commit 872e1aead3efecaa6e4113c1c218059e9412beb7
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed May 16 10:08:45 2018 +0200

    Linux 4.9.100

commit 70e65f281a5671c1a6de239bdd5a331046b077f6
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Fri Apr 20 14:08:58 2018 +0200

    perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map()
    
    commit 46b1b577229a091b137831becaa0fae8690ee15a upstream.
    
    > arch/x86/events/intel/cstate.c:307 cstate_pmu_event_init() warn: potential spectre issue 'pkg_msr' (local cap)
    > arch/x86/events/intel/core.c:337 intel_pmu_event_map() warn: potential spectre issue 'intel_perfmon_event_map'
    > arch/x86/events/intel/knc.c:122 knc_pmu_event_map() warn: potential spectre issue 'knc_perfmon_event_map'
    > arch/x86/events/intel/p4.c:722 p4_pmu_event_map() warn: potential spectre issue 'p4_general_events'
    > arch/x86/events/intel/p6.c:116 p6_pmu_event_map() warn: potential spectre issue 'p6_perfmon_event_map'
    > arch/x86/events/amd/core.c:132 amd_pmu_event_map() warn: potential spectre issue 'amd_perfmon_event_map'
    
    Userspace controls @attr, sanitize @attr->config before passing it on
    to x86_pmu::event_map().
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: <stable@kernel.org>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stephane Eranian <eranian@google.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Vince Weaver <vincent.weaver@maine.edu>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c64ca00ec73546a6079621d90b9cce7ed25b0885
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Fri Apr 20 14:03:18 2018 +0200

    perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]
    
    commit 4411ec1d1993e8dbff2898390e3fed280d88e446 upstream.
    
    > kernel/events/ring_buffer.c:871 perf_mmap_to_page() warn: potential spectre issue 'rb->aux_pages'
    
    Userspace controls @pgoff through the fault address. Sanitize the
    array index before doing the array dereference.
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: <stable@kernel.org>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stephane Eranian <eranian@google.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Vince Weaver <vincent.weaver@maine.edu>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5edbd2d8db426d49bc570a3a019720b5e810d951
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Fri Apr 20 14:23:36 2018 +0200

    perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver
    
    commit 06ce6e9b6d6c09d4129c6e24a1314a395d816c10 upstream.
    
    > arch/x86/events/msr.c:178 msr_event_init() warn: potential spectre issue 'msr' (local cap)
    
    Userspace controls @attr, sanitize cfg (attr->config) before using it
    to index an array.
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: <stable@kernel.org>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stephane Eranian <eranian@google.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Vince Weaver <vincent.weaver@maine.edu>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 688d5d9189ce0132564be4f4642ae5f4087a3c7c
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Fri Apr 20 14:25:48 2018 +0200

    perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr
    
    commit a5f81290ce475489fa2551c01a07470c1a4c932e upstream.
    
    > arch/x86/events/intel/cstate.c:307 cstate_pmu_event_init() warn: potential spectre issue 'pkg_msr' (local cap)
    
    Userspace controls @attr, sanitize cfg (attr->config) before using it
    to index an array.
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: <stable@kernel.org>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stephane Eranian <eranian@google.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Vince Weaver <vincent.weaver@maine.edu>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 662218f1216ddb3755e79120767462eeaab5e12a
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Fri Apr 20 14:06:29 2018 +0200

    perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_*
    
    commit ef9ee4ad38445a30909c48998624861716f2a994 upstream.
    
    > arch/x86/events/core.c:319 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_event_ids[cache_type]' (local cap)
    > arch/x86/events/core.c:319 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_event_ids' (local cap)
    > arch/x86/events/core.c:328 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_extra_regs[cache_type]' (local cap)
    > arch/x86/events/core.c:328 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_extra_regs' (local cap)
    
    Userspace controls @config which contains 3 (byte) fields used for a 3
    dimensional array deref.
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: <stable@kernel.org>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stephane Eranian <eranian@google.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Vince Weaver <vincent.weaver@maine.edu>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fba70eb3ecbcdc0d177ae904a21beeb7b0595612
Author: Masami Hiramatsu <mhiramat@kernel.org>
Date:   Tue Apr 10 21:20:08 2018 +0900

    tracing/uprobe_event: Fix strncpy corner case
    
    commit 50268a3d266ecfdd6c5873d62b2758d9732fc598 upstream.
    
    Fix string fetch function to terminate with NUL.
    It is OK to drop the rest of string.
    
    Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Song Liu <songliubraving@fb.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: security@kernel.org
    Cc: 范龙飞 <long7573@126.com>
    Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes")
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5d1639dae65f6c8b1a71a84e11d29696b7915d34
Author: Marek Szyprowski <m.szyprowski@samsung.com>
Date:   Mon Apr 16 12:11:53 2018 +0200

    thermal: exynos: Propagate error value from tmu_read()
    
    commit c8da6cdef57b459ac0fd5d9d348f8460a575ae90 upstream.
    
    tmu_read() in case of Exynos4210 might return error for out of bound
    values. Current code ignores such value, which leads to reporting critical
    temperature value. Add proper error code propagation to exynos_get_temp()
    function.
    
    Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
    CC: stable@vger.kernel.org # v4.6+
    Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3cc96a4acf139c30ff5b4d0312fddaab082db699
Author: Marek Szyprowski <m.szyprowski@samsung.com>
Date:   Mon Apr 16 12:11:52 2018 +0200

    thermal: exynos: Reading temperature makes sense only when TMU is turned on
    
    commit 88fc6f73fddf64eb507b04f7b2bd01d7291db514 upstream.
    
    When thermal sensor is not yet enabled, reading temperature might return
    random value. This might even result in stopping system booting when such
    temperature is higher than the critical value. Fix this by checking if TMU
    has been actually enabled before reading the temperature.
    
    This change fixes booting of Exynos4210-based board with TMU enabled (for
    example Samsung Trats board), which was broken since v4.4 kernel release.
    
    Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Fixes: 9e4249b40340 ("thermal: exynos: Fix first temperature read after registering sensor")
    CC: stable@vger.kernel.org # v4.6+
    Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c7a2c159d6beff177aa9df5037b30a5a9ec08d1b
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Thu Apr 26 14:18:19 2018 +0200

    Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174"
    
    commit 544a591668813583021474fa5c7ff4942244d654 upstream.
    
    Commit f44cb4b19ed4 ("Bluetooth: btusb: Fix quirk for Atheros
    1525/QCA6174") is causing bluetooth to no longer work for several
    people, see: https://bugzilla.redhat.com/show_bug.cgi?id=1568911
    
    So let's revert it for now and try to find another solution for
    devices which need the modified quirk.
    
    Cc: stable@vger.kernel.org
    Cc: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ad43aede80e2faf876d6f0c4d27e462f8e0380dd
Author: Gustavo A. R. Silva <gustavo@embeddedor.com>
Date:   Thu May 3 13:17:12 2018 -0500

    atm: zatm: Fix potential Spectre v1
    
    commit 2be147f7459db5bbf292e0a6f135037b55e20b39 upstream.
    
    pool can be indirectly controlled by user-space, hence leading to
    a potential exploitation of the Spectre variant 1 vulnerability.
    
    This issue was detected with the help of Smatch:
    
    drivers/atm/zatm.c:1462 zatm_ioctl() warn: potential spectre issue
    'zatm_dev->pool_info' (local cap)
    
    Fix this by sanitizing pool before using it to index
    zatm_dev->pool_info
    
    Notice that given that speculation windows are large, the policy is
    to kill the speculation on the first load and not worry if it can be
    completed with a dependent load/store [1].
    
    [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 81b8eb6b9a3531b769357f8ae468c7eacffa7cd6
Author: Gustavo A. R. Silva <gustavo@embeddedor.com>
Date:   Thu May 3 13:45:58 2018 -0500

    net: atm: Fix potential Spectre v1
    
    commit acf784bd0ce257fe43da7ca266f7a10b837479d2 upstream.
    
    ioc_data.dev_num can be controlled by user-space, hence leading to
    a potential exploitation of the Spectre variant 1 vulnerability.
    
    This issue was detected with the help of Smatch:
    net/atm/lec.c:702 lec_vcc_attach() warn: potential spectre issue
    'dev_lec'
    
    Fix this by sanitizing ioc_data.dev_num before using it to index
    dev_lec. Also, notice that there is another instance in which array
    dev_lec is being indexed using ioc_data.dev_num at line 705:
    lec_vcc_added(netdev_priv(dev_lec[ioc_data.dev_num]),
    
    Notice that given that speculation windows are large, the policy is
    to kill the speculation on the first load and not worry if it can be
    completed with a dependent load/store [1].
    
    [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
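
The perf and atm Spectre-v1 commits above share one remedy: bounds-check the user-controlled index, then clamp it with a branch-free mask before the first dependent load. The following is an added userspace illustration, not code from these patches: the mask arithmetic follows the kernel's generic array_index_mask_nospec(), while the table contents and the names index_nospec() and cache_event_lookup() are constructed here to model the three-field config decode described for hw_perf_event cache_*.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Limits as defined in include/uapi/linux/perf_event.h. */
#define PERF_COUNT_HW_CACHE_MAX        7
#define PERF_COUNT_HW_CACHE_OP_MAX     3
#define PERF_COUNT_HW_CACHE_RESULT_MAX 2

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/*
 * Branch-free mask: ~0UL when index < size, 0 otherwise. Relies on an
 * arithmetic right shift of a negative long (true for GCC and Clang) and on
 * size <= LONG_MAX. Because no conditional branch is involved, a mispredicted
 * bounds check cannot speculatively bypass it.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp: in-range values pass through unchanged, anything else becomes 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/* Constructed table standing in for a 3-dimensional event-id array. */
static const uint64_t cache_event_ids[PERF_COUNT_HW_CACHE_MAX]
				     [PERF_COUNT_HW_CACHE_OP_MAX]
				     [PERF_COUNT_HW_CACHE_RESULT_MAX] = {
	[0][0][0] = 0x0111,
	[2][1][1] = 0x0222,
	[6][2][1] = 0x0333,
};

/*
 * Decode the three byte-wide fields of a user-supplied config and look up the
 * event id. Each field gets the architectural check (reject out-of-range)
 * followed by the speculative clamp, before any array dereference.
 * Returns 0 on success, -1 for an out-of-range field.
 */
static int cache_event_lookup(uint64_t config, uint64_t *event_id)
{
	unsigned int type   = (config >>  0) & 0xff;
	unsigned int op     = (config >>  8) & 0xff;
	unsigned int result = (config >> 16) & 0xff;

	if (type >= PERF_COUNT_HW_CACHE_MAX)
		return -1;
	type = index_nospec(type, PERF_COUNT_HW_CACHE_MAX);

	if (op >= PERF_COUNT_HW_CACHE_OP_MAX)
		return -1;
	op = index_nospec(op, PERF_COUNT_HW_CACHE_OP_MAX);

	if (result >= PERF_COUNT_HW_CACHE_RESULT_MAX)
		return -1;
	result = index_nospec(result, PERF_COUNT_HW_CACHE_RESULT_MAX);

	*event_id = cache_event_ids[type][op][result];
	return 0;
}

int main(void)
{
	uint64_t id = 0;
	int rc = cache_event_lookup(0x010102, &id);  /* type 2, op 1, result 1 */

	printf("in range:     rc=%d id=0x%llx\n", rc, (unsigned long long)id);
	printf("type 0xff:    rc=%d\n", cache_event_lookup(0xff, &id));
	printf("clamp(200,7): %lu\n", index_nospec(200, 7));
	return 0;
}
```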

commit 28d832be7e9fbf6f18e2d931db116980eee5eeff
Author: Florent Flament <contact@florentflament.com>
Date:   Thu Apr 19 19:07:00 2018 +0300

    drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log
    
    commit e8f48f96db7e482995743f461b3e8a5c1a102533 upstream.
    
    Fix `[drm:intel_enable_lvds] *ERROR* timed out waiting for panel to
    power on` in kernel log at boot time.
    
    Toshiba Satellite Z930 laptops need between 1 and 2 seconds to power
    on their screen during Intel i915 DRM initialization. This currently
    results in a `[drm:intel_enable_lvds] *ERROR* timed out waiting for
    panel to power on` message appearing in the kernel log during boot
    time and when stopping the machine.
    
    This change increases the timeout of the `intel_enable_lvds` function
    from 1 to 5 seconds, letting enough time for the Satellite 930 LCD
    screen to power on, and suppressing the error message from the kernel
    log.
    
    This patch has been successfully tested on Linux 4.14 running on a
    Toshiba Satellite Z930.
    
    [vsyrjala: bump the timeout from 2 to 5 seconds to match the DP
     code and properly cover the max hw timeout of ~4 seconds, and
     drop the comment about the specific machine since this is not
     a particularly surprising issue, nor specific to that one machine]
    
    Signed-off-by: Florent Flament <contact@florentflament.com>
    Cc: stable@vger.kernel.org
    Cc: Pavel Petrovic <ppetrovic@acm.org>
    Cc: Sérgio M. Basto <sergio@serjux.com>
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103414
    References: https://bugzilla.kernel.org/show_bug.cgi?id=57591
    Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20180419160700.19828-1-ville.syrjala@linux.intel.com
    Reviewed-by: Jani Nikula <jani.nikula@intel.com>
    (cherry picked from commit 280b54ade5914d3b4abe4f0ebe083ddbd4603246)
    Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 87994a2165ec29dbef64029b26315b1a1debf7b9
Author: Boris Brezillon <boris.brezillon@bootlin.com>
Date:   Mon May 7 14:13:03 2018 +0200

    drm/vc4: Fix scaling of uni-planar formats
    
    commit 9a0e9802217291e54c4dd1fc5462f189a4be14ec upstream.
    
    When using uni-planar formats (like RGB), the scaling parameters are
    stored in plane 0, not plane 1.
    
    Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.")
    Cc: stable@vger.kernel.org
    Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
    Reviewed-by: Eric Anholt <eric@anholt.net>
    Link: https://patchwork.freedesktop.org/patch/msgid/20180507121303.5610-1-boris.brezillon@bootlin.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0e79ef256d4634699b2ed3b872176ceffd904be5
Author: Jimmy Assarsson <extja@kvaser.com>
Date:   Fri Apr 20 14:38:46 2018 +0200

    can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg()
    
    commit 6ee00865ffe4e8c8ba4a68d26db53c7ec09bbb89 upstream.
    
    Increase rx_dropped, if alloc_can_skb() fails, not tx_dropped.
    
    Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
    Cc: linux-stable <stable@vger.kernel.org>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f94eef3a4c9c4c17e910c1f35f79d4bcb580b73b
Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
Date:   Wed May 9 11:59:32 2018 -0400

    tracing: Fix regex_match_front() to not over compare the test string
    
    commit dc432c3d7f9bceb3de6f5b44fb9c657c9810ed6d upstream.
    
    The regex match function regex_match_front() in the tracing filter logic,
    was fixed to test just the pattern length from testing the entire test
    string. That is, it went from strncmp(str, r->pattern, len) to
    strcmp(str, r->pattern, r->len).
    
    The issue is that str is not guaranteed to be nul terminated, and if r->len
    is greater than the length of str, it can access more memory than is
    allocated.
    
    The solution is to add a simple test if (len < r->len) return 0.
    
    Cc: stable@vger.kernel.org
    Fixes: 285caad415f45 ("tracing/filters: Fix MATCH_FRONT_ONLY filter matching")
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
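
The length check described in the regex_match_front() commit above, shown as a before/after pair. This is an added illustration, not the kernel's code: struct regex is reduced to two fields, the function names are hypothetical, and the record buffer is constructed so that the over-compare stays inside one array and can be observed safely.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the filter's compiled pattern. */
struct regex {
	const char *pattern;
	int len;		/* length of pattern */
};

/*
 * Before: compares r->len bytes no matter how long the tested field is.
 * If the field is shorter than the pattern and not NUL terminated, the
 * comparison runs into whatever bytes follow it.
 */
static int match_front_before(const char *str, const struct regex *r, int len)
{
	(void)len;
	return strncmp(str, r->pattern, r->len) == 0;
}

/* After: a field shorter than the pattern can never be a front match. */
static int match_front_after(const char *str, const struct regex *r, int len)
{
	if (len < r->len)
		return 0;
	return strncmp(str, r->pattern, r->len) == 0;
}

/*
 * Constructed record: a 3-byte field "ssh" with no NUL terminator, followed
 * directly by unrelated bytes that belong to a neighbouring field.
 */
static const char record[8] = { 's', 's', 'h', 'd', '-', 'x', 'y', 'z' };
#define FIELD_LEN 3

int main(void)
{
	struct regex longer  = { "sshd", 4 };	/* longer than the field */
	struct regex shorter = { "ss", 2 };	/* fits inside the field */

	printf("before, pattern longer than field: %d\n",
	       match_front_before(record, &longer, FIELD_LEN));
	printf("after,  pattern longer than field: %d\n",
	       match_front_after(record, &longer, FIELD_LEN));
	printf("after,  pattern within field:      %d\n",
	       match_front_after(record, &shorter, FIELD_LEN));
	return 0;
}
```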

commit b2692091a9f418ed918ed00e97f31eeb11860f27
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Thu Apr 26 22:32:21 2018 +0200

    libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs
    
    commit 184add2ca23ce5edcac0ab9c3b9be13f91e7b567 upstream.
    
    Richard Jones has reported that using med_power_with_dipm on a T450s
    with a Sandisk SD7UB3Q256G1001 SSD (firmware version X2180501) is
    causing the machine to hang.
    
    Switching the LPM to max_performance fixes this, so it seems that
    this Sandisk SSD does not handle LPM well.
    
    Note in the past there have been bug-reports about the following
    Sandisk models not working with min_power, so we may need to extend
    the quirk list in the future: name - firmware
    Sandisk SD6SB2M512G1022I   - X210400
    Sandisk SD6PP4M-256G-1006  - A200906
    
    Cc: stable@vger.kernel.org
    Cc: Richard W.M. Jones <rjones@redhat.com>
    Reported-and-tested-by: Richard W.M. Jones <rjones@redhat.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dd4e7140c4dec8ce0bacb0d0ff152653e0b85660
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Apr 26 09:31:52 2018 +0200

    rfkill: gpio: fix memory leak in probe error path
    
    commit 4bf01ca21e2e0e4561d1a03c48c3d740418702db upstream.
    
    Make sure to free the rfkill device in case registration fails during
    probe.
    
    Fixes: 5e7ca3937fbe ("net: rfkill: gpio: convert to resource managed allocation")
    Cc: stable <stable@vger.kernel.org>     # 3.13
    Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 63e2ae9d75d4c348f47600dcef0f3d90eef7f34e
Author: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Date:   Mon Apr 16 13:17:53 2018 +0200

    gpio: fix error path in lineevent_create
    
    commit f001cc351ad3309ec8736c374e90e5a4bc472d41 upstream.
    
    If gpiod_request() fails the cleanup must not call gpiod_free().
    
    Cc: stable@vger.kernel.org
    Fixes: 61f922db7221 ("gpio: userspace ABI for reading GPIO line events")
    Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2b0e672598f9ae572b69898cb235fbeffc3e2f8e
Author: Govert Overgaauw <govert.overgaauw@prodrive-technologies.com>
Date:   Fri Apr 6 14:41:35 2018 +0200

    gpio: fix aspeed_gpio unmask irq
    
    commit f241632fd087d3d9fbd5450f4d8c8604badd8348 upstream.
    
    The unmask function disables all interrupts in a bank when unmasking an
    interrupt. Only disable the given interrupt.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Govert Overgaauw <govert.overgaauw@prodrive-technologies.com>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 31d04ca1eb232077e7d8032bc845bba6e6465d22
Author: Timur Tabi <timur@codeaurora.org>
Date:   Thu Mar 29 13:29:12 2018 -0500

    gpioib: do not free unrequested descriptors
    
    commit ab3dbcf78f60f46d6a0ad63b1f4b690b7a427140 upstream.
    
    If the main loop in linehandle_create() encounters an error, it
    unwinds completely by freeing all previously requested GPIO
    descriptors.  However, if the error occurs in the beginning of
    the loop before that GPIO is requested, then the exit code
    attempts to free a null descriptor.  If extrachecks is enabled,
    gpiod_free() triggers a WARN_ON.
    
    Instead, keep a separate count of legitimate GPIOs so that only
    those are freed.
    
    Cc: stable@vger.kernel.org
    Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines")
    Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Timur Tabi <timur@codeaurora.org>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b8c320884eff003581ee61c5970a2e83f513eff1
Author: Suzuki K Poulose <suzuki.poulose@arm.com>
Date:   Mon Mar 26 15:12:49 2018 +0100

    arm64: Add work around for Arm Cortex-A55 Erratum 1024718
    
    commit ece1397cbc89c51914fae1aec729539cfd8bd62b upstream.
    
    Some variants of the Arm Cortex-A55 cores (r0p0, r0p1, r1p0) suffer
    from an erratum 1024718, which causes incorrect updates when DBM/AP
    bits in a page table entry are modified without a break-before-make
    sequence. The work around is to skip enabling the hardware DBM feature
    on the affected cores. The hardware Access Flag management feature
    is not affected. There are some other cores suffering from this
    erratum, which could be added to the midr_list to trigger the work
    around.
    
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: ckadabi@codeaurora.org
    Reviewed-by: Dave Martin <dave.martin@arm.com>
    Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b8bf4b886b82585202ab4ee169718656661cb89e
Author: Wei Fang <fangwei1@huawei.com>
Date:   Sun Jan 22 12:21:02 2017 +0800

    f2fs: fix a dead loop in f2fs_fiemap()
    
    commit b86e33075ed1909d8002745b56ecf73b833db143 upstream.
    
    A dead loop can be triggered in f2fs_fiemap() using the test case
    as below:
    
            ...
            fd = open();
            fallocate(fd, 0, 0, 4294967296);
            ioctl(fd, FS_IOC_FIEMAP, fiemap_buf);
            ...
    
    It's caused by an overflow in __get_data_block():
            ...
            bh->b_size = map.m_len << inode->i_blkbits;
            ...
    map.m_len is an unsigned int, and bh->b_size is a size_t which is 64 bits
    on 64 bits architecture, type conversion from an unsigned int to a size_t
    will result in an overflow.
    
    In the above-mentioned case, bh->b_size will be zero, and f2fs_fiemap()
    will call get_data_block() at block 0 again and again.
    
    Fix this by adding a force conversion before left shift.
    
    Signed-off-by: Wei Fang <fangwei1@huawei.com>
    Acked-by: Chao Yu <yuchao0@huawei.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Cc: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
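
The shift overflow from the f2fs_fiemap() commit above, carried through with the values of its test case (a 4294967296-byte file, assumed here to use 4 KiB blocks, i.e. i_blkbits = 12). This is an added model, not f2fs code: fiemap_walk() is a hypothetical, simplified stand-in for the extent loop, and it reports a stalled walk instead of spinning.

```c
#include <stdint.h>
#include <stdio.h>

#define BLKBITS 12	/* assumption: 4 KiB blocks */

/*
 * Before: m_len is 32 bits wide, so the shift is evaluated in 32 bits and
 * wraps; only the already-wrapped result is widened to 64 bits.
 */
static uint64_t b_size_before(uint32_t m_len, unsigned int blkbits)
{
	return m_len << blkbits;
}

/* After: widen first, then shift, so no bits are lost. */
static uint64_t b_size_after(uint32_t m_len, unsigned int blkbits)
{
	return (uint64_t)m_len << blkbits;
}

/*
 * Model of an extent walk over [0, len): each step maps the remaining
 * blocks and advances by the mapped size in bytes. Returns the number of
 * steps taken, or -1 when a step makes no forward progress, which in a
 * loop without this guard is the dead loop from the commit message.
 */
static long fiemap_walk(uint64_t len, uint64_t (*b_size)(uint32_t, unsigned int))
{
	uint64_t start = 0;
	long steps = 0;

	while (start < len) {
		uint64_t blocks = (len - start + (1ULL << BLKBITS) - 1) >> BLKBITS;
		uint32_t m_len = blocks > UINT32_MAX ? UINT32_MAX : (uint32_t)blocks;
		uint64_t size = b_size(m_len, BLKBITS);

		if (size == 0)
			return -1;	/* same block would be mapped forever */
		start += size;
		steps++;
	}
	return steps;
}

int main(void)
{
	uint64_t len = 4294967296ULL;	/* size used in the commit's test case */

	printf("before: b_size=%llu walk=%ld\n",
	       (unsigned long long)b_size_before(1048576, BLKBITS),
	       fiemap_walk(len, b_size_before));
	printf("after:  b_size=%llu walk=%ld\n",
	       (unsigned long long)b_size_after(1048576, BLKBITS),
	       fiemap_walk(len, b_size_after));
	return 0;
}
```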

commit b87943f388ab24f66b4db380d47fe691a67dc44d
Author: Paul Mackerras <paulus@ozlabs.org>
Date:   Wed Mar 7 22:17:20 2018 +1100

    KVM: PPC: Book3S HV: Fix trap number return from __kvmppc_vcore_entry
    
    commit a8b48a4dccea77e29462e59f1dbf0d5aa1ff167c upstream.
    
    This fixes a bug where the trap number that is returned by
    __kvmppc_vcore_entry gets corrupted.  The effect of the corruption
    is that IPIs get ignored on POWER9 systems when the IPI is sent via
    a doorbell interrupt to a CPU which is executing in a KVM guest.
    The effect of the IPI being ignored is often that another CPU locks
    up inside smp_call_function_many() (and if that CPU is holding a
    spinlock, other CPUs then lock up inside raw_spin_lock()).
    
    The trap number is currently held in register r12 for most of the
    assembly-language part of the guest exit path.  In that path, we
    call kvmppc_subcore_exit_guest(), which is a C function, without
    restoring r12 afterwards.  Depending on the kernel config and the
    compiler, it may modify r12 or it may not, so some config/compiler
    combinations see the bug and others don't.
    
    To fix this, we arrange for the trap number to be stored on the
    stack from the 'guest_bypass:' label until the end of the function,
    then the trap number is loaded and returned in r12 as before.
    
    Cc: stable@vger.kernel.org # v4.8+
    Fixes: fd7bacbca47a ("KVM: PPC: Book3S HV: Fix TB corruption in guest exit path on HMI interrupt")
    Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 57d641003679cf452f995b6f034b567d5d4e3be3
Author: Jan Kara <jack@suse.cz>
Date:   Thu May 3 18:26:26 2018 +0200

    bdi: Fix oops in wb_workfn()
    
    commit b8b784958eccbf8f51ebeee65282ca3fd59ea391 upstream.
    
    Syzbot has reported that it can hit a NULL pointer dereference in
    wb_workfn() due to wb->bdi->dev being NULL. This indicates that
    wb_workfn() was called for an already unregistered bdi which should not
    happen as wb_shutdown() called from bdi_unregister() should make sure
    all pending writeback works are completed before bdi is unregistered.
    Except that wb_workfn() itself can requeue the work with:
    
            mod_delayed_work(bdi_wq, &wb->dwork, 0);
    
    and if this happens while wb_shutdown() is waiting in:
    
            flush_delayed_work(&wb->dwork);
    
    the dwork can get executed after wb_shutdown() has finished and
    bdi_unregister() has cleared wb->bdi->dev.
    
    Make wb_workfn() use wakeup_wb() for requeueing the work which takes all
    the necessary precautions against racing with bdi unregistration.
    
    CC: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    CC: Tejun Heo <tj@kernel.org>
    Fixes: 839a8e8660b6777e7fe4e80af1a048aebe2b5977
    Reported-by: syzbot <syzbot+9873874c735f2892e7e9@syzkaller.appspotmail.com>
    Reviewed-by: Dave Chinner <dchinner@redhat.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 869f538101abb7d394a9bfdc49e0874a7a07b308
Author: Eric Dumazet <edumazet@google.com>
Date:   Sun Apr 29 18:55:20 2018 -0700

    tcp: fix TCP_REPAIR_QUEUE bound checking
    
    commit bf2acc943a45d2b2e8a9f1a5ddff6b6e43cc69d9 upstream.
    
    syzbot is able to produce a nasty WARN_ON() in tcp_verify_left_out()
    with following C-repro :
    
    socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
    setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
    setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0
    bind(3, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
    sendto(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
            1242, MSG_FASTOPEN, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("127.0.0.1")}, 16) = 1242
    setsockopt(3, SOL_TCP, TCP_REPAIR_WINDOW, "\4\0\0@+\205\0\0\377\377\0\0\377\377\377\177\0\0\0\0", 20) = 0
    writev(3, [{"\270", 1}], 1)             = 1
    setsockopt(3, SOL_TCP, TCP_REPAIR_OPTIONS, "\10\0\0\0\0\0\0\0\0\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 386) = 0
    writev(3, [{"\210v\r[\226\320t\231qwQ\204\264l\254\t\1\20\245\214p\350H\223\254;\\\37\345\307p$"..., 3144}], 1) = 3144
    
    The 3rd system call looks odd :
    setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0
    
    This patch makes sure bound checking is using an unsigned compare.
    
    Fixes: ee9952831cfd ("tcp: Initial repair mode")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Cc: Pavel Emelyanov <xemul@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
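
The signed versus unsigned bound check from the TCP_REPAIR_QUEUE commit above, as a before/after pair. This is an added model, not the kernel's setsockopt path: struct tcp_model and both function names are hypothetical, and only the queue enum mirrors include/uapi/linux/tcp.h.

```c
#include <errno.h>
#include <stdio.h>

/* Queue identifiers as in include/uapi/linux/tcp.h. */
enum {
	TCP_NO_QUEUE,
	TCP_RECV_QUEUE,
	TCP_SEND_QUEUE,
	TCP_QUEUES_NR,
};

/* Minimal stand-in for the socket state touched by the option. */
struct tcp_model {
	int repair;		/* set by TCP_REPAIR */
	int repair_queue;	/* set by TCP_REPAIR_QUEUE */
};

/*
 * Before: val is a signed int taken from user space, so a negative value
 * such as -1 satisfies "val < TCP_QUEUES_NR" and is stored as a queue id.
 */
static int set_repair_queue_before(struct tcp_model *tp, int val)
{
	if (!tp->repair)
		return -EPERM;
	if (val < TCP_QUEUES_NR) {
		tp->repair_queue = val;
		return 0;
	}
	return -EINVAL;
}

/*
 * After: the compare is done on the unsigned value, so -1 becomes UINT_MAX
 * and fails the upper bound; one test covers both ends of the range.
 */
static int set_repair_queue_after(struct tcp_model *tp, int val)
{
	if (!tp->repair)
		return -EPERM;
	if ((unsigned int)val < TCP_QUEUES_NR) {
		tp->repair_queue = val;
		return 0;
	}
	return -EINVAL;
}

int main(void)
{
	struct tcp_model tp = { 1, TCP_NO_QUEUE };
	int rc;

	rc = set_repair_queue_before(&tp, -1);
	printf("before: rc=%d repair_queue=%d\n", rc, tp.repair_queue);

	tp.repair_queue = TCP_NO_QUEUE;
	rc = set_repair_queue_after(&tp, -1);
	printf("after:  rc=%d repair_queue=%d\n", rc, tp.repair_queue);
	return 0;
}
```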

commit 68447d694fd41d8381090ea012185fddc8df25c5
Author: Jiri Olsa <jolsa@kernel.org>
Date:   Sun Apr 15 11:23:52 2018 +0200

    perf: Remove superfluous allocation error check
    
    commit bfb3d7b8b906b66551424d7636182126e1d134c8 upstream.
    
    If the get_callchain_buffers fails to allocate the buffer it will
    decrease the nr_callchain_events right away.
    
    There's no point of checking the allocation error for
    nr_callchain_events > 1. Removing that check.
    
    Signed-off-by: Jiri Olsa <jolsa@kernel.org>
    Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Andi Kleen <andi@firstfloor.org>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: syzkaller-bugs@googlegroups.com
    Cc: x86@kernel.org
    Link: http://lkml.kernel.org/r/20180415092352.12403-3-jolsa@kernel.org
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e68fb96236f46032def5d2eee26875b4d1eb0f4c
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Apr 7 13:42:43 2018 -0700

    soreuseport: initialise timewait reuseport field
    
    commit 3099a52918937ab86ec47038ad80d377ba16c531 upstream.
    
    syzbot reported an uninit-value in inet_csk_bind_conflict() [1]
    
    It turns out we never propagated sk->sk_reuseport into timewait socket.
    
    [1]
    BUG: KMSAN: uninit-value in inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
    CPU: 1 PID: 3589 Comm: syzkaller008242 Not tainted 4.16.0+ #82
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0x185/0x1d0 lib/dump_stack.c:53
     kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
     __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
     inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
     inet_csk_get_port+0x1d28/0x1e40 net/ipv4/inet_connection_sock.c:320
     inet6_bind+0x121c/0x1820 net/ipv6/af_inet6.c:399
     SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
     SyS_bind+0x54/0x80 net/socket.c:1460
     do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x3d/0xa2
    RIP: 0033:0x4416e9
    RSP: 002b:00007ffce6d15c88 EFLAGS: 00000217 ORIG_RAX: 0000000000000031
    RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 00000000004416e9
    RDX: 000000000000001c RSI: 0000000020402000 RDI: 0000000000000004
    RBP: 0000000000000000 R08: 00000000e6d15e08 R09: 00000000e6d15e08
    R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000009478
    R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
    
    Uninit was stored to memory at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
     kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
     kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
     __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
     tcp_time_wait+0xf17/0xf50 net/ipv4/tcp_minisocks.c:283
     tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
     tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
     sk_backlog_rcv include/net/sock.h:908 [inline]
     __release_sock+0x2d6/0x680 net/core/sock.c:2271
     release_sock+0x97/0x2a0 net/core/sock.c:2786
     tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
     inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
     inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
     sock_release net/socket.c:595 [inline]
     sock_close+0xe0/0x300 net/socket.c:1149
     __fput+0x49e/0xa10 fs/file_table.c:209
     ____fput+0x37/0x40 fs/file_table.c:243
     task_work_run+0x243/0x2c0 kernel/task_work.c:113
     exit_task_work include/linux/task_work.h:22 [inline]
     do_exit+0x10e1/0x38d0 kernel/exit.c:867
     do_group_exit+0x1a0/0x360 kernel/exit.c:970
     SYSC_exit_group+0x21/0x30 kernel/exit.c:981
     SyS_exit_group+0x25/0x30 kernel/exit.c:979
     do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x3d/0xa2
    Uninit was stored to memory at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
     kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
     kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
     __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
     inet_twsk_alloc+0xaef/0xc00 net/ipv4/inet_timewait_sock.c:182
     tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
     tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
     tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
     sk_backlog_rcv include/net/sock.h:908 [inline]
     __release_sock+0x2d6/0x680 net/core/sock.c:2271
     release_sock+0x97/0x2a0 net/core/sock.c:2786
     tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
     inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
     inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
     sock_release net/socket.c:595 [inline]
     sock_close+0xe0/0x300 net/socket.c:1149
     __fput+0x49e/0xa10 fs/file_table.c:209
     ____fput+0x37/0x40 fs/file_table.c:243
     task_work_run+0x243/0x2c0 kernel/task_work.c:113
     exit_task_work include/linux/task_work.h:22 [inline]
     do_exit+0x10e1/0x38d0 kernel/exit.c:867
     do_group_exit+0x1a0/0x360 kernel/exit.c:970
     SYSC_exit_group+0x21/0x30 kernel/exit.c:981
     SyS_exit_group+0x25/0x30 kernel/exit.c:979
     do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x3d/0xa2
    Uninit was created at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
     kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
     kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
     kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
     inet_twsk_alloc+0x13b/0xc00 net/ipv4/inet_timewait_sock.c:163
     tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
     tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
     tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
     sk_backlog_rcv include/net/sock.h:908 [inline]
     __release_sock+0x2d6/0x680 net/core/sock.c:2271
     release_sock+0x97/0x2a0 net/core/sock.c:2786
     tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
     inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
     inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
     sock_release net/socket.c:595 [inline]
     sock_close+0xe0/0x300 net/socket.c:1149
     __fput+0x49e/0xa10 fs/file_table.c:209
     ____fput+0x37/0x40 fs/file_table.c:243
     task_work_run+0x243/0x2c0 kernel/task_work.c:113
     exit_task_work include/linux/task_work.h:22 [inline]
     do_exit+0x10e1/0x38d0 kernel/exit.c:867
     do_group_exit+0x1a0/0x360 kernel/exit.c:970
     SYSC_exit_group+0x21/0x30 kernel/exit.c:981
     SyS_exit_group+0x25/0x30 kernel/exit.c:979
     do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x3d/0xa2
    
    Fixes: da5e36308d9f ("soreuseport: TCP/IPv4 implementation")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 543cb05defa68c8020fefb04d09420fc13d6b626
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Apr 7 13:42:41 2018 -0700

    dccp: initialize ireq->ir_mark
    
    commit b855ff827476adbdc2259e9895681d82b7b26065 upstream.
    
    syzbot reported an uninit-value read of skb->mark in iptable_mangle_hook()
    
    Thanks to the nice report, I tracked the problem to dccp not caring
    of ireq->ir_mark for passive sessions.
    
    BUG: KMSAN: uninit-value in ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline]
    BUG: KMSAN: uninit-value in iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84
    CPU: 0 PID: 5300 Comm: syz-executor3 Not tainted 4.16.0+ #81
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0x185/0x1d0 lib/dump_stack.c:53
     kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
     __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
     ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline]
     iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84
     nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
     nf_hook_slow+0x158/0x3d0 net/netfilter/core.c:483
     nf_hook include/linux/netfilter.h:243 [inline]
     __ip_local_out net/ipv4/ip_output.c:113 [inline]
     ip_local_out net/ipv4/ip_output.c:122 [inline]
     ip_queue_xmit+0x1d21/0x21c0 net/ipv4/ip_output.c:504
     dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142
     dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281
     dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363
     dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818
     inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
     sock_sendmsg_nosec net/socket.c:630 [inline]
     sock_sendmsg net/socket.c:640 [inline]
     ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
     __sys_sendmsg net/socket.c:2080 [inline]
     SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
     SyS_sendmsg+0x54/0x80 net/socket.c:2087
     do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x3d/0xa2
    RIP: 0033:0x455259
    RSP: 002b:00007f1a4473dc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
    RAX: ffffffffffffffda RBX: 00007f1a4473e6d4 RCX: 0000000000455259
    RDX: 0000000000000000 RSI: 0000000020b76fc8 RDI: 0000000000000015
    RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
    R13: 00000000000004f0 R14: 00000000006fa720 R15: 0000000000000000
    
    Uninit was stored to memory at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
     kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
     kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
     __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
     ip_queue_xmit+0x1e35/0x21c0 net/ipv4/ip_output.c:502
     dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142
     dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281
     dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363
     dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818
     inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
     sock_sendmsg_nosec net/socket.c:630 [inline]
     sock_sendmsg net/socket.c:640 [inline]
     ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
     __sys_sendmsg net/socket.c:2080 [inline]
     SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
     SyS_sendmsg+0x54/0x80 net/socket.c:2087
     do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x3d/0xa2
    Uninit was stored to memory at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
     kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
     kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
     __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
     inet_csk_clone_lock+0x503/0x580 net/ipv4/inet_connection_sock.c:797
     dccp_create_openreq_child+0x7f/0x890 net/dccp/minisocks.c:92
     dccp_v4_request_recv_sock+0x22c/0xe90 net/dccp/ipv4.c:408
     dccp_v6_request_recv_sock+0x290/0x2000 net/dccp/ipv6.c:414
     dccp_check_req+0x7b9/0x8f0 net/dccp/minisocks.c:197
     dccp_v4_rcv+0x12e4/0x2630 net/dccp/ipv4.c:840
     ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
     NF_HOOK include/linux/netfilter.h:288 [inline]
     ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
     dst_input include/net/dst.h:449 [inline]
     ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
     NF_HOOK include/linux/netfilter.h:288 [inline]
     ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
     __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
     __netif_receive_skb net/core/dev.c:4627 [inline]
     process_backlog+0x62d/0xe20 net/core/dev.c:5307
     napi_poll net/core/dev.c:5705 [inline]
     net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
     __do_softirq+0x56d/0x93d kernel/softirq.c:285
    Uninit was created at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
     kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
     kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
     kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
     reqsk_alloc include/net/request_sock.h:88 [inline]
     inet_reqsk_alloc+0xc4/0x7f0 net/ipv4/tcp_input.c:6145
     dccp_v4_conn_request+0x5cc/0x1770 net/dccp/ipv4.c:600
     dccp_v6_conn_request+0x299/0x1880 net/dccp/ipv6.c:317
     dccp_rcv_state_process+0x2ea/0x2410 net/dccp/input.c:612
     dccp_v4_do_rcv+0x229/0x340 net/dccp/ipv4.c:682
     dccp_v6_do_rcv+0x16d/0x1220 net/dccp/ipv6.c:578
     sk_backlog_rcv include/net/sock.h:908 [inline]
     __sk_receive_skb+0x60e/0xf20 net/core/sock.c:513
     dccp_v4_rcv+0x24d4/0x2630 net/dccp/ipv4.c:874
     ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
     NF_HOOK include/linux/netfilter.h:288 [inline]
     ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
     dst_input include/net/dst.h:449 [inline]
     ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
     NF_HOOK include/linux/netfilter.h:288 [inline]
     ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
     __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
     __netif_receive_skb net/core/dev.c:4627 [inline]
     process_backlog+0x62d/0xe20 net/core/dev.c:5307
     napi_poll net/core/dev.c:5705 [inline]
     net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
     __do_softirq+0x56d/0x93d kernel/softirq.c:285
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 45227db4a6c2174b8aaf55c4a607aa55b134a74e
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Apr 7 13:42:40 2018 -0700

    net: fix uninit-value in __hw_addr_add_ex()
    
    commit 77d36398d99f2565c0a8d43a86fd520a82e64bb8 upstream.
    
    syzbot complained :
    
    BUG: KMSAN: uninit-value in memcmp+0x119/0x180 lib/string.c:861
    CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.16.0+ #82
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Workqueue: ipv6_addrconf addrconf_dad_work
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0x185/0x1d0 lib/dump_stack.c:53
     kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
     __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
     memcmp+0x119/0x180 lib/string.c:861
     __hw_addr_add_ex net/core/dev_addr_lists.c:60 [inline]
     __dev_mc_add+0x1c2/0x8e0 net/core/dev_addr_lists.c:670
     dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687
     igmp6_group_added+0x2db/0xa00 net/ipv6/mcast.c:662
     ipv6_dev_mc_inc+0xe9e/0x1130 net/ipv6/mcast.c:914
     addrconf_join_solict net/ipv6/addrconf.c:2078 [inline]
     addrconf_dad_begin net/ipv6/addrconf.c:3828 [inline]
     addrconf_dad_work+0x427/0x2150 net/ipv6/addrconf.c:3954
     process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
     worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
     kthread+0x539/0x720 kernel/kthread.c:239
    
    Fixes: f001fde5eadd ("net: introduce a list of device addresses dev_addr_list (v6)")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ec98618c20d0ba798798ec93fb366681f18347de
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Apr 7 13:42:39 2018 -0700

    net: initialize skb->peeked when cloning
    
    commit b13dda9f9aa7caceeee61c080c2e544d5f5d85e5 upstream.
    
    syzbot reported __skb_try_recv_from_queue() was using skb->peeked
    while it was potentially uninitialized.
    
    We need to clear it in __skb_clone()
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a3cac7e26bbd944cc8bfc96c81d6784fbde594ec
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Apr 7 13:42:38 2018 -0700

    net: fix rtnh_ok()
    
    commit b1993a2de12c9e75c35729e2ffbc3a92d50c0d31 upstream.
    
    syzbot reported :
    
    BUG: KMSAN: uninit-value in rtnh_ok include/net/nexthop.h:11 [inline]
    BUG: KMSAN: uninit-value in fib_count_nexthops net/ipv4/fib_semantics.c:469 [inline]
    BUG: KMSAN: uninit-value in fib_create_info+0x554/0x8d20 net/ipv4/fib_semantics.c:1091
    
    @remaining is an integer, coming from user space.
    If it is negative we want rtnh_ok() to return false.
    
    Fixes: 4e902c57417c ("[IPv4]: FIB configuration using struct fib_config")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
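
Added example, not part of the commit or of the kernel source: a userspace C model of the length check described in the rtnh_ok() commit above. It compares a test in which a negative `remaining` is converted to unsigned with one that compares as signed. The `nh_hdr` struct, the `nh_ok_*`, `count_nexthops` and `demo` names, the constructed buffer, and the walk that drives `remaining` negative are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a nexthop header (hypothetical name, not the kernel struct). */
struct nh_hdr {
    uint16_t len;      /* length of this entry, header included */
    uint8_t  flags;
    uint8_t  hops;
    int32_t  ifindex;
};

#define NH_HDR      ((int)sizeof(struct nh_hdr))
#define NH_ALIGN(n) (((n) + 3) & ~3)

/* Header reads made while fewer than NH_HDR bytes were left to parse. */
static int stale_header_reads;

static int read_len(const unsigned char *p, int remaining)
{
    struct nh_hdr h;

    if (remaining < NH_HDR)
        stale_header_reads++;  /* in a real parser: bytes past the attribute */
    memcpy(&h, p, sizeof(h));  /* in bounds here: the demo buffer has slack */
    return h.len;
}

/* Length test in unsigned arithmetic. The cast spells out the conversion
 * that C applies implicitly when an int is compared with a sizeof result:
 * -3 becomes a huge value and passes. */
static int nh_ok_unsigned(const unsigned char *p, int remaining)
{
    int len;

    if ((size_t)remaining < sizeof(struct nh_hdr))
        return 0;
    len = read_len(p, remaining);
    return len >= NH_HDR && len <= remaining;
}

/* Length test in signed arithmetic: a negative remaining is rejected
 * before the header is touched. */
static int nh_ok_signed(const unsigned char *p, int remaining)
{
    int len;

    if (remaining < NH_HDR)
        return 0;
    len = read_len(p, remaining);
    return len >= NH_HDR && len <= remaining;
}

/* Walk the entries; the aligned step can exceed the bytes that are left,
 * which is how remaining goes negative in this model. */
static int count_nexthops(const unsigned char *p, int remaining,
                          int (*ok)(const unsigned char *, int))
{
    int n = 0;

    while (ok(p, remaining)) {
        int step = NH_ALIGN(read_len(p, remaining));

        n++;
        p += step;
        remaining -= step;
    }
    return n;
}

/* Constructed input: one entry declaring len = 9 inside a 9-byte attribute.
 * Returns the number of stale header reads; *count gets the entry count. */
static int demo(int use_signed, int *count)
{
    unsigned char backing[32] = {0};
    struct nh_hdr h = { .len = 9, .flags = 0, .hops = 0, .ifindex = 1 };

    memcpy(backing, &h, sizeof(h));
    stale_header_reads = 0;
    *count = count_nexthops(backing, 9,
                            use_signed ? nh_ok_signed : nh_ok_unsigned);
    return stale_header_reads;
}

int main(void)
{
    int n, stale;

    stale = demo(0, &n);
    printf("unsigned test: entries=%d stale header reads=%d\n", n, stale);
    stale = demo(1, &n);
    printf("signed test:   entries=%d stale header reads=%d\n", n, stale);
    return 0;
}
```

Both variants return the same entry count; they differ only in the one header read made after `remaining` has gone negative, which the signed test never performs.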

commit 473ac55c5e036a73455bfbf5bf7b7bffeac4fa3d
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Apr 7 13:42:37 2018 -0700

    netlink: fix uninit-value in netlink_sendmsg
    
    commit 6091f09c2f79730d895149bcfe3d66140288cd0e upstream.
    
    syzbot reported :
    
    BUG: KMSAN: uninit-value in ffs arch/x86/include/asm/bitops.h:432 [inline]
    BUG: KMSAN: uninit-value in netlink_sendmsg+0xb26/0x1310 net/netlink/af_netlink.c:1851
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7b38b6dd316e5359c70fc11df7eb27825d4f3f15
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Apr 7 13:42:36 2018 -0700

    crypto: af_alg - fix possible uninit-value in alg_bind()
    
    commit a466856e0b7ab269cdf9461886d007e88ff575b0 upstream.
    
    syzbot reported :
    
    BUG: KMSAN: uninit-value in alg_bind+0xe3/0xd90 crypto/af_alg.c:162
    
    We need to check addr_len before dereferencing sa (or uaddr)
    
    Fixes: bb30b8848c85 ("crypto: af_alg - whitelist mask and type")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Cc: Stephan Mueller <smueller@chronox.de>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 383250363daf01eb7aa3728c09ef8a4f6d8a3252
Author: Tom Herbert <tom@quantonium.net>
Date:   Wed Feb 14 09:22:42 2018 -0800

    kcm: Call strp_stop before strp_done in kcm_attach
    
    commit dff8baa261174de689a44572d0ea182d7aa70598 upstream.
    
    In kcm_attach strp_done is called when sk_user_data is already
    set to fail the attach. strp_done needs the strp to be stopped and
    warns if it isn't. Call strp_stop in this case to eliminate the
    warning message.
    
    Reported-by: syzbot+88dfb55e4c8b770d86e3@syzkaller.appspotmail.com
    Fixes: e5571240236c5652f ("kcm: Check if sk_user_data already set in kcm_attach")
    Signed-off-by: Tom Herbert <tom@quantonium.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1899f679355d34d18447e76fa76eae16299fddda
Author: Sagi Grimberg <sagi@grimberg.me>
Date:   Wed Mar 8 22:03:17 2017 +0200

    IB/device: Convert ib-comp-wq to be CPU-bound
    
    commit b7363e67b23e04c23c2a99437feefac7292a88bc upstream.
    
    This workqueue is used by our storage target mode ULPs
    via the new CQ API. Recent observations when working
    with very high-end flash storage devices reveal that
    UNBOUND workqueue threads can migrate between cpu cores
    and even numa nodes (although some numa locality is accounted
    for).
    
    While this attribute can be useful in some workloads,
    it does not fit in very nicely with the normal
    run-to-completion model we usually use in our target-mode
    ULPs and the block-mq irq<->cpu affinity facilities.
    
    The whole block-mq concept is that the completion will
    land on the same cpu where the submission was performed.
    The fact that our submitter thread is migrating cpus
    can break this locality.
    
    We assume that as a target mode ULP, we will serve multiple
    initiators/clients and we can spread the load enough without
    having to use unbound kworkers.
    
    Also, while we're at it, expose this workqueue via sysfs which
    is harmless and can be useful for debug.
    
    Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
    Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Cc: Raju Rangoju <rajur@chelsio.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 83797a770fe0b4bcbe6f19fa71404d97aaddfda4
Author: Julian Anastasov <ja@ssi.bg>
Date:   Sat Apr 7 15:50:47 2018 +0300

    ipvs: fix rtnl_lock lockups caused by start_sync_thread
    
    commit 5c64576a77894a50be80be0024bed27171b55989 upstream.
    
    syzkaller reports for wrong rtnl_lock usage in sync code [1] and [2]
    
    We have 2 problems in start_sync_thread if error path is
    taken, eg. on memory allocation error or failure to configure
    sockets for mcast group or addr/port binding:
    
    1. recursive locking: holding rtnl_lock while calling sock_release
    which in turn calls again rtnl_lock in ip_mc_drop_socket to leave
    the mcast group, as noticed by Florian Westphal. Additionally,
    sock_release can not be called while holding sync_mutex (ABBA
    deadlock).
    
    2. task hung: holding rtnl_lock while calling kthread_stop to
    stop the running kthreads. As the kthreads do the same to leave
    the mcast group (sock_release -> ip_mc_drop_socket -> rtnl_lock)
    they hang.
    
    Fix the problems by calling rtnl_unlock early in the error path,
    now sock_release is called after unlocking both mutexes.
    
    Problem 3 (task hung reported by syzkaller [2]) is variant of
    problem 2: use _trylock to prevent one user to call rtnl_lock and
    then while waiting for sync_mutex to block kthreads that execute
    sock_release when they are stopped by stop_sync_thread.
    
    [1]
    IPVS: stopping backup sync thread 4500 ...
    WARNING: possible recursive locking detected
    4.16.0-rc7+ #3 Not tainted
    --------------------------------------------
    syzkaller688027/4497 is trying to acquire lock:
      (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20
    net/core/rtnetlink.c:74
    
    but task is already holding lock:
    IPVS: stopping backup sync thread 4495 ...
      (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20
    net/core/rtnetlink.c:74
    
    other info that might help us debug this:
      Possible unsafe locking scenario:
    
            CPU0
            ----
       lock(rtnl_mutex);
       lock(rtnl_mutex);
    
      *** DEADLOCK ***
    
      May be due to missing lock nesting notation
    
    2 locks held by syzkaller688027/4497:
      #0:  (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20
    net/core/rtnetlink.c:74
      #1:  (ipvs->sync_mutex){+.+.}, at: [<00000000703f78e3>]
    do_ip_vs_set_ctl+0x10f8/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2388
    
    stack backtrace:
    CPU: 1 PID: 4497 Comm: syzkaller688027 Not tainted 4.16.0-rc7+ #3
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
    Google 01/01/2011
    Call Trace:
      __dump_stack lib/dump_stack.c:17 [inline]
      dump_stack+0x194/0x24d lib/dump_stack.c:53
      print_deadlock_bug kernel/locking/lockdep.c:1761 [inline]
      check_deadlock kernel/locking/lockdep.c:1805 [inline]
      validate_chain kernel/locking/lockdep.c:2401 [inline]
      __lock_acquire+0xe8f/0x3e00 kernel/locking/lockdep.c:3431
      lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
      __mutex_lock_common kernel/locking/mutex.c:756 [inline]
      __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
      mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
      rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
      ip_mc_drop_socket+0x88/0x230 net/ipv4/igmp.c:2643
      inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:413
      sock_release+0x8d/0x1e0 net/socket.c:595
      start_sync_thread+0x2213/0x2b70 net/netfilter/ipvs/ip_vs_sync.c:1924
      do_ip_vs_set_ctl+0x1139/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2389
      nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
      nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
      ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1261
      udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2406
      sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
      SYSC_setsockopt net/socket.c:1849 [inline]
      SyS_setsockopt+0x189/0x360 net/socket.c:1828
      do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
      entry_SYSCALL_64_after_hwframe+0x42/0xb7
    RIP: 0033:0x446a69
    RSP: 002b:00007fa1c3a64da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000446a69
    RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
    RBP: 00000000006e29fc R08: 0000000000000018 R09: 0000000000000000
    R10: 00000000200000c0 R11: 0000000000000246 R12: 00000000006e29f8
    R13: 00676e697279656b R14: 00007fa1c3a659c0 R15: 00000000006e2b60
    
    [2]
    IPVS: sync thread started: state = BACKUP, mcast_ifn = syz_tun, syncid = 4,
    id = 0
    IPVS: stopping backup sync thread 25415 ...
    INFO: task syz-executor7:25421 blocked for more than 120 seconds.
           Not tainted 4.16.0-rc6+ #284
    "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    syz-executor7   D23688 25421   4408 0x00000004
    Call Trace:
      context_switch kernel/sched/core.c:2862 [inline]
      __schedule+0x8fb/0x1ec0 kernel/sched/core.c:3440
      schedule+0xf5/0x430 kernel/sched/core.c:3499
      schedule_timeout+0x1a3/0x230 kernel/time/timer.c:1777
      do_wait_for_common kernel/sched/completion.c:86 [inline]
      __wait_for_common kernel/sched/completion.c:107 [inline]
      wait_for_common kernel/sched/completion.c:118 [inline]
      wait_for_completion+0x415/0x770 kernel/sched/completion.c:139
      kthread_stop+0x14a/0x7a0 kernel/kthread.c:530
      stop_sync_thread+0x3d9/0x740 net/netfilter/ipvs/ip_vs_sync.c:1996
      do_ip_vs_set_ctl+0x2b1/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2394
      nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
      nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
      ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1253
      sctp_setsockopt+0x2ca/0x63e0 net/sctp/socket.c:4154
      sock_common_setsockopt+0x95/0xd0 net/core/sock.c:3039
      SYSC_setsockopt net/socket.c:1850 [inline]
      SyS_setsockopt+0x189/0x360 net/socket.c:1829
      do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
      entry_SYSCALL_64_after_hwframe+0x42/0xb7
    RIP: 0033:0x454889
    RSP: 002b:00007fc927626c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
    RAX: ffffffffffffffda RBX: 00007fc9276276d4 RCX: 0000000000454889
    RDX: 000000000000048c RSI: 0000000000000000 RDI: 0000000000000017
    RBP: 000000000072bf58 R08: 0000000000000018 R09: 0000000000000000
    R10: 0000000020000000 R11: 0000000000000246 R12: 00000000ffffffff
    R13: 000000000000051c R14: 00000000006f9b40 R15: 0000000000000001
    
    Showing all locks held in the system:
    2 locks held by khungtaskd/868:
      #0:  (rcu_read_lock){....}, at: [<00000000a1a8f002>]
    check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
      #0:  (rcu_read_lock){....}, at: [<00000000a1a8f002>] watchdog+0x1c5/0xd60
    kernel/hung_task.c:249
      #1:  (tasklist_lock){.+.+}, at: [<0000000037c2f8f9>]
    debug_show_all_locks+0xd3/0x3d0 kernel/locking/lockdep.c:4470
    1 lock held by rsyslogd/4247:
      #0:  (&f->f_pos_lock){+.+.}, at: [<000000000d8d6983>]
    __fdget_pos+0x12b/0x190 fs/file.c:765
    2 locks held by getty/4338:
      #0:  (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
    ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
      #1:  (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
    n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
    2 locks held by getty/4339:
      #0:  (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
    ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
      #1:  (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
    n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
    2 locks held by getty/4340:
      #0:  (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
    ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
      #1:  (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
    n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
    2 locks held by getty/4341:
      #0:  (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
    ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
      #1:  (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
    n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
    2 locks held by getty/4342:
      #0:  (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
    ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
      #1:  (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
    n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
    2 locks held by getty/4343:
      #0:  (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
    ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
      #1:  (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
    n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
    2 locks held by getty/4344:
      #0:  (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
    ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
      #1:  (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
    n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
    3 locks held by kworker/0:5/6494:
      #0:  ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
    [<00000000a062b18e>] work_static include/linux/workqueue.h:198 [inline]
      #0:  ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
    [<00000000a062b18e>] set_work_data kernel/workqueue.c:619 [inline]
      #0:  ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
    [<00000000a062b18e>] set_work_pool_and_clear_pending kernel/workqueue.c:646
    [inline]
      #0:  ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
    [<00000000a062b18e>] process_one_work+0xb12/0x1bb0 kernel/workqueue.c:2084
      #1:  ((addr_chk_work).work){+.+.}, at: [<00000000278427d5>]
    process_one_work+0xb89/0x1bb0 kernel/workqueue.c:2088
      #2:  (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
    net/core/rtnetlink.c:74
    1 lock held by syz-executor7/25421:
      #0:  (ipvs->sync_mutex){+.+.}, at: [<00000000d414a689>]
    do_ip_vs_set_ctl+0x277/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2393
    2 locks held by syz-executor7/25427:
      #0:  (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
    net/core/rtnetlink.c:74
      #1:  (ipvs->sync_mutex){+.+.}, at: [<00000000e6d48489>]
    do_ip_vs_set_ctl+0x10f8/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2388
    1 lock held by syz-executor7/25435:
      #0:  (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
    net/core/rtnetlink.c:74
    1 lock held by ipvs-b:2:0/25415:
      #0:  (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
    net/core/rtnetlink.c:74
    
    Reported-and-tested-by: syzbot+a46d6abf9d56b1365a72@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+5fe074c01b2032ce9618@syzkaller.appspotmail.com
    Fixes: e0b26cc997d5 ("ipvs: call rtnl_lock early")
    Signed-off-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Cc: Zubin Mithra <zsm@chromium.org>
    Cc: Guenter Roeck <groeck@chromium.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>