Date:   Thu Jul 19 17:27:32 2018 -0500

    PCI: pciehp: Fix use-after-free on unplug

    commit 281e878eab191cce4259abbbf1a0322e3adae02c upstream.

    When pciehp is unbound (e.g. on unplug of a Thunderbolt device), the
    hotplug_slot struct is deregistered and thus freed before freeing the
    IRQ.  The IRQ handler and the work items it schedules print the slot
    name referenced from the freed structure in various informational and
    debug log messages, each time resulting in a quadruple dereference of
    freed pointers (hotplug_slot -> pci_slot -> kobject -> name).

    At best the slot name is logged as "(null)", at worst kernel memory is
    exposed in logs or the driver crashes:

      pciehp 0000:10:00.0:pcie204: Slot((null)): Card not present

    An attacker may provoke the bug by unplugging multiple devices on a
    Thunderbolt daisy chain at once.  Unplugging can also be simulated by
    powering down slots via sysfs.  The bug is particularly easy to trigger
    in poll mode.

    It has been present since the driver's introduction in 2004:
    https://git.kernel.org/tglx/history/c/c16b4b14d980

    Fix by rearranging teardown such that the IRQ is freed first.  Run the
    work items queued by the IRQ handler to completion before freeing the
    hotplug_slot struct by draining the work queue from the ->release_slot
    callback which is invoked by pci_hp_deregister().

    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # v2.6.4
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cc7614a5e8ec4514aa27ee3874ad05a1057e644d
Author: Myron Stowe <myron.stowe@redhat.com>
Date:   Mon Aug 13 12:19:39 2018 -0600

    PCI: Skip MPS logic for Virtual Functions (VFs)

    commit 3dbe97efe8bf450b183d6dee2305cbc032e6b8a4 upstream.

    PCIe r4.0, sec 9.3.5.4, "Device Control Register", shows both
    Max_Payload_Size (MPS) and Max_Read_request_Size (MRRS) to be 'RsvdP' for
    VFs.  Just prior to the table it states:

      "PF and VF functionality is defined in Section 7.5.3.4 except where
       noted in Table 9-16.  For VF fields marked 'RsvdP', the PF setting
       applies to the VF."

    All of which implies that with respect to Max_Payload_Size Supported
    (MPSS), MPS, and MRRS values, we should not be paying any attention to the
    VF's fields, but rather only to the PF's.  Only looking at the PF's fields
    also logically makes sense as it's the sole physical interface to the PCIe
    bus.

    Link: https://bugzilla.kernel.org/show_bug.cgi?id=200527
    Fixes: 27d868b5e6cf ("PCI: Set MPS to match upstream bridge")
    Signed-off-by: Myron Stowe <myron.stowe@redhat.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # 4.3+
    Cc: Keith Busch <keith.busch@intel.com>
    Cc: Sinan Kaya <okaya@kernel.org>
    Cc: Dongdong Liu <liudongdong3@huawei.com>
    Cc: Jon Mason <jdmason@kudzu.us>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8837163ebeba0ab5cd82d8eb284060e0e3cb4a35
Author: Lukas Wunner <lukas@wunner.de>
Date:   Thu Jul 19 17:27:31 2018 -0500

    PCI: hotplug: Don't leak pci_slot on registration failure

    commit 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 upstream.

    If addition of sysfs files fails on registration of a hotplug slot, the
    struct pci_slot as well as the entry in the slot_list is leaked.  The
    issue has been present since the hotplug core was introduced in 2002:
    https://git.kernel.org/tglx/history/c/a8a2069f432c

    Perhaps the idea was that even though sysfs addition fails, the slot
    should still be usable.  But that's not how drivers use the interface,
    they abort probe if a non-zero value is returned.

    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # v2.4.15+
    Cc: Greg Kroah-Hartman <greg@kroah.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 400db6fe74317d64c920025ed4de2de7b3522230
Author: John David Anglin <dave.anglin@bell.net>
Date:   Sun Aug 12 16:31:17 2018 -0400

    parisc: Remove unnecessary barriers from spinlock.h

    commit 3b885ac1dc35b87a39ee176a6c7e2af9c789d8b8 upstream.

    Now that mb() is an instruction barrier, it will slow performance if we issue
    unnecessary barriers.

    The spinlock defines have a number of unnecessary barriers.  The __ldcw()
    define is both a hardware and compiler barrier.  The mb() barriers in the
    routines using __ldcw() serve no purpose.

    The only barrier needed is the one in arch_spin_unlock().  We need to ensure
    all accesses are complete prior to releasing the lock.

    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: stable@vger.kernel.org # 4.0+
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6d124ea608ac800f46100741f7ccd79791c061c8
Author: Elad Raz <eladr@mellanox.com>
Date:   Wed Jan 6 13:01:04 2016 +0100

    bridge: Propagate vlan add failure to user

    commit 08474cc1e6ea71237cab7e4a651a623c9dea1084 upstream.

    Disallow adding interfaces to a bridge when vlan filtering operation
    failed. Send the failure code to the user.

    Signed-off-by: Elad Raz <eladr@mellanox.com>
    Signed-off-by: Jiri Pirko <jiri@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 62c4e369c9b98480a4b75b3a74a962a6b298120b
Author: Willem de Bruijn <willemb@google.com>
Date:   Mon Aug 6 10:38:34 2018 -0400

    packet: refine ring v3 block size test to hold one frame

    commit 4576cd469d980317c4edd9173f8b694aa71ea3a3 upstream.

    TPACKET_V3 stores variable length frames in fixed length blocks.
    Blocks must be able to store a block header, optional private space
    and at least one minimum sized frame.

    Frames, even for a zero snaplen packet, store metadata headers and
    optional reserved space.

    In the block size bounds check, ensure that the frame of the
    chosen configuration fits. This includes sockaddr_ll and optional
    tp_reserve.

    Syzbot was able to construct a ring with insufficient room for the
    sockaddr_ll in the header of a zero-length frame, triggering an
    out-of-bounds write in dev_parse_header.

    Convert the comparison to less than, as zero is a valid snap len.
    This matches the test for minimum tp_frame_size immediately below.

    Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
    Fixes: eb73190f4fbe ("net/packet: refine check for priv area size")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 76cb5cc66114d2758796198fca7f3387a6f24b75
Author: Florian Westphal <fw@strlen.de>
Date:   Tue Jul 17 21:03:15 2018 +0200

    netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state

    commit 6613b6173dee098997229caf1f3b961c49da75e6 upstream.

    When first DCCP packet is SYNC or SYNCACK, we insert a new conntrack
    that has an un-initialized timeout value, i.e. such entry could be
    reaped at any time.

    Mark them as INVALID and only ignore SYNC/SYNCACK when connection had
    an old state.

    Reported-by: syzbot+6f18401420df260e37ed@syzkaller.appspotmail.com
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3e6170d014af6d3e9608987a0dee6e7f01c074b3
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Jun 18 21:35:07 2018 -0700

    xfrm_user: prevent leaking 2 bytes of kernel memory

    commit 45c180bc29babbedd6b8c01b975780ef44d9d09c upstream.

    struct xfrm_userpolicy_type has two holes, so we should not
    use C99 style initializer.

    KMSAN report:

    BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
    BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
    CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x185/0x1d0 lib/dump_stack.c:113
     kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
     kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
     kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
     copyout lib/iov_iter.c:140 [inline]
     _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
     copy_to_iter include/linux/uio.h:106 [inline]
     skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
     skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
     netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
     sock_recvmsg_nosec net/socket.c:802 [inline]
     sock_recvmsg+0x1d6/0x230 net/socket.c:809
     ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
     __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
     do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
     __do_sys_recvmmsg net/socket.c:2485 [inline]
     __se_sys_recvmmsg net/socket.c:2481 [inline]
     __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
     do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x44/0xa9

    Uninit was stored to memory at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
     kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
     kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
     kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
     __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
     __nla_put lib/nlattr.c:569 [inline]
     nla_put+0x276/0x340 lib/nlattr.c:627
     copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
     dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
     xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
     xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
     netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
     __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
     netlink_dump_start include/linux/netlink.h:214 [inline]
     xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
     netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
     xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
     netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
     netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
     netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
     sock_sendmsg_nosec net/socket.c:629 [inline]
     sock_sendmsg net/socket.c:639 [inline]
     ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
     __sys_sendmsg net/socket.c:2155 [inline]
     __do_sys_sendmsg net/socket.c:2164 [inline]
     __se_sys_sendmsg net/socket.c:2162 [inline]
     __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
     do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    Local variable description: ----upt.i@dump_one_policy
    Variable was created at:
     dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
     xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013

    Byte 130 of 137 is uninitialized
    Memory access starts at ffff88019550407f

    Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 49b3acf7ed1997af70ab95d95995eb2a1a6fdf93
Author: John David Anglin <dave.anglin@bell.net>
Date:   Sun Aug 12 16:38:03 2018 -0400

    parisc: Remove ordered stores from syscall.S

    commit 7797167ffde1f00446301cb22b37b7c03194cfaf upstream.

    Now that we use a sync prior to releasing the locks in syscall.S, we don't need
    the PA 2.0 ordered stores used to release some locks.  Using an ordered store,
    potentially slows the release and subsequent code.

    There are a number of other ordered stores and loads that serve no purpose.  I
    have converted these to normal stores.

    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: stable@vger.kernel.org # 4.0+
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a89f83823b97b6da1ecf7a51184b28822e78cc07
Author: Jeremy Cline <jcline@redhat.com>
Date:   Thu Aug 2 00:03:40 2018 -0400

    ext4: fix spectre gadget in ext4_mb_regular_allocator()

    commit 1a5d5e5d51e75a5bca67dadbcea8c841934b7b85 upstream.

    'ac->ac_g_ex.fe_len' is a user-controlled value which is used in the
    derivation of 'ac->ac_2order'. 'ac->ac_2order', in turn, is used to
    index arrays which makes it a potential spectre gadget. Fix this by
    sanitizing the value assigned to 'ac->ac2_order'.  This covers the
    following accesses found with the help of smatch:

    * fs/ext4/mballoc.c:1896 ext4_mb_simple_scan_group() warn: potential
      spectre issue 'grp->bb_counters' [w] (local cap)

    * fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue
      'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap)

    * fs/ext4/mballoc.c:446 mb_find_buddy() warn: potential spectre issue
      'EXT4_SB(e4b->bd_sb)->s_mb_maxs' [r] (local cap)

    Suggested-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: Jeremy Cline <jcline@redhat.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1186a6ea75df00ec27b9cf2c5d0a5e4298739301
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Mon May 28 13:31:13 2018 +0200

    KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer

    commit 9432a3175770e06cb83eada2d91fac90c977cb99 upstream.

    A comment warning against this bug is there, but the code is not doing what
    the comment says.  Therefore it is possible that an EPOLLHUP races against
    irq_bypass_register_consumer.  The EPOLLHUP handler schedules irqfd_shutdown,
    and if that runs soon enough, you get a use-after-free.

    Reported-by: syzbot <syzkaller@googlegroups.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Reviewed-by: David Hildenbrand <david@redhat.com>
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b84ec04bae905901f5226a67968dabc52ab0c3a6
Author: Daniel Rosenberg <drosen@google.com>
Date:   Tue Aug 21 13:31:50 2018 -0700

    staging: android: ion: check for kref overflow

    This patch is against 4.4. It does not apply to master due to a large
    rework of ion in 4.12 which removed the affected functions altogether.
    4c23cbff073f3b9b ("staging: android: ion: Remove import interface")

    Userspace can cause the kref to handles to increment
    arbitrarily high. Ensure it does not overflow.

    Signed-off-by: Daniel Rosenberg <drosen@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 81970da69122fe4bf2af5bb1bb4c7f62d4744e79
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Tue Jul 17 18:27:45 2018 -0700

    tcp: identify cryptic messages as TCP seq # bugs

    [ Upstream commit e56b8ce363a36fb7b74b80aaa5cc9084f2c908b4 ]

    Attempt to make cryptic TCP seq number error messages clearer by
    (1) identifying the source of the message as "TCP", (2) identifying the
    errors as "seq # bug", and (3) grouping the field identifiers and values
    by separating them with commas.

    E.g., the following message is changed from:

    recvmsg bug 2: copied 73BCB6CD seq 70F17CBE rcvnxt 73BCB9AA fl 0
    WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:1881 tcp_recvmsg+0x649/0xb90

    to:

    TCP recvmsg seq # bug 2: copied 73BCB6CD, seq 70F17CBE, rcvnxt 73BCB9AA, fl 0
    WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:2011 tcp_recvmsg+0x694/0xba0

    Suggested-by: 積丹尼 Dan Jacobson <jidanni@jidanni.org>
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 780e559aaa6ae4b184d9af4acd0754f8608b3715
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Wed Jul 18 08:31:45 2018 +0200

    net: qca_spi: Fix log level if probe fails

    [ Upstream commit 50973993260a6934f0a00da53d9b746cfbea89ab ]

    In cases the probing fails the log level of the messages should
    be an error.

    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e77b1523b93cbc8863cfe656ca0c9e82f7ba43c9
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Wed Jul 18 08:31:44 2018 +0200

    net: qca_spi: Make sure the QCA7000 reset is triggered

    [ Upstream commit 711c62dfa6bdb4326ca6c587f295ea5c4f7269de ]

    In case the SPI thread is not running, a simple reset of sync
    state won't fix the transmit timeout. We also need to wake up the kernel
    thread.

    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Fixes: ed7d42e24eff ("net: qca_spi: fix transmit queue timeout handling")
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8621e69878ba41ed24987a487eaf01a6505223c6
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Wed Jul 18 08:31:43 2018 +0200

    net: qca_spi: Avoid packet drop during initial sync

    [ Upstream commit b2bab426dc715de147f8039a3fccff27d795f4eb ]

    As long as the synchronization with the QCA7000 isn't finished, we
    cannot accept packets from the upper layers. So let the SPI thread
    enable the TX queue after sync and avoid unwanted packet drop.

    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8cfe6f3afe83a2768563f718bb57c99ca249cf4c
Author: David Lechner <david@lechnology.com>
Date:   Mon Jul 16 17:58:10 2018 -0500

    net: usb: rtl8150: demote allmulti message to dev_dbg()

    [ Upstream commit 3a9b0455062ffb9d2f6cd4473a76e3456f318c9f ]

    This driver can spam the kernel log with multiple messages of:

        net eth0: eth0: allmulti set

    Usually 4 or 8 at a time (probably because of using ConnMan).

    This message doesn't seem useful, so let's demote it from dev_info()
    to dev_dbg().

    Signed-off-by: David Lechner <david@lechnology.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0821ddad494b97f0980db1877c4417e7d45c4925
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Fri Jul 13 21:25:19 2018 -0700

    net/ethernet/freescale/fman: fix cross-build error

    [ Upstream commit c133459765fae249ba482f62e12f987aec4376f0 ]

      CC [M]  drivers/net/ethernet/freescale/fman/fman.o
    In file included from ../drivers/net/ethernet/freescale/fman/fman.c:35:
    ../include/linux/fsl/guts.h: In function 'guts_set_dmacr':
    ../include/linux/fsl/guts.h:165:2: error: implicit declaration of function 'clrsetbits_be32' [-Werror=implicit-function-declaration]
      clrsetbits_be32(&guts->dmacr, 3 << shift, device << shift);
      ^~~~~~~~~~~~~~~

    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Cc: Madalin Bucur <madalin.bucur@nxp.com>
    Cc: netdev@vger.kernel.org
    Cc: linuxppc-dev@lists.ozlabs.org
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9c8f268dcdd5d3dacf504873861b9f18c70021b0
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jul 3 15:30:56 2018 +0300

    drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()

    [ Upstream commit 7f073d011f93e92d4d225526b9ab6b8b0bbd6613 ]

    The bo array has req->nr_buffers elements so the > should be >= so we
    don't read beyond the end of the array.

    Fixes: a1606a9596e5 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 43707aa8c55fb165a1a56f590e0defb198ebdde9
Author: Yuchung Cheng <ycheng@google.com>
Date:   Thu Jul 12 06:04:53 2018 -0700

    tcp: remove DELAYED ACK events in DCTCP

    [ Upstream commit a69258f7aa2623e0930212f09c586fd06674ad79 ]

    After fixing the way DCTCP tracks delayed ACKs, the delayed-ACK
    related callbacks are no longer needed.

    Signed-off-by: Yuchung Cheng <ycheng@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Acked-by: Lawrence Brakmo <brakmo@fb.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7795ce1182d5317688750126958954e5d32e3eac
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Jul 12 15:23:45 2018 +0300

    qlogic: check kstrtoul() for errors

    [ Upstream commit 5fc853cc01c68f84984ecc2d5fd777ecad78240f ]

    We accidentally left out the error handling for kstrtoul().

    Fixes: a520030e326a ("qlcnic: Implement flash sysfs callback for 83xx adapter")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 01a8ef2f327a6fe5075ee5027c9fa02df42c1c4e
Author: Willem de Bruijn <willemb@google.com>
Date:   Wed Jul 11 12:00:45 2018 -0400

    packet: reset network header if packet shorter than ll reserved space

    [ Upstream commit 993675a3100b16a4c80dfd70cbcde8ea7127b31d ]

    If variable length link layer headers result in a packet shorter
    than dev->hard_header_len, reset the network header offset. Else
    skb->mac_len may exceed skb->len after skb_mac_reset_len.

    packet_sendmsg_spkt already has similar logic.

    Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation")
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8ab85f3dc1b45f9189b62c97c82c7e6e1a3de569
Author: Alexander Duyck <alexander.h.duyck@intel.com>
Date:   Mon Jun 18 12:02:00 2018 -0400

    ixgbe: Be more careful when modifying MAC filters

    [ Upstream commit d14c780c11fbc10f66c43e7b64eefe87ca442bd3 ]

    This change makes it so that we are much more explicit about the ordering
    of updates to the receive address register (RAR) table. Prior to this patch
    I believe we may have been updating the table while entries were still
    active, or possibly allowing for reordering of things since we weren't
    explicitly flushing writes to either the lower or upper portion of the
    register prior to accessing the other half.

    Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
    Reviewed-by: Shannon Nelson <shannon.nelson@oracle.com>
    Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bcfa7262bbc0cf7b39ac112ae2ece9f9310ae4d9
Author: Adam Ford <aford173@gmail.com>
Date:   Wed Jul 11 12:54:54 2018 -0500

    ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller

    [ Upstream commit 923847413f7316b5ced3491769b3fefa6c56a79a ]

    The AM3517 has a different OTG controller location than the OMAP3,
    which is included from omap3.dtsi.  This results in a hwmod error.
    Since the AM3517 has a different OTG controller address, this patch
    disables one that isn't available.

    Signed-off-by: Adam Ford <aford173@gmail.com>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 97d53c81980eaba74690868efd3160fb635b8d42
Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
Date:   Tue Jul 10 08:22:40 2018 +0100

    ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot

    [ Upstream commit b4c7e2bd2eb4764afe3af9409ff3b1b87116fa30 ]

    Dynamic ftrace requires modifying the code segments that are usually
    set to read-only. To do this, a per arch function is called both before
    and after the ftrace modifications are performed. The "before" function
    will set kernel code text to read-write to allow for ftrace to make the
    modifications, and the "after" function will set the kernel code text
    back to "read-only" to keep the kernel code text protected.

    The issue happens when dynamic ftrace is tested at boot up. The test is
    done before the kernel code text has been set to read-only. But the
    "before" and "after" calls are still performed. The "after" call will
    change the kernel code text to read-only prematurely, and other boot
    code that expects this code to be read-write will fail.

    The solution is to add a variable that is set when the kernel code text
    is expected to be converted to read-only, and make the ftrace "before"
    and "after" calls do nothing if that variable is not yet set. This is
    similar to the x86 solution from commit 162396309745 ("ftrace, x86:
    make kernel text writable only for conversions").

    Link: http://lkml.kernel.org/r/20180620212906.24b7b66e@vmware.local.home

    Reported-by: Stefan Agner <stefan@agner.ch>
    Tested-by: Stefan Agner <stefan@agner.ch>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c0cd6f4de95a8fee74131bac79c444f8120c93e9
Author: Kim Phillips <kim.phillips@arm.com>
Date:   Fri Jun 29 12:46:52 2018 -0500

    perf llvm-utils: Remove bashism from kernel include fetch script

    [ Upstream commit f6432b9f65001651412dbc3589d251534822d4ab ]

    Like system(), popen() calls /bin/sh, which may/may not be bash.

    Script when run on dash and encounters the line, yields:

     exit: Illegal number: -1

    checkbashisms report on script content:

     possible bashism (exit|return with negative status code):
     exit -1

    Remove the bashism and use the more portable non-zero failure
    status code 1.

    Signed-off-by: Kim Phillips <kim.phillips@arm.com>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Michael Petlan <mpetlan@redhat.com>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Sandipan Das <sandipan@linux.vnet.ibm.com>
    Cc: Thomas Richter <tmricht@linux.vnet.ibm.com>
    Link: http://lkml.kernel.org/r/20180629124652.8d0af7e2281fd3fd8262cacc@arm.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 149751b516c07eb15f9378bbed175d23589b6215
Author: Vikas Gupta <vikas.gupta@broadcom.com>
Date:   Mon Jul 9 02:24:52 2018 -0400

    bnxt_en: Fix for system hang if request_irq fails

    [ Upstream commit c58387ab1614f6d7fb9e244f214b61e7631421fc ]

    Fix bug in the error code path when bnxt_request_irq() returns failure.
    bnxt_disable_napi() should not be called in this error path because
    NAPI has not been enabled yet.

    Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
    Signed-off-by: Vikas Gupta <vikas.gupta@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2cb585f9c5d6b70bfcd12beb314d9ba060c3208a
Author: Russell King <rmk+kernel@armlinux.org.uk>
Date:   Sun Jun 24 14:35:10 2018 +0100

    drm/armada: fix colorkey mode property

    [ Upstream commit d378859a667edc99e3473704847698cae97ca2b1 ]

    The colorkey mode property was not correctly disabling the colorkeying
    when "disabled" mode was selected.  Arrange for this to work as one
    would expect.

    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fe9ee61f5a1b9413ad3862bfa5a63c633d84f38a
Author: Stefan Schmidt <stefan@datenfreihafen.org>
Date:   Fri Sep 22 14:14:05 2017 +0200

    ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem

    [ Upstream commit 8f2fbc6c60ff213369e06a73610fc882a42fdf20 ]

    The check is valid but it does not warrant to crash the kernel. A
    WARN_ON() is good enough here.
    Found by checkpatch.

    Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 24e3a53c0d2c6be3385c5676056124b44f7c06c2
Author: Stefan Schmidt <stefan@datenfreihafen.org>
Date:   Fri Sep 22 14:13:54 2017 +0200

    ieee802154: at86rf230: use __func__ macro for debug messages

    [ Upstream commit 8a81388ec27c4c0adbdecd20e67bb5f411ab46b2 ]

    Instead of having the function name hard-coded (it might change and we
    forgot to update them in the debug output) we can use __func__ instead
    and also shorten the line so we do not need to break it. Also fix an
    extra blank line while being here.
    Found by checkpatch.

    Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 691a13ac70e31e3004310bf56360ee69c62514cb
Author: Stefan Schmidt <stefan@datenfreihafen.org>
Date:   Fri Sep 22 14:13:53 2017 +0200

    ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem

    [ Upstream commit 20f330452ad8814f2289a589baf65e21270879a7 ]

    The check is valid but it does not warrant to crash the kernel. A
    WARN_ON() is good enough here.
    Found by checkpatch.

    Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit be4691a7c58b40ddcdad5f82fb652475afc3440e
Author: Daniel Mack <daniel@zonque.org>
Date:   Fri Jul 6 22:15:00 2018 +0200

    ARM: pxa: irq: fix handling of ICMR registers in suspend/resume

    [ Upstream commit 0c1049dcb4ceec640d8bd797335bcbebdcab44d2 ]

    PXA3xx platforms have 56 interrupts that are stored in two ICMR
    registers. The code in pxa_irq_suspend() and pxa_irq_resume() however
    does a simple division by 32 which only leads to one register being
    saved at suspend and restored at resume time. The NAND interrupt
    setting, for instance, is lost.

    Fix this by using DIV_ROUND_UP() instead.

    Signed-off-by: Daniel Mack <daniel@zonque.org>
    Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7e8f97b07a3be3493072f1cabe888f2d770b8077
Author: Florian Westphal <fw@strlen.de>
Date:   Wed Jul 4 20:25:32 2018 +0200

    netfilter: x_tables: set module owner for icmp(6) matches

    [ Upstream commit d376bef9c29b3c65aeee4e785fffcd97ef0a9a81 ]

    nft_compat relies on xt_request_find_match to increment
    refcount of the module that provides the match/target.

    The (builtin) icmp matches didn't set the module owner so it
    was possible to rmmod ip(6)tables while icmp extensions were still in use.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c7fda06308d6d1ed5d094a5f22b3e1e33852edbf
Author: Yuiko Oshino <yuiko.oshino@microchip.com>
Date:   Tue Jul 3 11:21:46 2018 -0400

    smsc75xx: Add workaround for gigabit link up hardware errata.

    [ Upstream commit d461e3da905332189aad546b2ad9adbe6071c7cc ]

    In certain conditions, the device may not be able to link in gigabit mode. This software workaround ensures that the device will not enter the failure state.

    Fixes: d0cad871703b898a442e4049c532ec39168e5b57 ("SMSC75XX USB 2.0 Gigabit Ethernet Devices")
    Signed-off-by: Yuiko Oshino <yuiko.oshino@microchip.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1acb2ad5d9d0fc66f18c74e22af3c07e41a5dbca
Author: Zhen Lei <thunder.leizhen@huawei.com>
Date:   Tue Jul 3 17:02:46 2018 -0700

    kasan: fix shadow_size calculation error in kasan_module_alloc

    [ Upstream commit 1e8e18f694a52d703665012ca486826f64bac29d ]

    There is a special case that the size is "(N << KASAN_SHADOW_SCALE_SHIFT)
    Pages plus X", the value of X is [1, KASAN_SHADOW_SCALE_SIZE-1].  The
    operation "size >> KASAN_SHADOW_SCALE_SHIFT" will drop X, and the
    roundup operation can not retrieve the missed one page.  For example:
    size=0x28006, PAGE_SIZE=0x1000, KASAN_SHADOW_SCALE_SHIFT=3, we will get
    shadow_size=0x5000, but actually we need 6 pages.

      shadow_size = round_up(size >> KASAN_SHADOW_SCALE_SHIFT, PAGE_SIZE);

    This can lead to a kernel crash when kasan is enabled and the value of
    mod->core_layout.size or mod->init_layout.size is like above.  Because
    the shadow memory of X has not been allocated and mapped.

    move_module:
      ptr = module_alloc(mod->core_layout.size);
      ...
      memset(ptr, 0, mod->core_layout.size);		//crashed

      Unable to handle kernel paging request at virtual address ffff0fffff97b000
      ......
      Call trace:
        __asan_storeN+0x174/0x1a8
        memset+0x24/0x48
        layout_and_allocate+0xcd8/0x1800
        load_module+0x190/0x23e8
        SyS_finit_module+0x148/0x180

    Link: http://lkml.kernel.org/r/1529659626-12660-1-git-send-email-thunder.leizhen@huawei.com
    Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
    Reviewed-by: Dmitriy Vyukov <dvyukov@google.com>
    Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
    Cc: Alexander Potapenko <glider@google.com>
    Cc: Hanjun Guo <guohanjun@huawei.com>
    Cc: Libin <huawei.libin@huawei.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bfb1c3470bcb05537fca601a0101d759d054b822
Author: Mathieu Malaterre <malat@debian.org>
Date:   Thu Mar 8 21:58:43 2018 +0100

    tracing: Use __printf markup to silence compiler

    [ Upstream commit 26b68dd2f48fe7699a89f0cfbb9f4a650dc1c837 ]

    Silence warnings (triggered at W=1) by adding relevant __printf attributes.

      CC      kernel/trace/trace.o
    kernel/trace/trace.c: In function ‘__trace_array_vprintk’:
    kernel/trace/trace.c:2979:2: warning: function might be possible candidate for ‘gnu_printf’ format attribute [-Wsuggest-attribute=format]
      len = vscnprintf(tbuffer, TRACE_BUF_SIZE, fmt, args);
      ^~~
      AR      kernel/trace/built-in.o

    Link: http://lkml.kernel.org/r/20180308205843.27447-1-malat@debian.org

    Signed-off-by: Mathieu Malaterre <malat@debian.org>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit be38b9556d9ba051adae074367acb3ee362180b2
Author: Fabio Estevam <fabio.estevam@nxp.com>
Date:   Tue Jun 26 08:37:09 2018 -0300

    ARM: imx_v4_v5_defconfig: Select ULPI support

    [ Upstream commit 2ceb2780b790b74bc408a949f6aedbad8afa693e ]

    Select CONFIG_USB_CHIPIDEA_ULPI and CONFIG_USB_ULPI_BUS so that
    USB ULPI can be functional on some boards like that use ULPI
    interface.

    Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0d0af17ae83d6feb29d676c72423461419df5110
Author: Fabio Estevam <fabio.estevam@nxp.com>
Date:   Mon Jun 25 09:34:03 2018 -0300

    ARM: imx_v6_v7_defconfig: Select ULPI support

    [ Upstream commit 157bcc06094c3c5800d3f4676527047b79b618e7 ]

    Select CONFIG_USB_CHIPIDEA_ULPI and CONFIG_USB_ULPI_BUS so that
    USB ULPI can be functional on some boards like imx51-babbage.

    This fixes a kernel hang in 4.18-rc1 on i.mx51-babbage, caused by commit
    03e6275ae381 ("usb: chipidea: Fix ULPI on imx51").

    Suggested-by: Andrey Smirnov <andrew.smirnov@gmail.com>
    Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1bdab67ddfa7b4e9e7a90637a22f9abc6ca88cf4
Author: Jason Gerecke <killertofu@gmail.com>
Date:   Tue Jun 26 09:58:02 2018 -0700

    HID: wacom: Correct touch maximum XY of 2nd-gen Intuos

    [ Upstream commit 3b8d573586d1b9dee33edf6cb6f2ca05f4bca568 ]

    The touch sensors on the 2nd-gen Intuos tablets don't use a 4096x4096
    sensor like other similar tablets (3rd-gen Bamboo, Intuos5, etc.).
    The incorrect maximum XY values don't normally affect userspace since
    touch input from these devices is typically relative rather than
    absolute. It does, however, cause problems when absolute distances
    need to be measured, e.g. for gesture recognition. Since the resolution
    of the touch sensor on these devices is 10 units / mm (versus 100 for
    the pen sensor), the proper maximum values can be calculated by simply
    dividing by 10.

    Fixes: b5fd2a3e92 ("Input: wacom - add support for three new Intuos devices")
    Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8f2f46791e28b7058a32fb7eab32e498ff838627
Author: Greg Ungerer <gerg@linux-m68k.org>
Date:   Mon Jun 18 15:34:14 2018 +1000

    m68k: fix "bad page state" oops on ColdFire boot

    [ Upstream commit ecd60532e060e45c63c57ecf1c8549b1d656d34d ]

    Booting a ColdFire m68k core with MMU enabled causes a "bad page state"
    oops since commit 1d40a5ea01d5 ("mm: mark pages in use for page tables"):

     BUG: Bad page state in process sh  pfn:01ce2
     page:004fefc8 count:0 mapcount:-1024 mapping:00000000 index:0x0
     flags: 0x0()
     raw: 00000000 00000000 00000000 fffffbff 00000000 00000100 00000200 00000000
     raw: 039c4000
     page dumped because: nonzero mapcount
     Modules linked in:
     CPU: 0 PID: 22 Comm: sh Not tainted 4.17.0-07461-g1d40a5ea01d5 #13

    Fix by calling pgtable_page_dtor() in our __pte_free_tlb() code path,
    so that the PG_table flag is cleared before we free the pte page.

    Note that I had to change the type of pte_free() to be static from
    extern. Otherwise you get a lot of warnings like this:

    ./arch/m68k/include/asm/mcf_pgalloc.h:80:2: warning: ‘pgtable_page_dtor’ is static but used in inline function ‘pte_free’ which is not static
      pgtable_page_dtor(page);
      ^

    And making it static is consistent with our use of this in the other
    m68k pgalloc definitions of pte_free().

    Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
    CC: Matthew Wilcox <willy@infradead.org>
    Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aba71e6a936a62126d0c084d4add455db697ee24
Author: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
Date:   Thu Jun 28 04:52:15 2018 -0700

    bnx2x: Fix receiving tx-timeout in error or recovery state.

    [ Upstream commit 484c016d9392786ce5c74017c206c706f29f823d ]

    Driver performs the internal reload when it receives tx-timeout event from
    the OS. Internal reload might fail in some scenarios e.g., fatal HW issues.
    In such cases OS still sees the link, which would result in undesirable
    functionalities such as re-generation of tx-timeouts.
    The patch addresses this issue by indicating the link-down to OS when
    tx-timeout is detected, and keeping the link in down state till the
    internal reload is successful.

    Please consider applying it to 'net' branch.

    Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
    Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit acc83070ba75b…
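
The under-allocation described in the kasan_module_alloc commit message above, worked through as an added C example (not part of the referenced commit or the kernel source). It models the quoted truncating formula next to a round-up-before-shift variant, using the message's values; `shadow_size_ceil`, `last_byte_covered`, `count_uncovered` and `SHADOW_MASK` are names assumed for this sketch.

```c
#include <stdio.h>

/* Values from the commit message's worked case. */
#define PAGE_SIZE                0x1000UL
#define KASAN_SHADOW_SCALE_SHIFT 3
/* Assumed helper name: low bits that the shift throws away. */
#define SHADOW_MASK ((1UL << KASAN_SHADOW_SCALE_SHIFT) - 1)

/* align must be a power of two */
static unsigned long round_up_ul(unsigned long x, unsigned long align)
{
    return (x + align - 1) & ~(align - 1);
}

/* Formula quoted in the message: the shift drops the trailing X bytes. */
unsigned long shadow_size_truncating(unsigned long size)
{
    return round_up_ul(size >> KASAN_SHADOW_SCALE_SHIFT, PAGE_SIZE);
}

/* Assumed correction: round up to a whole shadow byte before shifting. */
unsigned long shadow_size_ceil(unsigned long size)
{
    return round_up_ul((size + SHADOW_MASK) >> KASAN_SHADOW_SCALE_SHIFT,
                       PAGE_SIZE);
}

/* Does the shadow byte for the last byte of the allocation fall inside
 * the shadow region of the given size? Requires size >= 1. */
int last_byte_covered(unsigned long size, unsigned long shadow_size)
{
    return ((size - 1) >> KASAN_SHADOW_SCALE_SHIFT) < shadow_size;
}

/* Count sizes in [lo, hi] (lo >= 1) whose last byte has no shadow under f. */
unsigned long count_uncovered(unsigned long (*f)(unsigned long),
                              unsigned long lo, unsigned long hi)
{
    unsigned long n = 0;
    for (unsigned long s = lo; s <= hi; s++)
        if (!last_byte_covered(s, f(s)))
            n++;
    return n;
}

int main(void)
{
    unsigned long size = 0x28006UL;   /* size from the commit message */
    printf("truncating: %#lx, ceil: %#lx\n",
           shadow_size_truncating(size), shadow_size_ceil(size));
    printf("uncovered sizes in [0x28000, 0x28007]: %lu\n",
           count_uncovered(shadow_size_truncating, 0x28000UL, 0x28007UL));
    return 0;
}
```

Only sizes of the form N shadow pages' worth of memory plus 1 to 7 bytes are affected, which is why the crash depends on the exact module layout size.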

Panchajanya1999 added a commit to Panchajanya1999/kernel_asus_x00t that referenced this issue Sep 16, 2018

ASUS 323 Changes [Squash]
commit fce5724268a017b4cf6c073c6ae7ef77765a8ffd
Author: Panchajanya1999 <rsk52959@gmail.com>
Date:   Sun Sep 16 14:04:48 2018 +0530

    Revert "arm/dt: sdm660-mdss: Enable Idle Power Collapse"

    This reverts commit d72b54d59b5a9aa80f0507cdf616505fde37e507.

commit 8d21509203ec695b62e27835acb04ac736965b5a
Author: Panchajanya1999 <rsk52959@gmail.com>
Date:   Sun Sep 16 13:58:19 2018 +0530

    Symlinked Qcom

    Symlinked [ln -sr arch/arm/boot/dts/qcom arch/arm64/boot/dts/qcom]

    Signed-off-by: Panchajanya1999 <rsk52959@gmail.com>

commit 35003a3c3843d6883f097f10f385d3bf6db69736
Merge: f701058c8a40 1153c838bcd7
Author: Panchajanya1999 <rsk52959@gmail.com>
Date:   Sat Sep 15 23:57:43 2018 +0530

    Merge remote-tracking branch 'lineage-15.1_S323' into asus

    Signed-off-by: Panchajanya1999 <rsk52959@gmail.com>

commit 1153c838bcd7fd93b3599047c548ae5a10e47d82
Author: SagarMakhar <sagarmakhar@gmail.com>
Date:   Thu Aug 30 16:53:41 2018 +0000

    Revert "icnss: Remove sending uevent after FW ready"

    This reverts commit dabc56ff4434cac9b64a0d6dbbf9f2f2bb12e9d1.

commit 6dc7b5e491c44135f14c14946a1873df4ebd74e8
Merge: 2e3cb1cde573 6bc76c807ae7
Author: SagarMakhar <sagarmakhar@gmail.com>
Date:   Thu Aug 30 16:13:44 2018 +0000

    Merge https://github.com/android-linux-stable/msm-4.4 into lineage-15.1_S323

commit 6bc76c807ae760576837b0719a995835196ff668
Merge: c1208ec20032 577189c37a84
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Mon Aug 27 22:48:36 2018 -0700

    Merge 4.4.153 into kernel.lnx.4.4.r27-rel

    Changes in 4.4.153: (6 commits)
            x86/mm/pat: Fix L1TF stable backport for CPA
            x86/mm: Fix use-after-free of ldt_struct
            ovl: Ensure upper filesystem supports d_type
            ovl: Do d_type check only if work dir creation was successful
            ovl: warn instead of error if d_type is not supported
            Linux 4.4.153

    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>

commit 577189c37a844243359afce1c3c94418259fe696
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Aug 28 07:23:44 2018 +0200

    Linux 4.4.153

commit 7eaa995c75bd23b57163541c3285a2c984018b7e
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Fri Jul 1 10:02:44 2016 -0400

    ovl: warn instead of error if d_type is not supported

    commit e7c0b5991dd1be7b6f6dc2b54a15a0f47b64b007 upstream.

    overlay needs underlying fs to support d_type. Recently I put in a
    patch in to detect this condition and started failing mount if
    underlying fs did not support d_type.

    But this breaks existing configurations over kernel upgrade. Those who
    are running docker (partially broken configuration) with xfs not
    supporting d_type, are surprised that after kernel upgrade docker does
    not run anymore.

    https://github.com/docker/docker/issues/22937#issuecomment-229881315

    So instead of erroring out, detect broken configuration and warn
    about it. This should allow existing docker setups to continue
    working after kernel upgrade.

    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Fixes: 45aebeaf4f67 ("ovl: Ensure upper filesystem supports d_type")
    Cc: <stable@vger.kernel.org> 4.6
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0f9a6d88cd9f3b16a86639bd652202fe27096b18
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Fri May 20 09:04:26 2016 -0400

    ovl: Do d_type check only if work dir creation was successful

    commit 21765194cecf2e4514ad75244df459f188140a0f upstream.

    d_type check requires successful creation of workdir as it iterates
    through work dir and expects work dir to be present in it. If that's
    not the case, this check will always return d_type not supported even
    if underlying filesystem might be supporting it.

    So don't do this check if work dir creation failed in previous step.

    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d5e678942de33a5d8545a8b7c825eb93b57be1a9
Author: Vivek Goyal <vgoyal@redhat.com>
Date:   Mon Feb 22 09:28:34 2016 -0500

    ovl: Ensure upper filesystem supports d_type

    commit 45aebeaf4f67468f76bedf62923a576a519a9b68 upstream.

    In some instances xfs has been created with ftype=0 and there if a file
    on lower fs is removed, overlay leaves a whiteout in upper fs but that
    whiteout does not get filtered out and is visible to overlayfs users.

    And the reason it does not get filtered out is because upper filesystem does
    not report file type of whiteout as DT_CHR during iterate_dir().

    So it seems to be a requirement that upper filesystem support d_type for
    overlayfs to work properly. Do this check during mount and fail if d_type
    is not supported.

    Suggested-by: Dave Chinner <dchinner@redhat.com>
    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Miklos Szeredi